Suhas Chandrashekar
We are getting an error when enabling TDE on Azure SQL via Terraform

I am running a Terraform script that does the following:

  1. Creates the primary server.
  2. Enables SQL/AD login.
  3. Creates the database(s).
  4. Enables the failover groups (during this step it also creates a secondary server and replicates the databases).
  5. Assigns the user-managed identity to both the primary and secondary SQL servers.

Now, I have a flag defined as `is_transparent_data_encryption_enabled`, which is false by default. When I set it to true, it generates the following plan:

```
  # azurerm_mssql_server.primary will be updated in-place
  ~ resource "azurerm_mssql_server" "primary" {
        id                                           = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/sc-sql-msi-poc/providers/Microsoft.Sql/servers/sqlautopocdemo"
        name                                         = "sqlautopocdemo"
      + transparent_data_encryption_key_vault_key_id = (known after apply)
        # (12 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # azurerm_mssql_server.secondary[0] will be updated in-place
  ~ resource "azurerm_mssql_server" "secondary" {
        id                                           = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/sc-sql-msi-poc/providers/Microsoft.Sql/servers/sqlautopocdemo-secondary-new"
        name                                         = "sqlautopocdemo-secondary-new"
      + transparent_data_encryption_key_vault_key_id = (known after apply)
        # (12 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }
```

But when I run `terraform apply`, it fails with the error message shown further below.

I tried running it again after an hour too, considering it might take some time for the user-managed identity's access policies to be reflected, but it still does not work.

I also tried enabling it on the secondary first (as mentioned in the Microsoft documentation) and on the primary first too. Both fail.

Any suggestions/inputs as soon as possible would be helpful, please.

###############################################################################################

Tried: Enabling TDE on SQL servers where failover groups are enabled. But it is failing with this error:

```
│ Error: updating Server (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "sc-sql-msi-poc"
│ Server Name: "sqlautopocdemo"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
│
│ Status: "SameKeyMaterialNotFoundOnRemoteServer"
│ Code: ""
│ Message: "All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."
│ Activity Id: ""
│
│ ---
│
│ API Response:
│
│ ----[start]----
│ {"name":"79d84913-ea6d-43c4-ba5c-20ccb225003f","status":"Failed","startTime":"2024-05-04T12:09:03.687Z","error":{"code":"SameKeyMaterialNotFoundOnRemoteServer","message":"All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."}}
│ -----[end]-----
│
│
│   with azurerm_mssql_server.primary,
│   on azure_sql.tf line 48, in resource "azurerm_mssql_server" "primary":
│   48: resource "azurerm_mssql_server" "primary" {
```

Expectations: I need suggestions on what the problem is here, as all the prerequisites are covered. TDE should be enabled on the primary and secondary servers. Thank you.

Upvotes: 0
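The following HCL is an added illustration, not the question's code or an answer to it: it sketches the arrangement the error message describes (both geo-replicated servers registered with the same Key Vault key, the user-assigned identity granted wrap/unwrap rights, and the primary's protector applied only after the key exists on the secondary, the order the question says the Microsoft documentation gives). It assumes the `azurerm_mssql_server.primary` and `azurerm_mssql_server.secondary[0]` resources from the question already carry the user-assigned identity, and that `var.location`, `var.resource_group_name` and a `data.azurerm_client_config.current` block exist; the key id is set through the separate TDE resource rather than on the server resources so that `depends_on` can express the ordering.

```hcl
# Added example (not the question's code). Names and variables are assumed placeholders.
resource "azurerm_key_vault" "tde" {
  name                       = "example-tde-kv"
  location                   = var.location
  resource_group_name        = var.resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true # SQL TDE customer-managed keys require purge protection
}

resource "azurerm_user_assigned_identity" "sql" {
  name                = "example-sql-umi"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# The identity assigned to BOTH servers needs Get/WrapKey/UnwrapKey on the vault.
resource "azurerm_key_vault_access_policy" "sql_umi" {
  key_vault_id    = azurerm_key_vault.tde.id
  tenant_id       = data.azurerm_client_config.current.tenant_id
  object_id       = azurerm_user_assigned_identity.sql.principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_key_vault_key" "tde" {
  name         = "example-key"
  key_vault_id = azurerm_key_vault.tde.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

# Register the SAME key (hence the same key material) on the secondary first ...
resource "azurerm_mssql_server_transparent_data_encryption" "secondary" {
  server_id        = azurerm_mssql_server.secondary[0].id
  key_vault_key_id = azurerm_key_vault_key.tde.id
}

# ... and only then make it the encryption protector of the primary.
resource "azurerm_mssql_server_transparent_data_encryption" "primary" {
  server_id        = azurerm_mssql_server.primary.id
  key_vault_key_id = azurerm_key_vault_key.tde.id
  depends_on       = [azurerm_mssql_server_transparent_data_encryption.secondary]
}
```

The principal running Terraform also needs its own key-create permission on the vault (its access policy is omitted above), and the same `azurerm_key_vault_key.tde.id` must be referenced from both TDE resources so the two servers never point at different key versions.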

Answers (0)