How to renew a Key Vault backed Cert in an Azure App Service Custom Hostname Binding

I am struggling with the renewal process for a certificate stored in Key Vault for an Azure App Service. Here is what I have:

1 - azurerm_app_service_certificate resource using a cert stored in Azure Key Vault
2 - App Service using this certificate for a custom hostname binding

This works fine.

Now the certificate is up for renewal, so I have created a new version of the certificate in Azure Key Vault. When I run Terraform Plan, it wants to create the new azurerm_app_service_certificate resource because it detects a new version of the certificate in the Key Vault. This is where it goes wrong: it cannot delete the existing resource because it is used by the App Service, and I can't remove the version of the certificate from the Key Vault because Azure doesn't support removing versions.

To get around this, I ended up hardcoding the Cert ID into my Hostname binding rather than using a data source to look it up. I then created a new Key Vault Certificate for the new cert, so now I have in Key Vault something like:

This seems like a very clunky way of working and I wondered if I am missing something here, or whether the way I am doing it is the only way to renew a certificate at expiry time. For reference, here is how I reference the 2 resources:

resource "azurerm_app_service_certificate" "engineering-2020-21" {
  name                = "star-eng-company-com"
  resource_group_name = "<value omitted in original post>"
  location            = var.resourceGroupLocation
  key_vault_secret_id = "<value omitted in original post>"
}

resource "azurerm_app_service_custom_hostname_binding" "integration-forms" {
  hostname            = "<value omitted in original post>"
  app_service_name    = "<value omitted in original post>"
  resource_group_name = data.terraform_remote_state.internal-common.outputs.internal-rg-ui
  ssl_state           = "SniEnabled"
  thumbprint          = data.terraform_remote_state.internal-common.outputs.starengcertthumbprint
}

For the above the 2 resources are managed by different state files and the thumbprint is outputted from the azurerm_app_service_certificate resource.
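A drift check for the situation described in this post, added here as an example and not part of the original question or of the Terraform provider: it compares the thumbprint of the latest Key Vault certificate version with the thumbprints on the App Service's SNI hostname bindings, flags any binding still pinned to an older version, and lists uploaded App Service certificates nearing expiry. The `az` calls in `report()` assume a logged-in Azure CLI; the resource names, hostnames and thumbprints in the sample data are constructed.

```python
"""Flag App Service hostname bindings still pinned to an older Key Vault certificate version."""
import json
import subprocess
from datetime import datetime, timedelta

def az_json(args):
    """Run an Azure CLI command (assumes `az login` has already been done) and parse its JSON output."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def normalise(thumbprint):
    """Key Vault and App Service print thumbprints differently; compare case- and colon-insensitively."""
    return (thumbprint or "").replace(":", "").upper()

def stale_bindings(latest_kv_thumbprint, bindings):
    """Hostnames whose SNI binding uses a thumbprint other than the latest Key Vault version."""
    latest = normalise(latest_kv_thumbprint)
    return sorted(b["name"] for b in bindings
                  if b.get("sslState") == "SniEnabled" and normalise(b.get("thumbprint")) != latest)

def expiring_soon(certs, now_iso, days=30):
    """Thumbprints of App Service certificates that expire within `days` of `now_iso` (tz-aware ISO 8601)."""
    cutoff = datetime.fromisoformat(now_iso) + timedelta(days=days)
    return sorted(normalise(c["thumbprint"]) for c in certs
                  if datetime.fromisoformat(c["expirationDate"].replace("Z", "+00:00")) <= cutoff)

# Constructed sample data shaped like the az output queried in report() below (not real values).
SAMPLE_BINDINGS = [
    {"name": "forms.eng.example.com", "sslState": "SniEnabled", "thumbprint": "AAAA1111"},
    {"name": "api.eng.example.com", "sslState": "SniEnabled", "thumbprint": "BBBB2222"},
    {"name": "app.azurewebsites.net", "sslState": "Disabled", "thumbprint": None},
]
SAMPLE_CERTS = [
    {"thumbprint": "AAAA1111", "expirationDate": "2021-01-15T00:00:00+00:00"},
    {"thumbprint": "BBBB2222", "expirationDate": "2022-01-15T00:00:00+00:00"},
]
LATEST_KV_THUMBPRINT = "bbbb2222"  # constructed x509ThumbprintHex of the newest Key Vault version

def report(app, rg, vault, cert_name):
    """Live version: query Azure and return (stale hostnames, thumbprints expiring within 30 days)."""
    latest = az_json(["keyvault", "certificate", "show", "--vault-name", vault, "-n", cert_name,
                      "--query", "x509ThumbprintHex"])
    bindings = az_json(["webapp", "config", "hostname", "list", "--webapp-name", app, "--resource-group", rg])
    certs = az_json(["webapp", "config", "ssl", "list", "--resource-group", rg])
    now = datetime.now().astimezone().isoformat()
    return stale_bindings(latest, bindings), expiring_soon(certs, now)
```

On the sample data, `stale_bindings(LATEST_KV_THUMBPRINT, SAMPLE_BINDINGS)` returns `['forms.eng.example.com']`, i.e. the binding that Terraform would still be holding on the old version's thumbprint.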