From e719a5af664e1815d2e55e7f35d61522d54963d5 Mon Sep 17 00:00:00 2001 From: vjeffrey Date: Fri, 23 Aug 2024 22:02:28 -0600 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B9=20improve=20the=20sagemaker=20note?= =?UTF-8?q?book=20instance=20&=20iam=20mfadevice=20resource=20(#4587)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- providers/aws/resources/aws.lr | 2 +- providers/aws/resources/aws.lr.go | 18 +++++++++-- providers/aws/resources/aws_iam.go | 40 ++++++++++++++---------- providers/aws/resources/aws_sagemaker.go | 29 +++++++++-------- 4 files changed, 56 insertions(+), 33 deletions(-) diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr index d04fd999e9..bce64ee084 100644 --- a/providers/aws/resources/aws.lr +++ b/providers/aws/resources/aws.lr @@ -891,7 +891,7 @@ private aws.iam.virtualmfadevice @defaults("serialNumber") { // Time when the MFA device was enabled enableDate time // User associated with the MFA device - user aws.iam.user + user() aws.iam.user } // AWS IAM Access Analyzer resource (for assessing the configuration of AWS IAM Access Analyzer) diff --git a/providers/aws/resources/aws.lr.go b/providers/aws/resources/aws.lr.go index 576b502a4d..9292a41833 100644 --- a/providers/aws/resources/aws.lr.go +++ b/providers/aws/resources/aws.lr.go @@ -15721,7 +15721,7 @@ func (c *mqlAwsIamGroup) GetUsernames() *plugin.TValue[[]interface{}] { type mqlAwsIamVirtualmfadevice struct { MqlRuntime *plugin.Runtime __id string - // optional: if you define mqlAwsIamVirtualmfadeviceInternal it will be used here + mqlAwsIamVirtualmfadeviceInternal SerialNumber plugin.TValue[string] EnableDate plugin.TValue[*time.Time] User plugin.TValue[*mqlAwsIamUser] 
@@ -15773,7 +15773,19 @@ func (c *mqlAwsIamVirtualmfadevice) GetEnableDate() *plugin.TValue[*time.Time] { } func (c *mqlAwsIamVirtualmfadevice) GetUser() *plugin.TValue[*mqlAwsIamUser] { - return &c.User + return plugin.GetOrCompute[*mqlAwsIamUser](&c.User, func() (*mqlAwsIamUser, error) { + if c.MqlRuntime.HasRecording { + d, err := c.MqlRuntime.FieldResourceFromRecording("aws.iam.virtualmfadevice", c.__id, "user") + if err != nil { + return nil, err + } + if d != nil { + return d.Value.(*mqlAwsIamUser), nil + } + } + + return c.user() + }) } // mqlAwsIamAccessAnalyzer for the aws.iam.accessAnalyzer resource @@ -16200,7 +16212,7 @@ func (c *mqlAwsSagemakerNotebookinstance) GetTags() *plugin.TValue[map[string]in type mqlAwsSagemakerNotebookinstanceDetails struct { MqlRuntime *plugin.Runtime __id string - // optional: if you define mqlAwsSagemakerNotebookinstanceDetailsInternal it will be used here + mqlAwsSagemakerNotebookinstanceDetailsInternal Arn plugin.TValue[string] KmsKey plugin.TValue[*mqlAwsKmsKey] DirectInternetAccess plugin.TValue[string] diff --git a/providers/aws/resources/aws_iam.go b/providers/aws/resources/aws_iam.go index 664e95d57c..044545866c 100644 --- a/providers/aws/resources/aws_iam.go +++ b/providers/aws/resources/aws_iam.go 
@@ -303,38 +303,46 @@ func (a *mqlAwsIam) virtualMfaDevices() ([]interface{}, error) { for i := range devicesResp.VirtualMFADevices { device := devicesResp.VirtualMFADevices[i] - var mqlAwsIamUser plugin.Resource args := map[string]*llx.RawData{ "serialNumber": llx.StringDataPtr(device.SerialNumber), "enableDate": llx.TimeDataPtr(device.EnableDate), } - usr := device.User - if usr != nil { - mqlAwsIamUser, err = NewResource(a.MqlRuntime, "aws.iam.user", map[string]*llx.RawData{ - "arn": llx.StringDataPtr(usr.Arn), - "name": llx.StringDataPtr(usr.UserName), - }) - if err == nil { - args["user"] = llx.ResourceData(mqlAwsIamUser, "aws.iam.user") - } - } - - if usr == nil || err != nil { - args["user"] = llx.NilData - } - mqlAwsIamMfaDevice, err := CreateResource(a.MqlRuntime, "aws.iam.virtualmfadevice", args) if err != nil { return nil, err } res = append(res, mqlAwsIamMfaDevice) + if device.User != nil { + mqlAwsIamMfaDevice.(*mqlAwsIamVirtualmfadevice).cacheUserArn = device.User.Arn + mqlAwsIamMfaDevice.(*mqlAwsIamVirtualmfadevice).cacheUserName = device.User.UserName + } } return res, nil } +func (a *mqlAwsIamVirtualmfadevice) user() (*mqlAwsIamUser, error) { + if a.cacheUserArn != nil && a.cacheUserName != nil { + awsIamUser, err := NewResource(a.MqlRuntime, "aws.iam.user", map[string]*llx.RawData{ + "arn": llx.StringDataPtr(a.cacheUserArn), + "name": llx.StringDataPtr(a.cacheUserName), + }) + if err != nil { + return nil, err + } + return awsIamUser.(*mqlAwsIamUser), nil + } + a.User.State = plugin.StateIsNull | plugin.StateIsSet + return nil, nil +} + +type mqlAwsIamVirtualmfadeviceInternal struct { + cacheUserName *string + cacheUserArn *string +} + func (a *mqlAwsIam) mqlPolicies(policies []iamtypes.Policy) ([]interface{}, error) { res := []interface{}{} for i := range policies { diff --git a/providers/aws/resources/aws_sagemaker.go b/providers/aws/resources/aws_sagemaker.go index 4d58c291c8..a4b0aa9d7f 100644 --- a/providers/aws/resources/aws_sagemaker.go 
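Review bot: `user()` only builds the `aws.iam.user` resource when both `cacheUserArn` and `cacheUserName` are non-nil, so a device whose `User` carries an ARN but no user name is now reported with a null user, whereas the removed code created the resource whenever `device.User != nil`. If the API can return such a user (the account root user may be one case, worth confirming), an assigned MFA device would look unassigned to any policy that inspects `user`. Gating on the ARN alone, `if a.cacheUserArn != nil {`, keeps the earlier behaviour. In `virtualMfaDevices`, whose body starts outside this hunk, the two unchecked `.(*mqlAwsIamVirtualmfadevice)` assertions could be one checked assertion into a local before both cache fields are set.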
+++ b/providers/aws/resources/aws_sagemaker.go @@ -238,27 +238,30 @@ func (a *mqlAwsSagemakerNotebookinstance) details() (*mqlAwsSagemakerNotebookins "directInternetAccess": llx.StringData(string(instanceDetails.DirectInternetAccess)), } - if instanceDetails.KmsKeyId != nil && *instanceDetails.KmsKeyId != "" { - mqlKeyResource, err := NewResource(a.MqlRuntime, "aws.kms.key", - map[string]*llx.RawData{"arn": llx.StringData(convert.ToString(instanceDetails.KmsKeyId))}, - ) - if err != nil { - log.Error().Err(err).Msg("cannot create kms key resource") - } else { - args["kmsKey"] = llx.ResourceData(mqlKeyResource, mqlKeyResource.MqlName()) - } - } else { - args["kmsKey"] = llx.NilData - } mqlInstanceDetails, err := CreateResource(a.MqlRuntime, "aws.sagemaker.notebookinstance.details", args) if err != nil { return nil, err } + mqlInstanceDetails.(*mqlAwsSagemakerNotebookinstanceDetails).cacheKmsKey = instanceDetails.KmsKeyId return mqlInstanceDetails.(*mqlAwsSagemakerNotebookinstanceDetails), nil } +type mqlAwsSagemakerNotebookinstanceDetailsInternal struct { + cacheKmsKey *string +} + func (a *mqlAwsSagemakerNotebookinstanceDetails) kmsKey() (*mqlAwsKmsKey, error) { - return &mqlAwsKmsKey{}, nil + if a.cacheKmsKey != nil && *a.cacheKmsKey != "" { + mqlKeyResource, err := NewResource(a.MqlRuntime, "aws.kms.key", + map[string]*llx.RawData{"arn": llx.StringData(convert.ToString(a.cacheKmsKey))}, + ) + if err != nil { + return nil, err + } + return mqlKeyResource.(*mqlAwsKmsKey), nil + } + a.KmsKey.State = plugin.StateIsNull | plugin.StateIsSet + return nil, nil } func (a *mqlAwsSagemakerEndpoint) id() (string, error) {
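Review bot: `kmsKey()` passes `cacheKmsKey` to `NewResource` as `"arn"` without checking that it is an ARN, although the value comes from a field named `KmsKeyId`. If the API returns a bare key id here (not confirmed from this hunk), the lookup may fail, and because the error is now returned rather than logged, the `kmsKey` field would fail for that notebook instance. Consider checking that the value parses as an ARN before using it as one, and otherwise returning an error that names the unexpected value. The line `a.KmsKey.State = plugin.StateIsNull | plugin.StateIsSet` would also benefit from a comment such as `// no key configured: mark the field as resolved and null`; the same applies to the matching line in `user()` in aws_iam.go.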