feat: infracost deployment operator changes

[kinjalh]

Test Plan

https://console.kinjal-gitgud.onplural.sh/

Checklist

• I have added a meaningful title and summary to convey the impact of this PR to a user.
• I have deployed the agent to a test environment and verified that it works as expected.
  • Agent starts successfully.
  • Service creation works without any issues when using raw manifests and Helm templates.
  • Service creation works when resources contain both CRD and CRD instances.
  • Service templating works correctly.
  • Service errors are reported properly and visible in the UI.
  • Service updates are reflected properly in the cluster.
  • Service resync triggers immediately and works as expected.
  • Sync waves annotations are respected.
  • Sync phases annotations are respected. Phases are executed in the correct order.
  • Sync hook delete policies are respected. Resources are not recreated once they reach the desired state.
  • Service deletion works and cleanups resources properly.
  • Services can be recreated after deletion.
  • Service detachment works and keeps resources unaffected.
  • Services can be recreated after detachment.
  • Service component trees are working as expected.
  • Cluster health statuses are being updated.
  • Agent logs do not contain any errors (after running for at least 30 minutes).
  • There are no visible anomalies in Datadog (after running for at least 30 minutes).
• I have added tests to cover my changes.
• If required, I have updated the Plural documentation accordingly.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​pluralsh/​console/​go/​client@​v1.74.1 ⏵ v1.76.0	+1

View full report

[greptile-apps]

Greptile Summary

This PR integrates infracost into the deployment operator's Terraform harness to produce per-resource cost estimates after terraform plan, surfacing them to the console via the upgraded console/go/client (v1.74.1 → v1.76.0).

• pkg/harness/tool/terraform/infracost.go — runs infracost breakdown, parses the JSON output, and converts it to StackInfracostResourceAttributes; infracost being absent is a graceful no-op.
• pkg/harness/controller/controller_hooks.go — calls Infracost() in afterPlan() and passes results to UpdateStackRun; failures are logged and non-fatal, consistent with the security-scan pattern.
• pkg/harness/tool/v1/ — adds Infracost() to the Tool interface with a default no-op implementation in DefaultTool.

Confidence Score: 3/5

The infracost feature will silently produce no cost data at runtime because the binary plan file is passed where a JSON plan or directory is required.

The core execution path in runInfracost calls infracost breakdown --path terraform.tfplan with the binary plan file. Infracost does not accept binary plan files via --path; it requires either a Terraform config directory or a JSON plan file (terraform show -json). This means every infracost run will fail, the error will be logged, and InfracostResources will always be nil in the console update — making the entire feature a no-op despite the binary being present. The rest of the wiring (interface, default implementation, controller hook, type definitions) looks correct.

pkg/harness/tool/terraform/infracost.go — specifically the --path argument passed to infracost breakdown

Important Files Changed

Filename	Overview
pkg/harness/tool/terraform/infracost.go	New infracost integration; passes the binary terraform.tfplan file to infracost breakdown --path, which expects a JSON plan or a directory — this will consistently fail at runtime
pkg/harness/tool/terraform/infracost_types.go	New type definitions for infracost JSON output; InfracostResourceScopeFree is declared but never used
pkg/harness/controller/controller_hooks.go	Adds infracost call after security scan in afterPlan; errors are non-fatal (logged and skipped), consistent with how Scan is handled
pkg/harness/tool/v1/types.go	Adds Infracost() to the Tool interface with clear documentation
pkg/harness/tool/v1/tool.go	Adds default no-op Infracost() implementation to DefaultTool
go.mod	Bumps github.com/pluralsh/console/go/client from v1.74.1 to v1.76.0 to pick up InfracostResources field on StackRunAttributes

Comments Outside Diff (2)

1. pkg/harness/tool/terraform/infracost.go, line 46-48 (link)

   Binary plan file passed to infracost --path

   in.planFileName resolves to "terraform.tfplan" (a binary Terraform plan), but infracost breakdown --path <file> expects either a Terraform config directory or a JSON plan file (produced by terraform show -json <planfile>). Passing the binary file will cause infracost to fail to parse the path and return an error, so cost estimates will never be populated in practice.

   The standard approach is to produce a JSON plan first with terraform show -json terraform.tfplan > plan.json, then pass plan.json to --path.

2. pkg/harness/tool/terraform/infracost_types.go, line 64 (link)

   Unused constant InfracostResourceScopeFree

   InfracostResourceScopeFree is declared but never referenced anywhere in the codebase. Resources with no cost are filtered out in convertResource (both hourlyCost and monthlyCost are nil → return nil), so this scope value never gets assigned. Either use it to tag free resources instead of discarding them, or remove the constant to avoid confusion.

_{Reviews (1): Last reviewed commit: "Merge branch 'main' into infracost" | Re-trigger Greptile}