From 4e2e67b494b131bf42238a53ec494f47b057b08b Mon Sep 17 00:00:00 2001 From: Kilian Engelhardt Date: Fri, 23 Apr 2021 19:40:01 +0200 Subject: [PATCH 1/3] expand 'ipset::set::array' type to allow nested arrays --- types/set/array.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/types/set/array.pp b/types/set/array.pp index 792524c..25023e1 100644 --- a/types/set/array.pp +++ b/types/set/array.pp @@ -1,4 +1,4 @@ # -# @summary type to allow an array of ip addresses +# @summary type to allow nested arrays of ip addresses # -type IPSet::Set::Array = Array[String] +type IPSet::Set::Array = Variant[Array, String[1]] From f18923a31ccbe5f1373125b5546ca41ea65f6c7f Mon Sep 17 00:00:00 2001 From: Kilian Engelhardt Date: Fri, 23 Apr 2021 19:44:18 +0200 Subject: [PATCH 2/3] de-duplicate flattened nested arrays before joining elements --- manifests/set.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/set.pp b/manifests/set.pp index eb610cb..ea13811 100644 --- a/manifests/set.pp +++ b/manifests/set.pp @@ -31,7 +31,7 @@ # } # # @example setup multiple ipsets based on a hiera hash with multiple arrays and multiple IPv4/IPv6 prefixes. Use the voxpupuli/ferm module to create suitable iptables rules. -# $ip_ranges = lookup('ip_net_vlans').flatten.unique +# $ip_ranges = lookup('ip_net_vlans') # $ip_ranges_ipv4 = $ip_ranges.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 } # $ip_ranges_ipv6 = $ip_ranges.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 } # @@ -108,7 +108,7 @@ # content case $set { IPSet::Set::Array: { # lint:ignore:unquoted_string_in_case - $new_set = join($set, "\n") + $new_set = join(flatten($set).unique, "\n") # create file with ipset, one record per line file { "${config_path}/${title}.set": ensure => file, From 33095b79c6fc1f96ccc9abb5bdfc98fbb8e26f62 Mon Sep 17 00:00:00 2001 
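Review bot: `Variant[Array, String[1]]` in types/set/array.pp no longer constrains what an array may contain, so the alias accepts integers, hashes or undef at any nesting depth, and also a bare non-empty string that is not an array at all. The old `Array[String]` at least guaranteed string elements, and these values are written to a set file by the `join(flatten($set).unique, "\n")` change in manifests/set.pp. A recursive alias keeps the nesting while restoring the element check: `type IPSet::Set::Array = Array[Variant[IPSet::Set::Array, String[1]]]`. The `@summary` line could then state that every leaf must be a non-empty string.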
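Review bot: With `.flatten.unique` dropped from the `$ip_ranges` line of this @example, the two `filter` lines that follow still compare each top-level element with `Stdlib::IP::Address::V4` and `V6`. If `lookup('ip_net_vlans')` returns nested arrays or a hash, as the example title suggests, those elements are arrays or key/value pairs and never match, so both filtered lists come out empty. That would presumably leave empty ipsets behind the ferm rules without any error. Keeping `# $ip_ranges = lookup('ip_net_vlans').flatten.unique` in the example avoids this, because the new flatten inside the define only sees what the filters let through.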
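Review bot: `IPSet::Set::Array` is the first option of this `case $set`, and with the alias widened in patch 1/3 it now matches any non-empty string as well as arrays. If later options of the case, which lie outside this hunk, handle string values such as source URLs or inline content, they become unreachable and the string itself would be written to the `.set` file as a single record. Narrowing the alias to arrays only fixes this; failing that, the option here could match `Array` rather than the alias. A comment above the join, such as `# flatten nested arrays and drop duplicate entries before writing one record per line`, would also document why both calls are there.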
From: Kilian Engelhardt Date: Fri, 23 Apr 2021 20:10:48 +0200 Subject: [PATCH 3/3] add test to for handling nested arrays --- spec/acceptance/ipset_spec.rb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/spec/acceptance/ipset_spec.rb b/spec/acceptance/ipset_spec.rb index 21f5208..8b58dd6 100644 --- a/spec/acceptance/ipset_spec.rb +++ b/spec/acceptance/ipset_spec.rb @@ -36,6 +36,25 @@ end end + context 'with a nested array' do + it 'handles nested arrays with no errors' do + pp = <<-EOS + include ipset + ipset::set{'nested-set': + set => ['10.0.0.1', ['10.0.0.2', '10.0.0.42']], + type => 'hash:net', + } + EOS + # Run it twice and test for idempotency + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_changes: true) + end + + describe command('ipset list basic-set') do + its(:stdout) { is_expected.to match %r{.*basic-set.*Type: hash:net.*10\.0\.0\.2.*}m } + end + end + context 'can delete ipsets' do it 'works even here idempotently with no errors' do pp = <<-EOS
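Review bot: The `describe command('ipset list basic-set')` block in the new context inspects `basic-set`, not the `nested-set` resource that the manifest above it creates. The stdout check therefore says nothing about whether the nested array was flattened into the set, and probably passes or fails on the state left by an earlier context. It should read `describe command('ipset list nested-set') do` with `its(:stdout) { is_expected.to match %r{.*nested-set.*Type: hash:net.*10\.0\.0\.42.*}m }`, so that an address from the inner array is verified. Adding a duplicate address to the test input would also exercise the new `.unique` call.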