Enforcing AWS Mandatory Tag Policies On Terraform User

Terraform Providers AWS
1

Hello Team,

We are working on a use-case where we are trying to enforce mandatory tag policy on terraform user.
Mandatory tag policy will check for mandatory tags [Name, Owner and Purpose] at the time of resource creation.
We have created policies for below list of resources:
VPC
NAT
IGW
Routetable
IAM USER
IAM ROLE
EFS
SG
ELB
KEY PAIR
SUBNETS
EIP
VPC Peering
S3
NACL

The policy is working prefectly fine for IAM USER,ROLE,EFS,Security Group,ELB,KEY PAIR,SUBNETS and EIP through terraform as well as AWS console.
But it is not working for VPC,NAT Gateway,Internet Gateway,VPC Peering,S3, NACL and Routetable through terraform and working as expected if we try to create these resources through AWS console with mandatory tags.
It seems that terraform is trying to create resources first and then attaches the tags because of which the policy might not be working for the mention resources.
Below is mandatory tag policy written for VPC:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “VisualEditor0”,
“Effect”: “Deny”,
“Action”: “ec2:CreateVpc”,
“Resource”: “arn:aws:ec2::xxxxxxxxxxx:vpc/”,
“Condition”: {
“StringNotLike”: {
“aws:RequestTag/name”: “"
}
}
},
{
“Sid”: “VisualEditor1”,
“Effect”: “Deny”,
“Action”: “ec2:CreateVpc”,
“Resource”: "arn:aws:ec2::xxxxxxxxxxx:vpc/",
“Condition”: {
“StringNotLike”: {
“aws:RequestTag/owner”: "
}
}
},
{
“Sid”: “VisualEditor2”,
“Effect”: “Deny”,
“Action”: “ec2:CreateVpc”,
“Resource”: “arn:aws:ec2::xxxxxxxxxxx:vpc/”,
“Condition”: {
“StringNotLike”: {
“aws:RequestTag/purpose”: “*”
}
}
}
]
}

Tags defined in terraform script:

#Environment Variable
locals {
env_prefix = var.env_prefix
}

Common tags to be assigned to all resources

locals {
Owner = “Xxxx Xxxx”
Purpose = “Testing terraform”
}

Common tags to be assigned to all resources

locals {

common_tags = {
owner = local.Owner
purpose = local.Purpose
}
}

resource “aws_vpc” “main-vpc” {
cidr_block = “10.10.0.0/16”
enable_dns_hostnames = “true”
enable_dns_support = “true”
tags = merge( map( “Name”, “${local.env_prefix}-vpc” ), local.common_tags )
}

Appropriate guidance to resolve the issue will be appreciated. Also I request to provide the backend process of terraform resource creation and tagging.