feat: support for OrgPolicy dry runs (#3864)

* feat: support for OrgPolicy dry runs

PiperOrigin-RevId: 502948090

Source-Link: googleapis/googleapis@8f29315

Source-Link: googleapis/googleapis-gen@cf63d95
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLW9yZ3BvbGljeS8uT3dsQm90LnlhbWwiLCJoIjoiY2Y2M2Q5NThiZDAwOTc2MWFlN2NhMGYyMTlkNGY1MDZmZjc4YjgxZCJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: sofisl <55454395+sofisl@users.noreply.github.com>

packages/google-cloud-orgpolicy/protos/google/cloud/orgpolicy/v2/constraint.proto

@@ -18,6 +18,7 @@ package google.cloud.orgpolicy.v2;
 
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
+import "google/protobuf/timestamp.proto";
 
 option csharp_namespace = "Google.Cloud.OrgPolicy.V2";
 option go_package = "google.golang.org/genproto/googleapis/cloud/orgpolicy/v2;orgpolicy";
@@ -87,9 +88,7 @@ message Constraint {
   // For example a constraint `constraints/compute.disableSerialPortAccess`.
   // If it is enforced on a VM instance, serial port connections will not be
   // opened to that instance.
-  message BooleanConstraint {
-
-  }
+  message BooleanConstraint {}
 
   // Immutable. The resource name of the Constraint. Must be in one of
   // the following forms:

packages/google-cloud-orgpolicy/protos/google/cloud/orgpolicy/v2/orgpolicy.proto

@@ -22,6 +22,7 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/orgpolicy/v2/constraint.proto";
 import "google/protobuf/empty.proto";
+import "google/protobuf/field_mask.proto";
 import "google/protobuf/timestamp.proto";
 import "google/type/expr.proto";
 
@@ -55,18 +56,16 @@ option ruby_package = "Google::Cloud::OrgPolicy::V2";
 // particular resource and its child resources.
 service OrgPolicy {
   option (google.api.default_host) = "orgpolicy.googleapis.com";
-  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform";
 
   // Lists `Constraints` that could be applied on the specified resource.
-  rpc ListConstraints(ListConstraintsRequest) returns (ListConstraintsResponse) {
+  rpc ListConstraints(ListConstraintsRequest)
+      returns (ListConstraintsResponse) {
     option (google.api.http) = {
       get: "/v2/{parent=projects/*}/constraints"
-      additional_bindings {
-        get: "/v2/{parent=folders/*}/constraints"
-      }
-      additional_bindings {
-        get: "/v2/{parent=organizations/*}/constraints"
-      }
+      additional_bindings { get: "/v2/{parent=folders/*}/constraints" }
+      additional_bindings { get: "/v2/{parent=organizations/*}/constraints" }
     };
     option (google.api.method_signature) = "parent";
   }
@@ -75,12 +74,8 @@ service OrgPolicy {
   rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse) {
     option (google.api.http) = {
       get: "/v2/{parent=projects/*}/policies"
-      additional_bindings {
-        get: "/v2/{parent=folders/*}/policies"
-      }
-      additional_bindings {
-        get: "/v2/{parent=organizations/*}/policies"
-      }
+      additional_bindings { get: "/v2/{parent=folders/*}/policies" }
+      additional_bindings { get: "/v2/{parent=organizations/*}/policies" }
     };
     option (google.api.method_signature) = "parent";
   }
@@ -93,12 +88,8 @@ service OrgPolicy {
   rpc GetPolicy(GetPolicyRequest) returns (Policy) {
     option (google.api.http) = {
       get: "/v2/{name=projects/*/policies/*}"
-      additional_bindings {
-        get: "/v2/{name=folders/*/policies/*}"
-      }
-      additional_bindings {
-        get: "/v2/{name=organizations/*/policies/*}"
-      }
+      additional_bindings { get: "/v2/{name=folders/*/policies/*}" }
+      additional_bindings { get: "/v2/{name=organizations/*/policies/*}" }
     };
     option (google.api.method_signature) = "name";
   }
@@ -176,12 +167,8 @@ service OrgPolicy {
   rpc DeletePolicy(DeletePolicyRequest) returns (google.protobuf.Empty) {
     option (google.api.http) = {
       delete: "/v2/{name=projects/*/policies/*}"
-      additional_bindings {
-        delete: "/v2/{name=folders/*/policies/*}"
-      }
-      additional_bindings {
-        delete: "/v2/{name=organizations/*/policies/*}"
-      }
+      additional_bindings { delete: "/v2/{name=folders/*/policies/*}" }
+      additional_bindings { delete: "/v2/{name=organizations/*/policies/*}" }
     };
     option (google.api.method_signature) = "name";
   }
@@ -216,6 +203,11 @@ message Policy {
 
   // Deprecated.
   AlternatePolicySpec alternate = 3 [deprecated = true];
+
+  // dry-run policy.
+  // Audit-only policy, can be used to monitor how the policy would have
+  // impacted the existing and future resources if it's enforced.
+  PolicySpec dry_run_spec = 4;
 }
 
 // Similar to PolicySpec but with an extra 'launch' field for launch reference.
@@ -308,7 +300,8 @@ message PolicySpec {
   // Output only. The time stamp this was previously updated. This
   // represents the last time a call to `CreatePolicy` or `UpdatePolicy` was
   // made for that `Policy`.
-  google.protobuf.Timestamp update_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp update_time = 2
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Up to 10 PolicyRules are allowed.
   //
@@ -341,8 +334,8 @@ message PolicySpec {
 // The request sent to the [ListConstraints]
 // [google.cloud.orgpolicy.v2.OrgPolicy.ListConstraints] method.
 message ListConstraintsRequest {
-  // Required. The Cloud resource that parents the constraint. Must be in one of the
-  // following forms:
+  // Required. The Cloud resource that parents the constraint. Must be in one of
+  // the following forms:
   // * `projects/{project_number}`
   // * `projects/{project_id}`
   // * `folders/{folder_id}`
@@ -377,9 +370,9 @@ message ListConstraintsResponse {
 // The request sent to the [ListPolicies]
 // [google.cloud.orgpolicy.v2.OrgPolicy.ListPolicies] method.
 message ListPoliciesRequest {
-  // Required. The target Cloud resource that parents the set of constraints and policies
-  // that will be returned from this call. Must be in one of the following
-  // forms:
+  // Required. The target Cloud resource that parents the set of constraints and
+  // policies that will be returned from this call. Must be in one of the
+  // following forms:
   // * `projects/{project_number}`
   // * `projects/{project_id}`
   // * `folders/{folder_id}`
@@ -417,7 +410,8 @@ message ListPoliciesResponse {
 // The request sent to the [GetPolicy]
 // [google.cloud.orgpolicy.v2.OrgPolicy.GetPolicy] method.
 message GetPolicyRequest {
-  // Required. Resource name of the policy. See `Policy` for naming requirements.
+  // Required. Resource name of the policy. See `Policy` for naming
+  // requirements.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -441,8 +435,8 @@ message GetEffectivePolicyRequest {
 // The request sent to the [CreatePolicyRequest]
 // [google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy] method.
 message CreatePolicyRequest {
-  // Required. The Cloud resource that will parent the new Policy. Must be in one of the
-  // following forms:
+  // Required. The Cloud resource that will parent the new Policy. Must be in
+  // one of the following forms:
   // * `projects/{project_number}`
   // * `projects/{project_id}`
   // * `folders/{folder_id}`
@@ -463,6 +457,11 @@ message CreatePolicyRequest {
 message UpdatePolicyRequest {
   // Required. `Policy` to update.
   Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Field mask used to specify the fields to be overwritten in the policy
+  // by the set. The fields specified in the update_mask are relative to the
+  // policy, not the full request.
+  google.protobuf.FieldMask update_mask = 3;
 }
 
 // The request sent to the [DeletePolicy]