Commit 459bc48
feat: auto-add QuickSight users to ndx-all-users group via EventBridge
QuickSight has no "all users" wildcard for permissions — only user/group
ARN principals. The ndx-all-users group has permissions on all three
QuickSight resources (DataSource, DataSet, Dashboard), but new users
who self-provision via the console aren't automatically in the group.
Add an EventBridge rule + Lambda that catches CloudTrail events for
QuickSight user creation (RegisterUser, BatchCreateUser, CreateUser)
and auto-adds the new user to the ndx-all-users group.
Key implementation details:
- EventBridge rule omits detail-type to catch both API calls and
service events (console self-provisioning uses AwsServiceEvent)
- Username extraction handles three event structures: responseElements,
requestParameters, and serviceEventDetails (console self-provisioning)
- Console CreateUser events use "Role:Session" format but QuickSight
usernames use "Role/Session" — the Lambda converts accordingly
- Idempotent: silently handles ResourceExistsException
- Best-effort: all errors logged, never fatal
- Reuses existing QuickSightSetupRole (already has CreateGroupMembership)
Also fixes QuickSight setup reliability:
- Add retry with backoff for RegisterUser PreconditionNotMetException,
which occurs after rapid subscribe/unsubscribe cycles when QuickSight
IAM integration hasn't fully propagated
1 parent 0238488
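As an added example (not the commit's own code), here is the Lambda logic the message describes: username extraction across the three CloudTrail event structures, the `Role:Session` to `Role/Session` conversion for console `CreateUser` events, and the idempotent, best-effort group add. The nested CloudTrail field names and the sample event are assumptions; the deployed function would pass `boto3.client("quicksight")` as `client`.

```python
import logging
from typing import Optional
log = logging.getLogger(__name__)
# Sections of the CloudTrail "detail" that may carry the new user's name, in the
# order the commit message lists them. The nested field names are assumptions.
_USERNAME_PATHS = (
    ("responseElements", "user", "userName"),  # RegisterUser / BatchCreateUser API
    ("requestParameters", "userName"),         # explicit name in the request
    ("serviceEventDetails", "userName"),       # console self-provisioning (AwsServiceEvent)
)
# Constructed sample event, shaped like an EventBridge-delivered CloudTrail record.
CONSOLE_EVENT = {"detail": {"eventName": "CreateUser", "eventType": "AwsServiceEvent",
                            "recipientAccountId": "123456789012",
                            "serviceEventDetails": {"userName": "Admin:alice"}}}
def extract_username(detail: dict) -> Optional[str]:
    """Return the first username found along any known path, else None."""
    for path in _USERNAME_PATHS:
        node = detail
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, str) and node:
            return node
    return None

def to_quicksight_username(name: str, event_name: str) -> str:
    """Console CreateUser reports 'Role:Session'; QuickSight stores 'Role/Session'."""
    if event_name == "CreateUser" and ":" in name:
        return name.replace(":", "/", 1)
    return name

def add_to_all_users(client, account_id: str, username: str, group="ndx-all-users", namespace="default") -> str:
    """Idempotent (ResourceExistsException counts as success) and best-effort (never raises)."""
    try:
        client.create_group_membership(MemberName=username, GroupName=group,
                                       AwsAccountId=account_id, Namespace=namespace)
        return "added"
    except client.exceptions.ResourceExistsException:
        return "already-member"
    except Exception as exc:  # logged, never fatal
        log.warning("could not add %s to %s: %s", username, group, exc)
        return "failed"

def handler(event: dict, client) -> str:
    # Lambda entry point; the deployed function would pass boto3.client("quicksight").
    detail = event.get("detail", {})
    name = extract_username(detail)
    if not name:
        return "skipped"
    return add_to_all_users(client, detail.get("recipientAccountId", ""),
                            to_quicksight_username(name, detail.get("eventName", "")))
```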
1 file changed
Lines changed: 467 additions & 35 deletions