arazzo: 1.0.1
info:
  title: AWS SAR Set Application Policy
  summary: Create an application, attach a sharing permission policy to it, then read the policy back.
  description: >-
    Establishes who can deploy a serverless application. The workflow creates a
    new application, sets the permission policy with one or more statements that
    grant accounts the ability to deploy it, and then reads the policy back to
    confirm the statements were applied. Every step spells out its request
    inline so the flow can be read and executed without opening the underlying
    OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: serverlessRepoApi
    url: ../openapi/amazon-serverless-application-repository-openapi.yml
    type: openapi
workflows:
  - workflowId: set-application-policy
    summary: Create an application, set its permission policy, and verify it.
    description: >-
      Creates a new application, applies a sharing permission policy made up of
      statements, and reads the policy back to confirm the granted permissions.
    inputs:
      type: object
      required:
        - name
        - author
        - description
        - statements
      properties:
        name:
          type: string
          description: The name of the application to create.
        author:
          type: string
          description: The name of the author publishing the app.
        description:
          type: string
          description: The description of the application.
        statements:
          type: array
          description: An array of policy statements granting deploy permissions.
          items:
            type: object
            properties:
              statementId:
                type: string
                description: A unique ID for the statement.
              principals:
                type: array
                items:
                  type: string
                  description: AWS account IDs or * for public access.
              actions:
                type: array
                items:
                  type: string
                  description: The permissions to grant.
    steps:
      - stepId: createApplication
        description: >-
          Create the application that the sharing policy will be attached to.
        operationId: CreateApplication
        requestBody:
          contentType: application/json
          payload:
            name: $inputs.name
            author: $inputs.author
            description: $inputs.description
        successCriteria:
          - condition: $statusCode == 201
        outputs:
          applicationId: $response.body#/applicationId
      - stepId: putPolicy
        description: >-
          Set the permission policy for the application using the supplied
          statements.
        operationId: PutApplicationPolicy
        parameters:
          - name: applicationId
            in: path
            value: $steps.createApplication.outputs.applicationId
        requestBody:
          contentType: application/json
          payload:
            statements: $inputs.statements
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          statements: $response.body#/statements
      - stepId: getPolicy
        description: >-
          Read the policy back to confirm the statements were applied to the
          application.
        operationId: GetApplicationPolicy
        parameters:
          - name: applicationId
            in: path
            value: $steps.createApplication.outputs.applicationId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          statements: $response.body#/statements
    outputs:
      applicationId: $steps.createApplication.outputs.applicationId
      appliedStatements: $steps.putPolicy.outputs.statements
      verifiedStatements: $steps.getPolicy.outputs.statements