@kiwimato
Created October 11, 2021 16:24
Scripts to help automate the removal of WAF v1 resources in Amazon. They iterate through most resource types and remove them. This is a beta and is not fully tested.
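# Credential wrapper: runs the given command line under an aws-vault profile.
# Configure the profile name ("foobar") for your own AWS credentials.
# Every call site in this file invokes it as `aws_credentials -- aws waf ...`,
# so the arguments must be forwarded; without "$@" aws-vault would be started
# with no command and the aws call would never run.
# Everything below is destructive and acts on whichever account this profile
# resolves to, so confirm the profile before running the file.
# Arguments: the command to execute, conventionally preceded by `--`.
# Returns:   the exit status of aws-vault.
function aws_credentials(){
  aws-vault exec foobar "$@"
}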
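# Remove every filter (descriptor, constraint, tuple) from each condition set
# of one condition type.
# Arguments:
#   $1 - plural resource name as used by `aws waf list-*` (e.g. ip-sets)
#   $2 - jq filter that yields the set ids from the list-* output
#   $3 - jq filter that yields one filter object per result from the get-* output
#   $4 - key that names the filter inside an update entry (e.g. IPSetDescriptor)
# Outputs:   prints each filter (compact JSON) before requesting its removal.
# Returns:   non-zero if a jq step fails; a failed update call does not stop
#            the loop, so one bad entry does not block the rest.
# Destructive: each update call removes a filter from the live WAF configuration.
function remove_filters(){
  local command=$1
  local jq_extract_sets=$2
  local jq_extract_set_id=$3
  local update_field=$4
  local singular=${command%s}   # ip-sets -> ip-set
  local set_ids set_id conditions condition updates change_token

  set_ids=$(aws_credentials -- aws waf "list-${command}" | jq -r "$jq_extract_sets") || return

  # The lists are read on fds 3 and 4 so that stdin stays available to the
  # credential wrapper inside the loop bodies.
  while IFS= read -r set_id <&3; do
    [[ -n "$set_id" ]] || continue
    conditions=$(aws_credentials -- aws waf "get-${singular}" "--${singular}-id" "$set_id" \
      | jq -c "$jq_extract_set_id") || return

    while IFS= read -r condition <&4; do
      [[ -n "$condition" ]] || continue
      printf '%s\n' "$condition"
      # Pass the update as JSON rather than rewriting the object into CLI
      # shorthand: replacing every ':' with '=' corrupts values that contain
      # colons themselves, such as IPv6 addresses.
      updates=$(jq -nc --arg field "$update_field" --argjson item "$condition" \
        '[{Action: "DELETE", ($field): $item}]') || return
      change_token=$(aws_credentials -- aws waf get-change-token | jq -r .ChangeToken) || return
      aws_credentials -- aws waf "update-${singular}" --change-token "$change_token" \
        "--${singular}-id" "$set_id" --updates "$updates"
    done 4<<<"$conditions"
  done 3<<<"$set_ids"
}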
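# Empty the condition sets. Each call names the resource type, the jq filter
# for the set ids, the jq filter for the entries of one set, and the update key.
remove_filters ip-sets '.IPSets[].IPSetId' '.IPSet.IPSetDescriptors[]' 'IPSetDescriptor'
remove_filters size-constraint-sets '.SizeConstraintSets[].SizeConstraintSetId' '.SizeConstraintSet.SizeConstraints[]' 'SizeConstraint'
# get-xss-match-set returns a single XssMatchSet object, so the tuples are
# found under .XssMatchSet.XssMatchTuples[], in line with the two calls above.
remove_filters xss-match-sets '.XssMatchSets[].XssMatchSetId' '.XssMatchSet.XssMatchTuples[]' 'XssMatchTuple'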
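# Delete every condition set of one condition type.
# (Original author's note: should also work with rules.)
# Arguments:
#   $1 - plural resource name as used by `aws waf list-*` (e.g. ip-sets)
#   $2 - jq filter that yields the set ids from the list-* output
# Returns:   non-zero if a jq step fails; a failed delete call does not stop
#            the loop.
# Destructive: each delete call removes a condition set from the account.
function delete_conditions(){
  local command=$1
  local jq_extract_sets=$2
  local singular=${command%s}   # ip-sets -> ip-set
  local set_ids set_id change_token

  set_ids=$(aws_credentials -- aws waf "list-${command}" | jq -r "$jq_extract_sets") || return

  # The id list is read on fd 3 so that stdin stays available to the
  # credential wrapper inside the loop body.
  while IFS= read -r set_id <&3; do
    [[ -n "$set_id" ]] || continue
    change_token=$(aws_credentials -- aws waf get-change-token | jq -r .ChangeToken) || return
    aws_credentials -- aws waf "delete-${singular}" --change-token "$change_token" \
      "--${singular}-id" "$set_id"
  done 3<<<"$set_ids"
}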
# Delete the (now empty) condition sets, one resource type per entry.
# Each entry is "<plural resource name>:<jq filter for the set ids>".
# NOTE(review): the API rejects deleting a set that a rule still references,
# and the rule predicates are only removed further down in this file, so
# these calls may need to be run again after that step.
for spec in \
  'ip-sets:.IPSets[].IPSetId' \
  'size-constraint-sets:.SizeConstraintSets[].SizeConstraintSetId' \
  'xss-match-sets:.XssMatchSets[].XssMatchSetId'
do
  delete_conditions "${spec%%:*}" "${spec#*:}"
done
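# Remove any rules assigned to WebACL
# Destructive: once its rules are removed, a WebACL only applies its default
# action to the traffic it covers.
acl_ids=$(aws_credentials -- aws waf list-web-acls | jq -r '.WebACLs[].WebACLId')
# The lists are read on fds 3 and 4 so that stdin stays available to the
# credential wrapper inside the loop bodies.
while IFS= read -r acl <&3; do
  [[ -n "$acl" ]] || continue
  echo "Removing any rules from $acl"
  # The documented option name is --web-acl-id; it is spelled out in full
  # rather than relying on the CLI accepting an abbreviated option.
  acl_rules=$(aws_credentials -- aws waf get-web-acl --web-acl-id "$acl" | jq -c '.WebACL.Rules[]')
  while IFS= read -r rule <&4; do
    [[ -n "$rule" ]] || continue
    # Send the activated rule back as JSON exactly as it was returned, so no
    # field is lost or altered by text substitution.
    updates=$(jq -nc --argjson rule "$rule" '[{Action: "DELETE", ActivatedRule: $rule}]') || continue
    CHANGE_TOKEN=$(aws_credentials -- aws waf get-change-token | jq -r .ChangeToken)
    aws_credentials -- aws waf update-web-acl --change-token "$CHANGE_TOKEN" \
      --web-acl-id "$acl" --updates "$updates"
  done 4<<<"$acl_rules"
done 3<<<"$acl_ids"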
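# Remove any conditions assigned to rules
rule_ids=$(aws_credentials -- aws waf list-rules | jq -r '.Rules[].RuleId')
# The lists are read on fds 3 and 4 so that stdin stays available to the
# credential wrapper inside the loop bodies.
while IFS= read -r rule <&3; do
  [[ -n "$rule" ]] || continue
  echo "Removing any conditions from $rule"
  rule_predicates=$(aws_credentials -- aws waf get-rule --rule-id "$rule" | jq -c '.Rule.Predicates[]')
  while IFS= read -r predicate <&4; do
    [[ -n "$predicate" ]] || continue
    # Send the predicate back as JSON exactly as it was returned instead of
    # rewriting it into CLI shorthand with sed.
    updates=$(jq -nc --argjson predicate "$predicate" '[{Action: "DELETE", Predicate: $predicate}]') || continue
    CHANGE_TOKEN=$(aws_credentials -- aws waf get-change-token | jq -r .ChangeToken)
    aws_credentials -- aws waf update-rule --change-token "$CHANGE_TOKEN" \
      --rule-id "$rule" --updates "$updates"
  done 4<<<"$rule_predicates"
done 3<<<"$rule_ids"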
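# Delete WebACLs
# Destructive: removes every WebACL that list-web-acls returns for the account.
acl_ids=$(aws_credentials -- aws waf list-web-acls | jq -r '.WebACLs[].WebACLId')
# The id list is read on fd 3 so that stdin stays available to the
# credential wrapper inside the loop body.
while IFS= read -r acl <&3; do
  [[ -n "$acl" ]] || continue
  echo "Deleting WebACL $acl"
  CHANGE_TOKEN=$(aws_credentials -- aws waf get-change-token | jq -r .ChangeToken)
  # The documented option name is --web-acl-id; it is spelled out in full
  # rather than relying on the CLI accepting an abbreviated option.
  aws_credentials -- aws waf delete-web-acl --web-acl-id "$acl" --change-token "$CHANGE_TOKEN"
done 3<<<"$acl_ids"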
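# Delete rules
# Destructive: removes every rule that list-rules returns for the account.
rule_ids=$(aws_credentials -- aws waf list-rules | jq -r '.Rules[].RuleId')
# The id list is read on fd 3 so that stdin stays available to the
# credential wrapper inside the loop body.
while IFS= read -r rule <&3; do
  [[ -n "$rule" ]] || continue
  echo "Deleting rule $rule"
  CHANGE_TOKEN=$(aws_credentials -- aws waf get-change-token | jq -r .ChangeToken)
  aws_credentials -- aws waf delete-rule --rule-id "$rule" --change-token "$CHANGE_TOKEN"
done 3<<<"$rule_ids"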