From a168c8f3dfb93fa2d1e1a87bf85d9e67e52431ab Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Mon, 8 Dec 2025 17:20:11 +0800
Subject: [PATCH] Refine bootstrap workflow scope and retention

---
 ...ard-iac-pipeline-aws-global-bootstrap.yaml | 34 +++++++++++++++++++
 .../aws-cloud/README.md | 1 +
 2 files changed, 35 insertions(+)

diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
index ad7470f2..6f976a3b 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-bootstrap.yaml
@@ -1,5 +1,9 @@
 name: Terraform Standard - AWS Account Bootstrap
+concurrency:
+ group: terraform-bootstrap-${{ github.ref }}
+ cancel-in-progress: false
+
 on:
 push:
 paths:
@@ -31,10 +35,28 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - name: Document Bootstrap Scope
+ run: |
+ cat <<'SUMMARY' >> "$GITHUB_STEP_SUMMARY"
+ ## Bootstrap scope
+ - IAM: create Terraform deploy role and automation user for DevOps
+ - S3: create remote state bucket (versioned + SSE)
+ - DynamoDB: create state lock table for Terraform CRUD workflows
+
+ This workflow is designed to be re-runnable for create/update/destroy by restoring and uploading module state.
+ SUMMARY
+
 - uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: 1.9.5
+ - name: Restore Terraform state
+ uses: actions/download-artifact@v4
+ continue-on-error: true
+ with:
+ name: tfstate-${{ matrix.target }}
+ path: ${{ env.TF_WORKDIR }}/${{ matrix.target }}
+
 - name: AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
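Review bot: The concurrency group `terraform-bootstrap-${{ github.ref }}` only serializes runs on the same ref, while the state artifacts the job later restores and saves are named `tfstate-${{ matrix.target }}` with no ref in the name, so pushes on two refs can run against the same AWS account at the same time and overwrite each other's state artifact. During bootstrap there is no Terraform lock to fall back on either, since the DynamoDB lock table is one of the things being created. If one account is only ever bootstrapped from one branch, a comment above `concurrency:` stating that would make the assumption explicit; otherwise a single group such as `group: terraform-bootstrap` (or the ref included in the artifact name) closes the race.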
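Review bot: The `Restore Terraform state` step does not restore anything from a previous run as written: `actions/download-artifact@v4` only downloads artifacts of the current workflow run unless `run-id` and a `github-token` are supplied, and `continue-on-error: true` turns the resulting miss into a silent success, so every run begins with empty state and a later update or destroy will try to recreate the existing role, bucket and table or find nothing to destroy. Pass the id of the last successful run to the step, or read the state from a durable location, and limit `continue-on-error: true` to the first-run case instead of every action. Separately, a state file records every resource attribute in clear text, which for the automation user this module creates may include credentials (not visible in this hunk), and a workflow artifact is readable by anyone with read access to the repository, so the `tfstate-*` artifact is a weaker home for this state than the versioned, encrypted bucket the module builds — a comment on the step acknowledging that limitation would help the next maintainer. `TF_WORKDIR` is defined outside this hunk.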
@@ -71,6 +93,18 @@ jobs:
 with:
 name: outputs-${{ matrix.target }}
 path: iac-template/terraform-hcl-standard/aws-cloud/outputs_${{ matrix.target }}.json
+ retention-days: 30
+
+ - name: Save Terraform state
+ if: env.DEPLOY_ACTION != 'plan'
+ uses: actions/upload-artifact@v4
+ with:
+ name: tfstate-${{ matrix.target }}
+ path: |
+ ${{ env.TF_WORKDIR }}/${{ matrix.target }}/terraform.tfstate
+ ${{ env.TF_WORKDIR }}/${{ matrix.target }}/terraform.tfstate.backup
+ if-no-files-found: ignore
+ retention-days: 30
 aggregate:
 name: "Aggregate Bootstrap Outputs"
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/README.md b/iac-template/terraform-hcl-standard/aws-cloud/README.md
index 94bb7342..af4f92a8 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@@ -2,6 +2,7 @@
 This repository provides bootstrap Terraform modules that must be applied before enabling a Terraform remote backend on AWS. It creates:
+- IAM artifacts — a deploy role plus a dedicated DevOps/automation user for Terraform
 - S3 bucket — to store Terraform remote state
 - DynamoDB table — to store Terraform state locks
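Review bot: `if-no-files-found: ignore` on the `Save Terraform state` step makes a missing `terraform.tfstate` (wrong `TF_WORKDIR`, or an apply that failed before writing state) a silent no-op, after which the next run restores nothing and the resources just created are orphaned; for a non-plan action `if-no-files-found: error` is the safer setting. `retention-days: 30` also means the only copy of this state expires after a month, so a destroy run after that has no state to act on — these bootstrap resources are long-lived, so the artifact should be kept for the longest retention the repository allows and treated as a bridge until the state is migrated into the S3 backend the module creates. The same clear-text exposure applies to the `outputs-${{ matrix.target }}` artifact that receives the first `retention-days: 30`, since it carries the module outputs and anyone with read access to the repository can download it. The job definition these steps belong to starts outside the hunk.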