add an email sender policy #91
Conversation
This policy construct will add a parameter to the stack for the sending address, which has regex'd input limiting it to a @theguardian.com email address.
akash1810
added
the
needs-new-release
| @@ -1,6 +1,6 @@ | |||
| import type { CfnParameterProps } from "@aws-cdk/core"; | |||
| import { CfnParameter } from "@aws-cdk/core"; | |||
| import { Stage, Stages } from "../../constants"; | |||
| import { RegexPattern, Stage, Stages } from "../../constants"; | |||
There was a problem hiding this comment.
Encapsulation and unit tests ftw 👍
| // see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policies.html | ||
| new PolicyStatement({ | ||
| effect: Effect.ALLOW, | ||
| actions: ["ses:SendEmail"], |
There was a problem hiding this comment.
I remember there was one example from the datalake where they had both this and SendRawEmail. I was reading up on the difference in the boto3 docs and SendRawEmail is what you need to use to send an email with an attachment, for example. Do you think it's overkill to include it here as well?
There was a problem hiding this comment.
Oops, was meant to include something about this in the description.
It looks like the datalake's permissions are too wide. That is, it's only calling SendEmailRequest and the permission for SendRawEmail should be dropped as it's not making a SendRawEmailRequest.
We can always add it later if needed.
| Effect: "Allow", | ||
| Resource: { | ||
| "Fn::Join": [ | ||
| "", |
There was a problem hiding this comment.
This empty string is a cdk oddity isn't it? I was wondering if there was something to fix on our side, but it looks fine on our side
There was a problem hiding this comment.
Yeah, it's super odd! I'd be reluctant to patch it on our side as this is auto-generated output; any patch we add would need to be compatible with future versions of the aws-cdk library.
There was a problem hiding this comment.
Agreed, I don't think we should introduce a workaround for this.
There was a problem hiding this comment.
We might be able to use one of these functions https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.Arn.html.
What does this change?
Adds a new
GuSESSenderPolicyconstruct which will:EmailSenderAddressparameter to aGuStackses:SendEmailon that addressWe have a few stacks that have this permission, each declare the policy in varying ways from no restriction to resource restricted to condition restricted.
After reading this, for our existing use cases it looks like a resource constraint and a condition amount to the same thing? So went with resource constraining as it was first in the docs.
Does this change require changes to existing projects or CDK CLI?
Yes, it simplifies the AMIable stack.
How to test
Run unit tests.
How can we measure success?
Providing more standard constructs and a standard way to declare this policy.
Have we considered potential risks?
n/a