FAQ
How does Infracost work?
Infracost's CLI and source control integrations (e.g. GitHub App):
- Extract cost-related parameters: Infracost parses Terraform HCL code directly to extract only cost-related parameters, such as the instance type or disk size. Infracost automatically discovers all projects or environments in your repo.
- Retrieve prices from the Cloud Pricing API: Infracost retrieves prices from an internal Cloud Pricing API, which takes into account any custom price books in your org. The CLI does not send the Terraform plan JSON file, or any cloud credentials or secrets, to the Cloud Pricing API. The API returns the prices.
- Calculate costs and evaluate policies: Infracost uses the code diff to calculate costs and evaluates the code for FinOps best practices and your tagging policies.
- Infracost Cloud: If you use Infracost Cloud, the final cost estimate and policy issues are saved in your dashboard.
Security and Privacy
Security is of paramount importance to us. We are SOC 2 Type II certified. Our Trust center page enables you to request details and provides an overview of the processes and systems Infracost has in place to ensure we are continually protecting our users' data.
What data is sent to the Cloud Pricing API?
No cloud credentials or secrets are sent to the Cloud Pricing API. Infracost does not make any changes to your Terraform state or cloud resources.
The Cloud Pricing API needs the relevant data to return a unique cloud price point. The Terraform HCL code is parsed by the Infracost CLI to extract the relevant data to make requests to the Cloud Pricing API. We also send the count of Terraform resource types to the Cloud Pricing API to enable us to better prioritize support for new resources. Additional context such as the operating system, Terraform version, type of CI system, and Infracost version is also sent alongside error tracking events so we can identify and fix issues quickly.
Here is an example request to the Cloud Pricing API for a t3.micro instance and the returned response:
Example request:
query {
  products(
    filter: {
      vendorName: "aws"
      service: "AmazonEC2"
      productFamily: "Compute Instance"
      region: "us-east-1"
      attributeFilters: [
        { key: "instanceType", value: "t3.micro" }
        { key: "tenancy", value: "Shared" }
        { key: "capacitystatus", value: "Used" }
        { key: "operatingSystem", value: "Linux" }
        { key: "preInstalledSw", value: "NA" }
      ]
    }
  ) {
    prices(filter: { purchaseOption: "on_demand" }) {
      USD
    }
  }
}
Example response:
{
  "data": {
    "products": [
      {
        "prices": [
          {
            "USD": "0.0104000000"
          }
        ]
      }
    ]
  }
}
Does Infracost need cloud credentials?
No! Infracost parses code directly and uses pricing data to estimate costs.
Does the Infracost CLI send the Terraform plan to the Cloud Pricing API?
No. The Infracost CLI parses the Terraform HCL code directly or the plan JSON file to find cost-related parameters and uses those to look up cloud prices.
What data is sent to Infracost Cloud?
If you use Infracost Cloud, cost estimates and policy issues are saved in your dashboard so you can see them in a central place.
Do you sell my data?
No. Infracost is backed by top-tier investors including Y Combinator and Sequoia. We also have a paid product. For more information about how we handle data see our Privacy Policy.
How should I report a security vulnerability?
If you believe you have found a vulnerability within Infracost, please let us know right away. Follow the process outlined here.
How can I allowlist Infracost IP addresses?
Infracost provides static IPs for its Cloud Pricing API and Infracost Cloud services. If your environment has network traffic restrictions, you can allowlist these IPs in your firewall rules.
| Name | Source | Destination | Domains | Port | IPs | Notes |
|---|---|---|---|---|---|---|
| Inbound | Infracost Cloud | Your CI/CD system | N/A | 443 | 3.133.40.66 3.16.104.91 3.147.121.170 3.141.214.65 18.221.82.195 18.119.42.142 | Only needed if you use source control integrations |
| Outbound | Your CI/CD system | Infracost Cloud | dashboard.api.infracost.io pricing.api.infracost.io | 443 | 76.223.127.201 52.223.24.69 | Infracost CLI uses both domains |
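An added example, not Infracost's own code: a least-privilege check that compares a firewall rule set with the IPs in the table above, reporting published hosts that no rule admits and rules that admit more than the published hosts. The rule sets are constructed and `audit_rules` is a hypothetical name; the inbound list only matters if you use source control integrations.

```python
import ipaddress

# IPs copied from the allowlist table above; every row uses TCP 443.
OUTBOUND_IPS = ["76.223.127.201", "52.223.24.69"]
INBOUND_IPS = ["3.133.40.66", "3.16.104.91", "3.147.121.170",
               "3.141.214.65", "18.221.82.195", "18.119.42.142"]

# Constructed rule sets as (cidr, port) pairs; not from any real firewall.
EGRESS_RULES = [("76.223.127.201/32", 443), ("52.223.0.0/16", 443)]
INGRESS_RULES = [(ip + "/32", 443) for ip in INBOUND_IPS[:5]]


def audit_rules(rules, required_ips, port=443):
    """Compare allow rules with the published hosts.

    Returns (missing, too_broad): published IPs that no rule admits on
    `port`, and rules on `port` that admit addresses beyond those IPs.
    """
    required = [ipaddress.ip_address(ip) for ip in required_ips]
    nets = [ipaddress.ip_network(cidr, strict=False)
            for cidr, rule_port in rules if rule_port == port]
    missing = [str(ip) for ip in required
               if not any(ip in net for net in nets)]
    too_broad = []
    for net in nets:
        covered = sum(1 for ip in required if ip in net)
        if net.num_addresses > covered:  # admits hosts not in the table
            too_broad.append(str(net))
    return missing, too_broad


if __name__ == "__main__":
    print("egress :", audit_rules(EGRESS_RULES, OUTBOUND_IPS))
    print("ingress:", audit_rules(INGRESS_RULES, INBOUND_IPS))
```
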
Features
Which cloud providers and IaC frameworks are supported?
Currently AWS, Azure and Google are supported with Terraform.
What's the difference between Infracost and Terraform Cloud's cost estimation?
There are three key areas of differentiation.
1. Cost estimation differences
- Terraform Cloud (TFC) cost estimation does not cover many of the cloud resources from AWS, Azure and GCP. Infracost supports over 1,100 resources from AWS, Azure and GCP; TFC covers around 200. Here's a quick comparison: Infracost Azure coverage vs TFC Azure coverage.
- Cost estimation of usage-based resources: Infracost supports estimating usage-based resources such as AWS Lambda or Azure Blob storage with usage profiles (e.g. use 100GB to estimate S3 costs). TFC does not support estimating usage-based resources.
- Your discount rates: Infracost supports your discount levels including AWS EDP, Azure EA and custom price books. Terraform Cloud only supports public prices.
2. FinOps guardrails, policies, and tag checker
Infracost supports FinOps guardrails (budget checks, and kicking off approval workflows), a set of best practice policies, and checking for the right tag keys and tag values - all out of the box.
TFC does not provide these; it does enable you to write code to check for policies, but you will have to either teach FinOps practitioners and managers to code, and enable them to do it (there is no user interface), or have an engineering team do all that and maintain it. On top of these, Infracost provides an inventory of all resources that are failing tags and policies so you can see where your biggest issues are and how to fix them.
3. Infracost can be run on engineering machines
Since Infracost does not need a Terraform plan file, cloud credentials or secrets, engineers can install the Infracost AI skills, IDE extensions, or the CLI and get cost estimates before sending pull requests, directly on their machines. Infracost also supports cost estimation of Terraform modules as well as Terragrunt projects. TFC cost estimation does not have these capabilities.
What's the difference between Infracost and Cloudability Governance?
Overall, Infracost is a more mature Shift Left product. It differentiates on a few different pillars:
1. Broad coverage of IaC resources
Infracost supports thousands of resources across AWS, Azure and Google with Terraform, CloudFormation and CDK.
Cloudability Governance only supports 20 resources in AWS with Terraform only.
2. Shifting left into coding agents and IDEs
Infracost parses HCL code directly, which enabled us to build Claude, Copilot, VS Code, Cursor and other integrations that prevent issues before code is even committed on developer machines.
The result is greater engineering velocity. Preventing issues at the source is an order of magnitude faster than catching them in CI, in code review, or after deployment. Engineers spend less time in review cycles and rework, and FinOps teams spend less time chasing down untagged resources or unexplained cost spikes.
Cloudability Governance parses Terraform Plan JSON files, which means it cannot shift left onto developer machines — there is no plan JSON file on dev machines.
3. One-click setup across thousands of repos
Infracost has a managed GitHub, GitLab and Azure Repos app that parses Terraform (HCL), CloudFormation or CDK code directly. That means you can enable Infracost across thousands of code repos in one click without changing any CI/CD pipelines.
Cloudability Governance requires you to modify your CI/CD pipeline to send the Terraform Plan JSON file. This takes significant setup time as well as ongoing maintenance and patching of those pipelines to use newer CLI versions.
4. Infracost managed FinOps Policies
Infracost maintains the FinOps policies, and keeps them updated when cloud providers add new resources, change existing resources and prices. When a new capability is released, Infracost will add the policy to your account for you to review. You can then use Infracost Cloud to check the blast radius of the change or the new capability, and either turn the policy on or off.
5. Enterprise fix rollouts
Infracost "Campaigns" is a feature which enables enterprise-wide rollout of fixes. Select a set of policies, set deadlines, and Infracost will open Pull Requests with AI to fix the issues across the codebase.
6. Measure the impact of Shift Left
Infracost tracks the Return On Investment (ROI) and the impact of Shift Left, and shows this in a management report. It will track the cost impact of changes, and the savings achieved by all teams. There is also a user leaderboard feature, which can be used to motivate teams.
7. Secure by default: no secrets or credentials sent to third parties
Infracost parses Terraform (HCL), CloudFormation and CDK code files directly, which is secure by default as IaC code does not contain secrets or credentials. Cloudability Governance parses Terraform Plan JSON files, which contain secrets and credentials, meaning sensitive data is included in what gets sent to and analyzed by Cloudability.
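Terraform's JSON plan output marks sensitive leaves in the `before_sensitive` and `after_sensitive` masks of each resource change. The following added example (not Infracost or Cloudability code) lists which attributes a plan file flags, so you can see what would leave your network before any plan JSON is handed to a third party; the sample plan is constructed and the function names are hypothetical.

```python
import json

# Constructed sample, trimmed to the fields of `terraform show -json` used here.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_db_instance.main",
   "change": {"actions": ["create"],
              "before": null, "before_sensitive": false,
              "after": {"instance_class": "db.t3.micro",
                        "password": "constructed-placeholder",
                        "tags": {"env": "dev"}},
              "after_sensitive": {"password": true, "tags": {}}}},
  {"address": "aws_instance.web",
   "change": {"actions": ["create"],
              "before": null, "before_sensitive": false,
              "after": {"instance_type": "t3.micro"},
              "after_sensitive": {}}}
]}
""")


def sensitive_paths(mask, prefix=""):
    """Yield attribute paths whose leaf is `true` in a *_sensitive mask."""
    if mask is True:
        yield prefix or "(entire value)"
    elif isinstance(mask, dict):
        for key, sub in mask.items():
            yield from sensitive_paths(sub, f"{prefix}.{key}" if prefix else key)
    elif isinstance(mask, list):
        for index, sub in enumerate(mask):
            yield from sensitive_paths(sub, f"{prefix}[{index}]")


def audit_plan(plan):
    """Map each resource address to the sensitive attribute paths it carries."""
    report = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        paths = set(sensitive_paths(change.get("before_sensitive")))
        paths |= set(sensitive_paths(change.get("after_sensitive")))
        if paths:
            report[rc["address"]] = sorted(paths)
    return report


if __name__ == "__main__":
    for address, paths in audit_plan(SAMPLE_PLAN).items():
        print(address, paths)
```
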
What Terraform versions are supported?
Infracost works with Terraform v0.12 and above.
How do you deal with auto-scaling groups?
Auto-scaling groups have a dynamic instance count so it's useful for engineers to get a cost estimate for them as their cost can vary significantly.
By default, Infracost parses the code to detect the instance count, thus it has to follow the static logic from the autoscaling group in AWS, Azure or Google. For example, the aws_autoscaling_group resource has a desired_capacity that is used, and if that is not set, the min_size is used, and otherwise we default to an instance count of 1.
You can override the instance count manually in the usage file.
How do you deal with Reserved Instances and Savings Plans?
See this doc for details.
Can I show costs in a different currency?
Sure! See the currency docs section.
What's the difference between source control and CI/CD integration?
Source control integration is when you connect Infracost directly to your GitHub or GitLab. CI/CD integration is when you install the Infracost CLI in your CI/CD pipelines and run commands. We recommend source control integration as it is simpler to set up and faster to run.
Do you offer support?
Yes! We're happy to help you, see our support page.
Can I log in with GitHub?
Yes! When logging into Infracost via GitHub, your work email must be listed as a verified email to properly match up with your Infracost account. If your GitHub email is not verified, you'll receive an error message when attempting to sign in asking you to verify your email with GitHub.
Can I rename or move GitLab repositories?
Yes! Infracost supports GitLab repository renaming and moving repositories to different projects. However, there is a brief period where webhooks and checks will be temporarily disrupted.
When you rename or move a GitLab repository:
- Webhooks will stop working temporarily because they need to be reinstalled
- Infracost checks will be interrupted until the system detects the rename
- Our system periodically scans for renamed repositories and automatically reinstalls webhooks
For large-scale operations: If you're planning to rename or move many repositories at once, please contact our support team beforehand. We can help coordinate the process to minimize downtime and ensure checks resume quickly.