Temporal · Arazzo Workflow

Temporal Rotate an API Key for an Owner

Version 1.0.0

Read the owner of an existing key, mint a replacement key, then revoke the old one.

1 workflow 1 source API 1 provider

Provider

temporal

Workflows

rotate-api-key
Issue a replacement API key for the same owner and revoke the old key.
Chains getApiKey to read the existing key owner, createApiKey to mint a replacement bound to that same owner, and deleteApiKey to revoke the original.
3 steps
Inputs: bearerToken, keyId, newDisplayName, newExpiryTime
Outputs: ownerId, revokeStatus

1. readExistingKey (getApiKey): Read the existing API key to capture its owner id and owner type so the replacement can be bound to the same principal.
2. createReplacement (createApiKey): Create the replacement API key for the same owner with the new expiry.
3. revokeOldKey (deleteApiKey): Delete the original API key now that the replacement has been issued.

Source API Descriptions

Arazzo Workflow Specification

temporal-rotate-api-key-workflow.yml
arazzo: 1.0.1
info:
  title: Temporal Rotate an API Key for an Owner
  summary: Read the owner of an existing key, mint a replacement key, then revoke the old one.
  description: >-
    Key rotation keeps Temporal Cloud automation credentials fresh. This workflow
    reads an existing API key to capture its owner, creates a replacement key for
    the same owner with a new expiry, and then deletes the original key. Reading
    the owner before issuing the new key guarantees the replacement is bound to
    the same principal. Every step spells out its request inline so the flow can
    be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: cloudOpsApi
  url: ../openapi/cloud-ops-api.yml
  type: openapi
workflows:
- workflowId: rotate-api-key
  summary: Issue a replacement API key for the same owner and revoke the old key.
  description: >-
    Chains getApiKey to read the existing key owner, createApiKey to mint a
    replacement bound to that same owner, and deleteApiKey to revoke the original.
  inputs:
    type: object
    required:
    - bearerToken
    - keyId
    - newDisplayName
    - newExpiryTime
    properties:
      bearerToken:
        type: string
        description: API key used as the Bearer token for Authorization.
      keyId:
        type: string
        description: The identifier of the existing API key to rotate out.
      newDisplayName:
        type: string
        description: The display name for the replacement API key.
      newExpiryTime:
        type: string
        description: RFC3339 timestamp at which the replacement key expires.
  steps:
  - stepId: readExistingKey
    description: >-
      Read the existing API key to capture its owner id and owner type so the
      replacement can be bound to the same principal.
    operationId: getApiKey
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.bearerToken"
    - name: keyId
      in: path
      value: $inputs.keyId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      ownerId: $response.body#/spec/ownerId
      ownerType: $response.body#/spec/ownerType
  - stepId: createReplacement
    description: >-
      Create the replacement API key for the same owner with the new expiry.
    operationId: createApiKey
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.bearerToken"
    requestBody:
      contentType: application/json
      payload:
        spec:
          displayName: $inputs.newDisplayName
          ownerId: $steps.readExistingKey.outputs.ownerId
          ownerType: $steps.readExistingKey.outputs.ownerType
          expiryTime: $inputs.newExpiryTime
    successCriteria:
    - condition: $statusCode == 200
    onSuccess:
    - name: revokeOld
      type: goto
      stepId: revokeOldKey
      criteria:
      - condition: $statusCode == 200
  - stepId: revokeOldKey
    description: >-
      Delete the original API key now that the replacement has been issued.
    operationId: deleteApiKey
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.bearerToken"
    - name: keyId
      in: path
      value: $inputs.keyId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      revokeStatus: $statusCode
  outputs:
    ownerId: $steps.readExistingKey.outputs.ownerId
    revokeStatus: $steps.revokeOldKey.outputs.revokeStatus
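
The step order and success criteria of this workflow, run as an added Python example (not part of the published workflow or of Temporal's code) against an in-memory stand-in for the API. `FakeKeyApi`, the generated key ids and the sample owner values are constructed for illustration; the response shape is assumed from the workflow's `/spec/ownerId` and `/spec/ownerType` pointers.

```python
# Added example: executes the three steps in order and stops at the first
# step whose successCriteria ($statusCode == 200) is not met.
class FakeKeyApi:
    """Constructed stand-in for getApiKey / createApiKey / deleteApiKey."""
    def __init__(self, keys, fail_create=False):
        self.keys, self.fail_create = dict(keys), fail_create

    def getApiKey(self, keyId):
        spec = self.keys.get(keyId)
        return (200, {"spec": spec}) if spec else (404, {})

    def createApiKey(self, body):
        if self.fail_create:
            return 500, {}
        self.keys[f"key-new-{len(self.keys)}"] = body["spec"]  # hypothetical id
        return 200, {}

    def deleteApiKey(self, keyId):
        return (200, {}) if self.keys.pop(keyId, None) else (404, {})

def pointer(doc, ptr):
    """Resolve a simple JSON Pointer such as /spec/ownerId (no escapes)."""
    for part in ptr.strip("/").split("/"):
        doc = doc[part]
    return doc

def rotate(api, inputs):
    """readExistingKey -> createReplacement -> revokeOldKey."""
    status, body = api.getApiKey(inputs["keyId"])
    if status != 200:
        return {"failedStep": "readExistingKey", "status": status}
    # Step outputs, taken from the response body as the workflow does.
    outputs = {"ownerId": pointer(body, "/spec/ownerId"),
               "ownerType": pointer(body, "/spec/ownerType")}
    status, _ = api.createApiKey({"spec": {
        "displayName": inputs["newDisplayName"],
        "ownerId": outputs["ownerId"],
        "ownerType": outputs["ownerType"],
        "expiryTime": inputs["newExpiryTime"]}})
    if status != 200:
        # No replacement was issued, so the old key is left in place.
        return {"failedStep": "createReplacement", "status": status}
    status, _ = api.deleteApiKey(inputs["keyId"])
    if status != 200:
        return {"failedStep": "revokeOldKey", "status": status}
    # Workflow-level outputs, as declared in the specification.
    return {"ownerId": outputs["ownerId"], "revokeStatus": status}
```

As in the specification, the result carries only `ownerId` and `revokeStatus`; `createReplacement` declares no outputs, so a caller has to take the replacement key from that step's response itself.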