In this article, we will look at how to use tags with Terraform. We will explain what they are and why you might use them with some use case examples before moving on to practical examples of how to tag resources on AWS.
What we will cover:
- What are tags in Terraform?
- Use cases for tags in Terraform
- How to manage resource tags using Terraform?
- How to add multiple tags to Terraform resources?
- What are Terraform default tags?
- How to ignore changes to tags in Terraform?
- How to merge Terraform tags?
- Provider differences in Terraform tags
- Tagging shared resources on AWS
- Best practices for Terraform tags
Terraform is really powerful, but to achieve an end-to-end secure GitOps approach, you need to use a product that can run your Terraform workflows. Spacelift takes managing Terraform to the next level by giving you access to a powerful CI/CD workflow and unlocking features such as:
- Policies (based on Open Policy Agent) – You can control how many approvals you need for runs, what kind of resources you can create, and what kind of parameters these resources can have, and you can also control the behavior when a pull request is open or merged.
- Multi-IaC workflows – Combine Terraform with Kubernetes, Ansible, and other infrastructure-as-code (IaC) tools such as OpenTofu, Pulumi, and CloudFormation, create dependencies among them, and share outputs.
- Build self-service infrastructure – You can use Blueprints to build self-service infrastructure; simply complete a form to provision infrastructure based on Terraform and other supported tools.
- Integrations with any third-party tools – You can integrate with your favorite third-party tools and even build policies for them. For example, see how to integrate security tools in your workflows using Custom Inputs.
Spacelift enables you to create private workers inside your infrastructure, which helps you execute Spacelift-related workflows on your end. For more information on configuring private workers, refer to the documentation.
You can check it for free by creating a trial account or booking a demo with one of our engineers.
Terraform tags represent key-value pairs assigned to resources to improve resource categorization, cost management, and automation. They are widely used in cloud environments for optimizing infrastructure operations. A well-thought-out tagging strategy forms the backbone of successful cloud governance and resource optimization.
Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.
Frequently asked questions
What does ~> mean in Terraform?
In Terraform, ~> is the pessimistic constraint operator used for versioning. It allows updates within the same major or minor version but prevents breaking changes. For example, ~> 2.1 means any version >= 2.1.0 and < 3.0.0. Similarly, ~> 2.1.3 allows versions < 2.2.0. This helps ensure compatibility without locking to a single patch.
How do you ignore certain tags in Terraform?
Add a lifecycle block to the resource and list the attributes (or specific tag keys) Terraform should ignore. The ignore_changes meta-argument tells Terraform to disregard those attributes on updates while still respecting them at creation time.
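The narrow and broad forms of ignore_changes described above, side by side, as an added example that is not part of the original article. The bucket names, tag values and the LastScanned tag key are constructed for illustration.

```hcl
# Added example; resource names, bucket names and tag keys are constructed.

resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-audit-logs-constructed"

  # These tags are still applied when the bucket is created.
  tags = {
    Owner              = "platform-team"
    DataClassification = "internal"
  }

  lifecycle {
    # Narrow form: ignore only the key that an external tool writes
    # after creation. Every other tag key stays under Terraform's
    # control, so an edit to Owner or DataClassification made outside
    # Terraform still appears as drift in terraform plan.
    ignore_changes = [
      tags["LastScanned"],
    ]
  }
}

resource "aws_s3_bucket" "scratch" {
  bucket = "example-scratch-constructed"

  tags = {
    Owner              = "platform-team"
    DataClassification = "internal"
  }

  lifecycle {
    # Broad form: ignore every later change to the tags map. Tag edits
    # made outside Terraform no longer appear in terraform plan, and
    # changes to the tags in this file are not applied to the existing
    # bucket either.
    ignore_changes = [tags]
  }
}
```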
Why did my Terraform tags disappear?
Tags in Terraform often disappear due to one of the following causes:
- A module, resource, or provider update overwrote or ignored tags not explicitly defined in the code.
- Default tags defined at the provider level were removed or not merged correctly.
- Tags were managed outside Terraform, and a terraform apply reverted them.
- Tag keys had dynamic values that evaluated to null or empty strings, causing them to be dropped.
- A for_each or merge() function in your tag logic excluded expected keys during evaluation.
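One way to guard tag logic against the last two causes, as an added example that is not from the original article. The variable names, tag keys and the set of mandatory keys are assumptions, and the precondition block requires Terraform 1.2 or later.

```hcl
# Added example; variable names, tag keys and values are constructed.

variable "cost_center" {
  type = string # nullable by default, so a caller can pass null
}

variable "extra_tags" {
  type    = map(string)
  default = {}
}

locals {
  required_tags = {
    Owner       = "platform-team"
    Environment = "prod"
  }

  # merge() gives precedence to later arguments, so required_tags goes
  # last: an "Owner" key supplied in extra_tags cannot override it.
  merged_tags = merge(
    var.extra_tags,
    { CostCenter = var.cost_center },
    local.required_tags,
  )

  # Drop null and empty values explicitly, in one place, instead of
  # letting them vanish later when the provider builds the request.
  tags = {
    for k, v in local.merged_tags : k => v
    if v != null && v != ""
  }
}

resource "aws_s3_bucket" "reports" {
  bucket = "example-reports-constructed"
  tags   = local.tags

  lifecycle {
    # Fail the plan if a mandatory key was lost during evaluation.
    precondition {
      condition = alltrue([
        for k in ["Owner", "Environment", "CostCenter"] :
        contains(keys(local.tags), k)
      ])
      error_message = "Tags Owner, Environment and CostCenter must all be set."
    }
  }
}
```

With cost_center passed as null, the plan stops with the error message instead of creating a bucket that lacks the CostCenter tag.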
How can I tag all existing Terraform resources?
To tag all existing Terraform-managed resources, update your Terraform configuration to include the desired tags in each resource block or use provider-level default tags if supported (e.g., default_tags in AWS). Then run terraform plan and terraform apply to update the tags in place without recreating resources.
Keep in mind:
- Any objects Terraform isn’t already managing must be imported (CLI terraform import or the import { … } block in Terraform ≥ 1.6) before the new tags can be applied.
- Not all resources support tag updates without replacement.
- Use lifecycle { ignore_changes = [tags] } cautiously if avoiding drift is important.
- For bulk updates, modules or automation can help inject standard tags consistently.
What is etag in Terraform?
etag is a server-supplied fingerprint used for optimistic concurrency control. Terraform includes the etag value on updates. If the remote object’s etag has changed (someone else modified it), the provider raises a conflict instead of overwriting the change. For example, Google IAM resources expose a computed etag, and S3 objects expose their MD5 (or multipart) hash as etag.
Not every resource supports etag. Where absent, the provider handles locking internally or relies on the API’s idempotency.
Automate Terraform deployments with Spacelift
Automate your infrastructure provisioning, build more complex workflows based on Terraform using policy as code, programmatic configuration, context sharing, drift detection, resource visualization, and many more.