more email infra

2025-09-02 17:29:49 -07:00 · 2025-09-02 17:29:49 -07:00 · d15f0d430f
commit d15f0d430f
parent bd8a817484
2 changed files with 48 additions and 0 deletions
--- a/infra/email/main.tf
+++ b/infra/email/main.tf
@ -82,6 +82,33 @@ resource "aws_s3_bucket_public_access_block" "email_storage" {
  restrict_public_buckets = true
 }

+# S3 bucket policy to allow SES to write emails
+resource "aws_s3_bucket_policy" "email_storage" {
+  bucket = aws_s3_bucket.email_storage.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowSESToWriteEmails"
+        Effect = "Allow"
+        Principal = {
+          Service = "ses.amazonaws.com"
+        }
+        Action = [
+          "s3:PutObject"
+        ]
+        Resource = "${aws_s3_bucket.email_storage.arn}/*"
+        Condition = {
+          StringEquals = {
+            "aws:Referer" = var.aws_account_id
+          }
+        }
+      }
+    ]
+  })
+}
+
 # SES Domain identity for 127local.net
 resource "aws_ses_domain_identity" "calculator" {
  domain = var.domain_name
@ -102,6 +129,15 @@ resource "aws_route53_record" "ses_dkim" {
  records = ["${element(aws_ses_domain_dkim.calculator.dkim_tokens, count.index)}.dkim.amazonses.com"]
 }

+# MX record for email receiving
+resource "aws_route53_record" "ses_mx" {
+  zone_id = var.route53_zone_id
+  name    = var.domain_name
+  type    = "MX"
+  ttl     = "300"
+  records = ["10 inbound-smtp.us-west-2.amazonaws.com"]
+}
+
 # SES Email receiving rule set
 resource "aws_ses_receipt_rule_set" "calculator" {
  rule_set_name = "calculator-main-rule-set"
@ -210,6 +246,13 @@ resource "aws_iam_role_policy" "lambda_policy" {
        ]
        Resource = "${aws_s3_bucket.email_storage.arn}/*"
      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:ListBucket"
+        ]
+        Resource = aws_s3_bucket.email_storage.arn
+      },
      {
        Effect = "Allow"
        Action = [
--- a/infra/email/variables.tf
+++ b/infra/email/variables.tf
@ -18,3 +18,8 @@ variable "route53_zone_id" {
  description = "Route53 hosted zone ID for the domain"
  type        = string
 }
+
+variable "aws_account_id" {
+  description = "AWS Account ID for SES S3 bucket policy"
+  type        = string
+}