Introduction
Mail received by SES is automatically saved to an S3 bucket.
SES can invoke Lambda at the moment a mail is received and store it directly in DynamoDB or RDS.
However, to avoid mail being lost to DynamoDB capacity limits or other failures,
I decided to save it to S3 for the moment.
If Lambda is then triggered by the save to S3, the result is a system that does not lose data.
Terraform
Overall setting
Since SES is available in only a few regions, separate AWS providers are defined for SES and for everything else.
variable "aws_region" {
  type    = "string"
  default = "ap-northeast-1"
}

variable "aws_region_ses" {
  type    = "string"
  default = "us-east-1"
}

variable "aws_s3_bucket_mailbox" {
  type    = "string"
  default = "Destination Bucket name"
}

variable "receiver_address" {
  type    = "string"
  default = "Receive mail address"
}

terraform {
  backend "s3" {
    bucket = "terraform"
    key    = "example-terraform-ses-s3/state/terraform.tfstate"
    region = "ap-northeast-1"
  }
}

# Separate providers so that SES and the other resources can live in different regions
provider "aws" {
  region = "${var.aws_region}"
}

provider "aws" {
  alias  = "ses"
  region = "${var.aws_region_ses}"
}
Policy definition in S3
Here I use an existing S3 bucket; of course it is also possible to create and use a new one.
# Use an existing bucket
data "aws_s3_bucket" "mailbox" {
  bucket = "${var.aws_s3_bucket_mailbox}"
}

# Allow SES to put objects into the S3 bucket
resource "aws_s3_bucket_policy" "mailbox" {
  bucket = "${data.aws_s3_bucket.mailbox.id}"
  policy = "${data.aws_iam_policy_document.mailbox.json}"
}

data "aws_iam_policy_document" "mailbox" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["ses.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = ["${data.aws_s3_bucket.mailbox.arn}/*"]
  }
}
SES rule set
# Create a new rule set
resource "aws_ses_receipt_rule_set" "main" {
  provider      = "aws.ses"
  rule_set_name = "s3"
}

resource "aws_ses_receipt_rule" "main" {
  provider      = "aws.ses"
  name          = "s3"
  rule_set_name = "${aws_ses_receipt_rule_set.main.rule_set_name}"
  recipients    = ["${var.receiver_address}"]
  enabled       = true
  scan_enabled  = true

  s3_action {
    bucket_name       = "${data.aws_s3_bucket.mailbox.id}"
    object_key_prefix = "mailbox/${var.receiver_address}"
    position          = 1
  }
}

# Activate the rule set
resource "aws_ses_active_receipt_rule_set" "main" {
  provider      = "aws.ses"
  rule_set_name = "${aws_ses_receipt_rule_set.main.rule_set_name}"
}
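As an added example that is not part of the original post: the bucket policy above grants `s3:PutObject` to the `ses.amazonaws.com` service principal without any condition, so it should be narrowed to this account and this receipt rule set with `aws:SourceAccount` and `aws:SourceArn`; the block below does that (it replaces the page's `data "aws_iam_policy_document" "mailbox"`) and also wires the S3 Put event to the Lambda mentioned in the introduction. It assumes a Lambda function resource named `aws_lambda_function.mail_ingest` (hypothetical name) is defined elsewhere in the module.

```hcl
# Assumption: aws_lambda_function.mail_ingest (hypothetical name) is defined elsewhere.
data "aws_caller_identity" "current" {}

# Same Allow for ses.amazonaws.com as on the page, but restricted to this
# account and this receipt rule set
data "aws_iam_policy_document" "mailbox" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["ses.amazonaws.com"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${data.aws_s3_bucket.mailbox.arn}/*"]

    # Without these conditions, SES receipt rules in any AWS account could write here
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["${data.aws_caller_identity.current.account_id}"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ses:${var.aws_region_ses}:${data.aws_caller_identity.current.account_id}:receipt-rule-set/${aws_ses_receipt_rule_set.main.rule_set_name}:receipt-rule/*"]
    }
  }
}

# Allow S3 to invoke the Lambda, and only from this bucket
resource "aws_lambda_permission" "mailbox" {
  statement_id  = "AllowInvokeFromMailboxBucket"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.mail_ingest.function_name}"
  principal     = "s3.amazonaws.com"
  source_arn    = "${data.aws_s3_bucket.mailbox.arn}"
}

# Invoke the Lambda for every mail SES puts under the mailbox/ prefix
resource "aws_s3_bucket_notification" "mailbox" {
  bucket = "${data.aws_s3_bucket.mailbox.id}"
  lambda_function {
    lambda_function_arn = "${aws_lambda_function.mail_ingest.arn}"
    events              = ["s3:ObjectCreated:Put"]
    filter_prefix       = "mailbox/"
  }
  depends_on = ["aws_lambda_permission.mailbox"]
}
```

Apply the bucket policy before creating the receipt rule, since SES checks that it can write to the bucket when the rule is created.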