diff --git a/customer-managed/azure/terraform/.terraform.lock.hcl b/customer-managed/azure/terraform/.terraform.lock.hcl
index 05b315b..9b30a97 100644
--- a/customer-managed/azure/terraform/.terraform.lock.hcl
+++ b/customer-managed/azure/terraform/.terraform.lock.hcl
@@ -20,3 +20,23 @@ provider "registry.terraform.io/hashicorp/azurerm" {
     "zh:edfb9610552691d6a36691dd6e27b0a0829d72d08eb41bc031a19d4dcf57a6e9",
   ]
 }
+
+provider "registry.terraform.io/hashicorp/time" {
+  version     = "0.13.1"
+  constraints = "~> 0.9"
+  hashes = [
+    "h1:ZT5ppCNIModqk3iOkVt5my8b8yBHmDpl663JtXAIRqM=",
+    "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74",
+    "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f",
+    "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a",
+    "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328",
+    "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8",
+    "zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b",
+    "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0",
+    "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d",
+    "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75",
+    "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5",
+  ]
+}
diff --git a/customer-managed/azure/terraform/key_vaults.tf b/customer-managed/azure/terraform/key_vaults.tf
index 8007011..f1061e0 100644
--- a/customer-managed/azure/terraform/key_vaults.tf
+++ b/customer-managed/azure/terraform/key_vaults.tf
@@ -2,6 +2,18 @@ locals {
   allowed_subnet_ids = [for s in azurerm_subnet.private : s.id]
 }
 
+# Azure requires the Microsoft.KeyVault service endpoint to be fully propagated
+# on a subnet before the subnet ID can be added to a key vault's network ACL.
+# Without this wait, a new subnet's ACL entry is silently dropped by Azure even
+# though Terraform reports success, causing state drift.
+resource "time_sleep" "wait_for_subnet_service_endpoints" {
+  depends_on      = [azurerm_subnet.private]
+  create_duration = "30s"
+  triggers = {
+    subnet_ids = join(",", sort(local.allowed_subnet_ids))
+  }
+}
+
 resource "azurerm_key_vault" "vault" {
   count               = var.redpanda_management_key_vault_name != "" ? 1 : 0
   name                = "${var.resource_name_prefix}${var.redpanda_management_key_vault_name}"
@@ -43,7 +55,7 @@ resource "azurerm_key_vault" "vault" {
 
   tags = var.tags
 
-  depends_on = [azurerm_resource_group.all]
+  depends_on = [azurerm_resource_group.all, time_sleep.wait_for_subnet_service_endpoints]
 }
 
 resource "azurerm_key_vault" "console" {
@@ -87,5 +99,5 @@ resource "azurerm_key_vault" "console" {
 
   tags = var.tags
 
-  depends_on = [azurerm_resource_group.all]
+  depends_on = [azurerm_resource_group.all, time_sleep.wait_for_subnet_service_endpoints]
 }
diff --git a/customer-managed/azure/terraform/providers.tf b/customer-managed/azure/terraform/providers.tf
index 3c7042c..68931d6 100644
--- a/customer-managed/azure/terraform/providers.tf
+++ b/customer-managed/azure/terraform/providers.tf
@@ -1,10 +1,15 @@
 terraform {
   #backend "azurerm" {}
+  required_version = ">= 1.3"
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
       version = "=4.47.0"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = "~> 0.9"
+    }
   }
 }