arazzo: 1.0.1
info:
  title: Amazon RDS Rotate Master Password
  summary: Reset the master user password immediately and poll until the instance stabilizes.
  description: >-
    Rotates the master user password for a DB instance and waits for the
    credential change to apply. The workflow confirms the instance is
    available, submits a modify request setting a new MasterUserPassword with
    ApplyImmediately, and polls DescribeDBInstances until the status settles
    back to available, looping while the instance is still resetting
    credentials. Every step spells out its request inline so the flow can be
    read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: amazonRdsApi
    url: ../openapi/amazon-rds-openapi.yml
    type: openapi
workflows:
  - workflowId: rotate-master-password
    summary: Reset a DB instance master password and wait for it to apply.
    description: >-
      Confirms the instance is available, modifies the master user password
      with ApplyImmediately, then polls until DescribeDBInstances reports the
      instance available again.
    inputs:
      type: object
      required:
        - dbInstanceIdentifier
        - masterUserPassword
      properties:
        dbInstanceIdentifier:
          type: string
          description: The identifier of the DB instance to rotate credentials for.
        # Secret input: supply it at run time and keep it out of stored
        # workflow inputs and logs.
        masterUserPassword:
          type: string
          description: The new password to set for the master database user.
    steps:
      # Step 1: proceed only if the instance is currently 'available'.
      - stepId: confirmInstance
        description: >-
          Describe the DB instance to confirm it is available before rotating
          the master credentials.
        operationId: describeDBInstances
        parameters:
          - name: DBInstanceIdentifier
            in: query
            value: $inputs.dbInstanceIdentifier
        successCriteria:
          - condition: $statusCode == 200
          - context: $response.body
            condition: $.dBInstances[0].dBInstanceStatus == 'available'
            type: jsonpath
        outputs:
          masterUsername: $response.body#/dBInstances/0/masterUsername
      # Step 2: submit the new password; the change is applied immediately
      # rather than in the next maintenance window.
      - stepId: resetPassword
        description: >-
          Submit the modify request setting the new master user password with
          the change applied immediately.
        operationId: modifyDBInstance
        parameters:
          - name: DBInstanceIdentifier
            in: query
            value: $inputs.dbInstanceIdentifier
          - name: MasterUserPassword
            in: query
            value: $inputs.masterUserPassword
          - name: ApplyImmediately
            in: query
            value: true
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          pendingStatus: $response.body#/dBInstance/dBInstanceStatus
      # Step 3: poll until the status returns to 'available'. The goto loop
      # below defines no delay or iteration limit of its own, so the runner
      # executing the workflow must pace and bound the polling.
      - stepId: pollInstance
        description: >-
          Describe the DB instance and inspect its status. While the instance
          is still resetting credentials the workflow loops back to poll
          again; once it is available the flow ends.
        operationId: describeDBInstances
        parameters:
          - name: DBInstanceIdentifier
            in: query
            value: $inputs.dbInstanceIdentifier
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          status: $response.body#/dBInstances/0/dBInstanceStatus
        onSuccess:
          - name: stillApplying
            type: goto
            stepId: pollInstance
            criteria:
              - context: $response.body
                condition: $.dBInstances[0].dBInstanceStatus != 'available'
                type: jsonpath
          - name: available
            type: end
            criteria:
              - context: $response.body
                condition: $.dBInstances[0].dBInstanceStatus == 'available'
                type: jsonpath
    # Workflow outputs carry only the final status and the master username,
    # never the password.
    outputs:
      status: $steps.pollInstance.outputs.status
      masterUsername: $steps.confirmInstance.outputs.masterUsername