The API Gateway is only useful when external traffic is expected. In cases where all traffic will be internal to the VPC in which Metaflow is hosted, the API Gateway only adds value if it's used for additional access control. It's also a liability because the only way to deny all incoming traffic is to misuse the access_list_cidr_blocks variable to make the API Gateway's resource policy allow traffic only from an impossible IP range.
I see two solutions here:
1. If the API Gateway is useful even for all-private traffic (e.g. to allow other forms of access control), then it should be possible to make it private.
2. If the API Gateway is not useful for all-private traffic, then it should be possible to disable it in the module.
I think the first solution is preferable in the long run, but the second is simpler to implement. I'm happy to open a PR but I'm not sure which way to go.