Test whether updated deployment overwrites database owner password

It is best practice, and we will recommend to users, that the database owner password be changed immediately after deployment. If the user does so, and they should, will subsequent deployments like for an app tag update reset the owner password to that initially set? If so we've got a problem.

To address this the best solution, if available, would be to use a lifecycle block directing the provider to ignore changes to the role resource blocks:

resource "postgresql_role" "the_role" {
  ...

  lifecycle {
    ignore_changes = [
      password
    ]
  }
}

The above example should ignore changes. This block is part of the Terraform core and I believe does not need explicit support from the provider.