feat(gcp): add check for VM instance deletion protection (#9358)

Author: lydiavilchez

prowler/CHANGELOG.md

@@ -9,6 +9,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `repository_immutable_releases_enabled` check for GitHub provider [(#9162)](https://github.com/prowler-cloud/prowler/pull/9162)
 - `compute_instance_preemptible_vm_disabled` check for GCP provider [(#9342)](https://github.com/prowler-cloud/prowler/pull/9342)
 - `compute_instance_automatic_restart_enabled` check for GCP provider [(#9271)](https://github.com/prowler-cloud/prowler/pull/9271)
+- `compute_instance_deletion_protection_enabled` check for GCP provider [(#9358)](https://github.com/prowler-cloud/prowler/pull/9358)
 
 ---
 

prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/__init__.py

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "compute_instance_deletion_protection_enabled",
+  "CheckTitle": "VM instance has deletion protection enabled",
+  "CheckType": [],
+  "ServiceName": "compute",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "compute.googleapis.com/Instance",
+  "Description": "This check verifies whether GCP Compute Engine VM instances have **deletion protection** enabled to prevent accidental termination of production or critical workloads.",
+  "Risk": "Without deletion protection enabled, VM instances are vulnerable to **accidental deletion** by users with sufficient permissions.\n\nThis could result in:\n- **Service disruption** and downtime for critical applications\n- **Data loss** if persistent disks are also deleted\n- **Recovery delays** while recreating instances and restoring configurations",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-deletion-protection.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud compute instances update INSTANCE_NAME --deletion-protection --zone=ZONE",
+      "NativeIaC": "",
+      "Other": "1. Open the Google Cloud Console\n2. Navigate to Compute Engine > VM instances\n3. Select the target VM instance\n4. Click Edit\n5. Under Deletion protection, check the box to enable\n6. Click Save",
+      "Terraform": "```hcl\nresource \"google_compute_instance\" \"example_resource\" {\n  name         = \"example-instance\"\n  machine_type = \"e2-medium\"\n  zone         = \"us-central1-a\"\n\n  # Enable deletion protection\n  deletion_protection = true\n\n  boot_disk {\n    initialize_params {\n      image = \"debian-cloud/debian-11\"\n    }\n  }\n\n  network_interface {\n    network = \"default\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable deletion protection on all production and business-critical VM instances to prevent accidental termination. Regularly review instances to ensure critical workloads are protected.",
+      "Url": "https://hub.prowler.com/check/compute_instance_deletion_protection_enabled"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.metadata.json

@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.compute.compute_client import compute_client
+
+
+class compute_instance_deletion_protection_enabled(Check):
+    """
+    Ensure that VM instance has deletion protection enabled.
+
+    This check verifies whether GCP Compute Engine VM instances have deletion protection
+    enabled to prevent accidental termination of production or critical workloads.
+
+    - PASS: VM instance has deletion protection enabled.
+    - FAIL: VM instance does not have deletion protection enabled.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for instance in compute_client.instances:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
+            report.status = "PASS"
+            report.status_extended = (
+                f"VM Instance {instance.name} has deletion protection enabled."
+            )
+            if not instance.deletion_protection:
+                report.status = "FAIL"
+                report.status_extended = f"VM Instance {instance.name} does not have deletion protection enabled."
+            findings.append(report)
+
+        return findings

prowler/providers/gcp/services/compute/compute_instance_deletion_protection_enabled/compute_instance_deletion_protection_enabled.py

@@ -143,6 +143,9 @@ def _get_instances(self, zone):
                                 preemptible=instance.get("scheduling", {}).get(
                                     "preemptible", False
                                 ),
+                                deletion_protection=instance.get(
+                                    "deletionProtection", False
+                                ),
                             )
                         )
 
@@ -377,6 +380,7 @@ class Instance(BaseModel):
     automatic_restart: bool = False
     preemptible: bool = False
     provisioning_model: str = "STANDARD"
+    deletion_protection: bool = False
 
 
 class Network(BaseModel):

prowler/providers/gcp/services/compute/compute_service.py

@@ -0,0 +1,145 @@
+from unittest import mock
+
+from tests.providers.gcp.gcp_fixtures import (
+    GCP_PROJECT_ID,
+    GCP_US_CENTER1_LOCATION,
+    set_mocked_gcp_provider,
+)
+
+
+class TestComputeInstanceDeletionProtectionEnabled:
+    def test_compute_no_instances(self):
+        compute_client = mock.MagicMock()
+        compute_client.instances = []
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.compute.compute_instance_deletion_protection_enabled.compute_instance_deletion_protection_enabled.compute_client",
+                new=compute_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.compute.compute_instance_deletion_protection_enabled.compute_instance_deletion_protection_enabled import (
+                compute_instance_deletion_protection_enabled,
+            )
+
+            check = compute_instance_deletion_protection_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_instance_deletion_protection_enabled(self):
+        compute_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.compute.compute_instance_deletion_protection_enabled.compute_instance_deletion_protection_enabled.compute_client",
+                new=compute_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.compute.compute_instance_deletion_protection_enabled.compute_instance_deletion_protection_enabled import (
+                compute_instance_deletion_protection_enabled,
+            )
+            from prowler.providers.gcp.services.compute.compute_service import Instance
+
+            compute_client.project_ids = [GCP_PROJECT_ID]
+            compute_client.region = GCP_US_CENTER1_LOCATION
+
+            compute_client.instances = [
+                Instance(
+                    name="test-instance",
+                    id="1234567890",
+                    zone=f"{GCP_US_CENTER1_LOCATION}-a",
+                    region=GCP_US_CENTER1_LOCATION,
+                    public_ip=False,
+                    metadata={},
+                    shielded_enabled_vtpm=True,
+                    shielded_enabled_integrity_monitoring=True,
+                    confidential_computing=False,
+                    service_accounts=[
+                        {"email": "123-compute@developer.gserviceaccount.com"}
+                    ],
+                    ip_forward=False,
+                    disks_encryption=[],
+                    project_id=GCP_PROJECT_ID,
+                    deletion_protection=True,
+                )
+            ]
+
+            check = compute_instance_deletion_protection_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"VM Instance {compute_client.instances[0].name} has deletion protection enabled."
+            )
+            assert result[0].resource_id == "1234567890"
+            assert result[0].resource_name == "test-instance"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID
+
+    def test_instance_deletion_protection_disabled(self):
+        compute_client = mock.MagicMock()
+
+        with (
+            mock.patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=set_mocked_gcp_provider(),
+            ),
+            mock.patch(
+                "prowler.providers.gcp.services.compute.compute_instance_deletion_protection_enabled.compute_instance_deletion_protection_enabled.compute_client",
+                new=compute_client,
+            ),
+        ):
+            from prowler.providers.gcp.services.compute.compute_instance_deletion_protection_enabled.compute_instance_deletion_protection_enabled import (
+                compute_instance_deletion_protection_enabled,
+            )
+            from prowler.providers.gcp.services.compute.compute_service import Instance
+
+            compute_client.project_ids = [GCP_PROJECT_ID]
+            compute_client.region = GCP_US_CENTER1_LOCATION
+
+            compute_client.instances = [
+                Instance(
+                    name="test-instance",
+                    id="1234567890",
+                    zone=f"{GCP_US_CENTER1_LOCATION}-a",
+                    region=GCP_US_CENTER1_LOCATION,
+                    public_ip=False,
+                    metadata={},
+                    shielded_enabled_vtpm=True,
+                    shielded_enabled_integrity_monitoring=True,
+                    confidential_computing=False,
+                    service_accounts=[
+                        {
+                            "email": f"{GCP_PROJECT_ID}-compute@developer.gserviceaccount.com"
+                        }
+                    ],
+                    ip_forward=False,
+                    disks_encryption=[],
+                    project_id=GCP_PROJECT_ID,
+                    deletion_protection=False,
+                )
+            ]
+
+            check = compute_instance_deletion_protection_enabled()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"VM Instance {compute_client.instances[0].name} does not have deletion protection enabled."
+            )
+            assert result[0].resource_id == "1234567890"
+            assert result[0].resource_name == "test-instance"
+            assert result[0].location == GCP_US_CENTER1_LOCATION
+            assert result[0].project_id == GCP_PROJECT_ID