Mark ldap3 password attribute as sensitive #54

Open
wants to merge 2 commits into
base: master

Conversation

bdeferme

Should fix #53

@wandenberg
Owner

@bdeferme which version of puppet are you using?
Is it working on this version?
At least on the resource_api used by default on Puppet 6, the sensitive is unavailable.
I have not used the sensitive in any of the password properties because of this, since I cannot control the version of the gem from the module dependencies :(

@bdeferme
Author

@wandenberg My bad, apparently the way I tried to do it only works for Provider Transports.
I created a new commit which seems to be working for setting the password. However, there are still quite a few issues:

Warning: Provider returned data that does not match the Type Schema for `nexus3_ldap[ldap-ad.onprvp.fgov.be]`
Value type mismatch:
    * password: foofoo (expects a Sensitive[String] value, got String)
Notice: /Stage[main]/Profile::Nexus/Nexus3_ldap[ldap-ad.onprvp.fgov.be]/password: password changed 'foofoo' to Sensitive [value redacted] (corrective)

I guess this is because the provider returns a non-sensitive string via the read_config template? (I'm quite new to the Provider API)

Furthermore a subsequent run returns:

Error: Transaction store file /opt/puppetlabs/puppet/cache/state/transactionstore.yaml is corrupt ((/opt/puppetlabs/puppet/cache/state/transactionstore.yaml): Tried to load unspecified class: Puppet::Pops::Types::PSensitiveType::Sensitive); replacing
Wrapped exception:
Tried to load unspecified class: Puppet::Pops::Types::PSensitiveType::Sensitive

Which makes me think Sensitive is indeed not yet supported for Resource API on Puppet 6.

Feel free to close this PR while we wait for Sensitive support in the resource API.

Do you have any ideas on the possibility of suppressing the output when the password is changed?
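
Added example, not part of this PR or of the module's code: a plain-Ruby sketch of the two symptoms quoted above. `RedactedValue`, `show`, `change_message` and `safe_round_trip_error` are hypothetical stand-ins (assumptions, not Puppet or Resource API classes); the only real API used is Ruby's `YAML.dump` / `YAML.safe_load`, whose restricted loader produces the "Tried to load unspecified class" message.

```ruby
require 'yaml'

# Hypothetical stand-in for a Sensitive wrapper (NOT Puppet's class).
class RedactedValue
  def initialize(value)
    @value = value
  end

  # Explicit accessor: the only intended way to read the secret.
  def unwrap
    @value
  end

  # String conversion never exposes the wrapped value.
  def to_s
    'Sensitive [value redacted]'
  end
  alias inspect to_s
end

# Render a property value the way a change notice would (simplified model).
def show(value)
  value.is_a?(RedactedValue) ? value.to_s : "'#{value}'"
end

# Simplified change notice, modelled on the Notice line in the thread.
def change_message(name, current, desired)
  "#{name} changed #{show(current)} to #{show(desired)}"
end

# Dump an object to YAML, then reload it with the restricted loader.
# Returns nil on success, or the loader's error message on refusal.
def safe_round_trip_error(obj)
  YAML.safe_load(YAML.dump(obj))
  nil
rescue Psych::DisallowedClass => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  desired = RedactedValue.new('barbar') # constructed sample secrets
  # Current value read back as a plain String: the old secret is printed.
  puts change_message('password', 'foofoo', desired)
  # Current value wrapped as well: both sides are redacted.
  puts change_message('password', RedactedValue.new('foofoo'), desired)
  # The restricted loader refuses the custom class on the next read.
  puts safe_round_trip_error(desired)
  # Generic YAML dumping writes the wrapped secret in cleartext.
  puts YAML.dump(desired)
end
```

The last line of output shows a separate risk in this sketch: redaction in `to_s` does not protect a wrapper that is serialized with a generic YAML dump, so state written to disk needs the value removed or replaced before dumping.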


Successfully merging this pull request may close these issues.

ldap pass leaked when it changes
2 participants