
Windows Enterprise IT Guide

Quick Start for IT Admins

To unblock Infracost on managed Windows devices:

  1. Allow outbound HTTPS to five domains — see Network Requirements
  2. Add AV/EDR exclusions for Infracost process and path patterns — see Endpoint Protection Whitelisting
  3. Optionally pin plugin versions to control when updates are pulled — see Appendix B: Environment Variables

If your organization uses Windows Defender Application Control (WDAC) or AppLocker in addition to Defender AV, see the WDAC / AppLocker note in the whitelisting section.


Architecture

Infracost uses a plugin architecture. The CLI (infracost.exe) and Language Server (infracost-ls.exe) are the main processes. They spawn four plugin binaries as child processes on demand:

  • infracost-parser-plugin.exe
  • infracost-provider-plugin-aws.exe
  • infracost-provider-plugin-google.exe
  • infracost-provider-plugin-azurerm.exe

Only the plugins relevant to the IaC being scanned are loaded.

Aspect                       Detail
---------------------------  -------------------------------------------------------------------------------------
Startup timeout              3 minutes on Windows (accommodates AV scanning of new binaries)
Inter-process communication  localhost TCP (127.0.0.1) only — random high port, not accessible from other machines

Network Requirements

Required Endpoints

All communication uses HTTPS (TLS 1.2+). No inbound ports are opened — all connections are outbound only.

Endpoint                            Purpose                                                           Protocol
----------------------------------  ----------------------------------------------------------------  -----------
https://dashboard.api.infracost.io  Dashboard API (GraphQL) — user profile, policies, run parameters  HTTPS (443)
https://pricing.api.infracost.io    Pricing data                                                      HTTPS (443)
https://login.infracost.io          OAuth 2.0 authentication                                          HTTPS (443)
https://releases.infracost.io       Plugin manifest (JSON)                                            HTTPS (443)
https://api.github.com              Plugin binary downloads (release assets), update checks           HTTPS (443)

Note: The parser plugin may also make outbound HTTPS connections to registry.terraform.io (or any private Terraform registry used by your organization) to resolve remote module sources referenced in the IaC being scanned. This is standard Terraform module resolution behavior.

Authentication Callback

During interactive OAuth login, the CLI temporarily listens on localhost:8080 (configurable via INFRACOST_CLI_OAUTH_CALLBACK_PORT) to receive the OAuth callback. This is a local-only listener and does not accept connections from other machines.
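The following PowerShell script is an added example for pre-flight checks on a managed device; it is not part of Infracost or its tooling. It checks TCP reachability of the five required endpoints on 443, fetches the plugin manifest over HTTPS (so that any proxy or TLS-inspection appliance in the path is exercised end to end), and reports whether something already listens on the default OAuth callback port. The function names are this example's own.

```powershell
# Added example (not Infracost's own tooling): verify the outbound HTTPS
# requirements from a managed Windows device before rolling Infracost out.
# Runs in Windows PowerShell 5.1 or PowerShell 7 on Windows 8.1+ (Test-NetConnection).

# The five endpoints from the Network Requirements table.
$RequiredHosts = @(
    'dashboard.api.infracost.io',
    'pricing.api.infracost.io',
    'login.infracost.io',
    'releases.infracost.io',
    'api.github.com'
)

function Test-InfracostEgress {
    param(
        [string[]] $Hosts = $RequiredHosts,
        [int] $Port = 443
    )
    foreach ($h in $Hosts) {
        # Direct TCP connect to the HTTPS port; -InformationLevel Quiet returns $true/$false.
        $ok = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = $Port; TcpReachable = $ok }
    }
}

function Test-InfracostManifest {
    # End-to-end HTTPS check: the plugin manifest must be retrievable and parse as JSON.
    # Invoke-WebRequest honours the system/WinHTTP proxy settings, unlike a raw TCP connect.
    param([string] $Url = 'https://releases.infracost.io/plugins/manifest.json')
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $null = $resp.Content | ConvertFrom-Json
        return [pscustomobject]@{ Url = $Url; Status = $resp.StatusCode; ValidJson = $true; Error = $null }
    } catch {
        return [pscustomobject]@{ Url = $Url; Status = $null; ValidJson = $false; Error = $_.Exception.Message }
    }
}

function Test-OAuthCallbackPort {
    # The interactive login listener binds localhost:<port>. If another service already
    # listens there, set INFRACOST_CLI_OAUTH_CALLBACK_PORT to a free port.
    param([int] $Port = 8080)
    $inUse = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $Port; AlreadyInUse = [bool]$inUse }
}

Test-InfracostEgress     | Format-Table -AutoSize
Test-InfracostManifest   | Format-List
Test-OAuthCallbackPort   | Format-Table -AutoSize
```

In proxy-only environments the direct TCP test can report false even though the manifest download succeeds, because Test-NetConnection does not use the proxy; treat the manifest fetch as the authoritative result and the TCP test as a firewall-rule check.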


Endpoint Protection Whitelisting

Why Whitelisting Is Needed

Infracost plugins are downloaded as archives from GitHub, extracted, and executed as child processes. Endpoint protection software may:

  • Delay startup — Scanning a newly downloaded binary can exceed the default 1-minute process startup timeout. Infracost already extends this to 3 minutes on Windows, but aggressive scanning may still cause timeouts.
  • Block execution — Heuristic-based detection may flag a binary executing from a user-local cache directory.
  • Lock files — Real-time scanning can hold file locks during plugin installation, which Infracost handles with retry logic (up to 5 attempts with linear backoff).

Executable Whitelisting (Wildcard Patterns)

The following paths should be excluded from real-time scanning and/or added to allowed application lists. These use wildcard patterns suitable for Intune's endpoint protection profiles.

Binary Paths

%LOCALAPPDATA%\infracost\plugins\*\windows_amd64\*\*.exe

This single wildcard rule covers all current and future plugin binaries across all versions. For a more restrictive approach, specify each plugin individually:

%LOCALAPPDATA%\infracost\plugins\infracost-parser-plugin\windows_amd64\*\infracost-parser-plugin.exe
%LOCALAPPDATA%\infracost\plugins\infracost-provider-plugin-aws\windows_amd64\*\infracost-provider-plugin-aws.exe
%LOCALAPPDATA%\infracost\plugins\infracost-provider-plugin-google\windows_amd64\*\infracost-provider-plugin-google.exe
%LOCALAPPDATA%\infracost\plugins\infracost-provider-plugin-azurerm\windows_amd64\*\infracost-provider-plugin-azurerm.exe

The CLI and Language Server binaries should also be whitelisted at their installed location. The VS Code extension bundles infracost-ls.exe at a known path:

%USERPROFILE%\.vscode\extensions\infracost.infracost-*-win32-*\bin\infracost-ls.exe

For other installations (JetBrains, standalone CLI), the path varies. These broad patterns cover all cases:

*\infracost.exe
*\infracost-ls.exe

Note for ARM64 Windows: If deploying on ARM64 devices, replace windows_amd64 with windows_arm64 in the paths above.

Data and Configuration Paths

Exclude these directories from real-time file scanning to prevent performance degradation during plugin downloads and cache writes:

%LOCALAPPDATA%\infracost\*
%APPDATA%\infracost\*
%TEMP%\infracost-plugin-*

Applying Exclusions

The binary paths, process names, and data directories listed above are the information your endpoint protection team needs to configure exclusions. The exact steps will depend on your tooling — common approaches include:

  • Microsoft Intune — Antivirus exclusion policies under Endpoint security, assigned to developer device groups
  • Group Policy — Defender Antivirus exclusion settings via ADMX templates
  • Third-party EDR (CrowdStrike, SentinelOne, etc.) — Equivalent process/path exclusion rules
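For teams that manage Defender Antivirus directly (scripted rollout, or as a reference for the values to enter into an Intune or Group Policy profile), the following script is an added example and not Infracost documentation or code. It builds the per-plugin file patterns and the directory and process exclusions listed above, applies them with the built-in Defender cmdlets, and reads back what was stored. Note that a directory exclusion under a user-writable location such as %LOCALAPPDATA% means nothing placed there is scanned, so prefer the narrower per-binary patterns where your tooling allows and keep the directory exclusions to the paths listed in this guide.

```powershell
# Added example (not from Infracost): apply this guide's Defender AV exclusions with
# the built-in Defender cmdlets. Run from an elevated PowerShell session on a test
# device first; Intune/Group Policy deployments would carry the same values.

# Narrow per-binary patterns, one per plugin. In Defender path exclusions each "*"
# stands for one folder level, so the "*" here matches only the <version> directory.
$PluginRoot  = '%LOCALAPPDATA%\infracost\plugins'
$PluginNames = @(
    'infracost-parser-plugin',
    'infracost-provider-plugin-aws',
    'infracost-provider-plugin-google',
    'infracost-provider-plugin-azurerm'
)
$Arch = 'windows_amd64'   # use 'windows_arm64' on ARM64 devices

$ExclusionPaths = foreach ($name in $PluginNames) {
    "$PluginRoot\$($name)\$($Arch)\*\$($name).exe"
}

# Directories that receive plugin downloads and cache writes.
$ExclusionPaths += @(
    '%LOCALAPPDATA%\infracost\*',
    '%APPDATA%\infracost\*',
    '%TEMP%\infracost-plugin-*'
)

# Process exclusions are keyed by image name. They exempt files opened by these
# processes from real-time scanning; they do not exempt the binaries themselves,
# which is what the path patterns above cover.
$ExclusionProcesses = @('infracost.exe', 'infracost-ls.exe') +
                      ($PluginNames | ForEach-Object { "$($_).exe" })

Add-MpPreference -ExclusionPath    $ExclusionPaths
Add-MpPreference -ExclusionProcess $ExclusionProcesses

# Read back what Defender stored so the result can be compared with this guide.
$pref = Get-MpPreference
'Path exclusions:';    $pref.ExclusionPath    | Where-Object { $_ -like '*infracost*' }
'Process exclusions:'; $pref.ExclusionProcess | Where-Object { $_ -like '*infracost*' }
```

After applying, install the plugins once on the test device and confirm in the Defender protection history that the plugin binaries were not quarantined and that the first scan no longer pushes startup past the 3-minute timeout; the guide's patterns depend on Defender's wildcard and environment-variable expansion rules, so this is the check that proves the exclusions match the real paths.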

WDAC / AppLocker

If your organization enforces WDAC or AppLocker policies, the plugin binaries will also need to be permitted. Since plugins are updated automatically, path-based rules targeting the plugin directories are likely more practical than hash-based rules. Alternatively, pinning plugin versions (see Appendix B) keeps hashes stable between planned updates — however, this delays access to new functionality, bug fixes, and pricing data improvements. Infracost iterates quickly, so pinning should be a conscious trade-off rather than a default.

Verifying Plugin Integrity

All plugin downloads are verified against SHA256 checksums published in the plugin manifest at https://releases.infracost.io/plugins/manifest.json. The manifest lists the expected hash for each platform-specific archive. If the checksum does not match, the plugin is rejected and not installed.


Security Summary

Concern                      Detail
---------------------------  --------------------------------------------------------------------------------------------------------------------------
Network                      All external connections are outbound HTTPS only. Localhost TCP ports are used for plugin gRPC and the transient OAuth callback.
Inter-process communication  gRPC over localhost TCP managed by go-plugin. Binds to 127.0.0.1 on a random high port — not accessible from other machines.
Credential storage           OAuth tokens stored as JSON files with 0600 permissions. No Windows Registry usage.
Plugin integrity             SHA256 verification of all downloaded plugin archives against the published manifest.
No cloud credentials         Infracost does not require or access AWS/Azure/GCP credentials. It uses its own API token for pricing data only.
API endpoints                Hardcoded in the binary. Cannot be overridden by repository configuration files (prevents token exfiltration via malicious repos).
File access                  Reads IaC files in the workspace. Writes only to its own config/cache directories and system temp.

Appendix A: Windows File System Layout

All paths are resolved through Go's standard library (os.UserConfigDir(), os.UserCacheDir()), which on Windows map to the per-user %APPDATA% and %LOCALAPPDATA% folders. No Windows Registry entries are created.

Directory Structure

%APPDATA%\infracost\                  ← Configuration & credentials
├── token.json                        ← OAuth token cache (CLI)
├── lsp-token.json                    ← OAuth token cache (Language Server)
├── user.json                         ← Cached user/org profile
├── credentials.yml                   ← API key (if used instead of OAuth)
├── configuration.yml                 ← CLI settings
├── ignores.json                      ← Dismissed policy violations
├── installId                         ← Anonymous install identifier (UUID)
└── .state.json                       ← Update check state

%LOCALAPPDATA%\infracost\             ← Caches & plugins
├── cache\                            ← Scan results cache
│   └── manifest.json
└── plugins\                          ← Plugin binaries (auto-downloaded)
    ├── infracost-parser-plugin\
    │   └── windows_amd64\
    │       └── <version>\
    │           └── infracost-parser-plugin.exe
    ├── infracost-provider-plugin-aws\
    │   └── windows_amd64\
    │       └── <version>\
    │           └── infracost-provider-plugin-aws.exe
    ├── infracost-provider-plugin-google\
    │   └── windows_amd64\
    │       └── <version>\
    │           └── infracost-provider-plugin-google.exe
    └── infracost-provider-plugin-azurerm\
        └── windows_amd64\
            └── <version>\
                └── infracost-provider-plugin-azurerm.exe

%TEMP%\                               ← Temporary files during operation
├── infracost-plugin-*                ← Plugin download staging
└── pricing.v2.json                   ← Provider plugin pricing cache

If %APPDATA% or %LOCALAPPDATA% is unavailable, the fallback is %USERPROFILE%\.infracost\.

Binary Locations

The CLI and Language Server binaries are placed by the user (or an IDE extension) at a location on PATH. Common locations:

Binary             Typical Path
-----------------  ----------------------------------------------------------------
infracost.exe      User-chosen directory on PATH
infracost-ls.exe   Managed by IDE extension, or user-chosen
Plugin binaries    %LOCALAPPDATA%\infracost\plugins\<name>\windows_amd64\<version>\

IDE Extension Paths

The VS Code extension installs to the standard VS Code extensions directory. The JetBrains plugin installs to the standard JetBrains plugin directory. Both bundle infracost-ls.exe inside the extension package — no separate download is required at install time.


Appendix B: Environment Variables Reference

Key environment variables for enterprise configuration:

Variable                                   Default                                              Purpose
-----------------------------------------  ---------------------------------------------------  --------------------------------------------
INFRACOST_CLI_PLUGIN_AUTO_UPDATE           true                                                 Auto-download latest plugin versions
INFRACOST_CLI_PLUGIN_CACHE_DIRECTORY       %LOCALAPPDATA%\infracost\plugins                     Override plugin cache location
INFRACOST_CLI_PLUGIN_MANIFEST_URL          https://releases.infracost.io/plugins/manifest.json  Override plugin manifest URL
INFRACOST_CLI_AUTHENTICATION_TOKEN         (unset)                                              Provide auth token directly (bypasses OAuth)
INFRACOST_CLI_OAUTH_CALLBACK_PORT          8080                                                 Port for OAuth callback listener
INFRACOST_SKIP_UPDATE_CHECK                false                                                Disable CLI update checks
INFRACOST_CLI_LOG_LEVEL                    warn                                                 Logging verbosity (debug, info, warn, error)
INFRACOST_CLI_PARSER_PLUGIN_VERSION        (unset)                                              Pin parser plugin to a specific version
INFRACOST_CLI_PROVIDER_PLUGIN_AWS_VERSION  (unset)                                              Pin AWS provider plugin to a specific version

Version pinning: Auto-update is enabled by default. Set INFRACOST_CLI_PLUGIN_AUTO_UPDATE=false to use cached plugin versions and only download if no cache exists. Pinning keeps hashes stable for WDAC/AppLocker hash-based rules but delays bug fixes and pricing data updates.
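The following script is an added example, not Infracost's own tooling, covering both the WDAC/AppLocker hash-rule case from the whitelisting section and the version pinning described here. It records the plugin set currently in the local cache (version folder and SHA256 of each binary, which are the inputs a hash-based rule would be built from) and then pins the CLI to those versions with the Appendix B variables and turns auto-update off. It assumes the Appendix A layout plugins\<name>\windows_<arch>\<version>\<name>.exe; the function names are this example's own.

```powershell
# Added example (not from Infracost): freeze the currently cached plugin set.
# 1. Inventory each plugin binary with its version folder and SHA256 (for hash rules).
# 2. Pin the CLI to those versions and disable auto-update (Appendix B variables).
# Assumes the Appendix A layout: plugins\<name>\windows_<arch>\<version>\<name>.exe

$PluginRoot = Join-Path $env:LOCALAPPDATA 'infracost\plugins'
$Arch       = 'windows_amd64'   # 'windows_arm64' on ARM64 devices

function Get-InfracostPluginInventory {
    param([string] $Root = $PluginRoot)
    Get-ChildItem -Path $Root -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Plugin  = $_.Directory.Parent.Parent.Name   # <name>
                Arch    = $_.Directory.Parent.Name          # windows_<arch>
                Version = $_.Directory.Name                 # <version>
                Path    = $_.FullName
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-NewestPluginVersion {
    # Several version folders can coexist after updates; take the most recently written one.
    param([string] $Name)
    Get-ChildItem -Path (Join-Path $PluginRoot "$Name\$Arch") -Directory -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty Name
}

function Set-InfracostPins {
    # $Scope 'User' persists for the current developer; 'Machine' requires elevation.
    param([System.Collections.IDictionary] $Pins, [string] $Scope = 'User')
    foreach ($entry in $Pins.GetEnumerator()) {
        if (-not $entry.Value) { Write-Warning "No cached version for $($entry.Key); not pinning"; continue }
        [Environment]::SetEnvironmentVariable($entry.Key, $entry.Value, $Scope)
    }
    # With auto-update off, cached versions are used and downloads happen only when no cache exists.
    [Environment]::SetEnvironmentVariable('INFRACOST_CLI_PLUGIN_AUTO_UPDATE', 'false', $Scope)
}

# The guide lists pin variables for the parser and AWS provider plugins.
$Pins = [ordered]@{
    INFRACOST_CLI_PARSER_PLUGIN_VERSION       = Get-NewestPluginVersion 'infracost-parser-plugin'
    INFRACOST_CLI_PROVIDER_PLUGIN_AWS_VERSION = Get-NewestPluginVersion 'infracost-provider-plugin-aws'
}

Get-InfracostPluginInventory | Format-Table Plugin, Version, SHA256 -AutoSize
Set-InfracostPins -Pins $Pins
```

Keep the inventory output with the change record for the pinned versions: every planned plugin update changes the binaries' hashes, so hash-based WDAC or AppLocker rules built from it must be regenerated at the same time the pins are moved forward, which is the maintenance cost the section above weighs against path-based rules.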


Appendix C: Processes at Runtime

  • The IDE extension spawns infracost-ls.exe as a child process.
  • infracost-ls.exe spawns plugin processes on demand (lazy initialization).
  • Plugin processes are kept alive for the duration of the session and reused for subsequent scans.
  • When the IDE closes, all child processes are terminated.
  • For CLI usage, infracost.exe directly spawns the plugin processes.

All inter-process communication is via localhost TCP (127.0.0.1) — not accessible from other machines.