diff --git a/main.tf b/main.tf
index 0d4864d..e9c3615 100644
--- a/main.tf
+++ b/main.tf
@@ -229,6 +229,21 @@ resource "aws_ssm_parameter" "placeholder" {
 }
 }
+resource "aws_secretsmanager_secret" "placeholder" {
+ # skipped check to keep consistent behaviour between ssm params and secrets
+ # Rotation can be added later as a configurable option. Some will want it, for some it will break things
+ #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
+ for_each = var.secretsmanager_secrets
+
+ name = "/${var.secretsmanager_secrets_prefix}${var.name}/${each.key}"
+ description = each.value.description
+ kms_key_id = each.value.kms_key_id
+
+ tags = merge(local.tags, {
+ Name = "${var.name}-${each.key}"
+ })
+}
+
 #------------------------------------------------------------------------------
 # Instance IAM role extra permissions
 # Allow GetParameter to the EC2 scoped SSM parameter path
@@ -248,6 +263,17 @@ data "aws_iam_policy_document" "ssm_parameter" {
 resources = ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.id}:parameter/${var.ssm_parameters_prefix}${var.name}/*"]
 }
 }
+data "aws_iam_policy_document" "secretsmanager" {
+ statement {
+ effect = "Allow"
+ actions = flatten([
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:PutSecretValue"
+ ])
+ #tfsec:ignore:aws-iam-no-policy-wildcards: acccess scoped to parameter path of EC2
+ resources = ["arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.id}:secret:/${var.secretsmanager_secrets_prefix}${var.name}/*"]
+ }
+}
 resource "aws_iam_role" "this" {
 name = "${var.iam_resource_names_prefix}-role-${var.name}"
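Review bot: `kms_key_id = each.value.kms_key_id` lets a caller place a secret under a customer-managed KMS key, but the instance role policy added in the next hunk grants only secretsmanager:* actions, so a read of such a secret will be denied unless that key's policy (or a separate IAM statement) gives the role kms:Decrypt; the AWS-managed Secrets Manager key, used when the attribute is null, has no such requirement. That coupling is not obvious from the resource and deserves a comment on the attribute, e.g. `# Customer-managed keys: the key policy must grant the instance role kms:Decrypt, this module adds no kms:* permissions`. The `#checkov:skip=CKV2_AWS_57` line explains the missing rotation well; the two comment lines above it could be merged into one sentence so the justification sits directly on the skip.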
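Review bot: The new statement grants `secretsmanager:PutSecretValue` together with GetSecretValue, so the instance role can overwrite every secret under the module's path, whereas the section comment visible in the previous hunk describes the parallel SSM grant as read-only GetParameter access. If instances only consume values, reduce it to `actions = ["secretsmanager:GetSecretValue"]`; if writing from the instance is intended, a comment above the actions block stating that requirement is needed so the wider grant is not later mistaken for copy-paste. `flatten([...])` around a literal list is a no-op and can be a plain list. The tfsec justification has a typo and names the wrong service; suggest `#tfsec:ignore:aws-iam-no-policy-wildcards: access scoped to the EC2 secret path`.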
@@ -285,6 +311,12 @@ resource "aws_iam_role_policy" "ssm_parameter" {
 role = aws_iam_role.this.id
 policy = data.aws_iam_policy_document.ssm_parameter.json
 }
+resource "aws_iam_role_policy" "secretsmanager_secret" {
+ count = var.secretsmanager_secrets != null ? 1 : 0
+ name = "Ec2SecretsmanagerSecretPolicy-${var.name}"
+ role = aws_iam_role.this.id
+ policy = data.aws_iam_policy_document.secretsmanager.json
+}
 resource "aws_iam_instance_profile" "this" {
 name = "${var.iam_resource_names_prefix}-profile-${var.name}"
diff --git a/variables.tf b/variables.tf
index 97309f8..2e7bfb8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -174,6 +174,11 @@ variable "ssm_parameters_prefix" {
 description = "Optionally prefix ssm parameters with this prefix. Add a trailing /"
 default = ""
 }
+variable "secretsmanager_secrets_prefix" {
+ type = string
+ description = "Optionally prefix secretsmanager secrets with this prefix. Add a trailing /"
+ default = ""
+}
 variable "ssm_parameters" {
 description = "A map of SSM parameters to create. Set a specific value or a randomly generated value. If neither random or value are set, a placeholder value is created which can be updated outside of terraform"
@@ -190,6 +195,15 @@ variable "ssm_parameters" {
 default = null
 }
+variable "secretsmanager_secrets" {
+ description = "A map of secretsmanager secrets to create. No value is created, add a value outside of terraform"
+ type = map(object({
+ description = optional(string)
+ kms_key_id = optional(string)
+ }))
+ default = {}
+}
+
 variable "cloudwatch_metric_alarms" {
 description = "Map of cloudwatch metric alarms. The alarm name is set to the ec2 instance name plus the map key."
 type = map(object({
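Review bot: `count = var.secretsmanager_secrets != null ? 1 : 0` never yields 0 in practice, because the variable introduced in variables.tf in this same commit defaults to `{}` rather than null, so the role policy and its path-wide GetSecretValue/PutSecretValue grant are attached to every instance role even when no secrets are declared. Keying on emptiness keeps the policy absent until something needs it: `count = try(length(var.secretsmanager_secrets), 0) > 0 ? 1 : 0`, which also tolerates an explicit null. The `!= null` form appears to mirror the ssm_parameters variable, whose `default = null` is visible in the last hunk of variables.tf, so the two variables currently follow different conventions for "nothing to create".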
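Review bot: `secretsmanager_secrets` still accepts an explicit null even though its default is `{}`, and the main.tf resource iterates it directly with `for_each = var.secretsmanager_secrets`, which Terraform rejects at plan time for a null value. Adding `nullable = false` after `default = {}` turns that into a clear input validation error instead; the type already relies on `optional()` object attributes, so the module's minimum Terraform version supports the argument. The description could also state that leaving `kms_key_id` unset keeps the secret on the AWS-managed Secrets Manager key, since that choice decides which principals can decrypt it.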