diff --git a/terraform/README.md b/terraform/README.md
index 7bd2aaa3..19ffc604 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -35,6 +35,7 @@ Terraform to deploy the service into AWS.
 | [aws_secretsmanager_secret.admin_oauth_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.admin_oauth_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.admin_secret_key_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
+| [aws_secretsmanager_secret.postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_secretsmanager_secret.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_ssm_parameter.ecr_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
diff --git a/terraform/data.tf b/terraform/data.tf
index fc0570d5..079ac1e6 100644
--- a/terraform/data.tf
+++ b/terraform/data.tf
@@ -37,6 +37,10 @@ data "aws_secretsmanager_secret" "admin_bearer_token" {
 name = "admin-bearer-token"
 }
+data "aws_secretsmanager_secret" "postgres" { name = "postgresadmin-connection-string" }
+
 data "aws_secretsmanager_secret" "redis" {
 name = "redis-admin-connection-string"
 }
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 2b402a0e..5b69195d 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
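Review bot: The new data source looks up `postgresadmin-connection-string`, which does not follow the `<store>-admin-connection-string` pattern of the sibling `redis-admin-connection-string` lookup in the same hunk; if the secret that actually exists is `postgres-admin-connection-string` this surfaces only as a lookup failure at plan time, so confirm the name before merging and consider aligning it. Taking the name at face value, the service is being pointed at the database admin credential; a dedicated application user holding only the privileges the app needs, stored as its own secret, would keep a leaked `DATABASE_URL` from granting full control of the database. Either way the data source deserves a comment saying what the credential is and that it is only read here, e.g. `# Postgres connection string (admin-level per its name); the secret itself is created outside this module.`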
@@ -8,10 +8,11 @@ data "aws_iam_policy_document" "secrets" {
 "secretsmanager:ListSecretVersionIds"
 ]
 resources = [
- data.aws_secretsmanager_secret.admin_secret_key_base.arn,
 data.aws_secretsmanager_secret.admin_bearer_token.arn,
 data.aws_secretsmanager_secret.admin_oauth_id.arn,
 data.aws_secretsmanager_secret.admin_oauth_secret.arn,
+ data.aws_secretsmanager_secret.admin_secret_key_base.arn,
+ data.aws_secretsmanager_secret.postgres.arn,
 data.aws_secretsmanager_secret.redis.arn,
 ]
 }
@@ -19,13 +20,13 @@ data "aws_iam_policy_document" "secrets" {
 statement {
 effect = "Allow"
 actions = [
- "kms:Encrypt",
 "kms:Decrypt",
- "kms:ReEncryptFrom",
- "kms:ReEncryptTo",
+ "kms:Encrypt",
 "kms:GenerateDataKeyPair",
 "kms:GenerateDataKeyPairWithoutPlainText",
- "kms:GenerateDataKeyWithoutPlaintext"
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:ReEncryptFrom",
+ "kms:ReEncryptTo",
 ]
 resources = [
 data.aws_kms_key.secretsmanager_key.arn
@@ -42,13 +43,13 @@ data "aws_iam_policy_document" "exec" {
 statement {
 effect = "Allow"
 actions = [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
 "ssmmessages:CreateControlChannel",
 "ssmmessages:CreateDataChannel",
 "ssmmessages:OpenControlChannel",
 "ssmmessages:OpenDataChannel",
- "logs:CreateLogStream",
- "logs:DescribeLogStreams",
- "logs:PutLogEvents"
 ]
 resources = ["*"]
 }
diff --git a/terraform/main.tf b/terraform/main.tf
index bc8629cf..4fd785b5 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -76,6 +76,10 @@ module "service" {
 ]
 service_secrets_config = [
+ { name = "DATABASE_URL" valueFrom = data.aws_secretsmanager_secret.postgres.arn },
 {
 name = "REDIS_URL"
 valueFrom = data.aws_secretsmanager_secret.redis.arn
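Review bot: The KMS statement in the second hunk still grants `kms:Encrypt`, `kms:GenerateDataKeyPair`, `kms:GenerateDataKeyPairWithoutPlainText`, `kms:GenerateDataKeyWithoutPlaintext`, `kms:ReEncryptFrom` and `kms:ReEncryptTo` on the Secrets Manager key, although the only secretsmanager action visible in the first statement is the read-side `ListSecretVersionIds` and the new code just reads one more secret; reading a CMK-encrypted secret needs `kms:Decrypt` alone, so unless this role is known to write secrets I would reduce the list to `"kms:Decrypt"` and add a comment justifying any write-side action that has to stay. The commit only reorders these actions, so the over-grant predates it but is worth fixing while the statement is being touched. In the third hunk the `logs:CreateLogStream`/`logs:DescribeLogStreams`/`logs:PutLogEvents` actions remain on `resources = ["*"]`; they can be scoped to the service's log group ARN in a separate statement, whereas the `ssmmessages:*` actions genuinely require `*`. The `secrets` policy document's first statement begins outside the hunk, so its full action list cannot be checked here.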
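Review bot: The added `DATABASE_URL` entry passes the bare secret ARN, so the container receives the whole secret string from its current version, resolved once when the task launches; ECS does not re-read `valueFrom` secrets for running tasks, so rotating the Postgres credential will not take effect until a new deployment replaces the tasks. That is worth a comment on the entry, e.g. `# Resolved at task start only; roll a new deployment after the secret is rotated.` The complete connection string, password included, becomes an environment variable inside the container and is therefore readable by anyone able to open an exec session into it (the `ssmmessages` grants in iam.tf suggest that capability is enabled), which should be kept in mind when deciding who gets that access. The enclosing `module "service"` block and the remainder of `service_secrets_config` lie outside this hunk.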