├── .github └── assets │ ├── infracost-cloud-dashboard.png │ └── pr-comment.png ├── .gitignore ├── LICENSE ├── README.md ├── bitbucket-cloud.jenkinsfile ├── bitbucket-server.jenkinsfile ├── examples └── complicated-github.md └── github.jenkinsfile /.github/assets/infracost-cloud-dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/infracost/infracost-jenkins/e3faac262e8b9945fa7b6457ddfcd3e471d53a1b/.github/assets/infracost-cloud-dashboard.png -------------------------------------------------------------------------------- /.github/assets/pr-comment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/infracost/infracost-jenkins/e3faac262e8b9945fa7b6457ddfcd3e471d53a1b/.github/assets/pr-comment.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | notes.txt 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Infracost Jenkins 2 | 3 | This project provides the Jenkins integration for Infracost, so you can see cloud cost estimates and FinOps best practices for Terraform in pull requests 💰 4 | 5 | ![Example GitHub screenshot](.github/assets/pr-comment.png?raw=true) 6 | 7 | ## Quick start 8 | 9 | This guide is for using Jenkins with GitHub and Bitbucket. GitHub users can also consider using the [Infracost GitHub App](https://www.infracost.io/docs/integrations/github_app/) as it's much simpler to setup and faster to run. If you use Jenkins with Azure DevOps Repos or GitLab, please email [hello@infracost.io](mailto:hello@infracost.io) so we can discuss your requirements and support you. 10 | 11 | 1. If you haven't done so already, [download Infracost](https://www.infracost.io/docs/#quick-start) and run `infracost auth login` to get a free API key. 12 | 13 | 2. Retrieve your Infracost API key by running `infracost configure get api_key`. 14 | 15 | 3. Create a new credential in Jenkins' management panel (or wherever you store credentials), called `infracost-api-key`, and enter your Infracost API key. 16 | 17 | 4. Create credentials that Infracost will use to post pull request comments. This should be a credential in Jenkins' management panel (or wherever you store credentials), called `github-token`, `bitbucket-app-password` or `bitbucket-access-token`. 18 | 19 | - For GitHub, create a GitHub token, such as [Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token), that can be used by the Infracost CLI in the Jenkinsfile to post comments. The token needs to have `repo` scope so it can post comments. If you are using SAML single sign-on, you must first [authorize the token](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on). 20 | - For Bitbucket Cloud, you can either use a App password (recommended) or a Repository access token. 21 | - To generate a App password go to your Personal Settings > App passwords and generate a password that has read and write permissions for Repositories and Pull requests. 22 | - To generate a Repository access token go to Repository Settings > Access tokens and generate a token that has read and write permissions for Repositories and Pull requests. 23 | - For Bitbucket Server, set this to your [HTTP access token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html). Read-only repository permission should be enough as the [their docs](https://confluence.atlassian.com/bitbucketserver/using-repository-permissions-776639771.html) mentions that "comment on a pull request" is allowed too. 24 | 25 | 5. Implement either [Bitbucket Cloud Jenkinsfile](bitbucket-cloud.jenkinsfile) or [Bitbucket Server Jenkinsfile](bitbucket-server.jenkinsfile) in your Jenkins. Note how the Jenkinsfile has two key steps: 26 | - one step that runs on pull requests and posts the pull request comment 27 | - another step that runs when the main/master branch is updated to upload the results to Infracost Cloud 28 | 29 | The [GitHub Jenkinsfile](github.jenkinsfile) example was developed for cases where there are no pull requests and instead a job is run on feature branches directly; if you use pull requests in your workflow, please email [hello@infracost.io](mailto:hello@infracost.io) so we can update it for you 30 | 31 | 6. Follow [these simple steps](https://www.infracost.io/docs/infracost_cloud/get_started/#4-send-a-pull-request) to test the integration. 32 | 33 | 7. [Infracost Cloud](https://dashboard.infracost.io) is our SaaS product that builds on top of Infracost open source. It enables team leads, managers and FinOps practitioners to setup [tagging policies](https://www.infracost.io/docs/infracost_cloud/tagging_policies/), [guardrails](https://www.infracost.io/docs/infracost_cloud/guardrails/) and [best practices](https://www.infracost.io/docs/infracost_cloud/cost_policies/) to help guide the team. For example, you can check for required tag keys/values, or suggest switching AWS gp2 volumes to gp3 as they are more performant and cheaper. 34 | 35 | If you **do not** want to use [Infracost Cloud](https://dashboard.infracost.io), go to Org Settings and disable the dashboard. This causes the CLI not to send its JSON output to your dashboard; the JSON does not contain any cloud credentials or secrets, see the [FAQ](https://infracost.io/docs/faq/) for more information. 36 | 37 | Infracost Cloud enables you to check for best practices such as using latest generation instance types or block storage, as well as setup tagging policies and guardrails to help guide the team. 38 | 39 | ## Private Terraform modules 40 | 41 | If you use private Terraform modules in your project you'll need to correctly configure the Jenkins pipeline to fetch these. You can find more information about private modules [on our docs](https://www.infracost.io/docs/guides/terraform_modules/). 42 | 43 | ## Comment options 44 | 45 | The Infracost CLI can post cost estimates to pull request or commits on GitHub, GitLab, Azure Repos and Bitbucket. Run `infracost comment --help` to see the the list of options or [see our docs](https://www.infracost.io/docs/features/cli_commands/#comment-on-pull-requests). 46 | 47 | ## Contributing 48 | 49 | Issues and pull requests are welcome. Please create issues in [this repo](https://github.com/infracost/infracost) or [join our community Slack](https://www.infracost.io/community-chat), we are a friendly bunch and happy to help you get started :) 50 | 51 | ## License 52 | 53 | [Apache License 2.0](https://choosealicense.com/licenses/apache-2.0/) 54 | -------------------------------------------------------------------------------- /bitbucket-cloud.jenkinsfile: -------------------------------------------------------------------------------- 1 | // Requires Pipeline Utility Steps plugin (https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/) 2 | 3 | pipeline { 4 | agent any 5 | 6 | parameters { 7 | string(name: 'REPO_NAME', description: 'Bitbucket repository name. E.g. ""') 8 | string(name: 'BRANCH_NAME', description: 'Bitbucket branch name. E.g. "my_branch"') 9 | string(name: 'TF_VAR_FILE', defaultValue: '', description: 'Optional Terraform var file name, relative branch root. E.g. "path/to/my_var_file.tfvars"') 10 | } 11 | 12 | stages { 13 | stage('infracost') { 14 | agent { 15 | docker { 16 | // This uses the latest CLI patch version of 0.10 to pick up bug fixes and new resources. 17 | image 'infracost/infracost:ci-0.10' 18 | args "--user=root --entrypoint='' --pull always" 19 | } 20 | } 21 | 22 | steps { 23 | script { 24 | // Set up required Bitbucket credentials for posting pull request comments. 25 | // Read-only repository permission should be enough as the following doc mentions that "comment on a pull request" is allowed too: 26 | // https://confluence.atlassian.com/bitbucketserver/using-repository-permissions-776639771.html 27 | // 28 | // This should be ":" 29 | env.BITBUCKET_APP_PASSWORD = credentials('bitbucket-app-password') 30 | env.BITBUCKET_URL = 'https://bitbucket.org' 31 | env.BITBUCKET_API_URL = 'https://api.bitbucket.org/2.0' 32 | 33 | env.INFRACOST_API_KEY = credentials('infracost-api-key') 34 | 35 | env.LOG_LEVEL = 'warn' 36 | env.REPO_NAME = "${params.REPO_NAME}" // / 37 | env.BRANCH_NAME = "${params.BRANCH_NAME}" 38 | env.BITBUCKET_GIT_ORIGIN = "${BITBUCKET_URL}/${env.REPO_NAME}" // or a SSH origin like "git@bitbucket.org://.git" 39 | env.TF_VAR_FILE = "${params.TF_VAR_FILE ?: ''}" 40 | 41 | if (env.TF_VAR_FILE && !fileExists(env.TF_VAR_FILE)) { 42 | error("TF_VAR_FILE '${env.TF_VAR_FILE}' was specified but does not exist") 43 | } 44 | 45 | // If you store Terraform variables or modules in a 3rd party such as Terraform Cloud or Spacelift, 46 | // specify the following so Infracost can automatically retrieve them. 47 | // See https://www.infracost.io/docs/features/terraform_modules/#registry-modules for details. 48 | // env.INFRACOST_TERRAFORM_CLOUD_TOKEN = credentials('terraform-cloud-token') 49 | // env.INFRACOST_TERRAFORM_CLOUD_HOST = 'app.terraform.io' 50 | } 51 | 52 | script { 53 | if (env.BITBUCKET_APP_PASSWORD) { 54 | env.BITBUCKET_TOKEN = env.BITBUCKET_APP_PASSWORD 55 | } else if (env.BITBUCKET_ACCESS_TOKEN) { 56 | env.BITBUCKET_TOKEN = env.BITBUCKET_ACCESS_TOKEN 57 | env.BEARER = "Bearer" 58 | } else { 59 | error("Either BITBUCKET_APP_PASSWORD or BITBUCKET_ACCESS_TOKEN environment variable is required") 60 | } 61 | 62 | // setup env necessary for infracost breakdown 63 | 64 | env.INFRACOST_VCS_PROVIDER = 'bitbucket' 65 | env.INFRACOST_VCS_REPOSITORY_URL = "${env.BITBUCKET_URL}/${env.REPO_NAME}" 66 | env.INFRACOST_VCS_BRANCH = env.BRANCH_NAME 67 | 68 | // look up PR details using the Bitbucket REST API 69 | def prsOut = sh(script: 'curl -sS --get \ 70 | --url "$BITBUCKET_API_URL/repositories/$REPO_NAME/pullrequests" \ 71 | --data-urlencode "q=source.branch.name=\\\"$BRANCH_NAME\\\"" \ 72 | --header "Authorization: $BEARER $BITBUCKET_TOKEN" \ 73 | --header "Accept: application/json"', 74 | returnStdout: true).trim() 75 | def prsDetails = readJSON text: prsOut 76 | 77 | if (!prsDetails.values.isEmpty()) { 78 | env.INFRACOST_VCS_PULL_REQUEST_ID = prsDetails.values[0].id 79 | env.INFRACOST_VCS_PULL_REQUEST_URL = prsDetails.values[0].links.html.href 80 | env.INFRACOST_VCS_PULL_REQUEST_TITLE = prsDetails.values[0].title 81 | env.INFRACOST_VCS_PULL_REQUEST_AUTHOR = prsDetails.values[0].author.nickname 82 | env.INFRACOST_VCS_BASE_BRANCH = prsDetails.values[0].destination.branch.name 83 | } 84 | } 85 | 86 | script { 87 | if (!env.INFRACOST_VCS_PULL_REQUEST_URL) { 88 | // this is a branch run and will be handled by the next script block 89 | return 90 | } 91 | def failuresList = null 92 | try { 93 | def mergeBaseSha = null 94 | // find merge base for the PR from Bitbucket REST API 95 | def mergeBaseOut = sh(script: 'curl -sS --get \ 96 | --url "$BITBUCKET_API_URL/repositories/$REPO_NAME/merge-base/$INFRACOST_VCS_BASE_BRANCH..$INFRACOST_VCS_BRANCH" \ 97 | --header "Authorization: $BEARER $BITBUCKET_TOKEN" \ 98 | --header "Accept: application/json"', 99 | returnStdout: true).trim() 100 | def mergeBaseDetails = readJSON text: mergeBaseOut 101 | mergeBaseSha = mergeBaseDetails.hash 102 | 103 | echo "Found merge base SHA: ${mergeBaseSha}" 104 | 105 | // Clone the repository to a temporary directory 106 | sh "git clone --depth 1 -b ${env.INFRACOST_VCS_BRANCH} $BITBUCKET_GIT_ORIGIN /tmp/repo" 107 | 108 | echo "Generating Infracost baseline from merge base" 109 | 110 | // Checkout the merge base commit 111 | sh "cd /tmp/repo && git fetch --depth 1 origin ${mergeBaseSha} && git checkout -q ${mergeBaseSha}" 112 | 113 | sh 'infracost breakdown --path=/tmp/repo \ 114 | --format=json \ 115 | --out-file=/tmp/infracost-base.json \ 116 | --log-level=$LOG_LEVEL \ 117 | --terraform-var-file=$TF_VAR_FILE' 118 | 119 | echo "Generating Infracost diff" 120 | 121 | sh "cd /tmp/repo && git checkout ${env.INFRACOST_VCS_BRANCH}" 122 | 123 | // Generate an Infracost diff and save it to a JSON file. 124 | sh 'infracost diff --path=/tmp/repo \ 125 | --format=json \ 126 | --compare-to=/tmp/infracost-base.json \ 127 | --out-file=/tmp/infracost.json \ 128 | --log-level=$LOG_LEVEL \ 129 | --terraform-var-file=$TF_VAR_FILE' 130 | 131 | echo "Generating Infracost comment" 132 | 133 | // Post PR comment and upload the infracost.json file to Infracost Cloud 134 | def commentOutput = sh( 135 | script: 'infracost comment bitbucket --path=/tmp/infracost.json \ 136 | --repo=$REPO_NAME \ 137 | --pull-request=$INFRACOST_VCS_PULL_REQUEST_ID \ 138 | --bitbucket-server-url=$BITBUCKET_URL \ 139 | --bitbucket-token=$BITBUCKET_TOKEN \ 140 | --behavior=update \ 141 | --format=json \ 142 | --exclude-cli-output \ 143 | 2> commentErrOut.txt \ 144 | || true', 145 | returnStdout: true, 146 | ) 147 | def commentErrOut = readFile('commentErrOut.txt').trim() 148 | echo commentErrOut 149 | 150 | def commentAnchor = "" 151 | def commentMatch = commentErrOut =~ /\/comments\/([^\s]+)/ 152 | if (commentMatch) { 153 | commentAnchor = "#comment-${commentMatch[0][1]}" 154 | } 155 | commentMatch = null // This is needed because Jenkins can't serialize the matcher object 156 | 157 | def commentUrl = "${env.INFRACOST_VCS_PULL_REQUEST_URL}${commentAnchor}" 158 | def commentDetails = readJSON text: commentOutput 159 | 160 | def infracostReport = "########## See Infracost branch diff ##########\n${commentUrl}\n##########" 161 | echo infracostReport 162 | writeFile file: 'infracost.txt', text: infracostReport 163 | archiveArtifacts artifacts: 'infracost.txt' 164 | 165 | if (commentDetails.governanceFailures instanceof List && !commentDetails.governanceFailures.isEmpty()) { 166 | failuresList = commentDetails.governanceFailures.collect { it } 167 | } 168 | } catch (Exception e) { 169 | echo "Caught an error: ${e}" 170 | } 171 | if (failuresList != null) { 172 | error("Governance check failed:\n- ${failuresList.join(' ')}\n") 173 | } 174 | } 175 | 176 | script { 177 | if (env.INFRACOST_VCS_PULL_REQUEST_URL) { 178 | // this is a PR run and has been handled by the previous script block 179 | return 180 | } 181 | 182 | try { 183 | echo "Generating Infracost baseline for default branch" 184 | 185 | // Clone the repository to a temporary directory 186 | sh "git clone --depth 1 -b ${env.BRANCH_NAME} $BITBUCKET_GIT_ORIGIN /tmp/repo && cd /tmp/repo" 187 | 188 | // Run Infracost breakdown, don't use the TF_VAR_FILE so all projects in the repo are evaluated 189 | sh 'infracost breakdown --path=/tmp/repo \ 190 | --format=json \ 191 | --out-file=/tmp/infracost.json \ 192 | --log-level=$LOG_LEVEL' 193 | 194 | // Run Infracost upload 195 | def uploadOutput = sh( script: "infracost upload --path=/tmp/infracost.json --format=json || true", returnStdout: true ) 196 | def uploadDetails = readJSON text: uploadOutput 197 | def repoUrl = uploadDetails.cloudUrl.find(/.*\/repos\/[^\/]+/) 198 | def infracostReport = "########## See Infracost repo report ##########\n${repoUrl}\n##########" 199 | 200 | echo infracostReport 201 | writeFile file: 'infracost.txt', text: infracostReport 202 | archiveArtifacts artifacts: 'infracost.txt' 203 | 204 | // Check for a PR merge in the git log and update PR status in Infracost Cloud 205 | gitLogOut = sh (script: 'cd /tmp/repo && git log -1', returnStdout: true) 206 | def prMergeMatch = gitLogOut =~ /\(pull request #(\d+)\)/ 207 | def prNumber 208 | if (prMergeMatch) { 209 | prNumber = prMergeMatch[0][1] 210 | } 211 | prMergeMatch = null // This is needed because Jenkins can't serialize the matcher object 212 | if (prNumber) { 213 | echo "Found merge comment for PR ${prNumber}" 214 | env.INFRACOST_VCS_PULL_REQUEST_URL = "$BITBUCKET_URL/$REPO_NAME/pull-requests/$prNumber" 215 | 216 | if (env.INFRACOST_VCS_PULL_REQUEST_URL) { 217 | sh 'curl -sS --request POST \ 218 | --header "Content-Type: application/json" \ 219 | --header "X-API-Key: ${INFRACOST_API_KEY}" \ 220 | --data \'{ "query": "mutation { updatePullRequestStatus(url: \\"\'$INFRACOST_VCS_PULL_REQUEST_URL\'\\", status: MERGED) }" }\' \ 221 | "https://dashboard.api.infracost.io/graphql"' 222 | echo "Updated $INFRACOST_VCS_PULL_REQUEST_URL to merged." 223 | } 224 | } 225 | } catch (Exception e) { 226 | echo "Caught an error: ${e}" 227 | } 228 | } 229 | } 230 | } 231 | } 232 | } 233 | -------------------------------------------------------------------------------- /bitbucket-server.jenkinsfile: -------------------------------------------------------------------------------- 1 | // Requires Pipeline Utility Steps plugin (https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/) 2 | 3 | pipeline { 4 | agent any 5 | 6 | parameters { 7 | string(name: 'REPO_NAME', description: 'Bitbucket repository name. E.g. ""') 8 | string(name: 'BRANCH_NAME', description: 'Bitbucket branch name. E.g. "my_branch"') 9 | string(name: 'TF_VAR_FILE', defaultValue: '', description: 'Optional Terraform var file name, relative branch root. E.g. "path/to/my_var_file.tfvars"') 10 | } 11 | 12 | stages { 13 | stage('infracost') { 14 | agent { 15 | docker { 16 | // This uses the latest CLI patch version of 0.10 to pick up bug fixes and new resources. 17 | image 'infracost/infracost:ci-0.10' 18 | args "--user=root --entrypoint='' --pull always" 19 | } 20 | } 21 | 22 | steps { 23 | script { 24 | // Set up required Bitbucket credentials for posting pull request comments. 25 | // Read-only repository permission should be enough as the following doc mentions that "comment on a pull request" is allowed too: 26 | // https://confluence.atlassian.com/bitbucketserver/using-repository-permissions-776639771.html 27 | env.BITBUCKET_ACCESS_TOKEN = credentials('bitbucket-access-token') 28 | 29 | env.BITBUCKET_URL = 'https://bitbucket.org' // Or https://your-bitbucket-server.com 30 | env.BITBUCKET_API_URL = 'https://api.bitbucket.org/2.0' // Or your bitbucket server API URL 31 | 32 | env.INFRACOST_API_KEY = credentials('infracost-api-key') 33 | 34 | env.LOG_LEVEL = 'warn' 35 | env.REPO_NAME = "${params.REPO_NAME}" // / 36 | env.BRANCH_NAME = "${params.BRANCH_NAME}" 37 | env.BITBUCKET_GIT_ORIGIN = "${BITBUCKET_URL}/${env.REPO_NAME}" // or a SSH origin like "git@bitbucket.org://.git" 38 | env.TF_VAR_FILE = "${params.TF_VAR_FILE ?: ''}" 39 | 40 | if (env.TF_VAR_FILE && !fileExists(env.TF_VAR_FILE)) { 41 | error("TF_VAR_FILE '${env.TF_VAR_FILE}' was specified but does not exist") 42 | } 43 | 44 | // If you store Terraform variables or modules in a 3rd party such as Terraform Cloud or Spacelift, 45 | // specify the following so Infracost can automatically retrieve them. 46 | // See https://www.infracost.io/docs/features/terraform_modules/#registry-modules for details. 47 | // env.INFRACOST_TERRAFORM_CLOUD_TOKEN = credentials('terraform-cloud-token') 48 | // env.INFRACOST_TERRAFORM_CLOUD_HOST = 'app.terraform.io' 49 | } 50 | 51 | script { 52 | if (env.BITBUCKET_APP_PASSWORD) { 53 | env.BITBUCKET_TOKEN = env.BITBUCKET_APP_PASSWORD 54 | } else if (env.BITBUCKET_ACCESS_TOKEN) { 55 | env.BITBUCKET_TOKEN = env.BITBUCKET_ACCESS_TOKEN 56 | env.BEARER = "Bearer" 57 | } else { 58 | error("Either BITBUCKET_APP_PASSWORD or BITBUCKET_ACCESS_TOKEN environment variable is required") 59 | } 60 | 61 | // setup env necessary for infracost breakdown 62 | 63 | env.INFRACOST_VCS_PROVIDER = 'bitbucket' 64 | env.INFRACOST_VCS_REPOSITORY_URL = "${env.BITBUCKET_URL}/${env.REPO_NAME}" 65 | env.INFRACOST_VCS_BRANCH = env.BRANCH_NAME 66 | 67 | // look up PR details using the Bitbucket server REST API 68 | // 69 | // NOTE: the following curl and code block needs to be tested with your Bitbucket server version, 70 | // it might require tweaking. Once you're done testing, remove the -i from curl 71 | // and the echo command to reduce noise in your logs. 72 | // 73 | def prsOut = sh(script: 'curl -i --get \ 74 | --url "$BITBUCKET_API_URL/projects/{projectKey}/repos/{repositorySlug}/pull-requests" \ 75 | --data-urlencode "at=refs/heads/$BRANCH_NAME" \ 76 | --header "Authorization: $BEARER $BITBUCKET_TOKEN" \ 77 | --header "Accept: application/json"', 78 | returnStdout: true).trim() 79 | def prsDetails = readJSON text: prsOut 80 | echo "Bitbucket API response for prsDetails: ${prsDetails}" // Delete this line after debugging 81 | 82 | if (!prsDetails.values.isEmpty()) { 83 | env.INFRACOST_VCS_PULL_REQUEST_ID = prsDetails.values[0].id 84 | env.INFRACOST_VCS_PULL_REQUEST_URL = "TODO" 85 | env.INFRACOST_VCS_PULL_REQUEST_TITLE = prsDetails.values[0].title 86 | env.INFRACOST_VCS_BASE_BRANCH = prsDetails.values[0].toRef.id 87 | 88 | def author = prsDetails.values[0].participants.find { it.role == "AUTHOR" } 89 | if (author) { 90 | env.INFRACOST_VCS_PULL_REQUEST_AUTHOR = author.name 91 | } 92 | } 93 | } 94 | 95 | script { 96 | if (!env.INFRACOST_VCS_PULL_REQUEST_URL) { 97 | // this is a branch run and will be handled by the next script block 98 | return 99 | } 100 | def failuresList = null 101 | try { 102 | def mergeBaseSha = null 103 | // find merge base for the PR from Bitbucket server REST API 104 | // 105 | // NOTE: the following curl needs to be tested with your Bitbucket server version, 106 | // it might require tweaking. Once you're done testing, remove the -i from curl 107 | // and the echo command to reduce noise in your logs. 108 | // 109 | def mergeBaseOut = sh(script: 'curl -i --get \ 110 | --url "$BITBUCKET_API_URL/projects/{projectKey}/repos/{repositorySlug}/pull-requests/{pullRequestId}/merge-base" \ 111 | --header "Authorization: $BEARER $BITBUCKET_TOKEN" \ 112 | --header "Accept: application/json"', 113 | returnStdout: true).trim() 114 | def mergeBaseDetails = readJSON text: mergeBaseOut 115 | echo "Bitbucket API response for mergeBaseDetails: ${mergeBaseDetails}" // Delete this line after debugging 116 | mergeBaseSha = mergeBaseDetails.id 117 | 118 | echo "Found merge base SHA: ${mergeBaseSha}" 119 | 120 | // Clone the repository to a temporary directory 121 | sh "git clone --depth 1 -b ${env.INFRACOST_VCS_BRANCH} $BITBUCKET_GIT_ORIGIN /tmp/repo" 122 | 123 | echo "Generating Infracost baseline from merge base" 124 | 125 | // Checkout the merge base commit 126 | sh "cd /tmp/repo && git fetch --depth 1 origin ${mergeBaseSha} && git checkout -q ${mergeBaseSha}" 127 | 128 | sh 'infracost breakdown --path=/tmp/repo \ 129 | --format=json \ 130 | --out-file=/tmp/infracost-base.json \ 131 | --log-level=$LOG_LEVEL \ 132 | --terraform-var-file=$TF_VAR_FILE' 133 | 134 | echo "Generating Infracost diff" 135 | 136 | sh "cd /tmp/repo && git checkout ${env.INFRACOST_VCS_BRANCH}" 137 | 138 | // Generate an Infracost diff and save it to a JSON file. 139 | sh 'infracost diff --path=/tmp/repo \ 140 | --format=json \ 141 | --compare-to=/tmp/infracost-base.json \ 142 | --out-file=/tmp/infracost.json \ 143 | --log-level=$LOG_LEVEL \ 144 | --terraform-var-file=$TF_VAR_FILE' 145 | 146 | echo "Generating Infracost comment" 147 | 148 | // Post PR comment and upload the infracost.json file to Infracost Cloud 149 | def commentOutput = sh( 150 | script: 'infracost comment bitbucket --path=/tmp/infracost.json \ 151 | --repo=$REPO_NAME \ 152 | --pull-request=$INFRACOST_VCS_PULL_REQUEST_ID \ 153 | --bitbucket-server-url=$BITBUCKET_URL \ 154 | --bitbucket-token=$BITBUCKET_TOKEN \ 155 | --behavior=update \ 156 | --format=json \ 157 | --exclude-cli-output \ 158 | 2> commentErrOut.txt \ 159 | || true', 160 | returnStdout: true, 161 | ) 162 | def commentErrOut = readFile('commentErrOut.txt').trim() 163 | echo commentErrOut 164 | 165 | def commentAnchor = "" 166 | def commentMatch = commentErrOut =~ /\/comments\/([^\s]+)/ 167 | if (commentMatch) { 168 | commentAnchor = "#comment-${commentMatch[0][1]}" 169 | } 170 | commentMatch = null // This is needed because Jenkins can't serialize the matcher object 171 | 172 | def commentUrl = "${env.INFRACOST_VCS_PULL_REQUEST_URL}${commentAnchor}" 173 | def commentDetails = readJSON text: commentOutput 174 | 175 | def infracostReport = "########## See Infracost branch diff ##########\n${commentUrl}\n##########" 176 | echo infracostReport 177 | writeFile file: 'infracost.txt', text: infracostReport 178 | archiveArtifacts artifacts: 'infracost.txt' 179 | 180 | if (commentDetails.governanceFailures instanceof List && !commentDetails.governanceFailures.isEmpty()) { 181 | failuresList = commentDetails.governanceFailures.collect { it } 182 | } 183 | } catch (Exception e) { 184 | echo "Caught an error: ${e}" 185 | } 186 | if (failuresList != null) { 187 | error("Governance check failed:\n- ${failuresList.join(' ')}\n") 188 | } 189 | } 190 | 191 | script { 192 | if (env.INFRACOST_VCS_PULL_REQUEST_URL) { 193 | // this is a PR run and has been handled by the previous script block 194 | return 195 | } 196 | 197 | try { 198 | echo "Generating Infracost baseline for default branch" 199 | 200 | // Clone the repository to a temporary directory 201 | sh "git clone --depth 1 -b ${env.BRANCH_NAME} $BITBUCKET_GIT_ORIGIN /tmp/repo && cd /tmp/repo" 202 | 203 | // Run Infracost breakdown, don't use the TF_VAR_FILE so all projects in the repo are evaluated 204 | sh 'infracost breakdown --path=/tmp/repo \ 205 | --format=json \ 206 | --out-file=/tmp/infracost.json \ 207 | --log-level=$LOG_LEVEL' 208 | 209 | // Run Infracost upload 210 | def uploadOutput = sh( script: "infracost upload --path=/tmp/infracost.json --format=json || true", returnStdout: true ) 211 | def uploadDetails = readJSON text: uploadOutput 212 | def repoUrl = uploadDetails.cloudUrl.find(/.*\/repos\/[^\/]+/) 213 | def infracostReport = "########## See Infracost repo report ##########\n${repoUrl}\n##########" 214 | 215 | echo infracostReport 216 | writeFile file: 'infracost.txt', text: infracostReport 217 | archiveArtifacts artifacts: 'infracost.txt' 218 | 219 | // Check for a PR merge in the git log and update PR status in Infracost Cloud 220 | gitLogOut = sh (script: 'cd /tmp/repo && git log -1', returnStdout: true) 221 | def prMergeMatch = gitLogOut =~ /\(pull request #(\d+)\)/ 222 | def prNumber 223 | if (prMergeMatch) { 224 | prNumber = prMergeMatch[0][1] 225 | } 226 | prMergeMatch = null // This is needed because Jenkins can't serialize the matcher object 227 | if (prNumber) { 228 | echo "Found merge comment for PR ${prNumber}" 229 | // TODO, how do we calculate the pr url for a pr number? 230 | //env.INFRACOST_VCS_PULL_REQUEST_URL = "$BITBUCKET_URL/$REPO_NAME/pull-requests/$prNumber" 231 | 232 | if (env.INFRACOST_VCS_PULL_REQUEST_URL) { 233 | sh 'curl -sS --request POST \ 234 | --header "Content-Type: application/json" \ 235 | --header "X-API-Key: ${INFRACOST_API_KEY}" \ 236 | --data \'{ "query": "mutation { updatePullRequestStatus(url: \\"\'$INFRACOST_VCS_PULL_REQUEST_URL\'\\", status: MERGED) }" }\' \ 237 | "https://dashboard.api.infracost.io/graphql"' 238 | echo "Updated $INFRACOST_VCS_PULL_REQUEST_URL to merged." 239 | } 240 | } 241 | } catch (Exception e) { 242 | echo "Caught an error: ${e}" 243 | } 244 | } 245 | } 246 | } 247 | } 248 | } 249 | -------------------------------------------------------------------------------- /examples/complicated-github.md: -------------------------------------------------------------------------------- 1 | Please email [hello@infracost.io](mailto:hello@infracost.io) if you think you need a more complicated GitHub Jenkins setup (such as the following) so we can discuss your requirements and support you. 2 | 3 | This Infracost Jenkins integrations requires two jobs: 4 | - The first job (`infracost-pr.Jenkinsfile`) runs on pull requests to check them and post the pull request comment. Ideally you should configure this job to be automatically triggered when new pull requests are opened. The following example enables you to enter the pull request ULR and run the job manually. 5 | - The second job (`infracost-default-branch-cron.Jenkinsfile`) runs on the main/master branch so the Infracost Cloud dashboard is updated. Ideally you should configure this job to be automatically triggered when the main/master branch is updated. The following example uses a cron schedule to run this job every hour, running this job once or twice a day should also be sufficient. 6 | 7 | ```Jenkinsfile 8 | // This is the infracost-pr.Jenkinsfile 9 | // Requires Pipeline Utility Steps plugin (https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/) 10 | 11 | pipeline { 12 | agent any 13 | 14 | parameters { 15 | string(name: 'PR_URL', defaultValue: '', description: 'Pull request URL') 16 | } 17 | 18 | stages { 19 | stage('infracost') { 20 | agent { 21 | docker { 22 | // Always use the latest 0.10.x version to pick up bug fixes and new resources. 23 | // See https://www.infracost.io/docs/integrations/cicd/#docker-images for other options 24 | image 'infracost/infracost:ci-0.10' 25 | args "--user=root --entrypoint=''" 26 | } 27 | } 28 | 29 | // Set up any required credentials for posting the comment, e.g. GitHub token, GitLab token 30 | environment { 31 | INFRACOST_API_KEY = credentials('infracost-api-key') 32 | GITHUB_TOKEN = credentials('github-token') 33 | INFRACOST_VCS_PROVIDER = 'github' 34 | } 35 | 36 | steps { 37 | // Extract the GitHub repository name and the PR number from the PR URL 38 | script { 39 | def prUrl = params.PR_URL 40 | 41 | def matcher = prUrl =~ /https:\/\/github\.com\/([^\/]+\/[^\/]+)\/pull\/(\d+)/ 42 | if (!matcher) { 43 | error "Failed to parse PR URL: ${prUrl}" 44 | } 45 | env.REPO_NAME = matcher[0][1] 46 | env.PR_NUMBER = matcher[0][2] 47 | 48 | // This is needed because Jenkins can't serialize the matcher object 49 | matcher = null 50 | 51 | // Set PR and Repository URL environment variables 52 | env.INFRACOST_VCS_REPOSITORY_URL = "https://github.com/${env.REPO_NAME}" 53 | env.INFRACOST_VCS_PULL_REQUEST_URL = prUrl 54 | 55 | // Call GitHub API to get PR details 56 | def apiUrl = "https://api.github.com/repos/${env.REPO_NAME}/pulls/${env.PR_NUMBER}" 57 | echo "Calling GitHub API: ${apiUrl}" 58 | def output = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + apiUrl + '\"', returnStdout: true).trim() 59 | def prDetails = readJSON text: output 60 | 61 | // Set environment variables based on PR details 62 | env.INFRACOST_VCS_PULL_REQUEST_TITLE = prDetails.title 63 | env.INFRACOST_VCS_BRANCH = prDetails.head.ref 64 | env.INFRACOST_VCS_PULL_REQUEST_AUTHOR = prDetails.user.login 65 | env.INFRACOST_VCS_PULL_REQUEST_LABELS = prDetails.labels.collect { it.name }.join(',') 66 | env.INFRACOST_VCS_BASE_BRANCH = prDetails.base.ref 67 | env.INFRACOST_VCS_COMMIT_SHA = prDetails.head.sha 68 | 69 | 70 | // Additional API call for commit details 71 | def commitUrl = prDetails.head.repo.commits_url.replace('{/sha}', "/${env.INFRACOST_VCS_COMMIT_SHA}") 72 | echo "Calling GitHub API: ${commitUrl}" 73 | def commitOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + commitUrl + '\"', returnStdout: true).trim() 74 | def commitDetails = readJSON text: commitOutput 75 | 76 | // Set more environment variables based on commit details 77 | env.INFRACOST_VCS_COMMIT_MESSAGE = commitDetails.commit.message 78 | env.INFRACOST_VCS_COMMIT_AUTHOR_EMAIL = commitDetails.commit.author.email 79 | env.INFRACOST_VCS_COMMIT_AUTHOR_NAME = commitDetails.commit.author.name 80 | env.INFRACOST_VCS_COMMIT_TIMESTAMP = commitDetails.commit.author.date 81 | 82 | // Get the merge base SHA using GitHub API 83 | def mergeBaseApiUrl = "https://api.github.com/repos/${env.REPO_NAME}/compare/${env.INFRACOST_VCS_BASE_BRANCH}...${env.INFRACOST_VCS_COMMIT_SHA}" 84 | echo "Calling GitHub API: ${mergeBaseApiUrl}" 85 | def mergeBaseOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + mergeBaseApiUrl + '\"', returnStdout: true).trim() 86 | def mergeBaseDetails = readJSON text: mergeBaseOutput 87 | def mergeBaseSha = mergeBaseDetails.merge_base_commit.sha 88 | 89 | env.MERGE_BASE_SHA = mergeBaseSha 90 | 91 | echo "Found merge base SHA: ${mergeBaseSha}" 92 | 93 | echo 'Finished setting environment variables' 94 | } 95 | 96 | // Find the merge base SHA using head SHA and base ref, then clone and checkout the base branch into 97 | // a temporary directory. 98 | script { 99 | echo "Running Infracost on base branch" 100 | 101 | // Clone the repository to a temporary directory at the merge base commit 102 | sh "git clone --depth 1 -b ${env.MERGE_BASE_SHA} https://github.com/${env.REPO_NAME}.git /tmp/repo && cd /tmp/repo" 103 | 104 | sh 'infracost breakdown --path=/tmp/repo \ 105 | --format=json \ 106 | --out-file=/tmp/infracost-base.json' 107 | } 108 | 109 | script { 110 | echo "Running Infracost on PR branch" 111 | 112 | sh "cd /tmp/repo && git fetch --depth 1 origin ${env.INFRACOST_VCS_COMMIT_SHA} && git checkout ${env.INFRACOST_VCS_COMMIT_SHA}" 113 | 114 | // Generate an Infracost diff and save it to a JSON file. 115 | sh 'infracost diff --path=/tmp/repo \ 116 | --format=json \ 117 | --compare-to=/tmp/infracost-base.json \ 118 | --out-file=/tmp/infracost.json' 119 | } 120 | 121 | script { 122 | echo "Generating Infracost comment" 123 | 124 | // Post PR comment and upload the infracost.json file to Infracost Cloud 125 | sh 'infracost comment github --path=/tmp/infracost.json \ 126 | --repo=$REPO_NAME \ 127 | --pull-request=$PR_NUMBER \ 128 | --github-token=$GITHUB_TOKEN \ 129 | --behavior=update' 130 | } 131 | } 132 | } 133 | } 134 | } 135 | ``` 136 | 137 | ```Jenkinsfile 138 | // This is the infracost-default-branch-cron.Jenkinsfile 139 | // Requires Pipeline Utility Steps plugin (https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/) 140 | 141 | // The following need to be added to 'In-process Script Approval' > 'Signatures already approved' 142 | // staticMethod java.time.ZonedDateTime now 143 | // staticMethod java.time.ZonedDateTime parse java.lang.CharSequence 144 | 145 | import java.time.ZonedDateTime 146 | import java.time.format.DateTimeFormatter 147 | import java.time.temporal.ChronoUnit 148 | 149 | pipeline { 150 | agent any 151 | 152 | triggers { 153 | cron('H * * * *') // Runs every hour 154 | } 155 | 156 | parameters { 157 | text(name: 'REPO_NAMES', defaultValue: '', description: 'List of GitHub repository names, one per line (e.g., "user/repo1\nuser/repo2")') 158 | string(name: 'AGE_THRESHOLD', defaultValue: '3600', description: 'Age of the most recent commits and PRs to check (default 3600 seconds = 1 hour)') 159 | } 160 | 161 | environment { 162 | GITHUB_TOKEN = credentials('github-token') 163 | INFRACOST_API_KEY = credentials('alistair-test-infracost-api-key') 164 | } 165 | 166 | stages { 167 | stage('Infracost default branches and PR status update') { 168 | agent { 169 | docker { 170 | image 'infracost/infracost:ci-0.10' 171 | args "--user=root --entrypoint=''" 172 | } 173 | } 174 | 175 | steps { 176 | script { 177 | def repoNames = params.REPO_NAMES.readLines() 178 | def ageThresholdSeconds = params.AGE_THRESHOLD.toInteger() 179 | 180 | def prStatusUpdates = [] 181 | 182 | def parallelTasks = [:] 183 | 184 | repoNames.each { repoName -> 185 | parallelTasks["Infracost-${repoName}"] = { 186 | echo "Processing repository: ${repoName}" 187 | 188 | // Fetch merged PRs within the time frame 189 | // This fetches the latest 100 closed PRs for the repo 190 | def prsApiUrl = "https://api.github.com/repos/${repoName}/pulls?per_page=100&state=closed&sort=updated&direction=desc" 191 | def prsOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + prsApiUrl +'\"', returnStdout: true).trim() 192 | def prsDetails = readJSON text: prsOutput 193 | 194 | prsDetails.each { pr -> 195 | def closedAt = ZonedDateTime.parse(pr.closed_at) 196 | def currentDateTime = ZonedDateTime.now() 197 | def secondsSinceClosed = ChronoUnit.SECONDS.between(closedAt, currentDateTime) 198 | 199 | if (secondsSinceClosed <= ageThresholdSeconds) { 200 | def status = pr.merged_at ? "MERGED" : "CLOSED" 201 | prStatusUpdates << [url: pr.html_url, status: status] 202 | } 203 | } 204 | 205 | // Get the default branch of the repository 206 | def repoApiUrl = "https://api.github.com/repos/${repoName}" 207 | def repoOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + repoApiUrl + '\"', returnStdout: true).trim() 208 | def repoDetails = readJSON text: repoOutput 209 | def defaultBranch = repoDetails.default_branch 210 | 211 | // Fetch the latest commit on the default branch 212 | def commitsApiUrl = "https://api.github.com/repos/${repoName}/commits?sha=${defaultBranch}" 213 | def latestCommitOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + commitsApiUrl + '\"', returnStdout: true).trim() 214 | def latestCommitDetails = readJSON text: latestCommitOutput 215 | 216 | if (latestCommitDetails.size() == 0) { 217 | echo "No commits found on the default branch for repository ${repoName}. Skipping." 218 | return 219 | } 220 | 221 | def latestCommit = latestCommitDetails[0] 222 | def latestCommitDate = ZonedDateTime.parse(latestCommit.commit.author.date) 223 | def currentDateTime = ZonedDateTime.now() 224 | def secondsSinceLastCommit = ChronoUnit.SECONDS.between(latestCommitDate, currentDateTime) 225 | 226 | if (secondsSinceLastCommit > ageThresholdSeconds) { 227 | echo "Skipping repository ${repoName} as the most recent commit is older than ${ageThresholdSeconds} seconds." 228 | return 229 | } 230 | 231 | // Set the environment variables 232 | // We can't set them directly on the env since that will override other parallel tasks 233 | def localEnvVars = """ 234 | INFRACOST_VCS_REPOSITORY_URL=${repoDetails.html_url} 235 | INFRACOST_VCS_BRANCH=${defaultBranch} 236 | INFRACOST_VCS_COMMIT_SHA=${latestCommit.sha} 237 | INFRACOST_VCS_COMMIT_MESSAGE='${latestCommit.commit.message}' 238 | INFRACOST_VCS_COMMIT_AUTHOR_EMAIL=${latestCommit.commit.author.email} 239 | INFRACOST_VCS_COMMIT_AUTHOR_NAME='${latestCommit.commit.author.name}' 240 | INFRACOST_VCS_COMMIT_TIMESTAMP=${latestCommit.commit.author.date} 241 | """.trim() 242 | 243 | echo "Default branch for ${repoName} is ${defaultBranch}" 244 | 245 | // Create a repo slug so we can use the repo name in paths 246 | def repoSlug = repoName.trim().replace('/', '_') 247 | 248 | // Clone the repository to a temporary directory 249 | sh "git clone --depth 1 -b ${defaultBranch} https://github.com/${repoName}.git /tmp/${repoSlug} && cd /tmp/${repoSlug}" 250 | 251 | // Run Infracost breakdown 252 | sh """ 253 | export ${localEnvVars} 254 | infracost breakdown --path=/tmp/${repoSlug} \ 255 | --format=json \ 256 | --out-file=/tmp/infracost-${repoSlug}.json 257 | """ 258 | 259 | // Run Infracost upload 260 | sh "infracost upload --path=/tmp/infracost-${repoSlug}.json 261 | 262 | // Cleanup 263 | sh "rm -rf /tmp/${repoSlug}" 264 | } 265 | } 266 | 267 | parallel parallelTasks 268 | 269 | if (prStatusUpdates.size() > 0) { 270 | def updatesString = prStatusUpdates.collect { "PR: ${it.url}, Status: ${it.status}" }.join("\n") 271 | 272 | echo "Updating PR status for ${prStatusUpdates.size()} PRs:\n${updatesString}" 273 | 274 | def graphqlQuery = [ 275 | query: "mutation {\n" + prStatusUpdates.collect { update -> 276 | "updatePullRequestStatus(url: \"${update.url}\", status: ${update.status})" 277 | }.join("\n") + "\n}" 278 | ] 279 | 280 | def graphqlData = groovy.json.JsonOutput.toJson(graphqlQuery) 281 | def graphqlApiUrl = 'https://dashboard.api.infracost.io/graphql' 282 | 283 | def response = sh(script: """ 284 | curl -s -X POST -H "Content-Type: application/json" -H "X-Api-Key: \$INFRACOST_API_KEY" \ 285 | -d '${graphqlData}' '${graphqlApiUrl}' 286 | """, returnStdout: true).trim() 287 | 288 | def jsonResponse = readJSON text: response 289 | 290 | // Check for errors in the response 291 | if (jsonResponse.errors != null && jsonResponse.errors.size() > 0) { 292 | jsonResponse.errors.each { error -> 293 | echo "Error: ${error.message}" 294 | } 295 | error "GraphQL API returned errors. See above messages for details." 296 | } 297 | 298 | echo "All PR statuses updated successfully." 299 | } 300 | } 301 | } 302 | } 303 | } 304 | } 305 | ``` 306 | -------------------------------------------------------------------------------- /github.jenkinsfile: -------------------------------------------------------------------------------- 1 | // Requires Pipeline Utility Steps plugin (https://www.jenkins.io/doc/pipeline/steps/pipeline-utility-steps/) 2 | 3 | pipeline { 4 | agent any 5 | 6 | parameters { 7 | string(name: 'REPO_NAME', description: 'GitHub repository name. E.g. "user/repo1"') 8 | string(name: 'BRANCH_NAME', description: 'GitHub branch name. E.g. "my_branch"') 9 | string(name: 'TF_VAR_FILE', defaultValue: '', description: 'Optional Terraform var file name, relative branch root. E.g. "path/to/my_var_file.tfvars"') 10 | } 11 | 12 | stages { 13 | stage('infracost') { 14 | agent { 15 | docker { 16 | // Always use the latest 0.10.x version to pick up bug fixes and new resources. 17 | // See https://www.infracost.io/docs/integrations/cicd/#docker-images for other options 18 | image 'infracost/infracost:ci-0.10' 19 | args "--user=root --entrypoint='' --pull always" 20 | } 21 | } 22 | 23 | steps { 24 | script { 25 | // Set up required credentials for posting the comment, e.g. GitHub token, Infracost API key 26 | env.GITHUB_TOKEN = credentials('github-token') 27 | env.INFRACOST_API_KEY = credentials('infracost-api-key') 28 | 29 | env.LOG_LEVEL = 'warn' 30 | env.GITHUB_URL = 'https://github.com' 31 | env.GITHUB_API_URL = 'https://api.github.com' 32 | env.REPO_NAME = "${params.REPO_NAME}" 33 | env.BRANCH_NAME = "${params.BRANCH_NAME}" 34 | env.TF_VAR_FILE = "${params.TF_VAR_FILE ?: ''}" 35 | 36 | if (env.TF_VAR_FILE && !fileExists(env.TF_VAR_FILE)) { 37 | error("TF_VAR_FILE '${env.TF_VAR_FILE}' was specified but does not exist") 38 | } 39 | 40 | // If you store Terraform variables or modules in a 3rd party such as Terraform Cloud or Spacelift, 41 | // specify the following so Infracost can automatically retrieve them. 42 | // See https://www.infracost.io/docs/features/terraform_modules/#registry-modules for details. 43 | // env.INFRACOST_TERRAFORM_CLOUD_TOKEN = credentials('terraform-cloud-token') 44 | // env.INFRACOST_TERRAFORM_CLOUD_HOST = 'app.terraform.io' 45 | } 46 | 47 | script { 48 | // Get the default branch of the repository 49 | def repoApiUrl = "${env.GITHUB_API_URL}/repos/${env.REPO_NAME}" 50 | echo "Getting repo details from GitHub API: ${repoApiUrl}" 51 | def repoOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + repoApiUrl + '\"', returnStdout: true).trim() 52 | def repoDetails = readJSON text: repoOutput 53 | def defaultBranch = repoDetails.default_branch 54 | env.DEFAULT_BRANCH = defaultBranch 55 | 56 | // Call GitHub API to get branch details 57 | def branchApiUrl = "${env.GITHUB_API_URL}/repos/${env.REPO_NAME}/branches/${env.BRANCH_NAME}" 58 | echo "Getting branch details from GitHub API: ${branchApiUrl}" 59 | def output = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + branchApiUrl + '\"', returnStdout: true).trim() 60 | def branchDetails = readJSON text: output 61 | 62 | // Set branch and repository environment variables 63 | env.INFRACOST_VCS_REPOSITORY_URL = "${GITHUB_URL}/${env.REPO_NAME}" 64 | env.INFRACOST_VCS_BRANCH = env.BRANCH_NAME 65 | env.INFRACOST_VCS_COMMIT_SHA = branchDetails.commit.sha 66 | env.INFRACOST_VCS_COMMIT_AUTHOR_NAME = branchDetails.commit.commit.author.name 67 | env.INFRACOST_VCS_COMMIT_AUTHOR_EMAIL = branchDetails.commit.commit.author.email 68 | env.INFRACOST_VCS_COMMIT_TIMESTAMP = branchDetails.commit.commit.author.date 69 | env.INFRACOST_VCS_COMMIT_MESSAGE = branchDetails.commit.commit.message 70 | 71 | echo 'Finished setting environment variables' 72 | } 73 | 74 | script { 75 | if (env.BRANCH_NAME == env.DEFAULT_BRANCH) { 76 | // don't create a diff, this is a default branch run 77 | return 78 | } 79 | echo "Generating Infracost baseline from default branch" 80 | def failuresList = null 81 | try { 82 | env.INFRACOST_VCS_BASE_BRANCH = env.DEFAULT_BRANCH 83 | 84 | // Get the merge base SHA using GitHub API 85 | def mergeBaseApiUrl = "${env.GITHUB_API_URL}/repos/${env.REPO_NAME}/compare/${env.DEFAULT_BRANCH}...${env.BRANCH_NAME}" 86 | echo "Getting merge base details from GitHub API: ${mergeBaseApiUrl}" 87 | def mergeBaseOutput = sh(script: 'curl -s -H \"Authorization: token $GITHUB_TOKEN\" \"' + mergeBaseApiUrl + '\"', returnStdout: true).trim() 88 | def mergeBaseDetails = readJSON text: mergeBaseOutput 89 | def mergeBaseSha = mergeBaseDetails.merge_base_commit.sha 90 | 91 | echo "Found merge base SHA: ${mergeBaseSha}" 92 | 93 | // Clone the repository to a temporary directory 94 | sh "git clone --depth 1 -b ${env.INFRACOST_VCS_COMMIT_SHA} ${GITHUB_URL}/${env.REPO_NAME}.git /tmp/repo" 95 | 96 | // Checkout the merge base commit 97 | sh "cd /tmp/repo && git fetch --depth 1 origin ${mergeBaseSha} && git checkout -q ${mergeBaseSha}" 98 | 99 | sh 'infracost breakdown --path=/tmp/repo \ 100 | --format=json \ 101 | --out-file=/tmp/infracost-base.json \ 102 | --log-level=$LOG_LEVEL \ 103 | --terraform-var-file=$TF_VAR_FILE' 104 | 105 | echo "Generating Infracost diff" 106 | 107 | sh "cd /tmp/repo && git checkout ${env.INFRACOST_VCS_COMMIT_SHA}" 108 | 109 | // Generate an Infracost diff and save it to a JSON file. 110 | sh 'infracost diff --path=/tmp/repo \ 111 | --format=json \ 112 | --compare-to=/tmp/infracost-base.json \ 113 | --out-file=/tmp/infracost.json \ 114 | --log-level=$LOG_LEVEL \ 115 | --terraform-var-file=$TF_VAR_FILE' 116 | 117 | echo "Generating Infracost comment" 118 | 119 | // Post PR comment and upload the infracost.json file to Infracost Cloud 120 | def commentOutput = sh( 121 | script: 'infracost comment github --path=/tmp/infracost.json \ 122 | --repo=$REPO_NAME \ 123 | --commit=$INFRACOST_VCS_COMMIT_SHA \ 124 | --github-api-url=$GITHUB_API_URL \ 125 | --github-token=$GITHUB_TOKEN \ 126 | --behavior=update \ 127 | --format=json \ 128 | 2> commentErrOut.txt \ 129 | || true', 130 | returnStdout: true, 131 | ) 132 | def commentErrOut = readFile('commentErrOut.txt').trim() 133 | def commentUrl = commentErrOut.find(/[^\s]+#commitcomment[^\s]+/) 134 | def commentDetails = readJSON text: commentOutput 135 | 136 | def infracostReport = "########## See Infracost branch diff ##########\n${commentUrl}\n##########" 137 | echo infracostReport 138 | writeFile file: 'infracost.txt', text: infracostReport 139 | archiveArtifacts artifacts: 'infracost.txt' 140 | 141 | if (commentDetails.governanceFailures instanceof List && !commentDetails.governanceFailures.isEmpty()) { 142 | failuresList = commentDetails.governanceFailures.collect { it } 143 | } 144 | } catch (Exception e) { 145 | echo "Caught an error: ${e}" 146 | } 147 | if (failuresList != null) { 148 | error("Governance check failed:\n- ${failuresList.join(' ')}\n") 149 | } 150 | } 151 | 152 | script { 153 | if (env.BRANCH_NAME != env.DEFAULT_BRANCH) { 154 | // don't upload default branch breakdown, this is a feature branch run 155 | return 156 | } 157 | try { 158 | echo "Generating Infracost baseline for default branch" 159 | 160 | // Clone the repository to a temporary directory 161 | sh "git clone --depth 1 -b ${env.DEFAULT_BRANCH} ${GITHUB_URL}/${env.REPO_NAME}.git /tmp/repo && cd /tmp/repo" 162 | 163 | // For cases where you use pull requests in your workflow, we need to add a step here 164 | // that updates the PR status in Infracost Cloud based on the PR number from the git log. 165 | // See the bitbucket.jenkinsfile for an example. 166 | 167 | // Run Infracost breakdown, don't use the TF_VAR_FILE so all projects in the repo are evaluated 168 | sh 'infracost breakdown --path=/tmp/repo \ 169 | --format=json \ 170 | --out-file=/tmp/infracost.json \ 171 | --log-level=$LOG_LEVEL' 172 | 173 | // Run Infracost upload 174 | def uploadOutput = sh( script: "infracost upload --path=/tmp/infracost.json --format=json || true", returnStdout: true ) 175 | def uploadDetails = readJSON text: uploadOutput 176 | def repoUrl = uploadDetails.cloudUrl.find(/.*\/repos\/[^\/]+/) 177 | def infracostReport = "########## See Infracost repo report ##########\n${repoUrl}\n##########" 178 | 179 | echo infracostReport 180 | writeFile file: 'infracost.txt', text: infracostReport 181 | archiveArtifacts artifacts: 'infracost.txt' 182 | } catch (Exception e) { 183 | echo "Caught an error: ${e}" 184 | } 185 | } 186 | } 187 | } 188 | } 189 | } 190 | --------------------------------------------------------------------------------