Best practice when using Terraform Cloud within an AWS Organization using Control Tower

With the AWS guidance to separate environments into separate AWS accounts and the release of AWS Control Tower, which simplifies setting up the multiple accounts with self-provisioning of new accounts through the Service Catalog, I’m attempting to work out the best practice for how to set up and manage my Terraform Cloud workspaces.

I realize this is going to take using IAM roles, as that’s how Control Tower facilitates access to the multiple accounts, and all examples I’ve found are geared around running your Terraform code through a CI/CD process, not utilizing Terraform Cloud. That to me seems like it would be a lot of reinventing the wheel if that ends up being the only course of action to take, but something makes me believe there is another way. Right now the method I have used has been to add the region, access key, and secret key id as environment variables on the workspace with the secret key id marked as sensitive.

I have some of my Terraform IaC in repositories configured for VCS workflow in Terraform Cloud with upwards of a dozen workspaces using the same repository but having different variables. This would be a hassle to have to migrate to a CI/CD pipeline to handle.
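One way to move from per-workspace static keys to role assumption, as an added example that is not from the original post: the workspace keeps credentials only for a central account, and the provider assumes a role in the target account chosen by a per-workspace variable, with a post-condition that refuses to run if the assumed identity lands in the wrong account. The role name `TerraformCloudExecution`, the `external_id` variable and the `target_account_id` variable are assumptions for this example, not anything Control Tower defines.

```hcl
# Added example, not code from the original post. Assumes the Terraform Cloud
# workspace's AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (marked sensitive)
# belong to one central account, and that each target account has a role
# trusting that account. Role name and variables are placeholders.

variable "target_account_id" {
  description = "AWS account this workspace deploys into (set per workspace in Terraform Cloud)"
  type        = string
}

variable "external_id" {
  description = "External ID required by the target role's trust policy (set as a sensitive variable)"
  type        = string
  sensitive   = true
}

variable "region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.region

  # Central-account credentials come from the workspace environment;
  # every API call against the target account goes through this role.
  assume_role {
    role_arn     = "arn:aws:iam::${var.target_account_id}:role/TerraformCloudExecution" # placeholder role name
    session_name = "terraform-cloud"
    external_id  = var.external_id
  }
}

# Guard: fail the plan if the assumed role does not resolve to the intended
# account, so a mis-set workspace variable cannot deploy into the wrong one.
data "aws_caller_identity" "current" {
  lifecycle {
    postcondition {
      condition     = self.account_id == var.target_account_id
      error_message = "Assumed role is in account ${self.account_id}, expected ${var.target_account_id}."
    }
  }
}
```

Each workspace that shares the repository then differs only in `target_account_id` and `external_id`, and rotating the single set of central-account keys covers every workspace at once.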