Testing Boto3- need to test inactivation of users over 70 days

Question

How can I test my script which deactivates aws users if their last login or access key was last used over 70 days ago. Moto which is mock boto3 does not have the ability to manipulated the "Password_last_used_" field and in aws sandbox the same is true. How could one go about to devise a valid unit test strategy? Any help is appreciated.

One approach- Currently I am trying to refactor my code so that functions are separated. For example I refactored to create a function called calculate_last_login with the parameter lastLogin . this means I can pass any number to it and see if it calculates the correct number of days since the last login date.

Answer 1

It is possible to manipulate the password_last_used field in Moto - it just requires you to use the internal API.

import boto3
from datetime import datetime, timedelta
from moto import mock_iam
from moto.backends import get_backend
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID


@mock_iam
def test_password_last_used():
    iam_client = boto3.client("iam")
    current_time = datetime.utcnow()
    password_last_used_date = current_time - timedelta(days=100)

    username = "test.user"
    iam_client.create_user(Path='/staff/', UserName=username)

    # Change Moto's internal state
    iam_backend = get_backend("iam")[ACCOUNT_ID]["global"]
    iam_backend.users[username].password_last_used = password_last_used_date

Followup calls to (for example) boto3.resource("iam").User will then return the value that you've set for password_last_used.

See this Github issue here where this question was raised as well: https://github.com/getmoto/moto/issues/5927