Enable dnsmasq as a system job that runs everywhere

[ghost]

Which issue does this PR correspond to?

https://github.com/grapl-security/issue-tracker/issues/1011

What changes does this PR make to Grapl? Why?

For AWS we need a way to change Nomad jobs so that they get dns from localhost:8600 (the Consul agent). Ideally we'd be able to do dns_server = localhost:8600, but that isn't supported. Looking at the docker docs, they kinda support it using published ports (ie mapping host ports to different ports in containers ie the reverse of normal port mapping where we publish container ports to a different host port). Nomad doesn't support published ports that I can find. As such, the easiest thing to do is to use dnsmasq as a dns forwarder.

Note: We're using containerized dnsmasq instead of host-based dnsmasq that way we only have one place we're setting up dns

How were these changes tested?

[ghost]

Long-term we'll want to switch this to either an official dnsmasq container or one that we build

[ghost]

Note to self: doublecheck why we're doing it this way. It probably makes sense to switch to attr.unique.network.ip-address

[wimax-grapl]

(how likely are we to actually follow up on this lol)

[ghost]

This part seems like it will work both ways, so I'm going to leave it

[ghost]

I still need to do some testing with this, but this is generally the approach I'd like to take to forward dns to the local Consul agent.

As an overview the dns call chain will look like
container -> dnsmasq on port 53 -> consul agent -> AWS dns.
Why?
This way we get access to all *.consul domains (used to forward observability requests to the otel collector) and then we get normal dns. Not either or.

Some risks that we need to take a look at:
What happens if dnsmasq fails to come up? Does it need to come up first?

[codecov]

Codecov Report

Base: 44.17% // Head: 44.17% // Increases project coverage by +0.00% 🎉

Coverage data is based on head (b1a5b11) compared to base (5847298).
Patch coverage: 0.00% of modified lines in pull request are covered.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1976   +/-   ##
=======================================
  Coverage   44.17%   44.17%           
=======================================
  Files         473      473           
  Lines       13381    13382    +1     
  Branches       23       23           
=======================================
+ Hits         5911     5912    +1     
  Misses       7455     7455           
  Partials       15       15           

Impacted Files	Coverage Δ
pulumi/grapl/__main__.py	0.00% <0.00%> (ø)
src/rust/sysmon-parser/src/util.rs	59.72% <0.00%> (+0.46%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[wimax-grapl]

(how likely are we to actually follow up on this lol)

[wimax-grapl]

honestly we prob don't need this for a single image

[ghost]

I've investigated alternative approaches:

1. For production, it may make sense to set up the consul terraform sync code. This is the model that k8s typically uses.
   2 I've also looked into getting rid of all consul dns. Right now the only place this is being used is by Consul to figure out where to forward traces to. We could do this, but it would require a fair amount of hackery, especially since go-sockaddr isn't supported