ECS Fargate terraform example causes problems with 1Password firewall #368
Description
The example for deploying to ECS Fargate places the task in a public VPC subnet, which means, at least when using Fargate, it's not possible to ensure that outgoing traffic comes from a specific IP address or set of IP addresses - if the task was deployed to a private subnet, then all outbound traffic to the Internet would come from the elastic IP address of NAT gateway. In a public subnet, a fargate service can have a public IP address (and indeed, the example configuration in this repository gives it one), but you have no control over what that IP address is, and as it is not an elastic IP address, it can change without warning.
For incoming traffic, this is not really a problem, as all incoming traffic goes through the load balancer, and not through the service's public IP address. But, outgoing traffic from the SCIM bridge (such as that going to 1password.com) has as its source IP address the public IP address of the service itself, when the service is deployed as shown in the example. However, 1Password recommends setting up a Firewall rule (within the 1Password admin policies) that blocks access from anonymous IP addresses such as from public cloud providers. This would be fine, if we could an explicit exception to the rule by explicitly allowing the IP address of the SCIM bridge, but of course, that won't work if the SCIM bridge doens't have a fixed IP address.
Anyway, all of that is a long-winded way of suggesting that the example deployment should probably place the SCIM bridge in a private subnet with a NAT gateway, to allow outbound traffic to come from a knowable (and thus allowlistable) IP address.