Create experiment for sensitive attribute

configs/experiments.go

@@ -138,6 +138,17 @@ func checkModuleExperiments(m *Module) hcl.Diagnostics {
 			}
 		}
 	*/
-
+	if !m.ActiveExperiments.Has(experiments.SensitiveVariables) {
+		for _, v := range m.Variables {
+			if v.Sensitive {
+				diags = diags.Append(&hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Variable sensitivity is experimental",
+					Detail:   "This feature is currently an opt-in experiment, subject to change in future releases based on feedback.\n\nActivate the feature for this module by adding sensitive_variables to the list of active experiments.",
+					Subject:  v.DeclRange.Ptr(),
+				})
+			}
+		}
+	}
 	return diags
 }

configs/testdata/valid-files/variables.tf

@@ -22,7 +22,3 @@ variable "cheeze_pizza" {
 variable "π" {
   default = 3.14159265359
 }
-
-variable "sensitive-value" {
-  sensitive = true
-}

configs/testdata/warning-files/variables-sensitive.tf

@@ -0,0 +1,7 @@
+terraform {
+  experiments = [sensitive_variables] # WARNING: Experimental feature "sensitive_variables" is active
+}
+
+variable "sensitive-value" {
+  sensitive = true
+}

experiments/experiment.go

@@ -14,12 +14,14 @@ type Experiment string
 // identifier so that it can be specified in configuration.
 const (
 	VariableValidation = Experiment("variable_validation")
+	SensitiveVariables = Experiment("sensitive_variables")
 )
 
 func init() {
 	// Each experiment constant defined above must be registered here as either
 	// a current or a concluded experiment.
 	registerConcludedExperiment(VariableValidation, "Custom variable validation can now be used by default, without enabling an experiment.")
+	registerCurrentExperiment(SensitiveVariables)
 }
 
 // GetCurrent takes an experiment name and returns the experiment value