fix(efs): cannot use encryption key imported from another account (#11524)

the `keyId` property supports using the ARN or the key ID.
this change uses the ARN as it's more robust and allows usage of
a key which is cross-account.

It currently fails as the ID is looked up within the same account
and not found.

Closes #7641

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: shivlaks

packages/@aws-cdk/aws-efs/lib/efs-file-system.ts

@@ -244,7 +244,7 @@ export class FileSystem extends Resource implements IFileSystem {
 
     const filesystem = new CfnFileSystem(this, 'Resource', {
       encrypted: props.encrypted,
-      kmsKeyId: (props.kmsKey ? props.kmsKey.keyId : undefined),
+      kmsKeyId: props.kmsKey?.keyArn,
       lifecyclePolicies: (props.lifecyclePolicy ? [{ transitionToIa: props.lifecyclePolicy }] : undefined),
       performanceMode: props.performanceMode,
       throughputMode: props.throughputMode,

packages/@aws-cdk/aws-efs/test/efs-file-system.test.ts

@@ -70,7 +70,10 @@ test('encrypted file system is created correctly with custom KMS', () => {
   expectCDK(stack).to(haveResource('AWS::EFS::FileSystem', {
     Encrypted: true,
     KmsKeyId: {
-      Ref: 'customKeyFSDDB87C6D',
+      'Fn::GetAtt': [
+        'customKeyFSDDB87C6D',
+        'Arn',
+      ],
     },
   }));
 });