Azure Container Apps · Arazzo Workflow

Azure Container Apps Rotate and Verify Secrets

Version 1.0.0

Write a new secret value to an app, wait for provisioning, then list secrets to confirm it is present.

1 workflow · 1 source API · 1 provider
Tags: Azure, Containers, Dapr, Kubernetes, Microservices, Serverless, Arazzo, Workflows

Provider

azure-container-apps

Workflows

rotate-and-verify-secrets
Rotate a named container app secret and confirm it via the list-secrets operation.
Patches the app configuration with the new secret value, polls until the app is Succeeded, then lists secrets and returns the secret names.
3 steps
Inputs: apiVersion, containerAppName, location, resourceGroupName, secretName, secretValue, subscriptionId
Outputs: containerAppId, secrets

1. rotateSecret (ContainerApps_Update): Patch the container app configuration with the new secret value in the ARM properties envelope.
2. pollApp (ContainerApps_Get): Read the container app and check its provisioningState, looping while the configuration change is still applying and proceeding once it settles.
3. listSecrets (ContainerApps_ListSecrets): List the container app secrets to confirm the rotated secret is present.
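
The three steps above as an added Python sketch, not part of the workflow file or of the provider's code. It assumes a hypothetical `call(operation_id, body)` transport that fills in the path and api-version parameters, adds a poll budget and delay, and reports secret names only, because the list-secrets response carries each secret's value alongside its name. `fake_arm` is a constructed in-memory stand-in so the sketch runs offline.

```python
import hmac
import time

def rotate_and_verify(call, location, secret_name, secret_value,
                      max_polls=30, delay=2.0, sleep=time.sleep):
    """Run rotateSecret, pollApp and listSecrets through call(op, body)."""
    patch = {"location": location, "properties": {"configuration": {
        "secrets": [{"name": secret_name, "value": secret_value}]}}}
    status, app = call("ContainerApps_Update", patch)
    if status != 200:
        raise RuntimeError(f"rotateSecret returned HTTP {status}")
    # pollApp with a poll budget and a delay. Any state other than Succeeded
    # or InProgress is treated as an error (a choice made in this sketch).
    for _ in range(max_polls):
        status, body = call("ContainerApps_Get", None)
        state = body.get("properties", {}).get("provisioningState")
        if status == 200 and state == "Succeeded":
            break
        if status != 200 or state != "InProgress":
            raise RuntimeError(f"pollApp stopped: HTTP {status}, state {state!r}")
        sleep(delay)
    else:
        raise TimeoutError("provisioning did not settle within the poll budget")
    status, listing = call("ContainerApps_ListSecrets", None)
    if status != 200:
        raise RuntimeError(f"listSecrets returned HTTP {status}")
    entries = listing.get("value", [])
    stored = next((e.get("value") for e in entries
                   if e.get("name") == secret_name), None)
    # Compare without echoing either value, and return names only so the
    # result can be logged.
    rotated = stored is not None and hmac.compare_digest(
        stored.encode(), secret_value.encode())
    return {"containerAppId": app.get("id"), "rotated": rotated,
            "secretNames": [e.get("name") for e in entries]}

def fake_arm(states, secrets):
    """Constructed in-memory stand-in for the three operations."""
    store, queue = dict(secrets), iter(states)

    def call(op, body):
        if op == "ContainerApps_Update":
            for s in body["properties"]["configuration"]["secrets"]:
                store[s["name"]] = s["value"]
            return 200, {"id": "/constructed/containerApps/demo"}
        if op == "ContainerApps_Get":
            return 200, {"properties": {"provisioningState": next(queue)}}
        return 200, {"value": [{"name": n, "value": v} for n, v in store.items()]}
    return call
```
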

Source API Descriptions

Arazzo Workflow Specification

azure-container-apps-rotate-and-verify-secrets-workflow.yml
arazzo: 1.0.1
info:
  title: Azure Container Apps Rotate and Verify Secrets
  summary: Write a new secret value to an app, wait for provisioning, then list secrets to confirm it is present.
  description: >-
    Container app secrets are stored in the app configuration and surfaced
    through a dedicated list-secrets operation. This workflow patches a container
    app to add or rotate a named secret, polls the app until provisioning
    settles, then lists the app's secrets to confirm the rotated secret is
    present. Every step spells out its request inline so the flow can be read and
    executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: containerAppsApi
  url: ../openapi/azure-container-apps-openapi.yml
  type: openapi
workflows:
- workflowId: rotate-and-verify-secrets
  summary: Rotate a named container app secret and confirm it via the list-secrets operation.
  description: >-
    Patches the app configuration with the new secret value, polls until the app
    is Succeeded, then lists secrets and returns the secret names.
  inputs:
    type: object
    required:
    - subscriptionId
    - resourceGroupName
    - containerAppName
    - location
    - secretName
    - secretValue
    properties:
      subscriptionId:
        type: string
        description: The Azure subscription ID.
      resourceGroupName:
        type: string
        description: The name of the resource group.
      containerAppName:
        type: string
        description: The name of the container app.
      location:
        type: string
        description: The Azure region of the app (e.g. eastus).
      secretName:
        type: string
        description: The name of the secret to add or rotate.
      secretValue:
        type: string
        description: The new value for the secret.
      apiVersion:
        type: string
        description: Client API version.
        default: '2023-05-01'
  steps:
  - stepId: rotateSecret
    description: >-
      Patch the container app configuration with the new secret value in the ARM
      properties envelope.
    operationId: ContainerApps_Update
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: containerAppName
      in: path
      value: $inputs.containerAppName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    requestBody:
      contentType: application/json
      payload:
        location: $inputs.location
        properties:
          configuration:
            secrets:
            - name: $inputs.secretName
              value: $inputs.secretValue
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      containerAppId: $response.body#/id
  - stepId: pollApp
    description: >-
      Read the container app and check its provisioningState, looping while the
      configuration change is still applying and proceeding once it settles.
    operationId: ContainerApps_Get
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: containerAppName
      in: path
      value: $inputs.containerAppName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      provisioningState: $response.body#/properties/provisioningState
    onSuccess:
    - name: configApplied
      type: goto
      stepId: listSecrets
      criteria:
      - context: $response.body
        condition: $.properties.provisioningState == "Succeeded"
        type: jsonpath
    - name: configFailed
      type: end
      criteria:
      - context: $response.body
        condition: $.properties.provisioningState == "Failed" || $.properties.provisioningState == "Canceled"
        type: jsonpath
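    # Arazzo success actions carry no retryAfter or retryLimit, so the pacing
    # and upper bound of this loop are left to the workflow runner.
    - name: keepPolling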
      type: goto
      stepId: pollApp
      criteria:
      - context: $response.body
        condition: $.properties.provisioningState == "InProgress"
        type: jsonpath
  - stepId: listSecrets
    description: >-
      List the container app secrets to confirm the rotated secret is present.
    operationId: ContainerApps_ListSecrets
    parameters:
    - name: subscriptionId
      in: path
      value: $inputs.subscriptionId
    - name: resourceGroupName
      in: path
      value: $inputs.resourceGroupName
    - name: containerAppName
      in: path
      value: $inputs.containerAppName
    - name: api-version
      in: query
      value: $inputs.apiVersion
    successCriteria:
    - condition: $statusCode == 200
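    outputs:
      # Sensitive: list-secrets entries carry each secret's value as well as its
      # name, and this output passes the whole array through.
      secrets: $response.body#/value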
  outputs:
    containerAppId: $steps.rotateSecret.outputs.containerAppId
    secrets: $steps.listSecrets.outputs.secrets