From 6fbf46c7db81713d905040e2b3168506dca664cc Mon Sep 17 00:00:00 2001
From: Anton Tolchanov <anton@tailscale.com>
Date: Wed, 14 Feb 2024 14:48:29 +0000
Subject: [PATCH] tailscale: support policies as HuJSON

The `acl` argument of the `tailscale_acl` resource can now be a HuJSON
string. Instead of unmarshalling `acl` into an `ACL` struct of the [API
client](https://github.com/tailscale/tailscale-client-go) just to have
the client serialize it into JSON again, policy content gets passed
to the Tailscale API verbatim.

This allows users to define their policy as HuJSON strings, with
comments being preserved. Since JSON is a subset of HuJSON, this is
backwards compatible, so I am not adding a separate field for this as
has been previously suggested in #227.

Validation is now performed by calling the [Validate and test policy
file](https://github.com/tailscale/tailscale/blob/main/api.md#validate-and-test-policy-file)
API, which will help catch any semantic errors in the policy at
`terraform plan` stage (for example, when a syntactically correct policy
contains configuration that is not supported by the Tailnet's current
[pricing plan](https://tailscale.com/pricing)).

Finally, this will also allow users to use new fields in the policy
without requiring a new release of the Terraform provider.

I've also added a new `hujson` field to the `tailscale_acl` data
resource that shows current policy as a HuJSON string.

Fixes #331
Fixes #227

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
---
 docs/data-sources/acl.md                     |   3 +-
 docs/resources/acl.md                        |  23 +++-
 examples/resources/tailscale_acl/resource.tf |  21 +++-
 go.mod                                       |  16 ++-
 go.sum                                       |  20 ++--
 tailscale/data_source_acl.go                 |  25 ++--
 tailscale/resource_acl.go                    | 116 +++++++------------
 tailscale/resource_acl_test.go               |  53 +++++----
 tailscale/tailscale_test.go                  |   8 +-
 9 files changed, 158 insertions(+), 127 deletions(-)

diff --git a/docs/data-sources/acl.md b/docs/data-sources/acl.md
index 2c4dcbd5..c6772f13 100644
--- a/docs/data-sources/acl.md
+++ b/docs/data-sources/acl.md
@@ -17,5 +17,6 @@ The acl data source gets the Tailscale ACL for a tailnet
 
 ### Read-Only
 
+- `hujson` (String) The contents of Tailscale ACL as a HuJSON string
 - `id` (String) The ID of this resource.
-- `json` (String) The contents of Tailscale ACL as JSON
+- `json` (String) The contents of Tailscale ACL as a JSON string
diff --git a/docs/resources/acl.md b/docs/resources/acl.md
index 1d069c7d..79fd84f4 100644
--- a/docs/resources/acl.md
+++ b/docs/resources/acl.md
@@ -16,7 +16,7 @@ If tests are defined in the ACL (the top-level "tests" section), ACL validation
 ## Example Usage
 
 ```terraform
-resource "tailscale_acl" "sample_acl" {
+resource "tailscale_acl" "as_json" {
   acl = jsonencode({
     acls : [
       {
@@ -24,9 +24,26 @@ resource "tailscale_acl" "sample_acl" {
         action = "accept",
         users  = ["*"],
         ports  = ["*:*"],
-    }],
+      },
+    ],
   })
 }
+
+resource "tailscale_acl" "as_hujson" {
+  acl = <<EOF
+  {
+    // Comments in HuJSON policy are preserved when the policy is applied.
+    "acls": [
+      {
+        // Allow all users access to all ports.
+        action = "accept",
+        users  = ["*"],
+        ports  = ["*:*"],
+      },
+    ],
+  }
+  EOF
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
@@ -34,7 +51,7 @@ resource "tailscale_acl" "sample_acl" {
 
 ### Required
 
-- `acl` (String) The JSON-based policy that defines which devices and users are allowed to connect in your network
+- `acl` (String) The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.
 
 ### Optional
 
diff --git a/examples/resources/tailscale_acl/resource.tf b/examples/resources/tailscale_acl/resource.tf
index 0dd35094..29933933 100644
--- a/examples/resources/tailscale_acl/resource.tf
+++ b/examples/resources/tailscale_acl/resource.tf
@@ -1,4 +1,4 @@
-resource "tailscale_acl" "sample_acl" {
+resource "tailscale_acl" "as_json" {
   acl = jsonencode({
     acls : [
       {
@@ -6,6 +6,23 @@ resource "tailscale_acl" "sample_acl" {
         action = "accept",
         users  = ["*"],
         ports  = ["*:*"],
-    }],
+      },
+    ],
   })
 }
+
+resource "tailscale_acl" "as_hujson" {
+  acl = <<EOF
+  {
+    // Comments in HuJSON policy are preserved when the policy is applied.
+    "acls": [
+      {
+        // Allow all users access to all ports.
+        action = "accept",
+        users  = ["*"],
+        ports  = ["*:*"],
+      },
+    ],
+  }
+  EOF
+}
diff --git a/go.mod b/go.mod
index d4f28668..1563b861 100644
--- a/go.mod
+++ b/go.mod
@@ -1,18 +1,15 @@
 module github.com/tailscale/terraform-provider-tailscale
 
-go 1.21
-
-toolchain go1.21.0
+go 1.22.0
 
 require (
-	github.com/google/go-cmp v0.6.0
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/hashicorp/terraform-plugin-docs v0.18.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.32.0
 	github.com/stretchr/testify v1.8.4
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
-	github.com/tailscale/tailscale-client-go v1.15.0
+	github.com/tailscale/tailscale-client-go v1.16.0
 	golang.org/x/tools v0.17.0
 	tailscale.com v1.58.2
 )
@@ -31,6 +28,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/uuid v1.4.0 // indirect
 	github.com/hashicorp/cli v1.1.6 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -75,12 +73,12 @@ require (
 	github.com/zclconf/go-cty v1.14.2 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect
-	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/crypto v0.19.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/oauth2 v0.14.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/oauth2 v0.17.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
diff --git a/go.sum b/go.sum
index 9ec2742c..253e1e63 100644
--- a/go.sum
+++ b/go.sum
@@ -188,8 +188,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/tailscale-client-go v1.15.0 h1:5M1f7k3nOcRbCC6bs3TLDhWyP/Q6OH455ER88QMN7SI=
-github.com/tailscale/tailscale-client-go v1.15.0/go.mod h1:RMwBhvUj9/L1gGcX4PTEFPDoHIRtsNkGWEwBUrDHoIg=
+github.com/tailscale/tailscale-client-go v1.16.0 h1:mipLVbha5SAVGZT/h3I5qZMrrGXz0iAw4QWXKDfe0l0=
+github.com/tailscale/tailscale-client-go v1.16.0/go.mod h1:v7ssNztaIngJixKoWAgnfhEbzOyRVPI5qT/niBcoI4k=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
@@ -215,8 +215,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -230,10 +230,10 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
-golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -253,8 +253,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
diff --git a/tailscale/data_source_acl.go b/tailscale/data_source_acl.go
index 923fde78..db9a7d4e 100644
--- a/tailscale/data_source_acl.go
+++ b/tailscale/data_source_acl.go
@@ -2,11 +2,11 @@ package tailscale
 
 import (
 	"context"
-	"encoding/json"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
+	"github.com/tailscale/hujson"
 	"github.com/tailscale/tailscale-client-go/tailscale"
 )
 
@@ -18,7 +18,12 @@ func dataSourceACL() *schema.Resource {
 			"json": {
 				Computed:    true,
 				Type:        schema.TypeString,
-				Description: "The contents of Tailscale ACL as JSON",
+				Description: "The contents of Tailscale ACL as a JSON string",
+			},
+			"hujson": {
+				Computed:    true,
+				Type:        schema.TypeString,
+				Description: "The contents of Tailscale ACL as a HuJSON string",
 			},
 		},
 	}
@@ -27,17 +32,21 @@ func dataSourceACL() *schema.Resource {
 func dataSourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
 
-	acl, err := client.ACL(ctx)
+	acl, err := client.RawACL(ctx)
 	if err != nil {
 		return diagnosticsError(err, "Failed to fetch ACL")
 	}
-
-	aclJson, err := json.Marshal(acl)
+	huj, err := hujson.Parse([]byte(acl))
 	if err != nil {
-		return diag.FromErr(err)
+		return diagnosticsError(err, "Failed to parse ACL as HuJSON")
+	}
+	if err := d.Set("hujson", huj.String()); err != nil {
+		return diagnosticsError(err, "Failed to set HuJSON")
 	}
-	if err := d.Set("json", string(aclJson)); err != nil {
-		return diag.Errorf("setting json: %s", err)
+
+	huj.Minimize()
+	if err := d.Set("json", huj.String()); err != nil {
+		return diagnosticsError(err, "Failed to set HuJSON")
 	}
 
 	d.SetId(createUUID())
diff --git a/tailscale/resource_acl.go b/tailscale/resource_acl.go
index 267d6ec7..5c03aac6 100644
--- a/tailscale/resource_acl.go
+++ b/tailscale/resource_acl.go
@@ -1,13 +1,10 @@
 package tailscale
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"
 
-	"github.com/google/go-cmp/cmp"
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -33,12 +30,48 @@ func resourceACL() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
+		CustomizeDiff: func(ctx context.Context, rd *schema.ResourceDiff, m interface{}) error {
+			client := m.(*tailscale.Client)
+			return client.ValidateACL(ctx, rd.Get("acl").(string))
+		},
 		Schema: map[string]*schema.Schema{
 			"acl": {
-				Type:             schema.TypeString,
-				Required:         true,
-				ValidateDiagFunc: validateACL,
-				Description:      "The JSON-based policy that defines which devices and users are allowed to connect in your network",
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The policy that defines which devices and users are allowed to connect in your network. Can be either a JSON or a HuJSON string.",
+
+				// Field-level validation just checks that it's valid JSON or HuJSON.
+				// Actual contents of the policy is validated by calling the API when
+				// the whole resource is validated in CustomizeDiff.
+				ValidateDiagFunc: func(i interface{}, p cty.Path) diag.Diagnostics {
+					_, err := hujson.Parse([]byte(i.(string)))
+					if err != nil {
+						return diagnosticsErrorWithPath(err, "ACL is not a valid HuJSON string", p)
+					}
+					return nil
+				},
+
+				// Do not show a diff if canonical HuJSON representation of the policy did not
+				// change. We still expect a diff when switching from JSON to HuJSON (or back),
+				// even if there are no semantic changes.
+				DiffSuppressFunc: func(k, oldValue, newValue string, d *schema.ResourceData) bool {
+					old, oldErr := hujson.Format([]byte(oldValue))
+					new, newErr := hujson.Format([]byte(newValue))
+					if oldErr != nil || newErr != nil {
+						return false
+					}
+					return string(old) == string(new)
+				},
+				DiffSuppressOnRefresh: true,
+
+				// Use the canonical HuJSON representation of the policy in Terraform state.
+				StateFunc: func(i interface{}) string {
+					value, err := hujson.Format([]byte(i.(string)))
+					if err != nil {
+						panic(fmt.Errorf("could not parse ACL as HuJSON: %s", err))
+					}
+					return string(value)
+				},
 			},
 			"overwrite_existing_content": {
 				Type:        schema.TypeBool,
@@ -49,45 +82,14 @@ func resourceACL() *schema.Resource {
 	}
 }
 
-func validateACL(i interface{}, p cty.Path) diag.Diagnostics {
-	if _, err := unmarshalACL(i.(string)); err != nil {
-		return diagnosticsErrorWithPath(err, "Invalid ACL", p)
-	}
-	return nil
-}
-
-func sameACL(a, b tailscale.ACL) bool {
-	return cmp.Equal(a, b)
-}
-
 func resourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
-	acl, err := client.ACL(ctx)
+	acl, err := client.RawACL(ctx)
 	if err != nil {
 		return diagnosticsError(err, "Failed to fetch ACL")
 	}
 
-	// If we have ACL content in Terraform state that is equivalent to the ACL
-	// fetched via API, keep the local version. This is to have further changes
-	// diffed against previous version specified by the user, avoiding spurious
-	// diffs caused by potentially different spelling of ACL field names.
-	current := d.Get("acl").(string)
-	if current != "" {
-		cur, err := unmarshalACL(current)
-		if err != nil {
-			return diagnosticsError(err, "Failed to unmarshal current ACL")
-		}
-		if sameACL(cur, *acl) {
-			return nil
-		}
-	}
-
-	aclStr, err := json.MarshalIndent(acl, "", "  ")
-	if err != nil {
-		return diagnosticsError(err, "Failed to marshal ACL for")
-	}
-
-	if err := d.Set("acl", string(aclStr)); err != nil {
+	if err := d.Set("acl", acl); err != nil {
 		return diag.FromErr(err)
 	}
 	return nil
@@ -95,12 +97,7 @@ func resourceACLRead(ctx context.Context, d *schema.ResourceData, m interface{})
 
 func resourceACLCreate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
-	aclStr := d.Get("acl").(string)
-
-	acl, err := unmarshalACL(aclStr)
-	if err != nil {
-		return diagnosticsError(err, "Failed to unmarshal ACL")
-	}
+	acl := d.Get("acl").(string)
 
 	// Setting the `ts-default` ETag will make this operation succeed only if
 	// ACL contents has never been changed from its default value.
@@ -126,39 +123,14 @@ func resourceACLCreate(ctx context.Context, d *schema.ResourceData, m interface{
 
 func resourceACLUpdate(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
 	client := m.(*tailscale.Client)
-	aclStr := d.Get("acl").(string)
 
 	if !d.HasChange("acl") {
 		return nil
 	}
 
-	acl, err := unmarshalACL(aclStr)
-	if err != nil {
-		return diagnosticsError(err, "Failed to unmarshal ACL")
-	}
-
-	if err := client.SetACL(ctx, acl); err != nil {
+	if err := client.SetACL(ctx, d.Get("acl").(string)); err != nil {
 		return diagnosticsError(err, "Failed to set ACL")
 	}
 
 	return nil
 }
-
-func unmarshalACL(s string) (tailscale.ACL, error) {
-	b, err := hujson.Standardize([]byte(s))
-	if err != nil {
-		return tailscale.ACL{}, err
-	}
-
-	decoder := json.NewDecoder(bytes.NewBuffer(b))
-	decoder.DisallowUnknownFields()
-
-	var acl tailscale.ACL
-	if err = decoder.Decode(&acl); err != nil {
-		return acl, fmt.Errorf("%w. (This error may be caused by a new ACL feature that is not yet supported by "+
-			"this terraform provider. If you're using a valid ACL field, please raise an issue at "+
-			"https://github.com/tailscale/terraform-provider-tailscale/issues/new/choose)", err)
-	}
-
-	return acl, nil
-}
diff --git a/tailscale/resource_acl_test.go b/tailscale/resource_acl_test.go
index eb35a0a9..a83ed8b1 100644
--- a/tailscale/resource_acl_test.go
+++ b/tailscale/resource_acl_test.go
@@ -82,28 +82,28 @@ func TestProvider_TailscaleACL(t *testing.T) {
 	})
 }
 
-// TestProvider_TailscaleACLDiffs checks that ACL keys specified with
-// different casing than the one used by the API client do not result
-// in spurious diffs in Terraform plan.
+// TestProvider_TailscaleACLDiffs checks that changes in whitespace
+// do not cause diffs in the Terraform plan.
 func TestProvider_TailscaleACLDiffs(t *testing.T) {
-	// policyObject returns a map that, when serialized to JSON,
-	// is a valid Tailscale policy with only the "Hosts" field set.
-	policyObject := func(hostsKey string) map[string]map[string]string {
-		return map[string]map[string]string{
-			hostsKey: {"example": "100.101.102.103"},
-		}
-	}
-	policyHCL := func(hostsKey string) string {
-		j, err := json.MarshalIndent(policyObject(hostsKey), "", " ")
+	policyJSON := func(indent string) []byte {
+		j, err := json.MarshalIndent(map[string]map[string]string{
+			"hosts": {"example": "100.101.102.103"},
+		}, "", indent)
 		if err != nil {
 			t.Fatal(err)
 		}
+		return j
+	}
+	toHuJSON := func(j []byte) []byte {
+		return []byte(fmt.Sprintf("// This is a HuJSON policy\n%s", j))
+	}
+	toHCL := func(policy []byte) string {
 		return fmt.Sprintf(
 			`resource "tailscale_acl" "test_acl" {
 				acl = <<EOF
 					%s
 				EOF
-			}`, j)
+			}`, policy)
 	}
 
 	resource.Test(t, resource.TestCase{
@@ -111,20 +111,31 @@ func TestProvider_TailscaleACLDiffs(t *testing.T) {
 		ProviderFactories: testProviderFactories(t),
 		PreCheck: func() {
 			testServer.ResponseCode = http.StatusOK
+			testServer.ResponseBody = []byte("{}")
 		},
 		Steps: []resource.TestStep{
-			testResourceCreated("tailscale_acl.test_acl", policyHCL("hosts")),
+			testResourceCreated("tailscale_acl.test_acl", toHCL(policyJSON(" "))),
 
-			// Now we check that, whatever spelling of "hosts" we use, the
-			// Terraform plan will be empty.
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("hosts"),
+			// Now we check that whitespace changes result in empty plan.
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(policyJSON(" ")),
+				PreConfig: func() {
+					testServer.ResponseBody = policyJSON(" ")
+				},
+			},
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(policyJSON("\t"))},
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(policyJSON("      "))},
+
+			// The same policy in HuJSON will result in a diff.
+			{
+				ResourceName: "tailscale_acl.test_acl", Config: toHCL(toHuJSON(policyJSON("  "))),
+				ExpectNonEmptyPlan: true,
+			},
+			// Further changes in whitespace are not causing a diff.
+			{ResourceName: "tailscale_acl.test_acl", Config: toHCL(toHuJSON(policyJSON("\t"))),
 				PreConfig: func() {
-					testServer.ResponseBody = policyObject("HOSTS")
+					testServer.ResponseBody = toHuJSON(policyJSON("  "))
 				},
 			},
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("Hosts")},
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("HoStS")},
-			{ResourceName: "tailscale_acl.test_acl", Config: policyHCL("HOSTS")},
 		},
 	})
 }
diff --git a/tailscale/tailscale_test.go b/tailscale/tailscale_test.go
index 58cbb933..b101cf66 100644
--- a/tailscale/tailscale_test.go
+++ b/tailscale/tailscale_test.go
@@ -69,5 +69,11 @@ func (t *TestServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	assert.NoError(t.t, err)
 
 	w.WriteHeader(t.ResponseCode)
-	assert.NoError(t.t, json.NewEncoder(w).Encode(t.ResponseBody))
+	switch body := t.ResponseBody.(type) {
+	case []byte:
+		_, err := w.Write(body)
+		assert.NoError(t.t, err)
+	default:
+		assert.NoError(t.t, json.NewEncoder(w).Encode(body))
+	}
 }