Handle service account key 403 on nonexistent resource requested (#1900)

* 403 on delete / read should count as deleted for this product.

google/resource_google_service_account_key.go

@@ -2,6 +2,7 @@ package google
 
 import (
 	"fmt"
+	"log"
 
 	"github.com/hashicorp/terraform/helper/encryption"
 	"github.com/hashicorp/terraform/helper/schema"
@@ -138,7 +139,18 @@ func resourceGoogleServiceAccountKeyRead(d *schema.ResourceData, meta interface{
 	// Confirm the service account key exists
 	sak, err := config.clientIAM.Projects.ServiceAccounts.Keys.Get(d.Id()).PublicKeyType(publicKeyType).Do()
 	if err != nil {
-		return handleNotFoundError(err, d, fmt.Sprintf("Service Account Key %q", d.Id()))
+		if err = handleNotFoundError(err, d, fmt.Sprintf("Service Account Key %q", d.Id())); err == nil {
+			return nil
+		} else {
+			// This resource also returns 403 when it's not found.
+			if isGoogleApiErrorWithCode(err, 403) {
+				log.Printf("[DEBUG] Got a 403 error trying to read service account key %s, assuming it's gone.", d.Id())
+				d.SetId("")
+				return nil
+			} else {
+				return err
+			}
+		}
 	}
 
 	d.Set("name", sak.Name)
@@ -151,8 +163,20 @@ func resourceGoogleServiceAccountKeyDelete(d *schema.ResourceData, meta interfac
 	config := meta.(*Config)
 
 	_, err := config.clientIAM.Projects.ServiceAccounts.Keys.Delete(d.Id()).Do()
+
 	if err != nil {
-		return handleNotFoundError(err, d, fmt.Sprintf("Service Account Key %q", d.Id()))
+		if err = handleNotFoundError(err, d, fmt.Sprintf("Service Account Key %q", d.Id())); err == nil {
+			return nil
+		} else {
+			// This resource also returns 403 when it's not found.
+			if isGoogleApiErrorWithCode(err, 403) {
+				log.Printf("[DEBUG] Got a 403 error trying to read service account key %s, assuming it's gone.", d.Id())
+				d.SetId("")
+				return nil
+			} else {
+				return err
+			}
+		}
 	}
 
 	d.SetId("")