diff --git a/aws_auth.tf b/aws_auth.tf
index 85ff2a2..0c898d1 100644
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -5,6 +5,8 @@ resource "local_file" "config_map_aws_auth" {
 }
 
 resource "null_resource" "update_config_map_aws_auth" {
+  depends_on = ["aws_eks_cluster.this"]
+
   provisioner "local-exec" {
     command = "kubectl apply -f ${var.config_output_path}config-map-aws-auth_${var.cluster_name}.yaml --kubeconfig ${var.config_output_path}kubeconfig_${var.cluster_name}"
   }
diff --git a/local.tf b/local.tf
index 5ab276e..22920ea 100644
--- a/local.tf
+++ b/local.tf
@@ -6,6 +6,7 @@ locals {
   cluster_security_group_id = "${coalesce(join("", aws_security_group.cluster.*.id), var.cluster_security_group_id)}"
 
   worker_security_group_id = "${coalesce(join("", aws_security_group.workers.*.id), var.worker_security_group_id)}"
+  default_iam_role_id      = "${element(concat(aws_iam_role.workers.*.id, list("")), 0)}"
   kubeconfig_name          = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
 
   workers_group_defaults_defaults = {
@@ -30,7 +31,7 @@ locals {
     autoscaling_enabled           = false                           # Sets whether policy and matching tags will be added to allow autoscaling.
     additional_security_group_ids = ""                              # A comman delimited list of additional security group ids to include in worker launch config
     protect_from_scale_in         = false                           # Prevent AWS from scaling in, so that cluster-autoscaler is solely responsible.
-    iam_role_id                   = "${aws_iam_role.workers.id}"    # Use the specified IAM role if set.
+    iam_role_id                   = "${local.default_iam_role_id}"  # Use the specified IAM role if set.
   }
 
   workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}"