Creating a function app with system assigned identity and adding it as a key vault access policy in one run

I am defining my azurerm_function_app with a SystemAssigned identity block.
In the same update to the environment, I want to add the SystemIdentity that will be created to my azure key vault access policy list.
I receive: The argument "object_id" is required, but no definition was found.

resource "azurerm_key_vault_access_policy" "ingest-function-app-smi" {
  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current_client_config.tenant_id
  object_id    = azurerm_function_app.function-app-ingest.identity[0].principal_id

  secret_permissions = ["Get", "List"]
}

I know that if i create the identity manually or before I try to add it to the key vault, it’s ok. But I’m trying to do them inline.

resource "azurerm_function_app" "function-app-ingest" {
  name                       = "${local.resource-name-prefix}-ingest-fn"
  location                   = var.resource-location
  resource_group_name        = local.resource-group-name
  app_service_plan_id        = azurerm_app_service_plan.function-app-sp.id
  storage_account_name       = azurerm_storage_account.ingest-storage-account.name
  storage_account_access_key = azurerm_storage_account.ingest-storage-account.primary_access_key
  os_type                    = "linux"
  https_only                 = true
  client_cert_mode           = "Required"
  enable_builtin_logging     = false
  version                    = var.app-service-plan-version

  identity {
    type = "SystemAssigned"
  }
  tags = merge(local.common_tags, tomap({ "type" = "function-app" }))
}

I tried to toss a depends_on block on the key vault access policy, but that doesn’t change the resulting output. What’s the best way to do this?