Terraform Workspaces Do Not Create Security Boundaries

Many Terraform users learn that workspaces separate environments. Fewer learn what workspaces actually separate.

A workspace selects a state file. It does not create new AWS credentials. It does not create new permissions. It does not automatically isolate environments.

In this lesson, we examine how terraform.workspace is commonly used for environment mapping, how lookup tables control configuration scope, and why resource naming and IAM roles remain separate concerns.

The most important takeaway is simple: state boundaries and authorization boundaries are different controls.

Understanding that distinction helps prevent a common operational mistake where teams assume workspace separation provides security isolation.

This lesson explores the mechanisms behind workspace-driven configuration and the controls required to safely operate multiple environments from a single codebase.
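
The following configuration is an added example, not taken from the lesson itself. It shows the three concerns side by side: a lookup table keyed by terraform.workspace, a per-environment IAM role, and workspace-based resource naming. The account IDs, the terraform-deploy role name, the region and the bucket name are constructed placeholders.

```hcl
# Added example; account IDs, role name, region and bucket name are constructed placeholders.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

locals {
  # Lookup table keyed by workspace name. It scopes configuration only.
  environments = {
    dev = {
      account_id    = "111111111111"
      instance_type = "t3.micro"
    }
    prod = {
      account_id    = "222222222222"
      instance_type = "m5.large"
    }
  }

  # Direct indexing fails the plan on an unmapped workspace (for example
  # "default"). lookup(local.environments, terraform.workspace, <fallback>)
  # would silently apply the fallback's settings instead.
  env = local.environments[terraform.workspace]
}

provider "aws" {
  region = "us-east-1"

  # Authorization boundary: a separate role per environment account.
  # Without this block every workspace runs with the same caller credentials.
  assume_role {
    role_arn = "arn:aws:iam::${local.env.account_id}:role/terraform-deploy"
  }

  # Refuse to plan or apply if the resolved credentials belong to another account.
  allowed_account_ids = [local.env.account_id]
}

resource "aws_s3_bucket" "logs" {
  # Naming concern: the workspace name in the bucket name prevents
  # collisions but grants or restricts nothing.
  bucket = "example-logs-${terraform.workspace}"
}
```

The isolation here comes from each role's trust policy and permissions in IAM, which decide who may assume the prod role. Selecting the prod workspace only changes which state file and which map entry are used.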

https://youtu.be/Elf6kcCIRNc