Description
Problem
The SociIndexGeneratorLambda fails when generating SOCI indexes for container images that are built only for linux/arm64. We previously built multi-architecture images (linux/amd64 and linux/arm64) and SOCI index generation worked. After switching our CI to build only for linux/arm64 (e.g. for Fargate Graviton), the Lambda consistently fails with:
{"level":"error","error":"failed to convert OCI index: image manifest for linux/amd64: not found","RequestId":"...","time":"...","message":"SOCI index build error"}
The Lambda runs on x86_64 (Lambda default). In handler.go, the V2 path calls builder.Convert(ctx, image) with no platform; the conversion appears to resolve the OCI image index using the host default platform (linux/amd64). When the image only has an arm64 manifest, that resolution fails.
Expected Behavior
SOCI index generation should succeed for images that contain only linux/arm64 (or any single platform that exists in the image). The builder should either:
- Use the platform(s) actually present in the image when converting, or
- Support a configurable target platform (e.g. stack parameter or environment variable) so we can specify linux/arm64 for arm64-only registries.
Current Behavior
- Push an image that is linux/arm64 only to ECR (e.g. built with docker buildx build --platform linux/arm64).
- EventBridge triggers the SOCI index builder Lambda on the push.
- Lambda fails with: failed to convert OCI index: image manifest for linux/amd64: not found.
- No SOCI index is created; the image is not usable for SOCI-based lazy loading on Fargate.
Possible Solution
In functions/source/soci-index-generator-lambda/handler.go, in buildIndex():
- For V2: when the image is an OCI index (manifest list), discover the platform(s) in the index and call the SOCI convert API for those platform(s)—or at least for one platform that exists—instead of relying on the host default (platforms.DefaultSpec() → linux/amd64).
- Alternatively: add a CloudFormation parameter (e.g. "Target platform") and pass it to the Lambda as an environment variable (e.g. SOCI_TARGET_PLATFORM=linux/arm64), and use that when resolving/converting so arm64-only (or other single-arch) images work without code changes per deployment.
The underlying soci-snapshotter library supports platform-aware conversion (e.g. ConvertWithPlatforms, WithPlatform), so the fix is in how the Lambda invokes the builder, not in the library itself.
Steps to Reproduce (if applicable)
- Deploy the CFN stack with SOCI Index Version V2 and a filter that matches your repository (e.g. *:* or candidco/candid-core:*).
- Build and push an image only for linux/arm64 to the matched ECR repository (e.g. docker buildx build --platform linux/arm64 -t <account>.dkr.ecr.<region>.amazonaws.com/candidco/candid-core:latest --push .).
- Observe the SociIndexGeneratorLambda invocation in CloudWatch Logs; it fails with failed to convert OCI index: image manifest for linux/amd64: not found.
Screenshots (if applicable)
N/A — error is in CloudWatch Logs as JSON.
Environment
- Project version: Current main branch of awslabs/cfn-ecr-aws-soci-index-builder
- SOCI Index Version (stack parameter): V2.
- Image architecture: linux/arm64 only (single-platform push).
- Lambda runtime: provided.al2023 (x86_64).
- Region: us-east-1.
Additional Context
- We are not able to revert to building amd64 images just to satisfy the Lambda; we want to fix or configure the builder for arm64-only images.
- I did not find an existing open or closed issue describing this scenario; opening this to document it and request support for single-platform (e.g. arm64-only) images.
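
An added sketch of the platform-discovery step proposed under "Possible Solution" (not code from this repository or from soci-snapshotter): it reads an OCI image index, lists the platforms actually present, and applies an optional override such as the proposed SOCI_TARGET_PLATFORM value. The names selectPlatforms and sampleIndex are hypothetical, the index JSON is constructed, and the soci-snapshotter convert call itself is left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: an arm64-only OCI index plus a buildx attestation entry.
const sampleIndex = `{"schemaVersion":2,"manifests":[
 {"digest":"sha256:aaaa","platform":{"os":"linux","architecture":"arm64"}},
 {"digest":"sha256:bbbb","platform":{"os":"unknown","architecture":"unknown"}}]}`

// ociIndex is the subset of the OCI image index schema needed here.
type ociIndex struct {
	Manifests []struct {
		Platform *struct {
			OS           string `json:"os"`
			Architecture string `json:"architecture"`
		} `json:"platform"`
	} `json:"manifests"`
}

// selectPlatforms returns the "os/arch" platforms to convert (variant ignored).
// An empty override selects every platform present; otherwise only that one.
func selectPlatforms(indexJSON []byte, override string) ([]string, error) {
	var idx ociIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("parse OCI index: %w", err)
	}
	var out []string
	for _, m := range idx.Manifests {
		if m.Platform == nil || m.Platform.OS == "unknown" {
			continue // no platform, or an unknown/unknown attestation manifest
		}
		p := m.Platform.OS + "/" + m.Platform.Architecture
		if override == "" || p == override {
			out = append(out, p)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no manifest in index matches platform %q", override)
	}
	return out, nil
}

func main() {
	fmt.Println(selectPlatforms([]byte(sampleIndex), ""))            // platform taken from the index
	fmt.Println(selectPlatforms([]byte(sampleIndex), "linux/amd64")) // explicit error, no host default
}
```

The returned platform list is what the Lambda would pass to a platform-aware convert call in place of the host default.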