diff --git a/terraform/context_apply_test.go b/terraform/context_apply_test.go
index 73614c59b..8e0a069df 100644
--- a/terraform/context_apply_test.go
+++ b/terraform/context_apply_test.go
@@ -11856,7 +11856,14 @@ variable "sensitive_map" {
 resource "test_resource" "foo" {
 value = var.sensitive_map.x
-}`,
+ sensitive_value = "should get marked"
+}
+
+resource "test_resource" "bar" {
+ value = test_resource.foo.sensitive_value
+ random = test_resource.foo.id # not sensitive
+}
+`,
 })
 p := testProvider("test")
@@ -11893,6 +11900,12 @@ resource "test_resource" "foo" {
 fooChangeSrc := plan.Changes.ResourceInstance(addr)
 verifySensitiveValue(fooChangeSrc.AfterValMarks)
+ barAddr := mustResourceInstanceAddr("test_resource.bar")
+ barChangeSrc := plan.Changes.ResourceInstance(barAddr)
+ if len(barChangeSrc.AfterValMarks) != 1 {
+ t.Fatalf("there should only be 1 marked path for bar, there are %v", len(barChangeSrc.AfterValMarks))
+ }
+
 state, diags := ctx.Apply()
 if diags.HasErrors() {
 t.Fatalf("apply errors: %s", diags.Err())
diff --git a/terraform/context_test.go b/terraform/context_test.go
index dea83a790..b223c2a1e 100644
--- a/terraform/context_test.go
+++ b/terraform/context_test.go
@@ -425,6 +425,11 @@ func testProviderSchema(name string) *ProviderSchema {
 Type: cty.String,
 Optional: true,
 },
+ "sensitive_value": {
+ Type: cty.String,
+ Sensitive: true,
+ Optional: true,
+ },
 "random": {
 Type: cty.String,
 Optional: true,
diff --git a/terraform/evaluate.go b/terraform/evaluate.go
index 9d3e565b4..950ee9fbc 100644
--- a/terraform/evaluate.go
+++ b/terraform/evaluate.go
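Review bot: The new assertion on `barChangeSrc.AfterValMarks` in the second context_apply_test.go hunk checks only the count, so a regression that marks `random` instead of `value` would still pass; it should also pin the marked path, e.g. `barChangeSrc.AfterValMarks[0].Path.Equals(cty.GetAttrPath("value"))`. `plan.Changes.ResourceInstance(barAddr)` presumably returns nil when no change was planned for bar, in which case the `len(...)` line panics instead of failing with a message; a guard such as `if barChangeSrc == nil { t.Fatal("no planned change for test_resource.bar") }` keeps the failure readable. The enclosing test function starts and ends outside the hunk.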
@@ -727,7 +727,7 @@ func (d *evaluationStateData) GetResource(addr addrs.Resource, rng tfdiags.Sourc
 }
 // Planned resources are temporarily stored in state with empty values,
- // and need to be replaced bu the planned value here.
+ // and need to be replaced by the planned value here.
 if is.Current.Status == states.ObjectPlanned {
 if change == nil {
 // If the object is in planned status then we should not get
@@ -752,6 +752,10 @@ func (d *evaluationStateData) GetResource(addr addrs.Resource, rng tfdiags.Sourc
 continue
 }
+ // If our schema contains sensitive values, mark those as sensitive
+ if schema.ContainsSensitive() {
+ val = markProviderSensitiveAttributes(schema, val, nil)
+ }
 instances[key] = val
 continue
 }
@@ -768,7 +772,13 @@ func (d *evaluationStateData) GetResource(addr addrs.Resource, rng tfdiags.Sourc
 })
 continue
 }
- instances[key] = ios.Value
+
+ val := ios.Value
+ // If our schema contains sensitive values, mark those as sensitive
+ if schema.ContainsSensitive() {
+ val = markProviderSensitiveAttributes(schema, val, nil)
+ }
+ instances[key] = val
 }
 var ret cty.Value
@@ -935,3 +945,19 @@ func moduleDisplayAddr(addr addrs.ModuleInstance) string {
 return addr.String()
 }
 }
+
+// markProviderSensitiveAttributes returns an updated value
+// where attributes that are Sensitive are marked
+func markProviderSensitiveAttributes(schema *configschema.Block, val cty.Value, path cty.Path) cty.Value {
+ var pvm []cty.PathValueMarks
+ for name, attrS := range schema.Attributes {
+ if attrS.Sensitive {
+ path := append(path, cty.GetAttrStep{Name: name})
+ pvm = append(pvm, cty.PathValueMarks{
+ Path: path,
+ Marks: cty.NewValueMarks("sensitive"),
+ })
+ }
+ }
+ return val.MarkWithPaths(pvm)
+}
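Review bot: `markProviderSensitiveAttributes` in the last evaluate.go hunk walks only `schema.Attributes`, so a sensitive attribute declared inside a nested block is returned unmarked even though both new call sites in `GetResource` gate on `schema.ContainsSensitive()`; if that method also reports nested blocks (its body is not shown), those values reach expressions and plan output without the mark. Either recurse over `schema.BlockTypes` with the extended path, or state the limit in the doc comment, e.g. `// Only top-level attributes are marked; nested blocks are not traversed.` Separately, `path := append(path, ...)` shadows the parameter, and once a caller passes a non-nil path with spare capacity the stored `Path` values can share one backing array; `attrPath := append(path.Copy(), cty.GetAttrStep{Name: name})` avoids both. Today both callers pass `nil`, so the aliasing is latent rather than live.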