feat: add ses tenant support for teams (#193)

apps/web/package.json

@@ -19,8 +19,9 @@
   "dependencies": {
     "@auth/prisma-adapter": "^2.9.0",
     "@aws-sdk/client-s3": "^3.797.0",
-    "@aws-sdk/client-sesv2": "^3.797.0",
+    "@aws-sdk/client-sesv2": "^3.858.0",
     "@aws-sdk/client-sns": "^3.797.0",
+    "@aws-sdk/client-sts": "^3.864.0",
     "@aws-sdk/s3-request-presigner": "^3.797.0",
     "@hono/swagger-ui": "^0.5.1",
     "@hono/zod-openapi": "^0.10.0",

apps/web/prisma/migrations/20250808231408_add_ses_tenant_id/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Team" ADD COLUMN     "sesTenantId" TEXT;

apps/web/prisma/migrations/20250809070118_add_ses_tenant_id_to_domain/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Domain" ADD COLUMN     "sesTenantId" TEXT;

apps/web/prisma/schema.prisma

@@ -106,6 +106,7 @@ model Team {
   isActive         Boolean           @default(true)
   apiRateLimit     Int               @default(2)
   billingEmail     String?
+  sesTenantId      String?
   teamUsers        TeamUser[]
   domains          Domain[]
   apiKeys          ApiKey[]
@@ -184,6 +185,7 @@ model Domain {
   dmarcAdded    Boolean      @default(false)
   errorMessage  String?
   subdomain     String?
+  sesTenantId   String?
   isVerifying   Boolean      @default(false)
   createdAt     DateTime     @default(now())
   updatedAt     DateTime     @updatedAt

apps/web/src/server/api/routers/domain.ts

@@ -25,7 +25,12 @@ export const domainRouter = createTRPCRouter({
   createDomain: teamProcedure
     .input(z.object({ name: z.string(), region: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      return createDomain(ctx.team.id, input.name, input.region);
+      return createDomain(
+        ctx.team.id,
+        input.name,
+        input.region,
+        ctx.team.sesTenantId ?? undefined
+      );
     }),
 
   startVerification: domainProcedure.mutation(async ({ ctx, input }) => {

apps/web/src/server/aws/ses.ts

@@ -9,16 +9,38 @@ import {
   CreateConfigurationSetCommand,
   EventType,
   GetAccountCommand,
+  CreateTenantResourceAssociationCommand,
+  DeleteTenantResourceAssociationCommand,
 } from "@aws-sdk/client-sesv2";
+import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 import { generateKeyPairSync } from "crypto";
-import mime from "mime-types";
 import nodemailer from "nodemailer";
-import { Readable } from "stream";
 import { env } from "~/env";
 import { EmailContent } from "~/types";
 import { nanoid } from "../nanoid";
 import { logger } from "../logger/log";
 
+let accountId: string | undefined = undefined;
+
+async function getAccountId(region: string) {
+  if (accountId) {
+    return accountId;
+  }
+
+  const stsClient = new STSClient({
+    region: region,
+  });
+  const command = new GetCallerIdentityCommand({});
+  const response = await stsClient.send(command);
+  accountId = response.Account;
+  return accountId;
+}
+
+async function getIdentityArn(domain: string, region: string) {
+  const accountId = await getAccountId(region);
+  return `arn:aws:ses:${region}:${accountId}:identity/${domain}`;
+}
+
 function getSesClient(region: string) {
   return new SESv2Client({
     region: region,
@@ -56,7 +78,11 @@ function generateKeyPair() {
   return { privateKey: base64PrivateKey, publicKey: base64PublicKey };
 }
 
-export async function addDomain(domain: string, region: string) {
+export async function addDomain(
+  domain: string,
+  region: string,
+  sesTenantId?: string
+) {
   const sesClient = getSesClient(region);
 
   const { privateKey, publicKey } = generateKeyPair();
@@ -76,6 +102,26 @@ export async function addDomain(domain: string, region: string) {
 
   const emailIdentityResponse = await sesClient.send(emailIdentityCommand);
 
+  if (sesTenantId) {
+    const tenantResourceAssociationCommand =
+      new CreateTenantResourceAssociationCommand({
+        TenantName: sesTenantId,
+        ResourceArn: await getIdentityArn(domain, region),
+      });
+
+    const tenantResourceAssociationResponse = await sesClient.send(
+      tenantResourceAssociationCommand
+    );
+
+    if (tenantResourceAssociationResponse.$metadata.httpStatusCode !== 200) {
+      logger.error(
+        { tenantResourceAssociationResponse },
+        "Failed to associate domain with tenant"
+      );
+      throw new Error("Failed to associate domain with tenant");
+    }
+  }
+
   if (
     response.$metadata.httpStatusCode !== 200 ||
     emailIdentityResponse.$metadata.httpStatusCode !== 200
@@ -90,8 +136,33 @@ export async function addDomain(domain: string, region: string) {
   return publicKey;
 }
 
-export async function deleteDomain(domain: string, region: string) {
+export async function deleteDomain(
+  domain: string,
+  region: string,
+  sesTenantId?: string
+) {
   const sesClient = getSesClient(region);
+
+  if (sesTenantId) {
+    const tenantResourceAssociationCommand =
+      new DeleteTenantResourceAssociationCommand({
+        TenantName: sesTenantId,
+        ResourceArn: await getIdentityArn(domain, region),
+      });
+
+    const tenantResourceAssociationResponse = await sesClient.send(
+      tenantResourceAssociationCommand
+    );
+
+    if (tenantResourceAssociationResponse.$metadata.httpStatusCode !== 200) {
+      logger.error(
+        { tenantResourceAssociationResponse },
+        "Failed to delete tenant resource association"
+      );
+      throw new Error("Failed to delete tenant resource association");
+    }
+  }
+
   const command = new DeleteEmailIdentityCommand({
     EmailIdentity: domain,
   });
@@ -124,6 +195,7 @@ export async function sendRawEmail({
   isBulk,
   inReplyToMessageId,
   emailId,
+  sesTenantId,
 }: Partial<EmailContent> & {
   region: string;
   configurationSetName: string;
@@ -187,6 +259,7 @@ export async function sendRawEmail({
       },
     },
     ConfigurationSetName: configurationSetName,
+    TenantName: sesTenantId ? sesTenantId : undefined,
   });
 
   try {

apps/web/src/server/public-api/api/domains/create-domain.ts

@@ -36,7 +36,12 @@ function createDomain(app: PublicAPIApp) {
   app.openapi(route, async (c) => {
     const team = c.var.team;
     const body = c.req.valid("json");
-    const response = await createDomainService(team.id, body.name, body.region);
+    const response = await createDomainService(
+      team.id,
+      body.name,
+      body.region,
+      team.sesTenantId ?? undefined
+    );
 
     return c.json(response);
   });

apps/web/src/server/service/domain-service.ts

@@ -57,7 +57,8 @@ export async function validateDomainFromEmail(email: string, teamId: number) {
 export async function createDomain(
   teamId: number,
   name: string,
-  region: string
+  region: string,
+  sesTenantId?: string
 ) {
   const domainStr = tldts.getDomain(name);
 
@@ -74,7 +75,7 @@ export async function createDomain(
   }
 
   const subdomain = tldts.getSubdomain(name);
-  const publicKey = await ses.addDomain(name, region);
+  const publicKey = await ses.addDomain(name, region, sesTenantId);
 
   const domain = await db.domain.create({
     data: {
@@ -83,6 +84,7 @@ export async function createDomain(
       teamId,
       subdomain,
       region,
+      sesTenantId,
     },
   });
 
@@ -165,7 +167,11 @@ export async function deleteDomain(id: number) {
     throw new Error("Domain not found");
   }
 
-  const deleted = await ses.deleteDomain(domain.name, domain.region);
+  const deleted = await ses.deleteDomain(
+    domain.name,
+    domain.region,
+    domain.sesTenantId ?? undefined
+  );
 
   if (!deleted) {
     throw new Error("Error in deleting domain");

apps/web/src/server/service/email-queue-service.ts

@@ -382,6 +382,7 @@ async function executeEmail(job: QueueEmailJob) {
       isBulk,
       inReplyToMessageId,
       emailId: email.id,
+      sesTenantId: domain?.sesTenantId,
     });
 
     logger.info(

apps/web/src/types/index.ts

@@ -13,6 +13,7 @@ export type EmailContent = {
   unsubUrl?: string;
   scheduledAt?: string;
   inReplyToId?: string | null;
+  sesTenantId?: string | null;
 };
 
 export type EmailAttachment = {