Key Vault access denied when first created - checking for presence of existing Secret
I guess the issue here is that we need a depends_on on the secret, so that the access policy is in place before Terraform tries to read or write the secret.
# Looks up the identity Terraform is currently authenticated as. Its tenant_id
# and object_id are referenced by the Key Vault and by the access policy.
data "azurerm_client_config" "current" {}
# Resource group that contains the example Key Vault.
resource "azurerm_resource_group" "example" {
  name     = "tom-devrg3"
  location = "West Europe"
}
# Key Vault declared without any inline access_policy block. Data-plane access
# for the deploying identity comes only from the separate
# azurerm_key_vault_access_policy.example resource, so until that resource has
# been applied the vault grants this identity nothing on secrets.
#
# NOTE(review): no network_acls or purge_protection_enabled setting is given,
# so provider defaults apply. Confirm they are acceptable for anything beyond
# a throwaway dev vault.
resource "azurerm_key_vault" "example" {
  name                = "tomdevkv3"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
}
# Grants the identity running Terraform (object_id from azurerm_client_config)
# delete/get/set on secrets in the vault. "get" is the permission behind the
# provider's check for an existing secret; without this policy in place that
# check is denied.
#
# Scope is limited to these three secret permissions; no key or certificate
# permissions are granted.
#
# NOTE(review): the permission-name casing the provider accepts has differed
# between azurerm releases. Confirm against the provider version in use.
resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = [
    "delete",
    "get",
    "set",
  ]
}
# The secret references only azurerm_key_vault.example.id, so Terraform sees
# no implicit dependency on the access policy and may touch the secret before
# the policy exists. The explicit depends_on makes Terraform create the policy
# first, and destroy the secret before the policy is removed.
#
# NOTE(review): the value is a literal in the configuration, so it ends up in
# source control and is also written to Terraform state in plain text. That is
# fine for a reproduction. A real secret should come from a variable marked
# sensitive, with access to the state backend restricted.
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id

  depends_on = [azurerm_key_vault_access_policy.example]
}