The solution is to split the tags out into their own rules.
Previously, having them all in one rule in a tagPatternList acted as an AND, so the image needed to be tagged with all the tags latest, main, master and cache for that particular rule to apply.
Splitting them out individually into their own rules acts like an OR, meaning it only needs to match one, so the most recent main tag is preserved, and because "An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority" (according to https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html), the most recent main image will be preserved forever.
This way the most important tags last longer than 60 days, and everything else is deleted. The AWS AI answer keeps every single image for 10 years.
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep most recent image with tag matching \"latest\"",
      "selection": {
        "tagStatus": "tagged",
        "tagPatternList": [
          "latest"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 2,
      "description": "Keep most recent image with tag matching \"main\"",
      "selection": {
        "tagStatus": "tagged",
        "tagPatternList": [
          "main"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 3,
      "description": "Keep most recent image with tag matching \"master\"",
      "selection": {
        "tagStatus": "tagged",
        "tagPatternList": [
          "master"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 4,
      "description": "Keep most recent image with tag matching \"cache\"",
      "selection": {
        "tagStatus": "tagged",
        "tagPatternList": [
          "cache"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 5,
      "description": "Keep most recent 1000 images with tag starting with 20",
      "selection": {
        "tagStatus": "tagged",
        "tagPatternList": [
          "20*"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 1000
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 6,
      "description": "Remove untagged images after 7 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 7
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 7,
      "description": "Remove anything else older than 60 days",
      "selection": {
        "tagStatus": "any",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 60
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
The issue with your lifecycle policy is in the first rule, which is intended to keep specific tagged images for 10 years. The problem lies in the "action" section of this rule.
In your policy, all rules, including the first one, have the action type set to "expire". This means that instead of keeping the images, the rule is actually set to expire (delete) them after 3650 days (10 years).
Lifecycle policies in Amazon ECR are designed to expire images, not to explicitly keep them. By default, images that don't match any expiration rules are kept indefinitely.
Your corrected lifecycle policy should look like this:
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Remove untagged images after 10 years",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 3650
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
This policy will:
- Remove untagged images after 10 years
The images with the tags will be preserved indefinitely as they won't match any of these expiration rules. Unfortunately you can't specify a rule with a NOT TAG operator. This would be a nice feature but currently is not part of the rule set (Gary Mclean)
Remember to always use the lifecycle policy preview feature before applying a new policy to verify its effects on your images.
My understanding is that your version of the lifecycle policy will delete everything within 60 days too.
Hey Steve, you are correct. I will update the answer.

You're still going to lose images after 60 days no matter what the tag.
I won't lose the images I want to keep - I've tested it and it works perfectly, you should try it too.
It's also documented in the Lifecycle Policies chapter in the user guide (https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#:~:text=An%20image%20that%20matches%20the%20tagging%20requirements%20of%20a%20rule%20cannot%20be%20expired%20by%20a%20rule%20with%20a%20lower%20priority.)
An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority. Because rule number 2 looks for the image that is tagged with main, then rule number 7 cannot expire that same image.
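The two behaviours this thread relies on (every pattern in one tagPatternList must match, and an image matched by a rule cannot be expired by a lower-priority rule) can be checked offline with a small model. This is an added example, not AWS code and not part of any post above; it is a simplified model of those two documented behaviours only, and the function names, evaluation date and sample repository are constructed for illustration.

```python
import re
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # constructed evaluation date

def tag_matches(pattern, tag):
    # '*' is treated as the only wildcard in a tag pattern.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), tag) is not None

def selects(sel, img):
    if sel["tagStatus"] == "untagged":
        return not img["tags"]
    if sel["tagStatus"] == "any":
        return True
    # tagged: EVERY pattern must match some tag on the image (AND semantics)
    return all(any(tag_matches(p, t) for t in img["tags"]) for p in sel["tagPatternList"])

def expired(rules, images):
    """Return {digest: rulePriority} for the images this model would expire."""
    claimed, result = set(), {}
    for r in sorted(rules, key=lambda r: r["rulePriority"]):
        sel = r["selection"]
        matched = sorted((i for i in images if selects(sel, i)),
                         key=lambda i: i["pushed"], reverse=True)
        if sel["countType"] == "imageCountMoreThan":
            candidates = matched[sel["countNumber"]:]      # beyond the N newest
        else:                                              # sinceImagePushed, in days
            cutoff = TODAY - timedelta(days=sel["countNumber"])
            candidates = [i for i in matched if i["pushed"] < cutoff]
        for img in candidates:
            if img["digest"] not in claimed:               # protected by a higher rule
                result[img["digest"]] = r["rulePriority"]
        claimed.update(i["digest"] for i in matched)       # shields from lower rules
    return result

def rule(prio, **sel):
    return {"rulePriority": prio, "selection": sel, "action": {"type": "expire"}}

def keep_newest(prio, *patterns):
    return rule(prio, tagStatus="tagged", tagPatternList=list(patterns),
                countType="imageCountMoreThan", countNumber=1)

CATCH_ALL = dict(tagStatus="any", countType="sinceImagePushed", countUnit="days", countNumber=60)
COMBINED = [keep_newest(1, "latest", "main", "master", "cache"), rule(2, **CATCH_ALL)]
SPLIT = [keep_newest(1, "latest"), keep_newest(2, "main"), keep_newest(3, "master"),
         keep_newest(4, "cache"), rule(7, **CATCH_ALL)]

def img(digest, tags, age_days):
    return {"digest": digest, "tags": tags, "pushed": TODAY - timedelta(days=age_days)}

IMAGES = [img("img-main", ["main"], 200), img("img-build", ["20231201-def"], 180),
          img("img-latest", ["latest"], 5), img("img-untagged", [], 90)]  # constructed
```

With the combined rule the 200-day-old main image falls through to the 60-day catch-all; with split rules it is claimed by the main rule and survives. The lifecycle policy preview in ECR remains the authoritative check before applying a policy.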