diff --git a/docs/data-sources/acl.md b/docs/data-sources/acl.md
index 2c4dcbd5..c6772f13 100644
--- a/docs/data-sources/acl.md
+++ b/docs/data-sources/acl.md
@@ -17,5 +17,6 @@ The acl data source gets the Tailscale ACL for a tailnet
 
 ### Read-Only
 
+- `hujson` (String) The contents of Tailscale ACL as a HuJSON string
 - `id` (String) The ID of this resource.
-- `json` (String) The contents of Tailscale ACL as JSON
+- `json` (String) The contents of Tailscale ACL as a JSON string
diff --git a/docs/resources/acl.md b/docs/resources/acl.md
index 1d069c7d..cc630cb8 100644
--- a/docs/resources/acl.md
+++ b/docs/resources/acl.md
@@ -16,7 +16,7 @@ If tests are defined in the ACL (the top-level "tests" section), ACL validation
 ## Example Usage
 
 ```terraform
-resource "tailscale_acl" "sample_acl" {
+resource "tailscale_acl" "as_json" {
   acl = jsonencode({
     acls : [
       {
@@ -24,9 +24,26 @@ resource "tailscale_acl" "sample_acl" {
         action = "accept",
         users  = ["*"],
         ports  = ["*:*"],
-    }],
+      }
+    ],
   })
 }
+
+resource "tailscale_acl" "as_hujson" {
+  acl = <<EOF
+  {
+    // Comments in HuJSON policy are preserved when the policy is applied.
+    "acls": [
+      {
+        // Allow all users access to all ports.
+        action = "accept",
+        users  = ["*"],
+        ports  = ["*:*"],
+      },
+    ],
+  }
+  EOF
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -34,7 +51,7 @@ resource "tailscale_acl" "sample_acl" {
 
 ### Required
 
-- `acl` (String) The JSON-based policy that defines which devices and users are allowed to connect in your network
+- `acl` (String) The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.
 
 ### Optional
 
diff --git a/examples/resources/tailscale_acl/resource.tf b/examples/resources/tailscale_acl/resource.tf
index 0dd35094..d7a2e1f9 100644
--- a/examples/resources/tailscale_acl/resource.tf
+++ b/examples/resources/tailscale_acl/resource.tf
@@ -1,4 +1,4 @@
-resource "tailscale_acl" "sample_acl" {
+resource "tailscale_acl" "as_json" {
   acl = jsonencode({
     acls : [
       {
@@ -6,6 +6,23 @@ resource "tailscale_acl" "sample_acl" {
         action = "accept",
         users  = ["*"],
         ports  = ["*:*"],
-    }],
+      }
+    ],
   })
 }
+
+resource "tailscale_acl" "as_hujson" {
+  acl = <<EOF
+  {
+    // Comments in HuJSON policy are preserved when the policy is applied.
+    "acls": [
+      {
+        // Allow all users access to all ports.
+        action = "accept",
+        users  = ["*"],
+        ports  = ["*:*"],
+      },
+    ],
+  }
+  EOF
+}
diff --git a/go.mod b/go.mod
index d4f28668..1563b861 100644
--- a/go.mod
+++ b/go.mod
@@ -1,18 +1,15 @@
 module github.com/tailscale/terraform-provider-tailscale
 
-go 1.21
-
-toolchain go1.21.0
+go 1.22.0
 
 require (
-	github.com/google/go-cmp v0.6.0
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/terraform-plugin-docs v0.18.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.32.0
 	github.com/stretchr/testify v1.8.4
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
-	github.com/tailscale/tailscale-client-go v1.15.0
+	github.com/tailscale/tailscale-client-go v1.16.0
 	golang.org/x/tools v0.17.0
 	tailscale.com v1.58.2
 )
@@ -31,6 +28,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/uuid v1.4.0 // indirect
 	github.com/hashicorp/cli v1.1.6 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -75,12 +73,12 @@ require (
 	github.com/zclconf/go-cty v1.14.2 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/crypto v0.19.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/oauth2 v0.14.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/oauth2 v0.17.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
diff --git a/go.sum b/go.sum
index 9ec2742c..253e1e63 100644
--- a/go.sum
+++ b/go.sum
@@ -188,8 +188,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/tailscale-client-go v1.15.0 h1:5M1f7k3nOcRbCC6bs3TLDhWyP/Q6OH455ER88QMN7SI=
-github.com/tailscale/tailscale-client-go v1.15.0/go.mod h1:RMwBhvUj9/L1gGcX4PTEFPDoHIRtsNkGWEwBUrDHoIg=
+github.com/tailscale/tailscale-client-go v1.16.0 h1:mipLVbha5SAVGZT/h3I5qZMrrGXz0iAw4QWXKDfe0l0=
+github.com/tailscale/tailscale-client-go v1.16.0/go.mod h1:v7ssNztaIngJixKoWAgnfhEbzOyRVPI5qT/niBcoI4k=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
@@ -215,8 +215,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -230,10 +230,10 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
-golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -253,8 +253,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
diff --git a/tailscale/data_source_acl.go b/tailscale/data_source_acl.go
index 923fde78..db9a7d4e 100644
--- a/tailscale/data_source_acl.go
+++ b/tailscale/data_source_acl.go
@@ -2,11 +2,11 @@ package tailscale
 
 import (
 	"context"
-	"encoding/json"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
+	"github.com/tailscale/hujson"
 	"github.com/tailscale/tailscale-client-go/tailscale"
 )
 
@@ -18,7 +18,12 @@ func dataSourceACL() *schema.Resource {
 			"json": {
 				Computed:    true,
 				Type:        schema.TypeString,
-				Description: "The contents of Tailscale ACL as JSON",
+				Description: "The contents of Tailscale ACL as a JSON string",
+			},
+			"hujson": {
+				Computed:    true,
+				Type:        schema.TypeString,
+				Description: "The contents of Tailscale ACL as a HuJSON string",
 			},
 		},
 	}
@@ -27,17 +32,21 @@ func dataSourceACL() *schema.Resource {
 func dataSourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
 
-	acl, err := client.ACL(ctx)
+	acl, err := client.RawACL(ctx)
 	if err != nil {
 		return diagnosticsError(err, "Failed to fetch ACL")
 	}
-
-	aclJson, err := json.Marshal(acl)
+	huj, err := hujson.Parse([]byte(acl))
 	if err != nil {
-		return diag.FromErr(err)
+		return diagnosticsError(err, "Failed to parse ACL as HuJSON")
+	}
+	if err := d.Set("hujson", huj.String()); err != nil {
+		return diagnosticsError(err, "Failed to set HuJSON")
 	}
-	if err := d.Set("json", string(aclJson)); err != nil {
-		return diag.Errorf("setting json: %s", err)
+
+	huj.Minimize()
+	if err := d.Set("json", huj.String()); err != nil {
+		return diagnosticsError(err, "Failed to set HuJSON")
 	}
 
 	d.SetId(createUUID())
diff --git a/tailscale/resource_acl.go b/tailscale/resource_acl.go
index 267d6ec7..5c03aac6 100644
--- a/tailscale/resource_acl.go
+++ b/tailscale/resource_acl.go
@@ -1,13 +1,10 @@
 package tailscale
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"
 
-	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -33,12 +30,48 @@ func resourceACL() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
+		CustomizeDiff: func(ctx context.Context, rd *schema.ResourceDiff, m interface{}) error {
+			client := m.(*tailscale.Client)
+			return client.ValidateACL(ctx, rd.Get("acl").(string))
+		},
 		Schema: map[string]*schema.Schema{
 			"acl": {
-				Type:             schema.TypeString,
-				Required:         true,
-				ValidateDiagFunc: validateACL,
-				Description:      "The JSON-based policy that defines which devices and users are allowed to connect in your network",
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.",
+
+				// Field-level validation just checks that it's valid JSON or HuJSON.
+				// Actual contents of the policy is validated by calling the API when
+				// the whole resource is validated in CustomizeDiff.
+				ValidateDiagFunc: func(i interface{}, p cty.Path) diag.Diagnostics {
+					_, err := hujson.Parse([]byte(i.(string)))
+					if err != nil {
+						return diagnosticsErrorWithPath(err, "ACL is not a valid HuJSON string", p)
+					}
+					return nil
+				},
+
+				// Do not show a diff if canonical HuJSON representation of the policy did not
+				// change. We still expect a diff when switching from JSON to HuJSON (or back),
+				// even if there are no semantic changes.
+				DiffSuppressFunc: func(k, oldValue, newValue string, d *schema.ResourceData) bool {
+					old, oldErr := hujson.Format([]byte(oldValue))
+					new, newErr := hujson.Format([]byte(newValue))
+					if oldErr != nil || newErr != nil {
+						return false
+					}
+					return string(old) == string(new)
+				},
+				DiffSuppressOnRefresh: true,
+
+				// Use the canonical HuJSON representation of the policy in Terraform state.
+				StateFunc: func(i interface{}) string {
+					value, err := hujson.Format([]byte(i.(string)))
+					if err != nil {
+						panic(fmt.Errorf("could not parse ACL as HuJSON: %s", err))
+					}
+					return string(value)
+				},
 			},
 			"overwrite_existing_content": {
 				Type:        schema.TypeBool,
@@ -49,45 +82,14 @@ func resourceACL() *schema.Resource {
 	}
 }
 
-func validateACL(i interface{}, p cty.Path) diag.Diagnostics {
-	if _, err := unmarshalACL(i.(string)); err != nil {
-		return diagnosticsErrorWithPath(err, "Invalid ACL", p)
-	}
-	return nil
-}
-
-func sameACL(a, b tailscale.ACL) bool {
-	return cmp.Equal(a, b)
-}
-
 func resourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
-	acl, err := client.ACL(ctx)
+	acl, err := client.RawACL(ctx)
 	if err != nil {
 		return diagnosticsError(err, "Failed to fetch ACL")
 	}
 
-	// If we have ACL content in Terraform state that is equivalent to the ACL
-	// fetched via API, keep the local version. This is to have further changes
-	// diffed against previous version specified by the user, avoiding spurious
-	// diffs caused by potentially different spelling of ACL field names.
-	current := d.Get("acl").(string)
-	if current != "" {
-		cur, err := unmarshalACL(current)
-		if err != nil {
-			return diagnosticsError(err, "Failed to unmarshal current ACL")
-		}
-		if sameACL(cur, *acl) {
-			return nil
-		}
-	}
-
-	aclStr, err := json.MarshalIndent(acl, "", "  ")
-	if err != nil {
-		return diagnosticsError(err, "Failed to marshal ACL for")
-	}
-
-	if err := d.Set("acl", string(aclStr)); err != nil {
+	if err := d.Set("acl", acl); err != nil {
 		return diag.FromErr(err)
 	}
 	return nil
@@ -95,12 +97,7 @@ func resourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{})
 
 func resourceACLCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
-	aclStr := d.Get("acl").(string)
-
-	acl, err := unmarshalACL(aclStr)
-	if err != nil {
-		return diagnosticsError(err, "Failed to unmarshal ACL")
-	}
+	acl := d.Get("acl").(string)
 
 	// Setting the `ts-default` ETag will make this operation succeed only if
 	// ACL contents has never been changed from its default value.
@@ -126,39 +123,14 @@ func resourceACLCreate(ctx context.Context, d *schema.ResourceData, m interface{
 
 func resourceACLUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
-	aclStr := d.Get("acl").(string)
 
 	if !d.HasChange("acl") {
 		return nil
 	}
 
-	acl, err := unmarshalACL(aclStr)
-	if err != nil {
-		return diagnosticsError(err, "Failed to unmarshal ACL")
-	}
-
-	if err := client.SetACL(ctx, acl); err != nil {
+	if err := client.SetACL(ctx, d.Get("acl").(string)); err != nil {
 		return diagnosticsError(err, "Failed to set ACL")
 	}
 
 	return nil
 }
-
-func unmarshalACL(s string) (tailscale.ACL, error) {
-	b, err := hujson.Standardize([]byte(s))
-	if err != nil {
-		return tailscale.ACL{}, err
-	}
-
-	decoder := json.NewDecoder(bytes.NewBuffer(b))
-	decoder.DisallowUnknownFields()
-
-	var acl tailscale.ACL
-	if err = decoder.Decode(&acl); err != nil {
-		return acl, fmt.Errorf("%w. (This error may be caused by a new ACL feature that is not yet supported by "+
-			"this terraform provider. If you're using a valid ACL field, please raise an issue at "+
-			"https://github.com/tailscale/terraform-provider-tailscale/issues/new/choose)", err)
-	}
-
-	return acl, nil
-}
diff --git a/tailscale/resource_acl_test.go b/tailscale/resource_acl_test.go
index eb35a0a9..a83ed8b1 100644
--- a/tailscale/resource_acl_test.go
+++ b/tailscale/resource_acl_test.go
@@ -82,28 +82,28 @@ func TestProvider_TailscaleACL(t *testing.T) {
 	})
 }
 
-// TestProvider_TailscaleACLDiffs checks that ACL keys specified with
-// different casing than the one used by the API client do not result
-// in spurious diffs in Terraform plan.
+// TestProvider_TailscaleACLDiffs checks that changes in whitespace
+// do not cause diffs in the Terraform plan.
 func TestProvider_TailscaleACLDiffs(t *testing.T) {
-	// policyObject returns a map that, when serialized to JSON,
-	// is a valid Tailscale policy with only the "Hosts" field set.
-	policyObject := func(hostsKey string) map[string]map[string]string {
-		return map[string]map[string]string{
-			hostsKey: {"example": "100.101.102.103"},
-		}
-	}
-	policyHCL := func(hostsKey string) string {
-		j, err := json.MarshalIndent(policyObject(hostsKey), "", " ")
+	policyJSON := func(indent string) []byte {
+		j, err := json.MarshalIndent(map[string]map[string]string{
+			"hosts": {"example": "100.101.102.103"},
+		}, "", indent)
 		if err != nil {
 			t.Fatal(err)
 		}
+		return j
+	}
+	toHuJSON := func(j []byte) []byte {
+		return []byte(fmt.Sprintf("// This is a HuJSON policy\n%s", j))
+	}
+	toHCL := func(policy []byte) string {
 		return fmt.Sprintf(
 			`resource "tailscale_acl" "test_acl" {
 				acl = <<EOF
 					%s
 				EOF
-			}`, j)
+			}`, policy)
 	}
 
 	resource.Test(t, resource.TestCase{
@@ -111,20 +111,31 @@ func TestProvider_TailscaleACLDiffs(t *testing.T) {
 		ProviderFactories: testProviderFactories(t),
 		PreCheck: func() {
 			testServer.ResponseCode = http.StatusOK
+			testServer.ResponseBody = []byte("{}")
 		},
 		Steps: []resource.TestStep{
-			testResourceCreated("tailscale_acl.test_acl", policyHCL("hosts")),
+			testResourceCreated("tailscale_acl.test_acl", toHCL(policyJSON(" "))),
 
-			// Now we check that, whatever spelling of "hosts" we use, the
-			// Terraform plan will be empty.
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("hosts"),
+			// Now we check that whitespace changes result in empty plan.
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(policyJSON(" ")),
+				PreConfig: func() {
+					testServer.ResponseBody = policyJSON(" ")
+				},
+			},
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(policyJSON("\t"))},
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(policyJSON("      "))},
+
+			// The same policy in HuJSON will result in a diff.
+			{
+				ResourceName: "tailscale_acl.test_acl", Config: toHCL(toHuJSON(policyJSON("  "))),
+				ExpectNonEmptyPlan: true,
+			},
+			// Further changes in whitespace are not causing a diff.
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(toHuJSON(policyJSON("\t"))),
 				PreConfig: func() {
-					testServer.ResponseBody = policyObject("HOSTS")
+					testServer.ResponseBody = toHuJSON(policyJSON("  "))
 				},
 			},
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("Hosts")},
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("HoStS")},
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("HOSTS")},
 		},
 	})
 }
diff --git a/tailscale/tailscale_test.go b/tailscale/tailscale_test.go
index 58cbb933..b101cf66 100644
--- a/tailscale/tailscale_test.go
+++ b/tailscale/tailscale_test.go
@@ -69,5 +69,11 @@ func (t *TestServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	assert.NoError(t.t, err)
 
 	w.WriteHeader(t.ResponseCode)
-	assert.NoError(t.t, json.NewEncoder(w).Encode(t.ResponseBody))
+	switch body := t.ResponseBody.(type) {
+	case []byte:
+		_, err := w.Write(body)
+		assert.NoError(t.t, err)
+	default:
+		assert.NoError(t.t, json.NewEncoder(w).Encode(body))
+	}
 }