Commit 403bb66
Add 'ruleset' attribute to cloudstack_network_acl_rule resource

This commit adds a new 'ruleset' attribute as an alternative to the legacy
'rule' attribute, providing better support for managing multiple ACL rules
with explicit ordering and in-place updates.

Key Features:

1. New 'ruleset' attribute (TypeSet):
   - Uses TypeSet instead of TypeList to prevent spurious diffs when rules
     are inserted or reordered
   - Requires explicit rule_number for each rule (no auto-numbering)
   - Identifies rules by rule_number (acts as primary key)
   - Includes 'uuid' computed field to track CloudStack rule IDs
   - Uses TypeSet for cidr_list (consistent with other CloudStack resources)
   - Supports in-place UPDATE operations (vs DELETE+CREATE in legacy)

2. Legacy 'rule' attribute enhancements:
   - Added auto-numbering for rules without explicit rule_number
   - Full support for deprecated 'ports' field with multi-port expansion
   - Validation to prevent conflicts between auto-numbering and explicit numbers
   - Deterministic port ordering for stable rule number assignment

3. Unified update logic:
   - Both 'rule' and 'ruleset' use reconciliation-based updates
   - UPDATE changed rules, DELETE removed rules, CREATE new rules
   - Preserves UUIDs across updates (no unnecessary DELETE+CREATE)
   - Ghost entry filtering in CustomizeDiff to handle SDK edge cases

4. Managed mode support:
   - Both 'rule' and 'ruleset' support managed=true/false
   - Out-of-band rules tracked via placeholder entries in state
   - Automatic deletion of out-of-band rules when managed=true
   - Preservation of out-of-band rules when managed=false

5. Comprehensive test coverage:
   - 15 acceptance tests covering all scenarios
   - Tests for basic CRUD, updates, insertions, managed modes
   - Tests for deprecated 'ports' field backward compatibility
   - Plan checks to verify no spurious diffs

Benefits:

- TypeSet eliminates spurious diffs when inserting rules mid-list
- UPDATE API support reduces API calls and preserves UUIDs
- Full backward compatibility with existing 'rule' configurations
- Consistent behavior with other CloudStack firewall resources
- Clear migration path from 'rule' to 'ruleset'

The legacy 'rule' attribute remains fully supported for backward
compatibility and will not be removed.

1 parent 16915b6 commit 403bb66
3 files changed, +3191 -342 lines changed:
- cloudstack
- website/docs/r
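
The reconciliation described in the commit message (match rules by rule_number, UPDATE changed rules, DELETE removed rules, CREATE new rules, and remove out-of-band rules only when managed=true), sketched as an added Go example. It is not code from this commit or from the provider; the `Rule` and `Plan` types, the `OutOfBand` flag, `Reconcile` and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is a simplified, hypothetical ACL rule; RuleNumber is the identity key.
type Rule struct {
	RuleNumber             int
	UUID                   string // assigned by the API; empty for not-yet-created rules
	Action, Protocol, CIDR string
	OutOfBand              bool // exists remotely but was never declared in config
}
type Plan struct{ Create, Update, Delete []Rule }

func sameSpec(a, b Rule) bool {
	return a.Action == b.Action && a.Protocol == b.Protocol && a.CIDR == b.CIDR
}

// Reconcile matches rules by RuleNumber, never by list position.
func Reconcile(current, desired []Rule, managed bool) Plan {
	byNum := make(map[int]Rule, len(current))
	for _, r := range current {
		byNum[r.RuleNumber] = r
	}
	var p Plan
	for _, d := range desired {
		c, found := byNum[d.RuleNumber]
		delete(byNum, d.RuleNumber)
		if !found {
			p.Create = append(p.Create, d)
		} else if !sameSpec(c, d) {
			d.UUID = c.UUID // in-place update keeps the existing rule ID
			p.Update = append(p.Update, d)
		}
	}
	for _, c := range byNum { // leftovers: removed from config, or out-of-band
		if !c.OutOfBand || managed {
			p.Delete = append(p.Delete, c)
		}
	}
	sort.Slice(p.Delete, func(i, j int) bool { return p.Delete[i].RuleNumber < p.Delete[j].RuleNumber })
	return p
}

func main() { // constructed sample data
	cur := []Rule{{10, "uuid-10", "allow", "tcp", "10.0.0.0/8", false}, {20, "uuid-20", "allow", "tcp", "10.1.0.0/16", false}}
	want := []Rule{{10, "", "allow", "tcp", "10.0.0.0/8", false}, {15, "", "deny", "tcp", "10.9.0.0/16", false}, {20, "", "allow", "tcp", "10.2.0.0/16", false}}
	fmt.Printf("%+v\n", Reconcile(cur, want, false))
}
```

Inserting rule 15 between 10 and 20 yields one create and one update in this sketch, and rule 10 is left untouched because identity is the rule number rather than the list index.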