[ECR] [request]: Add configurability to ECR lifecycle policies to be able to specifically target image index artifacts and image signature artifacts. #2613

@axelfilisola

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Add configurability to ECR lifecycle policies to be able to specifically target image index artifacts and image signature artifacts.

Which service(s) is this request for?
Add configurability to ECR lifecycle policies to be able to specifically target image index artifacts and image signature artifacts.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

We are signing images in our ECR Repository according to this guidance: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-signing.html

We would like to implement an ECR Lifecycle Policy that only keeps the latest image. However, it appears the policy "Only keep 1 images total" does not do what we need because it will attempt to only keep 1 image, signature, or image index.

ECR lifecycle policies will fail sometimes due to a race condition between deleting an image and deleting its corresponding image index. If the lifecycle execution tries to delete the image index before deleting the image, it will fail - so it needs to know to delete the image first.

Here is an example of that error:

"lifecycleEventFailureDetails": [
    {
        "lifecycleEventImage": {
            "digest": "sha256:d2bce1a58adcbf52953ebbf0c6db8d1e1df48ac04bb8439407fbc50eeafe87d4",
            "tagStatus": "Untagged",
            "tagList": [],
            "pushedAt": 1746202309561
        },
        "rulePriority": 1,
        "failureCode": "ImageReferencedByManifestList",
        "failureReason": "Requested image referenced by manifest list: [sha256:524b569833fa9753c385fc062375b4c65f0d6d677fb962c09e39c653883ee695]"
    }
]

Are you currently working around this issue?

Tried to implement these lifecycle policies, but the race condition can occur and cause errors:

{
    "rules": [
        {
            "rulePriority": 1,
            "description": "Keep only latest tagged image",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["latest"],
                "countType": "imageCountMoreThan",
                "countNumber": 1
            },
            "action": {
                "type": "expire"
            }
        },
        {
            "rulePriority": 2,
            "description": "Remove untagged images",
            "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 1
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}

Additional context
N/A

Attachments
N/A
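As an added example (not code from the issue author or from AWS), the following Python models a repository that holds image indexes, their platform manifests and Notation signatures, and shows two things. First, what a count-based selection over every artifact does: it keeps the newest artifact regardless of kind, so with "keep 1" the most recent index and its platform images can be expired while only the signature pushed after them survives. Second, a deletion order for a cleanup script that never deletes a child image while an index still references it, which is the condition named by the ImageReferencedByManifestList failure quoted above, and that leaves alone any child still referenced by a surviving index. The artifact records, the mediaType/artifactType/subject/manifests fields and the sample repository are constructed for the example; only the BatchDeleteImage payload shape (repositoryName plus a list of imageDigest entries, at most 100 per call) is the real API's.

```python
"""Plan lifecycle deletes for a repository holding indexes, images and signatures.

Added example; not the issue author's code and not an AWS tool. Assumptions:
- every artifact is a dict with "digest", "pushedAt", "tags", "mediaType"
- an image index lists its platform manifests under "manifests"
- a Notation signature is an OCI artifact manifest whose "subject" names the
  signed manifest (the OCI referrers model); artifactType marks it
"""
from collections import defaultdict

NOTARY = "application/vnd.cncf.notary.signature"  # Notation signature artifactType


def kind(artifact):
    """Classify an artifact as index, signature or (platform/standalone) image."""
    if "image.index" in artifact["mediaType"]:
        return "index"
    if artifact.get("artifactType") == NOTARY:
        return "signature"
    return "image"


def referenced_by(artifacts):
    """Map digest -> set of digests that reference it (index->child, signature->subject)."""
    refs = defaultdict(set)
    for a in artifacts:
        for child in a.get("manifests", []):
            refs[child].add(a["digest"])
        if a.get("subject"):
            refs[a["subject"]].add(a["digest"])
    return refs


def naive_keep_n(artifacts, n):
    """What a count rule over *all* artifacts does: keep the newest n of any kind."""
    newest_first = sorted(artifacts, key=lambda a: a["pushedAt"], reverse=True)
    return [a["digest"] for a in newest_first[n:]]  # digests that would be expired


def plan_deletes(artifacts, keep):
    """Keep the newest `keep` logical images; return (safe delete order, blocked digests).

    A logical image is an index (with its platform manifests and signatures) or a
    standalone image manifest. A digest is deleted only after everything that
    references it is gone, so a child is never deleted under a live index; a child
    still referenced by a kept index is reported as blocked instead of deleted.
    """
    by_digest = {a["digest"]: a for a in artifacts}
    refs = referenced_by(artifacts)
    roots = [a for a in artifacts
             if kind(a) != "signature"
             and not any(kind(by_digest[r]) == "index" for r in refs[a["digest"]])]
    roots.sort(key=lambda a: a["pushedAt"], reverse=True)
    expired_roots = roots[keep:]

    candidates = set()
    for root in expired_roots:
        candidates.add(root["digest"])
        candidates.update(d for d in root.get("manifests", []) if d in by_digest)
    for a in artifacts:  # signatures hanging off anything we expire go too
        if kind(a) == "signature" and a.get("subject") in candidates:
            candidates.add(a["digest"])

    order, deleted = [], set()
    while True:
        ready = sorted(d for d in candidates - deleted if refs[d] <= deleted)
        if not ready:
            break
        order.extend(ready)
        deleted.update(ready)
    return order, sorted(candidates - deleted)


def batch_delete_requests(repository, order, chunk=100):
    """BatchDeleteImage payloads (max 100 imageIds each) in the planned order."""
    return [{"repositoryName": repository,
             "imageIds": [{"imageDigest": d} for d in order[i:i + chunk]]}
            for i in range(0, len(order), chunk)]


def sample_repository():
    """Constructed sample: two multi-arch releases, each signed after its index push."""
    def image(d, t, tags=()):
        return {"digest": d, "pushedAt": t, "tags": list(tags),
                "mediaType": "application/vnd.oci.image.manifest.v1+json"}

    def index(d, t, children, tags=()):
        return {"digest": d, "pushedAt": t, "tags": list(tags), "manifests": list(children),
                "mediaType": "application/vnd.oci.image.index.v1+json"}

    def signature(d, t, subject):
        return {"digest": d, "pushedAt": t, "tags": [], "subject": subject,
                "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "artifactType": NOTARY}

    return [
        image("sha256:a1", 100), image("sha256:a2", 101),
        index("sha256:a0", 102, ["sha256:a1", "sha256:a2"], tags=["v1"]),
        signature("sha256:a9", 103, "sha256:a0"),
        image("sha256:b1", 200), image("sha256:b2", 201),
        index("sha256:b0", 202, ["sha256:b1", "sha256:b2"], tags=["latest", "v2"]),
        signature("sha256:b9", 203, "sha256:b0"),
    ]


if __name__ == "__main__":
    repo = sample_repository()
    print("count rule 'keep 1' would expire:", naive_keep_n(repo, 1))
    order, blocked = plan_deletes(repo, keep=1)
    print("safe delete order:", order, "blocked:", blocked)
    for req in batch_delete_requests("my-app", order):
        print(req)
```

The delete order comes out as signature, then index, then platform manifests: each digest is released only once every artifact that references it is gone, which is the opposite of the order a count rule walking artifacts by push time may choose. Feeding the payloads to `aws ecr batch-delete-image` (or boto3's `batch_delete_image`) in that order is the workaround this planner is built for; it does not replace a lifecycle policy, since it runs outside the service.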

Labels: ECR, Amazon Elastic Container Registry, Proposed, Community submitted issue