Failed to read private key: no key found when provisioning aws_instance

I’m using Terraform 0.14.6 with provider registry.terraform.io/hashicorp/aws v3.26.0.

I have set up a VPC with a bastion server on a public subnet, and two EC2 instances on a private subnet. I’ve set up a security group that allows me to SSH into the bastion server, and from there, into the EC2 instances. I can manually connect to the bastion and the EC2 instances with no problem.

I have also created a Secrets Manager secret to store the private key that allows SSH access into the bastion and EC2 instances. I read the secret string that contains the private key through a data block to provide that private key to the EC2 resource's connection block. I’ve tried that particular secrets_version data block with the ARN and with the name, and regardless, unfortunately, when I try to provision the EC2 instances, I get the "Failed to read private key: no key found" error. At this point I’m simply trying to do the simplest remote-exec I can to see if I can get the connection working.

Everything works except the provisioning. What might I be doing wrong?

My EC2 main.tf:

# Two application instances on the private subnet, reached over SSH through the bastion.
# data.aws_availability_zones.available is declared outside this file.
resource "aws_instance" "app" {
  count             = var.instance_count
  ami               = "ami-0885b1f6bd170450c"
  instance_type     = var.instance_type
  availability_zone = data.aws_availability_zones.available.names[0]

  subnet_id              = var.subnet_id
  key_name               = var.key_name
  vpc_security_group_ids = var.security_group_ids

  # Connection settings used by the provisioner below. private_key must be the
  # PEM text of the key itself (the contents of the key file, newlines included),
  # not a JSON document or a file path.
  connection {
    type         = "ssh"
    user         = "ubuntu"
    bastion_host = var.bastion_host
    private_key  = data.aws_secretsmanager_secret_version.bastion.secret_string
    host         = self.private_dns
  }

  # Minimal smoke test of the SSH connection; on_failure = fail aborts the apply.
  provisioner "remote-exec" {
    inline     = ["sudo bash"]
    on_failure = fail
  }
}

# Look up the secret by name, then fetch its current version (stage AWSCURRENT).
data "aws_secretsmanager_secret" "bastion" {
  name = "Bastion_private_key"
}

data "aws_secretsmanager_secret_version" "bastion" {
  secret_id = data.aws_secretsmanager_secret.bastion.id
}
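The message in the question is what Terraform's SSH communicator reports when Go's ssh.ParseRawPrivateKey runs pem.Decode on the private_key value and finds no "-----BEGIN ...-----" / "-----END ...-----" block. That happens whenever secret_string is not the bare PEM text: most often because the secret was created as a key/value (JSON) secret rather than a plaintext one, or because the key's newlines were flattened into literal "\n" sequences on the way in. The script below is an added example, not part of the question or of Terraform; it applies the same framing check to a secret string and reports which of those shapes it found. The function name normalize_private_key and the key body in FAKE_PEM are mine (the body is constructed base64 filler, not a real key).

```python
"""Diagnose 'Failed to read private key: no key found' for a Secrets Manager
secret that is meant to hold an SSH private key.

Terraform hands private_key to Go's ssh.ParseRawPrivateKey, which first calls
pem.Decode; if no PEM block is found the error is 'no key found'.  This
script checks the usual reasons a secret_string fails that step:
  1. the secret was stored as a JSON key/value object, so the string is JSON;
  2. the newlines in the key were flattened into the two characters '\\n';
  3. the secret holds something that is not PEM at all.
Only the PEM framing is checked here, as pem.Decode does; a well-framed but
corrupt key would fail later in Terraform with a different error.
"""
import json
import re
from typing import Optional, Tuple

# One PEM block as pem.Decode accepts it: matching BEGIN/END labels and a
# body of base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)*-----END \1-----"
)


def normalize_private_key(
    secret_string: str, json_key: Optional[str] = None
) -> Tuple[str, Optional[str]]:
    """Return (status, pem_text).

    status is one of:
      'ok'               secret_string already is a PEM key
      'json-wrapped'     key found inside a JSON object (in HCL, read it with
                         jsondecode(secret_string)["<key>"] instead)
      'escaped-newlines' key contained literal \\n sequences; unescaped copy returned
      'no key found'     nothing pem.Decode would accept; pem_text is None
    """
    candidate = secret_string
    status = "ok"

    # Case 1: a key/value secret is stored as a JSON object.
    stripped = candidate.strip()
    if stripped.startswith("{"):
        try:
            obj = json.loads(stripped)
        except json.JSONDecodeError:
            return "no key found", None
        if isinstance(obj, dict):
            if json_key is not None:
                candidate = str(obj.get(json_key, ""))
            else:
                # Take the first value that looks like a PEM block.
                candidate = next(
                    (v for v in obj.values()
                     if isinstance(v, str) and "-----BEGIN" in v),
                    "",
                )
            status = "json-wrapped"

    # Case 2: newlines flattened to a literal backslash-n, e.g. by pasting
    # the key onto one line when creating the secret.
    if "\\n" in candidate and "\n" not in candidate:
        candidate = candidate.replace("\\n", "\n")
        if status == "ok":
            status = "escaped-newlines"

    candidate = candidate.strip() + "\n"
    if PEM_BLOCK.search(candidate) is None:
        return "no key found", None
    return status, candidate


# Constructed, non-functional key body for demonstration only (not a real key).
FAKE_PEM = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\n"
    "QUFBQUFBQUFBQUFB\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Constructed secret_string values covering each storage shape.
SAMPLES = {
    "plaintext secret": FAKE_PEM,
    "key/value secret": json.dumps({"Bastion_private_key": FAKE_PEM}),
    "escaped newlines": FAKE_PEM.replace("\n", "\\n"),
    "wrong secret": "hunter2",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        status, _ = normalize_private_key(value)
        print(f"{name:18s} -> {status}")
```

If the script reports json-wrapped for the real secret, the HCL fix is to index the decoded object, e.g. private_key = jsondecode(data.aws_secretsmanager_secret_version.bastion.secret_string)["Bastion_private_key"], or to recreate the secret as a plaintext secret from the key file (aws secretsmanager create-secret --secret-string file://key.pem) so newlines survive. Note that whatever the data source returns is recorded in the Terraform state file in clear text, so the state backend has to be protected at least as well as the Secrets Manager secret.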