fix(s3): add validation for lifecycle rule transitions (#33731)

### Issue #22103

Closes #22103.

### Reason for this change

When configuring S3 bucket lifecycle rules with transitions, CloudFormation requires exactly one of `TransitionDate` or `TransitionInDays` to be specified. However, the CDK currently allows configurations where neither or both properties are specified, which leads to deployment failures. This change adds validation during synthesis to catch these invalid configurations earlier in the development process.

### Description of changes

This change adds validation during synthesis to ensure that exactly one of transitionDate or transitionAfter is specified in S3 bucket lifecycle rule transitions. Previously, this validation was only performed during deployment, leading to failed deployments when neither or both properties were specified.

The validation is added to the `parseLifecycleRule` function in the S3 bucket implementation, which checks each transition in the lifecycle rules.

### Describe any new or updated permissions being added

No new or updated IAM permissions are required for this change. This is purely a validation improvement in the CDK synthesis process.


### Description of how you validated changes

Added two unit tests to verify the validation:
1. A test that verifies an error is thrown when neither `transitionDate` nor `transitionAfter` is specified
2. A test that verifies an error is thrown when both `transitionDate` and `transitionAfter` are specified

Also ran integration tests to ensure that the change doesn't affect existing valid configurations. No snapshots were updated, confirming that the change only adds validation and doesn't modify the CloudFormation output for valid configurations.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: scorbiere

packages/aws-cdk-lib/aws-s3/README.md

@@ -852,9 +852,9 @@ const bucket = new s3.Bucket(this, 'MyBucket', {
         {
           storageClass: s3.StorageClass.GLACIER,
 
-          // the properties below are optional
+          // exactly one of transitionAfter or transitionDate must be specified
           transitionAfter: Duration.days(30),
-          transitionDate: new Date(),
+          // transitionDate: new Date(), // cannot specify both
         },
       ],
     },

packages/aws-cdk-lib/aws-s3/lib/bucket.ts

@@ -2545,6 +2545,22 @@ export class Bucket extends BucketBase {
         throw new ValidationError('All rules for `lifecycleRules` must have at least one of the following properties: `abortIncompleteMultipartUploadAfter`, `expiration`, `expirationDate`, `expiredObjectDeleteMarker`, `noncurrentVersionExpiration`, `noncurrentVersionsToRetain`, `noncurrentVersionTransitions`, or `transitions`', self);
       }
 
+      // Validate transitions: exactly one of transitionDate or transitionAfter must be specified
+      if (rule.transitions) {
+        for (const transition of rule.transitions) {
+          const hasTransitionDate = transition.transitionDate !== undefined;
+          const hasTransitionAfter = transition.transitionAfter !== undefined;
+
+          if (!hasTransitionDate && !hasTransitionAfter) {
+            throw new ValidationError('Exactly one of transitionDate or transitionAfter must be specified in lifecycle rule transition', self);
+          }
+
+          if (hasTransitionDate && hasTransitionAfter) {
+            throw new ValidationError('Exactly one of transitionDate or transitionAfter must be specified in lifecycle rule transition', self);
+          }
+        }
+      }
+
       const x: CfnBucket.RuleProperty = {
         // eslint-disable-next-line max-len
         abortIncompleteMultipartUpload: rule.abortIncompleteMultipartUploadAfter !== undefined ? { daysAfterInitiation: rule.abortIncompleteMultipartUploadAfter.toDays() } : undefined,
@@ -2665,7 +2681,7 @@ export class Bucket extends BucketBase {
     }
 
     if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
-      throw new ValidationError (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`, this);
+      throw new ValidationError(`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`, this);
     }
 
     return {

packages/aws-cdk-lib/aws-s3/test/rules.test.ts

@@ -337,6 +337,46 @@ describe('rules', () => {
     });
   });
 
+  test('throws when neither transitionDate nor transitionAfter is specified', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new Bucket(stack, 'Bucket', {
+      lifecycleRules: [{
+        transitions: [{
+          storageClass: StorageClass.GLACIER,
+        }],
+      }],
+    });
+
+    // THEN
+    expect(() => {
+      Template.fromStack(stack).toJSON();
+    }).toThrow('Exactly one of transitionDate or transitionAfter must be specified in lifecycle rule transition');
+  });
+
+  test('throws when both transitionDate and transitionAfter are specified', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new Bucket(stack, 'Bucket', {
+      lifecycleRules: [{
+        transitions: [{
+          storageClass: StorageClass.GLACIER,
+          transitionDate: new Date('2023-01-01'),
+          transitionAfter: Duration.days(30),
+        }],
+      }],
+    });
+
+    // THEN
+    expect(() => {
+      Template.fromStack(stack).toJSON();
+    }).toThrow('Exactly one of transitionDate or transitionAfter must be specified in lifecycle rule transition');
+  });
+
   describe('required properties for rules', () => {
     test('throw if there is a rule doesn\'t have required properties', () => {
       const stack = new Stack();