ecr lifecycle policy updates

CLJ2006 · CLJ2006 · commit 22da7b3ef341 · 2026-01-15T14:52:39.000Z
diff --git a/ansible/build-ecs-proxies.yml b/ansible/build-ecs-proxies.yml
@@ -20,4 +20,5 @@
 
   roles:
     - setup-facts
-    - build-ecs-proxies
+    - build-ecs-proxies
+    - ecr-lifecycle-policy
diff --git a/ansible/deploy-ecs-proxies.yml b/ansible/deploy-ecs-proxies.yml
@@ -45,4 +45,7 @@
 
   roles:
     - setup-facts
-    - deploy-ecs-proxies
+    - deploy-ecs-proxies
+
+    # - role: ecr-lifecycle-policy 
+    #   when: RELEASE_RELEASEID is defined and RELEASE_RELEASEID != ""
diff --git a/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json
@@ -2,38 +2,38 @@
   "rules": [
     {
       "rulePriority": 1,
-      "description": "Always keep the latest 500 ECS builds -AMEND NUMBER AFTER TEST",
+      "description": "Keep the 10 most recent ECS deployment images - AMEND NUMBER AFTER TEST",
       "selection": {
         "tagStatus": "tagged",
         "tagPrefixList": ["ecs-"],
         "countType": "imageCountMoreThan",
-        "countNumber": 500
+        "countNumber": 800
       },
       "action": {
         "type": "expire"
       }
     },
     {
       "rulePriority": 2,
-      "description": "Keep the latest 50 non‑ECS builds -AMEND NUMBER AFTER TEST",
+      "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST",
       "selection": {
         "tagStatus": "tagged",
-        "tagPatternList": ["*"],
+        "tagPrefixList": [""],
         "countType": "imageCountMoreThan",
-        "countNumber": 500
+        "countNumber": 800
       },
       "action": {
         "type": "expire"
       }
     },
     {
       "rulePriority": 3,
-      "description": "Expire untagged images older than 3 days",
+      "description": "Never expire the 'latest' tag",
       "selection": {
-        "tagStatus": "untagged",
-        "countType": "sinceImagePushed",
-        "countUnit": "days",
-        "countNumber": 3
+        "tagStatus": "tagged",
+        "tagPrefixList": ["latest"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 9999
       },
       "action": {
         "type": "expire"
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -32,28 +32,28 @@
     cmd: "docker push {{ image_name }}"
   when: build_result.rc == 0
 
-- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }}
-  ansible.builtin.command: >
-    {{ aws_cmd }} ecr get-lifecycle-policy
-    --repository-name {{ service_id }}_{{ item }}
-    --query 'lifecyclePolicyText'
-    --output text
-  register: existing_policy
-  failed_when: false
-  changed_when: false
-
-- name: Read lifecycle policy from the local file
-  ansible.builtin.slurp:
-    src: "{{ role_path }}/files/ecr_lifecycle.json"
-  register: desired_policy_raw
-
-- name: Decode lifecycle policy file
-  set_fact:
-    desired_policy: "{{ desired_policy_raw.content | b64decode }}"
-
-- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different
-  ansible.builtin.command: >
-    {{ aws_cmd }} ecr put-lifecycle-policy
-    --repository-name {{ service_id }}_{{ item }}
-    --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
-  when: existing_policy.stdout != desired_policy and build_result.rc == 0
+# - name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }}
+#   ansible.builtin.command: >
+#     {{ aws_cmd }} ecr get-lifecycle-policy
+#     --repository-name {{ service_id }}_{{ item }}
+#     --query 'lifecyclePolicyText'
+#     --output text
+#   register: existing_policy
+#   failed_when: false
+#   changed_when: false
+
+# - name: Read lifecycle policy from the local file
+#   ansible.builtin.slurp:
+#     src: "{{ role_path }}/files/ecr_lifecycle.json"
+#   register: desired_policy_raw
+
+# - name: Decode lifecycle policy file
+#   set_fact:
+#     desired_policy: "{{ desired_policy_raw.content | b64decode }}"
+
+# - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different
+#   ansible.builtin.command: >
+#     {{ aws_cmd }} ecr put-lifecycle-policy
+#     --repository-name {{ service_id }}_{{ item }}
+#     --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
+#   when: existing_policy.stdout != desired_policy and build_result.rc == 0
diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
@@ -83,10 +83,10 @@
       when: not do_not_terraform
 
     - name: Retag and promote ECS image (release pipelines only)
-      #when: pr_number is not defined or pr_number == ""
+      when: pr_number is not defined or pr_number == ""
       vars:
         PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
-        PROD_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+        PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
         IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
         TAG: "{{ build_label }}"
         NEW: "ecs-{{ build_label }}"
diff --git a/ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json b/ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json
@@ -0,0 +1,43 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Keep the 10 most recent ECS deployment images - AMEND NUMBER AFTER TEST",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 800
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": [""],
+        "countType": "imageCountMoreThan",
+        "countNumber": 800
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 3,
+      "description": "Never expire the 'latest' tag",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["latest"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 9999
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}
diff --git a/ansible/roles/ecr-lifecycle-policy/tasks/main.yml b/ansible/roles/ecr-lifecycle-policy/tasks/main.yml
@@ -0,0 +1,32 @@
+- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }}
+  ansible.builtin.command: >
+    {{ aws_cmd }} ecr get-lifecycle-policy
+    --repository-name {{ service_id }}_{{ item }}
+    --query 'lifecyclePolicyText'
+    --output text
+  register: existing_policy_raw
+  failed_when: false
+  changed_when: false
+
+- name: Parse existing lifecycle policy JSON
+  set_fact:
+    existing_policy_json: "{{ existing_policy_raw.stdout | default('{}') | from_json }}"
+  when: existing_policy_raw.stdout != ""
+
+- name: Read lifecycle policy from the local file
+  ansible.builtin.slurp:
+    src: "{{ role_path }}/files/ecr_lifecycle.json"
+  register: desired_policy_raw
+
+- name: Decode lifecycle policy file
+  set_fact:
+    desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}"
+
+- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different
+  ansible.builtin.command: >
+    {{ aws_cmd }} ecr put-lifecycle-policy
+    --repository-name {{ service_id }}_{{ item }}
+    --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
+  when:
+    - existing_policy_json != desired_policy_json
+    - env != "prod" or prod_lifecycle_update_allowed
