
Is there a way to exclude certain tags/images from a cleanup policy?

E.g. say I have a repository with images and the related SHAs for the Pull Request which triggered their creation. When these are approved for deployment to an environment the image is tagged with that environment's name, resulting in something like this:

+-----------------+---------------------------------------------------------+
| Image Tags      | Image URI                                               |
+---------------------------------------------------------------------------+
| sha923456       | 000000.dkr.ecr.eu-west-1.amazonaws.com/myrepo:sha923456 |
+-----------------+---------------------------------------------------------+
| sha823456, test | 000000.dkr.ecr.eu-west-1.amazonaws.com/myrepo:test      |
+-----------------+---------------------------------------------------------+
| sha723456       | 000000.dkr.ecr.eu-west-1.amazonaws.com/myrepo:sha723456 |
+-----------------+---------------------------------------------------------+
| sha623456, prod | 000000.dkr.ecr.eu-west-1.amazonaws.com/myrepo:prod      |
+-----------------+---------------------------------------------------------+
| sha523456       | 000000.dkr.ecr.eu-west-1.amazonaws.com/myrepo:sha523456 |
+-----------------+---------------------------------------------------------+

I want to ensure that what's currently deployed to any environment doesn't get deleted; so those images tagged test or prod should be kept. In addition, the SHA tags against their images should be kept.

Beyond that, I want to keep all images created in the last 90 days with an SHA tag.

I'm happy for anything untagged to be removed.

Applying the below rules almost works; only it seems that because there's a match on the sha tag, the prod and test images would be expired.

{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Remove untagged images",
      "selection": {
        "tagStatus": "untagged",
        "countType": "imageCountMoreThan",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 100,
      "description": "Purge non-deployed images over 90 days old",
      "selection": {
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 90,
        "tagStatus": "tagged",
        "tagPrefixList": [
          "sha"
        ]
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}

I can't find any documentation on adding a "NOT" rule, and trying an exclamation doesn't work.

    {
      "rulePriority": 100,
      "description": "Purge non-deployed images over 90 days old",
      "selection": {
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 90,
        "tagStatus": "tagged",
        "tagPrefixList": [
          "!test", "!prod"
        ]
      },
      "action": {
        "type": "expire"
      }
    }
JohnLBevan
  • Note: Looking at the `protected_tags` variable on https://github.com/cloudposse/terraform-aws-ecr/tree/d374970008f2109e9255c5597db0ba7bc4217e37 it seems the way to do this is to have a different policy impact the tags-of-interest first, only setting the expiration rule to something suitably high that nothing will ever meet that threshold. – JohnLBevan Aug 05 '20 at 13:06
  • This seems to be a good workaround, in case you haven't found it yet: https://stackoverflow.com/a/51391405/5257855 – fardin Feb 08 '21 at 15:43
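To make the rule interaction concrete, here is an added simulation (not ECR's code, and not from the question or comments) of how a lifecycle policy would evaluate the repository in the question under a simplified model: rules run in ascending rulePriority, and an image matched by one rule is not considered by later rules even if that rule took no action on it. It compares the question's two rules with the workaround described in the comments, a higher-priority rule matching the deployed tags whose threshold nothing ever reaches. Image ages, the two untagged images and the `img*` ids are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample repository mirroring the question's table plus two untagged
# images; push ages are made up for the demonstration.
NOW = datetime(2020, 8, 5, tzinfo=timezone.utc)
def img(id_, tags, age_days):
    return {"id": id_, "tags": tags, "pushed": NOW - timedelta(days=age_days)}
IMAGES = [img("img1", ["sha923456"], 5), img("img2", ["sha823456", "test"], 120),
          img("img3", ["sha723456"], 100), img("img4", ["sha623456", "prod"], 200),
          img("img5", ["sha523456"], 30), img("img6", [], 1), img("img7", [], 2)]

def matches(selection, image):
    # A "tagged" rule matches when ANY tag starts with ANY prefix in tagPrefixList.
    status = selection["tagStatus"]
    if status == "untagged":
        return not image["tags"]
    if status == "tagged":
        return any(t.startswith(p) for t in image["tags"]
                   for p in selection.get("tagPrefixList", []))
    return True  # tagStatus "any"

def evaluate(policy, images, now=NOW):
    """Return ids of the images the policy would expire. Model assumed here: rules
    run in ascending rulePriority, and an image matched by one rule is not seen by
    later rules even if that rule took no action on it."""
    remaining, expired = list(images), set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = [i for i in remaining if matches(sel, i)]
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            hits = [i for i in matched if i["pushed"] < cutoff]
        else:  # imageCountMoreThan: keep the newest countNumber, expire the rest
            hits = sorted(matched, key=lambda i: i["pushed"], reverse=True)[sel["countNumber"]:]
        expired.update(i["id"] for i in hits)
        remaining = [i for i in remaining if i not in matched]
    return expired

# The question's two rules, plus the workaround from the comments: a higher-priority
# rule matching the deployed tags with a threshold nothing ever reaches, so they are
# claimed before the purge rule sees them. (action is omitted; it is always "expire".)
UNTAGGED = {"rulePriority": 2, "selection": {"tagStatus": "untagged",
            "countType": "imageCountMoreThan", "countNumber": 1}}
PURGE = {"rulePriority": 100, "selection": {"tagStatus": "tagged", "tagPrefixList": ["sha"],
         "countType": "sinceImagePushed", "countUnit": "days", "countNumber": 90}}
PROTECT = {"rulePriority": 1, "selection": {"tagStatus": "tagged", "tagPrefixList": ["test", "prod"],
           "countType": "imageCountMoreThan", "countNumber": 999999}}
ORIGINAL = {"rules": [UNTAGGED, PURGE]}      # expires img2 (test) and img4 (prod) too
PROTECTED = {"rules": [PROTECT, UNTAGGED, PURGE]}  # expires only img3 and img7
```

Before applying a policy shaped like PROTECTED to a live repository, run ECR's lifecycle policy preview to confirm the real evaluation agrees with this model.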
