An API key with ORGREADONLY should be sufficient to run a terraform plan. Afterall its describe is "Provides read-only access to the settings, users, projects, and billing in the organization.")
However, this is not the case: checking settings for "Cloud Provider Access" [1] and "Encrypting at Rest" [2] fail due to mission permission. Read-write project permissions like GROUP_OWNER on each project are required.

[1] https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Cloud-Provider-Access/operation/listCloudProviderAccessRoles
[2] https://www.mongodb.com/docs/atlas/reference/api-resources-spec/#tag/Encryption-at-Rest-using-Customer-Key-Management/operation/getEncryptionAtRest