Merge pull request #3 from infraspecdev/ses-smtp-support

vjdhama · web-flow · commit ae92f1291b29 · 2023-01-23T13:43:18.000+05:30
add support for amazon SES as smtp service
diff --git a/gitlab_config_templates/nginx.tftpl b/gitlab_config_templates/nginx.tftpl
@@ -0,0 +1,3 @@
+nginx['redirect_http_to_https'] = false
+nginx['listen_port'] = 80
+nginx['listen_https'] = false
diff --git a/gitlab_config_templates/postgres.tftpl b/gitlab_config_templates/postgres.tftpl
@@ -0,0 +1 @@
+postgresql['enable'] = false
diff --git a/gitlab_config_templates/rails.tftpl b/gitlab_config_templates/rails.tftpl
@@ -0,0 +1,22 @@
+external_url '${gitlab_url}'
+
+gitlab_rails['monitoring_whitelist'] = ['0.0.0.0/0','127.0.0.0/8', '::1/128']
+
+gitlab_rails['db_adapter'] = "postgresql"
+gitlab_rails['db_encoding'] = "unicode"
+gitlab_rails['db_database'] = "${gitlab_db_name}"
+gitlab_rails['db_username'] = "${gitlab_db_username}"
+gitlab_rails['db_password'] = "${gitlab_db_password}"
+gitlab_rails['db_host'] = "${gitlab_db_host}"
+
+gitlab_rails['redis_host'] = "${gitlab_redis_host}"
+gitlab_rails['redis_port'] = 6379
+
+letsencrypt['enable'] = false
+
+gitlab_rails['backup_upload_connection'] = {
+  'provider' => 'AWS',
+  'region' => '${aws_region}',
+  'use_iam_profile' => true
+}
+gitlab_rails['backup_upload_remote_directory'] = '${gitlab_backup_s3_bucket_name}'
diff --git a/gitlab_config_templates/redis.tftpl b/gitlab_config_templates/redis.tftpl
@@ -0,0 +1 @@
+redis['enable'] = false
diff --git a/gitlab_config_templates/smtp.tftpl b/gitlab_config_templates/smtp.tftpl
@@ -0,0 +1,8 @@
+gitlab_rails['smtp_enable'] = true
+gitlab_rails['smtp_address'] = "${smtp_address}"
+gitlab_rails['smtp_port'] = 587
+gitlab_rails['smtp_user_name'] = "${smtp_username}"
+gitlab_rails['smtp_password'] = "${smtp_password}"
+gitlab_rails['smtp_domain'] = "${smtp_domain}"
+gitlab_rails['smtp_authentication'] = "login"
+gitlab_rails['smtp_enable_starttls_auto'] = true
diff --git a/main.tf b/main.tf
@@ -456,18 +456,27 @@ resource "aws_iam_instance_profile" "gitlab" {
 
 data "template_file" "gitlab_config_template" {
   template = join("\n", [
-    for fn in fileset(".", "${local.gitlab_config_template_file_path}/**") : file(fn)
+    file("${local.gitlab_config_template_file_path}/postgres.tftpl"),
+    file("${local.gitlab_config_template_file_path}/redis.tftpl"),
+    file("${local.gitlab_config_template_file_path}/nginx.tftpl"),
+    file("${local.gitlab_config_template_file_path}/rails.tftpl"),
+    var.create_ses_identity ? file("${local.gitlab_config_template_file_path}/smtp.tftpl") : "",
   ])
-  vars = {
+  vars = merge({
     gitlab_url                   = local.gitlab_complete_url,
     gitlab_db_name               = module.gitlab_pg.db_instance_name,
     gitlab_db_username           = module.gitlab_pg.db_instance_username,
     gitlab_db_password           = module.gitlab_pg.db_instance_password,
     gitlab_db_host               = module.gitlab_pg.db_instance_address,
     gitlab_redis_host            = aws_elasticache_cluster.gitlab_redis.cache_nodes[0].address,
-    aws_region                   = aws_s3_bucket.gitlab_backup[0].region
+    aws_region                   = aws_s3_bucket.gitlab_backup[0].region,
     gitlab_backup_s3_bucket_name = aws_s3_bucket.gitlab_backup[0].bucket
-  }
+    }, var.create_ses_identity ? {
+    smtp_address  = "email-smtp.${var.aws_region}.amazonaws.com",
+    smtp_username = aws_iam_access_key.gitlab_smtp_user[0].id,
+    smtp_password = aws_iam_access_key.gitlab_smtp_user[0].ses_smtp_password_v4,
+    smtp_domain   = data.aws_route53_zone.email_domain[0].name
+  } : {})
 }
 
 resource "local_sensitive_file" "rendered_gitlab_config_file" {
@@ -496,3 +505,60 @@ resource "null_resource" "gitlab_reconfigure" {
     command = "ansible-playbook -u ubuntu -i '${aws_instance.gitlab[0].private_ip},' --private-key ${var.private_key} -e 'instance_ip_address=${aws_instance.gitlab[0].private_ip} workdir=${local.gitlab_config_tmp_path} config_file=${local_sensitive_file.gitlab_config_file.filename}' ${local.gitlab_config_playbook_file}"
   }
 }
+
+data "aws_route53_zone" "email_domain" {
+  count = var.create_ses_identity ? 1 : 0
+  name  = var.ses_domain != null ? var.ses_domain : var.hosted_zone
+}
+
+resource "aws_ses_domain_identity" "email_domain" {
+  count  = var.create_ses_identity ? 1 : 0
+  domain = data.aws_route53_zone.email_domain[0].name
+}
+
+resource "aws_route53_record" "email_domain_amazonses_verification_record" {
+  count   = var.create_ses_identity ? 1 : 0
+  zone_id = data.aws_route53_zone.email_domain[0].zone_id
+  name    = "_amazonses.${aws_ses_domain_identity.email_domain[0].id}"
+  type    = "TXT"
+  ttl     = "600"
+  records = [aws_ses_domain_identity.email_domain[0].verification_token]
+}
+
+resource "aws_ses_domain_identity_verification" "email_domain_verification" {
+  count  = var.create_ses_identity ? 1 : 0
+  domain = aws_ses_domain_identity.email_domain[0].id
+
+  depends_on = [aws_route53_record.email_domain_amazonses_verification_record[0]]
+}
+
+resource "aws_iam_user" "gitlab_smtp_user" {
+  count = var.create_ses_identity ? 1 : 0
+  name  = var.ses_username
+}
+
+resource "aws_iam_access_key" "gitlab_smtp_user" {
+  count = var.create_ses_identity ? 1 : 0
+  user  = aws_iam_user.gitlab_smtp_user[0].name
+}
+
+data "aws_iam_policy_document" "gitlab_ses_sender" {
+  count = var.create_ses_identity ? 1 : 0
+  statement {
+    actions   = ["ses:SendRawEmail"]
+    resources = [aws_ses_domain_identity.email_domain[0].arn]
+  }
+}
+
+resource "aws_iam_policy" "gitlab_ses_sender" {
+  count       = var.create_ses_identity ? 1 : 0
+  name        = "gitlab_ses_sender"
+  description = "Allows sending of e-mails via Simple Email Service"
+  policy      = data.aws_iam_policy_document.gitlab_ses_sender[0].json
+}
+
+resource "aws_iam_user_policy_attachment" "gitlab_ses_sender" {
+  count      = var.create_ses_identity ? 1 : 0
+  user       = aws_iam_user.gitlab_smtp_user[0].name
+  policy_arn = aws_iam_policy.gitlab_ses_sender[0].arn
+}
diff --git a/variables.tf b/variables.tf
@@ -273,3 +273,27 @@ variable "private_key" {
   type        = string
   description = "Private key to execute ansible playbook on Gitlab instance."
 }
+
+variable "create_ses_identity" {
+  type        = bool
+  description = "Create a Amazon SES domain identity for Gitlab SMTP service. The domain should be hosted on Route53."
+  default     = false
+}
+
+variable "ses_domain" {
+  type        = string
+  description = "Route53 hosted domain name for Amazon SES. If no value provided, value of Gitlab hosted zone will be assumed as default."
+  default     = null
+}
+
+variable "aws_region" {
+  type        = string
+  description = "AWS region code. Eg: ap-south-1"
+  default     = "ap-south-1"
+}
+
+variable "ses_username" {
+  type        = string
+  description = "Username for Gitlab SMTP user"
+  default     = "gitlab_smtp_user"
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+nginx['redirect_http_to_https'] = false`
	`2`	`+nginx['listen_port'] = 80`
	`3`	`+nginx['listen_https'] = false`