Handle deleted: prefix when deduplicating IAM member map (#2819)

Merged PR #2819.

third_party/terraform/utils/iam.go.erb

@@ -236,10 +236,21 @@ func createIamBindingsMap(bindings []*cloudresourcemanager.Binding) map[iamBindi
 			// <type> is case sensitive
 			// <value> isn't
 			// so let's lowercase the value and leave the type alone
-			pieces := strings.SplitN(m, ":", 2)
-			if len(pieces) > 1 {
-				pieces[1] = strings.ToLower(pieces[1])
+			// since Dec '19 members can be prefixed with "deleted:" to indicate the principal
+			// has been deleted
+			var pieces []string
+			if strings.HasPrefix(m, "deleted:") {
+				pieces = strings.SplitN(m, ":", 3)
+				if len(pieces) > 2 {
+					pieces[2] = strings.ToLower(pieces[2])
+				}
+			} else {
+				pieces = strings.SplitN(m, ":", 2)
+				if len(pieces) > 1 {
+					pieces[1] = strings.ToLower(pieces[1])
+				}
 			}
+
 			m = strings.Join(pieces, ":")
 
 			// Add the member

third_party/terraform/utils/iam_test.go.erb

@@ -661,6 +661,35 @@ func TestIamCreateIamBindingsMap(t *testing.T) {
 				iamBindingKey{"role-3", conditionKey{}}: {"user-3": {}},
 			},
 		},
+		{
+			input: []*cloudresourcemanager.Binding{
+				{
+					Role:    "role-1",
+					Members: []string{"deleted:serviceAccount:user-1", "user-2"},
+				},
+				{
+					Role:    "role-2",
+					Members: []string{"deleted:user:user-1"},
+				},
+				{
+					Role:    "role-1",
+					Members: []string{"serviceAccount:user-3"},
+				},
+				{
+					Role:    "role-2",
+					Members: []string{"user-2"},
+				},
+				{
+					Role:    "role-3",
+					Members: []string{"user-3"},
+				},
+			},
+			expect: map[iamBindingKey]map[string]struct{}{
+				iamBindingKey{"role-1", conditionKey{}}: {"deleted:serviceAccount:user-1": {}, "user-2": {}, "serviceAccount:user-3": {}},
+				iamBindingKey{"role-2", conditionKey{}}: {"deleted:user:user-1": {}, "user-2": {}},
+				iamBindingKey{"role-3", conditionKey{}}: {"user-3": {}},
+			},
+		},
 <% unless version == 'ga' -%>
 		{
 			input: []*cloudresourcemanager.Binding{