🐛 skip disabled AlloyDB API during GCP discovery (#7343)

vjeffrey · claude · web-flow · commit e1bac2028077 · 2026-04-22T11:23:50.000-06:00
cnspec scan gcp aborted with PermissionDenied when the AlloyDB API
was not enabled in the project, because alloydb.clusters / instances /
backups bubbled the raw gRPC error and discovery.go stops the scan on
any discovery target error. AlloyDB was the one service in the Auto
discovery set missing the skippable-error pattern that backupdr, batch,
cloudbuild, dlp, eventarc, gke_backup and others already use.

Guard each ListX iterator with isGRPCSkippable so disabled APIs,
missing permissions, or NotFound locations degrade gracefully with
a warning instead of failing the whole scan.

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/providers/gcp/resources/alloydb.go b/providers/gcp/resources/alloydb.go
@@ -11,6 +11,7 @@ import (
 
 	alloydb "cloud.google.com/go/alloydb/apiv1"
 	"cloud.google.com/go/alloydb/apiv1/alloydbpb"
+	"github.com/rs/zerolog/log"
 	"go.mondoo.com/mql/v13/llx"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"
@@ -82,6 +83,10 @@ func (g *mqlGcpProjectAlloydbService) clusters() ([]any, error) {
 			break
 		}
 		if err != nil {
+			if isGRPCSkippable(err) {
+				log.Warn().Err(err).Msg("could not list AlloyDB clusters")
+				return nil, nil
+			}
 			return nil, err
 		}
 
@@ -297,6 +302,10 @@ func (g *mqlGcpProjectAlloydbServiceCluster) instances() ([]any, error) {
 			break
 		}
 		if err != nil {
+			if isGRPCSkippable(err) {
+				log.Warn().Err(err).Msg("could not list AlloyDB instances")
+				return nil, nil
+			}
 			return nil, err
 		}
 
@@ -437,6 +446,10 @@ func (g *mqlGcpProjectAlloydbServiceCluster) backups() ([]any, error) {
 			break
 		}
 		if err != nil {
+			if isGRPCSkippable(err) {
+				log.Warn().Err(err).Msg("could not list AlloyDB backups")
+				return nil, nil
+			}
 			return nil, err
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`
`12`	`12`	`alloydb "cloud.google.com/go/alloydb/apiv1"`
`13`	`13`	`"cloud.google.com/go/alloydb/apiv1/alloydbpb"`
	`14`	`+ "github.com/rs/zerolog/log"`
`14`	`15`	`"go.mondoo.com/mql/v13/llx"`
`15`	`16`	`"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"`
`16`	`17`	`"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"`
`@@ -82,6 +83,10 @@ func (g *mqlGcpProjectAlloydbService) clusters() ([]any, error) {`
`82`	`83`	`break`
`83`	`84`	`}`
`84`	`85`	`if err != nil {`
	`86`	`+ if isGRPCSkippable(err) {`
	`87`	`+ log.Warn().Err(err).Msg("could not list AlloyDB clusters")`
	`88`	`+ return nil, nil`
	`89`	`+ }`
`85`	`90`	`return nil, err`
`86`	`91`	`}`
`87`	`92`
`@@ -297,6 +302,10 @@ func (g *mqlGcpProjectAlloydbServiceCluster) instances() ([]any, error) {`
`297`	`302`	`break`
`298`	`303`	`}`
`299`	`304`	`if err != nil {`
	`305`	`+ if isGRPCSkippable(err) {`
	`306`	`+ log.Warn().Err(err).Msg("could not list AlloyDB instances")`
	`307`	`+ return nil, nil`
	`308`	`+ }`
`300`	`309`	`return nil, err`
`301`	`310`	`}`
`302`	`311`
`@@ -437,6 +446,10 @@ func (g *mqlGcpProjectAlloydbServiceCluster) backups() ([]any, error) {`
`437`	`446`	`break`
`438`	`447`	`}`
`439`	`448`	`if err != nil {`
	`449`	`+ if isGRPCSkippable(err) {`
	`450`	`+ log.Warn().Err(err).Msg("could not list AlloyDB backups")`
	`451`	`+ return nil, nil`
	`452`	`+ }`
`440`	`453`	`return nil, err`
`441`	`454`	`}`
`442`	`455`