Option to wait for Email Identity verification #15
Comments
@rpaterson thanks for the thoughtful analysis. Being able to wait for SES verification would be helpful not only for email identities, but also for domain identities. (Route53 domain verifications are usually instantaneous, but it can take longer if you're using an outside DNS provider.)

I don't think there's any way to get notified when identity verification completes, so I guess we'd have to poll SES's GetIdentityVerificationAttributes until it comes back with VerificationStatus either Success or Failed.

I'm a little uncomfortable adding polling to the existing Lambda custom resource handlers. I'd like to keep them with the minimum possible permissions and with a short maximum execution time (they currently use the Lambda default 3 seconds max).

What would you think about instead adding a new CF resource

```yaml
Resources:
  MySESSender:
    Type: Custom::SES_EmailIdentity
    Properties:
      EmailAddress: "[email protected]"
  MySESSender_Verified:
    Type: Custom::SES_VerifiedIdentity
    Properties:
      Identity: !Ref MySESSender
      # This resource won't provision until MySESSender is verified or fails.
      # Identity can be a ref to a Custom::SES_Domain or Custom::SES_EmailIdentity.
      # Other properties could adjust timeout, polling interval.
  MyCognitoUserPool:
    Type: AWS::Cognito::UserPool
    DependsOn: MySESSender_Verified
    Properties:
      EmailConfiguration:
        From: !GetAtt MySESSender.EmailAddress
```

If

Edit: ha ha nevermind I see now you suggested the same thing! Yes I think that would work well.

The new resource probably needs a better name. Maybe
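The polling loop proposed in the comment above, sketched as an added example that is not part of the original thread or the project's code. The function name, its `timeout`/`interval` parameters, the "TimedOut" result, the choice to treat an unknown identity as failed, and the `FakeSES` stub with its sample address are all assumptions; only the SES `GetIdentityVerificationAttributes` call and its `VerificationStatus` values come from the discussion.

```python
import time

TERMINAL = {"Success", "Failed"}  # statuses the thread proposes to stop on


def wait_for_verification(ses, identity, timeout=600.0, interval=15.0,
                          clock=time.monotonic, sleep=time.sleep):
    """Poll SES until `identity` is verified, fails, or `timeout` elapses.

    `ses` is any object exposing boto3's SES client method
    get_identity_verification_attributes; the poller needs no other
    permission than ses:GetIdentityVerificationAttributes.
    Returns "Success", "Failed" or (assumed label) "TimedOut".
    """
    deadline = clock() + timeout
    while True:
        resp = ses.get_identity_verification_attributes(Identities=[identity])
        attrs = resp["VerificationAttributes"].get(identity, {})
        # Assumption: an identity SES does not list is reported as failed
        status = attrs.get("VerificationStatus", "Failed")
        if status in TERMINAL:
            return status
        if clock() + interval > deadline:
            return "TimedOut"  # bounded wait: never poll past the deadline
        sleep(interval)


class FakeSES:
    """Constructed stand-in for the boto3 client; replays canned statuses."""

    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.calls = 0

    def get_identity_verification_attributes(self, Identities):
        self.calls += 1
        more = len(self.statuses) > 1
        status = self.statuses.pop(0) if more else self.statuses[0]
        return {"VerificationAttributes":
                {Identities[0]: {"VerificationStatus": status}}}


def demo():
    """Run the poller over constructed responses with a simulated clock."""
    now = [0.0]
    ses = FakeSES(["Pending", "Pending", "Success"])
    status = wait_for_verification(
        ses, "sender@example.com", timeout=60, interval=15,
        clock=lambda: now[0], sleep=lambda s: now.__setitem__(0, now[0] + s))
    return status, ses.calls
```
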
Problem

I'm trying to add an SES Email Identity and configure AWS Cognito to use it in the same CloudFormation stack. This fails because after aws-cfn-ses-domain creates the Email Identity it is in Verification Status = 'pending' state. SES sends the verification email but then CloudFormation immediately tries to use the new Email Identity with Cognito without waiting for it to be verified. Before I have a chance to check my inbox and click the link in the verification email, the CloudFormation stack has already failed with an error from Cognito:

(Ignore the "sandbox" part, the account is not actually in the SES sandbox. The problem is the Email Identity has not been verified.)

Solution

Add an option to wait for the Email Identity to be verified.

Compatibility

If the new option is false by default (don't wait) then existing users should be unaffected.

Additional info

In theory it should be possible to implement this waiting behaviour manually using AWS::CloudFormation::WaitCondition, but that's awkward at best and it would be really nice if aws-cfn-ses-domain could handle it automatically.

System