From d15f0d430fa955e801ebe2af288102986179bc69 Mon Sep 17 00:00:00 2001
From: whilb
Date: Tue, 2 Sep 2025 17:29:49 -0700
Subject: [PATCH] more email infra
---
 infra/email/main.tf | 43 ++++++++++++++++++++++++++++++++++++++++
 infra/email/variables.tf | 5 +++++
 2 files changed, 48 insertions(+)
diff --git a/infra/email/main.tf b/infra/email/main.tf
index 6efc353..442cd21 100644
--- a/infra/email/main.tf
+++ b/infra/email/main.tf
@@ -82,6 +82,33 @@ resource "aws_s3_bucket_public_access_block" "email_storage" {
 restrict_public_buckets = true
 }
 
+# S3 bucket policy to allow SES to write emails
+resource "aws_s3_bucket_policy" "email_storage" {
+ bucket = aws_s3_bucket.email_storage.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AllowSESToWriteEmails"
+ Effect = "Allow"
+ Principal = {
+ Service = "ses.amazonaws.com"
+ }
+ Action = [
+ "s3:PutObject"
+ ]
+ Resource = "${aws_s3_bucket.email_storage.arn}/*"
+ Condition = {
+ StringEquals = {
+ "aws:Referer" = var.aws_account_id
+ }
+ }
+ }
+ ]
+ })
+}
+
 # SES Domain identity for 127local.net
 resource "aws_ses_domain_identity" "calculator" {
 domain = var.domain_name
@@ -102,6 +129,15 @@ resource "aws_route53_record" "ses_dkim" {
 records = ["${element(aws_ses_domain_dkim.calculator.dkim_tokens, count.index)}.dkim.amazonses.com"]
 }
 
+# MX record for email receiving
+resource "aws_route53_record" "ses_mx" {
+ zone_id = var.route53_zone_id
+ name = var.domain_name
+ type = "MX"
+ ttl = "300"
+ records = ["10 inbound-smtp.us-west-2.amazonaws.com"]
+}
+
 # SES Email receiving rule set
 resource "aws_ses_receipt_rule_set" "calculator" {
 rule_set_name = "calculator-main-rule-set"
@@ -210,6 +246,13 @@ resource "aws_iam_role_policy" "lambda_policy" {
 ]
 Resource = "${aws_s3_bucket.email_storage.arn}/*"
 },
+ {
+ Effect = "Allow"
+ Action = [
+ "s3:ListBucket"
+ ]
+ Resource = aws_s3_bucket.email_storage.arn
+ },
 {
 Effect = "Allow"
 Action = [
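Review bot: The `Condition` on the `ses.amazonaws.com` statement in the new `aws_s3_bucket_policy` keys on `aws:Referer`, which is the older SES example pattern; the current AWS guidance for confused-deputy protection on a service principal is `aws:SourceAccount`, optionally paired with `aws:SourceArn` scoped to the receipt rule. I would change the `StringEquals` block to `"aws:SourceAccount" = var.aws_account_id` and, if the receipt rule's ARN is available in this module, add `"aws:SourceArn" = <receipt-rule ARN>` beside it. SES also validates this bucket policy when the receipt rule is created, so the rule resource (outside this hunk) may need `depends_on = [aws_s3_bucket_policy.email_storage]`; a one-line comment above the policy stating that ordering requirement would save the next reader a failed apply.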
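Review bot: The new `ses_mx` record hard-codes `inbound-smtp.us-west-2.amazonaws.com`, so inbound mail silently stops if the provider region (not visible here) or the region of the active receipt rule set ever differs from us-west-2. A `data "aws_region" "current" {}` source with `records = ["10 inbound-smtp.${data.aws_region.current.name}.amazonaws.com"]` keeps the endpoint tied to where the rule set actually lives. At minimum, a comment such as `# endpoint region must match the region of the active SES receipt rule set` documents the coupling.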
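Review bot: The new `s3:ListBucket` statement in `lambda_policy` grants listing over the entire `email_storage` bucket; if the Lambda only handles a known key prefix, a `Condition = { StringLike = { "s3:prefix" = ["<prefix>/*"] } }` keeps it to least privilege (the prefix the function uses is not visible here, so bucket-wide may be intentional). Adding a `Sid` such as `Sid = "ListEmailBucket"` would also match the named-statement style introduced in the new bucket policy. The enclosing `lambda_policy` resource starts and ends outside this hunk.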
diff --git a/infra/email/variables.tf b/infra/email/variables.tf
index 291b564..8c90298 100644
--- a/infra/email/variables.tf
+++ b/infra/email/variables.tf
@@ -18,3 +18,8 @@ variable "route53_zone_id" {
 description = "Route53 hosted zone ID for the domain"
 type = string
 }
+
+variable "aws_account_id" {
+ description = "AWS Account ID for SES S3 bucket policy"
+ type = string
+}
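Review bot: `aws_account_id` is a free-form string that must match the account the provider actually deploys into; a mismatch produces a bucket policy whose condition never matches and SES fails at receipt-rule creation rather than at plan time. Reading the account from `data "aws_caller_identity" "current" {}` via `data.aws_caller_identity.current.account_id` removes that drift entirely, or at least a `validation` block rejecting anything other than a 12-digit string would catch typos early. The description could also say what the value is checked against, e.g. `description = "AWS account ID; must be the account that owns the SES receipt rule, used in the email bucket policy condition"`.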