I really dislike that the solutions for AWS tag shortcomings are custom code.

I'm a big AWS fan and heavy user for 5 years now, but it seems silly to me that you need to write a custom wrapper (e.g. force the creation through a managed script/template like Terraform/Ansible/CF)... Or write reactionary CloudTrail policies to handle a situation where someone launches an EC2 instance without providing a specific tag.

The fact IAM policies still can't deny requests missing a tag, or deny requests by tag-value condition, seems silly to me... Or one step further: allowing some auto-populated tags like what principal was responsible for making the instance in the first place.
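A sketch of the "reactionary" CloudTrail check described above, added here as an example and not part of the thread or of any AWS tooling: it inspects a RunInstances record, reports every launched instance that lacks a required tag, and records the principal that made the call (the information the commenter wishes were auto-tagged). The event record is constructed and the required tag set is an assumption.

```python
# Tags every EC2 instance must carry (assumed policy for this example).
REQUIRED_TAGS = {"Owner", "CostCenter"}

# Constructed CloudTrail record shaped like a RunInstances event, not a real
# capture: two instances launched with only a Name tag on the instance itself.
SAMPLE_EVENT = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
    "requestParameters": {"tagSpecificationSet": {"items": [
        {"resourceType": "instance", "tags": [{"key": "Name", "value": "web-1"}]},
        # An Owner tag on the volume does not satisfy the instance requirement.
        {"resourceType": "volume", "tags": [{"key": "Owner", "value": "platform"}]},
    ]}},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0123456789abcdef0"}, {"instanceId": "i-0fedcba9876543210"},
    ]}},
}

def instance_tags(event):
    """Collect the tags the request applied to the 'instance' resource type."""
    spec = event.get("requestParameters", {}).get("tagSpecificationSet", {})
    tags = {}
    for item in spec.get("items", []):
        if item.get("resourceType") == "instance":
            for tag in item.get("tags", []):
                tags[tag["key"]] = tag.get("value")
    return tags

def find_untagged_launches(event, required=REQUIRED_TAGS):
    """Return one finding per launched instance missing a required tag.

    Only successful RunInstances events are inspected; a call that failed
    carries an errorCode and no instance IDs, so it yields no findings.
    """
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "RunInstances" or "errorCode" in event):
        return []
    missing = sorted(required - set(instance_tags(event)))
    if not missing:
        return []
    principal = event.get("userIdentity", {}).get("arn", "unknown")
    launched = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [{"instance_id": inst["instanceId"], "missing_tags": missing,
             "principal": principal} for inst in launched]

if __name__ == "__main__":
    for finding in find_untagged_launches(SAMPLE_EVENT):
        print(finding)
```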
Something that's pretty nice in AWS CDK is that tagging is recursive - so if you add a tag to e.g. a top-level ECS service object then the tags are applied to all of its children automatically. https://docs.aws.amazon.com/cdk/latest/guide/tagging.html
This is one of the bread-and-butter use cases on the open-source Cloud Custodian project (auto tagging, tag enforcement workflows, retroactive tagging from CloudTrail, etc). https://cloudcustodian.io (now a CNCF sandbox project).
We use cloudposse's label terraform module for everything. It works really well and it lets you use common values for everything. Paired with terragrunt it removes most of the pain of tagging for us.
Tags are not supported for some VPC components (on creation). In that sense, Azure Resource Groups and Google Projects are way better for organising and project-based permissions.

Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-ec2-resources-table