Make config set dest unique, add SNS topic policy

It turns out that ConfigurationSetEventDestinations must be unique across ConfigurationSets. The previous commit successfully deployed to the dev pipeline, but failed in prod ("SNS" was the previous name): - https://github.com/mbland/elistman/actions/runs/4661422337/jobs/8250713088 CREATE_FAILED AWS::SES::ConfigurationSetEventDestination SendingConfigurationSetDestination SNS already exists in stack arn:aws:cloudformation:us-east-1:...:stack/elistman-dev/... While I was at it, I also added the DeliveryNotificationsTopicPolicy, which is required to allow SES to publish to the topic: - https://docs.aws.amazon.com/ses/latest/dg/configure-sns-notifications.html#configure-feedback-notifications-prerequisites
mbland · Apr 10, 2023 · d85327c · d85327c
1 parent b2722a4
commit d85327c
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/template.yml b/template.yml
@@ -168,6 +168,27 @@ Resources:
     Properties:
       TopicName: !Sub "${AWS::StackName}"
 
+  DeliveryNotificationsTopicPolicy:
+    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html
+    Type: AWS::SNS::TopicPolicy
+    Properties:
+      Topics:
+        - !Ref DeliveryNotificationsTopic
+      PolicyDocument:
+          # https://docs.aws.amazon.com/ses/latest/dg/configure-sns-notifications.html#configure-feedback-notifications-prerequisites
+          Version: 2012-10-17
+          Id: notification-policy
+          Statement:
+            - Effect: Allow
+              Principal:
+                Service: ses.amazonaws.com
+              Action: "sns:Publish"
+              Resource: !Ref DeliveryNotificationsTopic
+              Condition:
+                StringEquals:
+                  "AWS:SourceAccount": !Sub "${AWS::AccountId}"
+                  "AWS:SourceArn": !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${EmailDomainName}"
+
   SendingConfigurationSet:
     # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-configurationset.html
     Type: AWS::SES::ConfigurationSet
@@ -188,7 +209,7 @@ Resources:
     Properties:
       ConfigurationSetName: !Ref SendingConfigurationSet
       EventDestination:
-        Name: "SNS"
+        Name: !Sub "${AWS::StackName}-delivery-notifications"
         Enabled: true
         MatchingEventTypes:
           - send