From c6d17f17147d3a04b6616f407e0119ce4b6bedc3 Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Tue, 3 Feb 2026 16:58:33 -0500 Subject: [PATCH 1/3] add wiz entra id enterprise application graph api perms --- terraform/azure_ad/.terraform.lock.hcl | 32 +++++++++++++------------- terraform/azure_ad/rbac_wiz.tf | 20 ++++++++++++++++ 2 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/terraform/azure_ad/.terraform.lock.hcl b/terraform/azure_ad/.terraform.lock.hcl
index 218965c5..e888833e 100644
--- a/terraform/azure_ad/.terraform.lock.hcl
+++ b/terraform/azure_ad/.terraform.lock.hcl
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "6.28.0" + version = "6.30.0" hashes = [ - "h1:RwoFuX1yGMVaKJaUmXDKklEaQ/yUCEdt5k2kz+/g08c=", - "zh:0ba0d5eb6e0c6a933eb2befe3cdbf22b58fbc0337bf138f95bf0e8bb6e6df93e", - "zh:23eacdd4e6db32cf0ff2ce189461bdbb62e46513978d33c5de4decc4670870ec", - "zh:307b06a15fc00a8e6fd243abde2cbe5112e9d40371542665b91bec1018dd6e3c", - "zh:37a02d5b45a9d050b9642c9e2e268297254192280df72f6e46641daca52e40ec", - "zh:3da866639f07d92e734557d673092719c33ede80f4276c835bf7f231a669aa33", - "zh:480060b0ba310d0f6b6a14d60b276698cb103c48fd2f7e2802ae47c963995ec6", - "zh:57796453455c20db80d9168edbf125bf6180e1aae869de1546a2be58e4e405ec", - "zh:69139cba772d4df8de87598d8d8a2b1b4b254866db046c061dccc79edb14e6b9", - "zh:7312763259b859ff911c5452ca8bdf7d0be6231c5ea0de2df8f09d51770900ac", - "zh:8d2d6f4015d3c155d7eb53e36f019a729aefb46ebfe13f3a637327d3a1402ecc", - "zh:94ce589275c77308e6253f607de96919b840c2dd36c44aa798f693c9dd81af42", + "h1:FNkicntiPhllPhKf8uBJTCQVY/cqN/sXa/LwE4Q0ML8=", + "zh:08fdcbb84b63739b758fd2f657303f495859ae15f2d6c3dbd642520cadb5f063", + "zh:1e69ff49906541cd511bdabcd4b2996a731b1642ba26b834cdac5432e8d5c557", + "zh:3aa23e3af1fb1dd0c025cb8fb73abdabd3f44b6a687a2a239947e7b0201b2f1f", + "zh:4b3b81e63eee913c874e8115d6a83d12bd9d7903446f91be15ba50c583c79549", + "zh:6e93a72d8770d73a4122dc82af33a020d58feeaca4e194a2685dce30dbcdce24", + "zh:74be722c9a64b95e06554cde0bef624084cc5a5ea7f3373f1975b7a4737d7074", + "zh:7d2acf6bc93be26504fd0e2965c77699a49549f74a767d0a81430d9e12d51358", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:adaceec6a1bf4f5df1e12bd72cf52b72087c72efed078aef636f8988325b1a8b", - "zh:d37be1ce187d94fd9df7b13a717c219964cd835c946243f096c6b230cdfd7e92", - "zh:fe6205b5ca2ff36e68395cb8d3ae10a3728f405cdbcd46b206a515e1ebcf17a1", + "zh:aef629bc537b4cc0f64ece87bc2bfdb3e032a4d03a3f7f301f4c84ffdc2ac1ac", + 
"zh:b41dcc4a2c8e356d82d3f92629aab0e25849db106a43e7adf06d8c6bda7af4c9", + "zh:b4d7a9cf9ad5ac5dd07f4ea1e834b63f14e752f9aca9452cd99570fed16e0c12", + "zh:bcb20f64b9b4599fa746305bcff7eeee3da85029dc467f812f950cf45b519436", + "zh:e45a520b82a1d2d42360db1b93d8e96406a7548948ed528bac5018e1d731c5c6", + "zh:f743e4a0e10dc64669469e6a22e47012f07fb94587f5a1e8cf5431da4e878ae1", + "zh:fe1895af7dcc5815896f892b2593fe71b7f4f364b71d9487d6e8b10ef244c11c", ] }
diff --git a/terraform/azure_ad/rbac_wiz.tf b/terraform/azure_ad/rbac_wiz.tf
index 3c6c2455..89eff79d 100644
--- a/terraform/azure_ad/rbac_wiz.tf
+++ b/terraform/azure_ad/rbac_wiz.tf
@@ -138,6 +138,14 @@ locals {
 "FXCI Azure DevTest" = "108d46d5-fe9b-4850-9a7d-8c914aa6c1f0",
 "Trusted FXCI Azure DevTest" = "a30e97ab-734a-4f3b-a0e4-c51c0bff0701"
 }
+
+ wiz_graph_permissions = {
+ "AccessReview.Read.All" = "d07a8cc0-3d51-4b77-b3b0-32bf3a4589c8"
+ "AuditLog.Read.All" = "b0afded3-3588-46d8-8b3d-9842eff778da"
+ "Directory.Read.All" = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
+ "Policy.Read.All" = "246dd0d5-5bd0-4def-940b-0421030a5b68"
+ "RoleManagement.Read.All" = "c7fbd983-d9aa-4fa7-84b8-17382c103bc4"
+ }
 }
 
 # Data source to lookup app registration by client ID
@@ -155,6 +163,18 @@ data "azuread_service_principal" "wiz_enterprise_app_sp" {
 object_id = "bc7a1764-1e44-48d6-8990-718a2be1ba34"
 }
 
+# Microsoft Graph service principal (well-known app ID)
+data "azuread_service_principal" "msgraph" {
+ client_id = "00000003-0000-0000-c000-000000000000"
+}
+
+resource "azuread_app_role_assignment" "wiz_enterprise_app_graph" {
+ for_each = local.wiz_graph_permissions
+ app_role_id = each.value
+ principal_object_id = data.azuread_service_principal.wiz_enterprise_app_sp.object_id
+ resource_object_id = data.azuread_service_principal.msgraph.object_id
+}
+
 # Assign reader to all subscriptions
 resource "azurerm_role_assignment" "wiz_disk_reader" {
 for_each = merge(local.fxci_subscriptions_map, local.non_fxci_subscriptions_map)
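Review bot: `azuread_app_role_assignment.wiz_enterprise_app_graph` takes `app_role_id = each.value` from a map of hand-copied GUIDs, so a wrong ID either fails at apply or, worse, binds a different Graph application role than the name beside it claims; the next commit in this series already replaces the `AccessReview.Read.All` value, which shows how easy that slip is (Graph also publishes distinct IDs for the application role and the delegated scope of the same name, so copying from the wrong table is a second way to get it wrong). The `azuread_service_principal.msgraph` data source already exports the published role IDs keyed by name, so resolve them there instead of pinning them: make the local a set of names, `wiz_graph_permissions = toset(["AccessReview.Read.All", "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All", "RoleManagement.Read.All"])`, and use `app_role_id = data.azuread_service_principal.msgraph.app_role_ids[each.key]`. A misspelt or unpublished name then fails at plan time with a missing-key error rather than silently granting the wrong tenant-wide permission, and reviewers can audit the grant by name without a GUID table. Since every entry is an app-only `*.Read.All` grant to a third-party service principal, a one-line why-comment above the local such as `# App-only (application) Graph permissions the Wiz Entra ID connector needs; all are read-only` would make the intended scope explicit for the next reviewer. The `locals` block that holds `wiz_graph_permissions` begins above the first hunk.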
From 39181a7eeeeca2c9a2a4cef4da173c555a9cc8fe Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Tue, 3 Feb 2026 16:59:12 -0500 Subject: [PATCH 2/3] fix name --- terraform/azure_ad/rbac_wiz.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/azure_ad/rbac_wiz.tf b/terraform/azure_ad/rbac_wiz.tf
index 89eff79d..9b215fa5 100644
--- a/terraform/azure_ad/rbac_wiz.tf
+++ b/terraform/azure_ad/rbac_wiz.tf
@@ -140,7 +140,7 @@ locals {
 }
 
 wiz_graph_permissions = {
- "AccessReview.Read.All" = "d07a8cc0-3d51-4b77-b3b0-32bf3a4589c8"
+ "AccessReview.Read.All" = "ebfcd32b-babb-40f4-a14b-42706e83bd28"
 "AuditLog.Read.All" = "b0afded3-3588-46d8-8b3d-9842eff778da"
 "Directory.Read.All" = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
 "Policy.Read.All" = "246dd0d5-5bd0-4def-940b-0421030a5b68"
From 2af49ddad5a4140aa47345c4ec9e9baf8f6e8e5a Mon Sep 17 00:00:00 2001 From: Jonathan Moss Date: Tue, 3 Feb 2026 17:00:06 -0500 Subject: [PATCH 3/3] remove unused entra id p2 license log --- terraform/azure_ad/rbac_wiz.tf | 1 - 1 file changed, 1 deletion(-)
diff --git a/terraform/azure_ad/rbac_wiz.tf b/terraform/azure_ad/rbac_wiz.tf
index 9b215fa5..e9906665 100644
--- a/terraform/azure_ad/rbac_wiz.tf
+++ b/terraform/azure_ad/rbac_wiz.tf
@@ -140,7 +140,6 @@ locals {
 }
 
 wiz_graph_permissions = {
- "AccessReview.Read.All" = "ebfcd32b-babb-40f4-a14b-42706e83bd28"
 "AuditLog.Read.All" = "b0afded3-3588-46d8-8b3d-9842eff778da"
 "Directory.Read.All" = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"
 "Policy.Read.All" = "246dd0d5-5bd0-4def-940b-0421030a5b68"