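// updateKmsKeyRotationStatus sets automatic key rotation on the KMS key
// identified by d.Id() to the value of the "enable_key_rotation" attribute,
// then polls GetKeyRotationStatus until the key reports that value.
//
// The setting is read back rather than assumed from the success of the
// enable/disable call, so a rotation change that did not take effect
// surfaces as an error instead of being recorded as applied.
//
// It returns an error if the enable/disable call fails, if a status read
// fails or carries no KeyRotationEnabled value, or if the wait does not
// settle on the requested value before the timeout.
func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error {
	var err error

	shouldEnableRotation := d.Get("enable_key_rotation").(bool)
	if shouldEnableRotation {
		log.Printf("[DEBUG] Enabling key rotation for KMS key %q", d.Id())
		_, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{
			KeyId: aws.String(d.Id()),
		})
	} else {
		log.Printf("[DEBUG] Disabling key rotation for KMS key %q", d.Id())
		_, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{
			KeyId: aws.String(d.Id()),
		})
	}
	if err != nil {
		return fmt.Errorf("Failed to set key rotation for %q to %t: %q",
			d.Id(), shouldEnableRotation, err.Error())
	}

	// Wait for propagation since KMS is eventually consistent.
	wait := resource.StateChangeConf{
		// States are the "%t" rendering of the rotation flag: the opposite of
		// the requested value is pending, the requested value is the target.
		Pending:    []string{fmt.Sprintf("%t", !shouldEnableRotation)},
		Target:     []string{fmt.Sprintf("%t", shouldEnableRotation)},
		Timeout:    5 * time.Minute,
		MinTimeout: 1 * time.Second,
		// Require the target value on several consecutive reads so that one
		// read which happens to show the new value does not end the wait early.
		ContinuousTargetOccurence: 5,
		Refresh: func() (interface{}, string, error) {
			log.Printf("[DEBUG] Checking if KMS key %s rotation status is %t",
				d.Id(), shouldEnableRotation)
			resp, err := conn.GetKeyRotationStatus(&kms.GetKeyRotationStatusInput{
				KeyId: aws.String(d.Id()),
			})
			if err != nil {
				return resp, "FAILED", err
			}
			// Guard the dereference below: a response without the flag would
			// otherwise panic. Treat it as a failed read, not as "disabled".
			if resp == nil || resp.KeyRotationEnabled == nil {
				return resp, "FAILED", fmt.Errorf(
					"KMS key %q: rotation status response did not include KeyRotationEnabled", d.Id())
			}
			status := fmt.Sprintf("%t", *resp.KeyRotationEnabled)
			log.Printf("[DEBUG] KMS key %s rotation status received: %s, retrying",
				d.Id(), status)

			return resp, status, nil
		},
	}

	_, err = wait.WaitForState()
	if err != nil {
		return fmt.Errorf("Failed setting KMS key rotation status to %t: %s", shouldEnableRotation, err)
	}

	return nil
}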