[Filebeat] Do not run azure-eventhub input and azure module in FIPS builds

[ycombinator]

Proposed commit message

This PR ensures that the Filebeat azure-eventhub input will not start in FIPS-capable distributions of Filebeat, as the input indirectly depends on code that is not FIPS-compliant. Specifically, the azure-eventhub input depends on the github.com/Azure/azure-sdk-for-go/sdk/azidentity package. This package, in turn, depends on the golang.org/x/crypto/pkcs12 package, which is not FIPS-compliant. Further, the SDK doesn't plan to offer a way to disable the use of this package at compile time (see Azure/azure-sdk-for-go#24336).

In addition to the azure-eventhub input, the azure module will also not start in FIPS-capable distributions of Filebeat, as this module uses the azure-eventhub input.

Attempting to run a FIPS-capable distribution of Filebeat with either the azure-eventhub input or the azure module configured will result in Filebeat not starting up and an error in the Filebeat logs like so:

{"log.level":"info","@timestamp":"2025-06-25T14:19:46.212-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":542},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-06-25T14:19:46.212-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [azure-eventhub] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [azure-eventhub] is not FIPS capable

The o365audit input declares itself as not being FIPS-capable by setting the ExcludeFromFIPS field on the v2.Plugin struct to true (see also: #45036).

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

FIPS-capable artifacts of Filebeat will not start the azure module or the azure-eventhub input.

$ mage clean && FIPS=true mage build

$ cat <<EOF > filebeat-test-input.yml
filebeat.inputs:
- type: azure-eventhub
  id: id-nofips
  enabled: true
  eventhub: foo
  connection_string: bar
  storage_account: baz
  storage_account_key: qux

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-input.yml -e

$ cat <<EOF > filebeat-test-module.yml
filebeat.modules:
- module: azure
  activitylogs:
    enabled: true
    var.connection_string: foo
    var.storage_account: bar
    var.storage_account_key: baz

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-module.yml -e

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @ycombinator? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[elasticmachine]

Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[ycombinator]

@Mergifyio backport 9.1

[mergify]

backport 9.1

✅ Backports have been created

Details

• Backport to branch 9.1 not needed, change already in branch 9.1