@cloud-copilot/iam-lens 0.1.25 → 0.1.27

package/dist/cjs/collect/client.js

@@ -1,25 +1,54 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IamCollectClient = void 0;
+exports.IamCollectClient = exports.NoCacheProvider = exports.InMemoryCacheProvider = void 0;
 const iam_utils_1 = require("@cloud-copilot/iam-utils");
+/**
+ * A cache provider that stores results in memory for a single worker.
+ */
+class InMemoryCacheProvider {
+    cache = {};
+    async withCache(cacheKey, fetcher) {
+        if (cacheKey in this.cache) {
+            return this.cache[cacheKey];
+        }
+        const value = await fetcher();
+        this.cache[cacheKey] = value;
+        return value;
+    }
+}
+exports.InMemoryCacheProvider = InMemoryCacheProvider;
+/**
+ * A cache provider that does not cache results.
+ */
+class NoCacheProvider {
+    async withCache(cacheKey, fetcher) {
+        return fetcher();
+    }
+}
+exports.NoCacheProvider = NoCacheProvider;
+/**
+ * A client for simplifying access to the IAM collect data store.
+ */
 class IamCollectClient {
     storageClient;
-    _cache = {};
-    _enableCaching;
+    cacheProvider;
+    /**
+     * Creates a new instance of the IamCollectClient.
+     *
+     * @param storageClient the iam-collect storage client to use for data access
+     * @param clientOptions optional configuration options for the client. By default, uses an in-memory cache provider.
+     */
     constructor(storageClient, clientOptions) {
         this.storageClient = storageClient;
-        this._enableCaching = clientOptions?.enableCaching !== false;
-    }
-    // Generic cache helper
-    async withCache(cacheKey, fetcher) {
-        if (this._enableCaching && cacheKey in this._cache) {
-            return this._cache[cacheKey];
+        if (clientOptions?.cacheProvider === undefined) {
+            this.cacheProvider = new InMemoryCacheProvider();
         }
-        const value = await fetcher();
-        if (this._enableCaching) {
-            this._cache[cacheKey] = value;
+        else {
+            this.cacheProvider = clientOptions.cacheProvider;
         }
-        return value;
+    }
+    async withCache(cacheKey, fetcher) {
+        return this.cacheProvider.withCache(cacheKey, fetcher);
     }
     /**
      * Checks if an account exists in the store.
@@ -27,8 +56,11 @@ class IamCollectClient {
      * @returns True if the account exists, false otherwise.
      */
     async accountExists(accountId) {
-        const accounts = await this.storageClient.listAccountIds();
-        return accounts.includes(accountId);
+        const cacheKey = `accountExists:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const accounts = await this.storageClient.listAccountIds();
+            return accounts.includes(accountId);
+        });
     }
     /**
      * Get all account IDs in the store.
@@ -36,7 +68,10 @@ class IamCollectClient {
      * @returns all account IDs in the store
      */
     async allAccounts() {
-        return this.storageClient.listAccountIds();
+        const cacheKey = `allAccounts`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.listAccountIds();
+        });
     }
     /**
      * Checks if a principal exists in the store.
@@ -44,9 +79,12 @@ class IamCollectClient {
      * @returns True if the principal exists, false otherwise.
      */
     async principalExists(principalArn) {
-        const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
-        const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
-        return !!principalData;
+        const cacheKey = `principalExists:${principalArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = (0, iam_utils_1.splitArnParts)(principalArn).accountId;
+            const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
+            return !!principalData;
+        });
     }
     /**
      * Gets the SCP Hierarchy for an account. The first element is the root, the last element is the account itself.
@@ -104,21 +142,24 @@ class IamCollectClient {
      * @returns The OUs for the account.
      */
     async getOrgUnitHierarchyForAccount(accountId) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return [];
-        }
-        const ouIds = [];
-        let ouId = await this.getOrgUnitIdForAccount(accountId);
-        ouIds.push(ouId);
-        while (ouId) {
-            const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
-            if (parentOuId) {
-                ouIds.unshift(parentOuId);
+        const cacheKey = `orgUnitHierarchy:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return [];
             }
-            ouId = parentOuId;
-        }
-        return ouIds;
+            const ouIds = [];
+            let ouId = await this.getOrgUnitIdForAccount(accountId);
+            ouIds.push(ouId);
+            while (ouId) {
+                const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
+                if (parentOuId) {
+                    ouIds.unshift(parentOuId);
+                }
+                ouId = parentOuId;
+            }
+            return ouIds;
+        });
     }
     /**
      * Gets the org unit ID for an account.
@@ -126,12 +167,15 @@ class IamCollectClient {
      * @returns The org unit ID for the account, or undefined if not found.
      */
     async getOrgUnitIdForAccount(accountId) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return undefined;
-        }
-        const accounts = (await this.getAccountDataForOrg(orgId));
-        return accounts[accountId].ou;
+        const cacheKey = `orgUnitId:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return undefined;
+            }
+            const accounts = (await this.getAccountDataForOrg(orgId));
+            return accounts[accountId].ou;
+        });
     }
     /**
      * Gets the parent org unit ID for a given org unit.
@@ -140,9 +184,12 @@ class IamCollectClient {
      * @returns The parent org unit ID, or undefined if not found.
      */
     async getParentOrgUnitIdForOrgUnit(orgId, ouId) {
-        const ouData = await this.getOrgUnitsDataForOrg(orgId);
-        const ou = ouData[ouId];
-        return ou.parent;
+        const cacheKey = `parentOrgUnit:${orgId}:${ouId}`;
+        return this.withCache(cacheKey, async () => {
+            const ouData = await this.getOrgUnitsDataForOrg(orgId);
+            const ou = ouData[ouId];
+            return ou.parent;
+        });
     }
     /**
      * Gets the SCPs for an account.
@@ -159,19 +206,22 @@ class IamCollectClient {
      * @returns The org policies for the account.
      */
     async getOrgPoliciesForAccount(accountId, policyType) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return [];
-        }
-        const accounts = (await this.getAccountDataForOrg(orgId));
-        const orgInformation = accounts[accountId];
-        const policyArns = orgInformation[policyType];
-        const policies = [];
-        for (const policyArn of policyArns) {
-            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
-            policies.push(policyInfo);
-        }
-        return policies;
+        const cacheKey = `orgPoliciesForAccount:${accountId}:${policyType}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return [];
+            }
+            const accounts = (await this.getAccountDataForOrg(orgId));
+            const orgInformation = accounts[accountId];
+            const policyArns = orgInformation[policyType];
+            const policies = [];
+            for (const policyArn of policyArns) {
+                const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+                policies.push(policyInfo);
+            }
+            return policies;
+        });
     }
     /**
      * Gets the account data for an organization.
@@ -179,7 +229,10 @@ class IamCollectClient {
      * @returns The account data for the organization.
      */
     async getAccountDataForOrg(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+        const cacheKey = `accountDataForOrg:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+        });
     }
     /**
      * Gets the org units data for an organization.
@@ -187,7 +240,10 @@ class IamCollectClient {
      * @returns The org units data for the organization.
      */
     async getOrgUnitsDataForOrg(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+        const cacheKey = `orgUnitsDataForOrg:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+        });
     }
     /**
      * Gets a specific org policy.
@@ -197,17 +253,20 @@ class IamCollectClient {
      * @returns The org policy.
      */
     async getOrgPolicy(orgId, policyType, policyArn) {
-        const policyId = policyArn.split('/').at(-1);
-        const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
-        const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
-        if (!policyDocument) {
-            console.error(`Policy document not found for ${policyArn} in org ${orgId}`);
-        }
-        return {
-            arn: policyData.arn,
-            name: policyData.name,
-            policy: policyDocument
-        };
+        const cacheKey = `orgPolicy:${orgId}:${policyType}:${policyArn}`;
+        return this.withCache(cacheKey, async () => {
+            const policyId = policyArn.split('/').at(-1);
+            const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
+            const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
+            if (!policyDocument) {
+                console.error(`Policy document not found for ${policyArn} in org ${orgId}`);
+            }
+            return {
+                arn: policyData.arn,
+                name: policyData.name,
+                policy: policyDocument
+            };
+        });
     }
     /**
      * Gets the RCPs for an account.
@@ -242,15 +301,18 @@ class IamCollectClient {
      * @returns The org policies for the org unit.
      */
     async getOrgPoliciesForOrgUnit(orgId, orgUnitId, policyType) {
-        const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
-        const orgUnit = orgUnitInformation[orgUnitId];
-        const orgPolicies = orgUnit[policyType];
-        const policies = [];
-        for (const policyArn of orgPolicies) {
-            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
-            policies.push(policyInfo);
-        }
-        return policies;
+        const cacheKey = `orgPoliciesForOrgUnit:${orgId}:${orgUnitId}:${policyType}`;
+        return this.withCache(cacheKey, async () => {
+            const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
+            const orgUnit = orgUnitInformation[orgUnitId];
+            const orgPolicies = orgUnit[policyType];
+            const policies = [];
+            for (const policyArn of orgPolicies) {
+                const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+                policies.push(policyInfo);
+            }
+            return policies;
+        });
     }
     /**
      * Gets the RCPs for an org unit.
@@ -267,17 +329,23 @@ class IamCollectClient {
      * @returns The org ID for the account, or undefined if not found.
      */
     async getOrgIdForAccount(accountId) {
-        const index = await this.storageClient.getIndex('accounts-to-orgs', {});
+        const index = await this.getIndex('accounts-to-orgs', {});
         const accountToOrgMap = index.data;
         return accountToOrgMap[accountId];
     }
+    async getIndex(indexName, defaultValue) {
+        const cacheKey = `index:${indexName}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getIndex(indexName, defaultValue);
+        });
+    }
     /**
      * Gets the account ID for a given S3 bucket name.
      * @param bucketName The name of the bucket.
      * @returns The account ID for the bucket, or undefined if not found.
      */
     async getAccountIdForBucket(bucketName) {
-        const index = await this.storageClient.getIndex('buckets-to-accounts', {});
+        const index = await this.getIndex('buckets-to-accounts', {});
         const bucketToAccountMap = index.data;
         return bucketToAccountMap[bucketName]?.accountId;
     }
@@ -287,7 +355,7 @@ class IamCollectClient {
      * @returns The account ID for the API Gateway, or undefined if not found.
      */
     async getAccountIdForRestApi(apiArn) {
-        const index = await this.storageClient.getIndex('apigateways-to-accounts', {});
+        const index = await this.getIndex('apigateways-to-accounts', {});
         const bucketToAccountMap = index.data;
         return bucketToAccountMap[apiArn];
     }
@@ -309,16 +377,19 @@ class IamCollectClient {
         });
     }
     async getManagedPolicy(accountId, policyArn) {
-        const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
-        const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'current-policy');
-        if (!policyDocument) {
-            console.error(`Policy document not found for ${policyArn} in account ${accountId}`);
-        }
-        return {
-            arn: policyMetadata.arn,
-            name: policyMetadata.name,
-            policy: policyDocument
-        };
+        const cacheKey = `managedPolicy:${accountId}:${policyArn}`;
+        return this.withCache(cacheKey, async () => {
+            const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
+            const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'current-policy');
+            if (!policyDocument) {
+                console.error(`Policy document not found for ${policyArn} in account ${accountId}`);
+            }
+            return {
+                arn: policyMetadata.arn,
+                name: policyMetadata.name,
+                policy: policyDocument
+            };
+        });
     }
     /**
      * Gets the inline policies attached to a user.
@@ -336,10 +407,19 @@ class IamCollectClient {
             }));
         });
     }
+    /**
+     * Gets metadata for an IAM user.
+     *
+     * @param userArn the ARN of the user.
+     * @returns the metadata for the user, or undefined if not found.
+     */
     async getIamUserMetadata(userArn) {
-        const accountId = (0, iam_utils_1.splitArnParts)(userArn).accountId;
-        // The permissions boundary is stored as a policy ARN on the user resource metadata
-        return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+        const cacheKey = `iamUserMetadata:${userArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = (0, iam_utils_1.splitArnParts)(userArn).accountId;
+            // The permissions boundary is stored as a policy ARN on the user resource metadata
+            return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+        });
     }
     /**
      * Gets the permissions boundary policy attached to a user, if any.
@@ -394,6 +474,12 @@ class IamCollectClient {
             return results;
         });
     }
+    /**
+     * Get the inline policies attached to a group.
+     *
+     * @param groupArn the ARN of the group.
+     * @returns the inline policies for the group.
+     */
     async getInlinePoliciesForGroup(groupArn) {
         const cacheKey = `groupInlinePolicies:${groupArn}`;
         return this.withCache(cacheKey, async () => {
@@ -405,6 +491,11 @@ class IamCollectClient {
             }));
         });
     }
+    /**
+     * Gets the managed policies attached to a role.
+     * @param roleArn the ARN of the role.
+     * @returns the managed policies attached to the role.
+     */
     async getManagedPoliciesForRole(roleArn) {
         const cacheKey = `managedPoliciesForRole:${roleArn}`;
         return this.withCache(cacheKey, async () => {
@@ -417,6 +508,12 @@ class IamCollectClient {
             return results;
         });
     }
+    /**
+     * Get the inline policies attached to a role.
+     *
+     * @param roleArn the ARN of the role.
+     * @returns the inline policies for the role.
+     */
     async getInlinePoliciesForRole(roleArn) {
         const cacheKey = `inlinePoliciesForRole:${roleArn}`;
         return this.withCache(cacheKey, async () => {
@@ -428,6 +525,11 @@ class IamCollectClient {
             }));
         });
     }
+    /**
+     * Get the permissions boundary policy attached to a role, if any.
+     * @param roleArn the ARN of the role.
+     * @returns the permissions boundary policy as a ManagedPolicy, or undefined if none is set.
+     */
     async getPermissionsBoundaryForRole(roleArn) {
         const cacheKey = `permissionBoundaryForRole:${roleArn}`;
         return this.withCache(cacheKey, async () => {
@@ -451,7 +553,10 @@ class IamCollectClient {
      * @returns the metadata for the organization
      */
     async getOrganizationMetadata(organizationId) {
-        return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+        const cacheKey = `organizationMetadata:${organizationId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+        });
     }
     /**
      * Gets the resource policy for a given resource ARN and account.
@@ -461,13 +566,16 @@ class IamCollectClient {
      * @returns The resource policy, or undefined if not found.
      */
     async getResourcePolicyForArn(resourceArn, accountId) {
-        const arnParts = (0, iam_utils_1.splitArnParts)(resourceArn);
-        let metadataKey = 'policy';
-        if (arnParts.service === 'iam' && arnParts.resourceType === 'role') {
-            metadataKey = 'trust-policy';
-        }
-        const resourcePolicy = await this.storageClient.getResourceMetadata(accountId, resourceArn, metadataKey);
-        return resourcePolicy;
+        const cacheKey = `resourcePolicy:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const arnParts = (0, iam_utils_1.splitArnParts)(resourceArn);
+            let metadataKey = 'policy';
+            if (arnParts.service === 'iam' && arnParts.resourceType === 'role') {
+                metadataKey = 'trust-policy';
+            }
+            const resourcePolicy = await this.storageClient.getResourceMetadata(accountId, resourceArn, metadataKey);
+            return resourcePolicy;
+        });
     }
     /**
      * Gets the RAM share policy for a given resource ARN and account.
@@ -477,8 +585,11 @@ class IamCollectClient {
      * @returns The RAM share policy, or undefined if not found.
      */
     async getRamSharePolicyForArn(resourceArn, accountId) {
-        const armSharePolicy = await this.storageClient.getRamResource(accountId, resourceArn);
-        return armSharePolicy?.policy;
+        const cacheKey = `ramSharePolicy:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const armSharePolicy = await this.storageClient.getRamResource(accountId, resourceArn);
+            return armSharePolicy?.policy;
+        });
     }
     /**
      * Gets the tags for a given resource ARN and account.
@@ -488,8 +599,11 @@ class IamCollectClient {
      * @returns The tags as a record, or undefined if not found.
      */
     async getTagsForResource(resourceArn, accountId) {
-        const tags = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'tags');
-        return tags || {};
+        const cacheKey = `tagsForResource:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const tags = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'tags');
+            return tags || {};
+        });
     }
     /**
      * Gets a unique ID for an IAM resource based on its ARN and account ID.
@@ -500,9 +614,12 @@ class IamCollectClient {
      * @returns a unique ID for the resource, or undefined if not found
      */
     async getUniqueIdForIamResource(resourceArn) {
-        const accountId = (0, iam_utils_1.splitArnParts)(resourceArn).accountId;
-        const resourceMetadata = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'metadata');
-        return resourceMetadata?.id;
+        const cacheKey = `uniqueIdForIamResource:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = (0, iam_utils_1.splitArnParts)(resourceArn).accountId;
+            const resourceMetadata = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'metadata');
+            return resourceMetadata?.id;
+        });
     }
     /**
      * Get the account IDs for an organization.
@@ -525,52 +642,74 @@ class IamCollectClient {
      * @returns returns the organization structure or undefined if not found
      */
     async getOrganizationStructure(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'structure');
+        const cacheKey = `organizationStructure:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'structure');
+        });
     }
+    /**
+     * Get the accounts for a given organization path.
+     *
+     * @param orgId the ID of the organization
+     * @param ouIds the ids of the organizational units in the path
+     * @returns a tuple containing a boolean indicating success and an array of account IDs
+     */
     async getAccountsForOrgPath(orgId, ouIds) {
-        const orgUnits = await this.getOrganizationStructure(orgId);
-        if (!orgUnits || ouIds.length === 0) {
-            return [false, []];
-        }
-        const rootOu = orgUnits[ouIds[0]];
-        // Now look through the structure to find the OU
-        let currentStructure = rootOu;
-        for (const ou of ouIds.slice(1)) {
-            currentStructure = currentStructure.children?.[ou];
-            if (!currentStructure) {
-                return [false, []]; // OU not found in the structure
+        const cacheKey = `accountsForOrgPath:${orgId}:${ouIds.join('/')}`;
+        return this.withCache(cacheKey, async () => {
+            const orgUnits = await this.getOrganizationStructure(orgId);
+            if (!orgUnits || ouIds.length === 0) {
+                return [false, []];
             }
-        }
-        const getAccountId = (a) => a.split('/').at(-1);
-        const accounts = [];
-        if (currentStructure.accounts) {
-            accounts.push(...currentStructure.accounts?.map(getAccountId));
-        }
-        const children = Object.values(currentStructure.children || {});
-        // Traverse the children to collect all accounts
-        while (children.length > 0) {
-            const child = children.shift();
-            if (child?.accounts) {
-                accounts.push(...child.accounts.map(getAccountId));
+            const rootOu = orgUnits[ouIds[0]];
+            // Now look through the structure to find the OU
+            let currentStructure = rootOu;
+            for (const ou of ouIds.slice(1)) {
+                currentStructure = currentStructure.children?.[ou];
+                if (!currentStructure) {
+                    return [false, []]; // OU not found in the structure
+                }
             }
-            if (child?.children) {
-                children.push(...Object.values(child.children));
+            const getAccountId = (a) => a.split('/').at(-1);
+            const accounts = [];
+            if (currentStructure.accounts) {
+                accounts.push(...currentStructure.accounts?.map(getAccountId));
             }
-        }
-        return [true, accounts];
+            const children = Object.values(currentStructure.children || {});
+            // Traverse the children to collect all accounts
+            while (children.length > 0) {
+                const child = children.shift();
+                if (child?.accounts) {
+                    accounts.push(...child.accounts.map(getAccountId));
+                }
+                if (child?.children) {
+                    children.push(...Object.values(child.children));
+                }
+            }
+            return [true, accounts];
+        });
     }
+    /**
+     * Get all the principals (users and roles) in a given account.
+     *
+     * @param accountId the ID of the account
+     * @returns a list of all principal ARNs in the account
+     */
     async getAllPrincipalsInAccount(accountId) {
-        const iamUsers = await this.storageClient.findResourceMetadata(accountId, {
-            service: 'iam',
-            resourceType: 'user',
-            account: accountId
-        });
-        const iamRoles = await this.storageClient.findResourceMetadata(accountId, {
-            service: 'iam',
-            resourceType: 'role',
-            account: accountId
+        const cacheKey = `allPrincipalsInAccount:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const iamUsers = await this.storageClient.findResourceMetadata(accountId, {
+                service: 'iam',
+                resourceType: 'user',
+                account: accountId
+            });
+            const iamRoles = await this.storageClient.findResourceMetadata(accountId, {
+                service: 'iam',
+                resourceType: 'role',
+                account: accountId
+            });
+            return [...iamUsers.map((user) => user.arn), ...iamRoles.map((role) => role.arn)];
         });
-        return [...iamUsers.map((user) => user.arn), ...iamRoles.map((role) => role.arn)];
     }
     /**
      * Get the VPC endpoint policy for a given VPC endpoint ARN.
@@ -579,9 +718,12 @@ class IamCollectClient {
      * @returns the VPC endpoint policy, or undefined if not found
      */
     async getVpcEndpointPolicyForArn(vpcEndpointArn) {
-        const accountId = (0, iam_utils_1.splitArnParts)(vpcEndpointArn).accountId;
-        const vpcEndpointPolicy = await this.storageClient.getResourceMetadata(accountId, vpcEndpointArn, 'endpoint-policy');
-        return vpcEndpointPolicy;
+        const cacheKey = `vpcEndpointPolicy:${vpcEndpointArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = (0, iam_utils_1.splitArnParts)(vpcEndpointArn).accountId;
+            const vpcEndpointPolicy = await this.storageClient.getResourceMetadata(accountId, vpcEndpointArn, 'endpoint-policy');
+            return vpcEndpointPolicy;
+        });
     }
     /**
      * Get the ARN of a VPC endpoint given its ID.
@@ -589,7 +731,7 @@ class IamCollectClient {
      * @returns the ARN of the VPC endpoint, or undefined if not found
      */
     async getVpcEndpointArnForVpcEndpointId(vpcEndpointId) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });
@@ -603,7 +745,7 @@ class IamCollectClient {
      * @returns the VPC endpoint ID, or undefined if not found
      */
     async getVpcEndpointIdForVpcService(vpcId, service) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });
@@ -621,7 +763,7 @@ class IamCollectClient {
      * @returns the VPC ID, or undefined if not found
      */
     async getVpcIdForVpcEndpointId(vpcEndpointId) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });