From a8c643d1df9ea7d437840096c16c922d1b1b4c9d Mon Sep 17 00:00:00 2001
From: Stacey Salamon <stacey.salamon@aiven.io>
Date: Mon, 25 Nov 2024 20:38:39 +0100
Subject: [PATCH] docs: add org level permissions example

---
 docs/resources/organization_permission.md     | 45 ++++++++++++++++---
 .../aiven_organization_permission/resource.tf | 41 +++++++++++++++--
 .../organization/organization_permission.go   |  2 +-
 3 files changed, 77 insertions(+), 11 deletions(-)

diff --git a/docs/resources/organization_permission.md b/docs/resources/organization_permission.md
index e78a56fc1..9fbda7032 100644
--- a/docs/resources/organization_permission.md
+++ b/docs/resources/organization_permission.md
@@ -3,22 +3,24 @@
 page_title: "aiven_organization_permission Resource - terraform-provider-aiven"
 subcategory: ""
 description: |-
-  Grants roles and permissions https://aiven.io/docs/platform/concepts/permissions to a principal for a resource.
+  Grants roles and permissions https://aiven.io/docs/platform/concepts/permissions to a principal for a resource. Permissions can be granted at the organization, organizational unit, and project level. Unit-level permissions aren't shown in the Aiven Console.
 ---
 
 # aiven_organization_permission (Resource)
 
-Grants [roles and permissions](https://aiven.io/docs/platform/concepts/permissions) to a principal for a resource.
+Grants [roles and permissions](https://aiven.io/docs/platform/concepts/permissions) to a principal for a resource. Permissions can be granted at the organization, organizational unit, and project level. Unit-level permissions aren't shown in the Aiven Console.
 
 ## Example Usage
 
 ```terraform
-resource "aiven_organization_permission" "example_permissions" {
+# Grant access to a specific project
+resource "aiven_organization_permission" "example_project_permissions" {
   organization_id = data.aiven_organization.main.id
   resource_id     = data.aiven_project.example_project.id
   resource_type   = "project"
   permissions {
-    # Grant the operator role and permission to read service logs to a user
+    # Grant a user the operator role and 
+    # permission to read service logs
     permissions = [
       "operator",
       "service:logs:read"
@@ -26,17 +28,48 @@ resource "aiven_organization_permission" "example_permissions" {
     principal_id   = "u123a456b7890c"
     principal_type = "user"
   }
-  # Grant write project integrations and read project networking permissions, and the developer role to a group
+  # Grant a group the write project integrations 
+  # permission and the developer role 
   permissions {
     permissions = [
       "project:integrations:write",
-      "project:networking:read",
       "developer"
     ]
     principal_id   = data.aiven_organization_user_group.example_group.group_id
     principal_type = "user_group"
   }
 }
+
+# Organization-level permissions
+resource "aiven_organization_permission" "example_org_permissions" {
+  organization_id = data.aiven_organization.main.id
+  resource_id     = data.aiven_organization.main.id
+  resource_type   = "organization"
+
+  # Grant a user permission to manage application 
+  # users and view all project audit logs
+  permissions {
+    permissions = [
+      "organization:app_users:write",
+      "project:audit_logs:read"
+    ]
+    principal_id   = "u123a456b7890c" 
+    principal_type = "user"
+  }
+
+  # Grant a group permission to manage users,
+  # groups, domains, and identity providers
+  permissions {
+    permissions = [
+      "organization:users:write",
+      "organization:groups:write",
+      "organization:domains:write",
+      "organization:idps:write"
+    ]
+    principal_id   = aiven_organization_user_group.example_group.group_id
+    principal_type = "user_group"
+  }
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
diff --git a/examples/resources/aiven_organization_permission/resource.tf b/examples/resources/aiven_organization_permission/resource.tf
index bd5c391ce..6afdce5fb 100644
--- a/examples/resources/aiven_organization_permission/resource.tf
+++ b/examples/resources/aiven_organization_permission/resource.tf
@@ -1,9 +1,11 @@
-resource "aiven_organization_permission" "example_permissions" {
+# Grant access to a specific project
+resource "aiven_organization_permission" "example_project_permissions" {
   organization_id = data.aiven_organization.main.id
   resource_id     = data.aiven_project.example_project.id
   resource_type   = "project"
   permissions {
-    # Grant the operator role and permission to read service logs to a user
+    # Grant a user the operator role and 
+    # permission to read service logs
     permissions = [
       "operator",
       "service:logs:read"
@@ -11,14 +13,45 @@ resource "aiven_organization_permission" "example_permissions" {
     principal_id   = "u123a456b7890c"
     principal_type = "user"
   }
-  # Grant write project integrations and read project networking permissions, and the developer role to a group
+  # Grant a group the write project integrations 
+  # permission and the developer role 
   permissions {
     permissions = [
       "project:integrations:write",
-      "project:networking:read",
       "developer"
     ]
     principal_id   = data.aiven_organization_user_group.example_group.group_id
     principal_type = "user_group"
   }
 }
+
+# Organization-level permissions
+resource "aiven_organization_permission" "example_org_permissions" {
+  organization_id = data.aiven_organization.main.id
+  resource_id     = data.aiven_organization.main.id
+  resource_type   = "organization"
+
+  # Grant a user permission to manage application 
+  # users and view all project audit logs
+  permissions {
+    permissions = [
+      "organization:app_users:write",
+      "project:audit_logs:read"
+    ]
+    principal_id   = "u123a456b7890c" 
+    principal_type = "user"
+  }
+
+  # Grant a group permission to manage users,
+  # groups, domains, and identity providers
+  permissions {
+    permissions = [
+      "organization:users:write",
+      "organization:groups:write",
+      "organization:domains:write",
+      "organization:idps:write"
+    ]
+    principal_id   = aiven_organization_user_group.example_group.group_id
+    principal_type = "user_group"
+  }
+}
diff --git a/internal/sdkprovider/service/organization/organization_permission.go b/internal/sdkprovider/service/organization/organization_permission.go
index 5e87bb56f..7212d4c98 100644
--- a/internal/sdkprovider/service/organization/organization_permission.go
+++ b/internal/sdkprovider/service/organization/organization_permission.go
@@ -72,7 +72,7 @@ var permissionFields = map[string]*schema.Schema{
 
 func ResourceOrganizationalPermission() *schema.Resource {
 	return &schema.Resource{
-		Description:   "Grants [roles and permissions](https://aiven.io/docs/platform/concepts/permissions) to a principal for a resource.",
+		Description:   "Grants [roles and permissions](https://aiven.io/docs/platform/concepts/permissions) to a principal for a resource. Permissions can be granted at the organization, organizational unit, and project level. Unit-level permissions aren't shown in the Aiven Console.",
 		CreateContext: common.WithGenClient(resourceOrganizationalPermissionUpsert),
 		ReadContext:   common.WithGenClient(resourceOrganizationalPermissionRead),
 		UpdateContext: common.WithGenClient(resourceOrganizationalPermissionUpsert),