In this post I cover how I create email accounts in AWS with Terraform. I chose Terraform because it is easier to set up than the AWS console; in this case the only thing needed beforehand is the AWS hosted zone.
Create two files, one called variables.tf and the other main.tf.
variables.tf
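# Route 53 hosted zone that already exists for the domain; every DNS
# record in main.tf is written into this zone. The default is a placeholder.
variable "zone_id" {
  type        = string
  default     = "ABCDFGH1234567"
  description = "Zone ID where you have your domains"
}

# Domain that SES verifies and receives mail for; the verification,
# DKIM, MX and SPF records are all derived from it.
variable "domain" {
  type        = string
  default     = "myawesomeemail.com"
  description = "Domain that receives mail through SES"
}

# Recipient addresses matched by the SES receipt rule in main.tf.
variable "admin_email" {
  type        = string
  default     = "admin@myawesomeemail.com"
  description = "Admin mailbox address"
}

variable "admin_dev_email" {
  type        = string
  default     = "dev-admin@myawesomeemail.com"
  description = "Development admin mailbox address"
}

variable "admin_stg_email" {
  type        = string
  default     = "stg-admin@myawesomeemail.com"
  description = "Staging admin mailbox address"
}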
In the variables.tf file I wrote the domain, the hosted zone ID and the email accounts that I need. In this case, just as a demonstration, I set up three email accounts.
main.tf
# AWS provider using the local "default" credentials profile.
# The region must match the SES receiving endpoint used in the MX record
# below, because SES email receiving is region-specific.
provider "aws" {
profile = "default"
region = "us-east-1"
}
# Registers the domain with SES; its verification_token is published as a
# TXT record below so SES can confirm ownership of the domain.
resource "aws_ses_domain_identity" "email-domain" {
domain = var.domain
}
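# Domain-verification TXT record. SES looks it up at _amazonses.<domain>,
# so the name is derived from var.domain instead of a hard-coded host
# (the original "_amzonses.email.com" would never be checked by SES).
resource "aws_route53_record" "email-record" {
  zone_id = var.zone_id
  name    = "_amazonses.${var.domain}"
  type    = "TXT"
  ttl     = 600
  records = [
    aws_ses_domain_identity.email-domain.verification_token,
  ]
}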
# Generates the DKIM signing tokens for the verified domain; each token is
# published as a CNAME record below so receivers can validate signatures.
resource "aws_ses_domain_dkim" "domain_dkim" {
domain = aws_ses_domain_identity.email-domain.domain
}
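# One CNAME per DKIM token, at <token>._domainkey.<domain>. The record
# name must live under var.domain; the original pointed at a hard-coded
# "email.net", so DKIM would never validate for the real domain.
resource "aws_route53_record" "email_dkim_record" {
  # SES issues three DKIM tokens per domain.
  count   = 3
  zone_id = var.zone_id
  name    = "${aws_ses_domain_dkim.domain_dkim.dkim_tokens[count.index]}._domainkey.${var.domain}"
  type    = "CNAME"
  ttl     = 600
  records = [
    "${aws_ses_domain_dkim.domain_dkim.dkim_tokens[count.index]}.dkim.amazonses.com",
  ]
}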
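# MX record that routes inbound mail for the domain to the SES receiving
# endpoint. The endpoint is region-specific and must match the provider
# region above.
# NOTE(review): AWS documents one receiving endpoint per region, of the
# form inbound-smtp.<region>.amazonaws.com; confirm that the second
# hostname actually resolves before keeping it, because an unresolvable
# MX at equal priority costs senders retries.
resource "aws_route53_record" "email-mx-records" {
  zone_id = var.zone_id
  name    = var.domain
  type    = "MX"
  # Numeric TTL, consistent with the other records in this file.
  ttl     = 600
  records = [
    "10 inbound-smtp.us-east-1.amazonses.com",
    "10 inbound-smtp.us-east-1.amazonaws.com",
  ]
}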
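# SPF record for the domain. The include: mechanism takes a domain name,
# so it must be "amazonses.com"; the original "include:amazonses" is not a
# valid domain and would make receivers treat the record as an error.
# "-all" is a hard fail for every sender not covered by the include.
resource "aws_route53_record" "spf-records" {
  zone_id = var.zone_id
  name    = var.domain
  type    = "TXT"
  ttl     = 600
  records = [
    "v=spf1 include:amazonses.com -all",
  ]
}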
# Receipt rule set that holds the "admin" rule; activated below.
resource "aws_ses_receipt_rule_set" "main_email" {
rule_set_name = "email"
}
# Makes the rule set the active one for the account/region. Only one rule
# set can be active at a time; the explicit dependency ensures the admin
# rule exists before the set starts handling mail.
resource "aws_ses_active_receipt_rule_set" "email_active_rule" {
rule_set_name = aws_ses_receipt_rule_set.main_email.rule_set_name
depends_on = [
aws_ses_receipt_rule.admin
]
}
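# Receipt rule for the three admin addresses: adds a header and stores
# the message in the mail bucket.
resource "aws_ses_receipt_rule" "admin" {
  name = "admin"
  # Reference the rule set resource instead of repeating the literal
  # "email", so a rename of the set cannot silently detach the rule.
  rule_set_name = aws_ses_receipt_rule_set.main_email.rule_set_name
  recipients    = [var.admin_email, var.admin_dev_email, var.admin_stg_email]
  enabled       = true
  # Spam and virus scanning of incoming mail by SES.
  scan_enabled = true

  add_header_action {
    header_name  = "Custom-Header"
    header_value = "Provided by Amazon SES"
    position     = 1
  }

  s3_action {
    bucket_name = aws_s3_bucket.email_bucket.id
    position    = 2
  }

  # SES verifies at rule-creation time that it can write to the bucket, so
  # the bucket policy granting ses.amazonaws.com s3:PutObject must already
  # be applied. The bucket itself is an implicit dependency via bucket_name.
  depends_on = [aws_s3_bucket_policy.policy_bucket]
}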
# Individual email identities for the three admin addresses. These are
# separate from the domain identity above; SES sends a verification mail
# to each address.
resource "aws_ses_email_identity" "admin_email" {
email = var.admin_email
}
resource "aws_ses_email_identity" "dev_email" {
email = var.admin_dev_email
}
resource "aws_ses_email_identity" "stg_email" {
email = var.admin_stg_email
}
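# Bucket that stores every received message. Mail content is sensitive,
# so the bucket is private and public access is blocked at the bucket
# level; the original "public-read" ACL exposed all stored mail to anyone.
# NOTE: S3 bucket names are global, so "email-bucket" will most likely
# already be taken and should be made unique (e.g. prefixed with the
# domain or account).
resource "aws_s3_bucket" "email_bucket" {
  bucket = "email-bucket"
  acl    = "private"
  tags = {
    Name = "EmailBucket"
  }
}

# Belt-and-braces: reject any public ACL or public bucket policy on the
# mail bucket. The SES service-principal policy below is not public, so it
# is unaffected.
resource "aws_s3_bucket_public_access_block" "email_bucket" {
  bucket                  = aws_s3_bucket.email_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}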
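# Current account id, used to scope the SES write grant below.
data "aws_caller_identity" "current" {}

# Lets the SES service write received messages into the bucket. The
# resource ARN is taken from the bucket resource rather than a repeated
# literal name, and the grant is restricted to SES acting on behalf of
# this account: ses.amazonaws.com is a shared service principal, so without
# the condition any AWS account's receipt rule could write into the bucket.
resource "aws_s3_bucket_policy" "policy_bucket" {
  bucket = aws_s3_bucket.email_bucket.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowSESPuts"
        Effect    = "Allow"
        Principal = { Service = "ses.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.email_bucket.arn}/*"
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}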
In the main.tf file I basically set up the receipt rules, the TXT and MX records, and the bucket where the emails are going to be stored.