
Compartment In Oracle Cloud Infrastructure (OCI): Everything You Must Know


[Update: 12th Aug’19] OCI resources can now be moved across compartments, and a compartment itself can now be moved to a different parent compartment.

The compartment is the first thing you select when creating any OCI resource (Compute, Storage, Network/VCN, Load Balancer, Database etc.), so it is very important to understand compartments in OCI.

This post covers everything you must know about Compartment.

  • Overview of Compartment
  • Quick facts about Compartment
  • How to Create a Compartment in OCI
  • How to Grant Access in Compartments
  • Creating Resources in a Compartment
  • Moving Resources to a different Compartment
  • Moving Compartment and its implications
  • Delete a Compartment in OCI
  • Renaming a Compartment
  • Viewing Resources Created within a Compartment

(Note: If you are just starting on Oracle Cloud or new to Oracle Cloud Infrastructure (OCI), then I would suggest you check our previous post on Oracle Cloud Infrastructure (OCI) basic concepts i.e. Region, AD, Tenancy, Compartment, VCN, IAM, Storage Service etc)

Overview of Compartment

A compartment is a logical container used to organize and control access to the Oracle Cloud Infrastructure (OCI) resources (Compute, Storage, Network, Load Balancer etc.) created within it. You attach policies to a compartment that restrict who, other than the administrators of your account, can use the resources created within that compartment.

According to this Diagram,

  • You create one compartment, Central_IT. This is a top-level compartment with access to all Identity and Access Management resources in OCI; the team owning it acts as the superuser and manages the other users.
  • Within that compartment, you create another compartment, Central_IT_Network, which manages the organization’s network resources such as VCN, Internet Gateway, Load Balancer, DNS and FastConnect.
  • Next, according to your business requirements, you create further compartments for the Finance and HR teams, which have access to finance- and HR-related resources such as Load Balancer, Object Storage and Database systems. Within these compartments you can have sub-compartments such as Fin Proj A, Fin Proj B, HR Proj A and HR Proj B, which have access to a very limited set of resources such as Virtual Machines (VMs) and Security Lists.

Quick facts about Compartment

  • [July 2019] A compartment can now be moved to a different parent compartment.
  • [July 2019] Most OCI resources can now be moved from one compartment to another.
  • [July 2019] Deleting a compartment in Government Cloud is not yet possible.
  • To delete a compartment, it must be empty of all resources.
  • [July 2019] We can create multilevel sub-compartments; as of now the maximum nesting is 6 compartment levels.
  • Compartments can be renamed or deleted (once all associated resources have been deleted or terminated from the compartment).
  • Compartments are global, meaning they span across regions.
  • When a tenancy is provisioned, a root compartment is created.
  • Each resource belongs to a single compartment, but resources can be shared across compartments.
    • E.g. a VCN and its subnet can be in different compartments.
  • After creating a compartment, you need to write at least one policy for it; otherwise resources inside the compartment can’t be accessed (except by the Tenancy Admin).
  • Policies written at a higher level are inherited by sub-compartments.

How to Create a Compartment in OCI

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Compartments.
  2. A list of the compartments you have access to is displayed. Click Create Compartment.
  3. Enter the required details and click Create Compartment.

When creating a compartment, you must provide a name for it (maximum 100 characters, including letters, numbers, periods, hyphens, and underscores) that is unique within its parent compartment.

How to Grant Access in Compartments

  • The very first thing to do after creating a compartment is to write at least one policy for it; otherwise no one can access it (except administrators or users who have permissions set at the tenancy level).
  • When you create an access policy, you need to specify which compartment to attach it to.

Note: A policy, written for a group, defines who can access what in a tenancy or compartment.

Create OCI Resources in a Compartment

  • To place or create a new resource (Compute, Storage, Database, VCN, etc.) in a compartment, you simply select that compartment when creating the resource (the compartment is one of the required pieces of information for creating a resource).

Moving OCI Resources to a different Compartment

Most resources can be moved after they are created; a few resource types can’t be moved from one compartment to another. After you move a resource to a new compartment, the policies that govern the new compartment apply immediately and affect access to the resource.


Moving Compartment to different Compartment

  • From July 2019 onwards, you can also move a compartment to a different parent compartment within the same tenancy.
  • When you move a compartment, all its contents (sub-compartments and resources) are moved with it.
  • To move a compartment, you must belong to a group that has manage all-resources permission on the parent compartment of the compartment you want to move and on the destination compartment.

Moving Compartment: Policy Implications

Use Case 1: Move Compartment C from B to D (policy written at root level)

You have one tenancy (root compartment). Within it you have Compartment A; within A you have Compartments B and D; and within parent B you have Compartment C, which we are moving to parent compartment D.

At the root compartment level we have written a policy allowing Group G1 to manage compartment A:B and Group G2 to manage A:D. As soon as we move Compartment C from parent B to parent D, Group G1 no longer has access to compartment C and Group G2 automatically gets access to compartment C.

Use Case 2: Move Compartment A from Test to Dev (policy written at the Operations compartment level)

In this use case you have a tenancy (root compartment); within it you have an Operations compartment containing Test and Dev, and within Test you have Compartment A, which you are moving to Dev.

The policy, attached at the Operations level, allows Group G1 to manage buckets in compartment Test:A. Because the policy is attached at the Operations level, which sits above both Test and Dev, it is automatically updated when Compartment A moves from Test to Dev, and Group G1 does not lose its permission.

Use Case 3: Move Compartment A from Test to Dev (policy written at the Test compartment level)

In this use case you have a tenancy (root compartment); within it you have an Operations compartment containing Test and Dev, and within Test you have Compartment A, which you are moving to Dev.

This time the policy is written at the Test compartment level instead of the Operations level, and says allow Group G1 to manage buckets in compartment A. This policy will not be updated and becomes invalid, because it was written at the Test level rather than at the Operations level.

To move Compartment A from Test to Dev without losing access, you have to manually write a policy at the Dev compartment allowing Group G1 to manage buckets in compartment A, and delete the existing policy.

Use Case 4: Move Compartment A from Test to Prod inside HR (policy written at root level)

In this use case you have a tenancy (root compartment); within it you have Operations and HR compartments, containing Test and Dev, and Prod, respectively. Within Test you have Compartment A, which you are moving to Prod.

Here the policy is written at the root level, so it covers the whole path down through Operations and Test. The policy is therefore updated when Compartment A moves to Prod, and Group G1 does not lose its permission.

Note: If you want to know more about these use cases in detail, check the video mentioned in this blog above.

Moving Compartment: Restrictions

  • You can’t move a compartment to a destination compartment with the same name as the compartment being moved.
  • Two compartments within the same parent cannot have the same name. Therefore, you can’t move a compartment to a destination compartment where a compartment with the same name already exists.
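The four use cases and the two restrictions above can be checked against a small model of the rules the post states. The following is an added example written for this post, not OCI's own code or the OCI SDK: it assumes that a statement attached at compartment X names a target path relative to X, that the grant covers the target and everything beneath it, that a statement naming the moved compartment is rewritten only when it is attached at a compartment still above the new location, and that a move fails when the destination already holds the same name. The compartment and group names (A, B, C, D, Operations, Test, Dev, HR, Prod, G1, G2) are the ones used in the use cases; the classes and functions are constructed for the example.

```python
"""Toy model of OCI compartment moves and their policy implications (added example)."""


class Compartment:
    """A node in the compartment tree; children are keyed by name (unique per parent)."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}
        if parent is not None:
            parent.children[name] = self

    def ancestors(self):
        """Yield self, then each parent up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def resolve(self, path):
        """Follow an 'A:B:C' path relative to this compartment; None if it breaks."""
        node = self
        for part in path.split(":") if path else []:
            node = node.children.get(part)
            if node is None:
                return None
        return node

    def relative_path(self, descendant):
        """Path from this compartment down to descendant, e.g. 'Test:A'."""
        names, node = [], descendant
        while node is not self:
            if node is None:
                raise ValueError(f"{descendant.name} is not under {self.name}")
            names.append(node.name)
            node = node.parent
        return ":".join(reversed(names))


class Policy:
    """One statement: Allow group <group> to manage <resource> in compartment <path>."""

    def __init__(self, attached_at, group, resource, path):
        self.attached_at, self.group = attached_at, group
        self.resource, self.path = resource, path

    @property
    def valid(self):
        """Usable only while the path still resolves from the attachment point."""
        return self.attached_at.resolve(self.path) is not None


def groups_with_access(policies, target, resource="all-resources"):
    """Groups whose still-valid statements cover `target` for `resource`."""
    result = set()
    for p in policies:
        if p.resource not in (resource, "all-resources"):
            continue
        scope = p.attached_at.resolve(p.path)
        if scope is not None and scope in target.ancestors():
            result.add(p.group)
    return result


def move_compartment(comp, new_parent, policies):
    """Re-parent comp, enforcing the name restrictions and the rewrite rule (assumed)."""
    if comp.name == new_parent.name or comp.name in new_parent.children:
        raise ValueError(f"a compartment named {comp.name} clashes at the destination")
    if comp in new_parent.ancestors():
        raise ValueError("cannot move a compartment beneath itself")
    # Statements that name comp (or something inside it) are rewritten only when
    # attached at a compartment that is still above the new location.
    rewrite = []
    for p in policies:
        scope = p.attached_at.resolve(p.path)
        if scope is not None and comp in scope.ancestors() and p.attached_at in new_parent.ancestors():
            rewrite.append((p, scope))
    del comp.parent.children[comp.name]
    comp.parent = new_parent
    new_parent.children[comp.name] = comp
    for p, scope in rewrite:
        p.path = p.attached_at.relative_path(scope)


def use_case_1():
    """Root-level policies on A:B and A:D; C moves from B to D. Returns (before, after)."""
    root = Compartment("root")
    a = Compartment("A", root)
    b, d = Compartment("B", a), Compartment("D", a)
    c = Compartment("C", b)
    policies = [Policy(root, "G1", "all-resources", "A:B"), Policy(root, "G2", "all-resources", "A:D")]
    before = groups_with_access(policies, c)
    move_compartment(c, d, policies)
    return before, groups_with_access(policies, c)


def use_case_2_and_3():
    """A moves Test -> Dev. Statement at Operations is rewritten; statement at Test breaks."""
    root = Compartment("root")
    ops = Compartment("Operations", root)
    test, dev = Compartment("Test", ops), Compartment("Dev", ops)
    a = Compartment("A", test)
    at_ops, at_test = Policy(ops, "G1", "buckets", "Test:A"), Policy(test, "G1", "buckets", "A")
    move_compartment(a, dev, [at_ops, at_test])
    return at_ops.path, at_ops.valid, at_test.path, at_test.valid


def use_case_4():
    """Root-level statement on Operations:Test:A; A moves to HR:Prod and stays covered."""
    root = Compartment("root")
    ops, hr = Compartment("Operations", root), Compartment("HR", root)
    test, prod = Compartment("Test", ops), Compartment("Prod", hr)
    a = Compartment("A", test)
    p = Policy(root, "G1", "buckets", "Operations:Test:A")
    move_compartment(a, prod, [p])
    return p.path, groups_with_access([p], a, "buckets")


if __name__ == "__main__":
    print("Use case 1:", use_case_1())        # ({'G1'}, {'G2'})
    print("Use cases 2/3:", use_case_2_and_3())  # ('Dev:A', True, 'A', False)
    print("Use case 4:", use_case_4())        # ('HR:Prod:A', {'G1'})
```

The `valid` property is the part worth keeping in mind: after Use Case 3 the statement at Test still exists, it simply no longer resolves to anything, which is why the post says to write a replacement at Dev and delete the old one rather than expecting the move to fail.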


Delete a Compartment in OCI

  • To delete a compartment, it must be empty of all resources. Before you initiate deleting a compartment, be sure that all its resources have been moved, deleted, or terminated, including any policies attached to the compartment.
  • Some resource types can’t be deleted, therefore, compartments containing these resource types can’t be deleted. A resource type that can’t be deleted is:
    • Data transfer jobs


Note: To know more about deleting compartments, check my previous blog on Oracle Cloud Infrastructure (OCI): Updates October 2018.

Renaming a Compartment

  • Compartments can be renamed and policy defined to that compartment will automatically be applied to the renamed compartment.


Note: You can’t change the name of your root compartment.

Viewing Resources Created within a Compartment

  • You can also view the resources created within a compartment: select the type of resource you want to view. For example, click Database to view all your Database resources. This can be done from the Console or via API calls, i.e. from the Command Line Interface (CLI).

Note: It’s not possible to get a list of all the resources created within a compartment by using a single API call. Instead, you can list all the resources of a given type in the compartment (e.g., all the instances, all the block storage volumes, etc.).


The post Compartment In Oracle Cloud Infrastructure (OCI): Everything You Must Know appeared first on Oracle Trainings.

