ServiceNow Integration & Non-Production FinOps Policies

Happy August!

Summer may be in full swing, but our team has been hard at work in between recharging on vacations. I’m excited to announce the release of major product updates all focused on helping enterprises with FinOps tagging 🏷️

API for ServiceNow integration

Large enterprises are familiar with this FinOps challenge: cloud resources need to be tagged with ServiceNow application names or Service IDs. Without this, showback reports are not accurate and optimization opportunities cannot be assigned to teams easily.

Enterprises have thousands of applications, so it’s easy to have typos, incorrect capital letters, dashes and hyphens mixed up in the tag values in infra-as-code. That creates a mess that FinOps teams have to deal with, and fixing typos isn’t fun for any engineer…

We’ve just released the Infracost Cloud API to solve this problem! The API enables you to regularly push the thousands of tag values from ServiceNow to Infracost, and it will automatically validate them before deployment (e.g. in GitHub pull requests).

Fix your default tags

A key FinOps best practice is to use Terraform “provider” or “default tags” for AWS and Google, rather than tagging individual resources (hopefully Azure supports that soon). This allows you to update tag values across all resources in a repo from a single location.

While default tags are awesome, two issues arise:

1. Not all development teams are aware of them, leading to inconsistent adoption across teams in large enterprises.
2. Default tags don’t apply to dynamically created resources, like AWS AutoScalingGroups or ECS. This can result in untagged or mistagged costs, as these nuances are often overlooked in Terraform documentation.

We believe that the best way to encourage engineers to take action is to educate them about these issues within their workflow. So we’ve updated the Infracost pull request comment to address both issues:

1. It now checks for default tags and links engineers to that code block to fix the issue centrally.
2. It identifies tag issues with dynamic resources and provides specific instructions and a link to the exact file and line number for quick fixes.

Fix your module tags

Top engineering teams at large enterprises use reusable modules for their infra-as-code, often maintained by Platform or DevOps teams. However, this can create a FinOps tagging challenge: tags may need updates within the module itself, but Development teams (who use the modules) might not be aware or might be focused on other tasks by the time the tagging issue is discovered.

This leads to untagged or mistagged resources and frustration for the FinOps team, who must coordinate between Platform and Development teams to resolve it.

To address this, the Infracost pull request comment now identifies module tagging issues, linking engineers directly to the module code for quick fixes 🏃‍♀️

Easily login to see all issues (SAML group mappings)

Last month we updated the Infracost pull request comment to include a link to all pre-existing tagging and FinOps issues in the repo being updated. This gave engineers new awareness by putting relevant data in their workflow; however, it required them to signup and request access to see details in Infracost (which could take a few days at large enterprises).

We released a major update to our single sign-on (SSO) to support SAML group mappings. This enables engineers to simply login to Infracost and automatically get the right permissions based on their SAML groups. No more waiting for an invite – just login!

FinOps policies for non-production environments

We regularly review Well-Architected Frameworks and consult with FinOps practitioners to automate best practices. Some, like using single-AZ databases in non-production, are often overlooked but offer significant cost savings!

We’ve released four new FinOps policies that warn engineers about these best practices. Infracost supports this by letting you define filters for production environments. Visit the Infracost Cloud > Governance > FinOps policies page to enable these checks in your pull request comments.