https://github.com/ansible-collections/amazon.aws/issues/2102

1. 1. 1. Summary

I have been using 7.3.0 collection for some time, but it stopped working with upgrade to 7.5.0.
amazon.aws.iam_role is no longer able to ignore already existing entries and it fails with

```yaml
fatal: [ae1ascs -> localhost]: FAILED! => {
"boto3_version": "1.34.97",
"botocore_version": "1.34.97",
"changed": false,
"error": {
"code": "EntityAlreadyExists",
"message": "Instance Profile HA-Role-Pacemaker already exists.",
"type": "Sender"
```
```bash
Traceback (most recent call last):
File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 685, in main
create_or_update_role(module, client)
File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 496, in create_or_update_role
changed |= create_instance_profiles(client, check_mode, role_name, path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 523, in create_instance_profiles
create_iam_instance_profile(client, role_name, path, {})
File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 46, in handler
raise cls._CUSTOM_EXCEPTION(message=f"Failed to

{description}

", exception=e) from e
ansible_collections.amazon.aws.plugins.module_utils.iam.AnsibleIAMError: Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.
```

1. 1. 1. Issue Type

Bug Report

1. 1. 1. Component Name

amazon.aws.iam_role

1. 1. 1. Ansible Version

```console (paste below)
$ ansible --version
ansible [core 2.16.6]
config file = None
configured module search path = ['/home/mmamula/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.11/site-packages/ansible
ansible collection location = /home/mmamula/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.11.9 (main, Apr 08 2024, 06:18:15) [GCC] (/usr/bin/python3.11)
jinja version = 3.1.3
libyaml = True
```

1. 1. 1. Collection Versions

```console (paste below)
$ ansible-galaxy collection list
Collection Version
---------------------------------------- -------
amazon.aws 7.5.0
ansible.netcommon 5.3.0
ansible.posix 1.5.4
ansible.utils 2.12.0
ansible.windows 2.3.0
arista.eos 6.2.2
awx.awx 23.9.0
azure.azcollection 1.19.0
check_point.mgmt 5.2.3
chocolatey.chocolatey 1.5.1
cisco.aci 2.9.0
cisco.asa 4.0.3
cisco.dnac 6.13.3
cisco.intersight 2.0.8
cisco.ios 5.3.0
cisco.iosxr 6.1.1
cisco.ise 2.8.1
cisco.meraki 2.18.0
cisco.mso 2.6.0
cisco.nxos 5.3.0
cisco.ucs 1.10.0
cloud.common 2.1.4
cloudscale_ch.cloud 2.3.1
community.aws 7.2.0
community.azure 2.0.0
community.ciscosmb 1.0.7
community.crypto 2.19.0
community.digitalocean 1.26.0
community.dns 2.9.0
community.docker 3.9.0
community.general 8.6.0
community.grafana 1.8.0
community.hashi_vault 6.2.0
community.hrobot 1.9.2
community.library_inventory_filtering_v1 1.0.1
community.libvirt 1.3.0
community.mongodb 1.7.3
community.mysql 3.9.0
community.network 5.0.2
community.okd 2.3.0
community.postgresql 3.4.0
community.proxysql 1.5.1
community.rabbitmq 1.3.0
community.routeros 2.15.0
community.sap 2.0.0
community.sap_libs 1.4.2
community.sops 1.6.7
community.vmware 4.3.0
community.windows 2.2.0
community.zabbix 2.3.1
containers.podman 1.13.0
cyberark.conjur 1.2.2
cyberark.pas 1.0.25
dellemc.enterprise_sonic 2.4.0
dellemc.openmanage 8.7.0
dellemc.powerflex 2.3.0
dellemc.unity 1.7.1
f5networks.f5_modules 1.28.0
fortinet.fortimanager 2.4.0
fortinet.fortios 2.3.6
frr.frr 2.0.2
gluster.gluster 1.0.2
google.cloud 1.3.0
grafana.grafana 2.2.5
hetzner.hcloud 2.5.0
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 2.0.0
ibm.storage_virtualize 2.3.1
infinidat.infinibox 1.4.5
infoblox.nios_modules 1.6.1
inspur.ispim 2.2.0
inspur.sm 2.3.0
junipernetworks.junos 5.3.1
kubernetes.core 2.4.2
lowlydba.sqlserver 2.3.2
microsoft.ad 1.5.0
netapp.aws 21.7.1
netapp.azure 21.10.1
netapp.cloudmanager 21.22.1
netapp.elementsw 21.7.0
netapp.ontap 22.11.0
netapp.storagegrid 21.12.0
netapp.um_info 21.8.1
netapp_eseries.santricity 1.4.0
netbox.netbox 3.17.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.1.0
openstack.cloud 2.2.0
openvswitch.openvswitch 2.1.1
ovirt.ovirt 3.2.0
purestorage.flasharray 1.27.0
purestorage.flashblade 1.17.0
purestorage.fusion 1.6.1
sensu.sensu_go 1.14.0
splunk.es 2.1.2
t_systems_mms.icinga_director 2.0.1
telekom_mms.icinga_director 1.35.0
theforeman.foreman 3.15.0
vmware.vmware_rest 2.3.1
vultr.cloud 1.12.1
vyos.vyos 4.1.0
wti.remote 1.0.5
```

1. 1. 1. AWS SDK versions

```console (paste below)
$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires:
Required-by:
—
Name: boto3
Version: 1.34.97
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
—
Name: botocore
Version: 1.34.97
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer
```

1. 1. 1. Configuration

```console (paste below)
$ ansible-config dump --only-changed
CONFIG_FILE() = None
PAGER(env: PAGER) = less
```

1. 1. 1. OS / Environment

SLES for SAP 15 SP3
SLES for SAP 15 SP5
openSUSE Tumbleweed

1. 1. 1. Steps to Reproduce

<!--- Paste example playbooks or commands between quotes below -->
```yaml (paste below)

• name: AWS IAM Role - HA-Role-Pacemaker
  register: __sap_vm_provision_task_aws_iam_role_ha_pacemaker
  no_log: "{{ __sap_vm_provision_no_log }}"
  amazon.aws.iam_role:
  name: "HA-Role-Pacemaker"
  assume_role_policy_document: |
  {
  "Version": "2012-10-17",
  "Statement": [
  Unknown macro: { "Effect"}

  ]
  }
  access_key: "{{ sap_vm_provision_aws_access_key }}"
  secret_key: "{{ sap_vm_provision_aws_secret_access_key }}"
  ```
  https://github.com/sap-linuxlab/community.sap_infrastructure/blob/0e67afc14738c8731192ef9f5040496c4a96e9b1/roles/sap_vm_provision/tasks/platform_ansible/aws_ec2_vs/execute_setup_ha.yml#L257

1. 1. 1. Expected Results

IAM role HA-Role-Pacemaker is created.

1. 1. 1. Actual Results

```console (paste below)
fatal: [ae1ascs -> localhost]: FAILED! => {
"boto3_version": "1.34.97",
"botocore_version": "1.34.97",
"changed": false,
"error":

{ "code": "EntityAlreadyExists", "message": "Instance Profile HA-Role-Pacemaker already exists.", "type": "Sender" }

,
"invocation": {
"module_args": {
"access_key": "XXX",
"assume_role_policy_document": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Sid\": \"\",\n \"Principal\":

{\n \"Service\": \"ec2.amazonaws.com\"\n }

\n }\n ]\n}",
"aws_ca_bundle": null,
"aws_config": null,
"boundary": null,
"create_instance_profile": true,
"debug_botocore_endpoint_logs": false,
"delete_instance_profile": false,
"description": null,
"endpoint_url": null,
"managed_policies": null,
"max_session_duration": null,
"name": "HA-Role-Pacemaker",
"path": null,
"profile": null,
"purge_policies": true,
"purge_tags": true,
"region": "eu-central-1",
"secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"session_token": null,
"state": "present",
"tags": null,
"validate_certs": true,
"wait": true,
"wait_timeout": 120
}
},
"msg": "Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.",
"response_metadata": {
"http_headers":

{ "content-length": "301", "content-type": "text/xml", "date": "Fri, 03 May 2024 08:20:06 GMT", "x-amzn-requestid": "922e49ae-286c-4c03-b673-ed8a22bb13d1" }

,
"http_status_code": 409,
"request_id": "933e49ae-286c-4c03-b673-ed8a66bb13d1",
"retry_attempts": 0
}
}
```

1. 1. 1. Code of Conduct

• [X] I agree to follow the Ansible Code of Conduct