diff --git a/google-workspace.tf b/google-workspace.tf index 197700e..577b10b 100644 --- a/google-workspace.tf +++ b/google-workspace.tf @@ -7,7 +7,7 @@ provider "google" { module "worklytics_connectors_google_workspace" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-google-workspace?ref=v0.4.47" providers = { google = google.google_workspace diff --git a/main.tf b/main.tf index da36ff4..e72f7a8 100644 --- a/main.tf +++ b/main.tf @@ -18,7 +18,7 @@ terraform { # general cases module "worklytics_connectors" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=v0.4.47" enabled_connectors = var.enabled_connectors jira_cloud_id = var.jira_cloud_id @@ -95,7 +95,7 @@ locals { } module "psoxy" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-host?ref=v0.4.47" environment_name = var.environment_name aws_account_id = var.aws_account_id @@ -115,6 +115,7 @@ module "psoxy" { logs_kms_key_arn = var.project_aws_kms_key_arn aws_ssm_key_id = var.project_aws_kms_key_arn use_api_gateway_v2 = var.use_api_gateway_v2 + secrets_store_implementation = var.secrets_store_implementation bulk_sanitized_expiration_days = var.bulk_sanitized_expiration_days bulk_input_expiration_days = var.bulk_input_expiration_days api_connectors = local.api_connectors 
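Review bot: In the `module "psoxy"` hunk at -115,6 in main.tf, the new `secrets_store_implementation` argument sits beside `aws_ssm_key_id = var.project_aws_kms_key_arn`, which by its name covers only SSM parameters; nothing visible in the hunk passes the project CMEK for the Secrets Manager case. It is worth confirming in the aws-host module at v0.4.47 whether secrets created under `aws_secrets_manager` are encrypted with `var.project_aws_kms_key_arn` or fall back to the AWS-managed key. The same check should cover what happens to connector credentials already in Parameter Store when the value is switched on an existing deployment. A comment above the line would record this, e.g. `# switching stores on a live deployment changes where connector credentials live; confirm KMS and IAM coverage first`. The module block starts and ends outside the hunk.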
@@ -142,7 +143,7 @@ locals { module "connection_in_worklytics" { for_each = local.all_instances - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-psoxy-connection-aws?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-psoxy-connection-aws?ref=v0.4.47" psoxy_instance_id = each.key worklytics_host = var.worklytics_host diff --git a/msft-365.tf b/msft-365.tf index 83db81b..5dc7b7e 100644 --- a/msft-365.tf +++ b/msft-365.tf @@ -1,7 +1,8 @@ # BEGIN MSFT module "worklytics_connectors_msft_365" { - source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=v0.4.47" + enabled_connectors = var.enabled_connectors environment_id = var.environment_name @@ -43,7 +44,7 @@ data "aws_region" "current" { module "cognito_identity_pool" { count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled - source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-pool?ref=v0.4.47" developer_provider_name = local.developer_provider_name name = "${local.env_qualifier}-azure-ad-federation" @@ -52,7 +53,7 @@ module "cognito_identity_pool" { module "cognito_identity" { count = local.msft_365_enabled ? 1 : 0 # only provision identity pool if MSFT-365 connectors are enabled - source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/aws-cognito-identity-cli?ref=v0.4.47" aws_region = data.aws_region.current.id aws_role = var.aws_assume_role_arn 
@@ -73,7 +74,7 @@ resource "aws_iam_role_policy_attachment" "cognito_lambda_policy" { module "msft_connection_auth_federation" { for_each = module.worklytics_connectors_msft_365.enabled_api_connectors - source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.4.46" + source = "git::https://github.com/worklytics/psoxy//infra/modules/azuread-federated-credentials?ref=v0.4.47" application_object_id = each.value.connector.id display_name = "${local.env_qualifier}AccessFromAWS" @@ -101,4 +102,4 @@ locals { output "msft_365_api_clients" { description = "Map of API client identifiers. Useful for configuration of clients, terraform migration." value = module.worklytics_connectors_msft_365.api_clients -} +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index ee930fa..b7841de 100644 --- a/variables.tf +++ b/variables.tf @@ -53,6 +53,12 @@ variable "aws_ssm_param_root_path" { } } +variable "secrets_store_implementation" { + type = string + description = "one of 'aws_ssm_parameter_store' (default) or 'aws_secrets_manager'" + default = "aws_ssm_parameter_store" +} + variable "project_aws_kms_key_arn" { type = string description = "AWS KMS key ARN to use to encrypt all AWS components created by this Terraform configuration that support CMEKs. NOTE: Terraform must be authenticated as an AWS principal authorized to encrypt/decrypt with this key."
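Review bot: The new `secrets_store_implementation` variable in variables.tf documents two accepted values but does not enforce them, so a mistyped value is caught only inside the aws-host module, if at all. A `validation` block would reject anything else at plan time. The preceding `aws_ssm_param_root_path` variable appears to use one already, judging by its nested closing braces in the context lines. Since this value decides where connector credentials are stored, failing early here is preferable to depending on how the downstream module handles an unknown string.

```hcl
variable "secrets_store_implementation" {
  # … unchanged: type, description, default …

  validation {
    condition     = contains(["aws_ssm_parameter_store", "aws_secrets_manager"], var.secrets_store_implementation)
    error_message = "secrets_store_implementation must be 'aws_ssm_parameter_store' or 'aws_secrets_manager'."
  }
}
```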