aws-samples / aws-secrets-manager-rotation-lambdas

Contains Lambda functions to be used for automatic rotation of secrets stored in AWS Secrets Manager


SingleUser Rotation with Master Secret

akefirad opened this issue · comments

commented

Currently the code (for example SecretsManagerRDSPostgreSQLRotationSingleUser) uses the existing password (in the secret) to authenticate/login and then rotates it (as the documentation explains).
Probably a minor improvement, but does it make sense to use the master secret (if it exists in the secret) to rotate the secret? In other words, the function checks the secret and, if there's a masterarn, uses it to authenticate/login (similar to the multi-user flow) and rotates the secret in single-user mode.
One benefit is that the current password doesn't need to be correct. This makes the whole flow of using CDK a little smoother: creating the RDS instance and its additional credentials.
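The credential-selection step the request describes, as an added example (not code from aws-secrets-manager-rotation-lambdas): if the rotating secret carries a masterarn, authenticate with the master credentials but still rotate the secret's own user; otherwise fall back to the current password. The secret values, placeholder ARNs and the sample_fetch/load_secret/endpoint_matches helpers are constructed stand-ins for the Secrets Manager calls; the endpoint check is an added guard against a masterarn that points at a different database.

```python
import json

# Constructed sample secret values (placeholder ARNs, not real credentials),
# in the JSON shape the RDS rotation templates read; 'masterarn' is optional.
PREFIX = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"
SAMPLE_STORE = {
    PREFIX + "app-user": json.dumps({
        "engine": "postgres", "host": "db.example.internal", "port": 5432,
        "username": "app_user", "password": "stale-password",
        "masterarn": PREFIX + "master"}),
    PREFIX + "app-user-bad": json.dumps({   # masterarn points at another host
        "engine": "postgres", "host": "db.example.internal", "port": 5432,
        "username": "app_user", "password": "stale-password",
        "masterarn": PREFIX + "other-master"}),
    PREFIX + "master": json.dumps({
        "engine": "postgres", "host": "db.example.internal", "port": 5432,
        "username": "postgres", "password": "master-password"}),
    PREFIX + "other-master": json.dumps({
        "engine": "postgres", "host": "other.example.internal", "port": 5432,
        "username": "postgres", "password": "other-password"}),
}

def sample_fetch(arn):
    """Hypothetical stand-in for get_secret_value(SecretId=arn)['SecretString']."""
    return SAMPLE_STORE[arn]

def load_secret(arn, fetch_secret=sample_fetch):
    return json.loads(fetch_secret(arn))

def endpoint_matches(current, master):
    """The master secret must describe the same database as the rotating one,
    otherwise a mis-set masterarn would change a password on the wrong host."""
    return all(master.get(k) == current.get(k) for k in ("engine", "host", "port"))

def select_login(secret_arn, fetch_secret=sample_fetch):
    """Pick the credentials the rotation Lambda authenticates with: with a
    'masterarn', log in as the master user (as the multi-user flow does) but
    still rotate the secret's own user; without one, keep the single-user
    behaviour of logging in with the current password."""
    current = load_secret(secret_arn, fetch_secret)
    if "masterarn" not in current:
        return {"mode": "self", "auth_username": current["username"],
                "auth_password": current["password"], "target_username": current["username"]}
    master = load_secret(current["masterarn"], fetch_secret)
    if not endpoint_matches(current, master):
        raise ValueError("master secret does not match the rotating secret's endpoint")
    return {"mode": "master", "auth_username": master["username"],
            "auth_password": master["password"], "target_username": current["username"]}
```

In a real Lambda the returned auth credentials would feed the existing get_connection step, and a ValueError would fail the rotation rather than touching the wrong database.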

commented

Thank you for your feedback. We have noted this as a feature request.