diff --git a/docs/roles/_init.md b/docs/roles/_init.md
index 27d3629e3..0f40180e3 100644
--- a/docs/roles/_init.md
+++ b/docs/roles/_init.md
@@ -27,7 +27,8 @@ _init:
   force_play: false
   lock_file: /tmp/ce-provision-lock
   deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy
-  ce_provision_version: 2.x # Outputted by the _init role at the start of plays.
+  ce_provision_version: 2.x # Outputted by the _init role at the start of plays
+  install_ansible: true # set to false to not install Ansible in a venv
 
   # Although these variables logically belong with ce_provision, the _init role needs to
   # gather the extra variables if there are any, so there are _init variables.
diff --git a/docs/roles/aws/aws_opensearch.md b/docs/roles/aws/aws_opensearch.md
index c27085bfa..f952e3e08 100644
--- a/docs/roles/aws/aws_opensearch.md
+++ b/docs/roles/aws/aws_opensearch.md
@@ -35,6 +35,8 @@ aws_opensearch:
   #      value: 2
   #      unit: "HOURS"
   #    cron_expression_for_recurrence: "cron(0 2 * * *)"
+  wait: true
+  wait_timeout: 1800 # Default is 300 seconds, but in fact the domain becomes available in about 30 minutes.
 
 ```
 
diff --git a/roles/_init/README.md b/roles/_init/README.md
index 27d3629e3..0f40180e3 100644
--- a/roles/_init/README.md
+++ b/roles/_init/README.md
@@ -27,7 +27,8 @@ _init:
   force_play: false
   lock_file: /tmp/ce-provision-lock
   deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy
-  ce_provision_version: 2.x # Outputted by the _init role at the start of plays.
+  ce_provision_version: 2.x # Outputted by the _init role at the start of plays
+  install_ansible: true # set to false to not install Ansible in a venv
 
   # Although these variables logically belong with ce_provision, the _init role needs to
   # gather the extra variables if there are any, so there are _init variables.
diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml
index 8c2646bd8..97a5ad1bf 100644
--- a/roles/_init/defaults/main.yml
+++ b/roles/_init/defaults/main.yml
@@ -17,7 +17,8 @@ _init:
   force_play: false
   lock_file: /tmp/ce-provision-lock
   deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy
-  ce_provision_version: 2.x # Outputted by the _init role at the start of plays.
+  ce_provision_version: 2.x # Outputted by the _init role at the start of plays
+  install_ansible: true # set to false to not install Ansible in a venv
 
   # Although these variables logically belong with ce_provision, the _init role needs to
   # gather the extra variables if there are any, so there are _init variables.
diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml
index 4abe95653..457afa494 100644
--- a/roles/_init/tasks/main.yml
+++ b/roles/_init/tasks/main.yml
@@ -123,23 +123,26 @@
 # Install Ansible under the controller user for all servers
 # Ensure ansible_connection == 'ssh' (i.e. we are connecting to a server) before executing
 - name: Install Ansible.
-  ansible.builtin.include_role:
-    name: debian/user_provision
-  when: ansible_connection == 'ssh'
-
-- name: Install Ansible.
-  ansible.builtin.include_role:
-    name: debian/ansible
-  vars:
-    ce_ansible:
-      venv_path: "{{ _venv_path }}"
-      venv_command: "{{ _venv_command }}"
-      install_username: "{{ _venv_install_username }}"
-      upgrade:
-        enabled: true
-        command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible"
-        on_calendar: "*-*-* 01:30:00"
-        timer_name: "{{ _ce_ansible_timer_name }}"
-      linters:
-        enabled: false
-  when: ansible_connection == 'ssh'
+  when:
+    - ansible_connection == 'ssh'
+    - install_ansible
+  block:
+    - name: Install ce-provision user.
+      ansible.builtin.include_role:
+        name: debian/user_provision
+
+    - name: Install Ansible.
+      ansible.builtin.include_role:
+        name: debian/ansible
+      vars:
+        ce_ansible:
+          venv_path: "{{ _venv_path }}"
+          venv_command: "{{ _venv_command }}"
+          install_username: "{{ _venv_install_username }}"
+          upgrade:
+            enabled: true
+            command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible"
+            on_calendar: "*-*-* 01:30:00"
+            timer_name: "{{ _ce_ansible_timer_name }}"
+          linters:
+            enabled: false
diff --git a/roles/aws/aws_opensearch/README.md b/roles/aws/aws_opensearch/README.md
index c27085bfa..f952e3e08 100644
--- a/roles/aws/aws_opensearch/README.md
+++ b/roles/aws/aws_opensearch/README.md
@@ -35,6 +35,8 @@ aws_opensearch:
   #      value: 2
   #      unit: "HOURS"
   #    cron_expression_for_recurrence: "cron(0 2 * * *)"
+  wait: true
+  wait_timeout: 1800 # Default is 300 seconds, but in fact the domain becomes available in about 30 minutes.
 
 ```