alphagov · jasonBirchall · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025
@@ -16,8 +16,20 @@ terraform {
 
 provider "aws" {
   region = var.aws_region
+  default_tags {
+    tags = local.default_tags
+  }
 }
 
 locals {
+  default_tags = {
+    Product              = "GOV.UK"
+    System               = "GOV.UK Chat"
+    Environment          = var.govuk_environment
+    Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
+    repository           = "govuk-infrastructure"
+    terraform_deployment = basename(abspath(path.root))
+  }
+
   internal_dns_zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
 }
@@ -27,6 +27,15 @@ locals {
   secrets_prefix             = "govuk"
   monitoring_namespace       = "monitoring"
 
+  default_tags = {
+    Product              = "GOV.UK"
+    System               = "EKS cluster infrastructure"
+    Environment          = var.govuk_environment
+    Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
+    repository           = "govuk-infrastructure"
+    terraform_deployment = basename(abspath(path.root))
+  }
+
   default_cluster_addons = {
     coredns    = { most_recent = true }
     kube-proxy = { most_recent = true }
@@ -118,15 +127,9 @@ locals {
 provider "aws" {
   region = "eu-west-1"
   default_tags {
-    tags = {
-      Product              = "GOV.UK"
-      System               = "EKS cluster infrastructure"
-      Environment          = var.govuk_environment
-      Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
-      cluster              = var.cluster_name
-      repository           = "govuk-infrastructure"
-      terraform_deployment = basename(abspath(path.root))
-    }
+    tags = merge(local.default_tags, {
+      cluster = var.cluster_name
+    })
   }
 }
 

@@ -40,15 +40,9 @@ terraform {
 provider "aws" {
   region = "eu-west-1"
   default_tags {
-    tags = {
-      Product              = "GOV.UK"
-      System               = "EKS cluster services"
-      Environment          = var.govuk_environment
-      Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
-      cluster              = "govuk"
-      repository           = "govuk-infrastructure"
-      terraform_deployment = basename(abspath(path.root))
-    }
+    tags = merge(local.default_tags, {
+      cluster = "govuk"
+    })
   }
 }
 
@@ -73,6 +67,15 @@ provider "helm" {
 }
 
 locals {
+  default_tags = {
+    Product              = "GOV.UK"
+    System               = "EKS cluster services"
+    Environment          = var.govuk_environment
+    Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
+    repository           = "govuk-infrastructure"
+    terraform_deployment = basename(abspath(path.root))
+  }
+
   monitoring_ns          = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.monitoring_namespace
   services_ns            = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_services_namespace
   external_dns_zone_name = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.external_dns_zone_name

@@ -24,6 +24,7 @@ provider "aws" {
     tags = {
       Product              = "GOV.UK"
       System               = "GitHub"
+      Environment          = "[GitHub] Production"
       Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
       repository           = "govuk-infrastructure"
       terraform_deployment = basename(abspath(path.root))

@@ -38,6 +38,7 @@ locals {
 
   default_tags = {
     Product              = "GOV.UK"
+    System               = "GOV.UK Publishing"
     Environment          = var.govuk_environment
     Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
     repository           = "govuk-infrastructure"

@@ -16,9 +16,21 @@ terraform {
 
 provider "aws" {
   region = var.aws_region
+  default_tags {
+    tags = local.default_tags
+  }
 }
 
 locals {
+  default_tags = {
+    Product              = "GOV.UK"
+    System               = "OpenSearch"
+    Environment          = var.govuk_environment
+    Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
+    repository           = "govuk-infrastructure"
+    terraform_deployment = basename(abspath(path.root))
+  }
+
   domain      = "${var.service}-engine"
   subnet_ids  = data.terraform_remote_state.infra_networking.outputs.private_subnet_rds_ids
   master_user = "${var.service}-masteruser"

diff --git a/terraform/docs/tagging-guide.md b/terraform/docs/tagging-guide.md
@@ -11,12 +11,13 @@ The common column distinguishes between Tags that have been added as part of an
 | **Tag Key** | **Tag Value(s)** | **Description** | **Example** | **Common** |
 |--|--|--|--|--|
 | Name | [ServiceName]-[Environment]-[Workspace] | This is the identifiable name of the service. | publisher-test-default | no |
-| chargeable_entity | govuk-publishing-platform-[Environment] | This is required for billing. | govuk-publishing-platform-test | yes |
-| environment | test integration staging production | Environment area to which this belongs. | test | yes |
-|project | replatforming | This is the project under which this was developed. | replatforming | yes |
+| Product | GOV.UK One Login / GOV.UK or DSP | The product this resource belongs to. | GOV.UK | yes |
+| System | Authentication, Identity proofing and verification core, VPC, etc. | The name of the software system (avoid abbreviations). | VPC | yes |
+| Environment | production, staging, integration, development | Environment area to which this belongs. | production | yes |
+| Owner | Email address for resource owner | Individual email for dev environments, group email elsewhere. | govuk-platform-engineering@digital.cabinet-office.gov.uk | yes |
+| Service | account management, session storage, front end, etc. | Function of the particular resource (optional). | session storage | no |
 | repository | govuk-aws govuk-infrastructure | This is the Git repo where this service resides. | govuk-infrastructure | yes |
 | terraform_deployment | cluster-infrastructure cluster-services ecr govuk-publishing-infrastructure | The source directory where the resource's Terraform code resides. | cluster-infrastructure | yes |
-|terraform_workspace | default bill chris fred karl nadeem steve roch towers | This should be the name of the terraform workspace that created the service. | default | yes |
 
 
 
@@ -38,16 +39,33 @@ tags = merge(
     }
 ```
 
-- Below example of local common tags defined in the main.tf file
+- Below example of common tags defined via provider default_tags in the main.tf file
+```
+provider "aws" {
+  region = "eu-west-1"
+  default_tags {
+    tags = {
+      Product              = "GOV.UK"
+      System               = "[System description - e.g., VPC, Authentication]"
+      Environment          = var.govuk_environment
+      Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
+      repository           = "govuk-infrastructure"
+      terraform_deployment = basename(abspath(path.root))
+    }
+  }
+}
+```
+
+- Below example of local additional tags for resource-specific tagging
 ```
 locals {
-  additional_tags = {
-    chargeable_entity    = "govuk-publishing-platform-${var.govuk_environment}"
-    environment          = var.govuk_environment
-    project              = "replatforming"
+  default_tags = {
+    Product              = "GOV.UK"
+    System               = "[System description]"
+    Environment          = var.govuk_environment
+    Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
     repository           = "govuk-infrastructure"
-    terraform_deployment = "govuk-publishing-platform"
-    terraform_workspace  = terraform.workspace
+    terraform_deployment = basename(abspath(path.root))
   }
 }
 ```
@@ -58,8 +76,24 @@ locals {
 
 **NOTES :-**
 - All listed resources from below should be made compliant.
-- Common Tags have been added as **locals** with in the deployment terraform **main** file.
-- This tagging strategy should ideally be replicated to other and new yet to be deployed environments such as **integration**
+- Common Tags are implemented via AWS provider **default_tags** in the deployment terraform **main** file.
+- Additional resource-specific tags should use the merge pattern with locals when needed.
+- This tagging strategy applies to all environments (production, staging, integration, development).
+
+These are also described in the [GDS Ways](https://gds-way.digital.cabinet-office.gov.uk/manuals/aws-tagging.html#alerting-and-enforcement)
+
+## Mandatory Tags
+The following tags are **MANDATORY** and must be present on all taggable resources:
+
+- **Product**: GOV.UK One Login / GOV.UK or DSP
+- **System**: The name of the software system (avoid abbreviations)  
+- **Environment**: production, staging, integration, or development
+- **Owner**: Email address - individual for dev environments, group elsewhere
+
+## Optional Tags
+The following tag is **OPTIONAL** but recommended:
+
+- **Service**: Function of the particular resource (e.g., account management, session storage, front end)
 
 # AWS Resources
 ## Can be tagged

diff --git a/terraform/docs/tagging-template.md b/terraform/docs/tagging-template.md
@@ -0,0 +1,80 @@
+# Terraform Tagging Template
+
+This template provides the standard tagging configuration for all terraform deployments.
+
+## Standard AWS Provider Configuration
+
+```hcl
+provider "aws" {
+  region = "eu-west-1"
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+locals {
+  default_tags = {
+    Product              = "GOV.UK"
+    System               = "[SYSTEM_NAME]"  # Replace with appropriate system name
+    Environment          = var.govuk_environment
+    Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
+    repository           = "govuk-infrastructure"
+    terraform_deployment = basename(abspath(path.root))
+  }
+}
+```
+
+## Standard Google Provider Configuration
+
+```hcl
+provider "google" {
+  project = var.google_project_id
+  region  = "europe-west2"
+  default_labels = {
+    product              = "govuk"
+    system               = "[system-name]"  # Replace with lowercase system name
+    environment          = var.govuk_environment
+    owner                = "govuk-platform-engineering"
+    repository           = "govuk-infrastructure"
+    terraform_deployment = basename(abspath(path.root))
+  }
+}
+```
+
+## Resource-Specific Tagging
+
+For resources that need additional tags:
+
+```hcl
+resource "aws_example_resource" "example" {
+  # ... resource configuration ...
+
+  tags = merge(local.default_tags, {
+    Name    = "example-${var.govuk_environment}"
+    Service = "example service"  # Optional - describe the function
+  })
+}
+```
+
+## System Names by Deployment
+
+| Deployment | System Name |
+|------------|-------------|
+| vpc | VPC |
+| cluster-infrastructure | EKS cluster infrastructure |
+| cluster-services | EKS cluster services |
+| rds | EKS RDS |
+| elasticache | GOVUK ElastiCache |
+| opensearch | OpenSearch |
+| ecr | Elastic Container Registry |
+| govuk-publishing-infrastructure | GOV.UK Publishing |
+| datagovuk-infrastructure | DATA.GOV.UK |
+| logging | Logging |
+| github | GitHub |
+| root-dns | DNS |
+| cloudfront | CloudFront |
+| csp-reporter | CSP Reporter |
+| chat | GOV.UK Chat |
+| mobile-backend | GOV.UK App |
+| release | EKS release assumer |
+| tfc-aws-config | Terraform Cloud |