Provide an option to disable password auth for database users
Currently, it is not possible securely create a user in a terraform DevOps pipeline, since "Passwords may show up in Terraform related logs" according to the documentation. If the password was no longer required to create a user, we could avoid this issue by only using certificate authentication.
Agree. I think it should be possible to use a `random_password` resource or a fixed initial password secret, then change it out of band, and use a lifecycle policy to prevent changes after the resource changes. But it would be much cleaner if the provider could set an empty or random password on resource creation, so that the password could be managed out of band vs. having to define the resource with a password, then removing the password resource later.
Even in the case of using a secure backend for the password, it will end up being viewable in cleartext in the (unencrypted) state, so not ideal.