UNPKG

@common-creation/aws-cdk-ses-domain-identity

Version:

Constructs for provisioning and referencing domain identities which can be used in SES RuleSets and Actions Construct.

86 lines 4.03 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.DnsValidatedDomainIdentity = void 0; const aws_cdk_lib_1 = require("aws-cdk-lib"); const iam = require("aws-cdk-lib/aws-iam"); const lambda = require("aws-cdk-lib/aws-lambda"); const path = require("path"); /** * A domain identity managed by AWS SES. Will be automatically * validated using DNS validation against the specified Route 53 hosted zone. */ class DnsValidatedDomainIdentity extends aws_cdk_lib_1.Resource { constructor(scope, id, props) { var _a, _b; super(scope, id); const stack = aws_cdk_lib_1.Stack.of(this); const region = (_a = props.region) !== null && _a !== void 0 ? _a : stack.region; const accountId = stack.account; this.domainName = props.domainName; this.dkim = (_b = props.dkim) !== null && _b !== void 0 ? _b : false; this.identityArn = `arn:aws:ses:${region}:${accountId}:identity/${this.domainName}`; this.normalizedZoneName = props.hostedZone.zoneName; // Remove trailing `.` from zone name if (this.normalizedZoneName.endsWith(".")) { this.normalizedZoneName = this.normalizedZoneName.substring(0, this.normalizedZoneName.length - 1); } // Remove any `/hostedzone/` prefix from the Hosted Zone ID this.hostedZoneId = props.hostedZone.hostedZoneId.replace(/^\/hostedzone\//, ""); const requestorFunction = new lambda.Function(this, "DomainIdentityRequestorFunction", { code: lambda.Code.fromAsset(path.resolve(__dirname, "..", "lambda-packages", "dns-validated-domain-identity-handler", "dist")), handler: "index.identityRequestHandler", runtime: lambda.Runtime.NODEJS_14_X, memorySize: 128, timeout: aws_cdk_lib_1.Duration.minutes(15), role: props.customResourceRole, }); requestorFunction.addToRolePolicy(new iam.PolicyStatement({ actions: [ "ses:GetIdentityVerificationAttributes", "ses:GetIdentityDkimAttributes", "ses:SetIdentityDkimEnabled", "ses:VerifyDomainIdentity", "ses:VerifyDomainDkim", "ses:ListIdentities", "ses:DeleteIdentity", ], resources: ["*"], })); requestorFunction.addToRolePolicy(new iam.PolicyStatement({ actions: ["route53:GetChange"], resources: ["*"], })); requestorFunction.addToRolePolicy(new iam.PolicyStatement({ actions: [ "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets", ], resources: [ `arn:${aws_cdk_lib_1.Stack.of(requestorFunction).partition}:route53:::hostedzone/${this.hostedZoneId}`, ], })); const identity = new aws_cdk_lib_1.CustomResource(this, "IdentityRequestorResource", { serviceToken: requestorFunction.functionArn, properties: { DomainName: this.domainName, HostedZoneId: this.hostedZoneId, Region: region, DKIM: props.dkim, }, }); this.node.addValidation({ validate: () => { const errors = []; // Ensure the zone name is a parent zone of the certificate domain name if (!aws_cdk_lib_1.Token.isUnresolved(this.normalizedZoneName) && this.domainName !== this.normalizedZoneName && !this.domainName.endsWith("." + this.normalizedZoneName)) { errors.push(`DNS zone ${this.normalizedZoneName} is not authoritative for SES identity domain name ${this.domainName}`); } return errors; }, }); } } exports.DnsValidatedDomainIdentity = DnsValidatedDomainIdentity; //# sourceMappingURL=dns-validated-domain-identity.js.map