# SESv2 sending setup: one shared configuration set plus one verified email
# identity per address in var.emails.

data "aws_caller_identity" "this" {}

data "aws_region" "this" {}

# Shared configuration set applied to every identity below.
resource "aws_sesv2_configuration_set" "this" {
  configuration_set_name = "default-sesv2-configuration-set"

  delivery_options {
    # With var.require_tls unset, delivery falls back to opportunistic TLS
    # ("OPTIONAL"), so mail to a receiver without STARTTLS goes in the clear.
    tls_policy = var.require_tls ? "REQUIRE" : "OPTIONAL"
  }

  reputation_options {
    reputation_metrics_enabled = var.reputation_metrics_enabled
  }

  sending_options {
    # Sending is always on for this set; there is no variable to pause it.
    sending_enabled = true
  }
}

# One identity per address; the address doubles as the for_each key so that
# state addresses stay stable when the list is reordered.
resource "aws_sesv2_email_identity" "this" {
  for_each = { for address in var.emails : address => address }

  email_identity         = each.value
  configuration_set_name = aws_sesv2_configuration_set.this.configuration_set_name
}

# Identity policy (disabled). The same document is accepted by the console but
# was rejected when applied from here. NOTE(review): the empty `"Condition" : {}`
# map is the one element the console form would not emit — worth trying the
# policy without it before anything else; unconfirmed.
#resource "aws_sesv2_email_identity_policy" "this" {
#  for_each = aws_sesv2_email_identity.this
#
#  email_identity = each.value.arn
#  policy_name    = "default-policy"
#
#  # policy = data.aws_iam_policy_document.ses-policy[each.key].json
#  policy = jsonencode({
#    "Version" : "2012-10-17",
#    "Statement" : [
#      {
#        "Sid" : "default",
#        "Effect" : "Allow",
#        "Principal" : {
#          "AWS" : "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
#        },
#        "Action" : [
#          "ses:SendEmail",
#          "ses:SendRawEmail"
#        ],
#        "Resource" : each.value.arn,
#        "Condition" : {}
#      }
#    ]
#  })
#}

# Alternative rendering of the same grant via a policy document data source.
# It names the bare account ID as the AWS principal, which IAM treats as the
# account root — equivalent to the ARN form above.
#data "aws_iam_policy_document" "ses-policy" {
#  for_each = aws_sesv2_email_identity.this
#
#  statement {
#    sid       = "default"
#    actions   = ["SES:SendEmail", "SES:SendRawEmail"]
#    resources = [each.value.arn]
#
#    principals {
#      identifiers = [data.aws_caller_identity.this.account_id]
#      type        = "AWS"
#    }
#  }
#}