[plugin] Support deploying Lambda functions as OCI container images #687

Merged: sebsto merged 8 commits into main from feature/oci-archive-backend on Jun 30, 2026

sebsto (Collaborator) commented Jun 30, 2026

Closes #193

Adds OCI container image support to the `lambda-build` and `lambda-deploy` plugins, alongside the existing ZIP path. Functions can now be larger than the ZIP limits and bundle extra binaries or system libraries.

  • `lambda-build --archive-format oci` builds an OCI image (minimal Amazon Linux 2023 base, your binary as the bootstrap entrypoint), using `docker` or Apple's `container`. `--base-oci-image` overrides the base.
  • `lambda-deploy` pushes the image to Amazon ECR and creates an Image-packaged function: ensure repo, login, tag, push, unwrap the multi-arch index to the single-arch child digest (Lambda rejects indexes), then create/update. Guards against changing the package type of an existing function.
  • A build manifest written next to the artifact carries the package type, architecture, and container CLI from build to deploy.

Plumbing

  • New ECR API client, plus image fields on the Lambda client, generated via `scripts/generate-aws-clients.sh`. The script was rewritten to run on stock macOS bash and to use the `soto-codegenerator` plugins (`download-aws-models` + `build`) instead of driving the binary directly.
  • The deployer is split into `Deployer+{Zip,ECR,S3,IAM,LambdaFunction,FunctionUrl,Configuration,Error}.swift`.

Testing

  • Unit tests for the archive backend, ECR index-unwrap, build manifest, and config parsing.
  • Verified end to end against real AWS: build with container, push to ECR, create the function, and invoke it successfully.
  • A runnable `Examples/OCIImage` example and a `deploying-with-oci` DocC article.

Note: the OCI build and deploy commands use `--disable-sandbox` because the container CLI talks to its daemon over a socket the plugin sandbox does not allow.
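
As an added example (not code from this pull request): selecting the single-architecture child digest from an OCI image index, the step the description calls unwrapping. The type and function names are hypothetical, the sample index is constructed, and its `unknown/unknown` entry models the attestation manifests BuildKit adds to an index.

```swift
import Foundation

// Subset of the OCI image index schema needed to pick a child manifest.
struct Platform: Decodable { let architecture: String; let os: String }
struct Descriptor: Decodable { let digest: String; let platform: Platform? }
struct ImageIndex: Decodable { let manifests: [Descriptor] }

enum UnwrapError: Error {
    case noMatch(String)
    case ambiguous(String, count: Int)
    case malformedDigest(String)
}

/// Returns the digest of the single linux/<architecture> child of an image index.
/// `architecture` uses the OCI spelling ("amd64" or "arm64").
func childDigest(ofIndex json: Data, architecture: String) throws -> String {
    let index = try JSONDecoder().decode(ImageIndex.self, from: json)
    // Build attestations are listed with platform unknown/unknown; the filter drops them.
    let matches = index.manifests.filter {
        $0.platform?.os == "linux" && $0.platform?.architecture == architecture
    }
    guard let child = matches.first else { throw UnwrapError.noMatch(architecture) }
    // Two candidates for one platform means the choice would be a guess: refuse.
    guard matches.count == 1 else {
        throw UnwrapError.ambiguous(architecture, count: matches.count)
    }
    // Accept only a content-addressed reference: "sha256:" plus 64 lowercase hex digits.
    let hex = child.digest.dropFirst("sha256:".count).utf8
    let isHex = hex.allSatisfy { (48...57).contains($0) || (97...102).contains($0) }
    guard child.digest.hasPrefix("sha256:"), hex.count == 64, isHex else {
        throw UnwrapError.malformedDigest(child.digest)
    }
    return child.digest
}

// Constructed sample: an index holding one arm64 image and one attestation entry.
let image = "sha256:" + String(repeating: "a", count: 64)
let attestation = "sha256:" + String(repeating: "b", count: 64)
let sample = """
{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json", "manifests": [
  {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "\(image)", "size": 1024,
   "platform": {"architecture": "arm64", "os": "linux"}},
  {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "\(attestation)", "size": 566,
   "platform": {"architecture": "unknown", "os": "unknown"}}]}
"""
let digest = try childDigest(ofIndex: Data(sample.utf8), architecture: "arm64")
print("deploy by digest:", digest)
```

Referencing the child by digest rather than by tag also pins the function to the exact image that was built, since a tag can be moved after the push.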

sebsto added the 🆕 semver/minor (Adds new public API.) label Jun 30, 2026
sebsto merged commit 8345d55 into main Jun 30, 2026
53 checks passed
sebsto deleted the feature/oci-archive-backend branch June 30, 2026 19:01
sebsto added a commit that referenced this pull request Jul 1, 2026
Fixes #683

## Description of changes

`lambda-build` and `lambda-deploy` could independently choose the target
architecture, so a user could build an `arm64` binary and deploy a
function declaring `x64` (or the reverse). The deploy "succeeded" but
the function was broken at invoke time, with no error at build or
deploy.

The OCI PR (#687) introduced the `build-manifest.json` hand-off but only
wired the architecture into the image deploy path. This PR closes the
underlying latent bug for the ZIP path and makes a mismatch impossible
to deploy silently.

### `lambda-build`
- Adds `--architecture <x64|arm64>` (default: host).
- The flag actually drives the build: the container is run/pulled/built
for that platform (`docker --platform linux/<arch>`, Apple `container
--arch <arch>`), so the produced binary matches what the manifest
records. The CLI-specific spelling lives in each `ContainerCLI`
implementation.
- Both ZIP and OCI backends record the real architecture in
`build-manifest.json` (ZIP previously hardcoded `.host`).
- A native (Amazon Linux host) build rejects an explicit
cross-architecture request, since it can only target the host and would
otherwise record a mismatched architecture.

### `lambda-deploy`
- When `--architecture` is omitted, deploy adopts the architecture
recorded in the manifest instead of independently re-defaulting to the
host.
- When `--architecture` is passed and disagrees with the built artifact,
deploy fails fast with a descriptive error rather than creating a broken
function.
- No manifest (legacy `archive` output, or `--input-directory`) falls
back to the previous behavior; `--architecture` remains the way to
declare the arch there.

### Docs & tests
- Documents the flag and the build→deploy hand-off in the DocC articles.
- Adds unit tests for arg parsing, backend threading, the updated CLI
argv, and the deploy-side reconciliation (match / mismatch / omitted /
no-manifest).

## New/existing dependencies impact assessment, if applicable

No new dependencies.

## Conventional Commits

fix: enforce architecture consistency between lambda-build and
lambda-deploy

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
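
The deploy-side reconciliation listed in the commit message (match, mismatch, omitted, no manifest), as an added example that is not the project's code. The manifest keys, the type names and the `reconcile` function are hypothetical: the page names `build-manifest.json` and what it carries, not its schema.

```swift
import Foundation

enum Architecture: String, Decodable { case x64, arm64 }

// Hypothetical manifest shape; only the two fields this check needs.
struct BuildManifest: Decodable {
    let packageType: String
    let architecture: Architecture
}

struct ArchitectureMismatch: Error, CustomStringConvertible {
    let requested: Architecture
    let built: Architecture
    var description: String {
        "--architecture \(requested.rawValue) does not match the built artifact "
            + "(\(built.rawValue)); rebuild for \(requested.rawValue) or drop the flag"
    }
}

/// Decides which architecture the function will declare, before any AWS call is made.
func reconcile(requested: Architecture?, manifest: BuildManifest?,
               host: Architecture) throws -> Architecture {
    // No manifest (legacy output): the flag is the only declaration, else the host default.
    guard let built = manifest?.architecture else { return requested ?? host }
    // Flag and artifact disagree: fail closed instead of creating a broken function.
    if let flag = requested, flag != built {
        throw ArchitectureMismatch(requested: flag, built: built)
    }
    // Flag omitted or in agreement: the recorded build architecture is authoritative.
    return built
}

// Constructed manifest for an arm64 image build, deployed from an assumed x64 host.
let json = Data(#"{"packageType": "Image", "architecture": "arm64"}"#.utf8)
let manifest = try JSONDecoder().decode(BuildManifest.self, from: json)
let host = Architecture.x64

print("omitted:    ", try reconcile(requested: nil, manifest: manifest, host: host))
print("match:      ", try reconcile(requested: .arm64, manifest: manifest, host: host))
print("no manifest:", try reconcile(requested: nil, manifest: nil, host: host))
do {
    _ = try reconcile(requested: .x64, manifest: manifest, host: host)
} catch {
    print("mismatch:    deploy refused:", error)
}
```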

Successfully merging this pull request may close these issues.

[plugin] Offer the option to package and deploy using AWS Lambda Container Image Support
