SSH tunnel through bastion
bash
# 1. List every stack output as a key/value table; read the bastion IP and
#    the RDS endpoint from it (they fill <BASTION_IP> and <RDS_ENDPOINT> below)
aws cloudformation describe-stacks \
  --region ap-northeast-1 \
  --stack-name mpac-smartpos-dev \
  --output table \
  --query 'Stacks[0].Outputs[*].[OutputKey,OutputValue]'
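# 2. Download bastion SSH key from SSM Parameter Store
# The key file is created and locked down to 0600 *before* the private key is
# written into it. Redirecting first and running chmod afterwards leaves a
# window in which the decrypted key sits on disk with default-umask
# permissions (typically world-readable), and a pre-existing file would keep
# whatever mode it already had.
# The subshell keeps the umask change from leaking into the calling shell.
(
  umask 077
  touch ~/.ssh/mpac-bastion-dev.pem
  chmod 600 ~/.ssh/mpac-bastion-dev.pem
  # The inner call resolves the key pair id from the stack outputs; it is
  # quoted so an empty or multi-word result cannot split into extra arguments.
  aws ssm get-parameter \
    --name "/ec2/keypair/$(aws cloudformation describe-stacks \
      --stack-name mpac-smartpos-dev \
      --region ap-northeast-1 \
      --query 'Stacks[0].Outputs[?OutputKey==`BastionKeyPairId`].OutputValue' \
      --output text)" \
    --with-decryption \
    --query Parameter.Value \
    --output text \
    --region ap-northeast-1 > ~/.ssh/mpac-bastion-dev.pem
)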
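# 3. Open SSH tunnel (maps local:5433 → RDS:5432)
# - 127.0.0.1 pins the listener to loopback, so the forwarded database port is
#   not reachable from other hosts even if GatewayPorts is enabled in the
#   local ssh configuration.
# - ExitOnForwardFailure makes ssh exit instead of staying connected with no
#   tunnel when local port 5433 cannot be bound (e.g. it is already in use).
# - IdentitiesOnly offers only the bastion key given with -i, not every key
#   loaded in the agent.
# On first connect, check the bastion's host key fingerprint against a trusted
# source before accepting it.
ssh -i ~/.ssh/mpac-bastion-dev.pem \
  -o IdentitiesOnly=yes \
  -o ExitOnForwardFailure=yes \
  -L 127.0.0.1:5433:<RDS_ENDPOINT>:5432 \
  -N ec2-user@<BASTION_IP>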
# 4. Run your client tool to connect
DATABASE_URL="postgresql+asyncpg://mpacadm:<DB_PASSWORD>@localhost:5433/mpacdb" \