Create CI check in config-mgmt for verifying label compliance
In https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/1847 we are applying labels to the GCP resources to help with cost analysis. Going forward, we should have checks in place to make sure that labelling continues to be applied as resources are added and changed.
We need to do that proactively, in the form of pre-commit or CI checks in the config-mgmt repo. There is a separate issue at https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/1866 for writing checks with a different tool that run against the actually deployed environment.
There are several options for writing these checks:
- https://www.openpolicyagent.org/
- https://www.checkov.io/
- https://aquasecurity.github.io/tfsec/
- https://runterrascan.io/
- https://terraform-compliance.com/
There is an OPA definition at https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/1866#note_1099562927 that runs checks against a terraform plan, but it evaluates every resource in the plan rather than only those being created or changed, which is not ideal.
These checks should also be performant; the OPA definition takes a while to run, so it may not be the best option.
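To make the "only changed resources" point concrete, here is an added example (not code from config-mgmt, and not the OPA definition linked above) that reads the JSON form of a terraform plan (`terraform show -json plan.out`) and checks labels only on resources whose planned actions include `create` or `update`; no-op, read and delete entries are skipped, and labels that are still unknown at plan time are reported rather than silently passed. The required label keys, the `google_` type filter and the embedded sample plan are assumptions for the example, not the actual labelling policy from scalability#1847.

```python
"""Label-compliance check over `terraform show -json` plan output.

Added example, not the config-mgmt repo's own code. Assumptions (labelled):
 - REQUIRED_LABELS is a placeholder set; the real keys come from scalability#1847.
 - Only google_* resource types are checked (the GCP provider exposes `labels`).
 - SAMPLE_PLAN is a constructed plan shaped like real terraform plan JSON.
"""
import json
import sys

REQUIRED_LABELS = {"team", "service", "env"}   # assumed keys, not the real policy
CHANGING_ACTIONS = {"create", "update"}         # plan JSON action verbs we care about


def changed_resources(plan):
    """Yield resource_changes entries being created or updated.

    Entries whose actions are only no-op, read or delete are skipped, so the
    check cost scales with the size of the change, not the size of the state.
    """
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if actions & CHANGING_ACTIONS:
            yield rc


def check_labels(rc, required=REQUIRED_LABELS):
    """Return a list of problems for one resource change; empty means compliant."""
    change = rc["change"]
    after = change.get("after") or {}              # None for deletes
    unknown = change.get("after_unknown") or {}
    # Resource type has no `labels` attribute at all: nothing to enforce.
    if "labels" not in after and "labels" not in unknown:
        return []
    unknown_labels = unknown.get("labels")
    # Whole map computed at apply time (e.g. from another resource's output):
    # we cannot verify it from the plan, so say so instead of passing it.
    if unknown_labels is True:
        return [f"{rc['address']}: labels unknown until apply; cannot verify"]
    present = set(after.get("labels") or {})
    if isinstance(unknown_labels, dict):
        present |= set(unknown_labels)             # key exists, value computed later
    missing = sorted(required - present)
    return [f"{rc['address']}: missing labels {missing}"] if missing else []


def check_plan(plan, required=REQUIRED_LABELS):
    """Return all problems in the plan, checking only changed GCP resources."""
    problems = []
    for rc in changed_resources(plan):
        if not rc.get("type", "").startswith("google_"):
            continue                               # assumption: GCP resources only
        problems.extend(check_labels(rc, required))
    return problems


SAMPLE_PLAN = {  # constructed sample, shaped like `terraform show -json plan.out`
    "format_version": "1.1",
    "resource_changes": [
        {"address": "google_compute_instance.web", "type": "google_compute_instance",
         "change": {"actions": ["create"],
                    "after": {"name": "web", "labels": {"team": "scalability", "service": "web"}},
                    "after_unknown": {"id": True}}},
        {"address": "google_storage_bucket.old", "type": "google_storage_bucket",
         "change": {"actions": ["no-op"],
                    "after": {"name": "old", "labels": None},
                    "after_unknown": {}}},
        {"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
         "change": {"actions": ["update"],
                    "after": {"name": "logs", "labels": None},
                    "after_unknown": {"labels": True}}},
        {"address": "google_compute_address.nat", "type": "google_compute_address",
         "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
    ],
}


if __name__ == "__main__":
    # Usage in CI: terraform show -json plan.out > plan.json && python check_labels.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    issues = check_plan(plan)
    print("\n".join(issues) or "all changed GCP resources carry the required labels")
    sys.exit(1 if issues else 0)
```

On the sample plan only the created instance (missing `env`) and the updated bucket with apply-time labels are reported; the unchanged and deleted resources are never inspected. An OPA policy can apply the same filter by keying on `resource_changes[_].change.actions` before touching `change.after`, which is what the linked definition would need to avoid scanning every resource in the plan.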
In this issue, we are going to create a POC using several of the listed tools, test what performance is like on each, and gather feedback from other SREs.