check plan first

2026-06-08 11:17:27 +00:00 · 2026-02-02 18:27:55 +00:00 · 2026-02-02 18:27:55 +00:00 · 1a640d6d01
commit 1a640d6d01
parent 150da2a780
4 changed files with 41 additions and 7 deletions
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@ -55,4 +55,10 @@ jobs:
      - name: Terraform Plan (shared)
        run: |
          cd infrastructure/terraform/shared
-          terraform plan -var-file=dev.tfvars
+          terraform plan -var-file=dev.tfvars
+
+      # # only run once
+      # - name: Terraform Apply (shared)
+      #   run: |
+      #     cd infrastructure/terraform/shared
+      #     terraform apply -auto-approve -var-file=dev.tfvars
--- a/infrastructure/terraform/modules/ecr/main.tf
+++ b/infrastructure/terraform/modules/ecr/main.tf
@ -1,7 +1,6 @@
 resource "aws_ecr_repository" "my_repository" {
-  name                 = "${var.ecr_name}"
+  name                 = var.ecr_name
  image_tag_mutability = "MUTABLE"
-  # Allows overwriting image tags, change to IMMUTABLE if you want to prevent overwriting

  image_scanning_configuration {
    scan_on_push = true
@ -13,13 +12,27 @@ resource "aws_ecr_lifecycle_policy" "my_repository_policy" {

  policy = jsonencode({
    rules = [
+      # 1️⃣ PROTECT important environment tags forever
      {
        rulePriority = 1
-        description  = "Retain only the last 10 images"
-        selection    = {
+        description  = "Keep prod, main, dev images forever"
+        selection = {
+          tagStatus     = "tagged"
+          tagPrefixList = ["prod", "main", "dev"]
+        }
+        action = {
+          type = "retain"
+        }
+      },
+
+      # 2️⃣ Expire everything else beyond the most recent 20 images
+      {
+        rulePriority = 2
+        description  = "Expire old non-protected images"
+        selection = {
          tagStatus   = "any"
          countType   = "imageCountMoreThan"
-          countNumber = 10
+          countNumber = 20
        }
        action = {
          type = "expire"
@ -27,4 +40,4 @@ resource "aws_ecr_lifecycle_policy" "my_repository_policy" {
      }
    ]
  })
-}
+}
--- a/infrastructure/terraform/modules/ecr/outputs.tf
+++ b/infrastructure/terraform/modules/ecr/outputs.tf
@ -1,4 +1,10 @@
 output "ecr_repository_name" {
  description = "Name of the EPR repo in AWS"
  value       = aws_ecr_repository.my_repository.name
+}
+
+
+output "ecr_repository_url" {
+  description = "Full ECR repository URL"
+  value       = aws_ecr_repository.my_repository.repository_url
 }
--- a/infrastructure/terraform/shared/main.tf
+++ b/infrastructure/terraform/shared/main.tf
@ -288,4 +288,13 @@ module "ses" {

 output "ses_dns_records" {
  value = module.ses.dns_records
+}
+
+
+################################################
+# One ECR to rule all the lambdas
+################################################
+module "lambda_shared_ecr" {
+  source   = "../modules/ecr"
+  ecr_name = "lambda-shared-${var.stage}"
 }