I’m using Terraform Cloud. My script creates several Azure key vaults and also creates access policies to those key vaults for my App Services. For example:
In module key-vault
resource "azurerm_key_vault" "kv" {
  name                        = var.kv_name
  resource_group_name         = var.rg_name
  location                    = var.location
  enabled_for_disk_encryption = var.enabled_for_disk_encryption
  purge_protection_enabled    = var.purge_protection
  sku_name                    = var.sku_name
  soft_delete_retention_days  = var.soft_delete_retention_days
  tenant_id                   = data.azurerm_client_config.current.tenant_id

  access_policy {
    # Grant access to Terraform
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id

    certificate_permissions = [
      "Delete",
      "Get",
      "Import",
      "List",
      "Purge",
      "Update"
    ]

    key_permissions = [
      "Get",
      "List",
      "Purge"
    ]

    secret_permissions = [
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Set"
    ]

    storage_permissions = [
      "Get",
      "List"
    ]
  }

  tags = var.tags
}

output "kv_id" {
  description = "Key vault ID"
  value       = azurerm_key_vault.kv.id
}
In main.tf
module "kv" {
  source   = "./modules/key-vault"
  kv_name  = "my-kv"
  location = azurerm_resource_group.rg.location
  rg_name  = azurerm_resource_group.rg.name
  tags     = azurerm_resource_group.rg.tags
}

resource "azurerm_key_vault_access_policy" "app_service" {
  key_vault_id = module.kv.kv_id
  object_id    = azurerm_app_service.my_app.identity[0].principal_id
  tenant_id    = data.azurerm_client_config.current.tenant_id

  key_permissions = [
    "Get",
    "List"
  ]

  secret_permissions = [
    "Get",
    "List",
    "Set"
  ]

  storage_permissions = [
    "Get",
    "List"
  ]
}
The first time I run the entire script, everything is created correctly. If I run terraform plan again, Terraform says it wants to remove the key vault access policies and does not recreate them. I thought I was misreading it, so I applied it, and yes, Terraform removed the access policies.
Why is Terraform doing this?
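Added example, not the asker's code: the azurerm provider documents that a vault's inline access_policy block and standalone azurerm_key_vault_access_policy resources must not be mixed on the same vault, because each method tries to own the vault's complete policy list, so the inline block on the next plan sees the standalone policy as drift to remove. The configuration below manages every policy, including Terraform's own, as a standalone resource and leaves the vault with no inline block. It flattens the post's module into one file for brevity; the var.* names, the example secret and its variable are placeholders, and the App Service policy is trimmed to read-only on secrets (the post also grants Set; add it back if the app really writes secrets).

```hcl
# Added example: all Key Vault access policies as standalone resources,
# none inline on the vault, so the two mechanisms never fight over the list.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                       = var.kv_name
  resource_group_name        = var.rg_name
  location                   = var.location
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = var.sku_name
  purge_protection_enabled   = var.purge_protection
  soft_delete_retention_days = var.soft_delete_retention_days
  tags                       = var.tags
  # Deliberately no access_policy block here.
}

# Policy for the identity Terraform runs as. Hypothetical, least-privilege
# permission set for a pipeline that only writes secrets; no "Purge".
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["Get", "List", "Set", "Delete", "Recover"]
}

# Policy for the App Service's system-assigned managed identity: read-only.
resource "azurerm_key_vault_access_policy" "app_service" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_app_service.my_app.identity[0].principal_id

  secret_permissions = ["Get", "List"]
}

# Placeholder secret. Because Terraform's own policy is now a separate
# resource, anything Terraform writes into the vault must depend on it
# explicitly, otherwise the first apply can hit a 403 before the policy exists.
variable "example_secret_value" {
  type      = string
  sensitive = true
}

resource "azurerm_key_vault_secret" "example" {
  name         = "example-secret"
  value        = var.example_secret_value
  key_vault_id = azurerm_key_vault.kv.id
  depends_on   = [azurerm_key_vault_access_policy.terraform]
}
```

With this layout a second terraform plan after a clean apply reports no changes, because no resource claims ownership of the whole policy list. Keeping the inline block and adding lifecycle { ignore_changes = [access_policy] } on the vault also stops the removals, but then Terraform no longer detects manual changes to any policy on that vault, which is a weaker control than managing each principal's grant as its own resource.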