feat(core): add methods to SecretValue and aws-secretsmanager Secret to obtain a literal (unresolved by CloudFormation) dynamic reference key (#34397)

[jdebuseamazon]

Issue # (if applicable)

Closes #34397

Reason for this change

Dynamic references allow an AWS Secrets Manager Secret to be retrieved for use in another AWS CloudFormation resource. Currently the key strings for dynamic references must be created using string manipulation, eg

const passwordKey = `${mySecret.secretArn}:SecretString:password`;

Description of changes

The existing static secretsManager function in aws-cdk-lib/core includes code to generate a dynamic reference key string. This code was therefore extracted into a new static cfnDynamicReferenceKey function to make it available outside the secretsManager function. Using this new static function the above code example becomes

const passwordKey = SecretValue.cfnDynamicReferenceKey(mySecret.secretArn, { jsonField: 'password' });

A new instance method cfnDynamicReferenceKey was also created in the Secret class in aws-cdk-lib/aws-secretsmanager, which calls the new static cfnDynamicReferenceKey function for the secret that it represents. Using this new instance method the above example becomes

const passwordKey = mySecret.cfnDynamicReferenceKey({ jsonField: 'password' });

Description of how you validated changes

Unit tests and an integration test.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: fb7abb6
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[Abogical]

Thanks!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/analytics-metadata-updater.yml without workflows permission.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.