Fix notifications access from service #154
Conversation
| @@ -18,6 +18,9 @@ locals { | |||
|
|
|||
| # AWS services used by ECS Exec | |||
| var.enable_command_execution ? ["ssmmessages"] : [], | |||
|
|
|||
| # AWS services used by notifications | |||
| var.enable_notifications ? ["pinpoint", "email-smtp"] : [], | |||
There was a problem hiding this comment.
It's called mobile-targeting in IAM but the VPC endpoints are ["pinpoint", "email-smtp"] ??? bah
There was a problem hiding this comment.
yeah i put mobiletargeting at first and got an error saying that doesn't exist.
also, the AWS docs don't mention "email-smtp" anywhere, instead they said to search for smtp and then click on that one, so I had to go to the console and search to find out that email-smtp was what they meant.
There was a problem hiding this comment.
https://docs.aws.amazon.com/ses/latest/dg/send-email-set-up-vpc-endpoints.html
amazing right?
| ] | ||
| Resource = [ | ||
| var.domain_identity_arn, | ||
| "arn:*:ses:*:*:configuration-set/*", |
There was a problem hiding this comment.
Any specific reason why this 2nd on isn't an arn as well?
There was a problem hiding this comment.
configuration sets don't actually have arns as far as i could tell. couldn't find it on AWS console, and don't see it in the outputs in the terraform aws_sesv2_configuration_set data source or resource, so you'd have to construct it manually.
and in my opinion i don't think it's actually a big deal to allow the use of any configuration set.
There was a problem hiding this comment.
Wow... yeah no arns mentioned here. That's a new one for me!
lorenyu
changed the title
|
done in navapbc/template-infra#835 |
Ticket
Contributes to navapbc/template-infra#792
Changes
Fix ability for ECS service to access Pinpoint:
Also add notifications test endpoint to example app for testing:
Context for reviewers
I added /notifications endpoint since it will be useful to test changes to notifications infrastructure, but while testing I discovered some access bugs
Testing
Applied changes to dev network to create the two VPC endpoints using
Tested locally
Tested on the PR environment, you can too! (took a while to get the IAM permissions right)
Preview environment
♻️ Environment destroyed ♻️