arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Put New Version and Verify
  summary: Store a new encrypted version of a secret with PutSecretValue, then read the current value to confirm the update.
  description: >-
    The credential update pattern. When an application's password or API key
    changes, this workflow attaches a brand new encrypted version to an
    existing secret with PutSecretValue and stages it as AWSCURRENT, then
    reads the secret back to confirm the new version is the one served by
    default. Every step inlines the AWS JSON 1.1 X-Amz-Target header and
    request payload so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
  - name: secretsManagerApi
    url: ../openapi/amazon-secrets-manager-openapi.yml
    type: openapi
workflows:
  - workflowId: put-version-and-verify
    summary: Attach a new secret version and verify it becomes the current value.
    description: >-
      Calls PutSecretValue to create a new version of an existing secret, then
      calls GetSecretValue to confirm the new SecretString is served as the
      current value.
    inputs:
      type: object
      required:
        - SecretId
        - SecretString
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to update.
        SecretString:
          type: string
          description: The new text data to encrypt and store as the latest version.
    steps:
      - stepId: putSecretValue
        description: >-
          Create a new encrypted version of the secret holding the supplied
          SecretString value.
        operationId: PutSecretValue
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.PutSecretValue
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $inputs.SecretId
            SecretString: $inputs.SecretString
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secretArn: $response.body#/ARN
          newVersionId: $response.body#/VersionId
          versionStages: $response.body#/VersionStages
      - stepId: getSecretValue
        description: >-
          Read the secret value back to confirm the newly stored version is the
          one served by default.
        operationId: GetSecretValue
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.GetSecretValue
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $steps.putSecretValue.outputs.secretArn
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          currentVersionId: $response.body#/VersionId
          currentSecretString: $response.body#/SecretString
    outputs:
      secretArn: $steps.putSecretValue.outputs.secretArn
      newVersionId: $steps.putSecretValue.outputs.newVersionId
      currentVersionId: $steps.getSecretValue.outputs.currentVersionId
      currentSecretString: $steps.getSecretValue.outputs.currentSecretString