provider/aws: Fix WAF IPSet descriptors removal on update

[radeksimko]

Closes #10403
Closes #10914

Before this patch we were never deleting descriptors from the IPSet except when deleting the whole IPSet. We were always just inserting more.

Fortunately because the Read() is implemented correctly we keep track of all descriptors, including the ones that user wanted to delete, but weren't deleted. That is how users can recover from the buggy state as we can just delete descriptors we know about.

TL;DR It should be sufficient to just re-apply after the bugfix was released to recover.

Test plan

make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSWafIPSet_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/04/19 14:05:36 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSWafIPSet_ -timeout 120m
=== RUN   TestAccAWSWafIPSet_basic
--- PASS: TestAccAWSWafIPSet_basic (58.86s)
=== RUN   TestAccAWSWafIPSet_disappears
--- PASS: TestAccAWSWafIPSet_disappears (60.86s)
=== RUN   TestAccAWSWafIPSet_changeNameForceNew
--- PASS: TestAccAWSWafIPSet_changeNameForceNew (119.98s)
=== RUN   TestAccAWSWafIPSet_changeDescriptors
--- PASS: TestAccAWSWafIPSet_changeDescriptors (97.32s)
=== RUN   TestAccAWSWafIPSet_noDescriptors
--- PASS: TestAccAWSWafIPSet_noDescriptors (36.35s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/aws	373.406s

cc @yusukegoto I think the same bugs exists in your PR too, so feel free to cherry-pick from here.

btw. I believe there's very similar bug affecting byte match set which I plan to fix too.

[catsby]

LGTM!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.