Handling innacurate plans with the plugin SDK

Hi, I work on a community provider:

I have an issue with the error Error: Provider produced inconsistent final plan as described in:

The proposed solution is to define a CustomizeDiff function, but i cannot get this to work.

My main issue comes because its common to use heredoc to define some of the unstructured json I encounter for some resources. In the trivial example below the rule resource will always produce an unexpected plan if the site resource doesn’t already exist:

Error: Provider produced inconsistent final plan

When expanding the plan for pingaccess_rule.acc_test_rule_bar to include new
values learned so far during apply, provider "pingaccess" produced an invalid
new value for .configuration: was cty.StringVal(""), but now
\"\",\n\t\t\t\"negate\": false,\n\t\t\t\"overrideIpSource\":
false,\n\t\t\t\"headers\": [],\n\t\t\t\"headerValueLocation\":
\"LAST\",\n\t\t\t\"fallbackToLastHopIp\": true,\n\t\t\t\"errorResponseCode\":
null,\n\t\t\t\"rejectionHandlingEnabled\": false\n\t\t}\n").

This is a bug in the provider, which should be reported in the provider's own
issue tracker.
resource "pingaccess_site" "demo" {
  name                       = "demo"
  targets                    = ["localhost:4321"]
  max_connections            = -1
  max_web_socket_connections = -1
  availability_profile_id    = 1

resource "pingaccess_rule" "demo_2" {
  class_name = "com.pingidentity.pa.policy.CIDRPolicyInterceptor"
  name       = "demo_2"
  supported_destinations = [
  configuration = <<EOF
    "cidrNotation": "127.0.0.${pingaccess_site.demo.id}/32",
    "negate": false,
    "overrideIpSource": false,
    "headers": [],
    "headerValueLocation": "LAST",
    "fallbackToLastHopIp": true,
    "errorResponseCode": 403,
    "errorResponseStatusMsg": "Forbidden",
    "errorResponseTemplateFile": "policy.error.page.template.html",
    "errorResponseContentType": "text/html;charset=UTF-8",
    "rejectionHandler": null,
    "rejectionHandlingEnabled": false

I have tried using a CustomizeDiff to catch this but with no luck:

CustomizeDiff: customdiff.ComputedIf("configuration", func(diff *schema.ResourceDiff, meta interface{}) bool {
	return diff.HasChange("configuration")

Any suggestions would be greatly appreciated.

(Using sdk module github.com/hashicorp/terraform-plugin-sdk v1.0.0)

Can anyone provide any guidance on how to deal with this issue with the plugin SDK?

Does pingaccess_rule.acc_test_rule_bar interpolate pingaccess_rule.demo_2's configuration field?