feat(gcp-compute): add check to ensure VMs are not preemptible or spot (#9342)

Co-authored-by: HugoPBrito <[email protected]>

Author: lydiavilchez

prowler/CHANGELOG.md

@@ -7,6 +7,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### Added
 - `cloudstorage_uses_vpc_service_controls` check for GCP provider [(#9256)](https://github.com/prowler-cloud/prowler/pull/9256)
 - `repository_immutable_releases_enabled` check for GitHub provider [(#9162)](https://github.com/prowler-cloud/prowler/pull/9162)
+- `compute_instance_preemptible_vm_disabled` check for GCP provider [(#9342)](https://github.com/prowler-cloud/prowler/pull/9342)
 - `compute_instance_automatic_restart_enabled` check for GCP provider [(#9271)](https://github.com/prowler-cloud/prowler/pull/9271)
 
 ---

prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/__init__.py

@@ -0,0 +1,37 @@
+{
+  "Provider": "gcp",
+  "CheckID": "compute_instance_preemptible_vm_disabled",
+  "CheckTitle": "VM instance is not configured as preemptible or Spot VM",
+  "CheckType": [],
+  "ServiceName": "compute",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "compute.googleapis.com/Instance",
+  "Description": "This check verifies that VM instances are not configured as **preemptible** or **Spot VMs**.\n\nBoth preemptible and Spot VMs can be terminated by Google at any time when resources are needed elsewhere, making them unsuitable for production and business-critical workloads. Spot VMs are the newer version of preemptible VMs and are Google's recommended approach for interruptible workloads.",
+  "Risk": "Preemptible and Spot VMs may be **terminated at any time** by Google Cloud, causing:\n\n- **Service disruptions** for production workloads\n- **Data loss** if workloads are not fault-tolerant\n- **Availability issues** for business-critical applications\n\nThey are designed for batch jobs and fault-tolerant workloads only.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/compute/docs/instances/preemptible",
+    "https://cloud.google.com/compute/docs/instances/spot",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/disable-preemptibility.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Go to Compute Engine console\n2. Select the preemptible or Spot VM instance\n3. Create a machine image from the instance\n4. Create a new instance from the machine image\n5. During creation, set **VM provisioning model** to **Standard** (not Spot)\n6. Delete the original preemptible or Spot VM instance",
+      "Terraform": "```hcl\nresource \"google_compute_instance\" \"example_resource\" {\n  name         = \"example-instance\"\n  machine_type = \"e2-medium\"\n  zone         = \"us-central1-a\"\n\n  scheduling {\n    # Use standard provisioning model for production workloads (not Spot)\n    provisioning_model = \"STANDARD\"\n    # Also ensure preemptible is false (legacy field)\n    preemptible = false\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Use standard provisioning model for production and business-critical VM instances. Preemptible and Spot VMs should only be used for fault-tolerant, batch processing, or non-critical workloads that can handle interruptions.",
+      "Url": "https://hub.prowler.com/checks/compute_instance_preemptible_vm_disabled"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.metadata.json

@@ -0,0 +1,32 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.compute.compute_client import compute_client
+
+
+class compute_instance_preemptible_vm_disabled(Check):
+    """
+    Ensure GCP Compute Engine VM instances are not preemptible or Spot VMs.
+
+    - PASS: VM instance is not preemptible (preemptible=False) and not Spot
+      (provisioningModel != "SPOT").
+    - FAIL: VM instance is preemptible (preemptible=True) or Spot
+      (provisioningModel="SPOT").
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        for instance in compute_client.instances:
+            report = Check_Report_GCP(metadata=self.metadata(), resource=instance)
+            report.status = "PASS"
+            report.status_extended = (
+                f"VM Instance {instance.name} is not preemptible or Spot VM."
+            )
+
+            if instance.preemptible or instance.provisioning_model == "SPOT":
+                report.status = "FAIL"
+                vm_type = "preemptible" if instance.preemptible else "Spot VM"
+                report.status_extended = (
+                    f"VM Instance {instance.name} is configured as {vm_type}."
+                )
+
+            findings.append(report)
+        return findings

prowler/providers/gcp/services/compute/compute_instance_preemptible_vm_disabled/compute_instance_preemptible_vm_disabled.py

@@ -136,13 +136,13 @@ def _get_instances(self, zone):
                                 automatic_restart=instance.get("scheduling", {}).get(
                                     "automaticRestart", False
                                 ),
-                                preemptible=instance.get("scheduling", {}).get(
-                                    "preemptible", False
-                                ),
                                 provisioning_model=instance.get("scheduling", {}).get(
                                     "provisioningModel", "STANDARD"
                                 ),
                                 project_id=project_id,
+                                preemptible=instance.get("scheduling", {}).get(
+                                    "preemptible", False
+                                ),
                             )
                         )