Cloud Discovery Pro+
Cloud Discovery scans your AWS and Azure accounts to find all deployed resources, identify orphaned infrastructure not managed by Terraform, and provide cost and security insights.
Overview
Most organizations have resources deployed outside of Terraform — manually created, from scripts, or legacy infrastructure. Cloud Discovery finds these resources and helps you bring them under IaC management or clean them up.
How It Works
- Scan — Controlinfra uses your cloud credentials to enumerate resources across services and regions
- Classify — Each resource is classified as Managed (in Terraform state), Orphan (not in any state), or Ignored
- Analyze — AI insights highlight cost optimization, security risks, and cleanup opportunities
- Act — Generate Terraform code for orphaned resources or mark them as ignored
Supported Resource Types
Cloud Discovery supports 37 AWS resource types and 100+ Azure resource types across these services:
| Service | Resource Types |
|---|---|
| EC2 | Instances, Security Groups, Volumes (EBS), Elastic IPs, Key Pairs, AMIs |
| VPC | VPCs, Subnets, Internet Gateways, NAT Gateways, Route Tables |
| S3 | Buckets |
| RDS | DB Instances, DB Clusters, Snapshots |
| Lambda | Functions |
| IAM | Roles, Policies, Users |
| ECS | Clusters, Services, Task Definitions |
| EKS | Clusters |
| CloudFront | Distributions |
| Route 53 | Hosted Zones |
| SNS | Topics |
| SQS | Queues |
| DynamoDB | Tables |
| ElastiCache | Clusters |
| ELB | Load Balancers (ALB, NLB, CLB), Target Groups |
| CloudWatch | Log Groups, Alarms |
Running a Discovery Scan
- Navigate to Cloud Discovery from the main navigation
- Click New Scan
- Configure the scan:
| Option | Description |
|---|---|
| Cloud Account | Select which cloud account to scan (see Multi-Account Support) |
| Regions | Select AWS regions to scan (or all) |
| Resource Types | Filter to specific services (or all) |
- Click Start Scan
TIP
First scans can take several minutes depending on the number of regions and resources. Subsequent scans are faster due to incremental detection.
Multi-Account Support
Manage multiple AWS accounts from a single Controlinfra organization using Cloud Accounts.
Adding a Cloud Account
- Go to Settings → Cloud Accounts
- Click Add Cloud Account
- Provide:
  - Account Name — Friendly label (e.g., "Production", "Staging")
  - AWS Account ID — The 12-digit AWS account ID
  - Credentials — Access Key / Secret Key, or IAM Role ARN for AssumeRole
- Click Validate to test the connection
- Save the cloud account
Account Limits by Plan
| Plan | Cloud Accounts | Regions per Account |
|---|---|---|
| Free | 0 | 0 |
| Pro | 1 | 1 |
| Team | Unlimited | Unlimited |
| Enterprise | Unlimited | Unlimited |
AssumeRole Setup (Recommended)
For cross-account access, create an IAM role in the target account:
- Create an IAM role with the `ReadOnlyAccess` managed policy
- Set the trust policy to allow your Controlinfra account to assume the role
- In Controlinfra, provide the Role ARN when adding the cloud account
This is more secure than static access keys and follows AWS best practices.
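A check you can run on the role's trust policy before handing over the Role ARN, as an added example that is not Controlinfra's own code. It flags wildcard or unexpected principals and a missing `sts:ExternalId` condition. The account ID `111122223333`, the external ID value and both sample policies are constructed placeholders, and whether Controlinfra issues an external ID is an assumption to confirm against your own setup.

```python
import json

# Constructed trust policies. 111122223333 stands in for the account that
# assumes the role; the external ID value is a placeholder.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")

SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")


def as_list(value):
    """IAM allows a single string or object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, trusted_account):
    """Return findings for Allow statements that let AWS principals assume the role."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        # Service and federated principals are out of scope for this check.
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if not aws:
            continue
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: any AWS principal may assume the role")
            elif p != trusted_account and f"::{trusted_account}:" not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond_keys = {k.lower() for keys in stmt.get("Condition", {}).values() for k in keys}
        if "sts:externalid" not in cond_keys:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, audit_trust_policy(doc, "111122223333"))
```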
Resource Classification
Every discovered resource is assigned an IaC status:
| Status | Description |
|---|---|
| Managed | Found in a Terraform state file — tracked and managed |
| Orphan | Not found in any Terraform state — unmanaged infrastructure |
| Ignored | Manually marked as ignored by a user |
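
One way the three statuses can be computed from Terraform state files, as an added example that is not Controlinfra's implementation. It assumes resources are matched on Terraform resource type plus the `id` attribute and that a user's Ignored mark takes precedence; the state file, scan results and all IDs are constructed.

```python
import json

# Constructed Terraform state (format version 4); every ID here is made up.
STATE = json.loads("""{"version": 4, "resources": [
  {"mode": "managed", "type": "aws_instance", "name": "web",
   "instances": [{"attributes": {"id": "i-0aaa1111"}}]},
  {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
   "instances": [{"attributes": {"id": "example-logs"}}]},
  {"mode": "data", "type": "aws_vpc", "name": "shared",
   "instances": [{"attributes": {"id": "vpc-0bbb2222"}}]}]}""")

# Constructed scan output, keyed by (Terraform type, id) (assumption).
DISCOVERED = [
    ("aws_instance", "i-0aaa1111"), ("aws_instance", "i-0ccc3333"),
    ("aws_s3_bucket", "example-logs"), ("aws_vpc", "vpc-0bbb2222"),
    ("aws_security_group", "sg-0ddd4444"),
]
IGNORED = {("aws_security_group", "sg-0ddd4444")}  # marked Ignored by a user


def managed_keys(states):
    """Collect (type, id) for every managed resource instance in the state files."""
    keys = set()
    for state in states:
        for res in state.get("resources", []):
            if res.get("mode") != "managed":
                continue  # data sources only read a resource, they do not manage it
            for inst in res.get("instances", []):
                rid = inst.get("attributes", {}).get("id")
                if rid:
                    keys.add((res["type"], rid))
    return keys


def classify(discovered, states, ignored):
    """Map each discovered (type, id) to Managed, Orphan or Ignored."""
    managed = managed_keys(states)
    statuses = {}
    for key in discovered:
        if key in ignored:
            statuses[key] = "Ignored"  # assumption: a user's mark takes precedence
        elif key in managed:
            statuses[key] = "Managed"
        else:
            statuses[key] = "Orphan"
    return statuses


if __name__ == "__main__":
    for key, status in classify(DISCOVERED, [STATE], IGNORED).items():
        print(f"{status:8} {key[0]} {key[1]}")
```

The VPC comes out as Orphan even though it appears in the state, because it is only referenced there as a data source.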
Changing Status
- Click on any resource to view its details
- Use the Status dropdown to change classification
- Marking a resource as Ignored removes it from orphan counts and alerts
Resource Boards
The discovery dashboard provides boards for organizing and reviewing resources:
- All Resources — Complete list with filters and search
- Orphans — Unmanaged resources requiring attention
- By Service — Grouped by AWS service
- By Account — Grouped by cloud account (multi-account)
- By Region — Geographic distribution
Orphan Detection
Orphaned resources are highlighted with actionable details:
- Resource type and ID
- Region and account
- Creation date (when available)
- Estimated cost (for resources with pricing data)
- Risk level — Security and cost risk assessment
Terraform Generation
For orphaned resources, Controlinfra can generate Terraform configuration:
- Select an orphaned resource
- Click Generate Terraform
- Review the generated HCL code
- Copy to clipboard or download as a `.tf` file
WARNING
Generated Terraform is a starting point. Always review and test the configuration before applying it. Some resource attributes may require manual adjustment.
AI Insights
When AI analysis is enabled, Cloud Discovery provides:
- Cost optimization — Identify underutilized or oversized resources
- Security findings — Flag misconfigured security groups, public access, missing encryption
- Cleanup recommendations — Suggest resources safe to delete
- IaC adoption score — Percentage of resources under Terraform management
Dashboard
The Cloud Discovery dashboard shows:
- Total resources discovered
- IaC coverage percentage (managed vs. orphan)
- Resource breakdown by service and region
- Cost estimates for orphaned resources
- Trend data over time
Best Practices
- Scan regularly — Run weekly scans to catch new orphaned resources early
- Start with one region — Begin with your primary region before expanding
- Use AssumeRole — More secure than static access keys for cross-account access
- Triage orphans — Review and classify orphans promptly: generate Terraform, ignore, or delete
- Track IaC coverage — Use the dashboard to monitor your Terraform adoption percentage over time