diff --git a/src/asm.tf b/src/asm.tf
new file mode 100644
index 0000000..6c6cd62
--- /dev/null
+++ b/src/asm.tf
@@ -0,0 +1,26 @@
+resource "aws_secretsmanager_secret" "default" {
+ count = local.asm_enabled ? 1 : 0
+
+ name = local.mysql_admin_password_key
+ description = format("%s admin creds", module.cluster.id)
+
+ # policy = "{}"
+ # kms_key_id = null # "aws/secretsmanager"
+ # recovery_window_in_days = null # 30
+
+ tags = module.this.tags
+}
+
+resource "aws_secretsmanager_secret_version" "default" {
+ count = local.asm_enabled ? 1 : 0
+
+ secret_id = one(aws_secretsmanager_secret.default[*].id)
+ secret_string = jsonencode({
+ cluster_domain = local.cluster_domain
+ db_host = module.aurora_mysql.master_host
+ db_port = module.aurora_mysql.port
+ cluster_name = module.aurora_mysql.cluster_identifier
+ username = local.mysql_admin_user
+ password = local.mysql_admin_password
+ })
+}
diff --git a/src/cluster-regional.tf b/src/cluster-regional.tf
index 6a17f41..27cb36a 100644
--- a/src/cluster-regional.tf
+++ b/src/cluster-regional.tf
@@ -14,7 +14,7 @@ module "aurora_mysql" {
 instance_type = var.mysql_instance_type
 db_name = local.mysql_db_name
- db_port = 3306
+ db_port = var.mysql_db_port
 admin_password = local.mysql_admin_password
 admin_user = local.mysql_admin_user
diff --git a/src/main.tf b/src/main.tf
index 097d6f5..d51e97a 100644
--- a/src/main.tf
+++ b/src/main.tf
@@ -1,6 +1,9 @@
 locals {
 enabled = module.this.enabled
+ asm_enabled = local.enabled && var.secrets_store_type == "ASM"
+ ssm_enabled = local.enabled && var.secrets_store_type == "SSM"
+
 vpc_outputs = module.vpc.outputs
 dns_delegated_outputs = module.dns-delegated.outputs
 vpc_id = local.vpc_outputs.vpc_id
diff --git a/src/outputs.tf b/src/outputs.tf
index eafb28a..7cfc576 100644
--- a/src/outputs.tf
+++ b/src/outputs.tf
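Review bot: `kms_key_id` is left commented out on `aws_secretsmanager_secret.default`, so the ASM copy of the admin credentials is encrypted with the AWS-managed `aws/secretsmanager` key, while the SSM path in ssm.tf encrypts its SecureString parameters with `module.kms_key_rds.key_arn`. Setting `kms_key_id = module.kms_key_rds.key_arn` puts both stores under the same customer-managed key, so one key policy governs who can decrypt the password regardless of `secrets_store_type`. The `description` references `module.cluster.id`, but every other reference in this change goes through `module.aurora_mysql`; if `module.cluster` does not exist in this component, `module.aurora_mysql.cluster_identifier` (already used in `secret_string`) looks like the intended value and the current line will fail at plan time.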
@@ -24,16 +24,21 @@ output "aurora_mysql_master_hostname" {
 }
 output "aurora_mysql_master_password" {
- value = local.mysql_db_enabled ? "Password for admin user ${module.aurora_mysql.master_username} is stored in SSM at ${local.mysql_admin_password_key}" : null
- description = "Location of admin password in SSM"
+ value = local.mysql_db_enabled ? "Password for admin user ${module.aurora_mysql.master_username} is stored in ${var.secrets_store_type} at ${local.mysql_admin_password_key}" : null
+ description = "Location of admin password"
 sensitive = true
 }
 output "aurora_mysql_master_password_ssm_key" {
- value = local.mysql_db_enabled ? local.mysql_admin_password_key : null
+ value = local.ssm_enabled && local.mysql_db_enabled ? local.mysql_admin_password_key : null
 description = "SSM key for admin password"
 }
+output "aurora_mysql_master_password_asm_key" {
+ value = local.asm_enabled && local.mysql_db_enabled ? local.mysql_admin_password_key : null
+ description = "ASM key for admin password"
+}
+
 output "aurora_mysql_master_username" {
 value = local.enabled ? module.aurora_mysql.master_username : null
 description = "Aurora MySQL username for the master DB user"
diff --git a/src/ssm.tf b/src/ssm.tf
index 2e551a8..3997573 100644
--- a/src/ssm.tf
+++ b/src/ssm.tf
@@ -21,7 +21,7 @@ locals {
 },
 {
 name = format("%s/%s", local.ssm_path_prefix, "db_port")
- value = "3306"
+ value = module.aurora_mysql.port
 description = "Aurora MySQL DB Master TCP port"
 type = "String"
 overwrite = true
@@ -75,6 +75,8 @@ module "parameter_store_write" {
 source = "cloudposse/ssm-parameter-store/aws"
 version = "0.13.0"
+ enabled = local.ssm_enabled
+
 # kms_arn will only be used for SecureString parameters
 kms_arn = module.kms_key_rds.key_arn
diff --git a/src/variables.tf b/src/variables.tf
index 3297da7..e8fff25 100644
--- a/src/variables.tf
+++ b/src/variables.tf
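Review bot: `aurora_mysql_master_password_asm_key` exposes only the secret name (`local.mysql_admin_password_key`), which a downstream component cannot use to scope an IAM policy without first looking the secret up. Adding an ARN output alongside it, with `value = local.asm_enabled && local.mysql_db_enabled ? one(aws_secretsmanager_secret.default[*].arn) : null`, lets consumers grant `secretsmanager:GetSecretValue` on exactly that resource instead of a name pattern. If the new output is meant to mirror the SSM one, its description should also say it is the secret name rather than a "key", since Secrets Manager has no key concept and the wording invites confusion with `kms_key_id`.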
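Review bot: `value = module.aurora_mysql.port` places a number in a list entry whose sibling entries use string `value`s and which is written with `type = "String"`; Terraform will normally unify the element type, but `value = tostring(module.aurora_mysql.port)` keeps the local's element type uniform and makes the intent explicit, so a change in the module's output type cannot silently alter the parameter's value representation. The enclosing `locals` block starts before the hunk, and the type of the `parameter_store_write` input that consumes this list is not visible here, so I am inferring that it expects strings.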
@@ -33,10 +33,21 @@ variable "mysql_name" {
 variable "mysql_db_name" {
 type = string
- description = "Database name (default is not to create a database"
+ description = "Database name (default is not to create a database)"
 default = ""
 }
+variable "mysql_db_port" {
+ type = number
+ description = "Database port"
+ default = 3306
+
+ validation {
+ condition = var.mysql_db_port >= 1 && var.mysql_db_port <= 65535
+ error_message = "mysql_db_port must be between 1 and 65535."
+ }
+}
+
 variable "mysql_admin_user" {
 type = string
 description = "MySQL admin user name"
@@ -225,3 +236,14 @@ variable "vpc_component_name" {
 default = "vpc"
 description = "The name of the VPC component"
 }
+
+variable "secrets_store_type" {
+ type = string
+ description = "Secret Store type to save database credentials. Valid values: `SSM`, `ASM`"
+ default = "SSM"
+
+ validation {
+ condition = contains(["SSM", "ASM"], var.secrets_store_type)
+ error_message = "secrets_store_type must be one of: SSM, ASM."
+ }
+}
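Review bot: The `secrets_store_type` description does not say what happens when the value is changed on an existing deployment. Because ssm.tf gates the parameter store module with `enabled = local.ssm_enabled` and asm.tf gates the secret with `count = local.asm_enabled ? 1 : 0`, switching the value destroys the credentials in the previously selected store and creates them in the other, so anything still reading the old location loses access until it is re-pointed; a Secrets Manager secret left in its default 30-day recovery window can also block re-creating the same name if the value is flipped back. Suggest appending to the description: `Changing this on an existing deployment removes the credentials from the previous store; migrate consumers first.`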