Restore config set destination, update SNS policy

After deploying the previous commit, the SNS topic policy looked as expected. However, I finally stumbled upon the page showing the policy for an event destination, which is slightly different than the policy for verified identity notifications. In other words, I was previously following the instructions here: - https://docs.aws.amazon.com/ses/latest/dg/configure-sns-notifications.html when I needed to follow the instructions here: - https://docs.aws.amazon.com/ses/latest/dg/event-publishing-add-event-destination-sns.html As noted in the comment I added to template.html, the difference is subtle. It's possible to have one topic for multiple deployments using the verified identity notifications. For this application, however, we set up different topics and destinations for each deployment. This keeps each deployment's notifications encapsulated from one another.
mbland · Apr 10, 2023 · 29fd056 · 29fd056
1 parent 3c62857
commit 29fd056
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -307,6 +307,7 @@ This software is made available as [Open Source software][oss-def] under the
 - [Receiving Amazon SES notifications using Amazon SNS][]
 - [Contents of event data that Amazon SES publishes to Amazon SNS][]
 - [How email sending works in Amazon SES][]
+- [Specifying a configuration set when you send email][]
 
 [Go]: https://go.dev/
 [Amazon Web Services]: https://aws.amazon.com
@@ -390,3 +391,4 @@ This software is made available as [Open Source software][oss-def] under the
 [Receiving Amazon SES notifications using Amazon SNS]: https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity-using-notifications-sns.html
 [Contents of event data that Amazon SES publishes to Amazon SNS]: https://docs.aws.amazon.com/ses/latest/dg/event-publishing-retrieving-sns-contents.html
 [How email sending works in Amazon SES]: https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-process.html
+[Specifying a configuration set when you send email]: https://docs.aws.amazon.com/ses/latest/dg/using-configuration-sets-in-email.html
diff --git a/template.yml b/template.yml
@@ -175,7 +175,17 @@ Resources:
       Topics:
         - !Ref DeliveryNotificationsTopic
       PolicyDocument:
-          # https://docs.aws.amazon.com/ses/latest/dg/configure-sns-notifications.html#configure-feedback-notifications-prerequisites
+          # Note that this is for an event destination for event publishing:
+          # - https://docs.aws.amazon.com/ses/latest/dg/event-publishing-add-event-destination-sns.html
+          #
+          # as opposed to notifications for a verified identity:
+          # - https://docs.aws.amazon.com/ses/latest/dg/configure-sns-notifications.html
+          #
+          # It's subtle. It's possible to have one topic for multiple
+          # deployments using the verified identity notifications. For this
+          # application, however, we set up different topics and destinations
+          # for each deployment. This keeps each deployment's notifications
+          # encapsulated from one another.
           Version: "2012-10-17"
           Id: !Sub "${AWS::StackName}-notification-policy"
           Statement:
@@ -187,7 +197,7 @@ Resources:
               Condition:
                 StringEquals:
                   "AWS:SourceAccount": !Sub "${AWS::AccountId}"
-                  "AWS:SourceArn": !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${EmailDomainName}"
+                  "AWS:SourceArn": !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:configuration-set/${SendingConfigurationSet}"
 
   SendingConfigurationSet:
     # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-configurationset.html
@@ -203,22 +213,22 @@ Resources:
           - COMPLAINT
           - BOUNCE
 
-  #SendingConfigurationSetDestination:
-  #  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-configurationseteventdestination.html
-  #  Type: AWS::SES::ConfigurationSetEventDestination
-  #  Properties:
-  #    ConfigurationSetName: !Ref SendingConfigurationSet
-  #    EventDestination:
-  #      Name: !Sub "${AWS::StackName}-delivery-notifications"
-  #      Enabled: true
-  #      MatchingEventTypes:
-  #        - send
-  #        - delivery
-  #        - reject
-  #        - bounce
-  #        - complaint
-  #      SnsDestination:
-  #        TopicARN: !Ref DeliveryNotificationsTopic
+  SendingConfigurationSetDestination:
+    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-configurationseteventdestination.html
+    Type: AWS::SES::ConfigurationSetEventDestination
+    Properties:
+      ConfigurationSetName: !Ref SendingConfigurationSet
+      EventDestination:
+        Name: !Sub "${AWS::StackName}-delivery-notifications"
+        Enabled: true
+        MatchingEventTypes:
+          - send
+          - delivery
+          - reject
+          - bounce
+          - complaint
+        SnsDestination:
+          TopicARN: !Ref DeliveryNotificationsTopic
 
 Outputs:
   # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api