Secondary ip is getting removed on one apply then readded on the subsequent apply. What gives?

I am configuring and aws_network_interface and setting a private ip and requesting a secondary_private_ip. I’m seeing a problem where I run apply once and it adds the secondary IP, then I run apply a second time, and it removes the IP. If I keep running apply, it will add then remove the secondary. I’ve tried adding prevent_destroy to both the aws_network_interface and the aws_instance but it keeps destroying and readding the secondary. Is there anyway to stop this?

Heres my config for the aws_network_interface

 resource "aws_network_interface" "tips_sql_1_secondary_ip" {
  count                 = "${element(var.tips_sql_enabled, 0) ? 1 : 0}"
  subnet_id             = "${element(aws_subnet.data.*.id, 0)}"
  private_ips           = ["${cidrhost(element(aws_subnet.data.*.cidr_block, 0), module.config.data_subnet_tipssql_host_number)}"]
  private_ips_count     = 2
  security_groups       = ["${aws_security_group.tips_sql_serverports.id}", "${aws_security_group.tips_sql_sqlports.id}"]

  lifecycle {
    prevent_destroy     = true
    # ignore_changes            = ["private_ips_count"]
  }
}

Heres the config for the aws_instance that references it.

resource "aws_instance" "tips_sql_1" {
  count                       = "${element(var.tips_sql_enabled, 0) ? 1 : 0}"
  ami                         = "${data.aws_ami.mssql.id}"
  instance_type               = "${element(var.tips_sql_instance_type, 0)}"
  iam_instance_profile        = "${aws_iam_instance_profile.tips_sql_profile.name}"
  key_name                    = "${aws_key_pair.tips_sql_key.id}"
  user_data                   = "${data.template_file.userdata_sql_server_1_setup.rendered}"
  network_interface {
    device_index = 0
    network_interface_id = "${aws_network_interface.tips_sql_1_secondary_ip.id}"
  }
  monitoring                  = true
  disable_api_termination     = "${element(var.tips_sql_disable_api_termination, 0)}"
  root_block_device {
    volume_type               = "gp2"
    volume_size               = "${element(var.tips_sql_root_volume_size, 0)}"
    delete_on_termination     = "${element(var.tips_sql_delete_on_termination, 0)}"
  }
  
  tags = "${merge(
    local.tips_sql_common_tags,
    map("Name","${format("%[1]s-%[2]s", var.name_prefix, element(var.tips_sql_instances, 0))}")
  )}"
    #map("Name","${format(module.config.name_format_var_dif, var.name_prefix, element(var.tips_sql_instances, count.index + 1), var.name_suffix)}")

  lifecycle {
    # prevent_destroy           = true
    # ignore_changes            = ["network_interface"]
  }
}

The output shows that private_ips.# is changed back to 1, but I cant figure out why.

  ~ aws_network_interface.tips_sql_1_secondary_ip
      private_ips.#:                                      "2" => "1"
      private_ips.1802257xxx:                             "10.25.62.xxx" => ""
      private_ips.1954363xxx:                             "10.25.62.xxx" => "10.25.62.xxx"