arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Create and Read Secret
  summary: Create a new secret, then immediately retrieve its decrypted value to confirm it was stored.
  description: >-
    The foundational provisioning pattern for Secrets Manager. The workflow
    creates a new secret with an encrypted SecretString value, captures the
    resulting ARN and version id, and then reads the secret value back so the
    caller can confirm the stored payload round-trips correctly. Every step
    spells out the AWS JSON 1.1 protocol details inline — the X-Amz-Target
    header that selects the operation and the request payload — so the flow
    can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
  - name: secretsManagerApi
    url: ../openapi/amazon-secrets-manager-openapi.yml
    type: openapi
workflows:
  - workflowId: create-and-read-secret
    summary: Create a secret and read its value back to verify storage.
    description: >-
      Creates a secret from the supplied name and string value, then calls
      GetSecretValue against the new ARN to confirm the encrypted payload was
      stored and can be decrypted.
    inputs:
      type: object
      required:
        - Name
        - SecretString
      properties:
        Name:
          type: string
          description: The friendly name of the new secret.
        Description:
          type: string
          description: An optional description of the secret.
        SecretString:
          type: string
          description: The text data to encrypt and store in the secret.
    steps:
      - stepId: createSecret
        description: >-
          Create a new secret holding the supplied SecretString value under
          the requested name.
        operationId: CreateSecret
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.CreateSecret
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            Name: $inputs.Name
            Description: $inputs.Description
            SecretString: $inputs.SecretString
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secretArn: $response.body#/ARN
          secretName: $response.body#/Name
          versionId: $response.body#/VersionId
      - stepId: getSecretValue
        description: >-
          Retrieve the decrypted value of the secret just created, using its
          ARN as the SecretId.
        operationId: GetSecretValue
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.GetSecretValue
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $steps.createSecret.outputs.secretArn
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secretString: $response.body#/SecretString
          readVersionId: $response.body#/VersionId
    outputs:
      secretArn: $steps.createSecret.outputs.secretArn
      secretName: $steps.createSecret.outputs.secretName
      versionId: $steps.createSecret.outputs.versionId
      secretString: $steps.getSecretValue.outputs.secretString