User_data template_file extra quotes when running cloud-init script


I’m finding extra quotes and double quotes turning into single quotes once run as part of cloud-init, and I’m not sure why or if there is a way around it.

Terraform Version

Terraform v0.13.5
+ provider v2.0.0
+ provider v3.22.0
+ provider v2.2.0
+ provider v2.1.0

Terraform Configuration Files

data template_file "BastionHostUserData" {
  template = file("${path.module}/scripts/")
  vars = {
    Region           =
    SshKeysParam     = var.BastionHostPubKeysName
    BastionHostname  = lower("bastion.${terraform.workspace}.staging.${var.Route53ZonePubName}")
    Prompt           = terraform.workspace
    DbMasterPassword = var.DbMasterPassword
    DbHostname       = var.DbHostname
    DbAppUser        = var.DbAppUser
    DbAppPassword    = var.DbAppPassword

Relevant portion within the user_data script:

  mysql -u root -p"${DbMasterPassword}" -h ${DbHostname} -Be "CREATE USER \'${DbAppUser}\'@\'%\' IDENTIFIED BY \'${DbAppPassword}\';"
  mysql -u root -p"${DbMasterPassword}" -h ${DbHostname} -Be "GRANT ALL ON database.* TO \'${DbAppUser}\'@\'%\';"

I've also tried:

  mysql -u root -p"${DbMasterPassword}" -h ${DbHostname} -Be "CREATE USER '${DbAppUser}'@'%' IDENTIFIED BY '${DbAppPassword}';"
  mysql -u root -p"${DbMasterPassword}" -h ${DbHostname} -Be "GRANT ALL ON database.* TO '${DbAppUser}'@'%';"

Expected Behavior

I would expect the commands to run out as follows:

mysql -u root -p"${var1}" -h ${var2} -Be "CREATE USER \'${var3}\'@\'%\' IDENTIFIED BY \'${var4}\';"
Needs to translate to:
mysql -u root -pValueOfVar1 -h ValueOfVar2 -Be "CREATE USER 'ValueOfVar3'@'%' IDENTIFIED BY 'ValueOfVar4';"

When I omit trying to escape the single quote, the command fails completely and the single quote is omitted.
Weirdly enough, if I echo the command output, it seems the strings are expanding to what I want, but for whatever reason Terraform is doing something different when it actually runs.

Actual Behavior

Instead I get output like the following:
'CREATE USER '\''xxx'\''@'\''@'\'' IDENTIFIED BY '\''xxxxxxxx'\'''

Is there a way for me to pass in data into my script to allow for what I need above?

Steps to Reproduce

Duplicate the script and attach it to an AWS EC2 instance and parse the log or watch for the error.
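
The `'...'\''...'` pattern under "Actual Behavior" is the form bash uses when it prints a traced command (`set -x`) whose argument contains single quotes. The following added example (not part of the original post) shows what that display form corresponds to and what the `\'` variant actually passes. It assumes the logged output came from shell tracing; `received_arg`, `trace_of`, `untrace` and the user/password values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample: the SQL argument after Terraform has filled in the
# template variables (user name and password are made-up values).
PLAIN="CREATE USER 'appuser'@'%' IDENTIFIED BY 'examplepw';"
# The same line written with \' inside the double quotes (first attempt).
ESCAPED="CREATE USER \'appuser\'@\'%\' IDENTIFIED BY \'examplepw\';"

# Hypothetical stand-in for the mysql client: returns the argument it received.
received_arg() { printf '%s' "$1"; }

# What bash's xtrace prints for a command that receives "$1" as one argument.
# ':' is a no-op builtin, so nothing is executed with the value.
trace_of() {
  PS4='+ ' bash -xc ': "$1"' _ "$1" 2>&1 | sed -n '1s/^+* : //p'
}

# Parse a traced word back through the shell to recover the real argument.
# eval is applied only to the trace of the constructed strings above; do not
# eval log text that you do not control.
untrace() { eval "printf '%s' $1"; }

demo() {
  printf 'argument received : %s\n' "$(received_arg "$PLAIN")"
  printf 'as shown by set -x: %s\n' "$(trace_of "$PLAIN")"
  printf 'trace parsed back : %s\n' "$(untrace "$(trace_of "$PLAIN")")"
  # Inside double quotes the shell keeps the backslash before a single quote,
  # so the backslashes are part of the SQL text the client receives.
  printf 'with \\'"'"' escapes   : %s\n' "$(received_arg "$ESCAPED")"
}

demo
```

The traced form and the unescaped double-quoted form are the same argument; only the version with `\'` changes what the client receives, because the backslashes are passed through literally.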