Databricks_secret_scope (with Azure KeyVault back) proper config

Need some help with databricks_secret_scope backed by KeyVault deployment.
Here is my code:

provider "databricks" {
  host                        = azurerm_databricks_workspace.databricks_workspace.workspace_url
  azure_workspace_resource_id =

resource "databricks_secret_scope" "dbatabricks_kv1" {
  name                     = "tf_scope1"
  initial_manage_principal = "users"

  keyvault_metadata {
    resource_id =
    dns_name    = module.kv.uri

resource "databricks_secret_acl" "databricks_acl" {
  principal  = "users"
  permission = "MANAGE"
  scope      =

But during deployment I got the following error:

│ Error: cannot read secret scope: invalid character '<' looking for beginning of value

│ with databricks_secret_scope.dbatabricks_kv1,
│ on line 41, in resource "databricks_secret_scope" "dbatabricks_kv1":
│ 41: resource "databricks_secret_scope" "dbatabricks_kv1" {

What did I miss in this config?

My service principal is, of course, added to the KeyVault access policy to do everything with secrets. Pretty much the same as all other users who are in Databricks - added to KeyVault's ACL.