
CloudFront tag-based invalidations: now supported in CloudFront Purger


AWS recently released support for tag-based invalidations in CloudFront. We've updated the CloudFront Purger Drupal module we co-maintain with experimental support - and you can try it out today.

What's changed

Until now, CloudFront only supported path-based cache invalidations. That meant purging a single piece of content could require dozens of individual requests - one per URL.

Drupal's cache tag system is far more precise. Tags like node:42 or taxonomy_term:7 let you target exactly the content that's changed, across every URL it appears on. With tag-based invalidations now available in CloudFront, we can take full advantage of that.

The new cloudfront_purger_tags submodule bridges the two. It adds a Cache-Tags header to your Drupal responses and enables the purger to send tag-based invalidation requests directly to CloudFront.

How it works

Drupal cache tags can be long - config:views.view.content_recent, for example - and a single response can carry dozens of them. CloudFront enforces strict header size limits, so we hash each tag to a 6-character string using xxHash3 before sending it.

When content is invalidated, the purger sends the corresponding hashed tags to CloudFront, prefixed with # (e.g., #a1b2c3). CloudFront handles the rest.

Getting started

You'll need:

  • The cloudfront_purger module (parent module)
  • A CloudFront distribution with CacheTagConfig enabled

Enable cache tag tracking on your distribution

Using the AWS CLI:

aws cloudfront update-distribution \
  --id YOUR_DISTRIBUTION_ID \
  --distribution-config file://distribution-config.json

Your distribution config should include:

{
  "CacheTagConfig": {
    "Enabled": true,
    "HeaderName": "Cache-Tags"
  }
}

You can also configure this via the web UI, CloudFormation or Terraform.

Enable the submodule

Enable cloudfront_purger_tags alongside the parent module. You'll also need the purge_queuer_coretags submodule, which should be configured in the Purge UI at /admin/config/development/performance/purge.

The cache tag header name defaults to Cache-Tags and can be changed via cloudfront_purger_tags.settings - just make sure it matches the HeaderName in your CloudFront config.

Optionally, configure a tag blocklist at /admin/config/development/performance/purge to exclude high-volume prefixes like config: or theme_registry from being queued.

A note on limitations

CloudFront enforces resource limits on cache tag headers:

  • Maximum 50 cache tags per cached object
  • Maximum 256 characters per tag
  • Maximum 1,783 characters per header value

If a response exceeds these limits, excess tags are dropped by CloudFront. Content tagged with dropped tags won't be invalidated when those tags are purged.

If you hit this regularly, consider path-based invalidations for high-tag-count responses, or review your caching strategy to reduce tag density.

One thing to check before going to production: if you've enabled Drupal's debug cacheability headers ($settings['http.response.debug_cacheability_headers'] = TRUE), make sure that's turned off. Those headers contain verbose, unhashed tags that will exceed CDN limits. They're disabled by default in Drupal.
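A pre-production check for the points above, as an added example that is not part of the module or the original post: it audits one response's headers against the three limits listed here and flags Drupal's debug cacheability headers. The function names and sample headers are constructed, and the comma/whitespace tag separator is an assumption.

```python
import re

# Limits as listed in this article.
MAX_TAGS, MAX_TAG_CHARS, MAX_HEADER_CHARS = 50, 256, 1783
# Header names Drupal core emits when debug_cacheability_headers is TRUE.
DEBUG_HEADERS = ("x-drupal-cache-tags", "x-drupal-cache-contexts",
                 "x-drupal-cache-max-age")


def audit_response(headers, header_name="Cache-Tags"):
    """Return (code, detail) findings for one response's header dict."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [("debug_header", h) for h in DEBUG_HEADERS if h in lower]
    value = lower.get(header_name.lower())
    if value is None:
        return findings + [("missing_header", header_name)]
    # Assumption: tags are separated by commas and/or whitespace.
    tags = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    if len(tags) > MAX_TAGS:
        findings.append(("too_many_tags", f"{len(tags)} > {MAX_TAGS}"))
    for tag in tags:
        if len(tag) > MAX_TAG_CHARS:
            findings.append(("tag_too_long", f"{tag[:20]}... ({len(tag)} chars)"))
    if len(value) > MAX_HEADER_CHARS:
        findings.append(("header_too_long", f"{len(value)} > {MAX_HEADER_CHARS}"))
    return findings


def sample_responses():
    """Constructed header sets; the hashed tag values are made up."""
    hashed = [f"{i:06x}" for i in range(60)]
    return {
        "ok": {"Cache-Tags": " ".join(hashed[:12])},
        "dense": {"Cache-Tags": " ".join(hashed)},
        "debug": {"Cache-Tags": " ".join(hashed[:3]),
                  "X-Drupal-Cache-Tags": "node:42 taxonomy_term:7"},
        "unhashed": {"Cache-Tags": " ".join(
            f"config:views.view.content_recent_display_{i:03d}" for i in range(45))},
    }


if __name__ == "__main__":
    for name, hdrs in sample_responses().items():
        print(name, audit_response(hdrs) or "within limits")
```

Pass a different header_name if you changed the default in cloudfront_purger_tags.settings.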

Hosting on Skpr?

Our Skpr hosting platform uses CloudFront under the hood. If you're interested in using tag-based invalidations on Skpr, get in touch.

Try it out

This feature is experimental - we'd love your feedback. Install the module, enable the submodule, and let us know how it goes via the issue queue.

Full setup details are in the README and the CloudFront tag-based invalidation documentation.
