arazzo: 1.0.1
info:
  title: Microsoft Azure Audit Subscription Resources
  summary: Confirm a subscription is enabled, list all its resources, and read its predefined tag names.
  description: >-
    A subscription-wide audit flow. The workflow gets the subscription to confirm
    it is Enabled, lists every resource across the subscription, and then reads
    the summary of predefined tag names so an auditor can cross-reference tagging
    coverage against the resource inventory. It branches so a non-enabled
    subscription ends before any inventory is pulled. Every step spells out its
    request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: azureResourceManager
  url: ../openapi/azure-resource-manager-openapi.yml
  type: openapi
workflows:
- workflowId: audit-subscription-resources
  summary: Inventory a subscription's resources and tag names after confirming it is enabled.
  description: >-
    Gets the subscription, branches on its state, then lists all resources and
    the predefined tag names.
  inputs:
    type: object
    required:
    - accessToken
    - subscriptionId
    properties:
      accessToken:
        type: string
        description: An Azure Resource Manager OAuth2 bearer access token.
      subscriptionId:
        type: string
        description: The ID of the target subscription.
      apiVersion:
        type: string
        description: The Azure Resource Manager API version.
        default: '2024-03-01'
  steps:
  - stepId: getSubscription
    description: >-
      Get the subscription and branch: only audit when it reports Enabled,
      otherwise end the flow.
    operationId: Subscriptions_Get
    parameters:
    - name: Authorization
      in: header
      value: Bearer $inputs.accessToken
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      state: $response.body#/state
      displayName: $response.body#/displayName
    onSuccess:
    - name: subscriptionEnabled
      type: goto
      stepId: listResources
      criteria:
      - context: $response.body
        condition: $.state == "Enabled"
        type: jsonpath
    - name: subscriptionNotEnabled
      type: end
      criteria:
      - context: $response.body
        condition: $.state != "Enabled"
        type: jsonpath
  - stepId: listResources
    description: List every resource in the subscription for the audit inventory.
    operationId: Resources_List
    parameters:
    - name: Authorization
      in: header
      value: Bearer $inputs.accessToken
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      resources: $response.body#/value
  - stepId: listTagNames
    description: Read the summary of predefined tag names to cross-reference tagging coverage.
    operationId: Tags_List
    parameters:
    - name: Authorization
      in: header
      value: Bearer $inputs.accessToken
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      tagNames: $response.body#/value
  outputs:
    subscriptionState: $steps.getSubscription.outputs.state
    resources: $steps.listResources.outputs.resources
    tagNames: $steps.listTagNames.outputs.tagNames