Ubuntu 18.04 AWS images - and probably other Cloud images as well - have automated upgrades turned on. This is done via two systemd timers, apt-daily.timer and apt-daily-upgrade.timer. The timers kick of periodically as well as when an instance is rebooted. This sounds reasonable until you are provisioning something: you're unable to install or configure any packages while apt and/or dpkg are running. With a really fresh cloud base image this may not be an issue, but when the base image gets sufficiently old then apt-get upgrade starts taking enough time to cause issues.
There are two approaches to solving this problem. The first is make your provisioning scripts wait until all the apt and dpkg processes have finished. This is what our wait_for_apt.sh script does. Unfortunately that script is currently unable to catch cases where the debconf database is locked.
Another option is to override some of the apt-daily.timer settings to delay the launch of the commands that would lock apt, dpkg and debconf. This can be done by creating an override file, /etc/systemd/system/apt-daily.timer.d/override.conf, with contents like this (courtesy of AskUbuntu):
[Timer] OnBootSec=15min OnUnitActiveSec=1d AccuracySec=1h RandomizedDelaySec=30min
The timer that actually runs "apt-get upgrade" does not need to be modified, because it is configured to start after apt-daily.timer.