diff --git a/internal/controllers/awsrdsinstance_controller.go b/internal/controllers/awsrdsinstance_controller.go
index d54395f..fcc3d60 100755
--- a/internal/controllers/awsrdsinstance_controller.go
+++ b/internal/controllers/awsrdsinstance_controller.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 	"time"
 
@@ -42,6 +43,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
+const (
+	secretIndexKey = ".metadata.secret"
+)
+
 //+kubebuilder:rbac:groups=cloudautoscale.infra.doodle.com,resources=awsrdsinstances,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=cloudautoscale.infra.doodle.com,resources=awsrdsinstances/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=cloudautoscale.infra.doodle.com,resources=awsrdsinstances/finalizers,verbs=update
@@ -70,10 +75,36 @@ func (r *AWSRDSInstanceReconciler) SetupWithManager(mgr ctrl.Manager, opts AWSRD
 			&corev1.Pod{},
 			handler.EnqueueRequestsFromMapFunc(r.requestsForChangeBySelector),
 		).
+		Watches(
+			&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(r.requestsForSecretChange),
+		).
 		WithOptions(controller.Options{MaxConcurrentReconciles: opts.MaxConcurrentReconciles}).
 		Complete(r)
 }
 
+func (r *AWSRDSInstanceReconciler) requestsForSecretChange(ctx context.Context, o client.Object) []reconcile.Request {
+	sectet, ok := o.(*corev1.Secret)
+	if !ok {
+		panic(fmt.Sprintf("expected a Secret, got %T", o))
+	}
+
+	var list infrav1beta1.AWSRDSInstanceList
+	if err := r.List(ctx, &list, client.MatchingFields{
+		secretIndexKey: objectKey(sectet).String(),
+	}); err != nil {
+		return nil
+	}
+
+	var reqs []reconcile.Request
+	for _, instance := range list.Items {
+		r.Log.V(1).Info("referenced secret from a AWSRDSInstance changed detected", "namespace", instance.GetNamespace(), "name", instance.GetName())
+		reqs = append(reqs, reconcile.Request{NamespacedName: objectKey(&instance)})
+	}
+
+	return reqs
+}
+
 func (r *AWSRDSInstanceReconciler) requestsForChangeBySelector(ctx context.Context, o client.Object) []reconcile.Request {
 	var list infrav1beta1.AWSRDSInstanceList
 	if err := r.List(ctx, &list, client.InNamespace(o.GetNamespace())); err != nil {
@@ -209,14 +240,14 @@ func (r *AWSRDSInstanceReconciler) reconcile(ctx context.Context, instance infra
 		logger.Info("make sure RDS instances are suspended", "instance", opts.instanceName)
 		res, err = r.suspend(ctx, logger, opts)
 
-		if err != nil {
+		if err == nil {
 			instance = infrav1beta1.AWSRDSInstanceReady(instance, metav1.ConditionTrue, "ReconciliationSuccessful", "rds instance suspended")
 		}
 	} else {
 		logger.Info("make sure RDS instances are resumed", "instance", opts.instanceName)
 		res, err = r.resume(ctx, logger, opts)
 
-		if err != nil {
+		if err == nil {
 			instance = infrav1beta1.AWSRDSInstanceReady(instance, metav1.ConditionTrue, "ReconciliationSuccessful", "rds instance suspended")
 		}
 	}
diff --git a/internal/controllers/mongodbatlascluster_controller.go b/internal/controllers/mongodbatlascluster_controller.go
index 979e6ec..f77278a 100755
--- a/internal/controllers/mongodbatlascluster_controller.go
+++ b/internal/controllers/mongodbatlascluster_controller.go
@@ -19,6 +19,7 @@ package controllers
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 	"time"
 
@@ -66,10 +67,36 @@ func (r *MongoDBAtlasClusterReconciler) SetupWithManager(mgr ctrl.Manager, opts
 			&corev1.Pod{},
 			handler.EnqueueRequestsFromMapFunc(r.requestsForChangeBySelector),
 		).
+		Watches(
+			&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(r.requestsForSecretChange),
+		).
 		WithOptions(controller.Options{MaxConcurrentReconciles: opts.MaxConcurrentReconciles}).
 		Complete(r)
 }
 
+func (r *MongoDBAtlasClusterReconciler) requestsForSecretChange(ctx context.Context, o client.Object) []reconcile.Request {
+	sectet, ok := o.(*corev1.Secret)
+	if !ok {
+		panic(fmt.Sprintf("expected a Secret, got %T", o))
+	}
+
+	var list infrav1beta1.MongoDBAtlasClusterList
+	if err := r.List(ctx, &list, client.MatchingFields{
+		secretIndexKey: objectKey(sectet).String(),
+	}); err != nil {
+		return nil
+	}
+
+	var reqs []reconcile.Request
+	for _, cluster := range list.Items {
+		r.Log.V(1).Info("referenced secret from a MongoDBAtlasCluster changed detected", "namespace", cluster.GetNamespace(), "name", cluster.GetName())
+		reqs = append(reqs, reconcile.Request{NamespacedName: objectKey(&cluster)})
+	}
+
+	return reqs
+}
+
 func (r *MongoDBAtlasClusterReconciler) requestsForChangeBySelector(ctx context.Context, o client.Object) []reconcile.Request {
 	var list infrav1beta1.MongoDBAtlasClusterList
 	if err := r.List(ctx, &list, client.InNamespace(o.GetNamespace())); err != nil {
@@ -206,14 +233,14 @@ func (r *MongoDBAtlasClusterReconciler) reconcile(ctx context.Context, cluster i
 		logger.Info("make sure RDS clusters are suspended", "cluster", opts.ClusterName)
 		res, err = r.suspend(ctx, logger, opts)
 
-		if err != nil {
+		if err == nil {
 			cluster = infrav1beta1.MongoDBAtlasClusterReady(cluster, metav1.ConditionTrue, "ReconciliationSuccessful", "atlas cluster suspended")
 		}
 	} else {
 		logger.Info("make sure RDS clusters are resumed", "cluster", opts.ClusterName)
 		res, err = r.resume(ctx, logger, opts)
 
-		if err != nil {
+		if err == nil {
 			cluster = infrav1beta1.MongoDBAtlasClusterReady(cluster, metav1.ConditionTrue, "ReconciliationSuccessful", "atlas cluster resumed")
 		}
 	}