fix: rename iam to instance (#3345)

* fix: rename iam command side to instance

* fix: rename iam command side to instance

* fix: rename iam command side to instance

* fix: rename iam command side to instance

* fix: rename orgiampolicy to domain policy

* fix: merge conflicts

* fix: protos

* fix: md files

* implement deprecated org iam policy again

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/repository/instance/aggregate.go

@@ -0,0 +1,30 @@
+package instance
+
+import (
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	instanceEventTypePrefix = eventstore.EventType("instance.")
+)
+
+const (
+	AggregateType    = "instance"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate() *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            domain.IAMID,
+			ResourceOwner: domain.IAMID,
+		},
+	}
+}

internal/repository/instance/custom_text.go

@@ -0,0 +1,105 @@
+package instance
+
+import (
+	"context"
+
+	"golang.org/x/text/language"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	CustomTextSetEventType             = instanceEventTypePrefix + policy.CustomTextSetEventType
+	CustomTextRemovedEventType         = instanceEventTypePrefix + policy.CustomTextRemovedEventType
+	CustomTextTemplateRemovedEventType = instanceEventTypePrefix + policy.CustomTextTemplateRemovedEventType
+)
+
+type CustomTextSetEvent struct {
+	policy.CustomTextSetEvent
+}
+
+func NewCustomTextSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	template,
+	key,
+	text string,
+	language language.Tag,
+) *CustomTextSetEvent {
+	return &CustomTextSetEvent{
+		CustomTextSetEvent: *policy.NewCustomTextSetEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, CustomTextSetEventType),
+			template,
+			key,
+			text,
+			language),
+	}
+}
+
+func CustomTextSetEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.CustomTextSetEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &CustomTextSetEvent{CustomTextSetEvent: *e.(*policy.CustomTextSetEvent)}, nil
+}
+
+type CustomTextRemovedEvent struct {
+	policy.CustomTextRemovedEvent
+}
+
+func NewCustomTextRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	template,
+	key string,
+	language language.Tag,
+) *CustomTextRemovedEvent {
+	return &CustomTextRemovedEvent{
+		CustomTextRemovedEvent: *policy.NewCustomTextRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, CustomTextRemovedEventType),
+			template,
+			key,
+			language),
+	}
+}
+
+func CustomTextRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.CustomTextRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &CustomTextRemovedEvent{CustomTextRemovedEvent: *e.(*policy.CustomTextRemovedEvent)}, nil
+}
+
+type CustomTextTemplateRemovedEvent struct {
+	policy.CustomTextTemplateRemovedEvent
+}
+
+func NewCustomTextTemplateRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	template string,
+	language language.Tag,
+) *CustomTextTemplateRemovedEvent {
+	return &CustomTextTemplateRemovedEvent{
+		CustomTextTemplateRemovedEvent: *policy.NewCustomTextTemplateRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, CustomTextTemplateRemovedEventType),
+			template,
+			language,
+		),
+	}
+}
+
+func CustomTextTemplateRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.CustomTextTemplateRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &CustomTextTemplateRemovedEvent{CustomTextTemplateRemovedEvent: *e.(*policy.CustomTextTemplateRemovedEvent)}, nil
+}

internal/repository/instance/debug_notification_file.go

@@ -0,0 +1,106 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/repository/settings"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	fileType = ".file"
+)
+
+var (
+	DebugNotificationProviderFileAddedEventType   = instanceEventTypePrefix + settings.DebugNotificationPrefix + fileType + settings.DebugNotificationProviderAdded
+	DebugNotificationProviderFileChangedEventType = instanceEventTypePrefix + settings.DebugNotificationPrefix + fileType + settings.DebugNotificationProviderChanged
+	DebugNotificationProviderFileRemovedEventType = instanceEventTypePrefix + settings.DebugNotificationPrefix + fileType + settings.DebugNotificationProviderRemoved
+)
+
+type DebugNotificationProviderFileAddedEvent struct {
+	settings.DebugNotificationProviderAddedEvent
+}
+
+func NewDebugNotificationProviderFileAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	compact bool,
+) *DebugNotificationProviderFileAddedEvent {
+	return &DebugNotificationProviderFileAddedEvent{
+		DebugNotificationProviderAddedEvent: *settings.NewDebugNotificationProviderAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				DebugNotificationProviderFileAddedEventType),
+			compact),
+	}
+}
+
+func DebugNotificationProviderFileAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := settings.DebugNotificationProviderAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DebugNotificationProviderFileAddedEvent{DebugNotificationProviderAddedEvent: *e.(*settings.DebugNotificationProviderAddedEvent)}, nil
+}
+
+type DebugNotificationProviderFileChangedEvent struct {
+	settings.DebugNotificationProviderChangedEvent
+}
+
+func NewDebugNotificationProviderFileChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []settings.DebugNotificationProviderChanges,
+) (*DebugNotificationProviderFileChangedEvent, error) {
+	changedEvent, err := settings.NewDebugNotificationProviderChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			DebugNotificationProviderFileChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &DebugNotificationProviderFileChangedEvent{DebugNotificationProviderChangedEvent: *changedEvent}, nil
+}
+
+func DebugNotificationProviderFileChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := settings.DebugNotificationProviderChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DebugNotificationProviderFileChangedEvent{DebugNotificationProviderChangedEvent: *e.(*settings.DebugNotificationProviderChangedEvent)}, nil
+}
+
+type DebugNotificationProviderFileRemovedEvent struct {
+	settings.DebugNotificationProviderRemovedEvent
+}
+
+func NewDebugNotificationProviderFileRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *DebugNotificationProviderFileRemovedEvent {
+	return &DebugNotificationProviderFileRemovedEvent{
+		DebugNotificationProviderRemovedEvent: *settings.NewDebugNotificationProviderRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				DebugNotificationProviderFileRemovedEventType),
+		),
+	}
+}
+
+func DebugNotificationProviderFileRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := settings.DebugNotificationProviderRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DebugNotificationProviderFileRemovedEvent{DebugNotificationProviderRemovedEvent: *e.(*settings.DebugNotificationProviderRemovedEvent)}, nil
+}

internal/repository/instance/debug_notification_log.go

@@ -0,0 +1,108 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/repository/settings"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	logType = ".log"
+)
+
+var (
+	DebugNotificationProviderLogAddedEventType    = instanceEventTypePrefix + settings.DebugNotificationPrefix + logType + settings.DebugNotificationProviderAdded
+	DebugNotificationProviderLogChangedEventType  = instanceEventTypePrefix + settings.DebugNotificationPrefix + logType + settings.DebugNotificationProviderChanged
+	DebugNotificationProviderLogEnabledEventType  = instanceEventTypePrefix + settings.DebugNotificationPrefix + logType + settings.DebugNotificationProviderEnabled
+	DebugNotificationProviderLogDisabledEventType = instanceEventTypePrefix + settings.DebugNotificationPrefix + logType + settings.DebugNotificationProviderDisabled
+	DebugNotificationProviderLogRemovedEventType  = instanceEventTypePrefix + settings.DebugNotificationPrefix + logType + settings.DebugNotificationProviderRemoved
+)
+
+type DebugNotificationProviderLogAddedEvent struct {
+	settings.DebugNotificationProviderAddedEvent
+}
+
+func NewDebugNotificationProviderLogAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	compact bool,
+) *DebugNotificationProviderLogAddedEvent {
+	return &DebugNotificationProviderLogAddedEvent{
+		DebugNotificationProviderAddedEvent: *settings.NewDebugNotificationProviderAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				DebugNotificationProviderLogAddedEventType),
+			compact),
+	}
+}
+
+func DebugNotificationProviderLogAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := settings.DebugNotificationProviderAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DebugNotificationProviderLogAddedEvent{DebugNotificationProviderAddedEvent: *e.(*settings.DebugNotificationProviderAddedEvent)}, nil
+}
+
+type DebugNotificationProviderLogChangedEvent struct {
+	settings.DebugNotificationProviderChangedEvent
+}
+
+func NewDebugNotificationProviderLogChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []settings.DebugNotificationProviderChanges,
+) (*DebugNotificationProviderLogChangedEvent, error) {
+	changedEvent, err := settings.NewDebugNotificationProviderChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			DebugNotificationProviderLogChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &DebugNotificationProviderLogChangedEvent{DebugNotificationProviderChangedEvent: *changedEvent}, nil
+}
+
+func DebugNotificationProviderLogChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := settings.DebugNotificationProviderChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DebugNotificationProviderLogChangedEvent{DebugNotificationProviderChangedEvent: *e.(*settings.DebugNotificationProviderChangedEvent)}, nil
+}
+
+type DebugNotificationProviderLogRemovedEvent struct {
+	settings.DebugNotificationProviderRemovedEvent
+}
+
+func NewDebugNotificationProviderLogRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *DebugNotificationProviderLogRemovedEvent {
+	return &DebugNotificationProviderLogRemovedEvent{
+		DebugNotificationProviderRemovedEvent: *settings.NewDebugNotificationProviderRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				DebugNotificationProviderLogRemovedEventType),
+		),
+	}
+}
+
+func DebugNotificationProviderLogRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := settings.DebugNotificationProviderRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &DebugNotificationProviderLogRemovedEvent{DebugNotificationProviderRemovedEvent: *e.(*settings.DebugNotificationProviderRemovedEvent)}, nil
+}

internal/repository/instance/event_default_language.go

@@ -0,0 +1,57 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"golang.org/x/text/language"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	DefaultLanguageSetEventType eventstore.EventType = "iam.default.language.set"
+)
+
+type DefaultLanguageSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Language language.Tag `json:"language"`
+}
+
+func (e *DefaultLanguageSetEvent) Data() interface{} {
+	return e
+}
+
+func (e *DefaultLanguageSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewDefaultLanguageSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	language language.Tag,
+) *DefaultLanguageSetEvent {
+	return &DefaultLanguageSetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			DefaultLanguageSetEventType,
+		),
+		Language: language,
+	}
+}
+
+func DefaultLanguageSetMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &DefaultLanguageSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-3j9fs", "unable to unmarshal default language set")
+	}
+
+	return e, nil
+}

internal/repository/instance/event_iam_project_set.go

@@ -0,0 +1,56 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	ProjectSetEventType eventstore.EventType = "iam.project.iam.set"
+)
+
+type ProjectSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ProjectID string `json:"iamProjectId"`
+}
+
+func (e *ProjectSetEvent) Data() interface{} {
+	return e
+}
+
+func (e *ProjectSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewIAMProjectSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	projectID string,
+) *ProjectSetEvent {
+	return &ProjectSetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectSetEventType,
+		),
+		ProjectID: projectID,
+	}
+}
+
+func ProjectSetMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &ProjectSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-cdFZH", "unable to unmarshal global org set")
+	}
+
+	return e, nil
+}

internal/repository/instance/event_org_set.go

@@ -0,0 +1,56 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	GlobalOrgSetEventType eventstore.EventType = "iam.global.org.set"
+)
+
+type GlobalOrgSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	OrgID string `json:"globalOrgId"`
+}
+
+func (e *GlobalOrgSetEvent) Data() interface{} {
+	return e
+}
+
+func (e *GlobalOrgSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGlobalOrgSetEventEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	orgID string,
+) *GlobalOrgSetEvent {
+	return &GlobalOrgSetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GlobalOrgSetEventType,
+		),
+		OrgID: orgID,
+	}
+}
+
+func GlobalOrgSetMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &GlobalOrgSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-cdFZH", "unable to unmarshal global org set")
+	}
+
+	return e, nil
+}

internal/repository/instance/events_step.go

@@ -0,0 +1,103 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+	"strconv"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueStepStarted                          = "stepstarted"
+	UniqueStepDone                             = "stepdone"
+	SetupDoneEventType    eventstore.EventType = "iam.setup.done"
+	SetupStartedEventType eventstore.EventType = "iam.setup.started"
+)
+
+type SetupStepEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Step domain.Step `json:"Step"`
+	Done bool        `json:"-"`
+}
+
+func NewAddSetupStepStartedUniqueConstraint(step domain.Step) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueStepStarted,
+		strconv.Itoa(int(step)),
+		"Errors.Step.Started.AlreadyExists")
+}
+
+func NewAddSetupStepDoneUniqueConstraint(step domain.Step) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueStepDone,
+		strconv.Itoa(int(step)),
+		"Errors.Step.Done.AlreadyExists")
+}
+
+func (e *SetupStepEvent) Data() interface{} {
+	return e
+}
+
+func (e *SetupStepEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	if e.Done {
+		return []*eventstore.EventUniqueConstraint{NewAddSetupStepDoneUniqueConstraint(e.Step)}
+	} else {
+		return []*eventstore.EventUniqueConstraint{NewAddSetupStepStartedUniqueConstraint(e.Step)}
+	}
+}
+
+func SetupStepMapper(event *repository.Event) (eventstore.Event, error) {
+	step := &SetupStepEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+		Done:      eventstore.EventType(event.Type) == SetupDoneEventType,
+		Step:      domain.Step1,
+	}
+	if len(event.Data) == 0 {
+		return step, nil
+	}
+	err := json.Unmarshal(event.Data, step)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-O6rVg", "unable to unmarshal step")
+	}
+
+	return step, nil
+}
+
+func NewSetupStepDoneEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	step domain.Step,
+) *SetupStepEvent {
+
+	return &SetupStepEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SetupDoneEventType,
+		),
+		Step: step,
+		Done: true,
+	}
+}
+
+func NewSetupStepStartedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	step domain.Step,
+) *SetupStepEvent {
+
+	return &SetupStepEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SetupStartedEventType,
+		),
+		Step: step,
+	}
+}

internal/repository/instance/eventstore.go

@@ -0,0 +1,88 @@
+package instance
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(SetupStartedEventType, SetupStepMapper).
+		RegisterFilterEventMapper(SetupDoneEventType, SetupStepMapper).
+		RegisterFilterEventMapper(GlobalOrgSetEventType, GlobalOrgSetMapper).
+		RegisterFilterEventMapper(ProjectSetEventType, ProjectSetMapper).
+		RegisterFilterEventMapper(DefaultLanguageSetEventType, DefaultLanguageSetMapper).
+		RegisterFilterEventMapper(SecretGeneratorAddedEventType, SecretGeneratorAddedEventMapper).
+		RegisterFilterEventMapper(SecretGeneratorChangedEventType, SecretGeneratorChangedEventMapper).
+		RegisterFilterEventMapper(SecretGeneratorRemovedEventType, SecretGeneratorRemovedEventMapper).
+		RegisterFilterEventMapper(SMTPConfigAddedEventType, SMTPConfigAddedEventMapper).
+		RegisterFilterEventMapper(SMTPConfigChangedEventType, SMTPConfigChangedEventMapper).
+		RegisterFilterEventMapper(SMTPConfigPasswordChangedEventType, SMTPConfigPasswordChangedEventMapper).
+		RegisterFilterEventMapper(UniqueConstraintsMigratedEventType, MigrateUniqueConstraintEventMapper).
+		RegisterFilterEventMapper(SMSConfigTwilioAddedEventType, SMSConfigTwilioAddedEventMapper).
+		RegisterFilterEventMapper(SMSConfigTwilioChangedEventType, SMSConfigTwilioChangedEventMapper).
+		RegisterFilterEventMapper(SMSConfigTwilioTokenChangedEventType, SMSConfigTwilioTokenChangedEventMapper).
+		RegisterFilterEventMapper(SMSConfigActivatedEventType, SMSConfigActivatedEventMapper).
+		RegisterFilterEventMapper(SMSConfigDeactivatedEventType, SMSConfigDeactivatedEventMapper).
+		RegisterFilterEventMapper(SMSConfigRemovedEventType, SMSConfigRemovedEventMapper).
+		RegisterFilterEventMapper(DebugNotificationProviderFileAddedEventType, DebugNotificationProviderFileAddedEventMapper).
+		RegisterFilterEventMapper(DebugNotificationProviderFileChangedEventType, DebugNotificationProviderFileChangedEventMapper).
+		RegisterFilterEventMapper(DebugNotificationProviderFileRemovedEventType, DebugNotificationProviderFileRemovedEventMapper).
+		RegisterFilterEventMapper(DebugNotificationProviderLogAddedEventType, DebugNotificationProviderLogAddedEventMapper).
+		RegisterFilterEventMapper(DebugNotificationProviderLogChangedEventType, DebugNotificationProviderLogChangedEventMapper).
+		RegisterFilterEventMapper(DebugNotificationProviderLogRemovedEventType, DebugNotificationProviderLogRemovedEventMapper).
+		RegisterFilterEventMapper(OIDCSettingsAddedEventType, OIDCSettingsAddedEventMapper).
+		RegisterFilterEventMapper(OIDCSettingsChangedEventType, OIDCSettingsChangedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyAddedEventType, LabelPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyChangedEventType, LabelPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyActivatedEventType, LabelPolicyActivatedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyLogoAddedEventType, LabelPolicyLogoAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyLogoRemovedEventType, LabelPolicyLogoRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyIconAddedEventType, LabelPolicyIconAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyIconRemovedEventType, LabelPolicyIconRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyLogoDarkAddedEventType, LabelPolicyLogoDarkAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyLogoDarkRemovedEventType, LabelPolicyLogoDarkRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyIconDarkAddedEventType, LabelPolicyIconDarkAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyIconDarkRemovedEventType, LabelPolicyIconDarkRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyFontAddedEventType, LabelPolicyFontAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyFontRemovedEventType, LabelPolicyFontRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyAssetsRemovedEventType, LabelPolicyAssetsRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyAddedEventType, LoginPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyChangedEventType, LoginPolicyChangedEventMapper).
+		RegisterFilterEventMapper(InstanceDomainPolicyAddedEventType, InstanceDomainPolicyAddedEventMapper).
+		RegisterFilterEventMapper(InstanceDomainPolicyChangedEventType, InstanceDomainPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyAddedEventType, PasswordAgePolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyChangedEventType, PasswordAgePolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyAddedEventType, PasswordComplexityPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LockoutPolicyAddedEventType, LockoutPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LockoutPolicyChangedEventType, LockoutPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PrivacyPolicyAddedEventType, PrivacyPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PrivacyPolicyChangedEventType, PrivacyPolicyChangedEventMapper).
+		RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper).
+		RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper).
+		RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper).
+		RegisterFilterEventMapper(MemberCascadeRemovedEventType, MemberCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(IDPConfigAddedEventType, IDPConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPConfigChangedEventType, IDPConfigChangedEventMapper).
+		RegisterFilterEventMapper(IDPConfigRemovedEventType, IDPConfigRemovedEventMapper).
+		RegisterFilterEventMapper(IDPConfigDeactivatedEventType, IDPConfigDeactivatedEventMapper).
+		RegisterFilterEventMapper(IDPConfigReactivatedEventType, IDPConfigReactivatedEventMapper).
+		RegisterFilterEventMapper(IDPOIDCConfigAddedEventType, IDPOIDCConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper).
+		RegisterFilterEventMapper(IDPJWTConfigAddedEventType, IDPJWTConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPJWTConfigChangedEventType, IDPJWTConfigChangedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderAddedEventType, IdentityProviderAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderRemovedEventType, IdentityProviderRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderCascadeRemovedEventType, IdentityProviderCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorAddedEventType, SecondFactorAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorRemovedEventType, SecondFactorRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorAddedEventType, MultiFactorAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorRemovedEventType, MultiFactorRemovedEventMapper).
+		RegisterFilterEventMapper(MailTemplateAddedEventType, MailTemplateAddedEventMapper).
+		RegisterFilterEventMapper(MailTemplateChangedEventType, MailTemplateChangedEventMapper).
+		RegisterFilterEventMapper(MailTextAddedEventType, MailTextAddedEventMapper).
+		RegisterFilterEventMapper(MailTextChangedEventType, MailTextChangedEventMapper).
+		RegisterFilterEventMapper(CustomTextSetEventType, CustomTextSetEventMapper).
+		RegisterFilterEventMapper(CustomTextRemovedEventType, CustomTextRemovedEventMapper).
+		RegisterFilterEventMapper(CustomTextTemplateRemovedEventType, CustomTextTemplateRemovedEventMapper).
+		RegisterFilterEventMapper(FeaturesSetEventType, FeaturesSetEventMapper)
+}

internal/repository/instance/features.go

@@ -0,0 +1,44 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/features"
+)
+
+var (
+	FeaturesSetEventType = instanceEventTypePrefix + features.FeaturesSetEventType
+)
+
+type FeaturesSetEvent struct {
+	features.FeaturesSetEvent
+}
+
+func NewFeaturesSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []features.FeaturesChanges,
+) (*FeaturesSetEvent, error) {
+	changedEvent, err := features.NewFeaturesSetEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			FeaturesSetEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &FeaturesSetEvent{FeaturesSetEvent: *changedEvent}, nil
+}
+
+func FeaturesSetEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := features.FeaturesSetEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &FeaturesSetEvent{FeaturesSetEvent: *e.(*features.FeaturesSetEvent)}, nil
+}

internal/repository/instance/idp_config.go

@@ -0,0 +1,187 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPConfigAddedEventType       eventstore.EventType = "iam.idp.config.added"
+	IDPConfigChangedEventType     eventstore.EventType = "iam.idp.config.changed"
+	IDPConfigRemovedEventType     eventstore.EventType = "iam.idp.config.removed"
+	IDPConfigDeactivatedEventType eventstore.EventType = "iam.idp.config.deactivated"
+	IDPConfigReactivatedEventType eventstore.EventType = "iam.idp.config.reactivated"
+)
+
+type IDPConfigAddedEvent struct {
+	idpconfig.IDPConfigAddedEvent
+}
+
+func NewIDPConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	name string,
+	configType domain.IDPConfigType,
+	stylingType domain.IDPConfigStylingType,
+	autoRegister bool,
+) *IDPConfigAddedEvent {
+
+	return &IDPConfigAddedEvent{
+		IDPConfigAddedEvent: *idpconfig.NewIDPConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigAddedEventType,
+			),
+			configID,
+			name,
+			configType,
+			stylingType,
+			autoRegister,
+		),
+	}
+}
+
+func IDPConfigAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.IDPConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigAddedEvent{IDPConfigAddedEvent: *e.(*idpconfig.IDPConfigAddedEvent)}, nil
+}
+
+type IDPConfigChangedEvent struct {
+	idpconfig.IDPConfigChangedEvent
+}
+
+func NewIDPConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	oldName string,
+	changes []idpconfig.IDPConfigChanges,
+) (*IDPConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewIDPConfigChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			IDPConfigChangedEventType),
+		configID,
+		oldName,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.IDPConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *e.(*idpconfig.IDPConfigChangedEvent)}, nil
+}
+
+type IDPConfigRemovedEvent struct {
+	idpconfig.IDPConfigRemovedEvent
+}
+
+func NewIDPConfigRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	name string,
+) *IDPConfigRemovedEvent {
+	return &IDPConfigRemovedEvent{
+		IDPConfigRemovedEvent: *idpconfig.NewIDPConfigRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigRemovedEventType,
+			),
+			configID,
+			name,
+		),
+	}
+}
+
+func IDPConfigRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.IDPConfigRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigRemovedEvent{IDPConfigRemovedEvent: *e.(*idpconfig.IDPConfigRemovedEvent)}, nil
+}
+
+type IDPConfigDeactivatedEvent struct {
+	idpconfig.IDPConfigDeactivatedEvent
+}
+
+func NewIDPConfigDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID string,
+) *IDPConfigDeactivatedEvent {
+
+	return &IDPConfigDeactivatedEvent{
+		IDPConfigDeactivatedEvent: *idpconfig.NewIDPConfigDeactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigDeactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.IDPConfigDeactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigDeactivatedEvent{IDPConfigDeactivatedEvent: *e.(*idpconfig.IDPConfigDeactivatedEvent)}, nil
+}
+
+type IDPConfigReactivatedEvent struct {
+	idpconfig.IDPConfigReactivatedEvent
+}
+
+func NewIDPConfigReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID string,
+) *IDPConfigReactivatedEvent {
+
+	return &IDPConfigReactivatedEvent{
+		IDPConfigReactivatedEvent: *idpconfig.NewIDPConfigReactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigReactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.IDPConfigReactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigReactivatedEvent{IDPConfigReactivatedEvent: *e.(*idpconfig.IDPConfigReactivatedEvent)}, nil
+}

internal/repository/instance/idp_jwt_config.go

@@ -0,0 +1,86 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPJWTConfigAddedEventType   eventstore.EventType = "iam.idp." + idpconfig.JWTConfigAddedEventType
+	IDPJWTConfigChangedEventType eventstore.EventType = "iam.idp." + idpconfig.JWTConfigChangedEventType
+)
+
+type IDPJWTConfigAddedEvent struct {
+	idpconfig.JWTConfigAddedEvent
+}
+
+func NewIDPJWTConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID,
+	jwtEndpoint,
+	issuer,
+	keysEndpoint,
+	headerName string,
+) *IDPJWTConfigAddedEvent {
+	return &IDPJWTConfigAddedEvent{
+		JWTConfigAddedEvent: *idpconfig.NewJWTConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPJWTConfigAddedEventType,
+			),
+			idpConfigID,
+			jwtEndpoint,
+			issuer,
+			keysEndpoint,
+			headerName,
+		),
+	}
+}
+
+func IDPJWTConfigAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.JWTConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPJWTConfigAddedEvent{JWTConfigAddedEvent: *e.(*idpconfig.JWTConfigAddedEvent)}, nil
+}
+
+type IDPJWTConfigChangedEvent struct {
+	idpconfig.JWTConfigChangedEvent
+}
+
+func NewIDPJWTConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+	changes []idpconfig.JWTConfigChanges,
+) (*IDPJWTConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewJWTConfigChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			IDPJWTConfigChangedEventType),
+		idpConfigID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPJWTConfigChangedEvent{JWTConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPJWTConfigChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.JWTConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPJWTConfigChangedEvent{JWTConfigChangedEvent: *e.(*idpconfig.JWTConfigChangedEvent)}, nil
+}

internal/repository/instance/idp_oidc_config.go

@@ -0,0 +1,97 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPOIDCConfigAddedEventType   eventstore.EventType = "iam.idp." + idpconfig.OIDCConfigAddedEventType
+	IDPOIDCConfigChangedEventType eventstore.EventType = "iam.idp." + idpconfig.OIDCConfigChangedEventType
+)
+
+type IDPOIDCConfigAddedEvent struct {
+	idpconfig.OIDCConfigAddedEvent
+}
+
+func NewIDPOIDCConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	clientID,
+	idpConfigID,
+	issuer,
+	authorizationEndpoint,
+	tokenEndpoint string,
+	clientSecret *crypto.CryptoValue,
+	idpDisplayNameMapping,
+	userNameMapping domain.OIDCMappingField,
+	scopes ...string,
+) *IDPOIDCConfigAddedEvent {
+
+	return &IDPOIDCConfigAddedEvent{
+		OIDCConfigAddedEvent: *idpconfig.NewOIDCConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPOIDCConfigAddedEventType,
+			),
+			clientID,
+			idpConfigID,
+			issuer,
+			authorizationEndpoint,
+			tokenEndpoint,
+			clientSecret,
+			idpDisplayNameMapping,
+			userNameMapping,
+			scopes...,
+		),
+	}
+}
+
+func IDPOIDCConfigAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.OIDCConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigAddedEvent{OIDCConfigAddedEvent: *e.(*idpconfig.OIDCConfigAddedEvent)}, nil
+}
+
+type IDPOIDCConfigChangedEvent struct {
+	idpconfig.OIDCConfigChangedEvent
+}
+
+func NewIDPOIDCConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+	changes []idpconfig.OIDCConfigChanges,
+) (*IDPOIDCConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewOIDCConfigChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			IDPOIDCConfigChangedEventType),
+		idpConfigID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPOIDCConfigChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idpconfig.OIDCConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *e.(*idpconfig.OIDCConfigChangedEvent)}, nil
+}

internal/repository/instance/member.go

@@ -0,0 +1,142 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	MemberAddedEventType          = instanceEventTypePrefix + member.AddedEventType
+	MemberChangedEventType        = instanceEventTypePrefix + member.ChangedEventType
+	MemberRemovedEventType        = instanceEventTypePrefix + member.RemovedEventType
+	MemberCascadeRemovedEventType = instanceEventTypePrefix + member.CascadeRemovedEventType
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func NewMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberAddedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func NewMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberChangedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func NewMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberRemovedEvent {
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}
+
+type MemberCascadeRemovedEvent struct {
+	member.MemberCascadeRemovedEvent
+}
+
+func NewMemberCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberCascadeRemovedEvent {
+	return &MemberCascadeRemovedEvent{
+		MemberCascadeRemovedEvent: *member.NewCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberCascadeRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberCascadeRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := member.CascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberCascadeRemovedEvent{MemberCascadeRemovedEvent: *e.(*member.MemberCascadeRemovedEvent)}, nil
+}

internal/repository/instance/migrate_unique_constraints.go

@@ -0,0 +1,59 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueConstraintsMigratedEventType eventstore.EventType = "iam.unique.constraints.migrated"
+)
+
+type MigrateUniqueConstraintEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	uniqueConstraintMigrations []*domain.UniqueConstraintMigration `json:"-"`
+}
+
+func NewAddMigrateUniqueConstraint(uniqueMigration *domain.UniqueConstraintMigration) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueMigration.UniqueType,
+		uniqueMigration.UniqueField,
+		uniqueMigration.ErrorMessage)
+}
+
+func (e *MigrateUniqueConstraintEvent) Data() interface{} {
+	return nil
+}
+
+func (e *MigrateUniqueConstraintEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	constraints := make([]*eventstore.EventUniqueConstraint, len(e.uniqueConstraintMigrations))
+	for i, uniqueMigration := range e.uniqueConstraintMigrations {
+		constraints[i] = NewAddMigrateUniqueConstraint(uniqueMigration)
+	}
+	return constraints
+}
+
+func NewMigrateUniqueConstraintEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	uniqueConstraintMigrations []*domain.UniqueConstraintMigration) *MigrateUniqueConstraintEvent {
+	return &MigrateUniqueConstraintEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UniqueConstraintsMigratedEventType,
+		),
+		uniqueConstraintMigrations: uniqueConstraintMigrations,
+	}
+}
+
+func MigrateUniqueConstraintEventMapper(event *repository.Event) (eventstore.Event, error) {
+	return &MigrateUniqueConstraintEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}

internal/repository/instance/oidc_settings.go

@@ -0,0 +1,145 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	oidcSettingsPrefix           = "oidc.settings."
+	OIDCSettingsAddedEventType   = instanceEventTypePrefix + oidcSettingsPrefix + "added"
+	OIDCSettingsChangedEventType = instanceEventTypePrefix + oidcSettingsPrefix + "changed"
+	OIDCSettingsRemovedEventType = instanceEventTypePrefix + oidcSettingsPrefix + "removed"
+)
+
+type OIDCSettingsAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AccessTokenLifetime        time.Duration `json:"accessTokenLifetime,omitempty"`
+	IdTokenLifetime            time.Duration `json:"idTokenLifetime,omitempty"`
+	RefreshTokenIdleExpiration time.Duration `json:"refreshTokenIdleExpiration,omitempty"`
+	RefreshTokenExpiration     time.Duration `json:"refreshTokenExpiration,omitempty"`
+}
+
+func NewOIDCSettingsAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	accessTokenLifetime,
+	idTokenLifetime,
+	refreshTokenIdleExpiration,
+	refreshTokenExpiration time.Duration,
+) *OIDCSettingsAddedEvent {
+	return &OIDCSettingsAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCSettingsAddedEventType,
+		),
+		AccessTokenLifetime:        accessTokenLifetime,
+		IdTokenLifetime:            idTokenLifetime,
+		RefreshTokenIdleExpiration: refreshTokenIdleExpiration,
+		RefreshTokenExpiration:     refreshTokenExpiration,
+	}
+}
+
+func (e *OIDCSettingsAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCSettingsAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func OIDCSettingsAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	oidcSettingsAdded := &OIDCSettingsAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, oidcSettingsAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-soiwj", "unable to unmarshal oidc config added")
+	}
+
+	return oidcSettingsAdded, nil
+}
+
+type OIDCSettingsChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AccessTokenLifetime        *time.Duration `json:"accessTokenLifetime,omitempty"`
+	IdTokenLifetime            *time.Duration `json:"idTokenLifetime,omitempty"`
+	RefreshTokenIdleExpiration *time.Duration `json:"refreshTokenIdleExpiration,omitempty"`
+	RefreshTokenExpiration     *time.Duration `json:"refreshTokenExpiration,omitempty"`
+}
+
+func (e *OIDCSettingsChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCSettingsChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCSettingsChangeEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []OIDCSettingsChanges,
+) (*OIDCSettingsChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IAM-dnlwe", "Errors.NoChangesFound")
+	}
+	changeEvent := &OIDCSettingsChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCSettingsChangedEventType,
+		),
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OIDCSettingsChanges func(event *OIDCSettingsChangedEvent)
+
+func ChangeOIDCSettingsAccessTokenLifetime(accessTokenLifetime time.Duration) func(event *OIDCSettingsChangedEvent) {
+	return func(e *OIDCSettingsChangedEvent) {
+		e.AccessTokenLifetime = &accessTokenLifetime
+	}
+}
+
+func ChangeOIDCSettingsIdTokenLifetime(idTokenLifetime time.Duration) func(event *OIDCSettingsChangedEvent) {
+	return func(e *OIDCSettingsChangedEvent) {
+		e.IdTokenLifetime = &idTokenLifetime
+	}
+}
+
+func ChangeOIDCSettingsRefreshTokenIdleExpiration(refreshTokenIdleExpiration time.Duration) func(event *OIDCSettingsChangedEvent) {
+	return func(e *OIDCSettingsChangedEvent) {
+		e.RefreshTokenIdleExpiration = &refreshTokenIdleExpiration
+	}
+}
+
+func ChangeOIDCSettingsRefreshTokenExpiration(refreshTokenExpiration time.Duration) func(event *OIDCSettingsChangedEvent) {
+	return func(e *OIDCSettingsChangedEvent) {
+		e.RefreshTokenExpiration = &refreshTokenExpiration
+	}
+}
+
+func OIDCSettingsChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &OIDCSettingsChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-f98uf", "unable to unmarshal oidc settings changed")
+	}
+
+	return e, nil
+}

internal/repository/instance/policy_domain.go

@@ -0,0 +1,75 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	InstanceDomainPolicyAddedEventType   = instanceEventTypePrefix + policy.DomainPolicyAddedEventType
+	InstanceDomainPolicyChangedEventType = instanceEventTypePrefix + policy.DomainPolicyChangedEventType
+)
+
+type InstanceDomainPolicyAddedEvent struct {
+	policy.DomainPolicyAddedEvent
+}
+
+func NewInstnaceDomainPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userLoginMustBeDomain bool,
+) *InstanceDomainPolicyAddedEvent {
+	return &InstanceDomainPolicyAddedEvent{
+		DomainPolicyAddedEvent: *policy.NewDomainPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				InstanceDomainPolicyAddedEventType),
+			userLoginMustBeDomain,
+		),
+	}
+}
+
+func InstanceDomainPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.DomainPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &InstanceDomainPolicyAddedEvent{DomainPolicyAddedEvent: *e.(*policy.DomainPolicyAddedEvent)}, nil
+}
+
+type InstanceDomainPolicyChangedEvent struct {
+	policy.DomainPolicyChangedEvent
+}
+
+func NewInstanceDomainPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.OrgPolicyChanges,
+) (*InstanceDomainPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewDomainPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			InstanceDomainPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &InstanceDomainPolicyChangedEvent{DomainPolicyChangedEvent: *changedEvent}, nil
+}
+
+func InstanceDomainPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.DomainPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &InstanceDomainPolicyChangedEvent{DomainPolicyChangedEvent: *e.(*policy.DomainPolicyChangedEvent)}, nil
+}

internal/repository/instance/policy_label.go

@@ -0,0 +1,461 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LabelPolicyAddedEventType     = instanceEventTypePrefix + policy.LabelPolicyAddedEventType
+	LabelPolicyChangedEventType   = instanceEventTypePrefix + policy.LabelPolicyChangedEventType
+	LabelPolicyActivatedEventType = instanceEventTypePrefix + policy.LabelPolicyActivatedEventType
+
+	LabelPolicyLogoAddedEventType       = instanceEventTypePrefix + policy.LabelPolicyLogoAddedEventType
+	LabelPolicyLogoRemovedEventType     = instanceEventTypePrefix + policy.LabelPolicyLogoRemovedEventType
+	LabelPolicyIconAddedEventType       = instanceEventTypePrefix + policy.LabelPolicyIconAddedEventType
+	LabelPolicyIconRemovedEventType     = instanceEventTypePrefix + policy.LabelPolicyIconRemovedEventType
+	LabelPolicyLogoDarkAddedEventType   = instanceEventTypePrefix + policy.LabelPolicyLogoDarkAddedEventType
+	LabelPolicyLogoDarkRemovedEventType = instanceEventTypePrefix + policy.LabelPolicyLogoDarkRemovedEventType
+	LabelPolicyIconDarkAddedEventType   = instanceEventTypePrefix + policy.LabelPolicyIconDarkAddedEventType
+	LabelPolicyIconDarkRemovedEventType = instanceEventTypePrefix + policy.LabelPolicyIconDarkRemovedEventType
+
+	LabelPolicyFontAddedEventType   = instanceEventTypePrefix + policy.LabelPolicyFontAddedEventType
+	LabelPolicyFontRemovedEventType = instanceEventTypePrefix + policy.LabelPolicyFontRemovedEventType
+
+	LabelPolicyAssetsRemovedEventType = instanceEventTypePrefix + policy.LabelPolicyAssetsRemovedEventType
+)
+
+type LabelPolicyAddedEvent struct {
+	policy.LabelPolicyAddedEvent
+}
+
+func NewLabelPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	primaryColor,
+	backgroundColor,
+	warnColor,
+	fontColor,
+	primaryColorDark,
+	backgroundColorDark,
+	warnColorDark,
+	fontColorDark string,
+	hideLoginNameSuffix,
+	errorMsgPopup,
+	disableWatermark bool,
+) *LabelPolicyAddedEvent {
+	return &LabelPolicyAddedEvent{
+		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyAddedEventType),
+			primaryColor,
+			backgroundColor,
+			warnColor,
+			fontColor,
+			primaryColorDark,
+			backgroundColorDark,
+			warnColorDark,
+			fontColorDark,
+			hideLoginNameSuffix,
+			errorMsgPopup,
+			disableWatermark),
+	}
+}
+
+func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyAddedEvent{LabelPolicyAddedEvent: *e.(*policy.LabelPolicyAddedEvent)}, nil
+}
+
+type LabelPolicyChangedEvent struct {
+	policy.LabelPolicyChangedEvent
+}
+
+func NewLabelPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LabelPolicyChanges,
+) (*LabelPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLabelPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LabelPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *e.(*policy.LabelPolicyChangedEvent)}, nil
+}
+
+type LabelPolicyActivatedEvent struct {
+	policy.LabelPolicyActivatedEvent
+}
+
+func NewLabelPolicyActivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *LabelPolicyActivatedEvent {
+	return &LabelPolicyActivatedEvent{
+		LabelPolicyActivatedEvent: *policy.NewLabelPolicyActivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyActivatedEventType),
+		),
+	}
+}
+
+func LabelPolicyActivatedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyActivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyActivatedEvent{LabelPolicyActivatedEvent: *e.(*policy.LabelPolicyActivatedEvent)}, nil
+}
+
+type LabelPolicyLogoAddedEvent struct {
+	policy.LabelPolicyLogoAddedEvent
+}
+
+func NewLabelPolicyLogoAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyLogoAddedEvent {
+	return &LabelPolicyLogoAddedEvent{
+		LabelPolicyLogoAddedEvent: *policy.NewLabelPolicyLogoAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyLogoAddedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyLogoAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyLogoAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyLogoAddedEvent{LabelPolicyLogoAddedEvent: *e.(*policy.LabelPolicyLogoAddedEvent)}, nil
+}
+
+type LabelPolicyLogoRemovedEvent struct {
+	policy.LabelPolicyLogoRemovedEvent
+}
+
+func NewLabelPolicyLogoRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyLogoRemovedEvent {
+	return &LabelPolicyLogoRemovedEvent{
+		LabelPolicyLogoRemovedEvent: *policy.NewLabelPolicyLogoRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyLogoRemovedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyLogoRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyLogoRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyLogoRemovedEvent{LabelPolicyLogoRemovedEvent: *e.(*policy.LabelPolicyLogoRemovedEvent)}, nil
+}
+
+type LabelPolicyIconAddedEvent struct {
+	policy.LabelPolicyIconAddedEvent
+}
+
+func NewLabelPolicyIconAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyIconAddedEvent {
+	return &LabelPolicyIconAddedEvent{
+		LabelPolicyIconAddedEvent: *policy.NewLabelPolicyIconAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyIconAddedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyIconAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyIconAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyIconAddedEvent{LabelPolicyIconAddedEvent: *e.(*policy.LabelPolicyIconAddedEvent)}, nil
+}
+
+type LabelPolicyIconRemovedEvent struct {
+	policy.LabelPolicyIconRemovedEvent
+}
+
+func NewLabelPolicyIconRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyIconRemovedEvent {
+	return &LabelPolicyIconRemovedEvent{
+		LabelPolicyIconRemovedEvent: *policy.NewLabelPolicyIconRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyIconRemovedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyIconRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyIconRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyIconRemovedEvent{LabelPolicyIconRemovedEvent: *e.(*policy.LabelPolicyIconRemovedEvent)}, nil
+}
+
+type LabelPolicyLogoDarkAddedEvent struct {
+	policy.LabelPolicyLogoDarkAddedEvent
+}
+
+func NewLabelPolicyLogoDarkAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyLogoDarkAddedEvent {
+	return &LabelPolicyLogoDarkAddedEvent{
+		LabelPolicyLogoDarkAddedEvent: *policy.NewLabelPolicyLogoDarkAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyLogoDarkAddedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyLogoDarkAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyLogoDarkAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyLogoDarkAddedEvent{LabelPolicyLogoDarkAddedEvent: *e.(*policy.LabelPolicyLogoDarkAddedEvent)}, nil
+}
+
+type LabelPolicyLogoDarkRemovedEvent struct {
+	policy.LabelPolicyLogoDarkRemovedEvent
+}
+
+func NewLabelPolicyLogoDarkRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyLogoDarkRemovedEvent {
+	return &LabelPolicyLogoDarkRemovedEvent{
+		LabelPolicyLogoDarkRemovedEvent: *policy.NewLabelPolicyLogoDarkRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyLogoDarkRemovedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyLogoDarkRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyLogoDarkRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyLogoDarkRemovedEvent{LabelPolicyLogoDarkRemovedEvent: *e.(*policy.LabelPolicyLogoDarkRemovedEvent)}, nil
+}
+
+type LabelPolicyIconDarkAddedEvent struct {
+	policy.LabelPolicyIconDarkAddedEvent
+}
+
+func NewLabelPolicyIconDarkAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyIconDarkAddedEvent {
+	return &LabelPolicyIconDarkAddedEvent{
+		LabelPolicyIconDarkAddedEvent: *policy.NewLabelPolicyIconDarkAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyIconDarkAddedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyIconDarkAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyIconDarkAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyIconDarkAddedEvent{LabelPolicyIconDarkAddedEvent: *e.(*policy.LabelPolicyIconDarkAddedEvent)}, nil
+}
+
+type LabelPolicyIconDarkRemovedEvent struct {
+	policy.LabelPolicyIconDarkRemovedEvent
+}
+
+func NewLabelPolicyIconDarkRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyIconDarkRemovedEvent {
+	return &LabelPolicyIconDarkRemovedEvent{
+		LabelPolicyIconDarkRemovedEvent: *policy.NewLabelPolicyIconDarkRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyIconDarkRemovedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyIconDarkRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyIconDarkRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyIconDarkRemovedEvent{LabelPolicyIconDarkRemovedEvent: *e.(*policy.LabelPolicyIconDarkRemovedEvent)}, nil
+}
+
+type LabelPolicyFontAddedEvent struct {
+	policy.LabelPolicyFontAddedEvent
+}
+
+func NewLabelPolicyFontAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyFontAddedEvent {
+	return &LabelPolicyFontAddedEvent{
+		LabelPolicyFontAddedEvent: *policy.NewLabelPolicyFontAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyFontAddedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyFontAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyFontAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyFontAddedEvent{LabelPolicyFontAddedEvent: *e.(*policy.LabelPolicyFontAddedEvent)}, nil
+}
+
+type LabelPolicyFontRemovedEvent struct {
+	policy.LabelPolicyFontRemovedEvent
+}
+
+func NewLabelPolicyFontRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	storageKey string,
+) *LabelPolicyFontRemovedEvent {
+	return &LabelPolicyFontRemovedEvent{
+		LabelPolicyFontRemovedEvent: *policy.NewLabelPolicyFontRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyFontRemovedEventType),
+			storageKey,
+		),
+	}
+}
+
+func LabelPolicyFontRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyFontRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyFontRemovedEvent{LabelPolicyFontRemovedEvent: *e.(*policy.LabelPolicyFontRemovedEvent)}, nil
+}
+
+type LabelPolicyAssetsRemovedEvent struct {
+	policy.LabelPolicyAssetsRemovedEvent
+}
+
+func (e *LabelPolicyAssetsRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *LabelPolicyAssetsRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLabelPolicyAssetsRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *LabelPolicyAssetsRemovedEvent {
+	return &LabelPolicyAssetsRemovedEvent{
+		LabelPolicyAssetsRemovedEvent: *policy.NewLabelPolicyAssetsRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyAssetsRemovedEventType),
+		),
+	}
+}
+
+func LabelPolicyAssetsRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LabelPolicyAssetsRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyAssetsRemovedEvent{LabelPolicyAssetsRemovedEvent: *e.(*policy.LabelPolicyAssetsRemovedEvent)}, nil
+}

internal/repository/instance/policy_login.go

@@ -0,0 +1,96 @@
+package instance
+
+import (
+	"context"
+	"time"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicyAddedEventType   = instanceEventTypePrefix + policy.LoginPolicyAddedEventType
+	LoginPolicyChangedEventType = instanceEventTypePrefix + policy.LoginPolicyChangedEventType
+)
+
+type LoginPolicyAddedEvent struct {
+	policy.LoginPolicyAddedEvent
+}
+
+func NewLoginPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA,
+	hidePasswordReset bool,
+	passwordlessType domain.PasswordlessType,
+	passwordCheckLifetime,
+	externalLoginCheckLifetime,
+	mfaInitSkipLifetime,
+	secondFactorCheckLifetime,
+	multiFactorCheckLifetime time.Duration,
+) *LoginPolicyAddedEvent {
+	return &LoginPolicyAddedEvent{
+		LoginPolicyAddedEvent: *policy.NewLoginPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyAddedEventType),
+			allowUsernamePassword,
+			allowRegister,
+			allowExternalIDP,
+			forceMFA,
+			hidePasswordReset,
+			passwordlessType,
+			passwordCheckLifetime,
+			externalLoginCheckLifetime,
+			mfaInitSkipLifetime,
+			secondFactorCheckLifetime,
+			multiFactorCheckLifetime),
+	}
+}
+
+func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LoginPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyAddedEvent{LoginPolicyAddedEvent: *e.(*policy.LoginPolicyAddedEvent)}, nil
+}
+
+type LoginPolicyChangedEvent struct {
+	policy.LoginPolicyChangedEvent
+}
+
+func NewLoginPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LoginPolicyChanges,
+) (*LoginPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLoginPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LoginPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LoginPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *e.(*policy.LoginPolicyChangedEvent)}, nil
+}

internal/repository/instance/policy_login_factors.go

@@ -0,0 +1,141 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicySecondFactorAddedEventType   = instanceEventTypePrefix + policy.LoginPolicySecondFactorAddedEventType
+	LoginPolicySecondFactorRemovedEventType = instanceEventTypePrefix + policy.LoginPolicySecondFactorRemovedEventType
+
+	LoginPolicyMultiFactorAddedEventType   = instanceEventTypePrefix + policy.LoginPolicyMultiFactorAddedEventType
+	LoginPolicyMultiFactorRemovedEventType = instanceEventTypePrefix + policy.LoginPolicyMultiFactorRemovedEventType
+)
+
+type LoginPolicySecondFactorAddedEvent struct {
+	policy.SecondFactorAddedEvent
+}
+
+func NewLoginPolicySecondFactorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorAddedEvent {
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *policy.NewSecondFactorAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicySecondFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.SecondFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *e.(*policy.SecondFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicySecondFactorRemovedEvent struct {
+	policy.SecondFactorRemovedEvent
+}
+
+func NewLoginPolicySecondFactorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorRemovedEvent {
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *policy.NewSecondFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicySecondFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.SecondFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *e.(*policy.SecondFactorRemovedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorAddedEvent struct {
+	policy.MultiFactorAddedEvent
+}
+
+func NewLoginPolicyMultiFactorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorAddedEvent {
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *policy.NewMultiFactorAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyMultiFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.MultiFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *e.(*policy.MultiFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorRemovedEvent struct {
+	policy.MultiFactorRemovedEvent
+}
+
+func NewLoginPolicyMultiFactorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorRemovedEvent {
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *policy.NewMultiFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyMultiFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.MultiFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *e.(*policy.MultiFactorRemovedEvent),
+	}, nil
+}

internal/repository/instance/policy_login_identity_provider.go

@@ -0,0 +1,106 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicyIDPProviderAddedEventType          = instanceEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
+	LoginPolicyIDPProviderRemovedEventType        = instanceEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderCascadeRemovedEventType = instanceEventTypePrefix + policy.LoginPolicyIDPProviderCascadeRemovedType
+)
+
+type IdentityProviderAddedEvent struct {
+	policy.IdentityProviderAddedEvent
+}
+
+func NewIdentityProviderAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderAddedEvent {
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *policy.NewIdentityProviderAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyIDPProviderAddedEventType),
+			idpConfigID,
+			domain.IdentityProviderTypeSystem),
+	}
+}
+
+func IdentityProviderAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.IdentityProviderAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *e.(*policy.IdentityProviderAddedEvent),
+	}, nil
+}
+
+type IdentityProviderRemovedEvent struct {
+	policy.IdentityProviderRemovedEvent
+}
+
+func NewIdentityProviderRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderRemovedEvent {
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *policy.NewIdentityProviderRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.IdentityProviderRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *e.(*policy.IdentityProviderRemovedEvent),
+	}, nil
+}
+
+type IdentityProviderCascadeRemovedEvent struct {
+	policy.IdentityProviderCascadeRemovedEvent
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *policy.NewIdentityProviderCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, LoginPolicyIDPProviderCascadeRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.IdentityProviderCascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *e.(*policy.IdentityProviderCascadeRemovedEvent),
+	}, nil
+}

internal/repository/instance/policy_mail_template.go

@@ -0,0 +1,67 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	MailTemplateAddedEventType   = instanceEventTypePrefix + policy.MailTemplatePolicyAddedEventType
+	MailTemplateChangedEventType = instanceEventTypePrefix + policy.MailTemplatePolicyChangedEventType
+)
+
+type MailTemplateAddedEvent struct {
+	policy.MailTemplateAddedEvent
+}
+
+func NewMailTemplateAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	template []byte,
+) *MailTemplateAddedEvent {
+	return &MailTemplateAddedEvent{
+		MailTemplateAddedEvent: *policy.NewMailTemplateAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateAddedEventType),
+			template),
+	}
+}
+
+func MailTemplateAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.MailTemplateAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateAddedEvent{MailTemplateAddedEvent: *e.(*policy.MailTemplateAddedEvent)}, nil
+}
+
+type MailTemplateChangedEvent struct {
+	policy.MailTemplateChangedEvent
+}
+
+func NewMailTemplateChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.MailTemplateChanges,
+) (*MailTemplateChangedEvent, error) {
+	changedEvent, err := policy.NewMailTemplateChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &MailTemplateChangedEvent{MailTemplateChangedEvent: *changedEvent}, nil
+}
+
+func MailTemplateChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.MailTemplateChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateChangedEvent{MailTemplateChangedEvent: *e.(*policy.MailTemplateChangedEvent)}, nil
+}

internal/repository/instance/policy_mail_text.go

@@ -0,0 +1,85 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	MailTextAddedEventType   = instanceEventTypePrefix + policy.MailTextPolicyAddedEventType
+	MailTextChangedEventType = instanceEventTypePrefix + policy.MailTextPolicyChangedEventType
+)
+
+type MailTextAddedEvent struct {
+	policy.MailTextAddedEvent
+}
+
+func NewMailTextAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language,
+	title,
+	preHeader,
+	subject,
+	greeting,
+	text,
+	buttonText string,
+) *MailTextAddedEvent {
+	return &MailTextAddedEvent{
+		MailTextAddedEvent: *policy.NewMailTextAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTextAddedEventType),
+			mailTextType,
+			language,
+			title,
+			preHeader,
+			subject,
+			greeting,
+			text,
+			buttonText),
+	}
+}
+
+func MailTextAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.MailTextAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextAddedEvent{MailTextAddedEvent: *e.(*policy.MailTextAddedEvent)}, nil
+}
+
+type MailTextChangedEvent struct {
+	policy.MailTextChangedEvent
+}
+
+func NewMailTextChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language string,
+	changes []policy.MailTextChanges,
+) (*MailTextChangedEvent, error) {
+	changedEvent, err := policy.NewMailTextChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, aggregate, MailTextChangedEventType),
+		mailTextType,
+		language,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &MailTextChangedEvent{MailTextChangedEvent: *changedEvent}, nil
+}
+
+func MailTextChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.MailTextChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextChangedEvent{MailTextChangedEvent: *e.(*policy.MailTextChangedEvent)}, nil
+}

internal/repository/instance/policy_password_age.go

@@ -0,0 +1,76 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	PasswordAgePolicyAddedEventType   = instanceEventTypePrefix + policy.PasswordAgePolicyAddedEventType
+	PasswordAgePolicyChangedEventType = instanceEventTypePrefix + policy.PasswordAgePolicyChangedEventType
+)
+
+type PasswordAgePolicyAddedEvent struct {
+	policy.PasswordAgePolicyAddedEvent
+}
+
+func NewPasswordAgePolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *PasswordAgePolicyAddedEvent {
+	return &PasswordAgePolicyAddedEvent{
+		PasswordAgePolicyAddedEvent: *policy.NewPasswordAgePolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordAgePolicyAddedEventType),
+			expireWarnDays,
+			maxAgeDays),
+	}
+}
+
+func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.PasswordAgePolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyAddedEvent{PasswordAgePolicyAddedEvent: *e.(*policy.PasswordAgePolicyAddedEvent)}, nil
+}
+
+type PasswordAgePolicyChangedEvent struct {
+	policy.PasswordAgePolicyChangedEvent
+}
+
+func NewPasswordAgePolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordAgePolicyChanges,
+) (*PasswordAgePolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordAgePolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordAgePolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.PasswordAgePolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *e.(*policy.PasswordAgePolicyChangedEvent)}, nil
+}

internal/repository/instance/policy_password_complexity.go

@@ -0,0 +1,82 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+const (
+	PasswordComplexityPolicyAddedEventType   = instanceEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
+	PasswordComplexityPolicyChangedEventType = instanceEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
+)
+
+type PasswordComplexityPolicyAddedEvent struct {
+	policy.PasswordComplexityPolicyAddedEvent
+}
+
+func NewPasswordComplexityPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	minLength uint64,
+	hasLowercase,
+	hasUppercase,
+	hasNumber,
+	hasSymbol bool,
+) *PasswordComplexityPolicyAddedEvent {
+	return &PasswordComplexityPolicyAddedEvent{
+		PasswordComplexityPolicyAddedEvent: *policy.NewPasswordComplexityPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordComplexityPolicyAddedEventType),
+			minLength,
+			hasLowercase,
+			hasUppercase,
+			hasNumber,
+			hasSymbol),
+	}
+}
+
+func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.PasswordComplexityPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyAddedEvent{PasswordComplexityPolicyAddedEvent: *e.(*policy.PasswordComplexityPolicyAddedEvent)}, nil
+}
+
+type PasswordComplexityPolicyChangedEvent struct {
+	policy.PasswordComplexityPolicyChangedEvent
+}
+
+func NewPasswordComplexityPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordComplexityPolicyChanges,
+) (*PasswordComplexityPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordComplexityPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordComplexityPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.PasswordComplexityPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *e.(*policy.PasswordComplexityPolicyChangedEvent)}, nil
+}

internal/repository/instance/policy_password_lockout.go

@@ -0,0 +1,76 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LockoutPolicyAddedEventType   = instanceEventTypePrefix + policy.LockoutPolicyAddedEventType
+	LockoutPolicyChangedEventType = instanceEventTypePrefix + policy.LockoutPolicyChangedEventType
+)
+
+type LockoutPolicyAddedEvent struct {
+	policy.LockoutPolicyAddedEvent
+}
+
+func NewLockoutPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) *LockoutPolicyAddedEvent {
+	return &LockoutPolicyAddedEvent{
+		LockoutPolicyAddedEvent: *policy.NewLockoutPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LockoutPolicyAddedEventType),
+			maxAttempts,
+			showLockoutFailure),
+	}
+}
+
+func LockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LockoutPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LockoutPolicyAddedEvent{LockoutPolicyAddedEvent: *e.(*policy.LockoutPolicyAddedEvent)}, nil
+}
+
+type LockoutPolicyChangedEvent struct {
+	policy.LockoutPolicyChangedEvent
+}
+
+func NewLockoutPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LockoutPolicyChanges,
+) (*LockoutPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLockoutPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LockoutPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LockoutPolicyChangedEvent{LockoutPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.LockoutPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LockoutPolicyChangedEvent{LockoutPolicyChangedEvent: *e.(*policy.LockoutPolicyChangedEvent)}, nil
+}

internal/repository/instance/policy_privacy.go

@@ -0,0 +1,78 @@
+package instance
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+const (
+	PrivacyPolicyAddedEventType   = instanceEventTypePrefix + policy.PrivacyPolicyAddedEventType
+	PrivacyPolicyChangedEventType = instanceEventTypePrefix + policy.PrivacyPolicyChangedEventType
+)
+
+type PrivacyPolicyAddedEvent struct {
+	policy.PrivacyPolicyAddedEvent
+}
+
+func NewPrivacyPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	tosLink,
+	privacyLink,
+	helpLink string,
+) *PrivacyPolicyAddedEvent {
+	return &PrivacyPolicyAddedEvent{
+		PrivacyPolicyAddedEvent: *policy.NewPrivacyPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PrivacyPolicyAddedEventType),
+			tosLink,
+			privacyLink,
+			helpLink),
+	}
+}
+
+func PrivacyPolicyAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.PrivacyPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PrivacyPolicyAddedEvent{PrivacyPolicyAddedEvent: *e.(*policy.PrivacyPolicyAddedEvent)}, nil
+}
+
+type PrivacyPolicyChangedEvent struct {
+	policy.PrivacyPolicyChangedEvent
+}
+
+func NewPrivacyPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PrivacyPolicyChanges,
+) (*PrivacyPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPrivacyPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PrivacyPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PrivacyPolicyChangedEvent{PrivacyPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PrivacyPolicyChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := policy.PrivacyPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PrivacyPolicyChangedEvent{PrivacyPolicyChangedEvent: *e.(*policy.PrivacyPolicyChangedEvent)}, nil
+}

internal/repository/instance/secret_generator.go

@@ -0,0 +1,228 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueSecretGeneratorType       = "secret_generator"
+	secretGeneratorPrefix           = "secret.generator."
+	SecretGeneratorAddedEventType   = instanceEventTypePrefix + secretGeneratorPrefix + "added"
+	SecretGeneratorChangedEventType = instanceEventTypePrefix + secretGeneratorPrefix + "changed"
+	SecretGeneratorRemovedEventType = instanceEventTypePrefix + secretGeneratorPrefix + "removed"
+)
+
+func NewAddSecretGeneratorTypeUniqueConstraint(generatorType domain.SecretGeneratorType) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueSecretGeneratorType,
+		string(generatorType),
+		"Errors.SecretGenerator.AlreadyExists")
+}
+
+func NewRemoveSecretGeneratorTypeUniqueConstraint(generatorType domain.SecretGeneratorType) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueSecretGeneratorType,
+		string(generatorType))
+}
+
+type SecretGeneratorAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GeneratorType       domain.SecretGeneratorType `json:"generatorType"`
+	Length              uint                       `json:"length,omitempty"`
+	Expiry              time.Duration              `json:"expiry,omitempty"`
+	IncludeLowerLetters bool                       `json:"includeLowerLetters,omitempty"`
+	IncludeUpperLetters bool                       `json:"includeUpperLetters,omitempty"`
+	IncludeDigits       bool                       `json:"includeDigits,omitempty"`
+	IncludeSymbols      bool                       `json:"includeSymbols,omitempty"`
+}
+
+func NewSecretGeneratorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	generatorType domain.SecretGeneratorType,
+	length uint,
+	expiry time.Duration,
+	includeLowerLetters,
+	includeUpperLetters,
+	includeDigits,
+	includeSymbols bool,
+) *SecretGeneratorAddedEvent {
+	return &SecretGeneratorAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SecretGeneratorAddedEventType,
+		),
+		GeneratorType:       generatorType,
+		Length:              length,
+		Expiry:              expiry,
+		IncludeLowerLetters: includeLowerLetters,
+		IncludeUpperLetters: includeUpperLetters,
+		IncludeDigits:       includeDigits,
+		IncludeSymbols:      includeSymbols,
+	}
+}
+
+func (e *SecretGeneratorAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SecretGeneratorAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddSecretGeneratorTypeUniqueConstraint(e.GeneratorType)}
+}
+
+func SecretGeneratorAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	secretGeneratorAdded := &SecretGeneratorAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, secretGeneratorAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-en9f4", "unable to unmarshal secret generator added")
+	}
+
+	return secretGeneratorAdded, nil
+}
+
+type SecretGeneratorChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GeneratorType       domain.SecretGeneratorType `json:"generatorType"`
+	Length              *uint                      `json:"length,omitempty"`
+	Expiry              *time.Duration             `json:"expiry,omitempty"`
+	IncludeLowerLetters *bool                      `json:"includeLowerLetters,omitempty"`
+	IncludeUpperLetters *bool                      `json:"includeUpperLetters,omitempty"`
+	IncludeDigits       *bool                      `json:"includeDigits,omitempty"`
+	IncludeSymbols      *bool                      `json:"includeSymbols,omitempty"`
+}
+
+func (e *SecretGeneratorChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SecretGeneratorChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewSecretGeneratorChangeEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	generatorType domain.SecretGeneratorType,
+	changes []SecretGeneratorChanges,
+) (*SecretGeneratorChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IAM-j2jfw", "Errors.NoChangesFound")
+	}
+	changeEvent := &SecretGeneratorChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SecretGeneratorChangedEventType,
+		),
+		GeneratorType: generatorType,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type SecretGeneratorChanges func(event *SecretGeneratorChangedEvent)
+
+func ChangeSecretGeneratorLength(length uint) func(event *SecretGeneratorChangedEvent) {
+	return func(e *SecretGeneratorChangedEvent) {
+		e.Length = &length
+	}
+}
+
+func ChangeSecretGeneratorExpiry(expiry time.Duration) func(event *SecretGeneratorChangedEvent) {
+	return func(e *SecretGeneratorChangedEvent) {
+		e.Expiry = &expiry
+	}
+}
+
+func ChangeSecretGeneratorIncludeLowerLetters(includeLowerLetters bool) func(event *SecretGeneratorChangedEvent) {
+	return func(e *SecretGeneratorChangedEvent) {
+		e.IncludeLowerLetters = &includeLowerLetters
+	}
+}
+
+func ChangeSecretGeneratorIncludeUpperLetters(includeUpperLetters bool) func(event *SecretGeneratorChangedEvent) {
+	return func(e *SecretGeneratorChangedEvent) {
+		e.IncludeUpperLetters = &includeUpperLetters
+	}
+}
+
+func ChangeSecretGeneratorIncludeDigits(includeDigits bool) func(event *SecretGeneratorChangedEvent) {
+	return func(e *SecretGeneratorChangedEvent) {
+		e.IncludeDigits = &includeDigits
+	}
+}
+
+func ChangeSecretGeneratorIncludeSymbols(includeSymbols bool) func(event *SecretGeneratorChangedEvent) {
+	return func(e *SecretGeneratorChangedEvent) {
+		e.IncludeDigits = &includeSymbols
+	}
+}
+
+func SecretGeneratorChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &SecretGeneratorChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-2m09e", "unable to unmarshal secret generator changed")
+	}
+
+	return e, nil
+}
+
+type SecretGeneratorRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GeneratorType domain.SecretGeneratorType `json:"generatorType"`
+}
+
+func (e *SecretGeneratorRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SecretGeneratorRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveSecretGeneratorTypeUniqueConstraint(e.GeneratorType)}
+}
+
+func NewSecretGeneratorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	generatorType domain.SecretGeneratorType,
+) *SecretGeneratorRemovedEvent {
+	return &SecretGeneratorRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SecretGeneratorRemovedEventType,
+		),
+		GeneratorType: generatorType,
+	}
+}
+
+func SecretGeneratorRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &SecretGeneratorRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-m09ke", "unable to unmarshal secret generator removed")
+	}
+
+	return e, nil
+}

internal/repository/instance/sms.go

@@ -0,0 +1,301 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	smsConfigPrefix                      = "sms.config"
+	smsConfigTwilioPrefix                = "twilio."
+	SMSConfigTwilioAddedEventType        = instanceEventTypePrefix + smsConfigPrefix + smsConfigTwilioPrefix + "added"
+	SMSConfigTwilioChangedEventType      = instanceEventTypePrefix + smsConfigPrefix + smsConfigTwilioPrefix + "changed"
+	SMSConfigTwilioTokenChangedEventType = instanceEventTypePrefix + smsConfigPrefix + smsConfigTwilioPrefix + "token.changed"
+	SMSConfigActivatedEventType          = instanceEventTypePrefix + smsConfigPrefix + smsConfigTwilioPrefix + "activated"
+	SMSConfigDeactivatedEventType        = instanceEventTypePrefix + smsConfigPrefix + smsConfigTwilioPrefix + "deactivated"
+	SMSConfigRemovedEventType            = instanceEventTypePrefix + smsConfigPrefix + smsConfigTwilioPrefix + "removed"
+)
+
+type SMSConfigTwilioAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string              `json:"id,omitempty"`
+	SID          string              `json:"sid,omitempty"`
+	Token        *crypto.CryptoValue `json:"token,omitempty"`
+	SenderNumber string              `json:"senderNumber,omitempty"`
+}
+
+func NewSMSConfigTwilioAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id,
+	sid,
+	senderNumber string,
+	token *crypto.CryptoValue,
+) *SMSConfigTwilioAddedEvent {
+	return &SMSConfigTwilioAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMSConfigTwilioAddedEventType,
+		),
+		ID:           id,
+		SID:          sid,
+		Token:        token,
+		SenderNumber: senderNumber,
+	}
+}
+
+func (e *SMSConfigTwilioAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMSConfigTwilioAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMSConfigTwilioAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smsConfigAdded := &SMSConfigTwilioAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smsConfigAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-smwiR", "unable to unmarshal sms config twilio added")
+	}
+
+	return smsConfigAdded, nil
+}
+
+type SMSConfigTwilioChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string  `json:"id,omitempty"`
+	SID          *string `json:"sid,omitempty"`
+	SenderNumber *string `json:"senderNumber,omitempty"`
+}
+
+func NewSMSConfigTwilioChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	changes []SMSConfigTwilioChanges,
+) (*SMSConfigTwilioChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IAM-smn8e", "Errors.NoChangesFound")
+	}
+	changeEvent := &SMSConfigTwilioChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMSConfigTwilioChangedEventType,
+		),
+		ID: id,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type SMSConfigTwilioChanges func(event *SMSConfigTwilioChangedEvent)
+
+func ChangeSMSConfigTwilioSID(sid string) func(event *SMSConfigTwilioChangedEvent) {
+	return func(e *SMSConfigTwilioChangedEvent) {
+		e.SID = &sid
+	}
+}
+
+func ChangeSMSConfigTwilioSenderNumber(senderNumber string) func(event *SMSConfigTwilioChangedEvent) {
+	return func(e *SMSConfigTwilioChangedEvent) {
+		e.SenderNumber = &senderNumber
+	}
+}
+
+func (e *SMSConfigTwilioChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMSConfigTwilioChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMSConfigTwilioChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smsConfigChanged := &SMSConfigTwilioChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smsConfigChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-smwiR", "unable to unmarshal sms config twilio added")
+	}
+
+	return smsConfigChanged, nil
+}
+
+type SMSConfigTwilioTokenChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID    string              `json:"id,omitempty"`
+	Token *crypto.CryptoValue `json:"password,omitempty"`
+}
+
+func NewSMSConfigTokenChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	token *crypto.CryptoValue,
+) *SMSConfigTwilioTokenChangedEvent {
+	return &SMSConfigTwilioTokenChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMSConfigTwilioTokenChangedEventType,
+		),
+		ID:    id,
+		Token: token,
+	}
+}
+
+func (e *SMSConfigTwilioTokenChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMSConfigTwilioTokenChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMSConfigTwilioTokenChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smtpConfigTokenChagned := &SMSConfigTwilioTokenChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smtpConfigTokenChagned)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-fi9Wf", "unable to unmarshal sms config token changed")
+	}
+
+	return smtpConfigTokenChagned, nil
+}
+
+type SMSConfigActivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	ID                   string `json:"id,omitempty"`
+}
+
+func NewSMSConfigTwilioActivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+) *SMSConfigActivatedEvent {
+	return &SMSConfigActivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMSConfigActivatedEventType,
+		),
+		ID: id,
+	}
+}
+
+func (e *SMSConfigActivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMSConfigActivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMSConfigActivatedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smsConfigActivated := &SMSConfigActivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smsConfigActivated)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-dn92f", "unable to unmarshal sms config twilio activated changed")
+	}
+
+	return smsConfigActivated, nil
+}
+
+type SMSConfigDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	ID                   string `json:"id,omitempty"`
+}
+
+func NewSMSConfigDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+) *SMSConfigDeactivatedEvent {
+	return &SMSConfigDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMSConfigDeactivatedEventType,
+		),
+		ID: id,
+	}
+}
+
+func (e *SMSConfigDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMSConfigDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMSConfigDeactivatedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smsConfigDeactivated := &SMSConfigDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smsConfigDeactivated)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-dn92f", "unable to unmarshal sms config twilio deactivated changed")
+	}
+
+	return smsConfigDeactivated, nil
+}
+
+type SMSConfigRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	ID                   string `json:"id,omitempty"`
+}
+
+func NewSMSConfigRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+) *SMSConfigRemovedEvent {
+	return &SMSConfigRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMSConfigRemovedEventType,
+		),
+		ID: id,
+	}
+}
+
+func (e *SMSConfigRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMSConfigRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMSConfigRemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smsConfigRemoved := &SMSConfigRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smsConfigRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-99iNF", "unable to unmarshal sms config removed")
+	}
+
+	return smsConfigRemoved, nil
+}

internal/repository/instance/smtp_config.go

@@ -0,0 +1,199 @@
+package instance
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	smtpConfigPrefix                   = "smtp.config"
+	SMTPConfigAddedEventType           = instanceEventTypePrefix + smtpConfigPrefix + "added"
+	SMTPConfigChangedEventType         = instanceEventTypePrefix + smtpConfigPrefix + "changed"
+	SMTPConfigPasswordChangedEventType = instanceEventTypePrefix + smtpConfigPrefix + "password.changed"
+)
+
+type SMTPConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	SenderAddress string              `json:"senderAddress,omitempty"`
+	SenderName    string              `json:"senderName,omitempty"`
+	TLS           bool                `json:"tls,omitempty"`
+	Host          string              `json:"host,omitempty"`
+	User          string              `json:"user,omitempty"`
+	Password      *crypto.CryptoValue `json:"password,omitempty"`
+}
+
+func NewSMTPConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	tls bool,
+	senderAddress,
+	senderName,
+	host,
+	user string,
+	password *crypto.CryptoValue,
+) *SMTPConfigAddedEvent {
+	return &SMTPConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMTPConfigAddedEventType,
+		),
+		TLS:           tls,
+		SenderAddress: senderAddress,
+		SenderName:    senderName,
+		Host:          host,
+		User:          user,
+		Password:      password,
+	}
+}
+
+func (e *SMTPConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMTPConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMTPConfigAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smtpConfigAdded := &SMTPConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smtpConfigAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-39fks", "unable to unmarshal smtp config added")
+	}
+
+	return smtpConfigAdded, nil
+}
+
+type SMTPConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	FromAddress *string `json:"senderAddress,omitempty"`
+	FromName    *string `json:"senderName,omitempty"`
+	TLS         *bool   `json:"tls,omitempty"`
+	Host        *string `json:"host,omitempty"`
+	User        *string `json:"user,omitempty"`
+}
+
+func (e *SMTPConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMTPConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewSMTPConfigChangeEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []SMTPConfigChanges,
+) (*SMTPConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IAM-o0pWf", "Errors.NoChangesFound")
+	}
+	changeEvent := &SMTPConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMTPConfigChangedEventType,
+		),
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type SMTPConfigChanges func(event *SMTPConfigChangedEvent)
+
+func ChangeSMTPConfigTLS(tls bool) func(event *SMTPConfigChangedEvent) {
+	return func(e *SMTPConfigChangedEvent) {
+		e.TLS = &tls
+	}
+}
+
+func ChangeSMTPConfigFromAddress(senderAddress string) func(event *SMTPConfigChangedEvent) {
+	return func(e *SMTPConfigChangedEvent) {
+		e.FromAddress = &senderAddress
+	}
+}
+
+func ChangeSMTPConfigFromName(senderName string) func(event *SMTPConfigChangedEvent) {
+	return func(e *SMTPConfigChangedEvent) {
+		e.FromName = &senderName
+	}
+}
+
+func ChangeSMTPConfigSMTPHost(smtpHost string) func(event *SMTPConfigChangedEvent) {
+	return func(e *SMTPConfigChangedEvent) {
+		e.Host = &smtpHost
+	}
+}
+
+func ChangeSMTPConfigSMTPUser(smtpUser string) func(event *SMTPConfigChangedEvent) {
+	return func(e *SMTPConfigChangedEvent) {
+		e.User = &smtpUser
+	}
+}
+
+func SMTPConfigChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &SMTPConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-m09oo", "unable to unmarshal smtp changed")
+	}
+
+	return e, nil
+}
+
+type SMTPConfigPasswordChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Password *crypto.CryptoValue `json:"password,omitempty"`
+}
+
+func NewSMTPConfigPasswordChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	password *crypto.CryptoValue,
+) *SMTPConfigPasswordChangedEvent {
+	return &SMTPConfigPasswordChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SMTPConfigPasswordChangedEventType,
+		),
+		Password: password,
+	}
+}
+
+func (e *SMTPConfigPasswordChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SMTPConfigPasswordChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SMTPConfigPasswordChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	smtpConfigPasswordChagned := &SMTPConfigPasswordChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, smtpConfigPasswordChagned)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-99iNF", "unable to unmarshal smtp config password changed")
+	}
+
+	return smtpConfigPasswordChagned, nil
+}