⚠️ [942] Replace Amazon Pinpoint with direct SES usage (#968)

sean-navapbc · Sean Thomas · web-flow · commit 4ebae278bd84 · 2025-10-22T12:19:42.000-04:00
## Ticket Resolves #942 ## Changes - Updated template-only-app/notifications.py to use SES - Removed Pinpoint resources (main.tf, email.tf, access_control.tf) - Updated IAM policies to SES-only - Updated environment variables to use AWS_SES_FROM_EMAIL - Updated all Pinpoint references in comments and docs - Removed Pinpoint VPC endpoint - Removed mobiletargeting from AWS services - ## Context for reviewers - https://p-231-app-dev-1629703657.us-east-1.elb.amazonaws.com/email-notifications - Emails successfully sent using new SES direct integration ### FOR RELEASE If you want to test SES alongside your existing Pinpoint setup before fully migrating, you can adopt a gradual approach: #### Phase 1: Add SES alongside Pinpoint (Optional) Keep your Pinpoint resources - Don't delete aws_pinpoint_app.app or related resources yet Add the SES environment variable to your service configuration `infra/<app_name>/service/notifications.tf`: ``` notifications_environment_variables = local.notifications_config != null ? { # Existing Pinpoint variables AWS_PINPOINT_APP_ID = module.notifications[0].app_id # New SES variable (can construct inline to avoid output changes) AWS_SES_FROM_EMAIL = local.notifications_config.sender_display_name != null ? "${local.notifications_config.sender_display_name} <${local.notifications_config.sender_email}>" : local.notifications_config.sender_email } : {} ``` Update your application code to use the sesv2 client instead of pinpoint, referencing AWS_SES_FROM_EMAIL Test that SES email sending works in your environment #### Phase 2: Remove Pinpoint Once you've confirmed SES works: Apply the full migration by merging/pulling the changes from this PR Run terraform apply to destroy the Pinpoint resources This approach minimizes risk by allowing you to validate SES functionality before removing Pinpoint infrastructure. > Provide evidence that the code works as expected. Explain what was done for testing and the results of the test plan. Include screenshots, [GIF demos](https://www.cockos.com/licecap/), shell commands or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox. Co-authored-by: Sean Thomas <sean.thomas@navapbc.com>
diff --git a/infra/modules/network/resources/variables.tf b/infra/modules/network/resources/variables.tf
@@ -6,7 +6,7 @@ variable "enable_command_execution" {
 
 variable "enable_notifications" {
   type        = bool
-  description = "Whether the application(s) in this network need AWS Pinpoint access."
+  description = "Whether the application(s) in this network need email notification access via SES."
   default     = false
 }
 
diff --git a/infra/modules/network/resources/vpc_endpoints.tf b/infra/modules/network/resources/vpc_endpoints.tf
@@ -17,7 +17,7 @@ locals {
     var.enable_command_execution ? ["ssmmessages"] : [],
 
     # AWS services used by notifications
-    var.enable_notifications ? ["pinpoint", "email-smtp"] : [],
+    var.enable_notifications ? ["email-smtp"] : [],
   )
 
   # S3 and DynamoDB use Gateway VPC endpoints. All other services use Interface VPC endpoints
diff --git a/infra/modules/notifications-email-domain/resources/access_control.tf b/infra/modules/notifications-email-domain/resources/access_control.tf
diff --git a/infra/modules/notifications-email-domain/resources/main.tf b/infra/modules/notifications-email-domain/resources/main.tf
@@ -9,7 +9,7 @@ locals {
 }
 
 # Verify email sender identity.
-# Docs: https://docs.aws.amazon.com/pinpoint/latest/userguide/channels-email-manage-verify.html
+# Docs: https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html
 resource "aws_sesv2_email_identity" "sender_domain" {
   email_identity         = var.domain_name
   configuration_set_name = aws_sesv2_configuration_set.email.configuration_set_name
diff --git a/infra/modules/notifications/resources/access_control.tf b/infra/modules/notifications/resources/access_control.tf
@@ -1,21 +1,12 @@
 resource "aws_iam_policy" "access" {
   name        = "${var.name}-notifications-access"
-  description = "Policy for calling SendMessages and SendUsersMessages on Pinpoint app ${var.name}"
+  description = "Policy for sending emails via SES for ${var.name}"
 
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
-      # From https://docs.aws.amazon.com/pinpoint/latest/developerguide/permissions-actions.html#permissions-actions-apiactions-messages
-      {
-        Effect = "Allow"
-        Action = [
-          "mobiletargeting:SendMessages",
-          "mobiletargeting:SendUsersMessages"
-        ]
-        Resource = "${aws_pinpoint_app.app.arn}/messages"
-      },
-
-      # From https://docs.aws.amazon.com/pinpoint/latest/developerguide/permissions-ses.html
+      # Permissions for sending emails via SES
+      # From https://docs.aws.amazon.com/ses/latest/dg/control-user-access.html
       {
         Effect = "Allow"
         Action = [
diff --git a/infra/modules/notifications/resources/email.tf b/infra/modules/notifications/resources/email.tf
diff --git a/infra/modules/notifications/resources/main.tf b/infra/modules/notifications/resources/main.tf
diff --git a/infra/modules/notifications/resources/outputs.tf b/infra/modules/notifications/resources/outputs.tf
@@ -1,7 +1,7 @@
-output "app_id" {
-  value = aws_pinpoint_app.app.application_id
-}
-
 output "access_policy_arn" {
   value = aws_iam_policy.access.arn
 }
+
+output "from_email" {
+  value = var.sender_display_name != null ? "${var.sender_display_name} <${var.sender_email}>" : var.sender_email
+}
diff --git a/infra/project-config/aws_services.tf b/infra/project-config/aws_services.tf
@@ -54,9 +54,6 @@ locals {
     // Amazon CloudWatch Logs – Collects, monitors, and analyzes log data from AWS services.
     "logs",
 
-    // Amazon Pinpoint – Provides customer engagement and messaging capabilities. Used for notifications.
-    "mobiletargeting",
-
     // Amazon EventBridge Pipes – Connects event producers to consumers with filtering and enrichment.
     "pipes",
 
@@ -84,7 +81,7 @@ locals {
     // AWS Cloud Map – Provides service discovery for microservices and applications.
     "servicediscovery",
 
-    // Amazon Simple Email Service (SES) – An email sending and receiving service. Used in conjunction with Amazon Pinpoint for notifications.
+    // Amazon Simple Email Service (SES) – An email sending and receiving service. Used for email notifications.
     "ses",
 
     // Amazon Simple Notification Service (SNS) – A pub/sub messaging service.
diff --git a/infra/{{app_name}}/app-config/env-config/notifications.tf b/infra/{{app_name}}/app-config/env-config/notifications.tf
@@ -1,7 +1,7 @@
 # Notifications configuration
 locals {
   notifications_config = var.enable_notifications && var.domain_name != null && local.network_config.domain_config.hosted_zone != null ? {
-    # Pinpoint app name.
+    # Notification configuration name.
     name = "${var.app_name}-${var.environment}"
 
     # Configure the name that users see in the "From" section of their inbox,
diff --git a/infra/{{app_name}}/app-config/main.tf b/infra/{{app_name}}/app-config/main.tf
@@ -39,8 +39,8 @@ locals {
   # If either (domain name or hosted zone) is not set in an environment, notifications will not actually be enabled.
   #
   # If enabled:
-  # 1. Creates an AWS Pinpoint application
-  # 2. Configures email notifications using AWS SES
+  # 1. Configures AWS SES for sending email notifications
+  # 2. Sets up IAM permissions for the application to send emails
   enable_notifications = false
 
   # Whether or not the application should enable WAF for the load balancer.
diff --git a/infra/{{app_name}}/service/notifications.tf b/infra/{{app_name}}/service/notifications.tf
@@ -8,8 +8,7 @@ locals {
     module.existing_notifications_email_domain[0].domain_identity_arn
   ) : null
   notifications_environment_variables = local.notifications_config != null ? {
-    AWS_PINPOINT_APP_ID       = module.notifications[0].app_id,
-    AWS_PINPOINT_SENDER_EMAIL = local.notifications_config.sender_email
+    AWS_SES_FROM_EMAIL = module.notifications[0].from_email
   } : {}
   notifications_app_name = local.notifications_config != null ? "${local.prefix}${local.notifications_config.name}" : ""
 }
@@ -33,9 +32,8 @@ module "existing_notifications_email_domain" {
   domain_name = module.domain.domain_name
 }
 
-# If the app has `enable_notifications` set to true, create a new email notification
-# AWS Pinpoint app for the service. A new app is created for all environments, including
-# temporary environments.
+# If the app has `enable_notifications` set to true, create IAM policies for SES access.
+# A new policy is created for all environments, including temporary environments.
 module "notifications" {
   count  = local.notifications_config != null ? 1 : 0
   source = "../../modules/notifications/resources"
diff --git a/infra/{{app_name}}/service/outputs.tf b/infra/{{app_name}}/service/outputs.tf
@@ -14,8 +14,8 @@ output "migrator_username" {
   value = module.app_config.has_database ? module.database[0].migrator_username : null
 }
 
-output "pinpoint_app_id" {
-  value = local.notifications_config != null ? module.notifications[0].app_id : null
+output "ses_from_email" {
+  value = local.notifications_config != null ? module.notifications[0].from_email : null
 }
 
 output "service_cluster_name" {
diff --git a/template-only-app/notifications.py b/template-only-app/notifications.py
@@ -2,32 +2,28 @@
 import boto3
 
 def send_email(to: str, subject: str, message: str):
-    pinpoint_client = boto3.client("pinpoint")
-    app_id = os.environ["AWS_PINPOINT_APP_ID"]
+    ses_client = boto3.client("sesv2")
+    from_email = os.environ["AWS_SES_FROM_EMAIL"]
 
-    response = pinpoint_client.send_messages(
-        ApplicationId=app_id,
-        MessageRequest={
-            "Addresses": {
-                to: {
-                    "ChannelType": "EMAIL"
-                }
-            },
-            "MessageConfiguration": {
-                "EmailMessage": {
-                    "SimpleEmail": {
-                        "Subject": {
-                            "Charset": "UTF-8",
-                            "Data": subject
-                        },
-                        "HtmlPart": {
-                            "Charset": "UTF-8",
-                            "Data": message
-                        },
-                        "TextPart": {
-                            "Charset": "UTF-8",
-                            "Data": message
-                        }
+    response = ses_client.send_email(
+        FromEmailAddress=from_email,
+        Destination={
+            "ToAddresses": [to]
+        },
+        Content={
+            "Simple": {
+                "Subject": {
+                    "Data": subject,
+                    "Charset": "UTF-8"
+                },
+                "Body": {
+                    "Html": {
+                        "Data": message,
+                        "Charset": "UTF-8"
+                    },
+                    "Text": {
+                        "Data": message,
+                        "Charset": "UTF-8"
                     }
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ variable "enable_command_execution" {`
`6`	`6`
`7`	`7`	`variable "enable_notifications" {`
`8`	`8`	`type = bool`
`9`		`- description = "Whether the application(s) in this network need AWS Pinpoint access."`
	`9`	`+ description = "Whether the application(s) in this network need email notification access via SES."`
`10`	`10`	`default = false`
`11`	`11`	`}`
`12`	`12`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ locals {`
`17`	`17`	`var.enable_command_execution ? ["ssmmessages"] : [],`
`18`	`18`
`19`	`19`	`# AWS services used by notifications`
`20`		`- var.enable_notifications ? ["pinpoint", "email-smtp"] : [],`
	`20`	`+ var.enable_notifications ? ["email-smtp"] : [],`
`21`	`21`	`)`
`22`	`22`
`23`	`23`	`# S3 and DynamoDB use Gateway VPC endpoints. All other services use Interface VPC endpoints`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ locals {`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`# Verify email sender identity.`
`12`		`-# Docs: https://docs.aws.amazon.com/pinpoint/latest/userguide/channels-email-manage-verify.html`
	`12`	`+# Docs: https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html`
`13`	`13`	`resource "aws_sesv2_email_identity" "sender_domain" {`
`14`	`14`	`email_identity = var.domain_name`
`15`	`15`	`configuration_set_name = aws_sesv2_configuration_set.email.configuration_set_name`