Hello there,
I have been working with Terraform for a few months now, primarily managing infrastructure for dev, staging, and production environments. I am currently trying to refine how we handle deployments across these environments, and I have come across mixed advice regarding the use of Terraform workspaces vs. maintaining separate state files or even separate directories/repos per environment.
What are the current best practices in the community for managing multiple environments effectively? Are workspaces still considered viable for anything beyond basic use cases, or do most teams lean toward completely separate configurations and state files for each environment?
I am also curious about how people are handling secrets and variables across environments: are you using something like Vault, SSM, or environment-specific .tfvars files?
My main goals are simplicity, clarity, and minimizing the risk of accidentally applying changes to the wrong environment.
Thanks in advance for your help and assistance.
This is a big challenge in most Terraform environments, and there isn’t a great one-size-fits-all solution.
I personally find that tools like Terragrunt and Terramate have a lot to offer – I’d avoided using Terragrunt for years because of some concerns about whether it would continue to be maintained, and / or whether it would continue to track new versions of Terraform (and, now, also OpenTofu). But it adds a lot of useful enhancements (Terragrunt, at least), in terms of being able to generate parallel structures, set up / generate remote state references in a consistent / predictable way, the ability to include another layer of variables, etc. However, it will take a little extra time to get a reasonable layout / setup you’re happy with.
I had my team working on Terraform’s “workspace” feature a few years back, and we mostly got it working in a way that was acceptable to us, but there are some quirks / annoyances. The hardest part is if you need to suppress certain things in one workspace but not another - you can often do it using `count` or similar hacks, but it’s not pretty. Also, I think Terraform Cloud uses (or used to use) “workspace” to refer to its states, which makes the naming kind of confusing.
You can also look at Terraform’s new “stacks” feature.
ps - There are times where you can get away with just not DRYing things up too much, and using modules / data structures / tfvars to keep things relatively copy / paste compliant. But even when it works, it’s always something I feel a little unhappy about, personally.
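The following root module is an added example, not code from either poster. It ties together the two things the thread is about: the question's goal of not applying changes to the wrong environment, and the answer's point about suppressing resources per workspace with `count`. It keys per-environment settings off `terraform.workspace`, reads a secret from SSM under an environment-specific path instead of committing it in `.tfvars`, and adds a precondition that fails the plan if the selected workspace and the `-var-file` passed in disagree. The bucket name, AMI, SSM parameter path, resource names and settings values are all hypothetical placeholders.

```hcl
# Added example (not from the original thread): one root module shared by
# dev / staging / prod workspaces. All names and values below are hypothetical.

terraform {
  required_version = ">= 1.4" # terraform_data resource needs 1.4+

  backend "s3" {
    bucket = "example-tfstate"            # placeholder bucket
    key    = "network/terraform.tfstate"  # with workspaces the S3 backend
    region = "us-east-1"                  # stores each state under env:/<workspace>/<key>
  }
}

# Passed via -var-file=<env>.tfvars; used only to cross-check the workspace.
variable "environment" {
  type        = string
  description = "Must equal the selected workspace; guards against applying the wrong tfvars."

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of dev, staging, prod."
  }
}

locals {
  # Per-environment differences live in one map rather than copied directories.
  settings = {
    dev     = { instance_type = "t3.micro", enable_bastion = true,  deletion_protection = false }
    staging = { instance_type = "t3.small", enable_bastion = true,  deletion_protection = false }
    prod    = { instance_type = "m5.large", enable_bastion = false, deletion_protection = true }
  }

  # Indexing by workspace: an unknown workspace (e.g. "default") fails the plan
  # here instead of silently applying with some fallback.
  env = local.settings[terraform.workspace]
}

# Guard resource: the plan is rejected if workspace and tfvars disagree, which is
# the "applied prod.tfvars while the dev workspace was selected" mistake.
resource "terraform_data" "env_guard" {
  lifecycle {
    precondition {
      condition     = terraform.workspace == var.environment
      error_message = "Workspace '${terraform.workspace}' does not match var.environment '${var.environment}'. Select the matching workspace or pass the matching -var-file."
    }
  }
}

# The count pattern from the answer: present in dev / staging, absent in prod.
resource "aws_instance" "bastion" {
  count         = local.env.enable_bastion ? 1 : 0
  ami           = "ami-00000000" # placeholder
  instance_type = local.env.instance_type

  tags = {
    Environment = terraform.workspace
  }
}

# Secrets come from SSM under an environment-scoped path, so .tfvars files stay
# free of credentials and each workspace can only read its own parameter.
data "aws_ssm_parameter" "db_password" {
  name            = "/${terraform.workspace}/app/db_password" # placeholder path
  with_decryption = true
}
```

Usage is `terraform workspace select prod` followed by `terraform plan -var-file=prod.tfvars`, where `prod.tfvars` contains only `environment = "prod"`. Passing `dev.tfvars` with the prod workspace selected, or running from the `default` workspace, produces a plan error rather than a wrong apply. The deliberate redundancy (workspace plus a variable that must agree with it) is what buys the protection; a Terragrunt or per-directory layout achieves the same effect by making each environment its own working directory instead.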