While tagging resources in CloudFormation is straightforward, conditionally tagging them is a little non-obvious and requires use of conditions.

Use case: tagging a release version

I wanted the ability to conditionally tag a Secrets Manager secret with a release version when the secret was deployed into production. For lower environments, I didn’t care / want to specify a release version.

First, we define a parameter that will contain the release version:

Parameters:
	ReleaseVersion:
		Type: String
		Description: The release version e.g. 1.2.3
		Default: ''

Next, we define a condition to easily check whether a non-default value was provided for the parameter:

Conditions:
	HasNoReleaseVersion:
		!Equals [!Ref ReleaseVersion, '']

Finally, we tie it all together on the resource by conditionally setting the release tag depending on the evaluation of HasNoReleaseVersion:

Resources:
	MySecret:
		Properties:
			Tags:
				- Fn::If:
					- HasNoReleaseVersion
					- !Ref AWS::NoValue
					- Key: release
					- Value: !Ref ReleaseVersion

The AWS::NoValue pseudo parameter will ensure the tag is not created unless a non-default value for the release version was provided.