Updating Key Vault Secret values and their dependent resources

I’ve been tasked with automating secret rotation within a serverless application deployed by Terraform. I was hoping that I could leverage Terraforms refresh functionality to detect when a tracked sensitive value (i.e. Storage Account SAS Key deployed by terraform) has changed, update the associated Key Vault secret value, then update resources dependent on that secret value (i.e. an APIM Named Value).

I’ve had limited success, but the best I can achieve is having to run Terraform Apply twice, once to fetch the new sensitive value, commit it to state and update the KV Secret, and another to update the dependent resource with the new Secret ID.

Is there any way to get this to work in one Terraform Apply? Is this possibly a bug or just a result of how Terraform works?

This is the bug and it basically makes KeyVault secrets management useless. There’s a bunch of bug reports created but for some reason all of them were closed by Terraform Azure provider developers. See here for example: Change to KeyVault secret does not update dependency · Issue #6743 · hashicorp/terraform-provider-azurerm · GitHub. If you dig further you’ll find more.
There’s no other way to deal with it other than just create a new bug report and mention all previous reports that were closed without any solution.