wip - aws.ecr - log warning on access denied instead of raising

[thisisshi]

ECR's resource level IAM policies causes custodian to error out if a single repository denies access to custodian's role. This pr logs the error as a warning in the logs and continues on to the rest of the resources. Also fixes this for get lifecycle policy

Traceback (most recent call last):
File "/src/c7n/policy.py", line 232, in run
resources = self.policy.resource_manager.resources()
File "/src/c7n/query.py", line 421, in resources
resources = self.filter_resources(resources)
File "/src/c7n/manager.py", line 105, in filter_resources
resources = f.process(resources, event)
File "/src/c7n/resources/ecr.py", line 116, in process
resources = list(filter(None, w.map(_augment, resources)))
File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 586, in result_iterator
yield fs.pop().result()
File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 432, in result
return self.__get_result()
File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
raise self._exception
File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
result = self.fn(*self.args, **self.kwargs)
File "/src/c7n/resources/ecr.py", line 109, in _augment
repositoryName=r['repositoryName'])['policyText']
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetRepositoryPolicy operation: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/CloudCustodian is not authorized to perform: ecr:GetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:xxxxxxxxxxxx:repository/test with an explicit deny

[kapilt]

maybe not for this pr, but i feel like we really need to have these captured and a way to track signal a policy's failure on a partial like this. warning log messages just haven't been cutting at it scale, i don't get the sense any one looks at the logs typically.

[thisisshi]

@kapilt yeah, I was originally going to add in the c7n:DeniedMethods attribute to cross-account but in the case that the resource fails to get a repository policy, you would never be able to see it in the output. Additionally, when you wrap the cross account filter in a not block, the annotated key is removed.

[kapilt]

wrt to tests, perhaps worth looking at how i was doing it for ebs snapshot not found when tagging pr

[kapilt]

some changes got pushed to this that now unconditionally and without logging swallow all other exceptions ...