Google Workspace Decommission an Org Unit

arazzo: 1.0.1
info:
  title: Google Workspace Decommission an Org Unit
  summary: Move a user out of an org unit, then delete the now-empty unit.
  description: >-
    Retires an organizational unit that must be emptied before it can be
    removed. The workflow confirms the org unit exists, moves the supplied user
    out to a destination unit so the source becomes empty, and then deletes the
    source unit. Only empty organizational units can be deleted, so the move
    step is a precondition for the delete. Every step spells out its request
    inline so the flow can be read and executed without opening the underlying
    OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: directoryApi
  url: ../openapi/admin-sdk-directory-api.yml
  type: openapi
workflows:
- workflowId: decommission-org-unit
  summary: Empty an org unit by moving its user out, then delete the unit.
  description: >-
    Confirms the source org unit exists, patches the user's orgUnitPath to a
    destination unit to empty the source, and deletes the now-empty source org
    unit.
  inputs:
    type: object
    required:
    - accessToken
    - orgUnitPath
    - userKey
    - destinationOrgUnitPath
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer access token with the orgunit and user scopes.
      orgUnitPath:
        type: string
        description: The full path (minus leading slash) of the org unit to decommission.
      userKey:
        type: string
        description: Primary email, alias, or unique id of the user to move out.
      destinationOrgUnitPath:
        type: string
        description: The org unit path to move the user into before deleting the source.
      customerId:
        type: string
        description: Customer account id or the my_customer alias.
        default: my_customer
  steps:
  - stepId: confirmOrgUnit
    description: >-
      Read the source organizational unit to confirm it exists before emptying
      and deleting it.
    operationId: getOrgUnit
    parameters:
    - name: customerId
      in: path
      value: $inputs.customerId
    - name: orgUnitPath
      in: path
      value: $inputs.orgUnitPath
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      orgUnitId: $response.body#/orgUnitId
  - stepId: moveUserOut
    description: >-
      Patch the user's orgUnitPath to the destination unit so the source
      organizational unit becomes empty.
    operationId: patchUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    requestBody:
      contentType: application/json
      payload:
        orgUnitPath: $inputs.destinationOrgUnitPath
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      orgUnitPath: $response.body#/orgUnitPath
  - stepId: deleteOrgUnit
    description: >-
      Delete the now-empty source organizational unit.
    operationId: deleteOrgUnit
    parameters:
    - name: customerId
      in: path
      value: $inputs.customerId
    - name: orgUnitPath
      in: path
      value: $inputs.orgUnitPath
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 204
  outputs:
    deletedOrgUnitId: $steps.confirmOrgUnit.outputs.orgUnitId
    movedUserId: $steps.moveUserOut.outputs.userId
    movedUserOrgUnitPath: $steps.moveUserOut.outputs.orgUnitPath