diff --git a/terraform/context_apply_test.go b/terraform/context_apply_test.go
index 7cbd8ddc0..a29ba8730 100644
--- a/terraform/context_apply_test.go
+++ b/terraform/context_apply_test.go
@@ -12363,3 +12363,50 @@ resource "test_instance" "a" {
 		}
 	}
 }
+
+func TestContext2Apply_dataSensitive(t *testing.T) {
+	m := testModule(t, "apply-data-sensitive")
+	p := testProvider("null")
+	p.ApplyResourceChangeFn = testApplyFn
+	p.PlanResourceChangeFn = testDiffFn
+	p.ReadDataSourceFn = func(req providers.ReadDataSourceRequest) providers.ReadDataSourceResponse {
+		// add the required id
+		m := req.Config.AsValueMap()
+		m["id"] = cty.StringVal("foo")
+
+		return providers.ReadDataSourceResponse{
+			State: cty.ObjectVal(m),
+		}
+	}
+
+	ctx := testContext2(t, &ContextOpts{
+		Config: m,
+		Providers: map[addrs.Provider]providers.Factory{
+			addrs.NewDefaultProvider("null"): testProviderFuncFixed(p),
+		},
+	})
+
+	if p, diags := ctx.Plan(); diags.HasErrors() {
+		t.Fatalf("diags: %s", diags.Err())
+	} else {
+		t.Logf(legacyDiffComparisonString(p.Changes))
+	}
+
+	state, diags := ctx.Apply()
+	assertNoErrors(t, diags)
+
+	addr := mustResourceInstanceAddr("data.null_data_source.testing")
+
+	dataSourceState := state.ResourceInstance(addr)
+	pvms := dataSourceState.Current.AttrSensitivePaths
+	if len(pvms) != 1 {
+		t.Fatalf("expected 1 sensitive path, got %d", len(pvms))
+	}
+	pvm := pvms[0]
+	if gotPath, wantPath := pvm.Path, cty.GetAttrPath("foo"); !gotPath.Equals(wantPath) {
+		t.Errorf("wrong path\n got: %#v\nwant: %#v", gotPath, wantPath)
+	}
+	if gotMarks, wantMarks := pvm.Marks, cty.NewValueMarks("sensitive"); !gotMarks.Equal(wantMarks) {
+		t.Errorf("wrong marks\n got: %#v\nwant: %#v", gotMarks, wantMarks)
+	}
+}
diff --git a/terraform/node_resource_abstract_instance.go b/terraform/node_resource_abstract_instance.go
index 18846047a..224c18d51 100644
--- a/terraform/node_resource_abstract_instance.go
+++ b/terraform/node_resource_abstract_instance.go
@@ -1194,6 +1194,10 @@ func (n *NodeAbstractResourceInstance) readDataSource(ctx EvalContext, configVal
 		return newVal, diags
 	}
 
+	// Unmark before sending to provider, will re-mark before returning
+	var pvm []cty.PathValueMarks
+	configVal, pvm = configVal.UnmarkDeepWithPaths()
+
 	log.Printf("[TRACE] readDataSource: Re-validating config for %s", n.Addr)
 	validateResp := provider.ValidateDataSourceConfig(
 		providers.ValidateDataSourceConfigRequest{
@@ -1269,6 +1273,10 @@ func (n *NodeAbstractResourceInstance) readDataSource(ctx EvalContext, configVal
 		newVal = cty.UnknownAsNull(newVal)
 	}
 
+	if len(pvm) > 0 {
+		newVal = newVal.MarkWithPaths(pvm)
+	}
+
 	return newVal, diags
 }
 
diff --git a/terraform/testdata/apply-data-sensitive/main.tf b/terraform/testdata/apply-data-sensitive/main.tf
new file mode 100644
index 000000000..c248a7c33
--- /dev/null
+++ b/terraform/testdata/apply-data-sensitive/main.tf
@@ -0,0 +1,8 @@
+variable "foo" {
+  sensitive = true
+  default = "foo"
+}
+
+data "null_data_source" "testing" {
+  foo = var.foo
+}