Commit 8b217ca
fix: truncate long lines before tfmask to prevent bufio.Scanner crash
tfmask is a Go binary that reads plan output line-by-line using
bufio.Scanner, which has a default 64KB buffer limit. Terraform resources
that embed large base64 blobs in their plan output (e.g.
google_api_gateway_api_config with openapi_documents) produce single lines
that exceed this limit.
When tfmask crashes mid-pipe, terraform receives SIGPIPE and exits with a
non-standard code (not 0 or 2). PIPESTATUS[0] then captures that bad code,
neither branch of the PLAN_EXIT check matches, set_output changes is never
called, and the apply step is skipped with "No plan changes detected".
Fix: add a Python pre-processor before tfmask that truncates any line
exceeding 65000 chars. This preserves tfmask's secret-masking for all
normal lines while preventing it from crashing on oversized blob lines.
The truncated content only affects the human-readable plan display in
plan.txt — it has no effect on whether changes are detected or applied.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>1 parent ecd6697 commit 8b217ca
1 file changed
Lines changed: 11 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
505 | 505 | | |
506 | 506 | | |
507 | 507 | | |
| 508 | + | |
| 509 | + | |
| 510 | + | |
| 511 | + | |
| 512 | + | |
| 513 | + | |
| 514 | + | |
| 515 | + | |
| 516 | + | |
| 517 | + | |
| 518 | + | |
508 | 519 | | |
509 | 520 | | |
510 | 521 | | |
| |||
0 commit comments