
feat: add cloud_healthcare policies and inputs for all 8 resources #362

Open
abhay652 wants to merge 40 commits into Hardhat-Enterprises:dev from abhay652:gcp/service/cloud_healthcare2

Conversation

@abhay652

@abhay652 abhay652 commented May 5, 2026

No description provided.

abhay652 force-pushed the gcp/service/cloud_healthcare2 branch from 6db468d to a1479b3 on May 5, 2026 09:28
abhay652 added 24 commits May 5, 2026 15:08
@abhay652
Author

abhay652 commented May 7, 2026

Summary
Added complete OPA/Rego security policies, Terraform input files, and documentation for the cloud_healthcare GCP service.

Resources Covered
google_healthcare_consent_store
google_healthcare_consent_store_iam
google_healthcare_dataset
google_healthcare_dataset_iam
google_healthcare_dicom_store
google_healthcare_dicom_store_iam
google_healthcare_fhir_store
google_healthcare_fhir_store_iam
google_healthcare_hl7_v2_store
google_healthcare_hl7_v2_store_iam
google_healthcare_pipeline_job
google_healthcare_workspace

Changes
Added OPA/Rego policy.rego and vars.rego files for each resource
Added compliant (c.tf) and non-compliant (nc.tf) Terraform input files for each attribute
Added resource_json documentation files for all 12 resources
Added markdown documentation files for all 12 resources

Security Policies Enforced

Data residency — datasets must be deployed in approved regions only
CMEK encryption — datasets must use customer-managed KMS keys
IAM least privilege — no primitive roles (owner, editor, viewer) on any healthcare store
No public IAM members — allUsers and allAuthenticatedUsers blocked across all IAM resources
Audit trails — Pub/Sub notification configs required for DICOM and HL7 V2 stores
Consent TTL — consent stores must have an expiry configured
FHIR controls — approved FHIR version, versioning enabled, update-create disabled
Lineage tracking — pipeline jobs must have lineage enabled
Resource labelling — environment and owner labels required across all stores

Testing
All policies validated locally using OPA evaluation against compliant and non-compliant Terraform plan fixtures. CI checks passing for all 12 resources.
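The checks listed in the summary are easiest to understand as Rego rules evaluated against `terraform show -json` output. The module below is an added illustration, not the PR's own policy.rego or vars.rego (which are not shown on this page): it implements four of the listed controls (data residency, CMEK, no primitive roles, no public members) as `deny` rules over `input.resource_changes`. The approved region set, the resource addresses, and the assumption that the dataset's key lives at `encryption_spec[0].kms_key_name` are mine; the plan fragment used by the inline test is constructed and not one of the PR's fixtures.

```rego
# Added example, not the PR's code: stand-alone OPA/Rego checks over a
# Terraform plan JSON (`terraform show -json plan.out`). Region set and the
# encryption_spec attribute path are assumptions for this illustration.
package healthcare.guard

import rego.v1

approved_regions := {"australia-southeast1", "australia-southeast2"}

primitive_roles := {"roles/owner", "roles/editor", "roles/viewer"}

public_members := {"allUsers", "allAuthenticatedUsers"}

# Healthcare resources that will exist after apply (deletions are skipped).
healthcare_resources contains rc if {
	some rc in input.resource_changes
	startswith(rc.type, "google_healthcare_")
	not "delete" in rc.change.actions
}

# Data residency: datasets may only be placed in approved regions.
deny contains msg if {
	some rc in healthcare_resources
	rc.type == "google_healthcare_dataset"
	not rc.change.after.location in approved_regions
	msg := sprintf("%s: location %s is not an approved region", [rc.address, rc.change.after.location])
}

# CMEK: every dataset must name a customer-managed KMS key.
deny contains msg if {
	some rc in healthcare_resources
	rc.type == "google_healthcare_dataset"
	not cmek_configured(rc.change)
	msg := sprintf("%s: encryption_spec.kms_key_name is not set", [rc.address])
}

cmek_configured(change) if {
	change.after.encryption_spec[0].kms_key_name != ""
}

# A key created in the same plan is unknown until apply; the plan marks it
# in after_unknown rather than after, so accept that shape as configured.
cmek_configured(change) if {
	change.after_unknown.encryption_spec[0].kms_key_name == true
}

# IAM binding resources carry `members`; IAM member resources carry `member`.
members(after) := after.members if after.members

members(after) := {after.member} if after.member

is_iam_grant(t) if endswith(t, "_iam_binding")

is_iam_grant(t) if endswith(t, "_iam_member")

# Least privilege: no primitive roles on any healthcare IAM resource.
deny contains msg if {
	some rc in healthcare_resources
	is_iam_grant(rc.type)
	rc.change.after.role in primitive_roles
	msg := sprintf("%s: primitive role %s is not allowed", [rc.address, rc.change.after.role])
}

# No public principals on any healthcare IAM resource.
deny contains msg if {
	some rc in healthcare_resources
	is_iam_grant(rc.type)
	some m in members(rc.change.after)
	m in public_members
	msg := sprintf("%s: public member %s is not allowed", [rc.address, m])
}

# Constructed plan fragment (not from the PR's fixtures) that trips all four rules.
sample_plan := {"resource_changes": [
	{
		"address": "google_healthcare_dataset.phi",
		"type": "google_healthcare_dataset",
		"change": {
			"actions": ["create"],
			"after": {"location": "us-central1", "encryption_spec": []},
			"after_unknown": {},
		},
	},
	{
		"address": "google_healthcare_dataset_iam_member.public",
		"type": "google_healthcare_dataset_iam_member",
		"change": {
			"actions": ["create"],
			"after": {"role": "roles/viewer", "member": "allUsers"},
		},
	},
]}

# Runs under `opa test`: one finding per violated rule on the sample plan.
test_sample_plan_is_denied if {
	count(deny) == 4 with input as sample_plan
}
```

Run the inline test with `opa test -v healthcare.rego`, and evaluate a real plan with `terraform show -json plan.out | opa eval -I -d healthcare.rego 'data.healthcare.guard.deny'`. Two points worth carrying into a policy set like this one: skip resources whose only action is `delete`, otherwise removing a non-compliant store is itself reported as a violation, and check `after_unknown` as well as `after` for CMEK, otherwise a dataset whose key is created in the same apply is wrongly denied.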

@Shani1116
Contributor

@abhay652 PR opened from a fork, which is not acceptable, so it cannot be reviewed.

Please clone the main repository, create a new branch from it, and raise the PR again using the correct workflow.
