ansible-collections · shvenkat-rh · Jun 26, 2025 · Jun 26, 2025 · Jun 26, 2025 · Jun 27, 2025
diff --git a/changelogs/fragments/20250627-modules-terraform-update-workspace-logic.yml b/changelogs/fragments/20250627-modules-terraform-update-workspace-logic.yml
@@ -0,0 +1,4 @@
+---
+bugfixes:
+  - modules/terraform - Updated Workspace Logic for TFC/TFE and CLI
+    (https://github.com/ansible-collections/cloud.terraform/pull/197)
diff --git a/docs/cloud.terraform.terraform_module.rst b/docs/cloud.terraform.terraform_module.rst
@@ -523,7 +523,18 @@ Examples
               thin_provisioned: true
               unit_number: 3
         force_init: true
+    - name: Using workspace from playbook for Terraform Cloud/Enterprise
+      cloud.terraform.terraform:
+        project_path: '{{ project_dir }}'
+        state: present
+        workspace: 'my_workspace' # workspace must match and exist in Terraform cloud configuration.
 
+    - name: Auto-detect workspace from Terraform cloud configuration for Terraform Cloud/Enterprise
+      cloud.terraform.terraform:
+        project_path: '{{ project_dir }}'
+        state: present
+        # workspace parameter omitted - will be auto-detected from .tf files
+
     ### Example directory structure for plugin_paths example
     # $ tree /path/to/plugins_dir_1
     # /path/to/plugins_dir_1/

diff --git a/plugins/modules/terraform.py b/plugins/modules/terraform.py
@@ -49,7 +49,10 @@
     version_added: 1.0.0
   workspace:
     description:
-      - The terraform workspace to work with.
+      - If specified, this workspace will be used for all operations, provided it matches the workspace  defined in the Terraform Cloud configuration.
+      - If the specified workspace does not match the one in the Terraform Cloud configuration, an error will be raised.
+      - If not specified, the module will attempt to determine the workspace from the Terraform Cloud configuration.
+      - If no workspace is specified in both the playbook and the Terraform Cloud configuration, the module will default to using the Terraform CLI mode.
     type: str
     default: default
     version_added: 1.0.0
@@ -240,6 +243,18 @@
           unit_number: 3
     force_init: true
 
+- name: Using workspace from playbook for Terraform Cloud/Enterprise
+  cloud.terraform.terraform:
+    project_path: '{{ project_dir }}'
+    state: present
+    workspace: 'my_workspace' # workspace must match and exist in Terraform cloud configuration.
+
+- name: Auto-detect workspace from Terraform cloud configuration for Terraform Cloud/Enterprise
+  cloud.terraform.terraform:
+    project_path: '{{ project_dir }}'
+    state: present
+    # workspace parameter omitted - will be auto-detected from .tf files
+
 ### Example directory structure for plugin_paths example
 # $ tree /path/to/plugins_dir_1
 # /path/to/plugins_dir_1/
@@ -521,6 +536,7 @@ def main() -> None:
 
         try:
             workspace_ctx = terraform.workspace_list()
+            workspace_ctx.all.append("default")
         except TerraformWarning as e:
             module.warn(e.message)
             workspace_ctx = TerraformWorkspaceContext(current="default", all=[])
@@ -529,6 +545,8 @@ def main() -> None:
             if workspace not in workspace_ctx.all:
                 terraform.workspace(WorkspaceCommand.NEW, workspace)
             else:
+                if workspace_ctx.current != "default":
+                    workspace = workspace_ctx.current
                 terraform.workspace(WorkspaceCommand.SELECT, workspace)
 
         variables_args = []

diff --git a/tests/integration/targets/tfc_test/aliases b/tests/integration/targets/tfc_test/aliases
@@ -0,0 +1,2 @@
+disabled # Require a HCP configuration account
+cloud/aws
diff --git a/tests/integration/targets/tfc_test/files/main.tf.j2 b/tests/integration/targets/tfc_test/files/main.tf.j2
@@ -0,0 +1,40 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.16"
+    }
+  }
+  required_version = ">= 1.10.0"
+  cloud {
+    organization = "{{ tfc_organization }}"
+    hostname     = "app.terraform.io"
+    token = "{{ hcp_token }}"
+    workspaces {
+      name = "{{ tfc_workspace }}"
+    }
+  }
+}
+
+provider "aws" {
+  region     = "{{ aws_region }}"
+  {% if aws_access_key and aws_secret_key %}
+  access_key = "{{ aws_access_key }}"
+  secret_key = "{{ aws_secret_key }}"
+  {% else %}
+  # Uses environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+  {% endif %}
+}
+
+resource "aws_instance" "app_server_tf" {
+  ami           = "{{ ami_id }}"
+  instance_type = "t2.micro"
+
+  tags = {
+    Name = "Instance_Cloud_TF"
+  }
+}
+
+output "my_output" {
+  value = aws_instance.app_server_tf
+}
diff --git a/tests/integration/targets/tfc_test/tasks/main.yml b/tests/integration/targets/tfc_test/tasks/main.yml
@@ -0,0 +1,137 @@
+- name: Render and test Terraform with AWS
+  hosts: localhost
+  gather_facts: false
+  vars_files:
+    - ../vars/main.yml
+
+  tasks:
+    - block:
+        - name: Set test path
+          set_fact:
+            test_basedir: "{{ test_basedir | default(output_dir) }}"
+            resource_id: "vpc"
+
+        - name: Render Terraform template
+          ansible.builtin.template:
+            src: ../files/main.tf.j2
+            dest: "{{ test_basedir }}/main.tf"
+
+        - name: Terraform in check mode
+          cloud.terraform.terraform:
+            project_path: "{{ test_basedir }}"
+            state: present
+            workspace: "{{ tfc_workspace }}"
+            force_init: true
+          check_mode: true
+          register: terraform_result
+
+        - name: Check instance doesn't exist
+          amazon.aws.ec2_instance_info:
+            region: "{{ aws_region }}"
+            filters:
+              "tag:Name": Instance_Cloud_TF
+              "instance-state-name": running
+          register: instance_info
+
+        - assert:
+            that:
+              - instance_info.instances | length == 0
+            fail_msg: "Instance_Cloud_TF should not exist in check mode"
+
+        - name: Deploy Terraform
+          cloud.terraform.terraform:
+            project_path: "{{ test_basedir }}"
+            state: present
+            force_init: true
+            workspace: "{{ tfc_workspace }}"
+          register: terraform_result1
+
+        - name: Check instance exists after deploy
+          amazon.aws.ec2_instance_info:
+            region: "{{ aws_region }}"
+            filters:
+              "tag:Name": Instance_Cloud_TF
+              "instance-state-name": running
+          register: instance_info2
+
+        - assert:
+            that:
+              - instance_info2.instances | length == 1
+            fail_msg: "Instance_Cloud_TF should exist after deployment"
+
+        - name: Destroy Terraform
+          cloud.terraform.terraform:
+            project_path: "{{ test_basedir }}"
+            state: absent
+            force_init: true
+            workspace: "{{ tfc_workspace }}"
+          register: terraform_result3
+
+        - name: Verify destruction
+          amazon.aws.ec2_instance_info:
+            region: "{{ aws_region }}"
+            filters:
+              "tag:Name": Instance_Cloud_TF
+              "instance-state-name": running
+          register: instance_info3
+
+        - assert:
+            that:
+              - instance_info3.instances | length == 0
+            fail_msg: "Instance_Cloud_TF should be destroyed"
+
+        - name: Deploy using default workspace from .tf
+          cloud.terraform.terraform:
+            project_path: "{{ test_basedir }}"
+            state: present
+            force_init: true
+          register: terraform_result4
+
+        - name: Check instance exists after deploy
+          amazon.aws.ec2_instance_info:
+            region: "{{ aws_region }}"
+            filters:
+              "tag:Name": Instance_Cloud_TF
+              "instance-state-name": running
+          register: instance_info4
+
+        - assert:
+            that:
+              - instance_info4.instances | length == 1
+            fail_msg: "Instance_Cloud_TF should exist after deployment"
+
+        - name: Destroy again
+          cloud.terraform.terraform:
+            project_path: "{{ test_basedir }}"
+            state: absent
+            force_init: true
+          register: terraform_result4_destroy
+
+        - name: Confirm instance is destroyed
+          amazon.aws.ec2_instance_info:
+            region: "{{ aws_region }}"
+            filters:
+              "tag:Name": Instance_Cloud_TF
+              "instance-state-name": running
+          register: instance_info4_post_destroy
+
+        - assert:
+            that:
+              - instance_info4_post_destroy.instances | length == 0
+            fail_msg: "Instance_Cloud_TF should be destroyed"
+
+        - name: Deploy with mismatched workspace
+          cloud.terraform.terraform:
+            project_path: "{{ test_basedir }}"
+            state: present
+            workspace: "nonexistent_workspace"
+            force_init: true
+          register: terraform_negative_test
+          failed_when: false
+
+        - name: Expect failure due to invalid workspace
+          assert:
+            that:
+              - "workspaces not supported"
+            success_msg: "Terraform failed as expected for invalid workspace"
+            fail_msg: "Terraform unexpectedly succeeded for invalid workspace"
diff --git a/tests/integration/targets/tfc_test/vars/main.yml b/tests/integration/targets/tfc_test/vars/main.yml
@@ -0,0 +1,8 @@
+---
+tfc_organization: "Ansible-BU-TFC"
+tfc_workspace: "my_tf_project_default"
+aws_region: "us-west-2"
+aws_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}"
+aws_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') }}"
+ami_id: "ami-830c94e3"
+hcp_token: "{{ lookup('env', 'HCP_TOKEN') }}"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		disabled # Require a HCP configuration account
		cloud/aws