IAM client get_group results differ from AWS #6320

Closed
sukekyo26 opened this issue May 12, 2023 · 6 comments · Fixed by #6328

sukekyo26 commented May 12, 2023

Hello.
I am using moto to mock aws.
When I use the get_group method of iam's client in moto, the response is different from the aws response.
In the get_group method response, the user in response['Users'] has a CreateDate item, but moto does not return this item.
The reason is that CreateDate is not defined under Users in GET_GROUP_TEMPLATE in /moto/moto/iam/responses.py.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam/client/get_group.html

moto==4.1.9
boto3==1.26.133
botocore==1.29.133

@rafcio19
Contributor

@bblommers I can take a look at this

@bblommers
Collaborator

Thanks for raising this @sukekyo26, and welcome to Moto! Marking it as an enhancement to add this attribute.

@sukekyo26
Author

Thanks!
I wasn't aware of it when I raised the issue, but the PasswordLastUsed item is not returned either.
I would appreciate it if you could add it.

@rafcio19
Contributor

@sukekyo26 right now the logic which dictates the value of PasswordLastUsed does not exist.

2 solutions come to mind:

  1. return a static value, something like CreateDate + 1min
  2. add functionality that would trigger an update to the PasswordLastUsed field, say when update_login_profile is run

This is because right now, afaik, we can't really tell when the fake IAM user has used its fake password.

@bblommers @bpandola what do you think?

@bblommers
Collaborator

Hmm.. There is a legitimate use-case where a user might have never logged in (i.e., never accessed the AWS console), so PasswordLastUsed can be None. So I'm not sure whether Moto should ever set it automagically.

@sukekyo26 Are you using the decorators? You can use the internal API to set the value. Similar to how this user did it:
#5927 (comment)

Moto does still need to return the value in get_group of course, but if you're able to use the internal API, that would give you full control over the exact value.

@sukekyo26
Author

@rafcio19 @bblommers
Thanks for the reply.
Sorry I'm not very good at communicating.
I'm not asking that moto set up a PasswordLastUsed field and return it in the response.
I am saying that currently the user in response['Users'] returned by moto's get_group method doesn't have a PasswordLastUsed field and cannot be referenced. This is because there is no PasswordLastUsed item under Users in GET_GROUP_TEMPLATE in /moto/moto/iam/responses.py.
Of course, PasswordLastUsed is not an item that all users have, so we can control it with a conditional expression like USER_TEMPLATE.

I want to test my_method using the get_group(GroupName="TestGroup") method and referencing the CreateDate and PasswordLastUsed items.
To do this, I create an IAM user and set the PasswordLastUsed item using moto.backends as shown in the code below, same as #5927 (comment).
But the response to moto's get_group does not include PasswordLastUsed and I want it to return any user that has this item.

```python
import datetime
import boto3

from moto import mock_iam
from moto.backends import get_backend
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID

import utils

@mock_iam
def test_user():
    client = boto3.client("iam")
    client.create_group(GroupName="TestGroup")
    client.create_user(UserName='TestUser')
    client.add_user_to_group(
        GroupName="TestGroup",
        UserName="TestUser"
    )
    # set PasswordLastUsed through Moto's internal backend
    iam_backend = get_backend("iam")[ACCOUNT_ID]["global"]
    iam_backend.users["TestUser"].password_last_used = datetime.datetime.utcnow()

    # Methods I would like to test. The content uses the get_group(GroupName="TestGroup") method and references the CreateDate and PasswordLastUsed items.
    utils.my_method("TestGroup")
```
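Added example, not part of the thread or of Moto's code: a sketch of the kind of helper the last comment wants to test (`utils.my_method` itself is not shown in the issue), reading `CreateDate` and the optional `PasswordLastUsed` from each `get_group` user. `classify_group_users`, `StubIam`, the 90-day threshold and the sample pages are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def iter_group_users(client, group_name):
    """Yield every user from get_group, following Marker pagination."""
    kwargs = {"GroupName": group_name}
    while True:
        page = client.get_group(**kwargs)
        yield from page.get("Users", [])
        if not page.get("IsTruncated"):
            return
        kwargs["Marker"] = page["Marker"]

def classify_group_users(client, group_name, now, max_idle=timedelta(days=90)):
    """Bucket users by console-password activity as (UserName, idle_days)."""
    report = {"never_used": [], "stale": [], "active": []}
    for user in iter_group_users(client, group_name):
        last_used = user.get("PasswordLastUsed")  # key absent if never used
        # With no sign-in recorded, measure idle time from account creation.
        idle = now - (last_used or user["CreateDate"])
        if last_used is None:
            bucket = "never_used"
        elif idle > max_idle:
            bucket = "stale"
        else:
            bucket = "active"
        report[bucket].append((user["UserName"], idle.days))
    return report

class StubIam:
    """Constructed stand-in for an IAM client that serves canned pages."""
    def __init__(self, pages):
        self._pages = pages

    def get_group(self, GroupName, Marker=None):
        return self._pages[Marker]

# Constructed sample data: two pages of a get_group response.
NOW = datetime(2023, 5, 12, tzinfo=timezone.utc)
PAGES = {
    None: {"IsTruncated": True, "Marker": "page2", "Users": [
        {"UserName": "alice", "CreateDate": NOW - timedelta(days=400),
         "PasswordLastUsed": NOW - timedelta(days=200)},
        {"UserName": "bob", "CreateDate": NOW - timedelta(days=30)}]},
    "page2": {"IsTruncated": False, "Users": [
        {"UserName": "carol", "CreateDate": NOW - timedelta(days=100),
         "PasswordLastUsed": NOW - timedelta(days=1)}]},
}

if __name__ == "__main__":
    print(classify_group_users(StubIam(PAGES), "TestGroup", NOW))
```

If a response omits `PasswordLastUsed` for every user, which is the behaviour this issue reports for the mock, every user falls into `never_used`, so a test built on that response cannot exercise the `stale` branch.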
