Overview
RecourseOS uses a two-tier system for recoverability classification:
- Deterministic handlers — 175 resource types with explicit rules that check safety signals from resource configuration
- Semantic classifier — Dynamic signal extraction for unknown resources across 12 cloud providers
How Signals Are Checked
Both deterministic handlers and the classifier extract safety signals from resource attributes. Common signals include:
| Signal Category | Attributes Checked |
|---|---|
| Deletion protection | deletion_protection, deletion_protection_enabled, termination_protection |
| Versioning | versioning, versioning_enabled, versioning_configuration |
| Backups | backup_retention_period, point_in_time_recovery, backup_policy |
| Recovery windows | recovery_window_in_days, retention_in_days, deletion_window_in_days |
| Final snapshots | skip_final_snapshot, final_snapshot_identifier |
| Force deletion | force_destroy, force_delete |
To see the exact signals checked for a specific resource, use the recourse explain command, which outputs a detailed trace.
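The sketch below is an added example, not RecourseOS code: it reads the attributes from the table out of a Terraform plan's JSON and triages each resource the plan would destroy. The split into protective, window and risky sets, the "risky" and "protected" labels, and the sample plan are assumptions made for illustration; only needs-review is a term from this page.

```python
import json

# Attribute names are from the signal table; grouping and labels are assumptions.
PROTECTIVE = {"deletion_protection", "deletion_protection_enabled",
              "termination_protection", "versioning", "versioning_enabled",
              "versioning_configuration", "point_in_time_recovery",
              "backup_policy", "final_snapshot_identifier"}
WINDOWS = {"backup_retention_period", "recovery_window_in_days",
           "retention_in_days", "deletion_window_in_days"}  # count only if > 0
RISKY = {"skip_final_snapshot", "force_destroy", "force_delete"}

def is_enabled(value):
    """Read a Terraform attribute, including nested blocks, as on/off."""
    if isinstance(value, list):   # nested blocks are lists of dicts in plan JSON
        return any(is_enabled(v) for v in value)
    if isinstance(value, dict):   # e.g. {"enabled": true} or {"status": "Enabled"}
        return any(is_enabled(value[k]) for k in ("enabled", "status") if k in value)
    if isinstance(value, str):
        return value.strip().lower() not in ("", "false", "disabled", "suspended")
    return value is True

def extract_signals(attrs):
    """Return sorted (protective, risky) signal names present in attrs."""
    attrs = attrs or {}
    protective = [n for n, v in attrs.items()
                  if (n in PROTECTIVE and is_enabled(v))
                  or (n in WINDOWS and type(v) in (int, float) and v > 0)]
    risky = [n for n, v in attrs.items() if n in RISKY and v is True]
    return sorted(protective), sorted(risky)

def triage(plan):
    """Label every resource the plan deletes or replaces, keyed by address."""
    out = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if "delete" in change["actions"]:  # creates and updates destroy nothing
            protective, risky = extract_signals(change.get("before"))
            label = "risky" if risky else "protected" if protective else "needs-review"
            out[rc["address"]] = (label, protective, risky)
    return out

# Constructed sample in the `terraform show -json` layout (trimmed, not real output).
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_db_instance.main", "change": {"actions": ["delete"], "before":
  {"deletion_protection": false, "backup_retention_period": 7, "skip_final_snapshot": true}}},
 {"address": "aws_s3_bucket.logs", "change": {"actions": ["delete", "create"], "before":
  {"force_destroy": false, "versioning": [{"enabled": true}]}}},
 {"address": "aws_sqs_queue.jobs", "change": {"actions": ["delete"], "before": {"name": "jobs"}}},
 {"address": "aws_instance.web", "change": {"actions": ["update"], "before": {}}}]}""")
```

Calling triage(SAMPLE_PLAN) labels the database instance risky because skip_final_snapshot is true despite its backup retention, the versioned bucket protected, and the queue needs-review; the in-place update is ignored.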
Deterministic Handlers
AWS (97 resources)
Databases
aws_db_instance, aws_rds_cluster, aws_rds_cluster_instance, aws_db_snapshot, aws_db_cluster_snapshot, aws_dynamodb_table, aws_dynamodb_global_table, aws_dynamodb_table_item, aws_elasticache_cluster, aws_elasticache_replication_group, aws_elasticache_global_replication_group, aws_elasticache_serverless_cache, aws_elasticache_snapshot, aws_elasticache_parameter_group, aws_elasticache_subnet_group, aws_elasticache_user, aws_elasticache_user_group, aws_elasticache_user_group_association, aws_neptune_cluster, aws_neptune_cluster_instance, aws_neptune_cluster_snapshot, aws_neptune_cluster_parameter_group, aws_neptune_parameter_group, aws_neptune_subnet_group, aws_neptune_event_subscription
Storage
aws_s3_bucket, aws_s3_bucket_versioning, aws_s3_object, aws_ebs_volume, aws_ebs_snapshot, aws_ebs_snapshot_copy, aws_volume_attachment, aws_ami, aws_ami_copy, aws_efs_file_system, aws_efs_file_system_policy, aws_efs_mount_target, aws_efs_access_point, aws_efs_backup_policy, aws_efs_replication_configuration
Compute
aws_instance, aws_spot_instance_request, aws_launch_template, aws_iam_instance_profile, aws_lambda_function, aws_lambda_alias, aws_lambda_layer_version, aws_lambda_permission, aws_lambda_event_source_mapping
Networking
aws_vpc, aws_subnet, aws_internet_gateway, aws_nat_gateway, aws_eip, aws_route_table, aws_route_table_association, aws_route, aws_network_acl, aws_network_acl_rule, aws_security_group, aws_security_group_rule, aws_vpc_security_group_ingress_rule, aws_vpc_security_group_egress_rule, aws_lb, aws_alb, aws_elb, aws_lb_listener, aws_lb_listener_rule, aws_lb_target_group, aws_lb_target_group_attachment, aws_route53_zone, aws_route53_record, aws_route53_health_check
Identity & Security
aws_iam_user, aws_iam_group, aws_iam_role, aws_iam_policy, aws_iam_user_policy, aws_iam_user_policy_attachment, aws_iam_role_policy, aws_iam_role_policy_attachment, aws_kms_key, aws_kms_alias, aws_kms_grant, aws_secretsmanager_secret, aws_secretsmanager_secret_version, aws_secretsmanager_secret_policy, aws_secretsmanager_secret_rotation
Messaging & Observability
aws_sns_topic, aws_sns_topic_subscription, aws_sns_topic_policy, aws_sqs_queue, aws_sqs_queue_policy, aws_cloudwatch_log_group, aws_cloudwatch_log_stream, aws_cloudwatch_metric_alarm, aws_cloudwatch_dashboard
GCP (38 resources)
google_bigquery_dataset, google_bigquery_dataset_iam_binding, google_bigquery_dataset_iam_member, google_bigquery_dataset_iam_policy, google_bigquery_routine, google_bigquery_table, google_bigquery_table_iam_binding, google_bigquery_table_iam_member, google_bigquery_table_iam_policy, google_compute_disk, google_compute_snapshot, google_container_cluster, google_container_node_pool, google_dns_record_set, google_kms_crypto_key, google_kms_crypto_key_iam_binding, google_kms_crypto_key_iam_member, google_kms_key_ring, google_project_iam_binding, google_project_iam_member, google_project_iam_policy, google_secret_manager_secret, google_secret_manager_secret_iam_binding, google_secret_manager_secret_iam_member, google_secret_manager_secret_iam_policy, google_secret_manager_secret_version, google_service_account, google_service_account_iam_binding, google_service_account_iam_member, google_service_account_key, google_sql_database, google_sql_database_instance, google_sql_user, google_storage_bucket, google_storage_bucket_iam_binding, google_storage_bucket_iam_member, google_storage_bucket_iam_policy, google_storage_bucket_object
Azure (40 resources)
azuread_application, azuread_service_principal, azuread_service_principal_password, azurerm_cosmosdb_account, azurerm_cosmosdb_cassandra_keyspace, azurerm_cosmosdb_cassandra_table, azurerm_cosmosdb_gremlin_database, azurerm_cosmosdb_gremlin_graph, azurerm_cosmosdb_mongo_collection, azurerm_cosmosdb_mongo_database, azurerm_cosmosdb_sql_container, azurerm_cosmosdb_sql_database, azurerm_cosmosdb_sql_role_assignment, azurerm_cosmosdb_sql_role_definition, azurerm_cosmosdb_table, azurerm_dns_a_record, azurerm_dns_cname_record, azurerm_key_vault, azurerm_key_vault_access_policy, azurerm_key_vault_certificate, azurerm_key_vault_key, azurerm_key_vault_secret, azurerm_kubernetes_cluster, azurerm_kubernetes_cluster_node_pool, azurerm_managed_disk, azurerm_mariadb_server, azurerm_mssql_database, azurerm_mysql_flexible_server, azurerm_postgresql_flexible_server, azurerm_private_dns_a_record, azurerm_role_assignment, azurerm_role_definition, azurerm_snapshot, azurerm_sql_database, azurerm_storage_account, azurerm_storage_blob, azurerm_storage_container, azurerm_storage_queue, azurerm_storage_share, azurerm_storage_table
Classifier Coverage (12 providers)
The BitNet classifier handles resource types without deterministic handlers. It's trained on 400+ resources across 12 cloud providers:
Supported Providers
| Provider | Prefix | Coverage |
|---|---|---|
| Amazon Web Services | aws_ | deterministic + classifier |
| Google Cloud Platform | google_ | deterministic + classifier |
| Microsoft Azure | azurerm_ | deterministic + classifier |
| Oracle Cloud | oci_ | classifier |
| Alibaba Cloud | alicloud_ | classifier |
| DigitalOcean | digitalocean_ | classifier |
| Exoscale | exoscale_ | classifier |
| Hetzner Cloud | hcloud_ | classifier |
| Linode | linode_ | classifier |
| Scaleway | scaleway_ | classifier |
| UpCloud | upcloud_ | classifier |
| Vultr | vultr_ | classifier |
Semantic Signals
The classifier uses provider-neutral signals that generalize across clouds:
- Resource name patterns — backup, snapshot, replica, archive, volume, bucket, database
- Configuration signals — deletion_protection, versioning, retention, soft_delete
- Action context — delete vs update vs create
- Category inference — 13 resource categories (database, storage, compute, secrets, etc.)
Usage
Enable the classifier with the --classifier flag. Unknown resources default to needs-review when evidence is weak.
```
recourse plan plan.json --classifier
recourse evaluate terraform plan.json --classifier
```
Check the source field in responses to distinguish deterministic rules from classifier verdicts.