Skip to content

Testing Lambda Handlers in AWS

Quick guide for deploying and testing Lambda handler changes in real AWS, isolated from existing infrastructure.

How It Works

Three scripts create an isolated set of Lambda functions with a unique prefix (e.g., pr230). Resources created:

Resource Naming Example
IAM Role tradai-<prefix>-lambda-role tradai-pr230-lambda-role
Lambda Functions tradai-<prefix>-<handler> tradai-pr230-promote-model
ECR Tags <prefix> on existing repos tradai/lambda-promote-model:pr230
CloudWatch Logs /aws/lambda/tradai-<prefix>-* Auto-created by Lambda

Existing dev/prod resources are never modified.

Prerequisites

  • AWS CLI installed and credentials set (env vars or aws configure)
  • Docker running
  • UV installed (just commands use it)

Quick Start

# 1. Login via AWS SSO (opens browser, lasts 8-12 hours)
aws sso login --profile tradai

# 2. Setup — builds images, pushes to ECR, creates Lambda functions
bash scripts/test-infra-setup.sh pr230

# 3. Test — invokes each Lambda with test payloads, generates report
bash scripts/test-infra-test.sh pr230

# 4. Review report
cat scripts/output/test-infra-pr230-report.md

# 5. Cleanup — deletes all created resources
bash scripts/test-infra-cleanup.sh pr230

What Each Script Does

test-infra-setup.sh <prefix>

  1. Builds Docker images for 5 Lambda handlers (linux/amd64)
  2. Pushes to existing ECR repos with tag <prefix> (not latest)
  3. Creates IAM role with basic Lambda + DynamoDB read permissions
  4. Creates Lambda functions using the pushed images
  5. Saves state to scripts/output/test-infra-<prefix>-state.json

Duration: ~10-15 min (first run, includes Docker builds)

test-infra-test.sh <prefix>

  1. Invokes each Lambda with realistic payloads
  2. Checks responses for errors
  3. PASS = handler loaded and ran (even if AWS SDK errors occur — expected without VPC)
  4. FAIL = import errors, syntax errors, unexpected crashes
  5. Generates Markdown report in scripts/output/

test-infra-cleanup.sh <prefix>

  1. Deletes all Lambda functions with prefix
  2. Deletes CloudWatch Log Groups
  3. Detaches policies and deletes IAM role
  4. Removes ECR image tags
  5. Verifies nothing remains

Customizing Handlers

Edit the HANDLERS array in test-infra-setup.sh to test different handlers:

HANDLERS=(
    check-retraining-needed
    cleanup-resources
    model-rollback
    promote-model
    retraining-scheduler
    # Add more:
    # health-check
    # drift-monitor
    # backtest-consumer
)

Limitations

  • Lambda functions run without VPC access — they cannot reach DynamoDB, ECS, MLflow, or other AWS services in the private VPC.
  • AWS SDK calls will fail with EndpointConnectionError or ClientError — this is expected and proves the handler loads correctly up to that point.
  • For full integration testing (real DynamoDB/MLflow calls), use the full just infra-bootstrap deployment.

Cost

  • Lambda: Free tier covers 1M requests/month. Test invocations: ~10 = $0.00
  • ECR: ~$0.10/GB/month for stored images. 5 images ≈ 1-2 GB = ~$0.20/month
  • CloudWatch Logs: Negligible for test runs
  • IAM Role: Free

Total: effectively $0 for test runs. Cleanup removes all billable resources.

Troubleshooting

"aws: command not found"

# Windows (Chocolatey)
choco install awscli

# Or add to PATH manually
export PATH="$PATH:/c/Program Files/Amazon/AWSCLIV2"

"ExpiredToken"

Session tokens (from SSO/assume-role) expire after 1-12 hours. Refresh credentials and re-export env vars.

"Docker build fails"

Ensure Docker Desktop is running and has linux/amd64 platform support: 

docker buildx ls  # should show linux/amd64

"ECR push denied"

ECR login may have expired (12-hour token): 

aws ecr get-login-password --region eu-central-1 | \
    docker login --username AWS --password-stdin \
    $(aws sts get-caller-identity --query Account --output text).dkr.ecr.eu-central-1.amazonaws.com