Passwords shown in puppet agent/apply --test output

When running puppet with --test, passwords are shown in the diff output:

Notice: /Stage[main]/Foreman::Database::Postgresql/Postgresql::Server::Db[foreman]/Postgresql::Server::Role[foreman]/Postgresql_psql[ALTER ROLE foreman ENCRYPTED PASSWORD ****]/command: command changed 'notrun' to 'ALTER ROLE "foreman" ENCRYPTED PASSWORD '$NEWPGPASSWD''
Notice: /Stage[main]/Foreman::Config/File[/etc/foreman/database.yml]/content:
--- /etc/foreman/database.yml   2016-09-22 15:17:30.849893994 +0200
+++ /tmp/puppet-file20160922-2739-1bwkd1t       2016-09-22 15:31:04.026653398 +0200
@@ -24,5 +24,5 @@
   port: 5432
   database: foreman
   username: foreman
-  password: "foo"
+  password: "foobar"
   pool: 5

The file resources should be declared with { show_diff => false }.

Originally noticed by @elconas

[mmoll]

note: https://tickets.puppetlabs.com/browse/PUP-6627

Of course, I'd be happy for someone to implement proper use of Sensitive in this module, as well :-)

[mmoll]

someone[tm] ;)