diff --git a/main.tf b/main.tf
index 4f56970..dcd1916 100644
--- a/main.tf
+++ b/main.tf
@@ -78,6 +78,8 @@ resource "aws_rds_cluster" "this" {
 manage_master_user_password = var.global_cluster_identifier == null && var.manage_master_user_password ? var.manage_master_user_password : null
 master_user_secret_kms_key_id = var.global_cluster_identifier == null && var.manage_master_user_password ? var.master_user_secret_kms_key_id : null
 master_password = var.is_primary_cluster && !var.manage_master_user_password ? var.master_password : null
+ master_password_wo = var.master_password_wo
+ master_password_wo_version = var.master_password_wo_version
 master_username = var.is_primary_cluster ? var.master_username : null
 monitoring_interval = var.cluster_monitoring_interval
 monitoring_role_arn = var.create_monitoring_role && var.cluster_monitoring_interval > 0 ? try(aws_iam_role.rds_enhanced_monitoring[0].arn, null) : var.monitoring_role_arn
diff --git a/variables.tf b/variables.tf
index 7a1dadc..015307b 100644
--- a/variables.tf
+++ b/variables.tf
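Review bot: The two added arguments in the main.tf hunk are passed through unconditionally, while the `master_password` line directly above them is nulled unless `var.is_primary_cluster && !var.manage_master_user_password` holds. A caller who sets `master_password_wo` on a secondary cluster, or together with `manage_master_user_password = true`, gets the value forwarded to the resource; the provider will presumably reject the conflicting combination at plan time, but the module itself no longer keeps the credential paths mutually exclusive. Gating them the same way would keep that rule in one place: `master_password_wo = var.is_primary_cluster && !var.manage_master_user_password ? var.master_password_wo : null`, with the same condition on `master_password_wo_version`. The resource block starts and ends outside this hunk, so a precondition that already covers this would not be visible here.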
@@ -282,6 +282,20 @@ variable "master_password" { default = null } +variable "master_password_wo" { + description = "Write-only password for the master DB user. Required unless `manage_master_user_password` is set to `true`, or unless `snapshot_identifier` or `replication_source_identifier` is provided, or unless a `global_cluster_identifier` is provided when the cluster is the secondary cluster of a global database. Unlike `master_password`, this value will not be stored in the Terraform state file" + type = string + ephemeral = true + default = null +} + +variable "master_password_wo_version" { + description = "Optional version identifier used to detect changes in `master_password_wo` and force update. Increment to rotate the password." + type = string + default = null +} + + variable "master_username" { description = "Username for the master DB user. Required unless `snapshot_identifier` or `replication_source_identifier` is provided or unless a `global_cluster_identifier` is provided when the cluster is the secondary cluster of a global database" type = string
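Review bot: `master_password_wo_version` is declared `type = string` and described as a "version identifier", yet the same description says to increment it, and the provider argument it feeds is, as far as I know, an integer, so a value such as `"v2"` would pass the module's type check and fail only at plan; `type = number` states the contract. `ephemeral = true` on a variable needs Terraform 1.10 or later and write-only resource arguments need 1.11 or later, and no `required_version` or provider constraint change is visible in this diff, so it is worth confirming those constraints were raised. The `master_password_wo` description could also say that the state-file guarantee holds only while `master_password` is left unset, and that a new value is applied only when `master_password_wo_version` changes.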