The eks sub-module aws-auth reports Unauthorized #3082

Open
zenbones opened this issue Jun 27, 2024 · 1 comment
@zenbones

Using terraform-aws-modules/eks/aws version 20.14.0 and terraform-aws-modules/eks/aws//modules/aws-auth version 20.15.0, with config...

module "aeks-aws-auth" {
  source  = "terraform-aws-modules/eks/aws//modules/aws-auth"
  version = "20.15.0"

  manage_aws_auth_configmap = true

  aws_auth_roles = [
    {
      rolearn  = data.aws_iam_role.karpenter_instance.arn
      username = "system:node:{{EC2PrivateDNSName}}"
      groups   = ["system:bootstrappers", "system:nodes"]
    },
  ]

  aws_auth_users = var.eks_additional_users
}

I get...

│ Error: Have got the following error while validating the existence of the ConfigMap "aws-auth": Unauthorized
│
│   with module.aeks-aws-auth.kubernetes_config_map_v1_data.aws_auth[0],
│   on .terraform\modules\aeks-aws-auth\modules\aws-auth\main.tf line 31, in resource "kubernetes_config_map_v1_data" "aws_auth":
│   31: resource "kubernetes_config_map_v1_data" "aws_auth" {

This same configuration worked in eks version 19.17.2, when aws-auth was not a sub-module, and the above config was embedded within the eks module definition. My aws provider is...

provider "aws" {
  region = var.aws_region
}

data "aws_caller_identity" "current" {}

...and in 19.17.2 this used to allow both creation of the eks cluster and management of the aws-auth configMap. Now, with the aws-auth submodule, I can create the cluster and destroy the cluster, but not alter the configMap.

Is this a bug in the sub module? Wrong module version? Misconfiguration? Any help appreciated.

@zenbones

Maybe more than a question. Looking at the aws-auth configMap in the aws console, I see the EKS node role in the map, but not myself, as creator of the eks instance. I believe the previous versions of the relevant modules, like the aws console itself, would have added me to the auth map by default.

@zenbones zenbones reopened this Jun 29, 2024