Merge pull request #31813 from hashicorp/uk1288-redact-output-sensiti…

…ve-values

omit sensitive output values in logs from terraform apply json command

internal/command/views/apply_test.go

@@ -246,7 +246,6 @@ func TestApplyJSON_outputs(t *testing.T) {
 				},
 				"password": map[string]interface{}{
 					"sensitive": true,
-					"value":     "horse-battery",
 					"type":      "string",
 				},
 			},

internal/command/views/json/output.go

@@ -42,10 +42,15 @@ func OutputsFromMap(outputValues map[string]*states.OutputValue) (Outputs, tfdia
 			return nil, diags
 		}
 
+		var redactedValue json.RawMessage
+		if !ov.Sensitive {
+			redactedValue = json.RawMessage(value)
+		}
+
 		outputs[name] = Output{
 			Sensitive: ov.Sensitive,
 			Type:      json.RawMessage(valueType),
-			Value:     json.RawMessage(value),
+			Value:     redactedValue,
 		}
 	}
 

internal/command/views/json/output_test.go

@@ -52,12 +52,10 @@ func TestOutputsFromMap(t *testing.T) {
 		"beep": {
 			Sensitive: true,
 			Type:      json.RawMessage(`"string"`),
-			Value:     json.RawMessage(`"horse-battery"`),
 		},
 		"blorp": {
 			Sensitive: true,
 			Type:      json.RawMessage(`["object",{"a":["object",{"b":["object",{"c":"string"}]}]}]`),
-			Value:     json.RawMessage(`{"a":{"b":{"c":"oh, hi"}}}`),
 		},
 		"honk": {
 			Sensitive: false,

internal/command/views/json_view.go

@@ -13,7 +13,7 @@ import (
 // This version describes the schema of JSON UI messages. This version must be
 // updated after making any changes to this view, the jsonHook, or any of the
 // command/views/json package.
-const JSON_UI_VERSION = "1.0"
+const JSON_UI_VERSION = "1.1"
 
 func NewJSONView(view *View) *JSONView {
 	log := hclog.New(&hclog.LoggerOptions{

internal/command/views/refresh_test.go

@@ -98,7 +98,6 @@ func TestRefreshJSON_outputs(t *testing.T) {
 				},
 				"password": map[string]interface{}{
 					"sensitive": true,
-					"value":     "horse-battery",
 					"type":      "string",
 				},
 			},