Commit 5db20f5
Add ruleset attribute with ghost entry workaround and unified update logic
This commit introduces a new 'ruleset' attribute for cloudstack_network_acl_rule
that supports multiple rules in a single resource with proper rule_number ordering.
The legacy 'rule' attribute remains fully supported for backward compatibility.
Key changes:
1. New 'ruleset' attribute (TypeSet):
- Supports multiple ACL rules with explicit rule_number ordering
- Uses TypeSet for cidr_list (vs TypeList in legacy 'rule')
- Includes 'uuid' field (Computed) to track CloudStack rule IDs
- Enables in-place updates via UPDATE API calls
2. Ghost entry workaround:
- Added CustomizeDiff to filter ghost entries from ruleset
- Ghost entries occur when SDK preserves Computed fields (uuid) after removal
- Implemented isGhostEntry() and filterGhostEntries() helpers
- Filters applied in CustomizeDiff and Read operations
3. Unified update logic:
- Both 'rule' and 'ruleset' now use performNormalRuleUpdates()
- Reconciliation-based approach: UPDATE changed rules, DELETE removed, CREATE new
- Preserves UUIDs across updates (no DELETE+CREATE for simple changes)
- Removed redundant createRulesetRules() and deleteRulesetRules()
4. Fixed legacy 'rule' attribute regression:
- Read function now correctly populates 'uuids' map for legacy attribute
- Fixed for ICMP, ALL, and TCP/UDP protocols
- Ensures backward compatibility with existing configurations
5. Comprehensive test coverage:
- 10 new tests for ruleset attribute functionality
- Tests for insert, update, remove, managed/not-managed modes
- Plan checks to verify no spurious diffs
- All 19 ACL tests passing
Benefits:
- UPDATE support for ruleset (vs DELETE+CREATE in legacy)
- Fewer API calls and preserved UUIDs
- Consistent behavior between 'rule' and 'ruleset'
- Clean codebase with DRY principles
- Full backward compatibility maintained

1 parent b8eb9d9 commit 5db20f5
2 files changed, +383 -98 lines changed (cloudstack)
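The reconciliation and ghost-entry filtering described in the commit message, sketched as an added example that is not the provider's code. The `Rule` struct, matching by `rule_number`, and the body of `isGhostEntry` (an entry whose only populated field is `uuid`) are assumptions made for illustration.

```go
package main

import "fmt"

// Rule is a hypothetical, reduced ruleset entry; UUID is the Computed CloudStack rule ID.
type Rule struct {
	RuleNumber             int
	Action, Protocol, CIDR string
	UUID                   string
}
type Plan struct{ Create, Update, Delete []Rule } // API calls one pass would issue

// isGhostEntry (assumed semantics): only the Computed uuid survived a removal.
func isGhostEntry(r Rule) bool {
	return r.UUID != "" && r.RuleNumber == 0 && r.Action == "" && r.Protocol == ""
}

// reconcile matches state to config by rule_number, skipping ghost entries.
func reconcile(state, config []Rule) Plan {
	var p Plan
	prev := map[int]Rule{}
	for _, r := range state {
		if !isGhostEntry(r) {
			prev[r.RuleNumber] = r
		}
	}
	for _, n := range config {
		if isGhostEntry(n) {
			continue // without this, the ghost would be planned as an empty CREATE
		}
		o, ok := prev[n.RuleNumber]
		delete(prev, n.RuleNumber)
		if n.UUID = o.UUID; !ok { // carry the existing rule ID over, if any
			p.Create = append(p.Create, n)
		} else if n != o {
			p.Update = append(p.Update, n) // same UUID, changed fields
		}
	}
	for _, o := range prev {
		p.Delete = append(p.Delete, o) // in state, no longer in config
	}
	return p
}

func main() {
	state := []Rule{{10, "allow", "tcp", "10.0.0.0/8", "uuid-a"}, {20, "deny", "udp", "0.0.0.0/0", "uuid-b"}} // constructed
	config := []Rule{{10, "allow", "tcp", "10.1.0.0/16", ""}, {30, "allow", "icmp", "10.0.0.0/8", ""}, {UUID: "uuid-b"}} // last is a ghost
	fmt.Printf("%+v\n", reconcile(state, config))
}
```

Rule 10 is planned as an UPDATE that keeps `uuid-a`, rule 30 as a CREATE, rule 20 as a DELETE, and the ghost left behind for `uuid-b` produces no call.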