Wait, aren't CIs built for collaboration?
terraform apply, which introduces actual changes to your infrastructure. As far as your CI system is concerned, running those in parallel is fair game. But what it does to Terraform is nothing short of a disaster - your state is confused and no longer represents any kind of reality. Untangling this mess can take forever.
But you can add manual approval steps
terraform planlocks the state, too. So you can't really run multiple CI jobs in parallel, even if they're only meant to preview changes, because each of them will attempt to lock the state. Yes, you can work around this by explicitly not locking state in CI jobs that you know won't make any state changes, but at this point you've already put so much work into creating a pipeline that's fragile at best and requires you to manually synchronize it.
terraform destroy -auto-approveas an extra CI step? Or printing out those credentials and using them to mine their crypto of choice?
There are better ways to get fired.
But nobody does that!