Tags: terraform, terraform-provider-azure, terraform0.12+, azure-rm

How to get key vault certificate value correctly in terraform module to create VPN gateway


Objective: Trying to create VPN gateway in Azure via Terraform

Problem Statement: I am not able to get value of Certificate.

Reference documentation : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate_data

Code that I used:

In Main.tf:

resource "azurerm_key_vault" "kv-ab-vgw" {
  name                       = "kv-ab-vgw"
  location                   = azurerm_resource_group.rg[0].location
  resource_group_name        = azurerm_resource_group.rg[0].name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    certificate_permissions = [
      "Create",
      "Delete",
      "DeleteIssuers",
      "Get",
      "GetIssuers",
      "Import",
      "List",
      "ListIssuers",
      "ManageContacts",
      "ManageIssuers",
      "Purge",
      "SetIssuers",
      "Update",
    ]

    key_permissions = [
      "Backup",
      "Create",
      "Decrypt",
      "Delete",
      "Encrypt",
      "Get",
      "Import",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Sign",
      "UnwrapKey",
      "Update",
      "Verify",
      "WrapKey",
    ]

    secret_permissions = [
      "Backup",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "Restore",
      "Set",
    ]
  }
}

resource "azurerm_key_vault_certificate" "kvc" {
  name         = "ab-generated-cert"
  key_vault_id = azurerm_key_vault.kv-ab-vgw.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject            = "CN=VGWCreation"
      validity_in_months = 12
    }
  }
}



data "azurerm_key_vault_certificate_data" "kvcdata" {
  name         = "ab-generated-cert"
  key_vault_id = azurerm_key_vault.kv-ab-vgw.id
}

# VPN

resource "azurerm_virtual_network_gateway" "vpn-gw" {
  name = "vng-ab-hub-dev-we"
  location = azurerm_resource_group.rg[0].location
  resource_group_name = azurerm_resource_group.rg[0].name
  type = "Vpn"
  vpn_type = "RouteBased"
  active_active = true
  enable_bgp = false
  sku = "VpnGw1AZ"
  ip_configuration {
    name = "vnet"
    public_ip_address_id = azurerm_public_ip.vpn-gateway-ip.id
    private_ip_address_allocation = "Static"
    # using gateway subnet for configuring vpn correct ? 
    subnet_id = azurerm_subnet.gw_snet[0].id
  }
  vpn_client_configuration {
    address_space = ["10.xxx.xx.xx/24"]
    root_certificate {
      name = "ab-generated-cert"
      public_cert_data = data.azurerm_key_vault_certificate_data.kvcdata.key
    }
  }
}

Error I get is:

Error: Creating/Updating Virtual Network Gateway: (Name "vng-ab-hub-dev-we" / Resource Group "xx-xx-vnet"): network.VirtualNetworkGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="VpnClientRootCertificateDataInvalid" Message="Data for certificate /subscriptions/xxxxxxx--xxxxx---xxxxxx--xxxxx/resourceGroups/rg-ab-vnet/providers/Microsoft.Network/virtualNetworkGateways/vng-ab-hub-dev-we/vpnClientRootCertificates/ab-generated-cert is invalid." Details=[]
│ 
│   with azurerm_virtual_network_gateway.vpn-gw,
│   on main.tf line 1275, in resource "azurerm_virtual_network_gateway" "vpn-gw":
│ 1275: resource "azurerm_virtual_network_gateway" "vpn-gw" {

The Key Vault is created successfully, and I can see the certificate in it too, but using it when creating the VPN gives "invalid data".

Can someone suggest how to get this fixed?


Solution

  • As mentioned in the comment, you are providing a certificate key, where in fact you need to provide the certificate itself [1]:

    public_cert_data - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers.

    In order for the error to be fixed, you first need to get the value from the data source using the terraform console:

    terraform console
    > data.azurerm_key_vault_certificate_data.kvcdata.pem
    

    After you get the value, you should omit the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers and add it as a value for the public_cert_data argument:

    public_cert_data = <<EOF
    MIIDKDCCAhCgAwIBAgIQPVBXb+qPT/mxZXY0HDo9djANBgkqhkiG9w0BAQsFADAW
    ...
    EOF
    

    Note that it does not matter whether EOF or EOT is used [2], as long as the heredoc rules are followed.


    [1] https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_gateway#public_cert_data

    [2] https://www.terraform.io/language/expressions/strings#heredoc-strings
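The same fix, done inside the configuration rather than by pasting `terraform console` output into a heredoc, as an added example that is not part of the original question or answer. It reuses the resource and data-source names from the question and assumes, as the answer does, that the data source's `pem` attribute holds a single self-signed X.509 certificate (the `regex` capture below takes the first `BEGIN`/`END` block it finds). The `local.root_cert_public_data` name and the `depends_on`-style reference via `azurerm_key_vault_certificate.kvc.name` are my additions.

```hcl
# Added example: derive public_cert_data from the Key Vault data source so the
# certificate body never has to be copied by hand into the .tf file.

data "azurerm_key_vault_certificate_data" "kvcdata" {
  # Referencing the resource (not a literal name) makes Terraform create the
  # certificate before it reads it; the original used the literal "ab-generated-cert".
  name         = azurerm_key_vault_certificate.kvc.name
  key_vault_id = azurerm_key_vault.kv-ab-vgw.id
}

locals {
  # "pem" is the public certificate with its PEM markers. public_cert_data wants
  # only the Base-64 body, so capture what sits between the markers (RE2 syntax,
  # non-greedy so a chain would yield the first certificate only) ...
  root_cert_body = regex(
    "-----BEGIN CERTIFICATE-----\\s*([\\s\\S]*?)\\s*-----END CERTIFICATE-----",
    data.azurerm_key_vault_certificate_data.kvcdata.pem
  )[0]

  # ... and strip the 64-column line breaks so a single Base-64 string remains.
  root_cert_public_data = replace(local.root_cert_body, "/\\s/", "")
}

resource "azurerm_virtual_network_gateway" "vpn-gw" {
  name                = "vng-ab-hub-dev-we"
  location            = azurerm_resource_group.rg[0].location
  resource_group_name = azurerm_resource_group.rg[0].name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = true
  enable_bgp          = false
  sku                 = "VpnGw1AZ"

  ip_configuration {
    name                          = "vnet"
    public_ip_address_id          = azurerm_public_ip.vpn-gateway-ip.id
    private_ip_address_allocation = "Static"
    subnet_id                     = azurerm_subnet.gw_snet[0].id
  }

  vpn_client_configuration {
    address_space = ["10.xxx.xx.xx/24"]
    root_certificate {
      name = azurerm_key_vault_certificate.kvc.name
      # Public certificate only; never the "key" attribute, which is the private key.
      public_cert_data = local.root_cert_public_data
    }
  }
}
```

Two practical consequences of doing it this way: the certificate body is not committed to version control, and when the `AutoRenew` lifetime action in the question rotates the certificate, the next `terraform plan` picks up the new public certificate for the gateway instead of silently keeping a stale pasted value. Note that the data source still writes everything it reads, including the `key` attribute, into Terraform state, so the state backend needs the same protection as the Key Vault itself.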