hashicorp / terraform-provider-postgresql

As part of our introduction to self-service publishing in the Terraform Registry, this copy of the provider has been archived, and ownership has been transferred to active maintainers in the community. Please see the new location on the Terraform Registry: https://registry.terraform.io/providers/cyrilgdn/postgresql
https://github.com/cyrilgdn/terraform-provider-postgresql
Mozilla Public License 2.0

Add postgresql_grant_role resource #189

Open dvdliao opened 4 years ago

dvdliao commented 4 years ago

credit to: @Vince-Chenal

closes: https://github.com/terraform-providers/terraform-provider-postgresql/issues/154

wimi commented 4 years ago

Thank you for your PR and work, @Vince-Chenal and @dvdliao!

I just wanted to ask - there is already https://www.terraform.io/docs/providers/postgresql/r/postgresql_role.html#roles, which does something similar, but on a very basic level.

How will this resource coexist with the existing property on postgresql_role? I have a feeling that there will be a conflict after terraform refresh or maybe even on plan.

Generally I like the direction - gives more flexibility and might actually solve some issues out of the box (#173).

dvdliao commented 4 years ago

It should coexist, but not be used together. postgresql_role as it stands now is authoritative; this new resource postgresql_grant_role is not, so it can be used to manage roles that are managed by something else. For the GitHub issues, the common theme is that the postgres_role was created by the cloud provider/console. Therefore managing grants with postgresql_role doesn't make much sense, because it also manages the role password and other things which are out of Terraform's control and would also have drift.

See something like: https://www.terraform.io/docs/providers/google/r/sql_user.html The resource in this PR would allow managing role grants even though the role itself was created by the cloud console API.

Here's another example in Terraform where we have the same resources that are authoritative and non-authoritative: https://www.terraform.io/docs/providers/google/r/google_project_iam.html
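
An added illustration of the authoritative versus non-authoritative distinction discussed in this thread; it is not code from the PR or from the provider. The Go functions below are a simplified, hypothetical model (the names `planAuthoritative` and `planAdditive`, the role names and the unquoted SQL text are all constructed) showing why the two styles fight when pointed at the same role: the authoritative plan revokes the membership the additive one grants.

```go
package main

import (
	"fmt"
	"sort"
)

// diff returns the sorted elements of a that are not present in b.
func diff(a, b []string) []string {
	seen := map[string]bool{}
	for _, x := range b {
		seen[x] = true
	}
	var out []string
	for _, x := range a {
		if !seen[x] {
			out = append(out, x)
		}
	}
	sort.Strings(out)
	return out
}

// Authoritative model: the declared list is the whole truth, so extra memberships are revoked.
func planAuthoritative(role string, declared, actual []string) []string {
	var stmts []string
	for _, g := range diff(declared, actual) {
		stmts = append(stmts, fmt.Sprintf("GRANT %s TO %s", g, role))
	}
	for _, g := range diff(actual, declared) {
		stmts = append(stmts, fmt.Sprintf("REVOKE %s FROM %s", g, role))
	}
	return stmts
}

// Non-authoritative model: owns exactly one membership and ignores all others.
func planAdditive(role, grant string, actual []string) []string {
	if len(diff([]string{grant}, actual)) == 0 {
		return nil
	}
	return []string{fmt.Sprintf("GRANT %s TO %s", grant, role)}
}

func main() {
	// Constructed state: "app" holds "readonly" (declared on the role) and "reporting" (granted separately).
	actual := []string{"readonly", "reporting"}
	fmt.Println(planAuthoritative("app", []string{"readonly"}, actual)) // revokes "reporting"
	fmt.Println(planAdditive("app", "reporting", []string{"readonly"})) // grants it back
}
```

Run against the same role, each model's apply undoes the other's, so the privilege set is never stable and every plan shows a diff.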

wimi commented 4 years ago

Thank you, this is what I meant - these resources should not be used on the same role. Thanks for linking the Google example; I wasn't aware of these kinds of cases. I think slightly more descriptive docs are needed (similarly to what you linked in Google - there are a lot of warnings about not using some resources on the same object).

cyrilgdn commented 4 years ago

@dvdliao Thanks for your work on this, I'll take a look in the next days.