@Phillip Meng I feel like I push Env0 a lot in here, but you might want to check that out. One of the cool things you can do is define your outputs in TF, then make authorized api calls to Env0 to get said outputs. That means there's no need for a middle man between the TF runs and whatever needs to consume them.
I use TF for some really base-level provisioning things that will likely not change much. I use it to set up external-dns, jetstack, Datadog, KEDA, cuda-drivers, Istio, env0 agents, and Harness delegates... basically stuff that services need to hook into, and/or things needed to get CI/CD running.
One of the big (theoretical... 'cause this hasn't happened to me, yet) advantages is that if shit hits the fan, I can get a base-level stack deployed from my local machine that can unblock all the other CI/CD systems I need to run. Whatever choices you make, just keep disaster recovery in mind... you don't want to get into a state where you need an agent on a cluster to be running to execute infra/k8s configuration changes when you might not have any clusters.