Import Cloud Resources

If your data stack already uses AWS resources — S3 buckets for staging, SNS topics for notifications, IAM roles for access control — you can import them into Rime rather than recreating them. Rime scans your AWS account, discovers resources related to your data stack, and lets you selectively bring them under Rime’s infrastructure management with full Terraform state tracking.

Prerequisites

Before scanning, you need to provide AWS credentials with read access to the resources you want to discover. Rime needs the following IAM permissions at minimum:

  • s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetBucketPolicy, s3:GetBucketTagging
  • sns:ListTopics, sns:GetTopicAttributes, sns:ListSubscriptionsByTopic
  • iam:ListRoles, iam:GetRole, iam:ListRolePolicies, iam:GetRolePolicy, iam:ListAttachedRolePolicies
  • iam:ListPolicies, iam:GetPolicy, iam:GetPolicyVersion

Provide credentials as an access key pair (access key ID + secret access key) on the import page. Credentials are encrypted at rest and used only during the scan and import process.

Running a scan

Navigate to Project > Migration > Import Cloud Resources and select AWS as the cloud provider. Enter your credentials and the AWS region to scan (or select “All regions” for a full account scan).

Click Start Scan to begin discovery. Rime queries the AWS APIs to find resources across the following categories.

What is discovered

S3 buckets

Rime discovers all S3 buckets in the scanned region(s) and reads their configuration:

| Property | What is captured |
| --- | --- |
| Bucket name and region | Location and ARN |
| Versioning | Whether versioning is enabled |
| Encryption | Server-side encryption configuration (SSE-S3, SSE-KMS) |
| Lifecycle rules | Expiration and transition policies |
| Event notifications | SNS/SQS/Lambda triggers (used to identify buckets connected to Snowpipe) |
| Tags | All resource tags |
| Policy | Bucket policy document |

Rime highlights buckets that have event notifications pointing to SNS topics used by Snowpipe, since these are most likely part of your data pipeline.

SNS topics

SNS topics are discovered with their subscriptions and access policies. Rime identifies topics that are subscribed to by Snowpipe SQS queues, flagging these as data pipeline components.

IAM roles

IAM roles are discovered with their trust policies, inline policies, and attached managed policies. Rime flags roles that:

  • Have trust relationships allowing Snowflake’s AWS account to assume them (used for Snowflake external stages and pipes)
  • Have policies granting access to S3 buckets discovered in the scan
  • Match common naming patterns for data pipeline roles (e.g., names containing “snowflake”, “data”, “etl”, “pipeline”)
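The three criteria above can be reproduced offline against exported role documents to review what a scan would highlight. This is an added example, not Rime's code: the account ID, bucket names, sample policies and the `flag_role` helper are constructed for illustration, and only Allow statements are evaluated (Deny statements and conditions are ignored).

```python
import fnmatch
import re

# Constructed placeholders and sample documents (IAM policy JSON shape), not real identifiers.
SNOWFLAKE_ACCOUNT_ID = "111122223333"
DISCOVERED_BUCKETS = {"acme-raw-landing", "acme-website-assets"}
NAME_PATTERN = re.compile(r"snowflake|data|etl|pipeline", re.IGNORECASE)
S3_ARN = "arn:aws:s3:::"  # other partitions (aws-cn, aws-us-gov) are not handled
SF_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/constructed"}}]}
READ_RAW = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::acme-raw-*", "arn:aws:s3:::acme-raw-*/*"]}]}

def as_list(value):  # IAM policy JSON allows a single value or a list in most fields
    return value if isinstance(value, list) else [value]

def allows(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def trusts_account(trust_policy, account_id):
    """True if an Allow statement lets an AWS principal in account_id assume the role."""
    for stmt in allows(trust_policy):
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        # A principal is "*", a bare account ID, or an ARN that embeds the account ID.
        if "sts:AssumeRole" in as_list(stmt.get("Action", [])) and any(
                p in ("*", account_id) or f"::{account_id}:" in p for p in aws):
            return True
    return False

def buckets_granted(policy, discovered):
    """Discovered buckets matched by the Resource of an Allow statement with S3 actions."""
    hits = set()
    for stmt in allows(policy):
        if any(a == "*" or a.lower().startswith("s3:") for a in as_list(stmt.get("Action", []))):
            for res in as_list(stmt.get("Resource", [])):
                if res == "*" or res.startswith(S3_ARN):
                    pattern = res[len(S3_ARN):].split("/", 1)[0] or "*"
                    hits.update(b for b in discovered if fnmatch.fnmatchcase(b, pattern))
    return hits

def flag_role(name, trust_policy, policies, discovered=DISCOVERED_BUCKETS):
    """Reasons a role would be highlighted under the three criteria listed above."""
    checks = {
        "snowflake_trust": trusts_account(trust_policy, SNOWFLAKE_ACCOUNT_ID),
        "s3_access": any(buckets_granted(p, discovered) for p in policies),
        "name_pattern": bool(NAME_PATTERN.search(name)),
    }
    return {flag for flag, hit in checks.items() if hit}
```

A role flagged only by `name_pattern` is a weak signal (a substring such as "data" matches many unrelated role names), so review the trust and S3 flags before selecting a role for import.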

Resource relationships

After discovering individual resources, Rime maps the relationships between them:

  • Which S3 buckets send event notifications to which SNS topics
  • Which IAM roles grant access to which S3 buckets
  • Which IAM roles are assumed by Snowflake (based on trust policies)

These relationships are displayed as a dependency graph in the import review screen.
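The bucket-to-topic-to-Snowpipe mapping described above, as an added example that is not Rime's code. The inputs are constructed in the shape of the S3 notification configuration and SNS subscription listings; the account IDs, ARNs and the `sf-snowpipe-` queue-name heuristic are assumptions made for illustration.

```python
# Constructed inputs shaped like the AWS responses a scan reads:
# S3 GetBucketNotificationConfiguration and SNS ListSubscriptionsByTopic.
OWN_ACCOUNT = "444455556666"  # placeholder for the scanned account
RAW_TOPIC = "arn:aws:sns:us-east-1:444455556666:raw-landing-events"
OPS_TOPIC = "arn:aws:sns:us-east-1:444455556666:ops-alerts"
BUCKET_NOTIFICATIONS = {
    "acme-raw-landing": {"TopicConfigurations": [
        {"TopicArn": RAW_TOPIC, "Events": ["s3:ObjectCreated:*"]}]},
    "acme-audit-logs": {"TopicConfigurations": [
        {"TopicArn": OPS_TOPIC, "Events": ["s3:ObjectRemoved:*"]}]},
    "acme-website-assets": {},  # no notifications configured
}
TOPIC_SUBSCRIPTIONS = {
    RAW_TOPIC: [{"Protocol": "sqs",
                 "Endpoint": "arn:aws:sqs:us-east-1:111122223333:sf-snowpipe-CONSTRUCTED"}],
    OPS_TOPIC: [{"Protocol": "email", "Endpoint": "oncall@example.com"}],
}

def is_snowpipe_queue(sub, own_account):
    """Assumed heuristic: SQS endpoint owned by another account, queue named sf-snowpipe-*."""
    parts = sub.get("Endpoint", "").split(":")
    return (sub.get("Protocol") == "sqs" and len(parts) == 6
            and parts[4] != own_account and parts[5].startswith("sf-snowpipe-"))

def build_edges(notifications, subscriptions, own_account):
    """Return (source, relation, target) edges: bucket -> topic -> snowpipe."""
    edges = []
    for bucket, cfg in sorted(notifications.items()):
        for tc in cfg.get("TopicConfigurations", []):
            edges.append((bucket, "notifies", tc["TopicArn"]))
    for topic, subs in sorted(subscriptions.items()):
        if any(is_snowpipe_queue(s, own_account) for s in subs):
            edges.append((topic, "feeds", "snowpipe"))
    return edges

def pipeline_buckets(edges):
    """Buckets whose notification target is a topic that feeds Snowpipe."""
    feeding = {src for src, rel, _ in edges if rel == "feeds"}
    return {src for src, rel, dst in edges if rel == "notifies" and dst in feeding}
```

A bucket that notifies a topic with no Snowpipe subscriber (here `acme-audit-logs`) still appears in the edge list but is not marked as a pipeline component.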

Selective import

After the scan, you choose which resources to import. The review screen shows all discovered resources organized by type, with data-pipeline-related resources highlighted and pre-selected.

For each resource, you can see:

  • Its current configuration
  • Its relationships to other discovered resources
  • Whether it conflicts with a resource already managed by Rime

Select the resources you want to manage through Rime. Resources you do not select remain in your AWS account unchanged.

Terraform state adoption

For each imported resource, Rime:

  1. Creates an infrastructure resource in the project that represents the AWS object.
  2. Imports into Terraform state by running terraform import against the existing resource. This means Rime now tracks the resource without recreating it.
  3. Sets desired state to match the current configuration. There is no drift immediately after import.
  4. Enables change management. Future changes to the resource should go through Rime’s infrastructure UI, which generates a Terraform plan and applies it on approval.

The import process does not modify any AWS resources. It only creates Rime’s internal state tracking.

Post-import behavior

Once resources are imported:

  • Changes go through Rime. Modifying an imported resource (e.g., adding a lifecycle rule to an S3 bucket) is done through the infrastructure management UI.
  • Drift detection is active. Rime periodically checks whether the actual AWS configuration matches the desired state. Changes made directly in the AWS console are detected and flagged.
  • Relationships are tracked. If you import both an S3 bucket and the IAM role that grants access to it, Rime understands the dependency and prevents you from deleting the role while the bucket still references it.

Azure resource discovery (planned)

Azure resource discovery is on the roadmap but not yet available. When released, it will support:

  • Azure Blob Storage accounts
  • Azure Event Grid topics
  • Azure Active Directory service principals
  • Azure Key Vault secrets related to Snowflake connections

If you are running your data stack on Azure, you can still use Rime for Snowflake management, connectors, transformations, and monitoring. Infrastructure management for Azure resources will require manual creation in Rime until the Azure import tool is available.

Limitations

  • Read-only scan. The discovery process never modifies AWS resources. It only reads metadata.
  • Cross-account resources are not discovered. The scan covers only the AWS account whose credentials you provide. If your data stack spans multiple AWS accounts, run separate scans for each account.
  • Resource types are limited to those listed above. Other AWS services (Lambda, Step Functions, Glue, etc.) are not currently discovered, even if they are part of your data pipeline.
  • Region-specific resources. S3 bucket names are global, but SNS topics and IAM roles are regional. Make sure to scan the correct region(s) for your data stack.
