aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

[aws-ses] Set active receipt rule set #10321

Open bahrmichael opened 4 years ago

bahrmichael commented 4 years ago

It looks like the aws-ses module does not support setting an active receipt rule set yet. This means we currently have to either go through the console or SDK (or some custom action that I haven't explored yet).

Use Case

With the CDK I can currently create a receipt rule set, but I cannot activate it (without going through other tools). I would like to create a receipt rule set and directly activate it.

Proposed Solution

Extend the ReceiptRuleSet with an option parameter to set it as the default.

Other

n/a


This is a :rocket: Feature Request

iliapolo commented 4 years ago

@bahrmichael Activating a receipt rule set is not modeled in the CloudFormation resource. The solution to this is to use an AwsCustomResource that will issue the necessary api call using the AWS JavaScript SDK.

I am wondering, is activating a receipt rule set different than enabling all rules in that set? If so, isn't the enabled property on a rule sufficient?

bahrmichael commented 4 years ago

I tried the enabled property and it did not activate the ReceiptRuleSet. From my understanding there can only be one active ReceiptRuleSet.

While it might not be modeled in the CloudFormation resource, do you think it would still help to have a high level action-like construct to activate it from the CDK? I'm thinking about how the DnsValidatedCertificate helps me run a CDK stack and end up with a completely set up stack without any additional validation that I'd have to do.

iliapolo commented 4 years ago

@bahrmichael

> I tried the enabled property and it did not activate the ReceiptRuleSet. From my understanding there can only be one active ReceiptRuleSet.

Right, the enabled property simply activates a rule, but I'm wondering if using enabled on all rules in the rule set will do the same job as activating that rule set. We would also need to add some validation to make sure just one rule set is active.

> While it might not be modeled in the CloudFormation resource, do you think it would still help to have a high level action-like construct to activate it from the CDK?

Yes, this might be a nice feature to have. I will mark it. In the meantime, you can use the AwsCustomResource to perform the necessary call as part of the CDK.

Thanks

AramZS commented 3 years ago

+1 I would also like this feature. It is non-intuitive that activating each rule does not activate the rule set or that there is not also an enable property available on the set.

adam-nielsen commented 3 years ago

I was just about to log a support job for this! I couldn't work out why my CDK deployment looked fine but the e-mails I was sending were being rejected. As I was opening the support job I noticed a banner saying "ensure your rule set is active as this is the most common problem", and sure enough, CDK created the rule set, enabled it, but did not make it active - so the newly deployed resources were just sitting there doing nothing.

I am not sure why you would want to create inactive rules in the first place (especially "enabled" inactive rules), but either way I think CDK needs a way to activate the rule set (adding this ability to CloudFormation if required), otherwise it's a bit useless.

adam-nielsen commented 3 years ago

I just realised that you can't activate more than one ReceiptRuleSet, so really, we'd want an ActiveReceiptRuleSet class instead so we can retrieve the current active rule set and modify it. Adding a new ReceiptRuleSet is of little use as two stacks trying to do this will trample each other. Having them both retrieve the active ruleset and modify the rules on it will allow them to co-exist.

adam-nielsen commented 3 years ago

So further to this, I have realised that the active ruleset is no different to any other one. It looks like the correct process is to manually, via the AWS Console, create a ruleset named something generic (like default) and then make it active, once per supported region you wish to use. From then on, any and all CDK stacks just need to retrieve this existing ruleset and add rules to it like this:

    const activeRuleSet = cdkSES.ReceiptRuleSet.fromReceiptRuleSetName(this, 'ses-ruleset', 'default');

    activeRuleSet.addRule('my-first-rule', {
        receiptRuleName: 'my-first-rule',
        recipients: [ ... ],
        actions: [
            new cdkSESActions.S3(...),
        ],
    });

This way multiple independent CDK stacks can add and remove rules without conflict. If you try to manage the rule sets with CDK then you'll end up with conflicts as only one ruleset can be active at a time. But this way stacks can almost forget about the ruleset and just add and update the rules themselves as needed.

markusl commented 7 months ago

Workaround:


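    // Imports this snippet needs (assuming aws-cdk-lib v2 module paths; they are not shown in the comment):
    import * as cr from 'aws-cdk-lib/custom-resources';
    import * as iam from 'aws-cdk-lib/aws-iam';
    import { RetentionDays } from 'aws-cdk-lib/aws-logs';

    // The rule set needs to be activated: https://docs.aws.amazon.com/ses/latest/APIReference/API_SetActiveReceiptRuleSet.html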
    const setActiveReceiptRuleSetSdkCall: cr.AwsSdkCall = {
      service: 'SES',
      action: 'setActiveReceiptRuleSet',
      physicalResourceId: cr.PhysicalResourceId.of('SesCustomResource'),
      parameters: {
        RuleSetName: ruleSet.receiptRuleSetName,
      }
    };

    new cr.AwsCustomResource(this, "setActiveReceiptRuleSetCustomResource", {
      onCreate: setActiveReceiptRuleSetSdkCall,
      onUpdate: setActiveReceiptRuleSetSdkCall,
      logRetention: RetentionDays.ONE_WEEK,
      policy: cr.AwsCustomResourcePolicy.fromStatements([
        new iam.PolicyStatement({
          sid: 'SesCustomResourceSetActiveReceiptRuleSet',
          effect: iam.Effect.ALLOW,
          actions: ['ses:SetActiveReceiptRuleSet'],
          resources: ['*']
        }),
      ]),
    });

github-actions[bot] commented 7 months ago

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.

kornicameister commented 5 months ago

@markusl what about deactivating? won't stack fail to delete if rule is active?

markusl commented 5 months ago

@kornicameister Yes, that is the case. An onDelete handler can be added to mitigate the issue.
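
The delete-time behaviour discussed at the end of the thread, as an added example that is not code from any commenter or from the CDK project: a constructed in-memory model of SES allowing one active rule set per region and refusing to delete the active one. The `FakeSes` class, the rule set names and the error strings are hypothetical; the handler payloads follow the shape of the workaround's `AwsSdkCall`, and the model shows both the failing stack delete and the side effect of deactivating in `onDelete` when two stacks share a region.

```typescript
// Added example: constructed in-memory model, makes no AWS calls.
type SdkCall = { service: 'SES'; action: 'setActiveReceiptRuleSet'; parameters: { RuleSetName?: string } };

// Handler payloads in the shape of the workaround's AwsSdkCall (physicalResourceId omitted).
// Omitting RuleSetName makes SetActiveReceiptRuleSet deactivate whatever set is active.
function lifecycleCalls(ruleSetName: string, withOnDelete: boolean) {
  const activate: SdkCall = { service: 'SES', action: 'setActiveReceiptRuleSet', parameters: { RuleSetName: ruleSetName } };
  const deactivate: SdkCall = { service: 'SES', action: 'setActiveReceiptRuleSet', parameters: {} };
  return { onCreate: activate, onUpdate: activate, onDelete: withOnDelete ? deactivate : undefined };
}

// Hypothetical stand-in for one account and region: many rule sets, at most one active.
class FakeSes {
  ruleSets = new Set<string>();
  active: string | undefined = undefined;
  run(call: SdkCall): void {
    const name = call.parameters.RuleSetName;
    if (name !== undefined && !this.ruleSets.has(name)) throw new Error('RuleSetDoesNotExist');
    this.active = name;
  }
  deleteRuleSet(name: string): void {
    if (name === this.active) throw new Error('CannotDelete');
    this.ruleSets.delete(name);
  }
}

// Stack create: rule set first, then the custom resource that activates it.
function deploy(ses: FakeSes, name: string, withOnDelete: boolean) {
  const calls = lifecycleCalls(name, withOnDelete);
  ses.ruleSets.add(name);
  ses.run(calls.onCreate);
  return calls;
}

// Stack delete runs in reverse dependency order: custom resource, then rule set.
function destroy(ses: FakeSes, name: string, calls: ReturnType<typeof lifecycleCalls>): string {
  try {
    if (calls.onDelete) ses.run(calls.onDelete);
    ses.deleteRuleSet(name);
    return 'deleted';
  } catch (e) {
    return (e as Error).message;
  }
}

// Two stacks sharing a region: B takes over from A, and B's onDelete leaves nothing active.
function sharedRegionScenario(): { afterDeployB: string | undefined; afterDestroyB: string | undefined } {
  const ses = new FakeSes();
  deploy(ses, 'stack-a-rules', true);
  const b = deploy(ses, 'stack-b-rules', true);
  const afterDeployB = ses.active;
  destroy(ses, 'stack-b-rules', b);
  return { afterDeployB, afterDestroyB: ses.active };
}
```

In a real stack the `onDelete` payload goes on the same `cr.AwsCustomResource` as `onCreate` and `onUpdate`, and it needs no extra IAM action because it is the same `ses:SetActiveReceiptRuleSet` call. Calling it without `RuleSetName` disables all email receiving in that region, so it only suits a stack that owns the active rule set outright.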