
Air-gapped Terraform cost estimation for regulated environments

Federal, defense, and regulated industries can't use SaaS-based cost tools. Here's how to set up fully offline Terraform cost estimation for IL5/IL6, GovCloud, and classified environments.

The C3X Team · 11 min read

Quick answer

Run c3x pricing sync on a machine with internet access to download the pricing dataset, then transfer the database file to your air-gapped network. Estimate Terraform costs with c3x estimate --path . --offline; no external network calls happen during the estimate. This fits IL5/IL6, classified environments, GovCloud, and any regulated workload where SaaS-based cost tools aren't permitted.

Federal agencies, defense contractors, and regulated industries have a problem the rest of the cloud world doesn't: they can't send Terraform configurations to an external SaaS for cost estimation. The data is sensitive, the network is restricted, and the audit trail for outbound calls is a compliance burden. The commercial cost estimation tools that dominate the space (Infracost, Vantage, CloudZero) all require external API connectivity. That excludes them from IL5+, classified, and many regulated environments.

C3X was designed for this gap. The CLI is a single self-contained binary, the pricing database is a portable file, and offline mode guarantees zero external calls during estimation. This post walks through how to set up air-gapped cost estimation, what to know about pricing data hygiene, and the operational patterns federal and regulated teams have settled into.

The two-stage setup

Air-gapped cost estimation has two stages: pricing data acquisition (online) and cost estimation (offline). They run on separate machines on separate networks.

Stage 1: pricing sync on a connected machine

On a machine with internet access (typically a low-side or development workstation, not a high-side workstation), download the pricing database:

c3x pricing sync --providers aws,azure,gcp --output ./pricing-db.tar.gz

This pulls from AWS bulk pricing, Azure Retail Prices, and GCP Billing Catalog, then writes a compressed SQLite database containing 2.7M+ SKUs. The file is roughly 800 MB compressed, 2 GB uncompressed.

For environments where outbound access to public pricing endpoints is not allowed at all, you can run the c3x-pricing-api scraper on a physically separate machine, write out the SQLite database, and transport the file via approved means (CD, one-way diode, sneakernet).

Stage 2: estimate on the air-gapped machine

Copy pricing-db.tar.gz to the air-gapped network using your organization's approved transfer process. On the air-gapped machine, extract and point c3x at it:

tar xzf pricing-db.tar.gz -C /var/lib/c3x/

# Estimate using offline mode
c3x estimate --path /path/to/terraform --offline --pricing-db /var/lib/c3x/pricing.db

With --offline, c3x makes no external network calls. All pricing lookups go to the local database. The estimate runs entirely within the air-gapped network.
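The transfer step is where integrity matters: the high side should refuse a pricing bundle that was corrupted or altered in transit. The script below is an added example, not C3X's own tooling. It assumes the bundle is the pricing-db.tar.gz produced by c3x pricing sync and that it extracts to pricing.db, as in the commands above; the C3X_SIGN_KEY variable and the .sha256/.asc sidecar file names are conventions invented for this example.

```shell
#!/bin/sh
# Added example (not part of the C3X project): package the pricing bundle on
# the low side with a SHA-256 manifest and optional detached signature, and
# refuse to install it on the high side unless the manifest matches.
set -eu

# Hex SHA-256 of a file, using whichever tool the box has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Low side: write <bundle>.sha256 ("<hex>  <filename>") and, if a signing key
# is named in C3X_SIGN_KEY (a variable assumed for this example), a detached
# ASCII-armoured gpg signature <bundle>.asc that travels with the bundle.
package_bundle() {
    bundle="$1"
    printf '%s  %s\n' "$(sha256_of "$bundle")" "$(basename "$bundle")" > "$bundle.sha256"
    if [ -n "${C3X_SIGN_KEY:-}" ]; then
        gpg --batch --yes --local-user "$C3X_SIGN_KEY" --armor --detach-sign \
            --output "$bundle.asc" "$bundle"
    fi
}

# High side: recompute the digest and compare with the manifest; verify the
# signature when one came along. Returns 1 on any mismatch.
verify_bundle() {
    bundle="$1"
    expected=$(cut -d' ' -f1 "$bundle.sha256")
    actual=$(sha256_of "$bundle")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $bundle: expected $expected, got $actual" >&2
        return 1
    fi
    if [ -f "$bundle.asc" ]; then
        gpg --batch --verify "$bundle.asc" "$bundle" \
            || { echo "signature check failed for $bundle" >&2; return 1; }
    fi
    return 0
}

# High side: verify, then extract into the c3x data directory and print the
# path to hand to c3x estimate --pricing-db.
install_bundle() {
    bundle="$1"; dir="${2:-/var/lib/c3x}"
    verify_bundle "$bundle"
    mkdir -p "$dir"
    tar xzf "$bundle" -C "$dir"
    echo "$dir/pricing.db"
}

case "${1:-}" in
    package) package_bundle "$2" ;;
    verify)  verify_bundle "$2" ;;
    install) install_bundle "$2" "${3:-/var/lib/c3x}" ;;
    *) echo "usage: $0 package|verify|install <bundle> [install-dir]" >&2 ;;
esac
```

Run `package` on the low side before the bundle goes through the cross-domain process, and `install` on the high side; a one-byte change to the bundle makes `install` stop before tar ever runs. The manifest carries the file name as well as the digest so that it can be checked by hand with sha256sum -c where the script itself cannot be imported.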

How to verify "no external calls"

Security review for federal customers typically includes verifying the claim of no external network calls. Three ways to confirm:

  1. Source code review. C3X is Apache 2.0 open source. The full source is at github.com/c3xdev/c3x. The offline mode flag short-circuits all network paths; you can grep for httpClient or fetch and verify they're conditionally disabled.
  2. Process-level isolation. Run c3x in a network namespace with no interfaces: unshare -n c3x estimate --path . --offline (creating a network namespace needs root; as an unprivileged user, unshare -rn does the same inside a user namespace). If c3x attempts any external call, it'll fail. We test this in CI as part of the release process.
  3. Audit log inspection. Capture syscall traces (strace -f -e trace=network, so child processes are followed too) during a c3x estimate run with --offline and confirm no network syscalls (other than localhost loopback for the local pricing DB) are made.
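Reading a raw strace log by eye is error-prone, and a security reviewer usually wants the check to be repeatable. The script below is an added example, not part of C3X or its release CI: it wraps the namespace check, runs strace with the options above, and then filters the log down to connect()/sendto()/sendmsg() calls whose peer is not loopback. The strace excerpt embedded in it is constructed for the demonstration, not captured from c3x.

```shell
#!/bin/sh
# Added example (not part of the C3X project): run a command with no network
# namespace access, and/or trace its network syscalls and flag any peer that
# is not loopback. Works on any command; c3x is just the one under review here.
set -eu

# unshare -n needs root; -r first maps you to root inside a user namespace so
# the same check works unprivileged. Loopback is down in the new namespace, so
# even a localhost pricing API would be unreachable: only --offline survives.
run_without_network() {
    unshare -rn -- "$@"
}

# Trace network-family syscalls (following children) into $1, then analyse.
trace_network() {
    log="$1"; shift
    strace -f -e trace=network -o "$log" -- "$@" || true   # the log matters, not the exit code
    external_connects "$log"
}

# connect()/sendto()/sendmsg() lines whose peer is AF_INET/AF_INET6 and not
# loopback. AF_UNIX (local IPC such as nscd) and 127.x / ::1 are ignored; an
# internal DNS resolver or pricing API still shows up, because the question
# for --offline is whether anything leaves the box at all.
external_connects() {
    grep -E '(^|[] ])(connect|sendto|sendmsg)\(' "$1" \
      | grep -E 'sa_family=AF_INET6?' \
      | grep -Ev 'inet_addr\("127\.[0-9.]+"\)|inet_pton\(AF_INET6, "::1"' || true
}

# Number of such calls; 0 is what an --offline run should produce.
external_connect_count() {
    external_connects "$1" | grep -c . || true
}

# Constructed strace excerpt (not real c3x output): one AF_UNIX probe, a DNS
# query to an internal resolver, an HTTPS connection to an external host, and
# a loopback connection to a local database.
sample_log() {
cat <<'EOF'
1001  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
1001  connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
1001  socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 4
1001  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.0.2")}, 16) = 0
1001  sendto(4, "\276\3\1\0\0\1\0\0\0\0\0\0\7pricing"..., 36, MSG_NOSIGNAL, NULL, 0) = 36
1001  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 5
1001  connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
1001  socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 6
1001  connect(6, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
echo "non-loopback peers in the constructed sample: $(external_connect_count "$tmp")"   # 2
external_connects "$tmp"
rm -f "$tmp"

# Real use: ./netcheck.sh c3x estimate --path . --offline
if [ "$#" -gt 0 ]; then
    trace_network ./c3x-network.trace "$@"
fi
```

On the constructed sample the filter reports two peers (the resolver and the external HTTPS host) and drops the AF_UNIX probe and the loopback connection. For a real --offline run the expected count is zero; keep the trace file with the review record so the result can be reproduced.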

Self-hosted pricing API inside the network

For environments where you want network-style access to pricing data but still want to stay within the network boundary, run the self-hosted pricing API.

# On a server inside the air-gapped network
docker compose -f /opt/c3x-pricing-api/docker-compose.yml up -d

# Restore pricing data from the synced file
docker compose exec api c3x-pricing-api import /tmp/pricing-db.tar.gz

# Configure c3x to use the internal endpoint
export C3X_PRICING_API_ENDPOINT=https://pricing.internal.example.gov

Engineers in the network can now run c3x estimate normally without --offline. The CLI queries the internal pricing endpoint, so pricing traffic never leaves the network.
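Once engineers are running without --offline, the only thing keeping pricing queries inside the boundary is the value of C3X_PRICING_API_ENDPOINT. A guard in the shared shell profile or CI wrapper that refuses to proceed unless the endpoint is HTTPS and resolves only to internal addresses is cheap insurance against a stale or copy-pasted public URL. The script below is an added example, not part of C3X; the private-range list and the use of getent for resolution are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the C3X project): refuse to run estimates unless
# C3X_PRICING_API_ENDPOINT is an HTTPS URL whose host is an IP literal, or
# resolves only to addresses, inside private/loopback ranges. Resolution uses
# getent (assumed available); an unresolvable host is unverified, not safe.
set -eu

# Host part of a URL: drop scheme, userinfo, port and path; unwrap [v6].
url_host() {
    h="${1#*://}"; h="${h%%/*}"; h="${h##*@}"
    case "$h" in
        \[*) h="${h#\[}"; h="${h%%\]*}" ;;
        *)   h="${h%%:*}" ;;
    esac
    echo "$h"
}

# RFC 1918, loopback and IPv6 ULA/link-local/loopback count as internal.
is_private_ip() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        ::1|fc*|fd*|fe80:*|FC*|FD*|FE80:*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 = every address is internal; 1 = external or plaintext; 2 = unresolvable.
endpoint_is_internal() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS pricing endpoint: $url" >&2; return 1 ;;
    esac
    host=$(url_host "$url")
    case "$host" in
        *:*)        addrs="$host" ;;                        # IPv6 literal
        *[!0-9.]*)                                          # hostname: resolve it
            command -v getent >/dev/null 2>&1 \
                || { echo "cannot resolve $host (no getent)" >&2; return 2; }
            addrs=$(getent ahosts "$host" | awk '{print $1}' | sort -u)
            [ -n "$addrs" ] || { echo "cannot resolve $host" >&2; return 2; }
            ;;
        *)          addrs="$host" ;;                        # IPv4 literal
    esac
    for a in $addrs; do
        is_private_ip "$a" \
            || { echo "$host resolves to non-internal address $a" >&2; return 1; }
    done
    return 0
}

# Wire it in front of the estimate: abort unless the endpoint is internal.
if [ -n "${C3X_PRICING_API_ENDPOINT:-}" ]; then
    endpoint_is_internal "$C3X_PRICING_API_ENDPOINT"
    echo "ok: $C3X_PRICING_API_ENDPOINT stays inside the network; safe to run c3x estimate"
fi
```

Source this before c3x estimate in the CI wrapper (set -e makes a failed check abort the job). Treating an unresolvable name as a distinct failure matters: on a high-side network DNS may legitimately be unavailable, and silently passing in that case would defeat the guard.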

For more on the self-hosted pricing API architecture, see self-hosting a cloud pricing API on a €4 VPS. The same docker-compose works inside a regulated network.

AWS GovCloud support

AWS publishes GovCloud pricing in separate bulk pricing files for the us-gov-west-1 and us-gov-east-1 regions. C3X's pricing sync includes them automatically. Estimates work for resources in both commercial and GovCloud regions in the same template.

Important detail: GovCloud has different pricing than commercial AWS, sometimes higher. An m5.xlarge in us-east-1 is $0.192/hour; the same instance in us-gov-west-1 is $0.246/hour, about 28% more. If your Terraform deploys to GovCloud, make sure the provider's region attribute is set correctly so c3x uses the right rates.

Operational patterns for federal teams

Three patterns we've seen federal and defense contractor teams adopt for air-gapped cost estimation:

Weekly cross-domain pricing refresh

A scheduled job on a low-side workstation runs c3x pricing sync every Monday, signs the resulting database, and transfers it to the high-side network via the approved cross-domain process. The high-side workstation imports the database into the self-hosted pricing API. Engineers query that API as part of their normal Terraform workflow.

Weekly refresh is appropriate because cloud pricing changes infrequently. AWS publishes updates to bulk pricing files at roughly the same cadence.

CI integration with embedded pricing database

For teams running CI inside the air-gapped network (e.g., a GitLab runner on isolated infrastructure), the CI image bundles a recent pricing database. The image rebuilds weekly with a fresh database; PR jobs use the most recent image. This way no CI job needs network access for pricing.

# Dockerfile for the CI image
FROM c3xdev/c3x:latest
COPY ./pricing-db.tar.gz /var/lib/c3x/
RUN tar xzf /var/lib/c3x/pricing-db.tar.gz -C /var/lib/c3x/

ENV C3X_OFFLINE=true
ENV C3X_PRICING_DB=/var/lib/c3x/pricing.db

Engineers don't see the offline flag; the image makes it transparent.

Manual exports for cost reviews

For monthly cost reviews where teams generate written estimates as documents, an engineer runs c3x estimate offline on their workstation, formats the output as JSON or markdown, and includes it in the cost review document. No external calls; the document is generated entirely on the trusted workstation.

c3x estimate --path . --offline --format json > monthly-estimate.json
c3x estimate --path . --offline --format markdown > monthly-estimate.md

What's not supported in offline mode

Three things require online access and aren't available in offline mode:

  1. Pricing data updates. Obviously, you need internet to refresh the local pricing database. Run pricing sync on a connected machine and transfer the result.
  2. Recommendations that require AWS APIs. Some recommendations (e.g., "this instance is under-utilized based on CloudWatch metrics") require live AWS access. They're skipped in offline mode. Recommendations that only need pricing data (m5 → m7i, gp2 → gp3) still work.
  3. PR comment integration with GitHub/GitLab/Bitbucket. Posting comments requires reaching the platform API. For air-gapped CI, the comment step is skipped or replaced with a local artifact attached to the build.

Compliance considerations

Beyond the technical setup, three compliance considerations come up regularly in security reviews:

Software supply chain

C3X distributes binaries via GitHub releases. Each release has SHA-256 checksums and is signed. Source code is on GitHub for review. For environments requiring stricter supply chain guarantees, build c3x from source on a trusted build system; the codebase is plain Go with standard dependencies.

Telemetry

C3X has no telemetry. The binary makes no analytics calls, no usage reporting, no anonymous identifiers. The only outbound calls are to the pricing API endpoint, which is configurable and can be set to a local self-hosted instance or disabled entirely with --offline.

Data handling

C3X reads Terraform configurations from local disk. The configurations stay on local disk. No part of the Terraform file is sent over the network in any mode. The only network traffic (when not in offline mode) is the pricing query: a list of attribute filters and a returned price.

For environments where even the resource type names are sensitive, offline mode is the only acceptable choice. With --offline, the pricing query never leaves the machine.

FAQ

Can I estimate Terraform costs in an air-gapped environment?

Yes. C3X supports fully offline mode. Run c3x pricing sync once on a machine with internet access to download the pricing dataset, transfer the database file to the air-gapped network, then estimate with --offline. No external API calls during the estimate.

What about IL5/IL6 and classified environments?

C3X is suitable for IL5/IL6 deployments. The binary is self-contained, has no telemetry, no auto-update, no outbound calls in offline mode. Source code is Apache 2.0 on GitHub for security review. The pricing database is a single SQLite or PostgreSQL file that can be vetted before introduction to the secured network.

How often do I need to refresh the offline pricing database?

Cloud pricing changes infrequently, typically a few times per quarter. Monthly refresh is sufficient for most workloads. For environments with stricter accuracy requirements, weekly refreshes are reasonable. Compare to the official AWS bulk pricing publication frequency, which is also typically weekly to monthly.

Does the offline mode support AWS GovCloud?

Yes. AWS publishes GovCloud pricing in the same bulk pricing format as commercial AWS, in separate JSON files for the GovCloud regions. C3X downloads them via the same c3x pricing sync command. Pricing for us-gov-west-1 and us-gov-east-1 is included alongside commercial regions in the database.

Can I run the self-hosted pricing API inside an air-gapped network?

Yes. The self-hosted pricing API (the c3x-pricing-api repo) is the same docker-compose that runs the public pricing.c3x.dev. Stand it up inside your VPC or air-gapped network. The scrape job needs internet access to download pricing data; run it on a periodically-connected machine and transfer the resulting database file to the air-gapped instance.

Does C3X have FedRAMP authorization?

C3X is open-source software, not a SaaS service, so FedRAMP authorization doesn't apply in the conventional sense. When deployed inside a FedRAMP-authorized environment, C3X inherits the environment's authorization. Most federal customers running C3X do so as a contractor-installed binary inside an already-authorized boundary.

Getting started in your environment

The fastest path to working air-gapped cost estimation:

  1. On a connected machine, install c3x and run c3x pricing sync --providers aws,azure,gcp --output pricing-db.tar.gz.
  2. Transfer the file to your air-gapped network using your organization's approved process.
  3. On the air-gapped machine, install c3x (binary from a verified release) and extract the pricing database.
  4. Run c3x estimate --path . --offline to verify it works.
  5. For team-wide access, stand up the self-hosted pricing API and point engineers' CLI configurations at it.

For step-by-step details on each phase, see the self-hosted docs. For the CLI command reference including all offline-mode flags, see the CLI documentation. For the broader product positioning, the Infracost alternative comparison covers why most SaaS-based cost tools can't fit this use case.

Try C3X on your own Terraform

Free and open source. No API key required. One command to install, one command to estimate.