diff --git a/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json
new file mode 100644
index 000000000..58a08f455
--- /dev/null
+++ b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json
@@ -0,0 +1,43 @@
+{
+ "rules": [
+ {
+ "rulePriority": 1,
+ "description": "Always keep the latest 500 ECS builds -AMEND NUMBER AFTER TEST",
+ "selection": {
+ "tagStatus": "tagged",
+ "tagPrefixList": ["ecs-"],
+ "countType": "imageCountMoreThan",
+ "countNumber": 500
+ },
+ "action": {
+ "type": "expire"
+ }
+ },
+ {
+ "rulePriority": 2,
+ "description": "Keep the latest 50 non‑ECS builds -AMEND NUMBER AFTER TEST",
+ "selection": {
+ "tagStatus": "tagged",
+ "tagPatternList": ["*"],
+ "countType": "imageCountMoreThan",
+ "countNumber": 500
+ },
+ "action": {
+ "type": "expire"
+ }
+ },
+ {
+ "rulePriority": 3,
+ "description": "Expire untagged images older than 3 days",
+ "selection": {
+ "tagStatus": "untagged",
+ "countType": "sinceImagePushed",
+ "countUnit": "days",
+ "countNumber": 3
+ },
+ "action": {
+ "type": "expire"
+ }
+ }
+ ]
+}
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 56be84bb0..4977c58c5 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
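Review bot: Rule 2's description says "Keep the latest 50 non-ECS builds" but its `countNumber` is 500, identical to rule 1, and both descriptions still carry the "-AMEND NUMBER AFTER TEST" placeholder, so the committed policy does not document what it actually enforces. As I read ECR's evaluation rules, `tagPatternList: ["*"]` also selects the `ecs-` images already matched by rule 1 (a higher-priority rule's images cannot be expired by rule 2, but they still count toward its limit), so the rule is "keep the newest 500 tagged images of any kind", not "50 non-ECS builds". Either set `"countNumber": 50` and reword the description to what the selection does, or, if 500 is the tested value, remove the placeholder text from both descriptions. The "non‑ECS" in rule 2's description also uses a non-ASCII hyphen rather than `-`, harmless to ECR but easy to miss when searching the file.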
@@ -31,3 +31,29 @@
 ansible.builtin.command:
 cmd: "docker push {{ image_name }}"
 when: build_result.rc == 0
+
+- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }}
+ ansible.builtin.command: >
+ {{ aws_cmd }} ecr get-lifecycle-policy
+ --repository-name {{ service_id }}_{{ item }}
+ --query 'lifecyclePolicyText'
+ --output text
+ register: existing_policy
+ failed_when: false
+ changed_when: false
+
+- name: Read lifecycle policy from the local file
+ ansible.builtin.slurp:
+ src: "{{ role_path }}/files/ecr_lifecycle.json"
+ register: desired_policy_raw
+
+- name: Decode lifecycle policy file
+ set_fact:
+ desired_policy: "{{ desired_policy_raw.content | b64decode }}"
+
+- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different
+ ansible.builtin.command: >
+ {{ aws_cmd }} ecr put-lifecycle-policy
+ --repository-name {{ service_id }}_{{ item }}
+ --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
+ when: existing_policy.stdout != desired_policy and build_result.rc == 0
\ No newline at end of file
diff --git a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
index 29eb55a3e..775b01a11 100644
--- a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
+++ b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
@@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" {
 "ecr:DescribeRepositories",
 "ecr:ListImages",
 "ecr:DescribeImages",
+ "ecr:GetLifecyclePolicy",
+ "ecr:PutLifecyclePolicy",
 "s3:GetObject"
 ]
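Review bot: The `when:` on the put task compares the `lifecyclePolicyText` string returned by ECR against the slurped file byte-for-byte, and ECR does not promise to hand back the text exactly as submitted, so any difference in whitespace, key order or trailing newline makes the task re-put the policy and report changed on every build. Compare parsed documents and treat a missing policy explicitly instead of relying on an empty stdout, e.g. `when: build_result.rc == 0 and (existing_policy.rc != 0 or (existing_policy.stdout | from_json) != (desired_policy | from_json))`. `failed_when: false` on the get task also hides AccessDenied and credential errors, which then silently turn into an unconditional put; `failed_when: existing_policy.rc != 0 and 'LifecyclePolicyNotFoundException' not in existing_policy.stderr` keeps the "no policy yet" case working while surfacing everything else. Minor: `set_fact` is the only non-FQCN module among the new tasks; `ansible.builtin.set_fact` matches the rest of the file.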
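Review bot: `ecr:PutLifecyclePolicy` (and `ecr:GetLifecyclePolicy`) are being added to the ECS execution role's policy document, but nothing an execution role does at runtime (pulling images, reading configuration) needs to rewrite repository lifecycle policies; the put is performed from the build role and the deploy user, which this same commit grants separately. A principal that can put a lifecycle policy can expire every image in the repository, so this is an availability-affecting write permission on what the `"s3:GetObject"` context suggests is a read-only pull statement. Unless something that runs under this role is known to call put-lifecycle-policy, drop the two added lines from this statement. The statement's `resources` block is outside the hunk, so I cannot tell how widely the new actions are scoped.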
@@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" {
 }
+ statement {
+ actions = [
+ "ecr:GetLifecyclePolicy",
+ "ecr:PutLifecyclePolicy"
+ ]
+
+ resources = [
+ "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}",
+ "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*"
+ ]
+ }
+
 statement {
 actions = [
 "s3:ListBucket",
diff --git a/ansible/roles/create-ecr-build-role/vars/main.yml b/ansible/roles/create-ecr-build-role/vars/main.yml
index c40db5b1a..817fd7bb0 100644
--- a/ansible/roles/create-ecr-build-role/vars/main.yml
+++ b/ansible/roles/create-ecr-build-role/vars/main.yml
@@ -44,6 +44,7 @@ aws_ecs_policy:
 - "ecr:StartImageScan"
 - "ecr:StartLifecyclePolicyPreview"
 - "ecr:UploadLayerPart"
+ - "ecr:PutLifecyclePolicy"
 Resource: [
 "arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*"
 ]
diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
index 668c8cb0e..895f6d958 100644
--- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml
+++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
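Review bot: Only `ecr:PutLifecyclePolicy` is added to `aws_ecs_policy` here, but build-container.yml in this same commit runs `ecr get-lifecycle-policy` before the put; if those tasks execute under this build role (the role names suggest so), the get is denied, `failed_when: false` hides the denial, `existing_policy.stdout` comes back empty and the put runs on every build regardless of the comparison. Add `- "ecr:GetLifecyclePolicy"` next to the new line so the compare step can actually work. The `repository/{{ service_id }}_*` resource scope is appropriate for both actions; the deploy-user statement in iam.tf already grants the pair together.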
@@ -82,6 +82,30 @@
 register: tfapply
 when: not do_not_terraform
+ - name: Retag and promote ECS image (release pipelines only)
+ #when: pr_number is not defined or pr_number == ""
+ vars:
+ PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+ PROD_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+ IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
+ TAG: "{{ build_label }}"
+ NEW: "ecs-{{ build_label }}"
+ shell: |
+ aws ecr get-login-password --region eu-west-2 \
+ | docker login --username AWS --password-stdin {{ PTL_REG }}
+
+ docker pull {{ PTL_REG }}/{{ IMG }}:{{ TAG }}
+ docker tag {{ PTL_REG }}/{{ IMG }}:{{ TAG }} {{ PTL_REG }}/{{ IMG }}:{{ NEW }}
+ docker push {{ PTL_REG }}/{{ IMG }}:{{ NEW }}
+
+ aws ecr get-login-password --region eu-west-2 \
+ | docker login --username AWS --password-stdin {{ PROD_REG }}
+
+ docker tag {{ PTL_REG }}/{{ IMG }}:{{ NEW }} {{ PROD_REG }}/{{ IMG }}:{{ NEW }}
+ docker push {{ PROD_REG }}/{{ IMG }}:{{ NEW }}
+ args:
+ executable: /bin/bash
+
 rescue:
 - name: output plan
 debug:
diff --git a/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf b/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
index c01c869d5..9556883d4 100644
--- a/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
+++ b/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
@@ -49,7 +49,7 @@ locals {
 (
 container
 | combine(
-{'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':' + build_label }
+{'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':ecs-' + build_label }
 )
 )
 | to_json }},
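Review bot: The guard that makes this task "release pipelines only" is commented out (`#when: pr_number is not defined or pr_number == ""`), so as committed every PR deployment retags and pushes into the registry; restore the `when:` or rename the task to say what it does. The script has no `set -euo pipefail`, so a failed `docker login` or `docker pull` does not stop the following `docker tag`/`docker push` and only the last command's exit status reaches Ansible; `set -euo pipefail` as the first line of `shell: |` fixes both. `PROD_REG` is built from the same `PTL_ACCOUNT_ID` as `PTL_REG`, which makes the second login/tag/push a push of an identical tag to the same registry; if a separate production account is intended, this needs that account's id, and if not, the second half of the script is dead weight. `eu-west-2` is hard-coded in four places here while vars/main.yml in create-ecr-build-role uses `{{ aws_region }}`. Note also that this task sits after the `tfapply` step, while locals.tf in this commit makes the task definition reference `:ecs-{{ build_label }}`, a tag that on a fresh build does not exist until this task has run.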
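Review bot: Every container in the `ecs_service` list now gets the image `:ecs-<build_label>`, but the retag task added to deploy-ecs-proxies/tasks/main.yml in this commit only pushes an `ecs-` tag for `ecs_service[0].name`; a service with more than one container will reference a tag that was never created and its tasks will fail to pull. Either loop the retag over every container or keep this change in step with the single container it covers. An HCL comment above the templated expression (outside the `{{ ... }}` block, where `#` is safe) should record why the prefix exists, presumably so that `ecr_lifecycle.json` rule 1 (`tagPrefixList: ["ecs-"]`) protects deployed images from expiry. The enclosing `locals` block starts and ends outside the hunk.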