func-api-devices-backup-post
Overview
Deploys the Lambda function that handles POST /devices/{uuid}/backup. Called by the Controller firmware to upload an encrypted configuration backup to S3. Authenticates the request by verifying an ECDSA P-256 signature over SHA-256(nonce || timestamp) using the public key stored at registration time. This route has no Cognito JWT authorizer — it is authenticated solely by the device's cryptographic signature.
CloudFormation Stack
firefly-func-api-devices-backup-post
CloudWatch Logs
| Setting | Value |
|---|---|
| Log group | /aws/lambda/firefly-func-api-devices-backup-post |
| Retention | 30 days |
Dependencies
Deploy Dependencies
| Workflow | Reason |
|---|---|
| api-gateway | ApiId resolved from stack outputs |
| dynamodb-devices | Table must exist before the function is deployed and granted read/write access |
| shared-layer | Lambda layer must exist before function deployment |
| s3-device-backups | S3 bucket must exist before the function is deployed and granted put/head access |
Delete Dependencies
None — this workflow has no prerequisites.
Required By
Required By Deploy
| Workflow | Reason |
|---|---|
| run-integration-tests | Endpoint must be live before integration tests run |
Required By Delete
| Workflow | Reason |
|---|---|
| delete-api-gateway | Route registration must be removed before the API Gateway stack is deleted |
| delete-dynamodb-devices | IAM permissions referencing the table must be removed first |
| delete-shared-layer | Layer reference must be removed before the layer stack is deleted |
| delete-s3-device-backups | IAM permissions referencing the bucket must be removed first |
IAM Permissions
The Lambda execution role (firefly-func-api-devices-backup-post-role) is granted:
dynamodb:GetItem,dynamodb:UpdateItemonfirefly-devicess3:PutObject,s3:HeadObjecton the device backups bucketappconfig:StartConfigurationSession,appconfig:GetLatestConfigurationon*
Deploy Workflow
Description
Resolves the HTTP API Gateway ID, shared layer ARN, and AppConfig extension layer ARN from CloudFormation stack outputs. Installs cryptography, cffi, and pycparser as arm64 binary dependencies alongside the Lambda source, then performs a SAM deploy.
Steps
- Configure AWS credentials.
- Look up
ApiIdfrom thefirefly-api-gatewaystack output. - Look up
SharedLayerArnfrom thefirefly-shared-layerstack output. - Look up
AppConfigExtensionLayerArnfrom thefirefly-shared-layerstack output. - Install Python arm64 dependencies into
lambdas/func-api-devices-backup-post/. - SAM deploy
firefly-func-api-devices-backup-postwith parameters:ApiIdSharedLayerArnAppConfigExtensionLayerArnBackupBucketName
Delete Workflow
Description
Calls sam delete to remove the Lambda function, its IAM role, and the API Gateway route integration. Also deletes the CloudWatch log group.
Steps
- Configure AWS credentials.
- SAM delete
firefly-func-api-devices-backup-post. - Delete CloudWatch log group
/aws/lambda/firefly-func-api-devices-backup-post.
Failure Scenarios
| Scenario | Behavior |
|---|---|
firefly-api-gateway stack not found | describe-stacks returns an error; workflow fails before SAM deploy. Deploy api-gateway first. |
firefly-dynamodb-devices stack not deployed | Function deploys but returns errors at runtime. Deploy dynamodb-devices first. |
firefly-shared-layer stack not found | Layer ARN lookup fails; SAM deploy is not attempted. Deploy shared-layer first. |
firefly-s3-device-backups stack not deployed | Function deploys but S3 operations fail at runtime. Deploy s3-device-backups first. |
| Device UUID not found | Lambda returns 401 Unauthorized. |
| Timestamp outside the acceptance window | Lambda returns 401 Unauthorized. |
| Invalid or mismatched signature | Lambda returns 401 Unauthorized. |
| Body not valid FFCE format | Lambda returns 400 Bad Request. |