diff --git a/indexer/lambda.tf b/indexer/lambda.tf
index dffb1808..32f67ec2 100644
--- a/indexer/lambda.tf
+++ b/indexer/lambda.tf
@@ -39,6 +39,9 @@ resource "aws_lambda_function" "main" {
 environment_variable.name => environment_variable.value
 },
 each.value.environment_variables,
+ {
+ DB_PASSWORD : jsondecode(data.aws_secretsmanager_secret_version.ender_secrets.secret_string)["DB_PASSWORD"],
+ }
 )
 }
diff --git a/indexer/locals.tf b/indexer/locals.tf
index 8151571e..1051a57c 100644
--- a/indexer/locals.tf
+++ b/indexer/locals.tf
@@ -237,10 +237,6 @@ locals {
 name = "DB_USERNAME",
 value = local.rds_username,
 },
- {
- name = "DB_PASSWORD",
- value = var.rds_db_password,
- },
 {
 name = "DB_HOSTNAME",
 value = aws_db_instance.main.address,
diff --git a/indexer/rds.tf b/indexer/rds.tf
index 8bac39a4..72a7383e 100644
--- a/indexer/rds.tf
+++ b/indexer/rds.tf
@@ -188,6 +188,10 @@ locals {
 aws_db_instance_main_name = "${var.environment}-${var.indexers[var.region].name}-db"
 }
+data "aws_secretsmanager_secret_version" "ender_secrets" {
+ secret_id = "${var.environment}-ender-secrets"
+}
+
 # RDS instance.
 resource "aws_db_instance" "main" {
 identifier = local.aws_db_instance_main_name
@@ -198,7 +202,7 @@ resource "aws_db_instance" "main" {
 db_name = local.rds_db_name
 username = local.rds_username
 # DB password is a sensitive variable passed in via the Terraform Workspace.
- password = var.rds_db_password
+ password = jsondecode(data.aws_secretsmanager_secret_version.ender_secrets.secret_string)["DB_PASSWORD"]
 db_subnet_group_name = aws_db_subnet_group.main.name
 vpc_security_group_ids = [aws_security_group.rds.id]
 parameter_group_name = aws_db_parameter_group.main.name
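Review bot: The added `DB_PASSWORD` entry in the `merge(...)` call in `indexer/lambda.tf` resolves the secret at apply time and stores the plaintext password in the Lambda function's environment, so any principal allowed to read the function configuration can read it, and it is also written to Terraform state. A password rotated in Secrets Manager will not reach the function until the next apply. Consider passing only a reference, e.g. `DB_SECRET_ID : data.aws_secretsmanager_secret_version.ender_secrets.secret_id,`, and letting the function fetch the value at runtime with `secretsmanager:GetSecretValue` granted to its execution role; that needs a handler change which is not visible in this diff. The `aws_lambda_function.main` block starts and ends outside the hunk.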
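Review bot: The new `data "aws_secretsmanager_secret_version" "ender_secrets"` block in `indexer/rds.tf` carries no comment saying that the secret must already exist in every environment and must be a JSON object with a `DB_PASSWORD` key; a missing secret or key will fail the plan. If the secret is indeed created outside this module, I would add above the block `# Pre-existing secret, managed outside this module; JSON object that must contain DB_PASSWORD.`. The same `jsondecode(...)["DB_PASSWORD"]` lookup is written out again in `indexer/lambda.tf` and at `password =` further down; defining it once as `locals { ender_db_password = jsondecode(data.aws_secretsmanager_secret_version.ender_secrets.secret_string)["DB_PASSWORD"] }` keeps the key name in one place.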
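Review bot: The context comment directly above the changed `password =` line in `aws_db_instance.main` still says the password is "a sensitive variable passed in via the Terraform Workspace", which is no longer true after this change. Replace it with something like `# DB password is read from the "<environment>-ender-secrets" Secrets Manager secret (key DB_PASSWORD).`. Because the data source reads the current secret version at plan time, a changed secret will show up as an in-place password change on the instance at the next apply, which is worth stating in the same comment. If `var.rds_db_password` has no other users, its declaration (not visible here) can be dropped so the old value is no longer supplied through the workspace; the resource block continues outside the hunk.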