Public, forkable cloud cost governance lab for showing tagging policy, budget controls, cost anomaly review, cleanup candidates, and FinOps-style release evidence.
This repo does not require AWS credentials. It uses sample cloud inventory and cost data so the governance workflow can run safely in CI.
- Required cloud tagging policy
- Monthly budget threshold evaluation
- Forecasted spend checks
- Untagged cost detection
- Idle and cleanup candidate detection
- Rightsizing recommendation evidence
- Cost anomaly review workflow
- Governance report generation
- GitHub Actions validation with SHA-pinned actions
- Local validation without cloud credentials
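The SHA-pinning item above is a supply-chain control: a `uses:` reference pinned to a tag or branch can be moved to different code by whoever controls that ref, while a full commit SHA cannot. The check below is an added Python example, not one of the repository's own scripts; it assumes workflows use the standard `uses:` step syntax, and the sample workflow and its 40-hex SHA are constructed placeholders rather than real action revisions.

```python
import re

# Captures the reference after `uses:` on step lines (`- uses: ...`) and on
# job-level reusable-workflow lines (`uses: ...`). A trailing `# v4` comment,
# common after renovate/dependabot pinning, is not part of the capture.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'skipped' for one `uses:` reference.

    Local actions (./path) and docker:// images are not pinned by a Git ref,
    so they are skipped here rather than flagged; review them separately.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if "@" not in ref:
        return "unpinned"                 # no ref at all, resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"

def find_unpinned_actions(workflow_yaml: str) -> list[str]:
    """Every `uses:` reference not pinned to a full 40-hex commit SHA."""
    return [ref for ref in USES_RE.findall(workflow_yaml)
            if classify_uses(ref) == "unpinned"]

# Constructed sample workflow (not the repository's workflow file). The SHA is
# a placeholder pattern, not a real commit of actions/setup-python.
SAMPLE_WORKFLOW = """\
name: governance
on: [push, pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-report
      - run: ./scripts/validate-local.sh
"""

if __name__ == "__main__":
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not SHA-pinned: {ref}")
```

Run as a pre-merge check over `.github/workflows/*.yml` and fail the job when the list is non-empty. A tag-pinned reference such as `actions/checkout@v4` is reported; a short SHA is also reported, since only the full 40-character SHA is immutable.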
| Path | Purpose |
|---|---|
| `data` | Sample inventory, cost, and usage data |
| `governance` | Tag policy, budget policy, and cleanup rules |
| `reports` | Human-readable governance report template |
| `scripts` | Local validation and report generation |
| `security/evidence` | Generated evidence target description |
Run:

```bash
./scripts/validate-local.sh
```

The validation generates:

```text
.artifacts/governance-report.json
.artifacts/governance-summary.md
```
Generated artifacts are ignored by git.
The lab treats cost control as an engineering workflow with checks that can fail a build:
- Every resource must carry the required ownership tags.
- Every application must have a monthly budget.
- Forecasted month-end spend must stay below the critical threshold.
- Idle resources must be surfaced before they become waste.
- Exceptions must be explicit, recorded, and time-bound; an expired exception no longer suppresses a finding.
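The checks in the feature list and the rules above, implemented as one added Python example. This is not the repository's `scripts/` code or its `governance/` policy files: the data shapes, the thresholds (forecast at 80% of budget warns, at 100% is critical, under 5% average CPU is idle), and the linear run-rate forecast are assumptions chosen for the illustration, and the resources, budgets, and exceptions are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
import calendar

REQUIRED_TAGS = ("owner", "app", "cost-center")   # assumed tag policy
IDLE_CPU_PCT = 5.0                                # assumed idle threshold
WARN_RATIO, CRITICAL_RATIO = 0.8, 1.0             # assumed budget thresholds

@dataclass(frozen=True)
class Resource:
    resource_id: str
    tags: dict
    month_to_date_cost: float   # USD billed so far this month
    avg_cpu_pct: float          # trailing average utilisation

@dataclass(frozen=True)
class TagException:
    resource_id: str
    expires: date               # exceptions must be time-bound
    reason: str

def missing_tags(resource: Resource) -> list[str]:
    return [t for t in REQUIRED_TAGS if not resource.tags.get(t)]

def active_exceptions(exceptions, today: date) -> set[str]:
    """Only unexpired exceptions suppress a finding."""
    return {e.resource_id for e in exceptions if e.expires >= today}

def check_tags(resources, exceptions, today: date) -> list[dict]:
    excepted = active_exceptions(exceptions, today)
    return [{"check": "required-tags", "resource": r.resource_id,
             "missing": missing_tags(r), "cost": r.month_to_date_cost}
            for r in resources if missing_tags(r) and r.resource_id not in excepted]

def untagged_cost(resources, exceptions, today: date) -> float:
    """Month-to-date spend on resources that fail the tag policy without an active exception."""
    return round(sum(f["cost"] for f in check_tags(resources, exceptions, today)), 2)

def forecast_month_end(month_to_date_cost: float, today: date) -> float:
    """Linear run-rate forecast: spend so far scaled to the full month."""
    days_in_month = calendar.monthrange(today.year, today.month)[1]
    return round(month_to_date_cost / today.day * days_in_month, 2)

def check_budgets(resources, budgets: dict, today: date) -> list[dict]:
    spend: dict = {}
    for r in resources:                       # group spend by the app tag
        app = r.tags.get("app", "<untagged>")
        spend[app] = spend.get(app, 0.0) + r.month_to_date_cost
    findings = []
    for app, actual in sorted(spend.items()):
        forecast, budget = forecast_month_end(actual, today), budgets.get(app)
        if budget is None:
            status = "no-budget"              # every application must have a budget
        elif forecast >= budget * CRITICAL_RATIO:
            status = "critical"
        elif forecast >= budget * WARN_RATIO:
            status = "warning"
        else:
            status = "ok"
        findings.append({"check": "budget", "app": app, "actual": round(actual, 2),
                         "forecast": forecast, "budget": budget, "status": status})
    return findings

def check_idle(resources) -> list[str]:
    return [r.resource_id for r in resources if r.avg_cpu_pct < IDLE_CPU_PCT]

def run_governance(resources, budgets, exceptions, today: date) -> dict:
    report = {"tags": check_tags(resources, exceptions, today),
              "untagged_cost": untagged_cost(resources, exceptions, today),
              "budgets": check_budgets(resources, budgets, today),
              "idle": check_idle(resources)}
    # Tag violations and critical/unbudgeted spend fail the run; idle is advisory.
    report["passed"] = not report["tags"] and all(
        b["status"] in ("ok", "warning") for b in report["budgets"])
    return report

# Constructed sample data (not the repository's data/ files).
TODAY = date(2025, 6, 15)                     # 15 of 30 days elapsed
RESOURCES = [
    Resource("i-web-1", {"owner": "team-web", "app": "web", "cost-center": "cc-100"}, 600.0, 40.0),
    Resource("i-web-2", {"app": "web", "cost-center": "cc-100"}, 300.0, 2.0),     # no owner, idle
    Resource("i-bill-1", {"owner": "team-bill", "app": "billing", "cost-center": "cc-200"}, 420.0, 60.0),
    Resource("db-legacy", {}, 400.0, 1.0),                                         # untagged, excepted
]
BUDGETS = {"web": 1500.0, "billing": 1000.0}
EXCEPTIONS = [
    TagException("db-legacy", date(2025, 12, 31), "decommission ticket open"),  # active
    TagException("i-web-2", date(2025, 5, 31), "migration"),                    # expired
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_governance(RESOURCES, BUDGETS, EXCEPTIONS, TODAY), indent=2, default=str))
```

With the sample data the run fails: `i-web-2` is missing `owner` and its exception expired on 2025-05-31, so the finding returns and its $300 counts as untagged spend; `db-legacy` is still excepted, but it is untagged, so its cost lands in an `<untagged>` bucket with no budget; `web` forecasts $1,800 against a $1,500 budget (critical) and `billing` forecasts $840 against $1,000 (warning). The linear forecast is deliberately simple; a real account would take the forecast from the billing provider rather than extrapolate it.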
For a real cloud account, this pattern can be extended with:
- AWS Cost Explorer exports
- AWS Budgets notifications
- Cost Anomaly Detection
- AWS Config tag compliance
- Resource cleanup automation
- Pull request checks against Terraform plans
- Monthly FinOps review reports