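// vpnGatewayAttachStateRefreshFunc returns a resource.StateRefreshFunc that
// polls DescribeVPNGateways for the gateway identified by id and reports the
// state of its first VPC attachment.
//
// The returned function yields:
//   - (nil, "", nil) when the gateway is not found (the API returned
//     InvalidVpnGatewayID.NotFound or an empty result);
//   - (nil, "", err) for any other API error;
//   - (gateway, "detached", nil) when the gateway has no VPC attachments;
//   - (gateway, state, nil) with the first attachment's state otherwise.
//
// NOTE(review): once more than 10 seconds have passed since the first poll,
// the function returns expected without looking at the attachment state the
// API reported. A waiter built on it can therefore report an attach or detach
// as complete when it has not taken effect, leaving the recorded state out of
// step with the real VPC attachment. The behaviour is kept for compatibility;
// callers that rely on a gateway really being detached from a VPC should
// re-read the attachment afterwards.
func vpnGatewayAttachStateRefreshFunc(conn *ec2.EC2, id string, expected string) resource.StateRefreshFunc {
	// Set on the first poll so the 10-second window is measured from when
	// polling starts, not from when the closure was created.
	var start time.Time

	return func() (interface{}, string, error) {
		if start.IsZero() {
			start = time.Now()
		}

		resp, err := conn.DescribeVPNGateways(&ec2.DescribeVPNGatewaysInput{
			VPNGatewayIDs: []*string{aws.String(id)},
		})
		if err != nil {
			ec2err, ok := err.(awserr.Error)
			if !ok || ec2err.Code() != "InvalidVpnGatewayID.NotFound" {
				log.Printf("[ERROR] Error on VpnGatewayStateRefresh: %s", err)
				return nil, "", err
			}
			// Not found is handled below like an empty result.
			resp = nil
		}

		// AWS is eventually consistent and may not see the gateway yet.
		// An empty result list is handled the same way, so it can no longer
		// cause an index-out-of-range panic below.
		if resp == nil || len(resp.VPNGateways) == 0 || resp.VPNGateways[0] == nil {
			return nil, "", nil
		}

		vpnGateway := resp.VPNGateways[0]

		if time.Since(start) > 10*time.Second {
			// The expected state is assumed here, not observed; log it so the
			// assumption is visible when diagnosing state drift.
			log.Printf("[WARN] VPN gateway %s: assuming attachment state %q after 10s without verifying it", id, expected)
			return vpnGateway, expected, nil
		}

		if len(vpnGateway.VPCAttachments) == 0 {
			// No attachments, we're detached
			return vpnGateway, "detached", nil
		}

		attachment := vpnGateway.VPCAttachments[0]
		if attachment == nil || attachment.State == nil {
			// The API gave no state for the attachment; report an empty
			// state rather than dereferencing a nil pointer.
			return vpnGateway, "", nil
		}

		return vpnGateway, *attachment.State, nil
	}
}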