
Pulumi: SRE DNS filtering #1566

Merged

Conversation

jemrobinson (Member)
@jemrobinson jemrobinson commented Aug 22, 2023

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).
  • You have marked this pull request as a draft and added '[WIP]' to the title if needed (if you're not yet ready to merge).
  • You have formatted your code using appropriate automated tools (for example ./tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory> for Powershell).

⤴️ Summary

  • The easiest way to change the DNS servers for all resources in a virtual network is to change the VNet DHCP settings
  • This means that the DNS server
    • must already exist when the virtual network is created
    • cannot belong to the virtual network
  • Currently this is done by using the SHM DC as the DNS server, but since we want to phase this out, this PR instead does the following:
    • create a new DNS resource group at the beginning of SRE creation
    • this contains:
      • a virtual network with a single subnet
      • an NSG for that subnet which only allows inbound traffic from this SRE
      • a self-contained container instance (i.e. one that is configured only using environment variables or secrets-mounted-as-files and doesn't need mounted storage)
      • the private DNS zone that used to belong to the SRE
  • With this in place, the SRE virtual network can be peered to the DNS virtual network and use the container as the default DNS server

🌂 Related issues

Closes #1504

🔬 Tests

DNS lookup restrictions are working

[Screenshot, 2023-08-25 17:13, of the DNS lookup tests]
  • Cannot access unauthorised TXT record
  • Cannot resolve Google
  • Cannot resolve Google via Azure platform DNS
  • Can resolve SRE nexus server
  • Can resolve Ubuntu keyserver
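The lookup results listed in the Tests section are what a default-deny, allowlist-based resolver policy produces. The block below is an added example of such a policy, not code from the data-safe-haven project; the private zone name `sre-example.internal` and the allowlist entries are constructed placeholders.

```python
# Allowlist DNS query policy, default-deny, mirroring the lookups the Tests
# section checks. Added example, not the data-safe-haven project's code;
# the zone name and allowlist entries are constructed placeholders.
from __future__ import annotations

from collections.abc import Iterable

SRE_PRIVATE_ZONE = "sre-example.internal"  # placeholder for the SRE private DNS zone

# Names the filtering resolver may forward upstream; everything else is refused.
ALLOWED_SUFFIXES: tuple[str, ...] = (
    SRE_PRIVATE_ZONE,
    "keyserver.ubuntu.com",
)


def _normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def _under_suffix(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it. Matching is on a
    label boundary, so 'evilkeyserver.ubuntu.com' does not match
    'keyserver.ubuntu.com'."""
    return name == suffix or name.endswith("." + suffix)


def filter_query(qname: str, allowed: Iterable[str] = ALLOWED_SUFFIXES) -> str:
    """Return 'forward' for a name under an allowed suffix, 'refuse' otherwise.

    The decision is by name only, so an unauthorised TXT lookup is refused
    exactly like an A lookup: the record type offers no bypass.
    """
    name = _normalise(qname)
    if not name:
        return "refuse"
    return "forward" if any(_under_suffix(name, _normalise(s)) for s in allowed) else "refuse"


def check_test_cases() -> dict[str, str]:
    """Constructed equivalents of the lookups listed in the Tests section."""
    cases = [
        "unauthorised-txt.attacker.example",  # constructed: TXT record outside the allowlist
        "www.google.com",
        f"nexus.{SRE_PRIVATE_ZONE}",
        "keyserver.ubuntu.com",
    ]
    return {name: filter_query(name) for name in cases}


if __name__ == "__main__":
    for name, action in check_test_cases().items():
        print(f"{action:8s} {name}")
```

The "via Azure platform DNS" case is enforced by the NSG rather than by the resolver and is not modelled here.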

@jemrobinson jemrobinson changed the title [WIP] SRE DNS filtering SRE DNS filtering Aug 24, 2023
@jemrobinson jemrobinson marked this pull request as ready for review August 24, 2023 20:57
@jemrobinson jemrobinson requested a review from a team August 24, 2023 20:58
@jemrobinson jemrobinson changed the title SRE DNS filtering Pulumi: SRE DNS filtering Aug 24, 2023
@jemrobinson jemrobinson mentioned this pull request Aug 25, 2023
@jemrobinson jemrobinson force-pushed the 1504-dns-filtering branch 3 times, most recently from 0f83f60 to 8e8118a August 25, 2023 16:09
@jemrobinson jemrobinson force-pushed the 1504-dns-filtering branch 2 times, most recently from 1fd4a68 to bb289e3 August 29, 2023 11:53
@JimMadge JimMadge (Member) left a comment


Looks good. A few questions mostly.

Review comments (all since resolved) on:
  • data_safe_haven/functions/miscellaneous.py
  • data_safe_haven/pulumi/components/sre_dns_server.py (3 comments)
  • typings/bcrypt/__init__.pyi (2 comments)
@jemrobinson jemrobinson force-pushed the 1504-dns-filtering branch 2 times, most recently from fa492d7 to 774372e August 30, 2023 08:23
@jemrobinson jemrobinson force-pushed the 1504-dns-filtering branch 2 times, most recently from 8267929 to 1562a19 August 30, 2023 08:30
@JimMadge JimMadge merged commit cacd39d into alan-turing-institute:python-migration Aug 30, 2023
6 checks passed
@jemrobinson jemrobinson deleted the 1504-dns-filtering branch April 19, 2024 11:00