Releases: luthersystems/tf-modules
v55.21.0
What's Changed
- fix(aws-cf-reverse-proxy): make the duplicate-content UA marker optional (#69) — pass duplicate_content_penalty_secret = "" to disable the static-site-era SEO UA injection. Defaults preserved; existing callers unaffected.
Full Changelog: v55.20.0...v55.21.0
v55.19.0
What's Changed
- aws-cf-reverse-proxy: stable hash-keyed iteration to eliminate ordered_cache_behavior shuffle diffs (#67)
aws-cf-reverse-proxy — stable iteration
Refactors local.origin_configs and local.grpc_origin_configs to be keyed by a hash-prefix of the path (${substr(sha256(path), 0, 8)}-${path}) rather than the raw path. The dynamic ordered_cache_behavior and origin blocks now read path_pattern from the value instead of the key.
Why: Terraform's TypeList diff for aws_cloudfront_distribution.ordered_cache_behavior and origin blocks compares element-by-index. When the prior layout was keyed by raw path, inserting any path that sorted earlier than an existing key (e.g. /.well-known/agent-card.json < /.well-known/agent.json) shifted every later entry down one and produced cosmetic ~ diffs across every behavior. Hash-prefixed keys spread entries over the keyspace so insertions land at their hash position without moving siblings.
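The keying change described above, as a provider-free configuration added here for illustration (not the module's code). The key expression is the one quoted in the release note; the variable, local and output names and the sample origins are assumptions.

```hcl
# Added illustration: variable, local and output names are assumptions,
# not the module's own. Needs no provider; run `terraform apply` or
# inspect the outputs in `terraform console`.
variable "routes" {
  type = map(string) # path pattern => origin URL (constructed sample values)
  default = {
    "/.well-known/agent.json" = "https://origin-a.example.com"
    "/api/*"                  = "https://origin-b.example.com"
    "/static/*"               = "https://origin-c.example.com"
  }
}

locals {
  # Prior layout: keyed by raw path, so for_each order is the path sort order.
  raw_keyed = {
    for path, url in var.routes : path => { path_pattern = path, origin_url = url }
  }

  # New layout: key expression from the release note. The path moves into
  # the value, because the key is no longer usable as path_pattern.
  hash_keyed = {
    for path, url in var.routes :
    "${substr(sha256(path), 0, 8)}-${path}" => { path_pattern = path, origin_url = url }
  }
}

# Terraform iterates map keys in lexical order, so these lists are the block
# order a dynamic block with for_each over each map would produce.
output "raw_order" {
  value = [for k, v in local.raw_keyed : v.path_pattern]
}

output "hash_order" {
  value = [for k, v in local.hash_keyed : v.path_pattern]
}
```

Add "/.well-known/agent-card.json" to routes and re-run to compare where the new entry lands in each list.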
Consumer impact
⚠️ First plan after bumping shows a one-time shuffle. Every existing ordered_cache_behavior and origin entry migrates from its raw-key index to the hash-key index. The end-state distribution is byte-identical (same path patterns, same target origins, same cache policies), but reviewers will see what looks like a major rewrite. Subsequent route additions produce clean single-block diffs.
After the one-time bump, future additions like the A2A agent-card.json route added in luthersystems/ui-infrastructure#240 generate a clean "+ ordered_cache_behavior" and "+ origin" pair with no shuffle on neighboring routes.
Full Changelog: v55.18.0...v55.19.0
v55.18.0
What's Changed
- aws-cf-reverse-proxy: add extra_forwarded_headers variable (#66)
aws-cf-reverse-proxy custom header forwarding
New optional input variable on the aws-cf-reverse-proxy module:
extra_forwarded_headers = ["X-A2A-Task-Secret"]
Headers in this list are appended to the cache policy's whitelist — included in the cache key and forwarded to origin. Defaults empty so existing distributions render byte-identical.
This unblocks the A2A SDK migration on the InsideOut MCP server, which depends on the X-A2A-Task-Secret request header for per-task secret authentication. Without forwarding, every A2A resume-path operation (GetTask, CancelTask, push-config CRUD, resume-turn SendMessage) fails with -32602 invalid params because CloudFront drops the header at the edge.
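How a header list like this can feed a CloudFront cache policy, as an example added here rather than the module's own code. Only the variable name comes from the release note; the baseline list, policy name, TTLs and validation rule are assumptions.

```hcl
# Added illustration, not the module's code: base_headers, the policy name
# and the TTLs are assumptions; only the variable name is from the release note.
variable "extra_forwarded_headers" {
  type    = list(string)
  default = []

  validation {
    # Conservative subset of valid header-name characters, checked at plan time.
    condition = alltrue([
      for h in var.extra_forwarded_headers : can(regex("^[A-Za-z0-9-]+$", h))
    ])
    error_message = "Each entry must be a plain HTTP header name, such as X-A2A-Task-Secret."
  }
}

locals {
  base_headers      = [] # assumed empty baseline whitelist
  cache_key_headers = distinct(concat(local.base_headers, var.extra_forwarded_headers))
  has_headers       = length(local.cache_key_headers) > 0
}

resource "aws_cloudfront_cache_policy" "example" {
  name        = "example-extra-forwarded-headers"
  min_ttl     = 0
  default_ttl = 60 # non-zero: CloudFront rejects cache-key headers when caching is disabled
  max_ttl     = 300

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      # An empty whitelist is invalid, so fall back to "none" for the default case.
      header_behavior = local.has_headers ? "whitelist" : "none"
      dynamic "headers" {
        for_each = local.has_headers ? [1] : []
        content {
          # Every listed header is forwarded to origin AND varies the cache key,
          # so a per-task secret yields one cache entry per secret value.
          items = local.cache_key_headers
        }
      }
    }
    query_strings_config {
      query_string_behavior = "none"
    }
  }
}
```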
Closes tf-modules#65; companion to ui-infrastructure#242.
Full Changelog: v55.17.0...v55.18.0
v55.17.0
What's Changed
- aws-cf-reverse-proxy: add per-behavior gRPC support via grpc_routes (#64)
aws-cf-reverse-proxy gRPC support
New optional input variable on the aws-cf-reverse-proxy module:
grpc_routes = {
  "/a2a.v1.A2AService/*" = "https://<eks-alb>"
}
Each entry registers an ordered_cache_behavior with grpc_config { enabled = true } against a dedicated origin (id origin-grpc-<sanitized-path>). When length(grpc_routes) > 0, the distribution http_version flips to http2and3 (gRPC requires HTTP/2 minimum). With grpc_routes = {} (the default), the rendered distribution is byte-identical to v55.16.0 — existing consumers see zero plan diff.
Companion infra work: luthersystems/mars#132 (chart hooks for gRPC port + Service annotations) and luthersystems/ui-infrastructure#241 (consumer wiring).
Full Changelog: v55.16.0...v55.17.0
v55.16.0
What's Changed
- feat: Add EKS 1.34 addon versions and update ALB controller IAM policy (#62) @sam-at-luther
Full Changelog: v55.15.2...v55.16.0
v55.15.2
- harden aws-platform-ui-bootstrap DNS and state outputs against missing bootstrap resources
- raise aws-platform-ui-bootstrap Terraform floor to >= 1.2 for output preconditions
- replace raw tuple indexing with guarded locals and descriptive failures for missing tfstate resources
v55.15.1
What's Changed
- fix: Eliminate perpetual Terraform drift in 4 AWS resources (#59) @sam-at-luther
Full Changelog: v55.15.0...v55.15.1
v55.15.0
What's Changed
- luthername max_length support — Add optional max_length variable to control generated name length. When set, truncates the prefix while preserving the ID suffix for uniqueness. Useful when downstream modules append suffixes and names exceed AWS service limits. (#56)
- CI modernization — Rewrite GitHub Actions workflow with dynamic module discovery, matrix-based parallel validation, upgraded Terraform (1.7.5) and actions versions, following patterns from insideout-terraform-presets.
Full Changelog: v55.14.0...v55.15.0
v55.14.0
What's Changed
- Expose aws_cloudwatch_retention_days in aws-platform-ui-main module, allowing consumers to override CloudWatch log group retention (default remains 90 days)
v55.13.6
What's Changed
- feat: Add trusted_role_arns to eks-service-account-iam-role by @sam-at-luther in #54
Full Changelog: v55.13.5...v55.13.6