Sovereign Cloud Architecture
PROPOSAL Procurement & Delivery Framework for Cooperative Development

Procurement & Delivery Framework

Purpose: This document defines how companies within cooperative jurisdictions (UK, EU, Canada, Australia) can tender for, develop, test, and deliver sovereign cloud capabilities that integrate into a shared catalogue.

Audience: Procurement Officers, Vendor Management, Technical Authorities, Delivery Leads

The goal is to create a robust catalogue of cloud services to host in the CloudStack hyperscaler infrastructure. This requires a structured approach to procurement, development standards, CI/CD integration, and cooperative sign-off that ensures quality, security, and interoperability across all participating jurisdictions.

CRITICAL: Legal Compliance Analysis

Running a single tender across four different procurement regimes is legally impractical. See the Procurement Law Compliance Analysis for detailed analysis of UK Procurement Act 2023, EU Directive 2014/24, Canadian Buy Canadian policies, and Australian Commonwealth Procurement Rules 2025 - plus our recommended Coordinated Parallel Procurement model.

1. Executive Summary

This framework establishes:

  1. Capability Catalogue: A structured list of ~35 core capabilities needed to replace AWS/Azure/GCP services
  2. Tender Process: How SMEs in each jurisdiction bid for capability development contracts
  3. Development Standards: Mandatory IaC, security, documentation, and testing requirements
  4. CI/CD Pipeline: Shared infrastructure for build, test, security scan, and deployment
  5. Acceptance Process: How capabilities are reviewed, tested, and signed off by the cooperative
  6. Ongoing Maintenance: Support, patching, and evolution responsibilities

2. Resource Pool Estimation

Based on population ratios and typical SME density in cloud technology sectors:

Jurisdiction Population Ratio vs UK Implied Supplier Count Implied People (5 per supplier)
United Kingdom 1.0 15 75
European Union (27 members) ~6.4 ~96 ~480
Australia ~0.39 ~6 ~30
Canada ~0.57 ~9 ~45
Total Cooperative - ~126 SMEs ~630 specialists
AI Augmentation: With modern AI-assisted development, this resource pool of ~630 specialists can achieve output equivalent to a much larger team. The framework assumes AI tooling (Claude, Copilot, etc.) is integrated into the development workflow.

3. Capability Catalogue Structure

The catalogue organises capabilities into domains, with each capability defined as a discrete, tendered unit of work:

3.1 Catalogue Domains

Domain Capability Count AWS Equivalents Priority
A. Compute & App Hosting 4 EC2, EKS, Lambda, App Runner Critical
B. Storage 4 S3, EBS, EFS, Glacier Critical
C. Databases 5 RDS, DynamoDB, ElastiCache, DocumentDB, Aurora Critical
D. Networking 5 VPC, Route 53, ELB/ALB, CloudFront, API Gateway Critical
E. Security & Identity 5 IAM, KMS, Secrets Manager, Cognito, WAF Critical
F. Messaging & Integration 4 SQS, SNS, Kinesis, EventBridge High
G. DevOps & Observability 5 CloudWatch, CloudTrail, X-Ray, ECR, CloudFormation High
H. Analytics & Data 4 Redshift, Athena, Glue, QuickSight Medium
Total Core Capabilities ~36 - -

3.2 Capability Definition Template

Each capability in the catalogue is defined using this standard template:

CAP-B01: Object Storage Service (S3-Compatible)

Capability ID CAP-B01
Domain B. Storage
AWS Equivalent Amazon S3
Open Source Base MinIO / Ceph RGW
Priority Critical
Estimated Effort 3-person team, 12 weeks
Dependencies CAP-E02 (IAM/RBAC), CAP-E03 (KMS)

Functional Requirements

  • S3-compatible API (GetObject, PutObject, ListBucket, etc.)
  • Bucket policies and ACLs
  • Object versioning
  • Lifecycle policies (transition, expiration)
  • Cross-region replication (between cooperative jurisdictions)
  • Server-side encryption (SSE-S3, SSE-KMS)
  • Event notifications to message queue

Non-Functional Requirements

  • 99.99% availability SLA
  • 11 nines durability
  • Maximum latency: 100ms P99 for GET operations
  • Scale to 100PB+ per jurisdiction

Deliverables

  • OpenTofu module for MinIO cluster deployment
  • Helm chart for Kubernetes deployment
  • Integration with CAP-E02 (Keycloak) for IAM
  • Integration with CAP-E03 (OpenBao) for KMS
  • Prometheus metrics and Grafana dashboards
  • Operational runbook
  • Disaster recovery playbook
  • Security hardening documentation

4. Tender Process

4.1 Process Overview

CAPABILITY TENDER LIFECYCLE
PHASE 1: PREPARATION
Capability Specification Drafted
Working Group Review
Steering Committee Approval
PHASE 2: TENDER
ITT Published (Invitation to Tender)
SME Submissions (4 week window)
Technical + Commercial Evaluation
PHASE 3: DEVELOPMENT
Contract Award & Onboarding
Development Sprints (Agile, 2-week)
Continuous Integration
PHASE 4: ACCEPTANCE
Security Review (SAST/DAST/Pen Test)
Documentation Review
Working Group Technical Sign-off
PHASE 5: DEPLOYMENT
Staging Deployment (All 4 jurisdictions)
Performance & Scale Testing
Steering Committee Go-Live Approval
PHASE 6: OPERATIONS
Production Catalogue Publication
Ongoing Support Contract
SLA Monitoring & Continuous Improvement

4.2 Tender Eligibility Requirements

To tender for capability development, suppliers must meet these baseline criteria:

Criterion Requirement Evidence
Jurisdiction Incorporated in UK, EU-27, Canada, or Australia Certificate of incorporation
Ownership No US parent company or majority US ownership Ownership structure disclosure
Security Clearance Ability to obtain national security vetting (SC/CTC equivalent) Prior clearance or eligibility statement
Technical Capability Demonstrated experience with open-source cloud technologies Portfolio, GitHub contributions, references
Financial Stability 3+ years trading, positive net assets Audited accounts
Insurance Professional indemnity £2M+, Public liability £5M+ Insurance certificates
Quality Management ISO 9001 or equivalent quality processes Certification or process documentation
Security Management ISO 27001 or Cyber Essentials Plus (or national equivalent) Certification

4.3 Evaluation Criteria

Criterion Weighting Assessment Method
Technical Approach 40% Written proposal + technical presentation
Team Experience 25% CVs, references, portfolio review
Delivery Track Record 15% Case studies, reference calls
Price 15% Fixed price for deliverables + support rate card
Social Value 5% SME status, apprenticeships, environmental policy

4.4 Jurisdiction Allocation

Capabilities are allocated to jurisdictions based on expertise and proportional contribution:

Allocation Principle: Each jurisdiction leads development of capabilities proportional to their resource pool, while ensuring no single jurisdiction becomes a critical dependency for essential services.
Jurisdiction Target Allocation Recommended Focus Areas
EU (Germany/France lead) ~50% (18 capabilities) CloudStack core, Kubernetes, GDPR compliance tooling
United Kingdom ~25% (9 capabilities) Security (IAM, KMS, OpenBao), GDS patterns, identity
Canada ~15% (5 capabilities) Edge computing, bilingual support, analytics
Australia ~10% (4 capabilities) DR/resilience, APAC optimisation, PSPF compliance

5. Development Standards

5.1 Mandatory Technical Requirements

All capability deliverables must meet these standards:

Infrastructure as Code

  • OpenTofu modules for CloudStack deployment
  • Helm charts for Kubernetes workloads
  • Ansible playbooks for configuration management
  • All IaC version-controlled in shared GitLab
  • Module versioning using semantic versioning

Security Requirements

  • Security hardening guide per capability
  • Encryption at rest and in transit mandatory
  • Integration with CAP-E02 (IAM/Keycloak)
  • Integration with CAP-E03 (OpenBao) for secrets
  • CIS benchmark compliance where applicable

Testing Requirements

  • Unit tests with >80% code coverage
  • Integration tests against CloudStack
  • Performance benchmarks with defined baselines
  • Chaos engineering tests (failure scenarios)
  • Security tests (SAST, DAST, dependency scan)

Documentation Requirements

  • Architecture decision records (ADRs)
  • API documentation (OpenAPI 3.0)
  • Operator runbook (deployment, scaling, backup)
  • Disaster recovery playbook
  • Security hardening guide

5.2 Code Repository Structure

sovereign-catalogue/
├── capabilities/
│   ├── CAP-A01-compute-vm/
│   │   ├── opentofu/
│   │   │   ├── modules/
│   │   │   ├── examples/
│   │   │   └── tests/
│   │   ├── helm/
│   │   │   ├── charts/
│   │   │   └── values/
│   │   ├── docs/
│   │   │   ├── architecture.md
│   │   │   ├── runbook.md
│   │   │   ├── security.md
│   │   │   └── adr/
│   │   ├── tests/
│   │   │   ├── unit/
│   │   │   ├── integration/
│   │   │   ├── performance/
│   │   │   └── security/
│   │   ├── CHANGELOG.md
│   │   ├── OWNERS.md          # Responsible supplier
│   │   └── VERSION
│   ├── CAP-B01-object-storage/
│   │   └── ...
│   └── ...
├── shared/
│   ├── opentofu-modules/      # Common modules
│   ├── helm-library/           # Base charts
│   ├── security-policies/      # OPA policies
│   └── test-framework/         # Shared test utilities
├── pipelines/
│   ├── build.yml
│   ├── test.yml
│   ├── security-scan.yml
│   └── deploy.yml
└── docs/
    ├── contributing.md
    ├── standards.md
    └── catalogue-index.md

6. CI/CD Pipeline

6.1 Pipeline Architecture

COOPERATIVE CI/CD PIPELINE
Developer
Local Dev
  • Code changes
  • Local testing
Code Review
  • 2 approvers from different jurisdictions
Merge to main
  • Protected branch
Release Tag
  • Semantic versioning
Pipeline Stages
1. BUILD
  • OpenTofu
  • Helm
  • Container
2. TEST
  • Unit
  • Integration
  • Security
3. SECURITY
  • SAST
  • DAST
  • SCA
  • Secrets scan
4. STAGING
  • Deploy to all jurisdictions
5. PRODUCTION (Gated)
  • Steering Committee approval
Outputs
Artifacts Registry
  • MinIO storage
Test Reports
  • Coverage reports
Security Dashboard
  • Vulnerability reports
Environments
Staging
  • UK Staging
  • EU Staging
  • CA Staging
  • AU Staging
Production
  • UK Prod
  • EU Prod
  • CA Prod
  • AU Prod

6.2 Pipeline Stages Detail

# .gitlab-ci.yml - Sovereign Capability Pipeline

stages:
  - build
  - test
  - security
  - staging
  - approval
  - production

variables:
  CAPABILITY_ID: "CAP-B01"
  VERSION: "${CI_COMMIT_TAG}"

# ════════════════════════════════════════════════════════════════════
# STAGE 1: BUILD
# ════════════════════════════════════════════════════════════════════
build:opentofu:
  stage: build
  image: opentofu/opentofu:1.7
  script:
    - cd capabilities/${CAPABILITY_ID}/opentofu
    - opentofu init -backend=false
    - opentofu validate
    - opentofu fmt -check -recursive
  artifacts:
    paths:
      - capabilities/${CAPABILITY_ID}/opentofu/

build:helm:
  stage: build
  image: alpine/helm:3.14
  script:
    - cd capabilities/${CAPABILITY_ID}/helm
    - helm lint charts/*
    - helm package charts/* -d packages/
  artifacts:
    paths:
      - capabilities/${CAPABILITY_ID}/helm/packages/

build:container:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker build -t sovereign-registry.eu/${CAPABILITY_ID}:${VERSION} .
    - docker push sovereign-registry.eu/${CAPABILITY_ID}:${VERSION}

# ════════════════════════════════════════════════════════════════════
# STAGE 2: TEST
# ════════════════════════════════════════════════════════════════════
test:unit:
  stage: test
  script:
    - cd capabilities/${CAPABILITY_ID}/tests/unit
    - pytest --cov=../ --cov-report=xml --junitxml=report.xml
  coverage: '/TOTAL.*\s+(\d+%)/'
  artifacts:
    reports:
      junit: capabilities/${CAPABILITY_ID}/tests/unit/report.xml
      coverage_report:
        coverage_format: cobertura
        path: capabilities/${CAPABILITY_ID}/tests/unit/coverage.xml

test:integration:
  stage: test
  needs: [build:opentofu, build:helm]
  script:
    # Spin up ephemeral CloudStack environment
    - cd capabilities/${CAPABILITY_ID}/tests/integration
    - opentofu init
    - opentofu apply -auto-approve -var="env=ci-${CI_PIPELINE_ID}"
    - pytest test_integration.py
  after_script:
    - opentofu destroy -auto-approve -var="env=ci-${CI_PIPELINE_ID}"

test:performance:
  stage: test
  script:
    - cd capabilities/${CAPABILITY_ID}/tests/performance
    - k6 run benchmark.js --out json=results.json
  artifacts:
    paths:
      - capabilities/${CAPABILITY_ID}/tests/performance/results.json

# ════════════════════════════════════════════════════════════════════
# STAGE 3: SECURITY
# ════════════════════════════════════════════════════════════════════
security:sast:
  stage: security
  image: returntocorp/semgrep
  script:
    - semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json > sast-results.json
  artifacts:
    reports:
      sast: sast-results.json

security:dependency-scan:
  stage: security
  script:
    - trivy fs --format json --output deps-scan.json .
  artifacts:
    reports:
      dependency_scanning: deps-scan.json

security:opentofu-scan:
  stage: security
  image: aquasec/tfsec
  script:
    - tfsec capabilities/${CAPABILITY_ID}/opentofu --format json > tfsec-results.json
  artifacts:
    paths:
      - tfsec-results.json

security:secrets-scan:
  stage: security
  image: zricethezav/gitleaks
  script:
    - gitleaks detect --source . --report-format json --report-path secrets-scan.json
  artifacts:
    paths:
      - secrets-scan.json

# ════════════════════════════════════════════════════════════════════
# STAGE 4: STAGING DEPLOYMENT (All Jurisdictions)
# ════════════════════════════════════════════════════════════════════
.deploy_staging:
  stage: staging
  script:
    - cd capabilities/${CAPABILITY_ID}/opentofu/environments/staging-${JURISDICTION}
    - opentofu init
    - opentofu apply -auto-approve
  environment:
    name: staging/${JURISDICTION}
    url: https://${CAPABILITY_ID}.staging.${JURISDICTION}.sovereign-cloud.gov

staging:uk:
  extends: .deploy_staging
  variables:
    JURISDICTION: uk

staging:eu:
  extends: .deploy_staging
  variables:
    JURISDICTION: eu

staging:ca:
  extends: .deploy_staging
  variables:
    JURISDICTION: ca

staging:au:
  extends: .deploy_staging
  variables:
    JURISDICTION: au

# ════════════════════════════════════════════════════════════════════
# STAGE 5: APPROVAL GATE
# ════════════════════════════════════════════════════════════════════
approval:steering-committee:
  stage: approval
  script:
    - echo "Awaiting steering committee approval"
  environment:
    name: production
  when: manual
  allow_failure: false
  rules:
    - if: $CI_COMMIT_TAG

# ════════════════════════════════════════════════════════════════════
# STAGE 6: PRODUCTION DEPLOYMENT
# ════════════════════════════════════════════════════════════════════
.deploy_production:
  stage: production
  needs: [approval:steering-committee]
  script:
    - cd capabilities/${CAPABILITY_ID}/opentofu/environments/prod-${JURISDICTION}
    - opentofu init
    - opentofu plan -out=tfplan
    - opentofu apply tfplan
  environment:
    name: production/${JURISDICTION}
    url: https://${CAPABILITY_ID}.${JURISDICTION}.sovereign-cloud.gov
  rules:
    - if: $CI_COMMIT_TAG

production:uk:
  extends: .deploy_production
  variables:
    JURISDICTION: uk

production:eu:
  extends: .deploy_production
  variables:
    JURISDICTION: eu

production:ca:
  extends: .deploy_production
  variables:
    JURISDICTION: ca

production:au:
  extends: .deploy_production
  variables:
    JURISDICTION: au

6.3 Security Gates

Mandatory Security Gates: No capability can proceed to production without passing all security gates. Failures block the pipeline and require remediation.
Gate Tool Failure Threshold Action on Failure
SAST (Static Analysis) Semgrep Any HIGH/CRITICAL Pipeline blocked
Dependency Scan Trivy Any CRITICAL CVE Pipeline blocked
OpenTofu Scan tfsec Any HIGH/CRITICAL Pipeline blocked
Secrets Scan Gitleaks Any detected secret Pipeline blocked + alert
Container Scan Trivy Any CRITICAL CVE Pipeline blocked
DAST (Staging) OWASP ZAP Any HIGH risk Production blocked

7. Acceptance & Sign-off Process

7.1 Acceptance Criteria

Each capability must satisfy all acceptance criteria before production sign-off:

Category Criteria Verified By
Functional All requirements in capability spec are implemented and tested Working Group Technical Lead
Security All security gates passed; pen test completed (if applicable) Security Working Group
Performance Meets defined SLA targets under load testing Platform Engineering WG
Documentation Runbook, DR playbook, security guide completed and reviewed Documentation Review Board
Integration Successfully deployed to all 4 jurisdiction staging environments Jurisdiction Technical Leads
Interoperability Integrates correctly with dependent capabilities Integration Test Suite

7.2 Sign-off Authorities

Sign-off Authority Scope
Technical Sign-off Domain Working Group Lead Confirms technical requirements met
Security Sign-off Security Working Group Lead Confirms security requirements met
Jurisdiction Sign-off Each Jurisdiction Technical Lead (x4) Confirms capability works in their environment
Production Sign-off Steering Committee (majority vote) Authorises production deployment

7.3 Dispute Resolution

If a jurisdiction raises concerns blocking sign-off:

  1. Technical Resolution (5 days): Working group attempts to resolve with supplier
  2. Escalation (5 days): Steering Committee reviews and mediates
  3. Conditional Deployment: If unresolved, capability may deploy to consenting jurisdictions only
  4. Long-term Resolution: Issue tracked, remediation funded in next development phase

8. Ongoing Operations & Support

8.1 Support Model

Support Tier Responsibility SLA
L1: Jurisdiction Operations Local government ops teams using runbooks First response: 15 min (P1)
L2: Capability Owner Original development supplier (contracted support) Escalation response: 1 hour (P1)
L3: Working Group Cross-jurisdiction expert escalation Complex issue resolution: 4 hours (P1)

8.2 Maintenance & Evolution

9. Governance Structure

9.1 Bodies

Body Composition Responsibilities Meeting Cadence
Steering Committee 1 senior rep per jurisdiction (4 total) Strategic direction, budget, production approvals Monthly
Technical Board Technical leads from all working groups Architecture decisions, standards, interoperability Bi-weekly
Working Groups (8) Domain experts from across jurisdictions Capability development oversight, technical review Weekly
Security Council Security leads from each jurisdiction Security standards, incident response, pen testing Weekly

10. Next Steps

Recommended Actions:
  1. Establish Steering Committee: Each jurisdiction nominates senior representative
  2. Finalise Capability Catalogue: Working groups complete all 36 capability specifications
  3. Set Up Shared Infrastructure: Deploy GitLab, artifact registry, CI/CD runners in EU
  4. Pilot Tender: Run first tender for 2-3 critical capabilities (e.g., S3, IAM, PostgreSQL)
  5. Refine Process: Iterate on framework based on pilot learnings
  6. Scale: Launch full tender programme for remaining capabilities

Related Documentation