Issue with terraform subsequent runs after updating certificate

We deploy environments in Azure and to ensure certificates are applied have centralized the certificate in keyvault. Using the azurerm_app_service_certificate provider we are now able to add a certificate to the stack during build time, which works fine. We bind the certificate to webapps using a custom powershell script after the terraform run.

I am having issues however whenever the certificate is updated in keyvault, in that it breaks all the terraform deployments referencing it (or the previous certificate at least).

Error: Error deleting App Service Certificate “certificate_name” (Resource Group “ResourceGroupName”): web.CertificatesClient#Delete: Failure sending request: StatusCode=409 – Original Error: autorest/azure: Service returned an error. Status= )

The provider block looks like below:

resource “azurerm_app_service_certificate” “certificate” {
name = var.certificate_name
resource_group_name = var.resource_group
location = var.region
key_vault_secret_id = var.certificate_id

depends_on = [

When certificate is updated the only thing changing is var.certificate_id

Worth noting the certificate automatically updates on the webapps when updated in keyvault, but any further terraform runs do not work. Trashing the entire stack and starting again solves the problem but this is less than ideal. Anyone else seen this and have any suggestions?

Were you able to resolve this issue?
I am facing the same issue. when adding new apps to existing azurerm_app_service_certificate resource. getting a 409 error with no details.