@cloud-copilot/iam-lens 0.1.25 → 0.1.27

package/dist/esm/collect/client.js

@@ -1,29 +1,61 @@
 import { splitArnParts } from '@cloud-copilot/iam-utils';
-export class IamCollectClient {
-    constructor(storageClient, clientOptions) {
-        this.storageClient = storageClient;
-        this._cache = {};
-        this._enableCaching = clientOptions?.enableCaching !== false;
+/**
+ * A cache provider that stores results in memory for a single worker.
+ */
+export class InMemoryCacheProvider {
+    constructor() {
+        this.cache = {};
     }
-    // Generic cache helper
     async withCache(cacheKey, fetcher) {
-        if (this._enableCaching && cacheKey in this._cache) {
-            return this._cache[cacheKey];
+        if (cacheKey in this.cache) {
+            return this.cache[cacheKey];
         }
         const value = await fetcher();
-        if (this._enableCaching) {
-            this._cache[cacheKey] = value;
-        }
+        this.cache[cacheKey] = value;
         return value;
     }
+}
+/**
+ * A cache provider that does not cache results.
+ */
+export class NoCacheProvider {
+    async withCache(cacheKey, fetcher) {
+        return fetcher();
+    }
+}
+/**
+ * A client for simplifying access to the IAM collect data store.
+ */
+export class IamCollectClient {
+    /**
+     * Creates a new instance of the IamCollectClient.
+     *
+     * @param storageClient the iam-collect storage client to use for data access
+     * @param clientOptions optional configuration options for the client. By default, uses an in-memory cache provider.
+     */
+    constructor(storageClient, clientOptions) {
+        this.storageClient = storageClient;
+        if (clientOptions?.cacheProvider === undefined) {
+            this.cacheProvider = new InMemoryCacheProvider();
+        }
+        else {
+            this.cacheProvider = clientOptions.cacheProvider;
+        }
+    }
+    async withCache(cacheKey, fetcher) {
+        return this.cacheProvider.withCache(cacheKey, fetcher);
+    }
     /**
      * Checks if an account exists in the store.
      * @param accountId The ID of the account to check.
      * @returns True if the account exists, false otherwise.
      */
     async accountExists(accountId) {
-        const accounts = await this.storageClient.listAccountIds();
-        return accounts.includes(accountId);
+        const cacheKey = `accountExists:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const accounts = await this.storageClient.listAccountIds();
+            return accounts.includes(accountId);
+        });
     }
     /**
      * Get all account IDs in the store.
@@ -31,7 +63,10 @@ export class IamCollectClient {
      * @returns all account IDs in the store
      */
     async allAccounts() {
-        return this.storageClient.listAccountIds();
+        const cacheKey = `allAccounts`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.listAccountIds();
+        });
     }
     /**
      * Checks if a principal exists in the store.
@@ -39,9 +74,12 @@ export class IamCollectClient {
      * @returns True if the principal exists, false otherwise.
      */
     async principalExists(principalArn) {
-        const accountId = splitArnParts(principalArn).accountId;
-        const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
-        return !!principalData;
+        const cacheKey = `principalExists:${principalArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(principalArn).accountId;
+            const principalData = await this.storageClient.getResourceMetadata(accountId, principalArn, 'metadata');
+            return !!principalData;
+        });
     }
     /**
      * Gets the SCP Hierarchy for an account. The first element is the root, the last element is the account itself.
@@ -99,21 +137,24 @@ export class IamCollectClient {
      * @returns The OUs for the account.
      */
     async getOrgUnitHierarchyForAccount(accountId) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return [];
-        }
-        const ouIds = [];
-        let ouId = await this.getOrgUnitIdForAccount(accountId);
-        ouIds.push(ouId);
-        while (ouId) {
-            const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
-            if (parentOuId) {
-                ouIds.unshift(parentOuId);
+        const cacheKey = `orgUnitHierarchy:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return [];
             }
-            ouId = parentOuId;
-        }
-        return ouIds;
+            const ouIds = [];
+            let ouId = await this.getOrgUnitIdForAccount(accountId);
+            ouIds.push(ouId);
+            while (ouId) {
+                const parentOuId = await this.getParentOrgUnitIdForOrgUnit(orgId, ouId);
+                if (parentOuId) {
+                    ouIds.unshift(parentOuId);
+                }
+                ouId = parentOuId;
+            }
+            return ouIds;
+        });
     }
     /**
      * Gets the org unit ID for an account.
@@ -121,12 +162,15 @@ export class IamCollectClient {
      * @returns The org unit ID for the account, or undefined if not found.
      */
     async getOrgUnitIdForAccount(accountId) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return undefined;
-        }
-        const accounts = (await this.getAccountDataForOrg(orgId));
-        return accounts[accountId].ou;
+        const cacheKey = `orgUnitId:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return undefined;
+            }
+            const accounts = (await this.getAccountDataForOrg(orgId));
+            return accounts[accountId].ou;
+        });
     }
     /**
      * Gets the parent org unit ID for a given org unit.
@@ -135,9 +179,12 @@ export class IamCollectClient {
      * @returns The parent org unit ID, or undefined if not found.
      */
     async getParentOrgUnitIdForOrgUnit(orgId, ouId) {
-        const ouData = await this.getOrgUnitsDataForOrg(orgId);
-        const ou = ouData[ouId];
-        return ou.parent;
+        const cacheKey = `parentOrgUnit:${orgId}:${ouId}`;
+        return this.withCache(cacheKey, async () => {
+            const ouData = await this.getOrgUnitsDataForOrg(orgId);
+            const ou = ouData[ouId];
+            return ou.parent;
+        });
     }
     /**
      * Gets the SCPs for an account.
@@ -154,19 +201,22 @@ export class IamCollectClient {
      * @returns The org policies for the account.
      */
     async getOrgPoliciesForAccount(accountId, policyType) {
-        const orgId = await this.getOrgIdForAccount(accountId);
-        if (!orgId) {
-            return [];
-        }
-        const accounts = (await this.getAccountDataForOrg(orgId));
-        const orgInformation = accounts[accountId];
-        const policyArns = orgInformation[policyType];
-        const policies = [];
-        for (const policyArn of policyArns) {
-            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
-            policies.push(policyInfo);
-        }
-        return policies;
+        const cacheKey = `orgPoliciesForAccount:${accountId}:${policyType}`;
+        return this.withCache(cacheKey, async () => {
+            const orgId = await this.getOrgIdForAccount(accountId);
+            if (!orgId) {
+                return [];
+            }
+            const accounts = (await this.getAccountDataForOrg(orgId));
+            const orgInformation = accounts[accountId];
+            const policyArns = orgInformation[policyType];
+            const policies = [];
+            for (const policyArn of policyArns) {
+                const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+                policies.push(policyInfo);
+            }
+            return policies;
+        });
     }
     /**
      * Gets the account data for an organization.
@@ -174,7 +224,10 @@ export class IamCollectClient {
      * @returns The account data for the organization.
      */
     async getAccountDataForOrg(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+        const cacheKey = `accountDataForOrg:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'accounts');
+        });
     }
     /**
      * Gets the org units data for an organization.
@@ -182,7 +235,10 @@ export class IamCollectClient {
      * @returns The org units data for the organization.
      */
     async getOrgUnitsDataForOrg(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+        const cacheKey = `orgUnitsDataForOrg:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'ous');
+        });
     }
     /**
      * Gets a specific org policy.
@@ -192,17 +248,20 @@ export class IamCollectClient {
      * @returns The org policy.
      */
     async getOrgPolicy(orgId, policyType, policyArn) {
-        const policyId = policyArn.split('/').at(-1);
-        const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
-        const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
-        if (!policyDocument) {
-            console.error(`Policy document not found for ${policyArn} in org ${orgId}`);
-        }
-        return {
-            arn: policyData.arn,
-            name: policyData.name,
-            policy: policyDocument
-        };
+        const cacheKey = `orgPolicy:${orgId}:${policyType}:${policyArn}`;
+        return this.withCache(cacheKey, async () => {
+            const policyId = policyArn.split('/').at(-1);
+            const policyData = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'metadata');
+            const policyDocument = await this.storageClient.getOrganizationPolicyMetadata(orgId, policyType, policyId, 'policy');
+            if (!policyDocument) {
+                console.error(`Policy document not found for ${policyArn} in org ${orgId}`);
+            }
+            return {
+                arn: policyData.arn,
+                name: policyData.name,
+                policy: policyDocument
+            };
+        });
     }
     /**
      * Gets the RCPs for an account.
@@ -237,15 +296,18 @@ export class IamCollectClient {
      * @returns The org policies for the org unit.
      */
     async getOrgPoliciesForOrgUnit(orgId, orgUnitId, policyType) {
-        const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
-        const orgUnit = orgUnitInformation[orgUnitId];
-        const orgPolicies = orgUnit[policyType];
-        const policies = [];
-        for (const policyArn of orgPolicies) {
-            const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
-            policies.push(policyInfo);
-        }
-        return policies;
+        const cacheKey = `orgPoliciesForOrgUnit:${orgId}:${orgUnitId}:${policyType}`;
+        return this.withCache(cacheKey, async () => {
+            const orgUnitInformation = await this.getOrgUnitsDataForOrg(orgId);
+            const orgUnit = orgUnitInformation[orgUnitId];
+            const orgPolicies = orgUnit[policyType];
+            const policies = [];
+            for (const policyArn of orgPolicies) {
+                const policyInfo = await this.getOrgPolicy(orgId, policyType, policyArn);
+                policies.push(policyInfo);
+            }
+            return policies;
+        });
     }
     /**
      * Gets the RCPs for an org unit.
@@ -262,17 +324,23 @@ export class IamCollectClient {
      * @returns The org ID for the account, or undefined if not found.
      */
     async getOrgIdForAccount(accountId) {
-        const index = await this.storageClient.getIndex('accounts-to-orgs', {});
+        const index = await this.getIndex('accounts-to-orgs', {});
         const accountToOrgMap = index.data;
         return accountToOrgMap[accountId];
     }
+    async getIndex(indexName, defaultValue) {
+        const cacheKey = `index:${indexName}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getIndex(indexName, defaultValue);
+        });
+    }
     /**
      * Gets the account ID for a given S3 bucket name.
      * @param bucketName The name of the bucket.
      * @returns The account ID for the bucket, or undefined if not found.
      */
     async getAccountIdForBucket(bucketName) {
-        const index = await this.storageClient.getIndex('buckets-to-accounts', {});
+        const index = await this.getIndex('buckets-to-accounts', {});
         const bucketToAccountMap = index.data;
         return bucketToAccountMap[bucketName]?.accountId;
     }
@@ -282,7 +350,7 @@ export class IamCollectClient {
      * @returns The account ID for the API Gateway, or undefined if not found.
      */
     async getAccountIdForRestApi(apiArn) {
-        const index = await this.storageClient.getIndex('apigateways-to-accounts', {});
+        const index = await this.getIndex('apigateways-to-accounts', {});
         const bucketToAccountMap = index.data;
         return bucketToAccountMap[apiArn];
     }
@@ -304,16 +372,19 @@ export class IamCollectClient {
         });
     }
     async getManagedPolicy(accountId, policyArn) {
-        const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
-        const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'current-policy');
-        if (!policyDocument) {
-            console.error(`Policy document not found for ${policyArn} in account ${accountId}`);
-        }
-        return {
-            arn: policyMetadata.arn,
-            name: policyMetadata.name,
-            policy: policyDocument
-        };
+        const cacheKey = `managedPolicy:${accountId}:${policyArn}`;
+        return this.withCache(cacheKey, async () => {
+            const policyMetadata = await this.storageClient.getResourceMetadata(accountId, policyArn, 'metadata');
+            const policyDocument = await this.storageClient.getResourceMetadata(accountId, policyArn, 'current-policy');
+            if (!policyDocument) {
+                console.error(`Policy document not found for ${policyArn} in account ${accountId}`);
+            }
+            return {
+                arn: policyMetadata.arn,
+                name: policyMetadata.name,
+                policy: policyDocument
+            };
+        });
     }
     /**
      * Gets the inline policies attached to a user.
@@ -331,10 +402,19 @@ export class IamCollectClient {
             }));
         });
     }
+    /**
+     * Gets metadata for an IAM user.
+     *
+     * @param userArn the ARN of the user.
+     * @returns the metadata for the user, or undefined if not found.
+     */
     async getIamUserMetadata(userArn) {
-        const accountId = splitArnParts(userArn).accountId;
-        // The permissions boundary is stored as a policy ARN on the user resource metadata
-        return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+        const cacheKey = `iamUserMetadata:${userArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(userArn).accountId;
+            // The permissions boundary is stored as a policy ARN on the user resource metadata
+            return this.storageClient.getResourceMetadata(accountId, userArn, 'metadata');
+        });
     }
     /**
      * Gets the permissions boundary policy attached to a user, if any.
@@ -389,6 +469,12 @@ export class IamCollectClient {
             return results;
         });
     }
+    /**
+     * Get the inline policies attached to a group.
+     *
+     * @param groupArn the ARN of the group.
+     * @returns the inline policies for the group.
+     */
     async getInlinePoliciesForGroup(groupArn) {
         const cacheKey = `groupInlinePolicies:${groupArn}`;
         return this.withCache(cacheKey, async () => {
@@ -400,6 +486,11 @@ export class IamCollectClient {
             }));
         });
     }
+    /**
+     * Gets the managed policies attached to a role.
+     * @param roleArn the ARN of the role.
+     * @returns the managed policies attached to the role.
+     */
     async getManagedPoliciesForRole(roleArn) {
         const cacheKey = `managedPoliciesForRole:${roleArn}`;
         return this.withCache(cacheKey, async () => {
@@ -412,6 +503,12 @@ export class IamCollectClient {
             return results;
         });
     }
+    /**
+     * Get the inline policies attached to a role.
+     *
+     * @param roleArn the ARN of the role.
+     * @returns the inline policies for the role.
+     */
     async getInlinePoliciesForRole(roleArn) {
         const cacheKey = `inlinePoliciesForRole:${roleArn}`;
         return this.withCache(cacheKey, async () => {
@@ -423,6 +520,11 @@ export class IamCollectClient {
             }));
         });
     }
+    /**
+     * Get the permissions boundary policy attached to a role, if any.
+     * @param roleArn the ARN of the role.
+     * @returns the permissions boundary policy as a ManagedPolicy, or undefined if none is set.
+     */
     async getPermissionsBoundaryForRole(roleArn) {
         const cacheKey = `permissionBoundaryForRole:${roleArn}`;
         return this.withCache(cacheKey, async () => {
@@ -446,7 +548,10 @@ export class IamCollectClient {
      * @returns the metadata for the organization
      */
     async getOrganizationMetadata(organizationId) {
-        return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+        const cacheKey = `organizationMetadata:${organizationId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(organizationId, 'metadata');
+        });
     }
     /**
      * Gets the resource policy for a given resource ARN and account.
@@ -456,13 +561,16 @@ export class IamCollectClient {
      * @returns The resource policy, or undefined if not found.
      */
     async getResourcePolicyForArn(resourceArn, accountId) {
-        const arnParts = splitArnParts(resourceArn);
-        let metadataKey = 'policy';
-        if (arnParts.service === 'iam' && arnParts.resourceType === 'role') {
-            metadataKey = 'trust-policy';
-        }
-        const resourcePolicy = await this.storageClient.getResourceMetadata(accountId, resourceArn, metadataKey);
-        return resourcePolicy;
+        const cacheKey = `resourcePolicy:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const arnParts = splitArnParts(resourceArn);
+            let metadataKey = 'policy';
+            if (arnParts.service === 'iam' && arnParts.resourceType === 'role') {
+                metadataKey = 'trust-policy';
+            }
+            const resourcePolicy = await this.storageClient.getResourceMetadata(accountId, resourceArn, metadataKey);
+            return resourcePolicy;
+        });
     }
     /**
      * Gets the RAM share policy for a given resource ARN and account.
@@ -472,8 +580,11 @@ export class IamCollectClient {
      * @returns The RAM share policy, or undefined if not found.
      */
     async getRamSharePolicyForArn(resourceArn, accountId) {
-        const armSharePolicy = await this.storageClient.getRamResource(accountId, resourceArn);
-        return armSharePolicy?.policy;
+        const cacheKey = `ramSharePolicy:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const armSharePolicy = await this.storageClient.getRamResource(accountId, resourceArn);
+            return armSharePolicy?.policy;
+        });
     }
     /**
      * Gets the tags for a given resource ARN and account.
@@ -483,8 +594,11 @@ export class IamCollectClient {
      * @returns The tags as a record, or undefined if not found.
      */
     async getTagsForResource(resourceArn, accountId) {
-        const tags = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'tags');
-        return tags || {};
+        const cacheKey = `tagsForResource:${accountId}:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const tags = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'tags');
+            return tags || {};
+        });
     }
     /**
      * Gets a unique ID for an IAM resource based on its ARN and account ID.
@@ -495,9 +609,12 @@ export class IamCollectClient {
      * @returns a unique ID for the resource, or undefined if not found
      */
     async getUniqueIdForIamResource(resourceArn) {
-        const accountId = splitArnParts(resourceArn).accountId;
-        const resourceMetadata = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'metadata');
-        return resourceMetadata?.id;
+        const cacheKey = `uniqueIdForIamResource:${resourceArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(resourceArn).accountId;
+            const resourceMetadata = await this.storageClient.getResourceMetadata(accountId, resourceArn, 'metadata');
+            return resourceMetadata?.id;
+        });
     }
     /**
      * Get the account IDs for an organization.
@@ -520,52 +637,74 @@ export class IamCollectClient {
      * @returns returns the organization structure or undefined if not found
      */
     async getOrganizationStructure(orgId) {
-        return this.storageClient.getOrganizationMetadata(orgId, 'structure');
+        const cacheKey = `organizationStructure:${orgId}`;
+        return this.withCache(cacheKey, async () => {
+            return this.storageClient.getOrganizationMetadata(orgId, 'structure');
+        });
     }
+    /**
+     * Get the accounts for a given organization path.
+     *
+     * @param orgId the ID of the organization
+     * @param ouIds the ids of the organizational units in the path
+     * @returns a tuple containing a boolean indicating success and an array of account IDs
+     */
     async getAccountsForOrgPath(orgId, ouIds) {
-        const orgUnits = await this.getOrganizationStructure(orgId);
-        if (!orgUnits || ouIds.length === 0) {
-            return [false, []];
-        }
-        const rootOu = orgUnits[ouIds[0]];
-        // Now look through the structure to find the OU
-        let currentStructure = rootOu;
-        for (const ou of ouIds.slice(1)) {
-            currentStructure = currentStructure.children?.[ou];
-            if (!currentStructure) {
-                return [false, []]; // OU not found in the structure
+        const cacheKey = `accountsForOrgPath:${orgId}:${ouIds.join('/')}`;
+        return this.withCache(cacheKey, async () => {
+            const orgUnits = await this.getOrganizationStructure(orgId);
+            if (!orgUnits || ouIds.length === 0) {
+                return [false, []];
             }
-        }
-        const getAccountId = (a) => a.split('/').at(-1);
-        const accounts = [];
-        if (currentStructure.accounts) {
-            accounts.push(...currentStructure.accounts?.map(getAccountId));
-        }
-        const children = Object.values(currentStructure.children || {});
-        // Traverse the children to collect all accounts
-        while (children.length > 0) {
-            const child = children.shift();
-            if (child?.accounts) {
-                accounts.push(...child.accounts.map(getAccountId));
+            const rootOu = orgUnits[ouIds[0]];
+            // Now look through the structure to find the OU
+            let currentStructure = rootOu;
+            for (const ou of ouIds.slice(1)) {
+                currentStructure = currentStructure.children?.[ou];
+                if (!currentStructure) {
+                    return [false, []]; // OU not found in the structure
+                }
             }
-            if (child?.children) {
-                children.push(...Object.values(child.children));
+            const getAccountId = (a) => a.split('/').at(-1);
+            const accounts = [];
+            if (currentStructure.accounts) {
+                accounts.push(...currentStructure.accounts?.map(getAccountId));
             }
-        }
-        return [true, accounts];
+            const children = Object.values(currentStructure.children || {});
+            // Traverse the children to collect all accounts
+            while (children.length > 0) {
+                const child = children.shift();
+                if (child?.accounts) {
+                    accounts.push(...child.accounts.map(getAccountId));
+                }
+                if (child?.children) {
+                    children.push(...Object.values(child.children));
+                }
+            }
+            return [true, accounts];
+        });
     }
+    /**
+     * Get all the principals (users and roles) in a given account.
+     *
+     * @param accountId the ID of the account
+     * @returns a list of all principal ARNs in the account
+     */
     async getAllPrincipalsInAccount(accountId) {
-        const iamUsers = await this.storageClient.findResourceMetadata(accountId, {
-            service: 'iam',
-            resourceType: 'user',
-            account: accountId
-        });
-        const iamRoles = await this.storageClient.findResourceMetadata(accountId, {
-            service: 'iam',
-            resourceType: 'role',
-            account: accountId
+        const cacheKey = `allPrincipalsInAccount:${accountId}`;
+        return this.withCache(cacheKey, async () => {
+            const iamUsers = await this.storageClient.findResourceMetadata(accountId, {
+                service: 'iam',
+                resourceType: 'user',
+                account: accountId
+            });
+            const iamRoles = await this.storageClient.findResourceMetadata(accountId, {
+                service: 'iam',
+                resourceType: 'role',
+                account: accountId
+            });
+            return [...iamUsers.map((user) => user.arn), ...iamRoles.map((role) => role.arn)];
         });
-        return [...iamUsers.map((user) => user.arn), ...iamRoles.map((role) => role.arn)];
     }
     /**
      * Get the VPC endpoint policy for a given VPC endpoint ARN.
@@ -574,9 +713,12 @@ export class IamCollectClient {
      * @returns the VPC endpoint policy, or undefined if not found
      */
     async getVpcEndpointPolicyForArn(vpcEndpointArn) {
-        const accountId = splitArnParts(vpcEndpointArn).accountId;
-        const vpcEndpointPolicy = await this.storageClient.getResourceMetadata(accountId, vpcEndpointArn, 'endpoint-policy');
-        return vpcEndpointPolicy;
+        const cacheKey = `vpcEndpointPolicy:${vpcEndpointArn}`;
+        return this.withCache(cacheKey, async () => {
+            const accountId = splitArnParts(vpcEndpointArn).accountId;
+            const vpcEndpointPolicy = await this.storageClient.getResourceMetadata(accountId, vpcEndpointArn, 'endpoint-policy');
+            return vpcEndpointPolicy;
+        });
     }
     /**
      * Get the ARN of a VPC endpoint given its ID.
@@ -584,7 +726,7 @@ export class IamCollectClient {
      * @returns the ARN of the VPC endpoint, or undefined if not found
      */
     async getVpcEndpointArnForVpcEndpointId(vpcEndpointId) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });
@@ -598,7 +740,7 @@ export class IamCollectClient {
      * @returns the VPC endpoint ID, or undefined if not found
      */
     async getVpcEndpointIdForVpcService(vpcId, service) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });
@@ -616,7 +758,7 @@ export class IamCollectClient {
      * @returns the VPC ID, or undefined if not found
      */
     async getVpcIdForVpcEndpointId(vpcEndpointId) {
-        const index = await this.storageClient.getIndex('vpcs', {
+        const index = await this.getIndex('vpcs', {
             endpoints: {},
             vpcs: {}
         });