From 4edb434c7d8083e6ec73924ba8e28653be113a3b Mon Sep 17 00:00:00 2001 From: Abraham Chavez Date: Thu, 31 Aug 2023 22:22:08 -0700 Subject: [PATCH] [u] Document moving the SES service out of sandbox once per shared deployment --- README.md | 33 +++++++++++++++++++++++++++++++++ UPGRADING.rst | 4 ++++ 2 files changed, 37 insertions(+) diff --git a/README.md b/README.md index e9e5b854a1..9d077f71ee 100644 --- a/README.md +++ b/README.md 
@@ -641,6 +641,39 @@ These steps are performed once per deployment (multiple times per project). 9. `_refresh` +### 3.2.3 Transition Amazon SES resource out of sandbox + +Perform these steps once the cloud insfrastructure has been provisioned for the +shared deployment, section #3.3. Before continuing, make sure that the SES +identity provisioned by Terraform is the deployment's indexer domain, and that +it's listed as verified, in the Verified identities tab, to view from the AWS +SES console. + +Run the following AWS CLI command to request for the AWS SES Identity to be +removed from sandbox, this is done in order to avoid having to confirm a +subscription to a recepient soly used for the purpose of monitoring, run:: + + aws sesv2 put-account-details \ + --production-access-enabled \ + --mail-type TRANSACTIONAL \ + --website-url $(echo "from azul import config; print(config.indexer_endpoint.host)" | python) \ + --use-case-description "We would like to use SES to replace our current \ + notification infrastructure, which is based on an \ + SNS topic with one Google group email subscribed. \ + We would only ever send emails to one specific \ + email address. Will not send unsolicited email, \ + or emails to any other recipient for that matter. \ + The reason we want to switch to SES is so that we \ + do not have to confirm the subscription of the \ + recipient to the SNS topic, because that \ + confirmation requires manual intervention which \ + prevents us from fully automating our \ + infrastructure deployment. Instead we would like \ + to have a Lambda function invoked by the SNS \ + topic, and have that lambda function send the \ + email to the single recipient via SES." \ + --contact-language EN + ## 3.3 Provisioning cloud infrastructure Once you've configured the project and your personal deployment or a shared diff --git a/UPGRADING.rst b/UPGRADING.rst index 83b66b3c6f..e65bf319ff 100644 --- a/UPGRADING.rst +++ b/UPGRADING.rst 
@@ -29,6 +29,10 @@ Manually deploy the ``shared`` & ``gitlab`` components (in that order) of any main deployment just before pushing the merge commit to the GitLab instance in that deployment. +After the merge commit builds on GitLab, follow the instructions in the +README.md, for section 3.2.3 titled `Transition Amazon SES resource out of sandbox`. +This needs to be done for all main deplouments, except the ``dev`` account. + DataBiosphere/azul-private#95 Resolve vulnerabilities in AMI for GitLab =======================================================================
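Review bot: In the README.md hunk, the argument `--website-url $(echo "from azul import config; print(config.indexer_endpoint.host)" | python)` is an unquoted command substitution that prints only the endpoint's host, so the option receives a bare hostname rather than a URL and gets no value at all if the Python snippet fails or prints nothing. Quote the substitution and pass a full URL including the scheme. The `--use-case-description` string uses backslash-newline continuations inside double quotes, so any indentation on the continuation lines becomes part of the text submitted to AWS; a single-line string or a heredoc avoids that. The prose says the "AWS SES Identity" is removed from the sandbox, but the command is `put-account-details` with `--production-access-enabled`, which requests production access for the account; the wording should say so, and it would help to state which AWS account and region the operator must be configured for before running it. The new section 3.2.3 tells the reader to act after section 3.3 yet is placed before it, which invites running the command before the identity exists. Smaller points: "insfrastructure", "recepient" and "soly" are misspelled, the sentence opens with "Run" and ends with "run::", and the trailing `::` is reStructuredText literal-block syntax that will render literally in a Markdown file.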
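Review bot: In the UPGRADING.rst hunk, "all main deplouments, except the ``dev`` account" mixes deployments with accounts, so it is unclear which deployments are exempt from the SES step. Name the exempt deployments explicitly or phrase it as main deployments outside the ``dev`` account, and reconcile it with the README text and commit subject, which describe the step as being done for the shared deployment. "deplouments" is misspelled. The section title is wrapped in single backticks, which reStructuredText treats as interpreted text rather than a literal; the same entry uses double backticks for ``shared`` and ``gitlab``, so follow that convention. The hard-coded "3.2.3" will go stale if the README is renumbered; referring to the section by title alone is more durable.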