Azure/Aws resources should not hard fail on API exceptions

[jquick]

A profile needs to be executable, but a control may fail. We currently throw exceptions for resources that stop full profile execution, resulting in no report. This will lead to issues if we expect json output e.g in Chef Automate. The controls needs to fail (ie, have a failure outcome but absorb any exceptions) if the resource cannot be executed, but we need to generate a report.

We should hook into the fail_resource if the resource connection is bad saying such.

[clintoncwolfe]

The example @chris-rock gave - in which a run hard-failed with "The specified log group does not exist" - is not a connection error. It's an uncaught AWS API exception.

[clintoncwolfe]

For AWS resources, we may be able to wrap the call to fetch_from_api - which gets called in the constructor for both AwsSingularResourceMixin and AwsPluralResourceMixin "mixees".

[clintoncwolfe]

@chris-rock , @jquick, @arlimus - Here is an example of intercepting a missing credentials exception, failing the controls individually, and issuing a log error message (the default AWS error message here is "unable to sign request without credentials set")

[cwolfe@lodi inspec]$ be bin/inspec exec test/aws/default/verify/controls/aws_cloudwatch_alarm.rb -t aws://us-east-2
[2018-02-12T15:28:33-05:00] ERROR: It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details.
[2018-02-12T15:28:33-05:00] ERROR: It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details.

Profile: tests from test/aws/default/verify/controls/aws_cloudwatch_alarm.rb (tests from test.aws.default.verify.controls.aws_cloudwatch_alarm.rb)
Version: (not specified)
Target:  aws://us-east-2

  ∅  aws_cloudwatch_alarm recall: aws_cloudwatch_alarm (2 failed)
     ∅  aws_cloudwatch_alarm
     No AWS credentials available
     ∅  aws_cloudwatch_alarm
     No AWS credentials available


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 2 failures, 0 skipped

So, I'm issuing a long-form message via Inspec::Log.error, and a short message via fail_resource.

[clintoncwolfe]

In progress on branch cw/catch-cloud-exceptions

[clintoncwolfe]

Fixed by #2636