Comment 8 for bug 2013967

Chad Smith (chad.smith) wrote :

The resolution for this security bug is comprised of two fixes: one fix for runtime logic that is run by cloud-init on either first boot or every reboot, and one fix for the downstream packaging postinstall script to allow for patching /run/cloud-init/instance-data.json for systems which may not reboot.

The commits are below:

 1. upstream commit in main to set perms 640 always and redact instance-data.json
https://github.com/canonical/cloud-init/commit/a378b7e4f47375458651c0972e7cd813f6fe0a6b

 2. postinstall downstream fix to perform the same operations across package upgrade
https://github.com/canonical/cloud-init/commit/86606eb493f251899c1c6784e8d26743d6a379d2

Separately, a backport to the Xenial (16.04) packaging postinst for Ubuntu Pro ESM was necessary:
https://github.com/canonical/cloud-init/commit/857d03609e7d180c2b640a73bcdb8089b7be6093