The Workspace Anti-Pattern

Terraform workspaces allow multiple named state instances within a single backend using terraform workspace select <n>. While this appears convenient for multi-environment management, it creates hidden coupling risks. A single state file structure across environments means one misconfigured variable can trigger production changes during a dev deployment. The workspace selector becomes a single point of failure, as engineers must remember to switch contexts before every operation.

Directory per environment structures (dev/, staging/, prod/) with separate remote state files in Cloud Storage provide hard boundaries. Remote state storage ensures team members always work with the latest infrastructure snapshot, preventing drift from local state files. Each environment maintains independent state locks, preventing cross-environment contamination. This isolation makes it impossible to accidentally apply staging configuration to production infrastructure.

Module-per-Service Architecture

infrastructure/
├── modules/
│   ├── api-service/
│   ├── data-pipeline/
│   └── frontend-app/
├── environments/
│   ├── dev/
│   │   ├── api-service/
│   │   ├── data-pipeline/
│   │   └── backend.tf (separate state)
│   ├── staging/
│   └── prod/

The module-per-service pattern enables teams to operate independently without stepping on each other. Each service owns its Terraform module and state file. When the API team needs to scale their Cloud Run instances, they don't risk affecting the data engineering team's BigQuery resources. Remote state in Cloud Storage with automatic locking prevents concurrent modifications. If two CI/CD pipelines attempt simultaneous applies, one waits for the lock release.

PR-Based Infrastructure Workflow

Terraform Cloud or Atlantis transforms infrastructure changes into reviewable pull requests. Engineers propose changes, automated plans run showing exact resource modifications, and senior engineers approve before apply. This mirrors code review practices for infrastructure.

State locking during plan generation prevents race conditions. Cloud Storage's native locking mechanism ensures only one Terraform process modifies state at any time. CI/CD pipelines integrate seamlessly. GitHub Actions or CircleCI trigger plans on PR creation, and applies execute only after merge with proper approvals.

Blast Radius Containment

Smaller state files inherently limit mistake scope. A misconfigured module affecting one service doesn't cascade to unrelated infrastructure. Targeted applies using -target=module.api_service provide surgical precision during incident response. You can roll back a problematic change without re-applying the entire environment.

Monolithic state files create all-or-nothing scenarios. Module-per-service granularity means teams can iterate quickly on their services while maintaining stability across the platform. When production issues arise, engineers can scope fixes to specific modules rather than risking broader infrastructure changes.