Cloudformation unable to create resource policy for apigateway

Question

The resource policy is working fine when i directly pass it to the console. Below is resource policy example :-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-west-2:339159142535:ooxmwl6q4e/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        ""14.98.8.190/32""
                    ]
                }
            }
        }
    ]
}

Now how to create a cloudformation template for this to get created and get attached to the apigateway

I tried to create a policy but as per new policy "Principal" is depricated.

I created a role also but no help. Below is role snippet :-

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Apifirewall": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "apigateway.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "Apifirewall",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": [
                                        "arn:aws:execute-api:us-west-2:339159142535:ooxmwl6q4e/*"
                                    ],
                                    "Condition": {
                                        "IpAddress": {
                                            "aws:SourceIp": [
                                                "14.98.8.190/32"
                                            ]
                                        }
                                    }
                                }
                            ]
                        }
                    }
                ]
            }
        }
    },
    "Outputs": {
        "Apifirewall": {
            "Value": {
                "Fn::GetAtt": [
                    "Apifirewall",
                    "Arn"
                ]
            }
        }
    }
}

Answer 1

APIGateway resource policy is not binding to IAM Policy, it's different kind of resource.

So to implement it on your RestApi your should use the Policy parameter on AWS::ApiGateway::RestApi resource on

{
  "Type" : "AWS::ApiGateway::RestApi",
  "Properties" : {  
    "ApiKeySourceType" : String,
    "BinaryMediaTypes" : [ String, ... ],
    "Body" : JSON object,
    "BodyS3Location" : S3Location,
    "CloneFrom" : String,
    "Description" : String,      
    "EndpointConfiguration" : EndpointConfiguration,
    "FailOnWarnings" : Boolean,
    "MinimumCompressionSize" : Integer,
    "Name" : String,
    "Parameters" : { String:String, ... },
    "Policy" : JSON object
  }
}