
okta_email_sender_verification doesn't support being recreated

Open kensykora opened this issue 3 years ago • 6 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

In the scenario where:

  • Terraform creates the okta_email_sender, then the DNS settings, then the okta_email_sender_verification
  • The okta_email_sender_verification resource in Terraform is later destroyed or tainted
  • Terraform recreates the resources

The okta_email_sender_verification fails to create because the sender has already been verified. The okta module does not handle this scenario.

Terraform Version

Terraform v1.1.5
on linux_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v3.9.1
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/okta/okta v3.21.0

Affected Resource(s)

  • okta_email_sender_verification

Terraform Configuration Files

resource "okta_email_sender" "sender" {
  from_name    = var.support_email_from_name
  from_address = var.support_email_address
  subdomain    = var.support_email_domain_name
}

resource "cloudflare_record" "verification_records" {
  # Okta will reliably create 4 DNS records
  # Each record we need to create comes back from Okta looking like this
  # Unfortunately, we cannot just loop over all the records that come back
  # because Terraform needs to be able to create a deterministic plan
  # 
  # {
  #     fqdn        = "p999._domainkey.mydomain.co"
  #     record_type = "cname"
  #     value       = "p999.domainkey.u99999999.wl999.sendgrid.net"
  # }
  count = 4

  zone_id = data.cloudflare_zone.mydomain_domain.id

  name  = okta_email_sender.sender.dns_records[count.index].fqdn
  value = okta_email_sender.sender.dns_records[count.index].value

  # Make sure it's upper case, cloudflare provider requires this
  type = upper(okta_email_sender.sender.dns_records[count.index].record_type)
}

resource "time_sleep" "dns_propagation" {
  # Re-run the wait whenever any of the four records is recreated
  triggers = {
    record_0 = cloudflare_record.verification_records[0].id
    record_1 = cloudflare_record.verification_records[1].id
    record_2 = cloudflare_record.verification_records[2].id
    record_3 = cloudflare_record.verification_records[3].id
  }

  create_duration = "5m"
}

resource "okta_email_sender_verification" "example" {
  # Verify only after the records exist and have had time to propagate
  depends_on = [
    cloudflare_record.verification_records,
    time_sleep.dns_propagation
  ]

  sender_id = okta_email_sender.sender.id
}

Debug Output

https://gist.github.com/kensykora/9fc4fea745e1eab9d82c87e0bd27d798

Expected Behavior

One of two things:

  1. Support importing okta_email_sender_verification resources
  2. OR allow this resource to reliably inspect the sender's status upon creation and bring it in without an error (maybe a warning) if it is already verified

Actual Behavior

Creation fails:

│ Error: failed to verify custom email sender: the API returned an error: Api validation failed: com.saasure.core.services.mail.exception.EmailSettingsInvalidStatusException. Causes: errorSummary: errors in the field: status
│ 
│   with module.infra.okta_email_sender_verification.example,
│   on ../../infra/main.tf line 75, in resource "okta_email_sender_verification" "example":
│   75: resource "okta_email_sender_verification" "example" {
│ 
╵

Notes

Here is the HTTP error response from the API call to validate:

{
 "errorCode": "E0000001",
 "errorSummary": "Api validation failed: com.saasure.core.services.mail.exception.EmailSettingsInvalidStatusException",
 "errorLink": "E0000001",
 "errorId": "<error_id>",
 "errorCauses": [
  {
   "errorSummary": "errors in the field: status"
  }
 ]
}

Before that error is returned, the status of the okta_email_sender is already set to VERIFIED on the second run.

Workaround

  • Destroy the okta_email_sender resource, which seems like it might create new DNS records that require verification again.
  • Not a great one, but if you happen to know that an environment is already verified for a domain name, you can use a variable in your module to count = var.create_okta_email_verification ? 1 : 0 on the okta_email_sender_verification resource.

Steps to Reproduce

  1. Run terraform apply with the code sample above
  2. Run terraform destroy -target=okta_email_sender_verification.example
  3. Run terraform apply again

kensykora avatar Feb 15 '22 17:02 kensykora
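As an added example that is not part of the issue, of terraform-provider-okta, or of Okta's SDK: the behaviour requested under Expected Behavior (option 2), i.e. read the sender's status before verifying, adopt an already-VERIFIED sender instead of failing, and recognise the E0000001 / EmailSettingsInvalidStatusException body quoted in the Notes. FakeSenderApi is a constructed stand-in for the Okta sender API; its get()/verify() method names, the unverified status value PENDING, and the flip_on_verify option (which simulates the sender being verified out of band between the read and the verify call) are assumptions. The error body is the one shown in the issue.

```python
"""Idempotent verification of an Okta custom email sender (added example)."""

INVALID_STATUS_EXCEPTION = (
    "com.saasure.core.services.mail.exception."
    "EmailSettingsInvalidStatusException"
)

# Error body as quoted in the issue (errorId redacted there too).
INVALID_STATUS_ERROR_BODY = {
    "errorCode": "E0000001",
    "errorSummary": "Api validation failed: " + INVALID_STATUS_EXCEPTION,
    "errorLink": "E0000001",
    "errorId": "<error_id>",
    "errorCauses": [{"errorSummary": "errors in the field: status"}],
}


class OktaApiError(Exception):
    """Carries the parsed JSON error body of a failed Okta API call."""

    def __init__(self, body: dict):
        super().__init__(body.get("errorSummary", "Okta API error"))
        self.body = body

    def is_invalid_status(self) -> bool:
        """True only for the error shape reported in the issue: E0000001,
        EmailSettingsInvalidStatusException, and a cause naming 'status'."""
        causes = self.body.get("errorCauses") or []
        return (
            self.body.get("errorCode") == "E0000001"
            and INVALID_STATUS_EXCEPTION in self.body.get("errorSummary", "")
            and any("status" in c.get("errorSummary", "") for c in causes)
        )


class FakeSenderApi:
    """Constructed stand-in for the Okta email-sender API (assumption, not
    the real client). verify() on an already VERIFIED sender fails with the
    invalid-status error, as reported. With flip_on_verify=True the sender
    becomes VERIFIED out of band just before verify() is processed."""

    def __init__(self, senders: dict, flip_on_verify: bool = False):
        self.senders = {k: dict(v) for k, v in senders.items()}
        self.flip_on_verify = flip_on_verify
        self.verify_calls = 0

    def get(self, sender_id: str) -> dict:
        return dict(self.senders[sender_id])

    def verify(self, sender_id: str) -> dict:
        self.verify_calls += 1
        sender = self.senders[sender_id]
        if self.flip_on_verify:
            sender["status"] = "VERIFIED"  # race: verified by someone else
        if sender["status"] == "VERIFIED":
            raise OktaApiError(dict(INVALID_STATUS_ERROR_BODY))
        sender["status"] = "VERIFIED"
        return dict(sender)


def ensure_verified(api, sender_id: str) -> dict:
    """Verify the sender unless it already is. Returns the final status and
    whether verify() was actually called; never fails merely because the
    sender was verified by an earlier run."""
    sender = api.get(sender_id)
    if sender["status"] == "VERIFIED":
        # The case that fails today: adopt the verified sender instead of
        # re-issuing the verify request.
        return {"status": "VERIFIED", "verify_called": False}
    try:
        api.verify(sender_id)
    except OktaApiError as err:
        if not err.is_invalid_status():
            raise  # some other API failure: surface it unchanged
        # Status moved between get() and verify(); re-read before deciding.
        if api.get(sender_id)["status"] != "VERIFIED":
            raise
    return {"status": api.get(sender_id)["status"], "verify_called": True}
```

On a real run the same decision could be made by a pre-apply script that reads the sender, then sets a variable such as the `create_okta_email_verification` flag from the Workaround section, so the verification resource is only planned when the sender is not yet VERIFIED.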

Hi, @kensykora! Thanks for submitting this issue! I'll take a look on this asap.

bogdanprodan-okta avatar Feb 15 '22 17:02 bogdanprodan-okta

So after some more testing, I did find that something managed to get it to require verification again; possibly what happened is that I only destroyed the okta_email_sender_verification (Steps to Reproduce, step 2). I'll update the description.

kensykora avatar Feb 15 '22 17:02 kensykora

@kensykora if we are able to work on this, would #975 go hand in hand with this issue?

monde avatar Mar 02 '22 22:03 monde

They are different issues but they are related to the same resource type. We worked around the issue, I'm just reporting it for awareness.

kensykora avatar Mar 02 '22 22:03 kensykora

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar May 07 '22 00:05 github-actions[bot]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jul 09 '22 00:07 github-actions[bot]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jan 24 '23 00:01 github-actions[bot]