The latest articles on DEV Community by Karthik K Pradeep (@foldedodin). https://dev.to/foldedodin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3811793%2F86d48240-7033-4492-9587-c5cff2ee70d8.jpg https://dev.to/foldedodin en Karthik K Pradeep Mon, 23 Mar 2026 21:39:25 +0000 https://dev.to/foldedodin/i-stopped-deploying-manually-heres-my-cicd-pipeline-with-github-actions-2h6k https://dev.to/foldedodin/i-stopped-deploying-manually-heres-my-cicd-pipeline-with-github-actions-2h6k <p>How I moved AquaChain from manual deployments to a GitHub Actions pipeline that catches bad changes before they hit production.</p> <p><em>AquaChain is a production-focused IoT water quality monitoring platform: sensors send readings into AWS, Lambda services process and analyze them, and the frontend gives admins, technicians, and consumers role-based views into device health, alerts, and operations.</em></p> <h2> Where I Started </h2> <p>For a long time, my deployment process looked like this:</p> <ol> <li>Build locally</li> <li>SSH into the server</li> <li>Restart the app</li> <li>Hope nothing breaks</li> </ol> <p>That last step was the real problem.</p> <p>The moment I finally stopped trusting manual deploys was a frontend release that looked fine on my machine but went out with the wrong production environment settings. AquaChain loaded, but API requests started failing immediately. I was SSH'ing into the box, checking logs, rolling back, and trying to remember which local change caused it. The rollback only took a few tense minutes, but a few minutes of visible production errors is still a production incident. Nothing about that failure was dramatic. It was worse: it was avoidable.</p> <p>That was the pattern I wanted to kill. Too much depended on memory, local state, and luck.</p> <h2> What I Wanted From the Pipeline </h2> <p>I wanted a pipeline that:</p> <ul> <li>Runs linting, type checks, and tests on every pull request</li> <li>Blocks merges when quality checks fail</li> <li>Deploys the frontend only when frontend files change</li> <li>Deploys Lambda functions only when backend files change</li> <li>Uses short-lived AWS credentials instead of long-lived secrets</li> <li>Completes under 5 minutes so it does not become something people route around</li> </ul> <p>One practical note before the YAML: GitHub Actions minutes are not free forever. On GitHub-hosted runners, every PR build costs time and money once you move past the included allowance. Path filters, caching, and splitting work by concern are not just performance improvements. They control your bill.</p> <h2> The Repository Reality </h2> <p>This post uses AquaChain names throughout because the examples are derived from the current AquaChain workflow, not a sanitized demo.</p> <p>The repo itself looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aquachain/ ├── frontend/ # Next.js app ├── lambda/ # AWS Lambda functions (Python) ├── infrastructure/ # AWS CDK and infra code ├── config/ # Shared CI config such as requirements-dev.txt └── .github/ └── workflows/ └── ci-cd-pipeline.yml </code></pre> </div> <p>These examples are derived from <code>.github/workflows/ci-cd-pipeline.yml</code>; I am splitting them into three workflows here for clarity, but in practice they currently live in one file.</p> <p>The <code>config/</code> directory holds shared CI tooling such as <code>requirements-dev.txt</code> and <code>pytest.ini</code>, so linting and test setup lives in one place instead of being duplicated across every Lambda service.</p> <h2> Workflow 1: PR Checks </h2> <p>This runs on pull requests and on pushes to <code>main</code>. If this fails, nothing should merge.</p> <p>If code can still drift into <code>main</code> after this job fails, the pipeline is just theater.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/pr-checks.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PR Checks</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">frontend-checks</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Frontend - Lint, Type Check, Test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">18"</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="na">cache-dependency-path</span><span class="pi">:</span> <span class="s">frontend/package-lock.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Type check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx tsc --noEmit</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test -- --watchAll=false --coverage --passWithNoTests</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="na">backend-checks</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Backend - Lint, Type Check, Test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.11"</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">pip"</span> <span class="na">cache-dependency-path</span><span class="pi">:</span> <span class="s">config/requirements-dev.txt</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install backend tooling</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install -r ./config/requirements-dev.txt</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">flake8 ./lambda --max-line-length=120 --exclude=./lambda/layers</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Type check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">mypy ./lambda --config-file ./lambda/mypy.ini --ignore-missing-imports</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pytest ./lambda -v --tb=short -c ./config/pytest.ini</span> </code></pre> </div> <p>A few details matter here:</p> <p><strong><code>npm ci</code> instead of <code>npm install</code>.</strong> <code>ci</code> installs exactly what is in <code>package-lock.json</code> and fails if the lockfile is out of sync. That is what you want in CI.</p> <p><strong>The backend paths are explicit.</strong> In AquaChain, shared Python tooling lives under <code>config/</code>, so I reference <code>./config/requirements-dev.txt</code> directly instead of assuming readers know what the runner's default directory is.</p> <p><strong><code>--watchAll=false</code> on Jest is non-negotiable.</strong> Without it, the job hangs waiting for interactive input.</p> <p>If your Lambda estate gets large, this is the point where I would switch from one backend job to a matrix strategy per function. AquaChain's full workflow already does that for better parallelism and clearer failures.</p> <h2> Caching Is Worth It </h2> <p>The cache lines in the workflow above are not decorative. On a codebase this size, a cold <code>npm ci</code> can easily take roughly 60-90 seconds, while a warm cache often brings that same step down closer to 10-20 seconds. The exact numbers vary by runner, but the order-of-magnitude difference is real.</p> <p><code>pip</code> caching buys the same kind of win for Python tooling. If you skip caching, the pipeline still works. It just feels slower every single run, and that is how teams end up resenting CI.</p> <h2> Workflow 2: Deploy Frontend to Vercel </h2> <p>I use the Vercel CLI instead of relying entirely on the built-in GitHub integration. It gives me tighter control over when builds happen and which environment variables are in play.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy-frontend.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Frontend</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">frontend/**"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Vercel</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">18"</span> <span class="na">cache</span><span class="pi">:</span> <span class="s2">"</span><span class="s">npm"</span> <span class="na">cache-dependency-path</span><span class="pi">:</span> <span class="s">frontend/package-lock.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Vercel CLI</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install -g vercel@latest</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Pull Vercel environment</span> <span class="na">run</span><span class="pi">:</span> <span class="s">vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">frontend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">env</span><span class="pi">:</span> <span class="na">REACT_APP_API_ENDPOINT</span><span class="pi">:</span> <span class="s">${{ secrets.PROD_API_ENDPOINT }}</span> <span class="na">REACT_APP_USER_POOL_ID</span><span class="pi">:</span> <span class="s">${{ secrets.PROD_USER_POOL_ID }}</span> <span class="na">REACT_APP_USER_POOL_CLIENT_ID</span><span class="pi">:</span> <span class="s">${{ secrets.PROD_USER_POOL_CLIENT_ID }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="s">vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">frontend</span> </code></pre> </div> <p>The <code>paths</code> filter is doing two jobs for me:</p> <ul> <li>It stops backend-only commits from wasting frontend build minutes.</li> <li>It keeps the workflow history clean because only relevant deploys appear.</li> </ul> <p>Convenience is great right up until you are explaining an unexpected deploy during an incident. I would rather be explicit.</p> <p>For PR previews, I use the same pattern on <code>pull_request</code> without <code>--prod</code>. Each PR gets its own preview deployment URL.</p> <h2> Workflow 3: Deploy Lambda to AWS </h2> <p>This is the part I would explicitly not implement with <code>github.event.commits[0].modified</code>.</p> <p>That field only tells you what changed in the first commit listed in the push payload. On a multi-commit push or a squash merge, it can miss files that absolutely changed. It looks clever, but it is fragile.</p> <p>If a deployment decision depends on a webhook payload shortcut instead of the actual file paths I care about, I do not trust it.</p> <p>The more reliable pattern is:</p> <ol> <li>Use a top-level <code>paths</code> filter so the workflow runs only for backend changes.</li> <li>Use <code>dorny/paths-filter</code> inside the job when you need per-folder deploy decisions. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy-backend.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Backend</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">lambda/**"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Lambda Functions</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Detect changed Lambda folders</span> <span class="na">id</span><span class="pi">:</span> <span class="s">changes</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dorny/paths-filter@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">filters</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">data_processing:</span> <span class="s">- "lambda/data_processing/**"</span> <span class="s">notification_service:</span> <span class="s">- "lambda/notification_service/**"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials (OIDC)</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/github-actions-deploy</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">ap-south-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.11"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy data processing Lambda</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.changes.outputs.data_processing == 'true'</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">lambda/data_processing</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">zip -r function.zip . -x "tests/*" "*.pyc"</span> <span class="s">aws lambda update-function-code \</span> <span class="s">--function-name AquaChain-Function-data_processing-production \</span> <span class="s">--zip-file fileb://function.zip \</span> <span class="s">--region ap-south-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy notification API Lambda</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.changes.outputs.notification_service == 'true'</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">lambda/notification_service</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">zip -r function.zip . -x "tests/*" "*.pyc"</span> <span class="s">aws lambda update-function-code \</span> <span class="s">--function-name AquaChain-Function-notification_service-production \</span> <span class="s">--zip-file fileb://function.zip \</span> <span class="s">--region ap-south-1</span> </code></pre> </div> <p>If you only have one Lambda function, the workflow-level <code>paths</code> filter is enough. If you have many, add a change-detection step like the one above. AquaChain's current production workflow uses environment-specific names such as <code>AquaChain-Function-data_processing-production</code>, so the example mirrors that pattern instead of pointing at a <code>-dev</code> function.</p> <h2> The OIDC Auth Setup </h2> <p>The security mistake I still see too often in GitHub Actions is storing <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code> as repository secrets.</p> <p>Those are long-lived credentials. If they leak, the problem does not end when the workflow ends.</p> <p>OIDC is the better pattern. GitHub Actions assumes an IAM role directly and receives short-lived credentials for that run only.</p> <p>Here is the CDK shape:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_iam</span> <span class="k">as</span> <span class="n">iam</span> <span class="n">github_provider</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">OpenIdConnectProvider</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GitHubOIDC</span><span class="sh">"</span><span class="p">,</span> <span class="n">url</span><span class="o">=</span><span class="sh">"</span><span class="s">https://token.actions.githubusercontent.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_ids</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">sts.amazonaws.com</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">deploy_role</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GitHubActionsDeployRole</span><span class="sh">"</span><span class="p">,</span> <span class="n">role_name</span><span class="o">=</span><span class="sh">"</span><span class="s">github-actions-deploy</span><span class="sh">"</span><span class="p">,</span> <span class="n">assumed_by</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="nc">WebIdentityPrincipal</span><span class="p">(</span> <span class="n">github_provider</span><span class="p">.</span><span class="n">open_id_connect_provider_arn</span><span class="p">,</span> <span class="n">conditions</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">StringEquals</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">token.actions.githubusercontent.com:aud</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">sts.amazonaws.com</span><span class="sh">"</span> <span class="p">},</span> <span class="sh">"</span><span class="s">StringLike</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">token.actions.githubusercontent.com:sub</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">repo:your-org/your-repo:ref:refs/heads/main</span><span class="sh">"</span> <span class="p">},</span> <span class="p">},</span> <span class="p">),</span> <span class="p">)</span> <span class="n">deploy_role</span><span class="p">.</span><span class="nf">add_to_policy</span><span class="p">(</span><span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">lambda:UpdateFunctionCode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">lambda:UpdateFunctionConfiguration</span><span class="sh">"</span><span class="p">],</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">arn:aws:lambda:ap-south-1:123456789012:function:AquaChain-Function-*</span><span class="sh">"</span><span class="p">],</span> <span class="p">))</span> </code></pre> </div> <p>The important detail is the <code>sub</code> restriction. Without that, you are trusting GitHub broadly. With it, you are trusting one repository and one branch.</p> <h2> Secrets Management </h2> <p>GitHub gives you three useful scopes for secrets:</p> <ul> <li>Repository secrets for repo-wide values</li> <li>Environment secrets for protected environments such as <code>production</code> </li> <li>Organization secrets for shared values across repos</li> </ul> <p>For production deploys, I prefer environment secrets plus protection rules. That forces a deliberate approval step before the workflow can read sensitive values.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> </code></pre> </div> <p>That one line is small, but it changes the blast radius of a bad push.</p> <h2> Branch Protection Rules </h2> <p>The pipeline only matters if people cannot quietly route around it.</p> <p>GitHub starts running these workflow files as soon as they exist under <code>.github/workflows/</code> and you push them to the repo. What it does not do by itself is block merges. For that, go to <strong>Settings -&gt; Branches</strong> in the repository and lock down <code>main</code> with:</p> <ul> <li>Required status checks</li> <li>Up-to-date branch enforcement</li> <li>At least one approving review</li> <li>No direct pushes to <code>main</code> </li> </ul> <p>That turns the release path into one narrow lane instead of a social convention.</p> <h2> The Full Picture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer pushes branch ↓ PR opened -&gt; PR checks run ├── Frontend: lint + typecheck + test + build └── Backend: flake8 + mypy + pytest ↓ All checks pass -&gt; PR review ↓ PR merged to main ↓ ├── frontend/** changed -&gt; deploy-frontend.yml -&gt; Vercel production └── lambda/** changed -&gt; deploy-backend.yml -&gt; AWS Lambda </code></pre> </div> <h3> CI/CD Pipeline Visualization </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj3tjh8ezrf8anf69wku1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj3tjh8ezrf8anf69wku1.png" alt="GitHub Actions Pipeline" width="800" height="332"></a><br> Real GitHub Actions workflow for AquaChain — showing code quality checks, testing, build, and deployment stages.</p> <h2> Next Steps I'm Planning </h2> <p>This setup is already useful, but it is not the endpoint.</p> <p><strong>Add a smoke test after deployment.</strong> A quick health-check call after deploy would catch broken releases before users do.</p> <p><strong>Extract reusable workflow pieces.</strong> Once the pipeline settles down, shared setup can move into reusable workflows or composite actions.</p> <p><strong>Keep GitHub Actions versions current automatically.</strong> Dependabot already makes sense for application dependencies. It should also keep workflow actions fresh.</p> <h2> The Payoff </h2> <p>Before this pipeline, a configuration mistake turned into a production debugging session over SSH. After it, that same class of mistake is far more likely to show up as a visible CI failure, a scoped deploy failure, or at minimum a traceable release with logs and approvals attached.</p> <p>That is the benchmark I care about now. The failed deploy from the intro should not be a live fire exercise on a server. It should be a boring red workflow run that never gets mistaken for a normal release.</p> githubactions cicd automation github Karthik K Pradeep Sun, 22 Mar 2026 11:10:49 +0000 https://dev.to/foldedodin/serverless-ml-inference-with-aws-lambda-docker-25nk https://dev.to/foldedodin/serverless-ml-inference-with-aws-lambda-docker-25nk <p>Running ML models in production sounds simple until you realize you're paying for servers 24/7 even when nobody is using them. That was my situation. <br> I had a model running on EC2, serving predictions through Flask. It worked. It also quietly burned money every hour of the day. So I rebuilt the entire inference pipeline using AWS Lambda and reduced costs to almost zero during idle time. <br> This post walks through exactly how I did it.</p> <h2> The Problem with "Always-On" ML Inference </h2> <p>When I first deployed a machine learning model, I followed the standard approach:</p> <ul> <li>Flask API</li> <li>EC2 instance</li> <li>Load model at startup</li> <li>Serve predictions over HTTP</li> </ul> <p>It worked.</p> <p>But it also meant:</p> <ul> <li>Paying for compute 24/7</li> <li>Even at 3AM when traffic = 0</li> </ul> <p>For systems like AquaChain, inference is event-driven:</p> <ul> <li>Bursts of requests from devices</li> <li>Long idle periods</li> </ul> <p>Running a server continuously for this pattern is wasteful.</p> <p>Enter: Serverless ML Inference<br> With AWS Lambda:</p> <ol> <li>You pay only when your model runs</li> <li>No idle infrastructure</li> <li>Fully event-driven execution</li> </ol> <h2> The Stack </h2> <ul> <li>scikit-learn 1.4.0</li> <li>XGBoost 2.0.3</li> <li>numpy 1.26.3 + pandas 2.1.4</li> <li>Python 3.11</li> <li>AWS Lambda (container image)</li> <li>Amazon ECR (container registry)</li> <li>S3 (model artifact storage)</li> </ul> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ml_inference/ ├── handler.py # Lambda entry point ├── model_loader.py # S3 model caching logic ├── feature_extractor.py ├── Dockerfile └── requirements.txt </code></pre> </div> <h2> The Dockerfile </h2> <p>The key is using AWS's official Lambda base image. It includes the Lambda runtime interface client, so your container behaves exactly like a standard Lambda function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> public.ecr.aws/lambda/python:3.11</span> <span class="c"># Copy requirements first for layer caching</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="c"># Copy function code</span> <span class="k">COPY</span><span class="s"> handler.py model_loader.py feature_extractor.py ./</span> <span class="c"># Lambda handler entrypoint</span> <span class="k">CMD</span><span class="s"> ["handler.lambda_handler"]</span> </code></pre> </div> <p>The <code>requirements.txt</code> for the ML stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">scikit-learn</span><span class="p">=</span><span class="s">=1.4.0</span> <span class="py">xgboost</span><span class="p">=</span><span class="s">=2.0.3</span> <span class="py">numpy</span><span class="p">=</span><span class="s">=1.26.3</span> <span class="py">pandas</span><span class="p">=</span><span class="s">=2.1.4</span> <span class="py">boto3</span><span class="p">=</span><span class="s">=1.34.34</span> <span class="py">joblib</span><span class="p">=</span><span class="s">=1.3.2</span> </code></pre> </div> <blockquote> <p>One important detail: put <code>COPY requirements.txt</code> and <code>RUN pip install</code> before copying your application code. Docker caches each layer — if your code changes but your dependencies don't, the pip install layer is reused and your build takes seconds instead of minutes.</p> </blockquote> <h2> The Handler </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">model_loader</span> <span class="kn">import</span> <span class="n">get_model</span> <span class="kn">from</span> <span class="n">feature_extractor</span> <span class="kn">import</span> <span class="n">extract_features</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">readings</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">readings</span><span class="sh">'</span><span class="p">,</span> <span class="p">{})</span> <span class="n">device_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">unknown</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Validate inputs before touching the model </span> <span class="n">required</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">pH</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">turbidity</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">tds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">temperature</span><span class="sh">'</span><span class="p">]</span> <span class="n">missing</span> <span class="o">=</span> <span class="p">[</span><span class="n">f</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">required</span> <span class="k">if</span> <span class="n">f</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">readings</span><span class="p">]</span> <span class="k">if</span> <span class="n">missing</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Missing fields: </span><span class="si">{</span><span class="n">missing</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">code</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">VALIDATION_ERROR</span><span class="sh">'</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Extract features (includes trend calculations) </span> <span class="n">features</span> <span class="o">=</span> <span class="nf">extract_features</span><span class="p">(</span><span class="n">readings</span><span class="p">)</span> <span class="c1"># Get model — cached in /tmp after first load </span> <span class="n">model</span> <span class="o">=</span> <span class="nf">get_model</span><span class="p">()</span> <span class="c1"># Run inference </span> <span class="n">wqi</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="nf">predict</span><span class="p">([</span><span class="n">features</span><span class="p">])[</span><span class="mi">0</span><span class="p">])</span> <span class="n">confidence</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="nf">predict_proba</span><span class="p">([</span><span class="n">features</span><span class="p">]).</span><span class="nf">max</span><span class="p">())</span> <span class="n">quality</span> <span class="o">=</span> <span class="nf">classify_wqi</span><span class="p">(</span><span class="n">wqi</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Inference complete</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">:</span> <span class="n">device_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">wqi</span><span class="sh">'</span><span class="p">:</span> <span class="n">wqi</span><span class="p">,</span> <span class="sh">'</span><span class="s">quality</span><span class="sh">'</span><span class="p">:</span> <span class="n">quality</span><span class="p">,</span> <span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">:</span> <span class="n">confidence</span> <span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">'</span><span class="s">wqi</span><span class="sh">'</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">wqi</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">'</span><span class="s">quality</span><span class="sh">'</span><span class="p">:</span> <span class="n">quality</span><span class="p">,</span> <span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">confidence</span><span class="p">,</span> <span class="mi">4</span><span class="p">),</span> <span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">:</span> <span class="n">device_id</span> <span class="p">})</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Inference error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Inference failed</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">code</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">INFERENCE_ERROR</span><span class="sh">'</span> <span class="p">})</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">classify_wqi</span><span class="p">(</span><span class="n">wqi</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">wqi</span> <span class="o">&gt;=</span> <span class="mi">90</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Excellent</span><span class="sh">'</span> <span class="k">if</span> <span class="n">wqi</span> <span class="o">&gt;=</span> <span class="mi">70</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Good</span><span class="sh">'</span> <span class="k">if</span> <span class="n">wqi</span> <span class="o">&gt;=</span> <span class="mi">50</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Fair</span><span class="sh">'</span> <span class="k">if</span> <span class="n">wqi</span> <span class="o">&gt;=</span> <span class="mi">25</span><span class="p">:</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Poor</span><span class="sh">'</span> <span class="k">return</span> <span class="sh">'</span><span class="s">Very Poor</span><span class="sh">'</span> </code></pre> </div> <h2> Model Caching: The Most Important Optimization </h2> <p>Lambda's <code>/tmp</code> directory persists across warm invocations of the same container instance. Loading a model from S3 on every request would add 200–500ms of latency and unnecessary S3 GET costs. Cache it in <code>/tmp</code> on first load:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">joblib</span> <span class="kn">import</span> <span class="n">logging</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">MODEL_S3_BUCKET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">MODEL_BUCKET</span><span class="sh">'</span><span class="p">]</span> <span class="n">MODEL_S3_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">MODEL_KEY</span><span class="sh">'</span><span class="p">]</span> <span class="n">LOCAL_MODEL_PATH</span> <span class="o">=</span> <span class="sh">'</span><span class="s">/tmp/model.joblib</span><span class="sh">'</span> <span class="n">_model_cache</span> <span class="o">=</span> <span class="bp">None</span> <span class="c1"># Module-level cache — survives across warm invocations </span> <span class="k">def</span> <span class="nf">get_model</span><span class="p">():</span> <span class="k">global</span> <span class="n">_model_cache</span> <span class="k">if</span> <span class="n">_model_cache</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sh">"</span><span class="s">Using in-memory model cache</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">_model_cache</span> <span class="c1"># Check /tmp first (warm container, model already downloaded) </span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">LOCAL_MODEL_PATH</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Loading model from /tmp cache</span><span class="sh">"</span><span class="p">)</span> <span class="n">_model_cache</span> <span class="o">=</span> <span class="n">joblib</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">LOCAL_MODEL_PATH</span><span class="p">)</span> <span class="k">return</span> <span class="n">_model_cache</span> <span class="c1"># Cold start — download from S3 </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Downloading model from s3://</span><span class="si">{</span><span class="n">MODEL_S3_BUCKET</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">MODEL_S3_KEY</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">s3</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">s3</span><span class="sh">'</span><span class="p">)</span> <span class="n">s3</span><span class="p">.</span><span class="nf">download_file</span><span class="p">(</span><span class="n">MODEL_S3_BUCKET</span><span class="p">,</span> <span class="n">MODEL_S3_KEY</span><span class="p">,</span> <span class="n">LOCAL_MODEL_PATH</span><span class="p">)</span> <span class="n">_model_cache</span> <span class="o">=</span> <span class="n">joblib</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">LOCAL_MODEL_PATH</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Model loaded and cached</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">_model_cache</span> </code></pre> </div> <p>Two levels of caching here:</p> <ol> <li> <code>_model_cache</code> — in-memory, fastest possible, survives as long as the container is warm</li> <li> <code>/tmp/model.joblib</code> — survives container reuse even if the Python process restarts</li> </ol> <p>On a cold start you pay the S3 download once. Every subsequent warm invocation skips it entirely.</p> <h2> Building and Pushing to ECR </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Authenticate Docker with ECR</span> aws ecr get-login-password <span class="nt">--region</span> ap-south-1 | <span class="se">\</span> docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="se">\</span> 758346259059.dkr.ecr.ap-south-1.amazonaws.com <span class="c"># Build the image</span> docker build <span class="nt">-t</span> aquachain-ml-inference <span class="nb">.</span> <span class="c"># Tag for ECR</span> docker tag aquachain-ml-inference:latest <span class="se">\</span> 758346259059.dkr.ecr.ap-south-1.amazonaws.com/aquachain-ml-inference:latest <span class="c"># Push</span> docker push <span class="se">\</span> 758346259059.dkr.ecr.ap-south-1.amazonaws.com/aquachain-ml-inference:latest </code></pre> </div> <p>Then deploy the Lambda pointing at the ECR image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda update-function-code <span class="se">\</span> <span class="nt">--function-name</span> aquachain-function-ml-inference-dev <span class="se">\</span> <span class="nt">--image-uri</span> 758346259059.dkr.ecr.ap-south-1.amazonaws.com/aquachain-ml-inference:latest <span class="se">\</span> <span class="nt">--region</span> ap-south-1 </code></pre> </div> <h2> CDK Definition </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">lambda_</span><span class="p">,</span> <span class="n">aws_ecr</span> <span class="k">as</span> <span class="n">ecr</span><span class="p">,</span> <span class="n">aws_iam</span> <span class="k">as</span> <span class="n">iam</span><span class="p">,</span> <span class="n">Duration</span> <span class="p">)</span> <span class="c1"># Reference existing ECR repo </span><span class="n">repo</span> <span class="o">=</span> <span class="n">ecr</span><span class="p">.</span><span class="n">Repository</span><span class="p">.</span><span class="nf">from_repository_name</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">MLInferenceRepo</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">aquachain-ml-inference</span><span class="sh">"</span> <span class="p">)</span> <span class="n">ml_inference_fn</span> <span class="o">=</span> <span class="n">lambda_</span><span class="p">.</span><span class="nc">DockerImageFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">MLInferenceFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">function_name</span><span class="o">=</span><span class="sh">"</span><span class="s">aquachain-function-ml-inference-dev</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">lambda_</span><span class="p">.</span><span class="n">DockerImageCode</span><span class="p">.</span><span class="nf">from_ecr</span><span class="p">(</span> <span class="n">repo</span><span class="p">,</span> <span class="n">tag_or_digest</span><span class="o">=</span><span class="sh">"</span><span class="s">latest</span><span class="sh">"</span> <span class="p">),</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">1024</span><span class="p">,</span> <span class="c1"># ML models benefit from more memory </span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">MODEL_BUCKET</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">aquachain-models-dev</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">MODEL_KEY</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">wqi/model_v2.joblib</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">LOG_LEVEL</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># Grant S3 read access for model download </span><span class="n">model_bucket</span><span class="p">.</span><span class="nf">grant_read</span><span class="p">(</span><span class="n">ml_inference_fn</span><span class="p">)</span> </code></pre> </div> <p>Memory sizing matters here. I started at 512MB and saw ~180ms inference times. Bumping to 1024MB dropped it to ~85ms — Lambda allocates CPU proportionally to memory, so more memory = faster CPU = faster inference. Run a few tests at different memory sizes; the cost difference is often negligible compared to the latency improvement.</p> <h2> Handling Cold Starts </h2> <p>Cold starts for container-based Lambdas are longer than zip-based ones — typically 2–5 seconds for a 500MB image. For AquaChain this is acceptable because inference is triggered asynchronously (the data processing Lambda doesn't wait for the result). But if you need synchronous inference with strict latency SLAs, two options:</p> <p><strong>1. Provisioned Concurrency</strong> — keeps N container instances warm at all times. Eliminates cold starts, but you pay for idle time. Only worth it if your p99 latency requirement is under 500ms and you have consistent traffic.</p> <p><strong>2. Scheduled warm-up ping</strong> — an EventBridge rule that invokes the function every 5 minutes with a dummy payload. Cheap, effective for low-traffic functions, but not a guarantee.</p> <p>For most ML inference use cases, async invocation + accepting occasional cold starts is the right trade-off.</p> <h2> Updating the Model </h2> <p>One of the best things about this setup: updating the model doesn't require a code deployment. You just upload a new <code>model.joblib</code> to S3 with the same key. The next cold start picks it up automatically.</p> <p>For versioned rollouts, use S3 versioning and point the Lambda env var at a specific version ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Upload new model version</span> aws s3 <span class="nb">cp </span>model_v3.joblib s3://aquachain-models-dev/wqi/model_v2.joblib <span class="c"># If you need to roll back, just update the env var to point at the previous version</span> aws lambda update-function-configuration <span class="se">\</span> <span class="nt">--function-name</span> aquachain-function-ml-inference-dev <span class="se">\</span> <span class="nt">--environment</span> <span class="s2">"Variables={MODEL_KEY=wqi/model_v1.joblib,MODEL_BUCKET=aquachain-models-dev}"</span> <span class="se">\</span> <span class="nt">--region</span> ap-south-1 </code></pre> </div> <h2> The Numbers </h2> <p>Running in production on AquaChain:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Cold start (image download + model load)</td> <td>~2.1s</td> </tr> <tr> <td>Warm inference (in-memory cache)</td> <td>~85ms</td> </tr> <tr> <td>Warm inference (first call, /tmp cache)</td> <td>~120ms</td> </tr> <tr> <td>Memory used</td> <td>~310MB of 1024MB allocated</td> </tr> <tr> <td>Cost per 1M inferences</td> <td>~$0.21</td> </tr> </tbody> </table></div> <p>Compare that to a <code>t3.small</code> EC2 instance running 24/7: ~$15/month regardless of traffic. At our current inference volume, Lambda costs under $1/month.</p> <h2> When NOT to Use Lambda </h2> <p>Serverless ML is not a silver bullet.</p> <p>Avoid Lambda if:</p> <ul> <li>You need ultra-low latency (&lt;50ms)</li> <li>You have constant high traffic</li> <li>Your model is extremely large (&gt;5GB and slow to load)</li> </ul> <p>In those cases, a dedicated endpoint (SageMaker / ECS / EC2) is a better fit.</p> <h2> What I'd Do Differently </h2> <p><strong>1. Use multi-stage Docker builds.</strong> The current image includes build tools that aren't needed at runtime. A multi-stage build copies only the installed packages into the final image, reducing image size by 30–40% and speeding up cold starts.</p> <p><strong>2. Pin the base image digest, not just the tag.</strong> <code>python:3.11</code> tags can change. Use the SHA256 digest for reproducible builds in production.</p> <p><strong>3. Add model validation on load.</strong> Before caching the model, run a quick sanity check — predict on a known input and assert the output is in the expected range. Catches corrupted model files before they serve bad predictions.</p> <p>Serverless ML inference isn’t for every system.But for event-driven workloads — like AquaChain — it hits a rare sweet spot:</p> <ol> <li>low cost, zero idle infrastructure, and production-grade performance. </li> <li>If your model doesn’t need to run 24/7, your infrastructure shouldn’t either.</li> </ol> machinelearning aws serverless devops Karthik K Pradeep Sat, 21 Mar 2026 07:10:20 +0000 https://dev.to/foldedodin/how-i-built-a-serverless-iot-pipeline-on-aws-49c https://dev.to/foldedodin/how-i-built-a-serverless-iot-pipeline-on-aws-49c <p>Water quality testing normally takes between 24 and 48 hours.<br> This makes it almost impossible to monitor water quality in real-time, especially in cases where the water has to be clean in real-time.I wanted this time taken down to seconds.<br> That is why I created a real-time water quality monitoring system using ESP32 sensors, AWS IoT Core, Lambda, and DynamoDB — a production-ready pipeline, not a demo.</p> <h2> The Problem </h2> <p>Most IoT tutorials go this far:</p> <ul> <li>Sending a temperature reading</li> <li>Displaying it on a dashboard</li> </ul> <p>They don’t cover what happens when you need to:</p> <ul> <li>Handle 100K+ messages per hour reliably</li> <li>Run ML inference on every incoming reading</li> <li>Trigger alerts within &lt;5 seconds</li> <li>Keep costs under $2 per device/month</li> </ul> <h2> The Architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmf1oanwfazk3cohifv07.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmf1oanwfazk3cohifv07.png" alt="Water Quality Testing with ESP32 MicroController"></a><br> This system is built as a totally serverless, event-driven architecture where each component is triggered by incoming data rather than continuous operation.<br> It eliminates the need for infrastructure management as there are no EC2 instances, container orchestration layers, or manual scaling configurations.<br> Each service (IoT Core, Lambda, DynamoDB, and API Gateway) scales independently based on workload, enabling the system to handle variable data ingestion rates efficiently while maintaining low operational overhead.</p> <h2> Device Layer: ESP32 + MQTT </h2> <p>Each ESP32 device collects sensor data every 60 seconds:</p> <ul> <li>pH (0–14)</li> <li>Turbidity (0–1000 NTU)</li> <li>TDS — Total Dissolved Solids (0–2000 ppm)</li> <li>Temperature (-10°C to 50°C)</li> </ul> <p>Example payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"deviceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ESP32-ABC123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2024-01-15T10:30:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"pH"</span><span class="p">:</span><span class="w"> </span><span class="mf">7.2</span><span class="p">,</span><span class="w"> </span><span class="nl">"turbidity"</span><span class="p">:</span><span class="w"> </span><span class="mf">3.5</span><span class="p">,</span><span class="w"> </span><span class="nl">"tds"</span><span class="p">:</span><span class="w"> </span><span class="mi">450</span><span class="p">,</span><span class="w"> </span><span class="nl">"temperature"</span><span class="p">:</span><span class="w"> </span><span class="mf">22.5</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"firmwareVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"batteryLevel"</span><span class="p">:</span><span class="w"> </span><span class="mi">85</span><span class="p">,</span><span class="w"> </span><span class="nl">"signalStrength"</span><span class="p">:</span><span class="w"> </span><span class="mi">-45</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Why MQTT over HTTP? It's a fraction of the overhead. MQTT keeps a persistent TCP connection, so each message is just the payload no HTTP headers, no TLS handshake per message. At 100K messages/hour that difference matters.</p> <h2> AWS IoT Core: Secure Ingestion Layer </h2> <p>IoT Core acts as the managed MQTT broker. Devices connect with X.509 certificates — no username/password, no API keys. Each device gets its own cert, so you can revoke a single compromised device without touching anything else.<br> The IoT Rule that routes messages to Lambda is dead simple:<br> <code>SELECT * FROM 'aquachain/devices/+/data'<br> </code><br> The '+' wildcard matches any device ID, and the IoT Core evaluates this rule for every matching message, invoking the Lambda function. This approach eliminates the need for polling and queues, making it a pure event-driven system.</p> <h2> Lambda: Validation and Storage </h2> <p>The data processing Lambda does three things: validate, store, and trigger inference.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">device_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">]</span> <span class="n">readings</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">readings</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># 1. Validate sensor ranges </span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">validate_readings</span><span class="p">(</span><span class="n">readings</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Invalid readings from </span><span class="si">{</span><span class="n">device_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">:</span> <span class="n">device_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">readings</span><span class="sh">'</span><span class="p">:</span> <span class="n">readings</span> <span class="p">})</span> <span class="k">return</span> <span class="c1"># Drop the message, don't store garbage </span> <span class="c1"># 2. Store in DynamoDB </span> <span class="n">table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">:</span> <span class="n">device_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">],</span> <span class="o">**</span><span class="n">readings</span><span class="p">,</span> <span class="sh">'</span><span class="s">ttl</span><span class="sh">'</span><span class="p">:</span> <span class="nf">int</span><span class="p">((</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">90</span><span class="p">)).</span><span class="nf">timestamp</span><span class="p">())</span> <span class="p">})</span> <span class="c1"># 3. Trigger ML inference asynchronously </span> <span class="n">lambda_client</span><span class="p">.</span><span class="nf">invoke</span><span class="p">(</span> <span class="n">FunctionName</span><span class="o">=</span><span class="sh">'</span><span class="s">aquachain-function-ml-inference-dev</span><span class="sh">'</span><span class="p">,</span> <span class="n">InvocationType</span><span class="o">=</span><span class="sh">'</span><span class="s">Event</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># async — don't wait </span> <span class="n">Payload</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">event</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>A few things worth calling out here:</p> <p><strong>1. Validation is non-negotiable.</strong> Sensors drift, connectors corrode, and firmware bugs happen. If you store garbage readings, your ML model trains on garbage. I reject anything outside physical bounds — pH can't be 15, temperature can't be -50°C.</p> <p><strong>2. TTL is free data lifecycle management</strong>. DynamoDB's TTL feature automatically deletes items after a timestamp you set. Raw readings expire after 90 days with zero Lambda invocations and zero cost.</p> <p><strong>3. Async ML invocation</strong>. I invoke the inference Lambda with InvocationType='Event' so the data processing function returns immediately. The ML inference runs in parallel. This is what keeps the pipeline fast.</p> <h2> The Latency Reality </h2> <p>Here's what the actual CloudWatch data shows for the data processing Lambda:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Duration</th> </tr> </thead> <tbody> <tr> <td>Warm, no DB write</td> <td>~2ms</td> </tr> <tr> <td>Warm, with DynamoDB PutItem</td> <td>~150ms</td> </tr> <tr> <td>Cold start</td> <td>~617ms init + ~2ms execution</td> </tr> </tbody> </table></div> <p>The warm execution with a DynamoDB write averages around 150ms. Cold starts add ~617ms on top. The product aim was &lt;5 seconds from sensor reading to dashboard we're well inside that. However, if you consistently target sub-100ms Lambda execution, the DynamoDB write is likely your bottleneck. The fix involves making the write asynchronous via SQS, so the Lambda validates and returns in ~2ms, while a separate consumer handles persistence.</p> <h2> ML Inference: XGBoost on Lambda </h2> <p>The ML model is an XGBoost classifier that outputs a Water Quality Index (WQI) from 0-100. It is fully contained in Lambda, no SageMaker endpoint to keep warm, no idle costs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># Load model from S3 (cached in /tmp after first load) </span> <span class="n">model</span> <span class="o">=</span> <span class="nf">load_model</span><span class="p">()</span> <span class="n">features</span> <span class="o">=</span> <span class="nf">extract_features</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">readings</span><span class="sh">'</span><span class="p">])</span> <span class="n">wqi</span> <span class="o">=</span> <span class="n">model</span><span class="p">.</span><span class="nf">predict</span><span class="p">([</span><span class="n">features</span><span class="p">])[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">wqi</span> <span class="o">&lt;</span> <span class="mi">50</span><span class="p">:</span> <span class="nf">trigger_alert</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">],</span> <span class="n">wqi</span><span class="p">,</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">readings</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span><span class="sh">'</span><span class="s">wqi</span><span class="sh">'</span><span class="p">:</span> <span class="nf">float</span><span class="p">(</span><span class="n">wqi</span><span class="p">),</span> <span class="sh">'</span><span class="s">quality</span><span class="sh">'</span><span class="p">:</span> <span class="nf">classify_wqi</span><span class="p">(</span><span class="n">wqi</span><span class="p">)}</span> </code></pre> </div> <p>The ML model used here is an XGBoost classifier that outputs a <strong>Water Quality Index (WQI)</strong> ranging from 0-100. It is fully contained in Lambda, no SageMakeThe model caches in /tmp after the initial run; subsequent warm calls skip S3 downloads, keeping inference under 100ms. Speaking of model performance, this model has 99.74% accuracy on the validation set, which sounds great until you see that the data is highly structured and the classes are well-separated. XGBoost is actually the correct choice here, as it handles missing sensor values, trains quickly, and is even interpretable enough that you be able to explain why it flagged a particular reading.</p> <h2> DynamoDB: Schema Design for Time-Series </h2> <p>The readings table uses a composite key:</p> <ul> <li>Partition key: deviceId</li> <li>Sort key: timestamp This means all readings for a device are co-located on the same partition, and you can query a time range with a single DynamoDB Query call, no scans, no GSIs needed for the primary access pattern. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">response</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">KeyConditionExpression</span><span class="o">=</span><span class="nc">Key</span><span class="p">(</span><span class="sh">'</span><span class="s">deviceId</span><span class="sh">'</span><span class="p">).</span><span class="nf">eq</span><span class="p">(</span><span class="n">device_id</span><span class="p">)</span> <span class="o">&amp;</span> <span class="nc">Key</span><span class="p">(</span><span class="sh">'</span><span class="s">timestamp</span><span class="sh">'</span><span class="p">).</span><span class="nf">between</span><span class="p">(</span><span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">),</span> <span class="n">ScanIndexForward</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="c1"># newest first </span> <span class="n">Limit</span><span class="o">=</span><span class="mi">100</span> <span class="p">)</span> </code></pre> </div> <p>One thing I got wrong early on: I was storing floats directly. DynamoDB doesn't support Python floats; it uses Decimal. The fix is a recursive converter before any put_item call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">floats_to_decimal</span><span class="p">(</span><span class="n">obj</span><span class="p">):</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="nb">float</span><span class="p">):</span> <span class="k">return</span> <span class="nc">Decimal</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">obj</span><span class="p">))</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="nb">dict</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="nf">floats_to_decimal</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">obj</span><span class="p">.</span><span class="nf">items</span><span class="p">()}</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="nb">list</span><span class="p">):</span> <span class="k">return</span> <span class="p">[</span><span class="nf">floats_to_decimal</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">obj</span><span class="p">]</span> <span class="k">return</span> <span class="n">obj</span> </code></pre> </div> <h2> Infrastructure as Code: AWS CDK </h2> <p>Everything is defined in Python CDK. No clicking around the console, no manual resource creation. The IoT rule, Lambda functions, DynamoDB tables, IAM policies are all code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># IoT Rule → Lambda </span><span class="n">iot_rule</span> <span class="o">=</span> <span class="n">iot</span><span class="p">.</span><span class="nc">CfnTopicRule</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">DataIngestionRule</span><span class="sh">"</span><span class="p">,</span> <span class="n">rule_name</span><span class="o">=</span><span class="sh">"</span><span class="s">aquachain_data_ingestion_dev</span><span class="sh">"</span><span class="p">,</span> <span class="n">topic_rule_payload</span><span class="o">=</span><span class="n">iot</span><span class="p">.</span><span class="n">CfnTopicRule</span><span class="p">.</span><span class="nc">TopicRulePayloadProperty</span><span class="p">(</span> <span class="n">sql</span><span class="o">=</span><span class="sh">"</span><span class="s">SELECT * FROM </span><span class="sh">'</span><span class="s">aquachain/devices/+/data</span><span class="sh">'"</span><span class="p">,</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span><span class="n">iot</span><span class="p">.</span><span class="n">CfnTopicRule</span><span class="p">.</span><span class="nc">ActionProperty</span><span class="p">(</span> <span class="n">lambda_</span><span class="o">=</span><span class="n">iot</span><span class="p">.</span><span class="n">CfnTopicRule</span><span class="p">.</span><span class="nc">LambdaActionProperty</span><span class="p">(</span> <span class="n">function_arn</span><span class="o">=</span><span class="n">data_processing_fn</span><span class="p">.</span><span class="n">function_arn</span> <span class="p">)</span> <span class="p">)]</span> <span class="p">)</span> <span class="p">)</span> <span class="c1"># Grant IoT Core permission to invoke Lambda </span><span class="n">data_processing_fn</span><span class="p">.</span><span class="nf">add_permission</span><span class="p">(</span><span class="sh">"</span><span class="s">IoTInvoke</span><span class="sh">"</span><span class="p">,</span> <span class="n">principal</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="sh">"</span><span class="s">iot.amazonaws.com</span><span class="sh">"</span><span class="p">),</span> <span class="n">source_arn</span><span class="o">=</span><span class="n">iot_rule</span><span class="p">.</span><span class="n">attr_arn</span> <span class="p">)</span> </code></pre> </div> <p>The IAM policy for the data processing Lambda follows least privilege. It can only write to the specific DynamoDB table and invoke the specific ML inference function. Nothing else.</p> <h2> What I'd Do Differently </h2> <p><strong>1. SQS Buffer between IoT Core &amp; Lambda.</strong> Rule -&gt; Lambda is fine, but throttling on Lambda will cause IoT Core to drop messages. An SQS queue between the two provides a buffer &amp; retry functionality automatically.</p> <p><strong>2. Using DynamoDB on-demand since day on</strong>e. I used provisioned capacity initially, which consumed a lot of time to get the read &amp; write units right. Using on-demand costs a little more per request, but removes the need to think about capacity planning altogether. It’s worth paying a little more considering the nature of IoT data, which can cause spikes in usage.</p> <p><strong>3. Using structured logging since day one</strong>. I implemented structured logging in JSON later on, which was a nightmare to add to 30+ Lambda functions. It would have been so much easier to add a logging utility that adds a device ID, request ID, &amp; timestamp to every log line, which would have made querying logs a breeze using CloudWatch Insights.</p> <h2> The Numbers </h2> <p>After running in production:</p> <ul> <li>712 Lambda invocations over the past week, zero errors</li> <li>Average warm execution: ~83ms</li> <li>Cold start init: ~615ms (happens rarely after the function is warm)</li> <li>DynamoDB write latency: ~148ms average</li> <li>Cost: well under $2/device/month at current scale In this case, the serverless model really delivers on its promise. There is no infrastructure to babysit, scaling is automatic, and costs scale linearly with usage, not being a flat monthly charge.</li> </ul> <h2> Wrapping Up </h2> <p>The hardest part of this build was not the AWS services themselves – the documentation is good, and the SDKs are solid. The hardest part was the sensor layer – calibration drift, WiFi reconnection logic, etc.<br> The cloud pipeline is actually the easy part – as long as you've got the DynamoDB key schema correct upfront, validate at the edge before anything goes into the database, and keep the Lambda functions thin, validate, store, and delegate.<br> The entire stack – ESP32 firmware, Lambda functions, CDK infrastructure, React dashboard is the AquaChain project. Would be happy to dive deeper into any of these parts.<br> _<br> Built with: ESP32, AWS IoT Core, Lambda (Python 3.11), DynamoDB, XGBoost, AWS CDK, React 19_</p> aws iot serverless backend