terratag
Terratag is a CLI tool that automatically applies tags or labels to AWS, Azure, and GCP resources defined in Terraform or OpenTofu infrastructure-as-code files. It simplifies tag management across multiple cloud providers by injecting tags via local variables, eliminating manual tagging work.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | env0/terratag |
| Owner | env0 |
| Primary language | Go |
| License | MPL-2.0 — OSI-approved |
| Stars | 1.1k |
| Forks | 48 |
| Open issues | 5 |
| Latest release | v0.7.6 (2025-12-17) |
| Last updated | 2026-07-03 |
| Source | https://github.com/env0/terratag |
What terratag is
Written in Go, Terratag parses HCL Terraform/OpenTofu files, identifies resources from supported providers (aws, google, azurerm, azurestack, azapi), and injects tags by creating or modifying `.terratag.tf` files with `locals` and `merge()` functions. It supports filtering and skipping resource types via regex, respects provider schemas via `terraform init`, and maintains backup files.
Get the terratag source
Clone the repository and explore it locally.
git clone https://github.com/env0/terratag.gitcd terratag# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires `terraform init` or `tofu init` to succeed before running Terratag; provider schemas must be available in `.terraform/` lock files.
- Backup files (`.tf.bak`) are created; ensure version control or cleanup scripts handle them to avoid accidental commits.
- Tag values are static in generated locals; if dynamic tag computation is needed, consider wrapping with Terraform variables or local_values upstream.
- Supports Terragrunt with explicit `-type=terragrunt` flag; default behavior assumes flat or standard Terraform module layouts.
- Resource type filtering via regex (`-filter`, `-skip`) is the primary way to scope changes; test filters thoroughly before running on production codebases.
When to avoid it — and what to weigh
- Managing tags at runtime or via cloud-native tooling — If tags must be applied dynamically post-deployment or updated in real-time without code changes, use cloud provider tagging APIs or AWS Systems Manager instead.
- Heavy reliance on computed or data-source tags — Terratag injects static tags; if tag values must be derived from outputs, remote state, or data sources, this approach will not work cleanly.
- Teams using generated or templated Terraform — If Terraform code is generated by other tools, running Terratag post-generation may create merge conflicts or require careful integration into your CI/CD pipeline.
- Projects with strict HCL formatting or linting requirements — Terratag generates `.terratag.tf` files with its own formatting; teams with strict code style policies may need custom post-processing or linting exceptions.
License & commercial use
Licensed under Mozilla Public License 2.0 (MPL-2.0), a weak copyleft license. Allows commercial use, modification, and distribution provided modifications to Terratag itself are shared under MPL-2.0. Derivative works of Terratag must preserve license notices, but code that merely uses Terratag (e.g., generated Terraform files) is not subject to MPL-2.0.
MPL-2.0 permits commercial use and distribution. If you modify Terratag itself, modifications must be shared under MPL-2.0. Generated Terraform files and tags output by Terratag are not restricted. Recommend review with legal counsel if you plan to distribute modified versions of Terratag itself.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Tag values are injected as plaintext Terraform locals; avoid storing secrets in tags. Terratag does not validate tag values, sanitize HCL injection, or restrict resource scope by IAM role. Review generated `.terratag.tf` files before commit. No input sanitization details provided; test with edge cases (special characters, JSON escaping). Backup creation and file I/O should be restricted by OS permissions.
Alternatives to consider
Terraform for_each with merge and local variables
Manual Terraform pattern to apply tags via locals; more control but requires refactoring existing resources and is error-prone at scale.
AWS Resource Groups Tagging API or Azure Policy
Runtime tag application post-deployment; allows dynamic, policy-driven tagging without code changes, but requires cloud-native tooling and post-deployment overhead.
Enforce tagging compliance via policy-as-code validation; does not inject tags but catches missing tags before deployment for policy compliance.
Build on terratag with DEV.co software developers
Terratag automates tag management across Terraform codebases. Evaluate fit for your IaC pipeline, cost allocation, and compliance requirements.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
terratag FAQ
Does Terratag modify my existing .tf files?
Can I run Terratag multiple times?
Does Terratag support computed or dynamic tag values?
What if a resource already has tags?
Work with a software development agency
From first prototype to production, DEV.co delivers software development services around tools like terratag. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.
Streamline Your Multi-Cloud Tagging Strategy
Terratag automates tag management across Terraform codebases. Evaluate fit for your IaC pipeline, cost allocation, and compliance requirements.