I'm using Ansible to automate the management of existing hosts. I'd like the playbook to be as comprehensive as possible and to that end I'm attempting to automate the creation and assignment of IAM roles to the instances.
I saw that it's possible to assign roles to new instances, which is not exactly my use case: https://docs.ansible.com/ansible/latest/modules/ec2_module.html#parameter-instance_profile_name
This post recommends using the aws client via the shell module for existing instances:https://www.reddit.com/r/ansible/comments/ah4jcc/how_do_you_attach_an_iam_role_onto_the_ec2/
But, the problem with that is the aws client supports two commands:
aws ec2 replace-iam-instance-profile-association
aws ec2 associate-iam-instance-profile
This means I need to first check if a profile has been assigned to the instance before choosing one of these commands. To perform that check, I need to use a third command:
aws ec2 describe-iam-instance-profile-associations
All of this logic makes the playbook quite messy.
Is there a cleaner way to accomplish this?