ensure_packages should run apt-get update once, the first time it is used. This is because if the system hasn't been updated for a while, there could be server changes that will cause regular apt-get installs to fail, and will be fixed with an apt-get update.
I suppose that alternatively, it could detect failure, run apt-get update, and retry once.
I've been doing this as part of Fezzik, but it makes sense in Terraform. I'm worried about the overhead though -- on one of our EC2 machines it took 6.35s to run. How would the failure detection work?
We could also allow the user to specify how stale the apt cache can be before an update is needed, like Ansible does.
Another approach is to use Ansible for this kind of stuff :)
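A sketch of how the ideas in this thread could combine: refresh at most once per run, only when the cache is older than a user-set threshold, and otherwise retry a failed install once after an update. This is an added example, not Terraform's or Fezzik's code; the `AptEnsurer` class, its parameters, and the use of the `/var/lib/apt/lists` mtime as the freshness signal are assumptions.

```ruby
# Hypothetical helper (not the Terraform or Fezzik API).
class AptEnsurer
  # Assumption: the mtime of this directory approximates the last index refresh.
  LISTS_DIR = "/var/lib/apt/lists"

  # max_age: seconds the cache may age before an update is forced.
  # runner:  callable that takes an argv array and returns truthy on exit status 0.
  #          Passing argv (no shell string) keeps package names out of a shell.
  def initialize(max_age: 3600, stamp: LISTS_DIR,
                 runner: ->(argv) { system(*argv) }, clock: -> { Time.now })
    @max_age = max_age
    @stamp = stamp
    @runner = runner
    @clock = clock
    @updated = false
  end

  # A missing stamp counts as stale, so a fresh machine always updates first.
  def cache_stale?
    return true unless File.exist?(@stamp)
    (@clock.call - File.mtime(@stamp)) > @max_age
  end

  # Runs apt-get update at most once per AptEnsurer instance.
  def update_once
    @updated ||= !!@runner.call(%w[apt-get update -q])
  end

  def ensure_packages(*packages)
    update_once if cache_stale?
    install = %w[apt-get install -y -q] + packages
    return true if @runner.call(install)
    # Index was already refreshed this run: the failure has another cause.
    return false if @updated
    # Failure detection is just the exit status: update, then retry once.
    update_once && !!@runner.call(install)
  end
end
```

With a fresh cache the 6.35s update cost is only paid when an install actually fails.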