Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: adding intermediary S3 bucket for FFIS email data #64

Merged
merged 4 commits into from
Apr 28, 2023
Merged

fix: adding intermediary S3 bucket for FFIS email data #64

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4d3e8b6
fix: adding intermediary S3 bucket for FFIS email data
slapula Apr 27, 2023
cfe3463
Merge branch 'main' into 61-ffis-source-bucket-for-ses
TylerHendrickson Apr 27, 2023
d1af427
standalone rule set resource
slapula Apr 27, 2023
51e4328
update based on feedback
slapula Apr 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 37 additions & 6 deletions terraform/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ module "grants_source_data_bucket" {
sse_algorithm = "AES256"
allow_ssl_requests_only = true
allow_encrypted_uploads_only = true
source_policy_documents = [data.aws_iam_policy_document.ses_source_data_s3_access.json]
source_policy_documents = []

lifecycle_configuration_rules = [
{
Expand Down Expand Up @@ -181,6 +181,33 @@ module "grants_prepared_data_bucket" {
]
}

module "ffis_source_data_bucket" {
source = "cloudposse/s3-bucket/aws"
version = "3.0.0"
context = module.s3_label.context
name = "ffis_source_data"
slapula marked this conversation as resolved.
Show resolved Hide resolved

acl = "private"
versioning_enabled = true
sse_algorithm = "AES256"
allow_ssl_requests_only = true
allow_encrypted_uploads_only = false
source_policy_documents = [data.aws_iam_policy_document.ses_source_data_s3_access.json]

lifecycle_configuration_rules = [
{
enabled = true
id = "rule-1"
filter_and = null
abort_incomplete_multipart_upload_days = 1
transition = [{ days = null }]
expiration = { days = 30 }
noncurrent_version_transition = []
slapula marked this conversation as resolved.
Show resolved Hide resolved
noncurrent_version_expiration = { days = null }
}
]
}

resource "aws_scheduler_schedule_group" "default" {
count = var.eventbridge_scheduler_enabled ? 1 : 0

Expand All @@ -204,19 +231,23 @@ data "aws_iam_policy_document" "read_datadog_api_key_secret" {
}
}

resource "aws_ses_receipt_rule_set" "ffis_ingest" {
rule_set_name = "${var.namespace}-ffis_ingest"
}

resource "aws_ses_receipt_rule" "ffis_ingest" {
depends_on = [
module.grants_source_data_bucket
module.ffis_source_data_bucket
]
name = "${var.namespace}-ffis_ingest"
rule_set_name = "ffis_ingest-rule-set"
rule_set_name = aws_ses_receipt_rule_set.ffis_ingest.rule_set_name
recipients = [var.ffis_ingest_email_address]
enabled = true
scan_enabled = true
tls_policy = "Require"

s3_action {
bucket_name = module.grants_source_data_bucket.bucket_id
bucket_name = module.ffis_source_data_bucket.bucket_id
position = 1
object_key_prefix = "ses/ffis_ingest/new"
}
Expand All @@ -234,13 +265,13 @@ data "aws_iam_policy_document" "ses_source_data_s3_access" {
"s3:PutObject",
]

resources = ["${module.grants_source_data_bucket.bucket_arn}/ses/*"]
resources = ["${module.ffis_source_data_bucket.bucket_arn}/ses/*"]

condition {
test = "StringEquals"
variable = "AWS:SourceArn"
values = [
"arn:aws:ses:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:receipt-rule-set/ffis_ingest-rule-set:receipt-rule/${var.namespace}-ffis_ingest"
"arn:aws:ses:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:receipt-rule-set/${var.namespace}-ffis_ingest:receipt-rule/${var.namespace}-ffis_ingest"
]
}
condition {
Expand Down