arazzo: 1.0.1
info:
  title: Azure API Management Rotate Subscription Keys
  summary: Confirm a subscription, regenerate both keys, then retrieve the new secrets.
  description: >-
    Rotates the credentials on an existing subscription. The workflow reads the
    subscription to confirm it exists, regenerates the primary key and then the
    secondary key, and finally retrieves the new secrets so they can be
    distributed. Every step spells out its request inline so the flow can be
    read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: azureApiManagementApi
  url: ../openapi/microsoft-azure-api-management-rest-api-openapi.yaml
  type: openapi
workflows:
- workflowId: rotate-subscription-keys
  summary: Regenerate both subscription keys and return the new secrets.
  description: >-
    Confirms the subscription, regenerates the primary and secondary keys, then
    lists the secrets to surface the rotated keys.
  inputs:
    type: object
    required:
    - subscriptionId
    - resourceGroupName
    - serviceName
    - sid
    properties:
      subscriptionId:
        type: string
        description: The Azure subscription identifier.
      resourceGroupName:
        type: string
        description: The resource group containing the service.
      serviceName:
        type: string
        description: The API Management service name.
      sid:
        type: string
        description: The subscription identifier whose keys are rotated.
  steps:
  - stepId: getSubscription
    description: >-
      Read the subscription to confirm it exists before rotating its keys.
    operationId: Subscription_Get
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: serviceName
      in: path
      value: $inputs.serviceName
    - name: sid
      in: path
      value: $inputs.sid
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      subscriptionResourceId: $response.body#/id
  - stepId: regeneratePrimary
    description: >-
      Regenerate the primary subscription key.
    operationId: Subscription_RegeneratePrimaryKey
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: serviceName
      in: path
      value: $inputs.serviceName
    - name: sid
      in: path
      value: $inputs.sid
    successCriteria:
    - condition: $statusCode == 200
  - stepId: regenerateSecondary
    description: >-
      Regenerate the secondary subscription key.
    operationId: Subscription_RegenerateSecondaryKey
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: serviceName
      in: path
      value: $inputs.serviceName
    - name: sid
      in: path
      value: $inputs.sid
    successCriteria:
    - condition: $statusCode == 200
  - stepId: getSecrets
    description: >-
      Retrieve the rotated primary and secondary keys.
    operationId: Subscription_ListSecrets
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: serviceName
      in: path
      value: $inputs.serviceName
    - name: sid
      in: path
      value: $inputs.sid
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      primaryKey: $response.body#/primaryKey
      secondaryKey: $response.body#/secondaryKey
  outputs:
    primaryKey: $steps.getSecrets.outputs.primaryKey
    secondaryKey: $steps.getSecrets.outputs.secondaryKey