From f118d404ba9e4c461019e3154a4aabad14e4db16 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Wed, 2 Oct 2024 16:57:19 +0200
Subject: [PATCH 1/4] Adding-aws-ses-role
---
roles/aws/aws_ses/defaults/main.yml | 2 +
roles/aws/aws_ses/tasks/main.yml | 36 ++++++++++++++++++
.../aws_ses/templates/fetch_account_id.py.j2 | 18 +++++++++
roles/aws/aws_ses/templates/ses.json.j2 | 37 +++++++++++++++++++
4 files changed, 93 insertions(+)
create mode 100644 roles/aws/aws_ses/defaults/main.yml
create mode 100644 roles/aws/aws_ses/tasks/main.yml
create mode 100644 roles/aws/aws_ses/templates/fetch_account_id.py.j2
create mode 100644 roles/aws/aws_ses/templates/ses.json.j2
diff --git a/roles/aws/aws_ses/defaults/main.yml b/roles/aws/aws_ses/defaults/main.yml
new file mode 100644
index 000000000..10218b089
--- /dev/null
+++ b/roles/aws/aws_ses/defaults/main.yml
@@ -0,0 +1,2 @@
+_ses_domain: codeenigma.uk
+region: "{{ _aws_region}}"
diff --git a/roles/aws/aws_ses/tasks/main.yml b/roles/aws/aws_ses/tasks/main.yml
new file mode 100644
index 000000000..191ca6e55
--- /dev/null
+++ b/roles/aws/aws_ses/tasks/main.yml
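Review bot: `region: "{{ _aws_region}}"` in defaults/main.yml defines an un-prefixed, role-global variable that no task in this series reads — the tasks reference `_aws_region` directly — so it only risks colliding with a `region` variable set elsewhere in the play; drop it or rename it to the role's `_`-prefixed convention (for example `_ses_region`). `_ses_domain: codeenigma.uk` bakes an organisation-specific domain into the role default, so a consumer who forgets to override it will create an SES identity, sending policy and DKIM records for a domain it does not own; a placeholder default plus an `ansible.builtin.assert` that the variable was set is the safer shape. The missing space in `{{ _aws_region}}` is harmless to Jinja but inconsistent with the other templates.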
@@ -0,0 +1,36 @@
+---
+- name: "Ensure {{ _aws_profile }}.codeenigma.uk domain identity exists"
+ community.aws.ses_identity:
+ profile: "{{ _aws_profile }}"
+ identity: "{{ _aws_profile }}.codeenigma.uk"
+ state: present
+ region: "{{ _aws_region}}"
+
+- name: Gather AWS account ID if it isn't already set.
+ amazon.aws.aws_caller_info:
+ profile: "{{ _aws_profile }}"
+ delegate_to: localhost
+ register: aws_account_id
+
+- name: Add sending authorization policy to domain identity
+ community.aws.ses_identity_policy:
+ identity: "{{ _aws_profile }}.codeenigma.uk"
+ policy_name: AWSses
+ policy: "{{ lookup('template', 'ses.json.j2') }}"
+ state: present
+ region: "{{ _aws_region }}"
+
+- name: Fetch SES domain CNAME
+ ansible.builtin.command: "aws ses verify-domain-dkim --domain {{ _aws_profile }}.codeenigma.uk --region {{ _aws_region }}"
+ register: ses_dkim_attributes
+
+- name: Add a DNS records in Route 53 for validation.
+ amazon.aws.route53:
+ state: present
+ zone: codeenigma.uk
+ record: "{{ item }}._domainkey.{{ _aws_profile }}.codeenigma.uk"
+ profile: "core"
+ type: CNAME
+ ttl: 300
+ value: "{{ item }}.dkim.amazonses.com"
+ loop: "{{ ses_dkim_attributes.stdout | from_json | json_query('DkimTokens') }}"
diff --git a/roles/aws/aws_ses/templates/fetch_account_id.py.j2 b/roles/aws/aws_ses/templates/fetch_account_id.py.j2
new file mode 100644
index 000000000..8de519679
--- /dev/null
+++ b/roles/aws/aws_ses/templates/fetch_account_id.py.j2
@@ -0,0 +1,18 @@
+#!/home/controller/ansible/bin/python3
+import boto3
+import sys
+from botocore.exceptions import NoCredentialsError
+
+def get_account_id():
+ try:
+ session = boto3.Session()
+ sts_client = session.client('sts')
+ response = sts_client.get_caller_identity()
+ return response['Account']
+ except NoCredentialsError:
+ print("Could not find AWS credentials.")
+ sys.exit(1)
+
+if __name__ == "__main__":
+ account_id = get_account_id()
+ print(account_id)
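Review bot: The `community.aws.ses_identity_policy` task and the `aws ses verify-domain-dkim` command do not select a profile, while the `ses_identity` task that creates the identity does; on a controller with several profiles configured those two steps fall back to the default credential chain and can attach the sending policy, or enable DKIM, in a different account from the one that owns the identity. Add `profile: "{{ _aws_profile }}"` to the policy task and `--profile {{ _aws_profile }}` to the command, so all four AWS calls are pinned to the same account. Only `aws_caller_info` carries `delegate_to: localhost`; if this role is ever applied to a remote host the other AWS calls run there and need boto and credentials on that host, so delegate every task or none. The shell-out to `verify-domain-dkim` also reports `changed` on every run; a one-line comment on why the CLI is used instead of a module would help the next maintainer. The same profile omissions survive unchanged into the patch 4 rewrite of this hunk.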
diff --git a/roles/aws/aws_ses/templates/ses.json.j2 b/roles/aws/aws_ses/templates/ses.json.j2
new file mode 100644
index 000000000..9823d3fa7
--- /dev/null
+++ b/roles/aws/aws_ses/templates/ses.json.j2
@@ -0,0 +1,37 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ses:SendEmail",
+ "ses:PutEmailIdentityDkimAttributes",
+ "ses:PutEmailIdentityDkimSigningAttributes",
+ "ses:ListRecommendations",
+ "ses:BatchGetMetricData",
+ "ses:UntagResource",
+ "ses:TagResource",
+ "ses:PutEmailIdentityMailFromAttributes",
+ "ses:PutEmailIdentityFeedbackAttributes",
+ "ses:PutEmailIdentityConfigurationSetAttributes",
+ "ses:DeleteEmailIdentityPolicy",
+ "ses:DeleteEmailIdentity",
+ "ses:UpdateEmailIdentityPolicy",
+ "ses:CreateDeliverabilityTestReport",
+ "ses:CreateEmailIdentityPolicy",
+ "ses:GetDomainStatisticsReport",
+ "ses:GetEmailIdentityPolicies",
+ "ses:GetEmailIdentity",
+ "ses:SendBulkTemplatedEmail",
+ "ses:SendTemplatedEmail",
+ "ses:SendRawEmail"
+ ],
+ "Principal": {
+ "AWS": [
+ "{{ aws_account_id.account }}"
+ ]
+ },
+ "Resource": "arn:aws:ses:{{ _aws_region }}:{{ aws_account_id.account }}:identity/{{ _aws_profile }}.codeenigma.uk"
+ }
+ ]
+}
From 8e208545b8e038c47c90c443a1fc691774123421 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Wed, 2 Oct 2024 17:09:45 +0200
Subject: [PATCH 2/4] Removing-python-script
---
.../aws_ses/templates/fetch_account_id.py.j2 | 18 ------------------
1 file changed, 18 deletions(-)
delete mode 100644 roles/aws/aws_ses/templates/fetch_account_id.py.j2
diff --git a/roles/aws/aws_ses/templates/fetch_account_id.py.j2 b/roles/aws/aws_ses/templates/fetch_account_id.py.j2
deleted file mode 100644
index 8de519679..000000000
--- a/roles/aws/aws_ses/templates/fetch_account_id.py.j2
+++ /dev/null
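Review bot: The statement grants its whole action list to `"AWS": ["{{ aws_account_id.account }}"]`, which is the account root, so every IAM principal in that account whose own IAM policy allows `ses:*` becomes an authorised sender and identity administrator for the domain; a sending-authorization policy normally needs only the role or user ARN that actually sends, and `Principal` should be narrowed to that. The list also mixes the sending actions (`ses:SendEmail`, `ses:SendRawEmail`, `ses:SendTemplatedEmail`, `ses:SendBulkTemplatedEmail`) with identity-management actions such as `ses:DeleteEmailIdentity`, `ses:UpdateEmailIdentityPolicy` and `ses:PutEmailIdentityDkimSigningAttributes`; delegating those through an identity policy is not what the mechanism is for, and SES may not honour non-sending actions here at all — check the API before relying on them. Trimming the list to the four `Send*` actions keeps the template correct whichever way SES validates it, and a short comment in the template naming the intended sender would document the grant.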
@@ -1,18 +0,0 @@
-#!/home/controller/ansible/bin/python3
-import boto3
-import sys
-from botocore.exceptions import NoCredentialsError
-
-def get_account_id():
- try:
- session = boto3.Session()
- sts_client = session.client('sts')
- response = sts_client.get_caller_identity()
- return response['Account']
- except NoCredentialsError:
- print("Could not find AWS credentials.")
- sys.exit(1)
-
-if __name__ == "__main__":
- account_id = get_account_id()
- print(account_id)
From f5ca3878e571272158431fa2d4f758196b5be277 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Wed, 2 Oct 2024 17:16:40 +0200
Subject: [PATCH 3/4] Changing-domain-name
---
roles/aws/aws_ses/tasks/main.yml | 10 +++++-----
roles/aws/aws_ses/templates/ses.json.j2 | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/roles/aws/aws_ses/tasks/main.yml b/roles/aws/aws_ses/tasks/main.yml
index 191ca6e55..c639597a2 100644
--- a/roles/aws/aws_ses/tasks/main.yml
+++ b/roles/aws/aws_ses/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
-- name: "Ensure {{ _aws_profile }}.codeenigma.uk domain identity exists"
+- name: "Ensure codeenigma.uk domain identity exists"
 community.aws.ses_identity:
 profile: "{{ _aws_profile }}"
- identity: "{{ _aws_profile }}.codeenigma.uk"
+ identity: "codeenigma.uk"
 state: present
 region: "{{ _aws_region}}"
@@ -14,21 +14,21 @@
 - name: Add sending authorization policy to domain identity
 community.aws.ses_identity_policy:
- identity: "{{ _aws_profile }}.codeenigma.uk"
+ identity: "codeenigma.uk"
 policy_name: AWSses
 policy: "{{ lookup('template', 'ses.json.j2') }}"
 state: present
 region: "{{ _aws_region }}"
 - name: Fetch SES domain CNAME
 ansible.builtin.command: "aws ses verify-domain-dkim --domain {{ _aws_profile }}.codeenigma.uk --region {{ _aws_region }}"
+ ansible.builtin.command: "aws ses verify-domain-dkim --domain codeenigma.uk --region {{ _aws_region }}"
 register: ses_dkim_attributes
 - name: Add a DNS records in Route 53 for validation.
 amazon.aws.route53:
 state: present
 zone: codeenigma.uk
- record: "{{ item }}._domainkey.{{ _aws_profile }}.codeenigma.uk"
+ record: "{{ item }}._domainkey.codeenigma.uk"
 profile: "core"
 type: CNAME
 ttl: 300
diff --git a/roles/aws/aws_ses/templates/ses.json.j2 b/roles/aws/aws_ses/templates/ses.json.j2
index 9823d3fa7..2c9d72a3e 100644
--- a/roles/aws/aws_ses/templates/ses.json.j2
+++ b/roles/aws/aws_ses/templates/ses.json.j2
@@ -31,7 +31,7 @@
 "{{ aws_account_id.account }}"
 ]
 },
- "Resource": "arn:aws:ses:{{ _aws_region }}:{{ aws_account_id.account }}:identity/{{ _aws_profile }}.codeenigma.uk"
+ "Resource": "arn:aws:ses:{{ _aws_region }}:{{ aws_account_id.account }}:identity/codeenigma.uk"
 }
 ]
 }
From 31fe1edfa4208562ca50f638111e56809f0f1ef3 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Wed, 2 Oct 2024 17:19:51 +0200
Subject: [PATCH 4/4] Using-variable-for-domain-name
---
roles/aws/aws_ses/tasks/main.yml | 12 ++++++------
roles/aws/aws_ses/templates/ses.json.j2 | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/aws/aws_ses/tasks/main.yml b/roles/aws/aws_ses/tasks/main.yml
index c639597a2..62da7c1b5 100644
--- a/roles/aws/aws_ses/tasks/main.yml
+++ b/roles/aws/aws_ses/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
-- name: "Ensure codeenigma.uk domain identity exists"
+- name: "Ensure {{ _ses_domain }} domain identity exists"
 community.aws.ses_identity:
 profile: "{{ _aws_profile }}"
- identity: "codeenigma.uk"
+ identity: "{{ _ses_domain }}"
 state: present
 region: "{{ _aws_region}}"
@@ -14,21 +14,21 @@
 - name: Add sending authorization policy to domain identity
 community.aws.ses_identity_policy:
- identity: "codeenigma.uk"
+ identity: "{{ _ses_domain }}"
 policy_name: AWSses
 policy: "{{ lookup('template', 'ses.json.j2') }}"
 state: present
 region: "{{ _aws_region }}"
 - name: Fetch SES domain CNAME
- ansible.builtin.command: "aws ses verify-domain-dkim --domain codeenigma.uk --region {{ _aws_region }}"
+ ansible.builtin.command: "aws ses verify-domain-dkim --domain {{ _ses_domain }} --region {{ _aws_region }}"
 register: ses_dkim_attributes
 - name: Add a DNS records in Route 53 for validation.
 amazon.aws.route53:
 state: present
- zone: codeenigma.uk
- record: "{{ item }}._domainkey.codeenigma.uk"
+ zone: "{{ _ses_domain }}"
+ record: "{{ item }}._domainkey.{{ _ses_domain }}"
 profile: "core"
 type: CNAME
 ttl: 300
diff --git a/roles/aws/aws_ses/templates/ses.json.j2 b/roles/aws/aws_ses/templates/ses.json.j2
index 2c9d72a3e..3230f7bdd 100644
--- a/roles/aws/aws_ses/templates/ses.json.j2
+++ b/roles/aws/aws_ses/templates/ses.json.j2
@@ -31,7 +31,7 @@
 "{{ aws_account_id.account }}"
 ]
 },
- "Resource": "arn:aws:ses:{{ _aws_region }}:{{ aws_account_id.account }}:identity/codeenigma.uk"
+ "Resource": "arn:aws:ses:{{ _aws_region }}:{{ aws_account_id.account }}:identity/{{ _ses_domain }}"
 }
 ]
 }
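Review bot: The Route 53 task now takes `zone` from `_ses_domain` but still pins `profile: "core"`, whereas every other task in the file authenticates with `{{ _aws_profile }}`; if the hosted zone deliberately lives in a separate DNS account that is worth a variable (for example `_ses_dns_profile`, defaulted to `core`) and a comment saying so, because a consumer who overrides `_ses_domain` will otherwise have DKIM CNAMEs written into the `core` account's zone, or get a hard failure if that profile does not exist on the host running the task. The `route53` task continues past the hunk with its `value` and `loop` keys, and the `profile` and `delegate_to` inconsistencies raised on the patch 1 version of this file still apply here.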