From 76ddbf76f83d525f152d6178bfc1cf1df0ebcd73 Mon Sep 17 00:00:00 2001 From: Michael Ortiz Date: Fri, 12 Jul 2024 08:50:37 -0400 Subject: [PATCH] Add demo and update README. --- .gitignore | 3 ++- README.md | 21 ++++++++++++++++++--- demo/backend.tf | 8 ++++++++ demo/main.tf | 29 +++++++++++++++++++++++++++++ demo/outputs.tf | 19 +++++++++++++++++++ 5 files changed, 76 insertions(+), 4 deletions(-) create mode 100644 demo/backend.tf create mode 100644 demo/main.tf create mode 100644 demo/outputs.tf diff --git a/.gitignore b/.gitignore index 496ee2c..6a80b2b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -.DS_Store \ No newline at end of file +.DS_Store +.terraform* \ No newline at end of file diff --git a/README.md b/README.md index 1ad9e0e..e2b3d78 100644 --- a/README.md +++ b/README.md @@ -12,8 +12,6 @@ To configure you S3 Terraform Backend in AWS, use this module: https://github.com/michael-ortiz/terraform-aws-s3-terraform-state -Enjoty! - ## Usage ```yaml 
@@ -36,4 +34,21 @@ jobs: # Optional # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} -``` \ No newline at end of file +``` + +## Demo + +In order to deploy, you must comment out the `backend.tf` code, and deploy manually using CLI into your AWS Account. +Once a `terraform.tfstate` is generated, you must copy the `.tfstate` file into S3 bucket state destination that you configured in the S3 backend in `backend.tf` and `main.tf` or reference the plan output to get the S3 bucket and DynamoDB table name. + +Once the file is copied, uncomment the commented code, remove the generated terraform files in your project: + +``` +rm rf .terraform* +``` + +Next, run `terraform init` and `terraform plan`. If your local AWS Credentials have access to read from S3, the plan should succeed and should be reading the state from S3. + +Finally, to implement this in your GitHub Repository Actions, copy the plan outputs of the `apply_role_arn` and `plan_role_arn` values, and pass them as secrets to the reusable workflow `terraform-workflow.yaml`. See example on `Usage` section on how to set this up. + +Enjoy! \ No newline at end of file diff --git a/demo/backend.tf b/demo/backend.tf new file mode 100644 index 0000000..2c1c410 --- /dev/null +++ b/demo/backend.tf @@ -0,0 +1,8 @@ +# terraform { +# backend "s3" { +# bucket = "my-terraform-state-bucket-1234" +# key = "terraform.tfstate" +# dynamodb_table = "terraform-s3-state-lock" +# region = "us-east-1" +# } +# } \ No newline at end of file diff --git a/demo/main.tf b/demo/main.tf new file mode 100644 index 0000000..ced496e --- /dev/null +++ b/demo/main.tf 
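Review bot: The commented-out `backend "s3"` block in demo/backend.tf does not set `encrypt = true`, so once a user uncomments it as the README instructs, Terraform will not request server-side encryption when it writes `terraform.tfstate` — and that state will hold the role ARNs and whatever the demo later manages. Unless the bucket created by the `s3_terraform_state` module enforces default encryption (not visible in this patch), add `encrypt = true` next to `bucket`/`key`/`dynamodb_table`. The bucket name and lock table name are also hard-coded here and duplicated in demo/main.tf; a one-line comment such as `# Must match state_bucket_names / state_lock_table_name in main.tf` would keep the two from drifting during the bootstrap described in the README.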
@@ -0,0 +1,29 @@
+module "s3_terraform_state" {
+ source = "michael-ortiz/s3-terraform-state/aws"
+ version = "~> 1.0"
+
+ state_bucket_names = ["my-terraform-state-bucket-1234"] // Used in backend.tf to set S3 backend
+ state_lock_table_name = "terraform-s3-state-lock" // Used in backend.tf to set S3 backend
+}
+
+# Plan Role with ReadOnlyAccess - Creates OIDC Provider
+module "github_actions_oidc_plan" {
+ source = "michael-ortiz/github-actions-oidc/aws"
+ version = "~> 1.0"
+
+ create_oidc_provider = true
+ role_name = "github-actions-oidc-role-plan"
+ repositories = ["Organization/RepositoryName"]
+ oidc_role_policies_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
+}
+
+# Apply Role with AdministratorAccess - Does not create OIDC Provider becase it was already created in the Plan Role
+module "github_actions_oidc_apply" {
+ source = "michael-ortiz/github-actions-oidc/aws"
+ version = "~> 1.0"
+
+ create_oidc_provider = false
+ role_name = "github-actions-oidc-role-apply"
+ repositories = ["Organization/RepositoryName"]
+ oidc_role_policies_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+}
diff --git a/demo/outputs.tf b/demo/outputs.tf
new file mode 100644
index 0000000..edc6f54
--- /dev/null
+++ b/demo/outputs.tf
@@ -0,0 +1,19 @@
+output "apply_role_arn" {
+ description = "The ARN of the role to be assumed by the apply job"
+ value = module.github_actions_oidc_apply.oidc_role_arn
+}
+
+output "plan_role_arn" {
+ description = "The ARN of the role to be assumed by the plan job"
+ value = module.github_actions_oidc_apply.oidc_role_arn
+}
+
+output "state_bucket_names" {
+ description = "The names of the S3 buckets used for Terraform state storage"
+ value = module.s3_terraform_state.state_bucket_names
+}
+
+output "state_lock_table_name" {
+ description = "The name of the DynamoDB table used for Terraform state locking"
+ value = module.s3_terraform_state.state_lock_table_name
+}
\ No newline at end of file
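Review bot: The plan role in demo/main.tf is given only `arn:aws:iam::aws:policy/ReadOnlyAccess`, yet `terraform plan` against the s3 backend configured in this same demo acquires the DynamoDB lock (`dynamodb:PutItem`/`DeleteItem` on `terraform-s3-state-lock`), which that policy does not grant — the CI plan job will fail on lock acquisition unless the reusable workflow runs plan with `-lock=false` (not visible here). Either grant the role a small inline policy for the lock table and the state object, or document the `-lock=false` expectation next to `oidc_role_policies_arns`. Separately, the apply role gets `AdministratorAccess` trusted for `repositories = ["Organization/RepositoryName"]`; if the module's trust policy only constrains the `sub` claim to the repository and not to a branch or GitHub environment, any workflow in that repo with `id-token: write` — including one run from a pull-request branch — can assume the admin role, so a comment flagging that the apply role must be branch/environment-scoped before real use would be appropriate. Minor: `becase` → `because` in the apply-role comment.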
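Review bot: `output "plan_role_arn"` in demo/outputs.tf returns `module.github_actions_oidc_apply.oidc_role_arn` — the same value as `apply_role_arn` — instead of the plan module's ARN; it should be `value = module.github_actions_oidc_plan.oidc_role_arn`. Because the README tells users to copy these two outputs into the `plan`/`apply` workflow secrets, the copy-paste error hands the AdministratorAccess role to the plan job (the one that runs on pull requests), silently defeating the read-only/admin split this demo exists to show.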