Drift Setup — Azure

Azure Activity Log (resource writes) + PolicyInsights
→ Event Grid system topic
→ Event subscription
→ api.complyform.dev/v1/drift/event

Azure Event Grid captures resource write and delete events from the Activity Log at the subscription level. An event subscription filters for successful resource operations and forwards them to the ComplyForm drift webhook for re-assessment.

  • ComplyForm Team+ tier with an active project
  • Azure subscription with Contributor or Owner access
  • Terraform installed (v1.0+) with the azurerm provider configured
Enable event-driven drift detection for the project:

complyform dashboard project drift enable \
  --mode=event-driven \
  --project-label=prod-azure

This command returns a webhook secret. Copy it — you will pass it to the Terraform module as webhook_secret.

Save the following Terraform module and apply it to your Azure subscription.

complyform-drift-azure/main.tf

variable "subscription_id" {
  description = "Azure subscription ID to monitor"
  type        = string
}

variable "webhook_url" {
  description = "ComplyForm drift webhook endpoint"
  type        = string
  default     = "https://api.complyform.dev/v1/drift/event"
}

# Returned by `complyform dashboard project drift enable`. Marked sensitive so
# Terraform redacts it from plan and apply output.
variable "webhook_secret" {
  description = "HMAC signing secret from ComplyForm setup"
  type        = string
  sensitive   = true
}

# Resource group that holds the Event Grid system topic and its subscription.
resource "azurerm_resource_group" "complyform_drift" {
  name     = "rg-complyform-drift"
  location = "eastus"
}

# System topic bound to the whole Azure subscription. Event Grid publishes
# Activity Log resource events here; subscription-scoped system topics use
# the "global" location.
resource "azurerm_eventgrid_system_topic" "complyform_drift" {
  name                   = "complyform-drift"
  resource_group_name    = azurerm_resource_group.complyform_drift.name
  location               = "global"
  source_arm_resource_id = "/subscriptions/${var.subscription_id}"
  topic_type             = "Microsoft.Resources.Subscriptions"
}

# Event subscription that forwards only successful write and delete
# operations on resources inside resource groups to the ComplyForm webhook.
resource "azurerm_eventgrid_system_topic_event_subscription" "complyform_drift" {
  name                = "complyform-drift-events"
  system_topic        = azurerm_eventgrid_system_topic.complyform_drift.name
  resource_group_name = azurerm_resource_group.complyform_drift.name

  webhook_endpoint {
    url = var.webhook_url
  }

  # Failed operations and read-only calls are not forwarded.
  included_event_types = [
    "Microsoft.Resources.ResourceWriteSuccess",
    "Microsoft.Resources.ResourceDeleteSuccess",
  ]

  # Restrict to resources within resource groups of this subscription.
  subject_filter {
    subject_begins_with = "/subscriptions/${var.subscription_id}/resourceGroups"
  }
}
Initialize and apply the module, substituting your subscription ID and the secret returned in the previous step:

cd complyform-drift-azure
terraform init
terraform apply -var="subscription_id=YOUR_SUBSCRIPTION_ID" -var="webhook_secret=YOUR_SECRET"

Passing the secret as a -var on the command line leaves it in shell history; setting it through the TF_VAR_webhook_secret environment variable, or in a .tfvars file kept out of version control, avoids that.

Event Grid performs a validation handshake against the webhook URL when the event subscription is created, so the apply only succeeds once the ComplyForm endpoint has acknowledged it. After apply completes, verify the pipeline is active:

complyform dashboard project drift status --project-label=prod-azure

Dual-Source Recommendation: PolicyInsights

The Terraform module above captures resource write and delete events from the Activity Log. For deeper coverage, consider also subscribing to Microsoft.PolicyInsights events. Azure Policy evaluations — particularly DeployIfNotExists and Modify effects — trigger PolicyInsights events that reveal out-of-band changes made by the platform itself.

To add PolicyInsights coverage, create a second Event Grid system topic with topic_type = "Microsoft.PolicyInsights.PolicyStates" and forward its events to the same webhook endpoint. This gives ComplyForm visibility into both direct resource modifications and policy-driven changes.
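The second system topic described above, written out as an added example (this is not code from the original page or from the ComplyForm module). It assumes it sits in the same configuration as main.tf, so it reuses var.subscription_id, var.webhook_url and the azurerm_resource_group.complyform_drift resource group; the resource names complyform_policy and complyform-policy-events are chosen here. The three included_event_types are the event types Azure publishes from a PolicyInsights.PolicyStates topic.

```hcl
# Added example: PolicyInsights system topic forwarding Azure Policy state
# events to the same ComplyForm drift webhook. Assumes the variables and
# resource group declared in main.tf are present in this configuration.

# Policy state system topic, scoped to the same Azure subscription.
resource "azurerm_eventgrid_system_topic" "complyform_policy" {
  name                   = "complyform-policy"
  resource_group_name    = azurerm_resource_group.complyform_drift.name
  location               = "global"
  source_arm_resource_id = "/subscriptions/${var.subscription_id}"
  topic_type             = "Microsoft.PolicyInsights.PolicyStates"
}

# Forward policy compliance state transitions to the drift webhook so that
# DeployIfNotExists and Modify remediations are re-assessed alongside direct
# resource writes.
resource "azurerm_eventgrid_system_topic_event_subscription" "complyform_policy" {
  name                = "complyform-policy-events"
  system_topic        = azurerm_eventgrid_system_topic.complyform_policy.name
  resource_group_name = azurerm_resource_group.complyform_drift.name

  webhook_endpoint {
    url = var.webhook_url
  }

  # Event types emitted by the PolicyInsights topic: a new compliance record,
  # a compliance state change, and removal of a record.
  included_event_types = [
    "Microsoft.PolicyInsights.PolicyStateCreated",
    "Microsoft.PolicyInsights.PolicyStateChanged",
    "Microsoft.PolicyInsights.PolicyStateDeleted",
  ]
}
```

Because both subscriptions deliver to the same URL, the webhook receives two event families with different schemas; the eventType field of each Event Grid event distinguishes Microsoft.Resources.* events from Microsoft.PolicyInsights.* events.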