Fix: Allow SendEmail using configuration set #3080

Merged

@TylerHendrickson TylerHendrickson commented May 23, 2024

Ticket #2880

Relates to #3035 (same bug, different fix) and #3011 (reintroduced the bug)

Description

This PR fixes an error which is currently preventing emails from sending in Staging:

AccessDenied: User arn:aws:sts::357150818708:assumed-role/gost-staging-api-ECSTask-2023021701041477300000000a/969ff5cbe4c14e75a8427065217e836e' is not authorized to perform ses:SendEmail' on resource `arn:aws:ses:us-west-2:357150818708:configuration-set/gost-staging-default'

After merging #3011, an SES configuration set is specified when sending emails. However, the ECS task responsible for sending the email does not have permission to send emails using a configuration set. This PR amends the send-email IAM policy document for the ECS task's execution role with a grant for the missing permission.

Screenshots / Demo Video

Testing

Output from terraform plan for this PR shows the configuration set resource ARN, arn:aws:ses:us-west-2:357150818708:configuration-set/gost-staging-default, in the IAM policy:

  # module.api.aws_iam_role_policy.task["send-emails"] will be updated in-place
  ~ resource "aws_iam_role_policy" "task" {
        id     = "gost-staging-api-ECSTask-2023021701041477300000000a:send-emails"
        name   = "send-emails"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          ~ StringLike = {
                              ~ "ses:FromAddress" = "[email protected]" -> [
                                  + "[email protected]",
                                ]
                            }
                        }
                      ~ Resource  = "arn:aws:ses:us-west-2:357150818708:identity/staging.grants.usdr.dev" -> [
                          + "arn:aws:ses:us-west-2:357150818708:identity/staging.grants.usdr.dev",
                          + "arn:aws:ses:us-west-2:357150818708:configuration-set/gost-staging-default",
                        ]
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }
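
A pre-deploy check for the gap described above, as an added example (not code from this PR or its repository): it reports which SES resource ARNs a policy's Allow statements fail to cover for `ses:SendEmail`. The function names and the `BEFORE`/`AFTER` policies are constructed for illustration from the ARNs quoted in the PR, and the Action value is assumed; Deny statements and Condition blocks are not evaluated.

```python
import fnmatch

# ARNs as quoted in the PR description and plan output.
IDENTITY = "arn:aws:ses:us-west-2:357150818708:identity/staging.grants.usdr.dev"
CONFIG_SET = "arn:aws:ses:us-west-2:357150818708:configuration-set/gost-staging-default"

# Constructed policies: the statement shape before and after the fix.
# The Action value is an assumption; the plan hides the unchanged elements.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendEmail", "Resource": IDENTITY}]}
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendEmail",
     "Resource": [IDENTITY, CONFIG_SET]}]}


def _as_list(value):
    """IAM accepts either a bare string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _allows(statement, action, resource):
    """True if a single Allow statement matches both the action and the ARN.

    IAM '*' and '?' wildcards are honoured via fnmatch; action names are
    compared case-insensitively, ARNs case-sensitively.
    """
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(statement.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource, pattern)
                      for pattern in _as_list(statement.get("Resource")))
    return action_ok and resource_ok


def missing_send_email_resources(policy, required_arns, action="ses:SendEmail"):
    """Return the ARNs in required_arns that no Allow statement covers."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [arn for arn in required_arns
            if not any(_allows(s, action, arn) for s in statements)]


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_send_email_resources(policy, [IDENTITY, CONFIG_SET])
        print(name, "missing:", gaps or "none")
```

Run against the rendered policy JSON for each task role that sends mail; a non-empty result for the configuration-set ARN corresponds to the `AccessDenied` error quoted in the description.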

@TylerHendrickson TylerHendrickson self-assigned this May 23, 2024
@github-actions github-actions bot added bug Something isn't working Infra Issues related to the infrastructure underlying all the tools. terraform Pull requests that update Terraform code labels May 23, 2024

github-actions bot commented May 23, 2024

QA Summary

QA Check Result
🌐 Client Tests
🔗 Server Tests
🤝 E2E Tests
📏 ESLint
🧹 TFLint


github-actions bot commented May 23, 2024

Terraform Summary

Step Result
🖌 Terraform Format & Style
⚙️ Terraform Initialization
🤖 Terraform Validation
📖 Terraform Plan

Hint: If "Terraform Format & Style" failed, run terraform fmt -recursive from the terraform/ directory and commit the results.

Output

Validation Output
Success! The configuration is valid.


Plan Summary

CHANGE    RESOURCE
update    module.api.aws_ecs_service.default[0]
          module.api.aws_iam_role_policy.task["send-emails"]
          module.api.module.grant_digest_scheduled_task.aws_iam_role_policy.default[0]
          module.api.module.grant_digest_scheduled_task.aws_scheduler_schedule.default[0]
          module.arpa_audit_report.aws_ecs_service.default
          module.arpa_audit_report.aws_iam_role_policy.task["send-emails"]
          module.arpa_treasury_report.aws_ecs_service.default
          module.arpa_treasury_report.aws_iam_role_policy.task["send-emails"]
          module.consume_grants.aws_ecs_service.default
          module.website.aws_s3_object.deploy-config[0]
          module.website.aws_s3_object.origin_dist_artifact["js/chunk-vendors.3aabd919.js.map"]
recreate  module.api.aws_ecs_task_definition.default[0]
          module.arpa_audit_report.aws_ecs_task_definition.consumer
          module.arpa_treasury_report.aws_ecs_task_definition.consumer
          module.consume_grants.aws_ecs_task_definition.consume_grants

Pusher: @TylerHendrickson, Action: pull_request_target, Workflow: Continuous Integration

@TylerHendrickson TylerHendrickson marked this pull request as ready for review May 23, 2024 00:47
@TylerHendrickson TylerHendrickson requested a review from a team May 23, 2024 00:47
@TylerHendrickson TylerHendrickson enabled auto-merge (squash) May 23, 2024 00:48
@TylerHendrickson TylerHendrickson merged commit 4020206 into main May 23, 2024
19 checks passed
@TylerHendrickson TylerHendrickson deleted the fix/ses-configuration-set-SendEmail-permissions branch May 23, 2024 01:10
Successfully merging this pull request may close these issues.

Grant Digest Email Metrics: Send emails via SES using a configuration set