add wafv2 permissions #136

Merged

merged 20 commits into from Mar 17, 2021

Conversation

@markuman (Contributor, Author) commented Mar 1, 2021

@jillr @tremble @mattclay

Azure pipeline blames the policy size.

oversized_policies

Any ideas on how to split it?
And does a terminator class for every module also need to be created?

@jillr (Collaborator) left a comment

We don't need a terminator class for every module but we do need one for every resource that isn't already covered. I only took a quick look at your PRs, looks like you have webacl and ipset resources which would need classes, did I miss any?

@markuman (Contributor, Author) replied

looks like you have webacl and ipset resources which would need classes, did I miss any?

@jillr yes :)

  • web_acl
  • ip_set
  • rule_group
  • disassociate_web_acl and associate_web_acl

I've added a draft for WafV2IpSetRegion. But I've no idea and I'm a bit lost. I've no idea what to do with the created_time method. Furthermore, do I need to duplicate everything? Because all wafv2 methods require a scope, which can be `REGIONAL` or `CLOUDFRONT`.

@tremble (Contributor) left a comment

Re created:
list_ip_sets doesn't return any information about creation time. The DbTerminator class records the first time it sees an object and automatically approximates the age based off of this first encounter.

Re regional vs cloudfront:
_create generates a list of objects, each class can simply run both the boto3 list actions and combine the two lists.

@jillr (Collaborator) commented Mar 15, 2021

450 passes with the policies in this latest revision but the terminator classes still fail when a resource exists.

$ python3 cleanup.py --target WafV2IpSet --target WafV2RuleGroup --target WafV2WebAcl --stage dev -vvv -c
cleanup     : DEBUG    Config path: config.yml
cleanup     : DEBUG    located WafV2IpSet: count=0
cleanup     : DEBUG    located WafV2IpSet: count=0
cleanup     : DEBUG    located WafV2RuleGroup: count=1
cleanup     : ERROR    {"message": "exception processing resource type: <class 'terminator.security_services.WafV2RuleGroup'>", "traceback": "Traceback (most recent call last):\n  File \"/home/jill/src/aws-terminator/aws/terminator/__init__.py\", line 86, in cleanup_test_account\n    instances = terminator_type.create(credentials)\n  File \"/home/jill/src/aws-terminator/aws/terminator/security_services.py\", line 312, in create\n    item.update({\"Scope\": \"REGIONAL\"})\nAttributeError: 'WafV2RuleGroup' object has no attribute 'update'"}
cleanup     : DEBUG    located WafV2WebAcl: count=1
cleanup     : ERROR    {"message": "exception processing resource type: <class 'terminator.security_services.WafV2WebAcl'>", "traceback": "Traceback (most recent call last):\n  File \"/home/jill/src/aws-terminator/aws/terminator/__init__.py\", line 86, in cleanup_test_account\n    instances = terminator_type.create(credentials)\n  File \"/home/jill/src/aws-terminator/aws/terminator/security_services.py\", line 328, in create\n    item.update({\"Scope\": \"REGIONAL\"})\nAttributeError: 'WafV2WebAcl' object has no attribute 'update'"}
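The two points above, tremble's description of how a terminator class can run the boto3 list action for both scopes and combine the results, and of how DbTerminator approximates age from the first sighting, plus the `'WafV2RuleGroup' object has no attribute 'update'` failure in jillr's log, can be shown together in one small script. This is an added example, not code from aws-terminator or from anyone in this thread: `FakeWafv2Client` is a constructed stand-in for the boto3 `wafv2` client (only `list_ip_sets` is modelled, with the real response shape), `WafV2IpSetRecord` and `FirstSeenTracker` are hypothetical simplified classes standing in for the project's DbTerminator machinery, and the IP set names and ids are made up. The scope is attached to each dict before a record object is built from it, which is what the traceback shows going wrong when `update` is called on the already-constructed object.

```python
"""Added example (not aws-terminator project code): merge REGIONAL and
CLOUDFRONT WAFv2 listings into one scope-tagged list and approximate age
from the first time an object was seen."""
from datetime import datetime, timedelta, timezone

SCOPES = ("REGIONAL", "CLOUDFRONT")


class FakeWafv2Client:
    """Constructed stand-in for boto3's wafv2 client; only list_ip_sets."""

    def __init__(self, ip_sets_by_scope):
        self._ip_sets_by_scope = ip_sets_by_scope

    def list_ip_sets(self, Scope):
        # Same shape as the real response: the summaries sit under 'IPSets'.
        return {"IPSets": [dict(item) for item in self._ip_sets_by_scope.get(Scope, [])]}


def list_ip_sets_all_scopes(client):
    """Call list_ip_sets once per scope and return one combined list.

    The scope is written into each *dict* while it is still a dict. Calling
    .update() on a terminator object built from the dict (as in the traceback
    in the thread) fails, because that object is not a dict.
    """
    combined = []
    for scope in SCOPES:
        for item in client.list_ip_sets(Scope=scope)["IPSets"]:
            item["Scope"] = scope
            combined.append(item)
    return combined


class WafV2IpSetRecord:
    """Hypothetical simplified stand-in for a DbTerminator-style class: it
    keeps the raw dict and exposes the scope a later delete call would need."""

    def __init__(self, instance):
        self.instance = instance

    @property
    def name(self):
        return self.instance["Name"]

    @property
    def scope(self):
        return self.instance["Scope"]


class FirstSeenTracker:
    """Approximates age for objects whose list API carries no creation time:
    the timestamp of the first sighting is recorded and age is measured from
    it (the approach the thread attributes to DbTerminator; this is an added,
    simplified illustration, not the project's implementation)."""

    def __init__(self):
        self._first_seen = {}

    def observe(self, key, now):
        self._first_seen.setdefault(key, now)
        return self._first_seen[key]

    def age(self, key, now):
        return now - self._first_seen[key]


def find_stale(records, tracker, now, max_age):
    """Return the records whose approximated age is at least max_age."""
    stale = []
    for record in records:
        key = (record.scope, record.instance["Id"])  # ids are per scope
        tracker.observe(key, now)
        if tracker.age(key, now) >= max_age:
            stale.append(record)
    return stale


# Constructed sample data: one IP set in each scope.
SAMPLE_IP_SETS = {
    "REGIONAL": [{"Name": "ansible-test-regional", "Id": "id-regional-1"}],
    "CLOUDFRONT": [{"Name": "ansible-test-cf", "Id": "id-cf-1"}],
}


def demo():
    """Two cleanup passes three minutes apart with a two minute age limit:
    returns (records found, stale on pass 1, stale on pass 2)."""
    client = FakeWafv2Client(SAMPLE_IP_SETS)
    records = [WafV2IpSetRecord(item) for item in list_ip_sets_all_scopes(client)]
    tracker = FirstSeenTracker()
    t0 = datetime(2021, 3, 15, 12, 0, tzinfo=timezone.utc)
    limit = timedelta(minutes=2)
    first_pass = find_stale(records, tracker, t0, limit)
    second_pass = find_stale(records, tracker, t0 + timedelta(minutes=3), limit)
    return len(records), len(first_pass), len(second_pass)


if __name__ == "__main__":
    print(demo())
```

On the first pass nothing is old enough to terminate, because the tracker has only just recorded each object; on a pass three minutes later both IP sets exceed the two minute limit, which matches the short age limit jillr used for the local termination test. Against the real boto3 client the same loop applies unchanged, with `NextMarker` pagination added for accounts with many objects.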

@markuman markuman requested a review from jillr March 17, 2021 15:20
@jillr (Collaborator) left a comment

Tested locally, including a termination (I added a 2 minute age limit and used the tests in 450). Everything looks good to me now, thanks very much for this one @markuman!

Will deploy after merge.

@jillr jillr merged commit 560bb60 into mattclay:master Mar 17, 2021