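// updateKmsKeyStatus enables or disables the KMS key identified by id (sent
// as KeyId to the KMS API) and then blocks until DescribeKey reports the
// requested state.
//
// KMS is eventually consistent, so a single DescribeKey that agrees is not
// taken as proof: the wait requires the target state to be observed ten
// times in a row (ContinuousTargetOccurence) and gives up after 20 minutes.
//
// Disabling a key blocks every cryptographic operation that depends on it
// until it is re-enabled, so callers should treat shouldBeEnabled=false as a
// potentially disruptive change rather than a cosmetic one.
//
// Returns nil once the key has been observed in the requested state, or an
// error if the Enable/Disable call fails, DescribeKey fails or returns a
// response without an enabled flag, or the target state is not reached
// within the timeout.
func updateKmsKeyStatus(conn *kms.KMS, id string, shouldBeEnabled bool) error {
	var err error
	if shouldBeEnabled {
		log.Printf("[DEBUG] Enabling KMS key %q", id)
		_, err = conn.EnableKey(&kms.EnableKeyInput{
			KeyId: aws.String(id),
		})
	} else {
		log.Printf("[DEBUG] Disabling KMS key %q", id)
		_, err = conn.DisableKey(&kms.DisableKeyInput{
			KeyId: aws.String(id),
		})
	}
	if err != nil {
		return fmt.Errorf("Failed to set KMS key %q status to %t: %q", id, shouldBeEnabled, err.Error())
	}

	// Wait for propagation since KMS is eventually consistent. States are the
	// string form of the Enabled flag ("true"/"false") so the pending and
	// target sets are simply the two opposite values.
	// (ContinuousTargetOccurence is spelled as the helper package defines it.)
	target := fmt.Sprintf("%t", shouldBeEnabled)
	pending := fmt.Sprintf("%t", !shouldBeEnabled)
	wait := resource.StateChangeConf{
		Pending:                   []string{pending},
		Target:                    []string{target},
		Timeout:                   20 * time.Minute,
		MinTimeout:                2 * time.Second,
		ContinuousTargetOccurence: 10,
		Refresh: func() (interface{}, string, error) {
			log.Printf("[DEBUG] Checking if KMS key %s enabled status is %t", id, shouldBeEnabled)
			resp, err := conn.DescribeKey(&kms.DescribeKeyInput{
				KeyId: aws.String(id),
			})
			if err != nil {
				return resp, "FAILED", err
			}
			// Do not dereference Enabled blindly: a response with a missing
			// KeyMetadata or Enabled pointer would otherwise panic the whole
			// provider. Surface it as an error so the wait stops instead of
			// spinning until the timeout.
			if resp == nil || resp.KeyMetadata == nil || resp.KeyMetadata.Enabled == nil {
				return resp, "FAILED", fmt.Errorf("DescribeKey for KMS key %q returned no enabled status", id)
			}
			status := fmt.Sprintf("%t", *resp.KeyMetadata.Enabled)
			log.Printf("[DEBUG] KMS key %s status received: %s, retrying", id, status)
			return resp, status, nil
		},
	}
	_, err = wait.WaitForState()
	if err != nil {
		return fmt.Errorf("Failed setting KMS key status to %t: %s", shouldBeEnabled, err)
	}
	return nil
}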