
cost: eliminate NAT gateways by running Fargate tasks in public subnets #28

Open

jesserockz wants to merge 1 commit into main from jesserockz-2026-067

Conversation

jesserockz (Member) commented Apr 12, 2026

Summary

NAT gateways account for ~$74/month (~63% of our total AWS bill) despite serving a single low-traffic Fargate task. This PR eliminates them by moving Fargate tasks to public subnets with a public IP, while keeping the ALB as the sole ingress point.

Changes

New public_task variable on the webservice module

  • false by default — existing behaviour is fully preserved for any service that needs to stay in a private subnet
  • When true: task is placed in public subnets with assign_public_ip = true, and the container security group is tightened to accept inbound traffic from the ALB security group only (replacing the previous 0.0.0.0/0 rule)

New enable_nat_gateway variable on the infrastructure/region module

  • true by default — NAT gateways, EIPs, and private route table routes are still created unless explicitly disabled
  • Private subnets themselves are always provisioned so any future service can opt back into private networking without infrastructure changes
  • Set to false for this deployment since service-hub-bots is the only service and is switching to public_task = true

service_hub_bots

  • Sets public_task = true

Cost impact

| Resource                      | Before    | After   | Monthly saving |
|-------------------------------|-----------|---------|----------------|
| NAT Gateway hours (2×)        | $66.96    | $0      | $66.96         |
| NAT data processing           | $0.02     | $0      | $0.02          |
| EIP charges (2× NAT EIPs)     | ~$7.44    | $0      | ~$7.44         |
| Total                         | ~$117/mo  | ~$43/mo | ~$74/mo        |

Security considerations

The Fargate task will have a public IP assigned by AWS. It is not directly reachable from the internet in practice — the container security group only permits inbound traffic on port 5000 from the ALB security group. All external traffic continues to enter through the ALB on port 443.

Alternatives considered

  • Single NAT gateway: reduces cost by ~$37/month but does not eliminate it
  • NAT instance (fck-nat): ~$3/month, but adds EC2 operational overhead

Rollback

Set enable_nat_gateway = true and public_task = false in the relevant workspaces and re-apply. No data is at risk — subnets and route tables are recreated cleanly by Terraform.
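The wiring the PR describes, written out as an added Terraform example (this is illustrative code, not the repository's own `webservice` or `infrastructure/region` modules). The resource names (`aws_security_group.task`, `aws_ecs_service.this`, `aws_subnet.public`, `aws_route_table.private`) and the inputs `var.public_subnet_ids`, `var.private_subnet_ids`, `var.alb_security_group_id`, `var.container_port`, `var.azs`, `var.name`, `var.vpc_id`, `var.cluster_id` and `aws_ecs_task_definition.this` are assumptions chosen for the example; the two booleans `public_task` and `enable_nat_gateway` and their defaults are the ones the PR introduces.

```hcl
# --- webservice module (added example; names other than public_task are assumed) ---

variable "public_task" {
  type        = bool
  default     = false # default keeps today's behaviour: private subnets, no public IP
  description = "Place the task in public subnets with a public IP so it needs no NAT gateway."
}

# Container security group. Ingress is attached as separate rules below so that the
# only inbound rule is the ALB-sourced one; there is deliberately no 0.0.0.0/0 ingress.
resource "aws_security_group" "task" {
  name   = "${var.name}-task"
  vpc_id = var.vpc_id
}

# Inbound: only members of the ALB security group may reach the container port.
# Referencing the ALB SG (not a CIDR) is what keeps the public IP unreachable
# from the internet even though the ENI now sits in a public subnet.
resource "aws_security_group_rule" "task_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.task.id
  from_port                = var.container_port # 5000 for service-hub-bots
  to_port                  = var.container_port
  protocol                 = "tcp"
  source_security_group_id = var.alb_security_group_id
}

# Outbound: unrestricted, so image pulls and API calls work via the IGW when public.
resource "aws_security_group_rule" "task_egress" {
  type              = "egress"
  security_group_id = aws_security_group.task.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_ecs_service" "this" {
  name            = var.name
  cluster         = var.cluster_id
  task_definition = aws_ecs_task_definition.this.arn
  launch_type     = "FARGATE"
  desired_count   = 1

  network_configuration {
    # One flag drives both the subnet choice and the public IP assignment, so the
    # two settings cannot drift apart (a public subnet without a public IP has no
    # egress path once the NAT gateway is gone).
    subnets          = var.public_task ? var.public_subnet_ids : var.private_subnet_ids
    security_groups  = [aws_security_group.task.id]
    assign_public_ip = var.public_task
  }
}

# --- infrastructure/region module (added example) ---

variable "enable_nat_gateway" {
  type        = bool
  default     = true # default keeps NAT gateways, EIPs and private default routes
  description = "Create one NAT gateway per AZ and route private subnets through it."
}

# Private subnets and their route tables are always created (not shown); only the
# NAT gateways, their EIPs and the 0.0.0.0/0 routes are conditional.
resource "aws_eip" "nat" {
  count  = var.enable_nat_gateway ? length(var.azs) : 0
  domain = "vpc"
}

resource "aws_nat_gateway" "this" {
  count         = var.enable_nat_gateway ? length(var.azs) : 0
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = aws_subnet.public[count.index].id
}

resource "aws_route" "private_default" {
  count                  = var.enable_nat_gateway ? length(var.azs) : 0
  route_table_id         = aws_route_table.private[count.index].id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[count.index].id
}
```

Two things worth checking before applying a change of this shape: `terraform plan` should show the NAT gateways, their EIPs and the private default routes being destroyed and nothing else in the VPC being replaced; and the task security group should end up with exactly one ingress rule whose source is the ALB security group (inspect it with `aws ec2 describe-security-groups --group-ids <task-sg-id>` and confirm there is no `0.0.0.0/0` entry under `IpPermissions`). One caveat the PR's security section does not cover: a Fargate task's public IP is drawn from the AWS pool and changes whenever the task is replaced, so anything downstream that allowlisted the NAT gateways' fixed EIPs will need a different control once those EIPs are gone.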
