Infracost GitHub Actions for Automated Cloud Cost Estimation

Published by TechMarmot Editorail Staff on | Category GitHub Actions

The integration of financial transparency into the DevOps lifecycle—often referred to as FinOps—requires a shift from reactive monthly billing analysis to proactive cost estimation. Infracost provides a specialized suite of tools designed to achieve this by analyzing Terraform code and predicting the cost impact of infrastructure changes before they are applied to a live environment. By embedding these estimations directly into the GitHub workflow via GitHub Actions, organizations can prevent "cloud bill shock" by visualizing the financial implications of a pull request (PR) during the peer-review process. This mechanism transforms the cost of infrastructure from a downstream accounting concern into a primary engineering metric, allowing developers to make informed decisions about resource sizing and provider selection during the development phase.

Architecture of Infracost GitHub Integrations

Infracost offers two primary methods for integrating cost visibility into GitHub: the Infracost GitHub App and the Infracost GitHub Actions. While both serve the objective of cost transparency, they differ significantly in deployment complexity, execution speed, and management overhead.

The Infracost GitHub App is the recommended implementation path for most organizations. It is designed for simplicity and speed, removing the need for manual workflow configuration and the management of individual action versions. It integrates seamlessly with the Infracost Cloud dashboard, providing a streamlined experience for monitoring cost guardrails and tagging policies.

Conversely, the GitHub Actions approach provides a granular alternative for organizations that cannot install third-party apps due to strict security policies or organizational constraints. These actions allow the Infracost CLI to run within a standard CI pipeline, enabling precise control over when scans occur and how the data is processed. The actions handle the complete PR lifecycle, including scanning when a PR is opened, synchronized, or reopened, and updating the status in the Infracost dashboard when a PR is closed or merged.

Implementation Methods for Infracost GitHub Actions

Depending on the complexity of the Terraform environment and the requirements for initialization, there are two distinct methods for utilizing the Infracost GitHub Action.

Method 1: Terraform Directory Scanning

This is the simplest deployment method. In this configuration, the action scans a specific directory containing Terraform files. This approach is ideal for straightforward projects where a full Terraform plan is not strictly required for the initial cost estimation. However, it may encounter limitations if the project relies on complex terraform init or terraform plan sequences that require specific state access.

Method 2: Terraform Plan JSON Processing

For more complex environments, the recommended approach is to use the Terraform plan JSON method. This involves a two-step pipeline:

  1. The setup-terraform GitHub Action is utilized to generate a plan JSON file.
  2. This JSON file is passed to the Infracost GitHub Action using the path input.

This method is significantly more robust as it relies on the actual planned state of the infrastructure, ensuring that the cost estimate reflects the precise changes that will be applied to the cloud environment.

Configuration and Authentication Requirements

To establish a secure connection between GitHub Actions and the Infracost Cloud Pricing API, specific authentication markers must be configured.

API Key Management

The INFRACOST_API_KEY is a mandatory requirement for the action to function. The process for setting this up involves the following steps:

  • Navigate to the GitHub repository settings.
  • Go to Secrets and variables and then to Actions.
  • Select New repository secret.
  • Name the secret INFRACOST_API_KEY and paste the corresponding key obtained from the Infracost dashboard.

In the workflow YAML file, this secret is referenced as follows:

yaml env: INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}

Local Authentication for Development

Before deploying to CI, developers can authenticate locally to test their configurations.

  • Interactive Login: Using the command infracost auth login.
  • Manual Configuration: Using the command infracost configure set api_key <YOUR_API_KEY>.

Once authenticated, the key is stored locally, enabling the use of CLI commands such as breakdown and diff.

Operational Workflow and Command Execution

The core functionality of Infracost revolves around the breakdown and diff operations, which provide the raw data necessary for GitHub PR comments.

Establishing a Cost Baseline

A baseline is a snapshot of the current infrastructure cost before any changes are introduced. This is typically executed from the main or development branch using the following command:

bash infracost breakdown --path .

This process generates a file named infracost-base.json, which serves as the reference point for all subsequent cost comparisons.

Generating Cost Differences

When a developer submits a pull request, Infracost compares the new code against the infracost-base.json. This generates a diff report that highlights:

  • Resources being added.
  • Resources being deleted.
  • Modifications to existing resources that change their monthly cost.

For local testing or CI integrations, the breakdown command can be executed with specific formats:

bash infracost breakdown --path . --format table

Alternatively, the --format json flag can be used for deeper integration into automated CI/CD pipelines.

Deep Dive into GitHub Action Configuration

A fully implemented Infracost workflow requires careful mapping of environment variables and input parameters to ensure the action can communicate with both GitHub and the cloud providers.

Mandatory Environment Variables

The following table details the required environment variables for the Infracost GitHub Action:

Variable Source/Value Purpose
INFRACOST_API_KEY Repository Secret Authenticates the action with the Infracost Cloud Pricing API
GITHUB_TOKEN ${{ secrets.GITHUB_TOKEN }} Grants the action permission to post comments and update PR status
Cloud Credentials Provider Secrets Necessary for terraform init to run successfully

Cloud Provider Credentials

Because Infracost does not send cloud credentials or secrets to the Cloud Pricing API, users must provide the necessary credentials within the GitHub environment so that Terraform can initialize.

  • AWS Users: Must set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
  • GCP Users: Must set GOOGLE_CREDENTIALS.
  • Azure Users: Must follow specific Azure-compatible environment variable configurations.

For projects utilizing multiple AWS accounts, a configuration file named infracost.yml can be used to map different credentials to specific paths.

Example infracost.yml:

yaml version: 0.1 projects: - path: myproject/dev env: AWS_ACCESS_KEY_ID: ${DEV_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${DEV_AWS_SECRET_ACCESS_KEY} - path: myproject/prod env: AWS_ACCESS_KEY_ID: ${PROD_AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${PROD_AWS_SECRET_ACCESS_KEY}

Example Workflow Implementation

The following YAML configuration demonstrates a complete implementation of the Infracost GitHub Action, triggered by changes to Terraform files.

```yaml
on:
pull_request:
paths:
- '.tf'
- '.tfvars'
- '**.tfvars.json'

jobs:
infracost:
runs-on: ubuntu-latest
name: Show infracost diff
steps:
- name: Check out repository
uses: actions/checkout@v2

  - name: Run infracost diff
    uses: infracost/infracost-gh-action@master
    env:
      DEV_AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      DEV_AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      PROD_AWS_ACCESS_KEY_ID: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
      PROD_AWS_SECRET_ACCESS_KEY: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
      INFRACOST_API_KEY: ${{ secrets.INFRACOST_API_KEY }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    with:
      config_file: infracost.yml

```

Governance and Policy Enforcement

Infracost allows organizations to move beyond simple estimation by implementing financial guardrails and mandatory checks.

Required Status Checks

To prevent the merging of infrastructure changes that exceed a specific budget, Infracost can be configured as a "Required Check." This ensures that the "Merge" button in GitHub remains disabled until the cost impact is reviewed and approved.

There are two methods to enforce this:

  • GitHub Rulesets: The recommended approach. Administrators create a ruleset in Settings > Repository > Rulesets and add "Infracost" as a required status check. This is the most efficient way to apply the policy across all repositories in an organization.
  • Branch Protection Rules: An alternative that works on a per-repository basis. This method typically requires the GitHub API to automate the configuration across multiple repositories.

Managing Policy Issues

When a pull request fails a cost policy, engineers have several options for resolution:

  • Dismissal/Snoozing: Policy issues can be dismissed or snoozed directly from the GitHub PR UI. This is critical for emergency shipments where a cost violation must be temporarily ignored to resolve a production incident.
  • Support Queries: Engineers can trigger help documentation by adding a PR comment with @infracost help.

Integration Customization

From the Org Settings > Integrations > GitHub App page, administrators can disable pull request comments. This allows the organization to use the Infracost Cloud dashboard for cost estimates, guardrails, and tagging policies without cluttering the GitHub PR conversation.

Transitioning from Actions to the App

Organizations utilizing GitHub Actions may wish to migrate to the Infracost GitHub App to reduce maintenance. The migration involves:

  • Installing the app via the official usage documentation.
  • Removing all Infracost-related steps and YAML configurations from the .github/workflows directory.

This transition eliminates the need to manage INFRACOST_API_KEY secrets across every repository and removes the overhead of maintaining the CI runner's environment for cost estimation.

Summary of Technical Specifications

The following table summarizes the technical capabilities of the Infracost GitHub Action ecosystem.

Feature GitHub Action GitHub App
Setup Complexity Moderate (YAML config) Low (One-click install)
Execution Speed Dependent on Runner Optimized/Faster
Secret Management Manual per Repo Managed by App
PR Lifecycle Open/Sync/Reopen/Close Fully Automated
Customization High (via infracost.yml) Moderate (via Dashboard)
Policy Enforcement Required Check via Rulesets Required Check via Rulesets

Conclusion

The integration of Infracost into GitHub represents a critical evolution in the Infrastructure as Code (IaC) lifecycle. By shifting cost visibility to the left, organizations eliminate the gap between resource provisioning and financial accountability. Whether utilizing the flexible GitHub Actions for granular control or the streamlined GitHub App for organizational scale, the result is a transparent environment where every line of Terraform code is associated with a predictable dollar value. The ability to enforce these costs through GitHub Rulesets and branch protection ensures that financial guardrails are not merely suggestions but are operational requirements for deployment. This systemic approach to cost management allows engineering teams to optimize their cloud spend in real-time, directly impacting the bottom line by preventing the deployment of over-provisioned resources.

Sources

  1. Infracost GitHub Actions Repository
  2. Infracost GH Action Repository
  3. Getting Started with Infracost - AWS Builders
  4. Infracost GitHub App Integration Documentation

Related Posts