Add Vault only changes required for CloudWatch (#129)

* Add vault only changes

* Add missing required perm

environments/staging/vault/aws_auth.tf

@@ -11,7 +11,7 @@ module "aws_auth" {
   vault_iam_role_arn        = "${data.terraform_remote_state.core.vault_iam_role_arn}"
 
   aws_auth_path         = "${local.aws_path}"
-  base_policies         = ["${vault_policy.child_tokens.name}"]
+  base_policies         = ["${vault_policy.child_tokens.name}", "${vault_policy.aws_sts_telegraf.name}"]
   consul_policies       = []
   nomad_server_policies = ["${module.nomad_vault_integration.nomad_server_policy_name}"]
   nomad_client_policies = ["${module.docker_auth.policy}"]

environments/staging/vault/aws_secret.tf

@@ -102,6 +102,7 @@ data "aws_iam_policy_document" "vault_iam" {
 
       values = [
         "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
+        "${aws_iam_policy.telegraf.arn}",
       ]
     }
   }
@@ -311,6 +312,7 @@ data "aws_iam_policy_document" "telegraf" {
     sid = "GetListMetrics"
 
     actions = [
+      "cloudwatch:GetMetricData",
       "cloudwatch:GetMetricStatistics",
       "cloudwatch:ListMetrics",
     ]
@@ -336,7 +338,7 @@ resource "vault_aws_secret_backend_role" "telegraf" {
   backend = "${vault_aws_secret_backend.aws.path}"
   name    = "${local.telegraf_role_name}"
 
-  policy = "${data.aws_iam_policy_document.telegraf.json}"
+  policy_arn = "${aws_iam_policy.telegraf.arn}"
 }
 
 data "template_file" "aws_sts_telegraf" {

environments/staging/vault/configuration/aws/templates/telegraf.hcl

@@ -1,3 +1,3 @@
-path "${aws_sts_path}/sts/${telegraf_role_name}" {
-    capabilities = ["create", "update"]
+path "${aws_sts_path}/creds/${telegraf_role_name}" {
+    capabilities = ["read"]
 }