@cloud-copilot/iam-lens 0.1.1 → 0.1.3

package/dist/esm/collect/client.js

@@ -0,0 +1,454 @@
+import { splitArnParts } from '../util/arn.js';
+// export interface IamCollectClient {
+//   /**
+//    * Does an account exist in the store?
+//    *
+//    * @param accountId the id of the account to check
+//    * @returns true if the account exists, false otherwise
+//    */
+//   accountExists: (accountId: string) => Promise<boolean>
+//   /**
+//    * Does a principal exist in the store?
+//    *
+//    * @param principalArn the arn of the principal to check
+//    * @returns true if the principal exists, false otherwise
+//    */
+//   principalExists: (principalArn: string) => Promise<boolean>
+//   /**
+//    * Get the org id for an account
+//    */
+//   getOrgIdForAccount: (accountId: string) => Promise<string | undefined>
+//   /**
+//    * Get the SCPs for an account and only the account
+//    *
+//    * @param accountId the id of the account to get the policies for
+//    * @returns the policies for the account
+//    */
+//   getScpsForAccount: (accountId: string) => Promise<OrgPolicy[]>
+//   /**
+//    * Get the SCP Hierarchy for an account. The first element is the root, the last element is the account itself.
+//    *
+//    * @param accountId the id of the account to get the policies for
+//    * @returns the policies for the account
+//    */
+//   getScpHierarchyForAccount(accountId: string): Promise<SimulationOrgPolicies[]>
+//   /**
+//    * Get the RCPs for an account
+//    *
+//    * @param accountId the account id to get the policies for
+//    * @returns the policies for the account
+//    */
+//   getRcpsForAccount: (accountId: string) => Promise<OrgPolicy[]>
+//   getRcpHierarchyForAccount(accountId: string): Promise<SimulationOrgPolicies[]>
+//   /**
+//    * Get the SCPs for an org unit
+//    *
+//    * @param orgUnitId the id of the org unit to get the policies for
+//    * @returns the policies for the org unit
+//    */
+//   getScpsForOrgUnit: (orgId: string, orgUnitId: string) => Promise<OrgPolicy[]>
+//   /**
+//    * Get the RCPs for an org unit
+//    *
+//    * @param orgUnitId
+//    * @returns
+//    */
+//   getRcpsForOrgUnit: (orgId: string, orgUnitId: string) => Promise<OrgPolicy[]>
+//   getAccountIdForBucket: (bucketName: string) => Promise<string | undefined>
+//   getAccountIdForRestApi: (apiArn: string) => Promise<string | undefined>
+//   getManagedPoliciesForUser(userArn: string): Promise<ManagedPolicy[]>
+// }
+export class IamCollectClient {
+    constructor(storageClient) {
+        this.storageClient = storageClient;
+    }
+    /**
+     * Checks if an account exists in the store.
+     * @param accountId The ID of the account to check.
+     * @returns True if the account exists, false otherwise.
+     */
+    async accountExists(accountId) {
+        const accounts = await this.storageClient.listAccountIds();
+        return accounts.includes(accountId);
+    }
+    /**
+     * Checks if a principal exists in the store.
+     * @param principalArn The ARN of the principal to check.
+     * @returns True if the principal exists, false otherwise.
+     */
+    async principalExists(principalArn) {
+        const accountId = splitArnParts(principalArn).accountId;
+        const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
+        return !!principalData;
+    }
+    /**
+     * Gets the SCP Hierarchy for an account. The first element is the root, the last element is the account itself.
+     * @param accountId The ID of the account to get the SCP Hierarchy for.
+     * @returns The SCP Hierarchy for the account.
+     */
+    async getScpHierarchyForAccount(accountId) {
+        return this.getOrgPolicyHierarchyForAccount(accountId, 'scps');
+    }
+    /**
+     * Gets the policy hierarchy for an account for a given policy type.
+     * @param accountId The ID of the account.
+     * @param policyType The type of policy ('scps' or 'rcps').
+     * @returns The policy hierarchy for the account.
+     */
+    async getOrgPolicyHierarchyForAccount(accountId, policyType) {
+        const orgId = await this.getOrgIdForAccount(accountId);
+        if (!orgId) {
+            return [];
+        }
+        // SCPs and RCPs do not apply to the root account
+        const orgMetadata = await this.getOrganizationMetadata(orgId);
+        if (orgMetadata.rootAccountId === accountId) {
+            return [];
+        }
+        const policyHierarchy = [];
+        const orgHierarchy = await this.getOrgUnitHierarchyForAccount(accountId);
+        for (const ouId of orgHierarchy) {
+            const policies = await this.getOrgPoliciesForOrgUnit(orgId, ouId, policyType);
+            policyHierarchy.push({
+                orgIdentifier: ouId,
+                policies: policies.map((p) => ({
+                    name: p.arn,
+                    policy: p.policy
+                }))
+            });
+        }
+        const accountPolicies = await this.getOrgPoliciesForAccount(accountId, policyType);
+        policyHierarchy.push({
+            orgIdentifier: accountId,
+            policies: accountPolicies.map((p) => ({
+                name: p.arn,
+                policy: p.policy
+            }))
+        });
+        return policyHierarchy;
+    }
+    /**
+     * Gets the OUs for an account. The first element is the root,
+     * the last element is the parent OU of the account.
+     * @param accountId The ID of the account to get the OUs for.
+     * @returns The OUs for the account.
+     */
+    async getOrgUnitHierarchyForAccount(accountId) {
+        const orgId = await this.getOrgIdForAccount(accountId);
+        if (!orgId) {
+            return [];
+        }
+        const ouIds = [];
+        let ouId = await this.getOrgUnitIdForAccount(accountId);
+        ouIds.push(ouId);
+        while (ouId) {
+            const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
+            if (parentOuId) {
+                ouIds.unshift(parentOuId);
+            }
+            ouId = parentOuId;
+        }
+        return ouIds;
+    }
+    /**
+     * Gets the org unit ID for an account.
+     * @param accountId The ID of the account.
+     * @returns The org unit ID for the account, or undefined if not found.
+     */
+    async getOrgUnitIdForAccount(accountId) {
+        const orgId = await this.getOrgIdForAccount(accountId);
+        if (!orgId) {
+            return undefined;
+        }
+        const accounts = await this.getAccountDataForOrg(orgId);
+        return accounts[accountId].ou;
+    }
+    /**
+     * Gets the parent org unit ID for a given org unit.
+     * @param orgId The ID of the organization.
+     * @param ouId The ID of the org unit.
+     * @returns The parent org unit ID, or undefined if not found.
+     */
+    async getParentOrgUnitIdForOrgUnit(orgId, ouId) {
+        const ouData = await this.getOrgUnitsDataForOrg(orgId);
+        const ou = ouData[ouId];
+        return ou.parent;
+    }
+    /**
+     * Gets the SCPs for an account.
+     * @param accountId The ID of the account.
+     * @returns The SCPs for the account.
+     */
+    async getScpsForAccount(accountId) {
+        return this.getOrgPoliciesForAccount(accountId, 'scps');
+    }
+    /**
+     * Gets the org policies for an account for a given policy type.
+     * @param accountId The ID of the account.
+     * @param policyType The type of policy ('scps' or 'rcps').
+     * @returns The org policies for the account.
+     */
+    async getOrgPoliciesForAccount(accountId, policyType) {
+        const orgId = await this.getOrgIdForAccount(accountId);
+        if (!orgId) {
+            return [];
+        }
+        const accounts = await this.getAccountDataForOrg(orgId);
+        const orgInformation = accounts[accountId];
+        const policyArns = orgInformation[policyType];
+        const policies = [];
+        for (const policyArn of policyArns) {
+            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+            policies.push(policyInfo);
+        }
+        return policies;
+    }
+    /**
+     * Gets the account data for an organization.
+     * @param orgId The ID of the organization.
+     * @returns The account data for the organization.
+     */
+    async getAccountDataForOrg(orgId) {
+        return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+    }
+    /**
+     * Gets the org units data for an organization.
+     * @param orgId The ID of the organization.
+     * @returns The org units data for the organization.
+     */
+    async getOrgUnitsDataForOrg(orgId) {
+        return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+    }
+    /**
+     * Gets a specific org policy.
+     * @param orgId The ID of the organization.
+     * @param policyType The type of policy ('scps' or 'rcps').
+     * @param policyArn The ARN of the policy.
+     * @returns The org policy.
+     */
+    async getOrgPolicy(orgId, policyType, policyArn) {
+        const policyId = policyArn.split('/').at(-1);
+        const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
+        const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
+        return {
+            arn: policyData.arn,
+            name: policyData.name,
+            policy: policyDocument
+        };
+    }
+    /**
+     * Gets the RCPs for an account.
+     * @param accountId The ID of the account.
+     * @returns The RCPs for the account.
+     */
+    async getRcpsForAccount(accountId) {
+        return this.getOrgPoliciesForAccount(accountId, 'rcps');
+    }
+    /**
+     * Gets the RCP hierarchy for an account.
+     * @param accountId The ID of the account.
+     * @returns The RCP hierarchy for the account.
+     */
+    async getRcpHierarchyForAccount(accountId) {
+        return this.getOrgPolicyHierarchyForAccount(accountId, 'rcps');
+    }
+    /**
+     * Gets the SCPs for an org unit.
+     * @param orgId The ID of the organization.
+     * @param orgUnitId The ID of the org unit.
+     * @returns The SCPs for the org unit.
+     */
+    async getScpsForOrgUnit(orgId, orgUnitId) {
+        return this.getOrgPoliciesForOrgUnit(orgId, orgUnitId, 'scps');
+    }
+    /**
+     * Gets the org policies for an org unit for a given policy type.
+     * @param orgId The ID of the organization.
+     * @param orgUnitId The ID of the org unit.
+     * @param policyType The type of policy ('scps' or 'rcps').
+     * @returns The org policies for the org unit.
+     */
+    async getOrgPoliciesForOrgUnit(orgId, orgUnitId, policyType) {
+        const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
+        const orgUnit = orgUnitInformation[orgUnitId];
+        const orgPolicies = orgUnit[policyType];
+        const policies = [];
+        for (const policyArn of orgPolicies) {
+            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+            policies.push(policyInfo);
+        }
+        return policies;
+    }
+    /**
+     * Gets the RCPs for an org unit.
+     * @param orgId The ID of the organization.
+     * @param orgUnitId The ID of the org unit.
+     * @returns The RCPs for the org unit.
+     */
+    async getRcpsForOrgUnit(orgId, orgUnitId) {
+        return this.getOrgPoliciesForOrgUnit(orgId, orgUnitId, 'rcps');
+    }
+    /**
+     * Gets the org ID for an account.
+     * @param accountId The ID of the account.
+     * @returns The org ID for the account, or undefined if not found.
+     */
+    async getOrgIdForAccount(accountId) {
+        const index = await this.storageClient.getIndex('accounts-to-orgs', {});
+        const accountToOrgMap = index.data;
+        return accountToOrgMap[accountId];
+    }
+    /**
+     * Gets the account ID for a given S3 bucket name.
+     * @param bucketName The name of the bucket.
+     * @returns The account ID for the bucket, or undefined if not found.
+     */
+    async getAccountIdForBucket(bucketName) {
+        const index = await this.storageClient.getIndex('buckets-to-accounts', {});
+        const bucketToAccountMap = index.data;
+        return bucketToAccountMap[bucketName]?.accountId;
+    }
+    /**
+     * Gets the account ID for a given API Gateway ARN.
+     * @param apiArn The ARN of the API Gateway.
+     * @returns The account ID for the API Gateway, or undefined if not found.
+     */
+    async getAccountIdForRestApi(apiArn) {
+        const index = await this.storageClient.getIndex('apigateways-to-accounts', {});
+        const bucketToAccountMap = index.data;
+        return bucketToAccountMap[apiArn];
+    }
+    /**
+     * Gets the managed policies attached to a user.
+     * @param userArn The ARN of the user.
+     * @returns The managed policies for the user.
+     */
+    async getManagedPoliciesForUser(userArn) {
+        const accountId = splitArnParts(userArn).accountId;
+        const managedPolicies = await this.storageClient.getResourceMetadata(accountId, userArn, 'managed-policies', []);
+        const results = [];
+        for (const policyArn of managedPolicies) {
+            results.push(await this.getManagedPolicy(accountId, policyArn));
+        }
+        return results;
+    }
+    async getManagedPolicy(accountId, policyArn) {
+        const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
+        const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'policy');
+        return {
+            arn: policyMetadata.arn,
+            name: policyMetadata.name,
+            policy: policyDocument
+        };
+    }
+    /**
+     * Gets the inline policies attached to a user.
+     * @param userArn The ARN of the user.
+     * @returns The inline policies for the user.
+     */
+    async getInlinePoliciesForUser(userArn) {
+        const accountId = splitArnParts(userArn).accountId;
+        const inlinePolicies = await this.storageClient.getResourceMetadata(accountId, userArn, 'inline-policies', []);
+        return inlinePolicies.map((p) => ({
+            name: p.PolicyName,
+            policy: p.PolicyDocument
+        }));
+    }
+    async getIamUserMetadata(userArn) {
+        const accountId = splitArnParts(userArn).accountId;
+        // The permissions boundary is stored as a policy ARN on the user resource metadata
+        return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+    }
+    /**
+     * Gets the permissions boundary policy attached to a user, if any.
+     *
+     * @param userArn The ARN of the user.
+     * @returns The permissions boundary policy as an OrgPolicy, or undefined if none is set.
+     */
+    async getPermissionsBoundaryForUser(userArn) {
+        const accountId = splitArnParts(userArn).accountId;
+        // The permissions boundary is stored as a policy ARN on the user resource metadata
+        const userMetadata = await this.getIamUserMetadata(userArn);
+        if (!userMetadata) {
+            return undefined;
+        }
+        const permissionsBoundaryArn = userMetadata.permissionBoundary;
+        if (!permissionsBoundaryArn) {
+            return undefined;
+        }
+        return this.getManagedPolicy(accountId, permissionsBoundaryArn);
+    }
+    /**
+     * Gets the group ARNs that the user is a member of.
+     * @param userArn The ARN of the user.
+     * @returns An array of group ARNs the user belongs to.
+     */
+    async getGroupsForUser(userArn) {
+        const accountId = splitArnParts(userArn).accountId;
+        const groups = await this.storageClient.getResourceMetadata(accountId, userArn, 'groups', []);
+        return groups;
+    }
+    /**
+     * Gets the managed policies attached to a group.
+     *
+     * @param groupArn The ARN of the group.
+     * @returns The managed policies for the group.
+     */
+    async getManagedPoliciesForGroup(groupArn) {
+        const accountId = splitArnParts(groupArn).accountId;
+        const managedPolicies = await this.storageClient.getResourceMetadata(accountId, groupArn, 'managed-policies', []);
+        const results = [];
+        for (const policyArn of managedPolicies) {
+            results.push(await this.getManagedPolicy(accountId, policyArn));
+        }
+        return results;
+    }
+    async getInlinePoliciesForGroup(groupArn) {
+        const accountId = splitArnParts(groupArn).accountId;
+        const inlinePolicies = await this.storageClient.getResourceMetadata(accountId, groupArn, 'inline-policies', []);
+        return inlinePolicies.map((p) => ({
+            name: p.PolicyName,
+            policy: p.PolicyDocument
+        }));
+    }
+    async getManagedPoliciesForRole(roleArn) {
+        const accountId = splitArnParts(roleArn).accountId;
+        const managedPolicies = await this.storageClient.getResourceMetadata(accountId, roleArn, 'managed-policies', []);
+        const results = [];
+        for (const policyArn of managedPolicies) {
+            results.push(await this.getManagedPolicy(accountId, policyArn));
+        }
+        return results;
+    }
+    async getInlinePoliciesForRole(roleArn) {
+        const accountId = splitArnParts(roleArn).accountId;
+        const inlinePolicies = await this.storageClient.getResourceMetadata(accountId, roleArn, 'inline-policies', []);
+        return inlinePolicies.map((p) => ({
+            name: p.PolicyName,
+            policy: p.PolicyDocument
+        }));
+    }
+    async getPermissionsBoundaryForRole(roleArn) {
+        const accountId = splitArnParts(roleArn).accountId;
+        // The permissions boundary is stored as a policy ARN on the user resource metadata
+        const roleMetadata = await this.getIamUserMetadata(roleArn);
+        if (!roleMetadata) {
+            return undefined;
+        }
+        const permissionsBoundaryArn = roleMetadata.permissionBoundary;
+        if (!permissionsBoundaryArn) {
+            return undefined;
+        }
+        return this.getManagedPolicy(accountId, permissionsBoundaryArn);
+    }
+    /**
+     * Get the metadata for an organization.
+     *
+     * @param organizationId the id of the organization
+     * @returns the metadata for the organization
+     */
+    async getOrganizationMetadata(organizationId) {
+        return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/esm/collect/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAyF9C,sCAAsC;AACtC,QAAQ;AACR,2CAA2C;AAC3C,OAAO;AACP,uDAAuD;AACvD,4DAA4D;AAC5D,QAAQ;AACR,2DAA2D;AAE3D,QAAQ;AACR,4CAA4C;AAC5C,OAAO;AACP,6DAA6D;AAC7D,8DAA8D;AAC9D,QAAQ;AACR,gEAAgE;AAEhE,QAAQ;AACR,qCAAqC;AACrC,QAAQ;AACR,2EAA2E;AAE3E,QAAQ;AACR,wDAAwD;AACxD,OAAO;AACP,sEAAsE;AACtE,6CAA6C;AAC7C,QAAQ;AACR,mEAAmE;AAEnE,QAAQ;AACR,oHAAoH;AACpH,OAAO;AACP,sEAAsE;AACtE,6CAA6C;AAC7C,QAAQ;AACR,mFAAmF;AAEnF,QAAQ;AACR,mCAAmC;AACnC,OAAO;AACP,+DAA+D;AAC/D,6CAA6C;AAC7C,QAAQ;AACR,mEAAmE;AAEnE,mFAAmF;AAEnF,QAAQ;AACR,oCAAoC;AACpC,OAAO;AACP,uEAAuE;AACvE,8CAA8C;AAC9C,QAAQ;AACR,kFAAkF;AAElF,QAAQ;AACR,oCAAoC;AACpC,OAAO;AACP,wBAAwB;AACxB,gBAAgB;AAChB,QAAQ;AACR,kFAAkF;AAElF,+EAA+E;AAE/E,4EAA4E;AAE5E,yEAAyE;AACzE,IAAI;AAEJ,MAAM,OAAO,gBAAgB;IAC3B,YAAoB,aAA0B;QAA1B,kBAAa,GAAb,aAAa,CAAa;IAAG,CAAC;IAElD;;;;OAIG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,CAAA;QAC1D,OAAO,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CAAC,YAAoB;QACxC,MAAM,SAAS,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,SAAU,CAAA;QACxD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAChE,SAAS,EACT,YAAY,EACZ,UAAU,CACX,CAAA;QACD,OAAO,CAAC,CAAC,aAAa,CAAA;IACxB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,yBAAyB,CAAC,SAAiB;QAC/C,OAAO,IAAI,CAAC,+BAA+B,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;IAChE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,+BAA+B,CACnC,SAAiB,EACjB,UAAyB;QAEzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAA;QACtD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,CAAA;QACX,CAAC;QAED,iDAAiD;QACjD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;QAC7D,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YAC5C,OAAO,EAAE,CAAA;QACX,CAAC;QAED,MAAM,eAAe,GAA4B,EAAE,CAAA;QACnD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAA;QAExE,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,CAAA;YAE7E,eAAe,CAAC,IAAI,CAAC;gBACnB,aAAa,EAAE,IAAI;gBACnB,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC7B,IAAI,EAAE,CAAC,CAAC,GAAG;oBACX,MAAM,EAAE,CAAC,CAAC,MAAM;iBACjB,CAAC,CAAC;aACJ,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAA;QAClF,eAAe,CAAC,IAAI,CAAC;YACnB,aAAa,EAAE,SAAS;YACxB,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACpC,IAAI,EAAE,CAAC,CAAC,GAAG;gBACX,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC,CAAC;SACJ,CAAC,CAAA;QAEF,OAAO,eAAe,CAAA;IACxB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,6BAA6B,CAAC,SAAiB;QACnD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAA;QACtD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,CAAA;QACX,CAAC;QACD,MAAM,KAAK,GAAa,EAAE,CAAA;QAC1B,IAAI,IAAI,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAA;QACvD,KAAK,CAAC,IAAI,CAAC,IAAK,CAAC,CAAA;QACjB,OAAO,IAAI,EAAE,CAAC;YACZ,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,4BAA4B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;YACvE,IAAI,UAAU,EAAE,CAAC;gBACf,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;YAC3B,CAAC;YACD,IAAI,GAAG,UAAU,CAAA;QACnB,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAAC,SAAiB;QAC5C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAA;QACtD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;QACvD,OAAO,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAA;IAC/B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,4BAA4B,CAAC,KAAa,EAAE,IAAY;QAC5D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAA;QACtD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAA;QACvB,OAAO,EAAE,CAAC,MAAM,CAAA;IAClB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CAAC,SAAiB;QACvC,OAAO,IAAI,CAAC,wBAAwB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;IACzD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,wBAAwB,CAC5B,SAAiB,EACjB,UAAyB;QAEzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAA;QACtD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,CAAA;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAA;QACvD,MAAM,cAAc,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAA;QAC1C,MAAM,UAAU,GAAG,cAAc,CAAC,UAAU,CAAC,CAAA;QAC7C,MAAM,QAAQ,GAAgB,EAAE,CAAA;QAChC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;YACxE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC3B,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAAa;QACtC,OAAO,IAAI,CAAC,aAAa,CAAC,uBAAuB,CAA2B,KAAK,EAAE,UAAU,CAAC,CAAA;IAChG,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,qBAAqB,CAAC,KAAa;QACvC,OAAO,IAAI,CAAC,aAAa,CAAC,uBAAuB,CAAqB,KAAK,EAAE,KAAK,CAAC,CAAA;IACrF,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,YAAY,CAChB,KAAa,EACb,UAAyB,EACzB,SAAiB;QAEjB,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAE,CAAA;QAC7C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,6BAA6B,CAGvE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAA;QAC1C,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,6BAA6B,CAC3E,KAAK,EACL,UAAU,EACV,QAAQ,EACR,QAAQ,CACT,CAAA;QAED,OAAO;YACL,GAAG,EAAE,UAAU,CAAC,GAAG;YACnB,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,MAAM,EAAE,cAAc;SACvB,CAAA;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CAAC,SAAiB;QACvC,OAAO,IAAI,CAAC,wBAAwB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;IACzD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,yBAAyB,CAAC,SAAiB;QAC/C,OAAO,IAAI,CAAC,+BAA+B,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;IAChE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,SAAiB;QACtD,OAAO,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,CAAA;IAChE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,wBAAwB,CAC5B,KAAa,EACb,SAAiB,EACjB,UAAyB;QAEzB,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAA;QAClE,MAAM,OAAO,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAA;QAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAA;QACvC,MAAM,QAAQ,GAAgB,EAAE,CAAA;QAChC,KAAK,MAAM,SAAS,IAAI,WAAW,EAAE,CAAC;YACpC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;YACxE,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC3B,CAAC;QAED,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,SAAiB;QACtD,OAAO,IAAI,CAAC,wBAAwB,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,CAAA;IAChE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,kBAAkB,CAAC,SAAiB;QACxC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAyB,kBAAkB,EAAE,EAAE,CAAC,CAAA;QAC/F,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAA;QAClC,OAAO,eAAe,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,qBAAqB,CAAC,UAAkB;QAC5C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAC7C,qBAAqB,EACrB,EAAE,CACH,CAAA;QACD,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAA;QACrC,OAAO,kBAAkB,CAAC,UAAU,CAAC,EAAE,SAAS,CAAA;IAClD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAAC,MAAc;QACzC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAC7C,yBAAyB,EACzB,EAAE,CACH,CAAA;QACD,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAA;QACrC,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAA;IACnC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,yBAAyB,CAAC,OAAe;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAClE,SAAS,EACT,OAAO,EACP,kBAAkB,EAClB,EAAE,CACH,CAAA;QAED,MAAM,OAAO,GAAoB,EAAE,CAAA;QAEnC,KAAK,MAAM,SAAS,IAAI,eAAe,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;QACjE,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,SAAiB,EAAE,SAAiB;QACzD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAGjE,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAA;QACnC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CACjE,SAAS,EACT,SAAS,EACT,QAAQ,CACT,CAAA;QACD,OAAO;YACL,GAAG,EAAE,cAAc,CAAC,GAAG;YACvB,IAAI,EAAE,cAAc,CAAC,IAAI;YACzB,MAAM,EAAE,cAAc;SACvB,CAAA;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,wBAAwB,CAAC,OAAe;QAC5C,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAGjE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAA;QAE5C,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAChC,IAAI,EAAE,CAAC,CAAC,UAAU;YAClB,MAAM,EAAE,CAAC,CAAC,cAAc;SACzB,CAAC,CAAC,CAAA;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,OAAe;QACtC,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,mFAAmF;QACnF,OAAO,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAC3C,SAAS,EACT,OAAO,EACP,UAAU,CACX,CAAA;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,6BAA6B,CAAC,OAAe;QACjD,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,mFAAmF;QACnF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC3D,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,MAAM,sBAAsB,GAAG,YAAY,CAAC,kBAAkB,CAAA;QAC9D,IAAI,CAAC,sBAAsB,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAA;IACjE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CACzD,SAAS,EACT,OAAO,EACP,QAAQ,EACR,EAAE,CACH,CAAA;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,0BAA0B,CAAC,QAAgB;QAC/C,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,SAAU,CAAA;QACpD,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAClE,SAAS,EACT,QAAQ,EACR,kBAAkB,EAClB,EAAE,CACH,CAAA;QAED,MAAM,OAAO,GAAoB,EAAE,CAAA;QAEnC,KAAK,MAAM,SAAS,IAAI,eAAe,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;QACjE,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,QAAgB;QAC9C,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC,SAAU,CAAA;QACpD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAGjE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAA;QAE7C,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAChC,IAAI,EAAE,CAAC,CAAC,UAAU;YAClB,MAAM,EAAE,CAAC,CAAC,cAAc;SACzB,CAAC,CAAC,CAAA;IACL,CAAC;IAED,KAAK,CAAC,yBAAyB,CAAC,OAAe;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAClE,SAAS,EACT,OAAO,EACP,kBAAkB,EAClB,EAAE,CACH,CAAA;QAED,MAAM,OAAO,GAAoB,EAAE,CAAA;QAEnC,KAAK,MAAM,SAAS,IAAI,eAAe,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;QACjE,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,OAAe;QAC5C,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAGjE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAA;QAE5C,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAChC,IAAI,EAAE,CAAC,CAAC,UAAU;YAClB,MAAM,EAAE,CAAC,CAAC,cAAc;SACzB,CAAC,CAAC,CAAA;IACL,CAAC;IAED,KAAK,CAAC,6BAA6B,CAAC,OAAe;QACjD,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,SAAU,CAAA;QACnD,mFAAmF;QACnF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAC3D,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,MAAM,sBAAsB,GAAG,YAAY,CAAC,kBAAkB,CAAA;QAC9D,IAAI,CAAC,sBAAsB,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,OAAO,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAA;IACjE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,uBAAuB,CAAC,cAAsB;QAClD,OAAO,IAAI,CAAC,aAAa,CAAC,uBAAuB,CAC/C,cAAc,EACd,UAAU,CACX,CAAA;IACH,CAAC;CACF"}

package/dist/esm/collect/collect.d.ts

@@ -0,0 +1,18 @@
+import { TopLevelConfig } from '@cloud-copilot/iam-collect';
+import { IamCollectClient } from './client.js';
+/**
+ * Load IAM collect configs from the specified paths.
+ *
+ * @param configPaths the paths to the config files
+ * @returns the top-level configs
+ */
+export declare function loadCollectConfigs(configPaths: string[]): Promise<TopLevelConfig[]>;
+/**
+ * Get a collect client for the specified partition using the provided configs.
+ *
+ * @param configs the top-level configs to use for storage
+ * @param partition which partition to use (aws, aws-cn, aws-us-gov)
+ * @returns the iam-collect client to use for retrieving IAM resources
+ */
+export declare function getCollectClient(configs: TopLevelConfig[], partition: string): IamCollectClient;
+//# sourceMappingURL=collect.d.ts.map

package/dist/esm/collect/collect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"collect.d.ts","sourceRoot":"","sources":["../../../src/collect/collect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAwC,MAAM,4BAA4B,CAAA;AACjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAE9C;;;;;GAKG;AACH,wBAAsB,kBAAkB,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAEzF;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,cAAc,EAAE,EAAE,SAAS,EAAE,MAAM,GAAG,gBAAgB,CAE/F"}

package/dist/esm/collect/collect.js

@@ -0,0 +1,22 @@
+import { createStorageClient, loadConfigFiles } from '@cloud-copilot/iam-collect';
+import { IamCollectClient } from './client.js';
+/**
+ * Load IAM collect configs from the specified paths.
+ *
+ * @param configPaths the paths to the config files
+ * @returns the top-level configs
+ */
+export async function loadCollectConfigs(configPaths) {
+    return loadConfigFiles(configPaths);
+}
+/**
+ * Get a collect client for the specified partition using the provided configs.
+ *
+ * @param configs the top-level configs to use for storage
+ * @param partition which partition to use (aws, aws-cn, aws-us-gov)
+ * @returns the iam-collect client to use for retrieving IAM resources
+ */
+export function getCollectClient(configs, partition) {
+    return new IamCollectClient(createStorageClient(configs, partition));
+}
+//# sourceMappingURL=collect.js.map

package/dist/esm/collect/collect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"collect.js","sourceRoot":"","sources":["../../../src/collect/collect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkB,mBAAmB,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAA;AACjG,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAE9C;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,WAAqB;IAC5D,OAAO,eAAe,CAAC,WAAW,CAAC,CAAA;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAyB,EAAE,SAAiB;IAC3E,OAAO,IAAI,gBAAgB,CAAC,mBAAmB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAA;AACtE,CAAC"}

package/dist/esm/principals.d.ts

@@ -0,0 +1,40 @@
+import { AwsIamStore } from '@cloud-copilot/iam-collect';
+import { IamCollectClient } from './collect/client.js';
+/**
+ * Check if a principal exists in the specified AWS IAM store.
+ */
+export declare function principalExists(storageClient: AwsIamStore, principalArn: string): Promise<boolean>;
+/**
+ * Get all the IAM policies for a user, including managed and inline policies, permission boundaries, and group policies.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies
+ * @param principalArn the ARN of the user to get policies for
+ * @returns an object containing the managed policies, inline policies, permission boundary, and group policies
+ */
+export declare function getAllPoliciesForUser(collectClient: IamCollectClient, principalArn: string): Promise<{
+    scps: import("./collect/client.js").SimulationOrgPolicies[];
+    rcps: import("./collect/client.js").SimulationOrgPolicies[];
+    managedPolicies: import("./collect/client.js").ManagedPolicy[];
+    inlinePolicies: import("./collect/client.js").InlinePolicy[];
+    permissionBoundary: import("./collect/client.js").ManagedPolicy | undefined;
+    groupPolicies: {
+        group: string;
+        managedPolices: import("./collect/client.js").ManagedPolicy[];
+        inlinePolicies: import("./collect/client.js").InlinePolicy[];
+    }[];
+}>;
+/**
+ * Get all the IAM policies for a role, including managed and inline policies and permission boundaries.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies
+ * @param principalArn the ARN of the role to get policies for
+ * @returns an object containing the managed policies, inline policies, and permission boundary
+ */
+export declare function getAllPoliciesForRole(collectClient: IamCollectClient, principalArn: string): Promise<{
+    scps: import("./collect/client.js").SimulationOrgPolicies[];
+    rcps: import("./collect/client.js").SimulationOrgPolicies[];
+    managedPolices: import("./collect/client.js").ManagedPolicy[];
+    inlinePolicies: import("./collect/client.js").InlinePolicy[];
+    permissionBoundary: import("./collect/client.js").ManagedPolicy | undefined;
+}>;
+//# sourceMappingURL=principals.d.ts.map

package/dist/esm/principals.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"principals.d.ts","sourceRoot":"","sources":["../../src/principals.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAGtD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,WAAW,EAC1B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAIlB;AAOD;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CAAC,aAAa,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM;;;;;;;;;;;GA2BhG;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CAAC,aAAa,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM;;;;;;GAgBhG"}

package/dist/esm/principals.js

@@ -0,0 +1,66 @@
+import { splitArnParts } from './util/arn.js';
+/**
+ * Check if a principal exists in the specified AWS IAM store.
+ */
+export async function principalExists(storageClient, principalArn) {
+    const accountId = splitArnParts(principalArn).accountId;
+    const principalData = await storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
+    return !!principalData;
+}
+/**
+ * Get all the IAM policies for a user, including managed and inline policies, permission boundaries, and group policies.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies
+ * @param principalArn the ARN of the user to get policies for
+ * @returns an object containing the managed policies, inline policies, permission boundary, and group policies
+ */
+export async function getAllPoliciesForUser(collectClient, principalArn) {
+    const accountId = splitArnParts(principalArn).accountId;
+    const managedPolicies = await collectClient.getManagedPoliciesForUser(principalArn);
+    const inlinePolicies = await collectClient.getInlinePoliciesForUser(principalArn);
+    const permissionBoundary = await collectClient.getPermissionsBoundaryForUser(principalArn);
+    const groups = await collectClient.getGroupsForUser(principalArn);
+    const scps = await collectClient.getScpHierarchyForAccount(accountId);
+    const rcps = await collectClient.getRcpHierarchyForAccount(accountId);
+    const groupPolicies = [];
+    for (const group of groups) {
+        const groupManagedPolicies = await collectClient.getManagedPoliciesForGroup(group);
+        const groupInlinePolicies = await collectClient.getInlinePoliciesForGroup(group);
+        groupPolicies.push({
+            group,
+            managedPolices: groupManagedPolicies,
+            inlinePolicies: groupInlinePolicies
+        });
+    }
+    return {
+        scps,
+        rcps,
+        managedPolicies,
+        inlinePolicies,
+        permissionBoundary,
+        groupPolicies
+    };
+}
+/**
+ * Get all the IAM policies for a role, including managed and inline policies and permission boundaries.
+ *
+ * @param collectClient the IAM collect client to use for retrieving policies
+ * @param principalArn the ARN of the role to get policies for
+ * @returns an object containing the managed policies, inline policies, and permission boundary
+ */
+export async function getAllPoliciesForRole(collectClient, principalArn) {
+    const accountId = splitArnParts(principalArn).accountId;
+    const managedPolices = await collectClient.getManagedPoliciesForRole(principalArn);
+    const inlinePolicies = await collectClient.getInlinePoliciesForRole(principalArn);
+    const permissionBoundary = await collectClient.getPermissionsBoundaryForRole(principalArn);
+    const scps = await collectClient.getScpHierarchyForAccount(accountId);
+    const rcps = await collectClient.getRcpHierarchyForAccount(accountId);
+    return {
+        scps,
+        rcps,
+        managedPolices,
+        inlinePolicies,
+        permissionBoundary
+    };
+}
+//# sourceMappingURL=principals.js.map

package/dist/esm/principals.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"principals.js","sourceRoot":"","sources":["../../src/principals.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAA0B,EAC1B,YAAoB;IAEpB,MAAM,SAAS,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IACxD,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,EAAE,UAAU,CAAC,CAAA;IAClG,OAAO,CAAC,CAAC,aAAa,CAAA;AACxB,CAAC;AAOD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,aAA+B,EAAE,YAAoB;IAC/F,MAAM,SAAS,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAExD,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAA;IACnF,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,wBAAwB,CAAC,YAAY,CAAC,CAAA;IACjF,MAAM,kBAAkB,GAAG,MAAM,aAAa,CAAC,6BAA6B,CAAC,YAAY,CAAC,CAAA;IAC1F,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAA;IACjE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IACrE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IACrE,MAAM,aAAa,GAAG,EAAE,CAAA;IACxB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,oBAAoB,GAAG,MAAM,aAAa,CAAC,0BAA0B,CAAC,KAAK,CAAC,CAAA;QAClF,MAAM,mBAAmB,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,KAAK,CAAC,CAAA;QAChF,aAAa,CAAC,IAAI,CAAC;YACjB,KAAK;YACL,cAAc,EAAE,oBAAoB;YACpC,cAAc,EAAE,mBAAmB;SACpC,CAAC,CAAA;IACJ,CAAC;IACD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,eAAe;QACf,cAAc;QACd,kBAAkB;QAClB,aAAa;KACd,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,aAA+B,EAAE,YAAoB;IAC/F,MAAM,SAAS,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,SAAU,CAAA;IAExD,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAA;IAClF,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,wBAAwB,CAAC,YAAY,CAAC,CAAA;IACjF,MAAM,kBAAkB,GAAG,MAAM,aAAa,CAAC,6BAA6B,CAAC,YAAY,CAAC,CAAA;IAC1F,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IACrE,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;IAErE,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,cAAc;QACd,cAAc;QACd,kBAAkB;KACnB,CAAA;AACH,CAAC"}

package/dist/esm/resources.d.ts

@@ -0,0 +1,19 @@
+import { Simulation } from '@cloud-copilot/iam-simulate';
+import { IamCollectClient } from './collect/client.js';
+/**
+ * Get the account ID for a given resource ARN. Lookup index if necessary to find the account ID.
+ *
+ * @param collectClient the IAM collect client to use for retrieving the account ID
+ * @param resourceArn the ARN of the resource to get the account ID for
+ * @returns the account ID for the specified resource, or undefined if not found
+ */
+export declare function getAccountIdForResource(collectClient: IamCollectClient, resourceArn: string): Promise<string | undefined>;
+/**
+ * Get the resource control policies (RCPs) for a given resource ARN.
+ *
+ * @param collectClient the IAM collect client to use for retrieving RCPs
+ * @param resourceArn the ARN of the resource to get RCPs for
+ * @returns an array of resource control policies for the specified resource
+ */
+export declare function getRcpsForResource(collectClient: IamCollectClient, resourceArn: string): Promise<Simulation['resourceControlPolicies']>;
+//# sourceMappingURL=resources.d.ts.map

package/dist/esm/resources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.d.ts","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAGtD;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAC3C,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAc7B;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,aAAa,EAAE,gBAAgB,EAC/B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,CAAC,yBAAyB,CAAC,CAAC,CAMhD"}