arazzo: 1.0.1
info:
  title: Amazon Lake Formation Audit Resource Permissions
  summary: Enumerate registered data lake locations and list the permissions on a selected resource.
  description: >-
    A read-only governance audit flow. The workflow lists every resource registered
    with Lake Formation, describes the resource the auditor is interested in to
    capture its data access role, and lists the principal permissions on a Data
    Catalog resource so an access review can be performed. Every step spells out
    its request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: lakeFormationApi
    url: ../openapi/amazon-lake-formation-openapi.yml
    type: openapi
workflows:
  - workflowId: audit-resource-permissions
    summary: Inventory registered locations and audit permissions on a selected resource.
    description: >-
      Lists registered data lake locations, describes a target location, and
      lists the permissions on a Data Catalog resource for an access review.
    inputs:
      type: object
      required:
        - resourceArn
        - resource
      properties:
        resourceArn:
          type: string
          description: The ARN of the registered data lake location to describe.
        resource:
          type: object
          description: The Data Catalog Resource whose permissions are being audited.
        principal:
          type: object
          description: Optional principal to scope the permission listing to a single identity.
    steps:
      - stepId: listResources
        description: >-
          List all resources currently registered with Lake Formation to
          establish the audit scope.
        operationId: ListResources
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          resourceInfoList: $response.body#/ResourceInfoList
      - stepId: describeResource
        description: >-
          Describe the target registered location to capture its current data
          access role.
        operationId: DescribeResource
        parameters:
          - name: resourceArn
            in: path
            value: $inputs.resourceArn
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          resourceInfo: $response.body#/ResourceInfo
      - stepId: listPermissions
        description: >-
          List the principal permissions on the Data Catalog resource for the
          access review.
        operationId: ListPermissions
        requestBody:
          contentType: application/json
          payload:
            Principal: $inputs.principal
            Resource: $inputs.resource
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          principalResourcePermissions: $response.body#/PrincipalResourcePermissions
    outputs:
      resourceInfoList: $steps.listResources.outputs.resourceInfoList
      resourceInfo: $steps.describeResource.outputs.resourceInfo
      principalResourcePermissions: $steps.listPermissions.outputs.principalResourcePermissions