add flag to set fips mode to true for azure (#15)

HassanBaker · Hassan Baker · web-flow · commit 3db450fa8228 · 2025-11-14T18:38:21.000Z
Co-authored-by: Hassan Baker &lt;hassan.baker@corelight.com&gt;
diff --git a/.github/workflows/tag-bump.yml b/.github/workflows/tag-bump.yml
diff --git a/cloud-config/init.tpl b/cloud-config/init.tpl
@@ -56,4 +56,30 @@ write_files:
 %{ endif ~}
 
 runcmd:
-  - corelightctl sensor deploy -v
+  - corelightctl sensor deploy -v
+%{ if azure_fips_enabled ~}
+  - |
+    timeout=120
+    elapsed=0
+    while [ $elapsed -lt $timeout ]; do
+      version=$(waagent version 2>/dev/null | grep "Goal state agent:" | awk '{print $NF}')
+      if [ -n "$version" ]; then
+        # Compare versions: convert to comparable format
+        current=$(echo "$version" | awk -F. '{printf "%d%03d%03d%03d\n", $1, $2, $3, $4}')
+        required=$(echo "2.15.0.1" | awk -F. '{printf "%d%03d%03d%03d\n", $1, $2, $3, $4}')
+        if [ "$current" -ge "$required" ]; then
+          echo "waagent Goal state agent version $version is ready"
+          break
+        fi
+      fi
+      echo "Waiting for waagent Goal state agent >= 2.15.0.1, current: $version ($${elapsed}s elapsed)"
+      sleep 5
+      elapsed=$((elapsed + 5))
+    done
+    if [ $elapsed -ge $timeout ]; then
+      echo "ERROR: Timeout waiting for waagent Goal state agent >= 2.15.0.1"
+      exit 1
+    fi
+  - fips-mode-setup --enable
+  - reboot
+%{ endif ~}
diff --git a/data.tf b/data.tf
@@ -22,6 +22,8 @@ data "cloudinit_config" "config" {
       fleet_http_proxy     = var.fleet_http_proxy
       fleet_https_proxy    = var.fleet_https_proxy
       fleet_no_proxy       = var.fleet_no_proxy
+
+      azure_fips_enabled = var.azure_fips_enabled
     })
     filename = "sensor-build.yaml"
   }
diff --git a/variables.tf b/variables.tf
@@ -94,6 +94,12 @@ variable "fleet_no_proxy" {
   description = "(optional) hosts or domains to bypass the proxy for fleet traffic"
 }
 
+variable "azure_fips_enabled" {
+  type        = bool
+  default     = false
+  description = "(optional) enable FIPS mode on Azure instances"
+}
+
 variable "prometheus_enabled" {
   type        = bool
   default     = false
@@ -104,4 +110,4 @@ variable "fedramp_mode_enabled" {
   type        = bool
   default     = false
   description = "(optional) enable Fedramp mode"
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ data "cloudinit_config" "config" {`
`22`	`22`	`fleet_http_proxy = var.fleet_http_proxy`
`23`	`23`	`fleet_https_proxy = var.fleet_https_proxy`
`24`	`24`	`fleet_no_proxy = var.fleet_no_proxy`
	`25`	`+`
	`26`	`+ azure_fips_enabled = var.azure_fips_enabled`
`25`	`27`	`})`
`26`	`28`	`filename = "sensor-build.yaml"`
`27`	`29`	`}`