Don't use type alias in postgresql_password

Type aliases from modules aren't available on the agent.
See https://puppet.atlassian.net/browse/PUP-7197

This means that calls to `postgresql::postgresql_password` can't be
deferred if the `hash` parameter uses the type
`Postgresql::Pg_password_encryption`. Instead we have to use the raw
`Enum`, (which unfortunately causes code duplication, but this is
unavoidable).

Using this function with `Deferred` is not just a theoretical use-case.
The module itself tries to here.
https://github.com/puppetlabs/puppetlabs-postgresql/blob/20704ffae24dcf970784697b1798c09d026fb7f8/manifests/server/role.pp#L162

Author: figless

lib/puppet/functions/postgresql/postgresql_password.rb

@@ -24,7 +24,8 @@
     required_param 'Variant[String[1], Integer]', :username
     required_param 'Variant[String[1], Sensitive[String[1]], Integer]', :password
     optional_param 'Boolean', :sensitive
-    optional_param 'Optional[Postgresql::Pg_password_encryption]', :hash
+    # The following Enum is also defined in `types/pg_password_encryption.pp` but type alias can't be used in Deferred functions.
+    optional_param 'Optional[Enum["md5", "scram-sha-256"]]', :hash
     optional_param 'Optional[Variant[String[1], Integer]]', :salt
     return_type 'Variant[String, Sensitive[String]]'
   end

spec/acceptance/db_deferred_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'postgresql::server::db:' do
+  let(:user) { 'user_test' }
+  let(:password) { 'deferred_password_test' }
+  let(:database) { 'test_database' }
+
+  let(:pp_one) do
+    <<-MANIFEST.unindent
+      $user = #{user}
+      $password = #{password}
+      $database = #{database}
+
+      include postgresql::server
+      postgresql::server::db { $database:
+         user     => $user,
+         password => Deferred('unwrap', [$password]),
+      }
+    MANIFEST
+  end
+
+  it 'creates a database with with the password in the deferred function' do
+    if run_shell('puppet --version').stdout[0].to_i < 7
+      skip # Deferred function fixes only in puppet 7, see https://tickets.puppetlabs.com/browse/PUP-11518
+    end
+    apply_manifest(pp_one)
+    psql_cmd = "PGPASSWORD=#{password} PGUSER=#{user} PGDATABASE=#{database} psql -h 127.0.0.1 -d postgres -c '\\q'"
+    run_shell("cd /tmp; su #{shellescape('postgres')} -c #{shellescape(psql_cmd)}",
+              acceptable_exit_codes: [0])
+  end
+end

types/pg_password_encryption.pp

@@ -1,2 +1,4 @@
 # @summary the supported password_encryption
+# Note that this Enum is also defined in:
+# lib/puppet/functions/postgresql/postgresql_password.rb
 type Postgresql::Pg_password_encryption = Enum['md5', 'scram-sha-256']