Skip to main content

Tagging resources

This runbook defines the mandatory and optional AWS resource tags that must be applied to all infrastructure provisioned by the IAT team.

Tagging ensures:

  • Accurate cost allocation and reporting
  • Clear ownership of infrastructure
  • Production vs non-production visibility
  • Improved operational support and audit readiness

All Terraform-managed resources must include the mandatory tags listed below.

Mandatory Tags

These tags must be applied to all taggable AWS resources.

Tag Value
application <application>
business-unit Technology Services
service-area Network Services
is-production "true" or "false"
owner IAT: InfrastructureAutomationTeam@justice.gov.uk

Optional Tags

These tags are recommended where applicable.

Tag Value
environment-name production, staging, test, or development
runbook URL of the service’s runbook
source-code URL(s) of related source repositories (comma separated if multiple)

Optional tags improve supportability and traceability but do not replace mandatory tags.

Implementation (Terraform)

All Terraform managed infrastructure must apply mandatory tags at creation time.

Two supported implementation patterns are outlined below.

Option 1 – Provider-Level default_tags

This is the recommended approach as it ensures tags are automatically applied to all supported resources within the provider configuration.

provider "aws" {
  default_tags {
    tags = {
      business-unit = "Technology Services"
      service-area  = "Network Services"
      application   = var.application
      is-production = "true"
      owner         = "IAT: InfrastructureAutomationTeam@justice.gov.uk"
    }
  }
}

Option 2 – Module-Level locals + merge

Use this approach only where provider-level default_tags cannot be used. The mandatory tags must be defined once and merged into every taggable resource.

Define mandatory tags in locals

locals {
  mandatory_tags = {
    business-unit = "Technology Services"
    service-area  = "Network Services"
    application   = var.application
    is-production = "true"
    owner         = "IAT: InfrastructureAutomationTeam@justice.gov.uk"
  }
}

Merge mandatory tags at resource level

resource "aws_instance" "example" {
  # ...
  tags = merge(local.mandatory_tags, var.additional_tags)
}
This page was last reviewed on 26 February 2026. It needs to be reviewed again on 26 August 2026 by the page owner #nvvs-devops .