Allow sending SES emails using domain identity

Opetushallitus · Jan 20, 2025 · 99d1b41 · 99d1b41
1 parent f65c012
commit 99d1b41
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/aoe-infra/bin/infra.ts b/aoe-infra/bin/infra.ts
@@ -97,11 +97,20 @@ if (environmentName === 'dev' || environmentName === 'qa' || environmentName ===
     vpc: Network.vpc
   })
 
+  let sesIamPolicy: iam.PolicyStatement | undefined;
+
   if (environmentName !== 'prod') {
-    new SesStack(app, 'SesStack', {
+    const sesStack = new SesStack(app, 'SesStack', {
       env: { region: 'eu-west-1' },
       hostedZone: HostedZones.publicHostedZone
     });
+
+    sesIamPolicy = new iam.PolicyStatement({
+      actions: ['ses:SendEmail'],
+      resources: [
+        sesStack.emailIdentity.emailIdentityArn
+      ]
+    });
   }
 
   const SecurityGroups = new SecurityGroupStack(app, 'SecurityGroupStack', {
@@ -430,13 +439,6 @@ if (environmentName === 'dev' || environmentName === 'qa' || environmentName ===
     resources: [efs.fileSystem.fileSystemArn]
   })
 
-  const sesIamPolicy = new iam.PolicyStatement({
-    actions: ['ses:SendEmail'],
-    resources: [
-      '*'
-    ]
-  });
-
   new EcsServiceStack(app, 'WebBackendEcsService', {
     env: { region: 'eu-west-1' },
     stackName: `${environmentName}-web-backend-service`,
@@ -489,7 +491,7 @@ if (environmentName === 'dev' || environmentName === 'qa' || environmentName ===
       efsPolicyStatement,
       kafkaClusterIamPolicy,
       kafkaTopicIamPolicy,
-      sesIamPolicy
+      ...(sesIamPolicy ? [sesIamPolicy] : []),
     ],
     privateDnsNamespace: namespace.privateDnsNamespace,
     efs: {