diff --git a/README.md b/README.md
index d926e324..fd632617 100644
--- a/README.md
+++ b/README.md
@@ -161,6 +161,7 @@ You will not be able to upgrade directly from `1.21` to `1.24`.
| [database\_instance\_class](#input\_database\_instance\_class) | Instance type to use by database master instance. | `string` | `"db.r5.large"` | no |
| [database\_master\_username](#input\_database\_master\_username) | Specifies the master\_username value to set for the database | `string` | `"wandb"` | no |
| [database\_name](#input\_database\_name) | Specifies the name of the database | `string` | `"wandb_local"` | no |
+| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | n/a | yes |
| [database\_snapshot\_identifier](#input\_database\_snapshot\_identifier) | Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot | `string` | `null` | no |
| [database\_sort\_buffer\_size](#input\_database\_sort\_buffer\_size) | Specifies the sort\_buffer\_size value to set for the database | `number` | `67108864` | no |
| [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / S3 can't be deleted when this value is set to `true`. | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index d0bad966..9e8c634c 100644
--- a/main.tf
+++ b/main.tf
@@ -73,8 +73,9 @@ locals {
module "database" {
source = "./modules/database"
- namespace = var.namespace
- kms_key_arn = local.kms_key_arn
+ namespace = var.namespace
+ kms_key_arn = local.kms_key_arn
+ performance_insights_kms_key_arn = var.database_performance_insights_kms_key_arn_kms_key_arn
database_name = var.database_name
master_username = var.database_master_username
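Review bot: The added argument on the `performance_insights_kms_key_arn` line references `var.database_performance_insights_kms_key_arn_kms_key_arn`, a variable that is not declared anywhere in this change (variables.tf adds `database_performance_insights_kms_key_arn`), so `terraform validate` will fail on an undeclared variable. The suffix looks like a paste duplication; the line should read `performance_insights_kms_key_arn = var.database_performance_insights_kms_key_arn`. The `module "database"` block continues past the end of this hunk.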
diff --git a/modules/app_eks/iam-roles.tf b/modules/app_eks/iam-roles.tf
index 1083e1c7..a060e093 100644
--- a/modules/app_eks/iam-roles.tf
+++ b/modules/app_eks/iam-roles.tf
@@ -1,7 +1,7 @@
resource "aws_iam_role" "node" {
name = "${var.namespace}-node"
assume_role_policy = data.aws_iam_policy_document.node_assume.json
-
+
// todo: refactor --> v1.16.3
inline_policy {}
}
diff --git a/modules/database/main.tf b/modules/database/main.tf
index dbff10db..2f29fd46 100644
--- a/modules/database/main.tf
+++ b/modules/database/main.tf
@@ -98,39 +98,39 @@ module "aurora" {
source = "terraform-aws-modules/rds-aurora/aws"
version = "6.2.0"
- allow_major_version_upgrade = true
- allowed_cidr_blocks = var.allowed_cidr_blocks
- apply_immediately = true
- autoscaling_enabled = false
- backup_retention_period = var.backup_retention_period
- create_db_subnet_group = var.create_db_subnet_group
- create_random_password = false
- create_security_group = true
- database_name = var.database_name
- db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.default.id
- db_parameter_group_name = aws_db_parameter_group.default.id
- db_subnet_group_name = var.db_subnet_group_name
- deletion_protection = var.deletion_protection
- enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
- engine = "aurora-mysql"
- engine_version = var.engine_version
- iam_database_authentication_enabled = false
- iam_role_force_detach_policies = true
- iam_role_name = "${var.namespace}-aurora-monitoring"
- instance_class = var.instance_class
- instances = { 1 = {} }
- kms_key_id = var.kms_key_arn
- master_password = local.master_password
- master_username = var.master_username
- monitoring_interval = 15
- name = var.namespace
+ allow_major_version_upgrade = true
+ allowed_cidr_blocks = var.allowed_cidr_blocks
+ apply_immediately = true
+ autoscaling_enabled = false
+ backup_retention_period = var.backup_retention_period
+ create_db_subnet_group = var.create_db_subnet_group
+ create_random_password = false
+ create_security_group = true
+ database_name = var.database_name
+ db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.default.id
+ db_parameter_group_name = aws_db_parameter_group.default.id
+ db_subnet_group_name = var.db_subnet_group_name
+ deletion_protection = var.deletion_protection
+ enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
+ engine = "aurora-mysql"
+ engine_version = var.engine_version
+ iam_database_authentication_enabled = false
+ iam_role_force_detach_policies = true
+ iam_role_name = "${var.namespace}-aurora-monitoring"
+ instance_class = var.instance_class
+ instances = { 1 = {} }
+ kms_key_id = var.kms_key_arn
+ master_password = local.master_password
+ master_username = var.master_username
+ monitoring_interval = 15
+ name = var.namespace
////////////////////////////////////////////////////////////////////////////////////////
// !!! note on performance insights !!!
// AWS offers 7 days of performance insights free. keeping them after this period
// incurs a per-vcpu cost. so we can keep them for 7 days and they're free
////////////////////////////////////////////////////////////////////////////////////////
performance_insights_enabled = true
- performance_insights_kms_key_id = var.kms_key_arn
+ performance_insights_kms_key_id = var.performance_insights_kms_key_arn == "" ? var.kms_key_arn : var.database_performance_insights_kms_key_arn
performance_insights_retention_period = 7
preferred_backup_window = var.preferred_backup_window
preferred_maintenance_window = var.preferred_maintenance_window
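Review bot: The new `performance_insights_kms_key_id` conditional tests `var.performance_insights_kms_key_arn` but, in its false branch, reads `var.database_performance_insights_kms_key_arn`, which is the root-module variable name rather than the one this module receives from main.tf; unless that second name is also declared in modules/database (its variables file is not part of this diff), the reference is undeclared and the plan fails. The branch should use the same variable it tests: `performance_insights_kms_key_id = var.performance_insights_kms_key_arn == "" ? var.kms_key_arn : var.performance_insights_kms_key_arn`. The diff also does not show `performance_insights_kms_key_arn` being declared in the database module, which it would need to be for either reference to resolve. Since `""` is the sentinel for "fall back to the cluster key", it is worth a comment above the line stating that an empty string keeps the existing `kms_key_arn` encryption and a non-empty value must be the ARN of a key RDS is allowed to use. The `module "aurora"` block continues outside this hunk.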
@@ -141,5 +141,5 @@ module "aurora" {
subnets = var.subnets
vpc_id = var.vpc_id
-
+
}
diff --git a/variables.tf b/variables.tf
index f4610380..55eead20 100644
--- a/variables.tf
+++ b/variables.tf
@@ -68,6 +68,11 @@ variable "database_innodb_lru_scan_depth" {
default = 128
}
+variable "database_performance_insights_kms_key_arn" {
+ description = "Specifies an existing KMS key ARN to encrypt the performance insights data if performance_insights_enabled is was enabled out of band"
+ type = string
+}
+
##########################################
# DNS #
##########################################
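Review bot: The new `database_performance_insights_kms_key_arn` variable has no `default`, which makes it required for every caller, while the database module treats an empty string as "use the cluster KMS key"; existing deployments that do not want a separate key would now have to pass `""` explicitly or their plan errors out. Adding `default = ""` to the block matches the sentinel the module checks and keeps the change backward compatible. The description also reads awkwardly ("is was enabled out of band"); suggested wording: `description = "ARN of an existing KMS key used to encrypt Performance Insights data; leave empty to reuse the cluster KMS key"`, and the same text should be carried into the README table, which currently marks the input as required.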