PostHog
diff --git a/‎README.md‎
Lines changed: 2 additions & 1 deletion b/‎README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/data-sources/user.md‎
Lines changed: 49 additions & 0 deletions b/‎docs/data-sources/user.md‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎docs/resources/access_control.md‎
Lines changed: 149 additions & 0 deletions b/‎docs/resources/access_control.md‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎docs/resources/organization_member.md‎
Lines changed: 73 additions & 0 deletions b/‎docs/resources/organization_member.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎docs/resources/project_default_access.md‎
Lines changed: 65 additions & 0 deletions b/‎docs/resources/project_default_access.md‎
Lines changed: 65 additions & 0 deletions
@@ -75,7 +75,8 @@ Acceptance tests run against a real PostHog instance and create actual resources
 export POSTHOG_API_KEY="your-api-key"
 export POSTHOG_PROJECT_ID="12345"
 export POSTHOG_HOST="https://us.posthog.com"
-export POSTHOG_ORGANIZATION_ID="your-org-uuid"  # Required for project resource tests
+export POSTHOG_ORGANIZATION_ID="your-org-uuid"   # Default for organization-scoped resources
+export POSTHOG_TEST_USER_EMAIL="user@example.com" # Email of existing org member for membership tests (not the one who owns the token)
 
 make testacc
 ```
 
@@ -0,0 +1,49 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "posthog_user Data Source - posthog"
+subcategory: ""
+description: |-
+  Look up a user by email within an organization. The user must be a member of the organization.
+---
+
+# posthog_user (Data Source)
+
+Look up a user by email within an organization. The user must be a member of the organization.
+
+## Example Usage
+
+```terraform
+# Look up a user by their email address
+data "posthog_user" "alice" {
+  organization_id = "your-organization-uuid"
+  email           = "alice@example.com"
+}
+
+# Use the user's UUID in other resources
+output "alice_uuid" {
+  value = data.posthog_user.alice.uuid
+}
+
+output "alice_name" {
+  value = "${data.posthog_user.alice.first_name} ${data.posthog_user.alice.last_name}"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `email` (String) The email address of the user to look up.
+
+### Optional
+
+- `organization_id` (String) The organization ID to search for the user in. Defaults to the provider-level organization_id.
+
+### Read-Only
+
+- `first_name` (String) The first name of the user.
+- `is_email_verified` (Boolean) Whether the user's email address has been verified.
+- `last_name` (String) The last name of the user.
+- `organization_member_id` (String) The organization membership ID. Use this for `organization_member` in access controls.
+- `uuid` (String) The UUID of the user.
@@ -0,0 +1,149 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "posthog_access_control Resource - posthog"
+subcategory: ""
+description: |-
+  Manages access control for resources within a PostHog project.
+  This resource allows you to set access levels for resource types (like feature flags, dashboards, etc.).
+  You can set permissions at three levels:
+  Project default: Applies to everyone in the project for this resource type. Omit both role and organization_member.Role-specific: Applies to members of a specific role. Set role.Member-specific: Applies to a specific organization member. Set organization_member.
+  Additionally, you can scope to:
+  Resource-type level: Applies to all resources of a type (e.g., all dashboards). Omit resource_id.Resource-instance level: Applies to a specific resource (e.g., one dashboard). Set resource_id.
+  You can combine these: set a project default for all dashboards, or set a project default for a specific dashboard.
+  ~> Note: role and organization_member are mutually exclusive - you cannot specify both. Omit both for project defaults.
+  ~> Enterprise Feature: Role-based access control (RBAC) requires a PostHog Enterprise plan. See Access Control documentation https://posthog.com/docs/settings/access-control for more details.
+---
+
+# posthog_access_control (Resource)
+
+Manages access control for resources within a PostHog project.
+
+This resource allows you to set access levels for resource types (like feature flags, dashboards, etc.).
+
+You can set permissions at three levels:
+- **Project default**: Applies to everyone in the project for this resource type. Omit both `role` and `organization_member`.
+- **Role-specific**: Applies to members of a specific role. Set `role`.
+- **Member-specific**: Applies to a specific organization member. Set `organization_member`.
+
+Additionally, you can scope to:
+- **Resource-type level**: Applies to all resources of a type (e.g., all dashboards). Omit `resource_id`.
+- **Resource-instance level**: Applies to a specific resource (e.g., one dashboard). Set `resource_id`.
+
+You can combine these: set a project default for all dashboards, or set a project default for a specific dashboard.
+
+~> **Note:** `role` and `organization_member` are mutually exclusive - you cannot specify both. Omit both for project defaults.
+
+~> **Enterprise Feature:** Role-based access control (RBAC) requires a PostHog Enterprise plan. See [Access Control documentation](https://posthog.com/docs/settings/access-control) for more details.
+
+## Example Usage
+
+```terraform
+# --- Project Defaults (no role or organization_member) ---
+
+# Set project-wide default: everyone can view surveys
+resource "posthog_access_control" "surveys_project_default" {
+  resource     = "survey"
+  access_level = "viewer"
+}
+
+# Set default for a specific dashboard: everyone can view this dashboard
+resource "posthog_access_control" "analytics_dashboard_default" {
+  resource     = "dashboard"
+  resource_id  = posthog_dashboard.analytics.id
+  access_level = "viewer"
+}
+
+# --- Role-based Access ---
+
+# Grant a role editor access to all feature flags in the project
+resource "posthog_access_control" "engineering_feature_flags" {
+  resource     = "feature_flag"
+  access_level = "editor"
+  role         = posthog_role.engineering.id
+}
+
+# Grant a role viewer access to all dashboards
+resource "posthog_access_control" "support_dashboards" {
+  resource     = "dashboard"
+  access_level = "viewer"
+  role         = posthog_role.support.id
+}
+
+# Grant a role viewer access to a specific dashboard
+resource "posthog_access_control" "support_analytics_dashboard" {
+  resource     = "dashboard"
+  resource_id  = posthog_dashboard.analytics.id
+  access_level = "viewer"
+  role         = posthog_role.support.id
+}
+
+# Explicitly deny a role access to experiments (access_level = "none")
+resource "posthog_access_control" "support_no_experiments" {
+  resource     = "experiment"
+  access_level = "none"
+  role         = posthog_role.support.id
+}
+
+# --- User-specific Access ---
+
+# Grant a specific user editor access to a specific dashboard
+resource "posthog_access_control" "alice_analytics_dashboard" {
+  resource            = "dashboard"
+  resource_id         = posthog_dashboard.analytics.id
+  access_level        = "editor"
+  organization_member = posthog_organization_member.alice.id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `access_level` (String) The access level to grant. Common values are `none`, `viewer`, `editor`.
+- `resource` (String) The resource type to control access for. Valid values include: `action`, `alert`, `annotation`, `cohort`, `dashboard`, `experiment`, `feature_flag`, `insight`, `notebook`, `session_recording`, `survey`, etc.
+
+### Optional
+
+- `organization_member` (String) The organization member ID to grant access to (either `organization_member_id` from `posthog_user` data source, or `posthog_organization_member.<name>.id`). Mutually exclusive with `role`. If neither `role` nor `organization_member` is set, this becomes the project default for the resource type.
+- `project_id` (String) Project ID (environment) for this resource. Overrides the provider-level project_id.
+- `resource_id` (String) The ID of a specific resource to control access for. If omitted, the access control applies to all resources of the specified type.
+- `role` (String) The UUID of the role to grant access to. Mutually exclusive with `organization_member`. If neither `role` nor `organization_member` is set, this becomes the project default for the resource type.
+
+### Read-Only
+
+- `created_at` (String) Timestamp when the access control was created.
+- `id` (String) Composite identifier for the access control.
+- `updated_at` (String) Timestamp when the access control was last updated.
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+# Import format for project default (all resources of a type):
+# project_id/resource_type/default
+terraform import posthog_access_control.surveys_project_default 12345/survey/default
+
+# Import format for project default on a specific resource:
+# project_id/resource_type/resource_id/default
+terraform import posthog_access_control.analytics_dashboard_default 12345/dashboard/999/default
+
+# Import format for role-based access control (resource type level):
+# project_id/resource_type/role/role_id
+terraform import posthog_access_control.engineering_feature_flags 12345/feature_flag/role/abc-123-def
+
+# Import format for member-based access control (resource type level):
+# project_id/resource_type/member/member_id
+terraform import posthog_access_control.alice_dashboards 12345/dashboard/member/xyz-456-uvw
+
+# Import format for role-based access control (specific resource):
+# project_id/resource_type/resource_id/role/role_id
+terraform import posthog_access_control.role_specific_dashboard 12345/dashboard/999/role/abc-123-def
+
+# Import format for member-based access control (specific resource):
+# project_id/resource_type/resource_id/member/member_id
+terraform import posthog_access_control.alice_specific_dashboard 12345/dashboard/999/member/xyz-456-uvw
+```
@@ -0,0 +1,73 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "posthog_organization_member Resource - posthog"
+subcategory: ""
+description: |-
+  Manages a user's membership in a PostHog organization.
+  ~> Warning: By default, destroying this resource will remove the user from the organization entirely.
+  Set retain_on_destroy = true to keep the user in the organization when the resource is destroyed.
+  Users must already be members of the organization (e.g., via invite) before this resource can manage them.
+---
+
+# posthog_organization_member (Resource)
+
+Manages a user's membership in a PostHog organization.
+
+~> **Warning:** By default, destroying this resource will **remove the user from the organization entirely**.
+Set `retain_on_destroy = true` to keep the user in the organization when the resource is destroyed.
+Users must already be members of the organization (e.g., via invite) before this resource can manage them.
+
+## Example Usage
+
+```terraform
+# Look up an existing user by email
+data "posthog_user" "alice" {
+  organization_id = "your-organization-uuid"
+  email           = "alice@example.com"
+}
+
+# Manage Alice's organization membership level
+# Note: The user must already be a member of the organization (e.g., via invite)
+resource "posthog_organization_member" "alice" {
+  organization_id = "your-organization-uuid"
+  user_uuid       = data.posthog_user.alice.uuid
+  level           = "admin" # or "member" / "owner"
+
+  # Set to true to keep the user in the organization when this resource is destroyed.
+  # By default, destroying this resource removes the user from the organization entirely.
+  retain_on_destroy = true
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `user_uuid` (String) The UUID of the user. Use the posthog_user data source to look up users by email.
+
+### Optional
+
+- `level` (String) The access level for the member. Valid values are 'member', 'admin', or 'owner'. Defaults to 'member'.
+- `organization_id` (String) Organization ID for this resource. Overrides the provider-level organization_id.
+- `retain_on_destroy` (Boolean) If true, the user will remain in the organization when this resource is destroyed. Defaults to false.
+
+### Read-Only
+
+- `email` (String) The email address of the user.
+- `first_name` (String) The first name of the user.
+- `id` (String) The member ID.
+- `is_2fa_enabled` (Boolean) Whether two-factor authentication is enabled for the user.
+- `joined_at` (String) Timestamp when the user joined the organization.
+- `last_name` (String) The last name of the user.
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+# Import an organization member using the format: organization_id/user_uuid
+terraform import posthog_organization_member.alice your-organization-uuid/user-uuid
+```
@@ -0,0 +1,65 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "posthog_project_default_access Resource - posthog"
+subcategory: ""
+description: |-
+  Sets the default access level for a PostHog project.
+  This determines the baseline access level for all organization members who don't have explicit access granted via roles or direct membership.
+  ~> Note: There is only one default access level per project. This resource is a singleton - creating multiple instances for the same project will cause conflicts.
+  ~> Destroy Behavior: Destroying this resource resets the default access level to none (most restrictive). It does not restore the previous value.
+  ~> Enterprise Feature: Role-based access control (RBAC) requires a PostHog Enterprise plan. See Access Control documentation https://posthog.com/docs/settings/access-control for more details.
+---
+
+# posthog_project_default_access (Resource)
+
+Sets the default access level for a PostHog project.
+
+This determines the baseline access level for all organization members who don't have explicit access granted via roles or direct membership.
+
+~> **Note:** There is only one default access level per project. This resource is a singleton - creating multiple instances for the same project will cause conflicts.
+
+~> **Destroy Behavior:** Destroying this resource resets the default access level to `none` (most restrictive). It does not restore the previous value.
+
+~> **Enterprise Feature:** Role-based access control (RBAC) requires a PostHog Enterprise plan. See [Access Control documentation](https://posthog.com/docs/settings/access-control) for more details.
+
+## Example Usage
+
+```terraform
+# Set the default access level for a project
+# Everyone without explicit access will have this level
+resource "posthog_project_default_access" "restrictive" {
+  project_id   = "your-project-id"
+  access_level = "none" # Options: none, member, admin
+}
+
+# Use with provider-level project_id
+resource "posthog_project_default_access" "default" {
+  access_level = "member"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `access_level` (String) The default access level for the project. Valid values are `none`, `member`, or `admin`.
+
+### Optional
+
+- `project_id` (String) Project ID (environment) for this resource. Overrides the provider-level project_id.
+
+### Read-Only
+
+- `id` (String) The project ID (used as the resource identifier).
+
+## Import
+
+Import is supported using the following syntax:
+
+The [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import) can be used, for example:
+
+```shell
+# Import using the project_id
+terraform import posthog_project_default_access.example your-project-id
+```