Hi @schollii,
The intended way to reveal the sensitive values when you’re at a terminal is to run a command like terraform output -json, or any other variant that produces machine-readable output. It sounds like you’ve been using that already.
I think the situation you’ve described here is that you see Terraform proposing a change in the plan output but you can’t see what exactly is being proposed, because you’ve used a sensitive value as part of it.
While I would be the first to accept that it’s not a super convenient answer, I think the current answer is the same for plans as it is for output values: use one of the machine-readable output mechanisms to inspect the value. In the case of plan output, you can get there like this:
terraform plan -out=tfplan
terraform show -json tfplan
# then, if you decide that the planned change is acceptable
terraform apply tfplan
This sort of workflow is of course only reasonable for rare situations, because it’s inconvenient. If you’ll be doing this routinely (e.g. in automation) then I might consider a design that includes an additional output value where you’ve somehow masked out the sensitive parts of the big JSON string and then passed the result through nonsensitive to assure Terraform that you’ve removed all of the sensitive parts. Then that slightly-transformed version should be visible in the “changes to outputs” section of the plan so humans can inspect the shape of the data structure without also disclosing the sensitive portion(s).
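An added example, not part of the original reply: a reviewer-side take on the same masking idea, applied to the output of terraform show -json tfplan rather than inside the Terraform configuration. It decodes a JSON-string output from the plan's output_changes and lists which leaves changed while masking secret ones. The key names in SECRET_KEYS, the output name app_config and the sample plan are assumptions constructed for illustration.

```python
import json

SECRET_KEYS = {"password", "api_token"}  # assumption: keys that hold secrets
MASK = "(sensitive)"

def flatten(value, path="", secret=False):
    """Yield (path, (leaf, is_secret)) for every leaf of a decoded JSON value."""
    if isinstance(value, dict) and value:
        for key in sorted(value):
            child = f"{path}.{key}" if path else key
            yield from flatten(value[key], child, secret or key in SECRET_KEYS)
    elif isinstance(value, list) and value:
        for index, item in enumerate(value):
            yield from flatten(item, f"{path}[{index}]", secret)
    else:
        yield path, (value, secret)

def decode(raw):
    """Decode one side of an output change; fail closed if it is not JSON."""
    if raw is None:  # the output is being created or removed
        return {}
    try:
        return dict(flatten(json.loads(raw) if isinstance(raw, str) else raw))
    except ValueError:
        return {"": (raw, True)}  # unparseable string: mask it entirely

def show(leaf):
    """Render a leaf for humans without ever printing a secret value."""
    if leaf is None:
        return "(absent)"
    return MASK if leaf[1] else json.dumps(leaf[0])

def masked_output_changes(plan):
    """Map each changed output to lines describing changed leaves, secrets masked."""
    report = {}
    for name, change in plan.get("output_changes", {}).items():
        before, after = decode(change.get("before")), decode(change.get("after"))
        lines = [f"{path}: {show(before.get(path))} -> {show(after.get(path))}"
                 for path in sorted(before.keys() | after.keys())
                 if before.get(path) != after.get(path)]
        if lines:
            report[name] = lines
    return report

# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = {"output_changes": {"app_config": {
    "actions": ["update"], "before_sensitive": True, "after_sensitive": True,
    "before": json.dumps({"db": {"host": "db1.internal", "password": "old-secret"}, "replicas": 2}),
    "after": json.dumps({"db": {"host": "db2.internal", "password": "new-secret"},
                         "replicas": 2, "tags": ["blue"]}),
}}}
```

A changed secret still appears as "(sensitive) -> (sensitive)", so the report shows that it changed but not what it changed to.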