Why does 'terraform workspace new' fail with 'Error: No such workspace' even when I'm trying to create it?

This usually means your backend configuration itself is invalid — wrong organization name, incorrect S3 bucket, bad key prefix, or a mismatched `TF_WORKSPACE` environment variable that is overriding your CLI command. Terraform can't create a workspace in a backend it can't authenticate to or locate. Run `terraform init -reconfigure` first, verify your backend block credentials, then retry `terraform workspace new `.

How do I list all existing workspaces in a Terraform remote backend?

Run `terraform workspace list` after a successful `terraform init`. For Terraform Cloud, you can also query the API: `curl -H 'Authorization: Bearer $TF_TOKEN' https://app.terraform.io/api/v2/organizations/ /workspaces`. For S3 backends, workspaces are stored as subdirectories under the `env:/` prefix in your state bucket — list them with `aws s3 ls s3:// /env:/`.

What is the safest way to handle Terraform workspaces in a CI/CD pipeline to prevent this error?

Use an idempotent pre-flight step: `terraform workspace select 2>/dev/null || terraform workspace new `. This attempts to select an existing workspace and only creates it if the select fails. Combine this with sanitized workspace name construction (lowercase, replace `/` with `-`, enforce max 64 chars) to prevent naming mismatches caused by branch names. Never rely on a hardcoded workspace name in your backend block for multi-environment pipelines.

Fixing Terraform 'Error: No Such Workspace' on Remote Backend Workspace Discovery

Threat/Impact Level: HIGH | Exploitability/Downtime Risk: HIGH | Time to Fix: 10 mins

TL;DR

What broke: The workspace name referenced in your terraform workspace new or terraform workspace select command does not exist in the configured remote backend — Terraform Cloud, S3, GCS, or Azure Blob has no state file or workspace record matching that name.
How to fix it: Create the workspace in the remote backend first (via Terraform Cloud UI/API, or by correcting the workspace block in backend {}) before running CLI commands against it.
Action: Use our Client-Side Sandbox below to auto-refactor this — paste your backend {} block and the failing command, and get the corrected config and CLI sequence instantly.

The Incident (What Does the Error Mean?)

Raw error output you'll see in the terminal:

$ terraform workspace new staging
Error: No such workspace

The workspace "staging" does not exist.

To create this workspace, run:
  terraform workspace new staging

Or, when using a cloud {} block or remote backend with a specific workspace prefix:

$ terraform init
╷
│ Error: No such workspace: app-staging
│
│ The configured workspace ("app-staging") does not exist in the
│ remote backend. To create it, run:
│   terraform workspace new app-staging
│
│ Or select an existing workspace with:
│   terraform workspace select <name>
╵

Immediate consequence: Every terraform plan, terraform apply, and terraform init is dead in the water. No state can be read or written. If this fires in a CI/CD pipeline mid-deployment, your pipeline exits non-zero and any in-flight infrastructure changes are left in an unknown state — no rollback, no forward progress.

The Attack Vector / Blast Radius

This isn't just a developer inconvenience. The blast radius is significant:

1. State Lock Orphaning. If a terraform apply partially initializes before hitting this error, the DynamoDB lock table (for S3 backends) or the Terraform Cloud run lock can be left in a locked state. Every subsequent run fails with Error acquiring the state lock until manually force-unlocked — a second outage on top of the first.

2. Workspace Naming Drift in Multi-Environment Pipelines. When workspace names are dynamically constructed from CI variables (e.g., TF_WORKSPACE=app-${BRANCH_NAME}), a branch rename, a typo, or a missing prefix in the backend {} block causes the constructed name to never match what exists in the remote. This silently breaks every feature branch deployment.

3. Terraform Cloud Organization/Project Mismatch. If the organization or workspaces { name = ... } values in the cloud {} block point to a non-existent Terraform Cloud organization or project, the error surfaces identically but the fix path is completely different — and teams waste 30+ minutes debugging the wrong layer.

4. S3 Backend Key Prefix Collisions. With S3 backends, Terraform derives workspace state paths from a key prefix. If the workspace was never terraform workspace new'd, the S3 object literally does not exist. Any automation assuming the state file is present (e.g., terraform_remote_state data sources in downstream stacks) will fail with a null state read — silently corrupting dependent resource lookups.

How to Fix It (The Solution)

Root Cause Checklist — Run These First

List existing workspaces: terraform workspace list — confirm what actually exists in the backend.
Check your backend config: Is organization, hostname, bucket, or prefix correct for the target environment?
Check TF_WORKSPACE env var: An incorrectly set env var overrides the CLI and silently selects a non-existent workspace.

Basic Fix — Terraform Cloud (`cloud {}` block)

# main.tf
 terraform {
-  cloud {
-    organization = "my-org"
-    workspaces {
-      name = "app-producton"  # typo: 'producton' never existed
-    }
-  }
+  cloud {
+    organization = "my-org"
+    workspaces {
+      name = "app-production"  # corrected name matching TFC workspace
+    }
+  }
 }

Then run the correct sequence:

# Step 1: Re-initialize with corrected backend config
terraform init -reconfigure

# Step 2: Create the workspace if it genuinely doesn't exist yet
terraform workspace new app-production

# Step 3: Verify
terraform workspace show

Basic Fix — S3 Remote Backend

# backend.tf
 terraform {
   backend "s3" {
     bucket         = "my-tfstate-bucket"
-    key            = "envs/stagng/terraform.tfstate"  # typo in prefix
+    key            = "envs/staging/terraform.tfstate"  # corrected key path
     region         = "us-east-1"
     dynamodb_table = "terraform-lock"
     encrypt        = true
   }
 }

After correcting the key, initialize and create the workspace:

terraform init -reconfigure
terraform workspace new staging
terraform workspace select staging

Enterprise Best Practice — Dynamic Workspace Discovery with Prefix Strategy

Hardcoding workspace names is the root cause of this error in 80% of CI pipelines. Use the prefix strategy with validation:

# backend.tf — Terraform Cloud
 terraform {
   cloud {
     organization = "my-org"
-    workspaces {
-      name = "app-production"  # hardcoded, breaks on every new env
-    }
+    workspaces {
+      tags = ["app", "managed-by-terraform"]  # discover by tag, not hardcoded name
+    }
   }
 }

# ci-pipeline.yml (GitHub Actions example)
 - name: Terraform Init
   run: |
-    export TF_WORKSPACE="app-${{ github.ref_name }}"  # raw branch name, unsafe
+    SAFE_WS=$(echo "app-${{ github.ref_name }}" | tr '/' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-64)
+    export TF_WORKSPACE="$SAFE_WS"
+    # Pre-create workspace if missing, idempotent
+    terraform workspace select "$SAFE_WS" 2>/dev/null || terraform workspace new "$SAFE_WS"
     terraform init

For S3 backends, enforce workspace existence as a pre-flight check:

# scripts/preflight.sh
+#!/bin/bash
+set -euo pipefail
+WORKSPACE=${TF_WORKSPACE:-default}
+EXISTING=$(terraform workspace list | tr -d '* ' | tr -d ' ')
+if ! echo "$EXISTING" | grep -qx "$WORKSPACE"; then
+  echo "[PREFLIGHT] Workspace '$WORKSPACE' not found. Creating..."
+  terraform workspace new "$WORKSPACE"
+fi
+echo "[PREFLIGHT] Workspace '$WORKSPACE' confirmed."

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

1. Checkov — Catch Backend Misconfigs Pre-Commit

# Install and run against your Terraform directory
pip install checkov
checkov -d . --check CKV_TF_1  # Enforces remote backend is configured

2. OPA Policy — Enforce Workspace Naming Conventions

# policies/workspace_naming.rego
package terraform.workspace

deny[msg] {
  ws := input.workspace_name
  not regex.match("^(app|infra|data)-(production|staging|dev)(-[a-z0-9]+)?$", ws)
  msg := sprintf("Workspace name '%v' violates naming convention. Must match pattern: <team>-<env>[-<suffix>]", [ws])
}

3. `terraform validate` + Workspace Pre-flight in Pipeline

# .github/workflows/terraform.yml
jobs:
  terraform:
    steps:
      - name: Terraform Format Check
        run: terraform fmt -check -recursive

      - name: Terraform Validate
        run: terraform validate

      - name: Workspace Pre-flight
        run: bash scripts/preflight.sh

      - name: Terraform Plan
        run: terraform plan -out=tfplan

4. Atlantis — Workspace Enforcement via `atlantis.yaml`

# atlantis.yaml
version: 3
projects:
  - name: app-production
    dir: ./infra
    workspace: app-production
    terraform_version: v1.7.0
    autoplan:
      when_modified: ["**/*.tf", "**/*.tfvars"]
      enabled: true

Atlantis will fail the PR check if the workspace doesn't exist in the backend before any plan is attempted — catching this error before it ever reaches a human.