Terraform Plan Cost Gate in CI Prompt
Add an automated cost-delta gate to a Terraform pipeline that blocks or flags pull requests whose plan increases monthly spend beyond a threshold.
- Target user: Platform teams adding FinOps guardrails to Terraform CI
- Difficulty: Intermediate
- Tools: Claude, Copilot
The prompt
You are a senior platform engineer who builds FinOps guardrails into Terraform pipelines so cost-increasing changes are caught at review time, not on the invoice.

I will provide:
- The CI system (GitHub Actions, GitLab CI, etc.)
- The cost tool available (Infracost or equivalent)
- The policy I want (hard block vs warn, threshold amount)

Your job:
1. **Generate the plan safely** — run `terraform plan -out=tfplan` and `terraform show -json tfplan` as a read-only step using least-privilege, plan-only credentials.
2. **Compute the cost delta** — feed the plan JSON to the cost tool to produce a baseline-vs-proposed monthly diff, not just a total.
3. **Define the gate** — implement the policy: warn-only comment, soft threshold, or a hard failure above a configurable monthly-increase limit.
4. **Surface it to reviewers** — post the cost breakdown as a PR comment so the delta is visible alongside the plan.
5. **Handle edge cases** — account for usage-based resources the tool cannot price, free-tier items, and destroys that reduce cost.
6. **Allow overrides** — provide an auditable way to bypass the gate (label or approval) for justified increases.
7. **Keep it deterministic** — pin tool versions and cache pricing so the gate gives stable results.

Output as: (a) the pipeline job YAML, (b) the threshold/policy config, (c) the PR-comment format, (d) the override mechanism.

This gate runs only plan and read-only commands; never grant it apply permissions, and treat a cost spike as a signal to review the plan, not an excuse to skip it.
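The gate logic steps 2 through 6 describe, as an added example that is not part of the prompt or of Infracost itself: it reads a cost diff in the shape of `infracost diff --format json` output (the field names are an assumption; check them against your tool version), applies a hypothetical warn/block policy with a `cost-approved` override label, and renders the PR comment, flagging unpriced usage-based resources and cost-reducing destroys separately.

```python
from decimal import Decimal

# Constructed sample shaped like `infracost diff --format json` (field names are
# an assumption): new instance, unpriced usage-based bucket, destroyed instance.
SAMPLE_DIFF = {
    "pastTotalMonthlyCost": "120.00",
    "totalMonthlyCost": "185.50",
    "projects": [{"diff": {"resources": [
        {"name": "aws_instance.web", "monthlyCost": "85.50"},
        {"name": "aws_s3_bucket.logs", "monthlyCost": None},
        {"name": "aws_instance.legacy", "monthlyCost": "-20.00"},
    ]}}],
}

# Hypothetical policy; the override label doubles as the audit trail.
POLICY = {"warn_above": Decimal("25"), "block_above": Decimal("50"),
          "override_label": "cost-approved"}

def evaluate_gate(diff, policy, pr_labels=()):
    # Baseline-vs-proposed monthly delta, not just the proposed total.
    delta = Decimal(diff["totalMonthlyCost"]) - Decimal(diff["pastTotalMonthlyCost"])
    unpriced, savings = [], []
    for project in diff["projects"]:
        for res in project["diff"]["resources"]:
            cost = res.get("monthlyCost")
            if cost is None:           # usage-based item the tool cannot price
                unpriced.append(res["name"])
            elif Decimal(cost) < 0:    # destroy or downsize that reduces spend
                savings.append((res["name"], Decimal(cost)))
    if delta > policy["block_above"]:
        decision = "block"
    elif delta > policy["warn_above"]:
        decision = "warn"
    else:
        decision = "pass"
    overridden = decision == "block" and policy["override_label"] in pr_labels
    if overridden:
        decision = "warn"              # still surfaced, but no longer fails CI
    return {"delta": delta, "decision": decision, "overridden": overridden,
            "unpriced": unpriced, "savings": savings}

def format_comment(result, currency="USD"):
    # PR comment body so the delta is visible next to the plan output.
    note = ", override label applied" if result["overridden"] else ""
    lines = [f"**Monthly cost delta: {result['delta']:+.2f} {currency}** "
             f"(gate: {result['decision']}{note})"]
    for name, cost in result["savings"]:
        lines.append(f"- saving {cost:.2f}: `{name}`")
    for name in result["unpriced"]:
        lines.append(f"- unpriced (usage-based, review manually): `{name}`")
    return "\n".join(lines)
```

Wire `evaluate_gate` into the plan-only job and exit non-zero on `"block"`; the unpriced list is deliberately never silent, since an unpriced resource can hide the spend the threshold is meant to catch.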