
feat(aws): add SSM Parameter Store resource#1069

Open
Amit2465 wants to merge 1 commit into gruntwork-io:master from Amit2465:ay/aws-ssm-parameter

Conversation

@Amit2465
Contributor

Description

Fixes #1065.

Add support for nuking AWS SSM Parameter Store parameters using the generic resource pattern.

How it works

Parameters are discovered via paginated DescribeParameters and deleted individually using DeleteParameter. Tags are fetched separately via ListTagsForResource to support name, time, and tag-based config filtering.

Safety measures

  • AWS-managed public parameters (those under the /aws/ prefix, e.g. /aws/service/*, /aws/reference/*) are skipped. AWS reserves this namespace and customers cannot create parameters there — deletion would fail with AccessDeniedException.
  • Parameters whose tags cannot be fetched are skipped rather than proceeding with nil tags. Passing nil tags to ShouldInclude would silently bypass cloud-nuke-excluded and cloud-nuke-after protection checks, risking accidental deletion of protected resources.

Pre-commit checks

  • gofmt — no issues
  • golangci-lint run ./aws/resources/... — 0 issues
  • go build ./... — clean
  • go vet ./aws/resources/... — clean

Manually verified against a real AWS account:

  • inspect-aws --resource-type ssm-parameter correctly lists parameters
  • /aws/ managed parameters are correctly skipped and never listed
  • Deletion completes successfully

Test output

=== RUN   TestSSMParameter_ResourceName
--- PASS: TestSSMParameter_ResourceName (0.00s)
=== RUN   TestSSMParameter_MaxBatchSize
--- PASS: TestSSMParameter_MaxBatchSize (0.00s)
=== RUN   TestSSMParameter_GetAll
    --- PASS: TestSSMParameter_GetAll/emptyFilter (0.00s)
    --- PASS: TestSSMParameter_GetAll/nameExclusionFilter (0.00s)
    --- PASS: TestSSMParameter_GetAll/timeAfterExclusionFilter (0.00s)
    --- PASS: TestSSMParameter_GetAll/tagExclusionFilter (0.00s)
--- PASS: TestSSMParameter_GetAll (0.00s)
--- PASS: TestSSMParameter_GetAll_TagFetchFailure (0.00s)
--- PASS: TestSSMParameter_GetAll_SkipsAwsManagedParameters (0.00s)
--- PASS: TestSSMParameter_GetAll_DescribeError (0.00s)
--- PASS: TestSSMParameter_NukeAll (0.00s)
--- PASS: TestSSMParameter_NukeAll_Error (0.00s)
PASS
ok  github.com/gruntwork-io/cloud-nuke/aws/resources  0.024s

TODOs

Read the Gruntwork contribution guidelines.

  • Update the docs.
  • Run the relevant tests successfully, including pre-commit checks.
  • Ensure any 3rd party code adheres with our license policy or delete this line if it's not applicable.
  • Include release notes. If this PR is backward incompatible, include a migration guide.
  • Attention Grunts - if this PR adds support for a new resource, ensure the nuke_sandbox and nuke_phxdevops jobs in .circleci/config.yml have been updated with appropriate exclusions (either directly in the job or via the .circleci/nuke_config.yml file) to prevent nuking IAM roles, groups, resources, etc that are important for the test accounts.

Release Notes (draft)

Added AWS SSM Parameter Store (ssm-parameter) as a new supported resource type.

Migration Guide

This PR introduces ssm-parameter as a new AWS resource type. Since cloud-nuke automatically includes all registered resource types, SSM Parameter Store parameters will be nuked by default if no config file is provided.

To opt out, add the following to your config file:

SSMParameter:
  exclude:
    names_regex:
      - ".*"

See configuration docs for full filter options.
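As an added illustration of the discovery and safety logic described in this PR, the following Go program is example code written for this page, not the PR's or cloud-nuke's own implementation. It walks constructed DescribeParameters pages, skips the reserved /aws/ namespace before any tag lookup, treats a ListTagsForResource failure as "protected" instead of passing nil tags, and only then applies a time_after cutoff and the cloud-nuke-excluded / cloud-nuke-after tag checks. The Parameter and fakeSSM types, the index-as-NextToken pagination, and the RFC3339 format for cloud-nuke-after are assumptions made so it runs offline with the standard library; names_regex filtering is not modelled, and the real resource uses the aws-sdk-go-v2 paginator and the project's ShouldInclude.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Parameter stands in for DescribeParameters metadata; SSM exposes no creation time, so LastModifiedDate feeds the time filter.
type Parameter struct {
	Name             string
	LastModifiedDate time.Time
}

// fakeSSM serves constructed (made-up) pages and tags so the example runs offline; it is not the SDK client.
type fakeSSM struct {
	pages   [][]Parameter
	tags    map[string]map[string]string
	tagErrs map[string]error
}

func (f *fakeSSM) DescribeParameters(token string) ([]Parameter, string, error) {
	i, _ := strconv.Atoi(token) // the page index doubles as the opaque token; "" is page 0
	if i >= len(f.pages) {
		return nil, "", fmt.Errorf("invalid NextToken %q", token)
	}
	if i+1 < len(f.pages) {
		return f.pages[i], strconv.Itoa(i + 1), nil
	}
	return f.pages[i], "", nil
}

func (f *fakeSSM) ListTagsForResource(name string) (map[string]string, error) {
	if err, ok := f.tagErrs[name]; ok {
		return nil, err
	}
	return f.tags[name], nil
}

// shouldInclude models the time_after exclusion plus the cloud-nuke-excluded and cloud-nuke-after tag
// protections (RFC3339 assumed). With tags == nil both tag checks pass silently: the bypass the PR avoids.
func shouldInclude(p Parameter, tags map[string]string, excludeAfter, now time.Time) bool {
	if !excludeAfter.IsZero() && p.LastModifiedDate.After(excludeAfter) {
		return false
	}
	if tags["cloud-nuke-excluded"] == "true" {
		return false
	}
	if t, err := time.Parse(time.RFC3339, tags["cloud-nuke-after"]); err == nil && now.Before(t) {
		return false
	}
	return true
}

// listSSMParameters walks every page, skips /aws/ before touching tags, and treats a tag fetch error as protected.
func listSSMParameters(c *fakeSSM, excludeAfter, now time.Time) (toNuke, skipped []string, _ error) {
	for token := ""; ; {
		params, next, err := c.DescribeParameters(token)
		if err != nil {
			return nil, nil, fmt.Errorf("describe parameters: %w", err)
		}
		for _, p := range params {
			if strings.HasPrefix(p.Name, "/aws/") { // AWS-managed: DeleteParameter would be denied
				skipped = append(skipped, p.Name)
				continue
			}
			tags, err := c.ListTagsForResource(p.Name)
			if err != nil || !shouldInclude(p, tags, excludeAfter, now) {
				skipped = append(skipped, p.Name)
				continue
			}
			toNuke = append(toNuke, p.Name)
		}
		if next == "" {
			return toNuke, skipped, nil
		}
		token = next
	}
}

var now = time.Date(2026, 3, 17, 0, 0, 0, 0, time.UTC) // fixed clock so the sample is reproducible

func sampleClient() *fakeSSM {
	old := now.Add(-48 * time.Hour)
	return &fakeSSM{
		pages: [][]Parameter{
			{{"/aws/service/ami-amazon-linux-latest/x", old}, {"/app/prod/db-password", old}, {"/app/dev/feature-flag", old}},
			{{"/app/dev/tag-error", old}, {"/app/staging/api-key", old}, {"/app/dev/fresh", now.Add(-time.Hour)}, {"/app/dev/retired", old}},
		},
		tags: map[string]map[string]string{
			"/app/prod/db-password": {"cloud-nuke-excluded": "true"},
			"/app/staging/api-key":  {"cloud-nuke-after": "2030-01-01T00:00:00Z"},
			"/app/dev/retired":      {"cloud-nuke-after": "2020-01-01T00:00:00Z"},
		},
		tagErrs: map[string]error{"/app/dev/tag-error": fmt.Errorf("AccessDeniedException")},
	}
}

func main() {
	fmt.Println(listSSMParameters(sampleClient(), now.Add(-24*time.Hour), now))
}
```

With a 24-hour time_after cutoff, only /app/dev/feature-flag and /app/dev/retired (whose cloud-nuke-after date has passed) are returned for deletion; the /aws/ entry, the cloud-nuke-excluded secret, the parameter whose tags could not be read, the still-protected api-key and the freshly modified parameter are all skipped. Feeding nil tags into shouldInclude makes a cloud-nuke-excluded parameter look deletable, which is exactly why the lister never does that.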

@Amit2465 Amit2465 requested a review from denis256 as a code owner March 16, 2026 19:00
@Amit2465 Amit2465 force-pushed the ay/aws-ssm-parameter branch from 5eec327 to f9c3f73 Compare March 16, 2026 19:03
@james00012
Contributor

Clean implementation with good test coverage. A few items:

  1. Unexpected go-jmespath dependency — go.sum picks up github.com/jmespath/go-jmespath v0.4.0 which is a v1 SDK transitive dep. The project uses v2 exclusively. Worth checking where this came from.
  2. LastModifiedDate as time filter — Since SSM DescribeParameters doesn't expose creation time, LastModifiedDate is the only option. Worth noting it in the code for future readers.
  3. Missing errors.WithStackTrace — listSSMParameters returns bare errors from the paginator. Other AWS resources wrap with go-commons/errors.
  4. Subtests missing t.Parallel() — The parent TestSSMParameter_GetAll has it, but the individual t.Run subtests don't.

Add support for nuking AWS SSM Parameter Store parameters using the
generic resource pattern. Parameters are discovered via paginated
DescribeParameters and deleted individually.

Safety:
- Skip AWS-managed public parameters under the /aws/ prefix (e.g.
  /aws/service/*, /aws/reference/*) — these are read-only and cannot
  be deleted
- Skip parameters whose tags cannot be fetched to preserve
  cloud-nuke-excluded and cloud-nuke-after protections, unlike other
  resources that pass nil tags and silently bypass these checks
@Amit2465 Amit2465 force-pushed the ay/aws-ssm-parameter branch from f9c3f73 to 38fbad3 Compare March 17, 2026 18:08
@Amit2465
Contributor Author

@james00012 Good catches, all fixed.

  • go-jmespath is a direct dep of aws-sdk-go-v2/service/ssm (used in GetCommandInvocation waiters), not a v1 leak, confirmed via go mod why.
  • Added a comment on LastModifiedDate usage.
  • Wrapped bare errors with errors.WithStackTrace.
  • Added t.Parallel() to the subtests.



Development

Successfully merging this pull request may close these issues.

Add support for AWS Systems Manager parameter store deletion
