generic authz types could be more type-safe #848

Closed
@davepacheco

Right now, in nexus/src/authz/api_resources.rs, we have "typed" and "generic" resources. "typed" resources are resources to which we will allow users to assign roles -- the Fleet, Silos (eventually), Organizations and Projects. Everything else is a generic FleetChild or ProjectChild with a type alias, like type Instance = ProjectChild. The reason is just that there's a bunch of boilerplate for each resource, and given the current policy, nothing actually cares what type anything is, so it was easier to do it this way.

I only recently appreciated that this means you can pass an authz::Project where an authz::Instance is expected, which seems pretty dangerous. That alone convinced me that we're better off with well-typed versions of these things.

It may help simplify the problem if we eliminate the constructors at each level for constructing child resources (e.g., Organization::project(project_id) -> Project). That was a convenient pattern when I expected you'd be building these by hand. But these are generally going to be built by the lookup_resource macro. If we make this Project::from(Organization) instead, we can update the macro to use that, and it may make it quite a lot easier for us to generate the full set of authz types (since you don't have to generate any type-specific methods).
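The hazard and the proposed direction, as an added Rust sketch (not code from this issue or from the project). It assumes a second alias, `Disk`, next to `Instance`, and a hypothetical `From<(Project, u32)>` constructor shape generated by a hypothetical `project_child!` macro; the `authorize_instance` functions are stand-ins as well.

```rust
// Simplified stand-ins with hypothetical names; not the code in nexus/src/authz.

/// "Generic" style: one struct shared through type aliases.
pub mod generic {
    #[derive(Debug, Clone, Copy, PartialEq)]
    pub struct ProjectChild { pub project_id: u32, pub id: u32 }
    pub type Instance = ProjectChild;
    pub type Disk = ProjectChild;

    /// Meant for instances only, but an alias adds no compile-time check.
    pub fn authorize_instance(i: &Instance) -> u32 { i.id }
}

/// "Typed" style: a macro stamps out one distinct struct per resource, each
/// built from its parent through the same `From` shape, so no per-type
/// constructor methods have to be generated.
pub mod typed {
    #[derive(Debug, Clone, Copy, PartialEq)]
    pub struct Project { pub id: u32 }

    macro_rules! project_child {
        ($name:ident) => {
            #[derive(Debug, Clone, Copy, PartialEq)]
            pub struct $name { pub parent: Project, pub id: u32 }
            impl From<(Project, u32)> for $name {
                fn from((parent, id): (Project, u32)) -> Self {
                    Self { parent, id }
                }
            }
        };
    }
    project_child!(Instance);
    project_child!(Disk);

    /// Accepts only `typed::Instance`; a `Disk` or `Project` argument is a
    /// compile-time type mismatch.
    pub fn authorize_instance(i: &Instance) -> u32 { i.id }
}

/// Returns (id accepted through the alias mix-up, id from the typed call).
pub fn demo() -> (u32, u32) {
    let disk: generic::Disk = generic::ProjectChild { project_id: 1, id: 7 };
    let mixed_up = generic::authorize_instance(&disk); // compiles: Disk is Instance
    let inst = typed::Instance::from((typed::Project { id: 1 }, 9));
    (mixed_up, typed::authorize_instance(&inst))
}

fn main() { println!("{:?}", demo()); }
```

Changing the last call in `demo` to pass a `typed::Disk` makes the build fail, which is the check the aliases cannot provide.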
