Handle simultaneous cross-region & cross-account CodePipeline Actions

[skinny85]

It can happen that an Action is both in a different account, and in a different region than the Pipeline. In that case, the replication Bucket needs to be either provided or generated with a KMS Key (that is required for cross-account access).

Also, the artifactStores property has to correctly include the reference to the KMS Key. We need to research whether it's possible to use alias there instead of the ARN; if it turns out we cannot, we will have to design a custom CFN resource that will, at deploy time, query the Stack containing the replication Bucket and find out the ID of the KMS Key (Keys cannot have a physical name set), and pass it to the Pipeline Stack in order to correctly fill the artifactStores property.

Also, to be able to use imported replication Buckets in that use-case, we will have to solve related issue #3138 .