Implement FAST stage add-ons, refactor netsec as add-on #2800

Merged: 43 commits, Jan 9, 2025


@ludoo ludoo commented Jan 7, 2025

This PR implements the approach described in the FAST add-ons ADR.

Add-ons are defined in bootstrap (for stage 1s) or resman (for stage 2s) and have the following characteristics:

  • they do not have any IaC resources but share the ones defined for their "parent stage" (resman for stage 1 add-ons, networking/security/pf for stage 2 add-ons)
  • they have a custom provider that just sets a prefix in their parent's GCS backend
  • they optionally support CI/CD via dedicated WIF/service accounts/workflows that allow impersonating their parent SAs

This PR implements support for add-ons, and also moves and/or refactors existing stages that are better defined as add-ons:

  • the legacy fast/plugins folder has been removed
  • a new fast/addons folder has been added
  • support for level 1 add-ons has been added to the bootstrap stage
  • support for level 2 add-ons has been added to the resman stage
  • the multitenant stage is now an add-on in the fast/addons folder
  • the netsec stage has been drastically simplified and refactored, and all its parts are now a single add-on in the fast/addons folder
  • CI/CD has been overhauled and simplified in both stage 0 and 1, and now supports add-ons

Missing items:

  • add outputs to ngfw add-on (also fixes some tflint warnings)
  • check outputs in moved multitenant add-on
  • refactor documentation for existing stages and stages moved to add-ons
  • create new documentation for add-ons
  • check that add-ons are implicitly disabled if their parent stage is disabled

@ludoo ludoo requested a review from juliocc January 7, 2025 06:48
@ludoo ludoo marked this pull request as ready for review January 9, 2025 15:53
@ludoo ludoo changed the title [WIP] Implement FAST stage add-ons, refactor netsec as add-on Implement FAST stage add-ons, refactor netsec as add-on Jan 9, 2025
fast/stages/0-bootstrap/outputs-providers.tf (outdated, resolved)
fast/addons/2-networking-ngfw/variables-fast.tf (outdated, resolved)
@ludoo ludoo enabled auto-merge (squash) January 9, 2025 18:02
@ludoo ludoo merged commit 27f1cc2 into fast-dev Jan 9, 2025
18 checks passed
@ludoo ludoo deleted the ludo/netsec-envs branch January 9, 2025 18:14