Defining a state as an array can cause an unnecessary updating action #1224

@sbrowne-godaddy

Describe the Bug

When using the state parameter as an array with a single value, the matching routine expects the loaded value to also be an array, even if there is only a single value within the array.

Expected Behavior

Whilst the policy applies cleanly, re-applying the policy will attempt to update the rule every time the policy is applied.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Define firewall policy similar to:
  firewall { '997 drop invalid forward (v4)':
    chain  => 'FORWARD',
    proto  => 'all',
    state  => ['INVALID'],
    jump   => 'DROP',
    before => undef,
  }
  2. Apply.
  3. Output expected:
...
Notice: /Stage[main]/Profile::Base::Firewall::Post/Firewall[997 drop invalid forward (v4)]/state: current_value 'INVALID', should be ['INVALID'] (noop) (corrective)
...

Environment

  • Version: module tag v8.0.2, puppet 8.6.0
  • Platform: RHEL7, RHEL9

Additional Context

Reducing the value to a string does clean up the issue:

  firewall { '997 drop invalid forward (v4)':
    chain  => 'FORWARD',
    proto  => 'all',
    state  => 'INVALID',
    jump   => 'DROP',
    before => undef,
  }

However, I feel that a single-entry array for this parameter should not cause an error. When comparing the rules, the single-entry array should be flattened to a string to match how it is loaded from the destination system (or vice versa).

This is a changed behaviour in the module, admittedly from a much older release.
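
The comparison the report asks for, sketched as an added Ruby example. It is not code from the firewall module: the helper names are hypothetical, the rule line is constructed, and treating the state list as order-insensitive is an assumption.

```ruby
# Added illustration; not code from the puppetlabs-firewall module.
# normalize_states, states_from_rule and states_in_sync? are hypothetical names.

# Coerce a declared or discovered state value into one canonical list.
# Accepts 'INVALID', ['INVALID'], 'RELATED,ESTABLISHED' or nil.
def normalize_states(value)
  Array(value)
    .flat_map { |v| v.to_s.split(',') }
    .map { |v| v.strip.upcase }
    .reject(&:empty?)
    .uniq
    .sort # assumption: the order of states carries no meaning
end

# Extract the "--state" value from one iptables-save style rule line.
# Returns the raw string as loaded from the system, or nil if absent.
def states_from_rule(line)
  m = line.match(/--state\s+(\S+)/)
  m ? m[1] : nil
end

# True when the loaded value and the declared value describe the same
# set of states, regardless of string-versus-array shape.
def states_in_sync?(current, desired)
  normalize_states(current) == normalize_states(desired)
end

# Constructed sample rule line, shaped like the rule in the report.
RULE = '-A FORWARD -m state --state INVALID ' \
       '-m comment --comment "997 drop invalid forward (v4)" -j DROP'

if __FILE__ == $PROGRAM_NAME
  current = states_from_rule(RULE)
  desired = ['INVALID']
  # A shape-sensitive comparison reports drift on every run.
  puts "naive comparison in sync:      #{current == desired}"
  # Normalizing both sides first reports no drift.
  puts "normalized comparison in sync: #{states_in_sync?(current, desired)}"
end
```

A rule that reports a corrective change on every run also makes genuine firewall drift harder to spot in Puppet reports, which is why the comparison should be shape-insensitive.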
