How to execute Chef on a vsphere_virtual_machine resource now that the chef provisioner has been removed

I’ve been trying to figure out how to migrate a module to run under terraform version 1.x but cannot find any good examples or documentation.

The code below is my starting point - any suggestions on what I need to change?

My Chef knowledge is VERY basic so this https://github.com/hashicorp/terraform-provisioner-migration really doesn’t provide enough information for me to get started.

# Clones a VM from a vSphere template, applies Linux guest customization
# (hostname, domain, static IPs, DNS), then bootstraps the guest over SSH:
# a remote-exec step installs Chef from an internal yum repo and the "chef"
# provisioner registers the node with the Chef server.
#
# The built-in "chef" provisioner is not available in Terraform 1.x, so the
# last provisioner block is the part that has to be replaced when migrating.
resource "vsphere_virtual_machine" "vm" {
  # Drift on these arguments after creation does not trigger an update.
  lifecycle {
    ignore_changes = [
      disk,
      custom_attributes,
      boot_delay
    ]
  }
  name                   = var.node_name
  resource_pool_id       = data.vsphere_compute_cluster.cluster.resource_pool_id
  datastore_cluster_id   = data.vsphere_datastore_cluster.datastore_cluster.id
  guest_id               = data.vsphere_virtual_machine.template.guest_id
  num_cpus               = var.num_cpus
  memory                 = var.memory
  # The three variables are concatenated with no separator, so they presumably
  # carry their own "/" characters - confirm against the variable definitions.
  folder                 = "${var.dc}${var.compute_cluster_name}${var.vm_path}"
  enable_logging         = true
  cpu_hot_add_enabled    = true
  cpu_hot_remove_enabled = true
  memory_hot_add_enabled = true
  enable_disk_uuid       = var.enable_disk_uuid
  # Keys are the IDs of existing vSphere custom attributes (looked up through
  # data sources); values come from module variables and local.expiry.
  custom_attributes = {
    "${data.vsphere_custom_attribute.ApplicationID.id}"   = var.ApplicationID,
    "${data.vsphere_custom_attribute.BackupRequired.id}"  = var.BackupRequired,
    "${data.vsphere_custom_attribute.CreatorSalaryID.id}" = var.CreatorSalaryID,
    "${data.vsphere_custom_attribute.Environment.id}"     = var.Environment,
    "${data.vsphere_custom_attribute.SupportRU.id}"       = var.SupportRU,
    "${data.vsphere_custom_attribute.Squad.id}"           = var.Squad,
    "${data.vsphere_custom_attribute.ExpiryDate.id}"      = local.expiry
  }

  # Create the FRONT NIC on demand if needed.
  # One NIC is emitted per instance of data.vsphere_network.network_front;
  # presumably that data source is declared with count/for_each so it can be empty.
  dynamic "network_interface" {
    for_each = data.vsphere_network.network_front

    content {
      network_id = data.vsphere_network.network_front[network_interface.key].id
    }
  }

  # Each virtual server has at least one NIC (AKA rear NIC).
  network_interface {
    network_id = data.vsphere_network.network_rear.id
  }
  cdrom {
    client_device = "1"
  }
  # Primary disk: size and provisioning settings are copied from the
  # template's first disk.
  disk {
    label            = "disk0"
    size             = data.vsphere_virtual_machine.template.disks.0.size
    eagerly_scrub    = data.vsphere_virtual_machine.template.disks.0.eagerly_scrub
    thin_provisioned = data.vsphere_virtual_machine.template.disks.0.thin_provisioned
  }
  # Additional data disks, one per entry of var.disks. The "+ 1" arithmetic on
  # disk.key implies numeric keys (presumably a list of sizes); labels and
  # unit numbers start at 1 because disk0 / unit 0 is the primary disk above.
  dynamic "disk" {
    for_each = var.disks
    content {
      label       = "disk${disk.key + 1}"
      size        = disk.value
      unit_number = disk.key + 1
    }
  }

  clone {
    template_uuid = data.vsphere_virtual_machine.template.id

    customize {
      linux_options {
        host_name = var.hostname
        domain    = var.domain_name
      }

      # Each entry of var.ipv4_address_list is split on "/": the first part is
      # used as the address and the second as the netmask. An entry without a
      # "/" has no element [1] and will fail evaluation.
      dynamic "network_interface" {
        for_each = var.ipv4_address_list

        content {
          ipv4_address = split("/", network_interface.value)[0]
          ipv4_netmask = split("/", network_interface.value)[1]
        }
      }

      # Only the first gateway in the list is used.
      ipv4_gateway    = var.ipv4_gateway_list[0]
      dns_suffix_list = [var.domain_name]
      dns_server_list = var.dns_server_list
    }
  }

  # Prepares the guest for Chef: sets hostname metadata, adds the internal
  # Chef yum repository, installs the package named by var.chef_version and
  # points the embedded RubyGems at the internal Artifactory mirror.
  #
  # NOTE(review): the ${var.*} values below are substituted by Terraform into
  # the command text before it reaches the remote shell, unquoted, and most of
  # the commands run under sudo. A value containing shell metacharacters would
  # change the command that runs; constrain these variables with validation
  # rules (e.g. hostname / version patterns) where they are declared.
  provisioner "remote-exec" {
    inline = [
      "sudo hostnamectl set-hostname ${var.hostname}.${var.domain_name}",
      "sudo hostnamectl set-location ${var.dc}",
      "sudo hostnamectl set-deployment Terraform-${var.Environment}-${var.CreatorSalaryID}",
      # NOTE(review): gpgcheck=0 turns off RPM signature verification for this
      # repo, so package integrity rests only on the HTTPS connection to
      # Artifactory; prefer gpgcheck=1 with a gpgkey entry for the Chef signing key.
      # NOTE(review): sudo applies to echo only - the ">" redirect is done by the
      # login user's shell into a fixed name under /tmp, and the next command
      # copies that file into /etc/yum.repos.d as root. Writing the file in
      # place (for example via "sudo tee") would avoid the staging file.
      "sudo echo -e '[Chef]\nname=local Chef repository\nbaseurl=https://artifactory.internal.co.nz/yum-chef-remote/el/7/x86_64/\nenabled=1\nfastestmirror_enabled=0\ngpgcheck=0'>/tmp/Chef.repo",
      "sudo cp /tmp/Chef.repo /etc/yum.repos.d/Chef.repo",
      "sudo yum install ${var.chef_version} -y",
      # Below commands are required to allow GEMs to be successfully installed from artifactory2 - which uses SSL.  Required if any cookbooks have gem dependencies as Chef will put GEM installs BEFORE initial Chef runlist
      # "$${" is the HCL escape for a literal "${", so these are shell variables,
      # not Terraform interpolations. For every ssl_certs directory under
      # /opt/chef, each file in /etc/pki/ca-trust/source/anchors is symlinked in
      # as <name>.pem so the embedded RubyGems trusts the same CA anchors as the OS.
      "for geminstall in `find /opt/chef -name ssl_certs`; do sudo mkdir -p $${geminstall}/artifactory.internal.co.nz; for sourcecert in `ls /etc/pki/ca-trust/source/anchors`; do pemfile=`basename $${sourcecert} .crt`; sudo ln -s /etc/pki/ca-trust/source/anchors/$${sourcecert} $${geminstall}/artifactory.internal.co.nz/$${pemfile}.pem; done; done",
      # Replace the public gem source with the internal mirror.
      "sudo /opt/chef/embedded/bin/gem sources -r https://rubygems.org/",
      "sudo /opt/chef/embedded/bin/gem sources -a https://artifactory.internal.co.nz/api/gems/gems-remote/"
    ]

    # SSH connection used to upload and run the generated script.
    # NOTE(review): no host_key is set, so the SSH host key of the new VM is
    # not verified - confirm that is acceptable on the provisioning network.
    connection {
      host        = local.remote_exec_ip
      type        = "ssh"
      user        = var.remote_ssh_user
      private_key = file(var.remote_ssh_key) # key contents are read from the local path in var.remote_ssh_key
      script_path = "/var/tmp/init.sh"       # fixed path the inline script is uploaded to on the guest
    }
  }

  # Registers the node with the Chef server and runs the initial converge with
  # a Policyfile. This provisioner type does not exist in Terraform 1.x; the
  # settings below describe what any replacement has to reproduce.
  provisioner "chef" {
    # Node attributes passed to the first Chef run. The "true" branch merges
    # the basic attributes with themselves, which yields just the basic set.
    # NOTE(review): comparing a typed map variable with the literal {} may not
    # match as intended - verify; merging an empty map gives the same result anyway.
    attributes_json = jsonencode(
      var.chef_node_extra_attributes == {} ?
      merge(local.chef_node_basic_attributes, local.chef_node_basic_attributes) :
      merge(local.chef_node_basic_attributes, var.chef_node_extra_attributes)
    )

    server_url = var.chef_server_url
    node_name  = var.node_name

    use_policyfile = true
    policy_name    = var.policy_name
    policy_group   = var.policy_group
    os_type        = "linux"
    # Lines added to the generated client.rb: accept the Chef license and use
    # the internal gem mirror.
    client_options = [
      "chef_license 'accept'",
      "rubygems_url 'https://artifactory.internal.co.nz/api/gems/gems-remote/'",
    ]
    # Chef is not installed by this provisioner; presumably the yum step in the
    # remote-exec provisioner above has already installed it.
    skip_install            = true
    fetch_chef_certificates = true
    recreate_client         = true
    vault_json              = var.chef_vaults
    user_name               = var.chef_user_name
    # Chef user credential read from local disk. With recreate_client set it
    # presumably needs rights to delete and create clients - scope this user
    # narrowly and keep the key file out of version control.
    user_key                = file(var.private_chef_key)

    # NOTE(review): ":verify_none" disables TLS certificate verification for
    # the Chef server, so the node cannot tell the real server from an
    # impostor while exchanging client keys and vault data. The guest already
    # has CA anchors under /etc/pki/ca-trust/source/anchors (used above for
    # RubyGems); trusting the internal CA and using ":verify_peer" is the
    # safer setting.
    ssl_verify_mode = ":verify_none"

    # Same SSH connection as the remote-exec step, without a custom script_path.
    # NOTE(review): no host_key is set here either - see the review note on
    # the remote-exec connection.
    connection {
      host        = local.remote_exec_ip
      type        = "ssh"
      user        = var.remote_ssh_user
      private_key = file(var.remote_ssh_key)
    }
  }
}