thoughtbot/terraform-aws-ses-smtp-credentials

Generate and rotate IAM access keys usable for sending email using Amazon SES

Primary Language: Python

SES SMTP User

Provides SMTP credentials for an existing SES domain identity.

SMTP usernames and passwords for SES require creating an IAM user and access key. This module will create a Secrets Manager secret and populate it with rotating SMTP credentials from a dedicated IAM user.

Example:

module "ses_smtp" {
  source = "github.com/thoughtbot/terraform-aws-ses-smtp-credentials?ref=v0.2.0"

  # The domain corresponding to your domain identity
  domain = "example.com"

  # The name of the secret to create
  name = "example-production-smtp"

  # Fill in details for your VPC
  subnet_ids = data.aws_subnet.private.*.id
  vpc_id     = data.aws_vpc.this.id
}

The outputs include policy_json, which is an IAM policy allowing access to the secret. You can add this to an IAM role or policy.

Requirements

| Name | Version |
| --- | --- |
| terraform | >= 0.14.0 |
| aws | ~> 4.0 |

Providers

| Name | Version |
| --- | --- |
| aws | ~> 4.0 |

Modules

| Name | Source | Version |
| --- | --- | --- |
| rotation | github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function | v0.4.0 |
| secret | github.com/thoughtbot/terraform-aws-secrets//secret | v0.4.0 |

Resources

| Name | Type |
| --- | --- |
| aws_iam_policy.access_keys | resource |
| aws_iam_policy.send_mail | resource |
| aws_iam_role_policy_attachment.access_keys | resource |
| aws_iam_user.mail | resource |
| aws_iam_user_policy_attachment.send_mail | resource |
| aws_security_group.function | resource |
| aws_security_group_rule.function_egress | resource |
| aws_caller_identity.this | data source |
| aws_iam_policy_document.access_keys | data source |
| aws_iam_policy_document.send_mail | data source |
| aws_region.this | data source |

Inputs

| Name | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| admin_principals | Principals allowed to perform admin actions (default: current account) | list(string) | null | no |
| domain | The domain from which emails are sent | string | n/a | yes |
| identity_account_id | ID of account that is authorized to send emails (default: current account) | string | null | no |
| name | Name for created resources | string | n/a | yes |
| read_principals | Principals allowed to read the secret (default: current account) | list(string) | null | no |
| subnet_ids | Subnets in which the rotation function should run | list(string) | [] | no |
| tags | Tags which should be applied to created resources | map(string) | {} | no |
| trust_tags | Tags required on principals accessing the secret | map(string) | {} | no |
| vpc_id | VPC in which the rotation function should run | string | null | no |

Outputs

| Name | Description |
| --- | --- |
| policy_json | Required IAM policies |
| secret_arn | ARN of the secrets manager secret containing credentials |
| secret_name | Name of the secrets manager secret containing credentials |
| smtp_user_name | IAM user name of the SMTP user |