turbot/oci_compliance

Control: 5.2 Ensure no resources are created in the root compartment

Description

When you create a cloud resource such as an instance, block volume, or virtual cloud network, you must specify the compartment it belongs to. The root compartment is the tenancy itself (its OCID is the tenancy OCID), so IAM policies that grant access to resources placed there must be written at the tenancy level, which makes those resources difficult to organize and isolate from other workloads.

Remediation

From Console

  1. Log in to the OCI Console.
  2. Click in the search bar at the top of the screen.
  3. Type Advanced Resource Query and press Enter.
  4. Click the Advanced Resource Query button in the upper right of the screen.
  5. Enter the following query into the query box, replacing <tenancy-id> with the tenancy OCID (the root compartment's OCID is the tenancy OCID):
query
VCN, instance, volume, filesystem, bucket, autonomousdatabase, database, dbsystem resources
where compartmentId = '<tenancy-id>'
  6. If the query returns no results, the control passes.
  7. For each item in the returned results, click the item name.
  8. Select Move Resource, or More Actions and then Move Resource.
  9. In CHOOSE NEW COMPARTMENT, select a compartment that is not the root compartment.
  10. Click Move Resource.

From Command Line

  1. Execute the following command, replacing <tenancy-id> with the tenancy OCID:
oci search resource structured-search --query-text "query
VCN, instance, volume, filesystem, bucket, autonomousdatabase, database, dbsystem resources
where compartmentId = '<tenancy-id>'"
  2. If the query returns no results, the control passes.
  3. For each bucket in the results, execute the following command:
oci os bucket update --bucket-name <bucket-name> --compartment-id <not root compartment-id>
  4. For other resources, use the change-compartment command for the resource type:
oci <service-command> <resource-command> change-compartment --<item-id> <item-id> --compartment-id <not root compartment-id>
Example for an Autonomous Database:
oci db autonomous-database change-compartment --autonomous-database-id <autonomous-database-id> --compartment-id <not root compartment-id>
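The following helper is an added example, not part of the oci_compliance mod or the CIS benchmark text. It takes the JSON printed by the oci search resource structured-search command above, re-checks that every item really sits in the root compartment, and turns the manual steps into a reviewable list of move commands so that nothing is moved by hand one item at a time. It assumes the CLI output shape (data.items with identifier, resource-type, compartment-id and display-name keys) and the MOVE_COMMANDS table maps Resource Search type names to the change-compartment commands for those services; buckets are moved with oci os bucket update as on this page, and the Database type is deliberately flagged for review rather than given a guessed command. The sample output, OCIDs and names are constructed.

```python
import json
import shlex

# Constructed sample of what `oci search resource structured-search` prints
# (the OCIDs and names are placeholders, not real resources).
TENANCY_OCID = "ocid1.tenancy.oc1..exampletenancy"
SAMPLE_SEARCH_OUTPUT = json.dumps({
    "data": {
        "items": [
            {"identifier": "ocid1.instance.oc1.iad.exampleinst", "resource-type": "Instance",
             "compartment-id": TENANCY_OCID, "display-name": "web-1"},
            {"identifier": "ocid1.vcn.oc1.iad.examplevcn", "resource-type": "Vcn",
             "compartment-id": TENANCY_OCID, "display-name": "default-vcn"},
            {"identifier": "ocid1.bucket.oc1.iad.examplebucket", "resource-type": "Bucket",
             "compartment-id": TENANCY_OCID, "display-name": "audit-logs"},
            {"identifier": "ocid1.database.oc1.iad.exampledb", "resource-type": "Database",
             "compartment-id": TENANCY_OCID, "display-name": "prod-db"},
        ]
    }
})

# Resource Search type name -> (service, resource, id flag) for the
# `oci <service> <resource> change-compartment` form used on this page.
# Database is intentionally absent: it is reported for manual review instead
# of guessing a command (assumption: it moves together with its DB system).
MOVE_COMMANDS = {
    "Vcn": ("network", "vcn", "--vcn-id"),
    "Instance": ("compute", "instance", "--instance-id"),
    "Volume": ("bv", "volume", "--volume-id"),
    "FileSystem": ("fs", "file-system", "--file-system-id"),
    "AutonomousDatabase": ("db", "autonomous-database", "--autonomous-database-id"),
    "DbSystem": ("db", "system", "--db-system-id"),
}


def root_compartment_items(search_output, tenancy_ocid):
    """Items whose compartment is the root compartment (OCID == tenancy OCID).

    The search query already filters on compartmentId; re-checking here guards
    against pasting the output of a different query."""
    items = json.loads(search_output)["data"]["items"]
    return [i for i in items if i.get("compartment-id") == tenancy_ocid]


def is_compliant(search_output, tenancy_ocid):
    """Step 2 of the procedure: the control passes when nothing is in the root."""
    return not root_compartment_items(search_output, tenancy_ocid)


def target_is_valid(target_compartment, tenancy_ocid):
    """Moving into the root compartment would leave the finding open."""
    return bool(target_compartment) and target_compartment != tenancy_ocid


def remediation_commands(search_output, tenancy_ocid, target_compartment):
    """Return (commands, needs_review): one CLI command per movable resource,
    plus (type, OCID) pairs for resources this script does not know how to move."""
    if not target_is_valid(target_compartment, tenancy_ocid):
        raise ValueError("target compartment must be a non-root compartment OCID")
    commands, needs_review = [], []
    for item in root_compartment_items(search_output, tenancy_ocid):
        rtype = item["resource-type"]
        if rtype == "Bucket":
            # Buckets are addressed by name, not OCID (see the bucket update step above).
            commands.append(
                f"oci os bucket update --bucket-name {shlex.quote(item['display-name'])} "
                f"--compartment-id {target_compartment}"
            )
        elif rtype in MOVE_COMMANDS:
            service, resource, id_flag = MOVE_COMMANDS[rtype]
            commands.append(
                f"oci {service} {resource} change-compartment {id_flag} {item['identifier']} "
                f"--compartment-id {target_compartment}"
            )
        else:
            needs_review.append((rtype, item["identifier"]))
    return commands, needs_review


if __name__ == "__main__":
    target = "ocid1.compartment.oc1..exampletarget"
    print("compliant:", is_compliant(SAMPLE_SEARCH_OUTPUT, TENANCY_OCID))
    cmds, review = remediation_commands(SAMPLE_SEARCH_OUTPUT, TENANCY_OCID, target)
    print("\n".join(cmds))
    for rtype, ocid in review:
        print(f"# review manually: {rtype} {ocid}")
```

Run it against real output by replacing SAMPLE_SEARCH_OUTPUT with the captured stdout of the search command, then read the printed commands before executing any of them; the script only generates commands and never calls the OCI CLI itself.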

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v120_5_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v120_5_2 --share

SQL

This control uses a named query:

manual_control

Tags