Terratags Update: Advanced Pattern Validation, Multi-Provider Support, and Enhanced Reporting

2025-07-24

4 minute read

Tagging , Compliance

Since my initial blog post about Terratags in May 2025, the project has evolved significantly. What started as a weekend project to enforce basic tag presence on AWS resources has grown into a tagging validation tool with advanced pattern matching, multi-provider support, and updated reporting capabilities. Some of you reached out and opened issues/enhancement requests around some of the featureset currently available v0.4.0.

What’s New: Major Updates Since v0.1.0

The latest version of Terratags (v0.4.0) introduces several features that address some of the enhancement requests that came my way:

1. Advanced Pattern Validation with Regex Support

The most significant addition is pattern validation - the ability to validate not just tag presence, but also tag values using regular expressions. This addresses a gap where teams need to enforce specific naming conventions, email formats, or business rules for tag values. I was talking to a customer who wanted something similar few months back to match up to their CMDB naming standards and so on. It did influence some of the work here.

Before: Simple Presence Validation

1required_tags:
2  - Name
3  - Environment
4  - Owner
5  - Project

Now: Advanced Pattern Validation

 1required_tags:
 2  # Strict environment values
 3  Environment:
 4    pattern: "^(dev|test|staging|prod)$"
 5  
 6  # Valid email for ownership
 7  Owner:
 8    pattern: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"
 9  
10  # Project code format
11  Project:
12    pattern: "^[A-Z]{2,4}-[0-9]{3,6}$"
13  
14  # No whitespace in names
15  Name:
16    pattern: "^\\S+$"
17  
18  # Simple presence validation (no pattern)
19  Team: {}

2. Multi-Provider Support: Beyond AWS

Terratags now supports additional providers, significantly expanding its utility:

AWS Cloud Control (AWSCC) Provider Support

The AWSCC provider uses a different tag format than the standard AWS provider:

 1# Standard AWS Provider
 2resource "aws_s3_bucket" "example" {
 3  tags = {
 4    Environment = "prod"
 5    Project     = "demo"
 6  }
 7}
 8
 9# AWSCC Provider
10resource "awscc_apigateway_rest_api" "example" {
11  tags = [{
12    key   = "Environment"
13    value = "prod"
14  }, {
15    key   = "Project"
16    value = "demo"
17  }]
18}

Terratags now handles both formats seamlessly, with automatic detection and validation.

Azure Providers Support

Support for both azurerm and azapi providers:

 1# Azurerm Provider
 2resource "azurerm_resource_group" "example" {
 3  name     = "example-resources"
 4  location = "West Europe"
 5  
 6  tags = {
 7    Environment = "Production"
 8    Project     = "Terratags"
 9  }
10}
11
12# azapi Provider with default_tags support
13provider "azapi" {
14  default_tags = {
15    Environment = "Production"
16    Project     = "Terratags"
17  }
18}

The azapi provider even supports default_tags similar to the AWS provider, making tag management more consistent across cloud providers. The issue related to this is kept open as I learn more about the Azure side of providers in Terraform.

3. Enhanced Reporting and Visualization

The HTML reporting system has been modified with:

Visual indicators for compliant, non-compliant, and exempt resources
Detailed breakdown of tag status for each resource
Tag source tracking (resource-level vs provider default_tags)
Exemption details including reasons for exemptions
Summary statistics including exempt resources
Tag violation counts by tag name

Sample Terratags Report

4. Pre-commit Hook Integration

As much as I like to take credit for thinking about adding a pre-commit hook integration, I didn’t have it in my list of things to do initially. But making this available across the hooks space makes it a lot more valuable and it was easily justifiable.

 1repos:
 2  - repo: https://github.com/terratags/terratags
 3    rev: v0.4.0
 4    hooks:
 5      - id: terratags
 6        args: [
 7          --config=terratags.yaml,
 8          --exemptions=exemptions.yaml,
 9          --remediate
10        ]

This enables automatic tag validation before commits, preventing non-compliant resources from entering your codebase.

Real-World Pattern Examples

Environment Validation

1Environment:
2  pattern: "^(dev|test|staging|prod)$"

✅ Matches: dev, test, staging, prod
❌ Rejects: development, production, DEV, Test

Cost Center Format

1CostCenter:
2  pattern: "^CC-[0-9]{4}$"

✅ Matches: CC-1234, CC-5678, CC-9012
❌ Rejects: CC123, CC-12345, cc-1234

Project Code Format

1Project:
2  pattern: "^[A-Z]{2,4}-[0-9]{3,6}$"

✅ Matches: WEB-123456, DATA-567890, SEC-123456
❌ Rejects: web-123, PROJECT, ABC-12

Email Validation

1Owner:
2  pattern: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"

✅ Matches: devops@company.com, team.lead@company.com
❌ Rejects: username, user@domain, @company.com

Backward Compatibility and Migration

One of the key design principles for these updates was maintaining backward compatibility. All existing simple configurations continue to work unchanged:

1# This continues to work exactly as before
2required_tags:
3  - Name
4  - Environment
5  - Owner

You can migrate to advanced features incrementally:

1# Mixed format - gradually add patterns
2required_tags:
3  Name: {}  # Just presence validation
4  Environment:
5    pattern: "^(dev|test|staging|prod)$"  # Pattern validation
6  Owner: {}  # Just presence validation for now

Future Roadmap: What’s Next

Add Google provider support.
Review any open issues with module level validation.

If you’re new to Terratags or want to upgrade:

Installation

1# Using Homebrew (recommended)
2brew install terratags/tap/terratags

Basic Usage with Pattern Validation

Create a configuration file with patterns:

1required_tags:
2  Environment:
3    pattern: "^(dev|test|staging|prod)$"
4  Owner:
5    pattern: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"
6  Name: {}

Run validation:

1terratags -config config.yaml -dir ./infra -report report.html

Set up pre-commit hooks:

1repos:
2  - repo: https://github.com/terratags/terratags
3    rev: v0.4.0
4    hooks:
5      - id: terratags

Resources

GitHub Repository: https://github.com/terratags/terratags
Documentation: https://terratags.github.io/terratags/
Pattern Matching Guide: https://terratags.github.io/terratags/pattern-matching/
Pre-commit Integration: https://terratags.github.io/terratags/pre-commit/

I’d love to hear about your experience with Terratags, especially how you’re using the new pattern validation features. Feel free to reach out with feedback and suggestions !