Fix ec2_instance eventual consistency when wait: false (#51885)

* Do not return 'instances' when wait is false

* Added integration tests for wait: false

* Added changelog fragment

* Fix test suite to work with ec2_instance

* Additional permissions
* Enforce boto3 version
* Fix broken tests
* Improve error messages

* fix linter issues

hacking/aws_config/testing_policies/compute-policy.json

@@ -42,6 +42,7 @@
                 "ec2:AssociateVpcCidrBlock",
                 "ec2:AssociateSubnetCidrBlock",
                 "ec2:AttachInternetGateway",
+                "ec2:AttachNetworkInterface",
                 "ec2:AttachVpnGateway",
                 "ec2:CreateCustomerGateway",
                 "ec2:CreateDhcpOptions",
@@ -80,6 +81,7 @@
                 "ec2:DisassociateSubnetCidrBlock",
                 "ec2:ImportKeyPair",
                 "ec2:ModifyImageAttribute",
+                "ec2:ModifyInstanceAttribute",
                 "ec2:ModifySubnetAttribute",
                 "ec2:ModifyVpcAttribute",
                 "ec2:RegisterImage",
@@ -102,6 +104,8 @@
                 "ec2:RevokeSecurityGroupEgress",
                 "ec2:RevokeSecurityGroupIngress",
                 "ec2:RunInstances",
+                "ec2:StartInstances",
+                "ec2:StopInstances",
                 "ec2:TerminateInstances",
                 "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                 "ec2:UpdateSecurityGroupRuleDescriptionsEgress"

hacking/aws_config/testing_policies/container-policy.json

@@ -45,8 +45,6 @@
             "ecs:StopTask",
             "ecs:UpdateService",
             "elasticloadbalancing:Describe*",
-            "iam:AttachRolePolicy",
-            "iam:CreateRole",
             "iam:GetPolicy",
             "iam:GetPolicyVersion",
             "iam:GetRole",

hacking/aws_config/testing_policies/security-policy.json

@@ -26,6 +26,43 @@
             "Effect": "Allow",
             "Sid": "AllowReadOnlyIAMUse"
         },
+        {
+            "Action": [
+                "iam:AttachRolePolicy",
+                "iam:CreateRole",
+                "iam:DeleteRole",
+                "iam:DetachRolePolicy",
+                "iam:PassRole"
+             ],
+            "Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
+            "Effect": "Allow",
+            "Sid": "AllowUpdateOfSpecificRoles"
+        },
+        {
+            "Action": [
+                "iam:CreateInstanceProfile",
+                "iam:DeleteInstanceProfile",
+                "iam:AddRoleToInstanceProfile",
+                "iam:RemoveRoleFromInstanceProfile"
+             ],
+            "Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
+            "Effect": "Allow",
+            "Sid": "AllowUpdateOfSpecificInstanceProfiles"
+        },
+        {
+            "Action": [
+                "ec2:ReplaceIamInstanceProfileAssociation"
+             ],
+            "Resource": "*",
+            "Condition": {
+              "ArnEquals": {
+                "ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
+              }
+            },
+            "Effect": "Allow",
+            "Sid": "AllowReplacementOfSpecificInstanceProfiles"
+        },
+
         {
             "Sid": "AllowWAFusage",
             "Action": "waf:*",