test(tfacc): wire EC2 NAT/peering/DHCP-assoc/flow-log + fix peering-options & flow-log fidelity

[vieiralucas]

Summary

First batch of the EC2 acceptance-tree expansion for fakecloud-tfacc. The single ec2 shard previously ran only EIP/KeyPair + core VPC _basic families; this wires the next tranche of VPC control-plane resources (all already implemented in fakecloud-ec2, just untested against the upstream suite) and fixes the two fidelity gaps they surfaced.

New ec2-vpc2 shard (split out of ec2 to keep that job's wall time down and isolate the newer families), covering _basic for:

• VPCNATGateway
• VPCPeeringConnection
• VPCPeeringConnectionOptions
• VPCDHCPOptionsAssociation
• VPCFlowLog

Fidelity fixes the new tests forced:

• VPC peering options — DescribeVpcPeeringConnections / Create / Accept now emit <peeringOptions> (allowDnsResolutionFromRemoteVpc plus the two classic-link egress flags) inside both requesterVpcInfo and accepterVpcInfo. The accepter side appears once the connection is active. Previously the options set via ModifyVpcPeeringConnectionOptions were persisted but never surfaced on read, so the Terraform provider nil-dereferenced on the missing PeeringOptions struct (server-visible as a provider panic).
• VPC flow logs — CreateFlowLogs now reads and persists DeliverLogsPermissionArn and MaxAggregationInterval (AWS default 600), and DescribeFlowLogs returns <deliverLogsPermissionArn> + <maxAggregationInterval>. The provider asserts iam_role_arn and max_aggregation_interval round-trip.

The CI fan-out is auto-generated from SHARDS via the tfacc_shards bin, so the new shard is picked up automatically; the matching ec2_vpc2_acceptance test was added to tests/acc.rs. No hardcoded shard count to update.

Test plan

• All five families pass locally against a fresh fakecloud server:
  • VPCNATGateway_basic PASS
  • VPCPeeringConnection_basic PASS
  • VPCPeeringConnectionOptions_basic PASS (was a provider nil-panic)
  • VPCDHCPOptionsAssociation_basic PASS
  • VPCFlowLog_basic PASS (was failing on missing iam_role_arn / max_aggregation_interval)
• cargo test -p fakecloud-ec2 — 54 passed
• cargo clippy -p fakecloud-ec2 -p fakecloud-tfacc --all-targets -- -D warnings clean; cargo fmt applied.

Surface check

• No new public API / introspection endpoint — these are EC2 response fields the SDKs already model, so no first-party SDK change.
• FlowLog struct gained two fields with #[serde(default)] (+ a 600 default fn), so persisted snapshots from older versions deserialize fine.
• tfacc service list in docs/about/conformance.md is unchanged: ec2 is already listed; this batch deepens resource coverage within that service rather than adding a service. (Note: that page's "27 services today" line is stale from earlier batches independent of this change.)

Follow-on batches

EIP association (needs instance launch + DescribeInstanceTypeOfferings, Docker), VPC endpoints / managed prefix lists / customer & VPN gateways (a provider panic aborts that group — needs its own investigation), then RDS and Lambda trees.

---

Summary by cubic

Adds an ec2-vpc2 acceptance shard to fakecloud-tfacc for more EC2 VPC resources, and fixes EC2 peering options and flow log fields to match AWS so provider reads don’t crash and values round-trip.

• New Features

  • New ec2-vpc2 shard covering _basic: VPCNATGateway, VPCPeeringConnection, VPCPeeringConnectionOptions, VPCDHCPOptionsAssociation, VPCFlowLog.
  • Added ec2_vpc2_acceptance test; CI picks it up automatically via tfacc_shards.

• Bug Fixes

  • Peering options: DescribeVpcPeeringConnections now includes <peeringOptions> in both requesterVpcInfo and accepterVpcInfo (after active), matching ModifyVpcPeeringConnectionOptions and preventing a nil deref.
  • Flow logs: CreateFlowLogs/DescribeFlowLogs now persist and return deliverLogsPermissionArn and maxAggregationInterval (defaults to 600).

^{Written for commit 4d328be. Summary will update on new commits.}