
Drift Setup — GCP

Cloud Asset Inventory real-time feed
→ Pub/Sub topic
→ Push subscription
→ api.complyform.dev/v1/drift/event

Cloud Asset Inventory (CAI) watches for resource changes across your GCP project and publishes them to a Pub/Sub topic. A push subscription forwards each event to the ComplyForm drift webhook, where it is validated, matched to your project, and assessed against your active framework controls.

Prerequisites:
  • ComplyForm Team+ tier with an active project
  • GCP project with the Cloud Asset API enabled (cloudasset.googleapis.com)
  • Terraform installed (v1.0+)
Enable event-driven drift monitoring for the project from the ComplyForm CLI:

complyform dashboard project drift enable \
  --mode=event-driven \
  --project-label=prod-gcp

This command returns a webhook secret. Copy it — you will pass it to the Terraform module as webhook_secret.

Save the following Terraform module and apply it to your GCP project.

complyform-drift-gcp/main.tf
variable "project_id" {
  description = "GCP project to monitor"
  type        = string
}

variable "webhook_url" {
  description = "ComplyForm drift webhook endpoint"
  type        = string
  default     = "https://api.complyform.dev/v1/drift/event"
}

variable "webhook_secret" {
  description = "HMAC signing secret from ComplyForm setup"
  type        = string
  sensitive   = true
}

# The project number is needed to address the Google-managed service agents below.
data "google_project" "monitored" {
  project_id = var.project_id
}

# Cloud Asset Inventory publishes feed events through its own service agent. The
# agent is only guaranteed to exist after the identity is requested, so create it
# explicitly (google-beta) and grant it publish rights on the topic.
resource "google_project_service_identity" "cloud_asset" {
  provider = google-beta
  project  = var.project_id
  service  = "cloudasset.googleapis.com"
}

resource "google_pubsub_topic_iam_member" "cloud_asset_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.complyform_drift.name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_project_service_identity.cloud_asset.email}"
}

# A project-scoped feed. google_cloud_asset_organization_feed takes org_id, not a
# "projects/..." parent, so it cannot be used for a single project.
resource "google_cloud_asset_project_feed" "complyform_drift" {
  project         = var.project_id
  billing_project = var.project_id
  feed_id         = "complyform-drift-feed"
  # RESOURCE so each event carries the resource payload, not only its name and type.
  content_type    = "RESOURCE"

  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.complyform_drift.id
    }
  }

  asset_types = [
    "compute.googleapis.com/Instance",
    "compute.googleapis.com/Firewall",
    "compute.googleapis.com/Network",
    "compute.googleapis.com/Subnetwork",
    "storage.googleapis.com/Bucket",
    "sqladmin.googleapis.com/Instance",
    "iam.googleapis.com/ServiceAccount",
    "cloudkms.googleapis.com/CryptoKey",
    "container.googleapis.com/Cluster",
    "logging.googleapis.com/LogSink",
  ]

  condition {
    expression = "true"
  }

  # Feed creation is validated against the topic, so the publisher grant must exist first.
  depends_on = [google_pubsub_topic_iam_member.cloud_asset_publisher]
}

resource "google_pubsub_topic" "complyform_drift" {
  name    = "complyform-drift-events"
  project = var.project_id
}

resource "google_pubsub_subscription" "complyform_drift" {
  name    = "complyform-drift-push"
  topic   = google_pubsub_topic.complyform_drift.name
  project = var.project_id

  push_config {
    push_endpoint = var.webhook_url
    attributes = {
      x-goog-version = "v1"
    }
    # Each push carries an OIDC token minted for this service account, which the
    # webhook can verify to confirm the delivery came from Pub/Sub.
    oidc_token {
      service_account_email = google_service_account.complyform_drift.email
    }
  }

  ack_deadline_seconds = 20

  depends_on = [google_service_account_iam_member.pubsub_token_creator]
}

resource "google_service_account" "complyform_drift" {
  account_id   = "complyform-drift"
  display_name = "ComplyForm Drift Monitor"
  project      = var.project_id
}

# Pub/Sub mints the push OIDC token as the service account above, so the Pub/Sub
# service agent needs Token Creator on that account.
resource "google_service_account_iam_member" "pubsub_token_creator" {
  service_account_id = google_service_account.complyform_drift.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:service-${data.google_project.monitored.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}
Initialise and apply the module, substituting your project ID and the secret returned by the enable command:

cd complyform-drift-gcp
terraform init
terraform apply -var="project_id=my-project" -var="webhook_secret=YOUR_SECRET"

After apply completes, verify the pipeline is active:

complyform dashboard project drift status --project-label=prod-gcp

You should see event-driven: connected and a last-seen timestamp within a few minutes as CAI sends an initial sync event.
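The status check confirms that deliveries are arriving. What the endpoint actually receives for each change is a Pub/Sub push envelope whose base64 `message.data` field holds the Cloud Asset Inventory TemporalAsset JSON. The Python below is an added example, not ComplyForm's webhook code, that shows the receiving side of this pipeline: it checks that the envelope names the subscription the module creates, decodes the TemporalAsset, drops asset types outside the feed's list, and classifies the change as created, updated or deleted. The firewall event, project name and message IDs are constructed; the OIDC bearer token that Pub/Sub attaches (from `oidc_token` in the subscription) is assumed to have been verified before this code is called.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Optional

# The asset types the feed in main.tf subscribes to; anything else is out of scope.
MONITORED_ASSET_TYPES = frozenset({
    "compute.googleapis.com/Instance",
    "compute.googleapis.com/Firewall",
    "compute.googleapis.com/Network",
    "compute.googleapis.com/Subnetwork",
    "storage.googleapis.com/Bucket",
    "sqladmin.googleapis.com/Instance",
    "iam.googleapis.com/ServiceAccount",
    "cloudkms.googleapis.com/CryptoKey",
    "container.googleapis.com/Cluster",
    "logging.googleapis.com/LogSink",
})

# Constructed sample of the TemporalAsset JSON a CAI feed publishes (project and
# firewall rule are made up).
SAMPLE_TEMPORAL_ASSET = {
    "deleted": False,
    "priorAssetState": "DOES_NOT_EXIST",
    "asset": {
        "name": "//compute.googleapis.com/projects/my-project/global/firewalls/allow-ssh-anywhere",
        "assetType": "compute.googleapis.com/Firewall",
        "resource": {
            "data": {
                "direction": "INGRESS",
                "sourceRanges": ["0.0.0.0/0"],
                "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
            }
        },
    },
}


class RejectedPush(ValueError):
    """Envelope the receiver should answer with a 4xx so Pub/Sub does not retry it."""


@dataclass
class DriftEvent:
    project_id: str
    asset_name: str
    asset_type: str
    change: str  # "created", "updated" or "deleted"
    resource: dict = field(default_factory=dict)


def build_push_envelope(temporal_asset: dict, subscription: str) -> bytes:
    """Wrap a TemporalAsset the way a Pub/Sub push delivery does (message.data is base64)."""
    data = base64.b64encode(json.dumps(temporal_asset).encode()).decode()
    envelope = {"message": {"data": data, "messageId": "1"}, "subscription": subscription}
    return json.dumps(envelope).encode()


def project_from_asset_name(name: str) -> str:
    """Take the project ID from a CAI full resource name (//service/projects/ID/...)."""
    parts = name.split("/")
    try:
        return parts[parts.index("projects") + 1]
    except (ValueError, IndexError):
        raise RejectedPush(f"asset name has no project segment: {name}") from None


def parse_push_envelope(body: bytes, expected_subscription: str) -> Optional[DriftEvent]:
    """Validate a push body and turn it into a DriftEvent; None means out of scope (ack it)."""
    try:
        envelope = json.loads(body)
    except ValueError as exc:
        raise RejectedPush(f"body is not JSON: {exc}") from exc
    # Only accept deliveries from the subscription the module created; anything
    # else is rejected without retry rather than assessed as drift.
    if envelope.get("subscription") != expected_subscription:
        raise RejectedPush("push from unexpected subscription")
    message = envelope.get("message") or {}
    try:
        payload = json.loads(base64.b64decode(message["data"], validate=True))
    except (KeyError, TypeError, ValueError) as exc:
        raise RejectedPush(f"malformed message data: {exc}") from exc
    asset = payload.get("asset") or payload.get("priorAsset") or {}
    asset_type = asset.get("assetType", "")
    if asset_type not in MONITORED_ASSET_TYPES:
        return None
    if "name" not in asset:
        raise RejectedPush("asset without a name")
    if payload.get("deleted"):
        change = "deleted"
    elif payload.get("priorAssetState") == "DOES_NOT_EXIST":
        change = "created"
    else:
        change = "updated"
    return DriftEvent(
        project_id=project_from_asset_name(asset["name"]),
        asset_name=asset["name"],
        asset_type=asset_type,
        change=change,
        resource=asset.get("resource", {}).get("data", {}),
    )


if __name__ == "__main__":
    sub = "projects/my-project/subscriptions/complyform-drift-push"
    print(parse_push_envelope(build_push_envelope(SAMPLE_TEMPORAL_ASSET, sub), sub))
```

Returning `None` for unmonitored types and raising `RejectedPush` for malformed or misattributed envelopes keeps the two failure modes distinct: the first should still be acknowledged so Pub/Sub stops redelivering it, the second should be answered with a 4xx and logged, since a push naming a subscription you never created is a signal worth investigating rather than a transient error.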