Terraform modules
Infracost include any modules that are used by your Terraform or Terragrunt projects. Public modules are automatically downloaded; but you need to setup access for private modules so Infracost can process them.
Private modules
Git modules
Infracost downloads private git modules using the same method that Terraform/Terragrunt does (e.g. using SSH keys or HTTPS credentials). In CI/CD integrations, you can an environment variable or secret with your private SSH key so Infracost can access private repositories:
mkdir -p ~/.ssh
eval `ssh-add -s`
echo "$GIT_SSH_KEY" | tr -d '\r' | ssh-add -
# Update this to github.com, gitlab.com, bitbucket.org, ssh.dev.azure.com or your source control server's domain
ssh-keyscan github.com >> ~/.ssh/known_hosts
# Run Infracost commands as usual
infracost breakdown --path /code
The GIT_SSH_KEY secret variable usually starts with -----BEGIN RSA PRIVATE KEY-----. If your SSH key has a passphrase too, you can also add an environment variable or secret with your passphrase:
mkdir -p ~/.ssh
eval `ssh-add -s`
echo '#!/bin/sh'> ~/.ssh_askpass
echo "echo $GIT_SSH_KEY_PASSPHRASE" >> ~/.ssh_askpass && chmod +x ~/.ssh_askpass
echo "$GIT_SSH_KEY" | tr -d '\r' | DISPLAY=None SSH_ASKPASS=~/.ssh_askpass ssh-add -
# Update this to github.com, gitlab.com, bitbucket.org, ssh.dev.azure.com or your source control server's domain
ssh-keyscan github.com >> ~/.ssh/known_hosts
# Run Infracost commands as usual
infracost breakdown --path /code
Registry modules
Public registry modules are automatically supported so no extra setup is needed in Infracost. For private registry modules, set the following environment variables:
- Private Terraform Cloud registry modules: set the
INFRACOST_TERRAFORM_CLOUD_TOKENenvironment variable to a Team API Token or User API Token. - Private Terraform Enterprise registry modules: set the
INFRACOST_TERRAFORM_CLOUD_HOSTenvironment variable to your TFE hostname andINFRACOST_TERRAFORM_CLOUD_TOKENto a Team API Token or User API Token. - Private GitLab registry modules: set the
INFRACOST_TERRAFORM_CLOUD_HOSTenvironment variable togitlab.com(or your GitLab hostname) andINFRACOST_TERRAFORM_CLOUD_TOKENto your GitLab token. - Private JFrog registry modules: set the
INFRACOST_TERRAFORM_CLOUD_HOSTenvironment variable to your JFrog hostname andINFRACOST_TERRAFORM_CLOUD_TOKENto your identity token. - Other private registry modules: set the
INFRACOST_TERRAFORM_CLOUD_HOSTenvironment variable to the hostname of the registry andINFRACOST_TERRAFORM_CLOUD_TOKENto the access token for that registry. - Modules from multiple private registries: use the Terraform CLI config file option below.
For local development environments, use the Terraform CLI config file: by default Infracost reads registry credentials from your ~/.terraform.d/credentials.tfrc.json file or the path specified by the TF_CLI_CONFIG_FILE environment variable. If you're using a custom Terraform CLI config file to specify the credentials make sure you are setting the TF_CLI_CONFIG_FILE environment variable to the absolute path of that file.
S3 modules
If you store your private modules in an S3 bucket, you need to provide readonly AWS IAM credentials so the CLI can download them and estimate their costs. You can do this using the usual AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, and the following policy for your S3 bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowObjectDownload",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Running Infracost in module repos
You can run infracost breakdown --path modules/my-module to get a cost estimate for an individual module. Module variables can be passed-in using the --terraform-var-file or terraform-var flags.
To get a combined cost estimate from multiple modules, create a config-file as follows and run infracost breakdown --config-file infracost.yml:
version: 0.1
projects:
- path: my-s3-module
terraform_var_files:
- my-s3.tfvars
- us-east.tfvars
- path: my-ec2-module
terraform_var_files:
- my-ec2.tfvars