# Assume-role (trust) policy document: grants sts:AssumeRole to exactly one
# principal, the mdr_engineer_readonly role in the account/partition taken from
# locals. Which role consumes this document is not visible here.
data "aws_iam_policy_document" "non_saml_assume_role_policy" {
  statement {
    sid    = "AllowAssumeRoleFromReadOnly"
    effect = "Allow"

    # Trust is pinned to a single role ARN; partition and account are interpolated
    # from locals rather than hard-coded.
    principals {
      type = "AWS"
      identifiers = [
        "arn:${local.aws_partition}:iam::${local.aws_account}:role/user/mdr_engineer_readonly"
      ]
    }

    # NOTE(review): there is no `condition` block, so nothing beyond the caller's
    # role ARN (e.g. MFA presence, source identity) gates the assumption — confirm
    # that is intended for this role.
    actions = [
      "sts:AssumeRole",
    ]
  }
}

# Developer variant of the trust policy above: the same statement, but two
# read-only roles may assume the target. The sid is reused verbatim from the
# first document; that is harmless because each document is rendered
# separately, but a distinct sid would make the two policies easier to tell
# apart in CloudTrail and in plan diffs.
data "aws_iam_policy_document" "non_saml_assume_role_policy_developer" {
  statement {
    sid    = "AllowAssumeRoleFromReadOnly"
    effect = "Allow"

    principals {
      type = "AWS"
      identifiers = [
        "arn:${local.aws_partition}:iam::${local.aws_account}:role/user/mdr_developer_readonly",
        "arn:${local.aws_partition}:iam::${local.aws_account}:role/user/mdr_engineer_readonly", # engineers can be developers for testing
      ]
    }

    # NOTE(review): as above, no `condition` block — the principal ARN is the
    # only gate on sts:AssumeRole here; confirm this matches the intended
    # access model for the developer role.
    actions = [
      "sts:AssumeRole",
    ]
  }
}