provider/aws: Revoke default ipv6 egress rule for aws_security_group (#15075)

Fixes: #14522

To follow similar work in IPv4, we are now going to revoke the default
IPv6 egress rule from an empty AWS security group

```
% make testacc TEST=./builtin/providers/aws/ TESTARGS='-run=TestAccAWSSecurityGroup_ipv4andipv6Egress'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/06/05 14:01:52 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws/ -v -run=TestAccAWSSecurityGroup_ipv4andipv6Egress -timeout 120m
=== RUN   TestAccAWSSecurityGroup_ipv4andipv6Egress
--- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (63.39s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/aws	63.423s
```

builtin/providers/aws/resource_aws_security_group.go

@@ -295,6 +295,34 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 				d.Id(), err)
 		}
 
+		log.Printf("[DEBUG] Revoking default IPv6 egress rule for Security Group for %s", d.Id())
+		req = &ec2.RevokeSecurityGroupEgressInput{
+			GroupId: createResp.GroupId,
+			IpPermissions: []*ec2.IpPermission{
+				{
+					FromPort: aws.Int64(int64(0)),
+					ToPort:   aws.Int64(int64(0)),
+					Ipv6Ranges: []*ec2.Ipv6Range{
+						{
+							CidrIpv6: aws.String("::/0"),
+						},
+					},
+					IpProtocol: aws.String("-1"),
+				},
+			},
+		}
+
+		_, err = conn.RevokeSecurityGroupEgress(req)
+		if err != nil {
+			//If we have a NotFound, then we are trying to remove the default IPv6 egress of a non-IPv6
+			//enabled SG
+			if ec2err, ok := err.(awserr.Error); ok && ec2err.Code() != "InvalidPermission.NotFound" {
+				return fmt.Errorf(
+					"Error revoking default IPv6 egress rule for Security Group (%s): %s",
+					d.Id(), err)
+			}
+		}
+
 	}
 
 	return resourceAwsSecurityGroupUpdate(d, meta)

builtin/providers/aws/resource_aws_security_group_test.go

@@ -1010,6 +1010,26 @@ func TestAccAWSSecurityGroup_egressWithPrefixList(t *testing.T) {
 	})
 }
 
+func TestAccAWSSecurityGroup_ipv4andipv6Egress(t *testing.T) {
+	var group ec2.SecurityGroup
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSecurityGroupDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSecurityGroupConfigIpv4andIpv6Egress,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSecurityGroupExists("aws_security_group.egress", &group),
+					resource.TestCheckResourceAttr(
+						"aws_security_group.egress", "egress.#", "2"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckAWSSecurityGroupSGandCidrAttributes(group *ec2.SecurityGroup) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		if *group.GroupName != "terraform_acceptance_test_example" {
@@ -2080,6 +2100,40 @@ resource "aws_security_group_rule" "allow_ipv6_cidr_block" {
 }
 `
 
+const testAccAWSSecurityGroupConfigIpv4andIpv6Egress = `
+resource "aws_vpc" "foo" {
+  cidr_block = "10.1.0.0/16"
+  assign_generated_ipv6_cidr_block = true
+  tags {
+      Name = "tf_sg_ipv4_and_ipv6_acc_test"
+  }
+}
+
+resource "aws_security_group" "egress" {
+  name = "terraform_acceptance_test_example"
+  description = "Used in the terraform acceptance tests"
+  vpc_id = "${aws_vpc.foo.id}"
+  ingress {
+      from_port = 22
+      to_port = 22
+      protocol = "6"
+      cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks  = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    ipv6_cidr_blocks  = ["::/0"]
+  }
+}
+`
+
 const testAccAWSSecurityGroupConfigPrefixListEgress = `
 resource "aws_vpc" "tf_sg_prefix_list_egress_test" {
     cidr_block = "10.0.0.0/16"