arazzo: 1.0.1
info:
  title: Azure Container Apps Rotate and Verify Secrets
  summary: Write a new secret value to an app, wait for provisioning, then list secrets to confirm it is present.
  description: >-
    Container app secrets are stored in the app configuration and surfaced
    through a dedicated list-secrets operation. This workflow patches a
    container app to add or rotate a named secret, polls the app until
    provisioning settles, then lists the app's secrets to confirm the rotated
    secret is present. Every step spells out its request inline so the flow can
    be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: containerAppsApi
    url: ../openapi/azure-container-apps-openapi.yml
    type: openapi
workflows:
  - workflowId: rotate-and-verify-secrets
    summary: Rotate a named container app secret and confirm it via the list-secrets operation.
    description: >-
      Patches the app configuration with the new secret value, polls until the
      app is Succeeded, then lists secrets and returns the secret names.
    inputs:
      type: object
      required:
        - subscriptionId
        - resourceGroupName
        - containerAppName
        - location
        - secretName
        - secretValue
      properties:
        subscriptionId:
          type: string
          description: The Azure subscription ID.
        resourceGroupName:
          type: string
          description: The name of the resource group.
        containerAppName:
          type: string
          description: The name of the container app.
        location:
          type: string
          description: The Azure region of the app (e.g. eastus).
        secretName:
          type: string
          description: The name of the secret to add or rotate.
        secretValue:
          type: string
          description: The new value for the secret.
        apiVersion:
          type: string
          description: Client API version.
          default: '2023-05-01'
    steps:
      - stepId: rotateSecret
        description: >-
          Patch the container app configuration with the new secret value in
          the ARM properties envelope.
        operationId: ContainerApps_Update
        parameters:
          - name: subscriptionId
            in: path
            value: $inputs.subscriptionId
          - name: resourceGroupName
            in: path
            value: $inputs.resourceGroupName
          - name: containerAppName
            in: path
            value: $inputs.containerAppName
          - name: api-version
            in: query
            value: $inputs.apiVersion
        requestBody:
          contentType: application/json
          payload:
            location: $inputs.location
            properties:
              configuration:
                secrets:
                  - name: $inputs.secretName
                    value: $inputs.secretValue
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          containerAppId: $response.body#/id
      - stepId: pollApp
        description: >-
          Read the container app and check its provisioningState, looping while
          the configuration change is still applying and proceeding once it
          settles.
        operationId: ContainerApps_Get
        parameters:
          - name: subscriptionId
            in: path
            value: $inputs.subscriptionId
          - name: resourceGroupName
            in: path
            value: $inputs.resourceGroupName
          - name: containerAppName
            in: path
            value: $inputs.containerAppName
          - name: api-version
            in: query
            value: $inputs.apiVersion
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          provisioningState: $response.body#/properties/provisioningState
        onSuccess:
          - name: configApplied
            type: goto
            stepId: listSecrets
            criteria:
              - context: $response.body
                condition: $.properties.provisioningState == "Succeeded"
                type: jsonpath
          - name: configFailed
            type: end
            criteria:
              - context: $response.body
                condition: $.properties.provisioningState == "Failed" || $.properties.provisioningState == "Canceled"
                type: jsonpath
          - name: keepPolling
            type: goto
            stepId: pollApp
            criteria:
              - context: $response.body
                condition: $.properties.provisioningState == "InProgress"
                type: jsonpath
      - stepId: listSecrets
        description: >-
          List the container app secrets to confirm the rotated secret is
          present.
        operationId: ContainerApps_ListSecrets
        parameters:
          - name: subscriptionId
            in: path
            value: $inputs.subscriptionId
          - name: resourceGroupName
            in: path
            value: $inputs.resourceGroupName
          - name: containerAppName
            in: path
            value: $inputs.containerAppName
          - name: api-version
            in: query
            value: $inputs.apiVersion
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          secrets: $response.body#/value
    outputs:
      containerAppId: $steps.rotateSecret.outputs.containerAppId
      secrets: $steps.listSecrets.outputs.secrets