How can one configure an AWS ElasticSearch access policy using CloudFormation?

The AWS documentation on ElasticSearch access control talks about how to grant access to the ES domain's subresources while preventing changes to the domain's configuration by creating an ES domain resource policy and setting the resource to the ES domain ARN followed by /*. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/test-user"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"
    }
  ]
}

In this example, test-user is granted rights to perform actions on the ES domain subresources but not the ES domain configuration itself.

When provisioning an AWS ES Domain using CloudFormation, one can set the resource policy with the AccessPolicies property. There is no CloudFormation resource like AWS::Elasticsearch::DomainAccessPolicy unfortunately and it appears that the only way to set a resource policy on an ES domain is with this property.

How can one take advantage of the types of policies recommended in the access control docs if there's no way to know the ES domain ARN to use in the Resource field, since the ES domain hasn't yet been created at the point where the access policy is defined?

I've tried referencing the DomainArn attribute of the ES domain in the Resource field of the access policy, but understandably that doesn't work since it creates a circular dependency.

The only solution I've thought of so far is to just wait until AWS updates CloudFormation to include an AWS::Elasticsearch::DomainAccessPolicy resource type.

3
asked 24 October 2018 at 19:31
1 answer

The access policy attached to an ES domain only grants access to that specific ElasticSearch domain. You should be able to safely use "Resource": "*", since it only affects the ES domain you created.

0
answered 3 December 2019 at 07:49
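To show what the answer's suggestion looks like in practice, here is an added example CloudFormation template (not from the question or the answer above): the domain's own AccessPolicies uses "Resource": "*" so no self-referencing ARN is needed, and the Action list is narrowed to the es:ESHttp* data-plane actions rather than es:*, which is my choice for limiting the principal to the domain's subresources. The domain name, version, instance sizing and the AllowedUserArn parameter are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ES domain with a domain-scoped access policy (added example, values assumed)

Parameters:
  AllowedUserArn:
    Type: String
    Description: IAM principal allowed to call the domain's HTTP endpoint (assumed value)
    Default: arn:aws:iam::123456789012:user/test-user

Resources:
  TestDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: test-domain
      ElasticsearchVersion: "6.3"
      ElasticsearchClusterConfig:
        InstanceCount: 1
        InstanceType: t2.small.elasticsearch
      EBSOptions:
        EBSEnabled: true
        VolumeSize: 10
        VolumeType: gp2
      # The policy is evaluated only against this domain, so "*" cannot
      # reach any other domain; there is no need to know the ARN up front.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AllowedUserArn
            # Data-plane actions only (search, index, etc. over HTTPS);
            # configuration changes are not covered by this statement.
            Action:
              - es:ESHttp*
            Resource: "*"

Outputs:
  DomainArn:
    Value: !GetAtt TestDomain.DomainArn
  DomainEndpoint:
    Value: !GetAtt TestDomain.DomainEndpoint
```

The outputs expose the ARN and endpoint after creation, which is where downstream stacks or identity-based IAM policies can reference the concrete domain ARN instead of the domain policy itself.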
