aws-rds: Add manageMasterUserPassword support to DatabaseCluster L2 construct

[i-owo-owo-i]

Describe the feature

I would like to add support for the manageMasterUserPassword property to the RDS DatabaseCluster L2 construct. This property enables automatic password management with AWS Secrets Manager for Aurora clusters, which is currently only available through L1 constructs or escape hatches.

Use Case

I often rely on escape hatches to enable automatic password rotation for Aurora clusters, but I would prefer to handle everything within the L2 construct if possible.
Having this feature supported natively in L2 would make the codebase cleaner and more consistent.

Proposed Solution

I think it might be a good idea to add the following property to the DatabaseClusterProps interface in aws-cdk/packages/aws-cdk-lib/aws-rds/lib/cluster.ts, although I’m not entirely sure if this is the correct approach:

// Add to DatabaseClusterProps interface
export interface DatabaseClusterProps {
  // ... existing properties
  /**
   * Whether to manage the master user password with AWS Secrets Manager.
   * 
   * @default false
   */
  readonly manageMasterUserPassword?: boolean;
}

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.219.0

AWS CDK CLI version

2.1029.4

Environment details (OS name and version, etc.)

Ubuntu 24.04.3 LTS

[related-issues-bot-for-aws]

Hi @i-owo-owo-i,

Thanks for reporting! While a member of the CDK team reviews this, we've identified this as a potential duplicate.

Potential Duplicate Issues

• AWS::RDS::DBCluster Password management with Amazon Aurora and AWS Secrets Manager #29239: Both issues request adding the manageMasterUserPassword property to the RDS DatabaseCluster L2 construct to enable automatic password management with AWS Secrets Manager. Both target the same module (aws-cdk-lib/aws-rds) and the same construct (DatabaseCluster). The current issue proposes adding readonly manageMasterUserPassword?: boolean to DatabaseClusterProps, while AWS::RDS::DBCluster Password management with Amazon Aurora and AWS Secrets Manager #29239 similarly requests exposing this L1 parameter in the L2 construct. Both aim to avoid using escape hatches for this functionality.

This message was generated automatically to help connect related conversations and improve discoverability.

Please react with 👍 or 👎 to let us know if this response was helpful!

Thank you for helping improve CDK! 🙌

[i-owo-owo-i]

I noticed that a previous PR attempting to add manageMasterUserPassword to the L2 DatabaseCluster was created but appears to have been closed without merging.

[mazyu36]

I've created a PR before. Waiting a review.
#35734

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.