fix(cloudwatch): remove false positive warning for CDK tokens in MathExpression

[kaizencc]

Issue # (if applicable)

Closes #34977.

Reason for this change

When using CDK tokens (from custom resources or other dynamic values) in CloudWatch MathExpression, users receive a false positive warning message. The allIdentifiersInExpression function incorrectly parses token strings like ${Token[TOKEN.81]} and extracts "oken" as an identifier, triggering a confusing warning that suggests adding "oken" to the usingMetrics map.

This degrades user experience and creates confusion, particularly for users leveraging custom resources or dynamic values in CloudWatch dashboards.

Description of changes

Modified the allIdentifiersInExpression function in packages/aws-cdk-lib/aws-cloudwatch/lib/metric.ts to filter out CDK token patterns before extracting metric identifiers:

• Added regex replacement to remove CDK token patterns (${Token[TOKEN.N]}) from expressions before identifier extraction
• Token pattern regex: /\$\{Token\[[^\]]+\]\}/g matches the standard CDK token format
• Preserves existing validation behavior for actual unknown identifiers
• Added 4 comprehensive unit tests covering single tokens, multiple tokens, mixed expressions, and complex patterns

Technical Details:

// Before: Incorrectly extracted "oken" from "${Token[TOKEN.81]}"
function allIdentifiersInExpression(x: string) {
  return Array.from(matchAll(x, FIND_VARIABLE)).map(m => m[0]);
}

// After: Filters out tokens first, then extracts identifiers
function allIdentifiersInExpression(x: string) {
  // Remove CDK token patterns before extracting identifiers
  // Token format: ${Token[TOKEN.123]} or ${Token[TOKEN.456]}
  const withoutTokens = x.replace(/\$\{Token\[[^\]]+\]\}/g, '');
  return Array.from(matchAll(withoutTokens, FIND_VARIABLE)).map(m => m[0]);
}

This approach follows the same pattern used for special functions (SEARCH, METRICS, SELECT, INSIGHT_RULE_METRIC) where certain syntax patterns are filtered or handled specially before validation.

No breaking changes - This fix only removes false positive warnings and does not affect CloudFormation template generation, resource behavior, or public APIs.

Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes. This is a validation-only fix that does not affect CloudFormation templates or runtime behavior.

Description of how you validated changes

• Unit tests: Added 4 new unit tests in packages/aws-cdk-lib/aws-cloudwatch/test/metric-math.test.ts:

  1. Verified single token in expression doesn't produce warning
  2. Verified multiple tokens in expression don't produce warning
  3. Verified mixed token + real identifier warns only about the real identifier (not "oken")
  4. Verified complex token patterns (arrays, functions) don't produce warning

• Regression testing: All 40 existing unit tests pass without modification, confirming:

  • Warnings for actual unknown identifiers still work correctly
  • Special function handling (METRICS, SEARCH, etc.) unchanged
  • Nested expression validation preserved
  • No impact on other CloudWatch functionality

• Build validation:

  • Linting passed with no violations (yarn lint --fix)
  • TypeScript compilation successful
  • No JSII compatibility issues

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.