Add secret flag support for webhook headers via new headers_v2 attribute #149

Open
Copilot wants to merge 4 commits into main from copilot/add-webhook-headers-as-secret

Copilot AI commented Mar 20, 2026

  • Restore headers as the original deprecated MapAttribute (backwards compatible, with DeprecationMessage and ConflictsWith(headers_v2))
  • Add new headers_v2 as SetNestedAttribute with key, value (sensitive), secret (default: false) fields and ConflictsWith(headers)
  • Update Webhook model struct to support both Headers map[string]types.String and HeadersV2 []WebhookHeader
  • CRUD operations handle both fields: when plan has headers_v2, populate HeadersV2 from API response with secret value preservation; otherwise clear HeadersV2
  • Updated examples/resources/contentful_webhook/resource.tf to show headers_v2 usage (with a secret header example) and the deprecated headers form
  • Updated docs/resources/webhook.md to reflect the new headers_v2 attribute, nested schema, and deprecated headers annotation
  • Restored original TestWebhookResource_Basic test (legacy headers format)
  • Added TestWebhookResource_HeadersV2 acceptance test for the new headers_v2 field
Original prompt

This section details on the original issue you should resolve

<issue_title>Allow setting Webhook headers as secret</issue_title>
<issue_description>In the web UI of Contentful it is easy to set a header as secret so people cannot read its value. It would be awesome if this provider could also do this if the value is sensitive.

Documentation suggests all you need to do is secret = true: https://www.contentful.com/developers/docs/webhooks/headers/</issue_description>

<agent_instructions>Please implement this into the webhook resource. The additional value should be a boolean that defaults to false (the current implementation)</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: demeyerthom <8173199+demeyerthom@users.noreply.github.com>
Copilot AI changed the title [WIP] Add option to set webhook headers as secret Add secret flag support for webhook headers Mar 20, 2026
Copilot AI requested a review from demeyerthom March 20, 2026 07:53
@demeyerthom
Member

@copilot we should not make backwards breaking changes. I would prefer creating a second field called headers_v2 to hold the new configuration, mark the old one as deprecated and have some validation logic with ConflictsWith to ensure either one or the other is used. Please update the PR to reflect this

Author

Copilot AI commented Mar 23, 2026

@copilot we should not make backwards breaking changes. I would prefer creating a second field called headers_v2 to hold the new configuration, mark the old one as deprecated and h...

Done in commit c364744. The old headers map attribute is now restored and marked as deprecated with a DeprecationMessage pointing users to headers_v2. The new headers_v2 is a SetNestedAttribute with key, value (sensitive), and secret (default: false) fields. Both attributes have ConflictsWith validators to prevent simultaneous use. The original TestWebhookResource_Basic test continues to use the legacy headers map syntax unchanged.
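Added example, not code from this pull request or from the provider: one way the "secret value preservation" named in the PR description could work, under the assumption that the API returns a secret header without its value. The `Header` type and `MergeHeaders` function are hypothetical simplifications of the headers_v2 model.

```go
package main

import (
	"fmt"
	"sort"
)

// Header is a simplified stand-in for one headers_v2 element (hypothetical
// type; the provider's real model is not shown on this page).
type Header struct {
	Key, Value string
	Secret     bool
}

// MergeHeaders builds the headers_v2 state after a create, read or update.
// Assumption: the API returns a secret header without its value, so the
// configured value has to be carried over from the prior plan or state.
func MergeHeaders(prior, remote []Header) []Header {
	known := make(map[string]Header, len(prior))
	for _, h := range prior {
		known[h.Key] = h
	}
	out := make([]Header, 0, len(remote))
	for _, r := range remote {
		// Carry the value over only when both sides mark the header secret
		// and the API withheld it; otherwise trust the API so drift shows.
		if p, ok := known[r.Key]; ok && p.Secret && r.Secret && r.Value == "" {
			r.Value = p.Value
		}
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

func main() {
	// Constructed sample data, not taken from the pull request.
	prior := []Header{{"Authorization", "constructed-token", true}, {"X-Env", "prod", false}}
	remote := []Header{{"X-Env", "staging", false}, {"Authorization", "", true}}
	for _, h := range MergeHeaders(prior, remote) {
		shown := h.Value
		if h.Secret {
			shown = "(sensitive)" // never print secret values
		}
		fmt.Printf("%s=%s secret=%t\n", h.Key, shown, h.Secret)
	}
}
```

Without the carry-over, every read would store an empty value for a secret header and Terraform would plan a change on each run; headers absent from the API response are dropped so that out-of-band deletions still surface as drift.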

Copilot AI changed the title Add secret flag support for webhook headers Add secret flag support for webhook headers via new headers_v2 attribute Mar 23, 2026
@demeyerthom
Member

@copilot You are also missing the documentation update. If you can, run go generate ./... Otherwise make the changes directly. Note that these are generated, so the docs should reflect the exact text in the code, or we will have some additional changes down the line

@demeyerthom demeyerthom marked this pull request as ready for review March 23, 2026 08:23
@demeyerthom demeyerthom requested a review from a team as a code owner March 23, 2026 08:23
Author

Copilot AI commented Mar 23, 2026

@copilot You are also missing the documentation update. If you can run go generate ./.... Otherwise make the changes directly. Note that these are generated, so the docs should ref...

Done in commit 24dc59b. The environment doesn't have Terraform in PATH so go generate couldn't run tfplugindocs automatically — I've updated both files manually to exactly match the schema:

  • examples/resources/contentful_webhook/resource.tf — now shows headers_v2 with a secret header example, plus a separate example using the deprecated headers map
  • docs/resources/webhook.md — updated example, added headers_v2 to the Optional attributes with its nested schema block (key, value (Sensitive), secret), and marked headers as Deprecated

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint-api.hashicorp.com
    • Triggering command: /tmp/go-build4000712566/b001/exe/tfplugindocs /tmp/go-build4000712566/b001/exe/tfplugindocs -complete -buildid ur1qJEC7WAVf2SEHyDJL/ur1qJEC7WAVf2SEHyDJL -goversion go1.24.13 -c=4 -nolocalimports -importcfg /tmp/go-build4000712566/b235/importcfg -pack /opt/hostedtoolcache/go/1.24.13/x64/src/vendor/golang.org/x/net/http/httpproxy/proxy.go (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Development

Successfully merging this pull request may close these issues.

Allow setting Webhook headers as secret