Can you explain why Terraform plan for IAM gives a "deleted:serviceAccount" result?

When I ran terraform plan on this shared project, I see the following type of output that I’ve never seen before. Why is the serviceAccount displayed this way? If it was deleted, why does it appear at all? And how do I reconcile this with my TF code? Btw, the GitHub Actions were created / deleted by a different developer.

# google_project_iam_binding.kubernetes_engine_developer_role will be updated in-place
  ~ resource "google_project_iam_binding" "kubernetes_engine_developer_role" {
        id      = "clutch-platform-dev/roles/container.developer"
      ~ members = [
          - "deleted:serviceAccount:github-actions-gke-gcr@my-platform-dev.iam.gserviceaccount.com?uid=104021681630303037318",

I’ve never encountered exactly this, but this is what I’d guess it is saying:

  • A Google service account was deleted
  • The deleted service account’s ID still exists within the IAM role binding
  • Terraform is now planning to remove that

Thanks! I think you’re exactly correct. I just checked in the Google console and the deleted service account does indeed still have IAM bindings!
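
A check for the situation this thread describes, as an added example that is not part of the original posts: it scans a project IAM policy (the JSON shape returned by `gcloud projects get-iam-policy --format=json`) for `deleted:` principals and lists the members that remain for a role, which is what the Terraform `members` list should hold. The policy below is a constructed sample; `ci-deployer` and `dev@example.com` are made-up members.

```python
import json
import re

# Constructed sample shaped like an IAM policy export. The role and the deleted
# member mirror the plan output in the thread; the other members are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/container.developer",
     "members": [
       "deleted:serviceAccount:github-actions-gke-gcr@my-platform-dev.iam.gserviceaccount.com?uid=104021681630303037318",
       "serviceAccount:ci-deployer@my-platform-dev.iam.gserviceaccount.com"
     ]},
    {"role": "roles/viewer",
     "members": ["user:dev@example.com"]}
  ]
}
""")

# IAM shows a principal that no longer exists as deleted:<type>:<id>?uid=<numeric id>
DELETED_MEMBER = re.compile(
    r"^deleted:(?P<type>[A-Za-z]+):(?P<id>[^?]+)\?uid=(?P<uid>\d+)$"
)

def find_deleted_members(policy):
    """Return one record per (role, deleted principal) found in an IAM policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            match = DELETED_MEMBER.match(member)
            if match:
                findings.append({"role": binding["role"], **match.groupdict()})
    return findings

def live_members(policy, role):
    """Members of `role` that remain once deleted principals are dropped."""
    return [m
            for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", []) if not m.startswith("deleted:")]

if __name__ == "__main__":
    for f in find_deleted_members(SAMPLE_POLICY):
        print(f"{f['role']}: stale {f['type']} {f['id']} (uid {f['uid']})")
    print(live_members(SAMPLE_POLICY, "roles/container.developer"))
```
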