nginx::nginx_servers locations no longer produces valid nginx configuration (Regression) #1500

Closed
kwisatz opened this issue Mar 10, 2022 · 1 comment

kwisatz commented Mar 10, 2022

In 0.16, the hiera data below produced valid nginx configurations. However, in 3.3.0, it no longer does and closes the server block too early.
May be related to #1360.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.14
  • Ruby: 2.7
  • Distribution: Debian
  • Module version: 3.3.0

How to reproduce (e.g. Puppet code you use)

nginx::nginx_servers:
  icinga2:
    ensure: present
    server_name:
      - icinga.mon.int.mde-content.com
    use_default_location: no
    locations:
      'icinga-letsencrypt':
        location: '/.well-known/acme-challenge/'
        www_root: '/var/tmp/letsencrypt'
      'icingaweb2-redirect':
        ensure: present
        location: '/'
        ssl_only: true
        fastcgi: phpfpm
        location_cfg_append:
          access_log: 'off'
          return: '301 $scheme://$host/icingaweb2'
      'icingaweb2':
        ensure: present
        www_root: '/usr/share/icingaweb2/public'
        ssl_only: true
        fastcgi: phpfpm
        location: '~ ^/icingaweb2(.+)?'
        try_files:
          - '$1'
          - '$uri'
          - '$uri/'
          - '/icingaweb2/index.php$is_args$args'
      'icingaweb2_index':
        ensure: present
        ssl_only: true
        fastcgi: phpfpm
        location: '~ ^/icingaweb2/index\.php(.*)$'
        location_cfg_append:
          fastcgi_param SCRIPT_FILENAME: /usr/share/icingaweb2/public/index.php
          fastcgi_param ICINGAWEB_CONFIGDIR: /etc/icingaweb2

What are you seeing

# MANAGED BY PUPPET
server {
  listen *:80;


  server_name           icinga.mon.int.mde-content.com;

  
  index  index.html index.htm index.php;
  access_log            /var/log/nginx/icinga2.access.log;
  error_log             /var/log/nginx/icinga2.error.log;

  location /.well-known/acme-challenge/ {
    root      /var/tmp/letsencrypt;
    index     index.html index.htm index.php;
  }
}

  location ~ ^/icingaweb2/index\.php(.*)$ {
    include       /etc/nginx/fastcgi.conf;

    fastcgi_pass  phpfpm;
    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
  }

  location / {
    include       /etc/nginx/fastcgi.conf;

    fastcgi_pass  phpfpm;
    access_log off;
    return 301 $scheme://$host/icingaweb2;
  }

  location ~ ^/icingaweb2(.+)? {
    root          /usr/share/icingaweb2/public;
    include       /etc/nginx/fastcgi.conf;

    fastcgi_pass  phpfpm;
    try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
  }

What behaviour did you expect instead

# MANAGED BY PUPPET
server {
  listen *:80;


  server_name           icinga.mon.int.mde-content.com;

  
  index  index.html index.htm index.php;
  access_log            /var/log/nginx/icinga2.access.log;
  error_log             /var/log/nginx/icinga2.error.log;

  location /.well-known/acme-challenge/ {
    root      /var/tmp/letsencrypt;
    index     index.html index.htm index.php;
  }

  location ~ ^/icingaweb2/index\.php(.*)$ {
    include       /etc/nginx/fastcgi.conf;

    fastcgi_pass  phpfpm;
    fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
    fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
  }

  location / {
    include       /etc/nginx/fastcgi.conf;

    fastcgi_pass  phpfpm;
    access_log off;
    return 301 $scheme://$host/icingaweb2;
  }

  location ~ ^/icingaweb2(.+)? {
    root          /usr/share/icingaweb2/public;
    include       /etc/nginx/fastcgi.conf;

    fastcgi_pass  phpfpm;
    try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
  }
}

Output log

Any additional information you'd like to impart


kwisatz commented Mar 10, 2022

OK, I missed those ssl_only: true inside the location blocks.
The previous config had ssl: yes while the current one doesn't.

The actual "bug" should probably be that the module does not complain if there are location resources that claim to be ssl_only while there is no ssl support in the server section itself. But I don't know how trivial or complicated this would be.

@kwisatz kwisatz closed this as completed Mar 10, 2022
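
The check suggested in the last comment can be run against the hiera data before Puppet applies it. This is an added example, not code from the module or from the issue author; the helper names `ssl_only_mismatches` and `lint` are hypothetical, and it assumes locations are nested under the server's `locations` key and SSL is enabled with a server-level `ssl` key, as in the data above.

```ruby
require 'yaml'

# Constructed sample: trimmed copy of the hiera data from the issue above.
SAMPLE_HIERA = <<~YAML
  nginx::nginx_servers:
    icinga2:
      ensure: present
      use_default_location: no
      locations:
        'icinga-letsencrypt':
          location: '/.well-known/acme-challenge/'
          www_root: '/var/tmp/letsencrypt'
        'icingaweb2-redirect':
          location: '/'
          ssl_only: true
        'icingaweb2':
          location: '~ ^/icingaweb2(.+)?'
          ssl_only: true
YAML

# Hypothetical helper: one finding per location marked ssl_only under a
# server whose hiera entry does not enable ssl.
def ssl_only_mismatches(hiera)
  servers = hiera['nginx::nginx_servers'] || {}
  servers.flat_map do |server_name, server|
    next [] if server.nil? || server['ssl'] == true

    (server['locations'] || {})
      .select { |_, loc| loc['ssl_only'] == true }
      .map { |res, loc| { server: server_name, resource: res, location: loc['location'] } }
  end
end

# Hypothetical entry point: parse hiera YAML text and return the findings.
def lint(yaml_text)
  ssl_only_mismatches(YAML.safe_load(yaml_text) || {})
end

lint(SAMPLE_HIERA).each do |f|
  puts "#{f[:server]}: location '#{f[:resource]}' (#{f[:location]}) is ssl_only but the server has no ssl"
end
```

A non-empty result from `lint` is the condition the comment describes: locations that will not land inside the plain-HTTP server block.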