Add SES resource (#5387)

* Add SES resource

* Detect ReceiptRule deletion outside of Terraform

* Handle order of rule actions

* Add position field to docs

* Fix hashes, add log messages, and other small cleanup

* Fix rebase issue

* Fix formatting

builtin/providers/aws/config.go

@@ -50,6 +50,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/redshift"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/aws/aws-sdk-go/service/s3"
+	"github.com/aws/aws-sdk-go/service/ses"
 	"github.com/aws/aws-sdk-go/service/sns"
 	"github.com/aws/aws-sdk-go/service/sqs"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -94,6 +95,7 @@ type AWSClient struct {
 	apigateway            *apigateway.APIGateway
 	autoscalingconn       *autoscaling.AutoScaling
 	s3conn                *s3.S3
+	sesConn               *ses.SES
 	sqsconn               *sqs.SQS
 	snsconn               *sns.SNS
 	stsconn               *sts.STS
@@ -214,6 +216,9 @@ func (c *Config) Client() (interface{}, error) {
 		log.Println("[INFO] Initializing S3 connection")
 		client.s3conn = s3.New(sess)
 
+		log.Println("[INFO] Initializing SES connection")
+		client.sesConn = ses.New(sess)
+
 		log.Println("[INFO] Initializing SQS connection")
 		client.sqsconn = sqs.New(sess)
 

builtin/providers/aws/provider.go

@@ -251,6 +251,10 @@ func Provider() terraform.ResourceProvider {
 			"aws_route":                                    resourceAwsRoute(),
 			"aws_route_table":                              resourceAwsRouteTable(),
 			"aws_route_table_association":                  resourceAwsRouteTableAssociation(),
+			"aws_ses_active_receipt_rule_set":              resourceAwsSesActiveReceiptRuleSet(),
+			"aws_ses_receipt_filter":                       resourceAwsSesReceiptFilter(),
+			"aws_ses_receipt_rule":                         resourceAwsSesReceiptRule(),
+			"aws_ses_receipt_rule_set":                     resourceAwsSesReceiptRuleSet(),
 			"aws_s3_bucket":                                resourceAwsS3Bucket(),
 			"aws_s3_bucket_object":                         resourceAwsS3BucketObject(),
 			"aws_s3_bucket_notification":                   resourceAwsS3BucketNotification(),

builtin/providers/aws/resource_aws_ses_active_receipt_rule_set.go

@@ -0,0 +1,80 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsSesActiveReceiptRuleSet() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsSesActiveReceiptRuleSetUpdate,
+		Update: resourceAwsSesActiveReceiptRuleSetUpdate,
+		Read:   resourceAwsSesActiveReceiptRuleSetRead,
+		Delete: resourceAwsSesActiveReceiptRuleSetDelete,
+
+		Schema: map[string]*schema.Schema{
+			"rule_set_name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceAwsSesActiveReceiptRuleSetUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	ruleSetName := d.Get("rule_set_name").(string)
+
+	createOpts := &ses.SetActiveReceiptRuleSetInput{
+		RuleSetName: aws.String(ruleSetName),
+	}
+
+	_, err := conn.SetActiveReceiptRuleSet(createOpts)
+	if err != nil {
+		return fmt.Errorf("Error setting active SES rule set: %s", err)
+	}
+
+	d.SetId(ruleSetName)
+
+	return resourceAwsSesActiveReceiptRuleSetRead(d, meta)
+}
+
+func resourceAwsSesActiveReceiptRuleSetRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	describeOpts := &ses.DescribeActiveReceiptRuleSetInput{}
+
+	response, err := conn.DescribeActiveReceiptRuleSet(describeOpts)
+	if err != nil {
+		return err
+	}
+
+	if response.Metadata != nil {
+		d.Set("rule_set_name", response.Metadata.Name)
+	} else {
+		log.Print("[WARN] No active Receipt Rule Set found")
+		d.SetId("")
+	}
+
+	return nil
+}
+
+func resourceAwsSesActiveReceiptRuleSetDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	deleteOpts := &ses.SetActiveReceiptRuleSetInput{
+		RuleSetName: nil,
+	}
+
+	_, err := conn.SetActiveReceiptRuleSet(deleteOpts)
+	if err != nil {
+		return fmt.Errorf("Error deleting active SES rule set: %s", err)
+	}
+
+	return nil
+}

builtin/providers/aws/resource_aws_ses_active_receipt_rule_set_test.go

@@ -0,0 +1,87 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSSESActiveReceiptRuleSet_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSESActiveReceiptRuleSetDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSSESActiveReceiptRuleSetConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsSESActiveReceiptRuleSetExists("aws_ses_active_receipt_rule_set.test"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckSESActiveReceiptRuleSetDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_ses_active_receipt_rule_set" {
+			continue
+		}
+
+		response, err := conn.DescribeActiveReceiptRuleSet(&ses.DescribeActiveReceiptRuleSetInput{})
+		if err != nil {
+			return err
+		}
+
+		if response.Metadata != nil && *response.Metadata.Name == "test-receipt-rule" {
+			return fmt.Errorf("Active receipt rule set still exists")
+		}
+
+	}
+
+	return nil
+
+}
+
+func testAccCheckAwsSESActiveReceiptRuleSetExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("SES Active Receipt Rule Set not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("SES Active Receipt Rule Set name not set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+		response, err := conn.DescribeActiveReceiptRuleSet(&ses.DescribeActiveReceiptRuleSetInput{})
+		if err != nil {
+			return err
+		}
+
+		if *response.Metadata.Name != "test-receipt-rule" {
+			return fmt.Errorf("The active receipt rule set (%s) was not set to test-receipt-rule", *response.Metadata.Name)
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSSESActiveReceiptRuleSetConfig = `
+resource "aws_ses_receipt_rule_set" "test" {
+    rule_set_name = "test-receipt-rule"
+}
+
+resource "aws_ses_active_receipt_rule_set" "test" {
+    rule_set_name = "${aws_ses_receipt_rule_set.test.rule_set_name}"
+}
+`

builtin/providers/aws/resource_aws_ses_receipt_filter.go

@@ -0,0 +1,105 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsSesReceiptFilter() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsSesReceiptFilterCreate,
+		Read:   resourceAwsSesReceiptFilterRead,
+		Delete: resourceAwsSesReceiptFilterDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"cidr": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"policy": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsSesReceiptFilterCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	name := d.Get("name").(string)
+
+	createOpts := &ses.CreateReceiptFilterInput{
+		Filter: &ses.ReceiptFilter{
+			Name: aws.String(name),
+			IpFilter: &ses.ReceiptIpFilter{
+				Cidr:   aws.String(d.Get("cidr").(string)),
+				Policy: aws.String(d.Get("policy").(string)),
+			},
+		},
+	}
+
+	_, err := conn.CreateReceiptFilter(createOpts)
+	if err != nil {
+		return fmt.Errorf("Error creating SES receipt filter: %s", err)
+	}
+
+	d.SetId(name)
+
+	return resourceAwsSesReceiptFilterRead(d, meta)
+}
+
+func resourceAwsSesReceiptFilterRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	listOpts := &ses.ListReceiptFiltersInput{}
+
+	response, err := conn.ListReceiptFilters(listOpts)
+	if err != nil {
+		return err
+	}
+
+	found := false
+	for _, element := range response.Filters {
+		if *element.Name == d.Id() {
+			d.Set("cidr", element.IpFilter.Cidr)
+			d.Set("policy", element.IpFilter.Policy)
+			found = true
+		}
+	}
+
+	if !found {
+		log.Printf("[WARN] SES Receipt Filter (%s) not found", d.Id())
+		d.SetId("")
+	}
+
+	return nil
+}
+
+func resourceAwsSesReceiptFilterDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	deleteOpts := &ses.DeleteReceiptFilterInput{
+		FilterName: aws.String(d.Id()),
+	}
+
+	_, err := conn.DeleteReceiptFilter(deleteOpts)
+	if err != nil {
+		return fmt.Errorf("Error deleting SES receipt filter: %s", err)
+	}
+
+	return nil
+}

builtin/providers/aws/resource_aws_ses_receipt_filter_test.go

@@ -0,0 +1,99 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSSESReceiptFilter_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSESReceiptFilterDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSSESReceiptFilterConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsSESReceiptFilterExists("aws_ses_receipt_filter.test"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckSESReceiptFilterDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_ses_receipt_filter" {
+			continue
+		}
+
+		response, err := conn.ListReceiptFilters(&ses.ListReceiptFiltersInput{})
+		if err != nil {
+			return err
+		}
+
+		found := false
+		for _, element := range response.Filters {
+			if *element.Name == "block-some-ip" {
+				found = true
+			}
+		}
+
+		if found {
+			return fmt.Errorf("The receipt filter still exists")
+		}
+
+	}
+
+	return nil
+
+}
+
+func testAccCheckAwsSESReceiptFilterExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("SES receipt filter not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("SES receipt filter ID not set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+		response, err := conn.ListReceiptFilters(&ses.ListReceiptFiltersInput{})
+		if err != nil {
+			return err
+		}
+
+		found := false
+		for _, element := range response.Filters {
+			if *element.Name == "block-some-ip" {
+				found = true
+			}
+		}
+
+		if !found {
+			return fmt.Errorf("The receipt filter was not created")
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSSESReceiptFilterConfig = `
+resource "aws_ses_receipt_filter" "test" {
+    name = "block-some-ip"
+    cidr = "10.10.10.10"
+    policy = "Block"
+}
+`

builtin/providers/aws/resource_aws_ses_receipt_rule.go

@@ -0,0 +1,764 @@
+package aws
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"sort"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/hashcode"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsSesReceiptRule() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsSesReceiptRuleCreate,
+		Update: resourceAwsSesReceiptRuleUpdate,
+		Read:   resourceAwsSesReceiptRuleRead,
+		Delete: resourceAwsSesReceiptRuleDelete,
+
+		Schema: map[string]*schema.Schema{
+			"name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"rule_set_name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+
+			"after": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+
+			"enabled": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
+
+			"recipients": &schema.Schema{
+				Type:     schema.TypeSet,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+				Optional: true,
+				Set:      schema.HashString,
+			},
+
+			"scan_enabled": &schema.Schema{
+				Type:     schema.TypeBool,
+				Optional: true,
+				Computed: true,
+			},
+
+			"tls_policy": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+			},
+
+			"add_header_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"header_name": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"header_value": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["header_name"].(string)))
+					buf.WriteString(fmt.Sprintf("%s-", m["header_value"].(string)))
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+
+			"bounce_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"message": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"sender": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"smtp_reply_code": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"status_code": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"topic_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["message"].(string)))
+					buf.WriteString(fmt.Sprintf("%s-", m["sender"].(string)))
+					buf.WriteString(fmt.Sprintf("%s-", m["smtp_reply_code"].(string)))
+
+					if _, ok := m["status_code"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["status_code"].(string)))
+					}
+
+					if _, ok := m["topic_arn"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["topic_arn"].(string)))
+					}
+
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+
+			"lambda_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"function_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"invocation_type": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
+
+						"topic_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["function_arn"].(string)))
+
+					if _, ok := m["invocation_type"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["invocation_type"].(string)))
+					}
+
+					if _, ok := m["topic_arn"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["topic_arn"].(string)))
+					}
+
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+
+			"s3_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"bucket_name": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"kms_key_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"object_key_prefix": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"topic_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["bucket_name"].(string)))
+
+					if _, ok := m["kms_key_arn"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["kms_key_arn"].(string)))
+					}
+
+					if _, ok := m["object_key_prefix"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["object_key_prefix"].(string)))
+					}
+
+					if _, ok := m["topic_arn"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["topic_arn"].(string)))
+					}
+
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+
+			"sns_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"topic_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["topic_arn"].(string)))
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+
+			"stop_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"scope": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"topic_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["scope"].(string)))
+
+					if _, ok := m["topic_arn"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["topic_arn"].(string)))
+					}
+
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+
+			"workmail_action": &schema.Schema{
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"organization_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Required: true,
+						},
+
+						"topic_arn": &schema.Schema{
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+
+						"position": &schema.Schema{
+							Type:     schema.TypeInt,
+							Required: true,
+						},
+					},
+				},
+				Set: func(v interface{}) int {
+					var buf bytes.Buffer
+					m := v.(map[string]interface{})
+					buf.WriteString(fmt.Sprintf("%s-", m["organization_arn"].(string)))
+
+					if _, ok := m["topic_arn"]; ok {
+						buf.WriteString(fmt.Sprintf("%s-", m["topic_arn"].(string)))
+					}
+
+					buf.WriteString(fmt.Sprintf("%d-", m["position"].(int)))
+
+					return hashcode.String(buf.String())
+				},
+			},
+		},
+	}
+}
+
+func resourceAwsSesReceiptRuleCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	createOpts := &ses.CreateReceiptRuleInput{
+		Rule:        buildReceiptRule(d, meta),
+		RuleSetName: aws.String(d.Get("rule_set_name").(string)),
+	}
+
+	if v, ok := d.GetOk("after"); ok {
+		createOpts.After = aws.String(v.(string))
+	}
+
+	_, err := conn.CreateReceiptRule(createOpts)
+	if err != nil {
+		return fmt.Errorf("Error creating SES rule: %s", err)
+	}
+
+	d.SetId(d.Get("name").(string))
+
+	return resourceAwsSesReceiptRuleUpdate(d, meta)
+}
+
+func resourceAwsSesReceiptRuleUpdate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	updateOpts := &ses.UpdateReceiptRuleInput{
+		Rule:        buildReceiptRule(d, meta),
+		RuleSetName: aws.String(d.Get("rule_set_name").(string)),
+	}
+
+	_, err := conn.UpdateReceiptRule(updateOpts)
+	if err != nil {
+		return fmt.Errorf("Error updating SES rule: %s", err)
+	}
+
+	if d.HasChange("after") {
+		changePosOpts := &ses.SetReceiptRulePositionInput{
+			After:       aws.String(d.Get("after").(string)),
+			RuleName:    aws.String(d.Get("name").(string)),
+			RuleSetName: aws.String(d.Get("rule_set_name").(string)),
+		}
+
+		_, err := conn.SetReceiptRulePosition(changePosOpts)
+		if err != nil {
+			return fmt.Errorf("Error updating SES rule: %s", err)
+		}
+	}
+
+	return resourceAwsSesReceiptRuleRead(d, meta)
+}
+
+func resourceAwsSesReceiptRuleRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	describeOpts := &ses.DescribeReceiptRuleInput{
+		RuleName:    aws.String(d.Id()),
+		RuleSetName: aws.String(d.Get("rule_set_name").(string)),
+	}
+
+	response, err := conn.DescribeReceiptRule(describeOpts)
+	if err != nil {
+		_, ok := err.(awserr.Error)
+		if ok && err.(awserr.Error).Code() == "RuleDoesNotExist" {
+			log.Printf("[WARN] SES Receipt Rule (%s) not found", d.Id())
+			d.SetId("")
+			return nil
+		} else {
+			return err
+		}
+	}
+
+	d.Set("enabled", *response.Rule.Enabled)
+	d.Set("recipients", flattenStringList(response.Rule.Recipients))
+	d.Set("scan_enabled", *response.Rule.ScanEnabled)
+	d.Set("tls_policy", *response.Rule.TlsPolicy)
+
+	addHeaderActionList := []map[string]interface{}{}
+	bounceActionList := []map[string]interface{}{}
+	lambdaActionList := []map[string]interface{}{}
+	s3ActionList := []map[string]interface{}{}
+	snsActionList := []map[string]interface{}{}
+	stopActionList := []map[string]interface{}{}
+	workmailActionList := []map[string]interface{}{}
+
+	for i, element := range response.Rule.Actions {
+		if element.AddHeaderAction != nil {
+			addHeaderAction := map[string]interface{}{
+				"header_name":  *element.AddHeaderAction.HeaderName,
+				"header_value": *element.AddHeaderAction.HeaderValue,
+				"position":     i,
+			}
+			addHeaderActionList = append(addHeaderActionList, addHeaderAction)
+		}
+
+		if element.BounceAction != nil {
+			bounceAction := map[string]interface{}{
+				"message":         *element.BounceAction.Message,
+				"sender":          *element.BounceAction.Sender,
+				"smtp_reply_code": *element.BounceAction.SmtpReplyCode,
+				"position":        i,
+			}
+
+			if element.BounceAction.StatusCode != nil {
+				bounceAction["status_code"] = *element.BounceAction.StatusCode
+			}
+
+			if element.BounceAction.TopicArn != nil {
+				bounceAction["topic_arn"] = *element.BounceAction.TopicArn
+			}
+
+			bounceActionList = append(bounceActionList, bounceAction)
+		}
+
+		if element.LambdaAction != nil {
+			lambdaAction := map[string]interface{}{
+				"function_arn": *element.LambdaAction.FunctionArn,
+				"position":     i,
+			}
+
+			if element.LambdaAction.InvocationType != nil {
+				lambdaAction["invocation_type"] = *element.LambdaAction.InvocationType
+			}
+
+			if element.LambdaAction.TopicArn != nil {
+				lambdaAction["topic_arn"] = *element.LambdaAction.TopicArn
+			}
+
+			lambdaActionList = append(lambdaActionList, lambdaAction)
+		}
+
+		if element.S3Action != nil {
+			s3Action := map[string]interface{}{
+				"bucket_name": *element.S3Action.BucketName,
+				"position":    i,
+			}
+
+			if element.S3Action.KmsKeyArn != nil {
+				s3Action["kms_key_arn"] = *element.S3Action.KmsKeyArn
+			}
+
+			if element.S3Action.ObjectKeyPrefix != nil {
+				s3Action["object_key_prefix"] = *element.S3Action.ObjectKeyPrefix
+			}
+
+			if element.S3Action.TopicArn != nil {
+				s3Action["topic_arn"] = *element.S3Action.TopicArn
+			}
+
+			s3ActionList = append(s3ActionList, s3Action)
+		}
+
+		if element.SNSAction != nil {
+			snsAction := map[string]interface{}{
+				"topic_arn": *element.SNSAction.TopicArn,
+				"position":  i,
+			}
+
+			snsActionList = append(snsActionList, snsAction)
+		}
+
+		if element.StopAction != nil {
+			stopAction := map[string]interface{}{
+				"scope":    *element.StopAction.Scope,
+				"position": i,
+			}
+
+			if element.StopAction.TopicArn != nil {
+				stopAction["topic_arn"] = *element.StopAction.TopicArn
+			}
+
+			stopActionList = append(stopActionList, stopAction)
+		}
+
+		if element.WorkmailAction != nil {
+			workmailAction := map[string]interface{}{
+				"organization_arn": *element.WorkmailAction.OrganizationArn,
+				"position":         i,
+			}
+
+			if element.WorkmailAction.TopicArn != nil {
+				workmailAction["topic_arn"] = *element.WorkmailAction.TopicArn
+			}
+
+			workmailActionList = append(workmailActionList, workmailAction)
+		}
+
+	}
+
+	err = d.Set("add_header_action", addHeaderActionList)
+	if err != nil {
+		return err
+	}
+
+	err = d.Set("bounce_action", bounceActionList)
+	if err != nil {
+		return err
+	}
+
+	err = d.Set("lambda_action", lambdaActionList)
+	if err != nil {
+		return err
+	}
+
+	err = d.Set("s3_action", s3ActionList)
+	if err != nil {
+		return err
+	}
+
+	err = d.Set("sns_action", snsActionList)
+	if err != nil {
+		return err
+	}
+
+	err = d.Set("stop_action", stopActionList)
+	if err != nil {
+		return err
+	}
+
+	err = d.Set("workmail_action", workmailActionList)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func resourceAwsSesReceiptRuleDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	deleteOpts := &ses.DeleteReceiptRuleInput{
+		RuleName:    aws.String(d.Id()),
+		RuleSetName: aws.String(d.Get("rule_set_name").(string)),
+	}
+
+	_, err := conn.DeleteReceiptRule(deleteOpts)
+	if err != nil {
+		return fmt.Errorf("Error deleting SES receipt rule: %s", err)
+	}
+
+	return nil
+}
+
+func buildReceiptRule(d *schema.ResourceData, meta interface{}) *ses.ReceiptRule {
+	receiptRule := &ses.ReceiptRule{
+		Name: aws.String(d.Get("name").(string)),
+	}
+
+	if v, ok := d.GetOk("enabled"); ok {
+		receiptRule.Enabled = aws.Bool(v.(bool))
+	}
+
+	if v, ok := d.GetOk("recipients"); ok {
+		receiptRule.Recipients = expandStringList(v.(*schema.Set).List())
+	}
+
+	if v, ok := d.GetOk("scan_enabled"); ok {
+		receiptRule.ScanEnabled = aws.Bool(v.(bool))
+	}
+
+	if v, ok := d.GetOk("tls_policy"); ok {
+		receiptRule.TlsPolicy = aws.String(v.(string))
+	}
+
+	actions := make(map[int]*ses.ReceiptAction)
+
+	if v, ok := d.GetOk("add_header_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				AddHeaderAction: &ses.AddHeaderAction{
+					HeaderName:  aws.String(elem["header_name"].(string)),
+					HeaderValue: aws.String(elem["header_value"].(string)),
+				},
+			}
+		}
+	}
+
+	if v, ok := d.GetOk("bounce_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			bounceAction := &ses.BounceAction{
+				Message:       aws.String(elem["message"].(string)),
+				Sender:        aws.String(elem["sender"].(string)),
+				SmtpReplyCode: aws.String(elem["smtp_reply_code"].(string)),
+			}
+
+			if elem["status_code"] != "" {
+				bounceAction.StatusCode = aws.String(elem["status_code"].(string))
+			}
+
+			if elem["topic_arn"] != "" {
+				bounceAction.TopicArn = aws.String(elem["topic_arn"].(string))
+			}
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				BounceAction: bounceAction,
+			}
+		}
+	}
+
+	if v, ok := d.GetOk("lambda_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			lambdaAction := &ses.LambdaAction{
+				FunctionArn: aws.String(elem["function_arn"].(string)),
+			}
+
+			if elem["invocation_type"] != "" {
+				lambdaAction.InvocationType = aws.String(elem["invocation_type"].(string))
+			}
+
+			if elem["topic_arn"] != "" {
+				lambdaAction.TopicArn = aws.String(elem["topic_arn"].(string))
+			}
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				LambdaAction: lambdaAction,
+			}
+		}
+	}
+
+	if v, ok := d.GetOk("s3_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			s3Action := &ses.S3Action{
+				BucketName:      aws.String(elem["bucket_name"].(string)),
+				KmsKeyArn:       aws.String(elem["kms_key_arn"].(string)),
+				ObjectKeyPrefix: aws.String(elem["object_key_prefix"].(string)),
+			}
+
+			if elem["topic_arn"] != "" {
+				s3Action.TopicArn = aws.String(elem["topic_arn"].(string))
+			}
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				S3Action: s3Action,
+			}
+		}
+	}
+
+	if v, ok := d.GetOk("sns_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			snsAction := &ses.SNSAction{
+				TopicArn: aws.String(elem["topic_arn"].(string)),
+			}
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				SNSAction: snsAction,
+			}
+		}
+	}
+
+	if v, ok := d.GetOk("stop_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			stopAction := &ses.StopAction{
+				Scope: aws.String(elem["scope"].(string)),
+			}
+
+			if elem["topic_arn"] != "" {
+				stopAction.TopicArn = aws.String(elem["topic_arn"].(string))
+			}
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				StopAction: stopAction,
+			}
+		}
+	}
+
+	if v, ok := d.GetOk("workmail_action"); ok {
+		for _, element := range v.(*schema.Set).List() {
+			elem := element.(map[string]interface{})
+
+			workmailAction := &ses.WorkmailAction{
+				OrganizationArn: aws.String(elem["organization_arn"].(string)),
+			}
+
+			if elem["topic_arn"] != "" {
+				workmailAction.TopicArn = aws.String(elem["topic_arn"].(string))
+			}
+
+			actions[elem["position"].(int)] = &ses.ReceiptAction{
+				WorkmailAction: workmailAction,
+			}
+		}
+	}
+
+	var keys []int
+	for k := range actions {
+		keys = append(keys, k)
+	}
+	sort.Ints(keys)
+
+	sortedActions := []*ses.ReceiptAction{}
+	for _, k := range keys {
+		sortedActions = append(sortedActions, actions[k])
+	}
+
+	receiptRule.Actions = sortedActions
+
+	return receiptRule
+}

builtin/providers/aws/resource_aws_ses_receipt_rule_set.go

@@ -0,0 +1,102 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsSesReceiptRuleSet() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsSesReceiptRuleSetCreate,
+		Read:   resourceAwsSesReceiptRuleSetRead,
+		Delete: resourceAwsSesReceiptRuleSetDelete,
+
+		Schema: map[string]*schema.Schema{
+			"rule_set_name": &schema.Schema{
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsSesReceiptRuleSetCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	ruleSetName := d.Get("rule_set_name").(string)
+
+	createOpts := &ses.CreateReceiptRuleSetInput{
+		RuleSetName: aws.String(ruleSetName),
+	}
+
+	_, err := conn.CreateReceiptRuleSet(createOpts)
+	if err != nil {
+		return fmt.Errorf("Error creating SES rule set: %s", err)
+	}
+
+	d.SetId(ruleSetName)
+
+	return resourceAwsSesReceiptRuleSetRead(d, meta)
+}
+
+func resourceAwsSesReceiptRuleSetRead(d *schema.ResourceData, meta interface{}) error {
+	ruleSetExists, err := findRuleSet(d.Id(), nil, meta)
+
+	if !ruleSetExists {
+		log.Printf("[WARN] SES Receipt Rule Set (%s) not found", d.Id())
+		d.SetId("")
+	}
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func resourceAwsSesReceiptRuleSetDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).sesConn
+
+	log.Printf("[DEBUG] SES Delete Receipt Rule Set: %s", d.Id())
+	_, err := conn.DeleteReceiptRuleSet(&ses.DeleteReceiptRuleSetInput{
+		RuleSetName: aws.String(d.Id()),
+	})
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func findRuleSet(name string, token *string, meta interface{}) (bool, error) {
+	conn := meta.(*AWSClient).sesConn
+
+	ruleSetExists := false
+
+	listOpts := &ses.ListReceiptRuleSetsInput{
+		NextToken: token,
+	}
+
+	response, err := conn.ListReceiptRuleSets(listOpts)
+	for _, element := range response.RuleSets {
+		if *element.Name == name {
+			ruleSetExists = true
+		}
+	}
+
+	if err != nil && !ruleSetExists && response.NextToken != nil {
+		ruleSetExists, err = findRuleSet(name, response.NextToken, meta)
+	}
+
+	if err != nil {
+		return false, err
+	}
+
+	return ruleSetExists, nil
+}

builtin/providers/aws/resource_aws_ses_receipt_rule_set_test.go

@@ -0,0 +1,91 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSSESReceiptRuleSet_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSESReceiptRuleSetDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSSESReceiptRuleSetConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsSESReceiptRuleSetExists("aws_ses_receipt_rule_set.test"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckSESReceiptRuleSetDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_ses_receipt_rule_set" {
+			continue
+		}
+
+		params := &ses.DescribeReceiptRuleSetInput{
+			RuleSetName: aws.String("just-a-test"),
+		}
+
+		_, err := conn.DescribeReceiptRuleSet(params)
+		if err == nil {
+			return fmt.Errorf("Receipt rule set %s still exists. Failing!", rs.Primary.ID)
+		}
+
+		// Verify the error is what we want
+		_, ok := err.(awserr.Error)
+		if !ok {
+			return err
+		}
+
+	}
+
+	return nil
+
+}
+
+func testAccCheckAwsSESReceiptRuleSetExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("SES Receipt Rule Set not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("SES Receipt Rule Set name not set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+		params := &ses.DescribeReceiptRuleSetInput{
+			RuleSetName: aws.String("just-a-test"),
+		}
+
+		_, err := conn.DescribeReceiptRuleSet(params)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSSESReceiptRuleSetConfig = `
+resource "aws_ses_receipt_rule_set" "test" {
+    rule_set_name = "just-a-test"
+}
+`

builtin/providers/aws/resource_aws_ses_receipt_rule_test.go

@@ -0,0 +1,292 @@
+package aws
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/service/ses"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSSESReceiptRule_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSESReceiptRuleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSSESReceiptRuleBasicConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsSESReceiptRuleExists("aws_ses_receipt_rule.basic"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSSESReceiptRule_order(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSESReceiptRuleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSSESReceiptRuleOrderConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsSESReceiptRuleOrder("aws_ses_receipt_rule.second"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccAWSSESReceiptRule_actions(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckSESReceiptRuleDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccAWSSESReceiptRuleActionsConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsSESReceiptRuleActions("aws_ses_receipt_rule.actions"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckSESReceiptRuleDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_ses_receipt_rule" {
+			continue
+		}
+
+		params := &ses.DescribeReceiptRuleInput{
+			RuleName:    aws.String(rs.Primary.Attributes["name"]),
+			RuleSetName: aws.String(rs.Primary.Attributes["rule_set_name"]),
+		}
+
+		_, err := conn.DescribeReceiptRule(params)
+		if err == nil {
+			return fmt.Errorf("Receipt rule %s still exists. Failing!", rs.Primary.ID)
+		}
+
+		// Verify the error is what we want
+		_, ok := err.(awserr.Error)
+		if !ok {
+			return err
+		}
+
+	}
+
+	return nil
+
+}
+
+func testAccCheckAwsSESReceiptRuleExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("SES Receipt Rule not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("SES Receipt Rule name not set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+		params := &ses.DescribeReceiptRuleInput{
+			RuleName:    aws.String("basic"),
+			RuleSetName: aws.String("test-me"),
+		}
+
+		response, err := conn.DescribeReceiptRule(params)
+		if err != nil {
+			return err
+		}
+
+		if !*response.Rule.Enabled {
+			return fmt.Errorf("Enabled (%s) was not set to true", *response.Rule.Enabled)
+		}
+
+		if !reflect.DeepEqual(response.Rule.Recipients, []*string{aws.String("test@example.com")}) {
+			return fmt.Errorf("Recipients (%v) was not set to [test@example.com]", response.Rule.Recipients)
+		}
+
+		if !*response.Rule.ScanEnabled {
+			return fmt.Errorf("ScanEnabled (%s) was not set to true", *response.Rule.ScanEnabled)
+		}
+
+		if *response.Rule.TlsPolicy != "Require" {
+			return fmt.Errorf("TLS Policy (%s) was not set to Require", *response.Rule.TlsPolicy)
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckAwsSESReceiptRuleOrder(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("SES Receipt Rule not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("SES Receipt Rule name not set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+		params := &ses.DescribeReceiptRuleSetInput{
+			RuleSetName: aws.String("test-me"),
+		}
+
+		response, err := conn.DescribeReceiptRuleSet(params)
+		if err != nil {
+			return err
+		}
+
+		if len(response.Rules) != 2 {
+			return fmt.Errorf("Number of rules (%s) was not equal to 2", len(response.Rules))
+		} else if *response.Rules[0].Name != "first" || *response.Rules[1].Name != "second" {
+			return fmt.Errorf("Order of rules (%v) was incorrect", response.Rules)
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckAwsSESReceiptRuleActions(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("SES Receipt Rule not found: %s", n)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("SES Receipt Rule name not set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).sesConn
+
+		params := &ses.DescribeReceiptRuleInput{
+			RuleName:    aws.String("actions"),
+			RuleSetName: aws.String("test-me"),
+		}
+
+		response, err := conn.DescribeReceiptRule(params)
+		if err != nil {
+			return err
+		}
+
+		actions := response.Rule.Actions
+
+		if len(actions) != 3 {
+			return fmt.Errorf("Number of rules (%d) was not equal to 3", len(actions))
+		}
+
+		addHeaderAction := actions[0].AddHeaderAction
+		if *addHeaderAction.HeaderName != "Another-Header" {
+			return fmt.Errorf("Header Name (%s) was not equal to Another-Header", *addHeaderAction.HeaderName)
+		}
+
+		if *addHeaderAction.HeaderValue != "First" {
+			return fmt.Errorf("Header Value (%s) was not equal to First", *addHeaderAction.HeaderValue)
+		}
+
+		secondAddHeaderAction := actions[1].AddHeaderAction
+		if *secondAddHeaderAction.HeaderName != "Added-By" {
+			return fmt.Errorf("Header Name (%s) was not equal to Added-By", *secondAddHeaderAction.HeaderName)
+		}
+
+		if *secondAddHeaderAction.HeaderValue != "Terraform" {
+			return fmt.Errorf("Header Value (%s) was not equal to Terraform", *secondAddHeaderAction.HeaderValue)
+		}
+
+		stopAction := actions[2].StopAction
+		if *stopAction.Scope != "RuleSet" {
+			return fmt.Errorf("Scope (%s) was not equal to RuleSet", *stopAction.Scope)
+		}
+
+		return nil
+	}
+}
+
+const testAccAWSSESReceiptRuleBasicConfig = `
+resource "aws_ses_receipt_rule_set" "test" {
+    rule_set_name = "test-me"
+}
+
+resource "aws_ses_receipt_rule" "basic" {
+    name = "basic"
+    rule_set_name = "${aws_ses_receipt_rule_set.test.rule_set_name}"
+    recipients = ["test@example.com"]
+    enabled = true
+    scan_enabled = true
+    tls_policy = "Require"
+}
+`
+
+const testAccAWSSESReceiptRuleOrderConfig = `
+resource "aws_ses_receipt_rule_set" "test" {
+    rule_set_name = "test-me"
+}
+
+resource "aws_ses_receipt_rule" "second" {
+    name = "second"
+    rule_set_name = "${aws_ses_receipt_rule_set.test.rule_set_name}"
+    after = "${aws_ses_receipt_rule.first.name}"
+}
+
+resource "aws_ses_receipt_rule" "first" {
+    name = "first"
+    rule_set_name = "${aws_ses_receipt_rule_set.test.rule_set_name}"
+}
+`
+
+const testAccAWSSESReceiptRuleActionsConfig = `
+resource "aws_s3_bucket" "emails" {
+    bucket = "ses-terraform-emails"
+}
+
+resource "aws_ses_receipt_rule_set" "test" {
+    rule_set_name = "test-me"
+}
+
+resource "aws_ses_receipt_rule" "actions" {
+    name = "actions"
+    rule_set_name = "${aws_ses_receipt_rule_set.test.rule_set_name}"
+
+    add_header_action {
+	header_name = "Added-By"
+	header_value = "Terraform"
+	position = 1
+    }
+
+    add_header_action {
+	header_name = "Another-Header"
+	header_value = "First"
+	position = 0
+    }
+
+    stop_action {
+	scope = "RuleSet"
+	position = 2
+    }
+}
+`

vendor/github.com/aws/aws-sdk-go/service/ses/service.go

@@ -0,0 +1,93 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+package ses
+
+import (
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/private/protocol/query"
+	"github.com/aws/aws-sdk-go/private/signer/v4"
+)
+
+// This is the API Reference for Amazon Simple Email Service (Amazon SES). This
+// documentation is intended to be used in conjunction with the Amazon SES Developer
+// Guide (http://docs.aws.amazon.com/ses/latest/DeveloperGuide/Welcome.html).
+//
+// For a list of Amazon SES endpoints to use in service requests, see Regions
+// and Amazon SES (http://docs.aws.amazon.com/ses/latest/DeveloperGuide/regions.html)
+// in the Amazon SES Developer Guide.
+//The service client's operations are safe to be used concurrently.
+// It is not safe to mutate any of the client's properties though.
+type SES struct {
+	*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// A ServiceName is the name of the service the client will make API calls to.
+const ServiceName = "email"
+
+// New creates a new instance of the SES client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+//     // Create a SES client from just a session.
+//     svc := ses.New(mySession)
+//
+//     // Create a SES client with additional configuration
+//     svc := ses.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *SES {
+	c := p.ClientConfig(ServiceName, cfgs...)
+	return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion string) *SES {
+	svc := &SES{
+		Client: client.New(
+			cfg,
+			metadata.ClientInfo{
+				ServiceName:   ServiceName,
+				SigningName:   "ses",
+				SigningRegion: signingRegion,
+				Endpoint:      endpoint,
+				APIVersion:    "2010-12-01",
+			},
+			handlers,
+		),
+	}
+
+	// Handlers
+	svc.Handlers.Sign.PushBack(v4.Sign)
+	svc.Handlers.Build.PushBackNamed(query.BuildHandler)
+	svc.Handlers.Unmarshal.PushBackNamed(query.UnmarshalHandler)
+	svc.Handlers.UnmarshalMeta.PushBackNamed(query.UnmarshalMetaHandler)
+	svc.Handlers.UnmarshalError.PushBackNamed(query.UnmarshalErrorHandler)
+
+	// Run custom client initialization if present
+	if initClient != nil {
+		initClient(svc.Client)
+	}
+
+	return svc
+}
+
+// newRequest creates a new request for a SES operation and runs any
+// custom request initialization.
+func (c *SES) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+	req := c.NewRequest(op, params, data)
+
+	// Run custom request initialization if present
+	if initRequest != nil {
+		initRequest(req)
+	}
+
+	return req
+}

vendor/github.com/aws/aws-sdk-go/service/ses/waiters.go

@@ -0,0 +1,30 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+
+package ses
+
+import (
+	"github.com/aws/aws-sdk-go/private/waiter"
+)
+
+func (c *SES) WaitUntilIdentityExists(input *GetIdentityVerificationAttributesInput) error {
+	waiterCfg := waiter.Config{
+		Operation:   "GetIdentityVerificationAttributes",
+		Delay:       3,
+		MaxAttempts: 20,
+		Acceptors: []waiter.WaitAcceptor{
+			{
+				State:    "success",
+				Matcher:  "pathAll",
+				Argument: "VerificationAttributes.*.VerificationStatus",
+				Expected: "Success",
+			},
+		},
+	}
+
+	w := waiter.Waiter{
+		Client: c,
+		Input:  input,
+		Config: waiterCfg,
+	}
+	return w.Wait()
+}

website/source/docs/providers/aws/r/ses_active_receipt_rule_set.html.markdown

@@ -0,0 +1,25 @@
+---
+layout: "aws"
+page_title: "AWS: ses_active_receipt_rule_set"
+sidebar_current: "docs-aws-resource-ses-active-receipt-rule-set"
+description: |-
+  Provides a resource to designate the active SES receipt rule set
+---
+
+# aws\_ses\_active_receipt_rule_set
+
+Provides a resource to designate the active SES receipt rule set
+
+## Example Usage
+
+```
+resource "aws_ses_active_receipt_rule_set" "main" {
+  rule_set_name = "primary-rules"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `rule_set_name` - (Required) The name of the rule set

website/source/docs/providers/aws/r/ses_receipt_filter.html.markdown

@@ -0,0 +1,29 @@
+---
+layout: "aws"
+page_title: "AWS: ses_receipt_filter"
+sidebar_current: "docs-aws-resource-ses-receipt-filter"
+description: |-
+  Provides an SES receipt filter
+---
+
+# aws\_ses\_receipt_filter
+
+Provides an SES receipt filter resource
+
+## Example Usage
+
+```
+resource "aws_ses_receipt_filter" "filter" {
+  name = "block-spammer"
+  cidr = "10.10.10.10"
+  policy = "Block"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the filter
+* `cidr` - (Required) The IP address or address range to filter, in CIDR notation
+* `policy` - (Required) Block or Allow

website/source/docs/providers/aws/r/ses_receipt_rule.html.markdown

@@ -0,0 +1,100 @@
+---
+layout: "aws"
+page_title: "AWS: ses_receipt_rule"
+sidebar_current: "docs-aws-resource-ses-receipt-rule"
+description: |-
+  Provides an SES receipt rule resource
+---
+
+# aws\_ses\_receipt_rule
+
+Provides an SES receipt rule resource
+
+## Example Usage
+
+```
+# Add a header to the email and store it in S3
+resource "aws_ses_receipt_rule" "store" {
+  name = "store"
+  rule_set_name = "default-rule-set"
+  recipients = ["karen@example.com"]
+  enabled = true
+  scan_enabled = true
+
+  add_header_action {
+    header_name = "Custom-Header"
+    header_value = "Added by SES"
+  }
+
+  s3_action {
+    bucket_name = "emails"
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the rule
+* `rule_set_name` - (Required) The name of the rule set
+* `after` - (Optional) The name of the rule to place this rule after
+* `enabled` - (Optional) If true, the rule will be enabled
+* `recipients` - (Optional) A list of email addresses
+* `recipients` - (Optional) A list of email addresses
+* `scan_enabled` - (Optional) If true, incoming emails will be scanned for spam and viruses
+* `tls_policy` - (Optional) Require or Optional
+* `add_header_action` - (Optional) A list of Add Header Action blocks. Documented below.
+* `bounce_action` - (Optional) A list of Bounce Action blocks. Documented below.
+* `lambda_action` - (Optional) A list of Lambda Action blocks. Documented below.
+* `s3_action` - (Optional) A list of S3 Action blocks. Documented below.
+* `sns_action` - (Optional) A list of SNS Action blocks. Documented below.
+* `stop_action` - (Optional) A list of Stop Action blocks. Documented below.
+* `workmail_action` - (Optional) A list of WorkMail Action blocks. Documented below.
+
+Add header actions support the following:
+
+* `header_name` - (Required) The name of the header to add
+* `header_value` - (Required) The value of the header to add
+* `position` - (Required) The position of the action in the receipt rule
+
+Bounce actions support the following:
+
+* `message` - (Required) The message to send
+* `sender` - (Required) The email address of the sender
+* `smtp_reply_code` - (Required) The RFC 5321 SMTP reply code
+* `status_code` - (Optional) The RFC 3463 SMTP enhanced status code
+* `topic_arn` - (Optional) The ARN of an SNS topic to notify
+* `position` - (Required) The position of the action in the receipt rule
+
+Lambda actions support the following:
+
+* `function_arn` - (Required) The ARN of the Lambda function to invoke
+* `invocation_type` - (Optional) Event or RequestResponse
+* `topic_arn` - (Optional) The ARN of an SNS topic to notify
+* `position` - (Required) The position of the action in the receipt rule
+
+S3 actions support the following:
+
+* `bucket_name` - (Required) The name of the S3 bucket
+* `kms_key_arn` - (Optional) The ARN of the KMS key
+* `object_key_prefix` - (Optional) The key prefix of the S3 bucket
+* `topic_arn` - (Optional) The ARN of an SNS topic to notify
+* `position` - (Required) The position of the action in the receipt rule
+
+SNS actions support the following:
+
+* `topic_arn` - (Required) The ARN of an SNS topic to notify
+* `position` - (Required) The position of the action in the receipt rule
+
+Stop actions support the following:
+
+* `scope` - (Required) The scope to apply
+* `topic_arn` - (Optional) The ARN of an SNS topic to notify
+* `position` - (Required) The position of the action in the receipt rule
+
+WorkMail actions support the following:
+
+* `organization_arn` - (Required) The ARN of the WorkMail organization
+* `topic_arn` - (Optional) The ARN of an SNS topic to notify
+* `position` - (Required) The position of the action in the receipt rule

website/source/docs/providers/aws/r/ses_receipt_rule_set.html.markdown

@@ -0,0 +1,25 @@
+---
+layout: "aws"
+page_title: "AWS: ses_receipt_rule_set"
+sidebar_current: "docs-aws-resource-ses-receipt-rule-set"
+description: |-
+  Provides an SES receipt rule set resource
+---
+
+# aws\_ses\_active_receipt_rule_set
+
+Provides an SES receipt rule set resource
+
+## Example Usage
+
+```
+resource "aws_ses_receipt_rule_set" "main" {
+  rule_set_name = "primary-rules"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `rule_set_name` - (Required) The name of the rule set

website/source/layouts/aws.erb

@@ -704,6 +704,30 @@
                 </li>
 
 
+                <li<%= sidebar_current(/^docs-aws-resource-ses/) %>>
+                    <a href="#">SES Resources</a>
+                    <ul class="nav nav-visible">
+
+                        <li<%= sidebar_current("docs-aws-resource-ses-active-receipt-rule-set") %>>
+                            <a href="/docs/providers/aws/r/ses_active_receipt_rule_set.html">aws_ses_active_receipt_rule_set</a>
+                        </li>
+
+                        <li<%= sidebar_current("docs-aws-resource-ses-receipt-rule") %>>
+                            <a href="/docs/providers/aws/r/ses_receipt_rule.html">aws_ses_receipt_rule</a>
+                        </li>
+
+                        <li<%= sidebar_current("docs-aws-resource-ses-receipt-filter") %>>
+                            <a href="/docs/providers/aws/r/ses_receipt_filter.html">aws_ses_receipt_filter</a>
+                        </li>
+
+                        <li<%= sidebar_current("docs-aws-resource-ses-receipt-rule-set") %>>
+                            <a href="/docs/providers/aws/r/ses_receipt_rule_set.html">aws_ses_receipt_rule_set</a>
+                        </li>
+
+                    </ul>
+                </li>
+
+
                 <li<%= sidebar_current(/^docs-aws-resource-sns/) %>>
                     <a href="#">SNS Resources</a>
                     <ul class="nav nav-visible">