Control Costs with Policies
Terraform Cloud estimates costs for many resources found in your Terraform configuration. It displays an hourly and monthly cost for each resource, and the monthly delta. It also totals the cost and delta of all estimatable resources.
In this tutorial, you will enable cost estimation and define policy to check whether the total monthly delta is less than one hundred dollars a month.
Note: This functionality is available in the Terraform Cloud Team & Governance tier, as well as Enterprise. Organization owners can enable a 30-day free trial in their settings under Plan & Billing. Cost estimates are not available for workspaces using versions of Terraform less than 0.12.0.
Prerequisites
For this tutorial you will need:
- A Terraform Cloud Team & Governance tier account or a Terraform Enterprise account
- A GitHub account
- An AWS account to create example resources
You should also be familiar with how to create and destroy Terraform Cloud workspaces.
Warning: Do not apply this policy to a production workspace as it may impact your production environment.
Note: Terraform Cloud will not estimate cost on runs or applies targeted against a subset of resources.
Fork the example repository
Fork the example repository, which contains an example Terraform configuration to provision an EC2 instance.
Note: If you completed the Upload Your Sentinel Policy Set to Terraform Cloud tutorial, you may already have a fork of this repository. Feel free to use it.
Create a Terraform Cloud workspace
Navigate to your Terraform Cloud organization and create a new VCS-backed
workspace connected to your fork of the learn-sentinel-tfc repository.
Note: If you completed the Upload Your Sentinel Policy Set to Terraform Cloud tutorial, you may already have a workspace for this configuration. Feel free to use it.
Configure workspace variables
Navigate to your learn-sentinel-tfc workspace's Variables page.
Define a variable called instance_type and set the value to t2.large.
If you are not using a tutorial-specific Terraform Cloud organization with a global credentials variable set, associate your AWS credentials variable set with the workspace.
Tip: If you have not yet created a variable set for your AWS credentials, review the Create a Variable Set tutorial to create one now.
When complete, your variable definitions will match the following:
Verify costs using policies
To verify cost estimates using policies, you need to define your policy and update your policy set.
Create a fork of the example repository, which contains a Sentinel policy that flags any resource changes that increase costs by greater than $100.
The sentinel.hcl file in this repository declares the new policy in your policy set. Note that
the enforcement_level is set to soft-mandatory: this allows team members
with explicitly set permission to override the policy check and logs and
overrides.
The less-than-100-month.sentinel file contains the policy definition.
This policy uses the
tfrun import
to check that the cost delta for a Terraform run is no more than $100. The
decimal import is used for more precise calculations when working with
currency numbers.
Terraform Cloud will run checks for policies defined in
sentinel.hcl in all workspaces associated with the policy set.
Create a policy set
In Terraform Cloud, navigate to your organization's Settings > Policy Sets and select Connect
a new policy set. Configure your fork of the learn-terraform-cost-estimation
repostiory as the source.
Tip: The search bar for policy repositories is case sensitive.
In Terraform Cloud, you can apply policy sets either across your organization, or to specific workspaces.
On the Configure Settings page:
- Select Policies enforced on selected workspaces under Scope of Policies
- Select your
learn-sentinel-tfcworkspace and click the purple Add workspace button - Click Connect policy set
Trigger a run
Tip: For a full list of supported resources in Terraform Cloud cost estimation, refer to the AWS, Azure, and Google Cloud Cost Estimation Documentation.
Navigate to your learn-sentinel-tfc workspace. Click on the Actions menu, select Start new run, then select the Plan and apply (standard) option.
View cost estimate
After queueing a new run, Terraform Cloud will estimate changes to your resource costs and display them in the run UI. There you will find the list of resources, their price details, and the list of un-estimated resources. You will also find the new total to determine the proposed overall monthly cost once the run is applied.
In this case, the new resource definition satisfies the Sentinel policy check you defined.
Note: This is just an estimate; some resources do not have cost information available or have unpredictable usage-based pricing.
Click Discard run to cancel the run.
Delete the policy set
Navigate back to your organization's Settings > Policy Sets. Select the learn-terraform-cost-estimation policy set, then under Workspaces, click Delete policy set. Confirm by clicking Yes, delete policy
set**.
Delete workspace
Under your workspace's Settings menu, select the Destruction and Deletion option, then delete the workspace.
Next steps
In this tutorial you created and used a Sentinel policy check that uses Terraform Cloud's cost estimation feature. This provides another tool to manage your infrastructure spending.
To learn more about cost estimation, refer to the Cost Estimation documentation.
If you would like to learn more about Terraform Cloud, refer to the following resources:
- Learn how to migrate terraform state to Terraform Cloud
- Learn more about Terraform Cloud workspaces
- Read the Terraform Cloud documentation
- Learn about the free and paid features of Terraform Cloud
- Learn more about Cost Estimation Documentation
- Read the Run States Documentation.