diff --git a/build/terraform b/build/terraform
index b9b0b099fde8..d7bafc73157b 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit b9b0b099fde8e4ff807d2acfd13cb8bd2ecb9f30
+Subproject commit d7bafc73157bdcdcbfc59b7f45f4c041846a3846
diff --git a/build/terraform-beta b/build/terraform-beta
index e15dd93ec650..56469a9bbcd4 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit e15dd93ec650db20c8d1b269c2ea045819e96710
+Subproject commit 56469a9bbcd43c783a4ad6fb4d68d36acf4b9d12
diff --git a/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb b/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb
index f67d4a41ad43..8c0e6ef4985a 100644
--- a/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb
+++ b/third_party/terraform/data_sources/data_source_google_iam_policy.go.erb
@@ -3,11 +3,13 @@ package google
 
 import (
 	"encoding/json"
+	"regexp"
 	"sort"
 	"strconv"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/hashcode"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 	"google.golang.org/api/cloudresourcemanager/v1"
 )
 
@@ -39,7 +41,10 @@ func dataSourceGoogleIamPolicy() *schema.Resource {
 						"members": {
 							Type:     schema.TypeSet,
 							Required: true,
-							Elem:     &schema.Schema{Type: schema.TypeString},
+							Elem:     &schema.Schema{
+								Type:         schema.TypeString,
+								ValidateFunc: validation.StringDoesNotMatch(regexp.MustCompile("^deleted:"), "Terraform does not support IAM policies for deleted principals"),
+							},
 							Set:      schema.HashString,
 						},
 <% unless version == 'ga' -%>
diff --git a/third_party/terraform/resources/resource_iam_binding.go.erb b/third_party/terraform/resources/resource_iam_binding.go.erb
index 89567a9021c2..bb7ec0027186 100644
--- a/third_party/terraform/resources/resource_iam_binding.go.erb
+++ b/third_party/terraform/resources/resource_iam_binding.go.erb
@@ -5,9 +5,11 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"regexp"
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 	"google.golang.org/api/cloudresourcemanager/v1"
 )
 
@@ -23,6 +25,7 @@ var iamBindingSchema = map[string]*schema.Schema{
 		Elem: &schema.Schema{
 			Type:             schema.TypeString,
 			DiffSuppressFunc: caseDiffSuppress,
+			ValidateFunc:     validation.StringDoesNotMatch(regexp.MustCompile("^deleted:"), "Terraform does not support IAM bindings for deleted principals"),
 		},
 		Set: func(v interface{}) int {
 			return schema.HashString(strings.ToLower(v.(string)))
diff --git a/third_party/terraform/resources/resource_iam_member.go.erb b/third_party/terraform/resources/resource_iam_member.go.erb
index 1d7ebf381b2a..86fa3463a82c 100644
--- a/third_party/terraform/resources/resource_iam_member.go.erb
+++ b/third_party/terraform/resources/resource_iam_member.go.erb
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
 	"google.golang.org/api/cloudresourcemanager/v1"
 )
 
@@ -22,6 +23,7 @@ var IamMemberBaseSchema = map[string]*schema.Schema{
 		Required:         true,
 		ForceNew:         true,
 		DiffSuppressFunc: caseDiffSuppress,
+		ValidateFunc:     validation.StringDoesNotMatch(regexp.MustCompile("^deleted:"), "Terraform does not support IAM members for deleted principals"),
 	},
 <% unless version == 'ga' -%>
 	"condition": {