@shawnbot
Forked from sfgov-mikela/gist:3665278315bcbcfacdd38531484bdc0e
Last active May 24, 2024 21:42

The production AWS environment has SES set up for api.sf.gov. The staging server will need permission for api.dev.sf.gov; that can be set up manually (or grab Mikela).

From the platform_base playbook we will need to add this permission to the instance_profile IAM role: https://docs.aws.amazon.com/ses/latest/dg/control-user-access.html#iam-and-ses-examples-access-specific-ses-api-version

It looks like the current iam_instance_profile is pointing at an s3_write_profile https://github.com/SFDigitalServices/ansible-platform/blob/main/platform_deploy.yaml#L39

Which is created here https://github.com/SFDigitalServices/ansible-platform/blob/main/roles/s3_public/tasks/main.yaml#L36

Move that "Iam role with admin access to write to buckets" task into platform_deploy.yaml and change the name from "{{ namespace }}-{{ stage }}-s3-write" to "{{ namespace }}-{{ stage }}-instance-profile"

and update https://github.com/SFDigitalServices/ansible-platform/blob/main/platform_deploy.yaml#L39 to use that ARN.

So something like

```yaml
- name: SES send policy
  community.aws.iam_managed_policy:
    policy_name: "{{ namespace }}-{{ stage }}-ses-send"
    policy:
      Version: "2012-10-17"
      Statement:
        # ....
  register: ses_send_policy

- name: Iam role with admin access to write to buckets # apply to ec2 instance
  community.aws.iam_role:
    name: "{{ namespace }}-{{ stage }}-instance-profile"
    managed_policies:
      - "{{ s3_write_policy.policy.arn }}"
      - "{{ ses_send_policy.policy.arn }}"
    assume_role_policy_document:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action: sts:AssumeRole
    tags:
      Name: "{{ namespace }}-{{ stage }}-instance-profile"
      Type: public
      Stage: "{{ stage }}"
      Namespace: "{{ namespace }}"
  register: instance_profile

- name: Start an instance on private subnet
  amazon.aws.ec2_instance:
      name: "{{ namespace }}_{{ stage }}_web"
      # .... (change this line)
      # iam_role creates an instance profile with the same name as the role by default;
      # ec2_instance accepts an instance-profile ARN or name, so if the role ARN is
      # rejected, pass "{{ instance_profile.iam_role.role_name }}" instead.
      iam_instance_profile: "{{ instance_profile.iam_role.arn }}"
      # ....
```

After that update, rerunning platform_deploy should change the instance_profile, and the instance will have SES permissions.

Then from django follow these instructions https://github.com/django-ses/django-ses

You will not need to set the ACCESS_KEY or SECRET vars (the instance profile provides credentials); you will just need these set in settings/production.py:

```python
EMAIL_BACKEND = 'django_ses.SESBackend'
AWS_SES_REGION_NAME = 'us-west-2'
AWS_SES_REGION_ENDPOINT = 'email.us-west-2.amazonaws.com'
USE_SES_V2 = True
```
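As an added example (not code from the ansible-platform project or the note above), here is the kind of least-privilege document the elided `Statement` in the ses-send policy could hold, following the linked AWS pattern of restricting the SES API version, plus a small local check that the policy only permits what the Django settings actually use. The account id is a placeholder, and the identity names api.sf.gov / api.dev.sf.gov are taken from the note; the identity ARN format is the real SES one.

```python
"""Least-privilege SES send policy for the instance profile, plus a local sanity check."""
import json

ACCOUNT_ID = "123456789012"  # placeholder, not a real account id
REGION = "us-west-2"          # matches AWS_SES_REGION_NAME in the Django settings


def identity_arn(domain: str) -> str:
    """ARN of a verified SES identity (domain or address) in this account/region."""
    return f"arn:aws:ses:{REGION}:{ACCOUNT_ID}:identity/{domain}"


def ses_send_policy(domains: list[str]) -> dict:
    """Policy document for the "{{ namespace }}-{{ stage }}-ses-send" managed policy.

    Only the two send actions, only the listed verified identities, and only
    through the SES v2 API (ses:ApiVersion == "2"), which is what
    USE_SES_V2 = True in the Django settings uses.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SesSendViaV2Only",
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": [identity_arn(d) for d in domains],
            "Condition": {"StringEquals": {"ses:ApiVersion": "2"}},
        }],
    }


def allows(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Minimal evaluator for Allow-only policies of the shape built above.

    Not a full IAM engine: exact action/resource match plus StringEquals
    conditions only, which is enough to sanity-check this policy offline.
    A condition key missing from the request context fails the condition,
    as it does in IAM.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if action not in stmt["Action"] or resource not in stmt["Resource"]:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conds.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(ses_send_policy(["api.dev.sf.gov"]), indent=2))
```

Deploy the staging policy with `["api.dev.sf.gov"]` and the production one with `["api.sf.gov"]`, so neither stage's instance can send as the other's identity.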