IaC Bazaar
AWS · Live-tested

SES v2 Sending Stack

An SES v2 sending stack — a configuration set with an optional domain/email identity (Easy DKIM) — with TLS required, bounce/complaint suppression, and reputation metrics to CloudWatch.

terraform · AWS · #aws
aws-ses · terraform v1.7

Verification

Live-tested

Actually deployed, verified, checked for idempotency and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

aws-ses

Amazon SES (Simple Email Service) v2 sending stack: a configuration set with secure-by-default delivery wired to an optional sending identity (domain or email address). Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. Built on the modern aws_sesv2_* resources (not the legacy aws_ses_* set).

What you get:

  • An aws_sesv2_configuration_set — the unit that groups sending rules (TLS policy, reputation tracking, suppression) and is attached to the identity so every send through it inherits them.
  • An optional aws_sesv2_email_identity. A domain identity gets provider-managed Easy DKIM (the CNAME tokens to publish are returned as dkim_tokens); an email-address identity triggers AWS's verification email. Either way the identity is created static-validated and stays pending verification until you publish the DNS records or click the link — that is expected and costs nothing.
  • Optional custom MAIL FROM domain and an optional CloudWatch event destination (the cheapest event sink — metrics only, no extra infrastructure).

Secure defaults:

  • TLS required to the receiving mail server (tls_policy = "REQUIRE") — no cleartext fallback.
  • Suppression list enabled for both BOUNCE and COMPLAINT at the configuration-set level, protecting the account's sending reputation.
  • Reputation metrics published to CloudWatch so you can alarm before AWS pauses sending.
  • DKIM key length defaults to RSA_2048_BIT for domain identities.
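
The secure defaults listed above, written directly against the provider's aws_sesv2_* resources. This is an added example, not the module's own source; the resource names, the configuration set name and the domain example.com are placeholders.

```hcl
# Added example: raw provider resources, not the aws-ses module's code.
# "mail", "domain", "example-sending" and "example.com" are placeholders.

terraform {
  required_version = ">= 1.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0, < 7.0"
    }
  }
}

resource "aws_sesv2_configuration_set" "mail" {
  configuration_set_name = "example-sending"

  delivery_options {
    # REQUIRE: a message is delivered only if a TLS session can be established.
    # The weaker value is "OPTIONAL" (opportunistic TLS, cleartext fallback).
    tls_policy = "REQUIRE"
  }

  suppression_options {
    # Addresses that bounce or complain are suppressed for sends through this set.
    suppressed_reasons = ["BOUNCE", "COMPLAINT"]
  }

  reputation_options {
    # Publishes bounce/complaint rate metrics to CloudWatch for alarming.
    reputation_metrics_enabled = true
  }
}

resource "aws_sesv2_email_identity" "domain" {
  email_identity         = "example.com"
  configuration_set_name = aws_sesv2_configuration_set.mail.configuration_set_name

  dkim_signing_attributes {
    next_signing_key_length = "RSA_2048_BIT"
  }
}

# Easy DKIM tokens to publish as CNAME records; the identity stays pending until they resolve.
output "dkim_tokens" {
  value = aws_sesv2_email_identity.domain.dkim_signing_attributes[0].tokens
}
```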

No VPC, no servers, no charge to create — SES bills per email actually sent.

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). A live apply/verify/destroy fixture is included under tests/ (creates a free configuration set + pending domain identity in a real account, then tears it down). See catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
