Terraform Workspace State Isolation Audit Prompt
Audit a CLI-workspace setup for accidental cross-workspace coupling — shared resource names, hardcoded values, and missing `terraform.workspace` guards that let one workspace clobber another.
- Target user: Engineers using Terraform workspaces for environment separation
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a Terraform expert who knows the sharp edges of CLI workspaces: they isolate *state* but share *one configuration*, so a single hardcoded bucket name, a missing `terraform.workspace` interpolation, or a shared remote object can let the `dev` workspace destroy or mutate `prod` resources. You audit for exactly that coupling.

I will provide:
- The configuration and the workspaces in use ([WORKSPACES] — e.g. default, dev, staging, prod)
- The backend config and how state is keyed per workspace
- Any resources with globally-unique names (S3 buckets, IAM roles, DNS records, KMS aliases)

Your job:
1. **Find shared physical names** — flag every resource whose name/identifier is the same across all workspaces (a literal `name = "app-data"`), because applying a second workspace will either collide or, worse, adopt the other workspace's real resource.
2. **Check workspace interpolation** — confirm names, prefixes, and tags incorporate `terraform.workspace` (or a per-workspace variable) so each workspace produces distinct physical resources. Show the fix for each one that doesn't.
3. **Audit cross-workspace reads** — inspect any `terraform_remote_state` data source or hardcoded ARN/ID that points a workspace at another workspace's resources, and decide whether that coupling is intentional or a footgun.
4. **Verify backend keying** — confirm the backend actually stores a separate state object per workspace (the `key` includes the workspace, or the backend supports workspace prefixes) so two workspaces can't write the same state file.
5. **Flag default-workspace traps** — call out reliance on the `default` workspace and any code path that behaves differently (or dangerously) when `terraform.workspace == "default"`.
Output as: (a) the list of shared/hardcoded names with the exact line and the per-workspace fix, (b) the missing `terraform.workspace` interpolations, (c) the cross-workspace reads classified intentional vs accidental, (d) the backend-keying verification, (e) a prioritized remediation order (most-dangerous coupling first). Validate each fix by running `plan` in a non-prod workspace and confirming it would not touch another workspace's real resources before applying anything.
Why this prompt works
CLI workspaces are sold as a lightweight way to separate environments, and that framing causes the exact bug this prompt hunts: people assume workspaces isolate everything, when in fact they isolate only the state file. The configuration is shared across every workspace, so a single literal `name = "app-data"` means `dev` and `prod` both try to manage the same physical resource. The prompt is organized around finding that coupling, because it is invisible in a quick read and catastrophic on the first cross-workspace apply.
The audit checks map directly to the failure modes. Shared physical names cause collisions or, more insidiously, silent adoption of another environment's resource. Missing `terraform.workspace` interpolation is the root cause, so the prompt demands the fix wherever names, prefixes, and tags don't vary by workspace. Cross-workspace reads via `terraform_remote_state` get classified as intentional or accidental rather than assumed benign, and backend keying is verified so two workspaces can't even share a state object. The default-workspace trap is called out specifically because so many configs have a code path that only misbehaves there.
The guardrails acknowledge that the fix itself is risky: adding a `terraform.workspace` prefix renames the resource, which can force replacement of something stateful. So the prompt asks for a prioritized remediation order and insists every change be proven against a non-prod plan before applying, with `moved` blocks or `import` where recreation is unacceptable. That keeps it AI-drafts-human-verifies — the model locates the coupling and proposes fixes, the engineer confirms each plan stays inside its own workspace.
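As an added illustration (not part of the prompt page), the following HCL shows the shared-name finding from check 1 beside the per-workspace fix from checks 2 to 5: workspace-derived names and tags, a default-workspace guard, an in-workspace `terraform_remote_state` read, and an S3 backend whose workspace keying is spelled out. It assumes Terraform 1.2+ (for `precondition`) and the AWS provider; bucket and state-file names are constructed placeholders.

```hcl
# Added example (not from the page); bucket/state names are constructed placeholders.
terraform {
  backend "s3" {
    bucket = "example-tfstate"   # constructed
    key    = "app/terraform.tfstate"
    region = "us-east-1"
    # The s3 backend keys non-default workspaces itself:
    #   default -> app/terraform.tfstate
    #   dev     -> env:/dev/app/terraform.tfstate
    # so no two workspaces write the same state object.
  }
}

# BEFORE (audit finding): one literal name for every workspace, so applying
# from `dev` manages the same physical bucket that `prod` owns.
#   resource "aws_s3_bucket" "data" {
#     bucket = "app-data"
#   }

locals {
  env         = terraform.workspace
  name_prefix = "app-${local.env}"   # app-dev, app-prod, ...
  common_tags = { Environment = local.env, ManagedBy = "terraform" }
}

# AFTER: every physical name and tag derives from the workspace.
resource "aws_s3_bucket" "data" {
  bucket = "${local.name_prefix}-data"
  tags   = local.common_tags
  lifecycle {
    # Default-workspace guard: plan fails before anything is created
    # unless an environment workspace has been selected.
    precondition {
      condition     = terraform.workspace != "default"
      error_message = "Select an environment workspace (dev/staging/prod)."
    }
  }
}

# Cross-workspace read kept in-workspace: read the same workspace's network
# state instead of a hardcoded `workspace = "prod"`.
data "terraform_remote_state" "network" {
  backend   = "s3"
  workspace = terraform.workspace
  config = {
    bucket = "example-tfstate"   # constructed
    key    = "network/terraform.tfstate"
    region = "us-east-1"
  }
}
```

Running `terraform plan` in each non-prod workspace after this change shows whether the rename forces replacement of the bucket, which is the point at which `import` of the existing resource is the safer path.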