By the time a cloud resource appears on your bill, it's too late to easily remove it — it's been running for weeks and is probably depended on by other services. Shift-left cost management means catching expensive infrastructure decisions at the point they're made: in pull requests, before resources are provisioned.
// Affiliate disclosure: FinOpsForge may earn a commission if you sign up via links on this page. This never affects our ratings or editorial independence. We test tools on real cloud workloads.
What Is Shift-Left Cost Management?
Shift-left means moving cost visibility and controls earlier in the development lifecycle — into the infrastructure-as-code (IaC) review process, before resources are actually provisioned. An engineer writing Terraform should see the monthly cost impact of their changes before they merge, not after the next billing cycle.
Studies show it's 100x cheaper to fix a cost issue in a pull request than after it's been running in production for a month. Shift-left tools make this possible.
Infracost — The Leading Shift-Left Tool
Infracost is an open-source tool that parses Terraform plans and generates a cost estimate breakdown. It supports AWS, Azure, and GCP with 1,000+ resources priced. The free tier covers unlimited CLI usage; the Team tier ($50/month) adds CI/CD integrations, team policies, and Slack notifications.
brew install infracost
infracost auth login
infracost breakdown --path .
infracost diff --path . --compare-to /tmp/infracost-base.json
Example output when a developer adds an aws_db_instance:
+ aws_db_instance.main
Instance type db.r5.2xlarge
Database engine PostgreSQL
Multi-AZ true
Cost breakdown:
Database instance $876.00/mo
Storage (500 GB gp2) $57.50/mo
Monthly cost change: +$933.50
CI/CD Integration
The real value of Infracost comes from integrating it into your pull request workflow. Every PR that changes Terraform gets an automatic cost estimate comment:
name: Infracost
on: [pull_request]
jobs:
infracost:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: infracost/actions/setup@v2
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
- name: Generate cost estimate
run: |
infracost breakdown --path=. --format=json --out-file=/tmp/infracost.json
- uses: infracost/actions/comment@v1
with:
path: /tmp/infracost.json
behavior: update
Cost Policies with OPA
Open Policy Agent (OPA) combined with Infracost lets you enforce cost guardrails in CI — blocking PRs that exceed cost thresholds:
package infracost
deny[msg] {
monthly_cost := input.projects[_].diff.totalMonthlyCost
to_number(monthly_cost) > 1000
msg := sprintf("PR adds $%.2f/month — exceeds $1000 threshold. Get approval.",
[to_number(monthly_cost)])
}
This creates a hard stop on expensive infrastructure changes — engineering leads or FinOps team must approve PRs that exceed cost thresholds before they can merge.
Terraform Cost Best Practices
- Use variables for instance types — makes right-sizing changes a one-line diff instead of hunting through modules
- Tag everything at the resource level — Terraform makes consistent tagging trivial with
default_tags on AWS providers
- Separate dev/staging/prod workspaces — enforce smaller instance types in non-production via workspace-conditional variables
- Use data sources to reference existing resources — avoid provisioning duplicate infrastructure (VPCs, security groups) that runs parallel costs
- Review
terraform plan output before apply — new resources added to plans should be questioned: is this intentional? Is the size appropriate?
// FAQ
Is Infracost accurate enough to rely on?
Accuracy is 85–95% for common resources (EC2, RDS, S3, EKS). Less accurate for: data transfer costs (usage-based), Lambda (highly variable), and newer resource types. It's a directional signal for pull requests — not a replacement for your actual bill.
Does Infracost work with Terragrunt or OpenTofu?
Yes — Infracost supports Terragrunt, OpenTofu, and Pulumi (beta). Pass the --terragrunt-flags option for Terragrunt workspaces. OpenTofu works with the standard Terraform workflow.