How do I enforce tagging using Terragrunt

[josh-padnick]

I'm adapting an answer originally written by @brikis98.

Let's take a look at some options for solving this:

Use the Terraform AWS Provider

The AWS Provider supports the default_tags parameter. This works with all AWS resources except aws_autoscaling_group. Here's an example:

provider "aws" {
  default_tags {
    tags = {
      Environment = "test"
      Name        = "example"
    }
  }
}

But this has a key limitation: you have to ensure every single module specifies those tags in its provider block. There is no way to "reuse" that logic with Terraform. You just have to manually copy/paste it into every single module you create. So it’s very error prone and easy to miss it.

Static analysis

You could add static analysis to the CI / CD pipeline of your module repos that scans every module and blocks merge if that module doesn’t specify the proper default_tags block. See this example using tfsec.

Use generate blocks with Terragrunt

Terragrunt supports a generate block. Instead of hard-coding the provider block in every single module, you can ensure that every repo that uses Terragrunt has a single, central generate block used by everything in that repo. That generate block can include the default_tags you want.

Here's an example of how Gruntwork handles this when we set up new DevOps foundations customers:

generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite"
  contents = <<EOF
provider "aws" {
  default_tags {
    tags = {
      Environment = "test"
      Name        = "example"
    }
  }
}
EOF
}

---

Tracked in ticket #110367

[brikis98]

One question that comes up on the items above is how to override the tags. There are a few scenarios for this:

Scenario 1: overriding tags within a module

Let's say you've configured default_tags in your AWS provider as follows:

provider "aws" {
  default_tags {
    tags = {
      Environment = "test"
      Name        = "example"
    }
  }
}

However, in some module, you want to override these tags in a specific resource. You can do so by using the tags attribute on that resource. For example, here is how you can override the default tags in the aws_vpc resource:

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Name = "example-vpc"
  }
}

Any tags within a resource override tags in default_tags, so if you run apply on this code, then the VPC will end up with two tags, one from default_tags, and one overridden by the aws_vpc resource:

1. Environment: test
2. Name: example-vpc

Scenario 2: overriding tags on a per-environment / per-module basis

Another scenario may be that you want to override tags to different values in different live environments. For example, let's again assume you have default_tags defined as follows:

provider "aws" {
  default_tags {
    tags = {
      Environment = "test"
      Name        = "example"
    }
  }
}

And in your vpc module, instead of a hard-coded tags attribute to override these tags, you can take in tags as an input variable:

variable "tags" {
  description = "Custom tags to set on the VPC"
  type        = map(string)
  default     = {}
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = var.tags
}

Now you can optionally override the tags with different values in different environments. E.g., In stage, you might set:

tags = {
  Name = "example-vpc-stage"
}

And in prod, you might set:

tags = {
  Name = "example-vpc-prod"
}

Scenario 3: supporting tag overrides globally with Terragrunt

One other neat thing you can do with Terragrunt is to add support for overriding the tags on all resources, globally. This way, you don't have to add a tags input variable to every single module and every single resource within that module.

To do that, you first create a root terragrunt.hcl file that looks something like this:

locals {
  # The default tags to apply in all environments
  default_tags = {
    Environment = "test"
    Name        = "example"
  }

  # Load an overrides.yml file in any Terragrunt folder, or fallback to {} if none is found
  overrides     = try(yamldecode(file("${get_terragrunt_dir()}/overrides.yml")), {})

  # Read the override tags, if any, from overrides.yml, or fallback to {} if none are found
  override_tags = lookup(local.overrides, "tags", {})

  # The final tags to apply to all resources are a merge between the default tags and override tags
  tags = merge(local.default_tags, local.override_tags)
}

generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite"
  contents = <<EOF
provider "aws" {
  default_tags {
    tags = ${jsonencode(local.tags)}
  }
}
EOF
}

This structure defines some default tags to apply to all modules, but it also allows each module to optionally define an overrides.yml file with override values, including tags to override.

So, for example, in stage/networking/vpc, you might have a terragrunt.hcl that looks like this:

# Include the root terragrunt.hcl config
include "root" {
  path = find_in_parent_folders()
}

And also in stage/networking/vpc, you might have an overrides file called overrides.yml that looks like this:

tags:
  Name: vpc-stage

In prod/networking/vpc/terragrunt.hcl, you'd have the exact same contents as the stage one, but in prod/networking/vpc/overrides.yml, you'd have:

tags:
  Name: vpc-prod

In other words, any of your Terragrunt modules can now include an overrides.yml file to override the "default" config from the root terragrunt.hcl.