Script to Expire AWS ECR repository Docker images | How to set ECR lifecycle policy via script

Anil Augustine Chalissery
3 min read · Apr 8, 2022


Are you looking for a way to expire old Docker images from ECR? Are you planning to remove ECR images to reduce cost?

If the answer to either question is yes, this post is for you.

Why this post?

I have been optimizing AWS costs for a while now. When it came to ECR, all I did was remove the untagged images from every repository. For that I used the following AWS CLI one-liner to list and delete untagged images:

aws ecr describe-repositories --query 'repositories[].repositoryName' --output text | tr '\t' '\n' | while read -r repo; do aws ecr list-images --repository-name "$repo" --filter tagStatus=UNTAGGED --query 'imageIds[].imageDigest' --output text | tr '\t' '\n' | while read -r digest; do [ -n "$digest" ] && aws ecr batch-delete-image --repository-name "$repo" --image-ids imageDigest="$digest"; done; done

The drawbacks were that I still had to schedule this to run every week, and if we ever wanted to keep one untagged image (for rollback purposes) the command would have to be reworked.

If you are new to ECR lifecycle policies, I would highly recommend using the test rule feature in the AWS ECR console, which previews which images a policy would expire before it takes effect. Refer to the AWS documentation for details. Below is the lifecycle policy template provided by AWS:

{
    "rules": [
        {
            "rulePriority": integer,
            "description": "string",
            "selection": {
                "tagStatus": "tagged"|"untagged"|"any",
                "tagPrefixList": list<string>,
                "countType": "imageCountMoreThan"|"sinceImagePushed",
                "countUnit": "string",
                "countNumber": integer
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}

So a policy can expire images either by count (imageCountMoreThan) or by age (sinceImagePushed, where countUnit is "days" and is only used with that countType). With an age-based rule there is a real risk that the image currently deployed gets expired simply because nothing new has been pushed for a while: the running containers keep working, but the next pull (a scale-out, a node replacement or a rollback) fails because the image is gone. That is why I recommend setting ECR lifecycle policies based on count.

In our case I needed to set up the same lifecycle policy on more than 20 ECR repositories, and doing that through the console would be tedious. That is what inspired me to write a script to set the ECR lifecycle policy.

The Script

The script lists all ECR repositories visible to the chosen profile (in its default region) and applies the same policy (policy.json) to each of them. Here the image count is 5, so at most the 5 most recently pushed images remain in each repository and anything older is expired. Keep in mind that expired images are deleted and cannot be recovered, and that with tagStatus set to any the rule applies to tagged and untagged images alike.

<policy.json>

{
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire images more than 5",
            "selection": {
                "tagStatus": "any",
                "countType": "imageCountMoreThan",
                "countNumber": 5
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}
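To see what a policy like the one above would do before applying it, here is an added example that is not part of the original post: a small Python model of the documented ECR rule semantics (rules are evaluated from the lowest rulePriority number upwards, an image is claimed by the first rule whose tag selection it matches, imageCountMoreThan keeps the N most recently pushed images, and sinceImagePushed expires anything pushed more than N days ago). The image list is constructed, and the evaluator is an approximation written for this post, not AWS's own; the authoritative check remains the console's test rule or aws ecr start-lifecycle-policy-preview. It runs the post's count policy and a 14-day age policy side by side over a repository that has not seen a push for a month, which is exactly the case where the age rule expires the newest image.

```python
"""Offline approximation of ECR lifecycle policy evaluation (added example, not AWS's code)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Image:
    digest: str
    pushed_at: datetime
    tags: list[str] = field(default_factory=list)


def _matches(rule: dict, img: Image) -> bool:
    """Does the rule's tagStatus / tagPrefixList selection apply to this image?"""
    sel = rule["selection"]
    status = sel["tagStatus"]
    if status == "untagged":
        return not img.tags
    if status == "tagged":
        # A "tagged" rule selects images carrying a tag with one of the listed prefixes.
        prefixes = sel.get("tagPrefixList", [])
        return any(t.startswith(p) for t in img.tags for p in prefixes)
    return True  # "any"


def evaluate(policy: dict, images: list[Image], now: datetime) -> set[str]:
    """Return the digests the policy would expire, modelling the documented rule order."""
    expired: set[str] = set()
    claimed: set[str] = set()  # images already matched by a higher-priority rule
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        candidates = [i for i in images if i.digest not in claimed and _matches(rule, i)]
        candidates.sort(key=lambda i: i.pushed_at, reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            victims = candidates[sel["countNumber"]:]  # everything beyond the N newest
        elif sel["countType"] == "sinceImagePushed":
            if sel.get("countUnit") != "days":
                raise ValueError("sinceImagePushed requires countUnit 'days'")
            cutoff = now - timedelta(days=sel["countNumber"])
            victims = [i for i in candidates if i.pushed_at < cutoff]
        else:
            raise ValueError(f"unknown countType {sel['countType']!r}")
        expired.update(i.digest for i in victims)
        claimed.update(i.digest for i in candidates)  # claimed even if not expired
    return expired


# The post's policy.json, verbatim.
COUNT_POLICY = json.loads("""
{"rules": [{"rulePriority": 1, "description": "Expire images more than 5",
  "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 5},
  "action": {"type": "expire"}}]}
""")

# The age-based alternative the post warns about (assumed 14-day window).
DAYS_POLICY = {"rules": [{"rulePriority": 1, "description": "Expire images older than 14 days",
    "selection": {"tagStatus": "any", "countType": "sinceImagePushed",
                  "countUnit": "days", "countNumber": 14},
    "action": {"type": "expire"}}]}

# Two-rule policy: keep the last 3 "v*" release tags, then at most 1 of anything else.
TWO_RULE_POLICY = {"rules": [
    {"rulePriority": 1, "description": "keep last 3 releases",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["v"],
                   "countType": "imageCountMoreThan", "countNumber": 3},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "anything else beyond 1",
     "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 1},
     "action": {"type": "expire"}}]}

NOW = datetime(2022, 4, 8, tzinfo=timezone.utc)


def sample_images(last_push_days_ago: int = 30, count: int = 7) -> list[Image]:
    """Constructed repository: `count` images, one push a week, newest one
    `last_push_days_ago` days old. Index 0 is the image currently deployed."""
    return [Image(f"sha256:{i:064x}", NOW - timedelta(days=last_push_days_ago + 7 * i),
                  tags=["latest"] if i == 0 else [f"v1.{count - i}"])
            for i in range(count)]


def compare(last_push_days_ago: int = 30) -> dict[str, set[str]]:
    """Expired digests under the count policy vs the age policy for the same repo."""
    images = sample_images(last_push_days_ago)
    return {"count": evaluate(COUNT_POLICY, images, NOW),
            "days": evaluate(DAYS_POLICY, images, NOW)}


if __name__ == "__main__":
    result = compare(30)
    newest = sample_images(30)[0].digest
    print("count rule expires", len(result["count"]), "images; newest kept:", newest not in result["count"])
    print("days rule expires", len(result["days"]), "images; newest kept:", newest not in result["days"])
```

With the last push 30 days ago the count rule expires the 2 oldest images and keeps the deployed one, while the 14-day rule expires all 7, including the one in production. Change last_push_days_ago to 1 and the age rule behaves sensibly again, which is the point: its safety depends on push cadence, not on what is running.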

Change the count if necessary. Now let's look at the script.

#!/bin/bash
# An anilaugustinechalissery initiative ;)
set -euo pipefail
read -r -p "Enter the aws profile name please: " profile
export AWS_PROFILE="$profile"
echo "aws profile is $AWS_PROFILE"
# --output text prints the names tab-separated on one line; turn that into one name per line
aws ecr describe-repositories --output text --query 'repositories[].repositoryName' | tr '\t' '\n' > repolist.txt
echo "Repo list "
echo "========================================="
cat repolist.txt
echo "========================================="
echo "to cancel press Ctrl + C within 10s"
sleep 10
while read -r repo; do
    [ -z "$repo" ] && continue
    echo "Setting lifecycle policy for $repo"
    aws ecr put-lifecycle-policy --repository-name "$repo" --lifecycle-policy-text "file://policy.json"
done < repolist.txt

As you can see, it is a simple combination of AWS CLI and basic bash: list the ECR repositories, then feed each name to the policy-setting command. The script prints the repository list and waits 10 seconds before applying anything, in case you want to rethink. Lifecycle policies are set per repository and per region, so run it once for each profile/region combination you care about, and try the policy on a single repository first (or preview it with the console's test rule or aws ecr start-lifecycle-policy-preview) before rolling it out to all of them, since expired images are gone for good.

If this post has helped you do clap and follow for more :)
