
feat: add authoritative resource to manage grants for an object #173

Merged

Conversation

obs-gh-abhinavpappu
Collaborator

@obs-gh-abhinavpappu obs-gh-abhinavpappu commented Nov 19, 2024

Ensures there are no grants for the specified object other than the ones specified in terraform.

I'm using a schema.TypeSet, which is really convenient because it associates existing statements with the ones defined in terraform automatically based on the subject and role regardless of the statement id. So for example, say terraform defines statements A and B which get created with ids 8001 and 8002. Then if those statements manually get deleted, and then new statements C and D get created with the same subject and role, now with ids 8003 and 8004, terraform apply will make no changes. Otherwise, we create and delete the minimal number of statements to make it match (no statements are updated since we want them to be immutable with v2).
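The reconciliation the description above relies on, as an added Go example that is not the provider's own code: existing statements are keyed by (subject, role) with ids ignored, and the plan contains only creates and deletes, never updates. The type names, the sample subjects and the statement ids are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is the (subject, role) pair Terraform declares for the object.
type Grant struct{ Subject, Role string }

// Statement is an existing grant statement with its server-assigned id.
type Statement struct {
	ID    int
	Grant Grant
}
// Plan is the minimal change set; statements are immutable, so nothing is updated.
type Plan struct {
	Create []Grant
	Delete []int
}
// planGrants matches existing statements to desired grants on (subject, role), ignoring
// ids. Undeclared statements are deleted (authoritative); a second statement for an
// already matched grant is deleted too (assumed here, not stated in the PR).
func planGrants(existing []Statement, desired []Grant) Plan {
	var plan Plan
	wanted, matched := map[Grant]bool{}, map[Grant]bool{}
	for _, g := range desired {
		wanted[g] = true
	}
	for _, s := range existing {
		if wanted[s.Grant] && !matched[s.Grant] {
			matched[s.Grant] = true // first statement satisfying the grant is kept as is
			continue
		}
		plan.Delete = append(plan.Delete, s.ID)
	}
	for _, g := range desired {
		if !matched[g] {
			plan.Create = append(plan.Create, g)
		}
	}
	sort.Ints(plan.Delete)
	return plan
}

func main() {
	// Constructed: A and B recreated as C and D (ids 8003/8004, same subject and role).
	desired := []Grant{{"user:alice", "viewer"}, {"group:sre", "editor"}}
	existing := []Statement{{8003, desired[0]}, {8004, desired[1]}}
	fmt.Printf("%+v\n", planGrants(existing, desired)) // prints {Create:[] Delete:[]}
}
```

The second scenario worth checking is drift: a grant added outside Terraform is removed on the next apply, which is exactly what makes the resource authoritative.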

@obs-gh-abhinavpappu
Collaborator Author

Also thoughts on renaming this to something like observe_object_grants or observe_resource_grants? I think observe_grants might be too similar to observe_grant, and we may want to add something like observe_group_grants/observe_role_grants in the future that's the authoritative resource to manage role grants for a group.

@obs-gh-abhinavpappu obs-gh-abhinavpappu changed the title feat: add resource to manage authoritative grants for an object feat: add authoritative resource to manage grants for an object Nov 20, 2024
@vikramraman
Contributor

Also thoughts on renaming this to something like observe_object_grants or observe_resource_grants? I think observe_grants might be too similar to observe_grant, and we may want to add something like observe_group_grants/observe_role_grants in the future that's the authoritative resource to manage role grants for a group.

observe_resource_grants sounds good

@obs-gh-abhinavpappu
Collaborator Author

Still thinking of ways to rename observe_resource_grants so it's clearer; I looked at some other products' terraform resources, but I don't think they're particularly clear either.

Also not sure if this would help, but I'm open to wrapping the oid in a target block or something like that:

resource "observe_resource_grants" "example" {
    target {
        oid = data.observe_dataset.example.oid
    }
    ...
}

I don't want to use qualifier even though having the name match observe_grant would be nice, since it doesn't make as much sense here. Using qualifier sounds like I'm defining a bunch of grants and then just qualifying them with an object id, which is true, but doesn't convey that the object id is more important in this case, with all existing statements for that object being replaced.

@vikramraman
Contributor

Still thinking of ways to rename observe_resource_grants so it's clearer; I looked at some other products' terraform resources, but I don't think they're particularly clear either.

Also not sure if this would help, but I'm open to wrapping the oid in a target block or something like that:

resource "observe_resource_grants" "example" {
    target {
        oid = data.observe_dataset.example.oid
    }
    ...
}

I don't want to use qualifier even though having the name match observe_grant would be nice, since it doesn't make as much sense here. Using qualifier sounds like I'm defining a bunch of grants and then just qualifying them with an object id, which is true, but doesn't convey that the object id is more important in this case, with all existing statements for that object being replaced.

Is there a reason to introduce a target block here? I'm fine just leaving oid as a top level for now.

@obs-gh-abhinavpappu obs-gh-abhinavpappu force-pushed the abhi/authoritative-observe-resource-grants branch from a449b2d to a00d54e Compare December 5, 2024 19:23
@obs-gh-abhinavpappu obs-gh-abhinavpappu merged commit d23ae96 into master Dec 5, 2024
5 of 6 checks passed
@obs-gh-abhinavpappu obs-gh-abhinavpappu deleted the abhi/authoritative-observe-resource-grants branch December 5, 2024 21:36