Ernesto Lopez

7 things to know about compartments on Oracle Cloud Infrastructure

Compartments are one of the differentiators of Oracle Cloud Infrastructure; personally, I haven't seen a similar service on other cloud providers. There are similar concepts, like tagging or projects, but with a different focus.

A compartment is a logical collection of related resources (such as VCNs, block volumes, instances and subnets). The resources in a compartment can only be accessed by groups of users that an administrator has granted permission through IAM policies.

Here are seven things to know about compartments that are useful before you start working on Oracle Cloud Infrastructure:


1.-When you sign up for Oracle Cloud Infrastructure, Oracle creates your tenancy, which is the root compartment that holds all your cloud resources.

The root compartment is named after the tenancy itself (more about tenancies in another entry); this is why the tenancy admin (a member of the Administrators group) is also the root compartment admin.

Note: it is good practice to keep the number of members of the Administrators group as small as possible and to create separate admin groups that control specific compartments (in practice these are sub-compartments of the root compartment).

(Image: an example compartment layout)

Note: this is only one option for designing the compartment layout; the hierarchy should follow the architecture that best fits the client.

Currently all users and groups are created inside the root compartment, and you create policies that allow those users to access resources in other compartments.


2.-An OCI resource can only belong to one compartment

OCI resources cannot be part of two compartments: each resource is created either inside a specific compartment or inside the root compartment.

Remember that compartments are logical collections, not network or physical boundaries, so you can have, for example, two instances in different compartments that belong to the same VCN and the same subnet.

Note: it is useful to think of a compartment as an area of responsibility where you define permissions, rather than as a physical container.


3.-Compartments can have child compartments or sub-compartments nested 6 levels deep

At the date of first publication of this entry, compartments can be nested a maximum of six levels deep below the root.

For example, you can have the following chain of compartments (root first):
nosomoscavernicolas > prod > compute_Services > app1 > db_app1 > no_sql_dbs1 > free_users

It is good practice to design the compartment hierarchy before you start creating resources, even though you can move an entire compartment tree to a different parent compartment and can also move individual resources between compartments.

You can review the current limit in the Identity and Access Management FAQ.


4.-You can delete compartments

You can delete a compartment, but you need to satisfy these requirements:

  1. You need administrator access, or a policy granting you permission to delete the compartment.
  2. The compartment must be empty: no resources inside it, including any policies attached to the compartment.

Note: some resource types cannot be deleted, so compartments containing these resources cannot be deleted either. In that case you can rename the compartment so the name can be reused.

After you delete the compartment, a delete job starts: Oracle renames the compartment to something like CompartmentA.qR5hP2BD and sets its status to deleted, but you can still see the deleted compartment on the compartments page for 365 days.

You can check whether all the resources in a compartment have been deleted using the Tenancy Explorer.


5.-Tenancy and compartments are global resources

This means that a compartment spans regions and availability domains, which lets you group resources that live in different regions; this is also a good basis for cost management, since usage can be tracked per compartment.

Note: remember that compartments are logical groupings of resources, not bound to physical limits.


6.-You can apply security policies on a compartment basis

After you create a compartment you need to create at least one policy so that users or groups can access resources inside it; otherwise only administrators (through the tenancy-wide policy) have access to the compartment's resources.

Note: compartment permissions are inherited. If, say, a group called db-operators has access to all resources in Compartment-A and you then create Compartment-B inside Compartment-A, members of db-operators will also have access to the resources in Compartment-B. IAM policies only grant access and have no deny statement, so you cannot take that access away in the child; if Compartment-B must stay out of reach, scope the original policy more narrowly.

For example, if you want to allow the OS Management agent service to read information about instances in a certain compartment, you create this policy:
Allow dynamic-group OSManagementAgent to read instance-family in compartment PROD-A

To give a group admin access to a compartment:
Allow group A-Admins to manage all-resources in compartment Project-A

Another example: to allow HR admins to manage Object Storage resources inside the compartment HR:
Allow group hr-admins to manage object-family in compartment HR

Note: an individual resource type is the most granular way to name resources (vcns, instances, etc.). Resource types are also grouped into families, for example instance-family and volume-family, and all-resources covers everything.

You can find more details on attaching policies in: Policy attachment
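To make the nesting limit from point 3 and the inheritance rule from point 6 concrete, here is an added example (my own toy model, not code from the original post or from Oracle). It keeps a compartment tree that refuses a seventh nesting level, parses statements in the Allow ... to <verb> <resource> in compartment|tenancy shape shown above, and answers "what is the strongest verb this group has on this resource type in this compartment?" by walking the compartment's ancestors, which is exactly how a policy on Compartment-A reaches Compartment-B. The FAMILIES table is a deliberately small assumption, not the full OCI resource-type catalogue, and the tenancy name acme and the group names are constructed sample values.

```python
"""Toy model of OCI compartment nesting and policy inheritance (added example)."""
import re

MAX_NESTING = 6  # sub-compartment levels allowed below the root (tenancy)
VERBS = ["inspect", "read", "use", "manage"]  # weakest to strongest

# Assumption: a small subset of the real family -> resource-type mapping.
FAMILIES = {
    "instance-family": {"instances", "instance-images", "volume-attachments"},
    "object-family": {"buckets", "objects"},
    "database-family": {"db-systems", "databases", "autonomous-databases"},
}

STATEMENT = re.compile(
    r"^allow\s+(group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:tenancy|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


class CompartmentTree:
    """Parent links for one tenancy; the root compartment is the tenancy itself."""

    def __init__(self, tenancy):
        self.tenancy = tenancy
        self.parent = {tenancy: None}

    def depth(self, name):
        """0 for the root, 1 for a direct child, and so on."""
        steps = 0
        while self.parent[name] is not None:
            name = self.parent[name]
            steps += 1
        return steps

    def add(self, name, parent):
        """Create a sub-compartment, refusing to exceed the nesting limit."""
        if name in self.parent:
            raise ValueError(f"{name} already exists (names are unique in this model)")
        depth = self.depth(parent) + 1
        if depth > MAX_NESTING:
            raise ValueError(f"{name} would be {depth} levels deep, limit is {MAX_NESTING}")
        self.parent[name] = parent
        return depth

    def lineage(self, name):
        """The compartment itself, then each ancestor up to the root."""
        chain = [name]
        while self.parent[chain[-1]] is not None:
            chain.append(self.parent[chain[-1]])
        return chain


def parse_policy(statements):
    """Turn policy statement lines into (subject, verb, resource, compartment|None)."""
    parsed = []
    for line in statements:
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"unsupported statement: {line}")
        parsed.append((m["subject"], m["verb"].lower(), m["resource"].lower(), m["compartment"]))
    return parsed


def resource_matches(pattern, resource_type):
    if pattern == "all-resources":
        return True
    if pattern in FAMILIES:
        return resource_type in FAMILIES[pattern]
    return pattern == resource_type


def effective_verb(tree, policy, subject, resource_type, compartment):
    """Strongest verb `subject` holds on `resource_type` in `compartment`.
    Statements on the compartment, on any ancestor, or on the tenancy all
    apply (that is the inheritance). Returns None when nothing grants access."""
    lineage = tree.lineage(compartment)
    best = -1
    for subj, verb, resource, scope in policy:
        if subj != subject or not resource_matches(resource, resource_type):
            continue
        if scope is not None and scope not in lineage:
            continue  # scoped to an unrelated compartment
        best = max(best, VERBS.index(verb))
    return VERBS[best] if best >= 0 else None


if __name__ == "__main__":
    tree = CompartmentTree("acme")  # constructed sample tenancy
    tree.add("Compartment-A", "acme")
    tree.add("Compartment-B", "Compartment-A")
    tree.add("HR", "acme")
    policy = parse_policy([
        "Allow group Administrators to manage all-resources in tenancy",
        "Allow group db-operators to manage database-family in compartment Compartment-A",
        "Allow group hr-admins to manage object-family in compartment HR",
        "Allow dynamic-group OSManagementAgent to read instance-family in compartment Compartment-A",
    ])
    # inherited from Compartment-A into its child Compartment-B
    print(effective_verb(tree, policy, "db-operators", "databases", "Compartment-B"))
    print(effective_verb(tree, policy, "hr-admins", "buckets", "Compartment-A"))
```

Because the walk only ever adds verbs, the model also shows why there is no way to "specify otherwise" in a child compartment: the only lever is the scope of the parent statement.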


7.-You can set quotas on a compartment

Compartment quotas are similar to service limits, except that you set them on a compartment, whereas service limits are set by Oracle on the whole tenancy.

Quotas are set by administrators to limit the amount of resources that can be created inside a compartment; this way you control cost and avoid creating resources that are not needed.

Administrators define them in quota policies, whose statements use a syntax similar to IAM policies.

There are three types of quota statements:

  • set - sets the maximum number of a resource that can be created
  • unset - resets the quota to the default service limit
  • zero - removes access to a cloud resource for a compartment. For example, if you want to prevent the creation of block volumes in a compartment, you create a zero quota for that service.

Within a quota policy, statements are evaluated in order, and later statements supersede earlier statements that target the same resource.

Note: when you move resources from one compartment to another, take into account any quota on the destination compartment; otherwise you will not be able to move or create the resources there until you adjust the quota.
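Here is an added example (my own code, not from the original post or from Oracle) that works through the three statement types and the in-order evaluation rule described above, and then applies the resulting quota to the "moving resources" check. The family names, quota names, service-limit numbers and compartment names (Dev, Prod) are constructed sample values; the statement shapes set ... quota ... to N, unset ... quota ... and zero ... quotas follow the quota language as I understand it, and the model does not try to handle quotas inherited from parent compartments.

```python
"""Evaluator for compartment quota statements (added example, not OCI code)."""
import re

# Assumption: sample service limits, the defaults that apply when a quota is unset.
SERVICE_LIMITS = {
    ("compute", "standard-e2-core-count"): 100,
    ("block-storage", "total-storage-gb"): 10_000,
}

SET = re.compile(
    r"^set\s+(?P<family>\S+)\s+quota\s+(?P<name>\S+)\s+to\s+(?P<value>\d+)"
    r"\s+in\s+compartment\s+(?P<c>\S+)$", re.IGNORECASE)
UNSET = re.compile(
    r"^unset\s+(?P<family>\S+)\s+quota\s+(?P<name>\S+)"
    r"\s+in\s+compartment\s+(?P<c>\S+)$", re.IGNORECASE)
ZERO = re.compile(
    r"^zero\s+(?P<family>\S+)\s+quotas?(?:\s+(?P<name>\S+))?"
    r"\s+in\s+compartment\s+(?P<c>\S+)$", re.IGNORECASE)


def parse_quota_statements(statements):
    """Return (kind, family, name|None, value|None, compartment) per statement."""
    parsed = []
    for line in statements:
        line = line.strip()
        if m := SET.match(line):
            parsed.append(("set", m["family"].lower(), m["name"].lower(), int(m["value"]), m["c"]))
        elif m := UNSET.match(line):
            parsed.append(("unset", m["family"].lower(), m["name"].lower(), None, m["c"]))
        elif m := ZERO.match(line):
            name = m["name"].lower() if m["name"] else None  # None = whole family
            parsed.append(("zero", m["family"].lower(), name, 0, m["c"]))
        else:
            raise ValueError(f"unsupported quota statement: {line}")
    return parsed


def effective_quotas(parsed, compartment):
    """Walk the statements in order; a later statement for the same quota
    replaces an earlier one. Quotas never mentioned fall back to the service limit."""
    quotas = {}
    for kind, family, name, value, scope in parsed:
        if scope != compartment:
            continue
        if name is None:  # "zero <family> quotas": every quota in that family
            targets = [key for key in SERVICE_LIMITS if key[0] == family]
        else:
            targets = [(family, name)]
        for key in targets:
            if kind == "unset":
                quotas.pop(key, None)  # back to the default service limit
            else:
                quotas[key] = value
    return quotas


def limit_for(quotas, family, name):
    key = (family, name)
    return quotas.get(key, SERVICE_LIMITS[key])


def can_move(quotas, family, name, current_usage, amount=1):
    """Would moving `amount` more of this resource into the compartment
    still fit under its effective quota?"""
    return current_usage + amount <= limit_for(quotas, family, name)


if __name__ == "__main__":
    quota_policy = [  # constructed sample statements
        "set compute quota standard-e2-core-count to 20 in compartment Dev",
        "zero block-storage quotas in compartment Dev",
        "set compute quota standard-e2-core-count to 8 in compartment Dev",  # supersedes 20
        "unset compute quota standard-e2-core-count in compartment Prod",
    ]
    dev = effective_quotas(parse_quota_statements(quota_policy), "Dev")
    print(dev)
    print(can_move(dev, "compute", "standard-e2-core-count", current_usage=6, amount=2))
    print(can_move(dev, "block-storage", "total-storage-gb", current_usage=0, amount=50))
```

The third statement silently wins over the first, which is the practical reason to keep quota policies short and to read them top to bottom before assuming a limit is in force.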


OTHER RESOURCES:

Managing compartments
Compartment Quotas
OCI Key Concepts and Terminology
Oracle Cloud Infrastructure Compartments
