How do you implement Terraform in a CI/CD pipeline safely?
Running Terraform in CI/CD requires careful guardrails:
- PR triggers plan: On every pull request, run terraform plan and post the output as a PR comment (using tools like Atlantis or terraform-pr-commenter).
- Merge triggers apply: Only apply after the PR is merged to main. Require manual approval for production.
- State locking: Ensure DynamoDB locking is configured to prevent concurrent applies.
- OIDC credentials: Use OIDC to get short-lived tokens from AWS instead of storing long-lived access keys.
- Plan artifacts: Save the plan file and apply that exact file — never re-plan at apply time.
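A GitHub Actions workflow that wires these guardrails together, added here as an illustration rather than taken from any project: the role ARN, region and environment name are assumptions, the S3/DynamoDB backend is configured in the Terraform backend block (not shown), and the PR-comment step is left to Atlantis or a commenter action.

```yaml
name: terraform
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token for AWS; no stored access keys
  contents: read

env:
  TF_IN_AUTOMATION: "true"
  AWS_REGION: us-east-1                                      # assumption
  TF_ROLE_ARN: arn:aws:iam::123456789012:role/terraform-ci   # placeholder role ARN

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4   # OIDC -> short-lived STS credentials
        with:
          role-to-assume: ${{ env.TF_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - run: terraform init -input=false   # backend block supplies the S3 bucket + DynamoDB lock table
      - run: terraform plan -input=false -out=tfplan
      - uses: actions/upload-artifact@v4   # keep the exact plan; it is keyed to the commit SHA
        with:
          name: tfplan-${{ github.sha }}
          path: tfplan

  apply:
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'   # only after merge to main
    runs-on: ubuntu-latest
    environment: production   # required reviewers on this environment give the manual approval gate
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.TF_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - uses: actions/download-artifact@v4   # fetch the plan produced for this same commit
        with:
          name: tfplan-${{ github.sha }}
      - run: terraform init -input=false
      - run: terraform apply -input=false tfplan   # apply the saved file; no re-plan here
```

The saved plan file can contain sensitive values from state, so restrict who can read workflow artifacts and keep their retention short.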