aws-cf-reverse-proxy: add per-behavior gRPC support via grpc_routes #64
Merged
Adds opt-in gRPC support so consumers can register CloudFront cache
behaviors that speak gRPC to an EKS ALB origin. Existing distributions
with no grpc_routes set produce a zero-diff plan.
- vars.tf: new grpc_routes = map(string) (default {}).
- main.tf:
  - New local.grpc_origin_configs derives an origin per gRPC route with
    a distinct origin-grpc-... id. A combined all_origin_configs feeds
    the dynamic "origin" block; when grpc_routes = {} it equals
    local.origin_configs, preserving the exact origin set.
  - http_version flips to http2and3 only when length(grpc_routes) > 0,
    otherwise stays http2.
  - New dynamic "ordered_cache_behavior" iterates grpc_origin_configs
    and emits grpc_config { enabled = true } plus the full method set
    CloudFront requires for gRPC behaviors. Reuses the existing cache
    policy.
Closes #63
sam-at-luther added a commit that referenced this pull request May 7, 2026
…d_cache_behavior shuffle diffs (#67)

CloudFront's ordered_cache_behavior and origin blocks are TypeList in the provider schema; terraform iterates the for_each map in sorted-key order and the resulting list is diffed by index. When local.origin_configs was keyed by raw path, inserting a new path that sorted earlier than an existing key (e.g. "/.well-known/agent-card.json" sorts before "/.well-known/agent.json" because "-" < ".") shifted every later entry down by one index and produced cosmetic ~ diffs across every behavior.

Switch local.origin_configs and local.grpc_origin_configs to be keyed by "<sha256(path)[:8]>-<path>" — a stable hash-prefix that spreads entries over the keyspace so insertions don't predictably shift siblings. The path is appended after the hash purely so generated keys remain human-readable in plan output. path_pattern is now carried in the value so the dynamic blocks can stop reading it from .key.

Public API is unchanged: var.origin_routes and var.grpc_routes keep their existing schemas. The output "origin_configs" is re-keyed by path_pattern so its observable shape stays the same for downstream consumers — only internal iteration order changes.

The "__grpc__" prefix from #64 was no longer needed because gRPC keys now carry an unambiguous "grpc-" hash-prefixed namespace; the merge into all_origin_configs simplifies to a plain merge().

First apply after consumers bump to this version produces a one-time index shuffle as existing keys migrate from raw-path to hash-prefixed layout. End-state is byte-identical, but reviewers will see what looks like a major rewrite of every existing cache behavior in their first plan. Subsequent additions produce clean single-add diffs.

Refs luthersystems/ui-infrastructure#240
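The ordering effect this commit message describes, modelled as an added example (not code from the module or the PR): Python stands in for Terraform's sorted-key for_each iteration and index-based list diff, and reports which existing list indices change in place when a route is added under each key layout. The route list and the names raw_key, hashed_key, rendered and plan_noise are constructed for illustration.

```python
import hashlib


def raw_key(path):
    # Earlier layout described in the commit message: the map key is the raw path.
    return path


def hashed_key(path):
    # Layout described in the commit message: "<sha256(path)[:8]>-<path>".
    return hashlib.sha256(path.encode("utf-8")).hexdigest()[:8] + "-" + path


def rendered(paths, key_fn):
    """Model for_each: visit keys in sorted order, yielding an index-addressed list."""
    return [p for _, p in sorted((key_fn(p), p) for p in paths)]


def plan_noise(existing, new_path, key_fn):
    """Indices of existing entries whose path_pattern changes in place
    when new_path is added (assumes the list is diffed by index)."""
    before = rendered(existing, key_fn)
    after = rendered(existing + [new_path], key_fn)
    return [i for i, (b, a) in enumerate(zip(before, after)) if b != a]


# Constructed sample routes, not taken from any real distribution.
EXISTING = ["/.well-known/agent.json", "/api/*", "/static/*"]
NEW = "/.well-known/agent-card.json"

if __name__ == "__main__":
    for name, fn in (("raw-path keys", raw_key), ("hash-prefixed keys", hashed_key)):
        print(name, "-> in-place diffs at indices", plan_noise(EXISTING, NEW, fn))
```

Running it against the current route list before adding a path shows how many existing behaviors will appear as ~ changes in the plan, which helps a reviewer separate ordering noise from a real change to an origin or behavior.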
Closes #63
Companion follow-up: luthersystems/ui-infrastructure#241
Summary
Adds opt-in gRPC support to aws-cf-reverse-proxy so consumers can register CloudFront cache behaviors that speak gRPC to an EKS ALB origin. Existing distributions with no grpc_routes set produce a zero-diff plan.

Changes
- vars.tf: new grpc_routes = map(string) (default {}).
- main.tf:
  - local.grpc_origin_configs derives an origin per gRPC route with a distinct origin-grpc-... id. A combined local.all_origin_configs feeds the dynamic "origin" block; when grpc_routes = {} it is identical to local.origin_configs, preserving the exact origin set.
  - http_version flips to http2and3 only when length(grpc_routes) > 0, otherwise stays http2.
  - dynamic "ordered_cache_behavior" iterates grpc_origin_configs and emits grpc_config { enabled = true } plus the full method set CloudFront requires for gRPC behaviors. Reuses the existing cache and response-headers policies.

Design notes
- origin-grpc-<sanitized-path> ids so they never collide with HTTP origins, even when the underlying origin URL is the same ALB. No de-duplication: CloudFront accepts multiple origins pointing at the same domain under distinct ids, and this keeps the locals graph dead simple. If a future consumer wants a shared origin between HTTP and gRPC behaviors, that's an additive change.
- compress is intentionally omitted on gRPC behaviors (provider default false); gRPC handles compression at the protocol layer.
- __grpc__<path> exists only for for_each iteration; it never appears in any rendered AWS resource (the dynamic block emits origin.value.origin_id, not the key).

Verification
- terraform fmt -recursive aws-cf-reverse-proxy/ clean.
- terraform validate against aws-cf-reverse-proxy/tests/test1/ (AWS provider 6.44.0): clean both with the default test (grpc_routes unset) and with a sample entry {"/a2a.v1.A2AService/*" = "https://eks-alb.example.com"}.
- grpc_routes = {} is structurally guaranteed:
  - local.grpc_origin_configs = {}
  - local.all_origin_configs = merge(origin_configs, {}) == origin_configs
  - dynamic "ordered_cache_behavior" iterates over {} -> zero blocks
  - http_version = length({}) > 0 ? "http2and3" : "http2" -> "http2"
- grpc_routes entry, plan would show: 1 added origin (origin-grpc-...), 1 added ordered_cache_behavior with grpc_config { enabled = true }, and http_version flipping http2 -> http2and3. No other in-place changes.

Follow-up
- ui-infrastructure can bump ?ref= and add a grpc_routes entry. The issue suggests v56.0.0; current latest tag is v55.15.2. Not cutting the tag here — leaving that to a maintainer.
- ui-infrastructure consumer side is tracked in luthersystems/ui-infrastructure#241; chart side in insideoutmcp chart: add gRPC port + service.annotations passthrough mars#131.