Openstack_keymanager_secret_v1 marked for destruction/recreation every plan/apply cycle

I’m having an issue with the openstack_keymanager_secret_v1:

resource "openstack_keymanager_secret_v1" "server_cert" {
  name = "server-cert${var.landscape}"
  payload = filebase64("./certs/server-cert${var.landscape}-${var.os_region}.p12")
  secret_type = "opaque"
  payload_content_type = "application/octet-stream"
  payload_content_encoding = "base64"
}

Every time I run a plan or apply, Terraform marks these secrets for replacement, which causes several dependent resources to also be marked for replacement. What am I doing wrong that they are always being replaced?
Here is the output from plan, with some sensitive data removed:

# openstack_keymanager_secret_v1.server_cert must be replaced
-/+ resource "openstack_keymanager_secret_v1" "server_cert" {
    + algorithm = (known after apply)
    ~ all_metadata = {} -> (known after apply)
    ~ bit_length = 0 -> (known after apply)
    ~ content_types = {
         - "default" = "application/octet-stream"
        } -> (known after apply)
    ~ created_at = "2022-02-10T17:35:38Z" -> (known after apply)
    ~ creator_id = (REDACTED) -> (known after apply)
    ~ id = (REDACTED) -> (known after apply)
    + mode = (known after apply)
    name = "server-dev"
    + payload = (sensitive value)
    payload_content_encoding = "base64"
    payload_content_type = "application/octet-stream"
    ~ region = "eu-nl-1" -> (known after apply)
    ~ secret_ref = (REDACTED)) -> (known after apply)
    secret_type = "opaque"
    ~ status = "ACTIVE" -> (known after apply)
    ~ updated_at = "2022-02-10T17:35:41Z" -> (known after apply)

    ~ acl {
        ~ read {
            ~ created_at = "2022-02-10T17:35:41Z" -> (known after apply)
            ~ project_access = true -> (known after apply)
            ~ updated_at = "2022-02-10T17:35:41Z" -> (known after apply)
            ~ users = [
                 - (REDACTED),
                ] -> (known after apply)
        }
    }
}