feat(ses): https policy for custom tracking domain (#34314)

### Issue # (if applicable)

None

### Reason for this change

Cloudformation supports for configuring HttpsPolicy for custom tracking domain in `ConfigurationSet` but AWS CDK cannot do this.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-ses-configurationset-trackingoptions.html#cfn-ses-configurationset-trackingoptions-httpspolicy

### Description of changes

- Define `HttpsPolicy` enum
- Add `customTrackingHttpsPolicy` to `ConfigurationSetProps`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: badmintoncryer

packages/@aws-cdk-testing/framework-integ/test/aws-ses/test/integ.configuration-set-tracking-options.js.snapshot/ConfigurationSetIntegDefaultTestDeployAssert9B6AD46A.assets.json

@@ -0,0 +1,47 @@
+{
+ "Resources": {
+  "ConfigurationSet3DD38186": {
+   "Type": "AWS::SES::ConfigurationSet",
+   "Properties": {
+    "TrackingOptions": {
+     "CustomRedirectDomain": "tracking.example.com",
+     "HttpsPolicy": "REQUIRE"
+    }
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-ses/test/integ.configuration-set-tracking-options.js.snapshot/ConfigurationSetIntegDefaultTestDeployAssert9B6AD46A.template.json

@@ -0,0 +1,41 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+import * as ses from 'aws-cdk-lib/aws-ses';
+
+/**
+ * In order to test this you need to have a valid public hosted zone that you can use
+ * to validate the domain identity.
+ *
+ * Step 1: Create a public hosted zone in Route53
+ * Step 2: Create a email identity in SES and validate it with the hosted zone
+ * Step 3: Set the hosted zone name as an env var "HOSTED_ZONE_NAME"
+ * Step 4: Run this test
+ * Step 5: Correct the hosted zone name in the generated template to `tracking.example.com `
+ */
+const hostedZoneName = process.env.CDK_INTEG_HOSTED_ZONE_NAME ?? process.env.HOSTED_ZONE_NAME;
+if (!hostedZoneName) throw new Error('For this test you must provide your own HostedZoneName as an env var "HOSTED_ZONE_NAME". See framework-integ/README.md for details.');
+
+interface TestStackProps extends StackProps {
+  hostedZoneName: string;
+}
+
+class ConfigurationSetStack extends Stack {
+  constructor(scope: Construct, id: string, props: TestStackProps) {
+    super(scope, id, props);
+
+    new ses.ConfigurationSet(this, 'ConfigurationSet', {
+      customTrackingRedirectDomain: `tracking.${props.hostedZoneName}`,
+      customTrackingHttpsPolicy: ses.HttpsPolicy.REQUIRE,
+    });
+  }
+}
+
+const app = new App();
+
+new integ.IntegTest(app, 'ConfigurationSetInteg', {
+  testCases: [new ConfigurationSetStack(app, 'ses-configuration-set-tracking-options-integ', {
+    hostedZoneName,
+  })],
+  stackUpdateWorkflow: false,
+});

packages/@aws-cdk-testing/framework-integ/test/aws-ses/test/integ.configuration-set-tracking-options.js.snapshot/cdk.out

@@ -139,7 +139,6 @@ import { Duration } from 'aws-cdk-lib';
 declare const myPool: ses.IDedicatedIpPool;
 
 new ses.ConfigurationSet(this, 'ConfigurationSet', {
-  customTrackingRedirectDomain: 'track.cdk.dev',
   tlsPolicy: ses.ConfigurationSetTlsPolicy.REQUIRE,
   dedicatedIpPool: myPool,
   // Specify maximum delivery time
@@ -200,6 +199,20 @@ myConfigurationSet.addEventDestination('ToFirehose', {
 })
 ```
 
+#### Tracking options
+
+You can specify to use a custom redirect domain to handle open and click tracking for email sent with this configuration set by using `customTrackingRedirectDomain` and `customTrackingHttpsPolicy`.
+Detail can be found in [Custom tracking domain](https://docs.aws.amazon.com/ses/latest/dg/configure-custom-open-click-domains.html).
+
+```ts
+new ses.ConfigurationSet(this, 'ConfigurationSet', {
+  customTrackingRedirectDomain: 'track.cdk.dev',
+  customTrackingHttpsPolicy: ses.HttpsPolicy.REQUIRE,
+});
+```
+
+**Note**: The custom tracking redirect domain must be verified in Amazon SES. To create verified identities, you can use the [`EmailIdentity` construct](#email-identity).
+
 ### Override account-level suppression list settings
 
 You can customize account-level suppression list separately for different configuration sets by overriding it