1
votes

In our ECR, we have multiple repositories for each microservice.

Service 1

Service 2

Service 3

While building the code (for any one service), creating an image out of it and pushing it to ECR, we tag it with the keywords dev and build-XXX-XXX-XXX-XXX.

If we do this process again, the new image will be tagged as above, but the above image (which is now the previous one) will only be tagged as build-XXX-XXX-XXX-XXX.

How do I set a lifecycle policy to remove only those images which are tagged only as build-XXX-XXX-XXX-XXX?

I set the policy below, but during a test run, I can see that it is also picking up those images which are tagged as dev, which I don't want to delete.

The dev-tagged image will always be present with build-XXX-XXX-XXX-XXX.

{
  "rules": [
    {
      "action": {
        "type": "expire"
      },
      "selection": {
        "countType": "imageCountMoreThan",
        "countNumber": 5,
        "tagStatus": "tagged",
        "tagPrefixList": [
          "build"
        ]
      },
      "description": "remove images starting with build",
      "rulePriority": 1
    }
  ]
}

In the same repo, I also push test and UAT images with their respective tags (test & uat), with exactly the above process (with build-XXX-XXX-XXX-XXX as well), and I don't want to delete them either.

1
The dev tag can't exist on two images at the same time. I am not sure what you're asking here. - jordanm
Obvious solution would be to alter your tagging convention and tag "dev" builds with some other word not containing "build" - Oleksii Donoha
Hi Jordanm, yes, of course the dev tag can't exist on two images. If I build an image the first time, it will have two tags, dev and build-XXX-XX, and if I build a second image, this one will be tagged with dev and build-YY-YYY and the earlier image only remains with build-XXX-XXX. Hope that clarifies. - Vaibhav

1 Answers

0
votes

An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority.

If you want to keep one dev tagged image, you have to add an additional rule for that, set the highest priority for that rule (I set 10 in the example below) and decrease the priority of your build tagged rule (I set 100), for example:

{
  "rules": [
    {
      "rulePriority": 10,
      "description": "Remove dev except one",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": [
          "dev"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 100,
      "description": "Remove images starting with build",
      "selection": {
        "countType": "imageCountMoreThan",
        "countNumber": 5,
        "tagStatus": "tagged",
        "tagPrefixList": [
          "build"
        ]
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}

In the same way, add rules for the tags uat and test with different priorities (20 and 30, for example), but higher than the build one.
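
The interaction between the two rules can be checked offline. The following is an added example, not part of the answer above and not AWS code: a simplified Python model of lifecycle evaluation that assumes rules run in ascending rulePriority, that every matching image counts toward countNumber, and that an image matching an earlier rule's tags is skipped by later rules. The helper names and the repository contents are constructed for illustration.

```python
# Simplified model of ECR lifecycle evaluation (assumed semantics, not AWS code).

def rule(priority, prefix, keep):
    """Build an 'expire all but the newest <keep>' rule for one tag prefix."""
    return {"rulePriority": priority,
            "selection": {"tagStatus": "tagged", "tagPrefixList": [prefix],
                          "countType": "imageCountMoreThan", "countNumber": keep},
            "action": {"type": "expire"}}

# The single-rule policy from the question and the two-rule policy from the answer.
ASKER_POLICY = {"rules": [rule(1, "build", 5)]}
ANSWER_POLICY = {"rules": [rule(10, "dev", 1), rule(100, "build", 5)]}

# Constructed repository: (push order, tags); a higher number was pushed later.
# The current dev image is the OLDEST one, with newer uat/test builds on top.
IMAGES = [(1, ["dev", "build-001"]), (2, ["build-002"]), (3, ["build-003"]),
          (4, ["build-004"]), (5, ["build-005"]),
          (6, ["uat", "build-006"]), (7, ["test", "build-007"])]


def matches(tags, selection):
    """Every prefix in tagPrefixList must match at least one tag on the image."""
    return all(any(t.startswith(p) for t in tags)
               for p in selection["tagPrefixList"])


def evaluate(policy, images):
    """Return the sorted push numbers of the images the policy would expire."""
    expired, claimed = set(), set()
    for r in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = r["selection"]
        # Newest first; everything past the first countNumber is a candidate.
        matched = sorted((n for n, tags in images if matches(tags, sel)),
                         reverse=True)
        for n in matched[sel["countNumber"]:]:
            if n not in claimed:        # an earlier rule already owns this image
                expired.add(n)
        claimed.update(matched)         # later rules may not expire these
    return sorted(expired)


if __name__ == "__main__":
    print("question policy expires:", evaluate(ASKER_POLICY, IMAGES))
    print("answer policy expires:  ", evaluate(ANSWER_POLICY, IMAGES))
```

In this model the protected dev image still counts toward the build rule's limit of 5, so six build-tagged images remain after the run. Confirm the result against the real repository with a lifecycle policy preview before applying the policy.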