Prevent default workspace?

Is there a method by which we can prevent people from using the default workspace (using s3 remote state) at the S3 bucket level? We tried blocking the “PutObject” permission, but the resources get created first and so all that happens is that we can’t save the resources that now exist.

Hi @richardgavel,

The design intent is that your main infrastructure (as opposed to temporary development infrastructure) would always belong to the default workspace, which is a special workspace that is treated differently by most backends and is often the only workspace for many users, and so there is currently no supported way to remove or lock down that workspace name.

You may be able to rely on implementations of particular backends to achieve this sort of effect, similar to what you attempted with IAM policies here, but I’d classify such a thing as a workaround rather than a solution, unless there’s explicit documentation for the backend saying that it’s a supported usage pattern. I’m not aware of any such pattern for the s3 backend.

I use something like this to ensure that we’re always using an allowed workspace:

locals {
  config = local.configs[terraform.workspace] # Crash if we try to use a disallowed workspace

  configs = {
    production = {
      some_var = "some_val"
    }
  }
}