feat(ec2): vpc flow logs supports kinesis data firehose (#27604)

The CloudFormation template ([AWS::EC2::FlowLog](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-logdestination)) and the L1 Construct ([CfnFlowLog](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnFlowLog.html#logdestination)) support Kinesis Data Firehose as a destination for VPC Flow Logs. This PR implements `toKinesisDataFirehose` method to set the Kinesis Data Firehose delivery stream as a destination for VPC Flow Logs.

[aws-kinesisfirehose-alpha module](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-kinesisfirehose-alpha-readme.html) is yet alpha module, so the construct gets an ARN of the delivery stream to specify the destination. The same technique is used in [DataProtectionPolicy](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.DataProtectionPolicy.html).

This PR doesn't support [cross-account access](https://docs.aws.amazon.com/vpc/latest/tgw/flow-logs-kinesis.html) between the VPC and the delivery stream in the `toKinesisDataFirehose` method. The cross-account access is supported later to implement a more simple use case at first.

Closes #27275 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: ymhiroki