For the long version, this is a problem because terraform absolutely insists on total hamfisted control of its resources, including libvirt pools. This means that it must create a new one which is necessarily outside of the realm of it's apparmor rules. As such you have to turn that stuff off in the libvirt config file.

Important stuff now that I'm using it to deploy resources.

Other useful things to remember

• hold escape after reboot to get a boot menu to go single-user when using virtual console via virt-manager, etc.
• virsh net dhcp leases default - get the 'local' IPs of the VMs so spawned
• Cloud-init logs live in /var/log/cloud-init*.log
• Overall result lives in /var/lib/cloud/data/result.json, you can read this automatically with your tooling.
• The scripts you run (what you generally care about) live in /var/lib/cloud/instances/$PROVIDER/scripts/runcmd