arazzo: 1.0.1
info:
  title: Prisma Data Platform Rotate an Environment API Key
  summary: Mint a fresh API key for an environment and revoke the previous one in a single zero-gap rotation.
  description: >-
    Rotates the API key for a Data Platform environment without an access gap.
    The workflow lists the existing keys to capture the one being replaced,
    mints a new key (whose value is returned only once), and then deletes the
    old key so any leaked credential is revoked. Ordering the create before the
    delete keeps the environment continuously authenticated during the
    rotation. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: dataPlatformApi
  url: ../openapi/prisma-data-platform-openapi.yml
  type: openapi
workflows:
- workflowId: rotate-api-key
  summary: Create a new environment API key and revoke the previous key.
  description: >-
    Lists the environment's keys, mints a replacement key, and deletes the
    previously active key.
  inputs:
    type: object
    required:
    - apiToken
    - environmentId
    - newKeyName
    properties:
      apiToken:
        type: string
        description: Service token or OAuth access token for the Data Platform API, sent as a Bearer token.
      environmentId:
        type: string
        description: Identifier of the environment whose key is being rotated.
      newKeyName:
        type: string
        description: Display name for the replacement API key.
  steps:
  - stepId: listKeys
    description: >-
      List the API keys for the environment so the currently active key can be
      identified for later revocation.
    operationId: listApiKeys
    parameters:
    - name: environmentId
      in: path
      value: $inputs.environmentId
    - name: Authorization
      in: header
      value: Bearer $inputs.apiToken
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      oldKeyId: $response.body#/data/0/id
  - stepId: createKey
    description: >-
      Mint a replacement API key for the environment before revoking the old
      one so the environment stays authenticated throughout the rotation.
    operationId: createApiKey
    parameters:
    - name: environmentId
      in: path
      value: $inputs.environmentId
    - name: Authorization
      in: header
      value: Bearer $inputs.apiToken
    requestBody:
      contentType: application/json
      payload:
        name: $inputs.newKeyName
    successCriteria:
    - condition: $statusCode == 201
    outputs:
      newKeyId: $response.body#/id
      newKeyValue: $response.body#/apiKey
  - stepId: revokeOldKey
    description: >-
      Permanently revoke and delete the previously active API key now that the
      replacement is in place. Returns 204 No Content on success.
    operationId: deleteApiKey
    parameters:
    - name: apiKeyId
      in: path
      value: $steps.listKeys.outputs.oldKeyId
    - name: Authorization
      in: header
      value: Bearer $inputs.apiToken
    successCriteria:
    - condition: $statusCode == 204
    outputs:
      revokedKeyId: $steps.listKeys.outputs.oldKeyId
  outputs:
    newKeyId: $steps.createKey.outputs.newKeyId
    newKeyValue: $steps.createKey.outputs.newKeyValue
    revokedKeyId: $steps.revokeOldKey.outputs.revokedKeyId