diff --git a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx
index 51ced80af77ca..c31cfc419ae82 100644
--- a/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx
+++ b/docs/pages/admin-guides/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform.mdx
@@ -350,6 +350,49 @@ The default is `local`. See the [Teleport authentication reference](../../../reference/access-controls/authentication.mdx) for more information.
+### default_tags
+
+```code
+$ export TF_VAR_default_tags='{"key":"value", "env":"dev"}'
+```
+
+This value can be used to control the default tags applied to all resources,
+including resources created dynamically by the AWS Auto Scaling Groups (ASG).
+The default is no tags.
+
+### enable\_auth\_asg\_instance\_refresh
+
+```code
+$ export TF_VAR_enable_auth_asg_instance_refresh="false"
+```
+
+This variable can be used to enable automatic instance refresh on the Teleport
+**auth server** AWS Autoscaling Group (ASG) - the refresh is triggered by
+changes to the launch template or configuration.
+Enable the auth ASG instance refresh with caution - upgrading the version of
+Teleport will trigger an instance refresh and **auth servers must be scaled down
+to only one instance** before upgrading your Teleport cluster.
+
+### enable\_proxy\_asg\_instance\_refresh
+
+```code
+$ export TF_VAR_enable_proxy_asg_instance_refresh="false"
+```
+
+This variable can be used to enable automatic instance refresh on the Teleport
+**proxy server** AWS Autoscaling Group (ASG) - the refresh is triggered by
+changes to the launch template or configuration.
+
+### enable\_node\_asg\_instance\_refresh
+
+```code
+$ export TF_VAR_enable_node_asg_instance_refresh="false"
+```
+
+This variable can be used to enable automatic instance refresh on the Teleport
+**node server** AWS Autoscaling Group (ASG) - the refresh is triggered by
+changes to the launch template or configuration.
+
 ## Reference deployment defaults
 ### Instances
diff --git a/examples/aws/terraform/ha-autoscale-cluster/Makefile b/examples/aws/terraform/ha-autoscale-cluster/Makefile
index db17ff2d3a96d..08511b95cc69b 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/Makefile
+++ b/examples/aws/terraform/ha-autoscale-cluster/Makefile
@@ -71,6 +71,24 @@ TF_VAR_use_tls_routing ?= false
 # Teleport Enterprise FIPS deployments have local authentication disabled, so should use "github", "oidc", or "saml"
 TF_VAR_teleport_auth_type ?= "local"
+# (optional) AWS tags applied to all resources.
+TF_VAR_default_tags ?= {}
+
+# (optional) Whether to trigger instance refresh rollout for Teleport Auth
+# servers when the launch template or configuration changes.
+# Enable this with caution - upgrading Teleport version will trigger an
+# instance refresh and auth servers must be scaled down to only one instance
+# before upgrading your Teleport cluster.
+TF_VAR_enable_auth_asg_instance_refresh ?= false
+
+# (optional) Whether to trigger instance refresh rollout for Teleport Proxy
+# servers when the launch template or configuration changes.
+TF_VAR_enable_proxy_asg_instance_refresh ?= false
+
+# (optional) Whether to trigger instance refresh rollout for Teleport Node
+# servers when the launch template or configuration changes.
+TF_VAR_enable_node_asg_instance_refresh ?= false
+
 export
 # Plan launches terraform plan
diff --git a/examples/aws/terraform/ha-autoscale-cluster/auth_asg.tf b/examples/aws/terraform/ha-autoscale-cluster/auth_asg.tf
index ceaaac7682574..f09cadc1707cf 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/auth_asg.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/auth_asg.tf
@@ -14,7 +14,7 @@ resource "aws_autoscaling_group" "auth" {
 launch_template {
 name = aws_launch_template.auth.name
- version = "$Latest"
+ version = aws_launch_template.auth.latest_version
 }
 // These are target groups of the auth server network load balancer
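Review bot: The comment above `TF_VAR_default_tags` says the tags are applied to all resources, but provider `default_tags` evidently do not reach Auto Scaling Group tags or launch-template `tag_specifications` on their own, which is why the .tf hunks in this same commit copy them through `data.aws_default_tags.this`; an operator reading only the Makefile cannot tell that those two extra paths exist and must be kept when a new ASG or template is added. Suggest `# (optional) AWS tags set as provider default_tags; ASG tags and launch-template tag_specifications copy them explicitly (see *_asg.tf).` The five-line caution under `TF_VAR_enable_auth_asg_instance_refresh` is repeated verbatim in vars.tf and in the docs page in this commit, so it would be easier to keep the three in sync if the Makefile comment just referred to the variable in vars.tf.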
@@ -33,6 +33,26 @@ resource "aws_autoscaling_group" "auth" {
 propagate_at_launch = true
 }
+ dynamic "tag" {
+ for_each = data.aws_default_tags.this.tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+
+ dynamic "instance_refresh" {
+ for_each = var.enable_auth_asg_instance_refresh ? [1] : []
+ content {
+ strategy = "Rolling"
+ preferences {
+ auto_rollback = false
+ min_healthy_percentage = 0
+ }
+ }
+ }
+
 // external autoscale algos can modify these values,
 // so ignore changes to them
 lifecycle {
@@ -99,4 +119,12 @@ resource "aws_launch_template" "auth" {
 iam_instance_profile {
 name = aws_iam_instance_profile.auth.name
 }
+
+ dynamic "tag_specifications" {
+ for_each = ["instance", "volume", "network-interface"]
+ content {
+ resource_type = tag_specifications.value
+ tags = data.aws_default_tags.this.tags
+ }
+ }
 }
diff --git a/examples/aws/terraform/ha-autoscale-cluster/data.tf b/examples/aws/terraform/ha-autoscale-cluster/data.tf
index f532a8ae744ce..4a3164afc63a4 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/data.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/data.tf
@@ -33,3 +33,5 @@ locals {
 data "aws_kms_alias" "ssm" {
 name = var.kms_alias_name
 }
+
+data "aws_default_tags" "this" {}
diff --git a/examples/aws/terraform/ha-autoscale-cluster/node_asg.tf b/examples/aws/terraform/ha-autoscale-cluster/node_asg.tf
index f7528127a4f20..36d7d4b51205a 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/node_asg.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/node_asg.tf
@@ -13,7 +13,7 @@ resource "aws_autoscaling_group" "node" {
 launch_template {
 id = aws_launch_template.node.id
- version = "$Latest"
+ version = aws_launch_template.node.latest_version
 }
 tag {
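Review bot: The auth refresh runs with `min_healthy_percentage = 0` and `auto_rollback = false`, so once `enable_auth_asg_instance_refresh` is set, any launch-template change (now tracked through `latest_version`) may terminate every auth instance at once, and a template that boots a broken auth server is not rolled back; nothing in the hunk says why this differs from the proxy and node groups, which use 50 and `true`. The reason is presumably the documented step of scaling auth to a single instance before upgrading, where a non-zero minimum would refuse to replace the only instance, but that belongs on the block rather than left for the reader to infer. Suggest a comment above `preferences`: `// Auth is scaled to one instance for upgrades (see docs), so a non-zero min_healthy_percentage would block the refresh; with 0 and no rollback a bad template takes the whole auth group down.` The `lifecycle` block at the end of the hunk continues outside it, so whether `launch_template` is among its ignored attributes cannot be checked here.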
@@ -28,6 +28,26 @@ resource "aws_autoscaling_group" "node" {
 propagate_at_launch = true
 }
+ dynamic "tag" {
+ for_each = data.aws_default_tags.this.tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+
+ dynamic "instance_refresh" {
+ for_each = var.enable_node_asg_instance_refresh ? [1] : []
+ content {
+ strategy = "Rolling"
+ preferences {
+ auto_rollback = true
+ min_healthy_percentage = 50
+ }
+ }
+ }
+
 // external autoscale algos can modify these values,
 // so ignore changes to them
 lifecycle {
@@ -83,4 +103,12 @@ resource "aws_launch_template" "node" {
 iam_instance_profile {
 name = aws_iam_instance_profile.node.name
 }
+
+ dynamic "tag_specifications" {
+ for_each = ["instance", "volume", "network-interface"]
+ content {
+ resource_type = tag_specifications.value
+ tags = data.aws_default_tags.this.tags
+ }
+ }
 }
diff --git a/examples/aws/terraform/ha-autoscale-cluster/provider.tf b/examples/aws/terraform/ha-autoscale-cluster/provider.tf
index f602b3a33e903..4df3d5df90150 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/provider.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/provider.tf
@@ -10,4 +10,8 @@ terraform {
 provider "aws" {
 region = var.region
+
+ default_tags {
+ tags = var.default_tags
+ }
 }
diff --git a/examples/aws/terraform/ha-autoscale-cluster/proxy_asg.tf b/examples/aws/terraform/ha-autoscale-cluster/proxy_asg.tf
index 8a1da979cf456..880abc7140989 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/proxy_asg.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/proxy_asg.tf
@@ -15,7 +15,7 @@ resource "aws_autoscaling_group" "proxy" {
 launch_template {
 name = aws_launch_template.proxy.name
- version = "$Latest"
+ version = aws_launch_template.proxy.latest_version
 }
 // Auto scaling group is associated with load balancer
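Review bot: The `dynamic "tag"` block feeds every provider default tag into the group with `propagate_at_launch = true`, next to the explicit `tag {}` blocks that start above the hunk; if an operator puts a key into `default_tags` that one of those explicit blocks already sets, the group carries two `tag` entries with the same key, which as far as I know the Auto Scaling API rejects and which at best yields a perpetual diff. The same pattern is in the auth, proxy and proxy_acm hunks. Filtering the copied tags against the explicitly set keys avoids it, e.g. `for_each = { for k, v in data.aws_default_tags.this.tags : k => v if !contains(local.asg_tag_keys, k) }` with a `local.asg_tag_keys` list (name illustrative) holding those keys, or a `validation` block on `var.default_tags` that refuses them. The explicit tag keys are outside the hunk, so I cannot say here which ones collide.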
@@ -44,6 +44,26 @@ resource "aws_autoscaling_group" "proxy" {
 propagate_at_launch = true
 }
+ dynamic "tag" {
+ for_each = data.aws_default_tags.this.tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+
+ dynamic "instance_refresh" {
+ for_each = var.enable_proxy_asg_instance_refresh ? [1] : []
+ content {
+ strategy = "Rolling"
+ preferences {
+ auto_rollback = true
+ min_healthy_percentage = 50
+ }
+ }
+ }
+
 // external autoscale algos can modify these values,
 // so ignore changes to them
 lifecycle {
@@ -68,7 +88,7 @@ resource "aws_autoscaling_group" "proxy_acm" {
 launch_template {
 name = aws_launch_template.proxy.name
- version = "$Latest"
+ version = aws_launch_template.proxy.latest_version
 }
 // Auto scaling group is associated with load balancer
@@ -97,6 +117,26 @@ resource "aws_autoscaling_group" "proxy_acm" {
 propagate_at_launch = true
 }
+ dynamic "tag" {
+ for_each = data.aws_default_tags.this.tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+
+ dynamic "instance_refresh" {
+ for_each = var.enable_proxy_asg_instance_refresh ? [1] : []
+ content {
+ strategy = "Rolling"
+ preferences {
+ auto_rollback = true
+ min_healthy_percentage = 50
+ }
+ }
+ }
+
 // external autoscale algos can modify these values,
 // so ignore changes to them
 lifecycle {
@@ -164,4 +204,12 @@ resource "aws_launch_template" "proxy" {
 iam_instance_profile {
 name = aws_iam_instance_profile.proxy.id
 }
+
+ dynamic "tag_specifications" {
+ for_each = ["instance", "volume", "network-interface"]
+ content {
+ resource_type = tag_specifications.value
+ tags = data.aws_default_tags.this.tags
+ }
+ }
 }
diff --git a/examples/aws/terraform/ha-autoscale-cluster/vars.tf b/examples/aws/terraform/ha-autoscale-cluster/vars.tf
index 27d381e750a04..cfca1cde15fa8 100644
--- a/examples/aws/terraform/ha-autoscale-cluster/vars.tf
+++ b/examples/aws/terraform/ha-autoscale-cluster/vars.tf
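Review bot: With `min_healthy_percentage = 50` and no `instance_warmup`, a proxy refresh terminates up to half the group at a time and judges the replacements by the group's health check, whose type is configured outside the hunk; if that is the EC2 check, a freshly launched instance counts as healthy as soon as the OS is up, before Teleport has joined the cluster and the load-balancer target passes, so the refresh may move on to the second half while no proxy is actually serving. Either confirm the group uses the load-balancer health check or set `instance_warmup` in `preferences` to the time a proxy needs to become ready; the `proxy_acm` hunk below and the node hunk repeat the block and need the same treatment. Because `proxy` and `proxy_acm` share one launch template and one flag, a single template change now rolls both groups at once, which is worth one sentence in the docs entry for `enable_proxy_asg_instance_refresh`.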
@@ -240,3 +240,33 @@ variable "teleport_auth_type" {
 type = string
 default = "local"
 }
+
+// (optional) Change the default tags applied to all resources.
+variable "default_tags" {
+ type = map(string)
+ default = {}
+}
+
+// Whether to trigger instance refresh rollout for Teleport Auth servers when
+// servers when the launch template or configuration changes.
+// Enable this with caution - upgrading Teleport version will trigger an
+// instance refresh and auth servers must be scaled down to only one instance
+// before upgrading your Teleport cluster.
+variable "enable_auth_asg_instance_refresh" {
+ type = bool
+ default = false
+}
+
+// Whether to trigger instance refresh rollout for Teleport Proxy servers when
+// servers when the launch template or configuration changes.
+variable "enable_proxy_asg_instance_refresh" {
+ type = bool
+ default = false
+}
+
+// Whether to trigger instance refresh rollout for Teleport Node servers when
+// servers when the launch template or configuration changes.
+variable "enable_node_asg_instance_refresh" {
+ type = bool
+ default = false
+}
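Review bot: The comment on `enable_auth_asg_instance_refresh` ends its first line with `servers when` and the second line starts with `// servers when` again, so the phrase is duplicated; the proxy and node comments below repeat the same slip. Suggest `// Whether to trigger instance refresh rollout for Teleport Auth servers when` followed by `// the launch template or configuration changes.` (and likewise for proxy and node). None of the four new variables has a `description` attribute, so `terraform` itself and documentation generators cannot surface this text; moving each comment, including the caution on the auth flag, into `description = "..."` on the variable would fix that without changing behaviour.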