I've figured out that initially replacing the policy document with literal text (good or bad, doesn't matter). Run

pulumi up

and the user gets created and then pulumi fails. Then I can revert to acquiring the ARN of the user automatically and everything works. I thought that by declaring the "depends_on" parameters that the user ARN acquisition would work, but that doesn't seem to work. Is there a timing configuration, or something else that needs to be resolved?

user = iam.User(
        "pulumi_user",
        name=construct_iam_resource_name("iam_deployment"),
        path=automata_iam_path,
        tags={"purpose": "Account used to perform Pulumi stack updates on CI/CD."},
    )

    user_arn = user.arn.apply(lambda arn: arn)

    instance_assume_role_policy = iam.get_policy_document(
        opts=pulumi.ResourceOptions(depends_on=[user]),
        statements=[
            {
                "actions": ["sts:AssumeRole"],
                "effect": "Allow",
                "principals": [{"identifiers": [user_arn], "type": "AWS"}],
            },
        ],
        version="2012-10-17",
    )