IaC Pricing Reality Check - What Actually Costs Money

Every vendor claims their tool is "free" until you actually try to use it in production. Then you get hit with bills that make you question your career choices.

CloudFormation: "Free" Like a Puppy Is Free

AWS CloudFormation doesn't cost anything upfront, which is nice until you realize it's like getting a free car that only runs on premium gas and breaks down every weekend.

Sure, basic AWS resources are free to provision. But the moment you need anything beyond basic EC2 and S3 - like custom resources or third-party integrations - AWS starts charging $0.0009 per operation. Sounds cheap? Try provisioning a Datadog monitor resource 10,000 times a month. That's $9 just for one type of resource operation. We had 247 Datadog monitors across 3 environments, and every update triggered handler operations. The AWS Free Tier only covers 1,000 handler operations per month, which sounds generous until you realize third-party providers can burn through that in a single deployment.

I learned this the hard way in November 2023 when we migrated our monitoring setup from Terraform to CloudFormation. What we thought would be a free migration ended up costing $347/month just in CloudFormation handler operations. The Datadog provider alone was generating 12,000+ operations per month because it was polling for state changes every 30 seconds. The bill breakdown looked like we were paying AWS for the privilege of using other people's tools. Check out this CloudFormation cost optimization guide if you want to understand just how deep this rabbit hole goes. There's also extensive documentation on custom resources that fails to mention the cost implications.

Terraform: "Free" Until You Need to Sleep

Terraform itself costs nothing. Running Terraform without losing your sanity? That's where they get you.

You start with local state files. Then someone else touches your code and overwrites your state. So you set up S3 backend. Then you need state locking with DynamoDB. Then someone accidentally corrupts the state file and you get this fucking error. The AWS best practices guide covers this setup, but doesn't mention the operational nightmare that follows. Here's a detailed analysis of why state locking still doesn't solve all your problems:

Error: Error acquiring the state lock
Error message: ConditionalCheckFailedException: The conditional request failed

And you spend 6 hours rebuilding infrastructure from memory because your backup state file is also corrupted (this was Friday night, 9 PM, while my kid was screaming in the background).

Within 3 months, you're running a dedicated engineer just on Terraform operations. That's $120k/year before you even get to the infrastructure costs. Add monitoring, security scanning, and CI/CD integration, and you're easily at $200k annually just to make the "free" tool work. This state management guide breaks down the six most common issues you'll face. There's also this comprehensive troubleshooting guide that documents solutions to problems you didn't even know existed yet.

We tried running pure Terraform from v0.12 through v1.3 for 2 years. I calculated we spent more on engineering time debugging state file issues than we would have on HCP Terraform. The breaking point was when our lead DevOps engineer quit after spending a weekend in February 2023 recovering from a corrupted state file that took down staging. The state got corrupted during a partial apply when terraform v1.2.8 crashed mid-execution. This horror story from AWS shows what happens when state corruption goes undetected. There's also this recovery guide that walks through fixing corrupted state files - bookmark it now because you'll need it later.

Pulumi: Death by a Thousand Credits

Pulumi's credit system is designed to confuse you into spending money. They count every individual resource, including shit you didn't even know existed.

We thought we had 200 resources in our Kubernetes cluster. Pulumi's console showed 847 billable resources - I remember the exact number because I stared at that fucking dashboard for 3 hours trying to figure out where all the resources came from. Turns out every security group rule counts separately. Every IAM policy attachment is a separate resource. Every individual subnet route is a resource.

Our "simple" EKS cluster with 5 t3.medium nodes suddenly cost $423/month just in Pulumi credits. The actual compute was only $180/month. The worst part? You don't find out until after deployment. Their cost estimator is useless because nobody knows their actual resource count until Pulumi counts it for you. This detailed pricing analysis breaks down exactly how their credit system works and why it's designed to be confusing. There's also this pricing overview that explains the difference between declared resources and billable resources.

I spent a weekend in March 2024 trying to optimize our resource usage, combining security groups and IAM roles. Cut it down from 847 to 392 resources and felt proud. Then we added one more microservice (just a simple Express.js API) and were back up to 623 resources. Pulumi counted every single environment variable injection as a separate resource.

Want to see how fucked you really are? Run this:

pulumi stack --show-urns | grep -E \"(aws:|kubernetes:)\" | wc -l

That's your actual billable resource count. Spoiler: it's way higher than you think.

Spacelift: At Least They're Honest About Screwing You

Spacelift charges $399/month minimum. Sounds expensive until you realize it doesn't scale with your infrastructure size. You pay the same whether you manage 100 resources or 10,000.

The pricing is actually predictable, which is refreshing after dealing with Pulumi's credit roulette. You know exactly what you're paying each month. No surprises, no weird resource counting, just straightforward "pay this much, get this much concurrency."

We switched to Spacelift after the Pulumi bill hit $800/month for the same infrastructure. Yeah, $399 seemed expensive at first, but at least I could budget for it without having nightmares about resource drift adding $200 to next month's bill.

Nobody talks about the real costs until you're already fucked. Here's what actually happens when you deploy IaC in production.

The \"Free\" Terraform Nightmare

We started with Terraform 0.12.0 in June 2020 because it was "free." Three years later, we had a dedicated team of 4 engineers (Sarah, Mike, Dave, and that contractor whose name I can't remember) just keeping it running. That's $400k/year in salaries before you factor in the infrastructure costs, monitoring, and the therapy bills.

State File Hell: $15k/year minimum

• S3 backend with encryption and versioning
• DynamoDB for locking (because without it, Sarah from the DevOps team will overwrite your state and you'll spend your Saturday rebuilding prod from screenshots)
• Cross-region replication because the one time AWS us-east-1 went down, we couldn't deploy anything for 6 hours

The Weekend Recovery Tax: Priceless
Every 3 months, someone corrupts a state file. Usually on Friday at 5 PM. I've spent more weekends recovering Terraform state than I care to count. In December 2022, we had to rebuild our entire staging environment from scratch because the state file got corrupted during a failed terraform apply (someone ctrl+c'd it halfway through), and our backup was also corrupted because we were using S3 versioning but the versioning was broken. Took 14 hours.

Security Compliance Bullshit: $50k/year

• Policy enforcement with OPA (had to hire a consultant just to understand the REGO language) - Here's a comprehensive OPA tutorial that might save you from hiring consultants, and this Rego language guide that breaks down the syntax
• Secret scanning because Dave hardcoded an API key in a Terraform variable
• Audit logging that nobody reads until the compliance audit - Here's the HCP Terraform policy guide for when you inevitably need to implement this

Multi-Cloud Is a Special Kind of Hell

We thought multi-cloud would give us negotiating power with vendors. Instead, it gave us multiple bills and triple the operational overhead.

AWS: CloudFormation works great until you need to integrate with anything non-AWS. Then you're paying handler operation fees for every third-party resource. Our Datadog integration alone costs $200/month in CloudFormation operations.

Azure: ARM templates are "free" but good luck finding anyone who actually knows how to write them. We hired a consultant from Microsoft for $2k/week just to set up our Azure infrastructure because the ARM template documentation is complete garbage. Half the examples are outdated and the other half reference deprecated resource types. This Reddit thread captures the frustration perfectly, and here's a detailed analysis of why ARM templates are fundamentally broken. Some engineers just recommend avoiding ARM entirely.

GCP: Deployment Manager is so limited we ended up using Terraform anyway. So we're paying for GCP resources plus maintaining Terraform state files plus the engineering overhead of keeping everything in sync.

The breaking point was when we had 3 different state files, 4 different CI/CD pipelines, and 2 different policy systems. I calculated we were spending more on multi-cloud operational overhead than we were saving on compute costs.

Pulumi's Resource Counting Scam

Pulumi's resource counting is designed to maximize their revenue at your expense. They count resources in the most granular way possible.

The Kubernetes Cluster Trap:

• 1 EKS cluster = 1 resource (seems reasonable)
• 5 security groups = 5 resources (okay, still reasonable)
• 20 security group rules = 20 MORE resources (wait, what?)
• 15 IAM roles = 15 resources
• 45 IAM policy attachments = 45 MORE resources (because fuck you)
• 10 subnets = 10 resources
• 30 route table entries = 30 MORE resources

That "simple" 5-node EKS cluster (t3.medium instances, basic networking) ended up being 237 billable resources according to Pulumi's console. I know the exact number because I took a screenshot and sent it to our VP of Engineering with the subject line "What the fuck is this?" Point is, way more than anyone would expect. At $0.0005 per resource-hour, that's about $85/month just for Pulumi to count our shit.

The worst part? You can't estimate costs upfront. Their pricing calculator is useless because you don't know your actual resource count until after deployment. We thought our migration would cost $50/month based on their "Simple Cost Calculator" which counted our cluster as "~50 resources." First bill in January 2024 was $387.43 because apparently every security group rule, every environment variable, and every damn annotation counts as a separate billable resource.

The Enterprise Sales Call Tax

Once you hit any kind of scale, every platform wants to get on a call to "understand your needs." Translation: figure out how much they can extract from you.

HCP Terraform: Started at $20/user/month. Enterprise sales called and suddenly we need "enhanced security features" for $500/month extra. Plus "priority support" for another $300/month. Plus "audit logging" that should be fucking included.

Pulumi Enterprise: The sales guy wouldn't even tell us the price until after a 3-hour "discovery call" and a security questionnaire. Turns out "enterprise pricing" starts at $50k/year. For the same features that Spacelift includes at $399/month.

The Hidden Infrastructure Tax

Every IaC platform needs supporting infrastructure that nobody budgets for:

Monitoring and Alerting: $200+/month

• CloudWatch/DataDog dashboards to track failed deployments
• PagerDuty integration because infrastructure failures happen at 3 AM
• Log aggregation because you need to debug why that apply failed

Backup and Recovery: $100+/month

• State file backups (learned this the hard way)
• Configuration backups because someone will delete something important
• Disaster recovery procedures that you'll never test until it's too late

CI/CD Integration: $500+/month

• Runner infrastructure for GitLab/GitHub Actions
• Secret management because you can't hardcode credentials (right, Dave?)
• Environment management because you need separate pipelines for dev/staging/prod

The Real Cost Breakdown

After 5 years of running IaC at scale, here's what it actually costs:

Small Team (5-15 engineers):

• Terraform OSS: $150k/year (1 dedicated engineer + infrastructure)
• CloudFormation: $100k/year (0.5 engineer + AWS fees for third-party resources)
• Spacelift: $50k/year ($399/month + minimal engineering overhead)

Medium Company (50-100 engineers):

• Terraform OSS: $500k/year (3-4 engineers + full operational overhead)
• HCP Terraform: $200k/year ($20/user + enterprise features + sales tax)
• Pulumi: $300k/year (credit costs + 2 engineers managing resource optimization)
• Spacelift: $120k/year (predictable scaling + 1 engineer)

Enterprise (200+ engineers):

• Any solution: You're fucked, but Spacelift fucks you the least

The pattern is clear: anything that scales with team size or resource count will bankrupt you. Flat-rate pricing with reasonable limits is the only sustainable model.