In a resource of type aws_ecs_task_definition my plan has an line that looks like this:
~ container_definitions = (sensitive) # forces replacement
Now in principle this could be doing anything - deleting all my containers, spinning up bitcoin mining containers, etc.
Is there any way I can look at the data, both the old and the new?
When your configuration or a provider marks an attribute as sensitive, Terraform will always hide that value in any output that's intended for human consumption.
The real values are available in machine-readable output though. This is primarily with the aim of integrating with external software, but if you need to then you can also inspect the machine-readable output directly yourself.
You can get a machine-readable (JSON) rendering of a plan like this:
terraform plan -out=tfplan
terraform show -json tfplan
If you intend to read it directly in the terminal then it can help to pipe it into jq, if you have that utility installed:
terraform show -json tfplan | jq
