[nexus] Apply limits to affinity group memberships

[smklein]

Fixes #7627

[david-crespo]

Oh this is good. We were debating whether to bother with pagination in the console listing of instances in a group and groups for an instance, and now we definitely won't. cc @charliepark

[david-crespo]

Everything looks good. The only questions I have are

1. Is there a better error code than 400? Probably not. For #5914 I used InvalidValue but it's still a 400, plus it works differently — it's checking the length of an array that is actually present in the JSON.
2. It might be worth sticking the max in the doc string for the add endpoints. Kind of annoying to hard code it in two places but we will survive.
   

   omicron/common/src/api/external/mod.rs

   Lines 1781 to 1786 in 0c92213

   	/// Filters reduce the scope of a firewall rule. Without filters, the rule
   	/// applies to all packets to the targets (or from the targets, if it's an
   	/// outbound rule). With multiple filters, the rule applies only to packets
   	/// matching ALL filters. The maximum number of each type of filter is 256.
   	#[derive(Clone, Debug, PartialEq, Deserialize, Serialize, JsonSchema)]
   	pub struct VpcFirewallRuleFilter {

[smklein]

Everything looks good. The only questions I have are

1. Is there a better error code than 400? Probably not. For Limit number of firewall rules per VPC #5914 I used InvalidValue but it's still a 400, plus it works differently — it's checking the length of an array that is actually present in the JSON.

The other error I was considering was "InsufficientCapacity", which is 507? But that feels a little odd too; it's a limit to either the group/instance, which feels more object-specific than "server-specific".

2. It might be worth sticking the max in the doc string for the add endpoints. Kind of annoying to hard code it in two places but we will survive.
   

   omicron/common/src/api/external/mod.rs

   Lines 1781 to 1786 in 0c92213

   	/// Filters reduce the scope of a firewall rule. Without filters, the rule
   	/// applies to all packets to the targets (or from the targets, if it's an
   	/// outbound rule). With multiple filters, the rule applies only to packets
   	/// matching ALL filters. The maximum number of each type of filter is 256.
   	#[derive(Clone, Debug, PartialEq, Deserialize, Serialize, JsonSchema)]
   	pub struct VpcFirewallRuleFilter {

How about I add it to the AffinityGroupMember docs? With #7864, it'll also be possible to add memberships via instance create. (see: 161d381)