feat(aws-test-infra): add AWS test infrastructure provisioning action

[sowmyav27]

Summary

Fixes: ENGQA-702

A composite action that provisions and tears down AWS test infrastructure (VPC + subnet + IGW + route table + security group + EC2 instances) for e2e workflows. Built as a Go binary using aws-sdk-go-v2, unit-tested with hand-rolled mocks.

Replaces ~150 lines of duplicated Bash + aws-cli that previously lived inline in loft-sh/vcluster-pro's e2e-selinux-support-matrix.yaml and prerelease-vcluster.yaml workflows. A separate vcluster-pro PR migrates those workflows to use this action.

Why

• De-duplicate ~150 lines of identical AWS provisioning + teardown across two consumer workflows.
• Make it testable — DevOps's concern that hundreds of lines of inline Bash had no tests at all.
• Replace Bash with a typed language — Go, since the consumers already have actions/setup-go in place.

Design

Build-from-source: the action runs go build from src/ on every invocation. Mirrors run-ginkgo's pattern — assumes the consumer has Go available (via actions/setup-go). No separate release artifact lifecycle, no SHA-256 dance, no two-step "merge then tag then PR" coordination. Tag aws-test-infra/v1 is usable immediately after merge.

Two subcommands:

• provision: VPC/subnet/IGW/route table/SG/EC2/SSM-wait. Optional -ami-architecture and -ami-virtualization-type filter to preserve the safety net the original Bash had (defaults to x86_64 + hvm in action.yml).
• cleanup: best-effort direct teardown by ID, plus a tag-based sweep that catches resources from runs that failed before exporting IDs. Sweep errors are logged + swallowed by default to match set +e semantics of the original Bash teardown; -strict-sweep opts back into hard failure.

Outputs:

• Standard: vpc-id, igw-id, subnet-id, route-table-id, route-assoc-id, security-group-id, ami-id, primary-public-ip, instance-ids (CSV).
• Per-role named: primary-instance-id, worker1-instance-id, worker2-instance-id (covers the common 3-instance case).
• instance-id-by-role (JSON map): for consumers using arbitrary role names or non-three-instance counts.

Tests

29 top-level / 71 cases / 62.9% coverage. Cover:

• API call ordering and tag application on every resource
• The "return collected IDs on failure" contract that lets cleanup tear down failed provisions
• Tag-based sweep correctness (filter scope, dependency ordering)
• Strict-sweep error semantics for if: always() cleanup steps
• Dependency-order strict checks (disassoc-before-delete, terminate-before-VPC-delete)
• Ingress encoding round-trip
• Flag validation
• Output format wiring (GITHUB_OUTPUT append-mode, JSON map for arbitrary roles)

Test plan

• PR-time CI green (test-aws-test-infra.yaml: go test ./... + build verification)
• After merge, push tag aws-test-infra/v1 so the consumer PR (vcluster-pro engqa-aws-mig) can reference it
• Validate end-to-end via workflow_dispatch on e2e-selinux-support-matrix.yaml in vcluster-pro after the consumer PR merges (matrix runs on all 3 distros, cleanup leaves no orphans)
• Validate via workflow_dispatch on prerelease-vcluster.yaml (Kind shared-HA + EC2 standalone paths both pass, teardown succeeds)

[sydorovdmytro]

if info.PingStatus == ssmtypes.PingStatusOnline { is more accurate

[sydorovdmytro]

I would replace the account ID with some placeholder. It's a public repository and we should not expose any internal infra identifiers.

[sydorovdmytro]

If the DescribeSecurityGroups fails, we don't cleanup route tables, subnets, IGWs, or VPCs. The possible solution:

func sweepByTag(ctx context.Context, logger *slog.Logger, c EC2API, waiter EC2Waiter,
  runID string) error {
        logger.Info("running tag-based sweep", "run_id", runID)
        tagFilter := []types.Filter{{Name: aws.String("tag:RunID"), Values: []string{runID}}

        var errs []error

        // Instances
        instOut, err := c.DescribeInstances(ctx, &ec2.DescribeInstancesInput{
                Filters: append(append([]types.Filter{}, tagFilter...),
                        types.Filter{Name: aws.String("instance-state-name"),
                                Values: []string{"pending", "running", "stopping", "stopped"
        })
        if err != nil {
                errs = append(errs, fmt.Errorf("describe-instances (sweep): %w", err))
        } else {
                // ... terminate discovered instances (unchanged)
        }

        // Security groups
        sgOut, err := c.DescribeSecurityGroups(ctx, &ec2.DescribeSecurityGroupsInput{Filters
  tagFilter})
        if err != nil {
                errs = append(errs, fmt.Errorf("describe-security-groups (sweep): %w", err))
        } else {
                // ... delete discovered SGs (unchanged)
        }

        // ... same pattern for RouteTables, Subnets, IGWs, VPCs

        return errors.Join(errs...)
  }

[sydorovdmytro]

I'm not exactly sure about flag.ExitOnError. With malformed flags with no value or unexpected flags like -typo=foo the Go stdlib calls os.Exit(2) which makes Line 52 a dead code. Maybe flag.ContinueOnError would make more sense here.

Same for runProvision in provision.go

[sydorovdmytro]

This function looks obsolete and never used

[sydorovdmytro]

go test -v -race -count=1 ./...

[sydorovdmytro]

go test -v -race -count=1 ./...