terraform-google-org-policy
Terraform Org Policy V2 Dry Run Support
TL;DR
The Terraform org_policy_v2 module doesn't support Dry Run Mode.
Terraform Resources
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/org_policy_policy#example-usage---dry_run_spec
Detailed design
Ideally, when creating a policy in org_policy_v2, there would be a boolean variable "dry_run_mode" that would create the policy in dry run mode when set to "TRUE", and have the policy created normally when set to "FALSE".
Given that there are currently only 3 constraints that support dry run (https://cloud.google.com/resource-manager/docs/organization-policy/dry-run-policy#limitations), an additional design addition would be a validation check on the constraint so that dry_run_mode would only be usable if one of those constraints was used in the policy.
Additional information
When trying to create a policy with dry run mode enabled in Terraform, errors occur. A similar error occurs when trying to use the org_policy_v2 module together with the google_org_policy_policy resource, saying they are conflicting.
I'm guessing there is a conflict in how the org_policy_v2 module handles the spec block vs. how google_org_policy_policy does, which causes conflicts when trying to use both. Having the org_policy_v2 module support dry_run_mode natively would alleviate this conflict.