diff --git a/manifests/policy/base.pp b/manifests/policy/base.pp
index 8e7a6acc..5cf2b761 100644
--- a/manifests/policy/base.pp
+++ b/manifests/policy/base.pp
@@ -16,12 +16,35 @@
 # The value to set
 # string; optional; the value to set
 #
+# [*file_mode*]
+# (optional) Permission mode for the policy file
+# Defaults to '0640'
+#
+# [*file_user*]
+# (optional) User for the policy file
+# Defaults to undef
+#
+# [*file_group*]
+# (optional) Group for the policy file
+# Defaults to undef
+#
 define openstacklib::policy::base (
 $file_path,
 $key,
 $value = '',
+ $file_mode = '0640',
+ $file_user = undef,
+ $file_group = undef,
 ) {
+ ensure_resource('file', $file_path, {
+ mode => $file_mode,
+ owner => $file_user,
+ group => $file_group,
+ replace => false, # augeas will manage the content, we just need to make sure it exists
+ content => '{}'
+ })
+
 # Add entry if it doesn't exists
 augeas { "${file_path}-${key}-${value}-add":
 lens => 'Json.lns',
@@ -40,7 +63,8 @@ define openstacklib::policy::base (
 changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"",
 }
- Augeas<| title == "${file_path}-${key}-${value}-add" |>
+ File<| title == $file_path |>
+ -> Augeas<| title == "${file_path}-${key}-${value}-add" |>
 ~> Augeas<| title == "${file_path}-${key}-${value}" |>
 }
diff --git a/releasenotes/notes/ensure-policy-file-exists-1c53dc62e10c53d3.yaml b/releasenotes/notes/ensure-policy-file-exists-1c53dc62e10c53d3.yaml
new file mode 100644
index 00000000..2bc99e5b
--- /dev/null
+++ b/releasenotes/notes/ensure-policy-file-exists-1c53dc62e10c53d3.yaml
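Review bot: The new `[*file_user*]` and `[*file_group*]` docs say only "Defaults to undef", while the `ensure_resource` call in the same hunk creates a missing policy file as root-owned 0640 when they are left unset, which the service account presumably cannot read; the release note admits this, but the parameter docs a user actually reads do not. I would extend both entries with `#   If left undef and the file does not yet exist, it is created root-owned and the service will be unable to read it; pass the service user/group.` As far as I can tell from stdlib's `ensure_resource`, the file resource is only de-duplicated when every `openstacklib::policy::base` instance for the same `$file_path` passes identical `file_mode`/`file_user`/`file_group`, and differing values end in a duplicate-declaration compile error, which deserves a sentence in the `[*file_path*]` docs. The comment on `replace => false` could also say that `content => '{}'` is written only when the file is first created, so an existing but empty or malformed file is left as-is for the augeas `Json.lns` lens to reject. The body of the define continues past this hunk.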
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ The upstream services are moving their policy files into code which means
+ they may not exist if a user tries to customize the policies. We've added
+ an file resource to openstacklib::policy::base to ensure the file exists
+ but this means that the user/group need to be passed into the module or
+ it will possibly lock out services from being able to read this file as
+ the defaults limit it to just root:root.
diff --git a/spec/defines/openstacklib_policy_spec.rb b/spec/defines/openstacklib_policy_base_spec.rb
similarity index 71%
rename from spec/defines/openstacklib_policy_spec.rb
rename to spec/defines/openstacklib_policy_base_spec.rb
index 0ac2eded..b53d6caa 100644
--- a/spec/defines/openstacklib_policy_spec.rb
+++ b/spec/defines/openstacklib_policy_base_spec.rb
@@ -3,18 +3,30 @@ require 'spec_helper'
 describe 'openstacklib::policy::base' do
- shared_examples_for 'openstacklib::policy' do
+ shared_examples_for 'openstacklib::policy::base' do
 context 'with some basic parameters' do
 let :title do
 'nova-contest_is_admin'
 end
 let :params do
- {:file_path => '/etc/nova/policy.json',
- :key => 'context_is_admin or owner',
- :value => 'foo:bar'}
+ {
+ :file_path => '/etc/nova/policy.json',
+ :key => 'context_is_admin or owner',
+ :value => 'foo:bar',
+ :file_mode => '0644',
+ :file_user => 'foo',
+ :file_group => 'bar'
+ }
 end
+ it {
+ is_expected.to contain_file('/etc/nova/policy.json').with(
+ :mode => '0644',
+ :owner => 'foo',
+ :group => 'bar')
+ }
+
 it 'configures (modifies) the proper policy' do
 is_expected.to contain_augeas('/etc/nova/policy.json-context_is_admin or owner-foo:bar').with(
 'lens' => 'Json.lns',
@@ -45,7 +57,7 @@ describe 'openstacklib::policy::base' do
 facts.merge!(OSDefaults.get_facts())
 end
- it_configures 'openstacklib::policy'
+ it_configures 'openstacklib::policy::base'
 end
 end
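Review bot: The new `contain_file` expectation only exercises the case where `file_mode`, `file_user` and `file_group` are all passed, so the default branch the release note warns about (0640, no owner/group, created with `replace => false` and `content => '{}'`) has no coverage, and a later change to those defaults would go unnoticed. I would add a second context that passes only `file_path`/`key`/`value` and pins the defaults, checking that owner and group are not managed via rspec-puppet's `without`. The `shared_examples_for` block continues past this hunk, so the new context sits beside the existing `'with some basic parameters'` one.
```ruby
    context 'with default file parameters' do
      let :title do
        'nova-contest_is_admin'
      end

      let :params do
        {
          :file_path => '/etc/nova/policy.json',
          :key       => 'context_is_admin or owner',
          :value     => 'foo:bar'
        }
      end

      it {
        is_expected.to contain_file('/etc/nova/policy.json').with(
          :mode    => '0640',
          :replace => false,
          :content => '{}').without(['owner', 'group'])
      }
    end
```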