jsonplan and jsonstate: include sensitive_values in state representations

[mildwonkey]

A sensitive_values field has been added to the resource in state and planned values which is a map of all sensitive attributes with the values set to true. To achieve this, I stole and exported the sensitiveAsBool function that was in jsonplan (it had to be moved to jsonstate to avoid import cycles).

It wasn't entirely clear to me if the values in state would suffice, or if we also need to consult the schema - I believe that this is sufficient for state files written since v0.15, and if that's incorrect or insufficient, I'll add in the provider schema step as well.

I also updated the documentation, and, since we've considered this before, bumped the FormatVersions for both jsonstate and jsonplan.

[mwhooker]

did you read my mind?

[alisdair]

By using a map[string]bool here I think we reduce the granularity of sensitivity when compared to the precise level used in change representation (which uses a json.RawMessage for BeforeSensitive/AfterSensitive). This means that for the following config:

resource "null_resource" "none" {
  triggers = {
    boop = "beep"
    flap = sensitive("honk")
  }
}

the sensitive_values output would be {"triggers":true} rather than {"triggers":{"flap":true}}. As a result, a state renderer would have to hide the entire triggers attribute, rather than just the one sensitive member.

This is compatible with the JSON plan sensitivity output, just more coarse. Is that necessary or could we consider keeping the full sensitivity information?

[mildwonkey]

🤔 you're absolutely correct, that ain't right, I shall fix that.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.