diff --git a/aws/resource_aws_opsworks_application.go b/aws/resource_aws_opsworks_application.go
index d1dad14242f..1e5ba805801 100644
--- a/aws/resource_aws_opsworks_application.go
+++ b/aws/resource_aws_opsworks_application.go
@@ -444,12 +444,16 @@ func resourceAwsOpsworksSetApplicationSource(d *schema.ResourceData, v *opsworks
 		if v.Username != nil {
 			m["username"] = *v.Username
 		}
-		if v.Password != nil {
-			m["password"] = *v.Password
-		}
 		if v.Revision != nil {
 			m["revision"] = *v.Revision
 		}
+
+		// v.Password and v.SshKey will, on read, contain the placeholder string
+		// "*****FILTERED*****", so we ignore it on read and let persist
+		// the value already in the state.
+		m["password"] = d.Get("app_source.0.password").(string)
+		m["ssh_key"] = d.Get("app_source.0.ssh_key").(string)
+
 		nv = append(nv, m)
 	}
 
diff --git a/aws/resource_aws_opsworks_stack.go b/aws/resource_aws_opsworks_stack.go
index afa406828e7..177a4a93453 100644
--- a/aws/resource_aws_opsworks_stack.go
+++ b/aws/resource_aws_opsworks_stack.go
@@ -250,9 +250,13 @@ func resourceAwsOpsworksSetStackCustomCookbooksSource(d *schema.ResourceData, v
 		if v.Revision != nil {
 			m["revision"] = *v.Revision
 		}
-		// v.Password will, on read, contain the placeholder string
+
+		// v.Password and v.SshKey will, on read, contain the placeholder string
 		// "*****FILTERED*****", so we ignore it on read and let persist
 		// the value already in the state.
+		m["password"] = d.Get("custom_cookbooks_source.0.password").(string)
+		m["ssh_key"] = d.Get("custom_cookbooks_source.0.ssh_key").(string)
+
 		nv = append(nv, m)
 	}
 
diff --git a/aws/resource_aws_opsworks_stack_test.go b/aws/resource_aws_opsworks_stack_test.go
index fdcb7e7a54e..4b22e44114a 100644
--- a/aws/resource_aws_opsworks_stack_test.go
+++ b/aws/resource_aws_opsworks_stack_test.go
@@ -147,6 +147,37 @@ func TestAccAWSOpsworksStack_noVpcCreateTags(t *testing.T) {
 	})
 }
 
+/////////////////////////////
+// Tests for Custom Cookbooks
+/////////////////////////////
+
+func TestAccAWSOpsworksStack_CustomCookbooks_SetPrivateProperties(t *testing.T) {
+	stackName := fmt.Sprintf("tf-opsworks-acc-%d", acctest.RandInt())
+	var opsstack opsworks.Stack
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAwsOpsworksStackDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSOpsworksStackConfig_CustomCookbooks_Set(stackName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSOpsworksStackExists("aws_opsworks_stack.tf-acc", true, &opsstack),
+					testAccCheckAWSOpsworksCreateStackAttributesWithCookbooks(&opsstack, "us-west-2a", stackName),
+					resource.TestCheckResourceAttr(
+						"aws_opsworks_stack.tf-acc",
+						"custom_cookbooks_source.0.password",
+						"password"),
+					resource.TestCheckResourceAttr(
+						"aws_opsworks_stack.tf-acc",
+						"custom_cookbooks_source.0.ssh_key",
+						sshKey),
+				),
+			},
+		},
+	})
+}
+
 // Tests the addition of regional endpoints and supporting the classic link used
 // to create Stack's prior to v0.9.0.
 // See https://github.com/hashicorp/terraform/issues/12842
@@ -550,6 +581,61 @@ func testAccCheckAWSOpsworksCreateStackAttributes(
 	}
 }
 
+func testAccCheckAWSOpsworksCreateStackAttributesWithCookbooks(
+	opsstack *opsworks.Stack, zone, stackName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		if *opsstack.Name != stackName {
+			return fmt.Errorf("Unnexpected stackName: %s", *opsstack.Name)
+		}
+
+		if *opsstack.DefaultAvailabilityZone != zone {
+			return fmt.Errorf("Unnexpected DefaultAvailabilityZone: %s", *opsstack.DefaultAvailabilityZone)
+		}
+
+		if *opsstack.DefaultOs != "Amazon Linux 2016.09" {
+			return fmt.Errorf("Unnexpected defaultOs: %s", *opsstack.DefaultOs)
+		}
+
+		if *opsstack.DefaultRootDeviceType != "ebs" {
+			return fmt.Errorf("Unnexpected DefaultRootDeviceType: %s", *opsstack.DefaultRootDeviceType)
+		}
+
+		if *opsstack.CustomJson != `{"key": "value"}` {
+			return fmt.Errorf("Unnexpected CustomJson: %s", *opsstack.CustomJson)
+		}
+
+		if *opsstack.ConfigurationManager.Version != "11.10" {
+			return fmt.Errorf("Unnexpected Version: %s", *opsstack.ConfigurationManager.Version)
+		}
+
+		if *opsstack.UseOpsworksSecurityGroups {
+			return fmt.Errorf("Unnexpected UseOpsworksSecurityGroups: %t", *opsstack.UseOpsworksSecurityGroups)
+		}
+
+		if !*opsstack.UseCustomCookbooks {
+			return fmt.Errorf("Unnexpected UseCustomCookbooks: %t", *opsstack.UseCustomCookbooks)
+		}
+
+		if *opsstack.CustomCookbooksSource.Type != "git" {
+			return fmt.Errorf("Unnexpected *opsstack.CustomCookbooksSource.Type: %s", *opsstack.CustomCookbooksSource.Type)
+		}
+
+		if *opsstack.CustomCookbooksSource.Revision != "master" {
+			return fmt.Errorf("Unnexpected *opsstack.CustomCookbooksSource.Type: %s", *opsstack.CustomCookbooksSource.Revision)
+		}
+
+		if *opsstack.CustomCookbooksSource.Url != "https://github.com/aws/opsworks-example-cookbooks.git" {
+			return fmt.Errorf("Unnexpected *opsstack.CustomCookbooksSource.Type: %s", *opsstack.CustomCookbooksSource.Url)
+		}
+
+		if *opsstack.CustomCookbooksSource.Username != "username" {
+			return fmt.Errorf("Unnexpected *opsstack.CustomCookbooksSource.Type: %s", *opsstack.CustomCookbooksSource.Username)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckAWSOpsworksUpdateStackAttributes(
 	opsstack *opsworks.Stack, zone, stackName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
@@ -1250,3 +1336,151 @@ resource "aws_iam_instance_profile" "opsworks_instance" {
 }
 `, name, name, name, name, name)
 }
+
+/////////////////////////////////////////
+// Helpers for Custom Cookbook properties
+/////////////////////////////////////////
+
+func testAccAWSOpsworksStackConfig_CustomCookbooks_Set(name string) string {
+	return fmt.Sprintf(`
+resource "aws_vpc" "tf-acc" {
+  cidr_block = "10.3.5.0/24"
+
+  tags = {
+    Name = "terraform-testacc-opsworks-stack-vpc-update"
+  }
+}
+
+resource "aws_subnet" "tf-acc" {
+  vpc_id            = "${aws_vpc.tf-acc.id}"
+  cidr_block        = "${aws_vpc.tf-acc.cidr_block}"
+  availability_zone = "us-west-2a"
+
+  tags = {
+    Name = "tf-acc-opsworks-stack-vpc-update"
+  }
+}
+
+resource "aws_opsworks_stack" "tf-acc" {
+  name                          = "%s"
+  region                        = "us-west-2"
+  vpc_id                        = "${aws_vpc.tf-acc.id}"
+  default_subnet_id             = "${aws_subnet.tf-acc.id}"
+  service_role_arn              = "${aws_iam_role.opsworks_service.arn}"
+  default_instance_profile_arn  = "${aws_iam_instance_profile.opsworks_instance.arn}"
+  default_os                    = "Amazon Linux 2016.09"
+  default_root_device_type      = "ebs"
+  custom_json                   = "{\"key\": \"value\"}"
+  configuration_manager_version = "11.10"
+  use_opsworks_security_groups  = false
+  use_custom_cookbooks          = true
+  manage_berkshelf              = true
+
+  custom_cookbooks_source {
+    type     = "git"
+    revision = "master"
+    url      = "https://github.com/aws/opsworks-example-cookbooks.git"
+    username = "username"
+    password = "password"
+    ssh_key  = "%s"
+  }
+}
+
+resource "aws_iam_role" "opsworks_service" {
+  name = "%s_opsworks_service"
+
+  assume_role_policy = <<EOT
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "opsworks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOT
+}
+
+resource "aws_iam_role_policy" "opsworks_service" {
+  name = "%s_opsworks_service"
+  role = "${aws_iam_role.opsworks_service.id}"
+
+  policy = <<EOT
+{
+  "Statement": [
+    {
+      "Action": [
+        "ec2:*",
+        "iam:PassRole",
+        "cloudwatch:GetMetricStatistics",
+        "elasticloadbalancing:*",
+        "rds:*"
+      ],
+      "Effect": "Allow",
+      "Resource": ["*"]
+    }
+  ]
+}
+EOT
+}
+
+resource "aws_iam_role" "opsworks_instance" {
+  name = "%s_opsworks_instance"
+
+  assume_role_policy = <<EOT
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOT
+}
+
+resource "aws_iam_instance_profile" "opsworks_instance" {
+  name  = "%s_opsworks_instance"
+  roles = ["${aws_iam_role.opsworks_instance.name}"]
+}
+`, name, sshKey, name, name, name, name)
+}
+
+// One-off, bogus private key generated for use in testing
+const sshKey = "-----BEGIN RSA PRIVATE KEY-----" +
+	"MIIEpAIBAAKCAQEAv/1hnOZadSDMbJUVJsqweDwc/4TvhTGf0vl9vtNyjzqUUxgU" +
+	"RrSvYrgkvWgAFtQ9J5QDNOPSRvS8F1cu7tR036cecdHPmA+Cxto1qENy8UeYrKzV" +
+	"I55i+vJiSn3i22HW+SbW1raBM+PL3sp9i0BQmCr8eh3i/VdUm92OQHtnjhfLB3GX" +
+	"xnrvytBfI8p2bx9j7mAAjS/X+QncMawPqI9WGuizmuC2cTQHZpZY7j/w+bItoYIV" +
+	"g5qJV3908LNlNZGU6etdEUTWM1VSNxG2Yk6eULeStSA4oSkJSHlwP1/fjab0j1b4" +
+	"HeB/TUFpy3ODrRAhuHxlyFFWMSzePkXLx9d0GwIDAQABAoIBAFlwrj/M5Ik6XWGc" +
+	"Vj07IdjxkETNZlQzmRRNHHKAyRbGoIDRb+i8lhQ0WxFN2PTJrS+5+YBzPevGabWp" +
+	"7PhgS45BqaI2rzJUz4TZ9TNNMMgMpaiT37t3Nv9XWckAOmYff2mU2XMvlKNa1QgW" +
+	"Z0QvExzAsdwl/jAttgHixjluBAEib+G3p0Xt2CZMQYNzE9H2gH/nqkysiZ5fC+ng" +
+	"RnM843jAHtrfz9Q0ATBADMJZgZepnMZyldaOV+s5L8UB893UGhrfGrBwlHd5U5ug" +
+	"Z/p74IvOgDd3/pp/2yuyqE+RWz9sakss196aJ0jUXVXjH3F+QDdqqPx0YIJ7S0eM" +
+	"13T7hGkCgYEA4TqpoPFYIVEug4gQ6SDttSMwrbA5uBM13s1vjNpDBFuHWFMqgSRe" +
+	"xlIAGCGNhoyTr3xr/34filwGMkMdLw8JFISOIbZ18+qgDOsSW0tXwE03vQgKFNB1" +
+	"ClGEfcd/4B/oLwOe/bqnKVBQSnfp05yqHjdc9XNQeFxLL8LfSv7LIIUCgYEA2jgt" +
+	"108LF+RtdkmSoqLnexJ0jmbPlcYTw1wzuIg49gLdlRxoC+UwPFc+uzMGNxEzr6hG" +
+	"Eg3dJVr3+TMLIcTD6usPWzzuL4ReV/IAhCjzgS/WopqURg4cQ+R4MjvTMg8GCZfE" +
+	"QvjcbpKh5ndP/QQEOy7cAP8BLVSG3/ichMcttB8CgYAdzmaebvILzrOKIpqiT4JF" +
+	"w3dwtO6ehqRNbQCDMmtGC1rY/ICWgJquQjHS/7W8BaSRx7R/JlDEPbNwOWOGU8YO" +
+	"2g/5NC1d70HpE77lKA5f25gxwvuaj4+9otYW0y0AGxjeB+ulhmsS05cck8v0/jmh" +
+	"MBB0RyNyGjy1AGQOh7OYBQKBgQCwFq1HFM2K1hVOYkglXPcV5OqRDn1sCo5gEsLZ" +
+	"oXL1cZKEhIuhLawixPQl8yKMxSDEGjGQ2Acf4axANuRAt5qwskWOBjjdtx66MNoh" +
+	"yznTgVrdk4cakMBWOMKVJplhx6XDj+gbct3NjB2A775oGRmg+Esnsp6siYzcpq0G" +
+	"qANFWQKBgQCyv8KoQXsD8f8XMvicRC42uZXfhlDjOUzpo1O7WQKWBYqPBqz4AHzE" +
+	"Cdy6djI120bqDOifre1qnBjoHezrG+ejaQOTpocOVwT5Zl7BhjoXQZRGiQXj+2aD" +
+	"tmm0+hpmkjX7jiPcljjs8S8gh+uCWieJoO4JNPk2SXRiePpYgKzdlg==" +
+	"-----END RSA PRIVATE KEY-----"
diff --git a/website/docs/r/opsworks_application.html.markdown b/website/docs/r/opsworks_application.html.markdown
index 9ebb25be397..6b08f978b71 100644
--- a/website/docs/r/opsworks_application.html.markdown
+++ b/website/docs/r/opsworks_application.html.markdown
@@ -77,8 +77,8 @@ An `app_source` block supports the following arguments (can only be defined once
 * `type` - (Required) The type of source to use. For example, "archive".
 * `url` - (Required) The URL where the app resource can be found.
 * `username` - (Optional) Username to use when authenticating to the source.
-* `password` - (Optional) Password to use when authenticating to the source.
-* `ssh_key` - (Optional) SSH key to use when authenticating to the source.
+* `password` - (Optional) Password to use when authenticating to the source. Terraform cannot perform drift detection of this configuration.
+* `ssh_key` - (Optional) SSH key to use when authenticating to the source. Terraform cannot perform drift detection of this configuration.
 * `revision` - (Optional) For sources that are version-aware, the revision to use.
 
 An `environment` block supports the following arguments:
diff --git a/website/docs/r/opsworks_stack.html.markdown b/website/docs/r/opsworks_stack.html.markdown
index 166eea950bc..e973b534f09 100644
--- a/website/docs/r/opsworks_stack.html.markdown
+++ b/website/docs/r/opsworks_stack.html.markdown
@@ -73,8 +73,8 @@ The `custom_cookbooks_source` block supports the following arguments:
 * `type` - (Required) The type of source to use. For example, "archive".
 * `url` - (Required) The URL where the cookbooks resource can be found.
 * `username` - (Optional) Username to use when authenticating to the source.
-* `password` - (Optional) Password to use when authenticating to the source.
-* `ssh_key` - (Optional) SSH key to use when authenticating to the source.
+* `password` - (Optional) Password to use when authenticating to the source. Terraform cannot perform drift detection of this configuration.
+* `ssh_key` - (Optional) SSH key to use when authenticating to the source. Terraform cannot perform drift detection of this configuration.
 * `revision` - (Optional) For sources that are version-aware, the revision to use.
 
 ## Attributes Reference