Terraform Cloud Workspaces are the primary mechanism for isolating state files and variables, effectively creating distinct environments for your infrastructure.
Let’s see this in action. Imagine you’re managing infrastructure for a web application. You’ll likely need separate configurations for development, staging, and production.
Here’s a basic versions.tf and main.tf that you might use.
# versions.tf
terraform {
required_version = "1.3.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
}
# main.tf
resource "aws_instance" "web_server" {
ami = "ami-0c55b159cbfafe1f0" # Example AMI, replace with a current one
instance_type = "t2.micro"
tags = {
Name = "HelloWorld"
}
}
Now, to manage this for different environments, you’d create separate Workspaces in Terraform Cloud.
In the Terraform Cloud UI, you’d navigate to your organization, then to "Workspaces," and click "New workspace." You’d choose "Version control workflow" if your code is in Git, or "CLI-driven workflow" if you plan to terraform apply directly from your local machine or CI.
For a typical setup, you’d link it to your Git repository. Terraform Cloud then watches for changes in your designated branch (e.g., main for production, develop for development).
Once the workspace is created, you’ll see sections for "Variables" and "State."
The "Variables" section is where you define environment-specific parameters. For example, in a "Development" workspace, you might set:
instance_type:t2.microami:ami-0c55b159cbfafe1f0(a specific dev AMI)
In a "Production" workspace, you’d have:
instance_type:t3.mediumami:ami-0abcdef1234567890(a hardened production AMI)
These variables can be set as "Terraform variables" (which map directly to variable blocks in your Terraform code) or "Environment variables" (which are exposed to Terraform as environment variables, often used for credentials). You can also mark them as "Sensitive" to prevent them from being displayed in logs.
The "State" section is crucial. Each workspace maintains its own terraform.tfstate file. When you run terraform apply (whether via VCS or CLI), Terraform Cloud uploads the state file to its backend. This means your development EC2 instance’s state is entirely separate from your production EC2 instance’s state.
The problem this solves is the classic "how do I manage multiple environments without state conflicts?" Terraform Cloud provides a clean, managed solution. It abstracts away the complexity of managing remote state files, locking, and providing a consistent interface for variable management across teams and environments.
When Terraform Cloud detects a change in your VCS and a run is triggered, it fetches the code, downloads the necessary providers, and then applies the configuration using the state file associated only with that specific workspace.
The true power here is in how Terraform Cloud handles variable precedence. If you define a variable like instance_type both in your variables.tf file and as a Terraform variable within a workspace, the workspace variable will override the one in the file. This allows you to set defaults in your code but have environment-specific overrides managed centrally in Terraform Cloud.
The next concept you’ll want to explore is how to use Terraform Cloud’s API to automate workspace creation and management.