You can disable this via the "bootcmd" cloud-init module. bootcmd runs very early in boot, before the network is brought up, and apt's periodic update cannot run until the network is up, so the setting is already in place before the first update gets a chance to start.
#cloud-config
bootcmd:
- echo 'APT::Periodic::Enable "0";' > /etc/apt/apt.conf.d/10cloudinit-disable
- apt-get -y purge update-notifier-common ubuntu-release-upgrader-core landscape-common unattended-upgrades
- echo "Removed periodic APT updates and Ubuntu 18.04 garbage early" | systemd-cat
Once you ssh into the instance, you should also wait for the final phases of cloud-init to finish before running apt yourself, since cloud-init moves apt sources and lists around while it runs.
# Wait for cloud-init to finish moving apt sources.list around...
# a good source of random failures
# Note this is NOT a replacement for also disabling apt updates via bootcmd
while [ ! -f /var/lib/cloud/instance/boot-finished ]; do
echo 'Waiting for cloud-init to finish...'
sleep 3
done
This is also helpful to see how early the bootcmd runs:
# Show microseconds in systemd journal
journalctl -r -o short-precise
You can verify this worked as follows:
apt-config dump | grep Periodic
# Verify nothing was updated until we run apt update ourselves.
cd /var/lib/apt/lists
sudo du -sh . # should be small: no package lists fetched since the image was built
ls -ltr # timestamps should predate this boot
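The manual checks above are easy to script so an image build fails fast instead of racing apt. The following is an added example and not code from the original page: it bounds the wait loop with a timeout, parses the apt-config dump for the exact line the bootcmd writes, and counts recently modified files under /var/lib/apt/lists. The function names, the timeouts and the sample apt-config output embedded in it are this example's own assumptions; the sample is constructed, not captured from a real instance.

```sh
#!/bin/sh
# Added example (not from the original page): scripted versions of the manual
# checks above. Function names, timeout values and the sample apt-config
# output are assumptions of this example.

# Exit 0 if the apt-config dump saved in FILE shows periodic updates disabled,
# i.e. contains exactly the line the bootcmd wrote: APT::Periodic::Enable "0";
periodic_disabled() {
    grep -q '^APT::Periodic::Enable "0";$' "$1"
}

# Poll for MARKER for up to TIMEOUT seconds. Same idea as the while loop
# above, but bounded: a cloud-init run that never finishes fails the build
# instead of hanging it. Exit 0 when the marker appears, 1 on timeout.
wait_for_marker() {
    marker=$1
    timeout=$2
    waited=0
    while [ ! -f "$marker" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Print how many files under DIR were modified in the last MINUTES minutes.
# On /var/lib/apt/lists this should be 0 until you run apt-get update yourself.
recent_files() {
    find "$1" -type f -mmin "-$2" | wc -l | tr -d ' '
}

# Constructed sample of `apt-config dump | grep Periodic` on an instance where
# the bootcmd ran (not captured from a real machine). Other Periodic keys may
# still be set by other conf.d files; Enable "0" is what makes the daily
# script exit early.
sample_periodic_dump() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Enable "0";
EOF
}

# Run the real checks on a live instance. Only invoked with --run, so the file
# can be sourced or its functions exercised without touching the system.
check_instance() {
    wait_for_marker /var/lib/cloud/instance/boot-finished 600 ||
        { echo "cloud-init did not finish within 10 minutes" >&2; return 1; }
    dump=$(mktemp) || return 1
    apt-config dump > "$dump"
    if ! periodic_disabled "$dump"; then
        echo "APT::Periodic::Enable is not 0; bootcmd did not take effect" >&2
        rm -f "$dump"
        return 1
    fi
    rm -f "$dump"
    n=$(recent_files /var/lib/apt/lists 60)
    if [ "$n" -ne 0 ]; then
        echo "$n file(s) under /var/lib/apt/lists modified in the last hour" >&2
        return 1
    fi
    echo "ok: cloud-init finished, periodic apt disabled, package lists untouched"
}

case "${1:-}" in
    --run) check_instance ;;
esac
```

Run it on the instance with `sh check-apt.sh --run` after ssh-ing in; a non-zero exit means either cloud-init is still running, the bootcmd did not land, or something already fetched package lists. Newer cloud-init versions also ship `cloud-init status --wait`, which blocks until cloud-init is done and can replace the marker-file polling, but the file check above works on any release.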
I thought I also had to run apt-get -y purge update-notifier-common ubuntu-release-upgrader-core landscape-common in the bootcmd, but that does not seem necessary after further testing. But I still think they're garbage, and they also cause additional network activity during ssh login (due to the dynamic MOTD).
Also, removing the unattended-upgrades package is fine, and probably what you want if you're building AMIs for new releases.