diff --git a/lambdas/email_report/main.py b/lambdas/email_report/main.py
index 65272508..e62b8973 100644
--- a/lambdas/email_report/main.py
+++ b/lambdas/email_report/main.py
@@ -38,8 +38,7 @@ def lambda_handler(event, context):
     BODY_HTML = _construct_email_body(BODY_TEXT, transfer_report_meta_data)
     SUBJECT = _construct_email_subject(transfer_report_meta_data)
 
-    SENDER = secret_manager.get_secret(os.environ["EMAIL_REPORT_SENDER_EMAIL_PARAM_NAME"])
-    SENDER_KEY = secret_manager.get_secret(os.environ["EMAIL_REPORT_SENDER_EMAIL_KEY_PARAM_NAME"])
+    SENDER = os.environ["EMAIL_REPORT_SENDER"]
     RECIPIENT = secret_manager.get_secret(os.environ["EMAIL_REPORT_RECIPIENT_EMAIL_PARAM_NAME"])
     RECIPIENT_INTERNAL = secret_manager.get_secret(os.environ["EMAIL_REPORT_RECIPIENT_INTERNAL_EMAIL_PARAM_NAME"])
 
diff --git a/stacks/email_and_alerting/terraform/email-report-lambda.tf b/stacks/email_and_alerting/terraform/email-report-lambda.tf
index 3e6eff6a..6353818c 100644
--- a/stacks/email_and_alerting/terraform/email-report-lambda.tf
+++ b/stacks/email_and_alerting/terraform/email-report-lambda.tf
@@ -16,10 +16,9 @@ resource "aws_lambda_function" "email_report_lambda" {
 
   environment {
     variables = {
-      EMAIL_REPORT_SENDER_EMAIL_PARAM_NAME = var.email_report_sender_email_param_name,
+      EMAIL_REPORT_SENDER = local.from_email
       EMAIL_REPORT_RECIPIENT_EMAIL_PARAM_NAME = var.email_report_recipient_email_param_name
       EMAIL_REPORT_RECIPIENT_INTERNAL_EMAIL_PARAM_NAME = var.email_report_recipient_internal_email_param_name
-      EMAIL_REPORT_SENDER_EMAIL_KEY_PARAM_NAME = var.email_report_sender_email_key_param_name
     }
   }
 }
diff --git a/stacks/email_and_alerting/terraform/iam.tf b/stacks/email_and_alerting/terraform/iam.tf
index 675852b4..78c16ceb 100644
--- a/stacks/email_and_alerting/terraform/iam.tf
+++ b/stacks/email_and_alerting/terraform/iam.tf
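Review bot: `SENDER_KEY` is removed from `lambda_handler` with no visible change to whatever consumed it; the function body continues outside this hunk, so if the send path (or a helper it calls) still references `SENDER_KEY` — the deleted variable was described as the key for SMTP auth — the handler now fails with `NameError` at runtime, and every remaining use in the module should go with it. The sender address is also switched from a `secret_manager` lookup to a plain environment variable while the recipient addresses two lines down keep the SSM indirection; that split is defensible for a non-secret from-address, but a one-line comment would stop the next reader from "fixing" it, e.g. `# Sender is derived from the stack's SES domain identity; recipients remain SSM parameters`.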
@@ -62,10 +62,8 @@ data "aws_iam_policy_document" "email_report_lambda_ssm_access" {
     ]
 
     resources = [
-      "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_sender_email_param_name}",
       "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_recipient_email_param_name}",
       "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_recipient_internal_email_param_name}",
-      "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_sender_email_key_param_name}",
     ]
   }
 }
@@ -115,10 +113,6 @@ resource "aws_iam_policy" "email_report_lambda_send_raw_email" {
   policy = data.aws_iam_policy_document.email_report_send_raw_email.json
 }
 
-data "aws_ssm_parameter" "email_report_sender_email" {
-  name = var.email_report_sender_email_param_name
-}
-
 data "aws_iam_policy_document" "email_report_send_raw_email" {
   statement {
     sid = "SendEmailWithAttachment"
@@ -128,7 +122,7 @@ data "aws_iam_policy_document" "email_report_send_raw_email" {
     ]
 
     resources = [
-      "arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/${data.aws_ssm_parameter.email_report_sender_email.value}",
+      "arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/${local.from_email}",
     ]
   }
 }
diff --git a/stacks/email_and_alerting/terraform/ses.tf b/stacks/email_and_alerting/terraform/ses.tf
index c870b15d..f5155742 100644
--- a/stacks/email_and_alerting/terraform/ses.tf
+++ b/stacks/email_and_alerting/terraform/ses.tf
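Review bot: The `ses:SendRawEmail` statement is now scoped to `identity/${local.from_email}`, an address-level identity ARN, yet the same commit deletes the `aws_ses_email_identity` for that address in ses.tf and leaves only the `gp2gp_inbox` domain identity verified. If SES resolves the send to the domain identity because the From address is no longer individually verified, an address-scoped resource ARN will not match and the Lambda gets `AccessDenied`; verify this in a non-prod account before merging. If domain-level scoping is what is intended, the resource should be `"arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/${aws_ses_domain_identity.gp2gp_inbox.domain}"`, which also ties the policy to the identity resource itself rather than to a string built in another file. The enclosing `email_report_send_raw_email` policy document starts outside this hunk.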
@@ -1,20 +1,12 @@
 locals {
   ses_domain = "mail.${var.hosted_zone_name}"
+  from_email = "gp2gp-reports@${aws_ses_domain_identity.gp2gp_inbox.domain}"
 }
 
 data "aws_ssm_parameter" "asid_lookup_address_prefix" {
   name = var.asid_lookup_inbox_prefix_param_name
 }
 
-resource "aws_ses_email_identity" "gp2gp_inbox_sender_address" {
-  email = data.aws_ssm_parameter.email_report_sender_email.value
-}
-
-moved {
-  from = aws_ses_email_identity.email_report
-  to = aws_ses_email_identity.gp2gp_inbox_sender_address
-}
-
 resource "aws_ses_domain_identity" "gp2gp_inbox" {
   domain = local.ses_domain
 }
@@ -71,7 +63,34 @@ resource "aws_route53_record" "gp2gp_inbox_dmarc" {
   type = "TXT"
   ttl = 300
 
+  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
+}
+
+resource "aws_ses_domain_mail_from" "sending" {
+  domain = aws_ses_domain_identity.ndr_ses.domain
+  mail_from_domain = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+
+  behavior_on_mx_failure = "UseDefaultValue"
+}
+
+resource "aws_route53_record" "ses_mail_from_mx" {
+  zone_id = data.aws_route53_zone.gp_registrations.zone_id
+  name = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type = "MX"
+  ttl = 600
+
   records = [
-    "v=DMARC1; p=none;"
+    "10 feedback-smtp.eu-west-2.amazonses.com"
   ]
-}
\ No newline at end of file
+}
+
+resource "aws_route53_record" "ses_mail_from_spf" {
+  zone_id = data.aws_route53_zone.gp_registrations.zone_id
+  name = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type = "TXT"
+  ttl = 600
+
+  records = [
+    "v=spf1 include:amazonses.com -all"
+  ]
+}
diff --git a/stacks/email_and_alerting/terraform/variables.tf b/stacks/email_and_alerting/terraform/variables.tf
index b352b5af..f9a69d29 100644
--- a/stacks/email_and_alerting/terraform/variables.tf
+++ b/stacks/email_and_alerting/terraform/variables.tf
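Review bot: `aws_ses_domain_mail_from.sending` and both new Route 53 records reference `aws_ses_domain_identity.ndr_ses`, while the only domain identity declared in this file — and the one `local.from_email` is built from — is `gp2gp_inbox`; unless `ndr_ses` exists elsewhere in this stack, `terraform plan` fails on the unknown reference, and if it does exist the custom MAIL FROM is attached to a different domain than reports are sent from, so the `aspf=s` strict SPF alignment added to the DMARC record would only hold if that MAIL FROM domain exactly matches `mail.${var.hosted_zone_name}`, which this wiring does not obviously guarantee. The MX target also hard-codes `eu-west-2` although iam.tf in this stack already derives the region; use `"10 feedback-smtp.${data.aws_region.current.region}.amazonses.com"`. Because the DMARC policy stays at `p=none`, consider adding a `rua=mailto:<dmarc-reports-address>` tag so alignment failures are reported somewhere before the policy is tightened. The `gp2gp_inbox_dmarc` resource starts outside this hunk.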
@@ -41,16 +41,6 @@ variable "log_alerts_technical_failures_above_threshold_rate_param_name" {
   description = "SSM parameter containing the technical failure rate threshold percentage"
 }
 
-variable "email_report_sender_email_param_name" {
-  type = string
-  description = "SSM parameter containing the sender email address for emailing reports"
-}
-
-variable "email_report_sender_email_key_param_name" {
-  type = string
-  description = "SSM parameter containing the sender email key for SMTP auth"
-}
-
 variable "email_report_recipient_email_param_name" {
   type = string
   description = "SSM parameter containing the recipient email address for emailing reports"
@@ -138,4 +128,4 @@ variable "log_alerts_slack_channel_id_param_name" {
 variable "log_alerts_slack_bot_token_param_name" {
   type = string
   description = "SSM parameter containing the slack bot token needed to send message to slack channels"
-}
\ No newline at end of file
+}
diff --git a/stacks/email_and_alerting/vars/dev.tfvars b/stacks/email_and_alerting/vars/dev.tfvars
index 4d3614af..186b9606 100644
--- a/stacks/email_and_alerting/vars/dev.tfvars
+++ b/stacks/email_and_alerting/vars/dev.tfvars
@@ -3,10 +3,8 @@ reports_generator_bucket_param_name = "/registr
 log_group_param_name = "/registrations/dev/data-pipeline/cloudwatch-log-group-name"
 asid_lookup_inbox_prefix_param_name = "/registrations/dev/user-input/asid-lookup-inbox-prefix"
 log_alerts_technical_failures_above_threshold_rate_param_name = "/registrations/dev/user-input/log-alerts-technical-failures-above-threshold-rate"
-email_report_sender_email_param_name = "/registrations/dev/user-input/email-report-sender-email"
 email_report_recipient_email_param_name = "/registrations/dev/user-input/email-report-recipient-email"
 email_report_recipient_internal_email_param_name = "/registrations/dev/user-input/email-report-recipient-internal-email"
-email_report_sender_email_key_param_name = "/registrations/dev/user-input/email-report-sender-email-key"
 log_alerts_technical_failures_webhook_url_param_name = "/registrations/dev/user-input/log-alerts-technical-failures-webhook-url"
 log_alerts_technical_failures_above_threshold_webhook_url_param_name = "/registrations/dev/user-input/log-alerts-technical-failures-above-threshold-webhook-url"
 log_alerts_general_webhook_url_param_name = "/registrations/dev/user-input/log-alerts-general-webhook-url"
diff --git a/stacks/email_and_alerting/vars/prod.tfvars b/stacks/email_and_alerting/vars/prod.tfvars
index 689e8d07..69376411 100644
--- a/stacks/email_and_alerting/vars/prod.tfvars
+++ b/stacks/email_and_alerting/vars/prod.tfvars
@@ -3,10 +3,8 @@ reports_generator_bucket_param_name = "/registr
 log_group_param_name = "/registrations/prod/data-pipeline/cloudwatch-log-group-name"
 asid_lookup_inbox_prefix_param_name = "/registrations/prod/user-input/asid-lookup-inbox-prefix"
 log_alerts_technical_failures_above_threshold_rate_param_name = "/registrations/prod/user-input/log-alerts-technical-failures-above-threshold-rate"
-email_report_sender_email_param_name = "/registrations/prod/user-input/email-report-sender-email"
 email_report_recipient_email_param_name = "/registrations/prod/user-input/email-report-recipient-email"
 email_report_recipient_internal_email_param_name = "/registrations/prod/user-input/email-report-recipient-internal-email"
-email_report_sender_email_key_param_name = "/registrations/prod/user-input/email-report-sender-email-key"
 log_alerts_technical_failures_webhook_url_param_name = "/registrations/prod/user-input/log-alerts-technical-failures-webhook-url"
 log_alerts_technical_failures_above_threshold_webhook_url_param_name = "/registrations/prod/user-input/log-alerts-technical-failures-above-threshold-webhook-url"
 log_alerts_general_webhook_url_param_name = "/registrations/prod/user-input/log-alerts-general-webhook-url"