@xiaket
Last active November 15, 2024 09:58
ECR Lifecycle Policy example with explanations
{
  "rules": [
    {
      "rulePriority": 10,
      "description": "For `latest` tag, keep last 5 images",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["latest"],
        "countType": "imageCountMoreThan",
        "countNumber": 5
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 20,
      "description": "For `master` tag, keep last 5 images",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["master"],
        "countType": "imageCountMoreThan",
        "countNumber": 5
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 990,
      "description": "Only keep untagged images for 7 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 7
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 1000,
      "description": "Only keep tagged images for 15 days",
      "selection": {
        "tagStatus": "any",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 15
      },
      "action": { "type": "expire" }
    }
  ]
}
@xiaket
Author

xiaket commented Aug 10, 2018

As of today (10th Aug, 2018), the lifecycle policy in ECR is flawed:

  1. You cannot apply both imageCountMoreThan and sinceImagePushed to the same set of tags.
  2. You cannot use a wildcard to match several tags at once.
  3. tagPrefixList is not really what most people expect it to be. See this gist for an example.
  4. I believe we could benefit from an explicit keep action; currently it's expire only.

What I have gathered here is as close to what I had wished to achieve as possible:

  1. For a set of tags, retain matched images if the count is less than 5.
  2. For untagged images, remove them if they are older than 7 days.
  3. For other tagged images, remove them if they are older than 15 days.

Please note that you don't want to change the criterion in 1 to a sinceImagePushed-based one, because if your image stays stale for some time, it will get removed.

A note on rule evaluation: according to the documentation, AWS will look at 1 first (priority 10 and 20), retain all the newest images under those tags, and mark all other images under those tags as expired. Then, it will look at 2 (priority 990 here), find all untagged images, and mark old ones as expired. Last but not least, it will look at 3 (priority 1000 here), looking at all other images. At this stage, since we have matched those tags in 1 and those untagged ones in 2, all other images are those that have a tag but not the protected ones; we should remove them if they are more than 15 days old.
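To see the evaluation order described above play out on concrete data, here is an added simulator (not part of the gist, and not AWS code). It models the rules as the comment explains them: rules run in ascending rulePriority, an image is expired by at most one rule, and an image whose tags are selected by a higher-priority rule is not considered by later rules. The image set is constructed; digests and tags are made up, and the `master-<n>` tags are used because one ECR tag can only point at one image at a time, so a count-based rule only retains several images when they carry distinct tags that share the prefix. The authoritative check for a real repository is `aws ecr start-lifecycle-policy-preview` followed by `aws ecr get-lifecycle-policy-preview`, which dry-runs the policy against actual images.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The policy from the gist, as a Python dict.
POLICY = {
    "rules": [
        {"rulePriority": 10, "description": "For `latest` tag, keep last 5 images",
         "selection": {"tagStatus": "tagged", "tagPrefixList": ["latest"],
                       "countType": "imageCountMoreThan", "countNumber": 5},
         "action": {"type": "expire"}},
        {"rulePriority": 20, "description": "For `master` tag, keep last 5 images",
         "selection": {"tagStatus": "tagged", "tagPrefixList": ["master"],
                       "countType": "imageCountMoreThan", "countNumber": 5},
         "action": {"type": "expire"}},
        {"rulePriority": 990, "description": "Only keep untagged images for 7 days",
         "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                       "countUnit": "days", "countNumber": 7},
         "action": {"type": "expire"}},
        {"rulePriority": 1000, "description": "Only keep tagged images for 15 days",
         "selection": {"tagStatus": "any", "countType": "sinceImagePushed",
                       "countUnit": "days", "countNumber": 15},
         "action": {"type": "expire"}},
    ]
}


@dataclass
class Image:
    digest: str                      # constructed label, not a real sha256
    tags: List[str]
    pushed_at: datetime
    expired_by: Optional[int] = None  # rulePriority that expired it, if any


def matches(image: Image, selection: dict) -> bool:
    """Does the image meet the rule's tag criteria?"""
    status = selection["tagStatus"]
    if status == "untagged":
        return not image.tags
    if status == "tagged":
        # tagPrefixList is a prefix match: "master" also selects "master-hotfix".
        return any(t.startswith(p) for t in image.tags for p in selection["tagPrefixList"])
    return True  # "any"


def evaluate(policy: dict, images: List[Image], now: datetime) -> List[Image]:
    """Simplified model of ECR evaluation, following the comment's description."""
    pool = {img.digest: img for img in images}
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = sorted((i for i in pool.values() if matches(i, sel)),
                         key=lambda i: i.pushed_at, reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            doomed = matched[sel["countNumber"]:]          # everything past the newest N
        else:  # sinceImagePushed; ECR only supports "days" here
            cutoff = now - timedelta(days=sel["countNumber"])
            doomed = [i for i in matched if i.pushed_at < cutoff]
        for img in doomed:
            img.expired_by = rule["rulePriority"]
        for img in matched:   # selected images are not seen by lower-priority rules
            del pool[img.digest]
    return images


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "today"


def sample_images() -> List[Image]:
    """Constructed repository contents exercising each rule."""
    def days(n: int) -> datetime:
        return NOW - timedelta(days=n)
    imgs = [Image(f"sha256:master{n:02d}", [f"master-{n:02d}"], days(n)) for n in range(1, 8)]
    imgs += [
        Image("sha256:hotfix", ["master-hotfix"], days(8)),   # caught by prefix "master"
        Image("sha256:latest", ["latest"], days(40)),         # old, but within newest 5
        Image("sha256:untagged-new", [], days(3)),
        Image("sha256:untagged-old", [], days(10)),
        Image("sha256:v100", ["v1.0.0"], days(10)),
        Image("sha256:v090", ["v0.9.0"], days(20)),
    ]
    return imgs


def expired_map(images: Optional[List[Image]] = None) -> Dict[str, Optional[int]]:
    """Return {digest: rulePriority that expired it, or None if kept}."""
    images = evaluate(POLICY, images or sample_images(), NOW)
    return {i.digest: i.expired_by for i in images}


if __name__ == "__main__":
    for digest, by in expired_map().items():
        print(f"{digest:22} {'expire by rule ' + str(by) if by else 'keep'}")
```

Running it shows the three points the comment makes: `master-06`, `master-07` and `master-hotfix` are expired by rule 20 although they are younger than 15 days (the prefix match pulls the hotfix tag into the same count), the 40-day-old `latest` image is kept because rule 10 selected it before rule 1000 could see it, and only the old untagged and old `v0.9.0` images fall to rules 990 and 1000.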

@avg00r

avg00r commented Aug 27, 2020

> all other images are those that have a tag but not the protected ones; we should remove them if they are more than 15 days old.

What do you mean by protected ones? Which images are protected and by whom?

@xiaket
Author

xiaket commented Aug 27, 2020

> What do you mean by protected ones? Which images are protected and by whom?

The protected ones are those listed in 1 and 2.
