Combining AWS ECR lifecycle rules using "and"

Tags:

amazon-ecr

I would like to set up an AWS ECR lifecycle policy such that an image is expired iff it is older than 90 days and there are at least 10 more recent images. In other words, I want to keep all images that are newer than 90 days, and I want to keep at least the newest 10 images regardless of how old they are.

If I am reading the documentation correctly, this is not possible:

An image is expired by exactly one or zero rules.

and a single rule cannot specify both sinceImagePushed and imageCountMoreThan.

Is this correct? Is there any workaround?

John Velonis asked Apr 10 '26 15:04


1 Answer

Yes, that is correct. You can play with test rules in the AWS ECR console without deleting anything ("Edit Test rules" button under Lifecycle policy). You'll quickly confirm that rules are only evaluated in order of priority and the first match will expire the image.

The only workaround would be disabling AWS Lifecycle policy, writing your own "cleanup service" that will call ECR API and evaluate each repo with custom logic. I haven't found anything off the shelf that does something like this unfortunately. That's how I came across this post :)

I'm probably gonna write my own implementation of this in the future. If I do, I'll probably publish the code and reply back.

Zarko answered Apr 14 '26 00:04
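A sketch of the "cleanup service" workaround described in the answer, added here as an example and not code from either poster: it expires an image only when it is older than 90 days and at least 10 newer images exist. The names `select_expired`, `cleanup_repository` and `sample_images` are hypothetical; the boto3 calls (`describe_images`, `batch_delete_image`) are the real ECR API and need credentials, so the deletion path defaults to a dry run.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # every image pushed within this window is kept
KEEP_NEWEST = 10              # the newest N images are kept regardless of age


def select_expired(images, now, max_age=MAX_AGE, keep_newest=KEEP_NEWEST):
    """Return digests that are older than max_age AND outside the newest keep_newest.

    `images` is a list of dicts shaped like the `imageDetails` entries returned
    by ECR DescribeImages; only imageDigest and imagePushedAt are read.
    """
    ordered = sorted(images, key=lambda i: i["imagePushedAt"], reverse=True)
    cutoff = now - max_age
    return [i["imageDigest"] for i in ordered[keep_newest:]
            if i["imagePushedAt"] < cutoff]


def cleanup_repository(repo, dry_run=True):
    """Apply the rule to one repository; returns the digests selected."""
    import boto3  # imported lazily so select_expired can be exercised offline
    ecr = boto3.client("ecr")
    images = []
    for page in ecr.get_paginator("describe_images").paginate(repositoryName=repo):
        images.extend(page["imageDetails"])
    expired = select_expired(images, datetime.now(timezone.utc))
    if not dry_run:
        for n in range(0, len(expired), 100):  # BatchDeleteImage accepts at most 100 ids
            ecr.batch_delete_image(
                repositoryName=repo,
                imageIds=[{"imageDigest": d} for d in expired[n:n + 100]],
            )
    return expired


def sample_images(now):
    """Constructed sample data: 12 images older than 90 days plus 3 recent ones."""
    old = [{"imageDigest": f"sha256:old{n:02d}",
            "imagePushedAt": now - timedelta(days=100 + n)} for n in range(12)]
    new = [{"imageDigest": f"sha256:new{n:02d}",
            "imagePushedAt": now - timedelta(days=n + 1)} for n in range(3)]
    return old + new
```

With the lifecycle policy disabled on the repository, `cleanup_repository("my-repo")` (placeholder name) lists what would be removed; pass `dry_run=False` only after reviewing that list.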