Commit cdfe6e7

feat(ec2): support Firehose IDeliveryStream as flow log destination (#34596)

Reopen #33883

The cyclic dependency issue #34592 should be resolved before merging this PR again.

### Issue # (if applicable)

Related to #33757.

### Reason for this change

`FlowLogDestination.toKinesisDataFirehoseDestination()` includes the former service name Kinesis and receives the string ARN.

Also, cross-account log delivery needs an IAM role.
https://docs.aws.amazon.com/vpc/latest/userguide/firehose-cross-account-delivery.html

### Description of changes

- Added `FlowLogDestination.toFirehose()` with an optional IAM role.
- Deprecate `toKinesisDataFirehoseDestination()`

Note: CDK cannot create the IAM role for cross-account delivery because the VPC ARN is needed but FlowLog construct doesn't know it.

### Describe any new or updated permissions being added

N/A - Users must specify IAM roles for cross account delivery.

### Description of how you validated changes

Unit tests and integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

1 parent ed08f3f commit cdfe6e7

18 files changed: +364 -605 lines changed