@cloud-copilot/iam-lens 0.1.25 → 0.1.26

package/dist/esm/collect/client.js

@@ -1,29 +1,46 @@
 import { splitArnParts } from '@cloud-copilot/iam-utils';
-export class IamCollectClient {
-    constructor(storageClient, clientOptions) {
-        this.storageClient = storageClient;
-        this._cache = {};
-        this._enableCaching = clientOptions?.enableCaching !== false;
+class InMemoryCacheProvider {
+    constructor() {
+        this.cache = {};
     }
-    // Generic cache helper
     async withCache(cacheKey, fetcher) {
-        if (this._enableCaching && cacheKey in this._cache) {
-            return this._cache[cacheKey];
+        if (cacheKey in this.cache) {
+            return this.cache[cacheKey];
         }
         const value = await fetcher();
-        if (this._enableCaching) {
-            this._cache[cacheKey] = value;
-        }
+        this.cache[cacheKey] = value;
         return value;
     }
+}
+export class NoCacheProvider {
+    async withCache(cacheKey, fetcher) {
+        return fetcher();
+    }
+}
+export class IamCollectClient {
+    constructor(storageClient, clientOptions) {
+        this.storageClient = storageClient;
+        if (clientOptions?.cacheProvider === undefined) {
+            this.cacheProvider = new InMemoryCacheProvider();
+        }
+        else {
+            this.cacheProvider = clientOptions.cacheProvider;
+        }
+    }
+    async withCache(cacheKey, fetcher) {
+        return this.cacheProvider.withCache(cacheKey, fetcher);
+    }
     /**
      * Checks if an account exists in the store.
      * @param accountId The ID of the account to check.
      * @returns True if the account exists, false otherwise.
      */
     async accountExists(accountId) {
-        const accounts = await this.storageClient.listAccountIds();
-        return accounts.includes(accountId);
+        const cacheKey = `accountExists:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const accounts = await this.storageClient.listAccountIds();
+            return accounts.includes(accountId);
+        });
     }
     /**
      * Get all account IDs in the store.
@@ -31,7 +48,10 @@ export class IamCollectClient {
      * @returns all account IDs in the store
      */
     async allAccounts() {
-        return this.storageClient.listAccountIds();
+        const cacheKey = `allAccounts`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.listAccountIds();
+        });
     }
     /**
      * Checks if a principal exists in the store.
@@ -39,9 +59,12 @@ export class IamCollectClient {
      * @returns True if the principal exists, false otherwise.
      */
     async principalExists(principalArn) {
-        const accountId = splitArnParts(principalArn).accountId;
-        const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
-        return !!principalData;
+        const cacheKey = `principalExists:${principalArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(principalArn).accountId;
+            const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
+            return !!principalData;
+        });
     }
     /**
      * Gets the SCP Hierarchy for an account. The first element is the root, the last element is the account itself.
@@ -99,21 +122,24 @@ export class IamCollectClient {
      * @returns The OUs for the account.
      */
     async getOrgUnitHierarchyForAccount(accountId) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return [];
-        }
-        const ouIds = [];
-        let ouId = await this.getOrgUnitIdForAccount(accountId);
-        ouIds.push(ouId);
-        while (ouId) {
-            const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
-            if (parentOuId) {
-                ouIds.unshift(parentOuId);
+        const cacheKey = `orgUnitHierarchy:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return [];
             }
-            ouId = parentOuId;
-        }
-        return ouIds;
+            const ouIds = [];
+            let ouId = await this.getOrgUnitIdForAccount(accountId);
+            ouIds.push(ouId);
+            while (ouId) {
+                const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
+                if (parentOuId) {
+                    ouIds.unshift(parentOuId);
+                }
+                ouId = parentOuId;
+            }
+            return ouIds;
+        });
     }
     /**
      * Gets the org unit ID for an account.
@@ -121,12 +147,15 @@ export class IamCollectClient {
      * @returns The org unit ID for the account, or undefined if not found.
      */
     async getOrgUnitIdForAccount(accountId) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return undefined;
-        }
-        const accounts = (await this.getAccountDataForOrg(orgId));
-        return accounts[accountId].ou;
+        const cacheKey = `orgUnitId:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return undefined;
+            }
+            const accounts = (await this.getAccountDataForOrg(orgId));
+            return accounts[accountId].ou;
+        });
     }
     /**
      * Gets the parent org unit ID for a given org unit.
@@ -135,9 +164,12 @@ export class IamCollectClient {
      * @returns The parent org unit ID, or undefined if not found.
      */
     async getParentOrgUnitIdForOrgUnit(orgId, ouId) {
-        const ouData = await this.getOrgUnitsDataForOrg(orgId);
-        const ou = ouData[ouId];
-        return ou.parent;
+        const cacheKey = `parentOrgUnit:${orgId}:${ouId}`;
+        return this.withCache(cacheKey, async () => {
+            const ouData = await this.getOrgUnitsDataForOrg(orgId);
+            const ou = ouData[ouId];
+            return ou.parent;
+        });
     }
     /**
      * Gets the SCPs for an account.
@@ -154,19 +186,22 @@ export class IamCollectClient {
      * @returns The org policies for the account.
      */
     async getOrgPoliciesForAccount(accountId, policyType) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return [];
-        }
-        const accounts = (await this.getAccountDataForOrg(orgId));
-        const orgInformation = accounts[accountId];
-        const policyArns = orgInformation[policyType];
-        const policies = [];
-        for (const policyArn of policyArns) {
-            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
-            policies.push(policyInfo);
-        }
-        return policies;
+        const cacheKey = `orgPoliciesForAccount:${accountId}:${policyType}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return [];
+            }
+            const accounts = (await this.getAccountDataForOrg(orgId));
+            const orgInformation = accounts[accountId];
+            const policyArns = orgInformation[policyType];
+            const policies = [];
+            for (const policyArn of policyArns) {
+                const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+                policies.push(policyInfo);
+            }
+            return policies;
+        });
     }
     /**
      * Gets the account data for an organization.
@@ -174,7 +209,10 @@ export class IamCollectClient {
      * @returns The account data for the organization.
      */
     async getAccountDataForOrg(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+        const cacheKey = `accountDataForOrg:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+        });
     }
     /**
      * Gets the org units data for an organization.
@@ -182,7 +220,10 @@ export class IamCollectClient {
      * @returns The org units data for the organization.
      */
     async getOrgUnitsDataForOrg(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+        const cacheKey = `orgUnitsDataForOrg:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+        });
     }
     /**
      * Gets a specific org policy.
@@ -192,17 +233,20 @@ export class IamCollectClient {
      * @returns The org policy.
      */
     async getOrgPolicy(orgId, policyType, policyArn) {
-        const policyId = policyArn.split('/').at(-1);
-        const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
-        const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
-        if (!policyDocument) {
-            console.error(`Policy document not found for ${policyArn} in org ${orgId}`);
-        }
-        return {
-            arn: policyData.arn,
-            name: policyData.name,
-            policy: policyDocument
-        };
+        const cacheKey = `orgPolicy:${orgId}:${policyType}:${policyArn}`;
+        return this.withCache(cacheKey, async () => {
+            const policyId = policyArn.split('/').at(-1);
+            const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
+            const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
+            if (!policyDocument) {
+                console.error(`Policy document not found for ${policyArn} in org ${orgId}`);
+            }
+            return {
+                arn: policyData.arn,
+                name: policyData.name,
+                policy: policyDocument
+            };
+        });
     }
     /**
      * Gets the RCPs for an account.
@@ -237,15 +281,18 @@ export class IamCollectClient {
      * @returns The org policies for the org unit.
      */
     async getOrgPoliciesForOrgUnit(orgId, orgUnitId, policyType) {
-        const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
-        const orgUnit = orgUnitInformation[orgUnitId];
-        const orgPolicies = orgUnit[policyType];
-        const policies = [];
-        for (const policyArn of orgPolicies) {
-            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
-            policies.push(policyInfo);
-        }
-        return policies;
+        const cacheKey = `orgPoliciesForOrgUnit:${orgId}:${orgUnitId}:${policyType}`;
+        return this.withCache(cacheKey, async () => {
+            const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
+            const orgUnit = orgUnitInformation[orgUnitId];
+            const orgPolicies = orgUnit[policyType];
+            const policies = [];
+            for (const policyArn of orgPolicies) {
+                const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+                policies.push(policyInfo);
+            }
+            return policies;
+        });
     }
     /**
      * Gets the RCPs for an org unit.
@@ -262,17 +309,23 @@ export class IamCollectClient {
      * @returns The org ID for the account, or undefined if not found.
      */
     async getOrgIdForAccount(accountId) {
-        const index = await this.storageClient.getIndex('accounts-to-orgs', {});
+        const index = await this.getIndex('accounts-to-orgs', {});
         const accountToOrgMap = index.data;
         return accountToOrgMap[accountId];
     }
+    async getIndex(indexName, defaultValue) {
+        const cacheKey = `index:${indexName}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getIndex(indexName, defaultValue);
+        });
+    }
     /**
      * Gets the account ID for a given S3 bucket name.
      * @param bucketName The name of the bucket.
      * @returns The account ID for the bucket, or undefined if not found.
      */
     async getAccountIdForBucket(bucketName) {
-        const index = await this.storageClient.getIndex('buckets-to-accounts', {});
+        const index = await this.getIndex('buckets-to-accounts', {});
         const bucketToAccountMap = index.data;
         return bucketToAccountMap[bucketName]?.accountId;
     }
@@ -282,7 +335,7 @@ export class IamCollectClient {
      * @returns The account ID for the API Gateway, or undefined if not found.
      */
     async getAccountIdForRestApi(apiArn) {
-        const index = await this.storageClient.getIndex('apigateways-to-accounts', {});
+        const index = await this.getIndex('apigateways-to-accounts', {});
         const bucketToAccountMap = index.data;
         return bucketToAccountMap[apiArn];
     }
@@ -304,16 +357,19 @@ export class IamCollectClient {
         });
     }
     async getManagedPolicy(accountId, policyArn) {
-        const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
-        const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'current-policy');
-        if (!policyDocument) {
-            console.error(`Policy document not found for ${policyArn} in account ${accountId}`);
-        }
-        return {
-            arn: policyMetadata.arn,
-            name: policyMetadata.name,
-            policy: policyDocument
-        };
+        const cacheKey = `managedPolicy:${accountId}:${policyArn}`;
+        return this.withCache(cacheKey, async () => {
+            const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
+            const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'current-policy');
+            if (!policyDocument) {
+                console.error(`Policy document not found for ${policyArn} in account ${accountId}`);
+            }
+            return {
+                arn: policyMetadata.arn,
+                name: policyMetadata.name,
+                policy: policyDocument
+            };
+        });
     }
     /**
      * Gets the inline policies attached to a user.
@@ -332,9 +388,12 @@ export class IamCollectClient {
         });
     }
     async getIamUserMetadata(userArn) {
-        const accountId = splitArnParts(userArn).accountId;
-        // The permissions boundary is stored as a policy ARN on the user resource metadata
-        return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+        const cacheKey = `iamUserMetadata:${userArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(userArn).accountId;
+            // The permissions boundary is stored as a policy ARN on the user resource metadata
+            return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+        });
     }
     /**
      * Gets the permissions boundary policy attached to a user, if any.
@@ -446,7 +505,10 @@ export class IamCollectClient {
      * @returns the metadata for the organization
      */
     async getOrganizationMetadata(organizationId) {
-        return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+        const cacheKey = `organizationMetadata:${organizationId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+        });
     }
     /**
      * Gets the resource policy for a given resource ARN and account.
@@ -456,13 +518,16 @@ export class IamCollectClient {
      * @returns The resource policy, or undefined if not found.
      */
     async getResourcePolicyForArn(resourceArn, accountId) {
-        const arnParts = splitArnParts(resourceArn);
-        let metadataKey = 'policy';
-        if (arnParts.service === 'iam' && arnParts.resourceType === 'role') {
-            metadataKey = 'trust-policy';
-        }
-        const resourcePolicy = await this.storageClient.getResourceMetadata(accountId, resourceArn, metadataKey);
-        return resourcePolicy;
+        const cacheKey = `resourcePolicy:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const arnParts = splitArnParts(resourceArn);
+            let metadataKey = 'policy';
+            if (arnParts.service === 'iam' && arnParts.resourceType === 'role') {
+                metadataKey = 'trust-policy';
+            }
+            const resourcePolicy = await this.storageClient.getResourceMetadata(accountId, resourceArn, metadataKey);
+            return resourcePolicy;
+        });
     }
     /**
      * Gets the RAM share policy for a given resource ARN and account.
@@ -472,8 +537,11 @@ export class IamCollectClient {
      * @returns The RAM share policy, or undefined if not found.
      */
     async getRamSharePolicyForArn(resourceArn, accountId) {
-        const armSharePolicy = await this.storageClient.getRamResource(accountId, resourceArn);
-        return armSharePolicy?.policy;
+        const cacheKey = `ramSharePolicy:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const armSharePolicy = await this.storageClient.getRamResource(accountId, resourceArn);
+            return armSharePolicy?.policy;
+        });
     }
     /**
      * Gets the tags for a given resource ARN and account.
@@ -483,8 +551,11 @@ export class IamCollectClient {
      * @returns The tags as a record, or undefined if not found.
      */
     async getTagsForResource(resourceArn, accountId) {
-        const tags = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'tags');
-        return tags || {};
+        const cacheKey = `tagsForResource:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const tags = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'tags');
+            return tags || {};
+        });
     }
     /**
      * Gets a unique ID for an IAM resource based on its ARN and account ID.
@@ -495,9 +566,12 @@ export class IamCollectClient {
      * @returns a unique ID for the resource, or undefined if not found
      */
     async getUniqueIdForIamResource(resourceArn) {
-        const accountId = splitArnParts(resourceArn).accountId;
-        const resourceMetadata = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'metadata');
-        return resourceMetadata?.id;
+        const cacheKey = `uniqueIdForIamResource:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(resourceArn).accountId;
+            const resourceMetadata = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'metadata');
+            return resourceMetadata?.id;
+        });
     }
     /**
      * Get the account IDs for an organization.
@@ -520,52 +594,61 @@ export class IamCollectClient {
      * @returns returns the organization structure or undefined if not found
      */
     async getOrganizationStructure(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'structure');
+        const cacheKey = `organizationStructure:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'structure');
+        });
     }
     async getAccountsForOrgPath(orgId, ouIds) {
-        const orgUnits = await this.getOrganizationStructure(orgId);
-        if (!orgUnits || ouIds.length === 0) {
-            return [false, []];
-        }
-        const rootOu = orgUnits[ouIds[0]];
-        // Now look through the structure to find the OU
-        let currentStructure = rootOu;
-        for (const ou of ouIds.slice(1)) {
-            currentStructure = currentStructure.children?.[ou];
-            if (!currentStructure) {
-                return [false, []]; // OU not found in the structure
+        const cacheKey = `accountsForOrgPath:${orgId}:${ouIds.join('/')}`;
+        return this.withCache(cacheKey, async () => {
+            const orgUnits = await this.getOrganizationStructure(orgId);
+            if (!orgUnits || ouIds.length === 0) {
+                return [false, []];
             }
-        }
-        const getAccountId = (a) => a.split('/').at(-1);
-        const accounts = [];
-        if (currentStructure.accounts) {
-            accounts.push(...currentStructure.accounts?.map(getAccountId));
-        }
-        const children = Object.values(currentStructure.children || {});
-        // Traverse the children to collect all accounts
-        while (children.length > 0) {
-            const child = children.shift();
-            if (child?.accounts) {
-                accounts.push(...child.accounts.map(getAccountId));
+            const rootOu = orgUnits[ouIds[0]];
+            // Now look through the structure to find the OU
+            let currentStructure = rootOu;
+            for (const ou of ouIds.slice(1)) {
+                currentStructure = currentStructure.children?.[ou];
+                if (!currentStructure) {
+                    return [false, []]; // OU not found in the structure
+                }
             }
-            if (child?.children) {
-                children.push(...Object.values(child.children));
+            const getAccountId = (a) => a.split('/').at(-1);
+            const accounts = [];
+            if (currentStructure.accounts) {
+                accounts.push(...currentStructure.accounts?.map(getAccountId));
             }
-        }
-        return [true, accounts];
+            const children = Object.values(currentStructure.children || {});
+            // Traverse the children to collect all accounts
+            while (children.length > 0) {
+                const child = children.shift();
+                if (child?.accounts) {
+                    accounts.push(...child.accounts.map(getAccountId));
+                }
+                if (child?.children) {
+                    children.push(...Object.values(child.children));
+                }
+            }
+            return [true, accounts];
+        });
     }
     async getAllPrincipalsInAccount(accountId) {
-        const iamUsers = await this.storageClient.findResourceMetadata(accountId, {
-            service: 'iam',
-            resourceType: 'user',
-            account: accountId
-        });
-        const iamRoles = await this.storageClient.findResourceMetadata(accountId, {
-            service: 'iam',
-            resourceType: 'role',
-            account: accountId
+        const cacheKey = `allPrincipalsInAccount:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const iamUsers = await this.storageClient.findResourceMetadata(accountId, {
+                service: 'iam',
+                resourceType: 'user',
+                account: accountId
+            });
+            const iamRoles = await this.storageClient.findResourceMetadata(accountId, {
+                service: 'iam',
+                resourceType: 'role',
+                account: accountId
+            });
+            return [...iamUsers.map((user) => user.arn), ...iamRoles.map((role) => role.arn)];
         });
-        return [...iamUsers.map((user) => user.arn), ...iamRoles.map((role) => role.arn)];
     }
     /**
      * Get the VPC endpoint policy for a given VPC endpoint ARN.
@@ -574,9 +657,12 @@ export class IamCollectClient {
      * @returns the VPC endpoint policy, or undefined if not found
      */
     async getVpcEndpointPolicyForArn(vpcEndpointArn) {
-        const accountId = splitArnParts(vpcEndpointArn).accountId;
-        const vpcEndpointPolicy = await this.storageClient.getResourceMetadata(accountId, vpcEndpointArn, 'endpoint-policy');
-        return vpcEndpointPolicy;
+        const cacheKey = `vpcEndpointPolicy:${vpcEndpointArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(vpcEndpointArn).accountId;
+            const vpcEndpointPolicy = await this.storageClient.getResourceMetadata(accountId, vpcEndpointArn, 'endpoint-policy');
+            return vpcEndpointPolicy;
+        });
     }
     /**
      * Get the ARN of a VPC endpoint given its ID.
@@ -584,7 +670,7 @@ export class IamCollectClient {
      * @returns the ARN of the VPC endpoint, or undefined if not found
      */
     async getVpcEndpointArnForVpcEndpointId(vpcEndpointId) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });
@@ -598,7 +684,7 @@ export class IamCollectClient {
      * @returns the VPC endpoint ID, or undefined if not found
      */
     async getVpcEndpointIdForVpcService(vpcId, service) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });
@@ -616,7 +702,7 @@ export class IamCollectClient {
      * @returns the VPC ID, or undefined if not found
      */
     async getVpcIdForVpcEndpointId(vpcEndpointId) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });