CCM-10283: Fixes

Author: chris-elliott-nhsd

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -55,6 +55,40 @@ data "aws_iam_policy_document" "kms" {
     }
   }
 
+  statement {
+    sid    = "AllowSES"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "ses..amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+
+      values = [
+        "arn:aws:ses:${var.region}:${var.aws_account_id}:receipt-rule-set:*",
+      ]
+    }
+  }
+
   statement {
     sid    = "AllowLogDeliveryEncrypt"
     effect = "Allow"

infrastructure/terraform/components/app/module_backend_api.tf

@@ -28,8 +28,7 @@ module "backend_api" {
 
   send_to_firehose = true
 
-  email_domain             = local.root_domain_name
-  ses_domain_identity_arns = module.ses.domain_identity_arns
+  email_domain = module.ses.domain
 
   mock_letter_supplier_name     = local.mock_letter_supplier_name
   use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null

infrastructure/terraform/components/sandbox/README.md

@@ -15,7 +15,7 @@ No requirements.
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
-| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    email_addresses  = list(string)<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | <pre>{<br/>  "WTMMOCK": {<br/>    "default_supplier": true,<br/>    "email_addresses": [<br/>      "[email protected]"<br/>    ],<br/>    "enable_polling": true<br/>  }<br/>}</pre> | no |
+| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    email_addresses  = list(string)<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | <pre>{<br/>  "WTMMOCK": {<br/>    "default_supplier": true,<br/>    "email_addresses": [<br/>      "template-submitted-recipient@sandbox.templates.dev.nhsnotify.national.nhs.uk"<br/>    ],<br/>    "enable_polling": true<br/>  }<br/>}</pre> | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -27,12 +27,7 @@ module "backend_api" {
   enable_event_stream = true
 
   email_domain             = "sandbox.${local.acct.dns_zone["name"]}"
-  ses_domain_identity_arns = [data.aws_ses_domain_identity.sandbox_ses.arn]
 
   mock_letter_supplier_name     = local.mock_letter_supplier_name
   use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null
 }
-
-data "aws_ses_domain_identity" "sandbox_ses" {
-  domain = "sandbox.${local.acct.dns_zone["name"]}"
-}

infrastructure/terraform/components/sandbox/variables.tf

@@ -72,7 +72,7 @@ variable "letter_suppliers" {
 
   default = {
     "WTMMOCK" = {
-      email_addresses  = ["[email protected]"]
+      email_addresses  = ["template-submitted-recipient@sandbox.templates.dev.nhsnotify.national.nhs.uk"]
       enable_polling   = true
       default_supplier = true
     }

infrastructure/terraform/modules/backend-api/README.md

@@ -32,7 +32,6 @@ No requirements.
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_send_to_firehose"></a> [send\_to\_firehose](#input\_send\_to\_firehose) | Flag indicating whether logs should be sent to firehose | `bool` | n/a | yes |
-| <a name="input_ses_domain_identity_arns"></a> [ses\_domain\_identity\_arns](#input\_ses\_domain\_identity\_arns) | SES Domain Identity ARNs | `list(string)` | n/a | yes |
 | <a name="input_use_sftp_letter_supplier_mock"></a> [use\_sftp\_letter\_supplier\_mock](#input\_use\_sftp\_letter\_supplier\_mock) | Flag indicating whether mock letter supplier is enabled | `bool` | n/a | yes |
 ## Modules
 

infrastructure/terraform/modules/backend-api/locals.tf

@@ -48,7 +48,7 @@ locals {
     TEMPLATES_DOWNLOAD_BUCKET_NAME          = module.s3bucket_download.id
     TEMPLATES_TABLE_NAME                    = aws_dynamodb_table.templates.name
     ENABLE_PROOFING                         = var.enable_proofing
-    TEMPLATE_SUBMITTED_SENDER_EMAIL_ADDRESS = "template-submitted@${var.email_domain}"
+    TEMPLATE_SUBMITTED_SENDER_EMAIL_ADDRESS = local.template_submitted_sender_email_address
     SUPPLIER_RECIPIENT_EMAIL_ADDRESSES      = jsonencode({ for k, v in var.letter_suppliers : k => v.email_addresses })
   }
 
@@ -57,4 +57,5 @@ locals {
   ][0], "")
 
   sftp_environment = "${var.group}-${var.environment}-${var.component}"
+  template_submitted_sender_email_address = "template-submitted-recipient@${var.email_domain}"
 }

infrastructure/terraform/modules/backend-api/module_submit_template_lambda.tf

@@ -71,6 +71,7 @@ data "aws_iam_policy_document" "submit_template_lambda_policy" {
 
     actions = ["ses:SendRawEmail"]
 
-    resources = var.ses_domain_identity_arns
+    resources = ["arn:aws:ses:${var.region}:${var.aws_account_id}:identity/${local.template_submitted_sender_email_address}",
+    "arn:aws:ses:${var.region}:${var.aws_account_id}:identity/${var.email_domain}"]
   }
 }

infrastructure/terraform/modules/backend-api/variables.tf

@@ -143,8 +143,3 @@ variable "use_sftp_letter_supplier_mock" {
   type        = bool
   description = "Flag indicating whether mock letter supplier is enabled"
 }
-
-variable "ses_domain_identity_arns" {
-  type        = list(string)
-  description = "SES Domain Identity ARNs"
-}

infrastructure/terraform/modules/ses/README.md

@@ -28,7 +28,7 @@ No requirements.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_domain_identity_arns"></a> [domain\_identity\_arns](#output\_domain\_identity\_arns) | n/a |
+| <a name="output_domain"></a> [domain](#output\_domain) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->