This platform was engineered as a production-grade digital operating system for a consulting business, combining Payload CMS, Next.js, and Terraform-managed AWS infrastructure into a single repeatable delivery model.
Architecture
Decoupled frontend + Payload backend
Infrastructure
Terraform-managed AWS + OpenNext runtime
Operations
Automated CI/CD with controlled revalidation
At a Glance
This project delivers a modern, production-ready web platform for a consulting business with three core goals:
Give non-engineers a reliable content and publishing workflow.
Serve a high-performance public website with strong SEO and controlled freshness.
Keep infrastructure deterministic, auditable, and repeatable through infrastructure as code and CI/CD guardrails.
The final system uses a decoupled architecture:
Payload CMS for authoring, admin operations, and API delivery.
Next.js for public presentation, SEO rendering, and cache-aware content delivery.
Terraform + AWS for networking, compute, data, storage, CDN, and deployment orchestration.
1. Business Context and Problem Statement
The business needed more than a marketing site. It needed an operating platform:
A structured editorial workflow for pages, services, case studies, and blog content.
Flexible block-based page composition without developer involvement for routine changes.
Reliable lead capture with anti-abuse protections and traceable outbound communication.
A deployment system that could be executed repeatedly without manual AWS console drift.
The core challenge was balancing two competing needs:
Speed and control for editors in admin.
Speed and stability for visitors on the public website.
A monolithic setup would blur these concerns. The solution was to split content operations from presentation delivery, then connect both through explicit contracts and cache invalidation controls.
2. Objectives and Success Criteria
Primary objectives
Decouple content operations from frontend delivery.
Enable rich content composition with reusable blocks.
Maintain strict deployment repeatability across infrastructure and runtime configuration.
Implement production-safe lead workflow automation.
Preserve SEO and performance quality under frequent content updates.
Technical success criteria
IaC-managed infrastructure with no required manual console edits.
End-to-end deployment via GitHub Actions using versioned artifacts.
Deterministic runtime configuration for Lambda timeout, concurrency, and DB pooling.
Controlled cache invalidation from Payload content hooks.
Operational guardrails to prevent runtime drift between Terraform intent and active Lambda alias versions.
3. Architecture Overview
3.1 System design
The platform is composed of three major subsystems:
Backend CMS/API (backend/):
Payload CMS 3 running on Next.js and deployed with OpenNext.
PostgreSQL-backed via @payloadcms/db-postgres.
Admin UI, collections, globals, custom endpoints, and content hooks.
Frontend web app (frontend/):
Next.js App Router presentation layer.
Static-first rendering with tag/path revalidation.
CloudFront-backed OpenNext runtimes for frontend and backend.
S3 + CloudFront media pipeline.
3.2 Why this architecture
This architecture creates clean operational boundaries:
Editors and admins use Payload independently from frontend deployment cadence.
Frontend can optimize aggressively for cache and rendering speed.
Infrastructure is controlled through code and validated in CI.
That separation materially reduces blast radius when one subsystem changes.
4. Backend Implementation (Payload CMS)
4.1 Content model and editorial system
The CMS implements structured collections for:
pages
services
caseStudies
posts
categories
media
icons
generated-emails
supporting collections and globals (nav, footer, site-profile, etc.)
The major content collections are block-driven and draft-enabled, allowing editors to assemble pages from reusable content primitives while preserving schema constraints.
4.2 Rich text and authoring customization
A custom Lexical configuration extends default editing behavior with:
block and inline block composition
curated heading/formatting controls
custom text and highlight color controls via a dedicated color picker feature
controlled link and upload behavior
AI-assisted editing features with explicit authenticated access
This gives editorial flexibility while reducing uncontrolled formatting drift.
4.3 Forms, anti-abuse, and communication workflow
The form subsystem is implemented with the Payload form-builder plugin and custom workflow logic:
Cloudflare Turnstile verification for bot resistance.
Honeypot checks for lightweight spam filtering.
Post-submission automation that can send or capture outbound email payloads.
Generated email records persisted for auditability and operational traceability.
This design treats forms as an operational workflow, not just a contact endpoint.
5. Frontend Implementation (Next.js)
5.1 Rendering strategy and data contract
The frontend consumes Payload through typed utilities and route-specific loaders:
Static param generation for content routes.
Draft mode support for preview/editor workflows.
Cache-aware fetch wrappers and explicit revalidation strategy.
Public routes include:
/ and /:slug pages
/services/:slug
/case-studies/:slug
/blog, /blog/:slug, and category routes
sitemap and preview/revalidation endpoints
5.2 SEO and metadata system
The app centralizes organization/site metadata and emits:
route-level metadata
Open Graph/Twitter metadata
JSON-LD for organization, webpage, article, service, and breadcrumb schemas
This creates a consistent SEO baseline across all content types.
5.3 Block rendering on the public site
Frontend block renderers map directly to CMS block definitions:
content and CTA blocks
form blocks
media and media grid blocks
features blocks
code snippet blocks
blog archive and highlight blocks
This keeps authoring and presentation contracts synchronized.
6. Media and Asset Delivery
Media is routed through an S3 + CloudFront pipeline:
Payload stores media objects in S3 using the storage plugin.
Generated file URLs point to the media CDN domain.
CloudFront becomes the only public asset delivery surface.
Benefits:
improved global delivery latency
tighter access pattern control
clean separation between object storage and public URL strategy
0:00 / 0:00
7. Infrastructure and Deployment Architecture
7.1 Terraform-managed stack
The infrastructure code provisions:
VPC with public/private/database subnet segmentation
security groups for least-privilege network paths
PostgreSQL RDS in private subnets
Secrets Manager for app and DB secrets
ACM certificates and Route53 DNS records
OpenNext frontend and backend runtimes
media storage and CDN distribution
All environment-sensitive runtime values are parameterized through Terraform variables and workflow-enforced overrides.
7.2 CI/CD pipeline design
The deployment workflow is artifact-driven and environment-aware:
Build frontend OpenNext artifact.
Build backend OpenNext artifact.
Decode terraform.tfvars from base64 GitHub secret.
Enforce runtime guardrail overrides in workflow.
Run terraform init/validate/plan/apply.
Execute backend guardrail verification script.
Run CloudFront invalidation and health checks.
This avoids manual mutation in AWS and keeps deploy behavior repeatable.
8. Security and Governance
Key security and governance characteristics:
Secrets are environment-injected and managed through AWS Secrets Manager / CI secret channels.
RDS is private-subnet scoped, not directly public.
Lambda-to-RDS access is SG-constrained.
Revalidation endpoint is secret-protected.
Form submission protection includes server-side verification and anti-spam controls.
Seed behavior is intentionally disabled in version-controlled source to prevent unauthorized runtime seeding.
9. Outcomes
The application now provides:
A complete editorial operating system for a consulting brand.
A fast public web experience with structured SEO and controlled cache freshness.
An auditable infrastructure and deployment workflow suitable for production operations.
A resilient path for ongoing feature expansion without sacrificing operational discipline.
This project is a maintainable digital platform with clear runtime boundaries, content governance, and deploy-time guarantees.
Want similar outcomes?
We can map your architecture, delivery workflow, and migration priorities into an executable plan.
