I have an ECR repo in AWS which has many images; some of them are being used and others are not. I have created a Lambda which deletes the unused ECR images that are older than 30 days. The Lambda triggers every day, but recently one of the ECS services was stopped for some time, and the Lambda considered its image as not in use and deleted it. When the ECS service came back up, it failed because it didn't find the image.
Here is my lambda:
import boto3
from datetime import datetime, timedelta


def lambda_handler(event, context):
    client = boto3.client("ecr")
    # describe_images is paginated; a single call only returns the first page
    image_details = []
    for page in client.get_paginator("describe_images").paginate(repositoryName="test"):
        image_details.extend(page["imageDetails"])
    # compare calendar dates only (imagePushedAt is a timezone-aware datetime)
    last_30_days = datetime.now().date() - timedelta(days=30)
    todo_delete = []
    for x in image_details:
        image_date = x["imagePushedAt"].date()
        if last_30_days > image_date:
            todo_delete.append(x["imageDigest"])
    # delete every image older than 30 days, regardless of whether it is in use
    for imageDigest in todo_delete:
        response = client.batch_delete_image(
            repositoryName="test",
            imageIds=[{"imageDigest": imageDigest}],
        )
        print(response)
I tried some more changes where I increased the period to 90 days, but that won't resolve the issue permanently. Is there any way to exclude some images? (I tried excluding by tag and it works, but in my case the tags are dynamic, so we don't know what will be there.)
2 Answers
Alternative solution – ECR Lifecycle policies
I would suggest a better solution than using Lambda: you can use ECR Lifecycle policies.
Lifecycle policies allow you to define a set of rules to remove old container images automatically. You can also preview rules to see exactly which container images are affected when the rule runs. This allows repositories to be better organized, makes it easier to find the code revisions that matter, and lowers storage costs.
Here is an example:
Your issue is that you only check the image creation date, not whether it is in use. To check if an image is used, the easiest way is probably to look at the image tag. By default the last image you pushed should be tagged as "latest". There can only be one image with a given tag ("latest" for instance), so your old images will have no tag (if they were only tagged as "latest"; if they had other tags that have not been reused, they will still have one). In this way, checking for images with no tags could help you check if your image is in use.
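A version of the check that addresses the failure the question describes (a stopped service still references its image through its task definition) and optionally applies the untagged-image heuristic from the answer above. This is an added example, not code from the question or either answer: the repository URI, account id, region, tags and digests are constructed, and the ECS client is assumed to be created by the caller and passed in.

```python
from datetime import datetime, timedelta, timezone


def collect_in_use_images(ecs, cluster):
    """Image URIs referenced by the current task definition of every ECS service
    in `cluster`. A service that is scaled to zero or temporarily stopped still
    counts, which is what protects its image. `ecs` is a boto3 ECS client that
    the caller passes in (assumption, so this module imports without boto3)."""
    in_use = set()
    arns = [a for page in ecs.get_paginator("list_services").paginate(cluster=cluster)
            for a in page["serviceArns"]]
    for i in range(0, len(arns), 10):  # describe_services accepts at most 10 ARNs
        for svc in ecs.describe_services(cluster=cluster, services=arns[i:i + 10])["services"]:
            td = ecs.describe_task_definition(taskDefinition=svc["taskDefinition"])
            in_use.update(c["image"] for c in td["taskDefinition"]["containerDefinitions"])
    return in_use


def plan_deletions(image_details, repo_uri, in_use, now, max_age_days=30, keep_tagged=False):
    """Digests safe to delete: pushed before the cutoff and not referenced by any
    task definition, whether by tag or by digest. With keep_tagged=True any image
    that still carries a tag is kept too (the heuristic from the answer above).
    `image_details` has the shape of ecr.describe_images()["imageDetails"]."""
    cutoff = now - timedelta(days=max_age_days)
    to_delete = []
    for img in image_details:
        tags = img.get("imageTags", [])
        refs = {f"{repo_uri}@{img['imageDigest']}"} | {f"{repo_uri}:{t}" for t in tags}
        if img["imagePushedAt"] >= cutoff or refs & in_use or (keep_tagged and tags):
            continue
        to_delete.append(img["imageDigest"])
    return to_delete


# Constructed sample data standing in for the AWS API responses.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
REPO = "123456789012.dkr.ecr.us-east-1.amazonaws.com/test"  # placeholder account/region
SAMPLE_IMAGES = [
    {"imageDigest": "sha256:" + "a" * 64, "imageTags": ["build-101"], "imagePushedAt": NOW - timedelta(days=90)},
    {"imageDigest": "sha256:" + "b" * 64, "imageTags": ["build-102"], "imagePushedAt": NOW - timedelta(days=60)},
    {"imageDigest": "sha256:" + "c" * 64, "imageTags": [], "imagePushedAt": NOW - timedelta(days=45)},
    {"imageDigest": "sha256:" + "d" * 64, "imageTags": ["build-103"], "imagePushedAt": NOW - timedelta(days=5)},
]
# The stopped service's task definition still points at build-101, so that 90-day-old image survives.
SAMPLE_IN_USE = {f"{REPO}:build-101"}

if __name__ == "__main__":
    print(plan_deletions(SAMPLE_IMAGES, REPO, SAMPLE_IN_USE, NOW))
```

In the Lambda, `in_use` would be the union of `collect_in_use_images(ecs, cluster)` over every cluster that can run the repository's images; the deletion loop then passes `plan_deletions(...)` to `batch_delete_image` as before.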