Containers-roadmap: ECR image - protect specific version/tag from deletion

Created on 8 Dec 2019 · 2 Comments · Source: aws/containers-roadmap

As a user of AWS container services, I would like to be able to "lock" a particular image version/tag and prevent it from being deleted either manually or via lifecycle policies.

Tell us about your request
Add deletion protection to ECR repository images to prevent accidental deletion of important image versions when using automation, CLI or via lifecycle rules.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We push images to all environments regularly and tag as "latest" the image version we need for that environment when needed. Currently, lifecycle rules are set to keep 10 image versions; however, images are pushed several times per day. Sometimes the image carrying the "latest" tag is removed by the lifecycle policy. Both "image count" and "time since image pushed" policies can remove image versions that are important to the current environment.

Are you currently working around this issue?
We will increase the number of images to 100 as a temporary solution and consider no longer pushing images to all environments all the time, instead pushing only during CD, which will prolong the deployment time.

ECR Proposed

All 2 comments

From https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html

An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority.

So, have the first rule in your lifecycle policy match tag 'latest' with, e.g., expire imageCountMoreThan 1. Then, any further rules will not expire your 'latest' image.
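As an added example, not code from the issue or from AWS, here is the two-rule policy the comment above describes, together with a small validator for the structural constraints ECR places on rule priorities and a deliberately simplified simulator of the quoted priority semantics (a rule's selected images are "claimed" and never seen by lower-priority rules). The repository contents in `sample_repository` are constructed, `NOW` is fixed to the issue date, and only `tagPrefixList` matching is modelled:

```python
"""Added example: an ECR lifecycle policy that shields the 'latest' tag from a
count-based expiry rule, plus a validator and a simplified simulator of the
priority semantics quoted from the ECR documentation. Not AWS code."""
import json
from datetime import datetime, timedelta, timezone

# Rule 1 (highest precedence = lowest rulePriority number) selects images whose
# tag starts with 'latest'; because they match this rule, rule 2 can never
# expire them. countNumber 1 keeps the single image 'latest' points at.
LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Claim the 'latest' image so lower-priority rules skip it",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["latest"],
                "countType": "imageCountMoreThan",
                "countNumber": 1,
            },
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": "Keep only the 10 most recent of everything else",
            "selection": {
                "tagStatus": "any",
                "countType": "imageCountMoreThan",
                "countNumber": 10,
            },
            "action": {"type": "expire"},
        },
    ]
}


def validate_policy(policy):
    """Return a list of problems (empty = well-formed). These mirror the
    structural constraints ECR documents: unique priorities, at most one
    tagStatus 'any' rule which must carry the highest rulePriority number,
    and 'tagged' rules need a tagPrefixList."""
    problems = []
    rules = policy["rules"]
    prios = [r["rulePriority"] for r in rules]
    if len(set(prios)) != len(prios):
        problems.append("rulePriority values must be unique")
    any_rules = [r for r in rules if r["selection"]["tagStatus"] == "any"]
    if len(any_rules) > 1:
        problems.append("only one rule may use tagStatus 'any'")
    if any_rules and any_rules[0]["rulePriority"] != max(prios):
        problems.append("the tagStatus 'any' rule must have the highest rulePriority")
    for r in rules:
        sel = r["selection"]
        if sel["tagStatus"] == "tagged" and not sel.get("tagPrefixList"):
            problems.append(f"rule {r['rulePriority']}: tagged selection needs tagPrefixList")
    return problems


def _selected(selection, image):
    """Does the rule's selection clause apply to this image? Prefix matching
    only; tagPatternList wildcards are out of scope for this toy model."""
    status = selection["tagStatus"]
    if status == "any":
        return True
    if status == "untagged":
        return not image["tags"]
    return any(tag.startswith(p) for tag in image["tags"] for p in selection["tagPrefixList"])


def simulate(policy, images, now):
    """Return the set of digests the policy would expire against `images`.
    Rules run from the lowest rulePriority number upward. Every image a rule
    selects is 'claimed', whether or not it is expired, and later rules never
    see claimed images: that is the documented guarantee that a lower-priority
    rule cannot expire an image matching a higher-priority rule's tags."""
    claimed, expired = set(), set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        candidates = [i for i in images if i["digest"] not in claimed and _selected(sel, i)]
        candidates.sort(key=lambda i: i["pushedAt"], reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            doomed = candidates[sel["countNumber"]:]
        else:  # sinceImagePushed with countUnit 'days'
            cutoff = now - timedelta(days=sel["countNumber"])
            doomed = [i for i in candidates if i["pushedAt"] < cutoff]
        expired.update(i["digest"] for i in doomed)
        claimed.update(i["digest"] for i in candidates)
    return expired


NOW = datetime(2019, 12, 8, tzinfo=timezone.utc)  # fixed clock for the constructed data


def sample_repository():
    """Constructed repository state: one image pushed per day for 12 days, with
    the 'latest' tag still on the oldest build (the scenario in the issue)."""
    images = [
        {"digest": f"sha256:{n:064x}", "tags": [f"build-{n}"], "pushedAt": NOW - timedelta(days=12 - n)}
        for n in range(12)
    ]
    images[0]["tags"].append("latest")
    return images


if __name__ == "__main__":
    images = sample_repository()
    print(json.dumps(LIFECYCLE_POLICY, indent=2))
    print("problems:", validate_policy(LIFECYCLE_POLICY) or "none")
    latest = next(i["digest"] for i in images if "latest" in i["tags"])
    print("expired by the two-rule policy:", sorted(simulate(LIFECYCLE_POLICY, images, NOW)))
    only_count_rule = {"rules": [LIFECYCLE_POLICY["rules"][1]]}
    print("'latest' expired by a count-only policy:", latest in simulate(only_count_rule, images, NOW))
```

With the two-rule policy the simulator expires exactly one untagged-by-latest build (the oldest of the other eleven), while a policy consisting of the count rule alone expires the 'latest' image as well, which is the failure the issue describes. Note the limits of this workaround: because tags are unique within a repository, rule 1 never expires anything unless other tags share the "latest" prefix, and no lifecycle ordering helps against a manual tag or image deletion, which is why the deletion-protection request still stands.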

Hi, we encountered a problem today. During the night one of our developers accidentally removed the prod.latest tag, which is used by our ECS Task definition.

This morning traffic increased and when new Tasks tried to start they failed because our prod.latest tag was absent.

In our case our ECR Lifecycle policies are correctly configured and have worked for several months.

It would be great to add a feature in ECR to prevent human errors associated with critical Docker tags. In addition, it would probably simplify ECR Lifecycle policies if the "lock" prevented Lifecycle policies from removing the tag.

Temporarily we'll develop a simple AWS Lambda function to be notified on our pager when a critical tag is accidentally removed.
