Implement module merge for sensitive config

Implements merging behavior for when sensitive
is set on a variable and adds testing accordingly

configs/module_merge.go

@@ -42,6 +42,10 @@ func (v *Variable) merge(ov *Variable) hcl.Diagnostics {
 		v.Description = ov.Description
 		v.DescriptionSet = ov.DescriptionSet
 	}
+	if ov.SensitiveSet {
+		v.Sensitive = ov.Sensitive
+		v.SensitiveSet = ov.SensitiveSet
+	}
 	if ov.Default != cty.NilVal {
 		v.Default = ov.Default
 	}

configs/module_merge_test.go

@@ -1,6 +1,7 @@
 package configs
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/hashicorp/hcl/v2"
@@ -227,6 +228,64 @@ func TestModuleOverrideDynamic(t *testing.T) {
 	})
 }
 
+func TestModuleOverrideSensitiveVariable(t *testing.T) {
+	type testCase struct {
+		sensitive    bool
+		sensitiveSet bool
+	}
+	cases := map[string]testCase{
+		"false_true": {
+			sensitive:    true,
+			sensitiveSet: true,
+		},
+		"true_false": {
+			sensitive:    false,
+			sensitiveSet: true,
+		},
+		"false_false_true": {
+			sensitive:    true,
+			sensitiveSet: true,
+		},
+		"true_true_false": {
+			sensitive:    false,
+			sensitiveSet: true,
+		},
+		"false_true_false": {
+			sensitive:    false,
+			sensitiveSet: true,
+		},
+		"true_false_true": {
+			sensitive:    true,
+			sensitiveSet: true,
+		},
+	}
+
+	// TODO: When variable sensitivity is no longer experimental,
+	// move this test folder to "valid-modules" (it currently has a warning)
+	// and activate the diags assertion
+	mod, _ := testModuleFromDir("testdata/warning-modules/override-variable")
+
+	// assertNoDiagnostics(t, diags)
+
+	if mod == nil {
+		t.Fatalf("module is nil")
+	}
+
+	got := mod.Variables
+
+	for v, want := range cases {
+		t.Run(fmt.Sprintf("variable %s", v), func(t *testing.T) {
+			if got[v].Sensitive != want.sensitive {
+				t.Errorf("wrong result for sensitive\ngot: %t want: %t", got[v].Sensitive, want.sensitive)
+			}
+
+			if got[v].SensitiveSet != want.sensitiveSet {
+				t.Errorf("wrong result for sensitive set\ngot: %t want: %t", got[v].Sensitive, want.sensitive)
+			}
+		})
+	}
+}
+
 func TestModuleOverrideResourceFQNs(t *testing.T) {
 	mod, diags := testModuleFromDir("testdata/valid-modules/override-resource-provider")
 	assertNoDiagnostics(t, diags)

configs/named_values.go

@@ -28,6 +28,7 @@ type Variable struct {
 	Sensitive   bool
 
 	DescriptionSet bool
+	SensitiveSet   bool
 
 	DeclRange hcl.Range
 }
@@ -98,6 +99,7 @@ func decodeVariableBlock(block *hcl.Block, override bool) (*Variable, hcl.Diagno
 	if attr, exists := content.Attributes["sensitive"]; exists {
 		valDiags := gohcl.DecodeExpression(attr.Expr, nil, &v.Sensitive)
 		diags = append(diags, valDiags...)
+		v.SensitiveSet = true
 	}
 
 	if attr, exists := content.Attributes["default"]; exists {

configs/testdata/warning-modules/override-variable/a_override.tf

@@ -0,0 +1,23 @@
+variable "false_true" {
+  sensitive = true
+}
+
+variable "true_false" {
+  sensitive = false
+}
+
+variable "false_false_true" {
+  sensitive = false
+}
+
+variable "true_true_false" {
+  sensitive = true
+}
+
+variable "false_true_false" {
+  sensitive = true
+}
+
+variable "true_false_true" {
+  sensitive = false
+}

configs/testdata/warning-modules/override-variable/b_override.tf

@@ -0,0 +1,21 @@
+variable "false_true" {
+}
+
+variable "true_false" {
+}
+
+variable "false_false_true" {
+  sensitive = true
+}
+
+variable "true_true_false" {
+  sensitive = false
+}
+
+variable "false_true_false" {
+  sensitive = false
+}
+
+variable "true_false_true" {
+  sensitive = true
+}

configs/testdata/warning-modules/override-variable/primary.tf

@@ -0,0 +1,27 @@
+terraform {
+  experiments = [sensitive_variables]
+}
+
+variable "false_true" {
+  sensitive = false
+}
+
+variable "true_false" {
+  sensitive = true
+}
+
+variable "false_false_true" {
+  sensitive = false
+}
+
+variable "true_true_false" {
+  sensitive = true
+}
+
+variable "false_true_false" {
+  sensitive = false
+}
+
+variable "true_false_true" {
+  sensitive = true
+}