
Crown Commercial Service
Under a hard deadline, we enabled the Crown Commercial Service to complete a critical migration by designing a robust, cost-optimised AWS EKS platform. The solution eliminated insecure static credentials and achieved 100% secure multi-account authentication using IRSA, ensuring project success and long-term taxpayer value.
Client: Crown Commercial Service (CCS)
Sector: UK Public Sector / Public Procurement
Mission: To help the entire UK public sector achieve maximum value when buying common goods and services, ultimately saving taxpayer money.
Objective: Complete a major migration of high-profile web services from the legacy GPaaS platform to a new, custom-built AWS environment ahead of a critical decommissioning deadline.
Business Challenges
Hard Decommissioning Deadline: CCS was under intense pressure to migrate all high-profile services off the legacy GPaaS platform by a December 2023 deadline.
CI/CD Roadblock (Authentication Failure): The initial plan to deploy the Jenkins CI/CD tool on AWS ECS failed because ECS lacked a native, secure capability to handle the required multi-account authentication.
Security Imperative: The distributed public sector architecture demanded secure, cross-account access without relying on static, insecure credentials, a non-negotiable requirement.
Risk: The technical hurdle threatened to derail the entire migration timeline and jeopardise the timely decommissioning of GPaaS.
Approach (The Solution)
Footprint IT Solutions diagnosed the ECS failure and implemented a superior, secure, and cost-effective architectural strategy using AWS EKS (Elastic Kubernetes Service) combined with IRSA.
Core Strategy (IRSA): Leveraged IAM Roles for Service Accounts (IRSA) within EKS. This feature maps Kubernetes service accounts to precisely scoped IAM roles across multiple AWS accounts and supplies them with temporary credentials, solving the multi-account authentication problem without static credentials.
Infrastructure as Code (IaC): Delivered the full environment using Terraform to ensure a reliable, auditable, and repeatable deployment.
Serverless Compute: Deployed the Jenkins master node onto AWS EKS Fargate, providing an always-on, serverless solution.
Cost Optimisation: Designed Managed EKS node groups using a strategic blend of EC2 Spot and On-Demand instances for optimised spend.
Automation & Security: Implemented comprehensive security controls and integrated GitHub Actions to fully automate the build and deployment pipelines.
Outcomes
Migration Deadline Met (Ahead of Schedule): All high-profile sites were migrated, operational, and secured ahead of the critical December 2023 GPaaS decommissioning deadline.
100% Secure Authentication: IRSA solved the foundational technical roadblock, establishing 100% secure cross-account access natively, eliminating the reliance on insecure static credentials and enhancing the security posture.
Operational Efficiency & Resilience: The transition to a cloud-native CI/CD pipeline on EKS Fargate, automated with GitHub Actions, increased the speed and reliability of deployment cycles while minimising maintenance overhead.
Cost Optimisation: The strategic blend of EC2 instance types guaranteed a cost-effective platform, successfully delivering high value for the taxpayer.
Future-Proofing: The highly scalable and standardised EKS architecture provides a resilient foundation for CCS to easily integrate future applications and services, marking the start of a technical transformation.
Testimonial
"The standard of service was extremely high, and played a key role in allowing CCS to achieve its objectives, successfully migrating its infrastructure to AWS. Andrew demonstrated extensive technical knowledge and high levels of productivity to assist in provisioning the required infrastructure components for each project, as well as assisting in the migration of relevant data and building application images. Andrew additionally provisioned a new Jenkins cluster in EKS, leveraging his strong knowledge of AWS, which has subsequently allowed the business to harness the power of CI/CD, and use this as the primary deployment agent for AWS-hosted projects. Andrew also displayed great interpersonal skills, engaging with numerous stakeholders across the business to provide relevant updates and assist/up-skill others as appropriate."
George H., Crown Commercial Service

