Add intercepting sinks to the organization module

[rshokati2]

Allow fabric organization module to intercept audit logging including all child resources. The validation block ensures both intercept_children and include_children as set to true, and the destination 'type' is a 'project'.

---

Checklist

I applicable, I acknowledge that I have:

• Read the contributing guide
• Ran terraform fmt on all modified files
• Regenerated the relevant README.md files using tools/tfdoc.py
• Made sure all relevant tests pass

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[juliocc]

@rshokati2 Thanks for sending this PR! It's been on my to-do list for a while.

These changes also make sense for the folder module. Could you replicate them there as well?

I've left a few more comments below.

[juliocc]

This is a breaking change. Anyone currently using the module without specifying include_children will have an error after updating.

Can we keep include_children=optional(bool, true) and intercept_children=optional(bool, false)?

[juliocc]

This validation is already done server-side. I'm not sure we want to replicate it here. @ludoo what do you think?

The condition can be simplified to

    condition = alltrue([
      for k, v in var.logging_sinks :
        !v.intercept_children || (v.include_children && v.type == "project") 
    ])