fix(ami-housekeeper): don't delete referenced AMIs in default config

In 472cc5f the default config was
migrated to use SSM for AMI lookup. A parameter is created which stores
a reference to the AMI. By default, this parameter is called
`${var.ssm_paths.root}/${var.ssm_paths.config}/ami_id`.

The housekeeper is a process that looks for AMIs which can be deleted
because they're no longer used. It does this in a couple of ways:

1. Check the launch template for the AMI ID.
2. Check the SSM parameter.
3. Apply a threshold to not delete AMIs that are too new, according to
   the config.

The problem is that we were looking for SSM parameters like this:

```typescript
const ssmParams = await ssmClient.send(
  new DescribeParametersCommand({
    ParameterFilters: [
      {
        Key: 'Name',
        Values: ['ami-id'],
        Option: 'Contains',
      },
    ],
  }),
);
```

i.e. we were looking for parameters which contain the hardcoded string
`ami-id`. This is different to the new default of `ami_id`. So we
weren't considering the right AMIs to be in use.

What would be a better approach would be to reference the values
dynamically. This means resolving from the template, and handling the
passed-in options, if there are any. We're documenting that we support
wildcards, so also support that here too.

The default value in the launch template became `resolve:ssm:<id or
AMI>`, so we need to make sure to ask EC2 to resolve for us when looking
up the template. In that way we get the actual AMI ID rather than the
alias.

This can be a bit challenging to understand, so the comments are
improved.

Comprehensive tests are added to try to ensure this all works as
expected.

Closes: #4571

Author: iainlane