Forced tagging for terraform resources in AWS

I was wondering if there is a good way to enforce the tagging of AWS resources for all developers. Or at least provide a predefined set of tags that are inserted automatically. The reason behind this is that some team members forget to tag their resources or use a different set of tags. Furthermore, if you want to change the tags for future deployments you have to change them everywhere. So, my idea up to now is to create a map that includes all tags that should be set by default (project, version, cost allocation). Now everyone can use this default list and add further tags if needed for their resources. But there is no guarantee that everybody is using this map for default tagging. I don't know of a way to achieve that, but maybe someone has a good idea how to do this...

Stefan Avatar asked Nov 02 '25 15:11



2 Answers

Option 1: Within Terraform Enterprise, you can use Sentinel to enforce policies for how a resource should look. See the HashiCorp example for enforced tags: https://github.com/hashicorp/terraform-guides/blob/master/governance/second-generation/aws/enforce-mandatory-tags.sentinel

Option 2: If you don't have Terraform Enterprise, create modules with parameters that fill in the tags within the module, and discourage usage of "plain" aws resources.

Option 3: Make tag inspection part of your automated test suite (e.g. with terratest), and let tests fail when they do not have appropriate tags.

mjahr Avatar answered Nov 04 '25 06:11



To solve this problem, we created a tags module which each project is expected to use when defining resources. The module has parameters for product_name, service_name, as well as an extra_tags parameter. It then combines those values with an internal map and exports the final map so that it can be used throughout the project.

Within our team culture, each team understands that tagging is important to maintaining control and responsibility of the resources and costs in AWS. Not tagging your resources is a reason for getting a PR marked declined or needs work.

We do use AWS Config to monitor for untagged resources and notify us; however, your best line of defense for keeping resources tagged is culture and pull request reviews.

rclement Avatar answered Nov 04 '25 07:11

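The tags module pattern from this answer (and Option 2 of the answer above), written out as an added example that is not the poster's own code. The variable names product_name, service_name and extra_tags come from the answer; the file layout, the internal tag keys, the validation rules and the sample values are assumptions. Base tags are merged last so a caller cannot silently override the keys the organisation relies on for cost allocation.

```hcl
# modules/tags/variables.tf  (assumed module layout)
variable "product_name" {
  type = string
  validation {
    condition     = length(trimspace(var.product_name)) > 0
    error_message = "product_name must not be empty; untagged resources cannot be cost-allocated."
  }
}

variable "service_name" {
  type = string
  validation {
    condition     = length(trimspace(var.service_name)) > 0
    error_message = "service_name must not be empty."
  }
}

variable "extra_tags" {
  type    = map(string)
  default = {}
}

# modules/tags/main.tf
locals {
  # Internal map every project inherits. merge() lets later maps win on
  # key conflicts, so putting base_tags last means extra_tags can add
  # keys but never replace Product/Service/ManagedBy.
  base_tags = {
    Product   = var.product_name
    Service   = var.service_name
    ManagedBy = "terraform"
  }
  tags = merge(var.extra_tags, local.base_tags)
}

output "tags" {
  value = local.tags
}

# Root module: every resource takes module.tags.tags instead of hand-written tags.
module "tags" {
  source       = "./modules/tags"
  product_name = "billing"     # constructed sample values
  service_name = "invoice-api"
  extra_tags   = { Owner = "team-payments" }
}

resource "aws_s3_bucket" "invoices" {
  bucket = "example-invoices-bucket"
  tags   = merge(module.tags.tags, { Name = "invoices" })
}
```

Running `terraform validate` fails on an empty product_name or service_name before any plan is produced, which gives reviewers a mechanical check to back up the PR policy described above.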


