How to ensure a resource is destroyed before the resources of a certain module in Terraform?



I have a module that sets up default access to a key vault. Then I have a resource that sets secrets in that key vault:

module "default_kv_access" {
  source    = "../default_kv_access"
  key_vault = azurerm_key_vault.kv
}
...
resource "azurerm_key_vault_secret" "secrets" {
  for_each     = local.secrets
  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id
}

On destroy, terraform first destroys the module and then tries to destroy the secrets (wasteful, since the key vault is going to be destroyed anyway, but given).

Anyway, by destroying the module first, terraform removes all the access policies, so when it gets to destroying the azurerm_key_vault_secret resources it fails, because the service principal running the code no longer has the required secret permissions.

What I need is to tell terraform that azurerm_key_vault_secret depends on the default_kv_access module.

So the question is how do I do that, since I can't just mention the module in a depends_on statement.

Edit 1

The module code is:

variable "key_vault" {}
locals {
  ctx = jsondecode(file("${path.root}/../${basename(abspath(path.root)) == "product" ? "" : "../"}metadata.g.json"))
  # Will have to be replaced when the hosting is ready
  hosting_ad_group_name = "AdminRole-Product-DFDevelopmentOps"
}
data "azurerm_client_config" "client" {}
data "azuread_service_principal" "hosting_sp" {
  display_name = local.ctx.HostingAppName
}
data "azuread_group" "hosting_ad_group" {
  name = local.hosting_ad_group_name
}
locals {
  allow_kv_access_to = {
    client = {
      object_id          = data.azurerm_client_config.client.object_id
      secret_permissions = ["get", "set", "list", "delete", "recover", "backup", "restore"]
    }
    hosting_sp = {
      object_id          = data.azuread_service_principal.hosting_sp.object_id
      secret_permissions = ["get", "set", "list", "delete", "recover", "backup", "restore"]
    }
    hosting_ad_group = {
      object_id          = data.azuread_group.hosting_ad_group.id
      secret_permissions = ["get", "list"]
    }
  }
}
resource "azurerm_key_vault_access_policy" "default" {
  for_each           = local.allow_kv_access_to
  key_vault_id       = var.key_vault.id
  tenant_id          = var.key_vault.tenant_id
  object_id          = each.value.object_id
  secret_permissions = each.value.secret_permissions
}

One way I see to do this (using depends_on with a module) is to reference an attribute of the module in a locals block and then depends_on that local reference in the resource. I have done this in some of my own configurations and got the desired result: the resource is not destroyed or created before the module.

Example:

module "default_kv_access" {
  source    = "../default_kv_access"
  key_vault = azurerm_key_vault.kv
}
locals {
  module_depends_on = module.default_kv_access.name
}
resource "azurerm_key_vault_secret" "secrets" {
  depends_on   = [local.module_depends_on]
  for_each     = local.secrets
  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id
}
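As an added example (not from the question or the answer above), the same ordering problem from the question can be solved without the locals indirection on Terraform 0.13 or newer, where `depends_on` accepts a module reference directly. It assumes the module and the `local.secrets` map from the question; nothing in the module itself needs to change.

```hcl
# Root configuration. Assumes Terraform >= 0.13, which allows
# module references inside depends_on.
module "default_kv_access" {
  source    = "../default_kv_access"
  key_vault = azurerm_key_vault.kv
}

resource "azurerm_key_vault_secret" "secrets" {
  for_each     = local.secrets
  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.kv.id

  # Explicit dependency on every resource inside the module, i.e. on all the
  # azurerm_key_vault_access_policy.default instances. Terraform then creates
  # the secrets only after the access policies exist and, on destroy, removes
  # the secrets BEFORE the policies. The policy granting the running
  # service principal "delete" on secrets is therefore still in place when
  # the secrets are deleted, which is exactly the failure described above.
  depends_on = [module.default_kv_access]
}
```

Check the resulting order with `terraform graph` or a `terraform plan -destroy`: the secret instances should now be scheduled for destruction ahead of the module's access policies.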
