func-api-devices-backup-delete
Overview
Deploys the Lambda function that handles DELETE /devices/{uuid}/backup. Called by the Controller firmware to remove a stored configuration backup from S3 and clear last_backup_date from the device's DynamoDB record. Authenticates the request by verifying an ECDSA P-256 signature over SHA-256(nonce || timestamp). This route has no Cognito JWT authorizer — it is authenticated solely by the device's cryptographic signature.
CloudFormation Stack
firefly-func-api-devices-backup-delete
CloudWatch Logs
| Setting | Value |
|---|---|
| Log group | /aws/lambda/firefly-func-api-devices-backup-delete |
| Retention | 30 days |
Dependencies
Deploy Dependencies
| Workflow | Reason |
|---|---|
| api-gateway | ApiId resolved from stack outputs |
| dynamodb-devices | Table must exist before the function is deployed and granted read/write access |
| shared-layer | Lambda layer must exist before function deployment |
| s3-device-backups | S3 bucket must exist before the function is deployed and granted delete access |
Delete Dependencies
None — this workflow has no prerequisites.
Required By
Required By Deploy
| Workflow | Reason |
|---|---|
| run-integration-tests | Endpoint must be live before integration tests run |
Required By Delete
| Workflow | Reason |
|---|---|
| delete-api-gateway | Route registration must be removed before the API Gateway stack is deleted |
| delete-dynamodb-devices | IAM permissions referencing the table must be removed first |
| delete-shared-layer | Layer reference must be removed before the layer stack is deleted |
| delete-s3-device-backups | IAM permissions referencing the bucket must be removed first |
IAM Permissions
The Lambda execution role (firefly-func-api-devices-backup-delete-role) is granted:
dynamodb:GetItem,dynamodb:UpdateItemonfirefly-devicess3:DeleteObjecton the device backups bucketappconfig:StartConfigurationSession,appconfig:GetLatestConfigurationon*
Deploy Workflow
Description
Resolves the HTTP API Gateway ID, shared layer ARN, and AppConfig extension layer ARN from CloudFormation stack outputs. Installs cryptography, cffi, and pycparser as arm64 binary dependencies alongside the Lambda source, then performs a SAM deploy.
Steps
- Configure AWS credentials.
- Look up
ApiIdfrom thefirefly-api-gatewaystack output. - Look up
SharedLayerArnfrom thefirefly-shared-layerstack output. - Look up
AppConfigExtensionLayerArnfrom thefirefly-shared-layerstack output. - Install Python arm64 dependencies into
lambdas/func-api-devices-backup-delete/. - SAM deploy
firefly-func-api-devices-backup-deletewith parameters:ApiIdSharedLayerArnAppConfigExtensionLayerArnBackupBucketName
Delete Workflow
Description
Calls sam delete to remove the Lambda function, its IAM role, and the API Gateway route integration. Also deletes the CloudWatch log group.
Steps
- Configure AWS credentials.
- SAM delete
firefly-func-api-devices-backup-delete. - Delete CloudWatch log group
/aws/lambda/firefly-func-api-devices-backup-delete.
Failure Scenarios
| Scenario | Behavior |
|---|---|
firefly-api-gateway stack not found | describe-stacks returns an error; workflow fails before SAM deploy. Deploy api-gateway first. |
firefly-dynamodb-devices stack not deployed | Function deploys but returns errors at runtime. Deploy dynamodb-devices first. |
firefly-shared-layer stack not found | Layer ARN lookup fails; SAM deploy is not attempted. Deploy shared-layer first. |
firefly-s3-device-backups stack not deployed | Function deploys but S3 operations fail at runtime. Deploy s3-device-backups first. |
| Device UUID not found | Lambda returns 401 Unauthorized. |
| Timestamp outside the acceptance window | Lambda returns 401 Unauthorized. |
| Invalid or mismatched signature | Lambda returns 401 Unauthorized. |