Develop Reference

Add extension to R4 Patient

How do I add the below to an R4 Patient?
"search": {
"extension": [
{
"url": "http://hl7.org/fhir/StructureDefinition/match-grade",
"valueCode": "certain"
}
],
"mode": "match",
"score": 1.0
}
The objects that were under stu2 and stu3 (I think) have been deprecated.
DSTU3 and Later
// Create an example patient
Patient patient = new Patient();
patient.addIdentifier().setUse(Identifier.IdentifierUse.OFFICIAL).setSystem("urn:example").setValue("7000135");
// Create an extension
Extension ext = new Extension();
ext.setUrl("http://example.com/extensions#someext");
ext.setValue(new DateTimeType("2011-01-02T11:13:15"));
// Add the extension to the resource
patient.addExtension(ext);
Full "response" json from patient match below (sample data, not real data !! )
{
"resourceType": "Bundle",
"id": "94897c77-4120-482f-bdb4-4c8b9a71ade1",
"meta": {
"versionId": "1",
"lastUpdated": "2020-11-24T08:45:49.445-05:00"
},
"type": "searchset",
"total": 1,
"link": [
{
"relation": "self",
"url": "http://wildfhir4.aegis.net/fhir4-0-0/Patient/$match?"
}
],
"entry": [
{
"fullUrl": "http://wildfhir4.aegis.net/fhir4-0-0/Patient/9126db824dcf4d5ab3f68e63bd5eaced",
"resource": {
"resourceType": "Patient",
"id": "9126db824dcf4d5ab3f68e63bd5eaced",
"meta": {
"versionId": "1",
"lastUpdated": "2020-09-03T09:03:28.193-04:00",
"tag": [
{
"system": "http://terminology.hl7.org/CodeSystem/v3-ActReason",
"code": "HTEST",
"display": "test health data"
}
]
},
"text": {
"status": "generated",
"div": "<div xmlns=\"http://www.w3.org/1999/xhtml\"><table><tbody><tr><td>Name</td><td>Peter James \n <b>Chalmers</b> ("Jim") \n </td></tr><tr><td>Address</td><td>534 Erewhon, Pleasantville, Vic, 3999</td></tr><tr><td>Contacts</td><td>Home: unknown. Work: (03) 5555 6473</td></tr><tr><td>Id</td><td>MRN: 12345 (Acme Healthcare)</td></tr></tbody></table></div>"
},
"identifier": [
{
"use": "usual",
"type": {
"coding": [
{
"system": "http://terminology.hl7.org/CodeSystem/v2-0203",
"code": "MR"
}
]
},
"system": "urn:oid:1.2.36.146.595.217.0.1",
"value": "12345",
"period": {
"start": "2001-05-06"
},
"assigner": {
"display": "Acme Healthcare"
}
}
],
"active": true,
"name": [
{
"use": "official",
"family": "Chalmers",
"given": [
"Peter",
"James"
]
},
{
"use": "usual",
"given": [
"Jim"
]
},
{
"use": "maiden",
"family": "Windsor",
"given": [
"Peter",
"James"
],
"period": {
"end": "2002"
}
}
],
"telecom": [
{
"use": "home"
},
{
"system": "phone",
"value": "(03) 5555 6473",
"use": "work",
"rank": 1
},
{
"system": "phone",
"value": "(03) 3410 5613",
"use": "mobile",
"rank": 2
},
{
"system": "phone",
"value": "(03) 5555 8834",
"use": "old",
"period": {
"end": "2014"
}
}
],
"gender": "male",
"birthDate": "1974-12-25",
"_birthDate": {
"extension": [
{
"url": "http://hl7.org/fhir/StructureDefinition/patient-birthTime",
"valueDateTime": "1974-12-25T14:35:45-05:00"
}
]
},
"deceasedBoolean": false,
"address": [
{
"use": "home",
"type": "both",
"text": "534 Erewhon St PeasantVille, Rainbow, Vic 3999",
"line": [
"534 Erewhon St"
],
"city": "PleasantVille",
"district": "Rainbow",
"state": "Vic",
"postalCode": "3999",
"period": {
"start": "1974-12-25"
}
}
],
"contact": [
{
"relationship": [
{
"coding": [
{
"system": "http://terminology.hl7.org/CodeSystem/v2-0131",
"code": "N"
}
]
}
],
"name": {
"family": "du Marché",
"_family": {
"extension": [
{
"url": "http://hl7.org/fhir/StructureDefinition/humanname-own-prefix",
"valueString": "VV"
}
]
},
"given": [
"Bénédicte"
]
},
"telecom": [
{
"system": "phone",
"value": "+33 (237) 998327"
}
],
"address": {
"use": "home",
"type": "both",
"line": [
"534 Erewhon St"
],
"city": "PleasantVille",
"district": "Rainbow",
"state": "Vic",
"postalCode": "3999",
"period": {
"start": "1974-12-25"
}
},
"gender": "female",
"period": {
"start": "2012"
}
}
],
"managingOrganization": {
"reference": "Organization/1"
}
},
"search": {
"extension": [
{
"url": "http://hl7.org/fhir/StructureDefinition/match-grade",
"valueCode": "certain"
}
],
"mode": "match",
"score": 1.0
}
}
]
}
APPEND: I found this:
https://hapifhir.io/hapi-fhir/apidocs/hapi-fhir-structures-r4/org/hl7/fhir/r4/model/codesystems/MatchGrade.html

That extension isn't allowed on Patient. It's defined with a context of Bundle.entry.search. It's not a characteristic of the patient themselves, it's a characteristic of a particular entry in a search result based on a specific set of search criteria. The same Patient instance might well be a good result on one search and a poor result on a different search. So to add the extension, you'd have to add it on a 'search' object, not patient.

Ok.
Here it is. The primary objects were inner/nested objects under Bundle....thus why I didn't see them early. (example : Bundle.BundleEntrySearchComponent)
// a java example with the import statements. #shocking!
//import org.hl7.fhir.r4.model.Bundle;
//import org.hl7.fhir.r4.model.CodeType;
//import org.hl7.fhir.r4.model.Extension;
//import org.hl7.fhir.r4.model.Patient;
//import org.hl7.fhir.r4.model.codesystems.MatchGrade;
//import java.util.Collections;
Bundle innerBundle = new Bundle();
innerBundle.setType(Bundle.BundleType.SEARCHSET);
innerBundle.setTotal(1);
Patient pat = new Patient();
HumanName hn = new HumanName();
hn.setFamily("Smith");
p.setName(Collections.singletonList(hn));
Bundle.BundleEntrySearchComponent besc = new Bundle.BundleEntrySearchComponent();
besc.setScore(0.88);
besc.setMode(Bundle.SearchEntryMode.MATCH);
Bundle.BundleEntryComponent bec = new Bundle.BundleEntryComponent();
Extension matchGradeExtension = besc.addExtension();
matchGradeExtension.setUrl("http://hl7.org/fhir/StructureDefinition/match-grade");
matchGradeExtension.setValue(new CodeType(MatchGrade.PROBABLE.toCode()));
bec.setResource(pat);
bec.setSearch(besc);
innerBundle.setEntry(Collections.singletonList(bec));
Json looks like this:
{
"resourceType": "Bundle",
"type": "searchset",
"total": 1,
"entry": [
{
"resource": {
"resourceType": "Patient",
"name": [
{
"family": "Smith"
}
]
},
"search": {
"extension": [
{
"url": "http://hl7.org/fhir/StructureDefinition/match-grade",
"valueCode": "certain"
}
],
"mode": "match",
"score": 0.88
}
}
]
}

SAM template for API Gateway has errors within Visual Studio (as part of Serverless Application solution)

I am trying to create a SAM template (serverless.template) in visual studio to publish my API Gateway. I have a couple of errors being produced within the template validation (in Visual Studio) that I'm unable to resolve. When published, the stack deploys, but there is no usage plan(s) or api key(s) created (or rather, they are created but not viewable in the console, they come up as 'invalid reference' if you try to view them via Cloudformation > Resources, and they don't show up at all in the API Gateway console).
The errors are:
ServerlessRestApiDeployment26aad1646f is an unknown reference
"ServerlessRestApiProdStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"DeploymentId": {
"Ref": "ServerlessRestApiDeployment26aad1646f"
},
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": "Prod"
}
},
And
ServerlessRestApiProdStage is an invalid type for this reference
"APIGatewayHeartInHandKey": {
"Type": "AWS::ApiGateway::ApiKey",
"DependsOn": [
"ServerlessRestApi",
"ServerlessRestApiProdStage"
],
"Properties": {
"Name": "HeartInHandApiKey",
"Description": "Api Key for Heart In Hand",
"Enabled": true,
"GenerateDistinctId": true,
"StageKeys": [
{
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": {
"Ref": "ServerlessRestApiProdStage"
}
}
]
}
},
The full SAM template shown below.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Transform": "AWS::Serverless-2016-10-31",
"Description": "API Gateway to access InSite data-store",
"Resources": {
"Get": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::Get",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "/",
"Method": "GET"
}
}
}
}
},
"GetTableBasic": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::GetTableBasic",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "/tables/{tableid}/{columnid}",
"Method": "GET"
}
}
}
}
},
"GetColumnList": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::GetColumnList",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "/list/columns/{tableid}",
"Method": "GET"
}
}
}
}
},
"GetTableList": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::GetTableList",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "/list/tables",
"Method": "GET"
}
}
}
}
},
"PostClickCollectNotification": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::PostClickCollectNotification",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "/datagw/general/webhook/ccnotify",
"Method": "POST"
}
}
}
}
},
"PostClickCollectStockUpdate": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::PostClickCollectStockUpdate",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "/datagw/general/post/sohupdate",
"Method": "POST"
}
}
}
}
},
"GetTableResponse": {
"Type": "AWS::Serverless::Function",
"Properties": {
"VpcConfig": {
"SecurityGroupIds": [
"sg-111a1476"
],
"SubnetIds": [
"subnet-3029a769",
"subnet-5ec0b928"
]
},
"Handler": "AWSServerlessInSiteDataGw::AWSServerlessInSiteDataGw.Functions::GetTableResponse",
"Runtime": "dotnetcore2.0",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"AWSLambdaBasicExecutionRole",
"AWSLambdaVPCAccessExecutionRole",
"AmazonSSMFullAccess"
],
"Events": {
"PutResource": {
"Type": "Api",
"Properties": {
"Path": "datagw/general/table/get/{tableid}",
"Method": "GET"
}
}
}
}
},
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Description":"This is a placeholder for the description of this web api",
"ApiKeySourceType":"HEADER",
"Body": {
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"paths": {
"/list/tables": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableList.Arn}/invocations"
}
},
"responses": {}
}
},
"/list/columns/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetColumnList.Arn}/invocations"
}
},
"responses": {}
}
},
"datagw/general/table/get/{tableid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableResponse.Arn}/invocations"
}
},
"responses": {}
}
},
"/": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Get.Arn}/invocations"
}
},
"responses": {}
}
},
"/tables/{tableid}/{columnid}": {
"get": {
"x-amazon-apigateway-integration": {
"httpMethod": "POST",
"type": "aws_proxy",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${GetTableBasic.Arn}/invocations"
}
},
"responses": {}
}
}
},
"swagger": "2.0"
}
}
},
"ServerlessRestApiProdStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"DeploymentId": {
"Ref": "ServerlessRestApiDeployment26aad1646f"
},
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": "Prod"
}
},
"CustomLambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Policies": [
{
"PolicyName": "lambdaAccessApiKeys",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:GET"
],
"Resource": {
"Fn::Sub": [
"arn:aws:apigateway:ap-southeast-2::/apikeys/${__keyId__}",
{
"__keyId__": {
"Ref": "APIGatewayHeartInHandKey"
}
}
]
}
}
]
}
}
]
}
},
"GetApiKeyValueLambdaFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": {
"Fn::Join": [
"\n",
[
"import json",
"import boto3",
"client = boto3.client('apigateway')",
"def lambda_handler(event, context):",
" response = client.get_api_key(",
" apiKey= event['apiKeyId'],",
" includeValue = True",
")",
" return {",
" 'statusCode': 200,",
" 'body': response['value']}"
]
]
}
},
"Handler": "index.lambda_handler",
"Runtime": "python3.6",
"Timeout": 30,
"Role": {
"Fn::GetAtt": [
"CustomLambdaExecutionRole",
"Arn"
]
}
}
},
"APIGatewayUsagePlanInternal": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": {
"Ref": "ServerlessRestApi"
},
"Stage": {
"Ref": "ServerlessRestApiProdStage"
}
}
],
"Description": "Internal Apps Usage Plan",
"UsagePlanName": "Insite-datagw-InternalAppPlan"
}
},
"APIGatewayUsagePlanExternal": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": {
"Ref": "ServerlessRestApi"
},
"Stage": {
"Ref": "ServerlessRestApiProdStage"
}
}
],
"Description": "External Apps Usage Plan",
"UsagePlanName": "InSite-datagw-ExternalAppPlan"
}
},
"APIGatewayHeartInHandKey": {
"Type": "AWS::ApiGateway::ApiKey",
"DependsOn": [
"ServerlessRestApi",
"ServerlessRestApiProdStage"
],
"Properties": {
"Name": "HeartInHandApiKey",
"Description": "Api Key for Heart In Hand",
"Enabled": true,
"GenerateDistinctId": true,
"StageKeys": [
{
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": {
"Ref": "ServerlessRestApiProdStage"
}
}
]
}
},
"LinkHeartInHandKey": {
"Type": "AWS::ApiGateway::UsagePlanKey",
"Properties": {
"KeyId": {
"Ref": "APIGatewayHeartInHandKey"
},
"KeyType": "API_KEY",
"UsagePlanId": {
"Ref": "APIGatewayUsagePlanInternal"
}
}
},
"APIGatewayPricelineSiteKey": {
"Type": "AWS::ApiGateway::ApiKey",
"DependsOn": [
"ServerlessRestApi",
"ServerlessRestApiProdStage"
],
"Properties": {
"Name": "PricelineSiteApiKey",
"Description": "Api Key for Priceline Website",
"Enabled": true,
"GenerateDistinctId": true,
"StageKeys": [
{
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": {
"Ref": "ServerlessRestApiProdStage"
}
}
]
}
},
"LinkPricelineSiteKey": {
"Type": "AWS::ApiGateway::UsagePlanKey",
"Properties": {
"KeyId": {
"Ref": "APIGatewayPricelineSiteKey"
},
"KeyType": "API_KEY",
"UsagePlanId": {
"Ref": "APIGatewayUsagePlanInternal"
}
}
}
},
"Outputs": {
"ApiURL": {
"Description": "API endpoint URL for Prod environment",
"Value": {
"Fn::Sub": "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
}
}
}
}

it looks like you're trying to use features of the AWS::Serverless::Api resource from SAM without defining an AWS::Serverless::Api in your template.
In order to fix the issues you've brought up, it looks like you need to:
Remove the ServerlessRestApiProdStage resource
Sam will generate this resource (and the deployment resource) for you if you use an AWS::Serverless::Api resource.
Convert your AWS::ApiGateway::RestApi resource into an AWS::Serverless::Api resource:
Remove ApiKeySourceType property and add "x-amazon-apigateway-api-key-source" : "HEADER", to the swagger,
Change the Type from AWS::ApiGateway::RestApi to AWS::Serverless::Api
"ServerlessRestApi": {
"Type": "AWS::Serverless::RestApi",
"Properties": {
"Description":"This is a placeholder for the description of this web api",
"Body": {
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"x-amazon-apigateway-api-key-source" : "HEADER",
"paths": {
...

Enforce tagging in ec2

Created an IAM policy that should restrict user to now to allow ec2 instance creation when tags value not met
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToDescribeAll",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": ""
},
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:::image/",
"arn:aws:ec2:::snapshot/",
"arn:aws:ec2:::subnet/",
"arn:aws:ec2:::network-interface/",
"arn:aws:ec2:::security-group/",
"arn:aws:ec2:::key-pair/"
]
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::volume/",
"arn:aws:ec2:::instance/"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/shutdown": "true",
"aws:RequestTag/terminate": "true"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"shutdown",
"terminate"
]
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:::volume/",
"arn:aws:ec2:::instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}

Please check with the policy simulator at https://policysim.aws.amazon.com/home/index.jsp?#
With the following policy, I'm able to confirm that it works:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToDescribeAll",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "AllowRunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*"
]
},
{
"Sid": "AllowRunInstancesWithRestrictions",
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/terminate": "true",
"aws:RequestTag/shutdown": "true"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"terminate",
"shutdown"
]
}
}
},
{
"Sid": "AllowCreateTagsOnlyLaunching",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}

You may use something like this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Application",
"Environment"
]
},
"StringEqualsIfExists": {
"aws:RequestTag/Application": [
"app-01",
"app-02"
],
"aws:RequestTag/Environment": [
"development",
"production"
]
}
}
}
]
}

Cloudformation - 'AWS_PROXY' currently only supports Lambda function

I have the following error when I want to create a stack with cloudformation:
The following resource(s) failed to create: [ApiSyncLogsPost]. . Rollback requested by user.
CREATE_FAILED AWS::ApiGateway::Method ApiSyncLogsPost Integrations of type 'AWS_PROXY' currently only supports Lambda function and Firehose stream invocations. (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: 8bff48b0-93e4-11e8-a183-5de2b976f282)
I didn't find anything relevant regarding this error on google, when I search about it I just get a lot of AWS cloudformation documentation.
What I think is happening is that ApiSyncLogsPost resource is not defined properly, but the examples I found on the internet are similar.
What needs to be changed to solve that error?
Here is the cloudformation json:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Metadata": {
"AWS::CloudFormation::Designer": {
"a73e3686-2291-49a2-b052-565c5f85a9c9": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 270,
"y": 120
},
"z": 2,
"parent": "d68e59d4-72c0-425a-9b7b-227cbac3252d",
"embeds": []
},
"0665ec07-964b-4c90-86c5-5f7731cece7b": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 420,
"y": 120
},
"z": 1,
"embeds": []
},
"d68e59d4-72c0-425a-9b7b-227cbac3252d": {
"size": {
"width": 300,
"height": 240
},
"position": {
"x": 60,
"y": 90
},
"z": 1,
"embeds": [
"a73e3686-2291-49a2-b052-565c5f85a9c9",
"2cefafdd-86fd-4cbe-b42e-c638a8c23a19"
],
"iscontainedinside": [
"a86c6b83-5254-4848-943e-db6e35f09bf6"
]
},
"2cefafdd-86fd-4cbe-b42e-c638a8c23a19": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 60,
"y": 120
},
"z": 2,
"parent": "d68e59d4-72c0-425a-9b7b-227cbac3252d",
"embeds": [],
"iscontainedinside": [
"d68e59d4-72c0-425a-9b7b-227cbac3252d",
"d68e59d4-72c0-425a-9b7b-227cbac3252d",
"a86c6b83-5254-4848-943e-db6e35f09bf6"
]
},
"a86c6b83-5254-4848-943e-db6e35f09bf6": {
"size": {
"width": 330,
"height": 330
},
"position": {
"x": 510,
"y": 90
},
"z": 1,
"embeds": [
"66745c5a-f3ad-4b8c-b575-e90d73cbf19b",
"cf340921-6a8b-45f2-8a2a-14ffb0e537e8",
"925587cf-52b3-4507-9131-6be6777905fe"
]
},
"66745c5a-f3ad-4b8c-b575-e90d73cbf19b": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 540,
"y": 150
},
"z": 2,
"parent": "a86c6b83-5254-4848-943e-db6e35f09bf6",
"embeds": [],
"iscontainedinside": [
"a86c6b83-5254-4848-943e-db6e35f09bf6"
]
},
"cf340921-6a8b-45f2-8a2a-14ffb0e537e8": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 680,
"y": 200
},
"z": 2,
"parent": "a86c6b83-5254-4848-943e-db6e35f09bf6",
"embeds": [],
"iscontainedinside": [
"a86c6b83-5254-4848-943e-db6e35f09bf6"
]
},
"925587cf-52b3-4507-9131-6be6777905fe": {
"size": {
"width": 60,
"height": 60
},
"position": {
"x": 540,
"y": 270
},
"z": 2,
"parent": "a86c6b83-5254-4848-943e-db6e35f09bf6",
"embeds": [],
"iscontainedinside": [
"a86c6b83-5254-4848-943e-db6e35f09bf6"
],
"dependson": [
"2cefafdd-86fd-4cbe-b42e-c638a8c23a19"
]
}
}
},
"Parameters": {
"DatabaseUrl": {
"Description": "DATABASE_URL taken from elastic bean. Example: postgres://my_own_user:my_own_access#my_own_link.rds.amazonaws.com:PORT/my_database_name",
"Type": "String"
},
"LogentriesToken": {
"Description": "",
"Type": "String"
},
"RedisUrl": {
"Description": "",
"Type": "String"
},
"DeploymentStage": {
"Description": "",
"Type": "String",
"Default": "staging"
},
"StackResourcePrefix": {
"Description": "The name will be used to create all the resources that belongs to the same stack.",
"Default": "StagingSyncLogs",
"Type": "String"
}
},
"Resources": {
"ErrorCfn": {
"Type": "AWS::ApiGateway::Model",
"Properties": {
"ContentType": "application/json",
"Name": "ErrorCfn",
"RestApiId": {
"Ref": "SyncLogsApi"
},
"Schema": {
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "Error Schema",
"type": "object",
"properties": {
"message": {
"type": "string"
}
}
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "cf340921-6a8b-45f2-8a2a-14ffb0e537e8"
}
}
},
"UserPropertyModel": {
"Type": "AWS::ApiGateway::Model",
"Properties": {
"ContentType": "application/json",
"Name": "UserPropertyModel",
"RestApiId": {
"Ref": "SyncLogsApi"
},
"Schema": {
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "UserPropertyModel",
"type": "object",
"properties": {
"Name": {
"type": "string"
}
}
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "66745c5a-f3ad-4b8c-b575-e90d73cbf19b"
}
}
},
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "PolicyNameForLambdaRole",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
},
{
"Sid": "2",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
}
]
}
}
],
"RoleName": {
"Fn::Join": [
"_",
[
{
"Ref": "StackResourcePrefix"
},
"PostgresCron",
"Role"
]
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "0665ec07-964b-4c90-86c5-5f7731cece7b"
}
}
},
"SyncLogsLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "myBucket456464",
"S3Key": "myCode34535.zip"
},
"Environment": {
"Variables": {
"DATABASE_URL": {
"Ref": "DatabaseUrl"
},
"LOGENTRIES_TOKEN": {
"Ref": "LogentriesToken"
},
"REDIS_URL": {
"Ref": "RedisUrl"
}
}
},
"Tags": [
{
"Key": "DeploymentStage",
"Value": {
"Ref": "DeploymentStage"
}
}
],
"FunctionName": {
"Fn::Join": [
"",
[
{
"Ref": "StackResourcePrefix"
},
"_",
"lambda"
]
]
},
"Description": "Lambda function for syncing logs to logentries",
"Handler": "index.handler",
"Runtime": "nodejs6.10",
"MemorySize": 128,
"Timeout": 300,
"Role": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a73e3686-2291-49a2-b052-565c5f85a9c9"
}
}
},
"ProxyResource": {
"Type": "AWS::ApiGateway::Resource",
"Properties": {
"RestApiId": {
"Ref": "SyncLogsApi"
},
"ParentId": {
"Fn::GetAtt": [
"SyncLogsApi",
"RootResourceId"
]
},
"PathPart": "synclogs"
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "d68e59d4-72c0-425a-9b7b-227cbac3252d"
}
}
},
"SyncLogsApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": "Sync logs Api",
"Description": "Sync logs when this link is called.",
"FailOnWarnings": true
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a86c6b83-5254-4848-943e-db6e35f09bf6"
}
}
},
"ApiSyncLogsPost": {
"Type": "AWS::ApiGateway::Method",
"Properties": {
"ResourceId": {
"Ref": "ProxyResource"
},
"RestApiId": {
"Ref": "SyncLogsApi"
},
"HttpMethod": "POST",
"AuthorizationType": "NONE",
"Integration": {
"Type": "AWS_PROXY",
"IntegrationHttpMethod": "POST",
"Uri": {
"Fn::Join": [
"",
[
"arn:aws:apigateway:",
{
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
{
"Fn::GetAtt": [
"SyncLogsLambda",
"Arn"
]
},
"/synclogs"
]
]
}
},
"MethodResponses": [
{
"ResponseModels": {
"application/json": {
"Ref": "UserPropertyModel"
}
},
"StatusCode": 200
},
{
"ResponseModels": {
"application/json": {
"Ref": "ErrorCfn"
}
},
"StatusCode": 404
},
{
"ResponseModels": {
"application/json": {
"Ref": "ErrorCfn"
}
},
"StatusCode": 500
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "2cefafdd-86fd-4cbe-b42e-c638a8c23a19"
}
}
},
"RestApiDeployment": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"RestApiId": {
"Ref": "SyncLogsApi"
},
"StageName": "Staging"
},
"DependsOn": [
"ApiSyncLogsPost"
],
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "925587cf-52b3-4507-9131-6be6777905fe"
}
}
}
}
}

The error is due to improper value for Integration.Uri in the ApiSyncLogsPost resource. The Uri should have the form:
arn:aws:apigateway:{region}:{subdomain.service|service}:path|action/{service_api}
Example:
arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:012345678901:function:MyLambda/invocations
In your case, the string "/synclogs" at the end which should actually be "/invocations"
The following Integration.Uri for ApiSyncLogsPost should fix the issue:
{
"Uri": {
"Fn::Join": [
"",
[
"arn:aws:apigateway:",
{
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
{
"Fn::GetAtt": [
"SyncLogsLambda",
"Arn"
]
},
"/invocations"
]
]
}
}

Cloudformation IAM role timeout "resource did not stabilize"

I have a cloudformation template that experiences timeout during IAM role creation:
Role XXX is not stabilized
here is the resource in question:
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
},
"Policies": [
{
"PolicyName": "WriteLogs",
"PolicyDocument": {
"Statement": {
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": {
"Fn::Join": ["", [
"arn:aws:logs:*:*:log-group:/aws/lambda/",
{
"Ref": "AWS::StackName"
},
"-*"
]]}
}
}
},
{
"PolicyName": "CreateStack",
"PolicyDocument": {
"Statement": {
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack"
],
"Resource": "*"
}
}
}
]
}
}
Any ideas what I could be doing wrong?