From dce36ec61ab77ef7244f757c6bec6ccd0c45c40d Mon Sep 17 00:00:00 2001
From: Kalil Smith-Nuevelle <kalilsn@gmail.com>
Date: Mon, 28 Apr 2025 11:51:46 -0500
Subject: [PATCH] Only keep 10 images at a time in ECR

---
 .../global_aws/.terraform.lock.hcl            | 66 +++++++++----------
 .../modules/ecr-repositories/main.tf          | 33 ++++++++++
 2 files changed, 66 insertions(+), 33 deletions(-)

diff --git a/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl b/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl
index 35b9288d6d..914234d06e 100644
--- a/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl
+++ b/infrastructure/terraform/environments/global_aws/.terraform.lock.hcl
@@ -2,47 +2,47 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/cloudflare/cloudflare" {
-  version     = "4.30.0"
+  version     = "4.52.0"
   constraints = "~> 4.0"
   hashes = [
-    "h1:FhhTF09/BBk37akGLFx9/uWkGUGwSNRub8vP80TaF7Q=",
-    "zh:218d1948b59e3d2e3af082724a0d057bcca5a5643c5e7c3b85eefc02430edd6b",
-    "zh:24eb677bc1b205565efb5c0d1c464f63d1e240aac61f5b2ef15165fe842cb7e2",
-    "zh:27896ed2a4f05f6a46ef25e674e445e89bd4bfba8cddbe95940109c6dc3179cc",
-    "zh:38b3b8297a9650b0ed09d57e0d802f5d851062bdadf72825652232c9a67346ac",
-    "zh:58d49ec9f414d0ff71e94cc991e1e3e33a13502ce0fea1393edd1297d0877bab",
-    "zh:5ed92c556e72cc4ea7fdf6db9e0dd7b093d179e26f2d2989b21a004a6402f2ae",
-    "zh:71f5c64702a7b2102f6d5edfd767953cd5b1248093c05983b909de06cf0c40cc",
-    "zh:788a023967db63b8eda9c0415851a743daf4073bab66b0bd1204bccbb54c9f8f",
-    "zh:7b9cd30355b4f63941284998167c3f3e5d208685e5176928275436de012f62d2",
+    "h1:Pi5M+GeoMSN2eJ6QnIeXjBf19O+rby/74CfB2ocpv20=",
+    "zh:19be1a91c982b902c42aba47766860dfa5dc151eed1e95fd39ca642229381ef0",
+    "zh:1de451c4d1ecf7efbe67b6dace3426ba810711afdd644b0f1b870364c8ae91f8",
+    "zh:352b4a2120173298622e669258744554339d959ac3a95607b117a48ee4a83238",
+    "zh:3c6f1346d9154afbd2d558fabb4b0150fc8d559aa961254144fe1bc17fe6032f",
+    "zh:4c4c92d53fb535b1e0eff26f222bbd627b97d3b4c891ec9c321268676d06152f",
+    "zh:53276f68006c9ceb7cdb10a6ccf91a5c1eadd1407a28edb5741e84e88d7e29e8",
+    "zh:7925a97773948171a63d4f65bb81ee92fd6d07a447e36012977313293a5435c9",
+    "zh:7dfb0a4496cfe032437386d0a2cd9229a1956e9c30bd920923c141b0f0440060",
     "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
-    "zh:923ec04258fde407f0fce80488268f4277ffac68fb7240eee4f4373a344c5469",
-    "zh:97473bdb848a7f77832fde6d0e68877bdcc17bf47ae3639fb09e1aeff4a92a01",
-    "zh:9b8754d8f7c15878ecb8897a6ffc4e9ec95f4e5f0560f4129af82a8200e602ea",
-    "zh:b890723ed524d34e7fbee6c119714be23e1783b82441ce4c18871c9d54f10cbd",
-    "zh:c75e0e5f406653c9b4928d97a38410ad7bb20d48e260c17ae3125a77b0457bf5",
+    "zh:8d4aa79f0a414bb4163d771063c70cd991c8fac6c766e685bac2ee12903c5bd6",
+    "zh:a67540c13565616a7e7e51ee9366e88b0dc60046e1d75c72680e150bd02725bb",
+    "zh:a936383a4767f5393f38f622e92bf2d0c03fe04b69c284951f27345766c7b31b",
+    "zh:d4887d73c466ff036eecf50ad6404ba38fd82ea4855296b1846d244b0f13c380",
+    "zh:e9093c8bd5b6cd99c81666e315197791781b8f93afa14fc2e0f732d1bb2a44b7",
+    "zh:efd3b3f1ec59a37f635aa1d4efcf178734c2fcf8ddb0d56ea690bec342da8672",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "5.33.0"
-  constraints = ">= 2.0.0"
+  version     = "5.96.0"
+  constraints = ">= 2.0.0, >= 4.0.0"
   hashes = [
-    "h1:kPm7PkwHh6tZ74pUj5C/QRPtauxdnzrEG2yhCJla/4o=",
-    "zh:10bb683f2a9306e881f51a971ad3b2bb654ac94b54945dd63769876a343b5b04",
-    "zh:3916406db958d5487ea0c2d2320012d1907c29e6d01bf693560fe05e38ee0601",
-    "zh:3cb54b76b2f9e30620f3281ab7fb20633b1e4584fc84cc4ecd5752546252e86f",
-    "zh:513bcfd6971482215c5d64725189f875cbcbd260c6d11f0da4d66321efd93a92",
-    "zh:545a34427ebe7a950056627e7c980c9ba16318bf086d300eb808ffc41c52b7a8",
-    "zh:5a44b90faf1c8e8269f389c04bfac25ad4766d26360e7f7ac371be12a442981c",
-    "zh:64e1ef83162f78538dccad8b035577738851395ba774d6919cb21eb465a21e3a",
-    "zh:7315c70cb6b7f975471ea6129474639a08c58c071afc95a36cfaa41a13ae7fb9",
-    "zh:9806faae58938d638b757f54414400be998dddb45edfd4a29c85e827111dc93d",
-    "zh:997fa2e2db242354d9f772fba7eb17bd6d18d28480291dd93f85a18ca0a67ac2",
+    "h1:a/VEUu6BGQSPlUAzbN+zqaDCdi0QGh/VzBgo2gCran0=",
+    "zh:3f7e734abb9d647c851f5cb987837d7c073c9cbf1f520a031027d827f93d3b68",
+    "zh:5ca9400360a803a11cf432ca203be9f09da8fff9c96110a83c9029102b18c9d5",
+    "zh:5d421f475d467af182a527b7a61d50105dc63394316edf1c775ef736f84b941c",
+    "zh:68f2328e7f3e7666835d6815b39b46b08954a91204f82a6f648c928a0b09a744",
+    "zh:6a4170e7e2764df2968d1df65efebda55273dfc36dc6741207afb5e4b7e85448",
+    "zh:73f2a15bee21f7c92a071e2520216d0a40041aca52c0f6682e540da8ffcfada4",
+    "zh:9843d6973aedfd4cbaafd7110420d0c4c1d7ef4a2eeff508294c3adcc3613145",
     "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:9f9e076b7e9752971f39eead6eda69df1c5e890c82ba2ca95f56974af7adfe79",
-    "zh:b1d6af047f96de7f97d38b685654f1aed4356d5060b0e696d87d0270f5d49f75",
-    "zh:bfb0654b6f34398aeffdf907b744af06733d168db610a2c5747263380f817ac7",
-    "zh:e25203ee8cedccf60bf450950d533d3c172509bda8af97dbc3bc817d2a503c57",
+    "zh:9d1abd6be717c42f2a6257ee227d3e9548c31f01c976ed7b32b2745a63659a67",
+    "zh:a70d642e323021d54a92f0daa81d096cb5067cb99ce116047a42eb1cb1d579a0",
+    "zh:b9a2b293208d5a0449275fae463319e0998c841e0bcd4014594a49ba54bb70d6",
+    "zh:ce0b0eb7ac24ff58c20efcb526c3f792a95be3617c795b45bbeea9f302903ae7",
+    "zh:dbbf98b3cd8003833c472bdb89321c17a9bbdc1b785e7e3d75f8af924ee5a0e4",
+    "zh:df86cf9311a4be8bb4a251196650653f97e01fbf5fe72deecc8f28a35a5352ae",
+    "zh:f92992881afd9339f3e539fcd90cfc1e9ed1356b5e760bbcc804314c3cd6837f",
   ]
 }
diff --git a/infrastructure/terraform/modules/ecr-repositories/main.tf b/infrastructure/terraform/modules/ecr-repositories/main.tf
index 862bb992e8..1dcb099050 100644
--- a/infrastructure/terraform/modules/ecr-repositories/main.tf
+++ b/infrastructure/terraform/modules/ecr-repositories/main.tf
@@ -10,6 +10,18 @@ terraform {
   }
 }
 
+data "aws_ecr_lifecycle_policy_document" "default_policy" {
+  rule {
+    priority    = 1
+    description = "Only keep 10 images at a time"
+
+    selection {
+      tag_status   = "any"
+      count_type   = "imageCountMoreThan"
+      count_number = 10
+    }
+  }
+}
 
 # ecr repositories for all containers
 resource "aws_ecr_repository" "pubpub_v7" {
@@ -20,7 +32,11 @@ resource "aws_ecr_repository" "pubpub_v7" {
     scan_on_push = false # can set this to true if we want
   }
 }
+resource "aws_ecr_lifecycle_policy" "pubpub_v7" {
+  repository = aws_ecr_repository.pubpub_v7.name
 
+  policy = data.aws_ecr_lifecycle_policy_document.default_policy.json
+}
 resource "aws_ecr_repository" "pubpub_v7_core" {
   name                 = "pubpub-v7-core"
   image_tag_mutability = "MUTABLE"
@@ -30,6 +46,12 @@ resource "aws_ecr_repository" "pubpub_v7_core" {
   }
 }
 
+resource "aws_ecr_lifecycle_policy" "pubpub_v7_core" {
+  repository = aws_ecr_repository.pubpub_v7_core.name
+
+  policy = data.aws_ecr_lifecycle_policy_document.default_policy.json
+}
+
 resource "aws_ecr_repository" "pubpub_v7_jobs" {
   name                 = "pubpub-v7-jobs"
   image_tag_mutability = "MUTABLE"
@@ -39,6 +61,12 @@ resource "aws_ecr_repository" "pubpub_v7_jobs" {
   }
 }
 
+resource "aws_ecr_lifecycle_policy" "pubpub_v7_jobs" {
+  repository = aws_ecr_repository.pubpub_v7_jobs.name
+
+  policy = data.aws_ecr_lifecycle_policy_document.default_policy.json
+}
+
 # tiny image that just removes the a path prefix
 resource "aws_ecr_repository" "nginx" {
   name                 = "nginx"
@@ -49,3 +77,8 @@ resource "aws_ecr_repository" "nginx" {
   }
 }
 
+resource "aws_ecr_lifecycle_policy" "nginx" {
+  repository = aws_ecr_repository.nginx.name
+
+  policy = data.aws_ecr_lifecycle_policy_document.default_policy.json
+}