Creating a Yandex Cloud Postbox address and verifying domain ownership with Terraform

In this tutorial, you will use Terraform to create an address in Yandex Cloud Postbox and add resource records to your domain’s DNS zone to verify domain ownership and send emails.

You can add a resource record for domain ownership verification to Yandex Cloud DNS, if you have delegated the domain, or with your domain registrar.

To access Yandex Cloud Postbox, the tutorial uses an API compatible with AWS SESv2, so the AWS provider is used to create and manage Yandex Cloud Postbox resources. To manage all other resources, you will use the Yandex Cloud provider.

1. Get your cloud ready.
2. Delegate your domain to Cloud DNS.
3. Prepare keys for signing emails.
4. Create your infrastructure.
5. Test the service.

If you no longer need the resources you created, delete them.

Get your cloud readyGet your cloud ready

Sign up for Yandex Cloud and create a billing account:

1. Navigate to the management console and log in to Yandex Cloud or create a new account.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resourcesRequired paid resources

The costs to support the infrastructure for creating an address, verifying domain ownership, and sending emails include:

• Fee for sent emails (see Yandex Cloud Postbox pricing).
• Fee for public DNS queries and DNS zones if using Yandex Cloud DNS (see Cloud DNS pricing).

Delegate your domain to Cloud DNSDelegate your domain to Cloud DNS

If you have a registered domain name, you can use Yandex Cloud DNS to manage the domain.

To delegate a domain to Cloud DNS, in your account on your domain registrar's website, specify the DNS server addresses in the domain settings:

• ns1.yandexcloud.net
• ns2.yandexcloud.net

Delegation does not take effect immediately. Internet provider servers normally update records within 24 hours (86,400 seconds). This depends on the TTL value which specifies how long domain records are cached.

You can check domain delegation using Whois or the dig utility:

dig +short NS example.com

Result:

ns2.yandexcloud.net.
ns1.yandexcloud.net.

Prepare keys for signing emailsPrepare keys for signing emails

To sign emails, create an RSA key. Use the key creation script, as the AWS provider expects the key not in PEM format but as a string where line breaks and the first and last lines are removed.

1. Create a generate-key.sh script with the following contents:

   #!/bin/bash
   
   # Generate private key
   openssl genrsa -out raw_privatekey.pem 2048
   
   # Generate public key from the private key
   openssl rsa -in raw_privatekey.pem -pubout -out publickey.pem
   
   # Process private key for AWS (remove headers and line breaks)
   cat raw_privatekey.pem | grep -v "BEGIN" | grep -v "END" | tr -d '\n' > privatekey.pem
   
   # Format public key for DKIM DNS TXT record
   # Remove headers, strip newlines and concatenate for DNS TXT record
   DKIM_DNS_VALUE=$(cat publickey.pem | grep -v "BEGIN" | grep -v "END" | tr -d '\n')
   echo "$DKIM_DNS_VALUE" > dkim_dns_value.txt
   
   echo "Keys generated:"
   echo "- privatekey.pem (AWS-formatted private key)"
   echo "- publickey.pem (Public key)"
   echo "- raw_privatekey.pem (Original private key with headers)"
   echo "- dkim_dns_value.txt (Public key formatted for DKIM DNS TXT record)"
   

2. In the terminal, navigate to the folder with the script and run it:

   ./generate-key.sh
   

The script will create:

• privatekey.pem: Private key in the AWS provider’s format.
• publickey.pem: Public key.
• raw_privatekey.pem: Original private key.
• dkim_dns_value.txt: Value for creating a DKIM record.

Create your infrastructureCreate your infrastructure

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

To create an infrastructure using Terraform:

1. Install Terraform, get the credentials, and specify the source for installing Yandex Cloud (see Configure a provider, step 1).

2. Set up your infrastructure description files:

   1. Clone the repository with configuration files.

      git clone https://github.com/yandex-cloud-examples/yc-postbox-tf.git
      

   2. Navigate to the repository directory. Make sure it contains the following files:

      • postbox-email-identity.tf: New infrastructure configuration
      • postbox-email-identity.auto.tfvars: User data file

   Learn more about the properties of Terraform resources in the relevant Terraform guides:

   • Service account: yandex_iam_service_account
   • Assigning access permissions: yandex_resourcemanager_folder_iam_member.
   • Static access key: yandex_iam_service_account_static_access_key.
   • DNS zone: yandex_dns_zone
   • DNS resource record: yandex_dns_recordset

3. In the postbox-email-identity.auto.tfvars file, set the following user-defined properties:

   • folder_id: Folder ID.
   • domain_signing_selector: Selector for domain signing, e.g., _postbox.
   • domain: Domain for sending emails, e.g., mail.example.com.
   • dns_zone_name: Name of an existing DNS zone to which the record will be added.

4. Create the resources:

   1. In the terminal, go to the directory where you edited the configuration file.

   2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      

   3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

   4. Apply the changes:

      terraform apply
      

   5. Type yes and press Enter to confirm the changes.

output "dkim_record" {
  value = {
    value = "v=DKIM1;h=sha256;k=rsa;p=${trim(local.public_key, "\n")}"
    name  = "${var.domain_signing_selector}._domainkey.${var.domain}"
    type  = "TXT"
    ttl   = 3600
  }
}

After creating the infrastructure, test the service.

Test the serviceTest the service

Make sure the address was successfully created and send a test email:

1. In the management console, select the folder where you created the address.
2. Select Cloud Postbox.
3. Select the address you created and make sure the test status on the address page has changed to Success.
4. Send a test email.

How to delete the resources you createdHow to delete the resources you created

To stop paying for the resources you created:

1. Open the postbox-email-identity.tf file and delete your infrastructure description from it.

2. Apply the changes:

   1. In the terminal, go to the directory where you edited the configuration file.

   2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      

   3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

   4. Apply the changes:

      terraform apply
      

   5. Type yes and press Enter to confirm the changes.