Fix: CloudWatch metadata enrichment failing due to account ID prefix in event identifiers #48712

Open
MichaelKatsoulis wants to merge 4 commits into elastic:main from MichaelKatsoulis:bugfix/ec2-metadata-identifier

@MichaelKatsoulis

Proposed commit message

Problem:

A regression was introduced where cloudwatch.createEvents started prefixing event identifiers with the AWS account ID (format: {accountId}-{resourceId}-{index}). This broke the metadata matching logic in EC2, RDS, and SQS enrichment, causing fields like aws.ec2.instance.state.name, aws.rds.db_instance.status, and aws.sqs.queue.name to no longer be populated.

Solution:

  • Created a shared helper metadata.ExtractResourceID() that detects and strips the 12-digit account ID prefix from event identifiers
  • Updated ec2.AddMetadata to use aws.dimensions.InstanceId as primary source for matching, with fallback to the helper
  • Updated rds.AddMetadata and sqs.AddMetadata to use the helper for resource ID extraction

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

It actually fixes a problem.

Author's Checklist

  • [ ]

How to test this PR locally

  1. Deploy metricbeat with this PR code locally and enable aws module
    ./metricbeat modules enable aws

  2. Edit modules.d/aws.yaml

    - module: aws
      period: 5m
      metricsets:
        - cloudwatch
      access_key_id: 'redacted'
      secret_access_key: 'redacted'
      session_token: 'redacted'
      default_region: 'us-east-1'
      metrics:
        - namespace: AWS/EC2
        - namespace: AWS/RDS
        - namespace: AWS/SQS

  3. Check fields in Kibana getting populated

    aws.ec2.instance.state.name
    aws.rds.db_instance.status
    aws.sqs.queue.name

Related issues

@MichaelKatsoulis requested a review from a team as a code owner February 5, 2026 16:11
@botelastic bot added the needs_team (Indicates that the issue/PR needs a Team:* label) label Feb 5, 2026
@botelastic

botelastic bot commented Feb 5, 2026

This pull request doesn't have a Team:<team> label.

@github-actions

github-actions bot commented Feb 5, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify

mergify bot commented Feb 5, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @MichaelKatsoulis? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@MichaelKatsoulis added backport-active-all (Automated backport with mergify to all the active branches) labels Feb 6, 2026

// ExtractResourceID extracts the resource identifier from an event identifier.
// Event identifier format: {accountId}-{resourceId}-{index}
// Account ID is always 12 digits, so we detect and strip it.
func ExtractResourceID(eventIdentifier string) string {
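
Review bot: the doc comment on ExtractResourceID gives the input format {accountId}-{resourceId}-{index} but does not say what is returned when the identifier has no 12-digit prefix, or whether the trailing -{index} is removed as well. The signature returns a bare string with no error or ok value, so callers cannot distinguish a stripped ID from an input that did not match; document the fallback (for example, returning the input unchanged) and state that the prefix is removed by its fixed width rather than by splitting on "-", so that resource IDs containing dashes are preserved.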

I have one concern. We create the identifier as below:

identifierValue := labels[aws.LabelConst.AccountIdIdx] + "-" + labels[aws.LabelConst.IdentifierValueIdx] + fmt.Sprint("-", valI)

If labels[aws.LabelConst.IdentifierValueIdx] contains dashes, then this logic can fail 🤔
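
The dash concern raised above, as an added example (not code from this PR or from Beats): a hypothetical helper `resourceIDFromIdentifier` that strips the account prefix by fixed width and the index at the last dash, so dashes inside the resource ID survive. It assumes the `{accountId}-{resourceId}-{index}` format with a numeric index; the sample identifiers are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// resourceIDFromIdentifier is a hypothetical helper (not the PR's
// ExtractResourceID). It assumes identifiers look like
// {accountId}-{resourceId}-{index}, or {resourceId}-{index} when no
// account prefix is present, and that {index} is a non-negative integer.
func resourceIDFromIdentifier(identifier string) string {
	rest := identifier
	// Strip the prefix only when it is exactly 12 ASCII digits followed by "-".
	// A resource name that itself starts that way stays ambiguous.
	if len(rest) > 13 && rest[12] == '-' && allDigits(rest[:12]) {
		rest = rest[13:]
	}
	// Strip the index at the LAST dash so dashes inside the resource ID survive.
	if i := strings.LastIndexByte(rest, '-'); i > 0 {
		if _, err := strconv.ParseUint(rest[i+1:], 10, 32); err == nil {
			rest = rest[:i]
		}
	}
	return rest
}

func allDigits(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample identifiers; account ID and resource names are made up.
	for _, id := range []string{
		"123456789012-i-0abc123def4567890-0",
		"123456789012-my-prod-db-1",
		"i-0abc123def4567890-0",
		"my-queue-0",
	} {
		fmt.Printf("%-40s -> %s\n", id, resourceIDFromIdentifier(id))
	}
}
```
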

Labels

  • backport-active-all (Automated backport with mergify to all the active branches)
  • bug
  • needs_team (Indicates that the issue/PR needs a Team:* label)
  • skip-changelog

Development

Successfully merging this pull request may close these issues.

[BUG][AWS] EC2 Instance metadata not populated as identifier is not matched

2 participants