From c271d0193b8d950bad245e0151e90453dabd32d8 Mon Sep 17 00:00:00 2001
From: Derek Morgan <79756941+morethancertified@users.noreply.github.com>
Date: Fri, 18 Oct 2024 19:00:04 +0000
Subject: [PATCH] infracost
---
 .github/workflows/infracost.yml | 11 ++---------
 policies/cost.rego | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 9 deletions(-)
 create mode 100644 policies/cost.rego
diff --git a/.github/workflows/infracost.yml b/.github/workflows/infracost.yml
index db07ea9..2a4d0db 100644
--- a/.github/workflows/infracost.yml
+++ b/.github/workflows/infracost.yml
@@ -1,9 +1,7 @@
 name: 'Run Infracost'
-
 on:
 pull_request:
 types: [opened, synchronize, closed]
-
 jobs:
 infracost-pull-request-checks:
 name: Infracost Pull Request Checks
@@ -13,30 +11,25 @@ jobs:
 permissions:
 contents: read
 pull-requests: write # Required to post comments
-
 steps:
 - name: Setup Infracost
 uses: infracost/actions/setup@v3
 with:
 api-key: ${{ secrets.INFRACOST_API_KEY }}
-
 # Checkout the base branch of the pull request (e.g. main/master).
 - name: Checkout base branch
 uses: actions/checkout@v4
 with:
 ref: '${{ github.event.pull_request.base.ref }}'
-
 # Generate Infracost JSON file as the baseline.
 - name: Generate Infracost cost estimate baseline
 run: |
 infracost breakdown --path=. \
 --format=json \
 --out-file=/tmp/infracost-base.json
-
 # Checkout the current PR branch so we can create a diff.
 - name: Checkout PR branch
 uses: actions/checkout@v4
-
 # Generate an Infracost diff and save it to a JSON file.
 - name: Generate Infracost diff
 run: |
@@ -44,13 +37,13 @@ jobs:
 --format=json \ --compare-to=/tmp/infracost-base.json \ --out-file=/tmp/infracost.json - - name: Post Infracost comment run: | infracost comment github --path=/tmp/infracost.json \ --repo=$GITHUB_REPOSITORY \ --github-token=${{ github.token }} \ --pull-request=${{ github.event.pull_request.number }} \ - --behavior=update + --behavior=update \ + --policy-path ./policies/cost.rego \ No newline at end of file
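Review bot: The new `--policy-path ./policies/cost.rego` in the "Post Infracost comment" step is resolved against the PR-branch checkout, so the threshold this gate enforces is whatever `policies/cost.rego` the pull request itself carries, and an edit to that file in the same PR changes the policy applied to it. If the intent is a repository-level guard, take the policy from the base-branch checkout instead: in the "Generate Infracost cost estimate baseline" step (context of the previous hunk, where the base ref is checked out) add `cp policies/cost.rego /tmp/cost.rego`, and pass `--policy-path=/tmp/cost.rego` here; note the base branch has no policy file until this PR is merged, so the first run needs that copy guarded or accepted as a bootstrap failure. The flag also departs from the `--flag=value` form every neighbouring option uses, so `--policy-path=` keeps the invocation consistent. The file now ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while here.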
diff --git a/policies/cost.rego b/policies/cost.rego
new file mode 100644
index 0000000..67fb0e6
--- /dev/null
+++ b/policies/cost.rego
@@ -0,0 +1,24 @@
+package infracost # You must specify infracost as the Rego package name
+
+# Each file can have a number of "deny" rules that must return an "out" object
+# with keys "msg" & "failed". You can write as many "deny[out]" rule sets as you wish.
+# You can read more about rule definitions in Rego here: https://www.openpolicyagent.org/docs/latest/policy-language/#rules
+deny[out] {
+ # maxDiff defines the threshold that you require the cost estimate to be below
+ maxDiff = 5.0
+
+ # msg defines the output that will be shown in PR comments under the Policy Checks/Failures section
+ msg := sprintf(
+ "Total monthly cost diff must be less than $%.2f (actual diff is $%.2f)",
+ [maxDiff, to_number(input.diffTotalMonthlyCost)],
+ )
+
+ # out defines the output for this policy. This output must be formatted with a `msg` and `failed` property.
+ out := {
+ # the msg you want to display in your PR comment, must be a string
+ "msg": msg,
+ # a boolean value that determines if this policy has failed.
+ # In this case if the Infracost breakdown output diffTotalMonthlyCost is greater that $5000
+ "failed": to_number(input.diffTotalMonthlyCost) >= maxDiff
+ }
+}
\ No newline at end of file
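Review bot: The comment above the `"failed"` key says the policy fails when the diff is "greater that $5000", but `maxDiff = 5.0` and the comparison is `>=`, so it misstates both the amount and the operator; replace it with `# fails once the monthly cost diff reaches maxDiff ($5.00), matching the "less than" wording in msg`. `to_number(input.diffTotalMonthlyCost)` is evaluated twice, once for the message and once for the verdict; binding it once as `diff := to_number(input.diffTotalMonthlyCost)` and using `diff` in both the `sprintf` arguments and the `"failed"` expression keeps the reported and compared values the same by construction. `maxDiff = 5.0` uses unification where the rest of the rule uses `:=`; `maxDiff := 5.0` is the consistent form. If `diffTotalMonthlyCost` is ever missing from the Infracost JSON handed to the policy, `to_number` on an undefined value makes the whole rule body undefined and the check passes silently rather than failing, which is worth confirming against the Infracost output rather than assuming.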