Discovery | Product Deep-Dive | 6 min read | January 27, 2026

Infrastructure Discovery: Turning Unknown Cloud State into Managed Code in Minutes

Most cloud environments fail because nobody knows what exists. Discovery replaces uncertainty with a complete, dependency-aware infrastructure model ready to be managed as code.

ops0 Engineering
Technical Team

Key Takeaways

  • ops0 Discovery scans your entire cloud infrastructure across AWS, GCP, and Azure
  • Dependency mapping shows how resources connect, not just what exists
  • IaC generation turns brownfield infrastructure into managed code automatically
  • Continuous scanning keeps visibility current without manual audits

Most cloud environments don't fail because they're complex.

They fail because nobody actually knows what exists.

Ask a platform team what's running in their AWS account and you'll hear some version of this: a few Terraform state files, some half-accurate diagrams, tribal knowledge, and a lot of guessing. The reality is worse—large chunks of infrastructure were click-created years ago, never codified, and quietly drifted ever since.

Discovery exists to replace that uncertainty with something concrete: a complete, continuously updated model of your cloud infrastructure, mapped by dependency and ready to be managed as code.

The Actual Problem

Cloud infrastructure is undocumented by default.

Cloud APIs let you create resources without describing why they exist or how they relate to anything else. Terraform state only knows about what Terraform created. Security tools know misconfigurations but not intent. AWS Config knows history but not structure.

The result: no single system has a complete, current, dependency-aware view of your infrastructure.

Manual audits don't fix this. Clicking through the AWS console for three days produces a snapshot that's already wrong by the time it's finished. Terraform import at scale is slow, brittle, and blind to relationships. Existing discovery tools list resources but stop short of explaining how they actually connect.

Discovery is built to solve that gap.

What Discovery Does

Discovery scans your cloud provider APIs and builds a versioned snapshot of everything that exists:

  • Resources and their full configuration
  • Relationships and dependency direction
  • Regional and cross-service connections
  • Cost and metadata context

Each scan produces a point-in-time model you can diff over time, turning undocumented infrastructure into something observable, reviewable, and eventually manageable.

This isn't a compliance report or a static inventory. It's a living infrastructure graph.

Why Relationship Mapping Comes First

Most tools stop at "what exists." Discovery focuses on how things depend on each other.

Take a single EC2 instance. Discovery understands that it:

  • Lives inside a specific VPC and subnet
  • Depends on one or more security groups
  • References IAM roles and instance profiles
  • Attaches to EBS volumes
  • May route traffic through other network constructs

These relationships are classified and directional (`contains`, `uses`, `attached_to`, `routes_to`, `references`), which enables two things most tools can't do reliably:

Correct Terraform ordering

Hard dependencies become explicit `depends_on` blocks in generated code, eliminating the trial-and-error apply cycles that plague imports.

Real blast radius analysis

Click a subnet, a security group, or a role and see exactly what breaks if it changes or disappears.

This is the difference between an inventory and an infrastructure model.
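
The two uses above, blast radius and creation ordering, sketched over typed, directional edges. This is an added example, not ops0's code: the edge semantics (which end of each relationship is the dependent one), the sample resource names, and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed semantics. True: target depends on source. False: source depends on target.
TARGET_IS_DEPENDENT = {"contains": True, "uses": False, "references": False,
                       "attached_to": False, "routes_to": False}

# Constructed sample graph: (source, relationship, target).
EDGES = [
    ("vpc-main", "contains", "subnet-a"), ("vpc-main", "contains", "sg-web"),
    ("subnet-a", "contains", "i-web"), ("i-web", "uses", "sg-web"),
    ("i-web", "references", "role-web"), ("vol-data", "attached_to", "i-web"),
]

def dependents_index(edges):
    """Map each resource to the resources that directly depend on it."""
    index = defaultdict(set)
    for src, rel, dst in edges:
        dependent, dependency = (dst, src) if TARGET_IS_DEPENDENT[rel] else (src, dst)
        index[dependency].add(dependent)
        index[dependent]  # register leaf resources as nodes too
    return index

def blast_radius(edges, resource):
    """Every resource that transitively depends on `resource`."""
    index, seen, queue = dependents_index(edges), set(), deque([resource])
    while queue:
        for dependent in index.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def creation_order(edges):
    """Kahn's topological sort: dependencies come before their dependents."""
    index = dependents_index(edges)
    pending = {node: 0 for node in index}
    for dependents in index.values():
        for dependent in dependents:
            pending[dependent] += 1
    ready = deque(sorted(node for node, count in pending.items() if count == 0))
    order = []
    while ready:
        node = ready.popleft()
        order.append(node)
        for dependent in sorted(index[node]):
            pending[dependent] -= 1
            if pending[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(index):
        raise ValueError("dependency cycle: no valid creation order")
    return order
```

Changing `sg-web` in this sample reaches `i-web` and, through it, `vol-data`; a cycle in the edges raises an error rather than producing an ordering that would fail at apply time.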

The Technical Architecture

Discovery is built to scan large, messy environments without timing out, throttling APIs, or collapsing under its own memory usage.

Parallel regional scanning

Multiple regions are scanned simultaneously. If you select us-east-1, us-west-2, and eu-west-1, all three run in parallel.

Specialized scanners

Each region runs multiple concurrent scanners, each focused on a specific domain: networking, compute, databases, identity, and more. In total, Discovery uses 15 specialized scanners rather than a single monolithic pass.

Rate-limit aware execution

API calls are throttled intentionally to avoid AWS limits. Speed comes from parallelism, not brute force.

Incremental persistence

As each region completes, results are written immediately. Large accounts don't cause memory spikes or timeouts.

Resume by checkpoint

If a scan fails halfway through—network issues, transient API errors—it resumes from the last completed checkpoint instead of starting over. This is critical in large or unstable environments and is rare among discovery tools.
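
A sketch of the parallel, incrementally persisted, checkpoint-resumable scan described in this section. This is an added example, not ops0's implementation: the per-region JSON checkpoint files, `run_scan`, and the constructed `make_flaky_scanner` stand-in for real cloud API calls are all assumptions.

```python
import json
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

def run_scan(regions, scan_region, checkpoint_dir):
    """Scan regions in parallel and persist each result as soon as it finishes.

    Returns (results, failed). Regions that already have a checkpoint file
    are loaded from disk instead of being scanned again.
    """
    checkpoint_dir = Path(checkpoint_dir)
    checkpoint_dir.mkdir(parents=True, exist_ok=True)
    results, failed, todo = {}, {}, []
    for region in regions:
        path = checkpoint_dir / f"{region}.json"
        if path.exists():
            results[region] = json.loads(path.read_text())
        else:
            todo.append(region)

    def scan_and_persist(region):
        resources = scan_region(region)
        tmp = checkpoint_dir / f"{region}.json.tmp"
        tmp.write_text(json.dumps(resources))
        # Atomic rename: a crash mid-write never leaves a partial checkpoint.
        tmp.replace(checkpoint_dir / f"{region}.json")
        return resources

    # Leaving the with-block waits for every submitted region to finish.
    with ThreadPoolExecutor(max_workers=max(1, len(todo))) as pool:
        futures = {region: pool.submit(scan_and_persist, region) for region in todo}
    for region, future in futures.items():
        if future.exception() is None:
            results[region] = future.result()
        else:
            failed[region] = repr(future.exception())
    return results, failed

def make_flaky_scanner(bad_region, calls):
    """Constructed stand-in for a cloud API scan: fails once for bad_region."""
    def scan(region):
        calls.append(region)
        if region == bad_region and calls.count(region) == 1:
            raise TimeoutError(f"transient API error in {region}")
        return [{"id": f"vpc-{region}", "region": region}]
    return scan
```

Running `run_scan` a second time against the same checkpoint directory rescans only the region that failed; completed regions are read back from their checkpoint files.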

Typical performance

  • 3 regions: ~60–90 seconds
  • 1,000+ resources: ~2–5 minutes

Fast enough to be continuous, not just periodic.

What Gets Discovered

Discovery supports all major clouds:

AWS: 100+ resource types including EC2, VPC, S3, RDS, Lambda, EKS, ECS, IAM, Route53, CloudFront, and more

GCP: 100+ asset types via Cloud Asset Inventory

Azure: Full subscription coverage across compute, network, storage, and platform services

For each resource, Discovery captures full configuration, tags, metadata, region, pricing tier, and relationships—not just names.

From Brownfield to Managed Code

Legacy infrastructure doesn't have to stay legacy.

Discovery can generate production-ready Terraform directly from scanned infrastructure. Console-created resources become version-controlled code. Dependency ordering is preserved. You decide what to manage, not the tool.

This turns months of manual codification into minutes and lets teams bring order to environments that were never designed to be clean.

Why This Matters in Practice

Security

You can't secure what you can't see. Discovery surfaces forgotten databases, overly permissive security groups, and public exposure with full context.

Audits and compliance

Instead of assembling evidence from multiple tools, you show a complete, current infrastructure model with relationships and history.

Operational speed

Knowing what exists—and what depends on it—turns risky changes into informed decisions.

Discovery Inside the ops0 Platform

Discovery is the foundation layer:

Discovery + IaC: Scan reality, generate Terraform, deploy from intent

Discovery + Resource Graph: See drift between state files and real infrastructure

Discovery + Hive: Incidents are evaluated with full dependency context

Visibility isn't the end goal. Control is.

The Workflow

1. Connect your cloud accounts (AWS, GCP, Azure)

2. Discovery scans automatically

3. View the complete infrastructure graph

4. Generate IaC for selected resources

5. Continuous scans keep everything current

No manual configuration. No tuning. Just accurate visibility.

From Chaos to Clarity

Infrastructure chaos isn't a failure of discipline—it's the default state of unmanaged systems.

Discovery replaces guessing with evidence, tribal knowledge with shared truth, and outdated documentation with a continuously accurate model of reality.

Once you know exactly what you have, the real question becomes: what do you want to do with it?
