feat(redshift): expose user.secret as property (#17520) (#20078)

This change will expose Redshift User.secret as property and close #17520
----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-redshift/README.md

@@ -60,24 +60,6 @@ The endpoint to access your database cluster will be available as the `.clusterE
 cluster.clusterEndpoint.socketAddress;   // "HOSTNAME:PORT"
 ```
 
-## Rotating credentials
-
-When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:
-
-```ts fixture=cluster
-cluster.addRotationSingleUser(); // Will rotate automatically after 30 days
-```
-
-The multi user rotation scheme is also available:
-
-```ts fixture=cluster
-import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
-
-cluster.addRotationMultiUser('MyUser', {
-  secret: secretsmanager.Secret.fromSecretNameV2(this, 'Imported Secret', 'my-secret'),
-});
-```
-
 ## Database Resources
 
 This module allows for the creation of non-CloudFormation database resources such as users
@@ -273,3 +255,24 @@ call to `grant` but the user does not have the specified permission.
 
 Note that this does not occur when duplicate privileges are granted within the same
 application, as such privileges are de-duplicated before any SQL query is submitted.
+
+## Rotating credentials
+
+When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:
+
+```ts fixture=cluster
+cluster.addRotationSingleUser(); // Will rotate automatically after 30 days
+```
+
+The multi user rotation scheme is also available:
+
+```ts fixture=cluster
+
+const user = new User(this, 'User', {
+  cluster: cluster,
+  databaseName: 'databaseName',
+});
+cluster.addRotationMultiUser('MultiUserRotation', {
+  secret: user.secret,
+});
+```

packages/@aws-cdk/aws-redshift/lib/user.ts

@@ -1,4 +1,5 @@
 import * as kms from '@aws-cdk/aws-kms';
+import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { ICluster } from './cluster';
@@ -137,6 +138,12 @@ export class User extends UserBase {
   readonly databaseName: string;
   protected databaseProps: DatabaseOptions;
 
+  /**
+   * The Secrets Manager secret of the user.
+   * @attribute
+   */
+  public readonly secret: secretsmanager.ISecret;
+
   private resource: DatabaseQuery<UserHandlerProps>;
 
   constructor(scope: Construct, id: string, props: UserProps) {
@@ -165,6 +172,7 @@ export class User extends UserBase {
     attachedSecret.grantRead(this.resource);
 
     this.username = this.resource.getAttString('username');
+    this.secret = secret;
   }
 
   /**

packages/@aws-cdk/aws-redshift/test/user.test.ts

@@ -90,6 +90,14 @@ describe('cluster user', () => {
     });
   });
 
+  it('secret property is exposed', () => {
+    const user = new redshift.User(stack, 'User', databaseOptions);
+
+    expect(stack.resolve(user.secret.secretArn)).toStrictEqual({
+      Ref: 'UserSecretE2C04A69',
+    });
+  });
+
   it('uses username when provided', () => {
     const username = 'username';