Route egress via API Gateway proxy

[rossjrw]

This circumvents costs associated with EIPs by routing external requests through an API Gateway hosting a serverless proxy.

• Resolves #87

Serverless proxy is in place already.

• [x] Route WD requests
• [x] Route Secrets Manager requests
• [ ] Route S3 requests - I don't think this is necessary because there's the option of using a Gateway-type PrivateLink for S3 (which is free), but needs verification (I haven't put any security group on it yet, and haven't even worked out if I need to access it from a specific URL, so it probably doesn't work right now
• [ ] Route email requests - have been approved for SES for this purpose

[rossjrw]

Closed: this isn't how API Gateway works at all, despite what I read which led me to believe it was a potential solution.

API Gateway is called from the internet and can trigger a private Lambda.

It cannot be called from a private Lambda to trigger something on the internet.

(It can be called from the internet to trigger something on the internet.)

Fundamentally, communication with API Gateway requires access to the API Gateway public DNS, which needs access to the internet. Therefore it is not possible to access.

There is the concept of a 'VPC Link' between the Gateway and private stuff in a VPC, but this is only used to allow the Gateway to trigger something in the VPC, not be called from it.