Define Terraform infrastructure for email metrics (#2924)

Define Terraform infrastructure for email metrics.
usdigitalresponse · Apr 23, 2024 · 9a8bea7 · 9a8bea7
1 parent c7b19db
commit 9a8bea7
Show file tree

Hide file tree

Showing 7 changed files with 85 additions and 17 deletions.
diff --git a/terraform/email.tf b/terraform/email.tf
@@ -0,0 +1,49 @@
+resource "aws_route53_record" "mail_redirect" {
+  zone_id = data.aws_ssm_parameter.public_dns_zone_id.value
+  name    = "mail-redirect.${data.aws_region.current.name}"
+  type    = "CNAME"
+  records = ["r.${data.aws_region.current.name}.awstrack.me"]
+  ttl     = 86400
+}
+
+resource "aws_sesv2_configuration_set" "default" {
+  configuration_set_name = "${var.namespace}-default"
+
+  delivery_options {
+    tls_policy = "REQUIRE"
+  }
+
+  tracking_options {
+    custom_redirect_domain = "${aws_route53_record.mail_redirect.name}.${var.website_domain_name}"
+  }
+}
+
+data "aws_sns_topic" "datadog_forwarder" {
+  count = var.ses_datadog_events_enabled ? 1 : 0
+  name  = "datadog-forwarder"
+}
+
+resource "aws_sesv2_configuration_set_event_destination" "default" {
+  count                  = var.ses_datadog_events_enabled ? 1 : 0
+  event_destination_name = "DatadogForwarderSNSTopic"
+  configuration_set_name = aws_sesv2_configuration_set.default.configuration_set_name
+
+  event_destination {
+    sns_destination {
+      topic_arn = join("", data.aws_sns_topic.datadog_forwarder[*].arn)
+    }
+    enabled = true
+    matching_event_types = [
+      "SEND",
+      "REJECT",
+      "BOUNCE",
+      "COMPLAINT",
+      "DELIVERY",
+      "OPEN",
+      "CLICK",
+      "RENDERING_FAILURE",
+      "DELIVERY_DELAY",
+      "SUBSCRIPTION"
+    ]
+  }
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -34,6 +34,8 @@ provider "datadog" {
   app_key  = var.datadog_app_key
 }
 
+data "aws_region" "current" {}
+
 data "aws_caller_identity" "current" {}
 
 data "aws_ssm_parameter" "vpc_id" {
@@ -205,7 +207,8 @@ module "api" {
   postgres_db_name         = module.postgres.default_db_name
 
   # Email
-  notifications_email_address = "grants-notifications@${var.website_domain_name}"
+  notifications_email_address   = "grants-notifications@${var.website_domain_name}"
+  ses_configuration_set_default = aws_sesv2_configuration_set.default.configuration_set_name
 }
 
 module "consume_grants" {
@@ -267,14 +270,15 @@ module "arpa_audit_report" {
   stop_timeout_seconds  = 120
   consumer_task_command = ["node", "./src/scripts/arpaAuditReport.js"]
   consumer_container_environment = {
-    API_DOMAIN          = "https://${local.api_domain_name}"
-    AUDIT_REPORT_BUCKET = module.api.arpa_audit_reports_bucket_id
-    DATA_DIR            = "/var/data"
-    LOG_LEVEL           = "DEBUG"
-    LOG_SRC_ENABLED     = "false"
-    NODE_OPTIONS        = "--max_old_space_size=3584" # Reserve 512 MB for other task resources
-    NOTIFICATIONS_EMAIL = "grants-notifications@${var.website_domain_name}"
-    WEBSITE_DOMAIN      = "https://${var.website_domain_name}"
+    API_DOMAIN                    = "https://${local.api_domain_name}"
+    AUDIT_REPORT_BUCKET           = module.api.arpa_audit_reports_bucket_id
+    DATA_DIR                      = "/var/data"
+    LOG_LEVEL                     = "DEBUG"
+    LOG_SRC_ENABLED               = "false"
+    NODE_OPTIONS                  = "--max_old_space_size=3584" # Reserve 512 MB for other task resources
+    NOTIFICATIONS_EMAIL           = "grants-notifications@${var.website_domain_name}"
+    SES_CONFIGURATION_SET_DEFAULT = aws_sesv2_configuration_set.default.configuration_set_name
+    WEBSITE_DOMAIN                = "https://${var.website_domain_name}"
   }
   datadog_environment_variables = {
     DD_LOGS_INJECTION    = "true"
@@ -356,14 +360,15 @@ module "arpa_treasury_report" {
   stop_timeout_seconds  = 120
   consumer_task_command = ["node", "./src/scripts/arpaTreasuryReport.js"]
   consumer_container_environment = {
-    API_DOMAIN          = "https://${local.api_domain_name}"
-    AUDIT_REPORT_BUCKET = module.api.arpa_audit_reports_bucket_id
-    DATA_DIR            = "/var/data"
-    LOG_LEVEL           = "DEBUG"
-    LOG_SRC_ENABLED     = "false"
-    NODE_OPTIONS        = "--max_old_space_size=3584" # Reserve 512 MB for other task resources
-    NOTIFICATIONS_EMAIL = "grants-notifications@${var.website_domain_name}"
-    WEBSITE_DOMAIN      = "https://${var.website_domain_name}"
+    API_DOMAIN                    = "https://${local.api_domain_name}"
+    AUDIT_REPORT_BUCKET           = module.api.arpa_audit_reports_bucket_id
+    DATA_DIR                      = "/var/data"
+    LOG_LEVEL                     = "DEBUG"
+    LOG_SRC_ENABLED               = "false"
+    NODE_OPTIONS                  = "--max_old_space_size=3584" # Reserve 512 MB for other task resources
+    NOTIFICATIONS_EMAIL           = "grants-notifications@${var.website_domain_name}"
+    SES_CONFIGURATION_SET_DEFAULT = aws_sesv2_configuration_set.default.configuration_set_name
+    WEBSITE_DOMAIN                = "https://${var.website_domain_name}"
   }
   datadog_environment_variables = {
     DD_LOGS_INJECTION    = "true"

diff --git a/terraform/modules/gost_api/task.tf b/terraform/modules/gost_api/task.tf
@@ -56,6 +56,7 @@ module "api_container_definition" {
       NODE_OPTIONS                       = "--max_old_space_size=1024"
       NOTIFICATIONS_EMAIL                = var.notifications_email_address
       PGSSLROOTCERT                      = "rds-combined-ca-bundle.pem"
+      SES_CONFIGURATION_SET_DEFAULT      = var.ses_configuration_set_default
       VUE_APP_GRANTS_API_URL             = module.api_gateway.apigatewayv2_api_api_endpoint
       WEBSITE_DOMAIN                     = "https://${var.website_domain_name}"
     },

diff --git a/terraform/modules/gost_api/variables.tf b/terraform/modules/gost_api/variables.tf
@@ -150,6 +150,11 @@ variable "notifications_email_address" {
   }
 }
 
+variable "ses_configuration_set_default" {
+  description = "Name of the configuration set that should be used for all emails sent through SES."
+  type        = string
+}
+
 variable "ses_sandbox_mode_email_recipients" {
   description = "List of email addresses to verify so that they may receive emails when SES is in sandbox mode. ONLY USE THIS FOR DEVELOPMENT PURPOSES!"
   type        = list(string)

diff --git a/terraform/prod.tfvars b/terraform/prod.tfvars
@@ -12,6 +12,7 @@ datadog_monitor_notification_handles = [
   "[email protected]",
   "[email protected]",
 ]
+ses_datadog_events_enabled = true
 
 // Website
 website_enabled     = true

diff --git a/terraform/staging.tfvars b/terraform/staging.tfvars
@@ -9,6 +9,7 @@ ssm_deployment_parameters_path_prefix = "/gost/staging/deploy-config"
 datadog_draft                        = true
 datadog_monitors_enabled             = true
 datadog_monitor_notification_handles = []
+ses_datadog_events_enabled           = true
 
 // Website
 website_enabled     = true

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -48,6 +48,12 @@ variable "datadog_draft" {
   default     = true
 }
 
+variable "ses_datadog_events_enabled" {
+  description = "Whether to send email events to Datadog in order to collect email metrics."
+  type        = bool
+  default     = false
+}
+
 // Common
 variable "permissions_boundary_policy_name" {
   description = "Name of the permissions boundary for service roles"