validation: don't strip marks from variables during validation

[liamcervante]

There is custom logic for variable validations, explained in the surrounding comment. This was actually also stripping away sensitive and ephemeral metadata (or more accurately, just not adding it). This metadata is added by the usual approach of generating the HCL context. This meant errors during variable validation would expose sensitive values.

This PR updates the custom logic so that it only generates the value itself during the validate walk (which is the only time the custom logic is actually needed). For the validate walk, all variables are unknown anyway so the metadata doesn't matter.

Now, during other walks (eg. plan and apply) the real data is used, that does have the sensitive metadata attached. This means the sensitive metadata is no longer being exposed.

Target Release

1.13.2

Rollback Plan

• If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

• This change is user-facing and I added a changelog entry.
• This change is not user-facing.

[mildwonkey]

LGTM, I tested this out locally and confirmed. Can you add a regression test for this please? A followup PR is fine no need to block the fix.

[liamcervante]

A followup PR is fine no need to block the fix.

I just added it in this one, no rush to merge this as we released yesterday anyway.

[mildwonkey]

thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.