We have had people outside of Juju's control change security group rules to both add and remove rules. When Juju goes to perform an action such as removing a rule that doesn't exist or adding a rule that already exists in the security group, we are getting errors from AWS such as "not found" or "already exists".
If we are doing a security group removal operation and we get a not found error, then we should consider this a success for the purpose of our state. Vice versa, if we are adding a rule and it already exists, this shouldn't be an error.
Provided is some Juju output of the problem.
```
"errorCode": "Client.InvalidPermission.Duplicate",
"errorMessage": "the specified rule \"peer: 172.20.0.0/16, TCP, from port: 8082, to port: 8082, ALLOW\" already exists",
2023-09-28 05:50:10 ERROR juju.worker.dependency engine.go:695 "firewaller" manifold worker returned unexpected error: cannot close ports: operation error EC2: RevokeSecurityGroupIngress, https response error StatusCode: 400, RequestID: 7530a36f-99ca-41d9-8967-b13636f0fd0d, api error InvalidPermission.NotFound: The specified rule does not exist in this security group.
```
https://pastebin.ubuntu.com/p/sX4TyYtH4K/
This should just be a case of matching on the AWS strong error types and returning a well-typed Juju error to the firewaller worker to make a decision on.
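One way to do the matching described above, as an added example that is not Juju's code: the `apiError` interface mirrors the `ErrorCode`/`ErrorMessage` methods of smithy-go's `APIError`, which aws-sdk-go-v2 service errors implement, so the real SDK is not imported here; the `ErrRule*` sentinels, `openPorts`/`closePorts` and `fakeEC2Error` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)
// Typed errors handed back to the firewaller (hypothetical names, not Juju's own).
var (
	ErrRuleAlreadyExists = errors.New("security group rule already exists")
	ErrRuleNotFound      = errors.New("security group rule not found")
)
// apiError mirrors smithy-go's APIError methods, which aws-sdk-go-v2 service errors
// implement, so errors.As reaches the real error through its wrappers without the SDK.
type apiError interface {
	error
	ErrorCode() string
	ErrorMessage() string
}
// classifyRuleError maps the two EC2 codes from the report to typed errors; everything
// else (nil, non-API errors, other codes such as UnauthorizedOperation) passes through.
func classifyRuleError(err error) error {
	var ae apiError
	if err == nil || !errors.As(err, &ae) {
		return err
	}
	switch ae.ErrorCode() {
	case "InvalidPermission.Duplicate":
		return fmt.Errorf("%w: %s", ErrRuleAlreadyExists, ae.ErrorMessage())
	case "InvalidPermission.NotFound":
		return fmt.Errorf("%w: %s", ErrRuleNotFound, ae.ErrorMessage())
	}
	return err
}
// ignoreAlreadyDone returns nil only for the one typed error meaning the desired state
// already holds; the opposite code and unrelated failures still reach the worker.
func ignoreAlreadyDone(err, alreadyDone error) error {
	if err = classifyRuleError(err); errors.Is(err, alreadyDone) {
		return nil
	}
	return err
}
// A duplicate rule is fine when opening ports; a missing rule is fine when closing them.
func openPorts(authorize func() error) error { return ignoreAlreadyDone(authorize(), ErrRuleAlreadyExists) }
func closePorts(revoke func() error) error { return ignoreAlreadyDone(revoke(), ErrRuleNotFound) }
// fakeEC2Error is a constructed stand-in for an SDK error (the real one arrives wrapped).
type fakeEC2Error struct{ code, msg string }
func (e *fakeEC2Error) Error() string        { return e.code + ": " + e.msg }
func (e *fakeEC2Error) ErrorCode() string    { return e.code }
func (e *fakeEC2Error) ErrorMessage() string { return e.msg }
```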
@tlmiller I cannot reproduce this, maybe I'm doing something wrong. This is the scenario I'm following (both juju 3.1.7 and 3.3.1):
```
juju bootstrap aws/eu-west-3 c
juju add-model m
juju deploy ubuntu
juju exec --unit ubuntu/0 open-port 8080/tcp
```
At this point I see the logs
```
controller-0: 18:34:11 INFO juju.worker.firewaller opened port ranges [8080/tcp from 0.0.0.0/0,::/0] on "machine-0"
```
And the inbound rule has been correctly added to the security group.
Now, if I manually remove the rule from the security group in the AWS console, and then run:
```
juju unexpose ubuntu
```
then I see the logs
```
controller-0: 18:35:16 INFO juju.worker.firewaller closed port ranges [8080/tcp from 0.0.0.0/0,::/0] on "machine-0"
```
And no error.
The same happens the other way around (if I manually create the rule before exposing the app).
Do you have a reproducer?