How do you enforce security policies and compliance checks within a Terraform CI/CD pipeline before infrastructure is actually provisioned?