feat(gcp-compute): add automatic restart check for VM instances (#9271)

Author: lydiavilchez

prowler/CHANGELOG.md

@@ -7,6 +7,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### Added
 - `cloudstorage_uses_vpc_service_controls` check for GCP provider [(#9256)](https://github.com/prowler-cloud/prowler/pull/9256)
 - `repository_immutable_releases_enabled` check for GitHub provider [(#9162)](https://github.com/prowler-cloud/prowler/pull/9162)
+- `compute_instance_automatic_restart_enabled` check for GCP provider [(#9271)](https://github.com/prowler-cloud/prowler/pull/9271)
 
 ---
 

prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/__init__.py

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "compute_instance_automatic_restart_enabled",
+  "CheckTitle": "Compute Engine VM instances have Automatic Restart enabled",
+  "CheckType": [],
+  "ServiceName": "compute",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "compute.googleapis.com/Instance",
+  "Description": "**Google Compute Engine virtual machine instances** are evaluated to ensure that **Automatic Restart** is enabled. This feature allows the Google Cloud Compute Engine service to automatically restart VM instances when they are terminated due to non-user-initiated reasons such as maintenance events, hardware failures, or software failures.",
+  "Risk": "VM instances without Automatic Restart enabled will not recover automatically from host maintenance events or unexpected failures, potentially leading to prolonged service downtime and requiring manual intervention to restore services.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/enable-automatic-restart.html",
+    "https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud compute instances update <INSTANCE_NAME> --restart-on-failure --zone=<ZONE>",
+      "NativeIaC": "",
+      "Other": "1) Open Google Cloud Console → Compute Engine → VM instances\n2) Click on the instance name to view details\n3) Click 'Edit' at the top of the page\n4) Under 'Availability policies', set 'Automatic restart' to 'On (recommended)'\n5) Click 'Save' at the bottom of the page",
+      "Terraform": "```hcl\n# Example: enable Automatic Restart for a Compute Engine VM instance\nresource \"google_compute_instance\" \"example\" {\n  name         = var.instance_name\n  machine_type = var.machine_type\n  zone         = var.zone\n\n  scheduling {\n    automatic_restart   = true\n    on_host_maintenance = \"MIGRATE\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable the Automatic Restart feature for Compute Engine VM instances to enhance system reliability by automatically recovering from crashes or system-initiated terminations. This setting does not interfere with user-initiated shutdowns or stops.",
+      "Url": "https://hub.prowler.com/check/compute_instance_automatic_restart_enabled"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "VM instances missing the 'scheduling.automaticRestart' field are treated as having Automatic Restart enabled (defaults to true). Preemptible instances and instances with provisioning model set to SPOT are automatically marked as PASS, as they cannot have Automatic Restart enabled by design."
+}

prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.metadata.json

@@ -0,0 +1,35 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.compute.compute_client import compute_client
+
+
+class compute_instance_automatic_restart_enabled(Check):
+    """
+    Ensure Compute Engine VM instances have Automatic Restart enabled.
+
+    Reports PASS if a VM instance has automatic restart enabled, otherwise FAIL.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for instance in compute_client.instances:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
+
+            # Preemptible and Spot VMs cannot have automatic restart enabled
+            if instance.preemptible or instance.provisioning_model == "SPOT":
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"VM Instance {instance.name} is a Preemptible or Spot instance, "
+                    "which cannot have Automatic Restart enabled by design."
+                )
+            elif instance.automatic_restart:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"VM Instance {instance.name} has Automatic Restart enabled."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = f"VM Instance {instance.name} does not have Automatic Restart enabled."
+
+            findings.append(report)
+
+        return findings

prowler/providers/gcp/services/compute/compute_instance_automatic_restart_enabled/compute_instance_automatic_restart_enabled.py

@@ -133,6 +133,15 @@ def _get_instances(self, zone):
                                     )
                                     for disk in instance.get("disks", [])
                                 ],
+                                automatic_restart=instance.get("scheduling", {}).get(
+                                    "automaticRestart", False
+                                ),
+                                preemptible=instance.get("scheduling", {}).get(
+                                    "preemptible", False
+                                ),
+                                provisioning_model=instance.get("scheduling", {}).get(
+                                    "provisioningModel", "STANDARD"
+                                ),
                                 project_id=project_id,
                             )
                         )
@@ -365,6 +374,9 @@ class Instance(BaseModel):
     service_accounts: list
     ip_forward: bool
     disks_encryption: list
+    automatic_restart: bool = False
+    preemptible: bool = False
+    provisioning_model: str = "STANDARD"
 
 
 class Network(BaseModel):

prowler/providers/gcp/services/compute/compute_service.py

@@ -759,6 +759,11 @@ def mock_api_instances_calls(client: MagicMock, service: str):
                             "diskType": "disk_type",
                         }
                     ],
+                    "scheduling": {
+                        "automaticRestart": False,
+                        "preemptible": False,
+                        "provisioningModel": "STANDARD",
+                    },
                 },
                 {
                     "name": "instance2",
@@ -785,6 +790,11 @@ def mock_api_instances_calls(client: MagicMock, service: str):
                             "diskType": "disk_type",
                         }
                     ],
+                    "scheduling": {
+                        "automaticRestart": False,
+                        "preemptible": False,
+                        "provisioningModel": "STANDARD",
+                    },
                 },
             ]
         }