fix: multiple setup steps (#773)

* fix: multiple setup steps

* fix: test set up started

* fix: possible nil pointers in setup

* fix: validate executed step

cmd/zitadel/setup.yaml

@@ -23,52 +23,58 @@ Eventstore:
       MaxCacheSizeInByte: 10485760 #10mb
 
 SetUp:
-  GlobalOrg: 'Global'
+  Step1:
-  IAMProject: 'Zitadel'
+    GlobalOrg: 'Global'
-  DefaultLoginPolicy:
+    IAMProject: 'Zitadel'
-    AllowUsernamePassword: true
+    DefaultLoginPolicy:
-    AllowRegister: true
+      AllowUsernamePassword: true
-    AllowExternalIdp: true
+      AllowRegister: true
-  Orgs:
+      AllowExternalIdp: true
-    - Name: 'Global'
+    Orgs:
-      Domain: 'global.caos.ch'
+      - Name: 'Global'
-      Default: true
+        Domain: 'global.caos.ch'
-      OrgIamPolicy: true
+        Default: true
-      Users:
+        OrgIamPolicy: true
-        - FirstName: 'Global Org'
+        Users:
-          LastName: 'Administrator'
+          - FirstName: 'Global Org'
-          UserName: 'zitadel-global-org-admin@caos.ch'
+            LastName: 'Administrator'
-          Email: 'zitadel-global-org-admin@caos.ch'
+            UserName: 'zitadel-global-org-admin@caos.ch'
-          Password: 'Password1!'
+            Email: 'zitadel-global-org-admin@caos.ch'
-      Owners:
+            Password: 'Password1!'
-        - 'zitadel-global-org-admin@caos.ch'
+        Owners:
-    - Name: 'CAOS AG'
+          - 'zitadel-global-org-admin@caos.ch'
-      Domain: 'caos.ch'
+      - Name: 'CAOS AG'
-      Users:
+        Domain: 'caos.ch'
-        - FirstName: 'Zitadel'
+        Users:
-          LastName: 'Administrator'
+          - FirstName: 'Zitadel'
-          UserName: 'zitadel-admin'
+            LastName: 'Administrator'
-          Email: 'zitadel-admin@caos.ch'
+            UserName: 'zitadel-admin'
-          Password: 'Password1!'
+            Email: 'zitadel-admin@caos.ch'
-      Owners:
+            Password: 'Password1!'
-        - 'zitadel-admin@caos.ch'
+        Owners:
-      Projects:
+          - 'zitadel-admin@caos.ch'
-        - Name: 'Zitadel'
+        Projects:
-          OIDCApps:
+          - Name: 'Zitadel'
-            - Name: 'Management-API'
+            OIDCApps:
-            - Name: 'Auth-API'
+              - Name: 'Management-API'
-            - Name: 'Admin-API'
+              - Name: 'Auth-API'
-            - Name: 'Zitadel Console'
+              - Name: 'Admin-API'
-              RedirectUris:
+              - Name: 'Zitadel Console'
-                - '$ZITADEL_CONSOLE/auth/callback'
+                RedirectUris:
-              PostLogoutRedirectUris:
+                  - '$ZITADEL_CONSOLE/auth/callback'
-                - '$ZITADEL_CONSOLE/signedout'
+                PostLogoutRedirectUris:
-              ResponseTypes:
+                  - '$ZITADEL_CONSOLE/signedout'
-                - $ZITADEL_CONSOLE_RESPONSE_TYPE
+                ResponseTypes:
-              GrantTypes:
+                  - $ZITADEL_CONSOLE_RESPONSE_TYPE
-                - $ZITADEL_CONSOLE_GRANT_TYPE
+                GrantTypes:
-              ApplicationType: 'USER_AGENT'
+                  - $ZITADEL_CONSOLE_GRANT_TYPE
-              AuthMethodType: 'NONE'
+                ApplicationType: 'USER_AGENT'
-              DevMode: $ZITADEL_CONSOLE_DEV_MODE
+                AuthMethodType: 'NONE'
-  Owners:
+                DevMode: $ZITADEL_CONSOLE_DEV_MODE
-    - 'zitadel-admin@caos.ch'
+    Owners:
+      - 'zitadel-admin@caos.ch'
+  #TODO: label policy
+  # Step2:
+  #   DefaulLabelPolicy:
+  #     PrimaryColor: green
+  #     SecondaryColor: red

internal/api/api.go

@@ -77,10 +77,10 @@ func (a *API) healthHandler() http.Handler {
 			if err != nil && !errors.IsNotFound(err) {
 				return errors.ThrowPreconditionFailed(err, "API-dsgT2", "IAM SETUP CHECK FAILED")
 			}
-			if iam == nil || !iam.SetUpStarted {
+			if iam == nil || iam.SetUpStarted < iam_model.StepCount-1 {
 				return errors.ThrowPreconditionFailed(nil, "API-HBfs3", "IAM NOT SET UP")
 			}
-			if !iam.SetUpDone {
+			if iam.SetUpDone < iam_model.StepCount-1 {
 				return errors.ThrowPreconditionFailed(nil, "API-DASs2", "IAM SETUP RUNNING")
 			}
 			return nil

internal/api/grpc/management/iam_converter.go

@@ -9,7 +9,19 @@ func iamFromModel(iam *iam_model.IAM) *management.Iam {
 	return &management.Iam{
 		IamProjectId: iam.IAMProjectID,
 		GlobalOrgId:  iam.GlobalOrgID,
-		SetUpDone:    iam.SetUpDone,
+		SetUpDone:    iamSetupStepFromModel(iam.SetUpDone),
-		SetUpStarted: iam.SetUpStarted,
+		SetUpStarted: iamSetupStepFromModel(iam.SetUpStarted),
+	}
+}
+
+func iamSetupStepFromModel(step iam_model.Step) management.IamSetupStep {
+	switch step {
+	case iam_model.Step1:
+		return management.IamSetupStep_iam_setup_step_1
+		//TODO: label policy
+	// case iam_model.Step2:
+	// 	return management.IamSetupStep_iam_setup_step_2
+	default:
+		return management.IamSetupStep_iam_setup_step_UNDEFINED
 	}
 }

internal/auth/repository/eventsourcing/handler/user_grant.go

@@ -5,13 +5,13 @@ import (
 	"strings"
 
 	"github.com/caos/logging"
-
 	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_events "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
@@ -309,7 +309,8 @@ func (u *UserGrant) setIamProjectID() error {
 	if err != nil {
 		return err
 	}
-	if !iam.SetUpDone {
+
+	if iam.SetUpDone < iam_model.StepCount-1 {
 		return caos_errs.ThrowPreconditionFailed(nil, "HANDL-s5DTs", "Setup not done")
 	}
 	u.iamProjectID = iam.IAMProjectID

internal/authz/repository/eventsourcing/eventstore/user_grant.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/authz/repository/eventsourcing/view"
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_event "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
 	"github.com/caos/zitadel/internal/usergrant/repository/view/model"
@@ -71,7 +72,7 @@ func (repo *UserGrantRepo) FillIamProjectID(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	if !iam.SetUpDone {
+	if iam.SetUpDone < iam_model.StepCount-1 {
 		return caos_errs.ThrowPreconditionFailed(nil, "EVENT-skiwS", "Setup not done")
 	}
 	repo.IamProjectID = iam.IAMProjectID

internal/authz/repository/eventsourcing/handler/user_grant.go

@@ -12,6 +12,7 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/models"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	iam_events "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
@@ -212,7 +213,7 @@ func (u *UserGrant) setIamProjectID() error {
 	if err != nil {
 		return err
 	}
-	if !iam.SetUpDone {
+	if iam.SetUpDone < iam_model.StepCount-1 {
 		return caos_errs.ThrowPreconditionFailed(nil, "HANDL-s5DTs", "Setup not done")
 	}
 	u.iamProjectID = iam.IAMProjectID

internal/iam/model/iam.go

@@ -4,12 +4,22 @@ import (
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 )
 
+type Step int
+
+const (
+	Step1 Step = iota + 1
+	//TODO: label policy
+	// Step2
+	//StepCount marks the the length of possible steps (StepCount-1 == last possible step)
+	StepCount
+)
+
 type IAM struct {
 	es_models.ObjectRoot
 	GlobalOrgID        string
 	IAMProjectID       string
-	SetUpDone          bool
+	SetUpDone          Step
-	SetUpStarted       bool
+	SetUpStarted       Step
 	Members            []*IAMMember
 	IDPs               []*IDPConfig
 	DefaultLoginPolicy *LoginPolicy

internal/iam/repository/eventsourcing/eventstore.go

@@ -60,32 +60,37 @@ func (es *IAMEventstore) IAMByID(ctx context.Context, id string) (*iam_model.IAM
 	return model.IAMToModel(iam), nil
 }
 
-func (es *IAMEventstore) StartSetup(ctx context.Context, iamID string) (*iam_model.IAM, error) {
+func (es *IAMEventstore) StartSetup(ctx context.Context, iamID string, step iam_model.Step) (*iam_model.IAM, error) {
 	iam, err := es.IAMByID(ctx, iamID)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return nil, err
 	}
 
-	if iam != nil && iam.SetUpStarted {
+	if iam != nil && (iam.SetUpStarted >= step || iam.SetUpStarted != iam.SetUpDone) {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9so34", "Setup already started")
 	}
 
-	repoIam := &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: iamID}}
+	repoIAM := &model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: iamID}, SetUpStarted: model.Step(step)}
-	createAggregate := IAMSetupStartedAggregate(es.AggregateCreator(), repoIam)
+	if iam != nil {
-	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, createAggregate)
+		repoIAM.ObjectRoot = iam.ObjectRoot
+	}
+	createAggregate := IAMSetupStartedAggregate(es.AggregateCreator(), repoIAM)
+	err = es_sdk.Push(ctx, es.PushAggregates, repoIAM.AppendEvents, createAggregate)
 	if err != nil {
 		return nil, err
 	}
 
-	es.iamCache.cacheIAM(repoIam)
+	es.iamCache.cacheIAM(repoIAM)
-	return model.IAMToModel(repoIam), nil
+	return model.IAMToModel(repoIAM), nil
 }
 
-func (es *IAMEventstore) SetupDone(ctx context.Context, iamID string) (*iam_model.IAM, error) {
+func (es *IAMEventstore) SetupDone(ctx context.Context, iamID string, step iam_model.Step) (*iam_model.IAM, error) {
 	iam, err := es.IAMByID(ctx, iamID)
 	if err != nil {
 		return nil, err
 	}
+	iam.SetUpDone = step
+
 	repoIam := model.IAMFromModel(iam)
 	createAggregate := IAMSetupDoneAggregate(es.AggregateCreator(), repoIam)
 	err = es_sdk.Push(ctx, es.PushAggregates, repoIam.AppendEvents, createAggregate)

internal/iam/repository/eventsourcing/eventstore_test.go

@@ -79,9 +79,10 @@ func TestSetUpStarted(t *testing.T) {
 		es    *IAMEventstore
 		ctx   context.Context
 		iamID string
+		step  iam_model.Step
 	}
 	type res struct {
-		iam     *model.IAM
+		iam     *iam_model.IAM
 		errFunc func(err error) bool
 	}
 	tests := []struct {
@@ -95,9 +96,10 @@ func TestSetUpStarted(t *testing.T) {
 				es:    GetMockManipulateIamNotExisting(ctrl),
 				ctx:   authz.NewMockContext("orgID", "userID"),
 				iamID: "iamID",
+				step:  iam_model.Step1,
 			},
 			res: res{
-				iam: &model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: true},
+				iam: &iam_model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: iam_model.Step1},
 			},
 		},
 		{
@@ -106,6 +108,7 @@ func TestSetUpStarted(t *testing.T) {
 				es:    GetMockManipulateIam(ctrl),
 				ctx:   authz.NewMockContext("orgID", "userID"),
 				iamID: "iamID",
+				step:  iam_model.Step1,
 			},
 			res: res{
 				errFunc: caos_errs.IsPreconditionFailed,
@@ -114,8 +117,9 @@ func TestSetUpStarted(t *testing.T) {
 		{
 			name: "setup iam no id",
 			args: args{
-				es:  GetMockManipulateIam(ctrl),
+				es:   GetMockManipulateIam(ctrl),
-				ctx: authz.NewMockContext("orgID", "userID"),
+				ctx:  authz.NewMockContext("orgID", "userID"),
+				step: iam_model.Step1,
 			},
 			res: res{
 				errFunc: caos_errs.IsPreconditionFailed,
@@ -124,7 +128,7 @@ func TestSetUpStarted(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.StartSetup(tt.args.ctx, tt.args.iamID)
+			result, err := tt.args.es.StartSetup(tt.args.ctx, tt.args.iamID, tt.args.step)
 
 			if tt.res.errFunc == nil && result.AggregateID == "" {
 				t.Errorf("result has no id")
@@ -145,9 +149,10 @@ func TestSetUpDone(t *testing.T) {
 		es    *IAMEventstore
 		ctx   context.Context
 		iamID string
+		step  iam_model.Step
 	}
 	type res struct {
-		iam     *model.IAM
+		iam     *iam_model.IAM
 		errFunc func(err error) bool
 	}
 	tests := []struct {
@@ -161,16 +166,18 @@ func TestSetUpDone(t *testing.T) {
 				es:    GetMockManipulateIam(ctrl),
 				ctx:   authz.NewMockContext("orgID", "userID"),
 				iamID: "iamID",
+				step:  iam_model.Step1,
 			},
 			res: res{
-				iam: &model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: true, SetUpDone: true},
+				iam: &iam_model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: iam_model.Step1, SetUpDone: iam_model.Step1},
 			},
 		},
 		{
 			name: "setup iam no id",
 			args: args{
-				es:  GetMockManipulateIam(ctrl),
+				es:   GetMockManipulateIam(ctrl),
-				ctx: authz.NewMockContext("orgID", "userID"),
+				ctx:  authz.NewMockContext("orgID", "userID"),
+				step: iam_model.Step1,
 			},
 			res: res{
 				errFunc: caos_errs.IsPreconditionFailed,
@@ -182,6 +189,7 @@ func TestSetUpDone(t *testing.T) {
 				es:    GetMockManipulateIamNotExisting(ctrl),
 				ctx:   authz.NewMockContext("orgID", "userID"),
 				iamID: "iamID",
+				step:  iam_model.Step1,
 			},
 			res: res{
 				errFunc: caos_errs.IsNotFound,
@@ -190,7 +198,7 @@ func TestSetUpDone(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := tt.args.es.SetupDone(tt.args.ctx, tt.args.iamID)
+			result, err := tt.args.es.SetupDone(tt.args.ctx, tt.args.iamID, tt.args.step)
 
 			if tt.res.errFunc == nil && result.AggregateID == "" {
 				t.Errorf("result has no id")
@@ -231,7 +239,7 @@ func TestSetGlobalOrg(t *testing.T) {
 				globalOrg: "globalOrg",
 			},
 			res: res{
-				iam: &model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: true, GlobalOrgID: "globalOrg"},
+				iam: &model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: model.Step1, GlobalOrgID: "globalOrg"},
 			},
 		},
 		{
@@ -312,7 +320,7 @@ func TestSetIamProjectID(t *testing.T) {
 				iamProjectID: "iamProjectID",
 			},
 			res: res{
-				iam: &model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: true, IAMProjectID: "iamProjectID"},
+				iam: &model.IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "iamID", Sequence: 1}, SetUpStarted: model.Step1, IAMProjectID: "iamProjectID"},
 			},
 		},
 		{

internal/iam/repository/eventsourcing/iam.go

@@ -43,7 +43,7 @@ func IAMSetupStartedAggregate(aggCreator *es_models.AggregateCreator, iam *model
 		if err != nil {
 			return nil, err
 		}
-		return agg.AppendEvent(model.IAMSetupStarted, nil)
+		return agg.AppendEvent(model.IAMSetupStarted, &struct{ Step model.Step }{Step: iam.SetUpStarted})
 	}
 }
 
@@ -54,7 +54,7 @@ func IAMSetupDoneAggregate(aggCreator *es_models.AggregateCreator, iam *model.IA
 			return nil, err
 		}
 
-		return agg.AppendEvent(model.IAMSetupDone, nil)
+		return agg.AppendEvent(model.IAMSetupDone, &struct{ Step model.Step }{Step: iam.SetUpDone})
 	}
 }
 

internal/iam/repository/eventsourcing/model/iam.go

@@ -2,6 +2,7 @@ package model
 
 import (
 	"encoding/json"
+
 	"github.com/caos/logging"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
@@ -12,10 +13,19 @@ const (
 	IAMVersion = "v1"
 )
 
+type Step int
+
+const (
+	Step1 = Step(model.Step1)
+	//TODO: label policy
+	// Step2     = Step(model.Step2)
+	StepCount = Step(model.StepCount)
+)
+
 type IAM struct {
 	es_models.ObjectRoot
-	SetUpStarted       bool         `json:"-"`
+	SetUpStarted       Step         `json:"-"`
-	SetUpDone          bool         `json:"-"`
+	SetUpDone          Step         `json:"-"`
 	GlobalOrgID        string       `json:"globalOrgId,omitempty"`
 	IAMProjectID       string       `json:"iamProjectId,omitempty"`
 	Members            []*IAMMember `json:"-"`
@@ -28,8 +38,8 @@ func IAMFromModel(iam *model.IAM) *IAM {
 	idps := IDPConfigsFromModel(iam.IDPs)
 	converted := &IAM{
 		ObjectRoot:   iam.ObjectRoot,
-		SetUpStarted: iam.SetUpStarted,
+		SetUpStarted: Step(iam.SetUpStarted),
-		SetUpDone:    iam.SetUpDone,
+		SetUpDone:    Step(iam.SetUpDone),
 		GlobalOrgID:  iam.GlobalOrgID,
 		IAMProjectID: iam.IAMProjectID,
 		Members:      members,
@@ -46,8 +56,8 @@ func IAMToModel(iam *IAM) *model.IAM {
 	idps := IDPConfigsToModel(iam.IDPs)
 	converted := &model.IAM{
 		ObjectRoot:   iam.ObjectRoot,
-		SetUpStarted: iam.SetUpStarted,
+		SetUpStarted: model.Step(iam.SetUpStarted),
-		SetUpDone:    iam.SetUpDone,
+		SetUpDone:    model.Step(iam.SetUpDone),
 		GlobalOrgID:  iam.GlobalOrgID,
 		IAMProjectID: iam.IAMProjectID,
 		Members:      members,
@@ -72,9 +82,27 @@ func (i *IAM) AppendEvent(event *es_models.Event) (err error) {
 	i.ObjectRoot.AppendEvent(event)
 	switch event.Type {
 	case IAMSetupStarted:
-		i.SetUpStarted = true
+		if len(event.Data) == 0 {
+			i.SetUpStarted = Step(model.Step1)
+			return
+		}
+		step := new(struct{ Step Step })
+		err = json.Unmarshal(event.Data, step)
+		if err != nil {
+			return err
+		}
+		i.SetUpStarted = step.Step
 	case IAMSetupDone:
-		i.SetUpDone = true
+		if len(event.Data) == 0 {
+			i.SetUpDone = Step(model.Step1)
+			return
+		}
+		step := new(struct{ Step Step })
+		err = json.Unmarshal(event.Data, step)
+		if err != nil {
+			return err
+		}
+		i.SetUpDone = step.Step
 	case IAMProjectSet,
 		GlobalOrgSet:
 		err = i.SetData(event)

internal/iam/repository/eventsourcing/model/iam_test.go

@@ -2,8 +2,9 @@ package model
 
 import (
 	"encoding/json"
-	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"testing"
+
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
 )
 
 func mockIamData(iam *IAM) []byte {
@@ -27,31 +28,31 @@ func TestProjectRoleAppendEvent(t *testing.T) {
 				event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: IAMSetupStarted, ResourceOwner: "OrgID"},
 				iam:   &IAM{},
 			},
-			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true},
+			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1},
 		},
 		{
 			name: "append set up done event",
 			args: args{
 				event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: IAMSetupDone, ResourceOwner: "OrgID"},
-				iam:   &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true},
+				iam:   &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1},
 			},
-			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true, SetUpDone: true},
+			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1, SetUpDone: Step1},
 		},
 		{
 			name: "append globalorg event",
 			args: args{
 				event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: GlobalOrgSet, ResourceOwner: "OrgID", Data: mockIamData(&IAM{GlobalOrgID: "GlobalOrg"})},
-				iam:   &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true},
+				iam:   &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1},
 			},
-			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true, GlobalOrgID: "GlobalOrg"},
+			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1, GlobalOrgID: "GlobalOrg"},
 		},
 		{
 			name: "append iamproject event",
 			args: args{
 				event: &es_models.Event{AggregateID: "AggregateID", Sequence: 1, Type: IAMProjectSet, ResourceOwner: "OrgID", Data: mockIamData(&IAM{IAMProjectID: "IamProject"})},
-				iam:   &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true},
+				iam:   &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1},
 			},
-			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: true, IAMProjectID: "IamProject"},
+			result: &IAM{ObjectRoot: es_models.ObjectRoot{AggregateID: "AggregateID"}, SetUpStarted: Step1, IAMProjectID: "IamProject"},
 		},
 	}
 	for _, tt := range tests {

internal/setup/config.go

@@ -1,11 +1,41 @@
 package setup
 
+import (
+	"github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
 type IAMSetUp struct {
-	GlobalOrg          string
+	Step1 *Step1
-	IAMProject         string
+	//TODO: label policy
-	DefaultLoginPolicy LoginPolicy
+	// Step2 *Step2
-	Orgs               []Org
+}
-	Owners             []string
+
+func (setup *IAMSetUp) steps(currentDone iam_model.Step) ([]step, error) {
+	steps := make([]step, 0)
+	missingSteps := make([]iam_model.Step, 0)
+
+	for _, step := range []step{
+		setup.Step1,
+		//TODO: label policy
+		// setup.Step2,
+	} {
+		if step.step() <= currentDone {
+			continue
+		}
+
+		if step.isNil() {
+			missingSteps = append(missingSteps, step.step())
+			continue
+		}
+		steps = append(steps, step)
+	}
+
+	if len(missingSteps) > 0 {
+		return nil, errors.ThrowPreconditionFailedf(nil, "SETUP-1nk49", "steps %v not configured", missingSteps)
+	}
+
+	return steps, nil
 }
 
 type LoginPolicy struct {
@@ -14,6 +44,12 @@ type LoginPolicy struct {
 	AllowExternalIdp      bool
 }
 
+//TODO: label policy
+// type LabelPolicy struct {
+// 	PrimaryColor  string
+// 	SecondayColor string
+// }
+
 type User struct {
 	FirstName string
 	LastName  string

internal/setup/setup.go

@@ -7,22 +7,20 @@ import (
 
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	es_int "github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	es_iam "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	iam_event "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
-	org_model "github.com/caos/zitadel/internal/org/model"
 	es_org "github.com/caos/zitadel/internal/org/repository/eventsourcing"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
-	policy_model "github.com/caos/zitadel/internal/policy/model"
 	es_policy "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	proj_model "github.com/caos/zitadel/internal/project/model"
 	es_proj "github.com/caos/zitadel/internal/project/repository/eventsourcing"
 	proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
-	usr_model "github.com/caos/zitadel/internal/user/model"
 	es_usr "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 	usr_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 )
@@ -36,14 +34,6 @@ type Setup struct {
 	PolicyEvents  *policy_event.PolicyEventstore
 }
 
-type initializer struct {
-	*Setup
-	createdUsers       map[string]*usr_model.User
-	createdOrgs        map[string]*org_model.Org
-	createdProjects    map[string]*proj_model.Project
-	pwComplexityPolicy *policy_model.PasswordComplexityPolicy
-}
-
 const (
 	OrgOwnerRole                   = "ORG_OWNER"
 	SetupUser                      = "SETUP"
@@ -107,309 +97,65 @@ func StartSetup(esConfig es_int.Config, sd systemdefaults.SystemDefaults) (*Setu
 }
 
 func (s *Setup) Execute(ctx context.Context, setUpConfig IAMSetUp) error {
+	logging.Log("SETUP-hwG32").Info("starting setup")
+
 	iam, err := s.IamEvents.IAMByID(ctx, s.iamID)
 	if err != nil && !caos_errs.IsNotFound(err) {
 		return err
 	}
-	if iam != nil && (iam.SetUpStarted || iam.SetUpDone) {
+	if iam != nil && (iam.SetUpDone == iam_model.StepCount-1 || iam.SetUpStarted != iam.SetUpDone) {
+		logging.Log("SETUP-cWEsn").Info("all steps done")
 		return nil
 	}
 
-	logging.Log("SETUP-hwG32").Info("starting setup")
+	if iam == nil {
-	ctx = setSetUpContextData(ctx, s.iamID)
+		iam = &iam_model.IAM{ObjectRoot: models.ObjectRoot{AggregateID: s.iamID}}
-	iam, err = s.IamEvents.StartSetup(ctx, s.iamID)
-	if err != nil {
-		return err
 	}
 
-	setUp := &initializer{
+	steps, err := setUpConfig.steps(iam.SetUpDone)
-		Setup:           s,
+	if err != nil || len(steps) == 0 {
-		createdUsers:    make(map[string]*usr_model.User),
-		createdOrgs:     make(map[string]*org_model.Org),
-		createdProjects: make(map[string]*proj_model.Project),
-	}
-
-	err = setUp.loginPolicy(ctx, setUpConfig.DefaultLoginPolicy)
-	if err != nil {
-		logging.Log("SETUP-Hdu8S").WithError(err).Error("unable to create login policy")
-		return err
-	}
-
-	pwComplexityPolicy, err := s.PolicyEvents.GetPasswordComplexityPolicy(ctx, policy_model.DefaultPolicy)
-	if err != nil {
-		logging.Log("SETUP-9osWF").WithError(err).Error("unable to read complexity policy")
-		return err
-	}
-	setUp.pwComplexityPolicy = pwComplexityPolicy
-
-	err = setUp.orgs(ctx, setUpConfig.Orgs)
-	if err != nil {
-		logging.Log("SETUP-p4oWq").WithError(err).Error("unable to set up orgs")
 		return err
 	}
 
 	ctx = setSetUpContextData(ctx, s.iamID)
-	err = setUp.iamOwners(ctx, setUpConfig.Owners)
+
-	if err != nil {
+	for _, step := range steps {
-		logging.Log("SETUP-WHr01").WithError(err).Error("unable to set up iam owners")
+		step.init(s)
-		return err
+		if step.step() != iam.SetUpDone+1 {
+			logging.LogWithFields("SETUP-rxRM1", "step", step.step(), "previous", iam.SetUpDone).Warn("wrong step order")
+			return errors.ThrowPreconditionFailed(nil, "SETUP-wwAqO", "too few steps for this zitadel verison")
+		}
+		iam, err = s.IamEvents.StartSetup(ctx, s.iamID, step.step())
+		if err != nil {
+			return err
+		}
+
+		err = step.execute(ctx)
+		if err != nil {
+			return err
+		}
+
+		err = s.validateExecutedStep(ctx)
+		if err != nil {
+			return err
+		}
 	}
 
-	err = setUp.setGlobalOrg(ctx, setUpConfig.GlobalOrg)
-	if err != nil {
-		logging.Log("SETUP-0874m").WithError(err).Error("unable to set global org")
-		return err
-	}
-
-	err = setUp.setIamProject(ctx, setUpConfig.IAMProject)
-	if err != nil {
-		logging.Log("SETUP-kaWjq").WithError(err).Error("unable to set zitadel project")
-		return err
-	}
-
-	iam, err = s.IamEvents.SetupDone(ctx, s.iamID)
-	if err != nil {
-		logging.Log("SETUP-de342").WithError(err).Error("unable to finish setup")
-		return err
-	}
 	logging.Log("SETUP-ds31h").Info("setup done")
 	return nil
 }
 
-func (setUp *initializer) loginPolicy(ctx context.Context, policy LoginPolicy) error {
+func (s *Setup) validateExecutedStep(ctx context.Context) error {
-	logging.Log("SETUP-4djul").Info("setting up login policy")
+	iam, err := s.IamEvents.IAMByID(ctx, s.iamID)
-	loginPolicy := &iam_model.LoginPolicy{
+	if err != nil {
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: setUp.iamID,
-		},
-		AllowRegister:         policy.AllowRegister,
-		AllowUsernamePassword: policy.AllowUsernamePassword,
-		AllowExternalIdp:      policy.AllowExternalIdp,
-	}
-	_, err := setUp.IamEvents.AddLoginPolicy(ctx, loginPolicy)
-	return err
-}
-
-func (setUp *initializer) orgs(ctx context.Context, orgs []Org) error {
-	logging.Log("SETUP-dsTh3").Info("setting up orgs")
-	for _, iamOrg := range orgs {
-		org, err := setUp.org(ctx, iamOrg)
-		if err != nil {
-			logging.LogWithFields("SETUP-IlLif", "Org", iamOrg.Name).WithError(err).Error("unable to create org")
-			return err
-		}
-		setUp.createdOrgs[iamOrg.Name] = org
-
-		var policy *org_model.OrgIAMPolicy
-		if iamOrg.OrgIamPolicy {
-			policy, err = setUp.iamorgpolicy(ctx, org)
-			if err != nil {
-				logging.LogWithFields("SETUP-IlLif", "Org IAM Policy", iamOrg.Name).WithError(err).Error("unable to create iam org policy")
-				return err
-			}
-		} else {
-			policy, err = setUp.OrgEvents.GetOrgIAMPolicy(ctx, policy_model.DefaultPolicy)
-			if err != nil {
-				logging.LogWithFields("SETUP-IS8wS", "Org IAM Policy", iamOrg.Name).WithError(err).Error("unable to get default iam org policy")
-				return err
-			}
-		}
-
-		ctx = setSetUpContextData(ctx, org.AggregateID)
-		err = setUp.users(ctx, iamOrg.Users, policy)
-		if err != nil {
-			logging.LogWithFields("SETUP-8zfwz", "Org", iamOrg.Name).WithError(err).Error("unable to set up org users")
-			return err
-		}
-
-		err = setUp.orgOwners(ctx, org, iamOrg.Owners)
-		if err != nil {
-			logging.LogWithFields("SETUP-0874m", "Org", iamOrg.Name).WithError(err).Error("unable to set up org owners")
-			return err
-		}
-
-		err = setUp.projects(ctx, iamOrg.Projects, setUp.createdUsers[iamOrg.Owners[0]].AggregateID)
-		if err != nil {
-			logging.LogWithFields("SETUP-wUzqY", "Org", iamOrg.Name).WithError(err).Error("unable to set up org projects")
-			return err
-		}
-	}
-	logging.Log("SETUP-dgjT4").Info("orgs set up")
-	return nil
-}
-
-func (setUp *initializer) org(ctx context.Context, org Org) (*org_model.Org, error) {
-	ctx = setSetUpContextData(ctx, "")
-	createOrg := &org_model.Org{
-		Name:    org.Name,
-		Domains: []*org_model.OrgDomain{{Domain: org.Domain}},
-	}
-	return setUp.OrgEvents.CreateOrg(ctx, createOrg, nil)
-}
-
-func (setUp *initializer) iamorgpolicy(ctx context.Context, org *org_model.Org) (*org_model.OrgIAMPolicy, error) {
-	ctx = setSetUpContextData(ctx, org.AggregateID)
-	policy := &org_model.OrgIAMPolicy{
-		ObjectRoot:            models.ObjectRoot{AggregateID: org.AggregateID},
-		UserLoginMustBeDomain: false,
-	}
-	return setUp.OrgEvents.AddOrgIAMPolicy(ctx, policy)
-}
-
-func (setUp *initializer) iamOwners(ctx context.Context, owners []string) error {
-	logging.Log("SETUP-dtxfj").Info("setting iam owners")
-	for _, iamOwner := range owners {
-		user, ok := setUp.createdUsers[iamOwner]
-		if !ok {
-			logging.LogWithFields("SETUP-8siew", "Owner", iamOwner).Error("unable to add user to iam members")
-			return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-su6L3", "unable to add user to iam members")
-		}
-		_, err := setUp.IamEvents.AddIAMMember(ctx, &iam_model.IAMMember{ObjectRoot: models.ObjectRoot{AggregateID: setUp.iamID}, UserID: user.AggregateID, Roles: []string{"IAM_OWNER"}})
-		if err != nil {
-			logging.Log("SETUP-LM7rI").WithError(err).Error("unable to add iam administrator to iam members as owner")
-			return err
-		}
-	}
-	logging.Log("SETUP-fg5aq").Info("iam owners set")
-	return nil
-}
-
-func (setUp *initializer) setGlobalOrg(ctx context.Context, globalOrgName string) error {
-	logging.Log("SETUP-dsj75").Info("setting global org")
-	globalOrg, ok := setUp.createdOrgs[globalOrgName]
-	if !ok {
-		logging.LogWithFields("SETUP-FBhs9", "GlobalOrg", globalOrgName).Error("global org not created")
-		return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-4GwU7", "global org not created: %v", globalOrgName)
-	}
-
-	if _, err := setUp.IamEvents.SetGlobalOrg(ctx, setUp.iamID, globalOrg.AggregateID); err != nil {
-		logging.Log("SETUP-uGMA3").WithError(err).Error("unable to set global org on iam")
 		return err
 	}
-	logging.Log("SETUP-d32h1").Info("global org set")
+	if iam.SetUpStarted != iam.SetUpDone {
-	return nil
+		return errors.ThrowInternal(nil, "SETUP-QeukK", "started step is not equal to done")
-}
-
-func (setUp *initializer) setIamProject(ctx context.Context, iamProjectName string) error {
-	logging.Log("SETUP-HE3qa").Info("setting iam project")
-	iamProject, ok := setUp.createdProjects[iamProjectName]
-	if !ok {
-		logging.LogWithFields("SETUP-SJFWP", "IAM Project", iamProjectName).Error("iam project created")
-		return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-sGmQt", "iam project not created: %v", iamProjectName)
-	}
-
-	if _, err := setUp.IamEvents.SetIAMProject(ctx, setUp.iamID, iamProject.AggregateID); err != nil {
-		logging.Log("SETUP-i1pNh").WithError(err).Error("unable to set iam project on iam")
-		return err
-	}
-	logging.Log("SETUP-d7WEU").Info("iam project set")
-	return nil
-}
-
-func (setUp *initializer) users(ctx context.Context, users []User, orgPolicy *org_model.OrgIAMPolicy) error {
-	for _, user := range users {
-		created, err := setUp.user(ctx, user, orgPolicy)
-		if err != nil {
-			logging.LogWithFields("SETUP-9soer", "Email", user.Email).WithError(err).Error("unable to create iam user")
-			return err
-		}
-		setUp.createdUsers[user.Email] = created
 	}
 	return nil
 }
 
-func (setUp *initializer) user(ctx context.Context, user User, orgPolicy *org_model.OrgIAMPolicy) (*usr_model.User, error) {
-	createUser := &usr_model.User{
-		UserName: user.UserName,
-		Human: &usr_model.Human{
-			Profile: &usr_model.Profile{
-				FirstName: user.FirstName,
-				LastName:  user.LastName,
-			},
-			Email: &usr_model.Email{
-				EmailAddress:    user.Email,
-				IsEmailVerified: true,
-			},
-			Password: &usr_model.Password{
-				SecretString: user.Password,
-			},
-		},
-	}
-	return setUp.UserEvents.CreateUser(ctx, createUser, setUp.pwComplexityPolicy, orgPolicy)
-}
-
-func (setUp *initializer) orgOwners(ctx context.Context, org *org_model.Org, owners []string) error {
-	for _, orgOwner := range owners {
-		user, ok := setUp.createdUsers[orgOwner]
-		if !ok {
-			logging.LogWithFields("SETUP-s9ilr", "Owner", orgOwner).Error("unable to add user to org members")
-			return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-s0prs", "unable to add user to org members: %v", orgOwner)
-		}
-		err := setUp.orgOwner(ctx, org, user)
-		if err != nil {
-			logging.Log("SETUP-s90oe").WithError(err).Error("unable to add global org admin to members of global org")
-			return err
-		}
-	}
-	return nil
-}
-
-func (setUp *initializer) orgOwner(ctx context.Context, org *org_model.Org, user *usr_model.User) error {
-	addMember := &org_model.OrgMember{
-		ObjectRoot: models.ObjectRoot{AggregateID: org.AggregateID},
-		UserID:     user.AggregateID,
-		Roles:      []string{OrgOwnerRole},
-	}
-	_, err := setUp.OrgEvents.AddOrgMember(ctx, addMember)
-	return err
-}
-
-func (setUp *initializer) projects(ctx context.Context, projects []Project, ownerID string) error {
-	ctxData := authz.GetCtxData(ctx)
-	ctxData.UserID = ownerID
-	projectCtx := authz.SetCtxData(ctx, ctxData)
-
-	for _, project := range projects {
-		createdProject, err := setUp.project(projectCtx, project)
-		if err != nil {
-			return err
-		}
-		setUp.createdProjects[createdProject.Name] = createdProject
-		for _, oidc := range project.OIDCApps {
-			app, err := setUp.oidcApp(ctx, createdProject, oidc)
-			if err != nil {
-				return err
-			}
-			logging.LogWithFields("SETUP-asd32f", "name", app.Name, "clientID", app.OIDCConfig.ClientID).Info("created OIDC application")
-		}
-	}
-	return nil
-}
-
-func (setUp *initializer) project(ctx context.Context, project Project) (*proj_model.Project, error) {
-	addProject := &proj_model.Project{
-		Name: project.Name,
-	}
-	return setUp.ProjectEvents.CreateProject(ctx, addProject, false)
-}
-
-func (setUp *initializer) oidcApp(ctx context.Context, project *proj_model.Project, oidc OIDCApp) (*proj_model.Application, error) {
-	addOIDCApp := &proj_model.Application{
-		ObjectRoot: models.ObjectRoot{AggregateID: project.AggregateID},
-		Name:       oidc.Name,
-		OIDCConfig: &proj_model.OIDCConfig{
-			RedirectUris:           oidc.RedirectUris,
-			ResponseTypes:          getOIDCResponseTypes(oidc.ResponseTypes),
-			GrantTypes:             getOIDCGrantTypes(oidc.GrantTypes),
-			ApplicationType:        getOIDCApplicationType(oidc.ApplicationType),
-			AuthMethodType:         getOIDCAuthMethod(oidc.AuthMethodType),
-			PostLogoutRedirectUris: oidc.PostLogoutRedirectUris,
-			DevMode:                oidc.DevMode,
-		},
-	}
-	return setUp.ProjectEvents.AddApplication(ctx, addOIDCApp)
-}
-
 func getOIDCResponseTypes(responseTypes []string) []proj_model.OIDCResponseType {
 	types := make([]proj_model.OIDCResponseType, len(responseTypes))
 	for i, t := range responseTypes {

internal/setup/step.go

@@ -0,0 +1,14 @@
+package setup
+
+import (
+	"context"
+
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+)
+
+type step interface {
+	step() iam_model.Step
+	execute(context.Context) error
+	init(*Setup)
+	isNil() bool
+}

internal/setup/step1.go

@@ -0,0 +1,325 @@
+package setup
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	org_model "github.com/caos/zitadel/internal/org/model"
+	policy_model "github.com/caos/zitadel/internal/policy/model"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+)
+
+type Step1 struct {
+	GlobalOrg          string
+	IAMProject         string
+	DefaultLoginPolicy LoginPolicy
+	Orgs               []Org
+	Owners             []string
+
+	setup              *Setup
+	createdUsers       map[string]*usr_model.User
+	createdOrgs        map[string]*org_model.Org
+	createdProjects    map[string]*proj_model.Project
+	pwComplexityPolicy *policy_model.PasswordComplexityPolicy
+}
+
+func (s *Step1) isNil() bool {
+	return s == nil
+}
+
+func (step *Step1) step() iam_model.Step {
+	return iam_model.Step1
+}
+
+func (step *Step1) init(setup *Setup) {
+	step.setup = setup
+	step.createdUsers = make(map[string]*usr_model.User)
+	step.createdOrgs = make(map[string]*org_model.Org)
+	step.createdProjects = make(map[string]*proj_model.Project)
+}
+
+func (step *Step1) execute(ctx context.Context) (err error) {
+	err = step.loginPolicy(ctx, step.DefaultLoginPolicy)
+	if err != nil {
+		logging.Log("SETUP-Hdu8S").WithError(err).Error("unable to create login policy")
+		return err
+	}
+
+	pwComplexityPolicy, err := step.setup.PolicyEvents.GetPasswordComplexityPolicy(ctx, policy_model.DefaultPolicy)
+	if err != nil {
+		logging.Log("SETUP-9osWF").WithError(err).Error("unable to read complexity policy")
+		return err
+	}
+	step.pwComplexityPolicy = pwComplexityPolicy
+
+	err = step.orgs(ctx, step.Orgs)
+	if err != nil {
+		logging.Log("SETUP-p4oWq").WithError(err).Error("unable to set up orgs")
+		return err
+	}
+
+	ctx = setSetUpContextData(ctx, step.setup.iamID)
+	err = step.iamOwners(ctx, step.Owners)
+	if err != nil {
+		logging.Log("SETUP-WHr01").WithError(err).Error("unable to set up iam owners")
+		return err
+	}
+
+	err = step.setGlobalOrg(ctx, step.GlobalOrg)
+	if err != nil {
+		logging.Log("SETUP-0874m").WithError(err).Error("unable to set global org")
+		return err
+	}
+
+	err = step.setIamProject(ctx, step.IAMProject)
+	if err != nil {
+		logging.Log("SETUP-kaWjq").WithError(err).Error("unable to set zitadel project")
+		return err
+	}
+
+	_, err = step.setup.IamEvents.SetupDone(ctx, step.setup.iamID, step.step())
+	if err != nil {
+		logging.Log("SETUP-de342").WithField("step", step.step()).WithError(err).Error("unable to finish setup")
+		return err
+	}
+	return nil
+}
+
+func (step *Step1) loginPolicy(ctx context.Context, policy LoginPolicy) error {
+	logging.Log("SETUP-4djul").Info("setting up login policy")
+	loginPolicy := &iam_model.LoginPolicy{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: step.setup.iamID,
+		},
+		AllowRegister:         policy.AllowRegister,
+		AllowUsernamePassword: policy.AllowUsernamePassword,
+		AllowExternalIdp:      policy.AllowExternalIdp,
+	}
+	_, err := step.setup.IamEvents.AddLoginPolicy(ctx, loginPolicy)
+	return err
+}
+
+func (step *Step1) orgs(ctx context.Context, orgs []Org) error {
+	logging.Log("SETUP-dsTh3").Info("setting up orgs")
+	for _, iamOrg := range orgs {
+		org, err := step.org(ctx, iamOrg)
+		if err != nil {
+			logging.LogWithFields("SETUP-IlLif", "Org", iamOrg.Name).WithError(err).Error("unable to create org")
+			return err
+		}
+		step.createdOrgs[iamOrg.Name] = org
+
+		var policy *org_model.OrgIAMPolicy
+		if iamOrg.OrgIamPolicy {
+			policy, err = step.iamorgpolicy(ctx, org)
+			if err != nil {
+				logging.LogWithFields("SETUP-IlLif", "Org IAM Policy", iamOrg.Name).WithError(err).Error("unable to create iam org policy")
+				return err
+			}
+		} else {
+			policy, err = step.setup.OrgEvents.GetOrgIAMPolicy(ctx, policy_model.DefaultPolicy)
+			if err != nil {
+				logging.LogWithFields("SETUP-IS8wS", "Org IAM Policy", iamOrg.Name).WithError(err).Error("unable to get default iam org policy")
+				return err
+			}
+		}
+
+		ctx = setSetUpContextData(ctx, org.AggregateID)
+		err = step.users(ctx, iamOrg.Users, policy)
+		if err != nil {
+			logging.LogWithFields("SETUP-8zfwz", "Org", iamOrg.Name).WithError(err).Error("unable to set up org users")
+			return err
+		}
+
+		err = step.orgOwners(ctx, org, iamOrg.Owners)
+		if err != nil {
+			logging.LogWithFields("SETUP-0874m", "Org", iamOrg.Name).WithError(err).Error("unable to set up org owners")
+			return err
+		}
+
+		err = step.projects(ctx, iamOrg.Projects, step.createdUsers[iamOrg.Owners[0]].AggregateID)
+		if err != nil {
+			logging.LogWithFields("SETUP-wUzqY", "Org", iamOrg.Name).WithError(err).Error("unable to set up org projects")
+			return err
+		}
+	}
+	logging.Log("SETUP-dgjT4").Info("orgs set up")
+	return nil
+}
+
+func (step *Step1) org(ctx context.Context, org Org) (*org_model.Org, error) {
+	ctx = setSetUpContextData(ctx, "")
+	createOrg := &org_model.Org{
+		Name:    org.Name,
+		Domains: []*org_model.OrgDomain{{Domain: org.Domain}},
+	}
+	return step.setup.OrgEvents.CreateOrg(ctx, createOrg, nil)
+}
+
+func (step *Step1) iamorgpolicy(ctx context.Context, org *org_model.Org) (*org_model.OrgIAMPolicy, error) {
+	ctx = setSetUpContextData(ctx, org.AggregateID)
+	policy := &org_model.OrgIAMPolicy{
+		ObjectRoot:            models.ObjectRoot{AggregateID: org.AggregateID},
+		UserLoginMustBeDomain: false,
+	}
+	return step.setup.OrgEvents.AddOrgIAMPolicy(ctx, policy)
+}
+
+func (step *Step1) iamOwners(ctx context.Context, owners []string) error {
+	logging.Log("SETUP-dtxfj").Info("setting iam owners")
+	for _, iamOwner := range owners {
+		user, ok := step.createdUsers[iamOwner]
+		if !ok {
+			logging.LogWithFields("SETUP-8siew", "Owner", iamOwner).Error("unable to add user to iam members")
+			return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-su6L3", "unable to add user to iam members")
+		}
+		_, err := step.setup.IamEvents.AddIAMMember(ctx, &iam_model.IAMMember{ObjectRoot: models.ObjectRoot{AggregateID: step.setup.iamID}, UserID: user.AggregateID, Roles: []string{"IAM_OWNER"}})
+		if err != nil {
+			logging.Log("SETUP-LM7rI").WithError(err).Error("unable to add iam administrator to iam members as owner")
+			return err
+		}
+	}
+	logging.Log("SETUP-fg5aq").Info("iam owners set")
+	return nil
+}
+
+func (step *Step1) setGlobalOrg(ctx context.Context, globalOrgName string) error {
+	logging.Log("SETUP-dsj75").Info("setting global org")
+	globalOrg, ok := step.createdOrgs[globalOrgName]
+	if !ok {
+		logging.LogWithFields("SETUP-FBhs9", "GlobalOrg", globalOrgName).Error("global org not created")
+		return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-4GwU7", "global org not created: %v", globalOrgName)
+	}
+
+	if _, err := step.setup.IamEvents.SetGlobalOrg(ctx, step.setup.iamID, globalOrg.AggregateID); err != nil {
+		logging.Log("SETUP-uGMA3").WithError(err).Error("unable to set global org on iam")
+		return err
+	}
+	logging.Log("SETUP-d32h1").Info("global org set")
+	return nil
+}
+
+func (step *Step1) setIamProject(ctx context.Context, iamProjectName string) error {
+	logging.Log("SETUP-HE3qa").Info("setting iam project")
+	iamProject, ok := step.createdProjects[iamProjectName]
+	if !ok {
+		logging.LogWithFields("SETUP-SJFWP", "IAM Project", iamProjectName).Error("iam project created")
+		return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-sGmQt", "iam project not created: %v", iamProjectName)
+	}
+
+	if _, err := step.setup.IamEvents.SetIAMProject(ctx, step.setup.iamID, iamProject.AggregateID); err != nil {
+		logging.Log("SETUP-i1pNh").WithError(err).Error("unable to set iam project on iam")
+		return err
+	}
+	logging.Log("SETUP-d7WEU").Info("iam project set")
+	return nil
+}
+
+func (step *Step1) users(ctx context.Context, users []User, orgPolicy *org_model.OrgIAMPolicy) error {
+	for _, user := range users {
+		created, err := step.user(ctx, user, orgPolicy)
+		if err != nil {
+			logging.LogWithFields("SETUP-9soer", "Email", user.Email).WithError(err).Error("unable to create iam user")
+			return err
+		}
+		step.createdUsers[user.Email] = created
+	}
+	return nil
+}
+
+func (step *Step1) user(ctx context.Context, user User, orgPolicy *org_model.OrgIAMPolicy) (*usr_model.User, error) {
+	createUser := &usr_model.User{
+		UserName: user.UserName,
+		Human: &usr_model.Human{
+			Profile: &usr_model.Profile{
+				FirstName: user.FirstName,
+				LastName:  user.LastName,
+			},
+			Email: &usr_model.Email{
+				EmailAddress:    user.Email,
+				IsEmailVerified: true,
+			},
+			Password: &usr_model.Password{
+				SecretString: user.Password,
+			},
+		},
+	}
+	return step.setup.UserEvents.CreateUser(ctx, createUser, step.pwComplexityPolicy, orgPolicy)
+}
+
+func (step *Step1) orgOwners(ctx context.Context, org *org_model.Org, owners []string) error {
+	for _, orgOwner := range owners {
+		user, ok := step.createdUsers[orgOwner]
+		if !ok {
+			logging.LogWithFields("SETUP-s9ilr", "Owner", orgOwner).Error("unable to add user to org members")
+			return caos_errs.ThrowPreconditionFailedf(nil, "SETUP-s0prs", "unable to add user to org members: %v", orgOwner)
+		}
+		err := step.orgOwner(ctx, org, user)
+		if err != nil {
+			logging.Log("SETUP-s90oe").WithError(err).Error("unable to add global org admin to members of global org")
+			return err
+		}
+	}
+	return nil
+}
+
+func (step *Step1) orgOwner(ctx context.Context, org *org_model.Org, user *usr_model.User) error {
+	addMember := &org_model.OrgMember{
+		ObjectRoot: models.ObjectRoot{AggregateID: org.AggregateID},
+		UserID:     user.AggregateID,
+		Roles:      []string{OrgOwnerRole},
+	}
+	_, err := step.setup.OrgEvents.AddOrgMember(ctx, addMember)
+	return err
+}
+
+func (step *Step1) projects(ctx context.Context, projects []Project, ownerID string) error {
+	ctxData := authz.GetCtxData(ctx)
+	ctxData.UserID = ownerID
+	projectCtx := authz.SetCtxData(ctx, ctxData)
+
+	for _, project := range projects {
+		createdProject, err := step.project(projectCtx, project)
+		if err != nil {
+			return err
+		}
+		step.createdProjects[createdProject.Name] = createdProject
+		for _, oidc := range project.OIDCApps {
+			app, err := step.oidcApp(ctx, createdProject, oidc)
+			if err != nil {
+				return err
+			}
+			logging.LogWithFields("SETUP-asd32f", "name", app.Name, "clientID", app.OIDCConfig.ClientID).Info("created OIDC application")
+		}
+	}
+	return nil
+}
+
+func (step *Step1) project(ctx context.Context, project Project) (*proj_model.Project, error) {
+	addProject := &proj_model.Project{
+		Name: project.Name,
+	}
+	return step.setup.ProjectEvents.CreateProject(ctx, addProject, false)
+}
+
+func (step *Step1) oidcApp(ctx context.Context, project *proj_model.Project, oidc OIDCApp) (*proj_model.Application, error) {
+	addOIDCApp := &proj_model.Application{
+		ObjectRoot: models.ObjectRoot{AggregateID: project.AggregateID},
+		Name:       oidc.Name,
+		OIDCConfig: &proj_model.OIDCConfig{
+			RedirectUris:           oidc.RedirectUris,
+			ResponseTypes:          getOIDCResponseTypes(oidc.ResponseTypes),
+			GrantTypes:             getOIDCGrantTypes(oidc.GrantTypes),
+			ApplicationType:        getOIDCApplicationType(oidc.ApplicationType),
+			AuthMethodType:         getOIDCAuthMethod(oidc.AuthMethodType),
+			PostLogoutRedirectUris: oidc.PostLogoutRedirectUris,
+			DevMode:                oidc.DevMode,
+		},
+	}
+	return step.setup.ProjectEvents.AddApplication(ctx, addOIDCApp)
+}

internal/setup/step2.go

@@ -0,0 +1,30 @@
+package setup
+
+//TODO: label policy
+// import (
+// 	"context"
+
+// 	iam_model "github.com/caos/zitadel/internal/iam/model"
+// )
+
+// type Step2 struct {
+// 	DefaultLabelPolicy LabelPolicy
+
+// 	setup *Setup
+// }
+
+// func (s *Step2) isNil() bool {
+// 	return s == nil
+// }
+
+// func (step *Step2) step() iam_model.Step {
+// 	return iam_model.Step2
+// }
+
+// func (step *Step2) init(setup *Setup) {
+// 	step.setup = setup
+// }
+
+// func (step *Step2) execute(ctx context.Context) error {
+// 	return nil
+// }

pkg/grpc/management/management.pb.gw.go

@@ -146,10 +146,7 @@ func local_request_ManagementService_IsUserUnique_0(ctx context.Context, marshal
 	var protoReq UniqueUserRequest
 	var metadata runtime.ServerMetadata
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_IsUserUnique_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_IsUserUnique_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -236,10 +233,7 @@ func local_request_ManagementService_GetUserByLoginNameGlobal_0(ctx context.Cont
 	var protoReq LoginName
 	var metadata runtime.ServerMetadata
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_GetUserByLoginNameGlobal_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_GetUserByLoginNameGlobal_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -710,10 +704,7 @@ func local_request_ManagementService_UserChanges_0(ctx context.Context, marshale
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
 	}
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_UserChanges_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_UserChanges_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -1252,10 +1243,7 @@ func local_request_ManagementService_ChangeUserUserName_0(ctx context.Context, m
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
 	}
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_ChangeUserUserName_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_ChangeUserUserName_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -2406,10 +2394,7 @@ func local_request_ManagementService_DeletePasswordComplexityPolicy_0(ctx contex
 	var protoReq PasswordComplexityPolicyID
 	var metadata runtime.ServerMetadata
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_DeletePasswordComplexityPolicy_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_DeletePasswordComplexityPolicy_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -2528,10 +2513,7 @@ func local_request_ManagementService_DeletePasswordAgePolicy_0(ctx context.Conte
 	var protoReq PasswordAgePolicyID
 	var metadata runtime.ServerMetadata
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_DeletePasswordAgePolicy_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_DeletePasswordAgePolicy_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -2650,10 +2632,7 @@ func local_request_ManagementService_DeletePasswordLockoutPolicy_0(ctx context.C
 	var protoReq PasswordLockoutPolicyID
 	var metadata runtime.ServerMetadata
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_DeletePasswordLockoutPolicy_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_DeletePasswordLockoutPolicy_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -2756,10 +2735,7 @@ func local_request_ManagementService_OrgChanges_0(ctx context.Context, marshaler
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
 	}
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_OrgChanges_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_OrgChanges_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -2810,10 +2786,7 @@ func local_request_ManagementService_GetOrgByDomainGlobal_0(ctx context.Context,
 	var protoReq Domain
 	var metadata runtime.ServerMetadata
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_GetOrgByDomainGlobal_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_GetOrgByDomainGlobal_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -3494,10 +3467,7 @@ func local_request_ManagementService_ProjectChanges_0(ctx context.Context, marsh
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
 	}
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_ProjectChanges_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_ProjectChanges_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -4934,10 +4904,7 @@ func local_request_ManagementService_ApplicationChanges_0(ctx context.Context, m
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "sec_id", err)
 	}
 
-	if err := req.ParseForm(); err != nil {
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_ManagementService_ApplicationChanges_0); err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_ManagementService_ApplicationChanges_0); err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 

pkg/grpc/management/proto/management.proto

@@ -1503,8 +1503,14 @@ message ZitadelDocs {
 message Iam {
   string global_org_id = 1;
   string iam_project_id = 2;
-  bool set_up_done = 3;
+  IamSetupStep set_up_done = 3;
-  bool set_up_started = 4;
+  IamSetupStep set_up_started = 4;
+}
+
+enum IamSetupStep {
+  iam_setup_step_UNDEFINED = 0;
+  iam_setup_step_1 = 1;
+  iam_setup_step_2 = 2;
 }
 
 message ChangeRequest {