How to
Estimate the monthly cost impact of a Terraform change before apply, with a pass / warn / fail verdict and a PR-ready comment.
The cost gate reads a Terraform plan and estimates the monthly and annualized cost change of the proposed infrastructure changes — before you run terraform apply. It returns a pass / warn / fail verdict against thresholds you set, a per-resource breakdown, and a markdown comment you can post on the pull request.
It is a guardrail, not a billing quote. It catches expensive changes — a new database, ten NAT gateways, or a resize from a small instance to a large one — early, where they are cheapest to question.
Available on
Roles: Admin, FinOps, Security.
The gate parses the plan you submit. It does not run Terraform, reach your cloud, or read any credentials — it only inspects the plan you paste or post. From each resource change it estimates a monthly delta:
Important
Estimates are heuristic and proportional to real cost drivers (size, GB, count) — they are not a live, per-SKU, per-region provider quote. Use the verdict to flag changes for review, not as a contractual figure.
The fastest way to try it is the preview at Integrations → Terraform Cost Gate.
The same check is available as a stateless API endpoint:
POST /api/v1/integrations/terraform/cost-check
Authorization: Bearer <token>
Content-Type: application/json
{
"planJson": { /* terraform show -json plan output */ },
"warnMonthlyIncreaseUsd": 100,
"failMonthlyIncreaseUsd": 500
}
# Response
{
"status": "fail",
"estimatedMonthlyDeltaUsd": 406.0,
"annualizedDeltaUsd": 4872.0,
"summary": { "creates": 1, "updates": 1, "destroys": 1, "replaces": 0 },
"markdown": "## Terraform Cost Impact …"
}
Send either planJson (recommended, size-aware) or planText. Gate a deploy by failing the job when status is fail.
Authentication note
The endpoint authenticates with a bearer session token today. A dedicated long-lived CI token for unattended pipeline runs is on the roadmap — until then, the in-dashboard preview is the supported workflow for ad-hoc checks.
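A pipeline step for the endpoint above, as an added example rather than code from the product: it builds the request shown in this guide and turns the verdict into an exit code, blocking on fail and on any response it cannot interpret. The base URL, the COST_GATE_URL and COST_GATE_TOKEN variable names, the plan.json file name and the exit-code convention are assumptions.

```python
import json
import os
import sys
import urllib.request

ENDPOINT = "/api/v1/integrations/terraform/cost-check"  # path from the guide

def build_request(base_url, token, plan, warn_usd, fail_usd):
    # The bearer token and the plan travel in this request: refuse plaintext.
    if not base_url.startswith("https://"):
        raise ValueError("base URL must use https")
    body = json.dumps({
        "planJson": plan,
        "warnMonthlyIncreaseUsd": warn_usd,
        "failMonthlyIncreaseUsd": fail_usd,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def gate(response):
    """Map a response body to (exit_code, message); block unless clearly usable."""
    status = response.get("status") if isinstance(response, dict) else None
    delta = response.get("estimatedMonthlyDeltaUsd") if status else None
    if status not in ("pass", "warn", "fail") or not isinstance(delta, (int, float)):
        return 2, "unusable response, blocking (fail closed)"
    message = f"{status}: estimated {delta:+.2f} USD/month"
    return (1 if status == "fail" else 0), message

if __name__ == "__main__":
    # Assumed names: COST_GATE_URL, COST_GATE_TOKEN, plan.json
    # (plan.json produced with: terraform show -json plan).
    with open("plan.json") as fh:
        plan = json.load(fh)
    req = build_request(os.environ["COST_GATE_URL"],
                        os.environ["COST_GATE_TOKEN"], plan, 100, 500)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            result = json.load(resp)
    except (OSError, ValueError) as exc:  # network, HTTP or JSON failure
        result = None
        print(f"cost check failed: {type(exc).__name__}", file=sys.stderr)
    code, message = gate(result)
    print(message)
    sys.exit(code)
```

Keep the token in the pipeline's secret store rather than in the job definition, and treat the plan JSON as sensitive input, since `terraform show -json` output can include values marked sensitive in plain text.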
Does it run Terraform or connect to my cloud?
No. It only parses the plan you submit. It does not execute Terraform, call any cloud API, or read credentials. Nothing is stored — the check is stateless.
Why is a resize (update) now showing a cost, when other tools report zero?
For update and replace actions the gate computes the after-minus-before delta from the instance size in the plan. Scaling an instance up is captured as a positive monthly delta rather than ignored.
How accurate is the dollar figure?
It is a heuristic proportional to the real cost drivers (instance size, disk GB, node count). It is directionally accurate for catching large changes, but it is not a per-SKU, per-region billing quote. Confirm exact figures in your cloud provider pricing calculator before committing.
What if my plan is plain text, not JSON?
It still works, but plain text plans do not include size attributes, so the estimate falls back to flat per-type rates. Use terraform show -json plan for the size-aware estimate.