infra/gcp/org: give org admins orgpolicy.policyAdmin role

infra/gcp/ensure-organization.sh

@@ -52,6 +52,9 @@ org_role_bindings=(
   # https://cloud.google.com/storage/docs/access-control/iam-roles#basic-roles-intrinsic
   "group:[email protected]:roles/owner"
   "group:[email protected]:$(custom_org_role_name "organization.admin")"
+  # orgpolicy.policy.set is not allowed in custom roles, this is the only role that has it
+  "group:[email protected]:roles/orgpolicy.policyAdmin"
+
 
   # empower k8s-infra-prow-oncall@ to use GCP Console to navigate to their projects
   "group:[email protected]:roles/browser"