From 9378fe7aa3100d46d52f4c42ccd02dcaec229639 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Tue, 6 Jan 2026 17:29:07 +0000
Subject: [PATCH 01/11] APM 6720 ecr lifecycle policy

---
 .../tasks/build-container.yml                 |  8 +++++
 ecr/ecr_lifecyle.json                         | 29 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 ecr/ecr_lifecyle.json

diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 56be84bb0..018d5dce9 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -31,3 +31,11 @@
   ansible.builtin.command:
     cmd: "docker push {{ image_name }}"
   when: build_result.rc == 0
+
+- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }}
+  ansible.builtin.command:
+    cmd: >
+      {{ aws_cmd }} ecr put-lifecycle-policy
+      --repository-name {{ service_id }}_{{ item }}
+      --lifecycle-policy-text file://{{ base_dir }}/ecr/ecr_lifecycle.json
+  when: lifecycle_check.rc != 0 and build_result.rc == 0
\ No newline at end of file
diff --git a/ecr/ecr_lifecyle.json b/ecr/ecr_lifecyle.json
new file mode 100644
index 000000000..79971883d
--- /dev/null
+++ b/ecr/ecr_lifecyle.json
@@ -0,0 +1,29 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Expire untagged images beyond the latest 3",
+      "selection": {
+        "tagStatus": "untagged",
+        "countType": "imageCountMoreThan",
+        "countNumber": 10
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Retain ECS-protected images",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 9999
+      },
+      "action": {
+        "type": "retain"
+      }
+    }
+  ]
+}

From 88fa44cbcbdf7c2de5a038ae93ff888d02dc7d26 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Fri, 9 Jan 2026 17:47:43 +0000
Subject: [PATCH 02/11] APM 6720 ecr lifecycle policy

---
 .../tasks/build-container.yml                 | 10 +++++-
 .../roles/deploy-ecs-proxies/tasks/main.yml   | 35 +++++++++++++++++++
 .../templates/terraform/locals.tf             |  2 +-
 ecr/ecr_lifecyle.json                         | 27 ++++++++++----
 4 files changed, 65 insertions(+), 9 deletions(-)

diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 018d5dce9..1314e2b96 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -32,10 +32,18 @@
     cmd: "docker push {{ image_name }}"
   when: build_result.rc == 0
 
+- name: Check if lifecycle policy exists for {{ service_id }}_{{ item }}
+  ansible.builtin.command: >
+    {{ aws_cmd }} ecr get-lifecycle-policy
+    --repository-name {{ service_id }}_{{ item }}
+  register: lifecycle_check
+  failed_when: false
+  changed_when: false
+
 - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }}
   ansible.builtin.command:
     cmd: >
       {{ aws_cmd }} ecr put-lifecycle-policy
       --repository-name {{ service_id }}_{{ item }}
       --lifecycle-policy-text file://{{ base_dir }}/ecr/ecr_lifecycle.json
-  when: lifecycle_check.rc != 0 and build_result.rc == 0
\ No newline at end of file
+  when: lifecycle_check.rc != 0 and build_result.rc == 0
diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
index 668c8cb0e..a72e962d8 100644
--- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml
+++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
@@ -82,6 +82,41 @@
       register: tfapply
       when: not do_not_terraform
 
+    - name: "{{ item.env }} | Login and pull image"
+      vars:
+        REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com"
+        IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
+        TAG: "{{ build_label }}"
+      shell: |
+        aws ecr get-login-password --region eu-west-2 \
+          | docker login --username AWS --password-stdin {{ REG }}
+
+        docker pull {{ REG }}/{{ IMG }}:{{ TAG }}
+      args:
+        executable: /bin/bash
+      loop:
+        - { env: "PTL",  account: "{{ PTL_ACCOUNT_ID }}" }
+        - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" }
+      loop_control:
+        label: "{{ item.env }}"
+    
+    - name: "{{ item.env }} | Retag and push image"
+      vars:
+        REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com"
+        IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
+        TAG: "{{ build_label }}"
+        NEW: "ecs-{{ build_label }}"
+      shell: |
+        docker tag  {{ REG }}/{{ IMG }}:{{ TAG }} {{ REG }}/{{ IMG }}:{{ NEW }}
+        docker push {{ REG }}/{{ IMG }}:{{ NEW }}
+      args:
+        executable: /bin/bash
+      loop:
+        - { env: "PTL",  account: "{{ PTL_ACCOUNT_ID }}" }
+        - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" }
+      loop_control:
+        label: "{{ item.env }}"
+
   rescue:
     - name: output plan
       debug:
diff --git a/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf b/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
index c01c869d5..9556883d4 100644
--- a/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
+++ b/ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf
@@ -49,7 +49,7 @@ locals {
         (
           container
           | combine(
-            {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':' + build_label }
+            {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':ecs-' + build_label }
           )
         ) | to_json
     }},
diff --git a/ecr/ecr_lifecyle.json b/ecr/ecr_lifecyle.json
index 79971883d..39f3c60d2 100644
--- a/ecr/ecr_lifecyle.json
+++ b/ecr/ecr_lifecyle.json
@@ -2,11 +2,12 @@
   "rules": [
     {
       "rulePriority": 1,
-      "description": "Expire untagged images beyond the latest 3",
+      "description": "Keep the latest 2 ECS release builds",
       "selection": {
-        "tagStatus": "untagged",
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
         "countType": "imageCountMoreThan",
-        "countNumber": 10
+        "countNumber": 2
       },
       "action": {
         "type": "expire"
@@ -14,15 +15,27 @@
     },
     {
       "rulePriority": 2,
-      "description": "Retain ECS-protected images",
+      "description": "Keep the latest 2 PR builds",
       "selection": {
         "tagStatus": "tagged",
-        "tagPrefixList": ["ecs-"],
+        "tagPrefixList": [""],
+        "countType": "imageCountMoreThan",
+        "countNumber": 2
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 3,
+      "description": "Delete ALL untagged images",
+      "selection": {
+        "tagStatus": "untagged",
         "countType": "imageCountMoreThan",
-        "countNumber": 9999
+        "countNumber": 0
       },
       "action": {
-        "type": "retain"
+        "type": "expire"
       }
     }
   ]

From e753c09879a8434670cca44f221881e47137a514 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Tue, 13 Jan 2026 15:03:11 +0000
Subject: [PATCH 03/11] file location update

---
 .../build-ecs-proxies/files}/ecr_lifecyle.json  | 17 +++++++++--------
 .../build-ecs-proxies/tasks/build-container.yml |  2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)
 rename {ecr => ansible/roles/build-ecs-proxies/files}/ecr_lifecyle.json (58%)

diff --git a/ecr/ecr_lifecyle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json
similarity index 58%
rename from ecr/ecr_lifecyle.json
rename to ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json
index 39f3c60d2..58a08f455 100644
--- a/ecr/ecr_lifecyle.json
+++ b/ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json
@@ -2,12 +2,12 @@
   "rules": [
     {
       "rulePriority": 1,
-      "description": "Keep the latest 2 ECS release builds",
+      "description": "Always keep the latest 500 ECS builds -AMEND NUMBER AFTER TEST",
       "selection": {
         "tagStatus": "tagged",
         "tagPrefixList": ["ecs-"],
         "countType": "imageCountMoreThan",
-        "countNumber": 2
+        "countNumber": 500
       },
       "action": {
         "type": "expire"
@@ -15,12 +15,12 @@
     },
     {
       "rulePriority": 2,
-      "description": "Keep the latest 2 PR builds",
+      "description": "Keep the latest 50 non‑ECS builds -AMEND NUMBER AFTER TEST",
       "selection": {
         "tagStatus": "tagged",
-        "tagPrefixList": [""],
+        "tagPatternList": ["*"],
         "countType": "imageCountMoreThan",
-        "countNumber": 2
+        "countNumber": 500
       },
       "action": {
         "type": "expire"
@@ -28,11 +28,12 @@
     },
     {
       "rulePriority": 3,
-      "description": "Delete ALL untagged images",
+      "description": "Expire untagged images older than 3 days",
       "selection": {
         "tagStatus": "untagged",
-        "countType": "imageCountMoreThan",
-        "countNumber": 0
+        "countType": "sinceImagePushed",
+        "countUnit": "days",
+        "countNumber": 3
       },
       "action": {
         "type": "expire"
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 1314e2b96..c3e00a836 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -45,5 +45,5 @@
     cmd: >
       {{ aws_cmd }} ecr put-lifecycle-policy
       --repository-name {{ service_id }}_{{ item }}
-      --lifecycle-policy-text file://{{ base_dir }}/ecr/ecr_lifecycle.json
+      --lifecycle-policy-text file://{{ base_dir }}/files/ecr_lifecycle.json
   when: lifecycle_check.rc != 0 and build_result.rc == 0

From cd2c70518858d24fae14e625cf5af0524e4bd1b8 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Tue, 13 Jan 2026 15:57:21 +0000
Subject: [PATCH 04/11] file location update

---
 ansible/roles/build-ecs-proxies/tasks/build-container.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index c3e00a836..03590a1fa 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -45,5 +45,11 @@
     cmd: >
       {{ aws_cmd }} ecr put-lifecycle-policy
       --repository-name {{ service_id }}_{{ item }}
-      --lifecycle-policy-text file://{{ base_dir }}/files/ecr_lifecycle.json
+      --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
   when: lifecycle_check.rc != 0 and build_result.rc == 0
+
+- debug:
+    msg: "ROLE PATH = {{ role_path }}"
+- debug:
+    msg: "BASE DIR = {{ base_dir }}"
+

From a2978eb55d33df01b05b02dad14132a9203e1edd Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Tue, 13 Jan 2026 16:24:22 +0000
Subject: [PATCH 05/11] file location update

---
 .../tasks/build-container.yml                 | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 03590a1fa..0b2991ab0 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -40,6 +40,21 @@
   failed_when: false
   changed_when: false
 
+- debug: 
+    msg:
+      - "ROLE PATH = {{ role_path }}" 
+      - "BASE DIR = {{ base_dir }}" 
+      - "PWD = {{ lookup('env','PWD') }}"
+
+- name: List contents of the role directory
+  ansible.builtin.command: "ls -R {{ role_path }}"
+  register: ls_role
+  changed_when: false
+  failed_when: false
+
+- debug:
+    var: ls_role.stdout_lines
+
 - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }}
   ansible.builtin.command:
     cmd: >
@@ -47,9 +62,3 @@
       --repository-name {{ service_id }}_{{ item }}
       --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
   when: lifecycle_check.rc != 0 and build_result.rc == 0
-
-- debug:
-    msg: "ROLE PATH = {{ role_path }}"
-- debug:
-    msg: "BASE DIR = {{ base_dir }}"
-

From 5df07cc0765c2912df8cacdf8f5c75e94c9e48b3 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Tue, 13 Jan 2026 16:58:37 +0000
Subject: [PATCH 06/11] filename corrected

---
 .../{ecr_lifecyle.json => ecr_lifecycle.json}     |  0
 .../build-ecs-proxies/tasks/build-container.yml   | 15 ---------------
 2 files changed, 15 deletions(-)
 rename ansible/roles/build-ecs-proxies/files/{ecr_lifecyle.json => ecr_lifecycle.json} (100%)

diff --git a/ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json b/ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json
similarity index 100%
rename from ansible/roles/build-ecs-proxies/files/ecr_lifecyle.json
rename to ansible/roles/build-ecs-proxies/files/ecr_lifecycle.json
diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 0b2991ab0..079f23b80 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -40,21 +40,6 @@
   failed_when: false
   changed_when: false
 
-- debug: 
-    msg:
-      - "ROLE PATH = {{ role_path }}" 
-      - "BASE DIR = {{ base_dir }}" 
-      - "PWD = {{ lookup('env','PWD') }}"
-
-- name: List contents of the role directory
-  ansible.builtin.command: "ls -R {{ role_path }}"
-  register: ls_role
-  changed_when: false
-  failed_when: false
-
-- debug:
-    var: ls_role.stdout_lines
-
 - name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }}
   ansible.builtin.command:
     cmd: >

From ddefb2f0ffc1fd22881da3f39b75b625fc946903 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Tue, 13 Jan 2026 17:46:42 +0000
Subject: [PATCH 07/11] updating iam permissions

---
 .../templates/terraform/iam.tf                     | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
index 29eb55a3e..775b01a11 100644
--- a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
+++ b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
@@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" {
       "ecr:DescribeRepositories",
       "ecr:ListImages",
       "ecr:DescribeImages",
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy",
       "s3:GetObject"
     ]
 
@@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" {
 
   }
 
+  statement {
+    actions = [
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy"
+    ]
+
+    resources = [
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}",
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*"
+    ]
+  }
+
   statement {
     actions = [
       "s3:ListBucket",

From 53e4fb543450ff8d5c522d317a79fac6e600a556 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Wed, 14 Jan 2026 10:21:59 +0000
Subject: [PATCH 08/11] ecr policy put permissions

---
 ansible/roles/create-ecr-build-role/vars/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/roles/create-ecr-build-role/vars/main.yml b/ansible/roles/create-ecr-build-role/vars/main.yml
index c40db5b1a..817fd7bb0 100644
--- a/ansible/roles/create-ecr-build-role/vars/main.yml
+++ b/ansible/roles/create-ecr-build-role/vars/main.yml
@@ -44,6 +44,7 @@ aws_ecs_policy:
         - "ecr:StartImageScan"
         - "ecr:StartLifecyclePolicyPreview"
         - "ecr:UploadLayerPart"
+        - "ecr:PutLifecyclePolicy"
       Resource: [
         "arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*"
       ]

From cbd0df6b4cef94d1b9324cfd7b77ddfaa10d77d5 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Wed, 14 Jan 2026 12:54:36 +0000
Subject: [PATCH 09/11] tagging ecs

---
 .../roles/deploy-ecs-proxies/tasks/main.yml   | 41 +++++++------------
 1 file changed, 15 insertions(+), 26 deletions(-)

diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
index a72e962d8..f70aa3456 100644
--- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml
+++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
@@ -82,40 +82,29 @@
       register: tfapply
       when: not do_not_terraform
 
-    - name: "{{ item.env }} | Login and pull image"
+    - name: Retag and promote ECS image (release pipelines only)
+      when: pr_number is not defined or pr_number == ""
       vars:
-        REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com"
+        PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+        PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
         IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
         TAG: "{{ build_label }}"
+        NEW: "ecs-{{ build_label }}"
       shell: |
         aws ecr get-login-password --region eu-west-2 \
-          | docker login --username AWS --password-stdin {{ REG }}
+          | docker login --username AWS --password-stdin {{ PTL_REG }}
 
-        docker pull {{ REG }}/{{ IMG }}:{{ TAG }}
-      args:
-        executable: /bin/bash
-      loop:
-        - { env: "PTL",  account: "{{ PTL_ACCOUNT_ID }}" }
-        - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" }
-      loop_control:
-        label: "{{ item.env }}"
-    
-    - name: "{{ item.env }} | Retag and push image"
-      vars:
-        REG: "{{ item.account }}.dkr.ecr.eu-west-2.amazonaws.com"
-        IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
-        TAG: "{{ build_label }}"
-        NEW: "ecs-{{ build_label }}"
-      shell: |
-        docker tag  {{ REG }}/{{ IMG }}:{{ TAG }} {{ REG }}/{{ IMG }}:{{ NEW }}
-        docker push {{ REG }}/{{ IMG }}:{{ NEW }}
+        docker pull {{ PTL_REG }}/{{ IMG }}:{{ TAG }}
+        docker tag {{ PTL_REG }}/{{ IMG }}:{{ TAG }} {{ PTL_REG }}/{{ IMG }}:{{ NEW }}
+        docker push {{ PTL_REG }}/{{ IMG }}:{{ NEW }}
+
+        aws ecr get-login-password --region eu-west-2 \
+          | docker login --username AWS --password-stdin {{ PROD_REG }}
+
+        docker tag {{ PTL_REG }}/{{ IMG }}:{{ NEW }} {{ PROD_REG }}/{{ IMG }}:{{ NEW }}
+        docker push {{ PROD_REG }}/{{ IMG }}:{{ NEW }}
       args:
         executable: /bin/bash
-      loop:
-        - { env: "PTL",  account: "{{ PTL_ACCOUNT_ID }}" }
-        - { env: "PROD", account: "{{ PROD_ACCOUNT_ID }}" }
-      loop_control:
-        label: "{{ item.env }}"
 
   rescue:
     - name: output plan

From dd037bfbde47ee998d878054d3853504ab5da7b4 Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Wed, 14 Jan 2026 17:01:31 +0000
Subject: [PATCH 10/11] lifecycle policy

---
 .../tasks/build-container.yml                 | 28 +++++++++++++------
 .../roles/deploy-ecs-proxies/tasks/main.yml   |  2 +-
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/ansible/roles/build-ecs-proxies/tasks/build-container.yml b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
index 079f23b80..4977c58c5 100644
--- a/ansible/roles/build-ecs-proxies/tasks/build-container.yml
+++ b/ansible/roles/build-ecs-proxies/tasks/build-container.yml
@@ -32,18 +32,28 @@
     cmd: "docker push {{ image_name }}"
   when: build_result.rc == 0
 
-- name: Check if lifecycle policy exists for {{ service_id }}_{{ item }}
+- name: Get existing lifecycle policy JSON for {{ service_id }}_{{ item }}
   ansible.builtin.command: >
     {{ aws_cmd }} ecr get-lifecycle-policy
     --repository-name {{ service_id }}_{{ item }}
-  register: lifecycle_check
+    --query 'lifecyclePolicyText'
+    --output text
+  register: existing_policy
   failed_when: false
   changed_when: false
 
-- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }}
-  ansible.builtin.command:
-    cmd: >
-      {{ aws_cmd }} ecr put-lifecycle-policy
-      --repository-name {{ service_id }}_{{ item }}
-      --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
-  when: lifecycle_check.rc != 0 and build_result.rc == 0
+- name: Read lifecycle policy from the local file
+  ansible.builtin.slurp:
+    src: "{{ role_path }}/files/ecr_lifecycle.json"
+  register: desired_policy_raw
+
+- name: Decode lifecycle policy file
+  set_fact:
+    desired_policy: "{{ desired_policy_raw.content | b64decode }}"
+
+- name: Apply lifecycle policy to ecr {{ service_id }}_{{ item }} if different
+  ansible.builtin.command: >
+    {{ aws_cmd }} ecr put-lifecycle-policy
+    --repository-name {{ service_id }}_{{ item }}
+    --lifecycle-policy-text file://{{ role_path }}/files/ecr_lifecycle.json
+  when: existing_policy.stdout != desired_policy and build_result.rc == 0
\ No newline at end of file
diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
index f70aa3456..6413cf0ed 100644
--- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml
+++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
@@ -83,7 +83,7 @@
       when: not do_not_terraform
 
     - name: Retag and promote ECS image (release pipelines only)
-      when: pr_number is not defined or pr_number == ""
+      #when: pr_number is not defined or pr_number == ""
       vars:
         PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
         PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"

From 7bd107aa91062fcfdc872e938bcfde604c403b5c Mon Sep 17 00:00:00 2001
From: CLJ2006 <clarissa.john2@nhs.net>
Date: Wed, 14 Jan 2026 17:33:16 +0000
Subject: [PATCH 11/11] test ecr lifecycle policy

---
 ansible/roles/deploy-ecs-proxies/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/deploy-ecs-proxies/tasks/main.yml b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
index 6413cf0ed..895f6d958 100644
--- a/ansible/roles/deploy-ecs-proxies/tasks/main.yml
+++ b/ansible/roles/deploy-ecs-proxies/tasks/main.yml
@@ -86,7 +86,7 @@
       #when: pr_number is not defined or pr_number == ""
       vars:
         PTL_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
-        PROD_REG: "{{ PROD_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
+        PROD_REG: "{{ PTL_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com"
         IMG: "{{ service_id }}_{{ ecs_service[0].name }}"
         TAG: "{{ build_label }}"
         NEW: "ecs-{{ build_label }}"