arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Update Metadata and Verify
  summary: Update a secret's description and KMS key with UpdateSecret, then describe it to confirm the new metadata was applied.
  description: >-
    The metadata maintenance pattern. The workflow modifies an existing secret's
    description and the KMS key used to encrypt it with UpdateSecret, then calls
    DescribeSecret to read the metadata back and confirm the changes were applied
    without touching the secret value itself. Every step inlines the AWS JSON 1.1
    X-Amz-Target header and request payload so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
  - name: secretsManagerApi
    url: ../openapi/amazon-secrets-manager-openapi.yml
    type: openapi
workflows:
  - workflowId: update-metadata-and-verify
    summary: Update a secret's description and KMS key, then confirm via DescribeSecret.
    description: >-
      Calls UpdateSecret to change the description and KMS key of an existing
      secret, then calls DescribeSecret to verify the new metadata was applied.
    inputs:
      type: object
      required:
        - SecretId
        - Description
      properties:
        SecretId:
          type: string
          description: The ARN or name of the secret to update.
        Description:
          type: string
          description: The new description to set on the secret.
        KmsKeyId:
          type: string
          description: The ARN, key ID, or alias of the KMS key to encrypt the secret.
    steps:
      - stepId: updateSecret
        description: >-
          Modify the secret's description and KMS key without changing the
          secret value.
        operationId: UpdateSecret
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.UpdateSecret
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $inputs.SecretId
            Description: $inputs.Description
            KmsKeyId: $inputs.KmsKeyId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secretArn: $response.body#/ARN
          versionId: $response.body#/VersionId
      - stepId: describeSecret
        description: >-
          Read the secret metadata back to confirm the description and KMS key
          changes were applied.
        operationId: DescribeSecret
        parameters:
          - name: X-Amz-Target
            in: header
            value: secretsmanager.DescribeSecret
        requestBody:
          contentType: application/x-amz-json-1.1
          payload:
            SecretId: $steps.updateSecret.outputs.secretArn
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          description: $response.body#/Description
          kmsKeyId: $response.body#/KmsKeyId
          lastChangedDate: $response.body#/LastChangedDate
    outputs:
      secretArn: $steps.updateSecret.outputs.secretArn
      description: $steps.describeSecret.outputs.description
      kmsKeyId: $steps.describeSecret.outputs.kmsKeyId