# Trust policy for roles that Okta users assume via SAML federation.
#
# Only assertions issued by the registered Okta SAML provider
# (aws_iam_saml_provider.okta) are trusted, and only when the assertion's
# audience is this partition's AWS sign-in endpoint, so an assertion minted
# for a different audience cannot be replayed here.  The endpoint URL is
# looked up from local.saml_signin_page by local.aws_partition (both defined
# elsewhere in this module — not visible here).
data "aws_iam_policy_document" "okta_saml_assume_role_policy" {
  statement {
    sid    = "AllowAssumeRoleViaOkta"
    effect = "Allow"

    # Federated principal pinned to the Okta IdP's provider ARN; no other
    # SAML provider in the account can satisfy this statement.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.okta.arn]
    }

    actions = ["sts:AssumeRoleWithSAML"]

    # Audience restriction: the assertion must name the partition-specific
    # AWS SAML sign-in page as its recipient.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = [local.saml_signin_page[local.aws_partition]]
    }
  }
}