Remote backend vs workspace

I am new to Terraform, I am trying to set up a Gitlab pipeline for dev/stage/prod environments.

What would be the best approach and why?

  1. Use default workspace and remote http backend with URLs based on environments, e.g. https://…/{env}
  2. Use single remote backend with multiple workspaces?

It very much depends on what you are trying to achieve. Are you wanting multiple pipelines (one per env) so that you can have different code for each? Or are you wanting a single pipeline which deploys the same code to each env in turn?

My experience in that regard (that is predominantly with AWS) depends on your operating model.

An organisation transitioning to the cloud generally has an intermediate step with Ops people and Dev people (potentially multiple teams).

What matters here is how you segregate permissions at 2 levels:

  • access to the backend
  • access to the resources (permissions over account (AWS) / resource groups (Azure)…)

There are organisations where everyone has r/w access to every state file and resource.
But if you want to enforce some boundaries, which is needed in even a relatively small org in my experience, you would create a set of access to backends + resources.

Illustration of a simple case on AWS. You have a typical set of accounts like:

  • master account
  • logging
  • shared
  • app1-prod
  • app1-dev
  • app2-prod
  • app2-dev

The platform team has access to every account and state backend storing the resources it created (the tag ManagedBy=platformteam will help identify that). The team working on app1 gets access only to the app1-prod and app1-test accounts. Idem for app2.

Some folks might be in the 2 app teams; you provide access thanks to group membership that grants access to roles giving the respective permissions.

Am I making sense?

It must be noted that Terraform state files can contain sensitive information. Hence the segregation at backend level. Example: you have AWS Managed AD resources managed by the platform team and you probably want to avoid an app team having the admin password of that instance. It is stored in the state. The app team should then not be granted access at all, not even read-only access.
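As an added illustration of the backend-level segregation described above (not code from anyone in this thread), here is one S3 backend shared by all teams with the state key scoped per team and environment, plus an IAM policy that lets the app1 team reach only its own state prefix. Bucket, table, region and account id are placeholders.

```hcl
# app1/backend.tf -- the key is supplied per environment at init time, e.g.
#   terraform init -backend-config="key=app1/prod/terraform.tfstate"
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"       # placeholder bucket
    region         = "eu-west-1"                 # placeholder region
    dynamodb_table = "example-org-tfstate-lock"  # placeholder lock table
    encrypt        = true
    # "key" is deliberately omitted and passed via -backend-config
  }
}

# platform/iam_app1_state.tf -- managed by the platform team, attached to the
# role the app1 team assumes. Nothing here grants platform/* or app2/*, so the
# secrets held in the platform state are not even readable by app1.
data "aws_iam_policy_document" "app1_state" {
  statement {
    sid       = "ListOwnPrefixOnly"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-org-tfstate"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["app1/*"]
    }
  }
  statement {
    sid       = "ReadWriteOwnState"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::example-org-tfstate/app1/*"]
  }
  statement {
    sid     = "StateLocking"
    actions = ["dynamodb:DescribeTable", "dynamodb:GetItem",
               "dynamodb:PutItem", "dynamodb:DeleteItem"]
    # placeholder account id 111111111111
    resources = ["arn:aws:dynamodb:eu-west-1:111111111111:table/example-org-tfstate-lock"]
  }
}

resource "aws_iam_policy" "app1_state" {
  name   = "app1-terraform-state"
  policy = data.aws_iam_policy_document.app1_state.json
}
```

The same pattern repeats per team (app2/*, platform/*), and the environment split inside a team's prefix is what the pipeline selects with `-backend-config` rather than with workspaces.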

In addition to what others have said already, I want to note the Terraform documentation section When to use Multiple Workspaces which aims to describe some situations that are good for workspaces and some other situations that are not so good, and then offers some alternative suggestions for the common situations that workspaces are not designed to solve.

Can I also add that workspaces have different meanings in the CLI and Cloud contexts. I always found this very confusing.

Thanks everyone for quick responses!

You answered all my questions and a few more I was thinking about :slight_smile: