# aws
g
We have an issue where we create an RDS cluster and then some instances, and we attempt to extract the Secret for it (to extract the password), letting RDS manage it. We're running into an issue where we extract the secret based on the cluster's secret ARN, but have noticed cases where it does not match what is in Secrets Manager. Looking through the process, it seems that when an instance is created, it causes the secret to be updated at that point. This results in different values being returned to our application. Is there a step that we are missing, or is the recommendation for us to create our own secret and rotation and just pass it to the cluster/instances ourselves? This raised its head as we were disabling the automatic rotation for now but noticed it kept being re-enabled, and we determined it was due to the instance creation.
l
Is the password retrieved from the cluster different to the password that the cluster has set into Secrets Manager? If it is, and if RDS management of the secret is correctly set up, then this is an AWS bug. I would open a support request with AWS about this.
g
It is. I did some digging, and this looks like a Pulumi bug inherently, due to not implementing a variable of the DB Instance Terraform construct that disables the secret creation if it is a replica instead of a standalone instance.