@common-creation/aws-cdk-ses-domain-identity
Version:
Constructs for provisioning and referencing domain identities which can be used in SES RuleSets and Actions Construct.
86 lines • 4.03 kB
JavaScript
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.DnsValidatedDomainIdentity = void 0;
const aws_cdk_lib_1 = require("aws-cdk-lib");
const iam = require("aws-cdk-lib/aws-iam");
const lambda = require("aws-cdk-lib/aws-lambda");
const path = require("path");
/**
* A domain identity managed by AWS SES. Will be automatically
* validated using DNS validation against the specified Route 53 hosted zone.
*/
class DnsValidatedDomainIdentity extends aws_cdk_lib_1.Resource {
constructor(scope, id, props) {
var _a, _b;
super(scope, id);
const stack = aws_cdk_lib_1.Stack.of(this);
const region = (_a = props.region) !== null && _a !== void 0 ? _a : stack.region;
const accountId = stack.account;
this.domainName = props.domainName;
this.dkim = (_b = props.dkim) !== null && _b !== void 0 ? _b : false;
this.identityArn = `arn:aws:ses:${region}:${accountId}:identity/${this.domainName}`;
this.normalizedZoneName = props.hostedZone.zoneName;
// Remove trailing `.` from zone name
if (this.normalizedZoneName.endsWith(".")) {
this.normalizedZoneName = this.normalizedZoneName.substring(0, this.normalizedZoneName.length - 1);
}
// Remove any `/hostedzone/` prefix from the Hosted Zone ID
this.hostedZoneId = props.hostedZone.hostedZoneId.replace(/^\/hostedzone\//, "");
const requestorFunction = new lambda.Function(this, "DomainIdentityRequestorFunction", {
code: lambda.Code.fromAsset(path.resolve(__dirname, "..", "lambda-packages", "dns-validated-domain-identity-handler", "dist")),
handler: "index.identityRequestHandler",
runtime: lambda.Runtime.NODEJS_14_X,
memorySize: 128,
timeout: aws_cdk_lib_1.Duration.minutes(15),
role: props.customResourceRole,
});
requestorFunction.addToRolePolicy(new iam.PolicyStatement({
actions: [
"ses:GetIdentityVerificationAttributes",
"ses:GetIdentityDkimAttributes",
"ses:SetIdentityDkimEnabled",
"ses:VerifyDomainIdentity",
"ses:VerifyDomainDkim",
"ses:ListIdentities",
"ses:DeleteIdentity",
],
resources: ["*"],
}));
requestorFunction.addToRolePolicy(new iam.PolicyStatement({
actions: ["route53:GetChange"],
resources: ["*"],
}));
requestorFunction.addToRolePolicy(new iam.PolicyStatement({
actions: [
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
],
resources: [
`arn:${aws_cdk_lib_1.Stack.of(requestorFunction).partition}:route53:::hostedzone/${this.hostedZoneId}`,
],
}));
const identity = new aws_cdk_lib_1.CustomResource(this, "IdentityRequestorResource", {
serviceToken: requestorFunction.functionArn,
properties: {
DomainName: this.domainName,
HostedZoneId: this.hostedZoneId,
Region: region,
DKIM: props.dkim,
},
});
this.node.addValidation({
validate: () => {
const errors = [];
// Ensure the zone name is a parent zone of the certificate domain name
if (!aws_cdk_lib_1.Token.isUnresolved(this.normalizedZoneName) &&
this.domainName !== this.normalizedZoneName &&
!this.domainName.endsWith("." + this.normalizedZoneName)) {
errors.push(`DNS zone ${this.normalizedZoneName} is not authoritative for SES identity domain name ${this.domainName}`);
}
return errors;
},
});
}
}
exports.DnsValidatedDomainIdentity = DnsValidatedDomainIdentity;
//# sourceMappingURL=dns-validated-domain-identity.js.map