func-api-devices-register-post
Overview
Deploys the Lambda function that handles POST /devices/register. Validates a one-time registration key, writes the device record to firefly-devices, and deletes the consumed key. This route is not Cognito-authenticated — it is authenticated solely by the X-Registration-Key header supplied by the HW-Reg application.
CloudFormation Stack
firefly-func-api-devices-register-post
CloudWatch Logs
| Setting | Value |
|---|---|
| Log group | /aws/lambda/firefly-func-api-devices-register-post |
| Retention | 30 days |
Dependencies
Deploy Dependencies
| Workflow | Reason |
|---|---|
| api-gateway | ApiId resolved from stack outputs |
| dynamodb-devices | Table must exist before the function is deployed and granted write access |
| dynamodb-registration-keys | Table must exist before the function is deployed and granted read/delete access |
| shared-layer | Lambda layer must exist before function deployment |
Delete Dependencies
None — this workflow has no prerequisites.
Required By
Required By Deploy
| Workflow | Reason |
|---|---|
| run-integration-tests | Endpoint must be live before integration tests run |
Required By Delete
| Workflow | Reason |
|---|---|
| delete-api-gateway | Route registration must be removed before the API Gateway stack is deleted |
| delete-dynamodb-devices | IAM permissions referencing the table must be removed first |
| delete-dynamodb-registration-keys | IAM permissions referencing the table must be removed first |
| delete-shared-layer | Layer reference must be removed before the layer stack is deleted |
IAM Permissions
The Lambda execution role (firefly-func-api-devices-register-post-role) is granted:
- dynamodb:GetItem, dynamodb:PutItem on firefly-devices
- dynamodb:GetItem, dynamodb:DeleteItem on firefly-registration-keys
- appconfig:StartConfigurationSession, appconfig:GetLatestConfiguration on *
Deploy Workflow
Description
Resolves the HTTP API Gateway ID, shared layer ARN, and AppConfig extension layer ARN from CloudFormation stack outputs, then performs a SAM deploy. This function does not use a JWT authorizer — no AuthorizerId parameter is needed.
Steps
- Configure AWS credentials.
- Look up ApiId from the firefly-api-gateway stack output.
- Look up SharedLayerArn from the firefly-shared-layer stack output.
- Look up AppConfigExtensionLayerArn from the firefly-shared-layer stack output.
- SAM deploy firefly-func-api-devices-register-post with parameters:
  - ApiId
  - SharedLayerArn
  - AppConfigExtensionLayerArn
Delete Workflow
Description
Calls sam delete to remove the Lambda function, its IAM role, and the API Gateway route integration. Also deletes the CloudWatch log group.
Steps
- Configure AWS credentials.
- SAM delete firefly-func-api-devices-register-post.
- Delete CloudWatch log group /aws/lambda/firefly-func-api-devices-register-post.
Failure Scenarios
| Scenario | Behavior |
|---|---|
| firefly-api-gateway stack not found | describe-stacks returns an error; workflow fails before SAM deploy. Deploy api-gateway first. |
| firefly-dynamodb-devices stack not deployed | Function deploys but returns errors at runtime when writing device records. Deploy dynamodb-devices first. |
| firefly-dynamodb-registration-keys stack not deployed | Function deploys but cannot validate registration keys at runtime. Deploy dynamodb-registration-keys first. |
| firefly-shared-layer stack not found | Layer ARN lookup fails; SAM deploy is not attempted. Deploy shared-layer first. |
| Invalid or expired registration key | Lambda returns 401 Unauthorized. |
| Device UUID already registered | Lambda returns 204 immediately without modifying the existing record (idempotent). |
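The registration flow from the Overview and the last two failure scenarios, modelled as an added example (not the project's own handler code). Plain dicts stand in for firefly-devices and firefly-registration-keys. The attribute names `expires_at` and `device_uuid`, the order of the checks, the 204 status on a first successful registration, and leaving the key unconsumed when the device already exists are all assumptions.

```python
import time


def handle_register(headers, body, devices, keys, now=None):
    """Return the HTTP status for POST /devices/register.

    devices / keys are dicts standing in for the two DynamoDB tables.
    """
    now = time.time() if now is None else now
    # Header names are case-insensitive; normalise before the lookup.
    reg_key = {k.lower(): v for k, v in headers.items()}.get("x-registration-key")
    record = keys.get(reg_key)  # models GetItem on firefly-registration-keys
    # Missing header, unknown key or expired key: 401 and nothing is written.
    if record is None or record["expires_at"] <= now:  # expires_at: assumed name
        return 401
    uuid = body["device_uuid"]  # assumed request field name
    # Already registered: 204, existing record is not modified.
    if uuid in devices:  # models GetItem on firefly-devices
        return 204
    devices[uuid] = {"device_uuid": uuid, "registered_at": now}  # models PutItem
    del keys[reg_key]  # models DeleteItem: the key is consumed and cannot be replayed
    return 204  # assumed success status


def demo():
    """Run constructed requests through the handler; return statuses and tables."""
    devices = {}
    keys = {  # constructed sample keys
        "k-valid": {"expires_at": 2000},
        "k-old": {"expires_at": 500},
        "k-second": {"expires_at": 2000},
    }

    def req(key, uuid):
        return handle_register({"X-Registration-Key": key},
                               {"device_uuid": uuid}, devices, keys, now=1000)

    statuses = [
        req("k-valid", "dev-1"),   # first use of a valid key
        req("k-valid", "dev-2"),   # replay of the consumed key
        req("k-old", "dev-3"),     # expired key
        req("k-second", "dev-1"),  # valid key, device already registered
    ]
    return statuses, devices, keys


if __name__ == "__main__":
    print(demo()[0])
```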