Email Domain gets detached from Brand when applying any updates to that Brand

[ReeceWilliams7]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v1.6.1

Affected Resource(s)

• okta_brand
• okta_email_domain

Terraform Configuration Files

resource "okta_brand" "xxx_web" {
  name                                = var.xxx_brand_name
  remove_powered_by_okta              = true
  default_app_classic_application_uri = "https://xxx.xxx.com"
}

resource "okta_email_domain" "xxx_web" {
  brand_id     = okta_brand.xxx_web.id
  domain       = "xxx.com"
  display_name = "xxx"
  user_name    = "no-reply"
}

Debug Output

Apologies, but Gist is blocked at work so cannot use that.

In this example, we're setting the default_app_classic_application_uri attribute which was previously empty.

Expected Behavior

When updating a brand that has an Email Domain attached, that email domain should remain attached post update.

Can this be done in the Admin UI?

Yes. And in fact, the Admin UI allows you to attach the same Email Domain to multiple brands ("Copy to another brand" option).

Can this be done in the actual API call?

Yes. However, the Update Brand API call allows you to specify the emailDomainId. On the Terraform Provider here, it's a read_only/computed attribute. This suggests that the API allows the same email domain to be attached to multiple brands.

Actual Behavior

The Email Domain gets removed from the brand and so the brand reverts to the default Okta Email sender.

Steps to Reproduce

1. Create a brand and Email Domain ID

2. Make a change to the brand via Terraform

3. Run Terraform Apply

4. Note that the email_domain_id attribute is going to be changed (known after apply)

5. Post apply, see via the Okta Admin Console that the Email Domain has been detached from the brand.

6. terraform apply

References

I've found various issues/PRs/discussions on a similar topic.

• Wrong definition of email_domain_id in brand resource #1855
• resource okta_brand's email_domain_id is an attribute, not an argument #1831
• okta_brand requires email_domain_id #1824
• Receiving Terraform Cyclical Error between the okta_brand and okta_email_domain Resources #1771
• update brand to correctly reflect api #1898

None of these appear to be addressing the issue though, and in fact seem to argue against the ability to attach the same Email Domain ID to multiple brands.

The Brands API appears to support this (as does the Admin UI, demonstrably).

• Okta API - Replace a Brand

Although admittedly, this does then seem to be in conflict with the email-domains API, which only provides for a single brand id against an email domain in the create operation -

• Okta API - Create an Email Domain

Whilst the update operation doesn't even have a brand_id property -

• Okta API - Replace an Email Domain

The whole design between Brands and Email Domains is therefore very confusing (which I appreciate is contributing to the challenge in implementing it within the Terraform provider).

[duytiennguyen-okta]

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-690454

[duytiennguyen-okta]

@ReeceWilliams7 It's look like I will have to talk to the API team about this. cc @jefftaylor-okta