Remove unnecessary http callout and security rule

EKS masters are publicly accessible. You cannot restrict access nor
need to explicitly grant access.
https://github.com/terraform-aws-modules/terraform-aws-eks/pull/69#issuecomment-406123233

README.md

@@ -114,7 +114,6 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
 | worker_sg_ingress_from_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | string | `1025` | no |
 | workers_group_defaults | Default values for target groups as defined by the list of maps. | map | `<map>` | no |
-| workstation_cidr | Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32. | string | `` | no |
 | write_kubeconfig | Whether to write a kubeconfig file containing the cluster configuration. | string | `true` | no |
 
 ## Outputs

cluster.tf

@@ -44,17 +44,6 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
   count                    = "${var.cluster_security_group_id == "" ? 1 : 0}"
 }
 
-resource "aws_security_group_rule" "cluster_https_cidr_ingress" {
-  cidr_blocks       = ["${local.workstation_cidr}"]
-  description       = "Allow kubectl communication with the EKS cluster API."
-  protocol          = "tcp"
-  security_group_id = "${aws_security_group.cluster.id}"
-  from_port         = 443
-  to_port           = 443
-  type              = "ingress"
-  count             = "${var.cluster_security_group_id == "" ? 1 : 0}"
-}
-
 resource "aws_iam_role" "cluster" {
   name_prefix        = "${var.cluster_name}"
   assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"

data.tf

@@ -1,9 +1,5 @@
 data "aws_region" "current" {}
 
-data "http" "workstation_external_ip" {
-  url = "https://ipv4.icanhazip.com"
-}
-
 data "aws_iam_policy_document" "workers_assume_role_policy" {
   statement {
     sid = "EKSWorkerAssumeRole"

local.tf

@@ -5,10 +5,8 @@ locals {
   # to workaround terraform not supporting short circut evaluation
   cluster_security_group_id = "${coalesce(join("", aws_security_group.cluster.*.id), var.cluster_security_group_id)}"
 
-  worker_security_group_id  = "${coalesce(join("", aws_security_group.workers.*.id), var.worker_security_group_id)}"
+  worker_security_group_id = "${coalesce(join("", aws_security_group.workers.*.id), var.worker_security_group_id)}"
-  workstation_external_cidr = "${chomp(data.http.workstation_external_ip.body)}/32"
+  kubeconfig_name          = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
-  workstation_cidr          = "${coalesce(var.workstation_cidr, local.workstation_external_cidr)}"
-  kubeconfig_name           = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
 
   # Mapping from the node type that we selected and the max number of pods that it can run
   # Taken from https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml

main.tf

@@ -94,4 +94,3 @@
 
 provider "null" {}
 provider "template" {}
-provider "http" {}

variables.tf

@@ -7,11 +7,6 @@ variable "cluster_security_group_id" {
   default     = ""
 }
 
-variable "workstation_cidr" {
-  description = "Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32. "
-  default     = ""
-}
-
 variable "cluster_version" {
   description = "Kubernetes version to use for the EKS cluster."
   default     = "1.10"