Remove configured capability in the folders

zli82016 · zli82016 · commit 19acdd033890 · 2026-01-08T08:30:45.000-08:00
diff --git a/mmv1/third_party/terraform/services/resourcemanager/resource_google_folder_sweeper.go b/mmv1/third_party/terraform/services/resourcemanager/resource_google_folder_sweeper.go
@@ -5,14 +5,20 @@ import (
 	"fmt"
 	"log"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/terraform-provider-google/google/envvar"
+	"github.com/hashicorp/terraform-provider-google/google/services/resourcemanager3"
 	"github.com/hashicorp/terraform-provider-google/google/sweeper"
+	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
+	"google.golang.org/api/cloudresourcemanager/v1"
+	"google.golang.org/api/googleapi"
 )
 
 func init() {
 	sweeper.AddTestSweepersLegacy("GoogleFolder", testSweepFolder)
 }
+
 func testSweepFolder(region string) error {
 	config, err := sweeper.SharedConfigForRegion(region)
 	if err != nil {
@@ -27,7 +33,6 @@ func testSweepFolder(region string) error {
 	}
 
 	org := envvar.UnsafeGetTestOrgFromEnv()
-	log.Printf("[DEBUG] org %s", org)
 
 	if org == "" {
 		log.Printf("[INFO][SWEEPER_LOG] no organization set, failing folder sweeper")
@@ -37,9 +42,8 @@ func testSweepFolder(region string) error {
 	parent := "organizations/" + org
 
 	token := ""
+	svc := config.NewResourceManagerV3Client(config.UserAgent)
 	for paginate := true; paginate; {
-		// Filter for folders with test prefix
-		// filter := fmt.Sprintf("id:\"%s*\" -lifecycleState:DELETE_REQUESTED parent.id:%v", TestPrefix, org)
 		found, err := config.NewResourceManagerV3Client(config.UserAgent).Folders.List().Parent(parent).PageToken(token).Do()
 		if err != nil {
 			log.Printf("[INFO][SWEEPER_LOG] error listing folders: %s", err)
@@ -53,8 +57,35 @@ func testSweepFolder(region string) error {
 			log.Printf("[INFO][SWEEPER_LOG] Sweeping Folder id: %s, name: %s", folder.Name, folder.DisplayName)
 			_, err := config.NewResourceManagerV3Client(config.UserAgent).Folders.Delete(folder.Name).Do()
 			if err != nil {
-				log.Printf("[INFO][SWEEPER_LOG] Error, failed to delete folder %s: %s", folder.Name, err)
-				continue
+				if isCapabilityError(err) {
+					log.Println("[INFO][SWEEPER_LOG]Detected 'configured capability' violation. Starting cleanup...")
+
+					// 2. Get Folder to find ManagementProject
+					folder, err := config.NewResourceManagerV3Client(config.UserAgent).Folders.Get(folder.Name).Do()
+					if err != nil {
+						log.Printf("[INFO][SWEEPER_LOG] Error, failed to delete folder %s: %s", folder.Name, err)
+						continue
+					}
+
+					// 3. Handle Liens on Management Project
+					if folder.ManagementProject != "" {
+						cleanupLiens(svc, folder.ManagementProject)
+					}
+
+					// 4. Disable configured capability
+					disableCapability(folder.Name)
+
+					// 5. Retry Delete
+					log.Println("[INFO][SWEEPER_LOG]Retrying folder deletion...")
+					_, err = config.NewResourceManagerV3Client(config.UserAgent).Folders.Delete(folder.Name).Do()
+					if err != nil {
+						log.Printf("[INFO][SWEEPER_LOG] Error, failed to delete folder %s: %s", folder.Name, err)
+						continue
+					}
+				} else {
+					log.Printf("[INFO][SWEEPER_LOG] Error, failed to delete folder %s: %s", folder.Name, err)
+					continue
+				}
 			}
 		}
 		token = found.NextPageToken
@@ -63,3 +94,86 @@ func testSweepFolder(region string) error {
 
 	return nil
 }
+
+// isCapabilityError parses the GCP error for the specific PreconditionFailure
+func isCapabilityError(err error) bool {
+	if gErr, ok := err.(*googleapi.Error); ok {
+		if gErr.Code == 400 && strings.Contains(gErr.Message, "Precondition check failed") {
+			// Deep check for the description in the error details
+			for _, detail := range gErr.Details {
+				if dMap, ok := detail.(map[string]interface{}); ok {
+					if violations, ok := dMap["violations"].([]interface{}); ok {
+						for _, v := range violations {
+							if vMap, ok := v.(map[string]interface{}); ok {
+								if strings.Contains(fmt.Sprint(vMap["description"]), "configured capability") {
+									return true
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+	return false
+}
+
+func cleanupLiens(svc *cloudresourcemanager.Service, project string) {
+	log.Printf("[INFO][SWEEPER_LOG]Checking liens on %s...\n", project)
+	resp, err := svc.Liens.List().Parent(project).Do()
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG]Failed to list liens: %v", err)
+		return
+	}
+	for _, l := range resp.Liens {
+		log.Printf("[INFO][SWEEPER_LOG]Deleting lien: %s\n", l.Name)
+		_, _ = svc.Liens.Delete(l.Name).Do()
+	}
+}
+
+func disableCapability(folderName string) {
+	// Format is folders/{id}/capabilities/app-management
+	capName := fmt.Sprintf("%s/capabilities/app-management", folderName)
+	log.Printf("[INFO][SWEEPER_LOG]Disabling capability: %s\n", capName)
+
+	config, err := sweeper.SharedConfigForRegion("global")
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] error getting shared config for region: %s", err)
+		return
+	}
+
+	err = config.LoadAndValidate(context.Background())
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] error loading: %s", err)
+		return
+	}
+
+	obj := map[string]interface{}{
+		"value": false,
+	}
+
+	url := "https://cloudresourcemanager.googleapis.com/v3/" + capName
+
+	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+		Config:    config,
+		Method:    "PATCH",
+		Project:   config.Project,
+		RawURL:    url,
+		UserAgent: config.UserAgent,
+		Body:      obj,
+	})
+
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] Error disabling Capability: %s, err: %s", capName, err)
+	} else {
+		log.Printf("[INFO][SWEEPER_LOG] Finished disabled Capability: %s", capName)
+	}
+
+	err = resourcemanager3.ResourceManager3OperationWaitTime(
+		config, res, "Updating Capability", config.UserAgent,
+		20*time.Minute)
+
+	if err != nil {
+		log.Printf("[INFO][SWEEPER_LOG] Error for disabling Capability operation: %s, err: %s", capName, err)
+	}
+}
