Amazon Secrets Manager · Arazzo Workflow

Amazon Secrets Manager Find and Delete Secret

Version 1.0.0

List secrets filtered by name, branch on whether a match exists, then describe and schedule deletion of the matched secret.

1 workflow · 1 source API · 1 provider

Tags: Configuration, Credentials, Rotation, Secrets, Security, Arazzo, Workflows

Provider

amazon-secrets-manager

Workflows

find-and-delete-secret
Locate a secret by name and schedule it for deletion if it exists.
Lists secrets filtered by the supplied name, and when a match is found describes it and calls DeleteSecret with a recovery window; otherwise the workflow ends without deleting anything.
3 steps · inputs: Name, RecoveryWindowInDays · outputs: deletedArn, deletionDate, matchedArn
1
findSecret
ListSecrets
List secrets filtered by name, returning at most one match so the flow can decide whether the target secret exists.
2
describeSecret
DescribeSecret
Read the matched secret's metadata to confirm its ARN before scheduling deletion.
3
deleteSecret
DeleteSecret
Schedule the matched secret for deletion with the supplied recovery window so it can be restored before permanent removal.

Source API Descriptions

Arazzo Workflow Specification

amazon-secrets-manager-find-and-delete-secret-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Secrets Manager Find and Delete Secret
  summary: List secrets filtered by name, branch on whether a match exists, then describe and schedule deletion of the matched secret.
  description: >-
    The find-then-act cleanup pattern. The workflow lists secrets using a name
    filter and branches: when a secret matches it is described to capture its
    ARN and then scheduled for deletion with a recovery window, and when no
    secret matches the flow ends without making changes. This protects the
    caller from deleting the wrong secret. Every step inlines the AWS JSON 1.1
    X-Amz-Target header and request payload so the flow is self-describing.
  version: 1.0.0
sourceDescriptions:
- name: secretsManagerApi
  url: ../openapi/amazon-secrets-manager-openapi.yml
  type: openapi
workflows:
- workflowId: find-and-delete-secret
  summary: Locate a secret by name and schedule it for deletion if it exists.
  description: >-
    Lists secrets filtered by the supplied name, and when a match is found
    describes it and calls DeleteSecret with a recovery window; otherwise the
    workflow ends without deleting anything.
  inputs:
    type: object
    required:
    - Name
    properties:
      Name:
        type: string
        description: The friendly name of the secret to find and delete.
      RecoveryWindowInDays:
        type: integer
        description: The number of days Secrets Manager waits before permanent deletion.
        default: 30
  steps:
  - stepId: findSecret
    description: >-
      List secrets filtered by name, returning at most one match so the flow can
      decide whether the target secret exists.
    operationId: ListSecrets
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.ListSecrets
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        MaxResults: 1
        Filters:
        - Key: name
          Values:
          - $inputs.Name
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      matchedArn: $response.body#/SecretList/0/ARN
    onSuccess:
    - name: secretExists
      type: goto
      stepId: describeSecret
      criteria:
      - context: $response.body
        # Goessner-style filter (Arazzo's default jsonpath dialect): selects the
        # body only when SecretList is non-empty. A bare "$.SecretList.length > 0"
        # is not a JSONPath expression, so it must be wrapped in a filter.
        condition: $[?(@.SecretList.length > 0)]
        type: jsonpath
    - name: secretMissing
      type: end
      criteria:
      - context: $response.body
        # Selects the body only when SecretList is empty.
        condition: $[?(@.SecretList.length == 0)]
        type: jsonpath
  - stepId: describeSecret
    description: >-
      Read the matched secret's metadata to confirm its ARN before scheduling
      deletion.
    operationId: DescribeSecret
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.DescribeSecret
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        SecretId: $steps.findSecret.outputs.matchedArn
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      secretArn: $response.body#/ARN
      secretName: $response.body#/Name
  - stepId: deleteSecret
    description: >-
      Schedule the matched secret for deletion with the supplied recovery
      window so it can be restored before permanent removal.
    operationId: DeleteSecret
    parameters:
    - name: X-Amz-Target
      in: header
      value: secretsmanager.DeleteSecret
    requestBody:
      contentType: application/x-amz-json-1.1
      payload:
        SecretId: $steps.describeSecret.outputs.secretArn
        RecoveryWindowInDays: $inputs.RecoveryWindowInDays
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      deletedArn: $response.body#/ARN
      deletionDate: $response.body#/DeletionDate
  outputs:
    matchedArn: $steps.findSecret.outputs.matchedArn
    deletedArn: $steps.deleteSecret.outputs.deletedArn
    deletionDate: $steps.deleteSecret.outputs.deletionDate
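The three steps above, carried through as a client-side function (an added example, not code from the workflow's author or from AWS). It mirrors findSecret, describeSecret and deleteSecret exactly, then adds the two checks a practitioner would want before scheduling deletion: ListSecrets' "name" filter is a prefix match, so the single result of MaxResults 1 can be a neighbouring secret (for input prod/db it may return prod/db-legacy), and the describe step only confirms the ARN, not the name; and RecoveryWindowInDays is only accepted by the API in the range 7 to 30. The FakeSecretsManager and its ARNs are constructed test data; the method names and keyword arguments match boto3's Secrets Manager client, so a real client can be passed instead.

```python
from dataclasses import dataclass, field

@dataclass
class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager API (test data, not AWS)."""
    secrets: dict                                   # friendly name -> ARN
    deleted: dict = field(default_factory=dict)     # ARN -> recovery window used

    def list_secrets(self, Filters, MaxResults):
        # The real "name" filter is a prefix match, reproduced here deliberately.
        prefix = Filters[0]["Values"][0]
        hits = [{"Name": n, "ARN": a} for n, a in sorted(self.secrets.items())
                if n.startswith(prefix)]
        return {"SecretList": hits[:MaxResults]}

    def describe_secret(self, SecretId):
        for name, arn in self.secrets.items():
            if arn == SecretId:
                return {"ARN": arn, "Name": name}
        raise LookupError("ResourceNotFoundException")

    def delete_secret(self, SecretId, RecoveryWindowInDays):
        self.deleted[SecretId] = RecoveryWindowInDays
        return {"ARN": SecretId, "DeletionDate": "2030-01-01T00:00:00Z"}  # constructed

def find_and_delete_secret(client, name, recovery_window_days=30):
    """Run the workflow; returns the workflow outputs plus a 'status' field."""
    if not 7 <= recovery_window_days <= 30:
        raise ValueError("RecoveryWindowInDays must be between 7 and 30")
    out = {"matchedArn": None, "deletedArn": None, "deletionDate": None}
    # Step 1 (findSecret): ListSecrets with the name filter and MaxResults 1.
    listing = client.list_secrets(Filters=[{"Key": "name", "Values": [name]}],
                                  MaxResults=1)
    if not listing["SecretList"]:                   # secretMissing branch: end
        return {**out, "status": "missing"}
    out["matchedArn"] = listing["SecretList"][0]["ARN"]
    # Step 2 (describeSecret): read the metadata of the matched secret.
    meta = client.describe_secret(SecretId=out["matchedArn"])
    # Added guard: the prefix filter may have matched a different secret,
    # so require the friendly name to be exactly the one requested.
    if meta["Name"] != name:
        return {**out, "status": "name-mismatch"}
    # Step 3 (deleteSecret): schedule deletion with the recovery window.
    result = client.delete_secret(SecretId=meta["ARN"],
                                  RecoveryWindowInDays=recovery_window_days)
    out["deletedArn"], out["deletionDate"] = result["ARN"], result["DeletionDate"]
    return {**out, "status": "deleted"}
```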