Merge pull request #31849 from hashicorp/workspaces-confusion-fixes

Update workspace documentation
hashicorp · Sep 23, 2022 · a8ea377 · a8ea377
2 parents a5926f1 + 0471c80
commit a8ea377
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 217 deletions.
diff --git a/website/docs/cli/workspaces/index.mdx b/website/docs/cli/workspaces/index.mdx
@@ -7,72 +7,80 @@ description: >-
 
 # Managing Workspaces
 
-In Terraform CLI, _workspaces_ are separate instances of
-[state data](/language/state) that can be used from the same working
-directory. You can use workspaces to manage multiple non-overlapping groups of
-resources with the same configuration.
-
-- Every [initialized working directory](/cli/init) has at least
-  one workspace. (If you haven't created other workspaces, it is a workspace
-  named `default`.)
-- For a given working directory, only one workspace can be _selected_ at a time.
-- Most Terraform commands (including [provisioning](/cli/run)
-  and [state manipulation](/cli/state) commands) only interact
-  with the currently selected workspace.
-- Use [the `terraform workspace select` command](/cli/commands/workspace/select)
-  to change the currently selected workspace.
-- Use the [`terraform workspace list`](/cli/commands/workspace/list),
-  [`terraform workspace new`](/cli/commands/workspace/new), and
-  [`terraform workspace delete`](/cli/commands/workspace/delete) commands
-  to manage the available workspaces in the current working directory.
-
--> **Note:** Terraform Cloud and Terraform CLI both have features called
-"workspaces," but they're slightly different. Terraform Cloud's workspaces
-behave more like completely separate working directories.
-
-## The Purpose of Workspaces
-
-Since most of the resources you can manage with Terraform don't include a unique
-name as part of their configuration, it's common to use the same Terraform
-configuration to provision multiple groups of similar resources.
-
-Terraform relies on [state](/language/state) to associate resources with
-real-world objects, so if you run the same configuration multiple times with
-completely separate state data, Terraform can manage many non-overlapping groups
-of resources. In some cases you'll want to change
-[variable values](/language/values/variables) for these different
-resource collections (like when specifying differences between staging and
-production deployments), and in other cases you might just want many instances
-of a particular infrastructure pattern.
-
-The simplest way to maintain multiple instances of a configuration with
-completely separate state data is to use multiple
-[working directories](/cli/init) (with different
-[backend](/language/settings/backends/configuration) configurations per directory, if you
-aren't using the default `local` backend).
-
-However, this isn't always the most _convenient_ way to handle separate states.
-Terraform installs a separate cache of plugins and modules for each working
-directory, so maintaining multiple directories can waste bandwidth and disk
-space. You must also update your configuration code from version control
-separately for each directory, reinitialize each directory separately when
-changing the configuration, etc.
-
-Workspaces allow you to use the same working copy of your configuration and the
-same plugin and module caches, while still keeping separate states for each
-collection of resources you manage.
+Workspaces in the Terraform CLI refer to separate instances of [state data](/language/state) inside the same Terraform working directory. They are distinctly different from [workspaces in Terraform Cloud](/cloud-docs/workspaces), which each have their own Terraform configuration and function as separate working directories.
+
+Terraform relies on state to associate resources with real-world objects. When you run the same configuration multiple times with separate state data, Terraform can manage multiple sets of non-overlapping resources.
+
+Workspaces can be helpful for specific [use cases](#use-cases), but they are not required to use the Terraform CLI. We recommend using [alternative approaches](#alternatives-to-workspaces) for complex deployments requiring separate credentials and access controls.
+
+
+## Managing CLI Workspaces
+
+Every [initialized working directory](/cli/init) starts with one workspace named `default`.
+
+Use the [`terraform workspace list`](/cli/commands/workspace/list), [`terraform workspace new`](/cli/commands/workspace/new), and [`terraform workspace delete`](/cli/commands/workspace/delete) commands to manage the available workspaces in the current working directory.
+
+Use [the `terraform workspace select` command](/cli/commands/workspace/select) to change the currently selected workspace. For a given working directory, you can only select one workspace can be at a time. Most Terraform commands only interact with the currently selected workspace. This includes [provisioning](/cli/run) and [state manipulation](/cli/state).
+
+When you provision infrastructure in each workspace, you usually need to manually specify different [input variables](/language/values/variables) to differentiate each collection. For example, you might deploy test infrastructure to a different region.
+
+
+## Use Cases
+
+You can create multiple [working directories](/cli/init) to maintain multiple instances of a configuration with completely separate state data. However, Terraform installs a separate cache of plugins and modules for each working directory, so maintaining multiple directories can waste bandwidth and disk space. This approach also requires extra tasks like updating configuration from version control for each directory separately and reinitializing each directory when you change the configuration. Workspaces are convenient because they let you create different sets of infrastructure with the same working copy of your configuration and the same plugin and module caches.
+
+A common use for multiple workspaces is to create a parallel, distinct copy of
+a set of infrastructure to test a set of changes before modifying production infrastructure.
+
+Non-default workspaces are often related to feature branches in version control.
+The default workspace might correspond to the `main` or `trunk` branch, which describes the intended state of production infrastructure. When a developer creates a feature branch for a change, they might also create a corresponding workspace and deploy into it a temporary copy of the main infrastructure. They can then test changes on the copy without affecting the production infrastructure. Once the change is merged and deployed to the default workspace, they destroy the test infrastructure and delete the temporary workspace.
+
+
+### When Not to Use Multiple Workspaces
+
+Workspaces let you quickly switch between multiple instances of a **single configuration** within its **single backend**. They are not designed to solve all problems.
+
+When using Terraform to manage larger systems, you should create separate Terraform configurations that correspond to architectural boundaries within the system. This lets teams manage different components separately. Workspaces alone are not a suitable tool for system decomposition because each subsystem should have its own separate configuration and backend.
+
+In particular, organizations commonly want to create a strong separation
+between multiple deployments of the same infrastructure serving different
+development stages or different internal teams. In this case, the backend for each deployment often has different credentials and access controls. CLI workspaces within a working directory use the same backend, so they are not a suitable isolation mechanism for this scenario.
+
+## Alternatives to Workspaces
+
+Instead of creating CLI workspaces, you can use one or more [re-usable modules](/language/modules/develop) to represent the common elements and then represent each instance as a separate configuration that instantiates those common elements in the context of a different [backend](/language/settings/backends/configuration). The root module of each configuration consists only of a backend configuration and a small number of `module` blocks with arguments describing any small differences between the deployments.
+
+When multiple configurations represent distinct system components rather than multiple deployments, you can pass data from one component to another using paired resources types and data sources.
+
+- When a shared [Consul](https://www.consul.io/) cluster is available, use [`consul_key_prefix`](https://registry.terraform.io/providers/hashicorp/consul/latest/docs/resources/key_prefix) to publish to the key/value store and [`consul_keys`](https://registry.terraform.io/providers/hashicorp/consul/latest/docs/data-sources/keys) to retrieve those values in other configurations.
+
+- In systems that support user-defined labels or tags, use a tagging convention to make resources automatically discoverable. For example, use [the `aws_vpc` resource type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) to assign suitable tags and then [the `aws_vpc` data source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) to query by those tags in other configurations.
+
+- For server addresses, use a provider-specific resource to create a DNS record with a predictable name. Then you can either use that name directly or use [the `dns` provider](https://registry.terraform.io/providers/hashicorp/dns/latest/docs) to retrieve the published addresses in other configurations.
+
+- If you store a Terraform state for one configuration in a remote backend that other configurations can access, then the other configurations can use [`terraform_remote_state`](/language/state/remote-state-data) to directly consume its root module outputs. This setup creates a tighter coupling between configurations, and the root configuration does not need to publish its results in a separate system.
+
 
 ## Interactions with Terraform Cloud Workspaces
 
 Terraform Cloud organizes infrastructure using workspaces, but its workspaces
-act more like completely separate working directories; each Terraform Cloud
+act more like completely separate working directories. Each Terraform Cloud
 workspace has its own Terraform configuration, set of variable values, state
 data, run history, and settings.
 
-These two kinds of workspaces are different, but related. When [using Terraform
-CLI as a frontend for Terraform Cloud](/cli/cloud), you can associate the current working
-directory with one or more remote workspaces. If you associate the
-directory with multiple workspaces (using workspace tags), you can use the
-`terraform workspace` commands to select which remote workspace to use.
+When you [integrate Terraform CLI with Terraform Cloud](/cli/cloud), you can associate the current CLI working directory with one or more remote Terraform Cloud workspaces. Then, use the `terraform workspace` commands to select the remote workspace you want to use for each run.
+
+Refer to [CLI-driven Runs](/cloud-docs/run/cli) in the Terraform Cloud documentation for more details.
+
+
+## Workspace Internals
+
+Workspaces are technically equivalent to renaming your state file. Terraform then includes a set of protections and support for remote state.
+
+Workspaces are also meant to be a shared resource. They are not private, unless you use purely local state and do not commit your state to version control.
+
+For local state, Terraform stores the workspace states in a directory called `terraform.tfstate.d`. This directory should be treated similarly to local-only `terraform.tfstate`. Some teams commit these files to version control, but we recommend using a remote backend instead when there are multiple collaborators.
+
+For [remote state](/language/state/remote), the workspaces are stored directly in the configured [backend](/language/settings/backends). For example, if you use [Consul](/language/settings/backends/consul), the workspaces are stored by appending the workspace name to the state path. To ensure that workspace names are stored correctly and safely in all backends, the name must be valid to use in a URL path segment without escaping.
 
-Refer to [CLI-driven Runs](/cloud-docs/run/cli) in the Terraform Cloud documentation for more details about using Terraform CLI with Terraform Cloud.
+Terraform stores the current workspace name locally in the ignored `.terraform` directory. This allows multiple team members to work on different workspaces concurrently. Workspace names are also attached to associated remote workspaces in Terraform Cloud. For more details about workspace names in Terraform Cloud, refer to the [CLI Integration (recommended)](/cli/cloud/settings#arguments) and [remote backend](/language/settings/backends/remote#workspaces) and  documentation.