I have used a couple of ways in the past.
A) Create an internal ALB and a private hosted zone so that internal users never see the maintenance screen, because it's on a different ALB.
B) Place your maintenance rule, say, in position 5 and then create rules 1-4, which are based on source IPs, that send traffic to the underlying target group. All other traffic defaults to rule 5.
C) In your ALB rule, allow traffic which contains custom HTTP headers. Devs would need to inject the header, which is similar to option B. You'd need a Chrome plugin to do this.
To script it you can use multiple means: CLI, IaC, Python or AWS Step Functions to automate this.
Funnily enough, having the same conversation again today. Have an option D I have not tested yet.
Use WAF to inject a header based on source IP/request host.
On your ALB, have a rule that looks for that header and bypasses the maintenance screen. https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-incoming-request.html
If any of these answers are useful, please be sure to accept, to help me and others. Gary
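An added example (my code, not Gary's or AWS's) of what options B and C look like when scripted: it builds the listener rules as `boto3` `elbv2.create_rule` parameter dicts (source-IP rules at priorities 1-4, a header bypass at 5, the maintenance fixed-response last) and then evaluates them locally the same way the ALB does, lowest priority number first, so you can see which request ends up where before deploying. The ARNs, CIDRs, header name and header value are constructed placeholders. Two caveats worth checking against the docs before relying on this: the ALB `source-ip` condition matches the client address of the TCP connection, not `X-Forwarded-For`, and if you go with option D the headers WAF inserts are prefixed with `x-amzn-waf-`, so the ALB rule must match that prefixed name.

```python
"""Added example: build ALB listener rules for a maintenance-page bypass
(source-IP allow-list plus a secret header) and simulate ALB rule matching.
All ARNs, CIDRs and header values are constructed placeholders."""
import ipaddress
from fnmatch import fnmatch

# Placeholders: substitute your own listener and target group ARNs.
LISTENER_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER"
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/app/PLACEHOLDER"

# Assumed header name; the value is the bypass secret, so keep it out of VCS
# and rotate it once maintenance is over. If WAF inserts the header for you
# (option D), match "x-amzn-waf-" + name here instead, as WAF adds that prefix.
BYPASS_HEADER = "X-Maintenance-Bypass"
BYPASS_VALUE = "constructed-secret-value"

FORWARD = {"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}
MAINTENANCE = {
    "Type": "fixed-response",
    "FixedResponseConfig": {
        "StatusCode": "503",
        "ContentType": "text/html",
        "MessageBody": "<h1>Down for maintenance</h1>",
    },
}


def build_rules():
    """Return create_rule parameter dicts. Priorities 1-4: office/VPN CIDRs
    (option B). Priority 5: secret header (option C). Priority 6: the
    maintenance page for every other request (path-pattern /*)."""
    office_cidrs = ["10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
    rules = []
    for prio, cidr in enumerate(office_cidrs, start=1):
        rules.append({
            "ListenerArn": LISTENER_ARN,
            "Priority": prio,
            "Conditions": [{"Field": "source-ip", "SourceIpConfig": {"Values": [cidr]}}],
            "Actions": [FORWARD],
        })
    rules.append({
        "ListenerArn": LISTENER_ARN,
        "Priority": 5,
        "Conditions": [{
            "Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": BYPASS_HEADER, "Values": [BYPASS_VALUE]},
        }],
        "Actions": [FORWARD],
    })
    rules.append({
        "ListenerArn": LISTENER_ARN,
        "Priority": 6,
        "Conditions": [{"Field": "path-pattern", "PathPatternConfig": {"Values": ["/*"]}}],
        "Actions": [MAINTENANCE],
    })
    return rules


def _condition_matches(cond, request):
    """Local approximation of one ALB rule condition."""
    field = cond["Field"]
    if field == "source-ip":
        # The ALB compares the connection's peer address, not X-Forwarded-For.
        ip = ipaddress.ip_address(request["source_ip"])
        return any(ip in ipaddress.ip_network(c) for c in cond["SourceIpConfig"]["Values"])
    if field == "http-header":
        cfg = cond["HttpHeaderConfig"]
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(cfg["HttpHeaderName"].lower()) in cfg["Values"]
    if field == "path-pattern":
        path = request.get("path", "/")
        return any(fnmatch(path, p) for p in cond["PathPatternConfig"]["Values"])
    raise ValueError(f"unsupported condition field: {field}")


def evaluate(rules, request):
    """Return the action type of the first matching rule, lowest priority
    number first, or 'default' if nothing matched (the listener default)."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if all(_condition_matches(c, request) for c in rule["Conditions"]):
            return rule["Actions"][0]["Type"]
    return "default"


if __name__ == "__main__":
    rules = build_rules()
    # To deploy: boto3.client("elbv2").create_rule(**rule) for each rule.
    for req in ({"source_ip": "10.1.2.3"},
                {"source_ip": "172.16.5.5"},
                {"source_ip": "172.16.5.5", "headers": {BYPASS_HEADER: BYPASS_VALUE}}):
        print(req, "->", evaluate(rules, req))
```

Deploying is just `boto3.client("elbv2").create_rule(**rule)` for each dict; running the evaluator first catches the usual mistake of giving the maintenance rule a lower priority number than the bypass rules, which would shadow them.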