blockstorage_block_volume_cmk_encryption_enabledblockstorage_boot_volume_cmk_encryption_enabledcloudguard_enabledcore_default_security_list_allow_icmp_onlycore_instance_encryption_in_transit_enabledcore_instance_legacy_metadata_service_endpoint_disabledcore_instance_secure_boot_enabledcore_network_security_group_restrict_ingress_rdp_allcore_network_security_group_restrict_ingress_ssh_allcore_security_list_restrict_ingress_rdp_allcore_security_list_restrict_ingress_ssh_allcore_subnet_flow_log_enabledevents_rule_notification_cloud_guard_problems_detectedevents_rule_notification_iam_group_changesevents_rule_notification_iam_policy_changesevents_rule_notification_iam_user_changesevents_rule_notification_identity_provider_changesevents_rule_notification_idp_group_mapping_changesevents_rule_notification_local_user_authevents_rule_notification_network_gateway_changesevents_rule_notification_network_security_list_changesevents_rule_notification_route_table_changesevents_rule_notification_security_list_changesevents_rule_notification_vcn_changesfilestorage_filesystem_cmk_encryption_enabledidentity_administrator_user_with_no_api_keyidentity_auth_token_age_90identity_authentication_password_policy_strong_min_length_14identity_default_tagidentity_iam_administrators_no_update_tenancy_administrators_group_permissionidentity_only_administrators_group_with_manage_all_resources_permission_in_tenancyidentity_root_compartment_no_resourcesidentity_tenancy_audit_log_retention_period_365_daysidentity_tenancy_with_one_active_compartmentidentity_user_api_key_age_90identity_user_console_access_mfa_enabledidentity_user_credentials_unused_45_daysidentity_user_customer_secret_key_age_90identity_user_db_credential_age_90identity_user_one_active_api_keyidentity_user_valid_emailkms_cmk_rotation_365manual_controlnotification_topic_with_subscriptionobjectstorage_bucket_cmk_encryption_enabledobjectstorage_bucket_public_access_blockedobjectstorage_bucket_versioning_enabledobjectstorage_bucket_write_logging_enabledoracle_autonomous_database_not_publicly_accessible
Query: identity_root_compartment_no_resources
Usage
powerpipe query oci_compliance.query.identity_root_compartment_no_resources
SQL
with tenancy as ( select id, tenant_id, tenant_name, _ctx from oci_identity_tenancy), root_resource_counts as ( select t.id as root_compartment_id, 'VCN' as resource_type, count(*) as resource_count from tenancy t join oci_core_vcn v on v.compartment_id = t.id group by t.id union all select t.id as root_compartment_id, 'Instance' as resource_type, count(*) as resource_count from tenancy t join oci_core_instance i on i.compartment_id = t.id where coalesce(i.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING') group by t.id union all select t.id as root_compartment_id, 'Boot Volume' as resource_type, count(*) as resource_count from tenancy t join oci_core_boot_volume b on b.compartment_id = t.id where coalesce(b.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING', 'DELETED') group by t.id union all select t.id as root_compartment_id, 'Block Volume' as resource_type, count(*) as resource_count from tenancy t join oci_core_volume vol on vol.compartment_id = t.id where coalesce(vol.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING', 'DELETED') group by t.id union all select t.id as root_compartment_id, 'Volume Group' as resource_type, count(*) as resource_count from tenancy t join oci_core_volume_group vg on vg.compartment_id = t.id where coalesce(vg.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING', 'DELETED') group by t.id union all select t.id as root_compartment_id, 'File System' as resource_type, count(*) as resource_count from tenancy t join oci_file_storage_file_system fs on fs.compartment_id = t.id where coalesce(fs.lifecycle_state, '') not in ('DELETED', 'DELETING') group by t.id union all select t.id as root_compartment_id, 'Object Storage Bucket' as resource_type, count(*) as resource_count from tenancy t join oci_objectstorage_bucket bucket on bucket.compartment_id = t.id group by t.id union all select t.id as root_compartment_id, 'Autonomous Database' as resource_type, count(*) as resource_count from tenancy t join oci_database_autonomous_database adb on adb.compartment_id = t.id where coalesce(adb.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING', 'DELETED') group by t.id union all select t.id as root_compartment_id, 'DB System' as resource_type, count(*) as resource_count from tenancy t join oci_database_db_system dbs on dbs.compartment_id = t.id where coalesce(dbs.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING', 'DELETED') group by t.id union all select t.id as root_compartment_id, 'Load Balancer' as resource_type, count(*) as resource_count from tenancy t join oci_core_load_balancer lb on lb.compartment_id = t.id where coalesce(lb.lifecycle_state, '') not in ('TERMINATED', 'TERMINATING', 'DELETED') group by t.id), summary as ( select root_compartment_id, sum(resource_count) as total_resources, string_agg(format('%s=%s', resource_type, resource_count), ', ' order by resource_type) as resource_breakdown from root_resource_counts group by root_compartment_id)select t.id as resource, case when coalesce(s.total_resources, 0) > 0 then 'alarm' else 'ok' end as status, case when coalesce(s.total_resources, 0) > 0 then format( 'Root compartment contains %s resource(s): %s.', s.total_resources, coalesce(s.resource_breakdown, 'unknown') ) else 'No resources created in root compartment.' end as reason , t.tenant_name as tenantfrom tenancy t left join summary s on s.root_compartment_id = t.id;
Controls
The query is being used by the following controls: