From a808ea3293bace72a2473151b956e6056ef55f54 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Mon, 30 Jan 2023 23:32:13 +0100 Subject: [PATCH] Draft README --- .../data-solutions/shielded-folder/README.md | 98 +++++++++++++++++- .../images/overview_diagram.png | Bin 0 -> 83444 bytes .../data-solutions/shielded-folder/kms.tf | 8 +- .../shielded-folder/log-export.tf | 15 +-- .../data-solutions/shielded-folder/main.tf | 39 ++++--- .../data-solutions/shielded-folder/output.tf | 22 ++++ .../shielded-folder/variables.tf | 19 ++-- 7 files changed, 166 insertions(+), 35 deletions(-) create mode 100644 blueprints/data-solutions/shielded-folder/images/overview_diagram.png create mode 100644 blueprints/data-solutions/shielded-folder/output.tf
diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md
index 45247d72e..e20c54c70 100644
--- a/blueprints/data-solutions/shielded-folder/README.md
+++ b/blueprints/data-solutions/shielded-folder/README.md
@@ -1,16 +1,108 @@ # Shielded folder -This module implements an opinionated Folder configuration to implement GCP best practices. Configurations implemented on the folder would be beneficial to host Workloads hineriting contrains from the folder they belong to. +This blueprint implements an opinionated Folder configuration to implement GCP best practices. Configurations implemented on the folder would be beneficial to host Workloads hineriting contrains from the folder they belong to. In this blueprint, a folder will be created implementing the following features: - Organizational policies - Hirarckical firewall rules +- Cloud KMS - VPC-SC -Withing the folder the following projects will be created: -- ' +Within the folder the following projects will be created: +- 'audit-logs' where Audit Logs sink will be created +- 'sec-core' where Cloud KMS and Cloud Secret manager will be configured +The following diagram is a high-level reference of the resources created and managed here: + +![Shielded architecture overview](./images/overview_diagram.png "Shielded architecture overview") + +# Design overview and choices + +Despite its simplicity, this blueprint implements the basics of a design that we've seen working well for various customers. + +The approach adapts to different high-level requirements: +- IAM roles inheritance +- Organizational policies +- Audit log sink +- VPC Service Control +- Cloud KMS + +# Project structure +The Shielded Folder blueprint is designed to rely on several projects: +- `audit-log`: to host Audit logging buckets and Audit log sync to GCS, BigQuery or PubSub +- `sec-core`: to host security related resources such as Cloud KMS and Cloud Secrets Manager + +This separation into projects allows adhering to the least-privilege principle by using project-level roles. 
+ +# User groups +User groups provide a stable frame of reference that allows decoupling the final set of permissions from the stage where entities and resources are created, and their IAM bindings defined. + +We use three groups to control access to resources: +- `data-engineers`: They handle and run workloads on the `wokload` subfolder. They have owner access to all resources in the `workload` folder in order to troubleshoot possible issues with pipelines. This team can also impersonate any service account. +- `data-security`: They handle security configurations for the shielded folder. They have owner access to the `audit-log` and `sec-core` projects. + +# Encryption +The blueprint support the configuration of an instance of Cloud KMS to handle encryption on the resources. The encryption is disabled by default, but you can enble it configuring the `enable_features.kms` variable. + +The script will create keys to encrypt log sink bucket/dataset/topic in the specified regions. Configuring the `kms_keys` variable, you can create additional KMS keys needed by your workload. + +# How to run this script +To deploy this blueprint on your GCP organization, you will need +- a folder or organization where resources will be created +- a billing account that will be associated with the new projects + +The Shielded Folder blueprint is meant to be executed by a Service Account (or a regular user) having this minimal set of permission: +- Billing account + - `roles/billing.user` +- Folder level + - `roles/resourcemanager.folderAdmin` + - `roles/resourcemanager.projectCreator` + +The shielded Folfer blueprint assumes [groups described](#groups) are created in your GCP organization. 
+ +## Variable configuration +There are three sets of variables you will need to fill in: +``` +organization = { + domain = "example.com" +} +prefix = "prefix" +``` + +## Deploying the blueprint +Once the configuration is complete, run the project factory by running + +```bash +terraform init +terraform apply +``` + + +## Variables + +| name | description | type | required | default | +|---|---|:---:|:---:|:---:| +| [organization](variables.tf#L128) | Organization details. | object({…}) | ✓ | | +| [prefix](variables.tf#L136) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | +| [access_policy](variables.tf#L17) | Access Policy name, set to null if creating one. | string | | null | +| [access_policy_create](variables.tf#L23) | Access Policy configuration, fill in to create. Parent is in 'organizations/123456' format. | object({…}) | | null | +| [data_dir](variables.tf#L33) | Relative path for the folder storing configuration data. | string | | "data" | +| [enable_features](variables.tf#L39) | Flag to enable features on the solution. | object({…}) | | {…} | +| [folder_create](variables.tf#L50) | Provide values if folder creation is needed, uses existing folder if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null | +| [folder_id](variables.tf#L59) | Folder ID in case you use folder_create=null. | string | | null | +| [groups](variables.tf#L65) | User groups. | map(string) | | {…} | +| [kms_keys](variables.tf#L75) | KMS keys to create, keyed by name. | map(object({…})) | | {} | +| [log_locations](variables.tf#L86) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {…} | +| [log_sinks](variables.tf#L103) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | +| [projects_create](variables.tf#L146) | Provide values if projects creation is needed, uses existing project if null. 
Projects will be created in the shielded folder. | object({…}) | | null | +| [projects_id](variables.tf#L154) | Project id, references existing projects if `project_create` is null. Projects will be moved into the shielded folder. | object({…}) | | null | +| [vpc_sc_access_levels](variables.tf#L163) | VPC SC access level definitions. | map(object({…})) | | {} | +| [vpc_sc_egress_policies](variables.tf#L192) | VPC SC egress policy defnitions. | map(object({…})) | | {} | +| [vpc_sc_ingress_policies](variables.tf#L212) | VPC SC ingress policy defnitions. | map(object({…})) | | {} | +| [vpc_sc_perimeters](variables.tf#L233) | VPC SC regular perimeter definitions for shielded folder. All projects in the perimeter will be added. | object({…}) | | {} | + + #TODO Proper README (after deciding if this is a blueprint or a FAST stage) # Implemented 
diff --git a/blueprints/data-solutions/shielded-folder/images/overview_diagram.png b/blueprints/data-solutions/shielded-folder/images/overview_diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..dcc3bccd8c1027906475a54339b68721529efec2 GIT binary patch literal 83444 zcmeGE1yI#p_%MnBf*>d5FT^rxmvf>X=AEUy-!99?8C8huecgGYC4pAEg0gTWi zy)gkV@U{x#&*AdBiB`b}a|2ZgLm3%32JjvQ4iWw_91?5__!WXDynX)?o(}HLpK-8{ zj|m*&zd5qt754KL{KD4!eMLw_xS4UsH1W>Odqi#6)OgOF58&mV^(!@7I5<3N*e|?< z0@V&290Hoj8&x}18EHN}D+`vl`d04@Sez`ZVXNQ-ocO?73j@2iWKI_5mbQFOf)syd z@PYTRVO9#VKU3_?1SwQyUXzJh*%**LWnp7sqYy$RBO?>A(KqB%5PSJ=Irt<=;+Ae$jM@5W5mkN%gf8k#=*+L!3<_F+d?eu-a0W`+EV`AdzY|2+I3kOHv1_+Fbh8JMeznOGQD+JdD* zJlszNSpSz#{+BD&{#(h;&d&2cm;R4O|CS1{!qD|U(D#=%e?|dugir-oZwW1g>f2}m z7*+&MLhRWaC-{v?WY>qSwGF$~isDH3Ff+-c=|bQs8`2+-S9mf0XmOapJ|2-JYR&4Q zm)*MvSuR=r8Kj3ZUU4kRzBTe~s+uktjSKSy%E0!N&e%ys`n+tpOL_Tu^-9V{H~4W~ zZtyU4G|WTyX=+4_9FgnNugL2cb9gp#!+Xi1?)YScTE}|- zLjlS+MbDkS*h|?QtQ$PZqGAd;U>^W{oH=Wrp@NYTH^r=Ul_YCKOtx@vTvk;~ z3x%g=5aJM%+VLT+|8m`Fu%ErDiKT^wr9HFtb^e`%E^W5uz|&SJiKC1WA%JzI1i+oK z%7X>oqezey=x8fMroxM!eSYJ2-gbR*S+9LDyq<3&SX5{8C9^tK* zn%faXS-k3X<;j(Wqld4xHhtIbAQR`I4~q?NMx;lG;`*R(Wbw#5_H#|TRHvV1J{+8w zm~*2Wc?fw|^iC&SfPHkJ_u)n*$*G2h22#eXeu{WitEHk|@r?EM_{Yy$h@DKj;ThRo z6YgU{a0vPTcx*UqWm3CX->uDiQ)y8Ny_)hV%hLk6tzYkrjtD1ON0Zf{wXt6@J=zBG zdpwpyv+pQ{xbK#rc?YtD1lo6Sx7&q^D*5R13z64ZpCn2s(g)}ZwTI%}Twk;~D~ z;D{rSN~x8jq5W+PVl}5LgV2Q){+=F|X`McYqVo*L`Uw+mEfy2(d6o;O_a<#D9o!xk z7$oY}TWQOw>1n^@O=Kr`abyB5*wY5o+&ezE#Ck-S3!M5GRi$T4Ic?h)<+&bhjntdA zMc;90r%ogdf*e*G?5jfjCGxTNBDh$Wb+b-IhmJ(1KIY4-`$25OBQ?{zp>O;>w3 zj+PLzZu8UWR3?k5=P~CM>m)c{yvh^se1tDa@qu4C;2F_pYLhqn5+ zi%XX-?PnNU{6)toZS_`0QJvuu>(LwwozHB@Plu}&kkf>s)FuVzqC~^FupP(VjU^Ki zpt|ixIZ}&kaA(T7Ur#-tT`#wsD6~*q{jt`>J#Fh|t|_f-*>iSw*CbuPdoz@|Uh((u zu#iOt8Og5kiGG?dZGlch$w+1eI=jS)G>J7pEKsP6}-`8Ft$PIjk%U zBuv#Qw0Ke{Cquc%`i-U7Lh%gW-OT#K?&Z^mBcs=yc8=3$wS}_stMn`OhltD2MeKIW zy>ALP$6+P8ZjLP&VwwJK(iMTF=PeWWzA*KAb68Ga-%z@KQF1t0vm8T(7;-%bDJ(4H 
ztmDs9(Ux2MIx**AJ9I8puNl?PWq+b(MCXg0O+!N~Awm?1NlPEf62H@8yB)SkKdo5R zV~;spYF!4*0u{pj$(Ym>6B+~>?2#h(m}b*p!UD;S%n||4jMnDgG##}|#4!#P>Y8?g z`bHactJP(j5zn4g`d`Xyj6`r}$Q^y#?{*MmtWP{fQi;#_86`OxYAPyf&C58(yr=6+r5fQO;nVn<4*A&pWt(G6qTc1rKe&)F7{yP4(oVZNzPN(y#ZF%dBFEC(=pTIU!_#1W6UYh9eLy)3xr48HZIAPQF-RCiF9 zb(8jvQ_4jyq;}>?L+-xGCn20ZO1Mj~+Sz^HlM*Xwm{nu`i`fQhJNg0+zW5%nta+^_ ztO$4UdDLyC(?9Z9$yJvrw~X}nE9NlDKEP~m3VQ$E(&NF<8&U}w8DBYb7nJ_P(BP=8 zs`K6Igbrps-^YtdZ6~Rps`OeN%}43?3#dQXb>Hb=VrK=_FA54D^(}0h|Hg=4U~hG6Uwk

_u4aR(!=6+WfEL#{4A1$|AnE4o7Zz*zD zgs0eaj6_-V1i2M4D@w-}rfkFu$deAp=o^{j6OKRKP%YAZp{zYb{hQTBCekA6GiAMa zAb)9D(1x;7{9_5h@ae0rDxr)JS&PM^u3*CHsRv=63R~I7ovZX8gEDN2KLeOfu*qBx z(w+nVNUXSF=IuwS=g!-Uy!mKm9gUL-HP@8_8$91v28iEoE2BT^*V%L3yTZ4@7>3vl z4+%2j=R0hrJFYW~FP_Wh_0e^Nc zH4&{>`dM)hE4PES-&Sqr-#WD?F*XVq#uaIDn71aXG_ZnC2RMAilvQId$9#}P&pHxQ zCe-o;6&Rtx@*WhKvl)QP&!WiqgKAPvWVO`#Y=P!Wk+-$Fywqzx+-`$W5&wI)% zj!w+NJnDAR8$8F}WMES+?(P8dXRUx+YK5bKDMGe}r2pWBZ7U!}^nLEN8^*Rf=$T9Ne`uX zn!OvU0KTWdrkXx1&_E$QMTf;<8HoBKmWz!_4%MP0jA1b~MPCDn#?^{knpJW_s;CSq zSySBBo|M5t5zc$o`(x6zG8$Msah|)D+6np1LP1t))k-up9ZV5FQxSm=tGtCfOcY+p zF+9PS=h9;-Buhq*ic|q1{v7u*+@7joB_)XOV>X$mCkdjTpU*-2R;BamShk<&AnxEE zL%o+Mnm1Ia>5zHEIg{2N1|$VFxO?hCB@2S{L)`;;Xzla3Cz#;Poi~0@g5f&6V={|P z7;a)9%qrmYuXu;u1R^NkUV+F;EKWx8HnQpk0gfnlD&lP8XU2!%=b&tQ9a1|zCRtD_GS zp=tQf&FOJgIX)O)tN{E#_CK!djh)GBw=vo}jiM2HcF<9|n{V>Anh5_nIN&+{%#!{8 zD~Q3{x;Ob18wkt^!qb?;^y<3B$?i0r{Lw;tsJOGKdZg7PTQjA+gK$iBW=-xGf80ZG zd9o^ioRpmUOlH8~uNq9-)b27_3=bg>i8gNq=t2G}J@>TWB%p{<{qAa=ATG&jWvz?by0?@7w$i9pt=;eb&t`Av z{hq@PQ~~F!JOEBCoEJJ`ZbZq!!)?9Y-S<!hy!SAfCAXGc#e8|6%ikBTjGA}+nb0qXaGqa{{&-)zk^=ru-ruI>@7Y3{NQrs z_vmjZ4TnICdh+e=$Xo3{YRnMVnuo|N((1_4t?LKnl&?%+mk{SLNzQ(^>&3~vgeWv0 zd@8_53&O5DBU4%iB)&y1OKP8=5;nn4v84j+&;XF4zbnuopgfXpcw64-ah(H4Xul^W zIunIK%D2R6>t3(9y;JDwk=D~GDt^C+8dK=*h_JpWND?5Otkb-C)(yMrUs0w8qMW^z zUU&nlNG8}k3DxG7n7RxAmx}h>fxrX(yXHAANPH=M-M`UP@QN_UG`re_=>}_<*>Gsb zpBR3fqLAs{h1Uo;#D`AIPxeE$nN;hue^Lt8YOK`?*Ny^O>Udao=M$d`_MiV%10=r0 zo9M*6s_uMzl6)|wK?47hv}wLm=?2;GA5k!c9;Z^8+`T=F1n9UO9$VZSf;5nUE8Jau z743CHkx$}4g9&tN!UXdV(b&EK0zKmkF}zisvsk*b@qc&uVhQgvxi{F_Q8WG;k~qd+ zm{iwiwA92UUdu@;sIbntuZGjJ5fZx)T%Uc>I~14(=)=F;SgiN%5&DidIXL497Mbh7 zr|{<>hSEhq_tD#pG(#|dBkHC&69pyC+mC`6?_zH6?CKf>_H@qo5WYBhq`UnUaR(QyLltu~L>B z0TaDIK(98~ib-%$sW8|1>^Rqkb11~AqB7)UBxJYqrKfX>_oGZ!{@(jaT{LoGfczO| zpwRwmff;(T4mT^+>MqXGkC*8!5e=LPnK>8&w#fKY1b~}RazIk1slBWDhCjWG0fhpN zNK&tEB}x^jhyVR4x=Z#Y$7F{eQd2ubEy2T?WpQqgb2VV=4vumYBnYVfEL@7X9 zEeEvlTUC9)Aaas99G|3p1HUH=fZu+U`3>rg^z`Nc>CtxacD_~KRY1KD7?i)JzmY+a 
z0w9CVn*?jH0Ot>}R}?&V0^5KSbV9HJ(ouCB&4Ig=Z2TIucbCmzB7{3H6 z?}?;bKl%*=kTC%Uc>8vV;+Bo%f$J35A6f#-3;a0?#UDt%>bFXie;h)l`w%|j0r%fs zzR1F>@oF-3N6+?+x(qyq4~3N#O6Ej%e$OuKIJur+>0E`)Ik`UXWC;^Yc6Y-JT z{V%@KH#dVr@PnJBoW6C`;k?MeRX;XRFy5T&344BXZLq`t{pY#pK9pZJ^#9m}*GeMF z=#hJ>oSI5+P(caB0_hDp>F}m{pS&BgAwCUlnlsUZryeE{39Y90(C1;3xdED|yF3rg zui7b*7g|#=g%{7;5<;&Bb#dHy`^)dAi%h~=Gg@`m z7j}gwz0K_^@~4~oj9429?YjHts|X1mQYURa3GdQKFE5y%;iJia_t?D~qr)=p0ff?q@q} zbhRz)*0iSO9}Cgs-l|!lE!T3YH}f+`j=8Svx!T>9y9VGDtrxorpNbzQocx?DaDIqu zepSjJIn8hDEl%D&nFigmwPYmxu@qT+Vdv#|dbNMP!2vGXNopR66f-S{4{lLTH^PGU z)Z@Drp1FIK>ZjHlA5_=q|tb8i^Z{z zHhwi$+UF*|Jr_2F>rQTYJrVkj9s7`dzRU{_IPLcpOgnp*3vx1&V5ll(&uuBvg=oB^ z{3I7jm2x#_y2xm685elsc(Z!B#|C_n6xW8~4f5ULf!*N^YX9;68UAZ#*D%80Q}g9# zR>E9jz%QX-WHTFL%4!(MQdFy^Eh7Fgh$TX14L_LPjp#06a~pZ0h!p?@aBxJ-b?c5& zkO9>LZ^z<$qk6;&JWYFqUb4dfHz$B0v3bF;Q9Q+6!}!*Y>Gr*|DK_OUFi;|gPzPO{ zsOd%s!9e+|9KJZf4>q(YEI6-gl${Mq9V9S77J^WuTcH`x z)kHaptO<&AAAo(kj~%c9uI-tPfEbi*qwoj;<&&sq%<$~%rN=ke5D`O^?2vM2+kbf) z{GgNpq!83Y!am;IWkq(z$!#+`PDiR#Uo@|s{VX$rYVlTsrh{_wlNa2-U)=yC!VEuX zscp6^NmTk+g7@YKI0VysnRr5`{|$RuA}#eKu-Y@Suo$A2S)PCKBlq<5@id)H5wG0% zgKR{K*J^46ub%F~4m-n|85O@gK;n9KgPvp&;2op#`7+#62FzJ1bwB$MeG44}8sOCG z{p5sKNkvJ@eab#fNy=)ltI4y@7?(a#5_4lr&W0Zx98{QIIFfs#B+$-Cm|#)ZA_gJM z6hgqld2MkZKlN$}dd&9br6%K#B_gcr|A zvy5}Wc0qY0PiF9``LW(l?>-vDM)Jh5E;D9rUmSF}{M(p_3^TwJ2u!IHwJh5Ma@JeG zMR*Y35W3wLH>kXguslUl0d^@T?`Yn}?_WSv*qXV3fu9y`bL z-Ew0UES!>2d5v{L8nVZTZ>k}A&5ZAp;lKVjZwVWwiKGr9#+G(y2<&H`RnGs@ch9Yi$OzNr7mK9H1GqSB|c|-eqlE zp-o3Z`KHy-XPTv9&_T)kR`h~3&EQX%v8d(bbfkD zrlH@*>FG*|)`-a}BBg!eFdEk84iLd322fci_m!O*_nh#Uqc>>m>8!>PGyJ?qbB6X6;pAdJ!{E1S}= z+{_FOS&BdN)@;i7tf!-EUZ{iVg3avKr^fiedxaSa2rS98pfxcPv?!931Vl~Bi;*ZW{`gXhT!>C|*69fE>3C~Lm zk0?zx^K}?En}=@Xt^8rcNyx`t_>WbS&yRy7@i$Fs%rq5EKWLPBqR~g*oq^SY9hnyEW~`Mp(rwZbT3`2M5z9)if)(*KGC|Dz_43 z;kt#Qzf3351gYNpu$*pUcPhwPCB`=l;Y4*E_0kq*sw91tGIdaO9I&T#y-yH=0I2!= z+&Ra#UghrgA3)6 zcp_QGj&HS&Qn}z?Mi!q;SAew=VOEHkjr*h8b3piZ)Dvioat4i=`D8xw0+TX^^3OtA 
zL`!GE7y%B!0Wusg`+>O$=_kA$l^XEv-C!(!nDf#X_Iv?R|DbTt`UhSLH2D1adjn7% z1lY*jN@WMwh!8oSN$Gn@nkH|0`Wk@wO$|gtowah~SR#p{@IG2O__z*E5}O!2PDk=C z`uU!o1i(ae^>&nihMo_2Usw8eyBLi=2&om&zDhYz=YmDV>i2+Jh}x0QnM&3Kgf{g$ z0wLJsn!y2kc75m@60h#R&kJqcegIEP*BYL{<;hf|phHX_!n=_0=Lkxe_I~6RV25E1a=5*~pZa4@`&bFN zK&+60RuU-q*fNUHB&_c|@QBKLLWNV4N1=oEDAN5qPWTx*O`-CQ0 zitD&BGJ-lPK$u$Tj=aChoUyOOC`_D%y_E0N?Tt|c?hP9T!7>qE{~V*(hG-EMAj2Ye zypAe4ABPe4Q9zE^lP@%h;G1Ba@%ZH@ZL~^iwwK`m$Jvdq$N?^%cpVuu1>y-m-m5D}jo4`5b?hnOTay?wAw zU0VO`iR8JzHSk{9>i&_KT}YT2XyRH_wzGc;9ZU#}>tR*|Lb5-Y=+GKu!P+g^-Nk%1 zE#w>SPY%|&)EbKv7`<*Tmb=zq%Ek#4>Os+oNW%pO2ELE`tqW+Y0&g@IlKyHFx zRMRh`eLbiCXq+Lowcos6KyrtK_UdbC&?;BgE{xyUX3KESWUhQJgNv zgxhxf^Y{8#NrY-ggTI?m;w&2}~PJ zL!M)>=u{mxFJo9Sn+Ui*;i`AsN|pFnXRGlJD!skb5fIzOnUJepTveLH?lN%_E3tf3 zIhWl;IJ|vs?7sA6Zo)sqDIq!a*KZ?!?P#S!IVc0PUmrx{^Gp*k#$El zlUJ9Q88UK&PgJon@-^Lcf8f`)1a-vQX`dP;Y+Y}J-qG<0{}$gj--*>kdg0qs#p@sP zz(sLBA|u}1#Q0TL52^KKV7|}D(-@I))NyaZocU4lVz)rh9zsDT^_kVpE}`n-e=0M& z3c>99$%ysN41W2f=F{WQG8_x#%23tQ(?;g&Sl+!^pO@E1SZO7j zto3h>W-}&HdtNuTuHkm1b@p9f#`wL^DL7kfk|a50hLqJFjp35IFBpArFth!QUp_&# zZ_@9LUiD7<{6*Yy@mnEy$U&cH3e+3zOV@F8YBS2pbCJK2zw-Qx|u<~a=gbg$@(iLDLgBW!^Jq(diL%1j{J*-{gNxBc8CvmZj7*7)z2W&tvZXDLv9CB zuC)2Yjnhp!vPE8+lcIvH{F}bWPD^A7C#~%y397QZ4 zl~48K@#8(HaouWdJ3SRD4mKu%uY_3Ch?9c9@vLmjFGLh!vM6IFFlQ7&pE_AMw z7B+a@lP{?B^>fb_t-`~C+_&R7HP8c353Pz>D_%c+7aH1Aag5xiHoCh?;Qmg$jlOVR z4Jx2{(X}#9a6Fm7fBJ#j2YveZs>WLsxz_6KxQ2RN&1H49Hl&!@;bJE=OvsHd8+&yL z%UGwP)wpYMskF~I?1&7L9A4v7euqJds_uS$LdY2Otg9fdFs1)d6tdv%Zid3$6VKS=jDL&eLa!~B&WSr`l@}DeR|wn^~?d|=Y2kVh^hOpr&os;r0W_g z*KH|TIQ4$Ax-UA@)$RlgJiDY`Jn2>#wi}HY+0Eg%Vs_i*dMA!S5V~E)Izh>vnk2+D zp|@wn)g=z%ql&S(4#EO==HBJH+2 zM~$GnvUW1`RhteP&nL<}gs%;EzaM&>>O|pDCdHe12bC2s`mwW>eLb|Q%P-uooskPGPhbj>u zXVMWdMyumKyg9ubmnY~}-(xrYGj^Xwr&fRQhY};Y>+Wft+>(lWo$(~;wdUE;`0u)l zDk<3@vu;_d3_QHpeGiZ8lQn|z1h>L%1C@izp}{y7Kb$}+>&4!o<%mJp9o2h3j7% z=SVLXep3$*n@`QDt7nvpU-xWNIfVT-a43^L$UoW0DcG)G4&k0&xATfMegvwfrJ0Tj z!B8xRrYFIF{FS(eJM2kGq15lAO%T1O96ieWnmU$TFHXC-OP;o;ytzId$kpOJF6!6_ 
z3@n;?x8?~S!ti!lt^P8P>G*PY@Hh2`5?9Uu#ajJfrn@Fq=2uH^NUx_~D;+LQI<_Iq zGkWYx4L4N_8T)VA&`4X$Y#cZYUs)8UxTa<=3-Kx{Q;wYvA&=`gDN8JH19u6yPbf}k znNQC$K@?t-BPHpCm|drOu_l<9JN*F> z&yvTrq=EZ!1eu7IK2Lpj~;lF+x&mSYQETPyv8S!L9B;;7K09sI zVX9f)l3I4#uq|@<5;TA1KSkQ9E1fxRZZgR>RPHN@3o--Y~4w_R{ct!`$P8^14aE+_v2x2OQ>= zXCp|*$%ltF)*uSSv%Bpclb-AaX%OcX%}iuLrR9QO5QUy}T`RCG>e&kN z{LtLYUfOnoZN7lSsNThjd!$a3TQ~1vxYFKZGqn^A!v<-{u^SZMh){(>Qayb;X81@M z^l0OzRWs(GlXP^f3ME< z4Er5L@~SYTGPh<)^f*}VzPK$9xpc zTpTW!m*yQZ3wJ;65QyoRN?;a`qc4DYx!q$ zncz=lmzt}};kvMjUb&MBH>2i`ZC7S9Zp25+ND8@{Ze1;t`$Af_+m5X0-&NCa zg*?t#O&6>Bq4>GSkU3&**{!L(hGlZ-PYeDI9e1y2&KN`X~%Cq&6uY;AiGhm_&eR zoWg+6Q(GkRt~L1?L`748p;&y(%dd&FQ>W5y@aR#@=8_pLl9O+2?tNZvYTiOK(?~eE zKBF=;+6U`#znfAlFV7D4UcCheWA^@a>DuMf-y%{egq3$Y)i|}V<)x6n#WXfIpHeL< zSAmwCZ^xR3{}A;z_|>3U3Avp1aI3CNQ?fK2N2sojjt)8a#X6w#n3 z7=bA}ManLWWxXUqg+x{|AawZ|fBSs!)WifuVEZe%BM&s8uP-H}S!)f;`JI;?95=b3 zj71<*+6QtYj{<97#$mC=i8%Dw5!g<=E-EitGgdCJGdi!;6R(V{b-ezuJbhABv-d^c zAL`FcGPGSi9Jk(iI`5;i5fQxCft=2drdIQA{Cr#z6tjwba=4- z^hbZ!c)M(@`Bz1bs&q}4LDkCqVi5zq=waEFr+lHVkT;OuwrCl^_ zD!BamWt%G zmZwXnzr4NEX(EsF3e@V?)5_~4WmY-fOTX2Y<&F}pH6ILWO^CYweV*U$;Hwy?6zn?! zy>_{py5nidA-5U`x^g!dN+jX_r>vAI9rDI~JH6d<#VnSV@WIFM~2BrAAa{lCD zV~kEq%UCx9%WFxr?{v#)cP4mja%BzHXnZmf4;L%6(q19P)9Ntnj{|O>NebkUnWd$!t1CxOL={~)vq+3AM>=^WkV+7 z7i6mx$t0_-{;aROzb;Ce(?qi`1?sT_HCno!O|oMAT%rALC*94|-MAIcG{Knm`?eKf;ax8dyX*yw@A4rK7n9TPjjmCjwup8QD=4Z#UPKn2d5Uiy zQcfMa=^J4dH&QXX!fzYhaaFAO#jKQC9$n(@u$V!0X_+#58#F;Qr1d=0CZb1l;Aae4 zDBCwD9SRD18%m|S53iT&^XnHbI1RpA@0VT5b)PL1W-QZl$Hggy(BdyDmvU}MZAS~F zl8MJRgo>ZVLShMXxHlqPO3OQWS_$~ulP)GmY|amNg6H?1q;h5ykwfoVPE^T}=wBQi z_;!o#&CG9dYt8UIt}>GgpJ=JI?g!s@p^FNwrqZ_GT^Uk7A0kH9=Wa-jRoNX;t+ZUu z9mcP?a;qwj+c};bv_+ZT6e4@Q9x*&JkQoj zC=R>tazq+-A~z=wtt7){YwKDE&lx^%Oej(l`bSvtYY!h;r|v82OjC_3Y*fzsBQUi? 
z@>^TJ$=~sLu(}ydhhf*A&ty(tkA@7nnxw#GA^Jv{l824do@zggBQl>aVOY@dAkxWS1Wmo3@I3|5W)yb06j1Uv`*~Uj=q@X^6o^ zc|@CIT%%Dkqu=d$7{?TbgbEBiPRXH)`YKyU!(~1E?*;7=lP&mUEgc*I6KZ^5Haf|i z*cViru5eSS6qltht4m`3a{oIW^mkmf5%kfF?QHzzqQ%GDDXHg@@3bAp`GU{U2b?}Z z7dKJr2*bl??~?-3D%6&slSnBA?SWeLeVA2O70~VM7k8VO;_}3j0XFdq+Arp%QbGq@ zjO~IN-Iu@@>*g^sPZHRuDBnorbiJRQ&0EXiu#tbVct?fS@!m=v1Mg<22}AZ6jiQSy zc%hJ5OzEr)_POpR8as}8(sPaRov!D%YtR*|+GbSvKfkSNnU#{mGTn!7HZ zWdR9?Dz@jyPS#aj9`j%xZW2K+$`m zarEsm68y8*0~c zI!1BUBPO!emA;Okb4)+j{weCG=y9aU)Rv!gi^BuY0p5e=qs0# zg9zCDnCoI3pT4&xAcdD5_IB*8=w5AtWEd{XB6E-q(^!f7K8cZg<^I)ye*&MQ0p-`1 zl}oVi6W?coReSFc_B{cq_6pAl-r9}Exypq6(}dP3Vt!{`<(~UdV>O0NBoGd{A+s>* zNBk=35snP=VHdb3l{kHh}3$ranR#!gLpPoN1i!q3^LKn#mmi(AL z^H?`{MC{#5rQ1e5kqeGF$8g{77rwR)`jl<7@NA|9*tkly-XVOM1~H4#o5F-z_ek z5{`J(yT@+j+Iv$MxE$w3FV4RkI4HMZY}Xw8{!AD*o1%}ND&Ng93d)Cf&{P-Q{k&qt z!Po1_c)X0iL9}cu@@tCH&D4tm0^7_AKAP#aRxW0VRo2GD#?sklE-LvD8(s8ZLB7i4 z{qTiCJKDN;LhG4xfi^985;k^5)Ezd5z_eDPwD*h5?0y@?Gmam0v{F;JTkm_1w|qkb zU5=C-rQ}w_qqde`Oaa+AMmh+M=4fnOw?6nyJU}%DDqAUet(mL{(WqjgCzHhc&5yYXL`3y=Lw*{(2~hr`^{zq zl=yG(49Y9H2%zF**7Mu)-w2!6-#nAdPID5h)c2<~!P6P6T~kxQzC9iR9FJqiA#>X@ zGypnQ)}(hm*`-J)GqjuO?t!4?Z(oQA6jo7pHrL#-H)R=jJlN!3s5vmp4^3y^A*9{!j^9-Stb1&2()WZ zE7oZWRM2o15~`py3o7xj>JuC2Q%sR}4snQm>AAD}M1<&NLxQL2`k!VZ58P$Y(R6b@ z6)ZnODG$lNZNwtOv;^*|wZE<44I;?0k-kAThun_F#=JvhLc&ye23p1hEuU`u+XN25 z0wF-C$_?XjnK=Ui_cM3>rcF5hn;&*rLcIiB-STn`rlr{`kElUlu?ny$XC(%@Pj@iCmzM?hOAWl5 zSs`z-L`0(cVt)Qh^pag568DGuOn*8itVx7>Rsb@r@s5Tt{cB1v$~UFN(!r_z{&x~9 zCWSwFnJlj7KZ0+4jp?;2i|ZNWQV$s_Qb-66`16tJiolZg5dU|8Gwwc2mH?dy6lC*3 z*!)lVu@x1NE2xTnJ+%?n)}VaR>+|z-x$F~tLsA*9G3M{FHCojOrM*BgrY0-T-b5Ey zwB2tDeW0%O(FO}eW@e%7Y$*coG3i6n8t+Jafl!_kwM;HMlZOw^=sMM}2XgZa#B3s%Y zt#$&s_3T97j#_i017!RYYSw?%)p;e2E}SrfCa(JX_&3iGla>EfvBdHiaBmwP?=v=Z znl(8vKe+wZCnaF#f#=~Iw-{>zb<4+PW+u1dnfMvj6KN{X+YZ!KC`u}gy0g(w{WOix zxm+3MpltQ?siq)3T4EX#p)Qy{E5Z4-72&x2LO6KOKr}B0Q>aSfspaUKqaD$Zu;XfB zs)rBk`CEXuV@%ddJ*5za!)d8&J}s@`T*O7*(m!F!>)c;h&{Ah(v|e?|Z2#b~W;g{5 
zwBIQD1`AUTvzKd6Re);$*W0)FueWb7&tOE-EH6*+tedD(^9bsJRpxI)jwsDY_AvL?cQ7|M7x5TO5P;Y;`{5!XA@v&%w|@t2EQ%8f;(?=IEAQQ@z>ba{*BPU` zmSi%bBEkreNsDESz|Cbwhc^uL>;~H0>yjf@hc%-DP!P5qjT1%7_N59Ux@&~Tt9H*k5T10<>Vj~M* zU+gn8Giz1Z5%Ah9aI0NhUMIis7dqc4-kPkwzE~DMj)dxgwgG2g&whI#!HJLsAh0V- z9qW%Lnrk>zO~eH8atgOBac!-r6Z?`O8;<6a;BZroE8BM#*7j>FtsC1LbEFwg)j-hj zS;7+YDk@Z8&Mer@{k%u;aH3GJwajAt>ZrV4%j5D;)cgMXy!fhdg_9_wczOdqqM(n+ z7?xut5^I!qLZ`v3J5aJXB|m?E!Y9UG1Cs6vg^kpETrVsvBqviCk(!MHB4m|DOSntc9xS$rT+4`SmMN~W=g?fq|QlW-7k(=obXK$ z*>Il5@t}%M+vFPmc8#Lt6~kcruU}tB)@$~=Lq)MQ>yF0EgiqV#6ciQZbXH{-R|a#2 zGv!laGvYn2PUQp-!`^Jf+IGKJZi77e8o2F#TK|VXFw%BWXv4Iq{K; zIQ%*6TWB*nWYj-6lE}8wecvzNFMP0KupW%}dLuK8zUP^PTS<3#2>PmIL}<9Lb(aD`WM!%q)(5JgFb&4{@T<$vN9Sfud*uz! zT-gb4K_&Bmu8`>_XOs66vp7MY$2B&OWLxAiB+aMQi}ZabGV1317%%ScwW-bw*5-Ybvqg@DlECAb>W2o>1- zG9gp9njSM&K+wx-kh*`eJ1=PoiG6={acV=WWoaShH(^Y|V?FZ%Un^BQY?o#CGrsoM z404a7;)Jx+R6213nyyw-4<=u1b}2vUECNC210@wLTpS$AYHZ4@^Xcn|Fvfx!g*Mj0 zg8TmmUvC)|R}*v#2SO4E4uK%S-8HzoySoO0yKC^^?(XjHuEE{i-GcKSV$XZuyS|$> zKeEmYXHIujS6A<AoaG)Xoc(luJjXnXapYnZXjU7NX`MXOVfQQg+bCeuO)12oBa(TA8M){|$xPq%AAO-v+>^-X z^F}}y=GtzxL*N(oJwLZHNORomgNFcwnF2MLu>7O6ByL#0VM(fkey1zS*Gq`E7_YR|Z|SplMxz(0!3y!k2y%mwf!W2inA?5Nw#u_v-P!3zn=#)BO4zA$O-JCxGt_2%oStc66n811o4Ty zUUB`Y9xsG{J5!=g)~c_XpCyKLGLaivM%P2p2~MmvE(P(^&D1DpFnrei~fy!uF8Dha`OF;v-xv)Ixj$ZXfyIWYSt(HnXg=4SA6yV=+ z!@**VhdhtWTryqm5x-gqR{a|)`!)iU=r~nh^esmz)X*sHKJ8B5e$e;jSO@1Cnt2{FxY1B9*T}6?OF;==5%|<@tHZ11qC8zjG_&K%osn+EPoJ&!VciBm5>aZ<|mpoYRo$d3CqzkAvQDW z<<#I0SVu1Vx#aY9CWthEnaF$r8$r*MY_S4?xH>PDV+5#e2_yM$~feV*q zRDAyJs6NQYO^sqOF%CLFRVlT<=}Ui+Sf=H++!t+Dd#@!a!h;)fKH$l2NE86$4tXx- z#9HZL1_c!lNUevuUE*dwo?fKS$9mvW6KS9Ub#VjXCxEc?Oq=Cc(xbtQ-qkn$?Bb`TW(YYv)|)Vs_ykdx2Cf zVc;?;v^K@je8Ck6!D8&;)lftdNxM#c&Z<1bs8!DQN45G40T+2gxyof)p4PR9=rXl* z!%V!#QiJaUOL7MdQ=9Ts2%S`C+M91_ z)QIJTH#VGe7}sYXgfr)<$6Hg-brC#8V#|m`>icGyB{G`FaEZq!AGOju3dmMG9%w#0 zZAB~MQ${&5R5XQjRm&s{bzk37nk(lB&QsQ2Wm8yv7pn+w7yaskEf!D9?Nj@Jyc(3&75&n#LmF7HMsN<2R5*d^MorIDp55P!N-V(kh?_y1?=nDzr 
z7*JUm5VsQ!2frE@rGmDosMKrR0DR}+lotY^Klf+bR)l30v2VIE3x^X+z11g>SSr)@ z>hc%CjDL-3DKz`W+SLVbiJW=mk zyj1_N98b5oNOa;<=)hG~a<5-nY)bsKu`=>Ee35)lYM~$p$)rMId%$Ak**vv8x#&_< zQ*!NXyLuYPGLVy1N^JUA%IMlE!#w>(IH6X~Cbzc1FS=ynH~ThNmkDJc;!P@R-9+cGIb&nr z>nk}CfuTMjv%axzQqkoim>LC-Y`l|s8zMr00UQr)&P(|-_vuaM-gr zYt%5*p^!cA9a=yw^Fl=9_ zqU9W}su9wvf{iaXpnHKx&|ZfFjo)LTRXnhuZ(m@eFqNS69_Xb!j%077mmJUeAoPC+1Y0W#*FZPu?p;j-*g(3A1mPdFS=;I z#&Yx0hhO=dA8=OK&ixml0Yc;-Mnw|1gN5+F%OI_wLrvF%o&S9h;GlH~+QVM|gG9g{ z0Q92aEJ>|KulffmXT_SG2LRSuz?Z2MQ#zaA0!*WpB$j=s0v$DwsT5awN_YwY2$2MN zx0Xo+aSzZCR~YX0AdNC0e<$w^wiJWDjh1Cz9*rJTgm|n9i9f!4HMRMTZduHto7UW1 zo0D2*X|VV>@hQ9nHvl7c9jI6{`*euCN`U<=9}*l~&Xk})mFvQ%sE(?67OXjDa?==5*hgWE^| zo>gugyF(6i*(7ttwl@?;Sdz(A==UZ-t7f_4`F%t}hNd^;{fY_%MS#3GCbcB23kNRW zhNc@J3{ed?46D=zA2~WXi9e_R`qpEv57;T;k+tSd!R=qg{zE7;L_GkW&OVjVKc*)b z&Tj&CElkYp_Wu^9Cqi0C|$t-?B!RnJ``mz8NYqiut5ZD-mf%Wv> zg8y$6;o5l_An-ZC9Xq*y3}5PBL^_&7y)MhBCGDV^(f9v84+-)`!#G_e{$Kpn2Ix)n zCNtyI!0LMMSyV)xZy+r#EjJkh5aIxq4`AhAUf>_+!50h`0zUyr!o=~e@;#nmAQ6mD zd(Qdv3+ETmCnV1N*#drr^)x}xqb=2A$2+taD)+wN&Ho~61D$`WjFl#J=!>(NZoW};XBpxxK+Um|@cVYy*mQ;F0(E_#n4d@T_;EDpg#9yAFX?drAA7CC}Pw8ytp^ugQH4m`T4>dWKwK^zob>X zqAQhuo6Yohs@i6O<4n)7rpk+I%&!QaN8a|sIGURT=I<&2PGEnETxPDn&&eST;@Lpy z_?Pro_LRBEf7L!u0B3|=tf&7c z3@)X~Rh>`w;&PAMGXGYZ2bbYXz3TS!|BiB1@Np|ofIR{kx@BJk{L)&0T2$g!W7DHC z`|Z9^lRv?3l#45)XW%;Yt-dV&%cr7$(W?uz90mc5c<^~4(@J~}{3N>mg}nI7#o#ai z^O!w;h>cCXZ5vsP_^&t!Y>>b_v}+;$H4}BrOB|B_&FU*}2%Y|C2?4m5vMbPeN&`x5 z`p0MhJ(vJ6k0Cj-%72-_>WgeyEoA;*d%WPUfI-F#_M~HH)oM<57tDpKCraxjzGw@o zKjxR=yqPXhZ!}wCNfjR)7)W5TE$B_xx)`kRs<5bjQP@y5Z=R|zHUUf298UOb90OcZ zKRJKgiM1{XVc8)gY`^V=+q0i{M*3RmD@DGxTrNRg{fIedVhM!)6FsQu zUZQ*~$<$lcu{Xo-Ss5SH=w}7OTM^mUdo@Ka2%#BTD>LV~xQsz4aOnlGmYl?SdVr{G zC#v%f1OwdRxpu%kyAMkltKO*$&_r3&62)$!C(Q$^9izc90b z#->?gV{{P)VHuq@DOHt(1)9J4AF%6@Bb#Y7xkY6eqTfQMU zH{}Q&s#^cwE+zo~(*OLg_#gC*_n%hKO9c&xEbNe9{)q>0wfO^{FK{S7|4#+Lkg%;X zG+|7J`uE~M2Dlo?P=LH0;Imp7BGy5K76-+(XvM++Uy=?&=#a^FUyiOit|oy8=p8p( zA|LckRcqnvE(uT 
zS26xiSch=Onj0VA?5105rBwXaDUiVrJi^$x?BuV-icR{4bb(V^*_JdIkPiYBVC^Dl3|Gy>!pD26aoav=BAg}qGPnS0( zH1Mw>0ZvNvWiBJg(T{uDfpXyQ*;xgM(7OU1|Bv}gOW{&bh;j0fMgVPiDP8h2NUh3E+h0w4muT@s6}k(^w#2rgWmhmouSXe&PR-vIy&dAwh))q8r0q4@7%pnzT5 zFf1hNUq1zx1AsFvC85`v%rkF@09*3^&Y>6p4O_)^@77QiW8=^kI>C}eAPx0?-dB71 zS%qJIJlgtV$8(WSkBqbK&>QFH=g-%9o8i#U%*?-2LN093=;-K(;4Np+a$L!(mm`mW zsMq5R9VHbf&;fWm(kTtrLGmJPQ@`jBj|bGYIvv$ZfLdh%IN*`)Pc9_i`RnA)vfz>d zA(>1GmTyM?JZuaHX#B=_MT)s|BPBuvS>6*eQ0`4Dy&o8Vv8*IkCDkR-J(Rm_PTc>cS zcMkzITt+bOv^|d*+Z(I6X~>BdgYS9F#TDgU&J3}Xo|`<@d*?f^y91j^;K1A|%O6YV zynT{MX{ZDN5%%iO%f=ow+`??y^qd7jb=~GCWY1IN-?zfJM)0@}blX1Lengg|c!E zz$B7J?#GOOuE9byv+x~cYTzrw{x>E*49|Jr1od0ZbXB3rIBUR{cz8;O%Q64QV|W_kr6t~>1W;JAV8xW?hA8wk%I!;7slRb2y%apmJEZ{Qo8o_>bXh zkR`&>h0!k`0_StZ5_cmr>bwro{u_)94M;(#x(moG+ke;iLby_^4h2hH(XQ~)70KlO z_W<|7^|G&>4Ua>wj$+J=vGB?XLRxtBP5(0q7bpf%TH+PWi_Kjeiah^5KQKpJnxGBJ zSXW2L#(4k3%Kj2BS2L|0OplN{eQTppwuJxAr%v#z;!qI9B<;@E7N>tN0#ls;pLRD3 z1wr@U#HZ!L`FmT_5tY7f!Kew(6f{}-Mvf0E@jw5l0moB_iBZ-S>IN4jBBJa}3}{&t zN`r*Zg2hiAS!p4DFEET`vlgv2fj_DNs*#HQ+4Rd7xHqp))~|K+>WT5Vu4o1*!5a}b zz}PTlZGCQe(vK#kH*P0<3*L_{5wGs)(!aNBWX&u!XropfhO;;FrK03+oAAd%!1g4@ z!)9PeC>SjA$)(5*Mf(m3b@e%8!HYxWOC%LecjVN{XNS7nlUMdu4SLlA$}4ji2%{og zjK8MP5Cd#WD6J9k^lm7c;JTEt%T!4_FaN`XfM6;1?E}P?E}VE7_xHCT1zG*Os4O+d z399J6Au&ak-@y?9lc@8*V#&zfmFu|E-)2{Z9)9~w5tRRW7UT7aP9X6-G-1=dFhis9 zxqLO<$GXZp(J$7Dwuwg(T=(F+IUE8yqDj}#0og)n3vj2mP$4XXw-W)zALDa|0xT82x(KUw^O&hhc@HDPXXUP27xRXHnEj4Qq;F|Jl# zVR@aEE4y``TXD>hXsk zl8LX33?jCuz~Tbg#aO7_7EcTz_dZF7w0nhy zxy#38(}-AG9K29B?r@$bA+J%?YCel5Rz<<0n6ePuuy9U{zw=asR94Cig) zZDO)-1TKNBpZ9|PT>Y5M9r2UV_R>}*(XJFxA+~29T-qH9YDrNvmFjRt9= zkQZji8KR@*mT&VIeNH^*^Q1}fUzSW@#HUbFz0Pv$@z$NIH7^vZ4qv>tdWTSI_d=l` zrdZiY?X`{wNcOJun{M2P{C@K7=4ZY=6csCYS}R5O4VE{cElzG*g;LEZHfT|AWNT@{ z^|SjBC5K2ot&sb?_EmQ+|CPH@wYSDsuib-a<@3}NA*h>q%B&3hpdabCHR^{|NaGaV zU-4_Y#u&iZvp37u;%ah^^N19t3BcoyMBKMl5@UpYY)YpCq8HZGT6eiDk(Oa?3&N+u zxP}m^<<)i{2mONH5aE@uf>ui!<&|jO&6E~mK%JmntTg3;r7axT0=Etj(K-A8Q5Em8 
zYb5q~2|c*{!<2Ha1QgTjtM$r(qQTOk5(yi#B1+U;iHedx5Xku3WMty*#-9<53*;Q( z#S|9CIX+#U`rhR8C;BwzLXw=pn*_>7a?Udel&U=a-N$hDVC!xI?Jnpb0Oe&09l`iMsqA<66^p(%&8 zf3}q(`%QiYlTm2Woo{U>F>~))h~itBf2ws2x8?QPTlbY=m4qa-v&0eU>aX-ppYPB%d=UF_@jDy$jr^m@LMif@j=0lTgIdP5_(d!hRZ+ILMhw zUOn^W5Y8y8SurKMUy|0X-)sy(8d42~^c%K<*F!HsT$Rh+qrCF;<)$X4n^wP0sFiY?LD;uzVS8?HK2<7ZTT7wgg1_siHVrY#hdm$D7@T> zy<%l+PP9v*W@d+cJi=1Ot=k!zUR7J8fT=D7&-DT8LVNch_>t5)I90I&fC&@|f|Be9 zi~O{&86N$3u%av&0>jk%8o?0H^9Ik^#5lIfv18Eaf`CwW2W4iKBzPmoVVsU&44Z+) z#6V)UWm$_Qk&0n5pn8hCa;-Whi_!1l#^L-F`5yeB+Zo-bw*=|X<+=*oKOTP+IDpVFj_;@uL42#|64#@H;m;T=C5zTt8v>>qAWP+Y!sRDSq0pyb%zx+LeSE`{Xh zB(BD`>iol2P?@|{Zq`mNiB5&qf)WS(6Kp3uaRIT*)x{2u?QL4W99HL;(Ttc)WHA@}tq6b-CZ`P4`@x$q~C|0$RA*#6AoQ|XR zcAwG|tC2V5lx1YT8?27@knK!{Chk{uLz1eGBu4EYGIGUP2d1ZUSdI`Ll$46y`gz|4 z(lAL9KtJ{Zet0-nFaR3i0I}#Q6UU?^q)*@ZikfW~4YZ2mtp%fj!A{fZr;6W63}6j! zS5-0R@@b8O-UY^9cFQk6h7Q=9D^!*!day+pR3Gz%p?Q1fLk?@qZ$X`h{Vh-Lr2|`$Rx}So*k%C~5?=WL0-!FtfFp7Z>ZNWp>ya8F7 z>=iNzn7HK{nqx-geB|G$9Yl6U0r46{YJI>s@;ZlUDY}k1VHFU6U&d6Uv20MzBp_*N z02?xhT5;^5E!txe+CJNG(@l4qts|Ws<}j8>SH$#22s;M?1^v_X592CaYX4!>i~a58 z<3mO%Q%jTPx?N$h{1od%+gYXFkLVov%?}PDC`-~MK!~>724C!UfiS_K7_oT|JelB7 z4k!K3-sEuu1|HBciMFR7FuMKB!OfTYU*y?Oqbg6hf*Urvji57FDJIzM({UCyI7~j$ z-`F)acl302jB-%RT7jx=bf+sFA_%EGrsr9jJ9)J;Z!{DvV4mk(8lh7WC(qR%`?#t# z7V(7VWI&rOcCUX6ki+`CmLawID@iB`EQ$wf_y|H?TdVCA&!s5twWL2#TnSYI7rFSY zAOFUM!>`*JC<2b=ZthSy$&N2D3l!RpqZ~Nq)@{Y5>AQC{;ifl9h)J3l7?TTt((tsc z=7p->a*t|3??G?lOl=>s&@7Xo@b{aB8HuHUI%gWFY%NLN9UiGf8p4^9oY{{cypI*# zx=L6+fcYq*7@7lVH`=|XZGZ?wvAM1}jZh*jN-73qB%L^&q?xeY>JSn}=t2g3C$LCW zcDu|~YS`k60Day;b8Ds?xtzs0EzHf&IYMtMRme@|_2A5su#+hmlSn4?!e-qj%d`+` z%fJVtL21O>-1JI0M>C~qXI*t71{v!6CR^dDJR@*!DCt5Af)Ho$KYW}d8lsSFS<)4| zN;q|!W;iiSRKD4R9)~3B9taGfPhXv3$(AKp-%VOg@h0uG#!q7ek_9J3eODUEHka$H z^2<2pnXj0(?MbRQJwB6D56D5h5LY+%llt*WDR)aw3l6bwoO=u_c>BtV3D?@^##0p` zvai~H6x9NmN7`CSR)Fb zHL%=y^~XU47nw@SO?&zr5*-fk*D{Y}n#qQmS5`krs>Asih&tGA`hhik_c)s~NIfd3 znKQG;mr~g2VP)nlMmW7ifMg`eMuhPa^?^JF@K 
z{Uc5ck%kfD`t`{XysM9%vr>B;vQRLivh!}|+(D$p$KJ~+XhsKFSN-w1Y|BoVxe_LG zA#1~0{O>%$-Oa3HV{fKhh5ZqS75zUNO*&F!oh3#XBKrPBB(Hj| z^4QTqt}`H1RpG=^H7HwVC!w^}Ij(}Jmql1tfrT7JCY8f_ZCDQpNeU24%Uufz8e3^d zm{&i+CIF{4s7HPwi$h^^mx+XG%_>J;(HaMZ5BucDUe`U5gsHV-EPS+8Yda%mh>(Nc zWs#a1!ci_d&o*Nsuk`|F(nuorbq`FOZcxW|L<*JTbu`V6t=~q@9HA5wM|U&Z&nNL~ z=u*Yzr(zp@M&QAqNAGUp>Gx`e~lp5)#tw7z=n2a%pD3$w|3CHMm@)uCJx}g-) zuk!o?=2t!%uuj1$k7_bU<84r#`LrhH@KWldo+Ctu%y^&cy6(T+xH{b6fFMZ0pXx`q zCaB%FwA;x=&xPo@CRxj`K<i6l@{g_DOp%-JY=pk zh{djBS?2XRu`#;3*h4Y}#|+5r%QGPvL)&imYN=;iXEg9poC%>--Kw2p&i(Rh0g>+9H+p`%qbjvMlu|)p4Fn*I`ppF&b0?p~V`o}L!Lz;(jcXE3 znn3Ec!7hWza{7y^ta0!?5>MXDZ&*ZZ#P_3w+%qwqkQ0jHe|#6Jj-2F;iW*SM|uQBSY4QCd?stg9j} z`lux6u8dWj11aYpTvq!D={s5Vq&O3SlP3)~jyO8(yB$aM|BO;s+&^)R#Fz^EwgpeyjQMS;_Ja zmVF!Q=qk6zIJTMCF-wWfB7yUb>2?n&yBC+*#@OaOtgXg*9*=DNgP!9!Xg^%;0A!>| zuX@vSm69CyYdw@Q8fO-S;U6wvx(;UoUe9=X6rTw-y`Gqcx8(duc~gNMh@QBbCIR)$o-FLIo`{-uxIz6Y)FQb<}>qKH^Qs zhqwd-RhUtB-gshY1`*MT!Os!Fy*58zMMln!c~r2doFQ~+&6?3Qop%uU@*P|4OaTI< zW-);gtL=x|ZV|OUF=Ny|gyx_b&08R+;rKcis&P->6U0}G;ux50!sbG4K5vtRR&E>U zI#7kIA14e-3liB#U;d;UOn=&EnLxxa-}70;&oQ_^W3!@ecorRYHmMP+r72BhaXY>n zwbf$Q_uZB;Gd*gzPo&SeN_v_YX&zi5hRS=0V9GPSa_Wj!?=oxP>@oxwb{OpV<)=jO z#uX~1ag~@!S+K3jJ11z%FOtDiwzwshsZ-UwQQy5t^J`aR5`4>^O&4xeO0w)DYzFzt zvs74QNmEKAKCRic$A}`yL-=gTVR@CjhQ;IOsx{zOFlzPNeqxeY(rdQG@#GnQC^~YSt4V_@ostVttJN+jwA z5UGi<=g=exXNn~YZu<_qV?aJ~!Yrs~f0bmSI0AHldjcY@9_6EFgx?MOtA@Vcx>`|K zx^r)iDEnE(RM5ID>^EJwj*0*-`U3r!h%WKGLhcQ)(KtYkEf{3ov(BA1w3!m46n?g~ z?U>S#mC-8Y53RR%91w?&0a4Z`OtgM8>=e8)FrJcEE(sB3G6K)j8;pg2C4sDP%BACNGv%eTJ5@>=pKI1V6AK~xfWDKjs% z^R39O^#pJ<`Vx038T!Oixd~z0fh#TL>iJMDhEWipj!gE58|AQSkQ1SrM)%Js5-oe_ z*1BJ>rl!gI7Rnwt1`5{|rP@5(fJm!%y6q?H;5?Rg>SO>!y*!S6?r_^KKm-!qS%}^n zgE56bUid=QdEZ4fetD0hTPpHa)v~l#J?Crpp5)YAZ*8YKAsAIAanMjq z&m}aD)t($T$;rAXecbm?AQBpaAr!{P{b1xJJkqD$=;_%kdv@Z>6K^|xE{WK3G}cH> zc5ZJsvM72x%+1whCWh~nflUX`lPQ;TSRgJm&W7VcQClxTLU%kZZADW(hC{`B0f)}i zJ4_Ku^N?B;J@9k!ritJ^`FJn{eh-28C$`tGxp+#o|LhJFpkK`6u|NA_R*sC$=<{r1 
zi1&E(?S<^(n}m7MWqIv%TxJ!tw^lRc;`3-Kq#V(JnUq9o_pURjA0t%@m4iF~HKl#qM5&9#%Eg2-EZ)>k;n4i8Jx|oD$Qvvp*<(x=r6%yoQr4xR zga~3m#~764jA!LTejVYEC^nl(8T>0;!E;_vcme<>CpHi8YSG{@wE8KJh04H|u~LI6 zSFaaVrbjwdKvIg+t}7B6A^lSXPTLC#L+Fzv#sh>LR_10xIXXPSY9ybg`YbXVp%Sl+ zwLav68aPOxa+$G3{`DQ$kh!cg6n8|f4NlvM(klV?+0*=qGe5pI2+S}pYENp0SFKDL zTS5u;!QdsDJG!BgaGm4{M*9`WKP8eId-jFW0>M$L7Q5?wI(?h>gPt~)s1_S~hj-sD zV1vZJni6zF6iUMY<0}P!HWb~B5YUXC!Z7P#vO&5_?hg5&o$C1|(va40l;-LH$r#s@ z5>E?`T}Nbg+VmLl+a?UzGz4f|bO|)pAvbkA->{l}$Cef%kj1vV22k#Db(}wC0C4=( z&)Gi7u#mo&We z)r3MaN4mRS_Y&m1EF#&5s1s9`xR8ThvdNZf9dA5$9s5YA5bIkoPY&9+ah~j(oZG>- z6mcLf2}jH9H~OWAd=wM3AwTq2wk_C8VL4BS9fRX3fs3t>OFlUrMOI>Ymez5Cj(!f; zmurpuv7>)}176_>`Kg9GZ{o|{kOX{0wOL8J>0%VF=Psd#>06Am%BoB0sP7YGZqv^X zbd=`26Y53TQiA%_wo)_L&CT35`*EAFeFbZDHJr^W^jaDIm|!;6$pKw4OioZ?wqaaZ z;FDeA`?@Ilrx@=SJS1t43s^67&MM`7FPY;j@4I(UpjFJ-r4jgdu=`&NnipdUW?JkP z*<|r`A=9F9T1*|LQqDEbb_(hmkO%-oWNIc8U70Soj1L@b3SJ`(StdK0kSTq^SoF-g zA_)|{&P05r>Lx?cS*L~BTP*2JF*8Dqk`Vk;rqpLj(4Y*l>waJ?ejd{XN;{W1gQ}J$ zD+!FIEDfHs>^AMk=Y#ND7-2y*16lV@@{h)|Zrk;h%N9^<2bB;l4cR*i-qEmdVMW&w zf?`*SZ}ogR!8uinOJ38>bl%bKW}-n%&~T@ z_6Cvy%Vv6#3IDibBZHNWm~&Hm!Ax5&I*}xcsJdRRkK+`mPl%*Jn==$ow4nEV|Zn%+4I%z zghbrsGM;c)3jr0-x}oMk=jQ^=F$#(hyVS}NvJmYzW5ui)JCy>${nyBXZDI&;dOKe{ zM#t*o_wibl@JDe#p=;9h^Pi)XuMMRrEMgs}X!ME;p$`tcjCPYcJ)6A?1;DAffK8xW zgsVs*4mI^MFe+i?9X!*K@N=cEQq%&**bc;NpTT#hlrRlWY)yRFK&lU{6X5i`Gd>!R z>q$%~mC``nVrkB^*p7&&j`ev{JNsdSyEwh`8K=l0*%w8@l?`z(Vp4Vz93 z)V!34Rx2(kB%L$tzsAp1z9#?9_O*0+%gj#jUO)^rpyNj*7}-b4-n*Z*kUf$!@su9J zgwB{CvCPf*8-g$kphL=~rk|?n%1cH4_Y=v6$%nA;exOjsXEY?TpCop`^HYF`X-iUw zyAPN)R7^%*m*CkKvyvIzliHL2pj>3)M(b05pZUOYHF~`F#q}`Vg^3(tREVn!w=ZH@ zQeLyqsdT;Xjiy}hh){532`YsICZUx5q=PL9GCCNPe85ay*G=&bhuQ&Y=sAw=)cJ!Y zj~NyS%`-5lVIre@8ufoF%BUrf@ekApDGFF`1Y^+Q^jHIh4aX@)%24G(njEAvwLsG zFs=@PGJf>v&UTmDO1b>-bK*qk=_n_2i_&);{A2tAVSvLU9eN{~Ca@zwOfpVlQVsAn z^4Yy=zi?`RZH+ z>#vV*&f+}%Y@NPYTp4N$#f-F(yn95g>`4)5!%xV$if3nXoZZ<`*q%u#vQT7cf>vkh zW2%hOLwskjP8lH5-$S$9gtdK`$1N>kem=g}+)sx$z7;C+vc 
z?xhFu!X{LX$kiK8nshd5ZmbzlmY!46ILWscHRB#N>hox>F|d_v)C|ALITkyQnD zNaI1j0b%?_kQ)IUU+V)js%5-&rMZn$^3`#Jm4R|~Wk&nP>3dTttT&PsaY!pU%ods4 zL6tX*5qr_tIJAX6Bl~R!9hsCwX$y+9FAWIH79?mGebuels*(I60ds@D5*EIZq3d$^=GPZ< zF=CGn3raAeC^t43{)Xnh!o0In}8*Y?uY1;msyR$uA8Z4I!_1e9WCoxK^&KIdnT}(17-p4u*n8 z58KV%#qL3y(io%&E`0E~q3tIxzgXndAG_9HBeP~woC&KHPn=V2n z+M6N#DWX|koGKSv1~n4wil-V6ZI5_*?CcbqWVXAFxzUeNG@Zrno><$ zi<#}SiEXhYw_w~##~(z3FozvKU2f|7MVDR1^r$IZc8M&n9hB2@DqQ+ipN$#f&D~FP z@9o`?G8|?X@Bu?{vex0j9MA1*x{!nK@&Z4uZZNEwXCrVtzFd3|inXk&;G)q&B11=O z@I!UheicriFC8&A6l4DRDrdbiSHBr9S~7vzd%$Dgy8Sy=7mbrUeJtXbR&`BRkis^7T|%DQK~!3uQ+?gxq(0WuD`ZrV6zD_+DtP>_ z+gFg#Z*_Oq)AOfhrd`g52Z=)6=(PIuC$^WpbJb-;<^!5s$v7P3-AdA!oVF~Pz4p2N z!cXp}lUA*mW1lxZv%O6-)Ucdtf|%G*F}?nb)hg?-AJ>r9dvqCE-VdbD<`St-ueU0N zR;kMSSyd^p7}OokXAQ8LrERV+J#g@HHJu0h&H#}Kqgt18lV0Dcf{O8m>}RI33$nmD z7Po=Jd~4*(fxh{wyNzbm=}fxs?Yeu7rAaJy7OQ2_bURDFIQRs)$Mfgi*S2JGSJcA5 zkJN}IFf-!NeBJ5!To%)>Kb*|srnQ5-h+Q{`fDl=lWb0}x&n%Z=ZXDI3cBakix-@BQ z_FYs6T>W7IxA=+iFxK%RAzSJ&LUx=`EZNJxyXeVF@>7rcGa6KkNcKXDTK&-=((v2f zS+bl=Mdo@uBhmo{3b(?3sC=R71Sadl)BSFDDhkq1Y%YgE#^$IDPPofRttuBZ--w9y z?Od;J0p;cOY_qPq{;>8XMHvU9t93?5iBIABS_WO>DjI5a*BkaypQ5!Ms|+uVK~;Ry z=)1rmMu9NR1&bdRv+TV88B%L#p=o=9nQ_GnYmr^GMM!iciDl+QA#^0@wl12A{rp@TK zqdnK{{7_Z+^JKPa>mpl(EUvY%PHK|Tpsa$$dI*Wmg1O=yw5(nnHpmf}mQdq%%zaGL zZL21w^K*!x8|AIbfuf5cZDL9D6~|l(`@=bz1Qury`exr#vXFbF_24btZ6{S~66?8D z6+(@Je~R}bE!KSVQKEWca>Fas_m&9?4|a!^9;`a##0_?*xo1&kp`Ds~_B;72F@}E4#m~H`Cq^bSOx>tX)wrL_{)I^>&am*H#OpI~KsU*1V6NMMbyT4@nt3;rcxx#%^69uFSKH?IfJVeo~61d_i9Y<(5O9i zQ?`#%?IQgEHb;7M9nzNcIp!OA-Mut$RUgiLFePr0$T`i$ABkLv1~+%hokHPYbPO@9 z2NzCEa}`N(3?n?Ce8uHCGC(-LPT11na22ztN7-T|v*MU|CM7-g&La2Cv!8X8pGBYkc zt{DSTGyRRb=a==2WSq(8;94l?oJVL%1ZUTwem~?_&~Bs7e2Co)PeLA=9=~TL?Q%NA z6>;dOuO9z6D8nz$s6q*xD9;10lnZNbvXcs*hM^e=5xIl;^nE8-X?>tzeZ-vG93}TViOSbPU^~i<~5)1~cbXgC5B34FTx7D(-OhO6ykKXh2 zJ2}oV?x*wPKcBw2G|?m^F7JMbhwJ8DBusA|vY_?CgG`vMxQ@6|Hyhiq(!TyAN{tvH zOPNF_bg;JWh? 
zmE{Yq@@bjyk!}BGW}nu$nlK*C$@R(cLe1IeF~z&Yr**`L9?52>&8~bo+^MKIGsORo zs;`cUs%!g(VSu4w=A=5XfhYhU|U7i@`yjzRPJ(VE&}WXf{SX-d9k+9I2r!bk*g>(=NfJ4R=B9CNSy zA~o+mWd@~+G2d2Hd^z`6@wim{<>T~SS9IxNt&RNY-H`hb5)ml0=!+xGu+n&go5S#> z=If*$=T9F!oxJqk2>32nqY_=t-K;=DBB+pXwJh zn_^M#V~k-+=%GBJvu^>TH2MR_M_t`RZK@#A&6MDOi5S{S+`iAt_Om+j76B zUMJxhmoo8uZR)n{L5SG-EHlQ$jB&(HcV0~g^-IGOe!qG8@sH5DJbH1ye&;n@|HfBO z+EK~?Oz`PptSVGk^K=XNXlm(#2>S zxsRfiAOoyl?c51bgW05N{GFz?td@GWg2z|xrn?c7p)Z6LJg{QzKMooDUw)~)GSNko zvV0pU!0}R?Z^Fh?iR36UNIIHp=d>UICQz+h|0-Z&s4t>QR2pCJ)JDk59bW%JKuN|eLayjT@3CPHaCB!tC*FwA(kPzH1u%M zvnE?98Z$ls6JVkxIQfHhek-#G_`G+{o6i;_U1r5mOk-ugkNYAn{Nls)0Y+0=t}gFP z+^v@@(8?$URYveTx zwxagJkT!%^pL4r>`$|uuGA&1ko<-q(oSxvJfUl0G7FWbD{O5Uk<@+w8zLR&`s9Ntz zr-9ZZ2=6?%2K0i4y$Kqp%lpkQI1HSA!%qhcP7O=b_ z80GAJ4WFGbj46q)-Iq?Ekf8;kWY2IeZ7kjViH3hn>ujM|g?h0)dL}G`Kq>H&{P(@> z5cy5|1u;LEXsMAc#V;f5NpaHYCm>rDV4*SQFRx^Fc%-qBsMnp#H7+>KTsmE(T0luo z+&>)lYe!FZ`S$J1na;M1|KX^29yj~j+S$&#b7Xei-N}=RUr)E4r_9=i-CHW$1V&7? zye(Obx61MUvLKJ^g*G3Nx2AN;ofgBh^Tmbc>*KFH3n^bsAT~F=8|x%}%Lx$*x#1z! 
zW_0oncI?+bmH{@Q+!0x+CjGi?yHPc!1|#_2_kNz}O1j&aam_Zly%l%+XbtaCj|w2# zw+BmpDdtJFW7y4n8&!?Qvzw(3d&88}VMrf-O>`#Czs4XHKws%vImFn#JVsny47ZG` z4cEG|dyDck%NdLp$-xwgMDQGdML;GRwrT+~2U7Qi?DXyI%U0k|B{9MXzy_J_gK(32 zn@32KkuSH89ZJgjt7uC5b(J|LnooEaRlu!3rX1X|M13t!Pe(TBo*SW9-EybFjz#z} z+&UQ@{=Hu$xiHSnO zTpwV}Fx}2Z&!ilim>KzF=&5>8?f#g+yBHAA{j@1N%Zw*|sV+9BMP*xiL=qWD`^aJ) zsY*IxR0*3I+Fz@p4ovZPAP^@75?hU3#)O%I}}qx0YBs3d|=lH39nEsT`Zr;hRCc(w&9B-b_Va-s$huq2_N6AV z&Panqe7BpK&V0k!D-qr8Bp@LQ+Hayt*PRTU(GM593zOa+eDdkV!d|# zzr7%dD69;3gyi)G?CbjosSl^J$V*QfUxgYg^><4uTC5+BeGqS0qS7qRnwK3bddI@A zmG_gRiw^%3+`4FZVCOob(3pq}X6w2nvmr=z&rE({2ccD8=Y z2P`Px%l0x=y+&4LfKU$P2xW}$y~NsJ!7Nx(HxzpsM>NWbuR?1~6!>sX(9?5yxPq@0 zAfi9t9p<##uD>ng;kfJ12FbTb$`lf@y$DWzy0Ho0JQSxKWAm1L#d#r?1~oqXCgz-5 za;muo+w$I_h5Wvm;m}l17BA&hme_kx<>Ef{s)x{T=g7EVfLyFyRh_&BYO_Ac@j4AE z^x=H;tT&`M_JfGMtx3Qf%6VL{8hPCvMyq2-?op3tk~Fsi!}~FzFXQTEao6d(SNUmJPax3Koc2SjR=TTJ>{z$i(X1*WEO z|DI#hX3;s~#ACN|=F!VK$1f>U06U_eP3OGTwFO-Ehl16utboi?s z6;H%KJk*ktENg!PYPD&$rxI%u-m4LE?3Kjges3==879m$R;s^Lo{;>^AYFbZn1XGWRSmgHEL!l6!{pez+dbRuOrrX9n9|Lfq$+IEiK4aMc zI1cAn?;?I#L(5o`9G3hM(apZcm#q4rRIcOUkM=~?xZgH@=P_)aXNhQO6*FLrI)1jd zUC`S6{-A0@+LOY6|I#-`j7Bdp;?ev6Nb`&96cL&LR!TLkR~{a}p7Dy9FB~m!r$`Ge zRxBxqW*9`@;amn;^M+-gZC<&=Sd(^cbkA5Vb?gx%QXe|(QGMuTECk_k%J7L;{bS-Q zE=*i#hs46Sz1F2pav>7_SI-!0xb8D*C=!%ww{2;w9bQ8*#U`{{e6PBLOlW7nSZm_A~$p?RoxVv6vJ8<7{lA^>2>Tc%nu0li%lo z0J7eXW+H!)&gb8l*nli$pwApId;G`HCe8*R=5X?YjSeeznE&by{$n46LE^@mWO2lB zQ(wL^fc^4cUm*!2^g8lhH8qqP$W) zsQ-gf|Chl2-%q6O8v1D=pC<8NXQW7oI8A1TmCwZv1qTgNtk#9{c`cI;l|dc9v(LSn2r(!N zYPgn;W$kW%nN-bhU0x_faS=|{?8>Nn z&*^&?<<&-f1l6FeIYs=|ARs0<949`*HSw1&XAKtSMBRgR1FKH4@`wwZd!iCWP??dk|Zf?F4flWW2DPYR^2>}&A zcK0WPgTV=a$k`I{*@-u~91;RAc8z!vk;9pFXbM>Io{dB#1ii^2?tbg!Z_0`mSg@r_|XHEvj^e>0U?T|LXKRTBuR~PU{u~ zxb~hIe3Yw}@i*|ke!_Tnd~uHC1+PCm7AA0B_$<&Yh5HMW_pTny6-G!CR(GQ!dEFia<`S-)`iQY=j>lOE>E%GM@W@hPKQuk#J z&vP>xx0B@->)F!QR>8u&Y;+QSM<9AyK){!849Fa1(QiaeXZrrDG2Q4c^|ea!)|YTyKwWm_$@J)g);E! 
zM79V@|HZVbn2Mqzk%$*Jqmy8k8WW|4x_W?@QCgB~Hyk25^V@cUbOud@1?s5CNVi|B ze+Gyhgm1SKC+)GZvGY`VI_1cq-<<=W62x7gfP^4=e4|GD-)$m3J^gOMG_IQjVuvBh zJv20g4TN9{x-vqMGmn>=q}-*sbHd1dbsBHqxX!+=mi9d#q9^xzI1{;EhEv%0oR~fzJ_TYES#)b@`1tVOFJejsQ`Fy#a!rW8Nct%!Q6Jlz^RP{?xSRAs;}M7m zmkJ8rHdo1E>$nN5d@&d$tq4c=n- z-M}d)C?0>fI_fs*yFY1D6#*np*hSr@gRw&O_$UeevU$}R_yOqKqX5wr2mFCLXZD~mSN2RHRCWNVpo?3S6$)Y;kp6^Hm1!tgWG3Cqa=@FT+|3pJE zk5>lrl?4&4_j4tJW(2~4L72dzB=Ra0G}IzNK}OCED*X*S?F{t5GF%7!W3RUpto;{$ zBy|Dc$G^O6s{kxRpksLVUC;HJANlWoHF6;TW}72R*t7O_ogMql>(?Q#_9k)$y_e6@N ziXM^RA9By=slh#gBa4w!=6>R-+_WhS{@?o6L<=*riNe+nlZqeKn@0w&msM8oRSv(k zypb~nwKg|5=jBPT1aTk5Dxwz^(kcv3OlUiAgWKzZ7%`y!pRwV0Zk;Y)Ff=${kh{_e z7KxgrgY)Bo&6A;>;RyOqZ{%+e{ysg;*7@LE;?AU1?vGwPgCb_b5T$msO(6fA95r!soRZ8wMjoe6TczPKyUfE-vQ{+4zFlMbfrH zQS(p5la&<|1e`X(RKZdN{pPsXc#6`e-H{65t87kBWP4Ncy4NFTP0Nimfv^9cCM|M#!Ym`2Km1gpB zNvLG{Sw&ESME19flg173Dpu2SAIdJisK{>&QQom#kZzE&uF)$l&YJD{2_Hp-)s1D` zg}X%NmejHlN}Pl#Jh_xxX>3Q8S+Jo>?aoO}4QK3?d;G#D^c+!%hNKCL9@??=Eezdj zD~68>97i>60`Rs9Y0071kg{Ui5o!IVWoMMemzvx67YA@TWaZ!b=vJKlk~EZ`J;l#e z2q>EBGLcyaW}us_emtxj&kzkWdcGCC_i0v=%V@&Rfq^ddbZaNxwuLB6;jR2+zLxb3 zKCZI~b}FV}(NbaP-IJg?IsK7W*&nhO1du|ztXaN5$1Cu!$z%&SP?=={^FCSA4(4n{j&xcoVWMLq2KXpWbpZdMrw7>&(O zHNBr39OVT{Z1k?+f}JB&zoiGebuOC-Ni&C_stcrOZ@SY3!>E1~PX#0)1dd1qyuvVu z7$79^?!ayslwwdFwJZ1gU1i&7ruop2KO{Nq1i85Hp_MHP8u@Vhdn5Fz~% zma6Gu)u*+mKWn5yZbl6$UPa7-B1W_S?l+UrfUD-}22G6L^0`b%6n6-Clsp(YMJL!6 zy)~=yNbz~1pI@4?P?WxsJ5kHAV`0(u-ROY_PJP|ZvfwbAW7`F9>5DFBrctb>W+vH% zO-%8hj-vgx4R{;7ob28p3KH#|*H2^cX;S~3CNM*u#kr~E`oY0(R|)_nQ{mqu+&^(0 z6naQTB2*Tx8;VF@(aO>>XWR#(39SoA1!E@(lu}vyXBcrPNKEb#nRDbuW2-vu4$lV3 zwY?ehQhXk7_riao;Hs?F;-MUi-K@iv_&i-XJcS0TWk24{clP+4?`Aj*P`ZtTgzbtw z{T8b->?G?J-5##-W8HKw5%T|GCZ^~D_ZjoYR=Q1PcWr6Y8URuJtdw&2_~ne+#&_83 z>0OQw9!jC_MFIJjs9%e9h&4NyQDBtQ9d8dLiscnxb_WL>>z;wzqIozjs0qeZf)?%g z6i9R)xKpy7a(eo64F|tq0&(O_#&uCv?Zu1|aPiF6+oiyGn(ut%A;EEWb|&-O#`-Kt z2ZWwTGO@0ni0W+;O>oIO)UV|aC zK;R%v4FywQ!~t2(2&I4Pvpx;)GMARJM_eCFu^u#1KA( 
z;ihR(I*s-Ib2*;}GTGUzHtx+;lGtsSf7@FtX(=38gNeKkq|OIOF0#^(9#OG_$)kB*MK!eJ`1V!tlz?#p8#_xI!yT6fl(thl;BNw?zr+i9BI&;Vm&RB zvbLem<&OrNjVv^C6sL7ZJoK4KQsc4@`*~qzZ|ts)7OTBj4Lc0pC`4J6)ag7jDu$;I>kOM!J_7MvQJ2xZsdC2V#f=XiF$G^`+~APQuYg;07r}gR+Gm zPJ1CXAWwe(UMLa^wya{XTBu$$Mzs`|?2APjLQNJ7)8MYgt<}r0cD`6XArTPOHI9~I z*>zhPaWMUEdf8#{e20q)i6u_@oboIWg!sJOkn~EJeJNo@>A|S3xOSD#FLQ`q!9K^a za=Gasyh%I1*^!g{703C?274PJY^BeU1%C9(Ylu+_-q}L#^taZ6OpFXFx*}uzzIsk) zBb(rtK`ojx?$UHFxj@H=@xEN~HM_ov3XO0U?h011kwqKuD(L5*5@f=@S1`&sinbUh0pU9TW@oI?lQmx~`=Kr&J)H+!W3*m|I)B--Q{w*`nTQe4pP|;3j7zms*i4G~LgsZuZC! zma|Je;gh^~+=aA&G@g*Z0)^QKlwax6Q=XrdskBIBpfIt^z zY?tG#^-_EUmAIYHvQn#}#MqT$rfPRK-`Vx2L=0nCiQ=u1+5#gQSN|zTn1I?xq$~zT z#z24J2y#8BtfKOl5zcVdFOZ5>Oa9%)x++W5Dk@r`a5DiZW(wzl^~bgt_&i2^p||LqPs7yKBNP_5gN?T&;P)8 zlwSJ~y7=sDbnNuc&T+XXQq z`7pRcXL<2$IOjv5Ilh~gF)k*3N zD(WSZJQ1m|P=x3|ff@M5=ty9!)4SmLxfTrETVKuzuYRN6>0i7LoiZ_1!Z@kf+fAG& z0y`hf>7I^I`bZsn6xK+FPu&r84cGYmv=0jZN2yIQ3=uCT zWH*9Qjy~tEX?15$Fz(Tt^IeCaDr|$l=&EsWR8=G;@NsDD)+T!^TladGkTmiH6ivZ0 zRE-6x48Q+rSApp(Ob~9;(wDC)KoH+b=1KK-ygOg@0(J|TNECgxH#KDAGVqhTG-=Nw zhS-DJ)j?=1x(vy1r5;oAj()w68#vVqN7-EibXw7BQGZb6v|A=iFb(YoCR5qx*eaY0 zHQtH^arI}=rTxk=ZcOVFDo)#t@7iNj(C;$D z`(nP!4**?%NaQx=S!h3M-$>_8D zd)13M)7O)OH@iX7eLk9IMjGBg;N(m|cb*01-9!qDK4zROR!|c%Z;%%HQfk-R?~~?O zf{0A;$wXQedLavZ!+8T>7qw<}DIHx*q=HwxfB zi49;R-zm}=cy3?DvOB)~#0hVzjVBaH!{4j@Mg{f9-tP%940qSe1g4Mk?j{YNU(sW8 z$iwgsoWY^RP4FzSfWC9d5uALo2&`o&kgtj2PtMr!J2CrANG6vFPMIOr{a_(DCr8 z?nZ&Z91vVY>;}i&0TS*bv$Wt4S%%aeuWn#B!_9kV6cn5QE+Fz&qX34AJDU+&zKj#S z+aF=;jHcLd6ba=+{Sh+FRqo^{Uiro9=_ip1QXb>XEwD+F|Ps46(D6I+9Esa!QNl%f6%G9_qIK`U5?Y|B0~f+V3B{%LV3#37Ag z8wD6$pJRW(<=B75K*3`cH~RK`xS!n&0?u}ivIZ`end{L;TkP-hf2Yaji1~>=CZqJ= zBcd=EHwF)&S~{L+F`7}$K?ph^B7- zO{t}!o5VtuU#v#_G-)$s9F65gf0tVsZw1|V26-SQ`6-<4Xr}ma|H3^{eAr!|>-swP z!2BM7LU2I&oY#eB91$R zFb@tRshi!$c}wf^JQ)tlCY_9M`(BJUmF+Sd2BZWOSk{Q>BE~C2`sJ{nstbEkAqev9 z>PNBG#>z#e?_}U>?=+JN-N{GU%6`)n7fH&n*H?C6JjYqOd}xbJs2N#t^z`bYuRc9YJoROP@LPdlJ4G^t 
z7P4>wJQ>&eTZvnV&@l_8C^6~%LIxz$_t5;jrm4v=`6HACEWrmP)SlB5#Xs&kObX+0%zMqS2>7kc7m^Uk;t$+$)0g$^t3w~E(257}}sKUP0v zWHDX8eMMf3$}vtn|F}2u$kp+=Z5g?Q%bfAet06mW5L=8#Z};lOm{PCX%MXh0nE_1^ zkPr2AWnUv`kpOUMT}ezcayMBNlhUinvhQy?^x$Ux>ul|M>-={Kvdt&6%sexU$Tmxmc%33z|AmynPOWgGwP z&^0qYp=+z>F*-foQ-R-`K{>kTq20HdC-F*+q^1kMOe+bVMFIpU?4WAEvAU$F+XaKh zu@{Z6iwr8h9Jv!}{4hsO>7qWKiGq)Z*PH z^Or!$62#>I?%@a`l5&gyJ{5|k4fU`v+7R|l1wgHP_MU0wG* zpg?>(s@l&Lo7cg|3MH)h96n2SP2DK();fHur6p-YI3qDKi>$n6An_(s%ImudML!4X zs|h&9e^81z3}g0w>qvF`tPNqHq)E=?rOmzFC>o&QnX3e|+=|nc_PmMPN4rT@EA9U^ zFr3VEHch#gi!iEZ)ah~i7(x{G4MQg@5MM@Fi{Zrn#xr0dGk-|}HJL=vMg9|s93SSU z_}6U&BF4?AJOKeHq4&{xZKxHpa7X9GyyQ{TvBa!{o_| z`&vx1sWT?ROo3aAM(BX_5$1kk%AfrPRnvBWW3>j@9h(0?C%cQ(`Ms zQbyx)roE5f0j}H&{8s!1{#%z@_~Y?gu=rP$*ff(^AX2^Te0zR?`Y-wUE3;leNN6u) z?=(z$ul}3XU&LK75oSiZ#H4!ZMT}%j@1c0VfAKao_L&NBO1xzUQZ;$ekjw>%tq6$n zv=~2E+hUEF0*HBy+Ia9?$v%K*L!D`>c}&KMyejgAHgS}*bv!B2qF>xaIVY( zI!7Gp?>s$i4KI*fQ-jUC$qyow)I2&9UP6=tC%nX|NK`7vq4$%Du_W6Pi!aCyN#|Zm z^-4*pF>MG^55A9Q>h`iR<2AHE3!)8-df`Qxd8#JX8pHYmjgqn|xsSn2iq2WB+SBfk z3NX_Q0))X4zZ4LO^o-a|+CeD50DWl6VT^`|!>kj0fc3^f^nHvngWEziS>n`rtxWj~ zX)Fdu2`Rf1+KO277}ppb@rcq~a}zXL7oi)&5n}V9OQRn|NalmRU|A0_4c z#n+x~eAwGpZ?X^+-EOY=eq+wLdK}tHjicpS&YDJP=&=Fc5>A4pHHRL=_>o6R0Q-)% zy{E<;{m*G2!&$WwWWVvMM#*d9A4SNsD5L_+-h|S-3XCMgk|e1dW=SVgr{C;1xuxE1 zn7yP1rQWgI0`v$4m+1g%Lt!gaht@bDSVbM_C$&<(sq}bj2MmljjDoa;=A=;at8?#* zFB-*3Bm%G*mXj`S@h}()FymulUV!|IG7lf^fAtwFp)i`V%HS%U8qf${P<|Jqsd&8O zO+(3R5l?JQ8F3}a)d7vSEes>QTwVaPtElT@)EABgI1rcRXt5P3c{%-~;u7HaP666E zxVpb1N|BEHWuJSW*2?Yets))Z`~Jt4oY{^ZI4bpz0wW+>6=noeyFw5C4{9s5mQ*9Z z5g0CPdK3V<5D7;~rDTE{Y5~^QI;6Hg@K9M<-*oGPbd)s3!1A&|Nkp}mNefMqybNmF z+pl+rWodX}Xiz6|WB1@}L8#EFYvn^FA$^77Tc1+TvG2;6Fe87XF_^=>Rfm7-W(_2UGEiF@r6f{B0vAnyWuS=V6o43pm7Q z?z+b>b6ml1ToJuJ6oY8p%@|;m?p}S=F0#_N7NI_4Ip_m z!;;EQKL;2U!n;u;O17f#*<`EMF=AfY`YNWrmb_`{in&YB>XFz87_G1ChO*qAt zn*g9NsYtNdE&Ny!(XT1mbJDd8nYWNWwmLDZz=HQB!$N=}$P=*bOo~n=@7Y1+iPt1&)m)SO`&w%;`j7bX2qU`%-|EA 
z%5Rr$4v(?q?YnFA2Rnm!F%xL$acdoJuJ`{iFUQ2M6qYBZ-V~-GoJg0<`754+}cAHRJT!czuucaP(rUCiMt+6UFzi*1s-k%{}MP1Bw73gT3+w1NDF&#aE#4 zS9oJAOX;@K)7~|_*b{!U5uba3I@P`MMZ@V|Q{!HQoQX1RM~2Uobk8*`I=|bJcj@Q~ zp(#Ek+etmh)`o?HIxbaQ4iNB!js&>TgUI5Vx_4^m?&z^vH99{S7y^4aaLVjLj3ASX zfcvfpb6q!NS-ZGpa5C^CT~E7Uq)J$krR0a6O(6-=z68u&{1CMV>S|$i1&JXrLD z-ZnC`kvVrd=IUk8&QD^J%b1v#3g>66_E`8_LNWdiWA%%+bY&tH+6bE_fH;TyhK09K zf8kUf{MoiTG^ylkvT z7Z-PrGIIrYG+21?Lqr6U1xp&LHwf^vIl@U!oLh;ANg;Z>u5DN${Fd#)GyyMZDLUK3 z7h2&goTA3?-ZdBo1fNY#D}Eze7l$>qHc%oDKR|s z6lHN9*L6$S(1gUzE$o`ts^M*E#=RL_Gkjr(1s%d4eC;URvOXfl(WB9opMlT4{zPP} z22)4dgK8H?9ZE1|3f9VZpU9bQ^HlI_%0-9y*tN2oiHKJ0ixD0CeJ?p$*|^FEB?g_eyHSnyk#qha2q^v9y2M*sf9*V zS&l|Gi@@1!n%3&cjAGoiyXiiq>?=-_r7#x|!?r)=u|ECoUpJ(}y+TuK3e{C-0v1&x zD0GpO!auD3Nnk9@1(BeZ0m+3Dc86At{Y|}~^RX%ZTXbGD(Br$v2P>}*13?;6G;k!- zM8)bK4)C6;0ffyKjkYHW&>&5OL!TEKrVV)eolAL4`W9^fnL=(!{^=|rKbT}C=hkJr z{Fulua$eRW@mFH-kJPE~S-gp(JNLJ!{L@Q_B=|r7mkZEhIp|*Q-}V0dJ69k3Up9Cp zomoire`J6OF!WU)w#|3`=gkzao(o1K^Ur4y(%&E8dVs+UaqZ!89c2l9gYuR<ZYHSr@a+3_~Rq5?1hqN>!fd5o^klH2W7 z;z~8)(`dlN-V@?e0dx_q%1HH?(?u@m$?s8H!rSYRy{*3)sI+bUmWxC3*r!Z!WU8hG zL9M2R>UED-Sf|Zz>{ACVxg!&vkY+j*z1&`O&h1}%wP(W~xM9=XWz5JuDTBmlCSAeO z-41c=8E7xBpC^E<7cl(h>+qSz7DVFF{F3Kh$S@WO4+e{%;EnsH{Jt2kTVB(^*%^<_ zF3HU=k$;W(5$g3z-XTv4xzPSzEF)mZtkKM!Yl(9r4Wr}txPIra(Q&TMrbUdbu|fRY zB2DSgDrxJ9Pv`2#?*6rxgHeN^TOGAr+gjxqa1xaoXvrgD){^tU#cNouN%IWLvO#Y% zCSCA_lReyIBDhCs{qze-l!jvZ4J53Fl7YMz(phSbcD$d-X4<6BO#8aRzFhS+C5(A6 z+?(3hpCys!d#$`&7L*hfQF+seaVPv=wk=coXHuObF_j)m{!bY8iR$5*e!&fRWS2E0v%~GSRza6Dis|n zXgCQdQkOiahW6#Qk%_{87mPm`42m2YG_sB8m8JU6G5~bS+@PcO*m^u;&;P!cA|FXj zRMzEpwd241`}1110yB_PSIFr6&uEZvOHgEtPc$%f*%3=>z0N#Ea%2Zy!kX5acn)%h zIGVk6CH0Q=SI$&P(Mjy;fXDm3bt4J+Tt;a10{2qfVq6Z2;~G(c#8PQ?r4!4E{99ZH z^tl%#V5n)LAm2ey=7t)h->}?gc}`M8BwG92O^oa~NH>ZUtSP^!40Sn3kig=(CDL400iVx*VCnjOZEb$*YPVJv z_!L1XEIYexFv{Yanf891n1JgCQ8^irjvOB1q>Y36}#0qd!M|>EYzv!7&0g3)U^A%TdR_;P@_@8UYJD6^g(&bS@ii52{wKSDYq7 z+j+~TyNF&^p{$0?!<~`eR>UlVB+Vb-NnDXp8EvaoT7uH3H|e*++^`H+skx~f1_W6c 
zfs*223rwYHk@j8Ft9|-4-rl2wKc&{iz^|B20zfn!z*o+Li_oKJJi;1 z%*!r6YWhChu24mbgCuChZwWNpm6x?a76py(-or^3UT>WW+^6)iu6$qJN_rbJWh3A} zjQA2&5)^>hMZYqk&zy=37ol&QDI>%ZwDeQI&3V+VR5m(jk%Am1m?wcXc4YC>tKJE)1cj*Z0BvenZ7qwk#(cE zQB2#A7gwYpNX&Ra{yF#noj4#LD!2RACS>vcrsL!1Aknj6{tgc_O%FxTFeXEd;M<%x z-e0~I&qRBv49eb#vY_p;32HqUi+Icxf9_Y^=Et*Zdb9R%MEnl?DL|eA3@iaDm`}Pl z(iH4gmhSvUnd}Oy67quzKNgyxAXhe|22;rj1u|^Tp87(b1p#YjOeSJ|lK+07&=z zy^Dl|lnt8B0Y6a1w+wc4hf&g2^SiyA7h|8)>Pu97(!&@j7AhFTIm&aimbG;i6Mo+{l z)vEY`#Y# z@t8_^XnheHaJ(tV%jxszXuC^(W!}cDAGa8vUTpe{@c!s>j>E?z%8N?c4+?n!+fUXH z)Gh2+(9!ZkXgD8JE@_kf${m1x;^X5t0Rty>>ns4QCB!;7H~5u7oyFM2!E_h~`D)#} z3Hbtu)WKekANm`Q5tb$cK#hv|vCZvRui0?};2Q3pwOX<Vmd1| zysLIOir*jC@#*c_xxI1u$r)6omEvMkTJ}ICdZQ!x3ziIxWM8#Q!=Jv@X=~us3?S}p zS~?~qBz!fo-lCd9c9XB9px`vN6DRg4ZYURqPFnbt1fuooRjuhDI=|XuVPPSl@ZH#I zln6p-u%2~Rkvr{X6IWONxM(Ze6hVNHEaJEh;=<*Ok(6d#5%}u& z)46>B`#Qwv%~^BW@bKX8y$L@+)9mq6ocii;R;e6+)T8>=^>F53$)Piu=yxBCu{*?} z8yJ&_8-jxj_lW=-yUuozQ&TZ1&X|oJ1v3Wxa*x00;jL{lDk+wYI@4RBqPTrkX|B z#uC~vPplf1j*_GYA!6iX!18tKX!7H+=*<99AK-$%+OM<*J{>LAowbK4i*5?MY41Xbi8p{e*T_jC#1~V+4$EP|ljc#tkQRTf6~sWG zVdSNodcT;s>4IO?9)1D46PBab?r_Q)0QtH4warEgSR@|+Z8MWW!*`3iEPkhai?Q_N zUo!(ERn^tiFS7(?3#J-`Uy(0pJ2H0QgeaB3$0DOJ7X@jf*Gf^n&F{htRL?6(x4iNf zfio31#_A@S0MtP#%E1hGy zwBuypWoW~FWQV@1)!I3#9UVY=13>;m?$86J6c)TxJ|LuyR#p6_=Avf1+^k+T zFZF5!^g9XYIg;Yqu_YDPvwdYBLO4eiD80c@`Ftg2Q+z8&V>S0^iNCjH1X zfmPnY!QIe5YJlP&Hz?1KP&)_E-KKHLs9ILJule9>ILgM6v3N+v|2ZFFW7mWHpcrNmP=f&_JsJta@r2kD zkl<<0FSB?WNXTs&&w$BiyTJZ#Jo6*99My?K=O2WStjx@4Uq|o&WQ0~JMVzQ72F{@t z7~771g}R}6ga6Bx1T%|YMw@7LpFr{sFbgzTPMH9Yog{%KVU+?{YV%Zra8ebKxEd!3 zGvO&Tt*b-hYWBX}PA%NZ?o%5w9|;3rc8ylPZ%_5M&5wQwwU_!Sd>`KU*35pfAaNTT zvSoU--zR$a{ou$=DWczkefS#MtXcl4b%xWad~yAWF`m7&dmnxJ-sgHHY+M%$ztzV{ zW5Z$qcBy@zd^pD7B*5VMr) z3v|KrB|J^zvtPc+a$oIcgCP@VTXU_w@GNBnzO_QJu;`2(x}vZnvGXxaG)qab$mXH~13@@Q_Ba?%R6Y+V`Y-5~yU5)n+QT+C zH`&XP;lw!v4>!Wd@p^NEf6i4%vA4S$H%ffQ#P_k|SCdS_uA+sg;o$zc|E6~&HF%FP z+YLSiibZ#2L`Ms-9c(nvmvL^tNMe9GthDlgq=pMnOGczHM9esy=%HQc6R>b|(XUg0 
zu^#tM1Ze5_a+(ewEpE);`>t4rB1t8fMz>lqo#&FSknl#mNyLDEQ72(PQaip_(%F#V z$M$?r^2CVdoWg0Ae^)MUzz*)k9342Kg$fxEkTSeBs_bUG=$?)t$6N085Pz6`ccXB7 zP@JQd3gD*mu1N3~PE`giP}R?6-qO;j^CwdUVW;gVA$`}xWNx3{kSAOK@4ad=!ktTp z?U8xzW&V5s^}c?;s{}Hp@h5w?O_rt$vJi;o?r}H+dW`;0Qyy?CfE;5Oqfw9zPenJ` zxHH(TFXLALBAI^$y7rluKYdaObKwP!AjSp<)gb`OtJQqN`X#S?79a)TwVq+%H@cCA zKjVdNJ)ZVrcnngoM@RJt;VyQ&1o(R6ko_K($v_N5Bj&a3@`p7s=nKSb2P$tK#YV(b zKBjjfy{fD_{4E3x`8b^OndMWiL+fQ3R1C|i#RP9?2=$d}0%lEgr0S=hqT@sI6<|eo29WiMAh4>e5eCr#9ZgD<|ttdc}7|dSYAO>s%&2H~-iNt(2X{taZaOe2G z(Yc7q!{(MYna}IZU!t4&i0yVujjPyLp%$CwK`)JG;C+SxyH?66)fo;Jp#Hc$b%r(+ zU_$YTBv2#|Bb=r%7-nNn2TQzNno)kJLqg{ny`Ih<$H&G(FjikzcNpm;mym8CE$sn1 zS*Bq8$Nn<>f~u4D-!Bg`P^*k_P#p}d+R8*?+FHv`{-P{&dMvkdb>Y+>pr-K~1@GZym1zpBSz+Mx$eSek7Ze z&Ro9{d#0&5!kMO{(IouCnK)80?(PPW?k?#PBqSx2kZw>w>29REr15_rPv&BDe)hNY3&bZ@$n2;rc8DY)_Qy*)R+d(i`yF;nI?$ z@S;JDiGrNqX|4Q`2GV(*u9YPIYq!URWy;3&(S|`i& z*!~#5?M4wU(9duoJxkB$e_FZkMeD1}>&=V{aXJz5sNjVremzEq6ieDtEyA4>msqmvf-$Lu z>LufQD9FKigN`(ATazq)pM7V~QYK%_B)4POQ||9;^GwN1)hroiYHLtiE>W8`nL7!S4p`WMFaN#XOaCV->)7UAgJg+lCXz5)8@w?j&G2>5=i`zXdo_3~Kx8$?hI zlx=Pn!DnB(W1$UI)q0B=<9uQ|OfuP)I!cy&W6&&7c9}-_gPrby2ygt=v8)inNs1>z4 z_Z;9oN((1Y+U8^RUL3T>D|H%qj(Fn~eA@FIR!T*N#6kd$6;ez{tmO6vN$jU-F)YX& zO)HtWqsYWK5P+#OaNe69u_B>ilbazB!9+$yH}jEVu+3mtDamNA)5j&_+U;q1Z>UOM z^NDTrqNj!1lE6w(-k}=2ahh%0Em8tp@4ka~+6*7rjPN?GNr)_x@Y#)N|F_D{&8@SF zF0(e=!(F={L1AL`6WvlipJfT8G9$=u3MvtW&!WhYNt>5_W4c|i_7%DL32IO;)kHyW z2N5h$p<+=onb*=0gw9gd=%7&rOHigjmAhnHgCv0l_()KVV?UY0Fl!5*D{;odJxvgX z(}zCCmP{#C_MU^M?Bn$&`q%}tdrMnyGp0#op0a9Kf+%Pecm`aJ2^;(KQJp(IAhjeJ zJ@MIq>;2Fp8wxr>D!yW-?54s8z1*4Wb{VoK)-_R`8j*Cv@OL3tgySWlY+*V+RY~l` zrwABmpf1Y9sW6=hTAz<+6rtGx6wGJKcpy&n^uh3DOw;zL9Sd`iSUuFopPSD;^hT^&HjurYSoxv3e6MbXcF8lNtog`JPp9lT@TO%J`?Tj6%2|I5b z%q{=tjF?`V;5z?Irx(Bt+;h*Dq`E;4tW+&VJ^GMtU#0_KY@<$Dtq~?8pH)V%GOH*^ z@O7ZpV@b(fK11w1>SuNFdHJe4h{twFWf{0S+g<>!m8+}I(d|+`1j%pt z39*C*rM00i<-}z!`8=o+Kt_$q_zRja_BD$Oh;~RdqoX`W%lBs$$U3x%)%i>U zx>)vrE|dtg-H9kxnl5yR=mE8NAp{qCq@k>1Ds~iM9--*r1{l{LQTZH8wqdJk 
zf?qICOtI>bsIuxA)0>(aiu_FF%$$nn5>0ycakK5^MX?y_WY*b6a0JE{g%Nk{Xp}QW zDjvm~QzMC=8Jwb-RIEQSm(Ps8Qy7)`K#3B{4@Z0Y6*rPhJ;TN^>9$a2^B;M43#1DA z)pazz;4y@35w8*$ z-y56T`OusCI#N`vzjJfwF-vj^d0{>AeKyV$>ByvOVbclZbBd1S>7yZNaJ?HJ36~gp zd5aY)mbf7=RqCQ< zk#67h93_BCMX8D5t+@u0ml4*CCRS0eOf*)53j!p)?*v*q^f@An(~D-5Ko?p~L@y%- z$&|gYNQfU2!!~6c>4C{z=c+1Hat#s>gC-DLhD};ckGwu*Jh;(=) zs~!euDG3kyPhLpf6G2$DY$6B*dM2c#m;@`pMWj9H(Krz4g=lX5EL>VY2AVxD*$S=k zmG!(!N7;ahG#DB8ypH=@cB1yF>nUEHFaS@Z{_b%O}_PJq*aa+MX!}J zYGZoS;C?0ZEy}?AMiD@DI^>hBl;AAjmm!9~5gjq%$!`k-zrldANpzM&p??jb>M}k2 zni)GHVTh*oy6-)_x>P|fi2&;d^U32F%(+e)m1M>&IQVAtAT%^0eXOT`4KYx*V!#}| zfjr!&2uXL+ic@_g#ZVq(1z(*^R2HnN{0pFqx{GoRA5jR^Q6&kt7Zxw9`y?rvRn_E~ zvqB7JuQ)ClQmOeSQ-~~0ZL$caSve6K1fhz2k^$~#=nERF_O4S1#R$BD3DcX2(+~o| z6I}i%WWxdwTRuF7Ot|Qo4w9N3m#8VJBU=WZxPa-6gu#%|6b{4HT6>7=-4Kcxp4#&T zRX(FhF6kQ+dWfogRt&Rh3>&95QB}9Lo#Nm^MzZEYie$zLC_&^pIFhh#M18nudUG$( zgXxSUZre^l{@I;$Hz;#}ay0Mw3kL4uZ0?~a&+QxTIWxtDWWix>wT0J~x=o$6;^sRQ zCGVx4B+Uqkr;f6q-3<(5PCyd zzaXT`ms!l2Sa9_Z!$)!wb;o;SVSaaPT8_wPY1?6SLi)LpGPM$|PAfw=gcgmMg}}mE z&KcGK!;iNS)Dc#Vvs>VM*62Q(Dnv#-))?FBN+|5-u%npe(H?=J#Qp0-??%e=sy|5M#g%>3a}+uTg~0!rg|^IG~Cw-w&R87!<8- zBNKFs5y?odRN^H!Tbb{tVmzm}WE8F>*~B{o-5rZZjunZjz&hQ`M5Doi(o_x*dqCG7 zTs8}p#z$7qMJ^nvI*c>UIXJG4`K@*pM}KgSks~o0X?r@jyr@a22sq5`KQ@p&I3KSq zefp$dK_uY#XsS3L6wiP&{IpsktFRbx9G_tsEYMmok?*qspSfPQfKp71LdGccCISgB z#F@;LKF1!ULj`-y!532a;DTk$rQ*Eng&N7yiy^ZF8^YFvKO{x zmFx~ED{{dy=P=+;k2REQm+sSZ3cmHx85Q^HHM@BzX!M<*8Aok-^nnWEVgN`b$CDZF)<>4Zu$UJ^97VksA6fz`11ppIORI4P zz0OOnYfDu2ZVh&0RV@td-`{sWu)qV`SO#M zwCpN#^>ReAZ$Rh3`Fcvd<9tcR+CX2HwKMCLqwUSj?9z#r;Y@gDY@W@G>6VPB3OTM+ z^@G2}mD1jJ;J233gGMo3@`*{=z>4V-+qHAmY)pqpR>&UMH&nRU8%44NMFgf4k#px3 zBcXIeGrlHa5ra$ zK9h}>D*CM6yS`ZL-wQq4yni|GXHvakPExsjQp9(XXj9WLY95)^lr8!}uSzezFAmb5 z?scY4(bxIK&(EoxNyUAUm!ozU25Mz4FW0${%;{J3cXI~x2}9XK-w}!H$$DCFm$kc| zDJ^zP9!I9?IArte=-N^4(jX}gsPkF(mh_;*miB+gN*6q8czyXCNiM|e!PfA}nZM0; z@PMzMp@e9hxA{y!cd(t4=rEPH4LZmIlV;Kf9%ivPLzAFg0%@Nrjtng#8JY`++K3BI 
zMMx{&OT(GzG(hiT@1tHEIp&A%LQjn`CT5sY3QlOik}U_~hQJ`AqGa0DDiF2I-TXj6 z4lHr&ZVaCF=IpqSeRUgUP}_1-{7mxOvQ5j+g<|ZhI1=E9nWN2ZP_I9Ud&5(0pIdjn zu_Iq+&^+iiUE|c|ZIUuL4AhJ%QT2c$S>e{`QjaJpbHS)pkE)vIR)5&e1H_ShNk|g|r%h{oj3C)>Z>gh4t$o6&RyCbe_ zvSO1%jrm!^#U7Ujk4J)VmSbLLxk#?yX5NN7k9MW(WRbU2n;a+~-lY6=+L`dmPcVrg z=Ckx+*oTwvPMC!+?J93{I%hqQix1;4!l4JQ*b?@R3_z%nMwR6@g~VhgB~R^z=DHp_ zEPh$5hS*psvZpX^n0xfT>XQ}N1qO+N16fucOG>!v!2L$L(o#Y|eV-GGpyu-Tc_$*8jb6u7 z!qRX!NnYw-BzLH}FHa0cZ>$MJk`R0T#IXFsP}YFPO3+~Ln`6dGU-DMGavJaIY|iS- ztFG+mh{(v2U2)cd{#P%2(x7F!!bP4b*U0<$f`LxJE9e!-FlS$1wlT$xMCNq*Aik8c z`fCv~y1wl4vT(UC$XIQK_8cEREEeL;h)c3{2N;N2O;o7RDWYb1kk%k zhjLnQPj}eD9zfM`ZsYf&?E&@VR>bm|K zjzEtNKqu&jQZjx+)_)HyrUYDHkVIh}@gKa&C{S!K`gEn^1+0%SyoozzH44LkM%%}R zH}D+1U>TN0L2MPp;PZ28dUj-a^5u+TXCG!F!rw@Ct-E}Yw#KBFIawPTwrg7m~t zaX2h$VXOb41S+8>IwUXT!5@uf=NZKJq)JDRTt4n1$bp3qOANaBI%RhS6Z#p`ow}*O zw|XH1%i<;mbNofdMh_Ixc(}#7hCSf(PI~K!(k$XWrY5$8J)fLDSFSEy=Xm7`+69vu)@&DgjO+ zUw`Ii6?Uwlx%-^0f0dXcVYsF%ikC!2gOYPXbbNF?SC)crUjF&Gqr6e_!a%IoXxy`5 zL}o)qX6E|&Lno-o*U)0JT?O7kJ!jFf)Amz6v!o>JDm~t#^1rby2C?#Q;Am9tj>mIG zt=jU<%{J%UiPn!w@;BDMVmc}Lt?)J!Mf#^tL-naE=B0k*!?oGOz^L0Q0B~Jv6k}ft zNAiQlg(aZFXy$C#`}_L`2L|zwq?XD~kyL+-41@zXm~kpg-?G%8F{WKVs291*Mkpj+ z?V5CSTKr+qCjJsmUo#Z<^rM`KSPl!TH_KlvlY# z`^m8I5)hC(InQQXJxF+eZr;3R<$>Qa&m;(%2eTxK6r%-&c-S;Z?aDCcpxQbXou8-v z&_d)>+oJ3-^8Yee%L9q{Tcf3eoOh$_(XoMxYN8=BkQ0k%OmzRDs6ffdT_?XA;a5YE!d;SqFiZlbLporFInSWu_V6%?}nEf(4X6*ETf77EFbk4TK)b;Rx zhNI>7q^__V{m*zo^l;GTZXDH#70sSHvVWnIKr>qm7|DdIzd@_{f96VAfC;3Ai`1T( z{pUGFK*sL2p0Yy(Rj>)#*q*0e-pu>){k4hmmQBf;X_#2{ zNvdEtvaVMGL&$}he&G6p=zIRx+WA2RL`>N7Qk!;c)cwcITZmsUr{&fXt8&}OW4lc> zszW&OJRA=OD;pklodL;N!ks>=L6R;dM-B4(xKJf28O~O!XCVeclM%6R(qq)JkuD_Q z2gwhSYqEjt8;M_e`%=?$nQ!dUYjJ5wgH7S|(%qNYWz#18YNgvUzX^q8=u}b@I%ayh zdORc;4^web`ee#U(qII*swLlMphl+v+;0kqeL;^gWS9ZTy{~I9MeNHUoD+>FPBru@ z4>tpiXZbxdoafOS{8^qUU3Ot~ICel&NTIZJ&ry&M6L}rzD|spj1fg@AXi7b7%Semf zjlOLy7G%d?V`(|)ns^M5`bJJ;rj-u&0Z2pzMi6OywPQC>{D&50AQZ~ zRG{D-dbJB3Z#y{1;1#@h@g&3#q>#$c 
zte;-?q@p#)Y`sd&4pF?_jplw7mo_vm(3c7H#gTCY?7rwCL>pif=Zm{&laSW4?0)X%~u!| z23<7i;5fJz5xwH(LKZ1gu9t)ket?>6LlY&T~Z3@qz zutVu3yUZpZPOekTJ{#cK48FR{k@mU}=SK)<+vU1`&T6zePRW$hf1KH_n$mKKzx+S@ zl?GToofiRdM5w`|(uafY!_{MxHED(N6nV@A_h`cr&mG^LOtd`5gE~el-U6lC__DqIN z?qcJ7t0FH4=S_XYF9YhtttKqA1KjfgRJ~n)9zvz$mtWX2Piv8U`<7ilAyqL|D!5Kc z`E?8NPIH&<%|&{>Y8+plmx_M-JH_|ue&gW|-SP7j1NykjWO< zp?B4<4`K@%a~%xmNy39IyVl_-&T~lxVR9b?i*5>Q?7i#MCY0tiI0wneZi0S~ou=S*) z6`cJkek50?kmU8;=QeV-m~vE{S0q%fy-+qASqv8)R1 z8X=o8(r(8Fz2`)H(67J4lK8Qj_CSk@as%ZmA)yX{TI*@1u&m5x;iD}8H4S}%F>c!F zFju<{kc?iRtaiS-KHeJ6I9YDR;lt{gT1~~v|6_eaL;(kas{tHBLDpYtWuFNkcu2oIEN;o)7GV{)95%#XZt5lyKeMs1?*Tg6oQ5g z(;_Z6xYN`V@efULi=o^t9k>a$o8k7%XNGCs_)P$Kv>c}v+0$-KBx|4x@s*Pkv!97d z+jh47*yQ6@hH+2T+&g6wA25_r#i2+lKEzW!is~K*!R>N)yr%sJz8C<|MAS|s7Q6#6 zL1JwyKAZ6qUBUo+)=ahjcoqs9{S5`BfO5V-w0hNNqZ*_3e8E?5!+JD_z5omy6nUkJ zIZrp6i7#KiJRR&(oKx4X(s5n(oW0r|7l)&JKty|Zx<4@&d!G7!>WveicPG%bmlPlq zgvM(V;Dj$qUi-7}`16I4_(tODso95*S~1_nZp+}Ls5clO-EVDY!bMq;t#DG2{Uqu} zx<3s94HQ;ibE7W-6aj+Z#eD4aq9`U^GX~Z_v77FC|{qBl!upiB^hpN z2`VE41LE?Gt*vcO`C_2CnOPE|hM|`i_f!QV1sg)?GO6XbpAXQ%_f6;?DL*RKH7ltW zw4tO zSfC4tqy;#LAe;RXapc-CH9$Cs7uvKy~k|&4+)R{*uwy2<=jlf?xILI{kpw z+eyL*;WeN+;CodAb2W~eBFcw7(hUdb0T6FwlukpT77uX752FU8nR1`iP!`{4Ne;sFD3t zhT>rGi%C-!ennPWd+OVaf_F=GHVKzOoPB;cHZ@lVv*v`wjM$8UtmmdvMI$8d%xc({ z>gwut<048_2odNaA|W1cciylCsGfF1JAO}4O)-NwK{0JnFf}D3mwR4#uaBB6h7cWn zOrnEJI?m6ca4n@Qh~lA7LrLlLEkpaaPnr@DVLK?oH>pdALA99`>D)*hzL0l78GU|G zoru)Z=D{1m3UmfI^4eUuUg72`O%`Q!Q+|q_J#5XbSD6w$8dg5iDh6qz2j}-r#NlE@ zcbLrEtpghRxcI6o(l)j6|iPBCvR=b*}99{-OuvPaK#&X=E zQfI_BDJj$k83gw8q-|3Lv=W05qGf`a5NsK`>7=CS;X;ih4Ix2XwE~3V)<1 zb)XPcXhy4<_C&9qnpAfl&xERrbdQ}=l-*K_y-dQyQYg5YC;Cb zxlT6udR|cGqUU&(a)jCwqDuo@NE3MTMrw#_=-=_HB7k6^$0+3eIU0PAZ{*iipwVBh zwQ-z;>9xl$%D{O%ojMuQUoL>%wtvxFH){hlVx$Ku7b&>*;US$rfk0N!_80V?yZLzudjGwHi;K!XAM8?b{NpP0N=!-^esTenVt9BsI{0Cd2<@JPsJ6bi0&3HgzKOV=1wNHJ8N6;FY)#6v4yB?o zJ&|B#oQET^h(Sx=g}!#0$8rxA&m>4#cCui&m+2h?&PHqDKz`#I6qz9=Uf|T=du?=| 
zS^v_uB+oKUmJdk9Xp{=X5m16&DQ)9qtoo>oz+I<|T8(yk?Dc>PX+|q}%5C)S-!W~B z?#pRw%0`T$ApG_4Pj*W)jx1;;7<*DPCldBDhbJAF-$e=?(8*Ydk$RVeK{tcuMotF(en{rGe*dDS72xmU}guk617A~4*?xT zT_*6YMIN5Ay2y1KJTqs(USZgmAGzK##`xR;m~OL;uK;ITl!3&zGB1aJrMEM_Z^K^P zp`~{)B>71 z&HM4F@HE5<6#bW*SE!M~Q;BtC{5Bpoo(D4M z1`Y*${?yly1Lf;F3c1+Ynd;YEtW!!vM)_@ffr)#tk@4VzF%H%cj)li-y`;9W#5Mq0 z3q$9r^J+LlWa8P8LDBlfkO2U>H~3dgbK~Q6@Z_A^r!`S{szRg29A% zkUI4CW0wj-$${6Id-4mS-^W6FN+5aJBb8W1|J?aemR8a+Yf%vwVj$?|~ri*-nbGzA_=Zo1#PS|=O4O0Sl~ zD9b7%67IU$<=P(Lx{_+IK|D55e1q+Y%(8^aQJPU`#I?M*X|^!yejyoVbST|P`-Mqg zqgAfRV(U+?N<>T~bE$2;3xSt%CC#nn<*XLHpcHkm9IDNt$ZSPEy!{#Df|KD>q$D?~ zTDD7wEPq*Eoj0Ptn8G}Ml2rS4gX%U-rw1V~LzC!Rocn&~*p*KV)Qs(O6Di=T&aZ^? zxDq&{r(auG&-C=p)%mihjp9EV0r!;G>&H zOxKs{NCvDo$+D#9aJ1CF8_?E5WItE-`xV6u*EMqU0*R7gy^3ji|0TG!5 zYw){)tN68vIvYwZcu8;uW|FMEm6KF1LQB(%DZWsYz;CxD8jOcw#7AQzRY&QLccdYBGPIu`O)XsP4K|#_yL-;%Rmp`)I`Nj zZppyPiHc!zCC+oBd0IOyWCj{s|CivQL`{Rn{2+v&zY!E1qQ4iGVe39uF*$U{C3+XVzlg)-xFad6z0cJ-H`Y2RU-XN}`T|HyM**7roqT&Tm?};s$bBgpS z_Ctd7wOUVxh~O7v*hhx>@PeC}nb^A&Ws`)CL=d$33@p~Npg+Y54HYk=1Od=j)kKu` z7t}D^GHqp!S~)O{(o9?C-?`Gh$QAdyNVk7AVa1J?dVo48`T|kg@@o#1f6|ev^=}mz zG@wt-xOrEnd|%I7>~syPm|6>Ap$C0Ji<~?zE843Q(?bG!!kG!)Q!18X;eoeNvMNzJ zIXN7!V-g?HNCM}Xgv6^_KuRh}DI9#Vq`T0~4nAXO9HB1YwSx8Z{Qmj+Bi}++15l#| z2X90`l6{)%1p`pq21}P6q{IC%_jX4-orr@xcntg-Wb5t!D4!`QYTV~hz4xDSBGTiw z8Lx9kSQ_1^Jvn*EhL53wsT<7D&2K!9py*(Lov%Xm*Qe6!how>f`orHlg1X>$r2|bd zA^cy_22vA!th|1viu2!QND>JGG!zPY&;~p`;I)Pb$@my0Y%Io(1TTRI+0R!~RMNvp z^XC^~aS&mfQP!mt{LHHu?As%>(7><39o2slwczTT&!60)&qB(lKZmtoaAilFLE48X z6kt*?C!uH?*98iDebj~C^|s%_s>XyuNC-dXu5x>|NY2hR6r;| zfD}L!NH&_5l`N73Ps{y-ZD`Bl{EtX}2_^tTCQfmGsrdQZ?sadA=V%{MB71wOd|w9< z{0iChUw&&Q6R)X|D3Gnr?86N()Gnb$wl)kyuBi*~;YI9jlLe}YF^@tp=JJG+_Fww` zJP;`oG%aB-M4m28)*mH@{&cMHH-88IQkOF*mv57YUFv_*B8B7v>TDYB2Op0AO>m6| zEUw3|S!i!xi}d2Njq9G;FkQXL|A{U6^CEM_aB(_uhOc(%_YX9|)%|I^Z)>yEUyGjy zP>&SGb?qNXyPT&MvV6`EEsXtT?YgW%-I+@Yx4RqxFqFYAs6KWE#umd_IqN3h1Y|`Z zK{^dP%X?WeHUoX*2$X}AGF^dxz8}cX3IiXO)b)BZ*S`H6n0J&Bh@pu%VWsE8cgnSN 
zpy;p9c=>yKfa_{-{%~K4`!!@p+5h?*3sN(>zXB2g;lAwYrh%+C{|E=xYKPwh5D9D9 z^?z0N*ZLr!uC*j0h*qS zbx8}pO$pindmONG^xF?Z|4m@`LC-~^nyrm6LxXjmjFthY9{rj`@Gg0ftn)87;lYJ3 zug?a_yrj-X5%C`#K}Q8j$uYFM|9z`06N0~n!Kx4SpWXm;EA$G&x zvlD@LIW#Z$j{6r-;zt@J1YJnb9a#&w*>O=I2LcvJG)fpF6+HB7hzxubYQs`RkSGnX z5yOR`kNGe>W=2TE{>Ct2gqc|X3`0_oGWY|bt%1KKWx&ViaOe8N+1a@?Or@EVOixTy z{WVyCU7{5O>RM=V{}Vs3P*dQyn3zU=f7>Up@d_e`2DY?#a#$uDV8dA9Octn9`cKPE zD8F+4T@Hvp{3{qD{L~FpWg%3nq6_!7PM5w^zvj8TzHrDeAXW88A=sk^=?(cs}~GM4YAI;TOmNxE`rGQFYFSk^PrcL{d@L>ep2#R2WMG0c-rY*+2H5^_2wc zVOHL(ss~hU*}wPKNPgGgFKdu-{{}a}e`o*!s_GUGMCE@7nVtZ1d6|eK{#qmo-elh8 z!F9YD)!f?a_gF@70P3I=K)F}0^6pd782y)-rVIpLD9xZ}l>m5124WHGt;SLvD<~&I zk{r?)&@C5ZS~i6#VDz{aYV+V}$)Fxp!=up!@S2El0-iB0Ldy*AxA5M+hUkC@7Yf^D z6p~j29RsS}vLgmusPSt%sDwe>qhbO94|z<`%({z&Mz9XU? z{-4V9l&nad=dU9vUrt!VKR@#42Pq7n>yt$;(Q&UvcxWFm%z4sCVQjg>%L6V3B2H0w*CYBCHIZSNIKIUU z`8Au;nBKD&j;_Q4lhd&&~hF)ki`&4jp9qFGv9d6$!Zi@iz*1{{i{P z09O?O*ctobx<76kyyH-@!T5*nuL^&R3Sbca|9%bgmnAr7!(=?&6CyBM=$>qcmWrUY+Pv2atFD8@NjlhzGIU>#t-Cb0dJIS_@?l4#EDR{b`?VE>`_JM1meJ0_m_j~p-otO>a0 z_8)QCk(sE-OX>o%3yvalS)02}(@!{_^LE?mn6!33Czw%`tuZ$5TWefi;7Uq!-B%`1 z&ix#|Q$5@0I9=R$SaIpmeJ+@Dog1Wlf)ao4ZBK5XSHIo0?z?2ZQ~2imt9v|TUt8Q}<^1-W`Kl|IOPkfxY~oQ1?U(eZI*m_bA3x07IE0${_zb}91OOrxuHm}Fi0d{dO)JMxVg37Uti3mJPMwQaMZ4pyJ9Fbn+%`My)FpNpGaxeN zC*aMj*ZX~(4>wU>p4O%&K}3*0{yBKPh>~lUXLNs7*WTY;;R(?&Z8y31kzIwwzjjw- zCcOHUvWif}j}?=CO-bP39c73K4nyd@su%(J8$+X5TPpi_&in{{XFfWR9J;tVSL3=gq;7cPshAWzrYl zj6NCa%?IR7l9ALLyUianv`YYp6Om~OAY`rbwb7vfRPh=7oWl?4rz?z)<_&#w&QF3B ziWedL4r7v7-)$IE1o~O$e!S3YMo_0BTz#mQ zL}K*J{l={G(W_>>pw&`@pgfRjd2-v~$zsMgRO!BZ)yY+VO|I1V>a9AzRy((4yi6Ac z;PeEO3jyq65CFKyA9-ngCzq$i@wi&lHWJib+ppm*)e(@F<99tg<9M%h%;(bLImuUV z_E_r^*>Bf*wyz~i+|p>d?*F1+A}P?X7M0BS=^`muF#8Vuncy;__Tl4M6H#P6vyJD% zK>4&2@tCj9YPzrgy!Kr#RjZ5V4VUBoj6!aw$MyNBbmNJjZl@DF^;TSGbxyYmw%X8{ zpVNAiu(NL6-f1+)%g^vu3at3<{)5Ly`>|VS7*&RXre8)H;Idwo?|ydmzw>rH|9pLb zdiXwvPg_0#s~0gLbdY((uw~eSUBFK|adL-cRHwE?X|zwZmpvhONUAFDUU_F5r|_W{ 
zwy}ForS8F`-cos{snbD{ob`)RemcCgU3GD?c-}_9ReI4uBgv>u7Bz|h*129Mh5f*{ zoNJ;N8L!HDtG(1};-rddz9qqrUU%xopQR=)&ENYeb+=izYC8ycJa{-w!f-hOX;R!= zddhzARWsz^!^-!M&*a5Gn(18&j?(f~Gf#Or%`w8p`-fvTP9#fDy;=4hkCuzWfy9)t z>_t=bFMM?(r}YJu>eD690$Q$5=iz^5TQ=|$x3u3I@_1bm>oo7X*bqO?=DryAjt;&i z6uKYYZ*M}f;lHinv1`a^xBl5-Kfd6v%~k%`6NtmK=%aGF{OWKi--1T&k64aul)TCNV?T!Q0445c7~tlHNh?(pJPr`9GzstF0=#XeyJS>W^5)tZYyly&!BK7Fg zVRaJS<*ax;(W+iFG8!rIGl*yx;pgP4^)?o!x!2IeChScn%FJW1mx6LN_fz9BR4We` z{#A~*W&6X~hHmFcSr+BU1}KwYZN&#N7>*&lWRLi~YGF@nY;^Kgs%?}V#f zStziOSyzI5Jg>Q|sx~U?llSJd~bsn$dl0_#&$!@jGW>Pr;{Z-O){x z!Ng8|#3NjLZULdvZ_{~`1SKU^%U%xKZ;ym)?#xFnI0AAx-@CTg)BTXyPq6NMpGEky z`=a;WOKG)!r!Tjp)tY(bM}M0l53?YiQcG2Nv&(zd7{9#=107iBY!=s`-vjduomon@!e2V<58n{?T5Qr`l=)@r32U z_Op_xP*3{pyUxH2Pi|+MZ`i;I4ZHBZSw83PMqVlErR5jrH-4Qz_TTTBouTB7L}X%A z1(|ijTsf^YJAGMKe-W#FLNL*)(ELrW?L+O{1b?Lpk$1<$qJD(XVrrl#!;l+}>5jlHgySx1QZ+5TgVe+%V+#m(UxiaQS{Mjw>@ z>4)t6(fs^oh!&R-<4#@fE7AFV;Wt0+i&-V%T}~t2zUtQzJRYVdvbPCP1=nIEJ#T=2 z6|4gRge?`)r2I9gX)%dhTBUa85ij`lJL!mC(GHORi3gt`3G8sU0%>%R=?BjoQbtjdpI%3Ac0zizm`(tOa&IWwJ? 
zw;;1WSyOp&ITlS=RRISJgZB1>pKRuG1(7FK{CW84rt?YTY458}U-ypyPtJ3uUHWa* zwS4{DPk}F96`^Y1crQFCx-9AIv6la=Ohm$NC|Y~oaCd{dqn44S|3Hj&dP`_snizLX zWhYIhn7UtW{a(H@3oagIp2-K{r;v-j_x$CLC&LNXy|pt3Th6TqtRK?RBKy{3rl$ULbMgdIkL{-p0vP(t-Tf(<(-g+3X~a#~FQ6_~ z>Wl8Z4bOXZbhChLzu75Wf-%RtzMKo}01s!i5I-_9-M*`meU~38d6~ZCtzo87r}NGH z^82d|it|f2-JMQ~*0*fOsO7x`jaOr>AkGQ{uBARp{yPmBgEVIv`+ zzZ|{u-^q5AW?NBJD0H{iW>j+bJeJ&Pf_)B-QOVb~VL9J^8SDX!o(3dHMIZ^0|N2eK zRyH@JHmo?YGs)EPr0xOR!||T5VZ4V`svbF;?ZB(-BmLsHp>wZr&-Q6pmJ(4!C7oIkESj{FTvyb4Y`Q6S7_8n^xyqoD2y<~ZhmMVmfVGm*G+OzfKpO8s=$&tbM zU=bf6&X33tcBg^V1ZsXG%XYFFWv(Rf(QsmC@DxO-3>~&NVjx{ z(m8-ql7a$CmmnR&&>-E-5CaU2Fm&h4J>&CyAAQ|F;a*&0#12WL`#-cq0{RZvS)}-Q=PBZ=V*@U4K;;JI6jkc4#>R{g5nG&&@ zlzjD81WilQ9L>#fTf+zY2W zjp@P}VZRRMI=gYDjp>4V7&9Zcmn+;*j3P*~EC#Qltv{r(&6??k_1@l*=Cf_ColT-^ z1K!ffYIpx_wQ!@mA(+^5c)f9|&rXS^l9a&4Q0;r6(Zm_#&^!4Y&EWe-nKB?CPrgWr zV&g}0)l3p+-Skd|0S<$boX=C%)aHP0_3zfNcQ4)J!%ph9UYYh1M0x}u;U46ea`)^u zW~pMotb-`u&c3wl{+2f61XnHDs(Y%WC%?(E-GOH(bd@%><1#erAqH{syv(2C5ICCU zBlicK$On&6!HaVFa}g4P4;1c408A1nm;p>cuP0~+Tn8LernO51EsmgNm}^B)7Bo|L z``eij4PqaT57xm{Bd1+zRTO}6EM!gD8RbWLMZotM2CiF!!^>I4FV+poH$-K~u&{@W z>Y-W>Idq#h#%UmAqr$`pATCzsV4mJ)%($`RS4vDH z%4tmjTg4~8A`s()mhcn#TWTpAsjuk8%CSbGLZFM|dfd9i152*YD<9?Ye)!dFo9X(g zEh+&@76ZAe5VR#7?4e`L>g4*x!{Mya>lkX|lu)AxhFBL#n$hQ7uir zM_7F2BV$q=NL@oSl7#uw?%oPeN{~@7W7Kw#!HeVkcL2_)#|G%JTQ!-I5{A0+qFTF1 z{!|fSTjYqWbSAO|vRVD+gL-IK)sVR`=PA|m`BM1&+d~uQ_!4dU5}r1gk4nn$hOmmI z?ykB|Z^G5e-jv^AyZ%&BPMF7e3sY$QrIP? 
zr9Md7BxkNO8~>U9Fgg>NSSI1N>V_Zhvr=KID{uJq8^>;#tVdWbVlPSyEGkrDlps9M z^JrJh&uME0shb`hjCN?jRRqE z-SNG@JgBc!%6gwkwxbIIYR<79#&=4LC2YrzQEwNP6o-6IcX5ohs#J1P%hH+i5QB=I z$tjIL^!E>gL8t>4{I_AQ0f>F$&E{Y;&f;^y8|1E6z##`v6Lt5nKPU2K8`JK#$a?5q z#?Z)!9?IbbCO_bknU8>(x6kr&2-s5j9E>M9`I{|^G9v(o)!pIa*4M9#?{@kt z@Go$Y7nU>Mr0#zVW@7F3giTy*`lb?Zph|d4bD)>BgK0*7l{`j)TGUQ$1g%33T%`Ir z7>7v|dy;=yJ1)}v^-01_w4uYSGxalMa7)wbYh4`2y&&jmy0H5x-FibNOs}RA9Bb)& zS#kkmpFIV|-lOtN@WXXx%?OyM*PxhCFy?c_c-3Bxe#~K=*86Uz+VQA99eg;NS{D~f z`rh{#{aG;aS_k90{AJT=$!^HW{sv3nFOvoz zQACFZ2T-Na_6(d9hl+T=&j$GVjQaW?)==O!ND}*cuiHJjklW4%>oVd=Qb)ZzR_Zfgt)DFX9MMpV0wo~Tv|@~5YNuxP7cYFyh!X3{8SoX0 z7XQiG`%A?o+D}2tA3BeY`b!&;{5R3ASmY1TI|p(lN1ZKzYUilF|Gw-P0VcN&v7Y}A z=oJbAIoAPheQD?Kq`ntE<#(6;j=@Fs2OrX+|C2FO602B^KmHeQ)B@;DDU}bqG*60cB*s!}R-K_rCZoS-*gH|MkMa52)~$DnJk^AZIE1En58B#zmTc zrS%w)mg(>Gw0}8o&?51_^z?SicEcEt1R7gZ)}6ihEB3Ewulw_L z7Z=yQdtSA}oxMOHuN%C*H5PMXok_;7A`mjds9=6%2%P;n#7_IrWNmFFR|wRin+&f< zo&-lr_#MIxoFYYlIMslVy}8_BUxENOr9P!gr}jOu3VT43sg&**2TCiD%m=r__QOy1 zyTScLglb0PXVeIQt9m%h8bz@SHs%87E;qQE%zJTaB!;_e)!n{w2i%jK&z$?(5w*-J#VS!86vt z!azd;Zw#$fh*C&IKv1!#|C{;1(I&TP#|(E~qLV2vS+)z%=tgFHZ8eH}FV#YWFDb;i z_i~YAVTHnFz~>7wW#5b`~fLVn=&5rq@ebv)HUgK^q%7n zYFQd(TK@ijw|!5gixG}jSqncu|I~fh0P4{rgG=A4*GlUVbB8e42@UzFIzkTEJM>7TDAUHchLaAkCyol zumP4b;3`N00KX43o$t?D5`+fm9aw15|5iyreYRv10Qe`Nr^Q15Gdy4&lmt{FG@Gcu zQ2rKRpalyx)`NeVMvDe0H0YA%5B{tkFF61yspO9SB$$+6W*w|2H5Ls5H$c$KkL4gp{G~1lSZ1!xPxW{HNoY#;Di_M_)+l zpF97b95V6=19za4nzFBZXG17FO6+vOy#=P8zJ-@r#Wy@;D&w~9YEiyFGX+=;knmZm zFJr9-TsTzv9y=q2N`4N(6DC_jLt-rsE6ZYcJhw$_clIN0xfka17pI7qL*q>SogwfW z#NZo2%A=&4TGOd5l?Di1k_VfJr{m*2qnFkwW@k&x_Cu`9ZC!`q-C#NcHbJi(VMFPq*IKAG<>DSaU*l=i{vl`Tdd?h6TM&JHB@l zH$dwlUB>m4u5acSEN6sb*OhgnN)#W%W66f+wd>OFi5q6Uz%)3bzNyFKvYXEKz$+Qp zj+#zUH;655NPi?^y0l*hW1~3#9O-u@lWXm(^3J2!xTNctu*HLOCn~X>xRebh%)vYc z>dXEJMeK$9%}@BUj3-8^)RN#uY)`l+zjHTX?zH<{G(V_J5P?6pTP1#Y`T4PgP_ZY> z(aeI;L|sVCd{s1hnD_QoNrOU=skJjq>Ft*p`}VSiXo{4lNgN@V<^>1dY@E*X1C0+R z`*l0JK}Zhcga%!~;idP6tW3wnk?HYw)9oo2Y&Z7OvZnlkA- 
zmg3C>JCp5w3hCYtAODn4su_(5K9O;Bj=gnAr&eW^rmX_Kcja@u8bUwD?euIZ3 zR$;{HbK{!e_ZoR`GIrW9$LsE1? zE0PqQDFs3P^7Z+Q^>D`1*nz!ZW%3zMH=nZ13jRIe+70Fh%?}7^e-Kl9T86{3ufOJ%ge5N2FYik8HNbgTATpQJ5(5WuPYj98FsN4_4;s&8W?@l6fSG>wm!g}2*Rl)re96W_JGY0nih^8UU<<FMBxC-+kpl#VR50aFTXc2usPi z;rZcd+t_+nqR0)xl}%ilnbZD6(=gYAqAGK$;STKXq|%dlJO8YRtyUt*=c=w0r!6^Has@N*D2mw!GOzS~?4_uHDkU>WBKs_Ij4d!LY%+JFJ>fb%Yi0 zTF+PdW(zdKZq-{eU!Z4Tn#;}&z78vTqOuTaV@@6?*w2Z}Uv*7P92c((j97hDkzG`^ zkewR=#h6Wrx=LA+CoZnECjoc)-Qadpu%(6rvtKi**0CZ#YHGl4y!NBin1|^SBJP{I z@|v&x6r+Niq*6RipEhNFpe8A8m4#u8xL7eg5(Vva%!>8LwJyqx#^Q}uC0+YroWhzj z4sAm|T-M{IIbcm22=z6HMMzCTuHPPgtWKi4l_BaYYWpjyO!!3B{u+oli4z63+FlMW zCV7m#`@bwj&=lboBS3w7FT_?aFdzK%49d*m0<*u;>=Y%O=2b#V-uTn|!Mx)_i-Kx< zb*`176?eXK^73(#vfBsj3H3S7wbA8T+c@;}w;YxX*7FHCYt~~%rt z$=A}kI_49E%FkpUWTI{)4)9oE3q+27I=y`B@g!5eb+kre)!Zc)v^!3zzLq&s5u9M} z;7>w$U(VqfJ$yHahdU{9$jakfRXO6PXFk6X=EL`Hb=QyIjx5taqL0Yk9&aCaVuR%1 z2q{Y0uYBP9GEvh?*K9Lr^*=oCv#q61d-Xh%K+5pE(-y97kzT>J{o#^hKoVUD!@vGn zW8~>D%CPXkpvt#*Ex8p3*RXM8r~Bs*K`cXlmEqdSI!DiLRewHvTQToT-GNuC12E2` z@w*x9smqr3rZh-hUi5ss8>6_*m2dleQa6cRUQZoFi=+Euol%ZL zbZZ16T9%{wM!(S*e#K9lr%H6e(HbFahEI$oP9j$m)}W-4B3p3&N0Zj^jtx$qpK8S@ zHm+}qbqlyioSIn2_%jub9#Y}%iYe3BNVGxb5M?b#_LBwlz{w53VD_R0^P0#t_{ly# zx`R`-of)Yw&$4oOhHLE73+mh_Paci=*B1!Zh05`WzfhRFZVx(9g{hoX?eaR?m|0rg z5&1;ieBx%2Vz+i>J=tY7yiB}Xl>gKIYC6RKd~x4Dx&2pGOpXhU`u4LWZPqa#;S(99 zhs4Qczl2@kLn_E3rn8J0teH!d3>+IFo~xffEX_@tF6|Mye5xL|-ZwA4_+g6(s@T0H zWybDBW6blWCw7@UlL}Z}YI@v1+py3bJmIiDYHTMh5zf9BOzG}qKjmAAhd;OyPrt5W z$g;h+>;~;9*hy$)ii_2idoE7us#y@O)~WUsP&kkDMXO{z!|#0%RGBP-oco`$OWg>( zVQ=ts<8>Zgf-7iGS8dyEqO~x**-s{$$oIoFBP9l&0LB2fn|bGCZChRvGsu{KC@!}9 zT}=4lfo3@Y9pfVb?oRKDw;@$J*Zb<_Dd2K_0pGC2i;qXV6m^q@nmWu!3mFEn#mK7@ z*xgPyUiZ}PR2lkGA!@{qpNn+s&#HzYql5NNmEplE7uiO$E>Oqlx;Pq{Hi^VRtjHL9D#-!LQ^=CLxM@#pT~ssu&V zZm`FLyXHLPI!upg;C7qO=J0H$+K3JhRJ$CrEEMGOM3Y;~c{u4(^9!g#xLu5pN#kB+ z^O1DKWxf5~_>BA$F@5B=kAq@^(AHME%llI4aT=vse}0245AN!iv5WT&wnaQS^kb)N z^`vR=OtoEwlS7=@uZxXOT&vc1D#oqM7mVDjxwvhD3{!3Tby!q=W@=0x8;~e|<>yOE 
zitXvFG1;gw+V?&_UrJ9fs5viIQdLW>ZCzWui+nU`pB<>)o~W>iL!c;*7E;=oF=D5M zOINf~X+q!BMaotpT)i`w^;^L}n6@O_h)RJSDE4r)J~#ch7_J7V_1Xpa&w5FghVdXVYlUkg<0;= zgcvSaoBd=!=PD|#X->8ZzAe9)13->*bv6MeB@Acm4?zX&*bU^KJc^HH%}4S2GTs-mMucT8#pEnL8_#`SMcCA0v@IsG?(_a-k<3pe zPPywd<*TXU<-Mct+ZBScJG1r7r)fuS?>AYB{fu@FTX6JsO@f=Ea)J%JO1krhT?K~3 zrZaabmWoDJ@p1qst*pHGC!rb9t zmS?o#{url2y5fWcTPmc@w4nrO;^#>PcVuLJ8QsdKC>ugnJAvbMX z0fN50vRdk-KemNqfw;WuGaz2Q)l>tcFM_Pqr{xAsE^7c`)_<4K2FALLW``QWeZk`8{c|KOgB?TE+D5Faw%*UqSJ zzzt=ZolIaJEjYeg%GNa()o64dakFN^!PT?iF;wrq_4xhx@H58#XY!(&JmwdkO5lN} zN6&CcdL>Y(VR2p#K>+v(immlV0*%D)nBOIXGM2?Ob$MB&iA5W^TOB{!OE0gfyIyYE z3UG3BmKsUHRjp~9uX+XtSjrR8BfI8<1JNSO!dAL%YqhKL;p@gV@4nU7k_>K1ttQ%NGO9pd2LW5O zYw83cdPemVAT40jP|hTC<`Vw<#mqc^uV#U3sEJlwM#WOPMuEcd`f zZ(?jBjn}IyGo4poxyIId{gdO9d)0Qm z7|My49D5g4(mHF2Ojl@Cfj>wI30-C9~1$RB=NLBlG0@SrPj90~Q*FmApkcD~>h;8lMo z;p;t^wgdP+1;B=w^N6+z_YdZZ!$+?llDB3PBL4HYm$!f?c|J)iGQbf3y=bWbdmPhK z8v0)*4FJU^04S%97dM0XhttUeF>yI=ka(WI*dQN@)8Df2_@_L??{^#nB6FG3s#lf& yLu>MqcqrCzXkgZ~e_Bu8@q literal 0 HcmV?d00001 diff --git a/blueprints/data-solutions/shielded-folder/kms.tf b/blueprints/data-solutions/shielded-folder/kms.tf index fbf47b08d..4ac6ab79f 100644 --- a/blueprints/data-solutions/shielded-folder/kms.tf +++ b/blueprints/data-solutions/shielded-folder/kms.tf @@ -14,6 +14,8 @@ * limitations under the License. */ +# tfdoc:file:description Security project, Cloud KMS and Secret Manager resources. + locals { kms_locations = distinct(flatten([ for k, v in var.kms_keys : v.locations @@ -56,7 +58,7 @@ locals { module "sec-project" { count = var.enable_features.kms ? 1 : 0 source = "../../../modules/project" - name = "sec-core" + name = var.projects_create != null ? "sec-core" : var.projects_id["sec-core"] parent = module.folder.id billing_account = try(var.projects_create.billing_account_id, null) project_create = var.projects_create != null && var.enable_features.kms 
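Review bot: The new `name` line of `module "sec-project"` indexes `var.projects_id["sec-core"]` whenever `var.projects_create` is null, so a caller reusing existing projects who omits that key gets a raw index error at plan time instead of a message saying which id is missing; `module "log-export-project"` in log-export.tf takes the same path with `var.projects_id["audit-logs"]`. If the map is meant to be optional per project, `lookup(var.projects_id, "sec-core", null)` paired with a validation on the variable (variables.tf is changed by this commit but not visible here) would fail with an explicit reason. The `&& var.enable_features.kms` appended to `project_create` looks redundant given the `count` guard on the same module, and a single local for `var.projects_create != null` would keep the two files' conditions in step. The module block continues outside the hunk.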
@@ -75,7 +77,7 @@ module "sec-project" {
 }
 module "sec-kms" {
- for_each = var.enable_features.log_sink ? toset(local.kms_locations) : toset([])
+ for_each = var.enable_features.kms ? toset(local.kms_locations) : toset([])
 source = "../../../modules/kms"
 project_id = module.sec-project[0].project_id
 keyring = {
@@ -90,7 +92,7 @@ module "sec-kms" {
 }
 module "log-kms" {
- for_each = var.enable_features.log_sink ? toset(local.kms_log_locations) : toset([])
+ for_each = var.enable_features.kms ? toset(local.kms_log_locations) : toset([])
 source = "../../../modules/kms"
 project_id = module.sec-project[0].project_id
 keyring = {
diff --git a/blueprints/data-solutions/shielded-folder/log-export.tf b/blueprints/data-solutions/shielded-folder/log-export.tf
index 0c72298db..daa657bd3 100644
--- a/blueprints/data-solutions/shielded-folder/log-export.tf
+++ b/blueprints/data-solutions/shielded-folder/log-export.tf
@@ -23,11 +23,12 @@ locals {
 : "REGIONAL"
 )
 log_types = toset([for k, v in var.log_sinks : v.type])
- _log_keys = {
- bq = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.bq}/keyRings/${var.log_locations.bq}/cryptoKeys/bq"] : null
- pubsub = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.pubsub}/keyRings/${var.log_locations.pubsub}/cryptoKeys/pubsub"] : null
- storage = var.enable_features.log_sink ? ["projects/${module.sec-project.project_id}/locations/${var.log_locations.storage}/keyRings/${var.log_locations.storage}/cryptoKeys/storage"] : null
- }
+
+ _log_keys = var.enable_features.kms ? {
+ bq = var.enable_features.log_sink ? ["projects/${module.sec-project.0.project_id}/locations/${var.log_locations.bq}/keyRings/${var.log_locations.bq}/cryptoKeys/bq"] : null
+ pubsub = var.enable_features.log_sink ? ["projects/${module.sec-project.0.project_id}/locations/${var.log_locations.pubsub}/keyRings/${var.log_locations.pubsub}/cryptoKeys/pubsub"] : null
+ storage = var.enable_features.log_sink ? ["projects/${module.sec-project.0.project_id}/locations/${var.log_locations.storage}/keyRings/${var.log_locations.storage}/cryptoKeys/storage"] : null
+ } : {}
 log_keys = {
 for service, key in local._log_keys : service => key if key != null
@@ -37,7 +38,7 @@ locals {
 module "log-export-project" {
 count = var.enable_features.log_sink ? 1 : 0
 source = "../../../modules/project"
- name = "audit-logs"
+ name = var.projects_create != null ? "audit-logs" : var.projects_id["audit-logs"]
 parent = module.folder.id
 billing_account = try(var.projects_create.billing_account_id, null)
 project_create = var.projects_create != null
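Review bot: The three key ids in `_log_keys` use the legacy `module.sec-project.0.project_id` index form while kms.tf references the same module as `module.sec-project[0].project_id`; the bracket form is the documented syntax and keeps the two files consistent. The key resource names are also assembled by hand (`keyRings/${var.log_locations.bq}/cryptoKeys/bq`), which duplicates whatever naming `module.log-kms` applies; if that module exposes key ids in its outputs, referencing them would stop the two files from drifting apart silently — the module is not visible from this hunk, so that is a suggestion to verify. The `audit-logs` fallback in the second hunk shares the null-default problem raised on `sec-core` in kms.tf.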
@@ -51,7 +52,7 @@ module "log-export-project" {
 "storage.googleapis.com",
 "stackdriver.googleapis.com"
 ]
- service_encryption_key_ids = var.enable_features.kms ? local.log_keys : null
+ service_encryption_key_ids = var.enable_features.kms ? local.log_keys : {}
 depends_on = [
 module.log-kms
diff --git a/blueprints/data-solutions/shielded-folder/main.tf b/blueprints/data-solutions/shielded-folder/main.tf
index fe53e008a..17bdc05cf 100644
--- a/blueprints/data-solutions/shielded-folder/main.tf
+++ b/blueprints/data-solutions/shielded-folder/main.tf
@@ -22,6 +22,12 @@ locals {
 file("${var.data_dir}/vpc-sc/restricted-services.yaml")
 )
+ access_policy_create = var.access_policy == null ? {
+ parent = "organizations/${var.organization.id}"
+ title = "shielded-folder"
+ scopes = [module.folder.id]
+ } : null
+
 groups = {
 for k, v in var.groups : k => "${v}@${var.organization.domain}"
 }
@@ -51,15 +57,11 @@ locals {
 }
 module "folder" {
- source = "../../../modules/folder"
- folder_create = var.folder_create != null
- parent = try(var.folder_create.parent, null)
- name = try(var.folder_create.display_name, null)
- id = var.folder_id
- iam = {
- "roles/owner" = ["serviceAccount:${var.bootstrap_service_account}"]
- "roles/resourcemanager.projectCreator" = ["serviceAccount:${var.bootstrap_service_account}"]
- }
+ source = "../../../modules/folder"
+ folder_create = var.folder_create != null
+ parent = try(var.folder_create.parent, null)
+ name = try(var.folder_create.display_name, null)
+ id = var.folder_create != null ? null : var.folder_id
 group_iam = local.group_iam
 org_policies_data_path = "${var.data_dir}/org-policies"
 firewall_policy_factory = {
@@ -77,6 +79,13 @@ module "folder" {
 } : null
 }
+module "folder-workload" {
+ source = "../../../modules/folder"
+ parent = module.folder.id
+ name = "${var.prefix}-workload"
+}
+
+
 #TODO VPCSC: Access levels
 data "google_projects" "folder-projects" {
 filter = "parent.id:${split("/", module.folder.id)[1]}"
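Review bot: The conditional on the `service_encryption_key_ids` line is now redundant: `local.log_keys` is derived from `local._log_keys`, which the earlier hunk already sets to `{}` when `var.enable_features.kms` is false, so both branches yield an empty map in that case and the line can simply read `service_encryption_key_ids = local.log_keys`. A one-line comment would make the consequence of that default explicit to readers: `# empty when KMS is disabled: audit-log sinks then fall back to Google-managed encryption`. The rest of `log-export-project` is outside the hunk.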
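Review bot: `folder-workload` is declared with no `iam`, `group_iam`, `org_policies_data_path` or firewall policy arguments, so it relies entirely on inheritance from `module.folder`; that is a sensible default for a shielded layout, but nothing in the file says it is deliberate, and a later maintainer could add bindings here that sidestep the parent's controls. Suggest a comment on the module: `# Workload folder: intentionally carries no IAM or policy of its own and inherits the shielded folder's org policies, hierarchical firewall policies and IAM.` The two consecutive blank lines after its closing brace will be collapsed by `terraform fmt`.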
@@ -85,15 +94,19 @@ data "google_projects" "folder-projects" {
 module "vpc-sc" {
 source = "../../../modules/vpc-sc"
 access_policy = var.access_policy
- access_policy_create = var.access_policy_create
+ access_policy_create = local.access_policy_create
 access_levels = var.vpc_sc_access_levels
 egress_policies = var.vpc_sc_egress_policies
 ingress_policies = var.vpc_sc_ingress_policies
 service_perimeters_regular = {
 shielded = {
- status = {
+ # Move `spec` definition to `status` and comment `use_explicit_dry_run_spec` variable to enforce VPC-SC configuration
+ # Before enforing configuration check logs and create Access Level, Ingress/Egress policy as needed
+
+ status = null
+ spec = {
 access_levels = keys(var.vpc_sc_access_levels)
- resources = null #TODO local.vpc_sc_resources
+ resources = local.vpc_sc_resources
 restricted_services = local._vpc_sc_restricted_services
 egress_policies = keys(var.vpc_sc_egress_policies)
 ingress_policies = keys(var.vpc_sc_ingress_policies)
@@ -102,6 +115,8 @@ module "vpc-sc" {
 enable_restriction = true
 }
 }
+ use_explicit_dry_run_spec = true
+
 }
 }
 }
diff --git a/blueprints/data-solutions/shielded-folder/output.tf b/blueprints/data-solutions/shielded-folder/output.tf
new file mode 100644
index 000000000..0110b6271
--- /dev/null
+++ b/blueprints/data-solutions/shielded-folder/output.tf
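Review bot: With `status = null`, the perimeter definition under `spec` and `use_explicit_dry_run_spec = true`, the VPC-SC perimeter is deployed in dry-run mode, so the blueprint's boundary logs violations but blocks nothing until someone edits this file as the inline comment instructs; that is a reasonable roll-out step, but it should be stated in the README, and the second hunk adds `use_explicit_dry_run_spec` without any pointer back to the comment that explains it. A boolean variable selecting dry-run versus enforced (feeding both the `status`/`spec` choice and that flag) would let operators enforce through a tfvars change instead of a code edit. `resources = local.vpc_sc_resources` presumably derives from the `google_projects` data source filtered on the shielded folder's own id; if so, projects placed in the new `folder-workload` child may not be included in the perimeter — worth confirming. Minor: the comment reads `enforing` for `enforcing`.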
@@ -0,0 +1,22 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "folders" {
+ description = "Folders id."
+ value = {
+ shielded-folder = module.folder.id
+ workload-folder = module.folder-workload.id
+ }
+}
+
diff --git a/blueprints/data-solutions/shielded-folder/variables.tf b/blueprints/data-solutions/shielded-folder/variables.tf
index a770df6b5..666094e27 100644
--- a/blueprints/data-solutions/shielded-folder/variables.tf
+++ b/blueprints/data-solutions/shielded-folder/variables.tf
@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# tfdoc:file:description Folder resources.
+# tfdoc:file:description Variables definition.
 variable "access_policy" {
 description = "Access Policy name, set to null if creating one."
 type = string
-
+ default = null
 }
 variable "access_policy_create" {
@@ -30,11 +30,6 @@ variable "access_policy_create" {
 default = null
 }
-variable "bootstrap_service_account" {
- description = "Folder bootstrap service account: owner of the folder."
- type = string
-}
-
 variable "data_dir" {
 description = "Relative path for the folder storing configuration data."
 type = string
@@ -134,6 +129,7 @@ variable "organization" {
 description = "Organization details."
 type = object({
 domain = string
+ id = string
 })
 }
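Review bot: `variable "access_policy_create"` is still declared (its `default = null` and closing brace are the context lines of the second variables.tf hunk), but main.tf now passes `local.access_policy_create` to the vpc-sc module instead of `var.access_policy_create`, so unless another file reads it the variable is dead input that tfdoc will keep advertising; either drop it or have the local use it when it is set. The new `id` attribute of `organization` also deserves a word in the description, since main.tf uses it as the access policy parent and `domain` for group e-mails: `description = "Organization details: domain (used to build group e-mails) and numeric id (used as parent of the access policy)."`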
@@ -156,9 +152,12 @@ variable "projects_create" {
 }
 variable "projects_id" {
- description = "Project id, references existing project if `project_create` is null. Projects will be moved into the shielded folder."
- type = map(string)
- default = null
+ description = "Project id, references existing projects if `project_create` is null. Projects will be moved into the shielded folder."
+ type = object({
+ sec-core = string
+ audit-logs = string
+ })
+ default = null
 }
 variable "vpc_sc_access_levels" {
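Review bot: The `description` still refers to `project_create` while the variable it pairs with is `projects_create` (visible in the hunk header context), and it does not say that the value is required whenever `projects_create` is null; suggest `description = "Ids of existing projects, used (and required) when projects_create is null. Projects will be moved into the shielded folder."`. The object type also forces both `sec-core` and `audit-logs` to be supplied even when `enable_features.kms` or `enable_features.log_sink` disables one of the two projects; `optional(string)` attributes would lift that if the blueprint's minimum Terraform version is 1.3 or later, otherwise the description should state that both ids are mandatory.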