dynamodb-registration-keys
Overview
Provisions the DynamoDB table that holds one-time device registration keys. Keys have a 30-minute TTL enforced by DynamoDB's TTL feature. The deploy workflow includes import logic to adopt an existing table into CloudFormation without data loss.
CloudFormation Stack
firefly-dynamodb-registration-keys
Dependencies
Deploy Dependencies
None — this workflow has no prerequisites.
Delete Dependencies
| Workflow | Reason |
|---|---|
| delete-func-api-registration-keys-post | Lambda IAM permissions referencing this table must be removed first |
| delete-func-api-registration-keys-get | Lambda IAM permissions referencing this table must be removed first |
| delete-func-api-devices-register-post | Lambda IAM permissions referencing this table must be removed first |
Required By
Required By Deploy
| Workflow | Reason |
|---|---|
| func-api-registration-keys-post | Table must exist before the function is deployed and granted write access |
| func-api-registration-keys-get | Table must exist before the function is deployed and granted scan access |
| func-api-devices-register-post | Table must exist before the function is deployed and granted read/delete access |
Required By Delete
None.
Deploy Workflow
Description
Deploys the firefly-dynamodb-registration-keys CloudFormation stack. The workflow includes import logic to handle the case where the DynamoDB table already exists but the CloudFormation stack does not — this allows adopting a pre-existing table without data loss.
Normal path (stack exists): runs aws cloudformation deploy with --no-fail-on-empty-changeset.
Import path (table exists, stack does not):
- Creates a CloudFormation IMPORT changeset to adopt the existing table.
- Waits for the changeset to reach CREATE_COMPLETE.
- Executes the changeset and waits for IMPORT_COMPLETE.
- Runs a second aws cloudformation deploy to add the Outputs section (omitted from the import template body).
Fresh path (neither stack nor table exists): runs aws cloudformation deploy normally.
Steps
- Configure AWS credentials.
- Run the Python deploy script, which:
  - Checks whether the firefly-dynamodb-registration-keys CloudFormation stack exists.
  - Checks whether the firefly-registration-keys DynamoDB table exists.
  - Follows the appropriate deploy path (normal, import, or fresh) as described above.
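The path selection and import sequence from the steps above, as an added example rather than the project's deploy script. The logical ID RegistrationKeysTable and the change set name are assumptions; any error other than "not found" is re-raised so a permissions failure is never mistaken for a missing stack or table.

```python
# Added example, not the project's deploy script. Takes boto3-style clients
# (boto3.client("cloudformation"), boto3.client("dynamodb")) as arguments.
STACK = "firefly-dynamodb-registration-keys"
TABLE = "firefly-registration-keys"
LOGICAL_ID = "RegistrationKeysTable"         # assumed: logical ID in the template
CHANGE_SET = "import-registration-keys"      # assumed: any unused change set name

def _error(exc):
    """Return (code, message) from a botocore ClientError-shaped exception."""
    err = getattr(exc, "response", {}).get("Error", {})
    return err.get("Code"), err.get("Message", "")

def stack_exists(cfn):
    try:
        cfn.describe_stacks(StackName=STACK)
        return True
    except Exception as exc:
        code, msg = _error(exc)
        if code == "ValidationError" and "does not exist" in msg:
            return False
        raise  # AccessDenied, throttling, etc. must not read as "missing"

def table_exists(ddb):
    try:
        ddb.describe_table(TableName=TABLE)
        return True
    except Exception as exc:
        if _error(exc)[0] == "ResourceNotFoundException":
            return False
        raise

def choose_path(cfn, ddb):
    """Return "normal", "import" or "fresh" as defined in the Description."""
    if stack_exists(cfn):
        return "normal"
    return "import" if table_exists(ddb) else "fresh"

def import_table(cfn, template_body):
    """Adopt the existing table; template_body is the import template (no Outputs)."""
    cfn.create_change_set(
        StackName=STACK, ChangeSetName=CHANGE_SET, ChangeSetType="IMPORT",
        TemplateBody=template_body,
        ResourcesToImport=[{"ResourceType": "AWS::DynamoDB::Table",
                            "LogicalResourceId": LOGICAL_ID,
                            "ResourceIdentifier": {"TableName": TABLE}}])
    cfn.get_waiter("change_set_create_complete").wait(
        StackName=STACK, ChangeSetName=CHANGE_SET)
    cfn.execute_change_set(StackName=STACK, ChangeSetName=CHANGE_SET)
    cfn.get_waiter("stack_import_complete").wait(StackName=STACK)
```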
Delete Workflow
Description
Calls sam delete to remove the firefly-dynamodb-registration-keys stack and its associated DynamoDB table. All Lambda functions that reference this table must be deleted first.
The table has DeletionProtectionEnabled: true — deletion protection must be manually disabled in the AWS Console before the stack can be deleted.
Steps
- Configure AWS credentials.
- SAM delete firefly-dynamodb-registration-keys.
Failure Scenarios
| Scenario | Behavior |
|---|---|
| Table exists, stack does not | Deploy workflow runs the import path to adopt the table into CloudFormation. |
| Deletion protection enabled | Stack deletion fails with DELETE_FAILED. Disable deletion protection on the table in the AWS Console, then re-run. |
| Dependent Lambda stacks not deleted first | Stack deletion fails because IAM resource-based policies still reference the table. Delete Lambda stacks first. |