diff --git a/.gitignore b/.gitignore
index 9bb1709e..bbd5abff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,5 @@ ci-scripts
 .mono
 /go/
 *.sln
+.config/
+.gradle/
\ No newline at end of file
diff --git a/CHANGELOG_PENDING.md b/CHANGELOG_PENDING.md
index 5e78e668..25e67938 100644
--- a/CHANGELOG_PENDING.md
+++ b/CHANGELOG_PENDING.md
@@ -1,4 +1,5 @@
 ### Improvements
+- Added secret support for all fields in DeploymentSettings [#419](https://github.com/pulumi/pulumi-pulumiservice/issues/419)
 
 ### Bug Fixes
 
diff --git a/examples/ts-deployment-settings/index.ts b/examples/ts-deployment-settings/index.ts
index 77c3f360..fc9b9eb1 100644
--- a/examples/ts-deployment-settings/index.ts
+++ b/examples/ts-deployment-settings/index.ts
@@ -63,6 +63,6 @@ const settings = new service.DeploymentSettings("deployment_settings", {
         }
     },
     cacheOptions: {
-        enable: true,
+        enable: pulumi.secret(true),
     }
 });
diff --git a/provider/pkg/provider/deployment_settings.go b/provider/pkg/provider/deployment_settings.go
index 1fce1f17..d08080bc 100644
--- a/provider/pkg/provider/deployment_settings.go
+++ b/provider/pkg/provider/deployment_settings.go
@@ -285,8 +285,8 @@ func (ds *PulumiServiceDeploymentSettingsResource) ToPulumiServiceDeploymentSett
 	input.Stack.ProjectName = getSecretOrStringValue(inputMap["project"])
 	input.Stack.StackName = getSecretOrStringValue(inputMap["stack"])
 
-	if inputMap["agentPoolId"].HasValue() && inputMap["agentPoolId"].IsString() {
-		input.AgentPoolId = inputMap["agentPoolId"].StringValue()
+	if inputMap["agentPoolId"].HasValue() {
+		input.AgentPoolId = getSecretOrStringValue(inputMap["agentPoolId"])
 	}
 
 	input.ExecutorContext = toExecutorContext(inputMap)
@@ -327,17 +327,17 @@ func toGitHubConfig(inputMap resource.PropertyMap) *pulumiapi.GitHubConfiguratio
 		github.Repository = getSecretOrStringValue(githubInput["repository"])
 	}
 
-	if githubInput["deployCommits"].HasValue() && githubInput["deployCommits"].IsBool() {
-		github.DeployCommits = githubInput["deployCommits"].BoolValue()
+	if githubInput["deployCommits"].HasValue() {
+		github.DeployCommits = getSecretOrBoolValue(githubInput["deployCommits"])
 	}
-	if githubInput["previewPullRequests"].HasValue() && githubInput["previewPullRequests"].IsBool() {
-		github.PreviewPullRequests = githubInput["previewPullRequests"].BoolValue()
+	if githubInput["previewPullRequests"].HasValue() {
+		github.PreviewPullRequests = getSecretOrBoolValue(githubInput["previewPullRequests"])
 	}
-	if githubInput["pullRequestTemplate"].HasValue() && githubInput["pullRequestTemplate"].IsBool() {
-		github.PullRequestTemplate = githubInput["pullRequestTemplate"].BoolValue()
+	if githubInput["pullRequestTemplate"].HasValue() {
+		github.PullRequestTemplate = getSecretOrBoolValue(githubInput["pullRequestTemplate"])
 	}
-	if githubInput["paths"].HasValue() && githubInput["paths"].IsArray() {
-		pathsInput := githubInput["paths"].ArrayValue()
+	if githubInput["paths"].HasValue() {
+		pathsInput := getSecretOrArrayValue(githubInput["paths"])
 		paths := make([]string, len(pathsInput))
 
 		for i, v := range pathsInput {
@@ -445,14 +445,12 @@ func toOperationContext(inputMap resource.PropertyMap) *pulumiapi.OperationConte
 		oc.EnvironmentVariables = ev
 	}
 
-	if ocInput["preRunCommands"].HasValue() && ocInput["preRunCommands"].IsArray() {
-		pcInput := ocInput["preRunCommands"].ArrayValue()
+	if ocInput["preRunCommands"].HasValue() {
+		pcInput := getSecretOrArrayValue(ocInput["preRunCommands"])
 		pc := make([]string, len(pcInput))
 
 		for i, v := range pcInput {
-			if v.IsString() {
-				pc[i] = v.StringValue()
-			}
+			pc[i] = getSecretOrStringValue(v)
 		}
 
 		oc.PreRunCommands = pc
@@ -462,20 +460,20 @@ func toOperationContext(inputMap resource.PropertyMap) *pulumiapi.OperationConte
 		oInput := ocInput["options"].ObjectValue()
 		var o pulumiapi.OperationContextOptions
 
-		if oInput["skipInstallDependencies"].HasValue() && oInput["skipInstallDependencies"].IsBool() {
-			o.SkipInstallDependencies = oInput["skipInstallDependencies"].BoolValue()
+		if oInput["skipInstallDependencies"].HasValue() {
+			o.SkipInstallDependencies = getSecretOrBoolValue(oInput["skipInstallDependencies"])
 		}
 
-		if oInput["skipIntermediateDeployments"].HasValue() && oInput["skipIntermediateDeployments"].IsBool() {
-			o.SkipIntermediateDeployments = oInput["skipIntermediateDeployments"].BoolValue()
+		if oInput["skipIntermediateDeployments"].HasValue() {
+			o.SkipIntermediateDeployments = getSecretOrBoolValue(oInput["skipIntermediateDeployments"])
 		}
 
-		if oInput["Shell"].HasValue() && oInput["Shell"].IsString() {
-			o.Shell = oInput["Shell"].StringValue()
+		if oInput["Shell"].HasValue() {
+			o.Shell = getSecretOrStringValue(oInput["Shell"])
 		}
 
-		if oInput["deleteAfterDestroy"].HasValue() && oInput["deleteAfterDestroy"].IsBool() {
-			o.DeleteAfterDestroy = oInput["deleteAfterDestroy"].BoolValue()
+		if oInput["deleteAfterDestroy"].HasValue() {
+			o.DeleteAfterDestroy = getSecretOrBoolValue(oInput["deleteAfterDestroy"])
 		}
 
 		oc.Options = &o
@@ -498,8 +496,8 @@ func toOperationContext(inputMap resource.PropertyMap) *pulumiapi.OperationConte
 			if awsInput["sessionName"].HasValue() {
 				aws.SessionName = getSecretOrStringValue(awsInput["sessionName"])
 			}
-			if awsInput["policyARNs"].HasValue() && awsInput["policyARNs"].IsArray() {
-				policyARNsInput := awsInput["policyARNs"].ArrayValue()
+			if awsInput["policyARNs"].HasValue() {
+				policyARNsInput := getSecretOrArrayValue(awsInput["policyARNs"])
 				policyARNs := make([]string, len(policyARNsInput))
 
 				for i, v := range policyARNsInput {
@@ -569,8 +567,8 @@ func toCacheOptions(inputMap resource.PropertyMap) *pulumiapi.CacheOptions {
 	coInput := inputMap["cacheOptions"].ObjectValue()
 	var co pulumiapi.CacheOptions
 
-	if coInput["enable"].HasValue() && coInput["enable"].IsBool() {
-		co.Enable = coInput["enable"].BoolValue()
+	if coInput["enable"].HasValue() {
+		co.Enable = getSecretOrBoolValue(coInput["enable"])
 	}
 
 	return &co
diff --git a/provider/pkg/provider/secret_util.go b/provider/pkg/provider/secret_util.go
index f79a5b8e..95e405d2 100644
--- a/provider/pkg/provider/secret_util.go
+++ b/provider/pkg/provider/secret_util.go
@@ -29,6 +29,24 @@ func getSecretOrStringNullableValue(prop resource.PropertyValue) *string {
 	return &resultString
 }
 
+func getSecretOrBoolValue(prop resource.PropertyValue) bool {
+	switch prop.V.(type) {
+	case *resource.Secret:
+		return prop.SecretValue().Element.BoolValue()
+	default:
+		return prop.BoolValue()
+	}
+}
+
+func getSecretOrArrayValue(prop resource.PropertyValue) []resource.PropertyValue {
+	switch prop.V.(type) {
+	case *resource.Secret:
+		return prop.SecretValue().Element.ArrayValue()
+	default:
+		return prop.ArrayValue()
+	}
+}
+
 // All imported inputs will have a dummy value, asking to be replaced in real code
 // All imported properties are just set to ciphertext read from Pulumi Service
 func importSecretValue(propertyMap resource.PropertyMap, propertyName string, cipherValue pulumiapi.SecretValue, isInput bool) {