fix(rds): add lower bound validation for ClusterInstance promotionTier

[yasomaru]

promotionTier only validated the upper bound (> 15) but did not reject negative values. Added check for < 0 to match the documented range of 0-15 and the existing error message.

Issue # (if applicable)

Closes #37518

Reason for this change

ClusterInstance's promotionTier validation only checked this.tier > 15 but
did not reject negative values. The error message already stated "must be between
0-15", but the lower bound was not enforced. Negative values passed synth
silently and failed at CloudFormation deploy time.

Description of changes

Added this.tier < 0 to the existing validation condition in
aurora-cluster-instance.ts:

- if (this.tier > 15) {
+ if (this.tier < 0 || this.tier > 15) {

Added unit tests for both boundary violations (promotionTier: -1 and
promotionTier: 16) using test.each, following the existing pattern in
cluster.test.ts.

Describe any new or updated permissions being added

N/A. This is a validation-only change.

Description of how you validated changes

• Added 2 unit tests via test.each covering negative (-1) and above-range (16)
  values
  • All 231 tests in cluster.test.ts pass
  • No integration test needed as this change does not affect synthesized
    CloudFormation templates for valid inputs

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[badmintoncryer]

I think it's better to add a unit test.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[yasomaru]

@badmintoncryer
Thanks !
Added unit tests for both boundary cases (promotionTier: -1 and 16), plus an integ test covering the valid boundaries (0 and 15) with updated snapshots.

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	24 ran	24 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	24 ran	24 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[yasomaru]

Exemption Request

This is a validation-only fix that rejects invalid input earlier (at synth time
instead of deploy time). It does not change synthesized CloudFormation templates
for any valid input, so an integration test is not applicable.

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

[badmintoncryer]

I think errorMessage variable is not needed.

Suggested change

	[-1, /promotionTier must be between 0-15/],
	[16, /promotionTier must be between 0-15/],
	])('when promotionTier is %s', (promotionTier, errorMessage) => {
	-1, 16,
	])('when promotionTier is %s', (promotionTier) => {