sfgov-mikela · May 24, 2024 21:41
diff --git a/gistfile1.txt b/gistfile1.txt
 The production AWS environment has SES setup for api.sf.gov.  The staging server will have permission for api.dev.sf.gov can be setup manually(or grab Mikela)

 From the platform_base playbook we will need to add this permission to the instance_profile IAM role.  
 https://docs.aws.amazon.com/ses/latest/dg/control-user-access.html#iam-and-ses-examples-access-specific-ses-api-version

 It looks like the current iam_instance_profile is pointing at an s3_write_profile
 https://github.com/SFDigitalServices/ansible-platform/blob/main/platform_deploy.yaml#L39

 Which is created here
 https://github.com/SFDigitalServices/ansible-platform/blob/main/roles/s3_public/tasks/main.yaml#L36

 Move that "Iam role with admin access to write to buckets" task into platform_deploy.yaml and change the name from "{{ namespace }}-{{ stage }}-s3-write" to "{{ namespace }}-{{ stage }}-instance-profile"

 and update https://github.com/SFDigitalServices/ansible-platform/blob/main/platform_deploy.yaml#L39
 To use that arn

 So something like

 ```

 - name: S3 bucket write policy
  community.aws.iam_managed_policy:
    policy_name: "{{ namespace }}-{{ stage }}-ses-send"
    policy:
      Version: "2012-10-17"
      Statement:
        ....
  register: ses_send_policy

 - name: Iam role with admin access to write to buckets # apply to ec2 instance
  community.aws.iam_role:
    name: "{{ namespace }}-{{ stage }}-instance-profile"
    managed_policies:
      - "{{ s3_write_policy.policy.arn }}"
      - "{{ ses_send_policy.policy.arn }}"
    assume_role_policy_document:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action: sts:AssumeRole
    tags:
      Name: "{{ namespace }}-{{ stage }}-instance-profile"
      Type: public
      Stage: "{{ stage }}"
      Namespace: "{{ namespace }}"
  register: instance_profile

 - name: Start an instance on private subnet
  amazon.aws.ec2_instance:
      name: "{{ namespace }}_{{ stage }}_web"
 ....(change this line)
      iam_instance_profile: "{{ instance_profile.iam_role.arn }}"
 ....
 ```

 That after that update rerun platform_deploy should change the instance_profile and it will have SES permissions

 Then from django follow these instructions
 https://github.com/django-ses/django-ses

 You will not need to set the ACCESS_KEY or SECRET vars and will just need these set in seetings/production.py

 ```
 EMAIL_BACKEND = 'django_ses.SESBackend'
 AWS_SES_REGION_NAME = 'us-west-2'
 AWS_SES_REGION_ENDPOINT = 'email.us-west-2.amazonaws.com'
 USE_SES_V2 = True
 ```
	The production AWS environment has SES setup for api.sf.gov. The staging server will have permission for api.dev.sf.gov can be setup manually(or grab Mikela)

	From the platform_base playbook we will need to add this permission to the instance_profile IAM role.
	https://docs.aws.amazon.com/ses/latest/dg/control-user-access.html#iam-and-ses-examples-access-specific-ses-api-version

	It looks like the current iam_instance_profile is pointing at an s3_write_profile
	https://github.com/SFDigitalServices/ansible-platform/blob/main/platform_deploy.yaml#L39

	Which is created here
	https://github.com/SFDigitalServices/ansible-platform/blob/main/roles/s3_public/tasks/main.yaml#L36

	Move that "Iam role with admin access to write to buckets" task into platform_deploy.yaml and change the name from "{{ namespace }}-{{ stage }}-s3-write" to "{{ namespace }}-{{ stage }}-instance-profile"

	and update https://github.com/SFDigitalServices/ansible-platform/blob/main/platform_deploy.yaml#L39
	To use that arn

	So something like

	```

	- name: S3 bucket write policy
	community.aws.iam_managed_policy:
	policy_name: "{{ namespace }}-{{ stage }}-ses-send"
	policy:
	Version: "2012-10-17"
	Statement:
	....
	register: ses_send_policy

	- name: Iam role with admin access to write to buckets # apply to ec2 instance
	community.aws.iam_role:
	name: "{{ namespace }}-{{ stage }}-instance-profile"
	managed_policies:
	- "{{ s3_write_policy.policy.arn }}"
	- "{{ ses_send_policy.policy.arn }}"
	assume_role_policy_document:
	Version: "2012-10-17"
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- ec2.amazonaws.com
	Action: sts:AssumeRole
	tags:
	Name: "{{ namespace }}-{{ stage }}-instance-profile"
	Type: public
	Stage: "{{ stage }}"
	Namespace: "{{ namespace }}"
	register: instance_profile

	- name: Start an instance on private subnet
	amazon.aws.ec2_instance:
	name: "{{ namespace }}_{{ stage }}_web"
	....(change this line)
	iam_instance_profile: "{{ instance_profile.iam_role.arn }}"
	....
	```

	That after that update rerun platform_deploy should change the instance_profile and it will have SES permissions

	Then from django follow these instructions
	https://github.com/django-ses/django-ses

	You will not need to set the ACCESS_KEY or SECRET vars and will just need these set in seetings/production.py

	```
	EMAIL_BACKEND = 'django_ses.SESBackend'
	AWS_SES_REGION_NAME = 'us-west-2'
	AWS_SES_REGION_ENDPOINT = 'email.us-west-2.amazonaws.com'
	USE_SES_V2 = True
	```