Azure - AppService + KeyVault gives circular dependency

I’m trying to use the Azure provider to provision the infrastructure. I’ve got the same process working via the AzureCLI, but want to move to Terraform.

Unfortunately, I’ve hit a circular dependency that I can’t seem to resolve. I’ve got the following items.

  1. Cognitive service with a generated API key
  2. AppService with a SystemAssigned identity;
  3. Keyvault, with the identity assigned in (2) given read access;
  4. Keyvault secret with the API key generated in (1).
  5. AppService in (2) needs to be updated with the secret Id generated in (5). - Problem.

Now: I need to set the configuration of the AppService to reference the secret Id that I generate when adding to the vault, but I can’t.

Is there a way to edit these values so the configuration can be set up in parts? ie provision x then modify?