5 changes: 4 additions & 1 deletion ansible/Makefile
Expand Up @@ -43,7 +43,10 @@ create-build-env-vars: guard-build_label guard-out_dir
@poetry run ansible-playbook -i local create-build-env-vars.yml

deploy-ecs-proxies: guard-account guard-build_label guard-service_id guard-APIGEE_ENVIRONMENT guard-PROXY_VARS_FILE
@poetry run ansible-playbook -i local deploy-ecs-proxies.yml
@poetry run ansible-playbook -i local deploy-ecs-proxies.yml \

deploy-ecs-proxies-retag: guard-build_label guard-service_id guard-PROXY_VARS_FILE
@poetry run ansible-playbook -i local deploy-ecs-proxies-retag.yml

deploy-apigee-proxy: guard-FULLY_QUALIFIED_SERVICE_NAME guard-SERVICE_BASE_PATH guard-APIGEE_ENVIRONMENT guard-APIGEE_ORGANIZATION guard-APIGEE_ACCESS_TOKEN guard-PROXY_DIR guard-PING
@poetry run ansible-playbook -i local deploy-apigee-proxy.yml
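Review bot: The new deploy-ecs-proxies-retag target guards `PROXY_VARS_FILE`, but the playbook it runs (deploy-ecs-proxies-retag.yml) reads `CONTAINER_VARS_FILE` from the environment and never touches PROXY_VARS_FILE, so an unset CONTAINER_VARS_FILE passes the guard and only fails later inside include_vars; change the prerequisites to `deploy-ecs-proxies-retag: guard-build_label guard-service_id guard-CONTAINER_VARS_FILE`. That playbook also reads `account` and `APIGEE_ENVIRONMENT`, which the sibling deploy-ecs-proxies target guards and this one does not — worth confirming whether setup-facts needs them. Separately, the modified deploy-ecs-proxies recipe now ends in a trailing `\` with no continuation line visible in this view; if nothing follows it the backslash should be dropped, and if a continuation line was lost in rendering it is not shown here.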
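--- a/ansible/deploy-ecs-proxies-retag.yml
+++ b/ansible/deploy-ecs-proxies-retag.yml
@@ -0,0 +1,18 @@
+- name: deploy ecs proxies retag
+  hosts: 127.0.0.1
+  connection: local
+  gather_facts: no
+
+  vars:
+    service_id: "{{ lookup('env','service_id') }}"
+    APIGEE_ENVIRONMENT: "{{ lookup('env','APIGEE_ENVIRONMENT') }}"
+    account: "{{ lookup('env','account') }}"
+
+  pre_tasks:
+    - name: include container vars
+      include_vars:
+        file: "{{ lookup('env', 'CONTAINER_VARS_FILE') | expandvars | expanduser | realpath }}"
+
+  roles:
+    - setup-facts
+    - deploy-ecs-proxies-retag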
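Review bot: The pre_tasks include_vars of `CONTAINER_VARS_FILE` duplicates the first task of the deploy-ecs-proxies-retag role, which includes the same file again `when: docker_containers is not defined`; one of the two should go, and keeping this playbook-level one (which normalises the path with expandvars/expanduser/realpath) is the safer choice. `gather_facts: no` is a YAML 1.1 truthy value that yamllint flags; prefer `gather_facts: false`, and start the file with `---` as the role's vars file does.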
9 changes: 9 additions & 0 deletions ansible/deploy-ecs-proxies.yml
Expand Up @@ -42,6 +42,15 @@
- name: include vars
include_vars:
file: "{{ lookup('env', 'PROXY_VARS_FILE') | expandvars | expanduser | realpath }}"

- name: load use_ecs_tag from environment
set_fact:
use_ecs_tag: "{{ lookup('env','use_ecs_tag') | default('false') }}"

- name: normalise use_ecs_tag to boolean
set_fact:
use_ecs_tag: "{{ use_ecs_tag | lower == 'true' }}"


roles:
- setup-facts
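Review bot: `lookup('env','use_ecs_tag') | default('false')` never falls back, because the env lookup returns an empty string (not undefined) when the variable is unset and `default` only replaces undefined values; the second task still normalises `''` to false, so the behaviour is right by accident. Write `default('false', true)` to make the fallback real, or fold both steps into one task: `use_ecs_tag: "{{ (lookup('env','use_ecs_tag') | default('false', true) | lower) == 'true' }}"`. There is also a doubled blank line before `roles:`. The pre_tasks list starts outside the hunk.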
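--- a/ansible/ecr-lifecycle/ecr_lifecycle.json
+++ b/ansible/ecr-lifecycle/ecr_lifecycle.json
@@ -0,0 +1,36 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Keep the 6 most recent ECS deployment images tagged ecs- (release images)",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 6
+      },
+      "action": { "type": "expire" }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Never expire the 'latest' tag",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["latest"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 9999
+      },
+      "action": { "type": "expire" }
+    },
+    {
+      "rulePriority": 3,
+      "description": "Keep the 6 most recent build images (all tags)",
+      "selection": {
+        "tagStatus": "any",
+        "countType": "imageCountMoreThan",
+        "countNumber": 6
+      },
+      "action": { "type": "expire" }
+    }
+  ]
+}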
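Review bot: Rule 2's description says the `latest` tag is never expired, but it is implemented as an expire action with an `imageCountMoreThan` threshold of 9999 — a common workaround for ECR having no keep action, not a true exemption — so the description should say that, e.g. `"description": "Protect 'latest': match it here with a high count so rule 3 cannot expire it"`. Rule 3 with `tagStatus: any` and `countNumber: 6` then caps untagged and every other-tagged image at 6 combined, which is worth confirming as the intent, because this file is not applied anywhere yet (the tasks that would apply it are commented out in build-ecs-proxies/tasks/main.yml) and so has not been exercised.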
23 changes: 23 additions & 0 deletions ansible/roles/build-ecs-proxies/tasks/main.yml
Expand Up @@ -30,6 +30,29 @@
with_items: "{{ new_repos }}"
when: new_repos

# TO DO- Add back in once confirmed lifecycle policy to be applied to all new repos.

# - name: Read lifecycle policy file
# ansible.builtin.slurp:
# src: "{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json"
# register: desired_policy_raw
# when: new_repos | length > 0

# - name: Decode lifecycle policy JSON
# set_fact:
# desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}"
# when: new_repos | length > 0

# - name: Apply lifecycle policy to each new repo
# ansible.builtin.command: >
# {{ aws_cmd }} ecr put-lifecycle-policy
# --repository-name {{ item }}
# --lifecycle-policy-text '{{ desired_policy_json | to_json }}'
# with_items: "{{ new_repos }}"
# register: lifecycle_update
# ignore_errors: yes
# when: new_repos | length > 0

- name: ecr login
shell: "eval $({{ aws_cmd }} ecr get-login --no-include-email)"
changed_when: no
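Review bot: The commented-out block reads the policy with slurp, base64-decodes and `from_json`s it, then re-serialises it with `to_json` inside single quotes on a shell command line; `aws ecr put-lifecycle-policy` accepts `--lifecycle-policy-text file://{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json`, which collapses the three tasks into one and removes the quoting fragility. When it is re-enabled, `ignore_errors: yes` would silently skip a failed policy apply on a fresh repository, so drop it unless best-effort is deliberate (and then write `ignore_errors: true`). The `# TO DO` note should name what confirmation is pending so the block does not stay commented out indefinitely. The enclosing task list continues on both sides of the hunk.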
Expand Up @@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" {
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:GetLifecyclePolicy",
"ecr:PutLifecyclePolicy",
"s3:GetObject"
]

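Review bot: `ecr:GetLifecyclePolicy` and `ecr:PutLifecyclePolicy` are added to the `ecs-execution-role` policy document, but the ECS task execution role only needs to pull images (and read secrets) at task start; a write permission on repository lifecycle policies lets anyone who can assume that role change which images get deleted. The deploy-user statement later in this commit already grants both actions scoped to the service repositories, which is where lifecycle management belongs — drop the two lines here unless something running under the execution role actually calls put-lifecycle-policy. The resource scope of this statement is outside the hunk, so I cannot tell whether it is repository-scoped or `*`.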
Expand Down Expand Up @@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" {

}

statement {
actions = [
"ecr:GetLifecyclePolicy",
"ecr:PutLifecyclePolicy"
]

resources = [
"arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}",
"arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*"
]
}

statement {
actions = [
"s3:ListBucket",
1 change: 1 addition & 0 deletions ansible/roles/create-ecr-build-role/vars/main.yml
Expand Up @@ -44,6 +44,7 @@ aws_ecs_policy:
- "ecr:StartImageScan"
- "ecr:StartLifecyclePolicyPreview"
- "ecr:UploadLayerPart"
- "ecr:PutLifecyclePolicy"
Resource: [
"arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*"
]
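Review bot: `ecr:PutLifecyclePolicy` is granted to the build role here while the only code that would call put-lifecycle-policy (in build-ecs-proxies/tasks/main.yml) is still commented out, so the permission goes live before its consumer does; consider adding it in the same change that re-enables those tasks, to keep the role at least privilege in the meantime. The terraform deploy-user statement in this commit grants `ecr:GetLifecyclePolicy` alongside Put; if the build role is the one that will apply the policy it will likely need the matching `- "ecr:GetLifecyclePolicy"` entry here too. The enclosing `aws_ecs_policy` list starts outside the hunk.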
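--- a/ansible/roles/deploy-ecs-proxies-retag/tasks/main.yml
+++ b/ansible/roles/deploy-ecs-proxies-retag/tasks/main.yml
@@ -0,0 +1,83 @@
+- name: Ensure docker_containers is loaded
+  include_vars:
+    file: "{{ lookup('env', 'CONTAINER_VARS_FILE') }}"
+  when: docker_containers is not defined
+
+- name: Login to ECR
+  shell: >
+    {{ aws_cmd }} ecr get-login-password --region {{ aws_region }}
+    | docker login --username AWS --password-stdin {{ ecr_registry }}
+
+- name: Pulling ECR image
+  debug:
+    msg: "Pulling {{ item }}:{{ build_label }}"
+  loop: "{{ repo_names }}"
+  loop_control:
+    label: "{{ item }}"
+
+- name: Pull existing image
+  ansible.builtin.command:
+    cmd: >
+      docker pull {{ ecr_registry }}/{{ item }}:{{ build_label }}
+  loop: "{{ repo_names }}"
+  loop_control:
+    label: "{{ item }}"
+  register: pull_results
+
+- name: Retagging ECR image
+  debug:
+    msg: "Retagging {{ item.item }}:{{ build_label }} → ecs-{{ build_label }}"
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+- name: Retag image
+  ansible.builtin.command:
+    cmd: >
+      docker tag
+      {{ ecr_registry }}/{{ item.item }}:{{ build_label }}
+      {{ ecr_registry }}/{{ item.item }}:ecs-{{ build_label }}
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+- name: Pushing ECR image
+  debug:
+    msg: "Pushing ecs-{{ build_label }} for {{ item.item }}"
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+- name: Push new tag
+  ansible.builtin.command:
+    cmd: >
+      docker push {{ ecr_registry }}/{{ item.item }}:ecs-{{ build_label }}
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+# - name: Delete old tag from ECR
+#   ansible.builtin.command:
+#     cmd: >
+#       aws ecr batch-delete-image
+#       --repository-name {{ item.item }}
+#       --image-ids imageTag={{ build_label }}
+#       --region {{ aws_region }}
+#   loop: "{{ pull_results.results }}"
+#   loop_control:
+#     label: "{{ item.item }}"
+#   when:
+#     - item.rc == 0
+#     - item.item == "canary_canary-api"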
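Review bot: The repository filter `item.item == "canary_canary-api"` is repeated in four `when:` clauses (and the commented delete task) and hard-codes the `service_id + '_'` prefix that vars/main.yml builds dynamically, so the role silently does nothing for any other service_id; lift it into one role variable, e.g. `retag_repo_name: "{{ service_id }}_canary-api"` (constructed name), and compare against that. The `item.rc == 0` guard is redundant: `ansible.builtin.command` fails the Pull task on a non-zero exit, so the play never reaches the retag tasks with a failed result unless `ignore_errors` or `failed_when` is added to the pull. Every repository in `repo_names` is pulled even though only one is retagged; filtering `repo_names` before the pull would avoid pulling images that are then discarded. The pull/tag/push command tasks also report changed on every run, so `changed_when: false` on pull and tag would make the play output honest.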
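--- a/ansible/roles/deploy-ecs-proxies-retag/vars/main.yml
+++ b/ansible/roles/deploy-ecs-proxies-retag/vars/main.yml
@@ -0,0 +1,6 @@
+---
+build_label: "{{ lookup('env', 'build_label') }}"
+containers: "{{ docker_containers | json_query('[].name') | unique | sort }}"
+repo_names: "{{ containers | map('regex_replace', '^(.*)$', service_id + '_\\1') | list }}"
+base_dir: "{{ playbook_dir }}/../.."
+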
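Review bot: `json_query` requires the `community.general` collection and the `jmespath` Python package on the controller; `containers: "{{ docker_containers | map(attribute='name') | unique | sort }}"` does the same with core filters only. `base_dir` is not referenced by any task in the new role, so it looks like a leftover. `build_label` defined in a role's vars/ file takes precedence over play vars and inventory, so it cannot be overridden from the playbook; if that is not intended, move it to defaults/ or read it in the playbook's `vars:` alongside the other env-derived values.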
11 changes: 9 additions & 2 deletions ansible/roles/deploy-ecs-proxies/tasks/main.yml
Expand Up @@ -71,14 +71,21 @@
with_filetree: "{{ '../templates' }}"
when: item.state == 'file'

- name: ansible use_ecs_tag before terraform
debug:
msg: >
ANSIBLE: use_ecs_tag='{{ use_ecs_tag }}'
TYPE={{ use_ecs_tag | type_debug }}
TF_VAR_use_ecs_tag='{{ use_ecs_tag | ternary("true","false") }}'

- name: terraform plan
shell: "make -C {{ out_dir }}/terraform clean plan args='-no-color -lock-timeout=30m -out tfplan.out'" # noqa 305
shell: "TF_VAR_use_ecs_tag={{ use_ecs_tag | ternary('true','false') }} make -C {{ out_dir }}/terraform clean plan args='-no-color -lock-timeout=30m -out tfplan.out'" # noqa 305
register: tfplan
failed_when: tfplan.rc not in (0, 2)
when: not do_not_terraform

- name: terraform apply
shell: "make -C {{ out_dir }}/terraform apply-plan args='-no-color -lock-timeout=30m --auto-approve tfplan.out'" # noqa 305
shell: "TF_VAR_use_ecs_tag={{ use_ecs_tag | ternary('true','false') }} make -C {{ out_dir }}/terraform apply-plan args='-no-color -lock-timeout=30m --auto-approve tfplan.out'" # noqa 305
register: tfapply
when: not do_not_terraform

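Review bot: Both terraform tasks now prefix the shell string with `TF_VAR_use_ecs_tag=...`, which is easy to miss at the end of an already long `# noqa 305` line and has to be duplicated per task; Ansible's task-level `environment:` keyword is the idiomatic place for it, e.g. `environment:` followed by `TF_VAR_use_ecs_tag: "{{ use_ecs_tag | ternary('true', 'false') }}"` on each task, leaving the `make` command lines as they were. The debug task above prints `type_debug` of use_ecs_tag, which reads like a leftover from debugging the boolean normalisation — either drop it or reduce the message to the single effective value. The enclosing task list continues on both sides of the hunk.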
38 changes: 27 additions & 11 deletions ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
Expand Up @@ -43,18 +43,34 @@ locals {

}

ecs_service = [
{% for container in ecs_service %}
{{
(
container
| combine(
{'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':' + build_label }
ecs_service = [
{% for container in ecs_service %}

{% set image_tag = (
'${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/'
+ service_id + '_' + container.name
+ (
":ecs-" + build_label
if use_ecs_tag and container.name == "canary-api"
else ":" + build_label
)
) | to_json
}},
{% endfor %}
]
)
%}


{{
(
container
| combine(
{
'image': image_tag
}
)
) | to_json
}},

{% endfor %}
]

exposed_service = element(matchkeys(local.ecs_service, local.ecs_service.*.expose, list(true)), 0)

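Review bot: The container name `"canary-api"` is hard-coded in the Jinja `{% set image_tag %}` condition, and the retag role hard-codes the matching repository name `canary_canary-api`; the two must be kept in sync by hand, so the name belongs in one Ansible variable that both the template and the role read (constructed name: `ecs_tag_container`). Note also that `use_ecs_tag` here is the Ansible variable resolved when the template renders, not `var.use_ecs_tag` of the Terraform variable this commit declares — as far as the visible changes go, `TF_VAR_use_ecs_tag` is exported but nothing in Terraform reads it. `use_ecs_tag` is only defined once deploy-ecs-proxies.yml's pre_tasks have run, so rendering this role from any other playbook would fail on an undefined variable; `if use_ecs_tag | default(false) and container.name == "canary-api"` would make the template self-contained. The `locals` block starts and ends outside the hunk.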
Expand Up @@ -71,4 +71,9 @@ variable "autoscaling_scale_out_cooldown" {

variable "deregistration_delay" {
type = number
}

variable "use_ecs_tag" {
type = bool
description = "Whether to use ecs- prefixed tag for canary-api"
}
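Review bot: `use_ecs_tag` is declared without a default, so every plan and apply must now export `TF_VAR_use_ecs_tag` or Terraform will prompt or fail; the Ansible tasks in this commit do so, but anyone running the terraform make targets by hand will hit it — add `default = false` unless the prompt is wanted. The only consumer visible in this commit is the Jinja condition in locals.tf, which reads the Ansible variable at render time rather than `var.use_ecs_tag`, so if nothing else references the Terraform variable it is dead and tflint's unused-variable rule will flag it. The description ties the variable to canary-api; keep it in step with wherever that container name ends up being defined.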
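--- a/azure/deploy-ecs-proxies-retag.yml
+++ b/azure/deploy-ecs-proxies-retag.yml
@@ -0,0 +1,22 @@
+parameters:
+  - name: 'container_vars'
+    type: string
+    default: 'ecs-proxies-containers.yml'
+
+  - name: 'env_vars_dir'
+    type: string
+    default: './'
+
+  - name: 'utils_dir'
+    type: string
+    default: 'utils'
+
+steps:
+  - bash: |
+      set -e
+      source "${{ parameters.env_vars_dir }}/.build_env_vars"
+
+      export CONTAINER_VARS_FILE="$SERVICE_DIR/ecs-proxies-containers.yml
+
+      make --no-print-directory -C ${{ parameters.utils_dir }}/ansible deploy-ecs-proxies-retag
+    displayName: "Retag ECS proxies"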
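Review bot: The `export CONTAINER_VARS_FILE="$SERVICE_DIR/ecs-proxies-containers.yml` line is missing its closing double quote, so bash rejects the whole step with an unterminated-string error before `make` ever runs; it also ignores the `container_vars` parameter declared at the top and hard-codes the same file name. `export CONTAINER_VARS_FILE="$SERVICE_DIR/${{ parameters.container_vars }}"` fixes both. `SERVICE_DIR` is expected to come from the sourced `.build_env_vars`; if it can be unset, `set -eu` would stop the step there instead of passing an empty directory through to Ansible.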