ecr.tf: restore Vault account access to ecr_pushpull_role

At some point it seems like the sts:AssumeRole permission was
dropped for the Vault ARN and limited to only ec2 instances.

This adds the Vault ARN back in as a principal which should
restore their access.

Change-Id: I993bd05b8bd8f441444f50890e514ea74ccbf911
diff --git a/ecr.tf b/ecr.tf
index a395bd0..0c15ffb 100644
--- a/ecr.tf
+++ b/ecr.tf
@@ -14,9 +14,11 @@
     {
       "Effect": "Allow",
       "Principal": {
-        "AWS": [ "987685672616",
-                 "arn:aws:iam::487149096843:user/vault"
-               ]
+        "AWS": [
+            "987685672616",
+            "arn:aws:iam::487149096843:user/vault"
+        ],
+        "Service": "ec2.amazonaws.com"
       },
       "Action": "sts:AssumeRole"
     }