diff --git a/src/cluster-regional.tf b/src/cluster-regional.tf
index f40c025..080e7e8 100644
--- a/src/cluster-regional.tf
+++ b/src/cluster-regional.tf
@@ -7,16 +7,17 @@ module "aurora_postgres_cluster" {
 source = "cloudposse/rds-cluster/aws"
 version = "2.1.1"
- cluster_type = "regional"
- engine = var.engine
- engine_version = var.engine_version
- engine_mode = var.engine_mode
- cluster_family = var.cluster_family
- instance_type = var.instance_type
- cluster_size = var.cluster_size
- promotion_tier = var.promotion_tier
- admin_user = local.admin_user
- admin_password = local.admin_password
+ cluster_type = "regional"
+ engine = var.engine
+ engine_version = var.engine_version
+ engine_mode = var.engine_mode
+ cluster_family = var.cluster_family
+ instance_type = var.instance_type
+ cluster_size = var.cluster_size
+ promotion_tier = var.promotion_tier
+ admin_user = local.admin_user
+ admin_password = local.admin_password
+ manage_admin_user_password = var.manage_admin_user_password
 db_name = local.database_name
 publicly_accessible = var.publicly_accessible
diff --git a/src/main.tf b/src/main.tf
index 8885d87..dd2aa15 100644
--- a/src/main.tf
+++ b/src/main.tf
@@ -14,9 +14,14 @@ locals {
 zone_id = module.dns_gbl_delegated.outputs.default_dns_zone_id
- admin_user = length(var.admin_user) > 0 ? var.admin_user : join("", random_pet.admin_user[*].id)
- admin_password = length(var.admin_password) > 0 ? var.admin_password : join("", random_password.admin_password[*].result)
- database_name = length(var.database_name) > 0 ? var.database_name : join("", random_pet.database_name[*].id)
+ # 1. If manage_admin_user_password is true, AWS manages the password (admin_password must be empty)
+ # 2. If admin_password is provided, that value is used (manage_admin_user_password must be false)
+ # 3. If both are unset/false/empty, the module creates a random password
+ create_password = local.enabled && var.admin_password == "" && !var.manage_admin_user_password
+ admin_password = var.manage_admin_user_password ? null : (local.create_password ? one(random_password.admin_password[*].result) : var.admin_password)
+
+ admin_user = length(var.admin_user) > 0 ? var.admin_user : one(random_pet.admin_user[*].id)
+ database_name = length(var.database_name) > 0 ? var.database_name : one(random_pet.database_name[*].id)
 cluster_dns_name_prefix = format("%v%v%v%v", module.this.name, module.this.delimiter, var.cluster_name, module.this.delimiter)
 cluster_dns_name = format("%v%v", local.cluster_dns_name_prefix, var.cluster_dns_name_part)
diff --git a/src/variables.tf b/src/variables.tf
index e6b8b8f..cb4d8cc 100644
--- a/src/variables.tf
+++ b/src/variables.tf
@@ -122,6 +122,13 @@ variable "admin_password" {
 }
 }
+variable "manage_admin_user_password" {
+ type = bool
+ default = false
+ description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if admin_password is provided"
+ nullable = false
+}
+
 # https://aws.amazon.com/rds/aurora/pricing
 variable "instance_type" {
 type = string
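Review bot: The new comment above `admin_password` says a supplied password "must be empty" when `manage_admin_user_password` is true, but the expression `var.manage_admin_user_password ? null : (...)` silently discards a supplied `var.admin_password` instead of rejecting it, and the new `manage_admin_user_password` variable in `src/variables.tf` (the next hunk) states the same constraint in its description without enforcing it. An operator who sets both would believe their chosen password is in effect while the cluster is actually using an RDS-managed Secrets Manager secret, which is a credential-handling surprise worth failing the plan on. If the root module targets Terraform 1.9+, a cross-variable `validation` block on `manage_admin_user_password` with `condition = !(var.manage_admin_user_password && var.admin_password != "")` closes this; on older versions a `check` block or a `precondition` on the `random_password.admin_password` resource can do the same, and either way the comment should then say "is rejected" rather than "must be empty". `create_password` is new and presumably meant to drive the `count` of `random_password.admin_password` outside this hunk — confirm that resource was updated to use it, otherwise a random password may still be generated and kept in state even when RDS manages the secret. The `locals` block continues outside the hunk.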