Tag Enforcement Setup
Prerequisites
- AWS account with appropriate permissions
- AWS Organizations enabled (for organization-wide enforcement)
- Terraform >= 1.0
Step 1: Define the Tagging Policy
module "org_tags" {
  source  = "registry.patterneddesigns.ca/standardnat/tagging-policy/aws"
  version = "1.1.0"

  required_tags = [
    "Environment",
    "Owner",
    "CostCenter",
    "Project"
  ]

  tag_values = {
    Environment = ["dev", "staging", "prod"]
  }

  default_tags = {
    ManagedBy    = "terraform"
    Organization = "acme-corp"
  }

  enforce_lowercase = true
}
Step 2: Apply Provider Default Tags
Configure the AWS provider to automatically apply tags:
provider "aws" {
  region = "us-east-1"

  default_tags {
    tags = module.org_tags.merged_tags
  }
}
Step 3: Export Validation Rules
Export the validation rules for use in CI/CD pipelines:
output "tag_validation_rules" {
  value       = module.org_tags.validation_rules
  description = "Tag validation rules for policy enforcement"
}

output "required_tags" {
  value       = module.org_tags.required_tag_keys
  description = "List of required tag keys"
}
Step 4: Deploy and Verify
Run terraform apply and verify tags are applied to resources.
terraform apply

# Verify tags on a resource
aws ec2 describe-instances \
  --query "Reservations[].Instances[].Tags" \
  --output table
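
A CI gate can catch untagged resources before Step 4 by checking the plan rather than the deployed resources. The following is an added example, not code from the module or this guide: it hard-codes the policy from Step 1 because the format of the `validation_rules` output is not shown here, the function name `find_violations` is hypothetical, and the sample plan is constructed in the shape of `terraform show -json` output.

```python
import json

# Policy values copied from the module call in Step 1.
REQUIRED_TAGS = ["Environment", "Owner", "CostCenter", "Project"]
ALLOWED_VALUES = {"Environment": ["dev", "staging", "prod"]}

# Constructed sample in the shape of `terraform show -json plan.out` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_instance.web", "change": {"actions": ["create"],
    "after": {"tags_all": {"Environment": "prod", "Owner": "platform",
                           "CostCenter": "cc-1001", "Project": "storefront"}}}},
  {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"],
    "after": {"tags_all": {"Environment": "qa", "Owner": "platform"}}}},
  {"address": "aws_instance.old", "change": {"actions": ["delete"], "after": null}},
  {"address": "aws_iam_role_policy_attachment.app", "change": {"actions": ["create"],
    "after": {"role": "app"}}}
]}
""")


def find_violations(plan, required=REQUIRED_TAGS, allowed=ALLOWED_VALUES):
    """Return sorted (address, problem) pairs for created or updated resources."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        # Skip deletes and no-ops; only resources that will exist need checking.
        if not after or not {"create", "update"} & set(change.get("actions", [])):
            continue
        # Skip resource types that expose no tags attribute at all.
        if "tags_all" not in after and "tags" not in after:
            continue
        tags = after.get("tags_all") or after.get("tags") or {}
        for key in required:
            if not tags.get(key):
                violations.append((rc["address"], f"missing tag {key}"))
        for key, values in allowed.items():
            if tags.get(key) and tags[key] not in values:
                violations.append((rc["address"], f"{key}={tags[key]} not allowed"))
    return sorted(violations)


if __name__ == "__main__":
    for address, problem in find_violations(SAMPLE_PLAN):
        print(f"{address}: {problem}")
    raise SystemExit(1 if find_violations(SAMPLE_PLAN) else 0)
```

In a pipeline, replace `SAMPLE_PLAN` with the parsed output of `terraform show -json` for the saved plan and fail the job on a non-zero exit. Checking `tags_all` rather than `tags` means tags supplied through the provider's `default_tags` block count toward the policy.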