resource "cloudflare_zone" "domain" {
  zone       = var.domain
  account_id = var.cloudflare_account_id

  # jump_start asks Cloudflare to scan the domain's current DNS and import
  # whatever it finds into the new zone. Review the imported records after the
  # first apply: stale or forgotten records are brought in along with the rest.
  jump_start = true
}
resource "cloudflare_record" "MX" {
  zone_id  = cloudflare_zone.domain.id
  type     = "MX"
  name     = "@"
  priority = 10

  # Route inbound mail to the SES receiving endpoint for var.aws_region
  # (presumably the region the receipt rule set below is created in --
  # verify against the AWS provider configuration).
  value = "inbound-smtp.${var.aws_region}.amazonaws.com"

  # A ttl of 1 is Cloudflare's "automatic" TTL.
  ttl = 1
}
# verify the domain's identity in SES
# Register the domain as an SES identity; ownership is proven through the
# _amazonses TXT record published below.
resource "aws_ses_domain_identity" "email_domain_identity" {
  domain = var.domain
}
resource "cloudflare_record" "SESToken" {
  zone_id = cloudflare_zone.domain.id
  type    = "TXT"

  # SES looks for its verification token at _amazonses.<domain>.
  name  = "_amazonses.${var.domain}"
  value = aws_ses_domain_identity.email_domain_identity.verification_token
  ttl   = 1
}
# SPF
resource "cloudflare_record" "SESSPF" {
  zone_id = cloudflare_zone.domain.id
  type    = "TXT"
  name    = "@"

  # Hard-fail SPF (-all): only Amazon SES is authorised to send from the bare
  # domain. Mail sent through SendGrid presumably uses the authenticated
  # subdomain configured further down, so it is not covered by this record.
  value = "v=spf1 include:amazonses.com -all"
  ttl   = 1

  # NOTE(review): no _dmarc TXT record is defined in this file. Without DMARC,
  # receivers are not told to enforce SPF/DKIM failures -- confirm one exists
  # elsewhere in the configuration.
}
# DKIM
# Enable Easy DKIM on the verified SES identity; the tokens it issues are
# published as CNAMEs below.
resource "aws_ses_domain_dkim" "email_dkim" {
  domain = aws_ses_domain_identity.email_domain_identity.domain
}
resource "cloudflare_record" "SESDKIM" {
  # SES issues three DKIM tokens per domain; each needs a CNAME under _domainkey.
  count = 3

  zone_id = cloudflare_zone.domain.id
  type    = "CNAME"
  name    = "${aws_ses_domain_dkim.email_dkim.dkim_tokens[count.index]}._domainkey.${var.domain}"
  value   = "${aws_ses_domain_dkim.email_dkim.dkim_tokens[count.index]}.dkim.amazonses.com"
  ttl     = 1
}
# Look up the existing S3 bucket that receives emails (the bucket itself is not created here)
# Reference to the pre-existing mailbox bucket; this file only attaches an
# ACL and a policy to it.
data "aws_s3_bucket" "mailbox" {
  bucket = var.aws_s3_bucket_name
}
resource "aws_s3_bucket_acl" "mailbox" {
  bucket = data.aws_s3_bucket.mailbox.id

  # Keep the mailbox private; SES gets its write access through the bucket
  # policy below, not through the ACL.
  acl = "private"

  # NOTE(review): applying an ACL requires the bucket's object-ownership
  # setting to allow ACLs; a bucket using BucketOwnerEnforced rejects this
  # resource -- verify against the bucket's configuration.
}
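# Account the receipt rule runs in, used for the SourceAccount guard below.
# (If the configuration already declares an aws_caller_identity data source
# elsewhere, reference that one instead of adding a second.)
data "aws_caller_identity" "current" {}

# Grant SES receiving write access to the mailbox bucket.
data "aws_iam_policy_document" "mailbox" {
  statement {
    sid    = "AllowSESPuts"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["ses.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${data.aws_s3_bucket.mailbox.arn}/*"]

    # Confused-deputy guard. The ses.amazonaws.com principal is shared by every
    # AWS account, so without this condition a receipt rule defined in any
    # other account could have SES deliver mail into this bucket. Restrict
    # puts to receipt rules owned by the account this configuration is
    # applied in.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}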
# Attach the SES write policy to the mailbox bucket.
resource "aws_s3_bucket_policy" "mailbox" {
  policy = data.aws_iam_policy_document.mailbox.json
  bucket = data.aws_s3_bucket.mailbox.id
}
# Create a new rule set
# The receipt rule set is named after the domain it handles mail for.
resource "aws_ses_receipt_rule_set" "main" {
  rule_set_name = var.domain
}
resource "aws_ses_receipt_rule" "main" {
  name          = "mailbox"
  rule_set_name = aws_ses_receipt_rule_set.main.rule_set_name
  recipients    = var.email_recipients
  enabled       = true

  # Have SES run its spam/virus scan on every message before delivery.
  scan_enabled = true

  # NOTE(review): tls_policy is not set, so it keeps the SES default
  # (presumably "Optional"), meaning unencrypted SMTP deliveries are
  # accepted -- decide whether "Require" is appropriate for these recipients.

  # Store each message under mailbox/<domain>/ in the mailbox bucket.
  s3_action {
    position          = 1
    bucket_name       = var.aws_s3_bucket_name
    object_key_prefix = "mailbox/${var.domain}"

    # NOTE(review): no kms_key_arn is set, so stored messages rely on the
    # bucket's default encryption settings -- confirm those are as intended.
  }

  # Workaround for https://github.com/hashicorp/terraform-provider-aws/issues/7917
  # (presumably SES checks bucket access when the rule is created, so the
  # bucket policy has to exist first).
  depends_on = [aws_s3_bucket_policy.mailbox]
}
# Activate rule set
# Make the rule set above the active one for the region; SES only honours a
# single active rule set at a time.
resource "aws_ses_active_receipt_rule_set" "main" {
  rule_set_name = aws_ses_receipt_rule_set.main.rule_set_name
}
resource "sendgrid_subuser" "subuser" {
  username = var.sendgrid_username
  email    = var.sendgrid_email
  ips      = [var.sendgrid_ip]

  # The password is stored in Terraform state in clear text; keep the state
  # backend encrypted and its access restricted.
  password = var.sendgrid_password
}
# Authenticate the sending domain with SendGrid on a dedicated subdomain.
resource "sendgrid_domain_authentication" "domain" {
  domain    = var.domain
  subdomain = var.sub_domain

  # automatic_security = true makes SendGrid hand out CNAME records (published
  # below) instead of requiring manual SPF/DKIM entries.
  automatic_security = true
  valid              = true
}
resource "cloudflare_record" "domain" {
  # SendGrid presumably returns three records for an automatic-security
  # domain (mail CNAME plus two DKIM CNAMEs). The count is hard-coded because
  # the dns list is only known after apply, which count likely cannot consume.
  count = 3

  zone_id = cloudflare_zone.domain.id
  name    = sendgrid_domain_authentication.domain.dns[count.index].host
  type    = upper(sendgrid_domain_authentication.domain.dns[count.index].type)
  value   = sendgrid_domain_authentication.domain.dns[count.index].data

  # These must resolve to SendGrid directly, never through the Cloudflare proxy.
  proxied = false
}
# Manually verify the domain via curl because the Terraform module doesn't support this yet.
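resource "null_resource" "auth-verification" {
  # Re-run the validation whenever the SendGrid domain authentication is
  # replaced; without a trigger this only ever runs on first creation.
  triggers = {
    domain_auth_id = sendgrid_domain_authentication.domain.id
  }

  provisioner "local-exec" {
    # The API key is passed through the environment instead of being
    # interpolated into the command string, so it does not appear in
    # plan/apply output, shell history or process listings.
    environment = {
      SENDGRID_API_KEY = var.sendgrid_api_key
    }

    # --fail makes curl exit non-zero on an HTTP error so Terraform reports
    # the failure instead of treating it as success. A 200 response with
    # "valid": false is still not detected -- check the SendGrid UI/API if
    # sending stays unauthenticated.
    command = <<-EOT
      curl -sS --fail \
        -X POST 'https://api.sendgrid.com/v3/whitelabel/domains/${sendgrid_domain_authentication.domain.id}/validate' \
        --header "Authorization: Bearer $SENDGRID_API_KEY"
    EOT
  }

  # The DNS records must be published before SendGrid can validate them.
  depends_on = [cloudflare_record.domain]
}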