How to show sensitive values

I realized since this discussion that it’s not so much seeing sensitive values, it’s seeing the proposed changes in a sensitive value that has non-sensitive info that is missing.

The whole point of a plan is to show what will change if the plan is applied. Indeed you don’t usually care what the new value of a sensitive value is, EXCEPT if that value is a mixture of sensitive and non-sensitive info. If a blob was generated from a template (whether it is json, yaml, plain text, csv, etc), and at least one of the variables used to render the template is sensitive, then it makes sense for the blob as a whole to be sensitive.

HOWEVER, that blob should have two representations: one that is for terraform, and one for humans. The human one would just replace the sensitive fields with e.g. **********, and mark that representation non-sensitive; the tf value would be marked sensitive. Then in a plan, it is feasible to only print the lines that have changed in the human-friendly representation.

Example:

# input.yaml file used as template
value:
  child1: ${nonsensitive_var}
  child2: ${sensitive_var}

# .tf file
resource "xyz_type" "xyz_name" {
  something = templatefile("input.yaml", {
    nonsensitive_var = var.nonsensitive_var
    sensitive_var    = var.sensitive_var
  })
}

Then terraform apply would show this, if the value of var.nonsensitive_var changed since last apply:

  # module.... will be updated in-place
  ~ resource "xyz_type" "xyz_name" {
      ~ something = (sensitive; changed lines:
               value:
             ~   child1: new_value_of_nonsensitive_var
                 child2: (sensitive -- unchanged value redacted)
          )
      ...
    }
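The two-representation idea above can be approximated with today's Terraform by rendering the same template twice: once with the real sensitive input (which Terraform automatically marks sensitive), and once with the sensitive input replaced by a fixed mask, which is not sensitive and therefore diffs normally in the plan. The configuration below is an added example, not code from the post or from Terraform itself; `xyz_type`, `xyz_name` and `input.yaml` are the post's placeholders, and the variable and local names are assumed.

```hcl
# Added example (not from the post): render one template twice so the
# resource receives the real value while the plan shows a redacted copy.
# "xyz_type"/"xyz_name" and input.yaml are the post's placeholders.

variable "nonsensitive_var" {
  type = string
}

variable "sensitive_var" {
  type      = string
  sensitive = true
}

locals {
  # Real rendering: Terraform marks this sensitive because var.sensitive_var is.
  something_real = templatefile("${path.module}/input.yaml", {
    nonsensitive_var = var.nonsensitive_var
    sensitive_var    = var.sensitive_var
  })

  # Human rendering: same template, sensitive input replaced by a fixed mask.
  # No sensitive value flows in, so the result is not sensitive and diffs normally.
  something_redacted = templatefile("${path.module}/input.yaml", {
    nonsensitive_var = var.nonsensitive_var
    sensitive_var    = "**********"
  })
}

resource "xyz_type" "xyz_name" {
  # Only the real rendering reaches the provider; the masked copy must never be
  # wired in here, or the literal mask would be deployed.
  something = local.something_real
}

# A change to var.nonsensitive_var appears here as a per-line diff of the
# rendered text, while the resource attribute above still shows
# "(sensitive value)".
output "something_redacted" {
  value = local.something_redacted
}
```

Two caveats follow from the design: the redacted output only reflects changes to non-sensitive inputs, so a change to `var.sensitive_var` alone leaves it unchanged (which is the intended behaviour, but means the resource update then gives no readable hint); and the mask must be a value that can never be confused with real data in the target format, since it is rendered through the same template.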