diff --git a/plans/objchange/compatible.go b/plans/objchange/compatible.go
index 181a044f6..5536ad41c 100644
--- a/plans/objchange/compatible.go
+++ b/plans/objchange/compatible.go
@@ -73,8 +73,9 @@ func assertObjectCompatible(schema *configschema.Block, planned, actual cty.Valu
 		}
 	}
 	for name, blockS := range schema.BlockTypes {
-		plannedV := planned.GetAttr(name)
-		actualV := actual.GetAttr(name)
+		// Unmark values before testing compatibility
+		plannedV, _ := planned.GetAttr(name).UnmarkDeep()
+		actualV, _ := actual.GetAttr(name).UnmarkDeep()
 
 		// As a special case, if there were any blocks whose leaf attributes
 		// are all unknown then we assume (possibly incorrectly) that the
diff --git a/terraform/context_apply_test.go b/terraform/context_apply_test.go
index 4596ae09d..e45a20c26 100644
--- a/terraform/context_apply_test.go
+++ b/terraform/context_apply_test.go
@@ -11939,8 +11939,17 @@ variable "sensitive_var" {
 	sensitive = true
 }
 
+variable "sensitive_id" {
+	default = "secret id"
+	sensitive = true
+}
+
 resource "test_resource" "foo" {
 	value   = var.sensitive_var
+
+	network_interface {
+		network_interface_id = var.sensitive_id
+	}
 }`,
 	})
 
@@ -11982,7 +11991,7 @@ resource "test_resource" "foo" {
 		t.Fatalf("apply errors: %s", diags.Err())
 	}
 
-	// Now change the variable value
+	// Now change the variable value for sensitive_var
 	ctx = testContext2(t, &ContextOpts{
 		Config: m,
 		Providers: map[addrs.Provider]providers.Factory{
diff --git a/terraform/context_test.go b/terraform/context_test.go
index a07e275e2..c0e33d7fd 100644
--- a/terraform/context_test.go
+++ b/terraform/context_test.go
@@ -636,6 +636,17 @@ func testProviderSchema(name string) *ProviderSchema {
 						Optional: true,
 					},
 				},
+				BlockTypes: map[string]*configschema.NestedBlock{
+					"network_interface": {
+						Block: configschema.Block{
+							Attributes: map[string]*configschema.Attribute{
+								"network_interface_id": {Type: cty.String, Optional: true},
+								"device_index":         {Type: cty.Number, Optional: true},
+							},
+						},
+						Nesting: configschema.NestingSet,
+					},
+				},
 			},
 			name + "_ami_list": {
 				Attributes: map[string]*configschema.Attribute{