Hmm, if I create an S3 Bucket Policy, that has cognito authorizers and cloudfront stuff in the policy, is there anyway to 'wait' for the output variables in cognito and cloudfront?

Which output variables are you trying to wait on? And which resource are you trying to block creation of until those output are ready?

s3 bucket name, cloudfront Id, and role name

If you use those outputs to construct the policy, it should implicitly depend on them, and when you pass that into the bucket policy, it will in turn implicitly be dependent on those. Are you seeing this not being enforced in practice? If so, could you share more details of your code?

Sorry, please disregard, was a brainfart 😄