feat: add support for latest downstream cognito-message-sender

- add allow list to by email verifications
- use sendgrid an email provider

Author: sgtoj

main.tf

@@ -354,12 +354,15 @@ resource "aws_lambda_function" "email_msg_sender" {
 
   environment {
     variables = {
-      APP_DEBUG_MODE                          = var.email_sender_debug_mode
-      APP_LOG_LEVEL                           = var.service_log_level
-      APP_KMS_KEY_ID                          = module.kms_key.key_arn
-      APP_EMAIL_SENDER_POLICY_PATH            = local.email_sender_policy_path
-      APP_SENDGRID_API_KEY                    = var.sendgrid_api_key
-      APP_SENDGRID_EMAIL_VERIFICATION_ENABLED = var.sendgrid_email_verification_enabled
+      APP_DEBUG_MODE                            = var.email_sender_debug_mode
+      APP_LOG_LEVEL                             = var.service_log_level
+      APP_KMS_KEY_ID                            = module.kms_key.key_arn
+      APP_EMAIL_PROVIDER                        = var.email_sender_providers[0]
+      APP_EMAIL_SENDER_POLICY_PATH              = local.email_sender_policy_path
+      APP_SENDGRID_EMAIL_SEND_API_KEY           = var.sendgrid_email_send_api_key
+      APP_SENDGRID_EMAIL_VERIFICATION_API_KEY   = coalesce(var.sendgrid_email_verification_api_key, var.sendgrid_api_key)
+      APP_SENDGRID_EMAIL_VERIFICATION_ALLOWLIST = join(",", var.sendgrid_email_verification_allowlist)
+      APP_SENDGRID_EMAIL_VERIFICATION_ENABLED   = var.sendgrid_email_verification_enabled
     }
   }
 

variables.tf

@@ -46,10 +46,54 @@ variable "email_sender_policy_content" {
   default     = ""
 }
 
+variable "email_sender_providers" {
+  type        = list(string)
+  description = "List of enabled email providers."
+  default     = ["ses"]
+
+  validation {
+    condition     = length(var.email_sender_providers)
+    error_message = "Must define exactly one email provider. Support for more than one coming the future."
+  }
+
+  validation {
+    condition     = alltrue([for x in var.email_sender_providers : contains(["ses", "sendgrid"], x)])
+    error_message = "Invalid email provider"
+  }
+
+  validation {
+    condition     = !contains(var.email_sender_providers, "sendgrid") || (contains(var.email_sender_providers, "sendgrid") && length(var.sendgrid_email_send_api_key) > 0)
+    error_message = "SendGrid is set as email provider but its API is not set."
+  }
+}
+
 variable "sendgrid_api_key" {
   type        = string
-  description = "The SendGrid API key used to interact with its API."
+  description = "Deprecated: Use sendgrid_email_send_api_key"
+  default     = ""
+}
+
+variable "sendgrid_email_send_api_key" {
+  type        = string
+  description = "The SendGrid API key used to interact with its Mail Send API."
+  default     = ""
+}
+
+variable "sendgrid_email_verification_api_key" {
+  type        = string
+  description = "The SendGrid API key used to interact with its Email Verification API."
   default     = ""
+
+  validation {
+    condition     = !var.sendgrid_email_verification_enabled || (var.sendgrid_email_verification_enabled && length("${var.sendgrid_email_verification_api_key}${var.sendgrid_api_key}") > 0)
+    error_message = "SendGrid Email Verification is enabled but API Key is not set."
+  }
+}
+
+variable "sendgrid_email_verification_allowlist" {
+  type        = list(string)
+  description = "List of email domains that bypass email validation."
+  default     = []
 }
 
 variable "sendgrid_email_verification_enabled" {