diff --git a/enos/modules/aws_rdp_domain_controller/main.tf b/enos/modules/aws_rdp_domain_controller/main.tf index 2df649b0e0..af85f8c3dc 100644 --- a/enos/modules/aws_rdp_domain_controller/main.tf +++ b/enos/modules/aws_rdp_domain_controller/main.tf @@ -452,8 +452,6 @@ resource "aws_instance" "domain_controller" { http_tokens = "required" instance_metadata_tags = "enabled" } - get_password_data = true - tags = { Name = "${var.prefix}-domain-controller-${local.username}" } @@ -472,6 +470,12 @@ resource "time_sleep" "wait_for_reboot" { create_duration = "20m" } +data "aws_instance" "instance_password" { + depends_on = [time_sleep.wait_10_minutes] + instance_id = aws_instance.domain_controller.id + get_password_data = true +} + # wait for the SSH service to be available on the instance. We specifically use # BatchMode=Yes to prevent SSH from prompting for a password to ensure that we # can just SSH using the private key diff --git a/enos/modules/aws_rdp_domain_controller/outputs.tf b/enos/modules/aws_rdp_domain_controller/outputs.tf index 9ce4de1f3e..7cad99fed6 100644 --- a/enos/modules/aws_rdp_domain_controller/outputs.tf +++ b/enos/modules/aws_rdp_domain_controller/outputs.tf @@ -24,8 +24,7 @@ output "admin_username" { output "password" { description = "This is the decrypted administrator password for the EC2 instance" - value = nonsensitive(rsadecrypt(aws_instance.domain_controller.password_data, tls_private_key.rsa_4096_key.private_key_pem)) - + value = nonsensitive(rsadecrypt(data.aws_instance.instance_password.password_data, tls_private_key.rsa_4096_key.private_key_pem)) } output "ssh_private_key" { diff --git a/enos/modules/aws_rdp_member_server/main.tf b/enos/modules/aws_rdp_member_server/main.tf index 03230410f1..8f62fd44a3 100644 --- a/enos/modules/aws_rdp_member_server/main.tf +++ b/enos/modules/aws_rdp_member_server/main.tf 
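Review bot: The new `data "aws_instance" "instance_password"` block in aws_rdp_domain_controller/main.tf depends on `time_sleep.wait_10_minutes`, but the only `time_sleep` visible around this hunk is `wait_for_reboot` (20m). Please confirm that `wait_10_minutes` exists in the file and is the intended gate for reading the password. The block also has no comment explaining why `get_password_data` moved off `aws_instance.domain_controller`; I would add one above it, for example `# password_data is read here, after the wait, rather than on the aws_instance resource`. The same comment is missing on the matching data blocks in aws_rdp_member_server, aws_rdp_member_server_with_worker and aws_windows_client, each of which gates on a different dependency (5m, 2m, and the PowerShell exec).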
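Review bot: The `password` output in aws_rdp_domain_controller/outputs.tf still wraps the decrypted administrator password in `nonsensitive(...)`, so the plaintext is printed by `terraform apply` and `terraform output` and lands in any CI log that captures them. On the domain controller this is the most privileged credential in the test domain. Unless the enos scenarios need the value rendered, I would drop the wrapper and mark the output instead: `value = rsadecrypt(data.aws_instance.instance_password.password_data, tls_private_key.rsa_4096_key.private_key_pem)` together with `sensitive = true`. A calling module can still consume a sensitive output, so unwrapping is only needed at the point where the value really has to be shown. The same pattern is kept in the outputs.tf hunks for aws_rdp_member_server, aws_rdp_member_server_with_worker and aws_windows_client.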
@@ -260,7 +260,6 @@ ${var.domain_admin_password} http_tokens = "required" instance_metadata_tags = "enabled" } - get_password_data = true tags = { Name = "${var.prefix}-rdp-member-server-${local.username}" @@ -276,6 +275,12 @@ resource "time_sleep" "wait_5_minutes" { create_duration = "5m" } +data "aws_instance" "instance_password" { + depends_on = [time_sleep.wait_5_minutes] + instance_id = aws_instance.member_server.id + get_password_data = true +} + # wait for the SSH service to be available on the instance. We specifically use # BatchMode=Yes to prevent SSH from prompting for a password to ensure that we # can just SSH using the private key diff --git a/enos/modules/aws_rdp_member_server/outputs.tf b/enos/modules/aws_rdp_member_server/outputs.tf index d661bbc3e4..dc27ec6a74 100644 --- a/enos/modules/aws_rdp_member_server/outputs.tf +++ b/enos/modules/aws_rdp_member_server/outputs.tf @@ -25,8 +25,7 @@ output "admin_username" { output "password" { description = "This is the decrypted administrator password for the EC2 instance" - value = nonsensitive(rsadecrypt(aws_instance.member_server.password_data, file(var.domain_controller_private_key))) - + value = nonsensitive(rsadecrypt(data.aws_instance.instance_password.password_data, file(var.domain_controller_private_key))) } output "domain_hostname" { diff --git a/enos/modules/aws_rdp_member_server_with_worker/main.tf b/enos/modules/aws_rdp_member_server_with_worker/main.tf index 525a02f7a3..4e825def82 100644 --- a/enos/modules/aws_rdp_member_server_with_worker/main.tf +++ b/enos/modules/aws_rdp_member_server_with_worker/main.tf @@ -273,7 +273,6 @@ ${var.domain_admin_password} http_tokens = "required" instance_metadata_tags = "enabled" } - get_password_data = true tags = { Name = "${var.prefix}-windows-worker-${local.username}" 
@@ -378,6 +377,12 @@ resource "time_sleep" "wait_2_minutes" { create_duration = "2m" } +data "aws_instance" "instance_password" { + depends_on = [time_sleep.wait_2_minutes] + instance_id = aws_instance.worker.id + get_password_data = true +} + # used for debug resource "local_file" "powershell_script_output" { depends_on = [enos_local_exec.run_powershell_script] diff --git a/enos/modules/aws_rdp_member_server_with_worker/outputs.tf b/enos/modules/aws_rdp_member_server_with_worker/outputs.tf index b696be4e6b..1ffc6dba23 100644 --- a/enos/modules/aws_rdp_member_server_with_worker/outputs.tf +++ b/enos/modules/aws_rdp_member_server_with_worker/outputs.tf @@ -26,5 +26,5 @@ output "admin_username" { // This is the decrypted administrator password for the EC2 instance output "admin_password" { description = "Decrpted admin password for the EC2 instance" - value = nonsensitive(rsadecrypt(aws_instance.worker.password_data, file(var.domain_controller_private_key))) -} \ No newline at end of file + value = nonsensitive(rsadecrypt(data.aws_instance.instance_password.password_data, file(var.domain_controller_private_key))) +} diff --git a/enos/modules/aws_windows_client/main.tf b/enos/modules/aws_windows_client/main.tf index 2a019cf19f..26a3864ba0 100644 --- a/enos/modules/aws_windows_client/main.tf +++ b/enos/modules/aws_windows_client/main.tf @@ -286,7 +286,6 @@ resource "aws_instance" "client" { http_tokens = "required" instance_metadata_tags = "enabled" } - get_password_data = true tags = { Name = "${var.prefix}-windows-client-${local.username}" @@ -405,3 +404,9 @@ resource "local_file" "powershell_script_output" { content = enos_local_exec.run_powershell_script[0].stdout filename = "${path.root}/.terraform/tmp/setup_windows_client.out" } + +data "aws_instance" "instance_password" { + depends_on = [enos_local_exec.run_powershell_script] + instance_id = aws_instance.client.id + get_password_data = true +} 
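Review bot: In aws_windows_client/main.tf the password read is gated on `enos_local_exec.run_powershell_script`, which the context line just above indexes as `[0]`, so it appears to be a counted resource. If that count can be zero, `depends_on` adds no delay and the data source reads `password_data` as soon as `aws_instance.client` exists, unlike the other modules, which wait on a `time_sleep`. Please confirm that this case is either impossible or harmless (the provider may poll until the password has been generated), and record the answer in a comment above the data block.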
diff --git a/enos/modules/aws_windows_client/outputs.tf b/enos/modules/aws_windows_client/outputs.tf index 9164e71479..ed2adca4d9 100644 --- a/enos/modules/aws_windows_client/outputs.tf +++ b/enos/modules/aws_windows_client/outputs.tf @@ -26,7 +26,7 @@ output "admin_username" { // This is the decrypted administrator password for the EC2 instance output "admin_password" { description = "The password for the administrator account" - value = nonsensitive(rsadecrypt(aws_instance.client.password_data, tls_private_key.rsa-4096-key.private_key_pem)) + value = nonsensitive(rsadecrypt(data.aws_instance.instance_password.password_data, tls_private_key.rsa-4096-key.private_key_pem)) } output "test_username" {