From 9378fe7aa3100d46d52f4c42ccd02dcaec229639 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Tue, 6 Jan 2026 17:29:07 +0000 Subject: [PATCH 01/22] APM 6720 ecr lifecycle policy --- .../tasks/build-container.yml | 8 +++++ ecr/ecr_lifecyle.json | 29 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 ecr/ecr_lifecyle.json diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 56be84bb0..018d5dce9 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -31,3 +31,11 @@ ansible.builtin.command: cmd: "docker push {{ image_name }}" when: build_result.rc == 0 + +- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} + ansible.builtin.command: + cmd: > + {{ aws_cmd }} ecr put-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --lifecycle-policy-text file://{{ base_dir }}/ecr/ecr_lifecycle.json + when: lifecycle_check.rc != 0 and build_result.rc == 0 \ No newline at end of file diff --git a/ecr/ecr_lifecyle.json b/ecr/ecr_lifecyle.json new file mode 100644 index 000000000..79971883d --- /dev/null +++ b/ecr/ecr_lifecyle.json @@ -0,0 +1,29 @@ +{ + "rules": [ + { + "rulePriority": 1, + "description": "Expire untagged images beyond the latest 3", + "selection": { + "tagStatus": "untagged", + "countType": "imageCountMoreThan", + "countNumber": 10 + }, + "action": { + "type": "expire" + } + }, + { + "rulePriority": 2, + "description": "Retain ECS-protected images", + "selection": { + "tagStatus": "tagged", + "tagPrefixList": ["ecs-"], + "countType": "imageCountMoreThan", + "countNumber": 9999 + }, + "action": { + "type": "retain" + } + } + ] +} From 88fa44cbcbdf7c2de5a038ae93ff888d02dc7d26 Mon Sep 17 00:00:00 2001 
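Review bot: The new task's `when: lifecycle_check.rc != 0` refers to a variable that nothing in this commit registers, so the play stops on an undefined variable until the `Check if lifecycle policy exists` task from patch 02 lands; register the check here or squash the two commits. The command also reads `file://{{ base_dir }}/ecr/ecr_lifecycle.json` while the file this patch creates is `ecr/ecr_lifecyle.json` (missing "c"), a mismatch that persists through the build-container hunks in patches 02 and 03 and is only resolved by the rename in patch 06. The task file also ends without a trailing newline.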
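Review bot: Rule 2's `"type": "retain"` is not a valid ECR lifecycle action — the API accepts only `expire` — so `put-lifecycle-policy` will reject this document as written. Protection for `ecs-` images has to come from rule ordering instead: as I read ECR's evaluation rules, an image matched by a higher-priority rule is not expired by a lower-priority one, so a selection with a count no repository will reach, placed at the lowest `rulePriority`, is the usual pattern (patch 02 moves in that direction). Rule 1's description says `beyond the latest 3` while `countNumber` is 10; align the text with the number.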
From: CLJ2006 Date: Fri, 9 Jan 2026 17:47:43 +0000 Subject: [PATCH 02/22] APM 6720 ecr lifecycle policy --- .../tasks/build-container.yml | 10 +++++- .../roles/deploy-ecs-proxies/tasks/main.yml | 35 +++++++++++++++++++ .../templates/terraform/locals.tf | 2 +- ecr/ecr_lifecyle.json | 27 ++++++++++---- 4 files changed, 65 insertions(+), 9 deletions(-) diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 018d5dce9..1314e2b96 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -32,10 +32,18 @@ cmd: "docker push {{ image_name }}" when: build_result.rc == 0 +- name: Check if lifecycle policy exists for {{ service_id }}_{{ item }} + ansible.builtin.command: > + {{ aws_cmd }} ecr get-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + register: lifecycle_check + failed_when: false + changed_when: false + - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} ansible.builtin.command: cmd: > {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} --lifecycle-policy-text file://{{ base_dir }}/ecr/ecr_lifecycle.json - when: lifecycle_check.rc != 0 and build_result.rc == 0 \ No newline at end of file + when: lifecycle_check.rc != 0 and build_result.rc == 0 diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml index 668c8cb0e..a72e962d8 100644 --- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml +++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml 
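Review bot: `when: lifecycle_check.rc != 0` treats every non-zero exit of `ecr get-lifecycle-policy` as "no policy exists" — an access-denied, throttling or network failure also yields rc != 0 and triggers a put with the same broken credentials, while `failed_when: false` hides the original error. Match the specific not-found case instead, e.g. `when: "'LifecyclePolicyNotFoundException' in lifecycle_check.stderr and build_result.rc == 0"`, and let any other failure surface. Note also that an existing but different policy is never updated by this condition; drift needs a content comparison, which patches 10 and 12 later introduce.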
@@ -82,6 +82,41 @@ register: tfapply when: not do_not_terraform + - name: "{{ item.env }} | Login and pull image" + vars: + REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com" + IMG: "{{ service_id }}_{{ ecs_service[0].name }}" + TAG: "{{ build_label }}" + shell: | + aws ecr get-login-password --region eu-west-2 \ + | docker login --username AWS --password-stdin {{ REG }} + + docker pull {{ REG }}/{{ IMG }}:{{ TAG }} + args: + executable: /bin/bash + loop: + - { env: "PTL", account: "{{ PTL_ACCOUNT_ID }}" } + - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" } + loop_control: + label: "{{ item.env }}" + + - name: "{{ item.env }} | Retag and push image" + vars: + REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com" + IMG: "{{ service_id }}_{{ ecs_service[0].name }}" + TAG: "{{ build_label }}" + NEW: "ecs-{{ build_label }}" + shell: | + docker tag {{ REG }}/{{ IMG }}:{{ TAG }} {{ REG }}/{{ IMG }}:{{ NEW }} + docker push {{ REG }}/{{ IMG }}:{{ NEW }} + args: + executable: /bin/bash + loop: + - { env: "PTL", account: "{{ PTL_ACCOUNT_ID }}" } + - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" } + loop_control: + label: "{{ item.env }}" + rescue: - name: output plan debug: diff --git a/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf b/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf index c01c869d5..9556883d4 100644 --- a/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf +++ b/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf @@ -49,7 +49,7 @@ locals { ( container | combine( - {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':' + build_label } + {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':ecs-' + build_label } ) ) | to_json }}, diff --git a/ecr/ecr_lifecyle.json b/ecr/ecr_lifecyle.json index 79971883d..39f3c60d2 100644 --- a/ecr/ecr_lifecyle.json +++ b/ecr/ecr_lifecyle.json 
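Review bot: Both `shell: |` blocks run without `set -euo pipefail`, so the task result is the exit status of the last command only — a failed `docker login` is not reported if the following `docker pull` succeeds on cached credentials, and a failure of `aws ecr get-login-password` only surfaces indirectly through the pipe. Add `set -euo pipefail` as the first line of each script. The tasks also run on every deploy with no release condition and push the retagged `ecs-` image into the PROD account as well as PTL; a gate on a positive release signal belongs here (patch 09 adds one keyed on `pr_number`). The enclosing `block:` starts outside the hunk; only its `rescue:` is visible.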
@@ -2,11 +2,12 @@ "rules": [ { "rulePriority": 1, - "description": "Expire untagged images beyond the latest 3", + "description": "Keep the latest 2 ECS release builds", "selection": { - "tagStatus": "untagged", + "tagStatus": "tagged", + "tagPrefixList": ["ecs-"], "countType": "imageCountMoreThan", - "countNumber": 10 + "countNumber": 2 }, "action": { "type": "expire" @@ -14,15 +15,27 @@ }, { "rulePriority": 2, - "description": "Retain ECS-protected images", + "description": "Keep the latest 2 PR builds", "selection": { "tagStatus": "tagged", - "tagPrefixList": ["ecs-"], + "tagPrefixList": [""], + "countType": "imageCountMoreThan", + "countNumber": 2 + }, + "action": { + "type": "expire" + } + }, + { + "rulePriority": 3, + "description": "Delete ALL untagged images", + "selection": { + "tagStatus": "untagged", "countType": "imageCountMoreThan", - "countNumber": 9999 + "countNumber": 0 }, "action": { - "type": "retain" + "type": "expire" } } ] From e753c09879a8434670cca44f221881e47137a514 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Tue, 13 Jan 2026 15:03:11 +0000 Subject: [PATCH 03/22] file location update --- .../build-ecs-proxies/files}/ecr_lifecyle.json | 17 +++++++++-------- .../build-ecs-proxies/tasks/build-container.yml | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) rename {ecr => ansible/roles/build-ecs-proxies/files}/ecr_lifecyle.json (58%) diff --git a/ecr/ecr_lifecyle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json similarity index 58% rename from ecr/ecr_lifecyle.json rename to ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json index 39f3c60d2..58a08f455 100644 --- a/ecr/ecr_lifecyle.json +++ b/ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json 
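Review bot: Rule 1 expires every `ecs-` tagged image beyond the two most recent, while the locals.tf hunk in this same commit makes task definitions reference `ecs-<build_label>`; a rollback to any release older than the previous one would then point at an image that no longer exists. Retention for deployment tags should be sized to the rollback window rather than 2 (patch 03 raises it to 500 with an `AMEND NUMBER AFTER TEST` marker, so the intended value is still open). Rule 2's `tagPrefixList: [""]` matches every tagged image, including `ecs-` ones, and only acts as an "everything else" bucket because rule 1 has higher priority; that dependency is worth stating in the description.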
@@ -2,12 +2,12 @@ "rules": [ { "rulePriority": 1, - "description": "Keep the latest 2 ECS release builds", + "description": "Always keep the latest 500 ECS builds -AMEND NUMBER AFTER TEST", "selection": { "tagStatus": "tagged", "tagPrefixList": ["ecs-"], "countType": "imageCountMoreThan", - "countNumber": 2 + "countNumber": 500 }, "action": { "type": "expire" @@ -15,12 +15,12 @@ }, { "rulePriority": 2, - "description": "Keep the latest 2 PR builds", + "description": "Keep the latest 50 non‑ECS builds -AMEND NUMBER AFTER TEST", "selection": { "tagStatus": "tagged", - "tagPrefixList": [""], + "tagPatternList": ["*"], "countType": "imageCountMoreThan", - "countNumber": 2 + "countNumber": 500 }, "action": { "type": "expire" @@ -28,11 +28,12 @@ }, { "rulePriority": 3, - "description": "Delete ALL untagged images", + "description": "Expire untagged images older than 3 days", "selection": { "tagStatus": "untagged", - "countType": "imageCountMoreThan", - "countNumber": 0 + "countType": "sinceImagePushed", + "countUnit": "days", + "countNumber": 3 }, "action": { "type": "expire" diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 1314e2b96..c3e00a836 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -45,5 +45,5 @@ cmd: > {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ base_dir }}/ecr/ecr_lifecycle.json + --lifecycle-policy-text file://{{ base_dir }}/files/ecr_lifecycle.json when: lifecycle_check.rc != 0 and build_result.rc == 0 From cd2c70518858d24fae14e625cf5af0524e4bd1b8 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Tue, 13 Jan 2026 15:57:21 +0000 Subject: [PATCH 04/22] file location update --- ansible/roles/build-ecs-proxies/tasks/build-container.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
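Review bot: Rule 2's description says `Keep the latest 50 non‑ECS builds` but `countNumber` is 500, and both descriptions carry an `-AMEND NUMBER AFTER TEST` placeholder that should not ship; the same description/number disagreement recurs in patch 12's hunks (`10 most recent` and `5 most recent` against `countNumber: 800`). The word `non‑ECS` uses a non-ASCII hyphen character rather than `-`, which will surprise anyone grepping the policy. Rule 2 also switches to `tagPatternList: ["*"]` while rule 1 keeps `tagPrefixList`; one selector style per policy reads better.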
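Review bot: The policy path becomes `file://{{ base_dir }}/files/ecr_lifecycle.json`, but this commit moves the file to `ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json`; `base_dir` is not the role directory, and the filename still lacks the "c". Use the role-relative path, `--lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json` (as patch 04 does), and rename the file (as patch 06 does). Folding both follow-ups into this commit would keep every intermediate state runnable.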
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index c3e00a836..03590a1fa 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -45,5 +45,11 @@ cmd: > {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ base_dir }}/files/ecr_lifecycle.json + --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json when: lifecycle_check.rc != 0 and build_result.rc == 0 + +- debug: + msg: "ROLE PATH = {{ role_path }}" +- debug: + msg: "BASE DIR = {{ base_dir }}" + From a2978eb55d33df01b05b02dad14132a9203e1edd Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Tue, 13 Jan 2026 16:24:22 +0000 Subject: [PATCH 05/22] file location update --- .../tasks/build-container.yml | 21 +++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 03590a1fa..0b2991ab0 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -40,6 +40,21 @@ failed_when: false changed_when: false +- debug: + msg: + - "ROLE PATH = {{ role_path }}" + - "BASE DIR = {{ base_dir }}" + - "PWD = {{ lookup('env','PWD') }}" + +- name: List contents of the role directory + ansible.builtin.command: "ls -R {{ role_path }}" + register: ls_role + changed_when: false + failed_when: false + +- debug: + var: ls_role.stdout_lines + - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} ansible.builtin.command: cmd: 
> @@ -47,9 +62,3 @@ --repository-name {{ service_id }}_{{ item }} --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json when: lifecycle_check.rc != 0 and build_result.rc == 0 - -- debug: - msg: "ROLE PATH = {{ role_path }}" -- debug: - msg: "BASE DIR = {{ base_dir }}" - From 5df07cc0765c2912df8cacdf8f5c75e94c9e48b3 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Tue, 13 Jan 2026 16:58:37 +0000 Subject: [PATCH 06/22] filename corrected --- .../{ecr_lifecyle.json => ecr_lifecycle.json} | 0 .../build-ecs-proxies/tasks/build-container.yml | 15 --------------- 2 files changed, 15 deletions(-) rename ansible/roles/build-ecs-proxies/files/{ecr_lifecyle.json => ecr_lifecycle.json} (100%) diff --git a/ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json similarity index 100% rename from ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json rename to ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 0b2991ab0..079f23b80 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -40,21 +40,6 @@ failed_when: false changed_when: false -- debug: - msg: - - "ROLE PATH = {{ role_path }}" - - "BASE DIR = {{ base_dir }}" - - "PWD = {{ lookup('env','PWD') }}" - -- name: List contents of the role directory - ansible.builtin.command: "ls -R {{ role_path }}" - register: ls_role - changed_when: false - failed_when: false - -- debug: - var: ls_role.stdout_lines - - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} ansible.builtin.command: cmd: > From ddefb2f0ffc1fd22881da3f39b75b625fc946903 Mon Sep 17 00:00:00 2001 
From: CLJ2006 Date: Tue, 13 Jan 2026 17:46:42 +0000 Subject: [PATCH 07/22] updating iam permissions --- .../templates/terraform/iam.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf index 29eb55a3e..775b01a11 100644 --- a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf +++ b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf @@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" { "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", + "ecr:GetLifecyclePolicy", + "ecr:PutLifecyclePolicy", "s3:GetObject" ] @@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" { } + statement { + actions = [ + "ecr:GetLifecyclePolicy", + "ecr:PutLifecyclePolicy" + ] + + resources = [ + "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}", + "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*" + ] + } + statement { actions = [ "s3:ListBucket", From 53e4fb543450ff8d5c522d317a79fac6e600a556 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Wed, 14 Jan 2026 10:21:59 +0000 Subject: [PATCH 08/22] ecr policy put permissions --- ansible/roles/create-ecr-build-role/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/create-ecr-build-role/vars/main.yml b/ansible/roles/create-ecr-build-role/vars/main.yml index c40db5b1a..817fd7bb0 100644 --- a/ansible/roles/create-ecr-build-role/vars/main.yml +++ b/ansible/roles/create-ecr-build-role/vars/main.yml @@ -44,6 +44,7 @@ aws_ecs_policy: - "ecr:StartImageScan" - "ecr:StartLifecyclePolicyPreview" - "ecr:UploadLayerPart" + - "ecr:PutLifecyclePolicy" Resource: [ "arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*" ] From cbd0df6b4cef94d1b9324cfd7b77ddfaa10d77d5 Mon Sep 17 00:00:00 2001 
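Review bot: Adding `ecr:GetLifecyclePolicy` and `ecr:PutLifecyclePolicy` to `data "aws_iam_policy_document" "ecs-execution-role"` gives the ECS task execution role — the identity the ECS agent uses to pull images at task start — the ability to rewrite repository lifecycle policies, which it never needs; a policy that expires everything is effectively a delete-all for the repository. Keep the two actions on the `deploy-user` statement only, where this commit already scopes them to `repository/${var.service_id}` and `repository/${var.service_id}_*`, and drop them from the execution role. The execution-role statement's `resources` block is outside the hunk, so how broadly that grant is scoped is not visible here.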
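Review bot: The build role gains `ecr:PutLifecyclePolicy` on `repository/{{ service_id }}_*`, so a compromised or misconfigured build job can now install a policy that expires every image in the service's repositories, including promoted `ecs-` release images. If the build pipeline must touch the policy, consider a tighter shape such as the already-granted `ecr:StartLifecyclePolicyPreview` as a dry-run with a review step, or move policy management to the deploy identity that patch 07 authorises. The build task from patch 02 also calls `ecr get-lifecycle-policy`; whether `ecr:GetLifecyclePolicy` is already in this list is not visible in the hunk.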
From: CLJ2006 Date: Wed, 14 Jan 2026 12:54:36 +0000 Subject: [PATCH 09/22] tagging ecs --- .../roles/deploy-ecs-proxies/tasks/main.yml | 41 +++++++------------ 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml index a72e962d8..f70aa3456 100644 --- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml +++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml 
@@ -82,40 +82,29 @@ register: tfapply when: not do_not_terraform - - name: "{{ item.env }} | Login and pull image" + - name: Retag and promote ECS image (release pipelines only) + when: pr_number is not defined or pr_number == "" vars: - REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com" + PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" + PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" IMG: "{{ service_id }}_{{ ecs_service[0].name }}" TAG: "{{ build_label }}" + NEW: "ecs-{{ build_label }}" shell: | aws ecr get-login-password --region eu-west-2 \ - | docker login --username AWS --password-stdin {{ REG }} + | docker login --username AWS --password-stdin {{ PTL_REG }} - docker pull {{ REG }}/{{ IMG }}:{{ TAG }} - args: - executable: /bin/bash - loop: - - { env: "PTL", account: "{{ PTL_ACCOUNT_ID }}" } - - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" } - loop_control: - label: "{{ item.env }}" - - - name: "{{ item.env }} | Retag and push image" - vars: - REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com" - IMG: "{{ service_id }}_{{ ecs_service[0].name }}" - TAG: "{{ build_label }}" - NEW: "ecs-{{ build_label }}" - shell: | - docker tag {{ REG }}/{{ IMG }}:{{ TAG }} {{ REG }}/{{ IMG }}:{{ NEW }} - docker push {{ REG }}/{{ IMG }}:{{ NEW }} + docker pull {{ PTL_REG }}/{{ IMG }}:{{ TAG }} + docker tag {{ PTL_REG }}/{{ IMG }}:{{ TAG }} {{ PTL_REG }}/{{ IMG }}:{{ NEW }} + docker push {{ PTL_REG }}/{{ IMG }}:{{ NEW }} + + aws ecr get-login-password --region eu-west-2 \ + | docker login --username AWS --password-stdin {{ PROD_REG }} + + docker tag {{ PTL_REG }}/{{ IMG }}:{{ NEW }} {{ PROD_REG }}/{{ IMG }}:{{ NEW }} + docker push {{ PROD_REG }}/{{ IMG }}:{{ NEW }} args: executable: /bin/bash - loop: - - { env: "PTL", account: "{{ PTL_ACCOUNT_ID }}" } - - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" } - loop_control: - label: "{{ item.env }}" rescue: - name: output plan 
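Review bot: The promotion gate `when: pr_number is not defined or pr_number == ""` fails open — any run where the variable is simply missing (a renamed extra-var, a new pipeline that never sets it) retags and pushes into the PROD registry. Production promotion should require a positive signal, e.g. `when: RELEASE_RELEASEID is defined and RELEASE_RELEASEID != ""`, the condition patch 12 later sketches in `deploy-ecs-proxies.yml`. The combined `shell: |` still runs without `set -euo pipefail`, so a failed PTL login or pull does not stop the later PROD tag and push commands; add it as the first line. The enclosing `block:` starts outside the hunk.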
From dd037bfbde47ee998d878054d3853504ab5da7b4 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Wed, 14 Jan 2026 17:01:31 +0000 Subject: [PATCH 10/22] lifecycle policy --- .../tasks/build-container.yml | 28 +++++++++++++------ .../roles/deploy-ecs-proxies/tasks/main.yml | 2 +- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 079f23b80..4977c58c5 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml 
@@ -32,18 +32,28 @@ cmd: "docker push {{ image_name }}" when: build_result.rc == 0 -- name: Check if lifecycle policy exists for {{ service_id }}_{{ item }} +- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} ansible.builtin.command: > {{ aws_cmd }} ecr get-lifecycle-policy --repository-name {{ service_id }}_{{ item }} - register: lifecycle_check + --query 'lifecyclePolicyText' + --output text + register: existing_policy failed_when: false changed_when: false -- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} - ansible.builtin.command: - cmd: > - {{ aws_cmd }} ecr put-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json - when: lifecycle_check.rc != 0 and build_result.rc == 0 +- name: Read lifecycle policy from the local file + ansible.builtin.slurp: + src: "{{ role_path }}/files/ecr_lifecycle.json" + register: desired_policy_raw + +- name: Decode lifecycle policy file + set_fact: + desired_policy: "{{ desired_policy_raw.content | b64decode }}" + +- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different + ansible.builtin.command: > + {{ aws_cmd }} ecr put-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json + when: existing_policy.stdout != desired_policy and build_result.rc == 0 \ No newline at end of file diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml index f70aa3456..6413cf0ed 100644 --- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml +++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml 
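Review bot: `when: existing_policy.stdout != desired_policy` compares the CLI's `--output text` rendering of `lifecyclePolicyText` with the pretty-printed file as raw strings; ECR is not guaranteed to return the exact bytes that were sent and `--output text` adds its own formatting, so whitespace and key-order differences make the two unequal on every run and the put is never idempotent. Parse both sides and compare structures, `when: ((existing_policy.stdout or '{}') | from_json) != (desired_policy | from_json) and build_result.rc == 0` — the direction patch 12's `ecr-lifecycle-policy` role takes. The file again ends without a trailing newline.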
@@ -83,7 +83,7 @@ when: not do_not_terraform - name: Retag and promote ECS image (release pipelines only) - when: pr_number is not defined or pr_number == "" + #when: pr_number is not defined or pr_number == "" vars: PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" From 7bd107aa91062fcfdc872e938bcfde604c403b5c Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Wed, 14 Jan 2026 17:33:16 +0000 Subject: [PATCH 11/22] test ecr lifecycle policy --- ansible/roles/deploy-ecs-proxies/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml index 6413cf0ed..895f6d958 100644 --- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml +++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml @@ -86,7 +86,7 @@ #when: pr_number is not defined or pr_number == "" vars: PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" - PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" + PROD_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" IMG: "{{ service_id }}_{{ ecs_service[0].name }}" TAG: "{{ build_label }}" NEW: "ecs-{{ build_label }}" From 22da7b3ef341ff61ac9e32176ca8407f67629a4b Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Thu, 15 Jan 2026 14:52:39 +0000 Subject: [PATCH 12/22] ecr lifecycle policy updates --- ansible/build-ecs-proxies.yml | 3 +- ansible/deploy-ecs-proxies.yml | 5 +- .../files/ecr_lifecycle.json | 20 ++++---- .../tasks/build-container.yml | 50 +++++++++---------- .../roles/deploy-ecs-proxies/tasks/main.yml | 4 +- .../tasks/files/ecr_lifecycle.json | 43 ++++++++++++++++ .../roles/ecr-lifecycle-policy/tasks/main.yml | 32 ++++++++++++ 7 files changed, 118 insertions(+), 39 deletions(-) create mode 100644 ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json create mode 100644 ansible/roles/ecr-lifecycle-policy/tasks/main.yml 
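Review bot: Commenting out `when: pr_number is not defined or pr_number == ""` removes the only condition between a PR pipeline and a push into the PROD ECR registry, and patch 11 (anchored on the same line) then points `PROD_REG` at `PTL_ACCOUNT_ID`; both are test edits that patch 12 reverts, but each intermediate commit is deployable state on the branch. Test overrides of this kind belong in `-e` extra-vars or a dedicated variable rather than edits to the gate itself, so the safe default survives in source.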
diff --git a/ansible/build-ecs-proxies.yml b/ansible/build-ecs-proxies.yml index 3bcefdd8a..00da7c53a 100644 --- a/ansible/build-ecs-proxies.yml +++ b/ansible/build-ecs-proxies.yml @@ -20,4 +20,5 @@ roles: - setup-facts - - build-ecs-proxies \ No newline at end of file + - build-ecs-proxies + - ecr-lifecycle-policy \ No newline at end of file diff --git a/ansible/deploy-ecs-proxies.yml b/ansible/deploy-ecs-proxies.yml index 43a54df26..a18c3fd64 100644 --- a/ansible/deploy-ecs-proxies.yml +++ b/ansible/deploy-ecs-proxies.yml @@ -45,4 +45,7 @@ roles: - setup-facts - - deploy-ecs-proxies \ No newline at end of file + - deploy-ecs-proxies + + # - role: ecr-lifecycle-policy + # when: RELEASE_RELEASEID is defined and RELEASE_RELEASEID != "" \ No newline at end of file diff --git a/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json index 58a08f455..fb969878a 100644 --- a/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json +++ b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json @@ -2,12 +2,12 @@ "rules": [ { "rulePriority": 1, - "description": "Always keep the latest 500 ECS builds -AMEND NUMBER AFTER TEST", + "description": "Keep the 10 most recent ECS deployment images - AMEND NUMBER AFTER TEST", "selection": { "tagStatus": "tagged", "tagPrefixList": ["ecs-"], "countType": "imageCountMoreThan", - "countNumber": 500 + "countNumber": 800 }, "action": { "type": "expire" @@ -15,12 +15,12 @@ }, { "rulePriority": 2, - "description": "Keep the latest 50 non‑ECS builds -AMEND NUMBER AFTER TEST", + "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST", "selection": { "tagStatus": "tagged", - "tagPatternList": ["*"], + "tagPrefixList": [""], "countType": "imageCountMoreThan", - "countNumber": 500 + "countNumber": 800 }, "action": { "type": "expire" 
@@ -28,12 +28,12 @@ }, { "rulePriority": 3, - "description": "Expire untagged images older than 3 days", + "description": "Never expire the 'latest' tag", "selection": { - "tagStatus": "untagged", - "countType": "sinceImagePushed", - "countUnit": "days", - "countNumber": 3 + "tagStatus": "tagged", + "tagPrefixList": ["latest"], + "countType": "imageCountMoreThan", + "countNumber": 9999 }, "action": { "type": "expire" diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 4977c58c5..4c6ee79af 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml 
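Review bot: Rule 3 (`Never expire the 'latest' tag`) cannot do what its description says: as I read ECR's evaluation order, an image is claimed by the lowest-numbered rule whose selection matches it, and rule 2's `tagPrefixList: [""]` matches every tagged image, so `latest` is governed by rule 2's `imageCountMoreThan: 800` before rule 3 is reached. Give the protection rule `"rulePriority": 1` and renumber the other two so the exclusion is evaluated first. The identical copy added under `ecr-lifecycle-policy/tasks/files/` later in this commit has the same ordering.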
@@ -32,28 +32,28 @@ cmd: "docker push {{ image_name }}" when: build_result.rc == 0 -- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} - ansible.builtin.command: > - {{ aws_cmd }} ecr get-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --query 'lifecyclePolicyText' - --output text - register: existing_policy - failed_when: false - changed_when: false - -- name: Read lifecycle policy from the local file - ansible.builtin.slurp: - src: "{{ role_path }}/files/ecr_lifecycle.json" - register: desired_policy_raw - -- name: Decode lifecycle policy file - set_fact: - desired_policy: "{{ desired_policy_raw.content | b64decode }}" - -- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different - ansible.builtin.command: > - {{ aws_cmd }} ecr put-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json - when: existing_policy.stdout != desired_policy and build_result.rc == 0 \ No newline at end of file +# - name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} +# ansible.builtin.command: > +# {{ aws_cmd }} ecr get-lifecycle-policy +# --repository-name {{ service_id }}_{{ item }} +# --query 'lifecyclePolicyText' +# --output text +# register: existing_policy +# failed_when: false +# changed_when: false + +# - name: Read lifecycle policy from the local file +# ansible.builtin.slurp: +# src: "{{ role_path }}/files/ecr_lifecycle.json" +# register: desired_policy_raw + +# - name: Decode lifecycle policy file +# set_fact: +# desired_policy: "{{ desired_policy_raw.content | b64decode }}" + +# - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different +# ansible.builtin.command: > +# {{ aws_cmd }} ecr put-lifecycle-policy +# --repository-name {{ service_id }}_{{ item }} +# --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json +# when: existing_policy.stdout != desired_policy and 
build_result.rc == 0 \ No newline at end of file diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml index 895f6d958..f70aa3456 100644 --- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml +++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml @@ -83,10 +83,10 @@ when: not do_not_terraform - name: Retag and promote ECS image (release pipelines only) - #when: pr_number is not defined or pr_number == "" + when: pr_number is not defined or pr_number == "" vars: PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" - PROD_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" + PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com" IMG: "{{ service_id }}_{{ ecs_service[0].name }}" TAG: "{{ build_label }}" NEW: "ecs-{{ build_label }}" diff --git a/ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json b/ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json new file mode 100644 index 000000000..fb969878a --- /dev/null +++ b/ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json @@ -0,0 +1,43 @@ +{ + "rules": [ + { + "rulePriority": 1, + "description": "Keep the 10 most recent ECS deployment images - AMEND NUMBER AFTER TEST", + "selection": { + "tagStatus": "tagged", + "tagPrefixList": ["ecs-"], + "countType": "imageCountMoreThan", + "countNumber": 800 + }, + "action": { + "type": "expire" + } + }, + { + "rulePriority": 2, + "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST", + "selection": { + "tagStatus": "tagged", + "tagPrefixList": [""], + "countType": "imageCountMoreThan", + "countNumber": 800 + }, + "action": { + "type": "expire" + } + }, + { + "rulePriority": 3, + "description": "Never expire the 'latest' tag", + "selection": { + "tagStatus": "tagged", + "tagPrefixList": ["latest"], + "countType": "imageCountMoreThan", + "countNumber": 9999 + }, + "action": { + "type": "expire" + } + } + ] +} 
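Review bot: This file is created at `ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json`, but the role's tasks in the next hunk slurp and reference `{{ role_path }}/files/ecr_lifecycle.json`, which resolves to `roles/ecr-lifecycle-policy/files/`; as committed the slurp fails on a missing file. Move it up one level into the role's `files/` directory. It is also a byte-identical copy (same blob `fb969878a`) of `build-ecs-proxies/files/ecr_lifecycle.json`, so the two will drift; keep a single source and reference it from both roles, or remove the build-role copy once this role owns the policy.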
diff --git a/ansible/roles/ecr-lifecycle-policy/tasks/main.yml b/ansible/roles/ecr-lifecycle-policy/tasks/main.yml new file mode 100644 index 000000000..cf50008f2 --- /dev/null +++ b/ansible/roles/ecr-lifecycle-policy/tasks/main.yml @@ -0,0 +1,32 @@ +- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} + ansible.builtin.command: > + {{ aws_cmd }} ecr get-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --query 'lifecyclePolicyText' + --output text + register: existing_policy_raw + failed_when: false + changed_when: false + +- name: Parse existing lifecycle policy JSON + set_fact: + existing_policy_json: "{{ existing_policy_raw.stdout | default('{}') | from_json }}" + when: existing_policy_raw.stdout != "" + +- name: Read lifecycle policy from the local file + ansible.builtin.slurp: + src: "{{ role_path }}/files/ecr_lifecycle.json" + register: desired_policy_raw + +- name: Decode lifecycle policy file + set_fact: + desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}" + +- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different + ansible.builtin.command: > + {{ aws_cmd }} ecr put-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json + when: + - existing_policy_json != desired_policy_json + - env != "prod" or prod_lifecycle_update_allowed From 8098301a02922d5ceb13319abda553143a19b95e Mon Sep 17 00:00:00 2001 
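Review bot: `existing_policy_json` is only set when `existing_policy_raw.stdout != ""`, yet the final task's `when:` reads it unconditionally, so a repository with no policy yet — the primary case this role exists for — or a `get-lifecycle-policy` failure masked by `failed_when: false` ends in an undefined-variable error rather than a put. Set it always and drop the `when:`, e.g. `existing_policy_json: "{{ ((existing_policy_raw.stdout | default('')) or '{}') | from_json }}"`. The tasks also use `{{ item }}`, but the role is listed plainly under `roles:` in `build-ecs-proxies.yml` in this commit, so `item` is undefined unless the role is invoked inside a loop; the same pattern in `build-container.yml` presumably relies on an enclosing loop this role does not have. The guard `env != "prod" or prod_lifecycle_update_allowed` is a sensible production gate, but the variable's default is not visible here; confirm it is defined as `false` so the expression fails closed instead of erroring.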
From: CLJ2006 Date: Thu, 15 Jan 2026 15:45:31 +0000 Subject: [PATCH 13/22] ecr lifecycle policy updates --- ansible/build-ecs-proxies.yml | 3 +- ansible/deploy-ecs-proxies.yml | 5 +- .../tasks/build-container.yml | 57 +++++++++++-------- .../roles/ecr-lifecycle-policy/tasks/main.yml | 32 ----------- .../ecr_lifecycle.json | 0 5 files changed, 34 insertions(+), 63 deletions(-) delete mode 100644 ansible/roles/ecr-lifecycle-policy/tasks/main.yml rename {ansible/roles/ecr-lifecycle-policy/tasks/files => ecr-lifecycle}/ecr_lifecycle.json (100%) diff --git a/ansible/build-ecs-proxies.yml b/ansible/build-ecs-proxies.yml index 00da7c53a..3bcefdd8a 100644 --- a/ansible/build-ecs-proxies.yml +++ b/ansible/build-ecs-proxies.yml @@ -20,5 +20,4 @@ roles: - setup-facts - - build-ecs-proxies - - ecr-lifecycle-policy \ No newline at end of file + - build-ecs-proxies \ No newline at end of file diff --git a/ansible/deploy-ecs-proxies.yml b/ansible/deploy-ecs-proxies.yml index a18c3fd64..43a54df26 100644 --- a/ansible/deploy-ecs-proxies.yml +++ b/ansible/deploy-ecs-proxies.yml @@ -45,7 +45,4 @@ roles: - setup-facts - - deploy-ecs-proxies - - # - role: ecr-lifecycle-policy - # when: RELEASE_RELEASEID is defined and RELEASE_RELEASEID != "" \ No newline at end of file + - deploy-ecs-proxies \ No newline at end of file diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 4c6ee79af..cbba0ca4d 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml 
@@ -32,28 +32,35 @@ cmd: "docker push {{ image_name }}" when: build_result.rc == 0 -# - name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} -# ansible.builtin.command: > -# {{ aws_cmd }} ecr get-lifecycle-policy -# --repository-name {{ service_id }}_{{ item }} -# --query 'lifecyclePolicyText' -# --output text -# register: existing_policy -# failed_when: false -# changed_when: false - -# - name: Read lifecycle policy from the local file -# ansible.builtin.slurp: -# src: "{{ role_path }}/files/ecr_lifecycle.json" -# register: desired_policy_raw - -# - name: Decode lifecycle policy file -# set_fact: -# desired_policy: "{{ desired_policy_raw.content | b64decode }}" - -# - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different -# ansible.builtin.command: > -# {{ aws_cmd }} ecr put-lifecycle-policy -# --repository-name {{ service_id }}_{{ item }} -# --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json -# when: existing_policy.stdout != desired_policy and build_result.rc == 0 \ No newline at end of file +- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} + ansible.builtin.command: > + {{ aws_cmd }} ecr get-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --query 'lifecyclePolicyText' + --output text + register: existing_policy_raw + failed_when: false + changed_when: false + +- name: Parse existing lifecycle policy JSON + set_fact: + existing_policy_json: "{{ existing_policy_raw.stdout | default('{}') | from_json }}" + when: existing_policy_raw.stdout != "" + +- name: Read lifecycle policy from the local file + ansible.builtin.slurp: + src: "{{ role_path }}/files/ecr_lifecycle.json" + register: desired_policy_raw + +- name: Decode lifecycle policy file + set_fact: + desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}" + +- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different + ansible.builtin.command: > + {{ aws_cmd }} 
ecr put-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --lifecycle-policy-text file://{{ playbook_dir }}/../../common/a-management-utils-3/ecr-lifecycle/ecr_lifecycle.json + when: + - existing_policy_json != desired_policy_json + - env != "prod" or prod_lifecycle_update_allowed diff --git a/ansible/roles/ecr-lifecycle-policy/tasks/main.yml b/ansible/roles/ecr-lifecycle-policy/tasks/main.yml deleted file mode 100644 index cf50008f2..000000000 --- a/ansible/roles/ecr-lifecycle-policy/tasks/main.yml +++ /dev/null @@ -1,32 +0,0 @@ -- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} - ansible.builtin.command: > - {{ aws_cmd }} ecr get-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --query 'lifecyclePolicyText' - --output text - register: existing_policy_raw - failed_when: false - changed_when: false - -- name: Parse existing lifecycle policy JSON - set_fact: - existing_policy_json: "{{ existing_policy_raw.stdout | default('{}') | from_json }}" - when: existing_policy_raw.stdout != "" - -- name: Read lifecycle policy from the local file - ansible.builtin.slurp: - src: "{{ role_path }}/files/ecr_lifecycle.json" - register: desired_policy_raw - -- name: Decode lifecycle policy file - set_fact: - desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}" - -- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different - ansible.builtin.command: > - {{ aws_cmd }} ecr put-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json - when: - - existing_policy_json != desired_policy_json - - env != "prod" or prod_lifecycle_update_allowed diff --git a/ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json b/ecr-lifecycle/ecr_lifecycle.json similarity index 100% rename from ansible/roles/ecr-lifecycle-policy/tasks/files/ecr_lifecycle.json rename to ecr-lifecycle/ecr_lifecycle.json 
From e323623a5185f19502330c080ffd7cbd9f335543 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Thu, 15 Jan 2026 16:12:46 +0000 Subject: [PATCH 14/22] ecr lifecycle policy null values --- .../tasks/build-container.yml | 30 +++++++++++++++---- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index cbba0ca4d..99f03b0fd 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -32,6 +32,15 @@ cmd: "docker push {{ image_name }}" when: build_result.rc == 0 +- name: List contents of playbook_dir + ansible.builtin.command: > + ls -al {{ playbook_dir }} + register: ls_playbook + +- name: Show playbook_dir contents + debug: + var: ls_playbook.stdout + - name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} ansible.builtin.command: > {{ aws_cmd }} ecr get-lifecycle-policy @@ -42,14 +51,23 @@ failed_when: false changed_when: false -- name: Parse existing lifecycle policy JSON +- name: Parse existing lifecycle policy JSON if present + set_fact: + existing_policy_json: "{{ existing_policy_raw.stdout | from_json }}" + when: + - existing_policy_raw.stdout is defined + - existing_policy_raw.stdout != "" + - existing_policy_raw.stdout != "None" + - existing_policy_raw.stdout != "null" + +- name: Ensure existing_policy_json always exists set_fact: - existing_policy_json: "{{ existing_policy_raw.stdout | default('{}') | from_json }}" - when: existing_policy_raw.stdout != "" + existing_policy_json: {} + when: existing_policy_json is not defined -- name: Read lifecycle policy from the local file +- name: Read lifecycle policy from the shared file ansible.builtin.slurp: - src: "{{ role_path }}/files/ecr_lifecycle.json" + src: "{{ playbook_dir }}/../../ecr-lifecycle/ecr_lifecycle.json" register: desired_policy_raw - name: Decode lifecycle policy file 
@@ -60,7 +78,7 @@ ansible.builtin.command: > {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ playbook_dir }}/../../common/a-management-utils-3/ecr-lifecycle/ecr_lifecycle.json + --lifecycle-policy-text file://{{ playbook_dir }}/../../ecr-lifecycle/ecr_lifecycle.json when: - existing_policy_json != desired_policy_json - env != "prod" or prod_lifecycle_update_allowed From 6d0fe9dbbd7065f7fc6da69d3149465ce56d9040 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Thu, 15 Jan 2026 16:28:50 +0000 Subject: [PATCH 15/22] ecr lifecycle file loaction --- ansible/roles/build-ecs-proxies/tasks/build-container.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 99f03b0fd..9bd601de5 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -67,7 +67,7 @@ - name: Read lifecycle policy from the shared file ansible.builtin.slurp: - src: "{{ playbook_dir }}/../../ecr-lifecycle/ecr_lifecycle.json" + src: "{{ playbook_dir }}/../ecr-lifecycle/ecr_lifecycle.json" register: desired_policy_raw - name: Decode lifecycle policy file @@ -78,7 +78,7 @@ ansible.builtin.command: > {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ playbook_dir }}/../../ecr-lifecycle/ecr_lifecycle.json + --lifecycle-policy-text file://{{ playbook_dir }}/../ecr-lifecycle/ecr_lifecycle.json when: - existing_policy_json != desired_policy_json - env != "prod" or prod_lifecycle_update_allowed From 988cfd601b9576f4021f6da1c0b09cd2ab57e25b Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Thu, 15 Jan 2026 16:38:33 +0000 Subject: [PATCH 16/22] ecr lifecycle file update --- ansible/roles/build-ecs-proxies/tasks/build-container.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 9bd601de5..0a9e4572e 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -81,4 +81,3 @@ --lifecycle-policy-text file://{{ playbook_dir }}/../ecr-lifecycle/ecr_lifecycle.json when: - existing_policy_json != desired_policy_json - - env != "prod" or prod_lifecycle_update_allowed From 7fcfa61d56d1f1fe967e79da34abcb007e7333bc Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Thu, 15 Jan 2026 17:02:25 +0000 Subject: [PATCH 17/22] ecr lifecycle file move --- .../ecr-lifecycle}/ecr_lifecycle.json | 0 .../tasks/build-container.yml | 48 +++++++++++++++++++ 2 files changed, 48 insertions(+) rename {ecr-lifecycle => ansible/ecr-lifecycle}/ecr_lifecycle.json (100%) diff --git a/ecr-lifecycle/ecr_lifecycle.json b/ansible/ecr-lifecycle/ecr_lifecycle.json similarity index 100% rename from ecr-lifecycle/ecr_lifecycle.json rename to ansible/ecr-lifecycle/ecr_lifecycle.json diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index 0a9e4572e..b7f1d1948 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml 
@@ -79,5 +79,53 @@ {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} --lifecycle-policy-text file://{{ playbook_dir }}/../ecr-lifecycle/ecr_lifecycle.json + when: + - existing_policy_json != desired_policy_json- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} + ansible.builtin.command: > + {{ aws_cmd }} ecr get-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --query 'lifecyclePolicyText' + --output text + register: existing_policy_raw + failed_when: false + changed_when: false + +- name: Parse existing lifecycle policy JSON if present + set_fact: + existing_policy_json: "{{ existing_policy_raw.stdout | from_json }}" + when: + - existing_policy_raw.stdout is defined + - existing_policy_raw.stdout != "" + - existing_policy_raw.stdout != "None" + - existing_policy_raw.stdout != "null" + +- name: Ensure existing_policy_json always exists + set_fact: + existing_policy_json: {} + when: existing_policy_json is not defined + +- name: Read lifecycle policy from the shared file + ansible.builtin.slurp: + src: "{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json" + register: desired_policy_raw + +- name: Debug raw slurp output + debug: + var: desired_policy_raw + +- name: Show decoded lifecycle policy content + debug: + msg: "{{ desired_policy_raw.content | b64decode }}" + +- name: Decode lifecycle policy file + set_fact: + desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}" + +- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different + ansible.builtin.command: > + {{ aws_cmd }} ecr put-lifecycle-policy + --repository-name {{ service_id }}_{{ item }} + --lifecycle-policy-text file://{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json when: - existing_policy_json != desired_policy_json + From f2e76cca9a0595bff900102cd396c7266563d826 Mon Sep 17 00:00:00 2001 
From: CLJ2006 Date: Thu, 15 Jan 2026 17:15:24 +0000 Subject: [PATCH 18/22] ecr lifecycle file removed duplicate code --- .../tasks/build-container.yml | 48 ------------------- 1 file changed, 48 deletions(-) diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index b7f1d1948..df553e943 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -32,15 +32,6 @@ cmd: "docker push {{ image_name }}" when: build_result.rc == 0 -- name: List contents of playbook_dir - ansible.builtin.command: > - ls -al {{ playbook_dir }} - register: ls_playbook - -- name: Show playbook_dir contents - debug: - var: ls_playbook.stdout - - name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} ansible.builtin.command: > {{ aws_cmd }} ecr get-lifecycle-policy 
@@ -65,45 +56,6 @@ existing_policy_json: {} when: existing_policy_json is not defined -- name: Read lifecycle policy from the shared file - ansible.builtin.slurp: - src: "{{ playbook_dir }}/../ecr-lifecycle/ecr_lifecycle.json" - register: desired_policy_raw - -- name: Decode lifecycle policy file - set_fact: - desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}" - -- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different - ansible.builtin.command: > - {{ aws_cmd }} ecr put-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ playbook_dir }}/../ecr-lifecycle/ecr_lifecycle.json - when: - - existing_policy_json != desired_policy_json- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }} - ansible.builtin.command: > - {{ aws_cmd }} ecr get-lifecycle-policy - --repository-name {{ service_id }}_{{ item }} - --query 'lifecyclePolicyText' - --output text - register: existing_policy_raw - failed_when: false - changed_when: false - -- name: Parse existing lifecycle policy JSON if present - set_fact: - existing_policy_json: "{{ existing_policy_raw.stdout | from_json }}" - when: - - existing_policy_raw.stdout is defined - - existing_policy_raw.stdout != "" - - existing_policy_raw.stdout != "None" - - existing_policy_raw.stdout != "null" - -- name: Ensure existing_policy_json always exists - set_fact: - existing_policy_json: {} - when: existing_policy_json is not defined - - name: Read lifecycle policy from the shared file ansible.builtin.slurp: src: "{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json" From f93e8c93062da122c72bb736e4250858b6a7049c Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Thu, 15 Jan 2026 17:35:36 +0000 Subject: [PATCH 19/22] ecr lifecycle file fixed file --- ansible/roles/build-ecs-proxies/tasks/build-container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml index df553e943..7e90e04f7 100644 --- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml +++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml @@ -77,7 +77,7 @@ ansible.builtin.command: > {{ aws_cmd }} ecr put-lifecycle-policy --repository-name {{ service_id }}_{{ item }} - --lifecycle-policy-text file://{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json + --lifecycle-policy-text '{{ desired_policy_json | to_json }}' when: - existing_policy_json != desired_policy_json From 75084703458ebfcf8f30b633de093a703f9c5bb5 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Fri, 16 Jan 2026 08:38:38 +0000 Subject: [PATCH 20/22] lifecycle recent tags --- ansible/ecr-lifecycle/ecr_lifecycle.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/ecr-lifecycle/ecr_lifecycle.json b/ansible/ecr-lifecycle/ecr_lifecycle.json index fb969878a..69da21142 100644 --- a/ansible/ecr-lifecycle/ecr_lifecycle.json +++ b/ansible/ecr-lifecycle/ecr_lifecycle.json @@ -18,7 +18,7 @@ "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST", "selection": { "tagStatus": "tagged", - "tagPrefixList": [""], + "tagPrefixList": ["*"], "countType": "imageCountMoreThan", "countNumber": 800 }, From 496ab54d2b45ec1e2b01930e858faf9e7c68c290 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Fri, 16 Jan 2026 08:39:45 +0000 Subject: [PATCH 21/22] lifecycle recent tags --- ansible/ecr-lifecycle/ecr_lifecycle.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/ecr-lifecycle/ecr_lifecycle.json b/ansible/ecr-lifecycle/ecr_lifecycle.json index 69da21142..b6f01e065 100644 --- a/ansible/ecr-lifecycle/ecr_lifecycle.json +++ b/ansible/ecr-lifecycle/ecr_lifecycle.json 
@@ -15,7 +15,7 @@ }, { "rulePriority": 2, - "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST", + "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST ", "selection": { "tagStatus": "tagged", "tagPrefixList": ["*"], From 1ecd98642ee3d37de60518c7ad93fef80b10c2b4 Mon Sep 17 00:00:00 2001 From: CLJ2006 Date: Fri, 16 Jan 2026 10:57:25 +0000 Subject: [PATCH 22/22] lifecycle policy --- ansible/ecr-lifecycle/ecr_lifecycle.json | 25 ++++------- .../files/ecr_lifecycle.json | 43 ------------------- 2 files changed, 9 insertions(+), 59 deletions(-) delete mode 100644 ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json diff --git a/ansible/ecr-lifecycle/ecr_lifecycle.json b/ansible/ecr-lifecycle/ecr_lifecycle.json index b6f01e065..cfdea1bdf 100644 --- a/ansible/ecr-lifecycle/ecr_lifecycle.json +++ b/ansible/ecr-lifecycle/ecr_lifecycle.json @@ -9,35 +9,28 @@ "countType": "imageCountMoreThan", "countNumber": 800 }, - "action": { - "type": "expire" - } + "action": { "type": "expire" } }, { "rulePriority": 2, - "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST ", + "description": "Never expire the 'latest' tag", "selection": { "tagStatus": "tagged", - "tagPrefixList": ["*"], + "tagPrefixList": ["latest"], "countType": "imageCountMoreThan", - "countNumber": 800 + "countNumber": 9999 }, - "action": { - "type": "expire" - } + "action": { "type": "expire" } }, { "rulePriority": 3, - "description": "Never expire the 'latest' tag", + "description": "Keep the 5 most recent build images (all tags) - AMEND NUMBER AFTER TEST", "selection": { - "tagStatus": "tagged", - "tagPrefixList": ["latest"], + "tagStatus": "any", "countType": "imageCountMoreThan", - "countNumber": 9999 + "countNumber": 800 }, - "action": { - "type": "expire" - } + "action": { "type": "expire" } } ] } 
diff --git a/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json deleted file mode 100644 index fb969878a..000000000 --- a/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "rules": [ - { - "rulePriority": 1, - "description": "Keep the 10 most recent ECS deployment images - AMEND NUMBER AFTER TEST", - "selection": { - "tagStatus": "tagged", - "tagPrefixList": ["ecs-"], - "countType": "imageCountMoreThan", - "countNumber": 800 - }, - "action": { - "type": "expire" - } - }, - { - "rulePriority": 2, - "description": "Keep the 5 most recent build images - AMEND NUMBER AFTER TEST", - "selection": { - "tagStatus": "tagged", - "tagPrefixList": [""], - "countType": "imageCountMoreThan", - "countNumber": 800 - }, - "action": { - "type": "expire" - } - }, - { - "rulePriority": 3, - "description": "Never expire the 'latest' tag", - "selection": { - "tagStatus": "tagged", - "tagPrefixList": ["latest"], - "countType": "imageCountMoreThan", - "countNumber": 9999 - }, - "action": { - "type": "expire" - } - } - ] -}