fix(docdb): secret rotation ignores excluded characters in password (#17609)

We need to pass whatever `excludeCharacters` were passed to the generated Secret to the application responsible for the rotation.

Fixes #17347
Fixes #17575 

------

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: markussiebert

packages/@aws-cdk/aws-docdb/README.md

@@ -21,7 +21,7 @@ your instances will be launched privately or publicly:
 const cluster = new DatabaseCluster(this, 'Database', {
     masterUser: {
         username: 'myuser' // NOTE: 'admin' is reserved by DocumentDB
-        excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/"
+        excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/" and is also used for eventually created rotations
         secretName: '/myapp/mydocdb/masteruser', // optional, if you prefer to specify the secret name
     },
     instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),

packages/@aws-cdk/aws-docdb/lib/cluster.ts

@@ -491,6 +491,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
       secret: this.secret,
       automaticallyAfter,
       application: DatabaseCluster.SINGLE_USER_ROTATION_APPLICATION,
+      excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters,
       vpc: this.vpc,
       vpcSubnets: this.vpcSubnets,
       target: this,
@@ -508,6 +509,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
       secret: options.secret,
       masterSecret: this.secret,
       automaticallyAfter: options.automaticallyAfter,
+      excludeCharacters: (this.node.tryFindChild('Secret') as DatabaseSecret)._excludedCharacters,
       application: DatabaseCluster.MULTI_USER_ROTATION_APPLICATION,
       vpc: this.vpc,
       vpcSubnets: this.vpcSubnets,

packages/@aws-cdk/aws-docdb/lib/database-secret.ts

@@ -48,7 +48,16 @@ export interface DatabaseSecretProps {
  * @resource AWS::SecretsManager::Secret
  */
 export class DatabaseSecret extends Secret {
+
+  /**
+   * the excluded characters for this Secret
+   * @internal
+   */
+  public readonly _excludedCharacters: string;
+
   constructor(scope: Construct, id: string, props: DatabaseSecretProps) {
+    const excludedCharacters = props.excludeCharacters ?? '"@/';
+
     super(scope, id, {
       secretName: props.secretName,
       description: `Generated by the CDK for stack: ${Aws.STACK_NAME}`,
@@ -68,8 +77,10 @@ export class DatabaseSecret extends Secret {
           masterarn: props.masterSecret?.secretArn,
         }),
         generateStringKey: 'password',
-        excludeCharacters: props.excludeCharacters ?? '"@/',
+        excludeCharacters: excludedCharacters,
       },
     });
+
+    this._excludedCharacters = excludedCharacters;
   }
 }

packages/@aws-cdk/aws-docdb/test/cluster.test.ts

@@ -684,6 +684,7 @@ describe('DatabaseCluster', () => {
           ],
         },
         functionName: 'DatabaseRotationSingleUser458A45BE',
+        excludeCharacters: '\"@/',
         vpcSubnetIds: {
           'Fn::Join': [
             '',
@@ -796,6 +797,7 @@ describe('DatabaseCluster', () => {
           ],
         },
         functionName: 'DatabaseRotation0D47EBD2',
+        excludeCharacters: '\"@/',
         vpcSubnetIds: {
           'Fn::Join': [
             '',

packages/@aws-cdk/aws-docdb/test/integ.cluster-rotation.lit.expected.json

@@ -785,6 +785,7 @@
             ]
           },
           "functionName": "awscdkdocdbclusterrotationDatabaseRotationSingleUser7DAE65BE",
+          "excludeCharacters": "\"@/",
           "vpcSubnetIds": {
             "Fn::Join": [
               "",