cloudquery
diff --git a/‎plugins/source/aws/client/mocks/mock_iam.go‎
Lines changed: 20 additions & 0 deletions b/‎plugins/source/aws/client/mocks/mock_iam.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎plugins/source/aws/client/services.go‎
Lines changed: 1 addition & 1 deletion b/‎plugins/source/aws/client/services.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎plugins/source/aws/codegen/recipes/iam.go‎
Lines changed: 23 additions & 4 deletions b/‎plugins/source/aws/codegen/recipes/iam.go‎
Lines changed: 23 additions & 4 deletions
diff --git a/‎plugins/source/aws/resources/plugin/tables.go‎
Lines changed: 1 addition & 0 deletions b/‎plugins/source/aws/resources/plugin/tables.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎plugins/source/aws/resources/services/iam/credential_reports.go‎
Lines changed: 131 additions & 0 deletions b/‎plugins/source/aws/resources/services/iam/credential_reports.go‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎plugins/source/aws/resources/services/iam/credential_reports_fetch.go‎
Lines changed: 85 additions & 0 deletions b/‎plugins/source/aws/resources/services/iam/credential_reports_fetch.go‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎plugins/source/aws/resources/services/iam/credential_reports_mock_test.go‎
Lines changed: 48 additions & 0 deletions b/‎plugins/source/aws/resources/services/iam/credential_reports_mock_test.go‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎plugins/source/aws/resources/services/iam/user_policies_fetch.go‎
Lines changed: 2 additions & 4 deletions b/‎plugins/source/aws/resources/services/iam/user_policies_fetch.go‎
Lines changed: 2 additions & 4 deletions
@@ -510,8 +510,8 @@ type IamClient interface {
 	ListRoles(ctx context.Context, params *iam.ListRolesInput, optFns ...func(*iam.Options)) (*iam.ListRolesOutput, error)
 	ListSAMLProviders(ctx context.Context, params *iam.ListSAMLProvidersInput, optFns ...func(*iam.Options)) (*iam.ListSAMLProvidersOutput, error)
 	ListUserPolicies(ctx context.Context, params *iam.ListUserPoliciesInput, optFns ...func(*iam.Options)) (*iam.ListUserPoliciesOutput, error)
+	ListUsers(context.Context, *iam.ListUsersInput, ...func(*iam.Options)) (*iam.ListUsersOutput, error)
 	ListVirtualMFADevices(ctx context.Context, params *iam.ListVirtualMFADevicesInput, optFns ...func(*iam.Options)) (*iam.ListVirtualMFADevicesOutput, error)
-
 	iam.ListServerCertificatesAPIClient
 	iam.ListAccountAliasesAPIClient
 	GetAccountSummary(ctx context.Context, params *iam.GetAccountSummaryInput, optFns ...func(*iam.Options)) (*iam.GetAccountSummaryOutput, error)
 
@@ -26,6 +26,26 @@ func IAMResources() []*Resource {
 				},
 			},
 		},
+		{
+			SubService: "credential_reports",
+			Struct:     &iamService.CredentialReportEntry{},
+			SkipFields: []string{"Arn", "UserCreationTime"},
+			ExtraColumns: []codegen.ColumnDefinition{
+				{
+					Name:     "arn",
+					Type:     schema.TypeString,
+					Resolver: `schema.PathResolver("Arn")`,
+					Options:  schema.ColumnCreationOptions{PrimaryKey: true},
+				},
+				{
+					Name:     "user_creation_time",
+					Type:     schema.TypeTimestamp,
+					Resolver: `schema.PathResolver("UserCreationTime")`,
+					Options:  schema.ColumnCreationOptions{PrimaryKey: true},
+				},
+			},
+			Relations: []string{},
+		},
 		{
 			SubService: "groups",
 			Struct:     &types.Group{},
@@ -226,10 +246,9 @@ func IAMResources() []*Resource {
 			},
 		},
 		{
-			SubService:           "users",
-			Struct:               &iamService.UserWrapper{},
-			SkipFields:           []string{"Arn", "AccountId", "Id", "Tags"},
-			PostResourceResolver: `postIamUserResolver`,
+			SubService: "users",
+			Struct:     &types.User{},
+			SkipFields: []string{"Arn", "AccountId", "Id", "Tags"},
 			ExtraColumns: []codegen.ColumnDefinition{
 				{
 					Name:     "arn",
 
@@ -195,6 +195,7 @@ func tables() []*schema.Table {
 		glue.Workflows(),
 		guardduty.Detectors(),
 		iam.Accounts(),
+		iam.CredentialReports(),
 		iam.Groups(),
 		iam.OpenidConnectIdentityProviders(),
 		iam.PasswordPolicies(),
 
@@ -0,0 +1,85 @@
+package iam
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/aws/smithy-go"
+	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
+	"github.com/cloudquery/plugin-sdk/schema"
+	"github.com/gocarina/gocsv"
+)
+
+type CredentialReportEntry struct {
+	User                      string    `csv:"user"`
+	Arn                       string    `csv:"arn"`
+	UserCreationTime          time.Time `csv:"user_creation_time"`
+	PasswordStatus            string    `csv:"password_enabled"`
+	PasswordLastChanged       string    `csv:"password_last_changed"`
+	PasswordNextRotation      string    `csv:"password_next_rotation"`
+	MfaActive                 bool      `csv:"mfa_active"`
+	AccessKey1Active          bool      `csv:"access_key_1_active"`
+	AccessKey2Active          bool      `csv:"access_key_2_active"`
+	AccessKey1LastRotated     string    `csv:"access_key_1_last_rotated"`
+	AccessKey2LastRotated     string    `csv:"access_key_2_last_rotated"`
+	Cert1Active               bool      `csv:"cert_1_active"`
+	Cert2Active               bool      `csv:"cert_2_active"`
+	Cert1LastRotated          string    `csv:"cert_1_last_rotated"`
+	Cert2LastRotated          string    `csv:"cert_2_last_rotated"`
+	AccessKey1LastUsedDate    time.Time `csv:"access_key_1_last_used_date"`
+	AccessKey1LastUsedRegion  string    `csv:"access_key_1_last_used_region"`
+	AccessKey1LastUsedService string    `csv:"access_key_1_last_used_service"`
+	AccessKey2LastUsedDate    time.Time `csv:"access_key_2_last_used_date"`
+	AccessKey2LastUsedRegion  string    `csv:"access_key_2_last_used_region"`
+	AccessKey2LastUsedService string    `csv:"access_key_2_last_used_service"`
+	PasswordLastUsed          string    `csv:"password_last_used"`
+}
+
+func fetchIamCredentialReports(ctx context.Context, meta schema.ClientMeta, _ *schema.Resource, res chan<- interface{}) error {
+	var err error
+	var apiErr smithy.APIError
+	var reportOutput *iam.GetCredentialReportOutput
+	svc := meta.(*client.Client).Services().IAM
+	for {
+		reportOutput, err = svc.GetCredentialReport(ctx, &iam.GetCredentialReportInput{})
+		if err == nil && reportOutput != nil {
+			var users []*CredentialReportEntry
+			err = gocsv.UnmarshalBytes(reportOutput.Content, &users)
+			if err != nil {
+				return err
+			}
+			res <- users
+		}
+		if !errors.As(err, &apiErr) {
+			return err
+		}
+		switch apiErr.ErrorCode() {
+		case "ReportNotPresent", "ReportExpired":
+			_, err := svc.GenerateCredentialReport(ctx, &iam.GenerateCredentialReportInput{})
+			if err != nil {
+				var serviceError smithy.APIError
+				if !errors.As(err, &serviceError) {
+					return err
+				}
+				// LimitExceeded is the only specific error that should not stop processing
+				// If Limit Exceeded is returned we should try and see if there is a credential report
+				// already generated so we want to sleep for 5 seconds then continue
+				if serviceError.ErrorCode() != "LimitExceeded" {
+					return err
+				}
+				if err := client.Sleep(ctx, 5*time.Second); err != nil {
+					return err
+				}
+			}
+		case "ReportInProgress":
+			meta.Logger().Debug().Msg("Waiting for credential report to be generated")
+			if err := client.Sleep(ctx, 5*time.Second); err != nil {
+				return err
+			}
+		default:
+			return err
+		}
+	}
+}
@@ -0,0 +1,48 @@
+package iam
+
+import (
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
+	"github.com/cloudquery/cloudquery/plugins/source/aws/client/mocks"
+	"github.com/cloudquery/faker/v3"
+	"github.com/gocarina/gocsv"
+	"github.com/golang/mock/gomock"
+)
+
+func buildCredentialReportUsers(t *testing.T, ctrl *gomock.Controller) client.Services {
+	m := mocks.NewMockIamClient(ctrl)
+
+	ru := CredentialReportEntry{}
+	err := faker.FakeData(&ru)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ru.Arn = "arn123"
+	ru.PasswordStatus = "true"
+	ru.PasswordNextRotation = time.Now().Format(time.RFC3339)
+	ru.PasswordLastChanged = time.Now().Format(time.RFC3339)
+	ru.AccessKey1LastRotated = time.Now().Format(time.RFC3339)
+	ru.AccessKey2LastRotated = time.Now().Format(time.RFC3339)
+	ru.Cert1LastRotated = time.Now().Format(time.RFC3339)
+	ru.Cert2LastRotated = time.Now().Format(time.RFC3339)
+	content, err := gocsv.MarshalBytes([]CredentialReportEntry{ru})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	m.EXPECT().GetCredentialReport(gomock.Any(), gomock.Any()).Return(
+		&iam.GetCredentialReportOutput{
+			Content: content,
+		}, nil)
+
+	return client.Services{
+		IAM: m,
+	}
+}
+
+func TestCredentialReports(t *testing.T) {
+	client.AwsMockTestHelper(t, CredentialReports(), buildCredentialReportUsers, client.TestOptions{})
+}
@@ -7,17 +7,15 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/aws/aws-sdk-go-v2/service/iam/types"
 	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
 	"github.com/cloudquery/plugin-sdk/schema"
 )
 
 func fetchIamUserPolicies(ctx context.Context, meta schema.ClientMeta, parent *schema.Resource, res chan<- interface{}) error {
 	c := meta.(*client.Client)
 	svc := c.Services().IAM
-	user := parent.Item.(UserWrapper)
-	if aws.ToString(user.UserName) == rootName {
-		return nil
-	}
+	user := parent.Item.(*types.User)
 	config := iam.ListUserPoliciesInput{UserName: user.UserName}
 	for {
 		output, err := svc.ListUserPolicies(ctx, &config)