diff --git a/manifests/server/role.pp b/manifests/server/role.pp
index 0ef4651531..d56e008d13 100644
--- a/manifests/server/role.pp
+++ b/manifests/server/role.pp
@@ -133,7 +133,7 @@
       }
       postgresql_psql { "ALTER ROLE ${username} ENCRYPTED PASSWORD ****":
         command     => Sensitive("ALTER ROLE \"${username}\" ${password_sql}"),
-        unless      => Sensitive("SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'"),
+        unless      => "SELECT 1 FROM pg_shadow WHERE usename = '${username}' AND passwd = '${pwd_hash_sql}'",
         sensitive   => true,
       }
     }
diff --git a/spec/unit/defines/server/role_spec.rb b/spec/unit/defines/server/role_spec.rb
index 5e3e005dfa..4d7cd63fe3 100644
--- a/spec/unit/defines/server/role_spec.rb
+++ b/spec/unit/defines/server/role_spec.rb
@@ -42,7 +42,7 @@
     is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
       .with('command'     => 'Sensitive [value redacted]',
             'sensitive'   => 'true',
-            'unless'      => 'Sensitive [value redacted]',
+            'unless'      => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
             'port'        => '5432')
   end
 
@@ -74,7 +74,8 @@
     it 'has alter role for "test" user with password as ****' do
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
         .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
-              'unless'  => 'Sensitive [value redacted]', 'port' => '5432',
+              'unless'  => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
+              'port'    => '5432',
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end
@@ -107,7 +108,7 @@
     it 'has alter role for "test" user with password as ****' do
       is_expected.to contain_postgresql_psql('ALTER ROLE test ENCRYPTED PASSWORD ****')
         .with('command' => 'Sensitive [value redacted]', 'sensitive' => 'true',
-              'unless'  => 'Sensitive [value redacted]',
+              'unless'  => "SELECT 1 FROM pg_shadow WHERE usename = 'test' AND passwd = 'md5b6f7fcbbabb4befde4588a26c1cfd2fa'",
               'connect_settings' => { 'PGHOST' => 'postgres-db-server', 'DBVERSION' => '9.1',
                                       'PGPORT' => '1234', 'PGUSER' => 'login-user', 'PGPASSWORD' => 'login-pass' })
     end