Control costs with policies
Terraform Cloud estimates costs for many resources found in your Terraform configuration. It displays an hourly and monthly cost for each resource, and the monthly delta. It also totals the cost and delta of all estimatable resources.
In this tutorial, you will enable cost estimation and define policy to check whether the total monthly delta is less than one hundred dollars a month.
Prerequisites
For this tutorial you will need:
- A Terraform Cloud account or a Terraform Enterprise account
- A GitHub account
- An AWS account to create example resources
You should also be familiar with how to create and destroy Terraform Cloud workspaces.
Warning
Do not apply this policy to a production workspace as it may impact your production environment.
Note
Terraform Cloud will not estimate cost on runs or applies targeted against a subset of resources.
Fork the example repository
Fork the example repository, which contains an example Terraform configuration to provision an EC2 instance.
Note
If you completed the Upload Your Sentinel Policy Set to Terraform Cloud tutorial, you may already have a fork of this repository. Feel free to use it.
Create a Terraform Cloud workspace
Navigate to your Terraform Cloud organization and create a new VCS-backed
workspace connected to your fork of the learn-sentinel-tfc repository.
Note
If you completed the Upload Your Sentinel Policy Set to Terraform Cloud tutorial, you may already have a workspace for this configuration. Feel free to use it.
Configure workspace variables
Navigate to your learn-sentinel-tfc workspace's Variables page.
Define a variable called instance_type and set the value to t2.large.
If you are not using a tutorial-specific Terraform Cloud organization with a global credentials variable set, associate your AWS credentials variable set with the workspace.
Tip
If you have not yet created a variable set for your AWS credentials, review the Create a Variable Set tutorial to create one now.
When complete, your variable definitions will match the following:
Verify costs using policies
Note
Terraform Cloud Free Edition includes one policy set of up to five policies. In Terraform Cloud Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to Terraform Cloud pricing for details.
To verify cost estimates using policies, you need to define your policy and update your policy set.
Create a fork of the example repository, which contains a Sentinel policy that flags any resource changes that increase costs by greater than $100.
The sentinel.hcl file in this repository declares the new policy in your policy set. Note that
the enforcement_level is set to soft-mandatory: this allows team members
with override permissions to allow a Terraform run to proceed in the event of policy failure. Terraform Cloud will log any overrides.
The less-than-100-month.sentinel file contains the policy definition.
This policy uses the
tfrun import
to check that the cost delta for a Terraform run is no more than $100. The policy definition uses the decimal import for precise calculations when working with currency numbers.
Terraform Cloud will run checks for policies defined in
sentinel.hcl in all workspaces associated with the policy set.
Create a policy set
In Terraform Cloud, navigate to your organization's Settings > Policy Sets and select Connect
a new policy set. Select your fork of the learn-terraform-cost-estimation
repostiory as the source.
Tip
The search bar for policy repositories is case sensitive.
In Terraform Cloud, you can apply policy sets either across your organization, or to specific workspaces.
On the Configure Settings page:
- Select the Sentinel policy framework
- Under Scope of policies, select Policies enforced on selected workspaces
- Select your
learn-sentinel-tfcworkspace and click Add workspace - Click Connect policy set
Trigger a run
Tip
For a full list of supported resources in Terraform Cloud cost estimation, refer to the AWS, Azure, and Google Cloud Cost Estimation Documentation.
Navigate to your learn-sentinel-tfc workspace. Click on the Actions menu, select Start new run, then select the Plan and apply (standard) option.
View cost estimate
After queueing a new run, Terraform Cloud will estimate changes to your resource costs and display them in the run UI. There you will find the list of resources, their price details, and the list of un-estimated resources. You will also find the new total to determine the proposed overall monthly cost once the run is applied.
In this case, the new resource definition satisfies the Sentinel policy check you defined.
Note
This is just an estimate; some resources do not have cost information available or have unpredictable usage-based pricing.
Click Discard run to cancel the run.
Delete the policy set
Navigate back to your organization's Settings > Policy Sets. Select the learn-terraform-cost-estimation policy set, then under Workspaces, click Delete policy set. Confirm by clicking Yes, delete policy
set**.
Delete workspace
Under your workspace's Settings menu, select the Destruction and Deletion option, then delete the workspace.
Next steps
In this tutorial you created and used a Sentinel policy check that uses Terraform Cloud's cost estimation feature. This provides another tool to manage your infrastructure spending.
To learn more about cost estimation, refer to the Cost Estimation documentation.
If you would like to learn more about Terraform Cloud, refer to the following resources:
- Learn how to migrate terraform state to Terraform Cloud
- Learn more about Terraform Cloud workspaces
- Read the Terraform Cloud documentation
- Learn about the free and paid features of Terraform Cloud
- Learn more about Cost Estimation Documentation
- Read the Run States Documentation.