Description
I have recently been using aws-nuke mainly for migrating resources between AWS accounts. One thing that always gives me goosebumps is when I only need a complete list of the resources in the legacy production account that need to be migrated to the new account.
The blocklist can only be used to block the account ID entirely; what I need is a blocklist that only prevents deleting the resources while still allowing reads.
I tried to change the role used to run aws-nuke, but there are always some resources whose access is denied when AdministratorAccess is not used. I tried denying delete* actions on top of the AdministratorAccess policy, but some resources use remove*, detach*, and so on.
It would be great if there were a second blocklist that only prevents the wet run while still allowing a dry run to be executed on that account.
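The workaround the post describes (keep AdministratorAccess for the dry run, but add an explicit Deny so a wet run cannot destroy anything) fails when the Deny only covers Delete*. The script below is an added example, not code from aws-nuke or from the issue author: it takes an inventory of IAM actions, classifies each by its verb prefix, and emits a Deny statement using per-service wildcards such as `iam:Detach*` so that Remove*, Detach*, Terminate* and similar verbs are covered alongside Delete*. The verb lists, the constructed sample inventory and the `BlockWetRun` statement ID are assumptions; in practice the inventory should be built from the calls aws-nuke actually makes (its source or CloudTrail in a dry run), and the generated policy would be attached to the nuke role next to AdministratorAccess, where an explicit Deny always wins.

```python
"""Generate an explicit IAM Deny policy for mutating actions so a dry run still
reads everything but a wet run is refused.  Added example; verb prefixes and the
sample action inventory are assumptions, not an exhaustive AWS list."""
import fnmatch
import json
from collections import defaultdict

# Verb prefixes of API calls that change or destroy state.  Assumption: this list
# is illustrative; the post shows Delete* alone misses Remove*, Detach*, etc.
MUTATING_VERBS = ("Delete", "Remove", "Detach", "Terminate", "Deregister",
                  "Disassociate", "Disable", "Release", "Revoke", "Unassign",
                  "Untag", "Cancel", "Purge")
# Verb prefixes a dry run needs; these must never end up in the Deny statement.
READ_VERBS = ("Describe", "List", "Get", "Head", "Lookup", "Query", "Search")

# Constructed sample inventory standing in for the actions a real run would call.
SAMPLE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:DisassociateRouteTable",
    "ec2:ModifyInstanceAttribute", "iam:ListRoles", "iam:DetachRolePolicy",
    "iam:DeleteRole", "s3:ListBucket", "s3:DeleteBucket", "sqs:RemovePermission",
    "rds:DeleteDBInstance",
]


def split_action(action):
    """Split 'service:ActionName' into its two parts, rejecting malformed input."""
    service, sep, name = action.partition(":")
    if not sep or not service or not name:
        raise ValueError(f"not an IAM action: {action!r}")
    return service, name


def verb_of(name, verbs):
    """Return the first prefix from `verbs` that `name` starts with, else None."""
    for verb in verbs:
        if name.startswith(verb):
            return verb
    return None


def classify(action):
    """'mutating', 'read', or 'other' (needs a human decision, e.g. Modify*)."""
    _, name = split_action(action)
    if verb_of(name, MUTATING_VERBS):
        return "mutating"
    if verb_of(name, READ_VERBS):
        return "read"
    return "other"


def build_deny_policy(actions, sid="BlockWetRun"):
    """Return (policy_document, actions_needing_review).

    Mutating actions are collapsed to per-service verb wildcards (iam:Delete*),
    which IAM accepts in the action name part; the service prefix is kept explicit.
    """
    verbs_by_service = defaultdict(set)
    review = []
    for action in actions:
        service, name = split_action(action)
        kind = classify(action)
        if kind == "mutating":
            verbs_by_service[service].add(verb_of(name, MUTATING_VERBS))
        elif kind == "other":
            review.append(action)
    patterns = sorted(f"{svc}:{verb}*"
                      for svc, verbs in verbs_by_service.items() for verb in verbs)
    policy = {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Deny",
                       "Action": patterns, "Resource": "*"}],
    }
    return policy, sorted(review)


def is_denied(policy, action):
    """Local check of whether a Deny statement in `policy` matches `action`.

    IAM matches action names case-insensitively, so both sides are lowercased.
    This only evaluates the generated Deny; it is not a full IAM simulator.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        patterns = statement["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    doc, needs_review = build_deny_policy(SAMPLE_ACTIONS)
    print(json.dumps(doc, indent=2))
    print("review manually:", needs_review)
```

Actions that fall into the `other` bucket (here `ec2:ModifyInstanceAttribute`) are returned separately rather than silently allowed or denied, because verbs like Modify* can be either harmless or destructive depending on the call; they need a per-action decision before the policy is trusted for a wet run.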