From 13e1adc419e7b3bf87970e607ab0346ebee051ca Mon Sep 17 00:00:00 2001
From: Daniel Piddock
Date: Fri, 3 Aug 2018 21:31:56 +0200
Subject: [PATCH] Remove unnecessary http callout and security rule

EKS masters are publicly accessible. You cannot restrict access nor need to explicitly grant access. https://github.com/terraform-aws-modules/terraform-aws-eks/pull/69#issuecomment-406123233
---
 README.md | 1 -
 cluster.tf | 11 -----------
 data.tf | 4 ----
 local.tf | 6 ++----
 main.tf | 1 -
 variables.tf | 5 -----
 6 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index be73b3e..9f45a61 100644
--- a/README.md
+++ b/README.md
@@ -114,7 +114,6 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
 | worker_sg_ingress_from_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | string | `1025` | no |
 | workers_group_defaults | Default values for target groups as defined by the list of maps. | map | `` | no |
-| workstation_cidr | Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32. | string | `` | no |
 | write_kubeconfig | Whether to write a kubeconfig file containing the cluster configuration. | string | `true` | no |
 
 ## Outputs
diff --git a/cluster.tf b/cluster.tf
index 87ad721..756991f 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -44,17 +44,6 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
 count = "${var.cluster_security_group_id == "" ? 1 : 0}"
 }
 
-resource "aws_security_group_rule" "cluster_https_cidr_ingress" {
- cidr_blocks = ["${local.workstation_cidr}"]
- description = "Allow kubectl communication with the EKS cluster API."
- protocol = "tcp"
- security_group_id = "${aws_security_group.cluster.id}"
- from_port = 443
- to_port = 443
- type = "ingress"
- count = "${var.cluster_security_group_id == "" ? 1 : 0}"
-}
-
 resource "aws_iam_role" "cluster" {
 name_prefix = "${var.cluster_name}"
 assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"
diff --git a/data.tf b/data.tf
index f7e2803..3671d1a 100644
--- a/data.tf
+++ b/data.tf
@@ -1,9 +1,5 @@
 data "aws_region" "current" {}
 
-data "http" "workstation_external_ip" {
- url = "https://ipv4.icanhazip.com"
-}
-
 data "aws_iam_policy_document" "workers_assume_role_policy" {
 statement {
 sid = "EKSWorkerAssumeRole"
diff --git a/local.tf b/local.tf
index 87611ec..be94e47 100644
--- a/local.tf
+++ b/local.tf
@@ -5,10 +5,8 @@ locals {
 # to workaround terraform not supporting short circut evaluation
 cluster_security_group_id = "${coalesce(join("", aws_security_group.cluster.*.id), var.cluster_security_group_id)}"
- worker_security_group_id = "${coalesce(join("", aws_security_group.workers.*.id), var.worker_security_group_id)}"
- workstation_external_cidr = "${chomp(data.http.workstation_external_ip.body)}/32"
- workstation_cidr = "${coalesce(var.workstation_cidr, local.workstation_external_cidr)}"
- kubeconfig_name = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
+ worker_security_group_id = "${coalesce(join("", aws_security_group.workers.*.id), var.worker_security_group_id)}"
+ kubeconfig_name = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
 # Mapping from the node type that we selected and the max number of pods that it can run
 # Taken from https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
diff --git a/main.tf b/main.tf
index 4cdb012..efa289f 100644
--- a/main.tf
+++ b/main.tf
@@ -94,4 +94,3 @@ provider "null" {}
 provider "template" {}
-provider "http" {}
diff --git a/variables.tf b/variables.tf
index 51a24e4..60e3b89 100644
--- a/variables.tf
+++ b/variables.tf
@@ -7,11 +7,6 @@ variable "cluster_security_group_id" {
 default = ""
 }
 
-variable "workstation_cidr" {
- description = "Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32. "
- default = ""
-}
-
 variable "cluster_version" {
 description = "Kubernetes version to use for the EKS cluster."
 default = "1.10"