Scanning Resources
Run a discovery scan to find existing cloud resources across AWS, GCP, Azure, and Oracle Cloud.
Discovery Wizard
Select Provider
Choose AWS, GCP, Azure, or Oracle Cloud.

Choose Integration
Select the cloud integration with credentials for this provider.
Configure Scope
Set the scan mode, regions, and resource types.
Select Resource Types
Choose which resource types to scan (or use "Select Common" for typical resources).

Review and Start
Review the configuration and start the scan.

Provider-Specific Scope
Each provider has different scope options for controlling what gets scanned.
AWS
| Scan Mode | Description |
|---|---|
| Single Account | Scan resources in the configured AWS account |
| Organization | Scan all accounts in the AWS Organization |
| Selected Accounts | Scan specific accounts (with optional exclusions) |
Region Selection: Choose one or more AWS regions (us-east-1, eu-west-1, etc.). Supports multi-region and all-region scanning.
Required Permissions:
- Describe* and List* for target resource types
- organizations:ListAccounts and sts:AssumeRole for organization scanning
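One way to check that the IAM policy attached to an AWS integration role stays within the permissions listed above. This is an added example, not ops0's own code: `audit_policy` is a hypothetical helper and the sample policy is constructed for illustration.

```python
import json

READ_PREFIXES = ("describe", "list")   # Describe* and List* from the list above
ORG_ACTIONS = {"organizations:listaccounts", "sts:assumerole"}

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json):
    """Return (statement index, action, reason) for grants beyond scan needs."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", "allows everything not listed"))
        for action in as_list(stmt.get("Action")):
            lowered = action.lower()   # IAM action names are case-insensitive
            _, _, name = lowered.partition(":")
            if lowered in ORG_ACTIONS:
                # AssumeRole should name the scan role, not every role.
                if lowered == "sts:assumerole" and "*" in as_list(stmt.get("Resource")):
                    findings.append((idx, action, "AssumeRole on Resource *"))
            elif not name.startswith(READ_PREFIXES):
                findings.append((idx, action, "not a Describe*/List* action"))
    return findings

# Constructed sample: the last two statements exceed what a scan needs.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "organizations:ListAccounts", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "s3:PutObject"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for idx, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"Statement {idx}: {action}: {reason}")
```
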
GCP
| Scope | Description |
|---|---|
| Project | Scan a single GCP project |
| Folder | Scan all projects under a folder |
| Organization | Scan the entire GCP organization |
Supports included/excluded project lists for folder and organization scopes.
Required Permissions:
- cloudasset.assets.searchAllResources for discovery
- resourcemanager.folders.list and resourcemanager.projects.list for folder/org scope
Azure
| Scope | Description |
|---|---|
| Subscription | Scan a single Azure subscription |
| Management Group | Scan all subscriptions under a management group |
| Selected Subscriptions | Scan specific subscriptions |
Required Permissions:
- Microsoft.ResourceGraph/resources/read for discovery
- Microsoft.Management/managementGroups/read for management group scope
Oracle Cloud
| Scope | Description |
|---|---|
| Compartment | Scan a single OCI compartment |
| Tenancy | Scan the entire tenancy |
Supports included/excluded compartment lists for tenancy scope.
Required Permissions:
- API key authentication
- Compartment-level read access for target resource types
Resource Types
Common Resource Sets
VMs, VPCs/VNets/VCNs, subnets, security groups or NSGs, storage, and databases.
Advanced Resource Sets
Kubernetes clusters, serverless functions, IAM, load balancers, CDN, and higher-order platform services.
Scan Controls
Pause and Resume
Long-running scans can be paused and resumed:
- Click Pause to halt an in-progress scan
- The session status changes to Paused and retains all resources discovered so far
- Click Resume to continue scanning from where it left off
Scan Progress
| Icon | Status |
|---|---|
| ✓ | Resource type completed |
| ● | Currently scanning |
| ○ | Pending |
| ✗ | Failed |
Estimated Duration
| Scope | Time |
|---|---|
| 1 region, basic resources | 1 to 2 min |
| 1 region, all resource types | 3 to 5 min |
| Multiple regions | 5 to 15 min |
| Organization-wide, all types | 15 to 30 min |
Multi-Account Scanning
AWS Organizations
Configure Integration
Set up AWS integration in the organization management account.
Enable Organization Scanning
Select Organization scan mode in the discovery wizard.
Select Scope
Choose specific organizational units (OUs) or member accounts, or scan all.
Scan
ops0 assumes roles in each member account and scans resources.
GCP Folders & Organizations
Configure Integration
Set up GCP integration with an organization-level service account.
Select Folder or Organization Scope
Choose the folder hierarchy or organization root.
Include/Exclude Projects
Optionally specify which projects to include or exclude.
Scan
ops0 enumerates all projects under the scope and scans each.
Azure Management Groups
Configure Integration
Set up Azure integration with management group access.
Select Management Group Scope
Choose the management group root or specific subscriptions.
Scan
ops0 discovers all subscriptions and scans resources.
Oracle Cloud Tenancy
Configure Integration
Set up Oracle Cloud integration with tenancy-level API key access.
Select Tenancy Scope
Choose tenancy-wide scanning or specific compartments.
Include/Exclude Compartments
Optionally specify which compartments to include or exclude.
Scan
ops0 enumerates compartments and scans resources in each.
Discovery Projects
Organize discovered resources into logical groupings before generating code.
Creating a Discovery Project
Open Session
Navigate to the completed discovery session.
Click "Create Project"
Select resources to include in the project.
Configure
Set project name, description, and tags (environment, owner, application).
Select Resources
Use manual selection, filter by tag, filter by type, filter by region, or select by relationship (resource + all dependencies).
State Backend Configuration
When creating a discovery project, configure the Terraform state backend:
| Backend | Description |
|---|---|
| S3 | AWS S3 bucket with optional DynamoDB locking |
| Azure Blob | Azure Storage Account for state files |
| GCS | Google Cloud Storage bucket |
| Local | Local filesystem (single user only) |
Job History
View past discovery jobs at Discovery → Job History:
- Scan configuration and scope
- Start/end times and duration
- Resource count by type
- Success/failure status
- Link to session results
Troubleshooting
Access Denied
Required IAM or cloud permissions are missing. Verify the integration has the read scopes needed for the selected provider and scope.
Rate Limited
The provider is throttling API calls. Retry after a short wait or reduce the scan scope and resource types.
Connection Failed
This usually means a network or credential problem. Test the integration in Settings and verify the credentials are still valid.
Timeout
The scan is taking too long for the selected scope. Reduce regions or resource types, or use pause and resume for large inventories.
- Start with your primary region if you're unsure where to begin.
- Use Select Common for a first pass on typical infrastructure.
- Pause long scans and resume later when you need to spread the work out.
- Use separate sessions per account when you want cleaner history and easier comparisons.