Azure certificate being recreated with every apply

We’re using an azurerm_app_service_certificate which has its key_vault_secret_id set from a data "azurerm_key_vault_secret".

But every time we apply the Terraform changes, the certificate is being destroyed and then recreated because the key_vault_secret_id is marked as (known after deploy) #forces replacement.

The thing is, the secret is listed as being read only, and we know for a fact it isn’t being recreated or changed, because it’s not controlled by this Terraform run, so it is essentially static.

The names can be reliably reproduced every time and do not vary.

The file:

data "azurerm_key_vault" "key_vault" {
  name                = generated name
  resource_group_name = generated name
}

data "azurerm_key_vault_secret" "key_vault_secret" {
  name         = generated name
  key_vault_id = data.azurerm_key_vault.key_vault.id
}

resource "azurerm_app_service_certificate" "app_service_certificate" {
  name                = generated name
  resource_group_name = generated name
  location            = generated location
  key_vault_secret_id = data.azurerm_key_vault_secret.key_vault_secret.id

  tags = var.tags
}