Support non-us-east-1 regions for terminator #333

Open
jonpspri wants to merge 3 commits into mattclay:main from jonpspri:other_regions

Conversation

@jonpspri commented Feb 14, 2026

Summary

  • Make terminator region configurable via TEST_REGION environment variable (default: us-east-1)
  • Make SSM bucket name configurable via SSM_BUCKET_NAME environment variable (default: ssm-encrypted-test-bucket)
  • Add _create() region override for global AWS services (CloudFront-scoped WAFv2)
  • Split WAF Classic and WAFv2 read actions out of region-restricted IAM policy statements since they use global endpoints
  • Add SSM encrypted test bucket creation step to deploy-test-policy.yml
  • Move config.yml to config.yml.example and gitignore the real config (contains account IDs)
  • Remove temporary hard-coded ARN for old Lambda account from test role trust policy

Test plan

  • Verify terminator Lambda runs without WAF/WAFv2 access errors
  • Verify CloudFront-scoped WAFv2 terminator classes work from non-us-east-1 regions
  • Verify SSM bucket is created by deploy-test-policy.yml
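The region handling the summary describes, as an added example that is not the aws-terminator project's own code: a client factory in the shape of the PR's _create() region override, with TEST_REGION read from the environment (default us-east-1) and CloudFront-scoped WAFv2 pinned to us-east-1 while REGIONAL scope follows TEST_REGION. The names configured_region, create_client, wafv2_region, list_web_acls and the StubWafv2Client stand-in are assumptions so it runs offline; boto3.client is the real API used when no factory is injected.

```python
import os
from typing import Callable, Mapping, Optional

DEFAULT_REGION = "us-east-1"


def configured_region(env: Optional[Mapping[str, str]] = None) -> str:
    """Region the terminator runs in: TEST_REGION env var, default us-east-1."""
    env = os.environ if env is None else env
    return env.get("TEST_REGION", DEFAULT_REGION)


def create_client(service: str, region_name: Optional[str] = None,
                  env: Optional[Mapping[str, str]] = None,
                  client_factory: Optional[Callable] = None):
    """Shape of the PR's _create() override: an explicit region_name wins,
    otherwise the configured TEST_REGION. Without an injected factory this
    falls back to boto3.client(service_name, region_name=...) (real API)."""
    if client_factory is None:
        import boto3
        client_factory = boto3.client
    return client_factory(service, region_name=region_name or configured_region(env))


def wafv2_region(scope: str, env: Optional[Mapping[str, str]] = None) -> str:
    """CloudFront-scoped WAFv2 is only served from us-east-1; REGIONAL scope
    follows TEST_REGION like every other regional service."""
    return DEFAULT_REGION if scope == "CLOUDFRONT" else configured_region(env)


def list_web_acls(scope: str, env=None, client_factory=None) -> list:
    """List WAFv2 web ACLs for a scope, pinning the client region as needed."""
    client = create_client("wafv2", region_name=wafv2_region(scope, env),
                           env=env, client_factory=client_factory)
    return client.list_web_acls(Scope=scope)["WebACLs"]


class StubWafv2Client:
    """Constructed stand-in for a boto3 WAFv2 client so the example runs offline."""
    def __init__(self, service: str, region_name: str):
        self.service, self.region_name = service, region_name

    def list_web_acls(self, Scope: str) -> dict:
        # Mimic the real service, which rejects CLOUDFRONT scope outside us-east-1.
        if Scope == "CLOUDFRONT" and self.region_name != DEFAULT_REGION:
            raise RuntimeError("CLOUDFRONT scope must be called in us-east-1")
        return {"WebACLs": [{"Name": f"{Scope.lower()}-acl", "Region": self.region_name}]}
```

With TEST_REGION=eu-west-1, list_web_acls("REGIONAL", ...) talks to eu-west-1 while list_web_acls("CLOUDFRONT", ...) still goes to us-east-1, which is the error the PR's override removes.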

Copilot AI review requested due to automatic review settings February 14, 2026 18:42

Copilot AI left a comment

Pull request overview

Adds configurability and regional flexibility to the AWS “terminator” Lambda and associated test/deploy infrastructure so integration tests can run outside us-east-1 while still handling global AWS endpoints correctly.

Changes:

  • Make terminator region (TEST_REGION) and SSM test bucket name (SSM_BUCKET_NAME) configurable via environment variables (with defaults).
  • Add region_name override support to _create() and force us-east-1 for CloudFront-scoped WAFv2 list operations.
  • Update IAM policy structure for global WAF/WAFv2 endpoints and add an Ansible step to ensure the persistent SSM test bucket exists; rename and ignore local aws/config.yml.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.

Summary per file:

  • aws/terminator/storage_services.py: Uses SSM_BUCKET_NAME constant for S3 ignore/cleanup behavior.
  • aws/terminator/application_security.py: Forces WAFv2 CloudFront scope discovery via us-east-1 client region override.
  • aws/terminator/__init__.py: Reads TEST_REGION/SSM_BUCKET_NAME from env and adds optional region_name to _create().
  • aws/terminator.yml: Passes new env vars into the terminator Lambda configuration.
  • aws/policy/application-security.yaml: Splits global WAF Classic + WAFv2 read/list actions into non-region-restricted statements.
  • aws/deploy-test-policy.yml: Adds Ansible task to create the persistent encrypted S3 bucket for SSM plugin tests.
  • aws/config.yml.example: Provides example config including ssm_bucket_name.
  • .gitignore: Ignores local aws/config.yml (and .envrc).

Comments suppressed due to low confidence (1)

aws/terminator/storage_services.py:66

  • paginate_objects initializes bucket_contents as {} but returns list_bucket_objects_result['Contents'] (a list) when present. Returning a consistent list type (e.g., [] when empty) avoids confusing callers and makes the behavior/type expectations clearer.
    list_bucket_objects_result = client.get_paginator('list_objects_v2').paginate(Bucket=SSM_BUCKET_NAME).build_full_result()
    bucket_contents = {}
    if list_bucket_objects_result.get('Contents'):
        bucket_contents = list_bucket_objects_result['Contents']
    return bucket_contents

@jonpspri force-pushed the other_regions branch 2 times, most recently from a87d6aa to 4eec831 on February 14, 2026 21:32
Add early assertion for ssm_bucket_name in both deploy-test-policy.yml
and terminator.yml to surface a clear error if the variable is missing
from config.yml.
@mattclay (Owner)

@jonpspri Is there a PR that these changes are in support of?

@jonpspri (Author)

Not directly. I'm working in eu-west-1 as my primary operating region. I'm testing aws-terminator in that region (as part of testing #330 and #332) -- these are the changes I've had to make for it to be cleanly runnable in that region (no error messages) and easily refreshed from the command line.

Biggest challenge was "global" services that always expect us-east-1 regardless of what region you're calling from (e.g. waf, part of waf2).

@mattclay (Owner) left a comment

@jonpspri A significant portion of the changes in this PR appear to be unrelated to making it easier to work with an alternative region. Please omit the unrelated changes from this PR to make it easier to review.
