
Terraform AWS SES Credentials: A Complete Guide

By Filip on 11/12/2024

Learn how to manage AWS SES SMTP credentials in Terraform by creating a dedicated IAM user, deriving the SMTP password from its access key, verifying your sending domain, and scoping the user's permissions to the minimum needed to send mail.



Introduction

This guide provides a step-by-step approach to configuring AWS Simple Email Service (SES) using Terraform, enabling you to send emails programmatically. We'll cover creating the necessary IAM resources, generating SMTP credentials, verifying your domain, and configuring your email client.

Step-by-Step Guide

  1. Create an IAM user: You'll need an IAM user with permissions to send emails via SES.

    resource "aws_iam_user" "ses_user" {
      name = "ses_user"
    }
  2. Attach an IAM policy to the user: This policy grants access to SES actions. The AmazonSESFullAccess managed policy used here allows every ses:* action (including deleting identities and changing configuration sets), which is far more than a sender needs; a custom policy limited to ses:SendRawEmail (the action SMTP sending uses) and ses:SendEmail is the better choice, see the notes below.

    resource "aws_iam_user_policy_attachment" "ses_policy_attachment" {
      user      = aws_iam_user.ses_user.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
    }
  3. Generate SMTP credentials: Use the aws_iam_access_key resource to create an access key for the IAM user. SES SMTP credentials are derived from that key: the SMTP username is the access key ID, and the SMTP password is the secret access key run through AWS's documented SigV4 conversion (a chain of HMAC-SHA256 operations over a fixed date, the region, the service name "ses", "aws4_request" and "SendRawEmail", prefixed with a version byte and base64-encoded). The hashicorp/aws provider performs this conversion for you and exposes the result as the ses_smtp_password_v4 attribute of aws_iam_access_key; no separate data source or third-party module is needed. Because the region is an input to the derivation, the password only works against the SMTP endpoint in the provider's region.

    resource "aws_iam_access_key" "ses_access_key" {
      user = aws_iam_user.ses_user.name
    }

    # SMTP username and region-specific SMTP password, both computed by the provider
    locals {
      smtp_username = aws_iam_access_key.ses_access_key.id
      smtp_password = aws_iam_access_key.ses_access_key.ses_smtp_password_v4
    }
  4. Verify your domain or email address: Before sending, SES must confirm that you control the sender domain or address. The aws_ses_domain_identity resource only registers the domain and starts verification; it exports a verification_token that you must publish as a TXT record at _amazonses.<your-domain> (with aws_route53_record or at your DNS provider) before SES marks the identity as verified. Use the aws_ses_domain_identity_verification resource if you want Terraform to wait until that has happened.

    resource "aws_ses_domain_identity" "example" {
      domain = "example.com"
    }
  5. Configure your email client: Use the SMTP username and password from step 3 with the SES SMTP endpoint for your region (email-smtp.<region>.amazonaws.com, for example email-smtp.us-east-1.amazonaws.com) on port 587 with STARTTLS or port 465 with TLS wrapper mode. SES only accepts SMTP authentication over an encrypted connection.

Important Notes:

  • Security: Store your SMTP credentials securely. Avoid hardcoding them in your code. Use environment variables or a secrets management solution.
  • Rotation: Regularly rotate your IAM access keys and SMTP credentials for enhanced security.
  • Testing: New accounts start in the SES sandbox, where you can only send to verified identities and are limited to 200 messages per 24 hours at one message per second. Test there before requesting production access.
  • Limitations: SES has sending limits. Make sure you're aware of them and request increases if needed.

Code Example

This Terraform code provisions the AWS resources needed to send email through Simple Email Service (SES): an IAM user with the required permissions, an access key whose SMTP form is exported as a sensitive output, and a domain identity to be verified. Remember to replace placeholders with actual values and handle credentials securely.

Important: Replace placeholders like example.com with your actual values.

# Configure the AWS Provider
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

# Configure the AWS Region
provider "aws" {
  region = "us-east-1" # Replace with your desired region
}

# Create an IAM user for SES
resource "aws_iam_user" "ses_user" {
  name = "ses_user"
}

# Attach the AmazonSESFullAccess policy to the user
resource "aws_iam_user_policy_attachment" "ses_policy_attachment" {
  user      = aws_iam_user.ses_user.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
}

# Generate an access key for the IAM user.
# The SMTP username is the access key ID; the SMTP password is the secret key
# run through AWS's documented SigV4 conversion, which the provider performs
# for you (ses_smtp_password_v4). The password is specific to the provider's
# region and only works against that region's SMTP endpoint. Both values are
# written to Terraform state in plaintext, so protect the backend.
resource "aws_iam_access_key" "ses_access_key" {
  user = aws_iam_user.ses_user.name
}

# Register your domain with SES. This only starts verification: the
# verification_token must be published as a TXT record at _amazonses.<domain>
# before SES treats the identity as verified.
resource "aws_ses_domain_identity" "example" {
  domain = "example.com" # Replace with your domain
}

# Output the generated SMTP credentials
output "smtp_credentials" {
  value = {
    username = aws_iam_access_key.ses_access_key.id
    password = aws_iam_access_key.ses_access_key.ses_smtp_password_v4
  }
  sensitive = true # Mark the output as sensitive so it is redacted in plan/apply
}

To use the generated credentials:

  1. Run terraform apply to create the resources.
  2. Retrieve the sensitive output values: terraform output -json smtp_credentials | jq -r '.username, .password' (treat what this prints as a secret; it is exactly what an attacker needs to send as your domain).
  3. Configure your email client or application with the obtained SMTP credentials.

Remember:

  • Security: Store the output credentials securely using environment variables or a secrets management solution.
  • Rotation: Regularly rotate your IAM access keys and SMTP credentials.
  • Testing: Use the SES sandbox environment for testing before moving to production.
  • Limits: Be aware of SES sending limits and request increases if needed.

Additional Notes

IAM and Permissions:

  • Instead of using the AmazonSESFullAccess managed policy, create a custom IAM policy with only the SES actions your application requires (for SMTP sending that is ses:SendRawEmail), scoped to the ARN of your verified identity. This follows the least privilege principle, and it matters more than it may look: the SMTP password is derived from the user's IAM secret access key, and that raw key sits in Terraform state and in the output, so anyone who obtains it gets the full API permissions of the attached policy, not just the ability to send mail.
  • Consider using IAM Roles instead of IAM Users for applications running on EC2 instances or within other AWS services, and sending through the SES API with an AWS SDK rather than SMTP. SMTP authentication requires a long-lived user access key; the API can use short-lived role credentials, which removes key management and rotation entirely.
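The custom policy recommended above, written out as an added example (this is not code from the original post). It assumes the aws_iam_user.ses_user and aws_ses_domain_identity.example resources from the guide already exist, and that the application only ever sends from addresses at the verified domain. When you adopt it, remove the aws_iam_user_policy_attachment of AmazonSESFullAccess.

```hcl
# Added example: least-privilege sending policy in place of AmazonSESFullAccess.
# Assumes aws_iam_user.ses_user and aws_ses_domain_identity.example from the guide.

data "aws_iam_policy_document" "ses_send_only" {
  statement {
    sid = "SendFromVerifiedDomainOnly"

    # SMTP sending is authorized as ses:SendRawEmail; ses:SendEmail covers the
    # structured API call if the same user is also used with an SDK.
    actions = ["ses:SendRawEmail", "ses:SendEmail"]

    # Only the one identity this user exists to send from; with a domain
    # identity ARN this allows any address at that domain and nothing else.
    resources = [aws_ses_domain_identity.example.arn]

    # Belt and braces: the envelope sender must be at the verified domain.
    condition {
      test     = "StringLike"
      variable = "ses:FromAddress"
      values   = ["*@${aws_ses_domain_identity.example.domain}"]
    }
  }
}

# Inline policy bound to this user, so there is no reusable managed policy
# that could later be attached to something else by mistake.
resource "aws_iam_user_policy" "ses_send_only" {
  name   = "ses-send-only"
  user   = aws_iam_user.ses_user.name
  policy = data.aws_iam_policy_document.ses_send_only.json
}
```

With this policy a leaked key can still send mail as your domain (that is the job it has to do), but it can no longer list, verify or delete identities, alter configuration sets, or read sending statistics, which is what AmazonSESFullAccess hands out. The ses:FromAddress condition is enforced on the envelope sender, so an application that sets a From header outside the domain is rejected by SES rather than silently delivered.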

SMTP Credentials:

  • The SMTP password is a deterministic function of the IAM secret key, the region and the fixed string SendRawEmail, so there is nothing to generate separately: the hashicorp/aws provider computes it as the ses_smtp_password_v4 attribute of aws_iam_access_key. If you nevertheless pull in a third-party module for this, pin its version and review its source, because it handles your raw secret key.
  • Never hardcode SMTP credentials in your code or configuration files. Use environment variables, secrets management solutions like AWS Secrets Manager, or secure parameter stores.
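One way to keep the plaintext secret out of the output entirely, as an added example that is not part of the original post: have the provider PGP-encrypt the key for the operator who will configure the mail client. It replaces the guide's aws_iam_access_key.ses_access_key resource and assumes a GPG public key exported in raw (not armored) form to ./ses-admin.pub, a placeholder path.

```hcl
# Added example: PGP-encrypt the access key so no plaintext secret reaches the
# output. Replaces the guide's aws_iam_access_key.ses_access_key.
# Assumes: gpg --export <keyid> > ses-admin.pub  (raw binary export, no -a)

resource "aws_iam_access_key" "ses_access_key" {
  user = aws_iam_user.ses_user.name

  # The provider wants the raw key base64-encoded; filebase64 does that.
  pgp_key = filebase64("${path.module}/ses-admin.pub")
}

# With pgp_key set, the provider populates the encrypted_* attributes instead
# of the plaintext secret and ses_smtp_password_v4.
output "ses_smtp_username" {
  value = aws_iam_access_key.ses_access_key.id
}

output "ses_smtp_password_encrypted" {
  description = "Base64 PGP ciphertext of the SMTP password; decrypt with the matching private key."
  value       = aws_iam_access_key.ses_access_key.encrypted_ses_smtp_password_v4
}
```

To recover the password on the operator's machine: terraform output -raw ses_smtp_password_encrypted | base64 -d | gpg --decrypt. Note that writing the credentials into AWS Secrets Manager from Terraform (aws_secretsmanager_secret_version) is convenient for the application, but the plaintext still passes through and is stored in Terraform state, so it does not replace protecting the backend.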

Domain Verification and Email Sending:

  • Domain verification is crucial for deliverability and reputation. Also publish DKIM records (the aws_ses_domain_dkim resource issues three CNAME tokens), an SPF record for a custom MAIL FROM domain, and a DMARC policy, so that receivers can authenticate your mail and you get reports on attempts to spoof your domain.
  • When sending emails, use a reputable "From" email address that aligns with your verified domain. This helps avoid emails being flagged as spam.
  • Implement error handling in your email sending logic to gracefully handle issues like bounces, complaints, and sending limits.
  • Monitor your SES sending reputation through the Amazon SES console. Address any issues promptly to maintain good deliverability rates.
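The DNS side of verification, DKIM, SPF and DMARC, as an added example that is not from the original post. It assumes the aws_ses_domain_identity.example resource from the guide, a Route 53 hosted zone for the same domain, SES in us-east-1, and a dmarc@ mailbox for aggregate reports; the MAIL FROM subdomain "mail" is an arbitrary choice.

```hcl
# Added example: DNS records SES needs for example.com, and a gate that waits
# for verification. Assumes aws_ses_domain_identity.example from the guide,
# a Route 53 zone for the domain, and the us-east-1 SES endpoint.

data "aws_route53_zone" "primary" {
  name = aws_ses_domain_identity.example.domain
}

# Proof of ownership: TXT record carrying the verification token.
resource "aws_route53_record" "ses_verification" {
  zone_id = data.aws_route53_zone.primary.zone_id
  name    = "_amazonses.${aws_ses_domain_identity.example.domain}"
  type    = "TXT"
  ttl     = 600
  records = [aws_ses_domain_identity.example.verification_token]
}

# Blocks until SES reports the identity verified. Anything that needs a working
# sender should depend on this resource, not on the identity itself.
resource "aws_ses_domain_identity_verification" "example" {
  domain     = aws_ses_domain_identity.example.id
  depends_on = [aws_route53_record.ses_verification]
}

# Easy DKIM: SES issues three selector tokens, each published as a CNAME.
resource "aws_ses_domain_dkim" "example" {
  domain = aws_ses_domain_identity.example.domain
}

resource "aws_route53_record" "ses_dkim" {
  count   = 3
  zone_id = data.aws_route53_zone.primary.zone_id
  name    = "${aws_ses_domain_dkim.example.dkim_tokens[count.index]}._domainkey.${aws_ses_domain_identity.example.domain}"
  type    = "CNAME"
  ttl     = 600
  records = ["${aws_ses_domain_dkim.example.dkim_tokens[count.index]}.dkim.amazonses.com"]
}

# Custom MAIL FROM so the envelope sender is your own domain (SPF alignment
# for DMARC); without it the envelope sender is amazonses.com.
resource "aws_ses_domain_mail_from" "example" {
  domain           = aws_ses_domain_identity.example.domain
  mail_from_domain = "mail.${aws_ses_domain_identity.example.domain}"
}

resource "aws_route53_record" "ses_mail_from_mx" {
  zone_id = data.aws_route53_zone.primary.zone_id
  name    = aws_ses_domain_mail_from.example.mail_from_domain
  type    = "MX"
  ttl     = 600
  records = ["10 feedback-smtp.us-east-1.amazonses.com"] # region-specific
}

resource "aws_route53_record" "ses_mail_from_spf" {
  zone_id = data.aws_route53_zone.primary.zone_id
  name    = aws_ses_domain_mail_from.example.mail_from_domain
  type    = "TXT"
  ttl     = 600
  records = ["v=spf1 include:amazonses.com -all"]
}

# DMARC: start in monitor mode (p=none) and move to quarantine/reject once
# the aggregate reports show only legitimate mail passing.
resource "aws_route53_record" "dmarc" {
  zone_id = data.aws_route53_zone.primary.zone_id
  name    = "_dmarc.${aws_ses_domain_identity.example.domain}"
  type    = "TXT"
  ttl     = 600
  records = ["v=DMARC1; p=none; rua=mailto:dmarc@${aws_ses_domain_identity.example.domain}"]
}
```

The aws_ses_domain_identity_verification resource is the useful check here: without it, terraform apply succeeds as soon as the identity is registered, and the first attempt to send fails with a "not verified" error until DNS propagates.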

Terraform Best Practices:

  • Use Terraform workspaces or separate environments to manage different stages of your application (e.g., development, staging, production).
  • Use a remote backend with encryption at rest and state locking (an S3 bucket with a KMS key and a DynamoDB lock table, or Terraform Cloud). This matters more than usual here: the IAM secret access key and the derived SMTP password are written to state in plaintext, so anyone who can read the state can send as your domain.
  • Format your Terraform code consistently and use comments to improve readability and maintainability.

Additional Considerations:

  • Explore SES features like email templates, sending statistics, and event notifications to enhance your email sending workflow.
  • Consider using a dedicated email sending service or library in your application code to simplify email composition, handling attachments, and managing sending limits.
  • Stay updated on SES pricing and sending limits to avoid unexpected costs or disruptions.

Summary

This guide outlines how to configure AWS Simple Email Service (SES) using Terraform to send emails from your applications.

Steps:

  1. IAM User Creation: Create a dedicated IAM user with permissions to interact with SES.
  2. Policy Attachment: Grant the IAM user access to SES actions, either using the AmazonSESFullAccess managed policy or a custom policy.
  3. SMTP Credential Generation:
    • Generate an access key for the IAM user.
    • Derive the SMTP credentials from it: the username is the access key ID and the password is the provider-computed ses_smtp_password_v4 attribute (AWS's SigV4 conversion of the secret key, specific to the provider's region).
  4. Domain/Email Verification: Verify your domain or email address with SES to comply with their sending policies. This can be achieved using the aws_ses_domain_identity resource.
  5. Email Client Configuration: Configure your chosen email client or application using the generated SMTP credentials (username and password).

Security and Best Practices:

  • Secure Credential Storage: Never hardcode SMTP credentials. Utilize environment variables or a dedicated secrets management solution.
  • Credential Rotation: Regularly rotate IAM access keys and corresponding SMTP credentials to enhance security.
  • Sandbox Testing: Leverage SES's sandbox environment for testing purposes before deploying to a production environment.
  • Sending Limits: Be aware of SES sending limits and request increases if your application requires them.

Conclusion

By following these steps, you can effectively set up and manage AWS SES using Terraform, enabling secure and efficient email sending from your applications. Remember to prioritize security by protecting your SMTP credentials, rotating them regularly, and adhering to best practices for IAM and SES configuration. By leveraging Terraform's infrastructure-as-code capabilities, you can automate the process, ensuring consistency and repeatability in your SES setup. Always refer to the official AWS documentation and Terraform provider documentation for the most up-to-date information and best practices.

