Merge branch 'main' into limitations.md

2021-02-03 10:12:33 +01:00 · 2021-02-03 10:12:33 +01:00 · d1cb680ba4
parent 90d076e504 0377957ef1
commit d1cb680ba4
124 changed files with 1547846 additions and 571 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -67,7 +67,8 @@ jobs:
      - run:
          name: "Bump driftctl formula"
          command: |
-            brew bump-formula-pr driftctl --url https://github.com/cloudskiff/driftctl/archive/$CIRCLE_TAG.tar.gz
+            brew install-bundler-gems -d -v
+            brew bump-formula-pr driftctl --url https://github.com/cloudskiff/driftctl/archive/$CIRCLE_TAG.tar.gz -d -v
 workflows:
  pullrequest:
    jobs:
--- a/4
+++ b/4
@ -34,7 +34,7 @@ coverage: test

 .PHONY: acc
 acc:
-	DRIFTCTL_ACC=true $(GOTEST) --format testname --junitfile unit-tests-acc.xml -- -coverprofile=cover-acc.out -coverpkg=./pkg/... -run=TestAcc_ ./pkg/resource/...
+	DRIFTCTL_ACC=true $(GOTEST) --format testname --junitfile unit-tests-acc.xml -- -coverprofile=cover-acc.out -test.timeout 1h -coverpkg=./pkg/... -run=TestAcc_ ./pkg/resource/...

 .PHONY: mocks
 mocks: deps
@ -54,7 +54,7 @@ clean:
 .PHONY: lint
 lint:
 	@which golangci-lint > /dev/null 2>&1 || (curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $(GOBINPATH) v1.31.0)
-	golangci-lint run
+	golangci-lint run --timeout=2m

 .PHONY: deps
 deps:
--- a/README.md
+++ b/README.md
@ -168,3 +168,5 @@ $ driftctl scan --from tfstate://terraform_S3.tfstate --from tfstate://terraform
 ## Contribute

 To learn more about compiling driftctl and contributing, please refer to the [contribution guidelines](.github/CONTRIBUTING.md) and [contributing guide](doc/contributing/README.md) for technical details.
+
+Build with ❤️️ from 🇫🇷 🇯🇵 🇬🇷
--- a/doc/cmd/scan/supported_resources/aws.md
+++ b/doc/cmd/scan/supported_resources/aws.md
@ -25,7 +25,29 @@ $ AWS_PROFILE=driftctlrole driftctl scan

 Deploy this CloudFormation template to create our limited permission role that you can use as per our above authentication guide.

-[![Launch Stack](https://cdn.rawgit.com/buildkite/cloudformation-launch-stack-button-svg/master/launch-stack.svg)](https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=driftctl-stack&templateURL=https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml)
+[![Launch Stack](https://cdn.rawgit.com/buildkite/cloudformation-launch-stack-button-svg/master/launch-stack.svg)](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?stackName=driftctl-stack&templateURL=https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml)
+
+### Update the CloudFormation template
+
+It does not exist an automatic way to update the CloudFormation template from our side because you launched this template on your AWS account. That's why you must be the one to update the template to be on the most recent driftctl role.
+
+Find below two ways to update the CloudFormation template:
+
+1. With the AWS console
+
+- In the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation), from the list of stacks, select the driftctl stack
+- In the stack details pane, choose **Update**
+- Select **Replace current template** and specify our **Amazon S3 URL** `https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml`, click **Next**
+- On the **Specify stack details** and the **Configure stack options** pages, click **Next**
+- In the **Change set preview** section, check that AWS CloudFormation will indeed make changes
+- Since our template contains one IAM resource, select **I acknowledge that this template may create IAM resources**
+- Finally, click **Update stack**
+
+2. With the AWS CLI
+
+```console
+$ aws cloudformation update-stack --stack-name DRIFTCTL_STACK_NAME --template-url https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml --capabilities CAPABILITY_NAMED_IAM
+```

 ## Least privileged policy

--- a/doc/contributing/tests.md
+++ b/doc/contributing/tests.md
@ -133,7 +133,9 @@ Acceptance tests need credentials to perform real world action on cloud provider
 Recommended way to run acc tests is to use two distinct credentials:
 one for terraform related actions, and one for driftctl scan.

-You can override environment variables passed to terraform operations by adding `ACC_` prefix on env variables.
+In our acceptance tests, we may need read/write permissions during specific contexts
+(e.g. terraform init, apply, destroy)or lifecycle (PreExec and PostExec).
+If needed, you can override environment variables in those contexts by adding `ACC_` prefix on env variables.

 #### AWS

--- a/pkg/cmd/scan.go
+++ b/pkg/cmd/scan.go
@ -126,8 +126,10 @@ func scanRun(opts *ScanOptions) error {
 	signal.Notify(c, os.Interrupt, syscall.SIGTERM)

 	alerter := alerter.NewAlerter()
+	providerLibrary := terraform.NewProviderLibrary()
+	supplierLibrary := resource.NewSupplierLibrary()

-	err := remote.Activate(opts.To, alerter)
+	err := remote.Activate(opts.To, alerter, providerLibrary, supplierLibrary)
 	if err != nil {
 		return err
 	}
@ -135,13 +137,13 @@ func scanRun(opts *ScanOptions) error {
 	// Teardown
 	defer func() {
 		logrus.Trace("Exiting scan cmd")
-		terraform.Cleanup()
+		providerLibrary.Cleanup()
 		logrus.Trace("Exited")
 	}()

-	scanner := pkg.NewScanner(resource.Suppliers(), alerter)
+	scanner := pkg.NewScanner(supplierLibrary.Suppliers(), alerter)

-	iacSupplier, err := supplier.GetIACSupplier(opts.From)
+	iacSupplier, err := supplier.GetIACSupplier(opts.From, providerLibrary)
 	if err != nil {
 		return err
 	}
--- a/pkg/filter/driftignore.go
+++ b/pkg/filter/driftignore.go
@ -37,6 +37,12 @@ func (r *DriftIgnore) readIgnoreFile() error {
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
 		line := scanner.Text()
+		if line == "" || strings.HasPrefix(line, "#") {
+			logrus.WithFields(logrus.Fields{
+				"line": line,
+			}).Debug("Skipped comment or empty line")
+			continue
+		}
 		typeVal := readDriftIgnoreLine(line)
 		nbArgs := len(typeVal)
 		if nbArgs < 2 {
--- a/pkg/filter/testdata/drift_ignore_valid/.driftignore
+++ b/pkg/filter/testdata/drift_ignore_valid/.driftignore
@ -4,3 +4,4 @@ resource_type.id\.with\.dots
 resource_type.idwith\\
 resource_type.idwith\\backslashes

+# this is a comment
--- a/pkg/iac/supplier/supplier.go
+++ b/pkg/iac/supplier/supplier.go
@ -4,6 +4,7 @@ import (
 	"fmt"

 	"github.com/cloudskiff/driftctl/pkg/iac/terraform/state/backend"
+	"github.com/cloudskiff/driftctl/pkg/terraform"
 	"github.com/sirupsen/logrus"

 	"github.com/cloudskiff/driftctl/pkg/iac/config"
@ -26,7 +27,7 @@ func IsSupplierSupported(supplierKey string) bool {
 	return false
 }

-func GetIACSupplier(configs []config.SupplierConfig) (resource.Supplier, error) {
+func GetIACSupplier(configs []config.SupplierConfig, library *terraform.ProviderLibrary) (resource.Supplier, error) {
 	chainSupplier := resource.NewChainSupplier()
 	for _, config := range configs {
 		if !IsSupplierSupported(config.Key) {
@ -37,7 +38,7 @@ func GetIACSupplier(configs []config.SupplierConfig) (resource.Supplier, error)
 		var err error
 		switch config.Key {
 		case state.TerraformStateReaderSupplier:
-			supplier, err = state.NewReader(config)
+			supplier, err = state.NewReader(config, library)
 		default:
 			return nil, fmt.Errorf("Unsupported supplier '%s'", config.Key)
 		}
--- a/pkg/iac/supplier/supplier_test.go
+++ b/pkg/iac/supplier/supplier_test.go
@ -6,6 +6,7 @@ import (
 	"testing"

 	"github.com/cloudskiff/driftctl/pkg/iac/config"
+	"github.com/cloudskiff/driftctl/pkg/terraform"
 )

 func TestGetIACSupplier(t *testing.T) {
@ -76,7 +77,7 @@ func TestGetIACSupplier(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := GetIACSupplier(tt.args.config)
+			_, err := GetIACSupplier(tt.args.config, terraform.NewProviderLibrary())
 			if tt.wantErr != nil && err.Error() != tt.wantErr.Error() {
 				t.Errorf("GetIACSupplier() error = %v, wantErr %v", err, tt.wantErr)
 				return
--- a/pkg/iac/terraform/state/terraform_state_reader.go
+++ b/pkg/iac/terraform/state/terraform_state_reader.go
@ -21,6 +21,7 @@ import (
 const TerraformStateReaderSupplier = "tfstate"

 type TerraformStateReader struct {
+	library       *terraform.ProviderLibrary
 	config        config.SupplierConfig
 	backend       backend.Backend
 	deserializers []deserializer.CTYDeserializer
@ -35,8 +36,8 @@ func (r *TerraformStateReader) initReader() error {
 	return nil
 }

-func NewReader(config config.SupplierConfig) (*TerraformStateReader, error) {
-	reader := TerraformStateReader{config: config, deserializers: iac.Deserializers()}
+func NewReader(config config.SupplierConfig, library *terraform.ProviderLibrary) (*TerraformStateReader, error) {
+	reader := TerraformStateReader{library: library, config: config, deserializers: iac.Deserializers()}
 	err := reader.initReader()
 	if err != nil {
 		return nil, err
@ -70,7 +71,7 @@ func (r *TerraformStateReader) retrieve() (map[string][]cty.Value, error) {
 				continue
 			}
 			providerType := stateRes.ProviderConfig.Provider.Type
-			provider := terraform.Provider(providerType)
+			provider := r.library.Provider(providerType)
 			if provider == nil {
 				logrus.WithFields(logrus.Fields{
 					"providerKey": providerType,
--- a/pkg/iac/terraform/state/terraform_state_reader_test.go
+++ b/pkg/iac/terraform/state/terraform_state_reader_test.go
@ -90,12 +90,13 @@ func TestTerraformStateReader_Resources(t *testing.T) {
 			}

 			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, realProvider, shouldUpdate)
-
-			terraform.AddProvider(terraform.AWS, provider)
+			library := terraform.NewProviderLibrary()
+			library.AddProvider(terraform.AWS, provider)

 			b, _ := backend.NewFileReader(path.Join(goldenfile.GoldenFilePath, tt.dirName, "terraform.tfstate"))
 			r := &TerraformStateReader{
 				backend:       b,
+				library:       library,
 				deserializers: iac.Deserializers(),
 			}

--- a/pkg/remote/aws/db_instance_supplier.go
+++ b/pkg/remote/aws/db_instance_supplier.go
@ -1,8 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
@ -21,8 +21,13 @@ type DBInstanceSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewDBInstanceSupplier(runner *parallel.ParallelRunner, client rdsiface.RDSAPI) *DBInstanceSupplier {
-	return &DBInstanceSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewDBInstanceDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewDBInstanceSupplier(provider *TerraformProvider) *DBInstanceSupplier {
+	return &DBInstanceSupplier{
+		provider,
+		awsdeserializer.NewDBInstanceDeserializer(),
+		rds.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func listAwsDBInstances(client rdsiface.RDSAPI) ([]*rds.DBInstance, error) {
@ -43,8 +48,7 @@ func (s DBInstanceSupplier) Resources() ([]resource.Resource, error) {
 	resourceList, err := listAwsDBInstances(s.client)

 	if err != nil {
-		logrus.Error(err)
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsDbInstanceResourceType)
 	}

 	for _, res := range resourceList {
--- a/pkg/remote/aws/db_instance_supplier_test.go
+++ b/pkg/remote/aws/db_instance_supplier_test.go
@ -4,7 +4,16 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -21,10 +30,11 @@ import (
 func TestDBInstanceSupplier_Resources(t *testing.T) {

 	tests := []struct {
-		test           string
-		dirName        string
-		instancesPages mocks.DescribeDBInstancesPagesOutput
-		err            error
+		test                string
+		dirName             string
+		instancesPages      mocks.DescribeDBInstancesPagesOutput
+		instancesPagesError error
+		err                 error
 	}{
 		{
 			test:    "no dbs",
@ -74,32 +84,65 @@ func TestDBInstanceSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "multiples mixed db",
+			dirName: "db_instance_multiple",
+			instancesPages: mocks.DescribeDBInstancesPagesOutput{
+				{
+					true,
+					&rds.DescribeDBInstancesOutput{
+						DBInstances: []*rds.DBInstance{
+							{
+								DBInstanceIdentifier: awssdk.String("terraform-20201015115018309600000001"),
+							},
+							{
+								DBInstanceIdentifier: awssdk.String("database-1"),
+							},
+						},
+					},
+				},
+			},
+			err: nil,
+		},
+		{
+			test:                "Cannot list db instances",
+			dirName:             "db_instance_empty",
+			instancesPagesError: awserr.NewRequestFailure(nil, 403, ""),
+			err:                 remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsDbInstanceResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}
-
-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewDBInstanceSupplier(provider.Runner(), rds.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewDBInstanceSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewDBInstanceDeserializer()
+
+			client := mocks.NewMockAWSRDSClient(tt.instancesPages)
+			if tt.instancesPagesError != nil {
+				client = mocks.NewMockAWSRDSErrorClient(tt.instancesPagesError)
+			}
+
 			s := &DBInstanceSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSRDSClient(tt.instancesPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/db_subnet_group_supplier.go
+++ b/pkg/remote/aws/db_subnet_group_supplier.go
@ -1,8 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
 	"github.com/zclconf/go-cty/cty"
@ -24,12 +24,12 @@ type DBSubnetGroupSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewDBSubnetGroupSupplier(runner *parallel.ParallelRunner, client rdsiface.RDSAPI) *DBSubnetGroupSupplier {
+func NewDBSubnetGroupSupplier(provider *TerraformProvider) *DBSubnetGroupSupplier {
 	return &DBSubnetGroupSupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewDBSubnetGroupDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner),
+		rds.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

@ -45,8 +45,7 @@ func (s DBSubnetGroupSupplier) Resources() ([]resource.Resource, error) {
 	)

 	if err != nil {
-		logrus.Error(err)
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsDbSubnetGroupResourceType)
 	}

 	for _, subnetGroup := range subnetGroups {
--- a/pkg/remote/aws/db_subnet_group_supplier_test.go
+++ b/pkg/remote/aws/db_subnet_group_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -22,10 +29,11 @@ import (
 func TestDBSubnetGroupSupplier_Resources(t *testing.T) {

 	tests := []struct {
-		test    string
-		dirName string
-		subnets mocks.DescribeSubnetGroupResponse
-		err     error
+		test             string
+		dirName          string
+		subnets          mocks.DescribeSubnetGroupResponse
+		subnetsListError error
+		err              error
 	}{
 		{
 			test:    "no subnets",
@ -65,32 +73,45 @@ func TestDBSubnetGroupSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:             "Cannot list subnet",
+			dirName:          "db_subnet_empty",
+			subnetsListError: awserr.NewRequestFailure(nil, 403, ""),
+			err:              remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsDbSubnetGroupResourceType),
+		},
 	}
 	for _, tt := range tests {
+
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewDBInstanceSupplier(provider.Runner(), rds.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewDBInstanceSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewDBSubnetGroupDeserializer()
+			client := mocks.NewMockAWSRDSSubnetGroupClient(tt.subnets)
+			if tt.subnetsListError != nil {
+				client = mocks.NewMockAWSRDSErrorClient(tt.subnetsListError)
+			}
 			s := &DBSubnetGroupSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSRDSSubnetGroupClient(tt.subnets),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_ami_supplier.go
+++ b/pkg/remote/aws/ec2_ami_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,8 +23,13 @@ type EC2AmiSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2AmiSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2AmiSupplier {
-	return &EC2AmiSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2AmiDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2AmiSupplier(provider *TerraformProvider) *EC2AmiSupplier {
+	return &EC2AmiSupplier{
+		provider,
+		awsdeserializer.NewEC2AmiDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s EC2AmiSupplier) Resources() ([]resource.Resource, error) {
@ -34,7 +40,7 @@ func (s EC2AmiSupplier) Resources() ([]resource.Resource, error) {
 	}
 	response, err := s.client.DescribeImages(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsAmiResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(response.Images) > 0 {
--- a/pkg/remote/aws/ec2_ami_supplier_test.go
+++ b/pkg/remote/aws/ec2_ami_supplier_test.go
@ -4,8 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
+	"github.com/stretchr/testify/assert"

 	"github.com/cloudskiff/driftctl/test/goldenfile"

@ -13,16 +19,15 @@ import (
 	"github.com/cloudskiff/driftctl/pkg/terraform"
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/mocks"
-
-	"github.com/aws/aws-sdk-go/service/ec2"
 )

 func TestEC2AmiSupplier_Resources(t *testing.T) {
 	tests := []struct {
-		test    string
-		dirName string
-		amiIDs  []string
-		err     error
+		test      string
+		dirName   string
+		amiIDs    []string
+		listError error
+		err       error
 	}{
 		{
 			test:    "no amis",
@ -36,32 +41,44 @@ func TestEC2AmiSupplier_Resources(t *testing.T) {
 			amiIDs:  []string{"ami-03a578b46f4c3081b", "ami-025962fd8b456731f"},
 			err:     nil,
 		},
+		{
+			test:      "cannot list amis",
+			dirName:   "ec2_ami_empty",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsAmiResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2AmiSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2AmiSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2AmiDeserializer()
+			client := mocks.NewMockAWSEC2AmiClient(tt.amiIDs)
+			if tt.listError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.listError)
+			}
 			s := &EC2AmiSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2AmiClient(tt.amiIDs),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_ebs_snapshot_supplier.go
+++ b/pkg/remote/aws/ec2_ebs_snapshot_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,14 +23,19 @@ type EC2EbsSnapshotSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2EbsSnapshotSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2EbsSnapshotSupplier {
-	return &EC2EbsSnapshotSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2EbsSnapshotDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2EbsSnapshotSupplier(provider *TerraformProvider) *EC2EbsSnapshotSupplier {
+	return &EC2EbsSnapshotSupplier{
+		provider,
+		awsdeserializer.NewEC2EbsSnapshotDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s EC2EbsSnapshotSupplier) Resources() ([]resource.Resource, error) {
 	snapshots, err := listSnapshots(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsEbsSnapshotResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(snapshots) > 0 {
--- a/pkg/remote/aws/ec2_ebs_snapshot_supplier_test.go
+++ b/pkg/remote/aws/ec2_ebs_snapshot_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -20,10 +27,11 @@ import (

 func TestEC2EbsSnapshotSupplier_Resources(t *testing.T) {
 	tests := []struct {
-		test           string
-		dirName        string
-		snapshotsPages mocks.DescribeSnapshotsPagesOutput
-		err            error
+		test                string
+		dirName             string
+		snapshotsPages      mocks.DescribeSnapshotsPagesOutput
+		snapshotsPagesError error
+		err                 error
 	}{
 		{
 			test:    "no snapshots",
@ -63,32 +71,45 @@ func TestEC2EbsSnapshotSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:                "cannot list snapshots",
+			dirName:             "ec2_ebs_snapshot_empty",
+			snapshotsPagesError: awserr.NewRequestFailure(nil, 403, ""),
+			err:                 remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsEbsSnapshotResourceType),
+		},
 	}
 	for _, tt := range tests {
+
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2EbsSnapshotSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2EbsSnapshotSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2EbsSnapshotDeserializer()
+			client := mocks.NewMockAWSEC2EbsSnapshotClient(tt.snapshotsPages)
+			if tt.snapshotsPagesError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.snapshotsPagesError)
+			}
 			s := &EC2EbsSnapshotSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2EbsSnapshotClient(tt.snapshotsPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_ebs_volume_supplier.go
+++ b/pkg/remote/aws/ec2_ebs_volume_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,14 +23,19 @@ type EC2EbsVolumeSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2EbsVolumeSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2EbsVolumeSupplier {
-	return &EC2EbsVolumeSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2EbsVolumeDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2EbsVolumeSupplier(provider *TerraformProvider) *EC2EbsVolumeSupplier {
+	return &EC2EbsVolumeSupplier{
+		provider,
+		awsdeserializer.NewEC2EbsVolumeDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s EC2EbsVolumeSupplier) Resources() ([]resource.Resource, error) {
 	volumes, err := listVolumes(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsEbsVolumeResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(volumes) > 0 {
--- a/pkg/remote/aws/ec2_ebs_volume_supplier_test.go
+++ b/pkg/remote/aws/ec2_ebs_volume_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -20,10 +27,11 @@ import (

 func TestEC2EbsVolumeSupplier_Resources(t *testing.T) {
 	tests := []struct {
-		test         string
-		dirName      string
-		volumesPages mocks.DescribeVolumesPagesOutput
-		err          error
+		test              string
+		dirName           string
+		volumesPages      mocks.DescribeVolumesPagesOutput
+		volumesPagesError error
+		err               error
 	}{
 		{
 			test:    "no volumes",
@ -63,32 +71,45 @@ func TestEC2EbsVolumeSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:              "cannot list volumes",
+			dirName:           "ec2_ebs_volume_empty",
+			volumesPagesError: awserr.NewRequestFailure(nil, 403, ""),
+			err:               remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsEbsVolumeResourceType),
+		},
 	}
 	for _, tt := range tests {
+
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2EbsVolumeSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2EbsVolumeSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2EbsVolumeDeserializer()
+			client := mocks.NewMockAWSEC2EbsVolumeClient(tt.volumesPages)
+			if tt.volumesPagesError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.volumesPagesError)
+			}
 			s := &EC2EbsVolumeSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2EbsVolumeClient(tt.volumesPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_eip_association_supplier.go
+++ b/pkg/remote/aws/ec2_eip_association_supplier.go
@ -1,7 +1,9 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,14 +23,18 @@ type EC2EipAssociationSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2EipAssociationSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2EipAssociationSupplier {
-	return &EC2EipAssociationSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2EipAssociationDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2EipAssociationSupplier(provider *TerraformProvider) *EC2EipAssociationSupplier {
+	return &EC2EipAssociationSupplier{
+		provider,
+		awsdeserializer.NewEC2EipAssociationDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner())}
 }

 func (s EC2EipAssociationSupplier) Resources() ([]resource.Resource, error) {
 	associationIds, err := listAddressesAssociationIds(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsEipAssociationResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(associationIds) > 0 {
--- a/pkg/remote/aws/ec2_eip_association_supplier_test.go
+++ b/pkg/remote/aws/ec2_eip_association_supplier_test.go
@ -4,7 +4,15 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,6 +31,7 @@ func TestEC2EipAssociationSupplier_Resources(t *testing.T) {
 		test      string
 		dirName   string
 		addresses []*ec2.Address
+		listError error
 		err       error
 	}{
 		{
@ -41,32 +50,44 @@ func TestEC2EipAssociationSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:      "Cannot list eip associations",
+			dirName:   "ec2_eip_association_empty",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsEipAssociationResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2EipAssociationSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2EipAssociationSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2EipAssociationDeserializer()
+			client := mocks.NewMockAWSEC2EipClient(tt.addresses)
+			if tt.listError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.listError)
+			}
 			s := &EC2EipAssociationSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2EipClient(tt.addresses),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_eip_supplier.go
+++ b/pkg/remote/aws/ec2_eip_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,14 +23,19 @@ type EC2EipSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2EipSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2EipSupplier {
-	return &EC2EipSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2EipDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2EipSupplier(provider *TerraformProvider) *EC2EipSupplier {
+	return &EC2EipSupplier{
+		provider,
+		awsdeserializer.NewEC2EipDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s EC2EipSupplier) Resources() ([]resource.Resource, error) {
 	addresses, err := listAddresses(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsEipResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(addresses) > 0 {
--- a/pkg/remote/aws/ec2_eip_supplier_test.go
+++ b/pkg/remote/aws/ec2_eip_supplier_test.go
@ -4,7 +4,15 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,6 +31,7 @@ func TestEC2EipSupplier_Resources(t *testing.T) {
 		test      string
 		dirName   string
 		addresses []*ec2.Address
+		listError error
 		err       error
 	}{
 		{
@ -44,32 +53,44 @@ func TestEC2EipSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:      "Cannot list eips",
+			dirName:   "ec2_eip_empty",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsEipResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2EipSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2EipSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2EipDeserializer()
+			client := mocks.NewMockAWSEC2EipClient(tt.addresses)
+			if tt.listError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.listError)
+			}
 			s := &EC2EipSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2EipClient(tt.addresses),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_instance_supplier.go
+++ b/pkg/remote/aws/ec2_instance_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,14 +23,19 @@ type EC2InstanceSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2InstanceSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2InstanceSupplier {
-	return &EC2InstanceSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2InstanceDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2InstanceSupplier(provider *TerraformProvider) *EC2InstanceSupplier {
+	return &EC2InstanceSupplier{
+		provider,
+		awsdeserializer.NewEC2InstanceDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s EC2InstanceSupplier) Resources() ([]resource.Resource, error) {
 	instances, err := listInstances(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsInstanceResourceType)
 	}

 	results := make([]cty.Value, 0)
--- a/pkg/remote/aws/ec2_instance_supplier_test.go
+++ b/pkg/remote/aws/ec2_instance_supplier_test.go
@ -4,7 +4,15 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,6 +31,7 @@ func TestEC2InstanceSupplier_Resources(t *testing.T) {
 		test           string
 		dirName        string
 		instancesPages mocks.DescribeInstancesPagesOutput
+		listError      error
 		err            error
 	}{
 		{
@ -95,32 +104,44 @@ func TestEC2InstanceSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:      "Cannot list instances",
+			dirName:   "ec2_instance_empty",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsInstanceResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2InstanceSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2InstanceSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2InstanceDeserializer()
+			client := mocks.NewMockAWSEC2InstanceClient(tt.instancesPages)
+			if tt.listError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.listError)
+			}
 			s := &EC2InstanceSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2InstanceClient(tt.instancesPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/ec2_key_pair_supplier.go
+++ b/pkg/remote/aws/ec2_key_pair_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,15 +23,20 @@ type EC2KeyPairSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewEC2KeyPairSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *EC2KeyPairSupplier {
-	return &EC2KeyPairSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewEC2KeyPairDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewEC2KeyPairSupplier(provider *TerraformProvider) *EC2KeyPairSupplier {
+	return &EC2KeyPairSupplier{
+		provider,
+		awsdeserializer.NewEC2KeyPairDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s EC2KeyPairSupplier) Resources() ([]resource.Resource, error) {
 	input := &ec2.DescribeKeyPairsInput{}
 	response, err := s.client.DescribeKeyPairs(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsKeyPairResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(response.KeyPairs) > 0 {
--- a/pkg/remote/aws/ec2_key_pair_supplier_test.go
+++ b/pkg/remote/aws/ec2_key_pair_supplier_test.go
@ -4,7 +4,13 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -18,16 +24,15 @@ import (
 	"github.com/cloudskiff/driftctl/pkg/terraform"
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/mocks"
-
-	"github.com/aws/aws-sdk-go/service/ec2"
 )

 func TestEC2KeyPairSupplier_Resources(t *testing.T) {
 	tests := []struct {
-		test    string
-		dirName string
-		kpNames []string
-		err     error
+		test      string
+		dirName   string
+		kpNames   []string
+		listError error
+		err       error
 	}{
 		{
 			test:    "no key pairs",
@ -41,32 +46,45 @@ func TestEC2KeyPairSupplier_Resources(t *testing.T) {
 			kpNames: []string{"test", "bar"},
 			err:     nil,
 		},
+		{
+			test:      "cannot list key pairs",
+			dirName:   "ec2_key_pair_empty",
+			kpNames:   []string{},
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsKeyPairResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewEC2KeyPairSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewEC2KeyPairSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewEC2KeyPairDeserializer()
+			client := mocks.NewMockAWSEC2KeyPairClient(tt.kpNames)
+			if tt.listError != nil {
+				client = mocks.NewMockAWSEC2ErrorClient(tt.listError)
+			}
 			s := &EC2KeyPairSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSEC2KeyPairClient(tt.kpNames),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/iam_access_key_supplier.go
+++ b/pkg/remote/aws/iam_access_key_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,8 +22,13 @@ type IamAccessKeySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamAccessKeySupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamAccessKeySupplier {
-	return &IamAccessKeySupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamAccessKeyDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamAccessKeySupplier(provider *TerraformProvider) *IamAccessKeySupplier {
+	return &IamAccessKeySupplier{
+		provider,
+		awsdeserializer.NewIamAccessKeyDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamAccessKeySupplier) Resources() ([]resource.Resource, error) {
@ -65,7 +71,7 @@ func (s IamAccessKeySupplier) readRes(key *iam.AccessKeyMetadata) (cty.Value, er
 }

 func listIamAccessKeys(client iamiface.IAMAPI) ([]*iam.AccessKeyMetadata, error) {
-	users, err := listIamUsers(client)
+	users, err := listIamUsers(client, resourceaws.AwsIamAccessKeyResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -79,7 +85,7 @@ func listIamAccessKeys(client iamiface.IAMAPI) ([]*iam.AccessKeyMetadata, error)
 			return !lastPage
 		})
 		if err != nil {
-			return nil, err
+			return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsIamAccessKeyResourceType)
 		}
 	}

--- a/pkg/remote/aws/iam_access_key_supplier_test.go
+++ b/pkg/remote/aws/iam_access_key_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -14,6 +21,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/iam"

 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -107,24 +115,59 @@ func TestIamAccessKeySupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "Cannot list iam user",
+			dirName: "iam_access_key_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages",
+					&iam.ListUsersInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListUsersOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+				client.On("ListAccessKeysPages", mock.Anything, mock.Anything).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamAccessKeyResourceType, resourceaws.AwsIamUserResourceType),
+		},
+		{
+			test:    "Cannot list iam access_key",
+			dirName: "iam_access_key_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages",
+					&iam.ListUsersInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListUsersOutput, lastPage bool) bool) bool {
+						callback(&iam.ListUsersOutput{Users: []*iam.User{
+							{
+								UserName: aws.String("test-driftctl"),
+							},
+						}}, true)
+						return true
+					})).Return(nil)
+				client.On("ListAccessKeysPages", mock.Anything, mock.Anything).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamAccessKeyResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamAccessKeySupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamAccessKeySupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamAccessKeyDeserializer()
 			s := &IamAccessKeySupplier{
 				provider,
@ -133,9 +176,7 @@ func TestIamAccessKeySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, t)
--- a/pkg/remote/aws/iam_policy_supplier.go
+++ b/pkg/remote/aws/iam_policy_supplier.go
@ -4,7 +4,8 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,14 +23,19 @@ type IamPolicySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamPolicySupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamPolicySupplier {
-	return &IamPolicySupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamPolicyDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamPolicySupplier(provider *TerraformProvider) *IamPolicySupplier {
+	return &IamPolicySupplier{
+		provider,
+		awsdeserializer.NewIamPolicyDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamPolicySupplier) Resources() ([]resource.Resource, error) {
 	policies, err := listIamPolicies(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsIamPolicyResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(policies) > 0 {
--- a/pkg/remote/aws/iam_policy_supplier_test.go
+++ b/pkg/remote/aws/iam_policy_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/aws"
@ -12,6 +19,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/iam"

 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -66,24 +74,40 @@ func TestIamPolicySupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list iam custom policies",
+			dirName: "iam_policy_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On(
+					"ListPoliciesPages",
+					&iam.ListPoliciesInput{Scope: aws.String("Local")},
+					mock.Anything,
+				).Once().Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamPolicyResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamPolicySupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamPolicySupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamPolicyDeserializer()
 			s := &IamPolicySupplier{
 				provider,
@ -92,9 +116,7 @@ func TestIamPolicySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, t)
--- a/pkg/remote/aws/iam_role_policy_attachment_supplier.go
+++ b/pkg/remote/aws/iam_role_policy_attachment_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,12 +22,17 @@ type IamRolePolicyAttachmentSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamRolePolicyAttachmentSupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamRolePolicyAttachmentSupplier {
-	return &IamRolePolicyAttachmentSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamRolePolicyAttachmentDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamRolePolicyAttachmentSupplier(provider *TerraformProvider) *IamRolePolicyAttachmentSupplier {
+	return &IamRolePolicyAttachmentSupplier{
+		provider,
+		awsdeserializer.NewIamRolePolicyAttachmentDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamRolePolicyAttachmentSupplier) Resources() ([]resource.Resource, error) {
-	roles, err := listIamRoles(s.client)
+	roles, err := listIamRoles(s.client, resourceaws.AwsIamRolePolicyAttachmentResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -94,7 +100,7 @@ func listIamRolePoliciesAttachment(roleName string, client iamiface.IAMAPI) ([]*
 		return !lastPage
 	})
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, resourceaws.AwsIamRolePolicyAttachmentResourceType, resourceaws.AwsIamRolePolicyResourceType)
 	}
 	return attachedRolePolicies, nil
 }
--- a/pkg/remote/aws/iam_role_policy_attachment_supplier_test.go
+++ b/pkg/remote/aws/iam_role_policy_attachment_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/aws"
@ -13,6 +20,7 @@ import (

 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -132,24 +140,66 @@ func TestIamRolePolicyAttachmentSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "Cannot list roles",
+			dirName: "iam_role_policy_attachment_for_ignored_roles",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListRolesPages",
+					&iam.ListRolesInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListRolesOutput, lastPage bool) bool) bool {
+						callback(&iam.ListRolesOutput{Roles: []*iam.Role{}}, true)
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamRolePolicyAttachmentResourceType, resourceaws.AwsIamRoleResourceType),
+		},
+		{
+			test:    "Cannot list roles policies",
+			dirName: "iam_role_policy_attachment_for_ignored_roles",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListRolesPages",
+					&iam.ListRolesInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListRolesOutput, lastPage bool) bool) bool {
+						callback(&iam.ListRolesOutput{Roles: []*iam.Role{
+							{
+								RoleName: aws.String("test-role"),
+							},
+							{
+								RoleName: aws.String("test-role2"),
+							},
+						}}, true)
+						return true
+					})).Return(nil).Once()
+				client.On("ListAttachedRolePoliciesPages",
+					mock.Anything,
+					mock.MatchedBy(func(callback func(res *iam.ListAttachedRolePoliciesOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, "")).Once()
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamRolePolicyAttachmentResourceType, resourceaws.AwsIamRolePolicyResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamRolePolicyAttachmentSupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamRolePolicyAttachmentSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamRolePolicyAttachmentDeserializer()
 			s := &IamRolePolicyAttachmentSupplier{
 				provider,
@ -158,9 +208,7 @@ func TestIamRolePolicyAttachmentSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 1)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, awsdeserializer.NewIamPolicyAttachmentDeserializer(), shouldUpdate, t)
--- a/pkg/remote/aws/iam_role_policy_supplier.go
+++ b/pkg/remote/aws/iam_role_policy_supplier.go
@ -3,7 +3,7 @@ package aws
 import (
 	"fmt"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/service/iam"
@ -24,12 +24,17 @@ type IamRolePolicySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamRolePolicySupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamRolePolicySupplier {
-	return &IamRolePolicySupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamRolePolicyDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamRolePolicySupplier(provider *TerraformProvider) *IamRolePolicySupplier {
+	return &IamRolePolicySupplier{
+		provider,
+		awsdeserializer.NewIamRolePolicyDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamRolePolicySupplier) Resources() ([]resource.Resource, error) {
-	policies, err := listIamRolePolicies(s.client)
+	policies, err := listIamRolePolicies(s.client, resourceaws.AwsIamRolePolicyResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -62,8 +67,8 @@ func (s IamRolePolicySupplier) readRes(name string) (cty.Value, error) {
 	return *res, nil
 }

-func listIamRolePolicies(client iamiface.IAMAPI) ([]string, error) {
-	roles, err := listIamRoles(client)
+func listIamRolePolicies(client iamiface.IAMAPI, supplierType string) ([]string, error) {
+	roles, err := listIamRoles(client, supplierType)
 	if err != nil {
 		return nil, err
 	}
@ -88,7 +93,7 @@ func listIamRolePolicies(client iamiface.IAMAPI) ([]string, error) {
 			return !lastPage
 		})
 		if err != nil {
-			return nil, err
+			return nil, remoteerror.NewResourceEnumerationErrorWithType(err, supplierType, resourceaws.AwsIamRoleResourceType)
 		}
 	}

--- a/pkg/remote/aws/iam_role_policy_supplier_test.go
+++ b/pkg/remote/aws/iam_role_policy_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/aws"
@ -13,6 +20,7 @@ import (

 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -123,24 +131,40 @@ func TestIamRolePolicySupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "Cannot list roles",
+			dirName: "iam_role_policy_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListRolesPages",
+					&iam.ListRolesInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListRolesOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamRolePolicyResourceType, resourceaws.AwsIamRoleResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamRolePolicySupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamRolePolicySupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamRolePolicyDeserializer()
 			s := &IamRolePolicySupplier{
 				provider,
@ -149,9 +173,7 @@ func TestIamRolePolicySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, t)
--- a/pkg/remote/aws/iam_role_supplier.go
+++ b/pkg/remote/aws/iam_role_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -30,8 +31,13 @@ type IamRoleSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamRoleSupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamRoleSupplier {
-	return &IamRoleSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamRoleDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamRoleSupplier(provider *TerraformProvider) *IamRoleSupplier {
+	return &IamRoleSupplier{
+		provider,
+		awsdeserializer.NewIamRoleDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func awsIamRoleShouldBeIgnored(roleName string) bool {
@ -40,7 +46,7 @@ func awsIamRoleShouldBeIgnored(roleName string) bool {
 }

 func (s IamRoleSupplier) Resources() ([]resource.Resource, error) {
-	roles, err := listIamRoles(s.client)
+	roles, err := listIamRoles(s.client, resourceaws.AwsIamRoleResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -78,7 +84,7 @@ func (s IamRoleSupplier) readRes(resource *iam.Role) (cty.Value, error) {
 	return *res, nil
 }

-func listIamRoles(client iamiface.IAMAPI) ([]*iam.Role, error) {
+func listIamRoles(client iamiface.IAMAPI, supplierType string) ([]*iam.Role, error) {
 	var resources []*iam.Role
 	input := &iam.ListRolesInput{}
 	err := client.ListRolesPages(input, func(res *iam.ListRolesOutput, lastPage bool) bool {
@ -86,7 +92,7 @@ func listIamRoles(client iamiface.IAMAPI) ([]*iam.Role, error) {
 		return !lastPage
 	})
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, supplierType, resourceaws.AwsIamRoleResourceType)
 	}
 	return resources, nil
 }
--- a/pkg/remote/aws/iam_role_supplier_test.go
+++ b/pkg/remote/aws/iam_role_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/aws"
@ -12,6 +19,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/iam"

 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -85,24 +93,36 @@ func TestIamRoleSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list iam roles",
+			dirName: "iam_role_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListRolesPages", mock.Anything, mock.Anything).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamRoleResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamRoleSupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamRoleSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamRoleDeserializer()
 			s := &IamRoleSupplier{
 				provider,
@ -111,9 +131,7 @@ func TestIamRoleSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, t)
--- a/pkg/remote/aws/iam_user_policy_attachment_supplier.go
+++ b/pkg/remote/aws/iam_user_policy_attachment_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,12 +22,17 @@ type IamUserPolicyAttachmentSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamUserPolicyAttachmentSupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamUserPolicyAttachmentSupplier {
-	return &IamUserPolicyAttachmentSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamUserPolicyAttachmentDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamUserPolicyAttachmentSupplier(provider *TerraformProvider) *IamUserPolicyAttachmentSupplier {
+	return &IamUserPolicyAttachmentSupplier{
+		provider,
+		awsdeserializer.NewIamUserPolicyAttachmentDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamUserPolicyAttachmentSupplier) Resources() ([]resource.Resource, error) {
-	users, err := listIamUsers(s.client)
+	users, err := listIamUsers(s.client, resourceaws.AwsIamUserPolicyAttachmentResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -37,7 +43,7 @@ func (s IamUserPolicyAttachmentSupplier) Resources() ([]resource.Resource, error
 			userName := *user.UserName
 			policyAttachmentList, err := listIamUserPoliciesAttachment(userName, s.client)
 			if err != nil {
-				return nil, err
+				return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsIamUserPolicyAttachmentResourceType)
 			}
 			attachedPolicies = append(attachedPolicies, policyAttachmentList...)
 		}
--- a/pkg/remote/aws/iam_user_policy_attachment_supplier_test.go
+++ b/pkg/remote/aws/iam_user_policy_attachment_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/aws"
@ -13,6 +20,7 @@ import (

 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -148,24 +156,68 @@ func TestIamUserPolicyAttachmentSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list user",
+			dirName: "iam_user_policy_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages",
+					&iam.ListUsersInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListUsersOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, "")).Once()
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamUserPolicyAttachmentResourceType, resourceaws.AwsIamUserResourceType),
+		},
+		{
+			test:    "cannot list user policies attachment",
+			dirName: "iam_user_policy_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages",
+					&iam.ListUsersInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListUsersOutput, lastPage bool) bool) bool {
+						callback(&iam.ListUsersOutput{Users: []*iam.User{
+							{
+								UserName: aws.String("loadbalancer"),
+							},
+							{
+								UserName: aws.String("loadbalancer2"),
+							},
+							{
+								UserName: aws.String("loadbalancer3"),
+							},
+						}}, true)
+						return true
+					})).Return(nil).Once()
+				client.On("ListAttachedUserPoliciesPages",
+					mock.Anything,
+					mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, "")).Once()
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamUserPolicyAttachmentResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamUserPolicyAttachmentSupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamUserPolicyAttachmentSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamUserPolicyAttachmentDeserializer()
 			s := &IamUserPolicyAttachmentSupplier{
 				provider,
@ -174,9 +226,7 @@ func TestIamUserPolicyAttachmentSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 1)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, awsdeserializer.NewIamPolicyAttachmentDeserializer(), shouldUpdate, t)
--- a/pkg/remote/aws/iam_user_policy_supplier.go
+++ b/pkg/remote/aws/iam_user_policy_supplier.go
@ -3,7 +3,7 @@ package aws
 import (
 	"fmt"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/service/iam"
@ -24,12 +24,17 @@ type IamUserPolicySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamUserPolicySupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamUserPolicySupplier {
-	return &IamUserPolicySupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamUserPolicyDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamUserPolicySupplier(provider *TerraformProvider) *IamUserPolicySupplier {
+	return &IamUserPolicySupplier{
+		provider,
+		awsdeserializer.NewIamUserPolicyDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamUserPolicySupplier) Resources() ([]resource.Resource, error) {
-	users, err := listIamUsers(s.client)
+	users, err := listIamUsers(s.client, resourceaws.AwsIamUserPolicyResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -40,7 +45,7 @@ func (s IamUserPolicySupplier) Resources() ([]resource.Resource, error) {
 			userName := *user.UserName
 			policyList, err := listIamUserPolicies(userName, s.client)
 			if err != nil {
-				return nil, err
+				return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsIamUserPolicyResourceType)
 			}
 			for _, polName := range policyList {
 				policies = append(policies, fmt.Sprintf("%s:%s", userName, *polName))
--- a/pkg/remote/aws/iam_user_policy_supplier_test.go
+++ b/pkg/remote/aws/iam_user_policy_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/aws"
@ -13,6 +20,7 @@ import (

 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -129,24 +137,58 @@ func TestIamUserPolicySupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list iam user (no policy)",
+			dirName: "iam_user_policy_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages", mock.Anything, mock.Anything).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamUserPolicyResourceType, resourceaws.AwsIamUserResourceType),
+		},
+
+		{
+			test:    "cannot list user policy",
+			dirName: "iam_user_policy_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages",
+					&iam.ListUsersInput{},
+					mock.MatchedBy(func(callback func(res *iam.ListUsersOutput, lastPage bool) bool) bool {
+						callback(&iam.ListUsersOutput{Users: []*iam.User{
+							{
+								UserName: aws.String("loadbalancer"),
+							},
+							{
+								UserName: aws.String("loadbalancer2"),
+							},
+						}}, true)
+						return true
+					})).Return(nil).Once()
+				client.On("ListUserPoliciesPages", mock.Anything, mock.Anything).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamUserPolicyResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamUserPolicySupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamUserPolicySupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamUserPolicyDeserializer()
 			s := &IamUserPolicySupplier{
 				provider,
@ -155,9 +197,7 @@ func TestIamUserPolicySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, t)
--- a/pkg/remote/aws/iam_user_supplier.go
+++ b/pkg/remote/aws/iam_user_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,12 +22,17 @@ type IamUserSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewIamUserSupplier(runner *parallel.ParallelRunner, client iamiface.IAMAPI) *IamUserSupplier {
-	return &IamUserSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewIamUserDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewIamUserSupplier(provider *TerraformProvider) *IamUserSupplier {
+	return &IamUserSupplier{
+		provider,
+		awsdeserializer.NewIamUserDeserializer(),
+		iam.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s IamUserSupplier) Resources() ([]resource.Resource, error) {
-	users, err := listIamUsers(s.client)
+	users, err := listIamUsers(s.client, resourceaws.AwsIamUserResourceType)
 	if err != nil {
 		return nil, err
 	}
@ -61,7 +67,7 @@ func (s IamUserSupplier) readRes(user *iam.User) (cty.Value, error) {
 	return *res, nil
 }

-func listIamUsers(client iamiface.IAMAPI) ([]*iam.User, error) {
+func listIamUsers(client iamiface.IAMAPI, supplierType string) ([]*iam.User, error) {
 	var resources []*iam.User
 	input := &iam.ListUsersInput{}
 	err := client.ListUsersPages(input, func(res *iam.ListUsersOutput, lastPage bool) bool {
@ -69,7 +75,7 @@ func listIamUsers(client iamiface.IAMAPI) ([]*iam.User, error) {
 		return !lastPage
 	})
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, supplierType, resourceaws.AwsIamUserResourceType)
 	}
 	return resources, nil
 }
--- a/pkg/remote/aws/iam_user_supplier_test.go
+++ b/pkg/remote/aws/iam_user_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -14,6 +21,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/iam"

 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -64,24 +72,36 @@ func TestIamUserSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list iam user",
+			dirName: "iam_user_empty",
+			mocks: func(client *mocks.FakeIAM) {
+				client.On("ListUsersPages", mock.Anything, mock.Anything).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsIamUserResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewIamUserSupplier(provider.Runner(), iam.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewIamUserSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeIam := mocks.FakeIAM{}
 			c.mocks(&fakeIam)

-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewIamUserDeserializer()
 			s := &IamUserSupplier{
 				provider,
@ -90,9 +110,7 @@ func TestIamUserSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				t.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, t)
--- a/pkg/remote/aws/init.go
+++ b/pkg/remote/aws/init.go
@ -1,15 +1,9 @@
 package aws

 import (
-	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/terraform"
-
-	"github.com/aws/aws-sdk-go/service/ec2"
-	"github.com/aws/aws-sdk-go/service/lambda"
-	"github.com/aws/aws-sdk-go/service/rds"
-	"github.com/aws/aws-sdk-go/service/route53"
 )

 const RemoteAWSTerraform = "aws+tf"
@ -18,7 +12,7 @@ const RemoteAWSTerraform = "aws+tf"
 * Initialize remote (configure credentials, launch tf providers and start gRPC clients)
 * Required to use Scanner
 */
-func Init(alerter *alerter.Alerter) error {
+func Init(alerter *alerter.Alerter, providerLibrary *terraform.ProviderLibrary, supplierLibrary *resource.SupplierLibrary) error {
 	provider, err := NewTerraFormProvider()
 	if err != nil {
 		return err
@ -26,43 +20,43 @@ func Init(alerter *alerter.Alerter) error {

 	factory := AwsClientFactory{config: provider.session}

-	terraform.AddProvider(terraform.AWS, provider)
+	providerLibrary.AddProvider(terraform.AWS, provider)

-	resource.AddSupplier(NewS3BucketSupplier(provider.Runner().SubRunner(), factory))
-	resource.AddSupplier(NewS3BucketAnalyticSupplier(provider.Runner().SubRunner(), factory))
-	resource.AddSupplier(NewS3BucketInventorySupplier(provider.Runner().SubRunner(), factory))
-	resource.AddSupplier(NewS3BucketMetricSupplier(provider.Runner().SubRunner(), factory))
-	resource.AddSupplier(NewS3BucketNotificationSupplier(provider.Runner().SubRunner(), factory))
-	resource.AddSupplier(NewS3BucketPolicySupplier(provider.Runner().SubRunner(), factory))
-	resource.AddSupplier(NewEC2EipSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewEC2EipAssociationSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewEC2EbsVolumeSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewEC2EbsSnapshotSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewRoute53ZoneSupplier(provider.Runner().SubRunner(), route53.New(provider.session)))
-	resource.AddSupplier(NewRoute53RecordSupplier(provider.Runner().SubRunner(), route53.New(provider.session)))
-	resource.AddSupplier(NewEC2InstanceSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewEC2AmiSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewEC2KeyPairSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewLambdaFunctionSupplier(provider.Runner().SubRunner(), lambda.New(provider.session)))
-	resource.AddSupplier(NewDBSubnetGroupSupplier(provider.Runner().SubRunner(), rds.New(provider.session)))
-	resource.AddSupplier(NewDBInstanceSupplier(provider.Runner().SubRunner(), rds.New(provider.session)))
-	resource.AddSupplier(NewVPCSecurityGroupSupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewIamUserSupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamUserPolicySupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamUserPolicyAttachmentSupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamAccessKeySupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamRoleSupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamPolicySupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamRolePolicySupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewIamRolePolicyAttachmentSupplier(provider.Runner().SubRunner(), iam.New(provider.session)))
-	resource.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewVPCSupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewSubnetSupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewRouteTableSupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewRouteSupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewRouteTableAssociationSupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewNatGatewaySupplier(provider.Runner(), ec2.New(provider.session)))
-	resource.AddSupplier(NewInternetGatewaySupplier(provider.Runner().SubRunner(), ec2.New(provider.session)))
+	supplierLibrary.AddSupplier(NewS3BucketSupplier(provider, factory))
+	supplierLibrary.AddSupplier(NewS3BucketAnalyticSupplier(provider, factory))
+	supplierLibrary.AddSupplier(NewS3BucketInventorySupplier(provider, factory))
+	supplierLibrary.AddSupplier(NewS3BucketMetricSupplier(provider, factory))
+	supplierLibrary.AddSupplier(NewS3BucketNotificationSupplier(provider, factory))
+	supplierLibrary.AddSupplier(NewS3BucketPolicySupplier(provider, factory))
+	supplierLibrary.AddSupplier(NewEC2EipSupplier(provider))
+	supplierLibrary.AddSupplier(NewEC2EipAssociationSupplier(provider))
+	supplierLibrary.AddSupplier(NewEC2EbsVolumeSupplier(provider))
+	supplierLibrary.AddSupplier(NewEC2EbsSnapshotSupplier(provider))
+	supplierLibrary.AddSupplier(NewRoute53ZoneSupplier(provider))
+	supplierLibrary.AddSupplier(NewRoute53RecordSupplier(provider))
+	supplierLibrary.AddSupplier(NewEC2InstanceSupplier(provider))
+	supplierLibrary.AddSupplier(NewEC2AmiSupplier(provider))
+	supplierLibrary.AddSupplier(NewEC2KeyPairSupplier(provider))
+	supplierLibrary.AddSupplier(NewLambdaFunctionSupplier(provider))
+	supplierLibrary.AddSupplier(NewDBSubnetGroupSupplier(provider))
+	supplierLibrary.AddSupplier(NewDBInstanceSupplier(provider))
+	supplierLibrary.AddSupplier(NewVPCSecurityGroupSupplier(provider))
+	supplierLibrary.AddSupplier(NewIamUserSupplier(provider))
+	supplierLibrary.AddSupplier(NewIamUserPolicySupplier(provider))
+	supplierLibrary.AddSupplier(NewIamUserPolicyAttachmentSupplier(provider))
+	supplierLibrary.AddSupplier(NewIamAccessKeySupplier(provider))
+	supplierLibrary.AddSupplier(NewIamRoleSupplier(provider))
+	supplierLibrary.AddSupplier(NewIamPolicySupplier(provider))
+	supplierLibrary.AddSupplier(NewIamRolePolicySupplier(provider))
+	supplierLibrary.AddSupplier(NewIamRolePolicyAttachmentSupplier(provider))
+	supplierLibrary.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider))
+	supplierLibrary.AddSupplier(NewVPCSupplier(provider))
+	supplierLibrary.AddSupplier(NewSubnetSupplier(provider))
+	supplierLibrary.AddSupplier(NewRouteTableSupplier(provider))
+	supplierLibrary.AddSupplier(NewRouteSupplier(provider))
+	supplierLibrary.AddSupplier(NewRouteTableAssociationSupplier(provider))
+	supplierLibrary.AddSupplier(NewNatGatewaySupplier(provider))
+	supplierLibrary.AddSupplier(NewInternetGatewaySupplier(provider))

 	return nil
 }
--- a/pkg/remote/aws/internet_gateway_supplier.go
+++ b/pkg/remote/aws/internet_gateway_supplier.go
@ -3,8 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
@ -20,19 +20,19 @@ type InternetGatewaySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewInternetGatewaySupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *InternetGatewaySupplier {
+func NewInternetGatewaySupplier(provider *TerraformProvider) *InternetGatewaySupplier {
 	return &InternetGatewaySupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewInternetGatewayDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

 func (s InternetGatewaySupplier) Resources() ([]resource.Resource, error) {
 	internetGateways, err := listInternetGateways(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsInternetGatewayResourceType)
 	}

 	for _, internetGateway := range internetGateways {
--- a/pkg/remote/aws/internet_gateway_supplier_test.go
+++ b/pkg/remote/aws/internet_gateway_supplier_test.go
@ -4,6 +4,12 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	awssdk "github.com/aws/aws-sdk-go/aws"

 	"github.com/aws/aws-sdk-go/service/ec2"
@ -16,6 +22,7 @@ import (
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )

@ -61,23 +68,39 @@ func TestInternetGatewaySupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list internet gateways",
+			dirName: "internet_gateway_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeInternetGatewaysPages",
+					&ec2.DescribeInternetGatewaysInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeInternetGatewaysOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsInternetGatewayResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewInternetGatewaySupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewInternetGatewaySupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			internetGatewayDeserializer := awsdeserializer.NewInternetGatewayDeserializer()
 			s := &InternetGatewaySupplier{
 				provider,
@ -86,9 +109,7 @@ func TestInternetGatewaySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			deserializers := []deserializer.CTYDeserializer{internetGatewayDeserializer}
--- a/pkg/remote/aws/lambda_function_supplier.go
+++ b/pkg/remote/aws/lambda_function_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,14 +22,19 @@ type LambdaFunctionSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewLambdaFunctionSupplier(runner *parallel.ParallelRunner, client lambdaiface.LambdaAPI) *LambdaFunctionSupplier {
-	return &LambdaFunctionSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewLambdaFunctionDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewLambdaFunctionSupplier(provider *TerraformProvider) *LambdaFunctionSupplier {
+	return &LambdaFunctionSupplier{
+		provider,
+		awsdeserializer.NewLambdaFunctionDeserializer(),
+		lambda.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s LambdaFunctionSupplier) Resources() ([]resource.Resource, error) {
 	functions, err := listLambdaFunctions(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsLambdaFunctionResourceType)
 	}
 	results := make([]cty.Value, 0)
 	if len(functions) > 0 {
--- a/pkg/remote/aws/lambda_function_supplier_test.go
+++ b/pkg/remote/aws/lambda_function_supplier_test.go
@ -4,7 +4,15 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,6 +31,7 @@ func TestLambdaFunctionSupplier_Resources(t *testing.T) {
 		test           string
 		dirName        string
 		functionsPages mocks.ListFunctionsPagesOutput
+		listError      error
 		err            error
 	}{
 		{
@ -80,32 +89,44 @@ func TestLambdaFunctionSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:      "cannot list lambda functions",
+			dirName:   "lambda_function_empty",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsLambdaFunctionResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewLambdaFunctionSupplier(provider.Runner(), lambda.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewLambdaFunctionSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewLambdaFunctionDeserializer()
+			client := mocks.NewMockAWSLambdaClient(tt.functionsPages)
+			if tt.listError != nil {
+				client = mocks.NewMockAWSLambdaErrorClient(tt.listError)
+			}
 			s := &LambdaFunctionSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSLambdaClient(tt.functionsPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/nat_gateway_supplier.go
+++ b/pkg/remote/aws/nat_gateway_supplier.go
@ -3,8 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
@ -20,12 +20,12 @@ type NatGatewaySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewNatGatewaySupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *NatGatewaySupplier {
+func NewNatGatewaySupplier(provider *TerraformProvider) *NatGatewaySupplier {
 	return &NatGatewaySupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewNatGatewayDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner.SubRunner()),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

@ -33,7 +33,7 @@ func (s NatGatewaySupplier) Resources() ([]resource.Resource, error) {

 	retrievedNatGateways, err := listNatGateways(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsNatGatewayResourceType)
 	}

 	for _, gateway := range retrievedNatGateways {
--- a/pkg/remote/aws/nat_gateway_supplier_test.go
+++ b/pkg/remote/aws/nat_gateway_supplier_test.go
@ -4,17 +4,23 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/cloudskiff/driftctl/mocks"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/terraform"
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )

@ -57,23 +63,39 @@ func TestNatGatewaySupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list gateway",
+			dirName: "nat_gateway_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeNatGatewaysPages",
+					&ec2.DescribeNatGatewaysInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeNatGatewaysOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsNatGatewayResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewNatGatewaySupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewNatGatewaySupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			natGatewaydeserializer := awsdeserializer.NewNatGatewayDeserializer()
 			s := &NatGatewaySupplier{
 				provider,
@ -82,9 +104,7 @@ func TestNatGatewaySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			deserializers := []deserializer.CTYDeserializer{natGatewaydeserializer}
--- a/pkg/remote/aws/route53_record_supplier.go
+++ b/pkg/remote/aws/route53_record_supplier.go
@ -3,7 +3,7 @@ package aws
 import (
 	"strings"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
@ -15,7 +15,6 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/aws/aws-sdk-go/service/route53/route53iface"
-	"github.com/sirupsen/logrus"
 	"github.com/zclconf/go-cty/cty"
 )

@ -26,21 +25,24 @@ type Route53RecordSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewRoute53RecordSupplier(runner *parallel.ParallelRunner, client route53iface.Route53API) *Route53RecordSupplier {
-	return &Route53RecordSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewRoute53RecordDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewRoute53RecordSupplier(provider *TerraformProvider) *Route53RecordSupplier {
+	return &Route53RecordSupplier{
+		provider,
+		awsdeserializer.NewRoute53RecordDeserializer(),
+		route53.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner())}
 }

 func (s Route53RecordSupplier) Resources() ([]resource.Resource, error) {

 	zones, err := s.listZones()
 	if err != nil {
-		logrus.Error(err)
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, resourceaws.AwsRoute53RecordResourceType, resourceaws.AwsRoute53ZoneResourceType)
 	}

 	for _, zone := range zones {
 		if err := s.listRecordsForZone(zone[0], zone[1]); err != nil {
-			return nil, err
+			return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsRoute53RecordResourceType)
 		}
 	}

--- a/pkg/remote/aws/route53_record_supplier_test.go
+++ b/pkg/remote/aws/route53_record_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -24,6 +31,7 @@ func TestRoute53RecordSupplier_Resources(t *testing.T) {
 		dirName      string
 		zonesPages   mocks.ListHostedZonesPagesOutput
 		recordsPages mocks.ListResourceRecordSetsPagesOutput
+		listError    error
 		err          error
 	}{
 		{
@ -177,32 +185,94 @@ func TestRoute53RecordSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:      "cannot list zones",
+			dirName:   "route53_zone_with_no_record",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			recordsPages: mocks.ListResourceRecordSetsPagesOutput{
+				{
+					true,
+					&route53.ListResourceRecordSetsOutput{
+						ResourceRecordSets: []*route53.ResourceRecordSet{
+							{
+								Name: awssdk.String("test0"),
+								Type: awssdk.String("TXT"),
+							},
+							{
+								Name: awssdk.String("test0"),
+								Type: awssdk.String("A"),
+							},
+							{
+								Name: awssdk.String("test1.foo-2.com"),
+								Type: awssdk.String("TXT"),
+							},
+							{
+								Name: awssdk.String("test1.foo-2.com"),
+								Type: awssdk.String("A"),
+							},
+							{
+								Name: awssdk.String("_test2.foo-2.com"),
+								Type: awssdk.String("TXT"),
+							},
+							{
+								Name: awssdk.String("_test2.foo-2.com"),
+								Type: awssdk.String("A"),
+							},
+						},
+					},
+					"Z06486383UC8WYSBZTWFM",
+				},
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsRoute53RecordResourceType, resourceaws.AwsRoute53ZoneResourceType),
+		},
+		{
+			test:    "cannot list records",
+			dirName: "route53_zone_with_no_record",
+			zonesPages: mocks.ListHostedZonesPagesOutput{
+				{
+					true,
+					&route53.ListHostedZonesOutput{
+						HostedZones: []*route53.HostedZone{
+							{
+								Id:   awssdk.String("Z06486383UC8WYSBZTWFM"),
+								Name: awssdk.String("foo-2.com"),
+							},
+						},
+					},
+				},
+			},
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsRoute53RecordResourceType),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.test, func(t *testing.T) {
 			shouldUpdate := tt.dirName == *goldenfile.Update
+
+			providerLibrary := terraform.NewProviderLibrary()
+			supplierLibrary := resource.NewSupplierLibrary()
+
 			if shouldUpdate {
 				provider, err := NewTerraFormProvider()
 				if err != nil {
 					t.Fatal(err)
 				}

-				terraform.AddProvider(terraform.AWS, provider)
-				resource.AddSupplier(NewRoute53RecordSupplier(provider.Runner(), route53.New(provider.session)))
+				providerLibrary.AddProvider(terraform.AWS, provider)
+				supplierLibrary.AddSupplier(NewRoute53RecordSupplier(provider))
 			}

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewRoute53RecordDeserializer()
+			client := mocks.NewMockAWSRoute53RecordClient(tt.zonesPages, tt.recordsPages, tt.listError)
 			s := &Route53RecordSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSRoute53RecordClient(tt.zonesPages, tt.recordsPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/route53_zone_supplier.go
+++ b/pkg/remote/aws/route53_zone_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"strings"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -23,8 +24,13 @@ type Route53ZoneSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewRoute53ZoneSupplier(runner *parallel.ParallelRunner, client route53iface.Route53API) *Route53ZoneSupplier {
-	return &Route53ZoneSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewRoute53ZoneDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewRoute53ZoneSupplier(provider *TerraformProvider) *Route53ZoneSupplier {
+	return &Route53ZoneSupplier{
+		provider,
+		awsdeserializer.NewRoute53ZoneDeserializer(),
+		route53.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func listAwsRoute53Zones(client route53iface.Route53API) ([]*route53.HostedZone, error) {
@ -44,8 +50,7 @@ func (s Route53ZoneSupplier) Resources() ([]resource.Resource, error) {

 	zones, err := listAwsRoute53Zones(s.client)
 	if err != nil {
-		logrus.Error(err)
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsRoute53ZoneResourceType)
 	}

 	for _, hostedZone := range zones {
--- a/pkg/remote/aws/route53_zone_supplier_test.go
+++ b/pkg/remote/aws/route53_zone_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -24,6 +31,7 @@ func TestRoute53ZoneSupplier_Resources(t *testing.T) {
 		test       string
 		dirName    string
 		zonesPages mocks.ListHostedZonesPagesOutput
+		listError  error
 		err        error
 	}{
 		{
@ -88,32 +96,41 @@ func TestRoute53ZoneSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:      "cannot list zones",
+			dirName:   "route53_zone_empty",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			err:       remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsRoute53ZoneResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewRoute53ZoneSupplier(provider.Runner(), route53.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewRoute53ZoneSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
 			deserializer := awsdeserializer.NewRoute53ZoneDeserializer()
-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
+			client := mocks.NewMockAWSRoute53ZoneClient(tt.zonesPages, tt.listError)
 			s := &Route53ZoneSupplier{
 				provider,
 				deserializer,
-				mocks.NewMockAWSRoute53ZoneClient(tt.zonesPages),
+				client,
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
--- a/pkg/remote/aws/route_supplier.go
+++ b/pkg/remote/aws/route_supplier.go
@ -3,7 +3,6 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,29 +20,24 @@ type RouteSupplier struct {
 	routeRunner       *terraform.ParallelResourceReader
 }

-func NewRouteSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *RouteSupplier {
+func NewRouteSupplier(provider *TerraformProvider) *RouteSupplier {
 	return &RouteSupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewRouteDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner.SubRunner()),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

 func (s RouteSupplier) Resources() ([]resource.Resource, error) {

-	routeTables, err := listRouteTables(s.client)
+	routeTables, err := listRouteTables(s.client, aws.AwsRouteResourceType)
 	if err != nil {
-		logrus.Error(err)
 		return nil, err
 	}

 	for _, routeTable := range routeTables {
 		table := *routeTable
-		if err != nil {
-			logrus.Error(err)
-			return nil, err
-		}
 		for _, route := range table.Routes {
 			res := *route
 			s.routeRunner.Run(func() (cty.Value, error) {
--- a/pkg/remote/aws/route_supplier_test.go
+++ b/pkg/remote/aws/route_supplier_test.go
@ -4,6 +4,12 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/cloudskiff/driftctl/mocks"
@ -15,6 +21,7 @@ import (
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )

@ -126,23 +133,39 @@ func TestRouteSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list route table",
+			dirName: "route_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeRouteTablesPages",
+					&ec2.DescribeRouteTablesInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeRouteTablesOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsRouteResourceType, resourceaws.AwsRouteTableResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewRouteSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewRouteSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			routeDeserializer := awsdeserializer.NewRouteDeserializer()
 			s := &RouteSupplier{
 				provider,
@ -151,9 +174,7 @@ func TestRouteSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			deserializers := []deserializer.CTYDeserializer{routeDeserializer}
--- a/pkg/remote/aws/route_table_association_supplier.go
+++ b/pkg/remote/aws/route_table_association_supplier.go
@ -3,7 +3,6 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -21,18 +20,18 @@ type RouteTableAssociationSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewRouteTableAssociationSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *RouteTableAssociationSupplier {
+func NewRouteTableAssociationSupplier(provider *TerraformProvider) *RouteTableAssociationSupplier {
 	return &RouteTableAssociationSupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewRouteTableAssociationDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

 func (s RouteTableAssociationSupplier) Resources() ([]resource.Resource, error) {

-	tables, err := listRouteTables(s.client)
+	tables, err := listRouteTables(s.client, aws.AwsRouteTableAssociationResourceType)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/remote/aws/route_table_association_supplier_test.go
+++ b/pkg/remote/aws/route_table_association_supplier_test.go
@ -4,8 +4,13 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
 	"github.com/aws/aws-sdk-go/aws"
 	awssdk "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/cloudskiff/driftctl/mocks"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
@ -16,6 +21,7 @@ import (
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )

@ -130,23 +136,39 @@ func TestRouteTableAssociationSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "Cannot list route table",
+			dirName: "route_table_assoc_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeRouteTablesPages",
+					&ec2.DescribeRouteTablesInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeRouteTablesOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsRouteTableAssociationResourceType, resourceaws.AwsRouteTableResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewRouteTableAssociationSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewRouteTableAssociationSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			routeTableAssociationDeserializer := awsdeserializer.NewRouteTableAssociationDeserializer()
 			s := &RouteTableAssociationSupplier{
 				provider,
@ -155,9 +177,7 @@ func TestRouteTableAssociationSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			deserializers := []deserializer.CTYDeserializer{routeTableAssociationDeserializer}
--- a/pkg/remote/aws/route_table_supplier.go
+++ b/pkg/remote/aws/route_table_supplier.go
@ -3,9 +3,10 @@ package aws
 import (
 	"errors"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -25,22 +26,21 @@ type RouteTableSupplier struct {
 	routeTableRunner              *terraform.ParallelResourceReader
 }

-func NewRouteTableSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *RouteTableSupplier {
+func NewRouteTableSupplier(provider *TerraformProvider) *RouteTableSupplier {
 	return &RouteTableSupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewDefaultRouteTableDeserializer(),
 		awsdeserializer.NewRouteTableDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner.SubRunner()),
-		terraform.NewParallelResourceReader(runner.SubRunner()),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

 func (s RouteTableSupplier) Resources() ([]resource.Resource, error) {

-	retrievedRouteTables, err := listRouteTables(s.client)
+	retrievedRouteTables, err := listRouteTables(s.client, aws.AwsRouteTableResourceType)
 	if err != nil {
-		logrus.Error(err)
 		return nil, err
 	}

@ -115,7 +115,7 @@ func (s RouteTableSupplier) readRouteTable(routeTable ec2.RouteTable, isMain boo
 	return *val, nil
 }

-func listRouteTables(client ec2iface.EC2API) ([]*ec2.RouteTable, error) {
+func listRouteTables(client ec2iface.EC2API, supplierType string) ([]*ec2.RouteTable, error) {
 	var routeTables []*ec2.RouteTable
 	input := ec2.DescribeRouteTablesInput{}
 	err := client.DescribeRouteTablesPages(&input,
@ -126,7 +126,7 @@ func listRouteTables(client ec2iface.EC2API) ([]*ec2.RouteTable, error) {
 	)

 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, supplierType, aws.AwsRouteTableResourceType)
 	}

 	return routeTables, nil
--- a/pkg/remote/aws/route_table_supplier_test.go
+++ b/pkg/remote/aws/route_table_supplier_test.go
@ -4,6 +4,12 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/aws/aws-sdk-go/aws"
 	awssdk "github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
@ -16,6 +22,7 @@ import (
 	"github.com/cloudskiff/driftctl/test"
 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )

@ -77,23 +84,40 @@ func TestRouteTableSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list route table",
+			dirName: "route_table_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeRouteTablesPages",
+					&ec2.DescribeRouteTablesInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeRouteTablesOutput, lastPage bool) bool) bool {
+						callback(&ec2.DescribeRouteTablesOutput{}, true)
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsRouteTableResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewRouteTableSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewRouteTableSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			routeTableDeserializer := awsdeserializer.NewRouteTableDeserializer()
 			defaultRouteTableDeserializer := awsdeserializer.NewDefaultRouteTableDeserializer()
 			s := &RouteTableSupplier{
@ -105,9 +129,7 @@ func TestRouteTableSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			deserializers := []deserializer.CTYDeserializer{routeTableDeserializer, defaultRouteTableDeserializer}
--- a/pkg/remote/aws/s3_bucket_analytic_supplier.go
+++ b/pkg/remote/aws/s3_bucket_analytic_supplier.go
@ -3,7 +3,7 @@ package aws
 import (
 	"fmt"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	awssdk "github.com/aws/aws-sdk-go/aws"
@ -24,8 +24,13 @@ type S3BucketAnalyticSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewS3BucketAnalyticSupplier(runner *parallel.ParallelRunner, factory AwsClientFactoryInterface) *S3BucketAnalyticSupplier {
-	return &S3BucketAnalyticSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewS3BucketAnalyticDeserializer(), factory, terraform.NewParallelResourceReader(runner)}
+func NewS3BucketAnalyticSupplier(provider *TerraformProvider, factory AwsClientFactoryInterface) *S3BucketAnalyticSupplier {
+	return &S3BucketAnalyticSupplier{
+		provider,
+		awsdeserializer.NewS3BucketAnalyticDeserializer(),
+		factory,
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s *S3BucketAnalyticSupplier) Resources() ([]resource.Resource, error) {
@ -34,7 +39,7 @@ func (s *S3BucketAnalyticSupplier) Resources() ([]resource.Resource, error) {
 	client := s.factory.GetS3Client(nil)
 	response, err := client.ListBuckets(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, aws.AwsS3BucketAnalyticsConfigurationResourceType, aws.AwsS3BucketResourceType)
 	}

 	for _, bucket := range response.Buckets {
@ -47,7 +52,7 @@ func (s *S3BucketAnalyticSupplier) Resources() ([]resource.Resource, error) {
 			continue
 		}
 		if err := s.listBucketAnalyticConfiguration(*bucket.Name, region); err != nil {
-			return nil, err
+			return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsS3BucketAnalyticsConfigurationResourceType)
 		}
 	}
 	ctyVals, err := s.runner.Wait()
--- a/pkg/remote/aws/s3_bucket_analytic_supplier_test.go
+++ b/pkg/remote/aws/s3_bucket_analytic_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,7 +30,8 @@ func TestS3BucketAnalyticSupplier_Resources(t *testing.T) {
 		bucketsIDs     []string
 		bucketLocation map[string]string
 		analyticsIDs   map[string][]string
-		wantErr        bool
+		listError      error
+		wantErr        error
 	}{
 		{
 			test: "multiple bucket with multiple analytics", dirName: "s3_bucket_analytics_multiple",
@ -51,11 +59,56 @@ func TestS3BucketAnalyticSupplier_Resources(t *testing.T) {
 					"Analytics2_Bucket3",
 				},
 			},
-			wantErr: false,
+		},
+
+		{
+			test: "cannot list bucket", dirName: "s3_bucket_analytics_list_bucket",
+			bucketsIDs: nil,
+			listError:  awserr.NewRequestFailure(nil, 403, ""),
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			analyticsIDs: map[string][]string{
+				"bucket-martin-test-drift": {
+					"Analytics_Bucket1",
+					"Analytics2_Bucket1",
+				},
+				"bucket-martin-test-drift2": {
+					"Analytics_Bucket2",
+					"Analytics2_Bucket2",
+				},
+				"bucket-martin-test-drift3": {
+					"Analytics_Bucket3",
+					"Analytics2_Bucket3",
+				},
+			},
+			wantErr: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketAnalyticsConfigurationResourceType, resourceaws.AwsS3BucketResourceType),
+		},
+		{
+			test: "cannot list Analytics", dirName: "s3_bucket_analytics_list_analytics",
+			bucketsIDs: []string{
+				"bucket-martin-test-drift",
+				"bucket-martin-test-drift2",
+				"bucket-martin-test-drift3",
+			},
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			analyticsIDs: nil,
+			listError:    awserr.NewRequestFailure(nil, 403, ""),
+			wantErr:      remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketAnalyticsConfigurationResourceType),
 		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
@ -63,15 +116,15 @@ func TestS3BucketAnalyticSupplier_Resources(t *testing.T) {
 			}

 			factory := AwsClientFactory{config: provider.session}
-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewS3BucketAnalyticSupplier(provider.Runner().SubRunner(), factory))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewS3BucketAnalyticSupplier(provider, factory))
 		}

 		t.Run(tt.test, func(t *testing.T) {

-			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, tt.analyticsIDs, nil, nil, tt.bucketLocation)
+			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, tt.analyticsIDs, nil, nil, tt.bucketLocation, tt.listError)

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			factory := mocks.NewMockAwsClientFactory(mock)

 			deserializer := awsdeserializer.NewS3BucketAnalyticDeserializer()
@ -82,10 +135,8 @@ func TestS3BucketAnalyticSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Resources() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
+			assert.Equal(t, err, tt.wantErr)
+
 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
 	}
--- a/pkg/remote/aws/s3_bucket_inventory_supplier.go
+++ b/pkg/remote/aws/s3_bucket_inventory_supplier.go
@ -3,7 +3,7 @@ package aws
 import (
 	"fmt"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	awssdk "github.com/aws/aws-sdk-go/aws"
@ -24,8 +24,13 @@ type S3BucketInventorySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewS3BucketInventorySupplier(runner *parallel.ParallelRunner, factory AwsClientFactoryInterface) *S3BucketInventorySupplier {
-	return &S3BucketInventorySupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewS3BucketInventoryDeserializer(), factory, terraform.NewParallelResourceReader(runner)}
+func NewS3BucketInventorySupplier(provider *TerraformProvider, factory AwsClientFactoryInterface) *S3BucketInventorySupplier {
+	return &S3BucketInventorySupplier{
+		provider,
+		awsdeserializer.NewS3BucketInventoryDeserializer(),
+		factory,
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s *S3BucketInventorySupplier) Resources() ([]resource.Resource, error) {
@ -34,7 +39,7 @@ func (s *S3BucketInventorySupplier) Resources() ([]resource.Resource, error) {
 	client := s.factory.GetS3Client(nil)
 	response, err := client.ListBuckets(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, aws.AwsS3BucketInventoryResourceType, aws.AwsS3BucketResourceType)
 	}

 	for _, bucket := range response.Buckets {
@ -47,7 +52,7 @@ func (s *S3BucketInventorySupplier) Resources() ([]resource.Resource, error) {
 			continue
 		}
 		if err := s.listBucketInventoryConfiguration(*bucket.Name, region); err != nil {
-			return nil, err
+			return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsS3BucketInventoryResourceType)
 		}
 	}
 	ctyVals, err := s.runner.Wait()
--- a/pkg/remote/aws/s3_bucket_inventory_supplier_test.go
+++ b/pkg/remote/aws/s3_bucket_inventory_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,7 +30,8 @@ func TestS3BucketInventorySupplier_Resources(t *testing.T) {
 		bucketsIDs     []string
 		bucketLocation map[string]string
 		inventoriesIDs map[string][]string
-		wantErr        bool
+		listError      error
+		wantErr        error
 	}{
 		{
 			test: "multiple bucket with multiple inventories", dirName: "s3_bucket_inventories_multiple",
@ -51,11 +59,55 @@ func TestS3BucketInventorySupplier_Resources(t *testing.T) {
 					"Inventory2_Bucket3",
 				},
 			},
-			wantErr: false,
+		},
+		{
+			test: "cannot list bucket", dirName: "s3_bucket_inventories_list_bucket",
+			bucketsIDs: nil,
+			listError:  awserr.NewRequestFailure(nil, 403, ""),
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			inventoriesIDs: map[string][]string{
+				"bucket-martin-test-drift": {
+					"Inventory_Bucket1",
+					"Inventory2_Bucket1",
+				},
+				"bucket-martin-test-drift2": {
+					"Inventory_Bucket2",
+					"Inventory2_Bucket2",
+				},
+				"bucket-martin-test-drift3": {
+					"Inventory_Bucket3",
+					"Inventory2_Bucket3",
+				},
+			},
+			wantErr: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketInventoryResourceType, resourceaws.AwsS3BucketResourceType),
+		},
+		{
+			test: "cannot list bucket inventories", dirName: "s3_bucket_inventories_list_inventories",
+			bucketsIDs: []string{
+				"bucket-martin-test-drift",
+				"bucket-martin-test-drift2",
+				"bucket-martin-test-drift3",
+			},
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			inventoriesIDs: nil,
+			listError:      awserr.NewRequestFailure(nil, 403, ""),
+			wantErr:        remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketInventoryResourceType),
 		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
@ -64,16 +116,16 @@ func TestS3BucketInventorySupplier_Resources(t *testing.T) {

 			factory := AwsClientFactory{config: provider.session}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewS3BucketInventorySupplier(provider.Runner().SubRunner(), factory))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewS3BucketInventorySupplier(provider, factory))
 		}

 		t.Run(tt.test, func(t *testing.T) {

-			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, tt.inventoriesIDs, nil, tt.bucketLocation)
+			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, tt.inventoriesIDs, nil, tt.bucketLocation, tt.listError)
 			factory := mocks.NewMockAwsClientFactory(mock)

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewS3BucketInventoryDeserializer()
 			s := &S3BucketInventorySupplier{
 				provider,
@ -82,10 +134,8 @@ func TestS3BucketInventorySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Resources() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
+			assert.Equal(t, err, tt.wantErr)
+
 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
 	}
--- a/pkg/remote/aws/s3_bucket_metric_supplier_test.go
+++ b/pkg/remote/aws/s3_bucket_metric_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -23,7 +30,8 @@ func TestS3BucketMetricSupplier_Resources(t *testing.T) {
 		bucketsIDs     []string
 		bucketLocation map[string]string
 		metricsIDs     map[string][]string
-		wantErr        bool
+		listError      error
+		wantErr        error
 	}{
 		{
 			test: "multiple bucket with multiple metrics", dirName: "s3_bucket_metrics_multiple",
@ -51,11 +59,55 @@ func TestS3BucketMetricSupplier_Resources(t *testing.T) {
 					"Metrics2_Bucket3",
 				},
 			},
-			wantErr: false,
+		},
+		{
+			test: "cannot list bucket", dirName: "s3_bucket_metrics_list_bucket",
+			bucketsIDs: nil,
+			listError:  awserr.NewRequestFailure(nil, 403, ""),
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			metricsIDs: map[string][]string{
+				"bucket-martin-test-drift": {
+					"Metrics_Bucket1",
+					"Metrics2_Bucket1",
+				},
+				"bucket-martin-test-drift2": {
+					"Metrics_Bucket2",
+					"Metrics2_Bucket2",
+				},
+				"bucket-martin-test-drift3": {
+					"Metrics_Bucket3",
+					"Metrics2_Bucket3",
+				},
+			},
+			wantErr: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketMetricResourceType, resourceaws.AwsS3BucketResourceType),
+		},
+		{
+			test: "cannot list metrics", dirName: "s3_bucket_metrics_list_metrics",
+			bucketsIDs: []string{
+				"bucket-martin-test-drift",
+				"bucket-martin-test-drift2",
+				"bucket-martin-test-drift3",
+			},
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			metricsIDs: nil,
+			listError:  awserr.NewRequestFailure(nil, 403, ""),
+			wantErr:    remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketMetricResourceType),
 		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
@ -64,16 +116,16 @@ func TestS3BucketMetricSupplier_Resources(t *testing.T) {

 			factory := AwsClientFactory{config: provider.session}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewS3BucketMetricSupplier(provider.Runner().SubRunner(), factory))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewS3BucketMetricSupplier(provider, factory))
 		}

 		t.Run(tt.test, func(t *testing.T) {

-			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, tt.metricsIDs, tt.bucketLocation)
+			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, tt.metricsIDs, tt.bucketLocation, tt.listError)
 			factory := mocks.NewMockAwsClientFactory(mock)

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewS3BucketMetricDeserializer()
 			s := &S3BucketMetricSupplier{
 				provider,
@ -82,10 +134,8 @@ func TestS3BucketMetricSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Resources() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
+			assert.Equal(t, err, tt.wantErr)
+
 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
 	}
--- a/pkg/remote/aws/s3_bucket_metrics_supplier.go
+++ b/pkg/remote/aws/s3_bucket_metrics_supplier.go
@ -3,7 +3,7 @@ package aws
 import (
 	"fmt"

-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	awssdk "github.com/aws/aws-sdk-go/aws"
@ -24,8 +24,13 @@ type S3BucketMetricSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewS3BucketMetricSupplier(runner *parallel.ParallelRunner, factory AwsClientFactoryInterface) *S3BucketMetricSupplier {
-	return &S3BucketMetricSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewS3BucketMetricDeserializer(), factory, terraform.NewParallelResourceReader(runner)}
+func NewS3BucketMetricSupplier(provider *TerraformProvider, factory AwsClientFactoryInterface) *S3BucketMetricSupplier {
+	return &S3BucketMetricSupplier{
+		provider,
+		awsdeserializer.NewS3BucketMetricDeserializer(),
+		factory,
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s *S3BucketMetricSupplier) Resources() ([]resource.Resource, error) {
@ -34,7 +39,7 @@ func (s *S3BucketMetricSupplier) Resources() ([]resource.Resource, error) {
 	client := s.factory.GetS3Client(nil)
 	response, err := client.ListBuckets(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, aws.AwsS3BucketMetricResourceType, aws.AwsS3BucketResourceType)
 	}

 	for _, bucket := range response.Buckets {
@ -47,7 +52,7 @@ func (s *S3BucketMetricSupplier) Resources() ([]resource.Resource, error) {
 			continue
 		}
 		if err := s.listBucketMetricConfiguration(*bucket.Name, region); err != nil {
-			return nil, err
+			return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsS3BucketMetricResourceType)
 		}
 	}
 	ctyVals, err := s.runner.Wait()
--- a/pkg/remote/aws/s3_bucket_notification_supplier.go
+++ b/pkg/remote/aws/s3_bucket_notification_supplier.go
@ -1,8 +1,9 @@
 package aws

 import (
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/aws/aws-sdk-go/service/s3"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -18,8 +19,12 @@ type S3BucketNotificationSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewS3BucketNotificationSupplier(runner *parallel.ParallelRunner, factory AwsClientFactoryInterface) *S3BucketNotificationSupplier {
-	return &S3BucketNotificationSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewS3BucketNotificationDeserializer(), factory, terraform.NewParallelResourceReader(runner)}
+func NewS3BucketNotificationSupplier(provider *TerraformProvider, factory AwsClientFactoryInterface) *S3BucketNotificationSupplier {
+	return &S3BucketNotificationSupplier{
+		provider,
+		awsdeserializer.NewS3BucketNotificationDeserializer(),
+		factory, terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s *S3BucketNotificationSupplier) Resources() ([]resource.Resource, error) {
@ -28,7 +33,7 @@ func (s *S3BucketNotificationSupplier) Resources() ([]resource.Resource, error)
 	client := s.factory.GetS3Client(nil)
 	response, err := client.ListBuckets(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, aws.AwsS3BucketNotificationResourceType, aws.AwsS3BucketResourceType)
 	}

 	for _, bucket := range response.Buckets {
--- a/pkg/remote/aws/s3_bucket_notification_supplier_test.go
+++ b/pkg/remote/aws/s3_bucket_notification_supplier_test.go
@ -4,7 +4,15 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+	"github.com/stretchr/testify/assert"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -22,7 +30,8 @@ func TestS3BucketNotificationSupplier_Resources(t *testing.T) {
 		dirName        string
 		bucketsIDs     []string
 		bucketLocation map[string]string
-		wantErr        bool
+		listError      error
+		wantErr        error
 	}{
 		{
 			test:    "single bucket without notifications",
@ -33,7 +42,6 @@ func TestS3BucketNotificationSupplier_Resources(t *testing.T) {
 			bucketLocation: map[string]string{
 				"dritftctl-test-no-notifications": "eu-west-3",
 			},
-			wantErr: false,
 		},
 		{
 			test: "multiple bucket with notifications", dirName: "s3_bucket_notifications_multiple",
@ -47,11 +55,24 @@ func TestS3BucketNotificationSupplier_Resources(t *testing.T) {
 				"bucket-martin-test-drift2": "eu-west-3",
 				"bucket-martin-test-drift3": "ap-northeast-1",
 			},
-			wantErr: false,
+		},
+		{
+			test: "Cannot list bucket", dirName: "s3_bucket_notifications_list_bucket",
+			listError: awserr.NewRequestFailure(nil, 403, ""),
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			wantErr: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketNotificationResourceType, resourceaws.AwsS3BucketResourceType),
 		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
@ -60,16 +81,16 @@ func TestS3BucketNotificationSupplier_Resources(t *testing.T) {

 			factory := AwsClientFactory{config: provider.session}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewS3BucketNotificationSupplier(provider.Runner().SubRunner(), factory))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewS3BucketNotificationSupplier(provider, factory))
 		}

 		t.Run(tt.test, func(t *testing.T) {

-			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, nil, tt.bucketLocation)
+			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, nil, tt.bucketLocation, tt.listError)
 			factory := mocks.NewMockAwsClientFactory(mock)

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewS3BucketNotificationDeserializer()
 			s := &S3BucketNotificationSupplier{
 				provider,
@ -78,10 +99,7 @@ func TestS3BucketNotificationSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Resources() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
+			assert.Equal(t, err, tt.wantErr)
 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
 	}
--- a/pkg/remote/aws/s3_bucket_policy_supplier.go
+++ b/pkg/remote/aws/s3_bucket_policy_supplier.go
@ -2,7 +2,8 @@ package aws

 import (
 	"github.com/aws/aws-sdk-go/service/s3"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -18,8 +19,13 @@ type S3BucketPolicySupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewS3BucketPolicySupplier(runner *parallel.ParallelRunner, factory AwsClientFactoryInterface) *S3BucketPolicySupplier {
-	return &S3BucketPolicySupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewS3BucketPolicyDeserializer(), factory, terraform.NewParallelResourceReader(runner)}
+func NewS3BucketPolicySupplier(provider *TerraformProvider, factory AwsClientFactoryInterface) *S3BucketPolicySupplier {
+	return &S3BucketPolicySupplier{
+		provider,
+		awsdeserializer.NewS3BucketPolicyDeserializer(),
+		factory,
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s *S3BucketPolicySupplier) Resources() ([]resource.Resource, error) {
@ -28,7 +34,7 @@ func (s *S3BucketPolicySupplier) Resources() ([]resource.Resource, error) {
 	client := s.factory.GetS3Client(nil)
 	response, err := client.ListBuckets(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationErrorWithType(err, aws.AwsS3BucketPolicyResourceType, aws.AwsS3BucketResourceType)
 	}

 	for _, bucket := range response.Buckets {
--- a/pkg/remote/aws/s3_bucket_policy_supplier_test.go
+++ b/pkg/remote/aws/s3_bucket_policy_supplier_test.go
@ -4,6 +4,13 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

@ -22,7 +29,8 @@ func TestS3BucketPolicySupplier_Resources(t *testing.T) {
 		dirName        string
 		bucketsIDs     []string
 		bucketLocation map[string]string
-		wantErr        bool
+		listError      error
+		wantErr        error
 	}{
 		{
 			test:    "single bucket without policy",
@ -33,7 +41,6 @@ func TestS3BucketPolicySupplier_Resources(t *testing.T) {
 			bucketLocation: map[string]string{
 				"dritftctl-test-no-policy": "eu-west-3",
 			},
-			wantErr: false,
 		},
 		{
 			test: "multiple bucket with policies", dirName: "s3_bucket_policies_multiple",
@ -47,11 +54,26 @@ func TestS3BucketPolicySupplier_Resources(t *testing.T) {
 				"bucket-martin-test-drift2": "eu-west-3",
 				"bucket-martin-test-drift3": "ap-northeast-1",
 			},
-			wantErr: false,
+		},
+		{
+			test: "cannot list bucket", dirName: "s3_bucket_policies_list_bucket",
+			bucketsIDs: nil,
+			listError:  awserr.NewRequestFailure(nil, 403, ""),
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			wantErr: remoteerror.NewResourceEnumerationErrorWithType(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketPolicyResourceType, resourceaws.AwsS3BucketResourceType),
 		},
 	}
 	for _, tt := range tests {
+
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
@ -60,16 +82,16 @@ func TestS3BucketPolicySupplier_Resources(t *testing.T) {

 			factory := AwsClientFactory{config: provider.session}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewS3BucketPolicySupplier(provider.Runner().SubRunner(), factory))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewS3BucketPolicySupplier(provider, factory))
 		}

 		t.Run(tt.test, func(t *testing.T) {

-			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, nil, tt.bucketLocation)
+			mock := mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, nil, tt.bucketLocation, tt.listError)
 			factory := mocks.NewMockAwsClientFactory(mock)

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewS3BucketPolicyDeserializer()
 			s := &S3BucketPolicySupplier{
 				provider,
@ -78,10 +100,8 @@ func TestS3BucketPolicySupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Resources() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
+			assert.Equal(t, err, tt.wantErr)
+
 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
 	}
--- a/pkg/remote/aws/s3_bucket_supplier.go
+++ b/pkg/remote/aws/s3_bucket_supplier.go
@ -4,7 +4,8 @@ import (
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -22,8 +23,13 @@ type S3BucketSupplier struct {
 	runner           *terraform.ParallelResourceReader
 }

-func NewS3BucketSupplier(runner *parallel.ParallelRunner, factory AwsClientFactoryInterface) *S3BucketSupplier {
-	return &S3BucketSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewS3BucketDeserializer(), factory, terraform.NewParallelResourceReader(runner)}
+func NewS3BucketSupplier(provider *TerraformProvider, factory AwsClientFactoryInterface) *S3BucketSupplier {
+	return &S3BucketSupplier{
+		provider,
+		awsdeserializer.NewS3BucketDeserializer(),
+		factory,
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s S3BucketSupplier) Resources() ([]resource.Resource, error) {
@ -42,7 +48,7 @@ func (s *S3BucketSupplier) list() ([]cty.Value, error) {

 	response, err := s3Client.ListBuckets(input)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsS3BucketResourceType)
 	}

 	for _, bucket := range response.Buckets {
--- a/pkg/remote/aws/s3_bucket_supplier_test.go
+++ b/pkg/remote/aws/s3_bucket_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/cloudskiff/driftctl/test/goldenfile"
@ -22,7 +29,8 @@ func TestS3BucketSupplier_Resources(t *testing.T) {
 		dirName        string
 		bucketsIDs     []string
 		bucketLocation map[string]string
-		wantErr        bool
+		listError      error
+		wantErr        error
 	}{
 		{
 			test: "multiple bucket", dirName: "s3_bucket_multiple",
@ -36,11 +44,25 @@ func TestS3BucketSupplier_Resources(t *testing.T) {
 				"bucket-martin-test-drift2": "eu-west-3",
 				"bucket-martin-test-drift3": "ap-northeast-1",
 			},
-			wantErr: false,
+		},
+		{
+			test: "cannot list bucket", dirName: "s3_bucket_list",
+			bucketsIDs: nil,
+			listError:  awserr.NewRequestFailure(nil, 403, ""),
+			bucketLocation: map[string]string{
+				"bucket-martin-test-drift":  "eu-west-1",
+				"bucket-martin-test-drift2": "eu-west-3",
+				"bucket-martin-test-drift3": "ap-northeast-1",
+			},
+			wantErr: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsS3BucketResourceType),
 		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
@ -49,15 +71,15 @@ func TestS3BucketSupplier_Resources(t *testing.T) {

 			factory := AwsClientFactory{config: provider.session}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewS3BucketSupplier(provider.Runner().SubRunner(), factory))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewS3BucketSupplier(provider, factory))
 		}

 		t.Run(tt.test, func(t *testing.T) {

-			factory := mocks.NewMockAwsClientFactory(mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, nil, tt.bucketLocation))
+			factory := mocks.NewMockAwsClientFactory(mocks.NewMockAWSS3Client(tt.bucketsIDs, nil, nil, nil, tt.bucketLocation, tt.listError))

-			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewS3BucketDeserializer()
 			s := &S3BucketSupplier{
 				provider,
@ -66,10 +88,7 @@ func TestS3BucketSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Resources() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
+			assert.Equal(t, err, tt.wantErr)
 			test.CtyTestDiff(got, tt.dirName, provider, deserializer, shouldUpdate, t)
 		})
 	}
--- a/pkg/remote/aws/subnet_supplier.go
+++ b/pkg/remote/aws/subnet_supplier.go
@ -3,7 +3,8 @@ package aws
 import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource/aws"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
@ -24,14 +25,14 @@ type SubnetSupplier struct {
 	subnetRunner              *terraform.ParallelResourceReader
 }

-func NewSubnetSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *SubnetSupplier {
+func NewSubnetSupplier(provider *TerraformProvider) *SubnetSupplier {
 	return &SubnetSupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewDefaultSubnetDeserializer(),
 		awsdeserializer.NewSubnetDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner.SubRunner()),
-		terraform.NewParallelResourceReader(runner.SubRunner()),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

@ -53,8 +54,7 @@ func (s SubnetSupplier) Resources() ([]resource.Resource, error) {
 	)

 	if err != nil {
-		logrus.Error(err)
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, aws.AwsSubnetResourceType)
 	}

 	for _, item := range subnets {
--- a/pkg/remote/aws/subnet_supplier_test.go
+++ b/pkg/remote/aws/subnet_supplier_test.go
@ -4,7 +4,14 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

@ -14,6 +21,7 @@ import (

 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -87,23 +95,39 @@ func TestSubnetSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list Subnet",
+			dirName: "subnet_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeSubnetsPages",
+					&ec2.DescribeSubnetsInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeSubnetsOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSubnetResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewSubnetSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewSubnetSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			SubnetDeserializer := awsdeserializer.NewSubnetDeserializer()
 			defaultSubnetDeserializer := awsdeserializer.NewDefaultSubnetDeserializer()
 			s := &SubnetSupplier{
@ -115,9 +139,7 @@ func TestSubnetSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			deserializers := []deserializer.CTYDeserializer{SubnetDeserializer, defaultSubnetDeserializer}
--- a/pkg/remote/aws/terraform_provider.go
+++ b/pkg/remote/aws/terraform_provider.go
@ -83,7 +83,7 @@ func NewTerraFormProvider() (*TerraformProvider, error) {
 		select {
 		case <-c:
 			logrus.Warn("Detected interrupt during terraform provider configuration, cleanup ...")
-			tf.Cleanup()
+			p.Cleanup()
 			os.Exit(1)
 		case <-stopCh:
 			return
@ -235,3 +235,12 @@ func (p *TerraformProvider) ReadResource(args tf.ReadResourceArgs) (*cty.Value,
 	}
 	return &newState, nil
 }
+
+func (p *TerraformProvider) Cleanup() {
+	for region, client := range p.grpcProviders {
+		logrus.WithFields(logrus.Fields{
+			"region": region,
+		}).Debug("Closing gRPC client")
+		client.Close()
+	}
+}
--- a/pkg/remote/aws/test/s3_bucket_analytics_list_analytics/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_analytics_list_analytics/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_analytics_list_analytics/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_analytics_list_analytics/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_analytics_list_bucket/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_analytics_list_bucket/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_analytics_list_bucket/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_analytics_list_bucket/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_inventories_list_bucket/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_inventories_list_bucket/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_inventories_list_bucket/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_inventories_list_bucket/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_inventories_list_inventories/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_inventories_list_inventories/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_inventories_list_inventories/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_inventories_list_inventories/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_list/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_list/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_list/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_list/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_metrics_list_bucket/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_metrics_list_bucket/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_metrics_list_bucket/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_metrics_list_bucket/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_metrics_list_metrics/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_metrics_list_metrics/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_metrics_list_metrics/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_metrics_list_metrics/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_notifications_list_bucket/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_notifications_list_bucket/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_notifications_list_bucket/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_notifications_list_bucket/schema.golden.json
--- a/pkg/remote/aws/test/s3_bucket_policies_list_bucket/results.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_policies_list_bucket/results.golden.json
@ -0,0 +1 @@
+[]
--- a/pkg/remote/aws/test/s3_bucket_policies_list_bucket/schema.golden.json
+++ b/pkg/remote/aws/test/s3_bucket_policies_list_bucket/schema.golden.json
--- a/pkg/remote/aws/vpc_security_group_rule_supplier.go
+++ b/pkg/remote/aws/vpc_security_group_rule_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -28,14 +29,19 @@ type VPCSecurityGroupRuleSupplier struct {
 	runner       *terraform.ParallelResourceReader
 }

-func NewVPCSecurityGroupRuleSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *VPCSecurityGroupRuleSupplier {
-	return &VPCSecurityGroupRuleSupplier{terraform.Provider(terraform.AWS), awsdeserializer.NewVPCSecurityGroupRuleDeserializer(), client, terraform.NewParallelResourceReader(runner)}
+func NewVPCSecurityGroupRuleSupplier(provider *TerraformProvider) *VPCSecurityGroupRuleSupplier {
+	return &VPCSecurityGroupRuleSupplier{
+		provider,
+		awsdeserializer.NewVPCSecurityGroupRuleDeserializer(),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+	}
 }

 func (s VPCSecurityGroupRuleSupplier) Resources() ([]resource.Resource, error) {
 	securityGroups, defaultSecurityGroups, err := listSecurityGroups(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsSecurityGroupRuleResourceType)
 	}
 	secGroups := make([]*ec2.SecurityGroup, 0, len(securityGroups)+len(defaultSecurityGroups))
 	secGroups = append(secGroups, securityGroups...)
--- a/pkg/remote/aws/vpc_security_group_rule_supplier_test.go
+++ b/pkg/remote/aws/vpc_security_group_rule_supplier_test.go
@ -4,7 +4,13 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
 	"github.com/cloudskiff/driftctl/pkg/parallel"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

 	"github.com/aws/aws-sdk-go/service/ec2"
@ -13,6 +19,7 @@ import (

 	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"

 	"github.com/cloudskiff/driftctl/mocks"
@ -213,23 +220,39 @@ func TestVPCSecurityGroupRuleSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list security group rules",
+			dirName: "vpc_security_group_rule_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeSecurityGroupsPages",
+					&ec2.DescribeSecurityGroupsInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSecurityGroupRuleResourceType),
+		},
 	}
 	for _, c := range cases {
 		shouldUpdate := c.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider))
 		}

 		t.Run(c.test, func(tt *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			c.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			deserializer := awsdeserializer.NewVPCSecurityGroupRuleDeserializer()
 			s := &VPCSecurityGroupRuleSupplier{
 				provider,
@ -238,9 +261,7 @@ func TestVPCSecurityGroupRuleSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if c.err != err {
-				tt.Errorf("Expected error %+v got %+v", c.err, err)
-			}
+			assert.Equal(tt, c.err, err)

 			mock.AssertExpectationsForObjects(tt)
 			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, tt)
--- a/pkg/remote/aws/vpc_security_group_supplier.go
+++ b/pkg/remote/aws/vpc_security_group_supplier.go
@ -1,7 +1,8 @@
 package aws

 import (
-	"github.com/cloudskiff/driftctl/pkg/parallel"
+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
@ -24,21 +25,21 @@ type VPCSecurityGroupSupplier struct {
 	securityGroupRunner              *terraform.ParallelResourceReader
 }

-func NewVPCSecurityGroupSupplier(runner *parallel.ParallelRunner, client ec2iface.EC2API) *VPCSecurityGroupSupplier {
+func NewVPCSecurityGroupSupplier(provider *TerraformProvider) *VPCSecurityGroupSupplier {
 	return &VPCSecurityGroupSupplier{
-		terraform.Provider(terraform.AWS),
+		provider,
 		awsdeserializer.NewDefaultSecurityGroupDeserializer(),
 		awsdeserializer.NewVPCSecurityGroupDeserializer(),
-		client,
-		terraform.NewParallelResourceReader(runner.SubRunner()),
-		terraform.NewParallelResourceReader(runner.SubRunner()),
+		ec2.New(provider.session),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
+		terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
 	}
 }

 func (s VPCSecurityGroupSupplier) Resources() ([]resource.Resource, error) {
 	securityGroups, defaultSecurityGroups, err := listSecurityGroups(s.client)
 	if err != nil {
-		return nil, err
+		return nil, remoteerror.NewResourceEnumerationError(err, resourceaws.AwsSecurityGroupResourceType)
 	}

 	for _, item := range securityGroups {
--- a/pkg/remote/aws/vpc_security_group_supplier_test.go
+++ b/pkg/remote/aws/vpc_security_group_supplier_test.go
@ -4,17 +4,26 @@ import (
 	"context"
 	"testing"

+	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
+
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/cloudskiff/driftctl/mocks"
 	"github.com/cloudskiff/driftctl/pkg/parallel"
 	"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
-	"github.com/cloudskiff/driftctl/pkg/resource"
+
 	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
+
+	"github.com/cloudskiff/driftctl/test/goldenfile"
+
+	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/cloudskiff/driftctl/pkg/terraform"
 	"github.com/cloudskiff/driftctl/test"
-	"github.com/cloudskiff/driftctl/test/goldenfile"
 	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )

@ -62,23 +71,39 @@ func TestVPCSecurityGroupSupplier_Resources(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			test:    "cannot list security groups",
+			dirName: "vpc_security_group_empty",
+			mocks: func(client *mocks.FakeEC2) {
+				client.On("DescribeSecurityGroupsPages",
+					&ec2.DescribeSecurityGroupsInput{},
+					mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
+						return true
+					})).Return(awserr.NewRequestFailure(nil, 403, ""))
+			},
+			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSecurityGroupResourceType),
+		},
 	}
 	for _, tt := range tests {
 		shouldUpdate := tt.dirName == *goldenfile.Update
+
+		providerLibrary := terraform.NewProviderLibrary()
+		supplierLibrary := resource.NewSupplierLibrary()
+
 		if shouldUpdate {
 			provider, err := NewTerraFormProvider()
 			if err != nil {
 				t.Fatal(err)
 			}

-			terraform.AddProvider(terraform.AWS, provider)
-			resource.AddSupplier(NewVPCSecurityGroupSupplier(provider.Runner(), ec2.New(provider.session)))
+			providerLibrary.AddProvider(terraform.AWS, provider)
+			supplierLibrary.AddSupplier(NewVPCSecurityGroupSupplier(provider))
 		}

 		t.Run(tt.test, func(t *testing.T) {
 			fakeEC2 := mocks.FakeEC2{}
 			tt.mocks(&fakeEC2)
-			provider := mocks2.NewMockedGoldenTFProvider(tt.dirName, terraform.Provider(terraform.AWS), shouldUpdate)
+			provider := mocks2.NewMockedGoldenTFProvider(tt.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
 			securityGroupDeserializer := awsdeserializer.NewVPCSecurityGroupDeserializer()
 			defaultSecurityGroupDeserializer := awsdeserializer.NewDefaultSecurityGroupDeserializer()
 			s := &VPCSecurityGroupSupplier{
@ -90,9 +115,7 @@ func TestVPCSecurityGroupSupplier_Resources(t *testing.T) {
 				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
 			}
 			got, err := s.Resources()
-			if tt.err != err {
-				t.Errorf("Expected error %+v got %+v", tt.err, err)
-			}
+			assert.Equal(t, tt.err, err)

 			mock.AssertExpectationsForObjects(t)
 			deserializers := []deserializer.CTYDeserializer{securityGroupDeserializer, defaultSecurityGroupDeserializer}
--- a/Show More
+++ b/Show More