The latest articles on Forem by TechOpsBySonali (@techopsbysonali). https://forem.com/techopsbysonali https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3589804%2Fa607c05d-6bd6-4893-9d47-9ffb54b855d5.png https://forem.com/techopsbysonali en TechOpsBySonali Mon, 01 Dec 2025 10:40:33 +0000 https://forem.com/careerbytecode/secrets-safe-3-tier-deployments-fast-terraform-azure-key-vault-complete-hands-on-guide-4ml5 https://forem.com/careerbytecode/secrets-safe-3-tier-deployments-fast-terraform-azure-key-vault-complete-hands-on-guide-4ml5 <p>Deploying the same 3-tier application again and again — dev, test, prod — shouldn’t feel like déjà vu every time.<br> But in many cloud teams, it <em>does</em>.<br> Manual fixes… copy-pasted Terraform… secrets hardcoded inside <code>.tfvars</code>…<br> One small change in dev, not updated in prod…<br> <strong>Boom! Configuration drift, broken deployments, security risks.</strong></p> <p>This hands-on guide shows you exactly how to eliminate all of that using:</p> <p>✅ <strong>Terraform Modular Architecture</strong><br> ✅ <strong>Azure Key Vault for Secure Secrets Management</strong><br> ✅ <strong>Remote State in Azure Storage</strong><br> ✅ <strong>GitHub Actions for Fully Automated CI/CD</strong></p> <p>By the end, you’ll be able to deploy dev, test, and prod environments <strong>identically</strong>, <strong>securely</strong>, and <strong>on autopilot</strong>.</p> <h2> 🔥 1. The Problem: Manual Deployments = Drift + Errors + Chaos </h2> <p>Most teams still deploy environments like this:</p> <ul> <li>Copy old Terraform folder</li> <li>Change a few names</li> <li>Adjust IPs manually</li> <li>Forget a network rule</li> <li>Hardcode passwords “for now” 😅</li> <li>Fix mistakes <em>after</em> something breaks</li> </ul> <p>Result?</p> <p>❌ Inconsistent infra across environments<br> ❌ Security breaches due to exposed secrets<br> ❌ Time wasted troubleshooting<br> ❌ Zero auditability<br> ❌ No single source of truth</p> <p>This hands-on solves exactly this.</p> <h2> 🚀 2. Why This Use Case Matters </h2> <p>Cloud teams today need consistency + speed + security.<br> Manually managing infra no longer works.</p> <p>This use case delivers:</p> <h3> 🧱 <strong>Reusable Terraform Modules</strong> </h3> <p>Resource Group, VNet, Subnet, NSG, VM — once written, reused forever.</p> <h3> 🔐 <strong>Zero Secret Sprawl</strong> </h3> <p>Passwords and sensitive values stored in Azure Key Vault, pulled directly in Terraform.</p> <h3> 🚦 <strong>Environment-driven Deployment</strong> </h3> <p>All differences (dev/test/prod) live in <code>terraform.tfvars</code>.</p> <h3> 🤖 <strong>GitHub Actions = Fully Automated Deployments</strong> </h3> <p>Plan → Validate → Apply → Audit logs — everything automated.</p> <p>This is <strong>production-grade Terraform</strong>, not just a tutorial.</p> <h2> 🕒 3. When You Need This Use Case </h2> <p>You need this setup when:</p> <p>✔️ Deploying multiple environments<br> ✔️ Avoiding inconsistent infra<br> ✔️ Securing all secrets centrally<br> ✔️ Enabling fast onboarding<br> ✔️ Needing auditability and governance<br> ✔️ Running builds from CI/CD pipelines<br> ✔️ Scaling infra to multiple regions</p> <p>This architecture grows as your company grows.</p> <h2> 🛠️ 4. Prerequisites </h2> <ul> <li>Azure Subscription</li> <li>Azure CLI</li> <li>Terraform Installed</li> <li>Git + GitHub</li> <li>Key Vault access</li> <li>Optional: GitHub Actions Service Principal</li> </ul> <p>You’re ready.</p> <h2> 🎯 5. Challenge Questions (Interview-Level) </h2> <p>These make great <strong>DevOps interview</strong> questions too:</p> <ol> <li>How do you avoid copy-paste Terraform for dev/test/prod?</li> <li>How do you secure plaintext secrets in Terraform?</li> <li>How do you stop network drift between environments?</li> <li>How do you enable new developers to deploy infra securely?</li> <li>How do you prove that all environments are deployed from the same code?</li> <li>How do you roll back a Terraform deployment?</li> <li>How do you prevent faulty tfvars from affecting prod?</li> <li>How do you design a module for both Linux &amp; Windows VMs?</li> <li>How do you deploy identical infra to two regions?</li> <li>Why are modules better than plain Terraform scripts?</li> </ol> <h1> 🧑‍💻 6. Complete Hands-On Implementation </h1> <p>Below is the <strong>full real-life end-to-end setup</strong>.</p> <h2> STEP 1️⃣ — Authenticate to Azure &amp; Configure Git </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az login git config <span class="nt">--global</span> user.name <span class="s2">"yourname"</span> git config <span class="nt">--global</span> user.email <span class="s2">"yourmail@example.com"</span> </code></pre> </div> <p>Initialize GitHub repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git init <span class="nb">echo</span> <span class="s2">"# azure-3-tier-architecture"</span> <span class="o">&gt;&gt;</span> README.md git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"first commit"</span> git branch <span class="nt">-M</span> main git remote add origin https://github.com/&lt;yourid&gt;/azure-3-tier-architecture.git git push <span class="nt">-u</span> origin main </code></pre> </div> <h2> STEP 2️⃣ — Create Backend Resources </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">LOCATION</span><span class="o">=</span><span class="s2">"eastus"</span> <span class="nv">RG_NAME</span><span class="o">=</span><span class="s2">"tfstate-rg"</span> <span class="nv">STORAGE_NAME</span><span class="o">=</span><span class="s2">"mytfstate12345"</span> <span class="nv">CONTAINER_NAME</span><span class="o">=</span><span class="s2">"tfstate"</span> <span class="nv">KV_NAME</span><span class="o">=</span><span class="s2">"mykeyvault12345"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az group create <span class="nt">--name</span> <span class="nv">$RG_NAME</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> az storage account create <span class="nt">--name</span> <span class="nv">$STORAGE_NAME</span> <span class="nt">--resource-group</span> <span class="nv">$RG_NAME</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> <span class="nt">--sku</span> Standard_LRS az storage container create <span class="nt">--name</span> <span class="nv">$CONTAINER_NAME</span> <span class="nt">--account-name</span> <span class="nv">$STORAGE_NAME</span> </code></pre> </div> <h2> STEP 3️⃣ — Create Key Vault + Secrets </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az keyvault create <span class="nt">--name</span> <span class="nv">$KV_NAME</span> <span class="nt">--resource-group</span> <span class="nv">$RG_NAME</span> <span class="nt">--location</span> <span class="nv">$LOCATION</span> </code></pre> </div> <h3> Store secrets </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az keyvault secret <span class="nb">set</span> <span class="nt">--vault-name</span> <span class="nv">$KV_NAME</span> <span class="nt">--name</span> <span class="s2">"vm-username"</span> <span class="nt">--value</span> <span class="s2">"learning"</span> az keyvault secret <span class="nb">set</span> <span class="nt">--vault-name</span> <span class="nv">$KV_NAME</span> <span class="nt">--name</span> <span class="s2">"vm-password"</span> <span class="nt">--value</span> <span class="s2">"Redhat@12345"</span> </code></pre> </div> <h2> STEP 4️⃣ — Create GitHub Service Principal </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az ad sp create-for-rbac <span class="nt">--name</span> <span class="s2">"github-spn"</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"Contributor"</span> <span class="nt">--scopes</span><span class="o">=</span><span class="s2">"/subscriptions/&lt;subid&gt;"</span> <span class="nt">--sdk-auth</span> </code></pre> </div> <p>Save JSON output.</p> <p>Grant Key Vault access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az role assignment create <span class="se">\</span> <span class="nt">--assignee</span> &lt;clientId&gt; <span class="se">\</span> <span class="nt">--role</span> <span class="s2">"Key Vault Secrets User"</span> <span class="se">\</span> <span class="nt">--scope</span> <span class="si">$(</span>az keyvault show <span class="nt">--name</span> <span class="nv">$KV_NAME</span> <span class="nt">--query</span> <span class="nb">id</span> <span class="nt">-o</span> tsv<span class="si">)</span> </code></pre> </div> <h2> STEP 5️⃣ — Create Terraform Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform/ ├── backend.tf ├── main.tf ├── variables.tf ├── environments/ │ ├── dev/terraform.tfvars │ ├── test/terraform.tfvars │ └── prod/terraform.tfvars └── modules/ ├── rg/ ├── vnet/ ├── subnet/ ├── nsg/ └── vm/ </code></pre> </div> <h2> STEP 6️⃣ — Add Root Terraform Files </h2> <h3> backend.tf </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"azurerm"</span> <span class="p">{</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="s2">"tfstate-rg"</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="s2">"mytfstate12345"</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="s2">"tfstate"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"3tier/dev.tfstate"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> variables.tf </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"location"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"rg_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vnet_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vm_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h3> main.tf </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"azurerm"</span> <span class="p">{</span> <span class="nx">features</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"rg"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/rg"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">rg_name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vnet"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/vnet"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vnet_name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"subnet"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/subnet"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.vnet_name}-subnet"</span> <span class="nx">vnet_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">nsg_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">nsg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"nsg"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/nsg"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.vnet_name}-nsg"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"azurerm_key_vault"</span> <span class="s2">"kv"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mykeyvault12345"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="s2">"tfstate-rg"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"azurerm_key_vault_secret"</span> <span class="s2">"vm_username"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vm-username"</span> <span class="nx">key_vault_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">kv</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"azurerm_key_vault_secret"</span> <span class="s2">"vm_password"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vm-password"</span> <span class="nx">key_vault_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">kv</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vm"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/vm"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span> <span class="nx">admin_username</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_key_vault_secret</span><span class="p">.</span><span class="nx">vm_username</span><span class="p">.</span><span class="nx">value</span> <span class="nx">admin_password</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_key_vault_secret</span><span class="p">.</span><span class="nx">vm_password</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <h2> STEP 7️⃣ — Environment Variables </h2> <h3> dev </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">rg_name</span> <span class="err">=</span> <span class="s2">"rg-dev"</span> <span class="nx">vnet_name</span> <span class="err">=</span> <span class="s2">"vnet-dev"</span> <span class="nx">vm_name</span> <span class="err">=</span> <span class="s2">"vm-dev"</span> <span class="nx">location</span> <span class="err">=</span> <span class="s2">"eastus"</span> </code></pre> </div> <h2> STEP 8️⃣ — Build Modules </h2> <p>(Example: Resource Group)</p> <p>modules/rg/main.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_resource_group"</span> <span class="s2">"rg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="p">}</span> </code></pre> </div> <p>modules/rg/variables.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"location"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>modules/rg/outputs.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">rg</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p>Repeat similar for vnet, subnet, nsg, vm.</p> <h1> 🎉 Final Output </h1> <p>You now have:</p> <p>✔️ Modular Terraform<br> ✔️ Secure secrets with Key Vault<br> ✔️ Remote state<br> ✔️ Reusable environments<br> ✔️ Ready for GitHub Actions automation</p> <p>This is <strong>true enterprise-grade Infrastructure as Code</strong>.</p> <h2> ⭐ Follow Me for Daily DevOps &amp; Cloud Content </h2> <p>🔵 LinkedIn: <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 🐦 Twitter / X: <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 📸 Instagram: <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 📝 Medium: <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 📚 Dev.to: <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 🌐 Hashnode: techopsbysonali.hashnode.dev<br> 🖋️ Blogger: techopsbysonali.blogspot.com</p> <p>**</p> <p>📲 Join My WhatsApp Communities<br> **<br> 👉 Personalized Guidance: <a href="https://wa.me/7620774352" rel="noopener noreferrer">https://wa.me/7620774352</a><br> 👉 Latest Updates Group: <a href="https://lnkd.in/gVTvmRBa" rel="noopener noreferrer">https://lnkd.in/gVTvmRBa</a><br> 👉 Pune Local Meetup Group: <a href="https://lnkd.in/gQbKaUeX" rel="noopener noreferrer">https://lnkd.in/gQbKaUeX</a></p> devops security azure terraform TechOpsBySonali Sun, 23 Nov 2025 14:13:06 +0000 https://forem.com/careerbytecode/terraform-workspaces-proven-multi-environment-patterns-for-real-world-devops-1nme https://forem.com/careerbytecode/terraform-workspaces-proven-multi-environment-patterns-for-real-world-devops-1nme <p><strong>Managing multiple environments (dev, staging, prod)</strong> is a core requirement for any modern infrastructure setup. Terraform offers several ways to do this — but <strong>Terraform Workspaces</strong> are often misunderstood, overused, or misused.</p> <p>This guide cuts through the noise with <strong>clear, real-world patterns</strong> that developers can safely use in production-grade workflows.</p> <h2> <strong>What Terraform Workspaces Actually Do</strong> </h2> <p>Terraform Workspaces <strong>do NOT</strong>:</p> <p>❌ create separate directories<br> ❌ give you different pipelines<br> ❌ create different backend configurations</p> <p>They ONLY provide:</p> <p>✔ Separate <strong>state files</strong> within the same backend<br> ✔ A way to reference the current workspace via <code>terraform.workspace</code><br> ✔ Simple environment switching from the CLI<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform workspace new dev terraform workspace new prod terraform workspace <span class="k">select </span>dev terraform workspace <span class="k">select </span>prod </code></pre> </div> <p>You can use the workspace name in resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-${terraform.workspace}"</span> <span class="p">}</span> </code></pre> </div> <p>This creates:</p> <ul> <li><code>myapp-dev</code></li> <li><code>myapp-prod</code></li> </ul> <p>That’s all workspaces do — <strong>state separation + naming context</strong>.</p> <h2> <strong>When You Should (and Should NOT) Use Workspaces</strong> </h2> <h3> ✔ <strong>Use Workspaces When…</strong> </h3> <ul> <li>Infra topology is identical across environments</li> <li>Your team has small/medium infrastructure</li> <li>You want simple state isolation</li> <li>You need quick environment testing</li> </ul> <h3> ✘ <strong>Avoid Workspaces When…</strong> </h3> <ul> <li>Environments have <strong>different architectures</strong> </li> <li>You need <strong>different backends</strong> per environment</li> <li>Every environment has its own repo</li> <li>Your CI/CD pipeline cannot safely switch workspaces</li> </ul> <p>When environments diverge significantly →<br> <strong>Use folder-based or repo-based separation instead.</strong></p> <h1> <strong>Multi-Environment Patterns</strong> </h1> <p>Below are practical Terraform patterns used by DevOps teams of all sizes.</p> <h2> <strong>Pattern 1: Simple Workspace-Based Environments</strong> </h2> <p>A clean, minimal approach.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/ main.tf variables.tf outputs.tf </code></pre> </div> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-123456"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">terraform</span><span class="p">.</span><span class="nx">workspace</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform workspace new dev terraform apply <span class="nt">-var</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> terraform workspace new prod terraform apply <span class="nt">-var</span><span class="o">=</span><span class="s2">"region=us-east-1"</span> </code></pre> </div> <p><strong>Good for:</strong><br> ✔ Small projects<br> ✔ Simple infra</p> <p><strong>Limitations:</strong><br> ✘ Doesn’t provide per-env backend security</p> <h2> <strong>Pattern 2: Workspaces + Per-Environment Variable Files</strong> </h2> <p>A scalable improvement over Pattern 1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/ main.tf variables.tf env/ dev.tfvars prod.tfvars </code></pre> </div> <p>Example: <code>env/dev.tfvars</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.micro"</span> </code></pre> </div> <p>CI/CD:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform workspace <span class="k">select </span>dev terraform apply <span class="nt">-var-file</span><span class="o">=</span><span class="s2">"env/dev.tfvars"</span> </code></pre> </div> <p><strong>Benefits:</strong><br> ✔ Separate configs<br> ✔ Same infra topology<br> ✔ Controlled differences</p> <h2> <strong>Pattern 3: Workspaces with Dynamic Backends</strong> </h2> <p>Store state in separate backend keys.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-terraform-states"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"env/${terraform.workspace}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Resulting state files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>env/dev/terraform.tfstate env/prod/terraform.tfstate </code></pre> </div> <p><strong>Pros:</strong><br> ✔ Strong isolation<br> ✔ Good for regulated industries</p> <p><strong>Cons:</strong><br> ✘ Backend configs cannot always use variables<br> ✘ May require partial backend config overrides in CI/CD</p> <h2> <strong>Pattern 4: Hybrid Model — Workspaces + Folder-Based Environments</strong> </h2> <p>Perfect for mid-sized teams.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/ modules/ network/ compute/ env/ dev/ main.tf prod/ main.tf </code></pre> </div> <p>Example: <code>env/dev/main.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../modules/compute"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">terraform</span><span class="p">.</span><span class="nx">workspace</span> <span class="p">}</span> </code></pre> </div> <p>Why teams love this pattern:</p> <p>✔ Versioned modules<br> ✔ Clean environment overrides<br> ✔ Workspace state isolation</p> <h1> <strong>Real-World Scenario Example</strong> </h1> <p>A microservices platform needs:</p> <ul> <li>Same infra topology across environments</li> <li>Different EC2 sizes for dev vs prod </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>env/ dev.tfvars prod.tfvars </code></pre> </div> <p><code>dev.tfvars</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.micro"</span> <span class="nx">enable_monitoring</span> <span class="err">=</span> <span class="kc">false</span> </code></pre> </div> <p><code>prod.tfvars</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"m5.large"</span> <span class="nx">enable_monitoring</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p>CI/CD deploy step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform workspace <span class="k">select </span>prod terraform apply <span class="nt">-var-file</span><span class="o">=</span><span class="nb">env</span>/prod.tfvars <span class="nt">-auto-approve</span> </code></pre> </div> <p>Outcome:</p> <ul> <li>Fully isolated state</li> <li>Clean promotions</li> <li>Parameterized infra</li> </ul> <h1> <strong>Developer Tips</strong> </h1> <p>💡 <strong>Never store secrets in <code>.tfvars</code></strong> → use Vault, SSM, or env variables.</p> <p>💡 Avoid switching workspaces inside long pipelines — risk of deploying to wrong environment.</p> <p>💡 Validate workspace names:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">allowed</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"stage"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">]</span> <span class="nx">is_valid</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">allowed</span><span class="p">,</span> <span class="nx">terraform</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"validate"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_valid</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p>💡 Use workspaces <strong>only when architecture remains consistent</strong>.</p> <h1> <strong>Common Questions Developers Ask</strong> </h1> <h3> <strong>1. Are workspaces the same as Git branches?</strong> </h3> <p>No. Workspaces only isolate terraform <strong>state</strong>, not code.</p> <h3> <strong>2. Should I use workspaces for production?</strong> </h3> <p>✔ Yes — if infra is identical<br> ✘ No — if prod requires unique architecture</p> <h3> <strong>3. Do workspaces isolate backend buckets?</strong> </h3> <p>Only if you configure the backend key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">key</span> <span class="err">=</span> <span class="s2">"env/${terraform.workspace}/terraform.tfstate"</span> </code></pre> </div> <h3> <strong>4. Should each environment have its own workspace or folder?</strong> </h3> <ul> <li>Use <strong>workspaces</strong> → simple infra</li> <li>Use <strong>folders/repos</strong> → complex infra</li> </ul> <h3> <strong>5. Do workspaces prevent mistakes?</strong> </h3> <p>They avoid state overlap but do <strong>not</strong> protect against bad pipelines.</p> <h1> <strong>Related Tools &amp; Ecosystem</strong> </h1> <ul> <li> <strong>Terragrunt</strong> — advanced multi-env orchestration</li> <li> <strong>Atlantis</strong> — Terraform GitOps</li> <li> <strong>Spacelift / Terraform Cloud</strong> — remote runs</li> <li> <strong>tflint / tfsec / Terrascan</strong> — linting &amp; security</li> <li> <strong>Infracost</strong> — cost analysis</li> <li> <strong>Pre-commit Terraform Hooks</strong> — automatic linting</li> </ul> <h1> <strong>Conclusion</strong> </h1> <p>Terraform Workspaces are powerful when used correctly.<br> They shine when your environments:</p> <ul> <li>share the same architecture</li> <li>need simple state isolation</li> <li>require parametrized differences</li> </ul> <p>Use these patterns to structure your environments safely and avoid the common pitfalls most teams fall into.</p> <h1> ⭐ Follow Me for Daily DevOps &amp; Cloud Content </h1> <p>🔵 <strong>LinkedIn:</strong> <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 🐦 <strong>Twitter / X:</strong> <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 📸 <strong>Instagram:</strong> <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 📝 <strong>Medium:</strong> <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 📚 <strong>Dev.to:</strong> <a class="mentioned-user" href="https://dev.to/techopsbysonali">@techopsbysonali</a><br> 🌐 <strong>Hashnode:</strong> techopsbysonali.hashnode.dev<br> 🖋️ <strong>Blogger:</strong> techopsbysonali.blogspot.com</p> <h1> 📲 Join My WhatsApp Communities </h1> <p>👉 Personalized Guidance: <a href="https://wa.me/7620774352" rel="noopener noreferrer">https://wa.me/7620774352</a><br> 👉 Latest Updates Group: <a href="https://lnkd.in/gVTvmRBa" rel="noopener noreferrer">https://lnkd.in/gVTvmRBa</a><br> 👉 Pune Local Meetup Group: <a href="https://lnkd.in/gQbKaUeX" rel="noopener noreferrer">https://lnkd.in/gQbKaUeX</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fec0iep0q19cxemh377gw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fec0iep0q19cxemh377gw.jpg" alt=" " width="800" height="199"></a></p> career cloud devops interview