Configure AWS SES Domain Identity and DKIM with CDK

README.md

Configure AWS SES Domain Identity and DKIM with CDK

Some AWS resources are not availble via Cloudformation but can be managed via AWS API. One example is SES Domain Identity and Domain DKIM configuration.

It's easy to make API Calls using CDK. Check out the example below

ses_stack.py

from aws_cdk import core as cdk
from aws_cdk import custom_resources
from aws_cdk import aws_route53 as route53

class SesStack(cdk.Stack):
    _hosted_zone: route53.IHostedZone

    def __init__(
        self,
        scope: cdk.Construct,
        construct_id: str,
        hosted_zone: route53.IHostedZone,
        **kwargs,
    ) -> None:
        super().__init__(scope, construct_id, **kwargs)

        self._hosted_zone = hosted_zone
        self.configure_aws_ses()

    def configure_aws_ses(self):
        self.configure_aws_ses_domain_identity()
        self.configure_domain_dkim()

    def configure_aws_ses_domain_identity(self):
        verify_domain_identity = custom_resources.AwsCustomResource(
            self,
            "VerifySesDomain",
            on_create=custom_resources.AwsSdkCall(
                service="SES",
                action="verifyDomainIdentity",
                parameters={"Domain": "example.com"},
                physical_resource_id=custom_resources.PhysicalResourceId.from_response(
                    "VerificationToken"
                ),
            ),
            # https://github.com/aws/aws-cdk/issues/4533
            policy=custom_resources.AwsCustomResourcePolicy.from_statements(
                statements=[
                    iam.PolicyStatement(
                        actions=["ses:VerifyDomainIdentity"],
                        resources=["*"],
                    )
                ]
            ),
        )

        route53.TxtRecord(
            self,
            "SESVerificationRecord",
            zone=self._hosted_zone,
            record_name=f"_amazonses.example.com",
            values=[verify_domain_identity.get_response_field("VerificationToken")],
        )

    def configure_domain_dkim(self):
        verify_domain_dkim = custom_resources.AwsCustomResource(
            self,
            "VerifySesDomainDkim",
            on_create=custom_resources.AwsSdkCall(
                service="SES",
                action="verifyDomainDkim",
                parameters={"Domain": "example.com"},
                physical_resource_id=custom_resources.PhysicalResourceId.of(
                    f"ses_dkim_domain-example.com"
                ),
            ),
            # https://github.com/aws/aws-cdk/issues/4533
            policy=custom_resources.AwsCustomResourcePolicy.from_statements(
                statements=[
                    iam.PolicyStatement(
                        actions=["ses:VerifyDomainDkim"],
                        resources=["*"],
                    )
                ]
            ),
        )

        route53.CnameRecord(
            self,
            "SESDkimVerificationRecord0",
            zone=self._hosted_zone,
            record_name=f"{verify_domain_dkim.get_response_field('DkimTokens.0')}._domainkey",
            domain_name=f"{verify_domain_dkim.get_response_field('DkimTokens.0')}.dkim.amazonses.com",
        )
        route53.CnameRecord(
            self,
            "SESDkimVerificationRecord1",
            zone=self._hosted_zone,
            record_name=f"{verify_domain_dkim.get_response_field('DkimTokens.1')}._domainkey",
            domain_name=f"{verify_domain_dkim.get_response_field('DkimTokens.1')}.dkim.amazonses.com",
        )
        route53.CnameRecord(
            self,
            "SESDkimVerificationRecord2",
            zone=self._hosted_zone,
            record_name=f"{verify_domain_dkim.get_response_field('DkimTokens.2')}._domainkey",
            domain_name=f"{verify_domain_dkim.get_response_field('DkimTokens.2')}.dkim.amazonses.com",
        )

Since June 2022 CloudFormation supports SES https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ses-emailidentity.html