Infracost - Shift FinOps Left to Cut Cloud Waste
Infracost shows Terraform cost deltas in PRs, then layers FinOps guardrails, AI remediation, and savings tracking on top. 12K-star open-source core.
TL;DR
Infracost started as a Terraform pull-request cost comment and has grown into a Shift FinOps Left platform: PR-time cost diffs, FinOps guardrails in CI, AI-driven waste remediation, and a platform dashboard that breaks down savings across compute, storage, and tagging. The CLI and IaC runners are Apache-2.0 open source with 12,300+ stars; the hosted platform adds governance, AI remediation, and a FinOps guide for self-service infrastructure.
Source and Accuracy Notes
- Product site: infracost.io
- GitHub repo: github.com/infracost/infracost (12,338 stars, Go, Apache-2.0)
- Launch HN: Infracost (YC W21) – open-source cloud cost estimator (190 points)
- The 190-point launch was the original PR-comment product. Everything added since 2021 (guardrails, AI remediation, platform manager view) is the modern pitch the current site describes.
What Is Infracost?
Infracost is a cloud cost intelligence layer that lives next to your Infrastructure-as-Code repos. The open-source core is a Go CLI that reads Terraform, OpenTofu, CloudFormation, AWS CDK, and Pulumi plans, then outputs the monthly cost diff for every resource. You wire it into a CI step on pull requests and reviewers see a comment like +$563,417 / mo (+200%) before the change is merged.
What makes it more than a single-purpose CLI is the surrounding platform:
- PR cost comments for Terraform / OpenTofu / CDK / CloudFormation / Pulumi in GitHub, GitLab, Bitbucket, and Azure DevOps
- FinOps guardrails that block pull requests which breach budget policies (for example “fail PR if monthly cost delta exceeds $1,000”)
- AI-driven remediation that scans existing resources for waste and suggests concrete Terraform patches
- Tagging compliance that ties untagged spend back to the right cost center
- Savings breakdown dashboard (the source of the launch HN image) that shows what fraction of compute, storage, and logging is already optimized
- IDE and AI agent integrations for VS Code, JetBrains, Cursor, and Claude Code, so engineers see cost impact as they write code
The core positioning is captured in the platform’s tagline: “Shift FinOps Left.” The idea is to put cost controls into the developer workflow rather than into a finance dashboard reviewed after the bill lands.
Repo-Specific Setup Workflow
The fastest way to get value is to run the CLI locally against a Terraform plan. The flow below works on macOS, Linux, and Windows with no API key for the first run (a free Infracost Cloud account unlocks PR comments and the hosted dashboard).
Step 1: Install the CLI
# macOS (Homebrew)
brew install infracost
# Linux / WSL
curl -fsSL https://raw.githubusercontent.com/infracost/infracost/master/scripts/install.sh | sh
# Windows (Scoop)
scoop install infracost
Verify the install and log into the hosted platform (optional but required for PR comments):
infracost --version
infracost auth login
Step 2: Register a Terraform project
Pick one Terraform directory in your repo and generate the price book the CLI uses:
cd path/to/your/terraform
infracost breakdown --path . --format table
A typical output looks like this for a small AWS footprint:
Project: acme-prod
 Name                                  Monthly Qty  Unit    Monthly Cost
 aws_instance.web
 ├─ Linux/UNIX usage (us-east-1)               730  hours         $42.00
 └─ root_block_device.storage_gb                20  GB             $2.00
 aws_db_instance.primary
 ├─ PostgreSQL (db.t3.medium, 730h)              1  months        $59.00
 └─ storage (gp2, 20GB)                         20  GB             $2.30
 aws_s3_bucket.logs
 └─ Standard storage                           500  GB            $11.50
 -------------------------------------------------------------------------
 Project total                                              $116.80 / mo
Step 3: Add a cost comment to pull requests
For GitHub Actions, the canonical recipe is the infracost/actions/setup step plus infracost/actions/comment:
name: Infracost
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  infracost:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: infracost/actions/setup@v4
        with:
          api-key: ${{ secrets.INFRACOST_API_KEY }}
      - run: terraform init
      - run: terraform plan -out tfplan.binary
      - run: terraform show -json tfplan.binary > plan.json
      - uses: infracost/actions/comment@v4
        with:
          path: plan.json
          behavior: update
The first time you open a pull request you should see a comment with a “Diff” table showing the monthly cost change of the change set, broken down per resource. The behavior of the comment is configurable: update keeps a single comment updated on every push, delete-and-new posts a fresh comment each run, and new always adds a new comment.
Step 4: Layer on a FinOps guardrail
A FinOps guardrail is a cost policy that fails a pull request when the proposed change violates it. The simplest example is a hard cap on monthly cost delta. Infracost ships a JSON-based policy DSL that the CLI evaluates against a plan:
infracost breakdown --path . --format json --out-file infracost.json
infracost diff --path infracost.json --format json --out-file diff.json
infracost run --policy-file policies/cost-cap.yml --path plan.json
A minimal cost-cap.yml policy file:
policies:
  - name: Block excessive cost increases
    rules:
      - metric: monthlyCost
        op: greaterThan
        value: 1000
        unit: USD
Wire the same step into a required CI check, and you have a hard guardrail: any change that would push the project over the threshold is blocked at review time rather than at the end of the month.
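One way to enforce the monthly cost delta cap as a fail-closed CI check, written as an added example (not Infracost's own code or policy engine). It reads the JSON report the CLI writes; the field names `currency`, `projects[].name` and `projects[].diff.totalMonthlyCost` are assumed to match that output, and the sample report is constructed.

```python
import json
from decimal import Decimal, InvalidOperation

# Constructed sample of a JSON cost-diff report (not real data).
SAMPLE_DIFF = json.loads("""
{"currency": "USD", "projects": [
  {"name": "acme-prod",  "diff": {"totalMonthlyCost": "1250.40"}},
  {"name": "acme-stage", "diff": {"totalMonthlyCost": "-30"}},
  {"name": "acme-data",  "diff": {"totalMonthlyCost": null}}
]}
""")


def evaluate_cost_cap(report, cap_usd, expected_currency="USD"):
    """Return a list of (project, reason) violations; an empty list means pass."""
    currency = report.get("currency")
    if currency != expected_currency:
        # A USD cap is meaningless against another currency: fail closed.
        return [("*", f"currency is {currency!r}, expected {expected_currency}")]
    projects = report.get("projects") or []
    if not projects:
        # An empty report must not be read as "no cost increase".
        return [("*", "report contains no projects")]
    cap = Decimal(str(cap_usd))
    violations = []
    for project in projects:
        name = project.get("name", "<unnamed>")
        raw = (project.get("diff") or {}).get("totalMonthlyCost")
        try:
            delta = Decimal(raw)
            usable = delta.is_finite()
        except (InvalidOperation, TypeError, ValueError):
            usable = False
        if not usable:
            # Missing or malformed delta: block rather than silently pass.
            violations.append((name, "monthly cost delta could not be determined"))
        elif delta > cap:
            violations.append((name, f"delta {delta} exceeds cap {cap}"))
    return violations


if __name__ == "__main__":
    found = evaluate_cost_cap(SAMPLE_DIFF, 1000)
    for name, reason in found:
        print(f"BLOCK {name}: {reason}")
    raise SystemExit(1 if found else 0)
```

Run as a required status check, the non-zero exit is what blocks the merge; a report that cannot be parsed or priced blocks too, so a broken cost step cannot pass the guardrail by accident.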
Step 5: Optional - install the IDE / AI agent extension
The platform publishes dedicated extensions for VS Code, JetBrains IDEs, Cursor, and Claude Code. Once connected with the same INFRACOST_API_KEY, the extension shows the running cost of the resource the cursor is in, so a developer writing a new aws_instance block sees the monthly price update live.
Deeper Analysis
What makes Infracost worth a closer look in 2026 is that the original PR-comment concept has been extended into a workflow that mirrors how platform engineering teams actually want to enforce FinOps today.
The shift-left framing matches the rest of the platform engineering stack. The “shift left” idea in DevSecOps is to move security, compliance, and quality checks as early as possible in the developer loop. Infracost applies the same idea to cost: instead of finance reporting on a dashboard 30 days after the bill, the developer sees the cost impact in their editor and the CI blocks budget breaches. The result is that cost becomes a first-class reviewable artifact, not a postmortem number.
The platform manager view is the differentiator versus simple PR comments. The hosted platform adds the role-based view finance and platform teams need: a savings breakdown across compute, storage, tagging, and logging, with percentages of each category that are already optimized. The platform’s published metrics (69% of enterprises overrun their cloud budget, 30% of cloud resources are wasted) frame Infracost as a continuous governance tool, not a one-shot PR comment.
AI remediation is the newest piece and worth scrutinizing. The platform’s value proposition includes “use AI to identify and quickly remediate new and existing cloud waste.” In practice this means scanning the live cloud state, finding resources that violate a FinOps policy (untagged, over-provisioned, idle, missing lifecycle rules), and proposing Terraform patches. This is a meaningful upgrade from the original 2021 launch, but it also depends on the hosted platform’s policies and AI integration rather than the open-source core.
The open-source core still does the heavy lifting. Even if you never sign up for the hosted platform, the CLI plus a CI step gives you the original launch promise: every pull request shows a cost diff, every plan can be diffed locally, and the policy DSL gives you a starting point for guardrails. This is the right entry point if your team is not ready to commit to a SaaS contract.
Practical Evaluation Checklist
Before adopting, walk through the following:
- [ ] Pick one Terraform / OpenTofu repo with a non-trivial plan and run infracost breakdown locally - it works without an account
- [ ] Decide which CI surface to attach first: GitHub Actions is the simplest integration; GitLab and Azure DevOps have similar recipes
- [ ] Choose a starter policy: most teams begin with a monthly cost delta cap, then add tag compliance and instance type restrictions
- [ ] Audit IaC scope: the CLI supports Terraform, OpenTofu, CloudFormation, AWS CDK, and Pulumi - confirm all the IaC flavors in your repos are covered before rollout
- [ ] Set a key-rotation policy for INFRACOST_API_KEY and decide which org members can author or override guardrails
- [ ] If you have multiple AWS / Azure / GCP accounts, plan for the Infracost Cloud org structure before importing dozens of repos
- [ ] Decide whether the AI remediation and savings dashboard justify the hosted contract, or whether the open-source CLI plus a homegrown Grafana panel is enough
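The tag-compliance starter policy from the checklist, sketched as an added example that is not Infracost's policy engine: it checks the `plan.json` produced by `terraform show -json` for resources that will be created or changed without the required tags. The required tag names are hypothetical and the plan excerpt is constructed.

```python
import json

# Constructed excerpt of `terraform show -json tfplan.binary` output (not real data).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["create"],
              "after": {"tags": {"team": "web"},
                        "tags_all": {"team": "web", "cost-center": "cc-104"}}}},
  {"address": "aws_db_instance.primary", "type": "aws_db_instance",
   "change": {"actions": ["update"], "after": {"tags": null, "tags_all": {}}}},
  {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "aws_iam_role_policy.x", "type": "aws_iam_role_policy",
   "change": {"actions": ["create"], "after": {"name": "x"}}}
]}
""")

REQUIRED_TAGS = {"team", "cost-center"}  # hypothetical policy for this example
SKIPPED_ACTIONS = {"no-op", "delete", "read"}  # nothing new gets billed


def missing_tags(plan, required=REQUIRED_TAGS):
    """Map resource address -> sorted list of required tags it lacks."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if after is None or set(change.get("actions", [])) <= SKIPPED_ACTIONS:
            continue
        # Resource types with no tags attribute cannot be tagged at all.
        if "tags" not in after and "tags_all" not in after:
            continue
        # tags_all also carries provider-level default tags; either may be null.
        effective = {**(after.get("tags") or {}), **(after.get("tags_all") or {})}
        present = {k for k, v in effective.items() if v not in (None, "")}
        lacking = sorted(required - present)
        if lacking:
            findings[rc["address"]] = lacking
    return findings


if __name__ == "__main__":
    for address, tags in missing_tags(SAMPLE_PLAN).items():
        print(f"{address}: missing {', '.join(tags)}")
```

Tag values that are only known after apply are omitted from `after` in the plan JSON, so this check reports them as missing rather than assuming they will be set.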
Security Notes
- The CLI reads your Terraform plan locally; the only data sent to Infracost Cloud is the parsed cost diff, not your full plan
- API keys are scoped to an Infracost Cloud org; rotate them in your CI secret store on the same schedule as your cloud provider keys
- The guardrail step in CI runs the same binary against the same plan; it cannot modify your infrastructure, only fail or pass
- The hosted platform’s AI remediation makes Terraform patches - it does not apply them automatically. Review every AI-generated patch in a pull request before merge.
- If you operate in a region with strict data residency requirements, check Infracost’s data processing addendum before turning on the hosted platform
FAQ
Q: Does Infracost work without an Infracost Cloud account? A: Yes. The open-source CLI handles the full cost breakdown and plan diff locally. A free Infracost Cloud account unlocks the pull-request comment, the savings dashboard, and the policy DSL run from CI.
Q: How does Infracost differ from AWS Cost Explorer or Azure Cost Management? A: Those are post-bill dashboards oriented to finance teams. Infracost runs at code review time, is driven by your Terraform plan rather than last month’s invoice, and produces line-item cost diffs per resource change. The hosted platform layers a savings breakdown on top, but the core audience is engineers and platform teams, not finance.
Q: Does the policy DSL support tagging and not just cost caps? A: Yes. Policies can target tags, instance types, regions, and resource kinds in addition to the raw monthly cost metric. The simplest starting set is a monthly cap, a required-tag policy, and a region restriction.
Q: Is this open source or source-available? A: The CLI and the GitHub Actions integrations are Apache-2.0. The hosted platform (guardrails, AI remediation, savings dashboard) is a paid SaaS product.
Q: Can I run Infracost against OpenTofu?
A: Yes. The CLI consumes the JSON plan output, which OpenTofu produces with the same terraform show -json or tofu show -json command. The CloudFormation and AWS CDK parsers are independent of the Terraform flavor.
Q: How accurate are the cost numbers? A: The CLI uses Infracost’s price book, which is updated continuously from AWS, Azure, and GCP pricing APIs. Reserve Instances, Savings Plans, and Enterprise Discount Programs are not factored in by default - you can supply a usage file with your negotiated rates for higher accuracy.
Conclusion
Infracost is the most mature open-source implementation of the shift-left FinOps idea. The 12K-star Apache-2.0 CLI is a low-friction entry point: install it, run infracost breakdown against one Terraform directory, and you immediately see the same cost numbers a finance dashboard would show 30 days later. From there, layering a PR comment and a FinOps guardrail into CI is a single GitHub Actions recipe. The hosted platform’s AI remediation and savings breakdown are the layer finance and platform teams buy into once the developer-side workflow is in place.