Add basic deny policy support

[modular-magician]

This is a combination of org/project/folder IAM deny policy as they are handled by the same endpoint with different "parent" fields.

This API actually handles IAM principals much more sanely than IAM policies do. Email based principals (users, groups) are strictly validated by the API and rejected if case does not match. This alleviates much of the normalization problem we have seen with IAM policies in general.

Team wanted authoritative approach per rule, as multiple rules can be set per parent

If this PR is for Terraform, I acknowledge that I have:

• Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
• Generated Terraform, and ran make test and make lint to ensure it passes unit and linter tests.
• Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
• Ran relevant acceptance tests (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
• Read the Release Notes Guide before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

google_iam_deny_policy

Derived from GoogleCloudPlatform/magic-modules#5854

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.