6

I'm curious whether there is a way to set up one general lifecycle policy that applies to all repositories in ECR?

As far as I understand, there is currently no way to do this.

One approach I'm considering is to take the JSON definition of the lifecycle policy and apply it to every repository with the AWS CLI (this can be automated to some extent). But that would have to run every time a new repository is created, which adds complexity.


5 Answers

2

There is still no default ECR lifecycle policy template or anything like it. So, as you mentioned, you can take the aws cli route and schedule it to run from somewhere, e.g. a Lambda or a k8s job:

  1. Get all repository names:

    # one array entry per repository in the account/region that $profile points to
    repositories=($(aws ecr describe-repositories --profile="$profile" --output text --query "repositories[*].repositoryName"))

  2. Apply the policy to every repository:

    for repository in "${repositories[@]}"; do
      aws ecr put-lifecycle-policy --profile="$profile" --repository-name "$repository" --lifecycle-policy-text "file://policy.json"
    done
    
answered 2020-09-07T07:54:25.827
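The scheduled job this answer describes (enumerate every repository, push the same policy) as an added Python example; it is not part of the original answer. It assumes the boto3 ECR client calls describe_repositories (through a paginator), get_lifecycle_policy and put_lifecycle_policy, plus the client's LifecyclePolicyNotFoundException error class. The client object is injected, so the logic runs offline against the constructed FakeECR stand-in below; in a Lambda you would pass boto3.client("ecr"). It goes one step beyond the answer: by default it only touches repositories that have no policy yet, so a repository with a deliberately different policy is not silently overwritten unless overwrite=True.

```python
"""Apply one ECR lifecycle policy to every repository that lacks one.

Added example, not from the original answer. Assumes the boto3 ECR client
API (describe_repositories paginator, get_lifecycle_policy,
put_lifecycle_policy, exceptions.LifecyclePolicyNotFoundException).
"""
import json

# Policy pushed to every repository (same shape as the policy.json above).
DEFAULT_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire untagged images after 7 days",
            "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 7,
            },
            "action": {"type": "expire"},
        }
    ]
}


def list_repository_names(ecr):
    """Return every repository name, following pagination."""
    names = []
    for page in ecr.get_paginator("describe_repositories").paginate():
        names.extend(r["repositoryName"] for r in page["repositories"])
    return names


def has_lifecycle_policy(ecr, name):
    """True if the repository already carries any lifecycle policy."""
    try:
        ecr.get_lifecycle_policy(repositoryName=name)
        return True
    except ecr.exceptions.LifecyclePolicyNotFoundException:
        return False


def enforce_default_policy(ecr, policy=DEFAULT_POLICY, overwrite=False):
    """Attach `policy` to repositories without one (to all if overwrite=True).

    Returns the sorted names of the repositories that were changed, so the
    caller (or a Lambda log line) records exactly what was touched.
    """
    text = json.dumps(policy)
    changed = []
    for name in list_repository_names(ecr):
        if overwrite or not has_lifecycle_policy(ecr, name):
            ecr.put_lifecycle_policy(repositoryName=name, lifecyclePolicyText=text)
            changed.append(name)
    return sorted(changed)


def lambda_handler(event, context):
    """Entry point for a scheduled Lambda (e.g. an EventBridge rule)."""
    import boto3  # imported lazily so the module loads without boto3 installed
    return {"updated": enforce_default_policy(boto3.client("ecr"))}


# --- constructed offline stand-in for the boto3 client --------------------
class _Exceptions:
    class LifecyclePolicyNotFoundException(Exception):
        pass


class FakeECR:
    """Minimal in-memory model of the three ECR calls used above."""

    exceptions = _Exceptions

    def __init__(self, repos, policies=None, page_size=2):
        self._repos = list(repos)
        self.policies = dict(policies or {})  # repositoryName -> policy text
        self._page_size = page_size

    def get_paginator(self, op):
        assert op == "describe_repositories"
        fake = self

        class _Paginator:
            def paginate(self):
                for i in range(0, len(fake._repos), fake._page_size):
                    chunk = fake._repos[i:i + fake._page_size]
                    yield {"repositories": [{"repositoryName": n} for n in chunk]}

        return _Paginator()

    def get_lifecycle_policy(self, repositoryName):
        if repositoryName not in self.policies:
            raise self.exceptions.LifecyclePolicyNotFoundException(repositoryName)
        return {"lifecyclePolicyText": self.policies[repositoryName]}

    def put_lifecycle_policy(self, repositoryName, lifecyclePolicyText):
        self.policies[repositoryName] = lifecyclePolicyText
        return {"repositoryName": repositoryName}


if __name__ == "__main__":
    fake = FakeECR(["app", "api", "worker"], {"api": '{"rules": []}'})
    print(enforce_default_policy(fake))  # ['app', 'worker']
```

The Lambda's execution role only needs ecr:DescribeRepositories, ecr:GetLifecyclePolicy and ecr:PutLifecyclePolicy; nothing that can pull or push images. Keeping the returned list in the Lambda output gives you an audit trail of which repositories were changed on each run.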
0

I use a CloudFormation mapping to define the policy once and then attach it to every repository with a single line:

Mappings:
  ECRPolicy:
    DevPolicy:
      RemoveUntagged: |
        {
          "rules": [
            {
              "rulePriority": 1,
              "description": "Expire images older than 3 days",
              "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 3
              },
              "action": {
                "type": "expire"
              }
            }
          ]
        }

And for the repository it is just:

  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Sub ${ECRRepositoryName}-dev
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:DescribeImages
              - ecr:BatchGetImage
            Principal:
              AWS:
                - !Sub arn:aws:iam::${DevAccount}:root
            Sid: AllowCrossAccountPull
      LifecyclePolicy:
        LifecyclePolicyText: !FindInMap [ECRPolicy, DevPolicy, RemoveUntagged]
answered 2021-07-22T22:07:49.190
0

Use Terraform for_each

locals {
  repositories = toset(["foo", "bar", "baz"])
}

resource "aws_ecr_repository" "myrepository" {
  for_each = local.repositories
  name     = each.value
}

resource "aws_ecr_lifecycle_policy" "untagged_removal_policy" {
  for_each   = local.repositories
  repository = aws_ecr_repository.myrepository[each.value].name

  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images after 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = {
          type = "expire"
        }
      }
    ]
  })
}

To output the repository names and URLs, use a for expression:

output "myrepositories" {
  value = {
    for repo in aws_ecr_repository.myrepository : repo.name => repo.repository_url
  }
  description = "Object mapping from repository name (string) to repository URL (string)"
}
answered 2021-11-29T10:10:13.530
0

You can use Terraform

# Assumed context, not part of the original snippet: the comma-separated list
# of repository names and the repository resource the policy is attached to.
locals {
  registries = "foo,bar,baz"
}

resource "aws_ecr_repository" "ecr_repositories" {
  count = length(split(",", local.registries))
  name  = element(split(",", local.registries), count.index)
}

resource "aws_ecr_lifecycle_policy" "untagged_removal_policy" {
  count      = length(split(",", local.registries))
  depends_on = [aws_ecr_repository.ecr_repositories]
  repository = aws_ecr_repository.ecr_repositories[count.index].name

  policy = <<EOF
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire Docker images older than 7 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 7
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
EOF
}

answered 2019-03-08T10:29:24.567
-2

AWS DOCS: an example of how to implement a policy for tagged and untagged images using Terraform

https://docs.aws.amazon.com/AmazonECR/latest/userguide/lifecycle_policy_examples.html

{
    "rules": [
        {
            "rulePriority": 1,
            "description": "Remove tagged images with prefix prod-*",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["prod"],
                "countType": "imageCountMoreThan",
                "countNumber": 1
            },
            "action": {
                "type": "expire"
            }
        },
        {
            "rulePriority": 2,
            "description": "Remove untagged images",
            "selection": {
                "tagStatus": "untagged",
                "countType": "imageCountMoreThan",
                "countNumber": 1
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}
answered 2020-03-10T21:14:23.833
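Whichever of the approaches above you use to fan a policy out to every repository, a malformed rule set fails only when ECR rejects it, once per repository. The following added Python example (not from any of the answers or from the AWS docs) is a pre-flight validator for the lifecycle policy document. It encodes the structural constraints from the ECR lifecycle policy documentation as I understand them: unique positive rulePriority values, tagStatus of tagged/untagged/any, tagged rules need a tagPrefixList (the newer tagPatternList is accepted as an assumption), countType is imageCountMoreThan or sinceImagePushed, countUnit "days" only with sinceImagePushed, a positive countNumber, action type expire, and a tagStatus=any rule must have the highest priority. It is run against the two-rule docs example quoted above and against a constructed broken policy; ECR itself remains the authority.

```python
"""Pre-flight validation of an ECR lifecycle policy document.

Added example, not from the answers above. The checks mirror the documented
ECR lifecycle policy constraints as understood by the author of this example.
"""
import json

TAG_STATUSES = {"tagged", "untagged", "any"}
COUNT_TYPES = {"imageCountMoreThan", "sinceImagePushed"}


def _positive_int(value):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and value >= 1


def validate_lifecycle_policy(policy):
    """Return a list of problem strings; an empty list means nothing was found."""
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except json.JSONDecodeError as exc:
            return [f"not valid JSON: {exc}"]
    rules = policy.get("rules") if isinstance(policy, dict) else None
    if not isinstance(rules, list) or not rules:
        return ["policy must be an object with a non-empty 'rules' list"]

    problems = []
    seen = {}            # rulePriority -> index of the rule that first used it
    any_priority = None  # priority of the tagStatus=any rule, if there is one
    for i, rule in enumerate(rules):
        where = f"rule[{i}]"
        if not isinstance(rule, dict):
            problems.append(f"{where}: rule must be an object")
            continue
        prio = rule.get("rulePriority")
        if not _positive_int(prio):
            problems.append(f"{where}: rulePriority must be a positive integer")
        elif prio in seen:
            problems.append(f"{where}: rulePriority {prio} duplicates rule[{seen[prio]}]")
        else:
            seen[prio] = i

        sel = rule.get("selection") or {}
        status = sel.get("tagStatus")
        if status not in TAG_STATUSES:
            problems.append(f"{where}: tagStatus must be one of {sorted(TAG_STATUSES)}")
        has_tag_filter = bool(sel.get("tagPrefixList")) or bool(sel.get("tagPatternList"))
        if status == "tagged" and not has_tag_filter:
            problems.append(f"{where}: tagged rules need a tagPrefixList (or tagPatternList)")
        if status != "tagged" and ("tagPrefixList" in sel or "tagPatternList" in sel):
            problems.append(f"{where}: tag filters are only allowed when tagStatus is tagged")
        if status == "any" and _positive_int(prio):
            any_priority = prio

        ctype = sel.get("countType")
        if ctype not in COUNT_TYPES:
            problems.append(f"{where}: countType must be one of {sorted(COUNT_TYPES)}")
        if ctype == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"{where}: sinceImagePushed requires countUnit 'days'")
        if ctype == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"{where}: countUnit is not allowed with imageCountMoreThan")
        if not _positive_int(sel.get("countNumber")):
            problems.append(f"{where}: countNumber must be a positive integer")

        if (rule.get("action") or {}).get("type") != "expire":
            problems.append(f"{where}: action.type must be 'expire'")

    # the catch-all rule is evaluated last, so it must carry the highest priority
    if any_priority is not None and seen and any_priority < max(seen):
        problems.append("the tagStatus=any rule must have the highest rulePriority")
    return problems


# The two-rule example quoted from the AWS docs in the answer above.
DOCS_EXAMPLE = {
    "rules": [
        {"rulePriority": 1, "description": "Remove tagged images with prefix prod-*",
         "selection": {"tagStatus": "tagged", "tagPrefixList": ["prod"],
                       "countType": "imageCountMoreThan", "countNumber": 1},
         "action": {"type": "expire"}},
        {"rulePriority": 2, "description": "Remove untagged images",
         "selection": {"tagStatus": "untagged", "countType": "imageCountMoreThan",
                       "countNumber": 1},
         "action": {"type": "expire"}},
    ]
}

# Constructed broken policy: every rule violates at least one constraint.
BROKEN_EXAMPLE = {
    "rules": [
        {"rulePriority": 1, "description": "tagged without any prefix",
         "selection": {"tagStatus": "tagged", "countType": "imageCountMoreThan",
                       "countNumber": 10},
         "action": {"type": "expire"}},
        {"rulePriority": 1, "description": "duplicate priority, missing countUnit",
         "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                       "countNumber": 7},
         "action": {"type": "expire"}},
        {"rulePriority": 2, "description": "catch-all that is not last",
         "selection": {"tagStatus": "any", "countType": "imageCountMoreThan",
                       "countNumber": 0},
         "action": {"type": "delete"}},
        {"rulePriority": 3, "description": "countUnit with a count-based rule",
         "selection": {"tagStatus": "untagged", "countType": "imageCountMoreThan",
                       "countUnit": "days", "countNumber": 30},
         "action": {"type": "expire"}},
    ]
}

if __name__ == "__main__":
    print(validate_lifecycle_policy(DOCS_EXAMPLE))    # []
    for problem in validate_lifecycle_policy(BROKEN_EXAMPLE):
        print(problem)
```

Run it over policy.json in CI before the apply step, so a typo in the shared policy is caught once rather than reported by ECR for each repository in the loop.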