refs sparkfabrik-innovation-team/board#3552 - Create ECR lifecycle po… (#64)

* refs sparkfabrik-innovation-team/board#3552 - Create ECR lifecycle policy

* Update CHANGELOG.md

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: osvaldot

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.5.0] - 2025-05-16
+
+### Added
+
+- Add repository lifecycle policy and `repository_expiration_days` variable
+
 ## [4.4.0] - 2025-04-29
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-aws-eks-bootstrap/compare/4.3.0...4.4.0)

README.md

@@ -103,6 +103,7 @@ The patches will add the special toleration to the resources, allowing them to b
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | n/a | `list(string)` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | Project name | `string` | n/a | yes |
 | <a name="input_prometheus_stack_additional_values"></a> [prometheus\_stack\_additional\_values](#input\_prometheus\_stack\_additional\_values) | Additional values for Kube Prometheus Stack | `list(string)` | `[]` | no |
+| <a name="input_repository_expiration_days"></a> [repository\_expiration\_days](#input\_repository\_expiration\_days) | Value to set the expiration days for the application repositories, null means no expiration | `number` | `null` | no |
 | <a name="input_velero_bucket_expiration_days"></a> [velero\_bucket\_expiration\_days](#input\_velero\_bucket\_expiration\_days) | n/a | `number` | `90` | no |
 | <a name="input_velero_bucket_glacier_days"></a> [velero\_bucket\_glacier\_days](#input\_velero\_bucket\_glacier\_days) | n/a | `number` | `60` | no |
 | <a name="input_velero_bucket_infrequently_access_days"></a> [velero\_bucket\_infrequently\_access\_days](#input\_velero\_bucket\_infrequently\_access\_days) | n/a | `number` | `30` | no |
@@ -130,6 +131,7 @@ The patches will add the special toleration to the resources, allowing them to b
 
 | Name | Type |
 |------|------|
+| [aws_ecr_lifecycle_policy.project_image](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_repository.repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [aws_iam_policy.aws_ebs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |

ecr.tf

@@ -5,19 +5,56 @@ locals {
   customer_application_repositories = distinct(flatten([
     for k, app in var.customer_application : [
       for repo in app.repositories : {
-        app_name = k
+        app_name  = k
         repo_name = repo
       }
   ]]))
 }
 
 ## Create ECR repository
 resource "aws_ecr_repository" "repository" {
-  for_each = { for entry in local.customer_application_repositories : "${entry.app_name}-${entry.repo_name}" => entry } 
-  name = each.key
+  for_each = { for entry in local.customer_application_repositories : "${entry.app_name}-${entry.repo_name}" => entry }
+  name     = each.key
 
   tags = {
-    Cluster = var.cluster_name
+    Cluster     = var.cluster_name
     Application = each.key
   }
 }
+
+resource "aws_ecr_lifecycle_policy" "project_image" {
+  for_each = var.repository_expiration_days != null ? { for entry in local.customer_application_repositories : "${entry.app_name}-${entry.repo_name}" => entry } : {}
+
+  repository = each.key
+
+  policy = jsonencode({
+    rules = [
+      {
+        "rulePriority" : 1,
+        "description" : "Keep image tagged with main, master, stage, dev*, review*",
+        "selection" : {
+          "tagStatus" : "tagged",
+          "tagPrefixList" : ["main", "master", "stage", "dev*", "review*"],
+          "countType" : "imageCountMoreThan",
+          "countNumber" : 9999
+        },
+        "action" : {
+          "type" : "expire"
+        }
+      },
+      {
+        "rulePriority" : 2,
+        "description" : "Remove images older than ${var.repository_expiration_days} days",
+        "selection" : {
+          "tagStatus" : "any",
+          "countType" : "sinceImagePushed",
+          "countUnit" : "days",
+          "countNumber" : var.repository_expiration_days
+        },
+        "action" : {
+          "type" : "expire"
+        }
+      }
+    ]
+  })
+}

variables.tf

@@ -302,6 +302,12 @@ variable "customer_application" {
   }))
 }
 
+variable "repository_expiration_days" {
+  type = number
+  description = "Repository expiration days, used for lifecycle policy. Null to disable."
+  default = null
+}
+
 # Velero
 variable "enable_velero" {
   type        = bool