This repo shows how we build reproducible (byte-for-byte + same CDK asset hash) AWS Lambda .zips from packages in a uv workspace.
The motivation, and how and why it works, are described in this post: https://maxfriedrich.de/2025/01/02/uv-lambda-cdk/
Make sure CDK (aws-cdk) is installed.
Build asset directories (does not require an AWS account):

```sh
cd cdk
uv run cdk synth
# find the assets in cdk/cdk.out
uv run cdk synth
# no new assets should be added
```

Deploy:

```sh
cd cdk
export AWS_PROFILE=... # or configure AWS account in some other way
uv run cdk bootstrap
uv run cdk deploy --all
uv run cdk diff
# the diff should now show 0 differences, no need to re-deploy
```

Call the Lambda functions:

```sh
export AWS_PROFILE=... # or configure AWS account in some other way
uv run pytest tests -m integration
```

- Set up GitHub OIDC
- Create `GitHubActionsDeployment` role with permissions:
  - assume-cdk-roles (to deploy with CDK):

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": [
            "arn:aws:iam::*:role/cdk-*"
          ]
        }
      ]
    }
    ```
  - AWSCloudFormationReadOnlyAccess (to read the function URLs from CfnOutput for testing)
  - invoke-function (to call the functions for testing, constrain the resource if needed):

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    ```
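
The "synth twice, no new assets" check from the build step can also be done by hashing the assets of two separate synth outputs. The script below is an added example, not part of this repository; it assumes assets are entries named `asset.*` directly under the output directory, that GNU `sha256sum` is available, and the script file name in the usage comment is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the repository.
# Assumptions: each asset is an entry named asset.* directly under the synth
# output directory; GNU coreutils sha256sum is on PATH.
#
# Usage sketch (run from cdk/), synthesizing twice into separate directories:
#   uv run cdk synth --output /tmp/synth-a
#   uv run cdk synth --output /tmp/synth-b
#   sh compare_assets.sh /tmp/synth-a /tmp/synth-b   # hypothetical file name

# Print one "<sha256>  <path>" line per file inside every asset.* entry,
# sorted by path so the listing does not depend on directory order.
asset_manifest() {
    ( cd "$1" && find . -path './asset.*' -type f -exec sha256sum {} + \
        | LC_ALL=C sort -k 2 )
}

# Collapse the manifest into a single digest for quick comparison.
asset_fingerprint() {
    asset_manifest "$1" | sha256sum | cut -d ' ' -f 1
}

# Return 0 if both directories hold identical assets (names and bytes),
# 1 if they differ, 2 if either directory is missing.
same_assets() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    [ "$(asset_fingerprint "$1")" = "$(asset_fingerprint "$2")" ]
}

# When called with two directories, report the result and list differences.
if [ "$#" -eq 2 ]; then
    if same_assets "$1" "$2"; then
        echo "assets identical: $(asset_fingerprint "$1")"
    else
        echo "assets differ or a directory is missing" >&2
        a=$(mktemp) && b=$(mktemp)
        asset_manifest "$1" > "$a" 2>/dev/null
        asset_manifest "$2" > "$b" 2>/dev/null
        diff "$a" "$b" >&2
        rm -f "$a" "$b"
        exit 1
    fi
fi
```

A non-zero exit makes this usable as a CI gate before `cdk deploy`; the printed manifest diff names the file whose bytes changed or the asset that appeared.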