From 63571d1eb04af4beb57b49ee78ca0405d407ea6f Mon Sep 17 00:00:00 2001
From: Ignacio Nin
Date: Thu, 26 May 2022 15:25:26 -0300
Subject: [PATCH 1/3] Set lifecycle rules

---
 .circleci/config.yml | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 5037682..ae78691 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -7,7 +7,7 @@ orbs:
 # https://circleci.com/orbs/registry/orb/circleci/aws-ecr
 # required environment variables:
 # https://circleci.com/docs/2.0/ecs-ecr/#configure-circleci-environment-variables
- aws-ecr: circleci/aws-ecr@6.15.3
+ aws-ecr: circleci/aws-ecr@8.1.2
 
 workflows:
 version: 2
@@ -32,6 +32,36 @@ workflows:
 tag: "latest,$CIRCLE_BRANCH,$CIRCLE_SHA1"
 # create the AWS ECR repo if it does not exist already.
 create-repo: true
+ lifecycle-policy-path: >
+ {
+ "rules": [
+ {
+ "rulePriority": 1,
+ "description": "Keep latest master image",
+ "selection": {
+ "tagStatus": "tagged",
+ "tagPrefixList": ["master", "main"],
+ "countType": "imageCountMoreThan",
+ "countNumber": 5
+ },
+ "action": {
+ "type": "expire"
+ }
+ },
+ {
+ "rulePriority": 2,
+ "description": "Expire all images older than 90 days.",
+ "selection": {
+ "countType": "sinceImagePushed",
+ "countNumber": 90,
+ "countUnit": "days"
+ },
+ "action": {
+ "type": "expire"
+ }
+ }
+ ]
+ }
 # provide the aws-ecr context (environment variables) to push docker_image into ecr.
 # https://circleci.com/docs/2.0/ecs-ecr/#configure-circleci-environment-variables
 context: aws-ecr
From 54a2357d0b99545d64dd5dbcd91f8db0020ab2e5 Mon Sep 17 00:00:00 2001
From: Ignacio Nin
Date: Thu, 26 May 2022 16:06:17 -0300
Subject: [PATCH 2/3] Set a comment

---
 .circleci/config.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index ae78691..fc43455 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
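Review bot: Rule 1's `"tagPrefixList": ["master", "main"]` reads as "master or main", but as far as I recall ECR treats several prefixes in one rule as a conjunction — an image is selected only if it carries a tag matching every listed prefix — so an image built from one branch would never be selected, and neither the count cap nor the protection from rule 2 would reach master/main images. Rule 2 also omits `tagStatus`, which ECR documents as required; if that holds, the policy is rejected at `put-lifecycle-policy`, and stating `"tagStatus": "any"` makes the intent explicit either way. One rule per prefix sidesteps the conjunction question entirely (sketch below). Style point: `|` would carry the JSON through verbatim, whereas the folded `>` scalar only keeps these newlines because the lines are more indented than the opening brace.
```yaml
lifecycle-policy-path: |
  {
    "rules": [
      {
        "rulePriority": 1,
        "description": "Cap images tagged with prefix master",
        "selection": {
          "tagStatus": "tagged",
          "tagPrefixList": ["master"],
          "countType": "imageCountMoreThan",
          "countNumber": 5
        },
        "action": { "type": "expire" }
      },
      {
        "rulePriority": 2,
        "description": "Cap images tagged with prefix main",
        "selection": {
          "tagStatus": "tagged",
          "tagPrefixList": ["main"],
          "countType": "imageCountMoreThan",
          "countNumber": 5
        },
        "action": { "type": "expire" }
      },
      {
        "rulePriority": 3,
        "description": "Expire all images older than 90 days.",
        "selection": {
          "tagStatus": "any",
          "countType": "sinceImagePushed",
          "countNumber": 90,
          "countUnit": "days"
        },
        "action": { "type": "expire" }
      }
    ]
  }
```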
@@ -32,6 +32,8 @@ workflows:
 tag: "latest,$CIRCLE_BRANCH,$CIRCLE_SHA1"
 # create the AWS ECR repo if it does not exist already.
 create-repo: true
+ # Set the lifecycle for the repo. Note that this setting expects
+ # an inline policy, even if it's named "-path".
 lifecycle-policy-path: >
 {
 "rules": [
From ff7c06af3f82756f8bd78a2b40e1c35e09d26e1c Mon Sep 17 00:00:00 2001
From: Ignacio Nin
Date: Thu, 26 May 2022 16:44:22 -0300
Subject: [PATCH 3/3] Guard master and main from ECR lifecycle rules

Avoid removing "master" and "main" tagged images to avoid removing a running image after aggressive master/main rebuilding. In order to glob all master and main images, add a composite tag for the branch and build number.

---
 .circleci/config.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index fc43455..09463cf 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -28,12 +28,17 @@ workflows:
 #
 # The AWS ECR repo name, example: remind101/acme-inc
 repo: "$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME"
- # tags for this image, comma separated.
- tag: "latest,$CIRCLE_BRANCH,$CIRCLE_SHA1"
+ # tags for this image, comma separated. A composite of branch+sha1 is
+ # added so the lifecycle rule (below) can filter images beginning
+ # with "master" or "main" to avoid applying aggressive rules.
+ tag: "latest,$CIRCLE_BRANCH,$CIRCLE_SHA1,$CIRCLE_BRANCH-$CIRCLE_BUILD_NUM"
 # create the AWS ECR repo if it does not exist already.
 create-repo: true
 # Set the lifecycle for the repo. Note that this setting expects
 # an inline policy, even if it's named "-path".
+ # The max count for master and main is set to 8,000, 80% of the}
+ # available space in the repo, in order to safeguard against removing
+ # running images after aggressive rebuilding of the master branch.
 lifecycle-policy-path: >
 {
 "rules": [
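Review bot: The added comment records an orb quirk — `lifecycle-policy-path` accepting inline JSON — without saying against which orb version that was established, so the next orb bump has nothing to re-check. Suggest extending the second line to `# an inline policy, even if it's named "-path" (verified with circleci/aws-ecr@8.1.2; re-check on orb upgrade).`, 8.1.2 being the version pinned earlier in this series.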
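Review bot: The new tag comment says "A composite of branch+sha1 is added", but the tag actually appended is `$CIRCLE_BRANCH-$CIRCLE_BUILD_NUM` (branch plus build number), and the lifecycle comment below it has a stray brace in `80% of the}`; suggest `# tags for this image, comma separated. A composite of branch+build-number is` and `# The max count for master and main is set to 8,000, 80% of the`. Because selection is by prefix, any branch whose name begins with `master` or `main` — `maintenance-42` carries the `main` prefix just as `main-42` does — would inherit the 8,000-image guard and escape the 90-day rule along with the real mainline images; prefixes `"master-"` and `"main-"` narrow this (the newest image always carries the composite tag as well as the bare branch tag), though a branch such as `master-hotfix` still slips through, and only a pattern-based selector such as `tagPatternList`, where the account's ECR supports it, closes that fully. The "80% of the available space" figure rests on a per-repository quota the config never states; naming the assumed limit in the comment would make 8,000 auditable when the quota changes.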
@@ -44,7 +49,7 @@ workflows:
 "tagStatus": "tagged",
 "tagPrefixList": ["master", "main"],
 "countType": "imageCountMoreThan",
- "countNumber": 5
+ "countNumber": 8000
 },
 "action": {
 "type": "expire"
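Review bot: Raising `countNumber` to 8000 leaves the rule's `description`, on the line just above this hunk, still reading "Keep latest master image", which no longer describes a rule retaining thousands of images; suggest `"description": "Keep up to 8000 master/main images"`. If ECR applies rules as I recall — an image selected by a higher-priority rule is not expired by a later one — master/main images are now exempt from the 90-day rule entirely and this count is the only bound on their storage; where the goal is only to protect what may still be running, a second rule scoped to the same prefixes with a generous `sinceImagePushed` age would keep the guard without retaining every build indefinitely.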