Merge pull request #65 from sparkfabrik/0000-fix-policy

osvaldot · web-flow · commit 215ddda22898 · 2025-05-30T17:42:51.000+02:00
refs #0000 Fix ECR policy
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.6.0] - 2025-05-30
+
+### Added
+
+- Add variables for ECR lifecycle policy configuration and tag protection
+
+### Fixed
+
+- ECR Lifecycle policy rules now properly handle tag protection patterns
+- Fixed ECR lifecycle policy application to respect excluded repositories
+
 ## [4.5.0] - 2025-05-16
 
 ### Added
diff --git a/README.md b/README.md
@@ -71,6 +71,10 @@ The patches will add the special toleration to the resources, allowing them to b
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster. | `string` | `"1.24"` | no |
 | <a name="input_customer_application"></a> [customer\_application](#input\_customer\_application) | Customer application | <pre>map(object({<br>    namespaces   = list(string)<br>    repositories = optional(list(string), [])<br>  }))</pre> | n/a | yes |
 | <a name="input_developer_users"></a> [developer\_users](#input\_developer\_users) | n/a | `list(any)` | n/a | yes |
+| <a name="input_ecr_enable_lifecycle_policy"></a> [ecr\_enable\_lifecycle\_policy](#input\_ecr\_enable\_lifecycle\_policy) | Enable lifecycle policy for ECR repositories. | `bool` | `true` | no |
+| <a name="input_ecr_lifecycle_expiration_days"></a> [ecr\_lifecycle\_expiration\_days](#input\_ecr\_lifecycle\_expiration\_days) | Number of days after which untagged images expire. Only applies if enable\_ecr\_lifecycle\_policy is true. | `number` | `30` | no |
+| <a name="input_ecr_lifecycle_policy_excluded_repositories"></a> [ecr\_lifecycle\_policy\_excluded\_repositories](#input\_ecr\_lifecycle\_policy\_excluded\_repositories) | A list of ECR repository names to exclude from the default lifecycle policy. | `list(string)` | `[]` | no |
+| <a name="input_ecr_protected_tag_patterns"></a> [ecr\_protected\_tag\_patterns](#input\_ecr\_protected\_tag\_patterns) | List of tag patterns to keep in ECR lifecycle policy. | `list(string)` | <pre>[<br>  "latest",<br>  "main",<br>  "master",<br>  "stage",<br>  "dev*",<br>  "review*",<br>  "0.*",<br>  "1.*",<br>  "2.*",<br>  "3.*",<br>  "4.*",<br>  "5.*",<br>  "6.*",<br>  "7.*",<br>  "8.*",<br>  "9.*",<br>  "v0.*",<br>  "v1.*",<br>  "v2.*",<br>  "v3.*",<br>  "v4.*",<br>  "v5.*",<br>  "v6.*",<br>  "v7.*",<br>  "v8.*",<br>  "v9.*"<br>]</pre> | no |
 | <a name="input_eks_managed_node_groups"></a> [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | Cluster node group | `any` | <pre>{<br>  "core_pool": {<br>    "desired_size": 2,<br>    "instance_types": [<br>      "t3.medium"<br>    ],<br>    "labels": {<br>      "Pool": "core"<br>    },<br>    "max_size": 4,<br>    "min_size": 1,<br>    "tags": {<br>      "Pool": "core"<br>    }<br>  }<br>}</pre> | no |
 | <a name="input_enable_aws_alb_controller"></a> [enable\_aws\_alb\_controller](#input\_enable\_aws\_alb\_controller) | Enable AWS Load Balancer Controller | `bool` | `false` | no |
 | <a name="input_enable_aws_ebs_csi_driver"></a> [enable\_aws\_ebs\_csi\_driver](#input\_enable\_aws\_ebs\_csi\_driver) | Enable AWS EBS CSI Driver | `bool` | `true` | no |
@@ -103,7 +107,6 @@ The patches will add the special toleration to the resources, allowing them to b
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | n/a | `list(string)` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | Project name | `string` | n/a | yes |
 | <a name="input_prometheus_stack_additional_values"></a> [prometheus\_stack\_additional\_values](#input\_prometheus\_stack\_additional\_values) | Additional values for Kube Prometheus Stack | `list(string)` | `[]` | no |
-| <a name="input_repository_expiration_days"></a> [repository\_expiration\_days](#input\_repository\_expiration\_days) | Value to set the expiration days for the application repositories, null means no expiration | `number` | `null` | no |
 | <a name="input_velero_bucket_expiration_days"></a> [velero\_bucket\_expiration\_days](#input\_velero\_bucket\_expiration\_days) | n/a | `number` | `90` | no |
 | <a name="input_velero_bucket_glacier_days"></a> [velero\_bucket\_glacier\_days](#input\_velero\_bucket\_glacier\_days) | n/a | `number` | `60` | no |
 | <a name="input_velero_bucket_infrequently_access_days"></a> [velero\_bucket\_infrequently\_access\_days](#input\_velero\_bucket\_infrequently\_access\_days) | n/a | `number` | `30` | no |
diff --git a/ecr.tf b/ecr.tf
@@ -9,6 +9,39 @@ locals {
         repo_name = repo
       }
   ]]))
+
+  # Generate individual rules for each tag pattern.
+  # Please note that tagPatternList is an AND condition in AWS ECR lifecycle policy
+  tag_protection_rules = [
+    for index, pattern in var.ecr_protected_tag_patterns : {
+      rulePriority = index + 1
+      description  = "Keep images tagged with ${pattern}"
+      selection = {
+        tagStatus      = "tagged"
+        tagPatternList = [pattern]
+        countType      = "imageCountMoreThan"
+        countNumber    = 9999
+      }
+      action = {
+        type = "expire"
+      }
+    }
+  ]
+
+  # Rule to clean up old images
+  cleanup_rule = {
+    rulePriority = length(var.ecr_protected_tag_patterns) + 1
+    description  = "Remove images older than ${var.ecr_lifecycle_expiration_days} days"
+    selection = {
+      tagStatus   = "any"
+      countType   = "sinceImagePushed"
+      countUnit   = "days"
+      countNumber = var.ecr_lifecycle_expiration_days
+    }
+    action = {
+      type = "expire"
+    }
+  }
 }
 
 ## Create ECR repository
@@ -23,38 +56,14 @@ resource "aws_ecr_repository" "repository" {
 }
 
 resource "aws_ecr_lifecycle_policy" "project_image" {
-  for_each = var.repository_expiration_days != null ? { for entry in local.customer_application_repositories : "${entry.app_name}-${entry.repo_name}" => entry } : {}
+  for_each = var.ecr_enable_lifecycle_policy ? {
+    for repo_name, repo_config in aws_ecr_repository.repository : repo_name => repo_config
+    if !contains(var.ecr_lifecycle_policy_excluded_repositories, repo_name)
+  } : {}
 
-  repository = each.key
+  repository = each.value.name
 
   policy = jsonencode({
-    rules = [
-      {
-        "rulePriority" : 1,
-        "description" : "Keep image tagged with main, master, stage, dev*, review*",
-        "selection" : {
-          "tagStatus" : "tagged",
-          "tagPrefixList" : ["main", "master", "stage", "dev*", "review*"],
-          "countType" : "imageCountMoreThan",
-          "countNumber" : 9999
-        },
-        "action" : {
-          "type" : "expire"
-        }
-      },
-      {
-        "rulePriority" : 2,
-        "description" : "Remove images older than ${var.repository_expiration_days} days",
-        "selection" : {
-          "tagStatus" : "any",
-          "countType" : "sinceImagePushed",
-          "countUnit" : "days",
-          "countNumber" : var.repository_expiration_days
-        },
-        "action" : {
-          "type" : "expire"
-        }
-      }
-    ]
+    rules = concat(local.tag_protection_rules, [local.cleanup_rule])
   })
 }
diff --git a/variables.tf b/variables.tf
@@ -302,12 +302,31 @@ variable "customer_application" {
   }))
 }
 
-variable "repository_expiration_days" {
-  type = number
-  description = "Repository expiration days, used for lifecycle policy. Null to disable."
-  default = null
+variable "ecr_protected_tag_patterns" {
+  type        = list(string)
+  description = "List of tag patterns to keep in ECR lifecycle policy."
+  default     = ["latest", "main", "master", "stage", "dev*", "review*", "0.*", "1.*", "2.*", "3.*", "4.*", "5.*", "6.*", "7.*", "8.*", "9.*", "v0.*", "v1.*", "v2.*", "v3.*", "v4.*", "v5.*", "v6.*", "v7.*", "v8.*", "v9.*"]
 }
 
+variable "ecr_enable_lifecycle_policy" {
+  type        = bool
+  description = "Enable lifecycle policy for ECR repositories."
+  default     = true
+}
+
+variable "ecr_lifecycle_expiration_days" {
+  type        = number
+  description = "Number of days after which untagged images expire. Only applies if enable_ecr_lifecycle_policy is true."
+  default     = 30
+}
+
+variable "ecr_lifecycle_policy_excluded_repositories" {
+  description = "A list of ECR repository names to exclude from the default lifecycle policy."
+  type        = list(string)
+  default     = []
+}
+
+
 # Velero
 variable "enable_velero" {
   type        = bool
