Tags only when resource updated

I would like to define a tag that gets set only for resources that will be changed. The tag would have the git hash of the git repo that is causing the resource to change. E.g.:

git sha 1: terraform apply -> resources A, B, C created -> tag 1 is git sha 1
git sha 2: terraform apply -> resource A is updated because new name -> A tag 1 is git sha 2, B and C tag 1 untouched
git sha 3: terraform apply -> resource A and C untouched, but B is updated because of new security group -> B tag 1 is git sha 3, A and C tag 1 untouched

If you look in AWS at resources A, B and C, you would then know from tag 1 that A was last updated at git sha 2, and B at git sha 3, and C at git sha 1 (which is also when C was created).

I thought I had found the solution:

provider "aws" {
  region = "us-east-1"
  # Applied to every resource the provider manages
  default_tags {
    tags = {
      GitSHA = var.git_sha
    }
  }
  # ignore_tags is a block, not an attribute; the provider stops reading
  # and writing these keys, so they never show up as a diff
  ignore_tags {
    keys = ["GitSHA"]
  }
}

Unfortunately this does not work: when the GitSHA tag changes value, resources that do not get updated are left alone, but those that get updated do not get the new GitSHA tag value.

Am I missing something, or is there a better way to do this?

I should clarify that resources that are not flagged for update are left alone, as expected.
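One way to get the behaviour asked for above, as an added example that is not part of the original post: keep `ignore_tags { keys = ["GitSHA"] }` on the provider (and drop `GitSHA` from `default_tags`), then after `terraform apply` stamp the tag yourself on only the resources the saved plan said would be created, updated or replaced. The script assumes the standard CLI workflow `terraform plan -out=plan.tfplan`, `terraform show -json plan.tfplan > plan.json`, `terraform apply plan.tfplan`, `terraform show -json > state.json`; the sample plan and state documents below are constructed and trimmed to the fields the code reads, and the account id and resource ids in them are placeholders.

```python
import json
from typing import Dict, Iterable, List, Set

# Planned actions that mean the resource is being (re)written.
# A bare ["delete"] needs no tag; a replacement appears as ["delete", "create"].
CHANGING_ACTIONS = {"create", "update"}


def changed_addresses(plan: dict) -> Set[str]:
    """Addresses in the plan JSON that will be created, updated or replaced."""
    return {rc["address"] for rc in plan.get("resource_changes", [])
            if set(rc["change"]["actions"]) & CHANGING_ACTIONS}


def _walk(module: dict) -> Iterable[dict]:
    """Yield every resource of a state module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def arns_for(state: dict, addresses: Set[str]) -> Dict[str, str]:
    """Map changed addresses to ARNs from the post-apply state; resources with no arn attribute are skipped."""
    return {r["address"]: r["values"]["arn"]
            for r in _walk(state["values"]["root_module"])
            if r["address"] in addresses and r.get("values", {}).get("arn")}


def tag_command(plan: dict, state: dict, git_sha: str, key: str = "GitSHA") -> List[str]:
    """AWS CLI call that stamps the tag on exactly the resources this apply touched ([] if none)."""
    arns = sorted(arns_for(state, changed_addresses(plan)).values())
    if not arns:
        return []
    return ["aws", "resourcegroupstaggingapi", "tag-resources",
            "--resource-arn-list", *arns, "--tags", f"{key}={git_sha}"]


# Constructed sample documents: A is updated, C untouched, B (in a module) replaced.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
  {"address": "aws_instance.a", "change": {"actions": ["update"]}},
  {"address": "aws_instance.c", "change": {"actions": ["no-op"]}},
  {"address": "module.net.aws_security_group.b", "change": {"actions": ["delete", "create"]}}]}""")
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "aws_instance.a", "values": {"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0aaa"}},
        {"address": "aws_instance.c", "values": {"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0ccc"}}],
    "child_modules": [{"address": "module.net", "resources": [
        {"address": "module.net.aws_security_group.b",
         "values": {"arn": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0bbb"}}]}]}}}

if __name__ == "__main__":
    # "deadbeef" is a placeholder; in CI pass the output of `git rev-parse HEAD`
    print(" ".join(tag_command(SAMPLE_PLAN, SAMPLE_STATE, "deadbeef")))
```

Because the provider ignores the `GitSHA` key, the externally written value is neither overwritten on the next apply nor reported as drift, and untouched resources keep the SHA of the apply that last changed them.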