Dual-FinOps Dashboard
Bridging the gap between proactive infrastructure estimation and reactive operational billing.
[ Dashboard panels: Proactive IaC Estimate | Actual 30-Day Spend ]
The Architecture Behind the Dashboard
A core competency of a Cloud Architect is governance—ensuring that the infrastructure we design doesn't bankrupt the organization. To demonstrate this, I built a "Dual-FinOps" architecture that monitors costs at both ends of the deployment lifecycle.
// Proactive Estimate (Infracost)
[ Local Code (Terraform) ] → [ GitHub Actions CI/CD ] → [ S3 Bucket (infracost.json) ]

// Reactive Actuals (AWS Cost Explorer)
[ EventBridge (Daily) ] → [ Lambda (Boto3) ] → [ AWS Cost API ]
                                    ↓
                          [ S3 Bucket (actual_costs.json) ]
Shift-Left: Infracost Integration
Before any infrastructure is provisioned, my GitHub Actions pipeline runs the Infracost CLI against my Terraform directory. It scans the resources Terraform plans to create, queries the AWS Price List API, and generates a proactive monthly estimate (written out as infracost.json). This prevents "surprise bills" from ever reaching production.
Reactive Actuals: Serverless Billing Extraction
To verify the estimates against reality, an Amazon EventBridge rule triggers a Python Lambda function every 24 hours. The function uses the AWS SDK (Boto3) to query the ce:GetCostAndUsage API, pulls the exact Unblended Cost for the trailing 30 days, and writes it as a JSON file (actual_costs.json) to the S3 bucket that serves the static dashboard.
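The extraction and comparison described above, as an added example rather than the page's own Lambda code: the trailing-30-day window, the reduction of a ce:GetCostAndUsage response to a single total, and the delta against Infracost's totalMonthlyCost. The BUCKET and KEY environment variables are assumed names, the Cost Explorer response and Infracost output are constructed samples, and boto3 clients can be injected so the pure helpers run offline.

```python
"""Daily cost extraction for the Dual-FinOps dashboard.

Added example, not the page's own Lambda code. Assumptions: the bucket and
object key come from the environment variables BUCKET and KEY (hypothetical
names), and boto3 clients may be injected for offline testing."""
import json
import os
from datetime import date, datetime, timedelta, timezone


def trailing_30_day_window(today: date) -> dict:
    """Cost Explorer treats End as exclusive, so [today-30d, today) is 30 full days."""
    start = today - timedelta(days=30)
    return {"Start": start.isoformat(), "End": today.isoformat()}


def summarize_costs(response: dict) -> dict:
    """Reduce a ce:GetCostAndUsage response (UnblendedCost metric) to one total.

    Cost Explorer returns amounts as decimal strings and splits the window at
    calendar-month boundaries, so periods are summed and each kept for the UI.
    """
    periods = []
    total = 0.0
    estimated = False
    for item in response.get("ResultsByTime", []):
        cost = item["Total"]["UnblendedCost"]
        amount = float(cost["Amount"])
        total += amount
        estimated = estimated or bool(item.get("Estimated", False))
        periods.append({
            "start": item["TimePeriod"]["Start"],
            "end": item["TimePeriod"]["End"],
            "amount": round(amount, 2),
            "unit": cost["Unit"],
        })
    return {"total_unblended": round(total, 2), "periods": periods, "estimated": estimated}


def estimate_delta(infracost_output: dict, actual: dict) -> dict:
    """Compare Infracost's totalMonthlyCost (a string in its JSON output) with actual spend."""
    estimate = float(infracost_output["totalMonthlyCost"])
    actual_total = actual["total_unblended"]
    delta = round(actual_total - estimate, 2)
    delta_pct = round(delta / estimate * 100, 1) if estimate else None
    return {"estimate": estimate, "actual": actual_total, "delta": delta, "delta_pct": delta_pct}


def lambda_handler(event, context, ce=None, s3=None):
    """EventBridge entry point: query Cost Explorer and write actual_costs.json to S3."""
    import boto3  # imported lazily so the pure helpers above run without the SDK installed

    ce = ce or boto3.client("ce")
    s3 = s3 or boto3.client("s3")
    window = trailing_30_day_window(date.today())
    response = ce.get_cost_and_usage(
        TimePeriod=window, Granularity="MONTHLY", Metrics=["UnblendedCost"]
    )
    summary = summarize_costs(response)
    summary["window"] = window
    summary["generated_at"] = datetime.now(timezone.utc).isoformat()
    s3.put_object(
        Bucket=os.environ["BUCKET"],
        Key=os.environ.get("KEY", "actual_costs.json"),
        Body=json.dumps(summary).encode("utf-8"),
        ContentType="application/json",
    )
    return summary


# Constructed sample response in the shape Cost Explorer returns (not real billing data).
SAMPLE_RESPONSE = {
    "ResultsByTime": [
        {"TimePeriod": {"Start": "2024-05-03", "End": "2024-06-01"},
         "Total": {"UnblendedCost": {"Amount": "12.3456789", "Unit": "USD"}},
         "Estimated": False},
        {"TimePeriod": {"Start": "2024-06-01", "End": "2024-06-02"},
         "Total": {"UnblendedCost": {"Amount": "0.4100000", "Unit": "USD"}},
         "Estimated": True},
    ]
}
# Constructed Infracost output containing only the field the comparison needs.
SAMPLE_INFRACOST = {"totalMonthlyCost": "15.00"}

if __name__ == "__main__":
    actual = summarize_costs(SAMPLE_RESPONSE)
    print(json.dumps(estimate_delta(SAMPLE_INFRACOST, actual), indent=2))
```

The "estimated" flag matters for the dashboard: the current month's figure is provisional until Cost Explorer finalizes it, so a same-day comparison against the Infracost estimate should be labelled as such rather than treated as a variance.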
Accessing billing data requires highly sensitive permissions. Instead of exposing an API Gateway endpoint to the public internet (where a DDoS attack could itself run up my bill), the Lambda function writes directly to the private S3 origin. The IAM Role attached to the Lambda is limited to ce:GetCostAndUsage and to s3:PutObject on this single bucket.
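As an added example (not the page's own policy or code), the narrow role described above beside an overly broad version of it, with a small check that flags wildcard actions, actions beyond the two the Lambda needs, and S3 permissions not limited to one bucket. The bucket ARN and object key are placeholders, and both policy documents are constructed for illustration.

```python
"""Least-privilege check for the cost-extraction Lambda's IAM role.

Added example, not the page's actual policy. The bucket ARN and file name are
placeholders; both policy documents are constructed to show the broad setting
beside the narrow one."""

BUCKET_ARN = "arn:aws:s3:::example-dashboard-bucket"  # placeholder, not the page's bucket

# Everything the daily cost Lambda needs, and nothing else.
REQUIRED_ACTIONS = {"ce:GetCostAndUsage", "s3:PutObject"}
# Cost Explorer permissions are not resource-scoped in IAM, so "*" is expected there.
UNSCOPED_ACTIONS = {"ce:GetCostAndUsage"}

# Constructed: the kind of role a quick-start tutorial hands out.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ce:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    ],
}

# Constructed: the shape the page describes, one read action and one write target.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ce:GetCostAndUsage", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": BUCKET_ARN + "/actual_costs.json"},
    ],
}


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, bucket_arn: str = BUCKET_ARN) -> list:
    """Return one finding per Allow grant that exceeds what the cost Lambda needs."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the role
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"statement {i}: {action} is not needed by the cost Lambda")
            elif action not in UNSCOPED_ACTIONS and not (
                resources
                and all(r == bucket_arn or r.startswith(bucket_arn + "/") for r in resources)
            ):
                findings.append(f"statement {i}: {action} is not limited to {bucket_arn}")
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("narrow", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(policy) or "ok")
```

Running the check in the same CI pipeline that runs Infracost keeps the role from drifting wider over time: a later commit that adds s3:GetObject or swaps the object key for a bucket-wide wildcard shows up as a finding before it is applied.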