I want an engineer to only use Terraform to provision the infrastructure in AWS, and to verify that provisioning was successful he/she should have read-only access in the AWS console, so that the engineer should not inadvertently make changes to resources in the console.
What are the possible ways to achieve this?
Give your users read-only access to the console, and use IAM policies to allow only specific EC2 instances appropriate access to provision infrastructure, and enforce all of your Terraform to be executed from those EC2 instances.
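One way to express the split described in this answer in Terraform itself (added example, not code from the original answer; the group name `engineers`, the role name `terraform-runner` and the choice of AWS managed policies are assumptions, and the instance profile is meant to be attached to the EC2 instance that runs Terraform):

```hcl
# Added example: engineers read the console, only the runner role can provision.
# Names ("engineers", "terraform-runner") and the managed policies are assumptions.
# 1. Engineers get console access that can only read.
resource "aws_iam_group" "engineers" {
  name = "engineers"
}
resource "aws_iam_group_policy_attachment" "engineers_readonly" {
  group      = aws_iam_group.engineers.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
# 2. Only EC2 instances carrying this instance profile can assume the provisioning role.
data "aws_iam_policy_document" "runner_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "terraform_runner" {
  name               = "terraform-runner"
  assume_role_policy = data.aws_iam_policy_document.runner_trust.json
}
# Provisioning permissions live on the role, never on the human users.
# PowerUserAccess is a placeholder; scope it down to what your stacks actually need.
resource "aws_iam_role_policy_attachment" "runner_provision" {
  role       = aws_iam_role.terraform_runner.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
resource "aws_iam_instance_profile" "terraform_runner" {
  name = "terraform-runner"
  role = aws_iam_role.terraform_runner.name
}
# 3. Guardrail: explicitly deny engineers iam:PassRole on the runner role, so a
# later, broader grant to the group cannot let them hand its permissions to an
# instance they launch. ReadOnlyAccess does not allow PassRole today; this is
# defense in depth.
data "aws_iam_policy_document" "deny_passrole" {
  statement {
    effect    = "Deny"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.terraform_runner.arn]
  }
}
resource "aws_iam_group_policy" "engineers_deny_passrole" {
  name   = "deny-pass-terraform-runner"
  group  = aws_iam_group.engineers.name
  policy = data.aws_iam_policy_document.deny_passrole.json
}
```

Attach `aws_iam_instance_profile.terraform_runner` to the runner instance via its `iam_instance_profile` argument; engineers then apply plans only from that host, and the console shows them the result without letting them change it.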