From 739e22b89b2c41db7f65e10405a374e9116dd3d3 Mon Sep 17 00:00:00 2001
From: Shagupta Shaikh <58999292+shaguptashaikh@users.noreply.github.com>
Date: Mon, 22 Nov 2021 17:28:23 -0800
Subject: [PATCH] fix: do not fail deployment when missing permission to get
 thing group hierarchy (#1137)

---
 .../deployment/DefaultDeploymentTask.java           | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/main/java/com/aws/greengrass/deployment/DefaultDeploymentTask.java b/src/main/java/com/aws/greengrass/deployment/DefaultDeploymentTask.java
index d42d59e9fb..4dca5f901e 100644
--- a/src/main/java/com/aws/greengrass/deployment/DefaultDeploymentTask.java
+++ b/src/main/java/com/aws/greengrass/deployment/DefaultDeploymentTask.java
@@ -22,6 +22,7 @@
 import com.aws.greengrass.util.Coerce;
 import com.vdurmont.semver4j.Semver;
 import lombok.Getter;
+import software.amazon.awssdk.services.greengrassv2data.model.GreengrassV2DataException;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -194,6 +195,18 @@ private Map<String, Set<ComponentIdentifier>> getNonTargetGroupToRootPackagesMap
         Optional<Set<String>> groupsForDeviceOpt;
         try {
             groupsForDeviceOpt = thingGroupHelper.listThingGroupsForDevice(retryCount);
+        } catch (GreengrassV2DataException e) {
+            if (e.statusCode() == 403) {
+                // Getting group hierarchy requires permission to call the ListThingGroupsForCoreDevice API which
+                // may not be configured on existing IoT Thing policy in use for current device, log a warning in
+                // that case and move on.
+                logger.atWarn().setCause(e).log("Failed to get thing group hierarchy. Deployment will proceed. "
+                        + "To automatically clean up unused components, please add "
+                        + "greengrass:ListThingGroupsForCoreDevice permission to your IoT Thing policy.");
+                groupsForDeviceOpt = getPersistedMembershipInfo();
+            } else {
+                throw new DeploymentTaskFailureException("Error fetching thing group information", e);
+            }
         } catch (Exception e) {
             if (isLocalDeployment && ThingGroupHelper.DEVICE_OFFLINE_INDICATIVE_EXCEPTIONS.contains(e.getClass())) {
                 logger.atWarn().setCause(e).log("Failed to get thing group hierarchy, local deployment will proceed");