diff --git a/rds-postgres/admin-login/main.tf b/rds-postgres/admin-login/main.tf
index 4ad1b59..42929da 100644
--- a/rds-postgres/admin-login/main.tf
+++ b/rds-postgres/admin-login/main.tf
@@ -9,12 +9,13 @@ module "secret" {
 trust_tags = var.trust_tags
 initial_value = jsonencode({
- dbname = var.database_name
- engine = data.aws_db_instance.this.engine
- host = data.aws_db_instance.this.address
- password = var.initial_password
- port = tostring(data.aws_db_instance.this.port)
- username = var.username
+ dbname = var.database_name
+ engine = data.aws_db_instance.this.engine
+ host = data.aws_db_instance.this.address
+ replica_host = data.aws_db_instance.replica.address
+ password = var.initial_password
+ port = tostring(data.aws_db_instance.this.port)
+ username = var.username
 })
 }
@@ -77,6 +78,10 @@ data "aws_db_instance" "this" {
 db_instance_identifier = var.identifier
 }
+data "aws_db_instance" "replica" {
+ db_instance_identifier = var.replica_identifier
+ }
+
 locals {
 full_name = join("-", ["rds-postgres", var.identifier])
 }
diff --git a/rds-postgres/admin-login/rotation/lambda_function.py b/rds-postgres/admin-login/rotation/lambda_function.py
index 76e621f..4c4e36c 100644
--- a/rds-postgres/admin-login/rotation/lambda_function.py
+++ b/rds-postgres/admin-login/rotation/lambda_function.py
@@ -31,7 +31,8 @@ def lambda_handler(event, context):
 'username': ,
 'password': ,
 'dbname': ,
- 'port':
+ 'port': ,
+ 'replica_host':
 }
 Args: 
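Review bot: `replica_host = data.aws_db_instance.replica.address` in the jsonencode block, together with the new unconditional `data "aws_db_instance" "replica"` lookup in the second hunk and the `replica_identifier` variable in variables.tf that has no default, makes a read replica mandatory for every consumer of this module: existing deployments without a replica will fail at plan time. Consider `default = null` on the variable, `count = var.replica_identifier == null ? 0 : 1` on the data source, and `replica_host = var.replica_identifier == null ? null : data.aws_db_instance.replica[0].address`, so the key is null when no replica exists. If the secret module only seeds `initial_value` at creation (common for managed secrets; not visible here), secrets created before this change will never acquire a `replica_host` key, so the rotation function must treat it as optional rather than required.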
@@ -126,7 +127,11 @@ def create_secret(service_client, arn, token):
 current_dict['password'] = passwd['RandomPassword']
 # Add DATABASE_URL to secret
- current_dict['DATABASE_URL'] = dict_to_url(current_dict)
+ current_dict['DATABASE_URL'] = dict_to_url(current_dict, false)
+
+ if secret['replica_host']:
+ # Add DATABASE_REPLICA_URL to secret
+ current_dict['DATABASE_REPLICA_URL'] = dict_to_url(current_dict, true)
 # Put the secret
 service_client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(current_dict), VersionStages=['AWSPENDING'])
@@ -278,7 +283,7 @@ def finish_secret(service_client, arn, token):
 service_client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=current_version)
 logger.info("finishSecret: Successfully set AWSCURRENT stage to version %s for secret %s." % (token, arn))
-def dict_to_url(secret):
+def dict_to_url(secret, replica):
 """Reformats connection details as a URL string
 Generate a Heroku-style DATABASE_URL with connection details
@@ -289,9 +294,13 @@ def dict_to_url(secret):
 Returns:
 url: DATABASE_URL-style string
 """
+ if replica:
+ host = secret['host']
+ else:
+ host = secret['replica_host']
 return "postgres://%s:%s@%s:%s/%s" % (secret['username'],
- secret['password'], secret['host'], secret['port'],
+ secret['password'], host, secret['port'],
 secret['dbname'])
 def get_connection(secret_dict):
diff --git a/rds-postgres/admin-login/variables.tf b/rds-postgres/admin-login/variables.tf
index ea01d32..bd12f7c 100644
--- a/rds-postgres/admin-login/variables.tf
+++ b/rds-postgres/admin-login/variables.tf
@@ -31,6 +31,11 @@ variable "read_principals" {
 default = null
 }
+variable "replica_identifier" {
+ description = "Identifier of the database replica"
+ type = string
+ }
+
 variable "secret_name" {
 description = "Override the name for this secret"
 type = string
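Review bot: `dict_to_url(current_dict, false)` and `dict_to_url(current_dict, true)` use lowercase `false`/`true`, which are not Python booleans; unless the module defines those names, create_secret raises NameError before `put_secret_value`, so every rotation fails at its first step and the secret never gets an AWSPENDING version. The guard `if secret['replica_host']:` also raises KeyError on secrets created before this change, which lack the key, and it is not visible from the hunk whether `secret` here is the same dict as `current_dict` (create_secret starts outside the hunk). Suggested lines: `current_dict['DATABASE_URL'] = dict_to_url(current_dict, False)`, `if current_dict.get('replica_host'):`, `current_dict['DATABASE_REPLICA_URL'] = dict_to_url(current_dict, True)`. The lambda_handler docstring hunk should then mark `replica_host` as optional to match.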
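Review bot: The new branch in dict_to_url is inverted: `if replica:` selects `secret['host']` while the else branch selects `secret['replica_host']`, so DATABASE_URL would point at the replica and DATABASE_REPLICA_URL at the primary, and a secret with no `replica_host` key raises KeyError even when building the plain DATABASE_URL. Replace the four added lines with `host = secret['replica_host'] if replica else secret['host']`. In the signature hunk above, `def dict_to_url(secret, replica=False):` keeps any other caller working, and the Args section of the docstring (outside this hunk) should document the new `replica` parameter.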