diff --git a/modules/aws/bastion/bastion-logs.tf b/modules/aws/bastion/bastion-logs.tf index 3c389c91..a00cabeb 100644 --- a/modules/aws/bastion/bastion-logs.tf +++ b/modules/aws/bastion/bastion-logs.tf @@ -2,10 +2,7 @@ resource "aws_cloudwatch_log_group" "bastion_log_group" { count = var.forward_logs_enabled ? 1 : 0 name = "${var.cluster_name}_bastion" - tags = { - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = local.common_tags } resource "aws_cloudwatch_log_stream" "bastion_logs" { diff --git a/modules/aws/bastion/bastion.tf b/modules/aws/bastion/bastion.tf index f949c0c7..dd416bf5 100644 --- a/modules/aws/bastion/bastion.tf +++ b/modules/aws/bastion/bastion.tf @@ -7,10 +7,14 @@ locals { # In China there is no tags for s3 buckets s3_ignition_bastion_key = element(concat(aws_s3_bucket_object.ignition_bastion_with_tags.*.key, aws_s3_bucket_object.ignition_bastion_without_tags.*.key), 0) - common_tags = map( - "giantswarm.io/cluster", var.cluster_name, - "giantswarm.io/installation", var.cluster_name, - "kubernetes.io/cluster/${var.cluster_name}", "owned" + common_tags = merge( + var.additional_tags, + map( + "giantswarm.io/cluster", var.cluster_name, + "giantswarm.io/installation", var.cluster_name, + "giantswarm.io/cluster-type", "control-plane", + "kubernetes.io/cluster/${var.cluster_name}", "owned" + ) ) } @@ -34,11 +38,12 @@ resource "aws_instance" "bastion" { user_data = data.ignition_config.s3.rendered - tags = { - Name = "${var.cluster_name}-bastion${count.index}" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-bastion${count.index}" + ) + ) } resource "aws_security_group" "bastion" { 
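Review bot: The new `merge(var.additional_tags, map(...))` in the `locals` block of bastion.tf depends on argument order to keep the fixed tags authoritative, and nothing in the code says so. merge() gives later arguments precedence, so a caller-supplied `giantswarm.io/cluster` or `kubernetes.io/cluster/${var.cluster_name}` key is overridden by the fixed value, which is the safe direction for tags that tooling may use to decide ownership. I would add a comment above the call, for example `# additional_tags goes first: the fixed giantswarm.io/* and kubernetes.io/cluster/* tags must win on key collision`, so the arguments are not swapped later. The same comment fits the identical `common_tags` locals in master.tf, s3.tf, vault.tf and vpc.tf.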
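Review bot: The `aws_instance.bastion` tags now also carry `kubernetes.io/cluster/${var.cluster_name} = owned` and `giantswarm.io/cluster-type = control-plane`, which the removed literal block did not set, so this hunk is not a pure refactor. The same widening applies to the log group in bastion-logs.tf, the bastion security group hunk at -86, and the vault ELB, instance, EBS volume and security group hunks. Anything that selects resources by the `kubernetes.io/cluster/...` tag (cloud-provider integration, cleanup jobs, tag-conditioned IAM policies) would presumably start matching bastion and vault resources. It is worth confirming this is intended and stating it in the commit description. The resource block starts outside the hunk.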
@@ -86,11 +91,12 @@ resource "aws_security_group" "bastion" { self = true } - tags = { - Name = "${var.cluster_name}-bastion" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-bastion" + ) + ) } resource "aws_route53_record" "bastion" { diff --git a/modules/aws/bastion/variables.tf b/modules/aws/bastion/variables.tf index dd1a9315..0d5779d0 100644 --- a/modules/aws/bastion/variables.tf +++ b/modules/aws/bastion/variables.tf @@ -88,3 +88,10 @@ variable "transit_vpc_cidr" { type = string } +### additional tags +variable "additional_tags" { + description = "Additional tags that can be added to all resources" + type = map + default = {} +} + diff --git a/modules/aws/master/master.tf b/modules/aws/master/master.tf index a5ae53d9..50ae3043 100644 --- a/modules/aws/master/master.tf +++ b/modules/aws/master/master.tf @@ -1,9 +1,16 @@ locals { - common_tags = map( - "giantswarm.io/cluster", var.cluster_name, - "giantswarm.io/installation", var.cluster_name, - "kubernetes.io/cluster/${var.cluster_name}", "owned" + common_tags = merge( + var.additional_tags, + map( + "giantswarm.io/cluster", var.cluster_name, + "giantswarm.io/installation", var.cluster_name, + "giantswarm.io/cluster-type", "control-plane", + "kubernetes.io/cluster/${var.cluster_name}", "owned" + ) ) + + common_tags_asg = join("",[for key, value in var.additional_tags : "{\"Key\":\"${key}\",\"Value\":\"${value}\",\"PropagateAtLaunch\": true},"]) + customer_vpn_public_subnets = var.customer_vpn_public_subnets != "" ? split(",", var.customer_vpn_public_subnets) : [] customer_vpn_private_subnets = var.customer_vpn_private_subnets != "" ? split(",", var.customer_vpn_private_subnets) : [] # k8s_api prefixed values represent access to public loadbalancer 
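Review bot: `type = map` on the new `additional_tags` variable in bastion/variables.tf is the untyped shorthand, while master/variables.tf in this same commit declares `map(string)`. Tag values have to be strings, so I would use `type = map(string)` here and in s3/variables.tf, vault/variables.tf and vpc/variables.tf. That way a non-string value is caught at the module boundary with a clear message, and all five modules share one contract. It also matters for master.tf, where the values are interpolated into a template string.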
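Review bot: `common_tags_asg` in the master.tf `locals` block builds JSON by string interpolation, so a tag key or value containing `"` or `\` either breaks the CloudFormation template body or lets the value add fields to it. Let Terraform do the escaping instead: `common_tags_asg = join("", [for key, value in var.additional_tags : "${jsonencode({ Key = key, Value = value, PropagateAtLaunch = true })},"])`. This keeps the trailing comma that the `"Tags": [` site in the next hunk relies on. If the tag map can come from a less trusted source than the module author (a per-customer tfvars file, for instance), treat this as an injection fix rather than a cosmetic one.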
@@ -39,6 +46,7 @@ resource "aws_cloudformation_stack" "master_asg" { "DesiredCapacity": "1", "MinSize": "1", "Tags": [ + ${local.common_tags_asg} { "Key": "Name", "Value": "${var.cluster_name}-master-${count.index}", diff --git a/modules/aws/master/variables.tf b/modules/aws/master/variables.tf index 6ce57597..b37ab66a 100644 --- a/modules/aws/master/variables.tf +++ b/modules/aws/master/variables.tf @@ -124,3 +124,10 @@ variable "vpc_id" { } variable "s3_bucket_tags" {} + +### additional tags +variable "additional_tags" { + description = "Additional tags that can be added to all resources" + type = map(string) + default = {} +} diff --git a/modules/aws/s3/s3.tf b/modules/aws/s3/s3.tf index d8958ec3..f4e11b1d 100644 --- a/modules/aws/s3/s3.tf +++ b/modules/aws/s3/s3.tf @@ -1,8 +1,12 @@ locals { - common_tags = map( - "giantswarm.io/cluster", var.cluster_name, - "giantswarm.io/installation", var.cluster_name, - "kubernetes.io/cluster/${var.cluster_name}", "owned" + common_tags = merge( + var.additional_tags, + map( + "giantswarm.io/cluster", var.cluster_name, + "giantswarm.io/installation", var.cluster_name, + "giantswarm.io/cluster-type", "control-plane", + "kubernetes.io/cluster/${var.cluster_name}", "owned" + ) ) } diff --git a/modules/aws/s3/variables.tf b/modules/aws/s3/variables.tf index f3ee019d..67a06f2e 100644 --- a/modules/aws/s3/variables.tf +++ b/modules/aws/s3/variables.tf @@ -13,3 +13,10 @@ variable "logs_expiration_days" { variable "s3_bucket_prefix" { type = string } + +### additional tags +variable "additional_tags" { + description = "Additional tags that can be added to all resources" + type = map + default = {} +} diff --git a/modules/aws/vault/variables.tf b/modules/aws/vault/variables.tf index 3908c922..02ec3957 100644 --- a/modules/aws/vault/variables.tf +++ b/modules/aws/vault/variables.tf 
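Review bot: `${local.common_tags_asg}` is spliced in ahead of the fixed entries of the `"Tags"` list, so unlike the `merge()` used for the other resources there is no de-duplication here. An `additional_tags` key of `Name`, or any other key listed further down in the template, produces two entries with the same key, which CloudFormation may reject or resolve in an order nobody chose. Consider filtering reserved keys in the `for` expression, e.g. `for key, value in var.additional_tags : ... if key != "Name"`, or stating on the variable that such keys are not allowed. The template continues beyond this hunk, so the full set of fixed keys is not visible from here.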
@@ -106,3 +106,10 @@ variable "worker_subnet_count" { } variable "s3_bucket_tags" {} + +### additional tags +variable "additional_tags" { + description = "Additional tags that can be added to all resources" + type = map + default = {} +} diff --git a/modules/aws/vault/vault-elb.tf b/modules/aws/vault/vault-elb.tf index 1d93f757..32113d82 100644 --- a/modules/aws/vault/vault-elb.tf +++ b/modules/aws/vault/vault-elb.tf @@ -19,11 +19,12 @@ resource "aws_elb" "vault" { interval = 5 } - tags = { - Name = "${var.cluster_name}-vault" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-vault" + ) + ) } resource "aws_elb_attachment" "vault" { @@ -57,11 +58,12 @@ resource "aws_security_group" "vault_elb" { cidr_blocks = [var.ipam_network_cidr] } - tags = { - Name = "${var.cluster_name}-vault-elb" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-vault-elb" + ) + ) } resource "aws_route53_record" "vault-elb" { diff --git a/modules/aws/vault/vault.tf b/modules/aws/vault/vault.tf index ad8b33b9..91506b2a 100644 --- a/modules/aws/vault/vault.tf +++ b/modules/aws/vault/vault.tf @@ -2,10 +2,14 @@ locals { # In China there is no tags for s3 buckets s3_ignition_vault_key = element(concat(aws_s3_bucket_object.ignition_vault_with_tags.*.key, aws_s3_bucket_object.ignition_vault_without_tags.*.key), 0) - common_tags = map( - "giantswarm.io/cluster", var.cluster_name, - "giantswarm.io/installation", var.cluster_name, - "kubernetes.io/cluster/${var.cluster_name}", "owned" + common_tags = merge( + var.additional_tags, + map( + "giantswarm.io/cluster", var.cluster_name, + "giantswarm.io/installation", var.cluster_name, + "giantswarm.io/cluster-type", "control-plane", + "kubernetes.io/cluster/${var.cluster_name}", "owned" + ) ) } 
@@ -43,11 +47,12 @@ resource "aws_instance" "vault" { user_data = data.ignition_config.s3.rendered - tags = { - Name = "${var.cluster_name}-vault${count.index}" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-vault${count.index}" + ) + ) } resource "aws_ebs_volume" "vault_etcd" { @@ -55,11 +60,12 @@ resource "aws_ebs_volume" "vault_etcd" { size = var.volume_size_etcd type = var.volume_type - tags = { - Name = "${var.cluster_name}-vault" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-vault" + ) + ) } resource "aws_volume_attachment" "vault_etcd_ebs" { @@ -77,11 +83,12 @@ resource "aws_ebs_volume" "vault_logs" { size = var.volume_size_logs type = var.volume_type - tags = { - Name = "${var.cluster_name}-vault" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name", "${var.cluster_name}-vault" + ), + ) } resource "aws_volume_attachment" "vault_logs_ebs" { @@ -148,11 +155,12 @@ resource "aws_security_group" "vault" { cidr_blocks = concat(data.aws_subnet.worker_subnets.*.cidr_block,[var.aws_cni_cidr_block]) } - tags = { - Name = "${var.cluster_name}-vault" - "giantswarm.io/cluster" = var.cluster_name - "giantswarm.io/installation" = var.cluster_name - } + tags = merge( + local.common_tags, + map( + "Name" , "${var.cluster_name}-vault" + ) + ) } resource "aws_route53_record" "vault" { diff --git a/modules/aws/vpc/variables.tf b/modules/aws/vpc/variables.tf index a76f84a5..4da3d1d4 100644 --- a/modules/aws/vpc/variables.tf +++ b/modules/aws/vpc/variables.tf 
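Review bot: The `vault_logs` volume hunk at -77 closes its inner call with `),`, leaving a trailing comma in `merge(...)` that none of the otherwise identical tag blocks in this file have. The security-group hunk at -148 likewise writes `"Name" , "${var.cluster_name}-vault"` with a stray space before the comma. Both should still parse, but I would align them with the other blocks (`)` without the comma, and `"Name", "${var.cluster_name}-vault"`) so that repeated blocks stay textually identical and a later search-and-replace over them does not miss one.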
@@ -61,3 +61,9 @@ variable "transit_vpc_cidr" { type = string } +### additional tags +variable "additional_tags" { + description = "Additional tags that can be added to all resources" + type = map + default = {} +} diff --git a/modules/aws/vpc/vpc.tf b/modules/aws/vpc/vpc.tf index 7bc4926b..620ebbcf 100644 --- a/modules/aws/vpc/vpc.tf +++ b/modules/aws/vpc/vpc.tf @@ -7,11 +7,14 @@ # * the private nat gateway is in the elb subnet as well (needs to be in a public subnet) locals { - common_tags = map( - "giantswarm.io/cluster", var.cluster_name, - "giantswarm.io/installation", var.cluster_name, - "giantswarm.io/cluster-type", "control-plane", - "kubernetes.io/cluster/${var.cluster_name}", "owned" + common_tags = merge( + var.additional_tags, + map( + "giantswarm.io/cluster", var.cluster_name, + "giantswarm.io/installation", var.cluster_name, + "giantswarm.io/cluster-type", "control-plane", + "kubernetes.io/cluster/${var.cluster_name}", "owned" + ) ) policy_allow = <