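# ============================================================================
# AWS SES Configuration
# ============================================================================
# Configures AWS Simple Email Service for sending alert notifications.
#
# Security notes for this file:
#   - aws_iam_access_key stores the secret access key and the derived
#     ses_smtp_password_v4 in Terraform state. The state backend must be
#     encrypted at rest and readable only by the principals that run Terraform.
#   - The SMTP credential is a long-lived IAM access key; no rotation is
#     configured in this file. Rotating it means replacing the access key
#     resource, which also rewrites the secret version below.

# Email identity for sending alerts.
# SES sends a verification mail to this address; sending from it fails until
# the address owner confirms.
resource "aws_ses_email_identity" "alert_email" {
  email = var.alert_email
}

# IAM user for SMTP authentication.
# This is a service identity: it has no console login profile in this file and
# is only used through the access key created below.
resource "aws_iam_user" "ses_smtp_user" {
  name = "${var.project_name}-ses-smtp-user"
  path = "/system/"

  tags = {
    Name = "${var.project_name}-ses-smtp-user"
  }
}

# Policy allowing the SMTP user to send emails via SES.
resource "aws_iam_user_policy" "ses_smtp_user_policy" {
  name = "${var.project_name}-ses-smtp-policy"
  user = aws_iam_user.ses_smtp_user.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ses:SendEmail",
          "ses:SendRawEmail"
        ]
        # Least privilege: limited to the identity verified above instead of
        # "*", so a leaked SMTP credential cannot send as any other verified
        # identity in the account.
        # NOTE(review): assumes alerts are sent From var.alert_email. If the
        # sender uses another verified identity or a configuration set, list
        # those ARNs here explicitly rather than reverting to "*".
        Resource = aws_ses_email_identity.alert_email.arn
      }
    ]
  })
}

# Access key for SMTP authentication.
# The SES SMTP password is derived from this key's secret, so both values
# must be handled as credentials (see the state note at the top of the file).
resource "aws_iam_access_key" "ses_smtp_access_key" {
  user = aws_iam_user.ses_smtp_user.name
}

# Store SMTP credentials in Secrets Manager.
# No kms_key_id is set, so the secret is encrypted with the account's default
# Secrets Manager key. Read access should be granted only to the workload that
# sends the alerts.
resource "aws_secretsmanager_secret" "ses_smtp_credentials" {
  name        = "${var.project_name}-ses-smtp-credentials"
  description = "SMTP credentials for AWS SES"

  # A deleted secret stays recoverable for 7 days; its name cannot be reused
  # during that window.
  recovery_window_in_days = 7

  tags = {
    Name = "${var.project_name}-ses-smtp-credentials"
  }
}

resource "aws_secretsmanager_secret_version" "ses_smtp_credentials" {
  secret_id = aws_secretsmanager_secret.ses_smtp_credentials.id

  secret_string = jsonencode({
    smtp_host = "email-smtp.${var.aws_region}.amazonaws.com"
    # Port 587 starts in cleartext and upgrades with STARTTLS; the SMTP client
    # must require STARTTLS before AUTH so the credentials never travel
    # unencrypted.
    smtp_port     = "587"
    smtp_username = aws_iam_access_key.ses_smtp_access_key.id
    smtp_password = aws_iam_access_key.ses_smtp_access_key.ses_smtp_password_v4
    alert_email   = var.alert_email
  })
}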