Ephemeral workspaces
The ephemeral workspace feature allows teams to set a timeout for automatically destroying resources managed by a workspace. The delay is either fixed (a specific day and time) or relative (after a period of inactivity). We recommend that you consider this feature for temporary and development workspaces as a way to decrease cloud waste.
With this feature, once the configured timeout (or inactivity period) is reached, all the resources managed by the workspace are destroyed, but the workspace and its configuration are still available. If the infrastructure is needed again at a later time, the user can simply initiate a Terraform apply operation to recreate the environment.
Please review the official documentation for more details on this capability.
Implementation guidance
Tip
HashiCorp recommends using ephemeral workspaces in lower infrastructure environments, such as development environments or sandboxes. We also recommend that this feature is enabled as part of the workspace provisioning workflow.
Roles and responsibilities
Implementing ephemeral workspaces requires collaboration between several key roles:
- Platform Engineers are responsible for configuring the TTL policies, destroy schedules, and notifications in HCP Terraform. They ensure that environments are efficiently managed and align with best practices for performance, cost, and security. Platform engineers should work closely with other teams to define standards for non-production environments.
- Development and QA Teams consume ephemeral workspaces for tasks such as feature development and testing. Although they don't configure the environments, they need to coordinate with platform engineers to ensure that TTL settings align with their workflows, avoiding destruction during critical work periods.
- Security Teams oversee compliance with security standards, ensuring that workspace destruction processes adhere to policies and that no sensitive data remains after resources are destroyed.
Permissions requirements
The following permissions are involved in setting up ephemeral workspaces:
- Administration permissions on the workspace (workspace-level).
- Project Admin on the project (project-level).
- Manage all projects on the organization (organization-level).
Configuring at scale
While it is possible to set up ephemeral workspaces on an individual workspace level, this is not the recommended approach. Instead you should consider one of the following approaches:
- Provisioning of ephemeral workspaces as code.
- Self-service provisioning of ephemeral workspaces.
Provisioning ephemeral workspaces as code
In this approach, the platform team leverages the Terraform configuration used to configure HCP Terraform or Terraform Enterprise (see the Landing zones section applied to HCP Terraform configuration) to provision workspaces with ephemeral workspace attributes set (see tfe_workspace). The standard pattern for such a workspace can be codified in a Terraform module.
This approach works if the platform team is in charge of the deployment of such workspaces, or if developers are sufficiently knowledgeable about HCP Terraform or Terraform Enterprise to be delegated the task of provisioning ephemeral workspaces in projects they have been granted administrative access to.
Self-service provisioning of ephemeral workspaces
In this approach, the platform team sets up one (or more) projects dedicated to ephemeral workspaces, and a Terraform no-code module that provisions the ephemeral workspace in the dedicated project.
The project’s configuration must set a default timeframe for workspaces to automatically destroy their infrastructure. This can be done using the WebUI or automated using the HCP Terraform API. You should also ensure that the workspaces have the necessary permissions to provision infrastructure, either by using dynamic provider credentials (preferred), IAM roles, or static credentials.
Note
Self-service provisioning can also be implemented using HCP Terraform integration with ServiceNow using a no-code flow (see Terraform ServiceNow Service Catalog Integration Setup Instructions).
Setting up notifications
We recommend that notifications at the workspace level are set up so that development teams are informed of the following events related to ephemeral workspaces:
- Auto-destroy reminder (send a reminder 12 and 24 hours before an auto-destroy run)
- Auto-destroy results (the results of an auto-destroy run)
Please refer to the notification section for more details.
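The module pattern described under "Provisioning ephemeral workspaces as code" and the notification events listed above can be combined in one place. The following is an added example, not HashiCorp's own module: the variable names, the 3-day default, the 14-day cap and the Slack destination are assumptions chosen for illustration.

```hcl
# Added example module. Variable names, defaults and the TTL cap are assumptions.
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe" # use a release that supports the auto-destroy attributes
    }
  }
}

variable "organization" { type = string }
variable "project_id" { type = string } # project dedicated to ephemeral workspaces
variable "name" { type = string }

variable "inactivity_ttl" {
  type        = string
  default     = "3d"
  description = "Destroy managed resources after this period without activity."
  validation {
    # Reject open-ended or very long TTLs so sandboxes cannot silently become long-lived.
    condition     = can(regex("^([1-9]|1[0-4])d$|^[1-9][0-9]?h$", var.inactivity_ttl))
    error_message = "inactivity_ttl must be between 1d and 14d, or between 1h and 99h."
  }
}

variable "webhook_url" {
  type      = string
  sensitive = true # keep the webhook out of plan output and logs
}

resource "tfe_workspace" "ephemeral" {
  name                           = var.name
  organization                   = var.organization
  project_id                     = var.project_id
  auto_destroy_activity_duration = var.inactivity_ttl # relative (inactivity) timeout
}

resource "tfe_notification_configuration" "auto_destroy" {
  name             = "${var.name}-auto-destroy"
  enabled          = true
  destination_type = "slack"
  url              = var.webhook_url
  workspace_id     = tfe_workspace.ephemeral.id
  triggers = [
    "workspace:auto_destroy_reminder",    # reminder ahead of the auto-destroy run
    "workspace:auto_destroy_run_results", # outcome of the auto-destroy run
  ]
}
```

For a fixed destroy time instead of an inactivity period, set `auto_destroy_at` to an RFC 3339 timestamp in place of `auto_destroy_activity_duration`; the two attributes cannot be set together.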