Verifying SES Domain Identity by appending to existing TXT record

Hi everyone,

I’m trying to provision additional sub-accounts in an organization that each need to be able to use their respective SES services. The sending domain is common.

I’ve successfully terraformed SES identities and their verification in the past, but I’m having difficulty understanding how to include the verification token in an existing TXT record (since AWS limits you to one).

The hosted zone is managed in a shared services account. The records are managed through role-assuming, aliased providers.

What would be the best way to implement this? Obviously, when removing an account, I would only want the relevant part of the TXT record (the token) to be removed, keeping all other TXT values intact. I’m anticipating creating at least half a dozen accounts in the near future.

Right now, I’m getting an expected error because the TXT record already exists and is owned by another state.

Kindly,
Mike