Add demo and update README.

.gitignore

@@ -1 +1,2 @@
-.DS_Store
+.DS_Store
+.terraform*

README.md

@@ -12,8 +12,6 @@ To configure you S3 Terraform Backend in AWS, use this module:
 
 https://github.com/michael-ortiz/terraform-aws-s3-terraform-state
 
-Enjoty!
-
 ## Usage
 
 ```yaml
@@ -36,4 +34,21 @@ jobs:
       # Optional
       # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-```
+```
+
+## Demo
+
+In order to deploy, you must comment out the `backend.tf` code, and deploy manually using CLI into your AWS Account.
+Once a `terraform.tfstate` is generated, you must copy the `.tfstate` file into S3 bucket state destination that you configured in the S3 backend in `backend.tf` and `main.tf` or reference the plan output to get the S3 bucket and DynamoDB table name.
+
+Once the file is copied, uncomment the commented code, remove the generated terraform files in your project:
+
+```
+rm rf .terraform*
+```
+
+Next, run `terraform init` and `terraform plan`. If your local AWS Credentials have access to read from S3, the plan should succeed and should be reading the state from S3.
+
+Finally, to implement this in your GitHub Repository Actions, copy the plan outputs of the `apply_role_arn` and `plan_role_arn` values, and pass them as secrets to the reusable workflow `terraform-workflow.yaml`. See example on `Usage` section on how to set this up.
+
+Enjoy!

demo/backend.tf

@@ -0,0 +1,8 @@
+# terraform {
+#   backend "s3" {
+#     bucket         = "my-terraform-state-bucket-1234"
+#     key            = "terraform.tfstate"
+#     dynamodb_table = "terraform-s3-state-lock"
+#     region         = "us-east-1"
+#   }
+# }

demo/main.tf

@@ -0,0 +1,29 @@
+module "s3_terraform_state" {
+  source  = "michael-ortiz/s3-terraform-state/aws"
+  version = "~> 1.0"
+
+  state_bucket_names    = ["my-terraform-state-bucket-1234"] // Used in backend.tf to set S3 backend
+  state_lock_table_name = "terraform-s3-state-lock"          // Used in backend.tf to set S3 backend
+}
+
+# Plan Role with ReadOnlyAccess - Creates OIDC Provider
+module "github_actions_oidc_plan" {
+  source  = "michael-ortiz/github-actions-oidc/aws"
+  version = "~> 1.0"
+
+  create_oidc_provider    = true
+  role_name               = "github-actions-oidc-role-plan"
+  repositories            = ["Organization/RepositoryName"]
+  oidc_role_policies_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
+}
+
+# Apply Role with AdministratorAccess - Does not create OIDC Provider becase it was already created in the Plan Role
+module "github_actions_oidc_apply" {
+  source  = "michael-ortiz/github-actions-oidc/aws"
+  version = "~> 1.0"
+
+  create_oidc_provider    = false
+  role_name               = "github-actions-oidc-role-apply"
+  repositories            = ["Organization/RepositoryName"]
+  oidc_role_policies_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+}

demo/outputs.tf

@@ -0,0 +1,19 @@
+output "apply_role_arn" {
+  description = "The ARN of the role to be assumed by the apply job"
+  value       = module.github_actions_oidc_apply.oidc_role_arn
+}
+
+output "plan_role_arn" {
+  description = "The ARN of the role to be assumed by the plan job"
+  value       = module.github_actions_oidc_apply.oidc_role_arn
+}
+
+output "state_bucket_names" {
+  description = "The names of the S3 buckets used for Terraform state storage"
+  value       = module.s3_terraform_state.state_bucket_names
+}
+
+output "state_lock_table_name" {
+  description = "The name of the DynamoDB table used for Terraform state locking"
+  value       = module.s3_terraform_state.state_lock_table_name
+}