diff --git a/README.md b/README.md
index 12fb13b6..c91a6922 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,10 @@ The overall structure of this repository can be broken down as follows: - Python virtual environment. - See `.python-version` for the recommended version of Python. - If you use `env` or `venv`, the `.gitignore` will exclude it. + + - Install required Ansible galaxy collections: + - `ansible-galaxy collection install community.docker` + - The CDH Ansible vault key. This can be referenced on the command line or better set as in the Bash session, i.e. `export ANSIBLE_VAULT_PASSWORD_FILE=/path/to/.passwd` - A GitHub [personal access token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/) for any playbook that uses the `create_deployment` and `close_deployment` roles. You can set this in your Bash session as `ANSIBLE_GITHUB_TOKEN` or pass it on the command line as `-e github_token=` - The CDH deploy bot key. This can be added to ssh-agent or in `~/.ssh/config`. All production deploys must be on the campus network (including VPN) and proxy through the QA server to production, with an ssh config stanza that looks something like:
diff --git a/roles/build_virtualenv/tasks/main.yml b/roles/build_virtualenv/tasks/main.yml
index 270491b5..3effb37f 100644
--- a/roles/build_virtualenv/tasks/main.yml
+++ b/roles/build_virtualenv/tasks/main.yml
@@ -31,6 +31,6 @@ virtualenv_site_packages: yes virtualenv_python: "{{ python_version }}" when: install_app_requirements - + rescue: - include_tasks: roles/create_deployment/tasks/fail.yml
diff --git a/roles/deploy_user/molecule/default/verify.yml b/roles/deploy_user/molecule/default/verify.yml
index f45bc2bd..8289cdd8 100644
--- a/roles/deploy_user/molecule/default/verify.yml
+++ b/roles/deploy_user/molecule/default/verify.yml
@@ -29,6 +29,7 @@ - name: "get user group memberships" command: groups conan register: user_groups + check_mode: yes - name: "user should be member of deploy group" assert: that:
diff --git a/roles/postgresql/defaults/main.yml b/roles/postgresql/defaults/main.yml
index 0c44266f..aafbe7d7 100644
--- a/roles/postgresql/defaults/main.yml
+++ b/roles/postgresql/defaults/main.yml
@@ -5,6 +5,7 @@ postgres_host: localhost postgres_version: 12 postgres_admin_user: postgres postgres_admin_password: postgres +postgres_hba_conf_path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf" application_db_name: app application_dbuser_name: app_user application_dbuser_password: changethis
diff --git a/roles/postgresql/meta/main.yml b/roles/postgresql/meta/main.yml
index 8235b3ac..26c90561 100644
--- a/roles/postgresql/meta/main.yml
+++ b/roles/postgresql/meta/main.yml
@@ -16,6 +16,8 @@ galaxy_info: # - CC-BY-4.0 license: Apache-2.0 + min_ansible_version: 2.10 + # If this a Container Enabled role, provide the minimum Ansible Container version. # min_ansible_container_version:
@@ -44,6 +46,6 @@ dependencies: # if you add dependencies to this list. - { role: build_virtualenv, - virtualenv_path: deploy_user_venv, + virtualenv_path: "{{ deploy_user_venv }}", install_app_requirements: false, }
diff --git a/roles/postgresql/molecule/default/converge.yml b/roles/postgresql/molecule/default/converge.yml
index e2964e9b..15d88fc0 100644
--- a/roles/postgresql/molecule/default/converge.yml
+++ b/roles/postgresql/molecule/default/converge.yml
@@ -1,6 +1,9 @@ --- - name: Converge - hosts: all + hosts: localhost + vars: + python_version: "python3.6" + postgres_hba_conf_path: "/var/lib/postgresql/data/pg_hba.conf" tasks: - name: "Include postgresql" include_role:
diff --git a/roles/postgresql/molecule/default/prepare.yml b/roles/postgresql/molecule/default/prepare.yml
index 3cbcd7ec..71c5927d 100644
--- a/roles/postgresql/molecule/default/prepare.yml
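Review bot: `check_mode: yes` on the `command: groups conan` task forces it to run in check mode, where the command module does not execute the command, so `user_groups` will not hold the real group list. The assertion that follows (its body is outside the hunk) then has nothing real to test, which makes the deploy-group membership check unreliable. If the intent was to let this read-only command run even under `--check`, the line should be `check_mode: false`, ideally with `changed_when: false` next to it.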
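Review bot: The new `postgres_hba_conf_path` default has no comment saying which install layout it assumes, and this same commit already overrides it to `/var/lib/postgresql/data/pg_hba.conf` in the molecule playbooks. A one-line comment above it would help, for example `# pg_hba.conf on the database host; override when the server does not use the /etc/postgresql/<version>/main layout`. Since tasks/main.yml edits this file with `become`, the comment should also say that the variable decides which file is written with elevated privileges.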
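Review bot: `min_ansible_version: 2.10` in the first meta/main.yml hunk is an unquoted scalar, so a YAML parser reads it as the float 2.1 and the declared minimum becomes 2.1 rather than 2.10. Quote it so the value stays a string: `min_ansible_version: "2.10"`.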
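Review bot: With `hosts: localhost` the converge play applies the role to the machine running molecule, unless the scenario's inventory maps `localhost` to a test instance, which is not visible here. The role installs a pip package and edits `pg_hba.conf` with `become`, so a local run could modify the developer's or CI runner's own system. verify.yml in this commit still uses `hosts: all`, so converge and verify may not target the same host. Keeping `hosts: all` here and only adding the two `vars` entries would avoid both problems.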
+++ b/roles/postgresql/molecule/default/prepare.yml
@@ -2,6 +2,8 @@ - name: Prepare hosts: localhost gather_facts: false + vars: + python_version: "python3.6" vars_files: - ../../defaults/main.yml tasks:
diff --git a/roles/postgresql/molecule/default/verify.yml b/roles/postgresql/molecule/default/verify.yml
index 79044cd0..25691182 100644
--- a/roles/postgresql/molecule/default/verify.yml
+++ b/roles/postgresql/molecule/default/verify.yml
@@ -4,7 +4,25 @@ - name: Verify hosts: all gather_facts: false + vars: + postgres_hba_conf_path: "/var/lib/postgresql/data/pg_hba.conf" + vars_files: + - ../../defaults/main.yml tasks: - - name: Example assertion - assert: - that: true + + - name: ensure postgresql db user can create tables + vars: + ansible_python_interpreter: "{{ deploy_user_venv }}/bin/python" + postgresql_table: + login_host: "{{ postgres_host }}" + port: "{{ postgres_port }}" + login_user: "{{ application_dbuser_name }}" + login_password: "{{ application_dbuser_password }}" + db: "{{ application_db_name }}" + table: "test_table" + + check_mode: yes + register: db_user_info + + - name: debug db_user_info + debug: "{{ db_user_info }}"
diff --git a/roles/postgresql/tasks/create_db.yml b/roles/postgresql/tasks/create_db.yml
index 7e078e08..9450cf12 100644
--- a/roles/postgresql/tasks/create_db.yml
+++ b/roles/postgresql/tasks/create_db.yml
@@ -9,6 +9,5 @@ encoding: "UTF-8" owner: "{{ application_dbuser_name }}" state: "present" - with: ansible_python_interpreter: "{{ deploy_user_venv }}/bin/python" changed_when: false
diff --git a/roles/postgresql/tasks/create_user.yml b/roles/postgresql/tasks/create_user.yml
index 514e0df7..7bc6562a 100644
--- a/roles/postgresql/tasks/create_user.yml
+++ b/roles/postgresql/tasks/create_user.yml
@@ -1,5 +1,7 @@ --- - name: create postgresql db user + vars: + ansible_python_interpreter: "{{ deploy_user_venv }}/bin/python" postgresql_user: name: "{{ application_dbuser_name }}" login_host: "{{ postgres_host }}"
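Review bot: The new verify play never asserts anything: the `postgresql_table` task runs with `check_mode: yes`, so no table is actually created, and its result is only handed to `debug`. The task name promises that the database user can create tables, but as written a run can pass without that privilege being exercised. Add an `assert` on `db_user_info`, or drop `check_mode` and remove `test_table` afterwards. `debug: "{{ db_user_info }}"` should also be written as `debug:` with `var: db_user_info` beneath it, since `debug` takes `var` or `msg` rather than a free-form string.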
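Review bot: Removing only the `with:` line leaves `ansible_python_interpreter: "{{ deploy_user_venv }}/bin/python"` where it was, so depending on its indentation (lost in this view) it is now either an unknown task keyword or an unexpected module argument. create_user.yml in this commit moves the same setting under a task-level `vars:` key, and this file should match it by adding `vars:` to the task with the interpreter line beneath it. The task starts above the hunk, so the exact placement needs checking against the full file.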
@@ -10,6 +12,4 @@ encrypted: true role_attr_flags: "{{ application_dbuser_role_attr_flags }}" state: "present" - with: - ansible_python_interpreter: "{{ deploy_user_venv }}/bin/python" tags: create_user
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 29df799c..6da841dd 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@@ -2,14 +2,15 @@ # tasks file for postgresql - name: install postgresql python client pip: - virtualenv: deploy_user_venv - name: pyscopg2 + virtualenv: "{{ deploy_user_venv }}" + name: psycopg2-binary state: present - name: ensure access to postgres server lineinfile: - path: "/etc/postgresql/{{ postgres_version }}/main/pg_hba.conf" + path: "{{ postgres_hba_conf_path }}" line: "host all all {{ ansible_default_ipv4.address }}/32 md5" + become: yes delegate_to: "{{ postgres_host }}" - name: reload remote postgres server
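Review bot: `name: psycopg2-binary` is installed without a version, so each run pulls whatever release is current on the package index into the virtualenv whose interpreter the role then uses for tasks that carry database passwords. Pin it with the pip module's `version` option, e.g. `version: "<pinned release>"`, or install from a requirements file with hashes. Separately, the `lineinfile` task now writes to a variable-controlled path with `become: yes` on the delegated host. Adding `backup: true` there would keep a copy of `pg_hba.conf` if the edit goes wrong, and `become: true` is the canonical boolean spelling.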