
Adds lifecycle policy for ECR images

Brad Poulton 4 жил өмнө
parent
commit
a15a8adf5b

+ 55 - 0
base/codebuild_ecr_customer_portal/lifecycle-policy.json

@@ -0,0 +1,55 @@
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Expire images that aren't tagged",
+            "selection": {
+                "tagStatus": "untagged",
+                "countType": "imageCountMoreThan",
+                "countNumber": 1 
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 2,
+            "description": "Keep last 3 images of branch images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["branch-"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 3
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 3,
+            "description": "Keep last 3 images of commit images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["commit-"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 3
+            },
+            "action": {
+                "type": "expire"
+            }
+        },
+        {
+            "rulePriority": 4,
+            "description": "Remove any images older than 42 days",
+            "selection": {
+                "tagStatus": "any",
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 42
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
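Review bot: The fourth rule (`sinceImagePushed`, 42 days) selects `tagStatus: any`, so it also expires images carrying tags outside the `branch-`/`commit-` prefixes — if the build also pushes a release or `latest` tag, the image the service is currently running from is deleted 42 days after its push and the next scale-out or node replacement fails to pull it. ECR lifecycle expiry does not check whether a running task references the image, and it is not reversible. If the intent is only to cap the age of per-branch and per-commit images, scope the rule to those prefixes by replacing `"tagStatus": "any",` with `"tagStatus": "tagged",` and `"tagPrefixList": ["branch-", "commit-"],`; untagged images are already covered by rule 1, so nothing is lost by dropping `any`. Tags outside those prefixes are then kept until a rule of their own is added, which is the safer default for a deployed image.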

+ 10 - 0
base/codebuild_ecr_customer_portal/main.tf

@@ -68,11 +68,21 @@ resource "aws_ecr_repository_policy" "this-api" {
   policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
 }
 
+resource "aws_ecr_lifecycle_policy" "this-api" {
+  repository = aws_ecr_repository.this-api.name
+  policy = file("${path.module}/lifecycle-policy.json")
+}
+
 resource "aws_ecr_repository_policy" "this-nginx" {
   repository = aws_ecr_repository.this-nginx.name
   policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
 }
 
+resource "aws_ecr_lifecycle_policy" "this-nginx" {
+  repository = aws_ecr_repository.this-nginx.name
+  policy = file("${path.module}/lifecycle-policy.json")
+}
+
 resource "aws_codebuild_webhook" "this" {
   project_name  = var.name
   branch_filter = var.webhook_branch_filter
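Review bot: Attaching the lifecycle policy to the existing `this-api` and `this-nginx` repositories takes effect on the first apply with no dry run: ECR evaluates the rules against whatever is already in the repository, so every image older than 42 days under the `sinceImagePushed` rule in `lifecycle-policy.json` is expired at apply time, while the Terraform plan only shows the policy document, not the images that will go. Before applying this to a repository that already serves production, run `aws ecr start-lifecycle-policy-preview` with the same JSON and read back `get-lifecycle-policy-preview` to list what would be deleted, and note the result in the review. A one-line comment above each resource, e.g. `# Expires existing images on first apply — preview with start-lifecycle-policy-preview before attaching`, would warn the next person who copies this pattern.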

+ 16 - 0
base/codebuild_ecr_project/default-lifecycle-policy.json

@@ -0,0 +1,16 @@
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Expire images that aren't tagged",
+            "selection": {
+                "tagStatus": "untagged",
+                "countType": "imageCountMoreThan",
+                "countNumber": 1 
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
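Review bot: With `"countNumber": 1` only a single untagged image survives per repository, and with mutable tags the previously deployed image becomes untagged as soon as a build moves its tag to the new image — the second such build then deletes the digest the last known-good deployment was running on, so a rollback by digest, or a re-pull by a task that pinned it, fails. Whether that applies depends on how the CodeBuild project tags its pushes, which this commit does not show. If tags are reused across builds, keep a few more untagged images (for example `"countNumber": 5`) or, for a repository that must preserve every pushed digest, leave the rule out; and record the tagging assumption where the module's users will see it, since strict JSON leaves no room for a comment here.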

+ 5 - 0
base/codebuild_ecr_project/main.tf

@@ -67,6 +67,11 @@ resource "aws_ecr_repository_policy" "this" {
   policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
 }
 
+resource "aws_ecr_lifecycle_policy" "this" {
+  repository = aws_ecr_repository.this.name
+  policy = file("${path.module}/default-lifecycle-policy.json")
+}
+
 resource "aws_codebuild_webhook" "this" {
   project_name  = var.name
   branch_filter = var.webhook_branch_filter
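Review bot: The policy path is hard-coded in `aws_ecr_lifecycle_policy.this`, yet the module takes its other per-project settings from variables and the file is named `default-`, which reads as an override point; the sibling `codebuild_ecr_customer_portal` module carries its own copy of the JSON rather than overriding this one. Consider accepting the document as an input with this file as the fallback: `policy = var.lifecycle_policy != "" ? var.lifecycle_policy : file("${path.module}/default-lifecycle-policy.json")`, with a `lifecycle_policy` string variable defaulting to `""` in vars.tf. A short comment above the resource, e.g. `# Default keeps one untagged image; pass lifecycle_policy to override per project`, would document the contract. `aws_ecr_repository.this` and the CodeBuild resources this block refers to are defined outside the hunk.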

+ 1 - 0
base/codebuild_ecr_project/vars.tf

@@ -10,6 +10,7 @@ variable "aws_partition_alias" { type = string }
 variable "aws_account_id" { type = string }
 variable "name" { type = string }
 variable "service_role" { type = string }
+variable "responsible_accounts" { type = map(list(string)) }
 variable "artifact_s3_bucket" { type = string }
 variable "codebuild_image" {type = string }
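Review bot: `responsible_accounts` is declared without a `description`, and nothing else in this commit reads it, so its role is not discoverable from the module. The name and the `map(list(string))` shape suggest account IDs grouped by some key, which would matter for access control if it is meant to feed the `ecr_cross_account_policy` document this module attaches to the repository — that wiring is not part of this change, so either it belongs to a follow-up or the variable is dead. Add a description stating exactly what the keys and the listed values are, e.g. `description = "AWS account IDs, grouped by <key>, that are granted access to this repository"` with the placeholder resolved once the intended meaning is confirmed, and mention the variable's purpose in the commit message.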