How to enable cost estimation in Terraform Enterprise

Introduction

Terraform Enterprise can estimate the cost of resources during a Terraform plan. This feature is not enabled by default and requires configuration for each cloud provider.

This guide provides the steps to enable and configure the Cost Estimation feature in Terraform Enterprise.

Prerequisites

• Administrative access to your Terraform Enterprise instance.
• Authentication credentials for the cloud providers (AWS, Azure, or GCP) where you intend to enable Cost Estimation.
• An understanding of which resources support cost estimation for your provider:
  • AWS Cost Estimation Resources
  • Azure Cost Estimation Resources
  • GCP Cost Estimation Resources

Procedure

Follow these steps to enable and configure Cost Estimation. The credentials configured in these settings are used only to retrieve pricing information from cloud provider APIs and are not linked to Terraform Enterprise organizations or workspaces.

1. Navigate to Cost Estimation Settings. Log in to your Terraform Enterprise account and navigate to your Profile Icon > Admin > Cost Estimation.
2. Enable the Feature Globally. Select the Enable Cost Estimation checkbox to activate the feature.

3. Configure AWS Authentication. To estimate costs for AWS resources, you must authenticate using either an instance profile or AWS access keys. The associated IAM role requires full access to the AWS Price List Service. Use the following IAM policy as a reference.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": [
           "pricing:*"
         ],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
   }

   If you use an instance profile, you must configure the HTTP PUT response hop limit metadata option with a value of 2 or greater. For more details, refer to the AWS documentation to configure the instance metadata service.

4. Configure Google Cloud Authentication. To estimate costs for Google Cloud Platform (GCP) resources, provide credentials for a GCP Service Account. No specific IAM permissions are required, as the pricing data is public.

5. Configure Azure Authentication. To estimate costs for Azure resources, provide credentials for an Azure Service Principal. The associated role requires read access to the RateCard service. Use the following Azure role definition as a reference, replacing [SUBSCRIPTION-ID] and [ROLE-ID] with your identifiers.

   {
     "assignableScopes": [
       "/subscriptions/[SUBSCRIPTION-ID]"
     ],
     "description": "Rate Card query role",
     "id": "/subscriptions/[SUBSCRIPTION-ID]/providers/Microsoft.Authorization/roleDefinitions/[ROLE-ID]",
     "name": "[ROLE-ID]",
     "permissions": [
       {
         "actions": [
           "Microsoft.Commerce/RateCard/read"
         ],
         "dataActions": [],
         "notActions": [],
         "notDataActions": []
       }
     ],
     "roleName": "Terraform Cloud Cost Estimation",
     "roleType": "CustomRole",
     "type": "Microsoft.Authorization/roleDefinitions"
   }

   Enter your Azure Client ID, Azure Client Secret, Azure Subscription ID, and Azure Tenant ID in the provided fields.

6. Save Global Settings. After configuring authentication for your cloud providers, select Save Settings.
7. Enable Cost Estimation for Workspaces. Navigate to Settings > Cost Estimation.
8. Apply to All Workspaces. Select the Enable Cost Estimation for all workspaces checkbox and click Update Settings.

Additional Information

• Enabling Cost Estimation provides valuable cost data during the planning phase of a Terraform run, allowing your organization to make more informed decisions about infrastructure changes.
• Keep your cloud provider credentials secure and up-to-date to ensure accurate cost estimations.
• For a complete overview, refer to the official Terraform Enterprise Cost Estimation documentation.