Terraform
Control costs with policies
HCP Terraform estimates costs for many resources found in your Terraform configuration. It displays an hourly and monthly cost for each resource, and the monthly delta. It also totals the cost and delta of all estimatable resources.
In this tutorial, you will enable cost estimation and define a Sentinel policy to check whether the total monthly delta is less than one hundred dollars a month.
Prerequisites
For this tutorial you will need:
- An HCP Terraform account or a Terraform Enterprise account
- A GitHub account
- An AWS account to create example resources
You should also be familiar with how to create and destroy HCP Terraform workspaces.
Warning
Do not apply this policy to a production workspace as it may impact your production environment.
Note
HCP Terraform will not estimate cost on runs or applies targeted against a subset of resources.
Fork the example repository
Fork the example repository, which contains an example Terraform configuration to provision an EC2 instance.
Note
If you completed the Upload Your Sentinel Policy Set to HCP Terraform tutorial, you may already have a fork of this repository. Feel free to use it.
Create an HCP Terraform workspace
Navigate to your HCP Terraform organization and create a new VCS-backed
workspace connected to your fork of the learn-terraform-sentinel
repository.
Note
If you completed the Upload Your Sentinel Policy Set to HCP Terraform tutorial, you may already have a workspace for this configuration. Feel free to use it.
Configure workspace variables
Navigate to your learn-terraform-sentinel
workspace's Variables page.
Define a variable called instance_type
and set the value to t2.large
.
If you are not using a tutorial-specific HCP Terraform organization with a global credentials variable set, associate your AWS credentials variable set with the workspace.
Tip
If you have not yet created a variable set for your AWS credentials, review the Create a Variable Set tutorial to create one now.
When complete, your variable definitions will match the following:
Verify costs using policies
Note
HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
To verify cost estimates using policies, you need to define your policy and update your policy set.
Create a fork of the example repository, which contains a Sentinel policy that flags any resource changes that increase costs by greater than $100.
The sentinel.hcl
file in this repository declares the new policy in your policy set. Note that
the enforcement_level
is set to soft-mandatory
: this allows team members
with override permissions to allow a Terraform run to proceed in the event of policy failure. HCP Terraform will log any overrides.
sentinel.hcl
policy "less-than-100-month" {
enforcement_level = "soft-mandatory"
}
The less-than-100-month.sentinel
file contains the policy definition.
less-than-100-month.hcl
import "tfrun"
import "decimal"
delta_monthly_cost = decimal.new(tfrun.cost_estimate.delta_monthly_cost)
main = rule {
delta_monthly_cost.less_than(100)
}
This policy uses the
tfrun import
to check that the cost delta for a Terraform run is no more than $100. The policy definition uses the decimal
import for precise calculations when working with currency numbers.
HCP Terraform will run checks for policies defined in
sentinel.hcl
in all workspaces associated with the policy set.
Create a policy set
In HCP Terraform, navigate to your organization's Settings > Policy Sets and select Connect
a new policy set. Select your fork of the learn-terraform-cost-estimation
repostiory as the source.
Tip
The search bar for policy repositories is case sensitive.
In HCP Terraform, you can apply policy sets either across your organization, or to specific workspaces.
On the Configure Settings page:
- Select the Sentinel policy framework
- Under Scope of policies, select Policies enforced on selected projects and workspaces
- Select your
learn-terraform-sentinel
workspace - Click Connect policy set
Trigger a run
Tip
For a full list of supported resources in HCP Terraform cost estimation, refer to the AWS, Azure, and Google Cloud Cost Estimation Documentation.
Navigate to your learn-terraform-sentinel
workspace. Click on the New run button, select the Plan and apply (standard) option, then click Start.
View cost estimate
After queueing a new run, HCP Terraform will estimate changes to your resource costs and display them in the run UI. There you will find the list of resources, their price details, and the list of un-estimated resources. You will also find the new total to determine the proposed overall monthly cost once the run is applied.
In this case, the new resource definition satisfies the Sentinel policy check you defined.
Note
This is just an estimate; some resources do not have cost information available or have unpredictable usage-based pricing.
Click Discard run to cancel the run.
Delete the policy set
Navigate back to your organization's Settings > Policy Sets. Select the learn-terraform-cost-estimation
policy set, then under Workspaces, click Delete policy set. Confirm by clicking Yes, delete policy
set**.
Delete workspace
Under your workspace's Settings menu, select the Destruction and Deletion option, then delete the workspace.
Next steps
In this tutorial you created and used a Sentinel policy check that uses HCP Terraform's cost estimation feature. This provides another tool to manage your infrastructure spending.
To learn more about cost estimation, refer to the Cost Estimation documentation.
If you would like to learn more about HCP Terraform, refer to the following resources:
- Learn how to migrate terraform state to HCP Terraform
- Learn more about HCP Terraform workspaces
- Read the HCP Terraform documentation
- Learn about the free and paid features of HCP Terraform
- Learn more about Cost Estimation Documentation
- Read the Run States Documentation.