Specify properties of the Secret as part of Database instance - Description, ExcludeCharacters

When doing new rds.DatabaseInstance(this, 'AppDb', { ... }), a secret is automatically generated with the database’s connection info. This is super useful, but not quite sufficient for my use case. I’d like to be able to specify the secret properties when creating the RDS instance.

Use Case

I need to specify some other characters to exclude from the generated password (specifically ;, since I’ll be assembling a semicolon-delimited connection string like Host=abc.com;Port=5432;Username=admin;Password=p@ssw0rd;).

Proposed Solution

Add a secretProperties property to the RDS DatabaseInstanceProps that mixes in any specified options with the defaults when creating the DB secret, e.g.:

const appDbInstance = new DatabaseInstance(this, 'AppDb', {
	databaseName: 'AppDb',
	engine: DatabaseInstanceEngine.POSTGRES,
	engineVersion: '10.9',
	secretProperties: {
		excludeCharacters: '"@/\\;'
	}
});

Other

I would override this manually, but trying this only adds a property to the SecretTargetAttachment not the Secret itself:

const cfnAppSecret = appDbInstance.secret!.node.defaultChild as CfnSecretTargetAttachment;

cfnAppSecret.addOverride('Properties.GenerateSecretString.ExcludeCharacters', '"@/\\;');

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request