This is a sample repository that showcases how to combine Terraform with tfsec to enforce tagging on all AWS resources that support it.
It makes use of the default_tags property that can be set on the AWS provider configuration. A custom tfsec check enforces that this property is set.
Check out the pull request that shows the feedback that is given in a comment when a non-compliant change is introduced.
For more information on this setup, check out my blog post: Shift left AWS tag enforcement with Terraform and tfsec