Tags feel optional right up until the day finance asks why the cloud bill doubled and nobody can attribute the spend, or a security review asks who owns an exposed bucket and the answer is a shrug. A tagging strategy is cheap insurance against those moments — but only if it's consistent, and consistency is exactly what humans clicking through consoles fail to deliver. Terraform is how you make tagging automatic and durable. Here's the strategy and the code.
- Why tags matter more than they look
- A practical tagging convention
- default_tags: tag everything, once
- Per-resource tags and overrides
- Enforcing required tags
- Tags drift too
- FAQ
Why tags matter more than they look
A tag is just a key-value label, but tags quietly power four things:
- Cost allocation. Cost-allocation tags let you slice the bill by team, environment, or product — impossible to do reliably after the fact without them.
- Automation. Backup schedules, auto-shutdown, and patching often target resources by tag.
- Access & security. Tag-based IAM conditions and attribute-based access control depend on trustworthy tags.
- Operations. When something breaks at 2 a.m., Owner and Service tags tell you who to call and what it belongs to.
A practical tagging convention
Keep it small enough that people actually comply. A solid baseline of required tags:
- Environment — prod / staging / dev
- Owner — the team or email responsible
- Service — the application or system the resource belongs to
- ManagedBy — e.g. terraform, so console-created resources stand out
- CostCenter — for finance attribution
Standardise the details: lower-case keys or PascalCase — pick one and document it. Fixed allowed values for Environment. A short, written tag dictionary beats a sprawling, inconsistently applied one.
default_tags: tag everything, once
The AWS provider's default_tags block applies a common set of tags to every taggable resource it manages — so you define the org-wide tags in one place instead of copy-pasting them onto hundreds of resources:
provider "aws" {
  region = "ap-south-1"

  default_tags {
    tags = {
      Environment = "prod"
      ManagedBy   = "terraform"
      CostCenter  = "platform"
    }
  }
}
Every resource the provider creates now carries those tags automatically. This is the single highest-leverage move in a Terraform tagging strategy.
Per-resource tags and overrides
Resource-specific tags merge with the defaults, and a resource-level tag of the same key overrides the default:
resource "aws_instance" "api" {
  # ...
  tags = {
    Service = "checkout-api"
    Owner   = "payments-team"
  }
}

# Result: Environment + ManagedBy + CostCenter (from default_tags)
# merged with Service + Owner (from the resource)
Keep universal tags in default_tags and only the resource-specific ones (Service, Owner) on the resource. That keeps the configuration DRY and the intent obvious.
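The convention, the provider-level default_tags and the per-resource override rule above, put together in one configuration. This is an added example, not code from the original post: the region, the placeholder AMI and bucket name, and the team and cost-center values are assumptions, and the validation block is what turns "fixed allowed values for Environment" into something Terraform refuses to plan past.

```hcl
# Added example (not from the original post). Placeholder AMI, bucket name
# and team/cost-center values; region matches the post's provider block.

variable "environment" {
  type        = string
  description = "Deployment environment; restricted to the documented allowed values."

  validation {
    condition     = contains(["prod", "staging", "dev"], var.environment)
    error_message = "Environment must be one of: prod, staging, dev."
  }
}

variable "cost_center" {
  type        = string
  description = "Finance cost center used for bill attribution."
}

locals {
  # Universal tags: identical on every taggable resource this provider manages.
  common_tags = {
    Environment = var.environment
    ManagedBy   = "terraform"
    CostCenter  = var.cost_center
  }
}

provider "aws" {
  region = "ap-south-1"

  default_tags {
    tags = local.common_tags
  }
}

# Only resource-specific tags live here; the universal set arrives via default_tags.
resource "aws_instance" "api" {
  ami           = "ami-00000000000000000" # placeholder
  instance_type = "t3.micro"

  tags = {
    Service = "checkout-api"
    Owner   = "payments-team"
  }
}

# A same-key tag on the resource wins over the provider default: this bucket
# is attributed to "payments" even though the default CostCenter is var.cost_center.
resource "aws_s3_bucket" "payments_exports" {
  bucket = "example-payments-exports" # placeholder name

  tags = {
    Service    = "checkout-api"
    Owner      = "payments-team"
    CostCenter = "payments"
  }
}

# tags_all is the merged view (default_tags + resource tags) that AWS will store;
# exposing it makes the effective tag set reviewable in plan output.
output "api_effective_tags" {
  value = aws_instance.api.tags_all
}
```

Running terraform plan with environment set to anything other than the three allowed values fails at validation before any provider call is made, which is the cheapest place to catch a convention violation.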
Enforcing required tags
Code makes tagging easy; enforcement makes it reliable. Layer a few controls:
- AWS tag policies (via AWS Organizations) define which tags are required and what values are allowed across accounts.
- Service control policies can deny creation of resources missing mandatory tags.
- Policy-as-code in your pipeline (e.g. checks on the Terraform plan) can fail a PR that introduces untagged resources before it ever reaches AWS.
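Terraform itself can carry a required-tags check alongside the external controls listed above, so a resource missing a mandatory key fails the plan or apply rather than reaching AWS. This is an added example, not code from the original post; it assumes default_tags is configured on the provider as shown earlier, and the required-key list, the placeholder AMI and the resource values are assumptions.

```hcl
# Added example (not from the original post). Assumes the provider's
# default_tags supplies Environment, ManagedBy and CostCenter; the required
# key list and the instance values are placeholders.

variable "required_tag_keys" {
  type        = set(string)
  description = "Tag keys every resource must carry after default_tags are merged."
  default     = ["Environment", "Owner", "Service", "ManagedBy", "CostCenter"]
}

resource "aws_instance" "worker" {
  ami           = "ami-00000000000000000" # placeholder
  instance_type = "t3.micro"

  tags = {
    Service = "checkout-worker"
    Owner   = "payments-team"
  }

  lifecycle {
    # tags_all is the merged result of default_tags and this resource's tags,
    # so the condition checks exactly the set AWS would store. Any required
    # key that is absent is named in the error and the run stops.
    postcondition {
      condition     = length(setsubtract(var.required_tag_keys, keys(self.tags_all))) == 0
      error_message = "Missing required tags: ${join(", ", setsubtract(var.required_tag_keys, keys(self.tags_all)))}"
    }
  }
}
```

Removing the Owner tag from the resource makes the postcondition fail with "Missing required tags: Owner". Because the check reads the merged tags_all, a key supplied by default_tags satisfies it without being repeated on the resource, which keeps the override model from the previous section intact.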
Tags drift too
A tag changed by hand in the console is drift like any other — and tag drift is especially sneaky because nothing breaks, the cost report just quietly gets wrong. Run drift detection so a manual tag edit surfaces as an alert you can reconcile back into code, rather than discovering it during an audit. If you're codifying an existing account that was tagged inconsistently by hand, an automated scan is the fastest way to see the current tag reality across everything.
InfraSync captures the real tags on your live resources when it generates Terraform, so you start from what's actually there — then you can standardise on default_tags from a true baseline. See the AWS-to-Terraform guide for the codification step.
FAQ
What is the default_tags block in the AWS Terraform provider?
default_tags is a block on the AWS provider that applies a common set of tags to every resource the provider creates that supports tagging. It lets you define organisation-wide tags such as environment, owner, and managed-by once, instead of repeating them on every resource.
Why is an AWS tagging strategy important?
Tags drive cost allocation, automation, access control, and operational clarity. Without a consistent strategy you can't reliably attribute spend, target automation, or tell which team owns a resource. A defined, enforced convention turns tags from noise into a dependable index of your infrastructure.
How do I stop tags from drifting?
Define tags as code with default_tags so they're applied consistently, enforce required tags with AWS tag policies or service control policies, and run drift detection so any manual tag change in the console is surfaced and can be reconciled back into code.