fix(secretsmanager): hosted rotation with fromSecretNameV2() does not…

… create correct iam policy (aws#28379)

In the case for a hosted rotation with a master secret by `fromSecretNameV2()`, IAM policy for lambda is not correct.

The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with `'-??????'`, but it will not use the ARN.

Closes aws#28308.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.hosted-rotation.js.snapshot/cdk-integ-secret-hosted-rotation.template.json

@@ -14,15 +14,15 @@
   "SecretSchedule18F2CB66": {
    "Type": "AWS::SecretsManager::RotationSchedule",
    "Properties": {
-    "SecretId": {
-     "Ref": "SecretA720EF05"
-    },
     "HostedRotationLambda": {
      "ExcludeCharacters": " %+~`#$&*()|[]{}:;<>?!'/@\"\\",
      "RotationType": "MySQLSingleUser"
     },
     "RotationRules": {
      "ScheduleExpression": "rate(30 days)"
+    },
+    "SecretId": {
+     "Ref": "SecretA720EF05"
     }
    }
   },
@@ -75,16 +75,16 @@
   "CustomSecretScheduleDD99F351": {
    "Type": "AWS::SecretsManager::RotationSchedule",
    "Properties": {
-    "SecretId": {
-     "Ref": "CustomSecret5DC95D87"
-    },
     "HostedRotationLambda": {
      "ExcludeCharacters": "&@/",
      "RotationType": "MySQLSingleUser"
     },
     "RotateImmediatelyOnUpdate": false,
     "RotationRules": {
      "ScheduleExpression": "rate(30 days)"
+    },
+    "SecretId": {
+     "Ref": "CustomSecret5DC95D87"
     }
    }
   },
@@ -123,6 +123,85 @@
      "Ref": "CustomSecret5DC95D87"
     }
    }
+  },
+  "MySecret8FE80B51": {
+   "Type": "AWS::SecretsManager::Secret",
+   "Properties": {
+    "GenerateSecretString": {}
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "MySecretRotationSchedule673B961C": {
+   "Type": "AWS::SecretsManager::RotationSchedule",
+   "Properties": {
+    "HostedRotationLambda": {
+     "ExcludeCharacters": " %+~`#$&*()|[]{}:;<>?!'/@\"\\",
+     "MasterSecretArn": {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":secretsmanager:",
+        {
+         "Ref": "AWS::Region"
+        },
+        ":",
+        {
+         "Ref": "AWS::AccountId"
+        },
+        ":secret:MasterSecret-??????"
+       ]
+      ]
+     },
+     "RotationType": "PostgreSQLMultiUser"
+    },
+    "RotationRules": {
+     "ScheduleExpression": "rate(30 days)"
+    },
+    "SecretId": {
+     "Ref": "MySecret8FE80B51"
+    }
+   }
+  },
+  "MySecretPolicyDAD0E682": {
+   "Type": "AWS::SecretsManager::ResourcePolicy",
+   "Properties": {
+    "ResourcePolicy": {
+     "Statement": [
+      {
+       "Action": "secretsmanager:DeleteSecret",
+       "Effect": "Deny",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "SecretId": {
+     "Ref": "MySecret8FE80B51"
+    }
+   }
   }
  },
  "Parameters": {