fix: avoid stripping cty sensitivity marks during plan modification#343

Open
jatcod3r wants to merge 1 commit into coder:fix/template-unknown-set-values from jatcod3r:fix/sensitive-tf-vars-replan
Conversation

@jatcod3r
@jatcod3r jatcod3r commented May 3, 2026

Extending Kirby's fix.

When coderd_template has sensitive tf_vars and a deferred dependency (like time_static) that gets replaced during apply, Terraform re-plans the resource. The previous plan modifier used types.ListValueFrom() to write the entire versions list back, which reconstructed tftypes values and stripped Terraform core's cty-level sensitivity marks. This caused:
'Provider produced inconsistent final plan: inconsistent values for sensitive attribute'

Changes:

  • Replace attribute-level PlanModifyList with resource-level ModifyPlan that only writes directory_hash via SetAttribute (proven safe for sensitivity preservation)
  • Move version reconciliation logic (new vs reuse) from plan modifier into Update, re-deriving from private state instead of ID.IsUnknown()
  • Keep reconcileVersionIDs() for unit tests but no longer call from plan modifier

Fixes #305

Test Template:

```hcl
provider "coderd" {
  url   = "https://******"
  token = "******"
}

variable "secret_one" {
  type      = string
  sensitive = true
  default   = "no"
}

variable "normal_info_one" {
  type    = string
  default = "normal-info-2"
}

locals {
  my_secrets = {
    "normal-info-1" = var.normal_info_one
    "secret-1"      = var.secret_one
    "random"        = "Hi!"
  }

  my_tags = {
    # "scope" = var.normal_info_one
    # "env"   = "prod"
  }
}

data "coderd_organization" "org" {
  name = "experiment"
}

resource "random_uuid" "uuid" {
  keepers = local.my_secrets
}

resource "coderd_template" "test_vars_only" {
  name         = "test-vars-only"
  display_name = "Test Vars Only"
  description  = "Test tf_vars + provisioner_tags"

  organization_id        = data.coderd_organization.org.id
  require_active_version = true
  acl                    = null

  versions = [{
    name             = random_uuid.uuid.result
    message          = "My newest stable version"
    directory        = "${path.module}/templates/my-coder-template"
    active           = true
    tf_vars          = [for k, v in local.my_secrets : { name = k, value = tostring(v) }]
    provisioner_tags = [for k, v in local.my_tags : { name = k, value = tostring(v) }]
  }]
}
```
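The failure mode described in this PR, as an added illustration that is not code from the PR, from the coderd provider, or from go-cty/terraform-plugin-framework: a toy `Value` type carries marks the way a `cty.Value` does, `rebuildVersionsFromGo` stands in for the old modifier that wrote the whole `versions` list back from plain Go values, `setDirectoryHashOnly` stands in for the new resource-level `ModifyPlan` that writes only `directory_hash`, and `checkFinalPlan` models the core-side check that produces "inconsistent values for sensitive attribute". The attribute paths, the constructed plan and the hash strings are assumptions chosen to resemble the test template above.

```go
package main

import (
	"fmt"
	"strings"
)

// Value is a toy stand-in for a cty.Value: the raw Go value plus a set of marks.
// This models the mechanism only; it is not go-cty or terraform-plugin-framework.
type Value struct {
	Raw   string
	Marks map[string]bool
}

// Str builds an unmarked string value, the way a freshly constructed tftypes/cty value starts out.
func Str(s string) Value { return Value{Raw: s, Marks: map[string]bool{}} }

// Mark returns a copy of v carrying one more mark (values are immutable, as in cty).
func (v Value) Mark(m string) Value {
	marks := map[string]bool{}
	for k := range v.Marks {
		marks[k] = true
	}
	marks[m] = true
	return Value{Raw: v.Raw, Marks: marks}
}

func (v Value) IsSensitive() bool { return v.Marks["sensitive"] }

// Plan models a planned resource as a flat map from attribute path to value (assumed layout).
type Plan map[string]Value

// clone copies the map so a modifier never mutates the planned value it was given.
func (p Plan) clone() Plan {
	out := Plan{}
	for path, v := range p {
		out[path] = v
	}
	return out
}

// rebuildVersionsFromGo mirrors the old attribute-level modifier: every versions.* element
// is converted to a plain Go string and written back as a fresh value, so whatever marks
// Terraform core attached to the planned value do not survive the round trip.
func rebuildVersionsFromGo(p Plan, hash string) Plan {
	out := p.clone()
	for path, v := range p {
		if strings.HasPrefix(path, "versions.") {
			out[path] = Str(v.Raw) // Raw is the unmarked Go string: the mark is gone here
		}
	}
	out["versions.0.directory_hash"] = Str(hash)
	return out
}

// setDirectoryHashOnly mirrors the resource-level ModifyPlan in the PR: it writes exactly
// one attribute path and leaves every other planned value, marks included, untouched.
func setDirectoryHashOnly(p Plan, hash string) Plan {
	out := p.clone()
	out["versions.0.directory_hash"] = Str(hash)
	return out
}

// checkFinalPlan models the consistency check quoted in the PR description: an attribute
// that was sensitive in the planned value must still be sensitive in the final plan.
func checkFinalPlan(planned, final Plan) error {
	for path, pv := range planned {
		fv, ok := final[path]
		if ok && pv.IsSensitive() && !fv.IsSensitive() {
			return fmt.Errorf("inconsistent values for sensitive attribute %s", path)
		}
	}
	return nil
}

// samplePlan is a constructed plan shaped like the test template: one version whose
// tf_vars carry one sensitive value (var.secret_one) and one plain value.
func samplePlan() Plan {
	return Plan{
		"name":                       Str("test-vars-only"),
		"versions.0.name":            Str("constructed-uuid"),
		"versions.0.directory_hash":  Str("hash-before"),
		"versions.0.tf_vars.0.name":  Str("secret-1"),
		"versions.0.tf_vars.0.value": Str("no").Mark("sensitive"),
		"versions.0.tf_vars.1.name":  Str("normal-info-1"),
		"versions.0.tf_vars.1.value": Str("normal-info-2"),
	}
}

func main() {
	planned := samplePlan()
	fmt.Println("rebuild whole list:     ", checkFinalPlan(planned, rebuildVersionsFromGo(planned, "hash-after")))
	fmt.Println("set directory_hash only:", checkFinalPlan(planned, setDirectoryHashOnly(planned, "hash-after")))
}
```

The first call fails the check at `versions.0.tf_vars.0.value` because the rebuilt list no longer carries the sensitive mark; the second passes because the only value the modifier touched is `directory_hash`, which was never marked. The same reasoning is why the PR moves version reconciliation out of the plan modifier entirely: any code path that materialises the list through native Go values has to reattach marks it cannot see.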

@jatcod3r jatcod3r force-pushed the fix/sensitive-tf-vars-replan branch from 28ea40c to 90c6449 on May 3, 2026 22:53
@jatcod3r jatcod3r self-assigned this May 3, 2026
@jatcod3r jatcod3r force-pushed the fix/sensitive-tf-vars-replan branch 2 times, most recently from fb68004 to 0febdd3 on May 4, 2026 00:13
When coderd_template has sensitive tf_vars and a deferred dependency
(like time_static) that gets replaced during apply, Terraform re-plans
the resource. The previous plan modifier used types.ListValueFrom() to
write the entire versions list back, which reconstructed tftypes values
and stripped Terraform core's cty-level sensitivity marks. This caused:
  'Provider produced inconsistent final plan: inconsistent values for
   sensitive attribute'

Changes:
- Replace attribute-level PlanModifyList with resource-level ModifyPlan
  that only writes directory_hash via SetAttribute (proven safe for
  sensitivity preservation)
- Move version reconciliation logic (new vs reuse) from plan modifier
  into Update, re-deriving from private state instead of ID.IsUnknown()
- Keep reconcileVersionIDs() for unit tests but no longer call from
  plan modifier

Fixes coder#305
@jatcod3r jatcod3r force-pushed the fix/sensitive-tf-vars-replan branch from 0febdd3 to e76fefa on May 4, 2026 00:22