okta_email_template_settings bricks the okta dashboard for emails

[Caribosaurus]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.10.4
on darwin_arm64

• provider registry.terraform.io/hashicorp/local v2.5.2
• provider registry.terraform.io/hashicorp/random v3.6.3
• provider registry.terraform.io/hashicorp/tls v4.0.6
• provider registry.terraform.io/iwarapter/jwks v0.1.0
• provider registry.terraform.io/okta/okta v4.13.0

Affected Resource(s)

okta_email_template_settings

Terraform Configuration Files

resource "okta_email_template_settings" "forgot_password" {
  for_each      = { for brand in data.okta_brands.circlek.brands : brand.id => brand }
  brand_id      = each.key
  template_name = "ForgotPassword"
  recipients    = "ALL_USERS"
}

resource "okta_email_template_settings" "forgot_password_denied" {
  for_each      = { for brand in data.okta_brands.circlek.brands : brand.id => brand }
  brand_id      = each.key
  template_name = "ForgotPasswordDenied"
  recipients    = "ALL_USERS"
}

resource "okta_email_template_settings" "password_changed" {
  for_each      = { for brand in data.okta_brands.circlek.brands : brand.id => brand }
  brand_id      = each.key
  template_name = "PasswordChanged"
  recipients    = "ALL_USERS"
}

resource "okta_email_template_settings" "email_challenge" {
  for_each      = { for brand in data.okta_brands.circlek.brands : brand.id => brand }
  brand_id      = each.key
  template_name = "ForgotPasswordDenied"
  recipients    = "ALL_USERS"
}

resource "okta_email_template_settings" "email_factor_verification" {
  for_each      = { for brand in data.okta_brands.circlek.brands : brand.id => brand }
  brand_id      = each.key
  template_name = "EmailFactorVerification"
  recipients    = "ALL_USERS"
}

Expected Behavior

Track in terraform the current recipients of the email templates.

Can this be done in the Admin UI?

yes

Can this be done in the actual API call?

yes

Actual Behavior

Apply wants to create the ressource. once the ressource is created the emails page in okta now return an error.

https://tennant-admin.oktapreview.com/api/v1/brands/id/templates/email?limit=100&expand=customizationCount,settings
{
"errorCode": "E0000009",
"errorSummary": "Internal Server Error",
"errorLink": "E0000009",
"errorId": "oaed10Qse71S1W9sloJmcGAzQ",
"errorCauses": []
}

Steps to Reproduce

1. terraform apply

[monde]

Agreed, the TF provider shouldn't give input that will adversely affect the org. However, the TF provider is just making public API calls. Anything could give this same combination of input would cause the same behavior and is indicative of an underlying bug in the Okta service.

https://oktainc.atlassian.net/browse/OKTA-858196

[Caribosaurus]

Ok I did some further testing on other dev tennant.
It seems like in my original config I had 2 forgot password denied and that caused the dashboard to be bricked.
If I redo it one by one on the other tennant without duplicates, the dashboard still works.