diff --git a/manifests/profile/pacemaker/database/mysql_bundle.pp b/manifests/profile/pacemaker/database/mysql_bundle.pp
index b655542ca..61daf9be3 100644
--- a/manifests/profile/pacemaker/database/mysql_bundle.pp
+++ b/manifests/profile/pacemaker/database/mysql_bundle.pp
@@ -423,10 +423,27 @@ MYSQL_HOST=localhost\n",
       }
       File['/etc/sysconfig/clustercheck'] -> Exec['galera-ready']
 
+      # If the root password is to be updated:
+      #   . hiera contains the new password
+      #   . .my.cnf still contains the current root credentials
+      # so changing the root password can only happen before
+      # .my.cnf is re-generated by puppet
+      mysql_user { 'root@localhost':
+        ensure        => present,
+        password_hash => mysql_password($mysql_root_password),
+      }
+      Mysql_user['root@localhost'] -> File['/root/.my.cnf']
+
+      # make sure to update all root users in the mysql DB
+      mysql_user { 'root@%':
+        ensure        => present,
+        password_hash => mysql_password($mysql_root_password),
+      }
+
       # We create databases and users for services at step 2 as well. This ensures
       # Galera is up and ready before those get created
       File['/root/.my.cnf'] -> Mysql_database<||>
-      File['/root/.my.cnf'] -> Mysql_user<||>
+      File['/root/.my.cnf'] -> Mysql_user<|title!='root@localhost'|>
       File['/root/.my.cnf'] -> Mysql_grant<||>
       Exec['galera-ready'] -> Mysql_database<||>
       Exec['galera-ready'] -> Mysql_user<||>