rds: use DataAPI for Aurora cluster without invoking secret.grantRead() #29362

@badmintoncryer

Description

Describe the feature

To use DataAPI for an Aurora cluster without invoking secret.grantRead().

Use Case

DataAPI for an Aurora cluster is supported (#29338).

It is necessary to invoke secret.grantRead() for DatabaseCluster but it is unnecessary for ServerlessCluster.
This inconsistency is user-unfriendly and should be addressed.

// Create a serverless V1 cluster
const serverlessV1Cluster = new rds.ServerlessCluster(this, 'AnotherCluster', {
  engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
  vpc,
  enableDataApi: true,
});
serverlessV1Cluster.grantDataApiAccess(fn);

// Create an Aurora cluster
const cluster = new rds.DatabaseCluster(this, 'Cluster', {
  engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
  vpc,
  enableDataApi: true,
});
cluster.grantDataApiAccess(fn);
// It is necessary to grant the function access to the secret associated with the cluster for `DatabaseCluster`.
cluster.secret!.grantRead(fn);

Proposed Solution

Move cluster.secret from DatabaseClusterNew to DatabaseClusterBase and invoke secret.grantRead() in cluster.grantDataApiAccess()

#29338 (comment)

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.131.0

Environment details (OS name and version, etc.)

irrelevant
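To make the inconsistency concrete, here is an added example in plain TypeScript (not aws-cdk-lib code and not from this issue) that models the two IAM statements a Data API caller needs: the rds-data actions that grantDataApiAccess() attaches, scoped to the cluster ARN, and the Secrets Manager read that the separate secret.grantRead() call supplies, scoped to the secret ARN. The action names are the standard AWS ones as I know them; the ARNs are constructed placeholders, and the checker function is my own, reporting what an ExecuteStatement call would still lack, which is the runtime failure a user hits when the secret grant is forgotten.

```typescript
// Added example: models IAM statements in plain TypeScript, no aws-cdk-lib involved.
interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

// Constructed placeholder ARNs, not real resources.
const EXAMPLE_CLUSTER_ARN = 'arn:aws:rds:us-east-1:123456789012:cluster:example-cluster';
const EXAMPLE_SECRET_ARN = 'arn:aws:secretsmanager:us-east-1:123456789012:secret:example-AbCdEf';

// Actions that grantDataApiAccess() attaches, scoped to the cluster ARN.
const DATA_API_ACTIONS = [
  'rds-data:BatchExecuteStatement',
  'rds-data:BeginTransaction',
  'rds-data:CommitTransaction',
  'rds-data:ExecuteStatement',
  'rds-data:RollbackTransaction',
];

// Actions that secret.grantRead() attaches, scoped to the secret ARN.
const SECRET_READ_ACTIONS = ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'];

function grantDataApiAccess(clusterArn: string): Statement {
  return { Effect: 'Allow', Action: [...DATA_API_ACTIONS], Resource: [clusterArn] };
}

function grantSecretRead(secretArn: string): Statement {
  return { Effect: 'Allow', Action: [...SECRET_READ_ACTIONS], Resource: [secretArn] };
}

// What the proposed fix would hand out in one call: both statements, each scoped
// to its own resource rather than a wildcard (least privilege is preserved).
function grantDataApiAccessWithSecret(clusterArn: string, secretArn: string): Statement[] {
  return [grantDataApiAccess(clusterArn), grantSecretRead(secretArn)];
}

function allows(statements: Statement[], action: string, resource: string): boolean {
  return statements.some(s => s.Effect === 'Allow'
    && s.Action.includes(action)
    && s.Resource.some(r => r === resource || r === '*'));
}

// Permissions an ExecuteStatement call (which passes both ARNs) would still lack.
function missingForExecuteStatement(statements: Statement[], clusterArn: string, secretArn: string): string[] {
  const missing: string[] = [];
  if (!allows(statements, 'rds-data:ExecuteStatement', clusterArn)) missing.push('rds-data:ExecuteStatement');
  if (!allows(statements, 'secretsmanager:GetSecretValue', secretArn)) missing.push('secretsmanager:GetSecretValue');
  return missing;
}
```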

Metadata

Labels: @aws-cdk/aws-rds (Related to Amazon Relational Database), effort/medium (Medium work item – several days of effort), feature-request (A feature should be added or improved.), p2