diff --git a/salt/postgres/config.sls b/salt/postgres/config.sls index e458e8455..f5bf856eb 100644 --- a/salt/postgres/config.sls +++ b/salt/postgres/config.sls @@ -94,6 +94,14 @@ postgres_app_secret: - require: - file: postgressecretsdir +postgrestelegrafrole: + file.managed: + - name: /usr/local/bin/telegraf_role.sh + - source: salt://postgres/files/telegraf_role.sh + - user: root + - group: root + - mode: 755 + postgres_sbin: file.recurse: - name: /usr/sbin diff --git a/salt/postgres/files/telegraf_role.sh b/salt/postgres/files/telegraf_role.sh new file mode 100644 index 000000000..352efa018 --- /dev/null +++ b/salt/postgres/files/telegraf_role.sh @@ -0,0 +1,23 @@ +#!/bin/bash +set -e + +# Provision or update a Telegraf postgres role. +# Expects ROLE_USER and ROLE_PASS environment variables. + +docker exec -i so-postgres psql \ + -v ON_ERROR_STOP=1 \ + -v role_user="$ROLE_USER" \ + -v role_pass="$ROLE_PASS" \ + -U postgres -d so_telegraf <<'EOSQL' +DO $$ +BEGIN + IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = :role_user) THEN + EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', :role_user, :role_pass); + ELSE + EXECUTE format('ALTER ROLE %I WITH LOGIN PASSWORD %L', :role_user, :role_pass); + END IF; +END +$$; +GRANT CONNECT ON DATABASE so_telegraf TO :"role_user"; +GRANT so_telegraf TO :"role_user"; +EOSQL diff --git a/salt/postgres/telegraf_users.sls b/salt/postgres/telegraf_users.sls index 6d6a30d84..bafa781cc 100644 --- a/salt/postgres/telegraf_users.sls +++ b/salt/postgres/telegraf_users.sls 
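Review bot: The `:role_user` and `:role_pass` references inside the `DO $$ ... $$` block in telegraf_role.sh will not be substituted, because psql does not interpolate variables inside dollar-quoted strings, so the server receives a literal `:role_user`, the statement fails, and with `ON_ERROR_STOP=1` plus `set -e` the whole provisioning step aborts; only the two `GRANT` lines, which use `:"role_user"` outside any quoting, are expanded. One way to keep the values out of the SQL text and still reach them in PL/pgSQL is to copy them into session settings with `set_config` using the literal-quoted form `:'role_user'` / `:'role_pass'` (which is also what `%L` expects, and avoids the raw-substitution injection that an unquoted `:var` would allow if it ever were expanded) and read them back with `current_setting`, as below. Separately, `-v role_pass="$ROLE_PASS"` puts the password on psql's argv inside the container, where it is readable via `ps` or `/proc/<pid>/cmdline` by anything sharing that PID namespace; passing it with `docker exec -e ROLE_PASS` and loading the psql variable from the environment with a backtick `\set` would keep it out of the process table. `set -u` alongside `set -e` would also make a missing `ROLE_USER`/`ROLE_PASS` fail early with a clear message instead of attempting to create a role with an empty name.
```shell
# … unchanged: docker exec -i so-postgres psql -v ON_ERROR_STOP=1 -v role_user=… -v role_pass=… …
  -U postgres -d so_telegraf <<'EOSQL'
-- :'var' is psql's SQL-literal form; it is only expanded outside $$...$$,
-- so hand the values to the DO block through session settings.
SELECT set_config('so.role_user', :'role_user', false);
SELECT set_config('so.role_pass', :'role_pass', false);
DO $$
DECLARE
  u text := current_setting('so.role_user');
  p text := current_setting('so.role_pass');
BEGIN
  IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = u) THEN
    EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', u, p);
  ELSE
    EXECUTE format('ALTER ROLE %I WITH LOGIN PASSWORD %L', u, p);
  END IF;
END
$$;
-- … unchanged: GRANT CONNECT / GRANT so_telegraf lines and the EOSQL terminator …
```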
@@ -100,26 +100,17 @@ postgres_telegraf_group_role: {% for mid, entry in creds.items() %} {% if entry.get('user') and entry.get('pass') %} {% set u = entry.user %} -{% set p = entry.pass | replace("'", "''") %} +{% set p = entry.pass %} postgres_telegraf_role_{{ u }}: cmd.run: - - name: | - docker exec -i so-postgres psql -v ON_ERROR_STOP=1 -U postgres -d so_telegraf <<'EOSQL' - DO $$ - BEGIN - IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ u }}') THEN - EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', '{{ u }}', '{{ p }}'); - ELSE - EXECUTE format('ALTER ROLE %I WITH PASSWORD %L', '{{ u }}', '{{ p }}'); - END IF; - END - $$; - GRANT CONNECT ON DATABASE so_telegraf TO "{{ u }}"; - GRANT so_telegraf TO "{{ u }}"; - EOSQL + - name: /usr/local/bin/telegraf_role.sh + - env: + - ROLE_USER: {{ u }} + - ROLE_PASS: {{ p }} - hide_output: True - require: + - file: postgrestelegrafrole - cmd: postgres_telegraf_group_role {% endif %}
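Review bot: `- ROLE_USER: {{ u }}` and `- ROLE_PASS: {{ p }}` render the credential into the state file as an unquoted YAML scalar, so a password containing YAML-significant characters (`: `, ` #`, or a leading `'`, `"`, `*`, `&`, `[`, `{`, `!`, `%`, `@` or backtick) will break or silently mangle the rendered state, and a purely numeric password is read back as an integer rather than a string; the removed `replace("'", "''")` only ever protected the SQL literal, so after this change nothing quotes the value on this path at all. Rendering both with a YAML-safe filter, `- ROLE_USER: {{ u | json }}` and `- ROLE_PASS: {{ p | json }}`, yields a double-quoted scalar that YAML reads back as the exact string (Salt's `yaml_encode` filter is intended for the same purpose). The `{% endfor %}` that closes this loop lies outside the hunk.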