942 replace pinpoint with SES (#231)

* 942 replace pinpoint with SES

* updates to access_control

* Replace Pinpoint outputs with SES outputs

- Replace pinpoint_app_id output with ses_configuration_set and ses_from_email
- Updates outputs for all app templates (app, app-flask, app-nextjs, app-rails)
- Completes migration from Amazon Pinpoint to direct SES usage

Related to Amazon Pinpoint end of support (October 30, 2026)
See: https://docs.aws.amazon.com/pinpoint/latest/userguide/migrate.html

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Address PR feedback

* [942] Remove unused outputs from notifications-email-domain modules

* Update `template-infra:base` to version 0.15.7.post1.dev0+4ebae27

* app: Update `template-infra:app` to version 0.15.7.post1.dev0+4ebae27

* app-flask: Update `template-infra:app` to version 0.15.7.post1.dev0+4ebae27

* app-nextjs: Update `template-infra:app` to version 0.15.7.post1.dev0+4ebae27

* app-rails: Update `template-infra:app` to version 0.15.7.post1.dev0+4ebae27

---------

Co-authored-by: Sean Thomas <sean.thomas@navapbc.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: 3 people

.template-infra/app-app-flask.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.15.6-18-gc477511
+_commit: v0.15.7-1-g4ebae27
 _src_path: https://github.com/navapbc/template-infra
 app_has_dev_env_setup: true
 app_local_port: 3200

.template-infra/app-app-nextjs.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.15.6-18-gc477511
+_commit: v0.15.7-1-g4ebae27
 _src_path: https://github.com/navapbc/template-infra
 app_has_dev_env_setup: true
 app_local_port: 3300

.template-infra/app-app-rails.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.15.6-18-gc477511
+_commit: v0.15.7-1-g4ebae27
 _src_path: https://github.com/navapbc/template-infra
 app_has_dev_env_setup: true
 app_local_port: 3100

.template-infra/app-app.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.15.6-18-gc477511
+_commit: v0.15.7-1-g4ebae27
 _src_path: https://github.com/navapbc/template-infra
 app_has_dev_env_setup: true
 app_local_port: 3000

.template-infra/base.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.15.6-18-gc477511
+_commit: v0.15.7-1-g4ebae27
 _src_path: https://github.com/navapbc/template-infra
 base_code_repository_url: git@github.com:navapbc/platform-test.git
 base_default_region: us-east-1

app/notifications.py

@@ -2,32 +2,28 @@
 import boto3
 
 def send_email(to: str, subject: str, message: str):
-    pinpoint_client = boto3.client("pinpoint")
-    app_id = os.environ["AWS_PINPOINT_APP_ID"]
+    ses_client = boto3.client("sesv2")
+    from_email = os.environ["AWS_SES_FROM_EMAIL"]
 
-    response = pinpoint_client.send_messages(
-        ApplicationId=app_id,
-        MessageRequest={
-            "Addresses": {
-                to: {
-                    "ChannelType": "EMAIL"
-                }
-            },
-            "MessageConfiguration": {
-                "EmailMessage": {
-                    "SimpleEmail": {
-                        "Subject": {
-                            "Charset": "UTF-8",
-                            "Data": subject
-                        },
-                        "HtmlPart": {
-                            "Charset": "UTF-8",
-                            "Data": message
-                        },
-                        "TextPart": {
-                            "Charset": "UTF-8",
-                            "Data": message
-                        }
+    response = ses_client.send_email(
+        FromEmailAddress=from_email,
+        Destination={
+            "ToAddresses": [to]
+        },
+        Content={
+            "Simple": {
+                "Subject": {
+                    "Data": subject,
+                    "Charset": "UTF-8"
+                },
+                "Body": {
+                    "Html": {
+                        "Data": message,
+                        "Charset": "UTF-8"
+                    },
+                    "Text": {
+                        "Data": message,
+                        "Charset": "UTF-8"
                     }
                 }
             }

docs/infra/notifications.md

@@ -2,8 +2,8 @@
 
 The application may need to send email notifications to users. This document describes how to configure notifications. The notification setup process will:
 
-1. Create an AWS Pinpoint application for managing notifications
-2. Configure Amazon SES (Simple Email Service) for sending emails
+1. Configure Amazon SES (Simple Email Service) for sending emails
+2. Set up the necessary IAM permissions for SES access
 3. Set up the necessary environment variables for the application service
 
 ## Requirements
@@ -32,28 +32,35 @@ make infra-update-app-service APP_NAME=<APP_NAME> ENVIRONMENT=<ENVIRONMENT>
 
 ## 4. Send a test email
 
-To send a test notification using the AWS CLI, first get the application id for the Pinpoint application/project for the environment you want to test.
+To send a test notification using the AWS CLI, first get the sender email address for the environment you want to test.
 
 ```bash
 bin/terraform-init "infra/<APP_NAME>/service" "<ENVIRONMENT>"
-APPLICATION_ID="$(terraform -chdir=infra/<APP_NAME>/service output -raw pinpoint_app_id)"
+FROM_EMAIL="$(terraform -chdir=infra/<APP_NAME>/service output -raw ses_from_email)"
 ```
 
 Then run the following command, replacing `<RECIPIENT_EMAIL>` with the email address you want to send to:
 
 ```bash
-aws pinpoint send-messages --application-id "$APPLICATION_ID" --message-request '{
-  "Addresses": {
-    "<RECIPIENT_EMAIL>": { "ChannelType": "EMAIL" }
-  },
-  "MessageConfiguration": {
-    "EmailMessage": {
-      "SimpleEmail": {
-        "Subject": { "Data": "Test notification", "Charset": "UTF-8" },
-        "TextPart": { "Data": "This is a message from the future", "Charset": "UTF-8" },
-        "HtmlPart": { "Data": "This is a message from the future", "Charset": "UTF-8" }
+aws sesv2 send-email \
+  --from-email-address "$FROM_EMAIL" \
+  --destination "ToAddresses=<RECIPIENT_EMAIL>" \
+  --content '{
+    "Simple": {
+      "Subject": {
+        "Data": "Test notification",
+        "Charset": "UTF-8"
+      },
+      "Body": {
+        "Text": {
+          "Data": "This is a message from the future",
+          "Charset": "UTF-8"
+        },
+        "Html": {
+          "Data": "<p>This is a message from the future</p>",
+          "Charset": "UTF-8"
+        }
       }
-    } 
-  }
-}'
+    }
+  }'
 ```

docs/system-architecture.md

@@ -16,10 +16,9 @@ This diagram shows the system architecture. [🔒 Make a copy of this Lucid temp
 * **GitHub** — Source code repository. Also responsible for Continuous Integration (CI) and Continuous Delivery (CD) workflows. GitHub Actions builds and deploys releases to an Amazon ECR registry that stores Docker container images for the application service.
 * **Incident Management Service** — Incident management service (e.g. PagerDuty or Splunk On-Call) for managing on-call schedules and paging engineers for urgent production issues.
 * **NAT Gateway** — Enables outbound internet access for resources in private subnets.
-* **Pinpoint** — Amazon Pinpoint service used for sending email and SMS notifications to users.
 * **Secrets Manager** — Securely stores and retrieves sensitive information such as database credentials.
 * **Service** — Amazon ECS service running the application.
-* **SES** — Amazon SES used by Amazon Pinpoint for sending email notifications.
+* **SES** — Amazon Simple Email Service (SES) used for sending email notifications to users.
 * **Terraform Backend Bucket** — Amazon S3 bucket used to store terraform state files.
 * **Terraform State Locks DynamoDB Table** — Amazon DynamoDB table used to manage concurrent access to terraform state files.
 * **VPC Endpoints** — VPC endpoints are used by the Database Role Manager to access Amazon Services without traffic leaving the VPC.

infra/app-flask/app-config/env-config/notifications.tf

@@ -1,7 +1,7 @@
 # Notifications configuration
 locals {
   notifications_config = var.enable_notifications && var.domain_name != null && local.network_config.domain_config.hosted_zone != null ? {
-    # Pinpoint app name.
+    # Notification configuration name.
     name = "${var.app_name}-${var.environment}"
 
     # Configure the name that users see in the "From" section of their inbox,

infra/app-flask/app-config/main.tf

@@ -39,8 +39,8 @@ locals {
   # If either (domain name or hosted zone) is not set in an environment, notifications will not actually be enabled.
   #
   # If enabled:
-  # 1. Creates an AWS Pinpoint application
-  # 2. Configures email notifications using AWS SES
+  # 1. Configures AWS SES for sending email notifications
+  # 2. Sets up IAM permissions for the application to send emails
   enable_notifications = false
 
   # Whether or not the application should enable WAF for the load balancer.