added domain verification

Author: akbaralihussain

main.tf

@@ -30,4 +30,8 @@ locals {
     for key, project_info in local.all_projects : key => project_info if(contains(project_info.channels, "email"))
   }
 
+  projects_need_domain_verification = {
+    for key, project_info in local.projects_need_email : key => project_info if(project_info.verify_domain_identity)
+  }
+
 }

output.tf

@@ -1,4 +1,4 @@
-
+# outputs
 output "domain_identities" {
   value = aws_ses_domain_identity.domain
 }

ses-identity.tf renamed to ses-identity-domain.tf

@@ -5,6 +5,9 @@ locals {
 
   valid_domains     = [for p in local.projects_need_email : split("@", p.from_email)[1]]
   domain_identities = toset(distinct(local.valid_domains))
+
+  valid_domains_to_verify     = [for p in local.projects_need_domain_verification : split("@", p.from_email)[1]]
+  domains_to_verify = toset(distinct(local.valid_domains_to_verify))
 }
 
 # create all Domain identities
@@ -14,56 +17,38 @@ resource "aws_ses_domain_identity" "domain" {
   domain = each.value
 }
 
-# policy for Domain identities
-data "aws_iam_policy_document" "domain" {
-  for_each = aws_ses_domain_identity.domain
-
-  statement {
-    actions   = ["ses:*"]
-    resources = [aws_ses_domain_identity.domain[each.key].arn]
-
-    principals {
-      type        = "Service"
-      identifiers = ["pinpoint.amazonaws.com"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      values   = [data.aws_caller_identity.current.account_id]
-      variable = "aws:SourceAccount"
-    }
+# retrieve Hosted Zone using Domain Name
+data "aws_route53_zone" "by_name" {
+  for_each = local.domains_to_verify
 
-    condition {
-      test     = "StringLike"
-      values   = ["arn:aws:mobiletargeting:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:apps/*"]
-      variable = "aws:SourceArn"
-    }
-  }
+  name = each.key
 }
 
-resource "aws_ses_identity_policy" "domain" {
-  for_each = aws_ses_domain_identity.domain
+resource "aws_route53_record" "verification" {
+  for_each = data.aws_route53_zone.by_name
 
-  identity = each.value.arn
-  name     = "${replace(replace(each.value.id, "@", "_"), ".", "_")}-identity-policy"
-  policy   = data.aws_iam_policy_document.domain[each.key].json
+  zone_id = each.value.zone_id
+  name    = "_amazonses.${each.value.id}"
+  type    = "TXT"
+  ttl     = "600"
+  # records = [each.value.verification_token]
+  records = [aws_ses_domain_identity.domain[each.key].verification_token]
 }
 
-# create all Email identities
-resource "aws_ses_email_identity" "email" {
-  for_each = local.email_identities
+resource "aws_ses_domain_identity_verification" "example_verification" {
+  for_each = data.aws_route53_zone.by_name
 
-  email = each.value
+  domain     = aws_ses_domain_identity.domain[each.key].id
+  depends_on = [aws_route53_record.verification]
 }
 
-# policy for Email identities
-data "aws_iam_policy_document" "email" {
-  for_each = aws_ses_email_identity.email
+# policy for Domain identities
+data "aws_iam_policy_document" "domain" {
+  for_each = aws_ses_domain_identity.domain
 
   statement {
     actions   = ["ses:*"]
-    resources = [aws_ses_email_identity.email[each.key].arn]
-
+    resources = [aws_ses_domain_identity.domain[each.key].arn]
 
     principals {
       type        = "Service"
@@ -84,10 +69,10 @@ data "aws_iam_policy_document" "email" {
   }
 }
 
-resource "aws_ses_identity_policy" "email" {
-  for_each = aws_ses_email_identity.email
+resource "aws_ses_identity_policy" "domain" {
+  for_each = aws_ses_domain_identity.domain
 
   identity = each.value.arn
   name     = "${replace(replace(each.value.id, "@", "_"), ".", "_")}-identity-policy"
-  policy   = data.aws_iam_policy_document.email[each.key].json
+  policy   = data.aws_iam_policy_document.domain[each.key].json
 }

ses-identity-email.tf

@@ -0,0 +1,43 @@
+
+# create all Email identities
+resource "aws_ses_email_identity" "email" {
+  for_each = local.email_identities
+
+  email = each.value
+}
+
+# policy for Email identities
+data "aws_iam_policy_document" "email" {
+  for_each = aws_ses_email_identity.email
+
+  statement {
+    actions   = ["ses:*"]
+    resources = [aws_ses_email_identity.email[each.key].arn]
+
+
+    principals {
+      type        = "Service"
+      identifiers = ["pinpoint.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      values   = [data.aws_caller_identity.current.account_id]
+      variable = "aws:SourceAccount"
+    }
+
+    condition {
+      test     = "StringLike"
+      values   = ["arn:aws:mobiletargeting:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:apps/*"]
+      variable = "aws:SourceArn"
+    }
+  }
+}
+
+resource "aws_ses_identity_policy" "email" {
+  for_each = aws_ses_email_identity.email
+
+  identity = each.value.arn
+  name     = "${replace(replace(each.value.id, "@", "_"), ".", "_")}-identity-policy"
+  policy   = data.aws_iam_policy_document.email[each.key].json
+}

variables.tf

@@ -1,7 +1,7 @@
 variable "api_name" {
   type        = string
   default     = "messaging"
-  description = "Name for your API. Default is Messaging"
+  description = "Name for your API. Default value is 'Messaging'"
   # validation {
   #   condition = (can(regex("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])\\.)*([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$", var.api_name))
   #     && !strcontains(var.api_name, "..")
@@ -21,10 +21,11 @@ variable "api_version" {
 
 variable "projects" {
   type = map(object({
-    channels          = list(string)
-    from_email        = string
-    to_emails         = list(string)
-    need_api_endpoint = bool
+    channels               = list(string)
+    from_email             = string
+    to_emails              = list(string)
+    need_api_endpoint      = bool
+    verify_domain_identity = bool
   }))
   description = "List of Projects to build Messaging channels (Project details as Map(Object('Project-Name'={channels=['email','sms'], from_email='[email protected]', to_emails=['[email protected]','[email protected]'] need_api_endpoint=true}))"
 }