ECR repos such as tf-qa-projectname-api and tf-prd-projectname-api accumulate images over time. Lifecycle policies prune old images; images still in use by ECS (running tasks or a task definition revision) are not deleted by AWS.

| Priority | Rule |
|---|---|
| 1 | Expire untagged images after 1 day |
| 2 | Keep only the last 3 images (imageCountMoreThan) |
| 3 | Expire images older than 90 days (safety net) |

Lifecycle rules select by age, count and tag status, not by CVE. Fix the image and deploy a new task definition; the old digests can be cleaned up once nothing references them.
- Edit `terraform/repositories.tf`: set `project_name` and/or the `repository_names` list (repos must already exist in AWS).
- Run:

  ```sh
  cd terraform
  terraform init
  terraform apply
  ```

That applies all three rules to every repo in the list. Optional: `terraform.tfvars` for `aws_region` or rule numbers only; repo names stay in `repositories.tf`.

Details: `terraform/README.md`.
Usually an old ECS task definition revision still references the digest. Deregister unused revisions in CI so ECR can expire those images.
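As an added dry run of the table's three rules (example code, not from this repo or from AWS), the script below applies ECR's documented evaluation order to a constructed image list and flags expiring digests that a task definition revision still pins, which is the deregistration step described above. The digests, tags, push dates and task definition names are constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"
# The table's three rules, written with the ECR policy field names.
RULES = [
    {"rulePriority": 1, "tagStatus": "untagged", "countType": "sinceImagePushed", "countNumber": 1},
    {"rulePriority": 2, "tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 3},
    {"rulePriority": 3, "tagStatus": "any", "countType": "sinceImagePushed", "countNumber": 90},
]
# Constructed repo contents (digests shortened; real ones are sha256:<64 hex>).
IMAGES = [
    {"digest": "sha256:d1", "tags": ["v1.0.0"], "pushed": NOW - timedelta(days=120)},
    {"digest": "sha256:d2", "tags": ["v1.1.0"], "pushed": NOW - timedelta(days=60)},
    {"digest": "sha256:d3", "tags": [], "pushed": NOW - timedelta(days=3)},
    {"digest": "sha256:d4", "tags": [], "pushed": NOW - timedelta(hours=6)},
    {"digest": "sha256:d5", "tags": ["v1.2.0"], "pushed": NOW - timedelta(days=1)},
]
# Constructed: digests still pinned by a registered task definition revision.
TASKDEF_REFS = {"sha256:d1": "projectname-api:7", "sha256:d5": "projectname-api:12"}

def matches(rule, image):
    """Tag selection only: 'untagged' wants no tags, 'any' takes every image."""
    return not image["tags"] if rule["tagStatus"] == "untagged" else True

def rule_expires(rule, images, now):
    """Digests this rule alone would expire. Other rules are ignored here on
    purpose: ECR still counts images a higher-priority rule already expired."""
    sel = sorted((i for i in images if matches(rule, i)), key=lambda i: i["pushed"], reverse=True)
    if rule["countType"] == "imageCountMoreThan":
        return {i["digest"] for i in sel[rule["countNumber"]:]}  # newest N survive
    cutoff = now - timedelta(days=rule["countNumber"])
    return {i["digest"] for i in sel if i["pushed"] < cutoff}

def evaluate(rules=RULES, images=IMAGES, now=NOW):
    """Map digest -> priority of the one rule that expires it. An image matched
    by a higher-priority rule's tag selection is off-limits to lower rules."""
    expired, claimed = {}, set()
    for rule in sorted(rules, key=lambda r: r["rulePriority"]):
        for digest in rule_expires(rule, images, now):
            if digest not in claimed:
                expired[digest] = rule["rulePriority"]
        claimed |= {i["digest"] for i in images if matches(rule, i)}
    return expired

def still_referenced(expired, refs=TASKDEF_REFS):
    """Expiring digests a task definition revision still pins: deregister those first."""
    return {d: refs[d] for d in expired if d in refs}

if __name__ == "__main__":
    result = evaluate()
    print(result, "still referenced:", still_referenced(result))
```

Rule 2 counts the two untagged images toward the three it keeps, so only two tagged releases survive, and because rule 2 selects every image, rule 3 claims nothing under the higher-priority-match-wins evaluation; the dry run surfaces both before apply.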
- `complete-infrastructure/`: ECS + ECR in the stack
- ECR lifecycle policies
