Maker hard-coded 8s sleep after IAM steps — replace with detect-and-retry

[rafeegnash]

Problem

internal/maker/exec.go:582-587 hard-codes time.Sleep(8 * time.Second) after every iam create-role, create-instance-profile, add-role-to-instance-profile. The sleep:

1. Fires on every IAM step regardless of whether a subsequent step consumes it (waste)
2. Is insufficient for real-world IAM propagation (10–60s observed) — so subsequent steps still fail with InvalidParameterValue: Invalid IAM Instance Profile or AssumeRoleException: cannot be assumed
3. The Lambda-specific retryLambdaCreateFunctionOnAssumeRole in internal/maker/retry.go already demonstrates the right pattern

Where

internal/maker/exec.go:582-587

Fix

Remove the unconditional sleep. Move IAM-propagation handling into the failure path: detect the specific error strings (InvalidParameterValue.*Invalid IAM Instance Profile, AssumeRoleException.*cannot be assumed) and retry the affected step with exponential backoff. Mirror retryLambdaCreateFunctionOnAssumeRole.

Acceptance criteria

• No time.Sleep in the IAM step path
• A subsequent step that depends on IAM propagation auto-retries up to 60s with exponential backoff
• A ec2 run-instances step that hits Invalid IAM Instance Profile retries instead of failing the plan
• Total plan execution time DROPS on plans without IAM (the unconditional sleep is removed) and SUCCEEDS more often on plans with IAM