Only show external changes which contributed to the plan

[jbardin]

This is a continuation of the Contributing Resources Prototype in #28944.

Using the same mechanisms for static analysis of the configuration, we take a different approach to the displaying of contributing changes in the plan, with the end goal being to display as little extraneous information as possible to the user. The assumption made here is that extra refresh information, i.e "false positives", are a larger impediment to user's understanding of the plan than possibly hidden refresh information, which in most cases can be still inferred from the changes in the plan output. Taking this premise, we record only the specific attribute addresses that contributed to the plan, and filter the output down to those specific references.

Previously we would also show all external attribute changes for any resource instance with planned changes, because there is no way to infer any relationships between attributes made by the provider. While this may be the case technically, in practice the fact that the updated value will be shown in the diff is usually enough to deduce what is causing the inconsistency. In all cases a full refresh plan can be still run to see the drift report in its entirety.

The process of filtering these diffs is a bit of a hack, but I didn't want to risk any change to the diff rendering in this PR. What we do here is to create a fake after value for the change during rendering, starting with the before value, and only adding in the changes from the real after value which were marked as relevant. This lets us use the same diff renderer, but shows a reduced set of changes in the normal plan output.

As an example of the reduced output, take this configuration

resource "simple_resource" "ok" {
  for_each = { a = "1", b = "2" }
}

resource "simple_resource" "two" {
  value    = simple_resource.ok["a"].id
}

resource "simple_resource" "three" {
  for_each = simple_resource.ok
}

These fake resources will update their id attribute on every read, but only simple_resource.two makes use of this attribute in its configuration. Even though all resources will show external changes in a refresh-only plan, a normal plan will output:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform
apply" which may have affected this plan:

  # simple_resource.ok["a"] has changed
  ~ resource "simple_resource" "ok" {
      ~ id = "2022-02-07 15:05:56.954005" -> "2022-02-07 15:05:59.009979"
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes
using ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions
are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # simple_resource.two will be updated in-place
  ~ resource "simple_resource" "two" {
        id    = "2022-02-07 15:05:59.010821"
      ~ value = "2022-02-07 15:05:56.954005" -> "2022-02-07 15:05:59.009979"
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Additionally we also add the resource instances and individual attributes which may have contributed to the planned changes to the json format of the plan in a relevant_attributes field. We use the already existing path encoding for individual attributes as defined for replace_paths.

This PR also does not address any ignore_changes alike feature for external changes rather than configuration changes. A goal here is to take the fact that the configuration already contains most of the information needed to determine if a particular value is used or not. The new analysis aims to take that existing context and automatically apply it to the external changes report, negating the need for an "unused attributes" feature. We can evaluate if that feature, or any additional flags are still needed in the future.

[hashicorp-cla]

All committers have signed the CLA.

[github-actions]

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.