feat(gcp): add check to ensure Managed Instance Groups span multiple zones (#9566)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: lydiavilchez

docs/user-guide/cli/tutorials/configuration_file.mdx

@@ -93,6 +93,11 @@ The following list includes all the Azure checks with configurable variables tha
 ## GCP
 
 ### Configurable Checks
+The following list includes all the GCP checks with configurable variables that can be changed in the configuration yaml file:
+
+| Check Name                                                    | Value                                            | Type            |
+|---------------------------------------------------------------|--------------------------------------------------|-----------------|
+| `compute_instance_group_multiple_zones`                      | `mig_min_zones`                                  | Integer         |
 
 ## Kubernetes
 
@@ -548,6 +553,9 @@ gcp:
   # GCP Compute Configuration
   # gcp.compute_public_address_shodan
   shodan_api_key: null
+  # gcp.compute_instance_group_multiple_zones
+  # Minimum number of zones a MIG should span for high availability
+  mig_min_zones: 2
 
 # Kubernetes Configuration
 kubernetes:

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### Added
 - Add Prowler ThreatScore for the Alibaba Cloud provider [(#9511)](https://github.com/prowler-cloud/prowler/pull/9511)
+- `compute_instance_group_multiple_zones` check for GCP provider [(#9566)](https://github.com/prowler-cloud/prowler/pull/9566)
 
 ### Changed
 - Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)

prowler/config/config.yaml

@@ -507,6 +507,9 @@ gcp:
   # GCP Compute Configuration
   # gcp.compute_public_address_shodan
   shodan_api_key: null
+  # gcp.compute_instance_group_multiple_zones
+  # Minimum number of zones a MIG should span for high availability
+  mig_min_zones: 2
   # GCP Service Account and user-managed keys unused configuration
   # gcp.iam_service_account_unused
   # gcp.iam_sa_user_managed_key_unused

prowler/providers/gcp/services/compute/compute_instance_group_multiple_zones/__init__.py

@@ -0,0 +1,36 @@
+{
+  "Provider": "gcp",
+  "CheckID": "compute_instance_group_multiple_zones",
+  "CheckTitle": "Ensure Managed Instance Groups span multiple zones for high availability",
+  "CheckType": [],
+  "ServiceName": "compute",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "low",
+  "ResourceType": "compute.googleapis.com/InstanceGroupManager",
+  "Description": "Managed Instance Groups (MIGs) should be configured for multi-zone deployments to ensure high availability and fault tolerance. A multi-zone MIG distributes instances across multiple zones within a region, protecting applications from zonal failures.",
+  "Risk": "Running a MIG in a single zone creates a single point of failure. If that zone experiences an outage, all instances in the group become unavailable, resulting in application downtime during zonal failures, no automatic failover to healthy zones, and reduced resilience against infrastructure issues.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/compute/docs/instance-groups/regional-migs",
+    "https://cloud.google.com/compute/docs/instance-groups/distributing-instances-with-regional-instance-groups"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud compute instance-groups managed create INSTANCE_GROUP_NAME --region=REGION --template=INSTANCE_TEMPLATE --size=TARGET_SIZE --zones=ZONE1,ZONE2,ZONE3",
+      "NativeIaC": "",
+      "Other": "1. Navigate to Compute Engine > Instance groups\n2. Click 'Create instance group'\n3. Select 'New managed instance group (stateless)'\n4. For 'Location', select 'Multiple zones'\n5. Choose the target region and zones\n6. Configure the instance template and target size\n7. Click 'Create'",
+      "Terraform": "```hcl\n# Create a regional MIG that spans multiple zones\nresource \"google_compute_region_instance_group_manager\" \"example\" {\n  name               = \"example-mig\"\n  region             = \"us-central1\"\n  base_instance_name = \"example\"\n  target_size        = 3\n\n  version {\n    instance_template = google_compute_instance_template.example.id\n  }\n\n  # Distribute instances across multiple zones\n  distribution_policy_zones = [\"us-central1-a\", \"us-central1-b\", \"us-central1-c\"]\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Use regional managed instance groups instead of zonal MIGs to distribute instances across multiple zones. This provides automatic failover and load distribution, ensuring high availability for production workloads.",
+      "Url": "https://hub.prowler.com/check/compute_instance_group_multiple_zones"
+    }
+  },
+  "Categories": [
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check uses a configurable minimum zone count (default: 2). Configure via 'mig_min_zones' in config.yaml."
+}

prowler/providers/gcp/services/compute/compute_instance_group_multiple_zones/compute_instance_group_multiple_zones.metadata.json

@@ -0,0 +1,45 @@
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.compute.compute_client import compute_client
+
+
+class compute_instance_group_multiple_zones(Check):
+    """
+    Ensure Managed Instance Groups span multiple zones for high availability.
+
+    This check verifies whether GCP Managed Instance Groups (MIGs) are distributed
+    across multiple zones to ensure high availability and fault tolerance.
+
+    - PASS: The MIG spans the minimum required zones (configurable via mig_min_zones).
+    - FAIL: The MIG does not meet the minimum zone requirement.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        findings = []
+        min_zones = compute_client.audit_config.get("mig_min_zones", 2)
+
+        for instance_group in compute_client.instance_groups:
+            report = Check_Report_GCP(
+                metadata=self.metadata(),
+                resource=instance_group,
+                location=instance_group.region,
+            )
+
+            zone_count = len(instance_group.zones)
+            zones_str = ", ".join(instance_group.zones)
+
+            report.status = "PASS"
+            if instance_group.is_regional:
+                report.status_extended = f"Managed Instance Group {instance_group.name} is a regional MIG spanning {zone_count} zones ({zones_str})."
+            else:
+                report.status_extended = f"Managed Instance Group {instance_group.name} spans {zone_count} zones ({zones_str})."
+
+            if zone_count < min_zones:
+                report.status = "FAIL"
+                if instance_group.is_regional:
+                    report.status_extended = f"Managed Instance Group {instance_group.name} is a regional MIG but only spans {zone_count} zone(s) ({zones_str}), minimum required is {min_zones}."
+                else:
+                    report.status_extended = f"Managed Instance Group {instance_group.name} is a zonal MIG running only in {zones_str}, consider converting to a regional MIG for high availability."
+
+            findings.append(report)
+
+        return findings

prowler/providers/gcp/services/compute/compute_instance_group_multiple_zones/compute_instance_group_multiple_zones.py

@@ -1,3 +1,5 @@
+from typing import Optional
+
 from pydantic.v1 import BaseModel
 
 from prowler.lib.logger import logger
@@ -18,6 +20,7 @@ def __init__(self, provider: GcpProvider):
         self.firewalls = []
         self.compute_projects = []
         self.load_balancers = []
+        self.instance_groups = []
         self._get_regions()
         self._get_projects()
         self._get_url_maps()
@@ -28,6 +31,8 @@ def __init__(self, provider: GcpProvider):
         self.__threading_call__(self._get_subnetworks, self.regions)
         self._get_firewalls()
         self.__threading_call__(self._get_addresses, self.regions)
+        self.__threading_call__(self._get_regional_instance_groups, self.regions)
+        self.__threading_call__(self._get_zonal_instance_groups, self.zones)
 
     def _get_regions(self):
         for project_id in self.project_ids:
@@ -362,6 +367,87 @@ def _describe_backend_service(self):
                         f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
                     )
 
+    def _get_regional_instance_groups(self, region: str) -> None:
+        """Fetch regional managed instance groups for all projects."""
+        for project_id in self.project_ids:
+            try:
+                request = self.client.regionInstanceGroupManagers().list(
+                    project=project_id, region=region
+                )
+                while request is not None:
+                    response = request.execute(
+                        http=self.__get_AuthorizedHttp_client__(),
+                        num_retries=DEFAULT_RETRY_ATTEMPTS,
+                    )
+
+                    for mig in response.get("items", []):
+                        zones = [
+                            zone_info["zone"].split("/")[-1]
+                            for zone_info in mig.get("distributionPolicy", {}).get(
+                                "zones", []
+                            )
+                            if zone_info.get("zone")
+                        ]
+
+                        self.instance_groups.append(
+                            ManagedInstanceGroup(
+                                name=mig.get("name", ""),
+                                id=mig.get("id", ""),
+                                region=region,
+                                zone=None,
+                                zones=zones,
+                                is_regional=True,
+                                target_size=mig.get("targetSize", 0),
+                                project_id=project_id,
+                            )
+                        )
+
+                    request = self.client.regionInstanceGroupManagers().list_next(
+                        previous_request=request, previous_response=response
+                    )
+            except Exception as error:
+                logger.error(
+                    f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+
+    def _get_zonal_instance_groups(self, zone: str) -> None:
+        """Fetch zonal managed instance groups for all projects."""
+        for project_id in self.project_ids:
+            try:
+                request = self.client.instanceGroupManagers().list(
+                    project=project_id, zone=zone
+                )
+                while request is not None:
+                    response = request.execute(
+                        http=self.__get_AuthorizedHttp_client__(),
+                        num_retries=DEFAULT_RETRY_ATTEMPTS,
+                    )
+
+                    for mig in response.get("items", []):
+                        mig_zone = mig.get("zone", zone).split("/")[-1]
+                        mig_region = mig_zone.rsplit("-", 1)[0]
+
+                        self.instance_groups.append(
+                            ManagedInstanceGroup(
+                                name=mig.get("name", ""),
+                                id=mig.get("id", ""),
+                                region=mig_region,
+                                zone=mig_zone,
+                                zones=[mig_zone],
+                                is_regional=False,
+                                target_size=mig.get("targetSize", 0),
+                                project_id=project_id,
+                            )
+                        )
+
+                    request = self.client.instanceGroupManagers().list_next(
+                        previous_request=request, previous_response=response
+                    )
+            except Exception as error:
+                logger.error(
+                    f"{zone} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+
 
 class Instance(BaseModel):
     name: str
@@ -428,3 +514,14 @@ class LoadBalancer(BaseModel):
     service: str
     logging: bool = False
     project_id: str
+
+
+class ManagedInstanceGroup(BaseModel):
+    name: str
+    id: str
+    region: str
+    zone: Optional[str]
+    zones: list
+    is_regional: bool
+    target_size: int
+    project_id: str

prowler/providers/gcp/services/compute/compute_service.py

@@ -329,7 +329,11 @@ def mock_prowler_get_latest_release(_, **kwargs):
     "defender_attack_path_minimal_risk_level": "High",
 }
 
-config_gcp = {"shodan_api_key": None, "max_unused_account_days": 30}
+config_gcp = {
+    "shodan_api_key": None,
+    "mig_min_zones": 2,
+    "max_unused_account_days": 30,
+}
 
 config_kubernetes = {
     "audit_log_maxbackup": 10,

tests/config/config_test.py

@@ -410,6 +410,9 @@ gcp:
   # GCP Compute Configuration
   # gcp.compute_public_address_shodan
   shodan_api_key: null
+  # gcp.compute_instance_group_multiple_zones
+  # Minimum number of zones a MIG should span for high availability
+  mig_min_zones: 2
   max_unused_account_days: 30
 
 # Kubernetes Configuration

tests/config/fixtures/config.yaml

@@ -57,6 +57,7 @@ def mock_api_client(GCPService, service, api_version, _):
     mock_api_sink_calls(client)
     mock_api_services_calls(client)
     mock_api_access_policies_calls(client)
+    mock_api_instance_group_managers_calls(client)
 
     return client
 
@@ -1184,3 +1185,59 @@ def mock_list_service_perimeters(parent):
 
     client.accessPolicies().servicePerimeters().list = mock_list_service_perimeters
     client.accessPolicies().servicePerimeters().list_next.return_value = None
+
+
+def mock_api_instance_group_managers_calls(client: MagicMock):
+    """Mock API calls for Managed Instance Groups (both regional and zonal)."""
+    regional_mig1_id = str(uuid4())
+    regional_mig2_id = str(uuid4())
+    zonal_mig1_id = str(uuid4())
+
+    # Mock regional instance group managers
+    client.regionInstanceGroupManagers().list().execute.return_value = {
+        "items": [
+            {
+                "name": "regional-mig-1",
+                "id": regional_mig1_id,
+                "targetSize": 3,
+                "distributionPolicy": {
+                    "zones": [
+                        {
+                            "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/europe-west1-b"
+                        },
+                        {
+                            "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/europe-west1-c"
+                        },
+                        {
+                            "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/europe-west1-d"
+                        },
+                    ]
+                },
+            },
+            {
+                "name": "regional-mig-single-zone",
+                "id": regional_mig2_id,
+                "targetSize": 1,
+                "distributionPolicy": {
+                    "zones": [
+                        {
+                            "zone": "https://www.googleapis.com/compute/v1/projects/test-project/zones/europe-west1-b"
+                        }
+                    ]
+                },
+            },
+        ]
+    }
+    client.regionInstanceGroupManagers().list_next.return_value = None
+
+    # Mock zonal instance group managers
+    client.instanceGroupManagers().list().execute.return_value = {
+        "items": [
+            {
+                "name": "zonal-mig-1",
+                "id": zonal_mig1_id,
+                "targetSize": 2,
+            },
+        ]
+    }
+    client.instanceGroupManagers().list_next.return_value = None