diff --git a/REFERENCE.md b/REFERENCE.md
index c40a5eb3215a38164a6f5c5a60a38adba0618726..387082b9ae42f610c0c81486a4779c051d45b2eb 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -16,7 +16,7 @@
 
 #### Private Classes
 
-* `cfssl::goose`: Install a database migration tool used by CFSSL
+* `cfssl::goose`: Installs Goose, a database migration tool used by CFSSL
 
 ### Defined types
 
diff --git a/manifests/goose.pp b/manifests/goose.pp
index 7746f1a0440a92f8dc001bc65e95507edd07632d..8dd68a08e0c889b09a4c7f9e9dcc8799d3b1374d 100644
--- a/manifests/goose.pp
+++ b/manifests/goose.pp
@@ -1,6 +1,6 @@
-# @summary Install a database migration tool used by CFSSL
+# @summary Installs Goose, a database migration tool used by CFSSL
 #
-# Install a database migration tool used by CFSSL
+# Installs Goose, a database migration tool used by CFSSL
 #
 # @example
 #   include cfssl::goose
@@ -9,20 +9,19 @@
 #
 class cfssl::goose {
   assert_private()
-  # stuffs for goose : a database migration tool used by CFSSL
-  package { $cfssl::params::go_package:
-    ensure => present,
+
+  archive { "${cfssl::binpath}/goose" :
+    ensure          => present,
+    source          => $cfssl::params::goose_downloadurl,
+    checksum_verify => true,
+    checksum_type   => $cfssl::params::goose_checksumtype,
+    checksum        => $cfssl::params::goose_checksum,
   }
-  -> file { '/usr/local/bin/go':
-    ensure => link,
-    target => $cfssl::params::go_targetlink,
-  }
-  -> exec { 'install goose':
-    command     => '/usr/local/bin/go install bitbucket.org/liamstask/goose/cmd/goose@latest',
-    creates     => "/home/${cfssl::sysuser}/go/bin/goose",
-    user        => $cfssl::sysuser,
-    environment => ["HOME=/home/${cfssl::sysuser}"],
-    cwd         => '/tmp',
-    require     => User[$cfssl::sysuser],
+  -> file { "${cfssl::binpath}/goose" :
+    ensure  => file,
+    mode    => '0700',
+    owner   => $cfssl::sysuser,
+    group   => $cfssl::sysgroup,
+    require => User[$cfssl::sysuser],
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 09269d07bf533f13afda5bf0a86d68524eb18d22..b2acd0a9570ba246d624664b35db476c16178651 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -78,6 +78,11 @@ class cfssl (
   include postgresql::server
 
   $_goose_cfssldbmigrate_path = "/home/${cfssl::sysuser}/goose-cfssldbmigrate"
+  $_dbpassword_unsensitive = if $dbpassword =~ Sensitive[String] {
+    $dbpassword.unwrap
+  } else {
+    $dbpassword
+  }
 
   group { $sysgroup :
     ensure => present,
@@ -157,19 +162,16 @@ class cfssl (
     revision => "v${version}",
     user     => $sysuser,
   }
-  -> file { "${_goose_cfssldbmigrate_path}/certdb/pg/dbconf.yml":
-    ensure  => file,
-    mode    => '0600',
-    owner   => $sysuser,
-    group   => $sysgroup,
-    content => epp('cfssl/goose-dbconf.yml.epp'),
-  }
 
   exec { 'goose pg up':
-    command     => "/home/${sysuser}/go/bin/goose --env puppetmigrate -path ${_goose_cfssldbmigrate_path}/certdb/pg up",
+    command     => "${binpath}/goose postgres \"host=localhost user=${cfssl::dbuser} password='\$DBPASSWORD' dbname=${cfssl::dbname} sslmode=disable\" up",
     user        => $sysuser,
-    environment => ["HOME=/home/${sysuser}/"],
-    onlyif      => "/home/${sysuser}/go/bin/goose --env puppetmigrate -path ${_goose_cfssldbmigrate_path}/certdb/pg status | grep -q 'Pending'",
+    environment => [
+      "HOME=/home/${sysuser}/",
+      "DBPASSWORD=${_dbpassword_unsensitive}",
+    ],
+    cwd         => "${_goose_cfssldbmigrate_path}/certdb/pg/migrations",
+    onlyif      => "${binpath}/goose postgres \"host=localhost user=${cfssl::dbuser} password='\$DBPASSWORD' dbname=${cfssl::dbname} sslmode=disable\" status 2>&1 | grep -q 'Pending'",
     require     => [
       User[$sysuser],
       Vcsrepo[$_goose_cfssldbmigrate_path],
diff --git a/manifests/params.pp b/manifests/params.pp
index 9088a369338b367070feecbedfef3a904a5398fc..67524de0cc45d425341719be5f0ec06a1c64f0b1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -10,18 +10,7 @@ class cfssl::params {
   $db_config_json = 'db-config.json'
   $systemd_unitdir = '/etc/systemd/system'
   $systemd_unit_file = "${systemd_unitdir}/cfssl.service"
-
-  case $facts['os']['release']['major'] {
-    '20.04':  {
-      $go_package = 'golang-1.16-go'
-      $go_targetlink = '/usr/lib/go-1.16/bin/go'
-    }
-    '22.04':  {
-      $go_package = 'golang-1.17-go'
-      $go_targetlink = '/usr/lib/go-1.17/bin/go'
-    }
-    default:  {
-      fail("${module_name} does not support OS ${facts['os']['name']}-${facts['os']['release']['major']}")
-    }
-  }
+  $goose_downloadurl = 'https://github.com/pressly/goose/releases/download/v3.7.0/goose_linux_x86_64'
+  $goose_checksumtype = 'sha256'
+  $goose_checksum = 'd3b6b90af96e898c8a7e6c7b4fd45d04b994ca2f7fa4a6f66ef0fccfe31818df'
 }