• HashiCorp Developer

  • HashiCorp Cloud Platform
  • Terraform
  • Packer
  • Consul
  • Vault
  • Boundary
  • Nomad
  • Waypoint
  • Vagrant
Terraform
  • Install
  • Tutorials
    • About the Docs
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • CDK for Terraform
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
  • Registry(opens in new tab)
  • Try Cloud(opens in new tab)
  • Sign up
Terraform Cloud

Skip to main content
10 tutorials
  • What is Terraform Cloud - Intro and Sign Up
  • Log in to Terraform Cloud from the CLI
  • Create a Credentials Variable Set
  • Create a Workspace
  • Create Infrastructure
  • Change Infrastructure
  • Use VCS-Driven Workflow
  • Destroy Resources and Workspaces
  • Enforce a Policy
  • Control Costs with Policies

  • Resources

  • Tutorial Library
  • Certifications
  • Community Forum
    (opens in new tab)
  • Support
    (opens in new tab)
  • GitHub
    (opens in new tab)
  • Terraform Registry
    (opens in new tab)
  1. Developer
  2. Terraform
  3. Tutorials
  4. Terraform Cloud
  5. Control Costs with Policies

Control Costs with Policies

  • 5min

  • Team & GovernanceTeam & Governance
  • TerraformTerraform

Terraform Cloud estimates costs for many resources found in your Terraform configuration. It displays an hourly and monthly cost for each resource, and the monthly delta. It also totals the cost and delta of all estimatable resources.

In this tutorial, you will enable cost estimation and define policy to check whether the total monthly delta is less than one hundred dollars a month.

Note: This functionality is available in the Terraform Cloud Team & Governance tier, as well as Enterprise. Organization owners can enable a 30-day free trial in their settings under Plan & Billing. Cost estimates are not available for workspaces using versions of Terraform less than 0.12.0.

Prerequisites

For this tutorial you will need:

  • A Terraform Cloud Team & Governance tier account or a Terraform Enterprise account
  • A GitHub account
  • An AWS account to create example resources

You should also be familiar with how to create and destroy Terraform Cloud workspaces.

Warning: Do not apply this policy to a production workspace as it may impact your production environment.

Note: Terraform Cloud will not estimate cost on runs or applies targeted against a subset of resources.

Fork the example repository

Fork the example repository, which contains an example Terraform configuration to provision an EC2 instance.

Note: If you completed the Upload Your Sentinel Policy Set to Terraform Cloud tutorial, you may already have a fork of this repository. Feel free to use it.

Fork learn-sentinel-tfc repository

Create a Terraform Cloud workspace

Navigate to your Terraform Cloud organization and create a new VCS-backed workspace connected to your fork of the learn-sentinel-tfc repository.

Note: If you completed the Upload Your Sentinel Policy Set to Terraform Cloud tutorial, you may already have a workspace for this configuration. Feel free to use it.

Configure workspace variables

Navigate to your learn-sentinel-tfc workspace's Variables page.

Define a variable called instance_type and set the value to t2.large.

If you are not using a tutorial-specific Terraform Cloud organization with a global credentials variable set, associate your AWS credentials variable set with the workspace.

Tip: If you have not yet created a variable set for your AWS credentials, review the Create a Variable Set tutorial to create one now.

When complete, your variable definitions will match the following:

Terraform Cloud workspace variables

Verify costs using policies

To verify cost estimates using policies, you need to define your policy and update your policy set.

Create a fork of the example repository, which contains a Sentinel policy that flags any resource changes that increase costs by greater than $100.

The sentinel.hcl file in this repository declares the new policy in your policy set. Note that the enforcement_level is set to soft-mandatory: this allows team members with explicitly set permission to override the policy check and logs and overrides.

sentinel.hcl
policy "less-than-100-month" {
  enforcement_level = "soft-mandatory"
}

The less-than-100-month.sentinel file contains the policy definition.

less-than-100-month.hcl
import "tfrun"
import "decimal"

delta_monthly_cost = decimal.new(tfrun.cost_estimate.delta_monthly_cost)

main = rule {
    delta_monthly_cost.less_than(100)
}

This policy uses the tfrun import to check that the cost delta for a Terraform run is no more than $100. The decimal import is used for more precise calculations when working with currency numbers.

Terraform Cloud will run checks for policies defined in sentinel.hcl in all workspaces associated with the policy set.

Create a policy set

In Terraform Cloud, navigate to your organization's Settings > Policy Sets and select Connect a new policy set. Configure your fork of the learn-terraform-cost-estimation repostiory as the source.

Tip: The search bar for policy repositories is case sensitive.

In Terraform Cloud, you can apply policy sets either across your organization, or to specific workspaces.

On the Configure Settings page:

  1. Select Policies enforced on selected workspaces under Scope of Policies
  2. Select your learn-sentinel-tfc workspace and click the purple Add workspace button
  3. Click Connect policy set

Configure policy set workspaces

Trigger a run

Tip: For a full list of supported resources in Terraform Cloud cost estimation, refer to the AWS, Azure, and Google Cloud Cost Estimation Documentation.

Navigate to your learn-sentinel-tfc workspace. Click on the Actions menu, select Start new run, then select the Plan and apply (standard) option.

View cost estimate

After queueing a new run, Terraform Cloud will estimate changes to your resource costs and display them in the run UI. There you will find the list of resources, their price details, and the list of un-estimated resources. You will also find the new total to determine the proposed overall monthly cost once the run is applied.

In this case, the new resource definition satisfies the Sentinel policy check you defined.

Note: This is just an estimate; some resources do not have cost information available or have unpredictable usage-based pricing.

Terraform Cloud cost estimation Sentinel check passed

Click Discard run to cancel the run.

Delete the policy set

Navigate back to your organization's Settings > Policy Sets. Select the learn-terraform-cost-estimation policy set, then under Workspaces, click Delete policy set. Confirm by clicking Yes, delete policy set**.

Delete Terraform Cloud policy set

Delete workspace

Under your workspace's Settings menu, select the Destruction and Deletion option, then delete the workspace.

Next steps

In this tutorial you created and used a Sentinel policy check that uses Terraform Cloud's cost estimation feature. This provides another tool to manage your infrastructure spending.

To learn more about cost estimation, refer to the Cost Estimation documentation.

If you would like to learn more about Terraform Cloud, refer to the following resources:

  • Learn how to migrate terraform state to Terraform Cloud
  • Learn more about Terraform Cloud workspaces
  • Read the Terraform Cloud documentation
  • Learn about the free and paid features of Terraform Cloud
  • Learn more about Cost Estimation Documentation
  • Read the Run States Documentation.
 Previous
 Next Collection

This tutorial also appears in:

  •  
    7 tutorials
    Enforce Policy with Sentinel
    Enforce policies before your users create infrastructure using Sentinel policy-as-code, included in the Terraform Cloud Team and Governance tier. Write, test, and implement Sentinel policies.
    • Terraform

On this page

  1. Control Costs with Policies
  2. Prerequisites
  3. Fork the example repository
  4. Create a Terraform Cloud workspace
  5. Configure workspace variables
  6. Verify costs using policies
  7. Create a policy set
  8. Trigger a run
  9. View cost estimate
  10. Delete the policy set
  11. Delete workspace
  12. Next steps
Give Feedback(opens in new tab)
  • Certifications
  • System Status
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
  • Trade Controls
  • Give Feedback(opens in new tab)