# Registers var.domain_name as an SES domain identity.
# NOTE(review): no DNS records (the identity's verification_token TXT record or
# the DKIM CNAMEs) are created in this listing; confirm they are published
# elsewhere, otherwise the identity stays unverified and cannot send.
resource "aws_ses_domain_identity" "this" {
  domain = var.domain_name
}

# DKIM signing
# Generates the DKIM tokens for the domain identity above. The tokens only take
# effect once the matching CNAME records exist in the domain's DNS zone.
resource "aws_ses_domain_dkim" "this" {
  domain = aws_ses_domain_identity.this.domain
}

# IAM user for SES SMTP
# One user per stage; its only credential is the long-lived access key below.
resource "aws_iam_user" "ses_user" {
  name = "${var.stage}-ses-user"
}

# Inline policy: the user may call ses:SendEmail and ses:SendRawEmail only.
resource "aws_iam_user_policy" "ses_send_policy" {
  name = "AllowSESSendEmail"
  user = aws_iam_user.ses_user.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ses:SendEmail",
          "ses:SendRawEmail"
        ]
        # NOTE(review): "*" lets these credentials send as any verified
        # identity in the account, not just var.domain_name. Consider scoping
        # to aws_ses_domain_identity.this.arn and/or adding an ses:FromAddress
        # condition. Test first: sandbox accounts and configuration sets can
        # require further resources in the statement.
        Resource = "*"
      }
    ]
  })
}

# Static access key for the SES user.
# The secret key and the derived SMTP password are written to Terraform state
# in plaintext, so the state backend must be encrypted and access-restricted.
# NOTE(review): no rotation is defined in this listing; replacing the key means
# recreating this resource (e.g. taint/replace) on a schedule you own.
resource "aws_iam_access_key" "ses_user" {
  user = aws_iam_user.ses_user.name
}

# Store SMTP credentials in AWS Secrets Manager
# No kms_key_id is set, so the secret is encrypted with the account's default
# Secrets Manager key. No resource policy is attached here, so read access is
# governed only by the IAM policies of whoever can call GetSecretValue.
resource "aws_secretsmanager_secret" "ses_smtp" {
  name        = "${var.stage}/ses/smtp_credentials"
  description = "SMTP credentials for SES (${var.stage})"
}

# Secret payload: JSON object with the SMTP username (the access key ID) and
# the SMTP password derived from the secret key.
resource "aws_secretsmanager_secret_version" "ses_smtp" {
  secret_id = aws_secretsmanager_secret.ses_smtp.id
  secret_string = jsonencode({
    username = aws_iam_access_key.ses_user.id
    # ses_smtp_password_v4 is SigV4-derived and therefore region-specific: it is
    # valid only for the SES SMTP endpoint in the provider's region.
    password = aws_iam_access_key.ses_user.ses_smtp_password_v4
  })
}