From 6f9f8884780ae9857050271730505aa386e594f2 Mon Sep 17 00:00:00 2001 From: Tobias Reisinger Date: Tue, 22 Oct 2024 17:44:00 +0200 Subject: [PATCH] Move aws ses dkim keys into terraform --- .gitignore | 1 + .terraform.lock.hcl | 18 ++++++++++++++++++ Makefile | 16 +++++++++++----- dnsconfig.js | 19 ++++--------------- main.tf | 11 +++++++++++ modules/infrastructure/aws-ses.tf | 4 ++++ modules/infrastructure/main.tf | 4 ++++ modules/infrastructure/output.tf | 7 +++++++ modules/infrastructure/variables.tf | 4 ++++ output.tf | 5 +++++ secrets.auto.tfvars.example | 9 +++++++++ variables.tf | 17 +++++++++++++++++ 12 files changed, 95 insertions(+), 20 deletions(-) create mode 100644 modules/infrastructure/aws-ses.tf diff --git a/.gitignore b/.gitignore index ebf0b61..d890845 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ types-dnscontrol.d.ts dns/hosts.json dns/services.json +dns/dkim-ses.json secrets.auto.tfvars .terraform diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index e83bfba..e76c19b 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -68,6 +68,24 @@ provider "registry.opentofu.org/goauthentik/authentik" { ] } +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.72.1" + constraints = "~> 5.0" + hashes = [ + "h1:ckDAOn6cqqO2pJ226GYs8gIZif9TRmAuQEqnPL+LCgg=", + "zh:02ee636137e5f8cc9d6900c55a3f3c85e99166b51d17cf96bd62b27182dc7449", + "zh:04877c5ce0a0fef6b355decbfe4941e7d5f22d2b7062cd87f70dafe845d635c7", + "zh:3d129024594dcf2edac180b8276decc946f4f33d653f44d3c04c4c28b3f85dab", + "zh:6fc7ecf746791211d64a38361ce12303dfc3ddf0e609e6d854bc8f3a7f242234", + "zh:8d65352eeba3fef611c90b5161336b0cccf3fed8dc2c710537d6578925e2b189", + "zh:9c99b31104c80d885aad1846e2b2f25371cbc9c23281fb0e213be0101a415f2c", + "zh:b220737d06dc8ef3a6aa32055c1c633d08c27e046b5fb730f93969ef11abb928", + "zh:b741b0e79001765c8d2ffdb569f70c0d8b877b870b660e573f3bb6f42dd55f28", + "zh:d2434f271f261ccd28a85aa15627ee9cfc9c319a48eb6c0aeb1ffaf80b6ede20", + "zh:df4b2338e3e89d66c1697fae9be378db94cb0d7d309c9dc537024cb755b7e21a", + ] +} + provider "registry.opentofu.org/hashicorp/random" { version = "3.6.3" hashes = [ diff --git a/Makefile b/Makefile index 98d3075..ae208a9 100644 --- a/Makefile +++ b/Makefile @@ -20,8 +20,7 @@ PWD := $(shell pwd) > ./inventory/group_vars/all/opentofu.yml ./dns/hosts.json: .FORCE - tofu output --json \ - | jq 'with_entries(.value |= .value).hosts' \ + tofu output --json hosts \ > ./dns/hosts.json ./dns/services.json: ./inventory/group_vars/all/all_services.yml @@ -29,9 +28,16 @@ PWD := $(shell pwd) -e services_json_file=$(PWD)/dns/services.json \ playbooks/create_services_for_dnscontrol.yml +./dns/dkim-ses.json: .FORCE + tofu output --json aws_ses_dkim \ + > ./dns/dkim-ses.json -output: ./dns/hosts.json ./dns/services.json ./inventory/group_vars/all/opentofu.yml +output-dns: ./dns/hosts.json ./dns/services.json ./dns/dkim-ses.json + +output-ansible: ./inventory/group_vars/all/opentofu.yml + +output: output-dns output-ansible ./types-dnscontrol.d.ts: dnscontrol write-types 
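Review bot: The new `./dns/dkim-ses.json` recipe (and the rewritten `./dns/hosts.json` one above it) redirects straight into the target, so the shell truncates the file before `tofu output` runs; if the output step fails (expired backend credentials, state not yet applied) an empty or partial JSON file is left behind. Make aborts this run, but the broken file survives for any `dnscontrol push` run by hand afterwards. Writing to a temporary file and renaming only on success avoids that: `tofu output --json aws_ses_dkim > ./dns/dkim-ses.json.tmp && mv ./dns/dkim-ses.json.tmp ./dns/dkim-ses.json`. A one-line comment on the rule noting that `tofu output --json NAME` prints sensitive outputs in clear, which this pipeline relies on, would also save the next reader a surprise.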
@@ -41,10 +47,10 @@ tofu: @printf "\n=====\n\n" $(MAKE) output -dns: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json +dns: output-dns dnscontrol push -dns-check: ./types-dnscontrol.d.ts ./dns/hosts.json ./dns/services.json +dns-check: output-dns dnscontrol check-creds ovh all: diff --git a/dnsconfig.js b/dnsconfig.js index 182891d..e7df78c 100644 --- a/dnsconfig.js +++ b/dnsconfig.js @@ -4,6 +4,7 @@ require('dns/default_records.js'); require('dns/functions.js'); var dkim = require('dns/dkim.json'); +var dkim_ses = require('dns/dkim-ses.json'); var hosts = require('dns/hosts.json'); var services_json = require('dns/services.json'); @@ -47,11 +48,7 @@ D("msrg.cc", REG_OVH, DnsProvider(DSP_OVH), SRV("_xmpps-client._tcp", 0, 20, 443, "xmpps.wiuwiu.de."), TXT("xmppconnect", "_xmpp-client-xbosh=https://wiuwiu.de:443/http-bind/"), - verify_amazon_ses([ - "rg6sgmw6fr73pucbqz62h25wq2q75iet", - "rjczvv7ab3twf6kfjjzmz5fkhpmyc2j5", - "bxau47qbno4igiwug2xrmwozzk6vwdyv" - ]), + verify_amazon_ses(dkim_ses["msrg.cc"]), // SendGrid DKIM CNAME("em2339.holitime", "u26197282.wl033.sendgrid.net."), @@ -74,11 +71,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH), acme_challenge("db", "ca2c86c0-ff3d-458a-89e0-11bcfd2543e4"), acme_challenge("auth", "18a42983-3d19-4c17-8213-fc275a8be721"), - verify_amazon_ses([ - "dd4g333vxgahaf3rh3dafdx6g7kq7t7z", - "tbqt7mluvomvsomaj7nuhvs2xl7hd6hg", - "tl2n3zn4jxjodumvqj4jqdavfxznivvd" - ]), + verify_amazon_ses(dkim_ses["serguzim.me"]), verify_dmarc_reports([ "msrg.cc", 
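Review bot: `verify_amazon_ses(dkim_ses["msrg.cc"])` (and the two sibling call sites) passes whatever the generated `dns/dkim-ses.json` holds for that key, and the key is absent whenever the domain is missing from `email_domains` or `make output-dns` ran before the identity was applied. Depending on how `verify_amazon_ses` in dns/functions.js (outside this diff) handles an undefined argument, the push may either fail late or silently publish the zone without its DKIM CNAMEs, which breaks DKIM for outbound mail without any error at push time. A small guard next to the `require` that throws when the tokens are missing makes the failure explicit at config-load time; the call sites then become `verify_amazon_ses(ses_dkim_tokens("msrg.cc"))`.
```javascript
var dkim_ses = require('dns/dkim-ses.json');

// Fail the push instead of publishing a zone without its SES DKIM CNAMEs.
function ses_dkim_tokens(domain) {
  var tokens = dkim_ses[domain];
  if (!Array.isArray(tokens) || tokens.length === 0) {
    throw new Error("no SES DKIM tokens for " + domain + " in dns/dkim-ses.json; run `make output-dns` after `tofu apply`");
  }
  return tokens;
}
// … unchanged: hosts/services requires, D("msrg.cc", …) records …
    verify_amazon_ses(ses_dkim_tokens("msrg.cc")),
```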
@@ -106,11 +99,7 @@ D("serguzim.me", REG_OVH, DnsProvider(DSP_OVH), D("reitanlage-oranienburg.de", REG_OVH, DnsProvider(DSP_OVH), all_defaults("reitanlage-oranienburg.de", false), - verify_amazon_ses([ - "kseozkz37py4ukzg2h2kx7bua5r4yv2v", - "py2qx6nrsfn7r5j4uwwfpc7tgi63u7sn", - "hzmi7t2qcycinuy5edmo5uphohgtkefa" - ]), + verify_amazon_ses(dkim_ses["reitanlage-oranienburg.de"]), TXT("default._bimi", "v=BIMI1; l=https://www.reitanlage-oranienburg.de/user/themes/reitanlage-oranienburg/images/bimi.svg") ); diff --git a/main.tf b/main.tf index 82908b3..7504d70 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,9 @@ terraform { required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } contabo = { source = "contabo/contabo" version = "~> 0.1.26" @@ -69,6 +73,12 @@ terraform { } } +provider "aws" { + region = var.aws_region + access_key = var.aws_access_key + secret_key = var.aws_secret_key +} + provider "contabo" { oauth2_client_id = var.contabo_client_id oauth2_client_secret = var.contabo_client_secret @@ -114,6 +124,7 @@ module "infrastructure" { hosts = var.hosts services = var.services + email_domains = var.email_domains } provider "authentik" { diff --git a/modules/infrastructure/aws-ses.tf b/modules/infrastructure/aws-ses.tf new file mode 100644 index 0000000..8c9a871 --- /dev/null +++ b/modules/infrastructure/aws-ses.tf @@ -0,0 +1,4 @@ +resource "aws_sesv2_email_identity" "domains" { + for_each = var.email_domains + email_identity = each.value +} diff --git a/modules/infrastructure/main.tf b/modules/infrastructure/main.tf index 53784eb..43a0bd3 100644 --- a/modules/infrastructure/main.tf +++ b/modules/infrastructure/main.tf @@ -1,5 +1,9 @@ terraform { required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } contabo = { source = "contabo/contabo" version = "~> 0.1.26" diff --git a/modules/infrastructure/output.tf b/modules/infrastructure/output.tf index 8eb9d06..3307db5 100644 --- a/modules/infrastructure/output.tf 
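Review bot: `provider "aws"` is fed long-lived static `access_key`/`secret_key` from `secrets.auto.tfvars`, so a permanent IAM user credential sits on every workstation that runs `make tofu`, and `sensitive = true` on the variables only redacts plan output, not that file. The only AWS resource in this change is `aws_sesv2_email_identity`, so whatever principal these keys belong to should be limited to the SES identity actions that resource needs (create/get/delete identity, DKIM signing attributes, tagging) rather than a broad policy. Prefer dropping the two arguments and letting the provider's default credential chain (environment, profile/SSO, or an `assume_role` block) supply short-lived credentials: `provider "aws" { region = var.aws_region }`; the two key variables can then go away.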
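Review bot: `aws_sesv2_email_identity.domains` leaves `dkim_signing_attributes` unset, so the Easy DKIM key length is whatever the API/provider default happens to be; I believe the API path can still hand out 1024-bit keys unless told otherwise, whereas RFC 8301 recommends 2048-bit signing keys, so this is worth confirming. Pin it explicitly, `dkim_signing_attributes { next_signing_key_length = "RSA_2048_BIT" }`, so the signing-key strength is in code rather than in a default that differs between console and API. Changing the key length later regenerates the three tokens, so `make output-dns` / `dnscontrol push` must be re-run after any such apply; a comment on the resource stating that ordering would help the next operator.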
+++ b/modules/infrastructure/output.tf @@ -70,3 +70,10 @@ output "scaleway_registry_endpoint_public" { output "scaleway_registry_endpoint_private" { value = scaleway_registry_namespace.private.endpoint } + +output "aws_ses_dkim" { + value = { + for key, dkim in aws_sesv2_email_identity.domains : key => dkim.dkim_signing_attributes[0].tokens + } + sensitive = true +} diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf index 8071d6b..d4d064c 100644 --- a/modules/infrastructure/variables.tf +++ b/modules/infrastructure/variables.tf @@ -41,3 +41,7 @@ variable "hosts" { datacenter = optional(string) })) } + +variable "email_domains" { + type = set(string) +} diff --git a/output.tf b/output.tf index 040020c..922f4d6 100644 --- a/output.tf +++ b/output.tf @@ -41,3 +41,8 @@ output "scaleway_registry_endpoint_public" { output "scaleway_registry_endpoint_private" { value = module.infrastructure.scaleway_registry_endpoint_private } + +output "aws_ses_dkim" { + value = module.infrastructure.aws_ses_dkim + sensitive = true +} diff --git a/secrets.auto.tfvars.example b/secrets.auto.tfvars.example index 8e4fbe3..4c971d0 100644 --- a/secrets.auto.tfvars.example +++ b/secrets.auto.tfvars.example @@ -7,6 +7,10 @@ backend_bucket = "" authentik_token = "" +aws_region = "" +aws_access_key = "" +aws_secret_key = "" + contabo_client_id = "" contabo_client_secret = "" contabo_user = "" @@ -30,3 +34,8 @@ scaleway_secret_key = "" tailscale_api_key = "" tailscale_tailnet = "" + + +email_domains = [ + "example.com", +] diff --git a/variables.tf b/variables.tf index 6b6e6b0..6be1ba9 100644 --- a/variables.tf +++ b/variables.tf @@ -32,6 +32,19 @@ variable "authentik_token" { } +variable "aws_region" { + default = "eu-north-1" +} + +variable "aws_access_key" { + sensitive = true +} + +variable "aws_secret_key" { + sensitive = true +} + + variable "contabo_client_id" { sensitive = true } 
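Review bot: `sensitive = true` on `aws_ses_dkim` protects nothing here: the tokens are the labels of public `_domainkey` CNAMEs that dnscontrol publishes, and the Makefile pulls them out in clear with `tofu output --json` anyway. What the flag does do is hide the values from `tofu plan` diffs, which is exactly where a reviewer wants to see a token change (for example after a key-length change that forces new DNS records). Consider dropping the flag on both this module output and the root `output "aws_ses_dkim"`, or add a comment stating it is only meant to quiet output, not to protect a secret.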
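Review bot: `aws_region = ""` in the example, copied verbatim into `secrets.auto.tfvars`, overrides the `eu-north-1` default declared in variables.tf with an empty string (an auto-loaded tfvars assignment wins over a default), which presumably leaves the provider without a usable region or fails validation; either drop the line or show the real value. `email_domains` added further down is not a secret, and keeping it only in the gitignored secrets file means the list of domains registered with SES is not reviewable in git; a committed `terraform.tfvars` (or a default on the variable) would be the better home.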
@@ -169,3 +182,7 @@ variable "hosts" {
 datacenter = optional(string)
 }))
 }
+
+variable "email_domains" {
+ type = set(string)
+}
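Review bot: `variable "email_domains"` accepts any string, but `aws_sesv2_email_identity` treats an entry like `user@example.com` as an email-address identity, which has no Easy DKIM tokens, so a stray entry would presumably leave `aws_ses_dkim` without tokens for that key and the dnsconfig lookup empty; confirm against the resource docs. A `validation` block that rejects anything containing `@`, plus a `description` saying these are bare domains, catches that at plan time; the same variable is declared again in modules/infrastructure/variables.tf and would want the same treatment.
```hcl
variable "email_domains" {
  description = "Bare domain names to register as SES email identities (Easy DKIM); not email addresses."
  type        = set(string)

  validation {
    condition     = alltrue([for d in var.email_domains : !can(regex("@", d))])
    error_message = "email_domains must contain bare domain names, not email addresses."
  }
}
```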