fix: detect and delete RDS clusters/instances with deletion protection enabled (#955)

Resolves issue where RDS clusters and instances with deletion protection
enabled were not being detected during discovery, even when matching tag
and time filters.

Since the nukeAll functions already disable deletion protection before
deletion, these resources can be safely included in discovery and will
be properly cleaned up.

Fixes #953

Author: james00012

aws/resources/rds.go

@@ -22,11 +22,6 @@ func (di *DBInstances) getAll(ctx context.Context, configObj config.Config) ([]*
 	var names []*string
 
 	for _, database := range result.DBInstances {
-		// Skip deletion-protected instances when config doesn't explicitly include them
-		if database.DeletionProtection != nil && *database.DeletionProtection && !configObj.DBInstances.IncludeDeletionProtected {
-			continue
-		}
-
 		if configObj.DBInstances.ShouldInclude(config.ResourceValue{
 			Time: database.InstanceCreateTime,
 			Name: database.DBInstanceIdentifier,

aws/resources/rds_cluster.go

@@ -47,11 +47,6 @@ func (instance *DBClusters) getAll(c context.Context, configObj config.Config) (
 
 	var names []*string
 	for _, database := range result.DBClusters {
-		// Skip deletion-protected clusters when config doesn't explicitly include them
-		if database.DeletionProtection != nil && *database.DeletionProtection && !configObj.DBClusters.IncludeDeletionProtected {
-			continue
-		}
-
 		if configObj.DBClusters.ShouldInclude(config.ResourceValue{
 			Name: database.DBClusterIdentifier,
 			Time: database.ClusterCreateTime,

aws/resources/rds_cluster_test.go

@@ -63,13 +63,15 @@ func TestRDSClusterGetAll(t *testing.T) {
 		},
 	}
 
-	// Test Case 1: Empty config - should exclude deletion-protected clusters by default
+	// Test Case 1: Empty config - should include both protected and unprotected clusters
+	// Deletion protection is automatically disabled during deletion, so we include these clusters
 	clusters, err := dbCluster.getAll(context.Background(), config.Config{DBClusters: config.AWSProtectectableResourceType{}})
 	assert.NoError(t, err)
 	assert.Contains(t, aws.ToStringSlice(clusters), strings.ToLower(testName))
-	assert.NotContains(t, aws.ToStringSlice(clusters), strings.ToLower(testProtectedName))
+	assert.Contains(t, aws.ToStringSlice(clusters), strings.ToLower(testProtectedName))
 
-	// Test Case 2: IncludeDeletionProtected=true - should include both protected and unprotected clusters
+	// Test Case 2: With IncludeDeletionProtected flag - behavior is now the same as Test Case 1
+	// since deletion-protected clusters are always included
 	clusters, err = dbCluster.getAll(context.Background(), config.Config{
 		DBClusters: config.AWSProtectectableResourceType{
 			IncludeDeletionProtected: true,

aws/resources/rds_test.go

@@ -100,7 +100,7 @@ func TestDBInstances_GetAll(t *testing.T) {
 	}{
 		"emptyFilter": {
 			configObj: config.AWSProtectectableResourceType{},
-			expected:  []string{testIdentifier1, testIdentifier2},
+			expected:  []string{testIdentifier1, testIdentifier2, testIdentifier3},
 		},
 		"nameExclusionFilter": {
 			configObj: config.AWSProtectectableResourceType{ResourceType: config.ResourceType{
@@ -110,7 +110,7 @@ func TestDBInstances_GetAll(t *testing.T) {
 					}},
 				},
 			}},
-			expected: []string{testIdentifier1, testIdentifier2},
+			expected: []string{testIdentifier1, testIdentifier2, testIdentifier3},
 		},
 		"timeAfterExclusionFilter": {
 			configObj: config.AWSProtectectableResourceType{