Share environment variables across workspaces in TF Cloud

Hi there!

I just got started with TF Cloud and I just managed to set up my first project that works with multiple AWS environments :partying_face:


Now, here's what my setup looks like:

AWS Environments

We are using 2 AWS accounts to host our dev and prod environments.

AWS Credentials

For each of these environments, there is a user that is dedicated to TF Cloud.

Project repository

We have a growing number of microservice repositories that are being deployed to the Amazon Cloud. So far, I have been focusing on one of these repositories to experiment with TF Cloud, and I have migrated its state from AWS S3 to TF Cloud.

Workspaces

As my repository has to be deployed to both our dev and prod accounts in the Amazon Cloud, it is configured to work with two workspaces that reflect the AWS environments:

  • my-project-dev (dev)
  • my-project-prod (prod)

Both of these workspaces have been configured with the CLI-driven workflow.

Environment variables

In order to have each of these workspaces roll out our infrastructure changes to the corresponding AWS environment, I have added the appropriate AWS credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY) as environment variables.


Now, the good news is, everything works as intended :v: I am able to switch workspaces from the command line and to apply the expected changes to the expected AWS environment.

The thing is, when I look ahead, I realize that we are going to configure the same AWS credentials again and again for each repository and each AWS environment. This does not scale very well.

Is there a way to define sets of environment variables that can be used across workspaces?

Hi @LaurentEsc,

Currently, there is no native way to have “sets of variables” or “multi-workspace” variables in Terraform Cloud.

You could use .tfvars files, but that wouldn’t be very prudent for sensitive information like keys and passwords.

As a start, you may wish to check out the "Terraform Cloud" a.k.a. "tfe" provider, which would allow you to create your workspace variables as code from one central "meta" workspace by utilising the tfe_variable resource.

If your security needs grow, you might want to check out HashiCorp Vault. It will allow you to securely provide secrets to Terraform runs, and in the case of AWS credentials (and other supported cloud providers, databases, etc.) it can generate temporary short-lived credentials for every Terraform run, additionally strengthening your security posture.

You can check the following tutorial that showcases this:

Hope this sets you off on the right track.

Regards,
Filip

2 Likes
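The "meta workspace" approach from the answer above, written out as an added example (this is not code from the thread or from HashiCorp): one Terraform configuration, run from its own TF Cloud workspace, that pushes the AWS credentials into every project workspace with the tfe provider's `tfe_variable` resource. The workspace names `my-project-dev` and `my-project-prod` come from the question; the organization name `acme`, the variable name `aws_credentials`, and the `local.project_workspaces` map are assumptions for illustration.

```hcl
# Added example, not from the original thread. Assumes the tfe provider is
# authenticated through the TFE_TOKEN environment variable of the meta
# workspace, and that the token may manage variables on the target workspaces.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

provider "tfe" {}

# The AWS credentials are entered exactly once, as a sensitive Terraform
# variable of the meta workspace (category "terraform", HCL enabled),
# instead of being typed into every project workspace by hand.
variable "aws_credentials" {
  description = "Per-environment AWS keys for the TF Cloud IAM users"
  type = map(object({
    access_key_id     = string
    secret_access_key = string
  }))
  sensitive = true
}

# Every project workspace and the AWS environment (account) it deploys to.
# Adding a repository later means adding two lines here, nothing else.
locals {
  project_workspaces = {
    "my-project-dev"  = "dev"
    "my-project-prod" = "prod"
  }
}

# Look up the existing workspaces rather than recreating them.
data "tfe_workspace" "project" {
  for_each     = local.project_workspaces
  name         = each.key
  organization = "acme" # hypothetical organization name
}

# One environment variable per workspace and per key; the dev workspace only
# ever receives the dev account's keys, so the account boundary is preserved.
resource "tfe_variable" "aws_access_key_id" {
  for_each     = local.project_workspaces
  workspace_id = data.tfe_workspace.project[each.key].id
  key          = "AWS_ACCESS_KEY_ID"
  value        = var.aws_credentials[each.value].access_key_id
  category     = "env"
  sensitive    = true
  description  = "Managed by the meta workspace; do not edit by hand"
}

resource "tfe_variable" "aws_secret_access_key" {
  for_each     = local.project_workspaces
  workspace_id = data.tfe_workspace.project[each.key].id
  key          = "AWS_SECRET_ACCESS_KEY"
  value        = var.aws_credentials[each.value].secret_access_key
  category     = "env"
  sensitive    = true
  description  = "Managed by the meta workspace; do not edit by hand"
}
```

Two caveats a practitioner should weigh before adopting this. First, the key values are written into the meta workspace's state file, so whoever can read that state can read the long-lived keys; restrict state access on the meta workspace to the people who could already read the keys. Second, because `sensitive = true` stops the provider from reading values back from the API, a change made by hand in a target workspace is not detected as drift; the next apply simply overwrites it. Rotating a key becomes a single variable update on the meta workspace followed by one apply.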

@qwerty1979bg Thanks for the quick answer, that was really helpful!

I have opted for the tfe provider for now and was able to solve the scaling issue I was seeing ahead.