No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Question: When does pulumi add tags and default tags to the api requests? On resource creation / modification or only in a seperate putTags operation?

I don't believe it is specified or consistent for all resource types. For many resources I suspect tags are sent as part of the initial resource creation API, but others may need multiple requests to set the tags. For example in the bridged AWS provider, s3 buckets set their tags using a <https://github.com/hashicorp/terraform-provider-aws/blob/799e6e0dc1749e7f0fdb4ab4d43ec62d7d7ef74c/internal/service/s3/bucket.go#L789|separate request> during the s3 bucket creation.

That would be sad, that way I can not restrict operations to those with the correct tags

```{
    "Statement": [
        {
            "Action": [
                "s3:*",
                "lambda:*",
                "cloudfront:*",
                "cloudfront-keyvaluestore:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/customer": "Arsventa GmbH",
                    "aws:RequestTag/environment": [
                        "live",
                        "stage"
                    ],
                    "aws:RequestTag/product": "MetropolGuru",
                    "aws:RequestTag/project": "metropol-guru"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}```