feat: add support for latest downstream cognito-message-sender

sgtoj · sgtoj · commit 6d6193459ce3 · 2025-08-12T14:57:02.000-04:00
- add allow list to by email verifications
- use sendgrid an email provider
diff --git a/main.tf b/main.tf
@@ -354,12 +354,15 @@ resource "aws_lambda_function" "email_msg_sender" {
 
   environment {
     variables = {
-      APP_DEBUG_MODE                          = var.email_sender_debug_mode
-      APP_LOG_LEVEL                           = var.service_log_level
-      APP_KMS_KEY_ID                          = module.kms_key.key_arn
-      APP_EMAIL_SENDER_POLICY_PATH            = local.email_sender_policy_path
-      APP_SENDGRID_API_KEY                    = var.sendgrid_api_key
-      APP_SENDGRID_EMAIL_VERIFICATION_ENABLED = var.sendgrid_email_verification_enabled
+      APP_DEBUG_MODE                            = var.email_sender_debug_mode
+      APP_LOG_LEVEL                             = var.service_log_level
+      APP_KMS_KEY_ID                            = module.kms_key.key_arn
+      APP_EMAIL_PROVIDER                        = var.email_sender_providers[0]
+      APP_EMAIL_SENDER_POLICY_PATH              = local.email_sender_policy_path
+      APP_SENDGRID_EMAIL_SEND_API_KEY           = var.sendgrid_email_send_api_key
+      APP_SENDGRID_EMAIL_VERIFICATION_API_KEY   = coalesce(var.sendgrid_email_verification_api_key, var.sendgrid_api_key)
+      APP_SENDGRID_EMAIL_VERIFICATION_ALLOWLIST = join(",", var.sendgrid_email_verification_allowlist)
+      APP_SENDGRID_EMAIL_VERIFICATION_ENABLED   = var.sendgrid_email_verification_enabled
     }
   }
 
diff --git a/variables.tf b/variables.tf
@@ -46,12 +46,46 @@ variable "email_sender_policy_content" {
   default     = ""
 }
 
+variable "email_sender_providers" {
+  type        = list(string)
+  description = "List of enabled email providers."
+  default     = ["ses"]
+
+  validation {
+    condition     = length(var.email_sender_providers)
+    error_message = "Must define exactly one email provider. Support for more than one coming the future."
+  }
+}
+
 variable "sendgrid_api_key" {
   type        = string
-  description = "The SendGrid API key used to interact with its API."
+  description = "Deprecated: Use sendgrid_email_send_api_key"
   default     = ""
 }
 
+variable "sendgrid_email_send_api_key" {
+  type        = string
+  description = "The SendGrid API key used to interact with its Mail Send API."
+  default     = ""
+}
+
+variable "sendgrid_email_verification_api_key" {
+  type        = string
+  description = "The SendGrid API key used to interact with its Email Verification API."
+  default     = ""
+
+  validation {
+    condition     = !var.sendgrid_email_verification_enabled || (var.sendgrid_email_verification_enabled && length(var.sendgrid_email_verification_api_key) > 0)
+    error_message = "SendGrid Email Verification is enabled but API Key is not set."
+  }
+}
+
+variable "sendgrid_email_verification_allowlist" {
+  type        = list(string)
+  description = "List of email domains that bypass email validation."
+  default     = false
+}
+
 variable "sendgrid_email_verification_enabled" {
   type        = bool
   description = "Toggle to use email verification."
