ClickMasters UK DevOps Stack — Standard Configuration
| Layer | Technology | UK Compliance Value | Configuration |
|---|---|---|---|
| Source control | GitHub (private repos) | Pull request audit trail — FCA PS21/3 change management evidence | Branch protection: required reviews, CI passing, no force-push |
| CI/CD | GitHub Actions | FCA audit trail, Cyber Essentials patching in managed runners | On PR: test, lint, security scan; on main merge: deploy to staging; on tag: deploy to production |
| Infrastructure as Code | Terraform or AWS CDK | Cyber Essentials controlled change, reproducible infrastructure | All infrastructure in code — no manual console changes. State in S3 + DynamoDB lock. |
| Compute | ECS Fargate (eu-west-2) | No EC2 patching — Cyber Essentials OS patching handled by AWS | 3 AZs, auto-scaling, health checks, CloudWatch Container Insights |
| Database | RDS PostgreSQL Multi-AZ | AWS-managed patching, automatic failover, FCA PS21/3 resilience | Automated backups 7 days (35 days for regulated), point-in-time recovery |
| Secrets management | AWS Secrets Manager | No hardcoded credentials — Cyber Essentials | Secrets rotated automatically (RDS + API keys) |
| Observability | CloudWatch + X-Ray | NHS DSP Toolkit log retention, FCA audit trail, PS21/3 monitoring | 7-year log retention for regulated, p95/p99 alarms, synthetic canary |
| Security scanning | Dependabot + Semgrep + Trivy | Cyber Essentials CVE patching, PCI-DSS Req 6 | Dependabot PRs auto-raised for critical CVEs; Trivy scans Docker images on every build |
Zero-Downtime Deployment Strategies
| Strategy | How It Works | FCA PS21/3 Suitable | ClickMasters Use Case |
|---|---|---|---|
| Blue-Green | Two identical environments, switch traffic at load balancer | ✅ Yes — instant rollback | All FCA IBS deployments — payment processing |
| Canary (5% → 100%) | Route small % to new version, monitor, then full rollout | ✅ Yes — gradual risk | High-risk feature releases — NHS clinical systems |
| Rolling update | Replace containers one by one | Acceptable for non-IBS | Low-risk internal services |
| Feature flags (LaunchDarkly) | Deploy code dark, release by flag | ✅ Best — decouple deploy from release | A/B testing, phased NHS rollouts, FCA Consumer Duty testing |
Cyber Essentials DevOps Requirements
Patch management: all software must be patched within 14 days of critical patches being released. ECS Fargate and RDS: AWS patches the OS — ClickMasters patches application dependencies (Dependabot). EC2: OS patching is your responsibility — ClickMasters eliminates EC2 from all production deployments.
Malware protection: Docker images scanned for malware with Trivy (every CI/CD build). AWS GuardDuty enabled in all production accounts.
Access control: IAM roles with least privilege for all CI/CD pipelines. No IAM access keys in GitHub repos (Dependabot monitors). OpenID Connect (OIDC) for GitHub Actions → AWS authentication (no long-lived credentials).
Firewall: AWS Security Groups restrict traffic to necessary ports only. All services in private subnets — only Load Balancer in public subnet. AWS WAF on Application Load Balancers for NHS and FCA applications.
Cyber Essentials has specific implications for UK DevOps practices: