Azure Container Apps · Arazzo Workflow

Azure Container Apps Audit App Security

Version 1.0.0

Read an app, then enumerate its secrets and authentication configurations for a security review.

1 workflow · 1 source API · 1 provider
Tags: Azure, Containers, Dapr, Kubernetes, Microservices, Serverless, Arazzo, Workflows

Provider

azure-container-apps

Workflows

audit-app-security
Enumerate a container app's secrets and auth configs in one pass.
Reads the app, lists its secrets, and lists its auth configs, returning all three so the app's security surface can be reviewed together.
3 steps · inputs: apiVersion, containerAppName, resourceGroupName, subscriptionId · outputs: authConfigs, containerAppId, ingressExternal, secrets

1. getApp (ContainerApps_Get): Read the container app to confirm it exists and capture whether its ingress is externally exposed.
2. listSecrets (ContainerApps_ListSecrets): List the container app secrets so every stored credential can be reviewed.
3. listAuthConfigs (ContainerAppsAuthConfigs_ListByContainerApp): List the container app authentication configurations so every auth provider attached to the app can be reviewed.

Source API Descriptions

Arazzo Workflow Specification

azure-container-apps-audit-app-security-workflow.yml
arazzo: 1.0.1
info:
  title: Azure Container Apps Audit App Security
  summary: Read an app, then enumerate its secrets and authentication configurations for a security review.
  description: >-
    A read-only audit flow for a single container app. This workflow reads the
    app to confirm it exists and capture its ingress posture, then lists the
    app's secrets and its authentication configurations so a reviewer can see
    every credential and auth provider attached to the app. Every step spells out
    its request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: containerAppsApi
  url: ../openapi/azure-container-apps-openapi.yml
  type: openapi
workflows:
- workflowId: audit-app-security
  summary: Enumerate a container app's secrets and auth configs in one pass.
  description: >-
    Reads the app, lists its secrets, and lists its auth configs, returning all
    three so the app's security surface can be reviewed together.
  inputs:
    type: object
    required:
    - subscriptionId
    - resourceGroupName
    - containerAppName
    properties:
      subscriptionId:
        type: string
        description: The Azure subscription ID.
      resourceGroupName:
        type: string
        description: The name of the resource group.
      containerAppName:
        type: string
        description: The name of the container app to audit.
      apiVersion:
        type: string
        description: Client API version.
        default: '2023-05-01'
  steps:
  - stepId: getApp
    description: >-
      Read the container app to confirm it exists and capture whether its
      ingress is externally exposed.
    operationId: ContainerApps_Get
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: containerAppName
      in: path
      value: $inputs.containerAppName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      containerAppId: $response.body#/id
      ingressExternal: $response.body#/properties/configuration/ingress/external
  - stepId: listSecrets
    description: >-
      List the container app secrets so every stored credential can be reviewed.
    operationId: ContainerApps_ListSecrets
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: containerAppName
      in: path
      value: $inputs.containerAppName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      secrets: $response.body#/value
  - stepId: listAuthConfigs
    description: >-
      List the container app authentication configurations so every auth
      provider attached to the app can be reviewed.
    operationId: ContainerAppsAuthConfigs_ListByContainerApp
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: containerAppName
      in: path
      value: $inputs.containerAppName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      authConfigs: $response.body#/value
  outputs:
    containerAppId: $steps.getApp.outputs.containerAppId
    ingressExternal: $steps.getApp.outputs.ingressExternal
    secrets: $steps.listSecrets.outputs.secrets
    authConfigs: $steps.listAuthConfigs.outputs.authConfigs
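
One way to review the workflow's outputs together, as an added example that is not part of the workflow or of the provider's own tooling: it flags external ingress that has no enforcing auth config and reports where each secret is stored without copying its value. The response field names (`properties.platform.enabled`, `properties.globalValidation.unauthenticatedClientAction`, `keyVaultUrl`, `value`), the severity labels, and the sample data are assumptions made for this example.

```python
# Added example: triage the audit-app-security outputs. Field names inside
# `secrets` and `authConfigs` are assumptions about the API response bodies.
ENFORCING_ACTIONS = {"RedirectToLoginPage", "Return401", "Return403"}

def redact_secrets(secrets):
    """Keep only the name and storage source; the secret value is never copied."""
    redacted = []
    for s in secrets or []:
        source = "keyvault" if s.get("keyVaultUrl") else "inline"
        redacted.append({"name": s.get("name"), "source": source})
    return redacted

def enforcing_auth_configs(auth_configs):
    """Names of auth configs that are enabled and reject or redirect anonymous calls."""
    names = []
    for cfg in auth_configs or []:
        props = cfg.get("properties") or {}
        enabled = (props.get("platform") or {}).get("enabled") is True
        action = (props.get("globalValidation") or {}).get("unauthenticatedClientAction")
        if enabled and action in ENFORCING_ACTIONS:
            names.append(cfg.get("name"))
    return names

def review_outputs(outputs):
    """Turn the workflow outputs into (severity, message) findings."""
    findings = []
    enforcing = enforcing_auth_configs(outputs.get("authConfigs"))
    if outputs.get("ingressExternal") is True and not enforcing:
        findings.append(("high", "external ingress without an enforcing auth config"))
    for s in redact_secrets(outputs.get("secrets")):
        if s["source"] == "inline":
            findings.append(("medium", f"secret '{s['name']}' is stored inline, not as a Key Vault reference"))
    return findings

# Constructed sample shaped like the workflow's four outputs (not real data).
SAMPLE = {
    "containerAppId": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.App/containerApps/<app>",
    "ingressExternal": True,
    "secrets": [
        {"name": "db-password", "value": "constructed-not-real"},
        {"name": "api-key", "keyVaultUrl": "https://example.vault.azure.net/secrets/api-key", "identity": "system"},
    ],
    "authConfigs": [
        {"name": "current", "properties": {"platform": {"enabled": True},
                                           "globalValidation": {"unauthenticatedClientAction": "AllowAnonymous"}}},
    ],
}

if __name__ == "__main__":
    for severity, message in review_outputs(SAMPLE):
        print(severity, message)
```

Persist only the output of `redact_secrets` in review notes; the raw `secrets` output of the workflow should be treated as credential material.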