test(ec2): harden real SG-enforcement test against reconcile-timing flake #1768

Merged: vieiralucas merged 1 commit into main from worktree-ec2-harden-enforcement-test, Jun 18, 2026

@vieiralucas vieiralucas commented Jun 18, 2026

Summary

The new privileged `ec2_sg_enforcement_real` test (from #1765) flaked on a loaded CI runner: the deny step pinged once fakecloud's nft table merely existed, but the table can appear from one instance's reconcile while the other instance's default-deny rule is still pending — a race.

  • Wait for the target instance's specific `ip daddr <ip> drop` rule (`wait_for_deny_rule`) instead of just the table.
  • Widen the ping poll window to ~30s for slow runners.

No production code change — test robustness only.

Test plan

  • `cargo clippy -p fakecloud-e2e --all-targets -- -D warnings` clean; the privileged sg-enforcement job exercises it.

Summary by cubic

Hardened the real EC2 SG enforcement test to remove reconcile-timing flakes by waiting for the target instance’s specific default-deny rule and extending the ping poll window to ~30s. No production code changes; test reliability only.

  • Bug Fixes
    • Wait for the target instance’s `ip daddr <ip> drop` rule in `inet fakecloud_ec2` before asserting deny; clearer failure if the rule never appears.
    • Increase ping retry window from ~10s to ~30s for slow CI runners.

Written for commit ad4096e. Summary will update on new commits.

…lake

The deny step pinged once fakecloud's nft table merely existed, but the table
can appear from one instance's reconcile while the other's default-deny rule is
still pending — a race that flakes on a loaded CI runner. Wait for the target
instance's specific `ip daddr <ip> drop` rule instead, and widen the ping
poll window to ~30s.
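
The race and the fix described above, as an added sketch that is not fakecloud's own test code: it waits for the per-instance rule rather than for the table, and reports which of the two was missing on timeout. The name `wait_for_deny_rule` is borrowed from the PR, but its body, the `list_table` callback, the sample listings, the chain name and the IPs are assumptions constructed for illustration.

```rust
use std::time::{Duration, Instant};

// Constructed `nft list table inet fakecloud_ec2` output (chain name and IPs are
// made up): instance A's reconcile created the table, B's rule is still pending.
const A_ONLY: &str = "table inet fakecloud_ec2 {\n chain fwd {\n  ip daddr 10.0.0.10 drop\n }\n}";
// The same table once instance B (10.0.0.1) has been reconciled as well.
const BOTH: &str = "table inet fakecloud_ec2 {\n chain fwd {\n  ip daddr 10.0.0.10 drop\n  ip daddr 10.0.0.1 drop\n }\n}";

/// True when the listing holds a drop rule for exactly `ip`. Tokens are compared
/// whole, so a rule for 10.0.0.10 never satisfies a wait on 10.0.0.1.
fn has_deny_rule(listing: &str, ip: &str) -> bool {
    listing.lines().any(|line| {
        let t: Vec<&str> = line.split_whitespace().collect();
        t.windows(4).any(|w| w == ["ip", "daddr", ip, "drop"])
    })
}

/// Polls `list_table` (None = table absent) until the rule for `ip` is present.
fn wait_for_deny_rule(mut list_table: impl FnMut() -> Option<String>, ip: &str,
                      timeout: Duration, interval: Duration) -> Result<(), String> {
    let deadline = Instant::now() + timeout;
    loop {
        let listing = list_table();
        if listing.as_deref().map_or(false, |l| has_deny_rule(l, ip)) {
            return Ok(());
        }
        if Instant::now() >= deadline {
            return Err(match listing {
                None => format!("table never appeared while waiting for {ip}"),
                Some(l) => format!("table exists but lacks `ip daddr {ip} drop`:\n{l}"),
            });
        }
        std::thread::sleep(interval);
    }
}

/// Replays a reconcile: table missing, then A only, then both if `b_arrives`.
fn replay(b_arrives: bool) -> Result<(), String> {
    let mut polls = 0;
    let list = move || {
        polls += 1;
        let late = if b_arrives { BOTH } else { A_ONLY };
        match polls { 1 => None, 2 | 3 => Some(A_ONLY.to_string()), _ => Some(late.to_string()) }
    };
    wait_for_deny_rule(list, "10.0.0.1", Duration::from_millis(200), Duration::from_millis(5))
}

fn main() {
    println!("B reconciled: {:?}; B never reconciled: {:?}", replay(true), replay(false));
}
```

A check that only tests for the table's existence would pass on the `A_ONLY` listing, which is the state in which a deny assertion against instance B is premature.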

codecov Bot commented Jun 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@vieiralucas vieiralucas merged commit 505bd2a into main Jun 18, 2026
53 of 54 checks passed
@vieiralucas vieiralucas deleted the worktree-ec2-harden-enforcement-test branch June 18, 2026 23:18