Consul TF Provider - Using ca_pem from Vault as variable

I’m trying to use the consul terraform provider to write a consul config entry.
I’m setting the provider with:

provider "consul" {
  datacenter = var.west_region
  address    = var.consul_address
  token      = var.consul_token
  ca_pem = var.consul_ca_pem

The variables are pulled from Vault & set as TF_VAR_consul_...environment variables before performaing a terraform plan. But the ca_pem variable doesn’t parse. tf plan returns
Error: Failed to create http client: Error appending CA: Couldn't parse PEM

Should it be possible to do this?

If I write the CA to a file, I can use the provider with ca_file = <path-to-file> rather than ca_pem, but I’d rather keep it as a variable. What am I missing about using ca_pem ?