revert(dynamodb): use keyId instead of keyArn for TableV2 replica encryption (#35568)

Reverts #35144

#35144 introduced a regression that removes support for cross account keys by only using the keyId instead of keyArn. This PR reverts that change.

Closes [#35551](#35551)

Author: aemada-aws

packages/aws-cdk-lib/aws-dynamodb/lib/encryption.ts

@@ -70,7 +70,7 @@ export abstract class TableEncryptionV2 {
 
         if (replicaRegion === stackRegion) {
           return {
-            kmsMasterKeyId: tableKey.keyId,
+            kmsMasterKeyId: tableKey.keyArn,
           } satisfies CfnGlobalTable.ReplicaSSESpecificationProperty;
         }
 

packages/aws-cdk-lib/aws-dynamodb/test/encryption.test.ts

@@ -98,20 +98,10 @@ describe('customer managed keys', () => {
   test('can render replica SSE specification in deployment region', () => {
     // WHEN / THEN
     expect(encryption._renderReplicaSseSpecification(stack, stack.region)).toEqual({
-      kmsMasterKeyId: tableKey.keyId,
+      kmsMasterKeyId: tableKey.keyArn,
     });
   });
 
-  test('replica SSE specification uses key ID format not ARN format', () => {
-    // WHEN
-    const result = encryption._renderReplicaSseSpecification(stack, stack.region);
-
-    // THEN
-    expect(result.kmsMasterKeyId).toBe(tableKey.keyId);
-    expect(result.kmsMasterKeyId).not.toBe(tableKey.keyArn);
-    expect(result.kmsMasterKeyId).not.toContain('arn:aws:kms');
-  });
-
   test('can render replica SSE specification in replica region', () => {
     // WHEN / THEN
     expect(encryption._renderReplicaSseSpecification(stack, 'us-east-1')).toEqual({

packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts

@@ -928,7 +928,10 @@ describe('table', () => {
           Region: 'us-west-2',
           SSESpecification: {
             KMSMasterKeyId: {
-              Ref: 'Key961B73FD',
+              'Fn::GetAtt': [
+                'Key961B73FD',
+                'Arn',
+              ],
             },
           },
           TableClass: 'STANDARD_INFREQUENT_ACCESS',