Terraform Workspaces for Environment Management

Learn how Terraform workspaces isolate dev, staging & prod, secure state files, and streamline multi-environment IaC management.

Sebastian Stadil

21 May 2025 • 3 min read

Terraform workspaces provide a mechanism to manage multiple, distinct state files for the same configuration. This allows you to deploy the same infrastructure code to different environments (e.g., development, staging, production) without altering the code itself, by simply switching workspaces.

What are Terraform Workspaces?

By default, Terraform operates in a workspace named default. When you create a new workspace (e.g., terraform workspace new dev), Terraform creates a separate state file for that workspace (e.g., terraform.tfstate.d/dev/terraform.tfstate). All operations within that workspace will then read from and write to its dedicated state file.

# Create a new workspace
terraform workspace new dev

# Switch to the new workspace
terraform workspace select dev

# List workspaces
terraform workspace list
# Output:
#   default
# * dev

# Show current workspace
terraform workspace show
# Output:
# dev

You can then use the terraform.workspace interpolation to introduce slight variations in your configuration based on the active workspace:

resource "aws_instance" "example" {
  ami           = "ami-0c55b31ad20f0c502" # Consider using a map for AMIs per region/env
  instance_type = terraform.workspace == "prod" ? "t2.medium" : "t2.micro"
  tags = {
    Name        = "Server-${terraform.workspace}"
    Environment = terraform.workspace
  }
}

Common Sticking Points

Misunderstanding Purpose: Workspaces are for managing multiple state files for the same configuration, primarily for environment separation (dev/staging/prod). They are not a replacement for version control branches (for code changes) or separate configuration directories (for fundamentally different infrastructures).
Overuse of Conditional Logic: Relying too heavily on terraform.workspace for conditional logic can make configurations complex and hard to read. It's often better to use input variables driven by *.tfvars files per environment for more significant differences.
Not True Isolation: While state is separate, if resource naming or other shared service configurations are not carefully managed with workspace-specific parameters, deployments in different workspaces can still conflict.
Limited Scope: Workspaces are a CLI-level concept. They don't inherently provide features like Role-Based Access Control (RBAC) for different environments or manage distinct sets of input variables beyond what you script.

The Scalr Perspective

While Terraform workspaces offer a basic way to separate state, managing multiple environments robustly in an organizational context requires more comprehensive capabilities. This is where a platform like Scalr provides significant advantages, offering a more structured and feature-rich approach to environment management:

First-Class Environments: Scalr treats environments as a core concept, going beyond simple state separation. Each Scalr environment can have its own dedicated set of variables, cloud credentials, policy sets, and RBAC.
Variable Management: Instead of relying solely on terraform.workspace interpolation or manually managing tfvars files, Scalr allows you to define and scope variables (including sensitive ones) at the environment, project, or global level, injecting them securely at runtime.
RBAC and Governance: Scalr enables you to define who can plan or apply changes in specific environments (e.g., only senior engineers can apply to production). OPA policies can also be applied per environment to enforce specific rules.
No Code Changes for Environment Promotion: With Scalr, promoting a configuration from dev to staging to prod can be managed through its workflow without needing terraform.workspace in the code. The same code runs, but Scalr injects the environment-specific context (variables, credentials).
Enhanced Isolation and Security: By managing credentials and variables at the environment level within Scalr, you achieve better isolation and reduce the risk of cross-environment interference or credential leakage.

Scalr effectively elevates the concept of environment management from a CLI convenience (workspaces) to a full-fledged operational model, providing the security, governance, and automation needed for collaborative teams.

Summary Table

Feature	Terraform Workspaces (CLI)	Scalr Environments
Primary Goal	Separate state files for the same configuration.	Comprehensive management of distinct deployment targets.
State Management	Manages separate `.tfstate` files per workspace.	Manages state, variables, credentials, policies per env.
Variable Handling	`terraform.workspace` interpolation; manual tfvars.	Centralized, hierarchical, secure variable injection.
Access Control	None built-in (relies on underlying system).	Granular RBAC per environment.
Code Changes	Often requires `terraform.workspace` in code.	Promotes same code with environment-specific context.
Use Case	Simple dev/staging/prod for individual/small teams.	Scalable, secure environment management for organizations.

Conclusion

Terraform workspaces are a useful tool for basic environment separation directly within the CLI. However, for more complex organizational needs involving multiple teams, stringent security, and robust governance, a dedicated platform like Scalr provides a far more comprehensive and powerful solution for managing your Terraform environments.