
core - filters - add value-list filter

Open thisisshi opened this issue 2 years ago • 3 comments

This PR adds a new in-memory filter, value-list, which allows you to do a composite filter on elements in a list on the resource without having to fall back on advanced JMESPath expressions:

policies:
  - name: task-def-with-non-registry-images
    resource: aws.ecs-task-definition
    filters:
        - type: value-list
          key: containerDefinitions
          value:
            - not:
              - type: value
                key: image
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex

Hat tip @ajkerrigan for the following example:

- type: value
  key: |
    properties.securityRules[?(
      starts_with(properties.sourceAddressPrefix, '1.2.')
      && properties.destinationPortRange == '22'
    )]
  value: not-null

Turns into:

- type: value-list
  key: properties.securityRules[]
  value:
    - type: value
      key: properties.sourceAddressPrefix
      value_type: cidr
      op: in
      value: '1.2.0.0/16'
    - type: value
      key: properties.destinationPortRange
      value_type: integer
      value: 22

Sep 07 '22 23:09 thisisshi

@ajkerrigan

  • sounds good, pushed a PR to annotate with c7n:ValueListMatches with the JMESPath to the element(s) that matched
  • I don't think there will be a case where key will be something other than a list; if it's a subdict you would be able to just construct the filters with normal value filters. For the name, I'm amenable to changes; value-list just happened to be the first name I thought of

Sep 08 '22 16:09 thisisshi

thinking on names, was thinking about list-item, since it's about multi attribute on an item in the list, thoughts?

Sep 09 '22 19:09 kapilt

@kapilt list-item sounds good to me

Sep 09 '22 20:09 thisisshi
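
The same-element matching discussed in this thread, modelled in standalone Python as an added example; it is not cloud-custodian's implementation. The helper names, the handling of `not` and `op`, and the returned path format are assumptions, and the sample resources are constructed.

```python
import ipaddress
import re

def _get(item, dotted_key):  # walk a dotted key such as properties.destinationPortRange
    for part in dotted_key.split("."):
        item = item.get(part) if isinstance(item, dict) else None
    return item

def _coerce(actual, expected, value_type):
    if value_type == "cidr":
        return tuple(ipaddress.ip_network(v, strict=False) for v in (actual, expected))
    if value_type == "integer":
        return int(actual), int(expected)
    return actual, expected

def match_one(item, flt):
    """Evaluate one sub-filter against a single list element."""
    if "not" in flt:  # assumed: negates the AND of its child filters
        return not all(match_one(item, f) for f in flt["not"])
    actual = _get(item, flt["key"])
    if actual is None:
        return False
    try:
        actual, expected = _coerce(actual, flt["value"], flt.get("value_type"))
        op = flt.get("op", "eq")
        if op == "in":  # only CIDR containment is modelled here
            return actual.subnet_of(expected)
        if op == "regex":
            return re.match(expected, actual) is not None
        return actual == expected
    except (ValueError, TypeError):  # "*", "22-80", mixed IP versions: no match
        return False

def value_list(resource, key, filters):
    """Paths of the elements where ALL sub-filters match the SAME element."""
    base = key[:-2] if key.endswith("[]") else key
    items = _get(resource, base) or []
    return [f"{base}[{i}]" for i, item in enumerate(items)
            if all(match_one(item, f) for f in filters)]

# Constructed sample data; FILTERS mirrors the sub-filters of the second example.
FILTERS = [
    {"key": "properties.sourceAddressPrefix", "value_type": "cidr", "op": "in", "value": "1.2.0.0/16"},
    {"key": "properties.destinationPortRange", "value_type": "integer", "value": 22},
]
def rule(src, port):
    return {"properties": {"sourceAddressPrefix": src, "destinationPortRange": port}}
SPLIT = {"properties": {"securityRules": [rule("1.2.3.0/24", "443"), rule("10.0.0.0/8", "22")]}}
EXPOSED = {"properties": {"securityRules": [rule("10.0.0.0/8", "22"), rule("1.2.9.9", "22")]}}
```

`SPLIT` satisfies each condition on a different rule and yields no match, while `EXPOSED` yields the path of the single rule that satisfies both.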