I thought the gcppostgres scheme would handle that...
# google-cloud
m
I thought the gcppostgres scheme would handle that, but it seems to try to connect to the internal IP, which obviously won't work.
d
You still need to use a jumphost/bastion
m
I have a bastion server but am unsure how to best get the postgres provider to use it.
d
Easiest way would be to open a tunnel, then configure the postgres provider to connect via that. It's been a while since I did it, but I ended up using cloudsql proxy to handle the connection via the bastion, then have pulumi connect to localhost via the socket/port that cloudsql proxy opens
Basically... Not really a clean way of doing it
m
So far I've avoided needing to "wrap" pulumi in my own set of scripts.
q
You don't need to use your own set of scripts for that; you could use Pulumi's Automation API to trigger your Pulumi updates from within a regular program: https://www.pulumi.com/docs/iac/using-pulumi/automation-api/getting-started-automation-api/ Your program would essentially first open the SSH tunnel and after that trigger the Pulumi operations through the Automation API.