Importing GCP projects' IAM policy

I have been working on automating our IAM management in GCP (currently at the project level) using terraform. In order to do so, I'm using terraform's import blocks to first generate a project_id.tf file per project. I had it working back in December 2024 and, due to priority issues, the project got no attention until a few days back.

I am now testing the importing of IAM policies per project (using a for loop in bash) and running into issues for projects that have a binding involving a deleted IAM principal, with an error like the one below:

  $ terraform plan -var project=sm-ms -generate-config-out=sm-ms.tf
  google_project_iam_policy.project: Preparing import… [id=sm-ms]
  google_project_iam_policy.project: Refreshing state… [id=sm-ms]

  Planning failed. Terraform encountered an error while generating this plan.

  │ Warning: Config generation is experimental
  │
  │ Generating configuration during import is currently experimental, and the generated configuration format may change in future versions.

  │ Error: invalid value for bindings.26.members.5 (Terraform does not support IAM members for deleted principals)
  │
  │   with google_project_iam_policy.project,
  │   on sm-ms.tf line 1:
  │   (source code not available)


Earlier it used to work, not sure what has changed. Anyway, could someone please let me know if there’s a workaround to go past this error? Or is it like there’s no way out except to first make sure that all role bindings involving a deleted IAM principal be deleted before the import operation is performed?