cds-snc / notification-planning-core

Project planning for GC Notify Core Team

AWS DKIM Validation Broken Between V1 and V2 API #443

Closed ben851 closed 5 days ago

ben851 commented 1 month ago

Description

Domain validation is broken when deploying a new environment. As per AWS:

My name is Duanne, here to assist with the domain verification pending issue you noted for domain dev.notification.cdssandbox.xyz. To set the context, SES currently runs two API versions, v1 and v2. The v2 API is newer and is what the SES Console is currently based on. There are also differences in how identities are verified for both versions of the API. The v2 API will verify a domain based on the existence of the DKIM DNS records, while the v1 API requires a TXT record to be added to complete identity verification.

Looking at the request to verify the domain dev.notification.cdssandbox.xyz, the request was made by Terraform using the v1 API call VerifyDomainIdentity. Cloudtrail link for this event, here[1]. As such, SES is now looking for the TXT record to complete verification, but can only find TXT records for other regions the domain is/was verified in. For this reason you see the message that the DNS record was found but the value of the DNS record is not what was expected.

There are two ways to resolve this:

1. Delete and re-add the domain using the v2 API.

2. Add the TXT record required as part of the v1 API:

   Name: _amazonses.dev.notification.cdssandbox.xyz (your DNS provider may automatically append the domain name, in which case you use only _amazonses as the name)
   Value: +mX5BSV/wAQEiD5VAh7JQ3xXOAdmLSoBvnFTcnvpsHE=

Once the TXT record is added and SES has been able to resolve it, the verification should complete.

I would recommend that you move over to using the v2 API.

[1] https://ca-central-1.console.aws.amazon.com/cloudtrail/home?region=ca-central-1#/events?StartTime=2024-10-19T11:47:50.102Z&EndTime=2024-10-22T11:47:50.102Z&EventSource=ses.amazonaws.com

If you have any further questions, please let me know and have a good day!


WHY are we building?

We need to be able to programmatically recreate our environment as part of BCP and keeping dev environments clean.

WHAT are we building?

Review Duanne's recommendations and determine how to implement this in Terraform.

VALUE created by our solution

Our system will be able to be automatically deployed again.

Acceptance Criteria

QA Steps


ben851 commented 1 month ago

I migrated the SES domain identity to the V2 resource in Terraform, and this resolved the issue.

We will have to delete and recreate the identities in staging and production in order for this to work.
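Example Terraform configuration, added here and not taken from the cds-snc repositories, illustrating the migration described in this comment and the "determine how to implement this in Terraform" item in the description: the v1 resource pair (`aws_ses_domain_identity`, which issues the VerifyDomainIdentity call, plus the `_amazonses` TXT record) shown as the "before", and the v2 `aws_sesv2_email_identity` resource with the three DKIM CNAME records that v2 verification checks. The domain is the one from the issue; the Route53 zone `aws_route53_zone.main`, the resource names and the TTLs are assumptions.

```hcl
# Added example (not from the cds-snc repositories). Shows the v1 -> v2 SES
# domain identity migration described in this issue. Assumptions: the zone is
# hosted in Route53 as aws_route53_zone.main; resource names and TTLs are
# arbitrary.

locals {
  ses_domain = "dev.notification.cdssandbox.xyz" # domain from the issue
}

# --- Before: v1 identity (calls VerifyDomainIdentity) ----------------------
# v1 issues a per-region verification token that must be published in a TXT
# record at _amazonses.<domain>. When the TXT record set only holds tokens
# issued to other regions, SES reports "record found but value not expected",
# which is the symptom in this issue.
#
# resource "aws_ses_domain_identity" "domain" {
#   domain = local.ses_domain
# }
#
# resource "aws_route53_record" "ses_verification" {
#   zone_id = aws_route53_zone.main.zone_id
#   name    = "_amazonses.${local.ses_domain}"
#   type    = "TXT"
#   ttl     = 600
#   records = [aws_ses_domain_identity.domain.verification_token]
# }

# --- After: v2 identity (verified through the DKIM CNAMEs) -----------------
resource "aws_sesv2_email_identity" "domain" {
  email_identity = local.ses_domain
}

# SES v2 returns three Easy DKIM tokens; each becomes a CNAME
# <token>._domainkey.<domain> -> <token>.dkim.amazonses.com.
# v2 treats the identity as verified once these resolve, so no _amazonses
# TXT record is needed for this region.
resource "aws_route53_record" "dkim" {
  count = 3

  zone_id = aws_route53_zone.main.zone_id
  name    = "${aws_sesv2_email_identity.domain.dkim_signing_attributes[0].tokens[count.index]}._domainkey.${local.ses_domain}"
  type    = "CNAME"
  ttl     = 600
  records = ["${aws_sesv2_email_identity.domain.dkim_signing_attributes[0].tokens[count.index]}.dkim.amazonses.com"]
}

# Exposes the identity's verification state so a post-apply check can confirm
# that the domain is verified once the CNAMEs have propagated.
output "ses_domain_verified_for_sending" {
  value = aws_sesv2_email_identity.domain.verified_for_sending_status
}
```

The v1 and v2 resources describe the same underlying SES identity, so they should not be applied side by side; as the comment above notes, the identity is deleted and recreated when moving to the v2 resource, and the output can be checked after apply to confirm that the DKIM-based verification completed.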

ben851 commented 1 month ago

Production release scheduled tomorrow for 8am

ben851 commented 1 month ago

Production released; all domains are still verified. Ready for QA/closure.

sastels commented 1 month ago

Done. Jimmy will investigate the unverified domain trvapply-vrtdemande.apps.cic.gc.ca.