Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 4
• Distribution: rhel 7
• Module version: V4.2.4

How to reproduce

1 - set a dependency between Exec[Firewalld::reload] and another puppet resource that fails in your manifest
2 - add a configuration of a direct rule in hiera or in you manifest
3 - sync your code and deploy

What are you seeing

The direct rule getting deployed in the permanent stage but the reload doesn't execute (skipped). Consequently, it stays inactive in the permanent area waiting for a subsequent reload to occur in the future to get deployed.

What behaviour did you expect instead

if the direct rule isn't present in the Runtime stage, it shouldn't be considered deployed

Any additional information you'd like to impart

is there any reason behind checking rules' existence with the permanent flag ?
i observed the same behavior occuring for the other rules