by jitl
501 days ago
We do what you advise against at Notion and it seems to work great for our org of ~100s of developers (although a smaller fraction need to edit Terraform regularly). We use a CLI command `notion aws-sso-login` that logs us into our main user account and adds a profile per delegated app-environment pair account you can access (like app-dev/collections-infra, app-prod/collections-infra) to the AWS CLI config file. This ensures at least the standard list of profiles is present on everyone’s machine whenever they have valid credentials. I have yet to hear anyone complain about this config file meddling. Then in our Terraform directories, we use direnv to set the AWS_PROFILE environment variable to the appropriate profile to manage that stack. You can always override if you need to use a different profile for some reason.
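A sketch of the pattern described in the comment above, added here as an illustration; it is not Notion's `notion aws-sso-login` tool or code from the commenter. The function names are hypothetical, the start URL, region, account IDs and role name are constructed placeholders, and it assumes the profile names from the comment are used literally.

```shell
# Added illustration: idempotently provision AWS CLI SSO profiles and pin a
# Terraform stack directory to one of them with direnv.
SSO_START_URL="https://example.awsapps.com/start"   # constructed placeholder
SSO_REGION="us-east-1"                              # constructed placeholder

# ensure_profile NAME ACCOUNT_ID ROLE
# Appends a profile section only if one with that exact name is absent, so
# running it on every login never duplicates or overwrites existing entries.
ensure_profile() {
  _cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  mkdir -p "$(dirname "$_cfg")"
  touch "$_cfg"
  chmod 600 "$_cfg"   # keep the config readable by the owner only
  if grep -qxF "[profile $1]" "$_cfg"; then
    return 0
  fi
  cat >>"$_cfg" <<EOF

[profile $1]
sso_start_url = $SSO_START_URL
sso_region = $SSO_REGION
sso_account_id = $2
sso_role_name = $3
EOF
}

# write_envrc DIR PROFILE
# Writes the .envrc that direnv loads on entering DIR (after `direnv allow`),
# so Terraform run there uses PROFILE unless AWS_PROFILE is overridden by hand.
write_envrc() {
  printf 'export AWS_PROFILE="%s"\n' "$2" > "$1/.envrc"
}

# profile_count: number of profile sections currently in the config file.
profile_count() {
  grep -c '^\[profile ' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
}
```

Because the profiles hold only SSO pointers (start URL, account, role) and no long-lived keys, the file is safe to regenerate on each login; the short-lived credentials themselves live in the AWS CLI's SSO cache.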