
Cloud Discovery Pro+

Cloud Discovery scans your AWS, Azure, and GCP accounts to find all deployed resources, identify orphaned infrastructure not managed by Terraform, and provide cost and security insights.

Overview

Most organizations have resources deployed outside of Terraform — manually created, from scripts, or legacy infrastructure. Cloud Discovery finds these resources and helps you bring them under IaC management or clean them up.

How It Works

  1. Scan — Controlinfra uses your cloud credentials to enumerate resources across services and regions
  2. Classify — Each resource is classified as Managed (in Terraform state), Orphan (not in any state), or Ignored
  3. Analyze — AI insights highlight cost optimization, security risks, and cleanup opportunities
  4. Act — Generate Terraform code for orphaned resources or mark them as ignored

Supported Resource Types

Cloud Discovery supports 37 AWS resource types, 100+ Azure resource types, and 17 GCP resource types across these services:

AWS Resource Types

Service       Resource Types
EC2           Instances, Security Groups, Volumes (EBS), Elastic IPs, Key Pairs, AMIs
VPC           VPCs, Subnets, Internet Gateways, NAT Gateways, Route Tables
S3            Buckets
RDS           DB Instances, DB Clusters, Snapshots
Lambda        Functions
IAM           Roles, Policies, Users
ECS           Clusters, Services, Task Definitions
EKS           Clusters
CloudFront    Distributions
Route 53      Hosted Zones
SNS           Topics
SQS           Queues
DynamoDB      Tables
ElastiCache   Clusters
ELB           Load Balancers (ALB, NLB, CLB), Target Groups
CloudWatch    Log Groups, Alarms

GCP Resource Types

Service          Resource Types
Compute Engine   Instances, Firewalls, Networks, Subnetworks, Disks, Addresses
Cloud Storage    Buckets
Cloud SQL        Database Instances
GKE              Container Clusters
Cloud DNS        Managed Zones
Pub/Sub          Topics, Subscriptions
Memorystore      Redis Instances
Cloud Run        Services
Cloud Functions  Functions
Cloud KMS        Key Rings, Crypto Keys

Running a Discovery Scan

  1. Navigate to Cloud Discovery from the main navigation
  2. Click New Scan
  3. Configure the scan:

     Option          Description
     Cloud Account   Select which cloud account to scan (see Multi-Account Support)
     Regions         Select regions to scan (or all) — AWS regions, Azure locations, or GCP zones
     Resource Types  Filter to specific services (or all)

  4. Click Start Scan

TIP

First scans can take several minutes depending on the number of regions and resources. Subsequent scans are faster due to incremental detection.

Multi-Account Support

Manage multiple AWS, Azure, and GCP accounts from a single Controlinfra organization using Cloud Accounts.

Adding a Cloud Account

  1. Go to Settings → Cloud Accounts
  2. Click Add Cloud Account
  3. Provide:
    • Account Name — Friendly label (e.g., "Production", "Staging")
    • Provider — AWS, Azure, or GCP
    • Account ID — AWS Account ID, Azure Subscription ID, or GCP Project ID
    • Credentials — AWS: Access Key/Secret Key or IAM Role ARN; Azure: OIDC or Service Principal; GCP: Service Account Key or Workload Identity
  4. Click Validate to test the connection
  5. Save the cloud account

Account Limits by Plan

Plan         Cloud Accounts   Regions per Account
Free         0                0
Pro          1                1
Team         Unlimited        Unlimited
Enterprise   Unlimited        Unlimited

AssumeRole Setup (Recommended, via Cloud Accounts)

This setup is supported via the Cloud Accounts form (Settings → Cloud Accounts → Add Cloud Account), which is the path Cloud Discovery uses. The legacy per-repo "Add Repository" credentials form does not accept assume_role on the cloud runner — use Cloud Accounts.

For cross-account access, create an IAM role in the target account:

  1. Create an IAM role with the ReadOnlyAccess managed policy
  2. Set the trust policy to allow Controlinfra to assume the role. The principal you trust depends on which runner is doing the scan:
    • Cloud runner (Controlinfra-managed): trust Controlinfra's master IAM user ARN — the Add Cloud Account form surfaces the exact ARN you need to paste into your trust policy.
    • Self-hosted runner: trust your own runner's IAM role ARN.
  3. In Controlinfra, provide the Role ARN when adding the cloud account.

This is more secure than static access keys and follows AWS best practices. See the full setup including trust-policy templates and the difference between control-plane vs runner-chained AssumeRole in the AWS credentials guide.
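As an added example (not Controlinfra's code), a small Python helper that builds the trust policy for the read-only discovery role and checks that an existing trust policy admits only the one principal you intend. The principal ARN is a placeholder standing in for the ARN the Add Cloud Account form shows you (cloud runner) or your self-hosted runner's role ARN; treating an account-root principal as "too broad" is the helper's own assumption, since root trusts every identity in that account rather than one scanner.

```python
# Placeholder (assumption): the principal ARN surfaced by the Add Cloud Account
# form for the cloud runner, or your own self-hosted runner's role ARN.
TRUSTED_PRINCIPAL = "arn:aws:iam::111122223333:user/controlinfra-runner"

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def build_trust_policy(principal_arn: str) -> dict:
    """Trust policy admitting exactly one principal; attach ReadOnlyAccess separately."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowControlinfraDiscovery",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }

def _as_list(value):
    # IAM accepts a single string or a list for Principal.AWS and Action.
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_problems(policy: dict, expected_principal: str) -> list:
    """Findings for a trust policy wider than the single expected principal,
    or one that never lets that principal assume the role at all."""
    problems, expected_seen = [], False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue  # not an AssumeRole grant
        principal = stmt.get("Principal")
        if principal == "*":
            problems.append(f"{sid}: anonymous wildcard principal")
            continue
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        for arn in _as_list(aws):
            if arn == expected_principal:
                expected_seen = True
            elif arn == "*" or arn.endswith(":root"):
                problems.append(f"{sid}: overly broad principal {arn}")
            else:
                problems.append(f"{sid}: unexpected principal {arn}")
    if not expected_seen:
        problems.append(f"{expected_principal} cannot assume the role")
    return problems
```

Run the checker against the trust policy you actually saved (for example the JSON shown in the IAM console) before validating the account in Controlinfra.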

Picking an auth method per cloud

Each provider's auth methods have different trust requirements and hosting constraints (e.g. Azure Managed Identity and GCP Workload Identity require the scanner to run on Azure / GCE respectively). The "Trust requirements at a glance" table at the top of each cloud's credentials guide is the canonical reference.

Resource Classification

Every discovered resource is assigned an IaC status:

Status     Description
Managed    Found in a Terraform state file — tracked and managed
Orphan     Not found in any Terraform state — unmanaged infrastructure
Ignored    Manually marked as ignored by a user
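A classification pass like the one described above, as an added Python example rather than the product's own code: it pulls resource ids out of constructed terraform.tfstate content (Terraform's state format version 4 layout), labels each discovered resource Managed, Orphan or Ignored, and computes the IaC adoption score. Excluding Ignored resources from the coverage denominator is an assumption of the example.

```python
import json

# Constructed sample terraform.tfstate (state format version 4): two managed
# resources plus a data source, which reads infrastructure but does not manage it.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "instances": [{"attributes": {"id": "i-0abc123"}}]},
        {"mode": "managed", "type": "aws_security_group", "name": "web_sg",
         "instances": [{"attributes": {"id": "sg-0def456"}}]},
        {"mode": "data", "type": "aws_ami", "name": "ubuntu",
         "instances": [{"attributes": {"id": "ami-0999"}}]},
    ],
})

# Constructed sample of what a scan returns: (resource type, id, region).
DISCOVERED = [
    ("aws_instance", "i-0abc123", "us-east-1"),
    ("aws_instance", "i-0ffffff", "us-east-1"),   # created by hand, no state entry
    ("aws_security_group", "sg-0def456", "us-east-1"),
    ("aws_ebs_volume", "vol-0123", "us-east-1"),
]

def managed_ids(state_json: str) -> set:
    """(type, id) of every managed resource instance in one state file."""
    ids = set()
    for res in json.loads(state_json).get("resources", []):
        if res.get("mode") != "managed":
            continue  # data sources are not managed infrastructure
        for inst in res.get("instances", []):
            rid = inst.get("attributes", {}).get("id")
            if rid:
                ids.add((res["type"], rid))
    return ids

def classify(discovered, state_files, ignored=frozenset()) -> dict:
    """Map each discovered (type, id) to Managed, Orphan or Ignored."""
    known = set().union(*(managed_ids(s) for s in state_files))
    statuses = {}
    for rtype, rid, _region in discovered:
        key = (rtype, rid)
        statuses[key] = ("Ignored" if key in ignored
                         else "Managed" if key in known else "Orphan")
    return statuses

def iac_coverage(statuses: dict) -> float:
    """IaC adoption score: managed share of non-ignored resources (assumption)."""
    counted = [s for s in statuses.values() if s != "Ignored"]
    return round(100.0 * counted.count("Managed") / len(counted), 1) if counted else 0.0
```

Pass every state file in use (one per workspace or backend) to classify; a resource tracked in a state you forgot to include will show up as an Orphan.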

Changing Status

  • Click on any resource to view its details
  • Use the Status dropdown to change classification
  • Marking a resource as Ignored removes it from orphan counts and alerts

Resource Boards

The discovery dashboard provides boards for organizing and reviewing resources:

  • All Resources — Complete list with filters and search
  • Orphans — Unmanaged resources requiring attention
  • By Service — Grouped by cloud service
  • By Account — Grouped by cloud account (multi-account)
  • By Region — Geographic distribution

Orphan Detection

Orphaned resources are highlighted with actionable details:

  • Resource type and ID
  • Region and account
  • Creation date (when available)
  • Estimated cost (for resources with pricing data)
  • Risk level — Security and cost risk assessment

Terraform Generation

For orphaned resources, Controlinfra can generate Terraform configuration:

  1. Select an orphaned resource
  2. Click Generate Terraform
  3. Review the generated HCL code
  4. Copy to clipboard or download as a .tf file

WARNING

Generated Terraform is a starting point. Always review and test the configuration before applying it. Some resource attributes may require manual adjustment.

AI Insights

When AI analysis is enabled, Cloud Discovery provides:

  • Cost optimization — Identify underutilized or oversized resources
  • Security findings — Flag misconfigured security groups, public access, missing encryption
  • Cleanup recommendations — Suggest resources safe to delete
  • IaC adoption score — Percentage of resources under Terraform management

Dashboard

The Cloud Discovery dashboard shows:

  • Total resources discovered
  • IaC coverage percentage (managed vs. orphan)
  • Resource breakdown by service and region
  • Cost estimates for orphaned resources
  • Trend data over time

Best Practices

  1. Scan regularly — Run weekly scans to catch new orphaned resources early
  2. Start with one region — Begin with your primary region before expanding
  3. Use AssumeRole — More secure than static access keys for cross-account access
  4. Triage orphans — Review and classify orphans promptly: generate Terraform, ignore, or delete
  5. Track IaC coverage — Use the dashboard to monitor your Terraform adoption percentage over time

Next Steps