diff --git a/terraform/eval_diff.go b/terraform/eval_diff.go index 669ff6687..d7e43ce28 100644 --- a/terraform/eval_diff.go +++ b/terraform/eval_diff.go @@ -212,23 +212,11 @@ func (n *EvalDiff) Eval(ctx EvalContext) (interface{}, error) { return nil, diags.Err() } - // Create an unmarked version of our config val, defaulting - // to the configVal so we don't do the work of unmarking unless - // necessary - unmarkedConfigVal := configValIgnored - var unmarkedPaths []cty.PathValueMarks - if configValIgnored.ContainsMarked() { - // store the marked values so we can re-mark them later after - // we've sent things over the wire. - unmarkedConfigVal, unmarkedPaths = configValIgnored.UnmarkDeepWithPaths() - } - - unmarkedPriorVal := priorVal - if priorVal.ContainsMarked() { - // store the marked values so we can re-mark them later after - // we've sent things over the wire. - unmarkedPriorVal, _ = priorVal.UnmarkDeep() - } + // Create an unmarked version of our config val and our prior val. + // Store the paths for the config val to re-markafter + // we've sent things over the wire. + unmarkedConfigVal, unmarkedPaths := configValIgnored.UnmarkDeepWithPaths() + unmarkedPriorVal, priorPaths := priorVal.UnmarkDeep() proposedNewVal := objchange.ProposedNewObject(schema, unmarkedPriorVal, unmarkedConfigVal) @@ -395,8 +383,7 @@ func (n *EvalDiff) Eval(ctx EvalContext) (interface{}, error) { } } - // Unmark for this test for equality. If only sensitivity has changed, - // this does not require an Update or Replace + // Unmark for this test for value equality. eqV := unmarkedPlannedNewVal.Equals(unmarkedPriorVal) eq := eqV.IsKnown() && eqV.True() @@ -406,6 +393,11 @@ func (n *EvalDiff) Eval(ctx EvalContext) (interface{}, error) { action = plans.Create case eq: action = plans.NoOp + // If we plan to write or delete sensitive paths from state, + // this is an Update action + if len(priorPaths) != len(unmarkedPaths) { + action = plans.Update + } case !reqRep.Empty(): // If there are any "requires replace" paths left _after our filtering // above_ then this is a replace action.