arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Rotate and Describe
  summary: Start rotation on a secret with a Lambda rotation function, then describe it to confirm rotation is configured.
  description: >-
    The managed-rotation enablement pattern. The workflow configures and starts
    the asynchronous rotation process for a secret — wiring up the rotation
    Lambda and an automatic rotation schedule — and then calls DescribeSecret to
    read back the rotation metadata so the caller can confirm RotationEnabled is
    set and the rules took effect. Every step inlines the AWS JSON 1.1
    X-Amz-Target header and request payload so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
  - name: secretsManagerApi
    url: ../openapi/amazon-secrets-manager-openapi.yml
    type: openapi
workflows:
  - workflowId: rotate-and-describe
    summary: Start secret rotation and confirm it is enabled via DescribeSecret.
    description: >-
      Calls RotateSecret to attach a rotation Lambda and schedule, then calls
      DescribeSecret to verify RotationEnabled and the rotation rules were
      applied.
    inputs:
      type: object
      required:
        - SecretId
        - RotationLambdaARN
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to rotate.
        RotationLambdaARN:
          type: string
          description: The ARN of the Lambda function that rotates the secret.
        AutomaticallyAfterDays:
          type: integer
          description: The number of days between automatic scheduled rotations.
          default: 30
        RotateImmediately:
          type: boolean
          description: Whether to rotate the secret immediately after configuring.
          default: true
    steps:
      - stepId: rotateSecret
        description: >-
          Configure and start the rotation process, attaching the rotation
          Lambda and an automatic rotation schedule to the secret.
        operationId: RotateSecret
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.RotateSecret
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $inputs.SecretId
            RotationLambdaARN: $inputs.RotationLambdaARN
            RotationRules:
              AutomaticallyAfterDays: $inputs.AutomaticallyAfterDays
            RotateImmediately: $inputs.RotateImmediately
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secretArn: $response.body#/ARN
          versionId: $response.body#/VersionId
      - stepId: describeSecret
        description: >-
          Read the secret metadata back to confirm rotation is enabled and the
          rotation rules were applied.
        operationId: DescribeSecret
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.DescribeSecret
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $steps.rotateSecret.outputs.secretArn
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          rotationEnabled: $response.body#/RotationEnabled
          rotationLambdaARN: $response.body#/RotationLambdaARN
          rotationRules: $response.body#/RotationRules
    outputs:
      secretArn: $steps.rotateSecret.outputs.secretArn
      rotatedVersionId: $steps.rotateSecret.outputs.versionId
      rotationEnabled: $steps.describeSecret.outputs.rotationEnabled