Commit a4ecdc2

Add cloudstack_network_acl_ruleset resource with deprecation of old resource
This commit introduces a new cloudstack_network_acl_ruleset resource with optimized update logic, comprehensive test coverage, and thread-safe concurrent operations. The old cloudstack_network_acl_rule resource is marked as deprecated to guide users toward the improved implementation.

Key Features:
- New cloudstack_network_acl_ruleset resource for managing ACL rules
- In-place updates using UpdateNetworkACLItem API (preserves UUIDs)
- Thread-safe concurrent rule operations with mutex protection
- Comprehensive acceptance test suite with 8 tests
- Deprecation notices on old resource with migration guidance

Implementation Details:

1. Resource Structure:
   - Dedicated resource for managing complete ACL rulesets
   - Support for TCP, UDP, ICMP, and "all" protocols
   - Configurable traffic types (ingress/egress)
   - Optional description field for rules
   - Support for single and multiple CIDR lists
   - Rule number validation (1-65535)
   - Port validation (1-65535)

2. Update Optimization:
   - Uses UpdateNetworkACLItem for in-place updates when possible
   - Preserves rule UUIDs during updates (avoids delete+create cycles)
   - Partial state updates after each phase (delete, update, create)
   - Reduces API calls and improves performance
   - Proper change detection for all rule fields

3. Thread Safety:
   - Mutex protection in createACLRules() to prevent race conditions
   - Mutex protection in deleteACLRules() for concurrent deletions
   - Mutex protection in updateACLRules() for concurrent updates
   - Semaphore-based concurrency control (max 10 concurrent operations)
   - WaitGroup for proper goroutine synchronization

4. Test Coverage:
   - Basic CRUD operations with multiple protocols (TCP, UDP, ICMP, all)
   - Update operations with field changes and CIDR list modifications
   - Managed vs unmanaged mode testing
   - Rule insertion and removal in the middle of rulesets
   - Out-of-band change detection
   - Plan check verification (no spurious updates)
   - Boundary value testing (rule numbers 1-65535, port 65535)
   - Optional field testing (rules without descriptions)
   - Tests consolidated for efficiency and maintainability

5. Deprecation of Old Resource:
   - Added DeprecationMessage to cloudstack_network_acl_rule schema
   - Users see warning: "cloudstack_network_acl_rule is deprecated. Use cloudstack_network_acl_ruleset instead for better performance and in-place updates."
   - Updated documentation with migration notice and benefits
   - Warning banner on old resource documentation page
   - Old resource remains functional for backward compatibility

Test Results:
- All 8 acceptance tests passing (127.9 seconds total)
- Comprehensive protocol, validation, and edge case coverage
- Thread-safe operations verified under concurrent load

Files Changed:
- cloudstack/resource_cloudstack_network_acl_ruleset.go (new)
- cloudstack/resource_cloudstack_network_acl_ruleset_test.go (new)
- website/docs/r/network_acl_ruleset.html.markdown (new)
- cloudstack/provider.go (updated to register new resource)
- cloudstack/resource_cloudstack_network_acl_rule.go (added deprecation)
- website/docs/r/network_acl_rule.html.markdown (added migration notice)

Migration Path:
Users can migrate from cloudstack_network_acl_rule to cloudstack_network_acl_ruleset at their convenience. The new resource provides better performance through in-place updates and improved concurrency handling. The old resource will continue to work but displays deprecation warnings to encourage migration.

This implementation provides a production-ready, thread-safe resource for managing CloudStack Network ACL rulesets with optimized performance, comprehensive test coverage, and a clear migration path for existing users.

1 parent 5db20f5 commit a4ecdc2

7 files changed: +2896 -3188 lines changed

cloudstack/provider.go

Lines changed: 1 addition & 0 deletions
@@ -130,6 +130,7 @@ func Provider() *schema.Provider {
130130
"cloudstack_network": resourceCloudStackNetwork(),
131131
"cloudstack_network_acl": resourceCloudStackNetworkACL(),
132132
"cloudstack_network_acl_rule": resourceCloudStackNetworkACLRule(),
133+
"cloudstack_network_acl_ruleset": resourceCloudStackNetworkACLRuleset(),
133134
"cloudstack_nic": resourceCloudStackNIC(),
134135
"cloudstack_physical_network": resourceCloudStackPhysicalNetwork(),
135136
"cloudstack_pod": resourceCloudStackPod(),
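
Review bot: The added line 133 registers `cloudstack_network_acl_ruleset` while `cloudstack_network_acl_rule` on line 132 stays registered, and nothing here stops a configuration from pointing both resources at the same ACL. Because the commit message says the ruleset has a managed mode and updates rules in place, two resources owning one ACL could delete or rewrite each other's rules on alternating applies, leaving the network filter in a state neither configuration describes. Please state in the documentation of both resources that they must not manage the same ACL, and consider a short comment above line 132 marking the old entry as deprecated so the reason both are registered is clear when reading provider.go.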
