How to enable cost estimation in Terraform Enterprise

Introduction

Terraform Enterprise offers a valuable Cost Estimation feature that allows organizations to estimate the costs of resources during the planning phase of a Terraform run. However, it's important to note that Cost Estimation is not enabled by default. To make use of this feature, you need to configure it properly for your cloud provider(s). This KB article provides step-by-step guidance on enabling Cost Estimation in Terraform Enterprise.

Prerequisites

Before proceeding with enabling Cost Estimation in Terraform Enterprise, ensure the following:

1. Access to Terraform Enterprise with appropriate permissions to make configuration changes.

2. You must have authentication for the cloud providers (AWS, Azure, GCP) where you wish to enable Cost Estimation. Please find the authentication options for supported cloud providers in procedure section.

3. Keep in mind that not all resources in your cloud provider environment may support cost estimation. You can refer to the following links to understand which resources support cost estimation for each cloud provider:

   • AWS Cost Estimation Resources
   • Azure Cost Estimation Resources
   • GCP Cost Estimation Resources

Procedure

Follow these steps to enable Cost Estimation in Terraform Enterprise:

1. Access Cost Estimation Settings:

   • Log in to your Terraform Enterprise account with the necessary permissions.
   • Navigate to the "Profile Icon" > "Admin", and then select "Cost Estimation."

2. Enable Cost Estimation:

   • Check the "Enable Cost Estimation" option. This activates the Cost Estimation feature.
3. Enable authentication : 
   • Please find the authentication option for supported clouds . Please be aware that the credentials in these settings are not linked to Terraform Enterprise organizations or workspaces. They are exclusively used to establish communication with the APIs of cloud providers for retrieving pricing information. Please note that these settings will have no effect if Cost Estimation is disabled.

     1. AWS Configuration:

        • If you plan to estimate costs for AWS resources, you must authenticate with AWS using either an instance profile or AWS access keys.
        • Ensure that the IAM role associated with these credentials has full access to the AWS Price List Service and its resources.
        • You can use the following IAM policy as a reference for the necessary permissions:
        {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "pricing:*"
                ],
                "Effect": "Allow",
                "Resource": "*"
              }
            ]
        }
        

        
        

        Use AWS Instance Profile (Optional):

        • If you choose to use an instance profile for AWS authentication, ensure that you configure the "HTTP PUT response hop limit metadata option" with a value of 2 or greater to avoid issues with instance metadata retrieval. You can refer to the configure the metadata instance service page for more details.
     2. Google Cloud Configuration:
        • • To estimate costs for Google Cloud Platform (GCP) resources, you need to provide credentials for a GCP Service Account.
          • No specific IAM permissions are required as the accessed data is public.
          • Please note that this setting will have no effect if Cost Estimation is disabled.

             

     3. Azure Configuration:

        • If you wish to estimate costs for Azure resources, you must provide credentials for an Azure Service Principal.
        • Ensure that the role associated with these credentials has full access to the "RateCard" service and its resources.
        • You can use the following Azure role definition as a reference for the necessary permissions:
        {
            "assignableScopes": [
              "/subscriptions/[SUBSCRIPTION-ID]"
            ],
            "description": "Rate Card query role",
            "id": "/subscriptions/[SUBSCRIPTION-ID]/providers/Microsoft.Authorization/roleDefinitions/[ROLE-ID]",
            "name": "[ROLE-ID]",
            "permissions": [
              {
                "actions": [
                  "Microsoft.Commerce/RateCard/read"
                ],
                "dataActions": [],
                "notActions": [],
                "notDataActions": []
              }
            ],
            "roleName": "Terraform Cloud Cost Estimation",
            "roleType": "CustomRole",
            "type": "Microsoft.Authorization/roleDefinitions"
        }
        

        • • • Replace [SUBSCRIPTION-ID] and [ROLE-ID] with your own subscription and role identifiers.

            • Add Azure Client ID, Azure Client Secret , Azure Subscription ID and Azure Tenant ID.

4. Save Settings

• After configuring the authentication for your cloud providers, click the "Save Settings" button to apply your changes.

5. Enable cost estimation for all workspace.

• Navigate to the "Settings" > "Cost Estimation".
• Check the " Enable Cost Estimation for all workspaces" option
• Click "Update Settings"

Additional Information:

• Enabling Cost Estimation in Terraform Enterprise allows your organization to make more informed decisions about infrastructure changes by providing estimated cost data during the planning phase of a Terraform run.

• Remember to keep your credentials and authentication settings secure and up-to-date to ensure accurate cost estimations.

• Be aware that not all resources in your cloud provider environment may support cost estimation. Refer to the documentation links provided above for detailed information on supported resources.

• Reference documentation: https://developer.hashicorp.com/terraform/enterprise/cost-estimation