This is a Terraform deployment for creating IAM resources for those users allowed to send email or manage the email suppression list in the COOL.
- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
- Access to all of the Terraform remote states specified in
remote_states.tf.
- User accounts for all users must have been created previously. We
recommend using the
cisagov/cool-users-non-adminrepository to create users. - Terraform in
cisagov/cool-dns-cyber.dhs.govmust have been applied.
- User accounts for all users must have been created previously. We
recommend using the
| Name | Version |
|---|---|
| terraform | ~> 1.1 |
| aws | ~> 4.9 |
| Name | Version |
|---|---|
| aws | ~> 4.9 |
| aws.users | ~> 4.9 |
| terraform | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_group.email_sending | resource |
| aws_iam_group.suppression_list_management | resource |
| aws_iam_group_policy_attachment.email_sending | resource |
| aws_iam_group_policy_attachment.suppression_list_management | resource |
| aws_iam_policy.email_sending | resource |
| aws_iam_policy.suppression_list_management | resource |
| aws_iam_user_group_membership.email_sending | resource |
| aws_iam_user_group_membership.suppression_list_management | resource |
| aws_caller_identity.default | data source |
| aws_caller_identity.users | data source |
| aws_iam_policy_document.email_sending | data source |
| aws_iam_policy_document.suppression_list_management | data source |
| terraform_remote_state.dns | data source |
| terraform_remote_state.users | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | The AWS region in which resources are to be created (e.g. us-east-1). | string |
"us-east-1" |
no |
| email_sending_group_name | The name of the IAM group whose members are allowed to send email via SES. | string |
"SES_cyber.dhs.gov_emailers" |
no |
| email_sending_policy_description | The description to associate with the IAM policy in the Users account that allows the email sending group to assume the email sending role in the DNS account. | string |
"Allows the email sending group to assume the email sending role in the DNS account." |
no |
| email_sending_policy_name | The name of the IAM policy in the Users account that allows the email sending group to assume the email sending role in the DNS account. | string |
"DNS-AssumeSesSendEmail-cyber.dhs.gov" |
no |
| group_membership | A list of the usernames of users that exist in the Users account comprising the members of the email sending group (e.g. [{name = "lemmy.kilmister", can_send_email = true, can_manage_suppression_list = true}, {name = "phil.taylor", can_send_email = false, can_manage_suppression_list = true}, {name = "eddie.clarke", can_send_email = true, can_manage_suppression_list = false}]). | list(object({ name = string, can_send_email = bool, can_manage_suppression_list = bool })) |
n/a | yes |
| suppression_list_management_group_name | The name of the IAM group whose members are allowed to manage the SES email suppression list. | string |
"SES_cyber.dhs.gov_suppression_list_managers" |
no |
| suppression_list_management_policy_description | The description to associate with the IAM policy in the Users account that allows the suppression list management group to assume the suppression list management role in the DNS account. | string |
"Allows the suppression list management group to assume the suppression list management role in the DNS account." |
no |
| suppression_list_management_policy_name | The name of the IAM policy in the Users account that allows the suppression list management group to assume the suppression list management role in the DNS account. | string |
"DNS-AssumeSesManageSuppressionList-cyber.dhs.gov" |
no |
| tags | Tags to apply to all AWS resources created. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| email_sending_group | The IAM group whose members are allowed to send email via SES. |
| email_sending_policy | The IAM policy in the Users account that allows the email sending group to assume the email sending role in the DNS account. |
| suppression_list_management_group | The IAM group whose members are allowed to manage the SES email suppression list. |
| suppression_list_management_policy | The IAM policy in the Users account that allows the suppression list management group to assume the suppression list management role in the DNS account. |
Running pre-commit requires running terraform init in every directory that
contains Terraform code. In this repository, this is just the main directory.
We welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.