diff --git a/environments/README.md b/environments/README.md
new file mode 100644
index 0000000..128f5bc
--- /dev/null
+++ b/environments/README.md
@@ -0,0 +1,14 @@
+# Environments Configuration (Optional)
+
+Define specific variables per environment. Currently used for Azure Resource tags, e.g. `env=dev` vs `env=prod`.
+
+These custom tags are merged into defaults defined in [`/variables.tf`](./../variables.tf)
+
+### Usage example
+
+These values need to be explicitly specified via `-var-file` flag, e.g.
+
+```
+terraform plan -var-file=environments/dev.tfvars -out plan.tfplan
+terraform apply plan.tfplan
+```
diff --git a/environments/dev.tfvars b/environments/dev.tfvars
new file mode 100644
index 0000000..49e1816
--- /dev/null
+++ b/environments/dev.tfvars
@@ -0,0 +1,6 @@
+custom_tags = {
+  demo-version = "v0.5.0"
+  env          = "dev"
+  devops-org   = "julie-msft"
+  github       = "azure/devops-governance"
+}
diff --git a/environments/prod.tfvars b/environments/prod.tfvars
new file mode 100644
index 0000000..b18b591
--- /dev/null
+++ b/environments/prod.tfvars
@@ -0,0 +1,6 @@
+custom_tags = {
+  demo-version = "v0.5.0"
+  env          = "production"
+  devops-org   = "julie-msft"
+  github       = "azure/devops-governance"
+}
diff --git a/main.tf b/main.tf
index 6732495..78f5182 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,7 @@ locals {
   suffix                    = random_string.suffix.result
   application_owners_ids    = length(var.application_owners_ids) == 0 ? [data.azurerm_client_config.current.object_id] : var.application_owners_ids
   superadmins_aad_object_id = var.superadmins_aad_object_id == "" ? data.azurerm_client_config.current.object_id : var.superadmins_aad_object_id # Default to current ARM client
+  tags                      = merge(var.default_tags, var.custom_tags)
 }
 
 # =================
@@ -56,6 +57,7 @@ module "arm_environments" {
   admins_group_id      = azuread_group.groups["${each.value.team}_admins"].id
   superadmins_group_id = local.superadmins_aad_object_id
   service_principal_id = module.service_principals["${each.value.team}_${each.value.env}"].principal_id
+  tags                 = local.tags
 }
 
 # ==============
diff --git a/modules/azure-resources/variables.tf b/modules/azure-resources/variables.tf
index dc205e9..4aa82dc 100644
--- a/modules/azure-resources/variables.tf
+++ b/modules/azure-resources/variables.tf
@@ -49,12 +49,6 @@ variable "client_object_id" {
 variable "tags" {
   description = "Tags to apply to Azure Resources"
   type        = map(string)
-  default = {
-    demo   = "governance"
-    devops = "true"
-    oss    = "terraform"
-    public = "true"
-  }
 }
 
 data "azurerm_client_config" "current" {}
diff --git a/variables.tf b/variables.tf
index 7e42ffa..0899c43 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,3 +26,20 @@ variable "projects" {
 variable "environments" {
   type = map(map(string))
 }
+
+variable "default_tags" {
+  description = "Tags to apply to Azure Resources"
+  type        = map(string)
+  default = {
+    public = "true"
+    demo   = "e2e-governance"
+    iac    = "terraform"
+    ci     = "azure-pipelines"
+  }
+}
+
+variable "custom_tags" {
+  description = "Extra Tags to apply to Azure Resources"
+  type        = map(string)
+  default     = {}
+}