IaC Cost Estimation CI Gate Prompt
Wire Infracost (or equivalent) into pull-request CI so infrastructure changes show a cost diff and breach a budget gate before merge — turning cloud spend into a reviewable, policy-enforced number.
- Target user: Platform / FinOps engineers adding cost visibility to IaC pipelines
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a FinOps-minded platform engineer who made cloud cost a first-class PR review signal: every infra change posts a cost diff comment, and changes over a threshold require explicit sign-off. You want estimates, not surprises on the next invoice.

I will provide:
- The IaC tool (Terraform/OpenTofu, Pulumi, CloudFormation) and CI system
- Our cloud(s), and any reserved/savings-plan or negotiated pricing
- Budget thresholds and who approves overages

Your job:
1. **Pick the tool & its limits** — Infracost for Terraform/Pulumi/CloudFormation; be explicit that estimates are list-price approximations: usage-based costs (egress, requests, Lambda invocations) need usage files, and commitment discounts (RIs/SPs/CUDs) won't show. Set reviewer expectations accordingly.
2. **PR cost-diff comment** — generate the CI step that runs against the plan, posts a breakdown comment (resource-level monthly delta), and updates the same comment on re-push instead of spamming.
3. **Budget policy gate** — define thresholds (e.g. warn at +$200/mo, block at +$1000/mo or +20%), implement them with `infracost comment`'s policy / a conftest rule on the Infracost JSON, and require a labeled approval to override.
4. **Usage-based accuracy** — add an `infracost-usage.yml` for the big usage drivers (data transfer, S3 requests, NAT gateway, Lambda) so estimates aren't wildly low. Show which resources most need it.
5. **Baseline & drift** — store a cost baseline so the diff is change-over-current, not absolute; flag the top cost contributors in the repo.
6. **Right-sizing nudges** — have the bot suggest cheaper-by-default alternatives (gp3 over gp2, graviton, autoscaling floors, lifecycle policies) when it sees obvious waste.
7. **Org rollout** — self-hosted vs cloud pricing API, API key handling, and how to make the gate advisory first, then enforcing.

Output as: (a) the CI job, (b) the cost-policy (conftest/Infracost policy) with thresholds, (c) an example usage file, (d) a sample PR comment, (e) the advisory→enforce rollout plan.

Bias toward: change-over-baseline diffs, usage files for the heavy hitters, advisory-before-blocking, honest caveats about estimate accuracy.
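The budget gate of step 3, the usage-gap report of step 4 and the gp2/gp3 nudge of step 6 can all be driven from one Infracost JSON report. The script below is an added example, not code from this prompt page or from the Infracost project: it applies the thresholds quoted in the prompt (warn at +$200/mo, block at +$1000/mo or +20% over the baseline), honours a labeled-approval override, lists usage-based cost components that were left unpriced because no `infracost-usage.yml` entry covered them, and renders the Markdown body a PR comment would carry. Assumptions not taken from the page: the field names `pastTotalMonthlyCost`, `diffTotalMonthlyCost` and `projects[].breakdown.resources[].costComponents[]` follow Infracost's JSON output format (costs as decimal strings, `monthlyQuantity` null for an unpriced usage component), the override label `cost-approved` is hypothetical, and `SAMPLE_REPORT` is constructed data.

```python
"""Budget gate, usage-gap report and right-sizing nudge over Infracost JSON.

Added example (not from the prompt page or the Infracost project). Field
names are assumed to follow Infracost's JSON output; the override label and
SAMPLE_REPORT are constructed for illustration.
"""
import json
import sys
from decimal import Decimal

WARN_DELTA = Decimal("200")       # warn at +$200/mo
BLOCK_DELTA = Decimal("1000")     # block at +$1000/mo ...
BLOCK_PCT = Decimal("20")         # ... or +20% over the current baseline
OVERRIDE_LABEL = "cost-approved"  # hypothetical PR label granting sign-off


def _money(value) -> Decimal:
    """Infracost emits costs as decimal strings; null means 'not priced'."""
    return Decimal(value) if value not in (None, "") else Decimal("0")


def evaluate(report: dict, pr_labels=()) -> dict:
    """Apply the budget policy to a diff report; returns verdict and reasons."""
    past = _money(report.get("pastTotalMonthlyCost"))
    delta = _money(report.get("diffTotalMonthlyCost"))
    # A zero baseline (first deploy) would make any delta an infinite
    # percentage, so the percentage rule only applies to existing spend.
    pct = (delta / past * 100) if past > 0 else None
    reasons = []
    if delta >= BLOCK_DELTA:
        reasons.append(f"+${delta}/mo exceeds block threshold ${BLOCK_DELTA}/mo")
    if pct is not None and pct >= BLOCK_PCT:
        reasons.append(f"+{pct:.1f}% exceeds block threshold {BLOCK_PCT}%")
    verdict = "pass"
    if reasons:
        verdict = "block"
        if OVERRIDE_LABEL in pr_labels:  # explicit sign-off downgrades to warn
            reasons.append(f"overridden by label '{OVERRIDE_LABEL}'")
            verdict = "warn"
    elif delta >= WARN_DELTA:
        reasons.append(f"+${delta}/mo exceeds warn threshold ${WARN_DELTA}/mo")
        verdict = "warn"
    return {"verdict": verdict, "delta": delta, "pct": pct, "reasons": reasons}


def _components(resource, prefix=""):
    """Yield (resource path, cost component) pairs, descending into subresources."""
    name = f"{prefix}{resource.get('name', '?')}"
    for comp in resource.get("costComponents") or []:
        yield name, comp
    for sub in resource.get("subresources") or []:
        yield from _components(sub, prefix=name + ".")


def _all_components(report):
    for project in report.get("projects", []):
        for res in project.get("breakdown", {}).get("resources", []):
            yield from _components(res)


def usage_gaps(report: dict) -> list:
    """Components Infracost could not price because no usage figure was supplied."""
    return [(res, comp.get("name")) for res, comp in _all_components(report)
            if comp.get("monthlyQuantity") is None]


def rightsizing_nudges(report: dict) -> list:
    """Step-6 heuristic: flag gp2 volumes, where gp3 is the cheaper default."""
    return [f"{res}: uses gp2; gp3 is cheaper by default for the same capacity"
            for res, comp in _all_components(report) if "gp2" in comp.get("name", "")]


def render_comment(report: dict, pr_labels=()) -> str:
    """Markdown body for the PR comment (re-posted in place on each push)."""
    v = evaluate(report, pr_labels)
    lines = [f"## Infracost: {v['verdict'].upper()} (+${v['delta']}/mo vs baseline)"]
    lines += [f"- {r}" for r in v["reasons"]]
    gaps = usage_gaps(report)
    if gaps:
        lines.append("Unpriced usage-based components (add them to infracost-usage.yml):")
        lines += [f"- {res}: {comp}" for res, comp in gaps]
    lines += [f"- {n}" for n in rightsizing_nudges(report)]
    return "\n".join(lines)


# Constructed sample in the assumed Infracost JSON shape: +$350/mo on a $1500/mo baseline.
SAMPLE_REPORT = {
    "currency": "USD", "pastTotalMonthlyCost": "1500.00",
    "totalMonthlyCost": "1850.00", "diffTotalMonthlyCost": "350.00",
    "projects": [{"name": "constructed/example", "breakdown": {"resources": [
        {"name": "aws_nat_gateway.main", "costComponents": [
            {"name": "NAT gateway", "unit": "hours", "monthlyQuantity": "730", "monthlyCost": "32.85"},
            {"name": "Data processed", "unit": "GB", "monthlyQuantity": None, "monthlyCost": None}]},
        {"name": "aws_instance.web", "costComponents": [
            {"name": "Instance usage (Linux/UNIX, on-demand, m5.large)", "unit": "hours",
             "monthlyQuantity": "730", "monthlyCost": "70.08"}],
         "subresources": [{"name": "root_block_device", "costComponents": [
            {"name": "Storage (general purpose SSD, gp2)", "unit": "GB",
             "monthlyQuantity": "50", "monthlyCost": "5.00"}]}]},
        {"name": "aws_s3_bucket.logs", "costComponents": [
            {"name": "PUT, COPY, POST, LIST requests", "unit": "1k requests",
             "monthlyQuantity": None, "monthlyCost": None}]}]}}]}

if __name__ == "__main__":
    # Usage: python cost_gate.py [infracost.json] [label ...]; exit 1 blocks the merge.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    labels = sys.argv[2:]
    print(render_comment(report, labels))
    sys.exit(1 if evaluate(report, labels)["verdict"] == "block" else 0)
```

Run in CI after `infracost diff --format json --out-file infracost.json`, passing the PR's labels as extra arguments; the non-zero exit on `block` is what makes the gate enforcing, so an advisory-first rollout simply ignores the exit code (or runs the step with `continue-on-error`) until the team trusts the numbers. The percentage rule is skipped when the baseline is zero, otherwise a first deployment would be an infinite increase and block unconditionally.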