Could I get some assistance in building what should be an easy policy? There are no issues creating roles, policies and attaching them. However, for AWS users there seems to be a different methodology.
It rolls back with 'Resource handler returned message: "Syntax errors in policy. (Service: Iam, Status Code: 400". HandlerError Code: InvalidRequest'. I have another stack that works.
Parameters:
  EnterUserName:
    Description: Enter the name of the user
    Type: String
    AllowedPattern: ^proga.*$
  BastionName:
    Description: Enter Name of EC2 Tag
    Type: String
  ActivateUser:
    Description: Activate User?
    Type: String
    Default: No
    AllowedValues:
      - No
      - Yes
    ConstraintDescription: Invalid Selection!
Conditions:
  NoUser: !Equals [!Ref ActivateUser, Yes]
Resources:
  SSMSessionUser:
    Condition: NoUser
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref EnterUserName
  UserPolicy:
    Condition: NoUser
    Type: AWS::IAM::UserPolicy
    Properties:
      PolicyName: !Sub ${AWS::StackName}-policyName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: ssm:StartSession
            Resource:
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:document/SSM-SessionManagerRunShell
          - Effect: Allow
            Action: ssm:StartSession
            Resources:
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
            Condition:
              StringEquals:
                'aws:ResourceTag/Bastion': !Ref BastionName
          - Effect: Allow
            Action:
              - ssm:TerminateSession
              - ssm:ResumeSession
            Resource:
              - 'arn:aws:ssm:*:*:session/${aws:userid}-*'
    UserName: !Ref SSMSessionUser
You didn't format the file well. UserName (the last line of the template) needs to be indented one more level, on the same level as PolicyName and PolicyDocument:
Parameters:
  EnterUserName:
    Description: Enter the name of the user
    Type: String
    AllowedPattern: ^proga.*$
  BastionName:
    Description: Enter Name of EC2 Tag
    Type: String
  ActivateUser:
    Description: Activate User?
    Type: String
    Default: No
    AllowedValues:
      - No
      - Yes
    ConstraintDescription: Invalid Selection!
Conditions:
  NoUser: !Equals [!Ref ActivateUser, Yes]
Resources:
  SSMSessionUser:
    Condition: NoUser
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref EnterUserName
  UserPolicy:
    Condition: NoUser
    Type: AWS::IAM::UserPolicy
    Properties:
      PolicyName: !Sub ${AWS::StackName}-policyName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ssm:StartSession
            Resource:
              # SSM documents live in the ssm service namespace, not ec2;
              # an ec2 ARN here would be accepted but never match the document.
              - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/SSM-SessionManagerRunShell
          - Effect: Allow
            Action: ssm:StartSession
            Resource:
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
            Condition:
              StringEquals:
                "aws:ResourceTag/Bastion": !Ref BastionName
          - Effect: Allow
            Action:
              - ssm:TerminateSession
              - ssm:ResumeSession
            Resource:
              # ${aws:userid} is an IAM policy variable, so this string must not go through !Sub
              - "arn:aws:ssm:*:*:session/${aws:userid}-*"
      UserName: !Ref SSMSessionUser
Edit: An additional problem was in this section:
          - Effect: Allow
            Action: ssm:StartSession
            Resources:
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
It should be Resource, not Resources.
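Both mistakes the answer found (a statement key IAM does not know, and a required property sitting at the wrong nesting level) are the kind of thing a small pre-deploy check catches before CloudFormation rolls the stack back. The script below is an added example written for this thread, not code from the question or the answer. It works on the template as Python data, the form `yaml.safe_load` or `json.load` would produce, with intrinsics in their long form (`{"Fn::Sub": ...}`, `{"Ref": ...}`); the two templates it lints are constructed here from the thread's policy, and the document-ARN namespace check is an extra the answer did not raise.

```python
"""Lint inline IAM policies inside a CloudFormation template (added example)."""

# Keys IAM accepts inside one policy statement (IAM JSON policy grammar).
STATEMENT_KEYS = frozenset({
    "Sid", "Effect", "Principal", "NotPrincipal", "Action", "NotAction",
    "Resource", "NotResource", "Condition",
})

# Inline-policy resource types and the property naming their attachment target.
INLINE_POLICY_TYPES = {
    "AWS::IAM::UserPolicy": "UserName",
    "AWS::IAM::RolePolicy": "RoleName",
    "AWS::IAM::GroupPolicy": "GroupName",
}


def arn_strings(value):
    """Flatten a Resource element (string, list or Fn::Sub) into raw ARN strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        return [sub if isinstance(sub, str) else sub[0]]
    if isinstance(value, list):
        return [arn for item in value for arn in arn_strings(item)]
    return []  # Ref / GetAtt etc. cannot be inspected statically


def lint_statement(where, stmt):
    findings = []
    for key in stmt:
        if key not in STATEMENT_KEYS:
            msg = f"{where}: unknown statement key {key!r}"
            singular = key[:-1] if key.endswith("s") else key
            if singular in STATEMENT_KEYS:  # e.g. Resources -> Resource
                msg += f" (did you mean {singular!r}?)"
            findings.append(msg)
    if stmt.get("Effect") not in ("Allow", "Deny"):
        findings.append(f"{where}: Effect must be Allow or Deny")
    if not ({"Action", "NotAction"} & stmt.keys()):
        findings.append(f"{where}: statement has no Action/NotAction")
    if not ({"Resource", "NotResource"} & stmt.keys()):
        findings.append(f"{where}: statement has no Resource/NotResource")
    # SSM documents are arn:aws:ssm:...:document/...; an ec2 ARN silently never matches.
    for arn in arn_strings(stmt.get("Resource", [])):
        if arn.startswith("arn:") and ":document/" in arn and arn.split(":")[2] != "ssm":
            findings.append(f"{where}: SSM document ARN uses service "
                            f"{arn.split(':')[2]!r}, expected 'ssm'")
    return findings


def lint_template(template):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        needed = INLINE_POLICY_TYPES.get(rtype)
        if needed and needed not in props:
            hint = " (it is at resource level; move it under Properties)" if needed in res else ""
            findings.append(f"{name}: {rtype} requires Properties.{needed}{hint}")
        doc = props.get("PolicyDocument")
        if not isinstance(doc, dict):
            continue
        stmts = doc.get("Statement", [])
        for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
            findings.extend(lint_statement(f"{name}.Statement[{i}]", stmt))
    return findings


def session_manager_policy(document_service, resource_key):
    """The thread's policy document; the parameters reproduce the broken variant."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": [{"Fn::Sub": f"arn:aws:{document_service}:${{AWS::Region}}:"
                                  "${AWS::AccountId}:document/SSM-SessionManagerRunShell"}]},
        {"Effect": "Allow", "Action": "ssm:StartSession",
         resource_key: [{"Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"}],
         "Condition": {"StringEquals": {"aws:ResourceTag/Bastion": {"Ref": "BastionName"}}}},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]},
    ]}


# Constructed from the question: 'Resources' typo, UserName outside Properties, ec2 document ARN.
BROKEN_TEMPLATE = {"Resources": {"UserPolicy": {
    "Type": "AWS::IAM::UserPolicy",
    "Properties": {"PolicyName": {"Fn::Sub": "${AWS::StackName}-policyName"},
                   "PolicyDocument": session_manager_policy("ec2", "Resources")},
    "UserName": {"Ref": "SSMSessionUser"}}}}

# The answer's corrected layout, with the document ARN in the ssm namespace.
FIXED_TEMPLATE = {"Resources": {"UserPolicy": {
    "Type": "AWS::IAM::UserPolicy",
    "Properties": {"PolicyName": {"Fn::Sub": "${AWS::StackName}-policyName"},
                   "PolicyDocument": session_manager_policy("ssm", "Resource"),
                   "UserName": {"Ref": "SSMSessionUser"}}}}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, lint_template(tpl) or "OK")
```

To run it against a real template file, load the YAML with a loader that maps the short tags (`!Ref`, `!Sub`, `!Equals`) to their `Ref`/`Fn::` long form before passing the result to `lint_template`; the checks themselves only depend on that data shape.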