In order to give our appstore ec2 the ability to store digital assets (e.g., app jar files and screen shots) in its designated S3 bucket, we create an IAM managed policy and IAM role specifically for that S3 bucket.

When we create the ec2, we provide the name of role via using the parameter "instance_profile_name."

This of course only runs once when the ec2 is created. Later in the same playbook, we include a task "Grant testappstore access to s3 bucket" which tries again to add the role to the ec2. This ensures that if we change the s3 bucket for some reason, the ec2 will get modified with the correct role.

However, this task fails with an error message reading:

"TASK [ec2 : Grant testappstore access to s3 bucket] **************************************************************************
fatal: [localhost]: FAILED! => changed=false
attempts: 3
msg: You must include an image_id or image.id parameter to create an instance, or use a launch_template."

For this task, re-write the task "Add EC2 private IP to RDS host security group" and make it properly idempotent such that if the ec2 does not already have the given role, it is added.