You write a conditional.
The condition is false.
The broken branch should never run.
Terraform plans successfully.
Then you change one detail.
Same pattern.
Now the plan fails.
This is where most engineers assume Terraform evaluates both branches.
That assumption is wrong.
Terraform does not evaluate both branches for values.
Terraform evaluates only the selected branch when the condition is known.
But Terraform still has to validate the expression first.
That validation happens at the expression level.
Both branches must resolve to a compatible result type.
If Terraform can validate the expression without touching the invalid reference, the plan succeeds.
If it cannot, the plan fails before branch selection can protect you.
So the failure is not about execution.
It is about whether Terraform can safely validate the expression structure.
This is the first boundary.
There is a second, separate boundary.
What happens when Terraform does need to evaluate a missing value?
That is where try() comes in.
try() does not change how conditionals work.try() handles evaluation errors when a value is actually accessed.
It catches the failure and returns a fallback instead of stopping the plan.
So you have two distinct behaviors:
- conditional expressions control which value is selected
try()controls what happens when evaluation fails
Confusing these leads to incorrect fixes.
You might try to “protect” a conditional with try(),
when the real issue is type validation.
Or you might expect a conditional to prevent a failure,
when Terraform still needs to validate the expression first.