KeyCredentialsInvalidStartDate error when changing azuread_application resource

[avanschie]

I have an azuread_application resource where I'm using password. I'm using a time_rotate resource to managed the password's start_date and end_date, similar to the example in the documentation.

I now modified the application's redirect_uris, and in the terraform output I see that redirect_uris will be updated, as well as the password. It shows that the password will be deleted (-) and created (+). Note: the password's end_date still lies in the future. The password is created with the same start_date as before, which lies in the past. This results in an error in the terraform apply:

KeyCredentialsInvalidStartDate: Key credential start date is invalid.

I don't understand what the expected behavior should be.

1. Should a change to redirect_uris also recreate the password?
2. Is a password's start_date in the past allowed at the time of the password creation?
3. If the answers to 1. is "yes" and 2 is "no", then it looks like time_rotating isn't a solution to managed the password's dates, since whenever there is a change to a field that also recreates the password, we encounter the above error.