Fix 6 P1 infrastructure issues from code review (FRE-4574)

- ALB: deploy to public subnets instead of private (adds public_subnet_ids var)
- ECS: fix launch_desired_count → launch_type = FARGATE
- Secrets: accept actual RDS/ElastiCache endpoints from parent module
- Deploy: fix circular dependency (needs.detect → steps.detect)
- Health check: dynamic ALB DNS lookup via aws elbv2 CLI
- Health check: exit 1 on failure so rollback triggers

Co-Authored-By: Paperclip <noreply@paperclip.ing>

infra/modules/ecs/main.tf

@@ -14,7 +14,12 @@ variable "vpc_id" {
 }
 
 variable "subnet_ids" {
-  description = "Private subnet IDs"
+  description = "Private subnet IDs for ECS tasks"
+  type        = list(string)
+}
+
+variable "public_subnet_ids" {
+  description = "Public subnet IDs for ALB"
   type        = list(string)
 }
 
@@ -273,7 +278,7 @@ resource "aws_ecs_service" "services" {
   task_definition = aws_ecs_task_definition.services[each.key].arn
   desired_count   = var.environment == "production" ? 3 : 1
 
-  launch_desired_count = "FARGATE"
+  launch_type = "FARGATE"
 
   network_configuration {
     subnets          = var.subnet_ids
@@ -307,7 +312,7 @@ resource "aws_lb" "main" {
   internal           = false
   load_balancer_type = "application"
   security_groups    = var.security_group_ids
-  subnets            = var.subnet_ids
+  subnets            = var.public_subnet_ids
 
   tags = {
     Name = "${var.cluster_name}-alb"