Terraform on AWS
by Sergey Okinchuk
Drift Detection and ReconciliationChapter 11: Testing and Validation
Chapter 10: Collaboration and Automation
Topic 62

Cost Estimation

CostTooling

A Terraform plan tells you what will change but not what it will cost. A one-line edit — bumping an instance type, adding a NAT gateway per availability zone — can quietly add thousands of dollars a month, and the plan shows it as a single innocuous ~ or +. Infracost is the de facto tool for putting a dollar figure on a plan, typically as a pull-request comment showing the monthly cost delta alongside the diff.

The whole idea is to shift cost awareness left — into the review, where catching an oversized resource costs a comment, instead of onto the invoice, where catching it costs a month of overspend and an awkward conversation. Cost becomes one more thing a reviewer sees next to the destroy and replace lines, not a surprise at the end of the billing cycle.

Pricing the plan
terraform plan
Infracost prices it
monthly cost delta on the PR

The Problem

Plans speak in resources, not money. A change from db.t3.medium to db.m5.large reads as a one-line update; a forgotten count = 3 on a NAT gateway reads as three creates. Neither line says "this is roughly an extra 1,200 dollars a month." The cost is real and predictable, but it is invisible in the plan, so a reviewer focused on correctness approves it without ever seeing the price tag.

How Infracost Works

Infracost reads a Terraform plan — usually the JSON output of plan — identifies the priced resources in it, looks each up against the cloud provider's published rate cards, and reports a monthly estimate plus the diff against the prior state. It runs as a CLI step in the pipeline, so the cost figure is computed from the same plan a reviewer is about to approve, not a hand-built guess.

infracost in CI — price the plan and produce a diff
# produce a machine-readable plan
terraform plan -out=tfplan
terraform show -json tfplan > plan.json

# price it and post the monthly delta to the PR
infracost diff --path plan.json \
  --format json --out-file infracost.json
infracost comment github --path infracost.json \
  --repo acme/infra --pull-request $PR_NUMBER

The pipeline turns the plan into JSON, hands it to infracost diff to price against the rate cards, and posts the result as a PR comment. The reviewer sees a line like "Monthly cost will increase by 1,180 dollars (+34%)" sitting next to the code diff — the financial impact made as visible as the resource changes.

PR Integration

The value lands when the cost delta is a comment on the pull request, beside the diff, where it is read during review rather than discovered later. A reviewer approving a change now sees both what changes and what it costs in one place. That co-location is the point: cost stops being a separate quarterly finance exercise and becomes part of the same review that catches a bad replacement.

Policies and Thresholds

A cost number that nobody acts on is noise. Set a threshold — flag or fail the PR when the monthly increase exceeds, say, 500 dollars or 20 percent — so a large jump demands an explicit sign-off rather than slipping through. Without a threshold, the estimate becomes wallpaper everyone scrolls past; with one, a meaningful increase forces a conscious decision before merge.

Limits of Estimation

Infracost prices what it can compute from the plan: instance hours, provisioned storage, gateway baselines. It cannot derive usage-based costs — data transfer, request volume, per-invocation Lambda charges — from the plan alone, because those depend on traffic the plan does not describe; Infracost estimates them only from a separately supplied usage file or default assumptions. Treat the estimate as a directional guide, not a guarantee. It will reliably catch an oversized instance or a multi-AZ NAT; it will not tell you exactly what your data-transfer bill will be next month.

Common Mistakes
  • Reviewing infrastructure changes with no cost signal, approving an instance-type bump or a multi-AZ NAT gateway that balloons the monthly bill.
  • Treating an Infracost estimate as exact and being surprised when usage-based charges — data transfer, request volume — differ from the figure.
  • Bolting on cost estimation but never setting a threshold, so the number becomes noise everyone scrolls past without acting on it.
  • Checking cost only after deployment, on the invoice, when changing the decision is far more expensive than catching it in review.
  • Pricing only the new resources and ignoring the diff against prior state, so a costly replacement looks the same as a cheap one.
Best Practices
  • Add Infracost to the PR pipeline so every infrastructure change shows its monthly cost delta in review, beside the code diff.
  • Set a threshold that flags or blocks large cost increases for an explicit sign-off rather than letting them slip through silently.
  • Treat estimates as a directional guide and account separately for usage-based costs the plan cannot describe.
  • Use the cost diff to catch oversized resources and accidental expensive defaults before merge, not on the invoice.
  • Price the diff against prior state, not just the new resources, so a costly replacement is visible as one.
Comparable tools AWS Pricing Calculator the manual, pre-plan equivalent HCP Terraform cost estimation built into runs Vantage / CloudHealth cost analysis after deployment

Knowledge Check

Why does a Terraform plan alone not show the cost impact of a change?

  • The plan describes resource changes, not money — an instance-type bump or extra NAT gateway reads as an ordinary line with no price attached
  • The plan deliberately suppresses the dollar cost of every change it lists so that the figure cannot influence how reviewers end up judging the diff
  • A change has no measurable cost until it is actually applied, so no plan could ever show a meaningful figure for it
  • The plan does show cost, but only in the add/change/destroy summary line, which reviewers tend to skip

How does Infracost produce a monthly estimate?

  • It reads the plan, identifies priced resources, and looks them up against the cloud provider's published rate cards
  • It queries your actual AWS Cost Explorer bill and projects last month's spend forward
  • It runs the apply against a throwaway sandbox AWS account and then measures the exact charge that AWS actually bills for it
  • It prompts the reviewer to type in a per-resource cost estimate by hand for every changed resource

Which cost category can Infracost not fully predict from a plan?

  • Usage-based costs like data transfer and request volume, which depend on traffic the plan does not describe
  • The flat hourly rate of a specific provisioned EC2 instance type, such as an m5.large running in the us-east-1 region
  • The monthly storage cost of an EBS gp3 volume whose size in GB is fixed and stated in the plan
  • The fixed hourly baseline charge that a NAT gateway accrues just by existing

What does setting a cost threshold on the PR achieve?

  • A large monthly increase demands an explicit sign-off instead of becoming a number nobody acts on
  • It automatically caps the account's actual AWS spend at that monthly dollar figure from that point on
  • It makes the estimate exact by dropping the uncertain usage-based costs out of the total
  • It stops Terraform from applying any individual resource priced above the threshold

You got correct