Merge pull request aws-samples#2885 from DmitryGulin/pattern/lambda-managed-instances-cdk

add a simplistic `lambda-managed-instances-cdk` pattern

Author: julianwood

lambda-managed-instances-cdk/.gitignore

@@ -0,0 +1,91 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+
+# Parcel default cache directory
+.parcel-cache
+
+# npm
+.npm
+
+# yarn
+.yarn
+
+# IDE
+.vscode/
+.idea/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# CDK Context & Staging files
+.cdk.staging/
+cdk.out/
+cdk.context.json

lambda-managed-instances-cdk/.npmignore

@@ -0,0 +1,6 @@
+*.ts
+!*.d.ts
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out

lambda-managed-instances-cdk/README.md

@@ -0,0 +1,179 @@
+# Hello World on AWS Lambda Managed Instances
+
+This pattern demonstrates how to deploy a simple Hello World Lambda function running on AWS Lambda Managed Instances using AWS CDK. AWS Lambda Managed Instances enables you to run Lambda functions on EC2 instances while maintaining Lambda's operational simplicity. It fully manages infrastructure tasks including instance lifecycle, OS and runtime patching, routing, load balancing, and auto scaling.
+
+Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/lambda-managed-instances-cdk
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+**Note**: AWS Lambda Managed Instances provision EC2 instances that are **NOT eligible for the AWS Free Tier**. These instances will incur charges immediately upon deployment, regardless of your Free Tier status.
+
+## Requirements
+
+* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources.
+* [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) (latest available version) installed and configured
+* [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+* [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html) (version 2.232.0 or later) installed and configured
+* [Node.js](https://nodejs.org/) (version 24.x or later)
+
+## Deployment Instructions
+
+1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository:
+    ``` 
+    git clone https://github.com/aws-samples/serverless-patterns
+    ```
+1. Change directory to the pattern directory:
+    ```
+    cd lambda-managed-instances-cdk
+    ```
+1. Install the project dependencies:
+    ```
+    npm install
+    ```
+1. Deploy the CDK stack:
+    ```
+    cdk deploy
+    ```
+    Note: This stack will deploy to your default AWS region. Please refer to the [AWS capabilities explorer](https://builder.aws.com/build/capabilities/explore) for feature availability in your desired region.
+
+1. Note the outputs from the CDK deployment process. These contain the resource names and/or ARNs which are used for testing.
+
+## How it works
+
+This pattern creates a capacity provider with VPC and security group configuration, then deploys a Node.js Lambda function (ARM64 architecture) that is associated with the capacity provider to run on managed EC2 instances. The function accepts an event with a name parameter and returns a greeting message, with execution logs captured in a dedicated CloudWatch log group.
+
+## Testing
+
+After deployment, you can test the Lambda function using AWS CLI or AWS Console.
+
+### AWS CLI Testing
+
+1. **Basic function invocation**:
+   ```bash
+   aws lambda invoke \
+     --function-name hello-world-managed-instances-cdk \
+     --payload file://events/hello-world.json \
+     --cli-binary-format raw-in-base64-out \
+     response.json
+   ```
+
+2. **View the response**:
+   ```bash
+   cat response.json
+   ```
+
+3. **Custom name invocation**:
+   ```bash
+   echo '{"name":"Lambda Managed Instances"}' | aws lambda invoke \
+     --function-name hello-world-managed-instances-cdk \
+     --payload file:///dev/stdin \
+     --cli-binary-format raw-in-base64-out \
+     custom-response.json
+   ```
+
+4. **View CloudWatch logs**:
+   ```bash
+   aws logs filter-log-events \
+     --log-group-name /demo/lambda/hello-world-managed-instances-cdk \
+     --start-time $(date -d '5 minutes ago' +%s)000
+   ```
+
+### AWS Console Testing
+
+1. Navigate to the Lambda service in the AWS Console
+2. Find the function named `hello-world-managed-instances-cdk`
+3. Create a test event using the payload from `events/hello-world.json` or create a custom payload:
+   ```json
+   {
+     "name": "Your Custom Name"
+   }
+   ```
+4. Execute the test and observe the results in the execution logs
+
+### Expected Response
+
+The function returns a JSON response with the following structure:
+
+```json
+{
+  "response": "Hello AWS Lambda on Managed Instances"
+}
+```
+
+### Monitoring and Observability
+
+Monitor the function execution through:
+- **CloudWatch Logs**: Detailed execution logs with event and response data in the dedicated log group
+- **Lambda Metrics**: Function performance and invocation statistics
+- **CloudWatch Metrics**: Custom metrics and alarms for monitoring
+
+The stack outputs include the log group name for easy reference when setting up monitoring dashboards or log analysis tools.
+
+## Inspecting AWS Lambda Managed Instances Infrastructure
+
+AWS Lambda Managed Instances provision EC2 instances behind the scenes to run your Lambda functions. You can inspect this infrastructure using AWS CLI commands:
+
+### View Capacity Provider Details
+
+```bash
+aws lambda get-capacity-provider --capacity-provider-name lambda-capacity-provider-cdk
+```
+
+This shows:
+- Capacity provider ARN and state
+- VPC configuration (subnets and security groups)
+- Instance requirements (architecture, scaling mode)
+- IAM roles and permissions
+
+### List Associated EC2 Instances
+
+```bash
+aws ec2 describe-instances \
+  --filters "Name=tag:aws:lambda:capacity-provider,Values=arn:aws:lambda:*:capacity-provider:lambda-capacity-provider-cdk" \
+  --query 'Reservations[*].Instances[*].[InstanceId,InstanceType,State.Name,LaunchTime,SubnetId,PrivateIpAddress]' \
+  --output table
+```
+
+This displays:
+- Instance IDs and types
+- Current state (running, pending, terminated)
+- Launch times and subnet distribution
+- Private IP addresses within the VPC
+
+**Note**: For a complete list of supported EC2 instance types for AWS Lambda Managed Instances and their pricing, see the [AWS Lambda Pricing page](https://aws.amazon.com/lambda/pricing/).
+
+### Understanding Instance Behavior
+
+**Auto-scaling**: Instances are automatically created and terminated based on function demand
+- **Scale-up**: New instances launch when function invocation increases
+- **Scale-down**: Unused instances terminate after periods of low activity
+- **Multi-AZ**: Instances are distributed across availability zones for high availability
+
+**Instance Lifecycle**:
+- Instances typically launch within 1-2 minutes of stack deployment
+- They remain running to provide immediate function execution
+- AWS manages all instance lifecycle operations automatically
+
+### Automated Testing
+
+The included test script (`./test-lambda.sh`) automatically inspects both the capacity provider and EC2 instances, providing a comprehensive view of the managed instances infrastructure.
+
+## Regional Availability
+
+This stack will deploy to your default AWS region. Before deploying, please verify that AWS Lambda Managed Instances feature is available in your target region by using the [AWS capabilities explorer](https://builder.aws.com/build/capabilities/explore) or consulting the official [AWS Lambda Managed Instances documentation](https://docs.aws.amazon.com/lambda/latest/dg/lambda-managed-instances.html).
+
+## Cleanup
+ 
+1. Delete the stack
+    ```bash
+    cdk destroy
+    ```
+1. Confirm the stack has been deleted by checking the AWS CloudFormation console or running:
+    ```bash
+    aws cloudformation describe-stacks --stack-name lambda-managed-instances-cdk
+    ```
+
+----
+Copyright 2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0

lambda-managed-instances-cdk/bin/app.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+import { App } from 'aws-cdk-lib/core';
+import { DemoStack } from '../lib/demo-stack';
+
+const app = new App();
+new DemoStack(app, 'LambdaManagedInstancesDemo', {
+  stackName: 'lambda-managed-instances-cdk',
+  env: { 
+    account: process.env.CDK_DEFAULT_ACCOUNT, 
+    region: process.env.CDK_DEFAULT_REGION 
+  },
+  description: 'Simple Hello World Lambda function running on Lambda Managed Instances',
+});

lambda-managed-instances-cdk/cdk.json

@@ -0,0 +1,70 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableLogging": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableLogging": true,
+    "@aws-cdk/aws-normlizer:disable": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:generateSecretManagerSecretName": true,
+    "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForSourceAction": true
+  }
+}

lambda-managed-instances-cdk/events/hello-world.json

@@ -0,0 +1,3 @@
+{
+  "name": "AWS Lambda on Managed Instances"
+}