Using Terraform Workspace for AWS multi account architectures
7 comments
February 5, 2025
jayceedenton
Is there any benefit to using workspaces over just introducing some variables and having an 'environment' variable?
You can have a directory per environment and a directory of shared resources that are used by all environments.
It seems like workspaces add a new construct to be learned and another thing to add to all commands without much benefit. Could we just stick with the simple way of doing this?
maurobaraldi
The proposal shows an example of how to isolate environments without duplicating some code. It acts, more or less, as a template for the architecture, which you render according to the values (environments/accounts).
I agree it isn't the simplest way to do that, but I don't think that it adds that much complexity. Perhaps it could be more laborious from the point of view of architecture, but it could be easier to handle and maintain.
_joel
They seem to play nicer with Terraform Cloud, when I've used it. I'm not sure how useful they are if it's just vanilla tf, especially if your codebase is simple. I guess it's just extra isolation for safety, perhaps.
NomDePlum
Been a while since I used workspaces but my understanding is that you have:
- a directory that has the infrastructure code
- a directory per environment that has the specific configuration to be applied to that environment
It's a pretty classic separation of code and config. Might not be intuitive to everyone I guess, but that separation is very beneficial I find.
For instance, adding a new environment is relatively trivial. Not something you do all the time granted, but I have had the need on occasions.
Same goes for removing an environment.
new_user_final
There is a typo in the submission title. Isn't it easier to copy than type the whole title?
maurobaraldi
Fixed. Thanks for the watchful eyes :-)
I generally consider the AWS CLI configuration to be something that's unique to a developer's workstation, and shouldn't be referenced in Terraform code (in the form of tying the workspace name to your AWS profile name).
This would only work if all developers on a team have synchronised the same AWS CLI config (which to me is like asking people to synchronise dotfiles, not something I'd be willing to do).
My go-to architecture for multi-environment tends to be this, as it lends itself relatively well to Git Flow (or GitHub Flow): https://github.com/antonbabenko/terraform-best-practices/tre...