diff --git a/README.md b/README.md
index 846c21e..34e551f 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ You can do this by commenting out the entire module, running a terraform apply,
| [alb\_security\_group\_id](#input\_alb\_security\_group\_id) | Security Group ID for the ALB | `string` | n/a | yes |
| [assign\_public\_ip](#input\_assign\_public\_ip) | Whether or not to assign a public IP to the task | `bool` | `false` | no |
| [azs](#input\_azs) | Availability zones | `list(string)` | n/a | yes |
+| [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | Identifier of the CA certificate for the DB instance | `string` | `null` | no |
| [cluster\_arn](#input\_cluster\_arn) | ECS cluster to deploy into | `string` | n/a | yes |
| [command](#input\_command) | Container startup command (Use null if container\_definitions is set) | `list(string)` | n/a | yes |
| [container\_definitions](#input\_container\_definitions) | A list of valid container definitions provided as a single valid JSON document. By default, this module will generate a container definition for you. If you need to provide your own or have multiple, you can do so here. | `string` | `null` | no |
@@ -73,6 +74,7 @@ You can do this by commenting out the entire module, running a terraform apply,
| [hostname](#input\_hostname) | Hostname to use for listener rule | `string` | n/a | yes |
| [listener\_arn](#input\_listener\_arn) | ALB listener ARN to add listener rule to | `string` | n/a | yes |
| [load\_balancer\_container\_name](#input\_load\_balancer\_container\_name) | Container name to use for load balancer target group forwarder | `string` | `null` | no |
+| [rds\_cluster\_engine\_version](#input\_rds\_cluster\_engine\_version) | Database engine version | `string` | `"14.6"` | no |
| [service\_name](#input\_service\_name) | Service directory in the application git repo | `string` | n/a | yes |
| [subnets](#input\_subnets) | List of subnet names the service will reside on. | `list(string)` | n/a | yes |
| [task\_cpu](#input\_task\_cpu) | Task CPU | `number` | `1024` | no |
diff --git a/db.tf b/db.tf
index 16fa682..aec05cf 100644
--- a/db.tf
+++ b/db.tf
@@ -8,4 +8,6 @@ module "database" {
name = var.service_name
vpc_id = var.vpc_id
database_name = var.db_name
+ ca_cert_identifier = var.ca_cert_identifier
+ engine_version = var.rds_cluster_engine_version
}
diff --git a/rds_cluster/main.tf b/rds_cluster/main.tf
index 3a4d854..8ba5e2e 100644
--- a/rds_cluster/main.tf
+++ b/rds_cluster/main.tf
@@ -6,7 +6,7 @@ resource "random_id" "final_snapshot_suffix" {
resource "aws_rds_cluster" "this" {
cluster_identifier_prefix = var.name
engine = "aurora-postgresql"
- engine_version = "14.6"
+ engine_version = var.engine_version
database_name = var.database_name
skip_final_snapshot = false
final_snapshot_identifier = "${var.name}-final-${random_id.final_snapshot_suffix.hex}"
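Review bot: With `engine_version` on `aws_rds_cluster.this` now caller-controlled, a value that crosses a major version will be rejected by RDS unless the cluster also sets `allow_major_version_upgrade = true`. That argument is not visible in this hunk, and the resource body continues past it, so confirm whether it is set. If major upgrades are meant to be supported (for example to move off an engine line that no longer gets fixes), expose it as a variable defaulting to `false`. Otherwise, say in the variable description that only versions within the current major are accepted. The same variable feeds `aws_rds_cluster_instance.this` in the next hunk, so cluster and instances stay in step.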
@@ -58,13 +58,14 @@ resource "aws_secretsmanager_secret_version" "connection_string" {
resource "aws_rds_cluster_instance" "this" {
count = var.instance_count
engine = "aurora-postgresql"
- engine_version = "14.6"
+ engine_version = var.engine_version
identifier_prefix = "${var.name}-${count.index + 1}"
performance_insights_enabled = true
cluster_identifier = aws_rds_cluster.this.id
instance_class = var.instance_class
db_subnet_group_name = aws_db_subnet_group.this.name
tags = var.tags
+ ca_cert_identifier = var.ca_cert_identifier
}
resource "aws_db_subnet_group" "this" {
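Review bot: `ca_cert_identifier` is added to `aws_rds_cluster_instance.this` without `apply_immediately`, so a CA change is deferred to the next maintenance window and the instances keep presenting the old server certificate until then. If the purpose is rotating away from an expiring CA, consider adding `apply_immediately = var.apply_immediately` (default `false`) so operators can choose the timing deliberately. With the default `null`, the CA choice is left to RDS, so consumers must set a value for any rotation to happen. Clients that verify the server certificate need the matching RDS trust bundle deployed before the switch.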
diff --git a/rds_cluster/variables.tf b/rds_cluster/variables.tf
index 9452cdd..8374c1e 100644
--- a/rds_cluster/variables.tf
+++ b/rds_cluster/variables.tf
@@ -44,3 +44,15 @@ variable "instance_class" {
type = string
description = "Instance class"
}
+
+variable "ca_cert_identifier" {
+ type = string
+ description = "Identifier of the CA certificate for the DB instance"
+ default = null
+}
+
+variable "engine_version" {
+ type = string
+ description = "Database engine version"
+ default = "14.6"
+}
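Review bot: The two new variables accept any string, and their descriptions do not say what `null` means or which values are valid. The same applies to `ca_cert_identifier` and `rds_cluster_engine_version` in the root `variables.tf`. I would extend the descriptions, e.g. `description = "Identifier of the CA certificate for the DB instance. null leaves the choice of CA to RDS."` and `description = "Aurora PostgreSQL engine version; stay within the cluster's current major version unless major upgrades are enabled."`. The `"14.6"` default is also declared in both files. Since `db.tf` always passes the root value, the default here is never used and could be dropped so the version pin lives in one place.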
diff --git a/variables.tf b/variables.tf
index bf8fc37..7ca0f82 100644
--- a/variables.tf
+++ b/variables.tf
@@ -140,3 +140,15 @@ variable "assign_public_ip" {
description = "Whether or not to assign a public IP to the task"
default = false
}
+
+variable "ca_cert_identifier" {
+ type = string
+ description = "Identifier of the CA certificate for the DB instance"
+ default = null
+}
+
+variable "rds_cluster_engine_version" {
+ type = string
+ description = "Database engine version"
+ default = "14.6"
+}