385: Put APIGateway in front of private loadbalancer

[chriswilty]

Description

Before we start using our spylogic.ai domain, I wanted to be able to stand up the application and test front-to-back, particularly given the difficulties around configuring secure cookies. For this, API Gateway seemed ideal... There were a few hiccups along the way, and some Express wrangling was needed (which can hopefully be removed once we are using spylogic.ai) but it all appears to work - remotely and locally.

Resolves #385

Screenshots

I may as well put a screenshot here of it deployed in AWS... Can do that once our new AWS account is up and running.

Notes

• There are a few things still to cleanup, will do that shortly - hence PR is a draft for now.
• I've tested that it still works locally, but worth testing your own local too.
• I will close #385 after merging this PR, and handle reverting the API Gateway stuff and making our Application Load Balancer secure in #809

Checklist

Have you done the following?

• [x] Linked the relevant Issue
• [ ] Added tests
• [x] Ensured the workflow steps are passing

[pmarsh-scottlogic]

by the way, looks like you can merge this without approval. I didn't know it that's what you wanted for the branch protections