### Issue # (if applicable) Closes #31061. ### Reason for this change Calling `grantConnect()` on an instance of `DatabaseInstanceReadReplica` generates an incorrect policy that uses the full ARN of the instance instead of the instanceResourceId value. It should have created policy with correct resource format `arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name` per [Creating and using an IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html). ### Description of changes Fixed the IAM policy that `grantConnect()` generates for `DatabaseInstanceReadReplica`. The change correctly sets the value of `instanceResourceId` to replica instance `attrDbiResourceId`. The value of `instanceResourceId` is used to generate IAM policy. ### Description of how you validated changes - Added new unit test. - Updated existing integration test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*