From 63c55b29ddcbdb636f3624737ede0d6ca6fc12f6 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Sat, 6 May 2023 00:33:51 +0200 Subject: [PATCH 1/7] First commit --- blueprints/README.md | 2 +- blueprints/data-solutions/README.md | 11 +- .../data-platform-foundations/README.md | 2 + .../data-platform-minimal/01-landing.tf | 70 ++++ .../data-platform-minimal/02-composer.tf | 127 +++++++ .../data-platform-minimal/02-dataproc.tf | 133 ++++++++ .../data-platform-minimal/02-processing.tf | 141 ++++++++ .../data-platform-minimal/03-curated.tf | 91 +++++ .../data-platform-minimal/04-common.tf | 59 ++++ .../data-platform-minimal/IAM.md | 39 +++ .../data-platform-minimal/README.md | 310 ++++++++++++++++++ .../demo/orchestrate_pyspark.py | 93 ++++++ .../demo/pyspark_sort.py | 30 ++ .../data-platform-minimal/images/diagram.png | Bin 0 -> 104566 bytes .../images/dlp_diagram.png | Bin 0 -> 46304 bytes .../images/kms_diagram.png | Bin 0 -> 54929 bytes .../data-platform-minimal/main.tf | 62 ++++ .../data-platform-minimal/outputs.tf | 81 +++++ .../data-platform-minimal/variables.tf | 225 +++++++++++++ 19 files changed, 1473 insertions(+), 3 deletions(-) create mode 100644 blueprints/data-solutions/data-platform-minimal/01-landing.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/02-composer.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/02-dataproc.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/02-processing.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/03-curated.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/04-common.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/IAM.md create mode 100644 blueprints/data-solutions/data-platform-minimal/README.md create mode 100644 blueprints/data-solutions/data-platform-minimal/demo/orchestrate_pyspark.py create mode 100644 blueprints/data-solutions/data-platform-minimal/demo/pyspark_sort.py create mode 100644 blueprints/data-solutions/data-platform-minimal/images/diagram.png create mode 100644 blueprints/data-solutions/data-platform-minimal/images/dlp_diagram.png create mode 100644 blueprints/data-solutions/data-platform-minimal/images/kms_diagram.png create mode 100644 blueprints/data-solutions/data-platform-minimal/main.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/outputs.tf create mode 100644 blueprints/data-solutions/data-platform-minimal/variables.tf diff --git a/blueprints/README.md b/blueprints/README.md index 24610e1bba..b2636dbcbe 100644 --- a/blueprints/README.md +++ b/blueprints/README.md @@ -6,7 +6,7 @@ Currently available blueprints: - **apigee** - [Apigee Hybrid on GKE](./apigee/hybrid-gke/), [Apigee X analytics in BigQuery](./apigee/bigquery-analytics), [Apigee network patterns](./apigee/network-patterns/) - **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Networking Dashboard](./cloud-operations/network-dashboard), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation with Terraform Cloud/Enterprise workflows](./cloud-operations/terraform-cloud-dynamic-credentials), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on Azure](./cloud-operations/workload-identity-federation) -- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml) +- **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml) - **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory) - **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot) - **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [Decentralized firewall management](./networking/decentralized-firewall), [Decentralized firewall validator](./networking/decentralized-firewall/validator), [Network filtering with Squid](./networking/filtering-proxy), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Hub and Spoke via VPN](./networking/hub-and-spoke-vpn), [Hub and Spoke via VPC Peering](./networking/hub-and-spoke-peering), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), [Network filtering with Squid with isolated VPCs using Private Service Connect](./networking/filtering-proxy-psc), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke) diff --git a/blueprints/data-solutions/README.md b/blueprints/data-solutions/README.md index 9cef8bc267..3c5af881d7 100644 --- a/blueprints/data-solutions/README.md +++ b/blueprints/data-solutions/README.md @@ -29,8 +29,15 @@ This [blueprint](./composer-2/) creates a [Cloud Composer](https://cloud.google. ### Data Platform Foundations - -This [blueprint](./data-platform-foundations/) implements a robust and flexible Data Foundation on GCP that provides opinionated defaults, allowing customers to build and scale out additional data pipelines quickly and reliably. + +This [blueprint](./data-platform-foundations/) implements a robust and flexible Data Platform on GCP that provides opinionated defaults, allowing customers to build and scale out additional data pipelines quickly and reliably. + +
+ +### Minimal Data Platform + + +This [blueprint](./data-platform-minimal/) implements a minimal Data Platform on GCP that provides opinionated defaults, allowing customers to build and scale out additional data pipelines quickly and reliably.
diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md index 8b0e2344f8..e4ff871c09 100644 --- a/blueprints/data-solutions/data-platform-foundations/README.md +++ b/blueprints/data-solutions/data-platform-foundations/README.md @@ -2,6 +2,8 @@ This module implements an opinionated Data Platform Architecture that creates and setup projects and related resources that compose an end-to-end data environment. +For a minimal Data Platform, plese refer to the [Minimal Data Platform](../data-platform-minimal/) blueprint. + The code is intentionally simple, as it's intended to provide a generic initial setup and then allow easy customizations to complete the implementation of the intended design. The following diagram is a high-level reference of the resources created and managed here: diff --git a/blueprints/data-solutions/data-platform-minimal/01-landing.tf b/blueprints/data-solutions/data-platform-minimal/01-landing.tf new file mode 100644 index 0000000000..ff2c1cbdd1 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/01-landing.tf @@ -0,0 +1,70 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Landing project and resources. + +locals { + iam_lnd = { + "roles/storage.objectCreator" = [module.land-sa-cs-0.iam_email] + "roles/storage.objectViewer" = [module.processing-sa-cmp-0.iam_email] + "roles/storage.objectAdmin" = [module.processing-sa-dp-0.iam_email] + } +} + +module "land-project" { + source = "../../../modules/project" + parent = var.project_config.parent + billing_account = var.project_config.billing_account_id + project_create = var.project_config.billing_account_id != null + prefix = var.project_config.billing_account_id == null ? null : var.prefix + name = var.project_config.billing_account_id == null ? var.project_config.project_ids.landing : "${var.project_config.project_ids.landing}${local.project_suffix}" + iam = var.project_config.billing_account_id != null ? local.iam_lnd : null + iam_additive = var.project_config.billing_account_id == null ? local.iam_lnd : null + services = concat(var.project_services, [ + "cloudkms.googleapis.com", + "storage.googleapis.com", + "storage-component.googleapis.com", + ]) + service_encryption_key_ids = { + bq = [try(local.service_encryption_keys.bq, null)] + pubsub = [try(local.service_encryption_keys.pubsub, null)] + storage = [try(local.service_encryption_keys.storage, null)] + } +} + +# Cloud Storage + +module "land-sa-cs-0" { + source = "../../../modules/iam-service-account" + project_id = module.land-project.project_id + prefix = var.prefix + name = "lnd-cs-0" + display_name = "Data platform GCS landing service account." + iam = { + "roles/iam.serviceAccountTokenCreator" = [ + local.groups_iam.data-engineers + ] + } +} + +module "land-cs-0" { + source = "../../../modules/gcs" + project_id = module.land-project.project_id + prefix = var.prefix + name = "lnd-cs-0" + location = var.location + storage_class = "MULTI_REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) + force_destroy = var.data_force_destroy +} diff --git a/blueprints/data-solutions/data-platform-minimal/02-composer.tf b/blueprints/data-solutions/data-platform-minimal/02-composer.tf new file mode 100644 index 0000000000..26aef12b7e --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/02-composer.tf @@ -0,0 +1,127 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Cloud Composer resources. + +locals { + env_variables = { + BQ_LOCATION = var.location + CURATED_BQ_DATASET = module.cur-bq-0.dataset_id + CURATED_GCS = module.cur-cs-0.url + CURATED_PRJ = module.cur-project.project_id + DP_KMS_KEY = try(var.service_encryption_keys.compute, "") + DP_REGION = var.region + GCP_REGION = var.region + LAND_PRJ = module.land-project.project_id + LAND_GCS = module.land-cs-0.name + PHS_CLUSTER_NAME = module.processing-dp-historyserver.name + PROCESSING_GCS = module.processing-cs-0.name + PROCESSING_PRJ = module.processing-project.project_id + PROCESSING_SA_DP = module.processing-sa-dp-0.email + PROCESSING_SUBNET = local.processing_subnet + PROCESSING_VPC = local.processing_vpc + } +} + +module "processing-sa-cmp-0" { + source = "../../../modules/iam-service-account" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-cmp-0" + display_name = "Data platform Composer service account" + iam = { + "roles/iam.serviceAccountTokenCreator" = [local.groups_iam.data-engineers] + "roles/iam.serviceAccountUser" = [module.processing-sa-cmp-0.iam_email] + } +} + +resource "google_composer_environment" "processing-cmp-0" { + count = var.composer_config.disable_deployment == true ? 0 : 1 + project = module.processing-project.project_id + name = "${var.prefix}-prc-cmp-0" + region = var.region + config { + software_config { + airflow_config_overrides = try(var.composer_config.software_config.airflow_config_overrides, null) + pypi_packages = try(var.composer_config.software_config.pypi_packages, null) + env_variables = merge(try(var.composer_config.software_config.env_variables, null), local.env_variables) + image_version = try(var.composer_config.software_config.image_version, null) + } + dynamic "workloads_config" { + for_each = (try(var.composer_config.workloads_config, null) != null ? { 1 = 1 } : {}) + + content { + scheduler { + cpu = try(var.composer_config.workloads_config.scheduler.cpu, null) + memory_gb = try(var.composer_config.workloads_config.scheduler.memory_gb, null) + storage_gb = try(var.composer_config.workloads_config.scheduler.storage_gb, null) + count = try(var.composer_config.workloads_config.scheduler.count, null) + } + web_server { + cpu = try(var.composer_config.workloads_config.web_server.cpu, null) + memory_gb = try(var.composer_config.workloads_config.web_server.memory_gb, null) + storage_gb = try(var.composer_config.workloads_config.web_server.storage_gb, null) + } + worker { + cpu = try(var.composer_config.workloads_config.worker.cpu, null) + memory_gb = try(var.composer_config.workloads_config.worker.memory_gb, null) + storage_gb = try(var.composer_config.workloads_config.worker.storage_gb, null) + min_count = try(var.composer_config.workloads_config.worker.min_count, null) + max_count = try(var.composer_config.workloads_config.worker.max_count, null) + } + } + } + + environment_size = var.composer_config.environment_size + + node_config { + network = local.processing_vpc + subnetwork = local.processing_subnet + service_account = module.processing-sa-cmp-0.email + enable_ip_masq_agent = "true" + tags = ["composer-worker"] + ip_allocation_policy { + cluster_secondary_range_name = try( + var.network_config.composer_secondary_ranges.pods, "pods" + ) + services_secondary_range_name = try( + var.network_config.composer_secondary_ranges.services, "services" + ) + } + } + private_environment_config { + enable_private_endpoint = "true" + cloud_sql_ipv4_cidr_block = try( + var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24" + ) + master_ipv4_cidr_block = try( + var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28" + ) + } + dynamic "encryption_config" { + for_each = ( + try(var.service_encryption_keys[var.region], null) != null + ? { 1 = 1 } + : {} + ) + content { + kms_key_name = try(var.service_encryption_keys[var.region], null) + } + } + } + depends_on = [ + google_project_iam_member.shared_vpc, + module.processing-project + ] +} diff --git a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf new file mode 100644 index 0000000000..37c4ff406b --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf @@ -0,0 +1,133 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Cloud Dataproc resources. + +locals { + iam_prc = { + "roles/bigquery.jobUser" = [ + module.processing-sa-dp-0.iam_email, local.groups_iam.data-engineers + ] + } + processing_dp_subnet = ( + local.use_shared_vpc + ? var.network_config.subnet_self_links.orchestration + : values(module.processing-vpc.0.subnet_self_links)[0] + ) + processing_dp_vpc = ( + local.use_shared_vpc + ? var.network_config.network_self_link + : module.processing-vpc.0.self_link + ) +} + +module "processing-cs-dp-history" { + source = "../../../modules/gcs" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-cs-dp-history" + location = var.region + storage_class = "REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) +} + +module "processing-sa-dp-0" { + source = "../../../modules/iam-service-account" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-dp-0" + display_name = "Dataproc service account" + iam = { + "roles/iam.serviceAccountTokenCreator" = [ + local.groups_iam.data-engineers, + module.processing-sa-cmp-0.iam_email + ], + "roles/iam.serviceAccountUser" = [ + module.processing-sa-cmp-0.iam_email + ] + } +} + +module "processing-dp-staging-0" { + source = "../../../modules/gcs" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-stg-0" + location = var.location + storage_class = "MULTI_REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) +} + +module "processing-dp-temp-0" { + source = "../../../modules/gcs" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-tmp-0" + location = var.location + storage_class = "MULTI_REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) +} + +module "processing-dp-log-0" { + source = "../../../modules/gcs" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-log-0" + location = var.location + storage_class = "MULTI_REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) +} + +module "processing-dp-historyserver" { + source = "../../../modules/dataproc" + project_id = module.processing-project.project_id + name = "hystory-server" + prefix = var.prefix + region = var.region + dataproc_config = { + cluster_config = { + staging_bucket = module.processing-dp-staging-0.name + temp_bucket = module.processing-dp-temp-0.name + gce_cluster_config = { + subnetwork = module.processing-vpc[0].subnets["${var.region}/${var.prefix}-processing"].self_link + zone = "${var.region}-b" + service_account = module.processing-sa-dp-0.email + service_account_scopes = ["cloud-platform"] + internal_ip_only = true + } + worker_config = { + num_instances = 0 + machine_type = null + min_cpu_platform = null + image_uri = null + } + software_config = { + override_properties = { + "dataproc:dataproc.allow.zero.workers" = "true" + "dataproc:job.history.to-gcs.enabled" = "true" + "spark:spark.history.fs.logDirectory" = "gs://${module.processing-dp-staging-0.name}/*/spark-job-history" + "spark:spark.eventLog.dir" = "gs://${module.processing-dp-staging-0.name}/*/spark-job-history" + "spark:spark.history.custom.executor.log.url.applyIncompleteApplication" = "false" + "spark:spark.history.custom.executor.log.url" = "{{YARN_LOG_SERVER_URL}}/{{NM_HOST}}:{{NM_PORT}}/{{CONTAINER_ID}}/{{CONTAINER_ID}}/{{USER}}/{{FILE_NAME}}" + } + } + endpoint_config = { + enable_http_port_access = "true" + } + encryption_config = { + kms_key_name = try(local.service_encryption_keys.compute, null) + } + } + } +} diff --git a/blueprints/data-solutions/data-platform-minimal/02-processing.tf b/blueprints/data-solutions/data-platform-minimal/02-processing.tf new file mode 100644 index 0000000000..5792f01324 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/02-processing.tf @@ -0,0 +1,141 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Processing project and VPC. + +locals { + iam_processing = { + "roles/composer.admin" = [local.groups_iam.data-engineers] + "roles/composer.environmentAndStorageObjectAdmin" = [local.groups_iam.data-engineers] + "roles/composer.ServiceAgentV2Ext" = [ + "serviceAccount:${module.processing-project.service_accounts.robots.composer}" + ] + "roles/composer.worker" = [ + module.processing-sa-cmp-0.iam_email + ] + "roles/dataproc.editor" = [ + module.processing-sa-cmp-0.iam_email + ] + "roles/dataproc.worker" = [ + module.processing-sa-dp-0.iam_email + ] + "roles/iam.serviceAccountUser" = [ + module.processing-sa-cmp-0.iam_email, local.groups_iam.data-engineers + ] + "roles/iap.httpsResourceAccessor" = [local.groups_iam.data-engineers] + "roles/serviceusage.serviceUsageConsumer" = [local.groups_iam.data-engineers] + "roles/storage.admin" = [ + module.processing-sa-cmp-0.iam_email, + "serviceAccount:${module.processing-project.service_accounts.robots.composer}", + local.groups_iam.data-engineers + ] + } + processing_subnet = ( + local.use_shared_vpc + ? var.network_config.subnet_self_links.processingestration + : values(module.processing-vpc.0.subnet_self_links)[0] + ) + processing_vpc = ( + local.use_shared_vpc + ? var.network_config.network_self_link + : module.processing-vpc.0.self_link + ) + + +} + +module "processing-project" { + source = "../../../modules/project" + parent = var.project_config.parent + billing_account = var.project_config.billing_account_id + project_create = var.project_config.billing_account_id != null + prefix = var.project_config.billing_account_id == null ? null : var.prefix + name = var.project_config.billing_account_id == null ? var.project_config.project_ids.processing : "${var.project_config.project_ids.processing}${local.project_suffix}" + iam = var.project_config.billing_account_id != null ? local.iam_processing : null + iam_additive = var.project_config.billing_account_id == null ? local.iam_processing : null + oslogin = false + services = concat(var.project_services, [ + "bigquery.googleapis.com", + "bigqueryreservation.googleapis.com", + "bigquerystorage.googleapis.com", + "cloudkms.googleapis.com", + "composer.googleapis.com", + "compute.googleapis.com", + "container.googleapis.com", + "dataproc.googleapis.com", + "servicenetworking.googleapis.com", + "storage.googleapis.com", + "storage-component.googleapis.com" + ]) + service_encryption_key_ids = { + composer = [try(local.service_encryption_keys.composer, null)] + compute = [try(local.service_encryption_keys.compute, null)] + storage = [try(local.service_encryption_keys.storage, null)] + } + shared_vpc_service_config = local.shared_vpc_project == null ? null : { + attach = true + host_project = local.shared_vpc_project + } +} + +# Cloud Storage + +module "processing-cs-0" { + source = "../../../modules/gcs" + project_id = module.processing-project.project_id + prefix = var.prefix + name = "prc-cs-0" + location = var.location + storage_class = "MULTI_REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) +} + +# internal VPC resources + +module "processing-vpc" { + source = "../../../modules/net-vpc" + count = local.use_shared_vpc ? 0 : 1 + project_id = module.processing-project.project_id + name = "${var.prefix}-processing" + subnets = [ + { + ip_cidr_range = "10.10.0.0/24" + name = "${var.prefix}-processing" + region = var.region + secondary_ip_ranges = { + pods = "10.10.8.0/22" + services = "10.10.12.0/24" + } + } + ] +} + +module "processing-vpc-firewall" { + source = "../../../modules/net-vpc-firewall" + count = local.use_shared_vpc ? 0 : 1 + project_id = module.processing-project.project_id + network = module.processing-vpc.0.name + default_rules_config = { + admin_ranges = ["10.10.0.0/24"] + } +} + +module "processing-nat" { + count = local.use_shared_vpc ? 0 : 1 + source = "../../../modules/net-cloudnat" + project_id = module.processing-project.project_id + name = "${var.prefix}-processing" + region = var.region + router_network = module.processing-vpc.0.name +} diff --git a/blueprints/data-solutions/data-platform-minimal/03-curated.tf b/blueprints/data-solutions/data-platform-minimal/03-curated.tf new file mode 100644 index 0000000000..4656fa766b --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/03-curated.tf @@ -0,0 +1,91 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Data curated project and resources. + +locals { + cur_iam = { + "roles/bigquery.dataOwner" = [module.processing-sa-dp-0.iam_email] + "roles/bigquery.dataViewer" = [ + local.groups_iam.data-analysts, + local.groups_iam.data-engineers + ] + "roles/bigquery.jobUser" = [ + module.processing-sa-dp-0.iam_email, + local.groups_iam.data-analysts, + local.groups_iam.data-engineers + ] + "roles/datacatalog.tagTemplateViewer" = [ + local.groups_iam.data-analysts, local.groups_iam.data-engineers + ] + "roles/datacatalog.viewer" = [ + local.groups_iam.data-analysts, local.groups_iam.data-engineers + ] + "roles/storage.objectViewer" = [ + local.groups_iam.data-analysts, local.groups_iam.data-engineers + ] + "roles/storage.objectAdmin" = [module.processing-sa-dp-0.iam_email] + } + cur_services = concat(var.project_services, [ + "bigquery.googleapis.com", + "bigqueryreservation.googleapis.com", + "bigquerystorage.googleapis.com", + "cloudkms.googleapis.com", + "compute.googleapis.com", + "servicenetworking.googleapis.com", + "storage.googleapis.com", + "storage-component.googleapis.com" + ]) +} + +# Project + +module "cur-project" { + source = "../../../modules/project" + parent = var.project_config.parent + billing_account = var.project_config.billing_account_id + project_create = var.project_config.billing_account_id != null + prefix = var.project_config.billing_account_id == null ? null : var.prefix + name = var.project_config.billing_account_id == null ? var.project_config.project_ids.curated : "${var.project_config.project_ids.curated}${local.project_suffix}" + iam = var.project_config.billing_account_id != null ? local.cur_iam : {} + iam_additive = var.project_config.billing_account_id == null ? local.cur_iam : {} + services = local.cur_services + service_encryption_key_ids = { + bq = [try(local.service_encryption_keys.bq, null)] + storage = [try(local.service_encryption_keys.storage, null)] + } +} + +# Bigquery + +module "cur-bq-0" { + source = "../../../modules/bigquery-dataset" + project_id = module.cur-project.project_id + id = "${replace(var.prefix, "-", "_")}_cur_bq_0" + location = var.location + encryption_key = try(local.service_encryption_keys.bq, null) +} + +# Cloud storage + +module "cur-cs-0" { + source = "../../../modules/gcs" + project_id = module.cur-project.project_id + prefix = var.prefix + name = "cur-cs-0" + location = var.location + storage_class = "MULTI_REGIONAL" + encryption_key = try(local.service_encryption_keys.storage, null) + force_destroy = var.data_force_destroy +} diff --git a/blueprints/data-solutions/data-platform-minimal/04-common.tf b/blueprints/data-solutions/data-platform-minimal/04-common.tf new file mode 100644 index 0000000000..4d822b7a52 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/04-common.tf @@ -0,0 +1,59 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Common project and resources. + +locals { + iam_common = { + "roles/dlp.admin" = [local.groups_iam.data-security] + "roles/dlp.estimatesAdmin" = [local.groups_iam.data-engineers] + "roles/dlp.reader" = [local.groups_iam.data-engineers] + "roles/dlp.user" = [ + module.processing-sa-dp-0.iam_email, + local.groups_iam.data-engineers + ] + "roles/datacatalog.admin" = [local.groups_iam.data-security] + "roles/datacatalog.viewer" = [ + module.processing-sa-dp-0.iam_email, + local.groups_iam.data-analysts + ] + "roles/datacatalog.categoryFineGrainedReader" = [ + module.processing-sa-dp-0.iam_email + ] + } +} +module "common-project" { + source = "../../../modules/project" + parent = var.project_config.parent + billing_account = var.project_config.billing_account_id + project_create = var.project_config.billing_account_id != null + prefix = var.project_config.billing_account_id == null ? null : var.prefix + name = var.project_config.billing_account_id == null ? var.project_config.project_ids.common : "${var.project_config.project_ids.common}${local.project_suffix}" + iam = var.project_config.billing_account_id != null ? local.iam_common : null + iam_additive = var.project_config.billing_account_id == null ? local.iam_common : null + services = concat(var.project_services, [ + "datacatalog.googleapis.com", + "dlp.googleapis.com", + ]) +} + +# Data Catalog Policy tag + +module "common-datacatalog" { + source = "../../../modules/data-catalog-policy-tag" + project_id = module.common-project.project_id + name = "${var.prefix}-datacatalog-policy-tags" + location = var.location + tags = var.data_catalog_tags +} diff --git a/blueprints/data-solutions/data-platform-minimal/IAM.md b/blueprints/data-solutions/data-platform-minimal/IAM.md new file mode 100644 index 0000000000..54bde92d50 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/IAM.md @@ -0,0 +1,39 @@ +# IAM bindings reference + +Legend: + additive, conditional. + +## Project cmn + +| members | roles | +|---|---| +|gcp-data-analysts
group|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) | +|gcp-data-engineers
group|[roles/dlp.estimatesAdmin](https://cloud.google.com/iam/docs/understanding-roles#dlp.estimatesAdmin)
[roles/dlp.reader](https://cloud.google.com/iam/docs/understanding-roles#dlp.reader)
[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | +|gcp-data-security
group|[roles/datacatalog.admin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.admin)
[roles/dlp.admin](https://cloud.google.com/iam/docs/understanding-roles#dlp.admin) | +|prc-dp-0
serviceAccount|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | + +## Project cur + +| members | roles | +|---|---| +|gcp-data-analysts
group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|gcp-data-engineers
group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|SERVICE_IDENTITY_service-networking
serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| +|prc-dp-0
serviceAccount|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner)
[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | + +## Project lnd + +| members | roles | +|---|---| +|lnd-cs-0
serviceAccount|[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) | +|prc-cmp-0
serviceAccount|[roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | +|prc-dp-0
serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | + +## Project prc + +| members | roles | +|---|---| +|gcp-data-engineers
group|[roles/composer.admin](https://cloud.google.com/iam/docs/understanding-roles#composer.admin)
[roles/composer.environmentAndStorageObjectAdmin](https://cloud.google.com/iam/docs/understanding-roles#composer.environmentAndStorageObjectAdmin)
[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser)
[roles/iap.httpsResourceAccessor](https://cloud.google.com/iam/docs/understanding-roles#iap.httpsResourceAccessor)
[roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|SERVICE_IDENTITY_cloudcomposer-accounts
serviceAccount|[roles/composer.ServiceAgentV2Ext](https://cloud.google.com/iam/docs/understanding-roles#composer.ServiceAgentV2Ext)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|SERVICE_IDENTITY_service-networking
serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| +|prc-cmp-0
serviceAccount|[roles/composer.worker](https://cloud.google.com/iam/docs/understanding-roles#composer.worker)
[roles/dataproc.editor](https://cloud.google.com/iam/docs/understanding-roles#dataproc.editor)
[roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser)
[roles/storage.admin](https://cloud.google.com/iam/docs/understanding-roles#storage.admin) | +|prc-dp-0
serviceAccount|[roles/dataproc.worker](https://cloud.google.com/iam/docs/understanding-roles#dataproc.worker) | diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md new file mode 100644 index 0000000000..ed2a445f97 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/README.md @@ -0,0 +1,310 @@ +# Minimal Data Platform + +This module implements a minimal opinionated Data Platform Architecture based on Dataproc Serverless resources. It creates and setup projects and related resources that compose an end-to-end data environment. + +For a complete, more versatile and configurable Data Platform, plese refer to the [Data Platform](../data-platform-foundations/) blueprint. + +The code is intentionally simple, as it's intended to provide a generic initial setup and then allow easy customizations to complete the implementation of the intended design. + +The following diagram is a high-level reference of the resources created and managed here: + +![Data Platform architecture overview](./images/diagram.png "Data Platform architecture overview") + +A demo [Airflow pipeline](demo/orchestrate_pyspark.py) is also part of this blueprint: it can be built and run on top of the foundational infrastructure to verify or test the setup quickly. + +## Design overview and choices + +Despite its simplicity, this stage implements the basics of a design that we've seen working well for various customers. + +The approach adapts to different high-level requirements: + +- boundaries for each step +- clearly defined actors +- least privilege principle +- rely on service account impersonation + +The code in this blueprint doesn't address Organization-level configurations (Organization policy, VPC-SC, centralized logs). We expect those elements to be managed by automation stages external to this script like those in [FAST](../../../fast) and this blueprint deployed on top of them as one of the [stages](../../../fast/stages/3-data-platform/dev/README.md). + +## Project structure + +The Data Platform is designed to rely on several projects, one project per data stage. The stages identified are: + +- landing +- processing +- curated +- common + +This separation into projects allows adhering to the least-privilege principle by using project-level roles. + +The script will create the following projects: + +- **Landing** Data, stored in relevant formats. Structured data can be stored in BigQuery or in GCS using an appropriate file format such as AVRO or Parquet. Unstructured data stored on Cloud Storage. +- **Processing** Used to host all resources needed to process and orchestrate data movement. Cloud Composer orchestrates all tasks that move data across layers. Cloud Dataproc Serveless process and move data between layers. Anonymization or tokenization of Personally Identifiable Information (PII) can be implemented here using Cloud DLP or a custom solution, depending on your requirements. +- **Curated** Cleansed, aggregated and curated data. +- **Common** Common services such as [Cloud DLP](https://cloud.google.com/dlp) or [Data Catalog](https://cloud.google.com/data-catalog/docs/concepts/overview). + +## Roles + +We assign roles on resources at the project level, granting the appropriate roles via groups (humans) and service accounts (services and applications) according to best practices. + +## Service accounts + +Service account creation follows the least privilege principle, performing a single task which requires access to a defined set of resources. The table below shows a high level overview of roles for each service account on each data layer, using READ or WRITE access patterns for simplicity. + +A full reference of IAM roles managed by the Data Platform is [available here](IAM.md). + +For detailed roles please refer to the code. + +Using of service account keys within a data pipeline exposes to several security risks deriving from a credentials leak. This blueprint shows how to leverage impersonation to avoid the need of creating keys. + +## User groups + +User groups provide a stable frame of reference that allows decoupling the final set of permissions from the stage where entities and resources are created, and their IAM bindings defined. + +We use three groups to control access to resources: + +- *Data Engineers* They handle and run the Data Hub, with read access to all resources in order to troubleshoot possible issues with pipelines. This team can also impersonate any service account. +- *Data Analysts*. They perform analysis on datasets, with read access to the Data Warehouse Confidential project, and BigQuery READ/WRITE access to the playground project. +- *Data Security*:. They handle security configurations related to the Data Hub. This team has admin access to the common project to configure Cloud DLP templates or Data Catalog policy tags. + +### Virtual Private Cloud (VPC) design + +As is often the case in real-world configurations, this blueprint accepts as input an existing [Shared-VPC](https://cloud.google.com/vpc/docs/shared-vpc) via the `network_config` variable. Make sure that the GKE API (`container.googleapis.com`) is enabled in the VPC host project. + +If the `network_config` variable is not provided, one VPC will be created in each project that supports network resources (load, transformation and orchestration). + +### IP ranges and subnetting + +To deploy this blueprint with self-managed VPCs you need the following ranges: + +- one /24 for the processing project VPC subnet used for Cloud Dataproc workers +- one /24 range for the orchestration VPC subnet used for Composer workers +- one /22 and one /24 ranges for the secondary ranges associated with the orchestration VPC subnet + +If you are using Shared VPC, you need one subnet with one /22 and one /24 secondary range defined for Composer pods and services. + +In both VPC scenarios, you also need these ranges for Composer: + +- one /24 for Cloud SQL +- one /28 for the GKE control plane + +### Resource naming conventions + +Resources follow the naming convention described below. + +- `prefix-layer` for projects +- `prefix-layer-product` for resources +- `prefix-layer[2]-gcp-product[2]-counter` for services and service accounts + +### Encryption + +We suggest a centralized approach to key management, where Organization Security is the only team that can access encryption material, and keyrings and keys are managed in a project external to the Data Platform. + +![Centralized Cloud Key Management high-level diagram](./images/kms_diagram.png "Centralized Cloud Key Management high-level diagram") + +To configure the use of Cloud KMS on resources, you have to specify the key id on the `service_encryption_keys` variable. Key locations should match resource locations. Example: + +```tfvars +service_encryption_keys = { + bq = "KEY_URL" + composer = "KEY_URL" + compute = "KEY_URL" + storage = "KEY_URL" +} +``` + +This step is optional and depends on customer policies and security best practices. + +## Data Anonymization + +We suggest using Cloud Data Loss Prevention to identify/mask/tokenize your confidential data. + +While implementing a Data Loss Prevention strategy is out of scope for this blueprint, we enable the service in two different projects so that [Cloud Data Loss Prevention templates](https://cloud.google.com/dlp/docs/concepts-templates) can be configured in one of two ways: + +- during the ingestion phase, from Cloud Dataproc +- within the curated layer, in [BigQuery](https://cloud.google.com/bigquery/docs/scan-with-dlp) or [Cloud Dataproc](https://cloud.google.com/dataproct) + +Cloud Data Loss Prevention resources and templates should be stored in the Common project: + +![Centralized Cloud Data Loss Prevention high-level diagram](./images/dlp_diagram.png "Centralized Cloud Data Loss Prevention high-level diagram") + +You can find more details and best practices on using DLP to De-identification and re-identification of PII in large-scale datasets in the [GCP documentation](https://cloud.google.com/architecture/de-identification-re-identification-pii-using-cloud-dlp). + +## Data Catalog + +[Data Catalog](https://cloud.google.com/data-catalog) helps you to document your data entry at scale. Data Catalog relies on [tags](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tags) and [tag template](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tag-templates) to manage metadata for all data entries in a unified and centralized service. To implement [column-level security](https://cloud.google.com/bigquery/docs/column-level-security-intro) on BigQuery, we suggest to use `Tags` and `Tag templates`. + +The default configuration will implement 3 tags: + +- `3_Confidential`: policy tag for columns that include very sensitive information, such as credit card numbers. +- `2_Private`: policy tag for columns that include sensitive personal identifiable information (PII) information, such as a person's first name. +- `1_Sensitive`: policy tag for columns that include data that cannot be made public, such as the credit limit. + +Anything that is not tagged is available to all users who have access to the data warehouse. + +For the purpose of the blueprint no groups has access to tagged data. You can configure your tags and roles associated by configuring the `data_catalog_tags` variable. We suggest using the "[Best practices for using policy tags in BigQuery](https://cloud.google.com/bigquery/docs/best-practices-policy-tags)" article as a guide to designing your tags structure and access pattern. + +## How to run this script + +To deploy this blueprint on your GCP organization, you will need + +- a folder or organization where new projects will be created +- a billing account that will be associated with the new projects + +The Data Platform is meant to be executed by a Service Account (or a regular user) having this minimal set of permission: + +- **Billing account** + - `roles/billing.user` +- **Folder level**: + - `roles/resourcemanager.folderAdmin` + - `roles/resourcemanager.projectCreator` +- **KMS Keys** (If CMEK encryption in use): + - `roles/cloudkms.admin` or a custom role with `cloudkms.cryptoKeys.getIamPolicy`, `cloudkms.cryptoKeys.list`, `cloudkms.cryptoKeys.setIamPolicy` permissions +- **Shared VPC host project** (if configured):\ + - `roles/compute.xpnAdmin` on the host project folder or org + - `roles/resourcemanager.projectIamAdmin` on the host project, either with no conditions or with a condition allowing [delegated role grants](https://medium.com/google-cloud/managing-gcp-service-usage-through-delegated-role-grants-a843610f2226#:~:text=Delegated%20role%20grants%20is%20a,setIamPolicy%20permission%20on%20a%20resource.) for `roles/compute.networkUser`, `roles/composer.sharedVpcAgent`, `roles/container.hostServiceAgentUser` + +## Variable configuration + +There are three sets of variables you will need to fill in: + +```tfvars +project_config = { + billing_account_id = "123456-123456-123456" + parent = "folders/12345678" +} +organization_domain = "domain.com" +prefix = "myprefix" +``` + +For more fine details check variables on [`variables.tf`](./variables.tf) and update according to the desired configuration. + +*Remember* to create team groups described [below](#groups). + +Once the configuration is complete, run the project factory by running + +```bash +terraform init +terraform apply +``` + +## How to use this blueprint from Terraform + +While this blueprint can be used as a standalone deployment, it can also be called directly as a Terraform module by providing the variables values as show below: + +```hcl +module "data-platform" { + source = "./fabric/blueprints/data-solutions/data-platform-minimal/" + organization_domain = "example.com" + project_config = { + billing_account_id = "123456-123456-123456" + parent = "folders/12345678" + } + prefix = "myprefix" +} + +# tftest modules=21 resources=110 +``` + +## Customizations + +### Assign roles at BQ Dataset level + +To handle multiple groups of `data-analysts` accessing the same Data Warehouse layer projects but only to the dataset belonging to a specific group, you may want to assign roles at BigQuery dataset level instead of at project-level. +To do this, you need to remove IAM binging at project-level for the `data-analysts` group and give roles at BigQuery dataset level using the `iam` variable on `bigquery-dataset` modules. + +### Project Configuration + +The solution can be deployed by creating projects on a given parent (organization or folder) or on existing projects. Configure variable `project_config` accordingly. + +When you deploy the blueprint on existing projects, the blueprint is designed to rely on different projects configuring IAM binding with an additive approach. + +Once you have identified the required project granularity for your use case, we suggest adapting the terraform script accordingly and relying on authoritative IAM binding. + +### Shared VPC + +To configure the use of a shared VPC, configure the `network_config`, example: + +```tfvars +network_config = { + host_project = "PROJECT_ID" + network_self_link = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NAME" + subnet_self_links = { + processing_dataproc = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/NAME" + processing_composer = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION/subnetworks/NAME" + } + composer_ip_ranges = { + cloudsql = "192.168.XXX.XXX/24" + gke_master = "192.168.XXX.XXX/28" + } + composer_secondary_ranges = { + pods = "pods" + services = "services" + } +} +``` + +### Customer Managed Encryption key + +To configure the use of Cloud KMS on resources, configure the `service_encryption_keys` variable. Key locations should match resource locations. Example: + +```tfvars +service_encryption_keys = { + bq = "KEY_URL" + composer = "KEY_URL" + compute = "KEY_URL" + storage = "KEY_URL" +} +``` + +## Demo pipeline + +The application layer is out of scope of this script. As a demo purpuse only, one Cloud Composer DAGs is provided to document how to deploy a Cloud Dataproc Serverless job on the architecture. You can find examples in the `[demo](./demo)` folder. + +## Files + +| name | description | modules | resources | +|---|---|---|---| +| [01-landing.tf](./01-landing.tf) | Landing project and resources. | gcs · iam-service-account · project | | +| [02-composer.tf](./02-composer.tf) | Cloud Composer resources. | iam-service-account | google_composer_environment | +| [02-dataproc.tf](./02-dataproc.tf) | Cloud Dataproc resources. | dataproc · gcs · iam-service-account | | +| [02-processing.tf](./02-processing.tf) | Processing project and VPC. | gcs · net-cloudnat · net-vpc · net-vpc-firewall · project | | +| [03-curated.tf](./03-curated.tf) | Data curated project and resources. | bigquery-dataset · gcs · project | | +| [04-common.tf](./04-common.tf) | Common project and resources. | data-catalog-policy-tag · project | | +| [main.tf](./main.tf) | Core locals. | | google_project_iam_member | +| [outputs.tf](./outputs.tf) | Output variables. | | | +| [variables.tf](./variables.tf) | Terraform Variables. | | | + + + +## Variables + +| name | description | type | required | default | +|---|---|:---:|:---:|:---:| +| [organization_domain](variables.tf#L155) | Organization domain. | string | ✓ | | +| [prefix](variables.tf#L160) | Prefix used for resource names. | string | ✓ | | +| [project_config](variables.tf#L169) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {…} | +| [data_catalog_tags](variables.tf#L100) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | +| [data_force_destroy](variables.tf#L111) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | +| [groups](variables.tf#L117) | User groups. | map(string) | | {…} | +| [location](variables.tf#L127) | Location used for multi-regional resources. | string | | "eu" | +| [network_config](variables.tf#L133) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null | +| [project_services](variables.tf#L193) | List of core services enabled on all projects. | list(string) | | […] | +| [project_suffix](variables.tf#L204) | Suffix used only for project ids. | string | | null | +| [region](variables.tf#L210) | Region used for regional resources. | string | | "europe-west1" | +| [service_encryption_keys](variables.tf#L216) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | + +## Outputs + +| name | description | sensitive | +|---|---|:---:| +| [bigquery-datasets](outputs.tf#L17) | BigQuery datasets. | | +| [dataproc-hystory-server](outputs.tf#L24) | List of bucket names which have been assigned to the cluster. | | +| [gcs-buckets](outputs.tf#L34) | GCS buckets. | ✓ | +| [kms_keys](outputs.tf#L44) | Cloud MKS keys. | | +| [projects](outputs.tf#L49) | GCP Projects informations. | | +| [vpc_network](outputs.tf#L67) | VPC network. | | +| [vpc_subnet](outputs.tf#L75) | VPC subnetworks. | | + + diff --git a/blueprints/data-solutions/data-platform-minimal/demo/orchestrate_pyspark.py b/blueprints/data-solutions/data-platform-minimal/demo/orchestrate_pyspark.py new file mode 100644 index 0000000000..ef5084ffe2 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/demo/orchestrate_pyspark.py @@ -0,0 +1,93 @@ +#!/usr/bin/env python + +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import datetime +import time +import os + +from airflow import models +from airflow.providers.google.cloud.operators.dataproc import ( + DataprocCreateBatchOperator, DataprocDeleteBatchOperator, DataprocGetBatchOperator, DataprocListBatchesOperator + +) +from airflow.utils.dates import days_ago + +# -------------------------------------------------------------------------------- +# Get variables +# -------------------------------------------------------------------------------- +BQ_LOCATION = os.environ.get("BQ_LOCATION") +CURATED_BQ_DATASET = os.environ.get("CURATED_BQ_DATASET") +CURATED_GCS = os.environ.get("CURATED_GCS") +CURATED_PRJ = os.environ.get("CURATED_PRJ") +DP_KMS_KEY = os.environ.get("DP_KMS_KEY", "") +DP_REGION = os.environ.get("DP_REGION") +GCP_REGION = os.environ.get("GCP_REGION") +LAND_PRJ = os.environ.get("LAND_PRJ") +LAND_BQ_DATASET = os.environ.get("LAND_BQ_DATASET") +LAND_GCS = os.environ.get("LAND_GCS") +PHS_CLUSTER_NAME = os.environ.get("PHS_CLUSTER_NAME") +PROCESSING_GCS = os.environ.get("PROCESSING_GCS") +PROCESSING_PRJ = os.environ.get("PROCESSING_PRJ") +PROCESSING_SA_DP = os.environ.get("PROCESSING_SA_DP") +PROCESSING_SA_SUBNET = os.environ.get("PROCESSING_SUBNET") +PROCESSING_SA_VPC = os.environ.get("PROCESSING_VPC") + +PYTHON_FILE_LOCATION = "gs://"+PROCESSING_GCS+"/pyspark_sort.py" +PHS_CLUSTER_PATH = "projects/"+PROCESSING_PRJ+"/regions/"+DP_REGION+"/clusters/"+PHS_CLUSTER_NAME + +default_args = { + # Tell airflow to start one day ago, so that it runs as soon as you upload it + "start_date": days_ago(1), + "region": DP_REGION, +} +with models.DAG( + "dataproc_batch_operators", # The id you will see in the DAG airflow page + default_args=default_args, # The interval with which to schedule the DAG + schedule_interval=None, # Override to match your needs +) as dag: + + create_batch = DataprocCreateBatchOperator( + task_id="batch_create", + project_id=PROCESSING_PRJ, + batch={ + "environment_config": { + "execution_config": { + "service_account": PROCESSING_SA_DP, + "subnetwork_uri": PROCESSING_SA_SUBNET + }, + "peripherals_config": { + "spark_history_server_config":{ + "dataproc_cluster": PHS_CLUSTER_PATH + } + } + }, + "pyspark_batch": { + "main_python_file_uri": PYTHON_FILE_LOCATION, + } + }, + batch_id="batch-create-phs-"+str(int(time.time())), + ) + + list_batches = DataprocListBatchesOperator( + task_id="list-all-batches", + ) + + get_batch = DataprocGetBatchOperator( + task_id="get_batch", + batch_id="batch-create-phs", + ) + + create_batch >> list_batches >> get_batch \ No newline at end of file diff --git a/blueprints/data-solutions/data-platform-minimal/demo/pyspark_sort.py b/blueprints/data-solutions/data-platform-minimal/demo/pyspark_sort.py new file mode 100644 index 0000000000..f8e5605301 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/demo/pyspark_sort.py @@ -0,0 +1,30 @@ +#!/usr/bin/env python + +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +""" Sample pyspark script to be uploaded to Cloud Storage and run on +Cloud Dataproc. +Note this file is not intended to be run directly, but run inside a PySpark +environment. +""" + +# [START dataproc_pyspark_sort] +import pyspark + +sc = pyspark.SparkContext() +rdd = sc.parallelize(["Hello,", "world!", "dog", "elephant", "panther"]) +words = sorted(rdd.collect()) +print(words) +# [END dataproc_pyspark_sort] \ No newline at end of file diff --git a/blueprints/data-solutions/data-platform-minimal/images/diagram.png b/blueprints/data-solutions/data-platform-minimal/images/diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..7f992cbcb514f1e28edd0fadaebfd5b6f2e867bd GIT binary patch literal 104566 zcmeFZby!qe8#k<|$PociLP}5sL^_5prKCZ+l^VLcu@GdyAcyW4x*G#Qa)_A$hLX-< zB!-T6bB^ac0q;NGU*C6q&s^8c?Aa^!UF%+J-S=-+n7XPw(KYI87cN{NQg|Zs^uh&v z*9#XeRTAICgK>KcO}kF8{8h3Vffw-UIK`Hh+ENrQ!Wu1K&06(%;vYDo?9!E#*l8 zUw=41(RaIWfr9DueNo}*{a+U@;1Swr>ACBvD2tdoIdDF=a5A&x^mcGQZFND+TLidt zuylXU;O$`V=qBPVe(%p3BEa?OZLWI^e^zm~6ThdYqRt@gR(TCbor`C-CceLP z^XFYaITF{zxc*VJ#I@VX2C^3}NL^5nd8FliadrG^l96Tl@p{6@grCZ!#UM?VG=Ty` zFxi#$@NhiJ4`w_2EuN2L?DLFf!*yk4HK2;2PaY^Rq`%%uQ5mtvHmMy*R)F1jMMWz_ z6IYoH1I;B?gt0zwzurC7;Z?B%3fL&7`q$$N7cbwC`tOgBV}jv*&4hXahTsc$XFh(C zGU&`;FP<#`Dj!iW=&T4*v7Fmbs<3VHyvJR zXua(V@wtNeLU03iB~#}7ZtMTJ0rQx7c0RYyF26;-(8xHy+i{?<-lg>AIR+Xm#f{f$ z`{lv^MTm|-;keN7qyM)0Q;9R&26X%^I`8~$1%X0G+SPOAej@@fDsDx@x!tBE0)>La zp6AM)KrUF1pF00HI;Adz{J(E>GVsSMO2Z<%EITBp(fh@l-p#P`uj7cHYm23F zG6pju~qNDRhTg(joo4->GY(8K*w}&mV+mFf&JUkA#)~c~1$j!SiS;O?oL{=k9^vz~o zQ7Dk5 zi{}ACfP&U@2D=dtGx%Br=2N(ikRzz);+L?n`2shgBsw}ejIW2gwQBt{s}j*mf^AIa zc}jfsX9VyfRR6?bK1svqsM>-JjPdD--ID33v=||!1&dx_&?ZCM+i>`V{|biEBrvrvtS9~Waa?N6ETgXRojZ2|Mc}UU@FEyYmp5jREvbh zJ`a0W^Xipe60wqTQA1W92HxUvr*|+}S2ioaZ~fau0`ywVd_z>UAq)8W>?dF)A-UBc zi9+Fc4iX2Kp2~PEkOcXUatNwGg`Eca+wo9aq!0SRnd#QS+- z!(oj7y-@qi@W=HIy`r-8xsU@q@lp97?4cC0pxS>&p>Wj-)JbtQAI0YW~g?_U%c>n_W;9j#03~GLR{EffN zz*zcdACedzt{8C*hl7+fRv%ZxCuAhqFIm7R0-_{wB~WPntzcuPh_*g~nraXw+0puk zmLtD$JFl^QeK)cKGa;XX7rq85LUvCMgB%=;pFb~ilqFq$UwhXP?~HEnHJ?3bv+ebo zaIdNIkf`dSUMg=Jl{QOq%temhu%!{@n)YicZN0p9Evwc3%k;413Ey%_@jQj3tA|7E zp`xAY{)PLzd+mgQo1>EP2?nlDr&&r4h6@u01MXF9#&T-(u%!Bmw4^!jZ{-V`oG7GT z3tV$0BV(oXo64@TGxZtwN3E`Q*HwU-nA>0#1}Z8&)pULZ1qJSvwOOkNUMIUS)A|70 zHL?m`nse-Yg#5N^85B8X9W+g9*eE`o6kD2*U7dw;ltS@#tv}K2lr7%s;y}H33~ltB z&SY`d#dk)1z&5VUy68K(0`D68C^5#F>i-Tc4?dYLHr6+~aR{P~M?l=vRJ zv(whn`NVs_&go=l$X?*&>jX0-!T%BQtm#PYquw@1+QivbAz?rGV|j}-Igag zR>#I>m(Ey3Z~f=KaAYCJ-gC>ES6m#6qu)KopgSM>%y;yYF(D62;vJKr^OE`pB`poM ziI!`4UiBKpF zHBF^sF#i5>-N#QK4=3W+OGBu!uOEkI<-)ALc}HbrW;QtmJDiz#ZWG~MioKf59E%*G zEnlEkYT>QwRWhKtL)1aP(7l&4Nu$Tte)PktMV{R=_aL&R{=^do;%^O#5;)2Ah;^JS z>k`{vS}EbHQ3FeVswz6#fpN8LK&cjQ7eQ$F=Gjc^#hKfJoHf<;wz^LCROG?cmL}pN zA{(QVyS}!H<@(c28rsGI@Tj0Ew@#Ll2A%$4#wdwms3P=E;|cig-HW-!gLIC83*+r6 zyKy^3%Z2cXttB^j0_B4|UhMPs;_{>N&A~Crnzmp)*Vq)>CVC&DCb{{-i`FV>WB1cZ_*()2^7_rIJ5aoNBy#>+ zP$2)@9woMJrJ?D*T|MUOSF_~oN6B@X%!#?F$88N*2cNAn7Nl1RSkt#&7uB@=t)Y2T zNoRPoFoo&LmDiF7bC<-q)+b^e+9S!?O`8iBSfkJE)IL8UzkRa|S~Sn0G~<>lWnaPU zm2}X|)E!jA4zjMQ|7MR0t|-xGhhyDKk{o+_mM6d4!5Yk}R=Xplz>fZQ6+CP~Y1hii z`k_&iLi;DpxFeKK5G>a7j!xueP>}a*?8#xo{tGG`Xks%L7@{o+P@g*S1LDJ_5Awj& z$Y<5D4{_ zWX8v)3N^xm#ib&)4zF9PhiiP13hNfOQ~4%L&4~gq94t;Rb$ot8b2azYCtEw-GRkVh zV_0e#bZ|W89fxl^lj%?2RGELV>&-V#F0w}{FTB|Cg(D&a;#A8Hw`Ne2{%x`3*pqu$T5WpvlTf@E zC|@!%nIH@gxteX%5jTn%sJ|%7#3WZGT#+;B+oiI!WFr?Z6{g7es{2UbU1kOssWY(-EcIb{Js zW^Q`2ObLcV^Obvswb!;yP4^mo6w`-H^}1NyKyy?;`PR>F0w zZz@xSO+w2X3h`c!KnOHwwS}Jof!kq>q|jp^2Au z6|1RRuQvxjmT-H|Zu~jxmqE2B+O<{(@KCi^A|~K!G>2iNKE;AJIj$-p1!`cjre9WB zUarUknUt{8%vC;KMCxwa+h8Y-u5L!=iQQ*cUh1Zync(-0&7Xxv8O@1{HoL6(bj4b; zUdoIbM$w6uG)|XiOq=0|`64Hrk60kbc5TJ$9?G7m?=T%;(W!!ojnUT9(YC9dE;jay z$o#~jl9a^PKP=D^NiXP$>zs44AGV0y8q0&hDn=V(wVT!lQ`O6JL_Bafr^Yf3bB-qP zdPz|c@^OOPl~hkNvwD;XPV_^P+8l$I>G6(8=6pd6rFV(avlIy{WmM%D>j5!sK@p6L zm4il<+a#zy&SyK?O<%;ks&!Y$LwdA6AXI~emzS53u?ZXyqnsMsu#~)0 zm5z`LG0@ho(oo5TC-V(rSt*SxJKrMR5w~1Hg0PYV4L4i?;ZX`Nc)M`Iyb6sL*=&v2 z+6p)zwhvrr!iah$mZe3irlvGlOuhL2j$*ebMeC9AFZWTAIcM+!SH+jX5$;>{QjBWI zT36}swrC;O*+te?+bhY^jvfo|DA|Ac!F(sKEOZ+lbgl$OJ$-vdDvWAB?b~e~bF+_X z>2(ZqMCb4%=Thz^GBwg4AsT5C_U2< zJT5>&yYWiYm&sj~6NN^DGWB)jY||b*v?^ulSYQ;+>YA{e27)9v(01hYBre6cZNiVBcy;e_mi? z!`gWjc~acmEOGY>pZ1tdbHtY-+bpoDWW`*3Z?gv)M|`y>Gr+M@!0(QZ@l-~}y-V7v z3aZ5JZ(YxhEgw8^fFq~|Ip=gm*$(kcFEn&FRR+^~?eZ5BJ^^N{?QSYL%*XN#BByNu z&w&OF4+mKO((-1uiLnS7DTSFwZFiVe^kpb(cf8SLUgmuz z3YR!>)pg6=39_Q4dLrFZQ{!Rz!m1fH3i3My_0PH#lx&NxUK~>! zFAmYZE`1^hMD2K!D)aGUqp^%$Jq|&ya*ct$K8xayOM^d}FI{cuRebv{EK*fvX}K`h z;$fdh)vG+J0Vd}A7M7L;o6!CriB68&Hj~5Rp53N3k4g#@I>P2t_8nAcCD$4z_ptQ- zSVPJZ6RNzyB>hRhnffSGyYAraiP)k!@)XwPeShsCM10g>MfrXw)oV-3Iq@h@x`$X1 z{(L?JAB<`x6xz`CW^e@b48=~FR*jTg|M^9%qR&qnX0kd_18;bB&MJ8X4=k!P`0(=j z!tPy9!B=;hht&3L$XIv1Ei|JXpCl9I;CK%E;o23vd=jp6b8Q#1Id+b>;((bHrR0=f zU%!tX$7P~W#l=39#_s8)909WhpSq|U%Z_I^uFNx43A_M{RQC=Y3RlELLa07DF#D27 zY=uS=PabNxLB!V)gKexl8Xpo8sMcLvgoSTGK4KcShyC2^Y#nWU*1k*ZM=~)nC5#wZ zTMrL4Z@gaZE$y(@F-=xofUh0U6A6Qq4jpCWWD12&#OR(r-Tst1ISJ;ftFM0}if#6q zF-*L~WT!;Q!OxkM)Qcs@H8$+r=}Z6h>sMIvtqFY&?Bk*-@S`xry5VP3`)S6 z;_;B9xXv3{&h)OE?_~GKSvCAaTRaS)~ADJw*~R}jEf7ssTK1X+H$XJ zYljyXi%Fp+&COFI3#Pnk2ssypC6b^+K0Z~0GPAmCpv$;&5G55dI{#?4`Jm}jRa;w5 zL(mqV`Gg>HuhoN|ul}QPrR!^-@U=m|jLPlENYmrxpr&>RH7KCj_QoQx`#?QFSU3Qi zh?dU&Zjtcf=AD;*8-&+d){C&1@r903U!QV<dr@Fi%Unxpa!x%TzD;xUaZk;pPYIZBXZ$3Mr(taR%EIlV&=OcJ%5^p*4Mn6wY6XtD@#pRqE0 zoU2c3JVV=5nuQjxTg4I zHptpWDO#yQa1ZCfYJdre!2%GTE1oSdAEPQ~#oAEhSy zq#E}QH?Bel$8F_%v8L)A4C|{AsU*=Bw=&tNL3N|<+8(0 zHhj`|vg8gsD~IM$Xy8t6R_o=CLIa;iwzdV!c0voM!L`syg@tKUiTmxG9EIf~CRIk)*URXe<{!?C4G-(#X6)8h z#da$W0&%H=0nA?EVE(nT!=aql)V4iNbFDv+BgZ2=ki0wHSgV?U*8X==lfYF?KHfYO_r~?lOf0SLi5i z393|3_{Sg5d35YPM|zOP2o6IJA@?!%y-U^n)rPAq4cdD~t*%EmM_I(BZ>p_luPP@O z1@8PZeet1jIb3PTs8NI+A;=^K%;J|?_Ke~D?TxuzsKVxr@UF&O?m=Y-uam`vi7ppt z30n{W@P#YRUoaZ_?6ZI*G>xu({R3h-Iiq=F7wf-Ng=x0xg?6EXO|6Hx0b`#{#Br zDz594H2!=YcU+VydDL(G#~-=T2&iEDSsf&ahvenuJ>$Fs?8Xn%;J%8HTgw$_R$XT% z_R1JZu#1;rdO4EZ#T>JYryD(vv3IQmi5OfuDjP}}MT=E`cU(WnMLN3dVRPo|CSN`2 z5-h2F{U&Ln$uRoIgF=0esf|~=wO_wxL=vB{$)>c}uR~JzW?#6?hYlakzBG{D9NXKp zwYBYJEAV%erR#KTUf(B-O$8Tw*=Y5Zw#Tsb>Q42W?@5H2czZ7*>6@qDtVm8ZdFJ*$ zeJT*Nwz|7p`!aOH-xX%5M8PTPG_ux|qOgOLi8HO1<7jEIw6oN%QUqc@F;rAT+HLM% z_PP*^YC|}i`}bRYG4hhG<5fe}*Z4ABv8G5wVFF){T91RZH8*G0J`_(aC?amnVr@(x zpw@$ueTclF{0URz@?h>YJW3^9?RTwXzLKDw%;s6^)(%IuXW5deJ?=Lq<^7Rh50ZFSv}tJsq| z&Vnx~%Q<;BWkXz&FWqS}9PED?O6+AaR7|V#0kvgQ*G3DTK)x75T?WfX-ht&6+B@0l z7Eq8=C4Bf$oU2Q)IQW8B#=Ju-`&D?Ge`G;J!iGfCl_CcR0T_stRYNTf`mwOFJ2$5c z*6alRLzR&D0qeVWkOYvOm6cpQ@zPB>y@dDgf4b#xmN}h#$;dF9l988HNfA?U`dEvg zD$Pb#pzQsP8m~jP_rlLC=)b8l{FtznX426l$?lV$EJJwbgqOH52UZ;?eN&xmz2E2O z+*yW3ZWh%PQX8+!hmM;V8peG{LEYNS50YpK%mk|hzj{@hdc1g5oK5}3neGW9@Ix5P zL6Zv2z0?roa=fqF;v=vJ@{?(im5e?kZ+64Dsw_Oo)NJhLvjahw051=Of6L8oOM9pMS z`}3P_;9{k}Fx5GaxPm8bbt5m%!_p4fM1N>y`fXhR9IET`x##EA5V_a-Ru=j#elbk< z{M{i((aG~eCrez%xp{f5&WNvZU2&;#2?>FR-czU|QM5>Xo|_xX$xxgmeIN83NYCdd zlmxCf7S$t=5jAZ~p3VAOYi@fbbT;fR_2Rb{uKK>#ouEcla`$P(*uCx?PRz%T?r`Htx*nN8{Rc8 ziFeNK#|ap?Wv;x4K)xAJOq167IC?H(>$7gKUXSjpvk{Whu+u&nfX?~!_S)I34`8;t z*KWY}!b_vhS};SfR4Ra!3Am|oK2FN?q8Z4Pbo)$X>r~W>ng9q%?cT#PoSr`BC!18^ zJlj`^vvLGt)BylJI0cz2XZE9~ocLdPi}aTrmj7>Up4x1h8UW6b2+RBLIQO571(#eX zgO(5+oGXGYRsi?JLP~yK%K64Gat57E^5^tthXsIDkO1h}zn^hFAgmb>Uh}=xGda&w zg8Fg+JW#5P)_+F@|77fc%KZPDGNr6jL3z${myN))4~;Hgyo@iMcG8mSyqS9VtdX=b z>`xQ?oJU!@ebRoDQZhDTzeV7}bkdci$|AD3m^$|f<;9J z1X#h=6QkA*Yy&<0+mV}%=UM$F2B|`U3vc;D{v_@{Ke*8VwoYzTw0HAN)(EJ09Y9v1 zFE9*TK4<)Xwg!-ZG!9rH_`Cn?^3PGpeE}E}mx7<%I**`C0JrE+*)$`@bzZ+001zS3 zg?lRhNZ{YPh!6lq{{I;L|D8ss7@yUM;@WfH8~?{-0c2K&ja84RBE5RW8G}DRBYZ`? zeZ~4j`C4TqT6DGe$J_Tm-d1e)F5gM_C1yYQeJcu0hm&$ZtIAvRBj>~e@ z!Ce?f>$P7#ZNqt`eeX$+4?aTM1me14pf@m^tAD3cKi?p=_7br*G&FWpQgqjn`JsRC zj8~nSgZO~(U?+6go<0$Yy9iD*$N@lAw=d#-JN6qR@Fv0kMOuyFfOnN7h>8b%S?#`P zzs;ZMi@_W&qfvwuk%_!KOZkBje4s=Vto!y?Z&i*$emAAAP=m zy6KRM1_tn3U(wL{ZxJ1D-Gq!3!ahiEZr8E_K;+MrF05;}j33b?jutE%u0U~_V4jeZS5>{C;w~Hk8=2Z-_c-5Y~o;v<(_P>2Uq;Yu}lg+e`(bX|BvUQKB_hPkV zbFd$Ksf2m$P5t+Qo$(0x#@2=|U3D5j9IeX~=;D&?bV#6@ifrP9 zN}vk8lBh=9!~IYwsTlf3AOMrBYR-+!+3We@WLY)YH+@3$PGfSDBRgGNWlwzkfxV5_ zV&GOHCdH#MRaPDc={yK@w^0#ZFrFTKu};9LvNN!^Y~Pc6t>L#L>~jh+wzS;W^-y#T zPspcIv1n~oRaHQGY6QF-$+NBZ?XDl&i`wX5==Q4_nMfb*6*Hy@@1{nNLhC6DjC!Cf z4~_V0n&3!JIDWvxyd!kAPAu!M=g)x+hwrsM!=l`dA6z!JOT+aIt9lwu#|iy|Z(hHi zjZo4Paf;x`TA>%Tw17AHJ^%^(&P}g7Ik4vC+3?(~ULRRs;JUribmxV{9jD{8+O#Z_ z4k%PnDcnFvuuI+<^Coi+*<;t6DkQ*W61u&h-PBNF(OX$rSUFr%LkR+nYUeRL+eRR+ zR8%zjp%8-APW~-Yo8|d0daRPUnV+}KM#l-#QYBK=Snb_Ug_Qy`PEN2$iH&d7bmyCm z`nFkbxKJO<5LWx~Q94td6PC5m$?@I0Yb{pauV)78s|>~-F?sY9?Zb^un3%uI6&x7K zeZ+Eoii$z3i9Ma@o8Al4f!)hulH*Dc=4?J#wYo|O^Ss09v=Z^N%KdBBYS#C`avXh$ zkGVFE!;qLv7gcqeX}zD6k0o1$Zq(t)Th2<1v%VXQC4TVee!DD33XfbIpK8BXk^B&5 zU^|yH#hksj^f@^2xzCa8!aPEtYE4*YYC$_w_CN@nDzOb?xWVImTCzL@BU$ z*8WysD_!zS8iRyHL8_Omn(Y2TLLJ?7t~Hj$;Y2KLp)8L!eJtDC=?V(i9rIFC=k~Hn zTgqK^^=%v#m+MRz`A3r?7q&5jl1KEZ;_X652}cKrnbnMrPm^2^ZS9?+{vc^_MZ42I zy;t2(S(ui-QlV`9L;|oYqHLI&m&Hf*wPMvHPZ^QqLAor}E^T>FeWR zs5yU|Bhr8#Wk~;Wl4mGeOYPdvergZH26x#Sl2~mJ2fQVPl8(H9Tj@wNGLD}tn*Y_C zXro$-MwgQ1M>#o&80AN!S>3gz>V^ukgJ_8SOP`y@F7WiuZp3hy`Ar%q8o9CdGG?8J zRMYJvWN?KVZE6st_ekookxcc1#JH>_QTw%qW61USn}|ox_z5e$yivhX#Mo-vFX){O zGFPT{`F2^a7&ZdGprA6O8C_h;``a|yqr*?NMrs|qJ}~jMd*>R9631ago)%}>o9Sef zmxiO~2bOb!T7vXuc*ws|^q-&f;Y2%?W6PzmETp5_ zyD)_)$e=q+mIx_HKI(gt}$lq#Sm`Ua3AZbk~c2EPhm6 zoK-gE>=EPJRJ1Ino16Cuy%I_?R8zH7*gY&X=V++{S&72OU2LztcWMrmebTO?B%b}E54Nf>M~z;O%F?yQ zE9P5E222JXS_uaJM!R#As*&MaNqK3QNhja^94d~T4Q-#1aM>9awMD4s^P!ONBEL>z zT9|-&72QFnw!An3VcxqamphfA)>zvTCm;-f=-x;+mPtPK{B9gO^rOES z(JMOnPA@vnQJ-4-xx=sm&8NsbWey$z*PaYkjj0qYNo2l0SEJh#!%c1ZQ%aoTA#QGdi!Yn1uC!?O{y5ilU;4SoKOp_tsXWE-~H1 z9slSh^}O7>dHb0^?d5GcW@n?_L=M`i;vP8IYUNPSQ`J3WVc~7veB_-XYG-VcB7q;n zFJRT~6G$PV1A_}XEdR_AX_F?)h~giS=J<&z{IQ8Y3^_m8QzZj@a(=(&bPga_5=Vdy)&o#VBu*CH=m~FRPENTf_~V;$wcfP ziBZW>I~#7r2olH72O{rHjxOej4=;{T==7xJ)SWtHO_(S5*h=b1A-xqE4#R1e%nQIt z#yVJhYivZtS*^ZQt}e}Jj;eN7pa#~c$Wv|)fo3&F2iut7$w?nj=IRB+J}vx;h#v^8 zJk!gIBUSx<%T(nBaW^YpxWa3qWe3}-0n#$Re#?p6;Zx7vyx#nKQzRvMnZK*tR{oWD zV3j~A*LSd0PEKq)6Ek}%w~K1d5IEs|U!@)}c*AofK9-2jrO@lnTUY>nRZACD>r(+g zfeeu;j<>!pKhj47LL%-Jv2ZDphqi-ln}Rsjyy z-d13*y39>xFtF5pm`F%MsBN%d+>Wh=^V{+yAFX!3))ArPDYb5{i~r$xvTVuRW}Q_q ziO>2w!Wa@r;2!C?bg;90WL*Zc^_Lm)CvFQwhgHdl8uiXcMtX)yQzEftGBikP9kKLXwMM*Iq&A; z_C<3o@jdIn;eqfR%t2Qd+re&tDpsbasB>m)c_~N#y>H3VP9BBeFGEK%>XqBAo^XU% zs7S7a(`wn<=Ugf-1RmgrxDX z*VJ8P@ySnn@R6fk!#d7Z>?3;sJf_-<8p(ah)dhdsGDlFOz!vX_{x z?)%9bFThiN%@_N7yznz0RrVI}V z3mU=3E8=UdvpC zIRjt0!us4$o2;(Lj~~nBCgHpi9I%Q;4PMaqNwOOgk|n!I9jEE@J{S-`ED>W||A}gv z+h4GqoBm^_Ty5JyKqPl-#f7|nX|lB1Q{~I-HWeGX#Pd)ma>Ypak-1htr0uIb#c8ws z-JRhDc282N&m~fim1Sf@GxMv)bHRE2eoFF?is=kS^a>sIg*&6dc@<#Ib)J;eEF94z zJJR^0d0!nqMRyJl!$Eou2ItaJD?gKtH_7diWxlaxH^MboKz9{`__qfu^1h~<6%Ez- zs7=i&PNsfX+{UV9p;+f~;>6t`wN#|qiAT_xlp z##J+W!86WzriN)EfofSdfQ@d&=ltuFG(9GaKS%6V#N4h~qj|AlVedk_kE+Z zABWsa3My>WVPZ{|ulhhspI;)YopQ3@9T%8kyz}Kl6?RTInG@0%5f!Pf@W`hIi(g>h z`)c^PS5q@)c%N=>-W@<=Sg9!viZ8Z?8^GhYHqchckyu?@6WJMQcq*uOb383wpC?Iw zVv3_nB6{Y!n>&7d|N1Ief*RB}K=Uhm+ppjd+SKwm_1MiJNY)B^P&5N=O(_i;0 za(waq9mWl<-k2`eRZlg|JVY=I{v2J>*Ob;|iBdyI`e7Zp`q2b(S9&7dcWW00CAfgy z_KlE)TjDUEJDkP+MpjlYsofJypXPSk&9@fcy;+cx%1A)}=Fhhu`>uKwZlTl58 z8m3n}mL5)e<{^?ks5DeT9N-QjY0Xw>)MD>ED)Q^bJ|mOyq_b9DR$(22??ZT6?Cwo5mWsoas{3uky$H2a^^fHVO3Vc*95H!O3l_L}MaKwuCLJnd7B@LyzPxM~eJM$o3|-y} zu4riNRz5=KTJy z2C9n4>Wm$)STeGqc9~FJ1izps=VJaob^pj_p^2g^%l&z}qT)ONLRBTEGMGa$ksYIQ z`Dci0GV-rDlTwZ*n$3zx-X~MU zk1dHtqjSwTmgW`)3-*l};lJr7%@uqek0QSzxOkKy*5b`}p# zjRLmb-?Wv1iCp2}4|O*0&a zZ1T)L5-;X=-YJbTB=3FSW}BLKP3bdT{iS|1HOEMPX<<%Pc6yVso3JUji`iIM81iYR z`P0lyn1KOmZZ4lNF~=BY@94QzADQbjo-`W`oz4KFSHK>JxY z3lNNerX;73%^15(%tpLge48xa8Rhr5*w=%WChks)#k|lJH>)b`1!WQEMqksw*Ztxu zlQ;N3yG>Q{7_1NG@df{oqJGzKh}_`^ zxp)7{-37-K-V z1|(o9;4eCp8T)OK!;7VTeIfKZg|hgGhO6r?DSya#t(6Q{*VqFguh(w%`#+K*FD%@1 z-p4CSALL)GYr(t%QRvaJ1Z}KfmtJa^YG#3|(K8ueyL&AIOER7(LU&DDCNNB4%cY{w zQMz@FsSxN>BUIm5u@hxKsli?=)`Pu1^-V1CchB(Sqah*WQ;v#(G25YF%>bnlk4iIn zlciOKrDX-L0*uR@znq`6?B_d@{d5BkcyrIzx{VF2gn1%)5Cb|DP$$V#%MDvknIpvil}&pS3?58E|!j^5(h}~gl+?&B97jo?$C<$k>o`YUX)tDF_So+y$dO5IP z%#Bh@7Ld@c_>L6xT9wc#9+@;_{Ki)w&HclaLiu6Dk2Rbs2WZT)gyN9pamK3@WTsxk}PZ`h{UNYdMQ zcm`Hm8`*W)NXV5KB90c41xK~_3S_Xw3mjR)3cV2?-*gs+KyM*dD0Y2Y0`cMYeZgG@OXOQ&7 zD;V?(l7V_Ng2x?AcMflX*YRule^-eRyEv~y zqU?vCn$NxSr16LnNOilLah@j*?v2y2HsRNK>-U`YANF>=9_TmimfN{P{=foc#5N{0 zQwYu}e%1%@kDnY*c#bI%0Gygteb`CakU3B9FFApJ7h8?aGqq>4rz`!&ooJTx&_%c1 zfqoyc%%5w(jA}sIezqxBjP#u1&uPG_he(8n^54z+Z?~T8I7J!!KUAsI;t#+3{|NU@m6TyW~k>sYwE^6G|xnv;(*q^5JfutrsP--ZrtfZ}5J5y&0p!hba`FyEx~+jt$~|dTIfk zq8)C35e@tvbA0#BX304zeZtl=S5|lSbkYBtBdMS(@rFe$W{7jg`sc@mZKint(DSzd zPsuxTaF(iRT22nLq-0BGW+qq@E^)9r?lqYl7dN!o7aVtZgbf<1QdCm9+Gt7r4<=5o z@q!x+vRe~>_3t3o-TObCg-m>xvK>aNtE#J)tL+60b#zd#DNTfej{P?|0hBW|F;RPv zovM*&{7vzkyU11S&B}Ayt+`07*NIO_bD&;h1ztB2^C_{b)pzrH3cY1&4= ze}5wrGuIV&vR%^>u)mb+=IS~yFo3`Hg8yGAI_|f4-9-X#Yx(~^Hz1e!S(RQPD(!e{ zpt=7=kL}W?8W-gH&-C!{a1O)j*49=dw;m7>INj#s<&EVqocCRQ!eR1h>`UvbHw4R981$(&5Y~2?HG+t5_rFFIVDB1M8^Z4r8_Jn3~Dv5#4Wi#>)%#w` zD9aKxTzv6klhMFZIcEF)nc#>9b|o7Xdj&-n4140h!O$H1}nnXM+#X6LP zK84p(@jX%V{xXbOVZT2rP)mG1Ler`T>amdQh3_MR{Cg||7(!rN`b!P}{sVMK1$*C= z^H7Z*8gtRf++MMz-JSwj%W+Zeo!l$^n;9HaFC~c)Q_hPY9!nqW494}M>)gObMq|_8 z->Hy-%59Mki3rE*J?!3>LDBsWw0c%O*XkCa7#TS^=qM1c{d+)c>81rq4&!P(eg|)W zf+O<0yc+xA1tAl12K)-WW0kM|by@jr^@9+)nJi$H~7|S#qVoJVOxZ=EMJ& z?|73f74XjQfM+2xBluHJ^5eqls9I@rl*Q=ospjR!~qt3w#AtsM8oEA^hV0 z^;fl!pMVE=QIo;^x1V%g#xrQuyu@AOFp6^Pn_C-ico!ZXG1jwy7ygZ3wE{SNqNu3n zK;6V7#k0pl7UF0v;nBEamw&nEM~-?)Q`30E*wXc3w!Q}He;cCWrz;BRzaZS#8-smg zIgINov$N;ISW9BDb);K2nXc;2~?1$5&7gB?o zHR3;h%z!Y;N5*?Z41aP`I-H83aoyBL? zYlZq1a!0)gLCo<17T(hXiHt<8O??Xm-P~-WaZ*-R-Wn~YI2vp4!se(Xc6N2;swASu z#u@_-w(INb-*GhyiHna5S)vN{ZGjUI=yYJ(D>ol-ZAK19h`@A9P}wo?-vOVgg+rl?znkeX`^RBF{OfyGWzsyWlRaG^O5HRt; zy)M(h2uKS^DS}G3)PVHR-6`GOCDJY3aP}C_&g8ffo!Gu2xO7z!1>;<$^r>^cZ9yZL@V)?FMeL)rGKq!5QwZM zVSnBGg$q&iImOQNFAxUj*6x^_j=^rXbv!la2D+q^@;%#%AEgf&^XM*3s^Yw|D1d2D zR>qVS^j?dzT$>nO+zs6yk7Jn46w1Zu|LrrBH^M?af2? zjoOLP-stsAORXd)aotLfBpncKMl;26?vVx3i8SC8v?)0F9k`Y1Ih)6%rK5;~OG_7V zdsT8O)vG>)M7NL4Xh%)Z7TMnB;6Ke28*bcgcBnfW$$Z9Yh*hfFJ2;3`d!G|)t*x2D z^Vw!G!@oM}6pe4P*DstnwDvdu7|tIj19vyn;$E{B)XTYx!oM6Ikq#myS68#j)cB%T z6OpR0=j*@XQC3NK?29B*{QF5D7UqhhnI>daBRS~$D>(HY0Npvcs^&bQWIs>1w*mb( z)Cy_gazCY2@#RrDA0Te~6DlD9xipEQ{5{cMVWxNE-EjxjOytfCBVQ95HY|r9bJ%(R zxWxc95GM?r_3lsq8Ucouw;R+7dwI6r4(8aSt%c7&`nK_}_K!l>$e-KGuTA3rHI#pz zMZvlb4zl>A9>R^^gZcInb$EDqab?BX!681--~NwK3 zCx8Fr&53gDC-EE+{di+DeL{_I%;Do6@Rgl%Yp{}5lITHhkob(PY~Ud?~C%&+AF z)l3x=|0B5ZJ;HnC{O2Jz5b3~_5g*UGF6%CFOV8eD2PPZJtt7qYac*)7ItLK_(V5^77Cpw#g$F zBLmCJ%b-f!T~0wkopfKU6t>siF1h4gB(-o6;uKgRQg z1=!ia9Q8KfZhpQf{Q$O0!K_KRJRaxJ%DWM|cvC;LFUs+3!K$8O_tlwj_Q(lrC4j+e#uT$}f1x zu;}`u@fMxzXV7>kf_wJ0XiTh<>EZfFw5}`cP6teEi5J8Y`LTiY#nm99icBCrJXDRD z!BgO~{qaq>Sgdx-x?&z>=VYhB`=$c_VZ<}`l%TilGg3}YWrf+I@87>Czxv^)_h$F0 zj#=Yd=6h+d|RfP<^HgP1$Pz4*!kb_S{=T@rI9P2^QhJU#YX21H?ipv zl_%2}#_`LoW@}D!%V(ce+A$W#a*?@h7IraL%bG{5(<3v|)1S;^duFc65yup=MA@zG_Lxn8j zjavfx88md1gOOeBGKLcL)+TjVF;omPBS{Kl=R(5-%Cms_;~Q*T=ACGuC^{5h(%kmu zd*yXAlhOLUPDb^d=LVY(kA^Y=zuuv~y0nD0+KDw7KEl zVu$q7aK(%2{XRjxgh>vr{RHP(V0)EYWm6p5DvlBT<~XZ**JopQbzjd1LADh?5Dsn$cnY) zz+w)|IIOj!0NEb1#cBIK)tsp4=oP?vX;%(D=~VyY(DlawFo0QI9zgO7y3_Z$ZT7zV ziGl)W-|%^D&E(eh>JQx@>`Kx3dFa$gfA8!LFiI+R%-ft9O6=<-`>`;I&xMw<&rN!L zP4L(89r64>d|+iU=w2{+;A&#fhpE#`M4XjP6wP|eEjCg$xpLM)g__s#3#a91&Bb0< z{lyYXhI~TS+Ehff`OMAz!PcBtAo>}7u2hU{m3bYj&^l(H&a-p&@*f0IR0E&}^!1Qw zlHdM1;66f%dh{}6<1#eh{p}i4axf~IFn{(ijHA>f=N13F?@M`EOalw2F{+25!S9>CZ+oCBZBbvYl^ z@XJXZb+h-G1r=xK*J-*ps(dj$GfCBH9e^^$n|!>}O1xjUhPz&wPV$4S-h4Lf7?WON zNak`Oh>X9=YKjX}@$xX=GnW8u7@@~Znt$?ux5sS(NXLI&$olQ*WC(0dTr32fzwB4*UEk&*azx<((qjJdabkM{CqW^9;jwZ~oD z!#pR8saOssAa(h`P6>l`_t4JLkZzenz}kSz$y&sGq?5pv1>rS`Dv6_NB zGzeU1QeORTcabB~QIJ(G^pI;`?WpRlE3l~7vP5pwsu19d-VsB>s6`u;qC`eb9kY@u zGj@w{xk~IQc43Q2NXRW7n(bqJWGXMXV;auBVqdrN#&e%UtcIx2OWlooSBUYAGrdB(%wGSBwdh+}dalCFIQQSa4 z6{5&PqsVSK+(_B~^HMV&!kQWP^s9H>{YFhR_N%@?PV6EMf^awT2PM8dH4Dfu)89D0?6e^@4 zC3M&~_Y7PQ1|;+VOcg|aGXVvDxfvJGR>}#gD)Pp1JXy0QQ#c-zS+nGxaR^_mblez~ zB2*z8IbCA$)KKNYyz^(=HxO;*8a9L3X=iQ>X6PMNq~jd+R_CJR+o%s$3*Vx+;q8rU zw%a{eDsq!4axT*1;;3wRxwkf-sk?rH{iwX28FpDM`EEcXEu%dKg}NRzht?5`a+&es zGrZp@n7w}`JU0ZY=NIROj)q-cf7cg)wZNkZ3zZ;b6q<5U_6f;(*m?%g0i-P?(QDMj z|E=Cw?P;2lGW%X_+EY{^eR`yv0FJQ;Q4%{**r%e}JF6?lggGOwHzoOgZSD<3oDUQT z8Xi2YdbOO?j~UxZO>KB?-AxP+$E(w~uvlLmNNHLLZA^f&x;!Yy9Ge(n%?&{UMgjf~ ztg|?@LDHr>=mORJ&d>k7nL4R2wOe-!o$qsa98_QDO>OqUvl%|$dGI39ERc9 z6J?i8%{sfRu_6(@s>E=EfDX(A{Hj~K_ZdACB*;1vE_W}`*C2nMRVa2tgDGkj#ohb& z;b>s3A+vXopW}_5G7ca&URUt^oWKSt3Gcj$puzt0SMa40!F|;$?juWs`+r#|98_WO zXe9jP|G9=gj~x#5Mv>-gfmD(IEbpHaDMW#UU{s2u_~GsEas3~^CG;Ax-D3VU1pS|_ z`_IRC;~<5MhzL=l|6c|-4?Mv8714)(Pw1})h~NmR-9~s%|Hmx;dJF!e51m&IAru?- z&tU&Mxc?7NyaA6Y=-*Xi#X$szKQ}k`CWEjpY5<3KP*4zP{u62)dGu#RCC$J-qFuV) z5~wKJSAqGsG!;6_C&>6vSH}RiTe|9 zu(oh+i%`94&e6C{NQRA$+Wf@ZT@_+j}?Icc!bwrEc~dR^bF;HHFTU5VCOFmTKbv(S5x(VP75rx%f_!x_`fFl+h;Y? zgF{B-{@CI6zXST~7b&9P7va96bak1_o1NpB#%hyf1b|DXEro9XX0`hWYbL!WQoclT#O+)7aM>nk~*P8+Lw z6r6p&Ac@tyv$O7N>{z~LN4%y>eUFs5LwJbrZ|ew)@Txntq#0b>(RKZtKF`IZ&OvyC zRG?`EazHq3P2J?SN=*qOI7(ocG>evjy-5Po#*rfq3e>p8cI-W0yXo64N_$3wYSpx~ z%JaB*`}oYGAl%e%`C%~FM7^h{t!?2L37?g~;jpshSY9naPE5N$-&rf)`_Y7L1E7ly zy=zw`C8gA&v<8-2D9OMr@CeurRyVoj*L!Ci*G0|^+M9xz@)ueeIrAFZ_CSd|8VldQZd9Re95d_kgGcn*cO>qI#>D~B_GmzY zoPV#K8r&Fdq|Vbx=d!|oZ-EfSEZXWL3s<9@<}#bPI)}Aq3>uogvI)E+TTVOEmHSQD zf)`+PZkLB+GJ5{b4hQ6jyHCOA*UjFoB_%@8G5xmtId;(Z(q*^hZW@e9yW&St7xR#; z$(ZM$6y1z{AHM?Mu1|XTK#BymTZ+o>=K)4I#$3fQ+=K)?I?`pyb% zlyPpcz;oaZ3L6x49Y<9)wJ1{X{SsGjDC-n3Do>oZwdsPHZHH*~3t=DJV9v%mcT$ZF=PLZB8wJzPUIzI`^s<J30y+5wOG7Ew-C%N*juYU z?dcH1bm$;)Q-L)Y_M-1uQj2KI(R71}(fTIOkG7O0i~-eLy?5*3ZnkL+DfMG{b+Xli zOchpAiV-AQ!7p9WEcKUwuBu#$f(D7XWlNOPtqLIb#F{2JM)`1UNyBr)$+C4O!QKDt za)TnO83J2|n1HyBIoXh@1}0N$ultn_=T%6j=BKF-A?I>#G;Ai_pP_~WXCexHuOZ^5 zFRpg3ukuq;76RCNLki=e$~U<5KVwa6YHjdeLnWK4_`QrX)=E#G`$Ik#yWO46 zWxoN%iAig8)Nv*BjvLwRkhMlf=~U;M8XPwAbvhhTpHe4lSCON&i5=ASygan;<;h4S zuy`j45rIS4kCr#7B*X)QvvBKU|@0zqh)b zeR;k)H+u;(X39rdZHuumKfQ}J+ql8WGBSq@(&xqUURBtA_doMS6l}FkE)f6FOH|EP zgXvgpBJ~zcvbX{-r=F(`@B+Eq4g4%?C&=<=!+53Cv@{-r|HfNhqWWjgo#kCUgN;0% z&F5!9Htimdq$Hf}reHyCrK}eXRR{I@M2uAB<=DoO*LkHf<|3zBtPv~bK1@?)o0yp3 zrC-M%wp%_JQWz^#WO{bSki9itC`u+-nnJ#sX!X4rlyo}1lJ7yH2vI>o$+`W2fD{E1 zfb>i`pr-puo_UfQ{q*%rW2B#+Fgli1uwrb*4^dK9PC;`7^uDm~=tIZ{=EIysqQ5=%16=P-2jb{MXM?2L(~w}o zyTZHHLl|pha+WwdjSHN@Pkm36-1g6USpr`s`7t|AiZi0lsNBG4tVv7o%q>rJ*zUdEVD!C88AOd$$XE+o( zYbww7-#}~X=%kCEG75vTW0>=Or#bOqPiv+%x#7&xBqVp#`r5#6BqHiX1yv<3EHg9Y zy658JqDd3;yzwYA{i%c^GlVvvzBK9LNcsUaH8njn7)R0s#KIjHM-mR3v56c6hx=%p zk&Xm2b$#j~Ruynd%mHC}d{Jo}|_^@?F4yv{+HB8Wq2B>G7EB2Dn(a{DzZv&W3)h%IVbFC=@ zarZ19RuY4sCig)Paig>1F}uec8NVO!+Cf5sV-!wYj6RB^oXNF^qn~o?Vq5c!C1w0* zZdV){UqvZej}F${seInkn&sAmAM)136XSy6*i7?dL_`FV_@sgPD_;JG`3b_=0djF% z4DakE0&8*2&CS;|-jN!z*uRZpuQjG6LzEH$UQ$Ze;Vp)8c)S=#k7-}-+8ZawmGe0F zQaSOy7zOA1ua}^7FW!xM^zOEi=ex%NCXhq1dyoKXCqUu2nVAxVK5@d35ubblI2~aD zhfR!!SAgVLOTP(`3PnanKC3kDB80s2uyAttir$_lN1~WDKccSZ_}zJXdd&yzzb4xx zBcz6?>Nu)JQWZtXlD~0bR-O+lT@gtIUt@w=DOc>r?s;_qI5kWXt{T8Ddf$8lL|2a1 z;M#aBjTunhq$wQlFeo)R4D@s~bgEkCWmfZEduGRc7rYow@XUId!^^=9)(m@e?KHL@$oDL%D$IdN9|l&-1VnD z0mSSM^K;kpjpeaZ}zI*r|dC>@Jh0(aIP~ zgoReIN#M)2rD!2njihFimC$`f&Rh*e!f)Yp3Q@IFXNMbZToS+-;dwcy_h6VVQ}lwX zwgVYB20|COAr*vIp|HtD`{a3cEH+h3pDvdA3k5(8viI@rgI!Tb;8i8VD8bC9c_#~6 zc^^&Au15|jEJY)!sj32g=Mm4ra8_zw-gZuLZy1qj^kA5nuCQvc_I*j(a8=C^gIG<$ z>x+Hz*WbL;WTJZ$AnL7_Y>&n(Yz=J!ak0IPC~yq6D2Z{{TF0p=xcNh?X@<%2BJxSB zD}<~02kT2XQ`>WL9-XE|4a6*$u}bFE>`4=w)SoWLfiV^ptwkyJyjp>}<=G>=lg*EQ zq_H<{7;FwzMse4!d0n{85~5VDoNH8VW z&WnY3nTs8~;H+NJlzX!RnL9n7yUwGIFWaPX+4yW26#9)|xoEkhq=dw##&)8}coJIP z=dq633(Sq*W|r^P2ST=JZM%nI!8*PG)t8RyCKzZ0j~#=`~*i~BD_3A7-`Tx1XV zY?9BfAzf~(_DCY7rKKPTy=m9OfDCl6;w1aEk%RY|fh^bF>>Fx{=D-$r5ff^F>`8%m z?e~cl`OiG;>(r%egWAepC+x*){m}XmE;-lw=nK>~uxa)V{DquiAM<9r9Sv@oR1%wr zTj0|czkM`T!6zz!xhcP5LKIXF^}saz7Q->;lV~TRHnD<%Z<5~uQ}paRKUJS$_%G=C zQLJH!ZI2BrSImedDuFB^vVB~;yz2mR>*+|Kq&-&sE%GAAt+pxW%=faYsmw2mb?^?N z8iRKFENI?frixHJMg_@ut6RWFrT8~KZrjb)#iXaV``<*}nW&BFPq8MqA)B*sB#ZB1 zt4WXGB>USW;fcIaTFgpRItRH!Cyd{5Yuk;5sZC-A|#V}l( z(#ca@R*dw;hZJc{!|;iFNeIWS3VjjX=Z*|YrDzh}^ZinnS%iOxO&%jP#Vs{R@x z_33^m-)u2c#@CR9k}332s1u2x*!8?KI6Ae4F9b<{CQel0r=~rtBN)I{vA1u{hGtE^cP#%e-!Dg=2 zOl_o&YZEK;9_5;HAIM$S5xAVOCp|FU&K*t)Cwm@~&zqKWxG9w=#qXDHyQa{W_2D-k zAQmf>IHcCzAs-rh%dOXJ-Rg5{W6y$tG_0~wZubn=?wgxrbOqr7-$7LVSSse}u}yn; z5uu70Il)AvN&>I86z+n`m#c%Eke`tuNXRWqPh9m52oZ5ssaP4Rof=P~LLLPr^xtFC z4K)Z`RzTH>lYTE1<~a5CV~RAL?|Aqy?T@z~w`ao$BOM|L{kB&MYnz=9J(0qtWkj46 zW>(o@rYKD26>oG_U;hNiKz+bLd}O?Uk5m}icwvhdgVO3PIp8m-B?0k;WI*St z3^_U-+uVeT@-Z8}@Me5S`$FsZM9unegsjG_G@YgamJSbL(bvdzs)Ji?h@*zV zcPe5@Q!HIIu}@uDd8of%QAK4~;pV`i8(P4>ac%$(0?*L!j4AanQI8PCBLoeiRF|e@ zBFz^-uV3eW&I^I~`}^~gjUI}oNSUKzc;E26^t}fLh7y98hK?t<8NSY94n zV+sOU(XREXWARu`fNlX94!`|!wN%QXcc(2We8 z1mDTDx4)mAl{K2LcMWtFn{)NoUvINSbke>;pL3eB0z#?tW$t?7x%+GU|A9yV%|Z;j zGd{(Qp%dddrsK@X#YJY@d?tU=fL>>(a2rNdjvh%8> zCr}10_rUJn1VjOsz7hThW^adl9+wi0&m(EtBOLd%j!v{Dt84KNHlJrfsNBTJ-~90A z;FL4eJD(i8@4o>Lp`7c_XF$yG*m5)nhziFOK$vW9xiO;Z(uak2^XGBu5Z7;-ErE(! z^M2EC(+h_ft>+Bn^84fbdiM?uMd%~Crq67X3E|cy=K=hOS2LVyZl?KG=^00{91%Y7 z&^UGymI2MGeUkxg@xN#aabxOF;`CpPMoB|)lK z+DZ6%ct-H*mbU>-K^dRuq3uJ{=U<*_e8(Br4L{S%C-A-Br@T>oNJqcMeOC>o<;O2h zTHH&>+P6?Yi>}GCO2-#VZ`n9D1~%%8t|w{C#QD^e-OrOa*s9-iG>fp+ z)?_JAH4lt%^z`&VoVQg_a&Oz&*@*|n_wX`L(QvJsI`de2)0M38?Dw1XatylL#a>uRAJ()X0!zZI!HVk`vT`YPPuMEKV)PX&& zGasUb#Cb?tYZV!NoFRtn0R$H=&v0~yT`Gxx%hFz+n>!mVrFB=7 zG~WY1)jSY6rxv8dK|{pO>DK!hGxE+nApLj-!vorkZwG6b^{y#NTS-$DKMaWzXDVNb zD4+2CVz`BHyx%^ePMf1rcP}2;=Lo1j2hYbpX>QLec~-4~E*v++;_coB}NBmSZgu1F_@d!P$}k@z?iN;}&Q2 zww1WzPv_Nlm2@q0r|*4D=2cWKwlyo345b`Mb?mVC5-zg5ui)t?>?Paa=;Gpm z@b~Bv9#A-9J%|U#AKj)r!M>BdgCqf3pkn=Jy~ezCt!gE*~lqQ zt>}>7Djm}eH;+@!K#XnLuGyDgv%ahS%6m^zdx+kMIq&M#mIwv?Pas`9z-w$v(9Ly- zoun$7V}6R?o;OzWwaCv+LlyqkzDs7+>L-axP-;?bW9k?zV1BvF74pU9J_}AY*!XZvV{7+-(-^=SS zbL9s!QMM*5(WnotPWP6;m2=KiK8^d@!?-7wvk0xfN|ex4lh&*;*?%fE$^4SdWzQ&= zt;A#CsNU&#B#Pe$zE6Y0D$<oa-cZ>XFS$ekoub&u!6W~#PANrVZbuWQkz1f_BBZC7N;NW~0sAvpssB|(gt%hcfy_I_|%}mQ-ErKijmM@b=O%-0;~3+g_n>B?h`{zLqX%x zp>*e+A9N3Hp&)yI!GrVjAe_xw=^-h@sO7SdBtq20!_e1Y^~(8z=AteB$+^AMCvWNr za1^CuSD;`;CONDz7R%g%2G^`Iy(!YQq*;-SNi;sP{SyIWDvY6?k7T@yaA}}u2^6V~ zil6hW#N&;B1DBjmo6i=|mxWi*Dx^Hyh>(zomaZ9 zB|?<+{(cyiw{JkcdC?wQZo~}|j>Nf4Yt&E;Iw8k$%|$XP^;o9V_Z?@l?15xfmF<>| zaJ4xHTwJ+zuVcJtba*o!kZJ&U258Nqj0!?VMGA~Tyto(J^F)+R3ZdtH?4U|qo@97) z`bX(=!O0a{tni1y_irK-4q!!=rIvief4yk`)d#JJAexWv-4nT&-lu4yaQvX59p^bm zA?yigZwd>xF_s86kJI%kejDmSSAvLu`T*ZM*vT1d702vDqn7xHNA{B)*20|188g(S z_(wAk90C?G!};VA^nQV=;m4%1p^ec2Uk}WRwX1hD*?bsaaRw1t$o{#o37)7mi0OgSS9kL(5v`suKpTnMG-=Zw=vi-B@Q&0eW$jyt9S;#(~yh z&**X%&KR*IgI9M65MOcv?xB<<;3({d%1ji~E|4x4o+V#-zregq)jq zDEd^fe7|>365m@u1z)n+52d+Ie5T z2w#>MZYCb-yyRywL+uv*6|_=Gf9oce!_Mo#oNFc?dV+8diUY%8b@;ealT0WiMDan$ zF*?oWL&8bYO9O$dAFXzY+iLdOgbpV;oxGL`I)L|>&T-6Dr8*rqG2;z}>DbR;P#bJO z-L^xEXtl~_V@EVa<5t-?Zg(egcy^0l>FXX0O&RBI$YFM6YW%L6R#evzzi2F8deX8BY%dC3fxImzT(zG z)Hzv>DTDmRRS0syH8`tPMj9SH@jUF3z=k_5WbHoh-O9t-e2^=a>TkX=Qx_{2+BrJY z;C(G+TMdwJKp_zu;bfetN_~?SOSkCEM1HCdOL}F)7&<(xvXW$`ct=2lLKl8|yW)}) zXOL2J+@FoM>4uNZSoIR3S;VSy*htBRW7_LqP9}z4lk!YNOlaB^#qz5ocbYn3It8$Y zBdb~Zl|mlK$;qPtr7Q1BX8N)qapweaNmr^@dQ(ynn}Tuxzx#Tx(tF3U;axkNh?wA? z)EEvEB0IWP@co&i-Pz$;-dCNeQC|bDX4Cq$XqtZ=)g&}CWGZ8;!=r8Gz}k^;z)?^; zG!`4Ip4VGP4tyc*(DEh?xr<1OI#SDVM*K`|D5|EJZL4|1%O9f|vCD!c`7;Fr6YIO} zS`fH~C)v3!H*ZX5=DjQvoHQoAhRQ=5yb>htmaL%#&|!EZQM?+T%S0l=7WMK%ZP)Oo zd-17odg75**(NA4D(jO+K`ckkhwjRgxrGhATxlLhfY2`Do0*PRIc6hPRrCxD9}El( z<3|~#KOk1WMVugoq>@#OoC+D{_|lohOdrhl<0p72G>qmWxZr})i=KSty9(DXczfW4 zoL+8NZ(_Hny*^hI0<;k`;d%m6TYuK8>Qkv)$r&rPd{>bkT-E0 zJAv83EIaFj?{pO8kRQVanR+4}W`mG0H|&6$`N13|>@-exWU->STwp5NxAQO~To?;| zvw$fEMp+37Nv2DL%9H67ee)p*Nl)in?*kfUax=?ZOnM$!)NZL?jsPf5*VwDJuh347 zTyuufk*BErx}_fcw0^NrFY|jaU3NS5fz>wwSg=)@x_}l$KbTgSqB3U>a>?h2b2tEA%iQaxL!gvI3GSsDb(CZN<@1GAtc=TE}5oAB&3E+7^2z7N)IZ;f5oHZ48>X4*LqIje+kVN&yr=cHhx+cd6 z+ki=u{gx>xs1F``55$nt$-Q*3H2qL*-Wxl+=;X+x^9v>d!nSr(K%Aq_x9ET7 z&CTB!({;p<2Ty0m6e9o#mVm6X|FSx=Y_4+uvxSeUO+SFn#0*z z#5!>ZpEFQpn6V8JhAdNV37D^2SXzcdtgP-!O)B5n(sno9LF*@HlTZjz=A81$W;~A=$h(TTr$}a1=y_Z{H*!x*25n_J zjqo-IY;==&({=0_%rsF~<2ym42eZVCN>F4~y4oMv!<(BdzLX=h5e;%B?h6t9?di&@ z=gT0`DUn+o9#yZ~BXAT-H`V;OdOtWTmfbXnD)G&plm^CX%5=WeRd~PChZb*kez*#M zZ#6aOEd6EHdY9gnU4P)nrxkCZH+NWXdJed4R9z8H+)X@=@;;%&eWit|JC{eP#&+# z-~xc`aq1R`R#=U#FOM1GmcSUYXZ-Xsq%Qlfi0=|#XvpXQB*4NR9^?ftd zGBe5{#d#4F-w_4zX|a5b3dH!)m=vD3HB zylo)-x4X#&a_rfQ&`>ppkqDH?X82OfIGMjqu?vN%d2V8VF5K=#RkHm%d@cy`i z{u7niFD)JPvRdK>>-{yjZ128H1e1}b>$g9+Y}wx0DO=njU{qUulu?x`(X!Mi^a)y) z`j&%}M#?sv>uwPm6(#E?lH!mrDFXrRLxlV(&)$Rd3~nQ2tRLOPQmJ2WVa2l|p-2dg zVPWJ^qWy5+HgjS;+BP!yPy{!ReP-ZWKq4NV#5)GunCJT;c~o`HysA)s85 ziPxbcptt{t%Vzbg2y}axxBW;Tr-*>+pEzv50M&<YLb2Hi0^Nvq1afrkb)wOL~ zK#Hh7Lw^Z+6O4~o#9e3WU0Sp&Lz>2!RfQ=C;c?Vgtt4z5A{0b6*`fC-RZc49e$sl3 zygydY-Wg=ZKK$iLkkI1!YuCIvE1lk%%C8`;q9$iB{Dhc^@DX%`saI}RIm^mpI9SHT zyLFN_CRrroAbk%8v$?2ccg65#MRL$v1J_5B5e3?>b&78=A0i>u*g7!Bd_1dF1;pd< zc%uMq^#$j&>s}X7HWV01eU0u7`Gfp^(D@yFIsVv>kYY+8hnTk_<@=_ z^_t+u&maXAufj#6qoY2d%z?lZfeIsb9q)se`_X>DS|Az+tuIKNeug(UkZ?o5AQ9_S zeE*c82x;T>^YqIGJDwd}+VZ3GV*mTA&>PO#G#88}Uhthxmeue0I!U9njo5=7Ae7N} z+|jyaUGApe($1fQv}~&GSp_qBo}F6cedovNn_^S>qaSw-^v9FqwW0<#ItPb8PBAn4 z+o_wuY4RILVeh~w>}pKK(ZHusxFRhRa!cgfYLa1i`}(FUFvb!x3AnJnXJD5_s(UO< z;CR`F$AoB8d-V07g9hqwuw+*2EnHSzQzN6c@S8abzyPZeIxoxkGjP4({hCVg8K3oJ ziTUoZ;TgL3JZ-_@Q1X0U*cp|)zOGW&p+D6uI_B>sxeriWtpB5SL+CzUh&u=EpzX!g zDla?=eDc7n>+O>_<_^UF?7;6o|7kB2lOTObzCY;;`rq=3H!{NS%7nc?D|!#ZN7|M4;K zXMzIT2E5e*{Z!naTfQ3E5ca-Q##QbC!mr`5zC z4|{#_e_1&eqP>5dU&_7p-%~h{(|2)+&T0LHqT>(|gF#R?#i;#frrzzipVf!$UOq0; zG@?}gRrZ4fboaMYh5uzw;LG+w9kD35ZtI0?>cZjSfDQa3cO`E`Bk!J!uCo8H(-MjR z!+Uy)-2ZRo)t|+M&svBN7nDK)&=>WnvM9@9r8nWuORp?S*850VN89WHADfi$9RJ!c zP`KeHA)%oWV;(!OgU;_Iw1Wh?uUM?FyDHGp5X0r(;Ja+Cx?Nl*42zFPwms_0F`7jw z#8JDUvEF&g6DemOf4rQ4a9c^=4+`A04ii+R_{2duPcN0;#RZyqhlF4Ulbt+N) zzeS$5@Cp)nz56r2Md{7_VA|(eISJ=E;2N@QLtreuY544omS1Vc?0EHDXU`7>W{0~g zak!J;JsL3JX7=Ye7s97JdTzu4f9XYV!=NfMaB@+Paz-M#3&$X?_?(D?z3W;zn2}eV zn)P2P$y>%aiOI{)G$(b~TPvU7+zZ1E{pV@m_)|5+d@>8o(1Gtphlo(@}mos_QF9s)krC88?qA^#fsb zdU`rg31K$7eM7r{#{ftne9&^3`U;$F^E4Fszse2W|7ji%=zzyve6tg953EZ=`yG8N zcDtN~j5MyqQulls+a8a_6bhE1c$IIReH^t6b|@BH|K7OEr*4h+g&W)h9`L~ru95Xm zel37EJx+h1IcDyyr<_gg^6crsw!vMH#a;F$%ZGz(-CO4Y@_Nxl>DNb_<(iP(lJR|= zSDg$QnSMa|9~l{$2n5}2mwwB z6JmS-IDWLp_$a^ZcNbo9C@_mx>+{Ph9$+BwP-U9)rNSz8S~FiBk86v1H%OR@&;{G7 zk2-RlRi!|9b1#|1HJ$YHKBMY63_O(=%*xIt2kqa$3NTVrF96M#-S=~hlQ(ryQBl3U zy+7;4a8?7o-YiTzJ>Ir;Z4&+E{V)W*o9Y{|JTHg;Egg7^#!*iC3DmMxnu|-aB*wtR zO{#j;oJ^z0#s)|Ihx$bipYo_ED*hj*gvkv$M?n@(4=<~Kt!#rx7F*< zM!tW4ah}rsefIT2VBec%_8ow*1NL!CQfJo*a5zE4?5$TPAa1Myy-nB>l%cJytw3s< z62vPl1*%)%wHR25lM@H_tpUWK+#qtxyD=!@;uv%Y0Tl^7SM-7VK-qTs^=@5~H6-nq z*M(2gJC(*OC#obL>irWm1EG{;!=286vYQeRQKzTN=7G5$mkwloH<%gi(VtSX0{)^@ zQ&rWtJhuVx=qwED@FH(Mm!h0LI9IijvS zRFB~;Hh6e=K1Il9@GUJZrKP3azRNt!`3e*-MS3^``R1Hm7n9QxDJiM*tV@RMi2Rdz zBnI2F6Ciuf(=3(F9nVTs=J_XlqzH)zH%{1oExQGLEvO~**RtL^8k@@yj;?pcg<3{N zefJZRsa93mNgOap&p^`3Royz~E+=PGwU058cYOsNzn>ZOHp|fMXtS`IE_lZ30k` zgMf<2)X~-y5D=Q14k>h)0vaprau?A0aF!30_=}qx?ZtmvRQd)wiaF$T4@Ys70w!9T zqPTA&%Y0-Xlu&e)Y{lF6DtW|IN-2k{CPWBSLp6#`q|Cx^9D@QYE_QbI0=uvOcw`DR zH2sD|AC?44_?8nX{kqgK~-<0<{%`XkTJbUqMH3b<`_b1{^ax z9kqZF=SMTwn^hb=9@rTPPLps(MN7HZ&;gg7iOK4Cd&WRFqHQ6xWdgw4n`Q=`kEG-U z9XmAj8-?aj2isrvr4DW)?zhJ?6_61pFdPDL2cLs;f_4 z2_D5+vy)YAN#>`Gmd?l+I+mrFb`f+9)hw*G7?Xg?hCzDvA2(2O3&lE9Z}*+ z60MEizAf7(xs)K3!D2au=mty$Ao2O~ z*3!vgH8hW9-fF&9=5$-#Gx-6kg*4^?x7{HxM-`3bjZ(D`f!%*Ya;A|&iwB}sW+N{T zvkNSmw~nf+>%PYy5mb~CM5MdB1*D|o zUZfjDx}~K-1SO>N(sgN&?ohhBQ@T-7`n#|Cyzl$@jo%-R;Sjv{oPG9Ld#$}Fv6@#2iRfpp5v$7%UtMSw z(pHdYmG*^jF)}}Oi~1_XKss!EX~k4!JM4lK^AEeIa~(p*^OF9A-{0TvBSz-cl*+G5 z^PkIk^EkXx%e^yQU<~O#EpOU1{(45<{@iiR`3MCHgapieQcmt2tFoET7wvwO!^xG5 zS{e49pIz`SpnF75BDtcz<>Fq8IP+^ss-mkx$jG`tfZQ^Co!6owz|^h4W9bZ~Rizc9 zF2H^IR90Czt8j13H_d%+7418C#hsFp_>ECTK&jp(q~&Z8pWpti9@Og~(Te;aGUp)% zi9Gwt_P0vzmTcK!KjeV8p6?zL-uU^&!6s%5#(6XkP1qPlqs!m>(X(HBqpAX@KD|1} zys=yaQb$YMxnJDZ^dww<{rCo)6sj7_FcJYJ60|1|D)h_cWXA1nltzEb=V>{M)<<6- zf!4mmVMS%-R^~Du(*u`_8E4BMfGG96Q(CnZd|b{AAXa_{c4m`$)z41g0u;s&w-4_z9;Rs@YHBJnt!(?fwf>xc6iYYV3SJ`{K9v$%yGo}C321&~ zOB^%v6E~tyvK|1GRu?I`_+{&}FViLUjSI&v;?)}!7yv}k(w;r#c80<@1m#o6Y4(bL z@>V)clFL=lXU>myz(}es)hjErdz#a~HJgW(ltGta5#PCWSPT^!g=t%*?do6HC{I|I z9&L_rIZ5`!k?8(lHJ5)gf!FlI9~|inLxe5h@N}ew6^=V@B0OyE%Us)W)w`H|qRW5} z%QhIeG@P!8I}Mzy#Ch@SWsXLqP_;qI=q!4^7Cqq%hzTXS^=jvPIB*UgK#a)(@AO=)HH7$8F!sZ} z7Z>z*>w;P8=w7j-6|#N(rp@cgkbF0JM5G4hnDUW)aJBaxrT4w&r_0XY-8u3gGuGeudiKw8`U!rHTazMrPzde zmnC3Y`94ZoT2BCg9M19g$*i&hiS!qQW#1CsS{$H~Z=XKRYVvyYp$c{};(FQ6smWRA|%4$e%z#$AK09O}3x1kmze z`tu9!KYp;1JUYP04S`#Wt{J)TxE*h%b)}F}*PYO6557O8wh>&pYxphL#+UC8tKs*H zuu2XR!50Uxh~FnG2I6E*LHBmi?C$VfNbuiluB~CBJF(q4ysatgwOF6FtVWlMWT^cS zrhI%fAM*YEnWCLGSwFYg_)9A1?TLnuqk~( zQM7YR=!csGg1Kf1ayj(lVyGL%zy3lK!3OV7VjT^PqmU zi|$ME+weg|9&zNJSmVWQnZ9B@tFF%~M3I;wjmZ*LR8Tq_`&?b+qDxD94EWD6A4r`- z{xLTTyE&I7zU}L0%L#KL)?7~E>B!DZ^DSxF05yG4zv|72aTD?76*IBtqS<2&0Cr!< zy!KASe{}ma53}^hRx#v?b9~la@ywa`UCPaIOWvVZlS$cM?}-2r!2Tw0$)x*TWgPqc zw?s#Of$TQ2TI@ctn<}`Yp+WSmrGJ1YIx7Wkkw03@W)vC1;kL876!|TrZZIn)n&N&| zQLUgbB~61xjV@@3CB%GZ=qqy`*Nmz3LbVvkXKnJ^uSDnG!7rV~4vbcPk53Pr6`eO~ z%Lyd6CqFp<0ad0^m&(X!yzai$#KI}@g^IjhLVl|`L}~)$BYbbGwR9EyDsMpE-i7l_ zFAhbhnaB+$l$vfiG}0Il&CzW9q8Xl9)EbG0^qFPISTz1Cn6_MJVQpHe?`$D@6T8a5 zMLEt*Gn@44bx#L###zzy!rgDjQCS95WM_Gy!lMR-RjI1q%hFQQx}FMvuf-BLc%LEy zM%#nGnt#hDjYFaQCxPbob*9-O)oDY#S5Yet3Rk7c5U59DQ4qfzZ>H0)x({qJW+P)| zqdNY46M)g-iGEWXHD9~+F?k>DE*ayvw1Qo?-`DjXXm$OLEH`cWqAgd|FYVdS+meRg z=qB4<#!WiVjd%0t_^z9H%wXX43T;OePDo)y{)>?Nh^U~xeZZCf%Nzj}iC|;3NHe4A z+5f;woC(=;_q1P|p0IJgz~p2puvThFNH*}OnYH-UR{btkd&1)DnwY1}0oTI9Qi1Ky zN@p!@CrOih)o4@ry)ILwx$VTyvCfv>!QAc*Ts2;*g!y?w%NHxW+o5i%1%(YF@M_Eu=r=Z`Z$7Qh)=Gi!3De^WeaLU>?(%DlKs7&lpcqpG&k zys>slZ>Z~vUnkbzCCBSXQ;{){8naChW4?`*dsN|~Wn9VsZW|^r9D_|($A=&AY$&1a z{rmUiYCxa*-*dH%4C{v=7yG?7x_{G*Pb9t_YGN4tYuZab@Ci#{K$@2i-TAe(Uj?-k zbM+y7PeM%q>a1B0mxd{tJ$V>xmg@xz=e%WT4~N{L?!uEyc=zInmj=4hevjp~z$vi_ z^U@uKjMzo4+ABzXKiN#L8hJIp`WA(>>ePGj#1 z8YV1I*IZP-&BY4d0Klg{|604?O8>c#1PpeRl^su=sk3s_U-3j;tbkhmp8FZ;$l;hT zdQ8(#e-kZaw2364|5Q|n{N5g{x6I9>mLGq=yH)bFcW`Ne&XQ7R7jMQx#?)sEasG)i#x1p8KlMOD!x=X)8l2gZ>tEN!!b3Y1T zM&%a|K>3}{l_K09suu1y{>6dY=vQB@3v$#mr-9MOQvNlm#4YKjF;T2A} zlZJIKxfpkxxjYM7rx9Tld_9Dfb3934;p8UPZzQgFNWy%}9FANG1n(}D-cpt0ZbQrR z*;JqL;So_@(rQO;A(4L07SPIvx#{e#9Vyq6VsQl@igSu(HlXv)@xb*?gaa%5U<(ME zy4jRE{-9Ir2;Hir9`ZcmLc_lxXXP=oDlisFOR33Cxp=&OP3)CfyElZzsjORz&!QPi z9K`>OAc|4_Zc|lg@!b^rP5Pe&bc@uYHnSx9x})R<0|N_lHqom+NqesZ?KQ)<1do5d zF4Dan{82ZzFQ#7O?~;h65e^V1@F(69dtH?S3-QX>A<#M&J)C3&T8Gv78y>xX+f& zTigw2-FOK!bxYvgGtN(+0H@_%QPpsBj_3tUG0C7k8-+{^S>PHa?u(HK)qmfeJ}4dY*T3NaJYx#6 zv`+Q;E-ta6e;0&`=T7o+-~LEfofN%G(wdW3LJUem`Z$-CrOSnrmP)>+UWWk;Heh9v zO^EYIN9wc7;Ioa$s8=~vsF@h!OoqIwWu@O(ZPOvvx@uN+X%PPT99%EW0=|zT)EhA& zLBGzDPESvPa+;gBGeaPByZ|8(4Rl%bba`{T%+CLxfQco6^!T<8zrA#r>rcQ&7=yR$ z@f>nuJS!x&Qd*u|XSf~k^gy7g{cz)+qn58By0;2PFr}|1c=cg) zJnl0!pS#(mj7fV~^^rN`FTeC%RLtF)*Ph7K9%RnnfZQuB42e%N{Im9JoK`|F05n2{ zuaAN5BZ1Qtm`Ae!N0_Qv8^Q&e0FBw3>q~?y1h8m9DB2vj}?sFs}l(@yga=m)au)Hq--B`8ix&-S5;{*w9fmv%>^8nfLU)J zzMyI5`dcW|ikafo3Yh`zmJ=yTOuv?4aC0fOicM>mj7vXJf!y@V91OuzfbYe^0rKoT z3gIPo8dJo@#YGHC0c7zqfVR%sHeZJu&kt#5+ygBEGUV7|h8h5E$TqmP#`;E6{`Cud z9S$(Rd#Isr{(bbwkAJ`&HIw#ixlhMP?dS5uVAjMvQ_LSxo<=mn20r)Df1M&y#>=k# zmj4<>v&@)NxabFWWk4>&mzg=o$q)*48xv_?7Pgh8*4tCt+lk>}a&0#Jyy?oT%jVll zY9J9taCGe2acPqsN0tiUf2eG~Pe_p~V5=9L>LQ_l*qUv$ccw848RfLgzBt?1F)aw= zroJ+)m>en13hjTkGlFhYT*^=#BD4czAdPF$kf_PyT~*fLZo|Jp^b~z(PnIxWfW)u(ic4=`CnxqU|`6&H;-f zJ79bYfpK-qD5W(tT-kbGCR*(SPoJuHKbOysHtxgoXMp0u3PAPe=V0mxGe1yJb8okx z0TQkg(xISWNiH7aM6OFH#-DYhz+UQoMbV_%fnW@f#XgW$*49f=(~1Z!d@5H$t>hUI z&&@D8hHGB0RDWe(<@_Ohf+`$$tsZdi-fOw_{A1Olaz6D!T@t36Y}teVp2gDA{DA*0 z12;syJgwgb=!g+SYdGVH~OD8f5Q?$mxKvi7b55YvD`I8+tJ z#>U;{zA2zomR^n%Vz_o+ywo!_-MGCPyk*jF(jm14Rs(=tw+HNYVj`XT*gL1VJ$`-v zs5G55F+R@k;sS(_lsBsUqPpCpTl55KKjJJ&+vdAsK~ z$3axix!|07Jc!*Oy>l3F()6m9wzSyp#`OAeH+9ejbiBGCUqPz_^Rz$OIAL<9QrHWK z@?F7Lmeo(?#l=vDm>}slm%szoJZIY!IEr!H0%gw>K+y~PntWfeRTaW${RCm`z|GCg!7l&+pxYziTjloTtAnP?{p>isx;O0)*X$^geH>d5x`ojk zg~eKj91D$l=b{(Px%N&9u3FmKCAI4?;9w7&k>#>R9cIjPt|z^(iTc7cxcU5+4u^h9B9SMu-?sDJvpne+PzkfN0|&5u-|3T zkHU?Qg1k)BA?-Sa+<)nm>j2!<`EjWd}BYHrOim*;v zNxh)+{B3Um1|!fv?q^}ahmKohUBts+`QLSbQ}A|Ga*x7)4!!@|gaP?k8>;m4Be%LS zmg%@Plg+S*7?UhG)u&YXX;+z`y4#yeYWGG!a4h2%xY*2G^f-bL?pz);m-vK!>XGd8 z;<1^d(}Xan0#h$Pa6eEDovev&4J#ld3X1*&S5A#Aw$cMdr8dXrL>vA`gWdVnGdBF(80+_Kx$>t`` zXQA~x%Et%~cwu3&vGIqKfQU%a_ds^j{Ua8i^50XuRY9aW%M)~ahS}xkpVMfwT{i%T zHoGz}8}zxvh1Wibq})mB6dKF3a#pu0C~dKs-Vn6*<4(w@?+#ULDSkB*tDK0G-vhb} z4zH7)HO}&62BL_bYUsFR(~lQ}U4K|iMh}5Pjk##Gc{Dq=`tp>=fz*livw|d;PYRJz z1C2D>9Sc6%7_cY*reM-gq#7pafwO_!e-oo;RCnelN{&(hU_bC!dfN4R*HjpIq$Rz; zl=iv+X8i{4S65-TzrsXH(wyCa74eH5&*FSTApD(ixw?TX zF}Zps{{VXwoeRAe;< z33<{zoM@nlQPem!JG{Y<&l&uJ5w+kr3c+p$jYs@VERp-txS7F&MCnC?`AD2yU!cju z^A`4td5qtYqISPrJ?lz>6iuyL9afWl-<`268CNj(u(wPTE96ibO}06FnlD8wV?2Di z2wV)iECda(aU}k&wus*y1+dgB{#RZO>i&@rdH<5Fd_Pd6Ma3(@9nYHQjPGIW0`=}l zCurbpZvZ_Nr3247>iCu%Z5WXwNN36iI>Ya{qP|)~bZ`qtjz_y4fJq)56FKY9itlc_ zBT8Zvt%nG=^z(XPg_2~&Q6FVG5)g2&y=!H|u9Fxqo*&S$+h@I?)CKe>V0ws4PtOO4 zQt}GQAHu@#BNKEgfw@$>ZhfXN&U%jbL_;X)5?-OLXO>$d80!dx82gtZ32#DOi$2&rPgBBs@Mb? zO-%kS{3&Zy7TZLn#R2{uri1`K8SHkWU+|-J4&G5>Q|w6~&*7W@1{at&f~*@o!g=LA zCYJDR3(BRcr=~^|hRmo|I7FwC6EXmoPdLmZz0R$xa|7*PCA2kEmFwuf9Db+S8B^g) z&4jJ3%%o@1Van4m7y&x7d@z+Lustv9sWym(|p6T5<%9EIed#(^JhBI+njM3HK1uk(%ZGkw=XN?EbGf_IG zdY~a8e0x6FYG&aqs>-4X(G&H%cL;2$7Tk7<5X}lX*2b(XpwFe(uj^-~)3zmDb5eo6 zXg(>j6$JK9Kp%b(4SAnd!I$^$VZp3D4+G?t3_j>gT(d>KLbAhAymwJugT|zE zE8)G9Kad%oykM6Q!9jO`$TvRbM-be|zN5zbN};+D7TGLs0^FK8=2tq-ANFo5){AO9{PHl(es>kB+w%SvAZ$nMVB4w>x7Os}_sk0R9|R^3ZEp8sB8<{C)}>{yi9#jAfbx z(vjT!qfyg9WBU-ScwsuCcU;_bfxpYwdyup@gA1s^PkXT54ROE1LZTFTeS33VpzlTf z)Tr|DGbYG!6kw1Ei&D!~H7vN~M4{YS3AvBNH>J|iYMJrh3OFqlxq+UZ|MNm(vXw9+ zIUzCyL}b>yc1lGOX5TO#MmzM*-S8OiPmuc?uKz+PB4qav{NNTjFrf3_fBG8@|NP=l zL`C-Vv}5x>_UONV4=c!Lk4lQZT36>OL-O-KXKxD|j))qeNt()Es_);=6Ax}Vv`?y* z3>Mr&1X^iCsowo-0w2M8^o^kU!`-_8Bp#eP+2bJ{hwBU@LavoR0mTgA zW=!KbgMcH$(U5_u3hV5hA_wpqes|)OL|lO)Ra#&`EltpsIf9@if(`zI+`s(d5IRKb z;jwjC$G_**->VCG05GJ-U*#zgw-p)R!u=@!Gm6X$uYmsxHBr&sQGXvAZ1Df@^DIL4 z9>fER2XXoTo_+s!EwN+3Q_N`6?Dzwn{eM>)OB89Y=&5Lp3i^LDJ+S&A&wK$Lb|NM_ zuNF{=2}>o-AN+oVkqF~v4hxeGuYbJ&nms%IUhV_P>zxT=K9mBnoX3xRSINFuUxp&y ziO^D-F}k=omu`!{m<^a+3LGgolFU&MYjueIpJ?4Xx4gcZjipXGIM~a#wfR%h(pBe# zKb`-w_e@r}aNzt~pDy0uRK%;h!3AHFYTuf;@gqTW8aZ2kKd$FHob!JkR}F&SJ6RGo zfT-?2-9-rc$+KZwjV%r@C} z^eF29u}c3XnEzcFV0fhg3fe$l?BprdgyDZ5NB9G<{@CA{IY6cU4^pYTk9(%!`QA|V z6qQdc#HtC;?Y|5E9_)9NJKtA6VSi!D%x*O^FV_+X!ASjnR^ZgT#xc)A$=oh|2HVmT zGx&S<{wKw0l@^f;TX)XPp10Ux4m%{ z`^}pzlK*5>;Qrshd%Wg;w{t1Y>0Vw;o12KLO%i00 zwKDawA8|sCE91TL95Ij-0Rii&>Q(pTyN`qUg`Cd2N4B%3d&Q?QljpPi?wLczb?`uI z6*#*=wB?A|WHi#`ua|M_d}Eah;gA1Ihey0BAE<^V4EE+stxKw^4o(h=f6D0W>}tI| zzSunOnW^>={{vmSKy)RiqXH_e@y*H&7Wl$6eY`35y~ z7N%-d-Q&$ay%d_;W9)Y6zq*|k!2H4ABcMOnN54H^MqS(0fxB`K4ja<;0aFlq?jcc; z-{DEDs+F-hrI`j}f94w#-EbbrkfD$Ggk#B*eOM?!2N=czwPtLgo#qW*!dtc#1w z1e2LXlBbs;Y_`QUVFlb{@bOsCnUdR&nCPh~#)lvu zKiqJSt5E2ODTR~cyt?<^#aSxVjkltfXJ%fC%hX@?(Y=smB1TrRt>HIf(gK$IpLnXI z>M3QM@ynbFtV>f}S?7jqk~}M#%eZ8c$rYmSfmK8XxZ~S zsy>Ot`)e03-0E!ixg0D~Vu)3iOj`MCvcqj5E>mjAiTRT5$`EnkMqUoLv)hZ%x29cQ zw<9e{d4b8aA?;ECs2l;OaN=?GySb+ti*JN0Sgs~gqz|gade&WavTuL!#oF(znskJW zEmL}TkU*=f2LhkTnQGjh@z^<&)St#)Sd67BR^=5}Zzk#aaT%8Iov_-81N0Wyuyu7Z!quZnO3t7KB%-FR(2R2DIRh67-jiD)kD zD3fHY1GJML7w2%dLfiVGtiJ0pnj6G8?xj(Q2K=o4%N9g8X&c%@C8WxEs67vhvN=5z znh5o(~?sWSK6j; z9>rb+AIUeaADAAcB}<#U5;jpRwv{YBXv_5Q)+Ai061Fjtf6 zoOqWMq%hr5{~XkIyC`&eOMI8!#Xs7Gzjg7*PxdiRYNC64lD`z0P%3S4ZDz5+y_pAB z5r|RlV^qNKcrC%k+Um~!)YVbJ^Z2XN_W>cK()RK7yZ;;g$=F;`xvFMMtUfnr)obL5eobFQn_%yv*YHhU&5R*n<`rh3CC7-+#@4+p%iyEGP@F$nuAH zKmVLfO?QTRg8jA(vc$xiGZqO`y?L|d8t#3k&w5)#0<+!|!(NTV1Q9F0G7HaGf6_M4 z=UWFgmGKqM2@?HJ{O`wl<+p- z3@%b$KZmc94$r24FlX2pxH7l%ZX`A^+_~8-c5|#mRsq`VUpV1=K3*N(Bz@pHfAq1k zhF)&Xv6iF=*}?nd$-}Xc)uLUJG=}q1qvO$|o@pah_IKV1Yle?ZogG_AEYtM3dke{rQr!`+qFaZ#i(%rJv1$^RimDgr6VD7 zmnmUOTZKIm1|y@J|GGwdpK}HB#Zo)tK=lYl*M2J*ug8yFV+k1+E@J7VrX@ZQv_u?r zY*omy>J{Dxk&PGlvj+IqSEzLPTB@0iMLf_ch5-(Rlmo^A;_l>67cjNgNu^VyA!o_c zuZ$s5p*p zS)+blH^=Yrv&B0phxxF%jJdFHVj%tWgt>|$=BZJb_%8B+>~nBNg!=rWc30}3Fu1v_ z$Wz`6nbG!gE5r?m(GJa+TjdEBekQiki#K4QJHs_X|AJ#~RhjC^sx$5=P1gGZ-<0`u zkdZJ=Ri>CeED191y!mA?&zVBNBD2@@f@AsGJfP``7Wgcjkd~I7c4Td=QDR}Fz4_Cs zYe8Epu840|4x-aOu@^DGoG8G&%PMt^U$5G2E8;?3$#6IN})9~tk<1=!%AZO zAVNATGqaVrjjJDsY2-rl8biUj#0@a&+Z2;CA8?`_balay%+WEKk|z59TOXmxXn(dI z_Jr7p#xlwknV$y~4qgcJzZ_YyQjb&)Pgq$;YmkbSnF*n=lugm})Ce1;tH+$O*6oOH zxVisgq+tF&W;I^wU{3O<%V9x9qa@&i0K^-rZy(+F&RCxbsHm=vi;KJOM~Mfs`N5e+ zgG__r>wDWB|J>35z9OHt?K4jt7&ZQoqexTvo?A5W*Fxiwq6#5B&7z{-V#`WgZBZKA zOqX3S10zTHI+yWR!GpZNA*sBvsgsi~k6_XGjvPZnuUPUFj6lix+6w z!k-V0HX&*J#V?uR)wkV|nvdBj@FHSKsp{lJzMvI;#>mhrk8}Iv9b>4WVP-`YLO=wD z=mH?C{78w8mGuBPZNr2-&0OckW)Hk?FToEud3n__zm1HHz+f<7;WP)vLCjX$0w1eh zsW4i>|2lvW25a(yv9TJVcAGTs20io?bL@yMoI-YpPIWYpDZ?Q_s3 zy?y_};PeP4877?4h;4uF!IH)SXoR_aX6Ks(bZfgzMeG>`QF`&E{Mlhd|t3!cv63Yr2V zW5-VrTAHJyqvZ9-J;eBnCNOdW*peTEc3!{??a6--0ug>JaDut(I`xt7*TtM{ebJlP z#0rlbCn62y5FYJ858a1~?`NP)2Ox8m)I%LUl7D7pBdYFApYH>m(IlWpu}K6?>Ukhg zLG-M*a#Htq$&7SP&j-C1irBiMK9YKAz+gIWjaJs(!fd9?)_@U?+mi47rz|>jt?xyh zCAc4CVfsFoOFh=)VI)RJdiZ2p5GghyF@i4NpHk9ALq^z8m|yr%%nlt}Pptbv17p(j z{Rm91*O-UbI)GW8Paou~%twR)=09p<)_$mRdvpwBM4OdiD=T>q-5#xuMGPZmx8#@n z0|e^+1$kSMNg~E>MNxnqOhq7g%<|i~iE-7p`WB(Ka&~fZeKanP*)^%}t$S({)Unh^ z^%Z)Ojhf#L_DxQpxf+Aw#)3szx^g;(E&0ZO4q&ou(44(IxAeb|$5H zC8lOHJBAW3*@!u2q_IoA>#~&;c&v&24imESL*2>tXKre5jr_VLf#l+O^4FP}nd5O? z{gXz+9mYnc8K9Ix*R1aD96b*xY2k(vSB_Kfi8jDsETCm~0F)(TLhU;q4BiAM2R8Ca zB&YlHv+m7l31)HR^>_A^xiSPuO&w1%vHLB+7Mbxe6eMyb ze3zb^n}&1v!G{K03yh2J_g8M4jzgwZ@c^289JV#)At&=P?D+#Nra&h-^+DmGhnoB> zn4I%0wEy@f>WN%LFA#L^_jxL3ee6WEMo=IQ`$enek63C%6j%ifZ&rkF#QZs&EiEiy zfFu7cm}bsfkbXP{`MIECQo+N*G%PD%SW~$YyglZGp#XC$@jpj*= zkB0U4j0qC;tYUD9wi4f=lebn3yc&ES@oBmB*n_B-lQt7pk2B18g>a5F1#%u>HL@!& zrX90*z3&2ANsdB2G)utbrV*&VjQxJk`}Us^H>)lKBawlNq{4~!G%DKfx zL_dmbJ>`5Y=PX?2>^?pz1w4USXrS9@fW$1RYd$}<(k5b7I&EsAJXVFeQX3&;3Gfuu zQShIdX&;05N~d#jU-*}3^(?|LHB)Y;elsH&am(TS$jioIV+nYi2|mbfrr#>|YD{CS zr_lFK7Xri%0ywVLkC$s6wrV*p6Oy02TTR9=q!}qX4sAa;W7TV@DOqc;6Kyz5`syNYE7U>F$3m- z-WQYtM*gc+BV1g$DRFLs*;r_0`?3AW_aZY3luZHWf!{7kdtNO`1Ta;a8r&`lR1Qj!R_#VkN z-J!VAkLN)dP1L)bqXpc^*sj5K(5nJH1og?jWQ29Y!Itrzw5hj2Gw}Wh zs|Q9hWSV=xmqh6c@nqoSbYP9i9huGyETk2LNixxQg{pL1{TBDl&#$DapH%!h6JH?k z6HqU#I4u@aU=qv?vR_7}#bMU%L0qrU(dfJWmSrPpT$n(-HFlN^~0h z_iHPdyDfSK9Dt$Ec4@jjss?EG4QmrLcH8CiVR9yf)D|_++M|q1<%Cu@q&nc2Y<+iG zi&19~f1kg_m){xlfhW&hPZJVnq_kmz5$OTX>rnyywn1n9$yRyHDj>%^;hfOWbF(>U z@V@*$H(Ok&#m+czU(G?|B-!<1elVL*omw@6Q_=@RnLD@xOWxXFw4tKq2W!O&Cs+Y0_u)%DuMsyhDx8R0mU?-i*7 z;|JQTd3t&g4~*W$T|EAFuOZse9JTkm;Wo}xnW2KZi!^GSvUh%zeL(v#9J8N!VuZ(P znw=i+Ir&rE&ofek1&*YlIBy2z%Xoe7kZQ{;Ud+{2iKk@Aq?%ppY;PC{HppoW{76~Z zxH4th?4(`TXkM>qD_PdR)-~EImL8GQcelHksVh`qvTATM*p(t{oOrz(^t7_mdFH8y34uMCfo z^pxVX9a@q<8F4qdOxk?29vKWg=4f|wkaVE8l-6H`DRyO zr=4XCX~7e*y_CppPa9hBrVxP)=`-b3H;<#J$H?HTHZu$1aaRwV#lz+NdRk zl$vtaT|rUf@;&skSPyAg^6-$B%1&OL#KNR96`CJcb^QecbzPO&khMH$Pc5;s4UvPH zL1}I>(aOuEM)ZUA-FaSj6YSQ{b_tk%01NPZ9DbttQhp#D zgY@`o1o~I=NA6XF4}C@_vc;3^GL1}W_){^Sw@IrG;hg}YT$9p6>An#WF!8G_Gmp=& z$Eu&PfbVgCv=j4IbkgD11M%n%h&vJb_iL7P-9VEJq6d1K{RMgEW_#kRX_?8NC=0q1 zRsEm$Q#H~*fj{s~@y1g!dMR(XjQy&R>tHq8dAyP!{YwN^*QmBB+eUis^n!H-X-EoO z3O+eB6G~uDKW=*vLCob4RiLz>MfsK`RhD-+=jGi^eeY?--e#r2{4B3D4%>-bPri5j zIQALj$0s%RJ@cPX?-q+vTD);KKS%aliDY#DiQ`QsWGod!$votE6r#IC@bW^__zR&`~B0~sIl z)x%&-#C6A+x*W=m$wrr?66);y>Q=@b)vkF!!?3jxS2M&pe-w!&-<778M@@1zST9~kKY)_#l!hyB0k!Wj`ypU0k2JO*z!f_X_8kh%> zG;9r0SC~SvS8|{D8`eFWEF(Rg0(G^f(o(YuVy|b)=mVerg!X^e)zTWd@l%%Cy=8SR zc+xo=QR&#e(8S2wXMY# z6^uD;g1(Y(tz3O<@)nWhjPShcv;T|Z}aZ8+gZr~Ud~dDAm+HF}df0^6#0>bG>+0foisFv(2-fAPqe z^H@d5$a*7LMoF|kk8L?_Y_F_G=(ZtF)olaUrOC=I4j+0mUqOmu@lroXTNvPazZ(OF z60hGWDD>OBLs!mH_11rRapOgiSCBe8GC2OYd2Em?Qt#nKi1|<75h|BGP_W@E{*#ae z32pdNJD)2=#5uE7L^j&h`)N(=*@~D_Twx1U5i`7HwWkH!WUL{QlD%LpWk!|F{ep(UHSoEYcMuJ}3;E zsMaVhG$FBL@bxJ%P0VcR0y1??ybW$;#ns+{XAX*cKZ25{I6U{niSAZp2|QMxvUj0q zgdiJ{rfKkUnC|pSj3xLR4zDK(xRdgob+vE&Ai964-?$W42v7d>lv+XQg~8YU zujg*6Npns(cIiMM8Cv69`7i^A0u<|u&hun3o~d?C_?uL8ckJ>UEqvdUjp;hw;q`Y? zbs0LDg>QddW4gbAiqZDv@H)b(#WqB<(@Yk=eQ*%u%Ys=iHtE_1VY67z*HwZ-@*s5X zhB&#`(lK^OoU*4!9&^%bn~KX$cw3ZC5K7r&uZ@rUF22_2`Ttb;;PKQZbR><`)DYG0 zP}XCLw|+ECm2pdik)8#3Ny`o0Gc=G;xGf`@QgNWWD4!iHq&Lw!tTD2QQG8+NOkooe z_aPz)?+8^O0vV@jtv9Zh`54d)?I}9mxdZ18yeE~@geB9{fycP@lGes%@WnFjqf^eV zBg0TWNjs+}$&jaa>r7!&WQ0oSNGm{*V6F2-VMbJafE_Zp7=0yzyMB}`_%YQaKvB~o z2CqH)kcjG$xw9J<;9f2XWWnfVH#2QdrZ5Xgn~kG4E_*s<)Rgc2lRZDih5g>9?oqT6 zJSUinv(eq|(aEQv{;Rk9N_nsGbR8pP0mG8Sc+jq3d}3k&P|`0Dms+QP9|#Lqd8)PE zCnUN>6(yuNmkBsTeaIoPJ433?2Zj!W^raYa!dDK9Fqi2gqifd}fU5$vdU z`HHpjuB(H37QEC{uh-<)VmT|Ly#pn5Bah%XH z*qaRcJ-Av{O|HyjHtXpOK?A@bY@(m-VcZ+Gp;0{ad5CQWCOiX7nYntN_!S$iaqSHF!h;!wl3_k;L<1baYeP|#1VKnYP z0;ZHkWbKREISc3d#9*+De8GD1WnyWxn4fN5({H)zzyF-9#|zYlYGIcy1CP^;DP2Gg0(9`6Uvh)Y?T@A^%#~jn3%*=9YdVwZLr{IG{GnCmZcq5gQ3rtc zGoNAI3AGcw&^G{_jFoesb+z;}mhz2rWl+R#XGgscAOY;`hel~1CSbLaU?_*Oj{m^k zsC$`FcOgv+N(JbYj%Sf%CA#7h0* zb+I$WLkF6>yq%wcn||@IRP{P4ZPFL#J*~B;Lz~+W_+9?F0)EAHWC_=(>92s?pV7mS zIa}{iQaH$^U~O?vr6=odzW0gWXhPWmN}JScE?KCiF)AMY$0X+INhKO=5YH>2@^n<&4jBDJ~1)dU74b&B=OiT52FNhF zW?dqMsrWh`Kie4fWSXmHHS2 zhnjwXh>@?`i1c!*lf-rPaVOq*Lcl6#!UJi|D8JCU5fKi-QD_brqnGN+AE#4ZuOgSo zv(%Rt9)K)=aLeFXq#snqt1YEJPDjdfCv_e>WS7MGD8fQRSGjsaWFM6_*^P?0%5moQ zz*e`OaCu>&%jjZx&3CQ5uSL`ta@{*8&pv7YJ|OxzakVhMR{6?MEB)&P+QBpLt1+>B zZ91#oQkCw9bDDd$Ro*97W^&d^^C!_dM}D36pb5h8GMGSidP-N8rpXlciqZNh7yx_V zmQRoGd;mSZP1d96Zo2@4#<*uWVQ$Z5o;XAr)Srwez9+63mYlag2)t2<>#n8}rVaBw zQxXPqY`$Z1`ywXG!K{VHJ8ni6N$bw~qD+mEql}P$;~_cbT*PR{Uubv!PZ#Q8O=n*&0miW z@Q2d+g_~A6L4n{tAG`TW4z&Tk)r0BBWybhRRvIdN*xWp7QXm;RGT0hmQ*jbaIQfqA zzFf|ohpAPs-Hdk(E|L;I^SG-`UXS(gZ0zP`koJKcu8d^U^O0VoNSgZ!p42rU0OROY zTViJPzt@{(OcXsJnZvG)wrHietn}K&oa-3~T(193nAD+T{P00;t6at{gz* zb<)Sl!i@y?DH&KtnYuV)BDDO^H6?An2x>&v0Qm*-s zVnXi@FAbjYRhII z{Zn5k93FNU(%s8Zfiuh_j(Y!LIn#Mi-Ny#0d2~503#(~7-9{d$vNFWqNx&x5+bv?2 zPC|jlYKrW>LXlLdS<*kO107i<$)Au>8s{gyR>ep!hQQDVazQ8w8)~iiNtu4*Nl6~6 zl%!+;54RtP6Ky}6WnTSMie?&>bw~1ZXq9u9|L56@I}#7a3DZ{?u1l<(a1PqEYzsaM z9XjUkOHpi3~nWOj?e@XW)IXQ-DVxKWNTI^Jgq_|xk*!nNdWTvbzJTW4q z?T3t5FSD&&YnqJMZ$}rvLn=;m5LVdog(q!FZ+!3M&;(bpdVGI0Qo9a@X}?~hEF?Qu z_-InFQJld>WMIpMAV>Vk!9iyE4C|Fur6HrIz;;HWrS&AP%1Tq2AO&P^H}kq&4yQpV z0>H^C}%9sy_2nr3j`wu;M0l<0~g!Gk4vvWSASzo`y=L|61%$H0Qluq7JM> zxAW1|o3ZI>gd#*%DheMaKMv@&%;$!6`?1%K1@l2K`Q(U?0@QbMZoaTeP&{srQRAux z=1~V6^sk=P7`RA?JqW=ER2_D)WXZeqZ#MZle_3kpGGDq`^&DSKD-l{BU`$pM^fDHW zG}O!?Jz^+C@vNWPX;*TnZ#36GPC);@ce(e93aT7DbecvIXJSy)6#2CGXDliz@xBGn6U;9$||FgkBW9gYH zQaM~Bhvf%vWiNd9iydrkEu*7gmO_^M?L|h*Fm7z&$eb8I?38A|bAfg{yO{6dbYU}U zhq97nQ6a}feagm~m%nb;Y%D}he5O9rj(M2y8UdDpw|sdn`O|VHBIO8OgK1Aq%Djx; zXv!xxaCLAvLWpjhGT7b%hWU6n+Fa;cGnm-xDZt4K_#7JGi5;Hp=$dZ#728{?n)yt@ zwlTkBlhW4dKxj#ye-tJ#&M>eSXtz|fp2Fx^`Mz?mIIO9jH@2;=Sa82FDqjNK+``#O zd-ZIPF;ih_YFd(k(bDaO2k`ic6Kh&%*^C(mgWHqF#`fKmSH*2hj~~iSdv~n=OrR(* zA^4w#!AbVfc^=pIgS%>4!TN!m)DeqR;Mgg*Q|jAjTRVSM&F!Ng%LR-5T4#!rqSMgp z;c928g(>_9L&!IB93J$ab8w9}!(l1Ua+x6J#t_zC1YMi452T#36*&0Tqvgmte&=+Y zNGOpL$4^wPTj+TGw!-?}Ds#U*|9|YgbySq!*FKDhA|NH8pdd&$ z2n;DO(lsyr#kI&*W z1NVJmpMCb(=i1kmH+(!l{8-lFA%^v+t2XhNre#~4X=~IJ3kxUWy4Jh&>-ShK{i%@oAlifoYrlLY-yTAJdrx#X-tOh_?;SNtgH7M!})^K(%3&@cNOb(^rP zzx;TyXJ)HSV*evR)+9tgnKrmf3(Ui}%_z7YDrp*~WwNU&8=uK< zIkxiB`#zsDsa&w;sQFsPd#l{HyhSd;a`=v$Arwn zl-f0t>EnHV_+nD%bXdov=ALa&UrJlRH?@s>^Qk%2x+K+eX_0*MzwDpqOVePUc{kwb zf;=#Ql=~j_BgODvEj|r3;pSgv#VAc05IZ~HYd%_#d30aZ%4eQ@Lk7!x)6nqobvRtH|85L~$&$mTfAvir9rcQ>aqcO? z_OCAv@rOPRaA~@CEUmQ85wnW3ckM@GS$0?~0`{up&X8XN-lvVeF{Ir*EsHs$_56Os z-bKXVZ~~%m_}OE%`P@0NUjKp%GFHu~HWpm_q+?w$Hb|@!Q2=A{NRNk0!wMe`UK>;o zp&gr}N*5|@5H#`feEOQHw)5cX((xfuH!uF$(D%^d#fH)LTO!;alh+dkoW*d@Dti8; zY%HMAG46Wx--wy$rJcR_Vd7l);sf5L8x5T^eVI6iO%?RxstFcHlVL#zP$C@%#>C<9 zpec!Q2b;tq=%h6YkkhCH&dTfKKh(97;)NvzX7dX}Q$7vpEV;Q$8>=}=*uJ{#@|z97 zAJ)nSYb0mFsi}-HaD|gKZ_n&^Nq(lh7pteO`-rG!N&BlHP2#IT5kD?WtZ4W-S40r0 zhf#DRQqz29ZUCqG<*lp~%aYfn{rLCwaF|JS%N@VyCGc{6E6<<4Tp%H28}(>ydrcOR z!=&*=Uia&VjKgm@FD1*bScWVGzU_rlp|&7nb;es1=v=xit$f&pNJ)}DFU{J5MHxLc z-j}m&(?3iw{no|gvBYnL?>FOIO@k>So@}s;rqR|~|UU>a2=`G7I zwaJqK}I#6<>Mu-ZjV-0tqT!)$$3`qpU>ruKC0!3jCfrTj_3I( z=PnY3Mc7)QjQA$6$Fh0rlJ=~h;YQCT4@sz6PRB)SDSKa}vykg9(dO_VS$O=zZvv)1 zQ62DR<9gSUfSTEyR2rsqHqyxx^%$Lr(lHJU{WRehA6aq z=ZiuMsfJ^8wY-NSvqL-XUgJt?Xr{uAw;L^Mc14WeG*X|7A?ZT_*i zHzjv4`Did749|&(-B>Sd!Oz`fasKR{=UB>^X?~F8d|;2*n`-_IDw!3;KqEtbA{5K$ zz7g}lD%#EZ&~VoGufEpb{{rlG`(2^aWWgsBhRdOBk6*BtUH!9~e!!^UwSF{)n#+J555rRrGQlY!1JsQ6`s%_TKJBW=p!PQwix1wL-k#*~8T27QcJZzSU z747(A<*UExH?ODkL1a9+{DYJML-;kf?W*oy6!{TihOy=38Ef|aCm6{{fHS>C)N++; z4`Z6zp-YeD8rIQX)M`b^yaf*W10=ROasJj#_f0>P-MgHJ=0E+D0i_qdgBzD8{UT3M8{^Nb4Z10HN&5ewk zEC+rULCXNZxQ*|{q;wGYJ+N zOgajA$grSaE966BI~5^JRf70W$>OJHgm0KE(=Rh)!@jZeo75=1CHw;@L~(A>^9kyQ zXI{Nr-`0o!6xlr!P^bu;ZZeVi8t*nw-L-s|8^IwK%y>mzL$9b!?Leif+_jGn}0E*?t#>T(#Zfk36{}7^-`V*LY{h|({;9(aGKiqmYX{L9@ z@74v7g5}%1`qyd*WbDzopqB8!rpj)|BlUrz0_yDK4(0|;bY+@r5M9A!x0}y3FsT(O z$_IE#$ckIHW4l6wdRHr!a*?{F6+3tN_(}noXQ3+%kQ@Z-HUM<}zoURL3gxc7#<~Ow zEl{7P3VJEm*;w%jR=O$lhMJik@nmyWGW;;J@d=BtU<~|R^Ie?RQa>ruak#}$x8|6s z;LAdHdV8D@-?g_reSNEd_YdHhY^%5WKy7hULV{>2*%5$IW##1o)xFyIs3?I{AN4bg zJ^|?sV7foN7A*#3~q#satxgsUzTm#wC4Y*3E7_ zq9)|*qCdUxWi;(ghkJV+j}Lch0Za(wM|aFbHptSS1l0-&3C(B-HZ+}2s*^gSUgv=m zdFsJnSQ6AF3hg7`=8Q?pqkO;?hDRcEzqyHXSP)+WPug$wi5OCSH-q02MB*Btej4xr zqo{v@R%xG5A%F`tCc_@)t&^}ZF+D}D1Mtc%e<>gUs_p_PRtq#)I5>9p@!gd|MiAJz zxVZ3SpPOG+)btxg6u0E%(_>RA_f_5kK@#G0` z1*QkdV*D&_R?`-XhlKVau3onGO=q2%H^?cj$)e2V^Ej@a@W!#JTq%io=-L?8OZ#pV zj2~dSbYcM99n$)4E5(C@gUq|2w77FYPD7Jj(*NxH>Mhfun^`n3-0J@c{m7koSuQHcKHC&OLOs%0A zf)eh07vG&#R`wg{KgI*P$c@h3Lr~edUP6?`G;n ze5b<*+1K^h;ni}o@lZ4df4@3xqlC3Pp$@?;sYx8;6Ur3j-pJV+6;j86WyVE>%IpD6 zVR|z8cQICjfF@vk1k7m`jXSKO7ogBqW1IJKK7Lf51FXgF0O6IICo2~N$k-IVYvw&X z1l7-=pj&k&wr$G|+#dz6uvac~^@i#X1GWeDY6S~flq_Ir8^{T-udnl5AS)0clkW}V z5xV4~2FbK)s-}7igHM3E*g+sZ%#RCEvVa!^3(dva8#kAL_W?MU#Fufv%A4b3GZ%Z} z0YMD4Neg^X{7#(4$!X+!0@OQS+dW2q9In(FID@uzo9j~+{A2aQg!>5}$Yd<^Tjw@p zcY}NAZt+Ap%Pt1zft))F$?I0_=$vXG$>@|*St&$%wJly)cjj8#G$wN;H=oI8KwC{i zvJ7Y&o&hQl=J`^E7I2o2_rJyGY68&@zD{qUz)&C&LX^>y4+@)Cf%vAQu&g7XbJz=} zPa&ePlMXYcuU4pt=Z;0tPAZhcfcEnJOw+8Ca#{24O`D1ZdNyggMQzuFMR35ptj+fQ z1K8>RL_=Piz=wyA?IiS`^iI|1#Z-=U#=FqzXp`4m(o0bw0^1+Wdb6*cUu(yevmF1^ za5bz)@Pl)@adAlrFO#-vYt1iz+h=nOI||>pgq}=50n4~3UYK3!W=U7M&O)g}#Vb2$ zHG6DGEX{DHeV%lBc4lTYP`2W628uZh3RgxbbvCWf?2y&HfiFDi_Im0Qjp>Z zTb2Hc7W;#S6$HmD`MJvWp%cHFDVa!P?C{zTS^NR%>m5v|*ltF~Wfl{i&~-a8x`>u@ zFmq;lnx70yow{Al#e_K{YMQNFwMo9`L+`Z*q{rG{!bb#5xab`foQ&bQUt@NtYFyhH z%=B76v#smIW-52ZdszC|T$-!PH@CE~=#)+`?~i3m;-Wlt>Mx+tsP=4#qJ^JS!^zx1 zrx=xzSdI6ZRtq*WmyH+5YuT)LL!T!&mKI<6Mok*1OWZFbc8}<4M-yGjLSXfm8&I6<*{WUOKFUSttWiRc4^i~4y?!; zR~*8~{tUC8RiEMRSv`V!j=4eeSXw5n<-bXl9I<43ZXKer;_@Q6d9B~BB zu4Wfx(HJ_;?LeRh*TeV2TY0v5DdB}eHF-oMiiRKH5FO1J->!6mZ3b*GbU}>@3cTjI*nMMTtC}GM z^lO~}rmY0v$r|`}lc8U>!0(TO`hFnl8HS+0+t&E1WB9I`&RBs-bI;2V()({OwTT`- zFP$4>xYovAF`o=LNsjA9kMh3RFXS0pbA1@(WOFdt|vy$B=@PHB?X~v-@M#kdW)k^5)?V^l!Bz6QK1GW zWU!!@XHcnzsD#zXDN`fV8sjjN8VTXyVbo41zejhk@v%J+Rt8-8o2ub>j(|N&);(mV zA8;7~-sJ^3t`XGUBL0z1KAb-cfRnA#Xo8#&Mn?y`s%5FIOy!>e?K0}7_pKg4+m(aM zExK2Yq_9?#=2@OlMtXmR`1GvIYu_X)mkXM!a#O|{%jQskBl;58Ex055MyUZOe3R zy&P^}yd$&4yX*m|4YtV}geOzgd`BIfkvQhFu%p6tmRv3QI8g?Vd@Ui+lM4`8|_(#4EI} zhTy*b8-)NDJs2&^WWU7!8mJEE2F#Xd92DC=|8XnpU@Om4|Mfbl#*7CSNf~Z6gX(Aik)62JN1exT=^me3d9`r6p&4k!FvcgrbU72Ywan}~tkJi^u z$?zAqhD>dZ59S*UVbwp-)C_pm?r_D6kd`WYqyM(+vtI8@Gy`)#D+&s^kpj}Vd2Gnb zve1QoOf@3Q;?K&-c&F~kNG_4H{+{&*&p}o<+n3d~0z(618@H9)l8_YN!*k8`v-MRB z!mig5m-e*dE>3js6du(k%MJurg?$pVcq~RSXXN4G(Y1brlh!9Nh_#oAfZAT{TSym( z_-DMIQb9Pu%Vf*){v_&GxQu>j(9|PbJK9W>ZwLbG+|G@kKl+fNGHzJvAh9&mvW{L@ z1RcD($B7nml~(IqRUMQWMGNq)k}JR-s5ll=P_X^rzu@EZ$>2&)Z||+|IiGt{LBBXV zv1FJ*It8b|e@gEW%*f$UAqDo%8_Uthl@*_D;CxGTxg>Hg3ZE}bCGmIKvTmSuRs!in zA!65=h4fOTnClOkFt4PNdX;Q%2Ql<3ziSOx@WTf&@2|=D=#=mXSoy)!%RAPp_8u+R z=)PF2ag~fD=-CwUc*me7St{;D0g(a+7j~gLU3q6UZs$d7C!QhhjGO_d-a&tBDg7GZ zlmX_3MFt5irR>J1^y4i{O9#0tr(6KJm5PIx>Fe#ZE`hva3C8sYnr#b<3d1vnKe5E2 zjo$Cx(YIJd&7T~9iOhnMzf9H{NAWKiA^wKqHW*@rl`J`WvOZUvxGv^T$LkYT7I(kN zpmq6uRF>If#m3j&fUSdFNnco8?XM!KWsmQe-GgbZzwOoc=DC;|ET0Sg<$RB|=w?WG z_;txWO4rH{wn>{Qi$%G)Hq(`gfw$c-3*`eH3+1k)UiWG-P!`REFqon!NDK(TeZl1m zZ<+rFS)jNy;)QqOif#T()!-0eZ}}z%7W_i3o$JlkxbM+O!rJ!82c{;MFw?wcgF|wz zZ|+A6`i(k%$Vnuwi1(QU@K15o(VFmvSk=Ph4!*3(zM&zR1)&kq_n{X3Lgnx#1^>6F z(JJQ!P_6}g5mQHe;u?uUq2e*sj*p6xMpu_h0R4im#lRL4k(?SO@?$j1+^sa<7|~um z)c#hze29KOPWZ!KiMhRW5u%Z`vG~0`td@Z!13kAFa%)9j%F@l@{%eS9la7szji}np zwbLa7G7zb#O5+9FyErFmI)3(({rSxPVm-L1!9uW>KOWrj>)+Zy6 z?_BnTaB$fE49i3*&!K`X)Pai$q}^am!%fL2YwU-DfoCBb44Kb{h}&|MSq{dTJFt_V z>~*^RCQJ4aq_+_yfLa3@x|hVixtJ>Ykl@stMtRhJpeUkNsYEu<+XT*Kh1T6iE*SOclB_mn8d(R0t` zHnv6jE4K2v-{$C~HBvs6`a>O?frdRu^$2pK>fHWxzJudJxo1;Zi)DH^8PAOeznk9E z+A=*#zw^s-|48fd#kru?p&V5f12XK-;R(G)+F;|3bL_-*qZysl%BI*~Y03<5Hwx5@ zwq=XAA(9#4~2eC9L)V>fE?HT4l0^YUW(@R7?p9l%oBb3 zNe9D)@`rM2OW5Vtjim0ExOCm~bo!|rQl((@%i)nqz}77Lf{AZd7)fM#l<=Jn+Kk@P z0Z^hnEtO^3H9jP`aYP! zL(8SJHh?u1_z5lF%eS8idFotcbkW)3q}-eX5%hWOCfvvzC^Kv&#?UuI0voRP>m0?e=sQ^#BKghVA?b~ZFz&;O!&(!m>SNWivcp-27Ij^(Q4~2y z>I$_ck4SVXd|k0zCR4*p*Zy25_;h39+@1v%4Q+4oVB5=NdYZ z!Ot!qyrnlv`dFPOkoCsmTED5%FPE1H0T_ual4>~ep?NE7{sATtN!?VQNfa(-2x*3* zT8zplX=~d@E_C6ns8{8Cnr`i04U@lcYfY{{D|lZqb9R(RL(&9m=;yYqn|{dsWU>n>wC(F#4Tkwr1srPY9hok7@3Zk0rf*!W{gSQi zzd~4_!A6|#Oxe+EuAKz<4SFDzLWaD>gSzlAgPv|?^N3l74dRu|FJ!0ViW+nuaWDe> zJ?1BBj4z;%FhVyAIfrv>?^b^G4J{tsQduzV#=bhk{*hJ93680=vf@}mok%zEq0x

in~0C1{tHc9M2Kyaz%lCt@(X-Bux^pUw13p6s%5 zZQqEEi~~;Ha8ToSB<(mW$4A6WjNQ!@_l&s%RwKo?w%s)uf=`)W(O{RE_LOd7sM+7j z@{rAiRQ9BYsPn_&aKK?Y3p0(zE?gA$U0q#`6LMBe5D^vS`^w58en~fTt zou@xN!J0OU4x_7yeReCqM6nWar=nCur{Aj5$ExiLmv~6R>=!%Br>|{YRqSA`nVCP~ z-S3f2*Sc>hu`TeVrNSBuuZL<^r znSrnf$7XJnARVX?TL%R_bP#J0l7oMsK=c5>5UYElZgZcVx-zAx1}i7jV`w%`KQj;` zd_$H)LOS^d6ccCIxo@|vE#!W`3uWQpX~t%)4{xpR>6bO_;D={%&=7>#TBu2{x21Kr zGUhYC51GbV$sX=x2cV{VfQ)k-ybjkc5h$nq232AswVt)(qEh31An$j{0v;6=)pZok zs;#Q8e+b0O4oi=>$DNi3egPUd#x4Kl%UI!O7jy;~Sbm*1iV0)y{>jCo+)B_MhT#{@ z{11dbSAzD<>{&<6)@W!lNa5i;#b2z_uqnJ#5TV7|YM~50rL_XCiLExPZ^}dEs?=y9 zg9wt@--y|77{$v5Yj^9B5(Pt`DpK(Gq^^$6&0DuZvVC5znJ_|XL7MWF*c}TOE>-&> zRFzUSIQ!UutTZ^&*!}dLQ2w6E{%?2B96|N9U)^}wwm4=8 zUniIBTJ3bC#SN2~G#Ar{POR4R1jNN(v%~m6>Ou^u-7PM~$l6?{Wd%ti=uKS5Z^gd( zb$;W?c*^=CGEd~gYFBW&L!G&VUbK9kX1R&yn`Ydos^Ae(u?cj4Y)31$K%T98SIKj) zJ0~Xx;6pxJP=~DmWgg`aK$IHB@&KIfb_E0kY(Tl-itRz0}8At(`qbOHTuX| zpNc*+F9VgB&1=1xKk<)$;)5zcD_h&+o^+9!faDO6Er`$w%@ur|Ma6YfU$NjOfUh^j z#Kau`^c7_VsWJKA8wtlFot+^0_WbKG{#lOJU<6h1v(IL5n&Oj{hi2ZJ8Oo%xR9kOZ zeM9p0dmTrnxkvNWJ!@H`uPQxw-N8?;Z)Q`@*=IGH`X=a@VK}* zR2g*Ilg0%u(yMY}f{Pg`N86>fOc{d!K(hr3wi_*W0QanbsOb2IUO>5ERfI`omNA6o1VdiCdo`*}SQ-HHKonDdRo7_Gq_hp}H z+nql|V#!?6t@Sv(TTlKY{E=NFU2yetkp#7_j*cfl=ughPxwTcp^dbf2?@ySt9t$bV zG8_P?>A`>mmEx2=(oBXN)tg;_p7kjpUqsa(DdK~?cy7N%*b zp2BQm~ z;apNepxWLcmxxKO%@9x?OIg5=!Lh%yrze$u2jFN|M=R6dvPt$9{MgYs-;LMkqn6j3 zIU*P`S&}7FRInZb7G;nfLJZdl??!m;M##|G0l_MHS2YE`bUi-VaFbl-9dK*#3uL-# zK)Fc|k{&@HJWvB{w=!;CLfl+Hx5R1}n9#DZRT&`r9lfVL)>!pnA>+7RR>w5y% z1<3iI7=UW%8+uPZAMZUnmfvt*l8;mq2^v{(AIn0OsGtMF!DbSu*d&x2o553m|F-5G-9;U8H`cCcV|QNaGg(>|DIp;VZH! zdOUX=O1cx0a8NfaAsBHWo0e%I65vYro;Th5n!B8Hw^r^}ROuuT{W^>pKadJYkW*8B z_>ldz{KGW6YKNsNK;|5LAOf)BV*t;%cn4JS19t9X00ft2`5n!7c?6i7CGK74RlVJ! zrc8TKLvJVNDAdVp>`eblk*;*yqms2VHAUcNGAQm|qrbBju50sjX=xf<7erOTF4gNc zoE-sVE`h78%qKS@{{=QgF)vaxUi|ji1%2b;R=$?GJJcrGP!njs4y_31zSmJd6IhpSaP+;XW8sdnkD`TE|$ zK)uMU7PH)}{Je78$9HSnfGeP)S^zQ{coqtIg;GPUibE?XK>Fdt^}dy!01(i_cEHE| z%B9&hpYmmKyT^8+o!dd1bB+C&%N!GDQ~|b(p;}S#E5(t(Yabm%%-YCHB^bc1V{==Z z6T83+w^`e!<`Z?~@rLISI9LcH?x5-tGB9o1FlVcz^fy%Uoh?{sK(J#y(}hS(d57TgZ!4DhLfNJv6QW^PUwCoayk6T znH)M;l?6JBBRHm~A3-Y!g0?qNmCXyJCm;weyx8b^h$t5yw&`OUa}&Cd(`q4 z1Y_p!*rHMbRVX5r8!q2ZsoJPuSd5OJK>9E>RMt+l?E=N|)}!OJ&t5_hadok=zsIv9h%ws9_BA(nRXv+PJss(M3nH6qQGutLq{1M$7M|ud_A`K5ePO zZFH`-3cwtQfioCrIhc&`QQ`Ol*Y8`;#W%N;`# zHdv_o!Nv>)!)$WzG}}k8(flR71=gLaVUQ~LM|sW7-+|qKbEr% zE*`Qj9Yv7GQ65ZS_9|mtaIL48|HPot%=Al62g?zm7?%~bJdke$;Jqke#^j^0fDIbp z6@lEU^@2Ofg==_%&Aw@<+5hHj|$4phorHA}Qn)D#k&vUIeNk6m~!3dr-CJJL89*p7_zch-nR6k*oXBj~Izn z6-H`uRXwILo;%5N7VJ0dCt(7E_rpQ~|9xyTUS8I5ikd7d`ysyKwMRf|jUHH4baWt} zYnRd=xcy{dq&8M?#u-2|24hNUQbC29#!z_w7x^5Z>2ADBH=O_39xRB=XMh}L(I9&M zeS&wUg+m{AVf6IEeXF=2kv{dW72i&bt-`Ktd&Zq^_-z6n1? z%zd&;=+a_Tp`ydv-wx`19R_+K-@Pu1!^KQMJ4dhv2BZ37Q@*?33~@tOlnA)c{|4|~ zyvaDdumX9^_b+T#v+J~VbW{sHFDr4wj5m19-+3=Y%#HNjGELRuGzSb zcw;59?Y^nk=vTbXOqX*TnC|y@0h&K}mp|E@e5#+|Cbt@t5ZGmhk_>=?3(@Q1T$fMH zf@y1vrP?f~A1z2gqr}6S?DsYogl5hJ3`D?^U!jST4xp^;}Vh*ZG%s2QW+3<`<=<#ukPgY}X!$8GlSu_$(apvOk| zP4@g}=e}M*$@2)Wa%Z2U|NcGfZySJuZUda=T}az$qfXKrC%@M95_oaf5i`wmNxie7 zr{YWo<0eJS5O@CUdfHk5n!!ZjFUs0;uAQu%zwbPKg@FVr7-m!yJYU}VZ{ZQh;G-XH zYSI5|xWN?+_;zou=e~7q!Wx$N3#ndNDTC&4B#WsjtUxlK{M746g`+)+kPc_4K4}#F zMX&BaeFKLTNCo{@9r~%8w@0}4Yg!A#iTT`TQu!FB4jAfVBVg^3!iCT6a$akkju59D zs&iPZqbEi|&*_!IoUSx6sC1Bdqi@ENa4?E&6P+M33e*L$X3-5UxP@Z?IB@FK~Gw4inJO z{`>6sD1v0ge2e*C+4OUh{^!Ralu>sbDWReL&u{+Dpg1Zq>|k1SIvr>8h8h7GH((eR z#|&s_r!D-CHvF$_Cz@9$?UT8o;BF7Wo#yQHz*(xzb2P(GQbAh+LaA2%U45U;GkAYj z&vl}YVsspmqDFPK|)E}#og^TIytj;wrnD7%8 z4;e|*xsT5O2okf##U8(&oDKB9=lyw6BZvm*QpElvFLdtj_W(4kkK;D`KVNayI@G|P zLS_HEQNMuJf|1z!_Vp}f%Q=fNmeX{!zPR9=%SN{Gf$Ur<53u!VpBK?%D@u3-j-0h zo~mIa!g`VZ&POg;GRYsZREEPoog(qv27ibQQQc4t1|hZTdI=}f*GOTQRcWZL%OW2bXNcJ4&j|j1eb#@b zPv=AupSnn*w@^kaUmDYPKel087m;l}(ot?9xU;mvun5mP6SAlaU+abHI@1*Y5ZnK; z6e@R=S*}%^ot${RK2U$m7p%x0dn195rL#LY+jH}Y;yI9RS6d!3kO$3`=#1luJ?`TQRrq;Gd_+S%JH39ax9_Q~Ro zRJjy}-fuksdN=JYEj`a6yKC-iZaQrM=^AU;ZFW|2NhOJz!+HP5I;Z_7$MQ-X4=Uij z>02d~mI+G`IRx1`NYu&)O= z_Jk%;Yzsslfbf&OYyv&~V@gU&cDCif#m=+vBlVV7s9Q|54d08c(_jbGR9r~7i|mMf zWXi@`YKnqk9L`Yx+`oG0_nYvogz;{gjp+J^z_RFQ5mRGhJ%EN5)UNe#KYr=tOP024;b+KL?u&MkIX!#EkCk@xp>TeQWMDAZbF|x~n1PgyL0|-c1Eki8(asYDq znRL%?tbjeOzN~)NhaPD^s&4$J)%*kkQ(t8J*$L_ssVy--AKY7b_C zPxmBoll{hn+C2?@{kRPko0#Z8-P#>lC#MqZTeofzv4@3+d(3hts3b{b>)MomtIo1# z@)+5QBhHu;Ue#j12Xm!UF3-IiMMb7TK?2f)!ZP;xUEeQXYt@ShE!4NITZ4enhpz|+n!!Nird zTG8MBzDQf3^T~|mS()E2*7V}FiGe3@s zCgz%0YNpG6D8Viuf)%5;1MVw1tGKABYO_loU=nk9K%wJU^jWp6*He_!Vjmzosd)>M z!gy!bB1!VnvB7HPWB;nmRIgU7rD?sTeSu_1K}o(~TVU5`W;KYXf%+Ap0-eW?CzahI zsOV&6u*6Xp6bzCe`_X8RQg3>RFT($u^#Ztx};Nnu&y%KfBM3jClDyflr z4aI$eaeqNCS1er~b>j-^{U;T~ap`V0?J4XMkQZ{v+7-x!bkIB6f?L@v#B2U&9Z?*W zc|HsH;x0-7tGjT>19;yDx-K8(koMTSAf7+)++M{H%q{$Qe3Ub^qrXnyXu15X^he#( zDO%bW;xaM=L_=sRca+V?YcO5;7Zxb(@N8qYtu5rQCo0P|%gbKTeqm+&@>NcWQN3H0 zZa8amaPeA~)tc>QL;r&mYg+%*4_k2|DS%6PWKLwqevP)Tz1BvJljmNM@7>fq#=)_$Z zDTt6PGVUpDD&!$o#d#X7&>H%H8d0{`lc{#oM*xnCco9_zI~-k}(Fi|W*>3(hqgaiBcF=BI?kwh`=WIL9L!F383QYRMVBMWoYw#~ruFmIDYU=8u)& zRt_a%I_wLNerOeK+)AF7pEgABraBn-n1S)={DkfI8lecNvhXO+a?itH>yvIk4RkPk z_PXbbcwU82zxdl(I_8cMvU^&PI_1_o9HsS?QE^d*6vB5rsiwEC{w^xFe*+h0_kD-U z$TuDJy}0|Tfx2x@{%xd7okPRK=lG$NVw}y)S?%`-#jRac&9nf6?Jv=Bu*XsE?Gx7D zTy)g$zxRM&=KH2`b95IJsVp+$-tVPOdf99lNdL6E{WDQ%RO3Voi8f|db4;-{Z_gnt zMXeX6)LjuJiC;9XQwEhy-uoPt(<-POHxw$WW9yhx0=W|>9M3J3f=`Vc8u&9esQ(zU zLvya%t1?TVCJPF*deN;%@nGJ(2K_&6#R8J#`*>cjcZ<6$yffUx*KBfnmO+?!J5ao^ z9M%O2jg%nx@kgFL-BEYKUtY{9D&nEY*8VDmynl(OKk~9-R(-gz>AP8IwjW*(zg#s> zW3;KNkn3hfpLiLN8bzXS<93_w%P4JRmSb;ZR#&;}=8uBwJDe5mvL{Ie+}}Q6WAxUy zGN&Zv=!ih3#MsA1YtY(a#Wo7GrK51M{6^Z@lkeFQo^-@Z_F80-sH38)TjupY9l3yE z8VzNf{)rzK=07PnR4KlnjgEsu@l9K?w7Ii~Q1ChLz<`KE^+Q~A|7CuN50SrKPaWK> zJ)S~OL4UyG_g6~z^9)m^_cHI*wc?-36QDYJ!V)%F$lONyt`otPcFNENzw zn?(qE7tu{cJBBnPisIwr!OeMeu9Io)R2AxK{U&ynaVs-f{$s%o+<^9$c*2T)CK0#k z57MFanJlpy3fVl2UkVkIa8x?zc`V=Yxf|CK=qIiVAu;w=Y(3pRrfcBe0t@S}!SP^o zmJabu*~3rQmL_yJO7qI7z2MJE_oKP(-{XQeGi=r7kPTmj+0Def1&j3OyRPr^2jJN8OJz#q)5BU?(Y|r{TtA z?(a6Sobq%NHjU@nzr9~_9lK*Fj?g#b#X4)8&S*`~RW}#Q;Uc+yla;%-OqJ@O>TYBL zj2zuVS2Pg_C7PQSQ{UcbN``ha5f@2@<|n*4TS~5%-t;2+6AEcg`bCNnn!<#RjY0AG zzE^anq$QSlwRfW%6Ib_DldNOlNei8SbOlMVMQ0v@4fgi>GJp&8ESuWa>>{dn22o6W zxn|Mn<5w?1WJ3gtwe3rp4BuY~%PpJ2?mY$<$hsyxtPaz=`;hutyiW8>gkGZ{luUZ1 zsFof@uH35DWXh3JEVs4L7{ahZRGKLa%5l^lmKc6}cPCF>sC9;spvX1Bf|;kAt?iu{ zpm`FbX5VgN$x|o$oYfxf$S!G%3PBuq`#gC6`a7_MGH)0V%=g6DOPx$pBQaG%J zS9Y$WAO^**ffA)g@eVBpr5#!7*h5DIn#iOJU;Xh&x3sV&XeR77 zE5wnVp{ZBVuhfOT7*A_#t{++HA03{$x;M2bW_}f2Sh(5|S)GP+BQS7kB5Gp6CsFXj zLfT}+LStKU%Uw^%cW3y%ioS5bP+wwquP8bX_h7kUu5LE@Ky#h3?qMwtsapOA!#p72 zn#mGwI#WC8bF0K=6yBS++fV!q1buLKv_iG_9*amRcV-6FmQ)XT(>D|(3KYz0Nn3b( zQe<#tY2rK$kB9*1jo#?ONBdiMI$ zO3zYl#ZE7h@%Bcdu9CO&V{eXUrCkm!%dC%Omxg3m%S}04r^qnPwtm;LTC;BhX~}xj z?9QxO1<21@s5Dm|&^U&6Nok}xF=wg8pqS~a-F6n$zCB0yIlWW#&u5qTkmk+1|2o5O zT|@&Yo5Q;EnI3iD#Cdtc^WzXV*{xo)EUtSsMMa^F8L@(dZ^EFQcbg|~?)L<*tl$mX zQRl<2Zh_r;8r!^gV|lqz_*+h%`%mUM@nC*r?r(7qD<^mtuIo_X1oyANk))DW(B8VG zq{|otk%nIE?W(>;Ek9bTtiu#N>xucoy6Af(pDqo(D)1hthiisxn$e~iE#8AnKZk4Pzrkgr zN+g&296Oc%Ca^`f*IYNDLNXt_h!LC4o%u7^-!!wWfg@~nz~V&k<;PfWQ`+X1OIe|p3t}M=SqO{ zSZv6EwmQE-`CHOHC5CM&z z{n|kS4mKp&YD;-{d%s%d6f^bS+-3B4>am=Lhavp+8iRaUh`Td-?}%~Q3n;0S82bS3TKFjv$Dn+i6Mej=g?FpOM1lh1WQ8Vd3`}c$@0b^57 zMtdXf$M0W=McK&Yv(2=%*~}B8W>E_5C}_q_v23s8Xl_N}g(CWw*OekoNcGrJu^ZT8 zTGTHX7Du_xne&}|K*ec)sR->03he}FWqt~UG3AgjVr$)*?hA98kArW zWVeevumtkIgZAWxC@9blT`<~r+MHDko#gkssH}412@44oQu5-^zi|xn;hfVCy zC{yKv4Qy&}yMzC)hc|r%bu@Zn8&=y-X_GTmG-YMx?RN9#!|rQCPrDwBk9jVV(5+fV zfL+O?RzQkL@vHkx=)W{kzo0hz?Tx1Onx%w3VAR3He(}xur@rY&<_Y_uYX&S*mp>tEBi3w zD>ubPC2s%i?X#EYxq>;27!#g(_jmg%!?+Zh$(Hbgxy=r4o<0j}mUEm=6LKcUFWR~K zA;&@vk|+Jmuw3giop}@8oxj^ZXoG^n3oUCy4|4yLmZo6Q((xCDNV7OhZj3=QCcmi0 z-`IYAEX**h5jiPW_LJd;qgJzw6Fb|}6+x1ZH@JsyE6KcsMlBkCyy|wk4TI2@@yR59 z`rVx1tbd=yKs_q#tu2Z!a>WRVdEQ$tr5LS^idvT0lv-tPA+HeC@osLs(jmh-cGkl> zofleceaStiqxcfTN3r%YNq4|wOdBcv*YKaN6gJL1m{)tRZl86CiZcr>e<(wO_%uAl z!s;n~U6MeWd~ql!Z119YOBf=UEiPcSMY+Hkss+R!$@Sj$Q>?@N7&-pU_5}=jZ7?pu zUYWQ5#^%}_9lf^}7vnO-9Mw2kdNpD*w}ijS6JmG=w2gJ_oB1|O6d}AImxd+Un|_@d z7#Pv39MBxzD%^yVIfss1+59br*^V(>5gV=4x?)%2;1ke$S*U`>2tsEQtTwdrDPE1hR}o_$yn}(uj!vJwt%TzWD%b&yVWg zTAYG@T5*!7oHZve3a3ANEVx{y-;C=l4g7u@3QAr$%$K5pR$q*Ol>L6{S8_Dxc_b}7 zb#%0LEF!g~f_v(iUVKs@q0)@WbPhPRc<8Ga%?mP5gtkI%{QD&|bTz6^R2@vvS>nIr zp*My8Z7^5EezXR9Y%+@wdS8H;%v)6rA;(KE>>sZUxNj594Rd>Tej)`x&qIF5A^$$0 zh2BeJL;pR_$Y-30Wk=s@3@)^@uhnpWJ9AEJLHbFqY&kzr-V;nL_vus$hQu)-@bwo?=l;;GF%FTl}4U?#RbU5K;i8H02J@b(Kh1v&ik(i z(0e$*KWvO9oj9?Ut6nX}W~K$zncaMN+}}Ll`z6&bA(f*Y9X}a7*BMYKBQY^CLqkJd z-CXPNhTTqSyUpWdmu07jFJ|Tm6f$A z-8TZHq9{oqZSCEclm}49&CShwn;qhkl9DLKTZlug@MY4JPWT z1GhQ$NuygFyh_JhpKr}NEnH2^*wi3>|w%1KSXIP{nCqlFYZ3LJToYD+8}~R zLhuakDc(+*Q}0TK4kW8J#EUV!s>^{66cZEEY|6WL*zP=FJ9E3>R%bfi{(qhFd23W@`ljiG(J&_%taC#FkaP(4N z)-APx%+zkgtueY+0-BUsAP;YGS6R}^-`}55?FI;O~le0tz!5hyDm%Y9p3n#xm88QNCbZ{Ce{qBgji;~%~mH%SIwKp3mCh{ub{CxH+fUmZVd6nP1{*92zON$Bgg*WHAsQ^?j1B7NHrMmkvSVFl_`SV(}8E5cA)VQ`uZ1 z#kg5o>f>|bfa1Q`GogR2#fskaPHYhy@ZfEy_Bu1@5G@BEpl=N2r4Z zDOWB)_P3e8n1Uv@T3WYzD2E9XT2nMor;FTlKJFBA*WpitC$4}B549M6B06aQP7Fea zNEScS^)I%?d(glNu3Si`JYTHpmuh4JP{z8 zFb`!s+tf}+4ZQvn8feM|@~VIP+u6tfA9oXc`G5cN|7RoA{=&H`ir%Y_-OMb{K3cKO z;(wXF0X-J6$z?NDdydhPYuVqLtA)p}bFd{*{4aAPC`E6?N-DD+wz4FB2{jw0m~;JK z4+92mNClkYMTy@p6|bIh0c4$=ANDEaUR0HS1 zcgC5wto8l;ew_1f7PHLL@B6y;-q+r;7s=k?EM7gK`(Ni%q6VxCWfM*X*Z=Jz{&nQr zXMsz3Ap4o(e|`KTtiZ=Vwk|sKzZSB~XMjt&aa)`Ge=RsKXn_UC-Xmp2{;%`@$2GkR z1h$upmyx9Z<9z-Hmhq2k`YH>wgJ<9A1pZ!5|Go+QW57MI`u}*e{}(*Yv>VumbWR+X zFP`-tz3EqLqJ$K?&~EEA(&}j&TaW16*icgKaI6YB5A%}(GG^4&6FS$_w8LsIaJ+PQ zR3qePF7dP0WP-6f)BH9E&rour$T$ zEJmh zhAqd}jqn<5aH|17j@dL2f$+GKlRIjd`3J-gL!qo^Br$fg7sBj=nCZF`LB*3;KQPKX zuW);s^6XDy>V+&xt3(S10#a3N&%0+fSAbGEUwgtng6>?vl;^sqvQ_3Gr{U4aKNpl= z-&bJb`S8jFHPs$vmYDl}IxaQk)ly=hYMYs}TwqM4P&Y(t#M{19IECI98tfEm^|Mwg zNM;~SbE?z#s-{N%ZtJUFYd(4kvg*;~*zpk$*xLJBcDQSP+pqnB`~vU%XNnV=^WAO; zYzdzjk2SVwm(*5_C7Vm;_H!1yM@0e8%jS`-IZ8Cl^t8l_8<)tBM9yAgSRW3|KAcJ| zytoJMdq3W*0DZ)n6@$4@|yF zSSngwegRS(*^Bb-bPe(rH}b9?%@Z6IIovsHR#N+bhzyY{``&ctj&8Qa^-1a<4!Spv zdBgRs-Zc;Z-L3vwH2As5m-5|}CU)biz*T7}(Uw7loS>2?G3y?7G(qds4%#S=j4yMm zKT=ck(V6C&J~i(-fY_YG%t*Mbhf(wUTE6>;#p`hekoL5KYb7#*^`)Nutskb${Cs^B zx5X@(N7EBiOp9&6%2thEqd=hWQOOqewmr%8lr#~Kc3tbpIt&g{$gkK2U+m&BDD98o zKTILo6Rb&(C-V-nTy+K4-tQ+RMkncNPU`r4$~^S5)lU~5O4Gqws=34`rWh12g~oRI z(rK2u`tAur+Osx}6~xczuL_Nm^o>IjA_K-Udm zH{5*$x2|6e*`7VFzi5*q?YxdH7_aQa2v9)P*H_o5d$|y0^YPqV+(yspO2HYMHZg`}k>3m8lo53&Zv}v z?$MdLm-3HL51&5P(6cj|OImG`=Pfr1(fF><$fUMST06n;{l-hv362)IB(Lo_GLH4- zb)CiPg7BIHn)5+ZX}O-gLt~jUF>s*!w9znXrZ;hbDm;Wj`ZGw?sq)>b#z%rFyA>BT zHY7Zt<#+Q|Uk5K&Zcn7W=^3nwKMaj6t=aU>qsVyl(8&!A%Bf*UiPycFMq0>6a%+D0 z;o>0mL|7~A8E-ivM{@k;gW35lPtcg5p?i_kGjW%FwfR@P30(Ia9(ubM)s3g}phIH@ z1SqB6bA)F5N-^TC5oA1oo*D&B?qS@pLEt2ojkn$3y6|nGOb`(Au1C!?!W082k!X+5sA6w2X`NC@|EY+UCK~K(*o*W&&vSPbo zQ-Dj$do2L2zZe%wa2FE6r7A0T_jDyAvJDBBQQXr~P&iYC%80sV+R-}#|eX_~|C#}8~;8A*7N7n60v{lyy&V^h`kRy=c%;BAiabZ%LP&_QHGQyj@vRih8Oa=Wg9Ft{>}Lceng` z`m{-oejk~KojW;r8mLrmSr za-jT=}MP3lo(kZdeO7f!214#*8-T6Lw9iKZj1V#0``UruxY5%?IGlyIN zbQRey)pT-87FdTT#4?3iRM{cEAW|Vhqf`LI_~|}-z%i#i`-RY)#tv+$8734-8!tTI zvS=6>s}9||I+bDjrPXOwKUq)5-HEsId$@0uh*I~q+a;+x32wGLXu27Lb_Jun22L5z z=I;i|g5AC@6ugUk)$Wag;hH$qc@a zJ+!ShKW6X|(5)~>Um57xeOvYx>W2zUIn=p;1Z5?O`z9gex6#N~&bkrhxEu{&PgU<; zL})eOOW?;Y-gdRh*UZF3!5GB7DFMRgnCFeJ!|Wcjj|t3$ol`MPf}uc+Jb)`dnHoth zQ%}>D8zd%H!j4nC*501NtnhVZE54aRjilqI0Lh}h!bf-a#E0*QK~nj-o!t74yZaJSjNP!lj?f!<8u?UeuG!oiVmw2mSyUQk z=^XX-V|6Z@?m}&mXfO4>SFiMg=!tbN^WQOuU3E9NgW=U}RCDjf2UfRj_Na0q&VHTDn z6=U>And!Qaz3<(6z1)`8%at>xp-JSH_@_fx*1ud!d)1{n1-EX-A}vOrD0fEcBOWzN zf6JgSwZRA;_^zgR-^!{xh?75o$C4nAmkV|nwS$`aLqRxHPv>VEZHqi~YfSdLy?Ik@?W8#Cd4&MRVQjnYhiUR~y3))&2&|JXnp@&GoY+Vy2^ z@qLr<1qfIq`{Owol)i(tXeNJSV5%(9TL>9nUv4B7w`x+bYFWy-o_wZ z-0+*Po3iQw4xa2egaK|_ydS(=Ic$`nnX$Ml7g4SIG)B7Eides?bQ04yhO5^{EZhd? z4MNPsZbLfx)(R00Y8q7624x^rgKrg#4aaClmTbfkMM*(Na3Jnch<_|%Uxz+@_aajZ za&g@4=}hE$U8hz_)VeR{tYa;RQsUxd?_d1o?_%*CjyKg>mgpq3uT@(rbS~f%o6BY} zhrD**r{&>PL+#sD06lHN%r9Co`f)FOd$-0(J(NO)1xJm8q;r}akO)eGaaH3p zUP}so5gYm%7RBBt%W1ZTrQtOsauVm#wI(j%INj=ttsUWsN#R{gcP!~*IU$%Pa&?dW z`YTBXmXP33O5D(c^5?e4uXP7|hF{va%edtwmp?CA*eHQUt}@#C@&9~VS-+c^8q|q* zE(I&u^fwWLWGpZJXE)w_;bP)PXvL$|bPiInmM|O^?xIMi^tjZ3(gTVpKEtDcjM6@Q z+heMMcwGFL7*G3T-f=(TLaJR9>MUHuKBBk&#nJxWS*D`_45s@2%emmN zZ(U{?1=_HYT0C(GBts0Ih+Hpw>%!)-oDYI(q`rzCaQ3b;Tn+QzW%th+M_2@J>lwDG zceXwk(IAN!n*-%4M9z`=j3$4F7*&eA(5)IYd?$!3j4}7w79&sz;ZW(=q@Q$E>@bgh!9cjB;2Yw!9>pM(5>$Yn$0p1P{ z9*WN1rrzqFwWQkv^0w`IJbr!s+BZ#)a6U!7se@rue1{_=#(Ff@zL+kmucAaZ&#jE+ z6X%Be@aM!)^S+|1f`zTHIjd)m&wVq$T|U`mg`>t&?_x(|s`I0WQYNqy^#m)6>N zO!G~kk#U!`ENt_T%JQ*i{C4&~-xGI$pBV-52Cr4B6llZYb+(FAew^bX-N`u*Ghw8v zMUkW#c}-z*2cg$r=1K0K>sBrF%F`Cy@}n?>^*}|Rx<9S7h_x+GtXXjL5b`J&`F@p$ zy7$3#!phI2AfOPuqxhurYU2F)=SDhZjfTu%P&PFG)n_3$Z}A_KB~3%HI0i*qQc$*V z=!-l8JNg|eG*#@--4OEBd%Xsm*R&KBVN+aSFFm-d|NE194q9`4jiHqZ& zUSR;IDqlgb2fo&sx8d+p!wFC`aOFSDgKS9pfv$3R2o0qS6Z7;-A1#r`-xoaVu4?_6 z|KIO(12+xuVq#yGF7$Gm5i>_aC+yX%>6DhXg!bZDX)vRaN#xnPxoS$iCKc|<-b=1! zSkAIO#n3kt*Yny>dmmwwv6vyr68*sVt2b7%ImGZ_WnItDrka&4on7w?bD8qb8J6MU z_^b`r(m^!VPBb69)iS@L!R#rIwAAbL;wt23H<`dqW(=#Gelx6vlqFI zT}lo!I1Df{k#)zqRU3Fe2){$NG+G(@tS34b`yfB_P;>i$q82w$$O)<0q;Rk(u1ze% zlpIME8r*~g#&(gW7A<_Q_V&b&-9($ce+qQ-2iv?u;%6X5P7dF%@(u8R2O6h1_h7EQ z`&Z)%J;Wz~j?WeSHXXNQ=8ftcdLiLsp{NLsFtE6*wC8Zlnc9SUyr-1_Hu{maZa7!z zSYA=*R7gpoGUTafWYUOwL-p@?W#9yxZcI>BVtK}6=z{Ny3?zwk$zk7(5JeT zv@s{_(h~jB8kFD}lP|6Iz@hyyXSn?~)?@YCE}PVQWZ2-#A#c5zY7ZBD1j9K2pm>z^eE`R4hj75 ztQi31{=b6)w^w5v{qF29h*kBytP5Dq!@4atB{b$X|DC|Dyz%c?>;+w#iN-|~R~FY3 z4l=kwhE2~;+m|GWKN-0|X%Y(%6B+P5n8#D3h}XCP*)srXZ{STd-n~cz(4@IJGA<+d z?wAQv@@|mglySX(_w)33hct;94J!_7-@YAsDnm!fR%RUk{G<{qfTHLt6_Nya;E5ke zmzPKEAcfz$yHh{rBl=4eGODT$Blb}61?SFdJfi?X02)lOBqg=(0jW;gQ2&Yd2kHZA zc|&dx@-Hs@pRa&;8q=shnc`?GXzC|C7Es z<+N4Q@PCrT|MtEnvYb*j-xXYv{&A?^0CUk*;7!eDb^9-%8vvNPt^gl^fpb=+>c1~J zzkVLLPJpt}j;Z?R_5InFky*V5ZX|bQzcK5-Zvwwit3M%hrN5+ye-jzNf0aB2D4Y0k z8{YqDmVf>7?Rel)im-s4;eQ`A(BLlcL{wf1CHy5r`RCJie5zXeG5FJBY`MpfK+GGi8l6zxd)*7pEk za$iTZwe3f)do9b(uiyNpoi0ZK&)|oro(=8k56b>L?+WOF&}bG`)~X}Z_V#wnWZ7h$ z-lHkI(VKE-SlKiB(^91(TX*}G4`uy~PKJ9Unc8wgh#|RWj1qiA_?+Svs=+b0oTBr| zNlEeMu=uA;)l!C_G8JP!!m@>0PyKY*wmz^G6~gis6L z$ENTukgBaQ5a{z>Qk)I?=$39rNrYN&Oj7KXfiihIB@K`t$>H-vAo1x`>|=<4z#*EN z{2uG$z!=8^35l`M-rtoZ|IO2nv)N>U;q(kWX_nUAQf$vdup#O=a@0+^2u46CnXzD_ zu`6DpeT!wJV1RV*wWOj~poG{1)6o~B53GAqf+??~($!5&CICa3NG7Q&KzemL#zRj} z{|vfxDx(6d7=g)SRu-0sWm$^e$0Ss1t4r>sZkPIZYj!kWvyGqReUi@MYjNbd%5EoN zeDnO8Q%H-;vbs+`c7mePf6NllME{0FAdpz87)-3LT}wuHtRh& zGmu%Z5DJD{k+QGb>ht<43%aW7#?hr;=OdHT?8?WT!z@59>E7Pnr}DjtY7d#ir7W|< zfrM7q?W*c(5Xx0GMALJDqSW>6u_M1@o|UGIP{>>l&!ku73>P?0(im=KQX!MmKBU8$ z0+%WoGaI|&^%(kT4sV%;&i?3>tSi?g($U#T$o_)T?aM1{1`;IF5)u$mdBm)j?5IJJ zrj5NQ!|2~1fb6Z)rE5klQ|Z@*ux6-3eKgMbmk*toW(RyrlNco5JCr*@$%WYYT+*q0 zX}nwseb2^oEbeBThVJ!U5ai+EX^UbG03OF+fr%a3?B=K$kd`$vVxX_DucPx^O#+zo z&421oAP_jgy1Lnu(3X}KCXJJmcZ81=DKY`lEG+U;bEm@tZjnAl9BC+fdwX1^kajN! zdwy(mbQDPWK&Ao;t#n$KqYPo zb+~mw65Z^P$9wt44ZhF!MF*~=s3WofDd)(|^|EKC6ho7_7gOx0KyGiPOFLqc1k!e% zlBz}G`!4w{$(@>!PWd0%b3wpS$y0!#s283f1$$rXrzhURn#)s8|q_W|G;OCcSb zYS6|xq#S=OXl>Td*ZSV( ze-0NO&3txTBXM~&ptXMc%~5L{rp)_QmCNbi)1_@B7*YDP;OQG{pOa&v_o~{1?xEf3 zpi2b?B@2MLF*faEz4EicnLqxzW#$9Ga=;o9ANp&nzD1obQ%dw)`Y7VV#lROC)cM4j zJAKad!H`Mpyt29@`={j}!PeoxVBnXMrl~=Z$J!*uZZ4Z58;76w`_Yr0$xyX?ZRzac z&d`)nMfyOiM8mQdNee03g$00mvK|WySWglv8Y%t#l^sxqFqWKlx>I)bM z>mmffi+lkGDwfcj!Y}me{c9~m$zKDKP_3VPrxvK38EG$}iB%J}16(Yu_^s2yw4A5- zrykqgB2k69C5!A*2S>TDCDh+CPb0lRu5U~OrUDL(t+jSbBT@&?Dt(Vr@Gs*7 z(!?S%Apt<7o(IZo5zs+G-3D$Q(t&GsFt0uP7i;FTRUYJhRkMR&T%|3{hR^}aNZRt5q*SCh6kJ1w zxT9CMMTdSY_;vYe)f){zJov5RNRsxWh!%`I$9r&k7GQVmwlZh}49CD_0W-eSVPat1 z>PjyC2O582w>N1cI6Eq@!Q0)hFIsyKw3zyP@3-x7ayfeO?K}aW^x)%VRjeym%^EVz z54*Dp#zfRVC(rFO-~wXln`|w+@5zjL@9qo;!u9Qc%(g(zm21^2(?ak55}*BA(H{WN zZx{z#+^@=Sn5@b#QgL#Nv2Y{(9OuYN1@z-lBv;KmdCy}9Q8UdQ&9N)0YOZwF!Fyfp zPFJlf7p?szPgD#N&zg^VMA{mq_6Y56!|V!*nj{$gfefTv zjSo!%YBt#j9VkwmwqO%OuXkt`Td;PG1oH5fwIM+5#~UB2bIhLCT5(aBdy!9nxIA5vr9+--Zhp+th_y}vdPei%^Q+C1|8 zC0*x#0u)?0A&JsknHYLl`ptC@t59~erCp?odc`GJae@gOQ9_+e_57T>#30Y+IGW|D ze*vZ|IUs{`^Jwpk8_&bq2~GULCe-6K+t2r!iuI<_bU04F=<0lWO$<>rtoPp>21e3@T^U@FP0H1*0s%?Oyw9n2OM42W3{z#(fk)*a z;r0>GJTKM(_RgFHqbgUVvq-*5206Xz!NK;TU1FN}Eh2I1q*l1A6XxEHiiv0>CD>=O zc^rE4euh>e)p_cQGL37y-g=65QW{GIYT9pqd1`4Jxw3$sBtIaw^|Tl1&337}*LjJ0 zeqpVNhQC#3E}*J$@kP`|uF%N!C&b^S#~YvsCp-Ty{6OKl z&4$xzE(QB}_8#|nGyUSN{YrD)XPRe(6MCJz#%Cr$y{ptVtZrZv+sLD5dY+4mVkUm| zt9HYqyD<+V48TzM(8i^M_--d2-iwM#hirTkUfbdu@2jTQI~;H0M%F|%=ch{h&|kid zV3|-kmvHE_BJtHYVt37?INr<%&+*L_&bGIa^g6)yiVy(|KF7;tJ8*Tie!qp!6&eB8 zkpU4l2X6Nj0FIcmZyi4LE@CLoGO(j^RL;nQNOdS^mr-yqM|7VCnrF5YuZxgkaJSyg z75r%R&WA`C0x`$WmYlkOKr36{z?7zhqBj9A;mKN`@+23vn|OuK?}vrX#S7nsF66TS zb#VI65+0&PUD~2$%X+uUgq#&rT$#%`&uF@!)9DuSLYarjyV*k&MsbK|+t)MB`ej$CQpBpzB3r@Et%Ha<B!@z2d#_xM>jFC%++>;lMOCmk0@fCxna_}sO-J`Lsj?t1dNj*E*J~6K z2~Rl0q)K{eH;xpTR5N)_lTbBodp9R#M}y{Vypek;hZw*^-)N&|JCd`13l2$r@%X&X zU`W~|&MqRBr^nIW0MF5JOZfW$hKY$Jb?uv)3uLfb0~?(6oB%Qc4dpv!CG@(ncrgxM zXPY(lUU3)WOZQyzeVy;hDh$TH&U=Y`!F0J18zW46dbZAm z5u<;#`GJ{aaBF--reTxxX?+n$fA2%$bV|a_wAaK5+Q8blz&iHsk7=u_I~B1si9nJpCC3Dd=NsgSw-w=;LSjF*)m-uNj`Bv_4&6 zqLM~KDI9#QTxQF3P3K)5m~L8D%)e@8-BciAh4$(>`+i!&ff0V?Ze@68>~5d3NrQsa z`z`LcQybyDXa*7Mx33L-TC1KmN%Lfy%V?J5+ggA)lCg3ZzMW3V@2FV{-PUnw1=^W( zARPeB+N!+>T9b5~enpXZU%ezh-=IW+^0rN+7msU3Y`3Z4n0w%fKf1g`M#FuHvMBGX zAECJa`naZJeDt)TcHYIF>VmHA1Q8bhmAUsfJB$rS%-^VXr-*R1c#WOafO;NQZ>lKm z?9%%CJ?I|eI6@-iYjM~UEfu50n8<(K-Hw7-+TUH+#rmGz7&SECiM3-jEw1L+oMKDyy z6DMQg^7_4`!|4m%7`oabkzxJLdQNjdAW zS&>D{)_kX0i$LU@R^ey%fdW(W4x7+@h?5d~FwVAg z;s=)yY#~(UvaOuh0po1?K;WH*MwGZOG8a~0H&NvVjL{fPvAhic+{SXQ>#M1C%UzQC zoMvX|D_dLDh1e~y27&~&M2Y~9pGR_hxQD-6^kfS#)b`Yj{T|HPXzIM~r*^DRmf6FHffiHj^~yz6m+`-`BG$XpbwD72f|O~1 z&VU`(;_8j^U)nKH26J0Q?yM}Z+}u_UY^}n}Q&K2Au~*1p6Kkye(ok9Pt+sC51Qy`b zDnuykC&OQu>FWHk^U}=3%sT0D)U%dbL#@Hrk3?+M_j=McAALgfoLez`q?Q`_(o8g5 zlVX~wPezfpl-x{WoLTFtwYVOi<09M+t+`lpD`C_et?8lyEUc5oUsFH&Iw1(lWFkTn zi2?$IHm&FIh?*M7Y%K}|Fo!4ZQ}x*nBAOlf0`CD|QqzhhCFMa^dTf}2%mH(JIK5$q z>>XG%h^ka)DdYa52k{nsF0pT)qtvNdu_#jUgx8X(FCCBKY?iW#Q0=cOE1m_$mDzSF_?6?pVe6R7Y8%DQ*^9PXq|*R=8PF3GCXtiyV9V`%skz~AosMXCQR?)S6L5^x z&DC`(p7fQ$oJA+>wfQ>?w}`t%)6d5ISoJWq{dX^vzub(cQ|+)Hh(T7KV1>6=m!E1T z=2|ZcrXPe~dEk?r&=MaQ2K3QqUXzAp$l4`ryEflH4)l55JqJK< z75B*_nTL-v?ere2+AfSxz25M~M8gX^4#(v_d&`b@;l~mp zChG_FWrRy_z+{e}gm*@1PG<10Ae>)J50-oE61+tCoQ-n54$ou`OkD$!^Dj*9r1yVyG|RL-?nNF)A;%vI=23}gYo9FYzRKo* zWDC1OrXpLCXlw0#7@Vz}e~Gm$b6S-$h%>Duo$He_;UV~C&hEt_E4MK47Oof@%#Qh-TU;3 z)ufubXZS6zsW~aOp1t%3QtdyIxM(*jnxrbiY+@5GZ(C$Zk9q%${fTOZ(bGa1`0;ui z3u`GHbjODydc_NQN=j6GtDV1S0CRVM>ar;+3}eJuvo$?8b2}aCK_uoi3iPKW3;e2b z1$AVT44?VrpdRFq<(KjmXr(WdN0LXTP_cuKz8P-JK1zUViRd9noFdjjYnxL0cf=vI zhXmgA1^>_rceT{ruRW7*g*U7Vw-WP|q`ZMV$w7)q!{7h-d>mI2L-8fpqguiZ59Z$}zd<}mi-`@HIHi@%dHO_ez{Nzi0RTd!HPx) z#uZ(D>s=4`kR!B#Wh~?~LR1}l7DuPvK7l-x1yAMaa`uhVYj?m^dDsXRi+n4x!j}`3 zNvJ;HK75bJPOA}G)TNXP@Rw^s2v@UlfH7{i!#lHAhD03HYV7TsW_^c#-lBT9%l&OJ zj6ZHK#pTcXp<$ISqkMF=cF$N0Xb$;blDI{1v_pmx!|JP&Swz8CQVci>I_lDFU>mBb zJzWfmYK)C0bdAX+CXJfkm>u8nx<3qi@#yxF&PBwJPZSG1=r_CR%jvIgvovbO&JWC< z71w&*_Azy}udjRL-)8A|TD-O~11;YIb)U8A zL9*4?Ne%a}ee3Ouk<668xHF#n%+S&=gTFa0ot}w8N~Fze2$be#x$csmNk!RgCT03p zlXW_^4p1oM-%?J;Qz~}Ig@)A%3(_==Jox(=*DcB_hD}mt#K(q|@{wGnbNc3TNh-8e zT)T##joB@78lliLHGZ|@qgA&Ym?^QPJA07i!J5d~;!$of$m62Uaxv*Mzv8U6;Ol#dx z{{|CQQk$pQcMwM#xrj=B6t%IGnm%9UoU~UQ?Wm3@Y{qLZ;-5xZ{I(Ez)$kmEtJU6e zx}8#OC65|%r5{|kAju~&jNcG<71p1+W~|2$S&gk%efB6|*Q${F>Kni%#`ECS(IBB< z-eo+ylIYZI&YCZg0lMsa+*i#OR4>z4|0!^6&DeOAbHixR@nz(Sv7Pzevbhq(^H4bT zNs_#u;+LUCEQ(x=qj^wr-+1+*c`-RQKd%$(Ce!(IfoI|hauYm- zxm^>UhcwT!o7KtY)bV^aO<9DYp^8tQrKcBc*6Y!YSLx^mgC*^VAK1A*-}noDc-24# z41=(q|26|Wxdv{!zKW8c;f^TFXi(G`GI9F*!E}xB-j*1zA8LreC0SUzA(Bfg`ftCkIb)-A6n5}QBYLcWI-WJlXftu&(HYWmSpoe|I+n8`-Ql z_tqFAtlXJ@YDcB%T{tj+I339FVXWcOC7Z$9d8rOO}`2C29R4A4+N^bTBu>oq0%TX zgK{NlXeKqSpD~mE0GjP#lJsj+S6gQL}tZb!>{4&AChK&E_rK2P5l_3bS#D!tC>VHB7TP0rI6DHhCf$~ z7LklD)uWYn3qfQ+mnte$bHw4cPC*(b^Bk#zPWC`tRiJD`l`=?#C7X}3)V;eaVtcU{ z0f*xat*o|f-D=JY2@3<5W_)by{rmS-4Uz$J35Y-WX$5c@A``Bd*wlaYT|vMrd^Y)C zLqxZ&NJG0qi;bCqh)24MX(MxXE7U`Io@#bM!fqyAsI%#O{VT&YecQ{qlJmg@cS6Fb zrJqOd{#><|k#L%QQ@i!~^XE#J#rXL6Nx;*BsW<$m3{n6c09bhRbaxXMMCxtph018& zX*X=_$sDbgRC{bd*7M|cczAeuC#&36fWh=nc~9@Q_)428Dk?fSOl@wx*ZErX*G+8r zN@n$)?+k7A^T=O(X`(g>kC|rTvOXB^zxPot{bx7{8tzq@Q>Jkc`wL@0=Z6PC7S~fQ8(|D0BKv zsQp(>hv;#hSTw8V<>50#@uuJ&32Pot9@&Q=SzwHEGI{&rZWCOPU0UxRIp5b*RePJSaeM}Tz15!r^QG9nj9}V zb@maS@+)8jw)jL>5}qFi`x3+?nEK$n%P!e1dXC7Q=hg;+5?8flu9qxXi*gKj_SV(p z$OyuATGdv`IuJV&mHzTWWEvfaN$-_>J;0i-^`?U_;J+gDSiOEASzqlT4h%HJKn9_K zb@lG39pIK|#R6%IWW;QW)Yi_&8|7(4F-ZYP(6KAfnx`LhS(k!28ct!No`-|Q7s9Ub z90KmH*3qKb&n`*tXAA_|6;vwdBK2TMML7t7#i=J9uY1&wReKbU930gR0ljW!nujv8 zYsROL`or9Mfpq-i!=Kp+rrPH%c9%#us#XfTwilAhv(h@R&LLQ)oyB6Vq)gNjJ4X$V z)@~}jv{pY{x>PeX*C%u6Zqw2`V+xDphoRm|NFEZs9}_;j7_ZQpasH~srB|Q>&wDX6 zS~zY%90DR2^QG`u_&L*FfDb$(d<1qWocC=IUviq!T7NVAV<*6Beo0e^5F|ETugeIg z$@9J|yd&@P^G6%#Gj_Dz^M?hMZ<+RsHNB)0pzV-y{{D_5CMCreFi4aFh;fw!USf&N zk>F{G`lqTaa0ys0Kb3#Fe_8`H43qsNX^V_$EZ5lOQ_Co_P*E}NT&&UwBPI0+NaXj1 z^Ou#V>)Nt_@zU_s_PRf2JNfGKrhekA75$!KFI(!$0G>Qo=>e{vPPyZ%NDW{ta!R$v zaj+X0p`mdQL7fWoD4fv4IBK1zE{q*5r(sL6@$sh~Zulm+=lX=l6mB1Ln#(pAj9Q5h z0OhA=Sm2Md-hZdd{*@*6_(3{rmG*cB@$~HorQ^b$>lW{;%e*=V_@C=MLij6mkb&xS zX~y>IPl$#7gk0sRyy$x=ot({YY5E?O4{;N2Rp5*u(*r|K zzn`MXa!4aaNsW|Cg#Ei&AYBk&o7-Oe=F;-VmG|uk)_dSf#f|9Ynet1#1%Q)^LLS0| zIJ)DA+8a5|b_HHl_N#+2NW~o$v%_d6TY?`z0~$Hh;_%<#6>7beR`%efyv>!(nPzcK zjk)qV0?*MEEeL% zm?!c&pN`EsXu8ySu4bsJ)h`Cj(x&tKoEknC0@OWz6rQN+6&Ow40%bV15)bBJ6a@@< zn#kRhz+P^_;IoJsTV>|1=q&uJtW1}U`ja~ED%&w}0+8w^FGxuC$FJ7^oafV(ErJza zs?~7@JUUSr9Xm!#d-h|^NyHBiAO|Ms zY$sVu-UTXLTd}PXm`YwIvbX?zYeE zSggomGxPD6S}o;bV3z8r+hKLr3$7Xq5Bzk>SLi@H5p&8JJY5+I{jFj^u&$&~e2V-Z~lMLo>J%YA;}hhK)P zdqG%eB@=Xexkvi?7HV9r6^e7K+LyOOLS2kS@-|->&Gpps@0R4YWww(|GzSR2z7s<2 zTAjjFeov|$7jVvSPx=!`F-F}6R=uNL0G)IAqY? zTHITIPEm|Tt*TOYKKx?OYQF{ng6XBv7L4&oTx}MIey37+g22Mr;X03~UYM`aUBupmSx>^gIeb40xXHB|LTS!O6@`ZD>eHr-G#AcL58bwl zn8oVJ9-x~nx7SLnZiI^}N97#CkwM9R_1=DfDgAN{6eSIs5~b}mXz98R&I12)(Ek}= zoO6@*dhjm*{nM4DC8wWzxpk9uPEhfT+udHo`AIP`%w>|txN&w0+qge+6XIWgnQcs6itHnF){1cN@p29*pPw;*X(#|fYj#fHt%bB=nYNfu_S+aL zk@}GLB^G>sPI;c*n=OVuv3w_hD{7yS-}2Qr9N)m#`vEhu+*f{bWxD5Mo2|N zv%69a&{wTKc=nRP5Tc`fa@1Y-t>2zN|E>j5o30IQ@X;lj;7SK)VB~2$D(I!fi~h@d zF14+$B%xid?+zDyfk1$=JxEy2<2hNnT-#eY(E`NddarG(+*i@0_IA|!je->hmKMdC zeGgq4IN1Alpt}@mt^&q-ARnc&w)=f6lv2B88}r2Do=s2Xwm|5~w$DWR@b~_AT1P6) zGM9AEO^M?j)~PSSkGo$^9a+Dgs$j{iaoo|RUL|~WANvZ0b-r*!;~_{l2Q+I#oAmAj zKa?(CEE14pxfy0ObLMF!HIqMwhfDjNT5|{3R$g2g0jJqn36|oEfRX_tBHy2QRzT6W zKlZv^)BzK65k^ff@bDgY8UJ5)2Z2Qt7bRxR^XRnxoCH#loq2VQ7b~d=h_ddFA(K7} zc^q;3B7GvO2G|X5%#5N%Uo~;JKmjq(y0G#{UXzt(GOKaPuIj+s1x;`_jBV1i{t<;* z9-LJ^JijF2sgEzIA@a5aZoZ5-zd$SD?U8zsDTiUR*N3igig}Ycx4I%c2X3pP!8Fcg z=bL|HQH!B6@4g)n%@NcVh^L2G3&m6;-M5#ZPmNbp8EB!WOyOAv9SDTe!W57f#37O4 zN%Z!PPfOZ-`*$ivDQ%wTSb#tZ`8a=CdPQG)#ib^z!qC3~Ls4M0o_RhT^=onQ56n%d zI)NGuw29o$OW&xoO0qr}PnyuRAHNJ^Hfe)ao*@{NaB9hJevi=@RdnK1#%Q8}C=wHz z}(t7+CWgg>ne~zf!1(`Q%B)FkQY_LOcF7PY>E$(+y?bbz2wIzhIRxb zx|?k`>a8LN@MMtrL-$)!-q>3cKpl#iod2Isxeyc9MywplKp3f9K}p(YI9+eob`RE^Fa0EyZMmC z?BL*_gTb}J`+}{TmS8ClgFuOJ4n$pZF}1k3_?;V_PSER%R2a-=Z3wf!zP)BCQ2B{} zR4=k0E3;95m{dezbK$kUT@Br0P(1&$NOBDc@PS{se;90587IIU!;y$NK3SV+w9`?%bZZbkLiBxH+Lx}ojG{0a*cBGTA51J7B{&R zu8bcq;fwi@BT6X=FRWyIlqOv!yOMir&aH?DZn&k{Tss*vbGu8EEhRWq*5k&hGglZ=&a)?Svil5038#k~z_H`nJIX>}Euv-k+bo#zspu7xQ*13XB-16jCV zJDh@4H8d3Su3h)iVFJ(GMTFhpg(tS~xB#)hKp2dNhOf{3)?pic`KyVf}sj?ICfO@hg{BuZAI^59D*UbC5m9y7iCc*4VTON`sdhJ60W{q>sO2 zbQhESwhP&!Jcuq13oGCeJ5xlH%z~-^N%KH@z}~*VwJ46C>tRLuBBLR_?7jfDqguOa zT2oV2@3h=%Df8e#(Qf*vk43O^o@nF+yERbeTI!E^K{%=fH03WknjC3@mU&q!`hT{; zI63d?{$pu1Uwfxs5q$1iCbKbNPm#%?*B*DSO?z|O*8X2f_WefT$JN`aZ42%*SsDU^ zgQvkEdCS#1_aFa0%wTZk_EERT|Kl$2Tjsm@>a__s92*!InOL#}I$qj*yjgNIIXT%d zH}`V;@y3bDN0z7aUJO`c_BPU|QHQDBUgF=k&ljt?^{@Zee*U|<-QVoDVK8^g3~{mf zUrnp@BKl0${=L`pu1d-A-jSs{&c%wI-l)8!TXfmn=~_pkE@l{}HI!|CT@H($UBJbi zcfCAeT))POHxI&(yZgz#`*{6XMe&Ot4*R^#7nk}Z?ymZp<AqPj$7=i&-TUcsW7}ZUm&03 zt%;a_Q+K(}k*o{n!R#UXLVn&29BJaz_#w`lcpXJu7JV@Unco~-)}BEX6g+QnxbY96V?8u9b`T@J;E6d zf0>fD{_5Qdu^U+~U`|8C+8v5l716aYH2z{elJ!+OyAf^*jIqFiabr}W^D1XFTY&Ok zxjU}DGQY-z>4HL_3m&zFv?E&%an37ofz?;@*RW!`;1SD_tfRau`2?YXhR}OOUmzj@1Cg#j#Qs5cXPkLii=$s;-8r;ZBc8(&aVPq6%ig5RwWjkaG9z5e7l^D z+^sJU`BdN`2Vt`QktgK+oHNA8DYj8ix$w4T41?* z6DT91nu-X0czlEalZYsvG#1l>fHIn1r{F3Pj1?RmSG8o!u$Z<4C=)bgiXxgXfGPt7 z1y+Yz;;w#X3s){U!HW!-V_*ocanNRo5y%R_B0_inN-0QALk`a_V8JG8f5Zx2V#Dp504$28-4E%-OtwdX1!$Lik}P^g z;t)6ibiwKTRc@Fbdju?~kMeKi!*ul%pbMUwhbkkx3Y@4MK7xwl_6T-NSAPP!;M43? z6EQrxpaPgMK02>y#&q>hpbLKbUd8liz#d@I{GoWw5!2OwfG+s6EDO`48galZ@JHaa z0;a1$CF=l356{-9wU4YK!QrUxQy8}|T%Vb8oQ zWq8_vF(fz`H{NpK+3bfUT1A1;`ZYuvBY+M#aQxwRjy)Hr|9t*S1|aZs^>bP0l+XkK D3gXe- literal 0 HcmV?d00001 diff --git a/blueprints/data-solutions/data-platform-minimal/images/dlp_diagram.png b/blueprints/data-solutions/data-platform-minimal/images/dlp_diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..76a49ef727ab8e203aeeb0447cc43f3cb9942f6e GIT binary patch literal 46304 zcmeFZbx<9_vnUJ%0wlOYa3^>I1c%`6?(XjH?he6&gy8NP+}+*XgX>#jzgu73_q{(~ zy{b#?$=NeI)6>)4)7{hEn_wvkLD)A~Z$LmmV1$%6d2Hg*%S~Ae1Y1^ z2=aiG3}f#BKg{%%gbl>SLEZ!RP$1x-SRfEDU4RcK=(~US0-)p|uYR=yZ~~1%!2k4- z0KQ-TqJYoKnBU)EnP7i=fNf{K`gec+(v`#2P73&fwh~gd1pz@LdHH|}%MhOeXudI) zQ?gSM7h~16G^f$lv((Y2aWc1h83n@b#0uP+>)UDLJDHnV*s?lt5dP}H3f#Xm(-PwU z>SAZgL8v4yh0kkgqmR!-Lq|hL$oU2zAD`Vu&wy2iPvFmR;1>s>k)53tD=n>~qa%&u zM;c2TLt1(k78Y8%540aXPy;=vZJjObw4JCeY>9pY`3r|n-&WVg*vih>(gObluC|V) zy&VT3;mbt-{(j?WXKe7FnJjGoEDKm5?aLEddKx;~|8AJRlkxv%*vpgO!+x#n_jK$p zz*uGUZ7t30U$Bz5Ft+3T!2WBF|8MhukYs;>#VTd&q;ICgXKb!-VG9i9{KNnZ{BNK9 zw1br-5x+t)xWd_Qg|0s>-UKW?PnYmzlzzfmM1Auk4~ z<}VS(OiAm@t}L1-%?Ebkl3JP*N3E*#CZ#dx4OIg0Tk66N4h*|GF~u)-ZnG0sl&YfQq0& z*dY}Pfe~~6zWUnf|J;EQXM%vmQN7tER*3#PqgRZ-?!W1|LBYwDQAUM}2>;Db^0wzM zCQ)8s050U2u}b`Zrp5;*i};HNJ}3l2rk*r6S$W9cse#F`U;X>>2A{hx%S%EBRrv3O zq%cnNjD|E}1( z4LMT}+6}Ml^}luTB4z4fA|Vp}gA1MxLL$0)@5T6!Ef_H%Bm+@F7~X%$j(-YJ8f*o! z2=p(d+oFJ$0KQJBe{j9YxciW9IJIE^Eg^uIyYB-rp};@5Q0$;032oP)rvH{eM+~$O zAku^Vh0DDPEmZ;D0lA1B(d%{lD}dF^&YH0j*5e0I&yjM(WJS!pnZCJ`}KE;LUG{Lc27>pUz56`9Vgcs;TLN$ycHZ0duAL{?jGA{B`69i2?9`9Lg5Q zw<8H1GH~BB9yk~&H0#J%A0sB&e?I->uCQ&SYv}Q>=My4EfSz<)2tni2{Lj@Bs?ruZ zq-L-vb90WFW+cUBX1B2oO-nkazf5b}MTEKwCTMKlDd)OytFiDCXF3q)(tL0$g-yej;0X^G4~)R3W>y%TUdBX6PfPq{d{>p<$b!V&0}R{mFn~J^Ha5W(ukT#m?HW`cqkRHjwq_n&ArO% zYNKb@T&_LE5h0U9sl_RkQaH$k6<6B63CrdwMe?Zc7rY3KXL=s2m$PFuK3fc-O~q!+ zA3xpgjv&mL)y%9onQm;GH#fVd7r^3F8jd^>2}Y<}Ef>fe7Ryl@f-+4f$WKjH)v($r zDMt3Zb}^}IU4#25FFSF}abHkS;OgRH{+_MdQAB6m2f}t@VuF!ok(G_DvB6bJgvU*- zO!}xwsiC1kx;DuuwiWmM$wt@hg-lTLV4ta!&1#OHIdk`aI+;!qlksajQ4baTl$RFB zcU?`%zCWfeXwPmwX`O36-hgwzaDV%xf)-E2j{uqS_Auq`r0997kKjdhcE`g`4{m8m zapF$alt~t0_Qh*;Ny&_^apQL=GV1E;mMxDS%F4IlpVZLJt`(ghU)jKH)f%3(NX~dF z%c?cPVSB}kD&#H)_ff2vt+CvntM1@X3Rn4L_<6JRSQ?XKuvjd)p!LXN z>AdpzjxbLwZ9h3!JlDm((p`A@JEn>j+wD;^Jaf~~g_q}VxG+$lsi$@==an<@=M&|tpkLgLUXSz>pV#2N9XD+|t6uaaWh4m?>S-^sufkiq3|LY5qao z=|}xd?RG~bm&X0vd2VRwUAMl3b^8M)wmz=QW_iFj11m3?A1EV(m=nXSw)`q4Z(7=g zjgAa6PL>*5>+4bHw|2|h?~gri;GeHsZB#{*Ug`aOAtt^bG~!quKnlt?IybNTaZi%0h@63m8alC}b#^zN~&t97j`cR;*B2wabv*2wc|{ zkD+vDtciN}i43VdT@L&4DzmBjkBoSDcG)U$GxO#S)dqT55b5!jt+fL0A9rdWdmA+n z>GKtdb;f^ml$A0tteMKmZCW0;Acw}}$VxyOmax0?4Bwz@cpMEcc&^)pX#O^~Jn>#+ zpAp)w=BxSPP0gQYN)-c&1S0z%(mh7ri%$s9O1JK@^M6FBZ5F*u^PI(+7hw2wan^Hi zcUMH%6Q4&rl)^A3D(=*e?EP&!A?DmB)qkP?h^xLUR0EM^b9;O7abSVKf?dDY>X!!d zMj%4aQ$TAJSAF>2fcCDOS)uUmru-Ub3cFF5@zPoK0jyS7Mo0c_Pho9heKe`ksoTWI z0tMyV%r-#m<$TF+#)98ow^%zdm43*r7$VgQ>&yv2) z9~(|(b<4}k9In@jiZio^OyMfA>FG?4!-oXu)9vDV_Yvw!WH5M0%n?*-bnuiR#nYe^ z(+ESI7P`l&mHtz!Ff;m2cP`XD))=5H(oo8 zo+V{IgPZJf_&iX}SGbNW_ZOJloMs7}SzCuns3L3)+bfz>D-_1>;73TyU%ZW2`mncu zyj-rU$jeIGzg;!RfpDz@LR=`fqAH1q{&2dDT*&)*&j7`^vx;cvf1dL zwEH>~-%l0Wl76pAtRJZxF=&0%zn7gcMao(dJVgq5qS+l$Dn40!F;z;{1Hxn=njSPn!YwO~lj)KtWHt-`yrh zaz-my6Sd#tl?;hV-fvGSiVdf1qO9zhs=B)B$8VS?np8iAZ4IOjN1Re#_0E+U|9ofJ zeBie=HDy`Kt~+!f(0M@^fxSQ{Vjb zXE!9D)~_-olIWIYZTx0tV0&9~{5t*ooM`DEIUvp@pMG-P-ulb%TtrVUkF+k<>Gm8q zp4_pB#1q1tta6R8*V5UWQp-mF^1Fq=eS|8E2GU~+wpP4Z z$KEs}Z5@64K9#QJWHt1h{pu=yf}ygz{tLTJIF-N%WhI;{#h4jWF>#kuK%Y)qZ+D8|R7@&Rwqw2FR z$XO`u&1q_q(Wv_BdB85supeg6ef@NG92cio+lL5+ZeVTF6|$AS4nzB}rKkZQ0z=02 z@FQHwC*r+(lfzOnJeN0PZgwRy-O2sZvyf7N^l0OWJO0I+UP+7$_XSB$6m2^E40tY$ zP#Kl^`Q`i74Q;&v;@=*f4cHGt<;esj`H9v|MqAbzvK8&2I+>+~ZxpxL4W`Y9MSU*) zg3Fh02uFsbpGRh6{d_|ID1wSAPYAc1e8JV)Ktuy~zf~CZ5nJ%-v@N4EU-0>^6YuyDR%Mf^w&scn zF+Ju`db&=0m&58Kl?$klZR4edzlO+W06 z<^jhiNyG93K=E@T8@4)c=^LhcxaqvjrBbc9alFP^(H)f~g(3UpJpxB0+ydYAYzw8G zu`Q-MlY@4fgUywKth@zeH07NZeGdIXk+gBm6Xu05Mu&+>f(5M*DQ(xMM2qQ%Gm-GI z)#bQ~dZ@^iV@crXW7S{ZkhfwZ-+EoZO19ubK_4WkZ~{ z{>bOJzeu^gIGt@iR#g;cJhKB4oK)0MrM8358CQ3Fg5hlENr1AC ziDRH!8($oEDO$Zb46_aJom5}J-o&2BI8m)NM;`;of*PX{{eccE+;P#PP-5o>8k^mT z@4O+N@W$zMIT_yn()2clKaW;(Kkhvf({|verB#&P(%*vEfseotlRI?AaJY?ZZ?Qu0 zTz0St7h~djQPooaZfc&Q2Geq3eY-(;ivY@TLbgKQQGM5d1WLy4x}XNF;nORpUP(sN zX_&pqt2Er?Oc`zK{!b-!otG=)T|GN7goH#9+jt$sKE0<+rD^fe>7@EJaI1$lU0aDz zEMQ;D?v5N0Tl5E*jN>ndKEW!9Y(keK-DJHTK_)n5o2#&Y7s2)XKuN$z=YQdw(sH2p z+%`iJDrtKz8oxskp*_EMh)t(Tt=T|ML4mk7N}o}5e;5h>bo&JPyf`~cm0M7RP1h|% zFz#)A8qXa*)UzRK80an~ClgXtUOqOENbQg!?4q(i+2_pczxOrfsn;Ug85;byc)>9k zigH+K+fUk0GM$}*V`*X9N8@~l;^aen0^+K$(l90?u~Yvef|D*F1MT-f|p(8#PM`BH(wEE`vcT)QqJZ;VY%V-wce@WIhj)f=zfF8cCh z@O6Af9_lM;nV+$XC=-xaaX_-5e((+Ve-!9RgLvv~ZdTAsNsZf75Dr2Dwj&;UYUIYN zzzDH(Psy~a2#3$8>D>AG$M(>E+dj^=%g?LG(uB{yV=OR{+*U$p?`kUSe?pZ^i(geu zg=ANEj8lTiYBad^jn5rr#6#2%rE$D1bh7f2XS%<_X`80Vg3^4ln6HxO^IaomBCW}D z)cSlcSfU3 zibXqrWi2n`Vp5gp(|D8hg3 zt5Jwqx3ktwJ9L>E_3b%S-^v}fytQ*Cidh*ga*6LA zg6&vV^mdmMOsKt|lpi{-oHAMrY#hnuLZNL`t}yaOS@RCWJ$kpupzy}d_4Lq|Hq@#Y zu8AD6CpZ|I5Zv*2yaJSQBMyyiP+SG)ktJ7&WV!3UcORo7yH7>k2@4QnqR`A-HLs~7phD~&LbAv zXB&lw$Lc2c6yNhtsiDO1=Z+O#)?1iZQco$gu93RweRh&qKC$@ev6;LozznNCn~Saq zuJ{@eeuBoc?)mFCQcH`RI+B(9d&nGf+n(?Nq{g{nmP?eyOMcF0k8KF!Zb1!S$7OfT zdCkiTQJT(2o2OMdl;a9d_Xi3w)V__-jhPh}LF`o;npA$N1Ss#fa5bpb;yzPju;Sq* zYv%}NPL_0hK~Yf6$C1~M7Gv$V610%a4n<|v)#~Z}N7e!^E@IEvuqxN1M3MF8{_F&V z4|`*+I#admQXVjvamlGZQSt49=$XLXtTa zKw&*fosr3cxDT1`&kGB;*pAkxpBCSiqM#)NL2Xog=(?&X99E%lUMhJ!{5kYE5X6W5 zU~XjAX+dK{tFjmO0J8jUr$~i@r@{69>1mT|i=W8tf7xD_l|<^kp1ry_!$xdALrS7Cc8? zZ?7#vkL1$^*DfNqWNH#+v!#&J_~i6Ve0)c*W4qzZaWi2HJBn!?-*xlPC&&`vw$sZg z%Mkg|b2)a>U$i|<^twuSJwBrhpWx^#t) zz=undYN;Tx_PfRkkf2eLE2tBi5;uestjK&b8wq}5wOsF7TgS2{ATOiR@)Sy2Yqk)r zDdn^~ItCmCT5GpsuczIlq?8Dkn#vF6&1;v#_E7T?zhGiIg@(_vLP+kU)R=X^*<4=2 z_PhzvaNj5{UT_F`(5AZGmQU18WQnHZpf+EK@Rrrzif?o{IP?p-^QHjCMcvj0hV%MX1O$KAHk>U#Kgk>Sv#puNhKP~jHdmBw$LUE*)rVyHgDf%cXuVWX6v5`-@cLdB2syyJ$;%rKRI2?KHyY;p5L$aJAh%P;xq?U zK-4wEW_J2s<(a|Jq=Xpp`8##z;&Jmm{)aZ(gR7&Y_dL9r;rKfEF6r)P@xG5kg7quU z%Z{0B(cl@`f{{}j%>fQmKVCsrR(x2)3LB(9Y@ILL%TdY z^?=)~NaDrbAc-$66fM~|^eY@=)z6f)X6sA)JFIWknKgH>Vtw|THIEKR#&cm0rJiAx z_lLcDvM)W>Rp*qn-FS1I=LXaDKA!CP)=v33+_slkN$O_@;Pu@3@E&UVP@m>5nW_K$ z;f}==GeA=>>0XBiop{+`_F=;u<+a(ZlN=b6{CAsc-+#kG1T@^nAZ9xia{Qh524LZkCyC$}$!?cngQc z8;x{PmMuq@E!95jVT7E537Mr5$!BJkL6wTd=#jv1Nh3y&>LnaoL~-ff$~1j}iry;a z_bX|*ehS=wy%L9FOqZl1#=+qpl>!pf*K%tsxm00JCbQ%+Aa0S^D4P58S4O4X4(%8>n}?UMLQgSVYC#UD-ZP z5?Y3gpWwVfNtn%Cjt1?rQ$R^G(Azt^^ju=5qTCjU_u?slfI_G$OS#%>272_kr99q* zz@(_(S0;3gQgU9FFp}16o^W>Aq3;D!GNKRJJL=SFD>eD%`;{_Tphcw8DQRIIHPzb= zt2hgo6iCXx8X6ipX?b27UUIdb@e2@=6z_VfpU4ycQJyFwFQ=e02Ais(9pxpjHJ%gf zbOyVf(nRdtI#6@Ow&HT_Ubn7;BHoMXxKyp!fp=AVy-Zt#lQ)?9l#RFShg}vSoP>uT zo@-1&u~Tz(b-nzIV5_ZQil>pEl#pO^OQM%U{tdhX}P*v2>cn@jsW5H{asvVRemhT4?o7UwCicJ z*(y{WXfZn4*Eh50aI{)TaFj`OHcQy>A3xK!Ry5=kp$rAausx?%ex1s+*RnvQY0ETW zfGe6h4}DGaE6y4OWNzX~lt=^kB)_x4nO?)+Wbl+eNG@d2y2Q90(TZ+UfPS1!In0cu!zDunnaj#LPcxcDSbj*S+T)+O`wIX;MiEq^y*hg z`T`1ux8lZyi;bo1^c;U-5?*efuaLKt>Wa5CEYkzCyug(P54qV#9K{$J)M!(G-2$)$au{VJFm8|l@Up-1dgAy=NUH`B!iH>*3 z`W%Y8vh6FNFt8On>G>Q%%4(xmPflm=>e}=Cblfs!*(56^cYd?-Oz^;zmyXk!fNnZ;=+-YJp#_E78}X$ zt9Z-EuYU;Qn&P@;f0flGBD`pA+Avh&JVF`%bL=Ok;{hX}R2JyZg8-xh2Vo8UR|0aH z2o#01c4B1w1&t5#QeFU(#{aLD;zrafrb|;NO!9AC2*OJ#2&mUE;XkfEkZ|{{)6#eU zj>o;EM1f+G1Q2e+=szst273ZZ9nKOlHeNL2uM7M|5FmV)tD%Jr2!gtprN)ezEO;8w28?U#{`ni_xFWr(7b zKvCmOCA_(0lrgMaFgIa@rS{O))dN@=3G`*pT7!PciaWSwOqt*~9Jt9bsRW^ZCuFUH zdB=bZ2v(|)SIib4?t=iBHg~2cYwuj=hy5em;P+UU{dBwl%l@MSygb42mCcwIqKw_D zzB%;^X6Jf$A-@X%qzEPuP)t_e>0zPClR>I_`{=yCuMOzrnMq$rX>SSRe}9p5dB?I3 z#8xp-%*s-!EfFFltMn847L47b;UX4;zc$maG9vs#sIaW~uEObZrfC$_qbqXV!(K#P zUDj}go})bhi5QkBFB?EK$!kxPY>_ZXL3d$FWjapGIJTx2mNb;hDoaa8PO#OHGNFox zqhc6YSf~TpChJ$VL7@F0fL&0wYrqr(z6ox1&xP4S^~k?}$8|pL&gCG_LtV|^yp;9@ z+2Af6S{I;-9}LhvYEOj84?KWyb(XEf)4X!&+un-Eiaat*e3vi>t@x|H17nN);gG0Oka(vD>Uzh{*U?h;F#sHQEu3K6rK}@#~Zk9mWI7O&mICGGz3xPX(IGyg@ zd`bn2C7S@2()J#p`i(fC3@r7;xWPn-wT>7m%jbEg=cXr&>0mKKUkavpyn$U!enGgv z4aSQU)#wX@scej>W%X4sbeuK(k_7bmWsi@9Q3!E+gY&3Vke6{O=>t;pUz>qCvRUJz z571F<(10vSwEdtZM#utpbAi_hs!1CHDs`X`U)1|}wApKDC$iOn!j$Hnw#pZcfS?4H z+=ezX{!cFnwV{JmRow6dTMKcYfg9;dyP;Qr5+hu_$g>9&0=E-F=DoSo#Ya_Pu&-i( zu8DI^G$#TL1}UaOdV>q7De^cFcV(1$>ms1MrVZcQyZ9cm_52x_ia^9mApzk?i76CZ zf|#3fAej9o9H^df1^~y+7#7h(!}tOt13<%t0h;)P05p-Zhos~M)8z-ol@kuQ0VqnK zf! zcV(VT4^{-+l%jPP3=6*eMtNg`n&dLyJ`U?HND z0jKqO1dIq!yC1-u#6$q1qX3Kc$$F;*jf7zeprb3EbPEVd7$YFe<)niT z!uaG+qlqNs4c_s9I>rD6ni1P{WnQ4ED924G7Eu5*x&i}_>*?aadBOl%1=*9Q@PcUr zN`eH2ElnIw5O}&adtmkv+7AsFKDsYi69CSRkVzW~NeA_-D=Vgzt-W_lFxw6^yEx5I*f z=Acu0dT4TgfCnOb6w|TbLT$(Za7jH32`~bF0HK_Q*l+^xvX||aurw?XhzEc@J+Q4w z0_O<_Q2%~OzQ7A+0X>@7MUD0v*wo|z&`=-NP)jvo8jX_rl7*C8Be(FXfK}2!Wy;!XP4J{l%fCP8|T}^zElmL#x>(xRPviDvg4nXV` zfEc_Mh8Wn_7peM9mG)==3Fa%-1?+$qAupSl(?f!y2cQy6e>H=Ht|QBgq_bC@pE9Yw zp9q1S+7AyYW}}n1j6Vqd{gDw}l`4UrN5L=xD?9ZI^JuB~57RNgBUPUss*VsL4Tn7AaMD5<2jnjWBkl=#ABzs*izu|_KXpkRKnJET2#wcmY3ID zU&O`1jVC72h&TN`Wj`%7=le(pt!p$l^|H+(Tbd@3spt1zHQNG{T#VGF`(n;~mOU1Q zkj>}wKRs#txxCDXU=ZWCx|Sv6>iLJR zKsF{%gG!Z=#!cW90gt&`;}XB+KS~+gXRPSCLk1m8k+vN{@KYNoW%Z7FDJ?x$AAJ2j z(o3Z{IM}`y%uQzliB#MniR#MidEeJj!|z5&c%;8CZQk<(h^N??wagL{QY@KR@>53Z zQmy6nH+gi8;H6r@LY^%Wh+dQ72mMh>X1e4oK}y4IUNGWJHGrJ`M{LvVO;Cf%P7MOt z?$1MpT+Y{9Co2w-O=pbq`qlFK2@q<#FC#j?C88A(KpLHtY#FANN@lo>&sNk_%bbx3{ZuRAv1Mf5NZeKHcKY zN|w`RFVNrAT%4P8N+%|TASR>Rr94Q^_-Pu8FpR$3x|mv=1R}7ZvC&{y83k28rk!nm zA>=LG)rH;8_K=X62r6{(bW8tv)_%x%-A!j|@I+P^X+HCd9RY{--ca<$&qpZy3~aUF zw!>S|Po9_7?&|jP{MH5zG+Argk5Bv0Xy~{JF{{&Xl2fRLnlQ9cM34?8&IiucCOrw4 zH-Q@|maU&CScY7AC_ZVznK``6`te~CYtEIzqL6H4bHM&&9goN2;jDDxqpcN)eED{` zp+6KdeXPtlZQWsmHH-5)rN~2%?)6}j`~1x!yHZY(yE|0iJ1H5HZ%`S`&Ua)d&0x)h z>mA}ZA*LQuDmG@9KRpBM5WUCftygZYsC~+y)-(bBYrV)GOmiD+lvgQunFZ8UOvSox z#Jhr}r*2V6`FM26bdUYPxwqo<*0+II*vqZ%8+Y(xW94trGQK27H|updFMRTtpP4ZY z3PNe2g1i4A1?^rOE&?Gc@MF#0g}1W~I}t*hH-5dw1*j;4D-jhD6Zyhw%K2V5#6c`} zYD%uG)2NAo9->>RdDaz}T`=K$gG_4+SZ=%)C- z=yc{6oD=$us5^DX?d2&b#vd=0ukHR&w`{$-C?|5QtgzilcW4+gSZX!3mHx2?zv8jx z%JrlPMNc95i*>1hLTzjGLd6H=g3^o3sB_%uu9-Fv#HzjH_X2Cq5i)3+E3&CQzy)s)s7qb-(1@qrzzx=dgusbbmK+4G zq-r-`QM!gvf^n)(kCnX^LeJ^AU*6$5xa}~JY5#-qTAQr1fFy5`7;zOPqO^mii?Ogj zgwR%Sp=m-v$c4YNFU4WM$=^_G`0X%5yCmkCN%;1IXleXKNL-3Qp?b|Z*dApObJDAJ zwej(f!?B_zhpFsB3De(LMbLs#;Q`O|#YXbdmcbFPQhJ9x;fUlgvL&t0)fg|Or==ug znUs$!Wsm8Fr_3%a_#S3zH3=nXlch2^3)raydN0#XqQT<~fN0-VHaP zjedD%ZI)p1x&A`2$q5uPB_4YeH>GXODBZ7Q?O={uW=~-$?E(fJXQ4-0fm$PeR*ilv z2Z|DBof1fIs~UR_h#3{|5U6!Cxww1&vFPaI8PNKvPbCoaz!?O;46uD*0~xuoUU=Zi zWt+7XC@fhv~OSf&YX&R*V7Q=yOrl`p;%z^?_d1K8Ej4>gB zemH-0zF)>q&wwQX?YVfWeA+NxA5 z)pCKN^j1#^uBMa8)P&BJd&0eu4{36-c#9;tx`T0~Gh4JP7!F&X4h943-v|7lyn|Y99vQx`~l*(KWro6SXeZ z5K;N2uJ8CBCDf~=`Rr=v`S#QhuUR_IQ))gDLRL$O*nTLyc0gQQ!uU2G;1mNOkA4DN z6{rOKAeCJ4`j4?}Ce>p`?FmL3wt1-yTJ;mjs!-7fmQPdr=oxM1s?4RU+wNPnmMk__ zwQ3cs;@s%!){i|WEow4x@L~fB=_k7Fh#xM?QD*j?-=k}=MUftGIyD#V3JFK+%D`Au z&L(di{%rLQa24qSYFWLb2r|2MQ#HfOm0siCJcw+GZnE0O(T-sNNvXDAkQy!Tww{fP6?FbQFT{C;c=^E+2kS|eQwBW4O&}qrUlJwc{L>b*V(uY5=FG5x2io>mu z23F|N8&RpCdiD{pyF3~t&n4^%9)8Udn5R$<(CPe{Etn}AzsgYw^%gS6k!Q_j`rAZ+ zgDeX@%KYQN^q)8?chJibBRWFwZ3K5C{R~&67hk_wRKXbHH4D zU1~M^`x>4f6mUL7*b`#%{j*7UQh-fjbWN)Y1nhpDTL@lGLwu|;LodO~mw4qUDd1uK z4;ue_YK-~|v9)JolAuygU2YFf?xq&iof^>tF&u!P*#em(77MECzK7d-dPYnL)?#Q$(d$Kam3E=ACO35rD@}$%%fRVY+TZqpPx5k z`ed&x=inMM7H7m@(8(uggz6bxK5qsQ4!gTPhqlRhWBu)`TM8Xv)OL z0txoIslCD=WoUU)r%x=D1)5x`lN_mRPA-?RxCC?i8Zx)@-AH<(>1f~~ZB@b7=JH}$ z+1xBWYn)f0Fy$AQ78JCl2fN%j_{r9amK92J;RQy%YlFea;VvD0MXIinj_QFdBBdi? zYnMlQKJd#GJXby#O}&Dp2CT)~say4F2`yohyJG|KENNz7nyPdZtR|}xT6@REmLGQ# zKTXxzc~ljjn!Y6yz`P)9Bk8Zf&TMm(UW3lpPuUdHq4MoYtbt5}#+dz*P zBOEKfp?<)ouB4=(_^2`~t5TxG#F)(ZfB6iqj1Z3UfGWYly{t&CM>Xn-9k%#aLMNOe4HxomE^HLwq9B z4=E?Ksw=^DA(=B`HyzKBldaMy_U;h0iL>6jNkxh6Tbz&`on=ta|EP&{>J7wlIJwWs zM07)QYkn*)kC}&kASUC>CHZoio%q4X^yJ6fEXFH#-DK59lY^mR9CgxcZ5{`;s*tf%`VCx5%b zWPwwRoF}zS$z_9Zbn^X{)zVx)^nrzqf`C*;uG^&g2V+k8()fg_cu25_Fx?lzr3HiJ zc`8`*H1q9aC0RZbHwJbCwG`dG@@a-Dg4$jv4jWNX24l4*lRRN|Pf`BSN42GPlZ@E1tDRI%6W7yAKeFq)7C*Tc5?zfK~xF09R@f9|s3DihQNM=%o z;*ZQLCnl^577U8b%sbkW5KeY!_a=<^`p`f~Q^6&RZe!sV07 zDwq`ot<24+PArd2Px%{PcYgn_7b|U(nE%ny?&2bWfel5*Tu@Nj_9L9l`oNu=VVt`6Sl!(G*K}=K9ed6o*vb7?8x(oInV5ALwEO@(wf9X zx%5*dm_D1U@zkKtE3?T0KfBYm>gUeltB+jaXN2`nIOSZo*U#qmUbX7^@k$o0sJ-qZ z>=F(rX6nD?tg==_wNRuGmi5=`qcwg{Zl2CX*<4ay+0-B|(s&}YbW2Ib^G=w+%2T_SNI{4-Jl zWvi2C8%yItXM9qLwe)5!mF+6zC6zU&x=Shj&s)%veaIiy6Ei+&lnC{ksD8pJ+TA;f z#e(az>CUg04%i6Ulrru(elXD^@1hsjA4&ft9U}#W_d!Bm_r4@so@MV0&~ee4OLJ4m zUnh>)6_zZH6F!Uxg=jE(W-Z1ksZBMVX|Xib@nNSXe`0*()^>Na)RZu3@{Zxx*%|p< z+2zB@hzYYdW?^u!>XCx8GaA9cRQNgDpWeWgzh0xzK88x4y7(6MGB!5GU(Z|PGsECv zW~9mdLNqo%RG&>*&6SmV+7#z#Ff&9({1!4P)Ry$@qS`dAEZ^HGXt?gK9_S2Z_AZ=) zLN+DMz*mT%p3>x`m75zmMY;N_{Pl9+65^r~(d$3Cg8^$RP(0JJsG*@UhlTf!KeT$34pPs4u8SVlAo@1Z^;7>F?^aF4C^$)(2Y=FXltwVP&|VO z{mF+t%jJNb->G}%W30RfP5Rw0dn+7)70;Zq?l8G(5)=6cYg+H)2dg0L-FF7N9f zcHpwI_PRag{og3&gb8iLb$b-=2dvoXDG5GNYh;hfF;yM0%N!-6@;(rbE+0j;mkHE~ zLwu<)bBkDz<$c{Q2Bw^v5`}?|iHW|~%hg(b#;s0`GSU<_NE}<9S6T`j6moKJE8E*e z4F^Z_87pOEes1cjti4mQEqVgs+hSx!bbF|V1*P9 z*}Tncc;E!b$HW`7+gRiEm`to#mf2u$)5Y>vI9u9d1Sxi?qWlvtcL-q`B^LT`o)ugq zeMzyX_YVt@ZbipkhC9LfBSIM3qa_P+GRm%tTDIRaLHEH8Qf!Blpzt&{gZuSz`CBi8 zm5SGO3Bs5Zz*UBpdfsDiBP=$h_1D?W$?YOhSk2G}exatNwB9SSCLApnU}Z8nifDiI zua5nIOyA>o+Fus$Ut3ny8#Q3Rr|BmA6|9$P6Y^-zq67PK<(9hDTZ>3>`sU zwcDbJA&vB(9(ohA%E`dP5(_7|^H&Qo+pCRdVa^dk%2Bv=q)B2H(D87&H-8%|BL0xGUdC zlY4K>aQZXh3l)SfwAm*Pw}14K0?AT9fJLA=!r_1&N*g6PFA#Bo@P6%!RzgM>i2n_! zSZ)YAZ8|&SDGl3Bntg7n4me6mW1>Z%4!; zeweqERqVwD!|{rG=o39{>yy1{CM49Q9?vQA8=s%PGq9C#QIqEtbTxG35sMq8B!pv^ zTa~XY&HPqXA}@r72!~1o*SRtw`DJu&NjHR@^JkEi=6df(#Ga(_n1!oYU7YM%U8~o~ z;sKb@hz8oKPQOwA?x< z$-wRf)*`Y$4n%iM_qK$ZHvO$n(N~_+850i9wf&kVAzw5ax@PxRKR+Ddz@f)ppzL67 z9bP15+4OuYxt27TKg+}HWPrKj*ZBq#0}dN1ZQt6GjM)2x>8YDvFqtsTvlp{(3}Blru}uIdJf!hi#6s&srIrclQ*cy*hh@@m ziN>t@ruE%jVD8*HM&He*0WpdKBOXn0peXFNzE;5xJp?zcGfBQv`Un(dR)k^ta%nO# zu{MDqs4O_<-Ca8d@PT~xTXfO-Goa3+-Pk!uG`{tVOHgD!UaGe$%(fk?t4qWEmbrE4 zhIE1CcKSLKV-Xcp&l5eWdC$@%0-*<$(zKthHhsIs2Wc{_@ZF>%w0s}1v{Jh_1ukXs zsJ6T*4)X1L@(=4)GuFxm^iukDNlvBgOjZ2gx^cEAz2Sr!HeT7jiIv~U7SW|X&5k$o zZRE!afS7s`+p73!q+lTXU(!nG@XK}gg^f+`)j2daI}2XB5(hyAO^oefNZTNX_DVe| z?!FW2Y)j$8rHP<^jDTYfD28aEWs6jZpQ%~L6L5CXVE{*CH_ib)5yhS%l;d2a_P1Fd zwdb|${A|_4j~fL>G~CDH%a9npszo{{D=RxYNpAN(4*Ye@V&XK*+d0P~y7t)R8qw=tkFb;hY5jX6`*VvMQmhLuH z!24io z`P#e{f~UqtP=xX|{Ng+QAdSKw`Wh-aMEtfKUK0n0!eoQ>LCohnrDNp*&sd5Sbef{rYd zSxGbemHP8V!qAdr2P0*`OD=X`*A5L0mAACBOCYsc&*!2jxQO6wfHcU}pw}qk#HaJk zb!BDT4`I4S6gRwW^6h5F{QiN_uVR4=&a6>jy~ONhYJs1)8Ui8VD*il%x45cSmX~Lk ztk|BZo2Lcc7omufaf+E&?8qIT(4Mz9bG73c6Hv6PrLDz7*^6nd)oibDeFE@#dRD38 zuY1`K&_T-+AVt&46NCHob)W7eekzi5jiMz=q(qqccZ3$IgO3GJp`4IX9j;jE>suVR zb&5ah%P6S@h{1iGm|I9e!r`DN_#vxzsOcwbuyPTbCx(IR2j1N|@g8b{Wm?|E#D4ZY z0pq3%M62Q2z`EsLFm%LaVTlE$ynT=2<4sB)yN68EhJvCTeU)k$J8GnFILMWSxBM$k zl2f7h8Q53w$D~lg@6?FW7Ck}GRh${HEm@_W_V0YR?BOy%4zU7TnG-Dg3D-Bw6~=$u zr<|`W#KC`3LiA}>8t0;5LxhB-PP+;1+bqh z)t|Ap?UIeU*YP6~4ss$g>bvs@t<&DAFXIPTBx($ma#`$1wsdE6J@~H|ZiHl8TFdx# zj*faiJCQcFjOC}w^_IvYp>*AmT7$mrY^}5VW1$dLB8L?!nd5JgWUeu9#`tQ*0w}$K z-2-*5mj0Ub-~=<$Q$O#bB9+Z;58Hj6?YCWEKByS%o% z+|;K@jEV}umZd?6iXud39=i#GZ6<^v`{>p)h3*j7)iE+4adZ&;&W+HRH3mT=S{VA3 zDh$X0aXV(D;kLkD3Q|lnytwn-kB+X4z-p>sX8pSIc%*8Yh0MokUj2z9Tea~i`bIUY zS=;a-u0<)?Q3;pY)YnK#@KK;W)sSCl#)o#`|+aM zdh?vDvxQ|EiOve6LmxgbNW08SQ!S3^bE~qmy2QcBLD90(+(qHH{Apc2KpoEgGW8x` zeTBB#N}J&%DCG0a+N&}@KL#w}kgd$Mb+1Jyu(?8q z=_m2W;KPf@x(wmc3_jopO2nI@%qu(6IV9UXl09utn;O9)2Hh6d5Y04!681>1n>#@& znXfI#am1yfxSyadzJvL^doht4FY|~Z zy2TpOc1N31$8I_Ka#7UlP^k~olgdha_&j|79E;8T0!M5{W_^T?LqLGuP}kU4`RiBn zD(sI~p*bE5*YOSEKpO$z#_3WzBX}Ja&rOVLLHA33vI6_OHObVOxvtNaiD{i10dXl$ zCLj~D2!aZHmhGrq%aX(5!H-`pfd>HvHo1gw;V8sT>6O)*!`j+9GTKo|IV%c@lpUgJ z@G52s+oUkcj9yd4w`Hd`HhxnWG`2J>_q)^bW|s9PFRugKw8K|wNJu_Vt=U*{TJN>E zFwxtLk)wo6+#XqnZjaId@@c*xKY_uz+FK!EP7MuF(y!bNYah5BK0S9}I7A|cEp#$o zZ8SkuE-%II%7(N0Eo|`rqOHtib5wL8=~c#@Rbik~3$-9ipzy|#C^-iYpql-7wzM=e z@53TtG5baG{G18|E)XkwCD>P(_a`FDI|E`;JI*uGFa;EXHeCT&oLk*+jDqT3*1@FV z`-&@#R^7(%esr`_@%YI?Y$q*mvl<|5p1rW_lwRL^#RmR~#rK{>;_z7BpY1N;F}t75 z;j)ErXj6L+>szz?HixzV)XAp^_A;4{EW15)@;WSMo9@qo6{5j8hFeC0M{{|TtcIi5 zlOm*V=|9=o_dxQ`%BbJoO7BJjE0-cu-!+eiV*L8=RRi{*u`>jt^SJ%`1aDzMr%~i9 z*cDSW7Z(Gx1_)baC)>=YZNIc4*xabGHum2N;K&G~DyPU+Gx0U^t=-sFgwEj5lH`KWH&8a#?F}$molyBT%D^36S%8Ur1;^jfWYs_vT@-~lIiz_GCSsxdsmWFv=ulk zk7UsXPyr~nQ{`H2pljH4#!!l4*h;0)XtOxs7?4s3V}}Ty^)w|k>09E|EcbzHStl98 z9G{rmk6c!a`@4f7p=mdxc)JQ%bXC-usmR^Qnih!z)`1_;%P;vdN^P_EwrzNPHUtaE z#N;;t!W%I&df8vJLX}&9P;{YvV4p-%@*)j=if)gBdX;<0heIAe=Cr1cmAW~FJ{*!|F20lQ)Wm&Dy?wT|FNzI~&cLNu6jN9eunVCx6X||1xjiq!$V=rj)<$7LzQmBl%6U{}x_;09QKh$zm zz)nj&Iu7qMc(K#t8ZUml|IrwXdTWx_xj>}txHIx_ZZ?U|Gb`Y~f# zuX_PZ@vfgvd6f@Z)}fHbk^-!r9S)t;Y4q^QMPu$qorjJZQ}J{VfvYO(@~H^*Xzjiu zYU1BYATj>?H=9}wF#p>u(f2L?lzva2^=})?7@+<{_}=|D#^0nttT)ilN5&BK4`}^A zQ~VDv-nyp!U-ZImz*0c24(KF`%jFGqo^105TE8tuZ6j}+qxfS ziu~s)x69IBO@cNCyj?FC@3kNKyHc~QH95|O9-{I zRH%sUL1Dh8^L8v6oed2){x`s(XAe%gTfE1l;|2=6tjd5E7*$mlU5I>7qnbvwALqD4gG15S5KecNZ)h*(D z_;7Qw++=?^b8~Y;@U#Y{Gw#I7hy>W04CM9CpFivC*<*a$=+g}i4PWj@Jy+^1)1&n( z)l2CsH*|WwrvhApgY;QcfId1to<6)z8$rNcnVk*Ds!=aRn{@Tp99ekabDM|~gX{;* z31o)u3&ja&^|)Pjd=CqIrcYCz8K2gZ3S-n~fu!rJ2d9TCaeXe2-FKScT}|8{qjlK`LRNK z15wF8%6Whas2$FfcB#cMI$!83qK^x`7$cJrQc+Qz4T|E(@;zVOU+zi@Ujl_M8Ae|S z>=H@Tny<{w%&1*3P(kI;#l^*c84h#4K3$T2KXyl2aa?uBB2R#cO?m~ytP2usbUvKS zrst$((@&aU?A0|~*YwmlAirAB>fySoS8}gp6o_}JpzMrW7=6F$ut~1qU zrP-NYM2hrguArAjBp4%lKvzXh@e#O*f?V{oM zJJ9HhZo^&;eq9-#?DQA^Nghc1BX%PS}lA*_|XZ#a8f z!p)+ktc;9^^WE}C{qv2Udfch$Y4`IUOm^4ZRL3CdyGdC-_}i6987_FojD-dD0{FQn z&zoQAFw;Ml&J%iNS(z$oOmm&5kk%x9CkKNWeElTXni1msm%*FNfmdFwkzh zQDv804od|{+yNb^w_kVh9Tb(89?p|awo1MS^gm1zhNkQFVYZFXqV?sveAB|4YoNHi zHOLHutY-^-%{l_fYfnhpY7q1KeBu`%mOfwT_K5c3ck%Wiu-xL3RNaq+XxZOZOhd%? zSA4j@KQ`ZO1f!Bksn(ifgTwa1`Q!FZUu+NRgm;&}dxyfS!?tAQ^LuOFDBZ6U!^m3l z@#xoR#5%f)hW9VIZ&>znV)ff=$^q$J(Xzbv(dkd%VCtHn_~FQ)`JcCQ^P9Ek=t=Nh zj~FycM%XvuG*T}vFVD68DX&l6cDb^4R-n+!T(QcK=q7>1@wl=ceFsK1ve}K3evR_t zAVxPip7wePMK##&X0am_F?^uy8jOoFa9Z+DhbgK`u9>&9c zK~YCzoZz0HE=Skhynfw1^M|!peGKaU1p6_&z8=d^RSI9Qd<_{D)7Tng_Sq=Sc?S?# zPggGV`SvH~fP}sdbSNrtzA3Y^1`!fmJ`ZkRXgH=ZDLHxq&nJc=@^9=`ENU$-EJfZV zP>A^5$58ed6Hr8Lug|BBM{}S1HzYArhS;$bD||abyeaX4R#+`YI-x$?&kM7y{_i;t z0@M6Hv{#cUf>rMqzzJXp(7!-{W1(5w3hdB75`l}Laevek6D${;*(AcB!GyD18nVJb zTs20xVqj)Y0|mT;U*yyBsfS94(G%`kxlfUN6?CoMEoLJIF(@ABRHwjE%Nx51<+KHw zw&T8@rI7W4Nd1oIr5ogX-k0_Jj39^r3mM0)k;PE= z`|~#OSu|>B)V97=uii&|G&vM}1gnNV;+=-wG-?u{YV?dhFxi`VJ?M}TpH7G7v)hw) zh9MHvEu8gy4>tmD)bC}U4*`gNRjJRmt%s6;vARSQ!w05XI)4!^~P%-{D!R0y&0qu#{7>c zyKn6p+B1GEp}7c8VPo*l4I!O0=|^6{+MMwgoQe5wM;=?z9J)RgQt`@^RAcVMxO}$3%>z=aW$Kp2kxFJ-;q0F6(48sXr9>y0#0;m47uU zppJErx&h`D}z4WtNS z$Auf_`+OBdoO3b8oInQr+Xm!2XxNXmWRZ^EWr~K4ugjCj{9!SN8Udnx|5;I97_yW5hYHWo!#RbwEu#yDIWbPLb+-+!blN4hk(2` zt7rn<+E|#?P{r?DpEZzRHnewiu)rq5miF$90*=KChWIX(kU--n^5+Yfh%q9VFw!1k zzuLDEb7D*Q2fB2U3z?ecOt3 z#-#vDFhw3s9m}ZTX~zmnZrn3FxRY_w%}ux-Lqm?v zb%La73MvR;fz_!am%ywI86Sdu0lUrsVaq_T_z{fv4z|w0X>()cUGV#f&Ugsf#0yb* zz;NQphH&byf>+yO$W!if^=98ukb`&HO1mg_s&JcTfQ=F8s)J5@Ay2c=dfXf1(eU5# zN9feP=j}Pe>xHW{)At9D0Ey$&b3k0c^ylF|$|75F#UMs{hgetv4o5I#-id>`iNwT+ zWhjUsu*4m)RM?WH&yb~q)VYnZsoZ!-$e{sGPxb}32o{GVgs!X#@|Fos;0fbwvK?yV zh~BjIVt_h9u6+YJANK5U55?;k{=jOpH&im7&Tk(x(RH6P<=UpfONd{T3tKUxhygN( zdXxfz3eH?(^-LeaEQlHvfl7tU8-5(T_KuzgFPxY@W$j*8byMfn_k$N~hhmt}JJie0 zG5FEG)t8&PF}4jfy2(x~;tY>^u2Z!!|4jzb7x)<-pgl zy#n-($jBc?Tt_!}eLqvQID$=p{-TXQ)77|VgkGPaf6|m=_GgF_ku(|yPw+fLS89BHc_fO-Rk*8MTj~8w0g65Ojz%b;-WNh9W+OKr zspD}Q%%`ZL0tvxQ-fw&pO8^>^sJ<$6CZm%D9;oKAdWZ}1;qF9%a@)>`N&xTop3x!@ zw+_V#UPyN3(d_Y8(I_dC$+q!mzGNtly6_LNR`4zD>?5(r?$ChY__2$q@iP~?KAsp! z#f^JYz;CS(jM|Jo9n6d)jnLY=_rphxn)AnQ%DKApj!|@iIk5^usQk03pYzyG`<)IZ9Y;J$W2!I9jEXJW_Oey8Fe>IKgJ-Ps5)T@FB3XiHKEWU6yOgr)wgDY zsj>uVF~&?DmbZl^Bm{uLDng3W7el;UZaA{myRP_7399X5_GwU2Qr-~z ziOH6Vjk7+qnv-W2#Sd@t&T+Lpt)>0(QYV}1m0#?^?v(T%NZ5#dSfLeTYx8Ke%=(O5 zgxx;{)Zxt0LdSm!UtqQWRv4nrv_KL(JBh;0i6DYR@yGV~AV&_!Qtu7|#t~!gY)t~@ z5{86VqR$;7j(cfzj1$f#=7$JO6X6uA2Mty(*70uz1byE=QN)u}ZaRqEaC(B(=&#J@ zEvDJ|caW0Bt@)FaYR*n7va*7fmM1Zk7wzkK+2L!1V6{;Xz9H=+^7Ucsg>YS6lCtY4 z>(4gc)%CDCaBH0Y<3EZ?o1d)`JMCq)f!#U+2|33;#yA5wys8PKc`Fv6`{P1l0mr5| ztSl^Faviz#GIh5-xw4@^E2q>Sif8B*-C@U3FBGXt#pmpTyDG!yLZF=?+q!iuAP6M|8>2 zQ+i}SxFbHo$6>lGU#56-lPGjVd6R5rjPh3HGMY{YpX_Hs0*T3Mb=ScTvo<@|7k zgycQ}eg$J4>c@rLg6FQG=uvgQzjYs^3k)zw}U$;ZQh;Pi4`i#Cdi#l*Nd2B{H zOVUMIOv@Pc?NQHdM1t|D?8j4nf*uX4$XGl1h=|s=CzK-m-8#{VCwLL=DCPIevD)n2 zNAMdgF@hz&B@r(?0BIG+>EB#C$K-vbka=3$&KL1$HtBk;bIki}gS(q}Vteuk2Fcdm z0gto>fxiP0g(4i3MZ+``Ut+MQI%p+z`)~P-}>PAQ`^vk z!C;b@f}VL5clM}LPMM{Ptw{WkN5=@lY=FS0R@<9Oa^4n2^gK1$pvdVi zK}SEd((A4TO{0Tk`spCZkIj>v^J9bcH->~z!ja`Z{@uS86X;PR_jg|8ZWmMTH6 z+WnSAQ=U`}g;nmwISPF1b^CHzaNvX>pwRpvV9sP-`u&$6W88lS_L2Cjas&ezk-R|u z8QMw&i6R|+$A9^EAV(0SKMH|#0C@SIp$H=|u{dr-kYT~U0|=lblAJLV@BaA!k{5p( z458WuHwZK0-vLhW2%7&P0$?Bi|9?5r%3XIlwev1o0f<^@md_SKVibJy=5ODoqKg;- zq8MSJq3B{p@n6`;$@AkPYhdzZAiye2NiVUut!fn(mgdWy(SgCi zsB|(mS#bXVQ4KcpVTH{Gi`t^*EtOBasfWtH#x%E%8pK{R@>^$q)sViQ-fbLsND9(m zYp^?pfDF)l?U#)&Yi*vcKJjs+YFZFgDK}en{kjsOn&t1)p{?isjG|QAS^T+*gkbIK zP1$tY*6wdV{u`J(_f{yxqahEj24kJ0*j=AKS@h%iFX#KRTUk5{2?6}l!rR1b%K#v5 z5XW;}yep`(aCmdlrn3uszp9@I&!09#8b>O-W`gmrp@4WxK@+MmW(upl8Qz=iTnGWC zM1IEn{;y$>0fvz{mPPZ|7@a=?)`{wr5(V7P|`{@NZ4 z=#4?YFNOgTi1!f8onyB{1k-Aw)-XDfm_U0IX>D$fk!_|qO(OW`&xS;5ur_o1%-}X+ z8F%O5n0#qnH^xOE(02&D2VANk&pE-fDB8Mv>iD>y|4hCn1}26fitt|K?|>C8D9KcS)fIn{0DqJ$rp& zwXqhd*DuCCu*U)=3GRXfxBcVOki49(spg zy9b#9=-YX1*<&A!upRC7+97%!UTS&C0eNqX(;tO+Pz~cP@Uflu*^haF&j_0T;?hwe^?LYxDr;|C#--oPiaQVxwRDU9r{w$pSBQ!Ty2>C{Sn` zJnzESr~9iy+ZR0Ao^VgMebd~$A7n@__w#3dzgB3!x0nNTa z!7fb!NtFWhq}VUgXR)*X+iua%y0vzZO|dKs70{b!PRFhw-j*m*$;YV`bRGvgIzDg_ z9_egh>3b7b=UVlhvY7SHjs~vd(u2RC!fIVgJhERn7P@J$RFvg&)yd6fq{`Yj-cKv! z3c}DcY>jz$(EOF`5x8j5r1c)xhAk)GAw+j*g zs{dq_uk`oBjBmCKjp;}9@5YPt8xfGPNBtz#UzNf}R_&+u|1lXEqAG{=uU=J@z@Xi$ zRFUhFO2$P7%CSeyyA&9>=j(EVr-)~)H=O>i;2&%~k9!`eMkj&9q*eSEQ`?aL_AoZ_ZPxtR9#L~&L=&5d>_DRK)$1WL#Q8C-j7nX|TnHe7XM@LyG zh0B$kC&=UzVth0gldTkuqE{4cp?;>Ii+BZQqO)e$LH&^cBTRkv_|QrxDl~YNP?k}% zor&2A4#GuPX0EWrcO+FRFv>iTscwx|Uq%IuD3g0!=5_vPjCnJt3zhJ@Ihd_AJi!{$ z&uwhxmUbN`>7%>1k4%lY{Zap0QE(-+dn7T){Bd1&buj*_f&-ZE>Vipx{~N=+)xd%< zXSkyCYmZMK=c0c#7i_o%F=TdtZW+vnuY_AMHF$az+bJ5O9O=n&vF3s zSXC0SuJN)Ay!*%~MH~pqjx6lneuJYD0krwsSlzzAEvJ z0y<8KPvyxBdA`C^Z8;q4ZLcH@07s(c@Re4W1!!yFB`)rs>OQm5I^4R`w$iOHsBWyT z%FJr4tS%a-;{QnLJ^m7wnHGF)RvW9tHcX2Iq&&TM8Q-{U;b|glqV`=} z_}dqgA{j(-HsSk$x=T1iv-=eA{iJYsLxm zwfFAZOoa^zL#V#3*O11sG}mY&Usi{$(y)9C>_7Krp@oXN;r$RQQNB0TEp}Q1u>^1C z$o##2{PybM5NW zfqTJimg0Dcsw++2nMntY#vGH)mjnOnb5}xohNWfa_0*1&%k{CVhg8Q=7N38&Ou!CG zuo`*$<*bUzkLw3YSI=>53ii};tJ~_E4X5L-xlX<`mOl#)TWGXp{h(o(a{v4sN3hY@ zf~opUO;;TC8)=vJkziVJTv5Az_agF8Gx-=SQ#<2yfU>5_BKgGoo64#8#6g}k&Mh|u z9@E4sRhvxhaE1r;Rsw&Q?dmums&DdUo(Te&EzFuh;vfk_e%of3l@p)_l|?#&og5Gh z#yg**h4chfP(}_w^9UX;Fz$i|^pFv!LvI4#DX~v19$Y^Ze_;EK$iOhc#=^TrOI2F* zovy4viF({h-@M+|rkW200XP?*p!c|C^Tj9ahAAc%4yt8BYzE#b7KR1P zGz5%zWhFL?DjdBw5+d68z%13Epus^i71ET(lgzeyyW<(I5xkcMH!OMXTqXD$$vpDD zKL18ExsCI?ph2_2Vih$_+;>I=wT4$Q1!^_(5nt3FZ0s@wXGK0{Zd5H)6+sez zKDs8)dE}BYB}CKAK9^uuQvaf&Iaz|86}ciAiep)wKFyp(mJg=)964qu?wtDJB0lCT zgvjHf;H1KbZr>Slkw+G*4Gm=;9I{-O7y<;yAZp!fwAdk$`vR^m_xNReOX*3nYj^Yd z!QJ!O@>PQi9!*dCP5*j@3eibhUai1t2QVqUiLJf%JL6M3ZAE^`K{I2;tn9oKIB+3%LDWSbX68c~luS-&=$F_SSdkE9ViafkI5oK!t%JQz__4V;STndh zErOL9P@GBR+;+sq`)@VUpSZ2-opB+OYN3aCA%K>5FyOtS4>1aLjif}YxHF~m9K2J7 zMh*7Lqx)$ydhXxJNw`a-DATSNPpi^YGYbQ$cUNvOV6OTwp zUN*QhFt9DmdTe)Q%2`cNWk6jf#VzKVl%zBSo=18Z%&?N)qVHequL=EFOU5NI<-5*n z7E=Ch5pHyymwY&5&cuOA%;S!iZ>my9B6M%3#ZA-D;Bc5KQnfcDk16u7cywLTpfj^J zX2%b~t+{HaEu^4AMW#d4uY2JxOgb@uXXHuS&!Qk$EJ>`ZqJqLkrEMudN~$z_T0ff< z72T*rJ+a-m?Xt*M9kTzOtJdRj`36M4u>VHEQYxh9ry9YsMn|=KQPm zKvB}x?<@4!h2Y4MPoS2b`EU_d*6v6BPwE1PNJzlOb#3|XIY}{d!&$j}iluHZy(O;f z@)XW4_3|MoiS=aCCdx!SeB@UUeT&rGVkvtf0)~MV8 ztIcE@RH<$rZ6SfDwb~^-l*FJ}9vE@Ze&mq+*9kTUy{Nog))=i8Q^|>6`}%Q;%=L|* zq!#d>4ubKAI-5)fOCRpb$RGG;)l6c7`?Quk9#MmWfKHgp2c;-ojY7}kA@)HF1vb_2 zm+AV-`jQ1SCYM~H=hb>yd=~80Wfv*K>U0mi$rUV~!|X?)layX~*X_pWU@^xGa|Iz4 z$z$>mNs)uyjmlknJ(a1lFWD0{MftlI<7Mwp8@^dcmhJP#D@|Axvo4dA%UbE$WjvN} zi+?BATx@>TDds?NCSSu3U%q!E1X})x#T~-=rv2Or$jH+!Q(*Q`=e_hUyL7R#Xgw$1 ziIh|S@>Q+v<|3fnI4Z0B*hlHBMeXb_o!yr0nqe|g*^JA8^w3wjaEpb<@x**>gO(lW z5dwFaEYWcOY4bL>%@dy;6LNCjG^1l957HL-Hp9My;!?3mV|jkrpOGEZBEbbwCxfu0 z4y7gyT{g4@38PwBMw+`lx0VT)LvvN9I+u&H)mbe44~5^^h)p<|bJ08SikwfnKTlkU zGX-xlQK~Chq~aZMXIJCmD8Vx!+VkYFL^EEfRGXw1R#avwPohr5BrPP%R{cykAILcc*=w~^R1q&JS#}68DJZGZyp)LNbt^1? zc9NbngfBA$$wk>PbPSH7%$xs6x@E|uV3{->v>zMvAnl4zpG3$D-lN`3Hm?&;(8|n`|Q$~`!2AyPux*{YY3^XXoe{p>nlg(iz`HVsa%69D0 zE>Lt|KN;Xb15<25ya}c_R(%!J_)BNjoypNq_?x&%4JYrI^MY8MF*^+e@#TzVQ&W{r zDoT<@aeI{y$P}1}FXqwWmA|_5Y|Zw0c2idy=-wsu^rGP2h}P`jDr$~eJ?2Ce60N%y z+(vP7t?Ek%tluM$=GaNdelBj0a}Pgi-mIf-(Y**&^6oa6m=R_QoKChJuYs}EPx>{v ze?C5Ur8N=Ga%hzP5IHvP!F1!Pd}xh4R`l6&p?+2~Gp+mLhuACJb$6%PRiQ=Dut>i> zGGCB;C|oz0m+1$#9t7ro^jV`MP-d4N{h3nJ@yshHTAt{HY`^B3t%Icf=@5LJ&JVfJFU4%_~5Yc11!Lu|1^H@0~V~kasCOwRbHXBt) zF>=%F9n1?9N+rv%TXgBrzCLSZR}*P7-oITyw8_2Vdt`{k7mm};O-aN;NrX4mf^w%l z(Zdtv`1!)NkHeoe5JNt&@e6?37GV1}!~^Kt4~pwz9#cQ!Zb`GeUd_N!wqHT)L{sC3 z!93T*DqYHC?*utZ>K}fs6n*B)LvJPY4DqmEB#?w5ZLxl@hwd+MBU-N%9*cDlHXNoj z-RB|l=?*ohj}tmo$>)BYAT3Rq=4Z8v6K9^GR7EM0T2B-iGfxf-7JM$ZW=Fp@M8;ky zdY3yx>>BK-Yw7lU)hq!Po-xmTQ46}W9qXyP7)LL8PR72k_gJB7#)(|M8_JFVM6ZJu zXI6jH^mzl332|vsoJ13qes=V^xcD-2&{IWSE+Z9A%7&CZ~TSso0IGh2CQ;FkHHR_r;9hC>*MoU!ap+01YcLqP#0>1NOOc z##b1&U$-pjlLc9(OzAJN--#R{pFT)<927MP7YpoQ(1)v{HtD5aW0F#uq^5o%QV9h! zLzDki5xQ1lir!sRZHQ5V3lnw{d`f-N$GyHGdjO{y%Q9#G`CQONGYK{qa(Ko{`PmlG zAPOs?OdOY#uX_3O(MmXmhVj*7y+@QrWz&q*q(M=`BveA;`9g@*P?#Vf46EWopA~y! z(5!|_jR#~E)M57{9KM|DMs}W$#c68~Q9uf}CtSd+s`Kk_lkA~T^QHRcot33{ikeP? zhx8RkRZCusZQzJTj^^`;V2Ud?>n7cZ0NrI2S$sk`5w%5a;E1av7fr9=Ya zpeVA7L;5gBT8!2=j-X$|91~{5OiH9?Z;sZM;q*C}DSf4zg)34@^}<2w)2p*YfEt&`5(5=4{^`t`TEod@*A zD6UyK%w!cmqM3g2-6$xWOZ6yxO;n%DMQ4LuGfrB`-!Gc$B|kSNLLUPo9fmG4OG+MG z`JU||UT!?bcGM`kG0I3&cvL$=CVeM45F#mWfz#iSV-QpLnt4SVsO)+y-*i6^{RSYl zBdJc6KY@AARTu`ia85X?>BPc(3;QH~{3S2fPztv|ZOQCYNl)&@J-Khy!uu_nZ<^@A ztubJdKhr}`(P#1rwq2-4KZZtXMt0>nAe$u{cAlAiH&-BCJ)oquIeCviGB0+Fjuv+ig|p+O|-IjsoRMO zPmv%kTMgr7?AWC|*M_9L2FGQb8(%M+@GplH_ph9p4obn(@ep5u#)weOH+X8Q@Gem% zY6^?}v)ipvzCqH#8q2jppJ`$JW6u}pMvI#Buir(_sH!F=Im&T%B<7^5#uhr07AJtQ zPX!?y&#D`h`lju{n>ifFQ4O@Vi*j60>D)8#QVV?>Y4d5e=}&($x@#$zHYaf zn{(%;GE^SG+SV^cXH-h`Gjy4qP;G{ZF2p&Vfcj)wcyFI=C3Qcw+RIg-{XyC~Dat0Q zCe>{?hv|EkiMx4KN!{~1)Bp>reM_#)+(#S!Bw=y&pJn`(l!nJp*|k#G?q22m-OubLNwZ*5Omm*B$I{k=8@2}Ont>zXOlx1&sO6$I& zl2#2IUmG{69+S;l@67tB$hhhqRHz8*!OeJ-$8CQg%iX4`zv}o@gPvx1q90zHFd2m# z_|8NE;>VsnY}}^~k5Z*Tp3L@OIb(@O1nM*4BAF9r6SM|-eXq2`i9*v(Dy=q$WLB4P zq0xKd*IbaV9DY+-d6+foqOL%sYA9y*fv^;0g0(~4B9$IAXS-uTSmaVIUbeZ&rTR8- z#@2+TChgWfc9AAhzoyB{7p+0n#A0uwQp=dKsybPdS;v`c$e(#%rMOf#r@i`XDyvLP zN6@F48+Ub%^5ei{wpH_KVr-ZDuJ|0xQM{ML6aGN%VA+Xwt3v@44zjU)Y0LRr*1j`woUqJyC@1nIpADQN&LhI)hUkY_;l<)Je4743%y?8Dt z1s{0U57>?+$l*F?3^Afz=q%=Mjc0otuZQSuRbBLF*eoZNbAmP2h_i=Xk<2EX5OoC* zudxuq;rAGD-~XU2p4n9B-rClzrNMP+%6=97?VzJb0Ze#t*glO< zKZWAL(xj%*!B*|GRn$~I4f%OeX+gNvP-*b~*0Zcst6IRQ_4&I}>2I;`iZf;V-}y4* zNhqS&;`SX53rnVlFFNMp`+pxvyCU4wq>b^CM)^|}_LmGS)C|+sB^jv2rRJeH<0;Z~ z^ym(V(G`P!C!|&@^cVBGBuzUG;RU z*(QHR*DRh)J@Z;^E4snR)2uXCd8BTn9@{!kXtEu>I?eXnUP(ahnW4LI8=!+FCg2PE-Af&JpskB<`=y=y*qd2d!=$&M8^G=fG`64jux-%n-Ph7mI4 zoMNdF(XMYJ&1x(2QtcvdVV_(aEkQ6PY?ZD-MO1phw2t!JaVaIPSoe{!yx*T4U-) z-QmwAB1xsT7f~2#S&h2Q#&^@z`d0#dx@kloalrgU+c&M*l+BP0F!W(J5`)<7H zt2dCzb|E7FBrfcu$R+ext&$3-7>f`un^6D=7;tTn{QPg2J#K?FGprcAdQr3Uy=!^e zdfOk+Ll{}RXDsW?n&B_1xfId{o2bjVNFP+w7)uaQ_C|DcFJMA2>Fgf1XvtfWYsd^;8A+ztMR) zE8rP|ZOiTrFXB%E{|IlU$fz;;$Tk5kQh9^|v~G_7RP*+2)mHG22I!2uzWQpdg7sB2 zyEQ+l&A9jB|A}a$QF)`kstYyK__>%(TKbGv0C=kM!p{kUe}pC6KI~KO8*_n9T+}$?z{cstO12U3br#_Mi0v>cH^^#vvOg z{RihU0E`UI?5lZOoiej`6|DUyjW!oy$EXon9N=pPOo~{rZ^%O*xB$G_lrD6Cl->z5 z8zLy{Q92ad{M%cwY3*a#vT+uR8o2Ig!ttIxg7{|0@izR4WVg%jc5XH^;Sp9X3&*?y&OU$GI-cv>3b zN(nUXCv{jz3J1}QyZ;^Wb}-5qgPG!fOwB9zD7;!47l8Wwn)*gTh;=*c+q@&hYsaTC zUs_-2b`$-D{lowa?`O75`kVA}1lxIdi*z-CtepyqXm{ZAM@)GT|1lSU`>Kq675~7N zUO-+1;eUdBBUqIgU~U$&Jm_EM&cE3Mubw(U?!R!w_#1OY#324v9Z+cfbdaW1!*m8( z;B__PvFUM_n>jQ4Yj`!Y%na(2wqwxIZn07S@0o(5=*&M$>{pH*EEjLR%73TVU??m0 zh{d6^q}V}%L5QuDy<@|#Ki&a5a*}C$Qk7AsToQSC4&b9+8Zlb2C6U}2ss{r@vO)n3 z?<)?Ers>3h&XH{2B;qFirc4D@0;l~2?JvmX_LfHx%zgZyih%-#30Xn$M<#DjF_6O~ zoaXRH+mU{I0VvQrRkZ&yGqiv;-hY&B`frW=Kn?;ZP0)WceggRF7McI;FJBo60WN`H z2>&-DCh*DD-;;EI*@z9Oy*@~A*54Vof`LzJZJA*HB^nN(iP1~=%ikF<0F#XRbW#1E z89)LwVYg>d{GIXsP3tk87ycvq9YE9n>ugvX%%J&~3qZQac!3!wE_}f9dV!>g`;tZc z=;npyb!STS1Vozq5EMl8ht_dcT)Px|h9L0E-B(tT( zBzLZ)Wpsm+s*mxr;wMLyl??mnk?zMevqx@@CrkH0Rg|KV(md0oxTBq&ougy<*SfO8 zLQ0^bDE12v<9_X;g<#cCz)v@l_qT6a?>z+VOI#Ki2y`Qj+~rH)b>U#fma)ncQcUe* z`SxX_)iwE)*!4L%c?q4A;WRj#SL=R2MPHT>Y46~G)8S~YKbrilpw46cy;ejzF)>#- zKF`AdbvgIT-DYqM4K|C!dM63sj)$!CXWuYh7%9kaMx4ZaZq#=t+hX)Ng&A8CLRAL( zj1NbZ`?E5#e9e8YfnT47Yb=H_IJUA)2+hchj~8m{mTU%rV9m=A)9BM(AK%MFeCyUZ zd;g~`B>jYS5FoV!3J#16FwsHZ_PLzHYlU@BPo_Bz6oyFZxOERp8ed@v1J0wM?k5_i z^h(Ov$y3?%6Ijoa){Sq6OCDM_fwnbHD=)62Jhwn8)6+&zuw~2j%s0nngL$BY^c<*V z18U}EWMrrg3?6Te->SSgT<^|whIhmc_vCDhtgNhnsw~&r6BeVc^)uJg7RURG?aa)~ z-rin#9M&bfN$Hc^GnRg_;qTuXY;vor&^4@7{YiHEfDjQfd zpZ88o$h#)4tgHwIAY5NvprKyr|`&ku1VFE3P>5ZQ(_K8%Ns zuN|$GPAT7)dga@SYlprm9hekM)p4QN!-oh%^=1>JM!tA;+UWTSAkX$wN0zrCJrN+@ zSuSkZhn16hU%1~cle1Xu3}H)FrEoc(G_5|Dbq8hHk-nEn<-9&9F6RXbfDpOQyvkx} z#zLYBNdR>CQ0OBvv6_g8$jdpw>zAtb-Ai%Rf;6q?1C=PDwp-UWAaMY7LHbqh`gPXx zIbJ|>N<&R85$>(0Q28=YC8D5%q%r zzNbvn=r9;R0nspAXP{`1?=o@Je7SMD$k+EB;Lvf|DH4DzE%q?4AK$h3(47y)fLp4p zfql(x@AXPkt*c}CrC2#uHmQ+IKz6_<;T3is_cEplF8oP0by>SgzNh6`jqRS3)I;u( ztLhT<8i_orxEVX4A8W3wk1JPKSNVL;CeD;wgeI1juRCmQ_e-{;lmg1UfvbU@Y3?^_ zsDm~@MQrl>>*wcFPc0YW4|{q9j|sDfcmxEmGj*+`{TDBfrv&U)?No6l0*#_c;=DNh z?;G5HbYvvOE!^Dz#gV(7FS{aeCi9V3K@S%VqwX>vgblVpqfGDjWj!C}M?I8j2e5`c z#U=OU@QGpKfm)y2!u&LOqt}P>*Cg>uDJatT?Zk>9((emE>RKGNw}OfWpX;Y77S2sA z%JW7`jos($fS}f^pRXgOn)|Wsc6P?xMPiu!k$I-KeK*c+7f$`BOKQ~(D|%#t%wO#? z$uBkqCw)|?tv>`OC4JaOk(Up7hsbjk0Une%HV!^8%(hyhVDl}9Uh^YA zbvU!ux=w|#dH_`jliGT=l#t4lYl z7=r@T-xi-277UT|-HYFAZ{0=eaOU>Y*jo+8(Hi z_^AyfGDL8JCH298e~a!YP!uj){ie=6S$%PBr+`#+9uNYl(Z7mdpC4unejjsxa_q*}=bXPt2anb90=Qn4? zQz9p1z$ z9;(aJ3qjaBJp8pwoZgH~ZYb z_l|ML`EfpeF4h`rtvT16?|h&6JTufqgIIWqc>Tkh{bI=(k`YeQp1(3(Ctu)k)83G` z-CbRon7y?rp@2aM0oR)NG47Xxy}igT)oHU}RjCLN>AIhTL_n>qMWvxt-RTZ9C9yqf zUhbe-PVN)=TK3G0fiWgLq>9?Z%e;x%kw!i4WUlR#p*rGrs?TpGrpFr*xB0&_(_X8C zbT7up%}972l4@bZS1^|5$x+PUK4s5=a}AvsRPn_G-s&CANU5d|&J$zo?a4-zW#$!h zb$%lJ>Rifnyxig${?SJkwYJ-)+M2Y7DsA;_wa8zzu;Qj74^snI@jP)kl-SgzZ*NLgxGT}az_7k$V%Aqj1ZO!!B^UJIIzhcW(;DOF zZnSV2fzpM&oj>EZp;W?WVzojWViA;Yk_Us8RwG+_pv-+6`VWH{t8%A{uD|A?gU>}1 zC{;^lc@LU}{P8cd-*4vU=P#(y=TkOUsg?Ymdv}ok@>QwVYJ9WCY>REevA?7lrQHa( zu!0A=b-4+UQhqD^ox}AzhlB6-fn(|z90T$cG+pf};$B84OYJvX{SM}Y7sYdACKDXehqw=bgS>WL%*$pqw%h@eOz>(&g5FE$z$FHJZmA;6VgnhA_`tT?||F5)$ zZ}$d@2$u^3_wN?^rcrem^CAsDPNdZT&OwC#bjEa=bT{dlQaj-1Z!Gm&C+TuTb0yvT z(ll!~SVrA~ww8SC?tX7d)2isKs#G+f@M$q!SOnWsS7rH8NORY-n5IVO%YJNmk@jYV z2o4!Y2=eo4>tO!7JyC5Fmw4PMN2fIi$-MRc=U;IPWWH4``@YmS>$QW;h zfj11E9zCQW^hiv+eOoa9fwke{scZ>II5Okwbsvqix!^0774CEKhP?c2#y*3sSJ9c} zH3GzQO6ozFE0Nz?o?web3-pD|#o}S`^2-kFNn4vG0TzDuuzV%kDs7%{inv-tcPHSi zx^x=frvfV({J3eT@4C|Was!cZWQD1^{=Jk+_p4)i9Q49WF5f*Bv(-6nF0$0N?)o}s zy9pPlGQ&Rei00YxS1L8U!;$Dvrp|EL*hmOJksxFJST-Kf zp~t<^ZkTkD(^LSJw+ZSk`(#S9CA)s&o!x{x_}r&!DYNXFsJuF)A(l5I+*^cm^L0NL z4>5WPjDSeC#4GO-9Sn!s9E>DkpMul$D$A{1C=-dIol?`K zfDOG5d>ogE+UvL}8abHSFB+)0b%w*^Wv-ob@qwnU6iQ!qqQB-C8w#F44~VNF;?Q=` zQ!}nSS#`_QC@Ff>pS8Sx@VMM#Gl*j~8$wS%m-~JZ?NUWRo#d^{QS&tI9erSXtO zhkE>0pC)6)-yZIpHA|XX(70C$?MgAO7?GzA22|#nprP(H|aPwN9Ea4SeP}cizTqx zMp?@V%n9RMD{oD%$7Xl!U0W#neUsWrTs^v|ol~_%Fgp#)6403bVlgRQ^rP|xEK~u0 z=bEBe{%RfmGH-Hl7R}X%_`}7$iPKL~ zTgXs+n#+jiBK0^tzf0a?8`4q;$}BS>5a(bRyZ2QZ#dNq)O7|Le*GeHap_YNfyj~Wx zfQy-PGebt$Y)9B0Z#Htze@=0BB$Aq_`P)9*GZEJr{Jf|5`{+!+d5oO?4WsQJPeeN8 z?HS_Op2lE9e3VfaHG(pgt7i*Lz2Fd8R4Q*kd!Oh+UMsu1>?S(t`+DjP=V&=9TTYi^ zp9hVc_Se;(bL_mFwtTIX+I#S}5)q$ZbzF7Yd>u}QCPR8H3>30`5cR^TrcYf_QeD%o zZ(hV1^etN~)DUMJJsWfOb@?J~I~`IgBV{i*zAn_}feiILDz+5)qP~~0KzpjBfI;w~ z9A1PpbWf%?KYV=keN)Hi=GzczT)C@=S+zzmaxYIUqSlGsLnGK1+)ssmnG7;LrLyxN z64y*%Y;@yK?=4?y4Hm7OM>%PB+0~Y^*`Vu_>gBG8E+nwy2Yk}?!H*hpUhKJ5F!}BN zhVf984gR!C2lhHT(Xj4uuDkIhLR%S`W-IODppSW5M zB2(z?$Nc;-%}eSmA$uiGO?p<-qqUudhVF)V=!r|-FnLVV%$841@tTsI=BA~-?4wkU{$+Hw)aV3?@X$e@A!LY zX-2B3*K)CLu=%WVF=XJyIVwQ}!S*ZTN;FgL8}7w-4^Q_FD|q&={14=N9N~*F|4Hg|%y|=o4R^o*+#+NMj7I8YJ@V zcsM0ZlAX+ILhZ3QCw-EY^|&7OYQOmRJt)Q`(krK|S^1P)RexTCS?!vR3zk}5x|@+o zOIx<0KVU`6>e1X{$V~z#UysODzXRjh&4esMAv_r4w41A0S6%KsvBpup_`a?Y9Y8Qp zvpcNX8=!UVw;`U54Uzu@uxiL+SC0!=&rcjrH>wO+4-DY>Q8kd4&t$}NQFb&dMVNA| z9x_^wFT_F6#hWS%JdCgv{U;0kdzrI%^`4ok&k9hp(h3Oa<3sFr0&WL0q;{G{9{_w6 zYR6h#lTIFzK`-Gu6ppE`ZCoq&x;9Ik70oEw^#rM(REjb$G0?o3KhtmI`AyxL_G0j& z!};O3z(Qw%Em0WUN4mbh7BxtktKKI_xUWkljX;UFHB0Vba9I|;7}8P|VgX~4k$SD{ zorR^nV{M5MAH*_ieMz`{q z1qxq`ACxtkUgKMxpK2dHd=~2bl~H>XXNouTxAa-URx0r+`}C8spe~Q@GOf16t?t4| z%#{pFsr!Su+o$ak4h#wnZgPomP zwTCJz&&t)4m9Kj#mZ%Sx*~VNFXbRyZivnD;?*UOjk@4|RAtir*PgBys>AS@~<$D_! zn;tr5jk?r!aFw=M;^1zm?N0iYAo>;JEl1`QW7hhwL^UfR2UsZPFFuE! zUx0C6;`*_>~dAJ3mN<_ROfBnh+Pp>Mww4AA2YOtmr0jgF71ET;upkx%KM?bOux zLduou6}hR5TZn>+ik)!ox59ZFNJZXs0)g;Us^-~}X|2kj26yX&bpTSRo^Ks`a6S^B z{x0U4Ou5Sh82(Ztf}ojR{O-S179W2xI6LFEm!6R0^3qaLL)FA9ncigT*F>B6ZWjNY zap?EksBQM^w>@=2T_F}#?yBhbg8E5y+}zxKLbXw*D^BKMiq)%YGK;nbtOz$lS&lWJ zy@=nw(QxdH{CzJv&rO@z&#z+f{2x8tMHz<{>wB?vpJcGAGWnhz#jX*Cc={?%f1}aQ zhN8`;CJbg4==)dPvJ^v}!@xu`4#vcX9rX4}(*S>Y+Z$#1ncu?o_s%Mq!?n2`aJbER zYQxEL?rM05MfEdBBBr$$wIT^{q***FUD8=Xn%6=26ogfvRrJ;^zQJt6?3a@*-T-Nm zJKX*5JW_?Nt|p;zquoreH6P?`MkunIXzZYA1$Dc@Fsu>)sO<0WU(_qmXPnJRu_TY5 z0H$~_mEDuU`x$o$Al4be)B_+Gq}~J)1nZxP_PQZ@_Sx#yp>jm5;X5{~#WCsu)hPfM z&WBhy%<6c>InyMYqj9P7i_69xW|lRZjtE*>W3o-_n2gk>-sNM85@rlQ*sGTWpIA#e#vA7w+T< za$`d(F>sW$9*N3=jy&LOpUHaT?350^>(|M#_nB@%r_N zQk?yvwbi6h+}FDif0e1M>9wGdCO2eB++19=*KTE>73W21Xm%M>$k}#g;1%Orje-^k znWED~^2a79DChvwo4_lx7}O0z4Y9XsmX+bCY$F?VRi@fK%WJ#CGjiNBU1x=AgvBoh zz zORRLhC#2&*#bEXqJIijEFZWiY6Bx)q8XqjPMetm>|9!aJG5uv2^VM%+qmW8VF$J5) zwj5T8&V6npj74dhlM&Lr8Ly_%Vg?+J_be@)l2qRa>znEsZCR&D#9xeOh;S+`kuddj z+cH$KeF0h-O!x9Hfl5^RsD{^P77T@iA9p;}nprIKp45Dkp=A{jbN_$Gkjvz01n4|5IrWI6NROlaxpc(Csz<1s>YLxUgt1@^ubdEs2ed{LB%axEH~F5gDc@GxX6c}=bma2PN?VT;1v7xK;jGst&IdRQ;XcV zX-kwhv)VAqQy`8J2CNo6_NSL%9oS$}_uaXR%^!WIq3?8e=6xUXC1ti;hP9Prv8g6m z=}uLxd>L9ahU3i~9Ez9?(^vGG+yU_z}ysW`AoK4K=0{Bg<<7QQ|$?{$h8ga zR7VolveiF)xqt(1@XBakK|+H&0^v8oG}h&MonJW!x0cJpWmH{b9E6*Gk|u6!(2*kiR|WB! zQ{C}z{RjMOSUYxl{!XP-00`7@<$=MBh5hom70LRv91TseCn!%PfXJh~U~DvVu!gFm zeCCteSR5T~>G2moeacS*EGY8*>b9^Y_WNazEiubVX4x%>2LxslcJ7?DpOHfII?Y8I zoZTg#{QHJ6z8n#;eOeXTvYUz4@avvGf+`LUqUQ^QRAk@;+4jIeeg>rTXs)#S`8^fn;&|oHz}z%%5{V08=FgmrbZ0bthfPqHJid*pU{z zp%Hva^qsHx|80PhMbDi&J#(2sjygn8bMFr-v+W2ZxSb>J&k573E zbjAlKed~~yxNntgXbK({cfGjFp`&N0A2woX_byK0Eaz7Q=!Bg(BUWTO@?l<|R`}#4 zP)`$tuvdH^e~-`(ylA1n_qed+y()1>g>PZNMAw4Cw`a`g4vv z0r>mltJkOha00+p#nJRLFay{9(*^i*j<67jx*9tvihsf~(2ZP^L+Oo=|8tiTu4BhlfgD&hA{a2` z|4vdFfFSd;Xtjay=s-Mp6OQJ)T>ri*Ajr57Jn#R_ivw4wf}9m^eFM~~ekZ&rl2hw7;am&#f)?flI=wv)!bo7+0ykOPS z6R0)nr$>C;mCuri6H6m(u*D~lTYcvw3D(gC*VgPh6(^U;vr{K|8)o82{oHc n1c@IV-~iOU|4TFcI;6OfxObJCb(HTI_)~>xDHh+o|NOrI2;Q6y literal 0 HcmV?d00001 diff --git a/blueprints/data-solutions/data-platform-minimal/images/kms_diagram.png b/blueprints/data-solutions/data-platform-minimal/images/kms_diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..b973cabd18c7459bf14518f8372c06cdd65ea7fd GIT binary patch literal 54929 zcmeFZbySpH^gl|efC>mor<8z%q%;E3CEXw}baxE{3Mef(fP|9L(p@4g-7V4#Fw`(K z_rW*hz3cm1>#lWU-9LV;1v8v^&U5zJd!L=3c|uf_r0-*sVxyp-+?SP+R7F9-Fh@Z_ z^Tb30M!qmQy8$n#E~?VvD8>Ec8^AxdAZ=N5MMV^5;5{Y^1}Z7at?NsGUlCNYf8R@? zK0!hMJr3OGofQhk-`6Msuh%~xfZyvmf4!o8Li^_m4D(Ou|GY=@yuQ?Vt^fyk!E%(* zaX~>Lq`&?}l~twN1<1T>rLOI&t*9Vi>R`wA+RVWO#O7(|cs&b6$Ws7#YX@?DP3>uC zYwsf9Dg5~N6#~Hf>tXiC)W0urwGn=-t*AmR;ouCS=4Inx<9IBBO-)TL>eH-Y#v-}4$c|I}bvf8`Q{&kao z?js3uF?F_bbhUD@r@p@LYZC`ISK-HxuNV6F=Px>4t<3+dWbg9#wtx+?Uw^{>jE#f+ zf0_pJwEAC6yZ+>_X}|aN*K$JFHxp0=xj5LmT~noDZ{;e&DfD}d|MT!4B89H+C7@#E z39{9ew6X))y8u%~o;~B_6=MG%Kl&f1>in6?%LT0YXXcGh{+=nse$B2M?E6bLzefS# zh+qq`|0`$_Y_5T{6%-UP6j{j^>Yk`ub9apOv>K0{SaEgcecD-k;M|H9F}&GtcL?PI zM9YQ7-|iFRdWK7X4*zBvB`!~t>N-@B&5|lR&F#Y&iJVufYM{G->{mKGlueLc{#;PP zu`^b?mgdvH#+=|Mu(X+~lpA>m4U^g*<=;R4?5J-`B!}_DP*5@c{Lx1XRA|8Y^FQz| z;K41-B&n>||D7+^_1)$_Gx3OD`G2sIBz3>J2+H;CZvS7noiXX%fIf3FdEWj1PH&|* z=1ltb?c4cik|BfW^DXfkYX+zgQJY~Sv{1ICZ;Yaf0&Ds?P6qwiDhk?XHnFaUnriOazBHp*irySO zen4%u|F(_o22b%Y-B87IR3Nto{ceu#(u#F0-+5|KJ8Wc?Je?{g{J|)%1MZi^2bx-Kh zctNj3pwPfHKdlw7%3AT5HGObEk2~kw>^~YuO~jF;@cQ*@Khn=rAG%LESmuzI-Aw4a z9cLWtw8c#{TW#rsIvJflPfl)1g}MeqoYQO*25Ua!Ybh1-&aZE0hi);4sO z>41RGffLM%9$+mzUqdZmn#M1#zv6A=w;e`jeAhNKIOw^29P;ZIzFsx!vuCg88*1;a z_C-WR3HDYwKL4)<6IViI)o5ZbsF2f?kS^R#ZFjf8c0Z4~#)t>9a;xfLmjmhCl7SIT zG9B93$o`SR$>Yf-Wes%=H#e{1($5pHB~w$Pr-^5axO2oi9#Y93r6XyNU;G^K+k?pQ zaB^{p?(Ib>_{4v?Dad)W%wPplT{GV+wwc%{PlB3U;tbZ;y;@|1>=V7iIOyP`;o-|U zLGp?a~s1Fc(EB{mxrjCD7X}JWBFydrg9i zwzuIs(=NxmrDXOsrzw>-bno}OxJ=XKR#*yb;y1hT>0%9(`3(%fZI>5!U}U7Hw{I_7 zcb73*Sy|a=mMAF69lFETx5$aV$`|4PT53Qlx!YYp9kw@PHawlPmwuVt4{mARJx@<< z{BvL_(MYk9Qrvyu7m%?j1FAP*k?@U;2YldB$2~#=&zj^`MC+-`)rL?*^Hpu`>HN$* zdD7{E&DA&wVWznXZ<^?rnF<*`#yQ%P!nE=6v5U(nh@G8{2Yb62XEH5q+cyQ_#tUI# z-cH9SpzR&MpPxIKSqkhME~k@@PUaggN6PG~XBK=Q17r@3YQp57YqgeY*RF(fso^nw zMC^KX-&1#Xn&-4sb=mkK;0fi&w6t@$Nk`k#>7LdLO>b3a1mVYqzT~uAxfgF#{;`07 z{VEDnU>D|7QQbN-A-%syWQWsyQQw5zbUn>xX@eHKHkEFFJR8^^K07|#8r-0qUp#NU zj|y9izWk6rhnQ(<63Ld^UwkggZZS7KMmAoe1`TwuaeyrKc^pwZpBx>1JVmE$yA=+@ zB?)ou8P?O)gV!PhhWF(V;bE@v!vuAztX6K{ORDqMjE%w!r$(obm>^gSQ zU%OLkmG$3rhK--d+;0hIAc;cOFI>Hhfc{wR8t~g+x=YlLtkE5Abe!YSGVnpfM~NIQ zM1vU%%DC@+ss)US6xA#v?C#)8(K?0-4C!D3iIJ zJBN!bw-baH@5%3?$Hf+&&1(cxUCMjM`wF=e3fxr%XGQUClrpBpkjVAC+V8%Mr1I@F zDGgVDZ+6_p%4guV0xB&nrCq`5J4{PUgJ1pZyl|grk3o$vI@yQ(V0z-1E2AiTGRev( zAAYtRJJ7UuG^3Q;RNb8J*`4~{?q6pWP>Sh!huDa1oaO4`0~{}DTr#fzV6t3hu^6-MFaf(O4ra~H8e&96HT5z92`h59(pKyUj4V=3Zh7=SO)U^rxup5?sWm_}TLv?vj zPV{G4R1NCHJFBt{>c{9{*qpU#N7>@moZa&i{PbD>EqH0hpSa9@nb!*rWveyY*Sn1Xaw?cK}$Fk0;(DYrXG`^TY+(L%RB{|;iPnj zhle{;^(D30FE!;jNW=O0r{oFQIY}e@HmT*AyTs?uj;M%JBD2$ZSZvzMvYp?ni}B0d zCWr)`>v?z}=fQWDN1fF@wU75f@_>C^))vjxbnm7}r-ba2fX+;*P8>~4etmf-bNeb{ z|H+HwqsyH}#XdH|JXJZl;baXKFdN0^3hyiid5w7bCm7%BtqkVo>OJ6gWcobMgdY3O zC69G?OL(9ke8E-zAD~~OR$K$4^-vDFF~`Ilp@|a z#vP~mE0Q^k3*!auTIC_PA8Gu$P9emvL~W#qn*(?`Z0 z9dlavsEL>mt^=sF~m&wWXsCnmu zh09AZNHdFd4A;Ep1!*-uXoTKZXJ(*$U ze7wB!85lJ9mR?)Jy}4CsX?8R7zI!VZvoHpb$o^!kmY;E0Vap=r^N{n2rW1p1uf-FX z!^xoHe6HW(LP^8%a6!yvJUiIF_1w$)cCBiOy$=|6mwoEanhDc}o{^_c0-}B=8COc- z(ynkc`D?(x&W
}#+>aOB&%%`3`EFA=VF#e*}V%c(Us`e%OMSBUk`1btiwwkH-U z`jt_eJhnwWWiF`MXky_C0tVHJJ6+2@SlBCgjYRm|YbHo#w&Q9&LF3N|C>9Ku1TNj~*LRd;UR-Z@3US(x)jT@g>q z3XNXAbTgcP>PAHN$6b!F;Z@M6os=+IT6Aq0RcR1KudeMnLeNL_JB7ctmA;OA#xm6T zQ&_ZpX8|HJSMNE5<~C!xRBUuvT>QC}cIYC{6=M!DLM2;49X)2yd|nhzrFPWA2;X&# zePQvzQ$9F>DIMYCeY$ggQUdYrL}q6EkmJSb_H&2=sdtr)QyP0okM!&|;|wHe%Mz;xe{vARp&$s7yt{DTk4wj_X8riW_QC7L z*AH^$=TWo2mBEObPv=Vf{NANIx#GJry)*LI*65M?C(pg)>x6W4_E_WLpAQGUYmORjyC%s`z`BS~J^^x@R#My9p6e{p}HwAnr zzo-P7j`gsY<`3^;>G0xcVm~i^?LYn2^_b9N)nlt0y5VCT0lF%H%`7Ew^*5bsT-hGZrq>EFl6J z$j%9oyj<@}%U6yO+{?A*Sp0Y6nS7-8scKI;B8UukGthEo~THp=g?rFz}{8YJBPZh;Xcv2gEcT1oq#1J^G`^@AVK{^>j&59xda;O z0=cYFWeH2!nxCvi5=^1a(Rj=zGHAvO9MJkh_UMtrbJ}t+)p`OcRrXB9rb#|)OHJy*si;?F1a-D*kM^XTd5>HXF_U}L$qe-ii~7y+N|CAn5DHEsVA z736@wQ(77nqSB(=5DGCeH9E~vO1CuHs~ZuTK?XFb(mOtPNZV;vd1&$_l%_820nQ%siHiSm`Dr@s^xsc8v*c!`r`Bk$bf%gl6s258Ad^I175gX|OC z9p16d%$BY$O#1BNrdHF5DIq(1yVy1^&S5ECRq+G@1-bW7p`xN~H#Y(j!HJm(kFD>r zOfSCoi^BEOD}^oQlD|t%=y={>7G8icdE(kA0v8dR5<+Z0P^%~snU=Kfy&7)F{dM2K zAh7x6t%fL7RW`#fK8M0!w~tYj*)dXcZ+=8a9z?TU@N=%qcZ_y7B_}^vDnhIkBAmV| zO^i-v3GSS>*v0sFn+b>2l<#El1U+_A4C-g4W4+B5 znf^^wTjH=WjJmR_k?Z8eJUPOYr|;vHdN%I=rM5Uts)IAvq#M2KOli!&6A2^fnCS28$x21g-l&54%JaFe`)m03G4H+Gr} zz;gTQr+v;AAfvLAU-2vnQ4dSMSp4WC(N)%4N$|z~r=j1sMMhbtKztm79w_5u7xh*0hqG#S^KxdouqXj3k^4aOx zg+kE=70yzBI9gSw$mf$1VAA z)?~V_Us4O{4l8NGOTw9fcU&yiSfq7|3`Ea|lsjwQe;1_$i}TB61hKGR`P=rs!H^4m z3enOqD6;iAubT3n78Hp49+yRjB{QrV6Q7Gf+#hF~@E3+lFXlaVlNGKlwUw+X^9*J& zb#hAb@RN<+Gw*pyk?s>O8O0<}CUd&xa28jnyVpJdG1srwiur6)J?|W=x(dHM)&d1! zi>^`hvbCybRNf}Jc)l-@W6C7xQufZfE-u$XN-8(X!CE9!kei48CBM9fvcpvujm?R% z=<j;TYPg>-8zP7=L>sGV`jZSj3g614JJ@Oj27x8unossxe8 z^ic}oC++NhtR5-|7a5COgxfB zBz%2{Yn&;X#HhSXpX*cBHxOur@+3YNpFKXlKG=T$Pc1W%2CbEdv-amV11jxCs^ER2 zjctj~LCATmESZMGdM#JhrqG8q?K%WlNz3E1=_kvbV?a?&qu1MM;2d_M1RG?Y-(=Gv zJRj=3JlTd{l+?9&Xle#ex8j3%*>yRLx@RXRec@o-?g+~R*~$&cMU{b%PcisB z`faD`&4%7AFH6$TEVfCf&zxrXG|<5O7r^j~qHPHRH_fMd8Bfo_BM}oX??nd1zOqri zvVkqqN{)9YWaUHcgij?w#aXw~P0N>51&)#*yga z9DZCQe#`~lqOeeP$=wO4PGzS+%(cgnW}dBk0j$p=@?Q*(sPq z6KnNt0S$HE<@JzMp!Rlp-fZN1GFBGKj6iqw_TD5CMJBDUTUJu&=p>b`r<5s4*cn{Z z*Uwi^*_M6%9ugY_kU84gCJ_+fTL>NNP*YQjLkE%Uq2IxkEyc$pd<5;OQb>!ACp)4N zIp1wlR#(S~*o)0R5;@t6(tS$E&n)y*q2u@wG@-kyf%s@gROOY%7^qSX+V#<)k=8?R z(=BWqd*6kKRi8S$8A#%KNCiCU=%!yn8-X znk3a|6OEFN3wDUi^ZM=+94e!hTU^-A-+=ihinFPz{i{`J)L|*3hStRScGDgDZzR1m zw{Cf*pZ#DoX-udUbUvIEMqacH9oA~jTkam{Jz0f-Urr_XY+RlbU9HVsWF#=O z%@<$%eDsmepfKln>bdvU_qVvB`A6Sml|ZlWC4t8Ij6EQBjNjYmd`Bu-64=$`>S0%Y z*Okzj<|Y`UwYKxtF&4?MC$Casq%$(V$dqHe8sGWsCzT{~w8B1{b2!1|g+nQ@KLJ=+ z!Y5E_#%cUVln?B;*SEH*@VrRGYCNu9bf5fH5%|19J~KVNbG%V9I(D$UMHp6FovWOr z%buVnw71ekWY~#?hCy-vv9MeQwi`a}d?Ht8D-C6nG-hSR` zAzJCZf{m1%NgfXNe3$9v=Ac?C`VD}2@q2#p8e^2`n{>R| zjm}=CBZEZ|=ZBoK0h}Pqi&M8C#=C+=sq;g1>c>^e5EG#4yOVoV&I*1(l-B%W96yeY zHk)0&Cr)K>r)oEKioDc!BZeKa$GdS$HEe$e6l1_??%bX6@?8|A#&}`ue6zh?lt zHmjz?c<_?VRT5Xj_gYnTZ(VB$B>k|8=~b-0bS<9qQCHV4tfZD1XnHRgcV!)McE7@Z zXyDlz{Ps?i>wPH`RXcu3{;<#!5o_!eAKXTQmactyF^ zxPI&6&SFgS&M7OCs>=4U=>GMR&k*^7pKf|xJnoCm)<7dDc#s1tae}w( zb-}OlB$DtD`orGxg(V-HHXE7%PR(6?I6`0zBjIWOvsR)fnGPGmj?XuAkY|X zlrYmwF! z8=S}=OO7Ov<8=b%v9VgsMXrymeEL3P{IGGk^Qp(MN?f)V(a?`e%~6w?VrhRmUkYNz zqlP)3$P;tLh(8)mq}M4;C3tRx*^%Mi4`(urk?3bI(~Zx(T11>KzJxP4zLFA>{C01n zBU(kFWJG>)>EZ?CJMBAJS||K@{EoeIhIppe#)xRvlkEYwR($Eyi?%B)49eUyqQC$yVPnyiIk+js_7T} zzD}zAq%(qewk|#BMp?WCJDilWRs?=~qb;prC>oNkZul#ky~2*vr@@tX+aTrh$1G1- z>y=RQaH-hyh3BofgZtfjI8<5msfg?f~EnN*&Uv%m33l5pdSL@d0If#|PMn8cCYBVhM3LQ(yvSP_s!eMC4SG?f3vMGhKU8})L?gceoaS4rwr1{&tRnCO0Jgw1u>EiQf9Vmm8EFaef1B-r0IEZL-DE`l2CMLhOHgP=Jlnhega4qR z15hF2L?3hhm?3Ka7Eb_J(ZM41AFRedlKH>E(h*PG#G~_wD&5=>{_U|(0B<-V(4H;s znX8RvX@2S>6v#=QQs{8)mE(Cx$ARweROXi@s zb93|lN5JMQAQ4tHH)W@w4an}BEBSw>PXpka;Y*&JpqndkyarSUYs88A=5$LV{|~Zf z6N!X3S853aR$@@-{NIHBTLS$5lA|1o$1*sQ{~Tqs$Hr9aa9bPK$ul(7=?(EiZ#7SK z1^qI^64BHy!fRDk0_5uSCYs`Ji-N{HXlG|v#2U^iP0T>^m1Ny6&#tJu%OIbRqm1Db zG~yc`COt4irEa?7FC!E{!tm2^a)vClFM6@RwbN{rZI(kt&5w=+GG+EqDG8Gr5BnPV z$dCswiLkf4zPQCB+CQ!(s}bt zlq4Mp?%`!e0Sa$n3dJQ8S}ruqdsuj!d#Z^K1Nw7z(h~f_+VPJUmv9V>)QlXYrS)~g z=ZU`>+p0c%^6+{`#@wj6E-m)eQ3*ERFHFM=!||WWs&{iGwu+9*GvP;)VzGnde zBK2+gVWFWh9%av(k|JP|46)tMjMr^9A{9%+VPc%WE%6WT09o(cUCY%eNf71BJzxQG z6~K04u%Bk})lN)1a3?psrH99r=gHNy^6U!lHfmd_F-HD2tHinf=ky-W$ulWk6X4Xh zrRc-u6mDbS5$gcw&y4IyLA_<2`)K+OgZts+!ovu6ioN0QANa9>9VGIj?OQ;Y>--Nn zp+H@>A<1Pf4-2i89!*TA_71V*(Pt#`jV0qH%sV!IsiVJg(!|g+}57%n!&T{D8uw(x~8P%If1{ zkT5ks@K(lA4DKC-`xN#tLE!n$n+G2-86Hk#UQQ!=L*)f zy62%4r)9VH)91DsJI=j!k83`O)lGW#uo%bMvBW}4&#sz>s|TMk z0?|;93rPZta(ZG}sNv-Mm_PZYnEUKUG^iYidmHjzvC!snND+^?#6HD(m1)lKySUpj zh53A2xIc|BwZBqZMLkiNmUhWj?&G|v;t{V8R0EAUx8In9apT^D5k0E@NEEbK8o=R` z0xMV>o=jUR2vd;IyudwN=+^GXe$eZxp2sIa;t^Z1I5E;6^r# zfkxn2KY3Sx*U}eh>at*jtln*SEMQ(}SL)lS?d7S3o?OE^Fu(eHFhcy5Ia1r1jA|4u z?mq`YP7HnEu>8!T(fK5i3xBqe!WpAS>7ChX=Bl`IfBIdUhKp60iMQaK1lhl+^EEqx#Xyrg;g9SzzT>N zk~RI5fQd_h2PEYqxpVw*aPusE{&VZ|!L>(pfWqJ)0aT+S$Fvx(q`>YXv0pkbJ@_cw(4`LAl^_&}^z>FicJO`m$>S zgA&mF5Li}WPK8;oz=))WbptC&d?QFf?}3;xGe*T}!m~&2DF91yB!H7HFk0!Mq;uK& ztma3`Q8I&v%Y<>JCH}QqrlKWNByyyFNg+eUV7P|c;yW?vqN6pG*!+Avi~*2sg*JVW zV3#ASMg?#;90-|=$t9W|>Rifv?4=`4apep;FCaq!=rP_x+c)p>+$nX5CJ3MgAgkCh zcX^fy^2X*9TT8@4lFiRyQP_|D#Z<5cdmpMp!+HRF5f*+xiW%tdo0~I+6eVa>2=EM2 zxeZYDlkL-(!_@3d7cUy7rL4ap1FM1JG`=V5`~X4sW`sFgtP!RAwPhrDFzCom zPz_4%y8FfyFL4iW09=>&w`6Zso?hmTsc^^`YN`XF*k8g;^aGaJXueJQB_J5yE6E;v z+c2FQ6&1rg8D&ALuYyG!j3?I84B&DhR7a5-Vg-!~-i!r{kq90!k!wkW16$}NHa+MD z*zkf8*t#p!R!UR5{`D<5jBEdvbT*zCbd(Z`tEu1f)0bR}iD z6Rvt~mInc~#-6iL?tOrH?W=z_*mD(+?;qv%r7^ry`na9!R6@-h2r!!Nng`+=q{EsR z;_|>rt0+b;S85i}#7fb&cKgt%a9-iWLw%1hsaL%6n* zRVc3MUd7%`c;-@apGN`()d(P}NnM7l*3`5T;uketJ>U##34<~`_HR+YyPNBl-_B2khMAHIgy>TzPKRIpH6<8!dbxdrPS^oz z@Q6`6obPl*1G%m-_O;yc^xATrt=-vTH6>o$Zzi@P1uTFs>Saa$xsBxg2VyM%g1g(` z?RLmrjvkX=?&Ki=A%Te~4kR@0tyXMkFW3PdA3`0?xy72EjjmpVc^ajYuya@g^d{pE zZt4Z+u;E7lcws&uX6C!cJ0R|lY%XtEQUUf%U4h}*i&+Fyw0VGeE%cww!Caqi4Yy{E z%@cRt` zArRwuM1Y1D=h~tX0H%f4+b(r7Z|oJ}Y>%cMySnaM;4Fv(7D7t@HZ!m_(`!@5^@!vG zd-rk;`Y!c%(4Kp%;*@n}gRl(1%1;BS*zh8~9QiAkn+g&@_TO_@!0hOK#v?J_ML-h!uc0xbt}F-jBQAVQ)FFjpYa$ zJ`<~9`NnZ8vT&O*-|YDPC*ax`hMT^J;uF5s{c7$$6dg04hPvT692|VFSf)pzD>c0+Vs#Mv@52ue z8v;a{ia#PUg>IP;m}nY&o#l#O`*S}`j9P!1E|@anW{QgvAbaf&B=tl8Ej?au+Za$7 z>?0PLi<{RP;{!U+@Bo@|bC7!Smi8shWC=Cmul&!r3?t2J%fbF7Ec0o?`K_HZgo~sued=cccRx_+NOL|l!w*k z(gYcPSq0Wq{*}#0d1@-V_<)J`u~0@`*{IQjEx@R-0*>5jFMpWfFIJ<`QJ400+Mne- zTy+&7BeS+?RE^u$e^=eL58my3}SXC8*mD~b$i+Mk%!bu{T-7HNaizRQJYs|2)S<2yf1;Y9vf31olu{wtN%q1%VqIMCN6txd%ILe za3+})wru5MYT%M-!=UPG5<2w!@ReB>`rKV)GX({Kphs&Nx=)o>0@2EV;X2oWjK!Xg za6x7H#JGXy`KO0G##F@lF5;mIsj7G3Tb3*=B5VeZ_+RrPG>&@SH;u2J?!Nz$I9YR4 zl~9&p+Sn)@rj=sKt2gRuVSKDsh>PmqhXzwB093%&aMs@&alevBBRgs8WEcaBG7YkSIs9wM+J&y- zLp(m)v~T4PGyx|w_}u}atgY#Td9r=lne_S#Y1wY8OI&q%vfkjfjSsfNT&t;5S316$ z1C1Z5jeL~+=vLH>&Xv5)i*04p55B44K6&vehKq^*A`~XV%i*W-kDvChL!pcJ!R;Wc`Af!O91Oj2ZieYZ;X-0^GK^CDFY+4Wn#?^MMAv+nj4Z zj0_O7lG5e5S|_fno11R1j~39XSwshoi9`*LQh%p4NK-m~I{#8bE8bN{P_w9BCIT8K z~zTb9{bwgHyIS1)L{V_Ho@6e>1Scs&zdhr`>%{$+z zS{FJqYX>W8Gu5I=G2_kaaA-b->o2SE=~h5~tKh>toAGYEdZb5_yD_{!A;(*1W5$@n ztdDse4v)=|!&qT7OWqAAUt1$tma2sOfrZN=jyVD9IwV$Cbx_#eQI-6&w&QmrUDNPlYcxg#kU0L{1PROg+?3TWKd;m4`Lf;T7mF(=wh14z<7OL=Be`NIixiSHsHH{V! zT}$58Y3PkBb&q)xChQ51$)=!t)%|IU=OdV1j*?`hM$-BZ-0fJpz%z`X{1H0mAZ9 znvn_uF_s*xrU{+0u!3HCdamBeEJ|Dqyuon)D2?YlBfO+$>tA=X_ zWWSv>&Q^@zusMjRCbt~O=3CiXS{jU--;C&AjptP5Qh62^Rn9#$ms1FJu(vKMuzK!P zv-_5+$wc$TIJZ{+_TiD=*^bANz*c02X|@f!cHS0~unwEYaMwqV(;X6f>95z(H}y~a z4@|PSvllK?AMj*$zKzb9s_BoX)LR{_@O2rzTCq|}v)Q;slFvxHx5{cbv@qkde;iP^ z89I9Sv^FR@M%vF}tv`O{=dzz-Rk3?H{mwbia@Z5A3=FXg-+MYgCNJCTx|u@B82@tD z{$g|+_X1HoVdR~kwfn`}h=JtIlQ4|={k)mE`e~ua6#zhpkqLy{9EO!7>TA%nd4|2= z=>x4)NO$e+*j6i#odvh`KIpvHVhB_OF%}gh9X#-%j+!Cpj@Ko-izt% zy>FC^j{7alW$5#+b6^hiTV{s_ZtXvR3N(r^_dKpP>+4Rh_U${Nv@w*YKHM7s!@A#H z(Y=1l=_UK--A9qr69Q>u{W}G$kZ!HH-92c!Peoyt3aQV0J2Yyqr96&gNvENJZ`cbo zo)9Qi(s(=&8bbi0FMbhHX8U$F`I>KXZPEgvu0WQrirVOF#ce%iSM|9hPO6Xp773|c zrSQ=X)AI+p#2PK*V+U*LbFqmjyCEgBn`tMhS_}8NNVU@Hg}w>7(uyJ*xh&3bMK4)s zMt;a%Nh37I#r74~; z=MZlB>bH>oR5YX7#~uQ&1o8V6sW6sx2 z6TRAXG_ItUNW(^>DV$d}G%+$UHB|HvRvMQ3+ZybkIbYEyEiI@0YGg&9$rA0P1wXyx zP0ksRYsw!suo>aX)}4}+DmrX9{6I{M4DgiGHIXADp@E~vySrb5>vG!8B3TW}yOim5 zN%hjb91HF(svXefFc^BkH1=ejtV3Dj9iq4J_F_4Zu*D{XPrhRR0R<$`d9@l?ZBLm{7`?~KUL)14Qmt@~?h z_C7m(zX-C^j|cQ(RSD8-kX9j|;>78iZJ%ljAj@Fv;9v8MK0asmXB~{0Pc05PY#|5( z633d8w?rk+E%MItrvBt7gAG6lW0if6j#ovB+O}ao1Dfu&9dA)hG4JC#cgqHQbwy4q zs*}mipvr=BdU|NS*0%50o0F5_ZZ$*wQsf-EvhZ#R?t*(Jy|<<3SSvD0<^us4QMvQM z>DKIzoZ!{icVYQG`PsV#B8R9^oEM^Yg*I$Ls&UCl0v<2?n&<2(MS{FXLlM2F-rgRK zjasVxwT_kNN=nMlf=Hl6dZ+VbaH@Hi!<4Y`FG*)UXHk^TA3Pu_^=wDuiN61L)CnY5 zc-P5Y^j%?{KK(N9*JftltJW3@iwe&sXa_!K{*c#X)pu!SMj9p)U7c9#$)9zwu<2L6 zu2sd=$ztQ7U1?`D^13*w24K{^^rcl9JC#KalAYT2mxlI zpbYNmCELEUeP*^4`mt)c&y96{ZUMl)sU{`F=XA)+*#WA5wL=Eif{r~=mRE}JeO!#M z$+Q;}^W@^y1o-f+RO~B~#9X?_mFoFV&4-&2wC(bKav#`AZpp7v%t7>ncV+A2Qr^vr zKE5T_8JCVe_2=95pEQ6RzQ}Nj$qst2L+`6^+Ig2MwxAJ2>vp^F)v-L)#rZq4d{wZ< z+o#i~Xv)i5^ETq)*$m5nzRZp3jyhn)*g8+SDcXo8o43a~Xn!(IUq(DP z1n$h{1bnb6eeTHOUTk7aVp8nT+#D^*azYKKj!f!=YeLa`4rRJQRi)&V=oB>$dG8M0 zO+EURpF3^)K8RWgk7nWCP^W+TvDE%zgV&W%pfq<|qb9c=IT=6@ruic(T!2v$ zbxwNIhAgYNOr_@Bu*SFP-q?W}V)RE`Oe|=-h$7Q{RVF=NnqSzU_!EnN)EJqjOjiYD zqV<4X82SD4x6#98+mf9Ul(finte|{yh3(2_17Q zd3|6^PTwokMUjx-Yt!J6JgdG?$Y8!w7rfl9yGZ%ct-_6WjF%}yjw-GaZ0Y1k|7s^u z-DqOnX>>B(`;M`*ZEJ&&4pcv*^=&;)uYO_tS~0Ot!1BMXK)k_3;GB1`t;g|NTy#{H ziMM?gmS&OH=ZcP#E-CUrx=;L?)2Y?j*URDW)A_(2Js_{#m~&eu#?ZInuvJv#bW1c% zD>Au}8Zh#7&$R7cHpV<|2D!m4F89vSA-)wEHF9Zk#I()Il>9t{qQ1En?{-!!s=D8c zB0f0TNhZ^pp?r2`nc>3WUe`>kZzw6bN}ZUG&%QF-YvelG$M~n@Dn=cLL7Ye=rzJRO z7yrVQ(^b)){cPYYEveemT}~>$vavkts{$Hb?X4njqRign`mFLyJpnsiGQESfm0)S9 zxJU8wagRtyyoT=dYcbPTLmO9VwS*6%ij?QC6k6Z-);_Rv0hd2zXY*)|f9=d)UQVwE zc$%a$b+uPM10_4qXg~9?lhM+coYS1;!{wa1&uL$rc%J1_>)A)09SbY>8-4)1Ox@42 zk%9- zv#6?bCz-j;R0>OGYe;*9?f^=M9m*knT>Mc&%V=VB>~*|Gd+bPz@7mCYnYXIq%hW)_ zVZ?G{S51Qn$V>R7^t)7U4t;k^b94`hY28y3nv&g`8f|0-DJ+@tye;!Cw6FfxYHx=& z&Qy*nH9u#YZD{f+7q4p)W2G+L(rc#hMl6x*pTgoHnggzo%tO{f@&y}$!i0=O^^ zr5c~kdPw0b|1k#Q+Wv+)cumLL|FqwKeqN_zUslUn4*a`L9Ca5i0^!4Q`tMJSjvB^SbW4+n&4e*WG?MUa2{f zfxOsKeCxk>9-zvMy%?rE@`p7*{f8UyS3`l5|ApQ>1?sooh|+WZum~t>TLRQ)VwL_E zcm#k?m;%{F6#ui*5Kv{8A~5+cM(8UL*kc;`CSUgi|DqB|;WB{|UIfGU|H65$J9q!j zGgN_Q_GmtTET-G2JsTkugJRZErMj%ci6NRuWp5?5j*nR~Y{J+WW72Zw}cXGW$?4WF{o{ zv*cf0e%3D?Po6~`&;0IZGt=Ou6WdckQ^9S?~?Vg;|&FP;2(8%xh;r}M|9|r!v z#8Hl0HA104ksSyp?+29SS50>m{}^4LEvy-|d{%TF44^S^{B$KREQ5AX~||fLVP+$gz=S4<++?a zTR$p@qs}+ga@DHA${Me{a(N zuQ?WVAESbS8X~|96Bv$R4O^|bj8Rz1EY5>TI+YK7(UM>|F$Hb^AMCy5Q=Cf|2Y5pu zf#B}$?hxGF-GaNjTL`X$y95sogS)%C5AN;`J9oFXHuwFo|G;ile|V;*p3{Bo*ZuT4 zefqf7!xzCnxag`y_H^#E+h7bSI>DfLP$>CeT7psDc0TFahA%JBa?{e+dNCW7-5H3w zKbgMoua46NXM?(%FYoE??X0081CTp#p%BwT$u`cN7?cR*w3gjobex#Y*h zQdcu(cBNq4GB$N3WQv9B^1Yd=ouNQ^CT>-O7rBjXEgh^36h^(Jbf)&st#TYKwr`>G zY|k)hR>wTxgSVM-wj9MG#heI9>y~HUt`bKE)ddOeEP;B9GYh1I`gBTLDY~(YlsF@U z{@^SF9f<2?Y=3{WkBodNQ#&RibR{dbs9AOyZ#lfYjD~_z zGTc(pYMkf*eX&mAqN8Iq>#J%m2J&ZGM?kT?9N0(TzvbAyfM~)~#^MZh7={4Q4{TMo zb#5;A{R5BhDgMAdbVg6!-TYx|o>4MAX=x^V&9o#WOiQLiomFo@wiO+Xz3@KPow*6{xBQR`_cE-tK^C{%2J zR)cSE@#pB!qrJdnc1~PQPIukAv}`6XA0|z_(?ffVd8eazj^O%Sr2cx`S~FFNUshBi z8VNIr%KitF~d?{NrrVPa%F>f{LjyV^eK z6n8CL_PL)vzcY?l!NAROmeO0Jr2LayEBEECJwBcr~!Zb5=` zE>X=!Spf~(EdIUlJM3pRiX=~;U_yI~L=S2%8mrmU<&xw>rgkBUSF((Jj@{iNO*&m) zU$JqYIc!4e=1K9c+QA*0k!?-;0OMdeiEp@tuogGX%_uV-=BWu8L~p{yBRU%NQV$5x z@=5h0RG>C381f{bifb%O{4r?Yuxf^`t|Ezc^_F5A^Eo9 z-KWN~MtcJ$fZV=NAzAvYN?xIza&Ht{q`T=HMKv=Ngc5SmvR3%lh~r~zZp^)wqUX6r z7uO{(6|x>^PE~fd2DhbsGfMJ4xc0&2GlVppxi!m^lSaz^R23AuWXTO*6?*)JqL}lT zN|2_EsFhFMSn9Q1OvR+$;v8|In0SzsrDZtAQ_K{pj>e>*nz4?#yS`{DHT42rFLbYL zZ~jtf?epa9$}%Z?csQJb0?siheVOfv`}gbFox*>x8y4pb6KbWmxGecGc;ZwR8(bQ6 z3W>KYVVGxPuUi`UTaDesfBF1_RSEHdA1Vm&{q5k8J-J=S29vx7NbIt7Q+6`e&~P;$ z1m3zV&!1FlG`bJLk}`r^+vg-|D_Yx&IXPH_A?T$N<6NV4*OM=+$s!9Y^HroJ>otK! z#!0X1pWj@w7Gkmqu;&lCZCE_qwmk+5VODk>(=vt>LZ1^T*jX;}$Gloh2XYjwmau~MdKmGFfx zh3&If{No4Ld6@&A(yRdALqxTutQDH+4ml8YQ=F> zbnFICwE&zRspmhQr5QXAS>?lW01c5MzToRh*^ zkiCK@Mty{ipFH$bn_b{d($U!dL(tC3=R5H%(|XhUs#WbUdwo!7vBV1&J@u%7$zU@- z%N^J0)|Y%2@w3WOI941!;i8C!`<|kKW~pK6Au@1jkAyf^r|4sDo;?SyU=$YoiYfun zl7ah+llDGcR!&N>D1U!N1$v-i{0t+K$#*kNWVE+pS0SsW(-yn&5B$)Jr% zVe<@|bc4E}=ZjB+WHG58B0Uy0-6j8>3G)%Ish^d^-=_4?sWP*UV9i*lZ~_g92$o5X&B zjdgwB-ejzL8R_s86Wa`QSY_0m@fmlQOHtnh9kgA&--GucQdboGtVS9gGu;umvGq{v zJ;v4SURTVlg#6vpliH7$3Y4R`*b4y0n0!P-5NE>@0$y1P8X(VuTNk22T?0B1>)^Rm z&lgRdZJ1|T7@N!#0RV7pR~Sz6bzG!|$soT^O-Q5iKG81!8hH#7P+u3=)J)GQC3sl~ zxGo)t`7X1&{VTCA_0PThYHs|OqoufqzDSK->g7^g9uTi01@hwYQyO;o^bEEuuvCh> z3ACi))&I;TO>p$F?3}0F0<}OlB&|>_ndk%rYC%+h=falr9w?SId0;d-Kso)vzT_vQ zC9Qd}3>Jm1`OLifstupoItwF@)bNi*8{dQKllBfGT4DiukO7k_r|T)7(upn_^$yD6 zscZ1|4DQYi6->g!=$^_=JtMSL}{05LNI3k$=HnxCQbOF^^xh_JBnr}wiPI#lyXNo2b`23)~D zM=!UdlzSaip0(RIz>qJ!veF6v=5YU#=vtU%yo&dUd@I726 zH70BJy1_GDcH~mD>m~AUEj>|i*Te@GnL3ngsc872`P(H!#uPY{m*Xj>Rbd-NNxW(T zQ|Eq{UFzieRqArnF~)i_Y7_urQZ6s^r<#g-33QN9nbdDcubG`rg4ztJ<9htm0frAH|f@M7+ z9qwsoZm8m&(nmkDO6om&yt4a{_ljoP_uIyttiSD2FPDx^Ytbahu8es<&W4|GM!&^$ z+@`Qf(9BIr(yhE)$%u*Fgj-da@#{oRlFLM1ZbqbJ|5zMF9z{;Ju|nN_i`RXgY)7a| zOgml<7x}(aIQN^8y85$T3LmWwb^#^ z21Ec8OUAvzYaXM#8YEfUr@I;vQLq$TLXEO6g&)Jwl$XyXHC)EZnnW`kwga7i<5|IR(#_z8Pn9qQS(CXjI8{SfQIJ2x?{tNn zu-&Z&g^?NprA~5_%wHj0yOmFN&O>UZw>MgPuzqb=aJUE#E;|9Ws!v8b@6}aVe8UrM z?@cwvsZ%aNR4!iP%laLnI|;f*%NGL1?37dfG0pIWHW^Y=Ak@gostG~NwKEWSw4R?d zV@xV@FbtXdt2>;}3Th15@cb%1h#M%|?DMtLX9Anml00ZgHpa0+NPrivs(R(ljFXZ_ zDLf?+!j!&aSqo;yaDHipoSI#3Vd5MVgjEY3vZqN%{8(xH*>wo3cqWZ~lQhATZ}&_a zy|p=I)-okWGOrcPaR?l>3!zRD-igVjdZ%=#?iB#q?yz(_t7=CR-)H{`yrH6B_=Dt0Qq-{rE+DWtmA|{;OO)?Att}k ztvRH->0{hgpwQQ0bNKaFL4I+1#K@}2RHvw7ywLtXP4CDP(us)V?d=^B#Y04Cu#4l| z=APn?rrwrfWwN8mpE!W`y(40lqZpY4ADe#M|1LAoAa^s+3JImSBhz(S_fWIp{1QTF zm15lo>qDhXnw0osM=BbVZsp6YBb2-%4x%8QXf>3No?|vXNLkNr8=K=k6k~$a?{@3+Hi7-E+E8hI8MhUOHKkX zu!pB-SV^tVsmW!&7TFZ^xAq`D45mM&UFR3n!B2!7pC6_8Q9kf~4rClE6@Q56;rYBuWPr$u+oETu2a zw#CQkEhbc*V;0xTkT07-O4tC(T4}@ zdIFgMi@;r1&6hMA`r-t4SnN{H8Demd_vb#8i4ADNcOH27>pF%p$E!UV8B)y!S4`+^kkGBA-icStK` zS4%K`G1_7e_xQ7`Yd`(CbS7O~R9o!YqSGZ^&slSMHRWXK%Ie-Ay{E-2$EJ33LD}T| zH!X!8p3l@mWL-LQ1wYE85B5i*)L?=p^!ZN4b@xIQIEpBBfUFab!gh~+BK}F_-0`tT z9#WCug_0}2?z%6_m4U}rDD&%HGGhxJvJ*H%LDl(GH6b%D)>1R|g9OP5f@ND{A;i+E zcF$yhAu9!ikaAZ1$3~36&B$;A!s5gBIpWPFgx9|nSHu%eMir@N`Ir?~rR`JuT(8$- zhiyOI3MMIV?VxLB=HQ$(q;4%CB61?!cQsY~C?+Ut^Dyyhk4G_M8yb|&F`k$gNrcyO zF= zd^W8M8{FdMllf%2^>x*NG1^@TWpYki*BE3{Vpj+l;sF%g-UHlVz9Oz_sHn`%;NfC7 zv&r$7iv^GBlNZaQn8JL`>Gz@>$wL@UW^I{G;stgz+oXO8#pL#Ro4sU+NW}j46u_el zX~Nez9=c%?4_7%U%7}~&kgn?;x$`SsQbqzbY-1`;ddu$T@!{_JeoPFqm-0-XhNb5g zYpJ}*$>F`6XVVwJe!@PUS#mi z<}t6j${~}@2TIT1)>J5}>1#5_LgPy0bamg9w_p;xh*?F6I9BF$OKzpSRHf{;$*85j zEQiHJ#Aa|vVMdPuu7^taqY3HcTB7EHG3InZxHFVQ)~rL55nPtQk!HFQ%CfVhh5BYf z99cnpK2Bo=k;TBod=Yc#zd zZVA#%v95vg{=A%bSy3azIiX?!#YwWcw0Yb~CB=o>P&<)CX$IXs590)~ny$VT$;Oi)YDo#Nd-$1eEo21) z;R62+Buc$4FIRHT7I7^0`40115!@|Z+4V_=2HmFK-FdTV*>&=O@`f&mk#LdIkWoo< z(!SyPy4P+hzd zPy_k13#i1SMXu0`n!~;F&DJj#bbr{GhU?PdZU3MQoNP`)NT%*6nag-Xy&)tu|749%bk@7+%4_6rI za>`k8PcI#IR5cZfg^V?yS0sL)t3fqmN|&oNR4J?|)>k4pVQxytjW+ORCS} zzaQF6-;5v6?Wo=zJ?vif@pQo$myt?FE{@jKJtlTa^ody2RlBoNigSs3^S=jumX6u! zxXEebqC6!zfcpgl>5LI5895SfI-G1XoIL3iI~jk`UYqk;U@p_*9q+>}!@V3|ajQ`v z8iAG|$s7m+2?IeCw*#SRGf~@`@Sd{_ffJqmbGiTYeC*Vn0F>9-(o*`YGQWOTu~AjJ z-0vF8xC*>FzS<#;n`MC!x?78zoisr>N_m0YP36RQ?F)QKA3d1X-?|}n#u>qwsE|&l zo!;kAt2X*Bp;34_!b-`qVQD~BXRCpmTs9KX&~mIyu-5*WbiJLl&0aI};W~1kY+N{i zga{&7=x1C>17f!m!@(#+ru26nc}*uEWU2gJ6SVjGG#(+volSqv+J$sN3R0DL9;W(Ea|-_21$Z5I%P3* zdG>}wUSNr6AfnB3pn|Sc*WiJ^*3hS$*?sn#D50MaI}x5w$H|!P`2PFR`Oy+Q*0eG& zA>!X*1H1QKZ#=TnB3IhX-i>t->lz+59@fseT=$kfJ^oIRs<<5+K~1T&@HAQ_?nvsR zG>y}Aad=vwFG<4unmo?8o-;un@q*nSL^P{=b2G^eQ8GZec=3lp&{Ts zU{-`wHeb88C63t8dcu0<2O1RwiQ+$yilX5f-76W8Go0-=&xMn=wtNc<_G<@NQq9-f z$)6>>o_>DPuhnJlz%k!GDiMw~Y)ZCS_l%%cevNeZIXc`V~tE>NnYk;Qdh>)HzKATW^s}sWEz*|z)XeR0MarxtNtY&zma_ZW&OpK+{{ajdY@MScGjNCE+W65pq;4Hn-QJS%| z$YbncJZAs)$>+Tew!7HcQ^hMznpX$X!#C=I@>_*W96i6Z1f&`3r{|Odb}fZ4MA%Dt zD!-68g$6{9`J|d}2peWh#Y|7A?R{TcVHFrnhsZYalOWq(c`np`Ct3|)4$2TF1Y^ud zY+6uQ=bNJ(v|%rk678mH_K(rJq`MMpW`@lwdM_B635cyGkSZd7e{+y@<}M=Mrzi}M zeOJu;CLINsW0v73BN!ob-`;dc^{5nf%K4e>KlH|}3?n88Df&AWrp^@(oY&MXkLy9oizc-W>N@o?z3-(ip-j8R%Fuf3P+Gi6mhWTXHWNV2q<>1k$Uq)*^qN5oTWniHKz!!pfbf*3GN_|}%r z@E^d`qIi@~$V2Q9>7$9(?0MJ!cK=t~MfxOFgjWiOF7_|4|4$=YgqCF4(~kbb3!e7= zZd{^*@zkL-B4WtkPXB7)9^z%2)k$dp|Dhiyh=3exGLk!@sPz93|35o&ivCHaQaK+s zLi!*2B(Wl3ww(U3sG|LcK2pFBQm_R7e-{2vb^L!*3zvI}THng3C|9|2)_{#IEx>99 z84Xq)XwjbOj7lv%b!`?MhVPA4H-(D`gghYd@ATFFOxMDb3&N(W<0SAAHYoqST!%+@ zork`>nqQqWZLNY;i{3YTw0zmGxSuZY@jUD%LEGEgZN_>_Pz1QRWo4BeMpxTC9b-~I zvdCu1ew%uY{30*o)OFM?szFzPbPDf61-#RwM6j-o&TI&HywP8jl$NHS5jmYc>wCQq z_k^>PN8zn}u_%|y6hp9KmjS^fzMR31R+BM+)mjC<{V1on(kuPF}#Qzm!sR~QEKA*7YMgL#wZ@D~E;*zm0+HIM8u;y=0-Pp@=yH`>v) zS9V)pj5hA9dCC2-v%Xb-I*k9D3{Vo>dnA)Ne+h_qaUsyKPkB&~4o^;*U{{4~d&QTe z?ZD)bN5SiS>9F&SL|;ZOKK0xG$mSkSP9zVS5J7R5n-=04Xpzk=q4@$U zEM6Bf#wmJlP zJyl+sX2kMpHd9|D&36kwPjdn!zK9QEx($KQf48-S8b7q-c-cr;tpC`k!1ckTzf?tQ zedXsmH3a~b{}#~@EtuGok}ln^MLsO=6G$U!rvh4(2ovtTp&iF3K8C7QH3ElVk}H3y zlwb!%ECT0tAF8%9NfW<{gZ=t<+GI~{tF``55_D$~f7`I&7An}K0Nmnq>o3xeqE%O2 zqmqnU>KfX+RwZtXBji#yiFzoszgoKj2Q7p?@~ohz(k zG`WO7@F+y#pBVZ&z5VAsK}cnksb3b<)4N9j=_rfqDbG)H@r5Y^Jv9Ny8W)OD*wXuh z5Zf9I4}Qlnc>~|rfAUtCqwD--2L|cTLnCZ*zl$kxI~T`8lNQGAz6{WE;Dx)wHzBx* zuX^R3`Bo-tKddxod%63^A7dF7+ShRd7ukrTgO!?`wljAuJGN9j@6xX{R3)R?smv0*q7eo=lr;!;PdAY<4zB18-@h?xytMV zL#qV8|8!3TAq9S&ygxoA;1i%MZ^$+o&HU~X>~GU(2<}z*@EJ+hsne<&=M38d|ErjI z@M2I}oLr!{%`U~1aXV6G%Yn|!dAL@8R+9=NJexxx7rgBXsglU&c5WNmyM?Lmb2YD_ zpVg4p{(3#Sn|kD4UR0quBKfzjj$teaM(0?wEAfPpHK5bbB4H^3gV9fi9#uSvhiL~+ z^{U%%ZEb51T-@Bxqx$c_ zyu9rh8OC~uVwauwmkY#T;S^oBw8@m+<}swe`WG;%x97!9y%v`v!nbKcPhRsu_UD(EM!WSD z5Qv|bSC#}8gYKuSSXlhK=d(K2Aak=oJDl0B6*xtG!pn+3Q3Icf&^Z-5Etj>zW3DALZl&i zTn|%PYTT!`aWl3Y<~?*gw4=zo(XDhKfw2-(nDJm@eHBBOXL6N^A#7ptf#4*jqe+05 zZ5xPp8}V9Mmhxh!=iUO65I#@2*ZOMy?o>_ZyMwzCCQ4#~D9cS10KS8b6Xdb86-xMi z-`M#UuHZvruBJl5Bd*-}vVIX09o@czf1%mw*G>w7dFS2v;7v|W9^>HV_+6BdtLNc# zIWT5>`U5;B`@7?L3(4mW%}hV=b#+3gjPKiwbMp>JvvxQTDf)g-tDt)h5`$^60cU^T z1D=hi9f5b_k|MS#7phiB&`tJ3`H$v!Hf96^KmXl0iH`TXs*kgccUvtjEjLzWtJ=_i z&b~U6PjEE-vDxUr_m2(;_~eC98~U@-MH(ja?kR1?Ch_qWX~~_&tAHoOn_xK!z1dFd zq}5f|;LT^UhkJ6Hdy*Ws?V^M3a{9!VPILl*PITYcugA4}nx&wil(7E`9jZMjx#{hG z_2lFv+Vd?0*Y3Bs#0J7aV}bde0TICR`L~FO2-^E`S(RHN(q3Q<)%*{-?CZVJ^Xu@kv_XWqgTagC6Z#R!2buHHu>ZE~66Y`s3+RCT^T zgVl4EdU9prhDISbel3|fBQCk^sNlZJC}$X!v`-a^C$+3RZ?*t!z*MZHrlG<5d~@#J z>Al|KT1TZ97XvplH|I%+X*uD#8}E{02^Dk61~X$egSQuplk|CC^fYGkdk@}@H5NXEgyN4hFt$HByyCcMb$Enho%Qr{} zb;$C2UcSXj-By!f6k4ROhxj~hNWx9%Lm4kg8hTt_w^V#G`>=7Xu2c!|bNF5`8^YZA zVVQj@v3ztC0pD8o)2;C&njwp5m?OiVl%f)}Bw$QE6D#9`jJ6_IvYtarc%*NYqvMx*-!lf{tu2whRlcAKbkPSkJYmY#8mF`-}pUxHS z)Yy3M4P%VNt94Y;h9pM(KOX$;lP)znpV2ut%>`bx&e;*(2K`^Zwws?z+qs>$dY?Ck zrbZ<>)EYGOH;q(C6LB^rL3r}LKknf5o3;8pIYmgbIVaNge1cnL$A_)FTCuLmYFGxS zU)9ACf4b2u8gVFMDK03{A^^ z@4#bu4-=dC%dYEBdk)0Q*7FwHD`vYSQQT$nu31a)MRaW=<1c)^a)tgsrf9pS0~sK* zZytMZ$ht8HO80J~j|TF)_BpsM ziJEnvNCMK$F;4_77x4&(LA!2<;1hNK`TlqYbJKF~(PeJ>;ScWZgi(RFS%GC^D;-D* z>7Sr~8l(1BhgaWpHl8tPtBB+^86cXk{XZ@~-ZDC$aN#lvWIF?p(y7*wSIBCwzdvt$ zy!dlA(og)6onNi9M0H;-Q7LX}zHELz>3p}|36!>SfjaFc)pz1FE?ncWnY|tkLu--< zlcEg7O&jcq<^(ORuFAL#pw5S}*?G21thKr5H#w(WNN_&P=Df4%VvFOwzioWrJN7Hn z-l}^Nz1|iJ>3kA<@89C2$#U9zKu)oi!Nj5E1Ev;zYc79P@)mQmOht9h$ z>JH9YUVz%+;HHhAdIerZRIYEMBMu1CvA621=1bvmIX2DWJCu-fP7htHt2De6~8iHqMk|^<9x2!pFB5bv{b*8teVVdxK@8g&k zPbBgc&fxgkIfZv+{rDA5e{j~w%BMTv8LQSj+s53~jC~hAZFNcVux7#Pg){<*x7}xZ z9a9h7BMJCFxci$Y>s1db)Q;mKwD;A9ZwWr@xV-q?*X9(4+Y5+JUQh}=!Pv`z$_bx_ zBv9&e!pFYz@yU~+LJTtmcodUFOohUw&oI{)k0p44A*{_2d#J$O;z-aN&o;7)44Ub9 zxHS`%({61@e}!pOiA3`Kb@Bsm6p=WpgcWWQzJC`r=K5V6!BC6E^GaM|mx&;N5-#EE zlnh+WtPq=oC1@>Bf%gj1JppETmoYt54~qHd%E8*1)el_ff{oJXP7K;H!{KZ0Zvx+2 zr3iD^ABW?w+nAldu`+w!dYpf<;2wz$VRl?X6@5stm?}ffVuy+clOwSrh^U$!()f!un(P7KaZAD6Vs(dPutZm7NzK0?ULpIOiVs5<2AJ>c@GgxH92vEV~ z2@-69)mEz55IGSRV2VQQFP6{k=Oj7a4s4{9Ej86A^Z9Wx0ZZ8&lds%}&S@i&>(G>D z_Aj?2Unl!qFR_bG2q=PVA z9v|yLbUB*Rj#g_3W_I3W(!^boe%QP2wxsB;u%8+G2X@`9i zwvRorvjP%r1{}_93w8CTZ97`B3D-g()i!jz?lJ06Ta%tZzAt_}>-$i<8T{Y10NNBh zEmDy+3HaMOqG7Ju*u@N$`4}uzhjjB(WYdmRnSM!m?8gt!$P~nOC}F#!j0PkG{PQIw ziaKdn+e%f-o+FKtYB-UrEG_3eOE^U@Ndf8rOD>Z^ zGP^Nl;ULE!lzBZRf>@zh)8oYAh?bT@Wv^9$e11JdR-~B<{m2u?*n4nF z(E@R8F<>N)C!eb_`p9jp)Ryho+9;YrN_rL{NCPpzm(+oeY!PABm2Jyv9V6tjCQ$Bt z<;BuSNnE}>1l~n?8qt{IsFQk?E!W^V*rpQunBk6t5AkS*XMX(NbLM!uN@j63lV*l{ zQiI+DZ-kBx%e3WT$YsaI`uNMr2r?+nz^2(loLN#R1u7#oDUri0`5!)kS!lV0oqX6P z`ZSWlDy{4rDhJ*gW?YtJ(Qy*V@=)-RvD`NqQ&`Ky(u1`1#dln1^p#moBNoBNx!<5~WT+~YeCrZL5t z*u=nZAw9*$2I-aPsZZkR;$nK5b&tMBGWtLilOL(J**0us>@={WxAvL7-(>wkBh1ba znTz~LxG?=cm^t4)my+af91%xuNMtd1+j@_XR9#MW{c|2*`UkQP-s#5<2js@r?eUm{XF)#>v8^E30zD zgY|K?xs{zt{rLlK>&7@L$BydYI%P}Nx>9nR`Wte9D8yK+f!dcIExJ!Bh}y{NTC8ja z7%tlw)iRg~5aTHQ!o|D(uYiy4?^J=ve~?$0Zek=ui{yj)h!I(z4X7C;49D=z5$lQ# zCRnJKc2aF`%9*SsR{-fC)+2-ZE{Kqlh;Cy%yJkMet=>ZuK>1l3$6j&gWz+vb=rvm*vsb1-XRR6o+80-qumNCi(0~FdvRBZ# zHH9>#`AS^!3bTJ?xuiI1l+q;XaMWn_XOS3&+2CVqW1-CQN|k+1%=R_ZwtKYM=RI+A zf5BdevKpy|sGw|kMp@lJ$X9ja0eElfMjXEL)?}79_l13*rMx^hP9m_8ljT#0G9&1Y z8f4uL^G7oZpH{y`WUgrR+t#{A5^vKa{&s;(5kZtz{XMO||J1RL9^!z!3tm{HM^Pkn zURINn0w1m-nRzf9TAH96kPnUgSThQgXVd-ngYbJwvuqS_HFOsndQ;ARjK_sfZl`f( zm!qZum2-^s(@O=rsw`fJHuXQxgHiE{a6V=zlY4sm$JIZtM39V9P32&VpjkwSn1RA( zvHz46Z0m;K4^$5u2#`zZ*VYN*5STMB^&w(@RuBA*Z{$>*meq(n<0*$1%c4wA4T(bx z`dX(`wm5p!R&0@ABB4~%ZR8@IsMhwwB4`bE4d>NE)OgMmNQ9DaR;0m?j?ik_MKQaF(MHNHZC}cD1Tggsud=yAdYa_tRx8F+M51Y z+W|)bd%B1VYBci*R-{8rAu~IbH%CrQbOt3DzLjcC~H4Y)gPUZ6msAZHyD+ z>uBd|B#faRs)S>EZ49s*-<&sJ(>P*SW+4pbJ>WJCC0hI5xt>o2@-l1Ra$wO$ZXJwM z&)saoea+PLGr={KAmk!l(-~;bQ=LH5ee|v!?)iG-mpt_4oL#m~M!&1beLrIBbY__Z zonmJg-mzu&D*B)n*RYJ>j(VJ2C=+Q;O=tqgNT`|J_@bh)*mp;ve4}QHOrCNGl^r(X z9yw@*1{-#oY)iDHQ!I~qpa{6mMjK92zlk`9iD^3WDe6RG@Wt^cpXsN?sb#ydAk?%q zm`6wswXIanz4-7-Tzfgapf;s3GJ~?NqQQaRam=zhTV}oGp@9dV6;Q2-Vnx0SUoPUA zem*dMCy{@&emhklhlpk*G?nZW%yDh;?H!^=6)yT7QSE_QcE;=qigH>e&9Dt2!0u)- z3df{JkiWmyxxy|s@rC`8qj?cY?vj&p-3U4v1ZM>rifdv<3sQ^!!W?AhYo<3*D@pvvimFO(0kClVj}Lw? zs~a40F$55i%&{GNJSpqq{ivyQvTnEJ7V^9So?%$WHWIl>5z5U--E>l zPDa}! zQX>ER6+q`W%nzl^Ag=XlS(5Hc;9y&j=C2U&jZo!3xJ^8~re=W){4DzvUP>;TQI|xf zp-PdMxPi*NCN&?L9PStovSYVx#Js<-F?!hg);2!wH{LVW)rPq-14P;My3porbV5&Y zsTi^|JTR_caCo`tw1V-w;A&Piu4{7s*dh-F{Y(=9fDC+nzC1Qhd+^P|imp0v`;|5c zr13=J9w>a=DjeAv39&a&JeQP9_47%}I-?EuDcOmG&X=k#Rm65vjW+2;CR0HJ{%?!^ zj)}T`0IgpnYFt{jzYL-1G|D+9sM%ck-3KlM!YAjTxQoavqW%f0jrhl%SwafWn32D1 z?Pt_i=g%zOOeOg?rRC`SS&*0GB5A+7rg^bqX6EQ7MY8|ENp3|ArXp7$RQy`a@MOvc z!)m-I50TB|^n{Yd*q)4YVI5vaL6C5Mx3S_jUq8GNm+&lwR!k-bz$PC*9>ELX-52#d z4GIG&8@YNTF#8CGxp?EOEc5jlAldtXGR*WG)6=Ctnz}v(!SvRBqQNr<_$1*{j|J8p&d=*&CfSQ>wlkV(OF< zj#scTE$2_iiXj_Dz==+uxCaG$2JJPM7{^}j^mTZU|JaP#8KfTgvgk``b4X;h-jq++ zRKR^l;OK+SwCcwt;)lVvpN0_%klTu(Vi`4r9IW*Xu9u_B4|LNR>A8tN`OxGdr;x{X*d(GD_z6HJeqw8ptpISe2}fVfMRPC zrjVREWlyEOimlC?tD-Dc8P=c?tfPWIuI@pF=l7cA>)!q%vMkNi>jE~vEDdd_2<{Rc zUGO!)9k!J8xB$~xy95vd1&_ADOi6W}p!`8r((PKovMGVb$7F~9ftqzuo@X(QNTdB$ zHDw2$&y2q3VqAQ{L_sKCKzrclR!=#Fi?PaE_M~^m?%K$>1yw*_IcMoDV5G!a^~cbK z-+LtPWD`EOm922AQck0_o)4V$u^)TCvEPNK4Gi}F#0&XRZy&d=It8p)rM+rO%fWoJ zOyrN={G*5nZkqdk@Fj9J-?ow(tGih__iCASr6?Su?ng*8Byq$~u{idp2Tr~wa9h_J zsVO87<+Ci6W51e7!bEaZkwd~&I-0dDXG(5cppaqHgb{Lni5ZG2!9`6@`hFeGOxAWh zPBK~$H5{q6<0fE6>+}o{G|0rA@7r@wy6@4XyuK8JFudiwNiTO8{L-!vl7$saPVKi( z#R7wilV6~70?mHHeqL7zMQn#*f&Y)oQ|Z|+K+vBV0h;+g zMJ**{MU2CVLu3*n4$(S_J9>&c%j?M#L>SS{p@Tm}IJDGG-Q`v)Dw{`Y?K(I&M}gr) zd`5G~0$;qbW_F@ezk7sui)?@W1S6XB8~C{W2@qeP%lA5}q`uDzt3I-yaehy-MLUMb ziV%26Hkzy8|2%sS9b;?ePL@2_*KHUM2-UnA)bMCoSYgL~WakoY+UHfFmB`oB^Y6g|L6=_&rMBiHUJbk}y8o4xJ~YDeKJcn(Q19~p;Ep5@Qg zMg0#kGQQwV3B6KlrKbO877&3$$=E>xPvx}IYm4Q#m6-|3EOPvoDb_+2FTNRX@JTB1 zkHKiN2mcB7cip1K8iQ_GCxv7Fq&?N2<7&Kol@JbXjsHK|`^u=glBV6@?(V@MSRe$4 zkl;>mcMYxwClCn1T@DZk?(Po3J-7vTcelHlnfD!L*8Ow;-1YtVva(nQPIvFBr>ncG zyPv8p{mCF(aVnbp@akmguyKGhHJr#e`}2lU?V_iMUOQynnsHiUjNdZ}1RWLUZj_p0X3;yu`ai+)e1$6Hp6%QEKcPgw>vl9NWfIF|`NH?5$LE;f3K6 z5cKlTZ*DK1n1QQ2VsEv}#)$&!Nf$^zk=ZiCVDM6AJgjcB$_+T>@)L&ED|karDXZ_f zZLW(PHbmt~yABA8;610;`0N2Joj&H_ZCR8F#|e9z)?K%w^IyFJIiJ|F-t+3)d|=c! zlRPh=xAQ*AZ{_8bV9BD$w0&kIKI#AsivEy+bi(mkLEy()y^ZFTttq=lS8dF)f7y-=*R$&QHW+ZO zwJkQ?1Y9kS(_vj#v)*S3Js)@#@c{Q_dEC>}{}!$I!is;*)xfm2=p7HP3~ln&hJsb# zt#;BKNOx!AG9EDpV@vY6J(kM=LeB}Cvh$}-HMxR8PQj-A3q8Sb?VdtqBS+j)0!y8$ zE1+1o->M}iO`zzOJdLg_f}+>P%+HK5;`E7Y*&IZp)0(evNkZhQT6EOpOm(-@X4Wmp zjvp2aqa{KLlJVc1#c59BblFsrV3bKN9D2_7Nbr23U{wzlNNRHyUTD{hIu-I(*D#IF z9Gc9ICc0Xus<_fk^Gx|aCr}xs0%~7?HX5R05AaKE7RnkTvY&SdVr~rC7c2E9Q8jw_hxeZZ{h!%!v6~z zOIW^nl<3H?aBy%r%$`|{kcwh@E=EQ>n5unP)ab+nB!q+~ZcSMHACGflUZAVYyUe<7G}&slOjr-h5X~ zXk(OhYj3%Kceyovups7n8N_74t-t_LGSAm;;!$}K3>v@>3)Lx_ z|90^oA8dVq(aMbeL-rpNC_ub40!Ed;Rzp3b;B00`xH zKBVapT;h9NQZQxPhylW8LjJh_bN-byC&XeX=*BwvKst7j9qU(+>lm`u%<~xuD7}US zpz4v&6s!EtnME%VVJ+1##XS*$p7#%Md>AplHP*3IT95_ev|J7`Qs)`{H81P+0Y!}x z?Wy`+lEEW;?!Pl!7M~$&Z0FA*C+jO<1D50tgdg#+4=r#r5k?AM{+vd8C;{kQmDFGD zs6)2Pwfr2~vatD7bzC7|`6nsYRsiyEqcN{KK200713IPxnmvA-5y|QwTD1DX3!@#b zF8axSTx)!y%Y&4&A%maM{?-tEeqo`(w46@>*0e6^qZCFD%$w{m^0Ar!>fkhBoqrXR zIPUZuNZ_+H1OOBL=X|Q?#s}z+=nwQu+IVL1zbLnQh=A851EEAs|Bnu%kf(z_)6V{o zC!rni^yD=@h-STl@aYW?ro7L8_N**`i!8sVMo68`$&tGpO?f*?>Oi={dGPV#Iw(r z8g!olge#loXm4=0>VOAe@G;?4*=+xS4H{yY0?h1?PLW-SuEA;}dHf3KgMauScQin~ z#q*re=k=cOqKDw#kfGP17VwAmUA%YAAD0riSm+Q^50P6@{4O$j*2@{J8p$5azHPdj z-|v02+A&-90ruV9dyBbQalX!d1|-*&aF$0h@4g@tE5GJbCyTkVNY}flva#^)B{6}0 zaliSfLvL!*@AYJkh^<;ENvNQO~bKj*I{pqXGq=e@;U^u z*d~s9si(@1m=ls5F~0RIc;?Z`unTNUpTz`rrG90M!tJea&ly&XM2sm&V?LHYvz08B z(4HObpgj&uVH>%c>7$7J^5G;AFcKZr#XTmEsQ>{I5>g4LdkJ^=|o1%;Erwc7208gos!wdtwROv zs{UO&YH^ygsK>N!61tzvc#l`qv4RH;U@L zm+up>M(E>M#=gvWM<)AmO3TRrIIFb?igW4nOHxd%myHtuXPe7P1jlU95MCXBaYBef zC>y!lPgP$cAyV!=gWVQ}`%1z(XgwlTqUv=}LJ}})IuapIB`c?xnW-Mqcy_aO(G=z} zSe%p2ew;t@4oFy>*BY!3-G8@Led=@YTk2^;DNLP0Ob+S@z%)qgNJJ@o2(u(NpJC#r1pqAe{S!ITBTj#=|sV zNg?qu;WWQHI%pDVad~a-0cp|lIM^ZNsVlBNrTln07KlkLgX`l|(D&|CHH=Z-6Kl{Q zU3GuqUKC*NIIg)nUoJ-d{@G^Zd2Z?FP!nX`&=1ORSoYgW^UMgRf!oz=F5e3Ot{U1Q z87=3LuMR127~Nq z#yUvHMx@7x(wt&jPTFBYLN57h0qVT7;%K2F%u0TDM8&G=3d3m_?*{izpfmUnWeHPW zp*JX|vn=)ybT?+2b{eZvFGxr)bP9TDhb&a|eli`v1&Xomy^SG%RAq^lde^M5BZjxQ8B*{nbGg;PZdsdjF zIm(5FQpjS>d<j?S3Cej&MAd7+HeqHYA@BwxGN{wf;lWH29eGEE3os==t6T^E~ zJTY+Wjke@E3nT|*QO2&7`z*H49y|uP<@B*Ia z?IS#NireJl*zMgMXhU~I+2EPzK8;V|kg5||KmV;K3n2IQdeQH{B>GQG;z`ic%Ap*O z$nZ}$;&l_?&}PTi*kk=u|388zT$Qz775>wTTF-#9f<&E#zJKoGgMt10FQu?e6kL4gp~CnNf%OQVydEec<7WX&u5x-tR4%rg z!8$FRhb5V%%r6N;jOUbXainXohIii@V{^i0m4NRk6+0{&dOh#Q(hV9t7P=!Wcc|knLpGKWMoy^YVt$ z*z)L}E94JEJ>{WWIN@q3nl1aP+s4*EADBL1U{tc7I{m<|zg zAjK%fDvighzKv1hkfz8}cj^U;Uh#P^V|ieHCK=J!KSu!>^t8| z^+`!u1oc}$QLhIcn{rTbO~09TV&od<#oar_Q;mt6>PmWV)jtp?S@-083N8cZYOfl3 zCUAhg0k(ioN;Q-fT#aZ32J^(~aTqKdY`x~3c5#T2AlUpl_jY9;AexS31a+d-9-wII6+x^a!uyvb={BV)D&<-QXC6`1q)`SCHFnM zoBW`BO22O3@3hX*{f#)4K5tED1tpYM)BSg?Ma9lRB%Q@?CpzVCo{Z_W`%{>a`;LYx zu$h&IhprDh3=;l8je`<FqR0jd*Fx zD)1h`5=*tuBqp^j4vx7~M09zD=FG23d^8v_N%nZT*?!@K`axwWtC{mPSCpV3YZ+30 zF;)(3P9IH6sa}!?F%p0182JKfScP)1tEqelJ7y2=D@crzt^EKSaoD4WmxCQY6|2Ij zKo%=svYWktJpL%Q2dv<|PSx5Jncn4a1=z1rOaw(o#f?ss_**u7y?H51$ zFAPM~7nPZXUoZ49D1FU8RyxyUhN4~|pMyeRZaqcTW6w|b{8=TI8}RpbiAnduLQwEj z$2(aXxAy!sq0M}-U5rYT;!+bbaAb&pUayF5odGTEHF{|~rC`#zItSMjFfvDjpka`Uq4-$`4DHbdB@<4L>UBKqFFAbh3fLsxvwP*UzTuspJi zb*p;CLb5(lT$fE0BM>F0>Yn7M&;F^<9w}>eG`*7%d zS7|V4PRM7(H3o@Vg%)K$u{dEH!UKdTLyzlpqQRSA;sjyOl6j`5>^c_uyTyuEuQbb! zU5#lJ5nJ@m&pUCd_9)73cu+O{ecsHO$=0wi)4=g)$`N~T^Klr62;x^VHbBZ4`%_s1 zm}01nCHz+D+DK@*m}Ef9?!pZh~qYK{mxT~ zQpXFrjumAasjT&TC^o!s)QC%AvgN|2^6lP5g1NOLp(6YV+iUdG)5oCl=Gc?v<+W^% z?YKzj^aROD5c~z>w?L(omK~mcYD^~?<`AS`Ydjhtb^mRyi>|xascF1c!NKYSFKd_A zvI93GcV>Q*%tXhywU1fiS9_s~8Z+O>r|{^?#Kx+hvN`|ga#j1S4D(jEP0fO%wtRQLVil zXQ)B$_ohtTX=QrdBb|C36$J;QHj+QjgVVA5l>w{-@{89 zSLO@*J}c_(C$GcPBFprU7k>*GAjHJ~6t?flj2mjV{K7}jd-(W*k{2EMbw_bjzIfUQ z1ZtK>8`>BA$Gy!k7&ufbZ|qWFxyUDqcexX3TTsji+vjq%wV=Z6stWI!KnaeNj-jhQ zvzIiGMGG~!*%f@0=fkphoQm#2dzGbsKv?Yd1&fP28gJ zu?nwBtO0ctq)EeiAe}B!rscqvriw!it3+BeYSS@3N<(9|zx2pN=9rg}`&^sqJaY{- zp7~}BBFaqVmO-J8VLQ}(&V{}N@5RQOV9o^-;~XG}+-F7_@W(i&nu~#WgP~@+37YetBg@I(U;`qCb=6;DRKomk*oPyCxLl>x1L&0@GGjeVnqx(3)@d zPx@fePu{}_8UEsH;}~(}wpEOCmSB}{8>e_C01!s7zrHzwtm6waitzMH&*br*7>!d#J%N*&7fgO8Rgvv4yWJLkoS$B{?o&C8n=|O^w>@n{q z58o_wqLb-un7z=SOOvxiS;hhnS&#W%G2(@32)NK-NU?;9IT&)VE;|>%cv@t{;6HGR z4eCm(WvhO2mMV}P#`{@rXI;tTEY$WM>zgSdM?rejD=8N6QN0}{tYXsF+adKmqBg^L z#48UBG8BE#&Kr8JhYM%o4Fg5)3T}#=S&<&QZ#uO&`n@8c!i75lpsKB6{tpMR{ch$M zkpr%7UmYr$hzAWfA3HjzMf#?qk$Jxu1kcpWY5ZuqF2MXDOkq0|X=)Bj7(ox_gZFuL zcaG|D!KV;+D1&-}#o)*7!!X_@WlqMR!zClGVzlE{cDG*WNe(7MJpT5dR5TrTMX5Ej z%@$U?KQZ)(4VaSymsnnX?agOcG%Yc%&bz#d$#l5iD(Wtr_JLnqMO*g; ztS0QlzbnPJX`m7t@V^j)4uNvf>>R{tgD`}(6Mo&`VoRMOdl)Tor^aM3=@@f7?b0`c zb$l&bva+A>>F~T$S?p|}GAmM#rD5H4fKUYyA1k5Rmmjgh$;-VpP}$%;>W$m_Y^f71L1P3e6-qZHL<-!ty&- zfL981KvRJjC#MKh>46v4J23U9@ZT>9UXIkHRB!r3>xW(Cv1$AF8z>oefd${}^cM=V)p4n?6RgeSpker-K~GweaKZ)VB=hScC9A z_#6eUPgQV3Z^R>6)l%i(GOE0X&dA%t>e@5cm`fSU>!g)z3n0|baMbeGu$xx1ADJuE zMz*k2^y(I|1EI?{{Sh!o@j3}1+4Er71hL-vX&($&b4c5pRbL4E$%k@~oFdKwzHb74 zG(Ne!lB_94KpA^fZ*uIXg&0biNdgDI)(>ZZ@f)6r;8t_X_2Qkh?Fnyg%^1d$;Pf^B9KuNdF-h`t2V(khN~K@(tM zEnQVF+XqUKE4uxX)e`r}3Ode{F>HIEp_Tw)yu$lX{y7C_<(G(x3k^}Ndle{{4Y9d8RA=(OGM>N1lvdME4`YDJvItO@JT1b$EC@uh$hdhC$81%PwL& zno0}xRvO2+vgw4MT(ayG9ae9)(aAT4ltQN!-!z-zZN-ZD76uRM#agxdZwY@lH@*fee+H7iO- zu|@^bOS`Zi4;NPHb#C%Xb(!`aV~{fZth9peV&a%w!*Xv{Yn?VujOMq+oV(fsw$z;z z`YQJ+!iXE##1m>+pRF<@5!z-0JOlS(ENm*}E_q5G6S(Jl@;8i=@(FPh(H~4kJH^si zLAfQX5r$5}3>defb`n}kp`pna%@t&XBxpwbXbchlDC%}$2z;Sw!M1oI-dAQG)%X}{ zKhVOZnNb#d@+>&C@Z16=bxSuiI&zdtGs_o&)82MntxwYB2}KbZ607JvD4n`g27`4{ zGTA{T0MW!}Mq;WEV6FVz+ zBV16|W?xy1FF&AnymFW6W5x@TUCt2if=a9m;ohsMQ07d&Eox+yw|J%1Ty+51c@>w` zk&#{1lZGAAFbo?HpQ##bfzv0m}rCT4eadT-{pV8>Dw3sp}>xSVW%t0bQWshc*w5>}4|EigHrZ=O0=;}Q&B7&5$t16bbA|1uw^d znQZ1l!Mo;ZXZ*3CZWOMobM=vgRw3rS+2N`%4I;Xro4AR+^p!oN-x$6k#y@VMiLS1| zS23ktULHk!zhSIUXuA4l3%f(x`m9$e64mL4=r}Ek_@ZOf&C0O4TaFo}U!oiyg>|d% z+&5N~O5dG%hdRadD%B<=Cg3B4H=T#fq?qA`o~{lBkreR`@X*mj78}}>I|{(6RnUUDeGF!h>)cX}m-1{}_s1Go|>(lt8zFzxmQX1bUFs}3fqQF7T|mD13J1UqGx^cM~?h+!?#jR*l^?z0zf zjuDgtxiLch=mQ~tF#PHTGWaNPf?&wpevTZp?xIz+LW#24cQi#$>}bSUm1F-19KLZW z{EUYhTKc=L9U^?a?i%pj{lpeL5*@EDFm?&b6S>_ostx?9M+-e@%i6xZC_EbEJ?qL~ zgb8y-Ms?JfBt3nfKM=jH_>oSqIj%n-iT?Gj=FzpDO7SI}WFnrfLDm;!f%09@*2MiB zX(kK>8n3Y1~{q z21RHfNRZ!k$=Fc%XY;19vH#8W>HJi>Ng48Sc*Tx}iV7za@6oKy)fpDUc<618x_NR1 z1i`qhh>VojZc>I2e<4+yeg|6q=ZVg;_cQT<8PkBDJ?(lX)2!&nPE9l9hx67UDPG$o zj=GXohC)sI+s12FFjtQgo7uZ^67~Lfkm})fLs9+2sT1Y2TxnMJx{U|8DxLUSffjs2 zB6*PDK+Vd~WuLIXA+E%R70Frm%fR_nsiV#*USOls?MCFRD_OZX8fs(1d$yx@X?KPL z{(uaYK{5(FM~Kyp1nw{pV+BPm(qO;HhF=qOj1cePJHZC06#`$HLa5HHo*Sx0wsl z9mr>Pa_oDrRMN;*wH{FG+Z44<+G-6X=Gwb7KH%uh*|`v{+y>A?}{e)q6<{m%SSz%nfoBILE=cyd>g#k-9kmRZB0n5ZbJmp{#Yj6y?FEw!cd zAx}3mBO{mcpjetOQ|3-{dMeU0BgNNl-?{4TXY<afyw->G*vC_?K}gNU`s*rW zNeeh(J=7wd{nye8GyyR(BvlODw}`zsAMoB^jT~QKT5@HIU`!0SG>*F*d&Wc4TRZR_8GYq}}YV z$|(PvrX$#fDM+Xs`nWNi>V1Dc1*9*rAtNUK-QwM{>MN8MLD@08KGtq%XgF!TBAV!c zMM?WLBrJ>va*Rq`AIM9BjzOGf&Z+x!*~s!X%l_}%Gk}q$R&In44_fPq3}&wH(c0Vv z(xY6hhQB$^%gi*oK3PBX09-05DIkY;vw+sE?U4{0a9>oUS#uD^dvN3;O9U06bGhjK zZpXsKrM9~I0?1m_w4I$)n34K;w<)m?MRxUBD43Nl%%qQlwF(-wvBPj29}}avW+C zar<^kYixAX_lMg--DZ7#{lixH!#Ck?a?WP?NjA-397Y`=u?iWGH0h624G!27Pf01T z{lA8NXyL!zt603-;Cy$UCpQRw)2;KuYLg3ag@{XD;@JFz?(;hR#_JE`Z8<+%W_*mn zcw4enH2(lpBA;}wEcCdVBr4LbXuJF&Np@dE`D+$M$J017Z2=(lXR$P|m|HkNC(esI zI2;A_69;(Y%m(Ya^kSIpqb_=BR&wd>Cx(`bd2gbkazhSUn@#kMC^HZTK;EK4J2!2^ zvp19p9{>7YLqqzi<tQNP(4ywDui>Y%(`4~XuGhA{ zu3Q7Y{*$54&)pqg)j)QcBbUnGRzD~YaOm_pK`Jt3d#WxZ%z!-aa? zAgA1P_YLU9{kj9~$WcU#Da&!bON&FjlO(!Ym;GOon=(pnMxbrY-c(uEl9Js?H11K; znuo|kYS_exw)3g50VjcI2IpqA@p{^A`pBKGltB>C>`g;KO{NFWxsDU4wtUh~axfUp z-936yIO9|WxlpP$FpP|G@wku@!-Df#=4_6vj#3}!I763noOUGD8KG(BxzkU*Y2U*H zD~RYz4(c{Y!h{x=pS*mRo!?3ySR-h?%CN*tDve3ck<2^(+ zjmJRpB_b(Q$iUu@sdsC%cq}>tBT~$DnT?Ia5MM*h&OdEpF)ClbJ4-_YN1-pT$LosP zMPA{kYUyKk9GrDv$yL_WaB^@&k!0tz0HL_-)s*Ez@9%*WUGuee8FTv!)mB95yFmI4 zI&W^!NV>?M2{`h4Hcea_PtLG>?kMH4r;yW}BuG6TZprM?sPNFrR#t?2*SsCVAMxmK z3LTQ7C21bz4y8mGD?QZHjZT`5$}iW~v>Aps`lBSX+0|=p>f2&pg747YZ3y6yB}<*S zKk^4g^|sh}=QA3-jV*@m^^=#zNhPK{-Jk|qnzUNTsiC3|@5h<1odoLfY0sONxOaD7GLPGtf-$M1O^vu@B7LPesU)*cisYcH-=(q#N6K*0N@lm_ zO|q+>={U%7y=PPAdw3%^H3Pg{5cxcaWlNk`9c}Xvkg8T%FTJf489A-gW zz=YktvnY`B=76=An^5z z^jIPJl(t^ax{rb>!CiLzn50nCyj+itvzMMBuAXQYs~sV5oE9N`aw4mbBF^%AdO~;f zD*<(3hG=9S(M^s9#m_;^Y7uJVY7*v&j9OmaEA-9l1;24(1DE|=HY%yUHdt8P6R}7j zhX;h9Jy4Sd6}9jIEK}ivRTigi77o*9hEDo4*c=oehcc&-B7s{}=S*BC+0o<=3DrX` z!@Mg2Nl``^#kmsE{**8kyw!IU!)Cx_r!XJkB3YY8t&AJ#mu3w(?RR-A4(tk1ncSgO zjCP@+R3LEtm7nT+2u8Cr}0@%5$y7!TzZ^_EEZh zSFfc@A8iFdlKF}sm?U<11aRYgG4t%$%cRp_7_^$H!ed+xWKJsk&&X8dnTd z&Dgio5Eg|IL{+0gub|9>gr&p>cos|)YW04NVy*^6&kK*385K^OAIb4?o}#b$fm{6Q zzE&(eK3uLMnaaL%+QBATygvXjz2nDP7#nMcMT&ewx%HG^@F!k#sa_i-4I8=mz|Pt? zI=*#c4&n~{R4=x=1V@^)nu?0(j!v&`1^g7<|*BA=kwxM~o za`Zzf$R?i^O2|*r&-U0s9!O6f{CK-IWb6nl2TR#rr$`zr3@xm8gD{TA8GjYk6UZ2s z>6uFvoENF|v?C(yw@#G&gA|n=-P$95H1319=svuUmy!q0@f-Wjy0J9Kkx@As!GgzE7RxghNp+J9C6$uI|G_L_n8h|`U(Z+2ivoF1^*)jta21!F4{vFm|ix5csyKZ~L1blt%J5tY>RSFLu*LjbM2T0N45wfTd6+-F)-schfp@(f@?N^=@e+cle5(7-ckRwJW)VeRv}<^>(Fi=}!$ zTzlVjd;hMnN#zc5Y@0)oF#LUyAnCZ&3NaZ_I^?Y=(tLg4wEC-#&cJ5l00rn2*e8NM;sB= zK|d;=zH>$Tq_OFmAtUFve5A*Po0!rV6AS=mjY)T|e8sfk&^)srtj&MG+cz5ACl9(hB*A8YPXH$zqWa{Kb*HapwS7?Xp{8=Fz@g(aXYlxHQ zxLlW*K)Lqqo1MXUU@Bf#s?oLIdovNarx*Kkd)D#s+4hFC8Fea{QbU8;Yu5tqAB-4I ziQ~9WwRF9rup9(0pocH}RXK2n_e<{h4qvXrs$MimQM)!LUXB_y@R;hc|y*Gzb`1=iQ`oB2LBrV_E@YGSa1arv! zqE?}9Y6KE5_DXT{f23`3rRS#ACGdQ>bA^;MY;rAUW>Gi(xksBKAJd@k>UMOYorewX zH|A^+E?Hl0YWx9YGcCwU(BkZ-{kc9-s6}z8xK4YUbojQ|A~)>wKH1LM2Wn_|K9$xB zwD4GaVnFy5*(HP;@2lK&`v&@B!x`zjp+E`Yna|{$-|W#ghvXj;*<+LVB;;%K%^wpi zZQ_!oE<+E zvWNws^Wq66WSR(JN8L^Y+Wtd39v8s}vc^3=FI#p_?-M86t!6Tsy0x7-eAs(07 zJ;MbE(+_DHV&g)8R(`@*kQ^d1PyS8Jhi89!3;gMSOFe<}zexNw6#s`H;bWDi@wchU zt1aCJl>CGlQqyoNpW8Rlx;E9S=s6=O(+>J$aG<{g5>PaNI9nc%H+vY=^!FR)Z!1nq zRBKBmr7*#-oP?PEoM&G6`O(j;~=GJg-8)-6biu`Lp%cmJ8dfMO&-#jx6Jn!m;?Fy!YykiJQO;grAr z3zMgB&alzJZaaxd&m?UF^l2l?^>_w^8vq2q)8KO;mH;4@P?Q9oHO~)JOsU^^4umZr z-x2Jq=Rl+YK*(u3JO`o{0Kx?-_Bjx801!FFbB(Wf8?}QZ>}|M zELd_hWpl6qq6olWsdmBn{Hcu^G)Key!TaE(q$Id-yT3IA%6-L}wyw#^$q6mzPnc?D z75=*mTK53O_EKN$K7S7ROSZSR$Qb|al$Wm?0FiHLTW_8TXa@gH8iiQs8Mp(?FWCkk z5K5oh6d|BKR5$uF*eZZtsqls@d=Apr&pqS+D;6a5{|zlm=Z5(&u;JVrZ4$(P+X65? zd?Awtvp-H`P$;f?Jnsf{wX)A}rz*d-q$vL`zoZ5cxvlno^O+r%8UWVXIatO1%<{u< q(7|Cij?c}U0T&(o|GhDv#}{a{hsB_iWW*Q1KM4_8;o=W^zW)c9h62<8 literal 0 HcmV?d00001 diff --git a/blueprints/data-solutions/data-platform-minimal/main.tf b/blueprints/data-solutions/data-platform-minimal/main.tf new file mode 100644 index 0000000000..cd62a8c162 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/main.tf @@ -0,0 +1,62 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Core locals. + +locals { + # we cannot reference service accounts directly as they are dynamic + _shared_vpc_bindings = { + "roles/compute.networkUser" = [ + "processing-cloudservices", "processing-robot-compute", "orch-robot-gke" + ] + "roles/composer.sharedVpcAgent" = [ + "processing-robot-cs" + ] + "roles/container.hostServiceAgentUser" = [ + "orch-robot-gke" + ] + } + groups = { + for k, v in var.groups : k => "${v}@${var.organization_domain}" + } + groups_iam = { + for k, v in local.groups : k => "group:${v}" + } + project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}" + service_encryption_keys = var.service_encryption_keys + shared_vpc_project = try(var.network_config.host_project, null) + # this is needed so that for_each only uses static values + shared_vpc_role_members = { + processing-cloudservices = "serviceAccount:${module.processing-project.service_accounts.cloud_services}" + orprocessingch-robot-cs = "serviceAccount:${module.processing-project.service_accounts.robots.composer}" + processing-robot-gke = "serviceAccount:${module.processing-project.service_accounts.robots.container-engine}" + processing-robot-compute = "serviceAccount:${module.processing-project.service_accounts.robots.compute}" + } + # reassemble in a format suitable for for_each + shared_vpc_bindings_map = { + for binding in flatten([ + for role, members in local._shared_vpc_bindings : [ + for member in members : { role = role, member = member } + ] + ]) : "${binding.role}-${binding.member}" => binding + } + use_shared_vpc = var.network_config != null +} + +resource "google_project_iam_member" "shared_vpc" { + for_each = local.use_shared_vpc ? local.shared_vpc_bindings_map : {} + project = var.network_config.host_project + role = each.value.role + member = lookup(local.shared_vpc_role_members, each.value.member) +} diff --git a/blueprints/data-solutions/data-platform-minimal/outputs.tf b/blueprints/data-solutions/data-platform-minimal/outputs.tf new file mode 100644 index 0000000000..e2c7bb8dd0 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/outputs.tf @@ -0,0 +1,81 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Output variables. + +output "bigquery-datasets" { + description = "BigQuery datasets." + value = { + curated = module.cur-bq-0.dataset_id, + } +} + +output "dataproc-hystory-server" { + description = "List of bucket names which have been assigned to the cluster." + value = { + bucket_names = module.processing-dp-historyserver.bucket_names + http_ports = module.processing-dp-historyserver.http_ports + instance_names = module.processing-dp-historyserver.instance_names + name = module.processing-dp-historyserver.name + } +} + +output "gcs-buckets" { + description = "GCS buckets." + sensitive = true + value = { + landing-cs-0 = module.land-sa-cs-0, + processing-cs-0 = module.processing-cs-0, + cur-cs-0 = module.cur-cs-0, + } +} + +output "kms_keys" { + description = "Cloud MKS keys." + value = local.service_encryption_keys +} + +output "projects" { + description = "GCP Projects informations." + value = { + project_number = { + landing = module.land-project.number, + common = module.common-project.number, + curated = module.cur-project.number, + processing = module.processing-project.number, + } + project_id = { + landing = module.land-project.project_id, + common = module.common-project.project_id, + curated = module.cur-project.project_id, + processing = module.processing-project.project_id, + } + } +} + +output "vpc_network" { + description = "VPC network." + value = { + processing_dataproc = local.processing_dp_vpc + processing_composer = local.processing_vpc + } +} + +output "vpc_subnet" { + description = "VPC subnetworks." + value = { + processing_dataproc = local.processing_dp_subnet + processing_composer = local.processing_subnet + } +} diff --git a/blueprints/data-solutions/data-platform-minimal/variables.tf b/blueprints/data-solutions/data-platform-minimal/variables.tf new file mode 100644 index 0000000000..373732b512 --- /dev/null +++ b/blueprints/data-solutions/data-platform-minimal/variables.tf @@ -0,0 +1,225 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# tfdoc:file:description Terraform Variables. + +variable "composer_config" { + description = "Cloud Composer config." + type = object({ + disable_deployment = optional(bool) + environment_size = optional(string, "ENVIRONMENT_SIZE_SMALL") + software_config = optional(object({ + airflow_config_overrides = optional(any) + pypi_packages = optional(any) + env_variables = optional(map(string)) + image_version = string + }), { + image_version = "composer-2-airflow-2" + }) + workloads_config = optional(object({ + scheduler = optional(object( + { + cpu = number + memory_gb = number + storage_gb = number + count = number + } + ), { + cpu = 0.5 + memory_gb = 1.875 + storage_gb = 1 + count = 1 + }) + web_server = optional(object( + { + cpu = number + memory_gb = number + storage_gb = number + } + ), { + cpu = 0.5 + memory_gb = 1.875 + storage_gb = 1 + }) + worker = optional(object( + { + cpu = number + memory_gb = number + storage_gb = number + min_count = number + max_count = number + } + ), { + cpu = 0.5 + memory_gb = 1.875 + storage_gb = 1 + min_count = 1 + max_count = 3 + }) + })) + }) + default = { + environment_size = "ENVIRONMENT_SIZE_SMALL" + software_config = { + image_version = "composer-2-airflow-2" + } + workloads_config = { + scheduler = { + cpu = 0.5 + memory_gb = 1.875 + storage_gb = 1 + count = 1 + } + web_server = { + cpu = 0.5 + memory_gb = 1.875 + storage_gb = 1 + } + worker = { + cpu = 0.5 + memory_gb = 1.875 + storage_gb = 1 + min_count = 1 + max_count = 3 + } + } + } +} + +variable "data_catalog_tags" { + description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format." + type = map(map(list(string))) + nullable = false + default = { + "3_Confidential" = null + "2_Private" = null + "1_Sensitive" = null + } +} + +variable "data_force_destroy" { + description = "Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage." + type = bool + default = false +} + +variable "groups" { + description = "User groups." + type = map(string) + default = { + data-analysts = "gcp-data-analysts" + data-engineers = "gcp-data-engineers" + data-security = "gcp-data-security" + } +} + +variable "location" { + description = "Location used for multi-regional resources." + type = string + default = "eu" +} + +variable "network_config" { + description = "Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values." + type = object({ + host_project = string + network_self_link = string + subnet_self_links = object({ + processing_dataproc = string + processing_composer = string + }) + composer_ip_ranges = object({ + cloudsql = string + gke_master = string + }) + composer_secondary_ranges = object({ + pods = string + services = string + }) + # web_server_network_access_control = list(string) + }) + default = null +} + +variable "organization_domain" { + description = "Organization domain." + type = string +} + +variable "prefix" { + description = "Prefix used for resource names." + type = string + validation { + condition = var.prefix != "" + error_message = "Prefix cannot be empty." + } +} + +variable "project_config" { + description = "Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format." + type = object({ + billing_account_id = optional(string, null) + parent = string + project_ids = optional(object({ + landing = string + processing = string + curated = string + common = string + }), { + landing = "lnd" + processing = "prc" + curated = "cur" + common = "cmn" + } + ) + }) + validation { + condition = var.project_config.billing_account_id != null || var.project_config.project_ids != null + error_message = "At least one attribute should be set." + } +} + +variable "project_services" { + description = "List of core services enabled on all projects." + type = list(string) + default = [ + "cloudresourcemanager.googleapis.com", + "iam.googleapis.com", + "serviceusage.googleapis.com", + "stackdriver.googleapis.com" + ] +} + +variable "project_suffix" { + description = "Suffix used only for project ids." + type = string + default = null +} + +variable "region" { + description = "Region used for regional resources." + type = string + default = "europe-west1" +} + +variable "service_encryption_keys" { + description = "Cloud KMS to use to encrypt different services. Key location should match service region." + type = object({ + bq = string + composer = string + compute = string + storage = string + }) + default = null +} From 7bf7b1e34226ccbd6ebe6a326e6d7717ce0e7fa1 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Sat, 6 May 2023 21:29:10 +0200 Subject: [PATCH 2/7] Implement PR comments. --- .../data-platform-minimal/01-landing.tf | 25 +-- .../data-platform-minimal/02-composer.tf | 56 +++---- .../data-platform-minimal/02-dataproc.tf | 26 ++-- .../data-platform-minimal/02-processing.tf | 28 ++-- .../data-platform-minimal/03-curated.tf | 28 ++-- .../data-platform-minimal/04-common.tf | 18 ++- .../data-platform-minimal/README.md | 2 +- .../data-platform-minimal/main.tf | 7 +- .../data-platform-minimal/outputs.tf | 2 +- .../data-platform-minimal/variables.tf | 142 +++++++----------- 10 files changed, 162 insertions(+), 172 deletions(-) diff --git a/blueprints/data-solutions/data-platform-minimal/01-landing.tf b/blueprints/data-solutions/data-platform-minimal/01-landing.tf index ff2c1cbdd1..c6edddd070 100644 --- a/blueprints/data-solutions/data-platform-minimal/01-landing.tf +++ b/blueprints/data-solutions/data-platform-minimal/01-landing.tf @@ -28,18 +28,25 @@ module "land-project" { billing_account = var.project_config.billing_account_id project_create = var.project_config.billing_account_id != null prefix = var.project_config.billing_account_id == null ? null : var.prefix - name = var.project_config.billing_account_id == null ? var.project_config.project_ids.landing : "${var.project_config.project_ids.landing}${local.project_suffix}" - iam = var.project_config.billing_account_id != null ? local.iam_lnd : null - iam_additive = var.project_config.billing_account_id == null ? local.iam_lnd : null - services = concat(var.project_services, [ + name = ( + var.project_config.billing_account_id == null + ? var.project_config.project_ids.landing + : "${var.project_config.project_ids.landing}${local.project_suffix}" + ) + iam = var.project_config.billing_account_id != null ? local.iam_lnd : null + iam_additive = var.project_config.billing_account_id == null ? local.iam_lnd : null + services = [ "cloudkms.googleapis.com", + "cloudresourcemanager.googleapis.com", + "iam.googleapis.com", + "serviceusage.googleapis.com", + "stackdriver.googleapis.com", "storage.googleapis.com", "storage-component.googleapis.com", - ]) + ] service_encryption_key_ids = { - bq = [try(local.service_encryption_keys.bq, null)] - pubsub = [try(local.service_encryption_keys.pubsub, null)] - storage = [try(local.service_encryption_keys.storage, null)] + bq = [var.service_encryption_keys.bq] + storage = [var.service_encryption_keys.storage] } } @@ -65,6 +72,6 @@ module "land-cs-0" { name = "lnd-cs-0" location = var.location storage_class = "MULTI_REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage force_destroy = var.data_force_destroy } diff --git a/blueprints/data-solutions/data-platform-minimal/02-composer.tf b/blueprints/data-solutions/data-platform-minimal/02-composer.tf index 26aef12b7e..f13c4e0440 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-composer.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-composer.tf @@ -20,7 +20,7 @@ locals { CURATED_BQ_DATASET = module.cur-bq-0.dataset_id CURATED_GCS = module.cur-cs-0.url CURATED_PRJ = module.cur-project.project_id - DP_KMS_KEY = try(var.service_encryption_keys.compute, "") + DP_KMS_KEY = var.service_encryption_keys.compute DP_REGION = var.region GCP_REGION = var.region LAND_PRJ = module.land-project.project_id @@ -55,30 +55,32 @@ resource "google_composer_environment" "processing-cmp-0" { software_config { airflow_config_overrides = try(var.composer_config.software_config.airflow_config_overrides, null) pypi_packages = try(var.composer_config.software_config.pypi_packages, null) - env_variables = merge(try(var.composer_config.software_config.env_variables, null), local.env_variables) - image_version = try(var.composer_config.software_config.image_version, null) + env_variables = merge( + try(var.composer_config.software_config.env_variables, null), local.env_variables + ) + image_version = var.composer_config.software_config.image_version } dynamic "workloads_config" { for_each = (try(var.composer_config.workloads_config, null) != null ? { 1 = 1 } : {}) content { scheduler { - cpu = try(var.composer_config.workloads_config.scheduler.cpu, null) - memory_gb = try(var.composer_config.workloads_config.scheduler.memory_gb, null) - storage_gb = try(var.composer_config.workloads_config.scheduler.storage_gb, null) - count = try(var.composer_config.workloads_config.scheduler.count, null) + cpu = var.composer_config.workloads_config.scheduler.cpu + memory_gb = var.composer_config.workloads_config.scheduler.memory_gb + storage_gb = var.composer_config.workloads_config.scheduler.storage_gb + count = var.composer_config.workloads_config.scheduler.count } web_server { - cpu = try(var.composer_config.workloads_config.web_server.cpu, null) - memory_gb = try(var.composer_config.workloads_config.web_server.memory_gb, null) - storage_gb = try(var.composer_config.workloads_config.web_server.storage_gb, null) + cpu = var.composer_config.workloads_config.web_server.cpu + memory_gb = var.composer_config.workloads_config.web_server.memory_gb + storage_gb = var.composer_config.workloads_config.web_server.storage_gb } worker { - cpu = try(var.composer_config.workloads_config.worker.cpu, null) - memory_gb = try(var.composer_config.workloads_config.worker.memory_gb, null) - storage_gb = try(var.composer_config.workloads_config.worker.storage_gb, null) - min_count = try(var.composer_config.workloads_config.worker.min_count, null) - max_count = try(var.composer_config.workloads_config.worker.max_count, null) + cpu = var.composer_config.workloads_config.worker.cpu + memory_gb = var.composer_config.workloads_config.worker.memory_gb + storage_gb = var.composer_config.workloads_config.worker.storage_gb + min_count = var.composer_config.workloads_config.worker.min_count + max_count = var.composer_config.workloads_config.worker.max_count } } } @@ -89,34 +91,26 @@ resource "google_composer_environment" "processing-cmp-0" { network = local.processing_vpc subnetwork = local.processing_subnet service_account = module.processing-sa-cmp-0.email - enable_ip_masq_agent = "true" + enable_ip_masq_agent = true tags = ["composer-worker"] ip_allocation_policy { - cluster_secondary_range_name = try( - var.network_config.composer_secondary_ranges.pods, "pods" - ) - services_secondary_range_name = try( - var.network_config.composer_secondary_ranges.services, "services" - ) + cluster_secondary_range_name = var.network_config.composer_ip_ranges.pods_range_name + services_secondary_range_name = var.network_config.composer_ip_ranges.services_range_name } } private_environment_config { - enable_private_endpoint = "true" - cloud_sql_ipv4_cidr_block = try( - var.network_config.composer_ip_ranges.cloudsql, "10.20.10.0/24" - ) - master_ipv4_cidr_block = try( - var.network_config.composer_ip_ranges.gke_master, "10.20.11.0/28" - ) + enable_private_endpoint = "true" + cloud_sql_ipv4_cidr_block = var.network_config.composer_ip_ranges.cloud_sql + master_ipv4_cidr_block = var.network_config.composer_ip_ranges.gke_master } dynamic "encryption_config" { for_each = ( - try(var.service_encryption_keys[var.region], null) != null + var.service_encryption_keys.composer != null ? { 1 = 1 } : {} ) content { - kms_key_name = try(var.service_encryption_keys[var.region], null) + kms_key_name = var.service_encryption_keys.composer } } } diff --git a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf index 37c4ff406b..4c4c2b5f7c 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf @@ -39,7 +39,7 @@ module "processing-cs-dp-history" { name = "prc-cs-dp-history" location = var.region storage_class = "REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage } module "processing-sa-dp-0" { @@ -66,7 +66,7 @@ module "processing-dp-staging-0" { name = "prc-stg-0" location = var.location storage_class = "MULTI_REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage } module "processing-dp-temp-0" { @@ -76,7 +76,7 @@ module "processing-dp-temp-0" { name = "prc-tmp-0" location = var.location storage_class = "MULTI_REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage } module "processing-dp-log-0" { @@ -86,7 +86,7 @@ module "processing-dp-log-0" { name = "prc-log-0" location = var.location storage_class = "MULTI_REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage } module "processing-dp-historyserver" { @@ -114,19 +114,25 @@ module "processing-dp-historyserver" { } software_config = { override_properties = { - "dataproc:dataproc.allow.zero.workers" = "true" - "dataproc:job.history.to-gcs.enabled" = "true" - "spark:spark.history.fs.logDirectory" = "gs://${module.processing-dp-staging-0.name}/*/spark-job-history" - "spark:spark.eventLog.dir" = "gs://${module.processing-dp-staging-0.name}/*/spark-job-history" + "dataproc:dataproc.allow.zero.workers" = "true" + "dataproc:job.history.to-gcs.enabled" = "true" + "spark:spark.history.fs.logDirectory" = ( + "gs://${module.processing-dp-staging-0.name}/*/spark-job-history" + ) + "spark:spark.eventLog.dir" = ( + "gs://${module.processing-dp-staging-0.name}/*/spark-job-history" + ) "spark:spark.history.custom.executor.log.url.applyIncompleteApplication" = "false" - "spark:spark.history.custom.executor.log.url" = "{{YARN_LOG_SERVER_URL}}/{{NM_HOST}}:{{NM_PORT}}/{{CONTAINER_ID}}/{{CONTAINER_ID}}/{{USER}}/{{FILE_NAME}}" + "spark:spark.history.custom.executor.log.url" = ( + "{{YARN_LOG_SERVER_URL}}/{{NM_HOST}}:{{NM_PORT}}/{{CONTAINER_ID}}/{{CONTAINER_ID}}/{{USER}}/{{FILE_NAME}}" + ) } } endpoint_config = { enable_http_port_access = "true" } encryption_config = { - kms_key_name = try(local.service_encryption_keys.compute, null) + kms_key_name = var.service_encryption_keys.compute } } } diff --git a/blueprints/data-solutions/data-platform-minimal/02-processing.tf b/blueprints/data-solutions/data-platform-minimal/02-processing.tf index 5792f01324..9460a25dcc 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-processing.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-processing.tf @@ -61,27 +61,35 @@ module "processing-project" { billing_account = var.project_config.billing_account_id project_create = var.project_config.billing_account_id != null prefix = var.project_config.billing_account_id == null ? null : var.prefix - name = var.project_config.billing_account_id == null ? var.project_config.project_ids.processing : "${var.project_config.project_ids.processing}${local.project_suffix}" - iam = var.project_config.billing_account_id != null ? local.iam_processing : null - iam_additive = var.project_config.billing_account_id == null ? local.iam_processing : null - oslogin = false - services = concat(var.project_services, [ + name = ( + var.project_config.billing_account_id == null + ? var.project_config.project_ids.processing + : "${var.project_config.project_ids.processing}${local.project_suffix}" + ) + iam = var.project_config.billing_account_id != null ? local.iam_processing : null + iam_additive = var.project_config.billing_account_id == null ? local.iam_processing : null + oslogin = false + services = [ "bigquery.googleapis.com", "bigqueryreservation.googleapis.com", "bigquerystorage.googleapis.com", "cloudkms.googleapis.com", + "cloudresourcemanager.googleapis.com", "composer.googleapis.com", "compute.googleapis.com", "container.googleapis.com", "dataproc.googleapis.com", + "iam.googleapis.com", "servicenetworking.googleapis.com", + "serviceusage.googleapis.com", + "stackdriver.googleapis.com", "storage.googleapis.com", "storage-component.googleapis.com" - ]) + ] service_encryption_key_ids = { - composer = [try(local.service_encryption_keys.composer, null)] - compute = [try(local.service_encryption_keys.compute, null)] - storage = [try(local.service_encryption_keys.storage, null)] + composer = [var.service_encryption_keys.composer] + compute = [var.service_encryption_keys.compute] + storage = [var.service_encryption_keys.storage] } shared_vpc_service_config = local.shared_vpc_project == null ? null : { attach = true @@ -98,7 +106,7 @@ module "processing-cs-0" { name = "prc-cs-0" location = var.location storage_class = "MULTI_REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage } # internal VPC resources diff --git a/blueprints/data-solutions/data-platform-minimal/03-curated.tf b/blueprints/data-solutions/data-platform-minimal/03-curated.tf index 4656fa766b..5b044b51ef 100644 --- a/blueprints/data-solutions/data-platform-minimal/03-curated.tf +++ b/blueprints/data-solutions/data-platform-minimal/03-curated.tf @@ -37,16 +37,20 @@ locals { ] "roles/storage.objectAdmin" = [module.processing-sa-dp-0.iam_email] } - cur_services = concat(var.project_services, [ + cur_services = [ + "iam.googleapis.com", "bigquery.googleapis.com", "bigqueryreservation.googleapis.com", "bigquerystorage.googleapis.com", "cloudkms.googleapis.com", + "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "servicenetworking.googleapis.com", + "serviceusage.googleapis.com", + "stackdriver.googleapis.com", "storage.googleapis.com", "storage-component.googleapis.com" - ]) + ] } # Project @@ -57,13 +61,17 @@ module "cur-project" { billing_account = var.project_config.billing_account_id project_create = var.project_config.billing_account_id != null prefix = var.project_config.billing_account_id == null ? null : var.prefix - name = var.project_config.billing_account_id == null ? var.project_config.project_ids.curated : "${var.project_config.project_ids.curated}${local.project_suffix}" - iam = var.project_config.billing_account_id != null ? local.cur_iam : {} - iam_additive = var.project_config.billing_account_id == null ? local.cur_iam : {} - services = local.cur_services + name = ( + var.project_config.billing_account_id == null + ? var.project_config.project_ids.curated + : "${var.project_config.project_ids.curated}${local.project_suffix}" + ) + iam = var.project_config.billing_account_id != null ? local.cur_iam : {} + iam_additive = var.project_config.billing_account_id == null ? local.cur_iam : {} + services = local.cur_services service_encryption_key_ids = { - bq = [try(local.service_encryption_keys.bq, null)] - storage = [try(local.service_encryption_keys.storage, null)] + bq = [var.service_encryption_keys.bq] + storage = [var.service_encryption_keys.storage] } } @@ -74,7 +82,7 @@ module "cur-bq-0" { project_id = module.cur-project.project_id id = "${replace(var.prefix, "-", "_")}_cur_bq_0" location = var.location - encryption_key = try(local.service_encryption_keys.bq, null) + encryption_key = var.service_encryption_keys.bq } # Cloud storage @@ -86,6 +94,6 @@ module "cur-cs-0" { name = "cur-cs-0" location = var.location storage_class = "MULTI_REGIONAL" - encryption_key = try(local.service_encryption_keys.storage, null) + encryption_key = var.service_encryption_keys.storage force_destroy = var.data_force_destroy } diff --git a/blueprints/data-solutions/data-platform-minimal/04-common.tf b/blueprints/data-solutions/data-platform-minimal/04-common.tf index 4d822b7a52..3a2d01bdf0 100644 --- a/blueprints/data-solutions/data-platform-minimal/04-common.tf +++ b/blueprints/data-solutions/data-platform-minimal/04-common.tf @@ -39,13 +39,21 @@ module "common-project" { billing_account = var.project_config.billing_account_id project_create = var.project_config.billing_account_id != null prefix = var.project_config.billing_account_id == null ? null : var.prefix - name = var.project_config.billing_account_id == null ? var.project_config.project_ids.common : "${var.project_config.project_ids.common}${local.project_suffix}" - iam = var.project_config.billing_account_id != null ? local.iam_common : null - iam_additive = var.project_config.billing_account_id == null ? local.iam_common : null - services = concat(var.project_services, [ + name = ( + var.project_config.billing_account_id == null + ? var.project_config.project_ids.common + : "${var.project_config.project_ids.common}${local.project_suffix}" + ) + iam = var.project_config.billing_account_id != null ? local.iam_common : null + iam_additive = var.project_config.billing_account_id == null ? local.iam_common : null + services = [ + "cloudresourcemanager.googleapis.com", "datacatalog.googleapis.com", "dlp.googleapis.com", - ]) + "iam.googleapis.com", + "serviceusage.googleapis.com", + "stackdriver.googleapis.com", + ] } # Data Catalog Policy tag diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md index ed2a445f97..aa953f23ed 100644 --- a/blueprints/data-solutions/data-platform-minimal/README.md +++ b/blueprints/data-solutions/data-platform-minimal/README.md @@ -1,6 +1,6 @@ # Minimal Data Platform -This module implements a minimal opinionated Data Platform Architecture based on Dataproc Serverless resources. It creates and setup projects and related resources that compose an end-to-end data environment. +This module implements a minimal opinionated Data Platform Architecture based on Dataproc Serverless resources. It creates and sets up projects and related resources that compose an end-to-end data environment. For a complete, more versatile and configurable Data Platform, plese refer to the [Data Platform](../data-platform-foundations/) blueprint. diff --git a/blueprints/data-solutions/data-platform-minimal/main.tf b/blueprints/data-solutions/data-platform-minimal/main.tf index cd62a8c162..d7467bfb23 100644 --- a/blueprints/data-solutions/data-platform-minimal/main.tf +++ b/blueprints/data-solutions/data-platform-minimal/main.tf @@ -33,9 +33,8 @@ locals { groups_iam = { for k, v in local.groups : k => "group:${v}" } - project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}" - service_encryption_keys = var.service_encryption_keys - shared_vpc_project = try(var.network_config.host_project, null) + project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}" + shared_vpc_project = try(var.network_config.host_project, null) # this is needed so that for_each only uses static values shared_vpc_role_members = { processing-cloudservices = "serviceAccount:${module.processing-project.service_accounts.cloud_services}" @@ -51,7 +50,7 @@ locals { ] ]) : "${binding.role}-${binding.member}" => binding } - use_shared_vpc = var.network_config != null + use_shared_vpc = var.network_config.host_project != null } resource "google_project_iam_member" "shared_vpc" { diff --git a/blueprints/data-solutions/data-platform-minimal/outputs.tf b/blueprints/data-solutions/data-platform-minimal/outputs.tf index e2c7bb8dd0..ac515afb8b 100644 --- a/blueprints/data-solutions/data-platform-minimal/outputs.tf +++ b/blueprints/data-solutions/data-platform-minimal/outputs.tf @@ -43,7 +43,7 @@ output "gcs-buckets" { output "kms_keys" { description = "Cloud MKS keys." - value = local.service_encryption_keys + value = var.service_encryption_keys } output "projects" { diff --git a/blueprints/data-solutions/data-platform-minimal/variables.tf b/blueprints/data-solutions/data-platform-minimal/variables.tf index 373732b512..79226af6c6 100644 --- a/blueprints/data-solutions/data-platform-minimal/variables.tf +++ b/blueprints/data-solutions/data-platform-minimal/variables.tf @@ -17,84 +17,39 @@ variable "composer_config" { description = "Cloud Composer config." type = object({ - disable_deployment = optional(bool) + disable_deployment = optional(bool, false) environment_size = optional(string, "ENVIRONMENT_SIZE_SMALL") software_config = optional(object({ - airflow_config_overrides = optional(any) - pypi_packages = optional(any) - env_variables = optional(map(string)) - image_version = string - }), { - image_version = "composer-2-airflow-2" - }) + airflow_config_overrides = optional(map(string), {}) + pypi_packages = optional(map(string), {}) + env_variables = optional(map(string), {}) + image_version = optional(string, "composer-2-airflow-2") + }), {}) workloads_config = optional(object({ - scheduler = optional(object( - { - cpu = number - memory_gb = number - storage_gb = number - count = number - } - ), { - cpu = 0.5 - memory_gb = 1.875 - storage_gb = 1 - count = 1 - }) - web_server = optional(object( - { - cpu = number - memory_gb = number - storage_gb = number + scheduler = optional(object({ + cpu = optional(number, 0.5) + memory_gb = optional(number, 1.875) + storage_gb = optional(number, 1) + count = optional(number, 1) } - ), { - cpu = 0.5 - memory_gb = 1.875 - storage_gb = 1 - }) - worker = optional(object( - { - cpu = number - memory_gb = number - storage_gb = number - min_count = number - max_count = number + ), {}) + web_server = optional(object({ + cpu = optional(number, 0.5) + memory_gb = optional(number, 1.875) + storage_gb = optional(number, 1) + }), {}) + worker = optional(object({ + cpu = optional(number, 0.5) + memory_gb = optional(number, 1.875) + storage_gb = optional(number, 1) + min_count = optional(number, 1) + max_count = optional(number, 3) } - ), { - cpu = 0.5 - memory_gb = 1.875 - storage_gb = 1 - min_count = 1 - max_count = 3 - }) - })) + ), {}) + }), {}) }) - default = { - environment_size = "ENVIRONMENT_SIZE_SMALL" - software_config = { - image_version = "composer-2-airflow-2" - } - workloads_config = { - scheduler = { - cpu = 0.5 - memory_gb = 1.875 - storage_gb = 1 - count = 1 - } - web_server = { - cpu = 0.5 - memory_gb = 1.875 - storage_gb = 1 - } - worker = { - cpu = 0.5 - memory_gb = 1.875 - storage_gb = 1 - min_count = 1 - max_count = 3 - } - } - } + nullable = false + default = {} } variable "data_catalog_tags" { @@ -131,25 +86,29 @@ variable "location" { } variable "network_config" { - description = "Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values." + description = "Shared VPC network configurations to use. If null networks will be created in projects." type = object({ - host_project = string - network_self_link = string - subnet_self_links = object({ + host_project = optional(string) + network_self_link = optional(string) + subnet_self_links = optional(object({ processing_dataproc = string processing_composer = string - }) - composer_ip_ranges = object({ - cloudsql = string - gke_master = string - }) - composer_secondary_ranges = object({ - pods = string - services = string - }) + }), null) + composer_ip_ranges = optional(object({ + connection_subnetwork = optional(string) + cloud_sql = optional(string, "10.20.10.0/24") + gke_master = optional(string, "10.20.11.0/28") + pods_range_name = optional(string, "pods") + services_range_name = optional(string, "services") + }), {}) # web_server_network_access_control = list(string) }) - default = null + nullable = false + default = {} + validation { + condition = (var.network_config.composer_ip_ranges.cloud_sql == null) != (var.network_config.composer_ip_ranges.connection_subnetwork == null) + error_message = "One, and only one, of `network_config.composer_ip_ranges.cloud_sql` or `network_config.composer_ip_ranges.connection_subnetwork` must be specified." + } } variable "organization_domain" { @@ -216,10 +175,11 @@ variable "region" { variable "service_encryption_keys" { description = "Cloud KMS to use to encrypt different services. Key location should match service region." type = object({ - bq = string - composer = string - compute = string - storage = string + bq = optional(string) + composer = optional(string) + compute = optional(string) + storage = optional(string) }) - default = null + nullable = false + default = {} } From acd76a9df0a8107be0bc5f22efeae712ee63f55a Mon Sep 17 00:00:00 2001 From: lcaggio Date: Sat, 6 May 2023 21:48:45 +0200 Subject: [PATCH 3/7] Update README --- .../data-platform-minimal/README.md | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md index aa953f23ed..a48b8616bd 100644 --- a/blueprints/data-solutions/data-platform-minimal/README.md +++ b/blueprints/data-solutions/data-platform-minimal/README.md @@ -274,26 +274,25 @@ The application layer is out of scope of this script. As a demo purpuse only, on | [main.tf](./main.tf) | Core locals. | | google_project_iam_member | | [outputs.tf](./outputs.tf) | Output variables. | | | | [variables.tf](./variables.tf) | Terraform Variables. | | | - ## Variables | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [organization_domain](variables.tf#L155) | Organization domain. | string | ✓ | | -| [prefix](variables.tf#L160) | Prefix used for resource names. | string | ✓ | | -| [project_config](variables.tf#L169) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | -| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {…} | -| [data_catalog_tags](variables.tf#L100) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | -| [data_force_destroy](variables.tf#L111) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | -| [groups](variables.tf#L117) | User groups. | map(string) | | {…} | -| [location](variables.tf#L127) | Location used for multi-regional resources. | string | | "eu" | -| [network_config](variables.tf#L133) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null | -| [project_services](variables.tf#L193) | List of core services enabled on all projects. | list(string) | | […] | -| [project_suffix](variables.tf#L204) | Suffix used only for project ids. | string | | null | -| [region](variables.tf#L210) | Region used for regional resources. | string | | "europe-west1" | -| [service_encryption_keys](variables.tf#L216) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | +| [organization_domain](variables.tf#L114) | Organization domain. | string | ✓ | | +| [prefix](variables.tf#L119) | Prefix used for resource names. | string | ✓ | | +| [project_config](variables.tf#L128) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | ✓ | | +| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {} | +| [data_catalog_tags](variables.tf#L55) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {…} | +| [data_force_destroy](variables.tf#L66) | Flag to set 'force_destroy' on data services like BiguQery or Cloud Storage. | bool | | false | +| [groups](variables.tf#L72) | User groups. | map(string) | | {…} | +| [location](variables.tf#L82) | Location used for multi-regional resources. | string | | "eu" | +| [network_config](variables.tf#L88) | Shared VPC network configurations to use. If null networks will be created in projects. | object({…}) | | {} | +| [project_services](variables.tf#L152) | List of core services enabled on all projects. | list(string) | | […] | +| [project_suffix](variables.tf#L163) | Suffix used only for project ids. | string | | null | +| [region](variables.tf#L169) | Region used for regional resources. | string | | "europe-west1" | +| [service_encryption_keys](variables.tf#L175) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} | ## Outputs From d02aefd830862381637a96dbfe4cb6c42f85326c Mon Sep 17 00:00:00 2001 From: lcaggio Date: Sat, 6 May 2023 21:48:56 +0200 Subject: [PATCH 4/7] Update variables. --- blueprints/data-solutions/data-platform-minimal/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blueprints/data-solutions/data-platform-minimal/variables.tf b/blueprints/data-solutions/data-platform-minimal/variables.tf index 79226af6c6..172ce6f75d 100644 --- a/blueprints/data-solutions/data-platform-minimal/variables.tf +++ b/blueprints/data-solutions/data-platform-minimal/variables.tf @@ -145,7 +145,7 @@ variable "project_config" { }) validation { condition = var.project_config.billing_account_id != null || var.project_config.project_ids != null - error_message = "At least one attribute should be set." + error_message = "At least one of project_config.billing_account_id or var.project_config.project_ids should be set." } } From 1c653ddc1733915fac643e6fe015b36b4bcaece7 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Sat, 6 May 2023 22:50:07 +0200 Subject: [PATCH 5/7] Add PSC for the Cloud SQL instance. --- .../data-solutions/data-platform-minimal/02-composer.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/blueprints/data-solutions/data-platform-minimal/02-composer.tf b/blueprints/data-solutions/data-platform-minimal/02-composer.tf index f13c4e0440..53b5f774d9 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-composer.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-composer.tf @@ -99,9 +99,10 @@ resource "google_composer_environment" "processing-cmp-0" { } } private_environment_config { - enable_private_endpoint = "true" - cloud_sql_ipv4_cidr_block = var.network_config.composer_ip_ranges.cloud_sql - master_ipv4_cidr_block = var.network_config.composer_ip_ranges.gke_master + enable_private_endpoint = "true" + cloud_sql_ipv4_cidr_block = var.network_config.composer_ip_ranges.cloud_sql + master_ipv4_cidr_block = var.network_config.composer_ip_ranges.gke_master + cloud_composer_connection_subnetwork = var.network_config.composer_ip_ranges.connection_subnetwork } dynamic "encryption_config" { for_each = ( From c6a9df7640f724370b8a2d0b73b8ce57ea9b4413 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Mon, 8 May 2023 09:17:09 +0200 Subject: [PATCH 6/7] Implement comments. --- .../data-platform-minimal/02-composer.tf | 47 +++++++++---------- .../data-platform-minimal/02-dataproc.tf | 2 +- .../data-platform-minimal/README.md | 9 ++-- .../data-platform-minimal/main.tf | 24 ++++++---- .../data-platform-minimal/variables.tf | 11 ----- 5 files changed, 42 insertions(+), 51 deletions(-) diff --git a/blueprints/data-solutions/data-platform-minimal/02-composer.tf b/blueprints/data-solutions/data-platform-minimal/02-composer.tf index 53b5f774d9..616d80ad00 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-composer.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-composer.tf @@ -53,35 +53,31 @@ resource "google_composer_environment" "processing-cmp-0" { region = var.region config { software_config { - airflow_config_overrides = try(var.composer_config.software_config.airflow_config_overrides, null) - pypi_packages = try(var.composer_config.software_config.pypi_packages, null) + airflow_config_overrides = var.composer_config.software_config.airflow_config_overrides + pypi_packages = var.composer_config.software_config.pypi_packages env_variables = merge( - try(var.composer_config.software_config.env_variables, null), local.env_variables + var.composer_config.software_config.env_variables, local.env_variables ) image_version = var.composer_config.software_config.image_version } - dynamic "workloads_config" { - for_each = (try(var.composer_config.workloads_config, null) != null ? { 1 = 1 } : {}) - - content { - scheduler { - cpu = var.composer_config.workloads_config.scheduler.cpu - memory_gb = var.composer_config.workloads_config.scheduler.memory_gb - storage_gb = var.composer_config.workloads_config.scheduler.storage_gb - count = var.composer_config.workloads_config.scheduler.count - } - web_server { - cpu = var.composer_config.workloads_config.web_server.cpu - memory_gb = var.composer_config.workloads_config.web_server.memory_gb - storage_gb = var.composer_config.workloads_config.web_server.storage_gb - } - worker { - cpu = var.composer_config.workloads_config.worker.cpu - memory_gb = var.composer_config.workloads_config.worker.memory_gb - storage_gb = var.composer_config.workloads_config.worker.storage_gb - min_count = var.composer_config.workloads_config.worker.min_count - max_count = var.composer_config.workloads_config.worker.max_count - } + workloads_config { + scheduler { + cpu = var.composer_config.workloads_config.scheduler.cpu + memory_gb = var.composer_config.workloads_config.scheduler.memory_gb + storage_gb = var.composer_config.workloads_config.scheduler.storage_gb + count = var.composer_config.workloads_config.scheduler.count + } + web_server { + cpu = var.composer_config.workloads_config.web_server.cpu + memory_gb = var.composer_config.workloads_config.web_server.memory_gb + storage_gb = var.composer_config.workloads_config.web_server.storage_gb + } + worker { + cpu = var.composer_config.workloads_config.worker.cpu + memory_gb = var.composer_config.workloads_config.worker.memory_gb + storage_gb = var.composer_config.workloads_config.worker.storage_gb + min_count = var.composer_config.workloads_config.worker.min_count + max_count = var.composer_config.workloads_config.worker.max_count } } @@ -116,7 +112,6 @@ resource "google_composer_environment" "processing-cmp-0" { } } depends_on = [ - google_project_iam_member.shared_vpc, module.processing-project ] } diff --git a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf index 4c4c2b5f7c..b88e269f2c 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf @@ -23,7 +23,7 @@ locals { processing_dp_subnet = ( local.use_shared_vpc ? var.network_config.subnet_self_links.orchestration - : values(module.processing-vpc.0.subnet_self_links)[0] + : module.processing-vpc.0.subnet_self_links["${var.region}/${var.prefix}-processing"] ) processing_dp_vpc = ( local.use_shared_vpc diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md index a48b8616bd..a1d60f1c60 100644 --- a/blueprints/data-solutions/data-platform-minimal/README.md +++ b/blueprints/data-solutions/data-platform-minimal/README.md @@ -2,7 +2,7 @@ This module implements a minimal opinionated Data Platform Architecture based on Dataproc Serverless resources. It creates and sets up projects and related resources that compose an end-to-end data environment. -For a complete, more versatile and configurable Data Platform, plese refer to the [Data Platform](../data-platform-foundations/) blueprint. +This minimal Data Platform Architecture keep to a minimal set of projects the solution. The approach make the architecture easy to read and operate but limit the ability to scale to handle multiple worklaods. To better handle more complex use cases where workloads need processing role segmentation betwneed transformations or deeper cost attribution are needed, it is suggested to refer to the [Data Platform](../data-platform-foundations/) blueprint. The code is intentionally simple, as it's intended to provide a generic initial setup and then allow easy customizations to complete the implementation of the intended design. @@ -289,10 +289,9 @@ The application layer is out of scope of this script. As a demo purpuse only, on | [groups](variables.tf#L72) | User groups. | map(string) | | {…} | | [location](variables.tf#L82) | Location used for multi-regional resources. | string | | "eu" | | [network_config](variables.tf#L88) | Shared VPC network configurations to use. If null networks will be created in projects. | object({…}) | | {} | -| [project_services](variables.tf#L152) | List of core services enabled on all projects. | list(string) | | […] | -| [project_suffix](variables.tf#L163) | Suffix used only for project ids. | string | | null | -| [region](variables.tf#L169) | Region used for regional resources. | string | | "europe-west1" | -| [service_encryption_keys](variables.tf#L175) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} | +| [project_suffix](variables.tf#L152) | Suffix used only for project ids. | string | | null | +| [region](variables.tf#L158) | Region used for regional resources. | string | | "europe-west1" | +| [service_encryption_keys](variables.tf#L164) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} | ## Outputs diff --git a/blueprints/data-solutions/data-platform-minimal/main.tf b/blueprints/data-solutions/data-platform-minimal/main.tf index d7467bfb23..ba12f8db8c 100644 --- a/blueprints/data-solutions/data-platform-minimal/main.tf +++ b/blueprints/data-solutions/data-platform-minimal/main.tf @@ -34,7 +34,7 @@ locals { for k, v in local.groups : k => "group:${v}" } project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}" - shared_vpc_project = try(var.network_config.host_project, null) + shared_vpc_project = var.network_config.host_project # this is needed so that for_each only uses static values shared_vpc_role_members = { processing-cloudservices = "serviceAccount:${module.processing-project.service_accounts.cloud_services}" @@ -51,11 +51,19 @@ locals { ]) : "${binding.role}-${binding.member}" => binding } use_shared_vpc = var.network_config.host_project != null -} - -resource "google_project_iam_member" "shared_vpc" { - for_each = local.use_shared_vpc ? local.shared_vpc_bindings_map : {} - project = var.network_config.host_project - role = each.value.role - member = lookup(local.shared_vpc_role_members, each.value.member) + shared_vpc_service_config = var.network_config.host_project == null ? null : { + attach = true + host_project = var.network_config.host_project + service_identity_iam = { + "roles/compute.networkUser" = [ + "cloudservices", "compute", "container-engine" + ] + "roles/composer.sharedVpcAgent" = [ + "composer" + ] + "roles/container.hostServiceAgentUser" = [ + "container-egine" + ] + } + } } diff --git a/blueprints/data-solutions/data-platform-minimal/variables.tf b/blueprints/data-solutions/data-platform-minimal/variables.tf index 172ce6f75d..a63f07c38f 100644 --- a/blueprints/data-solutions/data-platform-minimal/variables.tf +++ b/blueprints/data-solutions/data-platform-minimal/variables.tf @@ -149,17 +149,6 @@ variable "project_config" { } } -variable "project_services" { - description = "List of core services enabled on all projects." - type = list(string) - default = [ - "cloudresourcemanager.googleapis.com", - "iam.googleapis.com", - "serviceusage.googleapis.com", - "stackdriver.googleapis.com" - ] -} - variable "project_suffix" { description = "Suffix used only for project ids." type = string From 61e100fbd94ff4c33d2ec2fbc3b453f2e09e08d3 Mon Sep 17 00:00:00 2001 From: lcaggio Date: Mon, 8 May 2023 10:04:33 +0200 Subject: [PATCH 7/7] Cleaning up locals --- .../data-platform-minimal/02-dataproc.tf | 18 -------- .../data-platform-minimal/02-processing.tf | 17 +++++-- .../data-platform-minimal/main.tf | 45 +------------------ .../data-platform-minimal/outputs.tf | 4 +- 4 files changed, 17 insertions(+), 67 deletions(-) diff --git a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf index b88e269f2c..1161abf018 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-dataproc.tf @@ -14,24 +14,6 @@ # tfdoc:file:description Cloud Dataproc resources. -locals { - iam_prc = { - "roles/bigquery.jobUser" = [ - module.processing-sa-dp-0.iam_email, local.groups_iam.data-engineers - ] - } - processing_dp_subnet = ( - local.use_shared_vpc - ? var.network_config.subnet_self_links.orchestration - : module.processing-vpc.0.subnet_self_links["${var.region}/${var.prefix}-processing"] - ) - processing_dp_vpc = ( - local.use_shared_vpc - ? var.network_config.network_self_link - : module.processing-vpc.0.self_link - ) -} - module "processing-cs-dp-history" { source = "../../../modules/gcs" project_id = module.processing-project.project_id diff --git a/blueprints/data-solutions/data-platform-minimal/02-processing.tf b/blueprints/data-solutions/data-platform-minimal/02-processing.tf index 9460a25dcc..9bbb623430 100644 --- a/blueprints/data-solutions/data-platform-minimal/02-processing.tf +++ b/blueprints/data-solutions/data-platform-minimal/02-processing.tf @@ -44,7 +44,7 @@ locals { processing_subnet = ( local.use_shared_vpc ? var.network_config.subnet_self_links.processingestration - : values(module.processing-vpc.0.subnet_self_links)[0] + : module.processing-vpc.0.subnet_self_links["${var.region}/${var.prefix}-processing"] ) processing_vpc = ( local.use_shared_vpc @@ -91,9 +91,20 @@ module "processing-project" { compute = [var.service_encryption_keys.compute] storage = [var.service_encryption_keys.storage] } - shared_vpc_service_config = local.shared_vpc_project == null ? null : { + shared_vpc_service_config = var.network_config.host_project == null ? null : { attach = true - host_project = local.shared_vpc_project + host_project = var.network_config.host_project + service_identity_iam = { + "roles/compute.networkUser" = [ + "cloudservices", "compute", "container-engine" + ] + "roles/composer.sharedVpcAgent" = [ + "composer" + ] + "roles/container.hostServiceAgentUser" = [ + "container-egine" + ] + } } } diff --git a/blueprints/data-solutions/data-platform-minimal/main.tf b/blueprints/data-solutions/data-platform-minimal/main.tf index ba12f8db8c..605e31f8bd 100644 --- a/blueprints/data-solutions/data-platform-minimal/main.tf +++ b/blueprints/data-solutions/data-platform-minimal/main.tf @@ -15,55 +15,12 @@ # tfdoc:file:description Core locals. locals { - # we cannot reference service accounts directly as they are dynamic - _shared_vpc_bindings = { - "roles/compute.networkUser" = [ - "processing-cloudservices", "processing-robot-compute", "orch-robot-gke" - ] - "roles/composer.sharedVpcAgent" = [ - "processing-robot-cs" - ] - "roles/container.hostServiceAgentUser" = [ - "orch-robot-gke" - ] - } groups = { for k, v in var.groups : k => "${v}@${var.organization_domain}" } groups_iam = { for k, v in local.groups : k => "group:${v}" } - project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}" - shared_vpc_project = var.network_config.host_project - # this is needed so that for_each only uses static values - shared_vpc_role_members = { - processing-cloudservices = "serviceAccount:${module.processing-project.service_accounts.cloud_services}" - orprocessingch-robot-cs = "serviceAccount:${module.processing-project.service_accounts.robots.composer}" - processing-robot-gke = "serviceAccount:${module.processing-project.service_accounts.robots.container-engine}" - processing-robot-compute = "serviceAccount:${module.processing-project.service_accounts.robots.compute}" - } - # reassemble in a format suitable for for_each - shared_vpc_bindings_map = { - for binding in flatten([ - for role, members in local._shared_vpc_bindings : [ - for member in members : { role = role, member = member } - ] - ]) : "${binding.role}-${binding.member}" => binding - } + project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}" use_shared_vpc = var.network_config.host_project != null - shared_vpc_service_config = var.network_config.host_project == null ? null : { - attach = true - host_project = var.network_config.host_project - service_identity_iam = { - "roles/compute.networkUser" = [ - "cloudservices", "compute", "container-engine" - ] - "roles/composer.sharedVpcAgent" = [ - "composer" - ] - "roles/container.hostServiceAgentUser" = [ - "container-egine" - ] - } - } } diff --git a/blueprints/data-solutions/data-platform-minimal/outputs.tf b/blueprints/data-solutions/data-platform-minimal/outputs.tf index ac515afb8b..97eda2a3f5 100644 --- a/blueprints/data-solutions/data-platform-minimal/outputs.tf +++ b/blueprints/data-solutions/data-platform-minimal/outputs.tf @@ -67,7 +67,7 @@ output "projects" { output "vpc_network" { description = "VPC network." value = { - processing_dataproc = local.processing_dp_vpc + processing_dataproc = local.processing_vpc processing_composer = local.processing_vpc } } @@ -75,7 +75,7 @@ output "vpc_network" { output "vpc_subnet" { description = "VPC subnetworks." value = { - processing_dataproc = local.processing_dp_subnet + processing_dataproc = local.processing_subnet processing_composer = local.processing_subnet } }