
feat: SMTP credentials set #17

Open
stevenlafl opened this issue Jan 6, 2022 · 2 comments

Comments

@stevenlafl

stevenlafl commented Jan 6, 2022

Problem

Need to automatically generate SMTP credentials to use in another resource (like EC2, ECS environment files)

Solution

Create a new resource for generating and outputting SMTP credentials.

Here it is in the old console (the new one does not have this feature yet):
[image: screenshot]

Compatibility

No implications - another new resource would be created.

System

  • aws-cfn-ses-domain version: 0.3
  • aws cli version: aws-cli/1.22.11 Python/3.6.9 Linux/5.4.0-1061-aws botocore/1.23.11
  • OS: Amazon Linux 2

Would you be willing to help?

I can help test it.

@medmunds
Owner

medmunds commented Jan 6, 2022

Hmm. I think this is doable, but it's not entirely clear to me what the best way to fit it into CloudFormation is.

Interestingly, you can almost get SMTP credentials now, just using existing CloudFormation resources. Here's what the SES console does when you use it to create SMTP credentials:

  1. Creates a new IAM user. (You can already do this in CF with an AWS::IAM::User resource.)
  2. Attaches an IAM inline policy to that user, which allows action ses:SendRawEmail on resource * with no other restrictions. (You can do this in CF with AWS::IAM::Policy. And you might prefer to restrict it to only allow a particular sender domain.)
  3. Creates an IAM access key for the new user. (Do this in CF with AWS::IAM::AccessKey.)
  4. Calculates the SMTP password from the access key secret and the SES region, using this algorithm for generating an Amazon SES SMTP password. (I don't think you can calculate this directly in a CF template, because there's no CF intrinsic function for HmacSha256.)
  5. Provides you the following information:
    • SMTP username: the access key id from step 3
    • SMTP password: the result of the calculation from step 4
    • SMTP host: email-smtp.{SES_REGION}.amazonaws.com

So SES SMTP credentials aren't really a single "resource", but are actually a combination of three provisioned physical resources (IAM user, inline policy, and access key) plus a calculation on the access key's secret (which isn't really provisioning anything new).

We could try to package all of this up into a pseudo Custom::SES_SMTP_Credentials resource. But my experience is that bundling physical resources like this is fragile: you have to cover all the cases where some of the resources failed or got modified out from under you (during creation, update, and deletion). It's much easier to keep all the physical resources at the template level, and just let CF handle all the inter-resource logic. Also, you'd have to grant some really scary create/modify/delete IAM user permissions to the Custom::SES_SMTP_Credentials implementation.

Another option would be creating a new custom "resource" that just does the SMTP password calculation from step 4 above. It wouldn't really provision anything, but that means it's pretty easy to implement. I'd probably lean toward this approach, with an example nested CF template to provision the other resources.

But if you're already running code somewhere (anywhere) in your stack where you'll be sending email, the easiest approach might be to just calculate the SMTP password there. Use CF to provision the IAM user, inline policy, and access key, and provide the access key id and secret to the resource that will be doing SMTP sends. Then in your code that's doing SMTP sends (or init or config for it), use SES's algorithm to calculate the SMTP password from the access key secret. That works right now, without needing any new CF custom resources.
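The calculation referred to in step 4 and in the last paragraph above, as an added example that is not part of the issue or the aws-cfn-ses-domain project: a small Python helper that derives the SES SMTP password from an IAM access key secret and the SES region, following the published SigV4-style HMAC chain (date `11111111`, service `ses`, terminal `aws4_request`, message `SendRawEmail`, version byte `0x04`). The access key values are constructed placeholders, and the port number is an assumption (SES also accepts other STARTTLS/TLS ports).

```python
import base64
import hashlib
import hmac

# Constants fixed by the SES SMTP password algorithm described in the AWS docs.
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    """One HMAC-SHA256 step in the key-derivation chain."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password for an IAM access key secret in `region`.

    The result is deterministic and region-specific: the same secret yields a
    different SMTP password for each SES region, so a password computed for
    us-east-1 will not authenticate against the eu-west-1 endpoint.
    """
    signature = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    signature = _sign(signature, region)
    signature = _sign(signature, SERVICE)
    signature = _sign(signature, TERMINAL)
    signature = _sign(signature, MESSAGE)
    # Prepend the version byte and base64-encode the 33-byte result.
    return base64.b64encode(bytes([VERSION]) + signature).decode("ascii")


def ses_smtp_settings(access_key_id: str, secret_access_key: str, region: str) -> dict:
    """Assemble the values step 5 hands back: username is the access key id,
    password is the derived value, host is the regional SES SMTP endpoint.
    Port 587 (STARTTLS) is an assumption for this example."""
    return {
        "host": f"email-smtp.{region}.amazonaws.com",
        "port": 587,
        "username": access_key_id,
        "password": ses_smtp_password(secret_access_key, region),
    }


if __name__ == "__main__":
    # Constructed placeholder credentials (the well-known AWS documentation
    # example values), not real keys.
    settings = ses_smtp_settings(
        "AKIAIOSFODNN7EXAMPLE",
        "wJalrXUtnFEMI/K7MDENG/bPxRfiCy/EXAMPLEKEY",
        "us-east-1",
    )
    for name, value in settings.items():
        print(f"{name}: {value}")
```

Because the SMTP password is a pure function of the secret access key, it is exactly as sensitive as the secret itself and should be stored and logged with the same care; rotating the access key (new `AWS::IAM::AccessKey`) also changes the derived password, so the derivation belongs in the service's startup or config path rather than being pasted once by hand.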

@stevenlafl
Author

Amazing answer. I'll give this a shot!
