Restriction on CloudFormation StackSet with IAM condition cloudformation:TemplateUrl
I'm trying to restrict the S3 bucket used for **StackSet** templates with the IAM condition **cloudformation:TemplateUrl**, but it does not work as expected: the IAM policy applied always denies the CreateStackSet. See below the tested policy.
The [doc page](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions) explains that you can use the condition as usual, but there is a Note that is not clear to me:

For allowed CreateStackSet calls, the CloudTrail event included the TemplateUrl in the context, so I don't understand why the condition does not work with Stack Set.
Thanks for your help!
```
{
  "eventVersion": "1.08",
  [...]
  "eventTime": "2022-08-09T15:42:50Z",
  "eventSource": "cloudformation.amazonaws.com",
  "eventName": "CreateStackSet",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "stackSetName": "test-deny1",
    "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml",
    "description": "Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.",
    "clientRequestToken": "1bd60a6d-f9dc-76a9-020a-f5a45f1bdf1e",
    "capabilities": [
      "CAPABILITY_IAM"
    ]
  },
  "responseElements": {
    "stackSetId": "test-deny1:97054f39-3925-47eb-92fd-09779f32bcf6"
  },
  [...]
}
```
For reference, my IAM policy:
```
{
  "Sid": "TemplateFromTrustedBucket",
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStackSet",
    "cloudformation:UpdateStackSet"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "cloudformation:TemplateURL": [
        "https://s3.amazonaws.com/trusted-bucket/*"
      ]
    }
  }
}
```
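A local check of the `StringLike` pattern from the policy above against the `templateURL` logged in the CloudTrail event, as an added example that is not part of the original post. The function names and the trimmed event are constructed for illustration, and the logged `requestParameters` value is only assumed to stand in for the `cloudformation:TemplateUrl` context key that IAM actually evaluates.

```python
import json
import re

# Constructed sample: the CloudTrail event from the post, trimmed to the
# fields this check reads.
EVENT = json.loads("""{
  "eventName": "CreateStackSet",
  "requestParameters": {
    "stackSetName": "test-deny1",
    "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml"
  }
}""")

# Pattern list copied from the policy statement in the post.
POLICY_PATTERNS = ["https://s3.amazonaws.com/trusted-bucket/*"]


def string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters, '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def template_url_allowed(event, patterns):
    """True if the logged templateURL matches any pattern.

    A missing value returns False: when a condition key is absent from the
    request context, a plain StringLike condition does not match, so the
    Allow statement does not apply and the call is implicitly denied.
    """
    url = (event.get("requestParameters") or {}).get("templateURL")
    if url is None:
        return False
    return any(string_like(p, url) for p in patterns)


if __name__ == "__main__":
    print("logged URL matches policy pattern:",
          template_url_allowed(EVENT, POLICY_PATTERNS))
```

If the logged URL matches, the pattern text itself is not what denies the call; a different URL form for the same bucket, or a request that carries no template URL at all, would fail the condition.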