diff --git a/migration.tf b/migration.tf index d61d4e95..0922a9ee 100644 --- a/migration.tf +++ b/migration.tf @@ -49,3 +49,10 @@ moved { from = module.oke.oci_containerengine_node_pool.nodepools to = module.workers[0].oci_containerengine_node_pool.workers } + +# IAM + +moved { + from = module.iam.oci_identity_policy.cluster[0] + to = module.iam.oci_identity_policy.after_cluster[0] +} diff --git a/module-operator.tf b/module-operator.tf index cb4d12de..e07c5b03 100644 --- a/module-operator.tf +++ b/module-operator.tf @@ -44,7 +44,7 @@ locals { } module "operator" { - count = var.create_bastion && var.create_operator ? 1 : 0 + count = var.create_operator ? 1 : 0 source = "./modules/operator" state_id = local.state_id compartment_id = local.compartment_id diff --git a/modules/iam/await.tf b/modules/iam/await.tf index 2a7e3659..ff4bb02f 100644 --- a/modules/iam/await.tf +++ b/modules/iam/await.tf @@ -1,6 +1,7 @@ resource "time_sleep" "await_iam_resources" { count = anytrue([ - local.has_policy_statements, + local.has_policy_statements_before_cluster, + local.has_policy_statements_after_cluster, local.create_iam_tag_namespace, ]) ? 1 : 0 create_duration = "30s" diff --git a/modules/iam/outputs.tf b/modules/iam/outputs.tf index 64402b84..a24b3302 100644 --- a/modules/iam/outputs.tf +++ b/modules/iam/outputs.tf @@ -3,7 +3,7 @@ output "dynamic_group_ids" { description = "Cluster IAM dynamic group IDs" - value = local.has_policy_statements ? compact([ + value = local.has_policy_statements_before_cluster || local.has_policy_statements_after_cluster ? compact([ one(oci_identity_dynamic_group.cluster[*].id), one(oci_identity_dynamic_group.workers[*].id), one(oci_identity_dynamic_group.autoscaling[*].id), 
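Review bot: Dropping `var.create_bastion` from the operator `count` lets the operator host be created with no bastion, but nothing in this hunk shows how the module is reached or what it receives for bastion-derived inputs in that case; the rest of the `module "operator"` block continues outside the hunk. If the module takes a bastion address (presumably for SSH proxying), it must now tolerate an empty value, or a `lifecycle { precondition }` / variable `validation` should reject the unsupported combination with a clear message instead of failing inside the module. It is also worth confirming that an operator created without a bastion does not receive a public IP or an open ingress rule by default, since it was previously only reachable via the bastion path. At minimum document the intent above the `count` line, e.g. `# The operator no longer requires the bastion; when create_bastion is false it must be reachable by another documented path.`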
@@ -13,5 +13,8 @@ output "dynamic_group_ids" { output "policy_statements" { description = "Cluster IAM policy statements" - value = local.has_policy_statements ? local.policy_statements : null + value = local.has_policy_statements_before_cluster || local.has_policy_statements_after_cluster ? distinct(compact(flatten([ + local.policy_statements_before_cluster, + local.policy_statements_after_cluster, + ]))) : null } diff --git a/modules/iam/policy.tf b/modules/iam/policy.tf index 062014c9..bd856e3f 100644 --- a/modules/iam/policy.tf +++ b/modules/iam/policy.tf 
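Review bot: The guard `local.has_policy_statements_before_cluster || local.has_policy_statements_after_cluster` is now spelled out in both outputs, and the same pair is listed in `await.tf`, so the next policy split has to be patched in three places. Define it once in `modules/iam/policy.tf` as `has_policy_statements = local.has_policy_statements_before_cluster || local.has_policy_statements_after_cluster` and write `value = local.has_policy_statements ? distinct(compact(flatten([ ... ]))) : null` here. Note that the merged `policy_statements` output is the deduplicated union of the two policies, so it no longer mirrors what either `oci_identity_policy` resource actually holds; a short `description` such as "Union of the before- and after-cluster IAM policy statements" would make that explicit to consumers.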
@@ -2,28 +2,48 @@ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl locals { - policy_statements = distinct(compact(flatten([ + policy_statements_before_cluster = distinct(compact(flatten([ local.cluster_policy_statements, + ]))) + + has_policy_statements_before_cluster = var.create_iam_resources && anytrue([ + var.create_iam_kms_policy, + ]) + + policy_statements_after_cluster = distinct(compact(flatten([ local.worker_policy_statements, local.operator_policy_statements, local.autoscaler_policy_statements, ]))) - has_policy_statements = var.create_iam_resources && anytrue([ + has_policy_statements_after_cluster = var.create_iam_resources && anytrue([ var.create_iam_autoscaler_policy, - var.create_iam_kms_policy, var.create_iam_operator_policy, var.create_iam_worker_policy, ]) } -resource "oci_identity_policy" "cluster" { +resource "oci_identity_policy" "before_cluster" { + provider = oci.home + count = local.has_policy_statements_before_cluster ? 1 : 0 + compartment_id = var.compartment_id + description = format("Policies for OKE Terraform state %v", var.state_id) + name = format("%s-before-cluster", local.cluster_group_name) + statements = local.policy_statements_before_cluster + defined_tags = local.defined_tags + freeform_tags = local.freeform_tags + lifecycle { + ignore_changes = [defined_tags, freeform_tags] + } +} + +resource "oci_identity_policy" "after_cluster" { provider = oci.home - count = local.has_policy_statements ? 1 : 0 + count = local.has_policy_statements_after_cluster ? 1 : 0 compartment_id = var.compartment_id description = format("Policies for OKE Terraform state %v", var.state_id) - name = local.cluster_group_name - statements = local.policy_statements + name = format("%s-after-cluster", local.cluster_group_name) + statements = local.policy_statements_after_cluster defined_tags = local.defined_tags freeform_tags = local.freeform_tags lifecycle {
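Review bot: Renaming the existing policy from `local.cluster_group_name` to `format("%s-after-cluster", local.cluster_group_name)` will, I believe, force replacement rather than an in-place update, since the OCI provider treats the policy `name` as immutable; the `moved` block in migration.tf then only relabels state, and the apply still destroys the old policy before creating the new one. During that window the worker, operator and autoscaler statements are absent, and nothing orders the new `before_cluster` policy (which now carries the KMS statements) relative to that destroy, so a running cluster can briefly lose KMS access as well. Confirm with `terraform plan` against a migrated state; if it shows `-/+`, add `create_before_destroy = true` to the `lifecycle` block of both resources (their closing lines are outside the hunk) so the replacement exists before the old policy is removed. Separately, `has_policy_statements_before_cluster` is keyed only on `var.create_iam_kms_policy` while `policy_statements_before_cluster` is built from `local.cluster_policy_statements` (defined elsewhere); if that local ever gains non-KMS statements they would be silently dropped, which deserves a comment such as `# before_cluster currently holds only the KMS statements; extend has_policy_statements_before_cluster when adding more`.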