APM 6720 ecr lifecycle policy

ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json

@@ -0,0 +1,43 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Always keep the latest 500 ECS builds -AMEND NUMBER AFTER TEST",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 500
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Keep the latest 50 non‑ECS builds -AMEND NUMBER AFTER TEST",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPatternList": ["*"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 500
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 3,
+      "description": "Expire untagged images older than 3 days",
+      "selection": {
+        "tagStatus": "untagged",
+        "countType": "sinceImagePushed",
+        "countUnit": "days",
+        "countNumber": 3
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}

ansible/roles/build-ecs-proxies/tasks/build-container.yml

@@ -31,3 +31,29 @@
   ansible.builtin.command:
     cmd: "docker push {{ image_name }}"
   when: build_result.rc == 0
+
+- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }}
+  ansible.builtin.command: >
+    {{ aws_cmd }} ecr get-lifecycle-policy
+    --repository-name {{ service_id }}_{{ item }}
+    --query 'lifecyclePolicyText'
+    --output text
+  register: existing_policy
+  failed_when: false
+  changed_when: false
+
+- name: Read lifecycle policy from the local file
+  ansible.builtin.slurp:
+    src: "{{ role_path }}/files/ecr_lifecycle.json"
+  register: desired_policy_raw
+
+- name: Decode lifecycle policy file
+  set_fact:
+    desired_policy: "{{ desired_policy_raw.content | b64decode }}"
+
+- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different
+  ansible.builtin.command: >
+    {{ aws_cmd }} ecr put-lifecycle-policy
+    --repository-name {{ service_id }}_{{ item }}
+    --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
+  when: existing_policy.stdout != desired_policy and build_result.rc == 0

ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf

@@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" {
       "ecr:DescribeRepositories",
       "ecr:ListImages",
       "ecr:DescribeImages",
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy",
       "s3:GetObject"
     ]
 
@@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" {
 
   }
 
+  statement {
+    actions = [
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy"
+    ]
+
+    resources = [
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}",
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*"
+    ]
+  }
+
   statement {
     actions = [
       "s3:ListBucket",

ansible/roles/create-ecr-build-role/vars/main.yml

@@ -44,6 +44,7 @@ aws_ecs_policy:
         - "ecr:StartImageScan"
         - "ecr:StartLifecyclePolicyPreview"
         - "ecr:UploadLayerPart"
+        - "ecr:PutLifecyclePolicy"
       Resource: [
         "arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*"
       ]

ansible/roles/deploy-ecs-proxies/tasks/main.yml

@@ -82,6 +82,30 @@
       register: tfapply
       when: not do_not_terraform
 
+    - name: Retag and promote ECS image (release pipelines only)
+      #when: pr_number is not defined or pr_number == ""
+      vars:
+        PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+        PROD_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+        IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
+        TAG: "{{ build_label }}"
+        NEW: "ecs-{{ build_label }}"
+      shell: |
+        aws ecr get-login-password --region eu-west-2 \
+          | docker login --username AWS --password-stdin {{ PTL_REG }}
+
+        docker pull {{ PTL_REG }}/{{ IMG }}:{{ TAG }}
+        docker tag {{ PTL_REG }}/{{ IMG }}:{{ TAG }} {{ PTL_REG }}/{{ IMG }}:{{ NEW }}
+        docker push {{ PTL_REG }}/{{ IMG }}:{{ NEW }}
+
+        aws ecr get-login-password --region eu-west-2 \
+          | docker login --username AWS --password-stdin {{ PROD_REG }}
+
+        docker tag {{ PTL_REG }}/{{ IMG }}:{{ NEW }} {{ PROD_REG }}/{{ IMG }}:{{ NEW }}
+        docker push {{ PROD_REG }}/{{ IMG }}:{{ NEW }}
+      args:
+        executable: /bin/bash
+
   rescue:
     - name: output plan
       debug:

ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf

@@ -49,7 +49,7 @@ locals {
         (
           container
           | combine(
-            {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':' + build_label }
+            {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':ecs-' + build_label }
           )
         ) | to_json
     }},