Multi-env: workspaces vs directories

Шаги

1. 01

   Option 1: workspaces

   bashcopy

   cd /home/student/tf-envs/workspaces-style

   cat > main.tf <<'EOF'

   resource "random_id" "suffix" {

     byte_length = 4

   }

   locals {

     env = terraform.workspace

   }

   resource "aws_s3_bucket" "demo" {

     bucket = "linuxlab-${local.env}-${random_id.suffix.hex}"

     tags = {

       Environment = local.env

     }

   }

   output "current_workspace" {

     value = terraform.workspace

   }

   EOF

   terraform init

   Create two workspaces:

   bashcopy

   terraform workspace new dev

   terraform workspace new prod

   terraform workspace list

   The asterisk marks the active one.

   Workspaces are separate states within one backend. With the local backend the state lives in terraform.tfstate.d/<workspace>/. With S3, under different keys.

   ✓ Two workspaces created. Each has its own state.

2. 02

   Apply in both workspaces

   Switch to dev and apply:

   bashcopy

   terraform workspace select dev

   terraform workspace show

   terraform apply -auto-approve

   terraform output current_workspace

   This should create a bucket named linuxlab-dev-<hash>.

   Switch to prod:

   bashcopy

   terraform workspace select prod

   terraform workspace show

   terraform apply -auto-approve

   terraform output current_workspace

   A different bucket is created: linuxlab-prod-<hash>. These two workspaces have separate states, so each one creates its own resource.

   Check it:

   bashcopy

   aws --endpoint-url=http://localstack:4566 s3 ls

   You see both buckets, linuxlab-dev-... and linuxlab-prod-....

   ✓ Workspaces isolated the state: two different buckets from one set of HCL.

3. 03

   The danger of workspaces: apply to the wrong env

   The main problem with workspaces is that it is easy to lose track of which one is active.

   The scenario: you are working in dev, you switch to prod to look at something, then you forget to switch back. You run terraform apply, and you have applied your dev changes to the prod state.

   A guard is a precondition on an external data source that checks the workspace:

   hclcopy

   check "workspace_match" {

     assert {

       condition     = terraform.workspace != "default"

       error_message = "Apply on the 'default' workspace is not allowed: choose dev/stage/prod."

     }

   }

   This is part of a safety belt. On a large team, workspaces are not used for prod, precisely to rule out this mistake. For feature-branch experiments in a local dev, they are fine.

   Go back to dev:

   bashcopy

   terraform workspace select dev

   ✓ You see the danger. In production, use directory style.

4. 04

   Option 2: a shared module for dirs-style

   bashcopy

   mkdir -p /home/student/tf-envs/dirs-style/modules/app

   cat > /home/student/tf-envs/dirs-style/modules/app/main.tf <<'EOF'

   resource "random_id" "suffix" {

     byte_length = 4

   }

   resource "aws_s3_bucket" "demo" {

     bucket = "linuxlab-${var.env}-${random_id.suffix.hex}"

     tags = {

       Environment = var.env

     }

   }

   output "bucket_arn" {

     value = aws_s3_bucket.demo.arn

   }

   EOF

   cat > /home/student/tf-envs/dirs-style/modules/app/variables.tf <<'EOF'

   variable "env" {

     type = string

     validation {

       condition     = contains(["dev", "stage", "prod"], var.env)

       error_message = "env must be dev, stage, or prod."

     }

   }

   EOF

   This is a reusable module, app. It takes env and creates a bucket with the right name.

   Now the env roots:

   ✓ The app module is described. Now the roots per environment.

5. 05

   The dev and prod roots

   bashcopy

   cat > /home/student/tf-envs/dirs-style/envs/dev/main.tf <<'EOF'

   module "app" {

     source = "../../modules/app"

     env    = "dev"

   }

   output "bucket_arn" {

     value = module.app.bucket_arn

   }

   EOF

   cat > /home/student/tf-envs/dirs-style/envs/prod/main.tf <<'EOF'

   module "app" {

     source = "../../modules/app"

     env    = "prod"

   }

   output "bucket_arn" {

     value = module.app.bucket_arn

   }

   EOF

   Apply dev:

   bashcopy

   cd /home/student/tf-envs/dirs-style/envs/dev

   terraform init

   terraform apply -auto-approve

   terraform output bucket_arn

   Apply prod:

   bashcopy

   cd /home/student/tf-envs/dirs-style/envs/prod

   terraform init

   terraform apply -auto-approve

   terraform output bucket_arn

   Each env has its own .terraform/ and its own state. You cannot accidentally apply the dev config to prod, for that you would have to physically move into the other directory.

   ✓ Two env roots, each with its own state. The isolation is solid.

   The same thing on OpenTofu

   OpenTofu keeps the CLI and state compatible with Terraform for the commands in this step: migration usually goes through mv .terraform .terraform.bak; tofu init -upgrade. On a first switch, though, back up the state and do a run on a feature branch, the differences cluster in the newer features (variables in backend, state encryption, OCI registry-backed modules). See tf-opentofu-parity for the full matrix.

   • → OpenTofu parity
6. 06

   Compare the two approaches

   Move into one of the env roots:

   bashcopy

   cd /home/student/tf-envs/dirs-style/envs/dev

   terraform state list

   You see:

   copy

   module.app.aws_s3_bucket.demo

   module.app.random_id.suffix

   A comparison:

   Aspect	Workspaces	Directory-per-env
   HCL is duplicated	No	Minimal (thin root, everything in the module)
   Backend is duplicated	No, single	Yes (each env its own backend)
   Accidental apply to the wrong env	Easy	Hard. You need a cd
   Divergence between envs	Impossible, one set of HCL	Possible (good or bad?)
   Complexity to start	Low	Medium
   Production-scale	Not recommended	Standard

   In real work: workspaces for short experiments, dirs-per-env for anything serious. Many companies use Terragrunt to manage dirs-style (see the advanced track).

   See tf-workspace for workspace details and tf-init-backends for backend per env.

   ✓ The intermediate track is done. Next: production.

   When workspaces are the only option

   Despite everything said above, workspaces are still useful:

   • Short-lived feature branches. You test a PR feature in an isolated state and tear it down after the merge. Duplicating a directory for two days is overkill.
   • One or two developers on a project. The complexity of directory-style pays off at 5+ people. Solo, a workspace is simpler.
   • Envs that stay close. If dev and prod must be bit-for-bit identical, a workspace guarantees that (one set of HCL). Directory-style in theory allows drift.

   The antipattern: workspaces for separating customers ("tenant per workspace"). At a hundred tenants the state operations (refresh, plan) on a single backend get slow, and the risk of mixing them up grows. For multi-tenant, use directory-style or multi-account.

   • → terraform workspace
   • → Init and backend configuration