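# Attach an inline IAM policy named "rds-policy" to the bastion role so that it
# may use RDS IAM database authentication (rds-db:connect).
# Side effects: writes ./rds-policy.json and calls `aws iam put-role-policy`.

# Resolve the account of the current credentials. Stop on failure so that an
# empty or garbage account id never ends up in the policy ARN.
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) || {
  printf 'error: aws sts get-caller-identity failed\n' >&2
  exit 1
}
case "$ACCOUNT_ID" in
  '' | *[!0-9]*)
    printf 'error: unexpected account id: %s\n' "$ACCOUNT_ID" >&2
    exit 1
    ;;
esac
REGION_CODE="ap-northeast-2"
ROLE_NAME="bastion-role"

# NOTE(review): the resource "dbuser:*/*" matches every DB resource id and
# every database user name in this account and region, so the role can request
# an IAM auth token for any IAM-enabled database user, including privileged
# ones. Prefer least privilege: scope the ARN to the intended target, i.e.
#   arn:aws:rds-db:<region>:<account-id>:dbuser:<DbiResourceId>/<db-user-name>
# The wildcard is kept here because the intended instance and user are not
# known from this script.
#
# The heredoc delimiter is unquoted on purpose: the shell expands
# ${REGION_CODE} and ${ACCOUNT_ID} directly, which replaces the earlier
# GNU-only `sed -i` placeholder substitution.
cat <<EOF > rds-policy.json || { printf 'error: cannot write rds-policy.json\n' >&2; exit 1; }
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:${REGION_CODE}:${ACCOUNT_ID}:dbuser:*/*"
            ]
        }
    ]
}
EOF

# Quote the role name so it is always passed as a single argument.
aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name rds-policy --policy-document file://rds-policy.json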