Skip to main content

Azure Pipelines

Run Infracost in Azure Pipelines to see cloud cost estimates and FinOps best practices in pull requests. Works with both Azure Repos (Git only) and GitHub-backed pipelines.

tip

We recommend using the Azure Repos App (or, for GitHub-backed pipelines, the GitHub App) where possible — they're simpler to set up and faster to run.

Quick start

  1. Install the Infracost tasks from the Azure DevOps Marketplace into your organization. If you don't have permission, you can submit a request to your org admin.

  2. Install the Infracost CLI and run infracost auth login to get a free API key. Retrieve it with infracost configure get api_key.

  3. Follow the appropriate quick start below for your repo type:

Azure Repos

  1. Create a new pipeline:
    1. Choose Azure Repos Git in the Connect stage
    2. Pick the repo you want to integrate
    3. Choose Starter Pipeline in the Configure stage
    4. Replace the starter YAML with the following, and save
pr:
- '*'
trigger:
  branches:
    include:
    - main
    - master

variables:
  - name: SSH_AUTH_SOCK
    value: /tmp/ssh_agent.sock

jobs:
  - job: infracost_pull_request_checks
    condition: and(succeeded(), eq(variables['Build.Reason'], 'PullRequest'))
    displayName: Run Infracost on pull requests
    pool:
      vmImage: ubuntu-latest

    steps:
      - task: InfracostSetup@2
        displayName: Setup Infracost
        inputs:
          apiKey: $(infracostApiKey)

      - bash: |
          git -c http.extraheader="Authorization: Bearer $(System.AccessToken)" clone $(Build.Repository.Uri) --branch=$(System.PullRequest.TargetBranchName) --single-branch /tmp/base
        displayName: Checkout base branch

      - bash: |
          cd /tmp/base
          infracost breakdown --path=. \
            --format=json \
            --out-file=/tmp/infracost-base.json
        displayName: Generate Infracost cost estimate baseline
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)

      - bash: |
          cd -
          infracost diff --path=. \
            --format=json \
            --compare-to=/tmp/infracost-base.json \
            --out-file=/tmp/infracost.json
        displayName: Generate Infracost diff
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)

      - bash: |
          infracost comment azure-repos \
            --path=/tmp/infracost.json \
            --azure-access-token=$(System.AccessToken) \
            --pull-request=$(System.PullRequest.PullRequestId) \
            --repo-url=$(Build.Repository.Uri) \
            --behavior=update
        displayName: Post PR comment
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)

  # Required when using Infracost Cloud
  - job: infracost_cloud_update
    displayName: Update Infracost Cloud
    condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI'))
    pool:
      vmImage: ubuntu-latest

    steps:
      - task: InfracostSetup@2
        displayName: Setup Infracost
        inputs:
          apiKey: $(infracostApiKey)

      - bash: |
          PATTERN="Merged PR ([0-9]+):"
          if [[ "$(Build.SourceVersionMessage)" =~ $PATTERN ]]; then
            PR_ID=${BASH_REMATCH[1]}
            curl \
              --request POST \
              --header "Content-Type: application/json" \
              --header "X-API-Key: $(infracostApiKey)" \
              --data "{ \"query\": \"mutation {updatePullRequestStatus( url: \\\"$(Build.Repository.Uri)/pullrequest/${PR_ID}\\\", status: MERGED )}\" }" \
              "https://dashboard.api.infracost.io/graphql";
          fi
        displayName: Update PR status in Infracost Cloud

      - bash: |
          infracost breakdown \
            --path=. \
            --format=json \
            --out-file=/tmp/infracost.json

          infracost upload --path=/tmp/infracost.json || echo "Always pass main branch runs"
        displayName: Run Infracost on default branch and update Infracost Cloud
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)

  1. Enable PR build triggers. Without this, Azure Pipelines won't trigger builds with the pull request ID, so comments can't be posted.

    1. From your Azure DevOps organization: your project → Project Settings → Repositories → your repo → Policies → your default branch
    2. Under Build Validation, click + and add the pipeline you created. Leave Path filter blank, set Trigger to Automatic, and Policy requirement to Optional.

  2. Allow the pipeline to post PR comments. From the same Repository settings, open the Security tab, find the [project name] Build Service ([org name]) user, and set Contribute to pull requests to Allow.

  3. Add secret variables. From your project: Pipelines → your pipeline → Edit → Variables → click + to add infracostApiKey. Tick Keep this value secret.

  4. Open a test PR — see these steps for what to expect.

The InfracostSetup task

The setup task installs and configures the Infracost CLI:

steps:
  - task: InfracostSetup@v2
    inputs:
      apiKey: $(infracostApiKey)

Inputs:

  • apiKey (required) — your Infracost API key.
  • version (optional, default 0.10.x) — SemVer ranges are supported. Stick with 0.10.x to automatically pick up bug fixes and new resources.
  • currency (optional) — convert output from USD to your preferred ISO 4217 currency, e.g. EUR, BRL, INR.

Troubleshooting

If something goes wrong, tick Enable system diagnostics when running the pipeline manually, or see Microsoft's pipeline troubleshooting docs.

403 error when posting to Azure Repos

This usually means the build agent can't post to the repo. Try:

  1. Re-check the security setting described in step 3 of the Azure Repos quick start above.

  2. Pass the token via env var instead of inline. Update the comment task to use $SYSTEM_ACCESSTOKEN and add the SYSTEM_ACCESSTOKEN env to the git clone, breakdown, and diff steps too:

    - script: |
        infracost comment azure-repos \
          --path=/tmp/infracost.json \
          --azure-access-token=$SYSTEM_ACCESSTOKEN \
          --pull-request=$(System.PullRequest.PullRequestId) \
          --repo-url=$(Build.Repository.Uri) \
          --behavior=update
      displayName: Post Infracost comment
      env:
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)

  3. Limited job auth scope. If your Azure Repo uses "Limit job authorization scope to current project for non-release pipelines", see this article — the build service identity changes and may need different permissions.

  4. Test with a Personal Access Token. Create an Azure DevOps PAT with full permissions, add it as a secret variable personalAccessToken, and swap it in temporarily:

    - script: |
        infracost comment azure-repos \
          --path=/tmp/infracost.json \
          --azure-access-token=$PERSONAL_ACCESS_TOKEN \
          --pull-request=$(System.PullRequest.PullRequestId) \
          --repo-url=$(Build.Repository.Uri) \
          --behavior=update
      displayName: Post Infracost comment
      env:
        PERSONAL_ACCESS_TOKEN: $(personalAccessToken)

    If comments work with the PAT but not System.AccessToken, contact Microsoft Azure Support to investigate.