apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: ecs-public-ip
  labels:
    ecs.aws.tags.kyverno.io: 'ecs-service'
  annotations:
    title.policy.kyverno.io: ECS public IP
    description.policy.kyverno.io: This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.
spec:
  rules:
    - name: ecs-public-ip
      match:
        any:
        - type: aws_ecs_service
      context:
      - name: allowed-values
        variable: [false]
      assert:
        all:
        - message: "ECS services should not have public IP addresses assigned to them automatically"
          check:
            values:
              ~.network_configuration:
                (contains('$allowed-values', @.assign_public_ip)): false