terraform-provider-okta: Receiving a Status: 410 Gone Error for resource: "okta_email_sender" when enabling multibranding in Okta

Upon Turning on the MultiBranding feature in Okta and running Terraform I get the following error: image

Community Note

  • Please vote on this issue by adding a šŸ‘ reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave ā€œ+1ā€ or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.4.5

Okta Terraform version

3.46.0

Affected Resource(s)

  • okta_email_sender

Terraform Configuration Files

resource "okta_email_sender" "vanity_email_address" {
  from_name    = "email name"
  from_address = var.vanity_email
  subdomain    = "subdomainName"
}

Expected Behavior

Should be able create a vanity email (It works when the multibranding feature off).

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

Yes

Actual Behavior

The API is returning a Error: failed to get custom email sender: the API returned an error: This endpoint has been deprecated., Status: 410 Gone error.

Steps to Reproduce

  1. Turn on multibranding
  2. Run terraform apply on a okta_email_sender resource

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 16
  • Comments: 27 (3 by maintainers)

Most upvoted comments

It was a joke. It was not meant to be offensive nor directed toward you personally.

But since weā€™re on the topic, I am not offended by Okta or itā€™s staff although I would say that my company has every right to be offended.

We pay your company a lot of money to provide services and a portion of those services have been rendered useless for over three months by a breaking change introduced by Okta apparently because your API folks and Terraform folks arenā€™t communicating. Then to make matters worse, the fix offered up for the breaking change was designed with a new dependency, clearly untested, and documented poorly. And now youā€™re asking paying customers to troubleshoot whether or not itā€™s Oktaā€™s Terraform or Oktaā€™s API that isnā€™t working properly.

Oktaā€™s mistakes have caused my company to burn through a minimum of 20 hours worth of labor for troubleshooting, finding work-arounds, and manually performing steps that were automatic CI/CD operations three months ago. And itā€™s not just my company that has been feeling this pain for the past three months, itā€™s every company that had the misfortune of using the okta_email_sender resource. I canā€™t imagine the total number of dollars and hours this breaking change has cost Oktaā€™s customers but Iā€™m certain it would be eye-popping.

I donā€™t know what person, group, process, procedure, or technology at Okta is to blame but the fact remains that a service which we all pay for is not available because of something that went wrong at Okta. At this point Iā€™m done troubleshooting.

And although my description of the issue is accurate, I apologize for using words you find offensive. Again, it was not directed at you personally or any individual. It was referring to the situation and the interdependent layers of technology that have collectively failed.

Please let me and the rest of Oktaā€™s customerā€™s know when the fix will be ready. Thank you for attending to this long outstanding issue. Clint Robinson

+3
ClintonianSunBlaster on Jun 23, 2023

We are one more company waiting on this fix. Thanks for your hard work.

+3
dmbaJoe on Jun 8, 2023

@ClintonianSunBlaster / all, @duytiennguyen-okta is finishing up a work around that will hopefully go out within the week. Definitely not on the back burner.

+3
monde on Jun 1, 2023

This feature appears to be broken due to using an undocumented API /api/v1/org/email/sender. (openapi docs https://github.com/okta/okta-sdk-golang/blob/v2.18.0/.generator/okta-management-APIs-oasv3-noEnums-inheritance.yaml ). This API had a breaking change causing this resource to break as described above.

Iā€™m guessing the current api is the following: https://github.com/okta/okta-sdk-golang/blob/v3.0.2/okta/api_email_domain.go . Or you can look for the /api/v1/email-domains in the opanapi documentation https://github.com/okta/okta-sdk-golang/blob/v3.0.2/okta/api/openapi.yaml

Iā€™m going to likely just delete this resource from terraform state to get my pipelines working. Hopefully there is an update to allow us to manage these in terraform again going forward.

+3
dmsolutionsmn on May 15, 2023

@duytiennguyen-okta and @monde,

Sorry to pile on here butā€¦

There appears to be another issue with the new okta_email_domain resource and itā€™s requirement for a brand_id.

okta_email_domain requires a ā€œbrand_idā€ but it appears the only way to retrieve a list of brand_ids is to use the okta_brand data resource which outputs a list of brands based on the okta_brands data resource output (see https://registry.terraform.io/providers/okta/okta/latest/docs/data-sources/brand). This creates a problem because okta_brand doesnā€™t have a reference attribute called ā€œnameā€ so there is no way to retrieve the brand id of a specific custom brand. Instead, you can only reference ā€œtolist(data.okta_brands.test.brands)[x].idā€ which retrieves a brand id from a list based on a list index. It appears that index 0 always gets the brand id of the default brand which happens to be the first brand on the list. But, if you have multiple custom brands and would like the brand id of a specific one, itā€™s guesswork as to which index to use. And worse yet, if youā€™re managing multiple brands across multiple environments, then itā€™s entirely possible indexes could different between environments.

I think a fix would be to update the okta_brand data resource to include a returned attribute called ā€œnameā€ then I/us/we could use a locals that searches the list of brands returned from okta_brand for a brand which matches a specific name to get its specific brand_id? Once we have the correct brand_id we can then use it in the new okta_email_domain resource.

Thanks again, Clint

+2
ClintonianSunBlaster on Jun 23, 2023

@duytiennguyen-okta and @monde,

This issue is ā€œtechnicallyā€ fixed but the fix caused new issues as the new okta_email_domain resource appears to be misconfigured. Specifically, the dns_validation_records attribute contains a sub-attribute called ā€œvaluesā€ which is is incorrectly documented as ā€œvalueā€ at https://registry.terraform.io/providers/okta/okta/latest/docs/resources/email_domain and the ā€œvaluesā€ attribute contains no data.

This creates an issue as we can no longer setup the associated DNS records with TF and thus the new okta_email_domain_validation resource always fails.

Please investigate and fix as soon as possible. Thanks!

Here is an example. Notice ā€œvaluesā€ and itā€™s empty valuesā€¦

okta_email_domain = {
  "brand_id" = "bnd7h60x12vaCa1xxxx7"
  "display_name" = "NoReply"
  "dns_validation_records" = tolist([
    {
      "expiration" = ""
      "fqdn" = "_oktaverification.auth-test.****.com"
      "record_type" = "TXT"
      "values" = tolist([])
    },
    {
      "expiration" = ""
      "fqdn" = "mail.auth-test.****.com"
      "record_type" = "cname"
      "values" = tolist([])
    },
    {
      "expiration" = ""
      "fqdn" = "p06._domainkey.auth-test.****.com"
      "record_type" = "cname"
      "values" = tolist([])
    },
    {
      "expiration" = ""
      "fqdn" = "p36._domainkey.auth-test.****.com"
      "record_type" = "cname"
      "values" = tolist([])
    },
  ])
  "domain" = "auth-test.****.com"
  "id" = "OeD8mxsffffoooU41d7"
  "user_name" = "noreply"
  "validation_status" = "NOT_STARTED"
}
+2
ClintonianSunBlaster on Jun 23, 2023

@monde,

This continues to be an issue. When will this be fixed?

Itā€™s now been 80 days since Okta introduced this breaking change.

We were informed by Okta Support on on June 8th that the okta_email_sender api has been deprecated and replaced by the email_domain api (https://developer.okta.com/docs/api/openapi/okta-management/management/tag/EmailDomain/).

When will the okta_email-sender tf resource be updated to use the new API?

Thanks, Clint

+2
ClintonianSunBlaster on Jun 13, 2023

@monde Iā€™m happy to help debug if useful. But Iā€™m hitting the same issue, this is the one for me: https://github.com/okta/terraform-provider-okta/blob/b4ad5a959aa1d5a81aa358f78beaa0edf783155c/sdk/email_sender.go#L72

/api/v1/org/email/sender/<whatever> seems to be deprecated

EDIT: Ok after reading a few more of this thread, I realize now that the other method was (silently?) deprecated and Iā€™m supposed to use okta_domain_sender Iā€™d add a note on the terraform documentation if possible.

+1
Reflejo on Jun 26, 2023

@monde or @duytiennguyen-okta, can you bring @ClintonianSunBlaster feedback to the attention of Jeff Taylor and/or Nick Gamb. It is valid feedback since our team also lost time working around this issue, and it is best to have visibility, other than twittering to https://twitter.com/toddmckinnon. šŸ™ƒ

+1
hpe-noinarisak on Jun 23, 2023

Oh, I would also consider re-opening this issue @monde, IMO. šŸ˜ø

+1
hpe-noinarisak on Jun 23, 2023
Read more comments on GitHub
← terraform-provider-okta: priority = 0 is ignored for okta_app_signon_policy_rule resource
terraform-provider-okta: Unable to set App Logo for SAML apps →