← Back to Engineering Blog
πŸ—“οΈ Feb 18, 2024 ⏱️ 1 min read

Azure DevSecFinOps: Automating Governance at Scale

How we embedded Policy-as-Code and Infracost financial guardrails into GitHub Actions CI/CD pipelines for Azure landing zones.

πŸŽ™οΈ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

β€œFinOps isn’t just reviewing an Azure invoice at the end of the month. It’s blocking a pull request before an engineer accidentally provisions a $10,000/month VM size.”

At Kyndryl, as Associate Director, I led the deployment of automated DevSecFinOps Guardrails into GitHub Actions CI/CD pipelines.


Shifting Security and Cost Left

  • SecOps Gate (Checkov): Scans Terraform code for unencrypted storage accounts or permissive NSG rules (0.0.0.0/0).
  • FinOps Gate (Infracost): Parses terraform plan output, calculating exact monthly cost impacts directly on pull requests.
# # GitHub Action FinOps Execution Gate
- name: Run Infracost Analysis
  uses: infracost/actions/setup@v2
  with:
    api-key: ${{ secrets.INFRACOST_API_KEY }}

- name: Post Cost Comment to PR
  run: |
    infracost breakdown --path=. --format=json --out-file=infracost.json
    infracost comment github --path=infracost.json --repo=$GITHUB_REPOSITORY --github-token=${{ secrets.GITHUB_TOKEN }}

[!IMPORTANT] If a developer PR increases monthly cloud cost by more than $1,000 without prior FinOps tag approval, the build pipeline fails automatically.


The Verdict

Key Takeaway

Automate Cost and Security Enforcement Before Merge.

Shift security and cost checks directly into your CI/CD pipelines. Using tools like Checkov and Infracost prevents technical debt and budget overruns before code reaches production.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.