feat(ses): grant methods to IEmailIdentity (#29084)

### Issue Closes #29083 ### Reason for this change When granting send email access to a lambda the grant needs to be constructed manually, including constructing the ARN for the identity. e.g. ``` Grant.addToPrincipal({ grantee, actions: ["ses:SendEmail"], resourceArns: [ this.stack.formatArn({ service: 'ses', resource: 'identity', resourceName: 'test@example.com', }), ], scope: this }) ``` This is dissimilar to other constructs, which generally expose a grant method and one or more convenience methods for particularly relevant groups of actions. ### Description of changes Added `grant` and `grantSendEmail` to `IEmailIdentity`, and added a common abstract class, `BaseEmailIdentity` with the relevant grant code. This is to avoid code duplication between the full `EmailIdentity` and the `Import` class. ### Description of how you validated changes Tests added for grants on both new and imported email identities, and a test to validate the `grantSendEmail` method. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 13, 2024 · c3c771c · c3c771c
1 parent e890e89
commit c3c771c
Show file tree

Hide file tree

Showing 13 changed files with 749 additions and 88 deletions.
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses/test/fixtures/send-email/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-ses/test/fixtures/send-email/index.py
@@ -0,0 +1,31 @@
+import json
+import boto3
+
+client = boto3.client('ses', region_name='us-west-2')
+
+def lambda_handler(event, context):
+    response = client.send_email(
+    Destination={
+        'ToAddresses': ['test@example.com']
+    },
+    Message={
+        'Body': {
+            'Text': {
+                'Charset': 'UTF-8',
+                'Data': 'This is the message body in text format.',
+            }
+        },
+        'Subject': {
+            'Charset': 'UTF-8',
+            'Data': 'Test email',
+        },
+    },
+    Source='sender@cdk.dev'
+    )
+
+    print(response)
+
+    return {
+        'statusCode': 200,
+        'body': json.dumps("Email Sent Successfully. MessageId is: " + response['MessageId'])
+    }
diff --git a/....email-identity.js.snapshot/EmailIdentityIntegDefaultTestDeployAssert3F909307.assets.json b/....email-identity.js.snapshot/EmailIdentityIntegDefaultTestDeployAssert3F909307.assets.json
diff --git a/....snapshot/asset.ab3156800c2f322f16da8bff913172139189a387dd64a4e622f82a790561fd4d/index.py b/....snapshot/asset.ab3156800c2f322f16da8bff913172139189a387dd64a4e622f82a790561fd4d/index.py
diff --git a/...st/aws-ses/test/integ.email-identity.js.snapshot/cdk-ses-email-identity-integ.assets.json b/...st/aws-ses/test/integ.email-identity.js.snapshot/cdk-ses-email-identity-integ.assets.json
diff --git a/.../aws-ses/test/integ.email-identity.js.snapshot/cdk-ses-email-identity-integ.template.json b/.../aws-ses/test/integ.email-identity.js.snapshot/cdk-ses-email-identity-integ.template.json
@@ -6,19 +6,119 @@
     "Name": "cdk.dev."
    }
   },
+  "FunctionServiceRole675BB04A": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "FunctionServiceRoleDefaultPolicy2F49994A": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "ses:SendEmail",
+        "ses:SendRawEmail"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":ses:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":identity/",
+          {
+           "Ref": "EmailIdentity7187767D"
+          }
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "FunctionServiceRoleDefaultPolicy2F49994A",
+    "Roles": [
+     {
+      "Ref": "FunctionServiceRole675BB04A"
+     }
+    ]
+   }
+  },
+  "Function76856677": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "ab3156800c2f322f16da8bff913172139189a387dd64a4e622f82a790561fd4d.zip"
+    },
+    "FunctionName": "email-sending-lambda",
+    "Handler": "index.lambda_handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "FunctionServiceRole675BB04A",
+      "Arn"
+     ]
+    },
+    "Runtime": "python3.11"
+   },
+   "DependsOn": [
+    "FunctionServiceRoleDefaultPolicy2F49994A",
+    "FunctionServiceRole675BB04A"
+   ]
+  },
   "EmailIdentityDkimDnsToken1BA32ACB3": {
    "Type": "AWS::Route53::RecordSet",
    "Properties": {
+    "HostedZoneId": {
+     "Ref": "HostedZoneDB99F866"
+    },
     "Name": {
      "Fn::GetAtt": [
       "EmailIdentity7187767D",
       "DkimDNSTokenName1"
      ]
     },
-    "Type": "CNAME",
-    "HostedZoneId": {
-     "Ref": "HostedZoneDB99F866"
-    },
     "ResourceRecords": [
      {
       "Fn::GetAtt": [
@@ -27,22 +127,22 @@
       ]
      }
     ],
-    "TTL": "1800"
+    "TTL": "1800",
+    "Type": "CNAME"
    }
   },
   "EmailIdentityDkimDnsToken2BBEBB8EC": {
    "Type": "AWS::Route53::RecordSet",
    "Properties": {
+    "HostedZoneId": {
+     "Ref": "HostedZoneDB99F866"
+    },
     "Name": {
      "Fn::GetAtt": [
       "EmailIdentity7187767D",
       "DkimDNSTokenName2"
      ]
     },
-    "Type": "CNAME",
-    "HostedZoneId": {
-     "Ref": "HostedZoneDB99F866"
-    },
     "ResourceRecords": [
      {
       "Fn::GetAtt": [
@@ -51,22 +151,22 @@
       ]
      }
     ],
-    "TTL": "1800"
+    "TTL": "1800",
+    "Type": "CNAME"
    }
   },
   "EmailIdentityDkimDnsToken3BB5E8A49": {
    "Type": "AWS::Route53::RecordSet",
    "Properties": {
+    "HostedZoneId": {
+     "Ref": "HostedZoneDB99F866"
+    },
     "Name": {
      "Fn::GetAtt": [
       "EmailIdentity7187767D",
       "DkimDNSTokenName3"
      ]
     },
-    "Type": "CNAME",
-    "HostedZoneId": {
-     "Ref": "HostedZoneDB99F866"
-    },
     "ResourceRecords": [
      {
       "Fn::GetAtt": [
@@ -75,7 +175,8 @@
       ]
      }
     ],
-    "TTL": "1800"
+    "TTL": "1800",
+    "Type": "CNAME"
    }
   },
   "EmailIdentity7187767D": {
@@ -90,11 +191,10 @@
   "EmailIdentityMailFromMxRecordCEAAECD0": {
    "Type": "AWS::Route53::RecordSet",
    "Properties": {
-    "Name": "mail.cdk.dev.",
-    "Type": "MX",
     "HostedZoneId": {
      "Ref": "HostedZoneDB99F866"
     },
+    "Name": "mail.cdk.dev.",
     "ResourceRecords": [
      {
       "Fn::Join": [
@@ -109,21 +209,22 @@
       ]
      }
     ],
-    "TTL": "1800"
+    "TTL": "1800",
+    "Type": "MX"
    }
   },
   "EmailIdentityMailFromTxtRecordE6B5E5D0": {
    "Type": "AWS::Route53::RecordSet",
    "Properties": {
-    "Name": "mail.cdk.dev.",
-    "Type": "TXT",
     "HostedZoneId": {
      "Ref": "HostedZoneDB99F866"
     },
+    "Name": "mail.cdk.dev.",
     "ResourceRecords": [
      "\"v=spf1 include:amazonses.com ~all\""
     ],
-    "TTL": "1800"
+    "TTL": "1800",
+    "Type": "TXT"
    }
   }
  },

diff --git a/...ws-cdk-testing/framework-integ/test/aws-ses/test/integ.email-identity.js.snapshot/cdk.out b/...ws-cdk-testing/framework-integ/test/aws-ses/test/integ.email-identity.js.snapshot/cdk.out
diff --git a/...cdk-testing/framework-integ/test/aws-ses/test/integ.email-identity.js.snapshot/integ.json b/...cdk-testing/framework-integ/test/aws-ses/test/integ.email-identity.js.snapshot/integ.json