We use a combination of terraform variable validation, Checkov, and AWS SCPs (service control policies). Our devs write the terraform themselves and don’t have access to create resources in the AWS console so variable validation is a good way to enforce the tags, and on PR builds they get errors if they miss tags.
That is uncommon though, as they use code gen tools we wrote to scaffold code based on the modules our cloud team manages, and we have a standard folder structure that waterfalls tags in based on the directory structure so teams can just use a local value (`local.common_info["aws"]["tags"]`) and it populates everything they need.
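An added example, not the commenter's own code, of the variable-validation approach described above: a validation block that fails `terraform plan` (and so the PR build) when mandatory tag keys are missing or empty, plus a local that layers team-supplied tags over org-wide defaults. The tag key names, the allowed environment values and the bucket name are assumptions.

```hcl
# Tags the team supplies; validated at plan time so a missing tag
# surfaces as an error in the PR build rather than in the account.
variable "tags" {
  description = "Team-supplied resource tags (assumed required keys: Owner, CostCenter)"
  type        = map(string)

  validation {
    # Every required key must be present AND have a non-blank value.
    # The key list is a literal so the condition only references var.tags,
    # which works on Terraform versions before cross-variable validation.
    condition = alltrue([
      for k in ["Owner", "CostCenter"] :
      contains(keys(var.tags), k) && trimspace(lookup(var.tags, k, "")) != ""
    ])
    error_message = "tags must include non-empty Owner and CostCenter keys."
  }
}

# Environment is taken from the directory layout by the scaffolding in the
# commenter's setup; here it is a plain variable with an allow-list (assumed values).
variable "environment" {
  type = string

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of: dev, staging, prod."
  }
}

locals {
  # Org-wide defaults. merge() lets later maps win on key collision, so a
  # team can override a default but cannot drop a key the validation demands.
  org_tags = {
    ManagedBy   = "terraform"
    Environment = var.environment
  }
  common_tags = merge(local.org_tags, var.tags)
}

# Any resource then consumes the merged map; the bucket name is a placeholder.
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket-placeholder"
  tags   = local.common_tags
}
```

Running `terraform plan -var='tags={Owner="team-a"}' -var=environment=dev` reports the missing CostCenter key before any AWS API call is made.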