modules/aws/vpc - Better security for master nodes

For a VPC with master nodes in a public subnet, they are reachable
from the entire internet. Usually, one will communicate with them via
an ELB, and not directly. This change limits access to 80/443 TCP and
ICMP to only nodes within the VPC and cluster.

Author: mrwacky42

modules/aws/vpc/sg-master.tf

@@ -23,7 +23,7 @@ resource "aws_security_group_rule" "master_ingress_icmp" {
   security_group_id = "${aws_security_group.master.id}"
 
   protocol    = "icmp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 0
   to_port     = 0
 }
@@ -43,7 +43,7 @@ resource "aws_security_group_rule" "master_ingress_http" {
   security_group_id = "${aws_security_group.master.id}"
 
   protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 80
   to_port     = 80
 }
@@ -53,7 +53,7 @@ resource "aws_security_group_rule" "master_ingress_https" {
   security_group_id = "${aws_security_group.master.id}"
 
   protocol    = "tcp"
-  cidr_blocks = ["0.0.0.0/0"]
+  cidr_blocks = ["${data.aws_vpc.cluster_vpc.cidr_block}"]
   from_port   = 443
   to_port     = 443
 }