cli: Show forces replacement for sensitive attrs

When rendering a plan diff, sensitive resource attributes would previously omit the "forces replacement" comment, which can lead to confusion when the only reason for a resource being replaced is a sensitive attribute.
2021-05-03 06:48:10 -04:00 · 2021-05-03 06:48:10 -04:00 · c95e9ada6b
parent 6bed3008a5
commit c95e9ada6b
2 changed files with 30 additions and 0 deletions
--- a/command/format/diff.go
+++ b/command/format/diff.go
@ -359,6 +359,9 @@ func (p *blockBodyDiffPrinter) writeAttrDiff(name string, attrS *configschema.At

 	if attrS.Sensitive {
 		p.buf.WriteString("(sensitive value)")
+		if p.pathForcesNewResource(path) {
+			p.buf.WriteString(p.color.Color(forcesNewResourceCaption))
+		}
 	} else {
 		switch {
 		case showJustNew:
--- a/command/format/diff_test.go
+++ b/command/format/diff_test.go
@ -3992,6 +3992,33 @@ func TestResourceChange_sensitiveVariable(t *testing.T) {
          # so its contents will not be displayed.
        }
    }
+`,
+		},
+		"update with sensitive attribute forcing replacement": {
+			Action: plans.DeleteThenCreate,
+			Mode:   addrs.ManagedResourceMode,
+			Before: cty.ObjectVal(map[string]cty.Value{
+				"id":  cty.StringVal("i-02ae66f368e8518a9"),
+				"ami": cty.StringVal("ami-BEFORE"),
+			}),
+			After: cty.ObjectVal(map[string]cty.Value{
+				"id":  cty.StringVal("i-02ae66f368e8518a9"),
+				"ami": cty.StringVal("ami-AFTER"),
+			}),
+			Schema: &configschema.Block{
+				Attributes: map[string]*configschema.Attribute{
+					"id":  {Type: cty.String, Optional: true, Computed: true},
+					"ami": {Type: cty.String, Optional: true, Computed: true, Sensitive: true},
+				},
+			},
+			RequiredReplace: cty.NewPathSet(
+				cty.GetAttrPath("ami"),
+			),
+			ExpectedOutput: `  # test_instance.example must be replaced
+-/+ resource "test_instance" "example" {
+      ~ ami = (sensitive value) # forces replacement
+        id  = "i-02ae66f368e8518a9"
+    }
 `,
 		},
 	}