Back to docs
Reference

Resource Coverage

175 deterministic handlers for AWS, GCP, and Azure. BitNet classifier extends coverage to 12 cloud providers with 400+ resource types.

Overview

RecourseOS uses a two-tier system for recoverability classification:

  • Deterministic handlers — 175 resource types with explicit rules that check safety signals from resource configuration
  • Semantic classifier — Dynamic signal extraction for unknown resources across 12 cloud providers
175
Deterministic
400+
Classifier
12
Providers

How Signals Are Checked

Both deterministic handlers and the classifier extract safety signals from resource attributes. Common signals include:

Signal CategoryAttributes Checked
Deletion protectiondeletion_protectiondeletion_protection_enabledtermination_protection
Versioningversioningversioning_enabledversioning_configuration
Backupsbackup_retention_periodpoint_in_time_recoverybackup_policy
Recovery windowsrecovery_window_in_daysretention_in_daysdeletion_window_in_days
Final snapshotsskip_final_snapshotfinal_snapshot_identifier
Force deletionforce_destroyforce_delete

To see exact signals checked for a specific resource, use recourse explain which outputs a detailed trace.

Deterministic Handlers

97
AWS
38
GCP
40
Azure

AWS 97 resources

Databases

aws_db_instanceaws_rds_clusteraws_rds_cluster_instanceaws_db_snapshotaws_db_cluster_snapshotaws_dynamodb_tableaws_dynamodb_global_tableaws_dynamodb_table_itemaws_elasticache_clusteraws_elasticache_replication_groupaws_elasticache_global_replication_groupaws_elasticache_serverless_cacheaws_elasticache_snapshotaws_elasticache_parameter_groupaws_elasticache_subnet_groupaws_elasticache_useraws_elasticache_user_groupaws_elasticache_user_group_associationaws_neptune_clusteraws_neptune_cluster_instanceaws_neptune_cluster_snapshotaws_neptune_cluster_parameter_groupaws_neptune_parameter_groupaws_neptune_subnet_groupaws_neptune_event_subscription

Storage

aws_s3_bucketaws_s3_bucket_versioningaws_s3_objectaws_ebs_volumeaws_ebs_snapshotaws_ebs_snapshot_copyaws_volume_attachmentaws_amiaws_ami_copyaws_efs_file_systemaws_efs_file_system_policyaws_efs_mount_targetaws_efs_access_pointaws_efs_backup_policyaws_efs_replication_configuration

Compute

aws_instanceaws_spot_instance_requestaws_launch_templateaws_iam_instance_profileaws_lambda_functionaws_lambda_aliasaws_lambda_layer_versionaws_lambda_permissionaws_lambda_event_source_mapping

Networking

aws_vpcaws_subnetaws_internet_gatewayaws_nat_gatewayaws_eipaws_route_tableaws_route_table_associationaws_routeaws_network_aclaws_network_acl_ruleaws_security_groupaws_security_group_ruleaws_vpc_security_group_ingress_ruleaws_vpc_security_group_egress_ruleaws_lbaws_albaws_elbaws_lb_listeneraws_lb_listener_ruleaws_lb_target_groupaws_lb_target_group_attachmentaws_route53_zoneaws_route53_recordaws_route53_health_check

Identity & Security

aws_iam_useraws_iam_groupaws_iam_roleaws_iam_policyaws_iam_user_policyaws_iam_user_policy_attachmentaws_iam_role_policyaws_iam_role_policy_attachmentaws_kms_keyaws_kms_aliasaws_kms_grantaws_secretsmanager_secretaws_secretsmanager_secret_versionaws_secretsmanager_secret_policyaws_secretsmanager_secret_rotation

Messaging & Observability

aws_sns_topicaws_sns_topic_subscriptionaws_sns_topic_policyaws_sqs_queueaws_sqs_queue_policyaws_cloudwatch_log_groupaws_cloudwatch_log_streamaws_cloudwatch_metric_alarmaws_cloudwatch_dashboard

GCP 38 resources

google_bigquery_datasetgoogle_bigquery_dataset_iam_bindinggoogle_bigquery_dataset_iam_membergoogle_bigquery_dataset_iam_policygoogle_bigquery_routinegoogle_bigquery_tablegoogle_bigquery_table_iam_bindinggoogle_bigquery_table_iam_membergoogle_bigquery_table_iam_policygoogle_compute_diskgoogle_compute_snapshotgoogle_container_clustergoogle_container_node_poolgoogle_dns_record_setgoogle_kms_crypto_keygoogle_kms_crypto_key_iam_bindinggoogle_kms_crypto_key_iam_membergoogle_kms_key_ringgoogle_project_iam_bindinggoogle_project_iam_membergoogle_project_iam_policygoogle_secret_manager_secretgoogle_secret_manager_secret_iam_bindinggoogle_secret_manager_secret_iam_membergoogle_secret_manager_secret_iam_policygoogle_secret_manager_secret_versiongoogle_service_accountgoogle_service_account_iam_bindinggoogle_service_account_iam_membergoogle_service_account_keygoogle_sql_databasegoogle_sql_database_instancegoogle_sql_usergoogle_storage_bucketgoogle_storage_bucket_iam_bindinggoogle_storage_bucket_iam_membergoogle_storage_bucket_iam_policygoogle_storage_bucket_object

Azure 40 resources

azuread_applicationazuread_service_principalazuread_service_principal_passwordazurerm_cosmosdb_accountazurerm_cosmosdb_cassandra_keyspaceazurerm_cosmosdb_cassandra_tableazurerm_cosmosdb_gremlin_databaseazurerm_cosmosdb_gremlin_graphazurerm_cosmosdb_mongo_collectionazurerm_cosmosdb_mongo_databaseazurerm_cosmosdb_sql_containerazurerm_cosmosdb_sql_databaseazurerm_cosmosdb_sql_role_assignmentazurerm_cosmosdb_sql_role_definitionazurerm_cosmosdb_tableazurerm_dns_a_recordazurerm_dns_cname_recordazurerm_key_vaultazurerm_key_vault_access_policyazurerm_key_vault_certificateazurerm_key_vault_keyazurerm_key_vault_secretazurerm_kubernetes_clusterazurerm_kubernetes_cluster_node_poolazurerm_managed_diskazurerm_mariadb_serverazurerm_mssql_databaseazurerm_mysql_flexible_serverazurerm_postgresql_flexible_serverazurerm_private_dns_a_recordazurerm_role_assignmentazurerm_role_definitionazurerm_snapshotazurerm_sql_databaseazurerm_storage_accountazurerm_storage_blobazurerm_storage_containerazurerm_storage_queueazurerm_storage_shareazurerm_storage_table

Classifier Coverage 12 providers

The BitNet classifier handles resource types without deterministic handlers. It's trained on 400+ resources across 12 cloud providers:

Supported Providers

ProviderPrefixCoverage
Amazon Web Servicesaws_deterministic + classifier
Google Cloud Platformgoogle_deterministic + classifier
Microsoft Azureazurerm_deterministic + classifier
Oracle Cloudoci_classifier
Alibaba Cloudalicloud_classifier
DigitalOceandigitalocean_classifier
Exoscaleexoscale_classifier
Hetzner Cloudhcloud_classifier
Linodelinode_classifier
Scalewayscaleway_classifier
UpCloudupcloud_classifier
Vultrvultr_classifier

Semantic Signals

The classifier uses provider-neutral signals that generalize across clouds:

  • Resource name patterns — backup, snapshot, replica, archive, volume, bucket, database
  • Configuration signals — deletion_protection, versioning, retention, soft_delete
  • Action context — delete vs update vs create
  • Category inference — 13 resource categories (database, storage, compute, secrets, etc.)

Usage

Enable the classifier with the --classifier flag. Unknown resources default to needs-review when evidence is weak.

recourse plan plan.json --classifier
recourse evaluate terraform plan.json --classifier

Check the source field in responses to distinguish deterministic rules from classifier verdicts.