Enable VPC flow logs (missed in initial review)

terraform/modules/vpc/main.tf

@@ -16,3 +16,11 @@ resource "aws_vpc" "main" {
   enable_dns_support   = true
   tags = { Name = "nexus-${var.environment}", Environment = var.environment }
 }
+
+# Flow logs — added after security review flagged their absence
+resource "aws_flow_log" "main" {
+  vpc_id          = aws_vpc.main.id
+  traffic_type    = "ALL"
+  iam_role_arn    = aws_iam_role.flow_log.arn
+  log_destination = aws_cloudwatch_log_group.flow_log.arn
+}