cost: eliminate NAT gateways by running Fargate tasks in public subnets

.modules/webservice/ecs.tf

@@ -9,8 +9,9 @@ resource "aws_ecs_service" "webservice" {
   launch_type                        = var.launch_type
 
   network_configuration {
-    subnets         = data.tfe_outputs.infrastructure.values[var.region].private_subnets
-    security_groups = [aws_security_group.container_sg.id]
+    subnets          = var.public_task ? data.tfe_outputs.infrastructure.values[var.region].public_subnets : data.tfe_outputs.infrastructure.values[var.region].private_subnets
+    security_groups  = [aws_security_group.container_sg.id]
+    assign_public_ip = var.public_task
   }
 
   depends_on = [

.modules/webservice/network.tf

@@ -33,16 +33,17 @@ resource "aws_security_group" "container_sg" {
   }
 
   ingress {
-    description = "Web traffic"
-    from_port   = var.port
-    protocol    = "tcp"
-    to_port     = var.port
-    cidr_blocks = ["0.0.0.0/0"]
+    description     = var.public_task ? "Web traffic from ALB only" : "Web traffic"
+    from_port       = var.port
+    protocol        = "tcp"
+    to_port         = var.port
+    security_groups = var.public_task ? [aws_security_group.lb_sg.id] : []
+    cidr_blocks     = var.public_task ? [] : ["0.0.0.0/0"]
   }
 
   tags = {
     Region = var.region
-    Zone   = "private"
+    Zone   = var.public_task ? "public" : "private"
   }
 }
 

.modules/webservice/variables.tf

@@ -77,3 +77,9 @@ variable "rolling_updates" {
   default     = false
   type        = bool
 }
+
+variable "public_task" {
+  description = "Run the Fargate task in a public subnet with a public IP, removing the need for a NAT gateway"
+  default     = false
+  type        = bool
+}

infrastructure/main.tf

@@ -13,8 +13,9 @@ provider "aws" {
 }
 
 module "us_east_1" {
-  source       = "./region"
-  region       = "us-east-1"
-  ecs_policy   = aws_iam_instance_profile.ecs_instance_profile.arn
-  network_cidr = var.network_cidr["us-east-1"]
+  source             = "./region"
+  region             = "us-east-1"
+  ecs_policy         = aws_iam_instance_profile.ecs_instance_profile.arn
+  network_cidr       = var.network_cidr["us-east-1"]
+  enable_nat_gateway = false
 }

infrastructure/region/network.tf

@@ -30,7 +30,7 @@ resource "aws_route_table" "public" {
 }
 
 resource "aws_eip" "nat" {
-  count = 2
+  count = var.enable_nat_gateway ? 2 : 0
 
   vpc = true
 
@@ -42,7 +42,7 @@ resource "aws_eip" "nat" {
 }
 
 resource "aws_nat_gateway" "gw_nat" {
-  count = 2
+  count = var.enable_nat_gateway ? 2 : 0
 
   allocation_id = aws_eip.nat[count.index].id
   subnet_id     = aws_subnet.public[count.index].id
@@ -53,7 +53,7 @@ resource "aws_nat_gateway" "gw_nat" {
 }
 
 resource "aws_route_table" "private" {
-  count = 2
+  count = var.enable_nat_gateway ? 2 : 0
 
   vpc_id = aws_vpc.network.id
 

infrastructure/region/subnet.tf

@@ -36,7 +36,7 @@ resource "aws_route_table_association" "public" {
 }
 
 resource "aws_route_table_association" "private" {
-  count = 2
+  count = var.enable_nat_gateway ? 2 : 0
 
   subnet_id      = aws_subnet.private[count.index].id
   route_table_id = aws_route_table.private[count.index].id

infrastructure/region/variables.tf

@@ -12,3 +12,9 @@ variable "ecs_policy" {
   description = "The name attribute of the IAM instance profile"
   type        = string
 }
+
+variable "enable_nat_gateway" {
+  description = "Create NAT gateways and route private subnets through them. Set to false when all services use public_task = true."
+  type        = bool
+  default     = true
+}

service_hub_bots/main.tf

@@ -33,6 +33,7 @@ module "webservice_service_hub_bots" {
   port              = 5000
   healthcheck_path  = "/__heartbeat__"
   rolling_updates   = true
+  public_task       = true
 
   container_definitions = {
     "command" : [