Control Costs with Policies

Terraform Cloud estimates costs for many resources found in your Terraform configuration. It displays an hourly and monthly cost for each resource, and the monthly delta. It also totals the cost and delta of all estimable resources.

In this guide, you will enable cost estimation, then define a policy to check whether the total monthly delta is less than $100 a month.


This guide assumes that you are familiar with Terraform Cloud and you have an existing test Terraform Cloud workspace configured with AWS access credentials. Do not apply this policy to a production workspace as it may impact your production environment.

If you don’t have one, refer to the Create a Workspace guide and Set Up Workspace guide to learn more about Terraform Cloud and set up a Terraform Cloud workspace configured with AWS access credentials.

»Enable cost estimation

To enable Cost Estimation for your organization, check the box in your organization's settings on the "Cost Estimation" page, which you can access from the left-hand menu.


»Verify costs using policies

To verify cost estimates using policies, you need to update your policy set and define your policy. Fork the example repository cost-estimation branch to review the final configuration.

Add the following configuration to your sentinel.hcl file to declare your new policy in your policy set.

policy "less-than-100-month" {
  enforcement_level = "soft-mandatory"
}

Then, create a new file named less-than-100-month.sentinel that contains the following policy configuration.

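import "tfrun"
import "decimal"

# Convert the estimated monthly cost change to a decimal for exact comparison.
delta_monthly_cost = decimal.new(tfrun.cost_estimate.delta_monthly_cost)

# Pass only when the run changes the monthly cost by less than $100.
main = rule {
  delta_monthly_cost.less_than(100)
}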

This policy uses the tfrun import to check that the new cost delta is no more than $100. (A new t3.nano instance should cost well below that.) The decimal import is used for more accurate math when working with currency numbers.
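A stricter variant of the policy above, added here as an example and not part of the original guide: it fails explicitly when a run carries no cost estimate, instead of evaluating an undefined value. The names monthly_delta_limit, estimate_available and delta_within_limit are assumptions chosen for illustration.

```sentinel
import "tfrun"
import "decimal"

# Assumed name: the monthly delta ceiling in USD, matching the guide's $100.
monthly_delta_limit = decimal.new(100)

# tfrun.cost_estimate is only present when a cost estimate is available
# (cost estimation enabled and the run produced an estimate).
# "else null" turns the undefined value into null so it can be compared.
estimate_available = rule {
	(tfrun.cost_estimate else null) is not null
}

# Only evaluated when an estimate exists; a "when" rule whose predicate
# is false returns true, so main must also require estimate_available.
delta_within_limit = rule when estimate_available {
	decimal.new(tfrun.cost_estimate.delta_monthly_cost).less_than(monthly_delta_limit)
}

# A run without an estimate fails the policy check rather than slipping past it.
main = rule {
	estimate_available and delta_within_limit
}
```

With the soft-mandatory enforcement level from sentinel.hcl, a failure here stops the run until someone with override permission reviews it.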

Finally, save the updated policy configurations to source control. Terraform Cloud will run both policies defined in the sentinel.hcl policy set.

»Add an estimable Terraform configuration

You will need a valid configuration with cost-estimable resources. Add the following Terraform configuration to your workspace repository.

The Ubuntu AMI provided in the sample configuration is for us-west-1. Refer to the Amazon EC2 AMI Locator to select a similar AMI for your AWS region.

resource "aws_instance" "basic" {
  ami           = "ami-0ee1a20d6b0c6a347"
  instance_type = "t3.nano"
}

Then, save the updated configuration to source control and queue a run in Terraform Cloud.

For a full list of supported resources in Terraform Cloud cost estimation, refer to the AWS, Azure, and Google Cloud Cost Estimation Documentation.

»View cost estimate

After queueing a new run, Terraform Cloud will estimate your resource cost, which it displays in a phase in the run UI. There you'll find the list of resources, their price details, and the list of un-estimated resources. You'll also find the totals so you can get a sense of the proposed overall monthly cost once the run is applied.


Click "Discard run" to cancel the run.

»Next steps

Congrats — you've enabled cost estimation and used it in a policy check! This provides another tool to manage your infrastructure spending.

To learn more about cost estimation, refer to the Cost Estimation documentation.

If you would like to learn more about Terraform Cloud, refer to the following links.