Updating Key Vault Secret values and their dependent resources

I’ve been tasked with automating secret rotation within a serverless application deployed by Terraform. I was hoping that I could leverage Terraforms refresh functionality to detect when a tracked sensitive value (i.e. Storage Account SAS Key deployed by terraform) has changed, update the associated Key Vault secret value, then update resources dependent on that secret value (i.e. an APIM Named Value).

I’ve had limited success, but the best I can achieve is having to run Terraform Apply twice, once to fetch the new sensitive value, commit it to state and update the KV Secret, and another to update the dependent resource with the new Secret ID.

Is there any way to get this to work in one Terraform Apply? Is this possibly a bug or just a result of how Terraform works?