arazzo: 1.0.1
info:
  title: Google Workspace Delete a User Safely
  summary: Look up a user, confirm it exists, then delete the account.
  description: >-
    A guarded deletion flow. The workflow first reads the user by its key to
    confirm the account exists and capture its id, then deletes the user. Because
    deleted users remain recoverable for twenty days, the flow records the id so
    the account can later be restored with the undelete operation if needed.
    Every step spells out its request inline so the flow can be read and executed
    without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: directoryApi
  url: ../openapi/admin-sdk-directory-api.yml
  type: openapi
workflows:
- workflowId: delete-user-safely
  summary: Verify a user exists and then delete the account.
  description: >-
    Fetches the user by its key to confirm existence and record its id and org
    unit, then issues the delete so the account moves into the 20-day
    recoverable window.
  inputs:
    type: object
    required:
    - accessToken
    - userKey
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer access token with the admin.directory.user scope.
      userKey:
        type: string
        description: Primary email, alias, or unique id of the user to delete.
  steps:
  - stepId: lookupUser
    description: >-
      Read the user by its key to confirm the account exists and capture the id
      and org unit before deleting.
    operationId: getUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      orgUnitPath: $response.body#/orgUnitPath
  - stepId: deleteUser
    description: >-
      Delete the confirmed user account. The user remains recoverable for 20
      days via the undelete operation.
    operationId: deleteUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 204
  outputs:
    deletedUserId: $steps.lookupUser.outputs.userId
    formerOrgUnitPath: $steps.lookupUser.outputs.orgUnitPath