Puppet Sensitive datatype wrapped in a hash

sensitive_test_unwrap.pp

class test(Hash $config){

  file{'/tmp/test123.txt':
   ensure => file,
   content => Sensitive($config.to_yaml),
  }
}
$jwt_token = Sensitive.new('doublesecret')
$config = {
  general => {
    loglevel => 'INFO'
  },
  jwt_token => {
    secret   => $jwt_token.unwrap,
    validity => '7200',
  }
}
class{'test': config => $config }

Notice on line 14 I use the unwrap function, which turns the jwt_token into clear text.

This results in

[root@pe-xl-core-0 /]# puppet apply test2.pp
Notice: Compiled catalog for pe-xl-core-0.puppet.vm in environment production in 0.02 seconds
Notice: /Stage[main]/Test/File[/tmp/test123.txt]/ensure: changed [redacted] to [redacted]
Notice: Applied catalog in 0.21 seconds
[root@pe-xl-core-0 /]# cat /tmp/test123.txt
---
general:
  loglevel: INFO
jwt_token:
  secret: doublesecret
  validity: '7200'

If I don't use unwrap() function the file displays the raw ruby object which is to be expected base we are wrapping the Sensitive as a Sensitive.

---
general:
  loglevel: INFO
jwt_token:
  secret: !ruby/object:Puppet::Pops::Types::PSensitiveType::Sensitive
    value: doublesecret
  validity: '7200'