Skip to main content

Terraform Cloud/Enterprise

Infracost is an official HashiCorp partner. We work together to ensure that Infracost can be used alongside Terraform Cloud/Enterprise and integrated into your workflow.

Official Infracost HashiCorp partner badge

Integration options

Option 1: Source control systems

Our CI/CD integrations run the Infracost CLI and parse Terraform HCL code directly. We recommend using this option as it enables you to post pull request comments and use all Infracost features. See our CI/CD integrations for details.

Option 2: Terraform Run Tasks

This option uses the Terraform plan JSON that Terraform Cloud/Enterprise generates. The following features are not currently supported by this option: posting pull request comments, multiple currencies, modelling usage-based resources via the usage-file. Please contact us if you need these features.

Terraform Run Tasks can be used to integrate Infracost into Terraform Cloud/Enterprise directly. It sits between the plan and apply stage and shows a cost estimate for the changes that are about to be deployed. There is also a shareable details link that will open a pre-authenticated link with a detailed breakdown of costs per resource.

1. Generate Infracost Endpoint

Sign up or log in to Infracost Cloud and go to the Integrations page to enable the Terraform Cloud integration. This creates an Infracost endpoint URL and HMAC key that you'll use in the next step. You can also create an organization in Infracost to match the organization name you have in Terraform Cloud.

2. Firewall configuration for TFE

This step is only needed by Terraform Enterprise (TFE) users. You need to allow incoming traffic from to your TFE instance port 443 (or whatever port you use); this is the IP address used by Infracost Cloud services to call your Run Task integration.

If you have restricted out-going traffic from your TFE instance, you need to allow traffic to be sent to too. If you can only do that by IP address (and not domains), you should whitelist, and but we recommend you whitelist the domain as these IP addresses are likely to change.

3. Configure a Run Task

Follow the instructions for configuring a Run Task in Terraform Cloud. There are two steps you need to do: setup the integration, and enable it as a post-plan stage in your workspaces.


Currently, only the post-plan stage is supported when you configure Run Tasks in Terraform Cloud.

Example Terraform code to create a Run Task for your TFE organization
# You can create Run Tasks for your TFE organization using the Terraform console
# or inside your Terraform repository:

resource "tfe_organization_run_task" "example" {
# Name of your TFE organization
organization = "org-name"
# Endpoint URL from Infracost
url = ""
# Name of your Run Task
name = "Infracost"
enabled = true
# HMAC Key from Infracost
hmac_key = "SUPER_SECRET_KEY"
description = "Infracost cost estimation"

# Now that you have a Run task for your entire Organization,
# you need to set up individual Run Tasks for each workspace:

resource "tfe_workspace_run_task" "example" {
# ID of your workspace
workspace_id =
# ID of the organization run task previously created.
task_id =
enforcement_level = "advisory"

4. Results

After you've setup the integration, and enabled it on one or more of your workspaces, your runs will show the Infracost Run Task output and a link to the details.

Infracost is a verified Terraform Cloud integration. Terraform Cloud only sends the plan JSON file to Infracost during cost estimation, no other secrets/logs are sent, and once the cost estimate is generated, the temporary plan file is deleted from our servers.

Terraform Cloud dashboardDetails link
Infracost running as a Run TaskInfracost details link

Running Infracost on local dev machines

If you are using Terraform Cloud/Enterprise, or Terraform workspaces, and you'd like to run Infracost locally on your dev machine, please follow the below instructions.

With Terraform Cloud/Enterprise

When Terraform Cloud/Enterprise's remote execution mode is used, Infracost will use the token in the Terraform CLI config file to automatically retrieve the variables. If that does not satisfy your use-case, you can either:

  1. Set the INFRACOST_TERRAFORM_CLOUD_TOKEN environment variable to a Team API Token or User API Token. INFRACOST_TERRAFORM_CLOUD_HOST can also be set for Terraform Enterprise users (e.g. to avoid using These environment variables can also be set in the config file.
  2. Set the TF_CLI_CONFIG_FILE to the absolute path of your Terraform CLI config file.

With Terraform workspaces

Terraform Cloud/Enterprise users who use multiple Terraform workspaces, can use an Infracost config file to define them; their results will be combined into the same breakdown or diff output.

If you'd like to select one workspace, you can do so by either:

  1. using the --terraform-workspace flag.
  2. setting the INFRACOST_TERRAFORM_WORKSPACE environment variable (this sets the TF_WORKSPACE internally).

Only set this for multi-workspace deployments, otherwise it might result in the Terraform error "workspaces not supported". If you see this error, try running unset INFRACOST_TERRAFORM_WORKSPACE and unset TF_WORKSPACE.