arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Generate Password and Store Secret
  summary: Generate a random password, store it as a new secret, then read the secret value back to confirm it was saved.
  description: >-
    The credential bootstrap pattern. The workflow asks Secrets Manager to
    generate a strong random password to its complexity rules, stores that
    password as the SecretString of a brand new secret, and then retrieves the
    secret value to confirm the generated credential round-trips correctly.
    Every step inlines the AWS JSON 1.1 X-Amz-Target header and request payload
    so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
  - name: secretsManagerApi
    url: ../openapi/amazon-secrets-manager-openapi.yml
    type: openapi
workflows:
  - workflowId: generate-password-and-store-secret
    summary: Generate a random password and persist it as a new secret.
    description: >-
      Calls GetRandomPassword to produce a strong credential, CreateSecret to
      store it under the supplied name, and GetSecretValue to confirm the
      stored value matches.
    inputs:
      type: object
      required:
        - Name
      properties:
        Name:
          type: string
          description: The friendly name of the new secret to create.
        Description:
          type: string
          description: An optional description of the secret.
        PasswordLength:
          type: integer
          description: The length of the generated password.
          default: 32
        ExcludePunctuation:
          type: boolean
          description: Whether to exclude punctuation characters from the password.
          default: false
    steps:
      - stepId: getRandomPassword
        description: >-
          Generate a strong random password to the supplied length and
          complexity rules.
        operationId: GetRandomPassword
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.GetRandomPassword
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            PasswordLength: $inputs.PasswordLength
            ExcludePunctuation: $inputs.ExcludePunctuation
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          randomPassword: $response.body#/RandomPassword
      - stepId: createSecret
        description: >-
          Store the generated password as the SecretString of a new secret
          under the requested name.
        operationId: CreateSecret
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.CreateSecret
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            Name: $inputs.Name
            Description: $inputs.Description
            SecretString: $steps.getRandomPassword.outputs.randomPassword
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secretArn: $response.body#/ARN
          versionId: $response.body#/VersionId
      - stepId: getSecretValue
        description: >-
          Retrieve the stored secret value to confirm the generated password
          was saved correctly.
        operationId: GetSecretValue
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.GetSecretValue
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $steps.createSecret.outputs.secretArn
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          storedSecretString: $response.body#/SecretString
          versionId: $response.body#/VersionId
    outputs:
      secretArn: $steps.createSecret.outputs.secretArn
      versionId: $steps.createSecret.outputs.versionId
      storedSecretString: $steps.getSecretValue.outputs.storedSecretString