Set lifecycle rules #9

Open
wants to merge 3 commits into
base: master
43 changes: 40 additions & 3 deletions .circleci/config.yml
@@ -7,7 +7,7 @@ orbs:
# https://circleci.com/orbs/registry/orb/circleci/aws-ecr
# required environment variables:
# https://circleci.com/docs/2.0/ecs-ecr/#configure-circleci-environment-variables
aws-ecr: circleci/aws-ecr@6.15.3
aws-ecr: circleci/aws-ecr@8.1.2

workflows:
version: 2
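
Review bot: the orb bump from `circleci/aws-ecr@6.15.3` to `circleci/aws-ecr@8.1.2` crosses two major versions, and neither the hunk nor the PR records why it is needed or what changed, so confirm that the orb parameters the job below relies on (`repo`, `tag`, `create-repo`, `lifecycle-policy-path`) are still accepted under 8.1.2 and add the reason to the comment above the pin, so the exact-version pin is kept rather than loosened to a floating major later.
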
@@ -28,10 +28,47 @@ workflows:
#
# The AWS ECR repo name, example: remind101/acme-inc
repo: "$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME"
# tags for this image, comma separated.
tag: "latest,$CIRCLE_BRANCH,$CIRCLE_SHA1"
# tags for this image, comma separated. A composite of branch+sha1 is
# added so the lifecycle rule (below) can filter images beginning
# with "master" or "main" to avoid applying aggressive rules.
tag: "latest,$CIRCLE_BRANCH,$CIRCLE_SHA1,$CIRCLE_BRANCH-$CIRCLE_BUILD_NUM"
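
Review bot: the new comment describes the composite tag as "branch+sha1", but the value added is `$CIRCLE_BRANCH-$CIRCLE_BUILD_NUM`, which carries the CircleCI build number and no commit SHA; either change it to `$CIRCLE_BRANCH-$CIRCLE_SHA1`, which keeps the tag meaningful outside CircleCI, or reword the comment to say branch+build number. Note also that the rule it feeds uses `tagPrefixList`, which is a prefix match, so tags from any branch whose name merely starts with `master` or `main` would be selected by the master/main rule as well.
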
Contributor:

I think I'd still want to keep the commit SHA in the prefixed tag, because it's nice to have that info embedded and also would make it easier to transition to something other than CircleCI without causing conflicts.

# create the AWS ECR repo if it does not exist already.
create-repo: true
# Set the lifecycle for the repo. Note that this setting expects
# an inline policy, even if it's named "-path".
# The max count for master and main is set to 8,000, 80% of the}
# available space in the repo, in order to safeguard against removing
# running images after aggressive rebuilding of the master branch.
lifecycle-policy-path: >
Contributor:


The documentation says this should be a path, not the actual content.

Contributor Author:


Yes! But it's a lie.

I started adding a file as in https://github.com/remind101/r101-api/pull/16623/files#diff-2c27a3138e2c83cb750d9a8a3b415799e8f3806ae6bd8a9d06a6abb23e018d36 (only left there for dev purposes) only to get Invalid length for parameter lifecyclePolicyText, value: 28, valid min length: 100 (https://app.circleci.com/pipelines/github/remind101/r101-api/11123/workflows/b3566098-95c6-4f13-9fd7-8a7f3f79a4d1/jobs/257499).

After my initial wtf moment, my suspicions were confirmed when I tried the current approach and bingo! got An error occurred (AccessDeniedException) when calling the PutLifecyclePolicy operation: User: arn:aws:iam::************:user/erc-stage-circleci is not authorized to perform: ecr:PutLifecyclePolicy on resource: arn:aws:ecr:*********:************:repository/remind101/r101-api because no identity-based policy allows the ecr:PutLifecyclePolicy action (https://app.circleci.com/pipelines/github/remind101/r101-api/11188/workflows/00a85887-5e28-4912-81d6-94738f99dbe9/jobs/258057).

Trust no one.

Contributor (@isobit, May 26, 2022):


WTF lol. Well, at least it would be good to have a comment to explain that.

valid min length: 100

🤔

Contributor Author:


What do you mean with "at least"?

Contributor Author:


added comment

{
"rules": [
{
"rulePriority": 1,
"description": "Keep latest master image",
"selection": {
"tagStatus": "tagged",
"tagPrefixList": ["master", "main"],
"countType": "imageCountMoreThan",
"countNumber": 8000
},
"action": {
"type": "expire"
}
},
{
"rulePriority": 2,
"description": "Expire all images older than 90 days.",
"selection": {
"countType": "sinceImagePushed",
"countNumber": 90,
"countUnit": "days"
},
"action": {
"type": "expire"
}
}
]
}
# provide the aws-ecr context (environment variables) to push docker_image into ecr.
# https://circleci.com/docs/2.0/ecs-ecr/#configure-circleci-environment-variables
context: aws-ecr
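
Review bot: rule 2's `selection` has no `tagStatus`, which ECR requires on every lifecycle rule (`tagged`, `untagged` or `any`), so once the CI principal is granted `ecr:PutLifecyclePolicy` the call will fail policy validation in place of the AccessDeniedException seen so far; add `"tagStatus": "any"` to the 90-day rule (with `any`, it must also remain the highest `rulePriority`, which it already is). When that permission is granted to `erc-stage-circleci`, scope it to the single repository ARN from the error message rather than a wildcard. Two smaller points: the comment line ending `80% of the}` has a stray `}`, and because an image matched by rule 1's prefix selection is not expired by the lower-priority rule, every tag starting with `master` or `main` is exempt from the 90-day expiry, which is what the comment intends but is worth stating explicitly next to the 8,000 figure.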