cloud configured to an unencrypted ami as source for root device but Encrypt EBS root volume is set to be 'encrypted' , once instance is being launched looks like 2 api are beinh sent one is correct ( encrypted ) but the other is not encrypted 

The EC2 Plugin might inject a default (unencrypted) mapping

Even though you i set ebsEncryptRootVolume: ENCRYPTED, the plugin may still include an additional block device mapping based on the AMI's original snapshot (snap-*), and not override encryption on that explicitly.

"userData": "<sensitiveDataRemoved>",
        "instanceType": "t3a.large",
        "blockDeviceMapping": {
            "items": [
                {
                    "deviceName": "/dev/xvda",
                    "ebs":

{                         "snapshotId": "snap-0b7ea4cb7847ae4e7",                         "volumeSize": 10,                         "deleteOnTermination": true,                         "volumeType": "gp3",                         "iops": 3000,                         "encrypted": true,                         "throughput": 125                     }

                },
                {
                    "deviceName": "/dev/xvda",
                    "ebs": {
                        "snapshotId": "snap-0b7ea4cb7847ae4e7",
                        "volumeSize": 10,
                        "deleteOnTermination": true,
                        "volumeType": "gp3",
                        "iops": 3000,
                        "encrypted": false,
                        "throughput": 125