apply: include sensitive metadata when comparing changed input values

[liamcervante]

This PR updates the output for when input values have erroneously changed between plan and apply so that sensitive input values are hidden in the error message.

This approach just rechecks the actual configuration for sensitive values, and applies those marks to the rendered outputs. Interestingly, the plan itself does not contain the information from the configuration, even those it does have room for the marks to be added. This comment suggests that this is deliberate, so I didn't change that behaviour.

Another approach would be to change that behaviour and add the marks from the config during the plan stage, and then just apply the marks from the plan instead of rechecking the config. I was worried about unintended side effects etc, so I went with just rechecking the config but am happy to go and make the more complete change if anyone feels strongly about it.

Fixes #37563

Target Release

1.13.2

Rollback Plan

• If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

• This change is user-facing and I added a changelog entry.
• This change is not user-facing.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.