From 1e5ec02f9a5714b73d4e37d92918dfac566e4578 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 23 Aug 2024 16:07:09 +0200 Subject: [PATCH 01/94] untested --- fast/stages/1-resman/_moved-v34.0.0.tf | 245 +++++++++ fast/stages/1-resman/billing.tf | 73 ++- fast/stages/1-resman/branch-data-platform.tf | 199 ------- fast/stages/1-resman/branch-gcve.tf | 200 ------- fast/stages/1-resman/branch-gke.tf | 200 ------- fast/stages/1-resman/branch-networking.tf | 201 -------- fast/stages/1-resman/branch-nsec.tf | 94 ---- .../stages/1-resman/branch-project-factory.tf | 224 -------- fast/stages/1-resman/branch-sandbox.tf | 81 --- fast/stages/1-resman/branch-security.tf | 118 ----- fast/stages/1-resman/cicd-data-platform.tf | 147 ------ fast/stages/1-resman/cicd-gcve.tf | 147 ------ fast/stages/1-resman/cicd-gke.tf | 147 ------ fast/stages/1-resman/cicd-netsec.tf | 85 --- fast/stages/1-resman/cicd-networking.tf | 84 --- fast/stages/1-resman/cicd-project-factory.tf | 210 -------- fast/stages/1-resman/cicd-security.tf | 84 --- fast/stages/1-resman/cicd.tf | 109 ++++ .../data/stage-3/2-project-factory.yaml | 51 ++ .../data/stage-3/3-data-platform.yaml | 44 ++ fast/stages/1-resman/data/stage-3/3-gcve.yaml | 47 ++ fast/stages/1-resman/data/stage-3/3-gke.yaml | 47 ++ .../data/stage-3/3-network-security.yaml | 26 + .../1-resman/data/stage-3/3-sandbox.yaml | 26 + .../data/top-level-folders/3-gcve-dev.yaml | 22 + .../data/top-level-folders/3-gcve.yaml | 22 + fast/stages/1-resman/iam.tf | 151 ++---- fast/stages/1-resman/main.tf | 87 ++-- fast/stages/1-resman/organization.tf | 62 +-- fast/stages/1-resman/outputs-cicd.tf | 126 +++++ fast/stages/1-resman/outputs.tf | 486 ++---------------- .../1-resman/schemas/fast-stage.schema.json | 213 ++++++++ .../schemas/fast-stage.schema.old.json | 213 ++++++++ fast/stages/1-resman/stage-2-networking.tf | 201 ++++++++ .../1-resman/stage-2-project-factory.tf | 57 ++ fast/stages/1-resman/stage-2-security.tf | 199 +++++++ fast/stages/1-resman/stage-3.tf | 271 ++++++++++ fast/stages/1-resman/top-level-folders.tf | 2 +- 
fast/stages/1-resman/variables-stages.tf | 110 ++++ fast/stages/1-resman/variables.tf | 129 ----- 40 files changed, 2220 insertions(+), 3020 deletions(-) create mode 100644 fast/stages/1-resman/_moved-v34.0.0.tf delete mode 100644 fast/stages/1-resman/branch-data-platform.tf delete mode 100644 fast/stages/1-resman/branch-gcve.tf delete mode 100644 fast/stages/1-resman/branch-gke.tf delete mode 100644 fast/stages/1-resman/branch-networking.tf delete mode 100644 fast/stages/1-resman/branch-nsec.tf delete mode 100644 fast/stages/1-resman/branch-project-factory.tf delete mode 100644 fast/stages/1-resman/branch-sandbox.tf delete mode 100644 fast/stages/1-resman/branch-security.tf delete mode 100644 fast/stages/1-resman/cicd-data-platform.tf delete mode 100644 fast/stages/1-resman/cicd-gcve.tf delete mode 100644 fast/stages/1-resman/cicd-gke.tf delete mode 100644 fast/stages/1-resman/cicd-netsec.tf delete mode 100644 fast/stages/1-resman/cicd-networking.tf delete mode 100644 fast/stages/1-resman/cicd-project-factory.tf delete mode 100644 fast/stages/1-resman/cicd-security.tf create mode 100644 fast/stages/1-resman/cicd.tf create mode 100644 fast/stages/1-resman/data/stage-3/2-project-factory.yaml create mode 100644 fast/stages/1-resman/data/stage-3/3-data-platform.yaml create mode 100644 fast/stages/1-resman/data/stage-3/3-gcve.yaml create mode 100644 fast/stages/1-resman/data/stage-3/3-gke.yaml create mode 100644 fast/stages/1-resman/data/stage-3/3-network-security.yaml create mode 100644 fast/stages/1-resman/data/stage-3/3-sandbox.yaml create mode 100644 fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml create mode 100644 fast/stages/1-resman/data/top-level-folders/3-gcve.yaml create mode 100644 fast/stages/1-resman/outputs-cicd.tf create mode 100644 fast/stages/1-resman/schemas/fast-stage.schema.json create mode 100644 fast/stages/1-resman/schemas/fast-stage.schema.old.json create mode 100644 fast/stages/1-resman/stage-2-networking.tf create mode 100644 
fast/stages/1-resman/stage-2-project-factory.tf create mode 100644 fast/stages/1-resman/stage-2-security.tf create mode 100644 fast/stages/1-resman/stage-3.tf create mode 100644 fast/stages/1-resman/variables-stages.tf
diff --git a/fast/stages/1-resman/_moved-v34.0.0.tf b/fast/stages/1-resman/_moved-v34.0.0.tf
new file mode 100644
index 0000000000..b6a0045e2e
--- /dev/null
+++ b/fast/stages/1-resman/_moved-v34.0.0.tf
@@ -0,0 +1,245 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# stage 2 networking
+
+moved {
+ from = module.branch-network-folder
+ to = module.net-folder
+}
+moved {
+ from = module.branch-network-prod-folder
+ to = module.net-folder-prod
+}
+moved {
+ from = module.branch-network-dev-folder
+ to = module.net-folder-dev
+}
+moved {
+ from = module.branch-network-sa
+ to = module.net-sa-rw
+}
+moved {
+ from = module.branch-network-r-sa
+ to = module.net-sa-ro
+}
+moved {
+ from = module.branch-network-gcs
+ to = module.net-bucket
+}
+
+# stage 2 security
+moved {
+ from = module.branch-security-folder
+ to = module.sec-folder
+}
+moved {
+ from = module.branch-security-prod-folder
+ to = module.sec-folder-prod
+}
+moved {
+ from = module.branch-security-dev-folder
+ to = module.sec-folder-dev
+}
+moved {
+ from = module.branch-security-sa
+ to = module.sec-sa-rw
+}
+moved {
+ from = module.branch-security-r-sa
+ to = module.sec-sa-ro
+}
+moved {
+ from = module.branch-security-gcs
+ to = module.sec-bucket
+}
+
+# stage 2 project factory
+moved {
+ from = module.branch-pf-sa[0]
+ to = module.branch-pf-sa
+}
+moved {
+ from = module.branch-pf-sa
+ to = module.pf-sa-rw
+}
+moved {
+ from = module.branch-pf-dev-sa[0]
+ to = module.sec-sa-ro
+}
+moved {
+ from = module.branch-pf-r-sa
+ to = module.sec-sa-ro
+}
+
+# stage 3 gcve
+
+moved {
+ from = module.branch-gcve-folder
+ to = module.stage3-folder["gcve"]
+}
+moved {
+ from = module.branch-gcve-prod-folder
+ to = module.stage3-folder-prod["gcve"]
+}
+moved {
+ from = module.branch-gcve-dev-folder
+ to = module.stage3-folder-dev["gcve"]
+}
+moved {
+ from = module.branch-gcve-prod-sa
+ to = module.stage3-sa-prod-rw["gcve"]
+}
+moved {
+ from = module.branch-gcve-prod-r-sa
+ to = module.stage3-sa-prod-ro["gcve"]
+}
+moved {
+ from = module.branch-gcve-dev-sa
+ to = module.stage3-sa-dev-rw["gcve"]
+}
+moved {
+ from = module.branch-gcve-dev-r-sa
+ to = module.stage3-sa-dev-ro["gcve"]
+}
+moved {
+ from = module.branch-gcve-prod-gcs
+ to = module.stage3-bucket-prod["gcve"]
+}
+moved {
+ from = module.branch-gcve-dev-gcs
+ to = module.stage3-bucket-dev["gcve"]
+}
+
+# stage 3 gke
+
+moved {
+ from = module.branch-gke-folder
+ to = module.stage3-folder["gke"]
+}
+moved {
+ from = module.branch-gke-prod-folder
+ to = module.stage3-folder-prod["gke"]
+}
+moved {
+ from = module.branch-gke-dev-folder
+ to = module.stage3-folder-dev["gke"]
+}
+moved {
+ from = module.branch-gke-prod-sa
+ to = module.stage3-sa-prod-rw["gke"]
+}
+moved {
+ from = module.branch-gke-prod-r-sa
+ to = module.stage3-sa-prod-ro["gke"]
+}
+moved {
+ from = module.branch-gke-dev-sa
+ to = module.stage3-sa-dev-rw["gke"]
+}
+moved {
+ from = module.branch-gke-dev-r-sa
+ to = module.stage3-sa-dev-ro["gke"]
+}
+moved {
+ from = module.branch-gke-prod-gcs
+ to = module.stage3-bucket-prod["gke"]
+}
+moved {
+ from = module.branch-gke-dev-gcs
+ to = module.stage3-bucket-dev["gke"]
+}
+
+# stage 3 data platform
+
+moved {
+ from = module.branch-dp-folder
+ to = module.stage3-folder["dp"]
+}
+moved {
+ from = module.branch-dp-prod-folder
+ to = module.stage3-folder-prod["dp"]
+}
+moved {
+ from = module.branch-dp-dev-folder
+ to = module.stage3-folder-dev["dp"]
+}
+moved {
+ from = module.branch-dp-prod-sa
+ to = module.stage3-sa-prod-rw["dp"]
+}
+moved {
+ from = module.branch-dp-prod-r-sa
+ to = module.stage3-sa-prod-ro["dp"]
+}
+moved {
+ from = module.branch-dp-dev-sa
+ to = module.stage3-sa-dev-rw["dp"]
+}
+moved {
+ from = module.branch-dp-dev-r-sa
+ to = module.stage3-sa-dev-ro["dp"]
+}
+moved {
+ from = module.branch-dp-prod-gcs
+ to = module.stage3-bucket-prod["dp"]
+}
+moved {
+ from = module.branch-dp-dev-gcs
+ to = module.stage3-bucket-dev["dp"]
+}
+
+# stage 3 nsec
+
+moved {
+ from = module.branch-nsec-sa
+ to = module.stage3-sa-prod-rw["nsec"]
+}
+moved {
+ from = module.branch-nsec-sa[0]
+ to = module.stage3-sa-prod-rw["nsec"]
+}
+moved {
+ from = module.branch-nsec-r-sa
+ to = module.stage3-sa-prod-ro["nsec"]
+}
+moved {
+ from = module.branch-nsec-r-sa[0]
+ to = module.stage3-sa-prod-ro["nsec"]
+}
+moved {
+ from = module.branch-nsec-gcs
+ to = module.stage3-bucket-prod["nsec"]
+}
+moved {
+ from = module.branch-nsec-gcs[0]
+ to = module.stage3-bucket-prod["nsec"]
+}
+
+# stage 3 sandbox
+
+moved {
+ from = module.branch-sandbox-folder
+ to = module.stage3-folder["sbx"]
+}
+moved {
+ from = module.branch-sandbox-sa
+ to = module.stage3-sa-prod-rw["sbx"]
+}
+moved {
+ from = module.branch-sandbox-gcs
+ to = module.stage3-bucket-prod["sbx"]
+}
diff --git a/fast/stages/1-resman/billing.tf b/fast/stages/1-resman/billing.tf
index c289ddfec7..9f03d6e017 100644
--- a/fast/stages/1-resman/billing.tf
+++ b/fast/stages/1-resman/billing.tf
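Review bot: Three `moved` blocks in this file share the destination `module.sec-sa-ro`: the stage 2 security entry from `module.branch-security-r-sa`, and the two entries under `# stage 2 project factory` from `module.branch-pf-dev-sa[0]` and `module.branch-pf-r-sa`. As far as I know Terraform's move validation rejects several sources for one destination, and if it were accepted the state would record a project-factory service account under the security read-only address, so later IAM changes meant for the security stage would be applied to the wrong identity. The two project-factory entries look like a copy-paste slip and presumably should target the project-factory read-only module, whose name is not visible in this hunk. The `# stage 3 nsec` group has the same shape, with the bare and `[0]` forms of each source pointing at one keyed instance. With the subject line saying "untested", a `terraform validate` and a plan against existing state before merge would confirm which of these survive.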
@@ -17,20 +17,46 @@
 # tfdoc:file:description Billing resources for external billing use cases.
 
 locals {
- # used here for convenience, in organization.tf members are explicit
- billing_ext_users = compact([
- try(module.branch-network-sa.iam_email, null),
- try(module.branch-pf-dev-sa.iam_email, null),
- try(module.branch-pf-prod-sa.iam_email, null),
- try(module.branch-pf-sa.iam_email, null),
- try(module.branch-security-sa.iam_email, null),
- try(module.branch-dp-dev-sa[0].iam_email, null),
- try(module.branch-dp-prod-sa[0].iam_email, null),
- try(module.branch-gcve-dev-sa[0].iam_email, null),
- try(module.branch-gcve-prod-sa[0].iam_email, null),
- try(module.branch-gke-dev-sa[0].iam_email, null),
- try(module.branch-gke-prod-sa[0].iam_email, null)
- ])
+ billing_iam = merge(
+ # stage 2
+ var.fast_stage_2.networking.enabled != true ? {} : {
+ sa_net_billing = {
+ member = module.net-sa-rw.iam_email
+ role = "roles/billing.user"
+ }
+ },
+ !var.fast_stage_2.security.enabled ? {} : {
+ sa_sec_billing = {
+ member = module.sec-sa-rw.iam_email
+ role = "roles/billing.user"
+ }
+ },
+ !var.fast_stage_2.project_factory.enabled ? {} : {
+ sa_pf_billing = {
+ member = module.pf-sa-rw[0].iam_email
+ role = "roles/billing.user"
+ },
+ sa_pf_costs_manager = {
+ member = module.pf-sa-rw[0].iam_email
+ role = "roles/billing.costsManager"
+ }
+ },
+ # stage 3 prod
+ {
+ for k, v in var.fast_stage_3 : "${k}-prod" => {
+ member = module.stage3-sa-prod-rw[k].iam_email
+ role = "roles/billing.user"
+ }
+ },
+ # stage 3 dev
+ {
+ for k, v in var.fast_stage_3 : "${k}-dev" => {
+ member = module.stage3-sa-dev-rw[k].iam_email
+ role = "roles/billing.user"
+ }
+ if v.folder_config.create_env_folders == true
+ }
+ )
 billing_mode = (
 var.billing_account.no_iam
 ? null
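Review bot: The three stage 2 guards in `billing_iam` are written two different ways and the modules are indexed inconsistently. Networking uses `var.fast_stage_2.networking.enabled != true`, which treats a null flag as disabled, while security and project factory use `!var.fast_stage_2.<stage>.enabled`, which errors on null; and `module.pf-sa-rw[0]` is indexed although `net-sa-rw` and `sec-sa-rw` are not and the `moved` block in `_moved-v34.0.0.tf` targets un-indexed `module.pf-sa-rw`. Because this map decides which service accounts receive `roles/billing.user` on the billing account, I would use one form throughout, e.g. `var.fast_stage_2.security.enabled != true ? {} : {`, and confirm which of the stage 2 service-account modules actually use `count`. The stage 3 comprehensions grant `roles/billing.user` for every key in `var.fast_stage_3`, so a short comment such as `# every stage 3 definition adds a billing.user principal` would help reviewers of later stage additions. The `locals` block continues past the end of this hunk.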
@@ -42,20 +68,11 @@ locals {
 
 # standalone billing account
 
-resource "google_billing_account_iam_member" "billing_ext_admin" {
- for_each = toset(
- local.billing_mode == "resource" ? local.billing_ext_users : []
- )
- billing_account_id = var.billing_account.id
- role = "roles/billing.user"
- member = each.key
-}
-
-resource "google_billing_account_iam_member" "billing_ext_costsmanager" {
- for_each = toset(
- local.billing_mode == "resource" ? local.billing_ext_users : []
+resource "google_billing_account_iam_member" "default" {
+ for_each = (
+ local.billing_mode != "resource" ? {} : local.billing_iam
 )
 billing_account_id = var.billing_account.id
- role = "roles/billing.costsManager"
- member = each.key
+ role = each.value.role
+ member = each.value.member
 }
diff --git a/fast/stages/1-resman/branch-data-platform.tf b/fast/stages/1-resman/branch-data-platform.tf
deleted file mode 100644
index 42cbb3f0a4..0000000000
--- a/fast/stages/1-resman/branch-data-platform.tf
+++ /dev/null
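Review bot: Nothing near `google_billing_account_iam_member.default` says that upgrading recreates every existing billing binding: the resource is renamed, the `for_each` keys change from member e-mails to static names, and `_moved-v34.0.0.tf` carries no entries for the two old resources. The first apply will therefore destroy and recreate the `roles/billing.user` members, leaving automation service accounts briefly without billing access. `roles/billing.costsManager` is now granted only to the project-factory account, which narrows access but appears as removals in the plan. A comment above the resource, e.g. `# upgrading from pre-v34 state recreates these bindings (resource and keys renamed)`, plus a line in the upgrade notes, would let operators schedule the apply and recognise the removals as intended.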
@@ -1,199 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Data Platform stages resources.
-
-module "branch-dp-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.data_platform ? 1 : 0
- parent = local.root_node
- name = "Data Platform"
- iam = var.folder_iam.data_platform
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.context}/data"].id, null
- )
- }
-}
-
-module "branch-dp-dev-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.data_platform ? 1 : 0
- parent = module.branch-dp-folder[0].id
- name = "Development"
- iam_by_principals = {}
- # owner and viewer roles are broad and might grant unwanted access
- # replace them with more selective custom roles for production deployments
- iam = {
- # read-write (apply) automation service account
- (local.custom_roles.service_project_network_admin) = [
- module.branch-dp-dev-sa[0].iam_email
- ]
- "roles/logging.admin" = [module.branch-dp-dev-sa[0].iam_email]
- "roles/owner" = [module.branch-dp-dev-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa[0].iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-dp-dev-r-sa[0].iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-dp-dev-r-sa[0].iam_email]
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.environment}/development"].id,
- null
- )
- }
-}
-
-module "branch-dp-prod-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.data_platform ? 1 : 0
- parent = module.branch-dp-folder[0].id
- name = "Production"
- iam_by_principals = {}
- # owner and viewer roles are broad and might grant unwanted access
- # replace them with more selective custom roles for production deployments
- iam = {
- # read-write (apply) automation service account
- (local.custom_roles.service_project_network_admin) = [module.branch-dp-prod-sa[0].iam_email]
- "roles/owner" = [module.branch-dp-prod-sa[0].iam_email]
- "roles/logging.admin" = [module.branch-dp-prod-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-dp-prod-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-dp-prod-sa[0].iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-dp-prod-r-sa[0].iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-dp-prod-r-sa[0].iam_email]
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.environment}/production"].id,
- null
- )
- }
-}
-
-# automation service accounts
-
-module "branch-dp-dev-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-dp-0"
- display_name = "Terraform data platform development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-dp-dev-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-module "branch-dp-prod-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-dp-0"
- display_name = "Terraform data platform production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-dp-prod-sa-cicd[0].iam_email, null)
- ])
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service accounts
-
-module "branch-dp-dev-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-dp-0r"
- display_name = "Terraform data platform development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-dp-dev-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-module "branch-dp-prod-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-dp-0r"
- display_name = "Terraform data platform production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-dp-prod-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation buckets
-
-module "branch-dp-dev-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-dp-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-dp-dev-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-dp-dev-r-sa[0].iam_email]
- }
-}
-
-module "branch-dp-prod-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-dp-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-dp-prod-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-dp-prod-r-sa[0].iam_email]
- }
-}
diff --git a/fast/stages/1-resman/branch-gcve.tf b/fast/stages/1-resman/branch-gcve.tf
deleted file mode 100644
index 8b86517b72..0000000000
--- a/fast/stages/1-resman/branch-gcve.tf
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description GCVE stage resources.
-
-module "branch-gcve-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.gcve ? 1 : 0
- parent = local.root_node
- name = "GCVE"
- iam = var.folder_iam.gcve
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.context}/gcve"].id, null
- )
- }
-}
-
-module "branch-gcve-dev-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.gcve ? 1 : 0
- parent = module.branch-gcve-folder[0].id
- name = "Development"
- iam = {
- # read-write (apply) automation service account
- "roles/owner" = [module.branch-gcve-dev-sa[0].iam_email]
- "roles/logging.admin" = [module.branch-gcve-dev-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-gcve-dev-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-gcve-dev-sa[0].iam_email]
- "roles/compute.xpnAdmin" = [module.branch-gcve-dev-sa[0].iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-gcve-dev-r-sa[0].iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-gcve-dev-r-sa[0].iam_email]
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.environment}/development"].id,
- null
- )
- }
-}
-
-module "branch-gcve-prod-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.gcve ? 1 : 0
- parent = module.branch-gcve-folder[0].id
- name = "Production"
- iam = {
- # read-write (apply) automation service account
- "roles/owner" = [module.branch-gcve-prod-sa[0].iam_email]
- "roles/logging.admin" = [module.branch-gcve-prod-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-gcve-prod-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-gcve-prod-sa[0].iam_email]
- "roles/compute.xpnAdmin" = [module.branch-gcve-prod-sa[0].iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-gcve-prod-r-sa[0].iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-gcve-prod-r-sa[0].iam_email]
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.environment}/production"].id,
- null
- )
- }
-}
-
-# automation service accounts
-
-module "branch-gcve-dev-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gcve ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gcve-0"
- display_name = "Terraform GCVE development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- [local.principals.gcp-devops],
- compact([
- try(module.branch-gcve-dev-sa-cicd[0].iam_email, null)
- ])
- )
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-module "branch-gcve-prod-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gcve ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gcve-0"
- display_name = "Terraform GCVE production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- [local.principals.gcp-devops],
- compact([
- try(module.branch-gcve-prod-sa-cicd[0].iam_email, null)
- ])
- )
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service accounts
-
-module "branch-gcve-dev-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gcve ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gcve-0r"
- display_name = "Terraform GCVE development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-gcve-dev-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-module "branch-gcve-prod-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gcve ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gcve-0r"
- display_name = "Terraform GCVE production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-gcve-prod-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation buckets
-
-module "branch-gcve-dev-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.gcve ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gcve-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-gcve-dev-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-gcve-dev-r-sa[0].iam_email]
- }
-}
-
-module "branch-gcve-prod-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.gcve ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gcve-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-gcve-prod-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-gcve-prod-r-sa[0].iam_email]
- }
-}
diff --git a/fast/stages/1-resman/branch-gke.tf b/fast/stages/1-resman/branch-gke.tf
deleted file mode 100644
index 02ebe698f1..0000000000
--- a/fast/stages/1-resman/branch-gke.tf
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description GKE multitenant stage resources.
-
-module "branch-gke-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.gke ? 1 : 0
- parent = local.root_node
- name = "GKE"
- iam = var.folder_iam.gke
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.context}/gke"].id, null
- )
- }
-}
-
-module "branch-gke-dev-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.gke ? 1 : 0
- parent = module.branch-gke-folder[0].id
- name = "Development"
- iam = {
- # read-write (apply) automation service account
- "roles/owner" = [module.branch-gke-dev-sa[0].iam_email]
- "roles/logging.admin" = [module.branch-gke-dev-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-gke-dev-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-gke-dev-sa[0].iam_email]
- "roles/compute.xpnAdmin" = [module.branch-gke-dev-sa[0].iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-gke-dev-r-sa[0].iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-gke-dev-r-sa[0].iam_email]
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.environment}/development"].id,
- null
- )
- }
-}
-
-module "branch-gke-prod-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.gke ? 1 : 0
- parent = module.branch-gke-folder[0].id
- name = "Production"
- iam = {
- # read-write (apply) automation service account
- "roles/owner" = [module.branch-gke-prod-sa[0].iam_email]
- "roles/logging.admin" = [module.branch-gke-prod-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-gke-prod-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-gke-prod-sa[0].iam_email]
- "roles/compute.xpnAdmin" = [module.branch-gke-prod-sa[0].iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-gke-prod-r-sa[0].iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-gke-prod-r-sa[0].iam_email]
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.environment}/production"].id,
- null
- )
- }
-}
-
-# automation service accounts
-
-module "branch-gke-dev-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gke-0"
- display_name = "Terraform gke multitenant dev service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- [local.principals.gcp-devops],
- compact([
- try(module.branch-gke-dev-sa-cicd[0].iam_email, null)
- ])
- )
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-module "branch-gke-prod-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gke-0"
- display_name = "Terraform gke multitenant prod service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- [local.principals.gcp-devops],
- compact([
- try(module.branch-gke-prod-sa-cicd[0].iam_email, null)
- ])
- )
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service accounts
-
-module "branch-gke-dev-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gke-0r"
- display_name = "Terraform gke multitenant development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-gke-dev-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-module "branch-gke-prod-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gke-0r"
- display_name = "Terraform gke multitenant production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-gke-prod-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation buckets
-
-module "branch-gke-dev-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gke-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-gke-dev-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-gke-dev-r-sa[0].iam_email]
- }
-}
-
-module "branch-gke-prod-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gke-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-gke-prod-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-gke-prod-r-sa[0].iam_email]
- }
-}
diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf
deleted file mode 100644
index 68314a18a0..0000000000
--- a/fast/stages/1-resman/branch-networking.tf
+++ /dev/null
@@ -1,201 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Networking stage resources.
-
-locals {
- # FAST-specific IAM
- _network_folder_fast_iam = merge(
- {
- # read-write (apply) automation service account
- "roles/logging.admin" = [module.branch-network-sa.iam_email]
- "roles/owner" = [module.branch-network-sa.iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-network-sa.iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-network-sa.iam_email]
- "roles/compute.xpnAdmin" = [module.branch-network-sa.iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-network-r-sa.iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
- },
- var.fast_features.nsec != true ? {} : {
- # nsec service accounts
- "roles/serviceusage.serviceUsageAdmin" = [
- try(module.branch-nsec-sa[0].iam_email, null)
- ]
- "roles/serviceusage.serviceUsageConsumer" = [
- try(module.branch-nsec-r-sa[0].iam_email, null)
- ]
- (var.custom_roles["network_firewall_policies_admin"]) = [
- try(module.branch-nsec-sa[0].iam_email, null)
- ]
- (var.custom_roles["network_firewall_policies_viewer"]) = [
- try(module.branch-nsec-r-sa[0].iam_email, null)
- ]
- }
- )
- # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
- _network_folder_iam = merge(
- var.folder_iam.network,
- {
- for role, principals in local._network_folder_fast_iam :
- role => distinct(concat(principals, lookup(var.folder_iam.network, role, [])))
- }
- )
-}
-
-module "branch-network-folder" {
- source = "../../../modules/folder"
- parent = local.root_node
- name = "Networking"
- iam_by_principals = {
- (local.principals.gcp-network-admins) = [
- # owner and viewer roles are broad and might grant unwanted access
- # replace them with more selective custom roles for production deployments
- "roles/editor",
- ]
- }
- iam = local._network_folder_iam
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.context}/networking"].id, null
- )
- }
-}
-
-module "branch-network-prod-folder" {
- source = "../../../modules/folder"
- parent = module.branch-network-folder.id
- name = "Production"
- iam = {
- # read-write (apply) automation service accounts
- (local.custom_roles.service_project_network_admin) = compact([
- try(module.branch-dp-prod-sa[0].iam_email, null),
- try(module.branch-gcve-prod-sa[0].iam_email, null),
- try(module.branch-gke-prod-sa[0].iam_email, null),
- try(module.branch-pf-sa.iam_email, null),
- try(module.branch-pf-prod-sa.iam_email, null)
- ])
- # read-only (plan) automation service accounts
- "roles/compute.networkViewer" = compact([
- try(module.branch-dp-prod-r-sa[0].iam_email, null),
- try(module.branch-gcve-prod-r-sa[0].iam_email, null),
- try(module.branch-gke-prod-r-sa[0].iam_email, null),
- try(module.branch-pf-r-sa.iam_email, null),
- try(module.branch-pf-prod-r-sa.iam_email, null)
- ])
- (local.custom_roles.gcve_network_admin) = compact([
- try(module.branch-gcve-prod-sa[0].iam_email, null)
- ])
- }
- tag_bindings = {
- environment = try(
- local.tag_values["${var.tag_names.environment}/production"].id,
- null
- )
- }
-}
-
-module "branch-network-dev-folder" {
- source = "../../../modules/folder"
- parent = module.branch-network-folder.id
- name = "Development"
- iam = {
- # read-write (apply) automation service accounts
- (local.custom_roles.service_project_network_admin) = compact([
- try(module.branch-dp-dev-sa[0].iam_email, null),
- try(module.branch-gcve-dev-sa[0].iam_email, null),
- try(module.branch-gke-dev-sa[0].iam_email, null),
- try(module.branch-pf-sa.iam_email, null),
- try(module.branch-pf-dev-sa.iam_email, null)
- ])
- # read-only (plan) automation service accounts
- "roles/compute.networkViewer" = compact([
- try(module.branch-dp-dev-r-sa[0].iam_email, null),
- try(module.branch-gcve-dev-r-sa[0].iam_email, null),
- try(module.branch-gke-dev-r-sa[0].iam_email, null),
- try(module.branch-pf-r-sa.iam_email, null),
- try(module.branch-pf-dev-r-sa.iam_email, null)
- ])
- (local.custom_roles.gcve_network_admin) = compact([
- try(module.branch-gcve-dev-sa[0].iam_email, null)
- ])
- }
- tag_bindings = {
- environment = try(
- local.tag_values["${var.tag_names.environment}/development"].id,
- null
- )
- }
-}
-
-# automation service account
-
-module "branch-network-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-net-0"
- display_name = "Terraform resman networking service account."
- prefix = var.prefix
- service_account_create = var.root_node == null
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-network-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service account
-
-module "branch-network-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-net-0r"
- display_name = "Terraform resman networking service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-network-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation bucket
-
-module "branch-network-gcs" {
- source = "../../../modules/gcs"
- project_id = var.automation.project_id
- name = "prod-resman-net-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-network-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-network-r-sa.iam_email]
- }
-}
diff --git a/fast/stages/1-resman/branch-nsec.tf b/fast/stages/1-resman/branch-nsec.tf
deleted file mode 100644
index cb1c56cd1d..0000000000
--- a/fast/stages/1-resman/branch-nsec.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Network security stage resources.
-
-# automation service account
-
-moved {
- from = module.branch-nsec-sa
- to = module.branch-nsec-sa[0]
-}
-
-module "branch-nsec-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.nsec ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-nsec-0"
- display_name = "Terraform resman network security service account."
- prefix = var.prefix
- service_account_create = var.root_node == null
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-nsec-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service account
-
-moved {
- from = module.branch-nsec-r-sa
- to = module.branch-nsec-r-sa[0]
-}
-
-module "branch-nsec-r-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.nsec ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-nsec-0r"
- display_name = "Terraform resman network security service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-nsec-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation bucket
-
-moved {
- from = module.branch-nsec-gcs
- to = module.branch-nsec-gcs[0]
-}
-
-module "branch-nsec-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.nsec ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-nsec-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-nsec-sa[0].iam_email]
- "roles/storage.objectViewer" = [module.branch-nsec-r-sa[0].iam_email]
- }
-}
diff --git a/fast/stages/1-resman/branch-project-factory.tf b/fast/stages/1-resman/branch-project-factory.tf
deleted file mode 100644
index 0e6c6134c6..0000000000
--- a/fast/stages/1-resman/branch-project-factory.tf
+++ /dev/null
@@ -1,224 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Project factory stage resources.
-
-# automation service accounts
-
-moved {
- from = module.branch-pf-sa[0]
- to = module.branch-pf-sa
-}
-
-module "branch-pf-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "resman-pf-0"
- display_name = "Terraform project factory main service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-pf-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-moved {
- from = module.branch-pf-dev-sa[0]
- to = module.branch-pf-dev-sa
-}
-
-module "branch-pf-dev-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "dev-resman-pf-0"
- display_name = "Terraform project factory development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-pf-dev-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-moved {
- from = module.branch-pf-prod-sa[0]
- to = module.branch-pf-prod-sa
-}
-
-module "branch-pf-prod-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-pf-0"
- display_name = "Terraform project factory production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-pf-prod-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service accounts
-
-moved {
- from = module.branch-pf-r-sa[0]
- to = module.branch-pf-r-sa
-}
-
-module "branch-pf-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "resman-pf-0r"
- display_name = "Terraform project factory main service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-pf-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-moved {
- from = module.branch-pf-dev-r-sa[0]
- to = module.branch-pf-dev-r-sa
-}
-
-module "branch-pf-dev-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "dev-resman-pf-0r"
- display_name = "Terraform project factory development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-pf-dev-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-moved {
- from = module.branch-pf-prod-r-sa[0]
- to = module.branch-pf-prod-r-sa
-}
-
-module "branch-pf-prod-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-pf-0r"
- display_name = "Terraform project factory production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-pf-prod-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation buckets
-
-moved {
- from = module.branch-pf-gcs[0]
- to = module.branch-pf-gcs
-}
-
-module "branch-pf-gcs" {
- source = "../../../modules/gcs"
- project_id = var.automation.project_id
- name = "resman-pf-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-pf-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-pf-r-sa.iam_email]
- }
-}
-
-moved {
- from = module.branch-pf-dev-gcs[0]
- to = module.branch-pf-dev-gcs
-}
-
-module "branch-pf-dev-gcs" {
- source = "../../../modules/gcs"
- project_id = var.automation.project_id
- name = "dev-resman-pf-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-pf-dev-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-pf-dev-r-sa.iam_email]
- }
-}
-
-moved {
- from = module.branch-pf-prod-gcs[0]
- to = module.branch-pf-prod-gcs
-}
-
-module "branch-pf-prod-gcs" {
- source = "../../../modules/gcs"
- project_id = var.automation.project_id
- name = "prod-resman-pf-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-pf-prod-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-pf-prod-r-sa.iam_email]
- }
-}
diff --git a/fast/stages/1-resman/branch-sandbox.tf b/fast/stages/1-resman/branch-sandbox.tf
deleted file mode 100644
index 8e7de8498d..0000000000
--- a/fast/stages/1-resman/branch-sandbox.tf
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Sandbox stage resources.
-
-locals {
- # FAST-specific IAM
- _sandbox_folder_fast_iam = !var.fast_features.sandbox ? {} : {
- "roles/logging.admin" = [module.branch-sandbox-sa[0].iam_email]
- "roles/owner" = [module.branch-sandbox-sa[0].iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-sandbox-sa[0].iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa[0].iam_email]
- }
- # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
- _sandbox_folder_iam = merge(
- var.folder_iam.sandbox,
- {
- for role, principals in local._sandbox_folder_fast_iam :
- role => distinct(concat(principals, lookup(var.folder_iam.sandbox, role, [])))
- }
- )
-}
-
-module "branch-sandbox-folder" {
- source = "../../../modules/folder"
- count = var.fast_features.sandbox ? 1 : 0
- parent = local.root_node
- name = "Sandbox"
- iam = local._sandbox_folder_iam
- factories_config = {
- org_policies = (
- var.root_node != null || var.factories_config.org_policies == null
- ? null
- : "${var.factories_config.org_policies}/sandbox"
- )
- }
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.context}/sandbox"].id, null
- )
- }
-}
-
-module "branch-sandbox-gcs" {
- source = "../../../modules/gcs"
- count = var.fast_features.sandbox ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-sbox-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-sandbox-sa[0].iam_email]
- }
-}
-
-module "branch-sandbox-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.sandbox ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-sbox-0"
- display_name = "Terraform resman sandbox service account."
- prefix = var.prefix
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
-}
diff --git a/fast/stages/1-resman/branch-security.tf b/fast/stages/1-resman/branch-security.tf
deleted file mode 100644
index 1742f03555..0000000000
--- a/fast/stages/1-resman/branch-security.tf
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Security stage resources.
-
-locals {
- # FAST-specific IAM
- _security_folder_fast_iam = {
- "roles/logging.admin" = [module.branch-security-sa.iam_email]
- "roles/owner" = [module.branch-security-sa.iam_email]
- "roles/resourcemanager.folderAdmin" = [module.branch-security-sa.iam_email]
- "roles/resourcemanager.projectCreator" = [module.branch-security-sa.iam_email]
- # read-only (plan) automation service account
- "roles/viewer" = [module.branch-security-r-sa.iam_email]
- "roles/resourcemanager.folderViewer" = [module.branch-security-r-sa.iam_email]
- }
-
- # deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
- _security_folder_iam = merge(
- var.folder_iam.security,
- {
- for role, principals in local._security_folder_fast_iam :
- role => distinct(concat(principals, lookup(var.folder_iam.security, role, [])))
- }
- )
-}
-
-module "branch-security-folder" {
- source = "../../../modules/folder"
- parent = local.root_node
- name = "Security"
- iam_by_principals = {
- (local.principals.gcp-security-admins) = [
- # owner and viewer roles are broad and might grant unwanted access
- # replace them with more selective custom roles for production deployments
- "roles/editor"
- ]
- }
- iam = local._security_folder_iam
- tag_bindings = {
- context = try(
- local.tag_values["${var.tag_names.context}/security"].id, null
- )
- }
-}
-
-# automation service account
-
-module "branch-security-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-sec-0"
- display_name = "Terraform resman security service account."
- prefix = var.prefix
- service_account_create = var.root_node == null
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-security-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"]
- }
-}
-
-# automation read-only service account
-
-module "branch-security-r-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-sec-0r"
- display_name = "Terraform resman security service account (read-only)."
- prefix = var.prefix
- service_account_create = var.root_node == null
- iam = {
- "roles/iam.serviceAccountTokenCreator" = compact([
- try(module.branch-security-r-sa-cicd[0].iam_email, null)
- ])
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]]
- }
-}
-
-# automation bucket
-
-module "branch-security-gcs" {
- source = "../../../modules/gcs"
- project_id = var.automation.project_id
- name = "prod-resman-sec-0"
- prefix = var.prefix
- location = var.locations.gcs
- storage_class = local.gcs_storage_class
- versioning = true
- iam = {
- "roles/storage.objectAdmin" = [module.branch-security-sa.iam_email]
- "roles/storage.objectViewer" = [module.branch-security-r-sa.iam_email]
- }
-}
diff --git a/fast/stages/1-resman/cicd-data-platform.tf b/fast/stages/1-resman/cicd-data-platform.tf
deleted file mode 100644
index d99a3d1986..0000000000
--- a/fast/stages/1-resman/cicd-data-platform.tf
+++ /dev/null
@@ -1,147 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the data platform branch.
-
-# read-write (apply) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-dp-dev-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.data_platform_dev.name, null) != null
- ? { 0 = local.cicd_repositories.data_platform_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-dp-1"
- display_name = "Terraform CI/CD data platform development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-dp-prod-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.data_platform_prod.name, null) != null
- ? { 0 = local.cicd_repositories.data_platform_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-dp-1"
- display_name = "Terraform CI/CD data platform production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-dp-dev-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.data_platform_dev.name, null) != null
- ? { 0 = local.cicd_repositories.data_platform_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-dp-1r"
- display_name = "Terraform CI/CD data platform development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-dp-prod-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.data_platform_prod.name, null) != null
- ? { 0 = local.cicd_repositories.data_platform_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-dp-1r"
- display_name = "Terraform CI/CD data platform production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd-gcve.tf b/fast/stages/1-resman/cicd-gcve.tf
deleted file mode 100644
index c4acf1d50c..0000000000
--- a/fast/stages/1-resman/cicd-gcve.tf
+++ /dev/null
@@ -1,147 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the GCVE branch.
-
-# read-write (apply) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-gcve-dev-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gcve_dev.name, null) != null
- ? { 0 = local.cicd_repositories.gcve_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-gcve-1"
- display_name = "Terraform CI/CD GCVE development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-gcve-prod-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gcve_prod.name, null) != null
- ? { 0 = local.cicd_repositories.gcve_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-gcve-1"
- display_name = "Terraform CI/CD GCVE production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-gcve-dev-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gcve_dev.name, null) != null
- ? { 0 = local.cicd_repositories.gcve_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-gcve-1r"
- display_name = "Terraform CI/CD GCVE development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-gcve-prod-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gcve_prod.name, null) != null
- ? { 0 = local.cicd_repositories.gcve_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-gcve-1r"
- display_name = "Terraform CI/CD GCVE production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd-gke.tf b/fast/stages/1-resman/cicd-gke.tf
deleted file mode 100644
index ec31fe8782..0000000000
--- a/fast/stages/1-resman/cicd-gke.tf
+++ /dev/null
@@ -1,147 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the GKE multitenant branch.
-
-# read-write (apply) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-gke-dev-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gke_dev.name, null) != null
- ? { 0 = local.cicd_repositories.gke_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-gke-1"
- display_name = "Terraform CI/CD GKE development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-gke-prod-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gke_prod.name, null) != null
- ?
{ 0 = local.cicd_repositories.gke_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-gke-1"
- display_name = "Terraform CI/CD GKE production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-gke-dev-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gke_dev.name, null) != null
- ? { 0 = local.cicd_repositories.gke_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-gke-1r"
- display_name = "Terraform CI/CD gke multitenant development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-gke-prod-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.gke_prod.name, null) != null
- ?
{ 0 = local.cicd_repositories.gke_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-gke-1r"
- display_name = "Terraform CI/CD gke multitenant production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd-netsec.tf b/fast/stages/1-resman/cicd-netsec.tf
deleted file mode 100644
index 335acf18d2..0000000000
--- a/fast/stages/1-resman/cicd-netsec.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the networking branch.
-
-# read-write (apply) SA used by CI/CD workflows
-# to impersonate nsec automation SA
-
-module "branch-nsec-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.nsec.name, null) != null
- ? { 0 = local.cicd_repositories.nsec }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-nsec-1"
- display_name = "Terraform CI/CD stage 2 network security service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SA used by CI/CD workflows to impersonate nsec automation SA
-
-module "branch-nsec-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.nsec.name, null) != null
- ?
{ 0 = local.cicd_repositories.nsec }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-nsec-1r"
- display_name = "Terraform CI/CD stage 2 network security service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd-networking.tf b/fast/stages/1-resman/cicd-networking.tf
deleted file mode 100644
index 7a4b5c17f6..0000000000
--- a/fast/stages/1-resman/cicd-networking.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the networking branch.
-
-# read-write (apply) SA used by CI/CD workflows to impersonate automation SA
-
-module "branch-network-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.networking.name, null) != null
- ? { 0 = local.cicd_repositories.networking }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-net-1"
- display_name = "Terraform CI/CD stage 2 networking service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SA used by CI/CD workflows to impersonate automation SA
-
-module "branch-network-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.networking.name, null) != null
- ?
{ 0 = local.cicd_repositories.networking }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-net-1r"
- display_name = "Terraform CI/CD stage 2 networking service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd-project-factory.tf b/fast/stages/1-resman/cicd-project-factory.tf
deleted file mode 100644
index 92ba95296a..0000000000
--- a/fast/stages/1-resman/cicd-project-factory.tf
+++ /dev/null
@@ -1,210 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the project factories.
-
-# read-write (apply) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-pf-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.project_factory.name, null) != null
- ? { 0 = local.cicd_repositories.project_factory }
- : {}
- )
- project_id = var.automation.project_id
- name = "pf-resman-pf-1"
- display_name = "Terraform CI/CD project factory main service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-pf-dev-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.project_factory_dev.name, null) != null
- ?
{ 0 = local.cicd_repositories.project_factory_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-pf-resman-pf-1"
- display_name = "Terraform CI/CD project factory development service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-pf-prod-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.project_factory_prod.name, null) != null
- ? { 0 = local.cicd_repositories.project_factory_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-pf-resman-pf-1"
- display_name = "Terraform CI/CD project factory production service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ?
format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SAs used by CI/CD workflows to impersonate automation SAs
-
-module "branch-pf-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.project_factory.name, null) != null
- ? { 0 = local.cicd_repositories.project_factory }
- : {}
- )
- project_id = var.automation.project_id
- name = "resman-pf-1r"
- display_name = "Terraform CI/CD project factory main service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-pf-dev-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.project_factory_dev.name, null) != null
- ? { 0 = local.cicd_repositories.project_factory_dev }
- : {}
- )
- project_id = var.automation.project_id
- name = "dev-resman-pf-1r"
- display_name = "Terraform CI/CD project factory development service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-module "branch-pf-prod-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.project_factory_prod.name, null) != null
- ? { 0 = local.cicd_repositories.project_factory_prod }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-pf-1r"
- display_name = "Terraform CI/CD project factory production service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd-security.tf b/fast/stages/1-resman/cicd-security.tf
deleted file mode 100644
index 1fbb444d13..0000000000
--- a/fast/stages/1-resman/cicd-security.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description CI/CD resources for the security branch.
-
-# read-write (apply) SA used by CI/CD workflows to impersonate automation SA
-
-module "branch-security-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.security.name, null) != null
- ? { 0 = local.cicd_repositories.security }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-sec-1"
- display_name = "Terraform CI/CD stage 2 security service account."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- each.value.branch == null
- ? format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- : format(
- local.identity_providers[each.value.identity_provider].principal_branch,
- var.automation.federated_identity_pool,
- each.value.name,
- each.value.branch
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
-
-# read-only (plan) SA used by CI/CD workflows to impersonate automation SA
-
-module "branch-security-r-sa-cicd" {
- source = "../../../modules/iam-service-account"
- for_each = (
- try(local.cicd_repositories.security.name, null) != null
- ?
{ 0 = local.cicd_repositories.security }
- : {}
- )
- project_id = var.automation.project_id
- name = "prod-resman-sec-1r"
- display_name = "Terraform CI/CD stage 2 security service account (read-only)."
- prefix = var.prefix
- iam = {
- "roles/iam.workloadIdentityUser" = [
- format(
- local.identity_providers[each.value.identity_provider].principal_repo,
- var.automation.federated_identity_pool,
- each.value.name
- )
- ]
- }
- iam_project_roles = {
- (var.automation.project_id) = ["roles/logging.logWriter"]
- }
- iam_storage_roles = {
- (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
- }
-}
diff --git a/fast/stages/1-resman/cicd.tf b/fast/stages/1-resman/cicd.tf
new file mode 100644
index 0000000000..78b58aedab
--- /dev/null
+++ b/fast/stages/1-resman/cicd.tf
@@ -0,0 +1,109 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ _cicd_configs = merge(
+ {
+ for k, v in var.fast_stage_2 :
+ k => merge(v.cicd_config, { env = "prod", lvl = 2 })
+ if v.cicd_config != null
+ },
+ {
+ for k, v in var.fast_stage_3 :
+ "${k}-prod" => merge(v.cicd_config, { env = "prod", short_name = k, lvl = 3 })
+ if v.cicd_config != null
+ },
+ {
+ for k, v in var.fast_stage_3 :
+ "${k}-dev" => merge(v.cicd_config, { env = "dev", short_name = k, lvl = 3 })
+ if v.cicd_config != null && v.folder_config.create_env_folders == true
+ },
+ )
+ # filter by valid identity provider and type
+ cicd_repositories = {
+ for k, v in local._cicd_configs : k => v if(
+ contains(keys(local.identity_providers), v.identity_provider) &&
+ fileexists("${path.module}/templates/workflow-${v.repository.type}.yaml")
+ )
+ }
+ cicd_workflow_files = {
+ stage_2 = [
+ "0-bootstrap.auto.tfvars.json",
+ "1-resman.auto.tfvars.json",
+ "0-globals.auto.tfvars.json"
+ ]
+ stage_3 = [for k, v in local._cicd_configs.stage_2 : "2-${k}.auto.tfvars"]
+ }
+}
+
+module "cicd-sa-rw" {
+ source = "../../../modules/iam-service-account"
+ for_each = local.cicd_repositories
+ project_id = var.automation.project_id
+ name = "${each.value.env}-resman-${each.value.short_name}-1"
+ display_name = (
+ "CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account."
+ )
+ prefix = var.prefix
+ iam = {
+ "roles/iam.workloadIdentityUser" = [
+ each.value.repository.branch == null
+ ? format(
+ local.identity_providers[each.value.identity_provider].principal_repo,
+ var.automation.federated_identity_pool,
+ each.value.repository.name
+ )
+ : format(
+ local.identity_providers[each.value.identity_provider].principal_branch,
+ var.automation.federated_identity_pool,
+ each.value.repository.name,
+ each.value.repository.branch
+ )
+ ]
+ }
+ iam_project_roles = {
+ (var.automation.project_id) = ["roles/logging.logWriter"]
+ }
+ iam_storage_roles = {
+ (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
+ }
+}
+
+module "cicd-sa-ro" {
+ source = "../../../modules/iam-service-account"
+ for_each = local.cicd_repositories
+ project_id = var.automation.project_id
+ name = "${each.value.env}-resman-${each.value.short_name}-1r"
+ display_name = (
+ "CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account (read-only)."
+ )
+ prefix = var.prefix
+ iam = {
+ "roles/iam.workloadIdentityUser" = [
+ format(
+ local.identity_providers[each.value.identity_provider].principal_repo,
+ var.automation.federated_identity_pool,
+ each.value.repository.name
+ )
+ ]
+ }
+ iam_project_roles = {
+ (var.automation.project_id) = ["roles/logging.logWriter"]
+ }
+ iam_storage_roles = {
+ (var.automation.outputs_bucket) = ["roles/storage.objectViewer"]
+ }
+}
diff --git a/fast/stages/1-resman/data/stage-3/2-project-factory.yaml b/fast/stages/1-resman/data/stage-3/2-project-factory.yaml
new file mode 100644
index 0000000000..600239bf9b
--- /dev/null
+++ b/fast/stages/1-resman/data/stage-3/2-project-factory.yaml
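Review bot: In `cicd-sa-rw`, a null `each.value.repository.branch` makes the `roles/iam.workloadIdentityUser` binding fall back to `principal_repo`, so the apply-capable service account is presumably impersonable from any ref of the repository rather than from one protected branch. Because this single module now covers every stage 2 and stage 3 repository, the fallback deserves a comment above the conditional, for example `# no branch set: any workflow in the repository can impersonate this rw SA`, and a branch could be required for `env = "prod"` entries where `var.fast_stage_2` and `var.fast_stage_3` are declared (outside this hunk). In `locals`, `local._cicd_configs.stage_2` looks up a key named `stage_2` in a map keyed by stage name, so `stage_3 = [for k, v in var.fast_stage_2 : "2-${k}.auto.tfvars"]` is probably what was meant. The stage 2 entries also merge only `env` and `lvl`, while both modules read `each.value.short_name`, which fails unless `cicd_config` itself carries that attribute.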
@@ -0,0 +1,51 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage.schema.json
+
+short_name: pf
+tag_value_name: project-factory
+main:
+ root_node:
+ service_account_iam:
+ rw:
+ - role: roles/orgpolicy.policyAdmin
+ match_tag_values:
+ - context/project-factory
+ - role: roles/orgpolicy.policyViewer
+ match_tag_values:
+ - context/project-factory
+environments:
+ dev:
+ root_node:
+ service_account_iam:
+ rw:
+ - role: roles/orgpolicy.policyAdmin
+ match_tag_values:
+ - context/project-factory
+ - role: roles/orgpolicy.policyViewer
+ match_tag_values:
+ - context/project-factory
+ - environment/development
+ prod:
+ root_node:
+ service_account_iam:
+ rw:
+ - role: roles/orgpolicy.policyAdmin
+ match_tag_values:
+ - context/project-factory
+ - role: roles/orgpolicy.policyViewer
+ match_tag_values:
+ - context/project-factory
+ - environment/production
diff --git a/fast/stages/1-resman/data/stage-3/3-data-platform.yaml b/fast/stages/1-resman/data/stage-3/3-data-platform.yaml
new file mode 100644
index 0000000000..7b416733f3
--- /dev/null
+++ b/fast/stages/1-resman/data/stage-3/3-data-platform.yaml
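Review bot: Under `environments.dev` and `environments.prod`, `roles/orgpolicy.policyAdmin` is matched only on `context/project-factory`, while the `environment/development` and `environment/production` values appear only under `roles/orgpolicy.policyViewer`. If the tag values are combined into the IAM condition (that logic is outside this hunk), the read-write account's org policy admin grant is not narrowed to its own environment; adding `- environment/development` and `- environment/production` to the respective `policyAdmin` entries would scope it. `policyViewer` also sits in the `rw` list in all three blocks and there is no `ro` key, so the read-only account seems to receive nothing here and the viewer entry probably belongs under `ro:`. Indentation is lost in this rendering, so the nesting should be confirmed against the file.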
@@ -0,0 +1,44 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage.schema.json
+
+short_name: dp
+environments:
+ dev:
+ folder:
+ name: Development
+ service_account_iam:
+ rw:
+ - roles/owner
+ - roles/logging.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/compute.xpnAdmin
+ ro:
+ - roles/viewer
+ - roles/resourcemanager.folderViewer
+ prod:
+ folder:
+ name: Production
+ service_account_iam:
+ rw:
+ - roles/owner
+ - roles/logging.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/compute.xpnAdmin
+ ro:
+ - roles/viewer
+ - roles/resourcemanager.folderViewer
diff --git a/fast/stages/1-resman/data/stage-3/3-gcve.yaml b/fast/stages/1-resman/data/stage-3/3-gcve.yaml
new file mode 100644
index 0000000000..65e2d49990
--- /dev/null
+++ b/fast/stages/1-resman/data/stage-3/3-gcve.yaml
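Review bot: The `rw` list grants `roles/owner` on each environment folder to a service account that CI/CD workflows impersonate, and the same grant is repeated in `3-gcve.yaml`, `3-gke.yaml` and `3-sandbox.yaml`. A basic role at folder level covers far more than a single stage needs and makes the effective permissions hard to audit. If it is carried over from the removed `branch-data-platform.tf` (not visible here), a comment such as `# roles/owner carried over from the previous branch definition, to be narrowed per stage` would record that it is deliberate. This file also has no `main` block, unlike `3-gcve.yaml` and `3-gke.yaml`, so it is not visible here which parent the `Development` and `Production` folders are created under.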
@@ -0,0 +1,47 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage.schema.json
+
+short_name: gcve
+main:
+ folder:
+ name: GCVE
+environments:
+ dev:
+ folder:
+ name: Development
+ service_account_iam:
+ rw:
+ - roles/owner
+ - roles/logging.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/compute.xpnAdmin
+ ro:
+ - roles/viewer
+ - roles/resourcemanager.folderViewer
+ prod:
+ folder:
+ name: Production
+ service_account_iam:
+ rw:
+ - roles/owner
+ - roles/logging.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/compute.xpnAdmin
+ ro:
+ - roles/viewer
+ - roles/resourcemanager.folderViewer
diff --git a/fast/stages/1-resman/data/stage-3/3-gke.yaml b/fast/stages/1-resman/data/stage-3/3-gke.yaml
new file mode 100644
index 0000000000..946ef4c8de
--- /dev/null
+++ b/fast/stages/1-resman/data/stage-3/3-gke.yaml
@@ -0,0 +1,47 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage.schema.json
+
+short_name: gke
+main:
+ folder:
+ name: GKE
+environments:
+ dev:
+ folder:
+ name: Development
+ service_account_iam:
+ rw:
+ - roles/owner
+ - roles/logging.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/compute.xpnAdmin
+ ro:
+ - roles/viewer
+ - roles/resourcemanager.folderViewer
+ prod:
+ folder:
+ name: Production
+ service_account_iam:
+ rw:
+ - roles/owner
+ - roles/logging.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/compute.xpnAdmin
+ ro:
+ - roles/viewer
+ - roles/resourcemanager.folderViewer
diff --git a/fast/stages/1-resman/data/stage-3/3-network-security.yaml b/fast/stages/1-resman/data/stage-3/3-network-security.yaml
new file mode 100644
index 0000000000..0304c9f142
--- /dev/null
+++ b/fast/stages/1-resman/data/stage-3/3-network-security.yaml
@@ -0,0 +1,26 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage.schema.json
+
+short_name: nsec
+main:
+ root_node:
+ service_account_iam:
+ rw:
+ - role: roles/compute.orgFirewallPolicyAdmin
+ - role: ngfw_enterprise_admin
+ # ro:
+ # - role: roles/compute.orgFirewallPolicyAdmin
+ # - role: ngfw_enterprise_admin
diff --git a/fast/stages/1-resman/data/stage-3/3-sandbox.yaml b/fast/stages/1-resman/data/stage-3/3-sandbox.yaml
new file mode 100644
index 0000000000..e17353a7be
--- /dev/null
+++ b/fast/stages/1-resman/data/stage-3/3-sandbox.yaml
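Review bot: The commented-out `ro` block repeats the two admin entries from `rw` (`roles/compute.orgFirewallPolicyAdmin` and `ngfw_enterprise_admin`), so uncommenting it as written would give the read-only plan account firewall policy admin rights. I would drop the block or replace its entries with viewer-level roles before it is enabled, and say so in place, e.g. `# TODO: ro needs viewer-level roles, not the admin roles listed under rw`. Until then the read-only account gets no grant for this stage, which also holds for `3-sandbox.yaml`, where no `ro` list exists. `ngfw_enterprise_admin` is the only entry without a `roles/` prefix; presumably it is resolved as a custom role key elsewhere, which a short comment next to it would make clear.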
@@ -0,0 +1,26 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage.schema.json
+
+short_name: sbx
+main:
+ folder:
+ name: Sandbox
+ service_account_iam:
+ rw:
+ - roles/logging.admin
+ - roles/owner
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.projectCreator
diff --git a/fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml b/fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml
new file mode 100644
index 0000000000..88b3ddddf8
--- /dev/null
+++ b/fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
+
+name: Development
+short_name: gcve-dev
+automation:
+ enable: false
+root_node_config:
+ context_tag_value: gcve
\ No newline at end of file
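Review bot: In `3-gcve-dev.yaml` the folder is declared in the top-level-folders data with display name `Development` and nothing in the file ties it to the `GCVE` folder from `3-gcve.yaml`. Unless the consuming code nests it by some rule not shown here, it would be created next to `GCVE` under a generic name, and anything scoped by folder would not treat it as part of GCVE. A comment stating the intended parent would settle this, e.g. `# child of the GCVE folder (3-gcve.yaml)`. Both new files also end without a trailing newline.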
diff --git a/fast/stages/1-resman/data/top-level-folders/3-gcve.yaml b/fast/stages/1-resman/data/top-level-folders/3-gcve.yaml
new file mode 100644
index 0000000000..8e3799593b
--- /dev/null
+++ b/fast/stages/1-resman/data/top-level-folders/3-gcve.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
+
+name: GCVE
+short_name: gcve
+automation:
+ enable: false
+root_node_config:
+ context_tag_value: gcve
\ No newline at end of file
diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf
index d4bb6277c0..485404f526 100644
--- a/fast/stages/1-resman/iam.tf
+++ b/fast/stages/1-resman/iam.tf
@@ -18,145 +18,58 @@ locals { iam_bindings_additive = merge( - # network and security - { + # stage 2 networking + !var.fast_stage_2.networking.enabled ? {} : { sa_net_fw_policy_admin = { - member = module.branch-network-sa.iam_email + member = module.net-sa-rw[0].iam_email role = "roles/compute.orgFirewallPolicyAdmin" } sa_net_xpn_admin = { - member = module.branch-network-sa.iam_email + member = module.net-sa-rw[0].iam_email role = "roles/compute.xpnAdmin" } + }, + # stage 2 security + !var.fast_stage_2.security.enabled ? {} : { sa_sec_asset_viewer = { - member = module.branch-security-sa.iam_email + member = module.sec-sa-rw[0].iam_email role = "roles/cloudasset.viewer" } - # re-enable if VPC-SC management is needed in the 2-security stage - # sa_sec_vpcsc_admin = { - # member = module.branch-security-sa.iam_email - # role = "roles/accesscontextmanager.policyAdmin" - # } - }, - # optional network security - var.fast_features.nsec != true ? {} : { - sa_net_nsec_fw_policy_admin = { - member = module.branch-nsec-sa[0].iam_email - role = "roles/compute.orgFirewallPolicyAdmin" - } - sa_net_nsec_ngfw_enterprise_admin = { - member = module.branch-nsec-sa[0].iam_email - role = local.custom_roles["ngfw_enterprise_admin"], - } - sa_net_nsec_r_fw_policy_admin = { - member = module.branch-nsec-sa[0].iam_email - role = "roles/compute.orgFirewallPolicyUser" - } - sa_net_nsec_r_ngfw_enterprise_viewer = { - member = module.branch-nsec-r-sa[0].iam_email - role = local.custom_roles["ngfw_enterprise_viewer"], - } - }, - # optional billing roles for network and security - local.billing_mode != "org" ? {} : { - sa_net_billing = { - member = module.branch-network-sa.iam_email - role = "roles/billing.user" - } - sa_sec_billing = { - member = module.branch-security-sa.iam_email - role = "roles/billing.user" - } - }, - # optional billing roles for data platform - local.billing_mode != "org" || !var.fast_features.data_platform ? 
{} : { - sa_dp_dev_billing = { - member = module.branch-dp-dev-sa[0].iam_email - role = "roles/billing.user" - } - sa_dp_prod_billing = { - member = module.branch-dp-prod-sa[0].iam_email - role = "roles/billing.user" - } - }, - # optional billing roles for GKE - local.billing_mode != "org" || !var.fast_features.gke ? {} : { - sa_gke_dev_billing = { - member = module.branch-gke-dev-sa[0].iam_email - role = "roles/billing.user" - } - sa_gke_prod_billing = { - member = module.branch-gke-prod-sa[0].iam_email - role = "roles/billing.user" - } }, - # optional billing roles for project factory - local.billing_mode != "org" ? {} : { - sa_pf_billing = { - member = module.branch-pf-sa.iam_email - role = "roles/billing.user" - } - sa_pf_costs_manager = { - member = module.branch-pf-sa.iam_email - role = "roles/billing.costsManager" - } - sa_pf_dev_billing = { - member = module.branch-pf-dev-sa.iam_email - role = "roles/billing.user" - } - sa_pf_dev_costs_manager = { - member = module.branch-pf-dev-sa.iam_email - role = "roles/billing.costsManager" - } - sa_pf_prod_billing = { - member = module.branch-pf-prod-sa.iam_email - role = "roles/billing.user" - } - sa_pf_prod_costs_manager = { - member = module.branch-pf-prod-sa.iam_email - role = "roles/billing.costsManager" - } - }, - # scoped org policy admin grants for project factory - # TODO: change to use context and environment tags, and tag bindings in stage 2s - var.root_node != null ? {} : { + # stage 2 project factory + var.root_node != null || var.fast_stage_2.project_factory.enabled != true ? {} : { sa_pf_conditional_org_policy = { - member = module.branch-pf-sa.iam_email + member = module.pf-sa-rw[0].iam_email role = "roles/orgpolicy.policyAdmin" condition = { title = "org_policy_tag_pf_scoped" - description = "Org policy tag scoped grant for project factory main." + description = "Org policy tag scoped grant for project factory." 
expression = <<-END resource.matchTag('${local.tag_root}/${var.tag_names.context}', 'project-factory') END } } - sa_pf_dev_conditional_org_policy = { - member = module.branch-pf-dev-sa.iam_email - role = "roles/orgpolicy.policyAdmin" - condition = { - title = "org_policy_tag_pf_scoped_dev" - description = "Org policy tag scoped grant for project factory dev." - expression = <<-END - resource.matchTag('${local.tag_root}/${var.tag_names.context}', 'project-factory') - && - resource.matchTag('${local.tag_root}/${var.tag_names.environment}', 'development') - END - } - } - sa_pf_prod_conditional_org_policy = { - member = module.branch-pf-prod-sa.iam_email - role = "roles/orgpolicy.policyAdmin" - condition = { - title = "org_policy_tag_pf_scoped_prod" - description = "Org policy tag scoped grant for project factory prod." - expression = <<-END - resource.matchTag('${local.tag_root}/${var.tag_names.context}', 'project-factory') - && - resource.matchTag('${local.tag_root}/${var.tag_names.environment}', 'production') - END - } + }, + # stage 3 + { + for v in local.stage3_sa_roles_in_org : join("/", values(v)) => { + role = lookup(var.custom_roles, v, v) + member = ( + v.env == "prod" + ? ( + v.sa == "rw" + ? module.stage3-sa-prod-rw[v.s3].iam_email + : module.stage3-sa-prod-ro[v.s3].iam_email + ) + : ( + v.sa == "rw" + ? module.stage3-sa-dev-rw[v.s3].iam_email + : module.stage3-sa-dev-ro[v.s3].iam_email + ) + ) } }, + # billing for all stages + local.billing_mode != "org" ? {} : local.billing_iam ) } diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf index 80beb5b499..b5a5030c63 100644 --- a/fast/stages/1-resman/main.tf +++ b/fast/stages/1-resman/main.tf 
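Review bot: In the stage 3 block, `role = lookup(var.custom_roles, v, v)` passes the whole element `v` (which also carries `env`, `sa` and `s3`) as both key and default, so no binding receives a role string. It presumably needs the element's role attribute, e.g. `role = lookup(var.custom_roles, v.role, v.role)` if that is its name in `local.stage3_sa_roles_in_org`, which is defined outside this hunk. `var.custom_roles` is read directly here while the `main.tf` hunk removes the `coalesce(var.custom_roles, {})` local, so a null value would now fail the lookup. The per-environment `resource.matchTag(… environment …)` conditions are also gone, leaving a single `roles/orgpolicy.policyAdmin` grant scoped only by the context tag; a comment stating that this wider scope is intended would help the next reader.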
@@ -19,61 +19,6 @@ locals { # automation_resman_sa = try( # data.google_client_openid_userinfo.provider_identity[0].email, null # ) - # stage service accounts, used in top folders and outputs - branch_service_accounts = { - data-platform-dev = try(module.branch-dp-dev-sa[0].email, null) - data-platform-dev-r = try(module.branch-dp-dev-r-sa[0].email, null) - data-platform-prod = try(module.branch-dp-prod-sa[0].email, null) - data-platform-prod-r = try(module.branch-dp-prod-r-sa[0].email, null) - gcve-dev = try(module.branch-gcve-dev-sa[0].email, null) - gcve-dev-r = try(module.branch-gcve-dev-r-sa[0].email, null) - gcve-prod = try(module.branch-gcve-prod-sa[0].email, null) - gcve-prod-r = try(module.branch-gcve-prod-r-sa[0].email, null) - gke-dev = try(module.branch-gke-dev-sa[0].email, null) - gke-dev-r = try(module.branch-gke-dev-r-sa[0].email, null) - gke-prod = try(module.branch-gke-prod-sa[0].email, null) - gke-prod-r = try(module.branch-gke-prod-r-sa[0].email, null) - nsec = try(module.branch-nsec-sa[0].email, null) - nsec-r = try(module.branch-nsec-r-sa[0].email, null) - networking = module.branch-network-sa.email - networking-r = module.branch-network-r-sa.email - project-factory = module.branch-pf-sa.email - project-factory-r = module.branch-pf-r-sa.email - project-factory-dev = module.branch-pf-dev-sa.email - project-factory-dev-r = module.branch-pf-dev-r-sa.email - project-factory-prod = module.branch-pf-prod-sa.email - project-factory-prod-r = module.branch-pf-prod-r-sa.email - sandbox = try(module.branch-sandbox-sa[0].email, null) - security = module.branch-security-sa.email - security-r = module.branch-security-r-sa.email - } - # normalize CI/CD repositories - cicd_repositories = { - for k, v in coalesce(var.cicd_repositories, {}) : k => v - if( - v != null && - contains( - keys(local.identity_providers), - coalesce(try(v.identity_provider, null), ":") - ) && - fileexists("${path.module}/templates/workflow-${try(v.type, "")}.yaml") - ) - } - 
cicd_workflow_var_files = { - stage_2 = [ - "0-bootstrap.auto.tfvars.json", - "1-resman.auto.tfvars.json", - "0-globals.auto.tfvars.json" - ] - stage_3 = [ - "0-bootstrap.auto.tfvars.json", - "1-resman.auto.tfvars.json", - "0-globals.auto.tfvars.json", - "2-networking.auto.tfvars.json", - "2-security.auto.tfvars.json" - ] - } - custom_roles = coalesce(var.custom_roles, {}) gcs_storage_class = ( length(split("-", var.locations.gcs)) < 2 ? "MULTI_REGIONAL" @@ -94,6 +39,38 @@ locals { ? "organizations/${var.organization.id}" : var.root_node ) + stage_service_accounts = merge( + !var.fast_stage_2.networking.enabled ? {} : { + networking = module.net-sa-rw.email + networking-r = module.net-sa-ro.email + }, + !var.fast_stage_2.security.enabled ? {} : { + security = module.sec-sa-rw.email + security-r = module.sec-sa-ro.email + }, + !var.fast_stage_2.project-factory.enabled ? {} : { + project-factory = module.pf-sa-rw.email + project-factory-r = module.pf-sa-ro.email + }, + { + for k, v in var.fast_stage_3 : + k => module.stage3-sa-prod-rw.email + }, + { + for k, v in var.fast_stage_3 : + "${k}-r" => module.stage3-sa-prod-ro.email + }, + { + for k, v in var.fast_stage_3 : + "${k}-prod" => module.stage3-sa-prod-rw.email + if v.folder_config.create_env_folders == true + }, + { + for k, v in var.fast_stage_3 : + "${k}-dev-r" => module.stage3-sa-dev-ro.email + if v.folder_config.create_env_folders == true + } + ) tag_keys = ( var.root_node == null ? module.organization[0].tag_keys diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index d6d04d370e..5e2d00aecc 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -34,6 +34,12 @@ locals { } }) } + tag_values_stage2 = { + for k, v in var.fast_stage_2 : k => replace(k, "_", "-") if v.enabled + } + tag_values_stage3 = { + for k, v in var.fast_stage_3 : k => replace(k, "_", "-") + } } module "organization" { 
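Review bot: In the added `stage_service_accounts`, `module.net-sa-rw.email`, `module.sec-sa-rw.email` and `module.pf-sa-rw.email` are read without an index although `iam.tf` and `outputs.tf` address the same modules as `[0]`, and the stage 3 comprehensions use `module.stage3-sa-prod-rw.email` without `[k]`. The third condition spells the attribute `project-factory` where the other files use `project_factory`. The stage 3 keys are uneven as well: `k` and `"${k}-prod"` both map to the prod read-write account, `"${k}-dev-r"` to the dev read-only one, and no `"${k}-dev"` or `"${k}-prod-r"` entry exists, so a consumer reading the bare key gets a prod write identity. Suggested forms are `networking = module.net-sa-rw[0].email` and `k => module.stage3-sa-prod-rw[k].email`, with one key per environment and access level.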
@@ -48,37 +54,21 @@ module "organization" { (var.tag_names.context) = { description = "Resource management context." iam = try(local.tags.context.iam, {}) - values = { - data = { - iam = try(local.tags.context.values.data.iam, {}) - description = try(local.tags.context.values.data.description, null) - } - gke = { - iam = try(local.tags.context.values.gke.iam, {}) - description = try(local.tags.context.values.gke.description, null) - } - gcve = { - iam = try(local.tags.context.values.gcve.iam, {}) - description = try(local.tags.context.values.gcve.description, null) - } - networking = { - iam = try(local.tags.context.values.networking.iam, {}) - description = try(local.tags.context.values.networking.description, null) - } - project-factory = { - iam = try(local.tags.context.values.project-factory.iam, {}) - description = try(local.tags.context.values.project-factory.description, null) - } - sandbox = { - iam = try(local.tags.context.values.sandbox.iam, {}) - description = try(local.tags.context.values.sandbox.description, null) - } - security = { - iam = try(local.tags.context.values.security.iam, {}) - description = try(local.tags.context.values.security.description, null) + values = merge( + { + for k, v in local.tag_values_stage2 : v => { + iam = try(local.tags.context.values.iam[v], {}) + description = try(local.tags.context.values.description[v], {}) + } if var.fast_stage_2[k].enabled + }, + { + for k, v in local.tag_values_stage3 : v => { + iam = try(local.tags.context.values.iam[v], {}) + description = try(local.tags.context.values.description[v], {}) + } } - } - } + ) + }, (var.tag_names.environment) = { description = "Environment definition." iam = try(local.tags.environment.iam, {}) 
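Review bot: The new `values` comprehensions index `local.tags.context.values.iam[v]` and `local.tags.context.values.description[v]`, whereas the removed code read `local.tags.context.values.<name>.iam`. The path looks inverted, and because it sits inside `try()` the lookup would fall back quietly, dropping any IAM configured on a context tag value instead of failing. `iam = try(local.tags.context.values[v].iam, {})` and `description = try(local.tags.context.values[v].description, null)` keep the earlier behaviour, including `null` rather than `{}` as the description default. The `if var.fast_stage_2[k].enabled` filter repeats the one already applied where `tag_values_stage2` is built.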
@@ -87,21 +77,25 @@ module "organization" { iam = try(local.tags.environment.values.development.iam, {}) iam_bindings = { pf = { - members = [module.branch-pf-sa.iam_email] + members = compact([try(module.pf-sa-rw[0].iam_email, null)]) role = "roles/resourcemanager.tagUser" } } - description = try(local.tags.environment.values.development.description, null) + description = try( + local.tags.environment.values.development.description, null + ) } production = { iam = try(local.tags.environment.values.production.iam, {}) iam_bindings = { pf = { - members = [module.branch-pf-sa.iam_email] + members = compact([try(module.pf-sa-rw[0].iam_email, null)]) role = "roles/resourcemanager.tagUser" } } - description = try(local.tags.environment.values.production.description, null) + description = try( + local.tags.environment.values.production.description, null + ) } } } diff --git a/fast/stages/1-resman/outputs-cicd.tf b/fast/stages/1-resman/outputs-cicd.tf new file mode 100644 index 0000000000..de693fd560 --- /dev/null +++ b/fast/stages/1-resman/outputs-cicd.tf 
@@ -0,0 +1,126 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + cicd_workflows = { + for k, v in local._cicd_workflow_attrs : k => templatefile( + "${path.module}/templates/workflow-${v.repository.type}.yaml", v + ) + } + _cicd_workflow_attrs = merge( + # stage 2 + lookup(local.cicd_repositories, "networking", null) == null ? {} : { + service_accounts = { + apply = module.net-sa-rw[0].email + plan = module.net-sa-ro[0].email + } + tf_providers_files = { + apply = "2-networking-providers.tf" + plan = "2-networking-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + stage_name = "networking" + }, + lookup(local.cicd_repositories, "security", null) == null ? 
{} : { + service_accounts = { + apply = module.sec-sa-rw[0].email + plan = module.sec-sa-ro[0].email + } + tf_providers_files = { + apply = "2-security-providers.tf" + plan = "2-security-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + stage_name = "security" + }, + lookup(local.cicd_repositories, "project_factory", null) == null ? {} : { + service_accounts = { + apply = module.pf-sa-rw[0].email + plan = module.pf-sa-ro[0].email + } + tf_providers_files = { + apply = "2-project-factory-providers.tf" + plan = "2-project-factory-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + stage_name = "project-factory" + }, + # stage 3 + { + for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { + service_accounts = { + apply = module.stage3-sa-prod-rw[0].email + plan = module.stage3-sa-prod-ro[0].email + } + tf_providers_files = { + apply = "${v.lvl}-${k}-providers.tf" + plan = "${v.lvl}-${k}-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_3 + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + stage_name = v.short_name + } if v.lvl == 3 && v.env == "prod" + }, + { + for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { + service_accounts = { + apply = module.stage3-sa-dev-rw[0].email + plan = module.stage3-sa-dev-ro[0].email + } + tf_providers_files = { + apply = 
"${v.lvl}-${k}-providers.tf" + plan = "${v.lvl}-${k}-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_3 + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + stage_name = v.short_name + } if v.lvl == 3 && v.env == "dev" + } + ) +} diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index f640c33925..51957405ed 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf 
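Review bot: The three stage 2 arguments to `merge()` are flat attribute maps rather than maps keyed by stage, so networking, security and project factory overwrite each other's `service_accounts`, and `cicd_workflows` then iterates over attribute names where `v.repository.type` does not exist. Those blocks also reference `v.identity_provider` outside any `for` expression, so `v` is undefined there. Each entry should be wrapped under its stage key and take the provider and repository from `local.cicd_repositories.<stage>`, as sketched below for networking. In the stage 3 comprehensions `module.stage3-sa-prod-rw[0]` and `module.stage3-sa-dev-rw[0]` use a numeric index where `iam.tf` keys the same modules by stage (`[v.s3]`), so the apply and plan identities would not be the ones belonging to the repository's stage.

```hcl
  _cicd_workflow_attrs = merge(
    # stage 2
    lookup(local.cicd_repositories, "networking", null) == null ? {} : {
      networking = {
        service_accounts = {
          apply = module.net-sa-rw[0].email
          plan  = module.net-sa-ro[0].email
        }
        # … unchanged: tf_providers_files, tf_var_files …
        audiences = try(
          local.identity_providers[
            local.cicd_repositories.networking.identity_provider
          ].audiences, null
        )
        identity_provider = try(
          local.identity_providers[
            local.cicd_repositories.networking.identity_provider
          ].name, null
        )
        repository = local.cicd_repositories.networking.repository
        # … unchanged: outputs_bucket, stage_name …
      }
    },
    # … security and project_factory wrapped the same way …
```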
@@ -16,236 +16,71 @@ locals { _tpl_providers = "${path.module}/templates/providers.tf.tpl" - cicd_workflow_attrs = { - data_platform_dev = { - service_accounts = { - apply = try(module.branch-dp-dev-sa-cicd[0].email, null) - plan = try(module.branch-dp-dev-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-data-platform-dev-providers.tf" - plan = "3-data-platform-dev-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - data_platform_prod = { - service_accounts = { - apply = try(module.branch-dp-prod-sa-cicd[0].email, null) - plan = try(module.branch-dp-prod-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-data-platform-prod-providers.tf" - plan = "3-data-platform-prod-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - gcve_dev = { - service_accounts = { - apply = try(module.branch-gcve-dev-sa-cicd[0].email, null) - plan = try(module.branch-gcve-dev-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-gcve-dev-providers.tf" - plan = "3-gcve-dev-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - gcve_prod = { - service_accounts = { - apply = try(module.branch-gcve-prod-sa-cicd[0].email, null) - plan = try(module.branch-gcve-prod-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-gcve-prod-providers.tf" - plan = "3-gcve-prod-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - gke_dev = { - service_accounts = { - apply = try(module.branch-gke-dev-sa-cicd[0].email, null) - plan = try(module.branch-gke-dev-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-gke-dev-providers.tf" - plan = "3-gke-dev-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - gke_prod = { - service_accounts = { - apply = try(module.branch-gke-prod-sa-cicd[0].email, null) - plan = try(module.branch-gke-prod-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = 
"3-gke-prod-providers.tf" - plan = "3-gke-prod-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - nsec = { - service_accounts = { - apply = try(module.branch-nsec-sa-cicd[0].email, null) - plan = try(module.branch-nsec-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-network-security-providers.tf" - plan = "3-network-security-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - networking = { - service_accounts = { - apply = try(module.branch-network-sa-cicd[0].email, null) - plan = try(module.branch-network-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "2-networking-providers.tf" - plan = "2-networking-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_2 - } - project_factory = { - service_accounts = { - apply = try(module.branch-pf-sa-cicd[0].email, null) - plan = try(module.branch-pf-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-project-factory-providers.tf" - plan = "3-project-factory-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - project_factory_dev = { - service_accounts = { - apply = try(module.branch-pf-dev-sa-cicd[0].email, null) - plan = try(module.branch-pf-dev-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-project-factory-dev-providers.tf" - plan = "3-project-factory-dev-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - project_factory_prod = { - service_accounts = { - apply = try(module.branch-pf-prod-sa-cicd[0].email, null) - plan = try(module.branch-pf-prod-r-sa-cicd[0].email, null) - } - tf_providers_files = { - apply = "3-project-factory-prod-providers.tf" - plan = "3-project-factory-prod-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_3 - } - security = { - service_accounts = { - apply = try(module.branch-security-sa-cicd[0].email, null) - plan = try(module.branch-security-r-sa-cicd[0].email, null) - 
} - tf_providers_files = { - apply = "2-security-providers.tf" - plan = "2-security-r-providers.tf" - } - tf_var_files = local.cicd_workflow_var_files.stage_2 - } - } - cicd_workflows = { - for k, v in local.cicd_repositories : k => templatefile( - "${path.module}/templates/workflow-${v.type}.yaml", - merge(local.cicd_workflow_attrs[k], { - audiences = try( - local.identity_providers[v.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[v.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - stage_name = k - }) - ) - } folder_ids = merge( - { - data-platform-dev = try(module.branch-dp-dev-folder[0].id, null) - data-platform-prod = try(module.branch-dp-prod-folder[0].id, null) - gcve-dev = try(module.branch-gcve-dev-folder[0].id, null) - gcve-prod = try(module.branch-gcve-prod-folder[0].id, null) - gke-dev = try(module.branch-gke-dev-folder[0].id, null) - gke-prod = try(module.branch-gke-prod-folder[0].id, null) - networking = try(module.branch-network-folder.id, null) - networking-dev = try(module.branch-network-dev-folder.id, null) - networking-prod = try(module.branch-network-prod-folder.id, null) - sandbox = try(module.branch-sandbox-folder[0].id, null) - security = try(module.branch-security-folder.id, null) + # stage 2 + !var.fast_stage_2.networking.enabled ? {} : { + networking = module.net-folder[0].id + networking-dev = try(module.net-folder-dev[0].id, null) + networking-prod = try(module.net-folder-prod[0].id, null) }, - { - for k, v in module.top-level-folder : k => try(v.id, null) - } + !var.fast_stage_2.security.enabled ? 
{} : { + security = module.sec-folder[0].id + security-dev = try(module.sec-folder-dev[0].id, null) + security-prod = try(module.sec-folder-prod[0].id, null) + }, + # stage 3 + { for k, v in module.stage3-folder : k => v.id }, + { for k, v in module.stage3-folder-dev : k => v.id }, + { for k, v in module.stage3-folder-prod : k => v.id }, + # top-level folders + { for k, v in module.top-level-folder : k => v.id } ) providers = merge( - { - "2-networking" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-network-gcs.name - name = "networking" - sa = module.branch-network-sa.email - }) - "2-networking-r" = templatefile(local._tpl_providers, { + # stage 2 + !var.fast_stage_2.networking.enabled ? {} : { + "2-networking" = templatefile(_tpl_providers, { backend_extra = null - bucket = module.branch-network-gcs.name + bucket = module.net-bucket[0].name name = "networking" - sa = module.branch-network-r-sa.email + sa = module.net-sa-rw[0].email }) - "2-project-factory" = templatefile(local._tpl_providers, { + }, + !var.fast_stage_2.security.enabled ? {} : { + "2-security" = templatefile(_tpl_providers, { backend_extra = null - bucket = module.branch-pf-gcs.name - name = "project-factory" - sa = module.branch-pf-sa.email + bucket = module.sec-bucket[0].name + name = "security" + sa = module.sec-sa-rw[0].email }) - "2-project-factory-r" = templatefile(local._tpl_providers, { + }, + !var.fast_stage_2.project_factory.enabled ? 
{} : { + "2-project-factory" = templatefile(_tpl_providers, { backend_extra = null - bucket = module.branch-pf-gcs.name + bucket = module.pf-bucket[0].name name = "project-factory" - sa = module.branch-pf-r-sa.email - }) - "2-project-factory-dev" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-pf-dev-gcs.name - name = "project-factory-dev" - sa = module.branch-pf-dev-sa.email - }) - "2-project-factory-dev-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-pf-dev-gcs.name - name = "project-factory-dev" - sa = module.branch-pf-dev-r-sa.email - }) - "2-project-factory-prod" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-pf-prod-gcs.name - name = "project-factory-prod" - sa = module.branch-pf-prod-sa.email - }) - "2-project-factory-prod-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-pf-prod-gcs.name - name = "project-factory-prod" - sa = module.branch-pf-prod-r-sa.email + sa = module.pf-sa-rw[0].email }) - "2-security" = templatefile(local._tpl_providers, { + }, + # stage 3 + { + for k, v in var.fast_stage_3 : + "3-${k}-prod" => templatefile(_tpl_providers, { backend_extra = null - bucket = module.branch-security-gcs.name - name = "security" - sa = module.branch-security-sa.email + bucket = module.stage3-bucket-prod[k].name + name = "${k}-prod" + sa = module.stage3-sa-prod-rw[k].email }) - "2-security-r" = templatefile(local._tpl_providers, { + }, + { + for k, v in var.fast_stage_3 : + "3-${k}-dev" => templatefile(_tpl_providers, { backend_extra = null - bucket = module.branch-security-gcs.name - name = "security" - sa = module.branch-security-r-sa.email - }) + bucket = module.stage3-bucket-dev[k].name + name = "${k}-dev" + sa = module.stage3-sa-dev-rw[k].email + }) if v.folder_config.create_env_folders }, + # top-level folders { for k, v in module.top-level-sa : "1-resman-folder-${k}" => 
templatefile(local._tpl_providers, { 
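Review bot: Every `templatefile(_tpl_providers, {` added for the stage 2 and stage 3 entries lacks the `local.` prefix that the unchanged top-level-folder entry uses, so the reference does not resolve; it should read `templatefile(local._tpl_providers, {`. The hunk also drops all `-r` provider files, while `outputs-cicd.tf` still points plan jobs at names such as `2-networking-providers-r.tf`. With no read-only provider file generated, plan runs would either break or end up using the read-write service account. `"3-${k}-prod"` is emitted for every stage 3 even when `create_env_folders` is false, unlike the dev entry, and the `folder_ids` merge can have one stage key overwritten if the three stage 3 folder modules share keys.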
@@ -255,116 +90,12 @@ locals { sa = v.email }) }, - !var.fast_features.data_platform ? {} : { - "3-data-platform-dev" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-dp-dev-gcs[0].name - name = "dp-dev" - sa = module.branch-dp-dev-sa[0].email - }) - "3-data-platform-dev-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-dp-dev-gcs[0].name - name = "dp-dev" - sa = module.branch-dp-dev-r-sa[0].email - }) - "3-data-platform-prod" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-dp-prod-gcs[0].name - name = "dp-prod" - sa = module.branch-dp-prod-sa[0].email - }) - "3-data-platform-prod-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-dp-prod-gcs[0].name - name = "dp-prod" - sa = module.branch-dp-prod-r-sa[0].email - }) - }, - !var.fast_features.gke ? {} : { - "3-gke-dev" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gke-dev-gcs[0].name - name = "gke-dev" - sa = module.branch-gke-dev-sa[0].email - }) - "3-gke-dev-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gke-dev-gcs[0].name - name = "gke-dev" - sa = module.branch-gke-dev-r-sa[0].email - }) - "3-gke-prod" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gke-prod-gcs[0].name - name = "gke-prod" - sa = module.branch-gke-prod-sa[0].email - }) - "3-gke-prod-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gke-prod-gcs[0].name - name = "gke-prod" - sa = module.branch-gke-prod-r-sa[0].email - }) - }, - !var.fast_features.gcve ? 
{} : { - "3-gcve-dev" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gcve-dev-gcs[0].name - name = "gcve-dev" - sa = module.branch-gcve-dev-sa[0].email - }) - "3-gcve-dev-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gcve-dev-gcs[0].name - name = "gcve-dev" - sa = module.branch-gcve-dev-r-sa[0].email - }) - "3-gcve-prod" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gcve-prod-gcs[0].name - name = "gcve-prod" - sa = module.branch-gcve-prod-sa[0].email - }) - "3-gcve-prod-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-gcve-prod-gcs[0].name - name = "gcve-prod" - sa = module.branch-gcve-prod-r-sa[0].email - }) - }, - !var.fast_features.nsec ? {} : { - "3-network-security" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-nsec-gcs[0].name - name = "network-security" - sa = module.branch-nsec-sa[0].email - }) - "3-network-security-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-nsec-gcs[0].name - name = "network-security" - sa = module.branch-nsec-r-sa[0].email - }) - }, - !var.fast_features.sandbox ? {} : { - "9-sandbox" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.branch-sandbox-gcs[0].name - name = "sandbox" - sa = module.branch-sandbox-sa[0].email - }) - }, - ) - service_accounts = merge( - local.branch_service_accounts, - { - for k, v in module.top-level-sa : k => try(v.email) - } ) + service_accounts = merge(local.stage_service_accounts, { + for k, v in module.top-level-sa : k => try(v.email) + }) tfvars = { checklist_hierarchy = local.checklist.hierarchy - fast_features = var.fast_features folder_ids = local.folder_ids service_accounts = local.service_accounts tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } 
@@ -377,28 +108,10 @@ output "cicd_repositories" { description = "WIF configuration for CI/CD repositories." value = { for k, v in local.cicd_repositories : k => { - branch = v.branch - name = v.name + repository = v.repository provider = try( local.identity_providers[v.identity_provider].name, null ) - service_account = local.cicd_workflow_attrs[k].service_accounts - } if v != null - } -} - -output "dataplatform" { - description = "Data for the Data Platform stage." - value = !var.fast_features.data_platform ? {} : { - dev = { - folder = module.branch-dp-dev-folder[0].id - gcs_bucket = module.branch-dp-dev-gcs[0].name - service_account = module.branch-dp-dev-sa[0].email - } - prod = { - folder = module.branch-dp-prod-folder[0].id - gcs_bucket = module.branch-dp-prod-gcs[0].name - service_account = module.branch-dp-prod-sa[0].email } } } 
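Review bot: Dropping the `if v != null` filter from the `for` expression in `output "cicd_repositories"` means a null entry in `local.cicd_repositories` now fails on `v.repository` instead of being skipped. Whether that local can still hold nulls is not visible from this hunk, so either keep the guard on the closing brace, `} if v != null`, or confirm that the new `cicd.tf` never produces them. The output block starts above the hunk.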
@@ -408,75 +121,6 @@ output "folder_ids" { value = local.folder_ids } -output "gcve" { - # tfdoc:output:consumers 03-gcve - description = "Data for the GCVE stage." - value = ( - var.fast_features.gcve - ? { - "dev" = { - folder = module.branch-gcve-dev-folder[0].id - gcs_bucket = module.branch-gcve-dev-gcs[0].name - service_account = module.branch-gcve-dev-sa[0].email - } - "prod" = { - folder = module.branch-gcve-prod-folder[0].id - gcs_bucket = module.branch-gcve-prod-gcs[0].name - service_account = module.branch-gcve-prod-sa[0].email - } - } - : {} - ) -} - -output "gke_multitenant" { - # tfdoc:output:consumers 03-gke-multitenant - description = "Data for the GKE multitenant stage." - value = ( - var.fast_features.gke - ? { - "dev" = { - folder = module.branch-gke-dev-folder[0].id - gcs_bucket = module.branch-gke-dev-gcs[0].name - service_account = module.branch-gke-dev-sa[0].email - } - "prod" = { - folder = module.branch-gke-prod-folder[0].id - gcs_bucket = module.branch-gke-prod-gcs[0].name - service_account = module.branch-gke-prod-sa[0].email - } - } - : {} - ) -} - -output "networking" { - description = "Data for the networking stage." - value = { - folder = module.branch-network-folder.id - gcs_bucket = module.branch-network-gcs.name - service_account = module.branch-network-sa.iam_email - } -} - -output "project_factories" { - description = "Data for the project factories stage." - value = { - dev = { - bucket = module.branch-pf-dev-gcs.name - sa = module.branch-pf-dev-sa.email - } - main = { - bucket = module.branch-pf-gcs.name - sa = module.branch-pf-sa.email - } - prod = { - bucket = module.branch-pf-prod-gcs.name - sa = module.branch-pf-prod-sa.email - } - } -} - # ready to use provider configurations for subsequent stages output "providers" { # tfdoc:output:consumers 02-networking 02-security 03-dataplatform 03-network-security 
@@ -485,30 +129,6 @@ output "providers" { value = local.providers } -output "sandbox" { - # tfdoc:output:consumers xx-sandbox - description = "Data for the sandbox stage." - value = ( - var.fast_features.sandbox - ? { - folder = module.branch-sandbox-folder[0].id - gcs_bucket = module.branch-sandbox-gcs[0].name - service_account = module.branch-sandbox-sa[0].email - } - : null - ) -} - -output "security" { - # tfdoc:output:consumers 02-security - description = "Data for the networking stage." - value = { - folder = module.branch-security-folder.id - gcs_bucket = module.branch-security-gcs.name - service_account = module.branch-security-sa.iam_email - } -} - # ready to use variable values for subsequent stages output "tfvars" { description = "Terraform variable files for the following stages." diff --git a/fast/stages/1-resman/schemas/fast-stage.schema.json b/fast/stages/1-resman/schemas/fast-stage.schema.json new file mode 100644 index 0000000000..82bf0e0f17 --- /dev/null +++ b/fast/stages/1-resman/schemas/fast-stage.schema.json 
@@ -0,0 +1,213 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "FAST stage", + "type": "object", + "additionalProperties": false, + "properties": { + "short_name": { + "type": "string" + }, + "tag_value_name": { + "type": "string" + }, + "assign_billing_roles": { + "type": "boolean", + "default": true + }, + "cicd": { + "type": "object", + "additionalProperties": false, + "required": [ + "identity_provider", + "repository" + ], + "properties": { + "identity_provider": { + "type": "string" + }, + "repository": { + "type": "object", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "branch": { + "type": "string" + } + } + } + } + }, + "main": { + "$ref": "#/$defs/environment" + }, + "environments": { + "type": "object", + "additionalProperties": false, + "required": [ + "dev", + "prod" + ], + "properties": { + "dev": { + "$ref": "#/$defs/environment" + }, + "prod": { + "$ref": "#/$defs/environment" + } + } + } + }, + "$defs": { + "environment": { + "type": "object", + "additionalProperties": false, + "properties": { + "folder": { + "type": "object", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "service_account_iam": { + "type": "object", + "additionalProperties": false, + "properties": { + "ro": { + "$ref": "#/$defs/folder_service_account_iam" + }, + "rw": { + "$ref": "#/$defs/folder_service_account_iam" + } + } + } + }, + "iam": { + "type": "object", + "additionalProperties": false, + "patternProperties": { + "^(?:roles/|[a-z_]+)": { + "type": "array", + "items": { + "type": "string", + "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)" + } + } + } + }, + "iam_bindings": { + "type": "object", + "additionalProperties": false, + "patternProperties": { + "^[a-z0-9_-]+$": { + "type": 
"object", + "additionalProperties": false, + "properties": { + "members": { + "type": "array", + "items": { + "type": "string", + "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)" + } + }, + "role": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + }, + "condition": { + "type": "object", + "additionalProperties": false, + "required": [ + "expression", + "title" + ], + "properties": { + "expression": { + "type": "string" + }, + "title": { + "type": "string" + }, + "description": { + "type": "string" + } + } + } + } + } + } + }, + "iam_by_principals": { + "type": "object", + "additionalProperties": false, + "patternProperties": { + "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:)": { + "type": "array", + "items": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + } + } + } + } + }, + "root_node": { + "type": "object", + "additionalProperties": false, + "properties": { + "service_account_iam": { + "type": "object", + "additionalProperties": false, + "properties": { + "ro": { + "$ref": "#/$defs/root_service_account_iam" + }, + "rw": { + "$ref": "#/$defs/root_service_account_iam" + } + } + } + } + } + } + }, + "folder_service_account_iam": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + } + }, + "root_service_account_iam": { + "type": "array", + "items": { + "type": "object", + "additionalProperties": false, + "required": [ + "role" + ], + "properties": { + "role": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + }, + "match_tag_values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } +} \ No newline at end of file 
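Review bot: The role pattern `^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$` is anchored per alternative rather than as a whole, so the first branch accepts any string that merely starts with `roles/x` and the second any string that merely ends in a lowercase character. Grouping the alternation fixes it: `"^(?:roles/[a-zA-Z0-9\\.]+|[a-z0-9_]+)$"`; this applies to `iam_bindings.role`, the `iam_by_principals` items, `folder_service_account_iam` and `root_service_account_iam.role`. The member pattern `^(?:domain:|group:|...|rw|ro)` is prefix-only as well, so the bare aliases at the end match any string that begins with them; the alias branch should be closed with `$` while the prefixed principals keep a trailing `.+`. Since this schema is the validation layer for who receives which IAM role, loose patterns let malformed entries through to Terraform. `fast-stage.schema.old.json` is added with the same blob id and carries the same patterns.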
diff --git a/fast/stages/1-resman/schemas/fast-stage.schema.old.json b/fast/stages/1-resman/schemas/fast-stage.schema.old.json new file mode 100644 index 0000000000..82bf0e0f17 --- /dev/null +++ b/fast/stages/1-resman/schemas/fast-stage.schema.old.json 
@@ -0,0 +1,213 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "FAST stage", + "type": "object", + "additionalProperties": false, + "properties": { + "short_name": { + "type": "string" + }, + "tag_value_name": { + "type": "string" + }, + "assign_billing_roles": { + "type": "boolean", + "default": true + }, + "cicd": { + "type": "object", + "additionalProperties": false, + "required": [ + "identity_provider", + "repository" + ], + "properties": { + "identity_provider": { + "type": "string" + }, + "repository": { + "type": "object", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "branch": { + "type": "string" + } + } + } + } + }, + "main": { + "$ref": "#/$defs/environment" + }, + "environments": { + "type": "object", + "additionalProperties": false, + "required": [ + "dev", + "prod" + ], + "properties": { + "dev": { + "$ref": "#/$defs/environment" + }, + "prod": { + "$ref": "#/$defs/environment" + } + } + } + }, + "$defs": { + "environment": { + "type": "object", + "additionalProperties": false, + "properties": { + "folder": { + "type": "object", + "additionalProperties": false, + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "service_account_iam": { + "type": "object", + "additionalProperties": false, + "properties": { + "ro": { + "$ref": "#/$defs/folder_service_account_iam" + }, + "rw": { + "$ref": "#/$defs/folder_service_account_iam" + } + } + } + }, + "iam": { + "type": "object", + "additionalProperties": false, + "patternProperties": { + "^(?:roles/|[a-z_]+)": { + "type": "array", + "items": { + "type": "string", + "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)" + } + } + } + }, + "iam_bindings": { + "type": "object", + "additionalProperties": false, + "patternProperties": { + "^[a-z0-9_-]+$": { + "type": 
"object", + "additionalProperties": false, + "properties": { + "members": { + "type": "array", + "items": { + "type": "string", + "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)" + } + }, + "role": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + }, + "condition": { + "type": "object", + "additionalProperties": false, + "required": [ + "expression", + "title" + ], + "properties": { + "expression": { + "type": "string" + }, + "title": { + "type": "string" + }, + "description": { + "type": "string" + } + } + } + } + } + } + }, + "iam_by_principals": { + "type": "object", + "additionalProperties": false, + "patternProperties": { + "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:)": { + "type": "array", + "items": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + } + } + } + } + }, + "root_node": { + "type": "object", + "additionalProperties": false, + "properties": { + "service_account_iam": { + "type": "object", + "additionalProperties": false, + "properties": { + "ro": { + "$ref": "#/$defs/root_service_account_iam" + }, + "rw": { + "$ref": "#/$defs/root_service_account_iam" + } + } + } + } + } + } + }, + "folder_service_account_iam": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + } + }, + "root_service_account_iam": { + "type": "array", + "items": { + "type": "object", + "additionalProperties": false, + "required": [ + "role" + ], + "properties": { + "role": { + "type": "string", + "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" + }, + "match_tag_values": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf new file mode 100644 index 0000000000..b4bdc9ce60 --- /dev/null +++ b/fast/stages/1-resman/stage-2-networking.tf 
@@ -0,0 +1,201 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + net_use_env_folders = ( + var.fast_stage_2.networking.enabled && + var.fast_stage_2.networking.folder_config.create_env_folders + ) + # TODO: this would be better and more narrowly handled from stage 2 projects + net_stage3_iam = { + dev = { + for v in local.stage3_sa_roles_in_stage2 : + lookup(var.custom_roles, v.role, v.role) => v... + if v.env == "dev" && v.s2 == "networking" + } + prod = { + for v in local.stage3_sa_roles_in_stage2 : + lookup(var.custom_roles, v.role, v.role) => v... + if v.env == "prod" && v.s2 == "networking" + } + } +} + +module "net-folder" { + source = "../../../modules/folder" + count = var.fast_stage_2.networking.enabled ? 1 : 0 + parent = ( + var.fast_stage_2.networking.folder_config.parent_id == null + ? 
local.root_node + : var.fast_stage_2.networking.folder_config.parent_id + ) + name = var.fast_stage_2.networking.folder_config.name + iam = merge( + # stage own service accounts + { + "roles/logging.admin" = [module.net-sa-rw[0].iam_email] + "roles/owner" = [module.net-sa-rw[0].iam_email] + "roles/resourcemanager.folderAdmin" = [module.net-sa-rw[0].iam_email] + "roles/resourcemanager.projectCreator" = [module.net-sa-rw[0].iam_email] + "roles/compute.xpnAdmin" = [module.net-sa-rw[0].iam_email] + "roles/viewer" = [module.net-sa-ro[0].iam_email] + "roles/resourcemanager.folderViewer" = [module.net-sa-ro[0].iam_email] + }, + # security stage 2 service accounts + var.fast_stage_2.security.enabled != true ? {} : { + "roles/serviceusage.serviceUsageAdmin" = [ + try(module.sec-sa-rw[0].iam_email, null) + ] + "roles/serviceusage.serviceUsageConsumer" = [ + try(module.sec-sa-ro[0].iam_email, null) + ] + (var.custom_roles["network_firewall_policies_admin"]) = [ + try(module.sec-sa-rw[0].iam_email, null) + ] + (var.custom_roles["network_firewall_policies_viewer"]) = [ + try(module.sec-sa-ro[0].iam_email, null) + ] + }, + # stage 3s service accounts (if not using environment folders) + each.value.folder_config.create_env_folders == true ? {} : { + for role, attrs in local.net_stage3_iam.prod : role => [ + for v in attrs : ( + v.sa == "ro" + ? module.stage3-sa-prod-ro[v.s3].iam_email + : module.stage3-sa-prod-rw[v.s3].iam_email + ) + ] + } + ) + iam_by_principals = merge( + # replace with more selective custom roles for production deployments + { (local.principals.gcp-network-admins) = ["roles/editor"] }, + var.fast_stage_2.networking.folder_config.iam_by_principals + ) + tag_bindings = { + context = try( + local.tag_values["${var.tag_names.context}/networking"].id, null + ) + } +} + +# optional per-environment folders + +module "net-folder-prod" { + source = "../../../modules/folder" + count = net_use_env_folders ? 
1 : 0 + parent = module.net-folder.id + name = "Production" + iam = { + # stage 3s service accounts + for role, attrs in local.net_stage3_iam.prod : role => [ + for v in attrs : ( + v.sa == "ro" + ? module.stage3-sa-prod-ro[v.s3].iam_email + : module.stage3-sa-prod-rw[v.s3].iam_email + ) + ] + } + tag_bindings = { + environment = try( + local.tag_values["${var.tag_names.environment}/production"].id, + null + ) + } +} + +module "net-folder-dev" { + source = "../../../modules/folder" + count = net_use_env_folders ? 1 : 0 + parent = module.net-folder.id + name = "Development" + iam = { + # stage 3s service accounts + for role, attrs in local.net_stage3_iam.dev : role => [ + for v in attrs : ( + v.sa == "ro" + ? module.stage3-sa-dev-ro[v.s3].iam_email + : module.stage3-sa-dev-rw[v.s3].iam_email + ) + ] + } + tag_bindings = { + environment = try( + local.tag_values["${var.tag_names.environment}/development"].id, + null + ) + } +} + +# automation service accounts + +module "net-sa-rw" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.networking.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.networking.short_name}-0" + display_name = "Terraform resman networking service account." + prefix = var.prefix + service_account_create = var.root_node == null + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-rw["networking"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] + } +} + +module "net-sa-ro" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.networking.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.networking.short_name}-0r" + display_name = "Terraform resman networking service account (read-only)." 
+ prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-ro["networking"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] + } +} + +# automation bucket + +module "net-bucket" { + source = "../../../modules/gcs" + count = var.fast_stage_2.networking.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.networking.short_name}-0" + prefix = var.prefix + location = var.locations.gcs + storage_class = local.gcs_storage_class + versioning = true + iam = { + "roles/storage.objectAdmin" = [module.net-sa-rw.iam_email] + "roles/storage.objectViewer" = [module.net-sa-ro.iam_email] + } +} diff --git a/fast/stages/1-resman/stage-2-project-factory.tf b/fast/stages/1-resman/stage-2-project-factory.tf new file mode 100644 index 0000000000..caa7ae3946 --- /dev/null +++ b/fast/stages/1-resman/stage-2-project-factory.tf 
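Review bot: `module "net-folder"` is instantiated with `count`, yet its stage 3 IAM branch tests `each.value.folder_config.create_env_folders`; `each` is not defined there, and the condition should read `var.fast_stage_2.networking.folder_config.create_env_folders == true ? {} : {`. The same file uses `count = net_use_env_folders ? 1 : 0` without the `local.` prefix in both environment folder modules, and references counted modules without an index (`module.net-folder.id`, `module.net-sa-rw.iam_email`, `module.net-sa-ro.iam_email`), which need `[0]`. That condition decides whether stage 3 service accounts get roles on the whole networking folder or only on the per-environment folders, so it is worth verifying with a plan in both settings. `stage-2-security.tf` repeats all three patterns with the `sec-` names.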
@@ -0,0 +1,57 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# automation service accounts + +module "pf-sa-rw" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.project_factory.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.project_factory.short_name}-0" + display_name = "Terraform resman project factory main service account." + prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-rw["project_factory"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] + } +} + +module "pf-sa-ro" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.project_factory.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.project_factory.short_name}-0r" + display_name = "Terraform resman project factory main service account (read-only)." 
+ prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-ro["project_factory"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] + } +} diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf new file mode 100644 index 0000000000..4b5dcc7ed1 --- /dev/null +++ b/fast/stages/1-resman/stage-2-security.tf 
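Review bot: The `roles/iam.serviceAccountTokenCreator` binding in `pf-sa-rw` and `pf-sa-ro` is built with `compact([try(module.cicd-sa-rw["project_factory"].iam_email, null)])`, so any error in that reference, including a mistyped key, silently yields an empty member list instead of a plan error. This binding is what lets the CI/CD identity impersonate the stage service account, so I would key it on the configuration instead: `var.fast_stage_2.project_factory.cicd_config == null ? [] : [module.cicd-sa-rw["project_factory"].iam_email]`. The keys of `module.cicd-sa-rw` are defined outside this hunk, so confirm that `"project_factory"` matches them. The service-account modules in the networking, security and stage 3 files use the same `try` pattern.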
@@ -0,0 +1,199 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + sec_use_env_folders = ( + var.fast_stage_2.security.enabled && + var.fast_stage_2.security.folder_config.create_env_folders + ) + # TODO: this would be better and more narrowly handled from stage 2 projects + sec_stage3_iam = { + dev = { + for v in local.stage3_sa_roles_in_stage2 : + lookup(var.custom_roles, v.role, v.role) => v... + if v.env == "dev" && v.s2 == "security" + } + prod = { + for v in local.stage3_sa_roles_in_stage2 : + lookup(var.custom_roles, v.role, v.role) => v... + if v.env == "prod" && v.s2 == "security" + } + } +} + +module "sec-folder" { + source = "../../../modules/folder" + count = var.fast_stage_2.security.enabled ? 1 : 0 + parent = ( + var.fast_stage_2.security.folder_config.parent_id == null + ? 
local.root_node + : var.fast_stage_2.security.folder_config.parent_id + ) + name = var.fast_stage_2.security.folder_config.name + iam = merge( + # stage own service accounts + { + "roles/logging.admin" = [module.sec-sa-rw[0].iam_email] + "roles/owner" = [module.sec-sa-rw[0].iam_email] + "roles/resourcemanager.folderAdmin" = [module.sec-sa-rw[0].iam_email] + "roles/resourcemanager.projectCreator" = [module.sec-sa-rw[0].iam_email] + "roles/viewer" = [module.sec-sa-ro[0].iam_email] + "roles/resourcemanager.folderViewer" = [module.sec-sa-ro[0].iam_email] + }, + # stage 3s service accounts (if not using environment folders) + each.value.folder_config.create_env_folders == true ? {} : { + for role, attrs in local.sec_stage3_iam.prod : role => [ + for v in attrs : ( + v.sa == "ro" + ? module.stage3-sa-prod-ro[v.s3].iam_email + : module.stage3-sa-prod-rw[v.s3].iam_email + ) + ] + } + ) + iam_bindings = var.fast_stage_2.project_factory.enabled != true ? {} : { + pf_delegated_grant = { + role = "roles/resourcemanager.projectIamAdmin" + members = module.pf-sa-rw[0].iam_email + condition = { + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + "roles/cloudkms.cryptoKeyEncrypterDecrypter" + ) + title = "pf_delegated_grant" + description = "Project factory delegated grant." + } + } + } + iam_by_principals = merge( + # replace with more selective custom roles for production deployments + { (local.principals.gcp-security-admins) = ["roles/editor"] }, + var.fast_stage_2.security.folder_config.iam_by_principals + ) + tag_bindings = { + context = try( + local.tag_values["${var.tag_names.context}/security"].id, null + ) + } +} + +# optional per-environment folders + +module "sec-folder-prod" { + source = "../../../modules/folder" + count = sec_use_env_folders ? 
1 : 0 + parent = module.sec-folder.id + name = "Production" + iam = { + # stage 3s service accounts + for role, attrs in local.sec_stage3_iam.prod : role => [ + for v in attrs : ( + v.sa == "ro" + ? module.stage3-sa-prod-ro[v.s3].iam_email + : module.stage3-sa-prod-rw[v.s3].iam_email + ) + ] + } + tag_bindings = { + environment = try( + local.tag_values["${var.tag_names.environment}/production"].id, + null + ) + } +} + +module "sec-folder-dev" { + source = "../../../modules/folder" + count = sec_use_env_folders ? 1 : 0 + parent = module.sec-folder.id + name = "Development" + iam = { + # stage 3s service accounts + for role, attrs in local.sec_stage3_iam.dev : role => [ + for v in attrs : ( + v.sa == "ro" + ? module.stage3-sa-dev-ro[v.s3].iam_email + : module.stage3-sa-dev-rw[v.s3].iam_email + ) + ] + } + tag_bindings = { + environment = try( + local.tag_values["${var.tag_names.environment}/development"].id, + null + ) + } +} + +# automation service accounts + +module "sec-sa-rw" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.security.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.security.short_name}-0" + display_name = "Terraform resman security service account." + prefix = var.prefix + service_account_create = var.root_node == null + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-rw["security"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] + } +} + +module "sec-sa-ro" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.security.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.security.short_name}-0r" + display_name = "Terraform resman security service account (read-only)." 
+ prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-ro["security"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] + } +} + +# automation bucket + +module "sec-bucket" { + source = "../../../modules/gcs" + count = var.fast_stage_2.security.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.security.short_name}-0" + prefix = var.prefix + location = var.locations.gcs + storage_class = local.gcs_storage_class + versioning = true + iam = { + "roles/storage.objectAdmin" = [module.sec-sa-rw.iam_email] + "roles/storage.objectViewer" = [module.sec-sa-ro.iam_email] + } +} diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf new file mode 100644 index 0000000000..6f590c36f1 --- /dev/null +++ b/fast/stages/1-resman/stage-3.tf 
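Review bot: In `module "sec-folder"` the `pf_delegated_grant` condition is built with `format("...hasOnly([%s])", "roles/cloudkms.cryptoKeyEncrypterDecrypter")`, which renders the role name without quotes; inside the list it has to be a string literal, so the format string should end in `.hasOnly(['%s'])`. This condition is the only thing limiting what the project factory account can grant through `roles/resourcemanager.projectIamAdmin` on the security folder, so the rendered expression deserves a check in a plan. `members = module.pf-sa-rw[0].iam_email` is a bare string where the `iam` map in the same module passes lists; it probably needs `[module.pf-sa-rw[0].iam_email]`, depending on the folder module's variable type, which is not visible here.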
@@ -0,0 +1,271 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + stage3_folders_create = { + for k, v in var.fast_stage_3 : k => v if v.folder_config != null + } + stage3_iam_roles = { + rw = [ + "roles/logging.admin", + "roles/owner", + "roles/resourcemanager.folderAdmin", + "roles/resourcemanager.projectCreator", + "roles/compute.xpnAdmin" + ] + ro = [ + "roles/viewer", + "roles/resourcemanager.folderViewer" + ] + } + stage3_sa_roles_in_org = flatten([ + for k, v in var.stage_3 : [ + [ + for sa, roles in v.organization_iam_roles : [ + for r in roles : [ + [ + { env = "prod", role = r, sa = sa, s3 = k } + ], + v.folder_config.create_env_folders != true ? [] : [ + { env = "dev", role = r, sa = sa, s3 = k } + ] + ] + ] + ] + ] + ]) + # TODO: this would be better and more narrowly handled from stage 2 projects + stage3_sa_roles_in_stage2 = flatten([ + for k, v in var.stage_3 : [ + for s2, attrs in v.stage2_iam_roles : [ + for sa, roles in attrs : [ + for role in roles : [ + [ + { env = "prod", role = r, sa = sa, s2 = s2, s3 = k } + ], + v.folder_config.create_env_folders != true ? [] : [ + { env = "dev", role = r, sa = sa, s2 = s2, s3 = k } + ] + ] + ] + ] + ] + ]) +} + +module "stage3-folder" { + source = "../../../modules/folder" + for_each = local.stage3_folders_create + parent = ( + each.value.folder_config.parent_id == null + ? 
local.root_node + : each.value.folder_config.parent_id + ) + name = each.value.folder_config.name + iam = each.value.folder_config.create_env_folders == true ? {} : merge( + { + for r in local.stage3_iam_roles.rw : + r => module.stage3-sa-prod-rw[each.key].iam_email + }, + { + for r in local.stage3_iam_roles.ro : + r => module.stage3-sa-prod-ro[each.key].iam_email + } + ) + iam_by_principals = each.value.folder_config.iam_by_principals + tag_bindings = each.value.folder_config.tag_bindings +} + +# optional per-environment folders + +module "stage3-folder-prod" { + source = "../../../modules/folder" + for_each = { + for k, v in local.stage3_folders_create : + k => v if v.folder_config.create_env_folders == true + } + parent = module.stage3-folder[each.key].id + name = "Production" + iam = merge( + { + for r in local.stage3_iam_roles.rw : + r => module.stage3-sa-prod-rw[each.key].iam_email + }, + { + for r in local.stage3_iam_roles.ro : + r => module.stage3-sa-prod-ro[each.key].iam_email + } + ) + tag_bindings = { + environment = try( + local.tag_values["${var.tag_names.environment}/production"].id, + null + ) + } +} + +module "stage3-folder-dev" { + source = "../../../modules/folder" + for_each = { + for k, v in local.stage3_folders_create : + k => v if v.folder_config.create_env_folders == true + } + parent = module.stage3-folder[each.key].id + name = "Development" + iam = merge( + { + for r in local.stage3_iam_roles.rw : + r => module.stage3-sa-dev-rw[each.key].iam_email + }, + { + for r in local.stage3_iam_roles.ro : + r => module.stage3-sa-dev-ro[each.key].iam_email + } + ) + tag_bindings = { + environment = try( + local.tag_values["${var.tag_names.environment}/development"].id, + null + ) + } +} + +# automation service accounts (prod) + +module "stage3-sa-prod-rw" { + source = "../../../modules/iam-service-account" + for_each = local.stage3_folders_create + project_id = var.automation.project_id + name = "prod-resman-${each.key}-0" + display_name = "Terraform 
resman ${each.key} service account." + prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-rw["${each.key}-prod"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] + } +} + +module "stage3-sa-prod-ro" { + source = "../../../modules/iam-service-account" + for_each = local.stage3_folders_create + project_id = var.automation.project_id + name = "prod-resman-${each.key}-0r" + display_name = "Terraform resman ${each.key} service account (read-only)." + prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-ro["${each.key}-prod"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] + } +} + +# automation bucket (prod) + +module "stage3-bucket-prod" { + source = "../../../modules/gcs" + for_each = local.stage3_folders_create + project_id = var.automation.project_id + name = "prod-resman-${each.key}-0" + prefix = var.prefix + location = var.locations.gcs + storage_class = local.gcs_storage_class + versioning = true + iam = { + "roles/storage.objectAdmin" = [module.stage3-sa-prod-rw[each.key].iam_email] + "roles/storage.objectViewer" = [module.stage3-sa-prod-ro[each.key].iam_email] + } +} + +# automation service accounts (dev) + +module "stage3-sa-dev-rw" { + source = "../../../modules/iam-service-account" + for_each = { + for k, v in local.stage3_folders_create : + k => v if v.folder_config.create_env_folders == true + } + project_id = var.automation.project_id + name = "dev-resman-${each.key}-0" + display_name = "Terraform resman ${each.key} service account." 
+ prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-rw["${each.key}-dev"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] + } +} + +module "stage3-sa-dev-ro" { + source = "../../../modules/iam-service-account" + for_each = { + for k, v in local.stage3_folders_create : + k => v if v.folder_config.create_env_folders == true + } + project_id = var.automation.project_id + name = "dev-resman-${each.key}-0r" + display_name = "Terraform resman ${each.key} service account (read-only)." + prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-ro["${each.key}-dev"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] + } +} + +# automation bucket (dev) + +module "stage3-bucket-dev" { + source = "../../../modules/gcs" + for_each = { + for k, v in local.stage3_folders_create : + k => v if v.folder_config.create_env_folders == true + } + project_id = var.automation.project_id + name = "dev-resman-${each.key}-0" + prefix = var.prefix + location = var.locations.gcs + storage_class = local.gcs_storage_class + versioning = true + iam = { + "roles/storage.objectAdmin" = [module.stage3-sa-dev-rw[each.key].iam_email] + "roles/storage.objectViewer" = [module.stage3-sa-dev-ro[each.key].iam_email] + } +} diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index d7feeb8c13..47cb8e5ebe 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf 
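Review bot: `local.stage3_sa_roles_in_stage2` iterates `for role in roles` but emits `role = r`, and `r` is not defined in that scope; both objects should use `role = role`, or the loop variable should be renamed to `r` as in `stage3_sa_roles_in_org`. The two flattened locals also read `var.stage_3` while `stage3_folders_create` reads `var.fast_stage_3`, and they dereference `v.folder_config.create_env_folders` without the `folder_config != null` filter that the folder map applies. In the three folder modules the `iam` maps assign a single string per role, `r => module.stage3-sa-prod-rw[each.key].iam_email`, where the stage 2 files wrap members in a list. These locals feed the role bindings that stage 3 accounts receive on the stage 2 folders, so a plan with at least one stage 3 entry in each `create_env_folders` mode would confirm that the intended accounts, and only those, end up bound.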
@@ -57,7 +57,7 @@ locals { var.top_level_folders ) top_level_sa = { - for k, v in local.branch_service_accounts : + for k, v in local.stage_service_accounts : k => "serviceAccount:${v}" if v != null } top_level_tags = { diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf new file mode 100644 index 0000000000..653e152b45 --- /dev/null +++ b/fast/stages/1-resman/variables-stages.tf 
@@ -0,0 +1,110 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "fast_stage_2" {
+ description = "FAST stages 2 configurations."
+ type = object({
+ networking = optional(object({
+ enabled = optional(bool, true)
+ short_name = optional(string, "net")
+ cicd_config = optional(object({
+ identity_provider = string
+ repository = object({
+ name = string
+ branch = optional(string)
+ parent_id = optional(string)
+ type = optional(string, "github")
+ })
+ }))
+ folder_config = optional(object({
+ create_env_folders = optional(bool, false)
+ iam_by_principals = optional(map(list(string)), {})
+ name = optional(string, "Networking")
+ }), {})
+ }), {})
+ project_factory = optional(object({
+ enabled = optional(bool, true)
+ short_name = optional(string, "pf")
+ cicd_config = optional(object({
+ identity_provider = string
+ repository = object({
+ name = string
+ branch = optional(string)
+ type = optional(string, "github")
+ })
+ }))
+ }), {})
+ security = optional(object({
+ enabled = optional(bool, true)
+ short_name = optional(string, "sec")
+ cicd_config = optional(object({
+ identity_provider = string
+ repository = object({
+ name = string
+ branch = optional(string)
+ type = optional(string, "github")
+ })
+ }))
+ folder_config = optional(object({
+ create_env_folders = optional(bool, false)
+ iam_by_principals = optional(map(list(string)), {})
+ name = optional(string, "Security")
+ parent_id = optional(string)
+ }), {})
+ }), {})
+ })
+ nullable = false
+ default = {}
+ # TODO: CI/CD validation
+}
+
+variable "fast_stage_3" {
+ description = "FAST stages 3 configurations."
+ type = map(object({
+ cicd_config = optional(object({
+ identity_provider = string
+ repository = object({
+ name = string
+ branch = optional(string)
+ type = optional(string, "github")
+ })
+ }))
+ folder_config = optional(object({
+ name = string
+ create_env_folders = optional(bool, false)
+ iam_by_principals = optional(map(list(string)), {})
+ parent_id = optional(string)
+ tag_bindings = optional(map(string), {})
+ }))
+ organization_iam_roles = optional(object({
+ ro = optional(list(string), [])
+ rw = optional(list(string), [])
+ }), {})
+ stage2_iam_roles = optional(object({
+ networking = optional(object({
+ ro = optional(list(string), [])
+ rw = optional(list(string), [])
+ }), {})
+ security_iam_roles = optional(object({
+ ro = optional(list(string), [])
+ rw = optional(list(string), [])
+ }), {})
+ }))
+ }))
+ nullable = false
+ default = {}
+ # TODO: CI/CD validation
+}
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 2d10a8d601..abdd250ea6 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
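Review bot: Both `fast_stage_2` and `fast_stage_3` end with `# TODO: CI/CD validation`, so `cicd_config.repository.type` accepts any string, while the `cicd_repositories` variable this patch removes from variables.tf rejected anything other than 'github' or 'gitlab' and required a provider. These values presumably decide which external repository identities end up behind the `cicd-sa-*` accounts that receive `roles/iam.serviceAccountTokenCreator` on the stage service accounts, so I would carry the type check over in this patch rather than leave it as a TODO. A validation block for `fast_stage_3` is sketched below; `fast_stage_2` needs the equivalent for each of its three stages. Separately, `security_iam_roles` inside `stage2_iam_roles` looks like it should be named `security`, to match `networking`.

```hcl
variable "fast_stage_3" {
  # … unchanged: description, type, nullable, default …
  validation {
    condition = alltrue([
      for k, v in var.fast_stage_3 : contains(
        ["github", "gitlab"],
        # a null cicd_config falls back to the declared default type
        try(v.cicd_config.repository.type, "github")
      )
    ])
    error_message = "Invalid repository type, supported types: 'github' or 'gitlab'."
  }
}
```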
@@ -17,108 +17,6 @@ # defaults for variables marked with global tfdoc annotations, can be set via # the tfvars file generated in stage 00 and stored in its outputs -variable "cicd_repositories" { - description = "CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed." - type = object({ - data_platform_dev = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - data_platform_prod = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - gke_dev = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - gke_prod = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - gcve_dev = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - gcve_prod = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - nsec = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - networking = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - project_factory = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - project_factory_dev = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - project_factory_prod = optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - security = 
optional(object({ - name = string - type = string - branch = optional(string) - identity_provider = optional(string) - })) - }) - default = null - validation { - condition = alltrue([ - for k, v in coalesce(var.cicd_repositories, {}) : - v == null || try(v.name, null) != null - ]) - error_message = "Non-null repositories need a non-null name." - } - validation { - condition = alltrue([ - for k, v in coalesce(var.cicd_repositories, {}) : - v == null || try(v.identity_provider, null) != null - ]) - error_message = "Non-null repositories need a non-null provider." - } - validation { - condition = alltrue([ - for k, v in coalesce(var.cicd_repositories, {}) : - v == null || ( - contains(["github", "gitlab"], coalesce(try(v.type, null), "null")) - ) - ]) - error_message = "Invalid repository type, supported types: 'github' or 'gitlab'." - } -} - variable "factories_config" { description = "Configuration for the resource factories or external data." type = object({ @@ -130,33 +28,6 @@ variable "factories_config" { default = {} } -variable "fast_features" { - description = "Selective control for top-level FAST features." - type = object({ - data_platform = optional(bool, false) - gke = optional(bool, false) - gcve = optional(bool, false) - nsec = optional(bool, false) - sandbox = optional(bool, false) - }) - default = {} - nullable = false -} - -variable "folder_iam" { - description = "Authoritative IAM for top-level folders." - type = object({ - data_platform = optional(map(list(string)), {}) - gcve = optional(map(list(string)), {}) - gke = optional(map(list(string)), {}) - sandbox = optional(map(list(string)), {}) - security = optional(map(list(string)), {}) - network = optional(map(list(string)), {}) - }) - nullable = false - default = {} -} - variable "outputs_location" { description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable." type = string 
From a0f258d1d62602d72751f0eaee83264c4034284a Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 23 Aug 2024 16:58:03 +0200 Subject: [PATCH 02/94] pllan testing --- fast/stages/1-resman/_moved-v34.0.0.tf | 68 +++++++++---------- fast/stages/1-resman/billing.tf | 4 +- fast/stages/1-resman/cicd.tf | 5 +- fast/stages/1-resman/main.tf | 22 +++--- fast/stages/1-resman/organization.tf | 12 ++-- fast/stages/1-resman/outputs-cicd.tf | 24 +++---- fast/stages/1-resman/outputs.tf | 28 ++++++-- fast/stages/1-resman/stage-2-networking.tf | 18 +++-- .../1-resman/stage-2-project-factory.tf | 19 +++++- fast/stages/1-resman/stage-2-security.tf | 16 ++--- fast/stages/1-resman/stage-3.tf | 8 +-- fast/stages/1-resman/variables-fast.tf | 4 +- fast/stages/1-resman/variables-stages.tf | 22 +++++- 13 files changed, 156 insertions(+), 94 deletions(-) diff --git a/fast/stages/1-resman/_moved-v34.0.0.tf b/fast/stages/1-resman/_moved-v34.0.0.tf index b6a0045e2e..e806d59757 100644 --- a/fast/stages/1-resman/_moved-v34.0.0.tf +++ b/fast/stages/1-resman/_moved-v34.0.0.tf 
@@ -18,71 +18,71 @@ moved { from = module.branch-network-folder - to = module.net-folder + to = module.net-folder[0] } moved { from = module.branch-network-prod-folder - to = module.net-folder-prod + to = module.net-folder-prod[0] } moved { from = module.branch-network-dev-folder - to = module.net-folder-dev + to = module.net-folder-dev[0] } moved { from = module.branch-network-sa - to = module.net-sa-rw + to = module.net-sa-rw[0] } moved { from = module.branch-network-r-sa - to = module.net-sa-ro + to = module.net-sa-ro[0] } moved { from = module.branch-network-gcs - to = module.net-bucket + to = module.net-bucket[0] } # stage 2 security moved { from = module.branch-security-folder - to = module.sec-folder + to = module.sec-folder[0] } moved { from = module.branch-security-prod-folder - to = module.sec-folder-prod + to = module.sec-folder-prod[0] } moved { from = module.branch-security-dev-folder - to = module.sec-folder-dev + to = module.sec-folder-dev[0] } moved { from = module.branch-security-sa - to = module.sec-sa-rw + to = module.sec-sa-rw[0] } moved { from = module.branch-security-r-sa - to = module.sec-sa-ro + to = module.sec-sa-ro[0] } moved { from = module.branch-security-gcs - to = module.sec-bucket + to = module.sec-bucket[0] } # stage 2 project factory -moved { - from = module.branch-pf-sa[0] - to = module.branch-pf-sa -} +# moved { +# from = module.branch-pf-sa[0] +# to = module.branch-pf-sa +# } moved { from = module.branch-pf-sa - to = module.pf-sa-rw -} -moved { - from = module.branch-pf-dev-sa[0] - to = module.sec-sa-ro + to = module.pf-sa-rw[0] } +# moved { +# from = module.branch-pf-r-sa[0] +# to = module.pf-sa-ro +# } moved { from = module.branch-pf-r-sa - to = module.sec-sa-ro + to = module.pf-sa-ro[0] } # stage 3 gcve 
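Review bot: The `moved` blocks for `module.branch-pf-sa[0]` and `module.branch-pf-r-sa[0]` are commented out with no explanation, and the `# stage 3 nsec` hunk that follows does the same for the unindexed `branch-nsec-*` addresses. If an existing state still holds one of those addresses, no `moved` block matches it and I would expect the plan to destroy and re-create the service account or bucket instead of moving it, which changes the account's identity and drops any grants made on it outside this stage; whether that can happen depends on how the old modules were declared, which these hunks do not show. Either delete the blocks or keep a single comment line that records the reason, for example `# unindexed form omitted: <why this address never appears in state>`. The plan output for `module.pf-sa-*` and `module.stage3-*["nsec"]` is the place to confirm there are no unexpected destroy actions.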
@@ -204,26 +204,26 @@ moved { # stage 3 nsec -moved { - from = module.branch-nsec-sa - to = module.stage3-sa-prod-rw["nsec"] -} +# moved { +# from = module.branch-nsec-sa +# to = module.stage3-sa-prod-rw["nsec"] +# } moved { from = module.branch-nsec-sa[0] to = module.stage3-sa-prod-rw["nsec"] } -moved { - from = module.branch-nsec-r-sa - to = module.stage3-sa-prod-ro["nsec"] -} +# moved { +# from = module.branch-nsec-r-sa +# to = module.stage3-sa-prod-ro["nsec"] +# } moved { from = module.branch-nsec-r-sa[0] to = module.stage3-sa-prod-ro["nsec"] } -moved { - from = module.branch-nsec-gcs - to = module.stage3-bucket-prod["nsec"] -} +# moved { +# from = module.branch-nsec-gcs +# to = module.stage3-bucket-prod["nsec"] +# } moved { from = module.branch-nsec-gcs[0] to = module.stage3-bucket-prod["nsec"] diff --git a/fast/stages/1-resman/billing.tf b/fast/stages/1-resman/billing.tf index 9f03d6e017..54fcaddda8 100644 --- a/fast/stages/1-resman/billing.tf +++ b/fast/stages/1-resman/billing.tf @@ -21,13 +21,13 @@ locals { # stage 2 var.fast_stage_2.networking.enabled != true ? {} : { sa_net_billing = { - member = module.net-sa-rw.iam_email + member = module.net-sa-rw[0].iam_email role = "roles/billing.user" } }, !var.fast_stage_2.security.enabled ? {} : { sa_sec_billing = { - member = module.sec-sa-rw.iam_email + member = module.sec-sa-rw[0].iam_email role = "roles/billing.user" } }, diff --git a/fast/stages/1-resman/cicd.tf b/fast/stages/1-resman/cicd.tf index 78b58aedab..a7d4d93805 100644 --- a/fast/stages/1-resman/cicd.tf +++ b/fast/stages/1-resman/cicd.tf @@ -45,7 +45,10 @@ locals { "1-resman.auto.tfvars.json", "0-globals.auto.tfvars.json" ] - stage_3 = [for k, v in local._cicd_configs.stage_2 : "2-${k}.auto.tfvars"] + stage_3 = [ + for k, v in local._cicd_configs : + "2-${k}.auto.tfvars" if v.lvl == 2 + ] } } diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf index b5a5030c63..732b5f0e96 100644 --- a/fast/stages/1-resman/main.tf 
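Review bot: In cicd.tf the new `stage_3` file list is built from `local._cicd_configs`, which (going by the context lines of the later cicd.tf hunk) only holds stages whose `cicd_config` is non-null, so a stage 3 workflow would leave out the tfvars of any stage 2 that is enabled but has no CI/CD repository of its own. The names are also taken from the variable keys, giving `2-project_factory.auto.tfvars`, while the provider outputs in outputs.tf use `2-project-factory`; whether the tfvars files use the hyphenated form is not visible here. I would iterate the stage definitions instead, `for k, v in var.fast_stage_2 : "2-${replace(k, "_", "-")}.auto.tfvars" if v.enabled`, once the real output file names are confirmed. The `locals` block starts and ends outside the hunk.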
+++ b/fast/stages/1-resman/main.tf @@ -41,33 +41,33 @@ locals { ) stage_service_accounts = merge( !var.fast_stage_2.networking.enabled ? {} : { - networking = module.net-sa-rw.email - networking-r = module.net-sa-ro.email + networking = module.net-sa-rw[0].email + networking-r = module.net-sa-ro[0].email }, !var.fast_stage_2.security.enabled ? {} : { - security = module.sec-sa-rw.email - security-r = module.sec-sa-ro.email + security = module.sec-sa-rw[0].email + security-r = module.sec-sa-ro[0].email }, - !var.fast_stage_2.project-factory.enabled ? {} : { - project-factory = module.pf-sa-rw.email - project-factory-r = module.pf-sa-ro.email + !var.fast_stage_2.project_factory.enabled ? {} : { + project-factory = module.pf-sa-rw[0].email + project-factory-r = module.pf-sa-ro[0].email }, { for k, v in var.fast_stage_3 : - k => module.stage3-sa-prod-rw.email + k => module.stage3-sa-prod-rw[k].email }, { for k, v in var.fast_stage_3 : - "${k}-r" => module.stage3-sa-prod-ro.email + "${k}-r" => module.stage3-sa-prod-ro[k].email }, { for k, v in var.fast_stage_3 : - "${k}-prod" => module.stage3-sa-prod-rw.email + "${k}-dev" => module.stage3-sa-dev-rw[k].email if v.folder_config.create_env_folders == true }, { for k, v in var.fast_stage_3 : - "${k}-dev-r" => module.stage3-sa-dev-ro.email + "${k}-dev-r" => module.stage3-sa-dev-ro[k].email if v.folder_config.create_env_folders == true } ) diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index 5e2d00aecc..f785032f6e 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf 
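Review bot: The stage 3 entries of `stage_service_accounts` iterate `var.fast_stage_3` but index modules whose `for_each` is `local.stage3_folders_create` (stage-3.tf), and the two dev filters read `v.folder_config.create_env_folders` although `folder_config` is declared `optional(object(...))` with no default. If that local is a filtered subset of the variable (its definition is outside this hunk), `module.stage3-sa-prod-rw[k]` fails for every key that was filtered out, and a stage with a null `folder_config` fails on the attribute access. Iterating the collection the modules themselves use keeps the keys aligned: `for k, v in local.stage3_folders_create :` in all four comprehensions, with `if try(v.folder_config.create_env_folders, false) == true` on the dev ones. The `locals` block continues outside the hunk.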
@@ -58,13 +58,13 @@ module "organization" { { for k, v in local.tag_values_stage2 : v => { iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], {}) + description = try(local.tags.context.values.description[v], null) } if var.fast_stage_2[k].enabled }, { for k, v in local.tag_values_stage3 : v => { iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], {}) + description = try(local.tags.context.values.description[v], null) } } ) @@ -75,9 +75,9 @@ module "organization" { values = { development = { iam = try(local.tags.environment.values.development.iam, {}) - iam_bindings = { + iam_bindings = !var.fast_stage_2.project_factory.enabled ? {} : { pf = { - members = compact([try(module.pf-sa-rw[0].iam_email, null)]) + members = [module.pf-sa-rw[0].iam_email] role = "roles/resourcemanager.tagUser" } } @@ -87,9 +87,9 @@ module "organization" { } production = { iam = try(local.tags.environment.values.production.iam, {}) - iam_bindings = { + iam_bindings = !var.fast_stage_2.project_factory.enabled ? {} : { pf = { - members = compact([try(module.pf-sa-rw[0].iam_email, null)]) + members = [module.pf-sa-rw[0].iam_email] role = "roles/resourcemanager.tagUser" } } diff --git a/fast/stages/1-resman/outputs-cicd.tf b/fast/stages/1-resman/outputs-cicd.tf index de693fd560..a1f5ea48c3 100644 --- a/fast/stages/1-resman/outputs-cicd.tf +++ b/fast/stages/1-resman/outputs-cicd.tf @@ -22,7 +22,7 @@ locals { } _cicd_workflow_attrs = merge( # stage 2 - lookup(local.cicd_repositories, "networking", null) == null ? {} : { + lookup(local.cicd_repositories, "networking", null) == null ? {} : tomap({ service_accounts = { apply = module.net-sa-rw[0].email plan = module.net-sa-ro[0].email 
@@ -33,15 +33,15 @@ locals { } tf_var_files = local.cicd_workflow_files.stage_2 audiences = try( - local.identity_providers[v.identity_provider].audiences, null + local.identity_providers[local.cicd_repositories.networking.identity_provider].audiences, null ) identity_provider = try( - local.identity_providers[v.identity_provider].name, null + local.identity_providers[local.cicd_repositories.networking.identity_provider].name, null ) outputs_bucket = var.automation.outputs_bucket stage_name = "networking" - }, - lookup(local.cicd_repositories, "security", null) == null ? {} : { + }), + lookup(local.cicd_repositories, "security", null) == null ? {} : tomap({ service_accounts = { apply = module.sec-sa-rw[0].email plan = module.sec-sa-ro[0].email @@ -52,15 +52,15 @@ locals { } tf_var_files = local.cicd_workflow_files.stage_2 audiences = try( - local.identity_providers[v.identity_provider].audiences, null + local.identity_providers[local.cicd_repositories.security.identity_provider].audiences, null ) identity_provider = try( - local.identity_providers[v.identity_provider].name, null + local.identity_providers[local.cicd_repositories.security.identity_provider].name, null ) outputs_bucket = var.automation.outputs_bucket stage_name = "security" - }, - lookup(local.cicd_repositories, "project_factory", null) == null ? {} : { + }), + lookup(local.cicd_repositories, "project_factory", null) == null ? {} : tomap({ service_accounts = { apply = module.pf-sa-rw[0].email plan = module.pf-sa-ro[0].email 
@@ -71,14 +71,14 @@ locals { } tf_var_files = local.cicd_workflow_files.stage_2 audiences = try( - local.identity_providers[v.identity_provider].audiences, null + local.identity_providers[local.cicd_repositories.project_factory.identity_provider].audiences, null ) identity_provider = try( - local.identity_providers[v.identity_provider].name, null + local.identity_providers[local.cicd_repositories.project_factory.identity_provider].name, null ) outputs_bucket = var.automation.outputs_bucket stage_name = "project-factory" - }, + }), # stage 3 { for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 51957405ed..2ca83079d6 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf 
@@ -38,33 +38,51 @@ locals { providers = merge( # stage 2 !var.fast_stage_2.networking.enabled ? {} : { - "2-networking" = templatefile(_tpl_providers, { + "2-networking" = templatefile(local._tpl_providers, { backend_extra = null bucket = module.net-bucket[0].name name = "networking" sa = module.net-sa-rw[0].email }) + "2-networking-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.net-bucket[0].name + name = "networking" + sa = module.net-sa-ro[0].email + }) }, !var.fast_stage_2.security.enabled ? {} : { - "2-security" = templatefile(_tpl_providers, { + "2-security" = templatefile(local._tpl_providers, { backend_extra = null bucket = module.sec-bucket[0].name name = "security" sa = module.sec-sa-rw[0].email }) + "2-security-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.sec-bucket[0].name + name = "security" + sa = module.sec-sa-ro[0].email + }) }, !var.fast_stage_2.project_factory.enabled ? {} : { - "2-project-factory" = templatefile(_tpl_providers, { + "2-project-factory" = templatefile(local._tpl_providers, { backend_extra = null bucket = module.pf-bucket[0].name name = "project-factory" sa = module.pf-sa-rw[0].email }) + "2-project-factory-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket[0].name + name = "project-factory" + sa = module.pf-sa-ro[0].email + }) }, # stage 3 { for k, v in var.fast_stage_3 : - "3-${k}-prod" => templatefile(_tpl_providers, { + "3-${k}-prod" => templatefile(local._tpl_providers, { backend_extra = null bucket = module.stage3-bucket-prod[k].name name = "${k}-prod" @@ -73,7 +91,7 @@ locals { }, { for k, v in var.fast_stage_3 : - "3-${k}-dev" => templatefile(_tpl_providers, { + "3-${k}-dev" => templatefile(local._tpl_providers, { backend_extra = null bucket = module.stage3-bucket-dev[k].name name = "${k}-dev" 
diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index b4bdc9ce60..78dfe2aea1 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -62,15 +62,19 @@ module "net-folder" { "roles/serviceusage.serviceUsageConsumer" = [ try(module.sec-sa-ro[0].iam_email, null) ] + }, + try(var.custom_roles["network_firewall_policies_admin"], null) == null ? {} : { (var.custom_roles["network_firewall_policies_admin"]) = [ try(module.sec-sa-rw[0].iam_email, null) ] + }, + try(var.custom_roles["network_firewall_policies_viewer"], null) == null ? {} : { (var.custom_roles["network_firewall_policies_viewer"]) = [ try(module.sec-sa-ro[0].iam_email, null) ] }, # stage 3s service accounts (if not using environment folders) - each.value.folder_config.create_env_folders == true ? {} : { + var.fast_stage_2.networking.folder_config.create_env_folders == true ? {} : { for role, attrs in local.net_stage3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" @@ -96,8 +100,8 @@ module "net-folder" { module "net-folder-prod" { source = "../../../modules/folder" - count = net_use_env_folders ? 1 : 0 - parent = module.net-folder.id + count = local.net_use_env_folders ? 1 : 0 + parent = module.net-folder[0].id name = "Production" iam = { # stage 3s service accounts @@ -119,8 +123,8 @@ module "net-folder-prod" { module "net-folder-dev" { source = "../../../modules/folder" - count = net_use_env_folders ? 1 : 0 - parent = module.net-folder.id + count = local.net_use_env_folders ? 1 : 0 + parent = module.net-folder[0].id name = "Development" iam = { # stage 3s service accounts 
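Review bot: The two new guards in `module "net-folder"` test that the custom role exists, but the member lists they wrap are still `[try(module.sec-sa-rw[0].iam_email, null)]` and `[try(module.sec-sa-ro[0].iam_email, null)]`, which evaluate to `[null]` when the security stage is disabled. The service account modules in stage-3.tf wrap the same pattern in `compact()`, and a null member is likely to be rejected by the folder module, which is not shown here. I would write `compact([try(module.sec-sa-rw[0].iam_email, null)])` and the `-ro` equivalent for the viewer role. The `iam` argument these entries belong to starts above the hunk.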
@@ -195,7 +199,7 @@ module "net-bucket" { storage_class = local.gcs_storage_class versioning = true iam = { - "roles/storage.objectAdmin" = [module.net-sa-rw.iam_email] - "roles/storage.objectViewer" = [module.net-sa-ro.iam_email] + "roles/storage.objectAdmin" = [module.net-sa-rw[0].iam_email] + "roles/storage.objectViewer" = [module.net-sa-ro[0].iam_email] } } diff --git a/fast/stages/1-resman/stage-2-project-factory.tf b/fast/stages/1-resman/stage-2-project-factory.tf index caa7ae3946..0f5c38b3c9 100644 --- a/fast/stages/1-resman/stage-2-project-factory.tf +++ b/fast/stages/1-resman/stage-2-project-factory.tf @@ -40,7 +40,7 @@ module "pf-sa-ro" { source = "../../../modules/iam-service-account" count = var.fast_stage_2.project_factory.enabled ? 1 : 0 project_id = var.automation.project_id - name = "prod-resman-${var.fast_stage_2.project_factory.short_name}-0r" + name = "resman-${var.fast_stage_2.project_factory.short_name}-0r" display_name = "Terraform resman project factory main service account (read-only)." prefix = var.prefix iam = { @@ -55,3 +55,20 @@ module "pf-sa-ro" { (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] } } + +# automation bucket + +module "pf-bucket" { + source = "../../../modules/gcs" + count = var.fast_stage_2.project_factory.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "prod-resman-${var.fast_stage_2.project_factory.short_name}-0" + prefix = var.prefix + location = var.locations.gcs + storage_class = local.gcs_storage_class + versioning = true + iam = { + "roles/storage.objectAdmin" = [module.pf-sa-rw[0].iam_email] + "roles/storage.objectViewer" = [module.pf-sa-ro[0].iam_email] + } +} diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 4b5dcc7ed1..1ff5c3464c 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf 
@@ -54,7 +54,7 @@ module "sec-folder" { "roles/resourcemanager.folderViewer" = [module.sec-sa-ro[0].iam_email] }, # stage 3s service accounts (if not using environment folders) - each.value.folder_config.create_env_folders == true ? {} : { + var.fast_stage_2.security.folder_config.create_env_folders == true ? {} : { for role, attrs in local.sec_stage3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" @@ -67,7 +67,7 @@ module "sec-folder" { iam_bindings = var.fast_stage_2.project_factory.enabled != true ? {} : { pf_delegated_grant = { role = "roles/resourcemanager.projectIamAdmin" - members = module.pf-sa-rw[0].iam_email + members = [module.pf-sa-rw[0].iam_email] condition = { expression = format( "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", @@ -94,8 +94,8 @@ module "sec-folder" { module "sec-folder-prod" { source = "../../../modules/folder" - count = sec_use_env_folders ? 1 : 0 - parent = module.sec-folder.id + count = local.sec_use_env_folders ? 1 : 0 + parent = module.sec-folder[0].id name = "Production" iam = { # stage 3s service accounts @@ -117,8 +117,8 @@ module "sec-folder-prod" { module "sec-folder-dev" { source = "../../../modules/folder" - count = sec_use_env_folders ? 1 : 0 - parent = module.sec-folder.id + count = local.sec_use_env_folders ? 1 : 0 + parent = module.sec-folder[0].id name = "Development" iam = { # stage 3s service accounts @@ -193,7 +193,7 @@ module "sec-bucket" { storage_class = local.gcs_storage_class versioning = true iam = { - "roles/storage.objectAdmin" = [module.sec-sa-rw.iam_email] - "roles/storage.objectViewer" = [module.sec-sa-ro.iam_email] + "roles/storage.objectAdmin" = [module.sec-sa-rw[0].iam_email] + "roles/storage.objectViewer" = [module.sec-sa-ro[0].iam_email] } } diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index 6f590c36f1..0f6f08aa8a 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf 
@@ -32,7 +32,7 @@ locals { ] } stage3_sa_roles_in_org = flatten([ - for k, v in var.stage_3 : [ + for k, v in var.fast_stage_3 : [ [ for sa, roles in v.organization_iam_roles : [ for r in roles : [ @@ -49,15 +49,15 @@ locals { ]) # TODO: this would be better and more narrowly handled from stage 2 projects stage3_sa_roles_in_stage2 = flatten([ - for k, v in var.stage_3 : [ + for k, v in var.fast_stage_3 : [ for s2, attrs in v.stage2_iam_roles : [ for sa, roles in attrs : [ for role in roles : [ [ - { env = "prod", role = r, sa = sa, s2 = s2, s3 = k } + { env = "prod", role = role, sa = sa, s2 = s2, s3 = k } ], v.folder_config.create_env_folders != true ? [] : [ - { env = "dev", role = r, sa = sa, s2 = s2, s3 = k } + { env = "dev", role = role, sa = sa, s2 = s2, s3 = k } ] ] ] diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf index 1418d91ef1..bf9fbe6e44 100644 --- a/fast/stages/1-resman/variables-fast.tf +++ b/fast/stages/1-resman/variables-fast.tf @@ -56,8 +56,8 @@ variable "custom_roles" { type = object({ gcve_network_admin = string network_firewall_policies_admin = string - ngfw_enterprise_admin = string - ngfw_enterprise_viewer = string + ngfw_enterprise_admin = optional(string) + ngfw_enterprise_viewer = optional(string) organization_admin_viewer = string service_project_network_admin = string storage_viewer = string diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index 653e152b45..ecb6ef37ca 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf @@ -33,6 +33,7 @@ variable "fast_stage_2" { create_env_folders = optional(bool, false) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Networking") + parent_id = optional(string) }), {}) }), {}) project_factory = optional(object({ 
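Review bot: `stage3_sa_roles_in_stage2` in stage-3.tf iterates `v.stage2_iam_roles` directly, but variables-stages.tf declares that attribute as `optional(object({...}))` with no default, so it is null for every stage 3 that does not set it, including the three defaults this patch adds. A `for` expression over a null value fails at plan time. Closing the attribute's type with `}), {})`, the way `organization_iam_roles` is closed, gives it an empty default and needs no change to the local. The `locals` block starts and ends outside the hunk.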
@@ -105,6 +106,25 @@ variable "fast_stage_3" { })) })) nullable = false - default = {} + default = { + data-platform = { + folder_config = { + name = "Data Platform" + create_env_folders = true + } + } + gcve = { + folder_config = { + name = "GCVE" + create_env_folders = true + } + } + data-platform = { + folder_config = { + name = "GKE" + create_env_folders = true + } + } + } # TODO: CI/CD validation } From 86d0e6db7ec97e92db56c584fb841a3d7e7be5d8 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 24 Aug 2024 11:15:23 +0200 Subject: [PATCH 03/94] fix stage 2s --- fast/stages/1-resman/_moved-v34.0.0.tf | 16 ++ fast/stages/1-resman/cicd.tf | 12 +- fast/stages/1-resman/outputs-cicd.tf | 148 ++++++++++-------- fast/stages/1-resman/stage-2-networking.tf | 2 + .../1-resman/stage-2-project-factory.tf | 4 +- fast/stages/1-resman/stage-2-security.tf | 2 + fast/stages/1-resman/stage-3.tf | 26 +-- fast/stages/1-resman/variables-stages.tf | 42 ++--- 8 files changed, 146 insertions(+), 106 deletions(-) diff --git a/fast/stages/1-resman/_moved-v34.0.0.tf b/fast/stages/1-resman/_moved-v34.0.0.tf index e806d59757..4d68172af4 100644 --- a/fast/stages/1-resman/_moved-v34.0.0.tf +++ b/fast/stages/1-resman/_moved-v34.0.0.tf @@ -40,6 +40,14 @@ moved { from = module.branch-network-gcs to = module.net-bucket[0] } +moved { + from = module.branch-network-sa-cicd["0"] + to = module.cicd-sa-rw["networking"] +} +moved { + from = module.branch-network-r-sa-cicd["0"] + to = module.cicd-sa-ro["networking"] +} # stage 2 security moved { @@ -66,6 +74,14 @@ moved { from = module.branch-security-gcs to = module.sec-bucket[0] } +moved { + from = module.branch-security-sa-cicd["0"] + to = module.cicd-sa-rw["security"] +} +moved { + from = module.branch-security-r-sa-cicd["0"] + to = module.cicd-sa-ro["security"] +} # stage 2 project factory # moved { diff --git a/fast/stages/1-resman/cicd.tf b/fast/stages/1-resman/cicd.tf index a7d4d93805..0440a280c2 100644 --- a/fast/stages/1-resman/cicd.tf 
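Review bot: The new default for `fast_stage_3` uses the key `data-platform` twice, and the second entry carries `name = "GKE"`, so it was presumably meant to be `gke = {`. As written the object constructor has a duplicate key, which Terraform will either reject or collapse into a single entry, and in both cases no `gke` stage is defined. Renaming the third key to `gke` gives the three stages that the folder names suggest.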
+++ b/fast/stages/1-resman/cicd.tf @@ -18,17 +18,23 @@ locals { _cicd_configs = merge( { for k, v in var.fast_stage_2 : - k => merge(v.cicd_config, { env = "prod", lvl = 2 }) + k => merge(v.cicd_config, { + env = "prod", short_name = v.short_name, lvl = 2 + }) if v.cicd_config != null }, { for k, v in var.fast_stage_3 : - "${k}-prod" => merge(v.cicd_config, { env = "prod", short_name = k, lvl = 3 }) + "${k}-prod" => merge(v.cicd_config, { + env = "prod", short_name = coalesce(v.short_name, k), lvl = 3 + }) if v.cicd_config != null }, { for k, v in var.fast_stage_3 : - "${k}-dev" => merge(v.cicd_config, { env = "dev", short_name = k, lvl = 3 }) + "${k}-dev" => merge(v.cicd_config, { + env = "dev", short_name = coalesce(v.short_name, k), lvl = 3 + }) if v.cicd_config != null && v.folder_config.create_env_folders == true }, ) diff --git a/fast/stages/1-resman/outputs-cicd.tf b/fast/stages/1-resman/outputs-cicd.tf index a1f5ea48c3..b729f766df 100644 --- a/fast/stages/1-resman/outputs-cicd.tf +++ b/fast/stages/1-resman/outputs-cicd.tf @@ -13,7 +13,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - locals { cicd_workflows = { for k, v in local._cicd_workflow_attrs : k => templatefile( 
@@ -21,76 +20,98 @@ locals { ) } _cicd_workflow_attrs = merge( - # stage 2 - lookup(local.cicd_repositories, "networking", null) == null ? {} : tomap({ - service_accounts = { - apply = module.net-sa-rw[0].email - plan = module.net-sa-ro[0].email - } - tf_providers_files = { - apply = "2-networking-providers.tf" - plan = "2-networking-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_2 - audiences = try( - local.identity_providers[local.cicd_repositories.networking.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.networking.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - stage_name = "networking" - }), - lookup(local.cicd_repositories, "security", null) == null ? {} : tomap({ - service_accounts = { - apply = module.sec-sa-rw[0].email - plan = module.sec-sa-ro[0].email - } - tf_providers_files = { - apply = "2-security-providers.tf" - plan = "2-security-providers-r.tf" + # stage 2s (cannot use a loop as we need explicit module references) + lookup(local.cicd_repositories, "networking", null) == null ? 
{} : { + networking = { + audiences = try( + local.identity_providers[local.cicd_repositories.networking.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[local.cicd_repositories.networking.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + service_accounts = { + apply = module.net-sa-rw[0].email + plan = module.net-sa-ro[0].email + } + repository = local.cicd_repositories.networking.repository + stage_name = "networking" + tf_providers_files = { + apply = "2-networking-providers.tf" + plan = "2-networking-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 } - tf_var_files = local.cicd_workflow_files.stage_2 - audiences = try( - local.identity_providers[local.cicd_repositories.security.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.security.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - stage_name = "security" - }), - lookup(local.cicd_repositories, "project_factory", null) == null ? {} : tomap({ - service_accounts = { - apply = module.pf-sa-rw[0].email - plan = module.pf-sa-ro[0].email + }, + lookup(local.cicd_repositories, "security", null) == null ? 
{} : { + security = { + audiences = try( + local.identity_providers[local.cicd_repositories.security.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[local.cicd_repositories.security.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + repository = local.cicd_repositories.security.repository + service_accounts = { + apply = module.sec-sa-rw[0].email + plan = module.sec-sa-ro[0].email + } + repository = local.cicd_repositories.security.repository + tf_providers_files = { + apply = "2-security-providers.tf" + plan = "2-security-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 } - tf_providers_files = { - apply = "2-project-factory-providers.tf" - plan = "2-project-factory-providers-r.tf" + }, + lookup(local.cicd_repositories, "project_factory", null) == null ? {} : { + project_factory = { + audiences = try( + local.identity_providers[local.cicd_repositories.project_factory.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[local.cicd_repositories.project_factory.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + repository = local.cicd_repositories.project_factory.repository + service_accounts = { + apply = module.pf-sa-rw[0].email + plan = module.pf-sa-ro[0].email + } + stage_name = "project-factory" + tf_providers_files = { + apply = "2-project-factory-providers.tf" + plan = "2-project-factory-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 } - tf_var_files = local.cicd_workflow_files.stage_2 - audiences = try( - local.identity_providers[local.cicd_repositories.project_factory.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.project_factory.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - stage_name = "project-factory" - }), + }, # stage 3 { for k, v in 
local.cicd_repositories : "${v.lvl}-${k}" => { + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + repository = v.repository service_accounts = { apply = module.stage3-sa-prod-rw[0].email plan = module.stage3-sa-prod-ro[0].email } + stage_name = v.short_name tf_providers_files = { apply = "${v.lvl}-${k}-providers.tf" plan = "${v.lvl}-${k}-providers-r.tf" } tf_var_files = local.cicd_workflow_files.stage_3 + } if v.lvl == 3 && v.env == "prod" + }, + { + for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { audiences = try( local.identity_providers[v.identity_provider].audiences, null ) @@ -98,28 +119,17 @@ locals { local.identity_providers[v.identity_provider].name, null ) outputs_bucket = var.automation.outputs_bucket - stage_name = v.short_name - } if v.lvl == 3 && v.env == "prod" - }, - { - for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { + repository = v.repository service_accounts = { apply = module.stage3-sa-dev-rw[0].email plan = module.stage3-sa-dev-ro[0].email } + stage_name = v.short_name tf_providers_files = { apply = "${v.lvl}-${k}-providers.tf" plan = "${v.lvl}-${k}-providers-r.tf" } tf_var_files = local.cicd_workflow_files.stage_3 - audiences = try( - local.identity_providers[v.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[v.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - stage_name = v.short_name } if v.lvl == 3 && v.env == "dev" } ) diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index 78dfe2aea1..5755f9e481 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf 
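Review bot: In the rewritten `security` entry, `repository = local.cicd_repositories.security.repository` is set twice and `stage_name` is no longer set, while the `networking` and `project_factory` entries set `repository` once and keep their `stage_name`. The block this hunk replaces carried `stage_name = "security"`, so if the workflow template reads that attribute the security workflow will fail to render or come out without a stage name. Replace the second `repository` line with `stage_name = "security"`. The enclosing `locals` block starts outside the hunk.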
@@ -34,6 +34,8 @@ locals { } } +# top-level folder + module "net-folder" { source = "../../../modules/folder" count = var.fast_stage_2.networking.enabled ? 1 : 0 diff --git a/fast/stages/1-resman/stage-2-project-factory.tf b/fast/stages/1-resman/stage-2-project-factory.tf index 0f5c38b3c9..129c8bc69b 100644 --- a/fast/stages/1-resman/stage-2-project-factory.tf +++ b/fast/stages/1-resman/stage-2-project-factory.tf @@ -20,7 +20,7 @@ module "pf-sa-rw" { source = "../../../modules/iam-service-account" count = var.fast_stage_2.project_factory.enabled ? 1 : 0 project_id = var.automation.project_id - name = "prod-resman-${var.fast_stage_2.project_factory.short_name}-0" + name = "resman-${var.fast_stage_2.project_factory.short_name}-0" display_name = "Terraform resman project factory main service account." prefix = var.prefix iam = { @@ -62,7 +62,7 @@ module "pf-bucket" { source = "../../../modules/gcs" count = var.fast_stage_2.project_factory.enabled ? 1 : 0 project_id = var.automation.project_id - name = "prod-resman-${var.fast_stage_2.project_factory.short_name}-0" + name = "resman-${var.fast_stage_2.project_factory.short_name}-0" prefix = var.prefix location = var.locations.gcs storage_class = local.gcs_storage_class diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 1ff5c3464c..2446c1d34f 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf @@ -34,6 +34,8 @@ locals { } } +# top-level folder + module "sec-folder" { source = "../../../modules/folder" count = var.fast_stage_2.security.enabled ? 1 : 0 diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index 0f6f08aa8a..8610eabd18 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf @@ -66,6 +66,8 @@ locals { ]) } +# top-level folder + module "stage3-folder" { source = "../../../modules/folder" for_each = local.stage3_folders_create 
@@ -78,11 +80,11 @@ module "stage3-folder" { iam = each.value.folder_config.create_env_folders == true ? {} : merge( { for r in local.stage3_iam_roles.rw : - r => module.stage3-sa-prod-rw[each.key].iam_email + r => [module.stage3-sa-prod-rw[each.key].iam_email] }, { for r in local.stage3_iam_roles.ro : - r => module.stage3-sa-prod-ro[each.key].iam_email + r => [module.stage3-sa-prod-ro[each.key].iam_email] } ) iam_by_principals = each.value.folder_config.iam_by_principals @@ -102,11 +104,11 @@ module "stage3-folder-prod" { iam = merge( { for r in local.stage3_iam_roles.rw : - r => module.stage3-sa-prod-rw[each.key].iam_email + r => [module.stage3-sa-prod-rw[each.key].iam_email] }, { for r in local.stage3_iam_roles.ro : - r => module.stage3-sa-prod-ro[each.key].iam_email + r => [module.stage3-sa-prod-ro[each.key].iam_email] } ) tag_bindings = { @@ -128,11 +130,11 @@ module "stage3-folder-dev" { iam = merge( { for r in local.stage3_iam_roles.rw : - r => module.stage3-sa-dev-rw[each.key].iam_email + r => [module.stage3-sa-dev-rw[each.key].iam_email] }, { for r in local.stage3_iam_roles.ro : - r => module.stage3-sa-dev-ro[each.key].iam_email + r => [module.stage3-sa-dev-ro[each.key].iam_email] } ) tag_bindings = { @@ -149,7 +151,7 @@ module "stage3-sa-prod-rw" { source = "../../../modules/iam-service-account" for_each = local.stage3_folders_create project_id = var.automation.project_id - name = "prod-resman-${each.key}-0" + name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" display_name = "Terraform resman ${each.key} service account." prefix = var.prefix iam = { @@ -169,7 +171,7 @@ module "stage3-sa-prod-ro" { source = "../../../modules/iam-service-account" for_each = local.stage3_folders_create project_id = var.automation.project_id - name = "prod-resman-${each.key}-0r" + name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0r" display_name = "Terraform resman ${each.key} service account (read-only)." prefix = var.prefix iam = { 
@@ -191,7 +193,7 @@ module "stage3-bucket-prod" { source = "../../../modules/gcs" for_each = local.stage3_folders_create project_id = var.automation.project_id - name = "prod-resman-${each.key}-0" + name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" prefix = var.prefix location = var.locations.gcs storage_class = local.gcs_storage_class @@ -211,7 +213,7 @@ module "stage3-sa-dev-rw" { k => v if v.folder_config.create_env_folders == true } project_id = var.automation.project_id - name = "dev-resman-${each.key}-0" + name = "dev-resman-${coalesce(each.value.short_name, each.key)}-0" display_name = "Terraform resman ${each.key} service account." prefix = var.prefix iam = { @@ -234,7 +236,7 @@ module "stage3-sa-dev-ro" { k => v if v.folder_config.create_env_folders == true } project_id = var.automation.project_id - name = "dev-resman-${each.key}-0r" + name = "dev-resman-${coalesce(each.value.short_name, each.key)}-0r" display_name = "Terraform resman ${each.key} service account (read-only)." prefix = var.prefix iam = { @@ -259,7 +261,7 @@ module "stage3-bucket-dev" { k => v if v.folder_config.create_env_folders == true } project_id = var.automation.project_id - name = "dev-resman-${each.key}-0" + name = "dev-resman-${coalesce(each.value.short_name, each.key)}-0" prefix = var.prefix location = var.locations.gcs storage_class = local.gcs_storage_class diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index ecb6ef37ca..9d2cfb59e8 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf @@ -30,7 +30,7 @@ variable "fast_stage_2" { }) })) folder_config = optional(object({ - create_env_folders = optional(bool, false) + create_env_folders = optional(bool, true) iam_by_principals = optional(map(list(string)), {}) name = optional(string, "Networking") parent_id = optional(string) 
@@ -75,6 +75,7 @@ variable "fast_stage_2" { variable "fast_stage_3" { description = "FAST stages 3 configurations." type = map(object({ + short_name = optional(string) cicd_config = optional(object({ identity_provider = string repository = object({ @@ -103,28 +104,29 @@ variable "fast_stage_3" { ro = optional(list(string), []) rw = optional(list(string), []) }), {}) - })) + }), {}) })) nullable = false default = { - data-platform = { - folder_config = { - name = "Data Platform" - create_env_folders = true - } - } - gcve = { - folder_config = { - name = "GCVE" - create_env_folders = true - } - } - data-platform = { - folder_config = { - name = "GKE" - create_env_folders = true - } - } + # data-platform = { + # short_name = "dp" + # folder_config = { + # name = "Data Platform" + # create_env_folders = true + # } + # } + # gcve = { + # folder_config = { + # name = "GCVE" + # create_env_folders = true + # } + # } + # gke = { + # folder_config = { + # name = "GKE" + # create_env_folders = true + # } + # } } # TODO: CI/CD validation } From 2ce6176e6a7788820432d5f2e208fdf1e249bc0f Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 24 Aug 2024 13:29:18 +0200 Subject: [PATCH 04/94] move providers to their own file --- fast/stages/1-resman/outputs-providers.tf | 119 ++++++++++++++++++++++ fast/stages/1-resman/outputs.tf | 75 -------------- 2 files changed, 119 insertions(+), 75 deletions(-) create mode 100644 fast/stages/1-resman/outputs-providers.tf diff --git a/fast/stages/1-resman/outputs-providers.tf b/fast/stages/1-resman/outputs-providers.tf new file mode 100644 index 0000000000..ad57d0da07 --- /dev/null +++ b/fast/stages/1-resman/outputs-providers.tf 
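Review bot: `short_name` is added with no validation, and the stage-3.tf hunks of this commit interpolate it directly into service account and bucket names (`"prod-resman-${coalesce(each.value.short_name, each.key)}-0"`, with `var.prefix` prepended by the module). Service account IDs are limited to 30 characters and to lowercase letters, digits and hyphens, so an overlong or mixed-case value only fails at apply time, after other resources may already have been created. A `validation` block next to the existing `# TODO: CI/CD validation` could reject it at plan time, for example with the condition `alltrue([for k, v in var.fast_stage_3 : can(regex("^[a-z][a-z0-9-]*$", coalesce(v.short_name, k)))])`. The variable block starts outside this hunk.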
@@ -0,0 +1,119 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + _tpl_providers = "${path.module}/templates/providers.tf.tpl" + providers = merge( + # stage 2 + !var.fast_stage_2.networking.enabled ? {} : { + "2-networking" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.net-bucket[0].name + name = "networking" + sa = module.net-sa-rw[0].email + }) + "2-networking-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.net-bucket[0].name + name = "networking" + sa = module.net-sa-ro[0].email + }) + }, + !var.fast_stage_2.security.enabled ? {} : { + "2-security" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.sec-bucket[0].name + name = "security" + sa = module.sec-sa-rw[0].email + }) + "2-security-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.sec-bucket[0].name + name = "security" + sa = module.sec-sa-ro[0].email + }) + }, + !var.fast_stage_2.project_factory.enabled ? {} : { + "2-project-factory" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket[0].name + name = "project-factory" + sa = module.pf-sa-rw[0].email + }) + "2-project-factory-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket[0].name + name = "project-factory" + sa = module.pf-sa-ro[0].email + }) + }, + !local.pf_use_envs ? 
{} : { + "2-project-factory-dev" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket-dev[0].name + name = "project-factory-dev" + sa = module.pf-sa-dev-rw[0].email + }) + "2-project-factory-dev-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket-dev[0].name + name = "project-factory-dev" + sa = module.pf-sa-dev-ro[0].email + }) + "2-project-factory-prod" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket-prod[0].name + name = "project-factory-prod" + sa = module.pf-sa-prod-rw[0].email + }) + "2-project-factory-prod-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket-prod[0].name + name = "project-factory-prod" + sa = module.pf-sa-prod-ro[0].email + }) + }, + # stage 3 + { + for k, v in var.fast_stage_3 : + "3-${k}-prod" => templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.stage3-bucket-prod[k].name + name = "${k}-prod" + sa = module.stage3-sa-prod-rw[k].email + }) + }, + { + for k, v in var.fast_stage_3 : + "3-${k}-dev" => templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.stage3-bucket-dev[k].name + name = "${k}-dev" + sa = module.stage3-sa-dev-rw[k].email + }) if v.folder_config.create_env_folders + }, + # top-level folders + { + for k, v in module.top-level-sa : + "1-resman-folder-${k}" => templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.top-level-bucket[k].name + name = k + sa = v.email + }) + }, + ) +} diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 2ca83079d6..0c1de45c06 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf @@ -15,7 +15,6 @@ */ locals { - _tpl_providers = "${path.module}/templates/providers.tf.tpl" folder_ids = merge( # stage 2 !var.fast_stage_2.networking.enabled ? {} : { 
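Review bot: The stage 3 comprehensions in the new `providers` local emit only read-write provider files (`3-${k}-prod` and `3-${k}-dev`, both backed by the `-rw` service account), while every stage 2 entry has an `-r` twin and outputs-cicd.tf points plan jobs at `${v.lvl}-${k}-providers-r.tf`. Without a read-only variant, a stage 3 plan run has no matching provider file, and the likely workaround is to plan with the read-write identity, which defeats the rw/ro split. Add `-r` entries backed by `module.stage3-sa-prod-ro` and `module.stage3-sa-dev-ro`; the prod one is sketched below and the dev one follows the same shape with the `create_env_folders` filter. Separately, the `!local.pf_use_envs` branch references `local.pf_use_envs`, `module.pf-bucket-dev`, `module.pf-sa-prod-rw` and similar names that no visible hunk defines, so confirm they exist.

```hcl
    # … unchanged: stage 2 entries and the stage 3 read-write comprehensions …
    {
      for k, v in var.fast_stage_3 :
      "3-${k}-prod-r" => templatefile(local._tpl_providers, {
        backend_extra = null
        bucket        = module.stage3-bucket-prod[k].name
        name          = "${k}-prod"
        sa            = module.stage3-sa-prod-ro[k].email
      })
    },
    # … unchanged: top-level folders …
```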
@@ -35,80 +34,6 @@ locals { # top-level folders { for k, v in module.top-level-folder : k => v.id } ) - providers = merge( - # stage 2 - !var.fast_stage_2.networking.enabled ? {} : { - "2-networking" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.net-bucket[0].name - name = "networking" - sa = module.net-sa-rw[0].email - }) - "2-networking-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.net-bucket[0].name - name = "networking" - sa = module.net-sa-ro[0].email - }) - }, - !var.fast_stage_2.security.enabled ? {} : { - "2-security" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.sec-bucket[0].name - name = "security" - sa = module.sec-sa-rw[0].email - }) - "2-security-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.sec-bucket[0].name - name = "security" - sa = module.sec-sa-ro[0].email - }) - }, - !var.fast_stage_2.project_factory.enabled ? {} : { - "2-project-factory" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket[0].name - name = "project-factory" - sa = module.pf-sa-rw[0].email - }) - "2-project-factory-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket[0].name - name = "project-factory" - sa = module.pf-sa-ro[0].email - }) - }, - # stage 3 - { - for k, v in var.fast_stage_3 : - "3-${k}-prod" => templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.stage3-bucket-prod[k].name - name = "${k}-prod" - sa = module.stage3-sa-prod-rw[k].email - }) - }, - { - for k, v in var.fast_stage_3 : - "3-${k}-dev" => templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.stage3-bucket-dev[k].name - name = "${k}-dev" - sa = module.stage3-sa-dev-rw[k].email - }) if v.folder_config.create_env_folders - }, - # top-level folders - { - for k, v in module.top-level-sa : - "1-resman-folder-${k}" => 
templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.top-level-bucket[k].name - name = k - sa = v.email - }) - }, - ) service_accounts = merge(local.stage_service_accounts, { for k, v in module.top-level-sa : k => try(v.email) }) From 1e98cab63a01548688882a966d53f5ed109f9ed4 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 24 Aug 2024 16:44:35 +0200 Subject: [PATCH 05/94] single-environment stage 3 --- fast/stages/1-resman/billing.tf | 14 +- fast/stages/1-resman/cicd.tf | 21 +- fast/stages/1-resman/iam.tf | 14 +- fast/stages/1-resman/main.tf | 14 +- fast/stages/1-resman/organization.tf | 51 +++-- fast/stages/1-resman/outputs-cicd.tf | 28 +-- fast/stages/1-resman/outputs-providers.tf | 44 +--- fast/stages/1-resman/outputs.tf | 2 - fast/stages/1-resman/stage-2-networking.tf | 12 +- fast/stages/1-resman/stage-2-security.tf | 12 +- fast/stages/1-resman/stage-3.tf | 232 ++++----------------- fast/stages/1-resman/variables-stages.tf | 15 +- 12 files changed, 114 insertions(+), 345 deletions(-) diff --git a/fast/stages/1-resman/billing.tf b/fast/stages/1-resman/billing.tf index 54fcaddda8..c56cb95bc1 100644 --- a/fast/stages/1-resman/billing.tf +++ b/fast/stages/1-resman/billing.tf @@ -41,20 +41,12 @@ locals { role = "roles/billing.costsManager" } }, - # stage 3 prod + # stage 3 { - for k, v in var.fast_stage_3 : "${k}-prod" => { - member = module.stage3-sa-prod-rw[k].iam_email + for k, v in var.fast_stage_3 : k => { + member = module.stage3-sa-rw[k].iam_email role = "roles/billing.user" } - }, - # stage 3 dev - { - for k, v in var.fast_stage_3 : "${k}-dev" => { - member = module.stage3-sa-dev-rw[k].iam_email - role = "roles/billing.user" - } - if v.folder_config.create_env_folders == true } ) billing_mode = ( diff --git a/fast/stages/1-resman/cicd.tf b/fast/stages/1-resman/cicd.tf index 0440a280c2..6b5a56f781 100644 --- a/fast/stages/1-resman/cicd.tf +++ b/fast/stages/1-resman/cicd.tf 
@@ -25,18 +25,11 @@ locals { }, { for k, v in var.fast_stage_3 : - "${k}-prod" => merge(v.cicd_config, { - env = "prod", short_name = coalesce(v.short_name, k), lvl = 3 + k => merge(v.cicd_config, { + env = v.environment, short_name = coalesce(v.short_name, k), lvl = 3 }) if v.cicd_config != null - }, - { - for k, v in var.fast_stage_3 : - "${k}-dev" => merge(v.cicd_config, { - env = "dev", short_name = coalesce(v.short_name, k), lvl = 3 - }) - if v.cicd_config != null && v.folder_config.create_env_folders == true - }, + } ) # filter by valid identity provider and type cicd_repositories = { @@ -62,11 +55,11 @@ module "cicd-sa-rw" { source = "../../../modules/iam-service-account" for_each = local.cicd_repositories project_id = var.automation.project_id - name = "${each.value.env}-resman-${each.value.short_name}-1" + name = "resman-${each.value.short_name}-1" display_name = ( "CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account." ) - prefix = var.prefix + prefix = "${var.prefix}-${each.value.env}" iam = { "roles/iam.workloadIdentityUser" = [ each.value.repository.branch == null @@ -95,11 +88,11 @@ module "cicd-sa-ro" { source = "../../../modules/iam-service-account" for_each = local.cicd_repositories project_id = var.automation.project_id - name = "${each.value.env}-resman-${each.value.short_name}-1r" + name = "resman-${each.value.short_name}-1r" display_name = ( "CI/CD ${each.value.lvl}-${each.value.short_name} ${each.value.env} service account (read-only)." ) - prefix = var.prefix + prefix = "${var.prefix}-${each.value.env}" iam = { "roles/iam.workloadIdentityUser" = [ format( diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf index 485404f526..d30026f35e 100644 --- a/fast/stages/1-resman/iam.tf +++ b/fast/stages/1-resman/iam.tf 
@@ -55,17 +55,9 @@ locals { for v in local.stage3_sa_roles_in_org : join("/", values(v)) => { role = lookup(var.custom_roles, v, v) member = ( - v.env == "prod" - ? ( - v.sa == "rw" - ? module.stage3-sa-prod-rw[v.s3].iam_email - : module.stage3-sa-prod-ro[v.s3].iam_email - ) - : ( - v.sa == "rw" - ? module.stage3-sa-dev-rw[v.s3].iam_email - : module.stage3-sa-dev-ro[v.s3].iam_email - ) + v.sa == "rw" + ? module.stage3-sa-rw[v.s3].iam_email + : module.stage3-sa-ro[v.s3].iam_email ) } }, diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf index 732b5f0e96..932b787739 100644 --- a/fast/stages/1-resman/main.tf +++ b/fast/stages/1-resman/main.tf @@ -54,22 +54,12 @@ locals { }, { for k, v in var.fast_stage_3 : - k => module.stage3-sa-prod-rw[k].email + k => module.stage3-sa-rw[k].email }, { for k, v in var.fast_stage_3 : - "${k}-r" => module.stage3-sa-prod-ro[k].email + "${k}-r" => module.stage3-sa-ro[k].email }, - { - for k, v in var.fast_stage_3 : - "${k}-dev" => module.stage3-sa-dev-rw[k].email - if v.folder_config.create_env_folders == true - }, - { - for k, v in var.fast_stage_3 : - "${k}-dev-r" => module.stage3-sa-dev-ro[k].email - if v.folder_config.create_env_folders == true - } ) tag_keys = ( var.root_node == null diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index f785032f6e..d2128579e1 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -37,9 +37,6 @@ locals { tag_values_stage2 = { for k, v in var.fast_stage_2 : k => replace(k, "_", "-") if v.enabled } - tag_values_stage3 = { - for k, v in var.fast_stage_3 : k => replace(k, "_", "-") - } } module "organization" { 
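Review bot: `role = lookup(var.custom_roles, v, v)` passes the whole element `v` as both the lookup key and the default, but the elements of `local.stage3_sa_roles_in_org` are objects of the form `{ role, sa, s3 }` after the stage-3.tf hunk of this commit. The key has to be the role string, otherwise this organization-level binding either fails to evaluate or is never resolved against `var.custom_roles`. Use `role = lookup(var.custom_roles, v.role, v.role)`. The enclosing `locals` block starts and ends outside the hunk.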
@@ -54,20 +51,12 @@ module "organization" { (var.tag_names.context) = { description = "Resource management context." iam = try(local.tags.context.iam, {}) - values = merge( - { - for k, v in local.tag_values_stage2 : v => { - iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], null) - } if var.fast_stage_2[k].enabled - }, - { - for k, v in local.tag_values_stage3 : v => { - iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], null) - } - } - ) + values = { + for k, v in local.tag_values_stage2 : v => { + iam = try(local.tags.context.values.iam[v], {}) + description = try(local.tags.context.values.description[v], null) + } if var.fast_stage_2[k].enabled + } }, (var.tag_names.environment) = { description = "Environment definition." @@ -75,24 +64,32 @@ module "organization" { values = { development = { iam = try(local.tags.environment.values.development.iam, {}) - iam_bindings = !var.fast_stage_2.project_factory.enabled ? {} : { - pf = { - members = [module.pf-sa-rw[0].iam_email] - role = "roles/resourcemanager.tagUser" + iam_bindings = ( + !var.fast_stage_2.project_factory.enabled + ? {} + : { + pf = { + members = [module.pf-sa-rw[0].iam_email] + role = "roles/resourcemanager.tagUser" + } } - } + ) description = try( local.tags.environment.values.development.description, null ) } production = { iam = try(local.tags.environment.values.production.iam, {}) - iam_bindings = !var.fast_stage_2.project_factory.enabled ? {} : { - pf = { - members = [module.pf-sa-rw[0].iam_email] - role = "roles/resourcemanager.tagUser" + iam_bindings = ( + !var.fast_stage_2.project_factory.enabled + ? {} + : { + pf = { + members = [module.pf-sa-rw[0].iam_email] + role = "roles/resourcemanager.tagUser" + } } - } + ) description = try( local.tags.environment.values.production.description, null ) 
diff --git a/fast/stages/1-resman/outputs-cicd.tf b/fast/stages/1-resman/outputs-cicd.tf index b729f766df..a6d8b31ad9 100644 --- a/fast/stages/1-resman/outputs-cicd.tf +++ b/fast/stages/1-resman/outputs-cicd.tf @@ -99,8 +99,8 @@ locals { outputs_bucket = var.automation.outputs_bucket repository = v.repository service_accounts = { - apply = module.stage3-sa-prod-rw[0].email - plan = module.stage3-sa-prod-ro[0].email + apply = module.stage3-sa-rw[0].email + plan = module.stage3-sa-ro[0].email } stage_name = v.short_name tf_providers_files = { @@ -108,29 +108,7 @@ locals { plan = "${v.lvl}-${k}-providers-r.tf" } tf_var_files = local.cicd_workflow_files.stage_3 - } if v.lvl == 3 && v.env == "prod" - }, - { - for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { - audiences = try( - local.identity_providers[v.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[v.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - repository = v.repository - service_accounts = { - apply = module.stage3-sa-dev-rw[0].email - plan = module.stage3-sa-dev-ro[0].email - } - stage_name = v.short_name - tf_providers_files = { - apply = "${v.lvl}-${k}-providers.tf" - plan = "${v.lvl}-${k}-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_3 - } if v.lvl == 3 && v.env == "dev" + } if v.lvl == 3 } ) } diff --git a/fast/stages/1-resman/outputs-providers.tf b/fast/stages/1-resman/outputs-providers.tf index ad57d0da07..ab04cf8d15 100644 --- a/fast/stages/1-resman/outputs-providers.tf +++ b/fast/stages/1-resman/outputs-providers.tf 
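Review bot: `module.stage3-sa-rw[0].email` and `module.stage3-sa-ro[0].email` index the stage 3 service account modules with `[0]`, while every other reference in this commit keys them by stage (`module.stage3-sa-rw[k]` in billing.tf and main.tf). On a keyed module the `[0]` lookup does not resolve, and on a counted one every stage 3 workflow would be wired to the same apply and plan identities. Use the loop key instead: `apply = module.stage3-sa-rw[k].email` and `plan = module.stage3-sa-ro[k].email`. The comprehension starts outside the hunk.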
@@ -60,50 +60,24 @@ locals { sa = module.pf-sa-ro[0].email }) }, - !local.pf_use_envs ? {} : { - "2-project-factory-dev" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket-dev[0].name - name = "project-factory-dev" - sa = module.pf-sa-dev-rw[0].email - }) - "2-project-factory-dev-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket-dev[0].name - name = "project-factory-dev" - sa = module.pf-sa-dev-ro[0].email - }) - "2-project-factory-prod" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket-prod[0].name - name = "project-factory-prod" - sa = module.pf-sa-prod-rw[0].email - }) - "2-project-factory-prod-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket-prod[0].name - name = "project-factory-prod" - sa = module.pf-sa-prod-ro[0].email - }) - }, # stage 3 { for k, v in var.fast_stage_3 : - "3-${k}-prod" => templatefile(local._tpl_providers, { + "3-${k}" => templatefile(local._tpl_providers, { backend_extra = null - bucket = module.stage3-bucket-prod[k].name - name = "${k}-prod" - sa = module.stage3-sa-prod-rw[k].email + bucket = module.stage3-bucket[k].name + name = k + sa = module.stage3-sa-rw[k].email }) }, { for k, v in var.fast_stage_3 : - "3-${k}-dev" => templatefile(local._tpl_providers, { + "3-${k}-r" => templatefile(local._tpl_providers, { backend_extra = null - bucket = module.stage3-bucket-dev[k].name - name = "${k}-dev" - sa = module.stage3-sa-dev-rw[k].email - }) if v.folder_config.create_env_folders + bucket = module.stage3-bucket[k].name + name = k + sa = module.stage3-sa-ro[k].email + }) }, # top-level folders { diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 0c1de45c06..21e98f6abf 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf 
@@ -29,8 +29,6 @@ locals { }, # stage 3 { for k, v in module.stage3-folder : k => v.id }, - { for k, v in module.stage3-folder-dev : k => v.id }, - { for k, v in module.stage3-folder-prod : k => v.id }, # top-level folders { for k, v in module.top-level-folder : k => v.id } ) diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index 5755f9e481..959564ccdb 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -80,8 +80,8 @@ module "net-folder" { for role, attrs in local.net_stage3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" - ? module.stage3-sa-prod-ro[v.s3].iam_email - : module.stage3-sa-prod-rw[v.s3].iam_email + ? module.stage3-sa-ro[v.s3].iam_email + : module.stage3-sa-rw[v.s3].iam_email ) ] } @@ -110,8 +110,8 @@ module "net-folder-prod" { for role, attrs in local.net_stage3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" - ? module.stage3-sa-prod-ro[v.s3].iam_email - : module.stage3-sa-prod-rw[v.s3].iam_email + ? module.stage3-sa-ro[v.s3].iam_email + : module.stage3-sa-rw[v.s3].iam_email ) ] } @@ -133,8 +133,8 @@ module "net-folder-dev" { for role, attrs in local.net_stage3_iam.dev : role => [ for v in attrs : ( v.sa == "ro" - ? module.stage3-sa-dev-ro[v.s3].iam_email - : module.stage3-sa-dev-rw[v.s3].iam_email + ? module.stage3-sa-ro[v.s3].iam_email + : module.stage3-sa-rw[v.s3].iam_email ) ] } diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 2446c1d34f..6be53f99b7 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf @@ -60,8 +60,8 @@ module "sec-folder" { for role, attrs in local.sec_stage3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" - ? module.stage3-sa-prod-ro[v.s3].iam_email - : module.stage3-sa-prod-rw[v.s3].iam_email + ? module.stage3-sa-ro[v.s3].iam_email + : module.stage3-sa-rw[v.s3].iam_email ) ] } 
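Review bot: `net-folder-prod` and `net-folder-dev` now resolve members through the same `module.stage3-sa-ro[v.s3]` / `module.stage3-sa-rw[v.s3]`, yet they still iterate `local.net_stage3_iam.prod` and `local.net_stage3_iam.dev`, and this commit drops the `env` field from the entries built in stage-3.tf. Unless the `net_stage3_iam` local (outside these hunks) is rekeyed on each stage 3's own environment, a single stage 3 identity may end up with roles on both the prod and dev networking folders, or on neither. The `sec-folder`, `sec-folder-prod` and `sec-folder-dev` hunks in stage-2-security.tf follow the same pattern. A comment on the local such as `# stage 3 service accounts are bound only on the folder matching their environment` would make the intended scope checkable in review.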
@@ -104,8 +104,8 @@ module "sec-folder-prod" { for role, attrs in local.sec_stage3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" - ? module.stage3-sa-prod-ro[v.s3].iam_email - : module.stage3-sa-prod-rw[v.s3].iam_email + ? module.stage3-sa-ro[v.s3].iam_email + : module.stage3-sa-rw[v.s3].iam_email ) ] } @@ -127,8 +127,8 @@ module "sec-folder-dev" { for role, attrs in local.sec_stage3_iam.dev : role => [ for v in attrs : ( v.sa == "ro" - ? module.stage3-sa-dev-ro[v.s3].iam_email - : module.stage3-sa-dev-rw[v.s3].iam_email + ? module.stage3-sa-ro[v.s3].iam_email + : module.stage3-sa-rw[v.s3].iam_email ) ] } diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index 8610eabd18..4bb7fa5532 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf @@ -15,35 +15,10 @@ */ locals { - stage3_folders_create = { - for k, v in var.fast_stage_3 : k => v if v.folder_config != null - } - stage3_iam_roles = { - rw = [ - "roles/logging.admin", - "roles/owner", - "roles/resourcemanager.folderAdmin", - "roles/resourcemanager.projectCreator", - "roles/compute.xpnAdmin" - ] - ro = [ - "roles/viewer", - "roles/resourcemanager.folderViewer" - ] - } stage3_sa_roles_in_org = flatten([ for k, v in var.fast_stage_3 : [ - [ - for sa, roles in v.organization_iam_roles : [ - for r in roles : [ - [ - { env = "prod", role = r, sa = sa, s3 = k } - ], - v.folder_config.create_env_folders != true ? [] : [ - { env = "dev", role = r, sa = sa, s3 = k } - ] - ] - ] + for sa, roles in v.organization_iam_roles : [ + for r in roles : { role = r, sa = sa, s3 = k } ] ] ]) 
@@ -52,14 +27,7 @@ locals { for k, v in var.fast_stage_3 : [ for s2, attrs in v.stage2_iam_roles : [ for sa, roles in attrs : [ - for role in roles : [ - [ - { env = "prod", role = role, sa = sa, s2 = s2, s3 = k } - ], - v.folder_config.create_env_folders != true ? [] : [ - { env = "dev", role = role, sa = sa, s2 = s2, s3 = k } - ] - ] + for role in roles : { role = role, sa = sa, s2 = s2, s3 = k } ] ] ] 
@@ -69,91 +37,41 @@ locals { # top-level folder module "stage3-folder" { - source = "../../../modules/folder" - for_each = local.stage3_folders_create + source = "../../../modules/folder" + for_each = { + for k, v in var.fast_stage_3 : k => v if v.folder_config != null + } parent = ( each.value.folder_config.parent_id == null ? local.root_node : each.value.folder_config.parent_id ) name = each.value.folder_config.name - iam = each.value.folder_config.create_env_folders == true ? {} : merge( - { - for r in local.stage3_iam_roles.rw : - r => [module.stage3-sa-prod-rw[each.key].iam_email] - }, - { - for r in local.stage3_iam_roles.ro : - r => [module.stage3-sa-prod-ro[each.key].iam_email] - } - ) + iam = { + "roles/logging.admin" = [module.stage3-sa-rw[each.key].iam_email] + "roles/owner" = [module.stage3-sa-rw[each.key].iam_email] + "roles/resourcemanager.folderAdmin" = [module.stage3-sa-rw[each.key].iam_email] + "roles/resourcemanager.projectCreator" = [module.stage3-sa-rw[each.key].iam_email] + "roles/compute.xpnAdmin" = [module.stage3-sa-rw[each.key].iam_email] + "roles/viewer" = [module.stage3-sa-ro[each.key].iam_email] + "roles/resourcemanager.folderViewer" = [module.stage3-sa-ro[each.key].iam_email] + + } iam_by_principals = each.value.folder_config.iam_by_principals tag_bindings = each.value.folder_config.tag_bindings } -# optional per-environment folders +# automation service accounts -module "stage3-folder-prod" { - source = "../../../modules/folder" - for_each = { - for k, v in local.stage3_folders_create : - k => v if v.folder_config.create_env_folders == true - } - parent = module.stage3-folder[each.key].id - name = "Production" - iam = merge( - { - for r in local.stage3_iam_roles.rw : - r => [module.stage3-sa-prod-rw[each.key].iam_email] - }, - { - for r in local.stage3_iam_roles.ro : - r => [module.stage3-sa-prod-ro[each.key].iam_email] - } +module "stage3-sa-rw" { + source = "../../../modules/iam-service-account" + for_each = var.fast_stage_3 + 
project_id = var.automation.project_id + name = "resman-${coalesce(each.value.short_name, each.key)}-0" + display_name = ( + "Terraform resman ${each.key} service account." ) - tag_bindings = { - environment = try( - local.tag_values["${var.tag_names.environment}/production"].id, - null - ) - } -} - -module "stage3-folder-dev" { - source = "../../../modules/folder" - for_each = { - for k, v in local.stage3_folders_create : - k => v if v.folder_config.create_env_folders == true - } - parent = module.stage3-folder[each.key].id - name = "Development" - iam = merge( - { - for r in local.stage3_iam_roles.rw : - r => [module.stage3-sa-dev-rw[each.key].iam_email] - }, - { - for r in local.stage3_iam_roles.ro : - r => [module.stage3-sa-dev-ro[each.key].iam_email] - } - ) - tag_bindings = { - environment = try( - local.tag_values["${var.tag_names.environment}/development"].id, - null - ) - } -} - -# automation service accounts (prod) - -module "stage3-sa-prod-rw" { - source = "../../../modules/iam-service-account" - for_each = local.stage3_folders_create - project_id = var.automation.project_id - name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" - display_name = "Terraform resman ${each.key} service account." - prefix = var.prefix + prefix = "${var.prefix}-${each.value.environment}" iam = { "roles/iam.serviceAccountTokenCreator" = compact([ try(module.cicd-sa-rw["${each.key}-prod"].iam_email, null) 
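Review bot: The token-creator binding at the end of `module "stage3-sa-rw"` still looks up `module.cicd-sa-rw["${each.key}-prod"]`, although stage keys now carry the environment themselves, so the key would become something like `"gcve-prod-prod"` and `try(..., null)` plus `compact()` turn the miss into an empty member list without any error. If the CI/CD module is keyed by stage name (its definition is not in this hunk), the line should read `try(module.cicd-sa-rw[each.key].iam_email, null)`. The `stage3-sa-ro` hunk that follows has the same lookup on `module.cicd-sa-ro`. The `iam` block continues outside the hunk.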
@@ -167,13 +85,15 @@ module "stage3-sa-prod-rw" { } } -module "stage3-sa-prod-ro" { - source = "../../../modules/iam-service-account" - for_each = local.stage3_folders_create - project_id = var.automation.project_id - name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0r" - display_name = "Terraform resman ${each.key} service account (read-only)." - prefix = var.prefix +module "stage3-sa-ro" { + source = "../../../modules/iam-service-account" + for_each = var.fast_stage_3 + project_id = var.automation.project_id + name = "resman-${coalesce(each.value.short_name, each.key)}-0r" + display_name = ( + "Terraform resman ${each.key} service account (read-only)." + ) + prefix = "${var.prefix}-${each.value.environment}" iam = { "roles/iam.serviceAccountTokenCreator" = compact([ try(module.cicd-sa-ro["${each.key}-prod"].iam_email, null) 
@@ -187,87 +107,19 @@ module "stage3-sa-prod-ro" { } } -# automation bucket (prod) +# automation bucket -module "stage3-bucket-prod" { +module "stage3-bucket" { source = "../../../modules/gcs" - for_each = local.stage3_folders_create - project_id = var.automation.project_id - name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" - prefix = var.prefix - location = var.locations.gcs - storage_class = local.gcs_storage_class - versioning = true - iam = { - "roles/storage.objectAdmin" = [module.stage3-sa-prod-rw[each.key].iam_email] - "roles/storage.objectViewer" = [module.stage3-sa-prod-ro[each.key].iam_email] - } -} - -# automation service accounts (dev) - -module "stage3-sa-dev-rw" { - source = "../../../modules/iam-service-account" - for_each = { - for k, v in local.stage3_folders_create : - k => v if v.folder_config.create_env_folders == true - } - project_id = var.automation.project_id - name = "dev-resman-${coalesce(each.value.short_name, each.key)}-0" - display_name = "Terraform resman ${each.key} service account." - prefix = var.prefix - iam = { - "roles/iam.serviceAccountTokenCreator" = compact([ - try(module.cicd-sa-rw["${each.key}-dev"].iam_email, null) - ]) - } - iam_project_roles = { - (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] - } - iam_storage_roles = { - (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] - } -} - -module "stage3-sa-dev-ro" { - source = "../../../modules/iam-service-account" - for_each = { - for k, v in local.stage3_folders_create : - k => v if v.folder_config.create_env_folders == true - } - project_id = var.automation.project_id - name = "dev-resman-${coalesce(each.value.short_name, each.key)}-0r" - display_name = "Terraform resman ${each.key} service account (read-only)." 
- prefix = var.prefix - iam = { - "roles/iam.serviceAccountTokenCreator" = compact([ - try(module.cicd-sa-ro["${each.key}-dev"].iam_email, null) - ]) - } - iam_project_roles = { - (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] - } - iam_storage_roles = { - (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] - } -} - -# automation bucket (dev) - -module "stage3-bucket-dev" { - source = "../../../modules/gcs" - for_each = { - for k, v in local.stage3_folders_create : - k => v if v.folder_config.create_env_folders == true - } + for_each = var.fast_stage_3 project_id = var.automation.project_id - name = "dev-resman-${coalesce(each.value.short_name, each.key)}-0" - prefix = var.prefix + name = "resman-${coalesce(each.value.short_name, each.key)}-0" + prefix = "${var.prefix}-${each.value.environment}" location = var.locations.gcs storage_class = local.gcs_storage_class versioning = true iam = { - "roles/storage.objectAdmin" = [module.stage3-sa-dev-rw[each.key].iam_email] - "roles/storage.objectViewer" = [module.stage3-sa-dev-ro[each.key].iam_email] + "roles/storage.objectAdmin" = [module.stage3-sa-rw[each.key].iam_email] + "roles/storage.objectViewer" = [module.stage3-sa-ro[each.key].iam_email] } } diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index 9d2cfb59e8..41fab0cdaf 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf 
@@ -74,8 +74,12 @@ variable "fast_stage_2" { variable "fast_stage_3" { description = "FAST stages 3 configurations." + # key is used for file names and loop keys and is like 'data-platfom-dev' type = map(object({ - short_name = optional(string) + # shortname is for resource names and is like 'dp' + short_name = string + # environment is only used in prefix for service account and bucket names + environment = optional(string, "dev") cicd_config = optional(object({ identity_provider = string repository = object({ @@ -85,11 +89,10 @@ variable "fast_stage_3" { }) })) folder_config = optional(object({ - name = string - create_env_folders = optional(bool, false) - iam_by_principals = optional(map(list(string)), {}) - parent_id = optional(string) - tag_bindings = optional(map(string), {}) + name = string + iam_by_principals = optional(map(list(string)), {}) + parent_id = optional(string) + tag_bindings = optional(map(string), {}) })) organization_iam_roles = optional(object({ ro = optional(list(string), []) From b4765c7d77c046244d42fd8df9f78dccb09dd2d1 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 24 Aug 2024 17:51:28 +0200 Subject: [PATCH 06/94] fixes and moved blocks --- fast/stages/1-resman/TODO.md | 7 + fast/stages/1-resman/_moved-v34.0.0.tf | 190 +++++++++--------- fast/stages/1-resman/organization.tf | 16 +- fast/stages/1-resman/stage-2-networking.tf | 5 +- fast/stages/1-resman/stage-2-security.tf | 5 +- fast/stages/1-resman/stage-3.tf | 18 +- .../1-resman/{cicd.tf => stage-cicd.tf} | 0 fast/stages/1-resman/top-level-folders.tf | 5 +- fast/stages/1-resman/variables-stages.tf | 22 +- 9 files changed, 134 insertions(+), 134 deletions(-) create mode 100644 fast/stages/1-resman/TODO.md rename fast/stages/1-resman/{cicd.tf => stage-cicd.tf} (100%) diff --git a/fast/stages/1-resman/TODO.md b/fast/stages/1-resman/TODO.md new file mode 100644 index 0000000000..0af4cc8830 --- /dev/null +++ b/fast/stages/1-resman/TODO.md 
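Review bot: `environment` is a free-form string that defaults to `"dev"` and goes straight into the service account and bucket prefix in stage-3.tf, so a stage that omits or misspells it gets development-named automation resources without any error. A `validation` block on the variable would catch this, for example `condition = alltrue([for k, v in var.fast_stage_3 : contains(["dev", "prod"], v.environment)])`, assuming dev and prod are the only intended values. Dropping the default would additionally force each stage to state its environment. The new comment also has a typo, 'data-platfom-dev'. The variable block continues outside the hunk.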
@@ -0,0 +1,7 @@ +# TODO list + +- add support for explicit parent ids to top-level folders + +fixes + +- roles/compute.networkViewer for pf ro sa diff --git a/fast/stages/1-resman/_moved-v34.0.0.tf b/fast/stages/1-resman/_moved-v34.0.0.tf index 4d68172af4..3e0c405a87 100644 --- a/fast/stages/1-resman/_moved-v34.0.0.tf +++ b/fast/stages/1-resman/_moved-v34.0.0.tf @@ -14,6 +14,13 @@ * limitations under the License. */ +# billing resources + +moved { + from = google_billing_account_iam_member.billing_ext_admin + to = google_billing_account_iam_member.default +} + # stage 2 networking moved { @@ -50,6 +57,7 @@ moved { } # stage 2 security + moved { from = module.branch-security-folder to = module.sec-folder[0] 
@@ -84,178 +92,164 @@ moved { } # stage 2 project factory -# moved { -# from = module.branch-pf-sa[0] -# to = module.branch-pf-sa -# } + moved { from = module.branch-pf-sa to = module.pf-sa-rw[0] } -# moved { -# from = module.branch-pf-r-sa[0] -# to = module.pf-sa-ro -# } moved { from = module.branch-pf-r-sa to = module.pf-sa-ro[0] } - -# stage 3 gcve - moved { - from = module.branch-gcve-folder - to = module.stage3-folder["gcve"] + from = module.branch-pf-gcs + to = module.pf-bucket[0] } moved { - from = module.branch-gcve-prod-folder - to = module.stage3-folder-prod["gcve"] + from = module.branch-pf-dev-sa + to = module.stage3-sa-rw["project-factory-dev"] } moved { - from = module.branch-gcve-dev-folder - to = module.stage3-folder-dev["gcve"] + from = module.branch-pf-dev-r-sa + to = module.stage3-sa-ro["project-factory-dev"] } moved { - from = module.branch-gcve-prod-sa - to = module.stage3-sa-prod-rw["gcve"] + from = module.branch-pf-dev-gcs + to = module.stage3-bucket["project-factory-dev"] } moved { - from = module.branch-gcve-prod-r-sa - to = module.stage3-sa-prod-ro["gcve"] + from = module.branch-pf-prod-sa + to = module.stage3-sa-rw["project-factory-prod"] } moved { - from = module.branch-gcve-dev-sa - to = module.stage3-sa-dev-rw["gcve"] + from = module.branch-pf-prod-r-sa + to = module.stage3-sa-ro["project-factory-prod"] } moved { - from = module.branch-gcve-dev-r-sa - to = module.stage3-sa-dev-ro["gcve"] + from = module.branch-pf-prod-gcs + to = module.stage3-bucket["project-factory-prod"] } + +# stage 3 gcve + moved { - from = module.branch-gcve-prod-gcs - to = module.stage3-bucket-prod["gcve"] + from = module.branch-gcve-prod-folder[0] + to = module.stage3-folder["gcve-prod"] } moved { - from = module.branch-gcve-dev-gcs - to = module.stage3-bucket-dev["gcve"] + from = module.branch-gcve-prod-sa[0] + to = module.stage3-sa-rw["gcve-prod"] } - -# stage 3 gke - moved { - from = module.branch-gke-folder - to = module.stage3-folder["gke"] + from = 
module.branch-gcve-prod-r-sa[0] + to = module.stage3-sa-ro["gcve-prod"] } moved { - from = module.branch-gke-prod-folder - to = module.stage3-folder-prod["gke"] + from = module.branch-gcve-prod-gcs[0] + to = module.stage3-bucket["gcve-prod"] } moved { - from = module.branch-gke-dev-folder - to = module.stage3-folder-dev["gke"] + from = module.branch-gcve-dev-folder[0] + to = module.stage3-folder["gcve-dev"] } moved { - from = module.branch-gke-prod-sa - to = module.stage3-sa-prod-rw["gke"] + from = module.branch-gcve-dev-sa[0] + to = module.stage3-sa-rw["gcve-dev"] } moved { - from = module.branch-gke-prod-r-sa - to = module.stage3-sa-prod-ro["gke"] + from = module.branch-gcve-dev-r-sa[0] + to = module.stage3-sa-ro["gcve-dev"] } moved { - from = module.branch-gke-dev-sa - to = module.stage3-sa-dev-rw["gke"] + from = module.branch-gcve-dev-gcs[0] + to = module.stage3-bucket["gcve-dev"] } + +# stage 3 gke + moved { - from = module.branch-gke-dev-r-sa - to = module.stage3-sa-dev-ro["gke"] + from = module.branch-gke-prod-folder[0] + to = module.stage3-folder["gke-prod"] } moved { - from = module.branch-gke-prod-gcs - to = module.stage3-bucket-prod["gke"] + from = module.branch-gke-prod-sa[0] + to = module.stage3-sa-rw["gke-prod"] } moved { - from = module.branch-gke-dev-gcs - to = module.stage3-bucket-dev["gke"] + from = module.branch-gke-prod-r-sa[0] + to = module.stage3-sa-ro["gke-prod"] } - -# stage 3 data platform - moved { - from = module.branch-dp-folder - to = module.stage3-folder["dp"] + from = module.branch-gke-prod-gcs[0] + to = module.stage3-bucket["gke-prod"] } moved { - from = module.branch-dp-prod-folder - to = module.stage3-folder-prod["dp"] + from = module.branch-gke-dev-folder[0] + to = module.stage3-folder["gke-dev"] } moved { - from = module.branch-dp-dev-folder - to = module.stage3-folder-dev["dp"] + from = module.branch-gke-dev-sa[0] + to = module.stage3-sa-rw["gke-dev"] } moved { - from = module.branch-dp-prod-sa - to = 
module.stage3-sa-prod-rw["dp"] + from = module.branch-gke-dev-r-sa[0] + to = module.stage3-sa-ro["gke-dev"] } moved { - from = module.branch-dp-prod-r-sa - to = module.stage3-sa-prod-ro["dp"] + from = module.branch-gke-dev-gcs[0] + to = module.stage3-bucket["gke-dev"] } + +# stage 3 data platform + moved { - from = module.branch-dp-dev-sa - to = module.stage3-sa-dev-rw["dp"] + from = module.branch-dp-prod-folder[0] + to = module.stage3-folder["data-platform-prod"] } moved { - from = module.branch-dp-dev-r-sa - to = module.stage3-sa-dev-ro["dp"] + from = module.branch-dp-prod-sa[0] + to = module.stage3-sa-rw["data-platform-prod"] } moved { - from = module.branch-dp-prod-gcs - to = module.stage3-bucket-prod["dp"] + from = module.branch-dp-prod-r-sa[0] + to = module.stage3-sa-ro["data-platform-prod"] } moved { - from = module.branch-dp-dev-gcs - to = module.stage3-bucket-dev["dp"] + from = module.branch-dp-prod-gcs[0] + to = module.stage3-bucket["data-platform-prod"] } - -# stage 3 nsec - -# moved { -# from = module.branch-nsec-sa -# to = module.stage3-sa-prod-rw["nsec"] -# } moved { - from = module.branch-nsec-sa[0] - to = module.stage3-sa-prod-rw["nsec"] + from = module.branch-dp-dev-folder[0] + to = module.stage3-folder["data-platform-dev"] } -# moved { -# from = module.branch-nsec-r-sa -# to = module.stage3-sa-prod-ro["nsec"] -# } moved { - from = module.branch-nsec-r-sa[0] - to = module.stage3-sa-prod-ro["nsec"] + from = module.branch-dp-dev-sa[0] + to = module.stage3-sa-rw["data-platform-dev"] } -# moved { -# from = module.branch-nsec-gcs -# to = module.stage3-bucket-prod["nsec"] -# } moved { - from = module.branch-nsec-gcs[0] - to = module.stage3-bucket-prod["nsec"] + from = module.branch-dp-dev-r-sa[0] + to = module.stage3-sa-ro["data-platform-dev"] +} +moved { + from = module.branch-dp-dev-gcs[0] + to = module.stage3-bucket["data-platform-dev"] } # stage 3 sandbox moved { - from = module.branch-sandbox-folder - to = module.stage3-folder["sbx"] + from = 
module.branch-sandbox-folder[0] + to = module.stage3-folder["sandbox"] +} +moved { + from = module.branch-sandbox-sa[0] + to = module.stage3-sa-rw["sandbox"] } moved { - from = module.branch-sandbox-sa - to = module.stage3-sa-prod-rw["sbx"] + from = module.branch-sandbox-r-sa[0] + to = module.stage3-sa-ro["sandbox"] } moved { - from = module.branch-sandbox-gcs - to = module.stage3-bucket-prod["sbx"] + from = module.branch-sandbox-gcs[0] + to = module.stage3-bucket["sandbox"] } diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index d2128579e1..accc877dc7 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -17,6 +17,7 @@ # tfdoc:file:description Organization policies. locals { + # service accounts context for user-specified tag values tags = { for k, v in var.tags : k => merge(v, { values = { @@ -51,12 +52,15 @@ module "organization" { (var.tag_names.context) = { description = "Resource management context." iam = try(local.tags.context.iam, {}) - values = { - for k, v in local.tag_values_stage2 : v => { - iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], null) - } if var.fast_stage_2[k].enabled - } + values = merge( + try(local.tags["context"]["values"], {}), + { + for k, v in local.tag_values_stage2 : v => { + iam = try(local.tags.context.values.iam[v], {}) + description = try(local.tags.context.values.description[v], null) + } if var.fast_stage_2[k].enabled + } + ) }, (var.tag_names.environment) = { description = "Environment definition." diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index 959564ccdb..b93e9cd6b2 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf 
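Review bot: The `moved` targets in this hunk hard-code stage keys such as `"gcve-prod"`, `"gke-dev"`, `"data-platform-prod"` and `"sandbox"`, and nothing in the file says that `fast_stage_3` must contain exactly those keys. The same commit sets the variable default to `{}`, so on an upgrade where a key is missing or spelled differently, the existing service accounts and state buckets would presumably show up in the plan as destroy-and-recreate instead of a move. I would add a header comment to the file, e.g. `# moved targets assume fast_stage_3 keys <name>-dev / <name>-prod; check the plan for destroys before applying`.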
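Review bot: Inside the new `merge(...)` in organization.tf the generated entries read `try(local.tags.context.values.iam[v], {})` and `try(local.tags.context.values.description[v], null)`, which index `values` by the literal keys `iam` and `description` before the tag value, whereas the first `merge` argument treats `values` as a map keyed by tag value. If that is the real shape, both `try` calls always fall back, and because the generated map is the later `merge` argument it replaces a user-supplied entry of the same name, so IAM configured on a stage 2 context tag value would be dropped without an error. I would write `iam = try(local.tags.context.values[v].iam, {})` and `description = try(local.tags.context.values[v].description, null)`. The `tags` local is only partly visible here, so confirm the shape first.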
@@ -42,7 +42,10 @@ module "net-folder" { parent = ( var.fast_stage_2.networking.folder_config.parent_id == null ? local.root_node - : var.fast_stage_2.networking.folder_config.parent_id + : try( + module.top-level-folder[var.fast_stage_2.networking.folder_config].parent_id, + var.fast_stage_2.networking.folder_config.parent_id + ) ) name = var.fast_stage_2.networking.folder_config.name iam = merge( diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 6be53f99b7..81e82db5af 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf @@ -42,7 +42,10 @@ module "sec-folder" { parent = ( var.fast_stage_2.security.folder_config.parent_id == null ? local.root_node - : var.fast_stage_2.security.folder_config.parent_id + : try( + module.top-level-folder[var.fast_stage_2.security.folder_config].parent_id, + var.fast_stage_2.security.folder_config.parent_id + ) ) name = var.fast_stage_2.security.folder_config.name iam = merge( diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index 4bb7fa5532..b22ae8e792 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf @@ -44,7 +44,10 @@ module "stage3-folder" { parent = ( each.value.folder_config.parent_id == null ? local.root_node - : each.value.folder_config.parent_id + : try( + module.top-level-folder[each.value.folder_config.parent_id], + each.value.folder_config.parent_id + ) ) name = each.value.folder_config.name iam = { @@ -58,7 +61,12 @@ module "stage3-folder" { } iam_by_principals = each.value.folder_config.iam_by_principals - tag_bindings = each.value.folder_config.tag_bindings + tag_bindings = { + for k, v in each.value.folder_config.tag_bindings : k => lookup( + local.top_level_tags, v, v + ) + } + depends_on = [module.top-level-folder] } # automation service accounts 
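Review bot: The new `parent` expression in `module "net-folder"` indexes `module.top-level-folder` with the whole `folder_config` object and then reads `.parent_id` from the module, so the first `try` argument cannot resolve and the raw `folder_config.parent_id` is always used. If the intent is to let `parent_id` name a top-level folder, the first argument should be `module.top-level-folder[var.fast_stage_2.networking.folder_config.parent_id].id`. Because `try` hides the failure, a folder short name would be passed through as the parent unchanged and the mistake only surfaces at apply time, if at all. The `sec-folder` hunk in stage-2-security.tf has the same expression. The module body continues outside the hunk.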
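Review bot: In `module "stage3-folder"` the first `try` argument is `module.top-level-folder[each.value.folder_config.parent_id]`, which evaluates to the whole module instance rather than a folder id whenever the key exists, and `try` accepts it. The `folder_ids` local in outputs.tf reads `v.id` from the same module, so the line should be `module.top-level-folder[each.value.folder_config.parent_id].id,`. Once the expression references the module output, the `depends_on = [module.top-level-folder]` added in the next hunk is likely redundant and could be dropped.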
@@ -67,7 +75,7 @@ module "stage3-sa-rw" { source = "../../../modules/iam-service-account" for_each = var.fast_stage_3 project_id = var.automation.project_id - name = "resman-${coalesce(each.value.short_name, each.key)}-0" + name = "resman-${each.value.short_name}-0" display_name = ( "Terraform resman ${each.key} service account." ) @@ -89,7 +97,7 @@ module "stage3-sa-ro" { source = "../../../modules/iam-service-account" for_each = var.fast_stage_3 project_id = var.automation.project_id - name = "resman-${coalesce(each.value.short_name, each.key)}-0r" + name = "resman-${each.value.short_name}-0r" display_name = ( "Terraform resman ${each.key} service account (read-only)." ) @@ -113,7 +121,7 @@ module "stage3-bucket" { source = "../../../modules/gcs" for_each = var.fast_stage_3 project_id = var.automation.project_id - name = "resman-${coalesce(each.value.short_name, each.key)}-0" + name = "resman-${each.value.short_name}-0" prefix = "${var.prefix}-${each.value.environment}" location = var.locations.gcs storage_class = local.gcs_storage_class diff --git a/fast/stages/1-resman/cicd.tf b/fast/stages/1-resman/stage-cicd.tf similarity index 100% rename from fast/stages/1-resman/cicd.tf rename to fast/stages/1-resman/stage-cicd.tf diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index 47cb8e5ebe..224d4f2082 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf @@ -66,8 +66,9 @@ locals { } module "top-level-folder" { - source = "../../../modules/folder" - for_each = local.top_level_folders + source = "../../../modules/folder" + for_each = local.top_level_folders + # TODO: add support for explicit parent id parent = "organizations/${var.organization.id}" name = each.value.name contacts = each.value.contacts diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index 41fab0cdaf..20dc3ceea9 100644 
--- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf @@ -110,26 +110,6 @@ variable "fast_stage_3" { }), {}) })) nullable = false - default = { - # data-platform = { - # short_name = "dp" - # folder_config = { - # name = "Data Platform" - # create_env_folders = true - # } - # } - # gcve = { - # folder_config = { - # name = "GCVE" - # create_env_folders = true - # } - # } - # gke = { - # folder_config = { - # name = "GKE" - # create_env_folders = true - # } - # } - } + default = {} # TODO: CI/CD validation } From de433504bec4b1a938eb44f2bf53ece61fec6bfd Mon Sep 17 00:00:00 2001 
From: Ludo Date: Mon, 26 Aug 2024 16:51:48 +0200 Subject: [PATCH 07/94] stage3 factory --- fast/stages/1-resman/_moved-v34.0.0.tf | 15 + fast/stages/1-resman/billing.tf | 2 +- .../data/stage-3/2-project-factory.yaml | 51 - .../data/stage-3/3-data-platform.yaml | 44 - fast/stages/1-resman/data/stage-3/3-gcve.yaml | 47 - fast/stages/1-resman/data/stage-3/3-gke.yaml | 47 - ...k-security.yaml => data-platform-dev.yaml} | 16 +- .../data/stage-3/data-platform-prod.yaml | 21 + .../1-resman/data/stage-3/gcve-dev.yaml | 20 + .../1-resman/data/stage-3/gcve-prod.yaml | 21 + .../stages/1-resman/data/stage-3/gke-dev.yaml | 20 + .../1-resman/data/stage-3/gke-prod.yaml | 21 + .../data/stage-3/project-factory-dev.yaml | 17 + .../data/stage-3/project-factory-prod.yaml | 18 + .../stage-3/{3-sandbox.yaml => sandbox.yaml} | 15 +- .../{3-gcve-dev.yaml => data-platform.yaml} | 7 +- .../{3-gcve.yaml => gcve.yaml} | 5 +- .../1-resman/data/top-level-folders/gke.yaml | 21 + fast/stages/1-resman/iam.tf | 16 +- fast/stages/1-resman/main.tf | 25 +- fast/stages/1-resman/organization.tf | 4 +- fast/stages/1-resman/outputs-cicd.tf | 114 - fast/stages/1-resman/outputs-files.tf | 192 + fast/stages/1-resman/outputs-gcs.tf | 37 - fast/stages/1-resman/outputs-providers.tf | 93 - fast/stages/1-resman/outputs.tf | 9 +- fast/stages/1-resman/plan.txt | 4550 +++++++++++++++++ .../1-resman/schemas/fast-stage.schema.json | 213 - .../schemas/fast-stage.schema.old.json | 213 - .../1-resman/schemas/fast-stage3.schema.json | 151 + .../schemas/top-level-folder.schema.json | 2 +- fast/stages/1-resman/stage-2-networking.tf | 145 +- fast/stages/1-resman/stage-2-security.tf | 92 +- fast/stages/1-resman/stage-3.tf | 108 +- fast/stages/1-resman/stage-cicd.tf | 2 +- fast/stages/1-resman/tenant-root.tf | 4 +- fast/stages/1-resman/top-level-folders.tf | 8 +- fast/stages/1-resman/variables-stages.tf | 60 +- .../1-resman/variables-toplevel-folders.tf | 93 + fast/stages/1-resman/variables.tf | 90 +- 40 files changed, 5522 
insertions(+), 1107 deletions(-) delete mode 100644 fast/stages/1-resman/data/stage-3/2-project-factory.yaml delete mode 100644 fast/stages/1-resman/data/stage-3/3-data-platform.yaml delete mode 100644 fast/stages/1-resman/data/stage-3/3-gcve.yaml delete mode 100644 fast/stages/1-resman/data/stage-3/3-gke.yaml rename fast/stages/1-resman/data/stage-3/{3-network-security.yaml => data-platform-dev.yaml} (63%) create mode 100644 fast/stages/1-resman/data/stage-3/data-platform-prod.yaml create mode 100644 fast/stages/1-resman/data/stage-3/gcve-dev.yaml create mode 100644 fast/stages/1-resman/data/stage-3/gcve-prod.yaml create mode 100644 fast/stages/1-resman/data/stage-3/gke-dev.yaml create mode 100644 fast/stages/1-resman/data/stage-3/gke-prod.yaml create mode 100644 fast/stages/1-resman/data/stage-3/project-factory-dev.yaml create mode 100644 fast/stages/1-resman/data/stage-3/project-factory-prod.yaml rename fast/stages/1-resman/data/stage-3/{3-sandbox.yaml => sandbox.yaml} (67%) rename fast/stages/1-resman/data/top-level-folders/{3-gcve-dev.yaml => data-platform.yaml} (89%) rename fast/stages/1-resman/data/top-level-folders/{3-gcve.yaml => gcve.yaml} (92%) create mode 100644 fast/stages/1-resman/data/top-level-folders/gke.yaml delete mode 100644 fast/stages/1-resman/outputs-cicd.tf delete mode 100644 fast/stages/1-resman/outputs-gcs.tf delete mode 100644 fast/stages/1-resman/outputs-providers.tf create mode 100644 fast/stages/1-resman/plan.txt delete mode 100644 fast/stages/1-resman/schemas/fast-stage.schema.json delete mode 100644 fast/stages/1-resman/schemas/fast-stage.schema.old.json create mode 100644 fast/stages/1-resman/schemas/fast-stage3.schema.json create mode 100644 fast/stages/1-resman/variables-toplevel-folders.tf diff --git a/fast/stages/1-resman/_moved-v34.0.0.tf b/fast/stages/1-resman/_moved-v34.0.0.tf index 3e0c405a87..25d586367f 100644 --- a/fast/stages/1-resman/_moved-v34.0.0.tf +++ b/fast/stages/1-resman/_moved-v34.0.0.tf 
@@ -132,6 +132,11 @@ moved { # stage 3 gcve +moved { + from = module.branch-gcve-folder[0] + to = module.top-level-folder["gcve"] +} + moved { from = module.branch-gcve-prod-folder[0] to = module.stage3-folder["gcve-prod"] @@ -167,6 +172,11 @@ moved { # stage 3 gke +moved { + from = module.branch-gke-folder[0] + to = module.top-level-folder["gke"] +} + moved { from = module.branch-gke-prod-folder[0] to = module.stage3-folder["gke-prod"] @@ -202,6 +212,11 @@ moved { # stage 3 data platform +moved { + from = module.branch-dp-folder[0] + to = module.top-level-folder["data-platform"] +} + moved { from = module.branch-dp-prod-folder[0] to = module.stage3-folder["data-platform-prod"] diff --git a/fast/stages/1-resman/billing.tf b/fast/stages/1-resman/billing.tf index c56cb95bc1..df43082d74 100644 --- a/fast/stages/1-resman/billing.tf +++ b/fast/stages/1-resman/billing.tf @@ -43,7 +43,7 @@ locals { }, # stage 3 { - for k, v in var.fast_stage_3 : k => { + for k, v in local.stage3 : k => { member = module.stage3-sa-rw[k].iam_email role = "roles/billing.user" } diff --git a/fast/stages/1-resman/data/stage-3/2-project-factory.yaml b/fast/stages/1-resman/data/stage-3/2-project-factory.yaml deleted file mode 100644 index 600239bf9b..0000000000 --- a/fast/stages/1-resman/data/stage-3/2-project-factory.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/fast-stage.schema.json - -short_name: pf -tag_value_name: project-factory -main: - root_node: - service_account_iam: - rw: - - role: roles/orgpolicy.policyAdmin - match_tag_values: - - context/project-factory - - role: roles/orgpolicy.policyViewer - match_tag_values: - - context/project-factory -environments: - dev: - root_node: - service_account_iam: - rw: - - role: roles/orgpolicy.policyAdmin - match_tag_values: - - context/project-factory - - role: roles/orgpolicy.policyViewer - match_tag_values: - - context/project-factory - - environment/development - prod: - root_node: - service_account_iam: - rw: - - role: roles/orgpolicy.policyAdmin - match_tag_values: - - context/project-factory - - role: roles/orgpolicy.policyViewer - match_tag_values: - - context/project-factory - - environment/production diff --git a/fast/stages/1-resman/data/stage-3/3-data-platform.yaml b/fast/stages/1-resman/data/stage-3/3-data-platform.yaml deleted file mode 100644 index 7b416733f3..0000000000 --- a/fast/stages/1-resman/data/stage-3/3-data-platform.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/fast-stage.schema.json - -short_name: dp -environments: - dev: - folder: - name: Development - service_account_iam: - rw: - - roles/owner - - roles/logging.admin - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator - - roles/compute.xpnAdmin - ro: - - roles/viewer - - roles/resourcemanager.folderViewer - prod: - folder: - name: Production - service_account_iam: - rw: - - roles/owner - - roles/logging.admin - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator - - roles/compute.xpnAdmin - ro: - - roles/viewer - - roles/resourcemanager.folderViewer diff --git a/fast/stages/1-resman/data/stage-3/3-gcve.yaml b/fast/stages/1-resman/data/stage-3/3-gcve.yaml deleted file mode 100644 index 65e2d49990..0000000000 --- a/fast/stages/1-resman/data/stage-3/3-gcve.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/fast-stage.schema.json - -short_name: gcve -main: - folder: - name: GCVE -environments: - dev: - folder: - name: Development - service_account_iam: - rw: - - roles/owner - - roles/logging.admin - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator - - roles/compute.xpnAdmin - ro: - - roles/viewer - - roles/resourcemanager.folderViewer - prod: - folder: - name: Production - service_account_iam: - rw: - - roles/owner - - roles/logging.admin - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator - - roles/compute.xpnAdmin - ro: - - roles/viewer - - roles/resourcemanager.folderViewer diff --git a/fast/stages/1-resman/data/stage-3/3-gke.yaml b/fast/stages/1-resman/data/stage-3/3-gke.yaml deleted file mode 100644 index 946ef4c8de..0000000000 --- a/fast/stages/1-resman/data/stage-3/3-gke.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/fast-stage.schema.json - -short_name: gke -main: - folder: - name: GKE -environments: - dev: - folder: - name: Development - service_account_iam: - rw: - - roles/owner - - roles/logging.admin - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator - - roles/compute.xpnAdmin - ro: - - roles/viewer - - roles/resourcemanager.folderViewer - prod: - folder: - name: Production - service_account_iam: - rw: - - roles/owner - - roles/logging.admin - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator - - roles/compute.xpnAdmin - ro: - - roles/viewer - - roles/resourcemanager.folderViewer diff --git a/fast/stages/1-resman/data/stage-3/3-network-security.yaml b/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml similarity index 63% rename from fast/stages/1-resman/data/stage-3/3-network-security.yaml rename to fast/stages/1-resman/data/stage-3/data-platform-dev.yaml index 0304c9f142..5b150cac27 100644 --- a/fast/stages/1-resman/data/stage-3/3-network-security.yaml +++ b/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml 
@@ -12,15 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yaml-language-server: $schema=../../schemas/fast-stage.schema.json +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json -short_name: nsec -main: - root_node: - service_account_iam: - rw: - - role: roles/compute.orgFirewallPolicyAdmin - - role: ngfw_enterprise_admin - # ro: - # - role: roles/compute.orgFirewallPolicyAdmin - # - role: ngfw_enterprise_admin +short_name: dp +folder_config: + name: Development + parent_id: data-platform diff --git a/fast/stages/1-resman/data/stage-3/data-platform-prod.yaml b/fast/stages/1-resman/data/stage-3/data-platform-prod.yaml new file mode 100644 index 0000000000..1f093b2170 --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/data-platform-prod.yaml @@ -0,0 +1,21 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: dp +environment: prod +folder_config: + name: Production + parent_id: data-platform diff --git a/fast/stages/1-resman/data/stage-3/gcve-dev.yaml b/fast/stages/1-resman/data/stage-3/gcve-dev.yaml new file mode 100644 index 0000000000..769e20ff5e --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/gcve-dev.yaml 
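Review bot: The new `data-platform-dev.yaml` omits the `environment` key while its sibling `data-platform-prod.yaml` sets `environment: prod`, so the dev stage depends on a default that cannot be read from the data file. The iam.tf hunk further down this patch scopes the stage 3 service accounts with an environment tag condition, so the environment a stage belongs to should be explicit; I would add `environment: dev` under `short_name: dp`, assuming the schema accepts that value. The same applies to `gcve-dev.yaml`, `gke-dev.yaml` and `project-factory-dev.yaml` later in this patch. Where the default is applied is outside this view.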
@@ -0,0 +1,20 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: gcve +folder_config: + name: Development + parent_id: gcve diff --git a/fast/stages/1-resman/data/stage-3/gcve-prod.yaml b/fast/stages/1-resman/data/stage-3/gcve-prod.yaml new file mode 100644 index 0000000000..e203be07b5 --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/gcve-prod.yaml @@ -0,0 +1,21 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: gcve +environment: prod +folder_config: + name: Production + parent_id: gcve diff --git a/fast/stages/1-resman/data/stage-3/gke-dev.yaml b/fast/stages/1-resman/data/stage-3/gke-dev.yaml new file mode 100644 index 0000000000..69d7a9c77e --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/gke-dev.yaml 
@@ -0,0 +1,20 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: gke +folder_config: + name: Development + parent_id: gke diff --git a/fast/stages/1-resman/data/stage-3/gke-prod.yaml b/fast/stages/1-resman/data/stage-3/gke-prod.yaml new file mode 100644 index 0000000000..52975045ab --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/gke-prod.yaml @@ -0,0 +1,21 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: gke +environment: prod +folder_config: + name: Production + parent_id: gke diff --git a/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml b/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml new file mode 100644 index 0000000000..9571302336 --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml 
@@ -0,0 +1,17 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: pf diff --git a/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml b/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml new file mode 100644 index 0000000000..8366bd7c3c --- /dev/null +++ b/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json + +short_name: pf +environment: prod \ No newline at end of file diff --git a/fast/stages/1-resman/data/stage-3/3-sandbox.yaml b/fast/stages/1-resman/data/stage-3/sandbox.yaml similarity index 67% rename from fast/stages/1-resman/data/stage-3/3-sandbox.yaml rename to fast/stages/1-resman/data/stage-3/sandbox.yaml index e17353a7be..fb1f638aa5 100644 
--- a/fast/stages/1-resman/data/stage-3/3-sandbox.yaml +++ b/fast/stages/1-resman/data/stage-3/sandbox.yaml @@ -12,15 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yaml-language-server: $schema=../../schemas/fast-stage.schema.json +# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json short_name: sbx -main: - folder: - name: Sandbox - service_account_iam: - rw: - - roles/logging.admin - - roles/owner - - roles/resourcemanager.folderAdmin - - roles/resourcemanager.projectCreator +folder_config: + name: Sandbox + tag_bindings: + context: context/sandbox diff --git a/fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml similarity index 89% rename from fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml rename to fast/stages/1-resman/data/top-level-folders/data-platform.yaml index 88b3ddddf8..cccc22111b 100644 --- a/fast/stages/1-resman/data/top-level-folders/3-gcve-dev.yaml +++ b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml @@ -14,9 +14,8 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json -name: Development -short_name: gcve-dev +name: Data Platform automation: enable: false -root_node_config: - context_tag_value: gcve \ No newline at end of file +tag_bindings: + context: context/data-platform diff --git a/fast/stages/1-resman/data/top-level-folders/3-gcve.yaml b/fast/stages/1-resman/data/top-level-folders/gcve.yaml similarity index 92% rename from fast/stages/1-resman/data/top-level-folders/3-gcve.yaml rename to fast/stages/1-resman/data/top-level-folders/gcve.yaml index 8e3799593b..75802dda6e 100644 --- a/fast/stages/1-resman/data/top-level-folders/3-gcve.yaml +++ b/fast/stages/1-resman/data/top-level-folders/gcve.yaml 
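Review bot: The rewritten `sandbox.yaml` no longer states which roles the sandbox service account receives; the removed `service_account_iam` block listed `roles/owner`, `roles/logging.admin`, `roles/resourcemanager.folderAdmin` and `roles/resourcemanager.projectCreator` explicitly. If those grants now come from defaults in the stage 3 Terraform code, which is not visible here, a short comment in this file naming where they are defined would keep the privilege level reviewable from the data. If they are not applied at all, the sandbox automation account loses access to its folder. The file also sets no `environment`, which matters if the tag conditions added in iam.tf are evaluated for this stage.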
@@ -15,8 +15,7 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json name: GCVE -short_name: gcve automation: enable: false -root_node_config: - context_tag_value: gcve \ No newline at end of file +tag_bindings: + context: context/gcve diff --git a/fast/stages/1-resman/data/top-level-folders/gke.yaml b/fast/stages/1-resman/data/top-level-folders/gke.yaml new file mode 100644 index 0000000000..a7630de32d --- /dev/null +++ b/fast/stages/1-resman/data/top-level-folders/gke.yaml @@ -0,0 +1,21 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json + +name: GKE +automation: + enable: false +tag_bindings: + context: context/gke diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf index d30026f35e..890655dbea 100644 --- a/fast/stages/1-resman/iam.tf +++ b/fast/stages/1-resman/iam.tf 
@@ -53,12 +53,26 @@ locals { # stage 3 { for v in local.stage3_sa_roles_in_org : join("/", values(v)) => { - role = lookup(var.custom_roles, v, v) + role = lookup(var.custom_roles, v.role, v.role) member = ( v.sa == "rw" ? module.stage3-sa-rw[v.s3].iam_email : module.stage3-sa-ro[v.s3].iam_email ) + condition = { + title = "stage3 ${v.s3} ${v.env}" + expression = <<-END + resource.matchTag( + '${local.tag_root}/${var.tag_names.environment}', + '${v.env}' + ) + && + resource.matchTag( + '${local.tag_root}/${var.tag_names.context}', + '${v.context}' + ) + END + } } }, # billing for all stages diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf index 932b787739..773ef09db9 100644 --- a/fast/stages/1-resman/main.tf +++ b/fast/stages/1-resman/main.tf @@ -24,6 +24,15 @@ locals { ? "MULTI_REGIONAL" : "REGIONAL" ) + iam_stage2_condition = <<-END + resource.matchTag( + '${local.tag_root}/${var.tag_names.environment}', '%s' + ) + && + api.getAttribute( + 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s] + ) + END identity_providers = coalesce( try(var.automation.federated_identity_providers, null), {} ) @@ -52,14 +61,8 @@ locals { project-factory = module.pf-sa-rw[0].email project-factory-r = module.pf-sa-ro[0].email }, - { - for k, v in var.fast_stage_3 : - k => module.stage3-sa-rw[k].email - }, - { - for k, v in var.fast_stage_3 : - "${k}-r" => module.stage3-sa-ro[k].email - }, + { for k, v in local.stage3 : k => module.stage3-sa-rw[k].email }, + { for k, v in local.stage3 : "${k}-r" => module.stage3-sa-ro[k].email }, ) tag_keys = ( var.root_node == null @@ -76,6 +79,12 @@ locals { ? module.organization[0].tag_values : module.automation-project[0].tag_values ) + top_level_folder_ids = { + for k, v in module.top-level-folder : k => v.id + } + top_level_service_accounts = { + for k, v in module.top-level-sa : k => try(v.email) + } } # data "google_client_openid_userinfo" "provider_identity" { 
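Review bot: In the new `condition` on the `# stage 3` bindings, `'${v.env}'` and `'${v.context}'` are passed to `resource.matchTag` as tag value short names, but nothing in the hunk ties them to the names the tag values are created with. organization.tf in this patch now names the environment values from `var.environment_names`, so if `v.env` carries the short key used in the YAML files (`prod`), the argument should probably be `'${var.environment_names[v.env]}'`; a mismatch would leave the binding in place but never effective. The same caution applies to `v.context` if it still carries the `context/` prefix used in the data files' `tag_bindings`. How `local.stage3_sa_roles_in_org` builds these fields is outside the hunk, as is the rest of the `locals` block, so this needs checking against that definition.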
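Review bot: `iam_stage2_condition` in the main.tf hunk is a template with two positional `%s` slots and no comment saying what each expects. The second slot is spliced inside `hasOnly([...])`, so a caller that passes unquoted role names produces an invalid delegated-grant condition. I would add above it `# format args: 1 = environment tag value short name, 2 = comma-separated, single-quoted role names` (presumably it is filled with `format()`, which is not visible here). The closing parenthesis on its own line also reads as if it closed `api.getAttribute(` while it actually closes `hasOnly(`; putting `.hasOnly([%s])` on its own line after the complete `api.getAttribute(...)` call would make the grouping obvious. The enclosing `locals` block starts and ends outside the hunk.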
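Review bot: In the new `top_level_service_accounts` local in main.tf, `try(v.email)` has a single argument, so it provides no fallback and behaves exactly like `v.email`. Either drop the wrapper, `for k, v in module.top-level-sa : k => v.email`, or give it the intended default, `try(v.email, null)`. The surrounding `locals` block continues outside the hunk.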
diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index accc877dc7..8a3c49c166 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -66,7 +66,7 @@ module "organization" { description = "Environment definition." iam = try(local.tags.environment.iam, {}) values = { - development = { + (var.environment_names["dev"]) = { iam = try(local.tags.environment.values.development.iam, {}) iam_bindings = ( !var.fast_stage_2.project_factory.enabled @@ -82,7 +82,7 @@ module "organization" { local.tags.environment.values.development.description, null ) } - production = { + (var.environment_names["prod"]) = { iam = try(local.tags.environment.values.production.iam, {}) iam_bindings = ( !var.fast_stage_2.project_factory.enabled diff --git a/fast/stages/1-resman/outputs-cicd.tf b/fast/stages/1-resman/outputs-cicd.tf deleted file mode 100644 index a6d8b31ad9..0000000000 --- a/fast/stages/1-resman/outputs-cicd.tf +++ /dev/null 
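Review bot: The environment tag value key is now taken from `var.environment_names["dev"]`, but the overrides inside the same entry are still read from the hard-coded path `local.tags.environment.values.development` (`iam`, `description`). With a customised environment name, overrides declared under the new name are silently ignored, because the `try(..., {})` and `try(..., null)` fallbacks hide the miss. The lookups should follow the key, e.g. `iam = try(local.tags.environment.values[var.environment_names["dev"]].iam, {})`. The second hunk has the same mismatch for `production`. The `module "organization"` block starts and ends outside both hunks.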
@@ -1,114 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -locals { - cicd_workflows = { - for k, v in local._cicd_workflow_attrs : k => templatefile( - "${path.module}/templates/workflow-${v.repository.type}.yaml", v - ) - } - _cicd_workflow_attrs = merge( - # stage 2s (cannot use a loop as we need explicit module references) - lookup(local.cicd_repositories, "networking", null) == null ? {} : { - networking = { - audiences = try( - local.identity_providers[local.cicd_repositories.networking.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.networking.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - service_accounts = { - apply = module.net-sa-rw[0].email - plan = module.net-sa-ro[0].email - } - repository = local.cicd_repositories.networking.repository - stage_name = "networking" - tf_providers_files = { - apply = "2-networking-providers.tf" - plan = "2-networking-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_2 - } - }, - lookup(local.cicd_repositories, "security", null) == null ? 
{} : { - security = { - audiences = try( - local.identity_providers[local.cicd_repositories.security.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.security.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - repository = local.cicd_repositories.security.repository - service_accounts = { - apply = module.sec-sa-rw[0].email - plan = module.sec-sa-ro[0].email - } - repository = local.cicd_repositories.security.repository - tf_providers_files = { - apply = "2-security-providers.tf" - plan = "2-security-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_2 - } - }, - lookup(local.cicd_repositories, "project_factory", null) == null ? {} : { - project_factory = { - audiences = try( - local.identity_providers[local.cicd_repositories.project_factory.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.project_factory.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - repository = local.cicd_repositories.project_factory.repository - service_accounts = { - apply = module.pf-sa-rw[0].email - plan = module.pf-sa-ro[0].email - } - stage_name = "project-factory" - tf_providers_files = { - apply = "2-project-factory-providers.tf" - plan = "2-project-factory-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_2 - } - }, - # stage 3 - { - for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { - audiences = try( - local.identity_providers[v.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[v.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - repository = v.repository - service_accounts = { - apply = module.stage3-sa-rw[0].email - plan = module.stage3-sa-ro[0].email - } - stage_name = v.short_name - tf_providers_files = { - apply = "${v.lvl}-${k}-providers.tf" - plan = 
"${v.lvl}-${k}-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_3 - } if v.lvl == 3 - } - ) -} diff --git a/fast/stages/1-resman/outputs-files.tf b/fast/stages/1-resman/outputs-files.tf index f7f080dd9c..12ff730eee 100644 --- a/fast/stages/1-resman/outputs-files.tf +++ b/fast/stages/1-resman/outputs-files.tf 
@@ -17,7 +17,179 @@ # tfdoc:file:description Output files persistence to local filesystem. locals { + _cicd_workflow_attrs = merge( + # stage 2s (cannot use a loop as we need explicit module references) + lookup(local.cicd_repositories, "networking", null) == null ? {} : { + networking = { + audiences = try( + local.identity_providers[local.cicd_repositories.networking.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[local.cicd_repositories.networking.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + service_accounts = { + apply = module.net-sa-rw[0].email + plan = module.net-sa-ro[0].email + } + repository = local.cicd_repositories.networking.repository + stage_name = "networking" + tf_providers_files = { + apply = "2-networking-providers.tf" + plan = "2-networking-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 + } + }, + lookup(local.cicd_repositories, "security", null) == null ? {} : { + security = { + audiences = try( + local.identity_providers[local.cicd_repositories.security.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[local.cicd_repositories.security.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + repository = local.cicd_repositories.security.repository + service_accounts = { + apply = module.sec-sa-rw[0].email + plan = module.sec-sa-ro[0].email + } + repository = local.cicd_repositories.security.repository + tf_providers_files = { + apply = "2-security-providers.tf" + plan = "2-security-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 + } + }, + lookup(local.cicd_repositories, "project_factory", null) == null ? 
{} : { + project_factory = { + audiences = try( + local.identity_providers[local.cicd_repositories.project_factory.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[local.cicd_repositories.project_factory.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + repository = local.cicd_repositories.project_factory.repository + service_accounts = { + apply = module.pf-sa-rw[0].email + plan = module.pf-sa-ro[0].email + } + stage_name = "project-factory" + tf_providers_files = { + apply = "2-project-factory-providers.tf" + plan = "2-project-factory-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_2 + } + }, + # stage 3 + { + for k, v in local.cicd_repositories : "${v.lvl}-${k}" => { + audiences = try( + local.identity_providers[v.identity_provider].audiences, null + ) + identity_provider = try( + local.identity_providers[v.identity_provider].name, null + ) + outputs_bucket = var.automation.outputs_bucket + repository = v.repository + service_accounts = { + apply = module.stage3-sa-rw[0].email + plan = module.stage3-sa-ro[0].email + } + stage_name = v.short_name + tf_providers_files = { + apply = "${v.lvl}-${k}-providers.tf" + plan = "${v.lvl}-${k}-providers-r.tf" + } + tf_var_files = local.cicd_workflow_files.stage_3 + } if v.lvl == 3 + } + ) + _tpl_providers = "${path.module}/templates/providers.tf.tpl" + cicd_workflows = { + for k, v in local._cicd_workflow_attrs : k => templatefile( + "${path.module}/templates/workflow-${v.repository.type}.yaml", v + ) + } outputs_location = try(pathexpand(var.outputs_location), "") + providers = merge( + # stage 2 + !var.fast_stage_2.networking.enabled ? 
{} : { + "2-networking" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.net-bucket[0].name + name = "networking" + sa = module.net-sa-rw[0].email + }) + "2-networking-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.net-bucket[0].name + name = "networking" + sa = module.net-sa-ro[0].email + }) + }, + !var.fast_stage_2.security.enabled ? {} : { + "2-security" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.sec-bucket[0].name + name = "security" + sa = module.sec-sa-rw[0].email + }) + "2-security-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.sec-bucket[0].name + name = "security" + sa = module.sec-sa-ro[0].email + }) + }, + !var.fast_stage_2.project_factory.enabled ? {} : { + "2-project-factory" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket[0].name + name = "project-factory" + sa = module.pf-sa-rw[0].email + }) + "2-project-factory-r" = templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.pf-bucket[0].name + name = "project-factory" + sa = module.pf-sa-ro[0].email + }) + }, + # stage 3 + { + for k, v in local.stage3 : + "3-${k}" => templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.stage3-bucket[k].name + name = k + sa = module.stage3-sa-rw[k].email + }) + }, + { + for k, v in local.stage3 : + "3-${k}-r" => templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.stage3-bucket[k].name + name = k + sa = module.stage3-sa-ro[k].email + }) + }, + # top-level folders + { + for k, v in module.top-level-sa : + "1-resman-folder-${k}" => templatefile(local._tpl_providers, { + backend_extra = null + bucket = module.top-level-bucket[k].name + name = k + sa = v.email + }) + }, + ) } resource "local_file" "providers" { 
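Review bot: In the `# stage 3` entry of `_cicd_workflow_attrs`, the workflow service accounts are read as `module.stage3-sa-rw[0].email` and `module.stage3-sa-ro[0].email`, while the `providers` local in this same hunk indexes those modules by stage key (`module.stage3-sa-rw[k].email`). With key-indexed modules the `[0]` lookup either fails or gives every stage 3 workflow the same identity; the lines should presumably read `apply = module.stage3-sa-rw[k].email` and `plan = module.stage3-sa-ro[k].email`. That assumes the keys of `local.cicd_repositories` match those of `local.stage3`, which is not visible here. Separately, the `security` entry sets `repository` twice and has no `stage_name`, unlike `networking` and `project_factory`.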
@@ -40,3 +212,23 @@ resource "local_file" "workflows" { filename = "${local.outputs_location}/workflows/${replace(each.key, "_", "-")}-workflow.yaml" content = try(each.value, null) } + +resource "google_storage_bucket_object" "providers" { + for_each = local.providers + bucket = var.automation.outputs_bucket + name = "providers/${each.key}-providers.tf" + content = each.value +} + +resource "google_storage_bucket_object" "tfvars" { + bucket = var.automation.outputs_bucket + name = "tfvars/1-resman.auto.tfvars.json" + content = jsonencode(local.tfvars) +} + +resource "google_storage_bucket_object" "workflows" { + for_each = local.cicd_workflows + bucket = var.automation.outputs_bucket + name = "workflows/${replace(each.key, "_", "-")}-workflow.yaml" + content = each.value +} diff --git a/fast/stages/1-resman/outputs-gcs.tf b/fast/stages/1-resman/outputs-gcs.tf deleted file mode 100644 index 5b9f5d8518..0000000000 --- a/fast/stages/1-resman/outputs-gcs.tf +++ /dev/null 
@@ -1,37 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Output files persistence to automation GCS bucket. - -resource "google_storage_bucket_object" "providers" { - for_each = local.providers - bucket = var.automation.outputs_bucket - name = "providers/${each.key}-providers.tf" - content = each.value -} - -resource "google_storage_bucket_object" "tfvars" { - bucket = var.automation.outputs_bucket - name = "tfvars/1-resman.auto.tfvars.json" - content = jsonencode(local.tfvars) -} - -resource "google_storage_bucket_object" "workflows" { - for_each = local.cicd_workflows - bucket = var.automation.outputs_bucket - name = "workflows/${replace(each.key, "_", "-")}-workflow.yaml" - content = each.value -} diff --git a/fast/stages/1-resman/outputs-providers.tf b/fast/stages/1-resman/outputs-providers.tf deleted file mode 100644 index ab04cf8d15..0000000000 --- a/fast/stages/1-resman/outputs-providers.tf +++ /dev/null 
@@ -1,93 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - _tpl_providers = "${path.module}/templates/providers.tf.tpl" - providers = merge( - # stage 2 - !var.fast_stage_2.networking.enabled ? {} : { - "2-networking" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.net-bucket[0].name - name = "networking" - sa = module.net-sa-rw[0].email - }) - "2-networking-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.net-bucket[0].name - name = "networking" - sa = module.net-sa-ro[0].email - }) - }, - !var.fast_stage_2.security.enabled ? {} : { - "2-security" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.sec-bucket[0].name - name = "security" - sa = module.sec-sa-rw[0].email - }) - "2-security-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.sec-bucket[0].name - name = "security" - sa = module.sec-sa-ro[0].email - }) - }, - !var.fast_stage_2.project_factory.enabled ? 
{} : { - "2-project-factory" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket[0].name - name = "project-factory" - sa = module.pf-sa-rw[0].email - }) - "2-project-factory-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket[0].name - name = "project-factory" - sa = module.pf-sa-ro[0].email - }) - }, - # stage 3 - { - for k, v in var.fast_stage_3 : - "3-${k}" => templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.stage3-bucket[k].name - name = k - sa = module.stage3-sa-rw[k].email - }) - }, - { - for k, v in var.fast_stage_3 : - "3-${k}-r" => templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.stage3-bucket[k].name - name = k - sa = module.stage3-sa-ro[k].email - }) - }, - # top-level folders - { - for k, v in module.top-level-sa : - "1-resman-folder-${k}" => templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.top-level-bucket[k].name - name = k - sa = v.email - }) - }, - ) -} diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 21e98f6abf..fc26a56ead 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf @@ -30,11 +30,12 @@ locals { # stage 3 { for k, v in module.stage3-folder : k => v.id }, # top-level folders - { for k, v in module.top-level-folder : k => v.id } + local.top_level_folder_ids + ) + service_accounts = merge( + local.stage_service_accounts, + local.top_level_service_accounts ) - service_accounts = merge(local.stage_service_accounts, { - for k, v in module.top-level-sa : k => try(v.email) - }) tfvars = { checklist_hierarchy = local.checklist.hierarchy folder_ids = local.folder_ids diff --git a/fast/stages/1-resman/plan.txt b/fast/stages/1-resman/plan.txt new file mode 100644 index 0000000000..0193649982 --- /dev/null +++ b/fast/stages/1-resman/plan.txt 
@@ -0,0 +1,4550 @@ + +Terraform used the selected providers to generate the following execution +plan. Resource actions are indicated with the following symbols: + + create + ~ update in-place + - destroy +-/+ destroy and then create replacement + +Terraform will perform the following actions: + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is 
not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # 
google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = 
"017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) + - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.costsManager" -> null + } + + # google_billing_account_iam_member.default["data-platform-dev"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["data-platform-prod"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["gcve-dev"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) 
+ + id = (known after apply) + + member = "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["gcve-prod"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["gke-dev"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["gke-prod"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["project-factory-dev"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["project-factory-prod"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = 
"serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["sa_net_billing"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["sa_pf_billing"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["sa_pf_costs_manager"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.costsManager" + } + + # google_billing_account_iam_member.default["sa_sec_billing"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = "roles/billing.user" + } + + # google_billing_account_iam_member.default["sandbox"] will be created + + resource "google_billing_account_iam_member" "default" { + + billing_account_id = "017479-47ADAB-670295" + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + role = 
"roles/billing.user" + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is 
not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = 
"017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = 
"serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_billing_account_iam_member.default["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed + # (because key ["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) + # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) + - resource "google_billing_account_iam_member" "default" { + - billing_account_id = "017479-47ADAB-670295" -> null + - etag = "BwYgANfU8zg=" -> null + - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - role = "roles/billing.user" -> null + } + + # google_storage_bucket_object.providers["2-project-factory-dev"] will be destroyed + # (because key ["2-project-factory-dev"] is not in for_each map) + - 
resource "google_storage_bucket_object" "providers" { + - bucket = "ldj-prod-iac-core-outputs-0" -> null + - content = (sensitive value) -> null + - content_type = "text/plain; charset=utf-8" -> null + - crc32c = "1/U7aw==" -> null + - detect_md5hash = "2KhpBFsNgFLTtlft4+2vUg==" -> null + - event_based_hold = false -> null + - generation = 1724165864283522 -> null + - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-dev-providers.tf" -> null + - md5hash = "2KhpBFsNgFLTtlft4+2vUg==" -> null + - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-providers.tf?generation=1724165864283522&alt=media" -> null + - name = "providers/2-project-factory-dev-providers.tf" -> null + - output_name = "providers/2-project-factory-dev-providers.tf" -> null + - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-providers.tf" -> null + - storage_class = "MULTI_REGIONAL" -> null + - temporary_hold = false -> null + # (5 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["2-project-factory-dev-r"] will be destroyed + # (because key ["2-project-factory-dev-r"] is not in for_each map) + - resource "google_storage_bucket_object" "providers" { + - bucket = "ldj-prod-iac-core-outputs-0" -> null + - content = (sensitive value) -> null + - content_type = "text/plain; charset=utf-8" -> null + - crc32c = "a+Kk2A==" -> null + - detect_md5hash = "vqeJdjws7rpHdGUcxwv4/w==" -> null + - event_based_hold = false -> null + - generation = 1724165861422489 -> null + - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-dev-r-providers.tf" -> null + - md5hash = "vqeJdjws7rpHdGUcxwv4/w==" -> null + - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-r-providers.tf?generation=1724165861422489&alt=media" -> null + - name = 
"providers/2-project-factory-dev-r-providers.tf" -> null + - output_name = "providers/2-project-factory-dev-r-providers.tf" -> null + - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-r-providers.tf" -> null + - storage_class = "MULTI_REGIONAL" -> null + - temporary_hold = false -> null + # (5 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["2-project-factory-prod"] will be destroyed + # (because key ["2-project-factory-prod"] is not in for_each map) + - resource "google_storage_bucket_object" "providers" { + - bucket = "ldj-prod-iac-core-outputs-0" -> null + - content = (sensitive value) -> null + - content_type = "text/plain; charset=utf-8" -> null + - crc32c = "unYabQ==" -> null + - detect_md5hash = "weQqYVVKtTmXPi/v/YOGww==" -> null + - event_based_hold = false -> null + - generation = 1724165859084907 -> null + - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-prod-providers.tf" -> null + - md5hash = "weQqYVVKtTmXPi/v/YOGww==" -> null + - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-providers.tf?generation=1724165859084907&alt=media" -> null + - name = "providers/2-project-factory-prod-providers.tf" -> null + - output_name = "providers/2-project-factory-prod-providers.tf" -> null + - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-providers.tf" -> null + - storage_class = "MULTI_REGIONAL" -> null + - temporary_hold = false -> null + # (5 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["2-project-factory-prod-r"] will be destroyed + # (because key ["2-project-factory-prod-r"] is not in for_each map) + - resource "google_storage_bucket_object" "providers" { + - bucket = "ldj-prod-iac-core-outputs-0" -> null + - content = (sensitive value) -> null + - content_type = 
"text/plain; charset=utf-8" -> null + - crc32c = "BzQS2w==" -> null + - detect_md5hash = "ffpfHrpcJL/w7ZwwdbFY7Q==" -> null + - event_based_hold = false -> null + - generation = 1724165860311488 -> null + - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-prod-r-providers.tf" -> null + - md5hash = "ffpfHrpcJL/w7ZwwdbFY7Q==" -> null + - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-r-providers.tf?generation=1724165860311488&alt=media" -> null + - name = "providers/2-project-factory-prod-r-providers.tf" -> null + - output_name = "providers/2-project-factory-prod-r-providers.tf" -> null + - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-r-providers.tf" -> null + - storage_class = "MULTI_REGIONAL" -> null + - temporary_hold = false -> null + # (5 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["3-data-platform-dev"] will be updated in-place + ~ resource "google_storage_bucket_object" "providers" { + ~ content = (sensitive value) + ~ detect_md5hash = "K7MT2KrZevadcRopR/1npQ==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-dev-providers.tf" + name = "providers/3-data-platform-dev-providers.tf" + # (17 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["3-data-platform-dev-r"] will be updated in-place + ~ resource "google_storage_bucket_object" "providers" { + ~ content = (sensitive value) + ~ detect_md5hash = "eKTJwex+CJ4uj6xbzxsJsw==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-dev-r-providers.tf" + name = "providers/3-data-platform-dev-r-providers.tf" + # (17 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["3-data-platform-prod"] will be updated in-place + ~ resource "google_storage_bucket_object" "providers" { + ~ content = (sensitive value) + 
~ detect_md5hash = "hQhEy51JiltDXvRM35UeBQ==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-prod-providers.tf" + name = "providers/3-data-platform-prod-providers.tf" + # (17 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["3-data-platform-prod-r"] will be updated in-place + ~ resource "google_storage_bucket_object" "providers" { + ~ content = (sensitive value) + ~ detect_md5hash = "ixoiiKUUIufpgCqO2Gor6g==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-prod-r-providers.tf" + name = "providers/3-data-platform-prod-r-providers.tf" + # (17 unchanged attributes hidden) + } + + # google_storage_bucket_object.providers["3-gcve-dev"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-gcve-dev-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-gcve-dev-r"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-gcve-dev-r-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } 
+ + # google_storage_bucket_object.providers["3-gcve-prod"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-gcve-prod-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-gcve-prod-r"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-gcve-prod-r-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-project-factory-dev"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-project-factory-dev-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after 
apply) + } + + # google_storage_bucket_object.providers["3-project-factory-dev-r"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-project-factory-dev-r-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-project-factory-prod"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-project-factory-prod-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-project-factory-prod-r"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-project-factory-prod-r-providers.tf" + + output_name = (known after apply) + + self_link 
= (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-sandbox"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-sandbox-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["3-sandbox-r"] will be created + + resource "google_storage_bucket_object" "providers" { + + bucket = "ldj-prod-iac-core-outputs-0" + + content = (sensitive value) + + content_type = (known after apply) + + crc32c = (known after apply) + + detect_md5hash = "different hash" + + generation = (known after apply) + + id = (known after apply) + + kms_key_name = (known after apply) + + md5hash = (known after apply) + + media_link = (known after apply) + + name = "providers/3-sandbox-r-providers.tf" + + output_name = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + } + + # google_storage_bucket_object.providers["9-sandbox"] will be destroyed + # (because key ["9-sandbox"] is not in for_each map) + - resource "google_storage_bucket_object" "providers" { + - bucket = "ldj-prod-iac-core-outputs-0" -> null + - content = (sensitive value) -> null + - content_type = "text/plain; charset=utf-8" -> null + - crc32c = "hoBu4A==" -> null + - detect_md5hash = "hOSd0GG5FCkYkzf140qRuQ==" -> null + - event_based_hold = false -> null + - generation = 1724165862741840 -> null + - id = "ldj-prod-iac-core-outputs-0-providers/9-sandbox-providers.tf" -> null + - md5hash = 
"hOSd0GG5FCkYkzf140qRuQ==" -> null + - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F9-sandbox-providers.tf?generation=1724165862741840&alt=media" -> null + - metadata = {} -> null + - name = "providers/9-sandbox-providers.tf" -> null + - output_name = "providers/9-sandbox-providers.tf" -> null + - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F9-sandbox-providers.tf" -> null + - storage_class = "MULTI_REGIONAL" -> null + - temporary_hold = false -> null + # (5 unchanged attributes hidden) + } + + # google_storage_bucket_object.tfvars will be updated in-place + ~ resource "google_storage_bucket_object" "tfvars" { + ~ content = (sensitive value) + ~ detect_md5hash = "N97vUaApkSkVsc5eJ/n+Ng==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-tfvars/1-resman.auto.tfvars.json" + name = "tfvars/1-resman.auto.tfvars.json" + # (17 unchanged attributes hidden) + } + + # google_storage_bucket_object.workflows["networking"] will be updated in-place + ~ resource "google_storage_bucket_object" "workflows" { + ~ content = (sensitive value) + ~ detect_md5hash = "XwJtleYexn+10HWW2AfoCg==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-workflows/networking-workflow.yaml" + name = "workflows/networking-workflow.yaml" + # (17 unchanged attributes hidden) + } + + # google_storage_bucket_object.workflows["security"] will be updated in-place + ~ resource "google_storage_bucket_object" "workflows" { + ~ content = (sensitive value) + ~ detect_md5hash = "qNnXf1H5cVwk1+Xg3PMB5g==" -> "different hash" + id = "ldj-prod-iac-core-outputs-0-workflows/security-workflow.yaml" + name = "workflows/security-workflow.yaml" + # (17 unchanged attributes hidden) + } + + # local_file.providers["2-project-factory-dev"] will be destroyed + # (because key ["2-project-factory-dev"] is not in for_each map) + - resource "local_file" "providers" { + - content = <<-EOT + /** + * 
Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-pf-0" + impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-dev + EOT -> null + - content_base64sha256 = "o9qjfysy9ElLubXF8AaKExZazX0+ff3Bkz5j/VZLhm4=" -> null + - content_base64sha512 = "kil2VGo8jrAwawUYa5mHbJaZhPLr/2WuuEG8XpO99JOEqlBQzKua/d+5u4m0rSe05OselZGa1XocLY56oI4B2Q==" -> null + - content_md5 = "d8a869045b0d8052d3b657ede3edaf52" -> null + - content_sha1 = "7b455ebbccfc66acd18932023f9e9cf01670193e" -> null + - content_sha256 = "a3daa37f2b32f4494bb9b5c5f0068a13165acd7d3e7dfdc1933e63fd564b866e" -> null + - content_sha512 = "922976546a3c8eb0306b05186b99876c969984f2ebff65aeb841bc5e93bdf49384aa5050ccab9afddfb9bb89b4ad27b4e4eb1e95919ad57a1c2d8e7aa08e01d9" -> null + - directory_permission = "0777" -> null + - file_permission = "0644" -> null + - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-dev-providers.tf" -> null + - id = "7b455ebbccfc66acd18932023f9e9cf01670193e" -> null + } + + # local_file.providers["2-project-factory-dev-r"] 
will be destroyed + # (because key ["2-project-factory-dev-r"] is not in for_each map) + - resource "local_file" "providers" { + - content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-pf-0" + impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-dev + EOT -> null + - content_base64sha256 = "oLhfDRlG4uEP29Zs5BMZjPIQq4MoupR5ebj8TCRhmGg=" -> null + - content_base64sha512 = "bgKdn/XmqDljUqE0gj9DmX1LBMpx7AMsyx8AnRmnn7rNjE3PI/XlgZBl8+4cAqvYeCvkcH+dVyAJuzkMambHBQ==" -> null + - content_md5 = "bea789763c2ceeba4774651cc70bf8ff" -> null + - content_sha1 = "e2cb9c5d8a62354eb07183fb65f047875a91bdfd" -> null + - content_sha256 = "a0b85f0d1946e2e10fdbd66ce413198cf210ab8328ba947979b8fc4c24619868" -> null + - content_sha512 = "6e029d9ff5e6a8396352a134823f43997d4b04ca71ec032ccb1f009d19a79fbacd8c4dcf23f5e5819065f3ee1c02abd8782be4707f9d572009bb390c6a66c705" -> null + - directory_permission = "0777" -> null + - file_permission = "0644" -> null + - filename = 
"/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-dev-r-providers.tf" -> null + - id = "e2cb9c5d8a62354eb07183fb65f047875a91bdfd" -> null + } + + # local_file.providers["2-project-factory-prod"] will be destroyed + # (because key ["2-project-factory-prod"] is not in for_each map) + - resource "local_file" "providers" { + - content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-pf-0" + impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-prod + EOT -> null + - content_base64sha256 = "SfGgfaWS91Jto+G8ADLc7D1DjC7HRAfAO0+zA/OMZ5g=" -> null + - content_base64sha512 = "6FK9KtZH9wA21HgTO7V3fCCrRAnd5K64kugjyol5cDlz33ERRLwRMKjKVPIfUhMJg56UtM4TZcJhLEY65Di/2g==" -> null + - content_md5 = "c1e42a61554ab539973e2feffd8386c3" -> null + - content_sha1 = "4b591ee04c1e6ee01e69367752549077e806174a" -> null + - content_sha256 = "49f1a07da592f7526da3e1bc0032dcec3d438c2ec74407c03b4fb303f38c6798" -> null + - content_sha512 = 
"e852bd2ad647f70036d478133bb5777c20ab4409dde4aeb892e823ca8979703973df711144bc1130a8ca54f21f521309839e94b4ce1365c2612c463ae438bfda" -> null + - directory_permission = "0777" -> null + - file_permission = "0644" -> null + - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-prod-providers.tf" -> null + - id = "4b591ee04c1e6ee01e69367752549077e806174a" -> null + } + + # local_file.providers["2-project-factory-prod-r"] will be destroyed + # (because key ["2-project-factory-prod-r"] is not in for_each map) + - resource "local_file" "providers" { + - content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-pf-0" + impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-prod + EOT -> null + - content_base64sha256 = "ZaO5mia+nbq3+saW8xHi1SdxXRnurc2l68x5s3S1pa4=" -> null + - content_base64sha512 = "UBHvUSF7PStCZuAUdENyWO5KJdwq/ZCyqrRYMpzefD1MffOWKo6du1kfU9o2O9lbRI487VxqvEu3Z/N8PKxz7w==" -> null + - content_md5 = "7dfa5f1eba5c24bff0ed9c3075b158ed" -> null + - content_sha1 = "9ffd801dfeca04d566c17c19f4e468653c9f95fe" -> null + - content_sha256 = "65a3b99a26be9dbab7fac696f311e2d527715d19eeadcda5ebcc79b374b5a5ae" -> null + - content_sha512 = "5011ef51217b3d2b4266e01474437258ee4a25dc2afd90b2aab458329cde7c3d4c7df3962a8e9dbb591f53da363bd95b448e3ced5c6abc4bb767f37c3cac73ef" -> null + - directory_permission = "0777" -> null + - file_permission = "0644" -> null + - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-prod-r-providers.tf" -> null + - id = "9ffd801dfeca04d566c17c19f4e468653c9f95fe" -> null + } + + # local_file.providers["3-data-platform-dev"] must be replaced +-/+ resource "local_file" "providers" { + ~ content = <<-EOT # forces replacement + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. 
+ * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-dp-0" + impersonate_service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + - # end provider.tf for dp-dev + + # end provider.tf for data-platform-dev + EOT + ~ content_base64sha256 = "1qpn5QbXhb9gM73rDzHkQqaYWJNU2aNSdxkbtmL48tc=" -> (known after apply) + ~ content_base64sha512 = "IfEveLtAPSiXsmIgI1ecqljSEtpR3Gks5VCkLs0p+B/EQxSyHuxOsvE+WsSXS6ZXW01O65HyfGyibLqzRPe4dQ==" -> (known after apply) + ~ content_md5 = "2bb313d8aad97af69d711a2947fd67a5" -> (known after apply) + ~ content_sha1 = "9e2275cf364ac73635e17e376861ac3c0aa270f1" -> (known after apply) + ~ content_sha256 = "d6aa67e506d785bf6033bdeb0f31e442a698589354d9a35277191bb662f8f2d7" -> (known after apply) + ~ content_sha512 = "21f12f78bb403d2897b2622023579caa58d212da51dc692ce550a42ecd29f81fc44314b21eec4eb2f13e5ac4974ba6575b4d4eeb91f27c6ca26cbab344f7b875" -> (known after apply) + ~ id = "9e2275cf364ac73635e17e376861ac3c0aa270f1" -> (known after apply) + # (3 unchanged attributes hidden) + } + + # local_file.providers["3-data-platform-dev-r"] must be replaced +-/+ resource "local_file" "providers" { + ~ content = <<-EOT # forces replacement + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the 
"License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-dp-0" + impersonate_service_account = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + - # end provider.tf for dp-dev + + # end provider.tf for data-platform-dev + EOT + ~ content_base64sha256 = "XASKu15jdK8HVbHe5g4ULiu9Gz8Oqm8ZxJ6RY05Ngnw=" -> (known after apply) + ~ content_base64sha512 = "o9hykKPrfta/H7TCoMyBgJoy6fZAKCoD+q41iR0uz0WlwnXgdyovArDBhHDkfTFJrFPNYIDIiwyOxAhamZ0Hqg==" -> (known after apply) + ~ content_md5 = "78a4c9c1ec7e089e2e8fac5bcf1b09b3" -> (known after apply) + ~ content_sha1 = "47fc05248ac63321757bff9fdb74ef8f9a143a4f" -> (known after apply) + ~ content_sha256 = "5c048abb5e6374af0755b1dee60e142e2bbd1b3f0eaa6f19c49e91634e4d827c" -> (known after apply) + ~ content_sha512 = "a3d87290a3eb7ed6bf1fb4c2a0cc81809a32e9f640282a03faae35891d2ecf45a5c275e0772a2f02b0c18470e47d3149ac53cd6080c88b0c8ec4085a999d07aa" -> (known after apply) + ~ id = "47fc05248ac63321757bff9fdb74ef8f9a143a4f" -> (known after apply) + # (3 unchanged attributes hidden) + } + + # local_file.providers["3-data-platform-prod"] must be replaced +-/+ resource "local_file" "providers" { + ~ content = <<-EOT # forces replacement + /** + * Copyright 
2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-dp-0" + impersonate_service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + - # end provider.tf for dp-prod + + # end provider.tf for data-platform-prod + EOT + ~ content_base64sha256 = "+AkAf7mnQbteCJTRF5+d+wceuobXcw6Nugll/qE+IkU=" -> (known after apply) + ~ content_base64sha512 = "qVWaCTBAKabrpP+cuMV6lsWumRvIl4cL/7eOMrjLYLze2SqkknOTL/h0bLeaHcmZ5Gal0MljvAdWs2plWPVVOw==" -> (known after apply) + ~ content_md5 = "850844cb9d498a5b435ef44cdf951e05" -> (known after apply) + ~ content_sha1 = "7a9df0e7e42b6a4b1bf182d616733d1128330078" -> (known after apply) + ~ content_sha256 = "f809007fb9a741bb5e0894d1179f9dfb071eba86d7730e8dba0965fea13e2245" -> (known after apply) + ~ content_sha512 = "a9559a09304029a6eba4ff9cb8c57a96c5ae991bc897870bffb78e32b8cb60bcded92aa49273932ff8746cb79a1dc999e466a5d0c963bc0756b36a6558f5553b" -> (known after apply) + ~ id = "7a9df0e7e42b6a4b1bf182d616733d1128330078" -> (known after apply) + # (3 unchanged attributes hidden) + } + + # local_file.providers["3-data-platform-prod-r"] must be replaced +-/+ resource 
"local_file" "providers" { + ~ content = <<-EOT # forces replacement + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-dp-0" + impersonate_service_account = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + - # end provider.tf for dp-prod + + # end provider.tf for data-platform-prod + EOT + ~ content_base64sha256 = "eFvdBVb25p/9PIn57fqbnwSwdyCPnqEnYIArkIfXil8=" -> (known after apply) + ~ content_base64sha512 = "6hgoo+MsUh7hSl+0Wvvbl7nlHXk8nUnTjWO2UguZZ/MFXskjxA/jzaNKNxvss3GKbGEIxMVuoXm27sKVSD94Hg==" -> (known after apply) + ~ content_md5 = "8b1a2288a51422e7e9802a8ed86a2bea" -> (known after apply) + ~ content_sha1 = "08332943453ec993a8b17779710a540b7f7b50b7" -> (known after apply) + ~ content_sha256 = "785bdd0556f6e69ffd3c89f9edfa9b9f04b077208f9ea12760802b9087d78a5f" -> (known after apply) + ~ content_sha512 = "ea1828a3e32c521ee14a5fb45afbdb97b9e51d793c9d49d38d63b6520b9967f3055ec923c40fe3cda34a371becb3718a6c6108c4c56ea179b6eec295483f781e" -> (known after apply) + ~ id = "08332943453ec993a8b17779710a540b7f7b50b7" -> (known after apply) + # (3 unchanged attributes hidden) + } + + 
# local_file.providers["3-gcve-dev"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-gcve-0" + impersonate_service_account = "ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for gcve-dev + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-dev-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-gcve-dev-r"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. 
+ * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-gcve-0" + impersonate_service_account = "ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for gcve-dev + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-dev-r-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-gcve-prod"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+ * See the License for the specific language governing permissions and + * limitations under the License. + */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-gcve-0" + impersonate_service_account = "ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for gcve-prod + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-prod-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-gcve-prod-r"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-gcve-0" + impersonate_service_account = "ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for gcve-prod + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-prod-r-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-project-factory-dev"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-pf-0" + impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-dev + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-dev-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-project-factory-dev-r"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-pf-0" + impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-dev + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-dev-r-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-project-factory-prod"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-pf-0" + impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-prod + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-prod-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-project-factory-prod-r"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-prod-resman-pf-0" + impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for project-factory-prod + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-prod-r-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-sandbox"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-sbx-0" + impersonate_service_account = "ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for sandbox + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-sandbox-providers.tf" + + id = (known after apply) + } + + # local_file.providers["3-sandbox-r"] will be created + + resource "local_file" "providers" { + + content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-sbx-0" + impersonate_service_account = "ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for sandbox + EOT + + content_base64sha256 = (known after apply) + + content_base64sha512 = (known after apply) + + content_md5 = (known after apply) + + content_sha1 = (known after apply) + + content_sha256 = (known after apply) + + content_sha512 = (known after apply) + + directory_permission = "0777" + + file_permission = "0644" + + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-sandbox-r-providers.tf" + + id = (known after apply) + } + + # local_file.providers["9-sandbox"] will be destroyed + # (because key ["9-sandbox"] is not in for_each map) + - resource "local_file" "providers" { + - content = <<-EOT + /** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + + terraform { + backend "gcs" { + bucket = "ldj-dev-resman-sbox-0" + impersonate_service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } + provider "google" { + impersonate_service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + provider "google-beta" { + impersonate_service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + + # end provider.tf for sandbox + EOT -> null + - content_base64sha256 = "sxj7XXfYyf/wdly0AuijFHRLvOB8HMkV3yrhtOhJVjc=" -> null + - content_base64sha512 = "5HhvcchEvqjX6COU5RkmuiQ73jnNqeUfkybM1fawSQ0n+VmpXcyuZ6r6CtCt6ljNWy3LuZavjZTYDMk+6P851g==" -> null + - content_md5 = "84e49dd061b91429189337f5e34a91b9" -> null + - content_sha1 = "344829bd4c47592067a551a2736173dda6c180a2" -> null + - content_sha256 = "b318fb5d77d8c9fff0765cb402e8a314744bbce07c1cc915df2ae1b4e8495637" -> null + - content_sha512 = "e4786f71c844bea8d7e82394e51926ba243bde39cda9e51f9326ccd5f6b0490d27f959a95dccae67aafa0ad0adea58cd5b2dcbb996af8d94d80cc93ee8ff39d6" -> null + - directory_permission = "0777" -> null + - file_permission = "0644" -> null + - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/9-sandbox-providers.tf" -> null + - id = "344829bd4c47592067a551a2736173dda6c180a2" -> null + } + + # local_file.tfvars["1"] must be replaced +-/+ resource "local_file" "tfvars" { + ~ content = jsonencode( + { + - checklist_hierarchy = {} + - fast_features = { + - data_platform = true + - gcve = false + - gke = true + - nsec = false + - sandbox = true + } + - folder_ids = { + - data-platform-dev = "folders/777820411744" + - data-platform-prod = "folders/447111401824" + - gcve-dev = null + - gcve-prod = null + - gke-dev = "folders/39661087317" + - gke-prod = "folders/810789977048" + - networking = "folders/843203210689" + - networking-dev = "folders/835049949636" + - networking-prod = "folders/572160545943" + - sandbox = "folders/245438209825" + - 
security = "folders/251257116248" + - teams = "folders/551661226665" + - tenants = "folders/1030800250254" + } + - service_accounts = { + - data-platform-dev = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - data-platform-dev-r = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - data-platform-prod = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - data-platform-prod-r = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - gcve-dev = null + - gcve-dev-r = null + - gcve-prod = null + - gcve-prod-r = null + - gke-dev = "ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - gke-dev-r = "ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - gke-prod = "ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - gke-prod-r = "ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - networking = "ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - networking-r = "ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - nsec = null + - nsec-r = null + - project-factory = "ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - project-factory-dev = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - project-factory-dev-r = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - project-factory-prod = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - project-factory-prod-r = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - project-factory-r = "ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - sandbox = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - security = "ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - security-r = "ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + - tag_keys = { + - context = "tagKeys/123316001138" + - 
environment = "tagKeys/534907385149" + - gcs_soft_delete = "tagKeys/281479009308987" + } + - tag_names = { + - context = "context" + - environment = "environment" + } + - tag_values = { + - "context/data" = "tagValues/420824284884" + - "context/gcve" = "tagValues/281476934113589" + - "context/gke" = "tagValues/1084887265324" + - "context/networking" = "tagValues/1085868865377" + - "context/project-factory" = "tagValues/281477339751191" + - "context/sandbox" = "tagValues/918078731612" + - "context/security" = "tagValues/111937801763" + - "environment/development" = "tagValues/1028757044334" + - "environment/production" = "tagValues/1067159199641" + - "gcs_soft_delete/allow-0" = "tagValues/281478899316081" + - "gcs_soft_delete/allow-10" = "tagValues/281483064391362" + - "gcs_soft_delete/allow-all" = "tagValues/281484261155708" + } + } # forces replacement + ) -> (known after apply) # forces replacement + ~ content_base64sha256 = "a1d0rz+g1lEsonOTCLJg1B4fYe3CNQlNHLyQJfiNABo=" -> (known after apply) + ~ content_base64sha512 = "uYx5WoLh/SM2Ka2LpxVKh66Q8KX4/u6JaiJCbchLdOsCwL4soEEDBAn39HRhFr8guPjrUr7EbIVxyuwc/aLJMQ==" -> (known after apply) + ~ content_md5 = "37deef51a029912915b1ce5e27f9fe36" -> (known after apply) + ~ content_sha1 = "2d18dbd6d4a9f0c71e7b09dadc0131310eab54a6" -> (known after apply) + ~ content_sha256 = "6b5774af3fa0d6512ca2739308b260d41e1f61edc235094d1cbc9025f88d001a" -> (known after apply) + ~ content_sha512 = "b98c795a82e1fd233629ad8ba7154a87ae90f0a5f8feee896a22426dc84b74eb02c0be2ca041030409f7f4746116bf20b8f8eb52bec46c8571caec1cfda2c931" -> (known after apply) + ~ id = "2d18dbd6d4a9f0c71e7b09dadc0131310eab54a6" -> (known after apply) + # (3 unchanged attributes hidden) + } + + # local_file.workflows["networking"] must be replaced +-/+ resource "local_file" "workflows" { + ~ content = <<-EOT # forces replacement + # Copyright 2024 Google LLC + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in 
compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + name: "FAST networking stage" + + on: + pull_request: + branches: + - main + types: + - closed + - opened + - synchronize + + env: + - FAST_SERVICE_ACCOUNT: ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com + + FAST_SERVICE_ACCOUNT: ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com + - FAST_SERVICE_ACCOUNT_PLAN: ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com + + FAST_SERVICE_ACCOUNT_PLAN: ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com + FAST_WIF_PROVIDER: projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + TF_PROVIDERS_FILE: 2-networking-providers.tf + - TF_PROVIDERS_FILE_PLAN: 2-networking-r-providers.tf + + TF_PROVIDERS_FILE_PLAN: 2-networking-providers-r.tf + TF_VERSION: 1.7.4 + + jobs: + fast-pr: + # Skip PRs which are closed without being merged. 
+ if: >- + github.event.action == 'closed' && + github.event.pull_request.merged == true || + github.event.action == 'opened' || + github.event.action == 'synchronize' + permissions: + contents: read + id-token: write + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - id: checkout + name: Checkout repository + uses: actions/checkout@v4 + + # set up SSH key authentication to the modules repository + + - id: ssh-config + name: Configure SSH authentication + run: | + ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null + ssh-add - <<< "${{ secrets.CICD_MODULES_KEY }}" + + # set up step variables for plan / apply + + - id: vars-plan + if: github.event.pull_request.merged != true && success() + name: Set up plan variables + run: | + echo "plan_opts=-lock=false" >> "$GITHUB_ENV" + echo "provider_file=${{env.TF_PROVIDERS_FILE_PLAN}}" >> "$GITHUB_ENV" + echo "service_account=${{env.FAST_SERVICE_ACCOUNT_PLAN}}" >> "$GITHUB_ENV" + + - id: vars-apply + if: github.event.pull_request.merged == true && success() + name: Set up apply variables + run: | + echo "provider_file=${{env.TF_PROVIDERS_FILE}}" >> "$GITHUB_ENV" + echo "service_account=${{env.FAST_SERVICE_ACCOUNT}}" >> "$GITHUB_ENV" + + # set up authentication via Workload identity Federation and gcloud + + - id: gcp-auth + name: Authenticate to Google Cloud + uses: google-github-actions/auth@v2 + with: + workload_identity_provider: ${{env.FAST_WIF_PROVIDER}} + service_account: ${{env.service_account}} + access_token_lifetime: 900s + + - id: gcp-sdk + name: Set up Cloud SDK + uses: google-github-actions/setup-gcloud@v2 + with: + install_components: alpha + + # copy provider file + + - id: tf-config-provider + name: Copy Terraform provider file + run: | + gcloud storage cp -r \ + "gs://ldj-prod-iac-core-outputs-0/providers/${{env.provider_file}}" ./ + gcloud storage cp -r \ + "gs://ldj-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json" ./ + gcloud storage cp -r \ + 
"gs://ldj-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json" ./ + gcloud storage cp -r \ + "gs://ldj-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json" ./ + + - id: tf-setup + name: Set up Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{env.TF_VERSION}} + + # run Terraform init/validate/plan + + - id: tf-init + name: Terraform init + continue-on-error: true + run: | + terraform init -no-color + + - id: tf-validate + continue-on-error: true + name: Terraform validate + run: terraform validate -no-color + + - id: tf-plan + name: Terraform plan + continue-on-error: true + run: | + terraform plan -input=false -out ../plan.out -no-color ${{env.plan_opts}} + + - id: tf-apply + if: github.event.pull_request.merged == true && success() + name: Terraform apply + continue-on-error: true + run: | + terraform apply -input=false -auto-approve -no-color ../plan.out + + # PR comment with Terraform result from previous steps + # length is checked and trimmed for length so as to stay within the limit + + - id: pr-comment + name: Post comment to Pull Request + continue-on-error: true + uses: actions/github-script@v7 + if: github.event_name == 'pull_request' + env: + PLAN: ${{steps.tf-plan.outputs.stdout}}\n${{steps.tf-plan.outputs.stderr}} + with: + script: | + const output = `### Terraform Initialization \`${{steps.tf-init.outcome}}\` + + ### Terraform Validation \`${{steps.tf-validate.outcome}}\` + +
Validation Output + + \`\`\`\n + ${{steps.tf-validate.outputs.stdout}} + \`\`\` + +
+ + ### Terraform Plan \`${{steps.tf-plan.outcome}}\` + +
Show Plan + + \`\`\`\n + ${process.env.PLAN.split('\n').filter(l => l.match(/^([A-Z\s].*|)$$/)).join('\n')} + \`\`\` + +
+ + ### Terraform Apply \`${{steps.tf-apply.outcome}}\` + + *Pusher: @${{github.actor}}, Action: \`${{github.event_name}}\`, Working Directory: \`${{env.tf_actions_working_dir}}\`, Workflow: \`${{github.workflow}}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + - id: pr-short-comment + name: Post comment to Pull Request (abbreviated) + uses: actions/github-script@v7 + if: github.event_name == 'pull_request' && steps.pr-comment.outcome != 'success' + with: + script: | + const output = `### Terraform Initialization \`${{steps.tf-init.outcome}}\` + + ### Terraform Validation \`${{steps.tf-validate.outcome}}\` + + ### Terraform Plan \`${{steps.tf-plan.outcome}}\` + + Plan output is in the action log. + + ### Terraform Apply \`${{steps.tf-apply.outcome}}\` + + *Pusher: @${{github.actor}}, Action: \`${{github.event_name}}\`, Working Directory: \`${{env.tf_actions_working_dir}}\`, Workflow: \`${{github.workflow}}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + # exit on error from previous steps + + - id: check-init + name: Check init failure + if: steps.tf-init.outcome != 'success' + run: exit 1 + + - id: check-validate + name: Check validate failure + if: steps.tf-validate.outcome != 'success' + run: exit 1 + + - id: check-plan + name: Check plan failure + if: steps.tf-plan.outcome != 'success' + run: exit 1 + + - id: check-apply + name: Check apply failure + if: github.event.pull_request.merged == true && steps.tf-apply.outcome != 'success' + run: exit 1 + EOT + ~ content_base64sha256 = "kJ/RbUpuZbDOv2nqdxw+n15VOng/kJbaU55gRc5OPL8=" -> (known after apply) + ~ content_base64sha512 = "XC963GpnEHYiR5nMyq6pvtZ8HmeGESF7GDOhmK6xQFYJl1N4/n5W7fGo09vYlqXxDBI2ZS2HEHdKsQzeO68MWQ==" -> (known after apply) + ~ content_md5 = "5f026d95e61ec67fb5d07596d807e80a" 
-> (known after apply) + ~ content_sha1 = "41caaadbe411c2ed1d6a81d8422ae4191e678925" -> (known after apply) + ~ content_sha256 = "909fd16d4a6e65b0cebf69ea771c3e9f5e553a783f9096da539e6045ce4e3cbf" -> (known after apply) + ~ content_sha512 = "5c2f7adc6a671076224799cccaaea9bed67c1e678611217b1833a198aeb1405609975378fe7e56edf1a8d3dbd896a5f10c1236652d8710774ab10cde3baf0c59" -> (known after apply) + ~ id = "41caaadbe411c2ed1d6a81d8422ae4191e678925" -> (known after apply) + # (3 unchanged attributes hidden) + } + + # local_file.workflows["security"] must be replaced +-/+ resource "local_file" "workflows" { + ~ content = <<-EOT # forces replacement + # Copyright 2024 Google LLC + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. 
+ + variables: + GOOGLE_CREDENTIALS: cicd-sa-credentials.json + FAST_OUTPUTS_BUCKET: ldj-prod-iac-core-outputs-0 + FAST_WIF_PROVIDER: projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + TF_VAR_FILES: 0-bootstrap.auto.tfvars.json + 1-resman.auto.tfvars.json + 0-globals.auto.tfvars.json + + workflow: + rules: + # merge / apply + - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH + variables: + COMMAND: apply + - FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com + + FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com + TF_PROVIDERS_FILE: 2-security-providers.tf + # pr / plan + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + variables: + COMMAND: plan + - FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com + + FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com + - TF_PROVIDERS_FILE: 2-security-r-providers.tf + + TF_PROVIDERS_FILE: 2-security-providers-r.tf + + stages: + - gcp-setup + - tf-plan-apply + + # TODO: document project-level deploy key used to fetch modules + + gcp-setup: + stage: gcp-setup + image: + name: google/cloud-sdk:slim + artifacts: + paths: + - cicd-sa-credentials.json + - providers.tf + - 0-bootstrap.auto.tfvars.json + - 1-resman.auto.tfvars.json + - 0-globals.auto.tfvars.json + id_tokens: + GITLAB_TOKEN: + aud: + - https://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno + before_script: + - echo "$GITLAB_TOKEN" > token.txt + script: + - | + gcloud iam workload-identity-pools create-cred-config \ + $FAST_WIF_PROVIDER \ + --service-account=$FAST_SERVICE_ACCOUNT \ + --service-account-token-lifetime-seconds=900 \ + --output-file=$GOOGLE_CREDENTIALS \ + 
--credential-source-file=token.txt + - gcloud config set auth/credential_file_override $GOOGLE_CREDENTIALS + - gcloud storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf + - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/0-bootstrap.auto.tfvars.json ./ + - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/1-resman.auto.tfvars.json ./ + - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/0-globals.auto.tfvars.json ./ + + + tf-plan-apply: + stage: tf-plan-apply + dependencies: + - gcp-setup + id_tokens: + GITLAB_TOKEN: + aud: + - https://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno + image: + name: hashicorp/terraform + entrypoint: + - "/usr/bin/env" + variables: + SSH_AUTH_SOCK: /tmp/ssh-agent.sock + script: + - | + ssh-agent -a $SSH_AUTH_SOCK + echo "$CICD_MODULES_KEY" | ssh-add - + mkdir -p ~/.ssh + ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts + ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts + - echo "$GITLAB_TOKEN" > token.txt + - terraform init + - terraform validate + - "if [ $COMMAND == 'plan' ]; then terraform plan -input=false -no-color -lock=false; fi" + - "if [ $COMMAND == 'apply' ]; then terraform apply -input=false -no-color -auto-approve; fi" + EOT + ~ content_base64sha256 = "YDdQp0d7sbSDrfOvasNaeyzSCjAchjRkh+apfx8H8po=" -> (known after apply) + ~ content_base64sha512 = "Eur18ONmHQGXVmnTdehbKH0AeMwc/wtrfJOBzugqWJzINFR/YiokD6NT8/OUVVAPSpdzI69axy4iMQH+HTIXSw==" -> (known after apply) + ~ content_md5 = "a8d9d77f51f9715c24d7e5e0dcf301e6" -> (known after apply) + ~ content_sha1 = "bceac2341d2b92ec31c23acd38136fb966211023" -> (known after apply) + ~ content_sha256 = "603750a7477bb1b483adf3af6ac35a7b2cd20a301c86346487e6a97f1f07f29a" -> (known after apply) + ~ content_sha512 = 
"12eaf5f0e3661d01975669d375e85b287d0078cc1cff0b6b7c9381cee82a589cc834547f622a240fa353f3f39455500f4a977323af5ac72e223101fe1d32174b" -> (known after apply) + ~ id = "bceac2341d2b92ec31c23acd38136fb966211023" -> (known after apply) + # (3 unchanged attributes hidden) + } + + # module.branch-network-r-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.cicd-sa-ro["networking"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-network-r-sa-cicd["0"].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform CI/CD stage 2 networking service account (read-only)." -> "CI/CD 2-net prod service account (read-only)." 
+ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-network-r-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] has moved to module.cicd-sa-ro["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" + # (4 unchanged attributes hidden) + } + + # module.branch-network-r-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-ro["networking"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-security-r-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-ro["security"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.cicd-sa-ro["security"].google_service_account.service_account[0] will be updated in-place + # (moved from 
module.branch-security-r-sa-cicd["0"].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform CI/CD stage 2 security service account (read-only)." -> "CI/CD 2-sec prod service account (read-only)." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.cicd-sa-ro["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] will be updated in-place + # (moved from module.branch-security-r-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]) + ~ resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" + ~ members = [ + - "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/fast-test", + + "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/security", + ] + # (3 unchanged attributes hidden) + } + + # module.branch-security-r-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-ro["security"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # 
module.branch-network-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-rw["networking"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.cicd-sa-rw["networking"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-network-sa-cicd["0"].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform CI/CD stage 2 networking service account." -> "CI/CD 2-net prod service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-network-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] has moved to module.cicd-sa-rw["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" + # (4 unchanged attributes hidden) + } + + # module.branch-network-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-rw["networking"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" 
{ + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-security-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-rw["security"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.cicd-sa-rw["security"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-security-sa-cicd["0"].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform CI/CD stage 2 security service account." -> "CI/CD 2-sec prod service account." 
+ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.cicd-sa-rw["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] will be updated in-place + # (moved from module.branch-security-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]) + ~ resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" + ~ members = [ + - "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/fast-test", + + "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/security", + ] + # (3 unchanged attributes hidden) + } + + # module.branch-security-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-rw["security"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-network-gcs.google_storage_bucket.bucket has moved to module.net-bucket[0].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-prod-resman-net-0" + name = "ldj-prod-resman-net-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks 
hidden) + } + + # module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-net-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-net-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder.folder[0] has moved to module.net-folder[0].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/843203210689" + name = "folders/843203210689" + # (5 unchanged attributes hidden) + } + + # module.net-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/networkFirewallPoliciesAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "organizations/366118655033/roles/networkFirewallPoliciesAdmin" + } + + # module.net-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = 
"organizations/366118655033/roles/serviceProjectNetworkAdmin" + } + + # module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/compute.networkViewer" + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/compute.xpnAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/editor"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/editor" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/logging.admin" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/owner"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/owner" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to 
module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/resourcemanager.folderAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/resourcemanager.folderViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/resourcemanager.projectCreator" + # (4 unchanged attributes hidden) + } + + # module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/serviceusage.serviceUsageAdmin" + } + + # module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # 
module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/843203210689/roles/viewer" + # (4 unchanged attributes hidden) + } + + # module.net-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"] will be created + + resource "google_folder_iam_binding" "bindings" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.projectIamAdmin" + + + condition { + + description = "Project factory delegated grant." + + expression = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/compute.networkUser])" + + title = "project factory project delegated admin" + } + } + + # module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_dev"] will be created + + resource "google_folder_iam_binding" "bindings" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after apply) + + role = "roles/resourcemanager.projectIamAdmin" + + + condition { + + expression = <<-EOT + resource.matchTag( + '366118655033/environment', 'development' + ) + && + api.getAttribute( + 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'] + ) + EOT + + title = "stage 3 project delegated admin dev" + } + } + + # module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_prod"] will be created + + resource "google_folder_iam_binding" "bindings" { + + etag = (known after apply) + + folder = "folders/843203210689" + + id = (known after 
apply) + + role = "roles/resourcemanager.projectIamAdmin" + + + condition { + + expression = <<-EOT + resource.matchTag( + '366118655033/environment', 'production' + ) + && + api.getAttribute( + 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'] + ) + EOT + + title = "stage 3 project delegated admin prod" + } + } + + # module.branch-network-folder.google_tags_tag_binding.binding["context"] has moved to module.net-folder[0].google_tags_tag_binding.binding["context"] + resource "google_tags_tag_binding" "binding" { + id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F843203210689/tagValues/1085868865377" + name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F843203210689/tagValues/1085868865377" + # (2 unchanged attributes hidden) + } + + # module.branch-network-dev-folder.google_folder.folder[0] has moved to module.net-folder-dev[0].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/835049949636" + name = "folders/835049949636" + # (5 unchanged attributes hidden) + } + + # module.net-folder-dev[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"] will be destroyed + # (because key ["organizations/366118655033/roles/gcveNetworkAdmin"] is not in for_each map) + # (moved from module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - folder = "folders/835049949636" -> null + - id = "folders/835049949636/organizations/366118655033/roles/gcveNetworkAdmin" -> null + - members = [] -> null + - role = "organizations/366118655033/roles/gcveNetworkAdmin" -> null + } + + # 
module.net-folder-dev[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed + # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) + # (moved from module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYam5Yf1IQ=" -> null + - folder = "folders/835049949636" -> null + - id = "folders/835049949636/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + - members = [ + - "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + } + + # module.net-folder-dev[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"] will be destroyed + # (because key ["roles/compute.networkViewer"] is not in for_each map) + # (moved from module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYam5Yf1IQ=" -> null + - folder = "folders/835049949636" -> null + - id = "folders/835049949636/roles/compute.networkViewer" -> null + - members = [ + - "serviceAccount:ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = 
"roles/compute.networkViewer" -> null + } + + # module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"] has moved to module.net-folder-dev[0].google_tags_tag_binding.binding["environment"] + resource "google_tags_tag_binding" "binding" { + id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F835049949636/tagValues/1028757044334" + name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F835049949636/tagValues/1028757044334" + # (2 unchanged attributes hidden) + } + + # module.branch-network-prod-folder.google_folder.folder[0] has moved to module.net-folder-prod[0].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/572160545943" + name = "folders/572160545943" + # (5 unchanged attributes hidden) + } + + # module.net-folder-prod[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"] will be destroyed + # (because key ["organizations/366118655033/roles/gcveNetworkAdmin"] is not in for_each map) + # (moved from module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - folder = "folders/572160545943" -> null + - id = "folders/572160545943/organizations/366118655033/roles/gcveNetworkAdmin" -> null + - members = [] -> null + - role = "organizations/366118655033/roles/gcveNetworkAdmin" -> null + } + + # module.net-folder-prod[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed + # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) + # (moved from module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYam5Y9ziM=" -> null + - folder = "folders/572160545943" 
-> null + - id = "folders/572160545943/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + - members = [ + - "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + } + + # module.net-folder-prod[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"] will be destroyed + # (because key ["roles/compute.networkViewer"] is not in for_each map) + # (moved from module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYam5Y9ziM=" -> null + - folder = "folders/572160545943" -> null + - id = "folders/572160545943/roles/compute.networkViewer" -> null + - members = [ + - "serviceAccount:ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + - "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = "roles/compute.networkViewer" -> null + } + + # module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"] has moved to module.net-folder-prod[0].google_tags_tag_binding.binding["environment"] + resource "google_tags_tag_binding" "binding" { + id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F572160545943/tagValues/1067159199641" + name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F572160545943/tagValues/1067159199641" + # (2 unchanged attributes hidden) + } + + # 
module.branch-network-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.net-sa-ro[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-network-r-sa.google_service_account.service_account[0] has moved to module.net-sa-ro[0].google_service_account.service_account[0] + resource "google_service_account" "service_account" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (8 unchanged attributes hidden) + } + + # module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.net-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.net-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = 
"b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-network-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.net-sa-rw[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-network-sa.google_service_account.service_account[0] has moved to module.net-sa-rw[0].google_service_account.service_account[0] + resource "google_service_account" "service_account" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (8 unchanged attributes hidden) + } + + # module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.net-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.net-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource 
"google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"] must be replaced +-/+ resource "google_organization_iam_member" "bindings" { + ~ etag = "BwYgHinYa9A=" -> (known after apply) + ~ id = <<-EOT + 366118655033/roles/orgpolicy.policyAdmin/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/org_policy_tag_pf_scoped/Org policy tag scoped grant for project factory main./resource.matchTag('366118655033/context', 'project-factory') + EOT -> (known after apply) + # (3 unchanged attributes hidden) + + ~ condition { + ~ description = "Org policy tag scoped grant for project factory main." -> "Org policy tag scoped grant for project factory." # forces replacement + # (2 unchanged attributes hidden) + } + } + + # module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"] will be destroyed + # (because key ["sa_pf_dev_conditional_org_policy"] is not in for_each map) + - resource "google_organization_iam_member" "bindings" { + - etag = "BwYgHqZE5xM=" -> null + - id = <<-EOT + 366118655033/roles/orgpolicy.policyAdmin/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/org_policy_tag_pf_scoped_dev/Org policy tag scoped grant for project factory dev./resource.matchTag('366118655033/context', 'project-factory') + && + resource.matchTag('366118655033/environment', 'development') + EOT -> null + - member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - org_id = "366118655033" -> null + - role = "roles/orgpolicy.policyAdmin" -> null + + - condition { + - description = "Org policy tag scoped grant for project factory dev." 
-> null + - expression = <<-EOT + resource.matchTag('366118655033/context', 'project-factory') + && + resource.matchTag('366118655033/environment', 'development') + EOT -> null + - title = "org_policy_tag_pf_scoped_dev" -> null + } + } + + # module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"] will be destroyed + # (because key ["sa_pf_prod_conditional_org_policy"] is not in for_each map) + - resource "google_organization_iam_member" "bindings" { + - etag = "BwYgHqZE5xM=" -> null + - id = <<-EOT + 366118655033/roles/orgpolicy.policyAdmin/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/org_policy_tag_pf_scoped_prod/Org policy tag scoped grant for project factory prod./resource.matchTag('366118655033/context', 'project-factory') + && + resource.matchTag('366118655033/environment', 'production') + EOT -> null + - member = "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null + - org_id = "366118655033" -> null + - role = "roles/orgpolicy.policyAdmin" -> null + + - condition { + - description = "Org policy tag scoped grant for project factory prod." -> null + - expression = <<-EOT + resource.matchTag('366118655033/context', 'project-factory') + && + resource.matchTag('366118655033/environment', 'production') + EOT -> null + - title = "org_policy_tag_pf_scoped_prod" -> null + } + } + + # module.organization[0].google_tags_tag_value.default["context/data"] will be destroyed + # (because key ["context/data"] is not in for_each map) + - resource "google_tags_tag_value" "default" { + - create_time = "2023-01-27T15:56:36.985441Z" -> null + - description = "Managed by the Terraform organization module." 
-> null + - id = "tagValues/420824284884" -> null + - name = "420824284884" -> null + - namespaced_name = "366118655033/context/data" -> null + - parent = "tagKeys/123316001138" -> null + - short_name = "data" -> null + - update_time = "2023-01-27T15:56:39.073530Z" -> null + } + + # module.organization[0].google_tags_tag_value.default["context/data-platform"] will be created + + resource "google_tags_tag_value" "default" { + + create_time = (known after apply) + + description = "Managed by the Terraform organization module." + + id = (known after apply) + + name = (known after apply) + + namespaced_name = (known after apply) + + parent = "tagKeys/123316001138" + + short_name = "data-platform" + + update_time = (known after apply) + } + + # module.organization[0].google_tags_tag_value.default["context/nsec"] will be created + + resource "google_tags_tag_value" "default" { + + create_time = (known after apply) + + description = "Managed by the Terraform organization module." + + id = (known after apply) + + name = (known after apply) + + namespaced_name = (known after apply) + + parent = "tagKeys/123316001138" + + short_name = "nsec" + + update_time = (known after apply) + } + + # module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"] will be created + + resource "google_tags_tag_value_iam_binding" "default" { + + etag = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.tagUser" + + tag_value = "tagValues/1067159199641" + } + + # module.branch-pf-gcs.google_storage_bucket.bucket has moved to module.pf-bucket[0].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-resman-pf-0" + name = "ldj-resman-pf-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # 
module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-resman-pf-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-resman-pf-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.pf-sa-ro[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.pf-sa-ro[0].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-pf-r-sa.google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform project factory main service account (read-only)." -> "Terraform resman project factory main service account (read-only)." 
+ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.pf-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.pf-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.pf-sa-rw[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.pf-sa-rw[0].google_service_account.service_account[0] will be updated in-place + # (moved from 
module.branch-pf-sa.google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform project factory main service account." -> "Terraform resman project factory main service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.pf-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.pf-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-security-gcs.google_storage_bucket.bucket has moved to module.sec-bucket[0].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-prod-resman-sec-0" + name = "ldj-prod-resman-sec-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to 
module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-sec-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-sec-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-security-folder.google_folder.folder[0] has moved to module.sec-folder[0].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/251257116248" + name = "folders/251257116248" + # (5 unchanged attributes hidden) + } + + # module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/251257116248" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + } + + # module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/251257116248" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/cloudkms.viewer" + } + + # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/editor"] + resource "google_folder_iam_binding" "authoritative" { + 
id = "folders/251257116248/roles/editor" + # (4 unchanged attributes hidden) + } + + # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/251257116248/roles/logging.admin" + # (4 unchanged attributes hidden) + } + + # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/owner"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/251257116248/roles/owner" + # (4 unchanged attributes hidden) + } + + # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/251257116248/roles/resourcemanager.folderAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/251257116248/roles/resourcemanager.folderViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/251257116248/roles/resourcemanager.projectCreator" + # (4 unchanged attributes hidden) + } + + # 
module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/251257116248/roles/viewer" + # (4 unchanged attributes hidden) + } + + # module.sec-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"] will be created + + resource "google_folder_iam_binding" "bindings" { + + etag = (known after apply) + + folder = "folders/251257116248" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.projectIamAdmin" + + + condition { + + description = "Project factory delegated grant." + + expression = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/cloudkms.cryptoKeyEncrypterDecrypter])" + + title = "pf_delegated_grant" + } + } + + # module.branch-security-folder.google_tags_tag_binding.binding["context"] has moved to module.sec-folder[0].google_tags_tag_binding.binding["context"] + resource "google_tags_tag_binding" "binding" { + id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F251257116248/tagValues/111937801763" + name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F251257116248/tagValues/111937801763" + # (2 unchanged attributes hidden) + } + + # module.branch-security-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.sec-sa-ro[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # 
module.branch-security-r-sa.google_service_account.service_account[0] has moved to module.sec-sa-ro[0].google_service_account.service_account[0] + resource "google_service_account" "service_account" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (8 unchanged attributes hidden) + } + + # module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.sec-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.sec-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-security-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.sec-sa-rw[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = 
"ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-security-sa.google_service_account.service_account[0] has moved to module.sec-sa-rw[0].google_service_account.service_account[0] + resource "google_service_account" "service_account" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (8 unchanged attributes hidden) + } + + # module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.sec-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.sec-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["data-platform-dev"].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-dev-resman-dp-0" + name = "ldj-dev-resman-dp-0" + # (16 unchanged attributes hidden) + + # (2 
unchanged blocks hidden) + } + + # module.branch-dp-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-dev-resman-dp-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-dev-resman-dp-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["data-platform-prod"].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-prod-resman-dp-0" + name = "ldj-prod-resman-dp-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # module.branch-dp-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-dp-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-dp-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # 
module.stage3-bucket["gcve-dev"].google_storage_bucket.bucket will be created + + resource "google_storage_bucket" "bucket" { + + effective_labels = (known after apply) + + force_destroy = false + + id = (known after apply) + + location = "EU" + + name = "ldj-dev-resman-gcve-0" + + project = "ldj-prod-iac-core-0" + + project_number = (known after apply) + + public_access_prevention = (known after apply) + + rpo = (known after apply) + + self_link = (known after apply) + + storage_class = "MULTI_REGIONAL" + + terraform_labels = (known after apply) + + uniform_bucket_level_access = true + + url = (known after apply) + + + autoclass { + + enabled = false + + terminal_storage_class = (known after apply) + } + + + soft_delete_policy (known after apply) + + + versioning { + + enabled = true + } + + + website (known after apply) + } + + # module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] will be created + + resource "google_storage_bucket_iam_binding" "authoritative" { + + bucket = "ldj-dev-resman-gcve-0" + + etag = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/storage.objectAdmin" + } + + # module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] will be created + + resource "google_storage_bucket_iam_binding" "authoritative" { + + bucket = "ldj-dev-resman-gcve-0" + + etag = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/storage.objectViewer" + } + + # module.stage3-bucket["gcve-prod"].google_storage_bucket.bucket will be created + + resource "google_storage_bucket" "bucket" { + + effective_labels = (known after apply) + + force_destroy = false + + id = (known after apply) + + location = "EU" + + name = 
"ldj-prod-resman-gcve-0" + + project = "ldj-prod-iac-core-0" + + project_number = (known after apply) + + public_access_prevention = (known after apply) + + rpo = (known after apply) + + self_link = (known after apply) + + storage_class = "MULTI_REGIONAL" + + terraform_labels = (known after apply) + + uniform_bucket_level_access = true + + url = (known after apply) + + + autoclass { + + enabled = false + + terminal_storage_class = (known after apply) + } + + + soft_delete_policy (known after apply) + + + versioning { + + enabled = true + } + + + website (known after apply) + } + + # module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] will be created + + resource "google_storage_bucket_iam_binding" "authoritative" { + + bucket = "ldj-prod-resman-gcve-0" + + etag = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/storage.objectAdmin" + } + + # module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] will be created + + resource "google_storage_bucket_iam_binding" "authoritative" { + + bucket = "ldj-prod-resman-gcve-0" + + etag = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/storage.objectViewer" + } + + # module.branch-gke-dev-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["gke-dev"].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-dev-resman-gke-0" + name = "ldj-dev-resman-gke-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # module.branch-gke-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to 
module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-dev-resman-gke-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-dev-resman-gke-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["gke-prod"].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-prod-resman-gke-0" + name = "ldj-prod-resman-gke-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # module.branch-gke-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-gke-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-gke-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-dev-gcs.google_storage_bucket.bucket has moved to module.stage3-bucket["project-factory-dev"].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = 
"ldj-dev-resman-pf-0" + name = "ldj-dev-resman-pf-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-dev-resman-pf-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-dev-resman-pf-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-prod-gcs.google_storage_bucket.bucket has moved to module.stage3-bucket["project-factory-prod"].google_storage_bucket.bucket + resource "google_storage_bucket" "bucket" { + id = "ldj-prod-resman-pf-0" + name = "ldj-prod-resman-pf-0" + # (16 unchanged attributes hidden) + + # (2 unchanged blocks hidden) + } + + # module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = "b/ldj-prod-resman-pf-0/roles/storage.objectAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] + resource "google_storage_bucket_iam_binding" "authoritative" { + id = 
"b/ldj-prod-resman-pf-0/roles/storage.objectViewer" + # (4 unchanged attributes hidden) + } + + # module.stage3-bucket["sandbox"].google_storage_bucket.bucket must be replaced + # (moved from module.branch-sandbox-gcs[0].google_storage_bucket.bucket) +-/+ resource "google_storage_bucket" "bucket" { + - default_event_based_hold = false -> null + ~ effective_labels = {} -> (known after apply) + - enable_object_retention = false -> null + ~ id = "ldj-dev-resman-sbox-0" -> (known after apply) + - labels = {} -> null + ~ name = "ldj-dev-resman-sbox-0" -> "ldj-dev-resman-sbx-0" # forces replacement + ~ project_number = 1067134626166 -> (known after apply) + ~ public_access_prevention = "inherited" -> (known after apply) + - requester_pays = false -> null + ~ rpo = "DEFAULT" -> (known after apply) + ~ self_link = "https://www.googleapis.com/storage/v1/b/ldj-dev-resman-sbox-0" -> (known after apply) + ~ terraform_labels = {} -> (known after apply) + ~ url = "gs://ldj-dev-resman-sbox-0" -> (known after apply) + # (5 unchanged attributes hidden) + + + autoclass { + + enabled = false + + terminal_storage_class = (known after apply) + } + + ~ soft_delete_policy { + + default_event_based_hold = (known after apply) + + effective_labels = (known after apply) + + enable_object_retention = (known after apply) + + force_destroy = (known after apply) + + id = (known after apply) + + labels = (known after apply) + + location = (known after apply) + + name = (known after apply) + + project = (known after apply) + + project_number = (known after apply) + + public_access_prevention = (known after apply) + + requester_pays = (known after apply) + + rpo = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + + terraform_labels = (known after apply) + + uniform_bucket_level_access = (known after apply) + + url = (known after apply) + } -> (known after apply) + + ~ website { + + default_event_based_hold = (known after apply) + + effective_labels = 
(known after apply) + + enable_object_retention = (known after apply) + + force_destroy = (known after apply) + + id = (known after apply) + + labels = (known after apply) + + location = (known after apply) + + name = (known after apply) + + project = (known after apply) + + project_number = (known after apply) + + public_access_prevention = (known after apply) + + requester_pays = (known after apply) + + rpo = (known after apply) + + self_link = (known after apply) + + storage_class = (known after apply) + + terraform_labels = (known after apply) + + uniform_bucket_level_access = (known after apply) + + url = (known after apply) + } -> (known after apply) + + # (1 unchanged block hidden) + } + + # module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] must be replaced + # (moved from module.branch-sandbox-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]) +-/+ resource "google_storage_bucket_iam_binding" "authoritative" { + ~ bucket = "b/ldj-dev-resman-sbox-0" -> "ldj-dev-resman-sbx-0" # forces replacement + ~ etag = "CAg=" -> (known after apply) + ~ id = "b/ldj-dev-resman-sbox-0/roles/storage.objectAdmin" -> (known after apply) + ~ members = [ + - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + # (1 unchanged attribute hidden) + } + + # module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] will be created + + resource "google_storage_bucket_iam_binding" "authoritative" { + + bucket = "ldj-dev-resman-sbx-0" + + etag = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/storage.objectViewer" + } + + # module.branch-dp-dev-folder[0].google_folder.folder[0] has moved to 
module.stage3-folder["data-platform-dev"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/777820411744" + name = "folders/777820411744" + # (5 unchanged attributes hidden) + } + + # module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed + # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) + # (moved from module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYMzP1eKiM=" -> null + - folder = "folders/777820411744" -> null + - id = "folders/777820411744/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + - members = [ + - "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + } + + # module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/777820411744" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/compute.xpnAdmin" + } + + # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/777820411744/roles/logging.admin" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to 
module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/owner"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/777820411744/roles/owner" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/777820411744/roles/resourcemanager.folderAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/777820411744/roles/resourcemanager.folderViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/777820411744/roles/resourcemanager.projectCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/viewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/777820411744/roles/viewer" + # (4 unchanged attributes hidden) + } + + # module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["context"] will be destroyed + # (because key ["context"] is not in for_each map) + # (moved from 
module.branch-dp-dev-folder[0].google_tags_tag_binding.binding["context"]) + - resource "google_tags_tag_binding" "binding" { + - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F777820411744/tagValues/1028757044334" -> null + - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F777820411744/tagValues/1028757044334" -> null + - parent = "//cloudresourcemanager.googleapis.com/folders/777820411744" -> null + - tag_value = "tagValues/1028757044334" -> null + } + + # module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["environment"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = "//cloudresourcemanager.googleapis.com/folders/777820411744" + + tag_value = "tagValues/1028757044334" + } + + # module.branch-dp-prod-folder[0].google_folder.folder[0] has moved to module.stage3-folder["data-platform-prod"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/447111401824" + name = "folders/447111401824" + # (5 unchanged attributes hidden) + } + + # module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed + # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) + # (moved from module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYMzPxoric=" -> null + - folder = "folders/447111401824" -> null + - id = "folders/447111401824/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + - members = [ + - "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null + } + + # 
module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/447111401824" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/compute.xpnAdmin" + } + + # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/447111401824/roles/logging.admin" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/owner"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/447111401824/roles/owner" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/447111401824/roles/resourcemanager.folderAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/447111401824/roles/resourcemanager.folderViewer" + # (4 unchanged attributes hidden) + } + + # 
module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/447111401824/roles/resourcemanager.projectCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/viewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/447111401824/roles/viewer" + # (4 unchanged attributes hidden) + } + + # module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["context"] will be destroyed + # (because key ["context"] is not in for_each map) + # (moved from module.branch-dp-prod-folder[0].google_tags_tag_binding.binding["context"]) + - resource "google_tags_tag_binding" "binding" { + - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F447111401824/tagValues/1067159199641" -> null + - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F447111401824/tagValues/1067159199641" -> null + - parent = "//cloudresourcemanager.googleapis.com/folders/447111401824" -> null + - tag_value = "tagValues/1067159199641" -> null + } + + # module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["environment"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = "//cloudresourcemanager.googleapis.com/folders/447111401824" + + tag_value = "tagValues/1067159199641" + } + + # module.stage3-folder["gcve-dev"].google_folder.folder[0] will be created + + resource "google_folder" "folder" { + + create_time = (known after apply) + + display_name = "Development" + + folder_id = (known after 
apply) + + id = (known after apply) + + lifecycle_state = (known after apply) + + name = (known after apply) + + parent = (known after apply) + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/compute.xpnAdmin" + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/logging.admin" + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/owner"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/owner" + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.folderAdmin" + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] will be created + + resource "google_folder_iam_binding" 
"authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.folderViewer" + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.projectCreator" + } + + # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/viewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/viewer" + } + + # module.stage3-folder["gcve-dev"].google_tags_tag_binding.binding["environment"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = (known after apply) + + tag_value = "tagValues/1028757044334" + } + + # module.stage3-folder["gcve-prod"].google_folder.folder[0] will be created + + resource "google_folder" "folder" { + + create_time = (known after apply) + + display_name = "Production" + + folder_id = (known after apply) + + id = (known after apply) + + lifecycle_state = (known after apply) + + name = (known after apply) + + parent = (known after apply) + } + + # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + 
folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/compute.xpnAdmin" + } + + # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/logging.admin" + } + + # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/owner"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/owner" + } + + # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.folderAdmin" + } + + # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.folderViewer" + } + + # 
module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.projectCreator" + } + + # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/viewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = (known after apply) + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/viewer" + } + + # module.stage3-folder["gcve-prod"].google_tags_tag_binding.binding["environment"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = (known after apply) + + tag_value = "tagValues/1067159199641" + } + + # module.branch-gke-dev-folder[0].google_folder.folder[0] has moved to module.stage3-folder["gke-dev"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/39661087317" + name = "folders/39661087317" + # (5 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/compute.xpnAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"] + resource 
"google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/logging.admin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/owner"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/owner" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/resourcemanager.folderAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/resourcemanager.folderViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/resourcemanager.projectCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/viewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/39661087317/roles/viewer" + # (4 unchanged attributes hidden) 
+ } + + # module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["context"] will be destroyed + # (because key ["context"] is not in for_each map) + # (moved from module.branch-gke-dev-folder[0].google_tags_tag_binding.binding["context"]) + - resource "google_tags_tag_binding" "binding" { + - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F39661087317/tagValues/1028757044334" -> null + - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F39661087317/tagValues/1028757044334" -> null + - parent = "//cloudresourcemanager.googleapis.com/folders/39661087317" -> null + - tag_value = "tagValues/1028757044334" -> null + } + + # module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["environment"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = "//cloudresourcemanager.googleapis.com/folders/39661087317" + + tag_value = "tagValues/1028757044334" + } + + # module.branch-gke-prod-folder[0].google_folder.folder[0] has moved to module.stage3-folder["gke-prod"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/810789977048" + name = "folders/810789977048" + # (5 unchanged attributes hidden) + } + + # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/compute.xpnAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/logging.admin" + # (4 unchanged attributes hidden) + } + + 
# module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/owner"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/owner" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/resourcemanager.folderAdmin" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/resourcemanager.folderViewer" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/resourcemanager.projectCreator" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/viewer"] + resource "google_folder_iam_binding" "authoritative" { + id = "folders/810789977048/roles/viewer" + # (4 unchanged attributes hidden) + } + + # module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["context"] will be destroyed + # (because key 
["context"] is not in for_each map) + # (moved from module.branch-gke-prod-folder[0].google_tags_tag_binding.binding["context"]) + - resource "google_tags_tag_binding" "binding" { + - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F810789977048/tagValues/1067159199641" -> null + - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F810789977048/tagValues/1067159199641" -> null + - parent = "//cloudresourcemanager.googleapis.com/folders/810789977048" -> null + - tag_value = "tagValues/1067159199641" -> null + } + + # module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["environment"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = "//cloudresourcemanager.googleapis.com/folders/810789977048" + + tag_value = "tagValues/1067159199641" + } + + # module.branch-sandbox-folder[0].google_folder.folder[0] has moved to module.stage3-folder["sandbox"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/245438209825" + name = "folders/245438209825" + # (5 unchanged attributes hidden) + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/245438209825" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/compute.xpnAdmin" + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/logging.admin"] will be updated in-place + # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"]) + ~ resource "google_folder_iam_binding" "authoritative" { + id = "folders/245438209825/roles/logging.admin" + ~ members = [ + - 
"serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + # (3 unchanged attributes hidden) + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/owner"] will be updated in-place + # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/owner"]) + ~ resource "google_folder_iam_binding" "authoritative" { + id = "folders/245438209825/roles/owner" + ~ members = [ + - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + # (3 unchanged attributes hidden) + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] will be updated in-place + # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]) + ~ resource "google_folder_iam_binding" "authoritative" { + id = "folders/245438209825/roles/resourcemanager.folderAdmin" + ~ members = [ + - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + # (3 unchanged attributes hidden) + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/245438209825" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/resourcemanager.folderViewer" + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] will be updated in-place + # (moved 
from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]) + ~ resource "google_folder_iam_binding" "authoritative" { + id = "folders/245438209825/roles/resourcemanager.projectCreator" + ~ members = [ + - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + # (3 unchanged attributes hidden) + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/storage.objectAdmin"] will be destroyed + # (because key ["roles/storage.objectAdmin"] is not in for_each map) + # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/storage.objectAdmin"]) + - resource "google_folder_iam_binding" "authoritative" { + - etag = "BwYcGo1gLew=" -> null + - folder = "folders/245438209825" -> null + - id = "folders/245438209825/roles/storage.objectAdmin" -> null + - members = [ + - "serviceAccount:ldj-dev-sbox-dualrun-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] -> null + - role = "roles/storage.objectAdmin" -> null + } + + # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/viewer"] will be created + + resource "google_folder_iam_binding" "authoritative" { + + etag = (known after apply) + + folder = "folders/245438209825" + + id = (known after apply) + + members = [ + + "serviceAccount:ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", + ] + + role = "roles/viewer" + } + + # module.stage3-folder["sandbox"].google_org_policy_policy.default["compute.vmExternalIpAccess"] will be destroyed + # (because key ["compute.vmExternalIpAccess"] is not in for_each map) + # (moved from module.branch-sandbox-folder[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]) + - resource "google_org_policy_policy" "default" { + - etag = "CMaZgaAGEPDbygw=-" -> null + - id = 
"folders/245438209825/policies/compute.vmExternalIpAccess" -> null + - name = "compute.vmExternalIpAccess" -> null + - parent = "folders/245438209825" -> null + + - spec { + - etag = "CMaZgaAGEPDbygw=" -> null + - inherit_from_parent = false -> null + - reset = false -> null + - update_time = "2023-03-02T07:14:14.026390Z" -> null + + - rules { + - allow_all = "TRUE" -> null + # (2 unchanged attributes hidden) + } + } + } + + # module.stage3-folder["sandbox"].google_org_policy_policy.default["sql.restrictPublicIp"] will be destroyed + # (because key ["sql.restrictPublicIp"] is not in for_each map) + # (moved from module.branch-sandbox-folder[0].google_org_policy_policy.default["sql.restrictPublicIp"]) + - resource "google_org_policy_policy" "default" { + - etag = "CNr9nLIGELj/rMEC-" -> null + - id = "folders/245438209825/policies/sql.restrictPublicIp" -> null + - name = "sql.restrictPublicIp" -> null + - parent = "folders/245438209825" -> null + + - spec { + - etag = "CNr9nLIGELj/rMEC" -> null + - inherit_from_parent = false -> null + - reset = false -> null + - update_time = "2024-05-17T11:26:18.673923Z" -> null + + - rules { + - enforce = "TRUE" -> null + # (2 unchanged attributes hidden) + } + } + } + + # module.stage3-folder["sandbox"].google_tags_tag_binding.binding["context"] must be replaced + # (moved from module.branch-sandbox-folder[0].google_tags_tag_binding.binding["context"]) +-/+ resource "google_tags_tag_binding" "binding" { + ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F245438209825/tagValues/918078731612" -> (known after apply) + ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F245438209825/tagValues/918078731612" -> (known after apply) + ~ tag_value = "tagValues/918078731612" # forces replacement -> (known after apply) # forces replacement + # (1 unchanged attribute hidden) + } + + # module.stage3-folder["sandbox"].google_tags_tag_binding.binding["environment"] will be created + + resource 
"google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = "//cloudresourcemanager.googleapis.com/folders/245438209825" + + tag_value = "tagValues/1028757044334" + } + + # module.branch-dp-dev-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-ro["data-platform-dev"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-dp-dev-r-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform data platform development service account (read-only)." -> "Terraform resman data-platform-dev service account (read-only)." 
+ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-dp-dev-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-dp-dev-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-dp-prod-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["data-platform-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # 
module.stage3-sa-ro["data-platform-prod"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-dp-prod-r-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform data platform production service account (read-only)." -> "Terraform resman data-platform-prod service account (read-only)." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-dp-prod-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-dp-prod-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created + + 
resource "google_project_iam_member" "project-roles" { + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + project = "ldj-prod-iac-core-0" + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # module.stage3-sa-ro["gcve-dev"].google_service_account.service_account[0] will be created + + resource "google_service_account" "service_account" { + + account_id = "ldj-dev-resman-gcve-0r" + + disabled = false + + display_name = "Terraform resman gcve-dev service account (read-only)." + + email = (known after apply) + + id = (known after apply) + + member = (known after apply) + + name = (known after apply) + + project = "ldj-prod-iac-core-0" + + unique_id = (known after apply) + } + + # module.stage3-sa-ro["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created + + resource "google_service_account_iam_binding" "authoritative" { + + etag = (known after apply) + + id = (known after apply) + + role = "roles/iam.serviceAccountTokenCreator" + + service_account_id = (known after apply) + } + + # module.stage3-sa-ro["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] will be created + + resource "google_storage_bucket_iam_member" "bucket-roles" { + + bucket = "ldj-prod-iac-core-outputs-0" + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + role = "organizations/366118655033/roles/storageViewer" + } + + # module.stage3-sa-ro["gcve-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created + + resource "google_project_iam_member" "project-roles" { + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + project = "ldj-prod-iac-core-0" + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # 
module.stage3-sa-ro["gcve-prod"].google_service_account.service_account[0] will be created + + resource "google_service_account" "service_account" { + + account_id = "ldj-prod-resman-gcve-0r" + + disabled = false + + display_name = "Terraform resman gcve-prod service account (read-only)." + + email = (known after apply) + + id = (known after apply) + + member = (known after apply) + + name = (known after apply) + + project = "ldj-prod-iac-core-0" + + unique_id = (known after apply) + } + + # module.stage3-sa-ro["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created + + resource "google_service_account_iam_binding" "authoritative" { + + etag = (known after apply) + + id = (known after apply) + + role = "roles/iam.serviceAccountTokenCreator" + + service_account_id = (known after apply) + } + + # module.stage3-sa-ro["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] will be created + + resource "google_storage_bucket_iam_member" "bucket-roles" { + + bucket = "ldj-prod-iac-core-outputs-0" + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + role = "organizations/366118655033/roles/storageViewer" + } + + # module.branch-gke-dev-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["gke-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-ro["gke-dev"].google_service_account.service_account[0] will be updated in-place + # (moved from 
module.branch-gke-dev-r-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform gke multitenant development service account (read-only)." -> "Terraform resman gke-dev service account (read-only)." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-gke-dev-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-gke-dev-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["gke-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-gke-prod-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["gke-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource 
"google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-ro["gke-prod"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-gke-prod-r-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform gke multitenant production service account (read-only)." -> "Terraform resman gke-prod service account (read-only)." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-gke-prod-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-gke-prod-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["gke-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = 
"b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["project-factory-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-ro["project-factory-dev"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-pf-dev-r-sa.google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform project factory development service account (read-only)." -> "Terraform resman project-factory-dev service account (read-only)." 
+ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["project-factory-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # 
module.stage3-sa-ro["project-factory-prod"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-pf-prod-r-sa.google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform project factory production service account (read-only)." -> "Terraform resman project-factory-prod service account (read-only)." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-ro["sandbox"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created + + 
resource "google_project_iam_member" "project-roles" { + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + project = "ldj-prod-iac-core-0" + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # module.stage3-sa-ro["sandbox"].google_service_account.service_account[0] will be created + + resource "google_service_account" "service_account" { + + account_id = "ldj-dev-resman-sbx-0r" + + disabled = false + + display_name = "Terraform resman sandbox service account (read-only)." + + email = (known after apply) + + id = (known after apply) + + member = (known after apply) + + name = (known after apply) + + project = "ldj-prod-iac-core-0" + + unique_id = (known after apply) + } + + # module.stage3-sa-ro["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created + + resource "google_service_account_iam_binding" "authoritative" { + + etag = (known after apply) + + id = (known after apply) + + role = "roles/iam.serviceAccountTokenCreator" + + service_account_id = (known after apply) + } + + # module.stage3-sa-ro["sandbox"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] will be created + + resource "google_storage_bucket_iam_member" "bucket-roles" { + + bucket = "ldj-prod-iac-core-outputs-0" + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + role = "organizations/366118655033/roles/storageViewer" + } + + # module.branch-dp-dev-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = 
"ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["data-platform-dev"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-dp-dev-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform data platform development service account." -> "Terraform resman data-platform-dev service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-dp-dev-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-dp-dev-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # 
module.stage3-sa-rw["data-platform-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created + + resource "google_project_iam_member" "project-roles" { + + etag = (known after apply) + + id = (known after apply) + + member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + + project = "ldj-prod-iac-core-0" + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # module.stage3-sa-rw["data-platform-prod"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-dp-prod-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform data platform production service account." -> "Terraform resman data-platform-prod service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-dp-prod-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-dp-prod-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource 
"google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created + + resource "google_project_iam_member" "project-roles" { + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + project = "ldj-prod-iac-core-0" + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # module.stage3-sa-rw["gcve-dev"].google_service_account.service_account[0] will be created + + resource "google_service_account" "service_account" { + + account_id = "ldj-dev-resman-gcve-0" + + disabled = false + + display_name = "Terraform resman gcve-dev service account." + + email = (known after apply) + + id = (known after apply) + + member = (known after apply) + + name = (known after apply) + + project = "ldj-prod-iac-core-0" + + unique_id = (known after apply) + } + + # module.stage3-sa-rw["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created + + resource "google_service_account_iam_binding" "authoritative" { + + etag = (known after apply) + + id = (known after apply) + + role = "roles/iam.serviceAccountTokenCreator" + + service_account_id = (known after apply) + } + + # module.stage3-sa-rw["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] will be created + + resource "google_storage_bucket_iam_member" "bucket-roles" { + + bucket = "ldj-prod-iac-core-outputs-0" + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + role = "roles/storage.objectAdmin" + } + + # 
module.stage3-sa-rw["gcve-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created + + resource "google_project_iam_member" "project-roles" { + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + project = "ldj-prod-iac-core-0" + + role = "roles/serviceusage.serviceUsageConsumer" + } + + # module.stage3-sa-rw["gcve-prod"].google_service_account.service_account[0] will be created + + resource "google_service_account" "service_account" { + + account_id = "ldj-prod-resman-gcve-0" + + disabled = false + + display_name = "Terraform resman gcve-prod service account." + + email = (known after apply) + + id = (known after apply) + + member = (known after apply) + + name = (known after apply) + + project = "ldj-prod-iac-core-0" + + unique_id = (known after apply) + } + + # module.stage3-sa-rw["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created + + resource "google_service_account_iam_binding" "authoritative" { + + etag = (known after apply) + + id = (known after apply) + + role = "roles/iam.serviceAccountTokenCreator" + + service_account_id = (known after apply) + } + + # module.stage3-sa-rw["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] will be created + + resource "google_storage_bucket_iam_member" "bucket-roles" { + + bucket = "ldj-prod-iac-core-outputs-0" + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + role = "roles/storage.objectAdmin" + } + + # module.branch-gke-dev-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["gke-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id 
= "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["gke-dev"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-gke-dev-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform gke multitenant dev service account." -> "Terraform resman gke-dev service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.stage3-sa-rw["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be updated in-place + # (moved from module.branch-gke-dev-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]) + ~ resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + ~ members = [ + - "group:gcp-devops@ludo.joonix.net", + ] + # (3 unchanged attributes hidden) + } + + # module.branch-gke-dev-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["gke-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # 
module.branch-gke-prod-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["gke-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["gke-prod"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-gke-prod-sa[0].google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform gke multitenant prod service account." -> "Terraform resman gke-prod service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.stage3-sa-rw["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be updated in-place + # (moved from module.branch-gke-prod-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]) + ~ resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + ~ members = [ + - "group:gcp-devops@ludo.joonix.net", + ] + # (3 unchanged attributes hidden) + } + + # module.branch-gke-prod-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to 
module.stage3-sa-rw["gke-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-dev-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["project-factory-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["project-factory-dev"].google_service_account.service_account[0] will be updated in-place + # (moved from module.branch-pf-dev-sa.google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform project factory development service account." -> "Terraform resman project-factory-dev service account." 
+ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.branch-pf-prod-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["project-factory-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] + resource "google_project_iam_member" "project-roles" { + id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["project-factory-prod"].google_service_account.service_account[0] will be updated in-place 
+ # (moved from module.branch-pf-prod-sa.google_service_account.service_account[0]) + ~ resource "google_service_account" "service_account" { + ~ display_name = "Terraform project factory production service account." -> "Terraform resman project-factory-prod service account." + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (7 unchanged attributes hidden) + } + + # module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + resource "google_service_account_iam_binding" "authoritative" { + id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" + # (3 unchanged attributes hidden) + } + + # module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] + resource "google_storage_bucket_iam_member" "bucket-roles" { + id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["sandbox"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] must be replaced + # (moved from module.branch-sandbox-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"]) +-/+ resource "google_project_iam_member" "project-roles" { + ~ 
etag = "BwYedUGoTDM=" -> (known after apply) + ~ id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) + ~ member = "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" # forces replacement -> (known after apply) # forces replacement + # (2 unchanged attributes hidden) + } + + # module.stage3-sa-rw["sandbox"].google_service_account.service_account[0] must be replaced + # (moved from module.branch-sandbox-sa[0].google_service_account.service_account[0]) +-/+ resource "google_service_account" "service_account" { + ~ account_id = "ldj-dev-resman-sbox-0" -> "ldj-dev-resman-sbx-0" # forces replacement + ~ email = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) + ~ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) + ~ member = "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) + ~ name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) + ~ unique_id = "117443430578520793344" -> (known after apply) + # (4 unchanged attributes hidden) + } + + # module.stage3-sa-rw["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created + + resource "google_service_account_iam_binding" "authoritative" { + + etag = (known after apply) + + id = (known after apply) + + role = "roles/iam.serviceAccountTokenCreator" + + service_account_id = (known after apply) + } + + # module.stage3-sa-rw["sandbox"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] will be created + + resource "google_storage_bucket_iam_member" "bucket-roles" { + + bucket = 
"ldj-prod-iac-core-outputs-0" + + etag = (known after apply) + + id = (known after apply) + + member = (known after apply) + + role = "roles/storage.objectAdmin" + } + + # module.branch-dp-folder[0].google_folder.folder[0] has moved to module.top-level-folder["data-platform"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/1004589610177" + name = "folders/1004589610177" + # (5 unchanged attributes hidden) + } + + # module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"] must be replaced + # (moved from module.branch-dp-folder[0].google_tags_tag_binding.binding["context"]) +-/+ resource "google_tags_tag_binding" "binding" { + ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F1004589610177/tagValues/420824284884" -> (known after apply) + ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F1004589610177/tagValues/420824284884" -> (known after apply) + ~ tag_value = "tagValues/420824284884" # forces replacement -> (known after apply) # forces replacement + # (1 unchanged attribute hidden) + } + + # module.top-level-folder["gcve"].google_folder.folder[0] will be created + + resource "google_folder" "folder" { + + create_time = (known after apply) + + display_name = "GCVE" + + folder_id = (known after apply) + + id = (known after apply) + + lifecycle_state = (known after apply) + + name = (known after apply) + + parent = "organizations/366118655033" + } + + # module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"] will be created + + resource "google_tags_tag_binding" "binding" { + + id = (known after apply) + + name = (known after apply) + + parent = (known after apply) + + tag_value = (known after apply) + } + + # module.branch-gke-folder[0].google_folder.folder[0] has moved to module.top-level-folder["gke"].google_folder.folder[0] + resource "google_folder" "folder" { + id = "folders/219618653183" + name = "folders/219618653183" + # (5 unchanged attributes 
hidden) + } + + # module.top-level-folder["gke"].google_tags_tag_binding.binding["context"] must be replaced + # (moved from module.branch-gke-folder[0].google_tags_tag_binding.binding["context"]) +-/+ resource "google_tags_tag_binding" "binding" { + ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F219618653183/tagValues/1084887265324" -> (known after apply) + ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F219618653183/tagValues/1084887265324" -> (known after apply) + ~ tag_value = "tagValues/1084887265324" # forces replacement -> (known after apply) # forces replacement + # (1 unchanged attribute hidden) + } + + # module.top-level-folder["teams"].google_tags_tag_binding.binding["context"] must be replaced +-/+ resource "google_tags_tag_binding" "binding" { + ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F551661226665/tagValues/281477339751191" -> (known after apply) + ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F551661226665/tagValues/281477339751191" -> (known after apply) + ~ tag_value = "tagValues/281477339751191" # forces replacement -> (known after apply) # forces replacement + # (1 unchanged attribute hidden) + } + +Plan: 123 to add, 33 to change, 62 to destroy. 
+ +Changes to Outputs: + ~ cicd_repositories = { + ~ networking = { + - branch = "main" + - name = "ludomagno/networking" + + repository = { + + branch = "main" + + name = "ludomagno/networking" + + parent_id = null + + type = "github" + } + - service_account = { + - apply = "ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - plan = "ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + # (1 unchanged attribute hidden) + } + ~ security = { + - branch = null + - name = "ludomagno/fast-test" + + repository = { + + branch = null + + name = "ludomagno/security" + + type = "gitlab" + } + - service_account = { + - apply = "ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" + - plan = "ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + # (1 unchanged attribute hidden) + } + } + - dataplatform = { + - dev = { + - folder = "folders/777820411744" + - gcs_bucket = "ldj-dev-resman-dp-0" + - service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + - prod = { + - folder = "folders/447111401824" + - gcs_bucket = "ldj-prod-resman-dp-0" + - service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } -> null + ~ folder_ids = { + + data-platform = "folders/1004589610177" + + gcve = (known after apply) + + gcve-dev = (known after apply) + + gcve-prod = (known after apply) + + gke = "folders/219618653183" + + security-dev = null + + security-prod = null + # (11 unchanged attributes hidden) + } + - gcve = {} -> null + - gke_multitenant = { + - dev = { + - folder = "folders/39661087317" + - gcs_bucket = "ldj-dev-resman-gke-0" + - service_account = "ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + - prod = { + - folder = "folders/810789977048" + - gcs_bucket = "ldj-prod-resman-gke-0" + - service_account = "ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } -> null + - networking = { + - folder = 
"folders/843203210689" + - gcs_bucket = "ldj-prod-resman-net-0" + - service_account = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } -> null + - project_factories = { + - dev = { + - bucket = "ldj-dev-resman-pf-0" + - sa = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + - main = { + - bucket = "ldj-resman-pf-0" + - sa = "ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + - prod = { + - bucket = "ldj-prod-resman-pf-0" + - sa = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } + } -> null + ~ providers = (sensitive value) + - sandbox = { + - folder = "folders/245438209825" + - gcs_bucket = "ldj-dev-resman-sbox-0" + - service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } -> null + - security = { + - folder = "folders/251257116248" + - gcs_bucket = "ldj-prod-resman-sec-0" + - service_account = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" + } -> null + ~ tfvars = (sensitive value) + +Warning: Value for undeclared variable + +The root module does not declare a variable named "environments" but a value was found in file "0-globals.auto.tfvars.json". If you meant to use this value, add a "variable" +block to the configuration. + +To silence these warnings, use TF_VAR_... environment variables to provide certain "global" settings to all configurations in your organization. To reduce the verbosity of +these warnings, use the -compact-warnings option. + +Warning: Value for undeclared variable + +The root module does not declare a variable named "org_policy_tags" but a value was found in file "0-bootstrap.auto.tfvars.json". If you meant to use this value, add a +"variable" block to the configuration. + +To silence these warnings, use TF_VAR_... environment variables to provide certain "global" settings to all configurations in your organization. 
To reduce the verbosity of +these warnings, use the -compact-warnings option. + +───────────────────────────────────────────────────────────────────────────── + +Note: You didn't use the -out option to save this plan, so Terraform can't +guarantee to take exactly these actions if you run "terraform apply" now.
diff --git a/fast/stages/1-resman/schemas/fast-stage.schema.json b/fast/stages/1-resman/schemas/fast-stage.schema.json
deleted file mode 100644
index 82bf0e0f17..0000000000
--- a/fast/stages/1-resman/schemas/fast-stage.schema.json
+++ /dev/null
@@ -1,213 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "FAST stage",
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "short_name": {
- "type": "string"
- },
- "tag_value_name": {
- "type": "string"
- },
- "assign_billing_roles": {
- "type": "boolean",
- "default": true
- },
- "cicd": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "identity_provider",
- "repository"
- ],
- "properties": {
- "identity_provider": {
- "type": "string"
- },
- "repository": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "branch": {
- "type": "string"
- }
- }
- }
- }
- },
- "main": {
- "$ref": "#/$defs/environment"
- },
- "environments": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "dev",
- "prod"
- ],
- "properties": {
- "dev": {
- "$ref": "#/$defs/environment"
- },
- "prod": {
- "$ref": "#/$defs/environment"
- }
- }
- }
- },
- "$defs": {
- "environment": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "folder": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string"
- },
- "service_account_iam": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "ro": {
- "$ref": "#/$defs/folder_service_account_iam"
- },
- "rw": {
- "$ref": "#/$defs/folder_service_account_iam"
- }
- }
- }
- },
- "iam": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:roles/|[a-z_]+)": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)"
- }
- }
- }
- },
- "iam_bindings": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^[a-z0-9_-]+$": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "members": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)"
- }
- },
- "role": {
- "type": "string",
- "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$"
- },
- "condition": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "expression",
- "title"
- ],
- "properties": {
- "expression": {
- "type": "string"
- },
- "title": {
- "type": "string"
- },
- "description": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "iam_by_principals": {
- "type": "object",
- "additionalProperties": false,
- "patternProperties": {
- "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:)": {
- "type": "array",
- "items": {
- "type": "string",
- "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$"
- }
- }
- }
- }
- },
- "root_node": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "service_account_iam": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "ro": {
- "$ref": "#/$defs/root_service_account_iam"
- },
- "rw": {
- "$ref": "#/$defs/root_service_account_iam"
- }
- }
- }
- }
- }
- }
- },
- "folder_service_account_iam": {
- "type": "array",
- "uniqueItems": true,
- "items": {
- "type": "string",
- "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$"
- }
- },
- "root_service_account_iam": {
- "type": "array",
- "items": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "role"
- ],
- "properties": {
- "role": {
- "type": "string",
- "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$"
- },
- "match_tag_values": {
- "type": "array",
- "items": {
- "type": "string"
- }
- }
- }
- }
- }
- }
-}
\ No newline at end of file
diff --git a/fast/stages/1-resman/schemas/fast-stage.schema.old.json b/fast/stages/1-resman/schemas/fast-stage.schema.old.json
deleted file mode 100644
index 82bf0e0f17..0000000000
--- a/fast/stages/1-resman/schemas/fast-stage.schema.old.json
+++ /dev/null
@@ -1,213 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "FAST stage", - "type": "object", - "additionalProperties": false, - "properties": { - "short_name": { - "type": "string" - }, - "tag_value_name": { - "type": "string" - }, - "assign_billing_roles": { - "type": "boolean", - "default": true - }, - "cicd": { - "type": "object", - "additionalProperties": false, - "required": [ - "identity_provider", - "repository" - ], - "properties": { - "identity_provider": { - "type": "string" - }, - "repository": { - "type": "object", - "additionalProperties": false, - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string" - }, - "branch": { - "type": "string" - } - } - } - } - }, - "main": { - "$ref": "#/$defs/environment" - }, - "environments": { - "type": "object", - "additionalProperties": false, - "required": [ - "dev", - "prod" - ], - "properties": { - "dev": { - "$ref": "#/$defs/environment" - }, - "prod": { - "$ref": "#/$defs/environment" - } - } - } - }, - "$defs": { - "environment": { - "type": "object", - "additionalProperties": false, - "properties": { - "folder": { - "type": "object", - "additionalProperties": false, - "required": [ - "name" - ], - "properties": { - "name": { - "type": "string" - }, - "service_account_iam": { - "type": "object", - "additionalProperties": false, - "properties": { - "ro": { - "$ref": "#/$defs/folder_service_account_iam" - }, - "rw": { - "$ref": "#/$defs/folder_service_account_iam" - } - } - } - }, - "iam": { - "type": "object", - "additionalProperties": false, - "patternProperties": { - "^(?:roles/|[a-z_]+)": { - "type": "array", - "items": { - "type": "string", - "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)" - } - } - } - }, - "iam_bindings": { - "type": "object", - "additionalProperties": false, - "patternProperties": { - "^[a-z0-9_-]+$": { - "type": 
"object", - "additionalProperties": false, - "properties": { - "members": { - "type": "array", - "items": { - "type": "string", - "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|project-factory|project-factory-dev|project-factory-prod|networking|security|vpcsc|rw|ro)" - } - }, - "role": { - "type": "string", - "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" - }, - "condition": { - "type": "object", - "additionalProperties": false, - "required": [ - "expression", - "title" - ], - "properties": { - "expression": { - "type": "string" - }, - "title": { - "type": "string" - }, - "description": { - "type": "string" - } - } - } - } - } - } - }, - "iam_by_principals": { - "type": "object", - "additionalProperties": false, - "patternProperties": { - "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:)": { - "type": "array", - "items": { - "type": "string", - "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" - } - } - } - } - }, - "root_node": { - "type": "object", - "additionalProperties": false, - "properties": { - "service_account_iam": { - "type": "object", - "additionalProperties": false, - "properties": { - "ro": { - "$ref": "#/$defs/root_service_account_iam" - }, - "rw": { - "$ref": "#/$defs/root_service_account_iam" - } - } - } - } - } - } - }, - "folder_service_account_iam": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string", - "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" - } - }, - "root_service_account_iam": { - "type": "array", - "items": { - "type": "object", - "additionalProperties": false, - "required": [ - "role" - ], - "properties": { - "role": { - "type": "string", - "pattern": "^(?:roles/[a-zA-Z0-9\\.]+)|(?:[a-z0-9_]+)$" - }, - "match_tag_values": { - "type": "array", - "items": { - "type": "string" - } - } - } - } - } - } -} \ No newline at end of file 
diff --git a/fast/stages/1-resman/schemas/fast-stage3.schema.json b/fast/stages/1-resman/schemas/fast-stage3.schema.json
new file mode 100644
index 0000000000..fc32808314
--- /dev/null
+++ b/fast/stages/1-resman/schemas/fast-stage3.schema.json
@@ -0,0 +1,151 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "FAST stage 3",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "short_name"
+ ],
+ "properties": {
+ "short_name": {
+ "type": "string"
+ },
+ "environment": {
+ "enum": [
+ "dev",
+ "prod"
+ ]
+ },
+ "cicd_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "identity_provider",
+ "repository"
+ ],
+ "properties": {
+ "identity_provider": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "branch": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "github",
+ "gitlab"
+ ],
+ "default": "github"
+ }
+ }
+ }
+ }
+ },
+ "folder_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "iam_by_principals": {
+ "type": "object",
+ "additionalProperties": false,
+ "patternProperties": {
+ "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:)": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "pattern": "^(?:roles/|[a-z_]+)"
+ }
+ }
+ }
+ },
+ "parent_id": {
+ "type": "string"
+ },
+ "tag_bindings": {
+ "type": "object",
+ "additionalProperties": false,
+ "patternProperties": {
+ "^[a-z0-9_-]+$": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "organization_iam": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "context_tag_value"
+ ],
+ "properties": {
+ "context_tag_value": {
+ "type": "string"
+ },
+ "sa_roles": {
+ "$ref": "#/$defs/sa_roles"
+ }
+ }
+ },
+ "stage2_iam": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "networking": {
+ "$ref": "#/$defs/stage2_iam"
+ },
+ "security": {
+ "$ref": "#/$defs/stage2_iam"
+ }
+ }
+ }
+ },
+ "$defs": {
+ "sa_roles": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "ro": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "rw": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "stage2_iam": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "iam_admin_delegated": {
+ "type": "boolean"
+ },
+ "sa_roles": {
+ "$ref": "#/$defs/sa_roles"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/fast/stages/1-resman/schemas/top-level-folder.schema.json b/fast/stages/1-resman/schemas/top-level-folder.schema.json
index 60e22c8ae7..88263edc32 100644
--- a/fast/stages/1-resman/schemas/top-level-folder.schema.json
+++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json
@@ -108,7 +108,7 @@
 }
 }
 },
- "parent": {
+ "parent_id": {
 "type": "string"
 },
 "tag_bindings": {
diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf
index b93e9cd6b2..0731af53b0 100644
--- a/fast/stages/1-resman/stage-2-networking.tf
+++ b/fast/stages/1-resman/stage-2-networking.tf
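Review bot: In fast-stage3.schema.json the role item pattern under `folder_config.iam_by_principals`, `^(?:roles/|[a-z_]+)`, has no end anchor, so it only checks how a value starts, and the `ro`/`rw` items in `$defs.sa_roles` are plain strings with no pattern at all. Those lists feed the stage 2 folder IAM bindings built in this commit (and presumably the organization-level ones), so a typo or an unintended role string is not rejected when the YAML is validated. I would constrain both with an anchored pattern such as `"pattern": "^(?:roles/[a-zA-Z0-9_.]+|[a-z0-9_]+)$"`, widened if full custom role paths have to be accepted. `organization_iam` also lists only `context_tag_value` as required, so a file without `sa_roles` passes the schema.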
@@ -15,22 +15,25 @@ */ locals { + net_s3_delegated = join(",", formatlist("'%s'", [ + "roles/composer.sharedVpcAgent", + "roles/compute.networkUser", + "roles/compute.networkViewer", + "roles/container.hostServiceAgentUser", + "roles/multiclusterservicediscovery.serviceAgent", + "roles/vpcaccess.user", + ])) net_use_env_folders = ( var.fast_stage_2.networking.enabled && var.fast_stage_2.networking.folder_config.create_env_folders ) - # TODO: this would be better and more narrowly handled from stage 2 projects - net_stage3_iam = { - dev = { - for v in local.stage3_sa_roles_in_stage2 : - lookup(var.custom_roles, v.role, v.role) => v... - if v.env == "dev" && v.s2 == "networking" - } - prod = { - for v in local.stage3_sa_roles_in_stage2 : - lookup(var.custom_roles, v.role, v.role) => v... - if v.env == "prod" && v.s2 == "networking" - } + net_stage3_iam = !var.fast_stage_2.networking.enabled ? {} : { + for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => ( + v.sa == "rw" + ? module.stage3-sa-rw[v.s3].iam_email + : module.stage3-sa-ro[v.s3].iam_email + )... + if v.s2 == "networking" } } @@ -43,7 +46,7 @@ module "net-folder" { var.fast_stage_2.networking.folder_config.parent_id == null ? local.root_node : try( - module.top-level-folder[var.fast_stage_2.networking.folder_config].parent_id, + local.top_level_folder_ids[var.fast_stage_2.networking.folder_config], var.fast_stage_2.networking.folder_config.parent_id ) ) 
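Review bot: In the `net-folder` parent expression the first argument to `try()` indexes `local.top_level_folder_ids` with the whole `folder_config` object instead of its `parent_id`, so that lookup always errors and `try()` silently falls back to the raw `parent_id`. A top-level folder key can therefore never be resolved here, unlike `stage3-folder` in stage-3.tf, which indexes with `each.value.folder_config.parent_id`. I would write `local.top_level_folder_ids[var.fast_stage_2.networking.folder_config.parent_id],`; the `sec-folder` hunk in stage-2-security.tf carries the same expression. The `net-folder` module body continues outside this hunk.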
@@ -78,20 +81,88 @@ module "net-folder" { try(module.sec-sa-ro[0].iam_email, null) ] }, - # stage 3s service accounts (if not using environment folders) - var.fast_stage_2.networking.folder_config.create_env_folders == true ? {} : { - for role, attrs in local.net_stage3_iam.prod : role => [ - for v in attrs : ( - v.sa == "ro" - ? module.stage3-sa-ro[v.s3].iam_email - : module.stage3-sa-rw[v.s3].iam_email - ) + # project factory service accounts + (var.fast_stage_2.project_factory.enabled) != true ? {} : { + (var.custom_roles.service_project_network_admin) = [ + module.pf-sa-rw[0].iam_email + ] + "roles/compute.networkViewer" = [ + module.pf-sa-ro[0].iam_email ] } ) + iam_bindings = merge( + # project factory delegated grant + var.fast_stage_2.project_factory.enabled != true ? {} : { + pf_delegated_grant = { + role = "roles/resourcemanager.projectIamAdmin" + members = [module.pf-sa-rw[0].iam_email] + condition = { + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + "roles/compute.networkUser" + ) + title = "project factory project delegated admin" + description = "Project factory delegated grant." 
+ } + } + }, + # stage 3 dev delegated iam admin + { + stage3_delegated_grant_dev = { + role = "roles/resourcemanager.projectIamAdmin" + members = [ + for k, v in local.stage3 : module.stage3-sa-rw[k].iam_email + if v.environment == "dev" && v.stage2_iam.networking.iam_admin_delegated + ] + condition = { + expression = format( + local.iam_stage2_condition, + "development", + local.net_s3_delegated + ) + title = "stage 3 project delegated admin dev" + } + } + }, + # stage 3 prod delegated iam admin + { + stage3_delegated_grant_prod = { + role = "roles/resourcemanager.projectIamAdmin" + members = [ + for k, v in local.stage3 : module.stage3-sa-rw[k].iam_email + if v.environment == "prod" && v.stage2_iam.networking.iam_admin_delegated + ] + condition = { + expression = format( + local.iam_stage2_condition, "production", local.net_s3_delegated + ) + title = "stage 3 project delegated admin prod" + } + } + }, + # stage 3 roles + { + for k, v in local.net_stage3_iam : k => { + role = split(":", k)[0] + members = v + condition = { + title = "stage 3 ${split(":", k)[1]}" + expression = <<-END + resource.matchTag( + '${local.tag_root}/${var.tag_names.environment}', + '${split(":", k)[1]}' + ) + END + } + } + } + ) iam_by_principals = merge( - # replace with more selective custom roles for production deployments - { (local.principals.gcp-network-admins) = ["roles/editor"] }, + { + # replace with more selective custom roles for production deployments + (local.principals.gcp-network-admins) = ["roles/editor"] + }, var.fast_stage_2.networking.folder_config.iam_by_principals ) tag_bindings = { 
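Review bot: The new `pf_delegated_grant` condition in `net-folder` passes `"roles/compute.networkUser"` to `format()` without inner quotes, so the rendered CEL is `hasOnly([roles/compute.networkUser])` rather than a list of string literals. This condition is the only thing that limits which roles the project factory service account can grant through `roles/resourcemanager.projectIamAdmin`, so it should be an expression the API accepts and that matches as intended; `net_s3_delegated` in the same file already quotes its entries with `formatlist("'%s'", ...)`. I would pass `"'roles/compute.networkUser'"`, and the same applies to `"roles/cloudkms.cryptoKeyEncrypterDecrypter"` in the `sec-folder` binding in stage-2-security.tf. Separately, `stage3_delegated_grant_dev` and `stage3_delegated_grant_prod` are always emitted, so their `members` list is empty when no stage 3 sets `iam_admin_delegated`; it is worth confirming that the folder module tolerates an empty binding.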
@@ -107,20 +178,10 @@ module "net-folder-prod" { source = "../../../modules/folder" count = local.net_use_env_folders ? 1 : 0 parent = module.net-folder[0].id - name = "Production" - iam = { - # stage 3s service accounts - for role, attrs in local.net_stage3_iam.prod : role => [ - for v in attrs : ( - v.sa == "ro" - ? module.stage3-sa-ro[v.s3].iam_email - : module.stage3-sa-rw[v.s3].iam_email - ) - ] - } + name = title(var.environment_names["prod"]) tag_bindings = { environment = try( - local.tag_values["${var.tag_names.environment}/production"].id, + local.tag_values["${var.tag_names.environment}/${var.environment_names["prod"]}"].id, null ) } @@ -130,20 +191,10 @@ module "net-folder-dev" { source = "../../../modules/folder" count = local.net_use_env_folders ? 1 : 0 parent = module.net-folder[0].id - name = "Development" - iam = { - # stage 3s service accounts - for role, attrs in local.net_stage3_iam.dev : role => [ - for v in attrs : ( - v.sa == "ro" - ? module.stage3-sa-ro[v.s3].iam_email - : module.stage3-sa-rw[v.s3].iam_email - ) - ] - } + name = title(var.environment_names["dev"]) tag_bindings = { environment = try( - local.tag_values["${var.tag_names.environment}/development"].id, + local.tag_values["${var.tag_names.environment}/${var.environment_names["dev"]}"].id, null ) } diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 81e82db5af..197c8f22f9 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf 
@@ -19,18 +19,13 @@ locals { var.fast_stage_2.security.enabled && var.fast_stage_2.security.folder_config.create_env_folders ) - # TODO: this would be better and more narrowly handled from stage 2 projects - sec_stage3_iam = { - dev = { - for v in local.stage3_sa_roles_in_stage2 : - lookup(var.custom_roles, v.role, v.role) => v... - if v.env == "dev" && v.s2 == "security" - } - prod = { - for v in local.stage3_sa_roles_in_stage2 : - lookup(var.custom_roles, v.role, v.role) => v... - if v.env == "prod" && v.s2 == "security" - } + sec_stage3_iam = !var.fast_stage_2.security.enabled ? {} : { + for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => ( + v.sa == "rw" + ? module.stage3-sa-rw[v.s3].iam_email + : module.stage3-sa-ro[v.s3].iam_email + )... + if v.s2 == "security" } } @@ -43,7 +38,7 @@ module "sec-folder" { var.fast_stage_2.security.folder_config.parent_id == null ? local.root_node : try( - module.top-level-folder[var.fast_stage_2.security.folder_config].parent_id, + local.top_level_folder_ids[var.fast_stage_2.security.folder_config], var.fast_stage_2.security.folder_config.parent_id ) ) 
@@ -58,34 +53,53 @@ module "sec-folder" { "roles/viewer" = [module.sec-sa-ro[0].iam_email] "roles/resourcemanager.folderViewer" = [module.sec-sa-ro[0].iam_email] }, - # stage 3s service accounts (if not using environment folders) - var.fast_stage_2.security.folder_config.create_env_folders == true ? {} : { - for role, attrs in local.sec_stage3_iam.prod : role => [ - for v in attrs : ( - v.sa == "ro" - ? module.stage3-sa-ro[v.s3].iam_email - : module.stage3-sa-rw[v.s3].iam_email - ) + # project factory service accounts + (var.fast_stage_2.project_factory.enabled) != true ? {} : { + "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [ + module.pf-sa-rw[0].iam_email + ] + "roles/cloudkms.viewer" = [ + module.pf-sa-ro[0].iam_email ] } ) - iam_bindings = var.fast_stage_2.project_factory.enabled != true ? {} : { - pf_delegated_grant = { - role = "roles/resourcemanager.projectIamAdmin" - members = [module.pf-sa-rw[0].iam_email] - condition = { - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - "roles/cloudkms.cryptoKeyEncrypterDecrypter" - ) - title = "pf_delegated_grant" - description = "Project factory delegated grant." + iam_bindings = merge( + var.fast_stage_2.project_factory.enabled != true ? {} : { + pf_delegated_grant = { + role = "roles/resourcemanager.projectIamAdmin" + members = [module.pf-sa-rw[0].iam_email] + condition = { + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + "roles/cloudkms.cryptoKeyEncrypterDecrypter" + ) + title = "pf_delegated_grant" + description = "Project factory delegated grant." 
+ } + } + }, + # stage 3 IAM bindings use conditions based on environment + { + for k, v in local.sec_stage3_iam : k => { + role = split(":", k)[0] + members = v + condition = { + title = "stage 3 ${split(":", k)[1]}" + expression = <<-END + resource.matchTag( + '${local.tag_root}/${var.tag_names.environment}', + '${split(":", k)[1]}' + ) + END + } } } - } + ) iam_by_principals = merge( - # replace with more selective custom roles for production deployments - { (local.principals.gcp-security-admins) = ["roles/editor"] }, + { + # replace with more selective custom roles for production deployments + (local.principals.gcp-security-admins) = ["roles/editor"] + }, var.fast_stage_2.security.folder_config.iam_by_principals ) tag_bindings = { @@ -101,7 +115,7 @@ module "sec-folder-prod" { source = "../../../modules/folder" count = local.sec_use_env_folders ? 1 : 0 parent = module.sec-folder[0].id - name = "Production" + name = title(var.environment_names["prod"]) iam = { # stage 3s service accounts for role, attrs in local.sec_stage3_iam.prod : role => [ @@ -114,7 +128,7 @@ module "sec-folder-prod" { } tag_bindings = { environment = try( - local.tag_values["${var.tag_names.environment}/production"].id, + local.tag_values["${var.tag_names.environment}/${var.environment_names["prod"]}"].id, null ) } @@ -124,7 +138,7 @@ module "sec-folder-dev" { source = "../../../modules/folder" count = local.sec_use_env_folders ? 1 : 0 parent = module.sec-folder[0].id - name = "Development" + name = title(var.environment_names["dev"]) iam = { # stage 3s service accounts for role, attrs in local.sec_stage3_iam.dev : role => [ @@ -137,7 +151,7 @@ module "sec-folder-dev" { } tag_bindings = { environment = try( - local.tag_values["${var.tag_names.environment}/development"].id, + local.tag_values["${var.tag_names.environment}/${var.environment_names["dev"]}"].id, null ) } diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index b22ae8e792..ddc18ccd0b 100644 
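Review bot: The `sec-folder-prod` and `sec-folder-dev` hunks keep the `iam` blocks that iterate `local.sec_stage3_iam.prod` and `local.sec_stage3_iam.dev`, but this commit turns `sec_stage3_iam` into a flat map keyed by `"${v.role}:${v.env}"` (or `{}` when the stage is disabled), so those attributes no longer exist. The entries are also now lists of `iam_email` strings, so the inner `v.sa` and `v.s3` references would not resolve either. stage-2-networking.tf removes the equivalent blocks from `net-folder-prod` and `net-folder-dev`, and I would do the same here, since the tag-conditioned `iam_bindings` on `sec-folder` already cover these grants. The `iam` blocks extend between the hunks shown, so part of them is outside this view.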
--- a/fast/stages/1-resman/stage-3.tf
+++ b/fast/stages/1-resman/stage-3.tf
@@ -15,19 +15,84 @@ */ locals { + _stage3_path = try( + pathexpand(var.factories_config.stage_3), null + ) + _stage3_files = try( + fileset(local._stage3_path, "**/*.yaml"), + [] + ) + _stage3 = { + for f in local._stage3_files : + split(".", f)[0] => yamldecode(file( + "${coalesce(local._stage3_path, "-")}/${f}" + )) + } + stage3 = merge({ + for k, v in local._stage3 : k => { + short_name = v.short_name + environment = try(v.environment, "dev") + cicd_config = lookup(v, "cicd_config", null) == null ? null : { + identity_provider = v.cicd_config.identity_provider + repository = merge(v.cicd_config.repository, { + branch = try(v.cicd_config.repository.branch, null) + type = try(v.cicd_config.repository.type, "github") + }) + } + folder_config = lookup(v, "folder_config", null) == null ? null : { + name = v.folder_config.name + iam_by_principals = try(v.folder_config.iam_by_principals, {}) + parent_id = try(v.folder_config.parent_id, null) + tag_bindings = try(v.folder_config.tag_bindings, {}) + } + organization_iam = lookup(v, "organization_iam", null) == null ? 
null : { + context_tag_value = v.organization_iam.context_tag_value + sa_roles = merge({ ro = [], rw = [] }, v.organization_iam.sa_roles) + } + stage2_iam = { + networking = { + iam_admin_delegated = try( + v.stage2_iam.networking.iam_admin_delegated, false + ) + sa_roles = merge( + { ro = [], rw = [] }, try(v.stage2_iam.networking.sa_roles, {}) + ) + } + security = { + iam_admin_delegated = try( + v.stage2_iam.security.iam_admin_delegated, false + ) + sa_roles = merge( + { ro = [], rw = [] }, try(v.stage2_iam.security.sa_roles, {}) + ) + } + } + } + }, var.fast_stage_3) stage3_sa_roles_in_org = flatten([ - for k, v in var.fast_stage_3 : [ - for sa, roles in v.organization_iam_roles : [ - for r in roles : { role = r, sa = sa, s3 = k } + for k, v in local.stage3 : [ + for sa, roles in try(v.organization_iam.sa_roles, []) : [ + for role in roles : { + context = try(v.organization_iam.context_tag_value, "") + env = var.environment_names[v.environment] + role = role + sa = sa + s3 = k + } ] ] ]) - # TODO: this would be better and more narrowly handled from stage 2 projects - stage3_sa_roles_in_stage2 = flatten([ - for k, v in var.fast_stage_3 : [ - for s2, attrs in v.stage2_iam_roles : [ - for sa, roles in attrs : [ - for role in roles : { role = role, sa = sa, s2 = s2, s3 = k } + stage3_iam_in_stage2 = flatten([ + for k, v in local.stage3 : [ + for s2, attrs in v.stage2_iam : [ + for sa, roles in attrs.sa_roles : [ + for role in roles : { + env = var.environment_names[v.environment] + role = lookup(var.custom_roles, role, role) + sa = sa + s2 = s2 + s3 = k + } ] ] ] 
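Review bot: Stage definitions loaded from YAML into `local._stage3` never pass through the `validation` blocks this commit adds to `var.fast_stage_3`, yet they are merged into the same `local.stage3` that produces service accounts and IAM grants. An `environment` other than `dev` or `prod` only surfaces as an index error on `var.environment_names[v.environment]`, and `merge({ ro = [], rw = [] }, v.organization_iam.sa_roles)` fails for a file that sets `organization_iam` without `sa_roles`, which the schema allows. I would guard the latter as `sa_roles = merge({ ro = [], rw = [] }, try(v.organization_iam.sa_roles, {}))`, matching the `stage2_iam` branches, and add an explicit check on `environment` for the file-sourced entries. Keys come from `split(".", f)[0]` over `**/*.yaml`, so two files whose names share the text before the first dot would collide.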
@@ -39,13 +104,13 @@ locals { module "stage3-folder" { source = "../../../modules/folder" for_each = { - for k, v in var.fast_stage_3 : k => v if v.folder_config != null + for k, v in local.stage3 : k => v if v.folder_config != null } parent = ( each.value.folder_config.parent_id == null ? local.root_node : try( - module.top-level-folder[each.value.folder_config.parent_id], + local.top_level_folder_ids[each.value.folder_config.parent_id], each.value.folder_config.parent_id ) ) @@ -61,11 +126,16 @@ module "stage3-folder" { } iam_by_principals = each.value.folder_config.iam_by_principals - tag_bindings = { - for k, v in each.value.folder_config.tag_bindings : k => lookup( - local.top_level_tags, v, v - ) - } + tag_bindings = merge( + { + environment = local.tag_values["environment/${var.environment_names[each.value.environment]}"].id + }, + { + for k, v in each.value.folder_config.tag_bindings : k => lookup( + local.top_level_tags, v, v + ) + } + ) depends_on = [module.top-level-folder] } @@ -73,7 +143,7 @@ module "stage3-folder" { module "stage3-sa-rw" { source = "../../../modules/iam-service-account" - for_each = var.fast_stage_3 + for_each = local.stage3 project_id = var.automation.project_id name = "resman-${each.value.short_name}-0" display_name = ( @@ -95,7 +165,7 @@ module "stage3-sa-rw" { module "stage3-sa-ro" { source = "../../../modules/iam-service-account" - for_each = var.fast_stage_3 + for_each = local.stage3 project_id = var.automation.project_id name = "resman-${each.value.short_name}-0r" display_name = ( @@ -119,7 +189,7 @@ module "stage3-sa-ro" { module "stage3-bucket" { source = "../../../modules/gcs" - for_each = var.fast_stage_3 + for_each = local.stage3 project_id = var.automation.project_id name = "resman-${each.value.short_name}-0" prefix = "${var.prefix}-${each.value.environment}" diff --git a/fast/stages/1-resman/stage-cicd.tf b/fast/stages/1-resman/stage-cicd.tf index 6b5a56f781..7abf206c55 100644 --- a/fast/stages/1-resman/stage-cicd.tf 
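Review bot: In `stage3-folder`, `tag_bindings` merges the computed `environment` binding first and the per-stage `folder_config.tag_bindings` second, so a stage definition that supplies its own `environment` key replaces the computed one. The stage 2 bindings added in this commit are conditioned on `resource.matchTag` for the environment tag, so that tag should not be overridable from the stage's own configuration; I would swap the two `merge()` arguments so the computed value wins. The lookup also hard-codes `"environment/..."` where the stage 2 folders use `"${var.tag_names.environment}/..."` wrapped in `try()`, so it breaks with an index error when the tag key is renamed.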
+++ b/fast/stages/1-resman/stage-cicd.tf @@ -24,7 +24,7 @@ locals { if v.cicd_config != null }, { - for k, v in var.fast_stage_3 : + for k, v in local.stage3 : k => merge(v.cicd_config, { env = v.environment, short_name = coalesce(v.short_name, k), lvl = 3 }) diff --git a/fast/stages/1-resman/tenant-root.tf b/fast/stages/1-resman/tenant-root.tf index 7c00bc806a..05cafa69f5 100644 --- a/fast/stages/1-resman/tenant-root.tf +++ b/fast/stages/1-resman/tenant-root.tf @@ -55,8 +55,8 @@ module "automation-project" { description = "Environment definition." iam = {} values = { - development = {} - production = {} + (var.environment_names["dev"]) = {} + (var.environment_names["prod"]) = {} } } }) diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index 224d4f2082..a39027f542 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf @@ -51,6 +51,7 @@ locals { iam_bindings_additive = try(v.iam_bindings_additive, {}) iam_by_principals = try(v.iam_by_principals, {}) org_policies = try(v.org_policies, {}) + parent_id = try(v.parent_id, null) tag_bindings = try(v.tag_bindings, {}) }) }, @@ -66,10 +67,9 @@ locals { } module "top-level-folder" { - source = "../../../modules/folder" - for_each = local.top_level_folders - # TODO: add support for explicit parent id - parent = "organizations/${var.organization.id}" + source = "../../../modules/folder" + for_each = local.top_level_folders + parent = coalesce(each.value.parent_id, local.root_node) name = each.value.name contacts = each.value.contacts firewall_policy = each.value.firewall_policy diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index 20dc3ceea9..52564d7640 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf 
@@ -69,16 +69,23 @@ variable "fast_stage_2" { }) nullable = false default = {} - # TODO: CI/CD validation + validation { + condition = alltrue([ + for k, v in var.fast_stage_2 : + v.cicd_config == null || contains( + ["github", "gitlab"], + coalesce(try(v.cicd_config.repository.type, null), "-") + ) + ]) + error_message = "Invalid CI/CD repository type." + } } variable "fast_stage_3" { description = "FAST stages 3 configurations." # key is used for file names and loop keys and is like 'data-platfom-dev' type = map(object({ - # shortname is for resource names and is like 'dp' - short_name = string - # environment is only used in prefix for service account and bucket names + short_name = string environment = optional(string, "dev") cicd_config = optional(object({ identity_provider = string 
@@ -94,22 +101,47 @@ variable "fast_stage_3" { parent_id = optional(string) tag_bindings = optional(map(string), {}) })) - organization_iam_roles = optional(object({ - ro = optional(list(string), []) - rw = optional(list(string), []) - }), {}) - stage2_iam_roles = optional(object({ - networking = optional(object({ + organization_iam = optional(object({ + context_tag_value = string + sa_roles = object({ ro = optional(list(string), []) rw = optional(list(string), []) + }) + })) + stage2_iam = optional(object({ + networking = optional(object({ + iam_admin_delegated = optional(bool, false) + sa_roles = optional(object({ + ro = optional(list(string), []) + rw = optional(list(string), []) + }), {}) }), {}) - security_iam_roles = optional(object({ - ro = optional(list(string), []) - rw = optional(list(string), []) + security = optional(object({ + iam_admin_delegated = optional(bool, false) + sa_roles = optional(object({ + ro = optional(list(string), []) + rw = optional(list(string), []) + }), {}) }), {}) }), {}) })) nullable = false default = {} - # TODO: CI/CD validation + validation { + condition = alltrue([ + for k, v in var.fast_stage_3 : + contains(["dev", "prod"], coalesce(v.environment, "-")) + ]) + error_message = "Invalid environment value." + } + validation { + condition = alltrue([ + for k, v in var.fast_stage_3 : + v.cicd_config == null || contains( + ["github", "gitlab"], + coalesce(try(v.cicd_config.repository.type, null), "-") + ) + ]) + error_message = "Invalid CI/CD repository type." + } } diff --git a/fast/stages/1-resman/variables-toplevel-folders.tf b/fast/stages/1-resman/variables-toplevel-folders.tf new file mode 100644 index 0000000000..d30379326a --- /dev/null +++ b/fast/stages/1-resman/variables-toplevel-folders.tf 
@@ -0,0 +1,93 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "top_level_folders" {
+ description = "Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute."
+ type = map(object({
+ name = string
+ parent_id = optional(string)
+ automation = optional(object({
+ enable = optional(bool, true)
+ sa_impersonation_principals = optional(list(string), [])
+ }), {})
+ contacts = optional(map(list(string)), {})
+ firewall_policy = optional(object({
+ name = string
+ policy = string
+ }))
+ logging_data_access = optional(map(map(list(string))), {})
+ logging_exclusions = optional(map(string), {})
+ logging_settings = optional(object({
+ disable_default_sink = optional(bool)
+ storage_location = optional(string)
+ }))
+ logging_sinks = optional(map(object({
+ bq_partitioned_table = optional(bool, false)
+ description = optional(string)
+ destination = string
+ disabled = optional(bool, false)
+ exclusions = optional(map(string), {})
+ filter = optional(string)
+ iam = optional(bool, true)
+ include_children = optional(bool, true)
+ type = string
+ })), {})
+ iam = optional(map(list(string)), {})
+ iam_bindings = optional(map(object({
+ members = list(string)
+ role = string
+ condition = optional(object({
+ expression = string
+ title = string
+ description = optional(string)
+ }))
+ })), {})
+ iam_bindings_additive = optional(map(object({
+ member = string
+ role = string
+ condition = optional(object({
+ expression = string
+ title = string
+ description = optional(string)
+ }))
+ })), {})
+ iam_by_principals = optional(map(list(string)), {})
+ org_policies = optional(map(object({
+ inherit_from_parent = optional(bool) # for list policies only.
+ reset = optional(bool)
+ rules = optional(list(object({
+ allow = optional(object({
+ all = optional(bool)
+ values = optional(list(string))
+ }))
+ deny = optional(object({
+ all = optional(bool)
+ values = optional(list(string))
+ }))
+ enforce = optional(bool) # for boolean policies only.
+ condition = optional(object({
+ description = optional(string)
+ expression = optional(string)
+ location = optional(string)
+ title = optional(string)
+ }), {})
+ })), [])
+ })), {})
+ tag_bindings = optional(map(string), {})
+ }))
+ nullable = false
+ default = {}
+}
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index abdd250ea6..734695edff 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -17,11 +17,24 @@
 # defaults for variables marked with global tfdoc annotations, can be set via
 # the tfvars file generated in stage 00 and stored in its outputs
 
+variable "environment_names" {
+ description = "Long environment names."
+ type = object({
+ dev = string
+ prod = string
+ })
+ default = {
+ dev = "development"
+ prod = "production"
+ }
+}
+
 variable "factories_config" {
 description = "Configuration for the resource factories or external data."
 type = object({
 checklist_data = optional(string)
 org_policies = optional(string, "data/org-policies")
+ stage_3 = optional(string, "data/stage-3")
 top_level_folders = optional(string, "data/top-level-folders")
 })
 nullable = false
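Review bot: `parent_id` is the one attribute this new file adds to the `top_level_folders` type that the same patch deletes from variables.tf, and neither the description nor a comment says what it accepts or where the folder is created when it is left null. Because the value decides under which node the folder and its automation service account end up, a malformed or mistyped id should fail at plan time rather than at apply. If only numeric resource ids are meant to be accepted (top-level-folders.tf is outside this hunk, so that is an assumption), a validation with `condition = alltrue([for k, v in var.top_level_folders : v.parent_id == null || can(regex("^(folders|organizations)/[0-9]+$", v.parent_id))])` would do it; either way the description should mention the attribute and its default.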
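Review bot: `environment_names` is declared without `nullable = false`, unlike `factories_config` right below it and the stage variables earlier in this patch, so an explicit `environment_names = null` in a tfvars file replaces the default with null and any attribute lookup on the variable then fails. Adding `nullable = false` after the `default` block closes that. The `dev` and `prod` keys also have to stay in step with the `["dev", "prod"]` list hard-coded in the `fast_stage_3` validation, and a comment such as `# keys must match the environment values accepted by fast_stage_3` would record the coupling. `factories_config` continues past the end of the hunk.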
@@ -68,80 +81,3 @@ variable "tags" {
 error_message = "Use an empty map instead of null as value."
 }
 }
-
-variable "top_level_folders" {
- description = "Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute."
- type = map(object({
- name = string
- automation = optional(object({
- enable = optional(bool, true)
- sa_impersonation_principals = optional(list(string), [])
- }), {})
- contacts = optional(map(list(string)), {})
- firewall_policy = optional(object({
- name = string
- policy = string
- }))
- logging_data_access = optional(map(map(list(string))), {})
- logging_exclusions = optional(map(string), {})
- logging_settings = optional(object({
- disable_default_sink = optional(bool)
- storage_location = optional(string)
- }))
- logging_sinks = optional(map(object({
- bq_partitioned_table = optional(bool, false)
- description = optional(string)
- destination = string
- disabled = optional(bool, false)
- exclusions = optional(map(string), {})
- filter = optional(string)
- iam = optional(bool, true)
- include_children = optional(bool, true)
- type = string
- })), {})
- iam = optional(map(list(string)), {})
- iam_bindings = optional(map(object({
- members = list(string)
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_bindings_additive = optional(map(object({
- member = string
- role = string
- condition = optional(object({
- expression = string
- title = string
- description = optional(string)
- }))
- })), {})
- iam_by_principals = optional(map(list(string)), {})
- org_policies = optional(map(object({
- inherit_from_parent = optional(bool) # for list policies only.
- reset = optional(bool)
- rules = optional(list(object({
- allow = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- deny = optional(object({
- all = optional(bool)
- values = optional(list(string))
- }))
- enforce = optional(bool) # for boolean policies only.
- condition = optional(object({
- description = optional(string)
- expression = optional(string)
- location = optional(string)
- title = optional(string)
- }), {})
- })), [])
- })), {})
- tag_bindings = optional(map(string), {})
- }))
- nullable = false
- default = {}
-}
From 88c3c0c5e1cdc46a8a9469878d9b3ce800e3da4c Mon Sep 17 00:00:00 2001
From: Ludo
Date: Wed, 28 Aug 2024 07:07:21 +0200
Subject: [PATCH 08/94] doc
---
 fast/stages/1-resman/README.md | 109 +++++++++++------------
 fast/stages/1-resman/diagram.png | Bin 214190 -> 184125 bytes
 fast/stages/1-resman/variables-stages.tf | 1 +
 fast/stages/diagrams.excalidraw.gz | Bin 82884 -> 82884 bytes
 4 files changed, 54 insertions(+), 56 deletions(-)
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 854fa6c507..d76501733d 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -1,11 +1,10 @@ # Resource hierarchy -This stage performs two important tasks: +This stage manages the upper part of the resource management hierarchy, and decouples later stages (networking, etc.) from the organization by managing their prerequisite resources. -- create the top-level hierarchy of folders, and the associated resources used later on to automate each part of the hierarchy (eg. Networking) -- set organization policies on the organization, and any exception required on specific folders +The complete hierarchy is not managed here, as considerations on departments, teams, and applications are too granular and best managed via the [project factory](../2-project-factory/), which this stage enables. -The code is intentionally simple, as it's intended to provide a generic initial setup (Networking, Security, etc.), and then allow easy customizations to complete the implementation of the intended hierarchy design. +As many other parts of FAST, this stage implements several factories that allow simplified management and operations of recurring sets of resources. The following diagram is a high level reference of the resources created and managed here: @@ -15,7 +14,11 @@ The following diagram is a high level reference of the resources created and man - [Design overview and choices](#design-overview-and-choices) - - [Department or team folders](#department-or-team-folders) + - [Resource management primitives](#resource-management-primitives) +- [Stage 2](#stage-2) +- [Stage 3](#stage-3) +- [Top-level folders](#top-level-folders) +- [Project factory](#project-factory) - [Multitenancy](#multitenancy) - [Workload Identity Federation and CI/CD](#workload-identity-federation-and-cicd) - [How to run this stage](#how-to-run-this-stage) 
@@ -35,28 +38,37 @@ The following diagram is a high level reference of the resources created and man ## Design overview and choices -Despite its simplicity, this stage implements the basics of a design that we've seen working well for a variety of customers, where the hierarchy is laid out following two conceptually different approaches: +This stage implements the basics of a design that we've seen working well for a variety of customers, where the hierarchy is laid out following two conceptually different approaches: -- core or shared resources are grouped in hierarchy branches that map to their type or purpose (e.g. Networking) -- team or application resources are grouped in lower level hierarchy branches that map to management or operational considerations (e.g. which team manages a set of applications, or owns a subset of company data, etc.) +- core or shared resources (e.g. Networking) are grouped in top-level folders which map to their type or purpose, simplifying centralized management by dedicated operations teams +- team or application resources are grouped under one or more top-level "teams" folders, and typically host managed services (storage, etc.) where individual teams have access -This split approach usually represents well functional and operational patterns, where core resources are centrally managed by individual teams (e.g. networking, security, fleets of similar VMS, etc.), while teams need more granularity to access managed services used by the applications they maintain. +This split approach usually allow concise mapping of functional and operational patterns to IAM roles and GCP-specific constructs: -The approach also adapts to different high level requirements: +- core services are clearly separated, with very few touchpoints where IAM and security policies need to be applied (typically their top-level folder) +- new sets of core services (e.g. 
shared GKE clusters) are added as a unit, minimizing operational complexity +- team and application resources outside of centralized management are grouped together, providing a unified view and easy budgeting +- automation for core resources can be segregated via separate service accounts and buckets for each stage, minimizing impact perimeter -- it can be used either for single organizations containing multiple environments, or with multiple organizations dedicated to specific environments (e.g. prod/nonprod), as the environment split is implemented at the project or lower folder level -- it adapts to complex scenarios, with different countries or corporate entities using the same GCP organization, as core services are typically shared, and/or an extra layer on top can be used as a drop-in to implement the country/entity separation +Resource names follow the FAST convention discussed in the [Bootstrap stage documentation](../0-bootstrap/README.md#naming). -Additionally, a few critical benefits are directly provided by this design: +### Resource management primitives -- core services are clearly separated, with very few touchpoints where IAM and security policies need to be applied (typically their top-level folder) -- adding a new set of core services (e.g. shared GKE clusters) is a trivial operation that does not break the existing design -- grouping application resources and services using teams or business logic is a flexible approach, which maps well to typical operational or budget requirements -- automation stages (e.g. Networking) can be segregated in a simple and effective way, by creating the required service accounts and buckets for each stage here, and applying a handful of IAM roles to the relevant folder +This stage is not designed to allow free-form hierarchy design, as in our experience that is seldom conducive to a functionally and operationally optimal GCP organization. 
What this stage exposes instead is a set of primitives that you can use with in their predefined configuration, or configure to suit your needs while still keeping with our general approach to resource management. + +## Stage 2 + +FAST stage 2s implement core infrastructure or services which are shared across the organization, and are directly supported here via a fixed set that includes the networking stage, the security stage, and the org-wide hierarchy and project factory. + +All of these stages are optional, they are enabled by default but can easily be turned off -- and then turned on when needed -- to avoid having supporting resources (service accounts, buckets, IAM) created. + +Configuration of these stages is via the `fast_stage2` variable, which is set by default for maximum compatibility with previous FAST versions. + +## Stage 3 -For a discussion on naming, please refer to the [Bootstrap stage documentation](../0-bootstrap/README.md#naming), as the same approach is shared by all stages. +## Top-level folders -### Department or team folders +## Project factory Top-level folders for teams or departments can be easily created via the `top_level_folders` variable or the associated factory, which expose the full power of the underlying [folder module](../../../modules/folder/). 
@@ -232,33 +244,25 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | name | description | modules | resources | |---|---|---|---| +| [_moved-v34.0.0.tf](./_moved-v34.0.0.tf) | None | | | | [billing.tf](./billing.tf) | Billing resources for external billing use cases. | | google_billing_account_iam_member | -| [branch-data-platform.tf](./branch-data-platform.tf) | Data Platform stages resources. | folder · gcs · iam-service-account | | -| [branch-gcve.tf](./branch-gcve.tf) | GCVE stage resources. | folder · gcs · iam-service-account | | -| [branch-gke.tf](./branch-gke.tf) | GKE multitenant stage resources. | folder · gcs · iam-service-account | | -| [branch-networking.tf](./branch-networking.tf) | Networking stage resources. | folder · gcs · iam-service-account | | -| [branch-nsec.tf](./branch-nsec.tf) | Network security stage resources. | gcs · iam-service-account | | -| [branch-project-factory.tf](./branch-project-factory.tf) | Project factory stage resources. | gcs · iam-service-account | | -| [branch-sandbox.tf](./branch-sandbox.tf) | Sandbox stage resources. | folder · gcs · iam-service-account | | -| [branch-security.tf](./branch-security.tf) | Security stage resources. | folder · gcs · iam-service-account | | | [checklist.tf](./checklist.tf) | None | folder | | -| [cicd-data-platform.tf](./cicd-data-platform.tf) | CI/CD resources for the data platform branch. | iam-service-account | | -| [cicd-gcve.tf](./cicd-gcve.tf) | CI/CD resources for the GCVE branch. | iam-service-account | | -| [cicd-gke.tf](./cicd-gke.tf) | CI/CD resources for the GKE multitenant branch. | iam-service-account | | -| [cicd-netsec.tf](./cicd-netsec.tf) | CI/CD resources for the networking branch. | iam-service-account | | -| [cicd-networking.tf](./cicd-networking.tf) | CI/CD resources for the networking branch. | iam-service-account | | -| [cicd-project-factory.tf](./cicd-project-factory.tf) | CI/CD resources for the project factories. 
| iam-service-account | | -| [cicd-security.tf](./cicd-security.tf) | CI/CD resources for the security branch. | iam-service-account | | | [iam.tf](./iam.tf) | Organization or root node-level IAM bindings. | | | | [main.tf](./main.tf) | Module-level locals and resources. | | | | [organization.tf](./organization.tf) | Organization policies. | organization | | -| [outputs-files.tf](./outputs-files.tf) | Output files persistence to local filesystem. | | local_file | -| [outputs-gcs.tf](./outputs-gcs.tf) | Output files persistence to automation GCS bucket. | | google_storage_bucket_object | +| [outputs-files.tf](./outputs-files.tf) | Output files persistence to local filesystem. | | google_storage_bucket_object · local_file | | [outputs.tf](./outputs.tf) | Module outputs. | | | +| [stage-2-networking.tf](./stage-2-networking.tf) | None | folder · gcs · iam-service-account | | +| [stage-2-project-factory.tf](./stage-2-project-factory.tf) | None | gcs · iam-service-account | | +| [stage-2-security.tf](./stage-2-security.tf) | None | folder · gcs · iam-service-account | | +| [stage-3.tf](./stage-3.tf) | None | folder · gcs · iam-service-account | | +| [stage-cicd.tf](./stage-cicd.tf) | None | iam-service-account | | | [tenant-logging.tf](./tenant-logging.tf) | Audit log project and sink for tenant root folder. | bigquery-dataset · gcs · logging-bucket · pubsub | | | [tenant-root.tf](./tenant-root.tf) | None | folder · project | | | [top-level-folders.tf](./top-level-folders.tf) | None | folder · gcs · iam-service-account | | | [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | | +| [variables-stages.tf](./variables-stages.tf) | None | | | +| [variables-toplevel-folders.tf](./variables-toplevel-folders.tf) | None | | | | [variables.tf](./variables.tf) | Module variables. | | | ## Variables 
@@ -270,32 +274,25 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory | | [organization](variables-fast.tf#L109) | Organization details. | object({…}) | ✓ | | 0-bootstrap | | [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | -| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | -| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | -| [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…}) | | {} | | -| [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…}) | | {} | | -| [folder_iam](variables.tf#L146) | Authoritative IAM for top-level folders. | object({…}) | | {} | | +| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | +| [environment_names](variables.tf#L20) | Long environment names. | object({…}) | | {…} | | +| [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | | +| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | | +| [fast_stage_3](variables-stages.tf#L84) | FAST stages 3 configurations. | map(object({…})) | | {} | | | [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. 
| object({…}) | | {} | 0-bootstrap | | [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | -| [outputs_location](variables.tf#L160) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [outputs_location](variables.tf#L44) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | | [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | -| [tag_names](variables.tf#L166) | Customized names for resource management tags. | object({…}) | | {} | | -| [tags](variables.tf#L180) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | -| [top_level_folders](variables.tf#L201) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | +| [tag_names](variables.tf#L50) | Customized names for resource management tags. | object({…}) | | {} | | +| [tags](variables.tf#L64) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | +| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | ## Outputs | name | description | sensitive | consumers | |---|---|:---:|---| -| [cicd_repositories](outputs.tf#L376) | WIF configuration for CI/CD repositories. | | | -| [dataplatform](outputs.tf#L390) | Data for the Data Platform stage. 
| | | -| [folder_ids](outputs.tf#L406) | Folder ids. | | | -| [gcve](outputs.tf#L411) | Data for the GCVE stage. | | 03-gcve | -| [gke_multitenant](outputs.tf#L432) | Data for the GKE multitenant stage. | | 03-gke-multitenant | -| [networking](outputs.tf#L453) | Data for the networking stage. | | | -| [project_factories](outputs.tf#L462) | Data for the project factories stage. | | | -| [providers](outputs.tf#L481) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | -| [sandbox](outputs.tf#L488) | Data for the sandbox stage. | | xx-sandbox | -| [security](outputs.tf#L502) | Data for the networking stage. | | 02-security | -| [tfvars](outputs.tf#L513) | Terraform variable files for the following stages. | ✓ | | +| [cicd_repositories](outputs.tf#L49) | WIF configuration for CI/CD repositories. | | | +| [folder_ids](outputs.tf#L61) | Folder ids. | | | +| [providers](outputs.tf#L67) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | +| [tfvars](outputs.tf#L75) | Terraform variable files for the following stages. | ✓ | | 
diff --git a/fast/stages/1-resman/diagram.png b/fast/stages/1-resman/diagram.png index 02c12d495403701f4ec355b3d86faf99dc9979b6..4351088a84647ef72f0920f075e955b55ee797b2 100644 GIT binary patch literal 184125 zcmdqJ_dk|@|36+S37MgYvXu}Sp^{lPl@dad&ay|cN;b*JNLE&*VN*6`CKM?%Gqa4- z$jJKK&)4g^KA-pd_WcjO=MUFaz3Oxv&*SlYJnrjx1nFp<*-gnxxn;|i-KuAm&TZMU zvuw*2vTYRG@F%yA3y(R9-zo2i-wd$iSaxJpZv3^} zSX)WgPI~NQ_}{;B|1$z-i-@c8o zq1uw%^^yH+)S>e{>vjMB#TI(`mi_qUaM~Tc!W*x@S_IvwZ$(HNqqE#94=HGA z)7vH@Y##CCc3J)N&%S^A#?!t3w724(|6Hq#;79SDTeh^&uP@J%QJsl6`>fEmzpkd{ zY>6^Mow?X-kIvKQ-1q;-U#Eye{fr0Z<>j^1;;*V@39)YruC20lEH(;ywWaJyYYPQWNAWXK|ul8PMW49 zITLN|Y|qUNMm~+@u_VufgIR6v>wn)?RBT|~H8eFnH`WeKjNaD@q5eduwZJk1+r4DYV^5v%fR< zTEH_litdYMWCaOH=oSmIbO_QI+lgXs4t$8@*=H;Dpu%4i6DYL@u1igE%C!;yD zH9+7$_w01>f~wS(HM8UUKhKYS;pXD9=`HbN?&SUW@gt$%*=y0CnagEuIX6B&UJ2hA z|LfPUygV@{O;y#P;kY)=xqIeT+$C10s$n+zwp&j*YAR*C+KyOBnYGTToO zv{H2LO=!%2ZgqdpNm-MH9l+pv0QB_Xr$5{5e6| zai}Kfz$uR+yTPh(PDNZ>cVTRDc}i=l$z4ggmaXz{3ETK08%7**d&F5oH2Bm@l!ZF} z*MnsANtUL2i6=GLmA|<*udS@?mu!9E!iC2oCN{RV+Uae%5{B=rZq`d~3zDZg^1dwl z^d!ai)T?WhGE^_Uy}hv%2LCR_e{Nnz6qS04m5q&&k@4h-6O>d`JFJfpT9QW^V+{56 zKYsf3&i41|fcv8l9F8Z<%{eeJF*%XZ1SqDwzfg^b@3Eqw-y&4`K?(R0IU^}a-s+n}^?#kTA-@kvS`ea(X zl8aM$7;et=m7jm1aY#VmH)<1=>Sq4xIMN3LJL?&s%+FYPV4 z-PYdje`u>=P^}q#`@(dup@KChT3T9ia&kez1$lXSMMXufTwQUcRrUQ>5-XO*b^h;8 z+%k(EvMi#kT$?24nQHm^&6@)!T(-#1UwoaBk@51SX|Dd<+}ug`#VE8br(mVIq1xc@ zZ!R&urj-iPN)OvBYWAbZ{#xC`eJ9(_F(KM|3UjFyp`XVlaljEjnpk&)qViC(LF z`R2`efv9(udS`U>^<73jMZbLc^2ZOO3bv!MO=!$d;^XoB%6knv_8pDYsLD-${`~o? 
zS6wvPs0?-{rrUV3m$Hp_z2AMpezW4ajbiA z+xJ)v3k!=;EbX{c$-keds6AKXLtESfM`|g#J}B;Sx`0obv=+L2Jmszf>>&@u>y`_cb z4G~O&7Xx#JEURZ>pUM14-Y5j z;Of#$C+p#88H=X9mX^PZ9mnR#GYzyaUc9&vf;rPa;rWG?m6Zd<_OmYJ$&DgTZNb~xHvsMy~v(4POH|p zFWMAkBS*=bgC9H)HY&2iQy3aDTT^?VEblY=C8^S?ORRNiabO?bhtIo^R8=rM$h{Nu9XhfN%^O zJ-wF*+AP+@`R_rp@qv%ciD6VuHb%l7Ur3)YTa9qF=W$P-95Jczz-G$yNM)0sdM2) zUJJf(_%@~(I z7dQV@>0P>H+gtJnHxA&!bxP^X8Gad=l8_!=jVo7rapQ*%AI2;yb(%=U2Rkt%)+7@?#&~ zl5dQ!8F9Gl;ejW2@TKgKa(Y{2L`0nI@{8!iKK%7rcUq1U1Z!)dPmz+6l7ClLc5L5H zQPPz5`nB6+XD(lx^yMS%gVh0w3JOm&`1*G{-M)=qMny;GDhDla47ueN(KrNpYo%T9 zov{@Z6{Qzz2D-f8f9C4d6fdu>B^C`4yud)=M!{R|Crc0T%gU|-59Q|OdeelZC7m6f@G~iEYBq1IuUg)^WzqB`B|AGiHPyR6Iyze7?q4U5*}igjGIDCddfN_iaup?| zsHiAn-jN-U5*Q`9@M{l`T4VF6y3@0OVep8Az#0JyKw&e`E%z|TM3u} zxR;36&2tMAZSUW|A09TBjMpquH!$d~sxm|0aloKW)?auAh7p@OHOw747$v0 zshF4;vxu?A$Hu;bo00kX`Qhx$OiZ|ny4u>oq`U_YKA~5m5zbx&Y}k>wtgEdpa^i$h z4Y^cIVPPR|BiTJSEDw_$5D;zONhVPx?dHv!62A#7>gg;T94JqV$#<2Nn`j|%KYGT# zBu!0C<>%%3+NwN1x4ypacOm}On>UUQ4!6YEZxaVTU`AEB2RToZ_O9#zC#B48ia05% z?f*XDPZMqFO8^yFT}Ae3=pxuR)>c;3yLa<;h!a;aC+Wt~4Lmp3?>IS$+m7!}%gC4< zA1Bz_inxuVV1M-Wosy8ytC{+eD9b-Ca{j`FZ*?JT@fi_b(YK24t}X%^Qv8n9co7;( zV{qf3u&`E?gYW^ld*V`3*;!e}`4%CirLu#@hK7a;PC*JO)U4t!(VVfpfz>fG@Hcr1 zj4oYTYKlEZFxo{GY2EWqGpZwSiu3ScwJ4!l>?^f1XLg#PLT+7uE$j0^Ki@)ASNBo4 z^`1R@j4SW;daFwm{rK?%Bm})54?$H`6-&dmZ(mne*RBRuEe(x={QRF+wD}_O121Lh zi`x7sqB&QWSZn6$;^OP?Pubtp+-wc7!8LtMK!AXe)@kkNIFA*%RtRc=hHh0w9jmW1 z_c>9PV8woWak2|HJ==V7`um#>%#570@wRkrLQo$c*{sk-Jv|BM$NFbREG{_X7mRH4YN`jsWV)YK^R(Z@oD6!xm*KC^Qp>bl(`%vhZ99=~!zg+Z zoiGbM*;wUA1why5o&GX26ZA7t^qL9=Gsf$i*RRoz@ne>j`aQMdC53=nTgZ-yi7jVU zdaTTW^6_arX_4m|#i+!%u@p1Y;(Fw9_ii~DSH>sJv{qt|tE=ns6x!^(O4FUdlKaBAs0(obJ&sY$ptsyT z#_mO9jEg(1eR*f7>whug#Fb(PKcbw1s_F#3t<#!0IQr>R;glC%{RRPnf9{8BC@NN0 zS9A07UhjElefRIeU~lrvmjulI(9qB-^}rncBmDg7OEdjHEd};`ij%O6h=^zh5xTdw ze6#HZyWG7se5()n?y5pp6nsE6=j1P3k71#Waz|u?xvXp{`cFTY40b@aarxZ*yyE#1 ziWF<=?!8u9Dqg&>I6qTgnOSAa&%={^M_ENBH5iv5eQ&J@^2b$LCz;;5x>2A`U|E-M z6KFomY8y$!yg|34upn2{NM8Kw 
z`oVigDz#ZldwZSjPx~Hh^Zp`x#TG>@pNr$YlP6EMx?WlSOB^Iy)DsdGw#mC{ChDS=t5I#|1pNyRJslmoxiYXROgjRPfv#?AeLZjleo8I(nNXtwLMtjE`%0<* zJwI0}x?KGXU@-<6Z45rgvCk(xH%jnU6DbPZ1X3UAGkllM!A&XOF=+#8|I*c zlatZgTY8W@01H9)&%W$pU}KAa`t;st(?0nT&9(LQR&!(UKu=H4YuBz-SpXl`)z!Il zKF`ga#m>V+sFo5C7IwaUTe*?4l~BOQua(T?&|sby8+%znVcXMfo9nB0`uOO*%|KUE zzpcBhE(#fB@7LVqd2|-bt-untUz&@j?0Ir>&fQh#GiU1Yr7U~)3~;Uj@!hy_Lp)j9 zb#D0m`_l?;hhjC1OPmfFY%K)+p)QX_+dqBpp%)&;2wsxzFQv(C03!G2`P~IG(W=hzq*iJy5u@MpH zOiaSAe5Z@D7IFrl`0(L_dW4YRg0V!RY10!?#Q>VxfOO(LKU#K~gf+nJ)XMc8P`dO@Tkr}PuE?k+$ViH?d=Qc>|o)it!@=5pV?qoJi8 zOZ+M%A~FNcyv!A%LPbNv*Yxn=p(96>9M@l7xCPMCvU}UMZ7oFRXtmvxlw1!h>N5=9 zQqsoF@AiN3{CP?+HUQJ#Uz@82Ey@cq6VN0G%XOWddlL_7g`+JS8W^Nn(r}yzq|uDS z95{V?OaDy;pl6Cwh7sOCDz`yjTN|rLo4&Fjl_p%?HZro6ikrY2N-Xp9^UAxHQ4OGi z^A=$k9H9r~D$wvSRZ-~0#l`3i%OfFJ=Kw#y-PjaR!=M(RVB6c<#aWwsd)YMu>a!m0 zWn%-d0pFy0^`P$s$bhxAb!*@Xq_eW}@|AWb&ax1Gt%RJM9J+f`Th~K@X#;$HL4pR- zMSy^I(sDp`!E_pl;8iD5vEj+q`iw#*kaeCsy>!#mbl~StpV0UE#SXmpR?#GUqg=^- za-Al=zUT{LW|ej@cX25yFF(n7=eUT-7i>w;DnOZK;$U-c=3d#8)NwaBpPgs~RBsjk zRdILK-_H-oXx;`gMvduFqOyYC8wdbc;}lCi?WZ2t?R{y=>gtw|zLutYE%U5jwl8s* zdE~OMLI1t41(71TsK^D4+QnZD%8RS3bcjmiqet|!g^EL|X=%TI|86ZnBMMJ$YHE_Q z?K8cR@4h%$>^v3s%8DSJrKR^}`aD$jYNgBp zhz8PF0r~*&E_I%IkeTu7Rk7Qj*I{9_tRhd3+owWKsOW5Iq2u5Pop!~{_TV1X_a%89QJ?~Vp6+3)8~I&;#8MTVfD|ATL%|Tk#_P~GG^fKm(4lrQbspOD zASNaTUGSxD8d2dr>9Rp6JU363jG*KVi4TSRAIs2-8)nd<`=fg6StgwR;yLcP!f}So zc&~|x34m8c2ZJ3+;|VNINJuCxEsc(5atj3I4^ew=)>Ue6Z;!rVk>3UA1`#MEICvGJ zM2_^)GeDQWev#B#r+_2Og5u)hTwGP%-Q6EPc-g+s(qxx**eP0zK$f6U$V8f4*7#fX?J&d$y*E!7{>hKAwxyIn|p2e*)rkfbE@ zT~l3MddVw;kcqIqIZw-riuQ(3Ud>@>I!^B6)qX)#OiUqv(*=BzvY6$rjIy$_ZiG=) zb#?2O5%k&?fnA)GB5EH9#%DtJa}Hkt=e&Ao@n1cYC$a&sxXjT4g8uJczupb(Go%iA zwJT0WI}nT}&4-+%o$v?%ZfjP>iI`LvRd{rPt+Xhj6SN5K=V5pS(Jmz=rHq@ig?fE` zb?GPn0a#st7IogE_^c6MwFk%i~MnpdxK z8myBVQGF;o<3iFrnze7NZLTFP6lw)ZM)0TIm72$&0YT*kN?Ux2I^@!_zx=+haUqFf zhlPcOcbX|FZJ*f@0Z|3($gtrR9D|BUN=kbB_75=ruE-|4;vYr-eB?IQ+8P>Eqtwrv zO)l6GI{3%uDM4+A8;|X!#$sL%eDmhbHI`T`4@KfbJovY7B}&MfpFyM{ZSVfIJ55kI 
zT;(JN4Z7R|mufc{z_%8BwNqtp|GL20pVxkZ`S*yDW!jUeuKa+b5>(62(X%r3b0HYB zzyo-Hf2)hy04n=yTU&1R5n0*znW&>!Kd>UO`@5xuabaKz)BTl6;XGa?P7@3yPR_oS zRUGXFk9BHM?t&4<2I%0dGM2F{j@QkN8(29gi{x-=6AzOEV|?k%e;)ab^BS z!`tUqJ}4z8>jBAwhLb>OG{DU`7pI-7&bf1FX82UIop7+TJ6Lm&Vk{e-)Ka-;bIelv zY{(c2nKF~td&kvQ<*MO;s>tM(Pai)XY&!Dbb!KKWJ`D|nAy3}Ce7XOmTS2jQhZ;fP zfllG}+7Smik7XSlo%>nP&QAw~b#-=vuAgb)7#bR)xUGD&qN2jvVy5O+Sh5hb6)GyK zpCM1u0C^~?cTim4k1NG$;j%DQ&;?DZsxKe8sH9YbW(_{x`eUzIBhczVfM}xD=ITu4 z>~_O#!ZE*RX1`hmk$zJmu(fBcefw)N6~vjFm|7+v4<1+GcCJBvxeNq1*6Gp?B< z)@4@K)(|z-^i`kSW_%;nYex9-3?Am$Wu~8lgYp!?jGt5(M;WZ-@2ZG<9OC6=VrMT0 znBzO}9hxu|i*UiFKF7j3%N$iXL}r+7P}>)73;;E`(CM5%AE~3WSI^K;P(bYuX!HI1 zTPp6rlXjv}VF+>p1NL~WCr>g!g@Lc;cIUMb#6c@+YHAu|L<}!qrcVtq5?;b)hEr;i zXWl?!CUVyV2N~JmS0~EenX8+%XAw3!_|4)&;&FS0kDhW0S|=d_ijGqkJjuFJnrdP_ z8UC@M;e)5i$jFG_vzz()8MlA8r=$^E%2RsJ#&bnB9J6Q&3=AxCU&_kQKX&T#mY7G6 za&bYp!QLW!AKN{r%Mv+gPHGOWy4KdzBp-MTzJSfg7vZ}wK)?P+e-ynH!! zrY~ox7~<>rbt!7jv%R0xUy&%i?XlRVj~~x+vY{O%-XT*+NNjmJ+Fp1)SD(=03<@eE zBLhf?Vhv^9nL0Phd&Fag!N1!iRI#G+|!fY`vd)a!DTcv*y zr9$N@hhlzk?`wY3)WF@WPyU_fB%KFCk$+3kwS{ zRv!;x*4gd2`00O`=x$i3q5bH|n|aq8UuY%9g@>C$Um|>Kd?I=cDmC;#*BOP%2y1(_ zZ*hH!Wg?3mCjmZ^f9^eQmpndJ4gdqS9s~0$`cP}@<#$$H&;g+v_-Z%wZIDz2At6^X zW&;BQjNCCH9p=4zpF~Esh3?+2NgxnT2Y3K(O3TV_o)Tpz_HfmRx^5QP7aOTEU1jtG zTIG<%_vhv3E6yl0GWT!=rE{NVJb-(UoeNMdQmB@Co5fvNS)2Sq`e1Ld<4(CL_dmbB zdv44pfo57g=AdUk;c`?;ip4~UOaoJ?&i2dGlWc4k71LVL561=u?9hYZT>Qr^oM?k& zCtB^l8`exh@<)2s2<}H`(JCkUD=P&KC3tAYij4qIFAue*oxvFUd}l!0$mj=D64#C! 
z78a?&zQ^)MM;o7k)$6*H8Lh%l5iu^qy`oc8n;r$_;1dzaPD?vx)p-Mn;}jRozw5jJn7@TsM9V zawK$Slt4f>$*zK%MNZ4nw5qh9hF@HK0eUAPAyMr)ikZ@5mO>`6!g|ZJ7;q*n zEp6qVhxG%6lqa#V&55#0Sow{O4d21zaJta$A&tuS%b*@TX33l3*x+`E%I@y&Rsj%J zfatpNuB&TkG~thtZ)h-|!_A!uVU=)OAUOHbJ<#BTl+QBLkEIwJ9Q+{rE?MF~z3JCK zy=glTYj4igY7DU=qbzT41?;wO-@hN)L+SJ3WmZ<5RDMp5owM^al*{_qdB#$=Ti37a z>FWn(KZ0_Sn|nFeY=?6dc-hFnKzKxiw=F>Kz~G?QM%b1JUO~YgKojx6$oTl*lau@R z?xkpR^3i%oS5HkzdCSTQl1vR>`0~O8qjQ`PKR>^ShzLKwl-a&i)~$Q~x9)|2`M2GiYdsZ4;oa^RcYzAYgxJ_%d`uM$!N=p9-NV0=@2 zmd(wZUFq5fTKjjS{4JVUQT}*#P*+ou?p?eHElkhc{F#eoBLE+q{hyAUD8{-fX~W3(Eu;0KYjcE|Sv=ztz#*QIHHFw3P#nuKJQnUS$w z;wAw8vUP?NwT$6uV`Gl^W-N)qfpailF=65B4OqgE(@K=_+btL?=Xr|b5j7Q6PtH{z zrHvIGfhdwIkSHs~$5;2|3vIc7NjFrC=8vf*dGKoVo#X~>G2ov^PjLq=Z8gr zW-Hd3WCI>K-bhVDGirAnKWR_LYX3i-`kmwcR6s9#@O#4&r<>rN2Rzrj?mQd&oT#W> z2T87T$UH`}$|4_B71TW-JEd*H%gc-KHcR+Q$@ZN)MXr?W5h{(rbtfjSH#Qe{1i=)5 zxkAHU;f&4+eQ>{w)7jLiZONIYTlYDIB&%IUO2ct?=1!7kPy(^vXKg-UB zUDcX=G@v>NY$z6tlY6<`6O$3xT%L5#9fxaH~?d@f}MEl&?Qpq-o6rxo9O_-H~BJ3U{6d!Ow=i797$9)}2a z{P^Czdyx*o;OQ&9L#sLV;q_fuL=In{sp^|AF338fiDv;H<9g%c9XogKBqty0 z(gPhQA)clIv#Z!w9UrvS)eVd6Qp(HkV(zJ{sezRvi=up1wY{T5?)I-e%-C4M+ zy=M$_ztEyN4i7hVm0Muvy=4Gp!Q9Q{yNM?$O~g%BE` z9HB?SkU0hBY%KBe#f!S{-z9{FX?}Co_Dl@6bRBXH@MTonf=iLGET9u{cVBI3(Q&$8 zg`J08QGB(UoSQqXz2498UnqL`pLXw2=Jo6w-V0YCW(p zup`VVsZ*yoX2jrEz~0VbQGR&{a&{3cg;o>RlxCn>z6*bTeS|QA&2!S`$8ir*@G>op zdqWYAL?3SbnlWxhUA+;+$255N?%kN$_;}nA77;nHcQ3G8V0J8$Oz17J4DM$`ZH$D) z0sk?Oo;ye4!eI#>9`n{zWx}Y4mdh+O;8D5~7s>d$@aM5MfXM;={!pX$Rq9s-Yo%kq zfCUv76%E`V!_LIk@V=!~@X*Jn8eo$6TL#&ik9NN3qzHKoynT(b_>v%f&BDU}(#WVo zF@hS)@M@o)bf=)#cvxI4&G{xK86yy!7&@gsrL%!S9BS?1L+ZXN@RZ(4PfuJ1R8nkW zU+;knhrjpqxTA?Kvr_uynblIRojU{S!=}swFXo()(SGFbn3&$0e(=V=WVFyZ9dB-7 zAqhDb_4V`08Cg*v$oR-^T0d`)7|Xatz(gh0?dmO9~DyGo`%ZM-Lblq7lA~Z8yH( z2^u-fy**A-Mu=!#y2O&`Q=U2I&Y}yY1l%4fQ?#1i`SWdGzy8wsZtHt3zYF3OSTQOi zb8{27VM&*W(}5@+2l z+eyBgwZN?Q!RVx=kP1RfZrXhugOyC5-_bx8(UWa|sERJC12# z##a3WrX3{XfJY!=RAg#v+aLGhQ$vHFuWyD?aYT4f(}=_D;8}h7K2Ak{YIYf?Z!dLW 
zAMW{@4;3~I_l>iqfnL;!cnAVl_+Vq6JIByH0XdqHqXJ|WvW=9h>I?iBtb5rjRg@N> z8Yd^`avZ)Azy zj7ee67A-`r;N}KiED8+{X0&Z7LoUR!JwyIYB$b)1ZRNFk8U+C(Wo2G*aVHqD1kqUF z84y)iM4!HWE5Nm6Wo314U}LOYT;#_j*>z78@i{i=yU>cpsSAN8Jpy)rC5U@^Zh}YC zwPU~GnOuEU(RpWoNYVo;8R1nV5m2FU=@hGrw*TvfC}$Ve*43HGJLcYTL$%foIMT~` zZj@D2aP0p5=GCj)6JK{EwTWRUpdClglf^%Ivb?-pR9s9y`VFwC467BwCYAGBkwmM+ z%s&Dx;X;(dQVRdkk)k6a{*uaFCdot~Yo`JARFi8!pL#+}42#SuE5MejH`yC2V@ZS- zBOTXVXNWBGfUD1*@sRsGijMZPh^N^nHjFil*nRYSdpl6w)v?3S8d=0^1>>9HYlj8} zaXvbWZVaV(kx53oz{9(6@uK8!T_oku zB1oZEDVra-af5JTJe=nLmwEMMLOK7NdHw!_Jrz-9qG;(!w*@-~hoRDatl}&e#ET+t zerVY`i>Smc`I<7@{t8q>9nCw;0CB1G*T@wk2LSUQM*Xsvm#BmU07SIaA9aWHguXom zK(td3HE@B8!wrms^yX1u6n=iS-ES>dm^09x5Qdhn5a8#B%=P_K$<|Kk$AyJ=5YHFr zrHs{R$I}C`#;2p>%-Eq?#I}&?iJr0B%fu9omI`k8b;8L?6V?D4=WO3FWM4G;n$!>g z$eIH%5fa10TQWK%5Y{Lt5cjZ$5&~Vbxm(fw7J<;x*2Z}Kpf}b7(#FhRY$)u?b05zh zU}TI$PZSgsoG*`Q94RR+4G0KeZ13snLb_-mSc7jK&!3*2-X$vJw5DbzEY)l;0YSm| z$B$Ktj6Mw7AtWSU^qNOdP!_SIU5tDLWP@J51UUil=8L>+Xc!+8vo!Dl;m-m_{iEtQLq(_6 zyH~FcIY(E0{W=Gh4)jLyBu_n6M}2*Jb>5p#*8}$qfTEUhq>%Yj( z&VKS_IUXSLD?Tb|5Gt61zazvAa}G=;Jp6veOXG64lXw3XOv#kvGy`~kS$$8ryA&rg z63QC@hl9berJ%gJWPdlC>94#4Z@%gN;XrTiD%fUVG$e8hZ{0(mEc@a=6QQyO0k*A! 
zqC>F%Ip>WZa-58td7IEK_joD7vvih7e1GO9QB6Z*a(m<%FIWkKEKe}+(OU#3nAb1a z*i6GBATeyp&LD?@OCZ}?ivcaztZ!P zo*t99vZM(NGCbfi_a))0Q8%!V3xEE=-#}ol^=UZq9;u7LVNaFoMTQBKHs?UU7uinm z@k~b#-+;>Tg|xs17cT4%+9v zeogrjE^d}_1_J?van9xjNkSv(Zg@hICFAz3=B$e-DNZUF^zE5Dg(XTGmd1Yq+H$HSdafsULcB}Pf9%@ zpAhcY3eC5w%yJ4x7w(6VzV_a_3^p~W9Hs*n^oCe0V$6*r=LGib+ZT(C4L|3Wr6pAR zwJ&m;QD}O3h43BIHrw66&{SJGfS+o5_cMK%e&q z6CIvs+uv;z*2DO3<1L3PUTDNJ(9sr{0V6I0a4<=R6`Pk@Nt9?+e(R z{~||_f5J>$SQusxX?3%bT!l(>MA9R+~(3#oZEBp?PAvD5l+v>Q04Q=D6c{*m?~`=3O?3Zai- zH*-;d02pVKlqiDC2bquP4?yMlkq+Y|=;6aMcxG`WSxA|gndQNR@DQVwM{os%uvN9p z6_a)v4c28_8&VFWysdkKIWl7J#`pO_n_a%IB^I0T=n>~yOk6fPDDDX=W~wJYj%t*E zPhk{{PG|nH{h1wDJ!piK1qkf=0$hFIaX_DBU$P1u9KnGIoa9ndSD%drjE7%rcl);W z#VpZ)YMdSec<9_d=OlAQPwy?-9rDGu?rN#Btq=zlfwU15N4K5*z=fF-i^&$~j(@An zZ^d{8wSm!?V;U$R+6JgtShPt0H_YN=I45YzDBEv=BS%2b-`fBTO5G_bTI?7S@fMJG zqzRZuumIsox_eITSyu!<=@S8nV4mTW!GNm+COFt8ZXCL&^3F8cePT*A45ElLl{EyX z4*ZYv0uPd(sqA^0diW3snl;SXJ7^VzT{m~^@WZduVt05Tg$4}-i-i+&8-Q~l15jtn zIyiAbhycQ|T%GQf)lD5kts0j)TdSLBGJ^bF$})o2m?G?t{vqA(-wk z0KS<^r^7GA)uP?Olt)J-B{s`k&mXCc^232FlzdqmgBjFHG?+@4*&)6FQ?SyCd+Q}H zUXYjaKt|577~wG5> zx7~mmjSxiv55kF2%+c0EhN8Y7g!MnzKpB-ExonT553E~A<~X@_SXemg%^Rv+yEv6r zr1yUYra&a{aYDioHUFZ7gdcF${fvl~*Jn5vS$bw^b%}3QmESy~pfx5T51I>A<@eTE zy+)pGH#>N$^o0iindZ;~&p;>xgP2=%etko3U z*-mhh8#}je7vEGC{{k@sQ}6KjSVZ=~zyK(y#P7?1C+K@#%vVo0{NKYH%nL*`^v$&~ zxzr|4z~OxRpDIvhDE%D%{L-rusKe|H(%1K=Q%yK}bsL92V=JC3xaeUXxx2`a0d!kl z{B=&SzfO`jYldd4&j%!ff|G-J0pvh$33J=`I>Ot)Q6mbsr3-p`XfMQuH@+wo@DA9v z3h9q(K>abpz?bY0(9-0~;pgSW<0ag@iFTlU#B)gh2y_3sU9k~lo3d#fDXfBP54_3rWnEw7*;WF8*G;S%JV;{O~e!nlo% ziyPA0?K>O?Lt%*N{DhO6#@1rm90*?Zoe0sqRd5lY!E}eMYjt~qM{HpTt(%Zk0w0w~Chh)P1 zV}i#a%lKz@w%BgaJ2_igL?-cRR20vUXRhQndB+wGf#9bVE9PgHTUb^` zO7`NcG0u$~G;(8jDy0j+2mb~;5O@3{JslQf>=JRhE&U5ttY^UxR2Vi#F#eTPY+qvs zlst9T~#&r?OWyZPQX$m^kn*B z8)7&O?MV!}n8Sduvv)*JoqDQc!cl83rkyCm#K2IsbmF1N;pkrj1DJaL?<)Ma8qC1( z0qU-re@3C9p>g8m$z7YX-RW&VVMm<)csgB202-PxG+==DUH$do_Q=qY(wDrven%y; 
zi0Xe4-vhhA2Umt|?LiffcmSxWii@RTmwUmN;2o!p4idC*6tLf`qTN{P+@JoN1wgLi;Q=}0g>>lehL!iq!xcP_ zL*+xuozJ?FtB*r7<3~fzy`)WCgny{FT;X0=xy$Tq{c++g{vrdaIc#6*zh8n-WqQly?L+BlAx zi+I@SAt?f)BES-hjdjJyC?hj-N1`206bZRRat zEkI`v(hel;F|8I8_C03;qYbD^Z*&>QgSw+zu6dnB?i8v*XIur-80~ibtKlZS& zzZ7xEP#%Urs22T3aI z?o~~-ea@`ZYqm7MVMl#Dq2NKa#d{z>pr91AFG#h3V+%-n(bb)gSOgXNP=%9|FyqXlw?; zb`qe~!($ER3o#nt9XT8O$Y!L`5&7gYRx$&k5)~CqrG2ypn23~Zi!`|(kx0zR&u6R% z(eJC1d8@wa73bs+k%Uw}SJ@!0NYe|G}XKit}BxY?9Omdgp)#Pb`v# zG9LZxv|3As>2|<4kIjvf&Z{jciqPCNPi>ER^5o+Z5y>nvM$#{qXD zt92a59PmDjnaOOh7cg=#Nzh6ftK~$hsw6T42n`&~hqn*8dE26ylH)sdHFa=c8KbJhpvO+?dz%|qK31Mjc=)ghx@R}PS!lCQ0ls|EHS67d<0R6J3fS*H9DNHW z&br-WoMs*ygKGG#z5U#)3#=h85EX@el9ja)?08{w=2%oAcMPm>Oe&TpM0l*`9K7%46Apw5uIh4Y!55F8RaTPj=oILRycvjKT)1=z`AV4Q$J~m+Wrxuzd>!U7=V6f} zo9vyn8;UcMefc<3Knj0#vXVdq9NcwKTTo-A4xIj`KP(%(S9TGnKA#R@W$?hpS-e!z z2ETxE2JdKw93VmnO+wP-`0?Z7(iG&0tpUVeaXc?a8vvkdPbuP@wY10b(TXCRgyp1n zWC&V7xOvSPAOgB3`WyZit^hnhG(l2rUgHi?K~UlQ*RQN3(<%4bju3K}zYB*-1cuV_ zQVKwxz}>tEQ#7IqfJs_+*Zfg_k6bkDWp3|jc37WCwJ7gn`3J04o}E+(#J&Z&fl=WA z$_nT+v?R9oA+%J)bT2O37&_+QTvL#34XJZ^uK&4|@BIBU47BdB;^GzDFfyDtMWIwS z?Dzd9D{`#(QwTXSlO9jZ(qF%31#MwrxikEczV$|V^0`--6rLL^>F9EnQ(ql})&1C_w#L8)*LY^fcC77DvUGD&26o%_0xG6jdvNa%Pxk=ZRlXdpxhwfOqyBVy=AV)&=&!A zbSh4}^teQ7$kHI&*VojA_!2&R>9P!=wPpZQDJjO3enU8ag$VPB4qKe{fCZ1?-_X=l z(~g8%0%B?W{FvA4c=tuc+2`jlV&ns#T>B03cs^S=&0 z=fx=}cR({(5_q7kt(pZ(mmAcD3OTTUzlMtyj(28e3UQj9g7t?n`;%;Ef4TdOYu9|n zQV=`J>#~x+IXUFUR+}|dA3bML%t8jfIpMp&^^dOwf+~znK<>(A57LfKV^PFvq3T7SA_e}Nzba+pN2 z($a~DX~@VJ=v<+~As95VYs#hDqfaff1NNw8`Ic7I*KM#q&f?_`K!-pm``Oq81z1kwZ5%jc4HpNpSl;=Jf;!tj zW?RR_laEADzWj*iIuI-2PhcO-t1wbVigtj`VR2Go-%F1PGY`ET5VZ@)#pb z9}ZEmwCU+?e#Cu-lr)|#T_7b4(@Tqsg|3to)H2z^2cDg)=yVONtd!$q4$`YWDk)i) zR*vul3JvjKwu%psU|Oa+GA?ru8^tN4;GlSOlH4YmAGiZZC}1Php7%bZ_^r2vTFq2n zIUB7QOoS>IiL&GmxLBl=TGgrW%7cc6Af4Iw*mFnsO@PbbJTftyF}`_YWj;N*+n!Xb zZ!{}qA&SC-A?(yjYt>3PE=oGWz8fcCj~!D#d-grmDI)vfyMV8x$c`nDG8#c}$Hlt7 zub|`g_4PkhwaO#}x9=7PnXbZ(w*Jt^3ni`t@|}NyC;OqXk*bml)G9aD0f#|yBz&LU 
z#&poFb1u8P%AA-gvz=V;7rNexON5NH(u?Kt1 z5bGhm3+bIT+aQZ868zZh$Uh8~ym*q3@Q^uwabdw~U4I|RD+dvWS9IKQl$!I1){{|^ zO_w@JgcLr`^_NBQp~?0^yv@VspAX=^Ko8U$8ClshuQcfA2yie|DVdA8g2#-v`k8Rh zrAq9KN3IEeI*f>2676V6CgpA;6B7WZof+)!*kGXULhazndQggT=*FmLZ|`lBH&oHv zl$Ea|0t$1K^P$IzHL?OQYw*G0Pj00407j9sX)uT5>pbxlS^I09Iak9+f2fT&P}<(2 z-jd1xO3N0)Gf>G%G+F2^I6DmKsk^1+^z(BdP9QG+)caDOKmUI70mb@75#}vhWKJy{ zxQ*AS0pF^m-9y@z5`iScQ{Hr9c>4xqNaj~d7^Zn*wh0|#d|ojhWN8c z*N6$cEhxyL?t*B)u;6rpJ%R)PTZ%P)^!ECh|3KSHUIL0_c)i!QGv~wi@6k(MNF$@; z)qNd&b>VfgH?5h+zeTxq>sCTju-bES1SN09n_kQ`@T;eEoi8aen#O!=l|a;$5-0iA zPvf7#P&TgiEet)@uR*#I6ed;4mSb2hDCawO?sRu?F|`Cuz!7=8?`5CWBfFPPXrVLr zC?K4+D5Ezz(Q6;8|N0m!@X+MU2gy@+rW3#>fRu^*uH$~GC@G0Lr%VVg7h0ZuP=Kcl z`gP~dodRz<=aWr1Rt_VntE)J=m=8+@(ffUm1ya%&GVPOe$Q#xhMy98xnxVTvT#+9$ zQKS2QDQp}nA{MwuDRl_lbB_Xalz!7_hz7_;=C+tr)!JFx^Fn-++uBnPKzOh1S* zvh4aG37h~K9J$OYU(gX(uyYj^74TCotxvsAG4^@L7S5S z2+9NjV5bZDb0yPnE zoyPnpOeLcS|2$R~G#h-sTtMFX$#HwLe6CTF3Fa_DS>msd;^OMMkBtqvCCbeZm!;{% zn3xWXj8-A2B|nBYT77o!P7byiZ%Ki^L^|&oP;3fAl>_f=u(B$%>6NM4!QX&)b8HzX zB)zgP==7}j9nvxHEy)tZmyEF*%-4s+_6JnU->5sUqeDSS$*|`SgcOKyoEZ;8Lt)9j z4d;gwUSF*U!VDoSb$cz3GUzrQCENj0i^J~SwN&B0^ckn85PHI2LttOWKwKDt$KqzE z`~2zG?>09#_lLR?!l{`Q91n%OB$Q}U-qsU;S>*q~KVDor%Ad`T?W^Wlr)V99@3kRH zhaL$iiG^|2JH6;Xu)5xp^r!cRogMXUld#G~V|N30{ng2NqwGH(wRNey*ua4FPxyUO zQ@LKygM!de?>;KTkcfi-Y_D1GXe)kr7!AQUX9CX}+deNFXO!2@_WUA0DS5+vfX-l-6Gp7~Ko=1VhawNfQ|;zPPkInmE&(v}Lez zbAxS)T))gkly&U0=}{d^nhT0J6~9ugT$;j#Pi4tm~Cr_^Fj%O=wrr8XeW!s4_{IRMEkcjrVa@kmjxE{3)4V>9?>H+OTpb z$UtUNw*r}e@#_sb+l={%Jk;Icw$H&lk8PVWk)xQ;nneqI;K^s^AU0=Mfo28#@`;mH zh?9#9gp42`lD8{AeL^A>Hg@@CTd)g$I2hOQN-@i>5jDnaq|~U(O+P)z@TR#vo#zS` zkS*OdM=U%H$I$0fmu}a`>^A)rXX-Tz`0?h=ZUI|sGrl1Fu73`?yF~xEk$)2JBDbptqNAfvoOm|&gHT^w zy27*H=(TjlbWfXbRC;n%hE9%-dH3@ZyWZZ{_4Lic-m0?ikwF(Oz*9>0^+gFJMQ3M! 
zPnepWx>juK%BGpVc?AXLl{=^2nVM3tD*U)UkIcO&b?W$34xHiGDDNtj9h(>S(O4*f zZX9eQdg=aM2M*x4cAQyY0T<-omH7@cU~5~zKa%a%xx44?&)hSJwyaxBw2tTS)=C+} z#p#>JWLb*suo#XOu!1QT%Z0@Jho+t;fyzc&^}vuJR<1T{hYxnkktT)G>fGuGy+ot^y+}`mScPEo0Eqx@sig07z(B0~k9Xbj1xM4$ zaos(W7TvVV8=!yV%}*)iLX+^|80BS}HESB8DM9=Y86OK3J9^@TFQcyEd-<^Zp{(`y z5k$qkkVJSTG-+42_qH8AC+c%q*}k>0Dv5i_;<3L$bN3>G}NZ@Q{!PT!y;E+xGX^ZMtXIF5{lPq@+-@>HO?* z{fqyfs(yxZ%w>!3@3Y!==YQV#)s=I{4k-(l7(Y#K>V==z6!}0+8XZyz{^~^i@AY3c z&?{|An^QSzXo!0`Bl;~Aajf;R#lE5Oa9+1i2=P?|$|WWE+Yw1nO+Z9ddyNJk zr$Q|5Z(RAbQsZXmBm)CG>Ve0PcX@Yv?EGt7Mw@K^{tXPaP?1r$-s?dZk4ONuNcf&T zRoT^bgK>MUoy34NE-T+4JCO@lyco1u`a0Y|`70PbfBUIIrV$B>3By&Vt>)V8+kTNZ zrboza^xXaM@Oh5()zGJ(wDt6U+iv~!c_u`+-xLD_f4+0-n%%RyZW9td&+6UDIp%E~WRjDTsV9xd}?SAwgXlT+4&A;Z)YX#%L03r2Oo`c$q^qN|1-}}IJN;9^{3T=sehu{8 z`i~4!rd76;)}?;hu=goMRb}R3?qU2W+xI#ipTyMrIL5A0FKC>}pqZf{6C|Y77rlD* z3YPcnH_J+|t$1%4u61$2_X4g9afYbdrLNRBv<3*vJ3cL;_x(elpVB{iOfAjY2 zV9CF)S470j(61?Iu6NayIU@ZGC3Yrh1FbPm#|89xf-{0(ov~96mmnN#LJO^Nk^`u* zj@BA7WCcwdd9p2el4uCh$|4Ft0A_zHb4ouTmX4P1e>))JRKzd^)WVWRx^~&Vz1i5=l(${#x%meK+zkus z<)%9|&g!E5omsV4j8*INNo68jJ7Z|Cf-IWN<>(u7ac)efN?u_hzqBw89_7Hiyd6+O zKV)>eeLQjV@^zw3QnptV%w|}pc2fMSZ$+nOZsr{0&k$qa`;}4I#Qp+@Z_A`t`oY;M zBL5ze>KF$ktv-hiz_9sk7`DTt%yXISzsDqVJCs!UD@r!LgqQA}YuDjE5=`OI8k*B1tyDF(nO8lnyT744b{1^l{-Dd&9=Sn{6} z*?eYVxCZP3CWqK&OWPZCW1_Qc-@Sdypu)aAd(=kyTMU0i>fBUjY_J|+G5n$il#Q#a zPuaa4lfz=0>NqdfyC@tb$*VCJ)GTqTWWbYdYQuL+qAe|JTiJ0v@3Ck5Xic6hs89#@ zVNQbo%li)>HdB{1<;l9qt#OpTYI;zUcdg!+s@$Ns$;xQ*EDM-n=Du^ z{rz`5OsU&RJXGj3@Wah3pys%x)#3&lKTG_~+-_HRQMvD?ynDrxq@~XdpDtj-3V74P z+_+@iM;l;($`h*GS@N7%`CBx#xcO}OzGiyhYq2*nfLzSG=0_+_ST45tCn@@2PrUrN z=fs(?87nT^GJE0_sht=3l9@{hH*4hM78Y)QtU2lmhM7P5fn23wWNt;#1nn&!uUThxyzJX z$7q~ncYh7Wo>KTpn?=J#jcaZ$VNbzoz?cXy4G5<V(+@;hsTKB}2c0q9UbdhZExBCSVdlgoaP+VyANv29=V~N3(FmS6%)yKTE3WSA*MjRYJjji!SJ8VZr^#(gf|ePw=E2;QfQjSB+um3= zV1GoEf$tQhO&+G?!Dj#h}dJ|9_&g|3m?55@wurtqYu|uLH{3pMCA<)znIv;VMdUj8D&(U;04J2!^q4w1geW5W zslHC)JAhwYyPs6|`%KZBnXO_DlS&1Z$?yj^62>KRdB%o~C{>|y_A>7gB`s2cI;N?f 
zXp-l)dLOY89+;AkbiT7NnCc7QdijbKL}Tms%p;SFBMYUsj+^?^%xDw!RPoL%N5Q4y zKwH!hqEv|c5aE2w^t~P703#V@_VNXw0@8u{M>lM%Rre>}$>yKY$~;`Z8Y8tDrPG-~ zSRd&lv4t|@Bk@c=7EGh0I`tM4pRr4CNL}Aw8Vq60Gh>o?cO-Zbe#7Xn;?Cuq)cH*d zP_)hf^&aHbi`)t|J=%$nR(9#8=r~}|Q@$ZR+T!cGB7c{@4=6Ap+{4-z=V#ld)4V=T zK#B>)C%)(xqbg!ULPMc5Ynn86;7d638}Kx|v_oL~5t)wN@Sw^Zd-K_k4{{?usm5@; zT8WRf)6rVoqBm(B4o=7m1jGTH-0KoU-m1bIt%*e6)oN`=`f+ zoIJUVZwXpn;Qj1Juv4f>+(|ue;b`CzkvYAS8w>xcc&-yIcWv(}J$7ITJHPn&3Z$R# z?tABqvrP#y&>Q;#?N7d;C^O^N0+SOG?&FQh2;T{`i~)6@x|N*>&T>R-+cSM4E=8y% zQg4ZCA$SJU3Tx?$NWQO}AFez&$L?#)0ngmv8Tailn#cv`7J5v2@iq9=DSJo9!DUb4 z=A8j)D%v_<0)q?YznGYco7WmYeXmfF&FOhsm5I9efG>S}V42*j#*xXi@slP^%ia-- z>+u&*vZi&MiI$6c{wS2&6^@FZu@@qmA}RBy?cB53P$;$Dn@&BvfPe24)dt5v<4Dum;<*e+qdsE#;oXT`5UNQ z{!mwO2e3;l^^y47JczG1Tehr?;}()HRd64Vzp^i1uCIL7AFVkPG7tmzpFJCmRP03M znScK2ucY+6L*)Xc#DocT05*s-01;6TCnhA6Ly$uqq)tB;uB3Cw?l{hny?gfjO$YYt z7ev)8b92W<&rzi^mh#YgLUz0$1$ckvdU$;NCvGhY$#JTx!RkkBl{BZ^@vgDIeQ7Py zl-vD0En*(#JjF!kR$}UdmWVt>YU?k=B0RtuOxE+N%;WufJUnTtMvZZ$@yh%&Hh!I$ z2J<3`G`Fv+Aw=0H(>+|}3-2d&x#5aOQkr|+7g;Y@@TZ}H!R@M-3nAKiNJu!=tVKhc zw(0xP%a=Wpe2+0yPv;HUfDkZjN+`XCd`+J|=FT?cq`xlMj;T znwy%u^k#~<=hYd5G-P&HA%t^W1!?7i=gg&Pe;qtMFrUbXTf%c+jU7aORaMh<>(=eh zP3UQSnvSJYlBjSpI@)@X*ICri)znJ%iDTnjK<5`Zh;K)+YOB-(a6;e9o z#NorIjVkVCt z4=Zjw=iCUr(sfryC0+gmUI7&EqdvzOPplDmU)jeWnp9Hwv6OrYccCFQ$vPrhbb z>S9~gIAqqGIl~HOCh#vBFqZLZ5VK19{w;?M&PG0QMswQj=HP4@Ik^*5U1Uh4g-k-z zbse{$bXmK4HO$O262S?|-`+hyzkcv`DRI}WS{3SWl1S9pw&Ordj4=2Y;CFyJ4j$>M z(8AR?V}pfkmbyAT>KCJFoE8?p)Ww`ev&-aqnVkej%{V=3Yk>@}>Zr!zZT>rFnwz8b z+n2Y0N3+HtFb0D@$wUx{lqJiZokLpuuU;A~qurr=nE)?4Xi&~&m8kOav*<*yD`94v zZUj;mG)yJ!xvHwx-yLfi~)YK%XF@1(mY8`q@jun{l2f{6-ub>2AoS(F={O zFzdUtM-5~ zg>#oI(bd$nnLYbl#&-drZ+l+bKgUCBm0Rrr*{xRufWBeT$%o5XFhygn{AqGcK`tf+ z%9}*<+meExI8%Ck3XTV~C&i!v2tNX| zLr7;116jh{#QEWbhzhd_6^}VDM9bFEtM!k}y5rY;1$TQM;u6fP<6!B22Y zP57CMvI5)(J6VI8_PlRi&u9{f`vJ3nqPE8 zpMTtB+MD~@j+_(qT3teE<@fL9+ZT589iX+YAhYqwrr^7)^^hiz6!(UO@vn&*kG7@= zZCzbT;mC3|j1F)hsm3G%{dBf6EfnMOFYkDvz)RyA2@coB^*pD#1D;(3C%&Uc8@@b~ 
z@4j7?_r<09=btI`i*C_f{Ab=AXu_J5;}&0!ZWLt+M+4H=W7cng&Xkmt3iQ^2Tu?_1 zx#o7NLnF5m%}KRH1o5-}g0VAUY$J#=VN3D+2izbms7_4pvsi z=A(AsT0r9-*Z)!1jD1GBsELJ@Z2QnMbM#iei<%LxG@wtP{4+W;aRz{xr^dfAy1_Z_ z*q~b(85xcVu7S&_y8%Lf|M|Y?+6Hhlm^ZYyV~n;ezPxWQG!uhUp9h)kGl{bzn}AnG zMn~VlHs`#RnHgA%o>Aqhxw(BDr#S)!{~jN+dd-?8w>GZClWNJxVZ*M&X#k=ytQ)Vj zBg+wb2+jS2>}=3$IrW+29ae+Qzg(P=)cSP?mUxjsp(_tDWc#?vLQa<0NzIIw%t0nD`FXBVH8J<6k$A8maI;T zy|M2aLJ+x@k3h(OTU^}1S9W_cp5Z(sh~NRfekP*5nHFK~7#{wT_BQGZrcYmq(x}?w z`-TBqkhcKB5G#*hx@B!WH6dTff0dPwGYkwYxq18zet2S=HVGrBKnmd3TlJzd_fKbl z6<0{8Q(xb75OEB!8(S_{dbJo~oJ3=M>eP$;CxZqqien|mhB6cIQL3Wz75K(&!U~Is z$wX1~&MBSVGLF+qLm3_xz@SFSM<@jP_3g{e`NifmB-Eb>t^?u_(2f{ zJd-c5csiG?I|NE1d9>n|yPq!^`$R;fG-)Qs+TXV2F;ujmjHcRv{h*huKC`v+S*8!7rT_dixvQev zY^YvL7YIgzN&0~k{k9WyDY^h+L0?){dbNp&j|HO;4WnEbv-rwT6wMR^f>a=_p0CD6 zA$FMj^$qfBw(Hmp%qQy zU^TUuCH>ka1U-`w$uv%2L>9v%q(5v7!gRW@he~ zl}J{ip<(YqLdJK*+yDO5da|GlNjN{P>1sw(HVo*(HDb7~io)sJw?E#~1I#mxdNQJ$ zn27h3H#%N=9)wyyYpVY9JO1Z4#c)6z2b(0l5&{`?s?$|U0jjv~HM6>On!(K#^$}5! z0Pq98rd02^DDl6)piMu>pyzm*Cof*OtyyC-8>jQm1>#MC1z4YwboM^P0pug*hk=X4 zMLN<^=e>ROhz@+l{P`T?c{67Gld)DzBy+#G^olx5?4RVF7yQq!cFY8;&y;7dgJ8m? z073C_;-f@7IsBK1I&CG^tU(3aXBH0DPdmSo#>fa1hDNS0F9c%&eH&})DL**6&dy@G zgGB1(`8Rl0*!srCX1;sZNcwHJ<8`M=8m5I0;nC1{SB9-;;TC$m=5s^DeLgq;T>u4? 
zrJ^X46Wke!mTKt z-+!B#8SB7<>a@#iXu_C}a=bKjXXo5OS#0I}pC3J#&Q3E{dx7Z?HCYKEa0j8QVS5~> zT1a&tGIngZ|9u!x1|NFB+ zOg6Y{Cx71!-hsc#E1(Gj)_mA0UE`FYz+0i7=z8V}m!a^(hrC0o({|S08WT2yc5aa2 z(nX81*XK>xo>hwrRTAP3kQraAwE?@s!q60h$8ed)Z@wO=fdjH`VOafk5)Q!ejhi>k zwmWw*4uWp-fUG4m1GPO8f6#U~_Q&OcVVBRGSxr_T*dsAv>0uwQAOHQpBBf^COg&2j z#l*zmwB6k4uX%;t=0(KD4mOeO+#b$Iti&uYQYkYQtx=dK;fFH@^LNFmefn#Ywvjkx zo?Op)Y^W(IIT!l9m&7b@Eic__HMT>|m_A*S=VW~Elu%yL9$?Kzbpg)*jgp| z+F%8gM{roa_F>Sro5Pl3d6k>PCokyveu0ndZkxr6XO3LW7>I_(=k$L*mT?Y~AO9g6 z0sq?@#AmA3k9M3XAzAyrwd=tP#_k7z>u@5>rBY{1_?pAo*L!1sP-?$@^QOFVBX(m3MM_%fM+*CUr?^vIC}_G@54@Z(Lo zM03Kf4pE*~uZ9?~sZ0dOGS^IhO)bK#@sA#goctha<|#un&_Oq;En^7oSwg<+f!=*( zG#JgGm;vpcq345$kjzd#YQ4Uu>&{t;vWEg$G{%q2LR?sE)Q`+ck) zl(tA?$?Se#h&IZcdxR?f8~?9YKi-%|uE~hD6-}|k4%eW~ks8a=W_fx}(n{PJIQKUJ zI{XWtj~6y(Oql;<-RKt;!D*q0@ad&^(SWdIiWC#|Bj`6?1^4ehJLwf0Eie-l6o71o z^lP4HWpyAj(kyXadfI6CSFiq!cUc+?)nXf~D_nGQ89r^EsADsJq@r-8Z zl7oZxprtgm?Nw3Hy0vTZ3oQC!U~XDDagvnwWj~OSVu%;e5pvjQf0`|qy7ET8r$xo+F&il zyL(Oi;Gn3^4cA_EX$rASLJP@FqH$(Znz^Or#f-I@r3!?XgoG7=@8ZqS>u-fM_PZ%|=E>;os{MT@4-SYGAxS zd(sBYM6w2?K=TDu5in)IL}v*@yM+tieq8fwHeCU)k#7LI#KI7Fm5b60?W6q@sLJ>6 zlh@Pj3xzN$U|bu2d7fNd!z>|dxyK^>VnBZ&s*a~m8@$6(4@E^i%~*aBUv4)y0kI~k zx!qYvoolh-)eXbq|5mf%^iQ?%m@CC7Yr4uP4$&}%47Og{55-Q89n^$%vR+Z*OiX>c zEbK_-(hrp#rLE02#*^i`cD*X9<)coV5R|^f#e{x_n*4%mVl0Le`F^dgxtN%E9d=~w z50y7>xnk+|Q}6QW(x4sDJ!1a2kQRW3NwE9|B;(dJzVz5aS5!++NhxuIce#6aFJ*mO zMh<|Ile4{&#w+XthcFNnGuAvTItJhl;H-1!zRy+C5nOqIcBv}ChoI*-uaE|rD6kc( z3D)hK=q%^+9UsKl!vT^4lnc|xA((`Jvp=-cuX@A4xQ*(ct5jG4)_6I zz_*!n$B^%a-`+IEAmS4Gr|ThOxTg;jjBnKJ?YExNk!8vbj1nz#_-tAXK~2s0qhCWep;Dv$l1$5$@_wSGA)&>R#4ciCInVy`CAbVP9uYnj>m)tq#ts89_x1nhZ3Rz+~ zRP*pDqghglhygHt)22?>7BSsudmEbv9+M>{cY`zTA24YK&yFsgH^{sDC^6f8{dz`F zRxoeH8bg=UL&l9Wa(*l`b-&5^|7ZaM`ZnWZV~EZQe7*oW6&pncZi+bwcvbvibXb^y zxMzoDZEU_PxJCW%-x$$3Ik49kQsxd~aiV$gl0f$o2i|0CBwl8dwX|}dJ-a^}81ne> z_v9wQKl0eG3-R&ergS##}i7kMjubUFqBa7!0{qrnooxKP# z{rdMOb`jMy6e9)>8Z;+yUViPCt_Cx&j~J;wdNft9!@PMD1KMy$-4EpSX)o0owgh>V z)iAXPNg4Q*xX~Mw1`>rZK^uu 
z-jJ~GTE}lWVN&!p%bXR2x6}BHeDfCzS&I3mXwypjXsern>TK3 zemA&V|s1mcMUNM6^e(em9>w&>p`fr3Y_O*dmN3jAhS8u(ZsT)vDmvU#wGA6s6&4%pO-n0Dn)J+C%@mtW4Z~>{qG$Hi4N*;Ujhu5-sap~g4 zb)Ir?+yR~KjTc|1J+nFkR4?qw{I&482P=jNiFX-41BDJBO_N2!mgxaYB+RmobLikX z2@^xHV^D2f!ghIqsx=@hj$H}B3`|~wtqb!^B_$aN3EOMtw>eyZ8u;|>+Y^}7v|d7M zkyzY^Qge93``52O|M(GhcN;FU?{gDzprux_J3DE&X_TRV+PQOU8{;rxDmeqy;O z;ng?7k`{w_78cHno?lM>A?Otd;L$%BdU;Cec>n$i^ok)%EhN5wpW*vC6l-OK6_^MA zvU+ZvlCMlQZ)SYD^`&8I25-mMy_VZcPZ_=!zgY$<-W%Ec`_clI4SuOq+D(0n#4=3* zsXf~Od^XlLMI>hW9Q~#~InYsgcnVLG-R+DNV8jSqVY1g#m3?PmujpN(^sjkz@6NQc zB!LSUgQiG?Ikx}$($ml%y4%L_9(^d}GHTZu?r$4Aov6N=yvQ+&w9MwFT(}VCzk}O~ zW2k6jAmu+><`%Gsg@47N?~1)|%w*B8vmOv&ZNH&AIxY|tEDNgFv^T4Q zLsKeI7%N3`J_UbgdRU(3(DPusD^{--+Ir+vGBXh{o5XX1mEE$Q8;fID83^!l<%>OsgJ@QRQ*If@@n*{^P!<;V4T#7jYXL&;SWPX zY7aEKT{Am>|0~A?&VVE&W_>Elk?IsBQP_(4!w#Cm@`1}@PWb%kQ#B=n(W9Z%Dv1zC z&Za%LqZ;*1(2bUbAJH&WNi35ZY6*QZ#6JSWJPVI4MT zYa8m(8AFC_SbA%Iej7PM%=;nuoRb_fgd(w(D0G-J67SZnEWVkpKP^Dr?jOVy*pULy zI8W3;ISCwIDTG2lMd|y3XP>k~IAsHPfT8Dj#+zZ) zDtUO)Iks%#)n#;UNj!!0&!6GxstA03pGSzaA0dr*Uce30X?YUYQERzBA`|T}Vds<4akZ`hGeaY?hv%4yjJ-({KUE3i{&xkF^R?GoVGe{U}D* zk{l02Hm#grU&8vjs{Yf}4&wNS3zhE1&*snbmMvZ^s5`T>lh6cV;6t3^yjIURDQE^U zqPaL#zJGrR^2Bp`9^T%Kz&3~1GH2m+@aD}%VxzX(WH!U2K_po^UiH#7;LzdF!H(`g zbxPBl>kH8l2339Cmi9NeIQ)Xwtq<(d@Xiqkn5$K(eHx=KDn@9@V7K0FMOYLpSh8d* z#Z0?h9|5hSk`|iUK0{{Idr#Nxa@R$~K6baU^@N+Def#&vE2V1;=>PA!y0T-9vI+CY z>~>6xXTh4;G&lp#LhjQH^k+Y$C@fG~mDLPQn@gM6|KzjfmkV+RScN)ROiu$UQ@yrI z(Ad^nB)z(|WovzR*F8p>acVKOyELVH_b%p3-q@<)`BPKVa-$>R;ZE$9fyab6&ojXkZ`^ z+<|R%*}#O17Q3J!8ZjcYWI3V(!K8kQ$M!ri0)*E34>rq|?UN@oS;iO+`WRB~S|=dG za>S#m`q+_tGm1XWsZu}BiN}S+@3zEv!Ga@{<}FfKK9wMn$L}CFw}z7q)4zn92gG4@ zE)hNroXh*nA??Z)ukM&BW>^W#ky9m6$}oElibOf4EJuGWSh^LxGX)gbfbGOpQi@@? 
zfNZbQ_|K^@Q3zk{;?iG5B@iHj2!;AFz9bQjMIfEi-*hQm70DyqHdZ=Uek zaGQb%>bc2Th#3wGj)y2}dPmJVILJoRZ2A*m#d?ePlD&F;sl4X-vq)#zA2!nl(x*Dc_C z5i4b{v)^X(W)}xdx^(~;IMR(pDfITJSCh}9ORo~n&O$Ot2Y9@X_J2C{>f zjo!9OcV}YaN@UP$UWHI@H^Is#Ow&!asiIM=T^#&x^)GE~kO~A$1GsnKgY^X|WqkHZ z`AvKY3bxjSD3QGH!i4avr;-lZB6)JuHw<6wXt4(!26n}Hs#oW1?b{s)pde)a>rsnn-Y+z?4BY-arQ{HMFfKVDB>0pM zkF#aejNuUgU64R1vH=T7#vTL1xGDA*CiU1lOvgq0bFXak-=uf1+Aa-`nY0y5H4Fr) z0NpZ7eB~Mx)gdY_{1eZaAZvMIN-t^gj@q*A?BbvV*?#fNrAsAmp8gh1{}_7l;!h$^ zzFfs)VeaK)+I8$ft9#%tMM1FC*4A-u*SjACVdI>r*NN&A6r{jy3GlHys4ysi7c)+x zsM$^>PDQbf1pb9>3HRDQ0n`kXmuD}wjkUEPNA&X_HR=pG5G|C4zT1o$-QylmSR!K8 z-+4qPDwE)5HEQwf+27%xZQuPhc@X)`SEk30Yt0(CgdPo$@NMyy`_2<5^mK1f@TBn| zYmvZ|A89aVXzJhw;|bcYl&-}nU|ddrd3nZ{BeNeXxCw`-*qq!}sn!rG*gD{eQsosx z-NNko%~65GD|`E5!A8d?5GrMes%l)uIT4YM;y+~Vue$V7jb90L41$BH(EY%VDYfAc ztADo4=@RQb)#xU*-ZN{qN-pAVL#AbjCAMCQ^YwPNiNDU3^FE9{!ydbRa9Q{$Q#a6>r=ypkKco;TghIOV-+Be>r)EoJD?E^@8M*lw`)oA(;ew?F>Aw zVcVnCzbYU}8$Wq67288X{)!3tO6&K1+-26#*vOjj>9e6>ap@Za_-i|V`t)umMvfb2 z7SV;l;Yot1B@UDYol@BsQk=NfL#4elM;vBu6)o2C5fA%dCzqEOlp8&g|no+KbbC4IU| zgO2}|?9I7_;3Ze|recDA-Y&iWk(B1R&>sh7EHOk`<>lHtuH*k1w@%Gp&swqn9zD^V z&Amm8lqz?rglB1@=M(fTw>(Fj8eNHg-Ff1GA8W+}CQ_bRSg^}=>!Na<09UL0lUa`V zNjGkO(682$>0Q^AEB~-UcAchvN4H`u2RU@@@))?4y8ao^x34BlyXKb#M!!H1$ON)8 zOcKbK0*Dwi*p=GpdS}&39mm|R8@jz2&~15c=eJiQww1D~!Jm3SUOtkg+qkMJ3>Yv6 z>F$FEAqV#LPGAQu!XL3sO`t%@VdIWl6thLC^#*63;`7leE{`y{N6c{UATx1s-mq#79Z~@gv z%5?DxmgHD#tI#uU%PbC9`J7d4N zPXDs0$WhT?ZL!mb>O5CX6xi2H7cFWeRxMxj+#11>^*JTFq8>Yhz2q(Dz)Wh*tJzs) zwqbAIQ-sCRC&`0K!_V3oXvUE!6^MwN8oI#DNM z<8^9!UdMZT?3-RcL^73Kx)lEfw#JPbGv;B^tpP;@6@K9>-od!K-@nUUy}P$5QI5Ya zEbMIgeu+l4-7fO(_VFo~q-B?PspjzGWbS~J_u-y?R3`0q(J$iiT`3nI_Vv^l{Ow_9 zF6CGA%&ukS<@d|yXSid}MFK(NtKZjiomh9RIii)aC~*k%PTscd`Kq_4w^}@|QU*j@ zHZ{~qR^K9R>WUQ!*RM}5JNF4;b8&I8U=M~WpM>e+GJJn-Z?cj})h&kcUoRansR%Q! 
zl_f_lhC4tdQ#Im=R9HChPaz$ntE9NrieJ3L{IQtN#Ejk zBlm8BgtX|*a?D%5S5|Teg)y2hVp_Xl49guP;qoX=)b=f$wsLX*y?>B~`}JR-z^BLa z-(0)@%@(+y#^Z0MEz&z_HCxUvWrSi;&VA(&VOH0yn;BwGbW(9Uo0No=X}WudxzM`a zD~|#u+_LW$E5@=e=tv;Fku~+}8=h-4{5n3tQC8YO^Yyzz67`o1m}O@d{jVFQgs;%p zqsOLfY|>0J=^QI;*UK4iF<4vs*ol~zFr)9^%(b{?@XJTC4Zj8iCQIQSed~L~$nP-_ z6?3QY$zS0leO07p9MDN#WbF20ALku?WMwycdz)o1pwS)zg4H-$qF(e^ZT^Q3E$GV{ zz3p1URc8NeUi|+5ql&kzO%)Bs>uYoQ)3Fm!%m3`9-mfow0;pv5klpXmS67NGi}mFc zK|mo+{CMx48haQs&J8h_*j6YKxOW@LCNVi#BIc*lQ&U!~G5hAWbeE&YXmVom&TWgQ z$?V*?uK4!xLQ62$y?bX{S;_dWI}fm7_>q2Owbh#3sR;`u{mZN44*~X}L(X28oc#PS zlwQxtUqpUx2@9^eH4@nOSnDiCfur6YF*|(u+_}-|q205#D0L2Hkh3z7DUV4+2yyXH z>d@yWwDy;G@MfuzNLgYlwH`>@Rc+^POf^dS`XYL7^r)5{5A?>3)eAWwMwnkc@ilhb89=^Hi{=Nc&*=Zxt(49Eb- z07}YfJpn&piuxjWXKRpKQf6<(g}FZ@A1IgdJUo_uV9P?KM0MY51{>Gz12ZbndHJm# zNr=qR_)7`QlHV(kKRnjpIa0i7F-xnR`j@u#94cEzp7?RR!qLHbCDsTzq$N zr-H??@l(OPJ6A3ruK?P`FFShhpp(OKmTBtg$$2f{d0H4gin#Ktwhle49=0ip+s8XU zK0vx>if_Tfg`d8&EV`bZH`OKK)wvma_Vm!wv+=T>N#KjNH1pnd;|i4@;HB5eSxl$X zsdThAI@~j40iQQL##o&y$48$kUmc5%&bgd}q5#mQznv%LDMuRQC~G#&8j>-Z;QJME z`3;YA?u&(~n6;lDFY#g$nxiI}{`Zn}KD0hO0aQh%{d5(*lkMxc{{{^cRjtkmN(gs@ zf`S-JaEzY`pih~S`Kh5ow4WhDhjdM~AK5zwH@5wG=Kvr@D}28w8Dp7!{`=uTA;7uK z%tF3}DJpk#jrA4iJZ?b04+thu>!QsTufF*Sl?aPDy_ucpzn7^j6gV4*E>uavhyUv0 zcOB6@a0JUtww8Wwdr({k$eAo1%o-MM@R1|^8X}W$ZDcJ~PTZT~;sDTU(n7%5U%4Xc zS;%Z5Eoe&{Od|(s%M`~0OcfOT#I9k*xR)$RL14_;pwXebNKO_^$~$KD)-)~|Wt=e| zoxGw1jjY8sd-FHg1WMZZzY38D`U`dn{8|Q=5pj z9B<3=*mx(74Qqk2+D8iW0EH#IV*a9r#yOne&U{}~bh0pD_}o+b<~ANbK6t9;2pa|V9EmOJ z4&7H`A7)f`?b#DQM3p^TA-ZoIb;qf$bdBL_-@{`UCFkS*&DK~hn~!byKa z?uvn4&z|(ZKR`U`7@VA(D!m6jg8oQ3x?}T8dgf8cXTY~A1y^0c*o$JNPL`+x;K=48 zj7^VW4L?YPDHD1muryWI#_B$m9OZJC;X`;e7cYjlt3n5|=3|DLx{R(lhtDIQY0gbB zVj)sPohLTKgt~rO+>tf!QMqzGmRn3IO#N8Fj04^nxk6?ZXLtzI;sA|P+p(fpvSGiAnkqwX=}T79Q8%!*QKIwZMz@1ns)*IgTa5qN`HMv?U|s`15Q zFl#4ko%Ie!M0k38XB)QD{7pbOjja6_l?)x&B|0hs|HsyT0)OGN{jObe^D9HfY$58) z5AJNsmJuq-% ziCJ{qETBT$@QA$)P+WB@C@ZN)WoN+U*DGesTu{`46*GxlSvc? 
z)(hTM)0h2ety&ey>Z3?P0o~}O#6(2k7SXy3SWZ93cb71#vP|<|-gijU(T^o1D*LBpv&swA zPSx815da!YM{UT*-5zfgC%BT2#Y>Z9KI<==boS!K8RPUAgZA(!i|Z0smdsIent0rQ zumbYugoCe@4)ApQy0+IWylG+-F zq)Qknd%MWNAp@?2TjHto8mR=q^p1ez4O+n&p|bZGpH6P+Kh>R~wKuo%L*`roL>9sd z>>ng35kHEydz4KQlkIik$C^FzrJ*AGH{ZKEruF*RZArvm^wr=$pr?#6j8Rv=XEJz; zUx|WN?SHfYQ#{L!WVe?@vPczuWphglwv1(QOQ)&H5L(cS4&HO0+sRV=9{h~;b6RFUc>wrY0YufL8ppo9dm{M#r+ z36!o)SMgz@6CA&)&{8$^A&$G<+a;a$vw7m?2=nQ7%b8wDoz^wlG7vV7-aY-!P0Oj< zrxCesN!G)dX337`rMh4_1vBjJDpJw^gzM;%iHkdl-! zG^pwM8Nk=Xo&4`eY;N8DWZFYHBhzeP6iwsuBL{g~=bDKJC%zj+u*a z7;sx!cjL~Tk7S5;RkMR^#QXDyIGj2A=s1S}L~C%gw?6}_^GG{7I@sIbR3f^=M2CH| zHS=HP=V#?O(_80eP{xq@*rJY|({T?%IFj@@4W* zR%kbf-dct4DJWuS)!Pi9_XM2_0MPB(I87l11-v_@yJ=6S76@P==Zbmw9g!f~!dzG9 zPnQ=bpVak>OHSUk_p8|2C|G)7m8ik6V{vhuTS5@yBEvN_itvPGoaxAshlbrvEG^;j z4wUEoXl|zMy7l;fpq&O*FJ;OtzG7GZu?p^!o)4ycMY;RK$n>?{2 z_{#okpvbg0M~+yJ>|6ak{EkX8yczgL-useaf_>_lGdgQtCksQ^MX8swuXo?YQk^E= z7o{ge1^NV}HZXzJHM2Gi@G`%Qxof(PPv<;)`*7W{NMu1kua5qzK;^|(Ozzm;{gmj( z%=~;0MtvEfNX-%~eJ0SS^9LHd-{>aYy7e9sP$kmE4gH{_dp;s901nA(o9)o|2broJ zBqE~ad-Ed)o>?M)8^?q}VUr=fsdSLHHM3l)Z$U^+3Sw^Np!>$)p}qL3%N*}>?1eWc zYY)`fIMi(rBd@Q{#p^_sy0LDcDU_9%zW_uhG~2Vr{mGLvuk7G!B^R~urdwucqP=?1 zOW0H3v})B&WJEOH8El$^>l@^jkd$O*zQ=sm3t*n_^}Wo8M=)wrJ3)^uz*a|4xoPik zi+oQbb2GT7|30`y_&E$yK6KWThb*s#p+BNho)j|PzG0|>V6-BebJ?ep(pNAyxt3kl zeTRvvk}Fq@DWvG1ro>MH{Mmmb<@)st$;rmA&Ty0&&*kNKFa!k_3iswu-_jtzlD{4u zK6e=l!B7ji%*Gaf8MWowyF?H)F{y|4x=dO)e}4H_=X+p^jFt0)f70$F=m1Hzw7{i9 zeWB9M5PY&ehQW*^~FXKNZ1W=JC*DLky%gI@}e*K*_Z`9pyG%Yeb5_vU3Fx#asx{g^L9|rg z|Jc1ZV`$L4JUd32(4Mv%O?0{!!VWymtGY*Kq1pd(G<5esk_rX0FhoqhfxdHa+HH3Q z{NUNZZq#FqfmplM2){SdVpKzUjtTceJB=D%=wIAf(^=m5c76WY=y_^0U+!@prKWaa zyC|_xU8SP= z-SJzKJaZAyJo|pTqxGx(-I#D7xf6wtO_*=-7ru}*0+ z_0O3z43wTWDs;|bC>ro3%Uq;du2)+E?jMkKm^ymIU6Jze@?sf~SoeC3D_y!D6^6!j zy(CTu(=6+bhh@RGAoMwbEdw?N+vaTb@yR?Bt#NmPwssS+p0T{BbSekv*sjIwFQA0x z(gak$H6{{)Y*zgI`NHL6t)NlU(E-!Vi+MttM~k+h{gHk9k?~CXEA#5W?4e92Js)27 z`LhylmRdDMUJ@i`nQ2CHva64e;3~EEv^tx$GBb@`0#)4IYe>$I9zJyPgoS2#6z0iH 
zN?}0*cgmekOHY6Ak%%Us;m@CLQ-%X-S9H2Dm9tZH=1|#_3O`Frag%%>a|jvhN7_6_ z0B`-Pt)FW180u<1lVmu=xvXV=nuYYc-UnrqKuF}bkwF(c9;T(`O>pAfyKL5HmJ3qq zveQ0De3wm=;U{qu84z#{5f*jLwkbdNm=2b~PJ0A|&G+v;2bx_m=4*WX7+p5xk4VSe z=g-?cDnz;l8xQU-W;@E&&CO+!(mZxV8a3>$o|ZU|b93OYFkSkDsDy-s1;>EZUi7xr z67Ac~$VxmaM1+LXK=-+}uR!TQ$!QJXc@QuyyS{;vP>B}5^cFUl$iVNv{JkN_Bn~^M zCLjgs{pY7-i1zpH-xmy0b4Gz`J4}G5qnFCio-0S_Luwy`;hsDXEP z{9_*q`!1c+_|`}wbrA8`Z<1_$9z0)JM_b$Sls=<0ODrv4pgrwnuKE$$czOI5)Qd>h zNj0q*i(P!SZUwQyFuNe5YwP3u{DX6zoI=t;`HM!9NKQL7@Z^h6GzRRslUjD=q;i)o z7#Pa56g~lYB?@OImjetISS+FxG}urY1o-He=2m!vcD47?;S(lULm@Nbsx4*S^;<10 z2QS2Y&K&>t7A(RohsrYjNLduNZ=bEg>jUOP(PwJp*)Lmm@_H}Lo|Llmkh2r#38M+b z2y#Yo@r%FXE`VXKD4At^DwDMuz5) z0sHJd*9EETxpU`O-u68J)*pB7iLI|`M6go>G}7HsUJzBPNUfc&|&s1b6ii-%K5z}SLXs@ zQHb-u4d`fla{vA$bVoclvMiURK?@N&(iQgIn|E4M3{trBV{ZPK+cv`Q;@0k;mBlH=wkPhl&j&&iwzObY z^Wy4&ze68!gy>eSdVT@QjHae0_K~a`uA)+cy#lGY^z~S^gO6Fn<jPo7x?1jSJnxa^GR%!}Qo;dgzHZ#f{~K~|O^ zg9le~xx10z54L-d-PBC2_zn}qZ+ZYx*wzD&cJYL{uKAcQK5h~87Ua2!hVP0M>Irw;9WVRN1W? zH}ZfdUfn@C2p;l^`Tw8-$FlgbSKUXA8z(Mpz~?CSCdj~BJQy@g{m2qqTZys5X-WBm2zVT? zu2ZyaM*;!21b%ahn}cWM;tU(Y-MA&!b}hCP)>lGurBNlm9Yk?yK6kFlBo`??4>{5T z*_CBY-5-WNeDL5A^_|bSfl`4bu-%L+WClA@#v;P*p(m*;A=Wjx@*wam#r?!KSDvfE zqk#>N!3V=}M?1guG#`f&nzC(w?oCa_^#oA<=<8^5rnMDw@ z=dc0Q?+b?X?ePUnfJ4Na`&?cw*BRK-tZoggfO@l_MK%-(24UlV=w_xipI>IFh%X)E zx4Cn>htT)Z`=lKIE{SQDJ!F{vDym;}9S??c&k1Wlq# z9~z5*pO7`ht*D@UGw4!p6~pK2^!Oi$HlcE#II};#e%%?C&TZ8Iuk3qHu3x{&Y;ftm zjEY7mSCgU#_Bh}g-lW1m6W*xX(A!ogdHL`rae)E8>LxCJb#X(4Dm($`tk{$-tZyK? 
zwSViUM@Gte*ONjA&9GEMWJesM+^{i5TYib18im!w#SZSnpwl%tQ`1)5`awI0(Y~*aOhzYb^ zM@Ld#-M4QRtHXq?OpfwhSZGXp@45f282J&rp*kcIA>J2~9eRs|$c?*9KT+A^$dRj- z7yRcaDrRzz?KoKR&5RGXSo_&(;)>AyYLDP)k5IEP`Fm`^Ehei`JhKS&}B;89hQ$4)~q9Q7)9D#e61k-uNf~ z^g>D#(58LzV5W@Y!uRJ=+PfgeIq#5R2x$H~*%~YYl&Zjt(FgiT?a8nmjl_!T>{O|~ zyx8++&vyMmzO@gFFH1zhBSwGA75X;!Q8Vjk`mqk2;P+Mq zs-2z=Gm8TUtPmS)*`hOToVzhszjh{i2gKb-ucfc$$L7a8Bz$4Uh7R8s3oo!RR)|Qw zESDEb{EqInrcskjZEbx3REU(UmayVp&7Ysp_-u{4yR@XFj`vTc6Qc@67{9q6g4; zr1xl(AsNK2H6T2RdL8ux4$t!H$BS0^YTaj*Uwqk_7`G2SVpQ=t52qF5y=0OtlPn&8u*nNg zH2@=MJ`s)r2gjLw0x9F*r6fE<0LAZydR3C|A&BR8eCSDe`c&O~N?%835(OY7$L}|g zVQF5UNH;l&Dc^{$IY#H$V0Zwwn$ejv^OARNsXhKye{92aM!D>3{=&oWrV^I zx+M?B9C0%wc1%o-2q^f$w7y|}e&u-U)GvNxN#ScK$V}~8xf979i6Ibs!q2(t{d=*Q zVK!D)44kmC9}!dcMhrzm>5&jhNC=Y@ovd$XZvnt-6uukjd!gPhk?#oVK*eGTu0@Jy zGJ9gyr!$!o{t5PcVWDgv6Ze)a6iGj^TX3~;O`D~WhLx4&3Je2bj5Z+iws#L>c5;KwveOS@Pc^C$S{`f zZdx#>xF)wG$7Sz@=z+#k|n%a9Xot3;7 z$!uQ=+xJSr4gee-ZI1{z$B;-l@UDu1677nsE5S)ipdsw&gPHJZXED#PV)QH0Pe3N{ z7PyO=7-#N~!znwvJRJa9{0 z#+FL3dTUV;fNgp14&>1Ds3wS^IlFZL`Cz^^Q;(b~f(YDL{gwBk`4r-eYG&6KTDnEJ zCZI~I|L|dYZq6qEH5wVXO@iBQt595{T~n<5~N)N-lmWt$bcJ(CO%Le0AUp}^Y{kxvYIAh#378c zDg65|T@rRlwqc087~W_kI?~sNq==X*B^mG2ywKi^yXzVR31Q`MXo;rI9`YbB1IFsC`+0nmVtpWjs{{wN>83t_9rJN{7s zT0F)(T0ABLwFDT+8Dr!A44n#9UF<^Ck60MvE759?fisj>zoMmj2WW>R`Wu-W&TP8~ zSJT+!JXXS`V+a3!t|VuJfGJ01*^T3VVr@arn5&GD|(ALcy=0<^J5&LOr*i97dKiDJlTaW{=pA0iwh90Dw2%UDW*T+m26CDY|=c zq>pQ0m;Q2HxChP~+aV8hzEBY*Bqkzz`i%{Ujf-_`I@p?o$cg)QV>nWDw9ajZD1j|m z9J_30)`QLIweu=2SU4fQJ351V1?6+OjxoBc6|t|u@R~=)n!`zndlHf&96Go!RB&}C z260keWZkh1wFxpRInu?8uqeeBkaSS8eHW*a0fv{9#6waDhAql2RaF}i?$7Ju7Ohj* zBddZmh|kP4Ren?B9pbn1R`67ox-F}iiOHm4!$z-8 z(3|Ox+!B1K`0cBAz~rQ(r$<3RwV8F6=>{oPMxa4bLIOjUHjNynZ0_g)Rlk}~?`0!0 zeVFFSNlRPX*;USf&WxCf^cjZG#8{%nGsaV&Y4TDYX8|_2a`ECj7B@!52rRY?V9tXb zEiH4%0G;j}P6p?A{;5ZR##s;zt1d?#<m2~#4w~YIB zyqb(e>4x$%mOMviR4|MLT7i*0*@9Ih{@uHSER8$CKCu`P0;mMy6o47gZ*S0mtgmOF zd%U)`D#sQ27PLy+I}*3BW;q@{D~qC~_C1Z*fIvOlZ}uT;;ph)0yZ1jXz&zpVGv!Ny 
zCJDnf=u2zCMcOzL0dN(mmD3%y#~5ZzWo8BoQ21CW+T4Kkb5|EsF#gBc_!&f|bXp5C zf7})o{CSWcyQ!RS*DeY4+`)Ik_Ve`e0+p#64rR9wpIH+JZ{$^eet`RnP>P+*2!Ns< z78>0s>e{o6ZgPP>s_8DxlEod^^bQl1b9Bmc6Mtiq)nv}Yg7ChdFagdhLZcQ}l4>>uV$ zvcMgV^a1!XRQWka8T}?QR8l?l^_ziqT2v>%k+q_N-0mIF6S|reMqXS=pwb~>dBl?o zm9eY4J3$S@Sz6|AzI5fvxd}xl_{0~MlvGmuLf4UV|1cHB&VvV;7Ff}VL|&g&HUIz_ zTE2JB?P2qPG#h0DLA?TU2?!G}ghGYPm>sbSS1JN0BLl-(jBP>S&SAx4p!ekuISLPD z8aleb^*{heIBiG*3Eym6SaD<8eeRW0OB7sLp(S#C0szA3c}S3gBcws8jd#BI{Y6HG z!};@^Zx{#tRA=D*Jm>JO;;lycnh+M_r$KLU449WovB;MpwDuc8EDFAUz5KBXC~xh> zQy(;WnK8WMYRip^!kQ+^UcnfH#o2|08#AZDhJo(e7i`A%TbW>A;UOcj3~DS#@1Xn_ zME=I4kBlKl0VA`B-_1m22FUCh25aMnbYfEte33$5BOlDP_Y3Y{US_H(KL6Li34I;S z|8A}++{d^Wb2zCayvuvi>?Jz!WH^F{z92NnH6WMIVetT!%igio_-)&~GZNa9Pe0vI_RYV@Xi{gT5GrKlA3z6*V>R5L4Z? zMNU@s$Cv{2p@)5%=zW#Z_)R z9tRi#pmCl~|6PE`NXL0_en0|zZwtGXpy1$$?NSjMPoPe+jCw<$w3s^9pzrYr=}h;l z^LMdB%F29^Z~tmWk_goZ))w|z2>G)+3%1<9`eQ6&z7`w7VskSHE$`n4cf8BV-H6^7 z=(G}uy&e0J&7;GS!&qHkzk`h}ABb@G9n_BSrYE03l4@kQ3@sbVGLC$D28N(EzPle_ zT5ynL#D+%3=FK?BXjYMN(u!bGD#zF2IN)$bC9htwD@Q;ZwVuKAQrz-# zJ4{n5b=)d^g-S{fCJx7yMErLCwM+ll&|p=5T6-~6mR==l7y)UT9k!%>spmNsRkK}Q z+yC80@+cF5k)h9lJwjUP;~^JZ?c2{FHi#B00NA#sCgWVIYP@;syeqzRq?@iv&xL5H z-l1#gWz$J^f(atyN918vf&1&`)Dcj@*3Q#GqZKMRC}Y)L#Grof|K01~LS|}$At$%1 z^*a#Ne^l?-AH59*MNZKu?8OA|GrA+E#{4(3IGOC)V6bBCJgd_N_HAttft{| zY}6N&LFu5J{)*1%tl=;!Lj;`|3=TnPv|P4z_dBSOH8_O)VKn?3jDBd0 zgFcZ_WTq67&MmEx0hI$+&$7l1kKc&VHh;jv@9b7AU0-TAHzyX_Uzt$OwWc-M7wWF| zQ$}l4$2O9Yo(XY4?VNL(*1hyy;`h}z>GZV<5!`q{f-l201uEH1lwn5@<^pC0`MRN3 zwKs@xg%0I_RHjm)dfvX=MAv6&yDj|vVJQ~}2aL%2=EBk%MWjW{z8iqq0VDxV2G3dY z{+-eyN8Bj<$=VkF<~~WGC?>Yk`mz;bM zXXqaIA-_jx6J6PR=n$*>2fvDa=BuxSuLs=%V+H5d=}UXNw1fl;8Zdy{q3G=a7B#lfI8#mqb+~G5J-!Kd0|8XwTA2FX&I+4;age4} zpDsgi7!%Gy&>cI@f=6`r_m<6@i9W7Rb{*njuDi=I-6cx*x~t1l#IYr*!{#13K8rDk($InD z`1nk)L7^~f!?4`-yrIz%1smmGuJr!lwWOW%IFe|zyc0m@7C>Kz=d*&mye`nWodter ztMKIa>X1g{^FFy~Yoiv5z^ck!X;GmF`Fki&Bh<0rivQcreT$e1zQrJ0Irla{rP0YB zDBnRE*dV>_Rc7X=mX^zV14ox=xxU7te~yBh@QHA7fs7WQDDq=inOp>o5pgT#4&5Z7 
z8A77zd#q+%zg)!)^a$aYR%)*&Md%-IVPjDq6&H)8r`tX2T6JV&tR`$Rge8lRb{snN z8a)!i{twZf{xmwm5>iq+I6C%M$c|}=by3i~C3u>2OjrO$krfv9&z+5@=xzBB8owao z_j{O4)m&eA3eU1y@5``Q0ax}xOpFIOcV1in;DSSBzJ$x7(B9Fu{H;!%+V5IxG2877 zS9RduXf;xX>=-*H&jme_ARQq>NmutJm{c*T5O+yRLZXjqA9xrRC-20^n}E(%4_$5n zb|eA-3XYh$1hf@E8^=)|ZK^L?C+KPuXi-Wp7Q>$S8eyM%&Opbq?@mmP`OqUhM1|Gm zz8#h~aM_a~YX*BQ=K}_TA~`^AG?$SX$j}hRMJb#VMj63ZBN#$D{q9!K{(0Y6O;3yveWEZpsQ0$^UEI$&0p*^w4wYa58WLKWQ{|1vZ>5blRtWg6^?aKRf z3LP#EX~<86<1M#RGH$5{QaDhi0~0hSO|{2OL>skBJX!-36RHcSJzCwL5XJOj-siS9 z^opy^LO*``glD=?BG)2rEmj1!e*_N>Fb#j326;>t2~JtA(3GFRub9z0-oX4K|Zxb%a$ z(!&9#(F5)tnaCah4`AR9-e5WlVKdmC-d+bGxc^OCz9?V>*t2jtE3m{AaJON&ON@<; zVRisU8vR0b3u)tyZJ1fuO25EncamXcH@ci0&eUx6z!|8E<8S#li+OFoqtt$y)(-$I zuC>0T-`EPMbC=-ZZ%Tr{89hn=pi-?I) z3?4x?vWWH)3Q-uLK(M(VMI_W$$Si;;pvR6$Kf1+!-0f30G@f7(SA?pe7EgI}f~Cjq z)Fyi)y$!LNYiFCd37DGs=DOnSvqY3^C{o*f_U_zCUUIsEDdO)2Vk*ao3ee<%oVhIq;^3knF56f{q4f<}G@HCC8gnt|hBk7f>JBg78sZUQxjZrz+p z4)xO_AnU$Xf~AwA=7|<7UihUM2uMjXZtvf{qqw^PgAx?7hY$_W}kHn?LCZIk^g+ztq9?=I%OdUXlNCc1He z7W#t_XJNnPcfgh(6Fi`#)q>v%WNIj)^Byd(Dsg0RAb{E#>RrPw&3QEoT==bzixTd2 zlneuCAAn!e{|A#mpf#!+7ZmARr`YSOQC5d{pEHloo+GIpN_bK@SL4&eo}NqIgL$nV zJ=T28cZ2ty^xG1+3qcNGs7j7@*;FA-v<7CXEG#TQ^&<3n8vhk{2IN`2a1$~%F&W%) z45gXqx|Ou)X$&i1kH|n4JT$}#Ko*}J*DK_X9hfs$KX8LG;QDo{H|aUvEAT+@IF7~= zavPB@#=RS8J@DEIJrW)m#zOB1tQPHvFinBehK3;6d_&2L(gIHwJWGT=Pq-TkU-Zm* zv4sQb1^o5Y&GUe=(SpH<4iHRg4_Bq?Jv+jmC9eM->-`3tsHOJrI8wS#IQ>F~i3DX) zA%b&CC=Ge;T7O^s=A6^-`i6&5)t!fx8ORx64X|=^gI^~C&FT`F+bx{(%DX@Z^5K2v z{%V;_Tf#2pEg;I%PCr~xc(;pl6Qd&0g~8UQqYJCp+cnd*rQ>e`YK_)3Az>IXX@g-L zE@sfz(K41mQYa$o*5IYq)>${38S)5YN30Mel6OfyO zwt&rSId>gBClrhD1cx^IaPn+(At!n8ZrJRplrRM{W5=Q2E^6Ow{|Y^B$nVR)e7U1Y zhiX?54MK>3Nb9bAlWLFUOuoJe07!y^}^EqVUD{@pt( z6wFw35MO|HqJiVDu-9*vgxZSvl>NDL=q7Jk-VA<-_u2~Qh!6}AZPD&@dRbD^RbNl& z-GPY}^4hfO?qykuyNu6)N~X>bY@&yU9N7feF(QeI&VgGQY)9M)$Tnfw47o@wEiqpL z41H{k3m^-@2Sail-s9kSSy?6oh;u{c9i)|8VZ3?UwoomiaC3zI&K)jen0IF(2GK7% z8g+F}SROn}v`lSKWochPCu+l?Q@9D?e&=Fq8+`mUS__z10L55<<96*h2^g|7=69y+ 
zJ;UXKufEP&uc}LEinVVJR5-wK-(;l}p#k@nX76=|-6YxHFspIp+i?qr89RVur@f2I z!TtNUeJx1F4T7FW`R=seGc&NA!pDmpox`=MjayaE|3=?_|6H&u!4QBHsp7^g?pT~_ zh)pq1Iv5$$A}d}1A}j1*M1~P;U$Iz7UTe`Sd~TcvRYpedjc`#?3KPD@wFtvB6xeXf z!Gbf?VRT0)va|8l@Kq^S-%!QES^9Boc>wview7E-v2$T`c>gqY@2#bE7vxddP#1v2 zm?MLH1pPR){eaJnt$#CARt5pyvQ0LaS{?&u9UEgrDY@TN04+ohU_%%D$cYGtuo4sA zInThCC%T*H3a&g@giR(8#`#+f0jPcEj1JNejpOaehI`;6hcXYi0cI0{$N{%UYze?f z!O!K_yRiI#nE))_R=iEx>xsS*41k+;J%+A0 z@I)IiTp5@I8n}>SMn*z$^#o<5l2TI7W3d0kfsEcii=bz*^Nuoag6w4nj3+MbeZB@0 zY8omnKQM1gOMQGLVIGa!X%v(=zJmwRSCWJ2md9lP@R}v$V6H-svx(6H=9*}RS{15* zo`dTMP*(7-MiEqX(Bk=z;PE_3OM7Q?ZWP0XC2fx>^F_fMr?GhIEKebVG}cPRO!&3O(JRx=b?lB50o^6+ObFv237jj7~~uV_|L3Rw4!**9FHPLbhSF zyDPa!qZ|n{VetVzu+NVofDGBzLu5q!LO~rk54Q}k+_aKPQKjz^5Fi@6t*wS0iol<- z?keN?FzWU8mY*jS0>2h#Ys-5EjR^IM;0<0`Sub2_j}(AB3m(Ee+x_5vCq;V@LEQV# zMK7kkVCFzsfp*MQfdA-M_^h#kOfh~(4pzz@93fa%q-1CZv_nQFxO(#);21a=M#iI` z!SJHpS2tCL*qy8(K(soCuF?PhKQYF4w<0Z)>}Pq7^}nH1&IG1Q`J@n-drsPVdP9=KJv` zLN|^}3XNCPEeIT7(Lh-MZ$hA9z!2PNHVFaA{L;vU*}6y<*$mIy*c{4neFhUg*qWh0 z#2W#702^CH#S(-*>AMV)qm|R^fiYkT3dEsk0JrO910O)k3PR!nu1CdvSL{fXbhf1^ zTvL!N!~aA6uHqB{u#~AvU@%d@9{A1}W}9~K+yJg0fl>#^dq&Of%a<+@{iMgo0Id=O zm|*H7pAiMX7R^|6k8lj8%rT=dMeiAC2bCAL9u0xE%5Ta9BT3L^hv6(h`OnlpzjPf0 zp*zR0&i~`+x5Y%(P+%@zd_ z>FlAHwPWgl0;_IgQr%;)3(J{WIY9UVOa$z#ZXk;2*PU+`Xw`WKlX4mNaSqd&3y+9m z3L%Lg8?P=wg!$im8kZh(MmO>z4@4$ zn9wqZ`6=W;$k6Z|53ww0;0_Z-Wh;g6nspr$sJa%jk z3`6sSBSS(uK%td{ocD9VQa|P8$a5;V^X^mUSyhK3lKQ&?2{au{eDDBaA(yG(JQw00 zz|$X1DLcyHl={^Tf5wjV;0ogoW_JkgBH)QiE_Q4gblwMTKYsXt30et>Juhkh;T10e z(J{o=jT?if?x1{!5^uV3Qzk?(zI&i|LZ^$jA!q{{IH)Tz@@x06kA`}BR!&az%Sr(` z{22Pw(y}2w6qdGdh8wi10{I;}o17Gffq?`?Gxk-lp+xgD1%h>d~lZWsgvV=K9{=u0AaoU=RbS6Zr&eTRcSTn&YMH!vyJ8|*Lz ztd-TxO-VV7g~@k>1vp63WKvlmDx=5yve&>iH9Z}d_KTXfGq_gp*9}PJ9?JC9tTPSZ zA_o`%qg~=ehlc(%(UXkTyf)RR0$nc<>QP?`zNn`_O<<7?SK*~H=Iz_V4CaYhfUpKu z(r;R(FXe;U9W2gfoxI1`zv2gn}BfL#ZQFz{v!K7%Vyj8^2fLqE~K1S^?54BR&`U;5v&8~!Nw*)J{K zP89RK!Spb^#ei!3Y!#J?x;jnMP#rh7Jbd{0^(y2%DCd!rO-yL<^!4%(c7d1_-1!_6klOJEEpl+ 
zdw7j2uluXIp~eC>`dRqE0hA8r1Y>0C=4O6a`Vd=kDQ5^*K4NCpwXA}ID@m2FsDEB$P-k?;7s~D^cs#mDZ5c;8hDgWe-J%#-T zj;vqx7)}X(?`UuD_W`#3_!wRXPhun!ZvNJXA|OVhfkg<<^8L^iLD88zX>}7Ug{LEF zSy^yLq&KrgFb%w#u_sC$S8ULcHqcKIM$zVWm8_zofB^ajU}2nX#A$2r~* zJ(>dmtwrfWC&$NUr=~2TZq-#(z|;8G_wQdbvk1?&&#`zKvNAHcMTW-4!15aLnJi60 zKqdp-X^H#y)D*HfP{%Q{C84|QuVT#3>1AWhdKp|v&ER9{m`*p3*@4h^^GoXO78Hb{ zyz#Ax4|uikPl(ol4F-qP5BXX6aP%PXKm4cSAY*$?P2SRS=C}3w|F{4xQ2F2kq3(fv z09OVwz~Gj3#0~U!Hw8f+M;MHxqieEiWq@XKbU&20m7zjGHYA z)-3j!si{H?cB+g7!UtE0F?eh|K6@1lickkF6p|uj?qKk>XLhH}&(9+amwC>p>FGiC zb_vP-_zOCcn_J~kso=mkg0P6P>TC>XE9kYt70ZW8Ap+tQ*ar@SEQ6niV~mMZG0IAQ z5Mv_JLE@aYevR-{2Yg4#&4ytFkcs9RokeF0C*91f2X#T<`Y;Hi=1%Xb z0Yyalh4ph<`VFHKXez?0DR4vAQ8^<$2c~@0(=*p2LPJN#9LCoPq`bdq-A(`cnIkEG zi<(kwFgyi}&;*=`Zub12owTUAgKr_qpbb4>i$RFfxPr^$Vcr1`Kvde0H&|W_@%L8& z*U#gYGp>Ev%lqf)xi~qGALOI-@9OPUl9FO?4@O~%jRHZ5S&4gi$Bg)xw7qFEffS(l zMUcY#2GJW#eP(CS{5-K5xG=@K8qi@?p~-`q6>A%7;E?iy7rea!WFSja-nK~bQPfvr zDpI;EEe#FoyE{Eag-Bb0{DB5#aVIRy5!HV=y$V!Hh?Ss(QkdOE!mOjN{v(%?!^kre zS#3_OS`E7HD9#YL8R$%alg)0l0fz_TqdtLlu*DGQq5Z*PpQA&TLWy~fGtN033lxh6B_+_Z`bn=9&cv7@A!4 zXx~Bsfa(_esj&aJ$U8K-#Cg@e3wl>lU&rQz&I%%xK_^Y4M?mc$u4&+e>hB85l&sEO z${08X_BlY7Wqpm~mC4V*ys-Gehqez~UqfaF(7p#-4Q`$w%w8W^2h$Eu3qJ@~_sf@C z3O?eIQrjs7%Rv(X%>l|o)P^GRy=!M+G=(FgQnF5Kh7FJO0`d>e21{#vTGCA~#2T(3 zX5bY`beOsVKO@Ar$P?9|jeEe^6*lI0z^>C=In#6sh=FJl)x)o4ea#0J)0M|~;lK?$ zoK{Z^fw_QXGGd`qhJpq5NFP5Ed~3nh4VY6XDIkyrA~mc!Q5{uPS(o1(KDkqu=(D~ zAGQRC%G@@E9RrXcSn0e-O+9t?ESRZ{#cMEoJ7B*8UnA{9u?3qwaA;5y;Fd&Uk7tNWOE9JA#-ks?bQq}yDok4K?GN8k z_h4!8O^E;S!UN`j=FNgqD!WL#$}A9Dl|NU`v6#gRNgzXA~?%s@j{Ak$wzF7GME1IjJ%gDv> zPH<=AZa@tJvN{BWaPjROe0@)S7l0#}O8AHnBSJ9eX1QN=fAnNCY;y61@R{@K)%8ksK-Ttl zc2e-R=8b~O2`UX|ph1snVfud#*&)I$GN^+GU2JTgl$6MQ-n{td57N9*o@tzdTz4dr zcz{SCINfPydUk~uu6#8)ML?d>W8qQoy1q2=EU|Mzl=20sUUrMdCA2*2<=$8ZWi=nNG zvF}3iy)PfbGs!}Q{FOx{B{z!WCkoDjN#wuLQT!v2epCTK^^HW)|5`(<^_-Ozc#Fso za0nkMT((jD*$QobDy;J0Wmjd*yV}P8#oU_^!K@C?YFHF&LXdu6$#vj5Xl!{w*ifg=oC(#^P*(?E$ueLO21V$3jsT(xX5LiYKOOBLP_W86J`Rnj%~c^tM500X-Y=O#ON> 
z`2!k+4YLQ(dtO)!pSn7T=#n!=ShA z=9|gn_q*CZ?CBdAfb~CgW^hH*zyl$!-fA!`@LAE`#23nI-FybCsYSVi4|5n;vM-Va zLsEzH4i*9=dzVHUcG!;cB6C6AkCOzrVME7V8m=EpLBx(Hf*XJGmDV&O$8=>_cN?

IW6(kSm$b=D zD|Q2XM9lOE)1% zgn(qjE)zQ!;#J5)$V;}P^$OcR_$g?{ifs@c^;f3no+_8j>~I+ZCh zK2LZ!kiO#}jRWNSi+A*)HtmbTNNrtBO(!6;I5SxjpEmzxEf5b~c|~;gW8O=Us=+*Z zRNvSLuG^-pr@0&2r)$AEtLns?M@>W@#&U8m1~oGqNl;%D;X16%LxL3)nC~}au5oPJ z2J6!;wM(d25GZH!@3g-ogMy^+2ASq7A2h|;tiwZUsVMrfOQ*~L+QBKMAUm5e{v6l^ za4O9F{(;_!hf|G3VAn1xYU;pzw3HCfFrJu90JJ|sXkT4z>|&0%fl9be;s-)oU=lG= zjb3#I&l$Zm-9Sd|p?QMY?P+WL9bsT(q6mVzBX= z$IQg%+1Y7&=$~LN09F^!bnk^g&-xtUnbMoBJo#VfKMU?Q@va*6PJuOuLuy7n? z)Z6)i7}$d`ihid-9nINOf~I-p#}io3M^W&HuV>k^+QOtWH~Bt)n=DT#dy?pSN$ehA!($A>6{7k(#Eg=7IenmPLwm?+tQe&j2&>+Xk` zUoZ^fSmYmn{u1dsY${&?a|jnAL3?W3tNyqt+qB3El1Xh5RIX5*Air7T^2HP4Fto7A z{j<2pAwav6xsq$~O%S#JnjkJ;e=ElQNhk*M%(x@`{gRF|2a<;p44VJ;BJNXSoLJ#? z9B-nX4B>{h%>|SJcsw9LJXG`v4cdZncSv3RB_Ua36GpfF++EIhjg3%*tbr}!{{dAy z02E5sSk*^MKfAZ(qM&fA$3-4B>*l%m)a-qp0}!69RX0$w(-JEqp^pe*;R=S( z;V5-Da$@W$ILzeB>U>ciIG(6ytE)NR-yyh^NJoL_fbR9L#6nUFtO4h|rjCS!5JDct zP-~PS2-Vmh{spF>{-dyA`%@bese!u}0uL^KOf%f5rUFiAPU(AhHpg?zC6Hy{is*CX zf!F;LJ;bt2YWieIpOCYoRv~;EBW6H`0vl%8cLk(3tDD$Bbz-kX;?K2DkozwN`sth% zR3C_>Jk8B3EZhJGgrFKYb}+Zv?)k#i#PgYw>t9krHJ~$)RyFS0g4niA87)@vT z0Cb)#A~!#}kEjmswaxLAVQ|)0GJj=%GP1YO`_FHPm+>q;1n8>00p}AL2D;;-s1Ko9 zqVUJahz(UXTtoxMXGvl{0F$gtK&mxF-v`+i@+^QcU|o_89Qy1HU1rR_9Z2DEji9}) zgoVYpL^ycH9262_IOco<#Fzt5EE`ay8orXVrltf5nZ5>d zv+?zVNge7+l-V&DB=wfm9}pC@p*;%7E-(UWDk?xEqJs6COd6q`>3|4qr4^=*bPNm| zX7Fp+%-$Q6pL14+hKIo&;J4)?1{WdYMYjQ1HOzi-%M$tRb_5_CTcULlGd?m+u*G%` zq92G@k6YpMmoK5WZdGwwLO!VJydChK%TIoarh`aH(Vi)f#U9W%HI>Koz}|1q%=q{0 zq28m2_7{+5V&v-6ry{1@+#!?LB}go7E>)EWj2r(KqL_WRARhu+9~ATzpNMFiN&GGYF-vwf@Qj8TN2O1+Fp5+Yw!JUO(3+gnH?f^vh zRz^Cy=9ZR3ak~h_D1fIN#c=2U4gjCz2)79<#o?SYuP|8{w%{Hgkn5wi1Re$@=J)TW zrCyiOYD|j>T$uSUGHpW_2zNfJntd#Q_2;4dvvd@r@Ygjo3})Dw=kh*CnO=&pc76@p zplgoiOEf;Jvk(~IFv6lk#9K2cP)RrEk44~79Oi%7I?sDRCdj-ICIHKjdf3q=#{0l^ zk28&YX_HS~6MjrC!9nO)*Mo;QD2*s*{#hG>h(=7b!KVj0KqPGnd*PNs{i3$95nJjI z^0~rHydd&>kkyt&COdip}|a4^x4MlDYSDZY`y0}%BUOMj-mEL zAaatf^XJ(g11N=-fzwMkLFB8jGc(gLF(EuxKi>`JjoDG$`u<*wC}X5Sas@>L&HLl) 
z;W(gp!~X^qVyDNPmFtcLd_Y_c+fc1hrys$&A^2<$XP{-y3U3Jq4@Vj)OO88iO|^B` z_>JH<;7>_S+Ds2?X%H7d*?WUb+Buy>&L^0$%)7*tTaz*U?>a`sl=B1^6#ji?W|-RJ z>EFN6I?ELapdyGDsLqMbXPv^54t#;~^2F^4ColLKU5iCNi}-ux@@3jhn}A>dZkR9Z z01m%fKmfl-7B-)++l638z=_VVSO~{+Mr)-o2uLQ5099c78rG#_2sw*eRT3SH@NkNA zKHyrw23T$7p4$PgvZLcN{Nq8QkUWiCPbKuvqk#W=?x|AB00{YQv}KRrAb~9h=NKvJ-tWqz5^J;zwc(EYx_{Sh#kqN0u(rI}d8ksP^)0mL>n;Om>TxW4Fes`&rf< z_uU?HM%u|cUcK1Yo)`1{Dk{;(UyXn5pp~1yRm0u2t?S}# zp#vl8A>>iC$=j9pP~BNLqAyWRBT>Gx9{p*9#p0&Q#PPS)+yC|7%_J_VNpHt({Yk4&}b^eJ)_SZf`P*W6)K z=ev~d>owbSEd4d@Zkm+b-07tCKS_vNFE!~*58gii?`PgWoDB0$V>s@*FC%>Hf4E9P zMrP58RDXTgWo;NeV11@Dg7?kWem}U$68IWv0m?j}i$V*B*;Eyi%FtB=O0z%O$~Yf7 zbOh2L5^t$=B`_M0jBM{G0Dnmy1GM~H^AiQVX1|8;m)-nHjq77&Yhz_ApUUjxY*Y8F z&!#I?OS+Nyd0Md36aP;6nAbXsC*v? zq|D|FFT7kSaLU$yO|Cf?ohB#Ck>w@-`<5-p*T;NUUzo2iwPj==m0jzjR#H!I)=z@C zG;R73h)l6;G{jFKV+~A^A$~2VNSoIo3>NyCe4p+Ooqm#$!Q(yUKixhuBh*ZRF|A}| zkF1y*@l^2{{HXEYDw&iLR(=C)X;fI~j=VO@AHdrK3WSlMEf)^v%CV3O`uB;k$Uld}V;WIRX&G^6NIUJR|07e?MK$&;RYo zIE0J!?|YPJHwM0cfY1WZUoTi+U3@_de#e_6Q-!-T{GIO%&HU+I8J40_seQTf<;20F zZ@-4j{(X>B8$*YQ@A>a*>t~vOZ|3ixEhzr~|M=h5`S-mse*d2Fzdw~zvDE*482|n# z@aW&M`S&N0ikIF0-jd&LRvJ~Wr9cHA6|Ls8+BNqZ=8r7TvxrX(L~kDvJ{z*<=!52d zHV>&rTKN&z8H&bS`qD+Zzl(3QX*)LFgR2aGUoxkVMRj77X@2A3RezFjQquhRgNI(1 zOiquih82PN_VmAEV9@{Gkof0DKL33Zqd*C*)29w` z?fA(Qe8VdD)PC{C4--ObF5YuR#z~v5^Sw;jpW*eV^Z8Ld!Sf9ABbR30)Cf%_G`GiU zH=hde{d-9Lo&={dCl9F_u&PG0zD|9{#pvETSV5XC z@bxIr-5X<)y!VOfzHiMu3GxGMig|^-uh_=wXNNeF;smw%*Nu;3a-BFk~?{6bp@O99exE zyodYRqxWONmphpvljMEY^q#PN5PS6^**V*8%+Yb<#v2DNKR+&+*)nUSdh*4$Vg*G- z;i-i9k#7{Io1XkTSpRl_g@!EuR;rx`G}H{OjiU_?-HozQt*?D4nCT@cw?3t7-FNy$ z*_@K^O6eWpxcZ^}NWN(fpM354P{G^cMfO;m%eQBJth52`rH?;#mxrCs=239>?o{y~ zp=ubKqmduENcW~qsC^<|LvSnc!CLqIw+l5s^U(7wf1fepGhREDk)}$0WBZt67*EO= z-PeJUV|V7yi=R4O&)#19`Rjuu&o_^s?`8=Jen&}rQq1+F`H`~-;PO$YPSuaOUb*0K zh3-v=CryB~>(aZrz~d)1Lce@bvx~O($L`+2D zPSlW9!`Dj+Vj}pCIIqt_B#N3Ak8dWDudgcXP9Gp1P5F}lzw?@{Au?OHRgJFMadu`>A}KBRZGP_C`Oj|^;<6X0E7j&q@9EJo)>*S<|33IM!{LZb 
z<<{f-qVD~g-JqSI*xOPxeV|d%Z0!#5rYy7$|GO6qd5jHN4B`cYGPlmT8k`hx7@D~? zK^MGCk?gYGaazl?P48@OTcdmY#1r<1;!Rs-`g}^x#BHPOhyQp?TfJLCn2r6pNzeMj z+n>^jOXi<830>NH{Ml^cTV=%u>E}a}&j%-O8yhQ@mD)lj$`!V-;qYpO`d%>+02gB< z<7diEZ?fMXm@@rx>S&#WRPm%diS%Oh9tZITjk^A=sGq@OB@UVS4z3=dLU$GEw;Ik`hbB_>>FcC(Vk97>z>pX%>2t}Bm?-CsQ} zQRZ2)5MIz5Kew->{{3f`N)ZXIU!D28A2ixo?~Y{|+LvVVs$h{v{?&_^A)z1CyJx#a6P9Z7VNbmJHD`2m9wv@Ga}s_~KXk`!&nqLrmg&?*-?cF& zvq+MCuXB2!kn4wqoHK$~-JQGg+~TKwMfPb-r|#7l_27$TRz0b~E)!X;SK61oQnWYJ zYx-xnh4e?US8YNb-2pZAkDK=5v6Y_*__x_kwJUfIWMrH#&UzY}5)mG`yzS@wWXJiu z*pFKy4aIa!`%YxWY^B;9aq1$uJ`QQ`pT0r%BwvT9;Uo!J$x?eWgVHJOnWK6VKGlaU zC88Trzr>O*Jt|3`tm*ZAoq9A*Q%%vWUt|B>oir)Wi=MqM`Y?2fL#IhXwfWwQ+-twT zBWX{K(YR?Pwr}@Q?7%H4G4;c?+9l`4*xYzd-inA=>pFPt`Dn-a8ln3R{v)@x6}Q!2 z#a(gHxn0+gMvhp2LH2(E<&gxZ@ks-%mP^Jb1wscyGaSx{dJe2sOieso%d*hLR>U5*#mZbCNH)TB*H`J@sc6-nqrD6B6tT^RqsZWJa z;*M%2&xQ8sp0!8Qh0EGJD$ItNEko9&+*h8r4PMHTP!*-G{w#4sA4vnZ)TC?g*5Z`C z4tjS6XiwhzlIvkb3@0g;EzvNpJO%Yrtg)z+;&zUZ-D*}L&!`<8<+=SAiZ?_ao1&37 zA4vRrY37*zx0h3JMXvwIYaVivm87p3;Ge!8LZUbKNvwCM9}3fYiT52Dsnct6;aT?5 z$2=Y9pY}p?KdDs4yYrtEC`mNZ8fHdck+~r0Xn9E@@xFmp{Og6`Ea?Z$Rd+NF$;v7; zzsb0%Im3U0>CK;C)U3wJ*}8kzz7snxD@Nzz$jtP04xO7)C0ElF4mG9TOXG;M;)qM$ z7ni~%c;e)IL_Qn!r+Z~ZzsIQjvxZlBy>|zJv|$I`8|((Oh<^Vh=u8i-V2*N9Q~^eQ%}01v#9Ct=R?F-9Jd+*G~#m(ATTr{n^j$4mWAm|1z^n0r*O`I14i)(R)X+`|09L>}`2 zYTAs9XBlkq%T$r^zKi~W+q=$a#JTSe-Jj9_Giy`O$;Y>@t+pmcDk{va=tnwte0BDc zBtDdp{J#&CrNwD%crWCXtLjPWV6|;O9Tz5gEOTRMWoT75?k|*#G!c;!Nop*RlEj!{yfuI&IntcN%Il(nh@uPae{0K6LiMbDb}r&Mn}O^ubS&kVb17aQGNA-iLIW#s!s zPlIL&1vv?>LDPuV;j}x#O|1jIKXY%aT^cVeVr|&X9Pz8WxT8vWU-a6K=DTreTd6Gb z&JZ<>tn3-kgc zomw{uKibv2rH3})spRDml_)34%zE1)Q-LyHnt=Aaa|cE)U4I<-;6<+<%WJ;O46!b^ zIi!nw9>&zp9#k~(6%L}IO zqJNi5x9{Fbk!Z}T*J9Z5T&RBS{h1f( z0qln^I1HCm%xcfldk7~ffuGG zi|vIka&mzYvC7Hx1od8JQrwf)Gk$$F-p z6Np2@5&8GoeEC)5Cbt)HK(c8UXA=5J!kpIK`P)mkF}6WhYm2=c5y5fR|UCcUw>~!-+|dbh)u;O8h_6pYHjmUXx?%r zi!JOVoB8|auS>2tMYA5_KY(LvK6b%n4i|D5M}fTUM$&167qf}OdA|>R{j=>SBTsw$ 
zry+bga}lo4qgy|8Tv-*DSpD7h@ZdA*QB7^?vEibsH&SdYjhDXG&FN9hhBHlxz1%{h zn#P?q=M}dae)Wp;5%L}QWEO`1BATEDZu^rgsx2>z5{f*9&CBM>lYIo-6{Nn#c0@Vk z8FR)xtlN4e$LZ|zg6CD*x0;Wp1m<4f`{c{<;~G!IXip|^F62J?)aINOy9v9Q1n=2Uc``lFhNII~=z#S~#gXNYoNw=`*{!UG_qeGj*yscm)l)EBzOx6|{>NBDDpr>E?_TfmzjeK~(6 zlc{E)GItT7&3CH)frF#rQ4&#Pm5078Hs>RDsbK!$UXJoWB0~g?S3cd zIgpx|ye~Ly&$`xjCXUeLQL)Sq;@`%9{h4aMi|4*}DoyD!(km32^K8B{ryFZE%z3|d z@%*F<{{1IJXrccoF5IGh(*8b`5W2OWO06I55PXB=s%z5-Vro=Ej$yV)ZAiz8Bn6YE0kLxUEC(klB^1 zVP!?na^DX=^zAKfYE*8!Y|w0=)jXS(c0MD`vH0PqA?Sy=eHU|z5{D&Cj0=!{ix0k4 zM+_`(?n-K8PrGJ6VqqNmQe5I}hgk`pH`xi7i84|A>URkHBAoZUv7xm=z4iAG2i^Xx z)XgyQv^!?6r;c7|62H*(@`Dg5?M7qWR&z0ppw8P~-`=g2$`xF4KV_Z2fiwQ&@{uTA zY1wt2om+Nj3Ot$18FJS@<|x9I=w>}*1#iiNjO}LL7i~9b4{=QtPzlK)fv&Z#SPtVmTDY>ovUK!C%O_Ur+w*UF?sui&V zR43{Q07O^uZ#rr5WbAFT)E1po@t1-JI8~!V zQjG4q=g@x=(WZuIzoWg?%6Y%rK#29>dv~n%N3rOSYKGVN^!}Q7^Gu2H(`NxSgi&Vc z$nu$lPeM}^ll#-D&rb*R+lz29sBPqHsu(zyn-!}xnBmr&Ju&G!+wuK@(6wIEXmehg zfgibp%@KeOzm3v$kJ53R7rIcdRj(C(%{*}Q)^EMisc{gD%s4o<9S5pmaOnAWp5VJb z9ZToZ^g^877lb_`((Dc?#H)w8CH7sEouBB)by;BC`WNppa{9O5LgzEvdV!~~#%kRA za;WD{Jo(bLu`ZL9Qvc6&>FOmuF9jQ3-U_rdx^K(*zC!H8n@GKruT%F5+|k2FJ-%?W!J+W_7{5E-=^|>&yuBR z+^u>(+fH@gWiyS$GVl6YKZoh%xNT$cY=7LDQ97L&G)56%pnpiq@Du^<;5R2vskX2f zBpx^$>Lz3MXX!!x^PT*s9~G$VPediNm0QLB!hE#ScC5Uz&A-|$j4v^Y)nNNJZdaKd z7i>$Wg7_$L;U4F;_{wT{1Q2m5}DjJ0r+=-!+H6Qbc|v>+3rW))TvS?_&+y zvo&Rx#xo;%8ArZ)O*lS|2%GtQuQ(zgy!1KQhwa2%%h0x3U0e`7g!wd zq4Rz6!)rc~N%7YxU4!PB@W#r|a>cSd*ZTVS1TO^rrdgq+o;3MokoA9fdJCwiy7z4u z5d{SW=>`eukZzQe?(S|7hHeB=+Mye%LAtveq+7bXyW!hBzxV&KfaMa_FlV2$@3`XL zZ_g_i+=4fh@Gd#g5SH~5Heg+_E_Z+njP9+N;kiF}d?m1BHR?wCea6S!Ins4aD>T!3}mfYW_BaK2U;5WH8@WCQPL}`f%FuMvRKb4`MUlV6WoB%jb5n(w&x) z*Q0Dz;EE&nvs0}fv{d3&kf`GH>8T~LU!0g`i>X9OJetB#KY3$P%pl2J^fsTsKqKMy z(pmm{Ie{B}ajR29Mu-HzDN!)q$tV z#mV+?hXRR=5D!Td(SO;Tnniw%zdqLyRxMZ)`?UQCYwV`{Zk^Xpu0f&rMN;DF$rho( zlIx$ohA?u>mVM{NlQ6_7(&i*m2T2SdM`hE5!b<;Dt;3j`npH=PVDbN8{ufLqe>;k) zDmz(QH+1b*X-YrTsbN+sVnM!4j>u0$n%E;m_|6dcsk~%SV2V 
zb>Ia9pQ0)ssbuc8xXIdg!Fi1^YgH>@9UEbt{c-<{XxX0`BTz1AbR?KgKBLX*Si#N; zb9TG+dXwJco2w!hHyFQX<(|WNG?R1)V6_2D6Wm|}+(ZgI(-k9~Kp0*i3;O>;e|1@iAf8%-Y0wCYg7NOpK{YMNkXcAm#F83@n*OVR)R|_P9L1Z2g{%j{f|y4 zad5gk>s;v#EuhYW;dR=J4&c0|lsP#-OmnQ@D9<*FiFWg^oi{Zy4>rMz(5mrywC$Uj zS)!M;pox){j8ve+$yO$#84#qv4Nv9rdf4s`kFS{naja-zOI9Wb6`KoZNDj06#X@Io zGJJD*o`Vv|WKMmsi_ijVQl#SU#<@Pf^Pb&z4aCbWUiE;Bxb|P|GyH0_O+Cc+o1)P_`(Y2 zEZq4HPhHm5<${t)c&Fj^%$z}GB8p1&bU_}6*@?77k#_xg2RUjyfyeU6`NF3XdE9K8 zNHU2;7(E*}&$keDf4ceIqRrQxz~Z6j;m1`hp9n@ibygxHJEp zG|n%idheyr^HwF+1ZdY5+4F5$+FG*lH#Akjnw)jwSeSGg6`)VCT8q=JpocHN?+g9A zV3dFi(4qLk28g4J&B{TLzW+PbRI!%-T)pv##W^?8j}l9#uh zu#yqKMK#kUOI$Zd>gAdYpgv%q?}8{&@EF@J0ppWA#WW5Qo(q(%#OLjurhT}vN)GmgQE1&uW?=a1&k9;)}cgNC(LE@f&n04v=x71Y{486wBVOQ z%b&P-*a+!Ne?Gq@e0E?$!7{){971Jy+yR=cFo9l~H%?7mHy}NO@c{JQEO7&VjrDK$ z=3}5SS=5w~8S#?cD?wTDwA)h^&@w~!H}x)#?6(8}WdHr37J&NGJ+Xw7dscriTp4Kwr?f`5^@-@)nJfGa21LVp=a|{&wIljLv6awZS_aDU|fvGg$Iv%7j=03|G2cmp}%%b z@-^=Fsy@`{D5B-utn=5>hrnF*uA`d)6^vbdOot2f62+gcD-X^ z$^TIH=eW+Q;UHI>rOaA+NR);jU5-MOCIy=E7NkWBQ21{YolNIKqMix^HXT%PL>TdV ziTZ8^*Mo;dW&t_&REH94(K>&=$MMYO`*z-1?OGR+cL<*o?rZM1ex%9f#}lM$xpUAl zj&si1R*zsxC}D0o9Q>=R?L1`tZ?6Q;0ye2>&I$xN>M)oY!0g#&VpTwMAftr&^zSLw zvW!2L>C7`Lm;A>^1`)aQ&hz|U%^tgQSQ>eK+gJG{-uYxog%EI#FHN>$t|OU+a<7sE zjf&;Tt=?m&%fR{q;99n420l@@4UgZ<2?<1`FaNtuOa3W>C`I&TOgUt6YHs}B%BB78 zN&8FR7rA*CgNP)H+i&6tY%4WqwC;xZj*sfX1oV_2uO9F6gA`;D>5d3D9Zr(_1|Xo% zo42Ji!~5Q5P7m$r`CFjCoLFS#?%XP|=RB+DxoHB~{{)m8my54W+vjqwCpmS^Eenc! 
zl)<%{wDIzTj1{D;5<(dX*z#caYRn?QF6L>%YIrP2F|Q{MAFc!+?sz{G4Gx>E2g&X1 z%w2)=n&?<2+_8gElKDJFdPu01G*$bt2Jiv}z)%%~toET_LpTrjam6ug9lO{ctkzZO zbVK0#f538!eXarjLyC#V_Q21hDHP}=pjYFR!xRHe^Vu0OY}3_$)o(M>g9YI*7 zo;M(4UaCAbH90;t=rSns%uB4lF3+N!{8b<<)otZxZE&r^*J9<7yT9jJu#gSFG}k)i zaK`nGVRiy!bc{`gTRo6WA`q4w{(5g05tLvr?7$W4ce*{U4h`xwXg=_j6#(|6Qdchb zc}On?=j&V)nU596cEK={mRD2hz^y3+}Qf3)P|rro1FG#9MO9K0GdS3fetLNt|I zgWB#-zQ&s9vjTRRus7fnp;S#_T;7qC5D!HZ5foR@cElfIH_r_)2k46OA**2ryz4`d zN%l(wsb#P+E&f3x%JPO^6g1#poQ5sE@x?^RC z#Ads`f_{YvMf|0*Oq!2=ws&lsvYy+;ao9e?l&vFbc!zT3KRGlrEIEo-hVMc)LUz(` zFQc4q6Oh$dPU!hXCEM&j&`pUYKHi1KpLfh@k*NnRRGEyCqY|?`?KE|xCwjqm)Duco zWFDMHyHmkuUnoxv5O#s%p69wsZY#$krCOWVB1+0(-8vmX<-fn&3SS-;k4sLbizu?p zIBc9;4V|YWa57GUq7Sf4xA^@Ga2uOee>_%}5f>h>%5xC`N?}v@ z01LdCNsK%^h4Uo?k*HF4$gAFE?eqnCEf5ZfA(}CTgYJj%8h+|~(O`Jd;9H{*M|x-| zRb)^W8@gOaR0fOI?N)7c`2cqcw0N;WM@0t^#Jbfb^l9=3i}jGlg%rRod{Jo5wh{b4 zEx^=yL53_vUVh?3=X0I3%}mu`io@B;`8jyw>D`^&(09{IcEKTTrgZ}{)R75mC_1nF6@*; z6XA&hm_K~_7iJb_jf(kFr_-W+oxa9?_Hc@QnXq%E)0*<>WCby~;9QX8pKA3%o>0GwG7v0B_#5eA=e!g&JLt8EvySY|P2TFW}mcp1d>NR8{vA4be_iWVC{jSyU+^nU<_B83D%Dxd(Vz!Zf# zuYMNA22!^WuURZ-xMv&go~bAX}aw~lX7{lDMauwLa!Hjf5=e7G?mXj zuNxa+V3i#!DyHd`V>lY-U>%3tt|0yN`-eLNwaL67>*=kX%sMMx*m=XwJs(uE)!ZdYqR*cA!Wv-O-vZBQHY(HxnbP*Au$6tFyl*^ zVo1OXom%hRn?l}W5rJQnccKlFB$e&!XISr4Dd#eJG%~_ni~z0@p6qEl}nw~hRbAH}{?CHqEK8A=$VG+l?!-OjmR zIy6|i(@^TF>~&yfqn|t}E?#)28UHfCU45<_)nYw$O0vE!Z&idtL7BvilY+3@y7YB# z|58A8JV;L3ZmtfpI!W}6bZ6IcCh@*-pefgaqU0=(!)p_acHd7AW4wv!GOoj8+D z>JYj-4!PYdiCXOkXSwD)%f*NC;>4P|PR)cxWGD8891@=%%T~LD2^q<3AWAFFKX$HQ zS2L!iPA&M;c;EVo3m-+4s!taJwvtpOBb+)>hQDz6!xk_*X_1_M>)+t5i%cW|9}@ zz!&;sAZrP;wvE->!j@u}@q!wgD~~qUq+?v#!^8FaI=qBydF`-wwP`k}$LN#V(<0B9 zR;^K({nq*d%Y%+uG?KoLOTDXgn7*$BWmTVwRl-K_t{W*g#7qYl% zXKj8mVI;RZTB1%b_^^-CB0PJ=<=5$MnLiZ2Jy8Gg|js#3=tIgBHnmL2p&F3~h0Vh{z?2 z5-^hcu1`XSd^}gqhQIdPmY34+>ubcOYsA_!_pik<=42}F21xddWgrar6Bk$L->Ciq-MNMM-#crRNsdgxbX^fkj?ZZA7;L7)3xh%*Rza&xEBBVOD+L>$WS z_S7b0blRt$)^Pi+#-HC@xPC_xM_lxJTn(U3z}L 
zz`)%Co!%`V3cdWkrf=!=UwbY)+db|tcz+}1gKsvQ;uw2BB99L4TwtoR)zr}!ptXCY zAW6{~KusB?2!ycQRrwHdBaW6epU0ER*5!ZWDQTA*8lmwe79*TJD*bqXP_A1?;CgPp6N^H zNNf`LB+UTXkNSW4GKdWqPW}3+B#V~?WC(krO&(B3C8j2z(-%>nuEQg?kLWc%Og`Qn zUrGZNUpm59J>mH$%_W&qt0XhJ6sVx}#=E0NzY#>6)_Ly3YBR1k!uEYmR}b~--FWq= zUFYG4xcUDHHMJoKK^GsEQ-lmEvJ?O|5DOCn(t~_}J zpFVhb-1skR+r|!wO2*LLPr%-z1vdc9sB87wrAZ0XtvXZ|G>l`I7S#mjjye7*7hcG4 zC1?LF8CuZWhwV%`aYM=mtmGKboRqp2R7V{ZnU1k`eY7$Om1tpTc(+=p zF5@ZkvBd1K18^;vPf0R6Te(gUHrp!PJNj!iKCYUfyO28dLPRllGQX(c;P z>w7FxMyAAmTax5DAlY}yeolte#&EP>_@LTcT$}rDHh8Kw;g}xVI8ivrlJ5XNV)lx; zQV{n5Rjh5q4lUDsv?X1l|E9_FGV_CR+JGHL`@ z+-a{kak9IJg0jj~*z3x??ZjjCssE)@Kx4~!V2F&3W1y07RKty#+*q)b-92=tHJ(&5 zC8WMjfo3ZwQtV?&@TkMc^5H=b35p4IlTbb&>{0>9fXsx`lkSy>fFQp(f4|`5yX8Pn2D#6;H;??LNY5lm6tNhvDh%5 zq_MR+YnaUA@=o-$vxV95W1|@+s1|gl&P$Jv9oit4v~hZR(o8oR>kijbi#$C097stM zJkUQ6q7^)%P#4xo8uUshxcHaFkvr=4YT?Z+T z7|FS#H??86?yZ)e$Ht=~_^ytF#2zr~SyYjL{{E z_D#({gFNE+&TKZAm0%D@pQy@lHU+S;1&HVaTYiqlYM3<;= zR&XG7l#rdh5F#NK#G~U40^JmJ>vwT!)3~1#yKeow>YXVBZ1$hhKnY@E9&Btr)5^k5 zTn&I0ujP`zTkfjT*&;NQk`|ewIq{N1H|c|*zn2qqHogpJ1PEC@WVW8flVw+lP3Bc{ zNZM8RQdF8dpdOM9$KnLzK?N!1@-_{;G?h+TZ7n_9m;cj!^I=}tBeLXQz zTbd8aJm%7)?s!5iHTMMOp zO%Lm4K)6Sp9Xh|8Sd^bwWHDpR)!%=sU}{pQuOl0k*E@4F{I#Gyr&ykPZ=rPJ%o@0V zp1AEkIo0vSyN7+r0hqa|bFO;fq+0XEIuJylioOgbPNElHjG~fN>Yq1Fg1PXwSW?jC zfjUD`QW8L=l-Z*}S;~sqtG(qopha-8IRqwNl^dgtF& z4X{=`rlxF+!UZ3e>Y@}+6E@aq9&+m4NWM^m&(}<6cE4DOL5?fVW?k=cgpDS6rt7n- zB+QgUW>ZsU|7yb(5N1TPSg!khb#y!nv2k&y=Oql`#Wf{3fDh~paK%>F3HJiP$3bc@ z)AMw5QcRFQHsKE~L2+Gub>AdrEvSbTif*X|8C!$)zS%ByRh+2MnXShkIA8-Zm|Bg9 zi16@E3`4&6vix5Zvc#8OJgrbS`Oy=6xKV_>UZPRRk?-`-R%cOPWmh}ml|!bq4snA# zzx}qncy|zSnr2j~8Kz8_2aZF(@0JnYzOKQ*pj`&S#gsI4Gv^2W>F2|NmPAY)WmVzji7eAXFQj62z%t|899_>skuyE(% z;j-xqZ-F!g)`8Mz+?8&!13gv&qO=OKlniK-udQ#PAtXxhYbceg8ti{6>jug<$;t^gfT!eIx)McnEJ@l;ZyCUKZ{ti91RJuI% zi6^<-Tuo(|2_E2j0}b)IcI}lYbmcyopuCMxHYToa5j@}W$4YpuilZQT{-Uk*3mYc! 
zuw!HV`?rYoSG(Vw-tZ0>IK6YVb)^s(dIbpAdH#FwiST)R!c{Zr-dm5qDy^84Zxb^c zeP@G}Qj~^95|CEz$5L`m&J`-Q7A4l2NlBVHbJM>DHZYwG>Ebgi^YVIwfe!@Wl__J_ z(+j~o>K9PNw~1Q5sROa4cdu%-o4_v5tK0c*md4B~@Oj|{NGK%bIXgoKN zM>_R=KULbqZmC7^J4FITo>fC?U>!c>w1pN}!~nxiN=SrD$Y}8!w19TUOfz+G zNSFf#6Vqk6UJn`9%EIKw>Cmg*as(MDgSTGP)4iPv$|2!BS@@CmK_vGs*LMCuc*Ii% z^efKwGVz?j;?bjdrgNr+d5N--7XUxC2xf8V#E+l9utE$Cp1 zCdNBcq!uUxx>woCR$s~JKFw!yNQCA)$EAFOHsgPcxPo-HQE7kzW14%Lcv^}(Xf(V$ zoa5s?H>(&LksC*|X(Z9OE{*A7ee2k0A+@riF9R8M8sDLyX0hU7v;!X#iPsjO`sT^# z-z*`shHR*Ub$P*CVHe?VARy@R9!j51oM(9xc92Ri&wsUDCtGpl<#XJq_A*cmJfX+N zEYN7f9LD7Yqu#iFK=fjV4KoI)I2*qNFj=?sA78#&)ryD_l%SxIDb4BLk zWY#{Y9bHW15PSVH*>W)b)JeGU{t0qqaTf#6Cp22wX1Q9JYA~5ojqPym-{eHCy(LDv zX7LXQ_xwT7hJtRje$gpI0YC5sdOcpT67VbpxwwtB*qkC=1Q9$B|~>7DCKlQXBx%);8t zLbnZjnIX$W*tP~J9c88*0sb0n$v2n>{--X_vP-TRY{@c0tLAPX2~A{7+@0P_S@=Yo zQaWqHCW`m&Bc??T&1>FY`rq60jeXZC=yvS9FS}n4n%XYWfe3u|?>JXx4KL8S3=k4x zGRY?9Km1MbW?Gpyg!JJg&w(;^aql3vM|piOGmGZ$p>Q1u{U=F=ufu>V)?8NY#j`r|)shRsA>Zy zrDmsWoL4cOmZ3;{Pttrd&v%JPFwlRnkvB^d%(Al$kX2`(B4ZOZgb@GdEDFw$?aBg9 zJYX0l(5V8mf4suZZ=DaBFY&g=`H|N13y;y_4k&1WA#p}9Qf*uu7jPBBA`IP52FOF z>VrH54>Q|oKj13X)kzB+Ig%>>v+z~*yJ6q$dE)aYrRa)L?F0Od2uKp<8%p~-;iPu} zmwogckqLx_x;6gZb+&8E<-Jb2Q!2~9!F5X;g836Wb_G6wfIU7&r~e2zrk_E4_CPDC zqZ-|dVy^;Ns0>wsp?^*KHPwPod=s0!P81Qp=_%mHO`9+ngQ^>r;jp5IaQ-Iykx5jy z*lh3pt962W$9}<_W0vN*HdWlrj-G}TZhg#IRm}m4meO28)x^n-52LnIWZuqkJmenJ-r9R-vN}Bz1mlqN2%+C zYVGuT;nP-OX1A{Q@%4$>b86z?jgle&oO<3((~N2KMgi|ZP?mWHm!jG#yFGV)XB#tH z-!P^q3){Y9NfKvOI@|L;%A`KZ$jE5PAVtk+MMK&YOiGmr0Cb`r%+8PSNChu`v*feQ z?~G)^RN=|7kX+(kSZ8xiK29DRI7RC5&+Zr=zihe&{iCsH;kkPWSPuI9iIZ_7)D#{U zdsm8sOLo4~tCQ|5c;(muQxFX`TM-}{3MLu`8i^)fnLhLvRZds?3=JZy72yPX?DIqb zL&X#NdCY@N+uw@qBlR9n3Aq5np*V zYHRi+6->+sMFbouu-^gKTFw1i7%0moiD~5w|03~tQUQvV@?WnT7+?m8PSrGxwSXVKQjGCT9-+D9#!JT z6n4G?UizXi2|SA&`&@l24SkefU3OO+q?WW*@5129|0hfvBU#gy1z4o_lJ9nIUVa`Z z;DZjGeJLj=rbi~G-=T;nCE-6!bD*2AKlJh3o{?F#FPxfRm;t@zoVs51FqgUuF|Wg; z|K%aF=u4ow1}4HRWisgaSwT>4SNFhTSbYc$N!|J8>KtVSfFaCw?4n-9y{;}Rh~|mVT6$cmXG&6U>1D+c5U`)=XtA(X 
z-BoKoQ`UkgT`RR(`lTh6+_98FNm7A#JkKJ^ZKaGwfiBIg07~_+FL;{=K!ziXOrVHV zl$Cl7V2a8x-j*@~Tzmody{n@y4R^U^8mwB@C}IK@*H&->?=}+AhQRiFU+iXzQJpM!{!?)*pjnapuje|9-uJT2dS&6%YCu2nC=On z9xWAN0lXm%JGz|ofh73Zov{?)g+_%Qb4ah0jb z%01AUgA+YMi$OJ*j3!tlpylrm5@?C_!Py1S^lyul&G8-gwET*eOhQV_D`t`NewJ1!HT!&N`p@lU%2y_6poW&BC1AKS~ob_R9`U>RmZr`zzv_IUa137Y#x zy>Tzf#bX}*0kCVpYTi5LyT8dS2z**Enlkr8iUjlW088uSR9SnO6G%5@H{kOv1Gszx zGoLG=vWS_HW`+*dCgSg)?ZZm}Aw@97=BwI)^^>luGhoYgP(%Z29hO+PhGP=A1>fj7~RAW)FK0t&Ix`9N7 zCi4&frv;de#;Lm`KX3p>ZTO)C0uS@W13({P(+_E{|SO)%<=cS2>M~4L;(kf%cGgpxahk4?|8`L z20k;hvq^xEgz5$!gpQtnpS~V7>F`$B>aNAK%^2J;NO<`jP|_ZmR@LVW?Y<)huJ*fJ zIMwiCflK3?_uMp+Pdt6mt_EN#b*3JCE)IB0f=(Yut{^k*9<#11120+IP~Q7VBL%=o zlwWebqGYfEV_|(HW?&XGA1r!h%c;oUzehmwI1GDs*vQZqX}uqH;O*1n`o6b}ew$+V z{)TFFe*5eh8UJO&`P?aP=u7_*eYTx9V&bQq7qMwc>kGl|j0>kbKWzpnMU%?%U`5%L zHq$FwfesvBiG(1wR|b4jb9uw&Je53+s>M^f61_G`lHBeRGCJ+qD`nz`dhg$bAOc;+ z21c{}0%5N4(F^VO=&wI|*$f-Lk%WxIbu~7xbjz7Kg@sNUHLr6C^{xn!G)PPQaP*I# zmY#)uR?ZvW-?z+`%vN+^mQG`eN~{Yk$6@4uXwi{9aDf<}1bm!z-gl``qkShXDkcKH z#KlBJMMcEH2*iM6SH9{8Hn>y;9WCICX!1t(0Pev*XX9%X(eE_ya!WrF*Smpf7~00n ztm1TRo4Y)C5$C8keZf(>Nd$QB2^=>$`RLEWXKnY!cdT8QRHi2DxsK+WCEc&GxDySaN0?-t7RaP%BKZXr3 zY`zXrwgiWbzk&7%t)KitbNi`{O&0f~$0YJSf>k?~5M#8{t3`DqzU*JcSiBsnk2G_UIr|=jM|{srBp$?cV}py`e8CWLG0R_3|6WeqNl;OrB*t8+Gz`eCMO0U`S!QuBEE0_xx* zh7=gs)4jI&&ontdFSq=~R@guxW7D03J)RKcYlmX5v%JmAnh3JWD%c+4^8l^*Se3z#O&kra!IAjAe zc;AuWu$py^KNpuhTcC#iTxZGE{t(rdRhD|)VKWxeH>Z2?>^Dj5WI}k8G0!!V>_UnK z(_~@2Y?EQ}DJra0pU?45d3hZ@s`uX3*sJ)}YeZ4frJ-b1W{9TWtlgXTAW3mMu8Er! 
z*xzpz!|pM?sF`n4`kE=izDSpttb=72rUvfJIhP8dQ}8Qo?x^&?SL!$z8rKSu7y0=a zd5pg#h>B@SifO)nFH*QoU7VL&R9KvA!#p+^h?d7rBYcE0}bH?IgQxgT?R6x%e}Tm*2CUU`9UYu3B3>y2`1i28ECAr#?l} z3u`@Ibg>jvlr@){tTILd_D3IMC#?hrFIo$U2j5(^-g)kK1;S$AH%VDKjPm!{lB`IO z_7LR{7wBqf7P8%3d6lo45a@(+Bu6BH*>xavB;Z+C(2yV9(!s&~Kr!7oCt|ld%-ziM zE#R8Ir2CPWblF~JZQ^9(redQalOkDId*ch%AbD;CwKeFJQGzOHRNj7nG^h@WTH%ri zc2%KlT5>dVp}vr;YM{sF-Cj~y*ue8ky#OHtZE0oW02^v|Wf2iq>k73=PxvEr|IVw{ zS|&jnZO)F<9=wDAEGgWe_;*t3LEvBD+dC=T()ceTq4%(zvMdpT#p7cJI}yp3)gn8n zTF#hn4A{pJ51Pnn-fyW^cYT2z8d{`yuMWiC_!CaHRNz=m4LGqZXn%-7v9xVkfMJKa z@P6#}TxofAI?c%~*I(b2RGdbo*VH|N2-ym%{X(70;ns#G2j41fSJhOS8JlmOSs>aB zo+Cyvf?kPNtT0&~hm4`Z0qDDB4f3%vF<1^Il>+AafFTf8>c3=VT|K1o`dS}}v0mtJ zuB{D-LsKzLQ!)JaSu(kKfAVtw6cy%LmF&w%|ExDSkd|x2K_S>Ex2oBX42Zmtuj1Fx z>$hWc9Hq2Rk4NL?k@`3(`?%bC#%~>cM z8un!*YGDz-4B8ZrXilfAQ9QhRov@t$?MI@hYKS^P@`a|06hUo78#Zf|Gtg{1x%SHF zhvF;W?t}u^Y_ms=#?)V@_g*L*oGw|JO8HX+C}NqaIn|Wg?*5bh9O@?dhhZ(j!c0UOzW#UNay7?EG^Htw`VI+SOZex(Rk|wPkrR*T0Z4pWaQfb%J-1zi`nH zZ!gcEf$iy6HO$=sS@MXzd0yu<<)9;~zw|x(ukC$c8k_&FkT1bc4#LkB&%6&>yHg2Q za8DN=&gROinHoBk%>4CDnOPHth&Jkiy>B=f3Gw-byvO3>W8aPq7#S7yg{;*P9x+O_ zzn`C()>eCmJ52ek*{~wM=z4|YX+dfg5~i{Tl(%9aO0Xf>gf1s;V*lYex?$|Pw>Iyu zUg}gSJgzDhDX^&#ibj=;anQ)?UMi(C|Vhvh{Nu!d=&N zYzV5&J^PdjLSXc8R`bC1{8i0}HqOd3!q8dNmjw%QcGj1|(&B~A`_`+in@GYC9b^=% z&?Kp9M4H%-DXx{Lt9({{G(}R+(rB%R9dz0zsDCiV2DIbQn0HiQ zopz}{*EzH^J4|m#Tyg6t{M%SSJ!RRP&^yY=K=OKte_xD!iV`8TZm{b|)x%A5jz9&% z11GT%-PMg_+Q|Er>)_>c`V<8tdw^+M!$D4B+s2>mK!zKSG72&4p6O!NJ~se5_M zt|r{wx611*`$xOlBKU79F|95qq|EfU63canRd;{&KRW32fmn#><5z{&f~t{MrI}X+ zGSJoAjIht(d3snHa9LoYVSqS%5;5+;kmDq(!gTcQ$alo^s5}yukKGut`rE#)iKl5SumU zd3X)pkE3wKvteF6LErVM75wTo9vu4G{^m4C&ZUOJ!#=3}^trFvy{V2x=1hkZ z7M!==2nRmuUFt3^scY$%>$&rl^r=Lr*G2hXF~DUog;tF?B0#90U*Xgl6HQUVUGa(# zv;>u%ye^+!Rz#qSMNN*MrPnLvBV%bhU<}xR)3(@VE}s6rECQ!PA0ue50}qFynUsD% zFh*jp^F0Yc8wYNfM5pYt`)W71uFpRrdtL-(UM;@@Pr4OQ{;T+BFSA(L$6uCqIg6?M z4e39&v4Hc-%5J~gD5_IC=wGQrLt>N-Oo$-h9PBNizwa?A6Ai)kdYImHUVu;MhI8@e 
z%eg|-j3xEg4a(GgWpyADhd_$9pUd6v^vYJqeDDohz~BnEW=ItpUxbr4FBVqaRdKY) zLAk?SSY@N^?doDO(Xi+1G)cJ4$u!H)=5Ga5wRf0DWTm7C#&bs%_emCK^5m&!42_Il z>Jj-$wVAYSPrtJmVVuYM*ie!^P`8R@*_gX%Icj~WZEV??t!RLYN4K6OaMbXuj$$hY zWti@1tH&x+41~)?ybar^L(|Jdnk}$ku*?0ZMYwQlUV>}IvoqEf>7|v32(tIv4v6gg z)aO3rKZjm#L{PjBAc+x@XxH%X8hJK3$=Y_OcU47wr1XWeNRqP-w;v_r%~7dgH~GNW zsABN~E(y*QINteQnHm#d4b#LqSy@N{LdY_D_jwtS=m8r`9GgVs!DNDWd8FDO&U8L| z!?GkiE@#bdZFkGvyRQMoOyByv5q+}}-Kx*RQNkBvaFZ3lbdI4bztWqqB*#L3`+ zTngdW+Ct29?iz$Q%Pq%*GeSoUx~_avlwTuA*xN>zj+A=;{Pom&`_-uBSndnwUN!+g znvHJ+&CCqpzGNk*gXdk%2(R;bzy{v-cH<>1Cp$Jy?VktE`Y*Z{C3ZrZuFTam0l(%t ze*Ke&W{fSvHMY6WM@lpmzN!JY_f+>)CgY_WH{5fn5Q(=N9m!~sxOgOFF;;JQ#1S!R z`fQ20hpI*0;IQG>;qZmDgtv^DW`yA0a)n9dmbA`qptfU;zR{{%Hb4B%Q)t)cryrLV zw`(3JlwRXb9?{)w(fWpaTBEm@{PhPJ+yv;tCFKSA)t&a-BjQ3NF~&HJzl>=^`7@Q6 z*Z!zh&yJpldr*QT=M(%YY^@IAfHI(yXIg7^WT{<~?`1moSA=82s~KMmq?i1`4rLgE zCVp>5-)wG+sU(e5SAHt#8|Zbe$ghHRjTAxgwvEKrySvU3>_u~xE!mvKE{>^bQPa77 z)wmlaWx~;Ki_njF93`}uYSg|lzVcl()G%`s%HSgvM>5#$RJrqNsIT7(gYXM^y!I%8=oUyi`R1|PozN}v8=i`tQ#C$MNXbeRYo$SNzj3C^-EZ zq5n;VMf(L#T!@N9-#;kRECdJsxg7KHy6iW&ZfDHv#18}L#E6;i864?X5Q=@5eCdGk z4mbRSP|nKx*l@W>hZm6#j2&+eJSQOB9}qQvE8K3lA_)hFod*Si8i;OpHdlB%Px8 z6_l@D4-=Z=h~O08tUp^P8M8Rq*)VYG#6J$&n7?55y)YswcVf(UG&1ZEHNo;xUX`b5 zP;gi5AgG~HpuK>HYdJdW%Sq+(K5>+=NXUFXZh5|$<|T{t4(a>0Meb|SB(Y4qql$br ze*U)BfNk)%u^lDg;NV}v%#OjGd3voSa`4mrzXsTej7-H}DLO(k~HR!?b#8In#v8y8IwgWWo;Nux0h<4!PQ;P>E z9kJ(_?Y1_deJ1&8h0;GGE=3fceg^mK75F8DS17++tj9gvk#TM7#?(Xg`3unmlp10~$eSf~GE^3RJ>F#N{1XO?EY~E$kGP*wx?e&LjW9mG?NZd?!WQYw&H|mL?Z3#ZM{F2_H=RptI;}~ zk=YszsoiW*NDRKr1k5kS@&Cew*EblPb#PW2e@ckONQlJ*N?dGhEp_9~IVCj%0|x^K zH$Mjj2L}Z|N5BN2eFN7cqL3{NJPNJY=xZ1OtDvCpbT$%~=}_}u@)*Ij05ua$VFq4d z;0WmLq|1kaY4M{+fDu>~FgeCEL42v8Eu*Wa2PlB>0gGoB`qKBx#2#i!eJ=#yt{or* zytD$0Ij~Cq_xkg%(f9Rf@BjVltM5ytFzu-?a_YaZ%#Y#ho9~{XXO5{V|5o{G1lqqqm@r840Vo9S*QlNjHI5hYAYZgiz_|gqpn7sIBl53v z-h*QX6hO#WelC6^;2F=m2Y&bOAAo@pewkBXyWODtxBS`)v7WC{RZ$k23>WHFEYDro z&`KCl0aq|sz8b@J_A%_^tb| 
zd_Mfw!%Kf)(7a)LfPm`)Xq+DBH3x9Tlludr-OIGVrvQQx3_R)UGDPe$KuiJN_DbpR zrwI<04gp9>h%^QWbm!dAz&Us4%<0U@3FHVXOBF1hLOI8y5#QRm%VUS9{%;gJzr?q{ zEM{P~+NTI%>XzMhpcj5vA;Ho^Mz$wMLv*FCHv~1ja#B)*1ARJ;PGgf)Z{_6JoX367 zgQaFxT;?bH_=^8UOl=$ax4nSPIGa?x^CH$sn$CHNv$M0av9lk|Ij%mr9^Y>%$$#Z4 z(Hrjq@$Fc@i+yT^j>!L>o!D7-CWX8~@{*S1g8vhTSZ2LVk z)3jBnbTkV#p4cu`we)SWS*fV|g(@@78zs3E*BTdOm5`~NNqVAZbTmX|xbwiy69uo7M}fyM(Q9q@rOGY9f( zn9Ha0n1VI%ntzV8yutOHb?aUC3rE4`rS`lmcqE!;2la0bmJF5vWpFTWdpr0%xGK0G zNC2u%i%C(AQ}Hj3E6nrnmzDmeN&p7t6xFij!UNy}F>i>8NmOWc6~28NttKNT=H^a8 zvpFcOE7PodTJIJTFLwv<6I-K^z@YGJF%XbaBZB|_v?PherB*~V>@!<1n$69*A%WZN zS>Z%}TB=(h_!SH+&p);Shxz*IfA+23$X!Q>-1TrGAG8}w=P)ht29toG)oh9(fkAhB zcZ)oxu)a&3_{0IkF$g(Mt9x4DW;y|N1?D8^+)fxo@N8~w3YQ?i{$yba_*e_{5^o_& z!2@g`;P6?+DtAL9j(zzX2OTV^&%zs9meuU9&j z^yU>n6L~TYtTY2tLYqW4%eHl$bpik>5=7Si2;=4TdvsCyKhh%L*`14`v;ib`5lo|| zn|eAcEq(8o1v<^;ETLnevHiBw*Kg<4v;Y=d?O?3{w$kos>{|+exdT+{?bti7It*@n z)Aaawt^y@MC;((-2qaia>YZ+K=X}+>&&d&kf6=%o2ao1o`VHguA2EXQilChT5?(E5 z&uFt4WCzCy$&%%qRpKlh>icUgUWK=Fcs%v)<@r_Vmk<4_2Xo|gstOCU>JE^-a0jYS z!R_foW6BhF4V*r_aWV7B$tiHIMS0tp0VnG!AQ+g=S7mkDzgx+G1qUd5Z&uFVbm)En zs)Nl~O#LMe0oL|AdukxG#F$Ch@^E$mPo1}^IQV<4D$+g=kOT=3YmVvb%zfJYLY{uF zoxsDit*oWEz|cxtYkTkfqk=;4M6nlQ7TD~+t=P1X8eu(U8Da07QAjqD=jR2}ih2b9 zrY9r}Y&6(LofOmpTS71`fAQ?hVg~r8_73%OSYQTD@wBR6i=&PFjyQvrb71BIqe`DC zl}xn4N)evv1GJ)3MJK#-^l`H%!n5|(x(#>eXvFDnRyIU` za?Y8XQvWc`Mjbfg4sGl!a=;8c6;g6jL-F#o{h~`a@AV2u*Gf)CHos&D)|e^PJXv>k zIG%St8yAH@7SmZ56+oCFTRy1#4rin*miK3uNi5;lKZGs_Nin}3*idr~@|ASUQ*p`2 zT?hN^R-+Oqt2JJ{8Ktpae$nIV*B^;nJO5ni(|Hti{;{o69mKk;z>KhFzx=qk-9%Tz z<{QiCWUK!IXg%J(HimpQ-*NQ(L>j&xKyh0}j_l9+>HpdSJhuTB>TGH_^xXWR8H{tP z7{7Ie8`pSVMDMb{1AP|1epNvZ*1J1^?9|Ivoo+kEK%(&33J;&`<_2N-JiIA~{mVT9 zc4+!xcBa&#mjxKBtHy4 zy(X$a8YL4f|M^D;p^>yLt}F5@h3kN(xeR8E8d{U?OmKMZG>S3eJcWPPL&cW}L16R) zcfJ5BhE}F8vyL+TgwFad%ydC^vD|n|DYe(>##tfKdlG}(VN`*a{!4@-Et?x!Esb}F zTpx0;nw;EU;qLF_#FwklC-fcSSJ=+TQ3Tzks(S32`c< zy>)_Y0q&yO)3ePzH^4YOQ`?e(mw}ImbJUsj_*!(nW0H%0uM;vYw_60zBeYS{} 
zNe64W+AHti;rBlLTh=!nW&D}%fD?m+H71B~37c^VJ0;ZQ%{z8`sdnhi;uXN;@$jrJ zccZeh20|=!W8;(KqsQ$Z(i96z3JW;_-6&gK9iHe%rPCD)O|$C4F|X@z8o%QSucNV{ zQTX8B3J{R#m#)0v(fL7+qPof{haLW#;s*v6IgK$hD?2YS`DeG~xzifLfKj)^wO*`0 z((CwAgrdN5BgX1i?1{)`GV*S61YMEiv@>$p_T0qZy4q&yWdx!$ptTA!UW5=yJ0b za}tp22u7EN@g08m2e8oyPtjzPc2*)sr)^|~cKtJ$fif9=+L=YF{gn}v)WJ5`+S zu*HZdn~Yet-ItimDKqas`2v1G1 z%@PC9YT!OBYD9C$0rjHq=%P6QAHO~O;)KCKt;@V23c$ytk6otgRIMA0?@tTwva``Z z^{>X>)vxvS5~y2sHf3gr(!MrIM$Ll&j_jMkD9VE&eBfo^hW|Wep0U#y+;(x91II$F*ihCX`-r70;;~5=%Nn0W zDZRv3hKPU-v|p9Nx7PR`d;1naiT3JYZkP-BKTIsEM$4tKl(%M)4`M`Cp0U5DOMTFR z(Ca}0%b|MHU#v6V1y&oL8qGI0*5xvIGVV8=00BNc*LL1 zodfz)OLLK$Wu*|^H;%ou*pan}B+@}3o(>c026|GMZ|m@PY21{OpJx1EA|)j2y(qqp z*@Xj5^~}yTwGMj317jC3x(K-qnkYdINDRmMuX`#Uy(++>0e#XX9aQf@l&xhapujAV z+={GUof*G7xgch4pojhHWnxf)25S4Zxn;Ccvw9yNKV7unuFVwOy}nZFVKg-%@9XPi z{#L`Y4EgnNP1G7iF_&4a*h>RZHfu8x5kZj%FMzy6A{bjc`jx%CBylxR>z{!f-^v{g zh8f2nUSn+?-TEiAPGmA)+GvavXa{VxI~jYEx%UQiu_GS&r~hm=Vm_16--1m#l$ru* z%MgDPcI<0jr6g$X17~l6E15Y=Rie0W`(En(>M-N#2PYMkf=a7Mzj$AaU^?~@c)_dg zEMN$bV;6ohH`ts4q)~;x+D1e%>*j#iLkAZYt+em{sBqd7s+B$7;QS!O==3=M0d-hL zCL+p48~*lnBWXCmEIp*f59*W;T^q@EtGKER|CBapqVdOo&)J-TW= zdK@TO(c{x9qBr#TqCm#z?Jc97o$bx-?aiJ0`|Wox!z-N<@3CH;m5l++-x;@p&6+ss zmOSp~VSA!gbGtK+`2C~Z=u11vXrsU$UcsO?maG{g< zi9h~8hzBOKL7pi6z{ni&ZQ%@}_)x zV8q1&20(yF<=nu@gCB7a>~d=hLPKLu`+i8Lg28SQf@7~W(^0u8akl$`2whQ_AT+qSpg7kE)>LYR_=F;F_aN`C$lJw&K?LjU0h+iH!w(V zMEjZXN_QIHqrf|PM}08W&(g0CMgAuYW5bHz{;TmtUR?J3f1wC+f|szm|8wnn|Gzi? 
zlcis7R*bkE<3YC#r>AXSs#@hvocLcv**&0J{ADya5B#YJ5yc8gxLc)i#=k z{``l=gSf;GD~_QbqWN;JX#Uy@#^--}+V+MXBO#5ZiN|?;cCjQ%YX+!_iB{N=m(kHi zJ46}@;%VA)+HzD0%&Ycg9HDdV`iCA`jEioq1oTKo z-v4^h_U(wa^0pf-zPT#;r^SPF;A~=P{DedpfMi=qn}( zSaok#_rvB#DAbDTY?VKGl|wgf7kY8zfoKRZZ2A1hb<*b3P%W@3XwphqqwPh{_}^>v z?LV~}w#fkxl$F#4zvuu5(-sz8)t^lXi;E0Ba(%$HWsY5joR%w(i&hI(dCKg<9{VGCo2IT zSQE;e>n+wLqh0SGl}MI8cw`>t$@|{jSSet6og|iQ4}i39n$tk^ht0rVKUq1K$!#R( zWIbExevW~Ey(&C}@uJrVcW5Ae>ZWk}Fykk1YPQF?a(co-jR&0%PQ_5#XrPCKA>19s z90+$0Xw0asrP5r8ZASf8G$}3*Wb%Gm54+e79Uj=u5`)pLo;;zT?bJZp?m!*#Blwv9 zEz+ix@rGXin0bV>K?k^DwzhDp z9}ImlwpR{vt6n_{<~I84LyQ7g)Iysb@ho{X3(JUnCmq?TF8gCE1k~meNZ^N{$OFmT z&_|rtFu$;6eHJcB=( zpX))Y#`)LDROs%CSa4in)6&TEMqzV54Kc$bqJnOx1bRB+7EweKYCU zAhc`{Bv+O9)$xHn{8SR@L)JkkiQ&*GyGIP*gXz{yM{Ko+R~e6TYk}j8j{RgLh$>D* z6Qx87gG6$>eDZJvp1hNf{BIY(Z4tr?J+NFwjn2c6Oo!Sa)-s}d&G=QMFIypmK)M`S zXEIJL6v+6DWp}OES^J=-A+9FYdL;N+o^(+A7<^9TwP)g9S(WvDMND(=?z3%<@WW6L z4aR=*aWB*YGJ10_5)i!EQbN57NR|X8ck2{+8|94qHXa?yd$I%<+2XGIlYrr%$6Ktl5|1|$DvCwTP?bf8ViW){v$v0z|||n9$`=B4EGo|M~UqgBKq67&N?R3OU>h2 zWe|xkupOvc57786yb-(i0A5dr9Dv>JEVd#wm=;SLkHsq$>C(*j5Z?aCM8x=|{7|DK zw^OfB1;=)scQMJ?K>R2LasW?+>F>Vn|7j$B5f!RcKx;Y0|CNSHB(ww$=3P(KA>hVx z4?;pjmX!Yd;Uh7HZw(l%syySs0M~dkS_znY9uC^k2VY^*bRJVFy4#mHTUv92j`q`^ zLAFzXH1Ij)ONYJvletq}h4<#%Id?6#1JAJC^wpd`(|GsFX!pvgL2n2-FA0u4!x{o- z@i@JPf> zD>NtUcuqCX^@s7&fCKq)Rm>*$jY+r{nS`I~w5RNQp*e&Am(CsY=X4UJW&M`NBN5xc zAq`O6uo8#4Hl9|-$qqpBr9%{#{EPVa5)H1#)wQX$lSd>fBx?xH=OSVYdOWvqXEpp1 zM$jc6wrYR&i!Fvg(GmG3F&u$+feZX~id>yK}7g`DWkDheM^0igho1YRor3XQuV& zM;aRC{yc=<2bRao7b}mAV^q7j{6xMErIj8!h5uagx1$2%eJ8HtmX$UlEK*3f86%F6 zFdE9c?BMNkU5KT2WJb)KYlu|oo&Lb^wu;};UU)N{cwYYLUFTXtgIVqwM2Sup z&)j1AvK39yY;S010WF!E=}=Qm@LrY(HDT0`AZfU{yC&gs!TftF$1l%WyGzlt&6VID z-edk4!)n!YX0h)*_H;fyA^ljSBejzRHIRf{dq9iB;yEM=5eV_q)Tty&Mr?KpN+04F(6zua5gL?u@4Gb)J;R6nan59~|MDVPwsIWlM z!LLQd7ITBWS`~NAR&DBRBjc;z0!TyV+&GN{b-3S~9qp4L^cp{M6nNhIm;)0!448!` zhd2G?g7{yCENIEC+&4*Bw>zz>OJ9W-J0^{^QY77}3eB~$8ru)W=WTd*6~^+6x(jah-ZXz8@Oeb>2jV-LEIw;4Fott;k 
zfqvF6BKl;P%FHCT7uCLcg2R<#Pq%Qt8ZHqWvhS?O5j6-#z(BaGzel2Hvq#4DoVQ?2 zjut0f25+ilj*j@tcqeF6@5gM1;-<|o00xsHV!qEm=CaD!f0>yA^ux~14B+=N*yhhT zgoFilmyY?Gt^C z=fv`=TW($f_B8q<)Dwj>q}5O4gRQ*`77@ofm(iIB2G+)W=yHAWk3Sc0aBbHDhEaZe zmWB!frSoY8UVNE6{XR7Y<+XV;vrHTX_WI?n&nUEf)KT&3mHjhnPfU+aa{^X8wQh?% z!~rwANv6aI8sXS~vUu$Fi4aK@FyWTRfYg0IZYZF1uu;n)T?`O)mdVU2c&MC{G9PM; zq+zKn2-Q}??jAUD6Z=yK^KeaIw3}5P2AAIak@tpZP@QYG`k$HSrQ1nfF2{61)#M>& z4nw^QR(4Yf)QH?%Q7Mb@ZYki7$>5zw`G)5SRZ14NJFfQAn{#gL;*NKRY}!$`9lT;sIl?VxOcs4KE+qAJZM67Iqi@o5j3E6f=O!EKHvA-PRe=E@th3Jt)LVadms;WF-A8{edV$gOAMPF7|fPq))Xsc|%C_Mr)%2iqnIVP)q>L zkua!`8G?Vf4`PxdcR($|jL&ciW7QA-Jq-_UUF1(UOpg{{>j3ucSxXL;*hp$z#sI|3>c@GL;>WLy<8vP+E`f01ZkH#6?Y z^?{$){c`6xH{yugV<{&Wx*ZLYbe`Y4_x7Qj3b_{_{m%CMD)o^{w^6&!fqX(iTCEtc zbj(E6&g=RhO#k_{n5pX)Rzk~?4tV5O?!(c?b6CV`Oxk{($S={i+I!R3rki*TbymuG z50^EW>iN6Pej^8_LCSe$G9<4u?*!12ZGH9%*bdzWk0Y%B*}%2XX?wuIk+TiQf!C1l zIsL*XG$0*S67sa)z6}_6%}@914dL}@%lDsDc~Yp3q^Kiphh$t9U88i$4*-0?%7|&d zj$Z_;99$i;j$j)vx!p31Xl>tTIz7AmAe0(?*@_np#Pr&o5?ubgu8 zz!Oa_f<;T6%8lu+s^tS07A6)c?7UKZg8|6?(r-Z;$!LlIddBaBQn(xxBB}%qM@^K?yW|Qmel`a)sIr9W7k#AN(155rKIg=wPEo+Wm$80vm zFq+UlPVyit-TQ)vkDt=E6Ff@ppJZqTu2(Rq*Pef9bZpFo@8WA770kVV=XqBt1pp30 za?19A@%{BO)HysHsTOluv3enXlR51wGa|Nf8|8jIKd;)7dA}@35@5SvT{%p7cRA*b zxAY9^uHE3giSi5de3pIYyrYlV^u|MJz6^Q3Hd0^c2U}GWn|-T^(+;N80VBvhi>EBt zCZ6oVtO3u8SWpcs{+>Oybb>|2ej&#_}X2N$jdK%S*3AXm4ksV^Za|hjKKpUXmF$#Wp6Y8$!;r zHN}s7i;ydLHQ#qr_x(`+p*&o2Q)mv4vu=_5KK%G>Mqb9szMI)|;t%K;s{9xIQfFA% zboU;ES`JgM75*Nu`a@AOyV>Pns4gX#MP;D<&a=UgHHM0`@7n_%xt1IBYZwqkPv7p9 z{TX(2pP{0b624HYsVVouvyxBkS`#$cFnGaiUyQD&>78Rv>3Rd@7)sGDeQ+nV&y7}Uex7xEYID zOD-zekTyTBztk;>0p2yTf5$uxp0lTJ=jLTaKfADGby?$30h>nmYbomW0Liz~i0c;k z+@q<9zX`c@rt_xIg!(nEI6kO8izt^PyeeKmYQ4|9guCC#XTz!y%83)mXi@K{P7)a6jVsOBM5>e@rQV zy6TtWQS7~^1Snv79biO8pYbt5_dVq5>G=69^@okiZno{=N(A;Vx?eYg_@RxdY&8nw z*kd{0vw~>$#*ur3M_BgXzvx#Jm8}}MDE$_i2lrBO=^f)PdC;ow&V{Zad$%;~Sq)hCSt3kI(pw zA>%9gU3|&;-g^aLWze2;5%q+n&DV>s3_QYG6^%Q0anj8Fdos*T1zLdgWjB`Kizc?R 
zp48Z`%S3x&a2JmE{Xw1sE4d`k!&X4>E#z;s&T}3il)O&9&jc3B1@Dy?%DGK{Q zM6Et+{cdaSoyWS@i(!=VkxS=sg!ap5@&nkeLKhwcVjEFdt}ARE@~PwyXh5;2GeDxA z`$g$KY%fx2*6Rn7{q{7QxlZ~~-ZZ7h!OE{R!B)@4GW>>wgc`%2A)K}FGF}W^*f=y= zz|N$)Dgzmopbq^jEr0vJUBVIh6oNewds&kmZD;-4>8lL>B`32SgGhYUW_2O>O zhFCEh9@2n+KU1OmH%jVKJ?tKba>;3l1P}7HGbhC$k>Uw-p_)dR#N3Kblf8sQ@jgG) z5xGW37opT<6$JPf02TE~|D2;YWo2dMTP|Y-EvM=NC$ma0X03eSoaH`J`Zre7IKmyd zjr2IXxtrRuGKZrtcjHHow~{*4z4Iysnx5JxALxcpVS)3Y$DF;#+rGzLg{D&^&-8;P z;|d=6zw+rDk9ty+34?d}gjesNdEF)50&2zjz1iM1xQ)h)C+fw6+$2ND+yorDw;3UD zN>xsR<8~hFY>)M4O{X$CPF!nOX*0Y1O4C2=Jg5Ps^Rp~Q=B;;BU86b|?CVl>K)Z;D z^j%47buvAs>ttg)=1_I@<|%t%>a3zRn3?>b25%<-KjaQzqr2?OMxedBKfygbq)9iJ zWM33B`khWumu$VIjhbc|nCd=|j^z2CA9t33upYMTd?{jOJO!U8-Y>8Kt_KvwO(`Q~ zm9q3=K^-Cn1fm{ropF0z{Go8qqtI9ae#w?i3aRw3mn=7*P4TB#dUN+KJ%O#T@6ive zMuxk-;~(6QiA+s@f8{m%qIHD){o*3InnC@^-Jf%&7B}Dc`lMh~xPA6(Q6#&#d}3;$M5X4bvEstqX0q_(2hgZ z`#oNDl8qHphaO~RG4&bA*Kmtj-AT>FK}F0$#b4xb^J9-VafkcYl>>}44N$%c1!j=2 z@Rm**Ns6I*oQ45w(oaQGlfcxGn{K-=fE*qyO%qEUr(^jE9+t?))K2-Qhurkv%TM?t zQ@E_i@3O~!q98{hz@|Uy#j7aK;R7CzQe?y1uXbgfwpRY?9eM`T6I7`^P(WsO#NS=G zZP9-`FMKd2UFIjL6f^yatpci`)w0E>qcuOeV@v)xpEMkZ6-}yHGxoB}%JSg{D*V}( zdNhTOIolC0`k!rpQ-?R?+raY5Qn)!Y=s8=bPzc}od(APuUAFlu4PDEDH8;Ag`d16iDl?g&~8ex@{Vi2`tjLh0;HXkEm3VgZ0>5v_Pge>>FfK}l&m zY*sroj($md6N@>*Hp4Uj*A~F{YH>P`$(~Wwqcs#Sul2JNTBB`Co89DoOY?7qID6jw z+i_=e|CUkM2^|?McSBd&zxC=ofLIl=fpAA+g zhUPld0X`LtbxP;3cWDdSpPQLanP@xrHPvGL4QYKd5#;|OeqM81dVPvcQOw$$!ESyS z>Ox;K;~>v)a8Lc`h^w*FL>3-h(%1bwk6@Vc-QfsUPQVf;r-gEs+b91d1I*-C~fbWcdrIYh89n@mVYtALS4uGZwo;o_nM(aJDgl4`l#OsN8B z-m2*8M>D%}ziu-j9cPui3N9{nF!;g;>(a!;tgzVfaMVneyjqPkI22x9DpX!7F#BEd z)>=pIdMWo!W%Cor&PCWfrK+UL<))=`W~jwzy?$(&VMVusR@13rbGENq>idjr{U=ew z2$>8HW3iurK__x`5}(8V;atani~G!pGjXQX|bwP_E-y41(bl}g1RGX*VL>abAwR>LQ)or#o54%W1)_R#o8%Az>l!Vv(c=8RAZn7Y1_7W**3zDaG`BA>X3#4{>M7b_p0eA3BTIPMF74 z76Z3`q{ry;4<^s^r%(UH%{29Nz3rzXo@YzEE}~wZa!GTPCJn3Nqv+ov2&E6O@c~2&+)&0HQ~^H?RDa`{$V=D zNZBy7Xc7>x6q}dk9V(481UlrC=WI9QF6U@6IV0o|wxBx(YY0@Pti=Z!gOM4G-9!GTQi8iC(1J@=eqVdO91nc?91nk~aM 
z1zbugbS4^;-f$1I>BxwrR^-W!?^gCu2*?ptxcuZizwZuH{CSIi;l3rYj2pb?=66WN z-8n%RqT=Ik@dDs~%`455BVN@%ZhIqd!ZUZd)P9vG8JEWQWCO6{bfY`aQ0+>m3wq8_ z0-cuSGkBFFT=n`h-b7X<3*i_$GCUC}hhRJ!pMa80R?&v%1MW3u@ug8Qh;U&uv_jmN zVu`uzpqN|vNB#*OJ%$>#it)Zi^kqa{9)vHaSrWuNF5|B`5c6cKIppau{ZVLm$_yfG zi`aSGvglE$Fq6YRroygB{x>*5n}yk}toXKBh?$$2QfN_6(?~Bk*29VoIThbB(J{PS%M25ptgiq>l7d!FxmL&Ck7YI z-{%>Xs`OTs0P&m#axycC8q`VPWHMYQ_AYVRK_Iie>QVH8Dj?w^+Z8fR{31K?m;vJM z6bHNI;$yYk%FZwkM(%bbyv|^{Ui*j6X2!OY^>W`Kj|Cy z-tl=#B-z_a7f;P!EhX}FOpT@*s{2%$_rO$sWz6Ha+s#yPY_VNa6dw7>%%84wNM+V) zDYi~h9TQEw*wmTbX>xZiaiQ9qVm^;l8zi;fDH1~7#pmu`b#a-h-{&7gXL(e3pyTX4 zlD!=fe(xC~mM0G3T3$gmYc}k5_4B)$U)D5>?NOS-d*&Wxq@Y;W9jI2yI>cI?!@O>= z9N_04CtX#bDVM)n8baB5OKmpZ+*+OqI4`AD!!ztu9Dde^&<}=1p0AsyJT=NO* z#z#0Q92$vMg+z!}B&$!fSjtGN`Ro*1*U)jGQvxHaHh5^>$#;zXB>C$KO!#pBlxW;8A&+%WP`=F4=#JBirsAA-AA)w7qiJJS#f z%q=Q(&HipZtaVGoZ;iuGUH<%uUQW)?ga!Y}^D+G}IS`3Rl{d#hl;L*CU{^Dg z8GF_moLHWYkSH-DQ9~KY#MS=$EG~`K+#ffKlY7?8syhw)jOK_KqE~pbF&}%3#P3bk zDBWh8LNl-Um*-*=$01ph zP7IHhY$9aP?pjvtyHpU#m!ZG3GOc5n$>>7B!DSiBkh+F37c_(B#3^7&9RL9Z{}>FV z-Gfjac4h!A5U?!*(~U?ccr3Ul=GuhR+8_eZD1{CQHj{LuGcG^#O!q*-v9uZ>kbjT} zoGN)X6}@46-+|tb={^u~)GAQW=`D*hJv+RQQ8Fc=7O$X_Ra^@=YgUSJ|5lcVvT-9r zG61YAF688Oi)t=oEco)S_SbO*%lM<7>5Rm0bK5lSWZ)bi!?R$~sS$i5hS-T;JPP0> zv|k7=rkkCG_<+1qn=Ifoek|&2VP9KY5-i!kv{ZZ?Dl89&oITVPhp@S*AT69pl~UFx z3-`H9X0{08XRUZ>i1|k?=kIlFko{jloJ2phqyj--*2Up)mzOllcWYP_87OqF+XlNH zj7Z-*U30H`KDA^4v>|_jWix@vYyhvq#Id(YgyRoYh**St{nU|*qlLpl}no7s!~`TL00#fsbMJ0SFj3qfDi zukW(j!b%}Yd0WhTe`_Y|)li;li_P|Hj~8dgOpV>EdEp|S&MP0ZQ!RlgDz`x78?!Jd z?uab;#rz37zuiey0X*vCMtkhA=wC7Rey?U7}rv6enz&QF{v z6|x<)tYj&g2fpdf#ZU~o%{vHSb*ae(8>-4|bNasjn<)KDR&lr}T>Pa~XF{hPH?CLmR%`1)TJ2-m`<~@V1}vOw>H9 zwmea{NBV15*i4RC`A^q!FYMjy%^ow{!!*V(KUXma@t&)IAnFk|D_KmKiCmZ{&jS_;JTmQOf_^&$5j*8 z{Lmaynr0;Qw{RaN)9WUo8^6B&M}bRzo6HtCI;qw<0}avr!fPUaBFj4NUlqO{*Hl6 zKpOdo)2gGs{3IlOt+9RHrFN%s-TS+B`_;^O$9T@g%0b;Rj`{IDmp$M3;t@ZX&|YUZ z8^gB(+G7nI;j7yX`9}UeVOd?cYYt{B0-Tgde9_Xqu%ZA!bX)xAIdPSfLPOK;SW{%N 
zh4PQjfRl4*!1K?WW4DD5@$*YS=@=A^c7ASlX{)!MQJUV4aYsZ~;Q25x+BJ{y1Nfkd z4F%~XojGsRpf;VkZ8_j~2Q%*}Z2*hM-W6^(W zPB%HJCYmaAp-fb)`P(6c*4K^A^ZVG=MYOHSch8vBd`rlUw1 z2Je2diQ-|PwiQ}5;VVCI9h^0%FVSQvKhc)2E;DZOYg;1Fn-m-3Hs)VYuI>DJ#9tOd zJUQ8ga1+*Gt5Vh37g!Q%KUKz`VbOB>JonJwMmY>UF#hGv(KuHR2@vpxMJD>{rx!`9%F~aVf1H;>uoY!E)h|I5(#*{W>;&fn#Ul@bK_)Byi(ezPNV?Xg!hSK&J>n_ue;MzpwlEd80{L z15P;DGK`E)^F8=}iqV@+qP@BNmU_I{YGiEO4<>;;1 zLA5){*yo_)D^^4Hc7z52rVd9>)pnbKsNN{Kv_+tD=wO+8G&rng3t!^VuM!e0e)cFUdY(#S3(XqE|DKjS z<1lT}GI^FEs&8=g(`BK|-h#*Sdj_Jg*NC8%_hbruusNCJY3JNDjr|*3{7^#%$;ee1 z!xe@E?(n#4?9woI!;iz>pY{p}&ti9pOc;EE)auJ54B8qf-LB)5r2=LP85u)4!I{P$ zrCbkE`-JyWX2$0@7}S8oZJQ?oS;D@$nDHSD3{kzH*BR=zUijh0PzaaMd9-&lVX}8n zJhg{{&#kSrQg1bk#E$BEzDSmxM7?F*FqeehDeO&UTHEJaSL?X>>67Zzq|)ZY3HQwk z#4fX(Bh6)Uddz-xmx@z**<*iktE+x@PF*SWbH^nrrN#ocEIE2aFGh&(k0`WWgy6$% z8%}J0NfBaPds}&3Pj>@bWv4*3O|@EEw(`@>Iq4kq6@oA^$jxccpyWm>bg?RP`AOID z@OvR`l`c}Jh)_$PFU=4OvY3H|p!IYt(lu&f)SFzXFv7rZgpq-wTJ++jVpm%tpCv4Yp7;)ZU9uCg@|tIt)h=X%e}kJ#Q$3+G_J zw*EF781v2+#$O|XzZHBhG}J~RP4dfM@3{-JHtveA!YVd_#fZFBa;`hLdi$#l(ZfNz zN19RbaN2K896lPeJTD;no#2zSEp$yp!b_BnYdp!~-}KA{WaItN94BH)=6Z{TdG|v> znzK({0l(Tw_4oBIiIZ{J5}y+x{#i~7YC-~|xN*snxfvIcT0H@BVh3%I<2JSw2NOYM zLGEH@ISGEHvSai&*3ZRHqdO(JU5Y*Dx~yUt98fl;1yQ+2;ZU#fNh^_RMjaY8<$6!U?IV5gzX-cv%OgCmmv6Z}sh4Y8w-d*H*~vwARr*)= z;tY#529yOh1K}d=uyNK+WnP~rjHex(v+v8GNd3-#D|>4;;oz7_BL#UzfiW`nJv(vvZj5Quyz1O^HaW_FKeqGA=m~Q_ngQt=-tq&F4cKR za8DZUh_R~u*1y9N@OhhgiwP$bEzm{xIx0-etyeQn{FR;=izDeb{0B*1_;-%O-b=)K zl8j`*9AItIt2bygI4P{ASDfaBrd>2i+8gX0D`BeyZ^r*HZcbQgppl~uLeon91#*I% zdcW`R_aKO(e`8%M#VV-#97xjhL*Vk0cVx>BeUmP~(VyEQadFyL0-N8~%8R;&uL{ZX z8=9a967o(~p5|AI*R2i+iKQV66LK#bnANx@j91W_*LtRdq{JJ|8IXlKmHiOM5f!z~i((VJ(MI?;h1A@F7I7^zVBgLSQ80!NuTr zEG<(87vRpew9#jnQ#GQHz5ca@a|yJ)mo&3rN!VmCXtxsa4ilW?5`i)5>_}PxQ^&Rc)xnI+IB_~lRw~nekX_~8I4uGoz^VD5t6oK z!*1GQyAriM?U2GIF77)toGkP?I#I^SURzksLqQr>+r)l(}Ovg^W?mrUICvj7khU`1*L)y3aT7!=v#^q^m`l1deQ}GEP%sR;! 
zm(Zl?p@jK3uGG7t64~bax}vLm&1YVQpZkA=gH8@hpRer@FUDr#AhfdEJ3YKgbDs4% z0mOgU-aV$o(3u~HcNi=;h-S#FQ4Khd*h?+p^}i0GXD=&ZmAzl9r+Yqhft$-d=JN>XBa#DOFlR~g*JkWJS@huL6nI~d+Mzv zq?{riHIF~^drQk1fx%$5UnD*~dAB$V2_pbb(a{XdcY-+Z0T2_Rt35|lo^EqRU5 zdvk)%GuweeO0SKeix|vtD9qy_GU2x*&#|%t3 z<8vGgQRZbTjKl3`$31_NwkFR}D4k;yx9ZhlWsK37|8|bvX-Qb6;H}PI4RX?#By_yI zNbTyqR9)uy%+J# zo^CgQ0}j$~-lbbK-fFkUKdhguXUZK7z(@aqcjUDwI4nKG=!1`TyE+U&GLREA{pKEb zGm(N`B2pX{98VG6G@e&QmsNULs_ncPw-mw-&-6R$s^SVu6WTuDN;_=N2EAHJPL~5W z$TY%Jv-iF} z+TXEBChSS>p7mKo8?utVTO8>e&@Pif_fgf2U6~4TJ++!WaA$uDnL27{@T8PssM`>O%G65K7f=#4-0 zmWoXmnP9QQepu~)ss3y1?%_CPUv0;1eMFdX)X7@=DwAE^Kd??d1yuPm(Z$SgvTyu? zS+--Ad7qk>=anOHH^*`>pI!}JaoiB33^#j0^#OE)npgs!BUHz47{`m11iAQ@R;NpD zGzc>SY~_YS(s;x8A^Dvnp1oYGe^z$7dKz6N?NWoo^n87yEByuRy^-h=9m>8V9?8us z=#@EcYu4B1y}pYZau|sgBl#J-owrzLKXk1xT4zUqk%lg|+vcmRZB7~X2i%$~9y%Vs z;soY_1apCtQ*Rub#kaP+{smN4W6kBW^YftS8U&)SLj|FHMIAL8UxB@Q?Dl)k25M~e zj1>QRGR?xGE==b>KN1!+2>b5to;^bjQrLkTA0%YzvLVhJxkbnod-xBlQQ9eJ1_ZLO zvt2rI=4d&ioYXVHc8btoaJ2i}C=y6l zDAphFQLnu7ZU1|cM&|qA#-Kqk7-*u})|Ma}%vXR*;f&io+HibBM>l1QdrDkn?i&hZ zj3VB5H7#MyA?&KwVwFnUAG{2<^Z%|bqicx7sE9u2Oy8O{QO6qdeb2F^{6Kvv(gH=%gXV}`Ego41MVMcUw=W;bQyoFpRj zn4SLRGmt5Z{Z2#)D^k6Pz%t*T*HBVZnp*P$m=N)QKChv(z#ZOukW86Cz5OgV9@~$7 zv4fvbo2ltJ>`Ztae(my+EE8?5j5%Dx9>x#stFQ!{GKcx8gbk|W+vqG-6nt&;wi22- zAX%y8V9?heU^<{ec;AZdOICfOl1;o_cz3I1WJV zICM58x^*@c3_yPq*WX0{O$hhkv{#e0+iR3Hg*B4Fp=+Uj>{!uZ{kQe^`TL7c$c=7g zR>}6d5WKdzz>W&@!MF$k$f0Wf=14o|g5ccg^*aSl7A{qN0JItDteA|H9o5=6#ebvV zJyCj5sB7*XIe&jHl#SoxY-hNk&}IV{$|zG1m@s+1IGiYD!=w`g>jkY> zWfPq;C!sE1l|KKLeVVY@1ehW7d&Wqiqkc-G&=9j{yDM_fXiwt9BMz8Qt@KHI42Lp@ zaT)nOK-2xKH$~b?%Y#3E~3woHh@;{X>lxQ^1KkEN7dJJV=5k``h+ugt85z1w> zIfU%7x7EM@4P{BZ@ljzk%zxfl1RQ5G*`DenzT3X92ucS_bxwLi6Hg|d?Z@SItcN96 zsVU^cuP=N*;(YIBhC1EU2-cN7@}y@_hPE31zZPKB`}^F|)%=Y5Wn|8)$SS%{XH*$W zSuX$eD80cyLywmb&uaNUtXCK! 
z=aw>@D`UGKe&4yx`BYhTiRgfrK*sWJh{*;ZFXl)+L~5hSH)i7&J|tS7x~UNwe413* zpO8t9oj*Tn$Dq!>VGd}tq~`>pT%=*G==UcW^siR~_s3n`XB%i+lsyDnN z`P&&0wJ^`7@AuqCD0CnO$3Ix0ZaJ5&EPV3|N3p`)l0_W^PBzG@8Y>5PZ3voEKb zaIt%;n``=04mjn)yYz9tJFn=^1t0?)QvS)?_7PM=D2eZnJLe7`Z&TrY*scF$l}0_J z#HTR+cwhM;VU&wW>fz*j^bgr-8D0rtY^*T|$C4c@w;Xkjf4Nlq)YH_pkpj`MLJAVH zCYFOdX0pDp4;vpl!6X>M`aQVeay-Dj_DEP#HRW^@B}qxyCN;$0jrn3DvWgNZ7@Nx&)Nbsodn_Z}Nhin#s$>u#-hA*6YF7=;jxZuo8LG>SmOU848clZa zLzzoK!b(;uZxM}HhS*4m4GEp2MYBD=W9hls?7ugQazvz*`Xax%*{rl=?oKFXwM)ex z{A6t$KfG2!GbZ>*2`F7r>?*9x#PJnEarf4uvD0NxQvUAs)>K?={<;d3_xy*L^sTui zLHyab*#&R2M>M0tP@NCg(BLou<^{ifj8Ay>_g>B;Q=gI%ro%q65845gGZG4 z2VpnsxQup`!JaSkc1&~Y^`BzW={CUYJT3W8yuWy|_B zwOYB|p#;h0BZxqu`!W4p#z*d6!JBpuAUH3O*nP0}-BPmbI=H?$bTwA9o;5}cE$!Pq zwFfIGIqgKM$9dR@&Rk+7*K%0h@W@~vyqrhnvP5%Z?Fi&_?baN%LrSyJXx;Keb~JYf zp!F8iG|--7#!+NvpFc4vZ>qlkoAK-Z^)bX>4}{u%>7ET`#xe?QWyzWPk~1{!xZhqC z-sz+{9+>?-Y*Fuh*dNb@;@ydIbG6$dNX=j$zLi21YY|{C#VD?DE%8+f&&+w++}2YJ<&0z+vr#I}TK6i)rT}`#{fAjNv*c#4L)m z?hutipzN1~ioSGxs?@rjop7t{EcYiKRnF)?Biqkr>~zheS#_ibD+yqFF)}bpK$QHP z)5ntzdLA**Cy~$PXX-cq&2<@v#IEG}Elk!Ed)9lb7-=}gB%Un9-7)Iqk@nyV38W_l z?X&@4r><4{xYWgbpdW6Bjyd0#N0(Y zo7t|85En8)Djmf2jK0Y`c{uocC$^^^d@pIBMUQ#cq&Kw0rblpXl!+yW)aF$+BA%sx z*&#LhQ>Sp!Rv{>XWMZFYZ@@+T>}UqZkq}w_F5(8$3enxAv?Wi|W61&sMBFNT-51&b z7Go*VHPYc#5Na9yni`HXPY1=9KSfh~u7bh|Hmv}P4{!>M zicn=AWdw?=Q~?tGI>gUZyC+1!F$3UBp? 
z#0Z0%dO1e%utIsAou#Q?5l_ex8|Z)6KE5e=P0F>pI77W4E8i-s=!vJ-shY7Tv3>Xv zpg^*a>addPc&QC9^r{mu7J4y+OjMYj%DPs|n4C^*t*VYRi8-P1lbM1CLXHz#q|RQQ z#A;Cl1ZA&GPZzG~TU;N%czcio&Fkt)te2o&mmKa4JvmDAuHNSY3a^xg?%3~E^{6G8 zn11)-xSlX5Oxgf8$>2v6t6PoEeiB=60A@>ZoE-)<&bJNs&E2@WWfMXB)YBiBTcmxY zV_doAA53m{byGmH-Q=inm+zP@XHOWq$8taJ>lOuVP)5xp48lUUt|^%g zKuk0?YeJLSKJ()tePM22sp|G5Y@Luumg&)4qlWyeNBDh18{)4D?Z&On-3vNvIZhsl_ob>F>b( ztIqA$Rei)vl~ikXbM>@yiDML!hTY-#H#};h1ES&8-{c=MG>~D26R4sYB66^(u6_0#j5^Lj*VT;sGDCGcC|eMSIRVg9eXmyID$Zz^48Rwx zV2b1G1cHj+xv|R9Snl=UuUBcBV_TAs#AnUZ+C5mwt6u*|S9VpY9+T*C-S8Ns6s3UN z!-^L#H3?+YlKGvj?EK=<@_w|;A=WSUm(|7{TM}7apJ6H(p=fX70yR3Y{td3|op}P( zLP=;xP30_g19&m6!m&sJ4LU898Rdw>h|r*`yV~T}TzRvU6J;EtH8llC7#)nwD}ySv z@%nOYKktTK*5RzcT)ao1m_L4M$V8ld$w>Meu=@bkv2`>c8hTuLLEhbvYfOfrBa$fO zi+@)jK+Auo&QbBsmrHUH!M1Kt@RX>0O!VZK&aRGg9wzOEhb4iJZ8?AxZgO!3n>KA^ zN*znj%>J9>)O`p8+8$tuDX*$Ag-Kr(EnLXqa*AL1F}&Q{2;)w>O)|j2kKg(sH|F=i zsl-7IB|i!gawBeL`dGXgK=uvu#K~UxaWl{^JsACv@}F_|u)ls8jsfz8Kp#sE&-cx- zCX2`D`<&b}|6ej+Q1*M16;S$eh!@k62gldl2TzCAT<@F{r%$$x`BD77S|k%L(a$&l`I zK}klNTQm)pmpJ^AOKO)ZwzmE9(fFn>IT>l zE7(I`F5Ym3Ahxwj|2XhAbA$XpZeBSE;{bZGt-R8(H9t3T5T?Az1iEiP@NZvCd}_iE z=tjR4<;2(;@Z@gkyCuVTw}wI4YCeFjq#zyc&+|M^FBEmzQ#3$oe~ zL$`797K>=NF~yAHBT@a)K7d2x$#7c635dkSqEK`y2cWKVt-CXPW`A59BoOHT`|wBS z0_Cacc@*rdpVi5Mgud%>Qq zW4oNiLY)A1@7*;SqbhGG`jfhcVD*$91ejDf9QN$nMg$|b$v95*y}T}_)5yW>Imq7_ z(OjSCv1$Ux>9Dq4Qb^CzD-LswbR?3gi6aP5CBd#EzmLJj3Y( zQF=(7s}C7APrNfXQC-oGlGwMXZ;asAEki!okv)w=L%d)^PK{;sZ7my?X~m5OM!VN~ zFow=4F_@ng^&&r!WWPow-aVtfDF#&l@i@U!&lq?DWI31FDj*4bcBT(X_kbWstPQRJN8ztWor-wwft=bJx8AefKiQei)gb zn}bw6VIIMYP?t&C3?Sg5_O{<(TbIvYWESBgT`7*UQP~p16hM5n5P8HU7^UNA1o@5- zUuhBA-SmCJf`bIMN*nbzfWnrY%+EV(D)gv%cT#;J7?4OfLz$>Pr$G0arD|{5G{A8e zn#rfP&|0HoA=0;JG>_&62Fd9g=>3Be7IG*)SnP_7^S;eRg-dBbI^iA;5f+@X==z$a z5=g9&-D%QW_t&I+vPHe>v)zCJEO&(9XO=Mv)8u_nUeC<#Jzx?7fp{7>_#zRO9FMdJ z&jW%A{`ibx(&q@O9{s~;?~uA^w+1sl`8jy?aD$P)|7J^|yU>i3l}&{LS%0|gXhu%V zO)|VO0S5osiv$Z!Tl(bJvd)s_R5h-`@;X7?F@-Fea{XH&WXHr~D}eO5JW_ze*mp|f 
zvP#44fNYNq9MonVy+=tRj>4OyhHf_Ob48P-7{|sUADS9G7~S|#M-x_aTD$!%AGxvU zx3FOif9T2p3wa)E!uy8LeYE66?*SxyduzNc79Cu$`vI*iw){N|jCKao@ompEen(us z4!1Ndbr6=yn&{o!!q2zyTKwzKqK7A$7K5z7d>dBn`!i=j@g9UrXwoRXHYc}PqSBE)RtPjuB&57EESoyKe@lihs(K6J2PlT{h_@SrUPsjfc#*!X>Fo^mg@2V(410CaSRnI|DSL7E?cm%9PG!BGnD|_BR%CsY z|Jg)pw+h$Re4fMSu8xl%Q_W}KBlGfSwVf?EPAvoDAxJUc6>DzGF!ox@t7kQ17Q;yl z=fe_d>2D})+=2La=;qm(Mm35gU+#DQAU#P1x1E3jZm8p*t3==Kd#>E@5ZPKw5(nBGp0?gei2^Vxp#z*as6f0WJT zrE@=)|BW$pR&ckGqGhXWuc-(e>*8t7rMc!Ta7tT_EnBpiN7TWCZL6sKra_lM7weT2 z6r#XVp05Y&$TtFEcvA9MGwLyJ2fGAISCf2QoxhYg^ixT;VLvd>IK3L>SQ^V3H5Zqy zkvVPowjTDlJ9x==Ns*x3wsMQHwhOL$%o92JuxVY2a-czw9k;H0$=JtYV3PgX1BRO> zXWc-`J*{7j#Tv&v{hpo6$^zizj8L~ zbH*eR`!=SG4q--?nk6wd=KRxtc_*agYR&^*9PjM!qucB27Naewu_;@WrpKA*JwEZU z%n~V7*_)GhE&)H(D%uuybLN}9@%PUCZUtai1N;=08Og#@7}8B_B{(pc;XP*|%`C&C6h^eqrhf z-&WKf7&RV!5|)@2YYp z0G~@k=krwpVNBXLA)=UKfuKTv7I-xFuC0biiBD9w(ta+8<)xqF8h0wo8^Q)N|0A1; z1F#6106w}8hzD#oO)9tRU5Js{1=LR)?S9mL2^;xrnw>K$GNFYyF*JuFrqSYxMV{r-!X_@>n=d1OneKRk^n2VU8HJpRl z=C?+y+Rbq!#qesnMtG7Ur0m>(Mh6>M z#rRl+wc6N+#lmP_(X&2 zYhQ}3w&Kw_f_QMNT~BKuioZJZ;3Even<<)izHLnsOF3*I7voK}R&y`^dYA5*=qqK# zr#(Gaom&dbPecCts6+`Jkbh_f8PWFV<<%IeT0t}C;(Twk_)JL!{5P`M6QN%A%|RfL z*ZlS2_Uf@RmURI}Sc_@G=SY6YFK&$mH>q&RICIqT2kT5FN5(i2I~{`;SCDJU21nxk z(#cnjdeZ-^dvXiBUqjhps!#A*4xQhvJ3~T!-3u<|)gsnu9Om>4#b~1Yp`Z$CN0lBL z%|2Q7Ia$u*!{~$QKy}t>1~XtK8R_)Yh5WMV$#+X-pMO{|eC#)a)tKBW4R!=1a6()4 zrqA%ya71lq=wOYVrtfh7{XWiLzr-m@vBTn`R=hR0 z-Hr7M(iCg-izvTd-hO5E{$-PkQaDF^eF|=3HUeu69}mn`C}WUY{UJvs@X-d+brb4I z%oHHdC61lA0IrmmDcfC?nf75I1oE@FUwlws>tta0{wy9{xXL!Xd| zwx8Qf)M-=%5@b-z3nnlQW9RpWM2{j#b2dG$CWF^`{nC3jP z6|%20zuH#Q$YMc=GFij@nXcZMtO(*JxXX3cbH_Zfu&`DAOLTf;V>zDD6Ka3!NBHyI z4^iSR&W@zbk`YhFkJQBnph`~{IuD&xa}G+n$73TY*mX;W3qvEfC$bLZ+~5{4#dA zhH8bv`Tjj@Z0*XeNLd^=sYn5jfhco{syMHeV zU6>0ppgSN0XnKQqB3v$cr)|QDa}svl6M{xDSw&%R$z9?EgVD#U2igZmW>F9)iqH4Z z9vV7N?vqPmQ#(jM#+t=BMOk|+B;KmCo@)U{o5~jbkBfRFz8-B)7aAvIKP$HPAN1SA z!0RNCwj*1AGU)thwhg>w3G}=$HsW(%&v7F){E4^C7r7eC-wyOPg78Mqo&)zxyRScc 
z#sLL8*VZ~-j0WpB9Ml?ZhMDSdzc^06hWVpizmos21*mr4753!$*w+GbI#A!ZM@tY?KWRGXu0&m5)%=2w{UQ=gCQM^JaBNcV8GreMIVVDOoY=^PyqJzS=EqGAGk=pdsTZ!IA5_>zmq;zVj*U0mi z^AYRso_wWxj`gnFovfJqdwZ%!`Kb*Y8SPOIs7y#S(qN<~<#t2T7=%>6wIPjc18vs(x!+pPKLBubW$-&1jAFZFC zw?GGsuah1{i#b;Eu>Yxlox5+T8=EybRbW%S1qS7;wKDIY6}{sjjo03Ib4DtAD2-^g ztjhKwRyQi`g*Q(35NMzEnfTB;M^D}`(1&d+5a+4>0cQj^!7goH`VFv7VUS`a! z{SGh5mY-Alh_Odno>agxnvxf{XIiNPPKn@ii6~k9l-a3|VT-D71jj;X!8Aph)S7%a(&-{Tl{t7Xsj7je-W+z9=En3RE)YA>R&R>zhxZ&sLy|7|yQZtE6Z zdvlg|z6wPQ)Xi~$NyWrn^p>3$t?emd{9^-uD9WL9) zi^C`a%D_u;>Ds{uZL7_N2yFP{O+kT}`u)Z)P6p=_yei^~UQ5QmWScb}GsL`ws9rLG zUt!0=D)#UeJCqhZ5}aJTH;){K%DcI*HdAaYd1R)|Veg{Vc{ZJIWfA|4tMR_~dL}eO z`cfF3Jkbi32?lzAfcxKw4l6~BKE777!k&thNdf1xiS_cvi28^vbp`_xyIVqgZ{`qX z3%9|rAMiTkE>bq7${(pBj)lA@uwQ|cq|^DS;&y{0VGLLtEFKtxm{4(fV6F*8Pduev zVDfE9J!#>-;}OGY{ELD%ziq6x>0S00_tjX|F`giNkYjU3+C@DyI7a=jgZyM7#@~4( z$bfLetE8v@R({Uhoa5Hj_K5w_#E42%DMB-wH+`5PegqmQICgNI)gtOAc;%VWF^Lps zJS<;xDYb;)Eojwgr;bm&V&c5##zRCZKkamk=NbqJVF^D(>Xd9mT$gls&C82mz(a6u z#eLGrpm;rSmbFby;b$FIKVrI6Hm-BNwC-$vfY)I(o^;hLZ`p(igtSJUdzniTsvpW) z!}%wC>1W;R`?AVc(n1hGvL3&?783XIqS4ij^EmE~tcWU657(=EObq+e#g+K=AKSx` zLel+*XK|3B2@~YYO%Bzl1M~>}+Q|>xuUd)0g3Fo6(t$*iT1Pq9`XnHs0m-E;tnQ~% zqsaIvOC`B?F2w=Se>8hd*sb(&THizKrJc+`{u4oTIAl)l3tUuL_{0Th`n8L+v!c4e zI{(gj2Xfw%FWk!SpJe^iR9*Wf#cnH0p7m2*`t&0JdzIA*F4X{_YPdbza=Urvt5=d@ zKA>q%-bD_~qeh<{iLF=5X&B=;#nmPq5b0Br3Xf5-W-Fc4HJfrCPBW&;Ksn6Iy6EUb zdNx^aA{!9#Hkkz|3Xs1{vA~`bo`9?K=zIibZ!BPolS$5KNFtHGnZ9Q2_JK$oF3qO` z7oG-mp&a%b)oL?SktvH0=hf%fp-@kruP=YRyShzOkVi4!4v@`vy3WqMkeJCZf14%) z2OLardTVJ)`+z>t)5DXCty~htWc?@!-TZictY9{>VD<~3a@xL)p-2Q;!EyB{l)KKw zKszh8509l!6enAYm}F>xaKHN=2m~Zm%&I2Z4TrsV{NlFs7FDI)Q`h^ht^Zwn>d?`} z6XMlZ6vagEp{Xof>Cn34yl-%OrauASX(qZ~%%*#_{oaZa5=>CNCOk}q4AqLDW`57d zs&Jz4xMoJrY5c)RE=IvAZd2@6*}ePTuWA*uXs@c;UmladzQAJHyu3I|46b)2B4H$D(=GA^ zp-6-uDpah7_gIO{fE>C%R!4%~aCfEZ+FsiWb4=9+Z5&2=3s?AaGdO;-SbUu6vwK|@=@ng1;xE)1L*2HJuuztFMVlM@0U~Z}+$3@3;SSkL79D!+ z@1Y@6k|u?~56Yld^IrBXB>{x?W)bp)>)J1a1B&E|Ire zT_R>BnK~UXL){vA2 
zkA=G%YWanK@KUMqw)~qv=?Hz#C&*z=zgdun&YMI&L!a^e=98!mmh&%dO2dl-$)B+qqTKlH;7B*Cuk!UIjx%dR*C`mM z@(Rt}H{-b_hSviiu`1x^6OcnP$^pDRUU zu}44tj|K_zvuWJ!i^i1%LOdVfcSLDPixYw#jRTj8fJ{3Qrk(Cg#Np`Zeo<9}Eq8L0}*o z=*YJ6Db#nD(7@WVxS|qSzkP^;RvD(P3S^L>NH|&j_s+F5{3WP|Xh}XJLq}rrU;U)| zQvYD0Ac#NCskm^#@XRYMVv_r`hQj)$Pn|>w*9}a^om?oLe1^Qh!W# zo(w`6!vfm9oa&QIjAIFpd0*G2h~r8@){Pqu^gU6mxWuC0h>Ke>ueW55MEDj4l7q?( zcYs25|-R5#t6Yg#RV9({_hBjY)$|t3i#^ZIwK_G>cNA|}Pa1HVvxdB5d zTQh{dtuFuYs5k4_y-JC{C)BfV7M7QD>0lW9^VLjUt-U$jX#g!h6<{xVsRa#q%Gy`v zkO%}Pxa=*OdBP^~gu#3@RVk$St8>)7F~@szw(4(S)aC(Vx%^ZvXM??fiFwrrjs$Bh~87(U=>gyG4Zy1h+#2HHipDPWh=xj@Va2!?{$ zbXp4BfQeA!!qG)LpW#Bl%fr0f6dC{X!=)zb^O>pb#t_`! zi;$x+=rNtfZNN11jJ;PaXm0#uK)WtzU)gNPpNqEV^!8Akzp;<9jnn+SPx``Pd5N;^^ui=DR5j;T4m(yQdtN2CYZtOBfz)-HH-s|5Kl@Dj0?Xo@sJ(xv@{kS^ee>hfC`0 zHhWi>ss7>zmn>#`0465rYB6v+iv69yb<~;TfbtV=_?;8Z=c2TOl@ZBU*t!q&bHZ@nO8FhYqV2N>G?lXG(A(ARQK@~V`q3D`V zIN46DPd4v~CI_prOJh8wbXw@`1EMT=`K`ZuDf2L$#kMmb9!SM9R+e=~->m=qirKB> zc44Zr7BnUcYPMk2#Nbd(h?Ehm7nLjQ1YWK%_i{BfM&zH7oukWl1($pZ}YQn z8Tjr0sg~|ECm;0>Z0}G#BAD|>%Z}CDPOJA)2X%saGp>7Dr&Z<(IjjWQU(PR1$mBHh zTa{kk$D6^>^g(@5$BHkq-hw?h?ChTLYsy(`%5S#)2V}CoUyXvq9X5D~?Yr+6w;Fan z{Xm_eKX(a+q*{ehZ2o-C3jAHQ!l{AZ<;R6j zj|gELDoAxoBs`4uhzCrA_Pc(7$^&40>;L>l@owZ_K#ks>f+CgQCKrV26cmT zf_4dmfI*?3wT-&c{r}7g5=C$iwH6@IME)x_gfQ^^mdF5e6mwsLvT}gm^|~tcw!8Hk z2`tIXQ1~Si6+|CwkX1xkwTM($Bpub774oD4`%CVfnhtKj=yJcLdm!_T*?t!$>nW_R z&ZF#;TrA~Fr}%(~{gJ(unFNz})8pyZrtDl{#K&&?;+Qo?mT-G=t(k^eZIplR2-`#B0Y)Z8h$0oJG^GYUR*^7E3_+#jF;c>z(9c1 z^)+e$r`jrymyv#c-^7Da`wue6ooW!+#aO@O&`?n81E{IonFcwhgJ3||=yb5&4 zB*0gI#gE8dU;nahyDzQm%CS%tZLc6w#**YSElG^XzEu2W5HgY!Iw-%mdT>fICBdS6 z3jGTd07czw_JD=#a||o72~hmp$-?>Y6^Q*2GAtJAHsm;Y@vmy3z{GEyZ; zhXScw$$p-#J71ie%$>fo3lrc!Ra;hKpAdTRL(z>>5xLZ_RS*lUo{ELEsl8afx}N?* zSlRh3EeWcz6#28HyLy{OD7C~(_Q_(zKVO}nF0s-8d6O4@P%jNn9yCo~U5A9!{%K!}S#=z6}kk zI&^-Sxtwg;fsE*z?lprUQ;?{uZ4D`=TQVE+&?zT6`oYsfg^!`v$#!F3%g>VX$%F5N z0E<#perRA~Ki11zG(CC&Y+#9D^LpCjzbqZRu zlr*{yNaXq=bV<@$5$`iWXP|s=`36|oM!svD 
zO%dFZdJ!9<2vOyty9w?RLV%=CUj1iI9Ko*n>#v@>9PMu!7Yo5uZ5}XP;aC>VN~*YK z`YhLzO2eAPV}~@F5&Oy<`jIqDeCxwd6=wI=i;}aRU;+v&sA2mJTB%ew^ukX^fseqJ zAl&<$`sMH&p0wdNzH+L>W~~$M*tmrM@?&wmqCoslBHmLK|7-r|3-b&H?zf2E<-@gf z>sjwA5gpyOUFR)j$&)E;2MAD~*fu5Zl)g=O3)N582D%#UIaR>s;4u4h*khd#@DRgT zE0#rPFf_l_|MP;x&OKL9NFaZ8;aR75_j!;sv=ipA=9+QuQRK|yuu3p-1nkQof3@xS zgGBG1dzv-M4Z%Z(b6C z*|@y1+lnxox+Ya`1efFAT;5SeVepxUT*QIIrAO>}MhGs$7{rh*i#S1P`9fcu0n@%#)cY}^AoBvS#FaG~Dh6KXH@Upt+PHCAcJ3UH zeD(K)Shwk~LmGE1{aIUCwhC@Li0}JuBt00|-p z0vHWB!+pK=^WU!JodBZ@BS(1 zg6gf6Gg#L>?QE{StT6e5OP&PcmRuG?S@{qY;N!<-?y|DC z4KFXiLGHHZ=fk(aVr)3%2@h6zlfyylAPDgrO5d7or)|L;Ig=Z89A_GY$`&=fvixE{ ze2kh8gRU6vzM0vaFwPWXShXux9#ve$1maq0ZW<-NHsc{cGX~I`snIDuEqn?5`o$w- ztMd!l8G6mig(FZpL%QMOe;^@+8D1*FwGM)Q?>xr23H5H~Fr~}!cfWH5B$5j$4=sqZ zn6T~cX9WV17>UpjhP3l#!D~-tP1RPXEmW(QzhUZcnptM%sXF9n4ao-xKqz)sDKaR0 z>QIKCFLbX#cWHTjd4Bic1P$+N|ITs`Z34OG(z1^7_qF-iVOL--5wo}gNMXAp3pys; znEmg~3(bf?G)DB-2!0mI7)4q6hTPhP;}@8uq&fK1K}RPSoVP1^in)H{(lHwAhEjQx zI3a{s+fF2=mM0X*;!+BEe9mFRGfH6;d3swH#EI;U8?X>?@%k|Jb(h3g21wz5|FE!< zk`SrXNb~y!H`qzpxOiBir#h)iL)KtSZBJyIA;c#}Qv`fkXDtTcvLI1FRN(Db%8YQ7 zquRevcX$}af9DWTNdIc*s2vywFAeLk@g#qM9v6j0dvmP5O(cu4QT!U_Pki2rYRM9()d`w)j?95D{7G;NX?T#ytjp4`F?HpRxL@nsK02GB zii1A{R-0CJ<@eLFmu4aDO4nsfZR^w4Mcv-TZmm-ZaUEhL3`h)RlS>?lWfC~eUcs8) zQ}!tT6%PTw4Rr?iB0cQ+!E(jnd54HxO|?(Xh}ck})H-v3^%rAsdN?6ddGGtWFTXP>cg z5lcf`4g#V8ev)tmGE&X9_qUse*@G<(FIre1g)nM99IEimB-!E?nfu_STk;Muxx_EI z-hM!&#**uUI@LDipB;6*Fsv7S_-yf(bN0dh>mSfLC$N8{Br&lTV$9cn{_ECbUj#-V zbn}6V-IhF1Ol|dSu>Q~2oBY(&d`?r9g~z|MbB|N|PtFNX3J3WOC0pZrNH{@}*Pk*o zYETT&6041_&C=Ey>bMsd^5L&O5pS^I91j?oGCeG}ovFUR8?|U^>s&}goA|xWe`j^5BOE+$(Uwu; zKzM(brnitfbpFAUaJa9pz~pejbN=zEF03rWtt$kd!uPW`=Optk7V;ZI0QR98wo zW=oHl)VVluXjM?sdTt5ndN)paVzQDQhw64wU@7r->KD0L1RWvZibjYnu0vM1v4!dEG{U=b6iixPU5t(+}l zzKmu+?CRLu4(#hiXjc_;-drvGDYX1TR`-xPTB||F+Oj#<*WV*dot&6}TcTbjq!yqQ zrN!A)mghe@J~}=xVQkSNQk9q(KbXSQHm|teM&LU9kB*u)}>x$1jH_kw29 zR=eZ~c1$MGU++sNOZtcYn*wvfr(n{tsj0KGOS{sFk*P88Z@tfPv_Ym)l_t(JhDmL;`fJ&5YwUObSSI$uaiIRipS^@!DOrt0|c) 
zr{VCz2W+QmjD1`Md0+Cm)6(7gWs0JtS8KCF$~F~sRGA)nZ!tVxUMY0+l^m6^PGY#I z<1qbtD)os2httxhl(TbJ77sQESl*onD_S*}azqjMBvXw{`y1{1p%N&+J|lSSt!I!wZSy9stg#)|%f7m+Ba&qKP0+O$O1cIKAMorx!MMUa~ygsceNf6-(41NX}>pU0TW*vc`^ z#=6a%pqGO<+vU9CN5_@g_kLKmDxaR6=6pQtsn}YQ>|KfJYC+#+%%HYZes2E8+%}in zboBMk2RN`Oy=wTG(9mLTxf2>Mu=r&BkfCpD7l_82&KFJUJ?xCq=hSeu;l;%43Y*a-;3; z%JKte_i4@9e(E9pvK0;wIx{O4U}^Z8UR?4(XJg{BF@JBcBquFndE~$%=GIX8 zrWSQ~GmEnPPUS=NQz=@|9L_^>7`A249H-jx6FV*eQHAfEoCvdhY-xMIZ4W(7oi!I$ zb4P!>lZI1i*wp6{`Up;p<+b4zw#c2qi6D7#E+ll(T3wk+|d0I#0_RHIgsp!n!T{Rd11IhU1qm2DE4X<@4 z?!~j%8<}Jt90d`$tgNgb#yY&MUDU%%@Qj`_Pwax-^E3-QJUv%L zic^zA33N&2X%Hh+pX#)gbc({$y;tBJZzKqe?emgGquhJKT0iU$rc1xmqp=zLy=L~Q zDjU3De~OgByP7XZyF6#|PDBmdHr6Zs-0osrTa+8j!HJdFoN-Uo4ZEsi|GK?D6H%z; zx7VDS>L*TY5-FIMI*MLP2-+p!TuYzTayW^%9*7Db{ur4XudJ>wZ?5WFnv#nDa3&G% z>zWQd`@G=N^dT#?XsL6ulXK-TJ4M>st|r2c(H2S297#}#w&INSN#|~Qe(#BIB0mDt z;Dt#>iOe;N{$T+dc>m&Bn@`hE6s%cL0J+B9!yP0fud2gdhlnH;K$KTheTv`p(5hj> zH#;3Ds|rWwHvQE1eZAJ|7SOiL0$Jb6S$KL|;h33nb>4$vgAAYh3NO-@A?HTTqAzHd zu5y;@w-DL&bYvF_Q_wjxk^_r!oq#imo2#@EHK9Ow)X=M@12|s)D7ZD7y5@bp)(snR zvLci{m7aR9*RmvZv2%+v9lLt(VT4pfyQaHkzasT2Q!e%;95$CH975CNIiD`33$p$= zsWt3BFQBRsr-URzYgB`!gbeXdI=1W4U;B)!DrAP^ITh)oE1 z>g{1qA|ej1jb~x2|5t>b5X7jGNbRVHkKX=jScv5_XjMx1Jh?ET3blS=|8Mo!Bo|qY z81P*Y7d40Mdd_^=KLiLJo2T=vJUX_{^<=s`Ln|h#m6{G}dFG=g;AD*8IxZ#z(oH}%(6Us#B;l;k&S%Wk`H$aovQoTw(2|RR5W@cjIE?2x^H<4N zmNH>8OsQUPAPEI=qg*S^Ll`h8wx1i%;t?e?GZcG270{EDlOn7h?C|1?z(F92s_tA& z`s&!XRYXMGFUxHyE=Gb>EZdn82(dovXyg)*zJx$#d`^BWTUKPtcsw<6q+ecMjy}~# zw6mGALiimzgHhFLbOQs+{^Y{Jc4WDtB^Bo9#ae1WAh771t!dQIcUh1_C(%z&>hYIU(RGddL4b#Op)EH zWFUPAo=;Gvsdiffvr!$95EGNNL*`eF!^IClLOMLiVq>jBFdv?maDQZ68kh()BiS+I z2GM40YzzgJAWiCn(!}^{^MAS(XGlSFT%0^Q4ziGO%#fa&U5T69ijG*D1PWv}HkNBc z#H)aggDa#t446P72C{iV#^x{FgWZG9Hwk?kqdUR937jb_L}a5&eE%Bnzew03`H*-l zCQm9KvvYt)^iG_*f1Z6zvSaljDT^d{l@x+Sh#_mJU)~ZoB7jU@;XO)IDIkM(U_6PW zM=FRPr;iUwz5SlavCIZ;)c+1KvIas zNkQ?p?~xQGMCvpI2||MAs$lZepLu?1-J9SVOXxl({A75pEYP;ZM9i+XO-09_H90!_ 
zlU8AFmR_@AVyf#4x?hKG^y3rFwl2~33kYN*R&G&M>IXPBph!55tygVi1rmae#c}y? zQ&A)vSbD%;+q(J2`&J^gl7PgZ`HWYP?%_Y87g)4*c6A}0y~VqsC&cN3A1*Jg zp->I!y)_bqa+AiSNRIUZ|Lv?X>U@*3iQ>cL)lnN-THV`X1r-?~(LbczNjYhP(1JR$FGd#@{$gPeLK3=17AHGKpvj|>IZS@6smwLuDCg$p zh3iCk5Ps!cp2Es>2eT?@Qv7+ol6p|-oy9=n6R~mf=RPTIQGIVYDFZ`2;k|>b<==xN z@A}JocP~Sw?Ivbz#KcmYS6{+FylO@VmfaknegiA-5z1};0!>|?f(0+A!z1B>n~CD; z@S&^8?q_09hU8KxKS?bo*X-=KXca|Uc7il>ttKi~MzXnYf_d1WH^wKE1HG$tetc;v zs6&?pu|QSC*yP>ru9-eU#Q=nag1l4Y1!-dkH>|vt>RaYfmHxH}2xNkBw5K*J@glz% zer|N6Pnyc8z~td>Gd_&xCIbP!12%UY0mi2RT)oNMmO6U!D~{P`a^`MS3-Fko;^a+X z_FPHc_Gz#6WwGFQEu#S?S&bMs`l8a>!lsO%wv}-JNW#Iauu; z|GrZer14|@Ug3{+4uRx;`0!$eVd7_$2nTpp_9xB9=Ov`O z_Z!;Sx{L@Nv0h&d&+yE)uhnA+e|SvH}H^KksKoS{!CGPk!p>(!)b!&3{NW4SlLdhq106R%d%5 zVQ(D6CY%K(hZxjXt5G}**Yd)nc(9z-bWl`AW@@Z0#4J^NY1)tHe)qc}6Q@yT47Mcn zB}A47hA1p&8~0!HXWag-_!*A6k`sL2SE7=kxEZyn09OR8RSl%+9yvr^)f2Ojwmvaa z!U%*zd6jLctFoeZSJ%HAn51u8K_KNFtH*;p8Rwtbk-iktBI~>aryC4wOel8ViJsPR zuUAk>AHlUCqa>tPLmBQm3RcSz8O+TJY4|i4WkLlWzS<&H)mKBkN7s!ksjrP_fQccB zB~Zt%j{ZLH|GTODY02SZ&%le+_-(sRUy30uC>{EImCl0%At9kK3@qS7U<{LJF7T+* zpO$Mkz8ULmpEep7YX-+A(ozb5AZiIuw4;RGWGCVxa(UM1mgc&LPh}H^0P!M00RH%} z+*7fM{iv>*+nJ61BR3fwy!t$3^-2~ovkW)w9PERP-@aKV<}@Lj`Ntn>{Q}}O>yue0 z5Bipyo!LStZJ&#m@WNz2TZR40YI8M&l3}2DZcZ5PD=39c`}-t#;|si~qObB+Z4Kr}|OBJ*+WuE59K{7TPGF^hVmT zg^26{2OgiM)a^I2q(>8mhlR9moD%)e|DoT6K4#z-HU(HgHhHH_@K+)iqox`KBGwvt z!UJ>7zXbPcbiPH#o`3Y0`?0#KZyjQN=in$@s~$Ej6RyZnh{2PQtc5ZshYi0i~?H z`NLZ9{_L%Y97^HOZ+-zVs8@D?wVeWzbVbbTPv_`hzl9T{I5{5j`gP@JmAMM^|0dKM zCds-y2OJZJ^V9d-f=Hha5t03W=PSG7x61>|8|thb^ql{0q6;`~KH zX0#rhD`v~|R=DeXy_`PyCQn!t?+QKiAoo;ar zdr_~~f{}YpQ6v_fxRZwuP@*<%V=aT<5i;{~3mpo)2$>v}kb++Ek82r<-Z5nO{v|xv zz>m@x*+Fgzsa#xaFx~;@+UW_3wz%c|Hz&$=1Y-KIG&&8sutKQd-gTv;or8n@nK{iT z+LHV{e0{fn0t1lr&l(@!pXy7nY|BpX>=A@*8DMHZ_KhsI7h>BuZ_e6(=0y+tj zvoBYZlWfY0Q+R)R60FV$C||$yz6QRz>_A9(V6F3>DgDF5;|l~qK^rMe-(`Q$FJ*o} z2+5sWlI_`pcrsT3z8l=`$=RFV@Le-_cVacXX8%Z@csHBh8j@P5LtAVz*pkCx~(*jQ=2nUh|DTzS|vBs|? 
zzNjajXXi#)D!YK29#Nohaz<9t(6C_vi93CBX-U|}TEG~TC&pQ16N+ePyWx)60W)|W z{MCg;KQS?*5f_Bb_b4epks2G%%zgPN4)NlCp2qpbdB3C-Xg8iVL-ip+bzmJM4?#o4 z6&M|rw=+83++1B}F*8zNs%j8*!rFn8P_Q=k_pgheMLUI+@b&^PaZC*Y#OQ68zZ5P` zzVXHB7oYp8sw(jOvfrWk(RP0yy-*HOgsahiQ-Pr9S{RsEnx19n3TDn;RQd3S z@@g9bN$@AhA7u`&2chDR7}?(QpyI^ta80;aU5PZ*#k;;kO~JsT>iXsNb9ZmAuaCYQ zC`Wj@-q;wUk^mE_&{CLdWQAF*Y)TXHnI<68+W&V&)!ps=`ozoH#&QwGS3H^vfan5s za2+29!e7BZN1nM0Ohhxc+TLAumKMiUbSKefrF{swxjYjDggtBZZLuGOa6=| z7lo+gcv3qD*{G(Xi&6ihZnpn(EU(VI;v$)${=7U>^a*|$m8+z9g`{W82lFF+o}ZSg z@I+gVs_yQW?Y+GswSG@pKavqt>a=q z5{khG1vQhF5}5>{AZ|R5)P1$Q1DWIvOw3pvb%K2}?Ea9Eb*iYv2r|Jz6_4X&K;oX0 z#$2W%KR+1ZE(j!D>H~_sef4KHbBi=a0PE&zbF%?x_@AzZ!JQ&$3_l=OKChZck3qlC-=yX10`W$p+rS2*bL!GyXYb^!1cr4U8gN1i_=dq^3%RhiRxvJ!7v>*K zLa$H8rbi%m+1}kowYQhIqcQ25?xr-@6@uqV1gpqXsdZ21%7x$20UM>Ft*wn#RMP++ z+-mOb1|S8#FimOjz`;{DjdX~Ra0}-Gd*mhwhjuOjM$`6zf zFBd>hgl4%oQvgG#PsPi^+-KOe8vXFqeL2 zLqdD)Cr4gBDY%!#T*EA%pi}-4;$!ImK6BkG(Z3{YbuJHc~#Xh9OxLM$Y20zvNr=l;;^R;R2pZ0}E+w~fp-!cX=Y(wk8VR+s zrYh$7zyCK-K!Hl!J?gzlNnO0SlNfq%F-SOAUWwagmS%Fx?f;zuhRvWrj%w=|4SvU{ zKAC9trae*DV2Xi}EFb^|_V%v(|J}2}`#)j?sG{4&%U&2O8Lv>zFE)sPrUIE6-Ol6) z>fm%;!ON->mc$2q0VJw@43s2NQQ0w@%K0HxSrh0^62+d#tV{tBD#L26!cL4XNH}i; zJ~zmb*Ndzs@(gxM5A|b=ea}pB{AT5q7g$#LN>QeFtRffa5KIbh-wFR`&Wf?+nziZO ztv0LDs1AThTF^<$he(@K84kUKc;WsQPoQqwVdP=jvKFb1BmJfpClgArx2jK{2$_gs zw4>YAQgZ=hV7uHm$s7GA zV>d?y+r6DLm1(n;HFj|HPgyxKG2!;kA$cF}gm?J`O@3YdAq+OXQ}^qAs;QVtn7pZ)gMB}3#^XNk_fvT8&;TK`=J=eE9sCJoei z`R0V*w0ZUr?&H2HjDSTJ_xL3F%s18g2F|^monA&xh}ZA;$4=$FW~V#)4hwm1R(aRi zMB*i7IpSqGeI7YYM1;&XtJj}ZMRJrm<2Bj(6rS$(Q)~Q1k(#95J>mdX9+p)1uZCfG z$#J*cx;#|MpF5{<_GG^%g7uHBS?{mJytA^M=7gP-FqXsJ!<&QccXA~k&=G)@uDll@ zdn0*06Sftl!c~EaCI5Bf9-8igJ+V0AyxpF1O>2-%4nFoA@Uck#XLYi4z0ND2FthTq zs-Yv@;bsOVy5=lGF(Y}tTTxT5ceqR&@YnC5#o5wbIY$whhSUXnZz7LC5VM;YZRMsR z8}8~8ykr2{jql%x&ECtf<7ZL+;*APLK(}=o$ePN-q@^g;SFtX3rA7uCi~-vW4*Aga z)5W#EkC#77#E=QKncH>s!dV!0*<{tpt_Dwy;vsa(@aaUUZjbP>6=Iurfxu#(nxZXi(U2 z*0GQufEb+SI}@!H+c8x^DPe1B9UtCcS~PxHxaHg_@>4nH^VR=u&`Tt>;@#enyM4iz 
zZgz?~jN53K#*dtdCn*iui^YoG$?kt*m*#t)E-JFBXty>@O}`?=`Mrja%w^V%Zf*j` zauI^*R)N8*#h^d|0=BYH@F#I&E}S1mVuxuLzY{j9iki+q6pj(>4~R?b`6$0(b2+fl zF8}_O$3|h&$W10Mb?-*XVS#DpINSXm+St+*HHh_bnxbC}mo%Vq4l*NhBnQE$&}3m% zl(O91;)BDq*HFK6T zG}{&Jho)zQ=NcMUE}r({wH%nSZb``*8>(CZQv5F9HAL2=Tq=S3fbR>4gV;ezK>8v1 z<(o8+`Rn*NoIftiffhvxy#)t>1+!*7bgu;dHC9NT#U;G% zg55VS0@YPDwYkT~HUeTI>^BIJWnyCSuGmbYj!w=>QemZy96lr<(cX#YNG7t-fAz{) z7!e|iOc#s)_O0#7YKQICpufNW%*+fG=LfJkrwVfmrBvpL5!$sr0=e6{kEbg#`J)xp ztjZx#n*bKmTocuEL19`QpZb3{qQzKftTngr`Dj;E5>-K@iPclVdBl*f zAE`XIbX|6W+Y=oNO!tJF94yW;OLPQ(5TurWw~4EuFG(Fvz#{B!u1#Q14qh}(H}xxS zCEg^-6&ljj!oj3iz_ z09G5GQm3M#?11oYrGP)3PQ!a$agX|Sc53auT6uSl{n`{A+wfGZsvQK9B@#7a9Z#^i ztBxN{k@uTK?1$mO?{yij_@^jFM~BLQ_IZ-e9PYhKb-1tGn}E_e5RdV3w@SrwG1}Tr zf-LKk<_w+g@S(cB>8nZi;{Xl>G*d?4qzs^>v8Up`yiVfwovJAIk)2eX?!`+8riiF0 zy!zqJj+_zAZgyeeej6Ge^6S@uK|y=l+p>1-;0zu5JZ|9`#!cP-&3Uyio5WJ)N@mi1 z`(TI8jy{&UKqniN9ViMi>wYKGd6UWK6BTG|0oft!!DvQ|&$31HvYHh@lxpVG4=PTW z6^S|O70Wa8%n5EKJA~H2T~(mXd^`iJD-`SY6RBWa$U6wiOL1E&6C6 zgksHxYKsL5*l70~rvG zNFDf2d9!o6eXhOIQXrr(GRQ)PFPTEHqHlReN!pN6fi!1fSRf$W`+Kezi_k~R=*pbn zf%tG2L&}+3@_Vo0WRYuKbp@KJ+epG6rUs;9Pf87xA7lhXI<2fyxnmwH7NG_d=;IE-oD% z9pGw&!$y_Ae*KDx!8Qx3u68gsrV_wt69Pn?veqj4Z&BLC5QcVsuRry9;W|Oc{-xAo z%fz_&Gv~d1ADOTT8eUWhl+7_~qKSKX-0QA4L1>U_C?zYo2}vi#gKTS@ln#bS%`l#g zGG^`0v%>Ymky9ZS-GJ#`Z4&&jo%tP_6`{)65Mf{1M@bvPYJlg z+WF4dbud7wwx1}Gnw^b#d3hBT3O+v}kYhA3Jq>)Eo z&H37sr)+`B>Bw)=fFG4_%b^jPE-3p^gXpMz@2tc5+g_eEA|0j9aGL@w@r)wjeD{ zK*SOTBFkj8!b!5N62YOOj9D2&$r1r!K1*dO zl70Nh!p5doP+eV3>~`Gp8;e^1L`#zVtosk?wvCC&?&d&ZTWhO9e_Wa4(c-AQ6B!1j zyp)ubx_V-I286$Nw;mrXx6<>az(3J8ljZFIPyVAH!3^&!%TN2japna+$9R%mg*$4S zzxQP% zMTY^p*68r;@Q)uq0#FI%!SoUM{Iq8xHWfeFgQ)@OYLxT4hX=1VVo5;(*x9s-inn~L zkLFI3V*9qU_t(NoOCaA)2f^BYx& zYg_Dzz~D%gn;8SeN^Wx{}saOu}E;l+@H*PRHN1wTXROC~0U4 z3kuqfXzA#nwp&2KD=sc(U|{$fOIKB1F0Yt-okx|z?OblXCL%1HUVO|lfP##Si3Jxe z(F8U_P7Wh+U~*z&Vrq(*LASlmc58HO?CsmPW22*$m6c@Nit6ff0QDap9(cI9kLS<` z*pK_@n@JGf;Nh7V8~1G3^!4^iNJuzw6Zwz;9GR;&PvrA_oO45DO?=oZY1S=(LZLx8 
z^oLhUmNzp2Xv7|Cogwtl>(!YG!}RoehlANF(lT8I+z_ zdTr1H@#%Q}r58=*=-hIv5^dGFJX$mN*+JY8CLt*Mq)0|=ejg_B&FEBf$!l(6KWVF# z`i%;M+?k=aBK{(Ew>WmeU!mCT{$fgd$>WZeSLu_)j~^S44|ie2e2*zl_l6g{6Npq! z0|rk_-W3tZ9x6=N7?X(NW*6t@1ngGJ?SXI8J3)t<3ZMI}-F&Te1VK@0sntyR58zBN zFW-}pK=8S=!H+dHL+A_*3=pB=E#J)+8)sTt-qX;S4X13(*V!s5DQz=)^It#S9R&(m z4@F4qRW#JqY1Ue;wD`gU>+9|AMxUSo)&uNjO50Pj#$o|@NM%*k$GdM3WMp3B!4)e! zJiPgZ1uQ%a$S6Ec@$Rn01S!xNQ~f}1ncXsR8eW6;!#aE*)csYKpx%YD;{*pj7bRzS z%kb35RjEVS=WMcr^6Xt+hm>4aWL5=xS7m>*xoVU|R@pD$r8BYG9vqH` z^NUTcq9J%6D~A2rD74`iaEw$`rY4KjnHU)*B_*LZn~BHAR>ttTr@)4K^vnM)@zBzm z12lfXUVwT&c{B&=RYvr*`Xh01a-zemoH)Ir6>D9wx;$Lq0y%hy$Xt^vTXp^S7N68q z5{84U>lwK}{~G|~z-B`o4ia)l>3}6_yPb4+zk+AAm}hsrG<)ey($n%HoZzuBghb5J zvSd~Fg(WPV#>90i7N?5h*5&z#V!h!DSryPI$$1{JVvCV!JMec~Oy;|*0fIeQmy(*RtB(E-i$==hBV0`&RWS)@a7 zzLdB488Eiz1r;dB_~p1Wnst5cq@bX{U|y`%^qT}Bfq|G=Pj5}2`Et3%_Z!@NPmgh5 z46QES*Q<)Py1F`ZU}(TYZf)tO8M-EGj4$n(8_Ul!(1H@Vj22Gg`e?3^MakRI8xLyl061I_RY-)nX zgv3j-vawA~PLiV|U}Iy0+XX|Q@1C|!Mmzb#&Z7914ES_+Law0BF6yr)bK zDfG+>-qGU%;V~JczSik=Xy!A1W^|i?E+V9ygO_V4I^5pv!w{?XmxN05rdVL z6$1mKJPZ#*5_*5!h6bW%Zcz~}_46pm&)+>fB!3fl3*;9Um!Cg>uB@yqxnB_`U{6g< zfKcDHW%`MlT2D_8jgV95L(5wa&$gwQ@Hw$F5JgXagan}AV-pkena?s;np(`)p7c

{&CKc>8qQ8nj{|Nm=PdPfb-_+& zT?cyHpNQ^@|5B|m2nwKkxgoK3Q5CT*~u>Wip^H%ou z(Lcr!)W{MnPlpOrO460sk3mm;h)BkWk>aN+pfHk=!4$kd1F;I+eAo3z6)>PVfCoc- zPc(bWO0bXBer}z3hWh%?`*uw$CnpDwN-#V&)>hsBmm`v&q`j+a&9s;aoS_;xwqaJhVJGwu#) z$jHdUOKx}}%HO_iA03tC z1^ETUZxDZv)opB_2dp|HF7mmuf}mgxZ>dhdiz6gRJEbf0*NUCrfbKk#^;vn; z6havl6&&?!S<1)9$LZZn@knyXI4gj}+MW;5U(!joH<}D3#L7D zE9%DXbdG4~`64i26mmn&4QD0M~+3JQAr z=8ePt^!sQM%Oxlw4o;UoBfL9|tE($u6aYrHx3?MeI+q>e6B0a5I&e&QPTp-Nf@e(# zSYw5vrpO5vL^K5r0HrgC^Yo($n(kd_S|^i+ZP^< zh(@)1eLPQroSfX(l|Bz(YCZ@ICMJx`%ywX%8>wDmrWY2Pfn~k8@b$DB>+kPhSXdYt zu^!Kr1B5Te1ZXFq{f1grT|tM02Xx5rYo0_iUY(wDdOm{OZHGT>ZF#vAMA54yPvSY7 zl~(`j>+2d~qPV1_CLk_AXEz=`MD}=ic(k;%2nYyxdwV~SUrS0!sT6C}*=+RIASt6< zTwdz-l}jh6C@HPHZ2_$O>2B$%JvbQ^6?JlCq$Q`33bU8wO_v=fq59?VG46I>$M()n z%T&~_pdcouw~y#K_k3KBmJ;LL){OCu_Ir~c0RaT=UBP5TV&dJR>k-PK(0f`;#Eq4< z06-ZB`})=jM#xN@c*E(4!luT@#}^i)NYK0W0b^i!oJ0x{No2Fsa&^7)3KjqGr?Iio z$H!+_fh`!k69JS+{FZysAOkP1jDdD$1t11Ay_rq)_wQeytocg&h2XPUZ1%?kyy91> z(>Mee+Yww4Eo)$qz5ebD1WVx{Y*<*>nc3Md8$a^?Gx=EM?sxLpmW3Bp^$$X)Kw_!7>~%sAhiZltUAK2@xxyhqm- zry?O)zP;E3#wGRjt6&W#7FLmF1Ndx(&7joP`8gRmxmJ_Q#m(7Px&+h5j~|6aMTg=T z1e3juqrlCN<;Z}jhwND+4l;zUF2mFH9wZz(;PEt+l;PZZhpVgQV4DD8q@bYK!4`c9 z`32EteF52p0}bJj)ZJx7EXr8-yUP_7&xZ?@`~6?OrA8wkXpBQi#H6J|b7KflDZnMU zxDs2wvvYCD#C>jASkN^3>b9}r0q9V`&!4EDcVB=`b})cVVd zQc;PlNm~#xRaM_b_Ec6>oLyeVh;;i-Ei8o4;^X1<9)_r?sR0@5XVG9Hn@oiD7=ZQb z_LF6s+UtZz`M>|FK}=rniJaaAJT4Ce>dLGyymwx^ggZMsKuu%@;hclx-9p5lKPL;0 zOV14EmCINQV7!3FN=iu7JDunn8X7hqoH)8*rsw2rb%x-B?R#!9Bq9Q6K*Xs3>t&el zV+2SWlob_0kq!d^2Fw=xj-{og9EFygGyuJWnkB@=vhQWzz?TBp->__cs0Q(KdHH)! 
z7>D8D->k2(sFcVg^j0gN1joT@bYWYk0s0ZMvOd=C zf$R>S)ePLjHrd}L&!-3eF>!l)dyo|Yr~u2cxw$F$6S=Iia(oOtMI`Xq=4(O?P1EeA0s;DPJ z!-|>f9^8{3T0)>4cz1QQWm8vUxg=8am&es%z5CDE)==!dJN)miwS&c`J7DP7IWO8t zBYOZhTb*0q+5$kr!NF12(14GND@Hon3;>3R!)ATDOz(P~_m3D*VpS`RMgWA9xxExo z>k>fEOilg1HJAjlg)hW2WmQ#4yzaL^x%+tYzyYW(+mah86eUS|soH!Fs59V$t{1yX zW(_GR+WPvLB_$<6LBL>>qdvT9F2;qXGRLGFN!ZJ?v$-DJ`k z{O&rlPBM}njfi`?-riJL*gqG}jP-5@xNr*Z0@U4ALt`Gy+8_1N{d{|*-hS^Jjk1tX zJMfQV78$^wOMy;6Q`50_0%}P=QSixoj-ByB9JYtkfWw2B-_j%)fVxm=JO=)dJ=S`* zQ4IW0OWpuF)buF`z66AXADyE^LI$F#RU#rIkq{99(yeW5unb=T8rtq*SyWhVt08zWVx{AHs&x>1Va6DRQ zP#M>H^~%@F3j!jiy1F_O6BA>6VM)o+=BB}qA0Id4WRkg6tIgiI@cBxTYd5(}jEyNo ze8)u=5ft<-D4_P{N1sitth8IGw+B?#ZLUtk!r*yq0w00ipZ4YEQl40n6|I5Bvcvhh zvoOBLWiF;Q7FJdwK973<-U>O=AZ4$JI~4-h09bp{wPSmu+f8|GtrJ*x8f;VWAz)sB z@lI>e)6*j%A?=I&DztQXE*bM5fVw$E>V3W>g{=K>1%KXmV|o|?kZNbjPh{rjBQ~3u zng(hA_>7B$P4iDh4rhF1qzphNh|T*;&BW9~{N$0qy6Gx;v>hZxuwqP2O`D${@4%u+ zOhdD>HWDqNbxtR%0199tWx-a1vVwqVFMwnEZ>5lhM}Yh#(A(dZ%#;CbGa&11a=mIt z!x|bGco_1092*`c$ro^TzIonn$+*v{Hf%=T2xh7dqyu@1pB{1az#c|4vywcI@57cM zDI)S}RjNP*f?D(dQxfK}Ps<$|jQtq<**G-jE2q=(auk)qa08VjITPTKR8->Fo-RpA zNzVZrBv5B(>JIYpPip*fSft|g^*3Hk& zjbk!IeLNDD1rr3euUz=;1c*FAw}Ijt?A%00faide-N@8*?#QH8=4v$3kwUKxV1pL4v+)w?OCd0rE{KFNVWW#e*4Hwd{b4`5x155 z5#-g{;$KkjlMD;VC61RgfX(^J0+$5ZSNVfM4q@gD97n##Sw~n=76gau39zyfZk+^Y z0GI$SI@;Nt&y9jcpp+$y6yrDkJ^Ihq17ZsX&5M>5D^y}$Zs${dxp%gfmPf!V0|Ek& z$fJO*vY1X5g5DhH!L?5Gw-7ww*7*2A8>h!6CMJV_IY`ML0d1i9R?08gNdU~6$@B5P zu#o0t;QBl10B8i&XCq;zr$=k%blCs)uIW!I$i>W5!7c$OER)eUF{#&SgJTH6I-R*e zOt`wdlz3F*;%We?K9M>t4Gp*bZj@riow~Dg-Ecj_$;k=GSC|Y334}WT4j7ybRFUW; zMfSzg<6vQ>$^8DyYT;;cwvep&W)zR^~NjA3Ey0^D?(fw*+AdwAeAPyfN zUsOayI*C*1_y&R3SxN8hMF zYofp#hgE=g(t=F|vG6(_9)KfQ*%kb0%3oq+t6$518AfIR_j2co!i+~*fhR3KxIq1PUaWplK(ZDZqCI7{)krGj>I z5zFy$!U%w!B>-DCC$KT=b9V&lcx+28b?KvN0SyZ`WfvTtXFCb2<;dJFswM;QdXqKxX~2 z)dY0lNH-(yl>Gcp&?!XaKW`8{Yj%L*>E=qWQ7fygOn&YUQch~+!sCmJ4oe_4ZUS8# z7Qgwy8f5msKa%-8=|HaLeSEW(vbDLH%xS+1NCTj&z!|UiD~7I?rBYzp*4VJbz#qG?;gB#v0~gKT=l 
z9}v&ZPLX@Mmh#rzkqlA5jNb9t69oz-eAa30iKGBa%JZWa(~K*q0|?4t$ANP9-OA*V zK&EChoAxR>lO~Tm5#@(JTTMa!2Qc)hi`cXMX95tii@ue8prF|5jizn}pbz*OP$Y>6 z3C%$O{fG$iMUdX#HsO1xjTn7Xd;`@-FLnIm>8*E<;LZS>^s#-#YO+K-?13nhfa5ul zS=CMt9~xAF%`GS}<)^1WM*w#Hx_Wkg{%=CUr>5=4?2HWC`)g~!_@D>iI?t=z7JvqC zEeX{<1Y(z)u~8a8(#Kb)3wp~ZPN49FbK6>4S{fA3De`!IFRu@$0*{VMIK$_4d@&YD!A}d{1!+3BUQ6 zxHvcfnLP*Qplv8<*Ps<8q*N9lY zmmmhOssPdGxZsPe3E7(+AeB#d?}5r8@Yj{IpFj+8JzWpHzUmmV?utbufPtzq`wvpq zf?^rp)BRg*Eyz$`-yUE@*YD1ZnDIQe8J24MK=udZ8QlWF2|-3M1vq@Q*^H0n<@t^R zl&#+5fzu;AudM6@$h6SAL#`I<0gxVCPweiRK&>-$zsrzy+huY<2SNQjAkG;n3w3Gj z@bJ*mx$+e}s=k3idY{k-Yru9Nl%Hg~4Yw>XmcipG|D6j^@L^$gmUEain2-yb@7p!- zOL@ct?fZv^p%lI$Hm;WmotpJ_J3tTuQ3~FUAF9j#Mmao3KJQxS<`)L(u`AGDuCs0V zIoR0=xEzq1FvLjEfiXM{uq`d)n@yL#(Dsw~)WyKYhC@SQVQ%jJaBH8|W6GTJxDr6T z2zAGQy7L5^rc$Dn)>oq4+*uPA6coAc{0q1>(2H*YK;m%fz&%12=2B|Bga7@%2n583 z*bV`28?Qm|c9||L?_N?wgwK!S6HDuj-srul z61{@#?Ch+YY!+Sn@gXh!0SbPJX!~}nPjV}ki0ml}lu~>an{Pyja40@zkCeWEz@Q+ax z+Y^eO3B_|7adKe=>SgUJVJ$ccL>jxqe1HF14)Z{fUvjpd2hl^rk4vA|%&?^N4dQi} zFR_L3_wQDx>*DwOZh#t2GirC7fuOeh)dWBfy<3L%$+5GuqNZljvi{F6I`*1y3_I!T zKEA#uSMNapB5Sy6T|065Mui3FAr+KI zpWRg5-oat>D?buXv$KoK>X2R>t$Ou0b#=XhSUSy!TkGpVHNJ=QNIys4{(*s$oWsgW z=JViQ#~guAXoAZ_6O0cVpvwm0Meg70VBT3A^4dUh4p4R^JG2ifk||3}w*$79+4 z|KnGb9g?UdZka_zGRr8dj53p1QdC4{aTytv$`0A0%w%Rqgh)ooN+BbJ%(#sBKCkZk z^ZkDQ`2Ehu``vv%?&@-0$9WvD@f@#{&yzvcK;(6Hwx;zEx}mwPHe8Z7_7pwx(l<8d zsH}Yd>A8AJN{Vuw{b&nk<(zOj3R}8tj}O#MwvB~0_w({Z<&NCKZ_zrg*rB)Is@{F^ zk`1*LdJGZ=$KS7XX@1A=p4ly5Zyz%=GKv|_8L^i_0Yq|`0mSr)F~r>3+FD2F6VlIe zi)p&RnFO%#)aa$EZVugj652$pst@~02lw=w{;w<_3Q!@@R-XQx$Q!M(KH$rg3yMi+ z@{ESjyXqt2;x;gC89yL(NX80pBoy~s#CrM2o zAUOCP(?VbVWpxLKe2xBX&F?NYk<6dndH>-o?N5Mbgny;@Ngw zeZG17fr!(ZBzeio?;E#NgZAt?a^(XW)^&uhVlUmpXYIddzD%+LK&7g3wE4SJMp2R@ zHt_wYDJgHyQOL^4na%aArR)8~?X2}!C0-nnZ4-ThcB_0qN~toeL{L;Y1SR*(sri-` zEz!{K?(Pds#70hy8#iv8K1~-hyxvBe! 
zd1u+~GI3QpjGVTKXuk5UzCJAB_)}A*5^f`}yQNf?Xjt05`kUm{Z=9Xlcp2@{4#?m?faled&gF zielcf(dx=dZV%(^$yMc!@Qa6c;>-sG1az|Ysu}1#QxqXfZxHxr9T!z%D8q-AC@K@wOx!m*wNTjFy$uNH~k#fXIRpVVCF7 z6VXdEUe}=m8=DeW92prwt5$h|HYF^KWv%%Loj=clnURG>^1$W_y#Cg-&HUI^&U@1@ zlv6(PZcvhY$wdX)P_^1$e`W$Vdo`U;(I#yVO@E+o*H=;Px$ZNH@qoA(c$>*ln_Cn2 zHX3UY)O=<7%c}$X_wN@H3OID~{fI+Bem+_H2j&7!pGwhhs9VoyXw-^T5S8>7$ufu8 z`L2s3x)tf&GqTTuLdQ`FeR#OrKd*^^VR^MzsQvViOiIgOQ>YA%-u|F zH8mE17srfg7(GyL3H6ViJGS=W9?-ZkpN9|Wi}FfJp5&aR^5I5RmU!GP9}wqWr$diukPiWY%YLfYWpPXg^8uw9_O zzW&GX@cms9O%{1n;^}O^Nwb%1O7ru>-VNa~W4|M;lX(U}e@G0V_TF@4ol`!(GZa93 z)e>s#CiW`7;fXc=cFP7xE>@;JtFhonD(~Be=lc%!Xp>0`V%l_@$sTT=aVbm3X3K zV=twAo;~^y#NlXjtm|;YHm6r$nyP)a0Lfwmt@Y^HvuDFd>SP(@XjOyd9E!ob>Pg~N zDSG;ct#YdxAJXV)X_s+3Z6o08ASmLY5xY641m~_zg_VuXq$-yO>)yRB7I_dV>FDT) z9XT>f{jsxC4oH(sHneNgfXG18K8z0qEOQLNEdmprfsFu5051zIM~2b)^Fj-!D1<(B zb%F7iWRhR=_PDliZVUigSB`mcQBi_~t&x(FlB=sL;x*I{Cr_S4$>QPRfkg>W$}cG3 z0Eq0`?;%jxiL&c}kkB&f`q}La2_T%XVJ+SdlJO>T0U`px5b}?1!grKI)jsR*7kg&q zKs=-NM&$%`Cb-N$v+ua@)dB+pw{G3~`}c3;6ALP#?E$ryn<8z$6rS3@<7Hh|dOFzu zS(J4s)*c*M2v+50wy>~(D3Gi!LD6I(S!})WuFsTODfG`KLZZmEjOU6W2G6w53csnP zV%>6l;#fJ8@aF<1*=_Wc%&jVq_A%75QL@r1Z+d=GCnm6;YsfCH*P_wXr7E%NN?&EX zN7E&N%K0Cw*RHiOOd4wRw6;!z=ruIUK!0}TOzYm`ZotvTfByV2GJ?$?Wos@8G!M|~ zWX?8bW_wVMPP;akPV$7(Y^E^CPEM}r?RCd;0O3}?SM2p?rK7)}OWwicP?MG4bJSpkTqAKKi4+8>9L6!hSnjL`*jCPUzUNcD#n5lfX88IyXrnPPMObCSo2jGGic29Ur>62htlNL^;1&8djaUiI8PU6V zKI8^`d6tfzo?Y0`+qS*0udk&gXr4?!8MejQHcX*^@b&f0qjC21tc;3^!r`g%`~#dr zjaLVlq?VSJjt+~J!%ltu4rFfVMa;IE72n{r;-zQen8cfDh(w~U?soqZIDsHnYr@tf z#KkxNz3jjF#KnC@u#1b2&kNH|Q2|l*eW+^Ju3e}~aQ7oNnRo9}b)Lr!#xs|NMMV5w zT5`R4b9R3I5=Xm{o*paUeioLR-+@jt$5A87%J#Oj+yL%KiZT>tTPai|64y{hfFi7O zzHlhn?v%C~QhG{j z41m1=$$Qf59PoP3VOLt>0$%RkwTtuEEqer@?%i+4Jpr`>zkT3ORKo!yjVY&S^UB%!|s!o zCg8cp&E9?n{m~Ko0R@O!uqm(w^Yin;d;+R%S>+j9s@o7KIPSbK^ZjJe#}(V9wPi$=1l@}Uz^L#13xVB}R@sfH6rmhz-h0 zO2^z5Xf&k;#>X4I_I>&C1q9t~(#$_G*LhHscXU8CW^Ue(2Et5;^Dy!fcm?#C7Y>+% 
zpFy>b8ZkF)aL@vW9w?QFS;fx8;ctC?dpXiJ$Q^)s)teb{tzZ3X=)xvAy=ls&5T6YAgx#B{AH;exH7u#RCEecTiZW= zjFzyCDK3`m6(?|RP2?B_-H7rC*#Db;j!P$>o~;k&3f|I;Ia5JF^*%qW&t+z2g6|FX z;&;7zbsW(<#Zg|^q=Z?1kF1y&%hs5o?L=L{$KY5&V{gwL`ts4+98>W*O=Vn{AE@6VzL_JT2Jv(!6SKqIev; zmzS3?CDo#{o}L~BCFSxNDa39Ztj1lUszJF9kt^i)LHb#*Xf&QJ0xU9& zka+?tLtH>yy7j#2U3h5dO=su8`}YSv3{+n)(_2SaLy?rG5uJ~g4#fc=bsF~ot+X7Y zS9GiWX29BVFTORJ-BwXJFFU(AtP}z(iSa|8@n}2hR4TI z?32i>7m(YVh+VU@WVRd$#m2_Q(6Ad-Lk|_dV@ui>fNPLv%$;835fM3#U;}daQUUY@ zviS3Rvb;x@-UZjFxEg?*f(TDw?>w9v#?{(}}%lSJ$ zm=)$DG+2=S7#i&Y*_a{+S)BD@37>o%0wsHMWg!X7+)_%Xv8 zd9V4y2e+kP$1l9`hLmmY^ov&K7)33pQN$31K7JGx69Wek6&<}RN1Pkdpzah}0KLPB zPbxdUjFhLG&)otNFD)kr_@oW$9(%kKe(FXJULHmaJMBKQmF8z3%0n}vWj@}V|4CFKa1C5XEic8lLX z;|}u3bLp3XLS(T5Vm207s7bUB!p zX=^*R-4HAZWk^mfg;knr&E*x26BpKC3}0+f;w zJwrpc<)rfoh(!xusNM7GLNx_oSiJJd;D(J2@#p6Zq&7c4znGZaLPA1Vb3nwKB(=Di zk;s1h`n7lW?wI&^Q2vv^kY2mH5;<7{Secn~-G2WBYw7I#d)q!0n!d@!%XnZG7GmgN zoFcT+ptDMve<#t@)x{paX9wp^qyr#T;K;#^1K8cgP>=QYAQHP(#OK36YiMexgI!q| z(^gE_Y5lN>xP+=W+oUwCAnx>Y>`l`%XCMxQ!Y&PL6Vey*-U+5q$Dds}{m{HYa^7v@ zv+X5vIsUa_LLZ78V*SPyW1qw;-nJWeFYi!ow_jad%`q*P5EVtAV}{b}kMI10jiN4> z?uDsdc8`iwI1fccvQty3w#I`S_&GjK`{Zl`lwK&tLDE6a4Mz%@4;VIWM%gg8uu$Rl zdwSa*GJ(pf>s{^E{aXY&-^ z?|L+c!EEC%cI@M6BcuATvi#mX zYMI;nLe)P1b&P;yl{|d7t*vcr;7XAIYKwt^0T^8oOHv%m=o&gYoWZ%E@Z#uqxzFkYzCT%D^GZPUY-J>`oHI*!`fh&WHtG}&n01BmFzgncT;DyBHm3(V%GhvK| zSRm_jkim^jjlW3n_B+1(wyv(xaKBC7i!98{1Jl#f!^7fNKJ2_$tjvNh`_wlTtqW{3 zCTO|QKJv2QDZ;^oCZG(V_v%fnHR@NFM?1}W#~p@8Mo@F3x3jn?x!Hcx|La|bKQOsO zSun_8aG1B?1^SrzQ^Jf2QAz3PCD*$SUM!~I#^JO*CH?8(%%)#OlV9-+{@yT)nvcp~ z?p(nJ58>gJBH%yP`^@I4=>O*r(D*>GM<9%a&4e4~51hhal9IFf`gM`L`Ht6frv842 z8hj0u+(L#lCc*&%W9PZ^#KpyPN6`B{Edo9DB@lg4(HiRhr*_odE}Q?~J^!zMOF;<> zd7%mNFScvO5D0!do1q7qz)AYZk?=-KI@ka1_CJACk~*64caa!9>i-32#rjP5dN$6T ztgP`^FB!lhgoyvQS)we-N&#S*XVYyl1Z@$I6vQ*F$G@K!Mujh@MyHm&57_UWS}}<2 zBZmeD5nKGfU{$Oo5#_rbAl7Otrc`jhv;EvnAn*ic`H=QKg$#d{cH1sOl_Vk(co1h{ 
z1NBwS4Ga}4WI|zKvy2KeyXD0vv;VoJ!~d!jOj-O-zXeKvp+Enw6+!heLpWR84CWQIa`J`>G-M%0kV!2N>s5TNH+>LK#e4p`L6jnpR z!WP4g9Bsd3ErgfCkw*4<*epyrT8?ZcYd_nfu-bj09c`W z1*WU*Myf`%k4XFYLU*^}_Zwu&i=dGF=3gk*Ngst}!IkD31IVHOTMh_t;3>m@dHmR~ zoRj>=2>}#}f00|Ki|9s9hBNKlxl`D&V zy14`86M-<>{*R(#x9J1XF$}^bB;VEGmz9#DDc^xFwhmr7P-T1ke?N>y4Kq0Y_qDe9 z-@E?5|7}2kyoIH?OM{STZK)n^SvLN=k(4&Yl}MyCC6t_KmB?vwIY?m1^yR1U|Mq;R zZ;LI}9-8ulW3mK=(F525j~;;u(?5H543$Yr%D#xxJ6ux!`+S9D=d*2l#F=WaRBh5U zn@f7Bl|Ca+UujMFgLCo1PbEdfq{JT0HSnnuw!6uH&5xjEQb(3^n$kbB+LRO@FnQZt^YDIVX4d!l%!Wl_W_Qp7unE0Y{eUU$hYt0l9m6vR z;N{;Xj*m<_`6l3cLD?97VUKMqU6Va$>CQ$t)rn=KptzJC`%d7P!25D_siv!u4GAM- z4cF&x?^t=+Q`w%J>1ttY&^9yimd>?t_OcG^vzyUAQrP>Iu))S)=y`?;`+Nk9-o@z}N$*HcQ@EaxF8!e2L z?V}0hwvzs2Ij&_BYQ1fwV2@+RUZRnMt#fqh>yJW0+{g^iij}mO7^o=CApuT%`Enf& z6)=8!ky+L21cD$fv_dP_01K#eD^2@yC^?2u(6kay|r|BZeL zTnagck)PZ3tN>C#R;dxwSWo9uonfU?t4$$>oGjuPxUJLt=uF$58b{)N(jDd?f7^c+ zE?u+}X&Mu52?z3ikV@N1mSc`yM{N4~^{Zc(89}BExB`lWwiim!rqD7mvAbZLAZLSCJB5~sv1;uZ zlY0|PK_6~$PZ~I#I{BNLww#tgI4EPub9O$yd{N>5jm|Uf_nxO##)=ErJfdrAjxE~5ux7!Y=>yiZ?7gKJ zDoYfjGR1)eCl+F6GO}?;XD2y!dIxQZ;?3T-BJk4w)F&BMp4&kYQMm{i1IZ~qKkT_} zI6ulW1BQOKs-WFccJTcbW6f`~C zYRR!GLI{yQASERQAK*#2drhCWkE5BsTTF`c8URtM4ZF4y(vqR3h<-+0aF!oJ^ zT86liqM)%vL@4}YNtnQrgiE3IxIc+_(jK&AWlX>{8YB{M&k z+y*8fP{is~gtG?BO)Exx96eFZ4fWBBv8?RSFLN&r)V_LN_CDZ%iA|B-x$*M^UR~8K z%@-b(Bo{mz->@=C53)@@{lu_|rt&4A&z{5~%&X2Lk?o;p19@}j#cG@)E z>JCY0|Nfdtef?$42QQP8S=iVho$`J8Y1|1IlwChbQ-HBdT%3rR38OjCV)1MyH+_D%jPf;!hkKp!9^+X^rhP*liiGW6i*0);g_ef^6~ zU=!93T)&E8i2fg~#hqTIre1+ck@KqpHxayPc$_ew2LJXdBORR@gFAH=d4?}qY*`6O zm(a_3mkp9vhc3Cv)P{ol4h^RVg;BfSs$Kn`H+~`S@9y7}sh+-zEuruA*D@h%+VX!y zDB};@A7=}%_`p9V^b_&I|%Sww=BXT)Doo*{Ym`m7V zu}@U=)t9eb{&O z^83e#h%Sam(D5St2Yy}sbzSOaotDXzxQM{-o%^V8tn&i46+F}=@NOz~lv7bwS^hBg zM?0D+arE__Z_l4h9enE8<5b!b-+gJJcCS1&1}S^Kyc$;9Q{14GADUm8%(_%cDodwL z-6!y5eNQsY@dJ~02{T-lb2-}&Q{3SmC@1^p#FFzkIz$@V@W!Ux_?sBy-d{i28rn6vE6ue0=^Q^n1m*#I4&9FHpjQm5_aLb#lzf z4Ztx(ub?nc{OIdX6$VFYpn6l|O~%-7E2|?r89>BMs@%l<2C|+SN(49%fpQP2K3u}2 
z2q`H;m?+G9+S>~t%vI)6qPbjcyLv8IleR+aHLe=*YlsEZS!z%1~>((uRQI{_5>ym+8 z1ejHCvE94VI=Z@Bf}g-{0`DmoB^AS1-)q_RcRbps(ThEJ07n*BQRT&YWH(eWJAKg& z;8M5;4l!EZ%M+SE(0~pIG|zZQ81M7@0Ir# zHCT$}fbl`W07smKKPKPS)m?_J0*;A_KEXqWf<4OdgFe#6fVBhWHwRc2AZN3|%j`dA zQswZ)tK}QMee-~OAp6>-u6j!`7&zEjSi(X=&YnAWkL`U^6HF?%PzOV(w!?+;Zwbyz zv-z(ofgtl0zEeYZTb9J4=uaI4S9b4A0YNCQiCQ@d;_zB+aRVnr^X_0 z9h^8B_|1t-OeC|ns0U#v+UmuWGz0*UJR1V&oXrR*E;;hGj(7)gkSL~l5MyCg;*$3i zK5*c=jg3-xE9AWG*5cJxRwI0(qBj9mknE)&G+KhUm%BYz+u!f?{;`lr|3jufl1Goe z%Hx}YWW@o%ZFIEAlSvN%u_S$noI(Hl`}tkq11bxw87dGeDk>;hA@X=DL-%lh5F#KMBUIDK#fLn8TnJ%SOCl`IWME!T57a_0o>a!?gNGZB{kucF|L+bF z5gGaY3APS~ty@JzMBEp~E}|&Da3Kj3DA8RFL}I9egk9g-aN~A4XDI$~{i`?lfTRv{ z*nH+~pea}O{dfXkwhF*9ln}76QdB;7#)bi+X8;T!4csIY_2H1tgZTJ7No5Yp`Cx4T z#1jMItx1BcWH9v4+8TzSOc+7@UvB*|876nL9r#j!D0Pv=CvRP=*6nkRBg;I`=Wo_5 zXbDi_!IpvX)n%enQ(r&g^z-+PjZhvqFh1;q^bCkJo@X4c_;|20c~LN)A|2=T-yhgm zBLXssle#&GZHKHJm$RFLBL^!EORDWgk_(w@o*7VV*-)t<_g+?3fSya0-!A^$WeO9_ zhQg7#z2tQyaQ`4n{qbiv9oSB@89Y1qV;pi_-FEOlKvU5f=j&%>WJnW9GYE(?j)x`G zO-(&OY@kCPAqpY$zJ2REH4LES6*vx53Jg>!P@w>wvXLafCY^Y*-PRR36%YYEiF0al zvV=dfx@~*`CIi5}bNwx3c>AE~mzqc(8Xss2NGmIJpN#M#hh4jRvd$eUnggAC@ogZG zAgK#)2rWw(?SgGZ{Ii1PDl0F?e=ix*X@_y=JBGK!jUWm@>=`e0)1q91>ET8v;NBP+ z=WE7Akx!nK081)Llj&|~Y7*e(E#xD_M??VLBKz3T(Xj+PLzO-_D27oSSchs!XceKQ zhn<>l(*#TfZLO_2uQaLtu9}a}|Li`@G>DOQyn@nsqVFK)6+sdMY7g$bNaB$U(GNw9$y%|Wk#c@!!!gJ-g*WOfWGqadO5(pbYa&8kB(tU?m6fm@v_a&5U6PB$$G($e%lX`WgiK zP!HN@OFTkh4Z~PyO4*eDIa9`mDB85xg9!ydd7^s8niV(d5E`u#_tLn+;|GM{KK*NVL zw?H$s)L+{9I4VjW4+ZQ-ZWxe8vh1?tCS|NqNSy_udDg#Vwc)F;UrmU$dlW;kP0P#5 z96bFZB0BJB$ma$$Biw^e{SmxGR#bd$p`Qf(I?IP}2sK15($+a({TRQolZA!sUU|`i z=(4i1=8mxOow0KK`B?~jC-D&c!-!FEWniBp#Nt9h2^Bds z>r2!9WU1ca!}gQic|KlB8X6z)bn&^Rm2gym2=Rduh~A-m1WCwd+dL@b<<-?o1yyMN zfeX4KS9H&B2V{=oqT&Yq-+1G_NCwWldG}`@=>I(@sHt*0=v6VBz9|_vQ`;;SO%}Z( zSv^ln!%%>Ntum3};VEYYVH+EWIJTP%Pa|c_pYDYY*8_^JqDNdkgP39*1Frz}h7cUJ-$gzUvY<~OvpC#am6WrwNpE~IWTc3Xks zV3G+^J}^8}KY#9TD2C-2ivd?1@5VJ?Vz`>An#oM#Sld6uM!+2BvW@B%nE*7(!g)vh 
z^pDxB8$lt8GKv?$|NZ@%8{VV?*$2%3*q3j>`4_Xub!Q8~I(}ZLYudwuI5L#IV`+oM z#h5@~NyB%Ch9Xw*&lm8r?k?H!(cgo6j(5XE>u5oxj06NJi2=A|T>_>R}QFU8= z@@pyT+&#venAU|hu9S+WC#(*sC{N$o#)ixZ$yvxjo{8EN6llwIL*(QLHjB?OHhWl( z){Z^56eGK(N%y6x5^woUbX5n7zuU_Q@)%y{A3H=<(-^kW(OoNw&sIqJ2!mJ6ZQW;O zWp0qULQRE8V%xfOe`DW#m0fKU4&Tf+N3h{!e!H(C+VRA>qJx0Dj8W+p^a5uhTkIY^ zIUp#=01r6A1H!kYm>8VghU{^N$;`5#Bh19JA(Srt=UO zOm>SBPnGkAQWNe|l;AzS1Z}E)&9Zyk0PYNX+KRx*(2IGnR{gqcezOg~~ zR}L1h(oc=|7Z`jv7oo0D8f?AD1tt_y14vUhRi=iAZ}06y>FmoS2^ASm#*+z=J2;@I zVu_8wcHsDVFF$_@GB@L}oAUBiprUSO+g!aWjk`rj1w-q`Z}uobS~=6BGTdbq6~r%v zS4n4cAUwiB!XN=ZE_N?uH!#k{mlAG1N=_cc_QSBAnrY^!)%eTSLR&$J=S$F)bl zl(I~Etf6>g{u|GT<88JglQVW9g#f97STL3s(uoQ)lD)T;P+&Pv`xho-SBx-(&}1}A!JYjPC~NN8P+zvCN$ zt87S%W!b)c_O>3BZor?LMtkF>s_j^}to!1H6_8Qmv@gyMslI6Y@?{0~H&l8W{N%$N z+l4tfi*PHUB_K-l!BTe>?qd{-0Prz+h_^Qj+Xy*YTujWU#QrHtoX3y#)Qf`=ms@1N zyg<$QU3CQ!C+b}79?tL<1I#ZW%TE^Wz3IT_1I;wc2d*326`RfG=q!`W8j1jPxu!3( zvr!VL`2Ik$L)%kb^-wEq1L9N~pUK|hV3m}oDMPqzNI^5GkXs$Bo7Xq~IdsU5e0Hj*vBvWD1B8_w_mu`=M$1it ziV>NLlT}>RdAg76Ma9Zv$CqKSVsCQl#u$ic+{+iE#ka-nc z4smxfuw$ZU1fs-TboUW{{<|W_>B%-s&s?6zBL5{`lkKehBpYHwT-&9$LN_JR?nQ zp141I$kR-aYCxgEg?quh(6OPek=~-SPc67+GDm4DTPy~XpMjD;NETmnUIklS7HK1Q&J#TdT+A5RXIH)V}0Z)-cJCokXt(@%b{Jw z98!oiy5IL#-1ZgOK(CEvx1xxdjjcX1b_-dgA@^+oOI8#q-fJW`bLl0b59myv>>w~m zWP50m7dqjYld(vwU*o22Cs=`dx%!(K?J5RL#6S)qa$LY6K}x8^p&f1f}Vsjwi4b@L3@1) z0`uh>+L*U@&L+RPlbdxRe|?^tNSQKw^;cF3?dT8XoV`1LNK7q;B`vXcuRkwOkK?*c z>iFcA_uB5Ax}9d0_cpKV+C2g+HW$QIF3ZJjA3rkk!zVWJ(wN3SqgEI&kddB#p$S$9 z+pk6s9Tad7_i%}GN!fG9a8ht()ma6PTVli!m+ivhBC?JdY_mwsw=UBPgsQ;<3y~5m zwQ)Iv_jb&Gp^z~mq7SSv%g)TKIV09cmFT}G@WWiD5RJ_>0|}TAzZTnZ8Go{;xZ}N{ zgQje<@UskH0|@Ng(S+W*C1tgD8QB})jI^vQ=3?rFWM930{ZbPcVv~usaVMKkUEtqd ztf3_6&VT*-c#e{c27h~N>mk|L(P#~*sz8=o;dKla9BVCE{!d`5DcUTIp*Ul$KT$7{ zRQccr#lFGFj$O>m7i?@kIA7P>-|_COM&GQ6Bb5F`%(gW(aqW>LrX3K3q0`I;;|`YGE#{PdTehy z^3V_D&s_bjTLaNZIs{E!j-AXqf-uC$b+kUrx3{|+OfESgWEo`dmause7^u0i{s-c3 zdz1wbi;?XR@&miuySwlA8#y?LbuoDWY)1yan^OvWgj_sN0JM^a5XPkc2Fy$57z=8O 
zQBZICpKx~lL%x@aPn{4LTq3*4NJ3|1RTJerS`y{Cwr#79-j(|A^H(d6i@9!3~ z;<3|%39VBV7@^6;{Leu&G!TE`fnMMf-z~z!L$OhcREHvMpke|uMP_?0FmJ}3Q+m0k zV|&9J85kKCfkgMq{uAD4=*G2Xx*75&NQIwD%40GJGp0NO$H0&arrqKV_4QXENW~YI zfnXC+^4trKAW{9_4wx)}m)*AcJyJ){M||blvSX{hO-^KI#JkJ# zRd~}!fZERt3k{wyzt0+{Mw4t$hHJY;C%$npeyFK@Qvbxqdk?Q}J2baFo%Q^_7`aVX zuS@i4xyX!LoSMopNxl?#Z{ooCoX5ReJlh*1e_jFULNzAS5O(>&b@iSwetpS~V@)0& z0z-0|Dvf$|xlPXEgyctRyks(!?2xU$_c2!a=~)#0xeb$ey5R3_Z`D=)IKF`N0QP}} zgIE2p2%@9F>dagp)OX*i}av6g-N_9Fm|uzwBKwg77N4W>!KgrfQb=Szcv7}wj& zVFgDuYCycffy3>7>lVWw?8RDpZTY%t2?`}aEsN6{~iKoo!&#Lv%9l0@C)(pPaC-}~)p@V#0I$9f>SgpsQs z_yhf8GHeWRwf6oto3|a~PAljc@;U$$p_zkX42ZgRh8{}*h7!ld#R2Vd29%9X^t*21 zJ{mDN-e0`Jc)03(!qz=fAtIEO=vh$9p^XOD0jpJCj=4Nq`s%kM!1>YApt67r7H_pX zHL*^)iTPlOJG0Bp|EmQERrnj&H8-=V)0{6lPcz~0CEFuMi$DYPgjUx#bPdgo-J$1b8F;bp9{47lTrPa$H*Nz)3nOde@?HL!bJwEEiZy>SuUYjSYEC!-+OT>ZW3{NMyP zGl&?!u%2V$;tOy*))-(%eye}ekFIp~)F*(IfbUZ>GR_+sK7l0#QAa|n%4=gC{E2mK z(bK2Z=#>(i?<#PUmX~j8(UAvLVd5{5*8fB_9wPvDXD6r4b|Svjkl0>`<@?mp@f&jn ziG4?*$^-tB(u7!A2`}|PqF@q~W8nHw=HbqRIV6Kb)EQ#I{=nCOd5A0rLZKKA3i{z_ zJ_>{ia9Q^?G@pouGdsZ5U_Seu5wV&LOTe!{aDtET{Ri4_7%VnXQX$CzSwXAD)z4CR zJ%~#lgDq*CjzSPh9z=MZ2Ud9`GUB_B<4*YbW^cQNfZ5(V0`nOrzvO0%7!?Y_GGHnp zCRX!qus1m)1B}EpFk8a_6!JLv{!gyadKZ!Fwk_na_wk>&BxyQEKNfmMzhs8hG(Hv@ zN&bY6b8FIlPc!pYv=<+C+qIevS7oHZIwBCNVDi;{k*l-MbkIPRGUciHm=v+GDq*x- z$a>cEp3<$*C6|xioN0W(1%FLo)oIsrpLhIFS9m`zllX!$S}ozy)ay1Es!;B@&t`=C z(ZDV(-r^Z>x&ymndmZ0s3A!gvgi$NyBNfx$7a18s0s>$h@g_lF>T9rt6p;tIVTCoL z#kL$Ef3N;3`N|dygR2i3S$;%(hrI*k_Ld@a>YYF!iZA;@sE5v_TPbu6<`VKqLy~qq z&OD-+&FxVXOQo2=yLSIK@(v(Alyot+zMCnkJ3C$4k`z%(p!3$(v-vUJ2=pGV`XP1T z`H-yNPn3>qM=6v0LKdI}B0=}s%PBryUQ3up$MS(nLs`&X3n=PL)$Ei@$+(NTYb1u{Vgml zy^DgcAA{mL-@m6jAaw8`wA^%ZoTc87q|7Wg!`k#Pu@0YA|KY=n=e@(Vw|l7+LxA5F zg-#NjcG#cd$s5SrOyHLB3s2bM{Oj#=DwTb1+zh*4cb(6vO3|`g+MALZ6%;vC!4~i!YMFM`EM9@xPl-34 zi~Vr(*OQtCe53}6uEAl$6NlZp-fOjAiyX0hVG_gJ zp<8$BacC1m(&xj%^pIFcBMa6dTM3wm9E^wL(sIDwc$ zkJ*QH?4Xjqx7Q_I<-vaZI+xR7Ak0S3^@m(&0jcT@Yd#OdO7(@@z@tCNW3R}@z*S+C 
z!|d!)h$jQ{#T5uX*f*%yf$J!!gfqY{7Mo!F5m;gMa&m*@-am8QexuWut8e zViurg{_`KB&r(vhv$6dc7u81aQ^d1u2|mqG}RE5OH#SwP^?#@cDuW-9f_s;qJ@8a zEVkNktGMS+W9wZp@cw7F)rd}b3T=i+vho97|AWJNBj-M!(-CrL|8V?<7DL}uzT%nh zqXk(`{C_@|=PrM|ewxo&h4ramR*v2v9?W*PaXdcz&U3^zr+&`S4&{iwiwPizomVi8b)TvZ-_Ct*4!;Hs? zzHI%hm5FZGZ>qL-nDor}3RO@)C5-JM3uEu@XJ=z8vY-b~Nj7D?8zQxLbRZF4cXBEO zW#6lgvc=~7*_lf=vbuOgGmSY&d0pAYUG=tz6OX6(H*sLDA)+Jz=^^UiOOU$&#hMw4 z`ADlCC4627jd^o#MpDuYc{Viu!a0*Cb!2aevWm(t6uXcdV9x`L!G?#`{cXZd@|b9^ zkUMv(VG)b@<6|kdD={lgq&;LVIXgShT;$Lp^1w7yC_vTFDg!oKB6CY55>5z=ZV16s zNWWxt@0n|WJdE}9YOk*X)gnEc0$&Z`J(M|JT}$YVNW5gc8RBWV-d_EGJzD~-4)9$) zdQ_O3JFr52DG0!}89v+^m{#&kwe?_o2zD_6Y<3qZ=lOGguLK1nBR9BvNOXwXq)`HZ zy&1|@<3N$;OsC&a3lo@+BFHuV7v$K)?@>PG^`(5;@Lq7^sN*?#TiNvpTAJ!_PM-nF zc4r6WKAxCOapI&}~UZ?qiDBD4yNQPy3_x)m_$C|(Hvl#4ox*~s1hONtU z;*^F!eMvY9=qZwnT;bi8;{Fx8huSNJI5BWYqcn3b?p=3zA)UHm{gH`sowbb zL@IIsY6bZJB>>{T{OCw==fagMMQEb%G(h&-0BbclSq8BqhDmg1f}+?Ebi4=1xjIKh zNy+9*A#Lnf{*JaiohTtkG=g8IrWS$dE-8^(FSSM;kGd2Sn*tBPS;0%57w)+=07n`} z7s$annDvtS{#i`QR8gr15s4AYhp&AW6rZLJRH0{JP+C<}R_22=#lRp*)Cqp_UmX*p zyN()1F1mb&vobmu*0WX65NNvaUZs~&QC(0hph}gw-YE=LyshnQk+C8=@3kXk*bm~X zM1XhS(PT-F(kL@q{_DYVady7kOM}-Qid&ymQ)|Go%*5BB?3#o*t0PmN^nC-sClCPA zHCDPUoQr$8xV--L6k@NCsUe_am^4pLw3yz~|NEwsljVdWN-YrP-_`Mb>@ib+-Mr$w z$%a$+WD3Da5(I1JbOX+{nD8~<-cinR-O!@9<1z&czy6z+COQ1s_IfF zXJl9<>_h_8SnSscLOjZn7Uj<$GKeQ$V>)JW3x;5 z*WX-R@y(UJ7@zUIs)vcQ{P%a$b3WqVwKiXFH1XMn%tw9qM(N^s(8j}k8f;m~l@8;t zx3brBbtD(r_*BNEe)&}95c7y7r>}qhry=gl`o!Dx5BG*NRc89R=`SwV-q75yrOZ4$ zGc(oVHaTRqiTSdu%cQ-70~A}=)p=OK)M37&_zz=9B@+_*y1N@L9A@4ODHGg#1KR~_ zS24#IYzIor7E3W`A<*;~eS0S1aP#Iad=8M6hY|2h5my&&QDWE(#Y^vCWv#8R2jzPZ zy36!*H9RE{ov6rx3S&cK4glsTD8Fsj+piB28W74GC4011$UzmTrEnhb6WUZ9vaecO zLyK<+$^wio%oUFxvlhydKoTLWndDp2`f&SFZ6&iUun&Q@+>)sDSc4z1(gpkw6mNi% zC@R(Mp>#mX#=B+)Q0m40k%@z-1N&>aUoH2qd8ziyZc7` zNv%wdFGPn|lrYq)^;zv`H9e$_>8zz&gI$lD|M017ZpV_Oe~_$j!x8aPdAjveueZf7 z=e}4UC8xPAFWNW5{zl+4B-;R6)AFc9ig{v3l|p`gnFp#Mn*?tpFH^h 
zg~YyJ@o-`cgeiqplSwBh8WC$o>Jz7^s859c&X}~)>iD!WSCufSACjEeAehyZAt4%@ zzu&RaVAxXs3VSE({LiDV?b;~}_by~DRm%0vImzejqPZ4xZNu{>X}wsWmpZ32MEC9c zag7!EjBWoko-0W$kksj15{n(^aTE?{uq*r$T>ldVzWD*iXKFfBr`;BfIt^R6)~XU; zxgA>bqYGo$uu@F3{&BhRV;et}M|=D0G5HURR`*<_vPX0i8!Zwv%bb3C?CgCjd45OF zs(Jh)wP4yk<2lOu@7`Y)stTg1d(|InyWGQ6rBfYr*y&o49Kl<@`p7d^C|v4b!G)w? zXebS=IC20kRPQK_5Ky$W@g_^WTZ%r`Hf(zi!%+O))6W;t{~_UxT|?>xn}m`jA|}QN z7(2Q(pp0m>Xh{kR1u}vbL9jJ4ZQa`3)I=UKj+#_gM+f45sVs~)hk6RC0}KVh%Yi^< zjQD}>hr*E#C{%E;owc<+W_Y=}!c92lJ^fL8Mp79D9tnM64h)w^#KRL~+Q^B8CKDkJ z3{4*WP^;#2{{H+8w;DOCoIT2sjTRDOF}WNUW|wKrB-wx6>={e4efaVh z@%H1^t&cuDu#+{XGWp}w+j>*Fi$Pk0ZDL`S9*_8X%(c7|J9do(QW_*TPS0#O7|I;; z-Y5{C`=bvdK(*8G=-dkk2-;5ZQ#loIy&X!u!1>x!^J|cR^lXJhg!ZiS^6S724Vv1p zeSdC@1deR_Q2(uSaR1XW%Ehlb8#g@M+LU;@sR`EXC}`=Kn3m?}L80#LRfiYR=h;+b zSlAb^8aaD**PM8+L(Qlm6_Yg%a|w+r~`)dI80Q1`t%}ovGylzK~~uFE*78g8)#4K?(Ln=ffjiCu3fj0 zZE;efq8xYCzKuXj7ZA`0>WeIgyin#sC}Rf0Wd9e45eSUEa zAUSTj#TNhLysc@vg%iK>+*xh!9QhqVDrb+SUSW_V9eo!sekwDk$kyDp7vGG!e=}bc z@!65_RWr`k7ay+lw$MS3gzLFFbwBF!KOE;M zkC;Cf@Os6ro>JYpAnwPnAT|Cqxze(X)SeaCU-YY#>65#-X>@wdItv}OsGM>tlHuT* zuJ;Vnd+@b>(*YHZt;*+KyO$nsa(_Mi%gyPxbG7^0+mjF7TRneIp9b8(aedB{)kSwe z?(~A@clXKu54|=%c@F2?Jh=$mQs>TfA>Dut7dUoo4H%M>O#JnunEDR%8&hn_XfNE| zZbvpLkmpAZ7Uy5{{B(=XKOed*^2@l;AffX|mNUuP7N7+6D+(4=3`k=1$H$oooYV(T z@$NB+fCk~7eM|9xg5Y=jKSnO9lQYU(j`SYCbq>GbPYFQn}BW@b}ojxWx< zv-hngne&-(iA?0)+~j|>4sqrB(0YB9k^+t6i`P*L>+z(G(U|9_bYO^5-7Qnq;9fqp zT}{jn|I6~L)vCVAm18AKzeUSl@T3qeKHn(1cjQsT z@4S&OsWNNoMZ4LqIqdJh-h_E7`%ew6WZ77J`eVL1scE;vH7xy&#&eqqPNJA{6@RAy zqx7Vumw{b^%mcB6-T}BN@-GycNDehO_z4YQ1#&M}TR8$vOC;Bux92g|2;SO|=;(md z^3d>bT>}H;-J-(6$5D3G(K`vI>?UCZ2J+JSssAPGC>Zw8C{w!}Ii+bZ5@eOmQ2P5w zz-9flvO`C^+;(rgH`3cGlBse?za12hHSMN)&0h z0<52M-YObg4hp{z{&lf^JaBz~LDpR6?yS7muAHye+hW@dU%_Exxi0HJ{qEBtj=j_M z2JY#(0OBbxc&o_)Xh#1JdvE;})%%4F zqaY>Hf`Wty0#ee_f^N;e2Y*St4=zR$DP`^)0V zgmxKPG5?zQy6l%%oGXyGcCykxQrhb+IjlQs5fF)7+6xQcg{_7%6LndFb*<<1Enln@ 
z8P1D9YhKdWPDdTE|!HdY|F6|KK}$9g`T0NJj5C8DCN@=DDBo68L<6cVl1WXV=h-9UK%pq6A2|UFYZp@pXUnZQuiK*sh z*KwTwuIEeL8?mS}7Y)uH*B4t-?^yadhy)bd)8$$N<2c_F-FuWj@r(!(C%@#m(HnZm z*XDkh;sQt#5S#|;4#4>UC@6fV+d25!6!YWWFDkUJ|2a-V4~`Q8@SF0HE=ENWvn#?i zi?XK;2DTZ3j8{-D4LpYi@+!l=!vzM%{EQ6?tW{v}ErHWGN3J~`$tE|pl~;|$c|Y*p z>jyRMjPPhGnZ9`L(P!$X%Xzt z9-d=6s7<7KL->iRMasGt3v+&Tyrs=Ime<|8sI2zj@%#=ab^6+MjIdkcy$1$OD>*a$ z2KRN_>2yqsS&jg-o3T0#?UOyYSI1<)4_YoZvI_`g$mZ!ZI+}sT6qe5)64Z=9YJbEt zFgxH8$o>3}CqfkR78^KmJi6a=iA_A>585=JPs7I;U4EZ7M;8ly;S;FA*7QR9?5 zT8w+aNEFUwIh89Yt^6_FyfKcCZ z4Orlhki4}#;?f#alwm3T*+E9Y{@zpOX3F6k$%YP#E4f~%+SzR`+ zB7$((Cdy%Ecw~;wTs=GT-ZbLC@;e8NxYJ7&F>EBe9sZ9Zq7B8Zj|IOI@5o~i82Ai@ zS)*&H1pxaXXTN6iQ!FRpZr>3->b4H5@y5s#0MmT)jQ;!HCC{F^sHKZ6vQzDELcT4W zQH8O>XN)D)bBs2}bK3L42VJt(*F$|0vba1qT*rJ5Zl|n0$<~*PVwaX8trBOd689qt zDwT>0S?m@AUYN6iDUZC+QD*=D`){VGF0{+2)ngMOI3!85|aobm^cc?PH zP=IRhAs-ZoeeKW{cE!ijN%k^$=OP(PC|Otly#xgnSw1-t> zSi^?Nq09kQhZs{BO+C`+YmOt#Og9cLuNW5KX1xL5RN?LSb$PO~U|q_8F1fCSA9)@@ z7TEDc?lyGpHvnM@e94Op_*F)`Za$I`h%yORUc$2x(ltI%xjFMZp7}qy0EMy=wknSi z&=@f@xx7%1KYb(XK7|=Y`SId&8LL7qew%1?rbb1R9?}}Kz{1#2wyy(jt_gbSPRlF z9xMIzUc6skUWOl-CSM@Ggsq+vcm@twn8w6Ve%fNMbTy)X@+qSx8&<9oU*4A7&r5b>Cv&-}jVxI-Tu}@y<6K7Qrua>XPQ+ z%T@6D*H&k@WH+YOb~pn5NP-JQuH~a-LN=opLsi}?JmY`!CYRkECI?_P>*#+M=iw*T zuwDo2+Iq4Moaq@DnMcw=-K9`B-PkQQi+6_H0oID&N~3r41=+~@(UrnR#rDA1ZS{SN zchTKW>%zhE;@ws#1UY4d|IZ7|aY{j`WCew0THi3u`y_Q$oCG9ED%Ntpk%~*tWXqvbgg!6W z>900xL)cpDJv+LG-N6kBT@0=62duomb94rfM-ClKqa5-PS-o-$Q}e8aJFJtPY|5L0 zq9bzcTQB(X?a=b=?Uq2s`9lvm_}?IbFXy6#!5@}HAdl*P&DM+c`ayFp zW65b1ei3#xJ%8V#H?0PBEs`wO#r(t{N!Cf7hjtywf-9p2xr706<2U)&q<`@IEH=)~isfr;~XL1&V!o zoo8K7^Rc6YR>HUQ;i(p1`foA^0lf_(6Z)F>Od`tL0d_+@$FDh>JsxK!;C6n)>f{az z3@Bqk-W_Ppd;_S+LE1Ql0uL}957a8+9XUTj_=pN_M|Vs`+!Rxe>lXVlWo`=M1^jpk zYo1}T%BE-Qm_>Q##@^+2GkK(l3#JXW9m-Y^yCu8Z7BjE8-qV4*gE7j@DFApzJ?tl; zUq@f5U_N{gc}OnP#nNr{+HG2&ha(aG(E3*4A|z7#Z#%{YD5o`2i*W@8wVauL0NpenJ&A{jae4 z-_O{-qyO4S{r5+5r2qFxg#NV%`tNUFvHdsy_Z1KSz5f4C_px+yBJ^!=wVr37*xxdgIAG$n0v?%E>bzc2a5?DLfgA2gKq`Am+Del-~G%88Ef 
zXXimo$#J46H%?r?SeMPOIY62Pqr+T4cNy>^=Xd2z|MD(sAO}53i7`g9E6cSG6+t&( zP45Qk6 zNG#|6TZ8fMKv<^AJLv-M0BNG5KyVb>!%?e)2gjI^GBdAAT{-`$H$rrz0we27r*}EL zOV1u5sBt~0Ul;Vx@5|ryM*Ny5SG<`YX>if~g?zx+MKor@e_H(uU06Zsy*RQjn1G6b z+~+oI^AlR=zzU6TbwWUpd-9-c$AVBt7kK&PVX7Ho=4bK*$qkm^FK?B9{}lSU{_pDK z$dYpxwKL||oFE?7k<)vyk?I`D*G#|r{=nP@=075QeU1tg`s1tbl#^que@YEVVZ*k#3C{=TfcusXDvu$)PpJ!T<{#fZiqr1EmXk?Qrr_H zUvs{6k_@0HJ^0s?>+3o;Ms&9E04P(;%Kz46s32h`$PpQI46ZvAKvM+WhG$`6k+KB_ z!&@*|NuByGVBb084j)JOTpUqlfbuZP+%>Ly##{`hQ0I zraD%LI=V+%}#kCj4T-!6YOs6s3fpv)@A`m?L- zze_HE-1ieV=Sz(e6&l8%A5mnj^ zJ1fvF54?)iXo;S?jP3lpwD%9X5uZ9h!ZG+I=lf7I!@om5D&emf4W(HRK0!w)|KA~W zxAwokdF%aK5d?j4+5~&TMN+2jh7*AJ{&!I#UoZ=V|7WPA0!Ow6e&RYu<(k!@_<@rU zAUr(v@hlo{@#uYujNX_5$}0Z<8pV;n!+GP>%AV%Nb!=| zY|1>+H(1~uTble71V5nS3CYr!<0;{QG!x?@(%GYc#r!C=f}^)Zg8!gM0oXm@lEK52 zqLjGXU&Qj{_cn6tg9TmmHgPdK)NPLCSk#G7jA@p&rJ7HG--XsGxIAo2lq_M3;8y>$ z^>pYmiu@TFs(nPPwg`HSvi_BO}SbeI&PqX%9(_kcJ(^xLllLMMlV}6|>2N z`U^#=#im7Re@__F@pYH1m=o;GHb^L2?(2WAtXlFsShxZZ(m-%%>bstS+kaSkN@n}@ zM@C1Pi`msCVY$CuIZcQ>3L^5v*JxRg%!pknM4D4zN`Ellu*j*YNSh9~GE~jtcIJ_g zzP#CAoortj`*v0rtP!Vhyjq1)#R@gJv}axr++teZCw{TNyHmxJIzqaD*MwY(-;@iH%lln?_8ijhqV{O3Z zw^5~9i+-^)whZ*sn>T|85r<1N)$~^+-tVtth(BF4#gzT^RBv4EKI>UtNXm=_v(^(u zV;Zb}bFr*cXf&&Y$aXajng>fVNip}IZCvXoeI`13ke`p$|JDr8ejUV%IBBIUnu#l4 zth*w*-FaUg!u>3d1VU9jX_to7E5z+t9&1Zva)Eic%SlHm5tVlS?$*&?yRhSUb?X(Z_9`3sZBC=tR-M;SA2MJFF>X_M=h8}?(nwzot=5jrItjCqpP%lK`1as@??zS)iM3($;Xovf(M9W1m1uT^)pb&$Z#(&xGX=qc z`m1x#?p-hd05W@o^}cReDYisg`CURE#x=e#d9(I1wFy(LlVk6C07aJ}N_Y}=eW-Qa zmKo+yq`-^2MV(sUsxa%qki3uDG!C6-?++)}FLNm*PUJsTO>ZqXn(=KWXd*Rr&Q6V4 zrI&yB!k9542d)0{R!WLpDLx@zx!<*paX5L<3VwI8d_Hrtw)nl zza_HPO^8}vCz2Hh`!s^Q(4p2`klyOk>La-6tSvh=_6gE(A(<0B(qe14z>7mEp;*X# zov;?thsh!*jPLC24(rbqobDGNRBx+i|B_VTVWAloy2BJOe?g|*;+C+3K38Mq(3}z@ z4K{|O=_#OXx|v3U;2S)2 zypzt%V6-5Yu2s?s*IPx#50_OJ^H|E;GReXMUVd_|8pLFEuh}xF>*gI!1_OrETh(h{ zOYB}B+h`9;@S<5hWbD8eevSBe2yss8BC|GKXD~aN2bOmI~PXH zCuWmgjtQ*Xb{nFIV0`vOH(>8ca)+(GCUgn^Ix;Vx3&J?z(I=80>IwaZLcf{-4CwrM2>zw3LVicPG@63!ibJM&@v 
zzph>J_RvP5H7wAi!rZB9FLFAJO5Sw%R!_{^vec5l4X)ZNVAt^WqEfP8p(>l3iCU`Q zJ06mtyppHG-XyV0s$6Y@-Bx?!WRam96a`XnA=*S`$&dCZqb(=j+~&$T7?kRxB)=tf zR=BFIOU;8vXnleVuDiDUDtDiq`-3GM0oQP=H?d<$Vk@-@ zraJc&$sl_c8CFr}P?eDV5nJ_?=NoY&vp&l;|I0Xvx#)?AFTy+zW%E4S)OrA) zeNP_DXx5uvVpAKnJAJ#p(o1&gcfQp^t?%OOr7F+quC_DH@Fe0C8X%CfV>x~Ug5EbKcUmil z&-m6E4;km9g@d_3B4}In@hq8EauYfV~FC(+FWUXpxg|7t*YvVk%_T!qVd%o z38&ocZA;`#vJ_5C6tKdpp8z=hzD;9+;u1wIe;g;pBCv9T{ldOe$id>qzO`{=%f{4N znfCc6+TLZC|D-V%vIOwpaDxpM`heU?7xZjcjwt8`v3DDOc3%BqmfV1Imy)$JDrPvb z=ijk$uS0W9g3mmjO1u9Tf0sGPiIm2OqJ*UZ{>MQfZeg_9Vu5vUGdQQUfa>$BYBj4h z;{pH4UD(wVk5+L?+)$D3CvG|2PmZm1Z;gx++036S68Ha@9%7la)z~$Z9-NAHC#u$L zv|4e5YR>)T{p#K)gxf9x%-R|?qkSI?j$Jtinx>_dAgmmb`Fn!?V@ zav#ST$zTSFf0WV}0xX|Wc&x`sYZjT=uou1E%TI)Nn5z-W)TpZk&)664%ST?%=ZENM z>c4^hD7MNdCRs=K_CpKEqA41(=8(hmZBQ|@! zB4(zB)g{@XS_|4*&!>Ul{_=f5-r|mIFFBGGzE>_#B^pS5j~>$c+1Z4opVLybwUDz% z8achC^Ks#OMiZ{NOeIXZhXW_q%-zyM=yd|^DqHC++)z~%-a3=7K_Brc1l%7*=O-9` z$yU#aYBY0Dw1G{B6$Ib=}~Hmx)sOyxuP;zCmzO45H%}R z@KZ+6r#D@{aL>Y+aM8!V)ftITk9i$-MaEm)=C$?c2GXKu)qOIO36Pn52fPdc0WA`9 zMCQ`BzJ~HG(ux3|9R{hU8w z)}+T5v0yh3cfYP^w2s`m!^=Yn6b16FnIVvyA|^RMy1=bhLGXNiNSkfJyh_u`IrDSA z+}JQb-P;uQfvogXg};<+)P8m^`kF>b*p$1(VYjLKNp)##86-oe5vgtV*)=UiS?f9k1a6 zDi1Wvpglz|2S&sK&m8j1qnlDi8aaypXbLC%iWZVn`*P`VUz*-pJA4>lJNzq#NtraV z&Tetnv#GYH2~alWx|aorpvk_5Z>oi>p=CT?TWWFGNwiS5V1oI3Fs}YephN)M)aod? 
zT#ZDQko6`@zHDGupZVHAw$&Dp&558a}n?#*NU)oX?;o|K_W-Tea*}7x9kLId}SW!Urf(rW)pPnLvoZQU8O$~#U765t+Z~-@7ZF#}N(vlR#aEDt10MCQb zfF(lcn#9G(k><=n5AgjHBiJRq-I?Cge7o?v!7>@cg}_Jm?{x`;-6?!u*QB%<1DgBH zqCe#6mPa~T=o!=@;RYpehQ00x)MoTEq)e3+(VL9-ZC`otZ}!k9(aS&y%a$57VKn+J zZXNCbd)~KacHVUA+oc%T8*>y5@tY7cF4qq&07la}kClS$!nK(!jk}jbvTu8b_;R+4 z-{UaJQ&I7qwX#mIYm_?7Z_Yhq`N$rt+``hiwbNrNWUD`?mRg;`Xz_XZ`%lRrc0-IzK1j##iZ5rydtT0&&t|txx#2|-{uhkiSXQ z^f;jb9U&*t-~5D16v|<0EJ%;}B?8k8FKUO3s2seX$qwwD)i^tbheb5;X#?IiL1M$c zfnP*X={x5LVoX*(;0>lCtWy>lanZw(L5VmlZN?2Js4u$F6P`Jbht4ch&~sY-Gb8=>Wzi(dw?}hzAlkV{9v?B;QuJNhR)$)NpOTXafV zrb1wv$u-xTAwsQh9_DpOiXr~wp!5e=`7q=(`7$Z?T^X~Uq^v6-Xs1_nEqAQLTgDZ0 zOxi8Vn$xbfN5dV>sRhJ?4StE$ho@Hqo~ifGbMH2&0wB&x4g*!O1REo#l%X?YNP^$E zYRg*`uAl&^M82jZeLPoFkdiU_XjtzN0u(t6QhznAE2S_7dXFN;mXi6 zH9Q@>D(cLRamdHS2fwKmC2F(IMKJ*Ohc@eD@rb^Ls+f%VRiT+9`1!P-FSyjVuE8(a^M3T>W|AnkxBEG63U)zk|EC-0Sp3Zx%E^T}ulxRIk-bvb!dg%RYjNOM z1%eIA7^8CNkX*t%J~E2-uzjYsAq0{zy#=}Gl$-71rRzK$Y}G0dZRy=>(b4o?8%9jd z^=sEvloE5AocoI+8@L%t8r{~?xO*E%4DBKC`KW8_YG~`~ufBfl3VMRDKR1dq>IRW` z@Y$W~gKri~8!SnJ8A9?C+x1C{-2_E)+kb{j6YCRQLF5&$sR5S39$zG7JZ-R-;p6o&b(P z1KF#1`%0SFRjrrO+`j-f;9!dHEgSsLdeTyBdqM;$ed2gzO?{_fu;ckDiNMv%o2tr^ z#&^_o1~0Vf_s}EzKthVgB8`dcbIH9J?BIKY=(~CT;YBp&GaZ!_FXJykW3c z@fm-^u`w3b)PI?+XaWpggGD7P6zgy{D&Aa|poL!tx^{kpwKs?d+#T^~?)$#khqE(; z@ZvSuZTUW)?YDa(Dga?NFpM#I_5gX@aqvWNcxp6(qk_px8Uh59+w?%L2MPx z8C&}r$p*W--T4diq!C*WeTpH|#9HPz25Tg8i~+;%b5vrVI~?(O-iNq#bS!AM6rRrd zK@!I)SPC4sreqA(@E8u#kOXIPmAS|dMpQ;-I9 zy-o-ks^7EyKpR4UN}%|`m&dJa=umAG;~9Sje41MJ;+a3=95(7@!>sy_nP{8>pt_Xb zZ3NJ9-XJ57=rp`02u)11EObaHUG`QR(RxD=8jBv#xq^Y@H)w=+hxo~gWD!a56?}bv zy7iRk;;HjkP@jV9#Ha@l&-3}#;(A+PY6ku`mOuVM9cFO_>FAe2w^=GlDp$)}5`j88 zScm~jv4Yr?;Oz?{asOgg2x?cR`X>_u8^?pJY>}vvwU%G%OnM0p)$^4oX3J~!?~;|n zBj@>>Y$wT3KjS;CPBfHx?l_T{_zIUzPhZx@HIz)}c&yYAcFV~MhdzaID3{!=4|exj zkw~X)uVr|gPwkbxH~6kO$8BR@3e7;1hz1yl`V)-$>SO|EmbC1mKc?N3Rs+n{)Ba-& z@?$YD0s}P$I;ZiFD%|dpc`nFUs4D<)Vhz|NEL|{^bHv)8ZEq>cv-v6mkqUhpK{_{Z 
z_g*6U)k|Wmmh0HyPoAlQ*JJqJa_qZUhl>>exqIK9styu`Ys6)wFvLmnl9tWtle{Fs zvJG^d-;XFw=YNY{J=>Xe+nibqB!88l6bJRPJHQRR!D8nP>limG9P+vvj_yq<#o8?m zgz@|)L-p{u=1obYiwp6C)DmuNom_c@WNBH~4ID7bsqyncf<48*DlVr!ABxyKc4bM5 zEwCSuhQ7lM*7mwj62ao~7j|%kAL`s+BWXs#hyBD3()eyJEHi48M_+x&obuSjHGJZ? z4k7cL6ZkMlziDX13$e8c;jpB93+Y-cD#_qrYjdj$Oi6qi;Hx!XSTv==vYe5 z8~ct%jU5MW#yb_M0*}j_?VCtefe|;wPt(bubJ-rKM@cEhM#q6UaktYqj{G3&} zrAy886S&-y^o+klU5kZY%drwATI2w?sh;+I(XpMToQ`So(3ypbQEr~y5uf)JGNh@v z{wqZC2xQ;!JNTsOSJMb^t|m25XZXG>Odib8PUzTzCE=uj)|+#+Zio;<35AwBL_SYM zf)p(p>}@C7{jVSVw0o`Nla1fDf{n%S9_Z|bN89NKliVf7 zfg`xlkt*5us}@Y2wkLzXP4iRwEh}0tR`MEVlbY&O#a`7`t!X1w{cs-wXv+`}1|aEH z`YfRxn_DwK#}pYcX9_jFyB4~OpHC)^H6MDg+U+&nh#hf;`6z3ZaJfwkIcm6ZWr$F0 zkVNt2oey5#h@F%K{`2)#kJBVInP<=B5KsM?L+$p_)_}#_G22(g7LoV+^ahKRoujUn zbvc|(CWF^O@NJwl2@w|Xb)PkLp3=>H=}WYGy%VAH$?+xOUsNH+ zgqNq>*@Aho17^wT<#RoQc=#eEnk|xD1&k!9NV5rRts%X85b#OHrJ{l&fF_5f69#^= z$(%mJU_oPoHSSHTNL!hBSrgzT%kezR9XQ}}x#D)v%=~_Yc4Pp&KN1qos!(d#w1fd0 z!<-ah3O#b{{lf#38)TI@0y`!w6Wf6}`bOTTgv7~W6XHPUuNr2dvUYt8D=lExNy2pq zR4ACKv0`PVT-Z2wym*Gs>o%O^j4g;=BZt0i!M@8G!N*ynQ8d4%msf36?c^xtzd3ef znj>^>I4Y2-Ldz*#_l%M~T;ptmQ@g==Z)q`E%rZe6pu7<;CtfCMi{ALc{Xw_5@y(|M zut{!iYh!p=6^pbYo@Bli6_3~5SOGH(sVPvi4qZ2W6t748d;0rLDOx&KJ~~!UfH45cjjy;Jmb(*U!sxX| zm$9Xt4aoUmjQ<{~rPmNfU~;2R=g$5CS^vn8eo+Q%4ND?1Zm`CDiB>ButWTOFx%Cc>cib*+_Td$|UgEldi`F?d{7d$Yj~NC~)w)9Lj_e zwZ1A+h!&+mM9UmyPi^Ytw9)vXn3c06mOsiJ_Hxa(IGa4~WV_-}fF&m_i-aJP-bHMZ zK2hFNdDEsD1>j0LiRP42{BolvbabKrt|7|F3!U&zZlDI5Q5iZ36pg&dxz6KPHR%Td#<9 zW~#lO)iL?V$7b9B((xsilX!h4%lPcDU$U4UG(xN1K1MS!=e@xGu0cpvuO%ZG)PVMunt$bBhGRyw`WB08qZ0q2}tM%V4h@bYY za`Y?1?xlHt_n=L|Dp~XR^;G2qQc%mi$Ju0D9M5byL%qZtn!e@6_xr>N=S{xitG>8s zJ>KwxxY+JJzIcYw3TyAnXuEmMnUWsTyH?>Ha=(K)_#oA%JF_nQANpjLkpqRE@PY1FW4!np3vI5}v>NLBo5+0@LQWvCmd$@NbYx4AbNQhu)qz-F( zF%NW&h$WZ07?>eNDdLnwCNsI2>eEJiYZ0FF4A2Wp+~eQSb2>6kBtx-JRoBRYiB$#P zU=p>IzdevOYpPvXV%%89FgSBfq?}lBaN+9r)zeQLSZAMT;gR^XkS3+svShua)d-g? 
z;4L?~0fOp|g529nEgsFb?eucTEQFTTHjs}s5;SK~oxV(@)zPl8W@k;jmR~cdMKwzv zv(>$b_=du*W$pacJ4D4ml9d#4U*5ZRutQuvx6jKjz&B(n$ttP@*;;kLbLVwUs6@s?B7J?U@*p$4B_jNo)-NjNf9H#S*qEh2ig=m>Z`_wG;RiTDT9&(q}43pG&$oF98w_DqD7upLsQ2Ge2lmA+DtKeijk`POlQR zot*1E+rsSPMR{xA9;{-|jduxXXW^7`&-uomovu^=gZYMMk!zg}$ z?*xaKymT4{rV`~$nokcn8R!lBE^YS&5LBi{YU#44S}}z4>E#EL#D@#sr}-6Js|@%X zTcmS!irFeS19XeAlDtXV5BX&k?7&&a_~)#j*!6nyXdQloi1qX&5)&!UxGBl1h%W!a zjxk;;ajSOgoHNTvrR+;_v9Mk$(IZfn+*tWL=DSeg@AL5wAd5MROJ=GJp4QzX%RseK zfAc3-F78XvYtFLjduocgI8AE2#bWq9#F$v>bs-IK;S^`hD4UG@1VECFF1-Y0BQ96& zH1W}rluQB_gA<8y#Njng&a4KzMl7@!jxG^^*Fs@`wTcuvqV*a0LAu^%VxRv(eV{SS`Rl{J(! zzKo774q)&eZSUHB&?=w>0_LZW&)H9@Fhjm3lj0TLkZfeWTUQSPV%D#?lwRx;@K%PHk zT|8{N-8LDF8XsL~G=Z?Q7EYLs5}!66Q|J7WOK;GvimD;N6HKz0hMsFogAQ97ryv%lP<rr;i%Or)He#vJz^5m{9LyP?8P1tF#s*V>PU zNnL#Vq=5rH^Axr^XC)go%`b^eF%k?a^9PWc&NrF++GS8#5>sApg3@P#pkISmC^mT8rEIUZcA zbI$Ii^tpoyRI`Fi$z$gr=*IcrmM}Lbk7C~BdkK9Dv1t$noNsB-$jCC{Eayp0TWpCW zBE`ZC%Hk%Cba923ek&|yJs{^edn<7QTw9X4rcTq*8$_S$p7;Sy>#EL;F!x2^Y@+$9 zwG{fJ4bg@amRKx+oC{OGd>1yCFKyk%TPoRsaVzI{K~CY3bOTZxB{~e~Z5@8SYan+; zLtf>}@`U{vphnPbj`kb8ZuoCFd%CrIS^06?#(K`EnbiyBN4y+xk>oX$Y|CmRl8#ok zj=X+hFbG1Aa`eg^YBZn zok@J%7lp(Tt+2j}mD@>P^AFxvJ<=B-2C_ZF*5a~b))SrO8{OgI$8Xfw`)Clb=u#7S z1gJ>-O|Br5Q|#FgZbf}_b$(?tB`crR+(?y;?)L*bYSb)pCX-zbFrqi{Apz-^q96_S z`%E`6m$JnbrJ`6i87$05?RtAZG`%N}+cyi#E7pl>%+CrHa*5Dnpwl+XZGeAK$p(`j zyu5#{*xK(oy;uIA4cVcAlrZ~g_OAVI=VQkr=7wA+zGH^w@(N}C0lY}ITi!K31MB7h zuinORlDbw+X%2&u&}qyFW9$8i!^_->*^CfM3H}T+c@K}HVZeSaDwfSHRqM%^$+t_( z)tGfA({UcYU+Y>Hu)7X77_l=+NmU_#VK@@xlxpej;X!dNG~bZQr4%IAi@xQ8+f>rH z3%;7A4*2%qtt^@Ig^^04f5To3qaQC=nCaD$jzTQiF(r@?&k)e-j+xBT2L1>1rQ`zx zZsk#WV$D6);|QWqA|3)Bf^{gg<@QQXolb7TUY62x5U#i^&m( z+MB==Evm;VSgJpi|HKN-{J_S-&Bj7>3?`+o!peAiV?V2Dst@~bg5s8X&y1lq`$`sV zUi&}Uid&oNgYUBB*i@E-V5j*j#}uRhQE;%aIB)cj)JUppE2wGJ$of=ly$3E8gNfXX ze|L{F>E-P`;9jxzQv8MV3I%N>S$7qy0eAW~E*gJ!X;yK0qQkma;hjmNCCCWH{r+cu z`QEu13}Y&f2JRgQf#gRhyjEoR`!nHH37T`NAz^@7cgJa^I$6{x&9v~3ySGg=qpIH| 
zb+iJfNl1xJMBfA92|61pInV;mVzJxA@8M_4S~a!BA1XD(L59>!ViHMeckG01;{s_} zg68%YN_^|GQupKEJ_V}Kn>!yKEK-&_U|8~(>W7V829Gcj=2qI&bsP6(+PL2nZFXrxj>rsh{<#s z+>SaXQ&er1oEjEIp12LFoh6HfOEU$GY-!fHE3=W|04BDfII|(H;51rKasZVKgFl8X z+b4JDzFp5beEG23p?{8rDKf=r3?uZTf4-76fta{}`-EwU$xjrH zQ(VPburzCv-As?4)|Zr2-OQCh>JF#E!omTuAZ>vEEF&;yu~IR(jH04m5Wf9yI%z&Maab`%4DDq8q^U4P)bw5ocWB_q5#aFMW=6lnW(<^Y)Sj@V%$J=m>J!4k zW}g&D@Df%`T9q9Xm=Hd#X$U%TVH&d_fv>ZsERI1rM;GSOW8%1KyaRgIk`%)CRLjgg z7W!YYbY`zjDqG}XMp&C28J70JuI>Q)j$abEgVyADrUHw}xChwXe(N{zn1CvXhv+kA z?E?S%!7pd6x@!fR_cR0I!&Ukm{i^f&t#Qkcu@2C|g{gdHWUYRBSdQ3-X79Rhin~A_ zD;$hm&QCXtO$s*~O(Q8KKoq$?z5J%;45w`jUxX{Q6of~I50|FSO92c7@(0MmePjKK zZNS>(Pd;rLXOzSjiL~Fe#zB7~s$~!V{1}0rIt=72fXMSiLqCP(Vts2vPFe$C9VmJ@ z2sXF&7r2L9=_VO*i2r~PLQjs2f^+lM@%OQ2T$25)THHOp&O(xUPYj`S=Npg!CadQo#Ljg7Y#&p zSfLhi z&*o62-}(NGehpWyD6&EUNGf31n-+F{zP@E_RaDyOwk0SmI78#&DB{-lfNd^Um7&UU z0aUohPWAOPCj3(>v5SqW0}Ht{g|(#xwWVg~K_H$Rpr4EcOx!pK%d$@Ijj|2JC+Yt* zWoP1t=q4j8#Y^QxgP^452d!xHxJvWIU75XUR3tsx2fY5p8jDrF3c6uT!7B>LeH+h> zA&^T}@78f}e);%O#b=rriD!-Y;i7kC0@p9A)UBQ0GK&YPTo(|UOi(trC$TTY+C}-sGl3(YJy&ZbCQQ~-iXC9?I z?Q@{n0#1h~)mE(AirSvX>LqWLS{V3-)YP>*PA|`~Fg1%g&VMk{(Sig49=FZMFhqPG z;Mm$ImO<@<8u5^#lG1D4mCZaApF)!^26Qq27o|8kCz<)4{co`;0n#gjkqmB^f(CXrwZT1Djgz#% zQcQ5)`Oy-`f!5x%lA(#QTCqxrib1MJAn{o_@) zZY+bB3`$vTWx*D>r{k4fl0CoTm_u}W)xb)s!b>{xWBTQ3BiLsFiasAcj40JkS)|29 zpDcRuC;gxA9Nc5@5ArRD&XmC+BYPzGyx;}p0CP*=_D&^1bIT= zi9^*mQ~|_fj9-pgjporix^sJmoCC55u(yqN7d{q&SG-OdGTPQE?i%LmcCTG-`6GKn zX-=?PQj2#4a@>Gxx?>hvkj^}SNr9RL0CjV<>HUZ?+jbr%f4IFE@adRZ?oV##u?Zi0 zsXZ29RK;2t4|aX(agQr%NhNaS)}UVFBoj%LJcu`y#DRx;`NWM&lcO}lS&hvA>^XL@ zuEk{TkgQ7&FF|c*5p_EWJ+Cf=5i{mT#~wt3u_qY<88#=CaY+%UFTBWxB`EPrHGbO- zIqHl^#VlQ{tv<|;skjuNld~C4b zJyYI$CKFf3;-)-rj}BZ^WH%%*heF|5wt}=-&z0dako3jchJO7TGj?+t5oJFFgl9(*!h%X> z`=u$t$gBpBpjezW_&n47{L;~(UkN!#-OSxC*8iXOuKXR!u8)sM)DsG&5LpIUB1@JL zdPs<&WD7$XW9-}5V|t51k}Zs-5T1y!OVd~$hDS(DQdtH=5@Q<6Aj`aG>Uw{B-~Zq} z*Id_J*UWvN`<(CnJ?B2(&-r}5_r)Q1+VLMxm~DJu85{!tbVcT<#~cWUx!AfIKlPv)9S9mzX}nI;`|$0OB5 
zzGhLXK6J{o$dlaL-q|(l$ND95BrEz(9%}UHMPZHMBAoi}K;t9$i;-Dii0E*6z9g+4 zkjEu|!(n^>Yhl-->oP}Iwst%uR1Q4Gnp?V;(xi{hdk8U(9egN{B}8!kSwz7_@ zng@Q@_WmyWYk&0+!&*W0uK!jN)+qB}W6QWn{VkxEPP`Lj`sqkPW%rx6Hb!s}ppH^! zqfKUpk56d9)8?6and-cQG74{RFWl!k;b#BCBdQf@Q0?c$chJNOrWDSn2zfBs{ieoY zt5cL_hq`K~C5Qfrn#bLpot0HkIB4@oB{&u~1xy04=B;dr-6eoT?cOo$BKmsy8@E1z zHC(k!2o6s2MZ9O#GzWb&m8s^ zu|C>|UtO2I88}K3BJWA6o%q}J?t$Lhr8FEJ z9+~kanSVQm<6LZtlL!v#J=W98TEyK6k_+F>ZhEI}DxnI{DJB5=7D55G6&LdzwsEyk zZS`Ic6XI1ak_U!P7~!0O!SLS5ssnpn7iDc4gr zDJ;tpZ9I2JvKBgZxQMsDQ_njn)d9BW=Fx@EIuwVJDC;fgeE-8kvk+iAfNcQq_dLfp z0N!qKH`nBePu!&Ps7F>UZIKI(e>MU4fIc5rR~2y$GsK;!db+G6U))k~eRsef7m$(w zAKUX@7~0f4gU%<0R)IiD@_|!{Lx1tK#XRoE&hD7WiU(eL zS?&uuC~uXLl(h6dHDac`_+~(b(ct(uQIX&l{ewEt4bBI-bfRnB2L05ln6#GF2PFNQ zK|L>QhJH@^kj^L+PwIFebNZk3?xlmc*e;Lg?T7R+J)S{0!c|*V42wN{kL2*wu0^)w zJ9CONETwN=XEbo#x$}C7)6)tqkxYeub&1Lv3O10?qL`c>ny0}D9b+eHo7R;l?C95bpHJ$m!i}F(R++-d`s)`#l0O zXuC%*g?dw4o%b4_Y7lnKuB9Wx;)1m|K5Hfby%p~gg*f3`3zlj1KCh#<3DMi1O#n-! zsZPnN>Mm(}kro%RRDvgP7CuQ7 zzhozv*q%9_rijQb(q`s*EFwsR(|x8Y86cwSryXcqcST&avgLVP!^|vo-XR}e46$VZ zy43K8nef=kl~lgDF2dJCh(QM@O&vx}|cz6uV(=I=rpBw16H08?pqP#(EuS zPlBTGxvZOvl9Y&HAqEbAh+K&_H9*o6ZA7zq5%y;$7|kmsEYj$)Zh~^qdmyL;Y4*|` z7obGGIc<)cX3~PO?#bxekD~qoj7u3ro2`4rQky{@D*$n(PyJa8c^{C?tu=fA#KfXB zH9{w#Z-7S~z@HdCCyixq6a;}BFB1-{e?`M4{TyK>&Mf|D*3Z)PPGEy!frI-2Ok9zf z1aymrs@j;lC??(9f)uZP$k1j@9(61V01;hn&mfT1ZmN|A*sxYZHGPUYAZMY0d-!_I z_V$&++^|&cF9yZ=chw@BWJ!XR#`_0XFmSqXV~5)hIo5hdPUJ;-p`EYUuA^v8hX0ZF zB+cbN@?V@!{gffCYk!$*yAMM`%TEXhHHclB% z`SC;On~xUy=ex(vtlvAUq|^Jqn-4P_Sfzknq11&OdA=&C&_-LXs>X zoQ1@oLAA9%{B1k)nGD*~zOG)4mQ;{i^kt`jF z62UkJFj=fVDJOPaE+OTNbqaYwL-Y?taUd1{6iD22 zV+NNGZ8A_C4l+1SB^NzQ&$IPg^Y$RSiKy+9xj>D*C`bIrut)iDBIM&kFTR>k+DB&% zI#LUeZLr7%WQdP0`pe4^?~xSFnpooyY^hJ_z-Nm*a7Wr#l-}ear?c^polN$5K|-Tmz3Pam2MrfpT$=HQ<@Qga2U#n^ z*r!JaIPBcpqEXDc?884f1GGTn{Xg}VlRx)O=v76z>~Op~MahFyK86nHRfRGiApxIw z%F_k8JM9IFo}ccB#ZVzH6@ht7juqMso{gT*CQ8Hsn@*ifs)NDyw4=)lpy-(iCCDfg z$NBOyAxkO0eUt_d58jP({QS!_y50HXV4%cy 
zQ+vTR58aOg??cd!-f@eIMI6Ag;NU`y#Y%`b7j~E}O=D<-=$#r@{B;fXDOM`gb!r~B!mbFc0WFb6BYA_jg78(g^`+0Xd_2QO2{FJ!ZQnhrqz;Pxl zYn>uiC`5u6Vu5I}wX#;+AnvEUCGI-^zM9j(8@~&iY|SmrkQcTh((T!AX0Oo-J2|#N zU#5lYtw&XTcl_0vz~p?FwF?D>$X)jl5KTauofIvXDYP&>TEzj5PlmuhtJHI6?HyTX zMAzzCC)mCvVHN^hrmEqyzpRzcK8I67VpDdaDRRV@24e7}H~%CT%fEdizf!!ppkN4Y zwQj}eVvucWiF{ItcG8S|5*0L&*5HUAtt{l5YL;XVVjw=7YLf?@027M<7+e4U{@-@k Z6lL~Et@~b6tzw(W%*4vL`l8#v{te7M=e7U< literal 214190 zcmeFZ_dnNt-#@O5ii{*=7AY$$D;3E|B70^vI-l3Z3PE%8|P?C_4P@hpz)FvU> z9!Em5wQM^D{!J0h!y^3GmMhw)PmvUSWE&?T*++6lQC`>c!PHmVlMDuHk~85MH?}r# zh#pjqJlxP{bwIY=POvzQo|Tus*s7kn_z-`E9fP-^*3=$`B1>Hn{q6eVX@*)am2LO9 zGHr62^(A~tw7zyZd~9JY!~1IUr<9ZnKOd}pX%v)_l44T)_aE~6$yHnb{V(SiFKF)A z^{+pnBH6b>{`E(ZS@+bx|1#H3{{3A4`m>87j_zL{cXxZB>c2iMMCFz|&%ZzJz^gR+ ze|;Jk{r`V?{~vsMZ#ug6?EBxZG9x22DykuL_o11lL#b&Fy#*pijvVob3kexx|JO^; zu(X@(d3s;MfsuidoMhjq_BhPNhgI8 zsG4cnWo`-AF2B0Cz{QnuExa;E;N<^t%&IEgM#6a0$VeU@zit_`O1G>1Md-gy;@kIe z0tN?KeoaleE==eto<7Z5b52ol{&%ss2l;<~@qko%dU|F-z(Coh&W0|%e{R)l`r^fl z7Jq(zh?yqew#}+DQ=Q~Su~p;u1am)8w_mtZQ_J||!^Ui?aJJUVU>GMcC}fJS4dQpa{ceRzng2cPtGPtx>1MX)9S}v zh^ukmcdtp!H0YYDjm<#@%Aoee#^KZdx#PDfCPIxBPM;M=c+SQvCJ335ZQ+TJkLT6P zjlJujg6B#9U$uH^{Mn$NLLdco+mo|Q4`e)=ySn)nGafx^&s1j>cmBexlc^@JtQ;)A z^gkc1TYcjC9NFvJw5Ojrf9*QAF(=#i;+pV7Ie#JEE0-_JySt0$>g65e6*eefd;k7@ zgo%RJ`I!g%xqOTM^9aKNx6yJ~w8S5N_u<3aNLDEkw;w7d)t3g{RQs&ZkF+F6dFX|Nyt}1eXcjp%WI^&0 zAJtZU{ff`#%4lXmyq2}Ct<~GGJpm=g<@OgoJ~&!bRCLnVIBDp_<}Y30Lx;ApN;LFA5(j*8Pw7sb@>i)_KW92=-PR=c_CKyvcbsjVo6nfY-Y z!}I4KDTdNBOFA;kxQ|%`Xr#$4{r>v8GfU%ce0(rHkLt^w9!6>w@f%rLhXMivXFt2t z)qnl^wX6F87uRk+=^*EG=V;c~*9TtE%>DZOOkmsikK`k^G^(+@TS!#Y)%R34rqM4H zm{bO={23)BIrs25D(>9NSFc`mb$1B-?^}EI^!zhL>s;FL$0riif}cN^mQUPYr@4nW~a3$%e@m_KrYuhh<^k`z)xz)wmRJ;ey|GbA+xK$SO(Hs{V zBKB^lrtY?1nV)yRb^A7zOlt_qz9UC=%gf6@zdTG~-&;V<#FSupg@f+yqMMr=S>X{e zF*SWAoxbOnxy`CQ(|w$5ZEqWu+U$teqUK+jc}*LsU-wQOa6a{Qb2hjh-Im6@-%%#c?86@Wu5%2N?wo zEjqk*-QCRD{EEU9H!_X*^{Lc$`A@4Hx%HLNk3oTffoT!)JpHAmrMs(Z{r}cBO<3|y 
z|2e9lxcZvIk&9cCmqFTNf&oX+b?(QRYQGKRnN3_y(S_F(WE2#P;mVv|OKPdIrk}pa zSiaeA^4xU`T93F#dB^~Zk&#hGrTyImx7aY{iTz(S2eU+@2PeAocCoSTBq82Gl9bEG z>-M1`Au2IMF*!Nyzt=S2dEUmxCfoFdB+7-v)^^mgy@HO7Eu#I=>2U252W}A&I%j8R zyZ*8q`3dE>t!UinaU?}oM$ZvFfLX-iM$?3n;%ZjEe1U_7<>d;`S<8A~1+>DpN2h7q z-EuoO^b1Tr@h%8N>5{tr9;k6BsbX$k^TE5^B;Mr>ODn75Ytv>^pP$icJUq_l{^|2G zmtkDAU3YF=`^4$kLJRJJa3*0odinsI=%li9iZ1tX+(I+$x7^6mNKJYyI~~y1XQ*Z5 z<|bxV=NE|zAM-G8IPOQz*>%OuZD@2970cztZCd5t?)3=`mDSf zsOZL%Cp;x3C5kP*xq4J+o65iX%e9`U?&<66d)eGf+0)bW*52afcxTqPZ{PM)@)nnr zyb9UH-B#m$O*c)vH(0NVbu@dHZ%h>J8VM zS&%ePT{yaP*Ekb!;k??xd*5chy`EWGI&ElpzyG!|U+!MDkO(CSBk3FvKL`fg_Ufijdr!TQwYmqjb)i0XiJgBHxCG9?Tr@{K%1L<@Rx{%surxle( z$Hzlm>NXf@IgX!j$!XYW&Pw}zb-o1M>N-hsKT&md|sPVo$-oew?-#<}l6D;Aq z=qT@cpbE7uf8W(gq0i(Dwo*4`` zM7BS_Y^7DHyG`?TFmzCVSrE<}TRU9x`t1=%9D#$(P3injLHB zuJ_(X!)BqmgKtFRa1EYny?gTb_;_FS^&{0aHR{H4Tpa@#Ab0QI4|)9fz;R#-;E7X! z56)k!g0i!-rTVV|)^v1shU;xxL35+y;3)7ht#CAo;5cFIW`th&zpRgWe&S+zat7d{<(EJHsKE7>RvQuXlR!+`63E(6t} zUl018AK=hw>}Lig`kTRbc%*p_D? zjIsD_to@O+>ktV(G#po{o2@B7y~fS85gr;^k3%;*R8Lyt^1^+*BipF-U@$dnFg|3= zI=SI_d>y)U7lnxP7wNvwpU(=VK6oH#H;J-$EKcH@c1mN3{Ua&hjB?y#j(N+U5fZW; z9h|+ry`3e&0~enrA2{^=J6F{w0rT2wv6r{r>FOSn*U{F-bj*0xjzM*x<&Vz2d(K_H zskjT?^A-8+iv}~xrj>3=bkDbt9J}`W&1kBB)D}_-yBc9%bBzT(VVo&`zq!t$(KQUx za1YHt0AWh<`xh4%`%0{-WY=dDA}4VWjLSChMrQ%{(0ImbYF8Qd>CzbUW!|$G9aV79yYNB%QVEz?^O16-)Ncl< z?s6YA0#v15?dI}uG*yjX?m1tpkgM_6OfNU7tyciB%sYdu-lf4CqVo6m2au-3L&OL^ z?7qTy*w|ubsD7-km|O7h^{V#IXUlhs3kvSMd-pD{X_Yv~39nl(u1#~HyX@Gp;~n5+ zWF$4bFs>c;|eW)mf7A?a4RF z*2`lwu5irhuGKvv$8+cqF(HXNF)?BLJy;h_jIY_@Mio`nfVjB0IWOZ(wY|9WM_P}R zy$YECulLAZx^yX^SHiwa#K?610?_lFri%e33zNMLDQ2|*Kt<){d(>0zJ$SILPZ4KQ z=f{3Jime`{2^MfaF)=hdo7dCRbLf5I5toIuN8U@niQX>lyDCmkPe1ehEmbV9*48+F zy;CUJwi4^J?vp*#5)M7FCWEhEE9}+WNc0PQW?l3Y(@|b zG;XD@RUV?QLni?R&Sp7LY}@u4FG8G0=fB$S<)z=I1c;NBl?BG)`}raHw%5W0UqX0v zG?Ry0^F^^YZ{BR*n(I+~d05%{`t->w@%w&BNk*dd6OY)s{`slCudt>N zBn+1+(GbO+_w1aN0$bsdI-b*3QqtL0xxYg|bRtqxw{h<6yRvVhAYOj>@GH`fsbTrV 
zMO)ip%ooqqdA^vK7|jBcqeM;6(9pboSCq1}!Q?#%*mnaEpR!NJ&THk=HS!fCAs&V{w zJ^6{}KELpoWUO%h8ip4@+zXyxwpoqLL{|>!>C>m@e| zl5obu{PWTCApD_z8>{J1Ii}|$S@xIHXV!OAV=8KD z#K%I&2sr=DdB2Pd3o$%(b-P%5rB0kMZF9|bs)0Z-_BErQZ+<*0mBrm3xWaRD{U{)U zX06W(m+hT9-$zFez0xgs5KD+Y23Pr} z2{895^xJO$Wq8%-z^51@VuWR7YgOcVfJh9VIj5xM<8ZmKX>#3bDsucJw!FF;Ht`@X zE(qsn2%rb&_eNo%FkYj{58u5Lo{7e)s+2MJ?rGsbptZjSp|M!=njhN*XaQ0o$lKb~ zbW`o1!o`aRxVX75553&t__a!Jbh?$f?lvy{0Z{ z)E-D{#o8EhHYW&2r(dB$*tq(tR?nqv#yLZ28x{GcwOQ^9G z6SKx^A>iJ<-5`@;098Z3zrJ|){=H%lZE!gW8nC!&>X~1JAZ^^kDaLEB(Gh^pXAt529e*Id| zot+%VnR^S(d!IXk=&deIM?=BNK#!N1ZqaOPVbIpm`8GKj&V4#+A9@Mqn|7`3rAwi1 zBh3U3C5DM|1ao?Vniz@euYL)9n4uHn`v4HDn>ZmIL_IUaCL*OBHu)<%$)08?&-?Geb(NR=faQ0U9SK~6I>GvYl12DKHK9xJnJ z-}>|C&t{L7SU&EFeg2(ShMk_r=YhLF+~?qxD(gEll3;FcGL3r03#Q}^15QJC1;XEc z<;oTDOC4m%l1^gF?#CLc%|>5<^;ftIM!kG_vR>C&yE&FG@bAX7zp>LbjK2FPyek@< zxP+JAynamzWQl6zB-u^CtW5%DF;a$a`r`6CKX#rM02O+4I=W}#X0{0Nlk=S#?T^pw zCVm^lCIyhcfv{Z{T#kSa06~498)^9ud?dj1)RZF*&2YGI?aMEfSHeA5CYNqjrQO2J z0Obtn^36*1T}*6W)a#oC8$XGrLC$AA{QY}d<&{ycR=x8$)^Tm1Mg#+caHko?)~=Xq zmP@q4{R+XntOtmPev@=tt(Nbj{{x0jo2*(B+$zrg_KVs;)y?%k8iGb8icXB7`T2qb zTNV!M_txxFKn4P@QZNLs)TW~($tnJDb$uVjN0}~Pq(p$fva&F}1 z33x3|UApr!4X1K`vR5OEkA-9iH1@vqWiIHXhgWJL3ilOTk;`u-kK@y!;Pjcil;O7rSb@VmReX?SnFz123g$WCr>Uwl@Acxwr$(|^q~2u(+D8IZTvEH zfvg1?oak4;;I|+ZOm+#`We;0ZLJ-8S%;3$_mc?VYZGHF+hchHBETFtx0`z3DVeQ0~ zpF4?T-#L_nKK2Sg527i{u|Db*?{`g2^_Y>xkZbU(FV$@L;JGWbK0MK0XfCJr@c3Tq zmiRc6b3zGL{biS$ugn3S_SJYx9n^RjftngGYehl4{_ues7y-p{m-mIHt}cV5V;{*6 z@*@Wh92k0cmpi~ZQ!SBeJ1?Id>fhDfU9me??`HM6In1v;#)onQv&fINc@X_uFDN*e zOI%!crT^nc8jy@0`>znTSAs(ZG(gchPC+sp8XCHRM%eCMTwFZ%^@S8Fmkhw(Y5`&p;AzlziQNwsWqDUw*8m!*5)JPqTn1!| zVC6`bZ+V5amL#F^gkps|Bq03q+H~DrFvm(0V`COVf!MM8;64$Nwy}i+zjBggl_Vxo z%d&nS+nC5JjHnPcjUFT*Ih&^T{{_kQAOEr=Fs8^W>-qrlvF<#ByPZiulFzHE_*uh* zOsj68bxu63ReYQR?Yg@Avq0aF>6e(yhdU~D-I-0c4a#8l~HPCA2BQ`rxJco?^A!x*;T*csf z19?qxsSHQ{l#0sso&wWwzy`h+Fk%tAwtZ7yDt7}`?;&Fz@8G-d0y`+fA^;%xRYQaF 
zigCIo!HkNEi`$nYh~EAD`SX4I_sh@uqMQwljK1M%WGwEfG@&s!H-DdU%pk9db-Amz%>_q)_D=`rU_)dBe{ zeWbUXaH!-DI<KlxEb(q@ruDSUYFoWWV(xuyGfQEBb(w908h`S7!h`Bc2@0~<1v4W%@WK*X! zFt3YhKMhr?yx+Mt<=8b+1)1Jqqg*9{fTZvCnCU7I&cy=DY_c=h*}&=cN^c5!|ZgSd>H#)a4P?CtqWN=vn> z+%E;nk>pURj(sZ4l3!XAy0>}`*f(8|#lUxpN=e#JspcV<%RHEqkM@s+@;w*`EIhpT zngH;09#>9mu>d-1zCr)PL($gO)?s03ux*J?aXK9EYZxuU<=3L_X)VTUE^al4I*t$pTpcG(y2yaJF?w8pd3`MlrO$|{i4Z+Q#ON(0_zvFo=} zgr@v%^1b)+%zkk1+h8aHy_H@I{Lsy*KG5Z_CQ3Q=AK<;>?#>Vy#wlt^wz;|Haz8ow zb#JeMlee0sC6|e*DbF$9WGR;@NGaa{R|69h_kz{Mbuuta-ch?4eSG|=|UYJGA%)}m5UQnIJ;`AQsgw#^Qev5<219XzPKQiYRj zY`ahW?AhHLAK?jV)%p284SY!u4*Wm$Z{I381()E2sQ8&HHJ!{`6}$|_6v2K>U(@FO zq{Li63Z)h7Hc_jFA)udAq4Ydu141OrD=QZ;?qgD|P(uOJuJ7*be-2LzG7LZSjL+)) zrIby-iM0p&GnRJW?xnvpUfL=fn3`&y-l+@Q1B_vw5SGv~i=`gADY8R0KwHiLkeHdB ztp~@#bjw$hVxgzs%E`&;^XG$LHuvrI?MJ}GfK9hcI*-9Q7E2_gyP3sB zWq=ZLcJ-t;jg5q`Ce!-%ye^u4r5v#)uUvTzjtDi7 zl<0;K-_al&QNYCbfLU|8>%NU0`cDk)2~5HUOq(ItnQ*ql{CXQAw1GA1(S~-hvgYYb zbUY&r0sW`OL3pg`m^*}%=RwIUZ&q>Z`w!fd=giO+*q0ZI<`aV|{r}2>EZzqC%7BnZ zG{|RZ-mv6X>D9xi+ z4nhj!{&do)OK^XccJE2PxJ&A+7^E5PmMHArzWX*~YYf1(OE>LjDrL2QwP3VYR)%g> zC1f3_-owC`(thjGV10y5i)u-SN|<4h2ZE(~)i75_B%GxyBK~kebNu0Oq#bg9v8A5y zmLyop=tuUNY47#r*$nq}LMyKIJ@)16S0#BBc#LlzpSh>_`TF{Dakd~#Q!Op6fD&jE z-@)SA4B>Dbfyz0Ir%RaB2$9Ty-Vr(>K`JyW-KWN~?xKiRdfmFW2kz7digcI3cSJ8MbSMF50=Ggp~6zHiqEH9gy&NzLp z(p|H~SRh8y)1|;_65j49b!{WdNN5-lAoGM10p4x-sxh>mv;lI0p-VV)i~0>WP|r_& z+6@W3_kOSxFYk89Y4Edo30o#5WflO}K`$!+S80C`|pp00-(YxZo$N7B55JGZ#+6i(gxGst-)T#371?P!&+$ zU|*JZPqSr$x*;Lq30;ivb@v{z36c3e4Gmb%ivrcQgggF*ZHZ*6Yj+O^-u0#grFiS-o6xS=8mzzaSk{QdiP3u|j6 zpSJldbQ>%~Z&c(nep0LBH2OuNdp1w|3FZ36#Got^NqnqP=V~?kYtE z#eM?l0Lp+>v&hNFU)N%#1ZX_Ok^-)+Jth-etAVJYmwEQ)2?O8YPCZm4p}zyN%3lW~ z#u+6&fBt;=WbW0BrV+P%!{V)H;|1I82XmKBc=UN+2S7c^ z7usx2CZrYl_+b5t)*3Otl>WG!JEc!vLa*hSMyT z6R|TlrKA5&Qike+;UONL&;VaVyhIVa(jrkE{g_e=TN1$-D@@gZeW~bkk94xm8TYCW zei~7`eApl^CMEzVf^zFguchCS0H?;2PGeW@GXcm;{r_f5Mr3Wrj--ySVjA}FKQK>&4F|E8ZEiohW+~Le2(3!HW+YT#M;+Q`s_LIfxcJq7u@-O&)^8rOr$~mk{)iNPumtxgSk3 
zayuch>;-~!h3T206n>y{Mb2~Pq}#buKRojFVYhxVN`b|bDCvTc|NQDN7D+(DqhhA% znigN4UzW+D(KvIa{?2{{*O?*trm`!+L=Y`~5Ow!d<_6?)af(!G;?+zINhz zwTML=;NjWN$G79!?=STbxr#8{xPG;?wrZ^0fXQ~481Q%+y0yahnnc{kG@E$WaUDcb z4S!fz9~0CA2lQ-|Gp3*{Oow*R;e4|ih~5Up~paDjNj9!Z$|FNu^dQ<+mjY0E4qSEg#du@WoZ9^j3ci z_82D)gbIi|*RLnZ4b+6QNCz}@*;Vy&2QHfMZZUD*;jNy z$xj)4@C{@Fr4fjAFQMVxfx&>l=&2bqAD`m{w7D+)xyr*q3sfpU+wtX%ElRnCx#$Iy zGAl&#uief~58w}dYgg=1Y3b~g;GCf=7nGGLw6(PrQ(UxL6#$)IBX**1XG(}VhYlSA zC(KYw6oVsTpWebc?78*1@1@E_2a`60{s4)DVkIKk|6|8Cdb5qcA2sTr;7h9dqH!i0nY{c%| zJ*x|ohwKdQQEF>u73B-Nyt?1(##gsK7oJx02>wJsg{YGq zHv&^5~#{*9ro~ z?SSM>tdyLbsi(41j$WN&4&J#pqk=mdzOFr|DE%_GUCrBG43$G3 zCJhlw0b)Hfzza#u-2Kr-i1+|-!+2(J+K3d^W$+Lpf?!Z!Qjb$Wq%gMkAp0B)csJ%b z^5cia_cs70Oo&B6da6gCAuNfeeHn0Vi3^wUzp9|EE|<@;zkn8c%FO)y8wepDRd?Ct z{HiaKDrzAIod(v&EOv1_1kD?5ZJHoBD>@ANgpN;e+BYl(B@ zZg?E^+c|U6$hx(5XI`ALiW7#50V)$zSLdG|$q4rkju;);OpaexKUpmEpJh1ox1gE| z3aVMv=$?6UrMFi?FWKuTf(Cek0b)7r)=7>7)kf|bB3FK@A>5%N-WdNJcgw<)I{so zkX=!9+Y5S!DnrC{7sS$6kZs)uS~0l~1O`WQ%0&Sl5oRAjfrua*MCJM4Us(rz{zP89 z5%A~{H|z`{{)A?ktinrfz+{J?a~{7sb-!V4WWM{7bG}1mE@s~_kSb#=)Puq{K`HGnYJ1TmM*<=2qalS8qY)SwhWK7IX;{YB zeO5*ih=Yc7gYf;#o!1AS6&4m|tHl-Uy^QE6Y&?G6wcjtM$wqG#7xa?19`Y#rpnsU> z*s=2r_itCfY#j9e%Z{e5K$uBr)v(c-KwM6PxQHSy+CF#@Vj#R$v(b$_%d{Q4#t9VQ zLewQ{MV?Sw^Nn=IUjHZ7-iE%_&ejmrlp3flAua* zEUfokd-w8HZp_TM!ZuMEP??9Cf}o}n{6FIO6XJ*)!%bb|w?5ie4jbg^o*7O4-qocm zZ|je-AY@)EXn2s1?~FSs4GGRt!%%%7&#^T$t8IXLw{G3Czz_tK*REY!U%4Wm$@pGX(D{&*(LXeoc~NXH z@DlGz4LDgk#_}?r=Mdl{pH8L)&@s`X?<5@T?(Wu`q&VwAU_9Jz{ijcrZ8z?~qqb^G zlV{{mveQF>B|zlmv5t^S(jOZtbcq$2my&F+NXh^;FNG1B|MAdi`p}{nYoi$sl$$?4F)ffL6iRknZSechZ?k@ zC*@b&-F1&C-A$j?LH`^$otx4I%SLIS2LqQ(XRGn~^Hugxpo?G~yd zLco2+3YwBO@0sC&p86$|%buJ|%78$;VtpIPOlQupY4S%kD|TUpW4^0pc9g6xE-t_# zhQn34pJ=JV!oxdr@9F1$D29eEWBuu{qmk7Hhi*9row#0pg`l9I;v}QbZ`~8-9w{*r z{QRnOeP^sMwTTCLLGO#(t4awlk+{!u-{HgRZmY(8+U!5HM!tWD`n9of{@L92_I@Vsui&V za_j?0U!OZb@G(d(szR&)hG3Bn3l@oY@7_e%a=(Oxo~9WT0x~kP5EdJfG??DZN8KK0 zo8;;U96h=hq9kJ^O$E?Cm=ma6Am*t+ivV%}NLhwxv#UmuwH}f%4MHmYBdv)x^|@SX 
zcBF6_zy2t5{G{#V)e?ZL+ze4za96M{#6dXlxB@C?8!5-WePj8GX4?i}loUbfZ5Ne7 zgF}u%_V4-?`O4Zr$${93?Cpta2UkDriG!C4p`Q0nE?h9fYEMyAegwD>bY7-`fdL{0 zTy9GJ;lqcCwH45L3uvOCHhP&u=MW}^Bo6uhTir%V5{TJ{ zuFLiy=MBxU5uIih0^u+rRZvWfWVO*yQg-x>>E7XsGWY9AK;}hW^@0&27XaY^{bl%=q;@)^~OjF!Y=}Cw%UgI3Y@V&;L1N-Pb)D8|BnrwyRp7 z$nkT~KY~>Q z5f~4VH=&dY?s`(Qu{v3ZL0PzXfw0a4RxbTHqg3be<+;{eurDDtApZD+$R5vhYRHAk zM$2e(QzE(CB~%#I72?@Vqn)FrO*r9~4xGkB618|qB53lQj+iB~%dpo&O00<-B`h}~ zaXTLP&)6bhjNRjLAV757YMu~N3C-S~cM1+0;dDTWLK;!u&9qxf1j|CBA5BS!eu7t= zwYY!jQMBwSY>KrPT~M$-$cmOzpIw6`9%yRx#K};+3Ode8SR}NLP!{?soLEs1fzT%z z!Y{ECC=VvaiyD;eO$*<_YHRD%q1cJ#7wD`a9uvCd^>n$t z?|fWd&k8gb3pLL>SMleY!Nty?;C5o^*fN9<*!5KbQej?7#yi4&!%9$I0O>CG4|6&E za?hnwyXMJr5g||OW{^Od_n)PR5$JxD1_lQ5Mw=vLrbk}yk-|H_{p^_(kx_w-ufm}L zK?Igz8nO>W>ZX76ba%ZZ@k1|O97D?rM}N)$3}y-3(_i5fj!iqQpU(r_KL}>$0Vq(J z;anSuZ$ALp9Zn$A@xag6*u%MCIii~#WnsYngR6V*>Oq~rT&w(HYdfXNU>p&mX|W`n z)zIjbZmVx=Y%#3crsqPR4ahFkPErRl%m24f=7R>7^(?#|yds=Dr(p9OHLf6Qb3>@% zKVlVDbW3|w%Z*e3S9e>NwZ%Sh2e^W)y>%{Ax5K0AysudcRez~%H1DGY*os6(Fl8cP z8WGVuJKt+cjnu?KGHFW72>cf|HF69+)`GG;5jmW)|>$=n-D^T>ISn$|C zlSNMOV*LE8<37upU6K+YEriMd(gg>o=RV&P(0jN@H>0DYdAX}3)h>UeYkzSY*p))J ziK&}z`G|!{!g%~A}DZ(;u5(}F9YIx_I z-Jev*L7 z2Q<_U16eCR9<_f~_B{0e(l#emj{-o^8Wo*NRndm&`sQX;2E_~~eHuL^%^B33s7MYQ zm(g7$af5;WREn5Hy`PBOHLloxFv07g0h4Y=mIh~JAf+DZ?y~F7AF^cjL}!jJVx(+0 zV~QVtBC`5Ce)O!03Z1%l=hO32XKW-xC;3eBFuhAea$0_T>%R*;_pe}}!_FR$#5e3DP%H*%S%>ucNc^&tOt{v}Q zNCJisw@t_&NYaHu8{CSvqzs8%6!Zl?6bBMQ|KyhBxYay~N>^BF+6>87Iez^3%tEg@ z5pJ4qE46N6Y)YPjeWI#NJ{rv^CM9(mwW)<)kK6z@P4r51Xh?uEdBUb5BO(}{h&y4W zP@k_$H9;s6ejUP_k=%;9$NJn8|A-8NnJChp*S;y7OPlW!!}UB3;JoSFJNze7LQL;i zMRky~!fr7(UfJL#C#Z27q@N;h-+oxQzbQC^o*mq0;M1km!AIDzEcGUeFY&6X@a{8UV#YH5YhDSx>p{<4$sN;lpOS4R%m}72IzDsuTKu*{G2phv=8FtnB zcG?v*goBh8lU+IYhSD=FhL6p0*irGD*B<}J{<4Fovc4OhS)9)_UI{`$F>2rJ?J|$+ z6URz|>$;a$1`syOWD1gL_JVw4Kbr1kh)-q8_yHo)MbP-okKIk1eJrBgtK&Sg1MC&9`$vdD@GS z%xj5g*8#nV5d!WQG7oU;eGT(3}%%Bt_ua@G#(-ruk^3YraJ46F4#cLB=q$C5*>E@0+gbg!~Pz 
z{itm+N-|>ByQsAE_211Ux%v}L$Y-^e+G-G_FV6|f$1He8uOOk44F(~g0!dED&cR`@ z_C&634%fR{LXFWFO(Hi?$vu%? zy*$uFA~2J`+cDKeCP-DQaD+UELf3Du=}^Xv^b8^?plHMc2_%rn%)=%NDqv+~Jjmj> zm4pDBU!-*N4YiJ12&Y11z+)`-UUEjz+O)_I<^Zwpjg317nLRpCVSl()x@ktHx3(gp zi-HO3cbnVBN`t|M9<%%6Lwx)mFhOEpcPE=P9nc@KLyiJF^y%l*q@xu$FB#StT!fJB zK0UAzDXVco&G#dn)-170%x&NCcn262c0dn|l~uZr)5Do1i#!P0(|KR@FtRKE{8ME* zK88?jQs@2Xf$`a{^8UC-5^hyS>i zJFztA??0)%e%8a&ez$H6jyz2Frr;;Qk2_d0;PViUeI$D+Q7DiV`j-L&0thPc4HR9_ z{TQTfrmyS9hK4VpS4^fogwEFVks;?LFZ@41TfznJtGsgP>h!?jqxL_cuLET@K*1CN z45L-_5W9*kQW%Y9tZxc}!M0D)+mLL@G zkvTPrzQT-58Fbh7woTSN=2)QNz6cQsd187E1_->dEg&kt)Q~+g^J7c<@4J&Z_*I7LB2R{O1c&H#8Dzo1>-XyiuZ?yG@LjZ zfHDQb>nBV!$38mr11y9S>)*uM67nj{*i9s2n^;(#L6dj{2Oz-vj1IE&^>AqkS7m;z zUBT+*Rdhxo%0eIwP#GUTp!r#>TG3se8>vMQwKS+qav*dQ{C2PehTEA}}?K6qot0EPp)r8iPcU zH}Z*!?jn+w_`(BxokJw{Nr+V|gm`0aZg@;|)nm0OR)Ygj~vixP4% zITFnSlIwP8h4R;tpsfA7=^ep#l>Ybc-!9^M_px;G&Y_prQv>Zi5Et>fv2hy_Bz$28 z^h<2R+_*u~ZXtv1cOvJ(uxy2RA=1y5aD@ZrKo4KTga8gZjlXjNEEHRY$mgncN!np? zl`sku<+oq&jK@!t68i)3d)SumxDY1M-s8FwmpT;bMBEV}kv}PaK{qg|OFb{V`ldMf zwgZ5Psy6*Mb`^}QK(ZrWY9o9FSYT8i5J*BbSRx^mQ8$j}dkUHmfy-eQ)FZv$zXzt( z>A9Brtw*a2#)4J%f9j4bIr}6}`_}UvM%YeBNgCvo`|#+9t-XzX=8oyn;cv4dsYm}L zYFx27I(lUwb%_;gbk-+YA@332sng)nfTSd0LmL_!zXE1~g-9q@P|^&>MU~%96H*jp z>s!03AHQq0J#{LeZ^?DVZ`4(qp!Yy2P0Q=Ep2uNNvtXpWYi(^rsOQ3k3pcSy(zEqo zyHZWb#c%P4lzeTr?;oV$_g4rZ!%!vQ!)N|skOiz3Ms^E%iNIO>AbmqeOY3G`UETZf zX+K1=rUvWGCr<8CdhjKTLj`B_TrQR4a&;XbL=4^D~FRKuy|1#WEbP?6dG$0 z=F5{zFD$Ft_%xQIG2n^DFF%J~SX$B^QiX3h(&gh*IufCakYO++_wbrRV6lkaXO@~x z7=X<6T5L4iQ0@1m;{l`*rc!xd0;s_g>f4lDvJ_{R+X7lzs{cIf%ItTg232vNk22b` z&&J{4Sm$SG|J>Z2BFJQ_r@hD2)U?NeOUOY_$w!uxTRGw+fFj~bt*Zk$zn?1x+VG#f z=KXim7o`!?ZUd4B1*5W~HqPV0sqOo3`KWsy=O{3*i^6bxi87H}pCLtlfM@YLMReo6 zi3i^xq2&*)LbWQ|`U&eZglV~s?H<@c1ljHjKLP#ZEee}?vD7n|s@X+Z&9_qorC7%U=Sw;i&n(FiDE{ieR9 zg$ik0dUH-CXcfCr`^C1c90dI&UU+VPesJ(VV;!)F2rx#h`S|$U$}4?qT@^cTY>@DL zSnCpF`@3e~jPKQ|Abn_<{wf}KD@|4?|AZ+HIza8dFX@!j*O&@#2*pSMx+3SVGGDN# z;3)Yax9jJob{X!clyQ+jIsoafHLziWFZQv*E{r9qD##oe*326w2k`|xp5ET2LOlsM 
zYS`E&LJyNC#wI5CB`uy77180q-2%QvUOtehdVHvM>#=y9`L!*nrME+D8aI|_xoti^ z*nuTDj9)^L>MOOS#TTQ55(!xVYyyIzr5JAE>F@8C25)*2&I3b`uygdiu_;WbX}2FC zeO3_&o?ieKB38v8nTlH_aml4-j9i^rS;#Z|4R%kvxw&b{v{%-D)8zgvHy99rx8+(M zudJ+@V=$+ZPM2*k-Q2IVH2PDy#5X$uiLoP|HP&A)0Ale(CL~tz%Z}2qiOcQXeki;k zggOb+^zsO;tobtBf8wh;1dMAQJSW|9rhGnEp-k4s*}0&PYV$ktXF=uKH4p4$dcakF zjE?qNJpPWAp}@-*bkx#-ADUfA!n!03W$ zxlc@t9yaanV>{w8^6;S3aR>;o(lvbVP`j@L1mDmn*Ri--Vl(FWdHJG;*r}61J&;1F<-XQ zJb5zZ%d?uKx|{bZpnyKLv9GT$zCA(pz8_2Kp)5$a=f|&f6CH>5IhtNv>-k-`Utb`f zII}8y;_`PgROZdryo-vRUHaEdGUOxB0d1d>`TqGy4QqdI;j{R7Mu2u5>$KBOY*}>Z zI_58c?JTkMN~9;T0d77_|9F{gWN-|5M85@3<_HV_FD}b z$Af}`uurxtQzJDB{*(R+8;V5}HXJ7=CSDB=nmdjs;RRa|*?Cy1Md~Qj+S=Nctm6xIancX>s~mwTGDe))P6ZXe)4P1JKbQ0S4!%#i4VGGA;mkM$Jm0|EpzAySKYl zWl(AJbFU8U+D=9+LJ<34_+pIjgs+QcO$dJto)Y5Xur=3J*YxJE9VH02(&hE1osWo$XR^(G10OkN46lIH&^c~?YaFIrn~Nu{;H-?$AH z9TZ2cz=(-qSt_V2xML2SqQTyY=JspeH4)ScLIT?z?i&N{^z|`IN=gy}9lnmj72+mt zprkpD?YlnNQ{tZlcXeNIa{6Eo7L@Xa>H)?RWN1158gua%;m=EG=AI7;u)i2pAcxh(R(R_Y~=W=0a>(T!2!H^@XFz@mWC4b|*D3|#IAXBI_ff9GCp!z7gdsafC)4l#`0N)CzpNw& z>Egv(m_fz0*Er<-1dH>-p1d<5R@-e2?asn z0xdjThNkgm^WkY_R?H2 zVUK1%#)$p4dT2I8%^{%h3L{|9TPuKhUe14zz@4CI;|6CXKdOe?y$2pGUIFECnhicU8gIo(lF~eqQfl(At zJm{bQcth*T%rw4pwOy;ovu8j`1*(YFA5!Gf69>l@Oe-K&G?iMIQQwyG239rez7&k8 zYsL<;pry-uS(vBQ?2xpVh-c4-t)dZGrHF?Nk0>1#I( zJCY-~4b)54(zmJC|MA9jp0YUBn6W<4{g_|x(gute(G+dq84lbseyPd>VEf{tjMh16 z&hAOYoRdzqn-Z=}JM5kq5D+5_>G3GXhZUC}Ki;N$a^{Q6`V?+H-{)S~oMO`{eD!qY zD`i?9ib0bvp!w2(>IX9z%a!bCZJoH`M`l`@3Y{xXR$YMhwU-cAA4W%yBtPP0P4 zKAP+2<4>}YX~VR_G1Y%SuP>&Jh%Rm%1Lx5YhqeQmiWwpg>e#vS_$@O~8J`7aghQRs z{BjM54x=&I1uOp0r;i{1TjOY%ZHtXQ_Fp59ja6*kyg3c`nTr?G3yXKx8)@E{X`~5t z-4k}d*GAtOsae+zmb&m+%k`HWsC4xg%1Z+wZ)~)fCqOVkC+P!IU>S;aA?TeAjg>gs~Ejyx5jyJX1{ zzadA;s+<;2%J3K_eguL7f{OZXBy^ONA&{Mszu{k$&^$ z9s4*3nhP-YY!B5C{JAKC3Y5O!{3=K$DR|=HruzE60D1Y^mnp;iD2elbLXBMMrs>_; z|AX1}JDwv0s%KJ5BJCXSZ^?k6_U{+z|2WA^nZAD%PYgy3j+`7mW#9fT7Aqgop`Zrt;$9PrQbkmuCq z{}eojXs2;g^Bi71C?Pl3hQV*;&Vjef;6nZUsrf 
zQG6D0FT;jl|JBrSNqxd>aN;W1^~mDSf{YzyYL(Q2Pr)E!SL_3oIgPwsQ%A>huXE>{LyG4DZFFHj;GOM#REt4a!Z+5YII`h$l-FXz|-Yl)7t&7`|o210%#)v29*EHB^^qF`Sva3qnL zm_!GMF{9KGvhnhk?n9vv;<2Jq&YUi zAd$+PvafUy1&;Wzyuy1~_}6ygD|cwD#xEpT`CS6y2SG zSaZOD0joDSWgpCAr1Xji4Um)?T^?-^O&vU;c-uU2i#I4E$wkyUsDsxrECRHe&b+wB_$;lRaM_TDmKtQ;~W~UzjQ9|&+p9D zYX{Qj-L6&NW_{sCRAcnOChO}wkf9OA>G#a(-Mcr+`7;FtbvJF=#B)8(85?#+k*dg^ zxmdmUhaf1#`^L8)U%qf*?9TG?naAhVd<$CX-G12c;a1-9!p))VN}CfFd<)U8-rCy8 z5Xav7+Wsi@6;e2r>0c4R%EzBl4!%hn*6}{_vQ@~)&tABog07_>q!K5gV1h%?j2UA` z)*CcjMWLbi#(U~KfjRsmf)M9^n zx+)ojzI)i+BY^ug5S@FbQqo^?{<>+~wyQ;xQd3fv5;9JMo|JvtKk7tb+TQ!{#ANJJ zZtR{rGI&eK3*WVCSJpeSEZoD`Qw>SVQHVMn-@Sz8OXgAJFIMKDQTsZLtZZ#j^w@_{ zt#ds0h@-)?XMd!D2XM0q{icA!z2o-5$GPre)HAkbbj%_j*R4Ht!LWzC{{545R{Hem z=}E#2-`(R>R>M4ih+#g?!MQ*`Z;WpAZ<~OC0K+a_yx*RSf4wSDUiiVTWnv>n#iA9~ zDX^+r#OnRSXzmabS_GZYZ0$Ip{ZC~D$X^QW8GFAnMLy)s#uMWW-n|*QYS(}PQ`H(Y zSiWM#ijO00Dd_-vmnA0~l$DnYsstpA>{xXBR*4pA&clZ33suMf%)x_JG7MK(SZHnP z>D<|7wx+SCMMa%WE3*3FyM`5rP;4tt>G@*ze|RW;q}&Ek_!8Ya&F`o1~h zH}~PgV|WlMb!&^N2Bm=8q|<#zt>JG@ojP@6i?ijG*ANHX9+_;+38y7>4xXZ}xM;n_ zu!D8^T^dL5Q1vluJu_HWN2e8ERvZ+IiyL2EAuTVtoys?%N2@*Nt1Bux_36{n-{0S= z`NaP?+ED-Xr+h#dn(y5B)wAc%h1lEU5KN7O*iijNagxQCFY3S+xN6AoDpRHN$oikE zsxUG$2{Iq{Pb^xp)LA9HHqjrc(YeujYn7>(xZqiBhs#_Q_+#SrBf)RHy_)cFODwU~@J=G6NfR%~`XmceQ?dCXzZzBP*^{>7blWT| zHd+U>+&1>}bl64u)}huDGuNzMy_gSTbujPc%a^Ts^vH2EJ2c+FL}9lTAy`y$fm)8O zG{!Q0_!ktkB(vSk3(K3~_l(24XZ9wNY(5Rn&L(x@&i6xo6~4AVS5n5$j*T>@C>ffm zbT~V^5?%k|OV15~-QJqkNA}vR*F3i=>mpz+AW5|I9}sj3kR7Ks$?Ro3YYbpjeE@?A zQ|~}WNjkvJa)6VQX3u!)qezZI*5jK}Y`~63{6w-_AF9)hV|D-c0^Vz8moI!aN`b4d z2R8%!DJ*K(AaWV-?g6WnV8UWQ5PL8L&z{6xG5g;idwg;}Q>PD1>%2r_7lUde-MsCs z7eQ(UV>+psrZ?B|w0oU{>B-5EFKV1>Tez5Kjk?(-ydnJEWw3AOu#QIHnrCTaM49ZJ zbpTF){}u#Aa=V;|fMJiYz(n1R!AoL_E5v&wDmIp0F#PTm?QdH)4jMD2B?aHSPtR0& zJ>GBnst4CfD(+8(OQH1G~3t%=MZyDMSAoJJUS-cwTOBuNDo_pot9@sw{$0 z=4C%IQbo7r+&iyb+}AqsdB6b(@1nexk8p7j=LrcynOpk~+4kf)4>fk&8%hy?st=oM zrg?>1lve3CZ@v=lGx^xD4Z&l$R5IHGUY=k*H@tYoWC#-ms#GZAmVH^IyjZ3gNb6eX 
zlP?t4GkEsKv9D410Jo7N>yeQU_?rfl0hbr>b@la~i;UW|$?`ZU90$SI&C4tCfnL$V zns1skjr%)ir5bv9dHHS{MYAZdFifdOTp+mzw%c`aa`eqRnS|3H`3FQY;EWTMRH5*ycood()=ZRQ)a%MN%BrInKibvgY>IwokoSnBML$%f zPUd{?e6O73GM@_7d-&^@XRtrPRRz25-nn_R-`KI+OTN4g{3-cXS23}qftsm7xbYC+ zAPJsaK5-87TGta_{iR6HiGZs8`=2*0jucc0Hkl)}G|8Dk{q8 zbiwfsR1;v{kRi_BeHM-2udGf;2FXD_O0u>H3 zosCYTMk$96>rf73N@KUOajaLxFWYAycxd@+%qS~g-r3($fS;pPL*|FB?}NsKKg!Q! z(*$0XAG)rMa2)o!tfCWXiKyXM$E8TWNfSHnlc;NBV$`@oMz@;DJP=3Q;8r)CUmIb? zwi>5}Ynb>`zv5CLx>N>wGae1bFZN#oEOFa0(j_yX^|0QEox|w6@RkPpR^LKx=xUae zFfKIf#aWlO2FwhxTy1LdeV=OIA@ToREzr6(PmSgv;y*J4v58Hv@5@Jwte4q|l@W9l zY9u~*pMy6pT=Y0-yM^>GBZaX?n4u}7kYwU1V@_W16;5DB94I%o*pZPDgF4t()zBTj zbpuk@ySm*|2<1;nmR@aU)S(xLj)ecbn{POa{9j)Xy{Dd~7{Nz{)0`{O7C9INXP zb;-CdU%fhT#KO$1ABE<*3FAv=9v8@igBQ+;?o0b%YHIp)MmINicdq@)j-J z_`}THybw-I%uP4CEb`pNSUar76Cdk4?mpLk8$NsEw)Vp(e5vs1eM+~yeED+6y{k5t zG#AGPMhs)X>MrapCTfefa`w8)O&Xu3rU<1aETLG?GyR5hRD4oW9L=4Mjtn|yS_K+2>GZnO9)25WLKfe?AZE2+2q=_1F$@?egXnavkt4w-c(O}Rar+MGgQs~&F ziz7vLqVjbz5Ce`P^e2rjqhAw9f*OHn)E9o+^wa?F(H38r(7JZ><}#)XKjw0@YCeSh z(SH1%Fi8JCbcarU;;3FXZ{K!wb6f5DW%`>OT8-A!su@#(8~{=0WI11rDy#Y~u6iVs z%HO{h-2O!eGW6IC1Cp!%{lS#v=a5$Er@J!5NnukkLC0i0BjE`NI>7s?E`#W_lVJur zT3RmIwyg!FR-uY3n)7kv&uEYt!kERZ?-4huiF944i2{2M3; z8-YN2_D07C5*(9Z<$JAW1j+!L8XN8UF1S^4SN+Z0kssXJG~4aAR5aSdmO3x`{=9MekAyC1_S=5lyL(sUyB=TK4OBW36a2y`eb0pX z4wO79-|vfe3j87NOcSzO?BBI(ImP4|PyrzA^e@1EN&u;hx z^WIv)I}84EZF?=I5o#U)c{~j91|EOKI%B@b-0Fy z6y5`xuS-l+%t>Bu!K1agjWV1J|CPRi8eIXAX-+_)1ITuOyFz;@fHJl3!ja ziJ$U7+%#}bpAz<*A1|iKJ9p*5Id-S>Bc+-jwaF}UB-k_rBGe|aPS|Ooqf(bf;|$OX z7EMc-AWKL{$oj!vto;RhT4wu7MT(3!(`9I(aLn1H@j5kKy9=DRWq^zJYgb#wKk9RoOi#E)k|e@4YAZmmo#)64B$1M0 zn2?y*7Yu_ojx}xlAX@?wR&Ld>3y6_6w;b=cXdKkE%tld5d`(ysi|qC^&bD1UOt(JE4hN$^ahwS>C?csWA=?ih@Vy z6_Nk6h`XGc zQL}{o{;muJ-w&28F=9H(OV#iRVhl$C1*~ifq9;7<@d>Zo zcjbg^vAeK-@lxl49pplEN+KH|6FcOjRE2Bo6sJ@Ot~xUN9T~aeQQMw9nd2@F|c!DACY;x_fa}y#1djPW|kLAix%Z`72h|yR`m*B0c#%C&Ao1>ud zsqUCi1~fTtq^lVIT+Uod7bx$TG*e4~Ko$v-(+UuS*m>>t?d6>Q*|TSF-@EtMEhS$~ 
zyWfB2K4dQZ-dVQ|@)iF5;PUD1Z6umnEMBst77au=1*IQQ8EVeG-hFt_Sx1gILZb=O zG2{4WUAN{kzyl(2VBya>brltt6jxk&DD|p{j*tn7%QjzBP2Vj35kE@r=-xeh0v_(> zhu5oDFW_NAgYXiE+5h(gjIr31ZuCsuD)ie7HsF-ev5@@=iMW~dCehPH;1%|x`rQhd z1-yLu?PlXK9!-gOOQ|jWs1F3Oq6^4${S{Z7c^nLH1$Ai(>4K-QFS}CfRrG{S$%|Xs zsl+$rxD&~t{hklrei~AM>2d%V)?bJv#OkD^hO|+HEWzN~wrxw2Pxi`H zV_eougiuht-w+;1!yxG7v159KCZJ#mr^k-8AI?yxVY%PghdR{Q1hc`b@bjrcUYBY}MVLj7!T>ijz|V0*0^H(OMpf zZ&ORZ@RA3kkIhKF{qxX)1MxY1CQ}#>c)#%fbIxD?{W=C?dIQ`67S$m*MB*(53yhwi z&h0tC$gvM3)61QB%A3?Ws@kyOdQ%m9&0pA)49MQvSwz=Eo~r-n=J1Q%+atqNF?g2Q z2tFIH*QaQx6&9mEf><=@(K#A` z`0;zF<4?$N{iB<$19yF_Bt87^?~^CyHeh<=);!nn(ksws7Gu)1$Jj2QYkS;JClk8}Tq zB4habyVG_5zPx9fW#$SZTkPKbK1?S-Q4I}!Q%**ZKUp$WCj2m)62nk|Rv7GSEe`RN z^kxet{rfGV@@FLWR^TtB9(ncVO}VToLKh)TDBMUL1$6sLkcUiL8!w3Z`*-YUb%S#R zUP?bANATE{2=&IPiyjNYeyW3kH5t?#yRWU+MSKSQZ-51=fP7%9vWsx%%J_f3h#ao~a&|zZlHu60}>tJ1a9TyJ&hC6O!HUl7GS2jmbYV1o3 z-m$_ZoP^Q8Y|g>ltDPO}3P1%Tup*+S&U|>4z8Tcqk!m(@>XiTa$|>%<FnKhP}%l>U+RES37a;V21mD3 zkTDPXO)(<97W6--IXmM2oK(%$FqF3@ppxLxl%mlUhac=C^uA7x*SfO z=j019ngrF2rlRq0NPJOoH-^aU)~(xE6tdX*dsfd-F$k{v_W=HTE)5F-ko1q%uV23u zD+V#j?a`x$OeYB(BY^LbOSm(Gy~c0aH2hNQw&52Z&_T(n7)($FAn-^$YZxB-i``7H z@QJCV! 
zk3r8^h_cjfcKFgHeCm2Z0BO278s9S&RdVJe zX1DCKsDQ&wBc;Bj*L*E5Ur`HFgPD*QMaLE*vO;HlW5E^;JL%aocJA8cM+G8MpB{7G zMv3nY5;xE4tp9oM5eryeP<|va(QD@e9;_~4(qGSm7IDf7^Wa5f?wY{@T5HqLli^XO zVHN>$g^b6vzpg$7ii0bhI~KSS~`QvZ8S0+4{6<4%|+eI*%Sgp&B z4kU|k3o4Xq`*-Hq+VJ&65etOd5FjjZnyk@9!!?$4o8804PRF71&jwH$1VE7Cy@xF| z?OrQMVd?prN>PFoFIYi=fF;IyfOrQZ9sm7y#t-=&`a;=dJba7;Dl_jJI!|7crL+*W zu)IF`W*aw}%;uXl={BPkSw9>pw70gCApr;!#5W8ua9qp?w{bzIhA6R~H)( zQ8h^Q0HYq4ee1B&gh7K=6(o*&b}4K66C1*RZ3Pl4#@dRs1pWERH;~Gv_TH=Iy zzAQtoe0#4G@(q>!BhoW7`@zzI*o-Nb;E%PurbDxUao5K5B5zR7XQ>ZPKmfBTsnf z&c9BN`m-Vc?S^j09x0PRzNIQfy*ccwsH|zE zB5`2zDBPv;pB&<|1kQ*DZ(hDUee>p!^l|GVsi4Kb zFjnM0vVCU*GOhBXVE}3Z|4{Z0UDD<8zWThE6*ZYu;A-A(Zi_+e)Ze)8LUVZOQl{g=$FMJ;zcN(0#qr`C z(&vG9w>pf{Zr=P#)Khaav$I&}2|13U?cj~`TYE3?9=g08I5;0<9(hyXt)2Z(G;Y+W z4C-Wnt7|wqHU_&s4^*^^a_q38=hFl)7TJQ1GXdt9DYGN2$<3orFfcL_g#du=kd;5oEe_e{y2APhza&8&A&vS2#oDzn zoB8Rbn5ZCq8X}2d?!q6%s3ZsQpjp7ta*w9p5R_5_D$86{~2n;wp{O>EVE^s z!NQs zs!TnzC0Jhrf4Mepm(j|6RM5b@LufNQvggLP4}46w1=Z~tXBn|$5se!S)r{jKeb+68 z8z3qdZP|-ks6l>vMS{xC6$4Yfy)Gwg#sGz3=jmk+4LIINDAyco#q_BQcSG}P{|jq* z#6mxj%)aJ2y?f31#Wo4I*cIG@)|gmQKyk`Fs;>ojIXS78i#jN=OQZQ0E?olGZ#wiH zz)hl3LPAp-3hW)=r!P;6i-}2j^1TOAtcLV?OE+(B$`FCc6pWdyMGi@2vvbwpcp5Lv zox-V5Zg-nBTqpAE5@0{Xxd5G+ajRB&2e>(bN4MTySApSA0LkB1O2+7%8nAio+SYe| zGhku@fv8C=A@}+pMl&R9G+|P`?jL*IBdD*D^{=b<0V7*?G~!NCcjOa7lhf0O?a2N6 z+~<1MYsCNtPhsu%lk@P+<$racDix9bE5@!_UF7xmze~Tu(@p5nc0Q&~g5}^TAVTq{ zoG1QrKcR6L} z7x3jLA<6lJdj0x|-P7#vDZi|}#CFOFhLZU*k#OQA)vE)xzD#w&Z$m&tq*fwC5C;ja z82BlWjUp^I3jMyLMl~0EZ|ORY&zk7iQuoOd6kK(aij~*9^zjN$D4)^IuTC4e^oSqY zk38mPQl9aqV4&6*eEXmq`%)|dG)m&@#eNfJQ;a)w5Y8@n-@XQv1@spA7cZ*vT{LV) zKl~tZ;=rWqhT_NmLih6D@V6N-w)hw#t`U3BHKMFpSDqHomS#?T_(cT)kJu1+s6Uqn zzje8iz$X0-If~<$-wmVQlh}(f$D}yKDxJnehv*_NMsR|_tDO1U}Ogx?{ zSx9f6wbYrm=6RPw3kQVU06j|~ty^O;NE{SqnT)P_Siu(la@-vJG9UQWo>Pp#hnd=1X-=VRvGmd%}1!TApWZXGES z%xpVD>(C_n4S6Y`M(X>X^FFrX4=V#o()eylygmB!(oKdW6fph9B7b9O_kSp&&YkyE z)?GwOBK?MgPG`O6ME7Huo04k=OPBSK!_&j-^_V?r<+dU26xtdffH0M1SA)y4q 
z$MU%aO2c0%KG)%2OZnOqF=qivSEFsGG=TvTC9VW3abK-&of9y$^Uc%i+wgU$j{#Z+ zB(7L*&y)^y;Gw0?rXxDGiH7uIRKk7ld9Ahx!0AcL(XfF2+HrOiPV?hLje6+NvXv`| z59uALyeQ`7lAujX=)J|1iq5;R*rIz{L2+@M`_)KegbIuky=w$#7?}rWeLFxU11z?>C)#d0QvlYa|9~x zeFO(a3Ux$(GcW3lfZ>;&7Je674-5VFu@(ve5%vlR!n;U;>Sszou7)M5Bm^$rC;lKd zV=*vQUQ;%_8+`2kQAX{Ah#)gv{&6KUnjUT}e`DsGIE_#KLi7g+tNm{k!m*ur7^{Tz zM*RyvSHBy9d&KdgsTqe1&3g7cQRK9O_DH2tFr^^+(fL^Dl)8Ed-* zEU{Fk_4xn3lFEzyhzztp^5yUd5fcgalID|rx$z@+}h6TkX*QM#e`;W9-r!oW+jUeZGewX z0oRr4);-Odp?&Q>N*r@P36wdYR~(b*r}DS`ArdoFWRDcT+|H*v{1Dy^RM@^8N2@W5 zYxwA5%6&U%pucRuV=^lr-vmz2{!Sb9M6tp+6d%yg%xp!_7_PZ&k(41t;qUAvZ6I>tSlKZaY^+Th1mDyk3$N5i|yYFk+|hvU)6=jXa#_bR2X zRBL)Ph1yCLPB4lI|7LStGO;3|RPoCmys5M5pPH(MX7es{fW5`wKS zInbdn54MsMZ-t&DTPm8rb87Cx*T5^viY~ezkEzAwl}}j(AS@K8QL7>pa7`+wEsT2H z&_WGeC=f2IZN_pYZhq5Ua=zS`?iCTq*yfi`F%FNKP$D&x)}<`J;gDa{xlmAEnKi3o z5C=2s2O`#d=_5&fOkN7L&1`n;R9FCh@3~1>4z)lqxtw%-8l`=cCQZKK7_9dzY+zpR z@YSz{^-FO5d_M1>Rmbcz-1xTv?_)ALMYkE4z6p;8dWRL)=Sc24x?jDo5v`cKb~s(B zJ@^VuM7i(lo18y5L+2f(5T1%%aELMZn#(Ad*cJ;W1hE_Y)4tsajBK9$t_csVFQ11; zP*7M{MvxNiP2avt?nd9(zm@Y(tf56c6ELu&PXs}T&&>Hk@G$Pt6ZALiHP*%06Bmm< zvZbrCyuVEQm|1t1CNv>4G$PbXA`Vql8MBj-^h&O-t{+(n+t0-%^M3JWlCNy;Lj70t zj`J;aJjLP}Y~?U?I1LQ)@zLBTPNAzfHPAHxPafBaUYaoFaF%ALO5Sj+vl!3wK3*%x z*~LZd0DH~B#DXj)@ zm}#CGqGx&e=8YH$$x!T@{AcvtDo}@iF3o2=wutw=x{t(V31QV73o73q^^WfHpQ&X_`|>k;@3I^2(6=6u3jw! z=%_@lWOcB22d1!ca&m;j;3v@x2J)1{b<^HL3sCNqzRU4G5~Y#SOj^k`(G$wtyaSm3 zcLP$ix-X@V40enNHq2kUW=(3yZ;K9Tsav3syVpndk+q0)0aq28k$={a>D&{pIQ?@Fbb!eP|zKPmrJN=P{ zN?n2OGYg)O&qY~J=i>_@Vztt1G)d5sHg{vuwx_df7q3{Mj%=^pmvN|{;@~l&ujnl+ z&RjC)R7eD*b}2v#4M}~d1LK>=3hv=kfTGOs<~SzD)aK6p>U{IYiWbF0H1B&)sBf8? 
z3#ZK70c@$qkSmRA+nXDnMG!Ob0P?z83tCP#+#q_|bK7AWxel|dSR#A|!b+T`Nl47XG$7_6YAHpuimzE(Sv3i+ z65u)7(HksX2A}8k+U6QpgzL7H~9@IS^$FKex_3UGh%{5cnO+4b89PyUSiaJk%Xn zxp&u~bGfAR#Q?%wG-d}shDtCrxYh+!#TE{EN?*oGJBu|E*48t7-v2-O99t!k@xC^jB)^X5ksKDg=j+lks*gaRaW2{K$@N%sulhI zn!!L%EoP}8zhhPae)U3)MDelnX}gRbEa8oRofZg*3;OFh!l|AU_8{R0M`=&92%i5T zT0<=&YQ+kK@vRJ6i8m2R-I8y{(#{heMmu>QS+wbeK?5lCWhG|{y{Vw0AZbxk{;<|b zbdqx03wCF=KzbR0dc~K?aIMC}%z6ZJ4-8tjt^<@_yJ+hYEP`8q=`DWN0VT%ic4u-H zx7fXR(C#%SPxk88qemGq$jrPKR8pYtOA+DbS2AllyQs_B&6mSuhO?-Hv8KC+M{SfM zFm{@66b*C3{;c9ZXuTu5o`w7e*>QcCC#MQwDd2$p_vSs&{N{#!uMM?@Q$)hI2OVVv z5qfs{5!3qHC2Ih8Igrap%aZ&QZGQbxJwvY74Jmwt(H$b5*rjV~)loWq`m_Qz4}IZs zDWg=@KceK#zkh$YUs5q!p6K0;3NOy@)dC0?>4tq&M?g#bKot0}$NMx4cr`aJBI5az z{=b@R%*v{XGtf|p3RxU%V5+L3a+(6R-~n%z`a3q@Sy7bpv+SL{ku`weDcDY!a5Zd{ zrx;xz<*Xxp`|!-hhcE6=!RT0l^OU%#ckg8}@1G4BA=d{*sm$oYseSxjHBp#kq0^Zg zpkNH}dN*1ehGGd>3`8j5FC%fEF{5QLP2TfMdts_gw6lLvLN8JI{8D3a8@$9?NpS-@&-)d;l<=vqQ_+YxS3>M9B|u z8cj|evgbAo>G1RqDF;J;*XWaUWLx3RQH)7~_ahfVU25 z8P9+ljJI5#4C(=@FCc>0;xH*8dsmzF4$)y$X&x0Q`w5^6ktsEd=u^%& zWfoVPEUNit30>egY##aXEMHW=vE!?YOoSysIO{~Vnbav`uJyW%QOGbTN5q5lyK6=rk`hNgrZ2aht?SCs2xC& zP!8grP1I~MZcnkZ;z1Sl z8@4%x2Yb^fqr~>rNf4h@FfDi+B`i(2D*TEFS{k>)g$K92alIDy^_j^lWFViOMCvAH zWtAB4H)Deh0@tD|YDH~+qYE;51jOru`i^nW6uX2%t+r&x@K4_WqQElq0Rd*PMlZc0 zvCD;;u4{oakRz7!f7|a0(|9s!17kCa003Bl(=5fDb5yTK-jTTA22Uaf# zIo*fI4-TvqM=R3(@ZrPTA=tqm`eE1rqOp9}t_j&nfiBL@^ zb`Asz5a~99aM$*Y>Ip(E)y<7|ua_;}wd-eQds(5*Pl@?i#qdYg)CXOTJO3v0^G}UW zY2`c~<5FHFfsp#&r-S+h{CzlLc1}*wm#bvE9a1yHML(HcRc3;O>?3|u03`P473N86 zLoX(KqKh_kK>{@|PTGsUs?8A~i{FTBiVLFu7QeI*$FE4}Rg_Dp%NNt=K^qlR%KQ&5 zAu8_ChZW-yn#foNT}r|nN(F|B#n?c0YewB+6PL#kxKt_NBi3}FYj%vCSWEWFgGjax z?@0KTDSEbj7*|=fRo3pvEmG76ElKDCK!v9roww%s zSwPH)tC?O+_~sj|9-@<+qG7;>4RS^mqn@qme!YC< zY@g+SYKPj43GkR8#ycn*K^tW(4jQ=CqOQmRhIz$X%_;SjVd$e!Em`#L$$QAKhf z@~>Q}58HhnxChB?@w`ErWF&c(1%0R#3UP#yDHWQMS^(QRwH$!dh!UXQ`WvsdX8X8K z&s(RMHRon9NW7&ado}1!{+TmNX4Krq-H{SS-{tgC+CIoS9e35D^Tw_zYhaq(3PTJz 
zGR%HB9M2_6`eA@5`>>yP9d+ZIZIjPWn*ZogOI`iapSF9_!XtJzNHz<}yxGOA1q1@S zRzhR49H6`Q{v##&@xyRo0+)m%>6`upBEBR z#{9`YGfNhhm7&#dHx50}zKqC436)PjaSaT2_;J~AW!Sc@l7vd))pb_T#Wt~4<9ek$ z)MotD$lhqSdsND`##Vthhc8%gb^O0tfDZ&!_SUX6n!;*L@G4YwgkG6UubHws9dR}W|$J7W$BFyp2MDo`4V`ajE zB55(_vYech?79!MpBb1{!~&Gr^T9>mWuJ@g0HLGJ=4KzfMy7^KJTm0!L;NY$Ow>ddCZ%Q1BWOuyvz)qaZ+YR zab||w&0k-@!sL;Q1q)H3Fd~TsIa4o3$-gvO5bzlAh*W^0pK7K7nwW{Rc1M@bA0oZYv zAqeTS!9t{)em;zC;l_tt2Tkoa_xQey)o&=R!nc#mAX4hE5^we0^FX70YYK5~6+#~R zYv!rBaFiy+Yq=LbKW3HqusFR#P!b~{47Z|GQBH^(%xttsew>GG=Aj@bE$0dAv`db8 z?{D0AVYi+=&1Ns82-aB9mcbWuch4JKFIx7Ct_LkUc9aY*M~_D0 zi&yYwW>8S_$;i~oC7m-!@r$Ys-?T97Iftn>n*GQd7`&hl22mtksohR z6n%VlQTu?k^`rUi(R`GhYR>r8)vH)E$v?H+WA+K9#`$1E3O@(6=FOX9njl7XlylN! z%0N5HT4ctpsNHA{B`^V$C_t1HI`}Av0!O~7n)Ay$g%wq*2l}70G8L+(vIly}?tK)&hD`%SGjO@u}DMXdZ! zr`)keJNS~0YCQusp)HlkwiJcFyi2+{fegD$x$E{$y}&hk;H?8sz1M$jp@5XTlbSP; z0x6gHQOGnH&6l!Sw@2 zjx*$uP0t-3JWEP zo6WSnv3iHQX!jmAbm;HiS%Xjs1grEOk=A9aGjrC?X}_>iOJ;8S@r2LWV?(lJBs<|9>CbAN zs+M#>9K^BIG`D8o@`}9J%; zGcLt;I31QqUOCWyOT|2d^)Y7ck7YFY{o{=Vm4ep3{> zNtrD}l04w?iwX(unv%se zZH3oA9$x}g15J*e!;utP^}>ayyXVU*ji0xJH6-#GKN(Df=Tj6E7s2-X)$%GapXrR^ z*Annf7Wf&Pn24qOw;x~3DmPJG9v|co^m)y5>UGk1ijGq6jSfSGh@v^6K$*|M7K+tc z%8>R8v)9}1ZI3)7VSEI^)8|zvhy6UhN)D5oLY-3*x2wut^ZpOWm>5%RfJVMNi{R~{ zwVnlj(Tt9IU#d#6v5o8FmD+cilAyo^zwn+L;Od&HvIyL?z&``#U_im!j2`>OYTfL@ zJYc9zo<~JB6vD`nTaLw1ml(1X=fx=jVhaiiqKg$`{ z@8yc4skC`Jhn-MS5iYy7ha0LNCrB08J;y<=zIqsCVkLW(Yr;@GeF@f=V*HY_sYvr+K6D$CvL;yQ$p#$CIJPI#x>4#YUPj z@WT5~alV8{UK@C(8_)pB)xJ@fU@vG6iSblcXN!u|h_<3UQQ74`${H?~lja>4!`{8OPU2l|x_l@4>CEF+ADaI7 z_L*EQ6GQ%`^`6g?IfWQSBjYg}cC>SHQ^rDdam^HMZ{aw>@|pjzW#mzS@Uk`z zV~4x0?e8gNO!U3V;DsNiKFMuPSl@9NoxY6z#V*xqiycDrlp5Maw{4bayse6>z^xzR zQH@iiZ28!MYE=decR!#0vUbB=ZQ`lXor4c>fAClB#%%h)$DlPehY71-O~rWid+)J%6>RW-FWmj+J8s43wc80=+sn0t>(3DlZAD37phN7yua z?}NV<*TZBg2lO;=t(Ize%xhz1$MXdRsW*OYz4Tmbe_}hO5(XiQssTUs?A>P* z#8yMC(@B>R@w60;824Z`aMSC*VMohGx3CUKu(Laq(MIih`Rh-s!uoLIbA4c=e=jKc 
zGpvpJr7*pmlv7>ojreYDtrA9L2b?=L;8JJRH9npmu&Eefr948hR}+Q|v#5)0)L57#{Y5?rN$aPh;_Nr=5Q)UcAuK_Q23&;}grGcI#+~ z&yd8knAQYJ6N4cDQ``BirU8EmxbW&}tEHoR4sQhNWl;MD3-+|da0Z2%06j4BbX}cb z5fn(QhO3!9D;j#$rHS>U4`wme8y=2&=I|`m7f;i9^>yPDuN#&LWJNo9eef6LmINm- z1sV2~SrhIw-L9{npPlABUECAsUTz(k(eG&7zSmXG1prd#4F3v}*3Heh@>@;y>tl`q zUZjzzJw2+k;bRakx7!!pVF}+s$d9mVqs|1F4q5Az*1_V&+j|>p|NNumevtw&s`5VX zKr(E^zCTDL3Q0vq=G(8IpN#XpJ+OlRwz(X-*xS{Hgf1EO{~8>FIZ=A0D{`6QatP(! zhbIRH;+4B;=*#!W@^Iv^ot)Xw-w=vQMt+dgYKugWmT6qsCC<)_Zy$YS6%jCz|Lm^u z%0Ip?o#~@98EYC@87ETN_UAnT4&97XyIqT7Yu4_0`^+2iBMj~Xsu=zb151lH#?61Z z#4YWs&qPT@AZ5}${-?Edtw-t4xKag{2g~Nr2y2z+eg2SZ6Ycym$fB*~j+3Fkek88h za_;#|VLH=|lH3+Op%`}x9=;HjgRJMOYJwYAH0u;R?$ebtK$`F;Jj;I5kmz2j+fcpP zZ+_Wz5i)=ysA{zI#FeBBMtKrR?uO}^M+bqrvn)b{n!G?00C?prDpWJSf5&^oHDoaPgNXif5v+9>tKdF=?JAg zvhD}|5{34mvKnM0`VRGQCv$t36s$@F>KDBW32r-i!`R$h%q!qT^~UT#b3%(Ex_p#{ z8hy-OKKV+KBX<#ka7(xI{JjHVe-=4!K5|6N!fWwRqVHL|=Ic7Vu1Z<=b0NiI>F*R3 zXd%XZa!U>x%LXQDb1WFlzKo64 zxwg#a@$;F-%g$X43p_H3!omLpK?uT7R)h)iTf>HGtGrI|KZ31ITdSMgE|XEUizkmz zUT6=ic4drg*^KC&{pP*_D^3h7b<`Yxd|pO+I%v3SnPDZKIK~e!<*>e?Z0f?*#0Q6Cf27H37EL;-E*yW(2>!yf(Uq1^RZ$0SJwMe>M@_$?e@xU1(Y90s z5breq{DF*1_%NI)H;jExQ)-YmM{$&;k0zT0{P ztAXh!4!WOiF~Fr@ZT~4}+I-a9y7ql_Y?GLy+@;wx75T}DPR9Kr&zHMz83VOFE;iD} z@c_Ll8#`ocfOx>^R3L~34+C2B_8Ymz#%6Kd^&2)V{e7a{o34Y6bz~#R7QME`({;hY z^BQ`4=I47vdU|e|iw3yxO_QIrf%-*Y{wXE>_NuJSvFY7=)V_;f0cfMTfG7KD=0IR= zunt^TP(=z@@n>-Hs&tD%M!Jpr~{a_+k35l_Zc$gPx+ZHijWa&YnO! zwToQm38b;`KafU1v}te{=MKXUDi*m!IB#x=vL*K5 zC~xn!mdU%!zr(BnZY&}Fw;y)Ue&p~&h7e}h!S(^C)0w%H5k_mv_3_!K=fIs;{sBoa zu6hk!LKf5@^4M`%GcReP+FaZ3Nqqia{7 z;<#|-itcpSJ!;kdC#O!C5-S60d}5SUGA9UCEAEzTTd1p~B(#p0nGN6OIBL|^V_m_? 
z<0ud=e(9c}c4~}j-P-AXnW%tb>ID05@uMbv-RCdCwaVDkG{v=*)QCGid<9t6u=atP zcGa93h2V%@XyTp)J$SvcLxP5`ogh`ZO}Ky4#eq> zUrevR*P3&0Z@X&IhsoHFo0`U~nLH8bvDc;7H>WqCZO{bv2-?;0=lAKS%l=64B^53J4k0@*BAw11<=)$}Xq27zcE}nQevOXxoNm9sPd=pwS?6 zi;xNzOVFd`95Or$`tI8^w?$n4yC))1>8{eoubgSjSgLDn^#Cvqv2vhps?3E35Ms7X z+jDw)dKy!K5mEgN%09kifOa4HRS$awS6sJFOM4biSVx{E z!&sE|u@$JzQdM3cR&cskoUr;Pf+jIs18@-z0BOBY2}0h(@Ox_p6~nr zzWsa8$$O6W-p}*g_kCU0TI*UDz10?;{p=oeA(?bXkuY(aus9ze~*d$j>(! zYYPVXx}31XKqi{N%n5!61^0xzkdWU%vG$7yJ*~!|v{Qi;2!0dLkl6 zRb-0xb%5>Ippelx5f7FooR+XVFT2$*bOo zPM~qn?Am9T{FcIFb?1SS9)rdoh=aDy zmf#!NYAF|pfSsJsbU&ECAf!PW1cf|AhP*bQKLR5n))%>{(jr?0N-qF(3vL%%-Od45p=r>SnNRzki+jp=?N?oZ-~w@S@PhY`Ih|{! zw30_J!0JL?EEK_=%&^9?N|!|IHWV_bX5|o!$%Jndd8-~QeA@z4tFGP(!oK%q3Mq%X zX3sM^?g;GGKs)9=npbMb^E7Sl3A4uzn(%8%)4M$DfZHpnxslD%+2XQv>mGSQ0FUD<2zQ&rYUq*tDk=^@I?}*giae42 ztsQzu{+H6>uXlMMOkE*|HS_i6L#1Bkw9?Km|md zl=4LV2}=#k`-5ex+L`0)Wz#N&9B!vKKnLMFjO#;>care&$4{R4qGuQx+F`M3?C-Yr z_9a~5J90DB>EF-Xn@;MJTCiS|HoFrA5Nc< z=!J9p<}SN&bsA?LNIDA2^vwoLX}^YKnkEb(+UVz!KXElLM0%?armcYQn}V2+7+D~H zMLft4+HnTw#1XEaJD}t49g9} zSF<4~6ea35^p=8#7ppe zIPMM7-Y5495ujsQ^-~z<&}E%=>z48w>&LkZ0vlEnw*Z)fq~iZ4)Ry^0dJ=Mq^Rvlev_k)3GS?qX;O#RdChoUug zLoH>h_|q@rSfhI+4onWtpu#U6oQ67P!xeq?4JioPs=Xk>SK}cj3_}Q410$?Vw!7%0 zfihL+Mh`hNI_@53B&9P1FkIrtT%adFk$6e``;|I`IX;~VU>xVaeKNjPuSc7vvKnbl zsO+A07yOMa=+04{E0=HEUiYOl7m9*lJbE-zL94m@^i$^d%s<|416_q`J>2!x#+;l* z{vAe)8#ef0b?h1M=<3Q6*wA_NEeje#AUP<{^!~Mou$Jytk$aq*Lgwy47jX6RRAO}W z5_S=E;-(*r3q6LhGXN{S_PZ*XZ0e5m-^{oP1Hy@oXsa zOMNlGVMkcBx@Xy-*ugD>)lt3nQs%+1#xLULm>Clr64mze3!dj~n2mUBJggdnh@nEa zW@K8bJR=YpAr6WUQom3d@wJWs08tXqGo&Z|Q*b@I4|gAwXPI$Zqi;$afx-U;j6#)_ zAN>6J*w-+K`QX8OM3Noq9Hi`+-Xv$a9|a-8_-&JVDy5&;LPWoB@@sKHKBxa8LbNQr z1qjq0Y5`jV1z0?Qo60m~Z!%qq!GzEW^5K5-PS1_rz&*WBgYiMZXvS5oqX9LhUFo)) z%6FZ1X^sE;Ep+QRnk+B|ZK~diVO0{~KL#zJvRPj7kA9 zHbQ)zMo{i*Nz!rhatP4YM0)wgS!H?^U+JwH>MGG7I3crK2}ml&6&WANr6|(c^U!rX zk+6e6t^ZP89TFNM5KCz6a(-|#jFw%}gR9+9otJ?KVR29KZE!S^*=XRdV(DUh`VUO> 
zmgMQ*8-T3KQP6tw`#isn@$>ux=8}adZxImcBYB*e7|Hbcn_newl=muks(Z&W_P}*< zn|##9wC>4*NNdhN$HuRv&PQDjHB$?>Lr4_r_YzHACSZ0D*6XmM8~|a$U`&bO{0Vr~ zfrdU{s>#>!{*s8Vl~*d18+A*;_BWn2vwjYy69|u1S~t8~FbiWTnn1(D22ksf3DO}` zi-^xQQi(m+!xyFGS*t4lOcS@WbZw8S{26>b8oSYQC#IUJemw1oW%H^c=Q` zG6=-*5FrDin;cL+LN0!~G8u^ovFHQ%LyWQ0#*Ab|mMD4BuM0Ow;g%nR-<%S2vJEDoSw4J~sp&pxqs0N+W}b8c70mS)r)qz$jq z^ZRAyJ-Cy^tqcl5`qJGCeVz+HN}3+DqdNs)LinQ?2mwgxf+$QnhG1xI4@@WYEE~eC z47lq@esnSMHaR`3oE#l_pOk+c-rO{xt8DI@>kpKNPDp5@`;V`Dkhc*VZKPhv_G+Nl z#fl=OQO3_i34A=qIP0cOYv3HI|KI{EAt;~(fm~@#Q5Q~v(B-!-D(*04wTIYx53k-_HKgn49o*ou_#qAF3u$ym?{SD1GTE5yOS99{rtA3O+p%FuT9a&w z{q+Oqj*kb9T=Ns+cSj4zZlfzPpR0h}hHe_*;6HALkeFv(qMy{pWNF^jhMOa7p7?}H ztyi`XM##hg&cPc+Nxf@02miMc#9Yq(`?V@t`t5lK4?}k5fZ1%AR0tFLO+=mx_iU1b zefSVStjFO~hN?qD?XA`-VxOG zLN}3KP@7&6(){GGjkMv`;*7*dW6y-W$yqYLo&kn1J8pV}dxr}f0H5G9Z@hB;@= zP%lGfP>9U*=$c!|4h(KcYq0(4h1ba0&5YJMVw3@)1eW9xWp(3g50K_)je4AgQ4cYw zQPM*hMTX0M+#MrA7+u88L|PM|s# zRrrfTdO+8z!#*yFf&w7uN=#uFHsBFsp(Zq(XeZ2OB6fca;&Z}e(ym{l?m?K5Yn~|d zxV^27w2@v|{0^kXg2*4Kk{)2w5#ZY`k&o@SOI z5I|8jgoKa#0v7`nANQQc?D#RR+C}8dg!FlB9=8#yK{ADjC<&F%olzB=g(83hGGW{q zVu)Y_R|(?E1GR@*v%vEN4CHoLL<#f|WG}?_m~#_w`zBl?gjZa7ZsJh#{i&(3u`0{G z`Sl3kTN$X<9J-;n00cOQNW|gJkKv$_nBC_CuOt7)0U5|RFk>xD**6H42X+Z*B$^S$ zeS}rJfdum?EIrU5%FE3POhjJi>8<+@HKP$~`qBI#Ujg$a^Y-doSQcKrlLWmfbPX9; z*8e~9{r23pVra~*lKq11xO;nm6d2hm+=8vv%OrZN1S7)HWZ9|MlE7Qi>y z+uM_Va45i5BfPH;lqITc+%kFm!n0(_W;aO`4rmdhv+MX(z>&7W%Y>hSij1Vfad7SN zqmM8TBb_(6OIu+?4-}GVVuzq00S|By^;bV@Zdpj?yE26+9z!PxIV0iG2hNcU5;Jyd zV3IO4^H>higYOj%Hat_3NIF2VX$Pd^u$h4ahD!C^UV^d;R3m|cCO^O0KedSc1$~$i z{vMT{$MX~|UhmUKnxxaaFUD$G<>RD}SwUSstz`2}>&RXgg!vs#HMzj3W1b&Hsz-nD zAWStM6D)$5RgfMRvqx_I$|6JJxu7M z*QBWf$R9~ViR){(C^7HD6~wH2KYBf*n*mFcIFgtLh$OmaJmg1Pv;X5 zkk{3{CR*DK2otA_blIg>m^TQt66G!EXT>bWSHueyLMn%FMa`G>qYdy2!`3zzm_QJp zQChok#DV7sas^Y6`Oppp={KVL&=eg3YE1TH%~jo)7!KtVap)zf12hEWc6mbjk7g!m zR61>Ns>iXl9;q#SG`P(BcAM0#ZWtps1ZHJ2N2Gr)E*wDJP0}}o`1d~|Ayq}FhkhnC zCx?{hw2crdl16Iu{z39W^`H?cwLK^ev?d8ZyLp!C(Di5x#=)t!41#3RUJ3tua`Xc> 
z<2k2u3;HZF!50Sz2?n9{W?;}sCkN1UVS~UOcc7IZ-ulQUV%%gAn|C9FD?6A1IXMEd zDtsY<)AmEtkBeW4uM-Fvr$bphwpc1MH=-IPgD(Vyws%F0NPR-q5BEtjlN9yqhN)$6 z`u;mS5xN11frUJ@mtgr^9J`dCZ&Sh@vzeLs9rhPQe)7P;p%>+EkCq4Cfr2LR&)nnO z&lTNmZK-u%VKU1zK8BPE932w+8wnxWyH9X_TK(|+Zd?G*q(+v+`xf(Ms+j;A-yJDjbB(>k`BbT_ualnhKH;6 zZHEJTC1oC6pX6=sqyQcPVefb>6|JWf7-mj=LlTZK6Kz$on2UBb-KHu41m`&X4dv0t z4g#+J718rRy?P|U`m~vuqCi!VWd~2r4D%tP>%WstO+hm<>5d@<-jgOY|KWpOOIC87 zy+Wk!++xH^4;HPV=7*sig{GKL{)mv5Z!eOk46PEMjuAR-d2Gw_gzuA?n^sv+aV#ASaU-nul z_6&rW+wQQT1$iYZ1&C8OfN`w>@M{lz9Zcm0Y|;yo+=;`8>!Y&YL@+v_9wE$rnq06`;A)16UG=R8f2})qtVOBp8d^>tA`3%7idsD@Bx`IBL2!UggnYwpAVWyg zR(vGmM#RK6p?)G}k5Dku;1~cnrq)n}_atXHaRCHIB7%9%z)&^#y>#{U!;#&;1LA?1 zrjlgt4&JZHlMD(WvQmJnp{5>3@YUbrqcZ?VlmCL0-j(=N$$%AzeiM z*p;ND^{Ci#UVOiZwz73-i!P;ym5sP*Li|P4?gT=@ppFrEBfRcbOBt86#PYzRQF-qO z9>vu8fI`{NdXf=ppTYT4WLu&EFwF9!}iZHg5jQA*=t_=yuIxxBoyC80Z1FBHP+ zb^we4_%2y^)?o~KA%FcCxh#M_oB;F4(!lEFj@xvS0S^joj?!?NEMm|w_%hH)!_jal zDd||qbDYWcKyHYSK)!AXku;LFr?R@U2$0187wx2N_Z>_@r_$S&cRfMSCaz+@8XzSE z+m#M<2uyW`@@!-i&@ExI6-o({OWGqN9b8>chx?vD<1n-gCwYawKn6tyhT=R1{EU2h z38-@chblST5o{=6e`K-qzUOoQ-RUaL8445?V{R2C6_8!S-Xjnu*ZL{vkv_{i3jc8s z*nv5|fq_}BMlk#k*sBb$Tw=-yz1&to!F=6ORSd7VrhRp(55Qbw6lU@X0qDu)l#tLj zdAZs0)9bP;Dm{i}j)9LAC&1(zZ^}ixJck3YHqSn}X-bW}XLN-T$ zk6_$!6|+y)Z1=~8H^qVJnDhYn0vs`E^+s~A?!dHQB$R52S5OljP)Zy`Q~Q7oq8<); z;EtsQOp9+e1foadigGC5V5vtx0V1BcOo0CoBEiYg0Hm<&SkJ^i(Rdob|7nGzFT9t* zMjyn95rYBI4FA6|)+#&XKctKKQHvb%M$#RW)dEZ8CTb?EMw}WZ3{1RDI34&BcEAV& z1dZ^~&Ry+fPzP)kjtc+-Mlob`i+=3Wr*(jk9Uk7i_oE8s8|hwr1-v=6XB!PBgpPj- zya=^@8pt>dk58B*B-(Ed?@RN}Iy;{b@H%9=eg7<+gNe7esm%veC%Z4wV+loJi8ixl z18?JAIs!>JX%@>uCQU~9#$3A%u_`p7u_Mp!LInbg1@+37uLlhD7F@uq!~}BST)=W{ zwmDRRy@t|N?b%^(TONqGbi_CS`=a3H>OM~#Vesl?OJ7leaTV3mu++hx;BDa?t#~>sh^Jo&KzQR3SpIF1%C)AM$8S|u+5WrQ#@^H0WPeuGl?p9 z?GOEU3~d2Ytd_FlvWX<`xr-QN0M?3g_0472s>ng#fjd-$pVo3vmvjO*%o>xHY@JXfkcKVkT(mqSX zei=s{fbkIh4JhP2;{KR>zY&D=``uJ0Umw@gOLUl*JB+P}`$dM|v0<(j_zJiX9yQ@h zChf#RLdQ+?qmDysfn=7L>?kM~j8L_MnJIid 
zjE2{oEj?fMV~;)t1GtMgl}X-2jhaz1j~HnL=sJeU5}pCXpX^+fytwj=2#AZL>m*1) zj|5jKv82SMWUUg#2v^Ub`UDxsCG?ZxCTjgW|AfpCBj?n`jr#Si`LGs5(;6B`D1(}| z7nh&Ih9)*(*Co$0@}A3p6M9Sn>&Y!`dxQaE0$C-qkjO=D$7n@p&Kzf7(GOm>THvsUAU>5a}sdqps!r-s0sQ zZX9pRaNQTRYcOpDChfSG%daQ03JSzo5Q$T0>4uYb^z%i;aN_6ymp@>lab=>9 z1|8esxzIF=^p|h303J_K*a9SNt2?(3SDzEM{_EBy9d@T|X1YnqjtKVN(F`>YRoA{` z%<2G>I_J*9&VC|9DbqY?5naMW6GUEFMC_(Ean$oU1{(tOss~IRGL?mn4Ah^uqoXlBNpm3&bHlA-$1LpOo+O zXzq7es7gQzjT?!KLLR3km;y2%=%^r5C)Nc9y&415Ck-3hp2fu@2`~lYAnG)<4#!#> za$2;0ZN`BbQz6mvU{iV6M^JbiPD1-I^B9HH#sjXOwtfqxn?k=D%xI!eGsxiPlLY12 zv$!3asoA?i4hc)JO`Mw5tKmqx=3JqgDbW64jmMYgNby5WNq0NsphP&oJCg(=)T^Ym z6TBlNdTU9wh%1LV=x+~fowCI*Qr&=6oLyY_yu$#?k%NbHe~>mcpj|itzK(U%5KD$4 zt|M^3+KT=dXb*^!6MRg_BqCU)R6k#;groyIo#@zNJtWaz_NInlr&b%>nL;wtP@iM> z5LX3e%>IAmHkf(0P?wA;gs^BGQsQFecPLsv3=>y z=4(Q2RsSbdx=Ry=N)ing7k}Cn z*#{b)DK3D=Y(0oBzQO$jhVQ6(1Xt{KYLe+95?}FOlsHc#BxOi@Z>Xro!m=Zt_2;EKqQA)I?6t?{&g$A)T#<{*^ z&1_QfLtC%!UM9aWTjTF`@N@PfDI;7&z|NX0%VP(s-Iq{C%2ppH`Ad@=aM+&2zQo0g z&m{;X7(`P(U!K}UuTF#cET92~;X~%;gI4F?f@&b^smrz6n;v&C)w+3y5s(d9G;tT5 zZrSYl<7;ToDTrB_?P3&26@>GT^jxNO7u}xUIb|2_@?!5-(c;WACy8MX@!%xWu7}nFwYNh)Wv}k9&MdoEb|c}MM`4alujAeN zrVB3}o8uC*V!NAuoK7%L5RB7IFB@*@eC;R$Us|&*LFW6eF1g^nn!a}3u4QMKW4foO zCTp%cNew&o?cyA~-d%Z+-E-1cZdl~Q=g&49MJ#s&Nr$Y~UkrL&mVAC(%yXto%QXT$ zzQke^&98v~Z}5bn%Ua^#;2_9z5;T^1*AV&|lIK3%ZQa1g_~OQdF=D)?C5pG<-ucWK zoKTZb_q3+MJk4#oWj|8=_QirIba73c!iiaz`eXC?f2N!NI|+Voo=@ zF3Zfo5l**?Z3NiBBy_0*5VJQT8_4hVD_0uew%2u>sG5BbfYtWP+<}QoxTw!QkT%%T ziBs*4hTS42;4sa;cA{y^?lL{uyia7d(qKKNkxij3!U(7@@holGZ>bXR%nsn47;OR$ z(^-*fT?WDi8N0P%Mu*N(y#!^R%&aVeeBpbwS(RLRVg}Ku3?z@l>kjBb-ia1ZG;zcI zPXEd@D$`Xs3`<{r5ywg+pFUnOAr;(Pej_WZKj&uh9bMa}FC6)w&7ZduP9R>XXkH-R zL_oueJZj$oA;wNwPt7LLb0czBi)H2fCEa}De1)#Xm3fy42?7*2a(fD*jQ2Z0F`ID* zlIuN+i2VZQw;S~DDbbAp39aiKXLTG|8F+3Bt&q_`Cc}p)NBS}82QdG>SCY*M-lxVs z&Ul2#r)w@OiZHJuj8d_#AQ_5;X)W3;-izOdr*La~C1yXDzHLZ4*Y|O9FLVGQx{kmY zDyJH@w74ES8!69GgYnH#s6Ypv9hh()`IR3sauJW%1SS8_XT&cuQP?#FvetleeeSCu 
zKeY*a6JVX={mU7F;Qqq5SDy{3W3%sCRL)1J^Owxov%b6u$=1+#6;u-Ndy~C8QHWZK z9Iw>D`eS^tN<`C2>~wJu=f}-(a*VEK#`rLfe9bU?Z&GAuk692SdDN0}h1~;)>`=AU zVl_@p*3y*zpch`>{T-=XZPjdF*qIbB%}aw4FiSP=YPf*B+pRy4saN8ho^@~WlU&wc za5at4GIXyu--~pIfF$rEGRm{ty8kBn<2Oe%@Hv$RYUb5rDo>hP&NbF<@P2?>dkRim zB5O|}gBBI9)yXX#-G=AapStj!dnFB9IPOW}?7_*0%jR(7@*9W^bz$|7+!i7JV`8ut zLn`S{Ha3FbLkQZ3GjH0X8&D}st!=v|g2=oXx5=7S zXS8WABsQ^lB{IYT@?c5RNh)I5mHdIu1s_8W}E zIGr@RY>QUhW&2w6wPUkjesVM8`Nh6OWga4u#9^y>RBf-ifk6cN?T8x}?5|qx1=;G$ zxx0&Dh&XWz&F-=a8<$6jhB;_ni^_3xb8e6kzDR#b11vOTpr&npNNU1(12rQ0Dp?7| zg*=IcO4MtvKNu5wb?%xH6Gd2qLihGK?d>Y!ngMMJ67aLLV$bG&@-L52SeB!1bys5? z$MqzxR?p>O!a;8-L(i#t*ISpdLd7#k|JPg3>Gk-H7uFWN;9F|}=lA5vP_R7TdW+uJNe=J4)hni*Da_fR4`w0|TNFJC;aes!n#B**wE>DY*0ikt0AfrmuDs{vaBG&|F%S=>9?4Tf4Yl=HIzP7bWo}r2dY~ z44`j+V)BYVwOn?5{YG+yzw<@N?2_^O1JtiC{QO)X6h@vPZANv>nYN2pniCy z^=eOU8J z;9Sf={&c)7C6=K5EW&C4H4MY2Lv7OWorzPP_3A=!I&Cn!U15!`OEd^ApAaVXJF-++;J zuP|yL$lQ7=ldfN1SEfJy{95lTgp^1d0o^k2VfQMiSul!#*v6F@8{{sZAl5))1)sSpz+YC@b60qDWF1C zKP0_oG_GfBdgOL4t~!&S02G*a8TmAiTH1M3vC&9OQgFMT{v_jDfc*A1Y_Tgo8`+T5 zHdf0gFQ2qYj$7VYgG2+I?Ymt@)wSYfwbFoNd1696nQn~o53{^qIV}hUX!N`jj{j>#KEs2?l^XI%%G)W;LBf6%$m?xWd z6cPa~SpcR{l0l=RR*9yNun62k%JK5J23<7g=3u4K_{a$XY!n+;mtP3?yKpP=gdX2h z*VNRt-lHxnUw51vZ!B%l9ro9#8HvzP;wteZYMv`==t7s{Arq%vpdz)LLKyF~E?@I( z-_Xr;JgCPnrGAWXl7wMHsQet{TEqulD;{shbv545W6hTRwjy@u_FN&Hu+FY>DyXXm zbfb=SV?)EeqY?5St|Fb+v&L*3cHR6Jr`z7^a?yp}#?)e%-aH@e0Wi56@rqa^(MWz( zxngj1-Aey@S2&(@jB<07>rO^8)6%MP;;lg_k*+KQ1FF4k_q&7+Zp4IT`Dd6ua46MQ z#|IvlyKtHE-7%02zp;9Y7(g)g!))$#m4z7ohmv8hU9*`mAk0#|BzZHSX+KC`2u`N# zvGU&;CA>ijg!11=EY1xeMT9UqP@|jHzs83QX@;j_qd$#Q2%4W|Iij`0Em=75Ol{-K zLqo)cg}mkPRkQ*Dzv@}vJ-G&ZLoD%$neag=r=jqpXQBMH+G$rc!`SCBCJ2a!Lcu33 zi&Zk0Vq;_+dNdl6EoM^03@)yur_^I+lqddPIb#`|ynI)&Jw!E1d^QqI!BpNx``|iO zaRy?N3U-2oxc;}l7Wac}x7+=qwY4ybe>=zMeI!$mKE-!fl`tNC)uZ<7NWaG?a%VcF z05M@n3}Mvom<9M@zxyX# z_d|$=rx05P4*vQcRbK=S+BG{eM0X4sV{y;3$B(7e)GjxVI>e%V*Apdz8=~E|_-30( zK0(2HIRE>Q^eIZ}2d~txd8f`7FLcAtH;F5)#Am 
z#y5lhIj198fY~xZz|)KXg1|>b{Pi2w2ZFr`anyL6R5*6zySau(j2>K4F zIEb3ns@p9~EfhevSd|cml_U}pup8Q+!otIybtG9yS972HFst>ed+SkU6BBELVbYuU z=5lBV<$l+`@c~?ud?z(NWjE$PilFLI%&WXPIzkWLPzVuur3zVYxGf(jr=liw)6LS z%^Hw=3WpxnB|O)AjHRTY!mRu;n)g{-5J$~$9Gsir0c3*54m+_W6mT!}D3x(Ew4j*1 z4L8?pb$CYsDXu z?==2>!pRFwKU_vb+~;k+xMAIp+0^9BGx>G4uqp_*_MTiId5$U&j6gLLhWrTLWJ9^$ z86`kLNYzdjk4rT?Eq=^SM4_XH2q$ob0Ko0841mx@Mni~3NQ&;Sj|DR?7G?OmYM*L9 z%$^WmQ_&x^W%9}P6ltOOigF2@H5^uF{@mqeB##nb9&`4f%}j210p{!2+xEH!h-fwl za9j6~W+`jm(_I*1Q4ucv&hpcapcr98Raq7JDunRW#O zeMK(1>DFA#tZ-d*5PN7BOzE&CmI5Fk?Jy+hKpVgTsUExlrC=9wmdzV>AI=}2*Qe>S zVw78TRkAl(XLyynA}Pc2W^KYvpL`#-v$rzz3#tcGIA{yyp!DdCdSdnnJ-y+xedlS! zlb#hgVHZu|7$c^t`=U<4JP2)GamJ*=lS`;g6C&8`nSw%G}IaNom zjVV2~GZQFIAnNjYV&*ufPx*IFR5ZXIW(AQwC}rJoe~ki{U|%EzzTBIFn}?f>R^4D6 z9$}^=mqgIB>jR78cBL@z9^DU@x5@Cb`|~oW_`TlKsc$aQm*WjsLC!3p;3FTd-C6l= z^f|)o6H>*WNp@ce%KNtaYdDS)&jln|E!@_ppIr~#|JJi3x8gDV2?<|>p!UkoI8&f5 zBg2>{XJ-%NNCV@Ku~^6FkpzI(*dGO3E<#YkU=z7{M+Y%+hXrlddvU73rR-i`X-PPm zovnmJp2YlQZQIyPOC;>tNaurntK@9YMt$P{MO<$>T}t7|#sbU$2n>NPAS2L8;zW*! zk4sFFLU)2aTH#@A-ZnIYzI%I6#(&WZJS&wPb>5vj4k zRT?D&~P`)YP_x1L6C3!vfy-y;vTLKkYWAQG&J&8IwvjEl=&Ab=s* zz)L~N++Hn6P|=CX=}7lYG{Cvg52@|kPRhOA4)5g?U644CN*YU1_}o4+< z<_Mx{A*Ca>mt01>b_8vxJe0Z8SB^F#i+z_BZ}^Dml&5hKkpM&EcY96;uCc4}l_)-k z*}WLhj8gojWM3SpYOwf;r4JT=oQ0+C(|&jOX-^h);;g?`O2Z;*MB58RoaYr^y3Q3WWbzm8fGHq3QqMxBm!_Gw8(m?ZU)v8KTdAbN zr1YevWv^ZLxi?mT!li1l9gGVE5vFj|iV-Vla-@(_7oowvS+G>wdAAt46rhJ5<|#Z? 
zICVx5_$$`55iRcsw5a$zyWQi6(k@(hQ zicbfM#O6Kk5GMV^XUQ_6bt1FOh_}j>6H=k*dnB|V7W|L{`-Qo*dZ&I~#Dp*#z2@nc z5ce}-#2jWb)nUz_ad`UwyPNU_LOy>M^lA#AD{D-^%qvV)=TDT_iL#P3j4Y#(@IfB6 zl!CK2?B{p|4R9zz%GS>zRp`}-QsjDs0rwOV2uS{bqfoG69rG>2{T}G~%27WdoOFBN&P9cX*WuiTZ-_OVI?ZGq9q-gvlVl72 zauBXr+*xdBP9zxwChx?!9}p6vCRGVacf8va7VA<9u_pl>39-%9#`3bV1okthPxsDD z=f%gx1>H>cpn~eRR2*l(ep1F^w7Sxj;a{^4e%0eEnf0+j4hl~U8>cm?Kr+G}l2Cyn zUEmR8qy@`rt2rl&{Dy-E&s2>Edj1Q@+0!OB>Bw5-;27QT!Lh9Vo;rU$mVNuDh#3zo zU^iUj)+NUy(_WX{&Hu6f*Rh z(Lmr;*U}mY-JUFs_GFx*Qxo35wxFiKaXFNFWMQ@p2~Z+gyDCl1&4S;$cG7lV$Hj+z z4)P^fqY(nxP>RjKpf%W3!Fy;U6BsJFX?hsW4rD)oTkYdlp@XXdj(2)!GpzTiVC(t8 z&_S=W3X~S!ngT^gMOQWAE*mD(PzM{Ulscb~JLZyPd89Vw)IfK}UBg*fsb8cpz^l{! zPw>T$tj|%4C$7`&LC$1aT^6~Lb=&5*`gR2s!GZv*z!K!Uzd}$etopV&*<&>4bSn@c z3OMYiuMi**_(^vqj`pWNkxoUz?T}|!r_?s7WdSSRr^d+QOJz{=LlJ1lgK=QL<|u|i zt5MOsG9p&J81z_-uOQz(X2?V#5FN~l`+>wCHaE|5e-Izf#OD5imiX-cnrl3$>nU_$ ze(Lb_7il!L5VWh_>GdUrj2eRLmb^6+CWFC#gVx=5vK&G(`-PPvK01qI@bBXxx`XSz zF90LgJlY|`)j4MP_`WAb%1yQ7tSk#Lij^Bm8vBE?5 zQ$dB0NfcqjHa)j%Oez2+Qhb19T$??HDg?r1E5}GE6-`mW?2AHqNG8M{OV$I>%nki@c@*Of+@=AXemiFIX*c>c*ZEUDb8x#TI8K>{zkU&e9PdPQ+ z`mWASQFSe(hJyDX@q}3ExwRlcEda?1d_%3WAe|w^j-=~}J8{J)Tv+926x*oR^}=|m(uCg7jM zvl>SsP5`O7cgtRTjOBw!VHX&J==+k`hUdE!??5q}SFnN55{SeOxL~=wu4}UgkpUo% zB^~0GzS&`n^mm{4@%8b2OMI|qB&MJ4Id&lhMcq&%YN`_PKKmnai0?WqdbqvgmD9)d zE8W^nezBf=?F#~*m>wN7EEQXS;2Js{YB+8!rJ(%4kzJ3H@^s%YCX~`h%~4XkzHP!X z5NJq&DHmt~#k?(H8w#ql6 z>W=X4%^T-ziB`&T8!sE4>^ylQVU|#Q@Zw%ID!Y#7O3q7aW|D$@p8{%Lgp4Uwh=Bma z1RTIwKqgTEwz1jBPcS4ludk{UGT)Q9I+2W@V&DI01)($Mz*-ZT`LtL>Ek7y9>P#H2 zkmRmsUKDf++Tn+?)G09OtDC>yKdY;%>II~U5A5`6D z!a8@GX$eRS&HoAl4lE_A2Q-uziEJhg#5fT21da@V>IG)D8k)FO6p|i7S9-|Zz06%1 zfkx<5bvR+*wr)**a<&_D2KSv?Ao)?3LzQ6^4*0}Uz(&Y!IHFgBSRUfG+`Kq{9eer5 z|Mv2e{1?&HxxdeKdHLg+T~=f&Bf7bDKg}ZL$G9q$b9XBl<1iF_W)r5!B@3(?jCe4BT*B=!zBvSE4Yit=XSk_+)I(F@ftf{Zmn z&w#W6CDRbaxaKWwUzD5s4orZzeA>L=cK$qZQ6I`OL3J^SLNPJwJbb`#dNCe-(n(Y; zz${i!?hhxQzwP`{ZF={a%JIMp|K$fx@4xK-a}zs_ADami-hr{Xg(8hcK?w9P+<6_4 
zUKi6UB*|nr=hUOMJGEV^Rd^W~U!eg!Ki39YQbeGH`pW{}pg_3ZRSoi8SHR!&D0)}{ zgYL;gjtHR;W?HUiWYt2hmF)FRhYTvEOyZp2fRF<$26;T6b4!d5$0EbkW7&eU-}aHk5FNRP&%`S0hwYFkQ+Af~R896X@0?pt8;iC6#Vp za^o9NM-y%B^dh)nGJKLOs=H3z=Okqex)V{NngGE9qrMe`nCz%yC=U(Jy)oaT;-_%% zK|_+`^{M}By@e(bq?ZKE+V-)TIpl=|OT+4alwK=e1vG>lefK}#dj)mw1D@etY-68!puHN3i=7$dwOSsBk zi$5_H;HvurZ-Ve9{iO5(^?XJu4sgj|tZ+zLQIE_3Nb&p<>V6)gB%+lO6n6(a zlR?Ba-47N6!Qk(&2tQs0%GwlTq*fK68TRpyQa{9#IjhjUO8;Zuib*5=(X>kIyz^@`!;JhI{T^J|v zIe8$ju=)|v*Wf=L1<#mliXg?RoP4yFLV;-(six^dGoMUh78q>#NJ9mhnpPs42`+$Z zus?JUD{w2p%8{nbvsw?+`QQ&v&a;XN7pD&3i{!*4y+pym!7aL^6hL+z6CYpdCK#dM z4?!}<8Or2qW>i+PfNw$~AiPtjL&eI9AD{wS>w<~ULxAzX{DNhPE|hb$kWG~Kd7KTa zSx1>0$%vW+KHnqp0=>M1CBiDUof`Y zyVcQU$=`eZIZbjYcedV8W*<_5SA*9+=;L?=n!y5#=Ky$zAlH)SdauX-_t%|24;0{#%|gHi8RHzpVy^8n2QdBnRkB6s($PP^$aM+I5a5-GrSx=k`noiKe}h(4 z?+^Bi-{QIi?{RevjU^P&ef?u&W1~be@#m!*@h?H+@P*G&B0Jn3JF-gteGqNQ#(#H5 zp1SR$Gp_ue`zJVg4mBcG_^iG0-^WEy{((>t?eF*_T_%(Z`Wy*fhKxniv?nLv-$xd3 z|HgjF-+b8*xlKKIU=^$yz~Vdn!qz%|9l4i+i|7qZxRhZ z-svEmD6ZPo^zVFxS{9bi-WsW=HK|AvqNz zO3V_f;NdcTm5`Lu3Ey0Kn?A^F0x8}HdFK~4q)rB>FBUyu=b{60{&$_w((bL#M;FG6 zu0wwpv}&W4_N_`abHG@AVDrm(G_x9G@~NDiyQ; za&DxKNhuH}Oor43iT`fFwZ{K0Yzd`lhe+G#*ETDcwo&Ic3zz%XPlcFhtl<|CznXij zCHd{$!vZ&sZ9X$Q)6}%%_K%L8E3)UQih8yv1s`618{|+va>m-6Xb^a^{J{QDbcWAFni)irRMDt-5rsY(rW6 z^efMnxNtV9<+TOu@4k-x+rb85|4X4mu1~0WFjl{*?8@oh;9fkxueR{~w}H7QW;b87 zx7n?tCba*bSEtf{d(?#z8>`Xw!i5I(wX902THAN;1NPc&->pBo80g<^oL(E&yH`c6 z)vWxEb(CUVsm#Co#8PwazDk{(J$rI};|ZRDkyAI*_*F|SljG)oG_?zg-+8%PI5e|sx}vNi?OwywMo<5x zv3|ivgzq{zd{L$<7MEmLtXAP?P+2)Aw<*;pr7$YB``@~Dprm%dH*PDUA9tZ zn?*5sY+Kf4w^`V%Jj9YFBv@PUmfENxCNw{Jpf1O3zWj`L;wT1%%nenTvh`HsBl}XX&?ypaB$@)Bc z%Ob4GKU%$VuC}&Tu1)vf&AI;Hv74@``|I;*1_s6hHj6I;b_zV($xC-DF3#<|dx>ZR zVE5_M$Lb5bR@s00kf3=g54r??mmGJ!P4A+j_pej1P~6a&HK-Dst(q<*_ttPKByyeI zjEl9{-0;-ts4d5M7#KEYq(1)P(my=rPYGoATNbM__j8*{j=GR zbgY&|YS%|q$o}4K<*t;FT#bkpI}YQr z*SbV$qP+}6(cZfI+fek#s~t-cUY0#>dLnoFxKM6xcz%JZhT6qb=O!9Q`sH?g`mrQG 
zxv}8v-qm+Sb8l5HH6Prl*!r}nX9DHRrLEj_9P{EILl(pZ0w8wZs0XI-lyQ{LkFkgAVa!zq!7S(%~wuYRQwEmT$5!W>$i-SjwNJl)idnq9) z_~|G8m}24k4&U^1JLI?x{QR%YZz_&!w~#+>DCPL&i^GRGJ_*ma27b@}C03of|MrY( z@a6bZA)j7L#KdYz=XJ>4>_}Y38Kg9p8p3(u&GbR%sEDA#sLB?XmCNT!-6L<*DI7}G zvu0R1Gxp|&d(4tWW=YT0&ypX6q?>Fs6XyG%#>Zc*3&5XZ8xld?=puQ3>ppS1WLIZ} z-3hri<5-KO6$MRA{PXVfT#h@3Yir*u6V6%gShmi036=bzfHVm5>iPFlVZcyQVifqh ziXlP49ircJjZ|$Z`3)mFqMvmmg*9G{tG_oM{<7cwdm!}+ zC5m+6{+_+#>W)q04k-i=*+mo>__dcDz1_9=$YdkFAFpbBx^`BOQoh2GBbIlK zuLgZ^-1JCRZh4;5^b1zSGW#`@cf(`LvL3O^_%6Xtlfh}E)=!h5%-=)&ddX{~_tC%b z@jH6p07`4OP)+NS&FD%?mvtJB72Go!bg$+GKRI!*uqR>mJ9>cd7roH1Vp*B!kh9>tjXTc~)Rq zWCYXDnmt2@UHOA$x>y}0qEezNq3@)#x)#4sMVPnA8w4SKiL5uAMxx3YOih<*OHq`H zw?e5Vt>ca^rX82!5^Q!qYwn=OC9YN>2d?y`J5tW?E4h>ZTw%z_=)=F4sJcB>Nbv9x zOH2PtAum`Ma@wrY&JNNEmBp`}d?0st*S8zdew~na>lz$AiFnx08P6%oOQ~I1>a~eE zqrEzkURM0V7vvLVEvi4zfGreO1 zgJZ%vx*}$}P-eBzo_TGaE3%(Hdzq)mud~~Uv0RV)$2bo=o87P98_q+I(3+hen98a| zd8htGtfE0NIIGAyp1oRw3#M7PA{%`v~2B@kgU6l?xHi$<^hi_qmk zn~w2#mWr*xS$DjmVQ`+KW@t32jXpSP!Ms~LL7D1Q84JGDINP}WIj7*98=FxBwT*q{ zRmAVk~dM#|l>^kvF?p@R3(D?X^A+c};de`xVl=|x4@=MrW)z4!0q z%N{Vv{*z9QY<8VDyK{0GH)ZRcyK;e&wrnoT7#1%mHb3@jHw)0`@sDbaeHU``G5w9v z9ci@r$5&|_;lo<|z{Hq_oNLHaLxD3gMOh(GA^3nD`%c9O{~t3Ap(mg0i^AX}j)!mA zg%g&S*!#=aNr#p*1T`svB1~=g*0fu&T&Vi+tBZ^(SJLQcex6#@P4g*CDs+lhKvU*q zY3F4_JLy1$wa6y$f%%$eibTRWO?vOw(NbdK;yHIdxZN_{*Jw>)X5uml5k82?Oc zo8oCrYO1iK0O#~1&x~d{$Hc|1{o=G@0kRZK5JK z0cq5KRaUnsxj#{`iELi+iH7^a(!R#sG}46u_xH7GXd3#yrD3gqIn88@=bKZwJHu!C z$M+wp-YN27UJu6mq6UsR?{bh=Ru|={t=+JZHt2TSrG2g2i${6lCLBtgzHd2vgqu#0 zn@;*;%*Vv)0(Cz;deK1>Khn%Y4-dT_1y(MzW{@h_fpKCAfwdM>A4|m*{ z-g4l))JE=6C^o-yC~oq(^iEo4_+Mh(_^%rNkh+JDX>$78o8yTOQg1VRR4t(kz2D+w zz|_qe9C`ir`O2G$%dvOMl&Ny$mnJALO;D#wC?3zlzpCTsrFJ_D_jPMc+E~ybK-?{S$U(MWR5VhhGL1xD>w&6=?l4e$y(hx8M>_bt-he`mh0Gd=e(!ahHk+dEz_w5oGsUOR{I{mSt@>G za`upsG{tY}veb1dyR84_=$(=O4kAZs6iW9d`X;`PUCp&Q=WnmBXuowlWe3Q?yEx*?I zzph-?v{!eeSSv0u=aj2LUPnUID&z-kK2pp*rSV(4g?1MDv|BKk72M!m#(-eAJaMO} zV(6OENZXn33Rl)}kE&&Nne*}q%E=h-CKrcFA!U`}$;HMdD7$ 
zJ*y5!rZ~=3p04F-qAcfMwjpz!G=AUHOWbu8u^hxJJ@Vq;0(x}UMGY$)7r$7k+eZcb zImD}=ySV&Z_*2jH!N-|&b+aQchBlk4Stbr!9Czy$LYl&J)37!!mwzDkoucK-*n{SS zygBD@b?NT>=^!*ir?8GS0CfW6haU?b-0#}jALz0SbH;bCIJ`(5#k*|YpxR6s-`S#A z_tQ)7w#wGl?p1G0GukA1Hn&Ijqov!)GD0?|VBgEv-hx8j9Sn#-U&p*yf6P=clMzW}97wKXQ` z9G8+4Y-YtA6TVIio;K5}R?1R)Y_7Ga$Zaw$Eb=UKKl7;Vy*QnDK0ZNzLpyu7>Vcb> zWgfeZ^)-7*$-|tx!>Qd{HqbGw4t&6lBzv`r{&#v7=C-tW?M=eB*-#-Rw<3PB)G4l zW)q7{e@|!O;xRI_a)d=cJx5H|l_Gw{QRa5pHK%?P@ukZckk%_!=tuntvm?6g4sRo% zna0yUKJYN5@%m=oB|f7(wgIILNu?(qM$_NC6nkY=r{LT7obfUojEQobLz5wOE-4qg zxA0GO=a^;QFi+La0z?vZax42g5EJFnhIg<8_9S04*uYN;n%Nm z1s%YL2|Y^V=p|9|=KY3~aAnTN4?{3VH6)s1nZo)LPAFdS8kaFZqlV;LxCo?W83sxx&8Z~a@mMsiZ zaeTjIOv!(87H`&7E`Y9OtDn;5l2r0VqpImIMx?5N`jd1G7flW;ng0n4`2XuRs6IiD z^vbD(+y2QLCOA-F+@v-hFe5WBdP^rf+2LnBPU>VCI7rrQPK!Dc8!2gHJUgD zE^sz>7`vh?I~Mgk_@5J=sF#tCwEPJN_xnk;;w2;TpR`10gYeU zOOusYBtv9vtHD@%v#|tlr*k7Rh0a z59*JBq5g)9MAq}BrbpGVcrf50X+N9*F45;}fY1Rc(t40xXW|4wWbF2JgF?gBzR6RP1jmmdnm3ryc{y<@8((0|7{fau;dL5V=rV zZqWmmN4Wo=1;EVCrd(&EP1pE%^JiG1S~2Eljmr?buCTuW>fgcjDfZ;VG~6&)cSTsL z_PlVg25F3Hs_?l;A5s25F!;%gj!GY+>8FW(iwl2j|G(`On6(B;{2P^zCF9m$&r2>A z)`Z}b6Mks1RO%eyc@FvsZG1Rwq9RQyKWfZGhzvjkh%FAjYN;ub26~~O6(l8VN)%{G zm$%m}s)FLZ@N!j4vVxS56ggi0_xK3|p0D)kq1AdE#~1uf_e5t6Ni{C+T`30A*(Q4* zwonf=qPqIg@6&RzU}Jq}%XfIMRTx$ow=l`*?jszO*UJUk=xs53Z%+SfV8~)EnnH0Y zof(bsDZbdH3THem(x6c-wsw9SBCFoOka5Osubtx5f-eQz#RAGxf04;FJ*!6AxVkT^ zzU%d#H|EZ={ZDllRiQd5opr_(`g|KEgBc@wz) z%8@hoZGMP~?bWtzj1~$|4cqeYfo2+txf9m@n5|o_>-fBP!0Zn~VjEH}nTos`~$1k3uz=#|5urxhY!SUagaXWJ=EiW&3cgOqp z&)SLbiBCz+hf1nK@_$W!+nUY@qATZe-LVH~bM_AzMr365`Ox8vskD9vTJO zBcKOA%(Y*3F6bsFrL68A21t>ReEs#)Oblp4q%H)nsG^8ME0 z+@rc6Xv&;0R!B$BLoU+`(3z%$<2Z%~R#wHnD;lYn-LP>{Pw{V8TwmYX_5b2NFuvIT z;W-gXG3U8rfQ5@Hhz``p;9@TLAJB4i;2s<}d{QX*G-UBfu_s1~{taj`9}O<_&OvL3 zORdH~asyPd9&CPnCNGT#f+aa+L{T`W+dlqYQggWQXZB9XM*BTwg!ipONT7(zc^p`n zZ~W;TA3V?nj7I#S8O1b$WYG+YSaG?NI#Y`R626>{8A_8td{6~aF(3sc_*VZY`kA)?PT$;nq7H1T=S`CjzdDj<)V>$*wIR)xeRUe%cJ;vh 
zZ}uRg|I>L4G^1td0d}|M)zg>=oV3ZidI0xWc+p>YKfC0}K={D2fZ&MVI=i^1?_b>F z{>|KAYE`;sL)xtWFQLeQ!`kdw?aA=Vv5IHuS$m?jyXFaA9>C-8Q}OH7vKvUSQ-E9tQ!TAcQiGWqQk1ucGixE6mM;#%SjMw zSSW4gk9E*;<6)A8)~5|SGb`V*DGBcVxgF`WS-jr0hKKu_!4-en;ahGE6tf?jTEhFC zf=Ye0E|T;r;dJ_yzoShNh&3`sBYPXT(9adIyckr~RSR90!#4HtA@jd;XhaTOp(5-1 zzH(Hu9?}iV{M|HZ%^On0{6a=%w#&5Mm>JWtd7MGhDdGBMP0tVL(|(5m;hZ~PkJW{c z7rO2hy00Bu?_Q1?v~u6P)ihI`Bxyx8r|716^@-t~AuNJbf!SlGy0#jdEOrNeIFF7_ zk1rqr{&y%AJqbEJz9w!g1bpyfSWw5~--(PoDvlG61{Nr_1*PrtGrq|#(=)U!AAC&>Na~i8rkYkH zhu`^eS;K#-P2FPEe`3|&lG;L?%JwVv)|Y`QYZvEOs8N%uyFDAW_N4(iy>=f5tlz_o z<;BR<+rp^FN%szU}j|vo;1zY7EHM2?gqa_Zmxtp_B>4bB1_iHpN%e_8QfY3#sZ@>q*oAP zn>W2%)zai#AI?P(n_IaY)BZv7v}qxnT(w;!KJoLsa4c~`%+?;<`^ZB40EW3_S286sO)dsLnSy7byJM>zNngiecxl9 zMEfeCYTps%gE4Bm1nxQ&hu=Mo-#vopOYtPe1L09#%Sv10bM`wsaFgxYP|ghjyJ1_b z1ZOaK)EWEYH9S1eWJj&1PZPIxJez;HAPVNK=-jm}wzL zIX^%~i1zi{0!snhA}AXaofUJtI6q9m{{oy<16Ks~AZM#k_O~7Vw6zA~Uik9fX^M8& zwuI~87+t~fd7eB(r;Pgc_d87NIQEuU7)`hFCzDSWB<9g$Fhzx}2)ko9IyCXEs@yLi0-=g}(?_ zkL9Sp*LL_bmOdWYI6Xb1PgeqW2Urqrj?TwQ$MlZR{tDBH6)p?kahY74?=Y1_Lx4ch z>C`NG&p6fJ(+yRnDO)>~Ww4#XO8_0+pa2p4kRqPFNwtosCNs1o9P$Qc*X7b>A? zR!i)`4IbmT*63werPvvR-PGReL0fc;+Suw$Ju5=0fR*e_hoG8^VGNG^(&^-1_En9v zzJ`GacL%hXjbY=5R8oTY1}=*c5eltfW-fP#U)EL#;lui-mS%$*mc#^ZTBrHmdyW}M zfb)W6J2vAwo58guk9%Vm2*26MVY%~Nt}j14e)}YdaC>UZU6k8BTU7>9AVHidHxF>ofx_d(j%}usmUb>Ek+MN1Sv-rM!SrG@cQGU? 
zMEm+5T|Yj$esXkuTYTt$uh~0ENQgFcGJHe5(v_@*C~YEWr$r#L2a3AtUX__=Emi?z ztoLsJ(+G`Kx8@@T7xm4yhzN%BgQW=2A<%|kc7t~hiJ%apv$1&JWnDOb`$n1P#31G& z7Yh4C)|N;HOVqRECZkcfKHaUU+W&_-V1Ig{@T@hI?N7*ZTWsv9O!`|jO)h%HXk^mY z0e|zoHez^4s3@i5wS3L`S{c}w3AnzbMloCG4Kv^?c-=j^d?I=IlQ`r2a4{xSudvEq zXXH}s&Dq*Yjwwomg2o;7~gcsZ&=3C?jUcMa2lzG#E{TH z%gsPYEC1|`4A!H}7B3_ORc-Z{ok5og4ec&n%@5!jvfqNg_CXjKTGNV|ykUW1cyjgR z2t|tI;u_pNzKVs&_3}VQG(OEhPFo{5u^+tEaWm-E^wHe>;mFI2YxQ3CeS?$fmZq5= zhuYlMI+D-s*DcEnI&p)4-(bf4uHf`I=y0uH67$46Z1oH{Z%SbABE2ZPT}pqP*c7rL zs~gJtijx$pN|)_6y#BN_=Q>X+myUG4jFsN&Pr8oD4PAge=|%RH}ei1QTpgANYxAjBV2F3eD{8P#unRhi(%_D8sgz-D|=a!M)-r1<+CXOJ(G#<~3LVDuCGzX=MQCBiN=I2 z{gwHsnjai!ukc_~CR`cZR80cfMjgKAmwo2E-*pWlK9`^imcCFMR?!ejWcgVKt!}qm za*@$o#R;x5lY7K6s2JjKvKKN$THc^h9nneC?eMM3l5dQPe#VXnEWTBwXJ8SSZS8Fb z_3vg-_SVk95{900yueF%hJcBQU4GS8LKalgw{pzhrs8kU_wqO%r&3?-zcg7n2h}!w ziIuN#J-ZlEzMpk@Nq=GH>6-uPmNz6sYK?VcrJZPE zQe)GNoWW2u{{1w3xIXU-WWl6|F#Da#P98WQI3izT^uE`twIk5 z3A+W05nIGf*tz`d`NrDhuGeb8ba2nlUH2k)t-Ok_WZ+?GLX6}ztirEwX0Mk zxz|PypUr~l)#~cqq2J1%BB&bbVOqH}9*BBV$jIn@nEm<2{5c;tBXP}sC~*u+xNNda z6f;1C&O4W@Nc8Wg6!V`$hDK!(qNuz3*N#thvL`k}o6NkEPB%jf&{Y*FJQiI06==Qb z7QNY1eGDAlHvWt>YoNd-^RzZ6`1R{O>o)E7+4!!z)PEE}%~I!ImL}v^S@yaID-xN5*0)f0MxoR-;z|-?M5f;icQx zMpvTIyH28|)7!bz+bdPN+HVD@UJrZlPi#l3zG1C+LG#l9`DW4fP%9wgOpQNMJ9N&!hio?wSKX+chI|g z*qZap9+F>DrE`(hPKofZ@v&m(!<@{JuNUN`OH?5$#4$fy91a8vZZDT`0wN_ilWH#$ zzHCyiW@JLk>^s)WO48UEoV7Gj$D+dP>%l$k3pIf_4znF72yc2BrRl-%4M6$$XAzc0 zlrZP}HO&RzYyM8sUq07IZJv^q)2m$@wxphS`sJOgYI`;gKNR-90Zx$ni?B0W^3kB) zg2yc?@wpLf0oQa9&+1C20$Qmlo5NWN^IdRHc@?yyO_DIr%xYgIdfz~-iU61a- z0g_dL8Yk)$SLIcA1s>N`4`^!C_u~daF|V68$BrKG5@GN4toTYw2i4RK(qWX-5JI|iOkaI< zyM0k4ld_0kugWHS+pJ8Zu^uH-i^5j9HD#BbyB zeXFMK3j0+l2UV0k_Az*}b+F%m=>La{_Uaukygu}r)UL%Q_PaD=&86Lbpy`TdR*c;L zbb9SqSj(VL8MbKoVbWCgUG)=ReGeDRpG0sJMnXnvaH?|jc}J0VViGv9xuwg4dQWs^`l9 z9+;Wc5O-{vhL2Ow^lm>GCnFlv%IUb@Jw1_JBTV#UHd$RReplZboL2|=z?+vw*#>H%dSwi-TFuTVzymu{}r5Ku| zBN}TOhJ|wR4fHICd~CD(R}9Oc_>!UlNJ zHJG|7CY+hE2_n&Q9Y$>Jw6q6r5iAcy0<1T$hK2SOkXY9NiEW7`v7&-K-t 
zL!z3Iof32sESJ6z9R!+J_auR9aHSSxMxE5|}Onrhh$KIjPl^Z82O&G^s(;k~Ufu2{vR#%mNVQQ-%Yn)a_` z7YokZuhW0}xXhFlSLiCAq{`)^`)!-C27)IOe=otwtMBy2K=Z>>IUKa1{OOIpS&UR- z){E;~0IRmPcCs24tUs+*&A;j8*1}MHMFBcFz{OoI_zIQNU}JY$8Z4W#<-^`z>pcSt zPH1sdPtJak6<_n{;^DMbGtM^Q)D=VJ^wXKoj~c`_LllJsn%y(b3=m^tBT9G%A8R%K z|Ejk4F-M1AKyQn3Eup4{i3}soq9@s5RtsvSI6|9YDhoCj$UPFtexiEQa^X$ zluTKcRvg9Nua=nYmIsNR_VNh;ROxZKO<-uwzNzfZP9}BEy%2HV#cTcBCvtL-nSAOa zxTmGVW;tU&b=oV;L*YR#f@NpCDo+pz?Xpe+JSVT(lYf$<@kyq&Pz1!KKG(btu-Si$ z9OE+MRUI740|1JEAfpD`C3_F;Gv+4qT1__Q{J}|LE?CMkW#Ow`*-&Y7C(k?S4ddf% zT=^DRgFjQ2qLKPEgK%_5kp#>1;g2IzT;OlX*1IL|=;&Ble6`#@(^8g{QOH+HeXXC9 zzZ!PHYy7~XE~+N+yWg1RAv5>;b1bK}S5+yd@Neg{{$pL%8Lt=;Ph^Jyrtd$!sP>{L z=*6ZG@k7vx(*40NW*9h%q4>!`jBT*fpG~l_QbtE~u60htcZG~37+|PyzP}qHF7*$V;0cU zu32GJ6+f76SKxW!&jZ0`B*JltwRx6GO9}yR8kVovI9L9_d7Hg-|e|=>05IK zB^y72#cTUp!*O~)H6fYj!n%xTcG`Y!@vmdo$MEID7W1zP>W?di&_$Ne0gWbxg>;1K z&=Y6X#g@GN+BYY3AkF_G1{}OEGb{VuiL;0n#Jb@pQs)og_w8@uu|IV*iurhfUWS@# zOrlH?g(X~WXU*e_^EiN_5V#*l(WF*>>$LvlJWWRolBDv{5V{DXj!Tw>pzhisOWE|9 zGNOrTVVLSJ#N9%OK_RDK>3I$|^+HRoYodJlz5!V0c)~SSwZ8}nCABr`O4cg8MB`bw zBZ||~(t-^urHj8G=NB+G9VYNLd>7Qem%tSd{Db7xilP4nEbg>uWYE}=b^p=spIJg! 
z#iN-utkQF#Au4btHc$Dl_0@k$HT1=po^MHMrGG&l0l}v<@E3HkHkzuo)8Z*3I{7Rj zniefff+^59N)m(oWBaKQQ~o2cR+iq$bQ!cRd_KVz>BpfSe&;u*1Ipa^uT&PgZBHDF z+xA}e$GCX$g4A!@g)4K-D<;xfXkIqD5hAD>=za)ow$aem0{wut&KJqvj?kjua&S{T z=0dzN_(P}3KI@(o4{!g_$!FwO11g#;{on++i5NPBF(vjCy1-Ql<;n52COOEP zI4)Ds4hHotQnX5H#6SaP`CRoBGF`>~@%1nvdj}u8ut1oY*2>6gSHSr=!R5g$aW2rma zQ?k1Lvi`IQ>D7xC#|6mKUN8W%&=gxs%$^TKlU4x^RzN4>IO;{5$ld{ zEzc$7Uo9bx{E8u?!58Yp@R@}yVu_hbK}?&QO6=FCmF10t{KpcFXKaw|*<2pM=WF9-|mtQveO9W2VW|lgH3|owBI<^5Zl( zP-XHh%_K)%(DYScy0R<*!4cK{{#Wp90%MuID@R42yb2hx0e@esP;Y=1F*guD2~Xh> z8i3-@T?6)XyxmXLi^0)`>_|kf3>F>uup2567HDZD!Iu_HRhynue-0B9nG`t)(@JyW zT<6b&-bFFR>LRF3e0TG{7CE77Qpa~sV0&O^vy5BudoXK}FOt=_@62>W!4Feu;zWj5=FF&iNxhaH2``N6r8!)jjMT*$#32nb;Y z%2+d#6Ev($_F{^ml%)=qTp8mUMo|E{gWq2&#T$juUNkXLJ&N5*j%hCPRG9KJ`R@2a z8kq(6!C3*i5^^XIAwQBul|Mg7w%uoC$#ZAC<}sp+@ATWz$f49_Xppqz%ll` z`Md=HE06%f9@hU_!UZ8jiX@X}ATyXr)>OlbDM6J>5f?Y*$_S3x9XM-B`_M^ydz(&t zlspzFTsRMBZgc4Wa9>8KIId#WZ&e2>p?s;B-W7p%cf9}40#xZcpN@a5C6P6m ze`FZCdhjW~cm7>(FJZOF)3wD(p#zl7|m>ZAEm8_hZ>qYy$jIpCkwQMmuH7Bw$DEOdYCGf+wQyY@wfp)0FC)4 zsU`^=Lx6U!Oc()4M*0V05*!RZ51_&c6#H9;-c<1mM8!x--OWN6fhDCG0LH$;oAWet zKU}=k3cfbuUo3c|%Z~aLy4TkhQ)P+yN3{ctH4Yr2uc5*~464;9uor&i&a!$*KIZ_; zqHzFK!1hDH#g>E1V6TnDuNS4m*?)c8`M$KcoAz97@R|5IoVmftBb>*M#Tf%1CP2eL zzmR{<@6?A9d?>0m+(gJ?kP97K2rJv}3{@KFOXla2r#xEEr&?;q%&G-Vs|Ec&8252m zMyiXzZDO~Tq93k=-H>9y4*^6HaBe_F8~ek6D6wZh z8Cg|WBIQ923w2xi#g;4;Tx1|VO+$s3HA z-7OpT^nvK=HmjpWDO&sTq(=)@d0yCc{un>nicw(#SZ`M|DRph>SHlLE`rIg>06-KQ z(dXyp#}1?cGzuYZ8mDp@Cr3QooV%%H1}akVt=@AD*n(dRzpA~l3+r}}uI`S-4~yx) zn*TAd9;RlX8QYns29z_vTy0p9HDe^zG>dFl^D{oBtX1in;JZDQsWJMq5z zfK*8ugDiTM-tYYj5rEzeBse0nHfTFr5_;P_l>!%cBCB+AZZEsxsvUeI%c`RWv38sD zO8ne40qo>U6a-U%FlNh5rptw9FnM6$`Q>c@XuDqi#g7xx`@QI@w|s?tuQ`Q*+O-@Y zC6673v)?^b+19ov4A3HfsYSh)`MGZf5*Zeb)jKm`_ghZjU1lEgh6iV)WxjQ5Dr)hI zsE-_sfRZV?!7}8E-tW)`U%et?#gU@}s{M8)c@Ak;d~g3P zrMRDjj!I?gG4_&3;Jb5gPosy{X*SEJ0A3{t?lEWI)kqGFA?qj9mf(+;Y+%$%ucA)4 zbw)r-ir1d|-M=7Ap6Vb$ioY0bYh4!$-2d;m1NekAQz=5lbBz+h;NxxSm{P-+aB;Wy)5d 
zA(5Iu3ItNPpbvEOD&3K;HT?2ICkAvt=)uGXa)vv{5x)#{8riSlFnrg$|11{$`IcZ^ zAkNw`BD-M|c2qB7*a&*dQGfIY(2LgxIJ zBuXM&t42c&jU(YHn{w$S`r#U9e#>--z_M7FD)YyIVg;bX}1*eCiDz;B>mf?)|eKg2tK@S;oaDJUIU4#&p~0iqLZu?2|LPkLj? zvy^qh+s^<1NmK4?{WGq*39|JB z$|oQyRA#V2;u-vR_=upu60=tjg)-62nOdU%2b-F6Re`+$KvSmY0&Ecjs30v!?u~jN~J~TWM!6T0|b6a?l*!kYy*JFe2HFU(-1;8V49$3$@JAd8l zpm!Qq)4|Qg&VCnStG@%al<|H}W}}Y8G+GiVYN@Cn0WR;f@P5uR^vV@~dHsx@$Y{Q3 zVIxu*G>4=lu=TZ{Dk3h0OYxdLWE&ize1vN)t8M}Wurea&&9B_gL24A}OFE+14=jCC zDJgOSm=Hn zFn$kX20OINT0SP9D?PeOznt|x*Z#Gdrr*VlxZz2}j8epB5#^*86(1zsF3!67IK$&% z!}l-i>pcPgw?=yU6kHfwr-q3YH~fORY4+#`NvK@k(Yfy?kX7^Yzyje@5iA`9{?Rm_ zHdKieYfWTtm>>g?TcLFCRzDw!%ZKsv$~h?K3+GVtfaJ3_*xu= zj|doiP(@1vWp3yG2s082vfi|Q5yz&AB2?M@M@;#&n#`t(#L*;}wL>S1gGtsrTifJ6 zyd?+14n&c3O<(EH=|CeR!CZq5O5)(Yr? z?!J7sIk%9$9~6|1360cMFVPR%+wb7sIkKdT_AVEcDPGCc%N!F(NVLbo%|6FqOu2w| z2zZ>if?~{Xg}BXl1~GGm&y-{IL&eUbZ+yf+AsNJmR}#d?XZXc1ZrJG$Qj1YD4H;G{ zxrpvqkYNAr@C|kL&sL*AArd1(aCBoDsLGc=H?u+ilF(3tmuPaVOlPHe6;6V_#_2Hd zOl>V0A-!yH8pE9t4Wv`%=k?t-T=_jFa_=IZBp7nokwa#II{S(^z7aMp9=^?LS+?ya zV_jB?_n8`|1;0t09R8Ca%>jT;<#ihs&uETUeK-ODCv_d7C3gtH)NZg%Jflvq>lRgzvsJuK(t0_5NcQ z+raR3%WGl1mm~XbWbXv1BM`c#lGqnKz0Z(!KN^BUAyKWP1b-@F_(5Fj7i)x~bWp+` z(_@Xi@Ddt)Wx{ag$VhqKv!Xszka7uU8H_Avd6c^>7W`s*{usbTJ^9TTJN8@)Ao(4w zw0WY(**56Tx}?{)f)L9;K@~2s#*N{CK3q8_?$`zwLyYbPUVmpc{xUrJ6|Ornc4JHH z#UOjM5MpN#0-FnPQh-JP7UcchRdzy)&sI_-cyf=jMNZOlsccX=RZ;@Q1gI*Krz3)! 
zQwTV`(3mdEZ!5pz#3QwrM1xAFMQ~%-K@dS`;5VXhvo8$PI0WYUd8f4_F-XWvGV46vnE<(t3vV1PCeHy!6(i8G){kU@e~Q?=d>rkKY{{Ck0|J*d>+sjz)_ zYBhIwQV1D)v8}!7vFte;as(p*e8v|Dwz{~JgzJ8@LQk~ zfsl(}z;ENJYG48Awi%VezQ~S#ksJQfH}-{!jfm&)4ZWTuU@8XdFPCy@zNnZ#0=_+NI?uh?*IjvF9%z-4#=4mh_bb9Ie=bhPr5gI% z!k&I8&70m<)z*)J(-EQ4m8$vR4f(oBWmacrlYZ>j4%)#~-vhyj78S}cTVvEGLDFFF zn>u;9jU0o3jG^C#a&(OM(dvx~#z-==J`cSNnF9+yT4>kN^&2FnV$-M8ePZo09FfZ& zyJ{v^nQcy_R-=Y#{s(7QzjBa#H_NSfe+Zzf*zpsH*xicCdTXl#XLo1NVj4}3PIUrk z2!aGMA>5Tm4A^{Mmq_Ll*&)E`T00O?k*NF?p}^a4@ryQIX>It1_-G~{2Q_LN2N4FM zBLKRRn4{IOcG3)S{`lGKmJi?r{y#M`>T>^ZNy5t05!trFKx3pV>bs(wjEvW5C(dd} zs*#aXLZHKk9{^k`54j1Cjxr5uboinI6aW~+We|o)ta*NZt(=b90N}YZEiI%V17nSj zp*Fh4IY$R1c3XDl=N>a~!Lhs+oo`ezFCQ9SpExj3ER#x10D@V}IY3^3fnF|cup{LQ zx4b*Z?}ECws7WARD%H+k;khCaM-l8G)=e5Sx@uO-r{F{8KxRdP8Db^3Y3xJhtN+=A zJMzVEpzKaYPenlpK`I7RBrzvN?vB}{7y_CeIUK)QcVmRm1FxoyYv5KKoK&V7^6Z(Cl~Woc@s&kfKO$DELp8P=ZvaqOlwJ~c zb?9|pi$Gk9fXIr+Y2|+a5dmx7@4$tdVY^X#Gd$J+`e!@5e|iI8W`!X`AfxP0t!arN z2i@+9*AdNDYu(*9@Y-ts1y}Ip1AhH#+Ap1{sm1g4;KPV1hFPlu(VCYDub|HJ{C6EV znXE!3lKJZrqW{4@q@~VWS4!O^gO(~0K{c?H{!G_L&&(he^89iW9Sim~4wPv?Bp>i%_E z*S0@9DeBAa{s$StM+Dr*EKe0(H4O+9HsQUYW4W0e6UKRd3htH*f3@|=TB62#(0 z4h2Ze(_&;vu(+dTNxz<6FeTz)XCyycjBsHlh?M~Ha)tbYbzz3ws|eF?Y2Xb?AL+x+ zyLC0=6YX*B84Df7KR7W&f~swqnw*-FTTH7d|3*#g^Ym?aeGpLaoLerKmwW`=QU1Wi zX~h)6VSxU|KzWJ|Af{)v8 zmt$W;5WfQ?NPTykp6LK`2y3NAm(ibefCw#qvvGooxEY855)quFm|%1{3p%2=&x2&U zV=N#^`U4SYmwx{eNAS>*5%3ydMUP{?;(|2+SG(|Q+JJ4|ao<8+w%rC^@&!61;5^_f zzy1!)q!xW3##$s2)B-x#Y)2;~i5lGMEAu!?Fv8k4qbXM#p~_y|UI9FXp%DT|wSjM5 z1|pbIQ6~(TYdLqEPb609rXJ2Tkb$i}y_rLa1%a3v*zWf5aI|LrvWE*g2ZG*8@@0XS zn}Hw-YNdGyBP1+{RI)@@Wk5?X6n9LA8B4sYrqnCflFx=fl8oTc7pu5>X3s0V2ueey znFpL-2tW_$;AN3&2D-89VK~qt`C-W%TVqxE%#Ea!aFOR5Rr5z@94{jPSv!W{%LZZY zqO)B@$d{ROqs0M>mJ_i<93hZ1iG}7EMJrQZ3~cv{QKPP~u4u{g=M_5wSLdyt@F89`@{`!JU-0`UIW=M}-^oUJgA+>K(2sI=_ zRS^G!uM^@uh_$*MhXXaH20$LBScX8HdB24_c)kx*g0`QSsixoN=0c z-frzUn}7sG=Pn?ZIX-)M8Y!;4;Kn7GN8L}#dGMAfYnvh&S7}P1wA{XZJwLeBhyqp? 
zSX0?Vd@P-8&%-nv%=s$ z4FW={9O{3}H)tSjRuG6*dLn>d&h>!cM8MrzsS^(NCd2*F7Kx~#cqAppVU13?U1_0v zGgN5Z^5?qM&vnZ(Egr>L;Z*Bi5we7>M=jH^*~QdadxpfPQtN~wAl^rTN0w;KqevKk zn%A)0ww9#;Jlx8TJF1r_m-)LX)IjI4r+5)_pO&31YvsATxA`%$<_$031Qcj~U_tCA zF{%Y5B@^VAnXd}*#7&2ph8b+tSJb;(R!w1nkTLiy`rn}2;CR0MVu)e>eH`M?7m7WLxAKsTR50KskmTO%5{i9PXOuG6( zkGAw|R&Y=gS}ylUW`~zM>?8h{ zD4n1IbJ_e}O9H}oRv0R*L_FsQHbgJmQvrkqN@YAkWpse_6@GSGb4uXr=qf`phHPH`E>G!p=%#!Y2Ut0i z6;N(>fX})@<^;kPp|-}Hr8-2l3OeAj{9-K!YgaTv(C(3c+*EATf!o!I= z0rA0fb2|eCFs=O8;Y%4CuiRAcX34ANhg-vBTE?oiuh!_^JG zTJpK}@xaK=PS5^@Tpw~jCGvq*1QIOxEuYDQf6IYE%7_Dl`IOq1WUS+stl9T%8qgnI z%M7(kR@|8mBJ#tW0J!-ui*FCYcJ7yLW1_LH#O!8(N%V51*y3T!1@|*R7k+_=oq=Zj z@pZgBfufzt@qpc)3)u)uaYgfO{h9St6>eG=3?qo#@g zQvJL?K$ispcUiNYull+PUOd=%_Flj=$y9r0+Q{icc!*=vGLYT5+XV&Ob zue$AazP1PAv0G%y#kQ`$O$&2OUy2|n3|0I7gm{?;JgX!1!t z-%2rxa(p|oW)#$lS(cmfWRSF=$HnZXRw9hOyepP7Y7RHIu{q9Z>F0Y7WRw5wN#OsB z14z-jCk&PbCK7q+ z?ziu`3xXG|?tc~{I}+0YtyR@m4*_wwolH&9Y;bm7uOQtlx}o`TqbM#&*tr@0bt0*2 z^sIc6BdYh=ofY7wekyMSH5r+Qf2JCcqC@+4^<9;Kjj(CxM;Kr9QN16>DvKT_n{aaS zl(3k?KncZO3d3G13JSrCT$34RsGH$3sQOw(6xA37g%y1~Nv)uxhyXf;+j%PjM=SnD z4lIq#isPd&UN=gxdKEx_|%91^E7q8jo=r&9b z$J7Keghad5a#Y`kDm!A@?{D0Yu?KNC*CW5s9T@Jv~8U~=2jl2HFgo!?^?mMm< zi5ULyBs(c{?{Kd*OeHt$5MOj=_{2hohB!@e=p!d^AWHat(Q<@^0|5ximpyXg(O~vk z+YyvxyKlSjN|6$Jy71<_?hj%lZ?9ba!x>N1z3S7fIJ|S23XekOxjSmDD?FDTXi7ig zTWK=x*p>nTIHUxS%!L}3qEIN_AKA6JX1AuMo6Rl5aM?6N2Bm3`6jmI zD1FsRu=R<~?$yj2b)22`Gfrhv8fArX4zsj!?@m{@L=b_uwm~uGx*m&qo1V!~ma_RQf(vfpo~e#@ zke-$1)Os1vv+8Th{i3TA;0|$W@(MWE0&+d_F%8?EX5Ynvx#9%!Nt#GjCF_>>e|k^8 zQ<9#|lbFpjhVY;x2#UKudg$MFTv?s-T|K^9Jp&(DB>u($As-k2Z+2`U>f3f>NkM@riptm-WAkb|eD8t>6@kS7FHC01H zJI)!sCConbMv4!0HNKw_EenEN&-1t$%RHx5h)1WrZt^blk>x4CE@zGBjLIJDs=1J-5O*HAss*(5ynB31_H8#;{yW7^~cMz8gd4L`b{4i@t2VwufJjJo-OOS(@rcc3lq9Fm%HtILolZJA7(TnVVLR*_$oS*XIseScg zN~<}?Ne%p%^Gz({keB;Bu;WG`?Q?dQ)rFs5uREp3i}O7jDO=y^nq82{EhhC$K-B#y zoy~Ki0$3j-8c}TowN^NPct^*rncv~hxW8GlefPJE9euw~&1G-c5Tfek3E*k!Jm1&S zDMB5I^{E}cX1EWR=T7ave#|`Fy9s>#`hjCH{z@hXXW5gi(+RPg-s~hLHJPB0{eX8O 
zuQeLU0y1yFOD3Z)_e?P=YSm3^Q-l(#e0aD-(i0dsk_8^QKE*8B4n%$^UN#Z~zJmlm zsgPe-N!@nm5bfJql{Uis!g(cISmf!qhIL%vj7~MA~Aede~v5H2ioE+>Kv>*Ip&0Y!O@sBBi@Aj zcKOl~?{)}7pT~@2jBhK*um`40)>~TQi|q01urdkS@lQPU<`VEIBL@!|aJGMccZrHJ}i?6;1)68gRY5zSAli+T~**me6uz5lS=6rj(IcDs(kXUQK zXJZ3i3i|R>?Ipym+hb`N#E;)P9!haighG38H8q$^&}G!}KnOJQY{E*slRN;NDg@n0 z_iCcDJ=DXba_j3 z1)$~ummkqerA}z^;vwL@ZBRx-+t$OGj+x5*#8cSRsrK>}d%$IWPT93TTZ_jU`NIkI zN{Td!YXUJ$tIG_NZjOEPS&cKu>VVz=KcDni638|t)t&+ZYwK|f9IR9zb9vKJFv7;I zMnI^h8B)@Rt4RPMBm@8)22j z42S~&6-V&K&&CEFP$Ce4YnMO(+DAYj?!7T?rz#?NlOAcmgG1Sn+7yJB_`-9D=LbG! z4PupHa5%ppQS$g_vE{oKze1WGqs%*f1Y;947=KmPxjuFaAvi+-ju6R!IJSQP>+*Bd zW2>?A#|RwPxUic0dC!ip!-tieke=(Cz+2iS-v^5Oed-6=^TYWU3`{VszvV_}zeSK} zy`m-SJm$A=gXO^+r~n=aS+ta)w;^ghH~~k7L*K;RuOv{a3@S!dS6XZ~|5mD7bPkk* z)bRnGcZ%U9sa$CT&+G&||IquV@ zY`sugK7HJ~{6K$upPJK^nsePcJ_E_nWlg^_IL&wz#}%#>xB1M)s($5*!|}&Nd5sU< zmLZ)qn~dVn{m>f`z{P@O80(l)`zkg?kXG;4_LiZ~R-{6zSwU~*6^p5mpgvEnGj7O7 zV~e#+i;BJ)jkH!@4Y18}?vTk?XnN^f+bj?%?psd`wqS`pIC4-E{;m$|h2UG;u6rB$ zb8T{y_)E1AYq8%@kTpFFIJ^PJ{#HNSyiBSEA|8`ypN^wwUv5m;=Ci3;<;`bhda+NK z^f(rl%XzZn7@-tvh0J=1FV^)BjS&z6Ca>oG3aiReZX`?k3UJk zI|||1TRiNyEbFUFMoijBpNwW5UHNSt=v|F=!$;R?_c*^wkJWZK$$EE%OEzG^FZ%d0 z{*B-E|8e#fP*rtZ+b~KfD4o(ADM{%Dfdfc)NJ=OO99lY*ZUhODlJ0KlE~UG>8|nJj zxu5&KpYgu`|BvyFZx6)7fwTA8Yt1#|nsd)9T!!3ON&oN$>UmhtFm$zY$09;7v*59{ zXjM>wk_Fa$_4jfOF#>3xUY6Yo%k(X)f~JI5dGGf{ojMr%f3Qc>eIF zy|eiw4_e!GJJ&f#vfITf;Du-d1n(@kF!RL|qqdm@RelCjfyshV}EmQY{!V=`0+9SjZwjI0qpvKIKrI>5+U zZppCUffA|;TGbKNONGx?b}j|@UKh(v0a0ovNoYgyLsON@uAp_d!Ob$^(Wt5cR95!MsMga`XZIG@ zF6##T0PEU!9nM}y6APcacJ%D$p*mpGaFdf854x^g28C@LYcV!n+%&CSqC#3~nr57x z$$|pM;l+JAfsCu2PQn+SjU$wh-pOyvEei%$w%~^}`7~4A4lmD^7*I*W%_X6J)JAb@ z(s2q}J2akpc|HN8L0YzYg_0q~9=AI+fY&TekCo`@(w2d6U7kBQIU?A!W^zZ16fDK= zp#VRaI^xH{E`%pns=j$y-D=j0xU(&Mz`}mF+cn|Ub4vhTxLH44E>sBbhiK=Yo%M%~ zyDbONy{-DDiGK|zxKdXiE8D5~Xj0_?NjvQX#^4HjARlLlyJhD!v_c!iw_Neb@9W0H zb`y&4UZhFWfRn@M!IE1pxSuLwOG8hRP==WH*|@8U?;>`Ta4eM-D+pj@WQ;}j$E!i1 z{LxJ7;3`_4*RVZ{VA%@wLn3426*iQ@N69IZlZ}_#DRxXqk(9FwFiV5m-#oQV&(lKT 
zr4CQfI@>PPH>|?9bkNWx-fG&niQv;)0 zA(2E;3$#ICpvKzlVWxZbD`-M@{QlcURm$n;>1jzob2{)N+G=ok}ZuZ-U?Qx`^$)K~rN*?Ljq z(N?qh6HRflZucjwvFKx8h#5z>LsN%GEN}jl>E~9><}hlh_u@cY4Sr55 z48N{Bt)9M}TRR&6*b@@SE#k?LnP`z~+4;PBHtvA4DztN0JNk{x;ehqM`_w5)+w(x` zw3h_W#+iB23O`*lm9o$Mbr{Az`8D>jjJV_DJQ@lr zz~eVYc6Q*Q7iE2vfH`3if0s+5y=M-xRMYzk)x3vILc`zSms>&C;Ea2ANO$i5>-gvr zDoTPppcvS3f(s=9cH0PU8EcyrrK0Tx7{4DUwZ@KUeSagc&22y!9!v4dMHs4sdj4kl z-OquC=QI&MbY3p_|Ou^6`d;P&pL1E z*P8Z*bB28F;d3dYsWKA_>ij8B&y7`53wN%QaEL+JzQ;yGRo7j3pr!ooE`r(S$qBn2 ze|*8l(mKoLM|B4VG91hyrB>m-GvBi}Z<{21@aQ}&6*n^?bPG$}n4sd)mX=Scqds}g z(5o}3si}RN)0A_l=<&rtpy&9i78M(1JNP6P)YtHqg{J{=&F;;k#$+ z?%mB*+Egxd<^(mdkYk|Af2{lP!cyn+&U)nDkGLa0-XM>@mI%+1Tp?@4%I-f9ec zC+C2g{lh~Xoxs4|&v7tld-A71e@ysj1;A+Qa79;lvHa;9i=b!C!hQM|KXD@8@%|At zq4t#Fe+h=`2{^?IHER9Zc?hwG-f)yYX)NIUX5-!p|4=RQnbTS8 zL`McP|Z~-z8 z=+D2>$+yF*X9GW`6cFAd9v|BQsu;xUvo{}q0rm#LR3kKwYw8w!pv@Tqvh|Nz-!(F$4Gzz<$BO`814zhrnsBvA3v;=-IQ+0TeY| zMO}aQ^n^gJ4gWhGAFuNg4qM9=sd$}zf1i6?2FsQh-bx*wo>pEq{?ppLn{76U3;|t% zf82s5P1GNl$TwnLIE7HoP^LE(2ppzzZ59Ca`>j)j;p}CYO69!Ta$U2E9*O$D7a5;MD(Mq*eN1gw@X;1hXEXn+{1|cQDFBuMb zj41_m=4IivE-DwNBEE4B6Xo13C811P@&=C9&>)qgBf@{y;J@EjUH@H}|Gp{t-}k&t zQuxERziXQY{L}Cmim|*8w3p4WEtepK*ksZgJCbJ77z;Z|T~E(PT#CbHb(4)$IO=ok zxCX+j;T))33jec_EQJ>2jo%*~zd?Oa{t*n_zXXH-zt@svV8}mgejbrtpVqqR5^-}X4cgf@6yDn*&O2Xw1hoI% zG7}07@5uOjZ6U+?`T1Sx5%**rG@0HhZSDWOpOzXVO=E(e6mGGEJ+#>R*Vbn73G^?Y zyFN?*QPRD<;ZbUc%P%0Xhl4w$)MD`zvV4JrjZU}=h}Zow{@rtt^QmpmG=voM$Cfus zSGXho)2bJ2oWy_h4Onfbi=2p}zng3`h zurlIkK$XG|*P+ilcQ`|fLqkKKLw~K%vlbH_HcHY^Ki#|pbbE;5EwLNotDukL-^=9_ z26Waxo6FF|j_>%mpOQy}g0J?n`*)v|t#t0)IgT{KFd!)?*7J`1zq#dcx zrA}wSIS+w8dwUF^xNr_wugT6=nJh*8*>UCno@RXIA67Rg3)Axx-lC>8jB->Wj~>us zGwEE|_k7%wI_Gxu#n(c91t8igs*(w?jm?vPr)`HV*S8>T#1{Q6gjn}KqWBIgGT(XQ z7PIuKF(A?_>uvM3_IZzM!OspBAS7K zekHP@i+=v>QB~`7x>s}EuVYKSLKObqWchH&_%Y^_j?fRPY#!5i)a_mILg9=_n33g2 z#6E$*R72a4;lMzu&%fG;1@io)MqRcYDk&+3Ln-><18Ouw%#RIDF0PfziG|J+MUg3M zfl{r|_>pYG^*_)@-YngQ-S(B2CHEmP(2#5eh0MlIB?|IXvl^p5otD*?AN 
zCO~pWa&&YARQZ^7aZb)F=?^csVY83@#D)%pxvi&y!P%Fh-i18Eb29Kv9`FuXUrBqy z3bi|?2VKf{s^g-gAx%FJEJSo4#miYaikt~k{Jo9Rmi+&FCvdrxx{H5UzIStb3#V}f zSM6IpFg7y6!o~Gr+u8zN!}IWW@6YO*xU3t)fQ&;psoS?F<+1IAqYzN{>pk#U>TMc( z7U-zkpHoqhf2C7se?(E#c8B=rH~EDAzf#Oe8uXV5(tQ#Uh(dCv12sV2)GF~_Q z)WGWHO#i|H#endMWeO^d5b~o(#;0>m#!Ib!w^bG}SR1e!Cd&2ekNGI1KOr5|pSr^T z3b1=GA1Dfj_p$02Ruu~M2Xt%v|B5GFU!TD9oVnf@Mk>^3t%?Icln3GG|GB_jd)XS! z8vW&@_T)^Rhz-)6b~|r7Qy3T#0VIC>zoXX$d+0y%+TCM!a`L+>UdS!>2O3RQfo^Tt z{mRDro5}^@bJKNq0$ol6B|jY1{rWwPldkHc%fI`xVxw#RSIWy0bx)*e0MTZZ>pdV3 z4h#ze&fO_`SWaPnx$AvHyg*6_Oa0)shvIim>~tL5YnbuQzuTF(=r6NI-2As|A-g&G z0V~pHZ9QI*At)k(Vvucl<;sAYR&xK;Id zStb{N14Q=UL8XO2HX`yXB*te%lRgMyhMxyWFOVzDO(L-<70ZwR zZoRf=f9qVJ!07?Evjn>ICzIx`$k$g3QpsUaFMlN|Dk%+qil8!~sN(;x1cv@AfeLu! z#K3d@@S*2ZgsS$m7gu!2%M;tjhWqXS;6-r{_4XDkhyAY$b~ErlHh4M^Rb_$-+}&8L zX~NQhGQ!3p&YD9qS!g&O2?=5l^^XN^nHV&{bqj7JK0YI=B0BoPUQJWylY+TF#ARWoY)U#o^40`;B=rmSav z(|WVRP_}p-u3EWmtRn@QR*9$cta5Gds zq%;wRbiBs>G6{*UJ$ZAz#6LR0qg8oOxg#v5qvO^Dv-AMB0=aNQ6vzM9R=>!xC8HZb!KE9AUXVwwhr%a9fNjNFUA_N{x<(ZLFAFS||b+z*%dL(bh6 z7s2z8eeXrPs@E>Drh>B*O3vTu)%EU|KIO5CL6Ijj7lpZmiJnnA=*FzzR&{}Kb{TnX z2*SrXet{lTfU`zHRkN4dD_GabPP(Rn%7{<4MQC-d6^Ih@?Ng-pG?+M{R1bnl>&Pe4 zXy^E|v0sI&=p2UW-uqUIFH_keQNeu(CJtOc>WWjp@axwKP-Z?;j$02S;9GvmYmsui z==$}cFea&>FXlL!EVT3#j8jIgq-3CojIJ<$RovtHxs-Ee_9i83U8h)E!l12sxZ)&v z7hNE!?B)XYwZM!qh{vne|8n+-aUt%XSc-olP#oM*WYH*yeX4HKTOr=&{Hc)0G$5`q z^`RWrFxT*sfqtIK78@N!?3(%PO_j0qU(;+v+m3dByDm9DO?zFq5$d9A3(GbNe6)!r$e@JoY!i~Ym0bBOVN z#Nf&0T|mkgmm4Iw9+LacIb@R1->*=hcOD6pmfn8^A zS3AFBd>7>=R-HAcAtIaTMWm-=M2J6YxFRq7rW1|jaxQ6vTkiU^fcA)NcnKT}cG}Uh zy2jw`UL`fn_tnnbTG}>ci(F5F{1IiZ!2R{Nc!ucqv=c4)5GDR8C6lG~=#;qjVbmE^ zI{813<4V|v`{I~ehC7}-B5Ghu-B8um_HPooWs;Ee+TsehuEieIx8GM0H`R1LPlHhE| z{^qD7zX0C0xb|y6N<(S)Vz*kC0&GeeFbjt^xT1wasOAIG6kQ~Qzw6@6Hsb|9K&ZuH`B$(a{0=-gh3%6o_OA4Fq%(Fg0{i zcCB!sOp$ca=~94cwS3M;A9ZQ-v-3r|KFi#$;@5A^d%O0v=)*sJKN}#p^^wNjc2q3K_&D{f*?-0 zUA#bwgxLs=pO%8iGZn5BbcD8Op%=Dg9r${YWlwQiNqKB!Ikid_?DTf4yYYp7Qe!;# 
zsZS(Bi9gJakNieFAZ<+ilT`h~$}xW2+a-yUJQt7eN;h7E#$Vfq|&6iTs)N=ygXb_BV43f-`0RO zlrGrGgDa~eU%FBoLO8y_MnG=$DymZ^vOF?_n;fiVbyF~np_UO|c_{cp76!8q-OYhg^1ewVxg zPa$;)>@JYy6(d_gMiRT))~xGB_YNB8(>21yogIsj+cVRgB+Q{#N5pNXhr~XlVJo;r z0U+K#i{yknKxU?)H-BO8Nbi6F+{-dN)q@Ys$??~ZMcj4UZ&j^3M!QkrV^|XsI8bhv zH3BnVx{xNiJZ7Q#g?o5l$`I=l9gB4HZpJIHoU1Qo37DHZK{QlG6JlA`1i*`%>y&}T z124BixbMg^f3v3vI&438vi?ZC^E8T+mV_yDIriE?#^7QQGxeiu7 zfv0JrA-AzBU`|?gwLSY zihP@d_}Y?@AOwH~-awtoedi^YC1iClD-e5Hc|t|}Sl^hJyqK+f3{1@t@cdUvcMnJ- z04{)z_f@8QJ(`#XL*w1DgE)EbG(+T!)~DrhJJSFz>I;_(2#qt|u=iK&P3D%%((;$I zCKcsv5aK_R)>DcDo{XbBL?=e?DY8+)deMspT`IVHqK4a+| zp4+vREWb$lrxxHFy+~-tk(6&cE@39Ju_b35Ib>TFrblLX(oadpO5x&i38K_oYTuW~C1mSGtjR5`-Ur{TrwMx*%&Pb&czPmOv$#IkqDm(t zCc);DG_=ocSvjtf`9;JheP1I_({XY={;F`VeQA4TQqL1B1gGCgECUK1{~HNKXV50I zxu(ljUdU=?WR!Xiqn^kG9G_)s7CHisdje)9u&#ZON*`a5Q$}?>5D0xULT9}HD;Lla zV1(G03~zsu%ta$(V8#)vPa^9t(VWkCrI&!Fic8&((Xn=;TZ3NL+kdy0V&092kbxA@ zy4-%Lm1rXjtb{`Npl}60bJ?~%)*8iUn*}A)fE6WclY%y>HzWuMCoAt)hPLweVqcGz zs{}>VMd*baGV3%x^5iY=ShUSBAfok)5Z70I5UkVp00I4&7A^?&4Vw~j;Y2(?R<0E- zJfe7L+oqs`th8l5@G0p}rx~y_2dmuf4MFGqmc6m0q)Ge5$9d-FwjIYbhc+8uRIFjg z3OCO64@Ag|yHe9Ma=1+CaM!~yTEFk8Uwd?mo8q2u~?Mx>;A`6b*v zI4V2G-o#(r{X&|Sm9C!x8d=u$V!T!CF#Hvf6n0{4YN*n#)h=s!&XYFmpviD_YEy_L z0A@MQjS0p<<^EJy_sRflH$a!VbfUVjcpqNmr;+U^$K2JRlhUpea_9E~dj;k|3+*2& zidsHj7AeVeCS_iP~PoCpjfi7ZVVzcTun;J6ujarun8iceR|yeLLc zNMN@H@55IL<+WyX$y3+CcYPgOogCfPEUk4R27q6fc zfRadwJ|-vM+PA9fhqIyWGtZf`M;c6ei_L+0GfT_d?zTUOMUu=uiNO+c%FpGV2+wQ! 
zWyjL-(=;v>6-Yl&-(&OMaj1jbE8?4>WqN+5a9PwL1z(()tT|Y(-m8%BER@#txNrMAxRU9bn3q8bW zZ$B*khR=me*!la}AP%3P#ZP`Yc~1V_u}*c_9wkOH zjQ>qTOO>QVd5dv+1`Y+VMgS(qwy~=*uAFjS8?5X8z)9ZBukY4N+eHt{Zx-kh?ii1n z8{C##a5*(@A(-VoGcUhZu@Fcd&RN_roSPo%+EG}#D^%QKB`%U_K)U~SqLi{HFv@Pp zIu!!Tbo=tgZFtitJ)2P_c8S8C949eD40>i9(I}s{-HbSM_qq4%yM0$TPPE#w)q1w` z{l&&r7fs=sme(%K$^nIr79=+XgI@5&+MpYI9cLivb z((sR$&btSD>w_yPxiN?cdD_tz`&wigze#R1z`{}i;Uw1UE6%j+e_xvvvyk730Y zJ1B3`TUL@!1dSqzM0M}{15uvQ#(Zhx>`o|I?|yWVY2%gxL%DjV_J~Ya@Q6m3_pY{a zR@=ZacAqCf4Xzg5s)RpFzTsd|d=qTCE)1fJd*Q>Z7G!ZpJ&cSz4Cfk`=Dy#!+DRB6 z%UntGdpi5eZh=u8TzsPG)!4TX3gVgBmuCzi%Mi#+sp-O*{9W-CNP!b=Q5c@_9hi6q zW4cmDJMfL@S{~K_hvyY5YC8mbbXp<0Qhm|p)Yg)5%Ey>%N^-~Z`*7}FJ21SILMEI* zML!W{P5Yc@ad4MNO0pO5ilR$@*zxS!x9+@6fy=LnojD@N)#X0FrlVAx|D7pPvbyA*JA@r!Fscc292t$q3y%jh>ppmiO`Bj zP|W{x=2Z%1&X$w{2K?#%S)=W1*m7g<|Z7U?eihVG$iH~jas4(Gn zJv#8HhW*q?S8y95%2WG7z)gd}wlV`}rvA~kn;hx2%hlQC&ro#vj;l3mqp@PlbZzY? zF4+&yVIDX;ES~7byjfx_+Y!e;U>jPPjGCPCX?(+r{v;bkKuPt*Iy7<2OZa9I%aOH8R%@6^q1J^@LWm21-BQ6zR*o_j{w=vcA2!p_JZp|VSkP6 zjs>SCU!V(-D@8OC!V0cPb((Gm!MzwG6sFIOZ{aKWf4xU$0~%2X@2r;#{Ts z$(gw)$`7z>7QIZrzPb@|r&90xF{CZ>LwSL5B_@!xYu;m~sO%OcLMmd@OJ%#zm|~?3 z*MJz7f+tKc@Y@X!L5a?yd8O{o@7MI#L%S32xP(X3>SW$gudjwFEgp&$c=Ds$+r<#< zoT(WZSt9hyVryKL|IBm)oouwanl3AZqGVPXM(~HaIZGc8BIHa69TC$_oRpMwaTQ=drJ1;w-FW|z(MrpOPg2sRme-DKEoRKj z;y@udG$`1&Lfl_^<@(O*DT4ibIZ<)rubxwhdEd2PXObPBpO?G+DthZB%6NBcfyyp3 zePzjEuSU7AgXM#~)p7-kQz-MCdd&W3zDUNs=6ZK-=(3XCtb)IwA@ly68Ntl;-Ms^S zyxK5@wG%6oqITe#^pjG!>AzT!Xh#b5)yS5JsTlvUR~01$R4Y+Ft!{|=ie_sc>`?8~ zR&7C?9ISDAP$`NCFQDmH4GGVkd(+U_-vC5L=IknOOX;*FY5wodpST9g^DpvCUM|&p zMvP6R69?uqdl~1SztV|FKt&Y1HdyBvW_^0V?1EZ-bBqNv+!rT?!;2!q!?AZ1%`+Z{ zH@Aa>P8I7&^W7IY3#;Y8$Fbe<-FeCS-rsX(x%~+#UaG|l^A{Y`v`1(!oo7!vS8PQ3 z;^^rhcHBTy>E&{o*E<}_yC*c&4sZh{=0$FgydUp=@~M}y(cuu5?i=O8#$n^R%S4Ub zVQk%D=$_axw0Lg)-rcuS)_|>6BvUfzW*y=K6G@yhQdW^Z=tcHQvc*hZXp+3IQJ=Cp zc1aa(`G(7Z&LOEFY4nz<)m@yDAczWlc|Q)w=Q#S4tcj$_Nd=j)Q(G9Pwq|oCU7tB$ zz0`R|vD8*@|I9Mv&yy|=dy1Cb&D<*(u*;Ee+;Dg&2I94^@em}zh^+oN03SMlSDMqi 
zo*Fp$z^@uK;{xWoVdyBZ!1jQ!_JaA^(tCA*MWGq-iSadTp=j_`>OT2RLJD{5KHJ%N zxi3E*4HGWGVo;vFw5Z=lyZo;*FyR!LGUc-Zz*#^osh2+-2*NbqHOPk_fh@nszv< z@yIT5F^4)QSmT_!py7P)~; zMLUuwO4Aw-Knw!nFgQS_t^FuW0g=MV`l80|IX@*1V-!J){O)8X4;c+WI7nDL2=%Q@ ziwAV@3MW-Q=sQGm>G(Jx#C+b6!y^PgB3QcNQ_OheC^jLDd3JCE2O7!^R2k z8*42MO(q;et6xt;(L%*llpbb5!=>b!n|o8dzBix(XJS<3%n_K zAjUaYQpeqgGum{d2q3-V%x;wn(CB%f{o!+`8&!`5LV(kmv&P(N2*X?I@A%B$i1|bh z*#ccvKAM;AseQdW(wXVA9gtwNAw0k3)6tsHd)D11?|a0y{%Frqe#BTGQYRLi=E_&W zPZmsq*IgW$TK49%LLo+Dven_KgSc)9Pf;@Y{DBKPp|Ys{oHWfT`!8vX3Ud+s-~K++ z1Gief(XS1DkuVobqenJeTwWU8&BjmGp8xRFsZ$F^U%2(2v8s_A%n*tc0u5DH*PRvw z*$gd-+l|-+J6e0Kudl8s*@RL2I!q5bNqePfKt#~&k+LCH$fh^MD%gz6XbN47t$mJ- z-(J^8wiHQYI~h3>dQ9F!Q+%TloMDq9%-9MPvD(>BE3Ff^XX7_k?ozgj2IK`Tso7aG z^v5mIh3Y$uJ5>xbkt5D1E3Lx-hvVE&cED}yy?(Y+c9)%^R2)0L+yc9AJ~b|CZW}r9 zt(*K9kVLX7k0Ol&;&0uv-wfpg_JA7};!>KFZvV8f|0Unu_fdSf`}Fu2qaENHT9NgS zWx{YCF>u)AFyKz1*YeJN!Q89$4K+ZkUU3i?9%s2`1~DI5#^ zZh5mXgy}{q6&kl85_D;6A3A;K@(UmC0te(r>{P>8=PcNBp-9-tiMO9bU%bxE1CI@? zy?)BxL~!in(zMMO1j6OT{ve*_w%=_zNgyZ+UhSx{?qvv}^~wg&!q#&-R4YX&;zoC) zeEvwP{FENS5O5;c9&|b_-8-*474ZEWf2#xF4PmXT;2zM9x!;_K_$y=yQBxbA zL!#G7wr+@&1(u||yueA+abS*Zv zry{0YKk_7kBy)+!m}OSSy1y7O`s9rquc0A&@S02uJouqM-*8jblue-#)AE7@Px42$&|`tw@fR#GMC z`8?t>c~E>30h28`YtYcW;IRLSG<00cZTShfM-C~4&M*-0CT@PXoktRweZgg(4#RGU zt@#k`L>Ci!ShbHr0)dz=^H7)7!sWZxqgZTg#fMWL$Hy!AUNa#MIgkG*qB(LLsu?Z8HV7`{7$@I!v;{a`gs#B1N0iMii(eVEI&x5dvaNtVb0&tvOn zH}nvJnfyqQt4)E~A-f zx?0$kBUdoVYIpATprXE(81+Ny`TE`c!mP2YcQ^0pke8bmvRC%V@Gq9%a;-8jPvaBs z{(^Ppxd4}Y1Jn(6jK#6|0l)I+6^a=rF>Ul0S>7bgANPC=><^<5`WQWtWvH)G)VEXX zsPlDUiGeQ}Utp1FL_D&WPVAZy4;AQ-=qx-*v#Bp2lP60G#60cX9#-^CoYXjEuS@-xW`9u zu5~dox*%#9Aj4%RHqgD|zVlc_zb$LN{4H@YamRBwd_#vm?HDG6@Tn==I4;_5)U8>5 zG>La1i@jmA_Jw8^QyXwlEAppp-yGxQ8&Q|V%**ONXddl8a(3$JlU#{3k^8WG8nXA% z{_R&$71S=nAhW}zP41~sjqJ9WF5%9f`m!(OLJ|Wf2m~3;oX4$gbI4}2}?zE1$Jlm`hC2+vJ+$vKBL6Coekhwh>5+mOu0Ti zIqZ-)vOiL70o9jsukdhXx<3SOuWiPt8dbSU3}i%Yp`Jb4715pbPZ&=YOK5eN(zG{{ zbT*W!M|u%yN=HN6eo^k~kE)XSvDiB9F?iOa$sO;`(N-`#rYc=Lx5YsL0UedO5Y{cE 
z8n`{}>fq2#MG&%huo1F|E&7^7$XtoW6jai*E)2NGh(C1TPm*Q9=E3z=L>GM~6JN{rPmQ$kNJ=GI(bVWd?(wYB~9|*7+!p8tM9(CW3=H|J)R{rl#t2 zPBSYVu}xY%*{KTGYzM?wRxpxi+h+||Jd$|o9H}Bf%QttU2)UdggMcO)>DuKjIAa#| zYanIbwnKM^Huf!q-910^4jhk8Hm_YB%~zc*f9?taEl!Y^-t9$rE%m%Pe;yda zbv1U)!9n93t&F^tMJ~IFm@;P%&TSpIzqE@O~bJvB-u3?JdG(#PiLsUg5vw4Q41RKPv6%O>1A{o~$6 zV^obg;`N}&*=A{$V(@#(+WA2Ngxb1nc{;8*h?<>>l<()P%_ulak|7*5MaW* zP-Ntt2NuTfC3YHNgb^I-Z?Tjuf1s!k>R9ydX_bUDT#AE2Nr|ryF*n* ztf|n~|&hCz!h3>j7I>`v3E5Mb6 zeb-GJ-#i>Sa<$~u4T(bGGoMilL^~EU&!DjSMi%5}?As(#!T)w-N!vZ;O@O!rOv%xF zX^%?MJcD(=@g)j?0(KAj#?J^VmVuukHq|xES#0&9WAp;yX5;(N>xgYH$j^~>c8S}| znGVz%L&pq>fd`+$0xXUem^0z|+_sPvqz3=YFf>bEHJ|Sq`2Dh|tud-?%)&+GIj-_w z;;;L6XdT;(IW)u{C3)5t)l`y3?A_4Kzxe~1Z4bY8fAH1@(Vs81u|=!tM!v3d#r!xS zj?(WDH`nLFk#(@X$5p9o}@ z2amZ|dz-y^vqQ?{~_+D4gCpV^B?zBnzDEVw!~RIAWT zxVhcPZWQ%3AiCo}A!iCqF-_hBc;(t{7P1k^Uzx-^=Zpdmt2(2YQ-{ozUKEPLq=aZCLd#u6psU0egmT=aR2z@d zr6k*GpwH}hknD`L~@8+vox-^78ZA0rpkGQ8Z|CK<11t7|LY z#Sqi5o0ml@fAw4Wn5{IW4={e8I}C)<*P%8GSQ$ukOSycQ{Dm3xLrQC*jfJuUAGse; zayjGK6p^lp&!kAoMzBJFePT_#*ZdU{Z+K)&oqT&P&K#^kn%57Nl;>99T1}PFHa?`u z*?H0noG@pTE4@Pp5whD9f!#}#^ z*_7nq$NZK7aZ!fEmC<_@%Kc;tAFTWRbE|BPi*_g|9}p4YmA1K_&yYc{7izbu7A3n~ z$KbmAb0=-0o=DbBiofnt$GWSZt&=tUR?+hb0Qt>goFHP$K{=GH8DW3Qd9gcVaYeJD zxfx14y|{q;D_NK3_EM{8e0iPkIrF@ML7q-DeL-AXmw0H9?E~&hFCvBMOqE?e8$3Q2 zWTo6N+)4=uwo#g-k(@aWZK%9Yo!h;ENWS^@;n;c88Qh#q=pIKJ7_lh#?lSp88zx4e{C2E+mj= zF1#>apo)%GU)+|BYZ)22OWC;e>zJ%R#q3`7kDSNIl99>m@e@^qK z;c;{BLD#Q>k;zh15jBQ3q8$=q<%Pk(uY8x^xIYLI^ru*?hZd^pYNy^${gw~S>3*Dl z_I&RP$p4+P2yjE;%5!D=$ocA8%-toY^T$u^{CeE`+d@2R7;D$qNNcI9=Tk{Pbf&4R zw}y=5Q(q#Y^e4oCCIItzc%3WxO98E&t~yNOlhgfIN>lT9S`EU4eCqyAn~bB{iS%(s zr>3>td0&=u*MdCu#fyfQ=k)Lo?FfzSbP?96XRL5uloyck6bp=Pe1yh@4m&dGeGO`2 z3hNRg>^Q649bBzJm=!do7M}BROygYA_119)l9$ zrH3$9`z__JsM}H{NG-QT-P$xYZ_N@i-ub-p(1y^sqrHXAapano$;I>@AGz-4UFV#V z#pu;RZ$Mu7QdsCmXXmRV?})jqC`kG`QeNgqvnZbD&5Q^jF-in{b+*(O-gz)#-do32 zZu}q0^G{iM6n_PO_m&7Ed@I*&1}}K1`W>;IPjOx2_9Xnb^3jZHfcASOL%!-#1i0(* 
zyuX9~=#P|7Ju1jtft(ps+Ja9;yAQqdq3a1&-AWUo5UfHjsTxTU?qPxMVXF6 zFX#muJ%%jK#!7GWyZ2qb0L7}Y=v(oijdsWdne}vmfOEfp{bowQ>jn5d;#2pPis9-Y)5MHu~~z*oV?a2m#yooL8XV9tOc7e zlf2jSw{eIu&roe$!)MQh09tP zfA^@}X8*f_{bIpjA^ZTFj4NMJ8t-{fPhrl#tqjt-0^FL50r|q*ZY)sh(DJJ)7GR!y zy3)OuA0Q0u-WH246C;3JrWHJ&aoFf~Ca#C*qn$*+emW(b3vSDe5d#iQCt7xo(Urxg zjpitgYXpIyI)~F-Q0UyS#dh#8YwUsBu})}J9M`FkRzp)s-L1=uRurQ(2Ijj{SvKK$ zop%+Z3X&fL*kxvprWyex{;}+?e+VS5mrXM9PWQ~6YeQ^3&9OA(p0@dd0Pg9ZRTvVhk`MCuKBnChCZPCaPeCZN&3 zZFnkTGM+B}L6DDu-~opu^762>VU3j}QoYbsidpF?REh9iHh~Dab@SEjn52`R(^UM3 zC4kn|LvZka%gBX4dC6dLFQw0+;o(4xb~<(PErt7G$~<@M+5z&Qc_nYO?Zaz~cduYZ z51T?1vc+BA;rBA;+Z=A%GJO}pO#g}_R|SicDLtx7k*7uamNsNoYH=V6*QaG6gsl@@ ze@v`oEl9SvNvJgGv9Jk(L49FOZLPipa-l|u(4+80rA|~c&aAIQf`WpF+4&ljt{H1V z2<-8sB#qb4DnH(`Vk!gO%i47JfaiXTp^kRPM=8p!A^JM>c4-rnvRhcP&P?4gHsg;^-3NsN1qRXRDU{ZLJBE02p; zn039`;Q;CCq`RYo2!+lXGeg;Lz_$ze&P}slPf6U^P!t2q;l;@{oxJ|nZ*bRhnU!YJ zJ`4F^_RIS(k7p&QAKrOgXkSnqjJ^*k+=g#O8LAQ9d~UfCBJRg|t|emW^|ZCC9`Z0Y6O^_vu}viZs=r@8SGN zF4A%ur8#k2%f)s2pW+e-H541MzqWRvh5L~90X?rc;6da?Y|jTzqgTc5a=-RfGLOEX zJs@ie$!Dh!;D4Aazet7u`M_*HLr6Vb?5X9q`L7_&Naz9 z0_Ymsw|hJ^8;iekE$$hoEN-;IP+}qk=LBu8eMMIKrFk~1Pj&BT`6-9Z1Z$j{Eb-;*8sPL!|2)93_` zM0&y0A`6nmXdel31%!X+wQYWj3b$Tw0^ZN~?>mJ4&AUAg29;V@Rw!i7)SLp0y zihSn+9+D-uaD5i=Spg|NN@wo#Jy~8y*7HiU7!m`_OSf9XmTzz66u&Gga`?sN0r2o` ze^dCYe8hf5)K>qomD45xtx5AQO5XOkBG#6SZRxVh$a@B<>N*W`+sOU=cvlww~e1{+qTWgwx*h_ zsV3XDT~m`?-)gdLYpTh%ZM}PbYrSjrM>uQaboPzw`rOasIGTjOq(fc|yyDaMz3_wU zbaZ_k2|xBPX=`Cy6EU!*i;P?hM{9RUn&v+T{pu>9JD26n$Cng6GEapz|KcnpQycN$ zjAlhPA#YNozBdZKEikJDIIqyMT!66kibBGXp<#0Fji%%w{L$w6Q&miMB!ZNZdO)mn zVcW$IZ13h`wEPQ9yvfPl_0ZFJ?g zU+V#VZ5N|&`mK{osf#gC$3yQu0Eu1sa?~(;*rg5W(GnSpE+)LJ6&sE{NH((Q;Gt4A zYwX;#-RP?xUPD=t^&hfe8yyKhQGzZLa0z&RAKg##k-dkV1FJ;whJ^9AYC))br(oGi z;ceVpO<7h0Jb11zr^R2MnY2G%9Bn*Z*xx$W5>@|%wV>JuPj8gNmC#57zuBV3KE??8 zHA%UauC`{Bu5!Kjy(IaM*Gi)Gk}%YBo9XgXZ@r7|rQ?4e)U)0gq9HUE!T}R)$w0Xk zh|Dk8c_{pJd@}vQ=v#fHu~VBpeM(dNLVl^SwJ(0T)#@3K$H-$V7cmVR@|14C&XFe# z6{Z<_9AYlNMB(SnH>bgv_jPk^zz$%g`X6ygHP3t9*VLTA0 
zPMc$q`2pS#VE{^EyJIQiy{U20+eq?;JQ#kZ1d#7|0Ze+>n~7#;{~)v|kC#!d0|aPn zWb=nM{ssUb5)HHQFM9c2{DT(M8WGjLKDz5==)`eJFPg|-Gk4TKZAwJ~du=@pZr@K8ZU*>zR zJ^@sd#HBp^Cg8o#?8XxS0JdyN783=_sL?|!?^v`;ApTA(`Nd`q>D$)%0)m2paNFOq zYOsK7;~)PFyNQ@zCO54ToF4y5{i2#;Nbj+BhOij;s9`{JB4~iSCI<6Y77mWqR|m=p z_+RoWGkPX9>j0+;@YVfDrq%2tSBy5tc099F%kKcpJs?}4`d1SUG*UJi)S+&yfq(tJ zn|td2fZG0#-i>)kojV0D7*qJmH$~Nxh4cD(mhCQr;r=p`{5zLODM1dJEr?>bm7jSobLtf`Setfnn(F%9_u)tx$O9;KX8Y+prv3I@9N}2=gf1S7j=iss9)Sjmvl?) z*ZInq32+3ws*M1h=st;Lm#5&nv^Uk2Pu$w&_6{%?Xym zJ-UN_^Jqh|zpSoDmtvB=9#|cxsEpgs74r^<+2{oQ#Hng^ZmH7u*}r z7Dl~?r6(bo+UlUHq6ZzT86N6f8mz>VL(`}eoaAIh;`vd@C?Or9`u959f&4u{o^=rbzNZ!#YM0kG~(3)IC*7JJjgZQ)WH(RQ^NrdgzLv`)iHh%AhE0y+d zuO;&uY9n^$w4v~4+cm~X0sGM~;x10-D)I{7jd)!@Hw%kb&2F_VFU!Q#GyQjRskOaG zV!Nu(Q=iLR3`3db=1Waf}F6xIT8HAJb~kOgN*++L zLJVf~xvhtZok=4BSkw~}ze4r~c*Q2zIjqr<4|4{V5kh+c916Sg;n0lD*(UdSKjn&_ zn=KlcskmHYQ{E+(9TT5R(a)v^Pv!fs2eL$f9tlb~%c}8(iPyCpW?Y!LFFV=ydaW-( z)E}cM_p%2=SW5+xs#)P~s2)LltB>n}huZ)rW*sV9`#sh(L8w{Jii)1@hvwD;OB7wV z{cl0)oL?j{nbaPAk&^&CPGYdEFAgg;uk*!;p{>e9kKbzn6O1lcNxbFoig6kx%>`}K z!ai|!d2sJPa;@VUj_%;PcinM{njUiGA@LrmED{oH3&^bs;mm7)n3LJLQpxNhk|YD9 zjV1N)>JJ;K2pAOU#ZpB1z41d@Lg@_lXZt8bVIQJ0AP5OfA` zurAj?ZA|0ylw&l5=W%jWL3_bC9F=W-H5G#+jRk=K@=40eYww2P??gs?IrGfF^mzx5r%AeB2(Fl1_9r-zL3ofZvN&SLBH|nH$vm^3I?;!@*@%cc~Mju z?-(x;_BWRVFCk{TWQKbq7@=Tf`tGSo#!aqZ3vg;O%pt zAzkaF?ySGkCTeVTIva}QtL_YrDw{YC5E}JdKOENS4-_%T8uAErT@e{fd*S0cTzKwW z$%o`YLL}0xjy)Rbzd-a086y8C0s}V`oQY-tO`}ttB^S zBhGeU;YD2CrPX@Df5b_rK{`T$rsb5I5$S&^tj?>SZi3Y>UECH?M7|(uj;ibWIvY5Q z+$|DG+&ozQz1_k4jeY0CI0*T)%dk1Bty&sI*j@|KB&gqrV$L4iPFdT0|LWFdiuz6U zv2^nB`%AHj?+ZjoPlY&L@5TwmQ`3`{3w`XN*ve+`!t3I0|F`O8m#HZ1P_jXRK=j*t zyNyFwcLb>tL;6~!^5cI0DZePD{r0Md#GUL2@8K$mu*-dSBbTk7-o{=sdPi1jx35G6 zjGL(~eR3I7c^p@658YP=8$ZjA+9Wcbg$XtIvD^&#L*BWhuTSQY(uvrSKs{97uT4*POgZ+Y!TI|-@0EM~x4WW%wm!`JrJ?2h)+DQ(ZAy;8<|tI7yzy6+b!31wv1JM^=gbL` z5pwFeSb=nTV_oy*F+t94IF&6s7xCw);A?h&k?F2$ulD^9v^(yJ@FzlOgH|%c=p?}& z)4BXP0*8YCU<^s@hq|KCcUt`T*Tei`i7%^S$h%heX(69sC;fRsf*C0hFpcbaDf1bGZ67p 
zb^4Xl6{*JWY4j=FtJs)!L%i1@K#TO$6D zFfWBwofzRxafMy8ym@+R25^BKBy*)okf3=kPPGtx)$M#uC?9qgexe_vy9vKi0uKJV zm1$VDw6^5|nMv2}Lfmw2>)W+gCo%gs7BYG^Ttv*$sH|NJ2j=dP3vVXi=d!Z@L=}A@ z`ov?Dczk`|C0xcr`_MBB&|AeKbDJ*2U`BsX(2-%!Q5Sz3EKM)aRT#dKo^lL)93ajv-sgQJd996ee3D%~Qq09&|vA z%fhf=CF4V5#76i-jE78^kL(i$`D{Ac*J@NhG41RpWRNc8O5Sv~Bwxuv9RHjZ)5HYc zVs$>-aCr-LAVe76KNO2_NKV@`ZAD^CCK^%(2{Lm!@inhJBmpf^KBgEvZ}nMvCsZS0 zCr6Idd@`voE|`LUoQtf6*eGj=GqKy|6$%~UNi!A3I2@levI)>-u1i^0fCBdp6|fg>q%ZAl@DzouLwk?m?|0AjpkxXl)uWlNm3*+|fq zB}rFmMGh4W%e~6LumQ8p8keW#&&qD}G$pE%qxr;yV;(RAACv~Vn8)f|Id|YH|3KYc;C9urHFgOt?nOYBC z@@{y9IY6`Z1dzx#7iy~o#+%!N=Sp_Q{T|}7^Yo?T^7UYT+~i$NQm#Y*0(F=@d>6}x zT%~}TdlotU>`9}x{~cCT-azbW)UcWsMK1+DelT`%cIt>V10~@}ck2_wetlzD{%}M% zdWum`?4HcK;~r<$z#PV+$&Y#PoksZR*Oth34Ev$rQFk>zEg+;i>b|Kl#(#@29CzF8 z_B0eLRu})RX*3xayHvZ!5RqMG@|{06Zn5-Bu&%psjHaZ3A03MD z&vUVAU?u@oAQA*&^Pe=A7gLVF1GUKj8Z7FQ8b1x!pWdnh78v#S$pUoHl0j?ypZw3O zH=dMp``Gr`13xdW2bfEf!9;ERMi563^(tl&ufx{XiNn9fr%mQ>NE+U2Ou$sv8GF zn88Z@DKcaw67Y_-vT=vaTDyBxyIZ3Vw?tQt`&+G{LqXd>mheqnwQ=`G#GK@wK#|JY zyt?^I&>kB+uRGOfJQusYRXfQM#Hbu7R@_e^oU-eY+S)^W-akAqLnbuI)-Ha|khFxE z`sVeUNclrgln*_tU27^2rC0drBCD!q5ZYq-iuYJ&z!xQV@fe8p|17{5-KqI^#R6Elks_-2 z{;5tWV4Q_^!kC2?Kw&4*h}-LeFJ71P_S>4XLk9-Q)5YleNz zH5g#AMz184&slYg{DY&Nx*bb3I^Qh-YIrECeaTcCyHr*Kxpo-2i_-kJGI?P}NKIt8 zfhCWYlJ4McZv5jv8tz;xsBl^7%Gk{{6NKx%vzBd1JK0p7ltjIqx`K6DJJYY{8ji31 z91yI8+KBknAqfSxGLPDYOQuJ!O=E{8=sSOowHU0FoF?`<~Jbkp|Uf z?pd*JdoEf!%lgFu-H&k{8ByX}COMo!?zP5L1*YgwVfmvM7g~m>uuXrT#&-oJDcwS5u^O`qWxisswftu75t;XtqfAYBctovL6;82{Hf~?0 zL$RbOqmvlY^{uWn*WpmdB%C?5q*aj)1do4J5@JC)Rg)G225&;4$ z1dOS%e2!;=uT>H1G$ZU#nzQXu3c(=SE3;gU-S5_;*3z0}4^n)bDL$7lde2Og=Q7k?oS>tN3FE{DFs-r7-U`rnBBXy06rIPlnQ%}?g z=KPFnGC-k^359gvZJpAL;isPra<{-ngx;#x+XekFE+o{4N0RWlZC&x}f{1?;VVV+f z#%sjdlaTp7kLaCW5xxGtw7WICs~MCe zdrX)9OSUnEMnD1=5&CT95vJ%1umF$49&Xa`ps}7FCo5`3fm%hcaeeQhK<~ODY;8NN z9x?%aBQ#Mq`iR#)YI`&)fn;pmuG2&)Ua~dZ^V>d_9%U9gh*XIB&u?HyF8co}EehT} zZx~I;`y-aH<^QujrHdnobexqT#<73o*eReO#cmB8G#908xOkn&V8bHkAzKlk1XQH0 
z>lTLt0nsz&pmrHp>R>QHa5^VKr%jQQkPJ}^K}-EP0mXwI9aE{ z-&ocp?KExe8Ew(D^1p!hWZXg}FqEO0c_R}K<^)S`@6&}fhvT{cm!D+EsoioKvA(`_ zE{l~LbN>brz_IBQpE8b>;Nse^&-rFy=_G*;qNMuZ(9Zyt^-l<{zKrS*m&UI>e#95s z@@$d{d&i+liO5L)>E%!pqVx9jVaCuUybSNpgZxKae|x}Oq+n*ts5XS0cDwE!5w8C~MEj>U$I7*BkVs*1+fQwH=kwZ8a_Y;M>v?W%mV9`Y z(cdN%qB2qBHb?k^V{;)=)_mT!W`AIJNaYgy~bbqzpz6l8yH4FMsp{hzz&J5G?dl@vt0N@ zuGD<3tlWCP_pjsAG$moa*U4&b4KPsCf(3j8T4GaY|F{*_I_Yy1q+Th{UL`i|Uh&5iill{J2 z6pG4BlV&{#h?|aGlSg6o%`dPAA!hlqO6R6Po(O9c_P#4Kv($1kF`crOIE$t7tdjJ2 zpNAP>&z2g_O8Bv)Ym1FFf5*uyLFMn<@l5PtaUlQHc7*fBbBVCi%+}qB%Xd!$Cw)-i z8teY3{(5C5DqF@1n>*>9>=3U*C=|}_*`l~C8zJY%%z+>Q=I^h2 ztvZ1nP2@$dOa5ID0lbcw7xHaT$?tQOL+&JUtr*rQLh`&w$9I5(w5{tSc<5?GY7#fW zVb@psya@q%&>|TeiV3%EGly!2-s;R?+1==-F%(`QaMV<8JrFiq0HJyQQ37=GSFJ3aCGMS2iPY9v6h z&VzT{H5!2)MJ7f`R{@}ELSmC66Ef1HWIAQS2l{NC?G0-bzU)O@8XzUBc_YiVf(dZikr&-Q(0Afug0x20^%+*__B8 zsoV?><((+TIf6$>J+I*e5$C2pPZF~m*wtsh^MP@&htry)PVkxxm!i-X(vfTge59xP zx^NRyWYA*#Bk9>PjCf%oGWUt?a!^bFDhjcQ&*bKh(l zsz|4X0u|m5ojDk!V~ZJ?K`5BwJKrQpkY69Iwj3T5J)hC-T%s&_)6$Eu(Rd#V2$CQV zJ!Ui-4rU?f-5nT`0iMCbrM?@0(30Oi|G`X)gOw>Mw~<4f&ciW&(WSGpGCTjrys=Au zB^W`HN~V?qv(}|iMy`g*i)MHK$EI(@q=~WG%ho$ttw3dgJ}c_IIJP$Alb1TVmCg3R z?zchEvS|?z7i+$N2S`;E4-BwoAX+w>_d4o&)2yu64)@F+yD(-6^vf}Frrp~2-4K4& zSTHhKxssp)tn;#Rj!$Cg5UBpe)vl3Se=K|?4~I5jmA7RN%lc>jP5l{JwA2L2Do*?! z^K_yK{PwSw6ZIsSuWNm%3@}Mzf9wf=N)Fe}_d+286|!vL!@4TdtGLb3%rwIDedm%- zluk#3i~p&bN@1fE!Sl8#dY|4&jsARtgfx1PrRxL2Fn=f5Gm_I&OC4RJu$ghZT}0Pr z7}M93^Up?BGi~3AZhW!d3~Qct35YG0ny!llqJLvRKeur%K5YbptFXE;#(mN-LI~@% z?JX9-c0SoI&^+w^n7TcFUHcYS5XW9|e_uy!L-$EEZi4M((8u57pqZ0{={|n+Fa3$Z*<6daCX6Ud(7{|8=Kla5I)~TG zc%4QHj8y#vkDHNb2_Nj>sh*N@0yY6NeEK#k2U#mjyu~{`&qYTVEn+}I=P>5$$QtnA ze{?l@?_JRo({O71?N~n6Bv6E~ibpcxg+>0G51tPw%9Lr?R#JyPJS+@x3Q)s_Hn2JG zf6>r=;Woa{3rgBmw5S~)x(3$$c^?&(qyog4C##Ro<*M(1;NJ1&-IH;{i-zogcOfg> zpmFVhZ4y4i>apHtd*7_f5TG9K{`1}*t7R%t1_Yc6_1wN>X@k1wm(E?yZ>=1B|KeI? 
zVbq?H!a!8{^1blSm8Qme>6!%o{;xf?%;-?ZgO3lrY z)OgUGWK4I_zxISi1#(nP~0Ur;7;2 ziuWW^JxK#?*na;#xwa_A%v8p+0Mmt+1DDVfOJT!I3k~VrQCaa`;8k6K7>BFc(@&6O zPqmec0v=kS=7^Zls-vNP%EcH!1Q6={GGsR(r&BgwW3!^z;*hcBJOM#a!uxYv6}B$x zSV3s-<+tCPi@90T$zFk)E6lyUm1hUFo~MG3Jy~7k{eJ)ILPxb*()j34e{S*oKdMdZ z*H^rmiQr~k!jkXI{b=`Z>kiHYYop`nvdt;vj9ZSeeMKLBCydT3u&aNISG;g#a5Ac! z4-$ms)M8l7R@Z%z-&9K>bs#pVoKFp~bM$xWniyvP(-gt5L=2YK&;jpD={WZGZCSh4 z3`|cSI-VDc_tx7)VbS zck0)u0aq{ds6HlziY^ECp7m3yL1yx>wW}f**!eI(cX_r{EdiUog#kHScDO>m&*9MQ zG)SlwWsA-zeo1l?T|UsN90`Y$-KvV1ph@G~;N>@|kA!t0qgfPOIN~C|$z}YEufpR8 z-ZI_&o$n9Bu?9=3v7wg-rrX|7DMBRQjMSE`3`cIJdc6qATW8Fq+sPPS##&Dde)NTE z;Iu+CKKLh(;2QM+wu=W~6s0(}y(ZaF?SL@xspMpLf3PTjv*$?@2b`XLj7x3FoAjrv zJ|0cB265wKH=E;=9|elDfl#`3{a?Iu2mU(MiyY{Xd|I+$sVXA!J>Qv37?08Mn>;ms=!EkMeTvZh6g|5~zcuI1LJUjuIEG zK0ZpcT{EKa-FbA_Nbu_NC|AA^(rv&EIB9jKID8h*S$f!>K#S>#5W`r1MHK!s-J2>2 zXnufM1GL7@Gb3lc=_K3`qRa=~_5{b5-i^Pne+!jQ-m@rvLm?sHO1A{|=`+jh^DwkI zDULGbfN@N<1W$;gkPCva^>t;Ct#*eb-}P#~_d)6@Hj8Yh<&%*Mvy0ss9OP%nMhjWW3~ zxxOHI9G+PWu!r{scGovT<$kAe&MNgB+H%f_@6E6!P7u`2jP`!`!neoxIg7qa9O%Gv z3(+W6IKYGBUu;uv{&w!RxoMNXLtU|S4s_nLg-QA4%~%V6_<>a-R9EK$%smO_`Bw+g zfx;#x*4o#;A`#htXb2}%SoKCeJjjQ{1Z9^PXiKv3_21Rz$A85<=I21qKXB&hFY{4* zYr}kIp3$)jgW^#zQSDGM`t|4>DRTF@w@c@2JxrB}YU5-}0Z|8N^A?9EAwV|NME-&q zF^4$eVm(A}qF=a{pjL?$LO3iu>@0|}xvx9vS3@JQ%i%E$zeE?4VDETGXSDBao7HXY zR{6Tt6cs4SP8bMjG4$&jrlE^r({Mu=t`k{sVWcaJpzgrPGdDiwE1F|}Z9zJFb;1l9 zkz|3+4m-CVRyFWHG=jL+4-XFSSu>x~P#@&o8=+*s{2de0jYRMXDST@~;&gp!#OA7U zdVDHoBL$TJnBk<|Is5^cxU3#*&zAw;9esHv1u=B0kY7JXsM3yI_zTEm#F%5lUYgls zX5NP-MY78mHt0mXO9w6?(X^%NELDKMk9TM?E_ z{`F`rU;1_~&zYUX^;{sug1{XysNJvmx*P0#EuX>GV5t}O&becnTZoZ>dxF$O%x8;H70%qxIz%%(9F?sDWqUI z=@=2>%77r90t(XJvAq)~10uLieMDf$>G5 zEzzI@A_0nAtr+`zl{ijshin0=cb|G^FQbiJ;(rOsP62RenU|f7Nq#=Y6n`%JDPo@< z4Xg|=^6~sHJ!Z?n@KW}FgDs+a17aIt<>cTE(W5EQ2MwHAfnXhxdd8McBlm$6K6Xnv ztt2X6v1lSbWlfu`fp!WA=n@)W(3MZ&uM>8CbCLKI-;a-sObjPg@2q1tcOBNRyC;Cg z4wQ6U)9gzIZkAyH*^+&VXu)?FRqtb;7lV+0Y8~ zNCLvi&!WH6F8zUP-FTyqpa7I9e?>IJNw`sH5G|7lAM+tDa(M3$PyhrWtTxf!0G0_G 
z&A{1^G&Y8IlQ_&`+~ZAGPo{-XpEb>AG?cD=^Kls`Cf53bWm=}>ola8TnU(%-NrWSN z#ZDS2!%P$EFP}+tG>)QE@gBFP(>1c=)1j01(?~Z32qb&6FR_4RNESkVKBlBc8fio> zF)ynC2wCC=hkypid8hVDKuDeWq`*$mYC&kvFCSSwiu}t=3o|k>y~!5K+qTQC@){9& zfw=zp7X%FQhbQljJz-4b=*JJ-L%i^y2NRQZX`C+6@*;3$g_g}Rbaf!$E658yED{a^ zC03M}uj7DC=3k36J}-=Swa8DHmZzQIZ`C^=?*tKNZ3wnFwKlI-6R*D@>-&wU1rw#|a)AIp{SvFG?<|shI;%KejZHM}l zj5wWvNZWf=(dx$B#Icv`R*Dr;B*BDu%=fbuE~3Z7H&Z-1`H4(#Wcnuq;79sn@>}OFRfQ zVncaUyzP(TWbtvV#Dj^ZqP1p&=ky6BGz)1p@oFHzM&WoEf?S>j2es|tL#{>yE&Js| z_*(7e4Q!CZ*=1V_bg$ek1M$>YEAYM&BYPuY4W15YAzJq9O=uSmz1@p%HXHrcex_l9 z(<3U@AHj(c7CK9iH*357^vTP+Z!{97xGsKa6Ghj}MDwqihqtE)rAuh9k%)UdB3A0c zNVm3JWG5KN-_Sk;T7RQ2mtzxdUCq?Expq)+WUL8QJ8PV!Z{kNX?P<{$_OmZ3!7E<3 zq?HxXARgvl;ee{;w^Rps=+_#WR_PefVOR|Q z)0D}nJt>9+Cq4~AI%5A8YVhjeW}v0Tvci@iQ>W(pqEOVSTweEO0-K<}``GG)?=y2K z^x|hT=oVwJg=r3E7Xk{ChLhb3LS>^s#I6|glCZ3lHzRS7)U)y6RXGM|k2NL`-6hRi zY5`rm8X~tJH!Z^1u0w##Z}tSKw}1dJIGmQuHfe(m}@T$5me zh$9J|{a2ISzw}vcX1W7TZEY|drjx2#@7UxRp54gI!4kX6{c{Dv9=|oYEd|LLU+m4K z+1c-tgrcG&BPdt&0mmjjo*S+Ea{Ap3&cfQPg=HK?51T0WfOGqhV?I)1_5i7z08QO$JxlZCjYf>tKDf&bluU`>On9d$g`GM&wui+WY^DR-cYI7ieQXwCq-Qc&hgJ+9&1xECcXBTew#FeQKv)$$-H_y z4ChF*QCPCuMHxhRIC8cqtS%;P7>T4dK$m7t@7BLf&Kyl9tJuYTQ+WFXf_*GDGlkHU zfd}tCbNi;i#3Z3&=BB3LRrbU?W}^~BamlomLbHZiWGr7MZQPwZHM6v)5jDstX%lh} zS>a<<-4~Z`BN7yVm}|y*tU!+cUqL(mW!5WZymHI*!S%iMSC5bB=7?WEj|HBuVlk?y zpD2x`_x*MnrxCbK0qo1In*~}Tj^xlkoCU$3JgXj%00Fb5pSyXH0MTRj?)9nFrF7l* zPOn> zAHqa8SC^%~8h3kN+>!~~vm&zQ{STEOD3CO6`LbQYc0LUdSLT4OH<_j`3+NX)*-x+l zf-z#vGyoVu5w8h)RXyS`xkDDtn?aYTwK_oRs3?H2&wlpMKI|vf>BI&KY7P0*1T5ZJ zD{SCUW4yrC1_m+UzO9$uMT~{cOy12S8{%eB4MI zydYk~ggV1)Z8UMsI zqTX!^r}Z|lIDxPtYdXl!XxDj{c^Pm z$MO>5@2NjkJj=1YI$PfdB&A8eEHDmmM^Y%rv=wPyPz3jy)Ux`HNt|u?r)w`RF2-kj zqkw?`ALh>MJrBI1JcDAqk_34#0_Vn}9ZrAycsuR^dDs4C`8HIA{uLE-3kKk?(*C+> zEX=EJP&l{^jTK9Qh4o~_Lpj&gnog7L+*1rIdjb_eIi;{b*8%pY?%X@M+n z@UIJv=_xruAYnsRTrFk9U+hAGsHsLQ2y z#D4fE^(4#7u z9K_J0A6*XIS@J~5h*j_yS@^-Y9k>T5B~9o{{XYu;0WPU0Cl~_;J@VpWd9Jz~Gmx1} zJ5;B^GWMacJ0(q&qP*bVlkPZIiT)|9`-f@6yMsZdFHcP 
z+ELR9Rf$D>tvC?LlpoS3-z^=``v!wSclduWG%yIvQeTQp1_T#>(RQIulb9SfEw8A8 zPX=S|iogs-hkBYET%B2<8HCKGlzC}$s4YYs#-CP+@&Vv1AMQs*zzp3!rW}e+Ufe#; zQe;JZ^FCZVv^=uy<-i~zcIpdGrzv36a$Q816vaqg=So>#n**PmVp@E8l8*k~A?c}w zMU9Mp&8n&Gf~^737v}X1W5`pD0^R~jnJj8llIVMj#bt6j&Mzdus=fJbMfm$QncXp5 z(qgCT%pYxb_j1|?tNHx{7LCNEh8w3U%I(elfB};SS2v~+DS<4SVI?*D=<7I{QGDg6 zgZiDAP4${Iqj2&o|KDQa0KkpF42Q`!2zRy(<<-cHhT!5mB9mML-20t$f>mq@rrBzk7~ z2lip^ukxoeg(sl_dlA)t%4^sTxhj?YQT@Q}U1+J6G;48kv203wE@k~Nu2gQa2X1yE z_(ICe?C*^Q)4W)+mVF|!CA4vc5V{iyg}XXipqv`Pfx3VDcn=vr7CBTWvj5&+M}O4? zAL(>%5p`$cTd(@nLq>dLOZg;Kcc7@nR#VG&Q~}jXTOj%JYPchMSD>g5urk|N{1a9) zOG|;1(4lIP5O?L_qf5N=)&#ncCabtPM}1;}2ta6f^2k`yJdh7ecXc*a8A(C_GI+O}!;maZy#wQVWj+>Q z+P<3%#fz<%)fJndi&piF8f+ct#|S(A-8J=hifbTk^1 z9_jUFD0DddNj0$PsBBCV_tgbJlK1F|h;#4)kZ!9&@zSQa%*GcFh)*iV0VODCyiS-m zm)MF}rrc6p?7w+2V7>V->hD+m$C`RpJUC&^S=Pg8&O-(0KP73RJeo#eod;7!{FM|2 zo(6dJXc?&q$=iy*JpEX;yJ{h9L2Qw@8^a2*j-dKMx65iu?^?5=b~ZaRACo}p9}^O? zL<<;2jyn^c6^o3L;At&z`ly(!b%-b1TRS$yG8EF=pq@Lr4B%kQCao=%=!4%=xgU4Q z+=lB0Z)uqcYgN$_##5gt9wBR)yUQQ})b?O19hxV<_KTtax{c4{xZBA70l1p4DaQ#x zX0LfIkl5mTK!zUPQQLIb@k@!Olp*1eWTt%{QQlEHRiabZb0d6y_`t*npxA8foTHi zZt1N^;j9gOjo_MOi{~-9+}j`F)YrN<#}cV9ajL%@fA67DyEpp*-%&uQg(`}i(Sc_0 zy>WE@AGph5BGKf|ssNZLLaj{D?*3oJ?r83yw*Xq=>Dq;%LvLv$&QV;ahGFOJDdNTr zJd@9(m!C=|;8PbZ(zROy{XN(&6ndDxD5M`ZBZgJW$5)HdZOu@HD4SsKZ_jK+fVE4-i^R;1g-s4gQ!cC9$ah-Ug$*<{~ zFbk~oc-#5Vp|%NK-UoyFhAZ5m4g#=Wok+<^s8n@mz@&7wP8|O?j9*^5Mgd?z15fn# z1AttyL#7Ax;TX0!Mh3!%X)1@_UwKf+fiPkUgs99_sg}^K^$ZquYPAW3Nhyn5NC1!x z(Qa;hbLV_$+FG8FMkTEwp&K&2p=HJgOlJq@v-_?3th~8Xhqiri1O5+^0*@n>tKJFH z6UH-Z&$mKJ<82Mc{PP_wSLtil2QkHXRgGVp20;=^gh1I4ncfA=6!gXY2NAMVoY$GY zgD*c6dLF}5pDW&G&tA(cfgAB?-W9_I!;Siz0Z201jjv=Kyw9>lUaRhw?S!^H5|zA3 zbw08>;gkqqlPUvI6l^q<2(Q+0;Gma=caP&I|Er;LV1JAq817&sSwkEkv}dw$WB4Rp z`Og{VNet@Rxp$rKM8u6^EAV4Xn+u7>m|n~78rVQ1d`@|#IU!PmLv}?tAc%f%zUFJJ zDa5QNEJ(7Rs=AhU%zr13xm>FbG86zaIF@ff)cp6@tr9x{c|CuN2sCq<*4EZ4RY8SfS3NA`t*A z?0`y-DAw43ET>4)q;=5`pa9?yVn3akpi-QH$)f6YOFRtDnX9)Vngk+CH|8ByUJs); 
zB9HsM_JKBg7Q0?|oM!TwK@{*f4lfP%1_pjx;&z@*2$BiE$uV0QV5a3>oy5p}L9}lY z5@PXE+SwqyyXUCq^`lbj`f`qBr&Mj1BNV{P0MlYg*B3I8D*x&GHH`x>@ga;dguv2q z)z>Hl3*+w}LWsi{nT6755W6!KMRtn^DEkK?=EidkvD%nIFpOdMpn!&MnA5l}v07sv z?pxKCTN@N!)?>sXulRmfV~%_-OH~%@y1J)&X`qq#Te2p3eB~zZ-Ltzw%vv~WiJ8g| zow5a_9po3jP@-a9<*`2mh`=C-(ITkGgT_Q^26F;waww_HvxVwHs*<=F-dg>l@7Hzn zc3KNTEv1vtTA0eFfWwy2o?eCbYT$~V9QM&YnloDtXCVYgEL3!howuy4dWdpgg7R*d zTm~=T<$#*d>JtN@z+y>o2pCtH{m-)b`4^QEBQd!|{>YW$P~}$nKm6feB5Zp4-XeU= zU8&ef@NZx#wU)=o&JufxyQ>=LX#Du+!qg$+fRYQs+Cm5A@9^`@^?SJ{gXo~Od>`7S zg?|YI02H*tOmb`q?EMnWRvZFP79AFVIgK1X1>_I;q%Xb3fASXy5_Fjde_f8v%vlin zAUYlHG!pdFnZ(s$Q%xZ)ZCblP%Oz3)z5sw6|KkrbO+qIefXL!bIOw;L1T+?I`|cwA z4v2tWtb4n1y^uS(7rib>HI{`23F*7ZDN$I1eNtsvlZ2n1b6}nN#k+zwx7(k-ZZu0o8C>oSo%>yi2dO|Q6oCKt+8+hiv;Z+Rs ze1;Z17^8uVWO*5~xn5fgK@M$4(7$V#6*<3Ch z@})m=Slm`TIn_aQc`>{sjXUM5ftbOEWY!deh^s9GrT)4~`GQgXGUn_!Fy#1K%-iPj zOhUe*w!3)ol}RgdcmA_69svQpvY)#z*TfDc@rrl&2czO% zWeiSZ?N#KbnDj)<+;lbF+Ci7fO*`+x__fV4LD7ovz`Scsx=X|pBZF2fudoH6zV2uj z&mY*6LKAKS|J}aspOOLN1r$T!@f=+2oGux;?g~mwt1K>gl2!(}gp|0cWg(MAruK=D zM4dwg)9>FtuH1+^eA$mQ0#AYIrZc*ft>nU34^w-ho72hqKvSP*58odxU%UHLhX(-2 zed_NBv};DM2!V&Ak0s|`BX)tTor_$`o%`-$-TJ@6`qTYF{a+sv3GWF+FA41y z8pH8j5~lC^Ujey;GHuRx*i=sB<@-A#`@a5973y;E@tzRfWZ1^gN#MgFXmv_J=5Ww2 zeFlXS$Khm)*)R$quv@!)_S%s=pq}C7e;1W{w(V9*OKtuaUipcp%-MIHo3u(Rx1MI1qY@LT}Ry+E8UP_M8E(~E7ZrH*WuOfbVw zm>2Oskrp6H;mC-gyVIbhNlcNpf>?&YovK&)$1x zT8P*2Lj|TnI=+upew?3>s&@J*cQ=4%@9+o9-6Z=&h)?B)=6`FSo zZ;w?j|JXZ11?TB?;FRHb(E}diH!roa(~r;axX0X4mVOYo#9jq1cH;BAAmxnu0QSYtYj5HyqEv|-Be3WXx`3r>kMP4#OS3^ZABMXBI})9hX`nUy z1PHUyUnL>~rxNB{q)A*2|8ry+P?^=9D}SmLBGR%?p{{TGpeYTk`WK_7f{{Rnx|)x} zws*{%V7fd3mA%M=wABI@7STNJLH`dZ|M{~T_ML4vYy1biTK<=VaIqL%`skzpWDJr{ zB7{MNcklH?F*u)^VEYty*1S8!*=uV$^vDC*R`{ELr&D!viMOE-vj46yS{IG8meK)Z zZ)9+RMqTRz?|3TthNe%o-BkiCjY{aFhnC=j#isa+gkAz>A+n<2uOPn$Qh9+m21w5q zlD~=`w0{bq>#J?3uchIIe})f=9NCg%+T+P8<~6=*5aN&41(b6xXM#+RI1`LQZ_w{K ztmTa9H;Uk;y|Q%b$gW;pBhNX zY6I5itah(|atJzfC%Sj?I4pSG5BC~zHbL=Yn 
zEPq}!{N@VmN&xC@EKbx!i|QDgsIK`oCKgO8XuB4Ez_U(^{NCFqo^-v$$UG|-Cykpi z@wtJ&a_(HKVzgjbhuvkz2ZBrrZ5zh_cUYK$Q_6QP7=BJ7g;--Vvz~DK+!lhR*9?M9 z9G;qGw6^lHBD3o>h9+huq1S2R8{O0&)lvPf*4n>M{J9JdefLt>PckjdUFv;!NHrS? zNPkOzAfY(!3hb8)?QXDuu5K?%#(=+qFMc?6r^Z7y0E_I0Qh979%TSi}iKXPEg{@V& zfd*RJIY2hBQ-H?(KIrnZPAH=iu7-?<%XE8DD#!+<{`reovlLiX*kI~h1btNI8<%`n zRd;IO;O2RGX>4gFDg%YEM>E3^HZVF2XWN!xAAH^wOpMJgiiEPy(qmIbD!lMpy$Kpz zd&|Oz56Y%WP)E?_A$i#y?aa z845>|9vq3AIMEHzGOiuoh&a2tkWsQm&YI=gjIGSv{iu;NAYsDPr4MiwK7{P;2kT~u ziR~Ity&hbdc?G)JpsHd%Gu)@Q2|WD=un&UAZ`W&uKnb=-#?qlby%!q-XuBgpbTJ57 z7>E!-L`GdocWYiy@B~~|1EOZ=-)$3#NcfmhlukOC&M(#lZ=lteppF`T46N7fIhCd< zQ@A7?7civ;wOA!Xe}d^^g2L7F;v2dHmtktIekjdS_dOaT{N!2wTkwYhl5o-JkeZ?~-Jj>x3# z9BX8ohG+Zkq1SaWgM&d)I+VBVqV2(AS)b@)!orNoaB)^6tFT`x?dzqihb23hIDK!_ z2B>Iql_v_S|Bw=Yy-Q-o{V2G>!o^N-6{!;zg)y@p-0u;36^cI=7_j&5n{WY(;FN0~OW{gY@XSAHCwk@mie9No z4)8d=kny#$ZY<4@RDW-^iJvT1SsFo|FbN!PJ6QRxyPc!X!kqZcP{Yrf;fW}0;Khrg zA&9zr%|fv;CA8Pp6YU?r}>8#9Eo_uwdHGpE`96b}7v z@g15l1Kx7hXJyL*meO68__2@=jtcuteIFBnS`A{vNH=oq8R`b{vnYMoq8}lwG`|8v z>AHtji!@WcsW@f5;VakSQ;(NB${s=MVk}axD3(}_D-qKrLL|z?^{q$&|DR>IA^V^^ zA9WDEu%2iPf=Oawop4JUanyuh7e!T<8DpjE5+wvXLS0`lZy@4X4Wy35+regC3aiLC zbueXw&jNKd;Ag$A!#M=o;rX0<6CqAlfz>nbwZDxat9Fe znj_U}V6=ua?!GMdV1@S8j!q=Aj->dTZBS-A0Vu$xPKe8?obhadgEc7tbyOjsU2|BG zubQqu$>*$DTRrPs{9H-x&3T%_mKxK8=CrzT7-soVV9Wc<={DGE=-rJu4EPn4VDN?g*}8uM zgk)lSr!Sl=b}cn>KLf5`wbk%9t|p$B0Og&*qq`QgoZHJHxZ`sk5qCrIy=oI|d8TKk zrmx2UFFpAKOblG9K3Jn;9={>I9dY9O&Woznzssnag@+95BaPW$cm1gM=acYy7#Lz) zKR!^V&st)#t8|gA!2pzJh&^8zmL&SL5i|;E&X(qt3bbckxWMl5$vf9o^1$XfMq%nW zANP}QZH3@E z6kiJon2etzmmDp}iPF}BQ_}QIG8f$obPyW0l&6xo^{FL}KW-bwWA1P03A3U+Gqq!Y ze=-J?*TaQ1yuDkj@YNfq^`%O~G~5kX8yu}?tHPBp+`N^ZBVm3{(P7tluV%2x#CezBq9t{A=Z zQV2w%^kT@7@2a25Kn@5*_Oiw-vbeyMome{@dgb>b=o&GIg4^{k61s6ttiaYlFK-4D zb?;+WW4kbBzsZ|LWbCs6_&OI}BJBmfwS%LNZofg1XHIP^hGi}O^G|GIqTN4d*PrH^ z&l(DgAN*FCE`3&%(6q!+W5tymMj1E;o3!$iFKn7!S}zXjbQek%9GmOQY?h@LWa$!R zhuLX*kUwC&za}xDrDe85+1JMrH24X%w5CCP1?=S;2!rMp0mfaiP_1> 
z!!-V+f4*Uu|qHg}F#zD`jdLx|6x=JRz`0a&O%GSlCN~@VZM^(~QxcsdZ)D z;)Z3FK+>4TM!XDpEDN-n&dxCXppnN;8ar3gV)kfwASo08ZT7dherOGt&`RJGO!hGaj z);iTVs+D z7JM-eeChaut50`~<{6u3Ev&x_nJL5spQC9_`lO9gGGLK%; z)PhmnRhX*vQyss?pAk>n!aL&!@Z=QG+}rJXyAbnR>#o@{co7%qEJoD~&|^+wiOezt z<`q$-(GxLGQ@{vbl3_k_E$fJSk+aUzJUINPtUI8CStm*w}ozRBow z-LAW~9D4=-wORxN4UZT*{>$_&?VY6e*GCTfYH7Z;$0bvI{L5{ts`DwGX z`Tq2e^VSL4uwD|z zdgL4R{^qqYuOiZUoZeB@@vA70Q2{{!%kl8*HRdRdVza$Hw*vHPP zXhOEpTS9e-FfucK@y5%kVJ?~O&mlqZow#B_1;LW>xwR6RLOt#^PwQ(wWxBNk%OLZe z8^geF_rLPbJ}}^JSPwN13>mIEA*S&BOZ6K|pgNqkmC&xUDBfSd)^LTGW1u zwyN4pcGVAjteIjjb>hmJiuU!JYBWsd7N)EzaeC~H9oWjSGK6z zi4V~~RfmMKl`yA!^2f|LP5az{brODRdsi>AFNz@CS&*HN7nwfK4Y9m|46N;P(9eE5 z6x*xRE~fFg-7`C1VIR?)#f@l`%Oor=Jkod1EQeo4KZ8JE{Bey-X0KlSJwP|IVmxB5JFssC4&87)eK39#4}& z9ypUm>n0=VH#f1qXH_B`moX;snb7hJkS8h##K#49Z&o{wIt*?W!h_|O;s}1Q*;#{) zldmkZdWhu6c|q z)v7+v&C_hszI!G%4Ad&?yk8)X2L%5h8nKBJrL6@WgWWpVC(KtRg>yex8ud^bA6*Jw%=S%sbnGhUCZ1kt@LU9#O%v4HKRYcp${Fup| z>jon!HOc5;J?3`lNjVww;j?Sxs1$vR4J9Fwvk8w1WE>^jyDmO1enZw0t_(X-n&@uO z#LCc$tnov4mQXa^`G+1UJB7tYcfmvJi>pCf2u#EBWZ2UkC(fQYtlh!en4(HF{Zn;R2rH~F?#bi!Tt@bMm(76oD!>HlEE;h>VO(HkB}FPsQ0v z3k(juN2U!V7QR4b+<})u@7U?ddFKcom#j5jMCm=A@1m1o`wS;5Yv=vk1R4*ibLd`} zvuHi;tY;J9(@pD(TCRGCQea}v%k}4ke^ynQ#BQqWsGrRfY>^p1(2$Horj8=(PFmq|ha6-m~z!U<515T5jxjVwaAy~2_U5L(n zvuf!u=UD1B zT_c7oT`}03YblyXk3x8uKf94=?i=#Q9c4BtDLNHj#>nzh4Gh0^|WZY;^Tu$@W0UM^ha}rm}PCmFbuPEOHZ7;CuuQZ{6gIRm36+HtzDh@$Zl2qAq zF>vM5vuJWtxNtsPuv-yC$9G;3A$prcZ{3*otJudShUm*ZcZI7a}KZ5 z-R>I<`G2}@`MdqCsjb~eJ#pLEOjZqI!`NfRFd>U{t`hcd=D1%h(Nq+XcB^eF-5Kr3 z;KUy`?r&;pdV8`Q)^r=3A=KQ+UCe@ohPIbOqVjb0;rcT(4t5+Wawily+^*1N;Su-h z4ZI{@MW=B`3A{on{?E4FuS-*i1$;?}jUuCxr<=Tr7Oy9Dw*EfAh8BBVR8-ov7w4?o z;_T7>)3uH>Gy^w!H{KHfh^Z@lbjY2<9?pr#)x z4&KW4@%HChx|5E@WR+KkI-08Cqir|u7#c&Rnt`h@>C1qHqV@bd-|dl=vGM0dwu1GM zp0m|mL!rZ&OOlNMDiUAetmaC$LmuYC88XN?m)dap^+8Oc;*xicg{g`N9%p6)XGrv>keSVsJ{tuTLK9^XLm7p0MkS;a{gs`Pl9NfP z4UtMpOYHLs#cbPvw1Y7`FGQ2}@qs|}5;W$*PexRwYSM?wLqY;xc1q4ahgs%R4ZJ@n 
zh4F6?mK=I>^u#EmESRMjIvCW0Zo}|dUAMnAaJr6@JWW=_d?u>%EuxdtP-JRJRxZ@& z!mSogdzpd+VxIWD$N_e9q=ZS409gxZAH_kryeup%*}qwmO9&sJ4Gf7^vl4`QGEt72 z+Ve1YnANSlXn-3M%JV#g3bF|c<#l!XrQl`prAbSR8voS_y5;5LF?Mu*0qGP`O`)NM zAQ2yzac3k!wJhtMyN9ElF(i8#bip{TnnLw{I^EX}s5NzK&I4MZVoL%?pQky=Gl%1L4|e#ZVG+VYr3?;bTTv>n{bKqWPR)h( z5-u-M;OFOm&(8-dk+rZBNlLq0FiW_5tak5V>Ne?8SH~niU-*Ur-dn6=MPZ;6LVmYw zcOhB^w+kh*c-~BIG@t!P8%V$e#6k@$yq}zW0eq98qv{KK28PM6Ho5gw$8BCT(dp6> z^NrR;8yUxGNu-edVZafD__2ej>b4*|DZ=Zsr~G^CYdoYQma>wqa$w4RS%o1KbbQ{! z>dVyjL3#2;?KT+A2gl9q%>=9E=>5h7GW@c?1GKsM<`AwYX@!LrEr-wyZvC7_QwImv z?!S46U%WXnsN@U2H#h67H`Et|^j1Ml4-engPc)bO($y7Lh!IypLIN6t_((#q88bIw zVq|8PKjtl#tKWP@B4VQA)aKI*cMG-}=}g10143YLzEAhe>y?MjO$PVoT-=7~iR z@Dib@K-5W z!HBBA1JCYydnC?!xuNs(YlJvOt_y9sMh+09CK560iDhEB6X^08@1#Ak?VTE@lltu= zk|Rb%l+5y;$hVU2JlYn}hXIRf0H>#>$-nOd3^3?cGC0JzV-b&bR2=k2 ztOtrCiys*V{C=EQd{mHhbzM(n;G3AaxF(!2p$!4oxQa+D{QDw2(9B{* zKNSoN+3*zqc#lq_n|*++(@}d zUZIevH9TEAbcBW>g@mLQOFKbt5bMi4+SiARUa0AMe|OZq&WJdkvnXMpGMm*5RR6onqoESQ$L=1P#8~f3!ZM91q}iG2 zUTubC=&Stis?n2)fN8!Y>b%(hw4?s4eQFM2EOsr4+c)k1ZegT^P^1P9>`@+Pi%s+s z&w51MmJO+mk01EgQ0QaO&^|V2zUkf=-x3MB)lNzU=_o>$*tLq93Plf2Xh+8t=xIr7 zEv!z2Ej=l}j%J9u)oW($bju=1ZU!>Pn@_y_FGxtW$~H~_20Ani^|jNR{&K2!} zw^L|nIvtaSUa)z1NYGn*aAEef}Kxj=~*o0Jix) z7K7Q0y}awgN4t~uH(tK6vk6OM9mMscsX=2o5*F-G5fEDkh*~Zy#fL3m9Nk-;#zD8K z$>4Cl7A<%L6fj_V$_}m4KT3-lU$znPe99iT3QZ+^si8iOfh^+`0rSgzG^?S8P;Ph_ z+Ci{D0MMiSJqzBv{4)I?r2sehE(zNsX;_l52})yi|2Isx?H$V~QF6nqF^$cQ5VLi6 zsL%6a)Kk{=l*y#tW{XP^1xSV zIxon^Z;z{i);q>*={H4Yud~WVM2QS_+XK)a$Jwc3g4`VPu(NYs)Ie2mDv58W0kICO z4uMtF_5=kGHCx1d$#KEJ8w@4!A^^W>Is9+-0iXTm@W?tZT)L!$o&_j!W6I#Jp~#5` z*k5!Fkm}Z)91Ni+{1_URSSWHGHA1boCi(xU$zIHP2_pA-p93a#Jnf_(pcPP72oO>k zjOPb)tBDg!CNPzP#PbS&6a__8leNK6DJ$;PzP|T8#8hUh`n^0xT0Od}M7DakS$JvP zG%&VItcByaMOO)0*~^iYu%$7 zbyEnAlCn1?x&T8~PR@a)T=@93>hJ5gc#Y1f9y~z1Er+3SpIaK)ZCt52K`JG*Y49@~ zFnGGjnO|eiCMYG1fP9GG8Gq%4LMZXLRSX1BO@*+oHM=pS(Gnq+KV46c``gz~xiyjh zVA13@4!3r59H-#x_?IMa*LGjhcaIG=>V$}E|C`)WrM~k|1g~F5+#Z=28AWS3RE8qG 
zQPcTnxHdi6=*r=j(J0pUCo`~@Y%H9;xrGQxSUANAy0@F!;uNk&0_1MuLCc??_Zt4X z=K(Vis!#O*2D~&MXU)AFiSIGbrKF;g1v?IB>Z)Qht-Tt(3B-ECy|c#umGkD&lPq40V3!& ztF@k<2%(Iui05|Dvpe}r^niw0i~k}j5oSGnuR9 zmbStIA^nz&&b<9+0ycJo`5Yt?e=RS;T5SINx%SJi%4|@Ao%M*(DZ=ccOioC2sFpGO zdvb~k$`LoQFi~c?I6Wa|3Om>z{|67bg22`t=vnY=Y>pl-&(1D7KJ!fQ_(4B~3j&Tz zHC}D1u++-GxEdoZoe&VOAA3@sOjPAC!0;4TesdeH6o#HA3GvATMZ=y~U5se1%nF!6 zmf{oIat4rQ!e4|mRFrE$WHXIB{dtz+q@56sITe4^tv>Mj|5LBv72(w#OmRqYCkJMK zt@6Fo($X?sF5wQ0MppfA%;b!f5MqfftSx&1JxObG2m4}jPOEEPU5i5BgssPohCL+% z>`bvG+@aM+qfay}7-$4+N(^(m!B$)GU~SV&fLXAYdaif;k%%aYKu7*}eW0bM6$d^J zKQ(1-{V-I^K{sAS1JHiJ{(%{ZD-gzbRJ+5HfcEVPVaKEH#SWd}H~_2E)>*hc!r9%4 z@Je7%22;uf?BmE{y0b|$35@}CODF^uM|>M_ie(3f5@QsoV5WR;^x6}7@zNd(@4p9+ zBZHW_!=)}K(G-+9l|_v!zWT(r4R_Jv71gy${|$o+ z+gycF7o1$kTgcX*b9>QtT#_1iZ6%$VxAg{kKCsUpyp0AUh{iFXAvg~~w|3vRX`M3>yrT&QZ+&nz@NEuM!<7A~$Xuzn!G0X1QJv{78oKaCig7?Ul||28L3At6dw1 zo1x7onxT6t#Fg?%$uR#H`_bf9mytLb$_qe%rJ zr=g*t-&0c*XYRYRZ@YWN+LxxpkLD~4r>E5$e3t1W&o8@ACumUN$*E=+b<>QjOiC;N z^$^_qFUWq1&o|P8G{>9SnT0`EAT@w34q)LBAS=A#f(lcc^mD%hH2nmQV?ZJ^^7BwUylg!Z&?k z6ExI}t-;YF^4F2)y&%{`5C1<4F8%6vLpwh5At$#)H|r5PCw@AUN_bXZ3nv1;XbTqpt2iO1=)8dTR(${?R$c~7!ICuH>nP%v zV48MINVZSLAv*5;00HyG{D}X|qedDy&oluyVvm;^n7;C=Vz|IxI~}XVfQgClQX|}c z&yh5NF)gCv%UjSf=mTlM1Hace%}L4gg(L{-Ac4Hcn+75B|F9YSj3q59D(;(e+Hqjy zlU&<*@#>ls(8wGK_o9ES2`%==DYh-Fva)(~ZVeJ}^8@_Lix5Sx{}~4K5jK<4)6vz* zJFzLTK_erKK^YrITb}?ULq*>#|NGxN+i%ZChy6V^7RCmcyP#Luim%)-gXJL9Q2x7e zOGh&JV!%znQM`qUe*eL)e^S^Q?dZS2RIWTd?U)lthf7HhgJNS45iIDIRh9YwTM=*1 zia@iM{Q81}le06opP+}lu8#BnzHSS?t}<2Y0{yzY{wI-#0N`B#UHP8|`PYct(jS(V zSd7#NL$%8exh7tbW#&q0h5({AJu}NPI zR!7HbR#V4{_w~O!fgfWPa~IV?Q4!zB06MU+@T->oCmqF;&uVRjg@H19pk&+4bL)WsM4_fD7jvBF0f(t)fdrRB>9}Q!?cY7`_xN1F{sC?uLNB&d2s5pq;ix?Y2 zGW;Gr;t~^KVMbL#N$ zaAvD%`bAo&ii!$hM@QDQbgdU9w3Gy#*0bODP*ar09ElX3PG3hSrj0pcCdfBbJbWCjR9_=hJ>a2L9;~sk#8RFGA8k`#y zk57YpDRa&B{Nv*(TKE^$;wG8**3H#z^k7j)cmTb3vam`N+D_HcZg?4uz5kFr^?NLL zk6Rh;c1ZgDsF+Rqp-BGU@Ph_z)z<`8Rt?;IMcg$1&Hcv)m(pveM^gA^@swyX@z@)N 
zafbTd#SEEOV^a*1&V)2wcupaY+$dSQeoxW7yu3>GdGG)M;s5T?7K@p>4-5{Tu7!|D z*EBXX7*3aH;SV~?n441(d+w4>PEGwf`j(m+A>egsI1onz4q;TZ5)^gZ>__YF>$~E| z4igIv4;K*@_Lp$lV^fiP^*he(t6*!G3v3Nfbx8Er`2)rrodg$hf-L<6NBcSMym9ost1XiE|iA8(W zI8$r|Rk&i2Z#uFU*!`6Li=pHW+YTvsXR)2>{4K+JU*F>4N#@JMn}uOg*2bfzRi-iX zy;by5S_p&-psttWieV@Gx0tCSqh1sF)b#JScfIdi?)Hnz6*Z}!@(*+@t*k1IdtQ5A z&Y5c~A?3uFMt$q;m54HB!Gvp6{xvhl_vhkRa69Km?O5kNoaBW{h8?O_BBwgeX;9>W z^;vyx;l|n78A2g|sDx(3%*LkTs11P}IbZ)VBCiYz_58nD07^>fnxNod@4z2RJn9`u8rTuE5Q(^c_L{yX`;r$Ap zZqGX-Q5G=$r6*Y6jtpp?daihcU||3+G6jT@t?QhI#oc0S2_EHK#YyCAK}8mBX0Bi9 z9&W(2*U+yjKqUbQS|wQrQL}5$J6k}vR2)UR6lWD96JSYqR>b@6^M;n7u!W0mW%Qs7e2uUdOc7)V+SAHdD@#?+7e> zBWg6DZDjLj!69PtZ5Q4Pv1(C#@@85-g4EOg-k!g7rmzPV5iwB9Nf@4typYEM> z8|j8PBn5>(!;_dyC z*64~Ioq&>r0SEIvx^S+}>1}mWsCXFYY{{}$G?$*6jYJOO;Hw^^i7Io8=Kx9-T>oBzj z>z`uOnCnb_H;9qIOIeITYClYCOWHLp%{DqOF$!9+7rC<;ysrW7yf!ArS4tTu!QZo{WBeBNt@y-@=6a8oSwk&~G z;^T}v#b@k9?`YuIw$liS>_O2&Xhc*3FZS+9@n>hTA8vc&6fJ)T=-l`65`Rxm=hvKV zZ*Cf1>`%ELR`%K7UpwTbC$g7kXFsp49baLx5Umu}(n{{$NJ_$O^Z}Bz(tMOSl31Xr zKn`?%uOM?J;y5&FKfpP1NB+grp6B}^5Jk%=DuKiJvBnHakTCbJ~EgbNL3U_Bu^fvdcqW|C zsb2FLE^_w_$*X-e+-Q?%Rnx2ECG_HN_vaG|?gypyhGu4*C1;$RoR^q!i+>;QPO1yV z6im&{2d(RCr|x%@R~*dkg#LujprD}4Ho4FpH|`K`?(D$AG&MJ$b|Nypeft(>Z*On5 z!bnu%>H6CJ{{C#VqN+-{V@24{;*5LD98N{m@u&8aFWyW4hnJ@*(Z9>d#0$uYnJzOU zut*0{kFm2WW%oN-+`h5ENWzG7Jrx-H^erxqIk=m4N=G`4m141S`?3dQYTcSEnv_Yz zzc>BHu}zFyPq?8QFi8>&hTyz6UoKTqMI`_{y{4|t`0n!P-w1@ygr{`eAUptfW4qPR zjJl6sQYo9e5FQahL9C;x+1}r8F}rhdc^RCUN%9&I(QDq($w^5~?WLRBl~HCUdvSKQ zh*@()M8tgc`PA$z^{HlTHu@qx{al?5!Ew_8<39-iYDxYaR*yL2{3TX{dicM@1sd*Ok_vO(7h5DBk?;BRoo7`JsZhM$iP8)nP?FUM`w1&pUB7q1} zmZa>jBer{fNx690wrGNU^;mC+Jh49vR~4gNJnKul{N2OScbX&M>~N3t68yR=u)RM| zfawkgFfBHB+3nNo7tf>2NFhtTR^mtCohWmO;yLAd7bs*V(EinIbj%wcIoaK%o|?Ww z^c$C}t*vEU5a4HT`;cB)xv8-qKtl^Q1@!X+b6q;y26!*lyT`kgr{2ehyO1x+Pqj5Q z->a)twpsqUbHi|HO}S#9s$$0Vq7_iuUo7`&xhcd%{%&_XY2$iKu!-F__%ry`R70&BqSsRYZ&-ofjDVOv`Frm zdugE$x6r%&1U(nD7-C<2yFNmi6#ygT#34aJr1bQ%A9w6*Y~n3Vl)`*1?CcT&Sm+SY 
znB)h_n9b6>)p@s9^D)Cc0<2Dg-;?gM7^`+QEL*nG_1e1r(BI_n z_xfmHFyYqkBD`3>nM4PNZiGxm2~h#jUegEW^Pi4aBmjrs*SNXS`D(bBnNfne2^QBw zO)T=3tdr%%;o;$m%1WiVgOA_7e*Kyu6wzbseYNC9&A`xuW8nP^5fL%Uj0~boIim2T z$zdoKBA?Dnp_FC>N`CTW5@|0uOns79uCC4=;e$lTsi=TYgnjw)B{em5dpw=S@3}by zFE6i15+P!{)(hy2;`)kH^_m3ycASDk&U?p^x=DF|A<<@<&TL zX&aKw0)B^b@J;6jwhGZaNBJ@T#=$vElfKugyfxVG;lKbLWBSvlPuBpmPsb!lXq+?N z2wuYsCNOk;eu?-8fOavx-HJf|oeo5E<@)wkx|WE~70K`EZiVA(h}6ufwo>!nMlGZ- z&DCpr*Q(IU?zc12xN+OVW$Hgt(9qC84Thvtn$`1s*Ee$l7{x|k%*M@5rlhkoJF)xf zGjH%duD22mzNDruoZUI8s9?xv3YNOip$&l1|ID@GjS+#v)C=qY6&2MV@GN@W22@~6 zJ%D^F>gW{jB?UkZntG;H z#g5n1(xQ3bsF_OPu(IF%O=|k#!~2?(x$0L+N=ojlpI)(ps!FLjK*jf`=cj_Ni~D#A zq#Y@M>f(ent3Tc-7=prE)0Ppxp;kq7df<{lq#$gY7|9XUDVI=hu!c;jg5^`Qc~>)FM#8Zpv6%FJavl9YQ*1bbXL_T7`V?xqYwKUb%aELb$m#jm5=~9P-dz z_IG#vh2Q#1k$(oSt74Q2JHp}b=KI6hN?05weX$Q8C}7@FQ^R+3bZAzYBA5-Qu*mh?N|Pe6Kj1x1aaB;hm?`$=gwiqs4zeqJpXyU z9`R1j78?ggX3@vS(sI5!v##obftDq%)Xu)zfBWvFt*`3CU~Y8l*$7|Zk00YwAQhyx zRtqUwxY_5IlYGlSfeNpvug^G!jft5%IRi2dV!pmV#ZrOS?dA*trNzLT(qJ>{hVD%i zYygxaP<@ABTjt5E`}`A3`OjNgV-u4~hYbl+Q`7H1e-eXo=dGHt;O`BX3Q@p% z*8ya8XNiU=s;UNFUb@!Q*OT$_5j4A<^g?axr1c6yMI~9}m-y2ZD_&Da#{@`rS|2^u z@A1;ziq>=dY#1tHx4~U2ChR3cNIUYxYN%n&O6nS)hSm`aKN7o#m9{huTK>voBy`#@ zP%x1nI~7gI8Qw6bzD~~by**DB7ZaVCoDA&l7Tet3&aSFL=iuOgioFCTgRtBWWmR4ldv!=@$=Si!*g?ZAgC)nIIpwflaKr{ z4;`kWy1J{6#4i$Ll?eGRM4>Pjb2M3dkfhgfTEM0C%`BKK}XXen+UVw6rJH?&qA{%F#l-$=UXBz=(>DPDCHE z7ZRO%NjvxmK}KfqU8V`Od~U0&&*ESvL*Vh+Q!Q{CmcvH zfYXrj@_H(k7e!wEtgUrvkC%dm3vzRF4Z$3NM?w-)R73?|TRlD&ENls=v|AChp07aw zWDY8?Ol`By=B>)#msWXzU<`%5)_zK%u3Y>#Ex80wW@&~l~PluecVcriZ zGm72~L9z+NAZY05=zk^@gw}S)a+KZH$;rtLfxiIp55KlzTmVvQCw@;}qZ@5c4=182 zx{xk%bZ{cyA`$@sK~Zbgp5M>MTdSg9{ZJqB=i-9syzy3E`bQOf$(2}YP|!-R5cM16c(RTuhW z$>MME5fBiRZL+em1pMURzsIZiPR`AZ`$pg#b$c}PjfRFs-geh;cJNfOhUi;VqBcjF}nr@$pgM>Ez@jMkz-E`L5}3O2gpjS6oU;_~D`T?A+W1 z;S&J<+}F~!H{cCd+OLTOX`G{mi9u}`g_xhaFcKLVS+m)d0W1lA8!ML(82F;){_mhN z9U-UyE7qv=d-8=kOTf7IX@tLW$YV2Tvlm9Pv(wY=k@eFFPoSMg0}BYc+n&;ssM&cD 
zzdgoD=rmw1WfG0^dw?Se(PFpb8t=8Q8BHdsj~NCJ-XqFuU}BQfZQ_CzkNekeG?q-#csPXv z{iPc~;Y`0ro@I|6B0#~$xzaKf8AlY5BF``exRP$dB5GeIZDM7O^XGa2@0*mGO4n+! zaeca>Y{SCB0xUv7A@NSv#KffKW;@j}f-{a3V5rq}Nvzf+DiKjsGMjnl#019a=_xmG zeSsobVwq6{TuvEk+r%C}*JsFWZYBWEUqFWg z3lnoSifeh7YvK0dfW_^2@tH>N(eZJw)2IMd_4jVjSeZmdkm!CPEhAIucA^hXK`PU4 z4PR<@+W_X6aEG7i{TD&-dNtsghA@x!HS^>Dqw783xoqF}aV<$oL?|Pv$f&H0jAVp{ zJtInXvLec;WTvF36xn6VDkNlvvN8%~M?^+K*8jMAKF{a-{r+CB|MPmD=k*NU@B6;5 z>pIWlJdWc$@1>vKvt8PIY$N9u7G|$**4(@;{MT8t*vCu3n<63t_g&ym;~chPdtv`t z{mSQEp4EcSJ^VySZ1M0ZxYjoFPi&Eq|MPyAkOGqLdRq31r_xvN-n$pq=oI_vUB~hK zSH)X*A`H5_yFWT)*Kv3Ho>wxWHsXhg$I8;|(s*~aCZRw}??5#o#HVM^i)4a!sVRAxFPR?^vDzVvzht8`>&oFo`P975x6PwK)`}$@_ zgVc1e>O;63M6kPL>eYUQ{AYKa(s*tt6nfFxE}Zo+mr}6$h-(PJ^#TInHb37;t12r8 zbPYXu{P^7B+@xyVN4<*|_v@w`?wP#GO#uki7rnB`ZPD=b%STsaYXZc`7X#p4>9Do6 zbp%0nB2rwVkJZJ+We(*|!kKB*8Wr-i(z}I2a&m;(z2?q#d9N&e%C+8l$o^}Wmd6=m z1b@c2Keh#I{W6?Gs@)TJF6j*n2PRkUYFHo6}nnxYg;FD!$?d zguRmPv^Qg21v$@?6xxE66WD_?SrYmgqFxWm#6C_`V>-g>Tqt+CIx?=`A3^H!=xRf{ z4oQ^V(FTQb(N(OWGFxv|DxWw}VY2c^PeDR3=oS$1?AouPL$-{>WjG04kh|9)GL`E~ma13#a zsN%}@sdbO~pKgCuyDK%R3~$Ol7k=Y&j%A%dHjrtB@#QbRdS~1fZ5ZG7+E`n^1*%J^ z-@(cn?78q;g+a8dudi>{%vD~BWE~EN>5YGioheWOx&eZ&e{W%K?pv}nW-snC!tm8= z!H#T`d|;>-h!TJt^542vpI@B)kq!`>S+XoSH8pjm1HpJ;TiE*u;q{qCQ`BvlCL!EU z-Bu$2{WQ28pOCPYV&a2XH_hDTP{r_{ONj4TE~C1rUTUNo)GMp2`&X8Ku3TXs8W{Ms zIFFSKd+n*#ZF?9FDZn^jq3t*p^wm;QQawL@@K5J0s_bt=LiqOIc&F2Mef2=)6?sJ*jrlq`*V0PBf@_-$cn*{ zYi(_1KJ5DATEoxROPdDx*Qokgwr3aj;6Ff%hVlna#$$y(2Mzf8`~%6eNH z&gbuP3W?}f@nIUu;-wD)r1V7Hx6e_pGemYdz%ttN!B5)Idk$VVluahOg*F*?kB0Ob zg}j@>lTpqSFfPn+f#c&B$+0DIu6y~nSeky;xzh9_43oh4J&4Hk zc3RI)ynP^W8l*7yv;^?or##z-+ON|XH=&U(p##o=O1bp4{k^@{by9U#iM@LIIm^ty ztRcLztIMcwveUlgc1MR{;Gx5Z4;QU0FX-nx#I{U>y9Vay?d!Xdoh<|adn}~^WCi8> z*pXRwu~)&KV0j&Wd=d=&{p#zLjmVZ0zke$k8?!-5*3i_v5gExkFfg!FOia&aUG(Vz z#$?EcF-b|vDavca^d5arPfp&zrCzOkRQ0Q)s>Z%($!uoOP32e z2eh@dd&+5L!>okG#Hz6}pMD;C0XVBUZJPb{I68tJp1Gnj@+`Hd$CMOTLVDY6tgNm9 zj3Jj2oXoIoo9ax#rSF<0sSKnoCV`fV$9~`bk=s90rC6O)%4Wm;e3%-iCWMdc%oWpr 
zFGPXf2U_7l{_$h%_V)H^204_t$gqy-PnDI5y#j*gPd09{EYNSJJ$!k*;?{v;9%pk_ zkTo}(I{j6XVGseQBAOMrnx&$ah~hMw)0Z#aU*cjDg7*g9KZaQZkK z-|6l^XL*z4wPG7>+1&@|0{1*PZD>d^vWmdxlL`sO;$h%g zT)k!u9XtEij}34I^%a4*pk@p&`rTox**@jv<@Kq+nY*j2i-H2>a5b{tSLdRlB37JI z>FTQs)w0W+d8$DrC9>Frj?kS>M9UcWmG}ZI-eEgDk?Fm3d}Qx)6z|8QR-jX8DsqN~ zhR&fJ@9pW?*~%fN_q5`}jW8TheT!(H^|XDUuEX4e!~D_6ryv>3)JQf=KmesHSzvH7 zC>-9^)!l#n=7Yffy(i0%d2g=UxQ%D<6pz927Iw)?RN#`19XqyORaMnte#+daz-e80 zcsPR6i`-l|GDTt7*@AeTXWOp&#aN**H6?|bWRmw;%=Gj(UUhrz0O_MyO+qbU*SbAt zqgwL+jKBU#laZ8AP+(wVJ@$IM(Du{N*wyx@DZ0GhPdik_-P_TYVSG#A^h;%iS&xOW zS8ia+*1Py~)74bXZ_w#oP*o@_|MJDS&(Y3K04hW8(2!W#wCm-|bzS?pPyvEdxW7;o z5I}_&Hd3I}sRU4oMaCURl2^ zNwbq{{9iACOGoazuy?w-`qVyhdyoI#BNC)OEc{#j{wtHJT9%>EER)a($0)SQtZ9Hh=cm5)puMa^$fUWxN)t z0G61yZ;wOqM7%y=f2 zZDCug;v#Y9(KdlgV;$knZ=~v%^o(Xt)xN%?uAw1^9nhGdvh~tv+sQsxKR>@<^NeOe zgt9ay#)>tnq$^;eN3QB;TvQaBh^Q!w9LLY@63cbrgs$DS>xN5LLc;F3`T12QLJjDb zlmny5%gdX8b#}ici-o+rJZxXt9Vil*>nJHH%_+meUgEl>JpY6_e?d%ES6AOTeed+m zeNcR>_vu@bs85rr<9!UY&ptnL5fU-wc3+IsTmoY!6l!Fl4NXaYZGEy)9!l} z^0V*AqJ@P;85r_s{kwvkp;R+4GG=vj=34tebW|>yOnUy@ADJW8d8i&5&H1#~j{TI` zIXSWM@mhBMx`&wd8<~dP6%-Lscz!A>r7Lspw0T&vLNP*q&$n+?Zm$I(TLOJx9khl& zQE6CQN>?7Z{f(7VRL_4iTTDhq{anc{K+S!@ za}`uSx=T2a{}gO&cx_*U^&`OyHP)&?c`IyLbP-!K&|lIBs_%Bi|dmjL)?% zS<>yZq;F77iHp-5|5O|Q?3o`a4F}$Z4qi;fJwf?6Zgk-3jM=Z@CUZ&+kMQW|1A-sF z=?yhR57F?3wim1f@g?0HHIJ^{LObF1`v;5d6SZiWaQCO^@g}l$n+tZ}-U}BlY}vY% z%jUS6n&rAhAgK5*M_{bp`l!Q$7iUpfzU3R%aF1vd2&gb zPrxnasGb1`xh*UokP8ivc+quVr>6^yb|mtnPq?D1z!@3N{KuEqdgmycXgOp`ySq7X zkJ6|px z_CmVx>j#WSIN43<7#S-IGKvKB4IcaI@jZxm14i7-_Y|&N zku;MK6%7whtN@Qk>KxwTemalRhdY$i@xX>6Qmlyt&UhVpc2-W3~ z>(^IR-C?Vua%R>I*?Sa-l7I`>wNFTU%36Q6*`cK*aQW{+yf7%Fx85q}eki zDTz=Ccn(KToS*@fAmMXd#`Dk3lTQxC9t&X?zchTeV!0xd4V#DR^y$-BiZya_a)TC9 z1Jm=5WIQGBuuBK+J^9$-qLz_SFu-E6Z2YbO*@=hGetZDCi1hW|3PE&7{Zr{Ws`GBx zv-DfH8Z6ZHcRhR-8~c{})5F${%zXz~rQ9a2g-0n#O`BW8bZKr8N!PIL*FeqIswspo z=2aYqhKBktFR)P3vIlQu+Hd;peZ*jK8ms_+IkKsNn#j@0H4b3;YR9y8ZXpIm5*p(@ 
zJ94e#=#QBwDk?f!T-=kbWm(((pS26%57Pl=6k|eM(~%*X`snHcp*as3Y{bT7E$&O> zT`b$SZL@+H>1(TS|FPWh;~T-(!q>81&tQ*%d7-kZ>QN&jR&rpgLpb^; z`>Ws8*Zbkr8@{}-frBHOI@~^G^U>J5GkeY5U9uB7z1B?F+D(n@T)v!?ntIxU+O$IX(tXEWi8D>Qm3S@bn;)$h92&~$2pj7y zaNFBHm2vs#(WCk-R*yxjZ-B~-lk=f;aBwhP8+p^;KOV$ooVk0{RmZBTs^DwEh|2F0 z27=t$HUW_XmziPP#vPjcvCG6jU*8lc)cp4Wc5NqM3!#T>tgNONF3@jxAa>L5_skbQy;ub^O}I=|mRU7#UUXrhBwS`b&}L)7W(~I_Z?z24)x0Wk_%IGPd;XOf zUN@;TzV=B347BQo$J_&}xl2fh9w5?fvTxncA+Vd+EoH!lj^CRTsk=Yj-;*KIoc%6g z*BP6XUHfkGsV)jAP5uydG0w60&+Gobsmd191|Z{nmkE(;Ag)7tfK!$nUgW#BZS7*m- z5==6hlfVg{HEK9s`1H)1D=r1Ip786x9hz30{`2+CRUUqR2J;36*=Xz}i<#KW%n%Om zMLOB#x%jZ?AQh>JVaO=(f!=_T-?kG44(gNszRFv{zY%#z%G>JcAIu_5i9oY8T^9Rg zUAQ(EulL`?gaF7Glbjrg3NX-Kr^st*J02VuzwH;hiv`-VK6iGS!C&-9`syJhX`Yw_ z+#U6n?c1qA>|gr%l?~Bh_)``a!s;#LhZoJ2y!S!qltXngs|rq5pEyb$k*jcYgMV_e zweOv1aFeh>$3SHv#h&YrPn?sK`qmN>5_5BtX1;fH*edEOA^&L?s7=P)t9?*)Pw8a6 z_AW&B9XmDxm;U~nF-eeJ9`b*ABd1qd3L1>%Qor`xj}#K^~dod%NrOEYxiI1WGCrwi&??fD6 zmGO8Kel#~%*s{I{5dKyOVgTeCAR_KB66JIbGw(s6X5^a$)e z5xzHRx2Py%rb&tJ@a^viNb%k)%a25?>34B)O)kzm!_&qkE6Z{D=hsSTxIodAmX?-_ z;5v0AbxFLwE}c!S{}(GJkJ4<~GzoFu$zr$4sZ&*8fet$MDbTP>F_TCMErX7knP;*? 
z)x?AYg@8QNfkbwBC|8S1OLQC@Ay9qD6W3hv&NRreAZ+oeNb$F|JF{RvZJNn++XC(W zh_-fEi&@yV_BU(sEWj4(eXCC4hw4z}gt`hqXg%uO6Hg9p!r`bu@-#SLIpHQnEPdpb zQX8O?2t8O?oK|aUn3A0BE4=i*O#jr$li{DGS54kK)ptP1G5p5V%uINp_au#MqR*j< z21{*i2EH6+ojjY?APpI6ip^}2H<5x%TU!|~Uc5+Rvy`;-B*K1`D{Nw)USB>Czm~rE zyxYE|GF-3e`Fzf79ZO)z(2NIngJL9(rQG;N8!GnL8Bo>{VGbP&Hy%FJi!fLZS@NJ+ z70s_7pSJ=~nw#_Y^noQqO&;em+6E1{8nM>_1ra$+%Zu|M1Nr@EIqC~z+FDw|YAo*$ zG$$S>K&jAm4E6Lz@;OAGdGP}EF(XMQ2z8;8RmV@>d;0Va@;I?_4i?ww0#3>MZ$3+~ zjcA5#96)$Zhib_O?FT5n-#-@Jh8#-qzRO(cpcS4TweD*|GQ~ z#*PER!uK6dBA^~#gj`z=tyn@>#=*L~Si0k-U7gj!ukTwkj0#petkt9_#Xc0TYt{Bm z_*n_6>D@1J9TM_%Ph;odnLFSl*E?sR9s^b}!7dJarOWqb z-x;Bh-05VgzV_I@RVNXQj>Ie7R;Yu4MFD3yaoih~TyPqDZ*Om0bY;U3&Jo?VZMw0O z504oeN9Bl|M4^N;jN+`^o#PpvK0wop3LzzwvF1i5{x@&7JiaPY`wV6CzpydQ+Qz1= zynGEFzi(#df$fJb@HlpY8Mx4uPltu@fB2B;Oo^AVMfcXdCrYucUwAIKqBwW@E#P%u zPSb8ArS`)IU*PY(Cmvk`{lg_K9pz%i2hp%0TDBSnxr1lR)<%@HuBPCS@hC-om}UBQ zwYa3@x#k3wiP_m>nws}c{9%Wyqp!c8FSi@{@`Xch883%P6G#e2Bw*cz##s5fFJj!> z>u+rn;1%8x5*y3;tv>1&%+y`4FVmhqdzOenB!d&d5!|4Ec(_iutUtfQmlrZl1Ipol zio923%nBsEWQ*z5jE!`k(c?((IsPD^N()XA&|bPJ17s0Q?d)y?^{IIJyw1;Oe){w& z)#l9^jq(+UguU=zq-h4(qF|_+!ciHP+e<=G08K$*VILF&-f2k#dS_>6^3VV|%`K?H z6Yx=K{wu(7fKt97L16tLOV0)Tgkt*`iW9hJ=$M%NK}13mG{eG1UavM;DY3J&`#>$} zK0mbw^1%5&D@#hZx5px^rnw?>MX<%ED21>a$7Uyk7{L`*LDS!JF+L?F2xbl?zcy5G ztDU4~`&wFB^!Gf%+2OihT$%Z%vf+7P;06fdR3KL#J$h7HULJpR>9m2tS#&tX4K`nA zg1sVb3@)u2gP;^%d^7Jap)j0i@Q8lU6P3H3xle!7hojYM9?L9La7^J7PtxDg9e+zv z2J44JQ~~$i3qWrn`)4?StY8Gu#_(26cB$eDg%MpJi)KnZ%}K~@xPuRFw-TkIWxcCF zXMnxnzb^=ucNfgeZ?4RgA;3DK-3kN%blPo@BTBIevMzkiR_&JhGdIbFqEtL*H*Uie zZq&J%b`wGL0oJF9aH~B{n-miuu@fwV(rJ*xO{fo@W<7rm)1_{9vIefLBC0<&VeW;` zntS`xPZ`;(ty{mIkOJW&5aOwj=FaDuTUhKO*=W2=?)>@Punt^9_9x{%vDpEO6Pq29 z4Kif$QRl)O#SXGDlQ!`tiNzD{Z2+_ZlE`lfkd zQPDw~y+l?^>3Ovjz$dLLYI3 zqO_;){;>u9O=u@2bp-4wI_G#BvI8u4@*G%DQIz)l!+@o)2C-%^`s>#(QyZHgoK&G@ z_*%r#**gd=G_;$fO1(`X`nsv8|Ee*U9z;WI9GOagWE*U zs(52mcK>naDkN*Ov9V=cnXw_|7fhtVV`k^h)xNp@EDaJ|7Gz}I1@x;j+xx1Vv$3Iu 
zTO}~rFFh>{EaCq9S+zciiF*ult*$>jU=q{;3mIm5Z$qFfDqF%HjY~=jXd-8H(X7;qDLG1RTJQ^y8Dpw?QMz_m5Wb z@$vB+7cwA4JXDGP`t>W^8`}hE0pJjgt56cKbOLB|g3JKZm)uys;!n%bSLVABkBL%K zOKWnn{}@sT1mg98(S+!wpg?X|9a4S2#`0b`YN(wEvPcYQPAJ9A?_{7pd*MQG)$JYS zEiDWz5Vow861OEdj=aKo7P1ZJ;##8 zsg10xtTAAoFE&yqM@nwhKDyyVU{O;fmyX=D|GOO@B#u&r3NSJ<{>RFv_EhREI2H#4 z(E1bP2{FrhNj=~<*p>C*#qK_)&sZ}Z_60riV|bwY_T#f7ts5by%4ME;!|Y-^nHZ+{ zJ#9VoY5igkiTy_TJ16}DcEfW5ilFkX&w4(QZ$Xa_U*5mGG;5;t>&t1>%lY$-q1_YEP-K-jSx6LKj0%` zwVs~}AHRRMBOrtE@54-R1%38#R8$Tyk!%9O45HY_3oSB5(56bN18lnNw)usHevnV* z#v##C?(`4$8{^Dx?HL|^H(!9;AX;ceMa52BmW#39fzM)KLJwNjvtn(yAPrlq`Uh!g zXpjeg@M4#E#BbZPXNg%}_jOVIn|uTwBCF~w8})&><8pW=sZ8BA+!(tCk?tnYxnPH| zkPrdy;4@4CqzUY`v`z-V;KTuHYHA_}WVDi+BHwf25bP0@2t2yK*$k4#o%PyVBmP@I zYODoTA@Ep6MuxO9D=SmMo>%qh8Eg%R=A{pFqncAr1X5cUU7fwds9x4TdC>l=)cdHz zdVM=I&}d^?1UyIZ9o%e+$;ycu>gv~O?sIeP-+#yX4Mspf{Lv`!@+8FE%xF8${{0qj zZabl6uItTJCV4-a-ZU}50&BE~UTSVaN=Y-Lxq_3L-9&au4CC3fvR;6_dd%J)(2=6B)}i7B%ksCt|cHz(TZH zjEZ?PX-+5tkdPL5l6+lU2D_f^iclTzDk!&cc5q0V$j?_bCY6_SCs-xIz?kJGr>6Gf zAACT}SD1kT+Z4hseJ)pLW|PR|lh{@R@2I~Bn#T_$8iAwmsr2Jo=Fo%Tu<+Zie&>x$ zHz{^>HG0~nwgSfc3DfvoNy`!t1fhEQjCU_;CE~L51KmX@Xwon*>DeUa* z=HpB|cGP_aiBV$KlBA(&DGLk6I?E%0Amxcs6j9#F$||4(=g?tx+*rx)IdBKtN0;zXwdvbIR6{s0I7h#!fhJ@g zQZ>XTkpm<8!lsoM4FxaSHm+SwOqHCRoR7pEcj1^&%FCDYdissT#l~I-P+&oQbbhTb z(H3{^yf$qos#3d=7eHJNm0MG$i7X+%Pd*m8?&n8I0xbYiZ-ea0`6ae=qXK&AE5CYZ zy0*~r?i;O&ntSpX#vjK0{lLDy;IM@|P*?7u42SsUH{*`BiMw!~qV)JR(t0cOGY_f~ zVo^c-*Ei5l`E!-~sa*0iO8>ty#oejNc@G*kNd}a?>nIYQKko%#dav)P-30g^E%0{$)z=H;E@;0?}1+9s4uq>$A_VFWV>j zsOC4{(rp2;PvV?XC-@zNs7R+-Oo|w|;5{?KSXNfn12PwOPRxEHC$}Y6D+`>U1UVZSd_!BxX1P3Ko*F(150F63-HpQU=BF5o> zz`(atgLQDfZfrXQ4w85ye*gIFgF7(;61M8fcTBva7e!JlZr2Rvwcy{VD9gIKSdq>( zXS51+U96FR31f=Kf`e0QXm4tI4X~#S+8OaQ00%0Lg4dv9V7Q3}kr%)D*tFwdXq}wv znX8BL9;+RloC_@}>qg^lb5<2q)jk?==&$tVw#}`-l>Mpx^#Zi|Mnptd{Q#Xc82KFP zIDJl@G9So!Hju>`*$f{IW`ow`mdLIwZUv?ODc_OH@{p`GGc$83I(6`H)3mK? 
z3j^xkT)@4?;-esV9f2>Hk1Jh-V5(xztDibLh_=hPpX+#-TGYJV7EMv5U6%hx4IjwF zb|*?6Km_yKO;`$L6_s9(cl@WMk`y|cH=zcj45{`(BDehlb(p0N6fr5O_B<$>=iRq& z0|H`Lz6=U81h6!xt$qF7Xdy`b($TRU*)d!)m0$t`>kG$a`I)HJf~ett6^%G9#6IBM z^zmak&T6f+?9|lnvD3&OOh~-xmpEXyF2lMYY4QkmD!Bjn@xuWdkyZK%1KtfqsuJ5L zm=A!w&AEH`T5vJGuV25`o<8#waR;wSQvf{EXwlWwTz%lcfv~VJWt}z^P4#ME2|?@T z1gBa1kIyziNTz@ori7jcw*t96jBKYBeFEVmCHkGsLx$bC_*AEb_qDZs{B>O8h}jvM zTi!w4(7z5H|K^rM|6zr;XnusyOG8j8@|)wYVU3E)%J6yhGxG9lAX6#AO4pRCcOciU zQ`b7pC^s({ok`VYd;K{pD-7g1*1mF{` z*(uuJj%zwM+Ef20Ml1JXZ;?kTBqW5S5F+9H&2*$CS;y;^FP}bG2$K}g%A8eUdR+Q2 zZ+uoYP$niaWQKF+GwA*)IAN*z+lad`IyxE;Ar0x#JQt=}WogP-^>-{qp${KcQ}fc% zy49g2gqgo7+x$3Y@Z5R;Cd?6eMk8uI8&&mn#z&Jn-%B54Vq8sy+i`VB+lc)>7`{O& zJZLy@CuY8%#%nhHy1f=Qu}NOyx$H4WcObMC>F^3)=wBrFE)vKUq;|@sJzAryagxjX zC&30#!)mKY>&p``P*(Ua-KB7cRpLf)FilV08V^}nSpqc??Zd}~1q3#Mf3wKL-5k#= zaZ?XGvXf`}`VY7)ndN{Jq)gM8XjQ@W7!-V7Lkyo_X9An5um{n%*fs}j^ulRSRoD7) zCPaJvh^_b!J>S3A%-=1{CGL_BA8zL`5N4d&+z7|wt-dS(p~j&=&~v5`*a%fY%-KIn zR@jNm_w~(TLds(A_rt033Er0GwP6&cP*=o9mBcQ5+CqGkaMhp}F9h^GwI$m;s5Q`0 z>(ta5sMj5JKtb^qtq~3=X>eTP3886+BRSb_;{6t~1PI-v=E?JkU}WI=q)6=wf=2{Z z2bwUrvld(04V(Kae74s*jkN5mcYZr#%*n1jwY+pSaH*rCBfA4#z51WeSFEF?Bm)EJ z+nqlsPIe#0$<%mp3k)xYsgP1C4fqW0WD3X_jYxNdIL6^3dkZ|0IlVghaNWQp$l1CD zCjVmHghMI9a(nJwG^E!wwyF55Iw?p_`jHa8xBPn>GvPVLgI3 z6*dGK^u*Wq1mNz`TR{ibMMvf-KY4+{?%g+?(@b(ElqJPLZOltLgb zEb_3QALYdaDmthdfy)P_x0)9^%l1`kV1CCV%Yi=84WTynmOdbisB752M-=J zm0pBUuLuqr(RTM&elZ~--r2Ku*0;Bdp36fe5D*&PkI56ebd^Fm<^2vmIGty+?jO^I ze#=WxZ>Wej1JC<{0m9eZ1mjB#5%A-r^~25h7CQQz=G1vaA0o-ehrNeO{@|5gR=9>7 zAz9>xK2WS_!OXxxjON=gI>rwXLhR}W3c_c>ZIt^y+O;UTkXWMvwX8e6J-*!ocGQyjW(3 zZ;)`w5=t=4O(dxqGdcC zKoe+mqUf2xH4@^xW$)8g6{(n0>`;>Y(VV;iGWOZrW7(t3o(JR;{57D>$j5vVnLDv6OwF2!mzOErrlFw^J}i z0b3P;Lh<9XlZotG^(;1ITwntc1}ZA}#2z@fA_v*QtCiUtcAMBq*maCYAgl^9WZL>V zR5A$4&&^gH3; zmDQX{d=JA_jSVi~uXcoFY6g={;O zOAB_i9-$gOi;V~#lFD_gV^8ajY6M=apaOs#95nU%OsH|dRXHu(eTenii7rt5K$;7f zKSB?{hTUM*j-D~N%PqZEty)D4Af$B|(c$g;_cU-dREO=;av%}-NFdGwI(AL1t!qAa 
z6Ay=eF;ZGYboJY}atu_u9UySY526K-g*+5gJmpyAwl*aPhl9{ftE@mkr|~QGm0U&D zPJf)TrWv)eAmPnW;6R~DyLJyNo>RVJiA32<%!1 z|07XskfuC}FWi@bafJ>g7I;---``rmbg1>1?Er@Vs@?rno6rXJwxNNRh)+l+%$-XR z6%UGtoS*p&`T)g#>d}6y#+X&h%M12_v=*3VwHAR>_o}KYHN^2dP!kVk%lsPaWP3j1!6ij#B>Y-Bw zBC82^_|dSG@l1+}@W`mJ;t-SZsm_928YfIDEtbjcHih z5ib=NcvX#S4P@~w?_1owWc1nX1`>q0qRYF#{c&$yqH0){E;R@y#dE-bSjxQc6+W(=g?E&5H zNx&i9Ya5wpX=%Z7$3U|(zi5dODR5??J3W$)CmTIwN~V#--?6T@)-N0A5FAH*SC)<+ zX6#{r;GT@3>3KpNkbxc-xz6~die#LS{&z`~?RIyzkNz9-HiI7#1Ykkybs&14Xu$*! zQz`LABJ-dVfD^5`IQ%g8uZnJ14+|I$HIbgMkn#52#a0M|;nhM&J%q5uFdj`iPyzC2 zf_(knzXQ$3<=|n+L>3s=qh}^iIWfX)sE`a&n4EPv3-+LBzI=1{=o>Q4oeU=7rfGpYJ=fVhfakcVLMg z1r8*fAQ&s&nNkxL1gBm!<56wc@D^*yJb0(L8A%qK7}H{6VN-DFCU!KCC^!rLAemA5 z#DHW<8|(V=#c`}d6ptaR%~N2V4vV?@H}&1%$s@%bSA!=Pzxtcs>c#$*)mr$B1?|wWIvS;pa z$lifE{4XVlM|;-Rb|c!+NV9Hag!CmB7dRS&(3%7Sw6wI80++olokPm)AdDxs&^w`V z`X9M87~WaJKcqBp-$tbA1JtK)CvVxnf}oFFAcrHv$zV?NhSl6euMRu+e`?Mxnp@S? z|ILir*P-*H;$U!Hq};UK6g4@V83&vX&LyPZsgNEBPInXj^ z-mK>WP*@7yi?FZYlTfS&wJ|a=IgiH!&EQ~?&Jm)l0GePvSu9$XAgYMKud1u7`{LzG zC1eabjHGO>;Du&vHuOp z$-U6lgE9R;_t{zsqA7t6>=_u?t&_af5sY^l%}yQj^XG4(K&s1a0Jkjs;4mP!#ojxx zb7^S1Cgvhpn&FX?27L%=lVh*Cv)N@p%y$*KkY>n$J9nxOK@FCkKYIqez6PA9&hmwD zb5m2IYefA1oT9^5FQk+h@%ZsBuzJ8qbHHi_w1a4POY|kGKK5Ps=9{71r~!#H0Lax1 zR5Z2@w4^1W*{0^^GDr*J!ZX^wckou)u}BWn8faK%wW#Lk5{u^FD#4lbpKaUBPyjQ3a?!^8d(_N0Wm6a*v z2k|Svc*tY`6!0;K|ICLjFk1%R>re*ys`>p1(TIS;1L1Qc*(BHn@Dg%fCGt%y#=Kw- z14Nc1P)IwN(+? zL1X+e+TiV?)F^N6jXp|Ef#~@kH!TIsj0Kh{$s34SAEPt?%_8#l!|@4WNgV(Q5lI8_ znh^LPeL&D31BG6&WNTxy`r3&bF1T)1Hn!g3Vf{oes^pqs!_a?(XvCL6E%*@sO*$`A z>u6;weN@5y*L^t#+SGe#hH3Tc)ujEkUULs_OZn6(cnY?Q+S~-L)!`LBVb_v)oQYr? 
zin~!!0@RyPL;HZ5`86}6=nYpBgLD@!Bvd(oC@Q=`%(pVCS?2tf$HZEB(`E-uDK z2x8YvmvfHL{$E0hW`Fo*UW_MHgl?VKp#~`#MQ{~@I_XpbE37jzhl+q0lX0tph=dUj zqml(c#llvWK74k|9vrrtsLQy(q@#czv{>nlgK3L2(}3(J=>!}{ih0`K&6VI96c{Ln z37Qn8Xh0P(%sqk)$|#*?xDOLnK=9%9gT(X}gN81!g*;dE^C&-`=%% zrVkRDj3V9v#3TR%=*RGS8`7G}d!17NlN5k8NDnnw6h*i=A`%Z_F%ho`ll^P_%MSEi z8mGU@mJ5&~fRnVHq6wbNNglW16|f9T3Wi`_QSh{|4QjM-)Vhs zjwE8_)W8PmfXu!4$6$I(2&kIFZZ`A8sdh>|7i3$-w(ih1J!PWfN2CC#vbjYBVyoIRMkH7L^^lJwDtFKQ5=^t?# zQ_RY1YpD@&wSPJMO?S!yoM*fe)0j3Yw<7f)e1HVcc<4b#z&D}fi~pmRCMW?+k^51NHG^`C_hNVuY=D&h%!o@8O<45H7 zv>uCSaKW4m;HO5|TQTt_7Rm$KW{7|6?!$-AhkI2N>4s)etq*q<2xIdBU*EBjW!Fd} zPLVw3|Hmo9S-Wf4`%Ancrq-~FH1s;LD*MCifv^fXzWQw9w)K-7c~ z3>*a?OSmE^r3_3=buJeeIe$(+fhdc~9!i}cy;5c#DP;YRH8DUFewVkX!pVSL{04BQ zDPjc`E$vX(G9YAJG<^34d5`}ELt7mCX!}rwGm!6PX>d7pYBQm_TVIl55njcxm#lY+ z8ZzBj&QZ*Po5^Fp&$I1|HBQ;zq#LJA5D6L;l%9YLg=Gnb^9Cz#xDPcoH5KY09ENv_ z|NB)fM&zsV^2jY_#Kc_7GD5)hy*-$Uw=@G^DZg0)xP<^Bjv*qtqxrn@U!5b+oOxy< z`OC=r?u@&tg7gw#!2ZYSebnX#b{ugk%fn4Rk+^pnD3_)4AEdYI@PC?6lW#%0Iq3Q4 z5~eh*hQD9qm%|8yInAY{^ooW&p|umFskjxIu@z~yKru>&mZ62|y}tKQJ==-LA{(Ga zIM4@f_R2>jlrf6}e>%859Am%ab>gDQV$%(d16U-!t__{yLN7I^Z=w$VB=J zVHsqWz9NF{ch=0T{L?tL6EWQboefHzs~Pb0s?4eDJ1)Vgc~#@T5O+)BG#UotP{q)< zbMM`|3r>~RiNMY}jxedR6=qIQO~kmF4Fm*BPds)*Ub@KA-o-bK#|7hzi54|0cql zJZ!K+5&Z+<+v;mkf%d|$(RQ^FyZ<}|1s3>Is-_T8vGEF(Sk|!F@R`%}xG(+58@2>! z#ITY(&WFKj5D%3bs(?())7r3g?@m6x)Q)OHcK7;0;#|SCr@2z|VuO%W(9CES=6YCD z!{ujDbEH=8W6v|zXSTS<|KwMUpGJnhN3&goinLGOzpoY1N$^TjoTAeXCPXDorbf}7 zp<;!yu~wJPFaiPG%t9+=`ira<(OUg`i7)A8+mY?4cWk79Yqt-J7iW&!o0#_q?3{L! 
zLYvQ7@PXC9-`IYH;A4w&COk0)P360={cZMGNALK!6gaZ$i+k&Ut@eWQfbX~(&*m@D>a3Ig zZ*j;KpdAn?4SfMpV5pGD%Sa_08oCNKqLsCEETlV#$uf9C6DSOLFD!~ixE-N2=S`OB zn>K11w68#8#O|cE6rdj_(M*AQ|5gX#(m;FHUI=F7Y$#X+7gFyETaV4*y&6SGUCj#5 zL$y1X9!_nEI+330Ddke*)55K3->Ki3WLUjR4GZ=B(E9?5!YWO>V@!?NdZ8Pw{#`Jw z9mQn9=nV60e93@{E6lh{<#dabc2+$t`r0pd#?{`PQ5;ue9&LGQtB6f5e#!f&V|LEx z?pVk%nm;)(+ZUA*ue8R7zU!MAv^71$1hfK!sB<12Q}j`#ARV5>Pkgg%#Ux`KiAiXO ziDHfOe($-7>p5>UxV|rM;uh74+Q4gVX}Yh~m9|?-uCa2>T*lz5#?}PyYpHSiJf$U> z?0w^P3z~MBHSI_EJn!3ZJS=LAyk8PjFR@8yFv_{Po}=*E18M66G2aj0D$Yqs$yhn8 z@(-xi@Uq*)pV0B|P2{GTT+Luir}@5ov#4ol!#w&5%TTi1#Uv}BTq!655Nb*h7%=id zJFyrkH8eb2QEpFo%!R*u(cE{RvF596RO!LDZ-+j9OwA*{5F|B39O#y>L+RGBwpk#u zC#1(-Vmd-`H*%T2=KFzE7pa@+AH=?Cw!cr?(4peKYVBiZYBO`I6(__Q4C zGRhC=x0fO^H)tV&m>J;QP!OjOfCZUhgmLFW8@$vhYh5$uJ-%@{O*)A;Zx?si`Fs4! zMhXlGjXY7M%Q7WZ0y-;l?3eVf6`$vzlz7AEl|GY$FYKu`p)!%vk&<+ih`sR9*Rv6&eRyB(OH~h`29&^$$iy~m&9;OkXyi1 z>boTYY#-)ki~Gs@hGmMU;up3yA6HSi4#G(Ww=-Bw41lEj8s!Yib}JaCrAx!FV^&a8 zgA}`3Z-gqz#qdgCD%%&|jpN4LW-e@@Acf$IbbjXAtzI)>-yKnYzt`ceE0|`NX4xtH9ZWkALj! 
z+yVZDg0x%of`?DLM(wWtGKP#-t#UH=)&qV5p}8+!L+7c~kdWT|4#0l6;WIk!7_h)N z0}|*6*lmK!U_~L`N*LiW+vf&GO_9+&FcKs$@Z-q9*76@6tq)HsvJ>w5KI9)_v_X56 z`CKx?bNF>AO5fXa_f|boNEj;C`=uW6NaKNgQ|#H(inQ|IEIba=i8a$t9vX^@^FLZ4 zZn#--!OxCCI#{Ub@`I_A^lk&;lBk7JFEuZO%rhe{a~k*uogsY1MfxjD{?9D*lq-S z4oWTNs3(}L?T|8w^kMr06f@D{33~#8gweS0(p$JqnqH<4cz2`34+P!B1!p)JFB;Mh zn*-zaS3;>;a(h0^JT{ek^gq)T{4!0p>)P#~E%a^+Ld0drxp&5<9>5U$`IJezoDdTQ`EnQe^M;#@y6 z;XRm!uuJTUsM*fFyUPjcJ-K-(IR)ioQ-hBC7H=4xiK0j*c%;7uSwH^u%`KEpvBbUr zJ1$6D@r8Y!8O8L`vW%#^8uWEFG(vg#e9~mptP>kV8SW;ZC*$7GEjqDhO>jPV9uV9Z z{c!wS^?nRn58TSV1-TBn-1#B~9$qIhZ$$tdsqS#p^kU84+3bJ#9O!TQH8BA*j`P9r zirW0I-=hH)R|3dBaB9G`gpq{dflH_7128ffx>euJy&oC_vy8{znSnUnfp;(iKMTFc zcw+P_Dk_Z29u%nfU#X5g4<6B0-#|fQ{TZ+LHQO>h6@(*HtlxQ6Fn8{85W7+yi&e)C zSApW^63-PDuPn4Y`nzV&_j_1w5*fRl({O^?h;w-=qjpb1iJ7gDQIcE9Fm0NkK%D_w{%a{4Mh|M{*a~Ot})Wm!>aGhw-8?oTH z7^=8yJKrdOo>~e>d%sP8gkHQM+TmyY`>$`$mUT%Ni7l+3oKKGA3|AHOUiKjKWS-ZG zv}c-B!^`V{G3wgshB{*|YHDgw52*f3?ckl9o-W6eUh4^U>b)S3_NSryQ8s(-_H7P7 zuVYvf2(uj+xV7NBwKLDKfqG5SP2Y~(HMImntQZ=OTm~Z_s1-8DoGc#r58_zE5S66q zH!(Zgr=Zb00KbxCgM}pl7786{r3FDt&3hLCDs}8iYhPEF;x8UNF z$jD$~B!C%)P)~O{mmzuht4FRf zEAE#RrHnsyLQ(%*ezCvix05zf)GO1hNk7jHs5mK6Q?f<9yQ;h4V2ATg8G9+!?s6Wd zeG$pbm(K4xy488b_fAlo_vBNIf5jh(TIAzfCgZm>=FJB9tP_Cf&#hyc^^@x9j_$Kb7GzPcO1VyWFZ>c~^P&9Liwz*RFQAJDDoy&(GrJLwz{u6cjL3!f!h` z?@4_Q54eDmUL;g`canB8J#;aRbVJen*RL@~jSU7S=snGaCTJPKq}JQuK)+pmPyE!# zlQouJ{?M1GUb4V{hoSOG{RT@rcLLBDEVH08SoKwalU5tb# zECz??FERmf+GGEUsJW2#J@e{vPkl!-pJIQFy*gP=m6yK?*LMB6RrKxG^Pq6PZCAW~ z3pb0-NQZg!&&10n_Wr4%J>&dGOE;6e>Sfn1-ubz-Bw6zrgV6TK<*-)UjC@5Ur8u;| z-Y5nMRNm21c%&MAgCckUQMSI6feJS;0TazHn;}^lzOwCnDS*-JRLF$4Goz)iZiC^m zIl0U?1&UWMM(w@J;+0277~B#VsJsbm7G}|t`5QP3{zm&rUog%Y=lvQC1EO?xo@V7c zROGp^P1Lrye}sAW@6L`-k!L; zJ{WV&>DI1BOU~p(uYA;lrFWQ1v+36;Hx0+;9fwYg`VT0&%NURxgnL^<0shbtRdZCs z^MkNNoQ3XgxMuyl26hZ_H-Mh-18|zy|LKMG$GwZ-pp{{Nb@awvkfR9zrF`;aYvC6t zu#=bxYvm~|+nx=Wi8v8};h3zi%3ntl&#*lIHoWy^HHhskMNd0RJYA7fm_@Aab~q_h zkfCzm*(f15U_yp3M!6VP(xG03@GWmvY6ttsBQg7@hAZd@CfpcYGt_^e#NL9qau(aX 
z)>inIKEJNtCGEg}UP)qDE|91bu^G_KXSkaA=crHEi80wU?R-Ps3&AcN0&QpOngiR7 zCizabvt~y3={?SfUhEOoTde&fdhGA{-op{ic+14VTX*1}|Ed=WDz7Ew7-sR)U@<<- z3PMP_0~&rH|0D`S5|4AC`yxV8Tmz9u1kpLv#3K7&H$wu0<5Q);a~swVv{gTlokX!E z?0u$IR#dR;jNAlWjaRR1_+u`_LSCeRL~NUOVP~jvuI^a~ZE~o-Utp$Mo;m?j z=+{rWKq3Xq81Eey-SikqTO`a~&pT{koP>uwM9B1R-V*3HLivGKEzvqI#aq_vK?9@Td?p9BzkhcX-M0E&jf>Ym;Sonq(lEx@isS@rW5VMmpS zyF$ng*tJk)4R8vr0c^x;*@`Pyu59YR4E8aW&`p{8`(!Q+0kA6e}&1iSM>L{sz|9MfyPTv%g~EU46xqiPJcAZ={0Lcv&ZW+ z1DV7%S)+W{TUCq&hg(%VM(>=;%`tR%djI`&f{A*|)2YU($7n+E$G-AhRZ`5t>89FB zrVM@Egs1wB|NNlut$J&VEK{vVmeH@5bf!BJ63S@pI-!E9eOfaP)_K z7vu^!k$+EJ=)vLyWllG;E&KO3eA{8iLKN8z^Xmul(30w%B=qU4KY7*3{{2M)X_tqBKB90?JNvv@1*`+!P< zh+3eNLin*{&_v)K;CFc82(L+xC0fd;?Jxn3YLghZ7pb1^Yqn_^;rc;j8O~$LYkR- z&mU1td(6)IazMTTN0?ZQZri!Dr7#=}Jfa&%igo1v(eZKh;!9oSR7AlP@G!N>Ud@|i znO;jCJ8Y8)T_3@c>YW&h*kE+s$rxPL7MCn7?u&i$Iv!Iz9mB~hE53*-M%{vz04Z@T zYZg%%kY!xPoIbE;r&BhE#>dCMA8yaH+PXUC6L_59#56d%;eHbX4J!AwoI4K!`!eAo zEx?l)^<8>?RGyITFo@Ee+=Y%62%1#Ag6&Z50nj1>aS@J}-C*vOVK9{!a1In8Al=vC zM1SE^>%bL@d_%l22(KM5N(PZ#zi?m)emfP`gGP6s>(v3K2Ccuagg20P zL$Rp!@SxA-m}m@EAPyaf*JpwcX4wunEnkhpaxZ|Z2rJd6n7~8;We4WjzuFyYBLvHn z=W)C>?*8Cm+${f$4C_qOIzk%2VuJj_+G1!N5eA0k(XN-h_Jklz@Bx6GNf?z1FWEYl(%75Q15u2g0yMi zQwXe4gIAwLVVLh7KS^vUqcnk;M8q1zt5kh6hiQRbv!Mr$t*(q18%i z|9(AD7SM7c5p*nRqbUH|DcD|_4eqB>%E>%yILh2KtxA9tp_LwI8sNb|RHRm?1d&!4 z%|$nKJ$*bd#=$&6$$Ab3OQ{oU*KJoAx^WSnYldAYky6zkL{zt;9{UN!_EOA~Ks6GN zu9f6JH4srxBsu=`Cr0(7u;Up)^G1cYhV{QG65n3ejb|feAb`rOmRo_PsVpF?0Q+9S zq`0S9($Hfj<-ID=m?Cnww-2~#e!Pqw0RRDIkl&(cEb;V&9zZ7wL=bv+u~1Wylit}$ z$Z0K)PBXI#X;2VqC^0$#lo0|M^2p9=X(#!^M>1w*-7dV_0kA}ibZ5h$AqwQt%x-xU z_1NVv&(@|z!GN*h!(me!o4cmHS05de*PQSNVhn0B6>s0F4@ndAUDW?n?ntSMSU~^s zkXAjNlyc8cSwr}PdC`d{V7wnj;!t~X_IP-f74`Y>bvw4y)QY!}Vh(?&3SgROcfhDi zVM)97!--ZaXCPX9Mgx`j%F#Jr)X^D0d(8PTp!0JSGVdow4UXCiy|po%@>>CBSpLQT zLb^uUa%^LQs!WKOD^M+*k-H!W1m%|0iE~-~Q7Mmwx(S$yU|z5WBtGSN2U)*RUBW2A z7iWfqa*q8@w!sArG&J&1rT*6+mjpqLsJDg-=Q4#%U6q!)6`wW-&v1V0up=FB!5S-!)`{ 
z-h^9Hu^tBk!4?w~y=S^PXO3jnRS~G&<9o!-CO1HNBRH_gi#m<1Ns2U>SjrCl3>|kv zC~+*jA9~9&Rlza%T6t6~HGjH>=OhFpFg)YoD9UUd!#ATEM*L1fGA;NK3&l0)YI4O6 z%z|ybD?k}DUpoNYxFW@4>mV@_h6BU(%nJ2AsdawleP?ya>9;p*iBaG!L;5EepTCwf z@3oEjp?ZR@u@u7EJ}^Hr!q^E7rg*MhKXYsel$ZbKPxA^?YiQFLbNAf zOF)oY1}bc|TIaJiN3RC;dqDe0rUR`K;>RIVX*WE(EXv zWnMpMeK(9)fKQ9|oDC$amyYcKp08lVH^IdRO`ON#%()EiboQy4 zRFAA(@qyB*VxH$)#~)bxl^r!f{5}bA0GM&;d1l4d+g+T zic1z}A9gPCT~#7jA}Ca!dN9>+60!r2bf3{N1uOInVYX@M?!QjxRW}9?;>FX;kqfGE z%E&-IJSGvSdBkE9vaCeVgpQ@quWS~{0Ofzj@1S3(#1q|S#(au#jk%^i7G2I7ThUDl zS)BZWVij3wqt7{Jp$Vc_l^Owtr6|QLE$;{Wx^*{AwO5R!E2etnbK`%EWDhFuddakY z{X@rg^vrTXF+%O=5C{o}RQ!mRMEIdVb2FK{K&2@N0)PWMi%Gkj?n(MT{3W*Yn=$Ue z?STs6npuFmr~%|)a*$5vF6{gDLhMBPyHf^W#`29^>!6m!=o?eNtb{DQ0n57deizY) z0cS6so;(XA%ZFn3q6DISx5s@pcas+j#MjaLJskG@@kvV771%&HOVATW2qu-MoVlB- z0Y4?BCW?^gIz5Y%pAy$1qT@lDKwT5%hdlD@u7IOpq7YMfqN_CAF;)^#*YRJmbs!i^ z5sYoq&iAoZs_IvF11$_S+LWA(*~A?b;F)bPG}Q%%3dw}Z9jICG8mUHqh>zu6t?MP4 zI{*=+IfA6|CH2%DEplnh-4BsOKLPVKc?@mSnvg8=$L*A`?;x4^!|q*U9sFR>rtEKA_5% z&wTB5)xVw7AXSG*vMIKXhNZN5@=2`v%fr_|0VMEHV3to#1}pHQDwem_)h{VYXFUO| zvOQM?(K`dZRMya+niaZOF3|1h1a6Cs@&p~XbQn&Ma617!D=7FG&Er|BKSgGWB#j{| zeL~sZ2-Qo7D{G`{tU<^)jH(qZxH-Mpkn$pa7mXt+C&OhU%fAf{hCrK?DC-eg82G_7eGjIiWPTvqdmVTk;uNVWz+&084C6{5 z&9=7ouuaXNX+hHH-7Wz14*2S?@;H^%9-`n&hzHaMq%O>(`sQw+7ONogYyGz{eFn!P z(P8yg;OoF7(9oSd3(-#?I>Xy03k~Yh>&~Fgv)JDXLN1x8BR?_yTF=2@g!@qIs)PXo zRbmwSmQHxtsjb|ik+lOAPx!k-1pkhiu{qb1OpREI@*>+iFJ8ENN8DnEvLI1RB6udy zUppZu!JQP+*}19a7WY3`07|T%`T=GEYs7%|+?5?-p7Q@n zX$tqYrq^|#G`9RaiAEU^xa=JLOg$;Ys5MU|cJDrfn?~ghiVSk%HcXImH|h$-l!Lc| z^4k1!VV+I`3J)rXCNa*(ys%7RI_~LR0^J(Y{`r`>V{SoibsoPy#p?7-7S?z4-B=zb zstWA9aO=SB6%;69gqyR?@O!G^;hOlKd&7ndHUaYLknBN=h#s<=u#=7}?wBQWx4c?j zqYz6)WRuanFB*@H4mLd)Maj6C`3Ujc?3&)kCZV)W$@9*c;y}xDiX8DW}ASL|m zzZ1;_v;(C`{f;_?X>$J5gjY{IqA;h@${2f%5n@Zaj9CF7f%tIup1+xc#vXc7#4F)w z2f@{vLWy$BH<|otj9a^gn`s+*Ylj}M`cEOq$f)-5zRt}ad>x{knVg)Qu!Jt)#sSx- z2{sT9g*~y_zHcCIqS>Y^GaOw-NtuA|kFculTbA6E=h99;*#a-p 
zOg1kN99eS#v5q7oU`&O57SWHG;_o2_c`NYBYHQ!9ruUJV`O1uNrP{+mea*7!I<|ZS zVU7W;WqbNcdZ?i-1L$0dFN&A@98SgW=H-g)B~r)(Lj{4ni+k@&H`Ji+0o1y75>k#B z;tlh<%IHI1A_31Bs#9?}BS64edOv!O)g2QUapL{^up=Qq8&LR`^ixMq9}&Qe2r;T0 zQ@eN9kG*Psa!!TJ{d8iFHBIPDLa`T;bkW1eAIVtI;`{r7P=t~dYo+^_-2RRW5K1kx z!l4F$@2LJ1Av_Gvas_AR4)n}WZef|8dl+oV%0>Z@y@9uI0(PE+<%?}v73LG<$P#5o zwEM3e4S|+<1j`&kazyDv$$Ex(%oFu9hUKAQVU-vXjY4W7544hE{RdMb%8xYU{N?kglkoEfrUhv81FBo0E=!sq@=rE!Xc zstF{1u+ky}AI^>f8+WrlU8cenkK0z2=nZGL;q^G5=1k{x@++>Hh$Kf08ne8`?ZeizG{{Fq@ zkX;SfTI7Fx_^{`VX_OM5ImYpevqR!UZw?|;dxs%gv>M}NvK2>5)NH|x)d%@e$ekH& zQ;7m;E2&|*l{9&vy2z3z9q}a)B?epXXf#+4gr}e9xdMNkC^e%}u7CUUmz{Ka#}MHq z2l3lt;VWd0xiL$v9cqeD73mp1!#OBx5M>@h`@xER)m5eFA?ZTBI>MTb5ju5oBjMm7 zGTiBz;72hFj#nAeemrU_ik1vrEzx7R3N(OS9_e{=S{8cl3K?%cf5wz7FFV^CopORo zqAGs)3i3S(Qw?vc3lC@-odmpY0&$9Z(4`aN8nKha?%k4hCN*Fhxga+JVy*f^V|rDJ z+cC#+cG)1ihA-wQW85fHZ&*DKqr~Op&>}T@yY17rbB4{&2GX5+?(iwl{`!?WepzqC z%Oe8kt_r^Ki^=AH6o!e`wIKU(Awi~+PoGy(ToL?gyX}d*df&>~jqg13# zA>~ywYi6^yBbVvu#2HzHdAfMPlCq!(0635<&f z3BQWs|Ggw&+MiCyo3o2$GX^jtvU#~$0(F9;RmL($L}X8lYv?MIK}Sd9@d8>3l;7Tw(z8l^<8{X& zNJ{*{dS}q{nc})zdS7{tCW(-r0GxkkaILPF@Jk5R0;N8|9>FPtfpj8xBb})6^6@1M zN;I<+;ARa!Og(Mw=Sv&-!5PM2rgcvQEH((eg=%lC50l`p4OW82a?FM%&qrE=lswi7 zn;vy*`sz7-&*fauIM-0v6-oF5B!!6!O`VOyuKqor4ETK$X~e zDWZBO%}?2?7pIX32$cfEE7=mb#ejMrxZl0=7JS-~54!Ni0DLb;OxeT~Jc?WTkV+>c zM7p65nRxW)&oT@!)gEe!5=CrGnEYJ~X0Qt+np$|>NyZfcij&gVi38Ae2!syIw()Ru<*qSN1>yrFa_Wy4`^cRx(nWj*nL$j$ruuv^2}BvqkmzE0R~+o)ec zmR!MD|Bo+>;qm*`-V|@Crwz^e_1?4UcIZ*NUjr6qMW!+DwclSj5izIQP|j4*G%~7v z@5rvL0ahPR9cF(v+27l=j_puyh`XD{_HCiE3?-QVA@7vm6 z(ts)%^JXawbSM|#Ktb*zW-Q55wRGtk^86@ZTJu>HEr@s>89s9wS~Vq6VGZSvL~Wrb zMh0{wjY9X<7Ei@Y(f>R2?R=pD!SZqXRLs-y#3(`NZxHEnD8RHBz=g0JN-d2Lm{Ev<1Rj5P-iYR{qjz_sx|kk( znDzU|WCi;B8r4=VA@4lNY)aE<1w%yWP zyI8DE!!meF?*SghqaluA{7s{#hTR@5@@7S9GcF&R9a9WyG&uF>OMET*iskJCCLME+ ztvxnsH*tbPuSil)RG4LGT4{;Hua0|VSIEkL!nhfGpTJn41B*XQUw;|013!dsO=wN9 z_aqFuwr4h3Qza)`5AD*h$1s66V=}>pKx&}rky|WwRY^75M3HC+G&YiL45pq+N18lT 
zYICraaMMb7mDPMnT4Ot!wM5UQMNWC1(+Ip6Hsa6v5qWxcun?)w6` zXtx0yBO^q75QqI+5eC66-wAsVBAkLlN6XB7&1AjR?{jxGLH&lS#m$CxUCtQ!Tgsw8 zje9kxOH)qY6d4lG5*RHTIq*|6?*4a&yhmQi?oS6C^->h;+xN^*8qw2HZal1fHvRo@ zB`>2+(bLM&!iC1iZe^{m$xAC&c8vwf<|kFSvi)u$)IL^9h0J$xDK>S^Q>y(`TN}eA zWlxD%(>in`qz$rQWJ`<;#8Uecv*m3Fr_c$^RgH+%N*Q)bJrfcVQjSg-3P(5P_MIi6 z1=yE8`}VP8!v%FbYWxloa}FI^Nq{fb)@uQpMc*#RE4ZO#WV=RE+1VwT$3MTExL3C` z_T}5^+7C?npW94T;|*-{1ojPldtk@Y?`j^FkQHU7$Tcv2>r1r;XUdVcc3Xb&o>+Oe zB5!oxmD&`YXTz#h>)*yj_&OAfRqZ__*OSKy^fdo!EQ7n|MV7(_?~`@``d^hi)!GlW1jagd_3_B8G{?DH3Hjn4TL?AESp1 zQj=p=2W__7SqsD8zr(?gn*gc$-#$ROSNmn;%514>FdMUqyKi0A1)=t8rp>vjjjJu1 zFV2sDI}$N)c189w7w3!B(<>{C&RMD-+x-6STORgpJ)f4#8tMneO~074d=Z|OyN}V0 zZpRx>dUl#~FInyVww7qNS8JPuUA?nnTaJMz$5G|8r}qnS;ajf7w~YMHxAexhtdI)n zM%|K>B;ht~i=DV&J8Ebm=I{&Ol?6O)P_nu(-;fgXT}FY)0DAFVxSwm$Md7`$weN8} z)z%QGyame~w7N79Z79X$!=83KmOx}1NB(`3?j-OBDI}R}5SP$Mim^;Rb7=g{w){)t z6kd8fH5HQHd#1X#H~1S=kNa&4uX(&HySn_n^l18rdmpMZ=!;g+nf}b%hxLGcr5x{p9YCs%!a1T&|Z^1};}gr@C{yE~chcRQmAxRyLRQ zJ6I2_?7CR9N$+R(-%Of%zKhHM$DYG#ZhK^8H7;TSMLdtq=Fk+Gx1?S*sJTZ^?Y}%R zF_El*{!F)*q2aUdttB!z&~5cb4OJYN_Jmw$`xJ=5V*ZcZCkI12%-?}XF*Y-!!cY!; zmdBh&)|7fK6Foy+FlME`g85fQ)2WYap_Qq9s>~BymL~Q+OFVo$wCv@XJq9f@`P>t$ zC2V>qD6%bn-f$XRf6Qt(o&4ahraEVq!2DdNJn2wwP)_#vXdj=h00<%F3FYKSC>|~Nz)7LG@j&$Wm zdQX0LpJ!jBE6~{DV|#k4|NHslk0!QX&++=t`3QGlX|sz+nufV;YJar2xZZXlSlrl{ zHX#oAAtxsw>CSFcP86{2ljn~`-$?XYL8%&a6^LGuUA#*5*utkU+)%lR()T)cPYFSgHcYnH3Zd@6ur6;7EOz z&A_PEWR$Ald-3#M1O5{Fn4J#q-G?PN2lH&%&FS4yxJbF4S=emJM_7huk92NhjSkbj zqwiXk9P=Kf#%4!T1(?Xo>Z*6XYG_#*s^b~{T3<6MZeorl&9h~5*nVj$wKSU$vqv9a z91AIBKld$R{Elos$E5>?H9<#@mL}iWBv5*)NJC=vgMCOy>?5b2pZgnb%cZD4|9uJL z%o-QLL!lf74&+6+e^5}!N_l=x%9;`{y`PKhkM1|D9d`>G+NNlN~zmUX`QVUcAd5Mi;HuW;>4Ww z1@m;r_UaQ8kNbKie0pPjdgLX3eAQB_RT68qOOJCqOV<#nFMmdP=Ql%x;FkJl&TTS) z9O_TfRVQq|o0hRl_r1jGSjj)n+v&~Ukm~z4*i_7{X;4wc7E8k(2ySG!7vX_HLDbyr z%Ud=HOco^Qx0Y>gb^l5&RUTFTv;X*}AJ09!u9bOMmKbS1$$a$G@S-K{p^bNaVm~s? 
ze_U9!m8re8uk+!zyImEv8TRXZmp|J)vROos3wMYFhOuuEsb@|zp32a3I1o5rt2*QV z+}m`6_Bq$l0bD~{3^hAmM<|Ug~qb&R1I=u=Y{0rVgn@3&aS1`?b`dpUFlS6+V+-=1h|%L z9{%h**})TgC2of8tknMb7=HhCe)|@`+icQhxDe4AYuUc#EMJdazuBjt{7^}oo+~_c zUN6!_@of^qt!Q>$N~g~j=o>nDm%~rk;Q6_K5SeDHP@n|-Ik)HnlHdZp4AsM#GxKu} zY!I^oJ0S7Y!`m`%d3lqT=mL~?t`2eK7Ls6CZ&XvU;<3b2zr5g>?fgr;KUw9N40sWC z5`)DVuXE6)>A8;OSo4e1K3WJ)5SJER*5l@$yHYvl`HA4_+$ZBrd2NBy_pA7#cWh^W zen;$R&7|j~@kmce?)A=xmilYr)1NBZM2gwg%de@TJ-uaP6(uju!xkpfmRtud-PRrQ zVj^!p6pyXi%YAoDOg=^Ao32INiMiM2yO-U}IriPzjfKMYz&xGi=PzLd!8-qC?#{eF zx6NWmbiIbGr|KsMN|;DzpL-zj`2E%!P4hd-hD@$rjPp+8@G=3s@m0QG zV)tekYlYLxd_=wc|8e{vQbklQNgH5>3Hcm{5D%}AB8O1Zrfp){GkF?fRdMaQW9}l^ zN`8rsbH*kWj6T1f=p~kZ-Qh5%QTTKENr|1zAkX!@TcK^2-YugzCogXLG29XHHom9$ zO^>0`!sp=+i*F3V9?DSq4*d%7)}E8`EEHLx%RL_)PfwqEpwiLKD$+*hgpa?P)WM1h zl?(J18r!z}A8R}jGiWeod$#U~(rdTSk~>)ZoL@S}Ep2OY-AeFeft2q7sHz z7Dc$;<<*s($wTxfCvS1yNO<77m5X|B+V@bUh-T+cy7QOiw|IJfsTi7k>)es!C7VBm zv*hgb=AR^3OV^5o3Q$u@h*KfFT`)0`3FcvdI%Wt~#PD5JL(o+@U+zSa3 zGmBexv0ZDZKXmZemFk{5tEEG~*0VhN@tA>Pba#8(-KSgLbH0hCjvSP~WO@HWn#*(H zq3PpwukzPV&>Qe8Vk-L0KrbZO{aJvp&2sxbsPE&K+?k!-1XOUPha9xx46m%pB2P75}+yz^%b- znXfHvdCZyrzL2ORPTG0+AUfx|O#KK)0eJ9dW=;e!%;2#<#*)IFJ{%ElnLNKxcQX^i z_-?V*;dZ6?=*AdwJE9y3YLYl1$64^~hGbJyf7x zrqnBx=CZa`_5?ni#FHvMHxC!K(I3ltevOa!>kP|>w=dZ`?xI^YBhpQmOI0RlR*ent*+E|)RXZhh&-ITa-@VZw{)8B$~hK4{{^h(04$nf=#RAXJyH+{Ns z601?r9;tC<``f!}?8YeBfrWov-&WMLiZ&2uCZhCbay$Xao(%{}{e^p6^;X+B&cpTD z-L3)cBGrz~JG=P5jwpLAD{b8CZY(0vY+(qHrqhRfc=I}ZMJF6Qg~8wEvMKYYv6^`z+GBxoJ4nOp5M(-#}DTKU%za8 z?`u$~6En;Xd1Otwa@F9Fg!BBI@%0<152!Au$coxbY0Xa4x1YPBzLfH(6SvUm4{cj( z4j#E=x}LTS9cBLbY)5nCR-ZSC>hGRT@92DNzaCj**M^eA2Lj`CA|3epSvHyrJnNh4 z7Lw;zOf`|(Dm$n7b-``J;rmyFOEeF9-wQj#ajQ*e?$Z8G;?q`ZC~kN<^A{J*Z^m(! 
zKdyV3BWNuH7kB#e>pA(SwE(@Pq~O*#A0jWi6=}y%@BJ)A?zc%BpIvf&d2w`gmxo?A zyV90Rtk!D&r)K!q$p{KL48b8{+W?r-LB8&&qab-uSq-Kkab?UGMwwOdI!8|DD##Wk zq^vzo8;13vh{{~F4_TWwcjq|coa^klfulaGFXR~SW)iH4;7S&F>dUYhM zV0V?pldjXGNKv!m<_Ow#?!As#k!GaKzR=wBRyAj(HrOvi4WD)1Q)h_4Os_t05D{KH zDx3d(jML9bqxepaJMT0Xg*n>Wi;GfJU8((}fB7rqn|B*xVtSLbd2VRS)(IfZn<0QO z#>{%Wma{G?Wz{foiAoR^>s->)7r8yoa_p+`*Zd7Li?NzWb}zqfS18t{VWN00w7aR$ zGeCrShxoh~-j|snCUmt~D|&nw}lEze+(2$}#uXw2htTAHNuLp!epBugPNXzswwGxHF)U7oTvRn<8IFqcJ~Ak0&s) zgZEQd{)6x9bsmV{-?ct4A>U|!_}t|Ujm%|z+ltE?_lJjGY;DV<$~^q()Kk-r>fZbp zD31!*wMK^);#Y^UX4>e!t7Y}Iw3YF{^A8rllefROV;cH8~aHeAjw zoGK=Fc+rq(RBsiMw_O%TN^vU__0 zE$WimN!^<+YYH&KtYgT%_T{Po>Q+0J zVD!3)l#oToW4Izuq34GE;uoN&-4pTrNVF|WE;LK8c0>&W^oFD}4^F7ImG&5%&>EYpDrLx$K4x4X#B z*Yo0&=NB(#yx;inf=z&im?8=obUlG*8`h4wU5F-C<@{LFl(w_!=FI1XR8%b54(EiE zPIh!U+V8xx)o;y4+f(a8);1O$(mH0boo&m?YRjxTmJ#lG)3@Du8@I~P%Q(e;9qIbQ zh{9*dU8aDHQr0}3$#>c6ruRaqBB9>JdWo4!MDu*|W z?@*BQ`q0!Cj_}|GwBMtqbIt;BuuSQfdd-jLY%D`n(l1y4E;%k8*juW4WZ8jW_W<3ii$N#CWlda|w)dXY=D4|8 zaPzvv;H*(0!R6EfqjMDtdpEpkDW${_GtzjW(sjE+=g#genoc)amQkRxX2s|TWu#c{ z_;Rnb<2Bv24|RhYCbdLPKi9w2bL;vwnu!JF&A&6F#eXv6tv{L3?@uK055-CO{`$PJ z!0v+dzc&SdW z+Y!k(%;npr`}?jG7i}D`Q!)vfjc{yC%#kcCy6jbucsg^gB|FP|)kx;UXU#iB3deS! 
z`O@ulw0!bp`_oDl?uMEV*9_MzMy0ss(cS2ujdwK4lTk#=5>j_0i1T7gl-nKSiWj(11NW z@cqn-4uLl+66s$a=y*ywZhKM@^|YfibcchnfP`OSwiBGQX1z1dxn>}^mgPlw@UGi+Qr`yH zYqw^nJNRBz+%VrKD37YUo089CS= zecy4NBiTpMS!0{{(uilBR3cVnsoD)|SVeAA=iTmJ+*NIJ61Hqdml_~xqCC2w%qYiGiP1fYr$VrPVr3P z(t*_izP1j}ixuv2ejalapuE)V>Q-Fh$L-{Vfy z3Tsd+Ae(ATVInL(jF)ryY#xVajP8D(k)1O(JAYclRQxE1pD9BoU)MiV=OXxu@IB$b@2N)H zHVrw2g2LIs-I|~DBC-3}JEGq3lI!^G{Xf-WcB5sh;N8H@sCMb^ERm7%YBBm$qyl9c z@~gJm`!Dwp&+Pp0WJf-$GxwT-BR;Jt`qb(&_r~p$RHzFHS8FZaqW(+ap5*`YC#=9v z5HS35ubNkC2NgBNw}AVPCG&i>@6B;OQBbG~{`*jQd7CAFf4e46#{Y$J$1}cn=+Vfs z|3cDY=Bf6oLUqmW+2_ChBh5I~@6YPVCfIEdJ{#de1DH1Cx`%v4jeuYlEW0~=$>sg~C&@D& zyFu8#uA~4Ci|B8G0Q2q-B`=lMB;{Y9Jc&s`ES9F&WA;~?LCtSerWyNxeOvw@pi*n~nTRz_7ZukY`7;-ctK1a zcpHBLZ+F$!prDO;E{Rnj5U=3JL6I4|^Tj@oLus8@5CMVaj~PA@oFYqNWo0?&2ZGf_ ze8I6yPsXAtRljIA(JjCTBuD`hr1+qqewoOBJv*UyfS>u}r^+R&5>rrMF^Q5dwpA@p zcY$LG-GkYwkw}2#WqGgmo7Fo*QGse0z^-i?W8C0nY%!1R?X}4<>>xxptnLYQ;6+4m zNGnbhk?jE}#Pahud^-r0r2QtK85kH4KM!!>Db&^9nsA8XSq>!NdpqVux?#2 zV5P~x5zcO8`g?uVZW1RGVki&N!d~mU;1fdN5Ec(f;2sd+ed76?B)l20A=x?n?JLSD zaP{~#;)yNcJrOM-wHL+EhDK?$t{du$uwh~WZrb^aB#xA`jO30T^5E@Az~~2TX|`9| z06QuRWA$`UBM$z2T>zUCy==h6$)wkv{vRx4>M>x80FdVat}NLhLE#;^4cTBG6JcD~ zMEXltmnY387U_w-X?h3WWjSH0{;O1-&d^$WKM%^TlxtNzpwTMokPTw6>CwK4b1;MpVMSX4oAor zsu8T%w=!-%WQ0!zDyT^!*OP5#cYSN4z@mW|o*TErUy69nFbJ+dFWJrnnM8qkgIB2< zJUEe|Q{}Jx3}A%x31|_M=L>?Q4*(S~X@_sRFGwPm&$-Wn5tHpccL|UK6QG6__t@iF zHv1+rCGp~xQx2CaY5eE2HNXTS$||7}YP=X``a)$Kq6x&U8K@xuvU)(i#Pel5pQS25 zj7f1vji8CI=(f^1S?AR<3h*Y>irr@1HmC^2n813=rx;KMV|+Vp(6Wkajufgd7=du6 zhn1q_yP88%A01%XY_0}MWF zBHrg`JoP|iIaxzaBCupWyN~W*QnL$*jI6=T&={~%uxkfg_uM-Ncy1-w;*HO23?Zv+ z*irF2R|st{0bdjnjImtL1|V`v6fAH71?PY?j(&3jtg3R{esVhUQXGK9Uk0%hH~ia* z7gstz5Y!k0MY-E^X^tC4xJ1_+o=mtpyudP;WOINBL-@`&Z>}Tp96v^QiZxh)GtwD) z762hXRM4~%wALtDGAlS4JUB%ZS%}9nLK-8mCt%?6z;zPm1VX|Akf$A+y>#gk5nw@_ zc=YV2dKst!J&16yI8vS4eBu;-8-Xd~Ev=;E3QA2C$cU+U@%(v+c_m&<3OypeqS8dH z9s+dg9;l9U1F2OFlB)ORsU#vZ`&LEf-BhEJ3Q?oPJdDywa+x%QvI&B8+qP*L*K-@S 
z-cBwpX*tFzT->qCjkcHfX0okfK{W3GXOj8JSU%;HsI)U|DGWRzNttJYbj4!o`MPV5 zGn<87Q6A7Jk@0XW9)2<<6+gH$|MCHD`pCc+lWkU6?rn3oU%YpDVQ4cZq_hdj;mf@b zPG7!y?b_Rf(3b#zLi&fu`QLHW7GVR1ivn7VA_mVP#I!DY0jh_GfbB8{Tr9U(a@Cg0 zpYUyZ0PtJBft!`pAAm!7=x?R2jkX5^27769$IEzqW@cs(&!tK1qcpJH7c;M=$bWwK zdT7H&=RjdJWOX_ZE`=}VV{H8!67#Oa#8_)AK-7#&#^ZKhhdxXbi0Z`2kv|`FN?wy` zwIAEPoSdkf1%P0757FS`PmK?^O9IqF;HlALadB}g$6qlmetzyY6E(gR7sm;f6Avud zftB#Ockj%t$?$`Jzc>RMJ_-R8L3e>;3dUeYP!a%izDrmjO$FbS5uY0fOK@LRC!Jkf z4CvC!QX_67>N6dmA5( z6VfP*YDZ|s4Uc-NYib7I5xC7yGa_~p%p~}JKVf2Y_D!07N4uZrR+zjSr<9`^TbR3CdkOm2wQh5AF8x&nYKuv2mu z@GgSF!W0100QWW+Do<{6lWT!Vk{e#-P4{fi;9&=$8Axpt#-~wX6hMt-RaO2?)(;AZ zX&@BVfLoNaxz#xN_~UuJgiSm=%Yb1m!#U*Ke+X3qUY*yICk_vPW#e@~K`i`|4y1-D zmnXiE{rzOhMTM?jzkcCKF~e#Et@6>M#4Sr_2FO*!o3`&#H;Kg!)WU$j5w4nmY$^?LHjj_jf6~?$ zh_Io0TM6PA+ko#OfMgQKVXcdp$giq%jEG#Co9`^5rz}eo&p~Zx(RzX(mx~BPk+%)O%cAw< z_0~k>KUd3Kj8KMwa}+eg-nXKwBG8}h>t<+vftrQV;bbjAaDI>3ym_Q#0VXc zJTEv1z_-#DlG=@PO6KbZLzVF`IWNweTNBYJKp6Dkeny<5A3@GB0=zl+5N`sAbZl%a zdI2gQRyhff-(m(=tQ?UE()Ws#d`q(VeUj4>5T<}O{ptSkaqvrt!F6|cH!*;AoBb7> zZ2+}*5P5-b?K?Dai+l~g$>oeOxtoQAg$Wx2TE^UX5S1V+zC1Xx>H&Pwau$+5YEWOp zaU{ek#5rQz2B7D=_xijHi>$;!iulT=U=Y3*Oe%{f(u{3eubTO|Msv%Y zuB_}bXeu7xd;MU_{rf8sQYuhW5_L%O>wc5g31bDEhQNr36S|kLU9GKE_8x-hZ8vg< z+}v@enK6DGXkzIEZT2;8dLACdstqb6B*|HgXEDT}s#^)igGz#CHZY(g7s%2Q@ZhA3 zqW1zMID%?Nk*90}6-RI)a~+?pe(e>cyhsng9N0h0DF_r^_t}L7+cyGmz(ws2jg`6zCP>l6c3yT*N?d|I(4HM zJaTP|nn!ZOodYz$LlaY{<8z08hfxHMo&F?Ve><523OY;=)-34Z3vxj7Pf>$cP%s$H z&*=Vdpp+BvHiC{|k0hcdD6AE5BmjQjj8<$2*ZYsq(HZ3eNUwS% zKD`r|o|;;UHi7|(7jJa?duX!yWoC*I5U52nU*crJqerxej|Y)KDGoxz8(2a)y9r#k zO4M>?CfS?B#XERSN8t@b&R@ULFJde!ya=Cx~4VIe0#wz#og&!5ki)CSL@|04X+=TwE2cF zlarEyQopWx@cjAhoCO=si#xB+0{jed+Z#7lySp#!9%fE-bcRGEabbJQ#G2Qn56#Hv z99#io2nRrgt{jQk|E%u34M2;lNVrac!izNmvCXZC;KoHYBy-5ef#&d1@L_to9Hbo} zUh(O^`{qA2)+UCya=b2qcElXfy$`mao%*;D>SZcwvanAjwh{OqO_SL;p#1zikPbvh zhUNev9H-EQR>?sn4Y0{kWGW)HjkMnQ?p;b)WQpezDKC=Y|DaC15&Rxnb0SlGfV!uz z+6=0!X-J&>M9C}%%}!La5d1NJJOUv;rDMm4Egs|wsPJ#qF6QKHCti)BqT%YA`ugEe 
zyh+CM#Y4Q1oF$0x3LXjsy5wOvUS*aH-a~&|o-iyQNCyq+jNOIq7Z9llarXOUoH9ho zAc?X?HI5Sx5m!JK()T$zIYjRRP-{wVkq5J~x zg?HPwD^ET*PvJA~mXnt!ryK2r>bG6^lCb{P0wZ??G<5J{ESrjRDN)CL`SJx){Om79 zzo8IC7a$L`cTt>!PT@sCSYo!MvM7V&L>P_GM1X@a5eZuD_8pKBqBiI~D1=}L6Jr#h zz58kKVIg(EKJ7-z<4w6+Jvh{k;3A(1v028W}~ety=7{P&*?%0t+2N z?mQqF_+ zFIu?TFm_`S-Ii4=DIl?RuOM)gck9+b<^v^mJ%^NyqTu!f+E3+_6H0uD>fDS9NEG$? zj@0@1>}yU`SUYDw;20XCj)l1>@l6IPxn5fw@e*^BgVwgSXkl!TgOxX6haZw~PZ|$> zx;NGk`GQZiq_(!Uv#X03NRB(lHA979A;rqJrsLfad-nN^Z@8XG~AWx_|_ohNL)Wr0TZz^ z6vw32igVZ_4l&%vaDLI&)-HYf_DPxZ95ifq3J9#jP!Q3Q7^6UDJZ4KwU<6T3CAq?-@*0~_!3<;)VJt!eiIrL-zs9jE zza*DdO)colh>LV}ya9mUf6N`)gaK$D!A&M4a#$nzs?JVrj*5>z{zPVSY|Qe>B7=tr zk;8&JplWTg=h6u~@!y3mDN{Wt(elgb&c|bd5gMNbiyhRU(cAC0NP_tX(L2NBb{R+v zqM18LqrpUp8(F*ivhvk$P?cJNLp;vHj;x5`g1n(&iL7ie(hdC9oExsOvak>pe~70U zeR?ze=*rETN9>{y$uFpqIYY&>NJo<5@v^_QZW0o42oCtwD6@6%;Tw0Yz^o`^WouA!q_Q@CZs#vJf0U zLXh3idr`bxA~lR6W_tRk>9w}3%*=q$P@3d~d&rfz=D!We`}6;%IV$ z68uQ{x1`+mf{O6fK|tOT{S<;2%OENR?aVd&m+wC|=8TSsjZFqo?f8WqXa+!C?>rC1 zFdWN(dy(e+`K$IUnW?RrTKF9Oim^PB=53`9o-AAky;1y;@gtsC8R;HXRT~qm`ER`@ zPI9RAvM+otWc%(s2l17VoQ$-zU=X$PPJ6DF*$B~ZLZkydu2K*LWxpp+#y$7y|LIhu z+pD_&!2(b&@2c?;{BZEpsl2L&*xR>{>Dq1tGs}#mX%MQ`-j5;mHJ%IVX~ABi=nicQ z(&7|{CVsLlTD3FU<&Y{0EOKaD3O8oz9#lKpKH;tnz< zs-4o(QZID_4Gll?agidSR_nC1c%U~QBX|r&5%0So9!Xff(4HgSH+Py2ybhk7xtfMD26cZ*eRFfp>sk3}3GiXd zk`zM)E`35026JEL<$}WBqIcTZNO}G17n{V7!AwQ49g;nz;Ia#tAGyD9lf*ys`b#Jk5EkzF4t|dxvJkAqq|7j|Fv`|uxg0e(Xo=fz1iicH zo@JdVgAT#}D8&PIgNW$?P>$F>DT)3a!e*qhNzudjia3?RBWzd)J&J%>6J9lui~*aq zt^cCvFn`KZyclxWk*#+$=wmk71KAKC5E?N|Y&BWvEbhR>;3xj+St`@_Hgyn^Lsj}9 z`XSB>RLtOI7dDWKen6ldO4r*YB)X(JsvxwT~Rzyl-DoQy-b3Q*~o`ADD^wji7oJJZ^%SaTH_b`wuvC=jju~QgD@r_-hkL% zctIQ71O&<3rjR-2XvchGKkECo6y3U#wLji0m3-GIUpS3>whHMy01Z8SdEpivj+09~ zEiqpr?h}2Bny^-fkWUZIfvy@-sbNTa=)sA2&afQJ>#H%fCdS@GI1a@@4HhTsh9cHW zX8OB)D#pc3R5%4=O(V=HtlPGhM+T!RK!_Xdtz$p&5eq9wJ~yQXDg84GOUxkdYZ+nt zULMni)`0)@HnYK&wA`6H0bKhK|0)=xq27OUM-vn*U7;|`VBy;Z}hoAOG`^gon*w&))vS69tM3zEHNx>Y|WIv+h)x6pd{$zk%Xz 
z3SC#C1=TUscmKs6NYx^~qT3@{0M#wka4hsHE|x}ROs)^g;#}ntKRZt?EiG8bUEdjJRR}oK>Ea)phRc0 z=Z8AnVJacVigUacZ>%jFwIyWE%1|O%l-#AromJOi#oUa2 zr3$EweZ_bY5d83qJJ|Q(V0o4mXj<*=YwF&};u*(q zMG=9Jeg=~tJqm-;hO&{GnHfKNEvfcTKX@pN%*+&-^H5W7#!f_pjRxG&b*f=&|D>nsU_qA6Em|jHN%JVy9wu?s4c)cJj^03ZiV{n z2IEg1NWRs$*Meqf(y>qaR`i3sWhd@CQV#dkG7E9A%vhpZ+@Fzmf(n+L4>IOKh9i#m zB<%=T_YVy4;Le~Z3~NY+VBEco1F0A(Ap)aJNTON+d5&&O|FEb@*zf?%`O%5Ib69AI zh=^ckx&~Fpi5aY2(fn48=M$L=yrrGS`WrA4Bckc>1jIh5dWRzmsjpYda1Ni)C_npz zu=4Nhj=?|zT_+m+$E7oz7@viI_@G_Qz7ccHxVESKNSfs+>tO90jL${n4zMEns(o;G zETY@Vrd6EfNZPc}E z&Jm#nX(RSNZO)p;jcB}af>Ql-ot9IeGk4Qxa7s)~4FW&+WG$je<&4bRzOn)R|OlwQ^|RN;PLm`61OdrERmAhlGz zqv|L+L^SC?>%>cpFg|yho6JyccUHL6J(%BODB5CF$ZOzVfhqrO8PAO<0sEvn zmS!icU>C-Q3rhUIb#{vWDbF)xi^eVx%=sol1nm9#dZ9b*PW|v8}B*@CpOYmH070iSUYugsGzz+V$LZ ziVlMi^S6H%Q{>Y4Y_n_;_*8T`@(E&N5Z>C!W(CPWh%hyCd17b(>W1bVG!%@F9S(21 zY;(bQg(M1%d>9~~yM;{!QVLP`_dU;#Kqj|Jk#uz!ldQczGJ_3Sm7w1(A|#I%nmF}#T!NI9s;1^4!E4v9 z$(x&}mX^r_py325*OX)br@A+f>v><_f0Igsc}V6llCfkcq*8_q4N4(Iq`}dvKY;Wg!H^5Ygd{kFa-%3qr!uLmJ7>0!s5utYzKjGxj6&`J%>utB4 zkw>=u!)1kjeYPtsY$Fa@1{Y?SvX9h)+jLf0n^-6CPAQ%skP%(zqJPzWZbC7vPRWp_ z>j4@s-o=FJbgJ|v{IhG-#+(6F7NTmZtl6md4{{{tsf5_5lP9;)&d$bUsD1GG9^&$d z^R=snB`stme2Nepl;YyV1g^G0tTAtFX^|M$?b_w~BS(&OoH`W&fmvtMaa@w66l9t$ zLdnBUm)CaSM9Bul*hvS2FpHD@H(L60Rq5s1&T}bjKH$R7MDs%nuKCG!*U3Gcz-KAP z?!~U@`fqGjX&xUvQJ)`zh$CidB?~58@CXvGqZlVLB_4ls4wT*e`|r|6hoF$xKTie( zzUMS@ucq$4Qq7GT`VJ_R+HUPQf`+f{@VnPjJO2V*@vr%O`PUDt$kh{;9F66jJ>Ts8 z?ZTrh>QKJGR>d~dDDZFAS>+8DhK7b(+xFx@Jmn?%-iwU9ZJ3cK*otn@s@B3cGj%`ye z(+2BtBOxE1$>fPYirp8ZzzT%!81%3;*i_oxxv*3eV&Bf$01v=z22bfoh}9WVSku_p zn+=oOKmX!v-gB~q+24dEW;CZ;F(NR1j_gX<%aWBVnRRXiC)3H3cb)wKR^x9Qk4~o% zBt+@?yo!p7drAxAemp583X47qWt2ft!9PUX{a8*Yz7`w41{7nw+uqpM(QQ??moHw3 zlQ$>L@;ju`?D_M1hI%cLbK2ADkii>Af{^U?g8xAPqC!idW9ed68~d{q>N)mt-@4eN zN1szqo?rQ~>s`|st5z9unx*U|;)Ux}P+m;b9PjSoF^6?TvRNoGF|qAdrOtJ=rQ5zd z`@N_b)-NjfEUgtqOe3(FrvN3x7j9$)rThk{!jOcLYn$E-F>zdVX8L|Aj59}r}O<;w{NkZkXkSbOI@29Y#a-E z+pDNi%pJs1PgPyPn1duj`_pK1CCNlp%fGa9wu{An9B=m 
z;P^98o<&7QDiDyc!NV)@z$ue4Ai=T?gtahN*3{Zy<<=Od?^};hKOR=gUD<_fNy!c3 z*cm2ObYy@XcWlZKF^Rhl7hLvn6Sl^@eqbsvhuQd?Mfqy5pNXyYDWy?zsI95Tr+Jik z)q>~bVr;$0*!SByiYn0u(!$V!FZ!_eRiCdHSb0-Y!Y)Wn!LKHp-lW48u!XevjISrG zJg#Zi@8wP2D{-3gp>k4KNmH`_fnNjTtBL}iJ)46US4%lYJ9aet`o5&Ub*Kqd(sSn% z@zu$2zKEejDX?bEnyxzTD!|hsVWN%@7O`G^6=!x{P_zadJJy@fQJ4}u-2JxmRD1g{ zy^^JqS3$v^Tl83+?ZsG(pro>l99|GmHzl$A1oy;m7Vb$7LQq3qNl7hxxCQS9>l5LM zNEgW3J?F5BI{s!0w-euqARp@S*g+bu3IR`CC*_FW6~C!iX1cf`$fw+pJNn7J>b@2& z4y^=HnLB^}kc%_^Q>w-gEnS@UvW4k7w3}>P@Gn{owuUpWDE&s8-bA+f7pVQA%+Kv2 z>>V72>N?UgyoFV1F_j7kg^mH1zuz7V^*#7-Rkwp_tOcY=wbmq|q(HJIP z#*|i>#SxuzoZ42GIPLx1rLP4r+*9_lgV6~PNBT@O;uguGFyv+J2JI19Z1~vtsM=cM z?tx!^wO>QJcBLvcII0?JU|dC68UT+pu{(8ZJw#X2e$XR*zT`(M+UDMKTwC?lzRyR+ z;X*Sdjceu1a>B&C1+#wrR8hc?9xh)Ysj)c~_Idn|WvNB4$+1g{SNqjg4#5?rls!7< zQQ7&KSu3j4dkn(%_{efGp`6X^VuUmNxPW29W6{RGIEwqjmTC0-}&s{ z8i~gDp3U~OwXyLht8g=e20I=fWoz4tLtE<#`!lU#e z@Qnl^BPchd`(vlhmYsu-40>M)atO)-FQ5oJR%z78#^nMe8$9i;^B?vfIk3Qu0z%ATDtY1}FGOu%4>78)yLRqmy?o*EwBN{| zl<6n@2@=wDvV6{R6}J*1Q*<)W97~;gm5am%&$VsqwRgEqrw(F0m*cqwZA#V}bl=>h zabsCoCm$f=2g|sl!qkicuZ>84WF7v<@8|cxGlcfV8LNvmPAGi9JDQe#={a^rY$9h^ zcHod<2dDAY5jm~6HHTLO^2z5NzuvNa0e+*bVoAB`wdC#~s{4q~zf#h_8d1hKZQk6> z>(b~Gr_&!i*z;Eam}*SKzy59G`ktr+PAo6BNFpR5aPe#lbms#ZwF00jS)- z77B1AL@WuV4qo+(80_-&+D5!#Te(fzoj&I&a^q-Kn{SUxpbcYvU3vGRe@y738T@Kd zOPupb`MJimw8$cp!)iBC?-y^%nPn5;OjmB)P+|{r*;}8g@>Yl#Hd2&C5?vCF!}spZ zvHfsqb(K0gM*qOT2BP+yR31-6C+3MC9)R6&Wkc-QLVq5OjkW!{y}jYiCU)hAGOkqCeFFF$bS(APkN19ZEVz~1FyT932YHqADAV|se}?}o!`%HS~myUv3L?>;Nd zoJfMVdgE6tmSO1jLKg4;zcmR9XAuFZ7XOzZp3_j}aAA{*7 zRl&o!IA54xwto;r>(SKuR@Btgbfv3c*^EC6b`TWk)ZWUDPuKb(Qv1S)M|aO zo-=)7=+f6*Tpht9-Q30ozm0(Fz}{@tw!>86A2E%5Di!{+m+A}GI`d2=-Oh{hYIfM+LVs)@LGx36-H?5wVsfw~O!P7jpdrX+g!sT^<+& zg<=N>M0`{w-G&a`yW2Iru&}Kx=ZWi3zkdDUYidHzF2uA9pZtszm`51P7YnRtXAs(i z8i6^*gsezPOmud4S0gVGDt;S?hlI@g!va_JO@Q3<`^8f5(#J=J6woSR&uQti30!CZ z;d{96w?E4UjUPMK#L4Nv;??0s&@byzQrHGKau{^_4WaVX9P3+v=yB;)5x!ETfh=Cb z2v^7SCSn>I-fM_Ubzaid%>Cmks-2d=B8VXxv}n=7zf4U-U0p2PFrLjxlhpOM)>uyV 
zM)32=X^W4<#4!GGXYj!Yf#|RKZC~C+7o_ScMZ|>fv-1lITCIF~suuu~?Wg%|F_EQ6 zOI!^YZBYH^CNck%P|4rHBF$hu4-5pB^?A?FxTQQL*7sV>ox=K>wvd zA?O*DuY>?blRa4Lf;Z7eCEX22deIdD5)RGnT)BfBlaqG%`t|GWv`@P?6ugD+((iuXk4djH#b4q_Q7%v<-g@+oFe^vnQ0BnF zgJb)=h`^(nnn2kj^YX-{3t)|L&J~7qVW;Y$#~RatiQT4@x|Ke(Nqu818Gh)ib8663 z)>?=ec;wf`DagsmX==k~5^OfGWSxPAQN2d4c-P)VS8EYF3nz{%%LCRBCUMI4UVAsX zZ%c(T1#DZ8w|6bWP7lv5Y*%^62XO-5+-;%dxN);N1c~$Y=t~LL=~S5Q9yeITD3JKB zTRuWL*Q?%PU}Tw&I{SEXQ2^bT*as(;M!}ZJ{%+)%o_Uv+ql@HE^$O6=H&P}d9UNQ& zh^9uPm)&*}eAj9I_R)8$jn~#`p`~j%VCn>`|VvpsX(LfFm25+GzD$?t^q-V zntXi3E4igWPB8w20jMi~q%Fv&P?)G;%#CpP=`d3=oeE9a=-Q&1C4TQ8jG=TE&E?p! z>-O!NdQme}A=0togD$VTySSWZtHfG*G*-7Fc~PRykxWjrUHa@<05DNl?!=(hG?lR< z_S02CiONoOlGF}X9aEXhcc7#a;rX3_Z`{NIoa!U)roBgYLU+r2!`uVDj5W4IxppwRdJ^FoD zMA1WG?x8>)A72hP$=R7i$!W=(X(7u~Ao;Zpzkx6&N~06MGt^3-Eupgar_`&!>b;FD zP?V*zzkaTf%2Kqg$SfwlxEA^>#<=)o%L%=fLKbP&zYX3dUyg}4hV(j6DGv4d+UH%# z<-0@uu-^N<%8P`t^?5I9T+8nab+t_zyJ*fFGkn8bM<9I;-+Qr;MRxe)Nw1+sY<& z0dQ0XQ5Tq*w?koggI#8B0Xs=g15_3+uecx5c)RlG1ik}fZm$aMl!vpG-W9&dV3J$fqgqPzx=(tW}D+b4Zg}m4VPB>Rec|pb0-)6^;x@T&wDC; zygj}cB^*13hVEYE!ZaqA06=#fIy9-5A83`d90WxJ-IP7Uj8gRC=YMO~y!o}8x5|K5 z;Zt+Vu^1n`cbhrwF(Jf1CB>*L{W}tOd6h5&Zo!^x5HX{1U+A3GcV^u2*-_E%|!`RRGxceGfM z(tYhJ+vz*e$eHl$kJhdSKQOs4e*gIKkBhv4)~;n_Y7A^XqJQ1e^b$RpJ_&|ue;IP3pf zxOVwoZaC_uX3xSB`vBR-S{OcN=mfZ9Yrw9IPYC9KC*n=@W&$V^u$E%Pud;Ed{I!4? 
zCphID(2;J75#Fn=a{-bYot<{>~$CNmqClokDARIgt;XVre8&d_LU4wk-c%N_3 z`^}Vdo^ob_EMH@bmOr$(3_WsJTf81hWyEUK_LS1ca%>}lSWXD%1!&-Z^ypC&uXX~u@sfA9(Aw$8K2K6j<16vlCvRvQ035QO1b?NV zAnd)C7t$WNn{*2wP~7UrZY{;+T$x*AXxhBk-ygZ@M$)>4`PE>WvFk-e`}LMY8AF~} zaLTj?8F-YL3kZ$+63gLzXRM}A-~Y+5Be@^YcHt|1@SzFK%p(V{<1-s-jaW?;Z4e2j z$UPN}9A_FvX%q+gknx%z`bxciJG~lg{csIj0O3MxC@YScUh^;01AaYVxU`3$CP!jp zWn+4yL$hFB=nO0I^;Of7u1W>pWq(fqjG+AF0Q&qfu ze6h8(=I0j|FVZajZo1#{hi@!<{UH47S2|U-zPMMAW0);>zf;tj&Tx51;DKx!KriY+ zMlAi>Kt+Yhr#X!A0eyzkr%if9*3LGY@#Fv0_>CTScyfd^)F|#XXP-E6B7|zgl$X1_ zFU5JN#Wijx0cYFp?Y2$N&wAU|@=mTTb1kzOWD=AW!q}}gH8oW_&8wN2V@jRk&||Fa z-M4Q#K|6;u?V3D;HD^@s%!ftTo&+yM63D1`G(~0NbI!%Tg?^@hf9)Oz{!8kYyK3DQ z_IHksAn9+=e{EjroQD7~_nkGx2+}0gMvY?5k5iqVbFZyjXHocxCWA5$&{2lKfO~;- zy|j2ghYhDk4n7f1ly~t+0?xe7nS1r>6$!RQ)|y8<5d}QkGiz-WW4DEgYG`imH2(`c zQFv*^i*LAP%FOOG3bG_{xlfwvlCibf-wBf$7Ll!F4D5^a2D(kbsh`V`azF$COnuwZjx=qhTAzQZ0KA<`U^uj_5MSmyMT`%_S-!H|t zwY7ERB|kJE8ljgD3JUqVzFd6!fME;vt(k*Z@E=KPyLQd&Umz@O;Ra|9SuRh7>jI)_ zw&LXR{XR(lq!%W@3OG3Kx&O2V6Y1@E-Az!Y$8LVs?mA4tDkIkc%yxFME?-PlCIk_@ zv|vsoCYKQ$AtfaxXXfQ)-bj{t0`4BVI%(vOFKnjRtAOSLk|?Kr$Cb0$VMJUU;$BA+ z6$C*qn+L!iV?)}ABBfosU_K|7ApwIkd!hqpqpLD((1Lu&oAkVBVogxc&3pG5pb<8( z%ZZ;9FDxRz5?}l2<#@Cbr%Y`|jh_voNEI<4yQl>9#BwW*AUHFVDl|#L-xk(&>Mu-W zSy|?gmr3XzP%+BAAks$U#(P2Y$Yr5GQEJ=~$(#iUF@u^q@e2{cAU_;)tb`jXf)|E9 zDT2(Ht`VUKQ(*i>ic}Pgmkh(lq6x$f-Aqg}K_3mWaO1##iclm)jL~oiu7&2a1NLs+QKn##TN$+f%cj)7UL5pCHwM zq76S@w{YvNEs=E1NG!Jx{sxgdP`hi2z^FvVeIGX_8$-T)V4WB`XJ-!&%c*Z0vGbjZ z%doLF$ucp$nv^FSfTR?PDF*tX)jaQ0-S7B`6TRwR;F*rL83z(R(VE+<2}1UVTViyQnaDvYJP?NjzKFq?>U|qw1lcXWEhuOF5Y0GmU044LGUL@hn-$hZ#Ve@@eAep80Z@jnq&#JPw2 z_wNtpVhDn}byxlWPjTg$*ggiyJvkw>SvF00lCJvjgU5nU;mXVJ0=NZwrOVtb)h;=vl&_^KpS=qSpy4A$(oG& zpuCnuP85Q(vHYGbCB?RmBh|@{fe8Y{F{_v7d;@mvwCEoX^C+Yv-<*UKDz(lK_E(3ISRZuSs>2UGzSaVsILNoIvg;8 zGVDh3At($;8dhKQ%~>_I4`=QCI%&5q|S4YA-GBHGB>-HwR0s;SZ^x$B5qFsh`TAFbgHSq9Ezedu+)6uqr8aG9Z z&ieI+h~h`D7)vIXjZjbvJk|9m8m#oJJO{Ym)~bVchcs_Kt?e5`c^^9@dx_X2!=Qf^ 
zRh9I!!-o$au%z^gN)c*MM{o%aGE#kiGE_956U22BS?+NC&7CE^)5FO4HcYq%KT(zg zv3%m0kJG{ZgZuLx`!=m2Tg*P*nkY`$^+l^!ifA5zI8fcuR= z!S`~^(8{b_zi7m@E5Mx7rcI;7XiHj@;(=%yb$+>w0n0XFZe?d(-K^wy0JjK&8Z)OG zb;5RpCM@|nqxy@IG%5lf^qyuR*N!*m z?p-m=XURaexY0u2%K~u{tx!-mVgH3FKaE;3sehk>zSRnYL7E1u=H}%^rz&j;3Sz|Y zv`znNjxkeB8EhKfL=T{lq~SrT00pY2rFlo;N>)}-j~l?!V=zMD2a0k9z}Ut~rF_hu z2boB8mN#aRU{=W{wV4;j)mKz>o--#e?&=z!=3$Xjh7X!^LsgbWp)@=ffv%0=HF@?N zGT9p!HM(qo#Szu#KT!<~=v#7xc9Kq01$mT zDJjNx8z3!X(MOJ~Goq*JsXPXXnlmlAz|uz)v1$Q~aebr$WS&$Co@J@LHW3SA>oTdG zKwI%NUzb43wa#sQjniNfTgaZt9G=e(!fq*>(>R*gF_yInnoQyJZk>}7=-K0 zA-MI^CY3s0TKn#O49WqR%G~l3Q_re!WK1fLh{C1U?k7B&1!v+m)LxvdwY%g$QNpj) zJHrb`<+hj4DG?O;&QZ$uPCNE-^YoOWiP?OMg{Je{Vmd$o+xEN(6UEy*ju`4c8UE`!<>derBBQHBeI(5!_hviMS?%q&TOm|k z9EOc0YimQ!-6dHv?T;o&XPK9mj6eLY*^mKBBEY|VGW3VY|kVXk+ z$}z+tDj`(*jbn=0YR5-98ftH6_hI6i=PzE|m~1-IC8Hs9>ZYB6dWME==yaO@eeO)! zEj5o>K^y8N4_$ZjNrZc6_xbZ5=$MY{K%3)uVVU;4E^onr+uNw^>ZYEoI?BqbN$uCl z!wvgT4C+Mh`ZYWG?Khp3Prx&9v_@JNF8(bWmrBXe{nPF#HK285R#!>bmVQ8iIvyp-`lcIvjQHKeyrf>A^(%K(w z;f^e*Gx0rWC|)M51DEoMWrE}xI>N+HP(1z%C&=75yxf4bjpcq`%JyC|rj8=m+Ps+n zW%w7Y7rr~%Exd)zln635D&O?ig-cP5 z1?dz`ICqVJ5&LK$5g@Fq?(CX1EnB{8pEfe(Vzd7M1-lIfA3QVQHA85KowtAZu;j?m zqxF*-2XhV04JI{Jrwszk98I*D6k!~~=kGdf*!~`0;;b0@iHwT!7gZ72X=mO!J=jo*;2m4OsV z>hL97y)23c+*zEcDQFDj5C8W2eV4P3z==%x(Hp*|_Mwx9DZc`V&85m9K%qbzJ#N(v z)()u3R>r=4`)*}NE#JU*A4cqfTC|WMgr$hIWzhMd)uNbFk-_h1_HN8j`M zmo$1*uf^Z4E-d=?^M{Y`ub&-gr4lU$E@J=tjioyAcUg5y^K*UGKB}bAaQH7%Dm1GF z_)906v}2lJ)ER_E2H z-4AYb^~jvoFa9lxKI~~JqUd@S|3ei0^V{<#hidO4Tcr(`z39G0@n<`o*k1h0^L_U9 zXx*Zb>-+-SnAW#3xAE%Mz1ZujviX*=mRl`u#4M|}pVc~g!d2zgPG)v-En9|eP#vUa zVSO*rZb`7y%sZA&&5J)bIH?mb^ve5AdxHm--5$_Ke{9KJ?^QE~-!&{VY_cS~^tM+- z?cjlD^=45k z-L*?vsVg&9l)cZhQ{w+RYTshQoGvk`q-QE@^ zX^>kaQFgDm`ikKd^d-Pg>`&Ztdr`DT{Lv;^DQSFO@`M#L#dGNVqASbiEvC|Qbe&$e*r^C@_MzN1;+d_Q*9aWU$*HE@gk zysD+TGCSipAmM!Nd;3@h7%vUtl%!wWql1?5vgS5oZB4Ijokng0ZoTyDXYI~-2SUPj z(w8vN^wC#AoD%AM;z%GG(Dj>t9tu<19XdQL_70Gm`5GR4Z-*)SNyx!7NAVf~mg{YK 
z+uHu)RS)kco!Ac_@ZPH59#I{#FxUFRt71lgIA3mc3Z~OH?Vwt5hM(A3#8`3H^NV`7 zwOhu1QPYbo1&He z*&gbn36>yMW5xuEWnmq3C-&QOtmE!SsXjx*wK8g{$3VV?ta<eVT_&Z5}?7(e!6ZTZwuEGvz>cQ+||u`i`bP^Y!u zOmiOmHSshi2AJr$u$H&48+K1j5oyConZS5gNBwcGeyYA(Cvi^=1%$Q&1KX{gJ z>NoBBZ!JK=DJnkQZ&M!}b7&%s7z1V7$#1g(&gZ$_k)_Ye-xW`dshaMYfGSF@Fs1l` zHlCl^=3xn+wVIE%l|F)RDH>{@XR4ET!D{V9wQS@YnT7QI@kLr=DW?pXPw z>cOCQ4o22z41nw8wA~&XYps)$;_Yc)OPVrLj!o!2V@_iQh}rL5gj;B4V;JWb8(mqi zN7v|2wtl5n5Arg#*+d^e);eZ9B=>6@i!D^K;_M`Zj?7I!0e!2j4bJL{`KC>!y-R>4 zexYu9P17|3&|c^aeCg{>Fcahzim*Oe0R_ zK783ocihB@t@Rx)-V4>9n&z%tw+tI){HT7i?Z)sWC zQ4ddb-8PIKFj1Mb?NrAlwkZpC*4*vgt=r+-3x-I?#hj3AmbRWd=M6&NfOx*kfn6V*W}2rhy&d)!J%^TR``-~oMh zKt#8Pl9Y z9(d~1sn^py3KM%lB}RMfNlUYFI(x3WrwIckvd8(r(4~r~c$f?|C0NSZcqCU!$R16R z|Dh2g66R7LuY1S9d_vAp*{CW2D5R#Wmi{!TjvFWPAHL(Q4s)yYFMZA)#yDou>n(xg zW+~?w-b&7J@%i$)OL_2?EvA4w`^qLFoMt8W>nf8TyW}jJEN#=<`=#2Iydx>^wxjXX z$kMop)oojvhxy%m^ytcn2A_95YEvd8<#2CNeRB`9O*AXBVEm%r6w^cd8}gzPxw=?XE4J{1)7a;VQZ8Davf z+H8BC{$e(oJS}8rAZ9sd=8ez&i-M3c`|9?QKQ}W!H}%sNH?pR5VKlVU%50{L-a>`8 zmo@Qp<2#E;DZR>lDw7^0ZkuX0VtVkoeNYUX9h;Osi`_=C(;1O+$AatLiKLLShFY-DrhB*yM-s;!-lJ^bwzd& zuxtVwMEO#!wlb5j1<){P?N>fgrmO^m^UpQ=ijV660OqZ22dRT`0A&Vw6oGJw6%>Oo zrYh^2^V`wQhtn5`=j#A21lEFamR9o+-@(&;L$$Eu&p#veI?u;+A>jM5J<)$ot6Ti= zbQgiGAh*YFo4Sjpy$dQ8rG!;2J{1{bT|HTz$@dbJ6CjYe8B&Ah;OGSC9fNSY>w{JCdO zpipzPD2Qw_`46?ro;`gUwR(<4YJ07OxbBYLk2{r@x!*s&@5Qd+0v(+_d+fuiP|KLP zgOBs#RQ0vo^Jsodr=Fw&9ItYF951^uonxQZXA=`Qp#9Bop^t54D&FP+5)LqI`bZweRXeRJqH9EM?d}gmYqMkTA`Tk zpY~0WFw}bPG#EN|25gwCrr_gKtAAHx%aB8ed)u~tLdV=gcg6Gaa@`AyVLvVEH7)n= z3Uo7u#!YDr-(e#$?7qorX#SCM-- zuyn<;cg2PUW^oWaam5oc=|RvHLf91c_Tu}r^@!zazE<{D*QvLTw>g`Z++^w0y-W#f zX{jy_qdHR~$rjXHUANl#I!XoatRuv+2c$6@J}bu<98nxVVcMI~Ii}OwH{&(&Qag9= zZr;-R*_$_8n5a@rul^h77Y)QqSB()%pg<3t+a`=R8AVEq{t440{-0oHzpF878tP-k*!!QihOdQm=^s=sK+eIhIT3*3(K%T<39<$T^Yvso|xg%y6d5v;s ztW8|T(Qw91c29se?LgX>ki{XjIHg8h0T%Joz8svOH}~(RA=NKel&lHlBeuhyx9OMZ zQ>TvG?RWF;U0LHS(HX$+*@@&QW*})`R0`lN?w2|?YS>Wes;_O#A17yBp82L>e|o04 
zh@QQBj}Pq?uS?(N@MYkRTQ8%Xn@r5F(Am>CCI1zewwT5&Da-C)`ir5`K`LR3iq18n zmlL@aW1&)q;Ru)i+IF!VZ1aMs;Sp<^HVYd=F*!X-#oq7Fuwo#u#-`%lxtRC{F=(tE&kUZ8^hX#>`L^i& z1wsMvwa_q==M6RCZIoOSJtC<7uzb;dOpcw<%(rB5YSr!+lMA);?=7}eUgG=dX3yv} zu8Hsyf((if2SsFp!2!LQf{b-B_)S`6$}ZJ!s9mwW(q zJ>Py<|Nd6iil(|nH@Sm)%ilVZ*%T=aMLVN&#e}*8>jy$u^Dl6{Cd*9UQ@m`rc=2M! z&QawLphX4)UHwthan^1U8=BuPJO)nn4MOf8>VJqznY#g?l|#vY^&Ae*`nR$}J0490 zSseE+8A{3b*N^G|2SmSIhH+?Tw|%ex2%-fe%8z7d(9 z62--r65*>VpgqCZ;oDCE(9q5x?d$s*^Z(2SoqRhRN~-39&w(Xe`98J!58clJ&pf*` z2+lEVK5yM8`o4yTastW1jxL?eFuoya>+1HF1q9>_xAtcvBO`Awo1+aB)&K8z-NN2Y zjkkNo)5~`sJ~5%x@~JMs{yQ2bS}eV?1%)AM zoDUJd>c&_v;K={vo^md&XEsDN;m`Va8Lr%BGVD~MiNZ0W|(#R;RCS1VOD3f{=Hk=ait$*wCMCd7D7`i zRg&Zj9&j~`j@I@U29t#D?qt$#pzBthBK4s02LbzMGbt%3hVyjLS_^+|*!!2^4)(og zOe^PAe|r|(pAsX4rnmeLU*;v1=54inopL^5rr9fG{~5HKLXmXu+4Eoc4B&m!w-0C| z8Rs3JJs;b6qk|VWIQ7efr{XDfU3Euhm?2a)@O2_bVz5JgrmsBS`PO*y`UgCI9mWOy zjm$N;2AE!{lK<41J}}I9k1>L_aVmN<(tO+SUk2co0!p+AIMC%~R+x-$0gZ_c2wJzk zzmm z&IajIPanyuu@nDN&T)bVj$5rG)_mQUo!PEkyX)!c76sXN?zEa0Ls$+(Y{C46C`gM_ zyvG}C10g{<(EU^gH#JqIbpS;b!)M8Xj4m8IV)9MCZ100HJ2rcqf@T$udxmd>c)(lk z*hl|1Rn;HtZGLW|Mi|@rS;5b?n2TwO){*Ln;yOyN-3BA}+@r~Q`glc&IQr!RUs~Rc z0W8NiGLtq=`i{577tY>xY1pWd{GXf46blmuf#Bfeb8)0gh!3&Z!}_IKOo!n(?YvRzF^0F>gYaK13|- zLxSbbxcLccjT>k1X_Pf$!$aqGb$@gw=Kc?viYE~h1SjPDf^rs_*2HjwtD?myk~r|q za5UN-Hlw^$kBqk@nzal|MMuz3+Dma9;`vRmYqGRVl6<4bi7Po z>eQ6>q=~12pjLFKnmTRT9Bc?EGp_L*E$WSqp-mznD3XX;I3=S8-`U1WgsjA4^%{CI zDDoL^u3Rj41@WaVKe2CmM=W=dLYML=!i*k}-}M+9ySWh6bo44Igt3_*UIsv(0}m;Z zfV42*dAE_`ODt3H)cEsu&f$tw>lwy%A4VB0c-WL`DgL#$K9>w^3==e)ssfH8$_~)^ zQIuXdq$h1F;SHe*QV;lJuKqrqfsP`n|s?FCcOe(e$h_N$E3wcb}`A68o2{^8MapDw*E@a$WStl^f0cffU_; zJa)Snm^5!&H#yZcLuA?uez^SUS(2?-n^I=ptIppXr!p zXZP?dV>!$AgQo82m(<^5os{c{*+d8{`dyTH_?#W4{&jnD$uNA7rwUh&P~_RjHAlQo z?XR*9u6664j-87jlcYP-c2JOsN2H$LK3s1io@X~d>8H?8?#+&IR$%TzlOLfOQ|55g zPWLI@1NsA|x}`;!#-ct16!ey*NWIB>moj>uX~)i+F=NJvsW7}lbi*cvXs07Nk8LA1 z-G2o@MS5zam$zfP2j89CZ?g0fiLhjIc*UdkShA4=|0D6h@US-=71SX;K4c!uz 
zNY^h7o6LY58oo*q{T59&+H*xQ45loBOQCQ)Y2?bp77s8f4z4LJKKZ#>n+7A0LmwKEeNaVKtQV3 z(HEd3Fgue!-ePNqVVYP^Osm!-L=(C6V6G3|rAhcmw;xSLkGAbTufqzsFQ(cKGYEtJ zP`n9H>(Vp!PSSB~Lz=^brXb}m^sCrCi1{x~K72(NCeiGkrW+|BlBXIppaPXrmcrHS z%z>r~GBE&dmO(G)?CBYdlGyU##WOT4o3JQ5@lqq}I*kjUw$ZHh#OkmARqS>!cV*SJy!jCZqkJN<$alCHc#GAM ziA32cr)GxmuBW{I#%_(-C_*JRloNJNy5R2n0g5G>Jv}+UpkA(nEpSCn6})K&)7nGF zA;y}$p6^8}YyMoXP~VgBt=R+vW^f~PyP0kw95_+6QCiCT67Ld9+RYjC8vO@$yL~I# zPFGw4p-M}+`(kcPViG0`E)N6Gb{yY?tt0=zqbz{IazXBdv;crJe{I2lwu z%iOM(9<%d+0oKpIO0N$ht{IlF0>3AKpkuQ)N#x+o9_eVebMIcqcg=g*%ebJpKf>bG zQ=mHeO)DMR&_nkY1&lOm2bjo%9crb#I&{kAwQHc$pc*=Y&AE|=Hr}l*T6}png$o~V z9UfQ=Hsu_1=$|?-HGUFNM=J9Kdfi||zWUoW;Hb%|28;IGdMVd-rcdP{B2ojcx%4^U z$64)b_b*QK4-Ou0m=;`4%CvvfIx*~B!s~}amy#1qXGi z&Cy96B&0EXrhE1+701ETyk7mX-2bDmJEPe5JGy99wANIQk?cVIMhkpWqP(&zX z)Tsr{8vssf{wjGPVb0cDl&T_k3Mhc|WA(unHr~=7dF&YUUo3B@fzR#4s1UnS>w>RU zRp}%uZ=>a897k5-bR4 zH&&pzLJ}2p{R?dyzB1A8-J97o@+KP~-W+Q^$FT)aReMI>4fQL-gr+kxAPJADrRNvlF-wH^q3eP>T`fmMd4Z>CVB3;Z`)pH z(%A~E&G~9V=JEzwg%7iFCx1!RpU{CJLolAy?09ovUXI4Yv-6w4{7Hj*qEijUwy>-y z@yzkN$)zb!Ir)1@V8JqCf86xse!t#ZnH$y8!HQ8j`D^nzjEax~JN5tkJBasJ2^&j? 
zG?;{+;PJlrLJMpmaw-mNj{6GulL6XXPk~y0C|y@f27>r&Ae6u3qN{6H4vhZ3hQO6l z)=JKfifk2qMr8J+yo9enAq^>kQnSa+ASZ#`i1J?YB8Sa1-Y%N@(=8{m9*@}B#pU{f z?(*>YWf%L8!FxC6wFt5bz`s7eu*h)Bxz%52BVW(j)Vp2t@WBgp-Ea<>wb-jmbfHDO zo%$htHzqn_GDEq=0NXJ!^I|f)>Tcgzs-wVS!qaEY< z@V%*h28s{6S&Z}y)My|_nqM}pJotuKXnYybNdBHZ19PgCJfbP2)C!S5tlqEDEY*mU zyl-EK<^1Ie>n-C{&_H!ewEtTMg{7MGaIm=Ffj|16UkOvS?7Eu%({@MM=~fNy)HUIe z$hT$FBIB&QzI8xyz=7SXQ@ty8N8Z`EGQl0C{#KOD3{`6~^TDkTE#Ce>|DO-}&nK3d&k7^N(-?#?jQ9O zAP8@eWtD3`tnTq&A39+Tf2m;0^dxqbs3nn=%sl1QH9FiKdZBId38Y<(8#fl>MD{p6 zbaio=+~{n#yvJ07QPw)$lRGeEMrE+q(5r{2i>V)vog1{MSc@hqA!Faa*LwawGTy{` z6*|AyC6_Np_Se?_ecHn1p~}>{Q@=gMYXP`{DS~QP9-Aw4oZmpK^*Viz&Q*{@s5) z{OIy-1RmYI>h2yXgogYR(;dosp4+lnV6|`GzLoMoqZb153rc*8&s#yk^P4bd{jL{5vmg^lx0Eg2gt& z)T1a_vSNiSkV`xI->25Rf3x+L#J2zOYwQh^k`~a*|KnG5c;Iiu_kaB9?$@BF|JSeP zv;TXY@IRk)%Ygr01pLnrGuQg>^}ql8wO!?_{I6flRQ}JE&#M0qA9}<8|32QQU(1K4 Vb@T|I?xn!5aTb%zPntOg{9kFgojL#j diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index 52564d7640..8c285bf251 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf @@ -127,6 +127,7 @@ variable "fast_stage_3" { })) nullable = false default = {} + # TODO: upgrade to cross-variable validation validation { condition = alltrue([ for k, v in var.fast_stage_3 : diff --git a/fast/stages/diagrams.excalidraw.gz b/fast/stages/diagrams.excalidraw.gz index 5cf62be67147194c888669dc17aa3008ce2c685c..fa7ba7b9e9e903d4f66ce1e7d4123f480869edec 100644 GIT binary patch delta 21 ccmX@o&U&Psm0iA@gX2W)(MI;I?2LPz0athju>b%7 delta 21 ccmX@o&U&Psm0iA@gJZkJfkyVN?2LPz0aQ5$RsaA1 From ae764642387bc9cdb7f5fac43e3513f10d770b1b Mon Sep 17 00:00:00 2001 From: Ludo Date: Wed, 28 Aug 2024 09:02:47 +0200 Subject: [PATCH 09/94] review comments --- fast/stages/1-resman/billing.tf | 4 ++-- fast/stages/1-resman/organization.tf | 22 +++------------------- 2 files changed, 5 insertions(+), 21 deletions(-) 
diff --git a/fast/stages/1-resman/billing.tf b/fast/stages/1-resman/billing.tf
index df43082d74..c7d78f536b 100644
--- a/fast/stages/1-resman/billing.tf
+++ b/fast/stages/1-resman/billing.tf
@@ -25,13 +25,13 @@ locals {
 role = "roles/billing.user"
 }
 },
- !var.fast_stage_2.security.enabled ? {} : {
+ !var.fast_stage_2.security.enabled != true ? {} : {
 sa_sec_billing = {
 member = module.sec-sa-rw[0].iam_email
 role = "roles/billing.user"
 }
 },
- !var.fast_stage_2.project_factory.enabled ? {} : {
+ !var.fast_stage_2.project_factory.enabled != true ? {} : {
 sa_pf_billing = {
 member = module.pf-sa-rw[0].iam_email
 role = "roles/billing.user"
diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf
index 8a3c49c166..fe26309d92 100644
--- a/fast/stages/1-resman/organization.tf
+++ b/fast/stages/1-resman/organization.tf
@@ -66,8 +66,8 @@ module "organization" {
 description = "Environment definition."
 iam = try(local.tags.environment.iam, {})
 values = {
- (var.environment_names["dev"]) = {
- iam = try(local.tags.environment.values.development.iam, {})
+ for k, v in var.environment_names : v => {
+ iam = try(local.tags.environment.values[v].iam, {})
 iam_bindings = (
 !var.fast_stage_2.project_factory.enabled
 ? {}
@@ -79,23 +79,7 @@ module "organization" {
 }
 )
 description = try(
- local.tags.environment.values.development.description, null
- )
- }
- (var.environment_names["prod"]) = {
- iam = try(local.tags.environment.values.production.iam, {})
- iam_bindings = (
- !var.fast_stage_2.project_factory.enabled
- ? {}
- : {
- pf = {
- members = [module.pf-sa-rw[0].iam_email]
- role = "roles/resourcemanager.tagUser"
- }
- }
- )
- description = try(
- local.tags.environment.values.production.description, null
+ local.tags.environment.values[v].description, null
 )
 }
 }
From 0f4217f06ab6cbf68c5b5a6aaa3abc59719ae7a6 Mon Sep 17 00:00:00 2001
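Review bot: Both rewritten conditions in billing.tf keep the leading `!`, so `!var.fast_stage_2.security.enabled != true` parses as `(!enabled) != true`, which is true exactly when the stage is enabled. The ternary then yields `{}` for an enabled stage and reaches `module.sec-sa-rw[0].iam_email` for a disabled one, the reverse of the removed line. If the goal was a null-tolerant version of the old test, drop the negation: `var.fast_stage_2.security.enabled != true ? {} : {`, and likewise `var.fast_stage_2.project_factory.enabled != true ? {} : {` for `sa_pf_billing`. As written, the `roles/billing.user` bindings for the security and project-factory service accounts follow the wrong flag state, while organization.tf in this same commit still uses the plain `!var.fast_stage_2.project_factory.enabled` form. The enclosing `locals` block starts and ends outside the hunk.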
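Review bot: In organization.tf, `try(local.tags.environment.values[v].iam, {})` now looks tag-value IAM up by the long environment name and falls back to `{}` when that key is missing, so a tags configuration whose keys do not match `var.environment_names` loses its tag IAM without any plan error. The same applies to the `values[v].description` lookup in the `@@ -79,23 +79,7 @@` hunk. The removed lines read the fixed keys `development` and `production`, so the behaviour is presumably unchanged only while the long names keep those values. A comment above the `for` would record the contract, e.g. `# tag value IAM and description are read from local.tags.environment.values, keyed by the long names in var.environment_names`. `k` is unused in `for k, v in var.environment_names`, and the `module "organization"` block starts and ends outside both hunks.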
From: Ludo
Date: Wed, 28 Aug 2024 10:01:45 +0200
Subject: [PATCH 10/94] review comments
---
 fast/stages/1-resman/variables-fast.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf
index bf9fbe6e44..e1c1d77a7f 100644
--- a/fast/stages/1-resman/variables-fast.tf
+++ b/fast/stages/1-resman/variables-fast.tf
@@ -54,13 +54,13 @@ variable "custom_roles" {
 # tfdoc:variable:source 0-bootstrap
 description = "Custom roles defined at the org level, in key => id format."
 type = object({
- gcve_network_admin = string
 network_firewall_policies_admin = string
- ngfw_enterprise_admin = optional(string)
- ngfw_enterprise_viewer = optional(string)
 organization_admin_viewer = string
 service_project_network_admin = string
 storage_viewer = string
+ gcve_network_admin = optional(string)
+ ngfw_enterprise_admin = optional(string)
+ ngfw_enterprise_viewer = optional(string)
 })
 default = null
 }
From 8556ae1f050b9b5f7f73aa4d48ec4934d0440216 Mon Sep 17 00:00:00 2001
From: Ludo
Date: Wed, 28 Aug 2024 10:06:33 +0200
Subject: [PATCH 11/94] tfdoc
---
 fast/stages/1-resman/README.md | 2 +-
 fast/stages/1-resman/plan.txt | 4550 --------------------------------
 2 files changed, 1 insertion(+), 4551 deletions(-)
 delete mode 100644 fast/stages/1-resman/plan.txt
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index d76501733d..58f83bb282 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
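Review bot: In variables-fast.tf, `gcve_network_admin` changes from a required `string` to `optional(string)`, so it can now be null like the two `ngfw_enterprise_*` keys. Any consumer that passes `var.custom_roles.gcve_network_admin` straight into an IAM binding needs a null guard; those consumers are outside this hunk, so this is worth checking before merge. A comment above the three optional attributes would state the contract: `# optional roles: consumers must skip the binding when the value is null`.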
@@ -274,7 +274,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 | [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
 | [organization](variables-fast.tf#L109) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
 | [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [environment_names](variables.tf#L20) | Long environment names. | object({…}) | | {…} | |
 | [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | |
 | [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | |
diff --git a/fast/stages/1-resman/plan.txt b/fast/stages/1-resman/plan.txt
deleted file mode 100644
index 0193649982..0000000000
--- a/fast/stages/1-resman/plan.txt
+++ /dev/null
@@ -1,4550 +0,0 @@ - -Terraform used the selected providers to generate the following execution -plan. Resource actions are indicated with the following symbols: - + create - ~ update in-place - - destroy --/+ destroy and then create replacement - -Terraform will perform the following actions: - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is 
not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # 
google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = 
"017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.billing_ext_costsmanager["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because google_billing_account_iam_member.billing_ext_costsmanager is not in configuration) - - resource "google_billing_account_iam_member" "billing_ext_costsmanager" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.costsManager/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.costsManager" -> null - } - - # google_billing_account_iam_member.default["data-platform-dev"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["data-platform-prod"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["gcve-dev"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) 
- + id = (known after apply) - + member = "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["gcve-prod"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["gke-dev"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["gke-prod"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["project-factory-dev"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["project-factory-prod"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = 
"serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["sa_net_billing"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["sa_pf_billing"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["sa_pf_costs_manager"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.costsManager" - } - - # google_billing_account_iam_member.default["sa_sec_billing"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = "roles/billing.user" - } - - # google_billing_account_iam_member.default["sandbox"] will be created - + resource "google_billing_account_iam_member" "default" { - + billing_account_id = "017479-47ADAB-670295" - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + role = 
"roles/billing.user" - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is 
not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = 
"017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = 
"serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_billing_account_iam_member.default["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] will be destroyed - # (because key ["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"] is not in for_each map) - # (moved from google_billing_account_iam_member.billing_ext_admin["serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com"]) - - resource "google_billing_account_iam_member" "default" { - - billing_account_id = "017479-47ADAB-670295" -> null - - etag = "BwYgANfU8zg=" -> null - - id = "017479-47ADAB-670295/roles/billing.user/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - member = "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - role = "roles/billing.user" -> null - } - - # google_storage_bucket_object.providers["2-project-factory-dev"] will be destroyed - # (because key ["2-project-factory-dev"] is not in for_each map) - - 
resource "google_storage_bucket_object" "providers" { - - bucket = "ldj-prod-iac-core-outputs-0" -> null - - content = (sensitive value) -> null - - content_type = "text/plain; charset=utf-8" -> null - - crc32c = "1/U7aw==" -> null - - detect_md5hash = "2KhpBFsNgFLTtlft4+2vUg==" -> null - - event_based_hold = false -> null - - generation = 1724165864283522 -> null - - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-dev-providers.tf" -> null - - md5hash = "2KhpBFsNgFLTtlft4+2vUg==" -> null - - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-providers.tf?generation=1724165864283522&alt=media" -> null - - name = "providers/2-project-factory-dev-providers.tf" -> null - - output_name = "providers/2-project-factory-dev-providers.tf" -> null - - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-providers.tf" -> null - - storage_class = "MULTI_REGIONAL" -> null - - temporary_hold = false -> null - # (5 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["2-project-factory-dev-r"] will be destroyed - # (because key ["2-project-factory-dev-r"] is not in for_each map) - - resource "google_storage_bucket_object" "providers" { - - bucket = "ldj-prod-iac-core-outputs-0" -> null - - content = (sensitive value) -> null - - content_type = "text/plain; charset=utf-8" -> null - - crc32c = "a+Kk2A==" -> null - - detect_md5hash = "vqeJdjws7rpHdGUcxwv4/w==" -> null - - event_based_hold = false -> null - - generation = 1724165861422489 -> null - - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-dev-r-providers.tf" -> null - - md5hash = "vqeJdjws7rpHdGUcxwv4/w==" -> null - - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-r-providers.tf?generation=1724165861422489&alt=media" -> null - - name = 
"providers/2-project-factory-dev-r-providers.tf" -> null - - output_name = "providers/2-project-factory-dev-r-providers.tf" -> null - - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-dev-r-providers.tf" -> null - - storage_class = "MULTI_REGIONAL" -> null - - temporary_hold = false -> null - # (5 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["2-project-factory-prod"] will be destroyed - # (because key ["2-project-factory-prod"] is not in for_each map) - - resource "google_storage_bucket_object" "providers" { - - bucket = "ldj-prod-iac-core-outputs-0" -> null - - content = (sensitive value) -> null - - content_type = "text/plain; charset=utf-8" -> null - - crc32c = "unYabQ==" -> null - - detect_md5hash = "weQqYVVKtTmXPi/v/YOGww==" -> null - - event_based_hold = false -> null - - generation = 1724165859084907 -> null - - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-prod-providers.tf" -> null - - md5hash = "weQqYVVKtTmXPi/v/YOGww==" -> null - - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-providers.tf?generation=1724165859084907&alt=media" -> null - - name = "providers/2-project-factory-prod-providers.tf" -> null - - output_name = "providers/2-project-factory-prod-providers.tf" -> null - - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-providers.tf" -> null - - storage_class = "MULTI_REGIONAL" -> null - - temporary_hold = false -> null - # (5 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["2-project-factory-prod-r"] will be destroyed - # (because key ["2-project-factory-prod-r"] is not in for_each map) - - resource "google_storage_bucket_object" "providers" { - - bucket = "ldj-prod-iac-core-outputs-0" -> null - - content = (sensitive value) -> null - - content_type = 
"text/plain; charset=utf-8" -> null - - crc32c = "BzQS2w==" -> null - - detect_md5hash = "ffpfHrpcJL/w7ZwwdbFY7Q==" -> null - - event_based_hold = false -> null - - generation = 1724165860311488 -> null - - id = "ldj-prod-iac-core-outputs-0-providers/2-project-factory-prod-r-providers.tf" -> null - - md5hash = "ffpfHrpcJL/w7ZwwdbFY7Q==" -> null - - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-r-providers.tf?generation=1724165860311488&alt=media" -> null - - name = "providers/2-project-factory-prod-r-providers.tf" -> null - - output_name = "providers/2-project-factory-prod-r-providers.tf" -> null - - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F2-project-factory-prod-r-providers.tf" -> null - - storage_class = "MULTI_REGIONAL" -> null - - temporary_hold = false -> null - # (5 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["3-data-platform-dev"] will be updated in-place - ~ resource "google_storage_bucket_object" "providers" { - ~ content = (sensitive value) - ~ detect_md5hash = "K7MT2KrZevadcRopR/1npQ==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-dev-providers.tf" - name = "providers/3-data-platform-dev-providers.tf" - # (17 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["3-data-platform-dev-r"] will be updated in-place - ~ resource "google_storage_bucket_object" "providers" { - ~ content = (sensitive value) - ~ detect_md5hash = "eKTJwex+CJ4uj6xbzxsJsw==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-dev-r-providers.tf" - name = "providers/3-data-platform-dev-r-providers.tf" - # (17 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["3-data-platform-prod"] will be updated in-place - ~ resource "google_storage_bucket_object" "providers" { - ~ content = (sensitive value) - 
~ detect_md5hash = "hQhEy51JiltDXvRM35UeBQ==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-prod-providers.tf" - name = "providers/3-data-platform-prod-providers.tf" - # (17 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["3-data-platform-prod-r"] will be updated in-place - ~ resource "google_storage_bucket_object" "providers" { - ~ content = (sensitive value) - ~ detect_md5hash = "ixoiiKUUIufpgCqO2Gor6g==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-providers/3-data-platform-prod-r-providers.tf" - name = "providers/3-data-platform-prod-r-providers.tf" - # (17 unchanged attributes hidden) - } - - # google_storage_bucket_object.providers["3-gcve-dev"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-gcve-dev-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-gcve-dev-r"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-gcve-dev-r-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } 
- - # google_storage_bucket_object.providers["3-gcve-prod"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-gcve-prod-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-gcve-prod-r"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-gcve-prod-r-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-project-factory-dev"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-project-factory-dev-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after 
apply) - } - - # google_storage_bucket_object.providers["3-project-factory-dev-r"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-project-factory-dev-r-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-project-factory-prod"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-project-factory-prod-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-project-factory-prod-r"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-project-factory-prod-r-providers.tf" - + output_name = (known after apply) - + self_link 
= (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-sandbox"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-sandbox-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["3-sandbox-r"] will be created - + resource "google_storage_bucket_object" "providers" { - + bucket = "ldj-prod-iac-core-outputs-0" - + content = (sensitive value) - + content_type = (known after apply) - + crc32c = (known after apply) - + detect_md5hash = "different hash" - + generation = (known after apply) - + id = (known after apply) - + kms_key_name = (known after apply) - + md5hash = (known after apply) - + media_link = (known after apply) - + name = "providers/3-sandbox-r-providers.tf" - + output_name = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - } - - # google_storage_bucket_object.providers["9-sandbox"] will be destroyed - # (because key ["9-sandbox"] is not in for_each map) - - resource "google_storage_bucket_object" "providers" { - - bucket = "ldj-prod-iac-core-outputs-0" -> null - - content = (sensitive value) -> null - - content_type = "text/plain; charset=utf-8" -> null - - crc32c = "hoBu4A==" -> null - - detect_md5hash = "hOSd0GG5FCkYkzf140qRuQ==" -> null - - event_based_hold = false -> null - - generation = 1724165862741840 -> null - - id = "ldj-prod-iac-core-outputs-0-providers/9-sandbox-providers.tf" -> null - - md5hash = 
"hOSd0GG5FCkYkzf140qRuQ==" -> null - - media_link = "https://storage.googleapis.com/download/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F9-sandbox-providers.tf?generation=1724165862741840&alt=media" -> null - - metadata = {} -> null - - name = "providers/9-sandbox-providers.tf" -> null - - output_name = "providers/9-sandbox-providers.tf" -> null - - self_link = "https://www.googleapis.com/storage/v1/b/ldj-prod-iac-core-outputs-0/o/providers%2F9-sandbox-providers.tf" -> null - - storage_class = "MULTI_REGIONAL" -> null - - temporary_hold = false -> null - # (5 unchanged attributes hidden) - } - - # google_storage_bucket_object.tfvars will be updated in-place - ~ resource "google_storage_bucket_object" "tfvars" { - ~ content = (sensitive value) - ~ detect_md5hash = "N97vUaApkSkVsc5eJ/n+Ng==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-tfvars/1-resman.auto.tfvars.json" - name = "tfvars/1-resman.auto.tfvars.json" - # (17 unchanged attributes hidden) - } - - # google_storage_bucket_object.workflows["networking"] will be updated in-place - ~ resource "google_storage_bucket_object" "workflows" { - ~ content = (sensitive value) - ~ detect_md5hash = "XwJtleYexn+10HWW2AfoCg==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-workflows/networking-workflow.yaml" - name = "workflows/networking-workflow.yaml" - # (17 unchanged attributes hidden) - } - - # google_storage_bucket_object.workflows["security"] will be updated in-place - ~ resource "google_storage_bucket_object" "workflows" { - ~ content = (sensitive value) - ~ detect_md5hash = "qNnXf1H5cVwk1+Xg3PMB5g==" -> "different hash" - id = "ldj-prod-iac-core-outputs-0-workflows/security-workflow.yaml" - name = "workflows/security-workflow.yaml" - # (17 unchanged attributes hidden) - } - - # local_file.providers["2-project-factory-dev"] will be destroyed - # (because key ["2-project-factory-dev"] is not in for_each map) - - resource "local_file" "providers" { - - content = <<-EOT - /** - * 
Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-pf-0" - impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-dev - EOT -> null - - content_base64sha256 = "o9qjfysy9ElLubXF8AaKExZazX0+ff3Bkz5j/VZLhm4=" -> null - - content_base64sha512 = "kil2VGo8jrAwawUYa5mHbJaZhPLr/2WuuEG8XpO99JOEqlBQzKua/d+5u4m0rSe05OselZGa1XocLY56oI4B2Q==" -> null - - content_md5 = "d8a869045b0d8052d3b657ede3edaf52" -> null - - content_sha1 = "7b455ebbccfc66acd18932023f9e9cf01670193e" -> null - - content_sha256 = "a3daa37f2b32f4494bb9b5c5f0068a13165acd7d3e7dfdc1933e63fd564b866e" -> null - - content_sha512 = "922976546a3c8eb0306b05186b99876c969984f2ebff65aeb841bc5e93bdf49384aa5050ccab9afddfb9bb89b4ad27b4e4eb1e95919ad57a1c2d8e7aa08e01d9" -> null - - directory_permission = "0777" -> null - - file_permission = "0644" -> null - - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-dev-providers.tf" -> null - - id = "7b455ebbccfc66acd18932023f9e9cf01670193e" -> null - } - - # local_file.providers["2-project-factory-dev-r"] 
will be destroyed - # (because key ["2-project-factory-dev-r"] is not in for_each map) - - resource "local_file" "providers" { - - content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-pf-0" - impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-dev - EOT -> null - - content_base64sha256 = "oLhfDRlG4uEP29Zs5BMZjPIQq4MoupR5ebj8TCRhmGg=" -> null - - content_base64sha512 = "bgKdn/XmqDljUqE0gj9DmX1LBMpx7AMsyx8AnRmnn7rNjE3PI/XlgZBl8+4cAqvYeCvkcH+dVyAJuzkMambHBQ==" -> null - - content_md5 = "bea789763c2ceeba4774651cc70bf8ff" -> null - - content_sha1 = "e2cb9c5d8a62354eb07183fb65f047875a91bdfd" -> null - - content_sha256 = "a0b85f0d1946e2e10fdbd66ce413198cf210ab8328ba947979b8fc4c24619868" -> null - - content_sha512 = "6e029d9ff5e6a8396352a134823f43997d4b04ca71ec032ccb1f009d19a79fbacd8c4dcf23f5e5819065f3ee1c02abd8782be4707f9d572009bb390c6a66c705" -> null - - directory_permission = "0777" -> null - - file_permission = "0644" -> null - - filename = 
"/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-dev-r-providers.tf" -> null - - id = "e2cb9c5d8a62354eb07183fb65f047875a91bdfd" -> null - } - - # local_file.providers["2-project-factory-prod"] will be destroyed - # (because key ["2-project-factory-prod"] is not in for_each map) - - resource "local_file" "providers" { - - content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-pf-0" - impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-prod - EOT -> null - - content_base64sha256 = "SfGgfaWS91Jto+G8ADLc7D1DjC7HRAfAO0+zA/OMZ5g=" -> null - - content_base64sha512 = "6FK9KtZH9wA21HgTO7V3fCCrRAnd5K64kugjyol5cDlz33ERRLwRMKjKVPIfUhMJg56UtM4TZcJhLEY65Di/2g==" -> null - - content_md5 = "c1e42a61554ab539973e2feffd8386c3" -> null - - content_sha1 = "4b591ee04c1e6ee01e69367752549077e806174a" -> null - - content_sha256 = "49f1a07da592f7526da3e1bc0032dcec3d438c2ec74407c03b4fb303f38c6798" -> null - - content_sha512 = 
"e852bd2ad647f70036d478133bb5777c20ab4409dde4aeb892e823ca8979703973df711144bc1130a8ca54f21f521309839e94b4ce1365c2612c463ae438bfda" -> null - - directory_permission = "0777" -> null - - file_permission = "0644" -> null - - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-prod-providers.tf" -> null - - id = "4b591ee04c1e6ee01e69367752549077e806174a" -> null - } - - # local_file.providers["2-project-factory-prod-r"] will be destroyed - # (because key ["2-project-factory-prod-r"] is not in for_each map) - - resource "local_file" "providers" { - - content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-pf-0" - impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-prod - EOT -> null - - content_base64sha256 = "ZaO5mia+nbq3+saW8xHi1SdxXRnurc2l68x5s3S1pa4=" -> null - - content_base64sha512 = "UBHvUSF7PStCZuAUdENyWO5KJdwq/ZCyqrRYMpzefD1MffOWKo6du1kfU9o2O9lbRI487VxqvEu3Z/N8PKxz7w==" -> null - - content_md5 = "7dfa5f1eba5c24bff0ed9c3075b158ed" -> null - - content_sha1 = "9ffd801dfeca04d566c17c19f4e468653c9f95fe" -> null - - content_sha256 = "65a3b99a26be9dbab7fac696f311e2d527715d19eeadcda5ebcc79b374b5a5ae" -> null - - content_sha512 = "5011ef51217b3d2b4266e01474437258ee4a25dc2afd90b2aab458329cde7c3d4c7df3962a8e9dbb591f53da363bd95b448e3ced5c6abc4bb767f37c3cac73ef" -> null - - directory_permission = "0777" -> null - - file_permission = "0644" -> null - - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/2-project-factory-prod-r-providers.tf" -> null - - id = "9ffd801dfeca04d566c17c19f4e468653c9f95fe" -> null - } - - # local_file.providers["3-data-platform-dev"] must be replaced --/+ resource "local_file" "providers" { - ~ content = <<-EOT # forces replacement - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. 
- * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-dp-0" - impersonate_service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - - # end provider.tf for dp-dev - + # end provider.tf for data-platform-dev - EOT - ~ content_base64sha256 = "1qpn5QbXhb9gM73rDzHkQqaYWJNU2aNSdxkbtmL48tc=" -> (known after apply) - ~ content_base64sha512 = "IfEveLtAPSiXsmIgI1ecqljSEtpR3Gks5VCkLs0p+B/EQxSyHuxOsvE+WsSXS6ZXW01O65HyfGyibLqzRPe4dQ==" -> (known after apply) - ~ content_md5 = "2bb313d8aad97af69d711a2947fd67a5" -> (known after apply) - ~ content_sha1 = "9e2275cf364ac73635e17e376861ac3c0aa270f1" -> (known after apply) - ~ content_sha256 = "d6aa67e506d785bf6033bdeb0f31e442a698589354d9a35277191bb662f8f2d7" -> (known after apply) - ~ content_sha512 = "21f12f78bb403d2897b2622023579caa58d212da51dc692ce550a42ecd29f81fc44314b21eec4eb2f13e5ac4974ba6575b4d4eeb91f27c6ca26cbab344f7b875" -> (known after apply) - ~ id = "9e2275cf364ac73635e17e376861ac3c0aa270f1" -> (known after apply) - # (3 unchanged attributes hidden) - } - - # local_file.providers["3-data-platform-dev-r"] must be replaced --/+ resource "local_file" "providers" { - ~ content = <<-EOT # forces replacement - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the 
"License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-dp-0" - impersonate_service_account = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - - # end provider.tf for dp-dev - + # end provider.tf for data-platform-dev - EOT - ~ content_base64sha256 = "XASKu15jdK8HVbHe5g4ULiu9Gz8Oqm8ZxJ6RY05Ngnw=" -> (known after apply) - ~ content_base64sha512 = "o9hykKPrfta/H7TCoMyBgJoy6fZAKCoD+q41iR0uz0WlwnXgdyovArDBhHDkfTFJrFPNYIDIiwyOxAhamZ0Hqg==" -> (known after apply) - ~ content_md5 = "78a4c9c1ec7e089e2e8fac5bcf1b09b3" -> (known after apply) - ~ content_sha1 = "47fc05248ac63321757bff9fdb74ef8f9a143a4f" -> (known after apply) - ~ content_sha256 = "5c048abb5e6374af0755b1dee60e142e2bbd1b3f0eaa6f19c49e91634e4d827c" -> (known after apply) - ~ content_sha512 = "a3d87290a3eb7ed6bf1fb4c2a0cc81809a32e9f640282a03faae35891d2ecf45a5c275e0772a2f02b0c18470e47d3149ac53cd6080c88b0c8ec4085a999d07aa" -> (known after apply) - ~ id = "47fc05248ac63321757bff9fdb74ef8f9a143a4f" -> (known after apply) - # (3 unchanged attributes hidden) - } - - # local_file.providers["3-data-platform-prod"] must be replaced --/+ resource "local_file" "providers" { - ~ content = <<-EOT # forces replacement - /** - * Copyright 
2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-dp-0" - impersonate_service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - - # end provider.tf for dp-prod - + # end provider.tf for data-platform-prod - EOT - ~ content_base64sha256 = "+AkAf7mnQbteCJTRF5+d+wceuobXcw6Nugll/qE+IkU=" -> (known after apply) - ~ content_base64sha512 = "qVWaCTBAKabrpP+cuMV6lsWumRvIl4cL/7eOMrjLYLze2SqkknOTL/h0bLeaHcmZ5Gal0MljvAdWs2plWPVVOw==" -> (known after apply) - ~ content_md5 = "850844cb9d498a5b435ef44cdf951e05" -> (known after apply) - ~ content_sha1 = "7a9df0e7e42b6a4b1bf182d616733d1128330078" -> (known after apply) - ~ content_sha256 = "f809007fb9a741bb5e0894d1179f9dfb071eba86d7730e8dba0965fea13e2245" -> (known after apply) - ~ content_sha512 = "a9559a09304029a6eba4ff9cb8c57a96c5ae991bc897870bffb78e32b8cb60bcded92aa49273932ff8746cb79a1dc999e466a5d0c963bc0756b36a6558f5553b" -> (known after apply) - ~ id = "7a9df0e7e42b6a4b1bf182d616733d1128330078" -> (known after apply) - # (3 unchanged attributes hidden) - } - - # local_file.providers["3-data-platform-prod-r"] must be replaced --/+ resource 
"local_file" "providers" { - ~ content = <<-EOT # forces replacement - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-dp-0" - impersonate_service_account = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - - # end provider.tf for dp-prod - + # end provider.tf for data-platform-prod - EOT - ~ content_base64sha256 = "eFvdBVb25p/9PIn57fqbnwSwdyCPnqEnYIArkIfXil8=" -> (known after apply) - ~ content_base64sha512 = "6hgoo+MsUh7hSl+0Wvvbl7nlHXk8nUnTjWO2UguZZ/MFXskjxA/jzaNKNxvss3GKbGEIxMVuoXm27sKVSD94Hg==" -> (known after apply) - ~ content_md5 = "8b1a2288a51422e7e9802a8ed86a2bea" -> (known after apply) - ~ content_sha1 = "08332943453ec993a8b17779710a540b7f7b50b7" -> (known after apply) - ~ content_sha256 = "785bdd0556f6e69ffd3c89f9edfa9b9f04b077208f9ea12760802b9087d78a5f" -> (known after apply) - ~ content_sha512 = "ea1828a3e32c521ee14a5fb45afbdb97b9e51d793c9d49d38d63b6520b9967f3055ec923c40fe3cda34a371becb3718a6c6108c4c56ea179b6eec295483f781e" -> (known after apply) - ~ id = "08332943453ec993a8b17779710a540b7f7b50b7" -> (known after apply) - # (3 unchanged attributes hidden) - } - - 
# local_file.providers["3-gcve-dev"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-gcve-0" - impersonate_service_account = "ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for gcve-dev - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-dev-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-gcve-dev-r"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. 
- * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-gcve-0" - impersonate_service_account = "ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for gcve-dev - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-dev-r-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-gcve-prod"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
- * See the License for the specific language governing permissions and - * limitations under the License. - */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-gcve-0" - impersonate_service_account = "ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for gcve-prod - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-prod-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-gcve-prod-r"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-gcve-0" - impersonate_service_account = "ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for gcve-prod - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-gcve-prod-r-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-project-factory-dev"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-pf-0" - impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-dev - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-dev-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-project-factory-dev-r"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-pf-0" - impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-dev - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-dev-r-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-project-factory-prod"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-pf-0" - impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-prod - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-prod-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-project-factory-prod-r"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-prod-resman-pf-0" - impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for project-factory-prod - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-project-factory-prod-r-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-sandbox"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-sbx-0" - impersonate_service_account = "ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for sandbox - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-sandbox-providers.tf" - + id = (known after apply) - } - - # local_file.providers["3-sandbox-r"] will be created - + resource "local_file" "providers" { - + content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-sbx-0" - impersonate_service_account = "ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for sandbox - EOT - + content_base64sha256 = (known after apply) - + content_base64sha512 = (known after apply) - + content_md5 = (known after apply) - + content_sha1 = (known after apply) - + content_sha256 = (known after apply) - + content_sha512 = (known after apply) - + directory_permission = "0777" - + file_permission = "0644" - + filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/3-sandbox-r-providers.tf" - + id = (known after apply) - } - - # local_file.providers["9-sandbox"] will be destroyed - # (because key ["9-sandbox"] is not in for_each map) - - resource "local_file" "providers" { - - content = <<-EOT - /** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- */ - - terraform { - backend "gcs" { - bucket = "ldj-dev-resman-sbox-0" - impersonate_service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } - provider "google" { - impersonate_service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - provider "google-beta" { - impersonate_service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - # end provider.tf for sandbox - EOT -> null - - content_base64sha256 = "sxj7XXfYyf/wdly0AuijFHRLvOB8HMkV3yrhtOhJVjc=" -> null - - content_base64sha512 = "5HhvcchEvqjX6COU5RkmuiQ73jnNqeUfkybM1fawSQ0n+VmpXcyuZ6r6CtCt6ljNWy3LuZavjZTYDMk+6P851g==" -> null - - content_md5 = "84e49dd061b91429189337f5e34a91b9" -> null - - content_sha1 = "344829bd4c47592067a551a2736173dda6c180a2" -> null - - content_sha256 = "b318fb5d77d8c9fff0765cb402e8a314744bbce07c1cc915df2ae1b4e8495637" -> null - - content_sha512 = "e4786f71c844bea8d7e82394e51926ba243bde39cda9e51f9326ccd5f6b0490d27f959a95dccae67aafa0ad0adea58cd5b2dcbb996af8d94d80cc93ee8ff39d6" -> null - - directory_permission = "0777" -> null - - file_permission = "0644" -> null - - filename = "/home/ludomagno/dev/tf-playground/fast-config/ludo/providers/9-sandbox-providers.tf" -> null - - id = "344829bd4c47592067a551a2736173dda6c180a2" -> null - } - - # local_file.tfvars["1"] must be replaced --/+ resource "local_file" "tfvars" { - ~ content = jsonencode( - { - - checklist_hierarchy = {} - - fast_features = { - - data_platform = true - - gcve = false - - gke = true - - nsec = false - - sandbox = true - } - - folder_ids = { - - data-platform-dev = "folders/777820411744" - - data-platform-prod = "folders/447111401824" - - gcve-dev = null - - gcve-prod = null - - gke-dev = "folders/39661087317" - - gke-prod = "folders/810789977048" - - networking = "folders/843203210689" - - networking-dev = "folders/835049949636" - - networking-prod = "folders/572160545943" - - sandbox = "folders/245438209825" - - 
security = "folders/251257116248" - - teams = "folders/551661226665" - - tenants = "folders/1030800250254" - } - - service_accounts = { - - data-platform-dev = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - data-platform-dev-r = "ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - data-platform-prod = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - data-platform-prod-r = "ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - gcve-dev = null - - gcve-dev-r = null - - gcve-prod = null - - gcve-prod-r = null - - gke-dev = "ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - gke-dev-r = "ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - gke-prod = "ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - gke-prod-r = "ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - networking = "ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - networking-r = "ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - nsec = null - - nsec-r = null - - project-factory = "ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - project-factory-dev = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - project-factory-dev-r = "ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - project-factory-prod = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - project-factory-prod-r = "ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - project-factory-r = "ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - sandbox = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - security = "ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - security-r = "ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - tag_keys = { - - context = "tagKeys/123316001138" - - 
environment = "tagKeys/534907385149" - - gcs_soft_delete = "tagKeys/281479009308987" - } - - tag_names = { - - context = "context" - - environment = "environment" - } - - tag_values = { - - "context/data" = "tagValues/420824284884" - - "context/gcve" = "tagValues/281476934113589" - - "context/gke" = "tagValues/1084887265324" - - "context/networking" = "tagValues/1085868865377" - - "context/project-factory" = "tagValues/281477339751191" - - "context/sandbox" = "tagValues/918078731612" - - "context/security" = "tagValues/111937801763" - - "environment/development" = "tagValues/1028757044334" - - "environment/production" = "tagValues/1067159199641" - - "gcs_soft_delete/allow-0" = "tagValues/281478899316081" - - "gcs_soft_delete/allow-10" = "tagValues/281483064391362" - - "gcs_soft_delete/allow-all" = "tagValues/281484261155708" - } - } # forces replacement - ) -> (known after apply) # forces replacement - ~ content_base64sha256 = "a1d0rz+g1lEsonOTCLJg1B4fYe3CNQlNHLyQJfiNABo=" -> (known after apply) - ~ content_base64sha512 = "uYx5WoLh/SM2Ka2LpxVKh66Q8KX4/u6JaiJCbchLdOsCwL4soEEDBAn39HRhFr8guPjrUr7EbIVxyuwc/aLJMQ==" -> (known after apply) - ~ content_md5 = "37deef51a029912915b1ce5e27f9fe36" -> (known after apply) - ~ content_sha1 = "2d18dbd6d4a9f0c71e7b09dadc0131310eab54a6" -> (known after apply) - ~ content_sha256 = "6b5774af3fa0d6512ca2739308b260d41e1f61edc235094d1cbc9025f88d001a" -> (known after apply) - ~ content_sha512 = "b98c795a82e1fd233629ad8ba7154a87ae90f0a5f8feee896a22426dc84b74eb02c0be2ca041030409f7f4746116bf20b8f8eb52bec46c8571caec1cfda2c931" -> (known after apply) - ~ id = "2d18dbd6d4a9f0c71e7b09dadc0131310eab54a6" -> (known after apply) - # (3 unchanged attributes hidden) - } - - # local_file.workflows["networking"] must be replaced --/+ resource "local_file" "workflows" { - ~ content = <<-EOT # forces replacement - # Copyright 2024 Google LLC - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in 
compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - - name: "FAST networking stage" - - on: - pull_request: - branches: - - main - types: - - closed - - opened - - synchronize - - env: - - FAST_SERVICE_ACCOUNT: ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com - + FAST_SERVICE_ACCOUNT: ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com - - FAST_SERVICE_ACCOUNT_PLAN: ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com - + FAST_SERVICE_ACCOUNT_PLAN: ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com - FAST_WIF_PROVIDER: projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - TF_PROVIDERS_FILE: 2-networking-providers.tf - - TF_PROVIDERS_FILE_PLAN: 2-networking-r-providers.tf - + TF_PROVIDERS_FILE_PLAN: 2-networking-providers-r.tf - TF_VERSION: 1.7.4 - - jobs: - fast-pr: - # Skip PRs which are closed without being merged. 
- if: >- - github.event.action == 'closed' && - github.event.pull_request.merged == true || - github.event.action == 'opened' || - github.event.action == 'synchronize' - permissions: - contents: read - id-token: write - issues: write - pull-requests: write - runs-on: ubuntu-latest - steps: - - id: checkout - name: Checkout repository - uses: actions/checkout@v4 - - # set up SSH key authentication to the modules repository - - - id: ssh-config - name: Configure SSH authentication - run: | - ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null - ssh-add - <<< "${{ secrets.CICD_MODULES_KEY }}" - - # set up step variables for plan / apply - - - id: vars-plan - if: github.event.pull_request.merged != true && success() - name: Set up plan variables - run: | - echo "plan_opts=-lock=false" >> "$GITHUB_ENV" - echo "provider_file=${{env.TF_PROVIDERS_FILE_PLAN}}" >> "$GITHUB_ENV" - echo "service_account=${{env.FAST_SERVICE_ACCOUNT_PLAN}}" >> "$GITHUB_ENV" - - - id: vars-apply - if: github.event.pull_request.merged == true && success() - name: Set up apply variables - run: | - echo "provider_file=${{env.TF_PROVIDERS_FILE}}" >> "$GITHUB_ENV" - echo "service_account=${{env.FAST_SERVICE_ACCOUNT}}" >> "$GITHUB_ENV" - - # set up authentication via Workload identity Federation and gcloud - - - id: gcp-auth - name: Authenticate to Google Cloud - uses: google-github-actions/auth@v2 - with: - workload_identity_provider: ${{env.FAST_WIF_PROVIDER}} - service_account: ${{env.service_account}} - access_token_lifetime: 900s - - - id: gcp-sdk - name: Set up Cloud SDK - uses: google-github-actions/setup-gcloud@v2 - with: - install_components: alpha - - # copy provider file - - - id: tf-config-provider - name: Copy Terraform provider file - run: | - gcloud storage cp -r \ - "gs://ldj-prod-iac-core-outputs-0/providers/${{env.provider_file}}" ./ - gcloud storage cp -r \ - "gs://ldj-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json" ./ - gcloud storage cp -r \ - 
"gs://ldj-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json" ./ - gcloud storage cp -r \ - "gs://ldj-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json" ./ - - - id: tf-setup - name: Set up Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{env.TF_VERSION}} - - # run Terraform init/validate/plan - - - id: tf-init - name: Terraform init - continue-on-error: true - run: | - terraform init -no-color - - - id: tf-validate - continue-on-error: true - name: Terraform validate - run: terraform validate -no-color - - - id: tf-plan - name: Terraform plan - continue-on-error: true - run: | - terraform plan -input=false -out ../plan.out -no-color ${{env.plan_opts}} - - - id: tf-apply - if: github.event.pull_request.merged == true && success() - name: Terraform apply - continue-on-error: true - run: | - terraform apply -input=false -auto-approve -no-color ../plan.out - - # PR comment with Terraform result from previous steps - # length is checked and trimmed for length so as to stay within the limit - - - id: pr-comment - name: Post comment to Pull Request - continue-on-error: true - uses: actions/github-script@v7 - if: github.event_name == 'pull_request' - env: - PLAN: ${{steps.tf-plan.outputs.stdout}}\n${{steps.tf-plan.outputs.stderr}} - with: - script: | - const output = `### Terraform Initialization \`${{steps.tf-init.outcome}}\` - - ### Terraform Validation \`${{steps.tf-validate.outcome}}\` - -

Validation Output - - \`\`\`\n - ${{steps.tf-validate.outputs.stdout}} - \`\`\` - -
- - ### Terraform Plan \`${{steps.tf-plan.outcome}}\` - -
Show Plan - - \`\`\`\n - ${process.env.PLAN.split('\n').filter(l => l.match(/^([A-Z\s].*|)$$/)).join('\n')} - \`\`\` - -
- - ### Terraform Apply \`${{steps.tf-apply.outcome}}\` - - *Pusher: @${{github.actor}}, Action: \`${{github.event_name}}\`, Working Directory: \`${{env.tf_actions_working_dir}}\`, Workflow: \`${{github.workflow}}\`*`; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) - - - id: pr-short-comment - name: Post comment to Pull Request (abbreviated) - uses: actions/github-script@v7 - if: github.event_name == 'pull_request' && steps.pr-comment.outcome != 'success' - with: - script: | - const output = `### Terraform Initialization \`${{steps.tf-init.outcome}}\` - - ### Terraform Validation \`${{steps.tf-validate.outcome}}\` - - ### Terraform Plan \`${{steps.tf-plan.outcome}}\` - - Plan output is in the action log. - - ### Terraform Apply \`${{steps.tf-apply.outcome}}\` - - *Pusher: @${{github.actor}}, Action: \`${{github.event_name}}\`, Working Directory: \`${{env.tf_actions_working_dir}}\`, Workflow: \`${{github.workflow}}\`*`; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) - - # exit on error from previous steps - - - id: check-init - name: Check init failure - if: steps.tf-init.outcome != 'success' - run: exit 1 - - - id: check-validate - name: Check validate failure - if: steps.tf-validate.outcome != 'success' - run: exit 1 - - - id: check-plan - name: Check plan failure - if: steps.tf-plan.outcome != 'success' - run: exit 1 - - - id: check-apply - name: Check apply failure - if: github.event.pull_request.merged == true && steps.tf-apply.outcome != 'success' - run: exit 1 - EOT - ~ content_base64sha256 = "kJ/RbUpuZbDOv2nqdxw+n15VOng/kJbaU55gRc5OPL8=" -> (known after apply) - ~ content_base64sha512 = "XC963GpnEHYiR5nMyq6pvtZ8HmeGESF7GDOhmK6xQFYJl1N4/n5W7fGo09vYlqXxDBI2ZS2HEHdKsQzeO68MWQ==" -> (known after apply) - ~ content_md5 = "5f026d95e61ec67fb5d07596d807e80a" 
-> (known after apply) - ~ content_sha1 = "41caaadbe411c2ed1d6a81d8422ae4191e678925" -> (known after apply) - ~ content_sha256 = "909fd16d4a6e65b0cebf69ea771c3e9f5e553a783f9096da539e6045ce4e3cbf" -> (known after apply) - ~ content_sha512 = "5c2f7adc6a671076224799cccaaea9bed67c1e678611217b1833a198aeb1405609975378fe7e56edf1a8d3dbd896a5f10c1236652d8710774ab10cde3baf0c59" -> (known after apply) - ~ id = "41caaadbe411c2ed1d6a81d8422ae4191e678925" -> (known after apply) - # (3 unchanged attributes hidden) - } - - # local_file.workflows["security"] must be replaced --/+ resource "local_file" "workflows" { - ~ content = <<-EOT # forces replacement - # Copyright 2024 Google LLC - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. 
- - variables: - GOOGLE_CREDENTIALS: cicd-sa-credentials.json - FAST_OUTPUTS_BUCKET: ldj-prod-iac-core-outputs-0 - FAST_WIF_PROVIDER: projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - TF_VAR_FILES: 0-bootstrap.auto.tfvars.json - 1-resman.auto.tfvars.json - 0-globals.auto.tfvars.json - - workflow: - rules: - # merge / apply - - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH - variables: - COMMAND: apply - - FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com - + FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com - TF_PROVIDERS_FILE: 2-security-providers.tf - # pr / plan - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - variables: - COMMAND: plan - - FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com - + FAST_SERVICE_ACCOUNT: ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com - - TF_PROVIDERS_FILE: 2-security-r-providers.tf - + TF_PROVIDERS_FILE: 2-security-providers-r.tf - - stages: - - gcp-setup - - tf-plan-apply - - # TODO: document project-level deploy key used to fetch modules - - gcp-setup: - stage: gcp-setup - image: - name: google/cloud-sdk:slim - artifacts: - paths: - - cicd-sa-credentials.json - - providers.tf - - 0-bootstrap.auto.tfvars.json - - 1-resman.auto.tfvars.json - - 0-globals.auto.tfvars.json - id_tokens: - GITLAB_TOKEN: - aud: - - https://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno - before_script: - - echo "$GITLAB_TOKEN" > token.txt - script: - - | - gcloud iam workload-identity-pools create-cred-config \ - $FAST_WIF_PROVIDER \ - --service-account=$FAST_SERVICE_ACCOUNT \ - --service-account-token-lifetime-seconds=900 \ - --output-file=$GOOGLE_CREDENTIALS \ - 
--credential-source-file=token.txt - - gcloud config set auth/credential_file_override $GOOGLE_CREDENTIALS - - gcloud storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf - - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/0-bootstrap.auto.tfvars.json ./ - - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/1-resman.auto.tfvars.json ./ - - gcloud storage cp gs://$FAST_OUTPUTS_BUCKET/tfvars/0-globals.auto.tfvars.json ./ - - - tf-plan-apply: - stage: tf-plan-apply - dependencies: - - gcp-setup - id_tokens: - GITLAB_TOKEN: - aud: - - https://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno - image: - name: hashicorp/terraform - entrypoint: - - "/usr/bin/env" - variables: - SSH_AUTH_SOCK: /tmp/ssh-agent.sock - script: - - | - ssh-agent -a $SSH_AUTH_SOCK - echo "$CICD_MODULES_KEY" | ssh-add - - mkdir -p ~/.ssh - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts - ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts - - echo "$GITLAB_TOKEN" > token.txt - - terraform init - - terraform validate - - "if [ $COMMAND == 'plan' ]; then terraform plan -input=false -no-color -lock=false; fi" - - "if [ $COMMAND == 'apply' ]; then terraform apply -input=false -no-color -auto-approve; fi" - EOT - ~ content_base64sha256 = "YDdQp0d7sbSDrfOvasNaeyzSCjAchjRkh+apfx8H8po=" -> (known after apply) - ~ content_base64sha512 = "Eur18ONmHQGXVmnTdehbKH0AeMwc/wtrfJOBzugqWJzINFR/YiokD6NT8/OUVVAPSpdzI69axy4iMQH+HTIXSw==" -> (known after apply) - ~ content_md5 = "a8d9d77f51f9715c24d7e5e0dcf301e6" -> (known after apply) - ~ content_sha1 = "bceac2341d2b92ec31c23acd38136fb966211023" -> (known after apply) - ~ content_sha256 = "603750a7477bb1b483adf3af6ac35a7b2cd20a301c86346487e6a97f1f07f29a" -> (known after apply) - ~ content_sha512 = 
"12eaf5f0e3661d01975669d375e85b287d0078cc1cff0b6b7c9381cee82a589cc834547f622a240fa353f3f39455500f4a977323af5ac72e223101fe1d32174b" -> (known after apply) - ~ id = "bceac2341d2b92ec31c23acd38136fb966211023" -> (known after apply) - # (3 unchanged attributes hidden) - } - - # module.branch-network-r-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.cicd-sa-ro["networking"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-network-r-sa-cicd["0"].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform CI/CD stage 2 networking service account (read-only)." -> "CI/CD 2-net prod service account (read-only)." 
- id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-network-r-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] has moved to module.cicd-sa-ro["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" - # (4 unchanged attributes hidden) - } - - # module.branch-network-r-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-ro["networking"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-security-r-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-ro["security"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.cicd-sa-ro["security"].google_service_account.service_account[0] will be updated in-place - # (moved from 
module.branch-security-r-sa-cicd["0"].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform CI/CD stage 2 security service account (read-only)." -> "CI/CD 2-sec prod service account (read-only)." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.cicd-sa-ro["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] will be updated in-place - # (moved from module.branch-security-r-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]) - ~ resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" - ~ members = [ - - "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/fast-test", - + "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/security", - ] - # (3 unchanged attributes hidden) - } - - # module.branch-security-r-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-ro["security"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # 
module.branch-network-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-rw["networking"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.cicd-sa-rw["networking"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-network-sa-cicd["0"].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform CI/CD stage 2 networking service account." -> "CI/CD 2-net prod service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-network-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] has moved to module.cicd-sa-rw["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" - # (4 unchanged attributes hidden) - } - - # module.branch-network-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-rw["networking"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" 
{ - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-security-sa-cicd["0"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] has moved to module.cicd-sa-rw["security"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/logging.logWriter"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/logging.logWriter/serviceAccount:ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.cicd-sa-rw["security"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-security-sa-cicd["0"].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform CI/CD stage 2 security service account." -> "CI/CD 2-sec prod service account." 
- id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.cicd-sa-rw["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] will be updated in-place - # (moved from module.branch-security-sa-cicd["0"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]) - ~ resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.workloadIdentityUser" - ~ members = [ - - "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/fast-test", - + "principalSet://iam.googleapis.com/projects/1067134626166/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/ludomagno/security", - ] - # (3 unchanged attributes hidden) - } - - # module.branch-security-sa-cicd["0"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] has moved to module.cicd-sa-rw["security"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectViewer/serviceAccount:ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-network-gcs.google_storage_bucket.bucket has moved to module.net-bucket[0].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-prod-resman-net-0" - name = "ldj-prod-resman-net-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks 
hidden) - } - - # module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-net-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-net-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder.folder[0] has moved to module.net-folder[0].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/843203210689" - name = "folders/843203210689" - # (5 unchanged attributes hidden) - } - - # module.net-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/networkFirewallPoliciesAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "organizations/366118655033/roles/networkFirewallPoliciesAdmin" - } - - # module.net-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = 
"organizations/366118655033/roles/serviceProjectNetworkAdmin" - } - - # module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/compute.networkViewer" - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/compute.xpnAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/editor"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/editor" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/logging.admin" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/owner"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/owner" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to 
module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/resourcemanager.folderAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/resourcemanager.folderViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/resourcemanager.projectCreator" - # (4 unchanged attributes hidden) - } - - # module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/serviceusage.serviceUsageAdmin" - } - - # module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # 
module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.net-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/843203210689/roles/viewer" - # (4 unchanged attributes hidden) - } - - # module.net-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"] will be created - + resource "google_folder_iam_binding" "bindings" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.projectIamAdmin" - - + condition { - + description = "Project factory delegated grant." - + expression = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/compute.networkUser])" - + title = "project factory project delegated admin" - } - } - - # module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_dev"] will be created - + resource "google_folder_iam_binding" "bindings" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after apply) - + role = "roles/resourcemanager.projectIamAdmin" - - + condition { - + expression = <<-EOT - resource.matchTag( - '366118655033/environment', 'development' - ) - && - api.getAttribute( - 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'] - ) - EOT - + title = "stage 3 project delegated admin dev" - } - } - - # module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_prod"] will be created - + resource "google_folder_iam_binding" "bindings" { - + etag = (known after apply) - + folder = "folders/843203210689" - + id = (known after 
apply) - + role = "roles/resourcemanager.projectIamAdmin" - - + condition { - + expression = <<-EOT - resource.matchTag( - '366118655033/environment', 'production' - ) - && - api.getAttribute( - 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'] - ) - EOT - + title = "stage 3 project delegated admin prod" - } - } - - # module.branch-network-folder.google_tags_tag_binding.binding["context"] has moved to module.net-folder[0].google_tags_tag_binding.binding["context"] - resource "google_tags_tag_binding" "binding" { - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F843203210689/tagValues/1085868865377" - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F843203210689/tagValues/1085868865377" - # (2 unchanged attributes hidden) - } - - # module.branch-network-dev-folder.google_folder.folder[0] has moved to module.net-folder-dev[0].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/835049949636" - name = "folders/835049949636" - # (5 unchanged attributes hidden) - } - - # module.net-folder-dev[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"] will be destroyed - # (because key ["organizations/366118655033/roles/gcveNetworkAdmin"] is not in for_each map) - # (moved from module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - folder = "folders/835049949636" -> null - - id = "folders/835049949636/organizations/366118655033/roles/gcveNetworkAdmin" -> null - - members = [] -> null - - role = "organizations/366118655033/roles/gcveNetworkAdmin" -> null - } - - # 
module.net-folder-dev[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed - # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) - # (moved from module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYam5Yf1IQ=" -> null - - folder = "folders/835049949636" -> null - - id = "folders/835049949636/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - - members = [ - - "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - } - - # module.net-folder-dev[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"] will be destroyed - # (because key ["roles/compute.networkViewer"] is not in for_each map) - # (moved from module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYam5Yf1IQ=" -> null - - folder = "folders/835049949636" -> null - - id = "folders/835049949636/roles/compute.networkViewer" -> null - - members = [ - - "serviceAccount:ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = 
"roles/compute.networkViewer" -> null - } - - # module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"] has moved to module.net-folder-dev[0].google_tags_tag_binding.binding["environment"] - resource "google_tags_tag_binding" "binding" { - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F835049949636/tagValues/1028757044334" - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F835049949636/tagValues/1028757044334" - # (2 unchanged attributes hidden) - } - - # module.branch-network-prod-folder.google_folder.folder[0] has moved to module.net-folder-prod[0].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/572160545943" - name = "folders/572160545943" - # (5 unchanged attributes hidden) - } - - # module.net-folder-prod[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"] will be destroyed - # (because key ["organizations/366118655033/roles/gcveNetworkAdmin"] is not in for_each map) - # (moved from module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/gcveNetworkAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - folder = "folders/572160545943" -> null - - id = "folders/572160545943/organizations/366118655033/roles/gcveNetworkAdmin" -> null - - members = [] -> null - - role = "organizations/366118655033/roles/gcveNetworkAdmin" -> null - } - - # module.net-folder-prod[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed - # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) - # (moved from module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYam5Y9ziM=" -> null - - folder = "folders/572160545943" 
-> null - - id = "folders/572160545943/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - - members = [ - - "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - } - - # module.net-folder-prod[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"] will be destroyed - # (because key ["roles/compute.networkViewer"] is not in for_each map) - # (moved from module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYam5Y9ziM=" -> null - - folder = "folders/572160545943" -> null - - id = "folders/572160545943/roles/compute.networkViewer" -> null - - members = [ - - "serviceAccount:ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - - "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = "roles/compute.networkViewer" -> null - } - - # module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"] has moved to module.net-folder-prod[0].google_tags_tag_binding.binding["environment"] - resource "google_tags_tag_binding" "binding" { - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F572160545943/tagValues/1067159199641" - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F572160545943/tagValues/1067159199641" - # (2 unchanged attributes hidden) - } - - # 
module.branch-network-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.net-sa-ro[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-network-r-sa.google_service_account.service_account[0] has moved to module.net-sa-ro[0].google_service_account.service_account[0] - resource "google_service_account" "service_account" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (8 unchanged attributes hidden) - } - - # module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.net-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.net-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = 
"b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-net-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-network-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.net-sa-rw[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-network-sa.google_service_account.service_account[0] has moved to module.net-sa-rw[0].google_service_account.service_account[0] - resource "google_service_account" "service_account" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (8 unchanged attributes hidden) - } - - # module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.net-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.net-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource 
"google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"] must be replaced --/+ resource "google_organization_iam_member" "bindings" { - ~ etag = "BwYgHinYa9A=" -> (known after apply) - ~ id = <<-EOT - 366118655033/roles/orgpolicy.policyAdmin/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/org_policy_tag_pf_scoped/Org policy tag scoped grant for project factory main./resource.matchTag('366118655033/context', 'project-factory') - EOT -> (known after apply) - # (3 unchanged attributes hidden) - - ~ condition { - ~ description = "Org policy tag scoped grant for project factory main." -> "Org policy tag scoped grant for project factory." # forces replacement - # (2 unchanged attributes hidden) - } - } - - # module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"] will be destroyed - # (because key ["sa_pf_dev_conditional_org_policy"] is not in for_each map) - - resource "google_organization_iam_member" "bindings" { - - etag = "BwYgHqZE5xM=" -> null - - id = <<-EOT - 366118655033/roles/orgpolicy.policyAdmin/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/org_policy_tag_pf_scoped_dev/Org policy tag scoped grant for project factory dev./resource.matchTag('366118655033/context', 'project-factory') - && - resource.matchTag('366118655033/environment', 'development') - EOT -> null - - member = "serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - org_id = "366118655033" -> null - - role = "roles/orgpolicy.policyAdmin" -> null - - - condition { - - description = "Org policy tag scoped grant for project factory dev." 
-> null - - expression = <<-EOT - resource.matchTag('366118655033/context', 'project-factory') - && - resource.matchTag('366118655033/environment', 'development') - EOT -> null - - title = "org_policy_tag_pf_scoped_dev" -> null - } - } - - # module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"] will be destroyed - # (because key ["sa_pf_prod_conditional_org_policy"] is not in for_each map) - - resource "google_organization_iam_member" "bindings" { - - etag = "BwYgHqZE5xM=" -> null - - id = <<-EOT - 366118655033/roles/orgpolicy.policyAdmin/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/org_policy_tag_pf_scoped_prod/Org policy tag scoped grant for project factory prod./resource.matchTag('366118655033/context', 'project-factory') - && - resource.matchTag('366118655033/environment', 'production') - EOT -> null - - member = "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> null - - org_id = "366118655033" -> null - - role = "roles/orgpolicy.policyAdmin" -> null - - - condition { - - description = "Org policy tag scoped grant for project factory prod." -> null - - expression = <<-EOT - resource.matchTag('366118655033/context', 'project-factory') - && - resource.matchTag('366118655033/environment', 'production') - EOT -> null - - title = "org_policy_tag_pf_scoped_prod" -> null - } - } - - # module.organization[0].google_tags_tag_value.default["context/data"] will be destroyed - # (because key ["context/data"] is not in for_each map) - - resource "google_tags_tag_value" "default" { - - create_time = "2023-01-27T15:56:36.985441Z" -> null - - description = "Managed by the Terraform organization module." 
-> null - - id = "tagValues/420824284884" -> null - - name = "420824284884" -> null - - namespaced_name = "366118655033/context/data" -> null - - parent = "tagKeys/123316001138" -> null - - short_name = "data" -> null - - update_time = "2023-01-27T15:56:39.073530Z" -> null - } - - # module.organization[0].google_tags_tag_value.default["context/data-platform"] will be created - + resource "google_tags_tag_value" "default" { - + create_time = (known after apply) - + description = "Managed by the Terraform organization module." - + id = (known after apply) - + name = (known after apply) - + namespaced_name = (known after apply) - + parent = "tagKeys/123316001138" - + short_name = "data-platform" - + update_time = (known after apply) - } - - # module.organization[0].google_tags_tag_value.default["context/nsec"] will be created - + resource "google_tags_tag_value" "default" { - + create_time = (known after apply) - + description = "Managed by the Terraform organization module." - + id = (known after apply) - + name = (known after apply) - + namespaced_name = (known after apply) - + parent = "tagKeys/123316001138" - + short_name = "nsec" - + update_time = (known after apply) - } - - # module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"] will be created - + resource "google_tags_tag_value_iam_binding" "default" { - + etag = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.tagUser" - + tag_value = "tagValues/1067159199641" - } - - # module.branch-pf-gcs.google_storage_bucket.bucket has moved to module.pf-bucket[0].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-resman-pf-0" - name = "ldj-resman-pf-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # 
module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-resman-pf-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-resman-pf-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.pf-sa-ro[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.pf-sa-ro[0].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-pf-r-sa.google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform project factory main service account (read-only)." -> "Terraform resman project factory main service account (read-only)." 
- id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.pf-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.pf-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.pf-sa-rw[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.pf-sa-rw[0].google_service_account.service_account[0] will be updated in-place - # (moved from 
module.branch-pf-sa.google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform project factory main service account." -> "Terraform resman project factory main service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.pf-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.pf-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-security-gcs.google_storage_bucket.bucket has moved to module.sec-bucket[0].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-prod-resman-sec-0" - name = "ldj-prod-resman-sec-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to 
module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-sec-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-sec-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-security-folder.google_folder.folder[0] has moved to module.sec-folder[0].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/251257116248" - name = "folders/251257116248" - # (5 unchanged attributes hidden) - } - - # module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/251257116248" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - } - - # module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/251257116248" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/cloudkms.viewer" - } - - # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/editor"] - resource "google_folder_iam_binding" "authoritative" { - 
id = "folders/251257116248/roles/editor" - # (4 unchanged attributes hidden) - } - - # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/251257116248/roles/logging.admin" - # (4 unchanged attributes hidden) - } - - # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/owner"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/251257116248/roles/owner" - # (4 unchanged attributes hidden) - } - - # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/251257116248/roles/resourcemanager.folderAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/251257116248/roles/resourcemanager.folderViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/251257116248/roles/resourcemanager.projectCreator" - # (4 unchanged attributes hidden) - } - - # 
module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.sec-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/251257116248/roles/viewer" - # (4 unchanged attributes hidden) - } - - # module.sec-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"] will be created - + resource "google_folder_iam_binding" "bindings" { - + etag = (known after apply) - + folder = "folders/251257116248" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.projectIamAdmin" - - + condition { - + description = "Project factory delegated grant." - + expression = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/cloudkms.cryptoKeyEncrypterDecrypter])" - + title = "pf_delegated_grant" - } - } - - # module.branch-security-folder.google_tags_tag_binding.binding["context"] has moved to module.sec-folder[0].google_tags_tag_binding.binding["context"] - resource "google_tags_tag_binding" "binding" { - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F251257116248/tagValues/111937801763" - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F251257116248/tagValues/111937801763" - # (2 unchanged attributes hidden) - } - - # module.branch-security-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.sec-sa-ro[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # 
module.branch-security-r-sa.google_service_account.service_account[0] has moved to module.sec-sa-ro[0].google_service_account.service_account[0] - resource "google_service_account" "service_account" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (8 unchanged attributes hidden) - } - - # module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.sec-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.sec-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-sec-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-security-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.sec-sa-rw[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = 
"ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-security-sa.google_service_account.service_account[0] has moved to module.sec-sa-rw[0].google_service_account.service_account[0] - resource "google_service_account" "service_account" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (8 unchanged attributes hidden) - } - - # module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.sec-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.sec-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["data-platform-dev"].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-dev-resman-dp-0" - name = "ldj-dev-resman-dp-0" - # (16 unchanged attributes hidden) - - # (2 
unchanged blocks hidden) - } - - # module.branch-dp-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-dev-resman-dp-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-dev-resman-dp-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["data-platform-prod"].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-prod-resman-dp-0" - name = "ldj-prod-resman-dp-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # module.branch-dp-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-dp-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-dp-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # 
module.stage3-bucket["gcve-dev"].google_storage_bucket.bucket will be created - + resource "google_storage_bucket" "bucket" { - + effective_labels = (known after apply) - + force_destroy = false - + id = (known after apply) - + location = "EU" - + name = "ldj-dev-resman-gcve-0" - + project = "ldj-prod-iac-core-0" - + project_number = (known after apply) - + public_access_prevention = (known after apply) - + rpo = (known after apply) - + self_link = (known after apply) - + storage_class = "MULTI_REGIONAL" - + terraform_labels = (known after apply) - + uniform_bucket_level_access = true - + url = (known after apply) - - + autoclass { - + enabled = false - + terminal_storage_class = (known after apply) - } - - + soft_delete_policy (known after apply) - - + versioning { - + enabled = true - } - - + website (known after apply) - } - - # module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] will be created - + resource "google_storage_bucket_iam_binding" "authoritative" { - + bucket = "ldj-dev-resman-gcve-0" - + etag = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/storage.objectAdmin" - } - - # module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] will be created - + resource "google_storage_bucket_iam_binding" "authoritative" { - + bucket = "ldj-dev-resman-gcve-0" - + etag = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/storage.objectViewer" - } - - # module.stage3-bucket["gcve-prod"].google_storage_bucket.bucket will be created - + resource "google_storage_bucket" "bucket" { - + effective_labels = (known after apply) - + force_destroy = false - + id = (known after apply) - + location = "EU" - + name = 
"ldj-prod-resman-gcve-0" - + project = "ldj-prod-iac-core-0" - + project_number = (known after apply) - + public_access_prevention = (known after apply) - + rpo = (known after apply) - + self_link = (known after apply) - + storage_class = "MULTI_REGIONAL" - + terraform_labels = (known after apply) - + uniform_bucket_level_access = true - + url = (known after apply) - - + autoclass { - + enabled = false - + terminal_storage_class = (known after apply) - } - - + soft_delete_policy (known after apply) - - + versioning { - + enabled = true - } - - + website (known after apply) - } - - # module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] will be created - + resource "google_storage_bucket_iam_binding" "authoritative" { - + bucket = "ldj-prod-resman-gcve-0" - + etag = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/storage.objectAdmin" - } - - # module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] will be created - + resource "google_storage_bucket_iam_binding" "authoritative" { - + bucket = "ldj-prod-resman-gcve-0" - + etag = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/storage.objectViewer" - } - - # module.branch-gke-dev-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["gke-dev"].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-dev-resman-gke-0" - name = "ldj-dev-resman-gke-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # module.branch-gke-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to 
module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-dev-resman-gke-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-dev-resman-gke-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-gcs[0].google_storage_bucket.bucket has moved to module.stage3-bucket["gke-prod"].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-prod-resman-gke-0" - name = "ldj-prod-resman-gke-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # module.branch-gke-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-gke-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-gke-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-dev-gcs.google_storage_bucket.bucket has moved to module.stage3-bucket["project-factory-dev"].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = 
"ldj-dev-resman-pf-0" - name = "ldj-dev-resman-pf-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-dev-resman-pf-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-dev-resman-pf-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-prod-gcs.google_storage_bucket.bucket has moved to module.stage3-bucket["project-factory-prod"].google_storage_bucket.bucket - resource "google_storage_bucket" "bucket" { - id = "ldj-prod-resman-pf-0" - name = "ldj-prod-resman-pf-0" - # (16 unchanged attributes hidden) - - # (2 unchanged blocks hidden) - } - - # module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] has moved to module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = "b/ldj-prod-resman-pf-0/roles/storage.objectAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] has moved to module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] - resource "google_storage_bucket_iam_binding" "authoritative" { - id = 
"b/ldj-prod-resman-pf-0/roles/storage.objectViewer" - # (4 unchanged attributes hidden) - } - - # module.stage3-bucket["sandbox"].google_storage_bucket.bucket must be replaced - # (moved from module.branch-sandbox-gcs[0].google_storage_bucket.bucket) --/+ resource "google_storage_bucket" "bucket" { - - default_event_based_hold = false -> null - ~ effective_labels = {} -> (known after apply) - - enable_object_retention = false -> null - ~ id = "ldj-dev-resman-sbox-0" -> (known after apply) - - labels = {} -> null - ~ name = "ldj-dev-resman-sbox-0" -> "ldj-dev-resman-sbx-0" # forces replacement - ~ project_number = 1067134626166 -> (known after apply) - ~ public_access_prevention = "inherited" -> (known after apply) - - requester_pays = false -> null - ~ rpo = "DEFAULT" -> (known after apply) - ~ self_link = "https://www.googleapis.com/storage/v1/b/ldj-dev-resman-sbox-0" -> (known after apply) - ~ terraform_labels = {} -> (known after apply) - ~ url = "gs://ldj-dev-resman-sbox-0" -> (known after apply) - # (5 unchanged attributes hidden) - - + autoclass { - + enabled = false - + terminal_storage_class = (known after apply) - } - - ~ soft_delete_policy { - + default_event_based_hold = (known after apply) - + effective_labels = (known after apply) - + enable_object_retention = (known after apply) - + force_destroy = (known after apply) - + id = (known after apply) - + labels = (known after apply) - + location = (known after apply) - + name = (known after apply) - + project = (known after apply) - + project_number = (known after apply) - + public_access_prevention = (known after apply) - + requester_pays = (known after apply) - + rpo = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - + terraform_labels = (known after apply) - + uniform_bucket_level_access = (known after apply) - + url = (known after apply) - } -> (known after apply) - - ~ website { - + default_event_based_hold = (known after apply) - + effective_labels = 
(known after apply) - + enable_object_retention = (known after apply) - + force_destroy = (known after apply) - + id = (known after apply) - + labels = (known after apply) - + location = (known after apply) - + name = (known after apply) - + project = (known after apply) - + project_number = (known after apply) - + public_access_prevention = (known after apply) - + requester_pays = (known after apply) - + rpo = (known after apply) - + self_link = (known after apply) - + storage_class = (known after apply) - + terraform_labels = (known after apply) - + uniform_bucket_level_access = (known after apply) - + url = (known after apply) - } -> (known after apply) - - # (1 unchanged block hidden) - } - - # module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"] must be replaced - # (moved from module.branch-sandbox-gcs[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]) --/+ resource "google_storage_bucket_iam_binding" "authoritative" { - ~ bucket = "b/ldj-dev-resman-sbox-0" -> "ldj-dev-resman-sbx-0" # forces replacement - ~ etag = "CAg=" -> (known after apply) - ~ id = "b/ldj-dev-resman-sbox-0/roles/storage.objectAdmin" -> (known after apply) - ~ members = [ - - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - # (1 unchanged attribute hidden) - } - - # module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"] will be created - + resource "google_storage_bucket_iam_binding" "authoritative" { - + bucket = "ldj-dev-resman-sbx-0" - + etag = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/storage.objectViewer" - } - - # module.branch-dp-dev-folder[0].google_folder.folder[0] has moved to 
module.stage3-folder["data-platform-dev"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/777820411744" - name = "folders/777820411744" - # (5 unchanged attributes hidden) - } - - # module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed - # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) - # (moved from module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYMzP1eKiM=" -> null - - folder = "folders/777820411744" -> null - - id = "folders/777820411744/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - - members = [ - - "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - } - - # module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/777820411744" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/compute.xpnAdmin" - } - - # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/777820411744/roles/logging.admin" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to 
module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/owner"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/777820411744/roles/owner" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/777820411744/roles/resourcemanager.folderAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/777820411744/roles/resourcemanager.folderViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/777820411744/roles/resourcemanager.projectCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-dev-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/viewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/777820411744/roles/viewer" - # (4 unchanged attributes hidden) - } - - # module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["context"] will be destroyed - # (because key ["context"] is not in for_each map) - # (moved from 
module.branch-dp-dev-folder[0].google_tags_tag_binding.binding["context"]) - - resource "google_tags_tag_binding" "binding" { - - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F777820411744/tagValues/1028757044334" -> null - - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F777820411744/tagValues/1028757044334" -> null - - parent = "//cloudresourcemanager.googleapis.com/folders/777820411744" -> null - - tag_value = "tagValues/1028757044334" -> null - } - - # module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["environment"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = "//cloudresourcemanager.googleapis.com/folders/777820411744" - + tag_value = "tagValues/1028757044334" - } - - # module.branch-dp-prod-folder[0].google_folder.folder[0] has moved to module.stage3-folder["data-platform-prod"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/447111401824" - name = "folders/447111401824" - # (5 unchanged attributes hidden) - } - - # module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"] will be destroyed - # (because key ["organizations/366118655033/roles/serviceProjectNetworkAdmin"] is not in for_each map) - # (moved from module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["organizations/366118655033/roles/serviceProjectNetworkAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYMzPxoric=" -> null - - folder = "folders/447111401824" -> null - - id = "folders/447111401824/organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - - members = [ - - "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = "organizations/366118655033/roles/serviceProjectNetworkAdmin" -> null - } - - # 
module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/447111401824" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/compute.xpnAdmin" - } - - # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/447111401824/roles/logging.admin" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/owner"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/447111401824/roles/owner" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/447111401824/roles/resourcemanager.folderAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/447111401824/roles/resourcemanager.folderViewer" - # (4 unchanged attributes hidden) - } - - # 
module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/447111401824/roles/resourcemanager.projectCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/viewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/447111401824/roles/viewer" - # (4 unchanged attributes hidden) - } - - # module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["context"] will be destroyed - # (because key ["context"] is not in for_each map) - # (moved from module.branch-dp-prod-folder[0].google_tags_tag_binding.binding["context"]) - - resource "google_tags_tag_binding" "binding" { - - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F447111401824/tagValues/1067159199641" -> null - - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F447111401824/tagValues/1067159199641" -> null - - parent = "//cloudresourcemanager.googleapis.com/folders/447111401824" -> null - - tag_value = "tagValues/1067159199641" -> null - } - - # module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["environment"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = "//cloudresourcemanager.googleapis.com/folders/447111401824" - + tag_value = "tagValues/1067159199641" - } - - # module.stage3-folder["gcve-dev"].google_folder.folder[0] will be created - + resource "google_folder" "folder" { - + create_time = (known after apply) - + display_name = "Development" - + folder_id = (known after 
apply) - + id = (known after apply) - + lifecycle_state = (known after apply) - + name = (known after apply) - + parent = (known after apply) - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/compute.xpnAdmin" - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/logging.admin" - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/owner"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/owner" - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.folderAdmin" - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] will be created - + resource "google_folder_iam_binding" 
"authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.folderViewer" - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.projectCreator" - } - - # module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/viewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/viewer" - } - - # module.stage3-folder["gcve-dev"].google_tags_tag_binding.binding["environment"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = (known after apply) - + tag_value = "tagValues/1028757044334" - } - - # module.stage3-folder["gcve-prod"].google_folder.folder[0] will be created - + resource "google_folder" "folder" { - + create_time = (known after apply) - + display_name = "Production" - + folder_id = (known after apply) - + id = (known after apply) - + lifecycle_state = (known after apply) - + name = (known after apply) - + parent = (known after apply) - } - - # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + 
folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/compute.xpnAdmin" - } - - # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/logging.admin" - } - - # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/owner"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/owner" - } - - # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.folderAdmin" - } - - # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.folderViewer" - } - - # 
module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.projectCreator" - } - - # module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/viewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = (known after apply) - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-prod-resman-gcve-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/viewer" - } - - # module.stage3-folder["gcve-prod"].google_tags_tag_binding.binding["environment"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = (known after apply) - + tag_value = "tagValues/1067159199641" - } - - # module.branch-gke-dev-folder[0].google_folder.folder[0] has moved to module.stage3-folder["gke-dev"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/39661087317" - name = "folders/39661087317" - # (5 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/compute.xpnAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"] - resource 
"google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/logging.admin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/owner"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/owner" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/resourcemanager.folderAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/resourcemanager.folderViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/resourcemanager.projectCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-dev-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/viewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/39661087317/roles/viewer" - # (4 unchanged attributes hidden) 
- } - - # module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["context"] will be destroyed - # (because key ["context"] is not in for_each map) - # (moved from module.branch-gke-dev-folder[0].google_tags_tag_binding.binding["context"]) - - resource "google_tags_tag_binding" "binding" { - - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F39661087317/tagValues/1028757044334" -> null - - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F39661087317/tagValues/1028757044334" -> null - - parent = "//cloudresourcemanager.googleapis.com/folders/39661087317" -> null - - tag_value = "tagValues/1028757044334" -> null - } - - # module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["environment"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = "//cloudresourcemanager.googleapis.com/folders/39661087317" - + tag_value = "tagValues/1028757044334" - } - - # module.branch-gke-prod-folder[0].google_folder.folder[0] has moved to module.stage3-folder["gke-prod"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/810789977048" - name = "folders/810789977048" - # (5 unchanged attributes hidden) - } - - # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/compute.xpnAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/logging.admin" - # (4 unchanged attributes hidden) - } - - 
# module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/owner"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/owner"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/owner" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/resourcemanager.folderAdmin" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/resourcemanager.folderViewer" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/resourcemanager.projectCreator" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-folder[0].google_folder_iam_binding.authoritative["roles/viewer"] has moved to module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/viewer"] - resource "google_folder_iam_binding" "authoritative" { - id = "folders/810789977048/roles/viewer" - # (4 unchanged attributes hidden) - } - - # module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["context"] will be destroyed - # (because key 
["context"] is not in for_each map) - # (moved from module.branch-gke-prod-folder[0].google_tags_tag_binding.binding["context"]) - - resource "google_tags_tag_binding" "binding" { - - id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F810789977048/tagValues/1067159199641" -> null - - name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F810789977048/tagValues/1067159199641" -> null - - parent = "//cloudresourcemanager.googleapis.com/folders/810789977048" -> null - - tag_value = "tagValues/1067159199641" -> null - } - - # module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["environment"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = "//cloudresourcemanager.googleapis.com/folders/810789977048" - + tag_value = "tagValues/1067159199641" - } - - # module.branch-sandbox-folder[0].google_folder.folder[0] has moved to module.stage3-folder["sandbox"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/245438209825" - name = "folders/245438209825" - # (5 unchanged attributes hidden) - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/245438209825" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/compute.xpnAdmin" - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/logging.admin"] will be updated in-place - # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"]) - ~ resource "google_folder_iam_binding" "authoritative" { - id = "folders/245438209825/roles/logging.admin" - ~ members = [ - - 
"serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - # (3 unchanged attributes hidden) - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/owner"] will be updated in-place - # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/owner"]) - ~ resource "google_folder_iam_binding" "authoritative" { - id = "folders/245438209825/roles/owner" - ~ members = [ - - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - # (3 unchanged attributes hidden) - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] will be updated in-place - # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]) - ~ resource "google_folder_iam_binding" "authoritative" { - id = "folders/245438209825/roles/resourcemanager.folderAdmin" - ~ members = [ - - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - # (3 unchanged attributes hidden) - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/245438209825" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/resourcemanager.folderViewer" - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] will be updated in-place - # (moved 
from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]) - ~ resource "google_folder_iam_binding" "authoritative" { - id = "folders/245438209825/roles/resourcemanager.projectCreator" - ~ members = [ - - "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - + "serviceAccount:ldj-dev-resman-sbx-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - # (3 unchanged attributes hidden) - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/storage.objectAdmin"] will be destroyed - # (because key ["roles/storage.objectAdmin"] is not in for_each map) - # (moved from module.branch-sandbox-folder[0].google_folder_iam_binding.authoritative["roles/storage.objectAdmin"]) - - resource "google_folder_iam_binding" "authoritative" { - - etag = "BwYcGo1gLew=" -> null - - folder = "folders/245438209825" -> null - - id = "folders/245438209825/roles/storage.objectAdmin" -> null - - members = [ - - "serviceAccount:ldj-dev-sbox-dualrun-0@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] -> null - - role = "roles/storage.objectAdmin" -> null - } - - # module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/viewer"] will be created - + resource "google_folder_iam_binding" "authoritative" { - + etag = (known after apply) - + folder = "folders/245438209825" - + id = (known after apply) - + members = [ - + "serviceAccount:ldj-dev-resman-sbx-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com", - ] - + role = "roles/viewer" - } - - # module.stage3-folder["sandbox"].google_org_policy_policy.default["compute.vmExternalIpAccess"] will be destroyed - # (because key ["compute.vmExternalIpAccess"] is not in for_each map) - # (moved from module.branch-sandbox-folder[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]) - - resource "google_org_policy_policy" "default" { - - etag = "CMaZgaAGEPDbygw=-" -> null - - id = 
"folders/245438209825/policies/compute.vmExternalIpAccess" -> null - - name = "compute.vmExternalIpAccess" -> null - - parent = "folders/245438209825" -> null - - - spec { - - etag = "CMaZgaAGEPDbygw=" -> null - - inherit_from_parent = false -> null - - reset = false -> null - - update_time = "2023-03-02T07:14:14.026390Z" -> null - - - rules { - - allow_all = "TRUE" -> null - # (2 unchanged attributes hidden) - } - } - } - - # module.stage3-folder["sandbox"].google_org_policy_policy.default["sql.restrictPublicIp"] will be destroyed - # (because key ["sql.restrictPublicIp"] is not in for_each map) - # (moved from module.branch-sandbox-folder[0].google_org_policy_policy.default["sql.restrictPublicIp"]) - - resource "google_org_policy_policy" "default" { - - etag = "CNr9nLIGELj/rMEC-" -> null - - id = "folders/245438209825/policies/sql.restrictPublicIp" -> null - - name = "sql.restrictPublicIp" -> null - - parent = "folders/245438209825" -> null - - - spec { - - etag = "CNr9nLIGELj/rMEC" -> null - - inherit_from_parent = false -> null - - reset = false -> null - - update_time = "2024-05-17T11:26:18.673923Z" -> null - - - rules { - - enforce = "TRUE" -> null - # (2 unchanged attributes hidden) - } - } - } - - # module.stage3-folder["sandbox"].google_tags_tag_binding.binding["context"] must be replaced - # (moved from module.branch-sandbox-folder[0].google_tags_tag_binding.binding["context"]) --/+ resource "google_tags_tag_binding" "binding" { - ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F245438209825/tagValues/918078731612" -> (known after apply) - ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F245438209825/tagValues/918078731612" -> (known after apply) - ~ tag_value = "tagValues/918078731612" # forces replacement -> (known after apply) # forces replacement - # (1 unchanged attribute hidden) - } - - # module.stage3-folder["sandbox"].google_tags_tag_binding.binding["environment"] will be created - + resource 
"google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = "//cloudresourcemanager.googleapis.com/folders/245438209825" - + tag_value = "tagValues/1028757044334" - } - - # module.branch-dp-dev-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-ro["data-platform-dev"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-dp-dev-r-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform data platform development service account (read-only)." -> "Terraform resman data-platform-dev service account (read-only)." 
- id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-dp-dev-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-dp-dev-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-dev-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-dp-prod-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["data-platform-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # 
module.stage3-sa-ro["data-platform-prod"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-dp-prod-r-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform data platform production service account (read-only)." -> "Terraform resman data-platform-prod service account (read-only)." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-dp-prod-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-dp-prod-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-dp-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created - + 
resource "google_project_iam_member" "project-roles" { - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + project = "ldj-prod-iac-core-0" - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # module.stage3-sa-ro["gcve-dev"].google_service_account.service_account[0] will be created - + resource "google_service_account" "service_account" { - + account_id = "ldj-dev-resman-gcve-0r" - + disabled = false - + display_name = "Terraform resman gcve-dev service account (read-only)." - + email = (known after apply) - + id = (known after apply) - + member = (known after apply) - + name = (known after apply) - + project = "ldj-prod-iac-core-0" - + unique_id = (known after apply) - } - - # module.stage3-sa-ro["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created - + resource "google_service_account_iam_binding" "authoritative" { - + etag = (known after apply) - + id = (known after apply) - + role = "roles/iam.serviceAccountTokenCreator" - + service_account_id = (known after apply) - } - - # module.stage3-sa-ro["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] will be created - + resource "google_storage_bucket_iam_member" "bucket-roles" { - + bucket = "ldj-prod-iac-core-outputs-0" - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + role = "organizations/366118655033/roles/storageViewer" - } - - # module.stage3-sa-ro["gcve-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created - + resource "google_project_iam_member" "project-roles" { - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + project = "ldj-prod-iac-core-0" - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # 
module.stage3-sa-ro["gcve-prod"].google_service_account.service_account[0] will be created - + resource "google_service_account" "service_account" { - + account_id = "ldj-prod-resman-gcve-0r" - + disabled = false - + display_name = "Terraform resman gcve-prod service account (read-only)." - + email = (known after apply) - + id = (known after apply) - + member = (known after apply) - + name = (known after apply) - + project = "ldj-prod-iac-core-0" - + unique_id = (known after apply) - } - - # module.stage3-sa-ro["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created - + resource "google_service_account_iam_binding" "authoritative" { - + etag = (known after apply) - + id = (known after apply) - + role = "roles/iam.serviceAccountTokenCreator" - + service_account_id = (known after apply) - } - - # module.stage3-sa-ro["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] will be created - + resource "google_storage_bucket_iam_member" "bucket-roles" { - + bucket = "ldj-prod-iac-core-outputs-0" - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + role = "organizations/366118655033/roles/storageViewer" - } - - # module.branch-gke-dev-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["gke-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-ro["gke-dev"].google_service_account.service_account[0] will be updated in-place - # (moved from 
module.branch-gke-dev-r-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform gke multitenant development service account (read-only)." -> "Terraform resman gke-dev service account (read-only)." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-gke-dev-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-gke-dev-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["gke-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-dev-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-gke-prod-r-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["gke-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource 
"google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-ro["gke-prod"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-gke-prod-r-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform gke multitenant production service account (read-only)." -> "Terraform resman gke-prod service account (read-only)." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-gke-prod-r-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-gke-prod-r-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["gke-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = 
"b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-gke-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["project-factory-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-ro["project-factory-dev"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-pf-dev-r-sa.google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform project factory development service account (read-only)." -> "Terraform resman project-factory-dev service account (read-only)." 
- id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-dev-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-ro["project-factory-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # 
module.stage3-sa-ro["project-factory-prod"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-pf-prod-r-sa.google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform project factory production service account (read-only)." -> "Terraform resman project-factory-prod service account (read-only)." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-ro["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] has moved to module.stage3-sa-ro["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/organizations/366118655033/roles/storageViewer/serviceAccount:ldj-prod-resman-pf-0r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-ro["sandbox"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created - + 
resource "google_project_iam_member" "project-roles" { - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + project = "ldj-prod-iac-core-0" - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # module.stage3-sa-ro["sandbox"].google_service_account.service_account[0] will be created - + resource "google_service_account" "service_account" { - + account_id = "ldj-dev-resman-sbx-0r" - + disabled = false - + display_name = "Terraform resman sandbox service account (read-only)." - + email = (known after apply) - + id = (known after apply) - + member = (known after apply) - + name = (known after apply) - + project = "ldj-prod-iac-core-0" - + unique_id = (known after apply) - } - - # module.stage3-sa-ro["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created - + resource "google_service_account_iam_binding" "authoritative" { - + etag = (known after apply) - + id = (known after apply) - + role = "roles/iam.serviceAccountTokenCreator" - + service_account_id = (known after apply) - } - - # module.stage3-sa-ro["sandbox"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-organizations/366118655033/roles/storageViewer"] will be created - + resource "google_storage_bucket_iam_member" "bucket-roles" { - + bucket = "ldj-prod-iac-core-outputs-0" - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + role = "organizations/366118655033/roles/storageViewer" - } - - # module.branch-dp-dev-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = 
"ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["data-platform-dev"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-dp-dev-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform data platform development service account." -> "Terraform resman data-platform-dev service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-dp-dev-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-dp-dev-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # 
module.stage3-sa-rw["data-platform-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created - + resource "google_project_iam_member" "project-roles" { - + etag = (known after apply) - + id = (known after apply) - + member = "serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - + project = "ldj-prod-iac-core-0" - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # module.stage3-sa-rw["data-platform-prod"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-dp-prod-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform data platform production service account." -> "Terraform resman data-platform-prod service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-dp-prod-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-dp-prod-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource 
"google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created - + resource "google_project_iam_member" "project-roles" { - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + project = "ldj-prod-iac-core-0" - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # module.stage3-sa-rw["gcve-dev"].google_service_account.service_account[0] will be created - + resource "google_service_account" "service_account" { - + account_id = "ldj-dev-resman-gcve-0" - + disabled = false - + display_name = "Terraform resman gcve-dev service account." - + email = (known after apply) - + id = (known after apply) - + member = (known after apply) - + name = (known after apply) - + project = "ldj-prod-iac-core-0" - + unique_id = (known after apply) - } - - # module.stage3-sa-rw["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created - + resource "google_service_account_iam_binding" "authoritative" { - + etag = (known after apply) - + id = (known after apply) - + role = "roles/iam.serviceAccountTokenCreator" - + service_account_id = (known after apply) - } - - # module.stage3-sa-rw["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] will be created - + resource "google_storage_bucket_iam_member" "bucket-roles" { - + bucket = "ldj-prod-iac-core-outputs-0" - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + role = "roles/storage.objectAdmin" - } - - # 
module.stage3-sa-rw["gcve-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] will be created - + resource "google_project_iam_member" "project-roles" { - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + project = "ldj-prod-iac-core-0" - + role = "roles/serviceusage.serviceUsageConsumer" - } - - # module.stage3-sa-rw["gcve-prod"].google_service_account.service_account[0] will be created - + resource "google_service_account" "service_account" { - + account_id = "ldj-prod-resman-gcve-0" - + disabled = false - + display_name = "Terraform resman gcve-prod service account." - + email = (known after apply) - + id = (known after apply) - + member = (known after apply) - + name = (known after apply) - + project = "ldj-prod-iac-core-0" - + unique_id = (known after apply) - } - - # module.stage3-sa-rw["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created - + resource "google_service_account_iam_binding" "authoritative" { - + etag = (known after apply) - + id = (known after apply) - + role = "roles/iam.serviceAccountTokenCreator" - + service_account_id = (known after apply) - } - - # module.stage3-sa-rw["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] will be created - + resource "google_storage_bucket_iam_member" "bucket-roles" { - + bucket = "ldj-prod-iac-core-outputs-0" - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + role = "roles/storage.objectAdmin" - } - - # module.branch-gke-dev-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["gke-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id 
= "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["gke-dev"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-gke-dev-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform gke multitenant dev service account." -> "Terraform resman gke-dev service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.stage3-sa-rw["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be updated in-place - # (moved from module.branch-gke-dev-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]) - ~ resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - ~ members = [ - - "group:gcp-devops@ludo.joonix.net", - ] - # (3 unchanged attributes hidden) - } - - # module.branch-gke-dev-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["gke-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # 
module.branch-gke-prod-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["gke-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["gke-prod"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-gke-prod-sa[0].google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform gke multitenant prod service account." -> "Terraform resman gke-prod service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.stage3-sa-rw["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be updated in-place - # (moved from module.branch-gke-prod-sa[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]) - ~ resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - ~ members = [ - - "group:gcp-devops@ludo.joonix.net", - ] - # (3 unchanged attributes hidden) - } - - # module.branch-gke-prod-sa[0].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to 
module.stage3-sa-rw["gke-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-dev-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["project-factory-dev"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["project-factory-dev"].google_service_account.service_account[0] will be updated in-place - # (moved from module.branch-pf-dev-sa.google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform project factory development service account." -> "Terraform resman project-factory-dev service account." 
- id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.branch-pf-prod-sa.google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] has moved to module.stage3-sa-rw["project-factory-prod"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] - resource "google_project_iam_member" "project-roles" { - id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["project-factory-prod"].google_service_account.service_account[0] will be updated in-place 
- # (moved from module.branch-pf-prod-sa.google_service_account.service_account[0]) - ~ resource "google_service_account" "service_account" { - ~ display_name = "Terraform project factory production service account." -> "Terraform resman project-factory-prod service account." - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (7 unchanged attributes hidden) - } - - # module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] has moved to module.stage3-sa-rw["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - resource "google_service_account_iam_binding" "authoritative" { - id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator" - # (3 unchanged attributes hidden) - } - - # module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] has moved to module.stage3-sa-rw["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] - resource "google_storage_bucket_iam_member" "bucket-roles" { - id = "b/ldj-prod-iac-core-outputs-0/roles/storage.objectAdmin/serviceAccount:ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["sandbox"].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"] must be replaced - # (moved from module.branch-sandbox-sa[0].google_project_iam_member.project-roles["ldj-prod-iac-core-0-roles/serviceusage.serviceUsageConsumer"]) --/+ resource "google_project_iam_member" "project-roles" { - ~ 
etag = "BwYedUGoTDM=" -> (known after apply) - ~ id = "ldj-prod-iac-core-0/roles/serviceusage.serviceUsageConsumer/serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) - ~ member = "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" # forces replacement -> (known after apply) # forces replacement - # (2 unchanged attributes hidden) - } - - # module.stage3-sa-rw["sandbox"].google_service_account.service_account[0] must be replaced - # (moved from module.branch-sandbox-sa[0].google_service_account.service_account[0]) --/+ resource "google_service_account" "service_account" { - ~ account_id = "ldj-dev-resman-sbox-0" -> "ldj-dev-resman-sbx-0" # forces replacement - ~ email = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) - ~ id = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) - ~ member = "serviceAccount:ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) - ~ name = "projects/ldj-prod-iac-core-0/serviceAccounts/ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" -> (known after apply) - ~ unique_id = "117443430578520793344" -> (known after apply) - # (4 unchanged attributes hidden) - } - - # module.stage3-sa-rw["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] will be created - + resource "google_service_account_iam_binding" "authoritative" { - + etag = (known after apply) - + id = (known after apply) - + role = "roles/iam.serviceAccountTokenCreator" - + service_account_id = (known after apply) - } - - # module.stage3-sa-rw["sandbox"].google_storage_bucket_iam_member.bucket-roles["ldj-prod-iac-core-outputs-0-roles/storage.objectAdmin"] will be created - + resource "google_storage_bucket_iam_member" "bucket-roles" { - + bucket = 
"ldj-prod-iac-core-outputs-0" - + etag = (known after apply) - + id = (known after apply) - + member = (known after apply) - + role = "roles/storage.objectAdmin" - } - - # module.branch-dp-folder[0].google_folder.folder[0] has moved to module.top-level-folder["data-platform"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/1004589610177" - name = "folders/1004589610177" - # (5 unchanged attributes hidden) - } - - # module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"] must be replaced - # (moved from module.branch-dp-folder[0].google_tags_tag_binding.binding["context"]) --/+ resource "google_tags_tag_binding" "binding" { - ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F1004589610177/tagValues/420824284884" -> (known after apply) - ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F1004589610177/tagValues/420824284884" -> (known after apply) - ~ tag_value = "tagValues/420824284884" # forces replacement -> (known after apply) # forces replacement - # (1 unchanged attribute hidden) - } - - # module.top-level-folder["gcve"].google_folder.folder[0] will be created - + resource "google_folder" "folder" { - + create_time = (known after apply) - + display_name = "GCVE" - + folder_id = (known after apply) - + id = (known after apply) - + lifecycle_state = (known after apply) - + name = (known after apply) - + parent = "organizations/366118655033" - } - - # module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"] will be created - + resource "google_tags_tag_binding" "binding" { - + id = (known after apply) - + name = (known after apply) - + parent = (known after apply) - + tag_value = (known after apply) - } - - # module.branch-gke-folder[0].google_folder.folder[0] has moved to module.top-level-folder["gke"].google_folder.folder[0] - resource "google_folder" "folder" { - id = "folders/219618653183" - name = "folders/219618653183" - # (5 unchanged attributes 
hidden) - } - - # module.top-level-folder["gke"].google_tags_tag_binding.binding["context"] must be replaced - # (moved from module.branch-gke-folder[0].google_tags_tag_binding.binding["context"]) --/+ resource "google_tags_tag_binding" "binding" { - ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F219618653183/tagValues/1084887265324" -> (known after apply) - ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F219618653183/tagValues/1084887265324" -> (known after apply) - ~ tag_value = "tagValues/1084887265324" # forces replacement -> (known after apply) # forces replacement - # (1 unchanged attribute hidden) - } - - # module.top-level-folder["teams"].google_tags_tag_binding.binding["context"] must be replaced --/+ resource "google_tags_tag_binding" "binding" { - ~ id = "tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F551661226665/tagValues/281477339751191" -> (known after apply) - ~ name = "%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F551661226665/tagValues/281477339751191" -> (known after apply) - ~ tag_value = "tagValues/281477339751191" # forces replacement -> (known after apply) # forces replacement - # (1 unchanged attribute hidden) - } - -Plan: 123 to add, 33 to change, 62 to destroy. 
- -Changes to Outputs: - ~ cicd_repositories = { - ~ networking = { - - branch = "main" - - name = "ludomagno/networking" - + repository = { - + branch = "main" - + name = "ludomagno/networking" - + parent_id = null - + type = "github" - } - - service_account = { - - apply = "ldj-prod-resman-net-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - plan = "ldj-prod-resman-net-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - # (1 unchanged attribute hidden) - } - ~ security = { - - branch = null - - name = "ludomagno/fast-test" - + repository = { - + branch = null - + name = "ludomagno/security" - + type = "gitlab" - } - - service_account = { - - apply = "ldj-prod-resman-sec-1@ldj-prod-iac-core-0.iam.gserviceaccount.com" - - plan = "ldj-prod-resman-sec-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - # (1 unchanged attribute hidden) - } - } - - dataplatform = { - - dev = { - - folder = "folders/777820411744" - - gcs_bucket = "ldj-dev-resman-dp-0" - - service_account = "ldj-dev-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - prod = { - - folder = "folders/447111401824" - - gcs_bucket = "ldj-prod-resman-dp-0" - - service_account = "ldj-prod-resman-dp-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } -> null - ~ folder_ids = { - + data-platform = "folders/1004589610177" - + gcve = (known after apply) - + gcve-dev = (known after apply) - + gcve-prod = (known after apply) - + gke = "folders/219618653183" - + security-dev = null - + security-prod = null - # (11 unchanged attributes hidden) - } - - gcve = {} -> null - - gke_multitenant = { - - dev = { - - folder = "folders/39661087317" - - gcs_bucket = "ldj-dev-resman-gke-0" - - service_account = "ldj-dev-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - prod = { - - folder = "folders/810789977048" - - gcs_bucket = "ldj-prod-resman-gke-0" - - service_account = "ldj-prod-resman-gke-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } -> null - - networking = { - - folder = 
"folders/843203210689" - - gcs_bucket = "ldj-prod-resman-net-0" - - service_account = "serviceAccount:ldj-prod-resman-net-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } -> null - - project_factories = { - - dev = { - - bucket = "ldj-dev-resman-pf-0" - - sa = "ldj-dev-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - main = { - - bucket = "ldj-resman-pf-0" - - sa = "ldj-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - - prod = { - - bucket = "ldj-prod-resman-pf-0" - - sa = "ldj-prod-resman-pf-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } - } -> null - ~ providers = (sensitive value) - - sandbox = { - - folder = "folders/245438209825" - - gcs_bucket = "ldj-dev-resman-sbox-0" - - service_account = "ldj-dev-resman-sbox-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } -> null - - security = { - - folder = "folders/251257116248" - - gcs_bucket = "ldj-prod-resman-sec-0" - - service_account = "serviceAccount:ldj-prod-resman-sec-0@ldj-prod-iac-core-0.iam.gserviceaccount.com" - } -> null - ~ tfvars = (sensitive value) - -Warning: Value for undeclared variable - -The root module does not declare a variable named "environments" but a value was found in file "0-globals.auto.tfvars.json". If you meant to use this value, add a "variable" -block to the configuration. - -To silence these warnings, use TF_VAR_... environment variables to provide certain "global" settings to all configurations in your organization. To reduce the verbosity of -these warnings, use the -compact-warnings option. - -Warning: Value for undeclared variable - -The root module does not declare a variable named "org_policy_tags" but a value was found in file "0-bootstrap.auto.tfvars.json". If you meant to use this value, add a -"variable" block to the configuration. - -To silence these warnings, use TF_VAR_... environment variables to provide certain "global" settings to all configurations in your organization. 
To reduce the verbosity of
-these warnings, use the -compact-warnings option.
-
-─────────────────────────────────────────────────────────────────────────────
-
-Note: You didn't use the -out option to save this plan, so Terraform can't
-guarantee to take exactly these actions if you run "terraform apply" now.
From e8a6ce9bf4f8f88770270192b0b916222cb1c4ae Mon Sep 17 00:00:00 2001
From: Ludo
Date: Fri, 30 Aug 2024 19:22:12 +0200
Subject: [PATCH 12/94] fasts tage 1 tests
---
tests/fast/stages/s1_resman/checklist.yaml | 875 +---------
tests/fast/stages/s1_resman/simple.yaml | 1800 +++++++++++++-------
2 files changed, 1229 insertions(+), 1446 deletions(-)
diff --git a/tests/fast/stages/s1_resman/checklist.yaml b/tests/fast/stages/s1_resman/checklist.yaml
index 4fe2b0647c..e06eec6ffd 100644
--- a/tests/fast/stages/s1_resman/checklist.yaml
+++ b/tests/fast/stages/s1_resman/checklist.yaml
@@ -13,671 +13,6 @@ # limitations under the License. values: - google_storage_bucket_object.providers["2-networking"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-networking-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-networking-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-networking-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory"]: - bucket: test - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-dev"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-dev-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-dev-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-dev-r-providers.tf - retention: [] - source: null - 
temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-prod"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-prod-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-prod-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-prod-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-r"]: - bucket: test - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-security"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-security-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-security-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-security-r-providers.tf - retention: [] - source: null - temporary_hold: null - 
timeouts: null - google_storage_bucket_object.tfvars: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: tfvars/1-resman.auto.tfvars.json - retention: [] - source: null - temporary_hold: null - timeouts: null - module.branch-network-dev-folder.google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] - : condition: [] - members: null - role: organizations/123456789012/roles/gcveNetworkAdmin - ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] - : condition: [] - members: - - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: organizations/123456789012/roles/xpnServiceAdmin - module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/compute.networkViewer - module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]: - timeouts: null - module.branch-network-folder.google_folder.folder[0]: - display_name: Networking - parent: organizations/123456789012 - timeouts: null - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/compute.xpnAdmin - 
module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]: - condition: [] - members: - - group:gcp-vpc-network-admins@fast.example.com - role: roles/editor - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/logging.admin - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/owner - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderViewer - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.branch-network-folder.google_tags_tag_binding.binding["context"]: - timeouts: null - module.branch-network-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: 
null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-net-0 - project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-net-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-net-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - module.branch-network-prod-folder.google_folder.folder[0]: - display_name: Production - timeouts: null - ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] - : condition: [] - members: null - role: organizations/123456789012/roles/gcveNetworkAdmin - ? 
module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] - : condition: [] - members: - - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: organizations/123456789012/roles/xpnServiceAdmin - module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/compute.networkViewer - module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]: - timeouts: null - ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-network-r-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-net-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman networking service account (read-only). - project: fast-prod-automation - timeouts: null - module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test - condition: [] - role: organizations/123456789012/roles/storageViewer - ? 
module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-network-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-net-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman networking service account. - project: fast-prod-automation - timeouts: null - module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test - condition: [] - role: roles/storage.objectAdmin - module.branch-pf-dev-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-dev-resman-pf-0 - project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-dev-resman-pf-0 - condition: [] - members: - - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-dev-resman-pf-0 - condition: [] - members: - - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - ? 
module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-dev-r-sa.google_service_account.service_account[0]: - account_id: fast2-dev-resman-pf-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform project factory development service account (read-only). - project: fast-prod-automation - timeouts: null - module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test - condition: [] - role: organizations/123456789012/roles/storageViewer - ? module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-dev-sa.google_service_account.service_account[0]: - account_id: fast2-dev-resman-pf-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform project factory development service account. 
- project: fast-prod-automation - timeouts: null - module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test - condition: [] - role: roles/storage.objectAdmin - module.branch-pf-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-resman-pf-0 - project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-resman-pf-0 - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-resman-pf-0 - condition: [] - members: - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - module.branch-pf-prod-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-pf-0 - project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - 
module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-pf-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-pf-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-prod-r-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-pf-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform project factory production service account (read-only). - project: fast-prod-automation - timeouts: null - module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test - condition: [] - role: organizations/123456789012/roles/storageViewer - ? 
module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-prod-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-pf-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform project factory production service account. - project: fast-prod-automation - timeouts: null - module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test - condition: [] - role: roles/storage.objectAdmin - ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-r-sa.google_service_account.service_account[0]: - account_id: fast2-resman-pf-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform project factory main service account (read-only). - project: fast-prod-automation - timeouts: null - module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: - bucket: test - condition: [] - role: organizations/123456789012/roles/storageViewer - ? 
module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-sa.google_service_account.service_account[0]: - account_id: fast2-resman-pf-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform project factory main service account. - project: fast-prod-automation - timeouts: null - module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test - condition: [] - role: roles/storage.objectAdmin - module.branch-security-folder.google_folder.folder[0]: - display_name: Security - parent: organizations/123456789012 - timeouts: null - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]: - condition: [] - members: - - group:gcp-security-admins@fast.example.com - role: roles/editor - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/logging.admin - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/owner - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - 
module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderViewer - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]: - condition: - - description: Certificate Authority Service delegated grants. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager']) - title: security_sa_delegated_grants - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderIamAdmin - module.branch-security-folder.google_tags_tag_binding.binding["context"]: - timeouts: null - module.branch-security-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-sec-0 - project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-sec-0 - 
condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-sec-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - ? module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-security-r-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-sec-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman security service account (read-only). - project: fast-prod-automation - timeouts: null - module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test - condition: [] - role: organizations/123456789012/roles/storageViewer - ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.branch-security-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-sec-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman security service account. 
- project: fast-prod-automation - timeouts: null - module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test - condition: [] - role: roles/storage.objectAdmin module.checklist-folder-1["Common"].google_folder.folder[0]: display_name: Common parent: organizations/123456789012 
@@ -1078,205 +413,21 @@ values: module.checklist-folder-3["Department 3/Team 4/Production"].google_folder.folder[0]: display_name: Production timeouts: null - module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]: - condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]: - condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/compute.orgFirewallPolicyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]: - condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/compute.xpnAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]: - condition: [] - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: - condition: - - description: Org policy tag scoped grant for project factory main. 
- expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - - ' - title: org_policy_tag_pf_scoped - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]: - condition: [] - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.costsManager - module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]: - condition: [] - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]: - condition: - - description: Org policy tag scoped grant for project factory dev. - expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - - && - - resource.matchTag(''123456789012/environment'', ''development'') - - ' - title: org_policy_tag_pf_scoped_dev - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]: - condition: [] - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.costsManager - module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]: - condition: [] - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]: - condition: - - description: Org policy tag scoped grant for project factory 
prod. - expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - - && - - resource.matchTag(''123456789012/environment'', ''production'') - - ' - title: org_policy_tag_pf_scoped_prod - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]: - condition: [] - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.costsManager - module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: - condition: [] - member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/cloudasset.viewer - module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]: - condition: [] - member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_tags_tag_key.default["context"]: - description: Resource management context. - parent: organizations/123456789012 - purpose: null - purpose_data: null - short_name: context - timeouts: null - module.organization[0].google_tags_tag_key.default["environment"]: - description: Environment definition. - parent: organizations/123456789012 - purpose: null - purpose_data: null - short_name: environment - timeouts: null - module.organization[0].google_tags_tag_value.default["context/data"]: - description: Managed by the Terraform organization module. - short_name: data - timeouts: null - module.organization[0].google_tags_tag_value.default["context/gcve"]: - description: Managed by the Terraform organization module. 
- short_name: gcve - timeouts: null - module.organization[0].google_tags_tag_value.default["context/gke"]: - description: Managed by the Terraform organization module. - short_name: gke - timeouts: null - module.organization[0].google_tags_tag_value.default["context/networking"]: - description: Managed by the Terraform organization module. - short_name: networking - timeouts: null - module.organization[0].google_tags_tag_value.default["context/project-factory"]: - description: Managed by the Terraform organization module. - short_name: project-factory - timeouts: null - module.organization[0].google_tags_tag_value.default["context/sandbox"]: - description: Managed by the Terraform organization module. - short_name: sandbox - timeouts: null - module.organization[0].google_tags_tag_value.default["context/security"]: - description: Managed by the Terraform organization module. - short_name: security - timeouts: null - module.organization[0].google_tags_tag_value.default["environment/development"]: - description: Managed by the Terraform organization module. - short_name: development - timeouts: null - module.organization[0].google_tags_tag_value.default["environment/production"]: - description: Managed by the Terraform organization module. - short_name: production - timeouts: null - module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser - module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser - module.top-level-folder["teams"].google_folder.folder[0]: - display_name: Teams - parent: organizations/123456789012 - timeouts: null - ? 
module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] - : condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: organizations/123456789012/roles/xpnServiceAdmin - module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/owner - module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser - module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]: - timeouts: null counts: - google_folder: 57 - google_folder_iam_binding: 75 + google_folder: 67 + google_folder_iam_binding: 128 google_organization_iam_member: 14 - google_project_iam_member: 10 - google_service_account: 10 - google_service_account_iam_binding: 10 - google_storage_bucket: 5 - google_storage_bucket_iam_binding: 10 - google_storage_bucket_iam_member: 10 - google_storage_bucket_object: 11 - google_tags_tag_binding: 5 + google_project_iam_member: 24 + google_service_account: 24 + google_service_account_iam_binding: 24 + google_storage_bucket: 12 + google_storage_bucket_iam_binding: 24 + 
google_storage_bucket_iam_member: 24 + google_storage_bucket_object: 25 + google_tags_tag_binding: 16 google_tags_tag_key: 2 - google_tags_tag_value: 9 + google_tags_tag_value: 5 google_tags_tag_value_iam_binding: 2 - modules: 73 - resources: 230 + modules: 104 + resources: 391 diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 8c019e5d0f..126c94f9e9 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
@@ -13,301 +13,151 @@ # limitations under the License. values: - google_storage_bucket_object.providers["2-networking"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-networking-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-networking-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-networking-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory"]: - bucket: test - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-dev"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-dev-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-dev-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-dev-r-providers.tf - retention: [] - source: null - 
temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-prod"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-prod-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-prod-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-prod-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-project-factory-r"]: - bucket: test - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-project-factory-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-security"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-security-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["2-security-r"]: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/2-security-r-providers.tf - retention: [] - source: null - temporary_hold: null - 
timeouts: null - google_storage_bucket_object.tfvars: - bucket: test - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: tfvars/1-resman.auto.tfvars.json - retention: [] - source: null - temporary_hold: null - timeouts: null - module.branch-network-dev-folder.google_folder.folder[0]: - display_name: Development + module.net-bucket[0].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-net-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL timeouts: null - ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] - : condition: [] - members: null - role: organizations/123456789012/roles/gcveNetworkAdmin - ? 
module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] - : condition: [] + uniform_bucket_level_access: true + versioning: + - enabled: true + module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-net-0 + condition: [] members: - - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: organizations/123456789012/roles/xpnServiceAdmin - module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-net-0 condition: [] members: - - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/compute.networkViewer - module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]: + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.net-folder-dev[0].google_folder.folder[0]: + display_name: Development + timeouts: null + module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null - module.branch-network-folder.google_folder.folder[0]: + module.net-folder-prod[0].google_folder.folder[0]: + display_name: Production + timeouts: null + module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.net-folder[0].google_folder.folder[0]: display_name: Networking parent: organizations/123456789012 timeouts: null - 
module.branch-network-folder.google_folder_iam_binding.authoritative["roles/browser"]: + ? module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] + : condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/networkFirewallPoliciesAdmin + module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/xpnServiceAdmin + module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: condition: [] members: - - user:extra-browser@fast.example.com - role: roles/browser - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.networkViewer + module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]: + module.net-folder[0].google_folder_iam_binding.authoritative["roles/editor"]: condition: [] members: - group:gcp-vpc-network-admins@fast.example.com role: roles/editor - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: + module.net-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com role: roles/logging.admin - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]: + 
module.net-folder[0].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - - user:extra-owner@fast.example.com role: roles/owner - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator - module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]: + module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.branch-network-folder.google_tags_tag_binding.binding["context"]: - timeouts: null - module.branch-network-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - 
lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-net-0 - project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-net-0 + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/serviceusage.serviceUsageAdmin + module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-net-0 + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/serviceusage.serviceUsageConsumer + module.net-folder[0].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - module.branch-network-prod-folder.google_folder.folder[0]: - display_name: Production - timeouts: null - ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] - : condition: [] - members: null - role: organizations/123456789012/roles/gcveNetworkAdmin - ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] - : condition: [] + role: roles/viewer + module.net-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"]: + condition: + - description: Project factory delegated grant. 
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/compute.networkUser]) + title: project factory project delegated admin members: - - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: organizations/123456789012/roles/xpnServiceAdmin - module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/compute.networkViewer - module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]: + role: roles/resourcemanager.projectIamAdmin + module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_dev"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment', 'development'\n\ + )\n&&\napi.getAttribute(\n 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']\n\ + )\n" + title: stage 3 project delegated admin dev + members: null + role: roles/resourcemanager.projectIamAdmin + module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_prod"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment', 'production'\n\ + )\n&&\napi.getAttribute(\n 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']\n\ + )\n" + title: stage 3 
project delegated admin prod + members: null + role: roles/resourcemanager.projectIamAdmin + module.net-folder[0].google_tags_tag_binding.binding["context"]: timeouts: null - ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.net-sa-ro[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-network-r-sa.google_service_account.service_account[0]: + module.net-sa-ro[0].google_service_account.service_account[0]: account_id: fast2-prod-resman-net-0r create_ignore_already_exists: null description: null 
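Review bot: The condition expression of `module.net-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"]` passes the role to `hasOnly` unquoted, as `hasOnly([roles/compute.networkUser])`, while the `stage3_delegated_grant_dev` and `stage3_delegated_grant_prod` expressions in the same hunk quote every role name. Without the quotes the argument is not a list of CEL strings, so the condition meant to limit what `roles/resourcemanager.projectIamAdmin` may grant is presumably rejected at apply time or does not restrict the grant as intended. The expected value should read `expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/compute.networkUser'])`. That most likely means quoting the role list in the Terraform that builds this expression (not visible in this hunk) and regenerating the inventory, rather than editing the fixture by hand.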
@@ -315,19 +165,19 @@ values: display_name: Terraform resman networking service account (read-only). project: fast-prod-automation timeouts: null - module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.net-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + module.net-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: + bucket: test condition: [] role: organizations/123456789012/roles/storageViewer - ? module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.net-sa-rw[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-network-sa.google_service_account.service_account[0]: + module.net-sa-rw[0].google_service_account.service_account[0]: account_id: fast2-prod-resman-net-0 create_ignore_already_exists: null description: null 
@@ -335,15 +185,134 @@ values: display_name: Terraform resman networking service account. project: fast-prod-automation timeouts: null - module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.net-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + module.net-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: bucket: test condition: [] role: roles/storage.objectAdmin - module.branch-pf-dev-gcs.google_storage_bucket.bucket: + module.organization[0].google_organization_iam_member.bindings["data-platform-dev"]: + condition: [] + member: serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["data-platform-prod"]: + condition: [] + member: serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["gcve-dev"]: + condition: [] + member: serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["gcve-prod"]: + condition: [] + member: serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["gke-dev"]: + condition: [] + member: serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + 
module.organization[0].google_organization_iam_member.bindings["gke-prod"]: + condition: [] + member: serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["project-factory-dev"]: + condition: [] + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["project-factory-prod"]: + condition: [] + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]: + condition: [] + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/compute.orgFirewallPolicyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]: + condition: [] + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/compute.xpnAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory. 
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') + + ' + title: org_policy_tag_pf_scoped + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: + condition: [] + member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/cloudasset.viewer + module.organization[0].google_organization_iam_member.bindings["sandbox"]: + condition: [] + member: serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_tags_tag_key.default["context"]: + description: Resource management context. + parent: organizations/123456789012 + purpose: null + purpose_data: null + short_name: context + timeouts: null + module.organization[0].google_tags_tag_key.default["environment"]: + description: Environment definition. + parent: organizations/123456789012 + purpose: null + purpose_data: null + short_name: environment + timeouts: null + module.organization[0].google_tags_tag_value.default["context/networking"]: + description: Managed by the Terraform organization module. + short_name: networking + timeouts: null + module.organization[0].google_tags_tag_value.default["context/project-factory"]: + description: Managed by the Terraform organization module. + short_name: project-factory + timeouts: null + module.organization[0].google_tags_tag_value.default["context/security"]: + description: Managed by the Terraform organization module. + short_name: security + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/development"]: + description: Managed by the Terraform organization module. 
+ short_name: development + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/production"]: + description: Managed by the Terraform organization module. + short_name: production + timeouts: null + module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.pf-bucket[0].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] 
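Review bot: Every organization-level `roles/billing.user` member added in this hunk has `condition: []`, including `bindings["sandbox"]` for `fast2-dev-resman-sbx-0`, so the sandbox automation identity ends up with an unconditional org-wide billing role. `sa_pf_conditional_org_policy` is the only org binding here that is scoped, through `resource.matchTag('123456789012/context', 'project-factory')`. If the sandbox and other stage 3 service accounts only need to attach projects to a single billing account, granting the role on that billing account would be narrower. If the org-level grant is required, a comment in the stage definition that produces these bindings should say why. This file looks like an expected-plan snapshot, so the change would belong in the stage 3 definitions rather than here.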
@@ -355,68 +324,68 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast2-dev-resman-pf-0 + name: fast2-resman-pf-0 project: fast-prod-automation requester_pays: null retention_policy: [] - storage_class: STANDARD + storage_class: MULTI_REGIONAL timeouts: null uniform_bucket_level_access: true versioning: - enabled: true - module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-dev-resman-pf-0 + module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-resman-pf-0 condition: [] members: - - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin - module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-dev-resman-pf-0 + module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-resman-pf-0 condition: [] members: - - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - ? 
module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] + module.pf-sa-ro[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]: + condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-dev-r-sa.google_service_account.service_account[0]: - account_id: fast2-dev-resman-pf-0r + module.pf-sa-ro[0].google_service_account.service_account[0]: + account_id: fast2-resman-pf-0r create_ignore_already_exists: null description: null disabled: false - display_name: Terraform project factory development service account (read-only). + display_name: Terraform resman project factory main service account (read-only). project: fast-prod-automation timeouts: null - module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.pf-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + module.pf-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: + bucket: test condition: [] role: organizations/123456789012/roles/storageViewer - ? 
module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] + module.pf-sa-rw[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]: + condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-dev-sa.google_service_account.service_account[0]: - account_id: fast2-dev-resman-pf-0 + module.pf-sa-rw[0].google_service_account.service_account[0]: + account_id: fast2-resman-pf-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform project factory development service account. + display_name: Terraform resman project factory main service account. project: fast-prod-automation timeouts: null - module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.pf-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + module.pf-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: bucket: test condition: [] role: roles/storage.objectAdmin - module.branch-pf-gcs.google_storage_bucket.bucket: + module.sec-bucket[0].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] 
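Review bot: The expected `storage_class` for `module.pf-bucket[0]` changes from `STANDARD` to `MULTI_REGIONAL` while `location: EU` stays the same, and the same value appears for `module.sec-bucket[0]` and the `module.stage3-bucket[...]` entries in the following hunk. That is a behavioural change bundled into what otherwise reads as a module-address refactor, and `MULTI_REGIONAL` is the legacy class name. These buckets are bound to the stage automation service accounts and presumably hold their Terraform state, so an unannounced attribute change on existing deployments deserves a line in the commit description. If it is not intentional, the bucket module call should keep `storage_class: STANDARD` so the snapshot does not change.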
@@ -428,421 +397,1084 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast2-resman-pf-0 + name: fast2-prod-resman-sec-0 project: fast-prod-automation requester_pays: null retention_policy: [] - storage_class: STANDARD + storage_class: MULTI_REGIONAL timeouts: null uniform_bucket_level_access: true versioning: - enabled: true - module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-resman-pf-0 + module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-sec-0 condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin - module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-resman-pf-0 + module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-sec-0 condition: [] members: - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - module.branch-pf-prod-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-pf-0 - project: fast-prod-automation - requester_pays: null + module.sec-folder[0].google_folder.folder[0]: + display_name: Security + parent: organizations/123456789012 + timeouts: null + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: + condition: [] + members: + - 
serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/cloudkms.cryptoKeyEncrypterDecrypter + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/cloudkms.viewer + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/editor"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + role: roles/editor + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + 
module.sec-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"]: + condition: + - description: Project factory delegated grant. + expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/cloudkms.cryptoKeyEncrypterDecrypter]) + title: pf_delegated_grant + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectIamAdmin + module.sec-folder[0].google_tags_tag_binding.binding["context"]: + timeouts: null + ? module.sec-sa-ro[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.sec-sa-ro[0].google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman security service account (read-only). + project: fast-prod-automation + timeouts: null + module.sec-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.sec-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: + bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.sec-sa-rw[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.sec-sa-rw[0].google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman security service account. 
+ project: fast-prod-automation + timeouts: null + module.sec-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.sec-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.stage3-bucket["data-platform-dev"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-dp-0 + project: fast-prod-automation + requester_pays: null retention_policy: [] - storage_class: STANDARD + storage_class: MULTI_REGIONAL timeouts: null uniform_bucket_level_access: true versioning: - enabled: true - module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-pf-0 + module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-dp-0 condition: [] members: - - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin - module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-pf-0 + module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-dp-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["data-platform-prod"].google_storage_bucket.bucket: + 
autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-dp-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-dp-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-dp-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["gcve-dev"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-gcve-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-gcve-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + 
bucket: fast2-dev-resman-gcve-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["gcve-prod"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-gcve-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-gcve-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-gcve-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["gke-dev"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-gke-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-gke-0 + condition: [] + members: + - 
serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-gke-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["gke-prod"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-gke-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-gke-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-gke-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["project-factory-dev"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-pf-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + 
uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["project-factory-prod"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-pf-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-bucket["sandbox"].google_storage_bucket.bucket: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + 
enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-sbx-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-sbx-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-sbx-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.stage3-folder["data-platform-dev"].google_folder.folder[0]: + display_name: Development + timeouts: null + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - 
serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.stage3-folder["data-platform-prod"].google_folder.folder[0]: + display_name: Production + timeouts: null + module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + 
module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.stage3-folder["gcve-dev"].google_folder.folder[0]: + display_name: Development + timeouts: null + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + 
role: roles/owner + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["gcve-dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.stage3-folder["gcve-prod"].google_folder.folder[0]: + display_name: Production + timeouts: null + module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + 
module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["gcve-prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.stage3-folder["gke-dev"].google_folder.folder[0]: + display_name: Development + timeouts: null + module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + 
module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.stage3-folder["gke-prod"].google_folder.folder[0]: + display_name: Production + timeouts: null + module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + 
module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.stage3-folder["sandbox"].google_folder.folder[0]: + display_name: Sandbox + parent: organizations/123456789012 + timeouts: null + module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/owner + 
module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-sbx-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.stage3-folder["sandbox"].google_tags_tag_binding.binding["context"]: + timeouts: null + module.stage3-folder["sandbox"].google_tags_tag_binding.binding["environment"]: + timeouts: null + ? module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["data-platform-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-dp-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman data-platform-dev service account (read-only). + project: fast-prod-automation + timeouts: null + ? 
module.stage3-sa-ro["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["data-platform-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["data-platform-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-dp-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman data-platform-prod service account (read-only). + project: fast-prod-automation + timeouts: null + ? module.stage3-sa-ro["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["gcve-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-gcve-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gcve-dev service account (read-only). 
+ project: fast-prod-automation + timeouts: null + module.stage3-sa-ro["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["gcve-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["gcve-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-gcve-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gcve-prod service account (read-only). + project: fast-prod-automation + timeouts: null + module.stage3-sa-ro["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["gke-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["gke-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-gke-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gke-dev service account (read-only). 
+ project: fast-prod-automation + timeouts: null + module.stage3-sa-ro["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["gke-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["gke-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["gke-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-gke-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gke-prod service account (read-only). + project: fast-prod-automation + timeouts: null + module.stage3-sa-ro["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["gke-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["project-factory-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-ro["project-factory-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-pf-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman project-factory-dev service account (read-only). 
+ project: fast-prod-automation + timeouts: null + ? module.stage3-sa-ro["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test condition: [] - members: - - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + role: organizations/123456789012/roles/storageViewer + ? module.stage3-sa-ro["project-factory-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-prod-r-sa.google_service_account.service_account[0]: + module.stage3-sa-ro["project-factory-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-pf-0r create_ignore_already_exists: null description: null disabled: false - display_name: Terraform project factory production service account (read-only). + display_name: Terraform resman project-factory-prod service account (read-only). project: fast-prod-automation timeouts: null - module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] + ? module.stage3-sa-ro["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + ? 
module.stage3-sa-ro["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] : bucket: test condition: [] role: organizations/123456789012/roles/storageViewer - ? module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["sandbox"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-prod-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-pf-0 + module.stage3-sa-ro["sandbox"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-sbx-0r create_ignore_already_exists: null description: null disabled: false - display_name: Terraform project factory production service account. + display_name: Terraform resman sandbox service account (read-only). project: fast-prod-automation timeouts: null - module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.stage3-sa-ro["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.stage3-sa-ro["sandbox"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test condition: [] + role: organizations/123456789012/roles/storageViewer + ? 
module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-rw["data-platform-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-dp-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman data-platform-dev service account. + project: fast-prod-automation + timeouts: null + ? module.stage3-sa-rw["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: bucket: test condition: [] role: roles/storage.objectAdmin - ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["data-platform-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-r-sa.google_service_account.service_account[0]: - account_id: fast2-resman-pf-0r + module.stage3-sa-rw["data-platform-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-dp-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform project factory main service account (read-only). + display_name: Terraform resman data-platform-prod service account. 
project: fast-prod-automation timeouts: null - module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] + ? module.stage3-sa-rw["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: + module.stage3-sa-rw["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: bucket: test condition: [] - role: organizations/123456789012/roles/storageViewer - ? module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + role: roles/storage.objectAdmin + ? module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-pf-sa.google_service_account.service_account[0]: - account_id: fast2-resman-pf-0 + module.stage3-sa-rw["gcve-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-gcve-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform project factory main service account. + display_name: Terraform resman gcve-dev service account. 
project: fast-prod-automation timeouts: null - module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.stage3-sa-rw["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + module.stage3-sa-rw["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: bucket: test condition: [] role: roles/storage.objectAdmin - module.branch-security-folder.google_folder.folder[0]: - display_name: Security - parent: organizations/123456789012 + ? module.stage3-sa-rw["gcve-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-rw["gcve-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-gcve-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gcve-prod service account. 
+ project: fast-prod-automation timeouts: null - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/browser"]: - condition: [] - members: - - user:extra-browser@fast.example.com - role: roles/browser - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]: - condition: [] - members: - - group:gcp-security-admins@fast.example.com - role: roles/editor - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: + module.stage3-sa-rw["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/logging.admin - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]: + members: null + role: roles/iam.serviceAccountTokenCreator + module.stage3-sa-rw["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - - user:extra-owner@fast.example.com - role: roles/owner - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + role: roles/storage.objectAdmin + ? module.stage3-sa-rw["gke-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-rw["gke-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-gke-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gke-dev service account. 
+ project: fast-prod-automation + timeouts: null + module.stage3-sa-rw["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + members: null + role: roles/iam.serviceAccountTokenCreator + module.stage3-sa-rw["gke-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderViewer - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + role: roles/storage.objectAdmin + ? module.stage3-sa-rw["gke-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-rw["gke-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-gke-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman gke-prod service account. 
+ project: fast-prod-automation + timeouts: null + module.stage3-sa-rw["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]: + members: null + role: roles/iam.serviceAccountTokenCreator + module.stage3-sa-rw["gke-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]: - condition: - - description: Certificate Authority Service delegated grants. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager']) - title: security_sa_delegated_grants - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderIamAdmin - module.branch-security-folder.google_tags_tag_binding.binding["context"]: - timeouts: null - module.branch-security-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-sec-0 + role: roles/storage.objectAdmin + ? 
module.stage3-sa-rw["project-factory-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.stage3-sa-rw["project-factory-dev"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-pf-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman project-factory-dev service account. project: fast-prod-automation - requester_pays: null - retention_policy: [] - storage_class: STANDARD timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-sec-0 + ? module.stage3-sa-rw["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.stage3-sa-rw["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin - module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-sec-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - ? module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? 
module.stage3-sa-rw["project-factory-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-security-r-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-sec-0r + module.stage3-sa-rw["project-factory-prod"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-pf-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform resman security service account (read-only). + display_name: Terraform resman project-factory-prod service account. project: fast-prod-automation timeouts: null - module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] + ? module.stage3-sa-rw["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + ? module.stage3-sa-rw["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"] : bucket: test condition: [] - role: organizations/123456789012/roles/storageViewer - ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + role: roles/storage.objectAdmin + ? 
module.stage3-sa-rw["sandbox"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast-prod-automation role: roles/serviceusage.serviceUsageConsumer - module.branch-security-sa.google_service_account.service_account[0]: - account_id: fast2-prod-resman-sec-0 + module.stage3-sa-rw["sandbox"].google_service_account.service_account[0]: + account_id: fast2-dev-resman-sbx-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform resman security service account. + display_name: Terraform resman sandbox service account. project: fast-prod-automation timeouts: null - module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.stage3-sa-rw["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + module.stage3-sa-rw["sandbox"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: bucket: test condition: [] role: roles/storage.objectAdmin - module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]: - condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]: - condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/compute.orgFirewallPolicyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]: - condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com - org_id: 
'123456789012' - role: roles/compute.xpnAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]: - condition: [] - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: - condition: - - description: Org policy tag scoped grant for project factory main. - expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - - ' - title: org_policy_tag_pf_scoped - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]: - condition: [] - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.costsManager - module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]: - condition: [] - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]: - condition: - - description: Org policy tag scoped grant for project factory dev. 
- expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - - && - - resource.matchTag(''123456789012/environment'', ''development'') - - ' - title: org_policy_tag_pf_scoped_dev - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]: - condition: [] - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.costsManager - module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]: - condition: [] - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]: - condition: - - description: Org policy tag scoped grant for project factory prod. 
- expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - - && - - resource.matchTag(''123456789012/environment'', ''production'') - - ' - title: org_policy_tag_pf_scoped_prod - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]: - condition: [] - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.costsManager - module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: - condition: [] - member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/cloudasset.viewer - module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]: - condition: [] - member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_tags_tag_key.default["context"]: - description: Resource management context. - parent: organizations/123456789012 - purpose: null - purpose_data: null - short_name: context - timeouts: null - module.organization[0].google_tags_tag_key.default["environment"]: - description: Environment definition. + module.top-level-folder["data-platform"].google_folder.folder[0]: + display_name: Data Platform parent: organizations/123456789012 - purpose: null - purpose_data: null - short_name: environment - timeouts: null - module.organization[0].google_tags_tag_value.default["context/data"]: - description: Managed by the Terraform organization module. - short_name: data - timeouts: null - module.organization[0].google_tags_tag_value.default["context/gcve"]: - description: Managed by the Terraform organization module. 
- short_name: gcve - timeouts: null - module.organization[0].google_tags_tag_value.default["context/gke"]: - description: Managed by the Terraform organization module. - short_name: gke - timeouts: null - module.organization[0].google_tags_tag_value.default["context/networking"]: - description: Managed by the Terraform organization module. - short_name: networking timeouts: null - module.organization[0].google_tags_tag_value.default["context/project-factory"]: - description: Managed by the Terraform organization module. - short_name: project-factory + module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]: timeouts: null - module.organization[0].google_tags_tag_value.default["context/sandbox"]: - description: Managed by the Terraform organization module. - short_name: sandbox + module.top-level-folder["gcve"].google_folder.folder[0]: + display_name: GCVE + parent: organizations/123456789012 timeouts: null - module.organization[0].google_tags_tag_value.default["context/security"]: - description: Managed by the Terraform organization module. - short_name: security + module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null - module.organization[0].google_tags_tag_value.default["environment/development"]: - description: Managed by the Terraform organization module. - short_name: development + module.top-level-folder["gke"].google_folder.folder[0]: + display_name: GKE + parent: organizations/123456789012 timeouts: null - module.organization[0].google_tags_tag_value.default["environment/production"]: - description: Managed by the Terraform organization module. 
- short_name: production + module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null - module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser - module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]: - condition: [] - members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.tagUser module.top-level-folder["teams"].google_folder.folder[0]: display_name: Teams parent: organizations/123456789012 @@ -876,19 +1508,19 @@ values: timeouts: null counts: - google_folder: 5 - google_folder_iam_binding: 29 + google_folder: 15 + google_folder_iam_binding: 80 google_organization_iam_member: 14 - google_project_iam_member: 10 - google_service_account: 10 - google_service_account_iam_binding: 10 - google_storage_bucket: 5 - google_storage_bucket_iam_binding: 10 - google_storage_bucket_iam_member: 10 - google_storage_bucket_object: 11 - google_tags_tag_binding: 5 + google_project_iam_member: 24 + google_service_account: 24 + google_service_account_iam_binding: 24 + google_storage_bucket: 12 + google_storage_bucket_iam_binding: 24 + google_storage_bucket_iam_member: 24 + google_storage_bucket_object: 25 + google_tags_tag_binding: 16 google_tags_tag_key: 2 - google_tags_tag_value: 9 + google_tags_tag_value: 5 google_tags_tag_value_iam_binding: 2 - modules: 21 - resources: 132 + modules: 52 + resources: 291 From cbcce82a0508d51b9711f7fd13a730333160e14a Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sat, 31 Aug 2024 10:58:22 +0200 Subject: [PATCH 13/94] netsec as stage 2 --- fast/stages/1-resman/README.md | 5 +- fast/stages/1-resman/TODO.md | 7 +- fast/stages/1-resman/iam.tf | 19 +++ fast/stages/1-resman/outputs-files.tf | 149 +++++++----------- .../1-resman/stage-2-network-security.tf | 74 +++++++++ fast/stages/1-resman/stage-2-networking.tf | 15 ++ fast/stages/1-resman/variables-stages.tf | 13 ++ 7 files changed, 180 insertions(+), 102 deletions(-) create mode 100644 fast/stages/1-resman/stage-2-network-security.tf diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 58f83bb282..400e82f1c3 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -252,6 +252,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [organization.tf](./organization.tf) | Organization policies. | organization | | | [outputs-files.tf](./outputs-files.tf) | Output files persistence to local filesystem. | | google_storage_bucket_object · local_file | | [outputs.tf](./outputs.tf) | Module outputs. | | | +| [stage-2-network-security.tf](./stage-2-network-security.tf) | None | gcs · iam-service-account | | | [stage-2-networking.tf](./stage-2-networking.tf) | None | folder · gcs · iam-service-account | | | [stage-2-project-factory.tf](./stage-2-project-factory.tf) | None | gcs · iam-service-account | | | [stage-2-security.tf](./stage-2-security.tf) | None | folder · gcs · iam-service-account | | 
@@ -277,8 +278,8 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [environment_names](variables.tf#L20) | Long environment names. | object({…}) | | {…} | | | [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | | -| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | | -| [fast_stage_3](variables-stages.tf#L84) | FAST stages 3 configurations. | map(object({…})) | | {} | | +| [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | | +| [fast_stage_3](variables-stages.tf#L97) | FAST stages 3 configurations. | map(object({…})) | | {} | | | [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | | [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | | [outputs_location](variables.tf#L44) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | diff --git a/fast/stages/1-resman/TODO.md b/fast/stages/1-resman/TODO.md index 0af4cc8830..2e29717ca6 100644 --- a/fast/stages/1-resman/TODO.md +++ b/fast/stages/1-resman/TODO.md @@ -1,7 +1,4 @@ # TODO list -- add support for explicit parent ids to top-level folders - -fixes - -- roles/compute.networkViewer for pf ro sa +- [ ] roles/compute.networkViewer for pf ro sa +- [ ] move network security stage to stage 2 diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf index 890655dbea..47a1bfd77a 100644 --- a/fast/stages/1-resman/iam.tf 
+++ b/fast/stages/1-resman/iam.tf @@ -29,6 +29,25 @@ locals { role = "roles/compute.xpnAdmin" } }, + # stage 2 network security + !var.fast_stage_2.networksecurity.enabled ? {} : { + sa_nsec_fw_policy_admin = { + member = module.nsec-sa-rw[0].iam_email + role = "roles/compute.orgFirewallPolicyAdmin" + } + sa_net_nsec_ngfw_enterprise_admin = { + member = module.nsec-sa-rw[0].iam_email + role = local.custom_roles["ngfw_enterprise_admin"], + } + sa_net_nsec_fw_policy_user = { + member = module.nsec-sa-rw[0].iam_email + role = "roles/compute.orgFirewallPolicyUser" + } + sa_net_nsec_ro_ngfw_enterprise_viewer = { + member = module.nsec-sa-ro[0].iam_email + role = local.custom_roles["ngfw_enterprise_viewer"], + } + }, # stage 2 security !var.fast_stage_2.security.enabled ? {} : { sa_sec_asset_viewer = { diff --git a/fast/stages/1-resman/outputs-files.tf b/fast/stages/1-resman/outputs-files.tf index 12ff730eee..7029d685d8 100644 --- a/fast/stages/1-resman/outputs-files.tf +++ b/fast/stages/1-resman/outputs-files.tf 
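Review bot: `sa_net_nsec_fw_policy_user` binds `roles/compute.orgFirewallPolicyUser` to `module.nsec-sa-rw[0]`, the same principal that `sa_nsec_fw_policy_admin` already gives `roles/compute.orgFirewallPolicyAdmin` at the organization. The binding therefore looks either redundant or aimed at the wrong account. The folder-level grants added in stage-2-networking.tf give the user role to the read-only account, so `member = module.nsec-sa-ro[0].iam_email` may be what was meant here; otherwise the entry can be dropped to keep the org-level grant set minimal. The key prefixes are also mixed (`sa_nsec_` and `sa_net_nsec_`), which makes these bindings harder to audit in plan output. The enclosing `locals` block continues outside the hunk.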
@@ -17,73 +17,56 @@ # tfdoc:file:description Output files persistence to local filesystem. locals { - _cicd_workflow_attrs = merge( - # stage 2s (cannot use a loop as we need explicit module references) - lookup(local.cicd_repositories, "networking", null) == null ? {} : { - networking = { - audiences = try( - local.identity_providers[local.cicd_repositories.networking.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.networking.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - service_accounts = { - apply = module.net-sa-rw[0].email - plan = module.net-sa-ro[0].email - } - repository = local.cicd_repositories.networking.repository - stage_name = "networking" - tf_providers_files = { - apply = "2-networking-providers.tf" - plan = "2-networking-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_2 + _stage2_outputs_attrs = { + networking = { + bucket = try(module.net-bucket[0].name, null) + sa = { + apply = try(module.net-sa-rw[0].email, null) + plan = try(module.net-sa-ro[0].email, null) } - }, - lookup(local.cicd_repositories, "security", null) == null ? 
{} : { - security = { - audiences = try( - local.identity_providers[local.cicd_repositories.security.identity_provider].audiences, null - ) - identity_provider = try( - local.identity_providers[local.cicd_repositories.security.identity_provider].name, null - ) - outputs_bucket = var.automation.outputs_bucket - repository = local.cicd_repositories.security.repository - service_accounts = { - apply = module.sec-sa-rw[0].email - plan = module.sec-sa-ro[0].email - } - repository = local.cicd_repositories.security.repository - tf_providers_files = { - apply = "2-security-providers.tf" - plan = "2-security-providers-r.tf" - } - tf_var_files = local.cicd_workflow_files.stage_2 + } + network_security = { + bucket = try(module.nsec-bucket[0].name, null) + sa = { + apply = try(module.nsec-sa-rw[0].email, null) + plan = try(module.nsec-sa-ro[0].email, null) } - }, - lookup(local.cicd_repositories, "project_factory", null) == null ? {} : { - project_factory = { + } + project_factory = { + bucket = try(module.pf-bucket[0].name, null) + sa = { + apply = try(module.netsec-sa-rw[0].email, null) + plan = try(module.netsec-sa-ro[0].email, null) + } + } + security = { + bucket = try(module.sec-bucket[0].name, null) + sa = { + apply = try(module.sec-sa-rw[0].email, null) + plan = try(module.sec-sa-ro[0].email, null) + } + } + } + _cicd_workflow_attrs = merge( + # stage 2s + { + for k, v in local._stage2_outputs_attrs : k => { audiences = try( - local.identity_providers[local.cicd_repositories.project_factory.identity_provider].audiences, null + local.identity_providers[local.cicd_repositories[k].identity_provider].audiences, null ) identity_provider = try( - local.identity_providers[local.cicd_repositories.project_factory.identity_provider].name, null + local.identity_providers[local.cicd_repositories[k].identity_provider].name, null ) - outputs_bucket = var.automation.outputs_bucket - repository = local.cicd_repositories.project_factory.repository - service_accounts = { - apply = 
module.pf-sa-rw[0].email - plan = module.pf-sa-ro[0].email - } - stage_name = "project-factory" + outputs_bucket = var.automation.outputs_bucket + service_accounts = v.sa + repository = local.cicd_repositories[k].repository + stage_name = k tf_providers_files = { - apply = "2-project-factory-providers.tf" - plan = "2-project-factory-providers-r.tf" + apply = "2-${replace(k, "_", "-")}-providers.tf" + plan = "2-${replace(k, "_", "-")}-providers-r.tf" } tf_var_files = local.cicd_workflow_files.stage_2 - } + } if lookup(local.cicd_repositories, k, null) == null }, # stage 3 { 
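Review bot: `stage_name = k` now emits the map key with underscores (`project_factory`, `network_security`), whereas the removed code passed `"project-factory"` and the provider file names in the same object still go through `replace(k, "_", "-")`. If the workflow templates use the stage name in paths or job names (not visible here), `stage_name = replace(k, "_", "-")` keeps the old value. Separately, wrapping every service-account reference in `_stage2_outputs_attrs` in `try(..., null)` turns a wrong module reference into a null identity instead of a plan error. Indexing the module directly behind the stage's `enabled` flag would surface such mistakes.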
@@ -118,47 +101,23 @@ locals { outputs_location = try(pathexpand(var.outputs_location), "") providers = merge( # stage 2 - !var.fast_stage_2.networking.enabled ? {} : { - "2-networking" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.net-bucket[0].name - name = "networking" - sa = module.net-sa-rw[0].email - }) - "2-networking-r" = templatefile(local._tpl_providers, { + { + for k, v in local._stage2_outputs_attrs : + "2-${replace(k, "_", "-")}" => templatefile(local._tpl_providers, { backend_extra = null - bucket = module.net-bucket[0].name + bucket = v.bucket name = "networking" - sa = module.net-sa-ro[0].email - }) - }, - !var.fast_stage_2.security.enabled ? {} : { - "2-security" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.sec-bucket[0].name - name = "security" - sa = module.sec-sa-rw[0].email - }) - "2-security-r" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.sec-bucket[0].name - name = "security" - sa = module.sec-sa-ro[0].email - }) + sa = v.sa.rw + }) if var.fast_stage_2[k].enabled == true }, - !var.fast_stage_2.project_factory.enabled ? {} : { - "2-project-factory" = templatefile(local._tpl_providers, { - backend_extra = null - bucket = module.pf-bucket[0].name - name = "project-factory" - sa = module.pf-sa-rw[0].email - }) - "2-project-factory-r" = templatefile(local._tpl_providers, { + { + for k, v in local._stage2_outputs_attrs : + "2-${replace(k, "_", "-")}-r" => templatefile(local._tpl_providers, { backend_extra = null - bucket = module.pf-bucket[0].name - name = "project-factory" - sa = module.pf-sa-ro[0].email - }) + bucket = v.bucket + name = "networking" + sa = v.sa.ro + }) if var.fast_stage_2[k].enabled == true }, # stage 3 { diff --git a/fast/stages/1-resman/stage-2-network-security.tf b/fast/stages/1-resman/stage-2-network-security.tf new file mode 100644 index 0000000000..d639bebfeb --- /dev/null 
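Review bot: Both new comprehensions pass the literal `name = "networking"` to the providers template for every stage 2, where the removed code passed `"security"` and `"project-factory"` for those stages. Deriving it from the key, `name = replace(k, "_", "-")`, restores the per-stage value. How the template uses `name` is not visible in this hunk, so the impact should be checked against the template. The same literal is still present as context in the later hunks at `@@ -107,8 +115,8 @@` and `@@ -116,8 +124,8 @@`. The `locals` block continues outside the hunk.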
+++ b/fast/stages/1-resman/stage-2-network-security.tf 
@@ -0,0 +1,74 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# automation service accounts + +module "nsec-sa-rw" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.network_security.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "resman-${var.fast_stage_2.network_security.short_name}-0" + display_name = "Terraform resman network security main service account." + prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-rw["network_security"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = ["roles/storage.objectAdmin"] + } +} + +module "nsec-sa-ro" { + source = "../../../modules/iam-service-account" + count = var.fast_stage_2.network_security.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "resman-${var.fast_stage_2.network_security.short_name}-0r" + display_name = "Terraform resman network security main service account (read-only)." 
+ prefix = var.prefix + iam = { + "roles/iam.serviceAccountTokenCreator" = compact([ + try(module.cicd-sa-ro["network_security"].iam_email, null) + ]) + } + iam_project_roles = { + (var.automation.project_id) = ["roles/serviceusage.serviceUsageConsumer"] + } + iam_storage_roles = { + (var.automation.outputs_bucket) = [var.custom_roles["storage_viewer"]] + } +} + +# automation bucket + +module "nsec-bucket" { + source = "../../../modules/gcs" + count = var.fast_stage_2.network_security.enabled ? 1 : 0 + project_id = var.automation.project_id + name = "resman-${var.fast_stage_2.network_security.short_name}-0" + prefix = var.prefix + location = var.locations.gcs + storage_class = local.gcs_storage_class + versioning = true + iam = { + "roles/storage.objectAdmin" = [module.nsec-sa-rw[0].iam_email] + "roles/storage.objectViewer" = [module.nsec-sa-ro[0].iam_email] + } +} diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index 0731af53b0..b78cb2bfc2 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -62,6 +62,21 @@ module "net-folder" { "roles/viewer" = [module.net-sa-ro[0].iam_email] "roles/resourcemanager.folderViewer" = [module.net-sa-ro[0].iam_email] }, + # network security stage 2 service accounts + var.fast_stage_2.network_security.enabled != true ? {} : { + "roles/serviceusage.serviceUsageAdmin" = [ + try(module.nsec-sa-rw[0].iam_email, null) + ] + (var.custom_roles["network_firewall_policies_admin"]) = [ + try(module.nsec-sa-rw[0].iam_email, null) + ] + "roles/compute.orgFirewallPolicyUser" = [ + try(module.nsec-sa-ro[0].iam_email, null) + ] + "roles/serviceusage.serviceUsageConsumer" = [ + try(module.nsec-sa-ro[0].iam_email, null) + ] + }, # security stage 2 service accounts var.fast_stage_2.security.enabled != true ? {} : { "roles/serviceusage.serviceUsageAdmin" = [ 
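Review bot: The new file has no `# tfdoc:file:description` line, which is why the README file table in this same commit lists its description as "None". Adding a line such as `# tfdoc:file:description Network security stage resources.` below the license header documents the file, following the form used in outputs-files.tf. The two service account display names both say "main service account", which reads oddly for a stage that has a single environment; "Terraform resman network security service account." would match the wording used for the other stage accounts in the test inventory.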
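Review bot: The added network security map sets `"roles/serviceusage.serviceUsageAdmin"`, and the security stage map directly below it sets the same key. If these maps are arguments to `merge()` (the call opens outside the hunk), the later map replaces the earlier one and `nsec-sa-rw` silently loses the role whenever both stages are enabled. The other keys added here should be checked for the same collision against the remaining maps. Collecting the members for each shared role into one list before the binding is built avoids an authoritative binding that drops a principal without any plan error.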
diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index 8c285bf251..d3d244a8ef 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf @@ -36,6 +36,19 @@ variable "fast_stage_2" { parent_id = optional(string) }), {}) }), {}) + network_security = optional(object({ + enabled = optional(bool, false) + short_name = optional(string, "nsec") + cicd_config = optional(object({ + identity_provider = string + repository = object({ + name = string + branch = optional(string) + parent_id = optional(string) + type = optional(string, "github") + }) + })) + }), {}) project_factory = optional(object({ enabled = optional(bool, true) short_name = optional(string, "pf") From 316cc817a8c31f5f002709623008e0fd7d883c7d Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 31 Aug 2024 11:01:08 +0200 Subject: [PATCH 14/94] fix backported roles --- fast/stages/1-resman/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf index 47a1bfd77a..e2db91054b 100644 --- a/fast/stages/1-resman/iam.tf +++ b/fast/stages/1-resman/iam.tf @@ -37,7 +37,7 @@ locals { } sa_net_nsec_ngfw_enterprise_admin = { member = module.nsec-sa-rw[0].iam_email - role = local.custom_roles["ngfw_enterprise_admin"], + role = var.custom_roles["ngfw_enterprise_admin"], } sa_net_nsec_fw_policy_user = { member = module.nsec-sa-rw[0].iam_email @@ -45,7 +45,7 @@ locals { } sa_net_nsec_ro_ngfw_enterprise_viewer = { member = module.nsec-sa-ro[0].iam_email - role = local.custom_roles["ngfw_enterprise_viewer"], + role = var.custom_roles["ngfw_enterprise_viewer"], } }, # stage 2 security From 03cef39b12ccd74aad428a7bf7d7cc4de7c4a82d Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sat, 31 Aug 2024 11:02:59 +0200 Subject: [PATCH 15/94] fix backported roles --- fast/stages/1-resman/TODO.md | 4 ---- fast/stages/1-resman/iam.tf | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 fast/stages/1-resman/TODO.md diff --git a/fast/stages/1-resman/TODO.md b/fast/stages/1-resman/TODO.md deleted file mode 100644 index 2e29717ca6..0000000000 --- a/fast/stages/1-resman/TODO.md +++ /dev/null @@ -1,4 +0,0 @@ -# TODO list - -- [ ] roles/compute.networkViewer for pf ro sa -- [ ] move network security stage to stage 2 diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf index e2db91054b..276f7f407d 100644 --- a/fast/stages/1-resman/iam.tf +++ b/fast/stages/1-resman/iam.tf @@ -30,7 +30,7 @@ locals { } }, # stage 2 network security - !var.fast_stage_2.networksecurity.enabled ? {} : { + !var.fast_stage_2.network_security.enabled ? {} : { sa_nsec_fw_policy_admin = { member = module.nsec-sa-rw[0].iam_email role = "roles/compute.orgFirewallPolicyAdmin" From d53c7f2fac779784e48faa9d60c167b42d39cb65 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 20 Sep 2024 09:20:37 +0200 Subject: [PATCH 16/94] tfdoc --- fast/stages/1-resman/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 7ee20917ff..a3ccd7fd50 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -28,7 +28,7 @@ The following diagram is a high level reference of the resources created and man - [Running the stage](#running-the-stage) - [Customizations](#customizations) - [Toggling features](#toggling-features) - - [Top-level folders](#top-level-folders) + - [Top-level folder management](#top-level-folder-management) - [Secure tags](#secure-tags) - [IAM](#iam) - [Files](#files) From 91b3977d2561aa371357bc0f519d790cc814da65 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 20 Sep 2024 10:17:59 +0200 Subject: [PATCH 17/94] fixes --- fast/stages/1-resman/README.md | 2 +- fast/stages/1-resman/outputs-files.tf | 68 ++++++++++++--------- fast/stages/1-resman/stage-2-networking.tf | 2 +- fast/stages/1-resman/stage-2-security.tf | 2 +- fast/stages/1-resman/tenant-root.tf | 71 +++++++--------------- fast/stages/1-resman/variables-fast.tf | 2 +- 6 files changed, 65 insertions(+), 82 deletions(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index a3ccd7fd50..53a7b5934b 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -275,7 +275,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory | | [organization](variables-fast.tf#L109) | Organization details. | object({…}) | ✓ | | 0-bootstrap | | [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | -| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | +| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [environment_names](variables.tf#L20) | Long environment names. | object({…}) | | {…} | | | [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | | | [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | | diff --git a/fast/stages/1-resman/outputs-files.tf b/fast/stages/1-resman/outputs-files.tf index 7029d685d8..a415e87963 100644 --- a/fast/stages/1-resman/outputs-files.tf +++ b/fast/stages/1-resman/outputs-files.tf 
@@ -17,36 +17,44 @@ # tfdoc:file:description Output files persistence to local filesystem. locals { - _stage2_outputs_attrs = { - networking = { - bucket = try(module.net-bucket[0].name, null) - sa = { - apply = try(module.net-sa-rw[0].email, null) - plan = try(module.net-sa-ro[0].email, null) + _stage2_outputs_attrs = merge( + var.fast_stage_2["networking"].enabled != true ? {} : { + networking = { + bucket = module.net-bucket[0].name + sa = { + apply = module.net-sa-rw[0].email + plan = module.net-sa-ro[0].email + } } - } - network_security = { - bucket = try(module.nsec-bucket[0].name, null) - sa = { - apply = try(module.nsec-sa-rw[0].email, null) - plan = try(module.nsec-sa-ro[0].email, null) + }, + var.fast_stage_2["network_security"].enabled != true ? {} : { + network_security = { + bucket = module.nsec-bucket[0].name + sa = { + apply = module.nsec-sa-rw[0].email + plan = module.nsec-sa-ro[0].email + } } - } - project_factory = { - bucket = try(module.pf-bucket[0].name, null) - sa = { - apply = try(module.netsec-sa-rw[0].email, null) - plan = try(module.netsec-sa-ro[0].email, null) + }, + var.fast_stage_2["project_factory"].enabled != true ? {} : { + project_factory = { + bucket = module.pf-bucket[0].name + sa = { + apply = module.pf-sa-rw[0].email + plan = module.pf-sa-ro[0].email + } } - } - security = { - bucket = try(module.sec-bucket[0].name, null) - sa = { - apply = try(module.sec-sa-rw[0].email, null) - plan = try(module.sec-sa-ro[0].email, null) + }, + var.fast_stage_2["security"].enabled != true ? {} : { + security = { + bucket = module.sec-bucket[0].name + sa = { + apply = module.sec-sa-rw[0].email + plan = module.sec-sa-ro[0].email + } } } - } + ) _cicd_workflow_attrs = merge( # stage 2s { @@ -66,7 +74,7 @@ locals { plan = "2-${replace(k, "_", "-")}-providers-r.tf" } tf_var_files = local.cicd_workflow_files.stage_2 - } if lookup(local.cicd_repositories, k, null) == null + } if lookup(local.cicd_repositories, k, null) != null }, # stage 3 { 
@@ -107,8 +115,8 @@ locals { backend_extra = null bucket = v.bucket name = "networking" - sa = v.sa.rw - }) if var.fast_stage_2[k].enabled == true + sa = v.sa.apply + }) }, { for k, v in local._stage2_outputs_attrs : @@ -116,8 +124,8 @@ locals { backend_extra = null bucket = v.bucket name = "networking" - sa = v.sa.ro - }) if var.fast_stage_2[k].enabled == true + sa = v.sa.plan + }) }, # stage 3 { diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index b78cb2bfc2..b774089ae8 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -115,7 +115,7 @@ module "net-folder" { condition = { expression = format( "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - "roles/compute.networkUser" + "'roles/compute.networkUser', 'roles/composer.sharedVpcAgent', 'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user'" ) title = "project factory project delegated admin" description = "Project factory delegated grant." diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 197c8f22f9..824cb03ff7 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf @@ -71,7 +71,7 @@ module "sec-folder" { condition = { expression = format( "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - "roles/cloudkms.cryptoKeyEncrypterDecrypter" + "'roles/cloudkms.cryptoKeyEncrypterDecrypter'" ) title = "pf_delegated_grant" description = "Project factory delegated grant." diff --git a/fast/stages/1-resman/tenant-root.tf b/fast/stages/1-resman/tenant-root.tf index 84df154ecb..96fedad985 100644 --- a/fast/stages/1-resman/tenant-root.tf +++ b/fast/stages/1-resman/tenant-root.tf 
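Review bot: In the stage-2-networking.tf hunk the role list for the `hasOnly([...])` condition is a single string with hand-placed quotes, and it grows from one delegated role to four with no comment saying why each is needed. Since this expression bounds what the project factory can grant on the folder, keep the roles as a list and quote them mechanically, e.g. `join(", ", formatlist("'%s'", ["roles/compute.networkUser", "roles/vpcaccess.user"]))` with the full set, and add a short comment per role. The same quoting pattern applies to the stage-2-security.tf hunk that follows. Both module blocks start and end outside their hunks.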
@@ -42,60 +42,35 @@ module "automation-project" { (var.tag_names.context) = { description = "Resource management context." iam = try(local.tags.context.iam, {}) - values = { - data = { - iam = try(local.tags.context.values.data.iam, {}) - description = try(local.tags.context.values.data.description, null) - } - gke = { - iam = try(local.tags.context.values.gke.iam, {}) - description = try(local.tags.context.values.gke.description, null) - } - gcve = { - iam = try(local.tags.context.values.gcve.iam, {}) - description = try(local.tags.context.values.gcve.description, null) - } - networking = { - iam = try(local.tags.context.values.networking.iam, {}) - description = try(local.tags.context.values.networking.description, null) - } - project-factory = { - iam = try(local.tags.context.values.project-factory.iam, {}) - description = try(local.tags.context.values.project-factory.description, null) - } - sandbox = { - iam = try(local.tags.context.values.sandbox.iam, {}) - description = try(local.tags.context.values.sandbox.description, null) + values = merge( + try(local.tags["context"]["values"], {}), + { + for k, v in local.tag_values_stage2 : v => { + iam = try(local.tags.context.values.iam[v], {}) + description = try(local.tags.context.values.description[v], null) + } if var.fast_stage_2[k].enabled } - security = { - iam = try(local.tags.context.values.security.iam, {}) - description = try(local.tags.context.values.security.description, null) - } - } - } + ) + }, (var.tag_names.environment) = { description = "Environment definition." 
iam = try(local.tags.environment.iam, {}) values = { - (var.environment_names["dev"]) = { - iam = try(local.tags.environment.values.development.iam, {}) - iam_bindings = { - pf = { - members = [module.branch-pf-sa.iam_email] - role = "roles/resourcemanager.tagUser" - } - } - description = try(local.tags.environment.values.development.description, null) - } - (var.environment_names["prod"]) = { - iam = try(local.tags.environment.values.production.iam, {}) - iam_bindings = { - pf = { - members = [module.branch-pf-sa.iam_email] - role = "roles/resourcemanager.tagUser" + for k, v in var.environment_names : v => { + iam = try(local.tags.environment.values[v].iam, {}) + iam_bindings = ( + !var.fast_stage_2.project_factory.enabled + ? {} + : { + pf = { + members = [module.pf-sa-rw[0].iam_email] + role = "roles/resourcemanager.tagUser" + } } - } - description = try(local.tags.environment.values.production.description, null) + ) + description = try( + local.tags.environment.values[v].description, null + ) } } } diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf index e1c1d77a7f..6698eb0442 100644 --- a/fast/stages/1-resman/variables-fast.tf +++ b/fast/stages/1-resman/variables-fast.tf @@ -54,11 +54,11 @@ variable "custom_roles" { # tfdoc:variable:source 0-bootstrap description = "Custom roles defined at the org level, in key => id format." type = object({ - network_firewall_policies_admin = string organization_admin_viewer = string service_project_network_admin = string storage_viewer = string gcve_network_admin = optional(string) + network_firewall_policies_admin = optional(string) ngfw_enterprise_admin = optional(string) ngfw_enterprise_viewer = optional(string) }) From b4c85bb0661483904d953d525fc8b7d095762c5d Mon Sep 17 00:00:00 2001 
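Review bot: In the context tag `values` comprehension the lookups read `local.tags.context.values.iam[v]` and `local.tags.context.values.description[v]`, which index a tag value named `iam` or `description` rather than the value `v`. The removed code used `values.<name>.iam`. Both lookups are wrapped in `try`, so the miss is silent, and the generated map is the later argument of `merge`, so it replaces any user-supplied entry with the same key. IAM configured on a stage 2 context value would therefore be dropped to `{}`. The lines should read `iam = try(local.tags.context.values[v].iam, {})` and `description = try(local.tags.context.values[v].description, null)`; the enclosing module block starts outside the hunk.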
From: Ludo Date: Tue, 24 Sep 2024 15:09:31 +0200 Subject: [PATCH 18/94] fix tag value roles in stage 1 --- fast/stages/1-resman/organization.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index fe26309d92..0841344a4c 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -17,7 +17,7 @@ # tfdoc:file:description Organization policies. locals { - # service accounts context for user-specified tag values + # service accounts expansion for user-specified tag values tags = { for k, v in var.tags : k => merge(v, { values = { @@ -67,15 +67,19 @@ module "organization" { iam = try(local.tags.environment.iam, {}) values = { for k, v in var.environment_names : v => { - iam = try(local.tags.environment.values[v].iam, {}) - iam_bindings = ( + iam = merge( + try(local.tags.environment.values[v].iam, {}), !var.fast_stage_2.project_factory.enabled ? {} : { - pf = { - members = [module.pf-sa-rw[0].iam_email] - role = "roles/resourcemanager.tagUser" - } + "roles/resourcemanager.tagUser" = distinct(concat( + try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"]), + [module.pf-sa-rw[0].iam_email] + )) + "roles/resourcemanager.tagViewer" = distinct(concat( + try(local.tags.environment.values[v].iam["roles/resourcemanager.tagViewer"]), + [module.pf-sa-ro[0].iam_email] + )) } ) description = try( From 67a563abcc0781104e5b55b435b92963a9d8d0e2 Mon Sep 17 00:00:00 2001 
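Review bot: The two `try(...)` calls inside `concat` in the `@@ -67,15 +67,19 @@` hunk have no fallback argument. When `local.tags.environment.values[v].iam` has no entry for the role, `try` raises the error itself instead of yielding an empty list, so the plan would fail with project factory enabled and no user IAM set for that tag value. Each call needs a default: `try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"], [])`, and likewise for `roles/resourcemanager.tagViewer`. A short comment that these two keys are re-stated because the second `merge` argument overrides the same keys from the first would explain the `distinct(concat(...))`. The `module "organization"` block continues outside the hunk.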
From: Ludo Date: Tue, 24 Sep 2024 15:30:08 +0200 Subject: [PATCH 19/94] remove checklist, fix stage 1 tests --- fast/stages/1-resman/README.md | 17 +- fast/stages/1-resman/checklist.tf | 111 --- fast/stages/1-resman/outputs.tf | 11 +- fast/stages/1-resman/variables.tf | 1 - tests/fast/stages/s1_resman/checklist.tfvars | 44 - tests/fast/stages/s1_resman/checklist.yaml | 433 ---------- tests/fast/stages/s1_resman/simple.tfvars | 150 ++-- tests/fast/stages/s1_resman/simple.yaml | 840 +++++++++++++------ tests/fast/stages/s1_resman/tftest.yaml | 3 - 9 files changed, 686 insertions(+), 924 deletions(-) delete mode 100644 fast/stages/1-resman/checklist.tf delete mode 100644 tests/fast/stages/s1_resman/checklist.tfvars delete mode 100644 tests/fast/stages/s1_resman/checklist.yaml diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 53a7b5934b..fb897a44c0 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -246,7 +246,6 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md |---|---|---|---| | [_moved-v34.0.0.tf](./_moved-v34.0.0.tf) | None | | | | [billing.tf](./billing.tf) | Billing resources for external billing use cases. | | google_billing_account_iam_member | -| [checklist.tf](./checklist.tf) | None | folder | | | [iam.tf](./iam.tf) | Organization or root node-level IAM bindings. | | | | [main.tf](./main.tf) | Module-level locals and resources. | | | | [organization.tf](./organization.tf) | Organization policies. | organization | | 
@@ -277,23 +276,23 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | | [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [environment_names](variables.tf#L20) | Long environment names. | object({…}) | | {…} | | -| [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | | +| [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | | | [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | | | [fast_stage_3](variables-stages.tf#L97) | FAST stages 3 configurations. | map(object({…})) | | {} | | | [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | | [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | -| [outputs_location](variables.tf#L44) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [outputs_location](variables.tf#L43) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | | [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | -| [tag_names](variables.tf#L50) | Customized names for resource management tags. | object({…}) | | {} | | -| [tags](variables.tf#L64) | Custom secure tags by key name. 
The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | +| [tag_names](variables.tf#L49) | Customized names for resource management tags. | object({…}) | | {} | | +| [tags](variables.tf#L63) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | | [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | ## Outputs | name | description | sensitive | consumers | |---|---|:---:|---| -| [cicd_repositories](outputs.tf#L49) | WIF configuration for CI/CD repositories. | | | -| [folder_ids](outputs.tf#L61) | Folder ids. | | | -| [providers](outputs.tf#L67) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | -| [tfvars](outputs.tf#L75) | Terraform variable files for the following stages. | ✓ | | +| [cicd_repositories](outputs.tf#L48) | WIF configuration for CI/CD repositories. | | | +| [folder_ids](outputs.tf#L60) | Folder ids. | | | +| [providers](outputs.tf#L66) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | +| [tfvars](outputs.tf#L74) | Terraform variable files for the following stages. | ✓ | | diff --git a/fast/stages/1-resman/checklist.tf b/fast/stages/1-resman/checklist.tf deleted file mode 100644 index 55b57bc8c0..0000000000 --- a/fast/stages/1-resman/checklist.tf +++ /dev/null 
@@ -1,111 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - # parse raw data from JSON files if they exist - _cl_data_raw = ( - var.factories_config.checklist_data == null - ? null - : jsondecode(file(pathexpand(var.factories_config.checklist_data))) - ) - # check that files are for the correct organization and ignore them if not - _cl_data = ( - try(local._cl_data_raw.cloud_setup_config.organization.id, null) != tostring(var.organization.id) - ? null - : local._cl_data_raw.cloud_setup_config - ) - # normalized IAM bindings one element per binding - _cl_iam = local._cl_data == null ? [] : flatten([ - for v in try(local._cl_data.access_control, []) : [ - for r in v.role : { - principal = v.principal - resource_id = v.resource.id - role = r - } if v.resource.type == "FOLDER" - ] - ]) - # compile the final data structure we will consume from various places - checklist = { - hierarchy = local._cl_data == null ? {} : { - for v in try(local._cl_data.folders, []) : v.reference_id => { - level = length(split("/", v.reference_id)) - name = v.display_name - parent_id = v.parent - } - } - iam = { - for v in local._cl_iam : v.resource_id => v... 
- } - } -} - -check "checklist" { - # version mismatch might be ok, we just alert users - assert { - condition = ( - var.factories_config.checklist_data == null || - try(local._cl_data_raw.cloud_setup_config.version, null) == "0.1.0" - ) - error_message = "Checklist data version mismatch." - } - # wrong org id forces us to ignore the files, but we also alert users - assert { - condition = ( - var.factories_config.checklist_data == null || - try(local._cl_data_raw.cloud_setup_config.organization.id, null) == tostring(var.organization.id) - ) - error_message = "Checklist data organization id mismatch, file ignored." - } -} - -module "checklist-folder-1" { - source = "../../../modules/folder" - for_each = { - for k, v in local.checklist.hierarchy : k => v if v.level == 1 - } - parent = "organizations/${var.organization.id}" - name = each.value.name - iam = { - for v in try(local.checklist.iam[each.key], []) : - v.role => v.principal... - } -} - -module "checklist-folder-2" { - source = "../../../modules/folder" - for_each = { - for k, v in local.checklist.hierarchy : k => v if v.level == 2 - } - parent = module.checklist-folder-1[each.value.parent_id].id - name = each.value.name - iam = { - for v in try(local.checklist.iam[each.key], []) : - v.role => v.principal... - } -} - -module "checklist-folder-3" { - source = "../../../modules/folder" - for_each = { - for k, v in local.checklist.hierarchy : k => v if v.level == 3 - } - parent = module.checklist-folder-2[each.value.parent_id].id - name = each.value.name - iam = { - for v in try(local.checklist.iam[each.key], []) : - v.role => v.principal... - } -} diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index fc26a56ead..1eb3b3be05 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf 
@@ -37,12 +37,11 @@ locals { local.top_level_service_accounts ) tfvars = { - checklist_hierarchy = local.checklist.hierarchy - folder_ids = local.folder_ids - service_accounts = local.service_accounts - tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } - tag_names = var.tag_names - tag_values = { for k, v in try(local.tag_values, {}) : k => v.id } + folder_ids = local.folder_ids + service_accounts = local.service_accounts + tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } + tag_names = var.tag_names + tag_values = { for k, v in try(local.tag_values, {}) : k => v.id } } } diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf index 734695edff..adc6c803b3 100644 --- a/fast/stages/1-resman/variables.tf +++ b/fast/stages/1-resman/variables.tf @@ -32,7 +32,6 @@ variable "environment_names" { variable "factories_config" { description = "Configuration for the resource factories or external data." type = object({ - checklist_data = optional(string) org_policies = optional(string, "data/org-policies") stage_3 = optional(string, "data/stage-3") top_level_folders = optional(string, "data/top-level-folders") diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars deleted file mode 100644 index 3684f0f770..0000000000 --- a/tests/fast/stages/s1_resman/checklist.tfvars +++ /dev/null 
@@ -1,44 +0,0 @@ -automation = { - federated_identity_pool = null - federated_identity_providers = null - project_id = "fast-prod-automation" - project_number = 123456 - outputs_bucket = "test" - service_accounts = { - resman-r = "ldj-prod-resman-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com" - } -} -billing_account = { - id = "000000-111111-222222" -} -custom_roles = { - # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin", - gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" - network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" - network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer" - ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" - ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" - organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" - service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" - storage_viewer = "organizations/123456789012/roles/storageViewer" -} -factories_config = { - checklist_data = "checklist-data.json" -} -groups = { - gcp-billing-admins = "gcp-billing-admins", - gcp-devops = "gcp-devops", - gcp-network-admins = "gcp-vpc-network-admins", - gcp-organization-admins = "gcp-organization-admins", - gcp-security-admins = "gcp-security-admins", - gcp-support = "gcp-support" -} -logging = { - project_id = "fast-prod-log-audit-0" -} -organization = { - domain = "fast.example.com" - id = 123456789012 - customer_id = "C00000000" -} -prefix = "fast2" diff --git a/tests/fast/stages/s1_resman/checklist.yaml b/tests/fast/stages/s1_resman/checklist.yaml deleted file mode 100644 index e06eec6ffd..0000000000 --- a/tests/fast/stages/s1_resman/checklist.yaml +++ /dev/null 
@@ -1,433 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -values: - module.checklist-folder-1["Common"].google_folder.folder[0]: - display_name: Common - parent: organizations/123456789012 - timeouts: null - module.checklist-folder-1["Department 1"].google_folder.folder[0]: - display_name: Department 1 - parent: organizations/123456789012 - timeouts: null - module.checklist-folder-1["Department 2"].google_folder.folder[0]: - display_name: Department 2 - parent: organizations/123456789012 - timeouts: null - module.checklist-folder-1["Department 3"].google_folder.folder[0]: - display_name: Department 3 - parent: organizations/123456789012 - timeouts: null - module.checklist-folder-2["Department 1/Team 1"].google_folder.folder[0]: - display_name: Team 1 - timeouts: null - module.checklist-folder-2["Department 1/Team 2"].google_folder.folder[0]: - display_name: Team 2 - timeouts: null - module.checklist-folder-2["Department 1/Team 3"].google_folder.folder[0]: - display_name: Team 3 - timeouts: null - module.checklist-folder-2["Department 1/Team 4"].google_folder.folder[0]: - display_name: Team 4 - timeouts: null - module.checklist-folder-2["Department 2/Team 1"].google_folder.folder[0]: - display_name: Team 1 - timeouts: null - module.checklist-folder-2["Department 2/Team 2"].google_folder.folder[0]: - display_name: Team 2 - timeouts: null - module.checklist-folder-2["Department 2/Team 3"].google_folder.folder[0]: - display_name: 
Team 3 - timeouts: null - module.checklist-folder-2["Department 2/Team 4"].google_folder.folder[0]: - display_name: Team 4 - timeouts: null - module.checklist-folder-2["Department 3/Team 1"].google_folder.folder[0]: - display_name: Team 1 - timeouts: null - module.checklist-folder-2["Department 3/Team 2"].google_folder.folder[0]: - display_name: Team 2 - timeouts: null - module.checklist-folder-2["Department 3/Team 3"].google_folder.folder[0]: - display_name: Team 3 - timeouts: null - module.checklist-folder-2["Department 3/Team 4"].google_folder.folder[0]: - display_name: Team 4 - timeouts: null - module.checklist-folder-3["Department 1/Team 1/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 1/Team 1/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 1/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 1/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 1/Team 1/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? 
module.checklist-folder-3["Department 1/Team 1/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 1/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 1/Team 2/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 1/Team 2/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 2/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 2/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 1/Team 2/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 2/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 2/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 1/Team 3/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? 
module.checklist-folder-3["Department 1/Team 3/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 3/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 3/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 1/Team 3/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 3/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 3/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 1/Team 4/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 1/Team 4/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 4/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 4/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? 
module.checklist-folder-3["Department 1/Team 4/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 1/Team 4/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 1/Team 4/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 2/Team 1/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 2/Team 1/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 1/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 1/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 2/Team 1/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? 
module.checklist-folder-3["Department 2/Team 1/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 1/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 2/Team 2/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 2/Team 2/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 2/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 2/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 2/Team 2/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 2/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 2/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 2/Team 3/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? 
module.checklist-folder-3["Department 2/Team 3/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 3/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 3/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 2/Team 3/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 3/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 3/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 2/Team 4/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 2/Team 4/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 4/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 4/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? 
module.checklist-folder-3["Department 2/Team 4/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 2/Team 4/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 2/Team 4/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 3/Team 1/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 3/Team 1/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 1/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 1/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 3/Team 1/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? 
module.checklist-folder-3["Department 3/Team 1/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 1/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 3/Team 2/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 3/Team 2/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 2/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 2/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 3/Team 2/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 2/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 2/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 3/Team 3/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? 
module.checklist-folder-3["Department 3/Team 3/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 3/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 3/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? module.checklist-folder-3["Department 3/Team 3/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 3/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 3/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - module.checklist-folder-3["Department 3/Team 4/Development"].google_folder.folder[0]: - display_name: Development - timeouts: null - ? module.checklist-folder-3["Department 3/Team 4/Development"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 4/Development"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 4/Non-Production"].google_folder.folder[0]: - display_name: Non-Production - timeouts: null - ? 
module.checklist-folder-3["Department 3/Team 4/Non-Production"].google_folder_iam_binding.authoritative["roles/compute.instanceAdmin.v1"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/compute.instanceAdmin.v1 - ? module.checklist-folder-3["Department 3/Team 4/Non-Production"].google_folder_iam_binding.authoritative["roles/container.admin"] - : condition: [] - members: - - group:gcp-developers@fast.example.com - role: roles/container.admin - module.checklist-folder-3["Department 3/Team 4/Production"].google_folder.folder[0]: - display_name: Production - timeouts: null - -counts: - google_folder: 67 - google_folder_iam_binding: 128 - google_organization_iam_member: 14 - google_project_iam_member: 24 - google_service_account: 24 - google_service_account_iam_binding: 24 - google_storage_bucket: 12 - google_storage_bucket_iam_binding: 24 - google_storage_bucket_iam_member: 24 - google_storage_bucket_object: 25 - google_tags_tag_binding: 16 - google_tags_tag_key: 2 - google_tags_tag_value: 5 - google_tags_tag_value_iam_binding: 2 - modules: 104 - resources: 391 diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars index 046f45fdf4..0c6dd8fd3c 100644 --- a/tests/fast/stages/s1_resman/simple.tfvars +++ b/tests/fast/stages/s1_resman/simple.tfvars 
@@ -1,27 +1,8 @@ -automation = { - federated_identity_pool = null - federated_identity_providers = null - project_id = "fast-prod-automation" - project_number = 123456 - outputs_bucket = "test" - service_accounts = { - resman-r = "ldj-prod-resman-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com" - } -} +# globals + billing_account = { id = "000000-111111-222222" } -custom_roles = { - # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin", - gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" - network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" - network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer" - ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" - ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" - organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" - service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" - storage_viewer = "organizations/123456789012/roles/storageViewer" -} groups = { gcp-billing-admins = "gcp-billing-admins", gcp-devops = "gcp-devops", 
@@ -30,46 +11,117 @@ groups = { gcp-security-admins = "gcp-security-admins", gcp-support = "gcp-support" } -logging = { - project_id = "fast-prod-log-audit-0" -} organization = { domain = "fast.example.com" id = 123456789012 customer_id = "C00000000" } prefix = "fast2" -folder_iam = { - data_platform = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] - } - gcve = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] - } - gke = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] + +# stage 0 + +automation = { + federated_identity_pool = "projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap" + federated_identity_providers = { + gh-test = { + audiences = [ + "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno" + ], + issuer = "github", + issuer_uri = "https://token.actions.githubusercontent.com" + name = "projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno" + principal_branch = "principalSet://iam.googleapis.com/%s/attribute.fast_sub/repo:%s:ref:refs/heads/%s" + principal_repo = "principalSet://iam.googleapis.com/%s/attribute.repository/%s" + } + gl-test = { + audiences = [ + "https://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno" + ] + issuer = "gitlab" + issuer_uri = "https://gitlab.com" + name = "projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno" + principal_branch = "principalSet://iam.googleapis.com/%s/attribute.sub/project_path:%s:ref_type:branch:ref:%s" + principal_repo = "principalSet://iam.googleapis.com/%s/attribute.repository/%s" + } + }, + 
outputs_bucket = "fast2-prod-iac-core-outputs" + project_id = "fast2-prod-automation" + project_number = 123456 + service_accounts = { + resman-r = "fast2-prod-resman-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com" } - sandbox = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] +} +custom_roles = { + # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin", + gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" + network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" + network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer" + ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" + ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" + organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" + service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" + storage_viewer = "organizations/123456789012/roles/storageViewer" +} +logging = { + project_id = "fast-prod-log-audit-0" +} + +# stage variables + +fast_stage_2 = { + networking = { + cicd_config = { + identity_provider = "gh-test" + repository = { + branch = "main" + name = "test/00-networking" + type = "github" + } + } } security = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] + cicd_config = { + identity_provider = "gl-test" + repository = { + name = "test/00-security" + type = "gitlab" + } + } } - network = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] +} +tags = { + context = { + values = { + data-platform = {} + gcve = {} + gke = {} + nsec = {} + sandbox = {} + } } - teams = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = 
["user:extra-browser@fast.example.com"] + environment = { + values = { + development = { + iam = { + "roles/resourcemanager.tagUser" = ["project-factory-dev"] + "roles/resourcemanager.tagViewer" = ["project-factory-dev-r"] + } + } + production = { + iam = { + "roles/resourcemanager.tagUser" = ["project-factory-prod"] + "roles/resourcemanager.tagViewer" = ["project-factory-prod-r"] + } + } + } } +} +top_level_folders = { tenants = { - "roles/owner" = ["user:extra-owner@fast.example.com"] - "roles/browser" = ["user:extra-browser@fast.example.com"] + name = "Tenants" + automation = { + enable = false + } + iam_by_principals = {} } } diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 126c94f9e9..d3561bc692 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
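Review bot: The `security` entry under `fast_stage_2` sets `repository.name` and `type` but no `branch`, and the expected plan in simple.yaml (hunk `@@ -13,11 +13,178 @@`) then binds `roles/iam.workloadIdentityUser` on `module.cicd-sa-rw["security"]` to `attribute.repository/test/00-security`. That matches every ref in the repository, whereas the networking read-write account is limited to `ref:refs/heads/main`, so the fixture pins a repo-wide binding for a read-write service account as expected behaviour. If the no-branch fallback is what this case is meant to cover, say so above the block with `# no branch on purpose: exercises the repo-wide principal fallback`; otherwise add `branch = "main"` so the test asserts the restricted principal. The code that builds these principals is outside this hunk, so whether a missing branch should be rejected for read-write accounts needs to be confirmed there.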
@@ -13,11 +13,178 @@ # limitations under the License. values: + google_storage_bucket_object.providers["2-networking"]: + bucket: fast2-prod-iac-core-outputs + name: providers/2-networking-providers.tf + google_storage_bucket_object.providers["2-networking-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/2-networking-r-providers.tf + google_storage_bucket_object.providers["2-project-factory"]: + bucket: fast2-prod-iac-core-outputs + name: providers/2-project-factory-providers.tf + google_storage_bucket_object.providers["2-project-factory-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/2-project-factory-r-providers.tf + google_storage_bucket_object.providers["2-security"]: + bucket: fast2-prod-iac-core-outputs + name: providers/2-security-providers.tf + google_storage_bucket_object.providers["2-security-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/2-security-r-providers.tf + google_storage_bucket_object.providers["3-data-platform-dev"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-data-platform-dev-providers.tf + google_storage_bucket_object.providers["3-data-platform-dev-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-data-platform-dev-r-providers.tf + google_storage_bucket_object.providers["3-data-platform-prod"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-data-platform-prod-providers.tf + google_storage_bucket_object.providers["3-data-platform-prod-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-data-platform-prod-r-providers.tf + google_storage_bucket_object.providers["3-gcve-dev"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gcve-dev-providers.tf + google_storage_bucket_object.providers["3-gcve-dev-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gcve-dev-r-providers.tf + google_storage_bucket_object.providers["3-gcve-prod"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gcve-prod-providers.tf + 
google_storage_bucket_object.providers["3-gcve-prod-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gcve-prod-r-providers.tf + google_storage_bucket_object.providers["3-gke-dev"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gke-dev-providers.tf + google_storage_bucket_object.providers["3-gke-dev-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gke-dev-r-providers.tf + google_storage_bucket_object.providers["3-gke-prod"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gke-prod-providers.tf + google_storage_bucket_object.providers["3-gke-prod-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-gke-prod-r-providers.tf + google_storage_bucket_object.providers["3-project-factory-dev"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-project-factory-dev-providers.tf + google_storage_bucket_object.providers["3-project-factory-dev-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-project-factory-dev-r-providers.tf + google_storage_bucket_object.providers["3-project-factory-prod"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-project-factory-prod-providers.tf + google_storage_bucket_object.providers["3-project-factory-prod-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-project-factory-prod-r-providers.tf + google_storage_bucket_object.providers["3-sandbox"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-sandbox-providers.tf + google_storage_bucket_object.providers["3-sandbox-r"]: + bucket: fast2-prod-iac-core-outputs + name: providers/3-sandbox-r-providers.tf + google_storage_bucket_object.tfvars: + bucket: fast2-prod-iac-core-outputs + name: tfvars/1-resman.auto.tfvars.json + google_storage_bucket_object.workflows["networking"]: + bucket: fast2-prod-iac-core-outputs + name: workflows/networking-workflow.yaml + google_storage_bucket_object.workflows["security"]: + bucket: fast2-prod-iac-core-outputs + name: workflows/security-workflow.yaml + 
module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: + condition: [] + project: fast2-prod-automation + role: roles/logging.logWriter + module.cicd-sa-ro["networking"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-net-1r + create_ignore_already_exists: null + description: null + disabled: false + display_name: CI/CD 2-net prod service account (read-only). + project: fast2-prod-automation + timeouts: null + module.cicd-sa-ro["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]: + condition: [] + members: + - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/test/00-networking + role: roles/iam.workloadIdentityUser + ? module.cicd-sa-ro["networking"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"] + : bucket: fast2-prod-iac-core-outputs + condition: [] + role: roles/storage.objectViewer + module.cicd-sa-ro["security"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: + condition: [] + project: fast2-prod-automation + role: roles/logging.logWriter + module.cicd-sa-ro["security"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-1r + create_ignore_already_exists: null + description: null + disabled: false + display_name: CI/CD 2-sec prod service account (read-only). + project: fast2-prod-automation + timeouts: null + module.cicd-sa-ro["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]: + condition: [] + members: + - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/test/00-security + role: roles/iam.workloadIdentityUser + ? 
module.cicd-sa-ro["security"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"] + : bucket: fast2-prod-iac-core-outputs + condition: [] + role: roles/storage.objectViewer + module.cicd-sa-rw["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: + condition: [] + project: fast2-prod-automation + role: roles/logging.logWriter + module.cicd-sa-rw["networking"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-net-1 + create_ignore_already_exists: null + description: null + disabled: false + display_name: CI/CD 2-net prod service account. + project: fast2-prod-automation + timeouts: null + module.cicd-sa-rw["networking"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]: + condition: [] + members: + - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.fast_sub/repo:test/00-networking:ref:refs/heads/main + role: roles/iam.workloadIdentityUser + ? module.cicd-sa-rw["networking"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"] + : bucket: fast2-prod-iac-core-outputs + condition: [] + role: roles/storage.objectViewer + module.cicd-sa-rw["security"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: + condition: [] + project: fast2-prod-automation + role: roles/logging.logWriter + module.cicd-sa-rw["security"].google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-1 + create_ignore_already_exists: null + description: null + disabled: false + display_name: CI/CD 2-sec prod service account. 
+ project: fast2-prod-automation + timeouts: null + module.cicd-sa-rw["security"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]: + condition: [] + members: + - principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/attribute.repository/test/00-security + role: roles/iam.workloadIdentityUser + ? module.cicd-sa-rw["security"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectViewer"] + : bucket: fast2-prod-iac-core-outputs + condition: [] + role: roles/storage.objectViewer module.net-bucket[0].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -26,10 +193,12 @@ values: location: EU logging: [] name: fast2-prod-resman-net-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -38,47 +207,53 @@ values: bucket: fast2-prod-resman-net-0 condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.net-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-prod-resman-net-0 condition: [] members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.net-folder-dev[0].google_folder.folder[0]: + deletion_protection: false display_name: Development + tags: null timeouts: null module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder-prod[0].google_folder.folder[0]: + deletion_protection: false display_name: Production + tags: null timeouts: null module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder[0].google_folder.folder[0]: + deletion_protection: false display_name: Networking parent: organizations/123456789012 + tags: null timeouts: null ? 
module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] : condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: organizations/123456789012/roles/networkFirewallPoliciesAdmin module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: organizations/123456789012/roles/xpnServiceAdmin module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.networkViewer module.net-folder[0].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.net-folder[0].google_folder_iam_binding.authoritative["roles/editor"]: condition: [] 
@@ -88,50 +263,51 @@ values: module.net-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.net-folder[0].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: 
roles/serviceusage.serviceUsageAdmin module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/serviceusage.serviceUsageConsumer module.net-folder[0].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.net-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"]: condition: - description: Project factory delegated grant. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/compute.networkUser]) + expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/compute.networkUser', + 'roles/composer.sharedVpcAgent', 'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user']) title: project factory project delegated admin members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectIamAdmin module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_dev"]: condition: 
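Review bot: The expected `pf_delegated_grant` condition on `module.net-folder[0]` loses its `description` line in the same change that widens the `hasOnly` list from `roles/compute.networkUser` to four roles, adding `roles/composer.sharedVpcAgent`, `roles/container.hostServiceAgentUser` and `roles/vpcaccess.user`. The condition is what bounds the `roles/resourcemanager.projectIamAdmin` delegation to the project factory service account, so it is worth keeping self-describing for anyone auditing the folder policy. I would keep the description in the binding definition, which is not visible in this hunk and presumably sits in the stage source, for example `description = "Project factory delegated grant (Shared VPC service roles only)."`. The switch to quoted role names in the expression looks correct.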
@@ -153,9 +329,9 @@ values: role: roles/resourcemanager.projectIamAdmin module.net-folder[0].google_tags_tag_binding.binding["context"]: timeouts: null - ? module.net-sa-ro[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.net-sa-ro[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.net-sa-ro[0].google_service_account.service_account[0]: account_id: fast2-prod-resman-net-0r 
@@ -163,19 +339,20 @@ values: description: null disabled: false display_name: Terraform resman networking service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.net-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: null + members: + - serviceAccount:fast2-prod-resman-net-1r@fast2-prod-automation.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator - module.net-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: - bucket: test + ? module.net-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.net-sa-rw[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.net-sa-rw[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.net-sa-rw[0].google_service_account.service_account[0]: account_id: fast2-prod-resman-net-0 
@@ -183,69 +360,70 @@ values: description: null disabled: false display_name: Terraform resman networking service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.net-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: null + members: + - serviceAccount:fast2-prod-resman-net-1@fast2-prod-automation.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator - module.net-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + module.net-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]: + bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin module.organization[0].google_organization_iam_member.bindings["data-platform-dev"]: condition: [] - member: serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["data-platform-prod"]: condition: [] - member: serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["gcve-dev"]: condition: [] - member: serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["gcve-prod"]: condition: [] - member: serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + 
member: serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["gke-dev"]: condition: [] - member: serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["gke-prod"]: condition: [] - member: serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["project-factory-dev"]: condition: [] - member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["project-factory-prod"]: condition: [] - member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]: condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]: condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + 
member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/compute.orgFirewallPolicyAdmin module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]: condition: [] - member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/compute.xpnAdmin module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: @@ -255,17 +433,17 @@ values: ' title: org_policy_tag_pf_scoped - member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/orgpolicy.policyAdmin module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: condition: [] - member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/cloudasset.viewer module.organization[0].google_organization_iam_member.bindings["sandbox"]: condition: [] - member: serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + member: serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/billing.user module.organization[0].google_tags_tag_key.default["context"]: 
@@ -282,14 +460,34 @@ values: purpose_data: null short_name: environment timeouts: null + module.organization[0].google_tags_tag_value.default["context/data-platform"]: + description: Managed by the Terraform organization module. + short_name: data-platform + timeouts: null + module.organization[0].google_tags_tag_value.default["context/gcve"]: + description: Managed by the Terraform organization module. + short_name: gcve + timeouts: null + module.organization[0].google_tags_tag_value.default["context/gke"]: + description: Managed by the Terraform organization module. + short_name: gke + timeouts: null module.organization[0].google_tags_tag_value.default["context/networking"]: description: Managed by the Terraform organization module. short_name: networking timeouts: null + module.organization[0].google_tags_tag_value.default["context/nsec"]: + description: Managed by the Terraform organization module. + short_name: nsec + timeouts: null module.organization[0].google_tags_tag_value.default["context/project-factory"]: description: Managed by the Terraform organization module. short_name: project-factory timeouts: null + module.organization[0].google_tags_tag_value.default["context/sandbox"]: + description: Managed by the Terraform organization module. + short_name: sandbox + timeouts: null module.organization[0].google_tags_tag_value.default["context/security"]: description: Managed by the Terraform organization module. short_name: security 
@@ -302,21 +500,37 @@ values: description: Managed by the Terraform organization module. short_name: production timeouts: null - module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]: + module.organization[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser - module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]: + ? module.organization[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"] + : condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser + module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer module.pf-bucket[0].google_storage_bucket.bucket: autoclass: [] 
cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -325,10 +539,12 @@ values: location: EU logging: [] name: fast2-resman-pf-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: @@ -337,17 +553,17 @@ values: bucket: fast2-resman-pf-0 condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.pf-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-resman-pf-0 condition: [] members: - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - module.pf-sa-ro[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]: - condition: [] - project: fast-prod-automation + ? module.pf-sa-ro[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.pf-sa-ro[0].google_service_account.service_account[0]: account_id: fast2-resman-pf-0r 
@@ -355,19 +571,19 @@ values: description: null disabled: false display_name: Terraform resman project factory main service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.pf-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.pf-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: - bucket: test + ? module.pf-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - module.pf-sa-rw[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]: - condition: [] - project: fast-prod-automation + ? module.pf-sa-rw[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.pf-sa-rw[0].google_service_account.service_account[0]: account_id: fast2-resman-pf-0 
@@ -375,14 +591,14 @@ values: description: null disabled: false display_name: Terraform resman project factory main service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.pf-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.pf-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + module.pf-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]: + bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin module.sec-bucket[0].google_storage_bucket.bucket: @@ -390,6 +606,8 @@ values: cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -398,10 +616,12 @@ values: location: EU logging: [] name: fast2-prod-resman-sec-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -410,27 +630,29 @@ values: bucket: fast2-prod-resman-sec-0 condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.sec-bucket[0].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-prod-resman-sec-0 condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.sec-folder[0].google_folder.folder[0]: + deletion_protection: false display_name: Security parent: organizations/123456789012 + tags: null timeouts: null module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/cloudkms.cryptoKeyEncrypterDecrypter module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/cloudkms.viewer module.sec-folder[0].google_folder_iam_binding.authoritative["roles/editor"]: condition: [] 
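Review bot: The new `deletion_protection: false` expectation on `module.sec-folder[0].google_folder.folder[0]` pins the Security folder as removable by an ordinary destroy, and nothing visible here says that is deliberate. The same folder carries the `roles/cloudkms.*` bindings in this hunk and the `roles/owner` and `roles/logging.admin` bindings in the following one, so it is presumably the folder where protection matters most. If the value only reflects a module default, a comment beside the folder module call in the stage, for example `# deletion_protection left at module default (false) - enable for real organizations`, would record that. If protection is intended, this line should read `deletion_protection: true`. The `stage3-folder` entries later in the file repeat the same value.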
@@ -440,46 +662,46 @@ values: module.sec-folder[0].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.sec-folder[0].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.sec-folder[0].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer 
module.sec-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"]: condition: - description: Project factory delegated grant. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([roles/cloudkms.cryptoKeyEncrypterDecrypter]) + expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/cloudkms.cryptoKeyEncrypterDecrypter']) title: pf_delegated_grant members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectIamAdmin module.sec-folder[0].google_tags_tag_binding.binding["context"]: timeouts: null - ? module.sec-sa-ro[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.sec-sa-ro[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.sec-sa-ro[0].google_service_account.service_account[0]: account_id: fast2-prod-resman-sec-0r 
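Review bot: The corrected `expression` under `bindings["pf_delegated_grant"]` appears to be checked only as a literal string, so this inventory cannot distinguish a valid CEL condition from a malformed one; the unquoted form being removed sat in the expected values until now. This condition is what restricts `roles/resourcemanager.projectIamAdmin` for `fast2-resman-pf-0` to granting `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the Security folder, so a wrong expression is a privilege problem rather than a cosmetic one. I would add a comment next to the condition in the stage source, such as `# role names inside hasOnly([...]) must be quoted CEL strings`. If the harness allows it, also add a check that the role list is built from quoted values.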
@@ -487,19 +709,20 @@ values: description: null disabled: false display_name: Terraform resman security service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.sec-sa-ro[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: null + members: + - serviceAccount:fast2-prod-resman-sec-1r@fast2-prod-automation.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator - module.sec-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: - bucket: test + ? module.sec-sa-ro[0].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.sec-sa-rw[0].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.sec-sa-rw[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.sec-sa-rw[0].google_service_account.service_account[0]: account_id: fast2-prod-resman-sec-0 
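Review bot: `roles/iam.serviceAccountTokenCreator` on `module.sec-sa-ro[0]` changes from `members: null` to `fast2-prod-resman-sec-1r`, and the next hunk does the same for `module.sec-sa-rw[0]` with `fast2-prod-resman-sec-1`, but no visible part of this inventory shows which identities may act as those `-1`/`-1r` accounts. `fast2-prod-resman-sec-0` holds `roles/owner` on the Security folder in this same file, so the impersonation chain ends at that role and should be traceable from the expectations. The `pf-sa-ro` and `pf-sa-rw` entries earlier still expect `members: null`, so presumably only the security stage has CI/CD configured in the test inputs. A comment in those inputs saying so, plus an expected entry for the identity binding on the `sec-1` accounts, would make the grant reviewable.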
@@ -507,14 +730,15 @@ values: description: null disabled: false display_name: Terraform resman security service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.sec-sa-rw[0].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - members: null + members: + - serviceAccount:fast2-prod-resman-sec-1@fast2-prod-automation.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator - module.sec-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + module.sec-sa-rw[0].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]: + bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin module.stage3-bucket["data-platform-dev"].google_storage_bucket.bucket: @@ -522,6 +746,8 @@ values: cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -530,10 +756,12 @@ values: location: EU logging: [] name: fast2-dev-resman-dp-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -542,19 +770,21 @@ values: bucket: fast2-dev-resman-dp-0 condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-dev-resman-dp-0 condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["data-platform-prod"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -563,10 +793,12 @@ values: location: EU logging: [] name: fast2-prod-resman-dp-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -575,19 +807,21 @@ values: bucket: fast2-prod-resman-dp-0 condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-prod-resman-dp-0 condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["gcve-dev"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -596,10 +830,12 @@ values: location: EU logging: [] name: fast2-dev-resman-gcve-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -608,19 +844,21 @@ values: bucket: fast2-dev-resman-gcve-0 condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["gcve-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-dev-resman-gcve-0 condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["gcve-prod"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -629,10 +867,12 @@ values: location: EU logging: [] name: fast2-prod-resman-gcve-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -641,19 +881,21 @@ values: bucket: fast2-prod-resman-gcve-0 condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["gcve-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-prod-resman-gcve-0 condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["gke-dev"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -662,10 +904,12 @@ values: location: EU logging: [] name: fast2-dev-resman-gke-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -674,19 +918,21 @@ values: bucket: fast2-dev-resman-gke-0 condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["gke-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-dev-resman-gke-0 condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["gke-prod"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -695,10 +941,12 @@ values: location: EU logging: [] name: fast2-prod-resman-gke-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -707,19 +955,21 @@ values: bucket: fast2-prod-resman-gke-0 condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["gke-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-prod-resman-gke-0 condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["project-factory-dev"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -728,10 +978,12 @@ values: location: EU logging: [] name: fast2-dev-resman-pf-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -740,19 +992,21 @@ values: bucket: fast2-dev-resman-pf-0 condition: [] members: - - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["project-factory-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-dev-resman-pf-0 condition: [] members: - - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["project-factory-prod"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -761,10 +1015,12 @@ values: location: EU logging: [] name: fast2-prod-resman-pf-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -773,19 +1029,21 @@ values: bucket: fast2-prod-resman-pf-0 condition: [] members: - - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["project-factory-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-prod-resman-pf-0 condition: [] members: - - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-bucket["sandbox"].google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' enable_object_retention: null encryption: [] force_destroy: false @@ -794,10 +1052,12 @@ values: location: EU logging: [] name: fast2-dev-resman-sbx-0 - project: fast-prod-automation + project: fast2-prod-automation requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL + terraform_labels: + goog-terraform-provisioned: 'true' timeouts: null uniform_bucket_level_access: true versioning: 
@@ -806,300 +1066,314 @@ values: bucket: fast2-dev-resman-sbx-0 condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: bucket: fast2-dev-resman-sbx-0 condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer module.stage3-folder["data-platform-dev"].google_folder.folder[0]: + deletion_protection: false display_name: Development + tags: null timeouts: null module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - 
serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["environment"]: timeouts: null module.stage3-folder["data-platform-prod"].google_folder.folder[0]: + deletion_protection: false display_name: Production + tags: null timeouts: null module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - 
serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-dp-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer 
module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["environment"]: timeouts: null module.stage3-folder["gcve-dev"].google_folder.folder[0]: + deletion_protection: false display_name: Development + tags: null timeouts: null module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer 
module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.stage3-folder["gcve-dev"].google_tags_tag_binding.binding["environment"]: timeouts: null module.stage3-folder["gcve-prod"].google_folder.folder[0]: + deletion_protection: false display_name: Production + tags: null timeouts: null module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] 
members: - - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gcve-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.stage3-folder["gcve-prod"].google_tags_tag_binding.binding["environment"]: timeouts: null module.stage3-folder["gke-dev"].google_folder.folder[0]: + deletion_protection: false display_name: Development + tags: null timeouts: null module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - 
serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.stage3-folder["gke-dev"].google_tags_tag_binding.binding["environment"]: timeouts: null 
module.stage3-folder["gke-prod"].google_folder.folder[0]: + deletion_protection: false display_name: Production + tags: null timeouts: null module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - 
serviceAccount:fast2-prod-resman-gke-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-prod-resman-gke-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["environment"]: timeouts: null module.stage3-folder["sandbox"].google_folder.folder[0]: + deletion_protection: false display_name: Sandbox parent: organizations/123456789012 + tags: null timeouts: null module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/compute.xpnAdmin module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/logging.admin module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + - 
serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderViewer module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast2-dev-resman-sbx-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-dev-resman-sbx-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer module.stage3-folder["sandbox"].google_tags_tag_binding.binding["context"]: timeouts: null module.stage3-folder["sandbox"].google_tags_tag_binding.binding["environment"]: timeouts: null - ? module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["data-platform-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-dp-0r 
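Review bot: The added `deletion_protection: false` lines pin every stage-3 `google_folder.folder[0]` in this hunk to an unprotected state, including the Production folders for data-platform-prod, gcve-prod and gke-prod. The hunk does not show whether the value comes from a module default or from the stage definition, so it may only have been recorded from the plan output. If the production folders are meant to be guarded against an accidental destroy, the flag should be set per environment where the stage-3 folders are defined, and the three prod entries here would then read `deletion_protection: true`. If `false` is intended everywhere, a one-line comment at the default saying so would keep this expectation from being read as an oversight.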
@@ -1107,19 +1381,19 @@ values: description: null disabled: false display_name: Terraform resman data-platform-dev service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-ro["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["data-platform-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["data-platform-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["data-platform-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-dp-0r 
@@ -1127,19 +1401,19 @@ values: description: null disabled: false display_name: Terraform resman data-platform-prod service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-ro["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["gcve-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-gcve-0r 
@@ -1147,19 +1421,19 @@ values: description: null disabled: false display_name: Terraform resman gcve-dev service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-ro["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["gcve-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["gcve-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["gcve-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-gcve-0r 
@@ -1167,19 +1441,19 @@ values: description: null disabled: false display_name: Terraform resman gcve-prod service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-ro["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["gke-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["gke-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["gke-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-gke-0r 
@@ -1187,19 +1461,19 @@ values: description: null disabled: false display_name: Terraform resman gke-dev service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-ro["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["gke-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["gke-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["gke-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["gke-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["gke-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-gke-0r 
@@ -1207,19 +1481,19 @@ values: description: null disabled: false display_name: Terraform resman gke-prod service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-ro["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["gke-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["gke-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["project-factory-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["project-factory-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["project-factory-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-pf-0r 
@@ -1227,19 +1501,19 @@ values: description: null disabled: false display_name: Terraform resman project-factory-dev service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-ro["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["project-factory-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["project-factory-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["project-factory-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-pf-0r 
@@ -1247,19 +1521,19 @@ values: description: null disabled: false display_name: Terraform resman project-factory-prod service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-ro["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["sandbox"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-ro["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-ro["sandbox"].google_service_account.service_account[0]: account_id: fast2-dev-resman-sbx-0r 
@@ -1267,19 +1541,19 @@ values: description: null disabled: false display_name: Terraform resman sandbox service account (read-only). - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-ro["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["sandbox"].google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] - : bucket: test + ? module.stage3-sa-ro["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["data-platform-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-dp-0 
@@ -1287,19 +1561,19 @@ values: description: null disabled: false display_name: Terraform resman data-platform-dev service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-rw["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["data-platform-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["data-platform-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["data-platform-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-dp-0 
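Review bot: The expected binding `bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"]` gives the data-platform-dev read-write account `roles/storage.objectAdmin` on the whole `fast2-prod-iac-core-outputs` bucket with `condition: []`. The next two hunks expect the same grant for data-platform-prod and gcve-dev. The read-only bindings in the earlier hunks point every other stage-3 account at the same bucket, so it is shared across stages and environments. A dev account could therefore overwrite or delete objects that a prod stage reads. I would scope each grant to that stage's own object prefix with an IAM condition, for example `resource.name.startsWith("projects/_/buckets/fast2-prod-iac-core-outputs/objects/<STAGE_PREFIX>/")`, where the prefix is a placeholder. The fixture would then expect a non-empty `condition:` instead of `condition: []`.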
@@ -1307,19 +1581,19 @@ values: description: null disabled: false display_name: Terraform resman data-platform-prod service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-rw["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["gcve-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-gcve-0 
@@ -1327,19 +1601,19 @@ values: description: null disabled: false display_name: Terraform resman gcve-dev service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-rw["gcve-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["gcve-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["gcve-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["gcve-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["gcve-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-gcve-0 
@@ -1347,19 +1621,19 @@ values: description: null disabled: false display_name: Terraform resman gcve-prod service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-rw["gcve-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["gcve-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["gke-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["gke-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["gke-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-gke-0 
@@ -1367,19 +1641,19 @@ values: description: null disabled: false display_name: Terraform resman gke-dev service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-rw["gke-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["gke-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["gke-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["gke-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["gke-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["gke-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-gke-0 
@@ -1387,19 +1661,19 @@ values: description: null disabled: false display_name: Terraform resman gke-prod service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-rw["gke-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["gke-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["gke-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["project-factory-dev"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["project-factory-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["project-factory-dev"].google_service_account.service_account[0]: account_id: fast2-dev-resman-pf-0 
@@ -1407,19 +1681,19 @@ values: description: null disabled: false display_name: Terraform resman project-factory-dev service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-rw["project-factory-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["project-factory-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["project-factory-prod"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["project-factory-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["project-factory-prod"].google_service_account.service_account[0]: account_id: fast2-prod-resman-pf-0 
@@ -1427,19 +1701,19 @@ values: description: null disabled: false display_name: Terraform resman project-factory-prod service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null ? module.stage3-sa-rw["project-factory-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-rw["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"] - : bucket: test + ? module.stage3-sa-rw["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - ? module.stage3-sa-rw["sandbox"].google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + ? module.stage3-sa-rw["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - project: fast-prod-automation + project: fast2-prod-automation role: roles/serviceusage.serviceUsageConsumer module.stage3-sa-rw["sandbox"].google_service_account.service_account[0]: account_id: fast2-dev-resman-sbx-0 
@@ -1447,80 +1721,110 @@ values: description: null disabled: false display_name: Terraform resman sandbox service account. - project: fast-prod-automation + project: fast2-prod-automation timeouts: null module.stage3-sa-rw["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - module.stage3-sa-rw["sandbox"].google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: - bucket: test + ? module.stage3-sa-rw["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] + : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin module.top-level-folder["data-platform"].google_folder.folder[0]: + deletion_protection: false display_name: Data Platform parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["gcve"].google_folder.folder[0]: + deletion_protection: false display_name: GCVE parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["gke"].google_folder.folder[0]: + deletion_protection: false display_name: GKE parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["teams"].google_folder.folder[0]: + deletion_protection: false display_name: Teams parent: organizations/123456789012 + tags: null timeouts: null ? 
module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: organizations/123456789012/roles/xpnServiceAdmin module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/owner module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: condition: [] members: - - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]: timeouts: null + module.top-level-folder["tenants"].google_folder.folder[0]: + deletion_protection: false + display_name: Tenants + parent: organizations/123456789012 + tags: null + timeouts: null counts: - google_folder: 15 + google_folder: 
16 google_folder_iam_binding: 80 google_organization_iam_member: 14 - google_project_iam_member: 24 - google_service_account: 24 - google_service_account_iam_binding: 24 + google_project_iam_member: 28 + google_service_account: 28 + google_service_account_iam_binding: 28 google_storage_bucket: 12 google_storage_bucket_iam_binding: 24 - google_storage_bucket_iam_member: 24 - google_storage_bucket_object: 25 + google_storage_bucket_iam_member: 28 + google_storage_bucket_object: 27 google_tags_tag_binding: 16 google_tags_tag_key: 2 - google_tags_tag_value: 5 - google_tags_tag_value_iam_binding: 2 - modules: 52 - resources: 291 + google_tags_tag_value: 10 + google_tags_tag_value_iam_binding: 4 + modules: 57 + resources: 317 + +outputs: + cicd_repositories: + networking: + provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno + repository: + branch: main + name: test/00-networking + parent_id: null + type: github + security: + provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno + repository: + branch: null + name: test/00-security + type: gitlab diff --git a/tests/fast/stages/s1_resman/tftest.yaml b/tests/fast/stages/s1_resman/tftest.yaml index 2bdff45ff9..c09a159a68 100644 --- a/tests/fast/stages/s1_resman/tftest.yaml +++ b/tests/fast/stages/s1_resman/tftest.yaml @@ -15,7 +15,4 @@ module: fast/stages/1-resman tests: - checklist: - extra_files: - - ../../../tests/fast/stages/s0_bootstrap/data/checklist-data.json simple: From 37ac371d5b78f86c7adcd3544fc093a592072c56 Mon Sep 17 00:00:00 2001 From: Ludo Date: Tue, 24 Sep 2024 15:42:44 +0200 Subject: [PATCH 20/94] inventory --- tests/fast/stages/s1_resman/simple.yaml | 32 ------------------------- 1 file changed, 32 deletions(-) diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index d3561bc692..b9cdee459a 100644 
--- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml @@ -218,23 +218,17 @@ values: module.net-folder-dev[0].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null - timeouts: null module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder-prod[0].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null - timeouts: null module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder[0].google_folder.folder[0]: deletion_protection: false display_name: Networking parent: organizations/123456789012 - tags: null - timeouts: null ? module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] : condition: [] members: @@ -642,8 +636,6 @@ values: deletion_protection: false display_name: Security parent: organizations/123456789012 - tags: null - timeouts: null module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] members: @@ -1077,8 +1069,6 @@ values: module.stage3-folder["data-platform-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null - timeouts: null module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1119,8 +1109,6 @@ values: module.stage3-folder["data-platform-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null - timeouts: null module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: 
@@ -1161,8 +1149,6 @@ values: module.stage3-folder["gcve-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null - timeouts: null module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1203,8 +1189,6 @@ values: module.stage3-folder["gcve-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null - timeouts: null module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1245,8 +1229,6 @@ values: module.stage3-folder["gke-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null - timeouts: null module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1287,8 +1269,6 @@ values: module.stage3-folder["gke-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null - timeouts: null module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1330,8 +1310,6 @@ values: deletion_protection: false display_name: Sandbox parent: organizations/123456789012 - tags: null - timeouts: null module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: 
@@ -1735,32 +1713,24 @@ values: deletion_protection: false display_name: Data Platform parent: organizations/123456789012 - tags: null - timeouts: null module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["gcve"].google_folder.folder[0]: deletion_protection: false display_name: GCVE parent: organizations/123456789012 - tags: null - timeouts: null module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["gke"].google_folder.folder[0]: deletion_protection: false display_name: GKE parent: organizations/123456789012 - tags: null - timeouts: null module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["teams"].google_folder.folder[0]: deletion_protection: false display_name: Teams parent: organizations/123456789012 - tags: null - timeouts: null ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] members: @@ -1792,8 +1762,6 @@ values: deletion_protection: false display_name: Tenants parent: organizations/123456789012 - tags: null - timeouts: null counts: google_folder: 16 From 7353659ccd16259b87d878dee4858fa40b5f3236 Mon Sep 17 00:00:00 2001 From: Simone Ruffilli Date: Fri, 11 Oct 2024 12:02:58 +0200 Subject: [PATCH 21/94] Small bugfix --- fast/stages/1-resman/organization.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index 0841344a4c..2fa9b5222c 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf 
@@ -73,11 +73,11 @@ module "organization" { ? {} : { "roles/resourcemanager.tagUser" = distinct(concat( - try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"]), + try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"], []), [module.pf-sa-rw[0].iam_email] )) "roles/resourcemanager.tagViewer" = distinct(concat( - try(local.tags.environment.values[v].iam["roles/resourcemanager.tagViewer"]), + try(local.tags.environment.values[v].iam["roles/resourcemanager.tagViewer"], []), [module.pf-sa-ro[0].iam_email] )) } From 6fdf7e018789f704ff67a68fd6eb70396fb39566 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 17 Oct 2024 10:07:54 +0300 Subject: [PATCH 22/94] refactor context tag values --- fast/stages/1-resman/README.md | 2 +- .../data/top-level-folders/data-platform.yaml | 3 +- .../1-resman/data/top-level-folders/gcve.yaml | 3 +- .../1-resman/data/top-level-folders/gke.yaml | 3 +- .../sandbox.yaml | 9 +-- fast/stages/1-resman/organization.tf | 79 +++++++++++-------- .../schemas/top-level-folder.schema.json | 6 ++ fast/stages/1-resman/stage-3.tf | 5 +- fast/stages/1-resman/tenant-root.tf | 29 +------ fast/stages/1-resman/top-level-folders.tf | 19 +++-- .../1-resman/variables-toplevel-folders.tf | 2 + 11 files changed, 76 insertions(+), 84 deletions(-) rename fast/stages/1-resman/data/{stage-3 => top-level-folders}/sandbox.yaml (78%) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index fb897a44c0..b7c48e5b25 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -285,7 +285,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | | [tag_names](variables.tf#L49) | Customized names for resource management tags. | object({…}) | | {} | | | [tags](variables.tf#L63) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | -| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | +| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | ## Outputs diff --git a/fast/stages/1-resman/data/top-level-folders/data-platform.yaml b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml index cccc22111b..79ee2e4390 100644 --- a/fast/stages/1-resman/data/top-level-folders/data-platform.yaml +++ b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml @@ -17,5 +17,4 @@ name: Data Platform automation: enable: false -tag_bindings: - context: context/data-platform +context_name: data-platform \ No newline at end of file diff --git a/fast/stages/1-resman/data/top-level-folders/gcve.yaml b/fast/stages/1-resman/data/top-level-folders/gcve.yaml index 75802dda6e..4aa627d318 100644 --- a/fast/stages/1-resman/data/top-level-folders/gcve.yaml +++ b/fast/stages/1-resman/data/top-level-folders/gcve.yaml @@ -17,5 +17,4 @@ name: GCVE automation: enable: false -tag_bindings: - context: context/gcve +context_name: gcve \ No newline at end of file 
diff --git a/fast/stages/1-resman/data/top-level-folders/gke.yaml b/fast/stages/1-resman/data/top-level-folders/gke.yaml index a7630de32d..561dd4eda1 100644 --- a/fast/stages/1-resman/data/top-level-folders/gke.yaml +++ b/fast/stages/1-resman/data/top-level-folders/gke.yaml @@ -17,5 +17,4 @@ name: GKE automation: enable: false -tag_bindings: - context: context/gke +context_name: gke \ No newline at end of file diff --git a/fast/stages/1-resman/data/stage-3/sandbox.yaml b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml similarity index 78% rename from fast/stages/1-resman/data/stage-3/sandbox.yaml rename to fast/stages/1-resman/data/top-level-folders/sandbox.yaml index fb1f638aa5..cd12140856 100644 --- a/fast/stages/1-resman/data/stage-3/sandbox.yaml +++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml @@ -12,10 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json +# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json -short_name: sbx -folder_config: - name: Sandbox - tag_bindings: - context: context/sandbox +name: Sandbox +context_name: sandbox \ No newline at end of file diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index 2fa9b5222c..0c93c8ac4e 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf 
@@ -17,6 +17,49 @@ # tfdoc:file:description Organization policies. locals { + _context_tag_values_stage2 = { + for k, v in var.fast_stage_2 : + k => replace(k, "_", "-") if v.enabled + } + context_tag_values = merge( + try(local.tags["context"]["values"], {}), + # top-level folders + { + for k, v in local.top_level_folders : v.context_name => { + iam = try(local.tags.context.values.iam[v.context_name], {}) + description = try(local.tags.context.values.description[v.context_name], null) + } if v.context_name != null + }, + # stage 2s + { + for k, v in local._context_tag_values_stage2 : v => { + iam = try(local.tags.context.values.iam[v], {}) + description = try(local.tags.context.values.description[v], null) + } + }, + ) + environment_tag_values = { + for k, v in var.environment_names : v => { + iam = merge( + try(local.tags.environment.values[v].iam, {}), + !var.fast_stage_2.project_factory.enabled + ? {} + : { + "roles/resourcemanager.tagUser" = distinct(concat( + try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"], []), + [module.pf-sa-rw[0].iam_email] + )) + "roles/resourcemanager.tagViewer" = distinct(concat( + try(local.tags.environment.values[v].iam["roles/resourcemanager.tagViewer"], []), + [module.pf-sa-ro[0].iam_email] + )) + } + ) + description = try( + local.tags.environment.values[v].description, null + ) + } + } # service accounts expansion for user-specified tag values tags = { for k, v in var.tags : k => merge(v, { @@ -35,9 +78,6 @@ locals { } }) } - tag_values_stage2 = { - for k, v in var.fast_stage_2 : k => replace(k, "_", "-") if v.enabled - } } module "organization" { 
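Review bot: In `context_tag_values` the generated entries read `local.tags.context.values.iam[v.context_name]` and `local.tags.context.values.description[v.context_name]`, which address a tag value literally named `iam` or `description`, while `environment_tag_values` in the same block reads `local.tags.environment.values[v].iam`. If `values` is keyed by tag value name, as the environment lookup suggests, both `try()` calls always fall back to `{}` and `null`. Because these maps come after `try(local.tags["context"]["values"], {})` in the `merge()`, IAM or a description set in `var.tags` for a context value that shares its name with a top-level folder or stage 2 would be replaced without any error. I would change the lookups to `try(local.tags.context.values[v.context_name].iam, {})` for folders and `try(local.tags.context.values[v].iam, {})` for stage 2s, with the matching change for `description`. The `locals` block continues past the end of this hunk.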
@@ -52,41 +92,12 @@ module "organization" { (var.tag_names.context) = { description = "Resource management context." iam = try(local.tags.context.iam, {}) - values = merge( - try(local.tags["context"]["values"], {}), - { - for k, v in local.tag_values_stage2 : v => { - iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], null) - } if var.fast_stage_2[k].enabled - } - ) + values = local.context_tag_values }, (var.tag_names.environment) = { description = "Environment definition." iam = try(local.tags.environment.iam, {}) - values = { - for k, v in var.environment_names : v => { - iam = merge( - try(local.tags.environment.values[v].iam, {}), - !var.fast_stage_2.project_factory.enabled - ? {} - : { - "roles/resourcemanager.tagUser" = distinct(concat( - try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"], []), - [module.pf-sa-rw[0].iam_email] - )) - "roles/resourcemanager.tagViewer" = distinct(concat( - try(local.tags.environment.values[v].iam["roles/resourcemanager.tagViewer"], []), - [module.pf-sa-ro[0].iam_email] - )) - } - ) - description = try( - local.tags.environment.values[v].description, null - ) - } - } + values = local.environment_tag_values } }) } diff --git a/fast/stages/1-resman/schemas/top-level-folder.schema.json b/fast/stages/1-resman/schemas/top-level-folder.schema.json index 88263edc32..614a3371c8 100644 --- a/fast/stages/1-resman/schemas/top-level-folder.schema.json +++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json @@ -19,6 +19,12 @@ } } }, + "contacts": { + "type": "string" + }, + "context_name": { + "type": "string" + }, "iam": { "$ref": "#/$defs/iam" }, diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index ddc18ccd0b..3355b55701 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf 
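Review bot: The new `contacts` property is declared as `"type": "string"`, but the same commit reads it in top-level-folders.tf as `try(v.contacts, {})` and the variable types it as `optional(map(list(string)), {})`. A folder file with a valid contacts map would be flagged by schema validation, while a plain string that passes the schema would not match the variable's type. Declaring it as `"contacts": {"type": "object", "additionalProperties": {"type": "array", "items": {"type": "string"}}}` would keep the schema in step with the variable.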
@@ -97,6 +97,7 @@ locals { ] ] ]) + stage3_shortnames = distinct([for k, v in local.stage3 : v.short_name]) } # top-level folder @@ -131,8 +132,8 @@ module "stage3-folder" { environment = local.tag_values["environment/${var.environment_names[each.value.environment]}"].id }, { - for k, v in each.value.folder_config.tag_bindings : k => lookup( - local.top_level_tags, v, v + for k, v in each.value.folder_config.tag_bindings : k => try( + local.tag_values[v].id, v ) } ) diff --git a/fast/stages/1-resman/tenant-root.tf b/fast/stages/1-resman/tenant-root.tf index 96fedad985..e5d79c717c 100644 --- a/fast/stages/1-resman/tenant-root.tf +++ b/fast/stages/1-resman/tenant-root.tf @@ -42,37 +42,12 @@ module "automation-project" { (var.tag_names.context) = { description = "Resource management context." iam = try(local.tags.context.iam, {}) - values = merge( - try(local.tags["context"]["values"], {}), - { - for k, v in local.tag_values_stage2 : v => { - iam = try(local.tags.context.values.iam[v], {}) - description = try(local.tags.context.values.description[v], null) - } if var.fast_stage_2[k].enabled - } - ) + values = local.context_tag_values }, (var.tag_names.environment) = { description = "Environment definition." iam = try(local.tags.environment.iam, {}) - values = { - for k, v in var.environment_names : v => { - iam = try(local.tags.environment.values[v].iam, {}) - iam_bindings = ( - !var.fast_stage_2.project_factory.enabled - ? {} - : { - pf = { - members = [module.pf-sa-rw[0].iam_email] - role = "roles/resourcemanager.tagUser" - } - } - ) - description = try( - local.tags.environment.values[v].description, null - ) - } - } + values = local.environment_tag_values } }) } diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index 9d743331ec..db062b0d67 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf 
@@ -41,6 +41,7 @@ locals { sa_impersonation_principals = [] }) contacts = try(v.contacts, {}) + context_name = try(v.context_name, null) firewall_policy = try(v.firewall_policy, null) logging_data_access = try(v.logging_data_access, {}) logging_exclusions = try(v.logging_exclusions, {}) @@ -61,9 +62,6 @@ locals { for k, v in local.stage_service_accounts : k => "serviceAccount:${v}" if v != null } - top_level_tags = { - for k, v in try(local.tag_values, {}) : k => v.id - } } module "top-level-folder" { @@ -98,11 +96,16 @@ module "top-level-folder" { # we don't replace here to avoid dynamic values in keys iam_by_principals = each.value.iam_by_principals org_policies = each.value.org_policies - tag_bindings = { - for k, v in each.value.tag_bindings : k => lookup( - local.top_level_tags, v, v - ) - } + tag_bindings = merge( + # explicit tag bindings + { + for k, v in each.value.tag_bindings : k => try(local.tag_values[v].id, v) + }, + # implicit tag binding on own context tag value + each.value.context_name == null ? {} : { + context = local.tag_values["context/${each.value.context_name}"].id + } + ) } module "top-level-sa" { diff --git a/fast/stages/1-resman/variables-toplevel-folders.tf b/fast/stages/1-resman/variables-toplevel-folders.tf index d30379326a..30dce2135b 100644 --- a/fast/stages/1-resman/variables-toplevel-folders.tf +++ b/fast/stages/1-resman/variables-toplevel-folders.tf @@ -24,6 +24,8 @@ variable "top_level_folders" { sa_impersonation_principals = optional(list(string), []) }), {}) contacts = optional(map(list(string)), {}) + # TODO: remember to document this, and how to use the same value in other folders + context_name = optional(string) firewall_policy = optional(object({ name = string policy = string From 091f476b126b4fafe4dac3db3d6495c8ae3480dc Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 18 Oct 2024 10:32:35 +0200 Subject: [PATCH 23/94] fix previous merge --- fast/stages/1-resman/outputs.tf | 35 --------------------------------- 1 file changed, 35 deletions(-) diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 7bc9f1a9d8..1eb3b3be05 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf @@ -32,41 +32,6 @@ locals { # top-level folders local.top_level_folder_ids ) - providers = { - for k, v in local._providers : k => ( - var.automation.cicd_backends != null && try(var.automation.cicd_backends.terraform, null) != null ? - templatefile( - local._tpl_providers_terraform, - merge( - { - name = v.name, - sa = v.sa - }, - { - workspaces = lookup( - var.automation.cicd_backends.terraform.workspaces, - v.name, - { - tags = null, - name = null, - project = null - } - ) - }, - { - organization = var.automation.cicd_backends.terraform.organization, - hostname = var.automation.cicd_backends.terraform.hostname - } - ) - ) : - templatefile(local._tpl_providers_gcs, { - name = v.name, - sa = v.sa, - bucket = v.bucket, - backend_extra = v.backend_extra - }) - ) - } service_accounts = merge( local.stage_service_accounts, local.top_level_service_accounts From 65c26180a86a246f009b24ac27139793accd3631 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 10:34:52 +0200 Subject: [PATCH 24/94] fix previous merge --- fast/stages/1-resman/variables-fast.tf | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf index eb53fa5ce7..6698eb0442 100644 --- a/fast/stages/1-resman/variables-fast.tf +++ b/fast/stages/1-resman/variables-fast.tf 
@@ -32,17 +32,6 @@ variable "automation" { principal_branch = string principal_repo = string })) - cicd_backends = object({ - terraform = object({ - organization = string - workspaces = map(object({ - tags = list(string) - name = string - project = string - })) - hostname = string - }) - }) service_accounts = object({ resman-r = string }) From 1048b2b1f71922a26742c8161386b4b8a65e90fb Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 10:36:10 +0200 Subject: [PATCH 25/94] fix previous merge --- fast/stages/1-tenant-factory/variables-fast.tf | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/fast/stages/1-tenant-factory/variables-fast.tf b/fast/stages/1-tenant-factory/variables-fast.tf index 011708c121..be76b320a9 100644 --- a/fast/stages/1-tenant-factory/variables-fast.tf +++ b/fast/stages/1-tenant-factory/variables-fast.tf @@ -32,17 +32,6 @@ variable "automation" { principal_branch = string principal_repo = string })) - cicd_backends = object({ - terraform = object({ - organization = string - workspaces = map(object({ - tags = list(string) - name = string - project = string - })) - hostname = string - }) - }) service_accounts = object({ resman = string resman-r = string From 6d5888f10a1c7c1057b2325a336fae979b122767 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 10:51:41 +0200 Subject: [PATCH 26/94] support short names for top level automation resources, change top level context variable --- fast/stage-links.sh | 16 ++++++++++++++++ .../1-resman/data/top-level-folders/sandbox.yaml | 4 +++- fast/stages/1-resman/organization.tf | 8 ++++---- .../schemas/top-level-folder.schema.json | 9 ++++++--- .../{providers_gcs.tf.tpl => providers.tf.tpl} | 0 fast/stages/1-resman/top-level-folders.tf | 11 ++++++----- .../1-resman/variables-toplevel-folders.tf | 5 +++-- 7 files changed, 38 insertions(+), 15 deletions(-) rename fast/stages/1-resman/templates/{providers_gcs.tf.tpl => providers.tf.tpl} (100%) 
diff --git a/fast/stage-links.sh b/fast/stage-links.sh index e66ace3f28..71f8738ce1 100755 --- a/fast/stage-links.sh +++ b/fast/stage-links.sh @@ -52,25 +52,30 @@ case $STAGE_NAME in "0-bootstrap") unset GLOBALS PROVIDER="providers/0-bootstrap-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="" ;; "1-resman" | "1-tenant-factory") PROVIDER="providers/${STAGE_NAME}-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json" ;; "1-vpcsc") PROVIDER="providers/1-vpcsc-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json" ;; "2-networking"*) if [[ -z "$TENANT" ]]; then echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again" PROVIDER="providers/2-networking-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json tfvars/1-resman.auto.tfvars.json" else unset GLOBALS PROVIDER="tenants/$TENANT/providers/2-networking-providers.tf" + SELF="tenants/$TENANT/$STAGE_NAME.auto.tfvars" TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json tenants/$TENANT/tfvars/1-resman.auto.tfvars.json" fi @@ -79,12 +84,14 @@ case $STAGE_NAME in if [[ -z "$TENANT" ]]; then echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again" PROVIDER="providers/2-project-factory-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json tfvars/1-resman.auto.tfvars.json" EXTRA_FILES="tfvars/2-networking.auto.tfvars.json" else unset GLOBALS PROVIDER="tenants/$TENANT/providers/2-project-factory-providers.tf" + SELF="tenants/$TENANT/$STAGE_NAME.auto.tfvars" TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json tenants/$TENANT/tfvars/1-resman.auto.tfvars.json" EXTRA_FILES="tenants/$TENANT/tfvars/2-networking.auto.tfvars.json" 
@@ -94,11 +101,13 @@ case $STAGE_NAME in if [[ -z "$TENANT" ]]; then echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again" PROVIDER="providers/2-security-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json tfvars/1-resman.auto.tfvars.json" else unset GLOBALS PROVIDER="tenants/$TENANT/providers/2-security-providers.tf" + SELF="tenants/$TENANT/$STAGE_NAME.auto.tfvars" TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json tenants/$TENANT/tfvars/1-resman.auto.tfvars.json" fi @@ -107,6 +116,7 @@ case $STAGE_NAME in if [[ -z "$TENANT" ]]; then echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again" PROVIDER="providers/3-network-security-providers.tf" + SELF="$STAGE_NAME.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json tfvars/1-resman.auto.tfvars.json tfvars/2-networking.auto.tfvars.json @@ -114,6 +124,7 @@ case $STAGE_NAME in else unset GLOBALS PROVIDER="tenants/$TENANT/providers/3-network-security-providers.tf" + SELF="tenants/$TENANT/$STAGE_NAME.auto.tfvars" TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json tenants/$TENANT/tfvars/1-resman.auto.tfvars.json tenants/$TENANT/tfvars/2-networking.auto.tfvars.json @@ -156,6 +167,11 @@ for f in $TFVARS; do echo "$CMD/$f ./" done +if [[ ! -z ${SELF+x} ]]; then + echo "# conventional place for stage tfvars (manually created)" + echo "$CMD/$SELF ./" +fi + if [[ ! -z ${EXTRA_FILES+x} ]]; then echo "# optional files" for f in $EXTRA_FILES; do diff --git a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml index cd12140856..60a481cd22 100644 --- a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml +++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml 
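Review bot: `SELF` is assigned only inside the `case` branches of stage-links.sh, and the closing check `[[ ! -z ${SELF+x} ]]` is true for any value that is merely set, including one inherited from the caller's environment. Every branch visible in these hunks assigns it, but the `case` statement continues outside them; a branch that does not would print a tfvars path taken from the environment. I would add `unset SELF` before the `case` and write the test as `[[ -n ${SELF+x} ]]`.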
@@ -15,4 +15,6 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json name: Sandbox -context_name: sandbox \ No newline at end of file +automation: + short_name: sbx +is_fast_context: true \ No newline at end of file diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index 0c93c8ac4e..eef3ca5b9b 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -25,10 +25,10 @@ locals { try(local.tags["context"]["values"], {}), # top-level folders { - for k, v in local.top_level_folders : v.context_name => { - iam = try(local.tags.context.values.iam[v.context_name], {}) - description = try(local.tags.context.values.description[v.context_name], null) - } if v.context_name != null + for k, v in local.top_level_folders : k => { + iam = try(local.tags.context.values.iam[k], {}) + description = try(local.tags.context.values.description[k], null) + } if v.is_fast_context == true }, # stage 2s { diff --git a/fast/stages/1-resman/schemas/top-level-folder.schema.json b/fast/stages/1-resman/schemas/top-level-folder.schema.json index 614a3371c8..748b6eb933 100644 --- a/fast/stages/1-resman/schemas/top-level-folder.schema.json +++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json @@ -16,15 +16,15 @@ "items": { "type": "string" } + }, + "short_name": { + "type": "string" } } }, "contacts": { "type": "string" }, - "context_name": { - "type": "string" - }, "iam": { "$ref": "#/$defs/iam" }, @@ -37,6 +37,9 @@ "iam_by_principals": { "$ref": "#/$defs/iam_by_principals" }, + "is_fast_context": { + "type": "boolean" + }, "name": { "type": "string" }, diff --git a/fast/stages/1-resman/templates/providers_gcs.tf.tpl b/fast/stages/1-resman/templates/providers.tf.tpl similarity index 100% rename from fast/stages/1-resman/templates/providers_gcs.tf.tpl rename to fast/stages/1-resman/templates/providers.tf.tpl 
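Review bot: In the top-level-folders branch of the context tag values in organization.tf, `try(local.tags.context.values.iam[k], {})` and the matching `description` lookup index an `iam`/`description` key under `values` and then the folder key, whereas the environment tag code removed earlier in this series reads `local.tags.environment.values[v].iam`. If `var.tags` follows that second shape, both `try()` calls always fall back, and because this map is merged after `local.tags["context"]["values"]`, a folder key that matches a user-defined context value replaces its IAM with `{}` without any error. I would read `try(local.tags.context.values[k].iam, {})` and `try(local.tags.context.values[k].description, null)`, and check the stage 2 entries below for the same path. The `locals` block starts and ends outside the hunk.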
diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index db062b0d67..f779a3cc8e 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf @@ -41,8 +41,8 @@ locals { sa_impersonation_principals = [] }) contacts = try(v.contacts, {}) - context_name = try(v.context_name, null) firewall_policy = try(v.firewall_policy, null) + is_fast_context = try(v.context_name, null) logging_data_access = try(v.logging_data_access, {}) logging_exclusions = try(v.logging_exclusions, {}) logging_settings = try(v.logging_settings, null) @@ -53,6 +53,7 @@ locals { iam_by_principals = try(v.iam_by_principals, {}) org_policies = try(v.org_policies, {}) parent_id = try(v.parent_id, null) + short_name = try(v.short_name, null) tag_bindings = try(v.tag_bindings, {}) }) }, @@ -102,8 +103,8 @@ module "top-level-folder" { for k, v in each.value.tag_bindings : k => try(local.tag_values[v].id, v) }, # implicit tag binding on own context tag value - each.value.context_name == null ? {} : { - context = local.tag_values["context/${each.value.context_name}"].id + each.value.is_fast_context == null ? {} : { + context = local.tag_values["context/${each.key}"].id } ) } @@ -112,7 +113,7 @@ module "top-level-sa" { source = "../../../modules/iam-service-account" for_each = local.top_level_automation project_id = var.automation.project_id - name = "prod-resman-${each.key}-0" + name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" display_name = "Terraform resman ${each.key} folder service account." prefix = var.prefix iam = { @@ -130,7 +131,7 @@ module "top-level-bucket" { source = "../../../modules/gcs" for_each = local.top_level_automation project_id = var.automation.project_id - name = "prod-resman-${each.key}-0" + name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" prefix = var.prefix location = var.locations.gcs versioning = true 
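Review bot: `short_name = try(v.short_name, null)` in the folder locals of top-level-folders.tf reads the attribute from the top level of the folder definition, but the schema, the `top_level_folders` variable type and sandbox.yaml in this same commit all place it under `automation`. Unless `local.top_level_automation` (defined outside these hunks) remaps it, `coalesce(each.value.short_name, each.key)` in `top-level-sa` and `top-level-bucket` will not see `automation.short_name: sbx` from YAML. Reading `try(v.automation.short_name, null)` would match the declared interface. It is also worth a comment next to `name` that setting a short name on an existing folder renames, and so replaces, its automation service account and versioned bucket.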
diff --git a/fast/stages/1-resman/variables-toplevel-folders.tf b/fast/stages/1-resman/variables-toplevel-folders.tf index 30dce2135b..31dc84673b 100644 --- a/fast/stages/1-resman/variables-toplevel-folders.tf +++ b/fast/stages/1-resman/variables-toplevel-folders.tf @@ -22,14 +22,15 @@ variable "top_level_folders" { automation = optional(object({ enable = optional(bool, true) sa_impersonation_principals = optional(list(string), []) + short_name = optional(string) }), {}) contacts = optional(map(list(string)), {}) - # TODO: remember to document this, and how to use the same value in other folders - context_name = optional(string) firewall_policy = optional(object({ name = string policy = string })) + # TODO: remember to document this, and how to use the same value in other folders + is_fast_context = optional(bool, true) logging_data_access = optional(map(map(list(string))), {}) logging_exclusions = optional(map(string), {}) logging_settings = optional(object({ From 5bd2b05b041d19dfc5f0d40c9200146a96948de7 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 10:59:06 +0200 Subject: [PATCH 27/94] fix new top level context --- .../stages/1-resman/data/top-level-folders/data-platform.yaml | 2 +- fast/stages/1-resman/data/top-level-folders/gcve.yaml | 2 +- fast/stages/1-resman/data/top-level-folders/gke.yaml | 2 +- fast/stages/1-resman/data/top-level-folders/sandbox.yaml | 1 - fast/stages/1-resman/data/top-level-folders/teams.yaml | 3 +++ fast/stages/1-resman/schemas/top-level-folder.schema.json | 3 ++- fast/stages/1-resman/top-level-folders.tf | 4 ++-- 7 files changed, 10 insertions(+), 7 deletions(-) diff --git a/fast/stages/1-resman/data/top-level-folders/data-platform.yaml b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml index 79ee2e4390..686f36f66e 100644 --- a/fast/stages/1-resman/data/top-level-folders/data-platform.yaml +++ b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml 
@@ -15,6 +15,6 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json name: Data Platform +# automation is disabled since this is just a "container" for stage 3s automation: enable: false -context_name: data-platform \ No newline at end of file diff --git a/fast/stages/1-resman/data/top-level-folders/gcve.yaml b/fast/stages/1-resman/data/top-level-folders/gcve.yaml index 4aa627d318..0638379972 100644 --- a/fast/stages/1-resman/data/top-level-folders/gcve.yaml +++ b/fast/stages/1-resman/data/top-level-folders/gcve.yaml @@ -15,6 +15,6 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json name: GCVE +# automation is disabled since this is just a "container" for stage 3s automation: enable: false -context_name: gcve \ No newline at end of file diff --git a/fast/stages/1-resman/data/top-level-folders/gke.yaml b/fast/stages/1-resman/data/top-level-folders/gke.yaml index 561dd4eda1..d41290549d 100644 --- a/fast/stages/1-resman/data/top-level-folders/gke.yaml +++ b/fast/stages/1-resman/data/top-level-folders/gke.yaml @@ -15,6 +15,6 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json name: GKE +# automation is disabled since this is just a "container" for stage 3s automation: enable: false -context_name: gke \ No newline at end of file diff --git a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml index 60a481cd22..43c8c8f5f0 100644 --- a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml +++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml @@ -17,4 +17,3 @@ name: Sandbox automation: short_name: sbx -is_fast_context: true \ No newline at end of file diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml index 3695ce69dd..c9942fdd50 100644 --- a/fast/stages/1-resman/data/top-level-folders/teams.yaml 
+++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml @@ -15,6 +15,7 @@ # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json name: Teams +# automation is disabled since this is just a "container" for the pf automation: enable: false iam: @@ -28,5 +29,7 @@ iam: - project-factory "service_project_network_admin": - project-factory +# don't create a context tag since this uses the pf tag +is_fast_context: false tag_bindings: context: context/project-factory diff --git a/fast/stages/1-resman/schemas/top-level-folder.schema.json b/fast/stages/1-resman/schemas/top-level-folder.schema.json index 748b6eb933..60e348769d 100644 --- a/fast/stages/1-resman/schemas/top-level-folder.schema.json +++ b/fast/stages/1-resman/schemas/top-level-folder.schema.json @@ -38,7 +38,8 @@ "$ref": "#/$defs/iam_by_principals" }, "is_fast_context": { - "type": "boolean" + "type": "boolean", + "default": true }, "name": { "type": "string" diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index f779a3cc8e..641b7ac96d 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf @@ -42,7 +42,7 @@ locals { }) contacts = try(v.contacts, {}) firewall_policy = try(v.firewall_policy, null) - is_fast_context = try(v.context_name, null) + is_fast_context = try(v.is_fast_context, true) logging_data_access = try(v.logging_data_access, {}) logging_exclusions = try(v.logging_exclusions, {}) logging_settings = try(v.logging_settings, null) @@ -103,7 +103,7 @@ module "top-level-folder" { for k, v in each.value.tag_bindings : k => try(local.tag_values[v].id, v) }, # implicit tag binding on own context tag value - each.value.is_fast_context == null ? {} : { + each.value.is_fast_context != true ? {} : { context = local.tag_values["context/${each.key}"].id } ) From e29695dd77e2df0e16c28e3f1815eb0030624744 Mon Sep 17 00:00:00 2001 
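Review bot: With `is_fast_context` now defaulting to true in top-level-folders.tf, the implicit `context` binding is the second argument of the `merge()` in `module "top-level-folder"` (added earlier in this series), so it silently replaces any explicit `context` entry in a folder's `tag_bindings`. teams.yaml only keeps `context/project-factory` because it also sets `is_fast_context: false`; a folder that sets the binding and forgets the flag ends up tagged with its own context value instead. If tag-conditioned IAM or org policies key on the context tag, that changes what applies to the folder, so I would either put the implicit map first in the `merge()` so explicit bindings win, or reject the combination in a variable validation. The default also appears to add a new context tag value and binding for every existing top-level folder on the next apply, which deserves a line in the upgrade notes.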
From: Ludo Date: Fri, 18 Oct 2024 11:03:46 +0200 Subject: [PATCH 28/94] roll back merge changes to stage 0 outputs --- fast/stages/0-bootstrap/outputs.tf | 122 ++++++------------ ...{providers_gcs.tf.tpl => providers.tf.tpl} | 0 2 files changed, 42 insertions(+), 80 deletions(-) rename fast/stages/0-bootstrap/templates/{providers_gcs.tf.tpl => providers.tf.tpl} (100%) diff --git a/fast/stages/0-bootstrap/outputs.tf b/fast/stages/0-bootstrap/outputs.tf index 4b1bf5458d..9ed64fb850 100644 --- a/fast/stages/0-bootstrap/outputs.tf +++ b/fast/stages/0-bootstrap/outputs.tf @@ -15,8 +15,7 @@ */ locals { - _tpl_providers_gcs = "${path.module}/templates/providers_gcs.tf.tpl" - _tpl_providers_terraform = "${path.module}/templates/providers_terraform.tf.tpl" + _tpl_providers = "${path.module}/templates/providers.tf.tpl" # render CI/CD workflow templates cicd_workflows = { for k, v in local.cicd_repositories : k => templatefile( 
@@ -42,96 +41,59 @@ locals { tf_var_files = local.cicd_workflow_var_files[k] } ) - if v.type != "terraform" } - providers_config = { - "0-bootstrap" = { - name = "bootstrap", - sa = module.automation-tf-bootstrap-sa.email, - bucket = module.automation-tf-bootstrap-gcs.name, + providers = { + "0-bootstrap" = templatefile(local._tpl_providers, { backend_extra = null - }, - "0-bootstrap-r" = { - name = "bootstrap", - sa = module.automation-tf-bootstrap-r-sa.email, - bucket = module.automation-tf-bootstrap-gcs.name, + bucket = module.automation-tf-bootstrap-gcs.name + name = "bootstrap" + sa = module.automation-tf-bootstrap-sa.email + }) + "0-bootstrap-r" = templatefile(local._tpl_providers, { backend_extra = null - }, - "1-resman" = { - name = "resman", - sa = module.automation-tf-resman-sa.email, - bucket = module.automation-tf-resman-gcs.name, + bucket = module.automation-tf-bootstrap-gcs.name + name = "bootstrap" + sa = module.automation-tf-bootstrap-r-sa.email + }) + "1-resman" = templatefile(local._tpl_providers, { backend_extra = null - }, - "1-resman-r" = { - name = "resman", - sa = module.automation-tf-resman-r-sa.email, - bucket = module.automation-tf-resman-gcs.name, + bucket = module.automation-tf-resman-gcs.name + name = "resman" + sa = module.automation-tf-resman-sa.email + }) + "1-resman-r" = templatefile(local._tpl_providers, { backend_extra = null - }, - "1-tenant-factory" = { - name = "tenant-factory", - sa = module.automation-tf-resman-sa.email, - bucket = module.automation-tf-resman-gcs.name, + bucket = module.automation-tf-resman-gcs.name + name = "resman" + sa = module.automation-tf-resman-r-sa.email + }) + "1-tenant-factory" = templatefile(local._tpl_providers, { backend_extra = "prefix = \"tenant-factory\"" - }, - "1-tenant-factory-r" = { - name = "tenant-factory", - sa = module.automation-tf-resman-r-sa.email, - bucket = module.automation-tf-resman-gcs.name, + bucket = module.automation-tf-resman-gcs.name + name = "tenant-factory" + sa = 
module.automation-tf-resman-sa.email + }) + "1-tenant-factory-r" = templatefile(local._tpl_providers, { backend_extra = "prefix = \"tenant-factory\"" - }, - "1-vpcsc" = { - name = "vpcsc", - sa = module.automation-tf-vpcsc-sa.email, - bucket = module.automation-tf-vpcsc-gcs.name, + bucket = module.automation-tf-resman-gcs.name + name = "tenant-factory" + sa = module.automation-tf-resman-r-sa.email + }) + "1-vpcsc" = templatefile(local._tpl_providers, { backend_extra = "prefix = \"vpcsc\"" - }, - "1-vpcsc-r" = { - name = "vpcsc", - sa = module.automation-tf-vpcsc-r-sa.email, - bucket = module.automation-tf-vpcsc-gcs.name, + bucket = module.automation-tf-vpcsc-gcs.name + name = "vpcsc" + sa = module.automation-tf-vpcsc-sa.email + }) + "1-vpcsc-r" = templatefile(local._tpl_providers, { backend_extra = "prefix = \"vpcsc\"" - }, - } - providers = { - for k, v in local.providers_config : k => ( - var.cicd_backends != null && try(var.cicd_backends.terraform, null) != null ? - templatefile( - local._tpl_providers_terraform, - merge( - { - name = v.name, - sa = v.sa - }, - { - workspaces = lookup( - var.cicd_backends.terraform.workspaces, - v.name, - { - tags = null, - name = null, - project = null - } - ) - }, - { - organization = var.cicd_backends.terraform.organization, - hostname = var.cicd_backends.terraform.hostname - } - ) - ) : - templatefile(local._tpl_providers_gcs, { - name = v.name, - sa = v.sa, - bucket = v.bucket, - backend_extra = v.backend_extra - }) - ) + bucket = module.automation-tf-vpcsc-gcs.name + name = "vpcsc" + sa = module.automation-tf-vpcsc-r-sa.email + }) } tfvars = { automation = { - cicd_backends = var.cicd_backends federated_identity_pool = try( google_iam_workload_identity_pool.default[0].name, null ) 
diff --git a/fast/stages/0-bootstrap/templates/providers_gcs.tf.tpl b/fast/stages/0-bootstrap/templates/providers.tf.tpl similarity index 100% rename from fast/stages/0-bootstrap/templates/providers_gcs.tf.tpl rename to fast/stages/0-bootstrap/templates/providers.tf.tpl From 6f29c7e4381dc75ea2db301cd30ed7a880d7ae6d Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 11:17:31 +0200 Subject: [PATCH 29/94] roll back more merge changes --- fast/stages/0-bootstrap/cicd.tf | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/fast/stages/0-bootstrap/cicd.tf b/fast/stages/0-bootstrap/cicd.tf index 1f3d621bc7..6705d4cb18 100644 --- a/fast/stages/0-bootstrap/cicd.tf +++ b/fast/stages/0-bootstrap/cicd.tf @@ -39,9 +39,10 @@ locals { contains( keys(local.workload_identity_providers), coalesce(try(v.identity_provider, null), ":") - ) && ( - try(v.type, "") == "terraform" || - fileexists(format("${path.module}/templates/workflow-%s.yaml", try(v.type, ""))) + ) + && + fileexists( + format("${path.module}/templates/workflow-%s.yaml", try(v.type, "")) ) ) } @@ -89,12 +90,6 @@ module "automation-tf-cicd-sa" { google_iam_workload_identity_pool.default[0].name, each.value.name ) - : length(regexall("%s", local.workload_identity_providers_defs[each.value.type].principal_branch)) == 2 - ? format( - local.workload_identity_providers_defs[each.value.type].principal_branch, - google_iam_workload_identity_pool.default[0].name, - each.value.branch - ) : format( local.workload_identity_providers_defs[each.value.type].principal_branch, google_iam_workload_identity_pool.default[0].name, From b1c9f7eb8e1b05c77d17179ca7016913668f7c31 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 18 Oct 2024 11:20:27 +0200 Subject: [PATCH 30/94] linting errors --- fast/stages/0-bootstrap/README.md | 61 ++++++++++++++-------------- fast/stages/0-bootstrap/variables.tf | 36 ---------------- fast/stages/1-resman/README.md | 17 +------- fast/stages/1-resman/stage-3.tf | 1 - 4 files changed, 31 insertions(+), 84 deletions(-) diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index 52f7da0645..dbb8575837 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md 
@@ -654,41 +654,40 @@ The remaining configuration is manual, as it regards the repositories themselves | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | | -| [organization](variables.tf#L302) | Organization details. | object({…}) | ✓ | | | -| [prefix](variables.tf#L317) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | +| [organization](variables.tf#L266) | Organization details. | object({…}) | ✓ | | | +| [prefix](variables.tf#L281) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | | -| [cicd_backends](variables.tf#L33) | CI/CD backend configuration. Leave null to use GCS buckets for state. | object({…}) | | null | | -| [cicd_repositories](variables.tf#L69) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | -| [custom_roles](variables.tf#L123) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | | -| [environments](variables.tf#L130) | Environment names. | map(object({…})) | | {…} | | -| [essential_contacts](variables.tf#L154) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L160) | Configuration for the resource factories or external data. | object({…}) | | {} | | -| [groups](variables.tf#L172) | Group names or IAM-format principals to grant organization-level permissions. 
If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | | -| [iam](variables.tf#L188) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | -| [iam_bindings_additive](variables.tf#L195) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | -| [iam_by_principals](variables.tf#L210) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | -| [locations](variables.tf#L217) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | -| [log_sinks](variables.tf#L231) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | -| [org_policies_config](variables.tf#L284) | Organization policies customization. | object({…}) | | {} | | -| [outputs_location](variables.tf#L311) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [project_parent_ids](variables.tf#L326) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | | -| [workforce_identity_providers](variables.tf#L337) | Workforce Identity Federation pools. | map(object({…})) | | {} | | -| [workload_identity_providers](variables.tf#L353) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | +| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. 
| object({…}) | | null | | +| [custom_roles](variables.tf#L87) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | | +| [environments](variables.tf#L94) | Environment names. | map(object({…})) | | {…} | | +| [essential_contacts](variables.tf#L118) | Email used for essential contacts, unset if null. | string | | null | | +| [factories_config](variables.tf#L124) | Configuration for the resource factories or external data. | object({…}) | | {} | | +| [groups](variables.tf#L136) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | | +| [iam](variables.tf#L152) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | +| [iam_bindings_additive](variables.tf#L159) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | +| [iam_by_principals](variables.tf#L174) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | +| [locations](variables.tf#L181) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | +| [log_sinks](variables.tf#L195) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | +| [org_policies_config](variables.tf#L248) | Organization policies customization. | object({…}) | | {} | | +| [outputs_location](variables.tf#L275) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [project_parent_ids](variables.tf#L290) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. 
| object({…}) | | {} | | +| [workforce_identity_providers](variables.tf#L301) | Workforce Identity Federation pools. | map(object({…})) | | {} | | +| [workload_identity_providers](variables.tf#L317) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | ## Outputs | name | description | sensitive | consumers | |---|---|:---:|---| -| [automation](outputs.tf#L184) | Automation resources. | | | -| [billing_dataset](outputs.tf#L189) | BigQuery dataset prepared for billing export. | | | -| [cicd_repositories](outputs.tf#L194) | CI/CD repository configurations. | | | -| [custom_roles](outputs.tf#L206) | Organization-level custom roles. | | | -| [outputs_bucket](outputs.tf#L211) | GCS bucket where generated output files are stored. | | | -| [project_ids](outputs.tf#L216) | Projects created by this stage. | | | -| [providers](outputs.tf#L226) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | -| [service_accounts](outputs.tf#L233) | Automation service accounts created by this stage. | | | -| [tfvars](outputs.tf#L251) | Terraform variable files for the following stages. | ✓ | | -| [tfvars_globals](outputs.tf#L257) | Terraform Globals variable files for the following stages. | ✓ | | -| [workforce_identity_pool](outputs.tf#L263) | Workforce Identity Federation pool. | | | -| [workload_identity_pool](outputs.tf#L272) | Workload Identity Federation pool and providers. | | | +| [automation](outputs.tf#L146) | Automation resources. | | | +| [billing_dataset](outputs.tf#L151) | BigQuery dataset prepared for billing export. | | | +| [cicd_repositories](outputs.tf#L156) | CI/CD repository configurations. | | | +| [custom_roles](outputs.tf#L168) | Organization-level custom roles. | | | +| [outputs_bucket](outputs.tf#L173) | GCS bucket where generated output files are stored. | | | +| [project_ids](outputs.tf#L178) | Projects created by this stage. 
| | | +| [providers](outputs.tf#L188) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | +| [service_accounts](outputs.tf#L195) | Automation service accounts created by this stage. | | | +| [tfvars](outputs.tf#L213) | Terraform variable files for the following stages. | ✓ | | +| [tfvars_globals](outputs.tf#L219) | Terraform Globals variable files for the following stages. | ✓ | | +| [workforce_identity_pool](outputs.tf#L225) | Workforce Identity Federation pool. | | | +| [workload_identity_pool](outputs.tf#L234) | Workload Identity Federation pool and providers. | | | diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf index b1807b850d..58414c91d0 100644 --- a/fast/stages/0-bootstrap/variables.tf +++ b/fast/stages/0-bootstrap/variables.tf 
@@ -30,42 +30,6 @@ variable "bootstrap_user" { default = null } -variable "cicd_backends" { - description = "CI/CD backend configuration. Leave null to use GCS buckets for state." - type = object({ - terraform = optional(object({ - organization = string - workspaces = map(object({ - tags = optional(list(string), null) - name = optional(string, null) - project = optional(string, null) - })) - hostname = optional(string, null) - })) - }) - default = null - validation { - condition = ( - var.cicd_backends == null || - ( - length([for k, v in coalesce(var.cicd_backends, {}) : true if v != null]) == 1 - ) - ) - error_message = "cicd_backends must be either null or contain exactly one backend configuration." - } - validation { - condition = ( - var.cicd_backends == null || - try(var.cicd_backends.terraform, null) == null || - alltrue([ - for k, v in try(var.cicd_backends.terraform.workspaces, {}) : - v.tags != null || v.name != null || v.project != null - ]) - ) - error_message = "At least one of 'tags', 'name', or 'project' must be defined for each workspace in the 'workspaces' map when 'terraform' is defined." - } -} - variable "cicd_repositories" { description = "CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed." type = object({ diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index f17a45a180..cd5f045bc4 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -285,29 +285,14 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | | [tag_names](variables.tf#L49) | Customized names for resource management tags. | object({…}) | | {} | | | [tags](variables.tf#L63) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | -| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | +| [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | ## Outputs | name | description | sensitive | consumers | |---|---|:---:|---| -<<<<<<< HEAD | [cicd_repositories](outputs.tf#L48) | WIF configuration for CI/CD repositories. | | | | [folder_ids](outputs.tf#L60) | Folder ids. | | | | [providers](outputs.tf#L66) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | | [tfvars](outputs.tf#L74) | Terraform variable files for the following stages. | ✓ | | -======= -| [cicd_repositories](outputs.tf#L413) | WIF configuration for CI/CD repositories. | | | -| [dataplatform](outputs.tf#L427) | Data for the Data Platform stage. | | | -| [folder_ids](outputs.tf#L443) | Folder ids. | | | -| [gcve](outputs.tf#L448) | Data for the GCVE stage. | | 03-gcve | -| [gke_multitenant](outputs.tf#L469) | Data for the GKE multitenant stage. | | 03-gke-multitenant | -| [networking](outputs.tf#L490) | Data for the networking stage. 
| | | -| [project_factories](outputs.tf#L499) | Data for the project factories stage. | | | -| [providers](outputs.tf#L518) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | -| [sandbox](outputs.tf#L525) | Data for the sandbox stage. | | xx-sandbox | -| [security](outputs.tf#L539) | Data for the networking stage. | | 02-security | -| [tfvars](outputs.tf#L550) | Terraform variable files for the following stages. | ✓ | | - ->>>>>>> origin/master diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index 3355b55701..df82782c71 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf @@ -97,7 +97,6 @@ locals { ] ] ]) - stage3_shortnames = distinct([for k, v in local.stage3 : v.short_name]) } # top-level folder From 7412fb7319dc32fdcd0ee6a77a3eadd8c14d8a59 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 11:22:19 +0200 Subject: [PATCH 31/94] tfdoc --- fast/stages/1-tenant-factory/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index af30740e85..55e3a29e0e 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md 
@@ -307,15 +307,15 @@ gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-boot | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables-fast.tf#L53) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap | -| [logging](variables-fast.tf#L110) | Logging resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [org_policy_tags](variables-fast.tf#L129) | Organization policy tags. | object({…}) | ✓ | | 0-bootstrap | -| [organization](variables-fast.tf#L119) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L146) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | -| [custom_roles](variables-fast.tf#L64) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | -| [groups](variables-fast.tf#L82) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | -| [locations](variables-fast.tf#L97) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | +| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. 
| object({…}) | ✓ | | 0-bootstrap | +| [logging](variables-fast.tf#L99) | Logging resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [org_policy_tags](variables-fast.tf#L118) | Organization policy tags. | object({…}) | ✓ | | 0-bootstrap | +| [organization](variables-fast.tf#L108) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L135) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | +| [groups](variables-fast.tf#L71) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | +| [locations](variables-fast.tf#L86) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | | [outputs_location](variables.tf#L17) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [root_node](variables.tf#L23) | Root folder under which tenants are created, in folders/nnnn format. Defaults to the organization if null. | string | | null | | | [tag_names](variables.tf#L36) | Customized names for resource management tags. | object({…}) | | {} | | From 416266862a48d08ba1ac147cf5a83f8346f91203 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 11:42:55 +0200 Subject: [PATCH 32/94] fix tests, roll back merge in tenants stage --- fast/stages/1-tenant-factory/outputs.tf | 86 +----- ...{providers_gcs.tf.tpl => providers.tf.tpl} | 0 tests/fast/stages/s1_resman/simple.yaml | 275 ++++-------------- 3 files changed, 64 insertions(+), 297 deletions(-) rename fast/stages/1-tenant-factory/templates/{providers_gcs.tf.tpl => providers.tf.tpl} (100%) 
diff --git a/fast/stages/1-tenant-factory/outputs.tf b/fast/stages/1-tenant-factory/outputs.tf index adda64df18..71ec64f677 100644 --- a/fast/stages/1-tenant-factory/outputs.tf +++ b/fast/stages/1-tenant-factory/outputs.tf @@ -15,9 +15,7 @@ */ locals { - _tpl_providers_gcs = "${path.module}/templates/providers_gcs.tf.tpl" - _tpl_providers_terraform = "${path.module}/templates/providers_terraform.tf.tpl" - _tpl_providers = var.automation.cicd_backends != null && try(var.automation.cicd_backends.terraform, null) != null ? local._tpl_providers_terraform : local._tpl_providers_gcs + _tpl_providers = "${path.module}/templates/providers.tf.tpl" tenant_cicd_workflows = { for k, v in local.cicd_repositories : k => templatefile("${path.module}/templates/workflow-${v.type}.yaml", { 
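Review bot: `_tpl_providers` is now a fixed path with no comment saying which backend the template renders, and the removed `_tpl_providers_terraform` local was the only reference to `templates/providers_terraform.tf.tpl` visible in this file. The commit's file list renames `providers_gcs.tf.tpl` to `providers.tf.tpl` but does not delete the Terraform-backend template, so if that file exists on this branch it is left unreferenced; deleting it in the same change would keep the rollback complete. A one-line comment above the local, for example `# GCS-backend providers template, used by both tenant_providers and tenant_providers_r`, would record the intent. The `locals` block continues past the end of this hunk.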
@@ -53,91 +51,21 @@ locals { vpcsc_policy_id = try(module.tenant-vpcsc-policy[k].id, null) } } - _tenant_providers = { - for k, v in local.fast_tenants : k => { + tenant_providers = { + for k, v in local.fast_tenants : k => templatefile(local._tpl_providers, { backend_extra = null bucket = module.tenant-automation-tf-resman-gcs[k].name name = k sa = module.tenant-automation-tf-resman-sa[k].email - } - } - tenant_providers = { - for k, v in local._tenant_providers : k => ( - var.automation.cicd_backends != null && try(var.automation.cicd_backends.terraform, null) != null ? - templatefile( - local._tpl_providers_terraform, - merge( - { - name = v.name, - sa = v.sa - }, - { - workspaces = lookup( - var.automation.cicd_backends.terraform.workspaces, - v.name, - { - tags = null, - name = null, - project = null - } - ) - }, - { - organization = var.automation.cicd_backends.terraform.organization, - hostname = var.automation.cicd_backends.terraform.hostname - } - ) - ) : - templatefile(local._tpl_providers_gcs, { - name = v.name, - sa = v.sa, - bucket = v.bucket, - backend_extra = v.backend_extra - }) - ) + }) } - _tenant_providers_r = { - for k, v in local.fast_tenants : k => { + tenant_providers_r = { + for k, v in local.fast_tenants : k => templatefile(local._tpl_providers, { backend_extra = null bucket = module.tenant-automation-tf-resman-gcs[k].name name = k sa = module.tenant-automation-tf-resman-r-sa[k].email - } - } - tenant_providers_r = { - for k, v in local._tenant_providers_r : k => ( - var.automation.cicd_backends != null && try(var.automation.cicd_backends.terraform, null) != null ? 
- templatefile( - local._tpl_providers_terraform, - merge( - { - name = v.name, - sa = v.sa - }, - { - workspaces = lookup( - var.automation.cicd_backends.terraform.workspaces, - v.name, - { - tags = null, - name = null, - project = null - } - ) - }, - { - organization = var.automation.cicd_backends.terraform.organization, - hostname = var.automation.cicd_backends.terraform.hostname - } - ) - ) : - templatefile(local._tpl_providers_gcs, { - name = v.name, - sa = v.sa, - bucket = v.bucket, - backend_extra = v.backend_extra - }) - ) + }) } tenant_globals = { for k, v in local.fast_tenants : k => { diff --git a/fast/stages/1-tenant-factory/templates/providers_gcs.tf.tpl b/fast/stages/1-tenant-factory/templates/providers.tf.tpl similarity index 100% rename from fast/stages/1-tenant-factory/templates/providers_gcs.tf.tpl rename to fast/stages/1-tenant-factory/templates/providers.tf.tpl diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index b9cdee459a..13f3500084 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
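Review bot: `tenant_providers` and `tenant_providers_r` now render the same template with the same `bucket` and differ only in `sa`, yet nothing in the hunk records that this one value is the whole access boundary between the two generated provider files. If `tenant-automation-tf-resman-r-sa` is the read-only identity (the name suggests so, but its IAM is not visible here), a comment above `tenant_providers_r` such as `# read-only variant: same state bucket, impersonates the -r resman service account` would make that explicit. It is also worth confirming that this account holds only viewer access on the `tenant-automation-tf-resman-gcs` bucket, since both files point at it. The `locals` block starts before this hunk and `tenant_globals` continues after it.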
@@ -13,87 +13,6 @@ # limitations under the License. values: - google_storage_bucket_object.providers["2-networking"]: - bucket: fast2-prod-iac-core-outputs - name: providers/2-networking-providers.tf - google_storage_bucket_object.providers["2-networking-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/2-networking-r-providers.tf - google_storage_bucket_object.providers["2-project-factory"]: - bucket: fast2-prod-iac-core-outputs - name: providers/2-project-factory-providers.tf - google_storage_bucket_object.providers["2-project-factory-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/2-project-factory-r-providers.tf - google_storage_bucket_object.providers["2-security"]: - bucket: fast2-prod-iac-core-outputs - name: providers/2-security-providers.tf - google_storage_bucket_object.providers["2-security-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/2-security-r-providers.tf - google_storage_bucket_object.providers["3-data-platform-dev"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-data-platform-dev-providers.tf - google_storage_bucket_object.providers["3-data-platform-dev-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-data-platform-dev-r-providers.tf - google_storage_bucket_object.providers["3-data-platform-prod"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-data-platform-prod-providers.tf - google_storage_bucket_object.providers["3-data-platform-prod-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-data-platform-prod-r-providers.tf - google_storage_bucket_object.providers["3-gcve-dev"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gcve-dev-providers.tf - google_storage_bucket_object.providers["3-gcve-dev-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gcve-dev-r-providers.tf - google_storage_bucket_object.providers["3-gcve-prod"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gcve-prod-providers.tf - 
google_storage_bucket_object.providers["3-gcve-prod-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gcve-prod-r-providers.tf - google_storage_bucket_object.providers["3-gke-dev"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gke-dev-providers.tf - google_storage_bucket_object.providers["3-gke-dev-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gke-dev-r-providers.tf - google_storage_bucket_object.providers["3-gke-prod"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gke-prod-providers.tf - google_storage_bucket_object.providers["3-gke-prod-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-gke-prod-r-providers.tf - google_storage_bucket_object.providers["3-project-factory-dev"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-project-factory-dev-providers.tf - google_storage_bucket_object.providers["3-project-factory-dev-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-project-factory-dev-r-providers.tf - google_storage_bucket_object.providers["3-project-factory-prod"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-project-factory-prod-providers.tf - google_storage_bucket_object.providers["3-project-factory-prod-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-project-factory-prod-r-providers.tf - google_storage_bucket_object.providers["3-sandbox"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-sandbox-providers.tf - google_storage_bucket_object.providers["3-sandbox-r"]: - bucket: fast2-prod-iac-core-outputs - name: providers/3-sandbox-r-providers.tf - google_storage_bucket_object.tfvars: - bucket: fast2-prod-iac-core-outputs - name: tfvars/1-resman.auto.tfvars.json - google_storage_bucket_object.workflows["networking"]: - bucket: fast2-prod-iac-core-outputs - name: workflows/networking-workflow.yaml - google_storage_bucket_object.workflows["security"]: - bucket: fast2-prod-iac-core-outputs - name: workflows/security-workflow.yaml 
module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: condition: [] project: fast2-prod-automation @@ -218,17 +137,23 @@ values: module.net-folder-dev[0].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null + timeouts: null module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder-prod[0].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null + timeouts: null module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder[0].google_folder.folder[0]: deletion_protection: false display_name: Networking parent: organizations/123456789012 + tags: null + timeouts: null ? module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] : condition: [] members: @@ -435,11 +360,6 @@ values: member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/cloudasset.viewer - module.organization[0].google_organization_iam_member.bindings["sandbox"]: - condition: [] - member: serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user module.organization[0].google_tags_tag_key.default["context"]: description: Resource management context. parent: organizations/123456789012 @@ -486,6 +406,10 @@ values: description: Managed by the Terraform organization module. short_name: security timeouts: null + module.organization[0].google_tags_tag_value.default["context/tenants"]: + description: Managed by the Terraform organization module. + short_name: tenants + timeouts: null module.organization[0].google_tags_tag_value.default["environment/development"]: description: Managed by the Terraform organization module. short_name: development 
@@ -636,6 +560,8 @@ values: deletion_protection: false display_name: Security parent: organizations/123456789012 + tags: null + timeouts: null module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] members: @@ -1029,46 +955,11 @@ values: members: - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - module.stage3-bucket["sandbox"].google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - effective_labels: - goog-terraform-provisioned: 'true' - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-dev-resman-sbx-0 - project: fast2-prod-automation - requester_pays: null - retention_policy: [] - storage_class: MULTI_REGIONAL - terraform_labels: - goog-terraform-provisioned: 'true' - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-dev-resman-sbx-0 - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.stage3-bucket["sandbox"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-dev-resman-sbx-0 - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer module.stage3-folder["data-platform-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null + timeouts: null module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: 
@@ -1109,6 +1000,8 @@ values: module.stage3-folder["data-platform-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null + timeouts: null module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1149,6 +1042,8 @@ values: module.stage3-folder["gcve-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null + timeouts: null module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1189,6 +1084,8 @@ values: module.stage3-folder["gcve-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null + timeouts: null module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1229,6 +1126,8 @@ values: module.stage3-folder["gke-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null + timeouts: null module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: @@ -1269,6 +1168,8 @@ values: module.stage3-folder["gke-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null + timeouts: null module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: 
@@ -1306,49 +1207,6 @@ values: role: roles/viewer module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["environment"]: timeouts: null - module.stage3-folder["sandbox"].google_folder.folder[0]: - deletion_protection: false - display_name: Sandbox - parent: organizations/123456789012 - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/compute.xpnAdmin - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/logging.admin - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/owner - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderViewer - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-sbx-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - module.stage3-folder["sandbox"].google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - 
serviceAccount:fast2-dev-resman-sbx-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.stage3-folder["sandbox"].google_tags_tag_binding.binding["context"]: - timeouts: null - module.stage3-folder["sandbox"].google_tags_tag_binding.binding["environment"]: - timeouts: null ? module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast2-prod-automation @@ -1506,26 +1364,6 @@ values: members: null role: roles/iam.serviceAccountTokenCreator ? module.stage3-sa-ro["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] - : bucket: fast2-prod-iac-core-outputs - condition: [] - role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast2-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.stage3-sa-ro["sandbox"].google_service_account.service_account[0]: - account_id: fast2-dev-resman-sbx-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman sandbox service account (read-only). - project: fast2-prod-automation - timeouts: null - module.stage3-sa-ro["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer 
@@ -1686,26 +1524,6 @@ values: members: null role: roles/iam.serviceAccountTokenCreator ? module.stage3-sa-rw["project-factory-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] - : bucket: fast2-prod-iac-core-outputs - condition: [] - role: roles/storage.objectAdmin - ? module.stage3-sa-rw["sandbox"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast2-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.stage3-sa-rw["sandbox"].google_service_account.service_account[0]: - account_id: fast2-dev-resman-sbx-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman sandbox service account. - project: fast2-prod-automation - timeouts: null - module.stage3-sa-rw["sandbox"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-rw["sandbox"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin 
@@ -1713,24 +1531,40 @@ values: deletion_protection: false display_name: Data Platform parent: organizations/123456789012 + tags: null + timeouts: null module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["gcve"].google_folder.folder[0]: deletion_protection: false display_name: GCVE parent: organizations/123456789012 + tags: null + timeouts: null module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["gke"].google_folder.folder[0]: deletion_protection: false display_name: GKE parent: organizations/123456789012 + tags: null + timeouts: null module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null + module.top-level-folder["sandbox"].google_folder.folder[0]: + deletion_protection: false + display_name: Sandbox + parent: organizations/123456789012 + tags: null + timeouts: null + module.top-level-folder["sandbox"].google_tags_tag_binding.binding["context"]: + timeouts: null module.top-level-folder["teams"].google_folder.folder[0]: deletion_protection: false display_name: Teams parent: organizations/123456789012 + tags: null + timeouts: null ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] members: 
@@ -1762,24 +1596,28 @@ values: deletion_protection: false display_name: Tenants parent: organizations/123456789012 + tags: null + timeouts: null + module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]: + timeouts: null counts: google_folder: 16 - google_folder_iam_binding: 80 - google_organization_iam_member: 14 - google_project_iam_member: 28 - google_service_account: 28 - google_service_account_iam_binding: 28 - google_storage_bucket: 12 - google_storage_bucket_iam_binding: 24 - google_storage_bucket_iam_member: 28 - google_storage_bucket_object: 27 + google_folder_iam_binding: 73 + google_organization_iam_member: 13 + google_project_iam_member: 26 + google_service_account: 26 + google_service_account_iam_binding: 26 + google_storage_bucket: 11 + google_storage_bucket_iam_binding: 22 + google_storage_bucket_iam_member: 26 + google_storage_bucket_object: 25 google_tags_tag_binding: 16 google_tags_tag_key: 2 - google_tags_tag_value: 10 + google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 - modules: 57 - resources: 317 + modules: 54 + resources: 297 outputs: cicd_repositories: @@ -1796,3 +1634,4 @@ outputs: branch: null name: test/00-security type: gitlab + From 4a4ba7eb5bfcdab86339ea6587debb86d8dfd1dc Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 11:44:42 +0200 Subject: [PATCH 33/94] tfdoc --- fast/stages/1-tenant-factory/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index 55e3a29e0e..c253bf9dc4 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md @@ -325,5 +325,5 @@ gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-boot | name | description | sensitive | consumers | |---|---|:---:|---| -| [tenants](outputs.tf#L202) | Tenant base configuration. | | | +| [tenants](outputs.tf#L130) | Tenant base configuration. | | | 
From 52545153c73d3fea581e97bc99db751d5c94967d Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 11:51:22 +0200 Subject: [PATCH 34/94] fix inventory --- tests/fast/stages/s1_resman/simple.yaml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 13f3500084..0208c1e5a9 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml @@ -137,14 +137,12 @@ values: module.net-folder-dev[0].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder-prod[0].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: timeouts: null @@ -152,7 +150,6 @@ values: deletion_protection: false display_name: Networking parent: organizations/123456789012 - tags: null timeouts: null ? module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] : condition: [] @@ -560,7 +557,6 @@ values: deletion_protection: false display_name: Security parent: organizations/123456789012 - tags: null timeouts: null module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] @@ -958,7 +954,6 @@ values: module.stage3-folder["data-platform-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] 
@@ -1000,7 +995,6 @@ values: module.stage3-folder["data-platform-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1042,7 +1036,6 @@ values: module.stage3-folder["gcve-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1084,7 +1077,6 @@ values: module.stage3-folder["gcve-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1126,7 +1118,6 @@ values: module.stage3-folder["gke-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1168,7 +1159,6 @@ values: module.stage3-folder["gke-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1531,7 +1521,6 @@ values: deletion_protection: false display_name: Data Platform parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1539,7 +1528,6 @@ values: deletion_protection: false display_name: GCVE parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null 
@@ -1547,7 +1535,6 @@ values: deletion_protection: false display_name: GKE parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1555,7 +1542,6 @@ values: deletion_protection: false display_name: Sandbox parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["sandbox"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1563,7 +1549,6 @@ values: deletion_protection: false display_name: Teams parent: organizations/123456789012 - tags: null timeouts: null ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] @@ -1596,7 +1581,6 @@ values: deletion_protection: false display_name: Tenants parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]: timeouts: null From ec91824d2173d6ccf09d44491aebe576dd4f56d4 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 18 Oct 2024 16:06:04 +0200 Subject: [PATCH 35/94] optional stage 2 env folders and tag bindings --- fast/stage-links.sh | 4 ++-- fast/stages/1-resman/organization.tf | 14 ++++++++----- fast/stages/1-resman/outputs.tf | 11 +++++----- fast/stages/1-resman/stage-2-networking.tf | 2 ++ fast/stages/1-resman/stage-2-security.tf | 2 ++ fast/stages/2-networking-a-simple/README.md | 12 ++++++----- fast/stages/2-networking-a-simple/main.tf | 4 ++++ .../2-networking-a-simple/monitoring.tf | 3 +++ fast/stages/2-networking-a-simple/net-dev.tf | 9 ++++++-- .../2-networking-a-simple/net-landing.tf | 9 ++++++-- fast/stages/2-networking-a-simple/net-prod.tf | 9 ++++++-- .../2-networking-a-simple/variables-fast.tf | 16 ++++++++++++++ fast/stages/2-networking-b-nva/README.md | 12 ++++++----- fast/stages/2-networking-b-nva/main.tf | 6 +++++- fast/stages/2-networking-b-nva/monitoring.tf | 3 +++ fast/stages/2-networking-b-nva/net-dev.tf | 9 ++++++-- fast/stages/2-networking-b-nva/net-landing.tf | 9 ++++++-- fast/stages/2-networking-b-nva/net-prod.tf | 9 ++++++-- .../2-networking-b-nva/variables-fast.tf | 17 +++++++++++++++ .../2-networking-c-separate-envs/README.md | 12 ++++++----- .../2-networking-c-separate-envs/main.tf | 4 ++++ .../monitoring.tf | 6 ++++++ .../2-networking-c-separate-envs/net-dev.tf | 9 ++++++-- .../2-networking-c-separate-envs/net-prod.tf | 9 ++++++-- .../variables-fast.tf | 17 +++++++++++++++ fast/stages/2-security/README.md | 10 +++++---- fast/stages/2-security/core-dev.tf | 11 +++++++--- fast/stages/2-security/core-prod.tf | 11 +++++++--- fast/stages/2-security/main.tf | 4 ++++ fast/stages/2-security/variables-fast.tf | 21 ++++++++++++++++++- 30 files changed, 219 insertions(+), 55 deletions(-) diff --git a/fast/stage-links.sh b/fast/stage-links.sh index 71f8738ce1..a0fd068adb 100755 --- a/fast/stage-links.sh +++ b/fast/stage-links.sh 
@@ -69,13 +69,13 @@ case $STAGE_NAME in if [[ -z "$TENANT" ]]; then echo "# if this is a tenant stage, set a \$TENANT variable with the tenant shortname and run the command again" PROVIDER="providers/2-networking-providers.tf" - SELF="$STAGE_NAME.auto.tfvars" + SELF="2-networking.auto.tfvars" TFVARS="tfvars/0-bootstrap.auto.tfvars.json tfvars/1-resman.auto.tfvars.json" else unset GLOBALS PROVIDER="tenants/$TENANT/providers/2-networking-providers.tf" - SELF="tenants/$TENANT/$STAGE_NAME.auto.tfvars" + SELF="tenants/$TENANT/2-networking.auto.tfvars" TFVARS="tenants/$TENANT/tfvars/0-bootstrap-tenant.auto.tfvars.json tenants/$TENANT/tfvars/1-resman.auto.tfvars.json" fi diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index eef3ca5b9b..f3568a8d94 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -41,17 +41,21 @@ locals { environment_tag_values = { for k, v in var.environment_names : v => { iam = merge( + # user-defined configuration try(local.tags.environment.values[v].iam, {}), - !var.fast_stage_2.project_factory.enabled - ? {} - : { + # stage 2 service accounts + { "roles/resourcemanager.tagUser" = distinct(concat( try(local.tags.environment.values[v].iam["roles/resourcemanager.tagUser"], []), - [module.pf-sa-rw[0].iam_email] + !var.fast_stage_2.project_factory.enabled ? [] : [module.pf-sa-rw[0].iam_email], + !var.fast_stage_2.networking.enabled ? [] : [module.net-sa-rw[0].iam_email], + !var.fast_stage_2.security.enabled ? [] : [module.sec-sa-rw[0].iam_email], )) "roles/resourcemanager.tagViewer" = distinct(concat( try(local.tags.environment.values[v].iam["roles/resourcemanager.tagViewer"], []), - [module.pf-sa-ro[0].iam_email] + !var.fast_stage_2.project_factory.enabled ? [] : [module.pf-sa-ro[0].iam_email], + !var.fast_stage_2.networking.enabled ? [] : [module.net-sa-ro[0].iam_email], + !var.fast_stage_2.security.enabled ? [] : [module.sec-sa-ro[0].iam_email], )) } ) 
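Review bot: In the organization.tf hunk the second argument to `merge()` is now unconditional, so `roles/resourcemanager.tagUser` and `roles/resourcemanager.tagViewer` are emitted for every environment tag value even when all three `fast_stage_2.*.enabled` flags are false and there are no user-defined members, leaving both keys with empty lists. How the tags module treats an empty member list is not visible here, so it is worth confirming that this does not plan an empty authoritative binding. The added entries also widen who can attach environment tag values (the networking and security read-write service accounts), and the in-line comment should say why, e.g. `# stage 2 SAs bind environment tag values on their own projects when no per-environment folders exist`. The `locals` block starts and ends outside the hunk.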
diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 1eb3b3be05..5361c79523 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf @@ -37,11 +37,12 @@ locals { local.top_level_service_accounts ) tfvars = { - folder_ids = local.folder_ids - service_accounts = local.service_accounts - tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } - tag_names = var.tag_names - tag_values = { for k, v in try(local.tag_values, {}) : k => v.id } + environment_names = var.environment_names + folder_ids = local.folder_ids + service_accounts = local.service_accounts + tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } + tag_names = var.tag_names + tag_values = { for k, v in try(local.tag_values, {}) : k => v.id } } } diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index b774089ae8..1e10a3d494 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -59,8 +59,10 @@ module "net-folder" { "roles/resourcemanager.folderAdmin" = [module.net-sa-rw[0].iam_email] "roles/resourcemanager.projectCreator" = [module.net-sa-rw[0].iam_email] "roles/compute.xpnAdmin" = [module.net-sa-rw[0].iam_email] + "roles/resourcemanager.tagUser" = [module.net-sa-rw[0].iam_email] "roles/viewer" = [module.net-sa-ro[0].iam_email] "roles/resourcemanager.folderViewer" = [module.net-sa-ro[0].iam_email] + "roles/resourcemanager.tagViewer" = [module.net-sa-ro[0].iam_email] }, # network security stage 2 service accounts var.fast_stage_2.network_security.enabled != true ? {} : { diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 824cb03ff7..28eae197e9 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf 
@@ -50,8 +50,10 @@ module "sec-folder" { "roles/owner" = [module.sec-sa-rw[0].iam_email] "roles/resourcemanager.folderAdmin" = [module.sec-sa-rw[0].iam_email] "roles/resourcemanager.projectCreator" = [module.sec-sa-rw[0].iam_email] + "roles/resourcemanager.tagUser" = [module.net-sa-rw[0].iam_email] "roles/viewer" = [module.sec-sa-ro[0].iam_email] "roles/resourcemanager.folderViewer" = [module.sec-sa-ro[0].iam_email] + "roles/resourcemanager.tagViewer" = [module.net-sa-ro[0].iam_email] }, # project factory service accounts (var.fast_stage_2.project_factory.enabled) != true ? {} : { diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 86c20bde83..c2e8503a45 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
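Review bot: The two bindings added to the security folder name the networking service accounts (`module.net-sa-rw[0]`, `module.net-sa-ro[0]`), while every neighbouring entry in this map uses `module.sec-sa-rw[0]` / `module.sec-sa-ro[0]`. As written, the networking automation identities receive tag roles on the Security folder and the security stage's own service accounts receive none, which looks like a copy-paste from stage-2-networking.tf. It would presumably also fail to evaluate when the networking stage is disabled and the indexed module has no instances. Suggested lines: `"roles/resourcemanager.tagUser" = [module.sec-sa-rw[0].iam_email]` and `"roles/resourcemanager.tagViewer" = [module.sec-sa-ro[0].iam_email]`. The `module "sec-folder"` block starts and ends outside the hunk.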
@@ -483,21 +483,23 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L50) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L60) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L70) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L60) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L70) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L80) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | +| [environment_names](variables-fast.tf#L40) | Long environment names. 
| object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L40) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [fast_features](variables-fast.tf#L50) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | | [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L80) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L90) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | | +| [tag_values](variables-fast.tf#L105) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf index b1b56e72ce..3c21dacd65 100644 --- a/fast/stages/2-networking-a-simple/main.tf +++ b/fast/stages/2-networking-a-simple/main.tf 
@@ -17,6 +17,10 @@ # tfdoc:file:description Networking folder and hierarchical policy. locals { + env_tag_values = { + for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + } + has_env_folders = var.folder_ids.networking-dev != null service_accounts = { for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}" if v != null diff --git a/fast/stages/2-networking-a-simple/monitoring.tf b/fast/stages/2-networking-a-simple/monitoring.tf index 0875e3a698..5142ed4fd7 100644 --- a/fast/stages/2-networking-a-simple/monitoring.tf +++ b/fast/stages/2-networking-a-simple/monitoring.tf @@ -29,4 +29,7 @@ resource "google_monitoring_dashboard" "dashboard" { for_each = local.dashboards project = module.landing-project.project_id dashboard_json = file(each.value) + lifecycle { + ignore_changes = [dashboard_json] + } } diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf index f48917ae76..1df3a940d5 100644 --- a/fast/stages/2-networking-a-simple/net-dev.tf +++ b/fast/stages/2-networking-a-simple/net-dev.tf @@ -20,8 +20,10 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - parent = var.folder_ids.networking-dev - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-dev, var.folder_ids.networking + ) + prefix = var.prefix services = concat( [ "container.googleapis.com", @@ -70,6 +72,9 @@ module "dev-spoke-project" { } } } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["dev"] + } } module "dev-spoke-vpc" { diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf index f6ee4a0d59..49fac80e56 100644 --- a/fast/stages/2-networking-a-simple/net-landing.tf +++ b/fast/stages/2-networking-a-simple/net-landing.tf 
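Review bot: `env_tag_values` in the main.tf hunk iterates `var.environment_names` directly and indexes `var.tag_values` by key, but variables-fast.tf in this same commit declares them with `default = null` and `default = {}` and the README lists them as optional. A `for` over null and a lookup of a missing key both fail at evaluation, and as far as I can tell the local is evaluated even when `has_env_folders` is true and the binding is never used. Since a silently missing environment binding would be worse than an error, the simpler fix is to make both inputs required by dropping `default = null` and `default = {}`, so Terraform reports the missing variable by name. The same locals are added in 2-networking-b-nva/main.tf and 2-networking-c-separate-envs/main.tf.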
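Review bot: The `lifecycle { ignore_changes = [dashboard_json] }` block added in the monitoring.tf hunk has no comment explaining why it is needed, and with it later edits to the files read by `file(each.value)` will no longer reach the deployed dashboards. If the aim is to suppress a permanent diff caused by the API normalising the JSON, say so in place, e.g. `# API rewrites dashboard_json on read; ignored to avoid a perpetual diff, file edits require resource replacement`. The same block is added in 2-networking-b-nva/monitoring.tf and twice in 2-networking-c-separate-envs/monitoring.tf.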
@@ -20,8 +20,10 @@ module "landing-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-landing-0" - parent = var.folder_ids.networking-prod - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-prod, var.folder_ids.networking + ) + prefix = var.prefix services = concat([ "compute.googleapis.com", "dns.googleapis.com", @@ -37,6 +39,9 @@ module "landing-project" { shared_vpc_host_config = { enabled = true } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["prod"] + } } module "landing-vpc" { diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf index f2e52abe5a..6f676603e1 100644 --- a/fast/stages/2-networking-a-simple/net-prod.tf +++ b/fast/stages/2-networking-a-simple/net-prod.tf @@ -20,8 +20,10 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - parent = var.folder_ids.networking-prod - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-prod, var.folder_ids.networking + ) + prefix = var.prefix services = concat( [ "container.googleapis.com", @@ -69,6 +71,9 @@ module "prod-spoke-project" { } } } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["prod"] + } } module "prod-spoke-vpc" { diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index e9c0326718..b17cb0f917 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf 
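Review bot: The `tag_bindings` added to `landing-project` is gated on `local.has_env_folders`, which main.tf derives from `var.folder_ids.networking-dev` alone, while this project's `parent` falls back on `var.folder_ids.networking-prod`. If the two folder ids can be null independently, a setup with a dev folder but no prod folder places this project directly under the networking folder with no environment tag binding, so anything keyed on that tag would not apply to it. Gating each project on its own folder avoids that: `tag_bindings = var.folder_ids.networking-prod != null ? {} : {` followed by the existing body. The same applies to `prod-spoke-project` in net-prod.tf and to the matching hunks in 2-networking-b-nva and 2-networking-c-separate-envs.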
@@ -37,6 +37,16 @@ variable "billing_account" { } } +variable "environment_names" { + # tfdoc:variable:source 1-resman + description = "Long environment names." + type = object({ + dev = string + prod = string + }) + default = null +} + variable "fast_features" { # tfdoc:variable:source 0-0-bootstrap description = "Selective control for top-level FAST features." @@ -92,3 +102,9 @@ variable "service_accounts" { default = null } +variable "tag_values" { + # tfdoc:variable:source 1-resman + description = "Root-level tag values." + type = map(string) + default = {} +} diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index a3d244a866..a1bf5f24ce 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md 
@@ -539,22 +539,24 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L48) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L58) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L68) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L78) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | +| [environment_names](variables-fast.tf#L38) | Long environment names. 
| object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L38) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [fast_features](variables-fast.tf#L48) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format. | map(string) | | {…} | | | [network_mode](variables.tf#L109) | Selection of the network design to deploy. | string | | "simple" | | | [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | | [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L88) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [tag_values](variables-fast.tf#L103) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | | [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf index 44e44ee7bd..cbbe39acd6 100644 --- a/fast/stages/2-networking-b-nva/main.tf 
+++ b/fast/stages/2-networking-b-nva/main.tf @@ -17,7 +17,11 @@ # tfdoc:file:description Networking folder and hierarchical policy. locals { - nva_zones = ["b", "c"] + env_tag_values = { + for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + } + has_env_folders = var.folder_ids.networking-dev != null + nva_zones = ["b", "c"] # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), diff --git a/fast/stages/2-networking-b-nva/monitoring.tf b/fast/stages/2-networking-b-nva/monitoring.tf index be3a47faac..95bb097aee 100644 --- a/fast/stages/2-networking-b-nva/monitoring.tf +++ b/fast/stages/2-networking-b-nva/monitoring.tf @@ -29,4 +29,7 @@ resource "google_monitoring_dashboard" "dashboard" { for_each = local.dashboards project = module.landing-project.project_id dashboard_json = file(each.value) + lifecycle { + ignore_changes = [dashboard_json] + } } diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf index 858a4d25b9..84e9e03179 100644 --- a/fast/stages/2-networking-b-nva/net-dev.tf +++ b/fast/stages/2-networking-b-nva/net-dev.tf @@ -20,8 +20,10 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - parent = var.folder_ids.networking-dev - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-dev, var.folder_ids.networking + ) + prefix = var.prefix services = concat([ "container.googleapis.com", "compute.googleapis.com", @@ -64,6 +66,9 @@ module "dev-spoke-project" { } } } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["dev"] + } } module "dev-spoke-vpc" { diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf index 095260ae54..dbf7015e3c 100644 --- a/fast/stages/2-networking-b-nva/net-landing.tf +++ b/fast/stages/2-networking-b-nva/net-landing.tf 
@@ -20,8 +20,10 @@ module "landing-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-landing-0" - parent = var.folder_ids.networking-prod - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-prod, var.folder_ids.networking + ) + prefix = var.prefix services = concat([ "compute.googleapis.com", "dns.googleapis.com", @@ -43,6 +45,9 @@ module "landing-project" { shared_vpc_host_config = { enabled = true } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["prod"] + } } # DMZ (untrusted) VPC diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf index 2c2d344af2..db7dfe5ed7 100644 --- a/fast/stages/2-networking-b-nva/net-prod.tf +++ b/fast/stages/2-networking-b-nva/net-prod.tf @@ -35,8 +35,10 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - parent = var.folder_ids.networking-prod - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-prod, var.folder_ids.networking + ) + prefix = var.prefix services = concat([ "container.googleapis.com", "compute.googleapis.com", @@ -78,6 +80,9 @@ module "prod-spoke-project" { } } } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["prod"] + } } module "prod-spoke-vpc" { diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index bdb3ae8d7f..45ae1ad0a6 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf +++ b/fast/stages/2-networking-b-nva/variables-fast.tf 
@@ -35,6 +35,16 @@ variable "billing_account" { } } +variable "environment_names" { + # tfdoc:variable:source 1-resman + description = "Long environment names." + type = object({ + dev = string + prod = string + }) + default = null +} + variable "fast_features" { # tfdoc:variable:source 0-0-bootstrap description = "Selective control for top-level FAST features." @@ -89,3 +99,10 @@ variable "service_accounts" { }) default = null } + +variable "tag_values" { + # tfdoc:variable:source 1-resman + description = "Root-level tag values." + type = map(string) + default = {} +} diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index 66cf2c02c1..0dfc99d619 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md 
@@ -342,19 +342,21 @@ Regions are defined via the `regions` variable which sets up a mapping between t |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L48) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L58) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L68) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L78) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | | +| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L66) | Configuration for network resource factories. 
| object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L38) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [fast_features](variables-fast.tf#L48) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | | [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L88) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [tag_values](variables-fast.tf#L103) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | | [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf index fd7b76e4d2..da9c1358e3 100644 --- a/fast/stages/2-networking-c-separate-envs/main.tf +++ b/fast/stages/2-networking-c-separate-envs/main.tf @@ -17,6 +17,10 @@ # tfdoc:file:description Networking folder and hierarchical policy. locals { + env_tag_values = { + for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + } + has_env_folders = var.folder_ids.networking-dev != null # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), 
diff --git a/fast/stages/2-networking-c-separate-envs/monitoring.tf b/fast/stages/2-networking-c-separate-envs/monitoring.tf index 01ed0c4797..d3750fee06 100644 --- a/fast/stages/2-networking-c-separate-envs/monitoring.tf +++ b/fast/stages/2-networking-c-separate-envs/monitoring.tf @@ -29,10 +29,16 @@ resource "google_monitoring_dashboard" "dev-dashboard" { for_each = local.dashboards project = module.dev-spoke-project.project_id dashboard_json = file(each.value) + lifecycle { + ignore_changes = [dashboard_json] + } } resource "google_monitoring_dashboard" "prod-dashboard" { for_each = local.dashboards project = module.prod-spoke-project.project_id dashboard_json = file(each.value) + lifecycle { + ignore_changes = [dashboard_json] + } } diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf index 3ee211ba72..684709e6bc 100644 --- a/fast/stages/2-networking-c-separate-envs/net-dev.tf +++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf @@ -20,8 +20,10 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - parent = var.folder_ids.networking-dev - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-dev, var.folder_ids.networking + ) + prefix = var.prefix services = concat([ "container.googleapis.com", "compute.googleapis.com", @@ -69,6 +71,9 @@ module "dev-spoke-project" { } } } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["dev"] + } } module "dev-spoke-vpc" { diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf index 1f3432cd46..dab4d0e83a 100644 --- a/fast/stages/2-networking-c-separate-envs/net-prod.tf +++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf 
@@ -20,8 +20,10 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - parent = var.folder_ids.networking-prod - prefix = var.prefix + parent = coalesce( + var.folder_ids.networking-prod, var.folder_ids.networking + ) + prefix = var.prefix services = concat([ "container.googleapis.com", "compute.googleapis.com", @@ -68,6 +70,9 @@ module "prod-spoke-project" { } } } + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["prod"] + } } module "prod-spoke-vpc" { diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index bdb3ae8d7f..45ae1ad0a6 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf @@ -35,6 +35,16 @@ variable "billing_account" { } } +variable "environment_names" { + # tfdoc:variable:source 1-resman + description = "Long environment names." + type = object({ + dev = string + prod = string + }) + default = null +} + variable "fast_features" { # tfdoc:variable:source 0-0-bootstrap description = "Selective control for top-level FAST features." @@ -89,3 +99,10 @@ variable "service_accounts" { }) default = null } + +variable "tag_values" { + # tfdoc:variable:source 1-resman + description = "Root-level tag values." + type = map(string) + default = {} +} diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index 6ee1c93ce5..d07a8b41b2 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -281,15 +281,17 @@ tls_inspection = { |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L38) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L46) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L56) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [service_accounts](variables-fast.tf#L66) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L48) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L58) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [service_accounts](variables-fast.tf#L78) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | | [cas_configs](variables.tf#L18) | The CAS CAs to add to each environment. | object({…}) | | {…} | | +| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L179) | Email used for essential contacts, unset if null. | string | | null | | | [kms_keys](variables.tf#L185) | KMS keys to create, keyed by name. 
| map(object({…})) | | {} | | | [ngfw_tls_configs](variables.tf#L224) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | | | [outputs_location](variables.tf#L250) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | +| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | | [trust_configs](variables.tf#L256) | The trust configs grouped by environment. | object({…}) | | {…} | | ## Outputs diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf index 9ac7d417fd..e75dfb1a69 100644 --- a/fast/stages/2-security/core-dev.tf +++ b/fast/stages/2-security/core-dev.tf @@ -38,9 +38,11 @@ locals { } module "dev-sec-project" { - source = "../../../modules/project" - name = "dev-sec-core-0" - parent = var.folder_ids.security + source = "../../../modules/project" + name = "dev-sec-core-0" + parent = coalesce( + var.folder_ids.security-dev, var.folder_ids.security + ) prefix = var.prefix billing_account = var.billing_account.id iam = { @@ -54,6 +56,9 @@ module "dev-sec-project" { } labels = { environment = "dev", team = "security" } services = local.project_services + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["dev"] + } } module "dev-sec-kms" { diff --git a/fast/stages/2-security/core-prod.tf b/fast/stages/2-security/core-prod.tf index c98fe70289..61f67d5caf 100644 --- a/fast/stages/2-security/core-prod.tf +++ b/fast/stages/2-security/core-prod.tf @@ -37,9 +37,11 @@ locals { } module "prod-sec-project" { - source = "../../../modules/project" - name = "prod-sec-core-0" - parent = var.folder_ids.security + source = "../../../modules/project" + name = "prod-sec-core-0" + parent = coalesce( + var.folder_ids.security-prod, var.folder_ids.security + ) prefix = var.prefix billing_account = var.billing_account.id iam = { 
@@ -53,6 +55,9 @@ module "prod-sec-project" { } labels = { environment = "prod", team = "security" } services = local.project_services + tag_bindings = local.has_env_folders ? {} : { + environment = local.env_tag_values["prod"] + } } module "prod-sec-kms" { diff --git a/fast/stages/2-security/main.tf b/fast/stages/2-security/main.tf index ba9b6d8a45..f805234c24 100644 --- a/fast/stages/2-security/main.tf +++ b/fast/stages/2-security/main.tf @@ -15,6 +15,10 @@ */ locals { + env_tag_values = { + for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + } + has_env_folders = var.folder_ids.networking-dev != null # additive IAM binding for delegated KMS admins kms_restricted_admin_template = { role = "roles/cloudkms.admin" diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf index 7d6259920e..9db6c3bbba 100644 --- a/fast/stages/2-security/variables-fast.tf +++ b/fast/stages/2-security/variables-fast.tf @@ -35,11 +35,23 @@ variable "billing_account" { } } +variable "environment_names" { + # tfdoc:variable:source 1-resman + description = "Long environment names." + type = object({ + dev = string + prod = string + }) + default = null +} + variable "folder_ids" { # tfdoc:variable:source 1-resman description = "Folder name => id mappings, the 'security' folder name must exist." type = object({ - security = string + security = string + security-dev = string + security-prod = string }) } @@ -76,3 +88,10 @@ variable "service_accounts" { project-factory-prod = string }) } + +variable "tag_values" { + # tfdoc:variable:source 1-resman + description = "Root-level tag values." + type = map(string) + default = {} +} From f3afc2766ce943d9a81ee298e1aca7763e3e12cd Mon Sep 17 00:00:00 2001 
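Review bot: `has_env_folders = var.folder_ids.networking-dev != null` in the `locals` block of `2-security/main.tf` reads an attribute that this stage's `folder_ids` object does not declare. The `variables-fast.tf` hunk of the same commit defines only `security`, `security-dev` and `security-prod`, so this should fail validation with an unsupported-attribute error. It looks copied from the networking stages and should read `has_env_folders = var.folder_ids.security-dev != null`. Separately, `var.tag_values["environment/${v}"]` indexes a map whose default is `{}`, so the `tag_values` description should state that the `environment/<long name>` keys are required, for example `"Root-level tag values; must contain the environment/<name> keys."`. The `locals` block continues outside the hunk.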
From: Ludo Date: Fri, 18 Oct 2024 16:13:49 +0200 Subject: [PATCH 36/94] tflint --- fast/stages/2-networking-a-simple/README.md | 14 +++++++------- .../stages/2-networking-a-simple/variables-fast.tf | 1 - fast/stages/2-networking-b-nva/README.md | 14 +++++++------- fast/stages/2-networking-b-nva/variables-fast.tf | 1 - fast/stages/2-networking-c-separate-envs/README.md | 14 +++++++------- .../2-networking-c-separate-envs/variables-fast.tf | 1 - fast/stages/2-security/README.md | 12 ++++++------ fast/stages/2-security/variables-fast.tf | 5 ++--- 8 files changed, 29 insertions(+), 33 deletions(-) diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index c2e8503a45..91e6198f86 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
@@ -483,23 +483,23 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L60) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L70) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L80) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L40) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L69) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L79) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | -| [environment_names](variables-fast.tf#L40) | Long environment names. 
| object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L50) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [fast_features](variables-fast.tf#L49) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | | [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L90) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L89) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | | -| [tag_values](variables-fast.tf#L105) | Root-level tag values. | map(string) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L104) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index b17cb0f917..7eeb7caa9d 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf 
@@ -44,7 +44,6 @@ variable "environment_names" { dev = string prod = string }) - default = null } variable "fast_features" { diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index a1bf5f24ce..a5f29ad722 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md 
@@ -539,24 +539,24 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L68) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L78) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | -| [environment_names](variables-fast.tf#L38) | Long environment names. 
| object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L48) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format. | map(string) | | {…} | | | [network_mode](variables.tf#L109) | Selection of the network design to deploy. | string | | "simple" | | | [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | | [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L88) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [tag_values](variables-fast.tf#L103) | Root-level tag values. | map(string) | | {} | 1-resman | +| [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [tag_values](variables-fast.tf#L102) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | | [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | 
diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index 45ae1ad0a6..d73ced09eb 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf +++ b/fast/stages/2-networking-b-nva/variables-fast.tf @@ -42,7 +42,6 @@ variable "environment_names" { dev = string prod = string }) - default = null } variable "fast_features" { diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index 0dfc99d619..819ff60a7e 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md 
@@ -342,21 +342,21 @@ Regions are defined via the `regions` variable which sets up a mapping between t |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L68) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L78) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | | -| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. 
| string | | null | | | [factories_config](variables.tf#L66) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L48) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | +| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | | [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L88) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [tag_values](variables-fast.tf#L103) | Root-level tag values. | map(string) | | {} | 1-resman | +| [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [tag_values](variables-fast.tf#L102) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | | [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index 45ae1ad0a6..d73ced09eb 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf @@ -42,7 +42,6 @@ variable "environment_names" { dev = string prod = string }) - default = null } variable "fast_features" { 
diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index d07a8b41b2..e13ad8b790 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -281,17 +281,17 @@ tls_inspection = { |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L48) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L58) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [service_accounts](variables-fast.tf#L78) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | +| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L57) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [service_accounts](variables-fast.tf#L77) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | | [cas_configs](variables.tf#L18) | The CAS CAs to add to each environment. | object({…}) | | {…} | | -| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | | null | 1-resman | | [essential_contacts](variables.tf#L179) | Email used for essential contacts, unset if null. 
| string | | null | | | [kms_keys](variables.tf#L185) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | | [ngfw_tls_configs](variables.tf#L224) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | | | [outputs_location](variables.tf#L250) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L91) | Root-level tag values. | map(string) | | {} | 1-resman | | [trust_configs](variables.tf#L256) | The trust configs grouped by environment. | object({…}) | | {…} | | ## Outputs diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf index 9db6c3bbba..4bd47f996b 100644 --- a/fast/stages/2-security/variables-fast.tf +++ b/fast/stages/2-security/variables-fast.tf @@ -42,7 +42,6 @@ variable "environment_names" { dev = string prod = string }) - default = null } variable "folder_ids" { @@ -50,8 +49,8 @@ variable "folder_ids" { description = "Folder name => id mappings, the 'security' folder name must exist." type = object({ security = string - security-dev = string - security-prod = string + security-dev = optional(string) + security-prod = optional(string) }) } From d32985cafcf24e3dd57bb37bfa7da19e99c1c6a7 Mon Sep 17 00:00:00 2001 
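Review bot: The `folder_ids` description in `2-security/variables-fast.tf` still reads "Folder name => id mappings, the 'security' folder name must exist." after `security-dev` and `security-prod` become `optional(string)`, so nothing tells the caller what leaving them unset means. Going by `core-dev.tf` and `core-prod.tf` earlier in this series, an unset environment folder makes the project fall back to `security` and receive an `environment` tag binding instead. The description should say so, for example `"Folder name => id mappings. 'security' is required; 'security-dev' and 'security-prod' are optional and fall back to 'security'."`. The variable block opens above the hunk.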
From: Ludo Date: Fri, 18 Oct 2024 16:40:54 +0200 Subject: [PATCH 37/94] damn tflint --- fast/stages/2-networking-a-simple/README.md | 2 +- fast/stages/2-networking-a-simple/net-dev.tf | 7 +++++-- fast/stages/2-networking-a-simple/net-landing.tf | 7 +++++-- fast/stages/2-networking-a-simple/net-prod.tf | 7 +++++-- fast/stages/2-networking-a-simple/variables-fast.tf | 4 ++-- fast/stages/2-networking-b-nva/README.md | 2 +- fast/stages/2-networking-b-nva/net-dev.tf | 7 +++++-- fast/stages/2-networking-b-nva/net-landing.tf | 7 +++++-- fast/stages/2-networking-b-nva/net-prod.tf | 7 +++++-- fast/stages/2-networking-b-nva/variables-fast.tf | 4 ++-- fast/stages/2-networking-c-separate-envs/README.md | 2 +- fast/stages/2-networking-c-separate-envs/main.tf | 2 +- fast/stages/2-networking-c-separate-envs/net-dev.tf | 7 +++++-- fast/stages/2-networking-c-separate-envs/net-prod.tf | 7 +++++-- fast/stages/2-networking-c-separate-envs/variables-fast.tf | 4 ++-- fast/stages/2-security/core-dev.tf | 7 +++++-- fast/stages/2-security/core-prod.tf | 7 +++++-- 17 files changed, 60 insertions(+), 30 deletions(-) diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 91e6198f86..64a034e522 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
@@ -484,7 +484,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L40) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | | [organization](variables-fast.tf#L69) | Organization details. | object({…}) | ✓ | | 0-bootstrap | | [prefix](variables-fast.tf#L79) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf index 1df3a940d5..6cced6b1b2 100644 --- a/fast/stages/2-networking-a-simple/net-dev.tf +++ b/fast/stages/2-networking-a-simple/net-dev.tf @@ -20,8 +20,11 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - parent = coalesce( - var.folder_ids.networking-dev, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-dev != null + ? var.folder_ids.networking-dev + : var.folder_ids.networking ) prefix = var.prefix services = concat( 
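Review bot: The comment `# tflint barfs on coalesce` above `parent` in `dev-spoke-project` does not say which rule or error was hit, and it hides that the replacement is not an exact equivalent. `coalesce` skips empty strings and raises an error when every argument is null or empty, whereas the conditional passes an empty `networking-dev` straight through as the project parent. A comment that records the intended semantics would serve the next reader better, for example `# use the environment folder when set, else the shared networking folder (conditional instead of coalesce to satisfy tflint)`. The same comment and expression are repeated in `net-landing.tf` and `net-prod.tf` of this stage and in the `2-networking-b-nva` files of this commit; the module body continues outside the hunk.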
diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf index 49fac80e56..564752c129 100644 --- a/fast/stages/2-networking-a-simple/net-landing.tf +++ b/fast/stages/2-networking-a-simple/net-landing.tf @@ -20,8 +20,11 @@ module "landing-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-landing-0" - parent = coalesce( - var.folder_ids.networking-prod, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-prod != null + ? var.folder_ids.networking-prod + : var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf index 6f676603e1..399a692fc7 100644 --- a/fast/stages/2-networking-a-simple/net-prod.tf +++ b/fast/stages/2-networking-a-simple/net-prod.tf @@ -20,8 +20,11 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - parent = coalesce( - var.folder_ids.networking-prod, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-prod != null + ? var.folder_ids.networking-prod + : var.folder_ids.networking ) prefix = var.prefix services = concat( diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index 7eeb7caa9d..68b52ccfde 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf @@ -61,8 +61,8 @@ variable "folder_ids" { description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." type = object({ networking = string - networking-dev = string - networking-prod = string + networking-dev = optional(string) + networking-prod = optional(string) }) } 
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index a5f29ad722..9f5b37266d 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md @@ -540,7 +540,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | | [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | | [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf index 84e9e03179..201ab2a2be 100644 --- a/fast/stages/2-networking-b-nva/net-dev.tf +++ b/fast/stages/2-networking-b-nva/net-dev.tf 
@@ -20,8 +20,11 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - parent = coalesce( - var.folder_ids.networking-dev, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-dev != null + ? var.folder_ids.networking-dev + : var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf index dbf7015e3c..bcdf3124da 100644 --- a/fast/stages/2-networking-b-nva/net-landing.tf +++ b/fast/stages/2-networking-b-nva/net-landing.tf @@ -20,8 +20,11 @@ module "landing-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-landing-0" - parent = coalesce( - var.folder_ids.networking-prod, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-prod != null + ? var.folder_ids.networking-prod + : var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf index db7dfe5ed7..890cf2b91b 100644 --- a/fast/stages/2-networking-b-nva/net-prod.tf +++ b/fast/stages/2-networking-b-nva/net-prod.tf @@ -35,8 +35,11 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - parent = coalesce( - var.folder_ids.networking-prod, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-prod != null + ? var.folder_ids.networking-prod + : var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index d73ced09eb..161a74c8e6 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf 
+++ b/fast/stages/2-networking-b-nva/variables-fast.tf @@ -59,8 +59,8 @@ variable "folder_ids" { description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." type = object({ networking = string - networking-dev = string - networking-prod = string + networking-dev = optional(string) + networking-prod = optional(string) }) } diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index 819ff60a7e..70ae05f099 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md @@ -343,7 +343,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | | [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | | [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | 
diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf index da9c1358e3..19c8d28eb6 100644 --- a/fast/stages/2-networking-c-separate-envs/main.tf +++ b/fast/stages/2-networking-c-separate-envs/main.tf @@ -20,7 +20,7 @@ locals { env_tag_values = { for k, v in var.environment_names : k => var.tag_values["environment/${v}"] } - has_env_folders = var.folder_ids.networking-dev != null + has_env_folders = var.folder_ids.security-dev != null # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf index 684709e6bc..0839351f8e 100644 --- a/fast/stages/2-networking-c-separate-envs/net-dev.tf +++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf @@ -20,8 +20,11 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - parent = coalesce( - var.folder_ids.networking-dev, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-dev != null + ? var.folder_ids.networking-dev + : var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf index dab4d0e83a..c4a38af50e 100644 --- a/fast/stages/2-networking-c-separate-envs/net-prod.tf +++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf @@ -20,8 +20,11 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - parent = coalesce( - var.folder_ids.networking-prod, var.folder_ids.networking + # tflint barfs on coalesce + parent = ( + var.folder_ids.networking-prod != null + ? var.folder_ids.networking-prod + : var.folder_ids.networking ) prefix = var.prefix services = concat([ 
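Review bot: `has_env_folders` in `locals` of 2-networking-c-separate-envs/main.tf now reads `var.folder_ids.security-dev`, but the `folder_ids` object this stage declares in variables-fast.tf (same patch) has only `networking`, `networking-dev` and `networking-prod`, so the reference cannot resolve. The line should stay `has_env_folders = var.folder_ids.networking-dev != null`. PATCH 38/94 later in this series restores it, and squashing that fix into this commit would keep every commit in the series plannable. The `locals` block continues outside the hunk.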
diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index d73ced09eb..161a74c8e6 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf @@ -59,8 +59,8 @@ variable "folder_ids" { description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." type = object({ networking = string - networking-dev = string - networking-prod = string + networking-dev = optional(string) + networking-prod = optional(string) }) } diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf index e75dfb1a69..e2b22acedf 100644 --- a/fast/stages/2-security/core-dev.tf +++ b/fast/stages/2-security/core-dev.tf @@ -40,8 +40,11 @@ locals { module "dev-sec-project" { source = "../../../modules/project" name = "dev-sec-core-0" - parent = coalesce( - var.folder_ids.security-dev, var.folder_ids.security + # tflint barfs on coalesce + parent = ( + var.folder_ids.security-dev != null + ? var.folder_ids.security-dev + : var.folder_ids.security ) prefix = var.prefix billing_account = var.billing_account.id diff --git a/fast/stages/2-security/core-prod.tf b/fast/stages/2-security/core-prod.tf index 61f67d5caf..bedf89b8a9 100644 --- a/fast/stages/2-security/core-prod.tf +++ b/fast/stages/2-security/core-prod.tf @@ -39,8 +39,11 @@ locals { module "prod-sec-project" { source = "../../../modules/project" name = "prod-sec-core-0" - parent = coalesce( - var.folder_ids.security-prod, var.folder_ids.security + # tflint barfs on coalesce + parent = ( + var.folder_ids.security-prod != null + ? var.folder_ids.security-prod + : var.folder_ids.security ) prefix = var.prefix billing_account = var.billing_account.id From 8ca28d26cb4442832fffa0f5d39d89b40495819b Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 18 Oct 2024 16:43:17 +0200 Subject: [PATCH 38/94] damn tflint --- fast/stages/2-networking-c-separate-envs/main.tf | 2 +- fast/stages/2-security/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf index 19c8d28eb6..da9c1358e3 100644 --- a/fast/stages/2-networking-c-separate-envs/main.tf +++ b/fast/stages/2-networking-c-separate-envs/main.tf @@ -20,7 +20,7 @@ locals { env_tag_values = { for k, v in var.environment_names : k => var.tag_values["environment/${v}"] } - has_env_folders = var.folder_ids.security-dev != null + has_env_folders = var.folder_ids.networking-dev != null # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), diff --git a/fast/stages/2-security/main.tf b/fast/stages/2-security/main.tf index f805234c24..0624c885fe 100644 --- a/fast/stages/2-security/main.tf +++ b/fast/stages/2-security/main.tf @@ -18,7 +18,7 @@ locals { env_tag_values = { for k, v in var.environment_names : k => var.tag_values["environment/${v}"] } - has_env_folders = var.folder_ids.networking-dev != null + has_env_folders = var.folder_ids.security-dev != null # additive IAM binding for delegated KMS admins kms_restricted_admin_template = { role = "roles/cloudkms.admin" From adccd705bfe34a4337042e372a96b07457ddf835 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 16:44:55 +0200 Subject: [PATCH 39/94] tfdoc --- fast/stages/1-resman/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index cd5f045bc4..3819f02d18 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -291,8 +291,8 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md | name | description | sensitive | consumers | |---|---|:---:|---| -| [cicd_repositories](outputs.tf#L48) | WIF configuration for CI/CD repositories. | | | -| [folder_ids](outputs.tf#L60) | Folder ids. | | | -| [providers](outputs.tf#L66) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | -| [tfvars](outputs.tf#L74) | Terraform variable files for the following stages. | ✓ | | +| [cicd_repositories](outputs.tf#L49) | WIF configuration for CI/CD repositories. | | | +| [folder_ids](outputs.tf#L61) | Folder ids. | | | +| [providers](outputs.tf#L67) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | +| [tfvars](outputs.tf#L75) | Terraform variable files for the following stages. | ✓ | | From 1fdb13b42959997cec6fd955f9521acd10aa4789 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 18 Oct 2024 17:08:35 +0200 Subject: [PATCH 40/94] fix networking tests --- fast/stages/2-networking-a-simple/main.tf | 4 +- fast/stages/2-networking-b-nva/main.tf | 4 +- .../2-networking-c-separate-envs/main.tf | 4 +- tests/fast/stages/s1_resman/simple.yaml | 49 ++++++++++++------- .../stages/s2_networking_a_simple/ncc.tfvars | 12 ++++- .../stages/s2_networking_a_simple/ncc.yaml | 4 +- .../s2_networking_a_simple/simple.tfvars | 12 ++++- .../stages/s2_networking_a_simple/simple.yaml | 4 +- .../stages/s2_networking_a_simple/vpn.tfvars | 12 ++++- .../stages/s2_networking_a_simple/vpn.yaml | 4 +- .../stages/s2_networking_b_nva/ncc-ra.tfvars | 12 ++++- .../stages/s2_networking_b_nva/ncc-ra.yaml | 4 +- .../s2_networking_b_nva/regional.tfvars | 12 ++++- .../stages/s2_networking_b_nva/regional.yaml | 4 +- .../stages/s2_networking_b_nva/simple.tfvars | 12 ++++- .../stages/s2_networking_b_nva/simple.yaml | 4 +- .../simple.tfvars | 12 ++++- .../s2_networking_c_separate_envs/simple.yaml | 4 +- 18 files changed, 117 insertions(+), 56 deletions(-) diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf index 3c21dacd65..0e5e99e7ec 100644 --- a/fast/stages/2-networking-a-simple/main.tf +++ b/fast/stages/2-networking-a-simple/main.tf @@ -49,9 +49,7 @@ locals { module "folder" { source = "../../../modules/folder" - parent = "organizations/${var.organization.id}" - name = "Networking" - folder_create = var.folder_ids.networking == null + folder_create = false id = var.folder_ids.networking contacts = ( var.essential_contacts == null diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf index cbbe39acd6..48754ef13a 100644 --- a/fast/stages/2-networking-b-nva/main.tf +++ b/fast/stages/2-networking-b-nva/main.tf 
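Review bot: With `folder_create = false` hard-coded in `module "folder"`, a null `var.folder_ids.networking` is now handed to the folder module as `id`, yet the `folder_ids` description still reads "If null, folder will be created." and the type still accepts null for `networking`. I would change the description to `"Folders to be used for the networking resources in folders/nnnnnnnnnnn format."` and add a validation on the variable with `condition = var.folder_ids.networking != null`, so a missing id fails at plan time instead of attaching contacts and IAM to an unset folder. The same applies to the main.tf hunks of 2-networking-b-nva and 2-networking-c-separate-envs. The module block continues outside the hunk, so what else is bound to `id` is not visible here.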
@@ -46,9 +46,7 @@ locals { module "folder" { source = "../../../modules/folder" - parent = "organizations/${var.organization.id}" - name = "Networking" - folder_create = var.folder_ids.networking == null + folder_create = false id = var.folder_ids.networking contacts = ( var.essential_contacts == null diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf index da9c1358e3..268e942f71 100644 --- a/fast/stages/2-networking-c-separate-envs/main.tf +++ b/fast/stages/2-networking-c-separate-envs/main.tf @@ -40,9 +40,7 @@ locals { module "folder" { source = "../../../modules/folder" - parent = "organizations/${var.organization.id}" - name = "Networking" - folder_create = var.folder_ids.networking == null + folder_create = false id = var.folder_ids.networking contacts = ( var.essential_contacts == null diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 0208c1e5a9..15f7c005f7 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml @@ -201,6 +201,16 @@ values: members: - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator + module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.net-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer module.net-folder[0].google_folder_iam_binding.authoritative["roles/serviceusage.serviceUsageAdmin"]: condition: [] members: 
@@ -419,24 +429,32 @@ values: condition: [] members: - serviceAccount:fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser ? module.organization[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"] : condition: [] members: - serviceAccount:fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagViewer module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"]: condition: [] members: + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser module.organization[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"]: condition: [] members: + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: 
roles/resourcemanager.tagViewer module.pf-bucket[0].google_storage_bucket.bucket: @@ -598,6 +616,16 @@ values: members: - serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.sec-folder[0].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer module.sec-folder[0].google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: @@ -1587,7 +1615,7 @@ values: counts: google_folder: 16 - google_folder_iam_binding: 73 + google_folder_iam_binding: 77 google_organization_iam_member: 13 google_project_iam_member: 26 google_service_account: 26 @@ -1601,21 +1629,4 @@ counts: google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 modules: 54 - resources: 297 - -outputs: - cicd_repositories: - networking: - provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno - repository: - branch: main - name: test/00-networking - parent_id: null - type: github - security: - provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno - repository: - branch: null - name: test/00-security - type: gitlab - + resources: 301 diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.tfvars b/tests/fast/stages/s2_networking_a_simple/ncc.tfvars index 0ef78ea332..027942aea2 100644 --- a/tests/fast/stages/s2_networking_a_simple/ncc.tfvars +++ b/tests/fast/stages/s2_networking_a_simple/ncc.tfvars 
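Review bot: The expected plan for `module.sec-folder[0]` pins `fast2-prod-resman-net-0` and `fast2-prod-resman-net-0r` as the only members of the authoritative `roles/resourcemanager.tagUser` and `roles/resourcemanager.tagViewer` bindings, while the `projectCreator` binding just above on the same folder lists `fast2-prod-resman-sec-0`. Because these bindings are authoritative, the networking automation account would hold tag rights on the security folder and the security account would hold none, which looks like a copy from the networking stage definition rather than intent; the Terraform source is not in this hunk, so that is an inference. If so, fix the stage-2 security IAM and expect `serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com` and the matching `sec-0r` account here. Pinning the current values in the test would make the cross-domain grant look deliberate.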
@@ -11,10 +11,14 @@ dns = { resolvers = ["10.10.10.10"] enable_logging = true } -enable_cloud_nat = true +enable_cloud_nat = true +environment_names = { + dev = "development" + prod = "production" +} essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } @@ -39,3 +43,7 @@ service_accounts = { spoke_configs = { ncc_configs = {} } +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.yaml b/tests/fast/stages/s2_networking_a_simple/ncc.yaml index 1e8f149deb..f5b82b72ee 100644 --- a/tests/fast/stages/s2_networking_a_simple/ncc.yaml +++ b/tests/fast/stages/s2_networking_a_simple/ncc.yaml @@ -29,7 +29,6 @@ counts: google_dns_response_policy: 1 google_dns_response_policy_rule: 38 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 @@ -41,6 +40,7 @@ counts: google_project_service: 24 google_project_service_identity: 18 google_storage_bucket_object: 2 + google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 24 - resources: 173 + resources: 175 diff --git a/tests/fast/stages/s2_networking_a_simple/simple.tfvars b/tests/fast/stages/s2_networking_a_simple/simple.tfvars index 74d3dfb36a..743ddadae2 100644 --- a/tests/fast/stages/s2_networking_a_simple/simple.tfvars +++ b/tests/fast/stages/s2_networking_a_simple/simple.tfvars @@ -11,10 +11,14 @@ dns = { resolvers = ["10.10.10.10"] enable_logging = true } -enable_cloud_nat = true +enable_cloud_nat = true +environment_names = { + dev = "development" + prod = "production" +} essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } 
@@ -36,6 +40,10 @@ organization = { customer_id = "C00000000" } prefix = "fast2" +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} # spoke_configs defaults to peering vpn_onprem_primary_config = { peer_external_gateways = { diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml index 844d6216f1..a82fbdf81e 100644 --- a/tests/fast/stages/s2_networking_a_simple/simple.yaml +++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml @@ -35,7 +35,6 @@ counts: google_dns_response_policy: 1 google_dns_response_policy_rule: 38 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 @@ -45,7 +44,8 @@ counts: google_project_service: 23 google_project_service_identity: 17 google_storage_bucket_object: 2 + google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 29 random_id: 1 - resources: 185 + resources: 187 diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.tfvars b/tests/fast/stages/s2_networking_a_simple/vpn.tfvars index e37c0436c0..7ccc864c0a 100644 --- a/tests/fast/stages/s2_networking_a_simple/vpn.tfvars +++ b/tests/fast/stages/s2_networking_a_simple/vpn.tfvars @@ -11,10 +11,14 @@ dns = { resolvers = ["10.10.10.10"] enable_logging = true } -enable_cloud_nat = true +enable_cloud_nat = true +environment_names = { + dev = "development" + prod = "production" +} essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } @@ -39,3 +43,7 @@ service_accounts = { spoke_configs = { vpn_configs = {} } +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} 
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml index a967425615..5c3323f88e 100644 --- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml +++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml @@ -33,7 +33,6 @@ counts: google_dns_response_policy: 1 google_dns_response_policy_rule: 38 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 @@ -43,7 +42,8 @@ counts: google_project_service: 23 google_project_service_identity: 17 google_storage_bucket_object: 2 + google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 31 random_id: 5 - resources: 222 + resources: 224 diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars index 8f6b1eeed7..18de6761e9 100644 --- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars +++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars @@ -13,9 +13,13 @@ dns = { } enable_cloud_nat = true enable_test_instances = true -essential_contacts = "gcp-network-admins@fast.example.com" +environment_names = { + dev = "development" + prod = "production" +} +essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } @@ -116,3 +120,7 @@ vpn_onprem_secondary_config = { } } } +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml index 69c26f8c46..5ad6e0dfaa 100644 --- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml +++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml 
@@ -36,7 +36,6 @@ counts: google_dns_response_policy: 1 google_dns_response_policy_rule: 38 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 @@ -48,7 +47,8 @@ counts: google_project_service: 24 google_project_service_identity: 18 google_storage_bucket_object: 2 + google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 39 random_id: 2 - resources: 253 + resources: 255 diff --git a/tests/fast/stages/s2_networking_b_nva/regional.tfvars b/tests/fast/stages/s2_networking_b_nva/regional.tfvars index 36c04f78ff..00bf90bbc5 100644 --- a/tests/fast/stages/s2_networking_b_nva/regional.tfvars +++ b/tests/fast/stages/s2_networking_b_nva/regional.tfvars @@ -13,9 +13,13 @@ dns = { } enable_cloud_nat = true enable_test_instances = true -essential_contacts = "gcp-network-admins@fast.example.com" +environment_names = { + dev = "development" + prod = "production" +} +essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } @@ -116,3 +120,7 @@ vpn_onprem_secondary_config = { } } } +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} diff --git a/tests/fast/stages/s2_networking_b_nva/regional.yaml b/tests/fast/stages/s2_networking_b_nva/regional.yaml index 8f9bcaad56..7f648fe184 100644 --- a/tests/fast/stages/s2_networking_b_nva/regional.yaml +++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml @@ -40,7 +40,6 @@ counts: google_dns_response_policy: 1 google_dns_response_policy_rule: 38 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 
@@ -50,6 +49,7 @@ counts: google_project_service: 23 google_project_service_identity: 17 google_storage_bucket_object: 2 + google_tags_tag_binding: 3 modules: 47 random_id: 2 - resources: 258 + resources: 260 diff --git a/tests/fast/stages/s2_networking_b_nva/simple.tfvars b/tests/fast/stages/s2_networking_b_nva/simple.tfvars index 0907742987..f885fffb77 100644 --- a/tests/fast/stages/s2_networking_b_nva/simple.tfvars +++ b/tests/fast/stages/s2_networking_b_nva/simple.tfvars @@ -13,9 +13,13 @@ dns = { } enable_cloud_nat = true enable_test_instances = true -essential_contacts = "gcp-network-admins@fast.example.com" +environment_names = { + dev = "development" + prod = "production" +} +essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } @@ -116,3 +120,7 @@ vpn_onprem_secondary_config = { } } } +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml index a6c90d5661..05de3f1402 100644 --- a/tests/fast/stages/s2_networking_b_nva/simple.yaml +++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml @@ -40,7 +40,6 @@ counts: google_dns_response_policy: 1 google_dns_response_policy_rule: 38 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 2 google_monitoring_dashboard: 3 google_monitoring_monitored_project: 2 @@ -50,7 +49,8 @@ counts: google_project_service: 23 google_project_service_identity: 17 google_storage_bucket_object: 2 + google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 43 random_id: 2 - resources: 236 + resources: 238 diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars b/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars index e72ed28f81..30bb19bde9 100644 
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars +++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars @@ -12,10 +12,14 @@ dns = { prod_resolvers = ["10.20.10.10"] enable_logging = true } -enable_cloud_nat = true +enable_cloud_nat = true +environment_names = { + dev = "development" + prod = "production" +} essential_contacts = "gcp-network-admins@fast.example.com" folder_ids = { - networking = null + networking = "folders/12345" networking-dev = null networking-prod = null } @@ -37,6 +41,10 @@ organization = { customer_id = "C00000000" } prefix = "fast2" +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} vpn_onprem_dev_primary_config = { peer_external_gateways = { default = { diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml index e76d911b18..a265d989f4 100644 --- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml +++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml @@ -34,7 +34,6 @@ counts: google_dns_response_policy: 2 google_dns_response_policy_rule: 76 google_essential_contacts_contact: 1 - google_folder: 1 google_monitoring_alert_policy: 4 google_monitoring_dashboard: 6 google_project: 2 @@ -43,7 +42,8 @@ counts: google_project_service: 18 google_project_service_identity: 14 google_storage_bucket_object: 2 + google_tags_tag_binding: 2 google_vpc_access_connector: 2 modules: 22 random_id: 2 - resources: 204 + resources: 205 From fbade44ea10aae0a3ce0886cfa230b740493ec46 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Fri, 18 Oct 2024 17:11:42 +0200 Subject: [PATCH 41/94] tflint --- fast/stages/2-networking-a-simple/README.md | 7 +++---- fast/stages/2-networking-a-simple/variables-fast.tf | 10 ---------- fast/stages/2-networking-b-nva/README.md | 7 +++---- fast/stages/2-networking-b-nva/variables-fast.tf | 10 ---------- fast/stages/2-networking-c-separate-envs/README.md | 7 +++---- .../2-networking-c-separate-envs/variables-fast.tf | 10 ---------- 6 files changed, 9 insertions(+), 42 deletions(-) diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 64a034e522..84e72d16d2 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
@@ -485,8 +485,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L40) | Long environment names. | object({…}) | ✓ | | 1-resman | | [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L69) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L79) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L69) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | 
@@ -497,9 +496,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | | [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L89) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L79) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | | -| [tag_values](variables-fast.tf#L104) | Root-level tag values. | map(string) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L94) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index 68b52ccfde..cd92198ed6 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf @@ -66,16 +66,6 @@ variable "folder_ids" { }) } -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "prefix" { # tfdoc:variable:source 0-bootstrap description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." 
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index 9f5b37266d..606287340e 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md @@ -541,8 +541,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | | [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | 
@@ -555,8 +554,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | | [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [tag_values](variables-fast.tf#L102) | Root-level tag values. | map(string) | | {} | 1-resman | +| [service_accounts](variables-fast.tf#L77) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | | [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index 161a74c8e6..d7e7485693 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf +++ b/fast/stages/2-networking-b-nva/variables-fast.tf @@ -64,16 +64,6 @@ variable "folder_ids" { }) } -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "prefix" { # tfdoc:variable:source 0-bootstrap description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." 
diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index 70ae05f099..ca96abe348 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md @@ -344,8 +344,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | | [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L67) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L77) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | | 
@@ -355,8 +354,8 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | | [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L87) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [tag_values](variables-fast.tf#L102) | Root-level tag values. | map(string) | | {} | 1-resman | +| [service_accounts](variables-fast.tf#L77) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | | [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index 161a74c8e6..d7e7485693 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf @@ -64,16 +64,6 @@ variable "folder_ids" { }) } -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "prefix" { # tfdoc:variable:source 0-bootstrap description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." 
From 01949cbf70a7a3b75c9be3aeec3e405c2f15b04f Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 19:33:43 +0200 Subject: [PATCH 42/94] fix test inventories --- fast/stages/2-security/core-dev.tf | 7 ++---- fast/stages/2-security/main.tf | 4 +--- tests/fast/stages/s2_security/simple.tfvars | 10 ++++++++- tests/fast/stages/s2_security/simple.yaml | 25 ++------------------- 4 files changed, 14 insertions(+), 32 deletions(-) diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf index e2b22acedf..e75dfb1a69 100644 --- a/fast/stages/2-security/core-dev.tf +++ b/fast/stages/2-security/core-dev.tf @@ -40,11 +40,8 @@ locals { module "dev-sec-project" { source = "../../../modules/project" name = "dev-sec-core-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.security-dev != null - ? var.folder_ids.security-dev - : var.folder_ids.security + parent = coalesce( + var.folder_ids.security-dev, var.folder_ids.security ) prefix = var.prefix billing_account = var.billing_account.id diff --git a/fast/stages/2-security/main.tf b/fast/stages/2-security/main.tf index 0624c885fe..f2334da05c 100644 --- a/fast/stages/2-security/main.tf +++ b/fast/stages/2-security/main.tf @@ -63,9 +63,7 @@ locals { module "folder" { source = "../../../modules/folder" - parent = "organizations/${var.organization.id}" - name = "Security" - folder_create = var.folder_ids.security == null + folder_create = false id = var.folder_ids.security contacts = ( var.essential_contacts == null diff --git a/tests/fast/stages/s2_security/simple.tfvars b/tests/fast/stages/s2_security/simple.tfvars index 0dff490379..ae5b064e73 100644 --- a/tests/fast/stages/s2_security/simple.tfvars +++ b/tests/fast/stages/s2_security/simple.tfvars 
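Review bot: `coalesce()` in the new `parent` argument of `module "dev-sec-project"` skips empty strings as well as nulls, so a `security-dev` id set to `""` now places the project in the shared `security` folder, where the old ternary passed the empty value through. The parent folder decides which IAM bindings and organization policies the project inherits, so the fallback deserves a comment on the argument, for example `# falls back to the shared security folder when no dev folder id is set (null or "")`. The same pattern is introduced for the `networking-dev` and `networking-prod` parents in the net-dev.tf, net-landing.tf and net-prod.tf hunks of PATCH 44/94. The module block continues past the end of this hunk.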
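Review bot: With `folder_create = false` and `id = var.folder_ids.security` in `module "folder"`, a null `security` id no longer has a creation path to fall back on, and nothing in this hunk rejects it. The test tfvars in the same patch switch `security` from `null` to a folder id, which suggests null is no longer a supported input. A validation on `folder_ids` in variables-fast.tf would make that fail at plan time with a clear message, for example `condition = var.folder_ids.security != null` with `error_message = "The security folder id is required."`, unless the object type already enforces it (the type is not visible here). The module block continues outside the hunk.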
@@ -4,9 +4,13 @@ automation = { billing_account = { id = "000000-111111-222222" } +environment_names = { + dev = "development" + prod = "production" +} essential_contacts = "gcp-security-admins@fast.example.com" folder_ids = { - security = null + security = "folders/12345678" } organization = { domain = "fast.example.com" @@ -34,3 +38,7 @@ service_accounts = { project-factory-dev = "foobar@iam.gserviceaccount.com" project-factory-prod = "foobar@iam.gserviceaccount.com" } +tag_values = { + "environment/development" = "tagValues/12345" + "environment/production" = "tagValues/12346" +} diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml index e98ac3805a..cbb28d7033 100644 --- a/tests/fast/stages/s2_security/simple.yaml +++ b/tests/fast/stages/s2_security/simple.yaml @@ -123,7 +123,6 @@ values: effective_labels: environment: dev team: security - folder_id: null labels: environment: dev team: security @@ -237,10 +236,6 @@ values: notification_category_subscriptions: - ALL timeouts: null - module.folder.google_folder.folder[0]: - display_name: Security - parent: organizations/123456789012 - timeouts: null module.prod-sec-kms["europe"].google_kms_crypto_key.default["compute"]: effective_labels: service: compute @@ -336,7 +331,6 @@ values: effective_labels: environment: prod team: security - folder_id: null labels: environment: prod team: security @@ -447,7 +441,6 @@ values: counts: google_essential_contacts_contact: 1 - google_folder: 1 google_kms_crypto_key: 8 google_kms_crypto_key_iam_binding: 8 google_kms_key_ring: 8 
@@ -457,20 +450,6 @@ counts: google_project_service: 14 google_project_service_identity: 12 google_storage_bucket_object: 1 + google_tags_tag_binding: 2 modules: 11 - resources: 65 - -outputs: - cas_configs: - dev: {} - prod: {} - kms_keys: __missing__ - ngfw_tls_configs: - tls_enabled: false - tls_ip_ids_by_region: - dev: {} - prod: {} - tfvars: __missing__ - trust_config_ids: - dev: {} - prod: {} + resources: 66 From d4f5e0003015650f8ee4ec696b0e56c8632558e1 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 19:35:17 +0200 Subject: [PATCH 43/94] tfdoc --- fast/stages/2-security/README.md | 7 +++---- fast/stages/2-security/variables-fast.tf | 10 ---------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index e13ad8b790..2a1c1147f0 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -283,15 +283,14 @@ tls_inspection = { | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | | [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L57) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [service_accounts](variables-fast.tf#L77) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L57) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [service_accounts](variables-fast.tf#L67) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | | [cas_configs](variables.tf#L18) | The CAS CAs to add to each environment. | object({…}) | | {…} | | | [essential_contacts](variables.tf#L179) | Email used for essential contacts, unset if null. | string | | null | | | [kms_keys](variables.tf#L185) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | | [ngfw_tls_configs](variables.tf#L224) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | | | [outputs_location](variables.tf#L250) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [tag_values](variables-fast.tf#L91) | Root-level tag values. 
| map(string) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L81) | Root-level tag values. | map(string) | | {} | 1-resman | | [trust_configs](variables.tf#L256) | The trust configs grouped by environment. | object({…}) | | {…} | | ## Outputs diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf index 4bd47f996b..43e89936bd 100644 --- a/fast/stages/2-security/variables-fast.tf +++ b/fast/stages/2-security/variables-fast.tf @@ -54,16 +54,6 @@ variable "folder_ids" { }) } -variable "organization" { - # tfdoc:variable:source 0-bootstrap - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) -} - variable "prefix" { # tfdoc:variable:source 0-bootstrap description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants." From cc923463685fcd9bfd40b1662bbe1275a0499910 Mon Sep 17 00:00:00 2001 From: Ludo Date: Fri, 18 Oct 2024 19:43:28 +0200 Subject: [PATCH 44/94] use coalesce for project parents --- fast/stages/2-networking-a-simple/net-dev.tf | 8 ++-- .../2-networking-a-simple/net-landing.tf | 8 ++-- fast/stages/2-networking-a-simple/net-prod.tf | 8 ++-- fast/stages/2-networking-b-nva/main.tf | 39 ++++++++++++++++++- fast/stages/2-networking-b-nva/net-dev.tf | 8 ++-- fast/stages/2-networking-b-nva/net-landing.tf | 8 ++-- fast/stages/2-networking-b-nva/net-prod.tf | 23 ++--------- .../2-networking-c-separate-envs/net-dev.tf | 8 ++-- .../2-networking-c-separate-envs/net-prod.tf | 8 ++-- 9 files changed, 62 insertions(+), 56 deletions(-) diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf index 6cced6b1b2..9166b38ce9 100644 --- a/fast/stages/2-networking-a-simple/net-dev.tf +++ b/fast/stages/2-networking-a-simple/net-dev.tf 
@@ -20,11 +20,9 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-dev != null - ? var.folder_ids.networking-dev - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-dev, + var.folder_ids.networking ) prefix = var.prefix services = concat( diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf index 564752c129..a9afac1fe4 100644 --- a/fast/stages/2-networking-a-simple/net-landing.tf +++ b/fast/stages/2-networking-a-simple/net-landing.tf @@ -20,11 +20,9 @@ module "landing-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-landing-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-prod != null - ? var.folder_ids.networking-prod - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-prod, + var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf index 399a692fc7..52f646da02 100644 --- a/fast/stages/2-networking-a-simple/net-prod.tf +++ b/fast/stages/2-networking-a-simple/net-prod.tf @@ -20,11 +20,9 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-prod != null - ? var.folder_ids.networking-prod - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-prod, + var.folder_ids.networking ) prefix = var.prefix services = concat( diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf index 48754ef13a..4e2ef73701 100644 --- a/fast/stages/2-networking-b-nva/main.tf +++ b/fast/stages/2-networking-b-nva/main.tf 
@@ -17,11 +17,48 @@ # tfdoc:file:description Networking folder and hierarchical policy. locals { + _regional_nva_lb = { + primary = ( + var.network_mode == "regional_vpc" + ? module.ilb-regional-nva-landing["primary"].forwarding_rule_addresses[""] + : null + ) + secondary = ( + var.network_mode == "regional_vpc" + ? module.ilb-regional-nva-landing["secondary"].forwarding_rule_addresses[""] + : null + ) + } + _simple_nva_lb = { + primary = ( + var.network_mode == "simple" + ? module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] + : null + ) + secondary = ( + var.network_mode == "simple" + ? module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] + : null + ) + } env_tag_values = { for k, v in var.environment_names : k => var.tag_values["environment/${v}"] } has_env_folders = var.folder_ids.networking-dev != null - nva_zones = ["b", "c"] + # select the NVA ILB as next hop for spoke VPC routing depending on net mode + nva_load_balancers = (var.network_mode == "ncc_ra") ? null : { + primary = ( + var.network_mode == "simple" + ? local._simple_nva_lb.primary + : local._regional_nva_lb.primary + ) + secondary = ( + var.network_mode == "simple" + ? local._simple_nva_lb.secondary + : local._regional_nva_lb.secondary + ) + } + nva_zones = ["b", "c"] # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf index 201ab2a2be..38e11b306a 100644 --- a/fast/stages/2-networking-b-nva/net-dev.tf +++ b/fast/stages/2-networking-b-nva/net-dev.tf 
@@ -20,11 +20,9 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-dev != null - ? var.folder_ids.networking-dev - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-dev, + var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf index bcdf3124da..9f67f456e7 100644 --- a/fast/stages/2-networking-b-nva/net-landing.tf +++ b/fast/stages/2-networking-b-nva/net-landing.tf @@ -20,11 +20,9 @@ module "landing-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-landing-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-prod != null - ? var.folder_ids.networking-prod - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-prod, + var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf index 890cf2b91b..135c747045 100644 --- a/fast/stages/2-networking-b-nva/net-prod.tf +++ b/fast/stages/2-networking-b-nva/net-prod.tf 
@@ -15,31 +15,14 @@ */ # tfdoc:file:description Production spoke VPC and related resources. -locals { - _simple_nva_lb = { - primary = (var.network_mode == "simple" ? module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] : null) - secondary = (var.network_mode == "simple" ? module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] : null) - } - _regional_nva_lb = { - primary = (var.network_mode == "regional_vpc" ? module.ilb-regional-nva-landing["primary"].forwarding_rule_addresses[""] : null) - secondary = (var.network_mode == "regional_vpc" ? module.ilb-regional-nva-landing["secondary"].forwarding_rule_addresses[""] : null) - } - # On the basis of the network modes slects the NVA internal load balacer as next hop for spoke VPC routing - nva_load_balancers = (var.network_mode == "ncc_ra") ? null : { - primary = (var.network_mode == "simple" ? local._simple_nva_lb.primary : local._regional_nva_lb.primary) - secondary = (var.network_mode == "simple" ? local._simple_nva_lb.secondary : local._regional_nva_lb.secondary) - } -} module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-prod != null - ? var.folder_ids.networking-prod - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-prod, + var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf index 0839351f8e..b0a753ec1e 100644 --- a/fast/stages/2-networking-c-separate-envs/net-dev.tf +++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf 
@@ -20,11 +20,9 @@ module "dev-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "dev-net-spoke-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-dev != null - ? var.folder_ids.networking-dev - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-dev, + var.folder_ids.networking ) prefix = var.prefix services = concat([ diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf index c4a38af50e..98f54fc408 100644 --- a/fast/stages/2-networking-c-separate-envs/net-prod.tf +++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf @@ -20,11 +20,9 @@ module "prod-spoke-project" { source = "../../../modules/project" billing_account = var.billing_account.id name = "prod-net-spoke-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.networking-prod != null - ? var.folder_ids.networking-prod - : var.folder_ids.networking + parent = coalesce( + var.folder_ids.networking-prod, + var.folder_ids.networking ) prefix = var.prefix services = concat([ From b472007e78b1c4341bee2ec4a323f79d7ee9ccb3 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 19 Oct 2024 10:33:50 +0200 Subject: [PATCH 45/94] fix billing role conditions --- fast/stages/1-resman/billing.tf | 4 +- fast/stages/1-resman/iam.tf | 1 + fast/stages/1-resman/organization.tf | 9 ++- fast/stages/1-resman/outputs-files.tf | 3 + fast/stages/1-resman/stage-2-networking.tf | 14 ++-- fast/stages/1-resman/stage-2-security.tf | 8 +-- fast/stages/1-resman/stage-3.tf | 82 ++++++++++++---------- fast/stages/1-resman/stage-cicd.tf | 6 +- fast/stages/1-resman/top-level-folders.tf | 4 ++ 9 files changed, 80 insertions(+), 51 deletions(-) diff --git a/fast/stages/1-resman/billing.tf b/fast/stages/1-resman/billing.tf index c7d78f536b..1d3e9de853 100644 --- a/fast/stages/1-resman/billing.tf +++ b/fast/stages/1-resman/billing.tf 
@@ -25,13 +25,13 @@ locals { role = "roles/billing.user" } }, - !var.fast_stage_2.security.enabled != true ? {} : { + var.fast_stage_2.security.enabled != true ? {} : { sa_sec_billing = { member = module.sec-sa-rw[0].iam_email role = "roles/billing.user" } }, - !var.fast_stage_2.project_factory.enabled != true ? {} : { + var.fast_stage_2.project_factory.enabled != true ? {} : { sa_pf_billing = { member = module.pf-sa-rw[0].iam_email role = "roles/billing.user" diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf index 276f7f407d..68a9dcb28a 100644 --- a/fast/stages/1-resman/iam.tf +++ b/fast/stages/1-resman/iam.tf @@ -17,6 +17,7 @@ # tfdoc:file:description Organization or root node-level IAM bindings. locals { + # aggregated map of organization IAM additive bindings for stages iam_bindings_additive = merge( # stage 2 networking !var.fast_stage_2.networking.enabled ? {} : { diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf index f3568a8d94..90c69196de 100644 --- a/fast/stages/1-resman/organization.tf +++ b/fast/stages/1-resman/organization.tf @@ -17,11 +17,14 @@ # tfdoc:file:description Organization policies. locals { + # context tag values for enabled stage 2s (merged in the final map below) _context_tag_values_stage2 = { for k, v in var.fast_stage_2 : k => replace(k, "_", "-") if v.enabled } + # merge all context tag values into a single map context_tag_values = merge( + # user-defined try(local.tags["context"]["values"], {}), # top-level folders { @@ -37,7 +40,9 @@ locals { description = try(local.tags.context.values.description[v], null) } }, + # stage 3 define no context as they attach to a top-level folder ) + # environment tag values and their IAM bindings for stage 2 service accounts environment_tag_values = { for k, v in var.environment_names : v => { iam = merge( 
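Review bot: The two corrected guards in this `merge()` keep the negated form `.enabled != true ? {} : {...}`, while the iam.tf hunk in the same patch writes the equivalent gate as `!var.fast_stage_2.networking.enabled ? {} : {...}`. Mixing the two spellings is likely how the `!x != true` inversion fixed here crept in, and these branches decide whether `roles/billing.user` is bound to a stage service account. Using one form throughout, for example `var.fast_stage_2.security.enabled == true ? { sa_sec_billing = {...} } : {}`, would make a repeat easier to spot in review. A plan test asserting that no billing binding exists for a disabled stage would catch it mechanically. The `locals` block starts and ends outside the hunk.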
@@ -64,7 +69,7 @@ locals { ) } } - # service accounts expansion for user-specified tag values + # service account expansion for user-specified tag values tags = { for k, v in var.tags : k => merge(v, { values = { @@ -88,7 +93,7 @@ module "organization" { source = "../../../modules/organization" count = var.root_node == null ? 1 : 0 organization_id = "organizations/${var.organization.id}" - # additive bindings via delegated IAM grant set in stage 0 + # additive bindings leveraging the delegated IAM grant set in stage 0 iam_bindings_additive = local.iam_bindings_additive # do not assign tagViewer or tagUser roles here on tag keys and values as # they are managed authoritatively and will break multitenant stages diff --git a/fast/stages/1-resman/outputs-files.tf b/fast/stages/1-resman/outputs-files.tf index a415e87963..33161d5de2 100644 --- a/fast/stages/1-resman/outputs-files.tf +++ b/fast/stages/1-resman/outputs-files.tf @@ -17,6 +17,7 @@ # tfdoc:file:description Output files persistence to local filesystem. locals { + # output file definitions for enabled stage 2s _stage2_outputs_attrs = merge( var.fast_stage_2["networking"].enabled != true ? {} : { networking = { @@ -55,6 +56,7 @@ locals { } } ) + # CI/CD workflow definitions for enabled stages _cicd_workflow_attrs = merge( # stage 2s { @@ -107,6 +109,7 @@ locals { ) } outputs_location = try(pathexpand(var.outputs_location), "") + # render provider files from template providers = merge( # stage 2 { diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index 1e10a3d494..d6f429a574 100644 --- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -15,6 +15,7 @@ */ locals { + # IAM roles stage 3 service accounts can be assigned on networking net_s3_delegated = join(",", formatlist("'%s'", [ "roles/composer.sharedVpcAgent", "roles/compute.networkUser", 
@@ -23,11 +24,8 @@ locals { "roles/multiclusterservicediscovery.serviceAgent", "roles/vpcaccess.user", ])) - net_use_env_folders = ( - var.fast_stage_2.networking.enabled && - var.fast_stage_2.networking.folder_config.create_env_folders - ) - net_stage3_iam = !var.fast_stage_2.networking.enabled ? {} : { + # normalize IAM bindings for stage 3 service accounts + net_s3_iam = !var.fast_stage_2.networking.enabled ? {} : { for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => ( v.sa == "rw" ? module.stage3-sa-rw[v.s3].iam_email @@ -35,6 +33,10 @@ locals { )... if v.s2 == "networking" } + net_use_env_folders = ( + var.fast_stage_2.networking.enabled && + var.fast_stage_2.networking.folder_config.create_env_folders + ) } # top-level folder @@ -160,7 +162,7 @@ module "net-folder" { }, # stage 3 roles { - for k, v in local.net_stage3_iam : k => { + for k, v in local.net_s3_iam : k => { role = split(":", k)[0] members = v condition = { diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 28eae197e9..6ae20503b8 100644 --- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf @@ -19,7 +19,7 @@ locals { var.fast_stage_2.security.enabled && var.fast_stage_2.security.folder_config.create_env_folders ) - sec_stage3_iam = !var.fast_stage_2.security.enabled ? {} : { + sec_s3_iam = !var.fast_stage_2.security.enabled ? {} : { for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => ( v.sa == "rw" ? module.stage3-sa-rw[v.s3].iam_email @@ -82,7 +82,7 @@ module "sec-folder" { }, # stage 3 IAM bindings use conditions based on environment { - for k, v in local.sec_stage3_iam : k => { + for k, v in local.sec_s3_iam : k => { role = split(":", k)[0] members = v condition = { 
@@ -120,7 +120,7 @@ module "sec-folder-prod" { name = title(var.environment_names["prod"]) iam = { # stage 3s service accounts - for role, attrs in local.sec_stage3_iam.prod : role => [ + for role, attrs in local.sec_s3_iam.prod : role => [ for v in attrs : ( v.sa == "ro" ? module.stage3-sa-ro[v.s3].iam_email @@ -143,7 +143,7 @@ module "sec-folder-dev" { name = title(var.environment_names["dev"]) iam = { # stage 3s service accounts - for role, attrs in local.sec_stage3_iam.dev : role => [ + for role, attrs in local.sec_s3_iam.dev : role => [ for v in attrs : ( v.sa == "ro" ? module.stage3-sa-ro[v.s3].iam_email diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index df82782c71..365da5b9e9 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf @@ -15,6 +15,7 @@ */ locals { + # read and decode factory files _stage3_path = try( pathexpand(var.factories_config.stage_3), null ) 
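Review bot: `local.sec_s3_iam.prod` in `module "sec-folder-prod"` (and `.dev` in the next hunk) does not match the shape the renamed local has in the `@@ -19,7 +19,7 @@` hunk of this file, where keys are built as `"${v.role}:${v.env}"` and values are service account IAM emails. As far as these hunks show, there is no `prod` key to look up, and the inner `v.sa` / `v.s3` references would be applied to email strings, not to the objects in `local.stage3_iam_in_stage2`. If per-environment folder bindings are intended, filtering on the key would fit the existing shape: `for k, v in local.sec_s3_iam : split(":", k)[0] => v if split(":", k)[1] == "prod"`. The rename leaves this untouched. The full definition of the local and of both modules lies outside the hunks, so this needs checking against the complete file.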
@@ -28,47 +29,55 @@ locals { "${coalesce(local._stage3_path, "-")}/${f}" )) } - stage3 = merge({ - for k, v in local._stage3 : k => { - short_name = v.short_name - environment = try(v.environment, "dev") - cicd_config = lookup(v, "cicd_config", null) == null ? null : { - identity_provider = v.cicd_config.identity_provider - repository = merge(v.cicd_config.repository, { - branch = try(v.cicd_config.repository.branch, null) - type = try(v.cicd_config.repository.type, "github") - }) - } - folder_config = lookup(v, "folder_config", null) == null ? null : { - name = v.folder_config.name - iam_by_principals = try(v.folder_config.iam_by_principals, {}) - parent_id = try(v.folder_config.parent_id, null) - tag_bindings = try(v.folder_config.tag_bindings, {}) - } - organization_iam = lookup(v, "organization_iam", null) == null ? null : { - context_tag_value = v.organization_iam.context_tag_value - sa_roles = merge({ ro = [], rw = [] }, v.organization_iam.sa_roles) - } - stage2_iam = { - networking = { - iam_admin_delegated = try( - v.stage2_iam.networking.iam_admin_delegated, false - ) - sa_roles = merge( - { ro = [], rw = [] }, try(v.stage2_iam.networking.sa_roles, {}) - ) + # merge stage 3 from factory and variable data + stage3 = merge( + # normalize factory data attributes with defaults and nulls + { + for k, v in local._stage3 : k => { + short_name = v.short_name + environment = try(v.environment, "dev") + cicd_config = lookup(v, "cicd_config", null) == null ? null : { + identity_provider = v.cicd_config.identity_provider + repository = merge(v.cicd_config.repository, { + branch = try(v.cicd_config.repository.branch, null) + type = try(v.cicd_config.repository.type, "github") + }) } - security = { - iam_admin_delegated = try( - v.stage2_iam.security.iam_admin_delegated, false - ) + folder_config = lookup(v, "folder_config", null) == null ? 
null : { + name = v.folder_config.name + iam_by_principals = try(v.folder_config.iam_by_principals, {}) + parent_id = try(v.folder_config.parent_id, null) + tag_bindings = try(v.folder_config.tag_bindings, {}) + } + organization_iam = lookup(v, "organization_iam", null) == null ? null : { + context_tag_value = v.organization_iam.context_tag_value sa_roles = merge( - { ro = [], rw = [] }, try(v.stage2_iam.security.sa_roles, {}) + { ro = [], rw = [] }, v.organization_iam.sa_roles ) } + stage2_iam = { + networking = { + iam_admin_delegated = try( + v.stage2_iam.networking.iam_admin_delegated, false + ) + sa_roles = merge( + { ro = [], rw = [] }, try(v.stage2_iam.networking.sa_roles, {}) + ) + } + security = { + iam_admin_delegated = try( + v.stage2_iam.security.iam_admin_delegated, false + ) + sa_roles = merge( + { ro = [], rw = [] }, try(v.stage2_iam.security.sa_roles, {}) + ) + } + } } - } - }, var.fast_stage_3) + }, + var.fast_stage_3 + ) + # extract and normalize organization IAM for stage 3s stage3_sa_roles_in_org = flatten([ for k, v in local.stage3 : [ for sa, roles in try(v.organization_iam.sa_roles, []) : [ @@ -82,6 +91,7 @@ locals { ] ] ]) + # extract and normalize stage 2 IAM for stage 2s stage3_iam_in_stage2 = flatten([ for k, v in local.stage3 : [ for s2, attrs in v.stage2_iam : [ diff --git a/fast/stages/1-resman/stage-cicd.tf b/fast/stages/1-resman/stage-cicd.tf index 7abf206c55..1e44acb295 100644 --- a/fast/stages/1-resman/stage-cicd.tf +++ b/fast/stages/1-resman/stage-cicd.tf @@ -15,7 +15,9 @@ */ locals { + # intermediate normalization of repository configurations _cicd_configs = merge( + # stage 2s { for k, v in var.fast_stage_2 : k => merge(v.cicd_config, { @@ -23,6 +25,7 @@ locals { }) if v.cicd_config != null }, + # stage 3s { for k, v in local.stage3 : k => merge(v.cicd_config, { 
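Review bot: The `sa_roles` maps read from the factory YAML are merged over `{ ro = [], rw = [] }` without restricting their keys, so a mistyped key such as `RW` passes through normalization. Elsewhere in this patch the key is resolved with a two-way test (`v.sa == "rw" ? module.stage3-sa-rw[...]` in `net_s3_iam`, `v.sa == "ro" ? module.stage3-sa-ro[...]` in `sec-folder-prod`), so an unknown key presumably falls to the other branch and the roles land on a service account the author did not name. Keeping only the two known keys during normalization would close that gap, e.g. `sa_roles = { for k in ["ro", "rw"] : k => try(v.organization_iam.sa_roles[k], []) }`, with the same treatment for the two `stage2_iam` blocks. Separately, `merge(..., var.fast_stage_3)` lets a variable entry silently replace a factory entry with the same key; a comment stating which source wins would help.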
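Review bot: The added comment `# extract and normalize stage 2 IAM for stage 2s` looks like a typo. The local it documents is `stage3_iam_in_stage2` and it iterates `local.stage3`, so the comment should read `# extract and normalize stage 2 IAM for stage 3s`. The expression continues past the end of the hunk.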
@@ -31,13 +34,14 @@ locals { if v.cicd_config != null } ) - # filter by valid identity provider and type + # finalize configurations and filter by valid identity provider and type cicd_repositories = { for k, v in local._cicd_configs : k => v if( contains(keys(local.identity_providers), v.identity_provider) && fileexists("${path.module}/templates/workflow-${v.repository.type}.yaml") ) } + # lists of input files for each stage cicd_workflow_files = { stage_2 = [ "0-bootstrap.auto.tfvars.json", diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index 641b7ac96d..1eb88789c7 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf @@ -15,6 +15,7 @@ */ locals { + # read and decode factory files _top_level_path = try( pathexpand(var.factories_config.top_level_folders), null ) @@ -28,11 +29,14 @@ locals { "${coalesce(local._top_level_path, "-")}/${f}" )) } + # extract automation configurations for folders that define them top_level_automation = { for k, v in local.top_level_folders : k => v.automation if try(v.automation.enable, null) == true } + # merge top folders from factory and variable data top_level_folders = merge( + # normalize factory data attributes with defaults and nulls { for k, v in local._top_level_folders : k => merge(v, { name = try(v.name, k) From 542998744d7a12a7b1873efe0f150539a2a70027 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 19 Oct 2024 10:38:13 +0200 Subject: [PATCH 46/94] fix billing role conditions --- tests/fast/stages/s1_resman/simple.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 15f7c005f7..11fa102b33 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
@@ -1616,7 +1616,7 @@ values: counts: google_folder: 16 google_folder_iam_binding: 77 - google_organization_iam_member: 13 + google_organization_iam_member: 16 google_project_iam_member: 26 google_service_account: 26 google_service_account_iam_binding: 26 @@ -1629,4 +1629,4 @@ counts: google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 modules: 54 - resources: 301 + resources: 304 From 10de93fa499a80ec3b30a07f0c9343ab858c9e3b Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 19 Oct 2024 10:39:40 +0200 Subject: [PATCH 47/94] security stage tested (ngw resources need fixing/porting) --- fast/stage-links.sh | 3 + fast/stages/2-security/README.md | 17 ++-- fast/stages/2-security/core-dev.tf | 41 +++------- fast/stages/2-security/core-prod.tf | 47 ++++-------- fast/stages/2-security/main.tf | 21 +---- fast/stages/2-security/variables-fast.tf | 14 ---- fast/stages/2-security/variables.tf | 1 - tests/fast/stages/s2_security/simple.yaml | 94 ++++++++--------------- 8 files changed, 72 insertions(+), 166 deletions(-) diff --git a/fast/stage-links.sh b/fast/stage-links.sh index a0fd068adb..5ad46edd8b 100755 --- a/fast/stage-links.sh +++ b/fast/stage-links.sh @@ -27,6 +27,9 @@ Usage with GCS output files bucket: Usage with local output files folder: stage-links.sh FOLDER_PATH + +Point path/GCS URI to the tenant folder in tenant mode: + stage-links.sh FOLDER_PATH/TENANT_SHORTNAME END exit 0 fi diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index 2a1c1147f0..49e756286c 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md @@ -171,7 +171,7 @@ kms_keys = { } storage = { iam = null - labels = { service = "compute" } + labels = { service = "storage" } locations = ["europe"] rotation_period = null } 
@@ -284,14 +284,13 @@ tls_inspection = { | [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | | [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | | [prefix](variables-fast.tf#L57) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [service_accounts](variables-fast.tf#L67) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman | -| [cas_configs](variables.tf#L18) | The CAS CAs to add to each environment. | object({…}) | | {…} | | -| [essential_contacts](variables.tf#L179) | Email used for essential contacts, unset if null. | string | | null | | -| [kms_keys](variables.tf#L185) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | -| [ngfw_tls_configs](variables.tf#L224) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | | -| [outputs_location](variables.tf#L250) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [tag_values](variables-fast.tf#L81) | Root-level tag values. | map(string) | | {} | 1-resman | -| [trust_configs](variables.tf#L256) | The trust configs grouped by environment. | object({…}) | | {…} | | +| [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | object({…}) | | {…} | | +| [essential_contacts](variables.tf#L178) | Email used for essential contacts, unset if null. | string | | null | | +| [kms_keys](variables.tf#L184) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | +| [ngfw_tls_configs](variables.tf#L223) | The CAS and trust configurations key names to be used for NGFW Enterprise. 
| object({…}) | | {…} | | +| [outputs_location](variables.tf#L249) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | +| [tag_values](variables-fast.tf#L67) | Root-level tag values. | map(string) | | {} | 1-resman | +| [trust_configs](variables.tf#L255) | The trust configs grouped by environment. | object({…}) | | {…} | | ## Outputs diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf index e75dfb1a69..f6ab1462a4 100644 --- a/fast/stages/2-security/core-dev.tf +++ b/fast/stages/2-security/core-dev.tf @@ -15,26 +15,10 @@ */ locals { - # Extract NGFW locations from dev CAS ngfw_dev_locations = toset([ - for k, v in var.cas_configs.dev - : v.location + for k, v in var.cas_configs.dev : v.location if contains(var.ngfw_tls_configs.keys.dev.cas, k) ]) - ngfw_dev_sa_agent_cas_iam_bindings_additive = { - nsec_dev_agent_sa_binding = { - member = module.dev-sec-project.service_agents["networksecurity"].iam_email - role = "roles/privateca.certificateManager" - } - } - dev_kms_restricted_admins = [ - for sa in distinct(compact([ - var.service_accounts.data-platform-dev, - var.service_accounts.project-factory, - var.service_accounts.project-factory-dev, - var.service_accounts.project-factory-prod - ])) : "serviceAccount:${sa}" - ] } module "dev-sec-project" { 
@@ -45,17 +29,8 @@ module "dev-sec-project" { ) prefix = var.prefix billing_account = var.billing_account.id - iam = { - "roles/cloudkms.viewer" = local.dev_kms_restricted_admins - } - iam_bindings_additive = { - for member in local.dev_kms_restricted_admins : - "kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, { - member = member - }) - } - labels = { environment = "dev", team = "security" } - services = local.project_services + labels = { environment = "dev" } + services = local.project_services tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["dev"] } @@ -82,7 +57,15 @@ module "dev-cas" { iam_bindings = each.value.iam_bindings iam_bindings_additive = ( contains(var.ngfw_tls_configs.keys.dev.cas, each.key) - ? merge(local.ngfw_dev_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive) + ? merge( + { + nsec_agent = { + member = module.dev-sec-project.service_agents["networksecurity"].iam_email + role = "roles/privateca.certificateManager" + } + }, + each.value.iam_bindings_additive + ) : each.value.iam_bindings_additive ) iam_by_principals = each.value.iam_by_principals diff --git a/fast/stages/2-security/core-prod.tf b/fast/stages/2-security/core-prod.tf index bedf89b8a9..e670c28f05 100644 --- a/fast/stages/2-security/core-prod.tf +++ b/fast/stages/2-security/core-prod.tf 
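Review bot: Dropping `iam` and `iam_bindings_additive` from `dev-sec-project` removes the only binding visible in this stage that limited what the automation service accounts could grant on keys: `roles/cloudkms.admin` conditioned on `modifiedGrantsByRole` containing only the two `cryptoKeyEncrypterDecrypter` roles. The same removal is made in `prod-sec-project` (core-prod.tf), and the template itself is deleted from main.tf. Nothing in these hunks shows where the replacement grant lives. If it now comes from the stage 3 `stage2_iam.security` settings in 1-resman, confirm that it keeps an equivalent condition rather than an unconditioned admin role, and record that in a comment such as `# KMS delegated grants for stage 3 service accounts are managed in 1-resman`. The module body continues outside the hunk.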
@@ -15,49 +15,22 @@ */ locals { - # Extract NGFW locations from prod CAS ngfw_prod_locations = toset([ - for k, v in var.cas_configs.prod - : v.location + for k, v in var.cas_configs.prod : v.location if contains(var.ngfw_tls_configs.keys.prod.cas, k) ]) - ngfw_prod_sa_agent_cas_iam_bindings_additive = { - nsec_prod_agent_sa_binding = { - member = module.prod-sec-project.service_agents["networksecurity"].iam_email - role = "roles/privateca.certificateManager" - } - } - prod_kms_restricted_admins = [ - for sa in distinct(compact([ - var.service_accounts.data-platform-prod, - var.service_accounts.project-factory, - var.service_accounts.project-factory-prod - ])) : "serviceAccount:${sa}" - ] } module "prod-sec-project" { source = "../../../modules/project" name = "prod-sec-core-0" - # tflint barfs on coalesce - parent = ( - var.folder_ids.security-prod != null - ? var.folder_ids.security-prod - : var.folder_ids.security + parent = coalesce( + var.folder_ids.security-prod, var.folder_ids.security ) prefix = var.prefix billing_account = var.billing_account.id - iam = { - "roles/cloudkms.viewer" = local.prod_kms_restricted_admins - } - iam_bindings_additive = { - for member in local.prod_kms_restricted_admins : - "kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, { - member = member - }) - } - labels = { environment = "prod", team = "security" } - services = local.project_services + labels = { environment = "prod" } + services = local.project_services tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["prod"] } 
@@ -84,7 +57,15 @@ module "prod-cas" { iam_bindings = each.value.iam_bindings iam_bindings_additive = ( contains(var.ngfw_tls_configs.keys.prod.cas, each.key) - ? merge(local.ngfw_prod_sa_agent_cas_iam_bindings_additive, each.value.iam_bindings_additive) + ? merge( + { + nsec_agent = { + member = module.prod-sec-project.service_agents["networksecurity"].iam_email + role = "roles/privateca.certificateManager" + } + }, + each.value.iam_bindings_additive + ) : each.value.iam_bindings_additive ) iam_by_principals = each.value.iam_by_principals diff --git a/fast/stages/2-security/main.tf b/fast/stages/2-security/main.tf index f2334da05c..5c23033531 100644 --- a/fast/stages/2-security/main.tf +++ b/fast/stages/2-security/main.tf @@ -16,27 +16,10 @@ locals { env_tag_values = { - for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + for k, v in var.environment_names : + k => var.tag_values["environment/${v}"] } has_env_folders = var.folder_ids.security-dev != null - # additive IAM binding for delegated KMS admins - kms_restricted_admin_template = { - role = "roles/cloudkms.admin" - condition = { - title = "kms_sa_delegated_grants" - description = "Automation service account delegated grants." - expression = format( - <<-EOT - api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s]) && - resource.type == 'cloudkms.googleapis.com/CryptoKey' - EOT - , join(",", formatlist("'%s'", [ - "roles/cloudkms.cryptoKeyEncrypterDecrypter", - "roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation" - ])) - ) - } - } # list of locations with keys kms_locations = distinct(flatten([ for k, v in var.kms_keys : v.locations diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf index 43e89936bd..a15d912359 100644 --- a/fast/stages/2-security/variables-fast.tf +++ b/fast/stages/2-security/variables-fast.tf 
@@ -64,20 +64,6 @@ variable "prefix" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts that can assign the encrypt/decrypt roles on keys." - type = object({ - data-platform-dev = string - data-platform-prod = string - nsec = string - nsec-r = string - project-factory = string - project-factory-dev = string - project-factory-prod = string - }) -} - variable "tag_values" { # tfdoc:variable:source 1-resman description = "Root-level tag values." diff --git a/fast/stages/2-security/variables.tf b/fast/stages/2-security/variables.tf index e4c3a3623a..b13967c0dd 100644 --- a/fast/stages/2-security/variables.tf +++ b/fast/stages/2-security/variables.tf @@ -14,7 +14,6 @@ * limitations under the License. */ -# Refer variable "cas_configs" { description = "The CAS CAs to add to each environment." type = object({ diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml index cbb28d7033..13752c5cf3 100644 --- a/tests/fast/stages/s2_security/simple.yaml +++ b/tests/fast/stages/s2_security/simple.yaml @@ -1,17 +1,3 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - values: google_storage_bucket_object.tfvars: bucket: test @@ -30,6 +16,7 @@ values: timeouts: null module.dev-sec-kms["europe"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute 
@@ -38,6 +25,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.dev-sec-kms["europe"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: @@ -52,6 +40,7 @@ values: timeouts: null module.dev-sec-kms["europe-west1"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -60,6 +49,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.dev-sec-kms["europe-west1"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: @@ -74,6 +64,7 @@ values: timeouts: null module.dev-sec-kms["europe-west3"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -82,6 +73,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.dev-sec-kms["europe-west3"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: @@ -96,6 +88,7 @@ values: timeouts: null module.dev-sec-kms["global"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -104,6 +97,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.dev-sec-kms["global"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: 
@@ -122,36 +116,18 @@ values: deletion_policy: DELETE effective_labels: environment: dev - team: security + goog-terraform-provisioned: 'true' + folder_id: '12345678' labels: environment: dev - team: security name: fast-dev-sec-core-0 org_id: null project_id: fast-dev-sec-core-0 + tags: null terraform_labels: environment: dev - team: security + goog-terraform-provisioned: 'true' timeouts: null - module.dev-sec-project.google_project_iam_binding.authoritative["roles/cloudkms.viewer"]: - condition: [] - members: - - serviceAccount:foobar@iam.gserviceaccount.com - project: fast-dev-sec-core-0 - role: roles/cloudkms.viewer - ? module.dev-sec-project.google_project_iam_member.bindings["kms_restricted_admin.serviceAccount:foobar@iam.gserviceaccount.com"] - : condition: - - description: Automation service account delegated grants. - expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/cloudkms.cryptoKeyEncrypterDecrypter'',''roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation'']) - && - - resource.type == ''cloudkms.googleapis.com/CryptoKey'' - - ' - title: kms_sa_delegated_grants - member: serviceAccount:foobar@iam.gserviceaccount.com - project: fast-dev-sec-core-0 - role: roles/cloudkms.admin module.dev-sec-project.google_project_iam_member.service_agents["certificatemanager"]: condition: [] project: fast-dev-sec-core-0 
@@ -230,14 +206,19 @@ values: project: fast-dev-sec-core-0 service: secretmanager.googleapis.com timeouts: null + module.dev-sec-project.google_tags_tag_binding.binding["environment"]: + tag_value: tagValues/12345 + timeouts: null module.folder.google_essential_contacts_contact.contact["gcp-security-admins@fast.example.com"]: email: gcp-security-admins@fast.example.com language_tag: en notification_category_subscriptions: - ALL + parent: folders/12345678 timeouts: null module.prod-sec-kms["europe"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -246,6 +227,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.prod-sec-kms["europe"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: @@ -260,6 +242,7 @@ values: timeouts: null module.prod-sec-kms["europe-west1"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -268,6 +251,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.prod-sec-kms["europe-west1"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: @@ -282,6 +266,7 @@ values: timeouts: null module.prod-sec-kms["europe-west3"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -290,6 +275,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.prod-sec-kms["europe-west3"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: 
@@ -304,6 +290,7 @@ values: timeouts: null module.prod-sec-kms["global"].google_kms_crypto_key.default["compute"]: effective_labels: + goog-terraform-provisioned: 'true' service: compute labels: service: compute @@ -312,6 +299,7 @@ values: rotation_period: 7776000s skip_initial_version_creation: false terraform_labels: + goog-terraform-provisioned: 'true' service: compute timeouts: null module.prod-sec-kms["global"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: @@ -330,36 +318,18 @@ values: deletion_policy: DELETE effective_labels: environment: prod - team: security + goog-terraform-provisioned: 'true' + folder_id: '12345678' labels: environment: prod - team: security name: fast-prod-sec-core-0 org_id: null project_id: fast-prod-sec-core-0 + tags: null terraform_labels: environment: prod - team: security + goog-terraform-provisioned: 'true' timeouts: null - module.prod-sec-project.google_project_iam_binding.authoritative["roles/cloudkms.viewer"]: - condition: [] - members: - - serviceAccount:foobar@iam.gserviceaccount.com - project: fast-prod-sec-core-0 - role: roles/cloudkms.viewer - ? module.prod-sec-project.google_project_iam_member.bindings["kms_restricted_admin.serviceAccount:foobar@iam.gserviceaccount.com"] - : condition: - - description: Automation service account delegated grants. - expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/cloudkms.cryptoKeyEncrypterDecrypter'',''roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation'']) - && - - resource.type == ''cloudkms.googleapis.com/CryptoKey'' - - ' - title: kms_sa_delegated_grants - member: serviceAccount:foobar@iam.gserviceaccount.com - project: fast-prod-sec-core-0 - role: roles/cloudkms.admin module.prod-sec-project.google_project_iam_member.service_agents["certificatemanager"]: condition: [] project: fast-prod-sec-core-0 
@@ -438,6 +408,9 @@ values: project: fast-prod-sec-core-0 service: secretmanager.googleapis.com timeouts: null + module.prod-sec-project.google_tags_tag_binding.binding["environment"]: + tag_value: tagValues/12346 + timeouts: null counts: google_essential_contacts_contact: 1 @@ -445,11 +418,10 @@ counts: google_kms_crypto_key_iam_binding: 8 google_kms_key_ring: 8 google_project: 2 - google_project_iam_binding: 2 - google_project_iam_member: 8 + google_project_iam_member: 6 google_project_service: 14 google_project_service_identity: 12 google_storage_bucket_object: 1 google_tags_tag_binding: 2 modules: 11 - resources: 66 + resources: 62 From 3595737c72d0689038ff5e303090a7ef5eff926d Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 19 Oct 2024 10:45:27 +0200 Subject: [PATCH 48/94] boilerplate --- tests/fast/stages/s2_security/simple.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml index 13752c5cf3..3238533a68 100644 --- a/tests/fast/stages/s2_security/simple.yaml +++ b/tests/fast/stages/s2_security/simple.yaml @@ -1,3 +1,17 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + values: google_storage_bucket_object.tfvars: bucket: test From afc000ae925d58e27fd3a70b9960607fc1138b29 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sat, 19 Oct 2024 10:54:18 +0200 Subject: [PATCH 49/94] fix inventory --- tests/fast/stages/s2_security/simple.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml index 3238533a68..51a1309b3a 100644 --- a/tests/fast/stages/s2_security/simple.yaml +++ b/tests/fast/stages/s2_security/simple.yaml @@ -137,7 +137,6 @@ values: name: fast-dev-sec-core-0 org_id: null project_id: fast-dev-sec-core-0 - tags: null terraform_labels: environment: dev goog-terraform-provisioned: 'true' @@ -339,7 +338,6 @@ values: name: fast-prod-sec-core-0 org_id: null project_id: fast-prod-sec-core-0 - tags: null terraform_labels: environment: prod goog-terraform-provisioned: 'true' From 9b0db0cf7fc3fd7871c08c7153c4e02c0ea25407 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 19 Oct 2024 11:29:14 +0200 Subject: [PATCH 50/94] stage envs and stage linking script --- fast/stages/0-bootstrap/.fast-stage.env | 5 ++ fast/stages/1-resman/.fast-stage.env | 5 ++ fast/stages/1-tenant-factory/.fast-stage.env | 5 ++ fast/stages/1-vpcsc/.fast-stage.env | 5 ++ .../2-networking-a-simple/.fast-stage.env | 5 ++ .../stages/2-networking-b-nva/.fast-stage.env | 5 ++ .../.fast-stage.env | 5 ++ fast/stages/2-security/.fast-stage.env | 5 ++ fast/stages/fast-links.sh | 78 +++++++++++++++++++ 9 files changed, 118 insertions(+) create mode 100644 fast/stages/0-bootstrap/.fast-stage.env create mode 100644 fast/stages/1-resman/.fast-stage.env create mode 100644 fast/stages/1-tenant-factory/.fast-stage.env create mode 100644 fast/stages/1-vpcsc/.fast-stage.env create mode 100644 fast/stages/2-networking-a-simple/.fast-stage.env create mode 100644 fast/stages/2-networking-b-nva/.fast-stage.env create mode 100644 fast/stages/2-networking-c-separate-envs/.fast-stage.env create mode 100644 fast/stages/2-security/.fast-stage.env create mode 100755 fast/stages/fast-links.sh 
diff --git a/fast/stages/0-bootstrap/.fast-stage.env b/fast/stages/0-bootstrap/.fast-stage.env
new file mode 100644
index 0000000000..a842174c34
--- /dev/null
+++ b/fast/stages/0-bootstrap/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="organization bootstrap"
+FAST_STAGE_LEVEL=0
+FAST_STAGE_NAME=bootstrap
+# FAST_STAGE_DEPS="0-globals 0-bootstrap"
+# FAST_STAGE_OPTIONAL=""
\ No newline at end of file
diff --git a/fast/stages/1-resman/.fast-stage.env b/fast/stages/1-resman/.fast-stage.env
new file mode 100644
index 0000000000..cbfceb145e
--- /dev/null
+++ b/fast/stages/1-resman/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="resource management"
+FAST_STAGE_LEVEL=1
+FAST_STAGE_NAME=resman
+FAST_STAGE_DEPS="0-globals 0-bootstrap"
+# FAST_STAGE_OPTIONAL=""
\ No newline at end of file
diff --git a/fast/stages/1-tenant-factory/.fast-stage.env b/fast/stages/1-tenant-factory/.fast-stage.env
new file mode 100644
index 0000000000..5efa6ad45b
--- /dev/null
+++ b/fast/stages/1-tenant-factory/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="tenant factory"
+FAST_STAGE_LEVEL=1
+FAST_STAGE_NAME=resman
+FAST_STAGE_DEPS="0-globals 0-bootstrap"
+# FAST_STAGE_OPTIONAL=""
\ No newline at end of file
diff --git a/fast/stages/1-vpcsc/.fast-stage.env b/fast/stages/1-vpcsc/.fast-stage.env
new file mode 100644
index 0000000000..40c84f9b63
--- /dev/null
+++ b/fast/stages/1-vpcsc/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="vpc service controls"
+FAST_STAGE_LEVEL=1
+FAST_STAGE_NAME=vpcsc
+FAST_STAGE_DEPS="0-globals 0-bootstrap"
+# FAST_STAGE_OPTIONAL=""
\ No newline at end of file
diff --git a/fast/stages/2-networking-a-simple/.fast-stage.env b/fast/stages/2-networking-a-simple/.fast-stage.env
new file mode 100644
index 0000000000..592fb344af
--- /dev/null
+++ b/fast/stages/2-networking-a-simple/.fast-stage.env
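Review bot: `fast/stages/1-tenant-factory/.fast-stage.env` sets `FAST_STAGE_NAME=resman` while its description is "tenant factory", which looks like a copy-paste from the 1-resman file. If the linking script keys provider or tfvars file names on this value, the tenant factory would resolve to resman's files, including its provider configuration; the script body is not readable on this page, so that consequence is inferred. The line should probably match the directory name, e.g. `FAST_STAGE_NAME=tenant-factory`.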
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="networking (simple)"
+FAST_STAGE_LEVEL=2
+FAST_STAGE_NAME=networking
+FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
+FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
diff --git a/fast/stages/2-networking-b-nva/.fast-stage.env b/fast/stages/2-networking-b-nva/.fast-stage.env
new file mode 100644
index 0000000000..3e8057f51b
--- /dev/null
+++ b/fast/stages/2-networking-b-nva/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="networking (nva)"
+FAST_STAGE_LEVEL=2
+FAST_STAGE_NAME=networking
+FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
+FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
diff --git a/fast/stages/2-networking-c-separate-envs/.fast-stage.env b/fast/stages/2-networking-c-separate-envs/.fast-stage.env
new file mode 100644
index 0000000000..0c1d6b578d
--- /dev/null
+++ b/fast/stages/2-networking-c-separate-envs/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="networking (separate environments)"
+FAST_STAGE_LEVEL=2
+FAST_STAGE_NAME=networking
+FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
+FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
diff --git a/fast/stages/2-security/.fast-stage.env b/fast/stages/2-security/.fast-stage.env
new file mode 100644
index 0000000000..d174c2162d
--- /dev/null
+++ b/fast/stages/2-security/.fast-stage.env
@@ -0,0 +1,5 @@
+FAST_STAGE_DESCRIPTION="security"
+FAST_STAGE_LEVEL=2
+FAST_STAGE_NAME=security
+FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman"
+FAST_STAGE_OPTIONAL="2-nsec"
\ No newline at end of file
diff --git a/fast/stages/fast-links.sh b/fast/stages/fast-links.sh
new file mode 100755
index 0000000000..257f709b09
--- /dev/null
+++ b/fast/stages/fast-links.sh
@@ -0,0 +1,78 @@ +#!/bin/bash +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ $# -eq 0 ]; then + echo "Error: no folder or GCS bucket specified. Use -h or --help for usage." + exit 1 +fi + +if [[ "$1" == "-h" || "$1" == "--help" ]]; then + cat < Date: Mon, 21 Oct 2024 07:31:27 +0200 Subject: [PATCH 51/94] initial work on resman docs, update diagram, improve teams folder --- fast/stages/1-resman/README.md | 35 ++++++++++++------ .../data/top-level-folders/teams.yaml | 6 +++ fast/stages/1-resman/diagram.png | Bin 184125 -> 134531 bytes fast/stages/diagrams.excalidraw.gz | Bin 82884 -> 95456 bytes tests/fast/stages/s1_resman/simple.yaml | 4 +- 5 files changed, 31 insertions(+), 14 deletions(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 3819f02d18..21318c5a5b 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -1,12 +1,12 @@ # Resource hierarchy -This stage manages the upper part of the resource management hierarchy, and decouples later stages (networking, etc.) from the organization by managing their prerequisite resources. +This stage manages the upper part of the resource management hierarchy, and decouples later stages (networking, etc.) from the organization via folders, IaC resources and IAM bindings. The complete hierarchy is not managed here, as considerations on departments, teams, and applications are too granular and best managed via the [project factory](../2-project-factory/), which this stage enables. As many other parts of FAST, this stage implements several factories that allow simplified management and operations of recurring sets of resources. -The following diagram is a high level reference of the resources created and managed here: +The following diagram is a high level reference of the resources created and managed here, and gives an initial representation of its three main configuration elements: top-level folders, FAST stage 2s and stage 3s.

Resource-management diagram 
@@ -38,25 +38,38 @@ The following diagram is a high level reference of the resources created and man ## Design overview and choices -This stage implements the basics of a design that we've seen working well for a variety of customers, where the hierarchy is laid out following two conceptually different approaches: +This stage is designed to offer a good amount of flexibility in designing the organizational hierarchy, while still providing a default approach that we've seen working well for a variety of customers where the hierarchy is logically split in two different areas: -- core or shared resources (e.g. Networking) are grouped in top-level folders which map to their type or purpose, simplifying centralized management by dedicated operations teams -- team or application resources are grouped under one or more top-level "teams" folders, and typically host managed services (storage, etc.) where individual teams have access +- core or shared resources (e.g. Networking) are grouped in dedicated top-level folders, which allow centralized management by dedicated teams +- team or application resources are grouped under one or more top-level "teams" folders, and typically host managed services (storage, etc.) which centralize access and billing for each individual team or application This split approach usually allow concise mapping of functional and operational patterns to IAM roles and GCP-specific constructs: - core services are clearly separated, with very few touchpoints where IAM and security policies need to be applied (typically their top-level folder) - new sets of core services (e.g. 
shared GKE clusters) are added as a unit, minimizing operational complexity -- team and application resources outside of centralized management are grouped together, providing a unified view and easy budgeting -- automation for core resources can be segregated via separate service accounts and buckets for each stage, minimizing impact perimeter +- team and application resources outside of centralized management are grouped together, providing a unified view and easy budgeting/cost-allocation +- automation for core resources can be segregated via separate service accounts and buckets for each stage, minimizing blast radius Resource names follow the FAST convention discussed in the [Bootstrap stage documentation](../0-bootstrap/README.md#naming). -### Resource management primitives +## Resource management primitives -This stage is not designed to allow free-form hierarchy design, as in our experience that is seldom conducive to a functionally and operationally optimal GCP organization. What this stage exposes instead is a set of primitives that you can use with in their predefined configuration, or configure to suit your needs while still keeping with our general approach to resource management. +This stage allows a certain degree of free-form hierarchy design, contstraining it via a set of primitives that implement specific FAST functionality. -## Stage 2 +### Top-level folders + +Top-level folders, as indicated by their name, are folders directly attached to the organization that can be freely defined via Terraform variables or factory YAML files. They represent a node in the organization, which can be used to partition the hierarchy via IAM or tag bindings, and to implement separate automation stages via their optional IaC resources. 
+ +Top-level folders support the full interface of the [folder module](../../../modules/folder/), and can fit in the FAST design in different ways: + +- as supporting folders for the project factory, by granting high level permissions to its service accounts via IAM and tag bindings (see the ["Teams" example in the data folder](./data/top-level-folders/teams.yaml)) +- as hierarchy and IAM grouping nodes for environment-specific stage 3 folder (see the ["GCVE" example in the data folder](./data/top-level-folders/gcve.yaml)) +- as standalone folders to support custom usage, with or without associated IaC resources (see the ["Sandbox" exanple in the data folder](./data/top-level-folders/sandbox.yaml)) +- as grouping nodes for all stage 2, for example via a "Shared Services" top-level folder configured set as the `folder_config.parent_id` attribute for networking and security stages + +Top-level folders support context-based expansion for service accounts and organization-level tags, which can be referenced by name (e.g. `project-factory` to refer to the project factory service accounts). This allows writing portable organization-independent YAML that can be shared across different FAST installations. + +### Stage 2 FAST stage 2s implement core infrastructure or services which are shared across the organization, and are directly supported here via a fixed set that includes the networking stage, the security stage, and the org-wide hierarchy and project factory. @@ -66,8 +79,6 @@ Configuration of these stages is via the `fast_stage2` variable, which is set by ## Stage 3 -## Top-level folders - ## Project factory Top-level folders for teams or departments can be easily created via the `top_level_folders` variable or the associated factory, which expose the full power of the underlying [folder module](../../../modules/folder/). 
diff --git a/fast/stages/1-resman/data/top-level-folders/teams.yaml b/fast/stages/1-resman/data/top-level-folders/teams.yaml index c9942fdd50..6b593b9f40 100644 --- a/fast/stages/1-resman/data/top-level-folders/teams.yaml +++ b/fast/stages/1-resman/data/top-level-folders/teams.yaml @@ -29,6 +29,12 @@ iam: - project-factory "service_project_network_admin": - project-factory + "roles/viewer": + - project-factory-r + "roles/resourcemanager.folderViewer": + - project-factory-r + "roles/resourcemanager.tagViewer": + - project-factory-r # don't create a context tag since this uses the pf tag is_fast_context: false tag_bindings: 
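Review bot: The new `"roles/viewer"` binding for `project-factory-r` in the teams.yaml hunk is a basic role, so that principal gets read access across nearly every service under the Teams folder rather than only the metadata it needs. If this identity is the read-only counterpart of `project-factory` (inferred from the `-r` suffix, which the hunk does not explain), say so next to the binding, e.g. `# read-only identity: broad viewer access is intentional, used for plan only`. Otherwise prefer narrower predefined viewer roles alongside the `roles/resourcemanager.folderViewer` and `roles/resourcemanager.tagViewer` entries already added here. The `iam:` mapping begins above the hunk, so existing bindings for the same principal are not visible from this change.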
diff --git a/fast/stages/1-resman/diagram.png b/fast/stages/1-resman/diagram.png index 4351088a84647ef72f0920f075e955b55ee797b2..8d3d9665ea9da81bc9b4f0d0748dd117ba3d94bc 100644 GIT binary patch literal 134531 zcmeFZhg;A8`##)W(vo)C3yF5o-b6zv4Izbw_M}p2Dh<-0U5X+~+8c!^BJCk9EiIMC z?|k`uzu(_||BmB#9QPk^zmE68TjTY5J|B!=ew{m3;*M8r#^r>SP*{b0Jr$3p+_c6~rkE)$Jj zmPw*<;`^6**JE!`Uuun?e!6M9Pd)x+lwn-1mM-hpQ~X*{HStGtEmMtqUR_C9+x)%0 zIZ(Iwu;7qXk+;(J#G!{i>23py%5#4d#$QGicRSFiF_8WDf5eQAb9B5^LI3q%ivjh~ z&j0xr6+f-0k--1_GyGtNX7vC5*~UO7ng9Mhsvs)T|Nj^NKQGS6Og}MU3)UhINlQE2 zUknWmEqm|7Ncd7_@PAfSI%@n=`YSKie_M5hr~Mb_e{UI?S_rYw)&JQ+GDeEK`Tu_P z-w$ZA8D?q!@BKZm8o}{@|HZ`^_ki7YMEIRMb-v42Jv==8yvWpg z!n3lnmVb5WXlj;v>2QqWe^X^0-@SitKNqvXqqv&E_wVyJ8cX9eH#h(O38tjCwXg!NamzYO z%gf92^47n8om+EwAz)%CIP~A~UD)wOo9Sg;U0qex-+TMcOmN=2ckkbOo;Y!$>#3#R z`jVKIk%MeiVd3qpe0*l9R~5`oalW`OnVPeU`g=`EqGncK|;J2SW3zop})qVFm7WoZeMk&&5ymX>B^p0+7M(%kqd zUF9UR5I=v`lPA3cN>>jZQBwN5{7c8^Ze}Lm9b0Uey#I#$bvhavS2s6O9`6|2-ZIB* z(Y<^3MrP$NExDVUn+F60*x8K_)cCy`yQ6xRF{VmWCtIQa@5&5kNM+!ho{33k&rAE` z`ufw;(}F@mz2#@p($db=`Fps!j?^&4jal22H4xAVe z&{KcGrxE&Z&6=B=TU6D)S740`3myFaJh>#gZ{Oebcd@-S=GuCm*fM>i$sularf!>${w?@*d@->F&kJFOP7}hdh5z zeSL!89m`o_b#J#8YP`U_p7WnmpxfJ>|MlzF8#itY&lCl0Z}AERDY0Z;bZ{ul$T)bp zoi{S;&24sp0|&PDAh&=!ootO@ABijckkxr z3f0uyyxB0_T_P4KDJ8{;vzsDgPqSl3L*wA9YlEk^j*A;$PrSY5%TIqyI+T6s&IZo* zH+k0`Bv0QrMie@#x>f2h=@p)OD7EBT9%=~Q9y}QtHCXMF;B`?r0jtKr$QYN9ARsJ!+Q=yG?p?Bvk*7|b z+PQP*ewHVhndj>RiE$wIC|~zZ-3XGs@Ht0sUhU+`#g7jUlTy%Lp4;=1&BeuqD<-d_ zqhoHM#=P7)Gb@X~TX%#ce7vltMrrhj3UUq7m{?@ij<4>N*OZi$&Ye3aB_*|M*RIH{ z*}e+W^SvsJu@C7Mo^I~faZ;-JweZ{tlgr#jWwAUcjh&82mu={3jmCEYl|Jo3&N6%{^yf5_GReS4&(*ohsA-6Nx- zRIabiZ*Bgi=TWw?we{azzsKX%jDK(`xQ-4tg%y4K;%VENZ#2_?D^XBDAoxJ^=-Ai+ zvllr}pUw^jY%eb^3MfC}^$w4SaA^?_*jzqy{CL}cGIM@Wk&@e({`Z00W30YXyLaz4 zF!=QQ$J>+4FI|3UBgmnGPy7P5E;YLORZ#O+GMWd8BtX&2v|NIFQI zciF~f^!dfNA)@=lCo&q2PPhEHjW8+Qi!+C_kSBT-3Aw-0!+vg-x8>9E!^b!#Cnx{R z4bs!n;*|gF&^I=Ifm6w>B_=AWtEU$cPIv*H$fhbe57o;~OMKqHu(&7|In|L(xv?XL 
zf>}#QM8y2;Sw%&~Mo%glN0ZCXOG`g|{J65b?BU|V$Mo{S11=rHy)YOdXEQT0{&vg# z%;$PdRW&dv$rQ0qRsT@YBR(OaxAw;0iH>aZ(H4|Dz2nD=9zUMyEJ%3y@@0FNqgh5m zUsq``k+F-^@rk~=S^OZg7Pq|f(6=IUDB(&*V= zy|13VdiAQNX0ys`ZewF3TyrP!%JH?@t+{~h#pUJPPhr~Tj~_n{dN=kcNujm1_1a+V zExNbO&9Tw=2bcKUJ3JDx6R8g#Jh*@VenLXi-Nhui9WrO5M)uvrK#T_z%_J z%sqBrT}XG-s~$mu^7ZZ=jlJVSo|4cMihDh!k&zK8DJilGUQDtUhK58;FKcVJ4EUIT zH+4Nb*VNdUcEpF|S>2PhmpS5*2S>-?QfC z33i;6gc7RYDrk~=^5jWQSqIZ&+-6A7Iy!cvEpZy5v}VQDH;enPo#&;mXy>UtIz7e_%sK|@2+=VGCfMN8}8UR6}&n0@O7nd4xON9ONMYBfa?2U$N9PQwGz zN=p6TzI_`U9PI9{NZxBi#mZkHzSi*e?KtuQ9UYy0*VCC|tpjn1ufKd*#Ki!8tZEJ& z#~H$k4A$PLN=q96u6Yx~{rGmHP#etPxdp z2qh%EiIL+cPQ=`~WAG#`rPYRonHj;qJkb%XgHc5V&Y>{}(y``*+jtjg~*|XNd|3 z2rS&ETdfKW3mYFF-?wky9qz-YwX|;e{Ygq12^HO2!;?T%PbDQJ3y5W(LBtE9+&ZQ5mZmcaDq#Z#H88VXhdY>qc z1(B1KtaSZJ(@hn@>F>>*`Q}~*Nx+pWVynDF(H~7)nCqYC78Vxf%c7XSDoX^JUq3|yu$kS|`oP(7fQEADi40&^fHgEh53-mHa zxSTq*`)Fq!DKdm%9@%2jR_w~%{OH@aM}GWB^?f8_%XKr-;d!@%m)D;!j||S3n8ZdW zh!`j%UuUo6qngNF8?dpniwX}H6%|!w%p0q>EtzClM)^8+?0tAR)dgmL<#gc1UBdd8 z$0ogtuY3`X%p!zhT>6Cz7X)--9vt?XjoiIY{%m4mVoFj{yGD22jlW})lRn#91ibys zqQW@5M1%1PMQ~<8fu1C1u)6!gXlwK=$qCJfhzOhaxF|yAk&yV*u>cf;lPj|Q=FOYD z+}r|`yo`*ze59;HA_`f}uV1&dwc&6Yq}%c+UpKA2uAnzao>dzh+|*y?#m&V9{Go9+ zXw>%7rF+TAda_rqUZtR<<#2J;_dBCi?`{1aS6K{ zRw3uV;VmST`_jHklI`|QQc78!2YI42G5h!Jv$wV;(g}Ui`Y8@k;s1L?i-(7YVH>cy z^Xu2~j}NPCTA74|gks(}$o3-g8gK2mb?X*CKfm3_2brQ*8-mEyOE0+WPtazP48wH)4*y;KyWdQDLEIa&ZpyL$-J?lVs<%n%w#jR>a&x1aAf z_&hy58yXs(K7Cqe>=7TMasB#{>erU#&gXkduK@0XEVaFVFC`;W7AtZDEYbr+}3Sx`3+S2%=F(s7k&3G^J;tMQ}4Gq59cP2?Abd%wwD38 z_OR#l>RjEnd|6mXh^eWm^CL1ZFE16pmHn1;B$0|vO~P^xvWNHY-!Cici9EPOnx=fi zck**CU=C%)I_fDOAK&QE4wn6<#nuhwEO0uIe+ZntHnIygVFF8QTwRF^R*&!w9F@&VrLT@3^QzWOZUvilmej zS1xfCm4L60PiZEGj(X|~F9KR4YYqv~9ZmH3_3fs7f04NyH#fK8>~(~=oSYZ#%5P=* zW{euS1Ji9X$`DS5q;9^M1klPj0UdXDcdV(V(cQ2x$_jlzTcrFnm4MpXTK_+@{d#AB zCQ=go6pV>*5L1o29X!vT?NQm@_%Sl_;>O<<@Z>LdDsKGs z1P=Y|inn0avaIv(@9t(N=~<)Ht}^nQMksa_nZI?h6BQHd21!Fs&}Wj8Dk&~LXdDgz?Bu$K#q$f~V$xc3X&Fp1VdV87L?~3CC!iAtFJ_J?8l6JSa4EWn 
zS630C^v=%C?%A^k%)YFwEYCiLgFu^NVq!Gq$ks_-FzuwJEoT)_38tN;U!nj;Q}SD} zd2UKgO^r$x+?4{%<=VH2jC=NQD2bXPhmFi`7M3(c4lQhKOC9bU?8Ehv5PAW>UYa&mWjrbbtx*-2B=a)<60et%}E$4}@!s9C$4Us6&M z!C+-<%&+;~WFI3t`x+t?_mQdDKN9_niE#l*Qg(Em6G5$FA|iHI zu2fv^fUc8;W$&-?W9^hX7**d!@6MuGPXzwB=ZLqpt*tieBfT7rsMYVzTo<#wizqDTkN7Q52?+?C#Kz+#BJ$@gPeA=u{;|_e5sC*6eC+G1uBk^aRob zSabhA>y3*(K5GD2%GXy_jhK^)X?N}{Dk_57pe4B75KI|77Yc0xIUIYlgN6owB5HMS zYo82$Q^T~mx!FKZvh|b2X^qQ<=?0~(TqVnk%*ZjXUWNC+S;KJ5v>mo zd*PQvCeBB6$)&d*o>;#`r8C8=`f|qu|03dwiHYS+4aKLL$H}fJ3r!)V26o%@mAjx? zj8Yu3|F++GAxGuY*4E!^RNF{Z1DP6OEeW)m?{HU@kiD_gcQR1AkQ=fc% z5{K@wW4#q_B9o8P(|L3|S5{VzCGIEYF}ZeauCYy6x_xF-6WIR)E-Oh-AfWT26YgN7_dCG`|_XH z&CRx-()yt>5YY72hJujLtyUXhK|w=ifQAF*>y-3+$c}UB_S7#;egUN5VP-Z#Av$@I z^n$UeDcfcKk7-KBUj1B|>FsK56$9iI5YW)m6B818{pJk??UrDop0@TIkowvFs-;#6 z%JT==Kqnw&2K~C=KC!U zS~@;KLGgCok#eLEzlZ(H%*@OnH8wO%lDtF^-9Sb_qfVb@;gXe?FLxXND5yrHWrXuD zc=LXO@bMndlShvpJ$z_+;R65f+e3S#%kMw}7^wM+Lw#N-i0b%hekIOm)nMAQL@l;& zhdZFtlzIQYFrRM+!DD46dvJ5&3B8*CE@>H=hYue{M@J9mDc)Fj4}Tq)LkpA%ECapQ z>gCn1Wsbcex?EoviG<``!qm>Pc-y#r*lGBSlaq7&=TFDJ@{Ym5bM1yCS)4z={GwSn zN>h5Qmx#U{Hy58qaYd{}iB+U(NJ23U04~w~1bhm~iN=-VIbD%u6-$~B76$}rv=>`Q zMnQp{?CI}+`1*oUz}Aud`)O|BhD*U%tU?yGR4v^l%}3fz|=gq@YuYh~IDOg2{P z_3PJ@YVl-9wOa{)4<+jtOMynECMDHtTUz!5R^LxdMCvZGD1+EVM8)n?&hm zW+qEiz2Fg&KWUV$EyF<%NJP<)PtedMlQTSha9w6*$#?IXn3ymxjowk&;;jng4{Wmq zeoASu4lGpw;u;ybASWkh+!0B4WL$S`f+g&29F|O6K!7x14FzPLMR#JLrmCi%;+OJ3^B&rw7mvaKEN!TRQ(rKRggZa@*ppsWWhP)&5GvcI;s8=g6Xqah|H22B)i zDx^bn=+0~i1%)}o2b9lUtgIpu66a2zrtq{(QdlAuDX2px(LZ-dQx056C&u9Ej}p62 z);jARqk-WWK|T4zK=`rwI?)_J7-BDKva(1Xu#W!xi7&halq)RUADIOeN@0NwsxbN# zf2OUjrI*lKCtQr)&&`nBG?5A3sO^6dHH2~ z`&V88`rZwxv}>pka>ERyow;2#@NF)zHei=1xJ6R2W;JZrE#HzWI{Qae$SEb-}-UzFx)IEI~GdctvvSs9Tl%=I5DG3Q+WBuccmoJxJ zde1_qm$4RWVaWADn%JrVg#)i7ec={AT%)>R+z9W119aa8AYm%hf~oRXjMV$;TXEEj zuYot^JjXKR=Zi+Y9&t99_zKW!Ra5@yJwY!tHaAb*GA8+E0_~O}xIz4TR8-WL!?dKI zO=KK+6%{%3yMg6}111TY{Et8=i4E4_QBetZt-&droSeY7X(@sQirM`c`(Lr>>g$`F 
zJZbM=W;!d-_3c}HQ;?)RL@%xp>GR(T%>Z_P|NdRP!^aE(k+VGy*5vEw7hF}2x(!-z zf4>HF+GdsZ{!x=l}>#4VDfqpChgPM(~YXc^{1cxrx%@2`WF%H}^mL`;1rY(#^X zEWV2lN3=FP_D4$9HTN6osn4_*8@Iy%vDZoXGbQ*$DcLJV!jkB^72 zpNPLefCYY95}RntIotxZI+3&96Sgw8RO3-9CE@bTI&kyO;dMywXl~JkI?+;Q_ zkHsG(oi7~8KRZ1$7yS=__4_)Et(WBbh6g8pO9UP`V=N?O4_|3w|*wNk&wRaR8JP3sY$vCzb$uW}Z`pnMhe=7RzKr~lm z(K`cPqwV<_DG?FWBl_xcG|V6;LrzEAkowTmrqG?)_CqbHzDJMJRCMTQYddwn$So^l zvEcdiKp_Ed$iXo+Hm2QpSV7)(lh>^BB+8-Nm?D{!AR@QKW64Q1^h1ksG=+Q|3ZICQzBD~diw--OD zKxtr@t#uneQ7#ZX`X=t^Q8TlOoSYD+@-gCsR{dkg?B5A*&-NcSe1^)m4^2Lu_8#sc-U}To8!*>Q2meYoY?Wj^%CD+Rf;Wm;W0+qKcaADQ= zv$L}m1g|Dla?y|*-fB;HPQCL_+@!%spE=`JCFkes8#G^#nMr(ecL+8J z_j#?aoN){NmmnGb_EfT^kfqqWF5lYQ1Mi+Kv2BaIeS5#S_^o{(XH=?z$tH%O)qwWh zKVa#Lvje~mmf*I*weHbZe4bRZL(YSH(wBuwX=q!AILC^0E@EevWYp{RjkS`*M3%R& zfb3(BKHQV1#v?rvSYN|5OllT!U*g=#;v#sA-O1nwfOj%afq=I&0^^1 zV<`Uwxv|Pqe7nb#C2D!PTS_#$zNs3m$Y#sT(DW1Pf-2jxS7YlZ{jK_tzcsZ8y>2?T zgR1Aw)fu_eB$r4lE7yv-^nCp2gvzJs(|-U+35@yu;2=-dD=HkV*pia|VckPboUR=T z%u7^q1R&u`r{tP#6uvXoG#1gP%Oyc+NFl4DG6;CEZ{IO1D`kHEAi->s^iz(GGmuI^ zU$_#<-lsGr1OVVUoy4iJu`$%RqG!)OwX{&t(^F=1+3?)r3;J^n zePUQp^e-}2?}JXiN74QAaN{jzt%~yUz;^WDN2jOv^YNX(aDk+j2q3IjIbuUqr4y}Y zXbl+@0xHdK-^vLY1s}h?VO(xCf1k8cLRyJb=j2;K#x2WA_hF+}F5!b=*Axz3Xbx|0 zZ%3wWaAq80GzCsEHvSB$uw0_f`*%>5sIQDeCZA5|NE0j;yaOG~TH;pK-v@@I{~=G|dSFVrk+K#9n24`QLh) znjuj0G>M2)Qc|F-vdcOowZFZ-zEn_BBK2GUE?gf64<3}2%?mqB{9jFqj>E;Kh3JG) zQih?_E6U5yD;xz$7uvcv#1WgA2;%gnceNovBr{1Xn@J|2^>##r*ntD5PoGAQAoPm% zNSgeBX&~SX+HDBqSaF0>NmabtNI8OQ^EE28dy(i0D(nO7Xt8 zH`OnL_ac9ALwjeZpzR*-J{-q~f(2SBSwD_;k{Qz%h}CCMGJXV+|5@bAxNBEQX=&d} zdx9eXUEY=zP|f)A29VjlY9DBxrD%yG)<7q4OIYiJVwY@ec+=U-RqNFz$}*Cr?2y`b zlhHfJ-S`ds&nmI?cTT0Hm#jB8H&@Q7ujRt?6KO|)oS7LIiqUO3PdT|g|7S1&P?W{u zTLpL5u+-p^wdZPx;Tr@96^=g;Yml0 zefRF@9vYJgXE2?UdN~StIwx-y^dV6(CYN+v%zO0c@87>)-aE;?-ro9Cx3si$>3yP$ z`ANIBl-)2}L57L>!7xVw)c`@I+hYL~0%DP8q7`)E;zcQhAUFrQuJBxap|`iS_53qy zsayZivfoHk(*}1~Og5ox4P&uW6{MpMz&Q zC4tX_2%`H)8Np%W5Myao=U?O0uV{RY=}mP`jtwv~@?UdaKYxh{#J#s~AA#nw)w9!5 z=yq;=P|bYA^D 
zXGo#K3DhIf50uk$YI&PUv6Fcg6|P$P`h`X%MXK&I zJcoR-$2X0rSrCB*RIAAkGGz@YXr=FZ9h<>A&UqPGC$jE># zF)1ktTst)-Mcs0rD9a5*rvGCn_4+cv3~&ZFH#e{8?+ry9L*+3Ww1xTk6X>&ZadU%p zznyWJ*SLG{9^cvJwp6)ljV_2Ugnq>l2ryP`)lj@Zs0i74rThn*bW0}?s)EyLq#S5S z=%qqNe54wD#AC_?a(HhZR41a!XC06v?eP5N=8P8 z2KU>qUtboG>0+s&FAAlVZlkdPI4zj+v;NDMT?>rhYG!B89ynW?k2M0hL$MN0Aa@I8WY_w9x!Z+NHO>iqD)z<}n# zj~_oGd3dX;)}t3Z_96L8{-829?3;Lpii(Pk?3%0g_6hOv6M4d@y!axR300>azmc1F zri%A`pw$kRcQy~uPki6DWsbqa1mW2-^ zc8LqSHu%NF^v=k|cAK6){pRqcl=d$Y3JTqC-i$%Lntzs_o(@BfwKZ=m-Iw-uReJYV zWo1sC@eO*$d3UDdz-IhdeBCwvC~UZs*aN zqsxwv0>DZT&nRBw+t0GY_!KGBb~NJ+9XZe_hT7vFvtN{;F@gAjC|+e_r+tGH4~^b@ z>NfBIdFaYBM^t`+P zb2tSF=b-nM0b&{82io}&y04wLQHXCTqepZZc^gRWgn_~MrqmiSZOh|r9%tu0ItRqX z39hE&$Hn*V9ohN@lggVn+NVx=psd+k1eS%T-O;hA{oxWEt~m41t2g{00Rp$FhAl5G zp^G;e4C+dGhz@CZ&!G#=_-j>#aZ^#f^4j_(NU$4ay;;OXU`!y8}G3jNP^Ka_VFK`KM>hLwo3Cfl{d}GY zwKo7Yi@Cp@xN)N`^)z zY_}}E2lJSin1)U{elI=`Rv;V=L`+q+z4>Rb&+oZu;g7d>60C3t09tj?m~L-p-~ety zk*UY9f(no=HZF!;ibA@v9%$U!tJrc!2t30IRj7^N+7pAJAt4)U^*pS>2!Kp8VZ7x@;Tw*@n>cw6#lDdw<8Ty;?B@^TTQNqN<%&)nA!$O`{b!p*lmd` ziSh9y37VFco1?7>U=lcY^9*R5%5YtW+jmKz>+9Es2kZx}>v7esD**p!djPzlsmED1 zFLeya<^6bZyU*H!(9#U3`H>WAxy|nmo~o)uOI*Ao6xHRhB|&5=?w-cY*G3f^WCkj)G34>co{9HEbVnw5>nEc z>1p6)kJ&zj)ktN%*u05y*{cVuRS*2+`TXph3P7hQ%_h=LMg}j=YOw+uYY9pEm9i&} z9(`+8EOdNJ25f-AXxhPv^mPKvLrx{MbdwCJXPC^($S1V zTuw_zT|G#LgOd+wSvC9K1L_RfY(FyOU6<79)!*-fT(-_Hf9x)?8y_7-3_U=hn+nc!w}f_T|XRA za=lZ#Q&WssSXh9+{Lo4Pqd0r8@SSIlra3dY+W~BF*X9BB-H|7#kJvWJ$#{|z)%?bL#W^GCzMDIb8zTgj*0*}Ndyy~!`;mns)2_=%Oz7b@f zk&R8%Fgg(Jg?Yg#6jks509sfm0fPJc`!j9cfd2DQnmRchU=u-ms^wv~sfmd@!U47s z6qT*5Erb);KfCnh*cUI5fIKc-$bxzUmp<>i(CpCbrl#NVzG$I;s0uxDs8J5lv21wp zAe(ua15V%6x1!#h{Z^3b^^YEfuubzWP~)e`mISftkz81q0l(k>uDk&FH#4II z3p?QKzB5lv&CPMBG-4vO=jw5aHwM2CE9ro^$jh6;F1kU(bUgOnJ#yvHoV%py4+Ry3 zC$EftOjr42eGqaHxKczG!;5f;7i?R%S^^e!J+-Q#nfs16k3e(f{{1-=a8J(_(7*w92&U4MmufTd~a^J$eF><s=G;d;;BIO0~ZS&QE4qB6St>74AioNVJ$f9%b7`;+_!n~k@Ny53Hf2Q zQzGp#Ffo$e5DIQ6$4CGIb8_%=iDmp~&=DGPIA9;34mC8~Y_*X++s!tV&vy<5?9!-D 
zSFA|n4_Iz0H6Px)C$w+hj*;f3F#1e~1(od$jr%k>a6C%BWa;o;;wb7FbFwM5*rG!- zGd!$j%op?$J(zK{_M3-~U<%>zl=>{089soPrLp}Z({>{hVy=0qO?N<2v*HT;M`mD zuXeB=fNB#NNi(5Q=f8>3rr@9;04B)tW~lh!<>32pyE=R?Rx7vAQvbu{`mC`k8sP!u zfz0|uiZlu}_2>*BU$~h3_0@wqY(bEX3StPi0`$w1^331OpF4u1nN39G5hisAHk0)w z>b$rYFBSlvMf8)}YnLbDJnf*?pkVTlh34kvef#cf~BYlEHkfeUY5pQ6j&82&FNrhV9Zh@t@<1ieO%ZT zU*C23^j?;hT3-kbbpk2{Sy{RP@HDAq40n_G{{7(cM=kk`f-y} zr|unyQCBLFI9F>?*wR_{TDKs)gvbZlnk5GI*x{$ddv6UgzZ6}RFBY4UmdjqBZ3%e0?|b8H6UOcAni?aGsb5?Y1KZed`@bK4muq%j`qa{uoI3c0)Y_v=PiJlHLI!V z=|T1d{~n?;fdH>Byh{-qe96&qr}h{&?jv+Pr~s&R_!DG3s6_&9S6yRHF0SdHKVL$~ zi+#(qYZsb~3=9lJ3q(}j);bU6uBG89=jQ%|kk#1Oh*=73%whN-^WslzGB7DY<`SXe z%1%g6M_8@{--Daae1D!T^OT%c;y>M}$A!*wAmGy*K;>n}zm1s;C5D z1uV2U44~K&;i^#3Af&*D2EV+stLxDdC(@+sVyddDaPLS|&~(xMeRJXY%G}^J#2}_! z=EsEW!m^re+I0=R5UT{o+y~;DQxt}Bj4x8!Qe>V$ngBk6%Lr#}Wnlrq3CT#sW9lv# zM#06;8}@3v%QA$~h4_5(DZy!yI}Y(zsAvj-o5Al)&CFoHX~hf-P%)W;j?P;cfnhax zlAk|1I*Lj^-CxC8swL=ah6xJ5_TyjAIW(BPQ$r!o9A{{tE3c@yxyF&zeJj=f-x!uP z8mzGmzd(P`2SE8;n*If&v7nDWGU~?WCfb7$#xUtoj}jdCgAfsfg>AtcmmVjoXqKm; zt=gatGu&{o)r1ylnH-CK1=@3|+k7NB|}t zVx>{txh8I27WkF>b`x2=US~(gAyLr@fCfwmf`KE1aN2G?)7RJM4aZmI@OxFh%X=G! zFNXcM7eJRB^wZPLEtn_)ZWQ(0rj3p35Lf}OUvxVFzk-R&>jInm`YKvt6yhodCFY4K z+6D*HCj`!tp}fsIJ;B@`d|cs-0%)^f6t={9xDj;`ys{uaAJTt9w)RCUt35g@x3smi z$d|fsW#ZrU7>Y2OJgn|M+sAGqdu^aP8Py;1D}=3N{X8tplPCM`M!-oMtl*5b#**l= zC;UeW-wHUfXeUOA49Ux`ZbUdr1T1(|9bIwqMy`-Fe~@tWw=!;6A7q1~;qH=>B?`0a zg`pesLpST{w$WQKcp$I#jHUpV$cW7JA|5dl-!yzM!ob-<%L!Pz=_A4_#Uy zYkT|Q!!*tcYB3n1%|(zfc=bMB9!f|KaJ+cmLqqzd+=u49*Gy$wcD=M1=tFm7RCVWF$rf_T7kVm!qf zBx-8PcXj@}@1>)|x^SdB52<3WPVQV7JO=lOexrzo3G{Y%qla8hZfTR5Bb#23xjHGx zfUyUpcXZn0?YypBnS`_ajG=_cmgDg_CoSX>x1g%lH2zAR@gEo}$q>)l4D7sJx1OG_t>9r!`d;R(r-C&K8i;jeY zsM%$&OUgBNu3>fm`70X?cCG=Z2L=Y>41G+MdscA!i+Br2A0B1^UyI%i;aFR&zV^r! zTui2unU&Q5bRE6sYX}>D0fB&-lyFCl8#gv#w9PQ3Xnu+_X?WtqQ}}WY9g1_hjl{4! 
zYk`0J`rnnd-rlORGEXdlYt^*a0<&d$#2>guRMQLmvf!0f&N z$N{IBK zgnqhme`90TYlEFKqvSoetoBsAys846S}oN}&jjcDY8&0c^E zBYNT$6(qg?gMWryH3-2n!LfPZTy6EK*H@^%i5{+%4wY}`^7G0E8VjNb`hP%;n>L?hAaxp9Sl=Q{lKB{#6W7>gwD4i zLcjgG<=wl_U0tx%LA?(g)#pMd53Xl)lR$hTA|nCcaErHjRQ6oI7snFTV2$IC0aTRY z`>i&3DhNT|{g8ABoL}53uu|Zl?S~{xN<-#GlCP-w8{|&auKn-9E8=%lFBCJ(+!{g( z=;Ji+JI{8-MLUM8)zW6wi(;b^azDrJM|_1|fZv!^xU%?kGY>Jnr5xG~)!RAl^5Z1- z1`+*-4R3;7!~y%yMw8{N}yQ6moWXk*kB`huEtkOLi^ss zhsTYWJ8QLLzX{9ACR#1Pwtv6P_Wiqe7xE5-1Trmux_O82`UFD9#l^)&8=6sNcj*!^ zIQL=CLJ!|C-snZtIw+M`eBfM4a&l@D)7^vzWPEp6!FS*{l|+}A-y}G?vLmON>hlYz zb|f_Jm>q0liGAv_&gX8JwWXko{?>^Tp{0>r9=vO4ARHDGi!e!2jV){V_%UW{4%RK$ z5Ao`Krh{ihw0zRUA=Q;cC4;|D0;ufSGkQ8Yif3~xv)l{6NXdsG{^NljKtN)VG?<^C z409&jiy9i)XU}q6$Fy3|td*G=H9M<$rv1hO>H*>a7LKxuJh6Gj@K-?ml9m?yQn&`4 zAYf~Q-SxS)j*iBZFpw26m8Z-7K=$wi1|VUPEMNmEyN@BCARAyA(v|#Vy>HNSE0)&y zg>9@Cnm#8{W@cptFY!YOgY4e?U)Mq$+`#*BV9AhQ87-SfqUcH#?5=zx0R)V@s(`+H zc!l^%R}!Sy5xAdtx|6*A56xxV%E@F@f5qP!^Pum!K>EV)^>|N z=WGNF^zczYIM*^lIdHg`$zf~#eoGsV{KkEBd zN*j#R0;2=)({;aa?3IN!?K#8z`FZ`6nFioM3ji@06>tDJe&dI`IG; zVg00oS3c*I%~;~n=FdlF!Mui&jq1~VS?K$>;8vSPO1`Y6)GR#KVyS#-N*H5Ntop&Q zeOOg{8=0F|wUt(DW<4z^0Ipcw8(J!hZg#ZOtCuewOAQkOy??q|lVO|!aL%cm%y z6+C$d9w9uJp`t?J&iV}1=Mm`Amet-aaAzS=U3_!9yY_~k-yf<;(+thc#g1$pdNnWN z2*M0d(HDVQBA?LL7r0gYxkkq!z(K=9wL^LMa{LR6Fj(Lk93_k}oDQi0Zz)Nw zbDQmVuc8ib(K}2ERmeg4D>L!CsY*?@){XsuH5RXHb1}SiVzDlHHGVhUH4%)h$ccuA zh79h{U|@>OLIwS*`0#276spK9zqjzcbhrNN?`~QaLX2n31Jr8)ndF+kzy~ zfE8_pOLB4H=P@*gF%HHu^JAM2qrjMzJ-+6RsrAd3FXPz{u6TqB9^Jq&%Z$+g!B0oz zU3Z_W87y(RK$EBvJ#q!gLA-TG9Ay6j8mZ@Z;XxL$--hJk z^AD?!+MwXVZghkk{b{)A$&`Xrjoj)1D2IY^M&=S@RTk0X0cRFWWqycCg`Tee3;P9z zi~r{NOdxj1mnF;s0Bz2%_Kl8@hy6buY*3~(MW${5l`-`y(Wwkb_VoVC(5x|EUtCsKwXwgyrnK~KRz8Tqe9|!#Xy8)ReUxO( zMhhGpg4h}z`32F56Zz%q*IR{;)nm~N`}v+#@;3kx8o3dqBx(>k$hnKqmWAF6KS?*b zYiJTQzFA#e%^S957u6r8Bt2L|IuG$&{Aj2S5&54G!-230^rNAvOOzpxWDL2R^Vg$4J@#VTZFS zz09a{OtSX8w0X-Np2Ei}GUxUSXtrgLP$7-E$R4Qm zNXb4tm~6O{m5+P}IB9@pG5TTvnuI4hnIuxw=TNI>s7~EMx`qhh?c)=-bQb5#kUII| 
z(yEB0-nSq+rEK$g5bOra?Y*EbbWs9I0fz+p`ub)G|3Q~!-417ffvK(w| zc%B13s;Hv`CX~eq&TTg_%*&!*tf|3>C#Gz!dl*`MNRfGuJqJmH@fW#{Aj@o+!f}4+ z;u|XYv)f_d_D!Eej$qae{tXqAi9of#_!1HiNHQuCG%t|a(VAnhAK^YTQ^+&G;?}Hz zKhcqH5&QtXiJgjNfhY3I(h~~Srv*<|P(yIGckR>y@z*kf_Zu|9!`Yb)b}o#eU%zn! zr{&{~F4(Ez+4)K6tnn?WaPi|YFm8yNp*?>=?p9`x{W8V`*7@^B=g!TIjeYy~)G4~p z%0tqs{xm&0S)sngXcve?7!TA1)SYh%#fPFsC;n)w!o!AO{sEm^ipKdsKk%AK{t113 zGM*F8d+4aC*U-JnASl=j`*67Ge|%ic@)VM?a|c{ttf%GCT`9<0VvT)} zoRyF14`&`iyJG&P$(u1iFM5l^lERq%X_1On_o~7}<3?+f@jLNvkkI7S8~E0}K;=i} zBL6*r2!5@5$#5I|X?p7VV{-C}qvP?%rVnwm{~l0<5q^IN;5qD;559GDOhSN;dVN$^ z7b63l@-;AFN4MJGsZ*;6xEvvy!+6*cUR+APOF*UYxvkA{-Z;>(+oq(u&uwxrU^`dz zDlm=ad!i=}$Oo_{S5)lel0SIlhy?}+LY2hDcM4v0y7(f)xys;LPbqcdD!e>MU-ir? zu(wtw9N9k)O(&(sr7TITta7wYpyeGh{j_c@9a`j_g4epUDOt*o<1^Pegco2kos4rXsBY{o;o>x^M zh6k}BctBR*hQgE^iZdRHwY{Q>q%jk!`66sP;bDr+A-3TKcot;2Qupj|9ZgTwU zI`JsdbM@0Ms^?*JAz^}~(a%l29@o-XQ`C~qShtiF&Q|Q!heL?hH;U5WM--)&cESe* zL!vTOlKFVIZ3|=2y&9Ol>i2zwge&vH@J}Cqf4;-tJD#QZv~~D&ON|{ypqQ`3vsV>j zMpD{!@GGvUe*G8QbM_y2zKRM8a_lB4CEqC9y1K4~V}Kekbm$KOhDdnf!C{4<-7$4l zO+JqJ(<7@uFB(=4=u_hJms~P?rqL=V@#eex>`gKAY`6d#7nl>N-zR7ylGClO(>xu{~Dm8 zscD885Im$tFV)Oj4+#=*WE46qcbjS4fpNo#ONZcL2U1KXgM)>I%D@^HVks$m*45(e zYUGE-pI#cH>utu>XAb|w`tam14EuJzT0<+Yc(^zdg`7`{{= zSNjwy-@Nw=s4!Q|)X|Ai0^<{aJ2z(7s}RR&Zg^}%+YPO7B>0(h_ZpOAW_xNqJ2X~<(D25eIfP;0)$$-w&LVw3Mv+K zV}uNuVlMqwcsyj-hkoE+fN8`J9a`2mQ;gkQh!mOuP>)JKUE1$5>htDIjO+ORp1TXH zF9`kG{MNADuPdAB=p3?o5eBpbO${{A*7p-{-$siHqRtaNH11}SpB8WR_1H6QQ|@TR zKX=__+qn}10_+&~<5Lu`;4+A7PwFL!gP)g(fw7e4Rynwy{Goq?0myu4fmh8m$ zB(xDCKY$lLC(R*|2@j_@$=cZE+}LtJ_Eg};@_~Q=6w&wshKpyt`RCJ)8kaqi4BHT1 zY=_3i>Pyd2wj4>>FL+*O;5QR+K1iB^!pUNVhCoQ|yz(SB_X|QlFzm+S!4dy)AZTwM zyt>6MMY_=eP#K{c1;Q-AVT@hkAr|N50j42W)@e?sEOZ3Sfl6xp3h%WPzzt~DQ5Ah8 zj6LU|Foxv`NCE<93cTZr%L8`1x$s)lwmoOVi2F)ocej>{kTBduL|8)`2dms3Am%?h zP^@h#Vt6L!=3p?|$*7;Asm1O)O+g(9=Fd8kzG@8FtDvqBc? 
z6!d>P^2?}ss&E{2k67`j5q}i2`~tNAViA|@QjBI^^W|xyy(VtNi-(XffTji#~Dn}Q2YP7q1_Tv%wBH!8Q+ z1OS2?4F%u&*+io|sNWFbl0EVmxJ2gj3-a=abdHV*{u(e#0n!CAAlgdqI0r!G3imMFAQ|x6SW6%ghfpf29Ij@4G5$ULx$&b=(((oB%(OaqIbvpJi$@K#(DR1{ z>8T)}tM&e2eW%6y*MED4N}oRc1qK40Gxj3zGT42DPtP#7UU+l3kMB&n%A7I)b+GPI z>|NMQ0Ke#}%aq8~>8S34vaY`TjdfBPHo&bu(_6Q*0Kmpg+Lrk8E9^~oeZJN2k380mIFn{*0uTM{W^pp^D(|4}S;^HyO z!+&&0Ma-Y62sy2+z%jA1A&XDS0>~AH!u0qozbSIc_5+(oKOTT_6qvkd^W&-Z_w^w} zniB+RBUUKu?FJkn;EtV|A#W@^bkj-tSjvQgMKGDWn zo!!oK&;YGFgQ!xw+ z8yuQJv``*I7tI=SgF(nq)G0WJ%3Jd?IfxTW+8`Q87aB$ ziJYcSKfF)ggQuYMyKx|scp>qWN4TGay1L08PzK6z+zWC)Mx^S!<1Z*9fT0hs|S0>JlG4BPKF2N|Iohe_AxFJAyv$7Kv5xo0IQ za1O+_*+SQZfiTPQ-=_~i&x1Gu&`2Sv2RcaLm6HH|E&2^IDKTtqvwJSkNdY5 zAystT2QP1E_p!75WiqnzP){W%CPLyItP&{yZVEg|gZ4*P$??{ifntvJAcVwmvQ4Ce z#`HS4;d%%=P2_&-xgR=`eHU^=fQQf+*^2LZehETo%o3GoaFYU5pJulAa1<+7=8l6$ z;WNOpxM0sFGS32N&~P0&`T5( zVfF0#T64iYClyTy;mcs{y;sMb;Yq35IJ=J9M$!Li0q7z`bTy%5aKt`?(gD2+YycVH zWRPFqeuJ09e|LLr>hvmgxI&ihM$-;i(97~Uq45#iVl3O4qgy`xs4{i2xd`88++~c0 zKr0Pw9PQ}dBrDPj*czw=iUY}~ayzE?$C~q+aK}NZ(IA;?v9;w&=jiBO>n#nEhV%!< z#@&z+2~lIB8oE5py4+r)rV8gft?H>5)~Rpb?!wdt{>*PW9jo<4rLZ+dM@EpSCjivJ-^IKGPZTR3a;#Me z<9>t@1df<+Hvh{QYyz_idIZM4`;+~ae!nTR>OrCeCxuG_AW^LBw_`c!&vxT6EDuaC z@o?0y&Yf^g$4)ID`VSNNR2m_M9{>~qNJRqvvm^_nZhexYhY!=x(%wB}gQ$zBdL9TN zdeH4#d6G`8^Kd}N0_YVTFp!2I<=bF?dJDo8xcK!$A4)q9im5nb=luYLBA083Mf>jE zQD_D+Q4S0gMJ&ZInQkp6#J1J~Oai0X;2#XBqedd_9&y6e8AVEFwq{@^!>v8*h7hWL zfif1P1I7S??hIl^5ysR{N=mf%tTT`s zEdj|1p@d-tQdZZ}lGo7wxLzEFJ=`f$>^Dv43egpzS^gNaQ;4ud0qVwhgv+ok0UP61J1Cc_0Z z1aMB;Iwq;($6?ZQ62lPpuE}wz1M;!tK7QiFK%i8pQY|b%D6TplU)8o>pdjyjKYaA4!9r1IhAhWRl1xh;qrZHW!Z(q;tI7B7K|JluvJCJbuJEo1 zLu8Rfy^EFA8`9m(A)FTClZOT@6(J|;o70rf z18hD=i9_ic|C^fPNFg;J{ocK!mai~O1{OO9{p1lz%?|5Qtk)UY#>DB5$fa0_&DN#Z z)2Oy&CwU_pzWnq#c@I~W{<)AHfeCtq6Xc9=e)Ia;V+CLksc3_KZ^Dk;##(#K(>TrQ z8yafe5xWn08YCA-QFVh@1L+`Snq~LInT3Ryl@S^^zgLiePeNk6JG6bO9G z74Q)T7N+{u85pyNyL*G}3~Ee$1sL!C{P82WRm)rA*x|!K=HZVwh82U02vhh7ga^7! 
zh@#Xgqh~h5VL`$RX45+tFme(k{Fniqn=>~x-A)m~dH5$VP+)neiVz+#HUuB$L3An& z=PLb|7a%HZw=F~Yiq1bsFM31I#onHBx?)`TK(`p6Yz#n1i5`L0g397D8V!txVuBeC z+6&m~4eufQJ2t5E*rc+nyBqUX5gN|CZdc&F3Ml*=G@k`8u+p%yZ{D~;E<21v5kOmU zttE2hf*Hc3rMK_d%g6kw=)Bz+qGvLHK}4}OvoCuxYBGQI^<0{}%p zRHK4}o)NCK*0#3f(_{E2u~W7AG2g=(AiDJ=L&LQLR=XEVkD%OoSx43E+c1S8t2BuV z1{lm`+?v-HP>vgDnH8F-LOyQ-!dV^09_e$edl77q8y=fKXVu?fB=ioe>H50?5TUS) zf>6@6iVAcaXn)+fAg8xtl=#k33@=&)t}_)q4e4s23NuvomEr2pjNNToU3(M&3kw_S zv$Y41^Wk9)q7<3ud3bmW7M>Ef4jLz>KN*pF+2=-KoYaV{@|A*h z_=zJ-8L~QTVyuv~lV&dz1R1`ew{AhGX zf}u)9+lWsF83-CF$kUG)*)fCrhn+01UJWoM+&cP5C4}a)v0OWH@tv&ImqtQK;9+5G zg1;X>{)W+Bm249l-$A4omiDn^D0=Q|s~F(S2k8B$FiVQ6Vhl*pm%Gz)b^bDO%9@kh zXf8dyygnY{OjN79IDBfy{yitXT|sVPVnko?A40DIlMa|Lxw?uu!a~Y@eq4TVHiF}- z5z-BWU&`EXkb7|9P$Ts~GlNY;`6X{;bQIrC1uv130wvKP-Wdg&G@#osg<#D(j7+&s z5~l!^l*|Lt1FVGSWeVsDV^Uk`*sBntP?RHoqT*fY%fdIwXDP1k!c;PW;!@H&hCtkc zeGFsMAAf$>tgs#ZH)Y9fnHqq7x@1^y4v#x9MDH) zjXFqwuNV)}8CNQ78>)k1bPs0V<^Jx%(f+qHpdtuRh z#}1ZUVO>G;A091JQ1pCDM=I*Rb7()LjUpm9&65Xvd*fwT8x7cTsz&J6{+=GACk}70 zJdk*>a+O7CwqoGg7cpd!b%30H2bm$6PnF=|B>pIBIy&>G&U;R(K&6T=2<=dmy}ZS- zqp}x0q)S(#xu6e{%67^JsM~-N0gx2C-y;sj7L9viMh0wLhBDcRF#_0Upu-4aT_VR| zDZu2W)(Fe*Zl7Lm3x9!7iIVt{X|*`;mHsZGSb+mCrV8;IR9f>0w8uHz6R5;Uxh4=Q zYf$Lh(xW;}eU>KZGcaiY0DHmv*~|7OV9k(daw3C?gyu7E$V zJZqq*rPPE#3C5dYoWRRg0rs}nl4FtM8N)bR?w&R}Rj}ew=fkWHN^7eKF=wF2z#uCa zfyH0Hit1nEWv#jx_tBPssFZP=XhtvH!*N}00b3DC-S?UF$$OaV1S2K`tq$Y`3>SZ4 z|KSyy#4*2DS!t-F1EoV}M+bNb4iG*FSgp|<5lvEnx_y0Xkgb5i%2z#+L2QQ!Dx$~{ zv-A4u>R1Iu@(+NWVbt*hAZ8GFnCArCaSp(;X#}uuPXy@=Arh!P#O&H{6WANad4Cy> z4(C6E`FaO@hn{}^RbtnaDWB?P0rH%jv=N}k)s^X75RSNoRDzf%0+;oG^cZD`|MBP* zY(z<@WdYQDotvX;XBRtgV7LA<%4t-?BehqwxZ_Y|Ld&H3uopGB`a@loAHY}9JTK;p z;`Q?NSs5957$Onz&`=Q$3drh5S!|pyU6MsfgMEa)2q_;EQYck2R8B$F*Y^C~VU`;J zJTEvnD4jZGps)YmaAkLQ_pLTtIMLt7fH+c9S7#^1c}sL%AGH{%_czUbdKp8uvqCwV z85Xczm~d_6eNXT+k-MfF^Pn%2cA7lgIHdK4%5`0K7u@l{bv8=XNzK?-Np&|~~Z3_eQ(%{UmaUS>^=2s}J zSEnFKWrZyTz+==GDCq5QFp;%cX7R6&qYu6$0{BCFib=~U6o?@b;F$@954>BpEC2Jj 
zKPI(0_qWSLyZH-V9rMA8H?Dve1Mq^ugSUeL*?wZE#7>hh-`=B+G9L9mg{*Ary|?e) zp_;p~-3t?6aEe%m3keTJ12nbb-Pq?~b0sixXtW7rK0t*@4RZhM_1dxJ$ABXs0>%xT z;7gE#cMk;(bL<{=?;_AE2saNf%!imHyS|8#g)uBP`O$eWPdL^`Fp=RyCaq0;2xjm5JXAB{B|u$yKZIYf)=HHA=75iYaIgv!WN{|$l1zji-%8h zN8aY2@gLrq?oKebKh!}#cAC_Q&|<@Zf-XYwcjwV)s8S%zlRSPre(02U9%7Lk*Fj(D zWMn@SUJW~n<6Bj2a3l?u*0lwsmdo|$)0_FdX(dAZEgKJ zP&`&#zoDk3jOKh3uzQbY48Ov!eAE0*b zXb$KcAUuj~>R(c~UeO?=Z`&pXojC#q>j@oj1ql}Aha}m%upBWFe-%Ug5bp2|6GJhb z_Beq9UzLBdp)HDnrMpdJ-841`UJkS|U`(67l8OpVRn_~I7;M0or>koa zC7|f5SFg7FOSC{g1X15X7s5jT7lf~rl>G4tlt>t2l;PsKzab!ZFIJ`|2p_I(@BK#k z!NEPe46t1$zJR^h>^&$X1jE%cFq)e9u5y~65od#y4*e&)@kh}`4^}6LA-KC}hR>cm zm%nysC;9TiIaC5^o%bXzB*lN@Wr!>;7Crg7Rg1$x3BL!}<8=iVjjS_i-~%OYgtHy1 zo6`fu8A{yPTHDh)an{hqAw#(9vG zkt|+DYfk+hI@Od;`_OsXh$a|na;9B_lQu9&)lZ1z3a>EhEFYK#$}0TVc&!WbV)RMi z?EpQ>wmHQ$guZ?KT3s*^Xd9enu65djtBcsEp;FsD_* zqiD<=EwNIxv9RD_z?4R~rVT3bMM^-Sd+n|TYw*pE)yt-J!c~yY-}zlY@Ps(##IT5< z+X{Y;sJJ!PzMMGHEUNqFTGO(pPk;Msy4Niapqe?7?_&uKMf(Vlai3jQ2{{#L`gwWadDXWGapvErs2_e6&~oe+BK$n)z2T>y?_4$ zEN;OuB9~>K-W$jXjtIQXcpC?5>(FJfD4W;N$#CA=NoH)$feVu_83bHmE-G>?>Fbk=!%1J0 zP^{6u=%*lUL}Ai+OEYNaRUkP8_|C!tZIJ}uc;ZN1~jVnu$Ms5(nfoG2{nrB+C15a1RgU6LV=y3&vJExB?ONh?}p^&f{2^$bw;16y9-0 zPn}cJ*VJD7s+>--lAG96HB9rexVrY^G)o)mjWD*!PoK(x`-&ukr!dUdPrZG+e}dg_ zGNa*q&&q~Da6eylmL^&bv{Kh^+!%R!(ZtQIRF0Fx>_|v(usn)r2${I{ZA2?@$H_e( zxpf_#kZJ$#2$B~p(3K&zamRf{Dze?RR)SjG$JbXdWnID0XPLp;PcHSI|7|vPcd|&C zB-Rt-C>B)00&V<%k6z(m_`E)JNL)N?V9JGFPp=OJxqrbv36kvR+cEhl@=R-Mrz5da z?8JG)>oCUs1QtdrBs-&9Ky6L^@J5-yb-5LQG=TwvufU93RF=z!XWQI)z)xoTzQ9}g z`}>13fKkPEW}54s$YmbYrc;GG7@!{Hu_1ih`V}LUg&896Xncm`r;!0VP&p$bmW*yx zF~Y4u6r7AHMGDlLNsN%nk87Hk zuqmCIq{Bk8kh(}?7nHn}GPKmTEuPY1A7)ljqBd@7m?}{hsp0^|#ZI^-ii^iX^?nSMRSkzw7h{a1Q-QiBNCMjux?A^0UV)%UthYQ6exxBkBCDh z4Sp=BleE)7FnJO%6Uc2qwPVO6X6uQIr5Lr7y5n%Z z)W~APNP(pFb&bzYK7P`xb8`@;s|Nojw|fzYJ3tIqJ%zXH5Gb43%F@b8sLj~n!eqO1 zSBp}fwj5k5Lc!xhPs8c;6fg_)k&Mc`JUmYte974!VE74py5vOuDS4fKD6~}MIO3iP z^7A_sJ(b$hA?3?UcSpklB285VO2zB9Q%33nPPCSRB3i^u9SUMBD)?FS!tsz^3S%>v 
zL&4zIf9U^to`DP`6u#gQgzsq?o;~}}urt#G6lPT-{3Nvxmo>(!zCa;lMTizex(Z>B z+kaes_3-~uKtiTf+H(w$%w6{vf>wWozwFx80Z7uX+dqb>Tk|V0xecse8^D5+lWxhM zUqSML%z2D{2}k^3G2p9beAYVJ@9+MuQ7f)3S_`;uL67kUu!rId4OzevFU@mOk!C8d zy8-eO`#oZGB)O($1=VC4liT_bOca7L-gl42#QbRg)Qc&km)<1*}cf|QFG}zL74MtqNX$T$7zxQ_WZbzkXdTVU(D>ESG&As2v9VgcHcG8UwG143 zN#ZpOK>yd*H)M}o5CMRMp=0b!m--2u0tzW?QiSje+HVZ@$W@!6*TJ4|f7FX}0rq&e zLP>V&);`UG2>#a7`ya|-!H<^Ooc4Z>5QABO0dTue>V3=xk_D|PrRr;NDO7tv?*f`5 z^D)FnhTs7e6jk^Ow5XRc$3-q0TWb%icyyyHLtHW z!5eMF9`9&JcfLnk68hGsBRPCiWU<9`nA^ujXVDJg+@wdI-6wlhBR(B=J2^!~1PH!y z2tqOdYlPq0Q!H}Kz(6C0**b`Vu-l>1@`4?wi&sQ=I9wsHP8(k#NW_&f0tC=!KbHeP zB!Dv*di)99DW}hI(g|;$llug;pw^_J z7PU!n{?#ZhU(!7*Qd1{QZv=K*zr z5YVl91d9T~HZDHCQ-X;w$Uth>!r81Wz0|rxn5VrA5et3-l^L)SRyMYBqel<~_C?D> z$E1$4GqDu3*IxsnfL9{KAn0P~f5GYnR^3~yEinwai#i-3G}PO>hKsP+s!om(F{^=u zCB8%4TDWNl(6?H$2SzjeVaN(G7oH6iN*LuVDal+tU_7FDynQ>_O8+TM%@~}URX#^k z&55v*;I~e;Uls&1%p=b1Bu;muZ}{{BSTl;io=4W+t(DYuy%k}ET8u+xq^T)X<6NWY z{tlY}HaTT(tVYU0-oOMPFZhywB+)!|l~m4!M^e%o+8lyw%E;Sq*vPW%t9s@PMBNg3 zpKt7wUh#k+K31y{WE+9I!?I-}9Y@Wf|KJf<*UlhK>g(+V@PXspaVpG`P6n1Yx83?p-Dh*r)F0+khfwp5OMt@y@Y&^mJ|98~mRC4enfs z0IP$DkB9`~bO7hO1_o|IGNpa1*7ak^$Wn0ZG^Nhjvp|cz(Qc0Kk7&Xed{$Z?Dw=tE zup&W=e*ldEK?86UR5~*;u>h08pw&fSVL|!3;#7_RZ$rIKMIHi533gxL^I(YAdKWYZ z_N4HM6KuCl!Tob>?6J<|e0$P6YeezBM*w~r8XoX4At!3)V@-$|3btV?JW(+*XRU8=j>%w0le>P1QsQP9 z_gtDeo2Ry3UHj_|$@%v%Vwv_e+a!kwh;kS8V(!4$D_}WXZv2=|=Htu3!}urehgLc) zH*SG@xpg<4n|2^dti|I$!CV)*R*#^sq7U7J0~Y3b?l-}lmRZ!Cec!$fglQDQFLFSM zK78^-Us2Hpg#^8a2@HwVywkq?TrRP+vMPnIH&y0EjqkBtNG4pTC_}PSUn7WN)=MV_ z17lM_TXzc^>(@^KUx8xe{iBs(cW*yG#h7b=M>K(np@sz>h@AjQ(w06P|HZ^Uj_&uO zSfV|Mdi?*|F%%+>c0y(B#{Z`Uu;cC5b#g17DaX&jr4j{3pBFD687xQOX_OQ%E$zUD zecUI&d=ot@7+HS|Hba#G%=bBbLe|%T+))L0;x1pa=HTo)4!tnLBG^hC-WiBfjNDK0 zYnDNck6u4TgL&URb8T(0e^}<+`-;M=Pj2J*T0CM5F3B%Ov{>WtXX5-$JGtUI-I`tjuX zG*cHH&&)teR`hyB?%UQ$woDjL#VShy69x($__vA@z`;m8plx7qf}$6tn{kDc1Qe{4 z5;2h75)uInVgiR9`2D+=@S4SH$6ybFX3pSK$L-it2*N?e%y<|;-O2AOgSj?(E9tsQ 
zJP`t>g&4}oNig~KbF?BfPkJzL!bKvFQ9Hn5v@_|_aJU$)QwDeCwD;<-*Q7sb$Q%9j4sRYOcCg}%{nUL?2 z26Dzu7t!?b#@-Xmy6dvfB8UeC)#=lx?~qwto{RrhKC~F;kI^lJ0Pt{t7haE2O>)o} z_X|%FMd(0ruKFg*!j~8f&mE~V2enCS9S_=BFGqX6GE83(vPB0qwf5X6c@K33Y#Z<5 z)&OOh+}UC&W@*27nUb@ZU^CSWJQe9DIg~NW3WOo;i2OrcN1)L-YB!o@5>mtUU&EJh zH76k0-fi?u?#9lx?u-LM?k~W7p2IT zv*e;z6!*wpJ$aoLQ|;f&Su6w5rkRY4k?YShR_1M_^7 zyO0qvLyjT_BGDY^LU6tzU38!bRzlb#bDVd z`x(%keUh#u@zkh}1)^R|L{lwLgnVEiMiiHOF)lA8D!MuH{Ew&-6V7u}c2kd2!2yj6 zs>j1Q$EeWdYdfFBupy>-bn{_sJ&O_m-JQ$mipOs{d3v9oEMlZRRx}lj8?t37g096) z?wtY)M3<5YPXKciBnTnQEG&QWYp!uxNMqn`|565~!B-cj3CB!0o;-M7huIJk1%<4Q!#`NcYPfje0uE0&0U{0pmZ&TM zG7#_r*cj*@a3f!CuL7X~9$%83PFV*D5-*RxGivpyLRv$aB{1V2;y;ZsfejEVC;~tK zT!zN?D=d@_%rzjN14Kttl7TnCIdC|M#z>tq^bIN&l$l~gZ2*M*Di#GEEnFD@dIY|| zxxaNl69*~chkE<^@RD;VFsf@qIaSCqm5FOyE9Vyy>gev?9o>RYf`dk}XEJI}3*$)p zGn$&;cBOv>%LsXigL5H(Dp)?F!yxh~#PY=}@o;hBRPkt>IY$h)4`@Qn2%r^&0m2}T z=%7rrX9X$lih=|v?-m@ti*T%B)f9pm>fd+xsNlOG zA!21^MR^Qcqxw(Lz&UD4HL)+?p`VtFAu^m4GN_? zsLxRD?wHmB9!Dq*p824uw6V0bbaHwRY7-{_ynO%KwhZE4zzXk&hnrGSU&2!!uMf9l zz=4>*Rc@Sy7sl+&3;-B>P0u2uqp|zv2!K&1z%HQ1Sx>0o^a>y=uV25$51`M2_M*?y z%@H{dU=22k*SGg?u_1cU^j<}QAi2k0d!qQk8x^t7Jh5Zwj1Y*s$nsV{tUjq09OI?pjpt< zaeN~85=;t26mmz3wg9w*CJxt>(`bgBdA{QgY#dNOU}j@KBQ;h;Jmh@7fQgXM@4oEf zXO2cW4Ns1NKgwDBQ8P$$NDToO$}=;^lP#{IKTa80!SyhNTOIe8u~1YDW$DIlp9OcI ztOG6>kgVQF#7e7e86Zi>w}K~i17Oob7&;IJyf6Fuexf)+fsDz$`}{KyX+Vv_X=3=; zSOUe-=gVY-34{#$qRxJ-A&Wi8j@W~ohhJ=`v_VHo6w)vW0hkANRlU@RSV%}Eun1Q8 zJ0FW%u+zgAWj6SjNeAQ&f(Swah873-8HxhjMMzMfKPmlwi)}N1STbD{6K8(ZQ>;aNAr(Y}3C*Buk$o`Me6F>K@ zfS?Bt&XP8vZ95IkCs#?-83Zl&!y6NP=!wypP5xY-l*DD@U+xC$SaP`0aG#;%z%m3` zglTtK2p=klUPL;9!qEuPVxameNrPQ7-_ zeDL5fXh$#{kbvS@BZ8rSg(wuQH^_xXPZCqY*Ci^;^7)7W>fh25dSZJ{%SXeBg?u>` zm=LszlMm3(q8;B#%Sz5cpd7e9@FKj}r_hhVt1NKsM?_RqJ3heu;N08;qww4!9C|Q{ zf`Zx`7J+E6V08u&H`J1%S3bbIP$olkcN8d8+)NzQyw(2WrTX>H-@ehNbe!B*j2jOg z0?5uRb~x(y$;&)PoiO$bz7;YgtA{w^m)!l;%a;t%Xu3||be+EdB$Osm?9GG3*ByVP z40uL~ESE7V<1_?|u5`jk2(ma-9GKOFA^>KMD0ds2a8LkFaHZL{%@M^J>T{+M3aF!u 
zTD!Xqd$xnB4kSLw)pfKG6nit%`Y>~kh9x@ziy1ygcw~fL1`0pm{g6tki5MbMU=$FG z7lo=o6mecM9w*8JpOYUDd~m|oknMRQ`A>f8bs%B;n^=Nz4&pAh-oZghoX&QqPY&7u zAkeg`ZvcKllf|fv&(X7dZA02Y<8dae@p>vk7t?K*q|mDCcuJ_txLnsjl70q*r@bFq zwEHzRtnY(b4kolQ8kIn#jEUyvbf9AQQ0c>!Sma7C5GFhq+%p>M>|5(610l_`@@w?Uef^CI2AOphiNP*Uk4tmJ(07 zfoWx6CT(qzSM$)9$4x<3Cq_C=AI<7~3E>a$6v02hDDpEE4}&U*#3x({REw>yA=><= zPzm6HH#)%_We=cV=u$CU$&(xj`>_{O?gCN95RefKc^XJYWzqo@LhxU^Kdu1o*a+v$ zrjpz}KFkUGmBFxX(k_-9_HUTVhsAct|xfKV}Xon1?`5i2lfu&PGT1@B_XyMb{z zFnJFvJKEZ$a9n-BD{S4@do|D8z5t*KX}@Ho&`{Kf^KuoA@ALMB{*CKOIye(JLB%ej zz@5X+MyPpgaY~&pLEhO1RX(^{)iFqO4-7Pok6Th~oJYE>il-0I{DLdO!e^!qx20VS zGk>xj+FC=gMm%~vy=>k5^nHZ$SSA_D8_p>6z%J6i*R|z;*R`iv&>&L@2iH*35cTI} ziAXsYdg#d9ZELD_Ynz!#<6t&1Mszk9IJzAdwGkuRhdp2a}i5Bm;B$-KKKCjY>6urMk^-OrgP|C8_o}- zn8R*}YO!YM*0|!;-e@TXk=6ktTm$?Bd=OYs*de^&xy<)z$;$sZ#L@u3HIw^{4(63| zuh0L1+6vzNT(PxyTo5z;`1Ol&>mPhi_4qOA;z4+IaHns>=I$SdfV!1vNo zIw2AQHl@zViHIO1TQjR~ar(^HhOie%9v~YY`LC~3z{Lsw$~=JEH->}foZo{qN4By# zec^2Zld=wv$X;)pHEl{=6UMg49@54&zpwc%id}3&)6G^C|3oims)%X|Kxj|-D~t_l z33`*ox^;epVW&Hzf56{X=Y-tjOT^wkXal|hKNB(0hUqvAPQawjc4}EYcxG2O%OR}_-6r6kbH<=BhEMY(HiHHhh>Nm8OP#YBm?#+Bxsm+fDAwnHP zklT)1;W6TaJowGd+)#=*0k?}v=ONVBd|LNFzsusPO(4bNq<;no2zLM#P>>@j=nwwm znnj5~t|0T7u{dbt4eN2h3pU4g6B}`Zj>XpaZ>XtbHYhU9=j7XyU2X8lXbZDFfM}RL z!BIxU>^P21r#OxLn+hpg`{R7h*x9wqd!l_6=zVs zMRyM)0hrnbpw@zj3hOgJV-yp9qZxr4dlyN`26aW$)488Q3g3A)y(mD~N=kaQo z>BnwF`>)~ILIo%ViMk#(QU15vY#~e|dnKW)gUd9-nMN@82}p*P0?F%URvxODTP%mT zVc`v~jC03Rr?&+tf8&yncJAP_E9)S#0aOm9Ux7^1bC1fU5l45xR2ZpHx<#KpwLSKwC%p%6vUr4S<_a~#Y0weV0%2WocA z?!RF}DpNQk%ubwf6Gj;;fjQoWpe@)v@K<9jgY(rk8XB~r#yGMuvJDQ)ctacz&_iTD zucrc03{>QJzHGq0LdQfTB)mY(5@jBu-R)}DzpY`Z+`rm0Do*Vo06_p%h^|QN+2RT8 z7_CL!g&B7fv_-GaFv5ohuXYWBMr(MsAlcCkPJF&tQV3!AgnKoP_~T(P*@B`B z9%FNLBG4;|rz{2lMZohS;C<dx=lLX~F!jKxhqgyL`D0!53A= z#|MyTP?0k#J32VTCjR}ToFvAunnp(>O9y-XIpue|QJ~k<6 z>EAUMehE;Wew*fIYF_;`DJeg)G{5wIWNBP!-2FH%bw#uF|6O_Axt`NR=MRwWwAQ_Y zBElD36XLjDH@CJn5B9Y7G~mx*tDK(Vr-UnT2*lfI{@>5<@}W>J9sM@BdATSzkZx-5kF5;&-QX 
zEo;Ki{kzejcVp@>*{^=9t=Z=?@w$%t{`X|YZsrvgrHhXLq&Qg@)LqQKo2q@8RHi=b zj8M_oU~7-%=k8sW)p=Emox>eB{!169D{kCh`_yZZ^*@m~m5F^PyIQ-Z7TQflR5fX7 zrKQc1?iJm;SM)Ia-0Jsq6Mz1{4=N()-_uwVzOLleouFq?-#MB1v+#mbYQ^_Ft9!h5 z={FvYWKG0x4mD)vZ3ejfo_kZF)$KBA16@>vVb@fmN7WR&$c`kFcY#R!%Ud>thyNu# zu7405XCRH?rI*jWmsZH==Ih^iNSmZ)<-JRK%y;vrfj^^2@tUW;r}D!R3hDXZdoNnq ztI4=mO(hqNPA;^2RaA6pXm)7CbZXqt)PQHXQBRO4_90{0;?kn0m$B>dzZWpma6{nl zJtL*7G&MSF=V;YsTOe3(xF=$GK~J1t&85Be{mj}80pBAhyjXmIR?{9W!?g>_I zfvuQbNV{5armnWmkmVDffXSTE?;is7O?6M{Fy0a!|3Trn=Uj=oqSLSY$z(**-35IAGewciE^*YT-bbG z3+8>YCz$TCGw&^XhXz4@L4%Q(Serc!L2deNqTZXbF1Ayot?bTh-#S|EusviKQP%ms zK$9UI*wQ<&+EuNYeDhmJrv`siK~errD#3$c3NrO@ALqgi(WhQs19Y(2ey^gm@}ix~ zDOr1You-NN72G=J@^K?-bj9g{O?_oTEN-AADsJt zXvG2Dvu1abEy$^@ER~O?ToPiA&ft5l{~>Gc?Q?Y2)^C2S(APbQG zyJj=0*8kEBeg8K8f`krEbm6`0GqvU(j1U9s^rEhtMHh$peaPX&=+P;QLsS%*3)N2_ zJE$JL_=ue@`PIiH51%PhbDy(bWOk(m)KH0Q&I~6$&ZXH zy>AstZLaHhxZT6S(dj1p@sb;_)w?@zYdb}qB`FXI{=2d~^nKyd`f|@un^iOY4m-M{ z+`QrqacHBOhsZ@?U9zW z#SWT7n_hOW&t@5Dd|aKV+#|K;oYX^Vrq;w`1x))HBBRu$9@?4G(k>Z%&RI0s&m6t^ zV8uWLY*=}vU8oT&_EoK@-iLl!z>U|c^S4F3F1(a*EHc0J&2Q>HvEr+CDab+CA)Yp)oT{fG@F6Y9_`_xQQE8gle3 z|K*i$hQ(t?3lD6{pVHZ@5j^>SS^!3`^YfBzT2H+5LA3xOnN3-a zWAqx_asGegogY2MpFECLd;5C7^`k^)h9Iu6G33mG92j1+_RsSC|f@NFY^7-r!M>xLVZzKQ;{rb!7nk% z&Dd4M%d3LUMdVk^?h0M{;751(gpKy_+Q@kydt35l*FuCWvu^(4{(YT|H@{iF+IM_D zqH@nrzT+NF8=3i6bsRq!g&(v;O<)$4g8vA(EWa<8SH8mS!=DK(9MI`0A zd-v+<@VAJ%mX?Kpg%PQOcHM)Z2_=Xv(Ck{b8AU$#~{`#1dAxVgXb2J^wF*_p3@ZvNojb^MvTjD@yN z*KR5>AtouCh3Z?UR$~pd^DH+M_#ZJ)7gCQUw>~~UJ-hVveW}ORV^dmT#8&$D@4@mb zU;XGumux7K$1nQjAoI2d35h>N>NE4a6qlbYm6kqr_i*!FS`kiYTe~&&Xw#zFo{TJs zwLJKhfycL^tv|N47lwPyjlZi79bS#^o$P-SmTg;_9a-#r-sU3yymGl{@APO=;P&ZX zIsyG0bP*=z0*o(WR!`g0)r(&tsY1uI$!L75&{FpXm5g zroTF%F!Q`P>)`k%Z0BllPJN!jKZlq`iU)>SQ>Do08zu$YmobutLTRUs^R%egu zu;Fmp>l(HzrX`0)<+iKx2h%gCaK4%nnTn?wnYz+8Iwdkm6}z838@;;%jiuPpLCa5N zMHl@1`hJ}qxZ%6Le(345cTQJM8>>EuyZ0SU+c$?(KOddvect`-`|2~=ilw)SydFzC za+`&iTE2L$O{Pq6YkNaxOtirN3?EwFmp{JG#LwdvmsskOaxkS8pdFk?OkY#(Un0!ZKp` 
z)7#`^kxS?J8Q$!@GvnUUec*gn!=&Ith2XY>?P|IvsRyGxYrf|8v6?>ADRd+L5^PtC zZ@ube?BAC4`S6$b`5bIcg>18h7YY{l6y3OcHlW{aXm4}er`((DvJV^2YA#j0U0LYJ zey5sOn19@_&gNIZi;wf!Z6_VYPgfo}*8ib&*0+E(<*ogJyCNs#Oja#8uJL_$K+OD+?=g@p68_cQa_&}Zqg zC#VYe`W8vmuYJ_1AFKCiVofa`DJz*CY%4#+md|a~Uv`$7BBw_GfJSheqsa1wr-L`_ zquJif8RTiHPi0S`ijfx+GEm$S9{|Q?u_;_HqC8xt6(rJJmQpSB$TyWRz6sL zahJqk)w4%ouX|Eo=09GN){4d{7&o;})q2?65q{cz^U2lA*%f)(CWdAy;rUCSmkiw` z)4!TAq`t591s|<>qLM4DU+|&v!~Sm38z~z%&QJXE9(iyt?u}dT^!uvIZ`aPyAp=oJ z=9>xbA|a9Es~)}guJ2+%sN&JICJw3|$qDYe%$qZ2wbS1(RSeaxQo?)0I8s1NBfmL} zRNnf&?@9dyXK@ov`@$jXm~#^<{EYsqv%h~hYSqkfu*YZAyNgUjB;{YRF1|C}Fn3&`d@h@GxE#VT0 zOfgFmtQCU$-@KWCK&8d$sS)0-#p&3&M~&VGFKO~JFrEC>vz||#S)Tj7X+7hOz{2ha zPt`WVO^P1WZ)U$4xx~Uu^(VPt-D+{{0v@9MmOT{fmS!Q-Wipb6urfDCH~Bp z|3qv3+g^N2JJxffQS9W(!tD2E=i6$$1?sci%A09FuQ6hmv4DanA-RLe$#3KW%uIP_ z+r#LNq&!wlFS4`h`%G)d>&B^hzN;cbWY;7 z@x^?;x6xSFc>kQQrq{WIxZX-z9gm}96#Rny%uG(j=9RwA)@9END{HTCM!wB0i_+&# zGPr%#;5P3SZ;j*l4J~0WzGT%3R@3N0i7IOB;3`4mIl6?`V%0)zyDU^=TiI#TMy<+E z&@1E)zu&=reC2WRXhIY{_TG8@8JrfoZJqtg z#>7tgaqq2gSz1`m*x7tmSKmlizv^ONOI(p)xdu{&k zmdJaE9)nb$b;wBMW)M0C#)b~7?axn}D;hlpd@`FWPb#d*s{F0})4>jAV$+&DwvT>X zT4%50p*X^oU+%qrR~p;p5Sth4Gws|rj&6d1FDJK&QcKq=p4RHo$abqJs406^ko7F5 zfV<*Q&^eZCr}MWyI!JYlgY4SJTe8yD=~mm3^`}!@-9Em*x_WefXB4yK%RmO*C1RiG?pgRjhh@!s|oT8iG5!KmEoY`j0fA zAB)TP!KYnq5BrYOn(Na|8|dZreLYe|Y52q2QAlX*!w0SRBA#7!x0nqF^k)l~rhF3L*xg!NJ73(J zJQi?TM{6@^$og<9?#A0W&adna72RfSqB=}=yi9h6Bma-Gw~mVP3;#t&8UzGHIwb|9 zy9Mc#PC>f6yHi3D2?-JD5|Hlh?(P`6JMPBs`Q3Z|xa+KSShJ83=AAwJed6Pj5hwx92dL;HJH4TQr9myD@I`)#0s0q5oojqbMHNhg z{%!S@vpcbB@ivTrvGGq{V_u^gt!&GgK_~!&nQ?^Q+KYP*|Veh2JRD!qGGp|dO!tl`7 z>1Rfz$2(v+K;QIb(<#<*VN(d6DpHuTqDkmB`!^yBRKzh@{OPoS#(Jb(Cjg21ui z-?jp7ws_{G`M8SMG36$k@;hn|l?-`hEuF;qBciq=GZB1eW;}xQly8!hZUMU#z_s>1 z>3KKP$MnPTq*GmQSQo^VES6B_UW@YE`)A3zMg|{RL@#~w%5#LUQ9fLkOXtzjVhmCo zUH{@u#o~oiFQB9Et+dgJtNf{y`M26^H@o8Yg%63`Z^B*6ztzdm>Siyw^o_ZRxuuD@ zp{-L~_DPO$Rf$uji&Z;rd(ZHfWrxcvX7K)!lp^sjo9v*PAKv+^WlpZ{h@@r%#miMz 
zhG#DJJgBc|C@?iMN})`JgHoo*CzF;V$Dcz9@jTWRUIZq5m;4zLU4WfBx^9eltT|VyS_tKUCQdz7;FsG z%KF`FQ}7K%r>Ip``b)09&li)yeB-wT-z%7j;U!CxYNY~OmS;|hO@~~&jYqR@W|J+v zjX%ndMuTz9<@~$n*C7&Jp%Pu0+7T!fKu5uTN7wESpgDub2x(wTY#>=Kp9fgH6wQhg zCY)64;C8b26RbF|QLh6M1@hqLUb$lZ`lW89fZ?UJrC_9U}Mcwd>OUABD)l&Ob zjy;k<`cT_Mesy`Bz(-Ok-g|%HUmWQ39}iP*ukN4iOr_M?Z;W=#6@N?^u7N=G<^Oo# zK*(goUSkG0@gj}7n1`^%ODgD%Uiax$^JM$&Gb}FM_RJ&|XdJug$jZNk%BntZ!$y(K zYi>{4DdNz!#wi#usF2tV9T>g+-Ms$7_nh&DN!}Uf`rcpV?L!J3XI-YPU9PWw?%`;D zJyOO*ALxD1=`+(IqpzM%TYM&J`>1c*^vQ$g2CqY`mV-WlV_eOcuGR|p!NC+uE^RB5 zf+!On``*CI#Uw?Rax1%|)3tO`zNGom$E)r@^M*hOq+4`Y0;tVvQzobAC<8GOSe4f{n#0p&KfgHD);^&j1jJBrlUaAK)~n7X z!7G3zHs%a;>9Pz?Ln5hOq%dA)iLB!Gg%3Fx%F`N^HHtcL7U@nXYEO(zm{!c~qX!U_ zyg!{5W|kDnd{{5f1Y!)L1%O|Q&c*I&68f+ml0^KGuZCk0AWx#!jSlLApj(fzih}qZ zxRgg==BKnxy~{2zf^w_x%^i-8N{3?7rB|CzMpxN`;#}gWPyIes``S%2^Y=P2_{pua zLL;am)fhC_$-1Kt77rR*MoN*h1AE0;^WIa(tEhbwtKvo)HL8?P?vE2c4I06It5ofA z{WZwKMNWn!}`a z?1JX}9;@u<(XX7#gJ@v1K#ied1`Ox(1`qK#o|{4(b#Rx(Vf%TV}^wjiGY_tl^5QEvSR={$`(iU3D?8vcFJO<3I+@5ZM4Kt6qFz-FNfs*?@3=}^JiV0@ZmEQe~v9{=|rv3MQQ0~ zF-3Z+AoQzXM@5gWQWnf7F{rg2(Gm(3JcIQ3_ZmSUwG5m99__mz#`EwYjheV#-IW*3 zp6uItiM`I|BRD#*x;#76vx+^wt_Mz)X%Zoho<%lG#Yj}ZA}F?RpHtiF2?JGVTDe3{ zh{q1*@#!>qJBko@Gc}xKPnbv`0jGtdu1q|FjMm*RAF?tswdf-R#!i>LC{|O0_5lnO z|H_!31RE_mYHDkjl&Ezg-@RBLRrr^e;3HF-H+eX0LIuNgX>h!#JkqE;kbD4DgCZKp zgC>hUHrnsgCG+v67ROoRig!^{8hn9iTW2+Q%D-T^)P4q;fn~LTG!ucBEf0@8PZf|N z@_bBaiX9$R15Vb#6DS?S4_2uFC#^!xf&rUSp2Fjkt!kg6X;J)e#yR{D2|b_t)M^ED zduLra}cdN9qK&AaX7n!iSt zvx1i3oD^FOmaL$;4imy0TKPN`AWnl)+6<>;ElQpO@m^4T2^$)d$}^R=?GGYgXn2_S zdw6)5XTBDs6;D7+bxH*)6XEnZq*D;Yq;Uz4U{#u2#F<}wwI{%CxF)VC!HD&=lzt?^ntMJqiOV*hPiE&DxUVm3N1pK@wpA-gIxV zD1Qor2J>VP-*EDr7oFjWyr4);Ypw60wME86!Kj@SUBb3fRIrwd&2motUA^1!AV7l zXDXS2)=_zN*~1nN^%A{OC(MDV!hG7@?VYIGZ#vYfw12kq2kGFm74>h?QfL)tSYawS&ZwoHsH%#AG2V;ljTHl+qF zpzr$>^2l)Ix(o?<0Tv_CQ&^J`c? 
zcYgq?U3T}NY^X6G9DzOH8^|22c=Dy%IGopa4-YM${QVTXpDDw)*;P1@_?wE*VpnQd zkNY)OVSh{aA<_Tdvg}N z7C36gQ;eCqk2h_%IMkcY4;B+AVt&E+FDE(f12UrT_vlS>Z!(>?oGLu%Wpzv3qll9- zW;L&9>?LcJMK+v97%TO>ozit|yBI)km5P-Q zphO;(`YMn31p40b!nRz+6Bl4zZ&l3h*)}yX9Vi==hSic6tLRJTQ|AJ+QI_)f5tdB# zCo4XL;bKmxLGTkhmA$^GH3tVSW5WBXl8Eoim7R4Rc3s801?CD47uWZQFG#Cqh*|UC z)B(1L*W?)ED@tK>{fBKbmY9i9f`85J=F{6Yxzl83Y~%?wTwH*N@T|-8u)g9qx68AS zv9vK=b6{Txna|MiOqir&FqGc>Nv6Bcb}snz%Q-o*s1kIvCA^PmT`xnkRHOde3KQwZ z|1rSnD`P_2yRY&&fp)d?2d`6IH2Yv~mLw#i(|PT#G(@&k^&Q?8e=Mu6DXwMBYkt;^ zYt@jBD15-8U5Grubbbp9Y)Z9Og~>!2C3-)nc${&oS+am{+QC_k%MHG>zhbrb>CJU; zkKoI=Y`}c9WPGX4{Ddjur1l*Fzj@=`3ni4Wj$dK}XpzZ;^CSwchh*_upue!1Z;q%v zoNcRFfQP)3ju!+JeJ92O>JLj9Cj^fKy}DWt>PVHH~`w%SbVU(p-#zU3F!; zSK%apzC(O>fsW^LSWD7t4a58#IN0vL!pvq>e0%7l@)+n(fSd0fFHw*Xh9cb`#DhgS zM{#9ZqF<%BSSawo(b6%;W3@5YNauA&9d?Xa;|f0Pg)Navo(bo!v&S|1XFO{=T0RQv zA@YT@QsH56i6^cm>dsY`0{wEDv@UZYTlcjBqkfHJO7 z^#IIb=`1iIGgcg$g-(+ULRf-rDkb7PoC((s&e(m}M_HAR&l)2O^Yr z0JO$jqr(_S_sSvn2+@J?&KovXoU^XYK2IJmo^y^UsB10N+_x^!?C`)cgUd#a0SmaY z_30kAk+*bIAZ$n38&#pD%5G;a)%f;niMozR(1kVJ$zz~5i~jp?s&E<&&|*Z?wm?w| zCxSwxjLw^6-6>lIUmblL{_RZp7vUQ9g~lso--A^w7Dg7hoc{=PL;QsmpST_;cO_Ur z-r*GVSaBqS*46<)I;KX5Xb!6+3~QpcWr7GOm^Vs3aO=*ABt!9!^V;lN!byzZaTamI zni@ZplDdQTxgIXwE$Lf99YCn4!`Qa2B+J-l#Cp9^QL%BvgWv!GLErDRxqTkHtLfmu z1N~Svt`il;gdY!s+MLCj4fP!+uH74DL26A#e3?BWytRf7ByW9 zXA)q4-@oo$FAMr^y5xFfx0_eF9Rm;FDpDk#)8R}2JPGjQ^78R9jDRbj@-G=oJ2D8?{{8x1ZyRi93Fe*yD~JQ*t7Y&(Tpr@PCO35RXMp06{6?60I=Yu`Jkrq_Ca)Tilr4`z{u^ z&5_)R-g&(yI>R85Ps-lT)~d#;#yp<5zk3jmxQ1|SVnWGMQDo8EjLL!<>s4Ok)R?9P z1!J%#6)8tbgHRsWud!NHEwr>Rcr!c61yhGYZqsW~x-i!A;>renmNB2@G^{T`wgD@y z?dz-`5LB4!zTNW~$bnAZt4#~-26l_wzT6xE&!&tr{V4Mdgf=iUe z80d0Kijo^sop_N)#f+y^lJ}iz_TZonHO8#a?@^Z9>8m=PQ{$xf4}inu&|YOwA;*kl zkp*!e9yQPd^V}l&9ak8A&LbZ5lRm;jAMP=%y7D!L8WdS^-^bC_R)9diw1-dIIC;Gu zapL9uhJJ7}6xz3+LGUu1y0d3M1a8I;)_c5gVrFb=W~^)LG?@@g#GnKDzWRBBymk~` z0OvlEv|5+WL{ay3z|C1yXzbg^NE=MBw;komN46#U*2q#P^hifOH>|AFIe1UsI$T01 zF))^v$W9(4pCSnI2u_#8by&Q(5J$i<{!t>s_`?$>OvZih=b+X!3 
zrGqSTNxglV{v`;hcOG#HG$`qq-ZH*r{PmceGngiHb!}fVC9xnlX>Om2FlBCsR;*SK z??r;j_D&^g;{6NF>G9z?Tgg=&3d5KF`pg-n6 z-Te58ikDzhO~wVtm6W&j90^vm$IqpcaiA?p$*<*cV-qVTqCO)8&CYzz{v8>dkICD%D~SAMv*Us9`?p(PNj&p9Y*M= zMDhx0J=a@2QyE=-vfY1=Ij=hX=m8pTb#}P^@Zt{#fR#-)}U$kXwY%T$CNh zgL>z&+0StBc*Ba?#JWtb0HbENJqrg@VZjXoj~4wunRO*OzJIEgFi<*b;=?g!eUBWw zb7zW$X?3Pmd>b==Y(9XAeH#vhA)uI8py?t172#x|tfOCz_&*}PdZutdo?DkON{b4I zhWUrL1)bpYs<|~6&tHxuxgDdf3)QgdRQwwxf3Sg7)uv34SC0Hb=^^QpJ$4`1cIZ=` zzBwg|S|ghr64pE~$ZH44vu=w>Ju*|EzQvOX>VTM_f9WFusT{T#w^U;!CQdH|CQNg> z-HDq_%1hAqgJavTO$1-E;hBZ0#R)$B#7r1?{XD{w1ue}FCU_)SodNJLPPPg(PE&;a zQd#X^X=jzRbSSY=wwX$CjLS4UZ_%zCx^qwA!Q$Y(e3};I6$^Ohh(T<9bX6}VhjzwC zmnx5YKNjBcIvz%umRToDXM7$Ki8aQ~EBHl`w`gn?Wc7-aigjx7zRMf8gG}oF-oX#= zbdjR$N-e!Crt~2rp=O+$6D5sxh6E(|fR5(`xJ+h%aNpMz0L&SvOxVc--hqXfSQ2gL z09k|<4<)G|gv(D^betbE2C2s3Cf&K^{yNm&;Kl=5RY8_uAI{tr19@OF+xOQ+aavoK ze9~LB8rl5jb=D-6@J}EN`d_S{6t*pF5*$8?*Vn;v$C?F`NI8)HVL$e~IIl8R%9D?@wC5;R zv#@(rtQL-fqJ+sHi3N2U_$r@(4FzBXpu=EZIg>RQ$nTHu{OzEt@G`hec69>TzrVM@ z&cqC@y~5pzc-T3oLy~J~y$@0r|S*-qug==!*?bg^{y`WrTq#O}1~><(7kQktky6iik0nmQ zTOxEr2lsdHV3I~36ohibsR`w9GJCKV7@soJ74iims}?$0cK}&bkScn9U)3?_JAF%5SKANURvB7UTIUaL-2z%IgkK zCzaKHG*l~2DXK3hYNK%pLLg(_pmwDoXX$`UI^sE?sR(y1-oM5(`o<)gvkO>pVN(Uh zgv>Duc8dz}qVeS&0Ibg>5Y4Xl(?6y&Cx7L}P%j{|Nlosr{ko=enF3J@%Z_e3UX$2WR)eMkF) z>lT_sh=SeQO&X`EAe7l-*14NhmJ;K+W!Ig8`ow(3;_1>N{aIH z3jM};6WZB>Y{W3@g3de|kl#9oBgAfT)L_J!ii*+>0j3vt9BZw*h-9^WGO3f%*4gpd z*`P6yHiN2m;c{^?W3yI^Fn+#4KWkXyyBi``*5>`F*F-Ik=Z95anNX}&I<#9tdmnfAE#Uq7P-yeBlWoXTOeyvy{3Ebs8IA5;k_rr z#$@xnXbY9dVjnoqL5icitehN93H{*5AM8jri_0`mn0+SWO&#c!SLy8DQ)-sj1rdbw zfNym+?f?noGrg58^+h85A9Wb;@apvOD6-+709OerDtg2RK3i2!uGmeRRVMf2fMOI@ z?S7mefnnv@u>}PT4(ZwO{gKZuf2hM%%03w8))8gGeHe63!kkeO+cu=HPyz^-@QUvnXFi{5GVt zbZ+8!{X8VT)aEih`OGp^Yujvhb@isaW9Rf5+7u?K0#X;3Id8>d{gMb$^PKhUb3T(c zQOasc*&B=HHP(M~<|-HdP9|AaP>_>ZP?uRQ6Ieh?h{hmI5!#8Wl@=P$+(8y!)?UsTXrjtMLJ^rCI;{CA_H~P3n zA!)h`t@LmC#P<#X#&I0^M}A)8=J(yIu_a$4t5#-yI;>Z@*oh+kD|A%%hBE;(mZ>_g 
zZ2bM20No!igPTLc8=J^OnEJ*(uJb3Z9!X{MhJ$6nIY+#Qw^$xZ$U)%mSoy6u1%Wx2 zgZfWqZa3vvrPUc3HdAt3d-L{aFGrq*>^JCN_defecV(ovFc9f(&{@jp%DigU zk$?OgtHMUrN7z6{r7^CFlx=7Xv_K=wl%qf82h-QZijKj#@v#)ok4=uZhB02s&$w((`YRuKCj>V^ zuEB!k15;@z1(B)7RZRo)NE>3;#mN@6!Mc-d=C;SL} zP2jIfZ@26f8gZ!j9O-j{T^|DShF#H^HS}c{bvRteZVntfZ;My8KpIWD$3>CrVwP_h zLKms$*~FD+ztm5aLJ{SN`77%?VrinI$89*{Q5PfTOHxPz`|pqTq`9#( zJZm~&G58;j64HfUM9Ig(#Y}l_EnI?Dehufc%Eph3Z6TqkCZ`(*mgOBMZC$>s?EELq z-j_ynO3l9=DIC>L24#tx0@BMCp!m@~w+%UrDJB%TM z6ilta;=Ci-yzgU3GtZSoqjvGZ^TKz`cT+PvGjV{-bcMyKJXo1dloK_nG)xndrH2QH z!9b0y9B<$Q1#gJinlDb_UDsdu9}{JdS~+Thdb>{C)5f=}j$28*bsF8l;xv-uP4`{C zL!*2RJNX>O#<(<%Btjlw=7o#Td1RBj$p}pC#@lC}0=LKAkDji6P+Hbc-l-=!RTJYo zl(LAecxFf&uzI_`9zypdV;_uQ^n9b-`jl&2mx5BG{@8_e%FE_|PAPf6^`UOhv#Ie@PmV&P(EZC7Di9lyjB4AT8i0ZfY}qdF(%f z=qWK~9;7IxIdk^;rY9%O`?w}&42P^6hobU~@nft2`uQ~1!)*`gg2wsLCTq6gCnWZu z6X8T=W@3>LI5g5PP1d~)x70e>u#mrSybpNWZb?vDVd~}z`3x^hC&Akuq%nWL^)Eob zo03au^2^FB!0Zm?Dsaw)?9%@H_4CKuJKM3BWZkbbn8z@UCLeF-nkjsD40usu$*-p| zdYf*k4=xW)cq3E-J|}bV-;$#9NhC$X7{Tc5s`!i3=zpO}PcAKcnw9VfP4_w4VDfd} z=@ii=*CR`8Jbm7DD=J~?I@=28hwm$3?scj%JM|7u6NW&9hp7wr7`Dvl^{FT#>GrLo zs)rP?_l&kB=iz#wBuSsj%&AO$uI9?|A>C~?9GrV9w^Xb`m+p3V4D%@^ZKv1<5G&|6 zExX0cgcpvx?g(~p^>r>!{`_ATRW8zz55!H zF)cNsa_9u6x|~U*UYwlJ1qW-T%2(Y+Gsz0&mlx1je+ekWF!-c7b4^j-vW33BGXLGH ze$sskBjA>rp=+?$h;13^ee34iyI%YYg{0|iX~1kUnJRsVc(xE&z4 zLzIw^ZjD5KW?q#F#Sjiz*A%5ySQ_PVT%ycjwRkt6`YVfzjaUo?sTcR9FZ8n;IO-f- z?(a#&XpIq(OmhW-lW^wCKVtJl8YLxRGfLXZy4o*2OWx~!z>oXj>f#*QhRK)^7b5vi zE$-FPfsS(RFRhlfKUX_^-Yu6yctX6kX%8x0+;Q~WM)4_!T7Dslf;t;1HMU=s@j3Lg zJDia6T30MBVcSe|gfOWQPVd@+zv52KvOuPI<$jJJm&r+(rhIkqXh<6@z3H7^XkD>W zcXd@Z6pi==TWG(4wa_+ac0XfO6NPql{E&(6s(+(w8q!Vm%7Hqdm+^YI0ur_8Roz=- z|L>EwZ+6-jCLM?c2PQ>R@@=$L4E9NJBs~Lm$eO*{<3^mZ;RUaJ{ld6~D%~m!LwPQd zA#c$5vfc1kls)|%;~V8RPExPx4XG&@c8}8)x~)#{mpCuTL9OZfx<)430r<6EXWO$L zOS9bcMti$%;jL+M(LEb2w2!%CS+wlU)HUp*zS(sH8H$aATj5_`=sqVSEq0IxzG6%7 z=yM!}Qe2iiBb2k_lW2uiTBOm1O}JCRb5tAg(Wi1eq?p;O>P|ev*v=? 
z&IW@|8Qc2Tii7W-5lb?3je;aHWD_AuzWFs8n*Hdqx}N)h8T+79SlcJx^9l8ATief< zN@NMmw}gK4Ft+9{fNFxomV=GU-g3n2b(Dh!qLXMF0diMxT+7)gBeWjCy zsP{tW`R*tVH7L}F6vt{;G=d%yh|6rvTC!mg&Ei}+mr32wp(iv;=xM+pJ>7Y{2YM)* z5i=@52rsVzqNno1!-%a3<;SO&lTDh84mpnUG9 z19K^-fexxogbxC2X`4Ccs;sYXU@xicmjgCC54~=+&BH*2Is{VwlxPRlYp-9-yAJ&` z@2&7>FKQka>wGTnN?!89J^j&}7O<1NX(xy}mJs1Z&A&gdJGRmucGM4&9EU<~YQfJ` zs22!iuJ1&V{H&fd9=t}l__lNEVD9fHT_Dw_>IxF-;JYg~kvNh$hnu0HsG+y6AuPkU z_#Cn>7_zEn&*X)tV)=E3s{k0Qsd0^^aSa6lFep}cLBOISUopp!m+@&OI)KIj|1`ts zFjnQ2`a@}-{?iWLWiT@Y>+~8H$P4&7!2v?l?XlMn>Y|>Ws=}2qKpc?kGd0o0y2V0dsKHE_WE6F(KOroihd`b|VvrKLEgE9a2^TWlg+d=GdxzrPg!|6tmLXI*1A zoJa5CY=#pYev1>S?DkLghPwto6R5TKklGbJgIJ04rYZ=YTg}y+hGeWjhoswALCdZ# z*TNsiE{?HuYa0vxBWT8qo?gyGyIjte<41@vj(-RSL^CG!-(874zwq{2?$HylWKTAk zZP`Cg5gc>5k)11@d>JEfA{Pwv<7V$9>#bv&!9>Ky8zH7{pID=3vC7MD2OL0wBe*YK zqR+DbH@sK#2)aE;_htJ0&Z+0d82uvK<)Qk{nHlzd_foYbUX6a zk3A0SZ+&je-*#A)-W?sM-!0ibGCQxW3EeF+gw8vRp-tH=eUCl`F&@N^`uqQ^g0Ox-52 zhRr{CKu7nA&vI zH1v2us8`2SYdkah-B?Du@uAsUJ_k$*qxM+5sjUU0;AUqD7(>VArl#iRre-GOw*Ku+ z;!7YgKp8Fgug5>Xssyu_8m#9wc!n&eibRo!x!sm0)b*Ytz_9Q&9n}eeIa9@XrGh4& z^G+TYr-D}#x3-Pfo!c=}R&x;;9=1b>Lyt?5&t}0c01cGY;N2ng_|GOlEdQqRk-FZ# zRN!afNR6)b7@JVwe{l2v1ALb5f_?3mm%L1&ZP#EFlbl>mX7Q5ye!0S9Os;+-xYTdb zC)syl71(?Q^@aM8?IqxpqY}>=Voun=ICYML=SFbkMh*gzz z?kW%u(udri1?rm%LmZyhXU(8J*}K62ahmSm#cnlb#>T4ii_ko9QZV?!C@-a0R588T zDk>?6oZ}OisNk!tV)*#&%>AD#|0lo%_KqJK8Uuhsj_6H%o2t98!d&DjVm|~47Rqz)=yhhG6cXVKxEA9&d;Le@rBxpo5QPqXchHtp28rAIqb+_^hYdu z@_^=9Q6!-JI??x8o1>xfjQ5PtSeZw`nzK41Tr;NtSqrnU^6l~ESpUIN(U9qdzfUbH zGB@=N-ri2psf~p9;A-|JH>+Xo-rdqG_ztMau8}8@xsoFla0NvRLY5KUuZn6hgQam z8IUurVPO?*9r6Wv|zRmJ{`%yPL5g^ohxF za3q}_cgkX8<6>Iln5iM6CyndJ=5N7S$3pWMA`kjk0df)q9Yf08~>1hw;hv}>s4*~8Q4jqS%|pC{M3BOCj`EL^_^KV_-i=AxzQ z;t==~D%1MC1jGr9iElCouf?|lzSdhhnZ$IFTyK`HfwIlMvz-6181es$#e%n<$RFS< z*;8?uMc%BGlqi$zl(G>^W-ko?`os%|0Azp5{=LPvumMNq#jqVq0|>pDiN!YUf*g(~ z^}uNCX=r=L*)KF9L*9t~6{L;Tfu{8%!(CK=O4|0jb7$%7O#S94nUm6yBr0r_J>UZ6 
zZ;s#xqFxAGsp5dQ+`x66R9`(Vz~9K%?Q?Q13D?6VtFnK3m!YKS*N!LU#X>r2-yt4BAb#du1rH*Cn zAC8LN7em@aX=G#mMuWx1wZ8RgLtCY8gRkZQ8V4u3#N`Z9di)QRlwv|07^#`ZW4OXr+{Qa_t}n&aJA}5 zGV;VkJtPoH*!O*}EUd9mee`QFV;|vP2VnW8%J+K9J-b2{Y}Bs|N!FF4bi!~w1^*3$ zLu5fuS3{Yalnnhcm?neg>_HCNADzjhj#9tJdv;D?#I5xFxL(N&q4GGoQ4VG! zO!U2A)KM+c=f&8R12!v@i)-TpqLT66YwW^KFws=DD^{9(Es5yr<$7=5sWqJ#*0NS$ zQ2mn010btI3O{DUN+rml<)<%dDQ69ogqs!)kIXDgEG*1SjEziy@5Jb#m?Bzei__D? z8hTUHvBmHOiM&kR{6FZA^hnXY=Ra|1IP6dq*Sz;QtX;iJ;gdrIo1@xpcueB{div34 zdSu9nA+LR`5-EY7QYVGNF(;?D;wgAAfdK(lwH^2T#6qT80V{uRa^7h`e;xBqum8gi zmg>9430+t+M!+?rJfXZ3Om^OX9=G}KUq9)SJB2_f1B-V5A*z4R`kz|r{@0fz!aoG_ z@0l>`f6)Bjldu2!qyPIWY~*T1<{TXS0mxG?1VAThoO~>-oIt7}zm*fuEd^jEkvvkH zEUA5T@%DTVBlf>w7?PJh`|ry7S*OGcP1pD7dLA1C+e$zGP}6p^JX9`mKS->4nI|1? zE3{6cgIWO|Ms9n4SyZvRpr-wr?ao*z!*NsAV8YZ-JHL_bGTd}1=rD^K-d>5VkyG@1 zE}_-$#6Z@;|G*p*8RS(Biv+2*8a4812xhnnl zi1+ZaT}aJd!KsF{L`e7wp`UXaLVf$k7_itE$<3+*3kr?tD3`(?Q7#%NW^Ygx%ER*T zgp-5b?vDqCP2ntT3!PfE3*b8_gy_cUxZ^vH7&D>I55QaD9?uAndQlDEa*Bj0|NOQv zk=#5b%Z=x9CIQ13jS=bA-x$|~ap>kx5j#MECo#R))^SEu>eA_m6_|0n_Gt?*0) z;^VPJaUnaDZId758BR{)GVF|o3}v3Pkb?#>NLdG|p0}r)lU24U71pse*GFwNrEfDo zM-AFHJxd1Wc@D~WVY%K;ELQ4tIlYG(|8euZQ`3tVziS_uknL)%mu!amY*j8VFVb^4 zUa3yu6kee>8CY(LzJ93UUQNarpQo(Z*zZqI-ER#dA3mM>bL};4jl~JJq&5;7R=hm( zDEF9TiYZb*>RiV6;sfErp)b$yF{=oY=eHCE3ZBr?x)|P7f){)U80r|vwG_oYVV5V4DMkRZ;W^~z%je&hwZ+%T90h2j*5h@1wE%(BOoAh#`k#WjYAuOR2K>y%3WR#v_LQOx2VTb#e1 zcg;J-)hxzN)bRHhp>0kW5Tnp9BgctOT8wc$zYVIocF81zV(0d+LDAacZHIP6b#e{! 
z78ORs9>_VYeF-0`wO)}~ASJEPmiY#6X@QN3m>{3-GACH8FNUMpLUCoq{v&^qUB5%j+B~ML5E@0h}q&4CvWKDlQ zciS5M@aI~m+sl9O{k8B``o^U*89FNdz?+tq7Xr6U_?4G(3*8-bZd8_A{G77rbxVt{ zlKFY=^MtqbvQ5Vinifd5y?;Tu&Vn8rtsLp=q8r5m-r z0Hrr$rR#61<|sggg_oMQ?PjsEHSVvNKAFgpxkk;R`a~o2nCSccz!+jUd?dIFFQ;Wt zPGHQ~Pnn8G`O%W2an7W&X0>0d-=EO(Hy1XF#J8_khuOnfFK(Y_GIr;_38e{jp@NJvLawK~NcF*wsc@(YIUIAO6F{K0-hsgo8|ZdVn@pOYw|GA}ots zusP`GRQcnl$Lpm|t4(!Xn#N6@XkpgdkxvfoKsx^zLdb)vVctzt=onl7+@1L2h)s@7 z#DlkeUGVdua{B=@CY(Tt9X6SlnKu>_bd@V&v`TIZC@)$ z_+EG1@VG|5AFggw4?}jJ-@C~-DNzvQ^EhiaFV%2*I=)e>$BFxz5d+ob5}hmvoEZ|@ zR`aO~Cu{XY-OJs)N4L)Q`d)9*j#n4-GJ(o)kTm_=DWgtHAtY zX0=@QMe42FlfJ$XHSu;^JXt>EdyRQ^ri;e)Hk?hA&MQx1aU<}gRed?1kmuwiY^a54 zj#lTy4tx&(#-Kb5|qoUM;)KKgr^r@BHwVsyvc#A zLBGE)CfjE*YLe{sU3u{krx4P=m2I<`PxxHTTTju`(d-0U1k-0md{gA}EBh!3+etgO z1SW%aLvbYgjg9``@B3w3ndoz#_rSDNJ-%6G87QS!C$nmdq$mODd>u_>iQghbf~$5I zt7O>kz96kelBEvfW5&#!Ps(MKQjEtCeM#1Heygt8S28VPIxS1NZQtblGG6}l2>z?? zq1~$qB=VJ$E}aq`VwW?Dp!!fBc8*MOFBXZ<%9mRKhUr6Ry$^%xxrcZoH|d>%T`MQ& zQ%FA!SEmkEk&3tVv42T;i_xF*XZk?9uOic{Gqd=RR4 zJ!(CyJWvQ~&xM)8FlJrOdGj>*Ia0Ir9cBite|+@Z^$t>$aMimo9S@?plFHf7yKf^l zRIl%vntDSztx;BlpJNkURMHn*$5ZlG9zg^%Xn5%{E2mULOApVJl;7jhaehS<33E|@ z=y%uqD|oNy_uU1GkUmvG>3$*e$~@9j6D&S}Rwb z(gRH7t*z({%VG6huQa#@Z|(WZkZr?gq!_{IY8p%t#WPc!nK^2^24}~=^Ydc$Fg{RT zpAOFA+AqpKk>t|Od~S4uVt+nx9!KNiKgTvwG`mZ@U0C>J5SFY-IeVnMvRXp%5oRLa zD_w|$H4Vtlu?dtIk=p>RB9)#A*VC5UixVGLV-}4sW`yK@|e1nKyqDqkX7Az4W zEnOOT&NUTwwwIDhi;u=&XlVu`yPfXapy~By(hv&<#R}mauz84EfuA(GC%WOHI%fEO z)@qQyM>;1Ea6FjdSg|1{0~16-yL~+}FMIg54#p51waRj@x5GgrLwU!|WSwUds5q0A z_%=1@>O>wCB=WAWH9P6RW?T)*QuCQCmBNs%zq*IOHjUNivSKmszH}63@vTgS-kb`r zz+C^cI(2NH`A?^aZ8pB!GDE3LmoNIV(I3%6DB_|cU6a!9jn)+;X!Z{1)eJWsdD4A+ z-Lu3~j+@J2Lh0YD=&Hsf(bI1j#IF_&VKdzF9kv|8-8|qNYw6nRFwLHwVspN2jehnB z&1oZ14#Gp#tjk-EVD;Xnl^|Ptr5B&CT>jzbn(>f?UiuAF8)i40oF0S51!zM~8X4Zi zaglpZ>S%m7$%8XZTMcwM1&a?9ya!YmgOmQS+T%QTgtK%?FtYFxd@U^kfZMd67 z;3F_a;AKd}f%pwXsZ?>QtG#a6Z@a!<-`trXKpE5)wqx}EY!dO79z%c_TR0a8e)?nd8 
zw&U00&V#>(a<*yVo>sWGsh(G;f@UxRA_7o{g&6Q|JKH3pYnPb$Gg%NQ^e|~cp%M#* zgR*N|eUS``>oC4gTNJ{Q%Q>&!{-NFL`gTnE`Lw#gmuySil~CV5tI+#4+jN#FJ}=YI z9?TzycVR%=xit9isb5S4%E{@6OXcto{r#zu|84#F=c>$kAotxHIRn+y_3y4Q3nlIs zzVxe{9xuEQ;pgGi?`h#ppL3@&l_VvLbuCMxxYttMeXXefTEV}+I`h1G6DYWEO!kMo@l7y#Z``wQ;i8`}m7mz};yYtY+xRq{sTT;Su%3Ad*X z-8Wpe&)*yWG;j@{OHWS{A|txhQU!D}*&A!JGc&M{?AUrT4xekaE9m?`G+k48TY}>Zg*k}J2=Xr9GtC?hGf9reKi?wQf&u_cCzxIYc zGGSmtyxDc#_}syV5YPKqjl@=yJ8k$5`H9EMAv=7Ku`PR3#|aKHXyM>;MSK?)dPJLY zdJbC6e7EZof({ku&(2YL)%ipr3V9;lNeVCPlB%kp-LD<53q$|i;*)2&S7y_Tm#mbF zMO;?cOkWn4A;R|nH2ESH_> zvRxmhg(mCwA6zo>=JSvzuHQ{LaZ{!Hsf&V!WV~OLv~@jSCwS(3(a~=_ebqBJt`H^r zi9?0ysfVWp*Q;{;tl>{zGRjvTe@YKP=Q(noKX?`;onOpmaf2j?4h_06rvhD9G2lED zTI?(^}j-M#6Ak3Z`@asuUawQxFBSWhoI9>1}(|JvjU(N6*q z!4UD8&T;s1tjJxBq$O-hLU$}p^RRCRd0)w;(v6(XHe3y*4AqfhNU|F;PZ5N$wzZMS z6ufS_OnP_nt~_n|vUS9YY+E)|bJFSNAf2$&s^XuJ5MOt>k-^HWG=+g3KEcF@6ONs7NMd)!`?z4hu?GEh= zHY1yO+ELkvJETMqI3PHx^9M=HM+t0?_dr!fvu><#hLzg4Cr1^}Tf(7VfcY2f+LNC$ ztOq8<2YH)0V$G&AbXqZ5q2HZVu>-s)-lcY&7JH84X*W#y-*H(-Pr-tSLU57V_VPFq zr#=ioY98~h=SojQ#7S3ZQ*Ws=s>hGCU_X)W@rkiN$qzXywuCfCMN{p;LBDgHI^GAN z!!{+@a=$_!{*4Tl7!Qleu;x6exsqYaDbAP#14Z<=Z#BNJtk28!GgZ zjUuQ?X%*G!h3@=nE*ZL>CrT2i09Cum7R(gRoML9AjuhHEV?{lb>sV%RIqr)(X_2j| zT}9-nEzhEe?~wYRsM!-7+eTNh^XJ~9{|Kfh*Bp)72QD2Je*bx9m>V%TRsb)L6* zb|w8C#)}U&bn)e6#tSiWd!~$tzIsQ^u6W%`PrCGcaU{2-&5zXz*0Ii5jL*2RId|3p zdk9-wRsvtJBiUPru-2SS&HL9$#TVLO$+z!PAbkD_t=BwzB+-9-i}|@q&5XRp2>478 zZt?8+x=^qzO1b-i3RyF%O7|3+BCy@iqPy{Jp*wjh_8sE9`7jPR?i0ZuoDIY}pEhld z=l&7>DgKQ*I5PFc?g21JJB_~>6gS2gg~o~3B(w6-+ZfwVzOIhCsII*WQmZvwDFqyaY1h$tNJtFdA3V5= z#KQQwQ>xQ4Hq5BzfhztQNo3>oT7@j-0c(s7wz|s;j?a$vo70f8{DfBq`vUemZMp-% zG6{zC<<@0#02#2-VwVafFv}#iMin=S(w9A2D_6`csDK$Z%m>=kYN}@lhlSsyf7;r2 zjQ%X{{+qEBa4Jo6xoC@Bb)U=m`=DJEX}Y{mc#^c^$B3z%$9PX(0n9T}(=qle2Q6v=lQKTCu4iyBKke8d8mhtM z$d#f^3lETMH`aAsohEf)7}|0um}ziY!rj#{1Z# z`nofm_B9?9a3NdQ{^`OHNs5Khy7Q{{E)gx8&nPuu$fp~80n03T+=!#%9vd)FJ}x`V zE}uxl88!&wJ#8}A7cZ00F{hJXUpSut1-^cuH+! 
zYuVccMB`%&tS%q9BcVn)cG1a7B^t(`HinWev!+gu(#x}U6me0`Do!-*vx2Uls|0^p z+Ao%(>ALth`Ro{L_i0RtK7=ko*i!1iYx$D3;>;E&GRPS@H&h&NYv zqu0russTwP?oAaL7*x$od|68o8B!*PY*FMa^)7VXp?^QTp*3U1Z&B&wo?3Yu$hb{^ zK8K|>JALk_eD*a1T|BFV{@z^?fEnsC%N>Y(Mr_u?gO??%`#Iv{liheN5pKXJG;2MQ z1rLE`^gS?qDuJHQ_QjWuwa2XCzPRsEd$L2ckYBivpY`{=*sAmbLCG2{$V^yNKY|qm ziy7K>Ukf#&>^20{i1|75%wEegI39DRa%NG&6ndWBx=LCbRYf@rkexW6F>r1a4IBwz zXgzT)K>f$Op3Key_p8Wm4qxkIa&V ze;2-V))ZGWp7;!_0AhbMHNR)-&^oZcd=9{wi*2xAc>SJYZp3MlH)Bl!fke+qu-~ci z>m!uVbm|21to^@&G@bd~6z5&f$oi_FHl!F@pi`bm>I}tItoUy@|2SM$Di8RaT7fiY z3K4gPR3A-}?7pW4a;>ReTmhc|SZWjcd&qE**xpt^NA~$a1LJ$-<|^B}T+N}+D7H2j zNK-J(bP=(MFEob-wjwXIVp&N2Jm6Ezk?9mI9x4X8pT4KBq%RojK<$YVpSvhN?aZzn z7PyK73(AUJ0-6-vB%qjJcivrZ#mX-+K_FP{jSDUz9V<61P=NX&4!eRQ7vU*V@DB>2 ze~R7A6=HG=coGNAhSv67S(HjH&0HMV&{Fjp){Ty>C;wWxS>CsN7jRf~xE5+yaQ^zY zT;7W*{TYIs#NJKuk=LF#mHd_j{GN?Z|M-0`nt!SUYf(b{u0wL7;?(ELQ7?J*-@*or zl~EPL*~9+)iMp?fWz94t_`b2OP4UN-W}k!Bw^#kTNTFFVt4@ztglpH)75k-R8UCs8 zXsg%ywVw-Kj9u>+MNHANdT(FSXkxl_Emu+sRNXqFMn=!uS2r{B*)@S7qLcHAT+La0 zDpj4IL&zPWad&7}uM*ZTLYu;Nf0-nP!8n@@I~K z$G5X0e|5)@MhZPe9W_P0UtDbb7xU&u<*SY(KTT%x9H38)%|VDE0f=GNwT{;NMp<6O z_07)kv4=f`XKV_GIPtQS8N^VxU?cXU`& zff~>K-s|`pbGC|bi)Vn&T8fJj6qNx-(@FpKe!^OHfG<_=;j6N2l@9_*iRt{cmF8kUpL)cbx58Ahl@l^h=Q3n%%edSPcn~3FEjT^xP8wkyt}?sP_-_l zy-k55igVsgUlSg9h0R=Q$~07;-1o!~K=Ho)>8O)pyqwt*_kq2W5q!6)hz^TOHtxBZ zbWdJDU2p17ihHm8XaZ-({SeW(-Cp%c60r;m{QJW4&8DXu@oD29NcYmNnA3Tb$Opu+ z>U7<&BgICsc3~T^$Eg)n6nmxph>2fn3KMBR28L&MPYmwKbH7k|9-}^IDBH|TrP2@x zCgX{3+46subKSxde<1Aq(s*_JQ-m#_fw0kc?4{rBl=xP4z8Nzy9JMjnAp?pUTl$%g zKU1M*vCJQ=qyYkH&KjDU5z3o)w%A(H(_+6>40P2LyYt#|D9iq zTk^e`pK3WpCAMPIYUtsb>3+Z+6>UD4vHP+3R?XDKdXfYY!J4pBr%t+*{w-Q!<4b+} zNEBXHKD)tFvz@fa)lr=3U2GMOv5_#ZZ3dw|6+YA0$aW9Y^XHXdcn+_|3|@LjtTHF_ zA8tAI;^r`>3GA_Qhi_xrcn}}vNk9B_%mUgSz4`Pd|L+A5Pg?q*2*aXl=m@&^Ajx1$ z^-IPfSkwH{?(XYc_;K|5I$}MSQ5Meev-@q(e=?F&Ki|v6K(0NHW9ukD+|GqLYP;K76gxX$e!IeC(8F?b23mae=Pe2bj+%(Lr>#3W*Zu| znE>rD1Hh<){Pm%`9Q@D8p4F=<_HeJrI{lFV*kkWbnkGd!I7hyY*4>gudcR6HbFVcs 
zF{?jdVhJ-!m$0)wpB3m!67o3{lQa!o7Lvxgnvw~dh83mdR!WpuVI!lRtIO+NL%TnO ziNHj%-Qb&?f33`s7ZtfGv@~_z^shumH9f4q?Scfhj6{+_APra<`RplXY`e_M)@QNM zfrBxO3AgVHc-9j|=YP1f^#!5VO_}o&rg7ll`o4vRsM6wRWPt|qr00I@jt}HXIo&Yv z>0-u+&o%LdXXw~zc%q7tA=ktH$Y;kHwGd;~^r$;1t_eeIk zU#-TYl+}V>m%6gl+SZ=W{q(K36$tsIx!iJb;o;zMdG#}viR!9r`R*vk4H(-gHL$Ta zhe57%A^;c*M98~-P$q(`gvyp-yM_8Aw+KiJ%2y)TFRs5; z))RumX|Zt|4wMG;L0uT+*p64t35^ZfX{@>*Q7_3u`x)7{xR6P@XWQR5i$sTS>V-)bBH3GcRi@7qm z{iTwOPX3L;Y3-#CO`n~j7!7wds5X?TNrdo)y@x(8ceA_WiTAsLDk}~MP#EM`7*FUf z7^q~-u8Tnhnb+h?u-stxah+Yg>w{B*<2>wQmV%bD!^pcX=c(8lcyLkd>lGo5J2*%& z-f||y<9c|-@rRW9Ipd|Cc(W-MVs&EW__@V5Ju9!6CWPd>6zM+fwYy9TLAA(mIkeb! zM0Cz?VLfsb_|4_gBS~9|KT0iod6r)2*Ut?h6aRsjTXy-sp23Z- z$&Bv=KoR8D=+%MkWWn=>WNf;^6K)|=_MfNAD(A6ZW|CpOfc4H>gO38U{H&rDvwb?Cbo#-B0G&(XK&QNv4=!mE%Y~)pmZGNWd3pM6*o;4{rpzTwiit7D~k4QuJg|*d83#eVeXo?(tM%6 zixk{Xx012>BO1H0PLH&q3j8^{J^v=%TYzQ@m3uLuZyLuojvn5)w?jmuCZBdw5m}Oh zbz3Iq)GmBE0LJUU7UcWbVZdX0Su3W;s%MyYi{MEA&I-e&I;FH`UJlRGM7Qmne|ZSh zw)ZgX0|c~{DELRj=e_(@YqE=j20_AK0yfq@6&KN5_Vd?+hl_JZ^`|(QncAp2?iU8W zL&lIo)PL+MnfFZc&ktBZgv7L_6QgDaYHW0sc7Y#$=zrXnKDP2m8u)<1_g`^3jni!M zDD``@lOS+wilwU@LmvkNsj4lhsV-2i@tmVI&RD*fo!O^oLmZs-*OCN-zZr(S4Ug30 zQOhY=h3e90GH;6Uq??pXiJU|e4xd}0>;NuyLTcjkG`e;}P&&_3cVaTsfSK>#qQ^?@ z%c~<7ITQWKk><2H6XscRj|mnMz9N-BJh>^pjWv+wt6R<1t(m&&OVf}zLhbD%7V_DK z4$wyz2eqD?$b^FkEo{;66XGDE1V1c(8kf7FvYdAqx7|pYD`uG^ zo$zxjzp)MV>Ra6xjK5U#EQ!>My6~<3HllL!;;`x>MUzZy6OI7D!m*xVWfetrxUcF-A@}_eQ&w=~*y&T?DJ{w)% zj$a4MBKKjJ4DGL{PJcNQ*z4^o70R|5W6OP2-$k6~zALL`a4@GTc)qJQJu$b83iBeHp1=T}tOI&^rA&F= zO|lXs<6-P^hFB)*<6;+3O+ZmQNw@osj- zY}xf`bEV!tU2pj5+vqc%=(U;_d@j+7>sK?H@rm{yGO2nS+*BuoTB_J{ePM3p21v|j zqHy*@$8Vc53ukI<@QD-h z@tHsaClA8(GZ{5Bp=`PSDQt}pAW@XfQ=$?u!aomg7e7I5WYHDteNc3Gzj3CpZ4heR z@isNXSn;&wnh$zJVQC!;*&O&l0rm_HDZq9G#yu{fw~Ip+g~SwZ&{&Ol=<|MZ>NrQ} zNjyp){#kR~XKEmuTRLK^HFs=;?{!4FXFptOQ-YZe2;_O~Ir3%)0*UL$EPU8=cOo#N zs`+QxGxP@!^>x*1x^2mzjkt!B7{BPup2}@5|L@it;5P!|c2Xa5S;O ze4!*H8^#8I4Z9*-LG<%4`bD+0GKQ3@neVGH@2M+oB<=9@+-ZowP}Q_c=_f~rnW;w# 
z7k5sEsp#djrH{+J)i#7%g(ICp;q!wZiJ*Xjfu{GgRx17nXKWB7(d6FsoK-mN>Mi!2 zSIJL#T(MNMr*{{3(SY`7ham^8%AqK=O=hsA_>5@q#a!i_Fqr!;T6H zk2ZL78+x0o#UUl`YvWV^^t>2y^+=w|X5#9edVEB&kR`uOhfO=2$QaF@KSt`)MW^`s z^`%eQF4ZhPi}x#RYx1rMac>(&9GY6AZWwP`ko?_`AbtGHnZzB&DcsEhWgb7yiy2qz z+h}PpkZ~dT3?>U^??(k5UAC&w;O! zi?YzY?GJ6E+Odj6YZi)EQ#K5COoET+v4{v#FemapI(+1Y?<3+FMtcx#DK4SCsbKrl zL4gHIc7aPflmBybDIpebNuywW->w zX;q3QzfCafwyD~-7>>mpOm$k9I8xpL&x4dp#1Xi zaK=po2H<=dJ9rdB*>c0o8VhVR?G&Q9HA0ncd&4|r5&g9JQu%ij3j~xLn~&xivRKm{ z`|yF9#$$_O8cpaqE4>_8YQ!EA^Mah(0HU%N6xDZ_r)Ku{&}j0%CIr9w!NsN1@K5u! zzRM=mfFov_FSBRcGt}sQ1Yp)RwWHBT$)KMz+GdJ3>wlrOTdtS<&X!xTZg-Z6!z#{u z&ob`cPw*`Ac7@p=m65FZkhsZDNaMkjK@9>F5xn2v<%i#8u-k0@i}OSbcG{;Y_9T&I z8ghj&?zQ5Z%&5~ZVHoqj<`a75$SgTkwP3i#8*~4;c=W9K%`{sSo*su>T8dXruGs82 z5|j<-724N)T2BxK4#slQx6l4s^c^yV{Is~wZb5fwHefd{}r*`fBtNE->D$M92&4#{5k#st{^nwur#2M+` z@_SFxNkaSAy8azH8CnG*UqU{*z7(3$=)vzFyY7fPf5z^9?&qW>qO>M$Q=WynZD^z z7jwtFt7}Ca@s%jSPH`-ekDB_^1?^uA>Dq=IJ$ke(Ig5o7 z`t}tLw(YAh+2D|55wcnMw;Dn6l&2TZA1&=naC4h^izoMqJ9&-@fie&Fb}GzpbD2cX zE755?I*Ht@Hw?!W4_zX{h6)pKI9LY{-3nybBx(h$7n5q6JoMkyMP2f1D;79k3v?aQ z35P`_XKl6qfKls|ec!W|mH)ZwNAStTv#u`>0pcwR3i^z3Ki)GVvg4xd>9D2!@Ni(e zqv)a=_-aq)WMt?6==VU}(e@zqC#861Ca#fsvFa{;bDfMxSDE|rCwsxPwm-n!IBdhZ zki6uKZwJvhlmB^$)>?Jz!Uv{_n(2O=MK<^^ zN7w2gixQ&6`Jut$JFK_Iu>HYwgVJhC$9w>g-&~{{s0K7p1na&!W(5Mt(gbMU@?#+Q zBPTvA`y7p?*!epJ%C^06-g#p5)90mVfXUQ{nfH@~(NLjHear~S*PAyUtdDIlX!|OT zGb0p>MGUL(Ucd^y;jO>-Dlud-{55ZV;%;b1G3VXtPzg3n3T@X710hA`TK)?UyI=v6 zNls~Rt8WJrgl=^`G3r|^Yxqa~dt7&1m-9^u&@rkC+UE=g4cX%^)#o9Y-$eg zDd;fhISV?kIcQE}KBWta>U;Lnp3L_3GJWpGSv0`ci1FZamkosm5XE*?*EYgm#{~0- z$BY(7c|#yck~QB;rV4f-7s()!gy5Va+3_GH7w{p@FXTIYCTMW5*s?0y^K}LZjU_p@?%SJ8NT8aUX^bLT`ht@QRT8fiZ=mzS?x^#Y@E{_nG! 
zygHiydZc>j^^rlCKQ6sf1_Ox=bz{D=_I6wi?M`S#VKi%?d%zgRCboT+7_*H0hJJdh z3eoh3DY;-mectILO*29vNZ;OqCCMunP@OjF`U3BGHrBGdM5XxYtt7!P1paFQ22`r- zzLeg4W}C}OS%Lylq=S!jNSs+yh#qJs#7lLJFMKq`vE;c$~O(RWW_3^}2Sb@1^S7Z7uD!GjW{ZKH?L zL+zfGRkaaJ&TlQaR^zi<9bqPMlUy37dvbLPYV{^KrK}Kx2p?uKE)n{NL}M}8S^3zw zxQS)ylk+L5kzquFgE@IFZSaywc>C`kp^Oo;Z8o@YRpgRLtmM*fh~_*fqv zIs#BU+k8%T>!Ny-oLkHoz4~)!_y74zhUd68={W*l)er@Z?Fji%`(KJqz70r^n@fBg z=vP?R z1g#gRh3u>HgBbx)y zA9wSx&Sk>Fz;HyrJtNP)>D^#)okXoa=^kCpx7&FIT{N^h;+d3(lv>9{pc&li_lgWIcc%qzoD=1Rrgs^U)b)0WU%ps zy+EMiBbq1+zrIGhj6Inr1c zj@9KdQNQw_1N-@!bk_)$SXlBP*`_xP5I*f+7yzqDAI^U^lUv0)SCo=JSaL;dSFrEJ zPKPW_?{vfmLYI-U5==2@CVp0mE4xI=r1kzGTT(Wg7%x{QbSnfN?JW?XuKk#{tcw9* zl*A_(<22U}5R5NLgwYu=bP%qoCGdH64ZyCy;`mK@J=2`7kO8T^%|Vz)0L{aXc(&?s zq3UtYZ)f4TO!HChm(i=Nrp?`>(OL>SD4<$50hjbP6-HdFwU6_b0Ykf!YXfqwsf5(? z<#9ee{M)M0ou_ct(7dPuC}2h!g9GOu&b_YY-pa}jOS0Z8sIS5y73zVk9~6*Wbh_3> zOKE$0 zNc+Guj5sV-CLb${n3{_?#pC7Fzo7qt02#jz)P5}4T^jNj6+RXR9MS8CapaQ-1LXP2 z!P2aE4ttQRz%ZM_E+LimRgcLuZN_)#tb2EY;kFmv1-51FNY_$U5C{NGUujOx{|f)| zr9(w#ES8>&3EpC}Fx;%dR?JusY`J7g+@#rqjT)QJkk>4W%eVB{aLZjBsr*JZ4lXGl z0cgN`J>HkNIoyz`)diHN7Y9t-Bz6^0Pm#fZG3W-_D}ApU^Wnzld3l7557r=NTfMpZLd`~B=Xf)u~_Qaxk#P-QNSl!g7>)Wg!8sHVoQYjhB(X_*n zs=>gntW!HP%uBwAH-@JJG*qKFK8%(o^f%C%cspXf&JZ#c;x}Y<$IpSbU0GQPB2WOE z$8v8VA5*S3mNe$LMX9YDdqdow@t&l{9{pfd(86WI$R+*a&&XFRK`)GMK#6UA1LKvR zR`FRu-fk~TT|UHw1+rU#_v8HxkVX6rB!aRPYY**qKI5tEqA zD@SB3XMR^0(cGpKUlMKB4>Ld(#ine3Cp|@y^Au$%R~}121hZqh>{6N6qQiX->QnT5 zawWbudJVJ9w>rDv+p3+Gk{xl_sDuJBT67vs=qMEO5@O$Kd%!SJ6Ds4ACS5h|S2kz) zhmye;o5TaAuSEV>^shXg`?xbt&ErSE1tYrZ;3Q*a{q&bG=r5UbJ{EX}d#W@~Bq?H~d&IdB|O5*tYMlX3AnxoHfRk6F; z%;{+i0cz4$?jCsKkuf3m=?6g3R<6xt?eDTu#<@+ZuXB^kfy3W1jie z(epvJTH{5r0ewSfJMWh&U=#?W@a@6KV7>c6|4O5FK}zRQyD{e)mq>?^*6)t-J}(3L zQ@T4~qMY4@J~A(t9z00!^(UpS+0&b9E{MZ;%q%p;IA>Y4=^_!8X-7Em#a-$JHYH== z#P2~GA9VfkPjj*sSeC5kNEKFT%`*5T)pFv2jThZ4r+!!)TjT``Z`NABiO<;+_@P*S zaERe_Ik&-J%1prLR#n;n4*Gt4#bMpg7-rN`3OuRqCpqwuu~7jEyl(Vk)?_9HB>lvR 
zGp1Dzwv(;e!vm7xMWjwvQxJh?S>r`6eSX8S6P0$O2m%HUn3H@iJIeY(Oh4mpE#%x> zl0WOrIHZ!yQWhvCb$>Af`!=&2jrIYsk*LUNH@m!v{OjvvV;mMPDk#NYUr0*VwXlyL z>P}n0We0g3`xlEZa*S%9gj{jwICP886+k?J0y1^kT~0&NRVXmw!~tvi{UI(NqjDH& z&cxqd#u#~r<;T~^qT64IWv&siN9q9|%TRBaw>svWHh-`H8wSW-lgxUjRyU{T1HYdy`{%z>{xh0H~L!^Mb(NW9sG)rql`PaV1al85CT=q2>^oD zKZt;LIQLJhEa+JkG>zM@z ziJp!gY*BJKMVddjZ&h7l{&1Mz%>V*4@8RV#d(h~L>Vb#S56+le~sF={sU9<2*G^7L}x|6jR_v} zOl1ZY<4msfX@M;<|-@4Zbi4f^lj5YwTXGe<`G4wDraSGg^bN%j23pI)`= zOi2u__Aa54$i8xV(0jtc-A9u98VZn!o(D@pXo}D*xaLUuLP{UlM-ziUX6)I|C2WtM zzpoQ%S7X~Gc97};tzj`AKHtd!6w^&&-lIsY^@4-dF8O_J<6lCfH6WCR@i0dSMnT1j ziQ<>)a28Y+@I;jjvUm=Q9(jzoKJmAV5X*jsi&WdzJz?x6z8d`_r-ltPaA zSP6hKl|(-mJZN%9&6m1jc`*lY6{zC*JX*C+>ZakoRDv}qS_=dsM^(^4{9~sSk14Jq zRmcz5C5$WDD_ytGu{b|zNo}-3x8a$})~HjrSzP`QUF;JRE`K@c-VJR$++jK*uI&^` zc5gaBPkg^)<9+r82k3S4?Tw0)6iuCi6oTlGlUQm@azv!0$TM#*z$YxNgtwx@(HoSpLsmFdE-AkkN8!_>We z*DbM=PH`GL^7Oz46@=5e5j9tBF0o4HglU7XRkMa6kksRSPEt_?rdjHjPlc9Geo5gfk#F8T3yQytG0|KUA-=91gL}N1jBu|KTtlIJJsx%ZF_}{w@u#p zL6CSiPsGUfc=ufKfS_iq+aOC`L@8Y~v&g}kqNXaMU}ZpXWd?ino6_20Xk#<)lH@O! zS?{m5LGzBy?z;2mit}5omB}GPOs~r4ZsI(}fIU*N9X+?!k;vL_W;}h2UA8M|=*XhV zsw&aolPF>{VlEc_;u7E>^vU!lldUV-F>^D61=rKVsdV!08-TQ5K8}bg*9LW`{0%y7 z3v0-eN<_-5ky^NSsx%=V5X9K86U0VEXb9=1GlhV(@pJuCU6;skx&*Q+{iDWR~ z{Mxy*UMwz=Yvg!Y(}a-XYoTMWu^UgAEUlb`vfU&mrZ!QG_d2VbB$YJYsXe?hBNh_M zS+ctoA}e)$m#~dZ0yW0;(OTJl1Rn)D`uDSa=nFmOp^ZVC^6V^$#jIH^%zh_~P-dMr z&H{Rr5y6&b(?OE)3Ut>^Exr(b)nkgO@OkXOjDjt-iB`>p^x7n@Sz)}U$@!#`zo+x? 
zfwrA{<%6)g0oAW|eG=lU zRaH|HFapZ+LbDa4f*%$Rv3-QFS+<;CNL*!#Z?1h~ijg^20+eDc@GgZQm4(igjh71m z)Ds?F695O`4B+g8G`%^@1HSbq3y{vXA$M&Q0Ob-Bu)<356;RJOjDL^wQ~UK1@~)`6 z*bMYxz`+Q)RGs@#{=lfqgH* zZU{frNl9CcI_C}P61DB`Gm_{yd-PvJI_k=C4m{t|S0+fexH{xAMA+Rc5NLac<$EoI zjdD^^=KV!zsRizaez#k9uL!whDlX(NMdmZ_j;2(5?x|yJxXeMBLx(;R^VRm9DDuC1 z>nk{j_zI~GC7F|egXITi0d)Zy*Wd>1O-oUQk`>((!m1@nizc%Jjcq82tZzs;e>XOo z=?XgV5fFdK%Pi`|l*84;0L@`g>5o!xR6#}YEzt$s-C0jSWe^d~0fC4Qh;CccKr%QU zlSH%lLw&_0#E6R(c|1|28NsR>Oi$|2$m$W~9a9s@Gm9AtpL6P*u}Fa8fkcG}`1oSO zFTea;(Y|9*^9M8q@{Fg+2`mZR{wVCkC-4AJx3OQ}_w`2DL_XmD>T!m0IrLZRVimf3 z^UDqLqL50%12FxslhGl;e*WHup-__Cs})g%#PJnFWJ#kk2sQs8HmX302155T06xwf zYj9%ltYljN!YS|ijRk&un_NOm6zxX;Gb`}nmWCxeG7Qz&aRc(IJyJjdM5+<+HPc^} znDo$v6FQ;cGpzwqvzo_GHcAk^I5gKOejro~YCo;3dROZDXK)u^(D9G;O$iRb5_q`P z8*?-=x&fG+Rd1ohb-r4{5u${&@t4c7Ly(!Ae%mAOYr5_Zr@BwKr7?_&Y0{u zBk}o$&Ipc}3%qc@Pk8=iqW_e>)&r_*t3H(5kIk0I8;Rl&z<3t96 z9vqtLexd*q2+#Pv2Ty(77!#W~7;C%wqLyo9;__4x?UJtCmZiyE`|7n8b2Ay6n#OXz z?|^uL?1@8ww_k4F7ftMYjhF5A+E;6rqIM>(NseK_7=k-1~{>#phA1&w^z2vu};eAj4~i1apPbR_-9~H5Z(*oD3!Z`^_!`TR6Q%)&>(9b6Lk*5q$&sgX_&J7>Q1^1IG$cE4u zSzY`<#$Zk**`*5IX;Ka0D=5H zuwHRB41)qGacavXRk@%lIl)Vtv;&*(!KvTi5+@Dil8fr!OEy zb*+t?Os~~KC#9V{*rUnij!$TxeCbLqze8|Nh!Dt~tE0W6Gd$F70@UrR6DPYWhb7ix zz}mv**1IV(q?KxCYj0=ko;ZVnj?C)4Dyr#dpBpi=xS19lsgM>nHNk+Lp7T;tqOXw2 z+SIBB7CUr?ozX&nkdP;JQ(q!?UTOJO+^Zme?#FvSaFOz$_ehA~tQ}D>HU7=pw*2CV zc3g%O`L}rza2vU``X9x#V{ZMso?h5O6UzMrY;Z1U*q&54*u*jjNyXvqMZh{FZyH*h z9g6M*3icEosxb5AQT9yvRG3Z~7{C`OJnCHF)1;bU3hNDfJpOx~u?s&!|$nZ?aW%6aruu zVI_F&cs(%=Go?wlE_i7G=SQ6nPXVxU`yU|C)^MO{HKtXpuJO6lHk?I5Xu zi%WPo)Z~K<_Xe&RvkBdS5zluxl`rla>20%6fu+#8b2{sAjRld-si7-8;EYzB(%dOc z`|=_2JSMo@3F~2RPn)(`WQ`bY;VaPn&VXAvsa{jM@+b!M2D@K{sY$G``lc8V#P8L*+Bet zJ&ofzZ#N6YljYrii|Ia5QvL`5B86>QqbR-W5oE?AY+&AUJ+@C}mc}4BW`DneDR2-c z^D~_wQaulTE(!#*eR-?=^=PFppN#-YcwMEe+Fv#`Gxz-oi($v)mt-E@TsG;+NBI625-6S4oDiiJUaYJY#e-v18j z2C_r`ozwri`?r@cT3ZY|Ypcxx2LT6?{>vh!Wq12w_-@oDgxrI}5_W9@2)6bM3q#<)a=@&?O4+>!_bgJO2XTP 
z%f=@d!oKWH+AqH+Wg7TAJ)PVXNXTNE*g*W5J43|hQq!|=F&<*1R9Rr6G;U)EKX{IFUwL5_pcojwib^AXo z`nZ)Neew3-%|Jfk`Mt%^5&E%j`5u3iq4yHo^WKkm84+3>li(bBQ*Q!aBE4XqB!!qZ zg}vM16GD)d`%lOGOrs>je(G9>gRY@vh4HLFH^Zoe;)h*}z{jcD<-9BO zwV;fc#$%2yJ*GH{t+5^s3KadDllY(TMnTQCljyGA^u!qc*+TXBk-?6%s8TiL%rE~H z3^5VSg5DZ$B3e{2Qonz%e~G)r;mdx z9Q;;`nwtW;7InB>g{UIDGJ$XqLMw32)?4ru_aF@m}Daub(nIPcX8(jhr`0( zao35O%4anQe^^EQ(5?Hl<^gR_t5}ugRdH;ux-N1N9BEM@60c$>=^9EV!Y<8=P zF^HD~z`?rmBNPJp_=srd@wtKZkH@Sphd9$eE~kDDoDRc<*;OvUom&6*XoAmqf-_`CCZ3%~yWrWlAf!Tw?7C4BH5Kc zqi>}LdX*>*=GOlDuPfi=}`9RN<+)$w;}+di@!_TNwygigcVrjv^EsxtWM7) zN>_>ygp8z5!2S*uQFHwD70+Dk()O?>aM^CCkTRe}`5#T+ z0gq+-zONxlcJ_+Qtn5u>lf7rj-aPmQBUIpUl>WI?g(_E9!_QogCPU z{G3AkhgvB$$L$7VPLEziw14;G=j2dfTE7;5!2osZWLiZNHK!4$xNK_I`pQ}f(xw=h zplnX3$-IkBM5l06chmO)uTbqn;fV|8ZtfoqM=(Y!=C2IW;vPiDr)%DofWAqQY-c`E zlkYcGh0U{}&fRnblcWi632?bZjZ@`joK)jg3w4vW`6!yZ=jl|XqwJs7aTPpSOnNfc z*u|Ic$v^rSf%~F4z_g*MQoY=0)O&rx6^GZ1FO6E=Il~` z!g1Q_h*P*}4MY)`Ys++)smM8&Y`VF_6I>i~1FFOdM1Pv8UkPUjHYgUeegQFFzW4Fs zK%UK0XpnZRrpy1%)+teI_-nTB%N-AclnI^srO0M&>OUS? z67)i)1$AyWF`^;mcIg^d2@BO5DCwP`%%N>{kEz*RdGANA^QkPun}1Ks3I5FkB!d#E z=tMPX;1xd?YT>t$zj-|!50gDkR}cMqWQ#AqV>~cU^X|@}%Z&abEA*UUpZ#4x_G_!pYob+mgVpQvKq z-IsalQg$sa{*mj;vfA(YMUy91TOP!4>^V&sNqj=mE?&>Zh;UkYeRaP1&2at9+lStT zq}aOywUR50Roai~e`j9O%UFCLkwZS;Sy;Wp4~H@NugK5Y?CVgPY$C4ZUmGc1^C! 
z%}sq8t!vxYy=Q*9_V4faIx4Ga>VgW=H`eTk9NT3`-gGD8Eji{}^3l=gg!W|EwZn|3 zEgzk$&0gU&_BtfnzpK67RW=N^g@3txeT;gtOh-1O@CbqX^xu!SZ!cGZV4%zf7;YXn zJa0rq-R+07c6WCVgE1uZ>F&ui)QvvFo#}Hh=h~Sn z9$pIt#oC1mp|R!L$<4}q)iAeyu6JlTUe?~7Tc2wn6x>MsZ>$lxp*S-+>hbFCy1RoO z9U^zCxr#{;Fy^0C_m^#?un?HtZu=-hL`YSr@H%S|7kTwK$Y1EEvS^Q^9Rvj>5m!#uii3m9hY@)$z@tavC*xTK`gq|sUvJEr@d=f{QGqh4;oZB{(zX`Xo z7iPi3`v-$t#!BPu(%ByjK&{**^;jcf9dy^5By7)&?Els@p!1~~ZOE%vhFA+Dfr`qG z?NIWD6W31E)3z14TzL`t)V`NJh&X>H5>6z51K|>7CO+hL>9U!@2U3cIOf)|}<#K&~ zJMBe4!o;Vw?wBJWydjuuz}*T>ew1pCMtD*T&(wk5UKVZsvsXiWYvS@j{wv1b|Cud6 z|5Zzu8R@N2Jn4xFVZCaKknYOg50=h1-@sl-m-wE2AL)V4;Gkwkv-2(!E$pXK*?N0b zoGr#yPZ7C&{TX|4zKUZGhXeh8S8vK=&5|g^Sd>V$jMBLcXI_~^tI8ij|MV2K^vX9H zF}FDp-t1Y8e$VOFwBZ?gU-q@bVU<*E7CM5P$>NF7dkgRE$hO_i%zxK`iAanU$F{CH zG#p?1bHjsy;=&9Niu$VqO6kn+H$d$ib_fg%O+7;Rp>x*w!-!&9@5LA4)e-t#Khr6% zr4#i)6VG6b_Xr=MxD!)QS>$HT&tLi2Jp`Qo|6eP;K8mqTL=0xIW2N!^(mm0CzKCIM zpWEjZ4_?fE^^|y1WoYC5?|gZV0qz|(W8Oi4UD>66YF$<8l)=Y`Lf9U#Q4l?aocQVy z!bf~UU!+iu&7>~V4XBY(xR!_J~Nyakf37mw#41;FpZzv%6=GvW;0uav{O-FQ}m*8=ny2CH=uUSwI@T z?lbsa(%xx*SDFqrV}t9KI|$2zy;?=?&LnLA=Bte6Zk-X10y$n-lHpOGpV>N;TC_fN zfPiv)Jz&vjlpGH_IPbMKcUQ zE79FkLfq|}3k)toXo#}zD${l-7}P7L$Ay1b zwsrGn`IGxccmz|Z@BE~y5jSCteeY_jc9iVF3k5&ml&c%VF1TeH?8T= zM6~}un8LfS?jT@zi*oNHiar%H5_VoSgf0ktRXWY`@H`=5E`9K#>b2VISckRrI*lK? zF~lK{v8_iBKh+J(!Pbi^w>Piy84-F0s+sR;_}zC1&*P#vBi-A)G1=+4XWn^@@G+(G z$aO3KxQ>?Y5gnCLK#ACgW<##F({6)M;dewEAt6SFW=)3jh8UVbBGUPpua721M~{zZ z$^1857@rRZ*Qa<*_0;Ul*vp?RdF-4e+sie~UQGL#r*qITy5aGUlKc8+#$)@`i^w^8 zc6#Vec39;xBIqLpYI? 
zA2*0pj5`v`Id$V3h4s{uwz!T}?}Hkp*zo?<#U!yJ7lGWQhITdTfW@zy;M96ijc?t| zUW^6w=L%9q&I??D)Dr!rc)9dhdw~y*D?>c5tsj5jk>@%Kepo`YR0;O0m`nx<+3zt?2x@{xY=1``5c=sopt01S3x@XjGD(EaM z(C#pHt$t!qtjjBf>mbSu;Yc-16%&-s!TUJHXEz#$nqh zn*EtfmSL$3h~%PbWtQ8gM_elpHOT5ab`MDRQN@*1E+|-0V{`IoZ)y$ZKex-1wYLV< zD=I3qqMYPC4yQqx?X?w8S2)r&TQ18w?-4WHTm5`xDc{nh2K34sM=jTr^0&7o$ z>19SN3Q_Z;9t4NSk-Jy!_Ye*-bg|)d!uRhFdi82YeoeLhX|xL{42v;tPe!|4wP}ga zh9eraBwXQs{8oI&C&jxV!@A%8bR%bJ{*53Y8glmP3I2>4KJsw3STj`hS$Ww%#=D{) z@GTb?44Ka(Q~l@?By^qZNw@LUHB=?iIlrZK@3Ud57;)z1z&*#M5BL|Dil}iu%hyt3 zN5Y96)q8YRoR=UbmL%Mqc;)LvmlMd*f+6xmRc0;1KexI^^dU1>`f;-){~WPmCT(6! z0QF~Xj?2;~{7c-La@xiVMnNNA!qHk+Y}tw)TEzYIga@%1T&CkWl5ZP|VYkIa8Hz1Z z(<8hz`4~WW$e@cW_m0kNjr{F=Xcyg+pp0*Y8CR)2+;q3MO&QW##7jH+&tM3d9P4#V z!5c|6R&x48MOV~RQ@%)?(AMKzRMMU@0mRs)*;}G z91+zNqipHC_8RkGt6Q4j5WNh)T4471(!4Jc86qBavAa(?G^@vuBWVNA8BZWC+|e=f zpN0KsLyKyi8LSIg=9w|Fgx}wp8b4S5`?|r$Z5lI>f{pWwu^`Hhvb{BJ%GrH#QN;}! zK7miI&RpDb8v31K)4iVcWP9V3nv89`0#l=S_|~4z{?!|7Rc1}dE%!wx4+_he`uis)AN3{DrvjV4&klCnp&09v?FHevdoAtqfpjb^f+;t<9c7zS zmuVj=#2>hRbNFyOJ(Bku7^0E0r5wb95^$u{U{hzJ`HRSO1G&g6hh#!h71_whi(g;$ zoje|JU9pM;6c|znSmF(v%Gw#VZ2hqPz3=w!emjTH_=MO6=DDb7s3|LypB>S%;sX-$ z_;fs*EM_L%9Lb|*vQpWG{_MLppDXoS+LBlL9qc1FaQBF~(P~pB^-yU}Q7|q%71u!{ zwB*}M%tGR^tKZD7@gY{zjms|hdUx14=|_D?Z-_Xopzod)0;b%ey%gWpmr||29v*kd zu}->Gw}Es=#vkqqe9Dv6YpWrCsW)@a2V=p0z36ol#DjnoGO8R&8v2$2#?;`KqNuJx zMd;Zqk9-$+{|c*X(?g_ws~ET{V{;G(uMZVh4FofPlc;Xz=k)HwPUSs6l^dhSqYW5h zd4&=f?=9?XDoo$DEEaMneP8A7l&hCZrziJeA6nwiuECqG4KKwI3DC!A>8h6EIIsA9 zzBg;bJ{>FvG5;xj;$E=c7en?ZF?jXG+M%hZR1Mr=`Y{v*^c4NkrXB)_Sskr4N|Isd zl4ZU-{_H|-5pRqwOF&;)o}4yquTANj_lM|UQEWh3R4L~@pI8#OpaB|1#D$XEII7IvX4=Z z9G|^QmJkZYc3WEuj@7iWH<2Y}W*!}2kNfZ5mFC9K$wk>x#={`B`PlZ+vi{LjxQe-Q zpb-gRD5l>a{nTP6>qlPL6XZ%pmEo5Y`d<8TfY{ZNzKtRe~dohj-{=jB3ql6ne!1N-E=}~yuh%16GO%1AUGLi_QbLB zeIbLMF#AOyI`hV|KLvRT$psC~Joom zeT!L$ct$nvcy9u$u)KuKW>)0D{;T$T2KvqVUT{})7Ej+S&7(%DSm1rdefG~jKsA@e zTIzlb|%HC&-0Hvo#h7T`bDsGy>sL( z6b}7}hzNR;Is1Dm8h)~qkh71CXerK5U%qWs(i5>ROuhDq;m%dXc0jQ}AtJRAM~=u; 
z-Mxo+hrW3JS{|7^QkHp~;AHLd=v?54Pr;NLG5W`_JGZOz&q!$fdh6Ua;Z08Q29HPN z;ur5w{c4XL%(B#RoM*QOU+iXK4854OdU%#HR?Z_rE+RR$`_^#3M)o~xXx^3L$_pW( zyz6c0+Sh7Z!CZu-g)J_NuPNy9Yx$&JWtsBu86zQ)VB@|=%Z`|)sYaShRMOK-uV2V)sJr}coasC6raZ&`U?N5s#&o^|M z@2rN|Gv9NxD13GqW}D9kI7u)*_WpMhu8D+FgKON3(x2wpn_P0Hp(_5fymjTS%MdLG z$*pPW6Th9V@mX=g)~UP~7=nQ{^2D9C(Lx#JS5oWZPSC04ht2DW;0&KlX&(%aUGpl< za61LYH%lYB@lP#tO!vnOd30;ZbBuyw4p7ozaBJbbje#zI#3ZD-#QRIzg*kS*anhd= zk{hO;FdZ({S82Ij6HPsR%mt4e4#P)dJfEA3GW9U-JO7Kp7;(LfAy#)&GjUA#5n~~i zvQ|3+(ie9%L2jV;+*1Ux=Jzx)2m;WhCITh|I}z9 z;~>EbH(qZi2HP!#mdWVsn@R&>E1Jsm{L~Peh#W@)KhBBPy}t2V5bK)|wEx1tDYEFd zM2^byW^-3IAzPDfYx;9qh3(kOJT9+^?yqed!;w8kRuGsGta%4tJzd%aU#ql8*$vttC{_}yc6D-y!D7r<;|YI z?hSQ%N>9ipPMk>??smeqrdv^v%Kni2t&DPRT}oOgi#xNF7T~Xb!e-{z>84}SUbT8$ z-IniPwLT{=PVRNTje>+<8MP}UtI-e+P4k{hUtMU9p_i^%8Hi>nQ0o3?q3%q=nyd}9 zxDkIsFzeHwd1{AKW;MP>6+w>38Bn>hu_fHa}HFV{r19Qyjc5Ze`z5pe(H4a@u5s8`1{NLiRwZ4 zhwpuefI$aD6UGhmitJ?^V-&MB|B{n?f6=8XxcTzub)-@%L3q@MvDVXN49#H?2QRs1 zJ0BmFmVPB%do61W>j}iXYpwyNi`{UQ&x$G}66by01}GsBrmU2HkC-oTyG@DvYtUY1 zQ#|w)ks7^?B5)92vHus{VT`rcZ1IvD4i+cE+z)S%JC)6F?P&==3-WUNQ_;$cQ9jb_ zM|K+H)J3vJ<=VO{C7o={dPlLC_NhKdM+A#elKJI;wr zR7?L}jP;CY4Mg8fRef{B@PB_(joA;WPDN2uRb@Y#`A1SO17*cHanCf8BHk-&TwJdu zbyRo;#VFVRy?feMgFBS&xg_tI$&f!;_AQEK$RqghEZI&3FuD+Aee-OWpiLy9WC$CtcyHLfrv_iqVx zKKy58UElTMLeD%eGM@y2(c5lluB&b3AWA>W!Yn8MB(9;1tA(tU=KGu#k7j(@s|RSC zv+{65FuKMSbEc$Z{-P^vKQB$-1jT;Sx%v5c^w~;uJ!l_ZrIryo$N(Z>*3fcYp7syV z&(lOs6TVjcV=GFV7+mXKH6Xs^@d@0}lQa(E`!Po6IayBYG1iRaTDv7K0 zz~>^~y`z|(ne*n|uzGs*I)z7fx6;7O5Epv@?*8fJ-=wL9fl|Hoyl*9j|DiYDhdzU_ zKz~lkRzH7v!PW5crw;8CU zPPqI+<9+nHIdhbfjfCjFGk?i@GhUCezNXI)4gwtygsW?k=}HLh_s?^h@TfPeW`>C>d5DWl-^!z8V~Qly4Rwd0uCEhzcG8P>xwv~8 zA5Sg}u70 z|CaUZ?ELZhLXR4438SK;OIF`?zLCVk#jzLKE?}ZBmX(!@dMjyhtQ4z*cljdd38QDr9(t?y8iH`Q`5=;vtCVyvArk? 
zd6KnvP^r?apfSH-xTb=S47+RY(T)lEn(G~eMVJ+ehSb&0Bkh6&t$q>YY_Z=|loI0Y zL4q~E4;{-_WbI=WvJem=)wQ)JD{b_B6x`iwOIZte@4c-2^5t^9Z40>{3vPz)*@cyw z9FvIYKU)c@QA7kEj8Dn*yNI;3&mTUlxd+Q)S-^PY=$LMhOw%BZ$LN*VE-UGYcrO%T zwd9W>>r75=u6F?8M{ALc*o4(^47tkWz_faJWm?>6L^708NBAgD%fN(MWv6W^3}Z~p z%u8qAn~ZoTQAPWwD=_BZ)V)LX5klVs7Z(@hY`LxJn#%nA{FD^^#k0#vZ%Og|++4FI zZBhYOcFVCJE&k|U*W-5(UJod!mz7s!D$yaQd0$-!bEASgmDUSas_AHbSUTU@50bu} z524)BJYLpw7XxWRJ$Vc0$N{DnS@Z;94%^Xu0qbaWaV2p@Zt)b-`F6tXf+Ba4s`Qm<0s zP}={0nWE!MpjMX?RX$7oTut)z2~Jx$Da+W%xfRo3MFW+uNQ6UZy(cOvYPQ_BbfsMT zm7eIBm>37gM!dC#n``W?)HeG-7iZ@r9{aYjv0u~vMh*IQU&Jk}gfz6Y2=(H>S5)Ah z=iFK4XMOCKnGa-2rw_iZ7<8FO!P25KPm`>%Q60;hDn>BmoKW@kXLV~nz?t?|V?W+{ z-CQ||h=}-yeB4s2u$kRnUr&gLAYTh|FOQ6j1R3Gc(oVyToV@&Oy$9bnITO}+Hsim4 z{{FQ*dCQaJ)OGMe>ttH@DF#M^k@w5K?E}xWG0TeV?3EA#HbO!|trEA&nB-(Z#0ibhU@BjJQBfPw@87>`oOY65ycKEiyn;8|ZH|>}Zdyu> z7QOR<3Y)R<`NakNwSHl9vxv`^;NY&)y~V7|Onw0YW}RQD-@mKr=+I|dnY{o0&h^!WzmJcztE;h*(d!h!EBF|W7cWdV z-Ub%fXljm+Y^KD;Nm`yX1|-~g+W8dEskNtQdcSNmWK~sFO`OV3OC#sz)=*ZqKV0qC z)f0Y5U%=R5g42paBV<%Rhr;)i0#$#lBra$UjWqPAQ9{@q;d&w%2M^VuxRyEYYd^#!d#6kY{M{O#oT7`wZ9YY9_nZcWMwL+&#(BFln9v(G~$bkf#EbuuB(OPKKKI=9MS zzv5cviQ)gjmtf`Mva+%=Hztiw??y#Nx_fv82M4pUvPw%!V~9BLertO3tER@y)m6GW zOrJB!f{~e-S*<8Pp9mkH`@`ng*RNmy{E@`Ni{&K2^;dP^t&2|MmJ@6r8Xlf>C@Mz4 zRP^`tRiyn|X){~zasY0rrlqB&r{_7Gr~2W;hsdIL7MNaNFE1}ig*=nuYvNss59Inq64h1I0*FPy3(o77M0k{}+2Dlw3^d%xp5(97wEC zd1bdInHX?UY%n^al$4a1n3%Y)JO2LVciNunh@!E#hm+~z?B<&hQBY6w4ve_Osc2!Q86)XhO7ts`>bqiiwg?@BK#{=v=S2S+r)|}_dlJU zo<>GuT|S-LTWtSz+4GGLMua&XB}&1lU$3L9JKf$c0a3U$5SxR80|HkK*s9O^432q~ zqkU1~A0rmNBZi||zop92D*^MBm#_2X1p4vPVzgHr7ik_=R9&Us!3<9hz@h%0x%6+@ zO%}f}t3O|v{(&oUKu!})BW*?zWfT9;FF*KTqA)}r?Z1EZ;F!$t-SoWU>3W^#6`{>z z0@lpE{I<5XnVFdkiST4D8`9w4TJ`Q{aI&_L3H1l2SZ#g%o3n@ie0_b<$pmHP<$F6j zBcq}cg}mxRLs3Omm%3uhjJwU5G{1^c#3v-65p!dZ8yXoI85$Z|SX{(&oTcxbx#I>? 
zF*D!rG$>E`>nJM^{>$GODGUw?A?CEy&_)klDX^Y8nkF{TV)gL2`fz{OfOlPdi(gn+ zn25`|wU>ktYVlkQj8v!6B-(tnCQvC$9J(d2(3%>^!Y!2C`d?1Sf+gX^hqL|6k?63g#{ls z_v-pOr(n<7!3s=f2vQB?SO}%Pkp0$&a;+YDnwy(5>BH>rFP)w`_iIovGow2x-8y=Q zt(KhJHkirC$OtPdYoU;CHWu>zh=>R?Gc$hDVsJ`1IXRM2QymWv4?DY(+S=NnAZe5u zNI+ND7dv)#c6Yr$0)8Wehh(#x^{0y!COvpOdb2%UQ|Efr%u_9jR}$BsA;Fc*m&Xy^ z`uR+IR^oL5;joCS3j{n%OG_i8tiZs)vNHRq2o3+K9NoEza*Nk~gPfe4V9)GqY!`+V zwFVU*`6w-35i%*?)G#8uuhsys11U7-4DFTc{TEh066sz79-uzQ(9Zwg6pWxUHJ8%;`2D{9#k+U!!rBoN z6N68KF`R6UM}7U82_ePCX7;r&3K@1)z#H?bsqGiw&qz7ZEb99`l&i$e8=0< z7d#$;5F2=04_D!f_rf1PXo1y(f`51SYs+2;BRuxY7~!P%?+P0mFN4v1{`~o5XLh#J zuNp8_B$Z4685mA{M8sQgkoW8Z=h6#V(+MFtF8q2rIy&&>6%`d(Syc6d0p8`x-(}4% zW0I1RP>DE2#l^9xU}nJAl6W2SR;^RKGB^V}4BLMH2BUp}|CocL9KOxM+?=!0-rRgW ziblSmun-BAaHyHZq&NBM^2{El0S^xkto`-tZn0ooJMJVwk8}6;rtplHv$R+KOnS8e zLerF39b;q83$1}{COwvE23w6Q2M}2kzJ1eGSI^GN%gf3#GBKgSB~_;V3O9Nm5pivG z^;cEZ_}G|=n%ed8qz!V~GHI{l&@fC2&`|8`Ul1uPE4lnz#;YASYF!QlFV^7+`M(Br z-NnI}R1?E(Kdf4rJ8*2G1s^Gr_Lbp1G;Z^I;JS600Z*b27}80=UM(@_F2`o}P@hp4 zAE$}@KH#?R#g@(~c$v{fy1+TQS^13O-6A&84%iS_<(aN>B{QLaOUaKPPe0A$f;->r zwxHWD|HWivprwry@)Be*jS@ZIZFd3hh4|Jo30?;?-IQx_etr%S){ynqTAn?-N1mCJ zsZv(KgboI{3Nj_RyfTj%m zwW^gCo}Slm!=!@lv|3}u`VHW1G4I5fVu^@}FZY*Z1XF|@Ru$0E!H>pKbRX{Nv2G6|F*e?z4lK;gwR3d*E%Tj@p8jNGG+aDG zRYir8l5+RVoi)DJxH|#jyw`pvCMM>r$H_O1w4XnJru}z$dwT~4O5I#vb$549DoXkE z!5vguPs1Vef3Ruf0=8XtW(2^@sSl>h_$@3fyu7?{aH6H6s9_n+EG&dvCQ>Gg*+3l$35hyNDoaVf!E>71ikybV zIn(M+8i3NAw<*8^XX zhYuf?ltx~99Y&+7GOc{CFlY}Oeb=z%(95}UaCQQVuL`+eQyTQg$m3t9wto^d ze`>9Mn8t*hJwMKvmiSM!s){$4mVPEM;K^h|Ma8zKVMs9cp^DdCIUZ}BB5<9XWcaI@1Ntw$l3WhDL*{5F!iOLo}RKY;1pGL^+8j1F|psUXgqv;>S~^+ zALWzzT>waT>weXE&U~$SxW(uUM*j&BMOsG2?pa)1+??Slu!x7))Td`>kfAuv+IDws z$;eWYl87%CAu~fH1fR(@_y*CTU?N&OG!KYjkpWjXforgn8>V`FU%3~Fg*C57Lmw4h)UfR{nU$5pq$ zaN91j$&io`)qFKZy;^*v1FJe-{#a7~mX7XjaHrFySp9&DpxzZSpdx)~uNaf+EHY#2 zB8GDJylP_1J$QGXl(NSw`n5cM;t=}va4D<0E68cOs(Z=tpGuIbnGT^yj!4D(jx7!= z0kIQH`=@k}@xvXWR*NLgw)(f31mD?r3z~k67PA@T!;Hu+7CP5|!Nfv9u`W+RL3Z!n 
zJ;*`uucMMW#xnCSJlCEj#=+r{6=x6F)o(m|+%oL@4 zQo;X(lZpzl*Zg~Wda1=I6Bid(t(T;vq=trulF|UAOd^SWku+Oa6u^JKg%)hqVQ9?y z^&7Iz2g|72TcXHW+1ZO|yjE6Q@HKNhF@T!uYHML3>fBCTkJf!_W^+~6>pd<++hf<))<}5X-_Jg;q&~vy zt**5kFNK`!>+cVV6(|T8NbJ|IwVqeJ0sQd33eI+Ca&>b~P0hey?i)?rhZ5@LR6*j9eBp|AVWO+0o(Qe$$^2XcO`Kx7OCq zdWCMD;NW1Q&Lj{;Yf#j1XfQwsDjOIW$Wd8`-_<(r8B9$;~&WYdikA_oJAdY3&w9$Hf6kc}T2Sd9)rdzGnaaz31g#`~LoW z*7(a7bfNo5NO(9n(+yrJ?Th7(m`7-_YD^`oXg8Ha+Hrlk+0Jo9pd7 zbF(c%t!I|m3AC7tctvPaT19;sH^&&#ySIKmC~!J0;rq$+nLQ{f@GoBTeeKZg4s@7x0saIECrt5>hi z-0OjxR8>_~RD96Y)ipQIOG=soLVzj4%gf7UGc#3YBLDK`$CpokdEH!t21z5AbP7v; zvNov1{HXt7@5+JpspsE$TeSiWMQ!c;f&%xo0V?7RgVt8dSY~~_5(8hr2dhMYX8c|BTitt-O+Y|^hQ?ncO+#B7utVMJ=+?5>K(QgOt0O%Bmb89TPft(L zcGhGu_lciorxKT=Dmc095OG&`_iv)ta=)TsMUs+2FbIV_-51sE8ksrSe$X;9 zGHPmS@_Ty1{ex7MUJRQ0=2TUbbk>9W_aSG3IFKZsF)y#6r#F)<;3le^3&{;aN$`y; zATsZl7(_(D&(=di9$ymuEGgk}+D=-%f4{YyjNiF$db+Nv_t{=N74CQI$T4i63Oy3N zSW>4SW#g8t@gcLrAmBi@hun5}=n%+^`=`L{;8_K;3On0}{Ut;pR4x8l^J+tjf$qs9 znT2H;$G?{x@+b>6Qi=DZKy`8Nn@+DuPMus9Rpc=3RH2I3ihmIAr_faRC6Q~=E{HT5 zJ31vLJfnuwcaZxA`^5e|cM=c=EL~OnXzA%vBb1pof}!*)xzGs7%!cc83xIV%UOS9J zS$KG=3biZc5;?njdzl#+Lb{Fh>s&b~DO-n!9e)SmbpK9ojeXA)OMi?iNJAqbCx_aZvk*FgW8&!fCm>3-(3=! 
zrG1-}*3wGQ5KMSVMP&pAZDuxJFO9_(ifQxj;LK@fMhv<88=tx*=T2ke%Y|H|k*Vpf#B@vNSRzC12^K6{FwIOC28l;=`SVnDXLg>5eN#c2BNycs4 zI6bX<7$W*2x1eC^^oMqZWz!w|sCj{F9QJKV`PZ*GSXrAJsHc)W&JQtBxF0%O3z3FH zOcynrE7mCa6xWR5e+A&v)YMc#Mdk41LE8eoi2(hqN^ zr=yE-7G+!wSQ2V@ij+*|r5jN-?V?M6yv5MBoVo%Hb?$vu88vAA0vR=5OGmNzFR~B% zY*R)|_>H!CcoacO;#RDBz0(Qe+uj5UfC4kBS;B(yg&&DxszLTnDn`;e`hfL_K|!%Fl&cJ3uW|avY5XU^QGlt0OaiHs7^XEeH3`s^L9zoy#kO_W+d_DL zthk~grfX?Iue-N^lBo$*W=aSK`Rl^&bay`820+{t6dFWwz*1aYUE$w4j|LXPWC zB9a(fYp5wH-4D9C(su;lCwou6cj%LO7Hf!{!aLQA^%yx>YpZ7OCSxMl1Q=g0+D=SN zB#39+W({jE(CHylKqV+HAt5NtrA?j-msyX2ckQK>RpBb-`l(rSrc_jddyGW(pq)+G zn6xuw;u=5%fFkxj(-@#N00<2u<|!>y$0H(=`C3y|HShKye1Y@D3s74c(TRoeY9j1L zrAD{47cnD?B+>6$&Aby9MHO7#?w>Zfpsg;`H_N0vGh9xeP?Azl3wA%^QT(MZXSupY z1E}{gQV!}u`4j_m9CKj)-2eD&=Nds7G6$*R ze4`jrPjls5H+c!T|da$1c(p?75Wy3g$|_Pjo}k+0`Y6vNK)duZ@3` zla|(GP_p}8Ep*fv{n4XlwtV?`*55-zD(tCH#=Ab~72>j*5dFG2Q%5AE)x3!I-rj!i z8IC((!L`<85G8dhEXM(@Vv00e?#sx@^#Dtgk(M3--2y-bwS5Du(BR-8&}u?`6i8VV zD{$v?0oAY7{e_ZGBfgAXB7gt>9TGaTUTqwQh1z1ZcTdGtN0WELNS)!3RtfVee&4cy zG7`Vg1O3osoM~N6=jSXM12}7eJc={uPEysl-|n8wfsTbSFKU6IZy)%yePZGkKmg+Y zSzeBF;VIinBdTOt17xQ+k!zXFEf~f9FRVOaK0XV>VoD^BF`?hO8bw zd)_#2%T3$^91BC_m0xXQJsNsDC?DUzWWg^gttOZM{qt!t z$cRZnGFrsRynnX|KDe-;0F*+c$M`Rd|KcxPR3|19g|XSyV4Bqd(g5tC|I0QlF;Tmw z#muJaw79K6d_0Hm2Jqn)naIdYLfC{tFgRC^N?vhsadI*Q(I}vzFQ0;LN=b^3 zxfld|0+J^llg{e)_KfqU2hvOqw>^Gw|I*r;3k0-#NN6FX0uxZYc#3hjK1|QeJ=W2& z2AuE7qb$IaZ6O4$-1Z|TF74izFJEqz z)bTs%yX|U+PIg-p9PYZUCTdU*aTMWpQfSrXh$%3{}@-?(=Q>E zvwAZ?CH0MDg7}aa$SJz3mcz-YeM2!v^+u1i;Z$9`i~KKYI?%}*&W~wcL0TmW{4yzcz+!T4^TsZ*a{-* zA$S^qwpc_FWT>)|pr?cd1_E=R1XHuqpM_%a)z#G=-U&eK1x;U+M~`5?n_P+@@1YMuLDF=S<@kE+OIbk%Qy-RflsBJN9hs2fx1tX&6!>h$xAy zMxF54pwj_Yg%L1T=)8#P0Ewe!ZGC;g@M36a2(5q;t#EK)V3%1$T)b^!g7D@OwOrEb z^78V=M%UsVkXT4&yR7|B9wE*?01ExCY#cx|_wyD-BYKbP&>##}78dgKn%ngNM%Wtu zhJk@0z-31~1mF7=AFxW`SU_13g&v=;Wv9e2YWtN@ZckNVgQAno;$&}+f`-;6Zwuu+ z!_3n>@76-7MJ_|12LNB&<-hSTYN*Z+W;b+|?j0VsnuG@hy?1irf;`Q_LcnP`#@uj; 
z1-XhM;=6o`=kcbddy8_e%H@-m&dx_EaEO!fyLZnLnhW#ugRx)Pk{-zmUHM4(=~p{+ zw70K7sMleN6-g`5ZyFdzAzZ*OM@I0ojZmFDXU^C4Qo(3t3Gs*1P|qu3P&DaA_cY!x_ej*m?3`|P2U zXtn=MYp|$$G>_uv2dJ*QbKWH-b`~*d6d}YsN~)^mpvVA&gI{40ZPB%LbV!Mde+TC+ zRHowcJLrJ?0(J(-2&xd}KYs#Vi|qnT-P_aCRudRn$Iil1Qdt=u7A7Yx4NtLzj&+dG zD2#d1`%SN}uWv49Zvy(G#l^+x)r+3!F8Yg7Y|S>L$YnzvB>A@i2n(%)gV-kpVPrzr zV5H#SfF^;W{P{ymK|%5SIi#+jRnjET4*)7b$pE;a-TDw+zwmTQ$Kaqc2s5*@H;`3Z zUuXe-Mnduj(o|hjgMIMjR(XSz00D}fo!#>NcK&fZ*gr@bt-R+Gx>A+{nNmn-#5qMp z*U+*6f`gk+AJmnXd%n>p4D-Kf{0Krw&`jN}UIW+(w(>z`6*Ve_uNj>)eNii}Owmn+`>xgC2b%pP)kQ*N}T2-M#Diao8 zfAB9X5hHDb!*+bnCMxn^fUx1KUjJJub`r!1Vs{To1N)#)$(ECg4NTv4V;vZ)6Oz7e zE_HZD25q~iAM1NgC!76jaIk00zBZ`*iNoi~5+}P1W&*0#M1rIH)w$yofn=5vOn*J# zA_Iqf1zLc`wSek?BSM{#T0VJmeSLjprP8PiH{HHw8Z_Z@P~iLNd|SEs_&`;ZwL~`3 z(V6;bHfY<-<}1>aVGbWA=&;(?Ch@1Yw>T%KZ(zXut>QKaLZCFOtENv%6L8*r3KmR7l~r4N3AW1}Sos<%ZJwTj zdIkUh@;h9bAumH4k)YKCdkI~=pg)XVN{XCR-rbX`1f)a2EwV}6C2%jlGJ%Uih8GhP zgNh);aPnle0BA*M^@yICnSojax7pO>q#KlaT66A0z=M)cKtRCQm(_*uNneq-U0pqxr|$Kue?Q&ze#*uc)xHRTi~}$B(fv=L!?VV3E-Vb3J_*KS1_$Gu zX`9|m_cB2qA0L14;6Z4%xkdMIIlxF{-{y**iLv<#@vVk|p__^i)D_s4;!^42B(ecM ze8p!Y_6hhO9E_XO{iW-MGW>OpAV9=r(fz z0CHMf0(~Yx082|*{ac_c8g0r@Qy;DI2Vz%<+u2YfrCTU;T%Cos6jEK-mka|_8)_Q1K4EN^TG;g zS=d2|^xT*P~Kc@zaYq3mX9W#!@Sj)jfQL)_C9%PgiJ{eP_u zaV+m}nRLeHvn$HWsg}j9srt(!Y7kh0e?gJgv??ZM1ZD;e>M~Fv@$-8?9o1pTD(2MJ z-(ON*ep}urPuj*{C)|Rp0E*@;bUgw?aC9smb5MqW42%g1LT9|qX8g3T9O!bH@uH=z zteebt5pVD&CGGX`oj+}Jyu$y+S{|4Cq z1X7HRkLxyg3UG2BLj?pV$lJ1Us8T~&7wFL|zsG0k7wv+|;4>+`G!c@a>QRvq5l~;5 zhSX^@U5!ITq^+eTO&v8nGz9Lkvbq{zA1#bT5g`c$j5vOm_oAY$0DKP)4qW(?p*{rW z50!FIh}?`2eVE&J;{K3fL6)&Pcfp@K%7WY6=rl`hOwYFvw$=OS9hsIba zpYfHxHc0Ij?!DtNG&krf;?VA&9f%;Apg^0%Y4!j3ddsk^wzg}Sy)7(6kyKC=5lI7( zRsm^H5CoBsZb3jm(m)Xq3F(mT?i5s7LKV_**vy8NKH&rTiaX8bb#iUY2b5jd2R&%>FBh%uT&gL9o2kU&>MLuyKj zN5j}FH@DF=bII<%!po@rglhA2$+W!>*&d=BH*e~p1hC_0XK!w8eYCx?$TQvd<%?7s zj#$LU@L$o6@4H@Og620iJzc8bM1uy(mDIBulLB&K2|$&-y{c_WyNDb=eLo@B{epX+ z;6Bj~{Kb-kfc&+qJup&6To^e9#Jl#C%f}oU!c`~VKhVF7e-3zpn+kC0!Gi}XD#1ZP 
z-N;zy2(o*;q6D<}PZ@5=9Ve0n)f4?YK7?nD&voh3-XxAht$)9JxlohLhXZ^^^LQtD zAsHe3KH<~5>wo$CL_|@7_>Jp+r_UdFN;d*zukzL5gZuaUTHpNGZHit1^$xz&-)pa& zzIcUtgD8d{_sBqKjfcvA1LzqT7&xaMbPHp1&=vA?a)gNy9k*B7Z=vnMTL3T)+5&JD zldiNWR7?BbXGcd5V`7Kcbo{_gaBVR4B20idIcGlJSs_Je0M3jONk~Y@FGJdPm*%4q zI^6$-zxUrlb}6J0!wJ9%jcsi?2jyxfmX8W!YR5K1MneTB?$NQF(gPjss(06fdu%Fo7n^6- z7wY?9tAD)~GEF=+!Pfp_D*|x@4c5xa3Of(&TWMgIj~d(KfZ_u*yLN<5VDkAE=L9%| z>FMb=i97#(xJVN5L|z@DZlj+7l?ZpQj#((w2&8;2e*`jWC=I}UoSU1&Z;(r!nfI(6 zrFSiFN!Ug7l;ik{{I1jYuoR!_q8UEvfG%d{^UH(CRuT4mCqt2C0K#J4gr9#gMCO=# z)q{(u@{v8|W~eDCuR3ll$fe619RC`*vo?Dli~sOpue7wZ$w@=k7L4QrIW+Nl%|mI&nzC4F3a`UgzmPzRwA0f>#!G=?#>eAb4T>C#%pWcY`Ld6FI=A)({3 z_>S_gWMgLIiL8QxUuLE`5G0hfl9Kzu^}R@i?}cJXUF{SW&3?SXnA11|W##y%PoF@y z1>S_Nq6tI>eu3KHYHcubF|z;^0F*~uRP?*$wQJY11qp)$jA1TZxIp9eid0Hca_U=X zUVYS!7q6$C(0`SX8WZ-Z%r5L~^c zOW-Q*`cK46M8roG`PCp>Woc;%ZFub4dnzhu)hn?m@b^(y5FmqZ->f@6^~GJu$dKhr zxd060$Vr|oo7r9f)F9uzO=s||{+nUH=%G%0hBlw-;z!KZ5M4m4Ia#9Os=Ax--8-?Dencc9J&Y+^E`zENbZ$CI%JZbeb-Fp&%K$Ga*i<`y*ji&;LQNe4mgeZ< z*4pg!j~^X8V&Jg@7aW5*bZx0Msi*x=w5=?R42zk9a}gW%!MFJ(z6&70g(QF0=1pgwvia6nz= z|E25YmX$faE9JtKMMW9ToohAZ1QQm6YDW>Qp8tnaXlKuhSQ2r75P>JD78e&$GtifR z$5sXqiP!_`&HPZs(BPnk^~7J|+B{ZFOcnU@K(cr3J@oM!Sp69qANVd`K6YgNT+9EE z;}RLCEpT^WmI}H2Ik{8!;3CLqKq*jqSFHixe5j=rjpe}7&15|H(_$-cau0kGo;WyY z7F)i2?SQZL8yN`g9OsiCa>gEON7Z=_>=VFrgNc-PUq> z=DIUad5NVaC4rKF-Y611c_^0&V(VMmwf~4=e`c}I%6uVXz~aIK1FP<=tD~di>pdQZ zoV^4l+O7BfC?>+Kz7{d?!lQUSmHsp1_wwtw?}llX4t~w&giE$+0Vs8 zb_T!_$|3>-ZNTq-c0CJIg`ZzP?ep%PiS5{n z=g+wx_DgJgHGxQnfeqSQ0=BMI`RZsXEvWCri5MVsrz&$iyY3SnuBM=HjEZVwWvU%q zxCOg1ynEHN|FPYWgE48oj~7Is%^;s)W4spRP%p_t!8USl{~B0Jr(CvMhlVPUIxxP7 zX`iZ!0M(PWKVV>OFDktjxh#8%zlBdP8xvDfQ4tlru8z(!eppmg6jVi^s;**#0EZ?g z-d$=l``NQ<@18w`egOypK%3gy^Sr#9z#w??fUA_-uQCfo8CqNh36U^=q2y+ zaF}hKy#SU-FRhfRvXT

  • j0B!szIK%w1hwWr8mb1O3EoE|}Yl#w47-VaCdINOzV_TWCfOhY#6uF-Mb1*#}N%7c)&YEMFvL6 z60Yerv;;i6to1Xq8i+!XWO7jHJRB?wDFP1?fku|`9i|naS0lw+@CG#yfP=w5ATxlL zMu56pTy{WzLp_(0OdzxU#@aB0-wV)q6a;cBMr3IIfQO`{rq=5&p=OGWjYR^&5XF`3 zA0SWef`r>>;Hda+u?5cF@9E46?8t>(Z-1@Nk9x;p!gExPtT1F!eD4F{V2AvM8(}Zr z|E-!Qi9jf?>M1}1BK!S3H8IilN1ZSJQY7DFDGZ7P1)Z>G?Gz^vmQZ(r(P{#s^VrzS z_1Yo7qrzYkG3?F6Xw@0@2%C(`D!517VP1u7tgP69YXi1JD3;k&vQD$I&R~5(`GHr8 zwOCzSn=Pn8p1jzq!g^O*`^@0Rk4|@u?+6`>0-Z<*h@CC(F32b@{$0_Hrjs>nS17}Kz=QIb|*QEfkGZszI4@mkBufw zS6<70Cs4b#c^)8rqaY`!$@rW=4&u=QMA_NhU0C{==hydlM^`f|{s7?O?fzPxy2}OaHF_UV5)n|?gGy14INIVXj)pk` zt%(_!I(|S8Lkz@yq%=Z~Z+G)tK!Jr99>AjPK>@M@YLN1bjJIO3v}iO7hnxYF_ypIa23AwTt-}W7-ylR0GRp87%qNnV;2r6Xj zr;Uv=t}Wj`y^xiWp{X#|)#cQ#B4!Tw37ENpz||Z2;BXac7i<*J91vgazTSATcla>q z_SjF(>jSoS0<*~91O5GX(^YT&Sob({Sq=k9=*yno$={Dc8<0UzK!9GhN>N|P>!e3% zECjNgomf0!oHhP)VGnQzs&!%Pe~cBStk=eYxOfAN;BXh6j7u;i3qQ$1GlF+8GWP}0 zl4}bX^(ZMVe$*Xx{8{tcCtbWTY~Zu0lBnxFc&p0*(GgjTkYi?9{~@Anbs~1Bur4 zZ5@_tY9Ms&6X2lHh^FCp-sW+xii(YW7aUB5=jZ2ViHWySd%|!Rt(R3I3p4YAqYh7P>8kQNNZ*d%z)*gDcs)Nim+asGf98eW-EP0_ zWH{dY9jLunbgK>QOz^zz-m^iM0>CuT-#>3&lxLpSoYc!3G;e&UPMjFckXN(AI>#4{ zzRd%44S^pW9U2?R<~~5N$IN`7un}`Lcm4-}ul|+?0vGI6kX6x&*>qDB?tMEL=J4kE zU-=u!zb?OKueL5>etpa-PB}yEUV&-IRx$a5AbA7_b*d4A?h%+oUx;`Z}u$OA>iCoS53+;$nd zwmmc3G%Hki((-Hbl`GQ0yslFR&&vc`OtwUOh-VcRqF7Y6uvkESc8H)gB;XPF?Tdh# zd&)V!R8_^b-I@6Dqb2i~bv#o7hwok62GwHA`2N$4#^wA8{)K!)y(hjaDDI2coI&kj z{g%mo^l463)&`UX!BmqoLo!3oY!|!BpcU-7K;a3}I+(r}OCFNlQAb>pOjb0;hy&$O zNn96rpp$nHh-0l95G>p6=K)fp$kA9+)7RIp^*)t3YWg*gC7@yK?&>aCS=o5KVL;P4 z^?e96py%A`SuX-|-$S`%SB8z+F4>Km=BHDOIe1euc?*_g?=c?_+?2mON|SOW*PhFz zn97tptl6e{I}lJwtNaS+$ruiK_j^Gr%%@&t@vOLag;GjfJduwq{Yr39Lq-a?%U2Cs zqL8tbcX%S{94n0MipCcKgPhL9#q`!^!v6b zPCkD82nu)|W1yw=0JaJAq8BA>qcNygbmVaku32#rEmGg`gNQ!?y_SlZr|?V?zk= zamlPVSxk+%@AKpFS&P_gm|)%kIN~-_9CiMTs38Duq-X>E?Sh<~80BC_bKnnoWZyuL z{q$-0FBM&50L4EBzEA{1)61+LkRmo|;9fi0O16LZbKE2Z+6fuKlHz)9`PUpbEHEWQ 
z*R96BjxWX;zp}h+WosKGxPhuIB0QX!9>WK8m#FU2)ViJ25eVyr`b!?C&ZzZps)hl9FL@RuWi&kmG41~`KH9gTC&Ov%tnZ3ITk-8-37 zxr0={Mdgu;&-gM43aV!;qW*#Ubb9d%K*smCSO2~oWd%N)JmwXC_T@1R45z4*)RHj@ z0F}J8I%bj%6n}6kFuVqC=Y*CL!wARlS>4?j*eymBcs|I%cm;e` z;~2v14{G>5TR3F6Xhr~w*Jd_R#l^+N$;XPVPPU2wDZ!A3(E-s6fdZ8<*49s~GOi(Y zOg@1JoFFCj0l*IeKJXFmQ`a;ewixYFJHR(s6dJ7SzP9gj$Tviqv4rS^Y3Fm0oapK* zs(nu3J9OyKMK{o71U^-@e9cU{ctWZ@@`20h<@m8YK zuQf}-&iug8P|(hcFh>ft!dU#vdwCHN9jwH&Vs8vPQvyOl?y0KwB65WX2PZ+9OG^4t zMjIQj9Q_3`wPKQe)o2S+$EYB0XW*j`NI|z!ZeZlgtX0*srFTuKWH= z__i)Pe=sb;j8&w;@$7^@nov6kVEz?CXS965W#H%12?RdIZy_`MR5gd)%>#bc=`IkQQ@`u zp<4zaD5VC=og6^Rby)qGZ`c}x7l#`E`r7SNa|((RhKJBugnn-oh(p@~&IA%9fUiIk zBgp*H?p-MvH20GG^dMU$Pkf-EVH!{`7&KrLEh1p;r^hTHA)sDH40_IWNMq_~hf_1l zM=W^G_)cO$$|%RF4VlxPV_@Ln<6HaLISrQRgUdT{aST1DAj64%@tF4{$?pzK#4wU~ z!5ZL<=xT3A(Xs(Lq|xHGJK6b3i77mU(!Xr@mQjo1e(WxF@Lfr|L8--EjG&_sbNf=^ zxOo}h^Ww#mmg-6DR1u*;zFJ`9~W0Z z*Ms{iDlKa3SPb({lt`4{pd?}2#BD5gYr2>rtD~JIa5YgNfo7opN~R%Z7d0_G0EX4I zHK9i%u3*{%^$2SUjCd@-$?2cazS6z$;SO~TE^emtfYiQRMTY8Djq%V zxTv%gh29k>Ye07Bi?Kuf!FlR0(*{HXFc=(cAk4P#3JD141cqC_^^>Ld)CL+cbnU=3 zN!;!<*^1vu#!vr)ViTJ!?%XGcWbgrRF7ZNqe*UU0lyTLRnvN~f@=jpmVPa8=>FR6~ zCJa4@ZRi7n9RofMTX35X3V?4=oSnmU8RKExIEW!_@>Pl;xdu-))xM#IErL9E7*N1* z501jDEDXn%FvkMVi%}-{fuUjWyLVuSenMx4+PtVszTV@_8|-NRJ`^(F2pgvW9_sAf1^ou;(^aP8M*Y{AC zvoS}`K(CA;$2&&Zl$2NR0yX(~d0TG;0C&e+-9Npu@#|N>isg}!L->MVHez&(sILLs zAEo*@zx7R!g|QO+e@n6XO5pYG{`Vj6S{McB_(dN1J*SJEy1B8jd-rbFSFa%d{9=;; zZQ=+zxx-c$QbZVz0Ul6NiqOb@0RIXy-3b)JZ0(zm&m1S-jabpp z+>FsOSWuEOGU(7IeCS1v-;%Q!|Ry+qo z3UFl|rrP46Y$i;)fyrOFa_2ND?0x|8^78N;I>DU==*!Xo&1z@kk?Hk;dWg(zEiGdn zXW@N86DJxvmT`wdki_@( z@pEv@16#+tiUk)4oK0w85SFjp3GIL023>#No985l5&ZE1*naYgzDzaC5Flz0!|-=R z!0D{7Pj0*L1q@!yu9=P>m>zq3g6N|G2{qT#%h3`)taSAC3Bdx@CejH2vv7)=4crig zPWBfsgW0JoeF+t^j6uy76~dMx&5nWH1w&(T{=n&K=t%i&=gI(y15v=Z6D@R)0s7RL z*;(;7RF^Q&-{Kn;eT0Qf6FOA%q= zoLop}3ShMWIsz8H@g?Jx(U;Qlwpi&EHnXaL*YW>!w6#IFLD2Q3sETAe($lQTr;i@@n`i zHxrV`gSwc^OGRa7Ueg0@>`np`Kj~Oyd{Qa9dP$kB73k&S5tZA*r#`y(^@3=4o 
zfQZ?m8O9NEdgn_!c;jPYE@R>focHQ=yX(aCaZAr%-b&`U!JMwUWh+eV8K36Bi5{x> z(WoiiQ7`2Xwg1sk)>a6gj1@+(Ma%p4x-6c2&3ziauRRjXxG}N8oq)Z=ep~^#(g4NU0az_R8oR!LeOSLMOnEU zG6q;h;SGJc`xGUFqQM7~4U3sW_mxYo@m^h3&J?8Bn~>&R{4QCo>Q=+MQ>nL-A1S4; zhH}}7?(Q!8boO68VX?#WZZmV0H)M|!UH@?6;)Cme;UPfk@j3t4!UCOL4RFIh0OY@a ze^Bz4@AnBz-nU=9+0C4D$?#t19pP*y`qZWOHMgFo-(b;;*vkDd&i$oyJc_k0X;`yv zj^_RI(4>c55kk+x$++Z+S{A;Uu3>|MqjFih>h)fsd4yf`?2#Z)QBfiL0^}dWU;@5q zuMX{EZd2-<)9Sjw#HQHuj59B~i8kQz&#!BtM@(8Zd+4u=h=?8D5w_`GxDCF^0zDOo ziy)ugGk}(gO3*$prGt{DSrDktF}y068Ou_Y*uUVUeB|qmRUmaFMXrt+B~iZ6&~d{o4zl7{?`jj zX=_I^I>)3EQI+xB^|LK^})~4v+EziQd;sExKLf=#((WyXwrZP_iEux@(dFmBQZS#^VK!7Nq(~! zBhzHFj2WhsgV<1)>XM?5Mc%S0bZYtfB5YO3=J-z0JF2X+8{f~Xoo;D}X-IiLq&lU7 zfP!lfJ>7cthKAW~M(%>paA=a)eYd}?oZBY2h*aI2|G~d6jEKnVmUm+s0 z^a1za@26w$eK^$p_i^<9pa1Nr`$crjG5dNCUiRg`&YVxZ4`{MdxfnG^Rh-{EzwZJ+ z#nZ2}|NC2#qIVVTCH392RM zX0GFBMzt2dqw-N%u#rinXQUDP@-}|&$P(F<*syr{acTD~>+$?}bI-O{`IGa8J+YeY zbjE5*di(a=zJhIZN6aL~V|R7Mn&!aQ9Jd@C7ee$@tm^!qKeyJo$%IKhECieKHz%(y zP}tvP{j6Z4Howlu@&2LXOzK(|F-tnb3yyJ3uf<}T(b#6CY4aYFqQ^Tz6az{;0(#>6 zZnOQ*^@-^zV>6uorOp>+*2=x8fF~B^%y68c-OKXmkl@I3hpIj5N@n|XO5e)P(6Tw? 
zwHDsBd8#DkNcki?OSC7u!+q~9r#lsqU0XYMnOS4wUlxx1epvmBI%WD+0qxbEhv6A1 zZ*z2Z+Z|~JsV;zam*Z}Xa{8t1b)(Hv>f3MIuyQRdm}TwsofdxmtYnZfU7U$OyqD!@ zpxmlz-jxjt1uYL1=7N^XV>yrbK`M%pQ{-h18tV6({W0dbNAl%`TW!J|W#u-4b8`Ad zZ?T*3zhf`bI?Qjl9H{zN__e=;0WS{=e>h)uSFWWoml^|kEhWRjD&dk`8AZDAKO^(X z$~jWGVbk}1rWmvE%RFVy7Ftt1YDgp_>rbP+I-26%OH;JIZNeceA^y(hyx6>g4Ntx@ zGwTVuZJ)%8<JcBksPxVD9-Hu-%49)0w{ErW z%im|oqD4iCk4lPO+T1_5xXyla=)31e`bwA%%@M2}Rl^t~#~;;3eBCSkB<%%qiA*5Yyv^(&+Z}_xY{ECN=s9`N zESGF}Vrlc`^e^^8F2mIVrVlDAXMCm3Poa$Z0&U85eeUT4;RuIW*B|edSuzK{PLKVy<}Iu%8;Dw zj4YR||A~dvaKrfx2kX9?tg+xg5&sjn1ewVLW)BI85*z8XSZXC^Rv7b_$7?JHZ@X?U z{aYUFa`n>bjMK^9H?PtiSc$syiB){Td99`Z?{7SdH$W&%E!h6dc7I&Ma)Lcu$vdi+ z@2yG~N;wNB2mFpj)+FhiJ^Uilp0(u4*!HPi-KzzYUuGseHzzbTX%QF-YJV*^9Q3CF zq3~lZLn*8BnSf)$z0~>g6DjpVoxWM!Wj_>)cvcZlb+R=1<8H zy_|HZPnPpd0FAWZ=!ajQ1Jy%Ch_!ORRjRJ+3{kpuuW5*t9(Ej=|5~)Bu5V=XAzV%> zZvUS8JR;JlE+2W3{Jg6LIu$2)1Pd!Uhw2Ty-)!s1{YqxDW((o=#DMi0fYq?O#68yrhp+kgpk&hW#Fed*=d7K2jb$V>KuscX{=t>rwNJ;paSEI_@c* z8?=#jw|_~$e?ZpT<`PTbKXseO`R1auUdLyu!8J?pL;|tBZ^YA0DUU6fA@2h7DI>`o(*{91-hmiWIhG!?W zcQ5nFRYZJu`Mz1du^soXb9CPe&H3~DGUjvDUL>TXsPU$v4Cfcg7Skro4PH)=kp9Iku%`|QDl8#nLm;)kbgWi{A%jljwMU; z{6u-f;f|HbX6+mGtyvWuH-}j5t`1Yv$9a{nT1@{#W+tYb|I?J)T!`0l<6Q_d&T?67%q8n@rOZXSjWh_2RB}Z3dr7()#>STJ@t9w9vN5G zy+||fb%)xaST6Zmv02W}wDy7B?uuIjvt0j}N3L9)wzjA;KcG7Jrt}x5ps7d19h2V_ zk9iRRuD^H^vHa>`xbxWNV2znqZ`#y{v~(?#t&2Rfn{z&At;1@^3p&g*YUJ6-1FFZ) zyEDZ6s`oyxc`r++#oj?DEY;l6R!}hf{(BDFkCSCZlRic7j#38ML@eut$>-eKe=bJw zmiK$Fvc@0Fxb_TnS-nK%)2Udx2c4rao$flci{}q_~ zUCGV!M}%ZiO{v}{>r9GbJb+v~w_96F?S_KV*A%PH#(WvJ$Bk*$tfq%lA9ETRM4K`9 zJ($lO&3m31;JkeH?4JjBrJFf8cvhEO5;Zg$nVas}8>k;tZ}3^UIIct^uzJBpF0gle zagQWUNNox3KTDehUL!Q$eKc;AwkLn%)+soqmdnpAPG z-~SZX&guKBpkaoi@6D2I5l-NqAs=lL=v3@8{puszW#2Sesi!_+Pmq<(Z1lzCEoXk< zeDYJe)LDdhb9GTDR4$jeA$ir}e&tbOB{Zhv{ z+m+iRy5<@xgl|zScs{He&??U(6}~ID@iL*^?C|}0>XMK@q{x(fA>Y>5sKkjSnPs$S z_^J8|uH-xkp(XcSEg8Az=cyp5@yDA~J6`8f?m(5jQ|y8yA*P^36WjB*c*Y@y#$mer zhCYZ}vCMyCU6Yu8CfLZ| 
zRI%EQKfV6?;Ar0)1ZoYB@*6uTb2MeqZchw)DiNh5nIsbWZnal3|8d$$x^(Ti|A=)p z8*SLy2FnTqJp+Saczu%j`Hg)Et}P+flr~$c_iuX6edXZT7+Vx7F^gV}6n-(MPphdf zesiLFx!O^wxq{2-Sn`U&&NV~cr}yXMnN|Kdk@D&d&EOF(d9TBS-kInp`=+|>*lUVi zCVambbM4=`e}1Bsr^Gph95u*m=oG)J=TOH=plxKuM~8S(=Hf6apSymN>*g~P%t3OL z2Rznaoiw1^TXxt_B0i6EzWrlk5=~^JzlLA@1NPt_F^VNODxS5Rv|Dd?DY5u+bKBfJ z6Y2ln&tR*2;lbOxKb7W`Pt7vc(Ipn%>>eGS5IxrVJFXT<-eB#Nqw~@|F&_FK4cxKz zih`b`=sS`qIz+j+liXnxpH%v$&9o$Xm3=GhOay{4f*z3hC z1@*M%c{&(ci5KgKotpi^+QjH;m}-dqu>9p9s;|PU1*t|0UV(ug3E8jc)!Tn*w8dVq z37{+&Y#`P=weWSNP(3s+@q{heF2m4)%CaloO^5A%#i17d{gCmrF)FDsDN6pUk6M&E z*}qf%=J?6?PJUmRljTOWk?`yIx0~Jrl#apc2O>#yI~JUi+>K2M?KjbFTTZL9uCIsK zV&t9T=f6~ab4`z;o>nh!(o*V46IJ<1_vrl^DOytdvuo`1aUpVdiuHd9zul}FI`5j- zWu9%dus2bfUE6&_PWxk`zkGY<$!?wbmU$oYNLh9%K?<8LmKrykHT=m-^){?dU+`}l zB83`5c-})ErR%mo#$KmMxGSclrVKRK>D!m?|G-xAh1REX{E$iO&gW^98%ELCP_MXc zWtb#1p17onGAoTGZC|p8Fm*q5J>EyY@>eutO7?%1{J^C{( z(nVZ@(RDJ(aQ0+bbaKHxbI*)F^*6e;9fPcGlBc?JYZ|MyJZ^0}MT=IYDSoD0K5M0| zp<7n=Zsj8DGI@K>%lDn{>BE9cH#4oYiRqgjhoK236&6!Ha?(gJOGdGoa#7EOfn}?A za8qGLHe0l8=}*_r%>larS|wH{de`l5PSL0?j%?cu-&vU2-umSBA~dOH?|(a7dHdml zqG;E2MgpzzifU`=!`Y&3(LGHnu3WA9D}z2d$C7ok=TnkxG*>w1Whx@8ew@c1I3VRD zmKa8DB)IVF;qv6^G}q@p>cX!!%%z>^Pt(+R^2}hxYvZ}D@M~uA)%9m4Va8!cg~QEi zw$ASx^B;RsJ9MJmQi7IUBo@i{i>sco8kf4#?9B*+2;ys$p>%%&x?|q7VPfD|eAH2u zIrNTcty8;J=*(7>c5-mwe87Q*;J12@GeY^4Wfzli>82c8A)2*9l{3!aG{UxTjd|_- zW~r(_-hJO;o{%km?IN(< zzqnv!d6@GF4XVXRqieo&ahmOOoSCIT$L%;S_!uR?aR*sCA*eJ`&wGv0tn#vE#FMd2 zd4mq*t)htUnoLZAeVQLRQoa@CJ9{pgiSgyrWz@I(IHbgDKwP_Zm)~ft?R%%kW7sCB!eVR>+F11TlQ7x5 zS@MY9kv1SGC4)m@MqIuF#hs7F(xw}N$Aqtm#edFeFn`#pu_a}cYItu-P_TSB^BZf z%=>xkB2cpU9_zqNJ@tx^v5UoGnFFgUb?ysRu0A$m+=;bwcUqPVzYRHvyluTE;9(NO zz52_&VVr$ILvsE*N!CxLY)0d+K3>)q`7V|%g@xUu!rc5B8%guu6=Y-;eWNy1XJ*l8 zP9E3p%yg%5?BY#iz4fxP^y;b$*R0Cm3CkH=I>$jQ|72O`BfW?r3Us)~jvtg-6XNIo zm}AS~$)0bwIlJ4%J7~vh`a>RGlySK$2Spr(!RvF{bZ#aoMloOHlT-9Q_MPXrthxW( z8M4D7`*isC>GVm31rST4(Ho;+|6Me5NazRMqZp3p_+4nxNwV#{YSl1UDQx7~G3H02^HFqSeSEa*0jAP^~ 
z%2s~8+eIE$-zj=jSYJbvCU7$)T|VrJ&U!b~hFE+`Xp+>0B==C;hJe9O>fffOL%T## zLf#Zg)isH6K2bD&=jSG<_)lNeQXW*~5vW%G-6?;DRedtoBe|pfd$R4rkq2=PqneeZ z+2mZ_Z>C&N&~0nYnLs4^X(vV`Ol*Kr$(OhP(3GNA!uB_%Fu_eXvbJ}|WhSgwOrB6U zGdqws%{2Y#fU0Fr|E2U-hRdANFZFoGHvMdM3W`l1CNj?I=Y?%pMV_(`wblPqn198X z_Fd3NR^OYeIg>fIb>rN7yK?wTLmscVS9~3{h%l?|WZI~SRa9AP|Ijq16!aL&HNVTe zHPdLFdX_O`rdT(yQWvO{RCf-b;$rFvapL_=Z?d>dJJpn(PnZ0AlET3vw;W9uf|_yP zVyeAUgPxV~ulEEDkeJ@JVZ1{yg3&d}!Y)>ogi*mr)CN|eN2NpoDWNSwCOuD4uGb}~ zm8$}LHFN4io_6i7>uiuj{w*^8`MYI_QqIOQOn;tEwS7l-?l?oM)(gxJ@HGaS`0$;y z&2?G$Pm@Hw1={Gy`8QD#-FEsnJ4;dJiDJqZ-i4YkO%&Uy*{mZ zo;rg|2-&vztz53qi}~Tu)^}Qv&ZO<9*iUW;x2lc9KT$z5>CzvHfkI( zBBcn*Dt2ws$=>NXZOZOhea4hRE1Nj1T048cTjhx5{;;Nzlq|ax*Ho#=rBPNo`jck@ zC91X0P)MIsJ9AD!i}z>{S+XKCbHD+QbH%=wvwKq420okcW<+NKbtAfd_Qfh@sQ!{v z4*4@(tVT}&!zN$qd~edZWvXaH_!C55TvMPxjQ2fW6`*1DhpOF3n0RNA@zLF29u}FN zXV*m>KnelJ9mYigv=U=-(8ojD5Pdrd(D_+@eh09X;h^w^1Q5wjYQh7HAKv$nA;wZq zT;AbxQ0+?&Zx;RohK2-25Jn}CG7zo;H)(t-$S*ndxUoJ~f3GC|HsgY{x?6mPY}FZ~C%$oIDqlE!m!#vKA4`t%e=W)-bl6Sg zn*fEIG>;m7`G#M_zo~s5Q(7kSi&2o*j#5-)EQ~yr<4GDbaxuv4TS1NdCvndveKKK; zt^IL3hISB)ej)jBjmAKcP^r}s9+{Xz@JCatH|hCenYWF34tQYJq~$PTEqV zUg*wTh194g%NNf>G&B*<;xUq@F$;*A8^*{Nw2l|T(OH;55p0d2)>Meuf`kBaGy**Z z^xYD~7@||eDdqSvKPpxSjcIF{IQ)&7iobH1C2&7*TT2T{`QRMrB<62@|B058+-XwI zUb>E3M6@w#cNsNvTO>Lzm4U?tJvJAZeOXy8up$6=9u%0vr<7oA3u+Q3la3JMmqbFV zD|8Z4Pa-Ba#l|3~x~?nA8mygnmYzy%ihkI2zf#4fP*H`MtwAgKMAvAttFYGX+qXf| z0O=E6^!R{954RtfikTW1ByQwuX=!1=&2-@cPKhTFo&?4A9EVceb-}KamaFBXp&iIn z`3{?4`RJZH@bWW6pRiTVP|Z(amk)r>mk~d_9;?|P4T1p)j-`k9=P+nhBMPTW;8FwvBK(7-St&B_cxVxj@@m!3LIsZ(uDC;jDv)jL( zgq3fOpMcza=cHHD+_&sec+G*uMex)!Gcy}c23-*bmeo@$AmPD?Z>r$=8&2?Wq1Av4 zK+DpO&bu2fNL5v$blwEgKGDcV&K~p&EH4!m zm2J#nK`1-x+QFWjK$*TJ|I*E^-3!D8)o^I=X$~PkJr%pbe2j_T_2;p3LOWk|-Wt!o zeHR+a942Qw*`fueF<6{Q%{EF=Iq=gEatAIavlr3t zOgq{2%!oM4de3cxmf}iE;&yg@>6~<+Ke&N-LLe_f4-J-9$38D9<^Z@Ex6O(7Be9XXedGX6dvtDnu2&;J&ZN4U>`0lS|bw!8$dHQHTpYV(Vrx>w+G zpW)bl);|PQT%#PsQcz717>r}Q_<_>)@Xeb1|(4|>(JI-12yb!wIzMbp> 
z_O)?s-FS#N%LAg&F~rCGx+EjToJh$%ptKq8l_NGfbnOvBFA+7)saneV^ZVAu=u~W= zht<2C+}HwYF8ZqadUyQ}(CjiCbV2OWT_P=h)Pa@t2Smk5ZqVT_X;)!U{#u!;)Xx4v zG6K&8!`3s!<%ZCJfE^bS9Bjc8evp#=b+tBT=Ww%QVZV_{;x4)bh6qSepc+FjqEA`` zCp9%e0i2#vWTB-~mpLghN?3LaDIuj_qStRIDzR{sQX#@)@P@{{yfSco9()=T6An{q0A(9SY^!$NOCenEv>KqwSdx1x}9j7=6!^0KI*&&WqKQ zc+r_Zc|cg!Z<_+)

    QYB;{Z^y_JcyLLi20j9`ZTUXDx{Ctmy<8&m4c1=o>q{!B;m zJ7g9-?woPycOv_kyV>>55zcag8Blvq&y#w;b4vNq2NS($xKa`*?=c;3bN+*swqi{_ z5t0bMfXf8q(X(P5BXwLf18fc=iCD||JQ3laKMO-nRekXNO))Vcum)ikjnxRP-S4^5 zd78@E6GTsIGUXi)|4XzXP_N&i;CoxEuSQr^gSjGA=(6#i>dsF2+qbVPbN@ud1vdf` z;U8~#L3sv=pXW5E`m3-K z#5D1@WJ4~GA%w$2+s@oONrK@^T^*d#u`K7=xFCT;Bn4Y9wLxY8)Gd#9BJQHcNJ&Y_ z$gxC{@jzM^jds^-h`g`@ zU}5nrzY%>~<O(CKVt_eZ6Sj zv%9jlcMCK%=^*y_fo>EXa95}SH4w)=oD0h41W)z!>FYPTnPxwx4O}z={n!8`Do|zN zkOOw>G&aqDhfz%0*AXO@+e@ILw$n-Kfr&!=%8BokRbeqAlFwYZd$^0*H~7e~ z6ZCVS-a)PmHgItbXO6Bq2`a`WaV>+9->aU$M<1NfnSzhh2OQAu>Orx+q`!y(Gm2N43&>PrnI z$w^6d+|Y}aq81`J0O4$V@{Q+HhwrKxvGUjC&%tkV2^M-6 z@7=Mn;ciMIr<|l9Cx?LRH}u>&zZbN#H~tfD@xmGuRrB5>bgUr8Gn^41%zv`ZsDNXb=ku3nO8m9?t>pZ-2JVK6>4cPya!( zOW@t>lrpldV9HG>pz%l+;k9f%=~Gcrp~&p@_N@k91=Qs5Fo5xO!}=?!()O{E)t|xz zWPZs9688KI0GA!Cc4K>cKBu}dODHi$Cntm7zjq$3ISeW`v@y5~96Ry^wLxAJO3+~I z(6!$l)gw57f#A*u;}b!9e?lvQ55x^PhAaWLn8wCmw6hTgV4{?fF$X&O@Z=DWOJAtlj&0 zhQ1jY4QWnl^fvMi>*TnkX*H5c}9)|>PG%BV1G<7`Q z4q{|bE2kD*2{MgU608EadQRX-AqcWB+^@?*oI(}Su@Zx6E1`eX+q%`cF8)0J?kHEF ziIj*)EQBn;RZegk`ivaE3VTsFg~Iay3`hK+m}1V^Ih|}3PU$oP^B(M(py1#QxC_F1 zl^z6P0Rcz6SAywa@MyjEu_^n;B)v<5@iG%yH$ixP&}Ia`6m&~#I4nm9UKHAJXam(5 z%NL0YZZ~^LPQo1t4uIt2V~{6+QV4lI+A1)j2}=Tr8cO%z$VdXOGlim`zh>eqUufL<1=<`|R#SKySUZydpkSqk8@DZVH?0BXGQ1Ur7VI-&bk-8bex_8_i8j!;1LH(#bZh3 z9ljD(k`VNHXeg4`b7tWmL_%a5w0Afz5QOp_s1R3?$1K3!ykt`rwK~l=$xV=#~6D+J55;tBkrl zR9};?3JTV6i(`Wiu#O1|h({w;xGKsOXqO2KwNVQOHaO$uhQmB0PtZ$jKsQUrXFVBa zUf$Y?e$}`Gi5ox*Bmk(Tii@A1+11sJgH;|oKOvx1&bl;F$2J`m(m zqr|IbEl_(VJVLTXZ-K3gg9@xhMb7xLYL=JbU=gs%kz4cmFCWhAdfY%L`bMD=@>4%8 zh_{D_z`^mgqazOs8%HaJr_RxLlnildNBg@ypFeuOz-4ff|*B- zJWF36+MSQWx%f%+U;~__5WlS!fF z1!{dxF2DOCNh!Cl-4;tvNs&7EVvO+`p~ZsTw63RD$lKo@SempVIB>CQ*g|*6SIzn6 z9cYPg@sPa-+KhU*>Vvb(U40Po+UQI1B4J+TJ9|byTZN2K2KsRy({UqxeX(CU@JHd; zT3%XRh3@Sty)KSk%K4DPC3t!EbAVU6m;Ei20=|X)=E)+>H za)7UWn#Kp!jG2>It-`0!8@AQycd*I{rrqeg$YZY`;~%sml;NE+pYm${E;F7R!c5MG z*JxO==kP(lj!;Ih_fWq_Fbr|^K}E!c10KOahx5g67;iIYe8y=p8}I~Z-*va-{X15y 
zI}pZU(ox-H+|=K{jhcyIGRJT9O2+Nh32N$AXT_e*_f(MRqMC`PUCrCa#m46KWDS)q zfGKO&i?l(~S5rdl>*cn^q@$*|o3?P`0@6L4!l9y<0H9<>B>L#WOu zVKIXO2q45WjU8O8foh&E41J4lGx?{dDmQ-l zVodPkqhuFA6^WbJ{qHAKf;f-k@yxeNyLP=W*1Sga^ef3D9FUf=r>N&GvzKt0Y^eYA~SD-dcG+sHYUdKXxfJl zgiH(g2dN(#GF^zy_4IJQEKHhU6#!#0Hs5ousLXHLteD16QknN~<~ze{7v9i}LPGC* zM#si(lG%msM{a?%auAUb?-0cuS~dtlgrhGC2@Qfkf(m&>8%Ym6aLB#F`l>31zuF(b zvjiIkqw=+Zcn&5sg35r2>2_JDwG#F>qyQK0Gi$a&uX-zj@0_m$pi{V1w}7RO zZUS`#+Dr&-uvjD+j-5Rl3p=)p=5B%9Eg422W&!ns>D0<}H=2rvxUm%qNmL62mk;6) z)RlO3K|w))^H6Vhk zg_8HwL_~@Ql!gHDpS|)nG<~&IW>3|od1s-b+AksFgl}Q`PB6b1TWz{JgqH__O$4tM zdLmvtQ3&k)+4S`-)%CT0BJF)?{vHt;y0x*WdP!M$-K|U_glZc*Ivgu);jiH>)6M!-@p34^m^atxu5&KuJb&v^R(eRcJMlC(y_t8 zD%0Fyrw_oM(F7)Lslt{tf-_5`0)=N|Q&ZAd#4(8x#d&=D8rST@Z_V?GH&EVN8$Dy{L;c_U=H-0}m_o4y_aHG;*}P3{!J+ zr6^m_AY-UYx8o)`hS6}er!-~D5HrVX03JX7jSA&?HQQG7Cw9~B;7E;U$gU|h zI5#&JMf(TfyzNcrDtRW z*ES??xu*tWz6!`Z+Q-X>+dFKp;U4J1@q2yE%N!Xjg+eSLaDXhu>3ejO8~z$qHmu() ztBh39Ga(|t?;(ESQJPq+{qP?8i^$D`k*5dAwxbcQ>ezo_?1&5W+@(7&nxz9zTD=<@ zxRKFvo{RVjF#5qT%K4++;%t|JQv=vTev(j=)j1g}oIh9H+{)ql4S3jg856@Fj zqG~#dpC-LW+^*5 z#5g#TF*A)rJKa!=0_Nk)u(yRvI^EWW)<}#K3x+)uv1IS_(ax`9s2Xb@ zPLR4x=jXG4yU52v^ej~`V=UsB{w?u=tQ&Qk4k;GWE=N6KC#G5Kll6? z)lf>r7N)&J9G}LAI@G@ITU`i{E|F))5ctc<`s!SViN(5)&8aH4@GGN_|hBXm=GA zhk?lecFB^lyO5&rfN2qU8+xEM97Xf=rdv?c8+*-b8yGNoDQ?YzpZz~(MTPvbGBTt* ze>Z$gCwB{x?h2I=XC2l6;RJ9MDL>123Snr1UvlbHMORlTx)O9*UXuo1|Ag-}e|}Yc zI{nz*IVPlmsqp@`o_v=u>ghP+!#>`m#nG1? 
z>FK=&Y647D_jUgxfB)0?9(!SPiG85Txj%$bU<;Y7*=?dYx2l=o+auZgMY8`m<69f+ zN)fA1ts>gi1~VU`98-38b8Z=-=o}WPHV#v;2C4@lcGp97O?+%XP?*35I$(SJ8wj+X zo;QHeT6hG`x8iHQ0`D8Vb>m>)Q&wi|^x{!MEYt1O(m_LQ+ogOhk;@Cpm2&L;%BMXu z?w*tXGvmTXQ|E2E{*~YN91p2XTF-28czA1g>y?oHLpL-SUzSO}4ZgcJ!fEE%;)>2` z@fZIHvq$G=!LhV!hL-*xT{bncxwxY};rxjy*i zy;7iL)_aW>bH@{)x-a+t$YZrjwL;o806_^}wpF(`eK0J{%%0j$EKx(~UP;)w87Kz{adFUN0p* zodW`g)4NSlRuXq>`Eq;;;h!};P^6h+vn#^*7P-O@$8JhW0dDR~=24iS@^!zt!J*%4 zGiT4KlLxVVD6?C4M(+WpvCgMp!2RpuQyjZlKQG`{NsH_|1K7|uapo`Q)yk1`kD1TZ zz0@jb31DXPo3ecx&b*_v8fOWnq)`$Mk5<=Ef(!0zBJ>CGd#J)AWqLmDUOIh^HD~^M zxLU8a1MMw`Aky$Q=j_FmSD;HNfT=NY+IA=o5d|EmP!KcltS_($g%iQBgE zvfcz@XyYYocK~?b#_PZ7O^Hc0GO`;XrWCPUw9@AUYWQd$Q*d1Q(=kKVfa@XcY-OfF zVFbe&Os=I=wWts6v&z_KGppjFb)Tg5c}{Ci_&RyC!6wz%RNgZk4#d~*YpQ;vlmcB4 zSzo@+1p#-eaMo}mxote(l}lqSQU+(oyf0`P(&1ku(4RBDy;gfAw`V<5Fd-STh4WnQ zRL^=ppAV*@erA-JU1epSEZwf=W4*hHOPtp=gt*RqO}-l&1$ADnj=}xukb2!~2Si>D z)J6z+)rB)dcuFRlwDA*SYBFlZWBc_59z%1%5YyT;=Qh+@^MLq-vWsxvhANC{_MEHK z`kV<}0xP=L?5q-v+H8nbFm(*$tYi%h?)H>w zHT)JV$3b~T(oql%$jcFvODK5NI$MxCaMTgnUi^v3FV%{D0X$>MW2)I0GL z3WKULOz$LJCVF3&WM^m`bT2>Eb}+GbP`fMcbyA$*d*ZiP@*RDENAV=*(CRmd?nafO z>9i)lha;zK=SfG9 zoSq@G>&P-m+PkDk(Yn zLq$arj)!^1eRy+1eY=TFm|MbG)m%cVC|TuzhVJ6FwZnz^f|e$kG;u~Bf8s`1J0xf? 
z91Qx`Y6&1o#pM55FA=)F{%b-?psIA8^|!?X5mg>$E~n?(e&-_$^QK8GnWy#a(^g+p z)D-gT*ar-}h^W-F5POl+q;v54~|7`CPI6 z_H#Wa!rh3Iiwji~$UjYiNE;czcp#MirbOu|DuJYaFg~xDp5n zK!)7-+$d|j+=!>|9@dIo6ve9wnWMpHk0i13a)-b1Xg2UimKN+bP~)1q4<*!X;Sl)^p@>+{f300Ox5?iPFoO1}q8S7~LI zuhrAil?|2LQch{~Ssf#SB{~lU1qFfS^8m8k*VhM|t&tpJ9(XgpknC>j@FQugSz6=f z75+0d4C4XFd{#Fwc+Q*#ApHak?LhxkJ$k9gf#OKDcNVS$pB-=RsA?NOqk&Ot*APi=p>>COcRf{Kt-0J;(ah_XUQ<)ioXc*Ebc z>}@=fp|w=LzFhwK#Gh!z`ugI(TEd!zI}i!;{y-pYZEZ{T>EPo|9^=5yRG9iKok#WX z5qJ|d^Q6`CkbHA$@9Y8m0~mq`RAjphd=8zFl}R-?6%;~slFct1G-+L7-G^qN3pv1I zRu&cuExN|4v6A4*t$T-H`h?2_2?!x$(XjDC9rgbG`}X#Bn5ZA1df8!1ACv+oZiZcP zUxu!p2sUijd-4Vj7H|*6kD;jtSBqAKhK2?mGXRe_YMpv5Jp%X>5#z!AS zrGa=sH1Jr>P$I!%27y{3OA|a~WGmThctB{RJ62&*PC}Dd=0RZaTC&WM{2$P^IZ$JLGDBI)b~0fN82cWjT83Ei^JPHznW2@S*uB@?l_p54fyX<7q1Q zC`#sY=gy_+nmR+)1y*NO4=eUGYGuu%n~Lyf<-Z9QJ9TQ{kAz=_h~YjOe~J?D#NnyadOwUm~;QXHyzsh>TDG zEEq6pfISQP?a|VqVfVo9iPm^b5}CZ`CiBeg?R)YBP@ohvOH51bBkOZGEx|;JlU3ch z%V;tD>&XU+@{^-E*&se(|9czG5pYw3C6Ngh1TtiH8D)L7gnc+TIcK;igL*@R+imF_ zsW7zW6Tr@Z0J|(MA&UaQ0=gEWSH|N_nrsE$0oP5gL>}hvdT!BkU=-o!QTtp&4bgCN z2@PnFa7E^#z+?Y~t{du%B!ysDH;y-FG@+VA7zeHwtW#rV<*4t$#C`y1Js*87o|T@S z*y0;m4VJ>;-Fh|uq6L6-4dDqHFJ73dVX3*p`$(0qY>m(&RaNc!dBb~tRC_5t$^pR- zed8xL7G5XGi1fN!-ujRAD^F~LmxS5;upKFKJOa`PYin2|@q>7jkkBt-@c=jllNRCY z<4~YMthJ2|M68R83lg~EzsxRrj+=uH!m7O=9NZ1{h`D*HQVLjJyqvFIeFA2+s7O@v zf&J@7I1hC&O#V&*ybE)&!6UM0z|FtJjt>sD!r??*Y8rHavooF$v;6g?tR}F~_(}1} zf@Ao0SpH1{zWEoP1IRBaDG~KDLDPoFH=F~o2(H4zY}@{lJccK{1{)EP+g2>LN~5Bv zI5j;j2K#Mi@kIqFaZj>BYe8D7!vol}jamdx;SXnHg;9FG$(Gjp1=h_9E3G^&IPCCh zlW{;JjOAAD<1@~gQ2 z0h@AJ>%V#e7G`kW$8mv`ybK``u>=7Yh+bzqtxoubf{{0jN*i(l&~yVkqpO~^a5SWF z4UV8I(T7<=x&Raw5JS1w@->LkKtZADh*<~~R(5il0jxaCS<@3D(vGLw@YLVyLFi%2 zWDSLJ&Y`1yWssJnTO1j`Q&GgE3^|(E57G2~Y95HN zTw)8U2ANIa&kn0^Tn7q&LYx76zW6w}0bO=+5oWs#c@g0AL{ScBM@K@J1G;lN8!Ab0 zFUeiVK?DGm9D+c}nBNzPO=8!^`B*hz860IVdNcavg%7^fp@+5osQ$=twQgn)y-OvC zR8zQoffpR~J4@0VpPV$-)2kVp1&7*@Yj$QyGOPRh&F#A@QvhZNV^;=X33?O@1Y9Dk$_*nU7Q?$eAQ7LgK1X35o+SJM_lGJAjR=sO*%=T?EF7N+rJOH`cHI%pTapOJARg 
zfBhQO1vJUX1q){Bkpb&*HjInZUynK>`%j{f%bqTv7Afh8Zk*%`*E_gAsn)4+I;eHn z9PV$PkSsX3d;(4!_UO^D3SvYa!I2Y|xFFYKW7YP0Y}&M`*uWmPu))EqGz)vSZH7V_ zy9|J&5(5F~GrI7ZVl2N5IH8Qp`jUDL-g#IzAW@~viXn-{wFG+wJ`aAW)>jP$Qnid^ zdQdteDW!2aV9VC6G;+i(z!I`50+eLII}Q+YdUiIysK_D~I+fHP1<#&!!#D^P>+tMc z`b{{o4dE!?RF5hI!t;^oE$Aq+Wv-xtsua&r;R;nmv;)kj8CU-Dtu$R7l39;BY9hCK zat&9*ZhHk_y3S~}$$|1R1N)Liw+kLgN3ddEcYh|4h+Gku^BjH8~7~&q*etmOL?V19Go4Pf4FDyu4aWj@MxOS>yLMs;U z?x+`0LsV8)&ZRr;*bxK{3=X&sFzd(N!$yxSwGgV;de+lgTC}U9AkzSV;xHuglUL30 zFNqSlz)Dj>PYCC2kI+6i0XMW3Xci=#w3%?|GUwJF`@H@lpU#;`MS$EL9}cS2NWP2j z&GS*^z_a+tuEeaYEYRlXwt;J7k+{akmh7{>2FWohXriUK+UJYM1~np@9ldPO^5)-i7CoCpF{<&<7!t{4#1!NPRUlkn!_GcOC2dh9t}E$g!K{;P=pO z*oBAq?-zu<=LKXF;yrNf8Z6c(*Vi0AJ|y5+EO|VKDcqx|ronx6l>5kJt$t1b$he?T z@;n$jwoU4-$X;_DrJi`jEMx7)NJD<^oU*8-<=+8Fd9aV z4K_(#V=ocQh67w`HWr5FW}`478>cHp!Ghy73gsVkvu$p0a!#96%fnva`#TG>9Xo1-#5xD=}f=f_m-G*MDN`Hh%45g)JIeO5~@@s3Kib z2d%rIXz6S3 zq3y%gWL<5=60#8DvvNBlY(xE~=eXS^IxX#xR6uDu#)3OZDo;VJ7N@15RZoE&4d6Ir zXXkbcAg?4T&4)PMjx_@x?2JzNRBM;6F%h|Q#4fvSLb&brp`4%IEAda4e$SVj5Pgml z8(ArExPSGkw9paK3`8071m@-DiaGTwngv}K8km45=F(e`?4WC~Z$N7gFJ)xM^3kKa zq7TAI0$gdaHbh}iY(8OSYht1f#a5Yz+xWg-C(xys6R|-|ArykJ{QQB-5AR5wEO@}9 zG65~Qjji)$#NhaN8TvEGlc8>)qdOf3S!Gx0jeK}4v#P~P7NZzJ4KkBF>Tw0QSm*c(Z;qi`RKVdhA4@CV2Ah!Rf!{eDRv|_c{44A9yH=CaCTjVJ z84n$u2e3#b@#BLM-rk64g7OvOFOk;!iRn0^z`vj>7sh%UdLY8Z$$1690GNw8j`3DG z^=2@{=pM&MO+ zSlB^C2Q4RX)51tO4h%Y2>EngPdV~lG`e0b?Gf%)8szHwE9o>&wIfx5ccYgF;4)-wr zR-d{wp`}R?s~uqQT9FTJdMI48**H*k zNnD4X(+lOYOFG0lsIO7W)uMSHgsfYz4$RwLM#g0w4*>Fi_q*;>`i0l4)>OuYDwrfZ zc8;?N+rA1+H`bk?e^wqGq<*DvgN#h=^G^OsY8lo8nR+QoFOse4c*FJhb<=smqcyU4lvFdCmGCDkEo+g0 zx1V(PxXEM}q)sXazNr4sxbsj!p^oYicw_3~%|iF)U#`Ai2{(3;_W{U53oC5QR>Rr%;?=w1A% zl$C2=y*dF2mX{m&0enI%0Wz{(NXKc%S3nDnGK`6tdA=KuOWtP5&6#{qdQmQ7)<+-gGch) zu2@C?@#U?r#igFEE#>;E#Y#^rcwI*NAJ3iemp+xDZP$ITO`V(8skjSsmc7h)AK&sV z8;yU&nq*de)VZadHs()Tb4*90Zk0X{V04Ps?(#mUlp+X74DghwD3B1m47kEzj?H)B z06OzZ%b3luC&>$OJnshJQ31n4h(H#E>VoIH)p{Liu2=AFObFNV|t4LkP2r2Mh;4Djv 
zi=;lU0%r6!C`Yt-(bs^6j&VG_d@x)I=r4jq&__VfiBl55%jQ3CzF9`YHbt@VU4MlJ z2mPw}quW^1-78Hp%TtYYpVKaPm*LJw`X~?%A3H`UXiP}}orU-u|J;7(Ie$yRCIvVVM!xuf5+WQ)LNa!k6t4B}{NfWagg)c2#atm=rov2o*tMjs)MEVQ)ED1NcDwM3>cy~za*Z&;(mcUxMFL;qdcCC-+ z6}xr~2L%t?hbQY*wGSXw#HiprrsVt{qSXgvkmk<}0jMOvu-Wq^Z&cNrLGKWPG6?1d zlL5jI%^1MCgsJd))E(?l`(uU@sHuu|c1WE$2tLGg0XoJU`tcaRros%t3Q6B*7onT> zcNil5M=VmQ6rox}$j<8Gceu7=1f~=6{MD)3yF2Sfapp|15cp@qrj$U_2Xv3~J{3+< zkp{z^USBZE&`;#@Q+awKRIM2;OP%E!16o#XUSse3{~mjUAim~lXGn+iOq^QEr2c|Fq1_O&SLXK3 z;C?nuYeR%tWkLM_FV}lCu zLXkc5HD+Y_x&48&+Lz^O`w<$~>^z+uuN#|q=MQg6uu0b$zCm+4D<%mnEI0REs+q56 zSOMp6At!GwPJ^@(8^N$439(50k+ooSmdSMsq9L_aQMoUBU}}E;nY5StD*N$}>ZGhz z{*kMFKYHG;+R>9c2BckXL=&xo1R*J@8OfH#UVy(e@5Yu(pa5eM&E^RlPb-(FC=jXl9-`TS_R(>Db&>JFN z&BDHi7n_--&@Qyvi(ris<{D+&c5BFDZX2JAOzhVw*sQug-) zF|OWAs=1ag7!_FhC|xA^`^k?E*n1S%L&1)H$F_s8Hl7bNk-%q0$v?lmcBou(7 zLkdH}EI}RVQKIIM-Tg{WWb~SFNOb9I!TllK6y@^oD~Q)vToEG5ii(gKwGLMY#?mQ- zMqzy9kl%ge?*Qm@c?j*y(WB{2PwLD;8+pSn2Dc8d9zvBHErk*0Kx8LjWD_8G$5a2L z5hr)EuqfB_+S-*LtmuR2sHxE`v{fw#m^wa7TxkH zs1jt|ATtXWp|><7`2`V91C{8UBW^yzk-;?pH_6Y-12K3Unsj7{E~TNGjoD5w@=`@`hG+#F^ygq1j` zgPFvf&^gWBy^Z`b+!&mKE1(Ok!k2N}3=;|%+1&+MB{jeDSw$9Fl55PI^^H>L;c624 z5#hw(&M@*OEIbDi!2Y%AbDb=ZQ~17%o@<088`0Zw7LRZ!KKV7#G>@n^Gr&{;M&~G1 z5Fp*wrYphOT8(jlE+dPC=k%C6RtMsloy~8UXN3G7_)lQP8ClTeEDhTWm%Y%3aSh^6 z*e*kPN(_gVpFH3v>9dB}nGgZ_Nsue`+5m;BtA{W;GFMN;9D7gooy0PMXAZ!-ey3t^ zv6%nFUyuCJj!T?yg!Z01L?ECJ@xnYOdi1yvVQFwj5nhVBAUy5`>Wnh^?6$?W^0j&3 z(K)te*E5xY!^XZY5Zt10@uarP(fHP#rtZ zy?gg?&2fWVwrD4P-Aqo7avrl&;8M6IATWTH3?AEJ(4WNy-gxT3t{ndwTRXrTUZWGI zIu0E?mI|;-_bMmUd$O{!nAHW1Z&4S0#n!f~PunG<)VuUcO-&w&l(MjU2PGw!pC?*& z%uzPl)3C7AYjr~9{bOjz!olH-BqK93l7>~?w=MjWQEFoX5m8@PcZK|Ez@0nLay9+f zQ6DR%?^AvaiVj=0={zKx4V%Ur1p=Dv-*okt zMyCfaDpYwU(f8y>+1MO|Mr9;kaa%EPLc9Zj-j)-&x@2TKz0S&?)I!afOTgDWU+e0| zfk8pn0}&mD4p#8=M8Eouz%tdnaWOB{g$(WHp+~xbs{`ch!TtLySkfbcGnkOSgF6il znfyqC8L!Z%sB6f01_($z?{X+f;v{d#ZA&OOzSJoRf*Z)Z2}`C{CPZU4y?$$^x2R?? 
zrYPtb%@tWoJcg`Ihf^>XyGQO0C3E!Crz;&6aaImuNI*sMbIjVKME?tX5#{AFWla}W zPyfL7+DW!iHk49JUcci$Ud!0`(r7W;gy(1x?Gw?S(u+nCr5C?J8?dsvO0p2#vH2Ft z5a?IzAX)15oZaQ+1n(ZqQu#d$W)zK;aI?qK1`qCVwZ;+TG@*^@Jzt{s?ST6`q1+2y zE0pCKK-`gBzb*|v6%*~lb88q3Cf~fdnYCLrve&rudV-fA8{18)nYj^7cgf>k8Xod< z*nd&~Yv}9O4me@IR&h}dE$3szlxmjEDda0-r)3UHE7}?SSnH@1_s->l6 zV4xDhi+Hnk)KKWqa5e*aK~DQLjtJyXy&;8+9syfFx9}&rC5L4aTF6lwQU5(4JnmiN z`gy?e`h`h}yICZ<{5|IycxxZEbOaV}$FqPSBb2w0dtmwp?Q=a+l+@HdlYgB{Rq}g? zY7^60)N)9X!7L12u!1w5Ab z6LGb5w6zx(7mt}WgPy{e=F`|%BApQz76%w1^@oE;!<#^(C4GprDox$FZa{!%7)(%w zBW16UYqWx+5LW}-(v#?D!qukCJ>2^so={AV+2W`{I}OPI#<=FOr(;v54-x^-zSM$A z6qLOMr=(|M#fkmvaL5> z*#dkQ>?TkR!OE-x7c|Ph21O=9Z`pKpb#pH;F)-*IQWyG>O9bxV=*P*5s!xt9?4rJY zQ&dF7cML>(!iz>kLp3D;3AJ3D?Um)?)*DKtbxiiI#lr(Txz-`l-l(SQY_XdF);ytezf%T zRmk>DO{J%$g||?+5@<&N6EN$-DnQcTQIwa1a~<#BC!&hNB|w|Ezb>X0?~Z*7dC&&X zhafT-kUA>(W^0lbZ<*Vqk*eyhGKL$^vP#R!pb|R}s))`Cui-GT9XN&Pw{4!Q!1ydi z11C}b#F~8`aKf1~3(1V-k#@wZ!*k^rJi9Qb1{D-+E#^jBptWL0KP@i4ga`UdoJ^ag zFxUcIGu(Ac0y9meg#&nYaB7YW43O-*#oc>sZ*vDmW84uq1t@z^k$R0qj1jVnap$>rQc_~pI>&hpNA4WG&fLo(z`qE$_wBi>9AhAWT(e`s!auPW znN_55QlpFY1iei3dKY9MEWyZ|MutJ&b(M#=#8D3lkb^lM9p>K~ULEVC>Q%cbYOe8cT zQBXXPE%_5<$kvLA(#tiGTRttu)sJ+2)yt8x4%9f!*`=&jul7}Xzo31!th&sqD@A7~ zj!28oPuQrop{6Dk{b2V)#$`Xoyk29zY;|4hynfqwF7xj{zg(!nmCI|vYdM>bhJ;zEp(LPVoOx>j^Zyf zV=^smHSZpNvko#mRq`+_?9?_Z+lwdU6fqtIWkhG8CNA>d@HeYR_1a2Z<>Zdcz$Zc> zu>&&h5k3Ork1|5Hr)ZoVaE)}c=jZZF*wg#*uEob6(^?FqXf&-i_sf3Cs!5)?(^j*T ztelUCxnEg{iGLCGQgd4*Zf%2?CZ|9p)$y7q_oo(Di;jKNli?u7%aK z`*kK=qqTnlr`x`!rtJCGn(Xq= z=-QSh2>4TCvyIm#vQnCQslX6#mkfCgJ)POaJDGG>clk>mJQyqcQHXlx{>~Ggn*@4& z%?|W2?7O;i=PU9%Om8$))v*9Il}Jh{>gqmHp7XLv8tJqY;h-nDo0a?n*OJl`tYf}r zknfw`yxc7+aZyA(ioRzP_VDiRXDoxNX_kSBN=izglNA)mkNW@;xI_R>rTWQA7uDyR zdIlXFyC-KD97%E-DG#}|0=c4jw3|~_dIbi#1gF2f>#}c3KcL@a?~vm#^?>`xkzVvi zD2ofusYMB1fiiVz3{>A+iLC_BV|1`=&dB`YFS5hcYuu{qbsws$bKog~+(arUM$PygS(WzhQW(inR!_5T220i+@)Lp12+1mt^fc4 literal 184125 zcmdqJ_dk|@|36+S37MgYvXu}Sp^{lPl@dad&ay|cN;b*JNLE&*VN*6`CKM?%Gqa4- 
z$jJKK&)4g^KA-pd_WcjO=MUFaz3Oxv&*SlYJnrjx1nFp<*-gnxxn;|i-KuAm&TZMU zvuw*2vTYRG@F%yA3y(R9-zo2i-wd$iSaxJpZv3^} zSX)WgPI~NQ_}{;B|1$z-i-@c8o zq1uw%^^yH+)S>e{>vjMB#TI(`mi_qUaM~Tc!W*x@S_IvwZ$(HNqqE#94=HGA z)7vH@Y##CCc3J)N&%S^A#?!t3w724(|6Hq#;79SDTeh^&uP@J%QJsl6`>fEmzpkd{ zY>6^Mow?X-kIvKQ-1q;-U#Eye{fr0Z<>j^1;;*V@39)YruC20lEH(;ywWaJyYYPQWNAWXK|ul8PMW49 zITLN|Y|qUNMm~+@u_VufgIR6v>wn)?RBT|~H8eFnH`WeKjNaD@q5eduwZJk1+r4DYV^5v%fR< zTEH_litdYMWCaOH=oSmIbO_QI+lgXs4t$8@*=H;Dpu%4i6DYL@u1igE%C!;yD zH9+7$_w01>f~wS(HM8UUKhKYS;pXD9=`HbN?&SUW@gt$%*=y0CnagEuIX6B&UJ2hA z|LfPUygV@{O;y#P;kY)=xqIeT+$C10s$n+zwp&j*YAR*C+KyOBnYGTToO zv{H2LO=!%2ZgqdpNm-MH9l+pv0QB_Xr$5{5e6| zai}Kfz$uR+yTPh(PDNZ>cVTRDc}i=l$z4ggmaXz{3ETK08%7**d&F5oH2Bm@l!ZF} z*MnsANtUL2i6=GLmA|<*udS@?mu!9E!iC2oCN{RV+Uae%5{B=rZq`d~3zDZg^1dwl z^d!ai)T?WhGE^_Uy}hv%2LCR_e{Nnz6qS04m5q&&k@4h-6O>d`JFJfpT9QW^V+{56 zKYsf3&i41|fcv8l9F8Z<%{eeJF*%XZ1SqDwzfg^b@3Eqw-y&4`K?(R0IU^}a-s+n}^?#kTA-@kvS`ea(X zl8aM$7;et=m7jm1aY#VmH)<1=>Sq4xIMN3LJL?&s%+FYPV4 z-PYdje`u>=P^}q#`@(dup@KChT3T9ia&kez1$lXSMMXufTwQUcRrUQ>5-XO*b^h;8 z+%k(EvMi#kT$?24nQHm^&6@)!T(-#1UwoaBk@51SX|Dd<+}ug`#VE8br(mVIq1xc@ zZ!R&urj-iPN)OvBYWAbZ{#xC`eJ9(_F(KM|3UjFyp`XVlaljEjnpk&)qViC(LF z`R2`efv9(udS`U>^<73jMZbLc^2ZOO3bv!MO=!$d;^XoB%6knv_8pDYsLD-${`~o? 
zS6wvPs0?-{rrUV3m$Hp_z2AMpezW4ajbiA z+xJ)v3k!=;EbX{c$-keds6AKXLtESfM`|g#J}B;Sx`0obv=+L2Jmszf>>&@u>y`_cb z4G~O&7Xx#JEURZ>pUM14-Y5j z;Of#$C+p#88H=X9mX^PZ9mnR#GYzyaUc9&vf;rPa;rWG?m6Zd<_OmYJ$&DgTZNb~xHvsMy~v(4POH|p zFWMAkBS*=bgC9H)HY&2iQy3aDTT^?VEblY=C8^S?ORRNiabO?bhtIo^R8=rM$h{Nu9XhfN%^O zJ-wF*+AP+@`R_rp@qv%ciD6VuHb%l7Ur3)YTa9qF=W$P-95Jczz-G$yNM)0sdM2) zUJJf(_%@~(I z7dQV@>0P>H+gtJnHxA&!bxP^X8Gad=l8_!=jVo7rapQ*%AI2;yb(%=U2Rkt%)+7@?#&~ zl5dQ!8F9Gl;ejW2@TKgKa(Y{2L`0nI@{8!iKK%7rcUq1U1Z!)dPmz+6l7ClLc5L5H zQPPz5`nB6+XD(lx^yMS%gVh0w3JOm&`1*G{-M)=qMny;GDhDla47ueN(KrNpYo%T9 zov{@Z6{Qzz2D-f8f9C4d6fdu>B^C`4yud)=M!{R|Crc0T%gU|-59Q|OdeelZC7m6f@G~iEYBq1IuUg)^WzqB`B|AGiHPyR6Iyze7?q4U5*}igjGIDCddfN_iaup?| zsHiAn-jN-U5*Q`9@M{l`T4VF6y3@0OVep8Az#0JyKw&e`E%z|TM3u} zxR;36&2tMAZSUW|A09TBjMpquH!$d~sxm|0aloKW)?auAh7p@OHOw747$v0 zshF4;vxu?A$Hu;bo00kX`Qhx$OiZ|ny4u>oq`U_YKA~5m5zbx&Y}k>wtgEdpa^i$h z4Y^cIVPPR|BiTJSEDw_$5D;zONhVPx?dHv!62A#7>gg;T94JqV$#<2Nn`j|%KYGT# zBu!0C<>%%3+NwN1x4ypacOm}On>UUQ4!6YEZxaVTU`AEB2RToZ_O9#zC#B48ia05% z?f*XDPZMqFO8^yFT}Ae3=pxuR)>c;3yLa<;h!a;aC+Wt~4Lmp3?>IS$+m7!}%gC4< zA1Bz_inxuVV1M-Wosy8ytC{+eD9b-Ca{j`FZ*?JT@fi_b(YK24t}X%^Qv8n9co7;( zV{qf3u&`E?gYW^ld*V`3*;!e}`4%CirLu#@hK7a;PC*JO)U4t!(VVfpfz>fG@Hcr1 zj4oYTYKlEZFxo{GY2EWqGpZwSiu3ScwJ4!l>?^f1XLg#PLT+7uE$j0^Ki@)ASNBo4 z^`1R@j4SW;daFwm{rK?%Bm})54?$H`6-&dmZ(mne*RBRuEe(x={QRF+wD}_O121Lh zi`x7sqB&QWSZn6$;^OP?Pubtp+-wc7!8LtMK!AXe)@kkNIFA*%RtRc=hHh0w9jmW1 z_c>9PV8woWak2|HJ==V7`um#>%#570@wRkrLQo$c*{sk-Jv|BM$NFbREG{_X7mRH4YN`jsWV)YK^R(Z@oD6!xm*KC^Qp>bl(`%vhZ99=~!zg+Z zoiGbM*;wUA1why5o&GX26ZA7t^qL9=Gsf$i*RRoz@ne>j`aQMdC53=nTgZ-yi7jVU zdaTTW^6_arX_4m|#i+!%u@p1Y;(Fw9_ii~DSH>sJv{qt|tE=ns6x!^(O4FUdlKaBAs0(obJ&sY$ptsyT z#_mO9jEg(1eR*f7>whug#Fb(PKcbw1s_F#3t<#!0IQr>R;glC%{RRPnf9{8BC@NN0 zS9A07UhjElefRIeU~lrvmjulI(9qB-^}rncBmDg7OEdjHEd};`ij%O6h=^zh5xTdw ze6#HZyWG7se5()n?y5pp6nsE6=j1P3k71#Waz|u?xvXp{`cFTY40b@aarxZ*yyE#1 ziWF<=?!8u9Dqg&>I6qTgnOSAa&%={^M_ENBH5iv5eQ&J@^2b$LCz;;5x>2A`U|E-M z6KFomY8y$!yg|34upn2{NM8Kw 
z`oVigDz#ZldwZSjPx~Hh^Zp`x#TG>@pNr$YlP6EMx?WlSOB^Iy)DsdGw#mC{ChDS=t5I#|1pNyRJslmoxiYXROgjRPfv#?AeLZjleo8I(nNXtwLMtjE`%0<* zJwI0}x?KGXU@-<6Z45rgvCk(xH%jnU6DbPZ1X3UAGkllM!A&XOF=+#8|I*c zlatZgTY8W@01H9)&%W$pU}KAa`t;st(?0nT&9(LQR&!(UKu=H4YuBz-SpXl`)z!Il zKF`ga#m>V+sFo5C7IwaUTe*?4l~BOQua(T?&|sby8+%znVcXMfo9nB0`uOO*%|KUE zzpcBhE(#fB@7LVqd2|-bt-untUz&@j?0Ir>&fQh#GiU1Yr7U~)3~;Uj@!hy_Lp)j9 zb#D0m`_l?;hhjC1OPmfFY%K)+p)QX_+dqBpp%)&;2wsxzFQv(C03!G2`P~IG(W=hzq*iJy5u@MpH zOiaSAe5Z@D7IFrl`0(L_dW4YRg0V!RY10!?#Q>VxfOO(LKU#K~gf+nJ)XMc8P`dO@Tkr}PuE?k+$ViH?d=Qc>|o)it!@=5pV?qoJi8 zOZ+M%A~FNcyv!A%LPbNv*Yxn=p(96>9M@l7xCPMCvU}UMZ7oFRXtmvxlw1!h>N5=9 zQqsoF@AiN3{CP?+HUQJ#Uz@82Ey@cq6VN0G%XOWddlL_7g`+JS8W^Nn(r}yzq|uDS z95{V?OaDy;pl6Cwh7sOCDz`yjTN|rLo4&Fjl_p%?HZro6ikrY2N-Xp9^UAxHQ4OGi z^A=$k9H9r~D$wvSRZ-~0#l`3i%OfFJ=Kw#y-PjaR!=M(RVB6c<#aWwsd)YMu>a!m0 zWn%-d0pFy0^`P$s$bhxAb!*@Xq_eW}@|AWb&ax1Gt%RJM9J+f`Th~K@X#;$HL4pR- zMSy^I(sDp`!E_pl;8iD5vEj+q`iw#*kaeCsy>!#mbl~StpV0UE#SXmpR?#GUqg=^- za-Al=zUT{LW|ej@cX25yFF(n7=eUT-7i>w;DnOZK;$U-c=3d#8)NwaBpPgs~RBsjk zRdILK-_H-oXx;`gMvduFqOyYC8wdbc;}lCi?WZ2t?R{y=>gtw|zLutYE%U5jwl8s* zdE~OMLI1t41(71TsK^D4+QnZD%8RS3bcjmiqet|!g^EL|X=%TI|86ZnBMMJ$YHE_Q z?K8cR@4h%$>^v3s%8DSJrKR^}`aD$jYNgBp zhz8PF0r~*&E_I%IkeTu7Rk7Qj*I{9_tRhd3+owWKsOW5Iq2u5Pop!~{_TV1X_a%89QJ?~Vp6+3)8~I&;#8MTVfD|ATL%|Tk#_P~GG^fKm(4lrQbspOD zASNaTUGSxD8d2dr>9Rp6JU363jG*KVi4TSRAIs2-8)nd<`=fg6StgwR;yLcP!f}So zc&~|x34m8c2ZJ3+;|VNINJuCxEsc(5atj3I4^ew=)>Ue6Z;!rVk>3UA1`#MEICvGJ zM2_^)GeDQWev#B#r+_2Og5u)hTwGP%-Q6EPc-g+s(qxx**eP0zK$f6U$V8f4*7#fX?J&d$y*E!7{>hKAwxyIn|p2e*)rkfbE@ zT~l3MddVw;kcqIqIZw-riuQ(3Ud>@>I!^B6)qX)#OiUqv(*=BzvY6$rjIy$_ZiG=) zb#?2O5%k&?fnA)GB5EH9#%DtJa}Hkt=e&Ao@n1cYC$a&sxXjT4g8uJczupb(Go%iA zwJT0WI}nT}&4-+%o$v?%ZfjP>iI`LvRd{rPt+Xhj6SN5K=V5pS(Jmz=rHq@ig?fE` zb?GPn0a#st7IogE_^c6MwFk%i~MnpdxK z8myBVQGF;o<3iFrnze7NZLTFP6lw)ZM)0TIm72$&0YT*kN?Ux2I^@!_zx=+haUqFf zhlPcOcbX|FZJ*f@0Z|3($gtrR9D|BUN=kbB_75=ruE-|4;vYr-eB?IQ+8P>Eqtwrv zO)l6GI{3%uDM4+A8;|X!#$sL%eDmhbHI`T`4@KfbJovY7B}&MfpFyM{ZSVfIJ55kI 
zT;(JN4Z7R|mufc{z_%8BwNqtp|GL20pVxkZ`S*yDW!jUeuKa+b5>(62(X%r3b0HYB zzyo-Hf2)hy04n=yTU&1R5n0*znW&>!Kd>UO`@5xuabaKz)BTl6;XGa?P7@3yPR_oS zRUGXFk9BHM?t&4<2I%0dGM2F{j@QkN8(29gi{x-=6AzOEV|?k%e;)ab^BS z!`tUqJ}4z8>jBAwhLb>OG{DU`7pI-7&bf1FX82UIop7+TJ6Lm&Vk{e-)Ka-;bIelv zY{(c2nKF~td&kvQ<*MO;s>tM(Pai)XY&!Dbb!KKWJ`D|nAy3}Ce7XOmTS2jQhZ;fP zfllG}+7Smik7XSlo%>nP&QAw~b#-=vuAgb)7#bR)xUGD&qN2jvVy5O+Sh5hb6)GyK zpCM1u0C^~?cTim4k1NG$;j%DQ&;?DZsxKe8sH9YbW(_{x`eUzIBhczVfM}xD=ITu4 z>~_O#!ZE*RX1`hmk$zJmu(fBcefw)N6~vjFm|7+v4<1+GcCJBvxeNq1*6Gp?B< z)@4@K)(|z-^i`kSW_%;nYex9-3?Am$Wu~8lgYp!?jGt5(M;WZ-@2ZG<9OC6=VrMT0 znBzO}9hxu|i*UiFKF7j3%N$iXL}r+7P}>)73;;E`(CM5%AE~3WSI^K;P(bYuX!HI1 zTPp6rlXjv}VF+>p1NL~WCr>g!g@Lc;cIUMb#6c@+YHAu|L<}!qrcVtq5?;b)hEr;i zXWl?!CUVyV2N~JmS0~EenX8+%XAw3!_|4)&;&FS0kDhW0S|=d_ijGqkJjuFJnrdP_ z8UC@M;e)5i$jFG_vzz()8MlA8r=$^E%2RsJ#&bnB9J6Q&3=AxCU&_kQKX&T#mY7G6 za&bYp!QLW!AKN{r%Mv+gPHGOWy4KdzBp-MTzJSfg7vZ}wK)?P+e-ynH!! zrY~ox7~<>rbt!7jv%R0xUy&%i?XlRVj~~x+vY{O%-XT*+NNjmJ+Fp1)SD(=03<@eE zBLhf?Vhv^9nL0Phd&Fag!N1!iRI#G+|!fY`vd)a!DTcv*y zr9$N@hhlzk?`wY3)WF@WPyU_fB%KFCk$+3kwS{ zRv!;x*4gd2`00O`=x$i3q5bH|n|aq8UuY%9g@>C$Um|>Kd?I=cDmC;#*BOP%2y1(_ zZ*hH!Wg?3mCjmZ^f9^eQmpndJ4gdqS9s~0$`cP}@<#$$H&;g+v_-Z%wZIDz2At6^X zW&;BQjNCCH9p=4zpF~Esh3?+2NgxnT2Y3K(O3TV_o)Tpz_HfmRx^5QP7aOTEU1jtG zTIG<%_vhv3E6yl0GWT!=rE{NVJb-(UoeNMdQmB@Co5fvNS)2Sq`e1Ld<4(CL_dmbB zdv44pfo57g=AdUk;c`?;ip4~UOaoJ?&i2dGlWc4k71LVL561=u?9hYZT>Qr^oM?k& zCtB^l8`exh@<)2s2<}H`(JCkUD=P&KC3tAYij4qIFAue*oxvFUd}l!0$mj=D64#C! 
z78a?&zQ^)MM;o7k)$6*H8Lh%l5iu^qy`oc8n;r$_;1dzaPD?vx)p-Mn;}jRozw5jJn7@TsM9V zawK$Slt4f>$*zK%MNZ4nw5qh9hF@HK0eUAPAyMr)ikZ@5mO>`6!g|ZJ7;q*n zEp6qVhxG%6lqa#V&55#0Sow{O4d21zaJta$A&tuS%b*@TX33l3*x+`E%I@y&Rsj%J zfatpNuB&TkG~thtZ)h-|!_A!uVU=)OAUOHbJ<#BTl+QBLkEIwJ9Q+{rE?MF~z3JCK zy=glTYj4igY7DU=qbzT41?;wO-@hN)L+SJ3WmZ<5RDMp5owM^al*{_qdB#$=Ti37a z>FWn(KZ0_Sn|nFeY=?6dc-hFnKzKxiw=F>Kz~G?QM%b1JUO~YgKojx6$oTl*lau@R z?xkpR^3i%oS5HkzdCSTQl1vR>`0~O8qjQ`PKR>^ShzLKwl-a&i)~$Q~x9)|2`M2GiYdsZ4;oa^RcYzAYgxJ_%d`uM$!N=p9-NV0=@2 zmd(wZUFq5fTKjjS{4JVUQT}*#P*+ou?p?eHElkhc{F#eoBLE+q{hyAUD8{-fX~W3(Eu;0KYjcE|Sv=ztz#*QIHHFw3P#nuKJQnUS$w z;wAw8vUP?NwT$6uV`Gl^W-N)qfpailF=65B4OqgE(@K=_+btL?=Xr|b5j7Q6PtH{z zrHvIGfhdwIkSHs~$5;2|3vIc7NjFrC=8vf*dGKoVo#X~>G2ov^PjLq=Z8gr zW-Hd3WCI>K-bhVDGirAnKWR_LYX3i-`kmwcR6s9#@O#4&r<>rN2Rzrj?mQd&oT#W> z2T87T$UH`}$|4_B71TW-JEd*H%gc-KHcR+Q$@ZN)MXr?W5h{(rbtfjSH#Qe{1i=)5 zxkAHU;f&4+eQ>{w)7jLiZONIYTlYDIB&%IUO2ct?=1!7kPy(^vXKg-UB zUDcX=G@v>NY$z6tlY6<`6O$3xT%L5#9fxaH~?d@f}MEl&?Qpq-o6rxo9O_-H~BJ3U{6d!Ow=i797$9)}2a z{P^Czdyx*o;OQ&9L#sLV;q_fuL=In{sp^|AF338fiDv;H<9g%c9XogKBqty0 z(gPhQA)clIv#Z!w9UrvS)eVd6Qp(HkV(zJ{sezRvi=up1wY{T5?)I-e%-C4M+ zy=M$_ztEyN4i7hVm0Muvy=4Gp!Q9Q{yNM?$O~g%BE` z9HB?SkU0hBY%KBe#f!S{-z9{FX?}Co_Dl@6bRBXH@MTonf=iLGET9u{cVBI3(Q&$8 zg`J08QGB(UoSQqXz2498UnqL`pLXw2=Jo6w-V0YCW(p zup`VVsZ*yoX2jrEz~0VbQGR&{a&{3cg;o>RlxCn>z6*bTeS|QA&2!S`$8ir*@G>op zdqWYAL?3SbnlWxhUA+;+$255N?%kN$_;}nA77;nHcQ3G8V0J8$Oz17J4DM$`ZH$D) z0sk?Oo;ye4!eI#>9`n{zWx}Y4mdh+O;8D5~7s>d$@aM5MfXM;={!pX$Rq9s-Yo%kq zfCUv76%E`V!_LIk@V=!~@X*Jn8eo$6TL#&ik9NN3qzHKoynT(b_>v%f&BDU}(#WVo zF@hS)@M@o)bf=)#cvxI4&G{xK86yy!7&@gsrL%!S9BS?1L+ZXN@RZ(4PfuJ1R8nkW zU+;knhrjpqxTA?Kvr_uynblIRojU{S!=}swFXo()(SGFbn3&$0e(=V=WVFyZ9dB-7 zAqhDb_4V`08Cg*v$oR-^T0d`)7|Xatz(gh0?dmO9~DyGo`%ZM-Lblq7lA~Z8yH( z2^u-fy**A-Mu=!#y2O&`Q=U2I&Y}yY1l%4fQ?#1i`SWdGzy8wsZtHt3zYF3OSTQOi zb8{27VM&*W(}5@+2l z+eyBgwZN?Q!RVx=kP1RfZrXhugOyC5-_bx8(UWa|sERJC12# z##a3WrX3{XfJY!=RAg#v+aLGhQ$vHFuWyD?aYT4f(}=_D;8}h7K2Ak{YIYf?Z!dLW 
zAMW{@4;3~I_l>iqfnL;!cnAVl_+Vq6JIByH0XdqHqXJ|WvW=9h>I?iBtb5rjRg@N> z8Yd^`avZ)Azy zj7ee67A-`r;N}KiED8+{X0&Z7LoUR!JwyIYB$b)1ZRNFk8U+C(Wo2G*aVHqD1kqUF z84y)iM4!HWE5Nm6Wo314U}LOYT;#_j*>z78@i{i=yU>cpsSAN8Jpy)rC5U@^Zh}YC zwPU~GnOuEU(RpWoNYVo;8R1nV5m2FU=@hGrw*TvfC}$Ve*43HGJLcYTL$%foIMT~` zZj@D2aP0p5=GCj)6JK{EwTWRUpdClglf^%Ivb?-pR9s9y`VFwC467BwCYAGBkwmM+ z%s&Dx;X;(dQVRdkk)k6a{*uaFCdot~Yo`JARFi8!pL#+}42#SuE5MejH`yC2V@ZS- zBOTXVXNWBGfUD1*@sRsGijMZPh^N^nHjFil*nRYSdpl6w)v?3S8d=0^1>>9HYlj8} zaXvbWZVaV(kx53oz{9(6@uK8!T_oku zB1oZEDVra-af5JTJe=nLmwEMMLOK7NdHw!_Jrz-9qG;(!w*@-~hoRDatl}&e#ET+t zerVY`i>Smc`I<7@{t8q>9nCw;0CB1G*T@wk2LSUQM*Xsvm#BmU07SIaA9aWHguXom zK(td3HE@B8!wrms^yX1u6n=iS-ES>dm^09x5Qdhn5a8#B%=P_K$<|Kk$AyJ=5YHFr zrHs{R$I}C`#;2p>%-Eq?#I}&?iJr0B%fu9omI`k8b;8L?6V?D4=WO3FWM4G;n$!>g z$eIH%5fa10TQWK%5Y{Lt5cjZ$5&~Vbxm(fw7J<;x*2Z}Kpf}b7(#FhRY$)u?b05zh zU}TI$PZSgsoG*`Q94RR+4G0KeZ13snLb_-mSc7jK&!3*2-X$vJw5DbzEY)l;0YSm| z$B$Ktj6Mw7AtWSU^qNOdP!_SIU5tDLWP@J51UUil=8L>+Xc!+8vo!Dl;m-m_{iEtQLq(_6 zyH~FcIY(E0{W=Gh4)jLyBu_n6M}2*Jb>5p#*8}$qfTEUhq>%Yj( z&VKS_IUXSLD?Tb|5Gt61zazvAa}G=;Jp6veOXG64lXw3XOv#kvGy`~kS$$8ryA&rg z63QC@hl9berJ%gJWPdlC>94#4Z@%gN;XrTiD%fUVG$e8hZ{0(mEc@a=6QQyO0k*A! 
zqC>F%Ip>WZa-58td7IEK_joD7vvih7e1GO9QB6Z*a(m<%FIWkKEKe}+(OU#3nAb1a z*i6GBATeyp&LD?@OCZ}?ivcaztZ!P zo*t99vZM(NGCbfi_a))0Q8%!V3xEE=-#}ol^=UZq9;u7LVNaFoMTQBKHs?UU7uinm z@k~b#-+;>Tg|xs17cT4%+9v zeogrjE^d}_1_J?van9xjNkSv(Zg@hICFAz3=B$e-DNZUF^zE5Dg(XTGmd1Yq+H$HSdafsULcB}Pf9%@ zpAhcY3eC5w%yJ4x7w(6VzV_a_3^p~W9Hs*n^oCe0V$6*r=LGib+ZT(C4L|3Wr6pAR zwJ&m;QD}O3h43BIHrw66&{SJGfS+o5_cMK%e&q z6CIvs+uv;z*2DO3<1L3PUTDNJ(9sr{0V6I0a4<=R6`Pk@Nt9?+e(R z{~||_f5J>$SQusxX?3%bT!l(>MA9R+~(3#oZEBp?PAvD5l+v>Q04Q=D6c{*m?~`=3O?3Zai- zH*-;d02pVKlqiDC2bquP4?yMlkq+Y|=;6aMcxG`WSxA|gndQNR@DQVwM{os%uvN9p z6_a)v4c28_8&VFWysdkKIWl7J#`pO_n_a%IB^I0T=n>~yOk6fPDDDX=W~wJYj%t*E zPhk{{PG|nH{h1wDJ!piK1qkf=0$hFIaX_DBU$P1u9KnGIoa9ndSD%drjE7%rcl);W z#VpZ)YMdSec<9_d=OlAQPwy?-9rDGu?rN#Btq=zlfwU15N4K5*z=fF-i^&$~j(@An zZ^d{8wSm!?V;U$R+6JgtShPt0H_YN=I45YzDBEv=BS%2b-`fBTO5G_bTI?7S@fMJG zqzRZuumIsox_eITSyu!<=@S8nV4mTW!GNm+COFt8ZXCL&^3F8cePT*A45ElLl{EyX z4*ZYv0uPd(sqA^0diW3snl;SXJ7^VzT{m~^@WZduVt05Tg$4}-i-i+&8-Q~l15jtn zIyiAbhycQ|T%GQf)lD5kts0j)TdSLBGJ^bF$})o2m?G?t{vqA(-wk z0KS<^r^7GA)uP?Olt)J-B{s`k&mXCc^232FlzdqmgBjFHG?+@4*&)6FQ?SyCd+Q}H zUXYjaKt|577~wG5> zx7~mmjSxiv55kF2%+c0EhN8Y7g!MnzKpB-ExonT553E~A<~X@_SXemg%^Rv+yEv6r zr1yUYra&a{aYDioHUFZ7gdcF${fvl~*Jn5vS$bw^b%}3QmESy~pfx5T51I>A<@eTE zy+)pGH#>N$^o0iindZ;~&p;>xgP2=%etko3U z*-mhh8#}je7vEGC{{k@sQ}6KjSVZ=~zyK(y#P7?1C+K@#%vVo0{NKYH%nL*`^v$&~ zxzr|4z~OxRpDIvhDE%D%{L-rusKe|H(%1K=Q%yK}bsL92V=JC3xaeUXxx2`a0d!kl z{B=&SzfO`jYldd4&j%!ff|G-J0pvh$33J=`I>Ot)Q6mbsr3-p`XfMQuH@+wo@DA9v z3h9q(K>abpz?bY0(9-0~;pgSW<0ag@iFTlU#B)gh2y_3sU9k~lo3d#fDXfBP54_3rWnEw7*;WF8*G;S%JV;{O~e!nlo% ziyPA0?K>O?Lt%*N{DhO6#@1rm90*?Zoe0sqRd5lY!E}eMYjt~qM{HpTt(%Zk0w0w~Chh)P1 zV}i#a%lKz@w%BgaJ2_igL?-cRR20vUXRhQndB+wGf#9bVE9PgHTUb^` zO7`NcG0u$~G;(8jDy0j+2mb~;5O@3{JslQf>=JRhE&U5ttY^UxR2Vi#F#eTPY+qvs zlst9T~#&r?OWyZPQX$m^kn*B z8)7&O?MV!}n8Sduvv)*JoqDQc!cl83rkyCm#K2IsbmF1N;pkrj1DJaL?<)Ma8qC1( z0qU-re@3C9p>g8m$z7YX-RW&VVMm<)csgB202-PxG+==DUH$do_Q=qY(wDrven%y; 
zi0Xe4-vhhA2Umt|?LiffcmSxWii@RTmwUmN;2o!p4idC*6tLf`qTN{P+@JoN1wgLi;Q=}0g>>lehL!iq!xcP_ zL*+xuozJ?FtB*r7<3~fzy`)WCgny{FT;X0=xy$Tq{c++g{vrdaIc#6*zh8n-WqQly?L+BlAx zi+I@SAt?f)BES-hjdjJyC?hj-N1`206bZRRat zEkI`v(hel;F|8I8_C03;qYbD^Z*&>QgSw+zu6dnB?i8v*XIur-80~ibtKlZS& zzZ7xEP#%Urs22T3aI z?o~~-ea@`ZYqm7MVMl#Dq2NKa#d{z>pr91AFG#h3V+%-n(bb)gSOgXNP=%9|FyqXlw?; zb`qe~!($ER3o#nt9XT8O$Y!L`5&7gYRx$&k5)~CqrG2ypn23~Zi!`|(kx0zR&u6R% z(eJC1d8@wa73bs+k%Uw}SJ@!0NYe|G}XKit}BxY?9Omdgp)#Pb`v# zG9LZxv|3As>2|<4kIjvf&Z{jciqPCNPi>ER^5o+Z5y>nvM$#{qXD zt92a59PmDjnaOOh7cg=#Nzh6ftK~$hsw6T42n`&~hqn*8dE26ylH)sdHFa=c8KbJhpvO+?dz%|qK31Mjc=)ghx@R}PS!lCQ0ls|EHS67d<0R6J3fS*H9DNHW z&br-WoMs*ygKGG#z5U#)3#=h85EX@el9ja)?08{w=2%oAcMPm>Oe&TpM0l*`9K7%46Apw5uIh4Y!55F8RaTPj=oILRycvjKT)1=z`AV4Q$J~m+Wrxuzd>!U7=V6f} zo9vyn8;UcMefc<3Knj0#vXVdq9NcwKTTo-A4xIj`KP(%(S9TGnKA#R@W$?hpS-e!z z2ETxE2JdKw93VmnO+wP-`0?Z7(iG&0tpUVeaXc?a8vvkdPbuP@wY10b(TXCRgyp1n zWC&V7xOvSPAOgB3`WyZit^hnhG(l2rUgHi?K~UlQ*RQN3(<%4bju3K}zYB*-1cuV_ zQVKwxz}>tEQ#7IqfJs_+*Zfg_k6bkDWp3|jc37WCwJ7gn`3J04o}E+(#J&Z&fl=WA z$_nT+v?R9oA+%J)bT2O37&_+QTvL#34XJZ^uK&4|@BIBU47BdB;^GzDFfyDtMWIwS z?Dzd9D{`#(QwTXSlO9jZ(qF%31#MwrxikEczV$|V^0`--6rLL^>F9EnQ(ql})&1C_w#L8)*LY^fcC77DvUGD&26o%_0xG6jdvNa%Pxk=ZRlXdpxhwfOqyBVy=AV)&=&!A zbSh4}^teQ7$kHI&*VojA_!2&R>9P!=wPpZQDJjO3enU8ag$VPB4qKe{fCZ1?-_X=l z(~g8%0%B?W{FvA4c=tuc+2`jlV&ns#T>B03cs^S=&0 z=fx=}cR({(5_q7kt(pZ(mmAcD3OTTUzlMtyj(28e3UQj9g7t?n`;%;Ef4TdOYu9|n zQV=`J>#~x+IXUFUR+}|dA3bML%t8jfIpMp&^^dOwf+~znK<>(A57LfKV^PFvq3T7SA_e}Nzba+pN2 z($a~DX~@VJ=v<+~As95VYs#hDqfaff1NNw8`Ic7I*KM#q&f?_`K!-pm``Oq81z1kwZ5%jc4HpNpSl;=Jf;!tj zW?RR_laEADzWj*iIuI-2PhcO-t1wbVigtj`VR2Go-%F1PGY`ET5VZ@)#pb z9}ZEmwCU+?e#Cu-lr)|#T_7b4(@Tqsg|3to)H2z^2cDg)=yVONtd!$q4$`YWDk)i) zR*vul3JvjKwu%psU|Oa+GA?ru8^tN4;GlSOlH4YmAGiZZC}1Php7%bZ_^r2vTFq2n zIUB7QOoS>IiL&GmxLBl=TGgrW%7cc6Af4Iw*mFnsO@PbbJTftyF}`_YWj;N*+n!Xb zZ!{}qA&SC-A?(yjYt>3PE=oGWz8fcCj~!D#d-grmDI)vfyMV8x$c`nDG8#c}$Hlt7 zub|`g_4PkhwaO#}x9=7PnXbZ(w*Jt^3ni`t@|}NyC;OqXk*bml)G9aD0f#|yBz&LU 
z#&poFb1u8P%AA-gvz=V;7rNexON5NH(u?Kt1 z5bGhm3+bIT+aQZ868zZh$Uh8~ym*q3@Q^uwabdw~U4I|RD+dvWS9IKQl$!I1){{|^ zO_w@JgcLr`^_NBQp~?0^yv@VspAX=^Ko8U$8ClshuQcfA2yie|DVdA8g2#-v`k8Rh zrAq9KN3IEeI*f>2676V6CgpA;6B7WZof+)!*kGXULhazndQggT=*FmLZ|`lBH&oHv zl$Ea|0t$1K^P$IzHL?OQYw*G0Pj00407j9sX)uT5>pbxlS^I09Iak9+f2fT&P}<(2 z-jd1xO3N0)Gf>G%G+F2^I6DmKsk^1+^z(BdP9QG+)caDOKmUI70mb@75#}vhWKJy{ zxQ*AS0pF^m-9y@z5`iScQ{Hr9c>4xqNaj~d7^Zn*wh0|#d|ojhWN8c z*N6$cEhxyL?t*B)u;6rpJ%R)PTZ%P)^!ECh|3KSHUIL0_c)i!QGv~wi@6k(MNF$@; z)qNd&b>VfgH?5h+zeTxq>sCTju-bES1SN09n_kQ`@T;eEoi8aen#O!=l|a;$5-0iA zPvf7#P&TgiEet)@uR*#I6ed;4mSb2hDCawO?sRu?F|`Cuz!7=8?`5CWBfFPPXrVLr zC?K4+D5Ezz(Q6;8|N0m!@X+MU2gy@+rW3#>fRu^*uH$~GC@G0Lr%VVg7h0ZuP=Kcl z`gP~dodRz<=aWr1Rt_VntE)J=m=8+@(ffUm1ya%&GVPOe$Q#xhMy98xnxVTvT#+9$ zQKS2QDQp}nA{MwuDRl_lbB_Xalz!7_hz7_;=C+tr)!JFx^Fn-++uBnPKzOh1S* zvh4aG37h~K9J$OYU(gX(uyYj^74TCotxvsAG4^@L7S5S z2+9NjV5bZDb0yPnE zoyPnpOeLcS|2$R~G#h-sTtMFX$#HwLe6CTF3Fa_DS>msd;^OMMkBtqvCCbeZm!;{% zn3xWXj8-A2B|nBYT77o!P7byiZ%Ki^L^|&oP;3fAl>_f=u(B$%>6NM4!QX&)b8HzX zB)zgP==7}j9nvxHEy)tZmyEF*%-4s+_6JnU->5sUqeDSS$*|`SgcOKyoEZ;8Lt)9j z4d;gwUSF*U!VDoSb$cz3GUzrQCENj0i^J~SwN&B0^ckn85PHI2LttOWKwKDt$KqzE z`~2zG?>09#_lLR?!l{`Q91n%OB$Q}U-qsU;S>*q~KVDor%Ad`T?W^Wlr)V99@3kRH zhaL$iiG^|2JH6;Xu)5xp^r!cRogMXUld#G~V|N30{ng2NqwGH(wRNey*ua4FPxyUO zQ@LKygM!de?>;KTkcfi-Y_D1GXe)kr7!AQUX9CX}+deNFXO!2@_WUA0DS5+vfX-l-6Gp7~Ko=1VhawNfQ|;zPPkInmE&(v}Lez zbAxS)T))gkly&U0=}{d^nhT0J6~9ugT$;j#Pi4tm~Cr_^Fj%O=wrr8XeW!s4_{IRMEkcjrVa@kmjxE{3)4V>9?>H+OTpb z$UtUNw*r}e@#_sb+l={%Jk;Icw$H&lk8PVWk)xQ;nneqI;K^s^AU0=Mfo28#@`;mH zh?9#9gp42`lD8{AeL^A>Hg@@CTd)g$I2hOQN-@i>5jDnaq|~U(O+P)z@TR#vo#zS` zkS*OdM=U%H$I$0fmu}a`>^A)rXX-Tz`0?h=ZUI|sGrl1Fu73`?yF~xEk$)2JBDbptqNAfvoOm|&gHT^w zy27*H=(TjlbWfXbRC;n%hE9%-dH3@ZyWZZ{_4Lic-m0?ikwF(Oz*9>0^+gFJMQ3M! 
zPnepWx>juK%BGpVc?AXLl{=^2nVM3tD*U)UkIcO&b?W$34xHiGDDNtj9h(>S(O4*f zZX9eQdg=aM2M*x4cAQyY0T<-omH7@cU~5~zKa%a%xx44?&)hSJwyaxBw2tTS)=C+} z#p#>JWLb*suo#XOu!1QT%Z0@Jho+t;fyzc&^}vuJR<1T{hYxnkktT)G>fGuGy+ot^y+}`mScPEo0Eqx@sig07z(B0~k9Xbj1xM4$ zaos(W7TvVV8=!yV%}*)iLX+^|80BS}HESB8DM9=Y86OK3J9^@TFQcyEd-<^Zp{(`y z5k$qkkVJSTG-+42_qH8AC+c%q*}k>0Dv5i_;<3L$bN3>G}NZ@Q{!PT!y;E+xGX^ZMtXIF5{lPq@+-@>HO?* z{fqyfs(yxZ%w>!3@3Y!==YQV#)s=I{4k-(l7(Y#K>V==z6!}0+8XZyz{^~^i@AY3c z&?{|An^QSzXo!0`Bl;~Aajf;R#lE5Oa9+1i2=P?|$|WWE+Yw1nO+Z9ddyNJk zr$Q|5Z(RAbQsZXmBm)CG>Ve0PcX@Yv?EGt7Mw@K^{tXPaP?1r$-s?dZk4ONuNcf&T zRoT^bgK>MUoy34NE-T+4JCO@lyco1u`a0Y|`70PbfBUIIrV$B>3By&Vt>)V8+kTNZ zrboza^xXaM@Oh5()zGJ(wDt6U+iv~!c_u`+-xLD_f4+0-n%%RyZW9td&+6UDIp%E~WRjDTsV9xd}?SAwgXlT+4&A;Z)YX#%L03r2Oo`c$q^qN|1-}}IJN;9^{3T=sehu{8 z`i~4!rd76;)}?;hu=goMRb}R3?qU2W+xI#ipTyMrIL5A0FKC>}pqZf{6C|Y77rlD* z3YPcnH_J+|t$1%4u61$2_X4g9afYbdrLNRBv<3*vJ3cL;_x(elpVB{iOfAjY2 zV9CF)S470j(61?Iu6NayIU@ZGC3Yrh1FbPm#|89xf-{0(ov~96mmnN#LJO^Nk^`u* zj@BA7WCcwdd9p2el4uCh$|4Ft0A_zHb4ouTmX4P1e>))JRKzd^)WVWRx^~&Vz1i5=l(${#x%meK+zkus z<)%9|&g!E5omsV4j8*INNo68jJ7Z|Cf-IWN<>(u7ac)efN?u_hzqBw89_7Hiyd6+O zKV)>eeLQjV@^zw3QnptV%w|}pc2fMSZ$+nOZsr{0&k$qa`;}4I#Qp+@Z_A`t`oY;M zBL5ze>KF$ktv-hiz_9sk7`DTt%yXISzsDqVJCs!UD@r!LgqQA}YuDjE5=`OI8k*B1tyDF(nO8lnyT744b{1^l{-Dd&9=Sn{6} z*?eYVxCZP3CWqK&OWPZCW1_Qc-@Sdypu)aAd(=kyTMU0i>fBUjY_J|+G5n$il#Q#a zPuaa4lfz=0>NqdfyC@tb$*VCJ)GTqTWWbYdYQuL+qAe|JTiJ0v@3Ck5Xic6hs89#@ zVNQbo%li)>HdB{1<;l9qt#OpTYI;zUcdg!+s@$Ns$;xQ*EDM-n=Du^ z{rz`5OsU&RJXGj3@Wah3pys%x)#3&lKTG_~+-_HRQMvD?ynDrxq@~XdpDtj-3V74P z+_+@iM;l;($`h*GS@N7%`CBx#xcO}OzGiyhYq2*nfLzSG=0_+_ST45tCn@@2PrUrN z=fs(?87nT^GJE0_sht=3l9@{hH*4hM78Y)QtU2lmhM7P5fn23wWNt;#1nn&!uUThxyzJX z$7q~ncYh7Wo>KTpn?=J#jcaZ$VNbzoz?cXy4G5<V(+@;hsTKB}2c0q9UbdhZExBCSVdlgoaP+VyANv29=V~N3(FmS6%)yKTE3WSA*MjRYJjji!SJ8VZr^#(gf|ePw=E2;QfQjSB+um3= zV1GoEf$tQhO&+G?!Dj#h}dJ|9_&g|3m?55@wurtqYu|uLH{3pMCA<)znIv;VMdUj8D&(U;04J2!^q4w1geW5W zslHC)JAhwYyPs6|`%KZBnXO_DlS&1Z$?yj^62>KRdB%o~C{>|y_A>7gB`s2cI;N?f 
zXp-l)dLOY89+;AkbiT7NnCc7QdijbKL}Tms%p;SFBMYUsj+^?^%xDw!RPoL%N5Q4y zKwH!hqEv|c5aE2w^t~P703#V@_VNXw0@8u{M>lM%Rre>}$>yKY$~;`Z8Y8tDrPG-~ zSRd&lv4t|@Bk@c=7EGh0I`tM4pRr4CNL}Aw8Vq60Gh>o?cO-Zbe#7Xn;?Cuq)cH*d zP_)hf^&aHbi`)t|J=%$nR(9#8=r~}|Q@$ZR+T!cGB7c{@4=6Ap+{4-z=V#ld)4V=T zK#B>)C%)(xqbg!ULPMc5Ynn86;7d638}Kx|v_oL~5t)wN@Sw^Zd-K_k4{{?usm5@; zT8WRf)6rVoqBm(B4o=7m1jGTH-0KoU-m1bIt%*e6)oN`=`f+ zoIJUVZwXpn;Qj1Juv4f>+(|ue;b`CzkvYAS8w>xcc&-yIcWv(}J$7ITJHPn&3Z$R# z?tABqvrP#y&>Q;#?N7d;C^O^N0+SOG?&FQh2;T{`i~)6@x|N*>&T>R-+cSM4E=8y% zQg4ZCA$SJU3Tx?$NWQO}AFez&$L?#)0ngmv8Tailn#cv`7J5v2@iq9=DSJo9!DUb4 z=A8j)D%v_<0)q?YznGYco7WmYeXmfF&FOhsm5I9efG>S}V42*j#*xXi@slP^%ia-- z>+u&*vZi&MiI$6c{wS2&6^@FZu@@qmA}RBy?cB53P$;$Dn@&BvfPe24)dt5v<4Dum;<*e+qdsE#;oXT`5UNQ z{!mwO2e3;l^^y47JczG1Tehr?;}()HRd64Vzp^i1uCIL7AFVkPG7tmzpFJCmRP03M znScK2ucY+6L*)Xc#DocT05*s-01;6TCnhA6Ly$uqq)tB;uB3Cw?l{hny?gfjO$YYt z7ev)8b92W<&rzi^mh#YgLUz0$1$ckvdU$;NCvGhY$#JTx!RkkBl{BZ^@vgDIeQ7Py zl-vD0En*(#JjF!kR$}UdmWVt>YU?k=B0RtuOxE+N%;WufJUnTtMvZZ$@yh%&Hh!I$ z2J<3`G`Fv+Aw=0H(>+|}3-2d&x#5aOQkr|+7g;Y@@TZ}H!R@M-3nAKiNJu!=tVKhc zw(0xP%a=Wpe2+0yPv;HUfDkZjN+`XCd`+J|=FT?cq`xlMj;T znwy%u^k#~<=hYd5G-P&HA%t^W1!?7i=gg&Pe;qtMFrUbXTf%c+jU7aORaMh<>(=eh zP3UQSnvSJYlBjSpI@)@X*ICri)znJ%iDTnjK<5`Zh;K)+YOB-(a6;e9o z#NorIjVkVCt z4=Zjw=iCUr(sfryC0+gmUI7&EqdvzOPplDmU)jeWnp9Hwv6OrYccCFQ$vPrhbb z>S9~gIAqqGIl~HOCh#vBFqZLZ5VK19{w;?M&PG0QMswQj=HP4@Ik^*5U1Uh4g-k-z zbse{$bXmK4HO$O262S?|-`+hyzkcv`DRI}WS{3SWl1S9pw&Ordj4=2Y;CFyJ4j$>M z(8AR?V}pfkmbyAT>KCJFoE8?p)Ww`ev&-aqnVkej%{V=3Yk>@}>Zr!zZT>rFnwz8b z+n2Y0N3+HtFb0D@$wUx{lqJiZokLpuuU;A~qurr=nE)?4Xi&~&m8kOav*<*yD`94v zZUj;mG)yJ!xvHwx-yLfi~)YK%XF@1(mY8`q@jun{l2f{6-ub>2AoS(F={O zFzdUtM-5~ zg>#oI(bd$nnLYbl#&-drZ+l+bKgUCBm0Rrr*{xRufWBeT$%o5XFhygn{AqGcK`tf+ z%9}*<+meExI8%Ck3XTV~C&i!v2tNX| zLr7;116jh{#QEWbhzhd_6^}VDM9bFEtM!k}y5rY;1$TQM;u6fP<6!B22Y zP57CMvI5)(J6VI8_PlRi&u9{f`vJ3nqPE8 zpMTtB+MD~@j+_(qT3teE<@fL9+ZT589iX+YAhYqwrr^7)^^hiz6!(UO@vn&*kG7@= zZCzbT;mC3|j1F)hsm3G%{dBf6EfnMOFYkDvz)RyA2@coB^*pD#1D;(3C%&Uc8@@b~ 
z@4j7?_r<09=btI`i*C_f{Ab=AXu_J5;}&0!ZWLt+M+4H=W7cng&Xkmt3iQ^2Tu?_1 zx#o7NLnF5m%}KRH1o5-}g0VAUY$J#=VN3D+2izbms7_4pvsi z=A(AsT0r9-*Z)!1jD1GBsELJ@Z2QnMbM#iei<%LxG@wtP{4+W;aRz{xr^dfAy1_Z_ z*q~b(85xcVu7S&_y8%Lf|M|Y?+6Hhlm^ZYyV~n;ezPxWQG!uhUp9h)kGl{bzn}AnG zMn~VlHs`#RnHgA%o>Aqhxw(BDr#S)!{~jN+dd-?8w>GZClWNJxVZ*M&X#k=ytQ)Vj zBg+wb2+jS2>}=3$IrW+29ae+Qzg(P=)cSP?mUxjsp(_tDWc#?vLQa<0NzIIw%t0nD`FXBVH8J<6k$A8maI;T zy|M2aLJ+x@k3h(OTU^}1S9W_cp5Z(sh~NRfekP*5nHFK~7#{wT_BQGZrcYmq(x}?w z`-TBqkhcKB5G#*hx@B!WH6dTff0dPwGYkwYxq18zet2S=HVGrBKnmd3TlJzd_fKbl z6<0{8Q(xb75OEB!8(S_{dbJo~oJ3=M>eP$;CxZqqien|mhB6cIQL3Wz75K(&!U~Is z$wX1~&MBSVGLF+qLm3_xz@SFSM<@jP_3g{e`NifmB-Eb>t^?u_(2f{ zJd-c5csiG?I|NE1d9>n|yPq!^`$R;fG-)Qs+TXV2F;ujmjHcRv{h*huKC`v+S*8!7rT_dixvQev zY^YvL7YIgzN&0~k{k9WyDY^h+L0?){dbNp&j|HO;4WnEbv-rwT6wMR^f>a=_p0CD6 zA$FMj^$qfBw(Hmp%qQy zU^TUuCH>ka1U-`w$uv%2L>9v%q(5v7!gRW@he~ zl}J{ip<(YqLdJK*+yDO5da|GlNjN{P>1sw(HVo*(HDb7~io)sJw?E#~1I#mxdNQJ$ zn27h3H#%N=9)wyyYpVY9JO1Z4#c)6z2b(0l5&{`?s?$|U0jjv~HM6>On!(K#^$}5! z0Pq98rd02^DDl6)piMu>pyzm*Cof*OtyyC-8>jQm1>#MC1z4YwboM^P0pug*hk=X4 zMLN<^=e>ROhz@+l{P`T?c{67Gld)DzBy+#G^olx5?4RVF7yQq!cFY8;&y;7dgJ8m? z073C_;-f@7IsBK1I&CG^tU(3aXBH0DPdmSo#>fa1hDNS0F9c%&eH&})DL**6&dy@G zgGB1(`8Rl0*!srCX1;sZNcwHJ<8`M=8m5I0;nC1{SB9-;;TC$m=5s^DeLgq;T>u4? 
zrJ^X46Wke!mTKt z-+!B#8SB7<>a@#iXu_C}a=bKjXXo5OS#0I}pC3J#&Q3E{dx7Z?HCYKEa0j8QVS5~> zT1a&tGIngZ|9u!x1|NFB+ zOg6Y{Cx71!-hsc#E1(Gj)_mA0UE`FYz+0i7=z8V}m!a^(hrC0o({|S08WT2yc5aa2 z(nX81*XK>xo>hwrRTAP3kQraAwE?@s!q60h$8ed)Z@wO=fdjH`VOafk5)Q!ejhi>k zwmWw*4uWp-fUG4m1GPO8f6#U~_Q&OcVVBRGSxr_T*dsAv>0uwQAOHQpBBf^COg&2j z#l*zmwB6k4uX%;t=0(KD4mOeO+#b$Iti&uYQYkYQtx=dK;fFH@^LNFmefn#Ywvjkx zo?Op)Y^W(IIT!l9m&7b@Eic__HMT>|m_A*S=VW~Elu%yL9$?Kzbpg)*jgp| z+F%8gM{roa_F>Sro5Pl3d6k>PCokyveu0ndZkxr6XO3LW7>I_(=k$L*mT?Y~AO9g6 z0sq?@#AmA3k9M3XAzAyrwd=tP#_k7z>u@5>rBY{1_?pAo*L!1sP-?$@^QOFVBX(m3MM_%fM+*CUr?^vIC}_G@54@Z(Lo zM03Kf4pE*~uZ9?~sZ0dOGS^IhO)bK#@sA#goctha<|#un&_Oq;En^7oSwg<+f!=*( zG#JgGm;vpcq345$kjzd#YQ4Uu>&{t;vWEg$G{%q2LR?sE)Q`+ck) zl(tA?$?Se#h&IZcdxR?f8~?9YKi-%|uE~hD6-}|k4%eW~ks8a=W_fx}(n{PJIQKUJ zI{XWtj~6y(Oql;<-RKt;!D*q0@ad&^(SWdIiWC#|Bj`6?1^4ehJLwf0Eie-l6o71o z^lP4HWpyAj(kyXadfI6CSFiq!cUc+?)nXf~D_nGQ89r^EsADsJq@r-8Z zl7oZxprtgm?Nw3Hy0vTZ3oQC!U~XDDagvnwWj~OSVu%;e5pvjQf0`|qy7ET8r$xo+F&il zyL(Oi;Gn3^4cA_EX$rASLJP@FqH$(Znz^Or#f-I@r3!?XgoG7=@8ZqS>u-fM_PZ%|=E>;os{MT@4-SYGAxS zd(sBYM6w2?K=TDu5in)IL}v*@yM+tieq8fwHeCU)k#7LI#KI7Fm5b60?W6q@sLJ>6 zlh@Pj3xzN$U|bu2d7fNd!z>|dxyK^>VnBZ&s*a~m8@$6(4@E^i%~*aBUv4)y0kI~k zx!qYvoolh-)eXbq|5mf%^iQ?%m@CC7Yr4uP4$&}%47Og{55-Q89n^$%vR+Z*OiX>c zEbK_-(hrp#rLE02#*^i`cD*X9<)coV5R|^f#e{x_n*4%mVl0Le`F^dgxtN%E9d=~w z50y7>xnk+|Q}6QW(x4sDJ!1a2kQRW3NwE9|B;(dJzVz5aS5!++NhxuIce#6aFJ*mO zMh<|Ile4{&#w+XthcFNnGuAvTItJhl;H-1!zRy+C5nOqIcBv}ChoI*-uaE|rD6kc( z3D)hK=q%^+9UsKl!vT^4lnc|xA((`Jvp=-cuX@A4xQ*(ct5jG4)_6I zz_*!n$B^%a-`+IEAmS4Gr|ThOxTg;jjBnKJ?YExNk!8vbj1nz#_-tAXK~2s0qhCWep;Dv$l1$5$@_wSGA)&>R#4ciCInVy`CAbVP9uYnj>m)tq#ts89_x1nhZ3Rz+~ zRP*pDqghglhygHt)22?>7BSsudmEbv9+M>{cY`zTA24YK&yFsgH^{sDC^6f8{dz`F zRxoeH8bg=UL&l9Wa(*l`b-&5^|7ZaM`ZnWZV~EZQe7*oW6&pncZi+bwcvbvibXb^y zxMzoDZEU_PxJCW%-x$$3Ik49kQsxd~aiV$gl0f$o2i|0CBwl8dwX|}dJ-a^}81ne> z_v9wQKl0eG3-R&ergS##}i7kMjubUFqBa7!0{qrnooxKP# z{rdMOb`jMy6e9)>8Z;+yUViPCt_Cx&j~J;wdNft9!@PMD1KMy$-4EpSX)o0owgh>V z)iAXPNg4Q*xX~Mw1`>rZK^uu 
z-jJ~GTE}lWVN&!p%bXR2x6}BHeDfCzS&I3mXwypjXsern>TK3 zemA&V|s1mcMUNM6^e(em9>w&>p`fr3Y_O*dmN3jAhS8u(ZsT)vDmvU#wGA6s6&4%pO-n0Dn)J+C%@mtW4Z~>{qG$Hi4N*;Ujhu5-sap~g4 zb)Ir?+yR~KjTc|1J+nFkR4?qw{I&482P=jNiFX-41BDJBO_N2!mgxaYB+RmobLikX z2@^xHV^D2f!ghIqsx=@hj$H}B3`|~wtqb!^B_$aN3EOMtw>eyZ8u;|>+Y^}7v|d7M zkyzY^Qge93``52O|M(GhcN;FU?{gDzprux_J3DE&X_TRV+PQOU8{;rxDmeqy;O z;ng?7k`{w_78cHno?lM>A?Otd;L$%BdU;Cec>n$i^ok)%EhN5wpW*vC6l-OK6_^MA zvU+ZvlCMlQZ)SYD^`&8I25-mMy_VZcPZ_=!zgY$<-W%Ec`_clI4SuOq+D(0n#4=3* zsXf~Od^XlLMI>hW9Q~#~InYsgcnVLG-R+DNV8jSqVY1g#m3?PmujpN(^sjkz@6NQc zB!LSUgQiG?Ikx}$($ml%y4%L_9(^d}GHTZu?r$4Aov6N=yvQ+&w9MwFT(}VCzk}O~ zW2k6jAmu+><`%Gsg@47N?~1)|%w*B8vmOv&ZNH&AIxY|tEDNgFv^T4Q zLsKeI7%N3`J_UbgdRU(3(DPusD^{--+Ir+vGBXh{o5XX1mEE$Q8;fID83^!l<%>OsgJ@QRQ*If@@n*{^P!<;V4T#7jYXL&;SWPX zY7aEKT{Am>|0~A?&VVE&W_>Elk?IsBQP_(4!w#Cm@`1}@PWb%kQ#B=n(W9Z%Dv1zC z&Za%LqZ;*1(2bUbAJH&WNi35ZY6*QZ#6JSWJPVI4MT zYa8m(8AFC_SbA%Iej7PM%=;nuoRb_fgd(w(D0G-J67SZnEWVkpKP^Dr?jOVy*pULy zI8W3;ISCwIDTG2lMd|y3XP>k~IAsHPfT8Dj#+zZ) zDtUO)Iks%#)n#;UNj!!0&!6GxstA03pGSzaA0dr*Uce30X?YUYQERzBA`|T}Vds<4akZ`hGeaY?hv%4yjJ-({KUE3i{&xkF^R?GoVGe{U}D* zk{l02Hm#grU&8vjs{Yf}4&wNS3zhE1&*snbmMvZ^s5`T>lh6cV;6t3^yjIURDQE^U zqPaL#zJGrR^2Bp`9^T%Kz&3~1GH2m+@aD}%VxzX(WH!U2K_po^UiH#7;LzdF!H(`g zbxPBl>kH8l2339Cmi9NeIQ)Xwtq<(d@Xiqkn5$K(eHx=KDn@9@V7K0FMOYLpSh8d* z#Z0?h9|5hSk`|iUK0{{Idr#Nxa@R$~K6baU^@N+Def#&vE2V1;=>PA!y0T-9vI+CY z>~>6xXTh4;G&lp#LhjQH^k+Y$C@fG~mDLPQn@gM6|KzjfmkV+RScN)ROiu$UQ@yrI z(Ad^nB)z(|WovzR*F8p>acVKOyELVH_b%p3-q@<)`BPKVa-$>R;ZE$9fyab6&ojXkZ`^ z+<|R%*}#O17Q3J!8ZjcYWI3V(!K8kQ$M!ri0)*E34>rq|?UN@oS;iO+`WRB~S|=dG za>S#m`q+_tGm1XWsZu}BiN}S+@3zEv!Ga@{<}FfKK9wMn$L}CFw}z7q)4zn92gG4@ zE)hNroXh*nA??Z)ukM&BW>^W#ky9m6$}oElibOf4EJuGWSh^LxGX)gbfbGOpQi@@? 
zfNZbQ_|K^@Q3zk{;?iG5B@iHj2!;AFz9bQjMIfEi-*hQm70DyqHdZ=Uek zaGQb%>bc2Th#3wGj)y2}dPmJVILJoRZ2A*m#d?ePlD&F;sl4X-vq)#zA2!nl(x*Dc_C z5i4b{v)^X(W)}xdx^(~;IMR(pDfITJSCh}9ORo~n&O$Ot2Y9@X_J2C{>f zjo!9OcV}YaN@UP$UWHI@H^Is#Ow&!asiIM=T^#&x^)GE~kO~A$1GsnKgY^X|WqkHZ z`AvKY3bxjSD3QGH!i4avr;-lZB6)JuHw<6wXt4(!26n}Hs#oW1?b{s)pde)a>rsnn-Y+z?4BY-arQ{HMFfKVDB>0pM zkF#aejNuUgU64R1vH=T7#vTL1xGDA*CiU1lOvgq0bFXak-=uf1+Aa-`nY0y5H4Fr) z0NpZ7eB~Mx)gdY_{1eZaAZvMIN-t^gj@q*A?BbvV*?#fNrAsAmp8gh1{}_7l;!h$^ zzFfs)VeaK)+I8$ft9#%tMM1FC*4A-u*SjACVdI>r*NN&A6r{jy3GlHys4ysi7c)+x zsM$^>PDQbf1pb9>3HRDQ0n`kXmuD}wjkUEPNA&X_HR=pG5G|C4zT1o$-QylmSR!K8 z-+4qPDwE)5HEQwf+27%xZQuPhc@X)`SEk30Yt0(CgdPo$@NMyy`_2<5^mK1f@TBn| zYmvZ|A89aVXzJhw;|bcYl&-}nU|ddrd3nZ{BeNeXxCw`-*qq!}sn!rG*gD{eQsosx z-NNko%~65GD|`E5!A8d?5GrMes%l)uIT4YM;y+~Vue$V7jb90L41$BH(EY%VDYfAc ztADo4=@RQb)#xU*-ZN{qN-pAVL#AbjCAMCQ^YwPNiNDU3^FE9{!ydbRa9Q{$Q#a6>r=ypkKco;TghIOV-+Be>r)EoJD?E^@8M*lw`)oA(;ew?F>Aw zVcVnCzbYU}8$Wq67288X{)!3tO6&K1+-26#*vOjj>9e6>ap@Za_-i|V`t)umMvfb2 z7SV;l;Yot1B@UDYol@BsQk=NfL#4elM;vBu6)o2C5fA%dCzqEOlp8&g|no+KbbC4IU| zgO2}|?9I7_;3Ze|recDA-Y&iWk(B1R&>sh7EHOk`<>lHtuH*k1w@%Gp&swqn9zD^V z&Amm8lqz?rglB1@=M(fTw>(Fj8eNHg-Ff1GA8W+}CQ_bRSg^}=>!Na<09UL0lUa`V zNjGkO(682$>0Q^AEB~-UcAchvN4H`u2RU@@@))?4y8ao^x34BlyXKb#M!!H1$ON)8 zOcKbK0*Dwi*p=GpdS}&39mm|R8@jz2&~15c=eJiQww1D~!Jm3SUOtkg+qkMJ3>Yv6 z>F$FEAqV#LPGAQu!XL3sO`t%@VdIWl6thLC^#*63;`7leE{`y{N6c{UATx1s-mq#79Z~@gv z%5?DxmgHD#tI#uU%PbC9`J7d4N zPXDs0$WhT?ZL!mb>O5CX6xi2H7cFWeRxMxj+#11>^*JTFq8>Yhz2q(Dz)Wh*tJzs) zwqbAIQ-sCRC&`0K!_V3oXvUE!6^MwN8oI#DNM z<8^9!UdMZT?3-RcL^73Kx)lEfw#JPbGv;B^tpP;@6@K9>-od!K-@nUUy}P$5QI5Ya zEbMIgeu+l4-7fO(_VFo~q-B?PspjzGWbS~J_u-y?R3`0q(J$iiT`3nI_Vv^l{Ow_9 zF6CGA%&ukS<@d|yXSid}MFK(NtKZjiomh9RIii)aC~*k%PTscd`Kq_4w^}@|QU*j@ zHZ{~qR^K9R>WUQ!*RM}5JNF4;b8&I8U=M~WpM>e+GJJn-Z?cj})h&kcUoRansR%Q! 
zl_f_lhC4tdQ#Im=R9HChPaz$ntE9NrieJ3L{IQtN#Ejk zBlm8BgtX|*a?D%5S5|Teg)y2hVp_Xl49guP;qoX=)b=f$wsLX*y?>B~`}JR-z^BLa z-(0)@%@(+y#^Z0MEz&z_HCxUvWrSi;&VA(&VOH0yn;BwGbW(9Uo0No=X}WudxzM`a zD~|#u+_LW$E5@=e=tv;Fku~+}8=h-4{5n3tQC8YO^Yyzz67`o1m}O@d{jVFQgs;%p zqsOLfY|>0J=^QI;*UK4iF<4vs*ol~zFr)9^%(b{?@XJTC4Zj8iCQIQSed~L~$nP-_ z6?3QY$zS0leO07p9MDN#WbF20ALku?WMwycdz)o1pwS)zg4H-$qF(e^ZT^Q3E$GV{ zz3p1URc8NeUi|+5ql&kzO%)Bs>uYoQ)3Fm!%m3`9-mfow0;pv5klpXmS67NGi}mFc zK|mo+{CMx48haQs&J8h_*j6YKxOW@LCNVi#BIc*lQ&U!~G5hAWbeE&YXmVom&TWgQ z$?V*?uK4!xLQ62$y?bX{S;_dWI}fm7_>q2Owbh#3sR;`u{mZN44*~X}L(X28oc#PS zlwQxtUqpUx2@9^eH4@nOSnDiCfur6YF*|(u+_}-|q205#D0L2Hkh3z7DUV4+2yyXH z>d@yWwDy;G@MfuzNLgYlwH`>@Rc+^POf^dS`XYL7^r)5{5A?>3)eAWwMwnkc@ilhb89=^Hi{=Nc&*=Zxt(49Eb- z07}YfJpn&piuxjWXKRpKQf6<(g}FZ@A1IgdJUo_uV9P?KM0MY51{>Gz12ZbndHJm# zNr=qR_)7`QlHV(kKRnjpIa0i7F-xnR`j@u#94cEzp7?RR!qLHbCDsTzq$N zr-H??@l(OPJ6A3ruK?P`FFShhpp(OKmTBtg$$2f{d0H4gin#Ktwhle49=0ip+s8XU zK0vx>if_Tfg`d8&EV`bZH`OKK)wvma_Vm!wv+=T>N#KjNH1pnd;|i4@;HB5eSxl$X zsdThAI@~j40iQQL##o&y$48$kUmc5%&bgd}q5#mQznv%LDMuRQC~G#&8j>-Z;QJME z`3;YA?u&(~n6;lDFY#g$nxiI}{`Zn}KD0hO0aQh%{d5(*lkMxc{{{^cRjtkmN(gs@ zf`S-JaEzY`pih~S`Kh5ow4WhDhjdM~AK5zwH@5wG=Kvr@D}28w8Dp7!{`=uTA;7uK z%tF3}DJpk#jrA4iJZ?b04+thu>!QsTufF*Sl?aPDy_ucpzn7^j6gV4*E>uavhyUv0 zcOB6@a0JUtww8Wwdr({k$eAo1%o-MM@R1|^8X}W$ZDcJ~PTZT~;sDTU(n7%5U%4Xc zS;%Z5Eoe&{Od|(s%M`~0OcfOT#I9k*xR)$RL14_;pwXebNKO_^$~$KD)-)~|Wt=e| zoxGw1jjY8sd-FHg1WMZZzY38D`U`dn{8|Q=5pj z9B<3=*mx(74Qqk2+D8iW0EH#IV*a9r#yOne&U{}~bh0pD_}o+b<~ANbK6t9;2pa|V9EmOJ z4&7H`A7)f`?b#DQM3p^TA-ZoIb;qf$bdBL_-@{`UCFkS*&DK~hn~!byKa z?uvn4&z|(ZKR`U`7@VA(D!m6jg8oQ3x?}T8dgf8cXTY~A1y^0c*o$JNPL`+x;K=48 zj7^VW4L?YPDHD1muryWI#_B$m9OZJC;X`;e7cYjlt3n5|=3|DLx{R(lhtDIQY0gbB zVj)sPohLTKgt~rO+>tf!QMqzGmRn3IO#N8Fj04^nxk6?ZXLtzI;sA|P+p(fpvSGiAnkqwX=}T79Q8%!*QKIwZMz@1ns)*IgTa5qN`HMv?U|s`15Q zFl#4ko%Ie!M0k38XB)QD{7pbOjja6_l?)x&B|0hs|HsyT0)OGN{jObe^D9HfY$58) z5AJNsmJuq-% ziCJ{qETBT$@QA$)P+WB@C@ZN)WoN+U*DGesTu{`46*GxlSvc? 
z)(hTM)0h2ety&ey>Z3?P0o~}O#6(2k7SXy3SWZ93cb71#vP|<|-gijU(T^o1D*LBpv&swA zPSx815da!YM{UT*-5zfgC%BT2#Y>Z9KI<==boS!K8RPUAgZA(!i|Z0smdsIent0rQ zumbYugoCe@4)ApQy0+IWylG+-F zq)Qknd%MWNAp@?2TjHto8mR=q^p1ez4O+n&p|bZGpH6P+Kh>R~wKuo%L*`roL>9sd z>>ng35kHEydz4KQlkIik$C^FzrJ*AGH{ZKEruF*RZArvm^wr=$pr?#6j8Rv=XEJz; zUx|WN?SHfYQ#{L!WVe?@vPczuWphglwv1(QOQ)&H5L(cS4&HO0+sRV=9{h~;b6RFUc>wrY0YufL8ppo9dm{M#r+ z36!o)SMgz@6CA&)&{8$^A&$G<+a;a$vw7m?2=nQ7%b8wDoz^wlG7vV7-aY-!P0Oj< zrxCesN!G)dX337`rMh4_1vBjJDpJw^gzM;%iHkdl-! zG^pwM8Nk=Xo&4`eY;N8DWZFYHBhzeP6iwsuBL{g~=bDKJC%zj+u*a z7;sx!cjL~Tk7S5;RkMR^#QXDyIGj2A=s1S}L~C%gw?6}_^GG{7I@sIbR3f^=M2CH| zHS=HP=V#?O(_80eP{xq@*rJY|({T?%IFj@@4W* zR%kbf-dct4DJWuS)!Pi9_XM2_0MPB(I87l11-v_@yJ=6S76@P==Zbmw9g!f~!dzG9 zPnQ=bpVak>OHSUk_p8|2C|G)7m8ik6V{vhuTS5@yBEvN_itvPGoaxAshlbrvEG^;j z4wUEoXl|zMy7l;fpq&O*FJ;OtzG7GZu?p^!o)4ycMY;RK$n>?{2 z_{#okpvbg0M~+yJ>|6ak{EkX8yczgL-useaf_>_lGdgQtCksQ^MX8swuXo?YQk^E= z7o{ge1^NV}HZXzJHM2Gi@G`%Qxof(PPv<;)`*7W{NMu1kua5qzK;^|(Ozzm;{gmj( z%=~;0MtvEfNX-%~eJ0SS^9LHd-{>aYy7e9sP$kmE4gH{_dp;s901nA(o9)o|2broJ zBqE~ad-Ed)o>?M)8^?q}VUr=fsdSLHHM3l)Z$U^+3Sw^Np!>$)p}qL3%N*}>?1eWc zYY)`fIMi(rBd@Q{#p^_sy0LDcDU_9%zW_uhG~2Vr{mGLvuk7G!B^R~urdwucqP=?1 zOW0H3v})B&WJEOH8El$^>l@^jkd$O*zQ=sm3t*n_^}Wo8M=)wrJ3)^uz*a|4xoPik zi+oQbb2GT7|30`y_&E$yK6KWThb*s#p+BNho)j|PzG0|>V6-BebJ?ep(pNAyxt3kl zeTRvvk}Fq@DWvG1ro>MH{Mmmb<@)st$;rmA&Ty0&&*kNKFa!k_3iswu-_jtzlD{4u zK6e=l!B7ji%*Gaf8MWowyF?H)F{y|4x=dO)e}4H_=X+p^jFt0)f70$F=m1Hzw7{i9 zeWB9M5PY&ehQW*^~FXKNZ1W=JC*DLky%gI@}e*K*_Z`9pyG%Yeb5_vU3Fx#asx{g^L9|rg z|Jc1ZV`$L4JUd32(4Mv%O?0{!!VWymtGY*Kq1pd(G<5esk_rX0FhoqhfxdHa+HH3Q z{NUNZZq#FqfmplM2){SdVpKzUjtTceJB=D%=wIAf(^=m5c76WY=y_^0U+!@prKWaa zyC|_xU8SP= z-SJzKJaZAyJo|pTqxGx(-I#D7xf6wtO_*=-7ru}*0+ z_0O3z43wTWDs;|bC>ro3%Uq;du2)+E?jMkKm^ymIU6Jze@?sf~SoeC3D_y!D6^6!j zy(CTu(=6+bhh@RGAoMwbEdw?N+vaTb@yR?Bt#NmPwssS+p0T{BbSekv*sjIwFQA0x z(gak$H6{{)Y*zgI`NHL6t)NlU(E-!Vi+MttM~k+h{gHk9k?~CXEA#5W?4e92Js)27 z`LhylmRdDMUJ@i`nQ2CHva64e;3~EEv^tx$GBb@`0#)4IYe>$I9zJyPgoS2#6z0iH 
zN?}0*cgmekOHY6Ak%%Us;m@CLQ-%X-S9H2Dm9tZH=1|#_3O`Frag%%>a|jvhN7_6_ z0B`-Pt)FW180u<1lVmu=xvXV=nuYYc-UnrqKuF}bkwF(c9;T(`O>pAfyKL5HmJ3qq zveQ0De3wm=;U{qu84z#{5f*jLwkbdNm=2b~PJ0A|&G+v;2bx_m=4*WX7+p5xk4VSe z=g-?cDnz;l8xQU-W;@E&&CO+!(mZxV8a3>$o|ZU|b93OYFkSkDsDy-s1;>EZUi7xr z67Ac~$VxmaM1+LXK=-+}uR!TQ$!QJXc@QuyyS{;vP>B}5^cFUl$iVNv{JkN_Bn~^M zCLjgs{pY7-i1zpH-xmy0b4Gz`J4}G5qnFCio-0S_Luwy`;hsDXEP z{9_*q`!1c+_|`}wbrA8`Z<1_$9z0)JM_b$Sls=<0ODrv4pgrwnuKE$$czOI5)Qd>h zNj0q*i(P!SZUwQyFuNe5YwP3u{DX6zoI=t;`HM!9NKQL7@Z^h6GzRRslUjD=q;i)o z7#Pa56g~lYB?@OImjetISS+FxG}urY1o-He=2m!vcD47?;S(lULm@Nbsx4*S^;<10 z2QS2Y&K&>t7A(RohsrYjNLduNZ=bEg>jUOP(PwJp*)Lmm@_H}Lo|Llmkh2r#38M+b z2y#Yo@r%FXE`VXKD4At^DwDMuz5) z0sHJd*9EETxpU`O-u68J)*pB7iLI|`M6go>G}7HsUJzBPNUfc&|&s1b6ii-%K5z}SLXs@ zQHb-u4d`fla{vA$bVoclvMiURK?@N&(iQgIn|E4M3{trBV{ZPK+cv`Q;@0k;mBlH=wkPhl&j&&iwzObY z^Wy4&ze68!gy>eSdVT@QjHae0_K~a`uA)+cy#lGY^z~S^gO6Fn<jPo7x?1jSJnxa^GR%!}Qo;dgzHZ#f{~K~|O^ zg9le~xx10z54L-d-PBC2_zn}qZ+ZYx*wzD&cJYL{uKAcQK5h~87Ua2!hVP0M>Irw;9WVRN1W? zH}ZfdUfn@C2p;l^`Tw8-$FlgbSKUXA8z(Mpz~?CSCdj~BJQy@g{m2qqTZys5X-WBm2zVT? zu2ZyaM*;!21b%ahn}cWM;tU(Y-MA&!b}hCP)>lGurBNlm9Yk?yK6kFlBo`??4>{5T z*_CBY-5-WNeDL5A^_|bSfl`4bu-%L+WClA@#v;P*p(m*;A=Wjx@*wam#r?!KSDvfE zqk#>N!3V=}M?1guG#`f&nzC(w?oCa_^#oA<=<8^5rnMDw@ z=dc0Q?+b?X?ePUnfJ4Na`&?cw*BRK-tZoggfO@l_MK%-(24UlV=w_xipI>IFh%X)E zx4Cn>htT)Z`=lKIE{SQDJ!F{vDym;}9S??c&k1Wlq# z9~z5*pO7`ht*D@UGw4!p6~pK2^!Oi$HlcE#II};#e%%?C&TZ8Iuk3qHu3x{&Y;ftm zjEY7mSCgU#_Bh}g-lW1m6W*xX(A!ogdHL`rae)E8>LxCJb#X(4Dm($`tk{$-tZyK? 
zwSViUM@Gte*ONjA&9GEMWJesM+^{i5TYib18im!w#SZSnpwl%tQ`1)5`awI0(Y~*aOhzYb^ zM@Ld#-M4QRtHXq?OpfwhSZGXp@45f282J&rp*kcIA>J2~9eRs|$c?*9KT+A^$dRj- z7yRcaDrRzz?KoKR&5RGXSo_&(;)>AyYLDP)k5IEP`Fm`^Ehei`JhKS&}B;89hQ$4)~q9Q7)9D#e61k-uNf~ z^g>D#(58LzV5W@Y!uRJ=+PfgeIq#5R2x$H~*%~YYl&Zjt(FgiT?a8nmjl_!T>{O|~ zyx8++&vyMmzO@gFFH1zhBSwGA75X;!Q8Vjk`mqk2;P+Mq zs-2z=Gm8TUtPmS)*`hOToVzhszjh{i2gKb-ucfc$$L7a8Bz$4Uh7R8s3oo!RR)|Qw zESDEb{EqInrcskjZEbx3REU(UmayVp&7Ysp_-u{4yR@XFj`vTc6Qc@67{9q6g4; zr1xl(AsNK2H6T2RdL8ux4$t!H$BS0^YTaj*Uwqk_7`G2SVpQ=t52qF5y=0OtlPn&8u*nNg zH2@=MJ`s)r2gjLw0x9F*r6fE<0LAZydR3C|A&BR8eCSDe`c&O~N?%835(OY7$L}|g zVQF5UNH;l&Dc^{$IY#H$V0Zwwn$ejv^OARNsXhKye{92aM!D>3{=&oWrV^I zx+M?B9C0%wc1%o-2q^f$w7y|}e&u-U)GvNxN#ScK$V}~8xf979i6Ibs!q2(t{d=*Q zVK!D)44kmC9}!dcMhrzm>5&jhNC=Y@ovd$XZvnt-6uukjd!gPhk?#oVK*eGTu0@Jy zGJ9gyr!$!o{t5PcVWDgv6Ze)a6iGj^TX3~;O`D~WhLx4&3Je2bj5Z+iws#L>c5;KwveOS@Pc^C$S{`f zZdx#>xF)wG$7Sz@=z+#k|n%a9Xot3;7 z$!uQ=+xJSr4gee-ZI1{z$B;-l@UDu1677nsE5S)ipdsw&gPHJZXED#PV)QH0Pe3N{ z7PyO=7-#N~!znwvJRJa9{0 z#+FL3dTUV;fNgp14&>1Ds3wS^IlFZL`Cz^^Q;(b~f(YDL{gwBk`4r-eYG&6KTDnEJ zCZI~I|L|dYZq6qEH5wVXO@iBQt595{T~n<5~N)N-lmWt$bcJ(CO%Le0AUp}^Y{kxvYIAh#378c zDg65|T@rRlwqc087~W_kI?~sNq==X*B^mG2ywKi^yXzVR31Q`MXo;rI9`YbB1IFsC`+0nmVtpWjs{{wN>83t_9rJN{7s zT0F)(T0ABLwFDT+8Dr!A44n#9UF<^Ck60MvE759?fisj>zoMmj2WW>R`Wu-W&TP8~ zSJT+!JXXS`V+a3!t|VuJfGJ01*^T3VVr@arn5&GD|(ALcy=0<^J5&LOr*i97dKiDJlTaW{=pA0iwh90Dw2%UDW*T+m26CDY|=c zq>pQ0m;Q2HxChP~+aV8hzEBY*Bqkzz`i%{Ujf-_`I@p?o$cg)QV>nWDw9ajZD1j|m z9J_30)`QLIweu=2SU4fQJ351V1?6+OjxoBc6|t|u@R~=)n!`zndlHf&96Go!RB&}C z260keWZkh1wFxpRInu?8uqeeBkaSS8eHW*a0fv{9#6waDhAql2RaF}i?$7Ju7Ohj* zBddZmh|kP4Ren?B9pbn1R`67ox-F}iiOHm4!$z-8 z(3|Ox+!B1K`0cBAz~rQ(r$<3RwV8F6=>{oPMxa4bLIOjUHjNynZ0_g)Rlk}~?`0!0 zeVFFSNlRPX*;USf&WxCf^cjZG#8{%nGsaV&Y4TDYX8|_2a`ECj7B@!52rRY?V9tXb zEiH4%0G;j}P6p?A{;5ZR##s;zt1d?#<m2~#4w~YIB zyqb(e>4x$%mOMviR4|MLT7i*0*@9Ih{@uHSER8$CKCu`P0;mMy6o47gZ*S0mtgmOF zd%U)`D#sQ27PLy+I}*3BW;q@{D~qC~_C1Z*fIvOlZ}uT;;ph)0yZ1jXz&zpVGv!Ny 
zCJDnf=u2zCMcOzL0dN(mmD3%y#~5ZzWo8BoQ21CW+T4Kkb5|EsF#gBc_!&f|bXp5C zf7})o{CSWcyQ!RS*DeY4+`)Ik_Ve`e0+p#64rR9wpIH+JZ{$^eet`RnP>P+*2!Ns< z78>0s>e{o6ZgPP>s_8DxlEod^^bQl1b9Bmc6Mtiq)nv}Yg7ChdFagdhLZcQ}l4>>uV$ zvcMgV^a1!XRQWka8T}?QR8l?l^_ziqT2v>%k+q_N-0mIF6S|reMqXS=pwb~>dBl?o zm9eY4J3$S@Sz6|AzI5fvxd}xl_{0~MlvGmuLf4UV|1cHB&VvV;7Ff}VL|&g&HUIz_ zTE2JB?P2qPG#h0DLA?TU2?!G}ghGYPm>sbSS1JN0BLl-(jBP>S&SAx4p!ekuISLPD z8aleb^*{heIBiG*3Eym6SaD<8eeRW0OB7sLp(S#C0szA3c}S3gBcws8jd#BI{Y6HG z!};@^Zx{#tRA=D*Jm>JO;;lycnh+M_r$KLU449WovB;MpwDuc8EDFAUz5KBXC~xh> zQy(;WnK8WMYRip^!kQ+^UcnfH#o2|08#AZDhJo(e7i`A%TbW>A;UOcj3~DS#@1Xn_ zME=I4kBlKl0VA`B-_1m22FUCh25aMnbYfEte33$5BOlDP_Y3Y{US_H(KL6Li34I;S z|8A}++{d^Wb2zCayvuvi>?Jz!WH^F{z92NnH6WMIVetT!%igio_-)&~GZNa9Pe0vI_RYV@Xi{gT5GrKlA3z6*V>R5L4Z? zMNU@s$Cv{2p@)5%=zW#Z_)R z9tRi#pmCl~|6PE`NXL0_en0|zZwtGXpy1$$?NSjMPoPe+jCw<$w3s^9pzrYr=}h;l z^LMdB%F29^Z~tmWk_goZ))w|z2>G)+3%1<9`eQ6&z7`w7VskSHE$`n4cf8BV-H6^7 z=(G}uy&e0J&7;GS!&qHkzk`h}ABb@G9n_BSrYE03l4@kQ3@sbVGLC$D28N(EzPle_ zT5ynL#D+%3=FK?BXjYMN(u!bGD#zF2IN)$bC9htwD@Q;ZwVuKAQrz-# zJ4{n5b=)d^g-S{fCJx7yMErLCwM+ll&|p=5T6-~6mR==l7y)UT9k!%>spmNsRkK}Q z+yC80@+cF5k)h9lJwjUP;~^JZ?c2{FHi#B00NA#sCgWVIYP@;syeqzRq?@iv&xL5H z-l1#gWz$J^f(atyN918vf&1&`)Dcj@*3Q#GqZKMRC}Y)L#Grof|K01~LS|}$At$%1 z^*a#Ne^l?-AH59*MNZKu?8OA|GrA+E#{4(3IGOC)V6bBCJgd_N_HAttft{| zY}6N&LFu5J{)*1%tl=;!Lj;`|3=TnPv|P4z_dBSOH8_O)VKn?3jDBd0 zgFcZ_WTq67&MmEx0hI$+&$7l1kKc&VHh;jv@9b7AU0-TAHzyX_Uzt$OwWc-M7wWF| zQ$}l4$2O9Yo(XY4?VNL(*1hyy;`h}z>GZV<5!`q{f-l201uEH1lwn5@<^pC0`MRN3 zwKs@xg%0I_RHjm)dfvX=MAv6&yDj|vVJQ~}2aL%2=EBk%MWjW{z8iqq0VDxV2G3dY z{+-eyN8Bj<$=VkF<~~WGC?>Yk`mz;bM zXXqaIA-_jx6J6PR=n$*>2fvDa=BuxSuLs=%V+H5d=}UXNw1fl;8Zdy{q3G=a7B#lfI8#mqb+~G5J-!Kd0|8XwTA2FX&I+4;age4} zpDsgi7!%Gy&>cI@f=6`r_m<6@i9W7Rb{*njuDi=I-6cx*x~t1l#IYr*!{#13K8rDk($InD z`1nk)L7^~f!?4`-yrIz%1smmGuJr!lwWOW%IFe|zyc0m@7C>Kz=d*&mye`nWodter ztMKIa>X1g{^FFy~Yoiv5z^ck!X;GmF`Fki&Bh<0rivQcreT$e1zQrJ0Irla{rP0YB zDBnRE*dV>_Rc7X=mX^zV14ox=xxU7te~yBh@QHA7fs7WQDDq=inOp>o5pgT#4&5Z7 
z8A77zd#q+%zg)!)^a$aYR%)*&Md%-IVPjDq6&H)8r`tX2T6JV&tR`$Rge8lRb{snN z8a)!i{twZf{xmwm5>iq+I6C%M$c|}=by3i~C3u>2OjrO$krfv9&z+5@=xzBB8owao z_j{O4)m&eA3eU1y@5``Q0ax}xOpFIOcV1in;DSSBzJ$x7(B9Fu{H;!%+V5IxG2877 zS9RduXf;xX>=-*H&jme_ARQq>NmutJm{c*T5O+yRLZXjqA9xrRC-20^n}E(%4_$5n zb|eA-3XYh$1hf@E8^=)|ZK^L?C+KPuXi-Wp7Q>$S8eyM%&Opbq?@mmP`OqUhM1|Gm zz8#h~aM_a~YX*BQ=K}_TA~`^AG?$SX$j}hRMJb#VMj63ZBN#$D{q9!K{(0Y6O;3yveWEZpsQ0$^UEI$&0p*^w4wYa58WLKWQ{|1vZ>5blRtWg6^?aKRf z3LP#EX~<86<1M#RGH$5{QaDhi0~0hSO|{2OL>skBJX!-36RHcSJzCwL5XJOj-siS9 z^opy^LO*``glD=?BG)2rEmj1!e*_N>Fb#j326;>t2~JtA(3GFRub9z0-oX4K|Zxb%a$ z(!&9#(F5)tnaCah4`AR9-e5WlVKdmC-d+bGxc^OCz9?V>*t2jtE3m{AaJON&ON@<; zVRisU8vR0b3u)tyZJ1fuO25EncamXcH@ci0&eUx6z!|8E<8S#li+OFoqtt$y)(-$I zuC>0T-`EPMbC=-ZZ%Tr{89hn=pi-?I) z3?4x?vWWH)3Q-uLK(M(VMI_W$$Si;;pvR6$Kf1+!-0f30G@f7(SA?pe7EgI}f~Cjq z)Fyi)y$!LNYiFCd37DGs=DOnSvqY3^C{o*f_U_zCUUIsEDdO)2Vk*ao3ee<%oVhIq;^3knF56f{q4f<}G@HCC8gnt|hBk7f>JBg78sZUQxjZrz+p z4)xO_AnU$Xf~AwA=7|<7UihUM2uMjXZtvf{qqw^PgAx?7hY$_W}kHn?LCZIk^g+ztq9?=I%OdUXlNCc1He z7W#t_XJNnPcfgh(6Fi`#)q>v%WNIj)^Byd(Dsg0RAb{E#>RrPw&3QEoT==bzixTd2 zlneuCAAn!e{|A#mpf#!+7ZmARr`YSOQC5d{pEHloo+GIpN_bK@SL4&eo}NqIgL$nV zJ=T28cZ2ty^xG1+3qcNGs7j7@*;FA-v<7CXEG#TQ^&<3n8vhk{2IN`2a1$~%F&W%) z45gXqx|Ou)X$&i1kH|n4JT$}#Ko*}J*DK_X9hfs$KX8LG;QDo{H|aUvEAT+@IF7~= zavPB@#=RS8J@DEIJrW)m#zOB1tQPHvFinBehK3;6d_&2L(gIHwJWGT=Pq-TkU-Zm* zv4sQb1^o5Y&GUe=(SpH<4iHRg4_Bq?Jv+jmC9eM->-`3tsHOJrI8wS#IQ>F~i3DX) zA%b&CC=Ge;T7O^s=A6^-`i6&5)t!fx8ORx64X|=^gI^~C&FT`F+bx{(%DX@Z^5K2v z{%V;_Tf#2pEg;I%PCr~xc(;pl6Qd&0g~8UQqYJCp+cnd*rQ>e`YK_)3Az>IXX@g-L zE@sfz(K41mQYa$o*5IYq)>${38S)5YN30Mel6OfyO zwt&rSId>gBClrhD1cx^IaPn+(At!n8ZrJRplrRM{W5=Q2E^6Ow{|Y^B$nVR)e7U1Y zhiX?54MK>3Nb9bAlWLFUOuoJe07!y^}^EqVUD{@pt( z6wFw35MO|HqJiVDu-9*vgxZSvl>NDL=q7Jk-VA<-_u2~Qh!6}AZPD&@dRbD^RbNl& z-GPY}^4hfO?qykuyNu6)N~X>bY@&yU9N7feF(QeI&VgGQY)9M)$Tnfw47o@wEiqpL z41H{k3m^-@2Sail-s9kSSy?6oh;u{c9i)|8VZ3?UwoomiaC3zI&K)jen0IF(2GK7% z8g+F}SROn}v`lSKWochPCu+l?Q@9D?e&=Fq8+`mUS__z10L55<<96*h2^g|7=69y+ 
zJ;UXKufEP&uc}LEinVVJR5-wK-(;l}p#k@nX76=|-6YxHFspIp+i?qr89RVur@f2I z!TtNUeJx1F4T7FW`R=seGc&NA!pDmpox`=MjayaE|3=?_|6H&u!4QBHsp7^g?pT~_ zh)pq1Iv5$$A}d}1A}j1*M1~P;U$Iz7UTe`Sd~TcvRYpedjc`#?3KPD@wFtvB6xeXf z!Gbf?VRT0)va|8l@Kq^S-%!QES^9Boc>wview7E-v2$T`c>gqY@2#bE7vxddP#1v2 zm?MLH1pPR){eaJnt$#CARt5pyvQ0LaS{?&u9UEgrDY@TN04+ohU_%%D$cYGtuo4sA zInThCC%T*H3a&g@giR(8#`#+f0jPcEj1JNejpOaehI`;6hcXYi0cI0{$N{%UYze?f z!O!K_yRiI#nE))_R=iEx>xsS*41k+;J%+A0 z@I)IiTp5@I8n}>SMn*z$^#o<5l2TI7W3d0kfsEcii=bz*^Nuoag6w4nj3+MbeZB@0 zY8omnKQM1gOMQGLVIGa!X%v(=zJmwRSCWJ2md9lP@R}v$V6H-svx(6H=9*}RS{15* zo`dTMP*(7-MiEqX(Bk=z;PE_3OM7Q?ZWP0XC2fx>^F_fMr?GhIEKebVG}cPRO!&3O(JRx=b?lB50o^6+ObFv237jj7~~uV_|L3Rw4!**9FHPLbhSF zyDPa!qZ|n{VetVzu+NVofDGBzLu5q!LO~rk54Q}k+_aKPQKjz^5Fi@6t*wS0iol<- z?keN?FzWU8mY*jS0>2h#Ys-5EjR^IM;0<0`Sub2_j}(AB3m(Ee+x_5vCq;V@LEQV# zMK7kkVCFzsfp*MQfdA-M_^h#kOfh~(4pzz@93fa%q-1CZv_nQFxO(#);21a=M#iI` z!SJHpS2tCL*qy8(K(soCuF?PhKQYF4w<0Z)>}Pq7^}nH1&IG1Q`J@n-drsPVdP9=KJv` zLN|^}3XNCPEeIT7(Lh-MZ$hA9z!2PNHVFaA{L;vU*}6y<*$mIy*c{4neFhUg*qWh0 z#2W#702^CH#S(-*>AMV)qm|R^fiYkT3dEsk0JrO910O)k3PR!nu1CdvSL{fXbhf1^ zTvL!N!~aA6uHqB{u#~AvU@%d@9{A1}W}9~K+yJg0fl>#^dq&Of%a<+@{iMgo0Id=O zm|*H7pAiMX7R^|6k8lj8%rT=dMeiAC2bCAL9u0xE%5Ta9BT3L^hv6(h`OnlpzjPf0 zp*zR0&i~`+x5Y%(P+%@zd_ z>FlAHwPWgl0;_IgQr%;)3(J{WIY9UVOa$z#ZXk;2*PU+`Xw`WKlX4mNaSqd&3y+9m z3L%Lg8?P=wg!$im8kZh(MmO>z4@4$ zn9wqZ`6=W;$k6Z|53ww0;0_Z-Wh;g6nspr$sJa%jk z3`6sSBSS(uK%td{ocD9VQa|P8$a5;V^X^mUSyhK3lKQ&?2{au{eDDBaA(yG(JQw00 zz|$X1DLcyHl={^Tf5wjV;0ogoW_JkgBH)QiE_Q4gblwMTKYsXt30et>Juhkh;T10e z(J{o=jT?if?x1{!5^uV3Qzk?(zI&i|LZ^$jA!q{{IH)Tz@@x06kA`}BR!&az%Sr(` z{22Pw(y}2w6qdGdh8wi10{I;}o17Gffq?`?Gxk-lp+xgD1%h>d~lZWsgvV=K9{=u0AaoU=RbS6Zr&eTRcSTn&YMH!vyJ8|*Lz ztd-TxO-VV7g~@k>1vp63WKvlmDx=5yve&>iH9Z}d_KTXfGq_gp*9}PJ9?JC9tTPSZ zA_o`%qg~=ehlc(%(UXkTyf)RR0$nc<>QP?`zNn`_O<<7?SK*~H=Iz_V4CaYhfUpKu z(r;R(FXe;U9W2gfoxI1`zv2gn}BfL#ZQFz{v!K7%Vyj8^2fLqE~K1S^?54BR&`U;5v&8~!Nw*)J{K zP89RK!Spb^#ei!3Y!#J?x;jnMP#rh7Jbd{0^(y2%DCd!rO-yL<^!4%(c7d1_-1!_6klOJEEpl+ 
zdw7j2uluXIp~eC>`dRqE0hA8r1Y>0C=4O6a`Vd=kDQ5^*K4NCpwXA}ID@m2FsDEB$P-k?;7s~D^cs#mDZ5c;8hDgWe-J%#-T zj;vqx7)}X(?`UuD_W`#3_!wRXPhun!ZvNJXA|OVhfkg<<^8L^iLD88zX>}7Ug{LEF zSy^yLq&KrgFb%w#u_sC$S8ULcHqcKIM$zVWm8_zofB^ajU}2nX#A$2r~* zJ(>dmtwrfWC&$NUr=~2TZq-#(z|;8G_wQdbvk1?&&#`zKvNAHcMTW-4!15aLnJi60 zKqdp-X^H#y)D*HfP{%Q{C84|QuVT#3>1AWhdKp|v&ER9{m`*p3*@4h^^GoXO78Hb{ zyz#Ax4|uikPl(ol4F-qP5BXX6aP%PXKm4cSAY*$?P2SRS=C}3w|F{4xQ2F2kq3(fv z09OVwz~Gj3#0~U!Hw8f+M;MHxqieEiWq@XKbU&20m7zjGHYA z)-3j!si{H?cB+g7!UtE0F?eh|K6@1lickkF6p|uj?qKk>XLhH}&(9+amwC>p>FGiC zb_vP-_zOCcn_J~kso=mkg0P6P>TC>XE9kYt70ZW8Ap+tQ*ar@SEQ6niV~mMZG0IAQ z5Mv_JLE@aYevR-{2Yg4#&4ytFkcs9RokeF0C*91f2X#T<`Y;Hi=1%Xb z0Yyalh4ph<`VFHKXez?0DR4vAQ8^<$2c~@0(=*p2LPJN#9LCoPq`bdq-A(`cnIkEG zi<(kwFgyi}&;*=`Zub12owTUAgKr_qpbb4>i$RFfxPr^$Vcr1`Kvde0H&|W_@%L8& z*U#gYGp>Ev%lqf)xi~qGALOI-@9OPUl9FO?4@O~%jRHZ5S&4gi$Bg)xw7qFEffS(l zMUcY#2GJW#eP(CS{5-K5xG=@K8qi@?p~-`q6>A%7;E?iy7rea!WFSja-nK~bQPfvr zDpI;EEe#FoyE{Eag-Bb0{DB5#aVIRy5!HV=y$V!Hh?Ss(QkdOE!mOjN{v(%?!^kre zS#3_OS`E7HD9#YL8R$%alg)0l0fz_TqdtLlu*DGQq5Z*PpQA&TLWy~fGtN033lxh6B_+_Z`bn=9&cv7@A!4 zXx~Bsfa(_esj&aJ$U8K-#Cg@e3wl>lU&rQz&I%%xK_^Y4M?mc$u4&+e>hB85l&sEO z${08X_BlY7Wqpm~mC4V*ys-Gehqez~UqfaF(7p#-4Q`$w%w8W^2h$Eu3qJ@~_sf@C z3O?eIQrjs7%Rv(X%>l|o)P^GRy=!M+G=(FgQnF5Kh7FJO0`d>e21{#vTGCA~#2T(3 zX5bY`beOsVKO@Ar$P?9|jeEe^6*lI0z^>C=In#6sh=FJl)x)o4ea#0J)0M|~;lK?$ zoK{Z^fw_QXGGd`qhJpq5NFP5Ed~3nh4VY6XDIkyrA~mc!Q5{uPS(o1(KDkqu=(D~ zAGQRC%G@@E9RrXcSn0e-O+9t?ESRZ{#cMEoJ7B*8UnA{9u?3qwaA;5y;Fd&Uk7tNWOE9JA#-ks?bQq}yDok4K?GN8k z_h4!8O^E;S!UN`j=FNgqD!WL#$}A9Dl|NU`v6#gRNgzXA~?%s@j{Ak$wzF7GME1IjJ%gDv> zPH<=AZa@tJvN{BWaPjROe0@)S7l0#}O8AHnBSJ9eX1QN=fAnNCY;y61@R{@K)%8ksK-Ttl zc2e-R=8b~O2`UX|ph1snVfud#*&)I$GN^+GU2JTgl$6MQ-n{td57N9*o@tzdTz4dr zcz{SCINfPydUk~uu6#8)ML?d>W8qQoy1q2=EU|Mzl=20sUUrMdCA2*2<=$8ZWi=nNG zvF}3iy)PfbGs!}Q{FOx{B{z!WCkoDjN#wuLQT!v2epCTK^^HW)|5`(<^_-Ozc#Fso za0nkMT((jD*$QobDy;J0Wmjd*yV}P8#oU_^!K@C?YFHF&LXdu6$#vj5Xl!{w*ifg=oC(#^P*(?E$ueLO21V$3jsT(xX5LiYKOOBLP_W86J`Rnj%~c^tM500X-Y=O#ON> 
z`2!k+4YLQ(dtO)!pSn7T=#n!=ShA z=9|gn_q*CZ?CBdAfb~CgW^hH*zyl$!-fA!`@LAE`#23nI-FybCsYSVi4|5n;vM-Va zLsEzH4i*9=dzVHUcG!;cB6C6AkCOzrVME7V8m=EpLBx(Hf*XJGmDV&O$8=>_cN?

    IW6(kSm$b=D zD|Q2XM9lOE)1% zgn(qjE)zQ!;#J5)$V;}P^$OcR_$g?{ifs@c^;f3no+_8j>~I+ZCh zK2LZ!kiO#}jRWNSi+A*)HtmbTNNrtBO(!6;I5SxjpEmzxEf5b~c|~;gW8O=Us=+*Z zRNvSLuG^-pr@0&2r)$AEtLns?M@>W@#&U8m1~oGqNl;%D;X16%LxL3)nC~}au5oPJ z2J6!;wM(d25GZH!@3g-ogMy^+2ASq7A2h|;tiwZUsVMrfOQ*~L+QBKMAUm5e{v6l^ za4O9F{(;_!hf|G3VAn1xYU;pzw3HCfFrJu90JJ|sXkT4z>|&0%fl9be;s-)oU=lG= zjb3#I&l$Zm-9Sd|p?QMY?P+WL9bsT(q6mVzBX= z$IQg%+1Y7&=$~LN09F^!bnk^g&-xtUnbMoBJo#VfKMU?Q@va*6PJuOuLuy7n? z)Z6)i7}$d`ihid-9nINOf~I-p#}io3M^W&HuV>k^+QOtWH~Bt)n=DT#dy?pSN$ehA!($A>6{7k(#Eg=7IenmPLwm?+tQe&j2&>+Xk` zUoZ^fSmYmn{u1dsY${&?a|jnAL3?W3tNyqt+qB3El1Xh5RIX5*Air7T^2HP4Fto7A z{j<2pAwav6xsq$~O%S#JnjkJ;e=ElQNhk*M%(x@`{gRF|2a<;p44VJ;BJNXSoLJ#? z9B-nX4B>{h%>|SJcsw9LJXG`v4cdZncSv3RB_Ua36GpfF++EIhjg3%*tbr}!{{dAy z02E5sSk*^MKfAZ(qM&fA$3-4B>*l%m)a-qp0}!69RX0$w(-JEqp^pe*;R=S( z;V5-Da$@W$ILzeB>U>ciIG(6ytE)NR-yyh^NJoL_fbR9L#6nUFtO4h|rjCS!5JDct zP-~PS2-Vmh{spF>{-dyA`%@bese!u}0uL^KOf%f5rUFiAPU(AhHpg?zC6Hy{is*CX zf!F;LJ;bt2YWieIpOCYoRv~;EBW6H`0vl%8cLk(3tDD$Bbz-kX;?K2DkozwN`sth% zR3C_>Jk8B3EZhJGgrFKYb}+Zv?)k#i#PgYw>t9krHJ~$)RyFS0g4niA87)@vT z0Cb)#A~!#}kEjmswaxLAVQ|)0GJj=%GP1YO`_FHPm+>q;1n8>00p}AL2D;;-s1Ko9 zqVUJahz(UXTtoxMXGvl{0F$gtK&mxF-v`+i@+^QcU|o_89Qy1HU1rR_9Z2DEji9}) zgoVYpL^ycH9262_IOco<#Fzt5EE`ay8orXVrltf5nZ5>d zv+?zVNge7+l-V&DB=wfm9}pC@p*;%7E-(UWDk?xEqJs6COd6q`>3|4qr4^=*bPNm| zX7Fp+%-$Q6pL14+hKIo&;J4)?1{WdYMYjQ1HOzi-%M$tRb_5_CTcULlGd?m+u*G%` zq92G@k6YpMmoK5WZdGwwLO!VJydChK%TIoarh`aH(Vi)f#U9W%HI>Koz}|1q%=q{0 zq28m2_7{+5V&v-6ry{1@+#!?LB}go7E>)EWj2r(KqL_WRARhu+9~ATzpNMFiN&GGYF-vwf@Qj8TN2O1+Fp5+Yw!JUO(3+gnH?f^vh zRz^Cy=9ZR3ak~h_D1fIN#c=2U4gjCz2)79<#o?SYuP|8{w%{Hgkn5wi1Re$@=J)TW zrCyiOYD|j>T$uSUGHpW_2zNfJntd#Q_2;4dvvd@r@Ygjo3})Dw=kh*CnO=&pc76@p zplgoiOEf;Jvk(~IFv6lk#9K2cP)RrEk44~79Oi%7I?sDRCdj-ICIHKjdf3q=#{0l^ zk28&YX_HS~6MjrC!9nO)*Mo;QD2*s*{#hG>h(=7b!KVj0KqPGnd*PNs{i3$95nJjI z^0~rHydd&>kkyt&COdip}|a4^x4MlDYSDZY`y0}%BUOMj-mEL zAaatf^XJ(g11N=-fzwMkLFB8jGc(gLF(EuxKi>`JjoDG$`u<*wC}X5Sas@>L&HLl) 
z;W(gp!~X^qVyDNPmFtcLd_Y_c+fc1hrys$&A^2<$XP{-y3U3Jq4@Vj)OO88iO|^B` z_>JH<;7>_S+Ds2?X%H7d*?WUb+Buy>&L^0$%)7*tTaz*U?>a`sl=B1^6#ji?W|-RJ z>EFN6I?ELapdyGDsLqMbXPv^54t#;~^2F^4ColLKU5iCNi}-ux@@3jhn}A>dZkR9Z z01m%fKmfl-7B-)++l638z=_VVSO~{+Mr)-o2uLQ5099c78rG#_2sw*eRT3SH@NkNA zKHyrw23T$7p4$PgvZLcN{Nq8QkUWiCPbKuvqk#W=?x|AB00{YQv}KRrAb~9h=NKvJ-tWqz5^J;zwc(EYx_{Sh#kqN0u(rI}d8ksP^)0mL>n;Om>TxW4Fes`&rf< z_uU?HM%u|cUcK1Yo)`1{Dk{;(UyXn5pp~1yRm0u2t?S}# zp#vl8A>>iC$=j9pP~BNLqAyWRBT>Gx9{p*9#p0&Q#PPS)+yC|7%_J_VNpHt({Yk4&}b^eJ)_SZf`P*W6)K z=ev~d>owbSEd4d@Zkm+b-07tCKS_vNFE!~*58gii?`PgWoDB0$V>s@*FC%>Hf4E9P zMrP58RDXTgWo;NeV11@Dg7?kWem}U$68IWv0m?j}i$V*B*;Eyi%FtB=O0z%O$~Yf7 zbOh2L5^t$=B`_M0jBM{G0Dnmy1GM~H^AiQVX1|8;m)-nHjq77&Yhz_ApUUjxY*Y8F z&!#I?OS+Nyd0Md36aP;6nAbXsC*v? zq|D|FFT7kSaLU$yO|Cf?ohB#Ck>w@-`<5-p*T;NUUzo2iwPj==m0jzjR#H!I)=z@C zG;R73h)l6;G{jFKV+~A^A$~2VNSoIo3>NyCe4p+Ooqm#$!Q(yUKixhuBh*ZRF|A}| zkF1y*@l^2{{HXEYDw&iLR(=C)X;fI~j=VO@AHdrK3WSlMEf)^v%CV3O`uB;k$Uld}V;WIRX&G^6NIUJR|07e?MK$&;RYo zIE0J!?|YPJHwM0cfY1WZUoTi+U3@_de#e_6Q-!-T{GIO%&HU+I8J40_seQTf<;20F zZ@-4j{(X>B8$*YQ@A>a*>t~vOZ|3ixEhzr~|M=h5`S-mse*d2Fzdw~zvDE*482|n# z@aW&M`S&N0ikIF0-jd&LRvJ~Wr9cHA6|Ls8+BNqZ=8r7TvxrX(L~kDvJ{z*<=!52d zHV>&rTKN&z8H&bS`qD+Zzl(3QX*)LFgR2aGUoxkVMRj77X@2A3RezFjQquhRgNI(1 zOiquih82PN_VmAEV9@{Gkof0DKL33Zqd*C*)29w` z?fA(Qe8VdD)PC{C4--ObF5YuR#z~v5^Sw;jpW*eV^Z8Ld!Sf9ABbR30)Cf%_G`GiU zH=hde{d-9Lo&={dCl9F_u&PG0zD|9{#pvETSV5XC z@bxIr-5X<)y!VOfzHiMu3GxGMig|^-uh_=wXNNeF;smw%*Nu;3a-BFk~?{6bp@O99exE zyodYRqxWONmphpvljMEY^q#PN5PS6^**V*8%+Yb<#v2DNKR+&+*)nUSdh*4$Vg*G- z;i-i9k#7{Io1XkTSpRl_g@!EuR;rx`G}H{OjiU_?-HozQt*?D4nCT@cw?3t7-FNy$ z*_@K^O6eWpxcZ^}NWN(fpM354P{G^cMfO;m%eQBJth52`rH?;#mxrCs=239>?o{y~ zp=ubKqmduENcW~qsC^<|LvSnc!CLqIw+l5s^U(7wf1fepGhREDk)}$0WBZt67*EO= z-PeJUV|V7yi=R4O&)#19`Rjuu&o_^s?`8=Jen&}rQq1+F`H`~-;PO$YPSuaOUb*0K zh3-v=CryB~>(aZrz~d)1Lce@bvx~O($L`+2D zPSlW9!`Dj+Vj}pCIIqt_B#N3Ak8dWDudgcXP9Gp1P5F}lzw?@{Au?OHRgJFMadu`>A}KBRZGP_C`Oj|^;<6X0E7j&q@9EJo)>*S<|33IM!{LZb 
z<<{f-qVD~g-JqSI*xOPxeV|d%Z0!#5rYy7$|GO6qd5jHN4B`cYGPlmT8k`hx7@D~? zK^MGCk?gYGaazl?P48@OTcdmY#1r<1;!Rs-`g}^x#BHPOhyQp?TfJLCn2r6pNzeMj z+n>^jOXi<830>NH{Ml^cTV=%u>E}a}&j%-O8yhQ@mD)lj$`!V-;qYpO`d%>+02gB< z<7diEZ?fMXm@@rx>S&#WRPm%diS%Oh9tZITjk^A=sGq@OB@UVS4z3=dLU$GEw;Ik`hbB_>>FcC(Vk97>z>pX%>2t}Bm?-CsQ} zQRZ2)5MIz5Kew->{{3f`N)ZXIU!D28A2ixo?~Y{|+LvVVs$h{v{?&_^A)z1CyJx#a6P9Z7VNbmJHD`2m9wv@Ga}s_~KXk`!&nqLrmg&?*-?cF& zvq+MCuXB2!kn4wqoHK$~-JQGg+~TKwMfPb-r|#7l_27$TRz0b~E)!X;SK61oQnWYJ zYx-xnh4e?US8YNb-2pZAkDK=5v6Y_*__x_kwJUfIWMrH#&UzY}5)mG`yzS@wWXJiu z*pFKy4aIa!`%YxWY^B;9aq1$uJ`QQ`pT0r%BwvT9;Uo!J$x?eWgVHJOnWK6VKGlaU zC88Trzr>O*Jt|3`tm*ZAoq9A*Q%%vWUt|B>oir)Wi=MqM`Y?2fL#IhXwfWwQ+-twT zBWX{K(YR?Pwr}@Q?7%H4G4;c?+9l`4*xYzd-inA=>pFPt`Dn-a8ln3R{v)@x6}Q!2 z#a(gHxn0+gMvhp2LH2(E<&gxZ@ks-%mP^Jb1wscyGaSx{dJe2sOieso%d*hLR>U5*#mZbCNH)TB*H`J@sc6-nqrD6B6tT^RqsZWJa z;*M%2&xQ8sp0!8Qh0EGJD$ItNEko9&+*h8r4PMHTP!*-G{w#4sA4vnZ)TC?g*5Z`C z4tjS6XiwhzlIvkb3@0g;EzvNpJO%Yrtg)z+;&zUZ-D*}L&!`<8<+=SAiZ?_ao1&37 zA4vRrY37*zx0h3JMXvwIYaVivm87p3;Ge!8LZUbKNvwCM9}3fYiT52Dsnct6;aT?5 z$2=Y9pY}p?KdDs4yYrtEC`mNZ8fHdck+~r0Xn9E@@xFmp{Og6`Ea?Z$Rd+NF$;v7; zzsb0%Im3U0>CK;C)U3wJ*}8kzz7snxD@Nzz$jtP04xO7)C0ElF4mG9TOXG;M;)qM$ z7ni~%c;e)IL_Qn!r+Z~ZzsIQjvxZlBy>|zJv|$I`8|((Oh<^Vh=u8i-V2*N9Q~^eQ%}01v#9Ct=R?F-9Jd+*G~#m(ATTr{n^j$4mWAm|1z^n0r*O`I14i)(R)X+`|09L>}`2 zYTAs9XBlkq%T$r^zKi~W+q=$a#JTSe-Jj9_Giy`O$;Y>@t+pmcDk{va=tnwte0BDc zBtDdp{J#&CrNwD%crWCXtLjPWV6|;O9Tz5gEOTRMWoT75?k|*#G!c;!Nop*RlEj!{yfuI&IntcN%Il(nh@uPae{0K6LiMbDb}r&Mn}O^ubS&kVb17aQGNA-iLIW#s!s zPlIL&1vv?>LDPuV;j}x#O|1jIKXY%aT^cVeVr|&X9Pz8WxT8vWU-a6K=DTreTd6Gb z&JZ<>tn3-kgc zomw{uKibv2rH3})spRDml_)34%zE1)Q-LyHnt=Aaa|cE)U4I<-;6<+<%WJ;O46!b^ zIi!nw9>&zp9#k~(6%L}IO zqJNi5x9{Fbk!Z}T*J9Z5T&RBS{h1f( z0qln^I1HCm%xcfldk7~ffuGG zi|vIka&mzYvC7Hx1od8JQrwf)Gk$$F-p z6Np2@5&8GoeEC)5Cbt)HK(c8UXA=5J!kpIK`P)mkF}6WhYm2=c5y5fR|UCcUw>~!-+|dbh)u;O8h_6pYHjmUXx?%r zi!JOVoB8|auS>2tMYA5_KY(LvK6b%n4i|D5M}fTUM$&167qf}OdA|>R{j=>SBTsw$ 
zry+bga}lo4qgy|8Tv-*DSpD7h@ZdA*QB7^?vEibsH&SdYjhDXG&FN9hhBHlxz1%{h zn#P?q=M}dae)Wp;5%L}QWEO`1BATEDZu^rgsx2>z5{f*9&CBM>lYIo-6{Nn#c0@Vk z8FR)xtlN4e$LZ|zg6CD*x0;Wp1m<4f`{c{<;~G!IXip|^F62J?)aINOy9v9Q1n=2Uc``lFhNII~=z#S~#gXNYoNw=`*{!UG_qeGj*yscm)l)EBzOx6|{>NBDDpr>E?_TfmzjeK~(6 zlc{E)GItT7&3CH)frF#rQ4&#Pm5078Hs>RDsbK!$UXJoWB0~g?S3cd zIgpx|ye~Ly&$`xjCXUeLQL)Sq;@`%9{h4aMi|4*}DoyD!(km32^K8B{ryFZE%z3|d z@%*F<{{1IJXrccoF5IGh(*8b`5W2OWO06I55PXB=s%z5-Vro=Ej$yV)ZAiz8Bn6YE0kLxUEC(klB^1 zVP!?na^DX=^zAKfYE*8!Y|w0=)jXS(c0MD`vH0PqA?Sy=eHU|z5{D&Cj0=!{ix0k4 zM+_`(?n-K8PrGJ6VqqNmQe5I}hgk`pH`xi7i84|A>URkHBAoZUv7xm=z4iAG2i^Xx z)XgyQv^!?6r;c7|62H*(@`Dg5?M7qWR&z0ppw8P~-`=g2$`xF4KV_Z2fiwQ&@{uTA zY1wt2om+Nj3Ot$18FJS@<|x9I=w>}*1#iiNjO}LL7i~9b4{=QtPzlK)fv&Z#SPtVmTDY>ovUK!C%O_Ur+w*UF?sui&V zR43{Q07O^uZ#rr5WbAFT)E1po@t1-JI8~!V zQjG4q=g@x=(WZuIzoWg?%6Y%rK#29>dv~n%N3rOSYKGVN^!}Q7^Gu2H(`NxSgi&Vc z$nu$lPeM}^ll#-D&rb*R+lz29sBPqHsu(zyn-!}xnBmr&Ju&G!+wuK@(6wIEXmehg zfgibp%@KeOzm3v$kJ53R7rIcdRj(C(%{*}Q)^EMisc{gD%s4o<9S5pmaOnAWp5VJb z9ZToZ^g^877lb_`((Dc?#H)w8CH7sEouBB)by;BC`WNppa{9O5LgzEvdV!~~#%kRA za;WD{Jo(bLu`ZL9Qvc6&>FOmuF9jQ3-U_rdx^K(*zC!H8n@GKruT%F5+|k2FJ-%?W!J+W_7{5E-=^|>&yuBR z+^u>(+fH@gWiyS$GVl6YKZoh%xNT$cY=7LDQ97L&G)56%pnpiq@Du^<;5R2vskX2f zBpx^$>Lz3MXX!!x^PT*s9~G$VPediNm0QLB!hE#ScC5Uz&A-|$j4v^Y)nNNJZdaKd z7i>$Wg7_$L;U4F;_{wT{1Q2m5}DjJ0r+=-!+H6Qbc|v>+3rW))TvS?_&+y zvo&Rx#xo;%8ArZ)O*lS|2%GtQuQ(zgy!1KQhwa2%%h0x3U0e`7g!wd zq4Rz6!)rc~N%7YxU4!PB@W#r|a>cSd*ZTVS1TO^rrdgq+o;3MokoA9fdJCwiy7z4u z5d{SW=>`eukZzQe?(S|7hHeB=+Mye%LAtveq+7bXyW!hBzxV&KfaMa_FlV2$@3`XL zZ_g_i+=4fh@Gd#g5SH~5Heg+_E_Z+njP9+N;kiF}d?m1BHR?wCea6S!Ins4aD>T!3}mfYW_BaK2U;5WH8@WCQPL}`f%FuMvRKb4`MUlV6WoB%jb5n(w&x) z*Q0Dz;EE&nvs0}fv{d3&kf`GH>8T~LU!0g`i>X9OJetB#KY3$P%pl2J^fsTsKqKMy z(pmm{Ie{B}ajR29Mu-HzDN!)q$tV z#mV+?hXRR=5D!Td(SO;Tnniw%zdqLyRxMZ)`?UQCYwV`{Zk^Xpu0f&rMN;DF$rho( zlIx$ohA?u>mVM{NlQ6_7(&i*m2T2SdM`hE5!b<;Dt;3j`npH=PVDbN8{ufLqe>;k) zDmz(QH+1b*X-YrTsbN+sVnM!4j>u0$n%E;m_|6dcsk~%SV2V 
zb>Ia9pQ0)ssbuc8xXIdg!Fi1^YgH>@9UEbt{c-<{XxX0`BTz1AbR?KgKBLX*Si#N; zb9TG+dXwJco2w!hHyFQX<(|WNG?R1)V6_2D6Wm|}+(ZgI(-k9~Kp0*i3;O>;e|1@iAf8%-Y0wCYg7NOpK{YMNkXcAm#F83@n*OVR)R|_P9L1Z2g{%j{f|y4 zad5gk>s;v#EuhYW;dR=J4&c0|lsP#-OmnQ@D9<*FiFWg^oi{Zy4>rMz(5mrywC$Uj zS)!M;pox){j8ve+$yO$#84#qv4Nv9rdf4s`kFS{naja-zOI9Wb6`KoZNDj06#X@Io zGJJD*o`Vv|WKMmsi_ijVQl#SU#<@Pf^Pb&z4aCbWUiE;Bxb|P|GyH0_O+Cc+o1)P_`(Y2 zEZq4HPhHm5<${t)c&Fj^%$z}GB8p1&bU_}6*@?77k#_xg2RUjyfyeU6`NF3XdE9K8 zNHU2;7(E*}&$keDf4ceIqRrQxz~Z6j;m1`hp9n@ibygxHJEp zG|n%idheyr^HwF+1ZdY5+4F5$+FG*lH#Akjnw)jwSeSGg6`)VCT8q=JpocHN?+g9A zV3dFi(4qLk28g4J&B{TLzW+PbRI!%-T)pv##W^?8j}l9#uh zu#yqKMK#kUOI$Zd>gAdYpgv%q?}8{&@EF@J0ppWA#WW5Qo(q(%#OLjurhT}vN)GmgQE1&uW?=a1&k9;)}cgNC(LE@f&n04v=x71Y{486wBVOQ z%b&P-*a+!Ne?Gq@e0E?$!7{){971Jy+yR=cFo9l~H%?7mHy}NO@c{JQEO7&VjrDK$ z=3}5SS=5w~8S#?cD?wTDwA)h^&@w~!H}x)#?6(8}WdHr37J&NGJ+Xw7dscriTp4Kwr?f`5^@-@)nJfGa21LVp=a|{&wIljLv6awZS_aDU|fvGg$Iv%7j=03|G2cmp}%%b z@-^=Fsy@`{D5B-utn=5>hrnF*uA`d)6^vbdOot2f62+gcD-X^ z$^TIH=eW+Q;UHI>rOaA+NR);jU5-MOCIy=E7NkWBQ21{YolNIKqMix^HXT%PL>TdV ziTZ8^*Mo;dW&t_&REH94(K>&=$MMYO`*z-1?OGR+cL<*o?rZM1ex%9f#}lM$xpUAl zj&si1R*zsxC}D0o9Q>=R?L1`tZ?6Q;0ye2>&I$xN>M)oY!0g#&VpTwMAftr&^zSLw zvW!2L>C7`Lm;A>^1`)aQ&hz|U%^tgQSQ>eK+gJG{-uYxog%EI#FHN>$t|OU+a<7sE zjf&;Tt=?m&%fR{q;99n420l@@4UgZ<2?<1`FaNtuOa3W>C`I&TOgUt6YHs}B%BB78 zN&8FR7rA*CgNP)H+i&6tY%4WqwC;xZj*sfX1oV_2uO9F6gA`;D>5d3D9Zr(_1|Xo% zo42Ji!~5Q5P7m$r`CFjCoLFS#?%XP|=RB+DxoHB~{{)m8my54W+vjqwCpmS^Eenc! 
zl)<%{wDIzTj1{D;5<(dX*z#caYRn?QF6L>%YIrP2F|Q{MAFc!+?sz{G4Gx>E2g&X1 z%w2)=n&?<2+_8gElKDJFdPu01G*$bt2Jiv}z)%%~toET_LpTrjam6ug9lO{ctkzZO zbVK0#f538!eXarjLyC#V_Q21hDHP}=pjYFR!xRHe^Vu0OY}3_$)o(M>g9YI*7 zo;M(4UaCAbH90;t=rSns%uB4lF3+N!{8b<<)otZxZE&r^*J9<7yT9jJu#gSFG}k)i zaK`nGVRiy!bc{`gTRo6WA`q4w{(5g05tLvr?7$W4ce*{U4h`xwXg=_j6#(|6Qdchb zc}On?=j&V)nU596cEK={mRD2hz^y3+}Qf3)P|rro1FG#9MO9K0GdS3fetLNt|I zgWB#-zQ&s9vjTRRus7fnp;S#_T;7qC5D!HZ5foR@cElfIH_r_)2k46OA**2ryz4`d zN%l(wsb#P+E&f3x%JPO^6g1#poQ5sE@x?^RC z#Ads`f_{YvMf|0*Oq!2=ws&lsvYy+;ao9e?l&vFbc!zT3KRGlrEIEo-hVMc)LUz(` zFQc4q6Oh$dPU!hXCEM&j&`pUYKHi1KpLfh@k*NnRRGEyCqY|?`?KE|xCwjqm)Duco zWFDMHyHmkuUnoxv5O#s%p69wsZY#$krCOWVB1+0(-8vmX<-fn&3SS-;k4sLbizu?p zIBc9;4V|YWa57GUq7Sf4xA^@Ga2uOee>_%}5f>h>%5xC`N?}v@ z01LdCNsK%^h4Uo?k*HF4$gAFE?eqnCEf5ZfA(}CTgYJj%8h+|~(O`Jd;9H{*M|x-| zRb)^W8@gOaR0fOI?N)7c`2cqcw0N;WM@0t^#Jbfb^l9=3i}jGlg%rRod{Jo5wh{b4 zEx^=yL53_vUVh?3=X0I3%}mu`io@B;`8jyw>D`^&(09{IcEKTTrgZ}{)R75mC_1nF6@*; z6XA&hm_K~_7iJb_jf(kFr_-W+oxa9?_Hc@QnXq%E)0*<>WCby~;9QX8pKA3%o>0GwG7v0B_#5eA=e!g&JLt8EvySY|P2TFW}mcp1d>NR8{vA4be_iWVC{jSyU+^nU<_B83D%Dxd(Vz!Zf# zuYMNA22!^WuURZ-xMv&go~bAX}aw~lX7{lDMauwLa!Hjf5=e7G?mXj zuNxa+V3i#!DyHd`V>lY-U>%3tt|0yN`-eLNwaL67>*=kX%sMMx*m=XwJs(uE)!ZdYqR*cA!Wv-O-vZBQHY(HxnbP*Au$6tFyl*^ zVo1OXom%hRn?l}W5rJQnccKlFB$e&!XISr4Dd#eJG%~_ni~z0@p6qEl}nw~hRbAH}{?CHqEK8A=$VG+l?!-OjmR zIy6|i(@^TF>~&yfqn|t}E?#)28UHfCU45<_)nYw$O0vE!Z&idtL7BvilY+3@y7YB# z|58A8JV;L3ZmtfpI!W}6bZ6IcCh@*-pefgaqU0=(!)p_acHd7AW4wv!GOoj8+D z>JYj-4!PYdiCXOkXSwD)%f*NC;>4P|PR)cxWGD8891@=%%T~LD2^q<3AWAFFKX$HQ zS2L!iPA&M;c;EVo3m-+4s!taJwvtpOBb+)>hQDz6!xk_*X_1_M>)+t5i%cW|9}@ zz!&;sAZrP;wvE->!j@u}@q!wgD~~qUq+?v#!^8FaI=qBydF`-wwP`k}$LN#V(<0B9 zR;^K({nq*d%Y%+uG?KoLOTDXgn7*$BWmTVwRl-K_t{W*g#7qYl% zXKj8mVI;RZTB1%b_^^-CB0PJ=<=5$MnLiZ2Jy8Gg|js#3=tIgBHnmL2p&F3~h0Vh{z?2 z5-^hcu1`XSd^}gqhQIdPmY34+>ubcOYsA_!_pik<=42}F21xddWgrar6Bk$L->Ciq-MNMM-#crRNsdgxbX^fkj?ZZA7;L7)3xh%*Rza&xEBBVOD+L>$WS z_S7b0blRt$)^Pi+#-HC@xPC_xM_lxJTn(U3z}L 
zz`)%Co!%`V3cdWkrf=!=UwbY)+db|tcz+}1gKsvQ;uw2BB99L4TwtoR)zr}!ptXCY zAW6{~KusB?2!ycQRrwHdBaW6epU0ER*5!ZWDQTA*8lmwe79*TJD*bqXP_A1?;CgPp6N^H zNNf`LB+UTXkNSW4GKdWqPW}3+B#V~?WC(krO&(B3C8j2z(-%>nuEQg?kLWc%Og`Qn zUrGZNUpm59J>mH$%_W&qt0XhJ6sVx}#=E0NzY#>6)_Ly3YBR1k!uEYmR}b~--FWq= zUFYG4xcUDHHMJoKK^GsEQ-lmEvJ?O|5DOCn(t~_}J zpFVhb-1skR+r|!wO2*LLPr%-z1vdc9sB87wrAZ0XtvXZ|G>l`I7S#mjjye7*7hcG4 zC1?LF8CuZWhwV%`aYM=mtmGKboRqp2R7V{ZnU1k`eY7$Om1tpTc(+=p zF5@ZkvBd1K18^;vPf0R6Te(gUHrp!PJNj!iKCYUfyO28dLPRllGQX(c;P z>w7FxMyAAmTax5DAlY}yeolte#&EP>_@LTcT$}rDHh8Kw;g}xVI8ivrlJ5XNV)lx; zQV{n5Rjh5q4lUDsv?X1l|E9_FGV_CR+JGHL`@ z+-a{kak9IJg0jj~*z3x??ZjjCssE)@Kx4~!V2F&3W1y07RKty#+*q)b-92=tHJ(&5 zC8WMjfo3ZwQtV?&@TkMc^5H=b35p4IlTbb&>{0>9fXsx`lkSy>fFQp(f4|`5yX8Pn2D#6;H;??LNY5lm6tNhvDh%5 zq_MR+YnaUA@=o-$vxV95W1|@+s1|gl&P$Jv9oit4v~hZR(o8oR>kijbi#$C097stM zJkUQ6q7^)%P#4xo8uUshxcHaFkvr=4YT?Z+T z7|FS#H??86?yZ)e$Ht=~_^ytF#2zr~SyYjL{{E z_D#({gFNE+&TKZAm0%D@pQy@lHU+S;1&HVaTYiqlYM3<;= zR&XG7l#rdh5F#NK#G~U40^JmJ>vwT!)3~1#yKeow>YXVBZ1$hhKnY@E9&Btr)5^k5 zTn&I0ujP`zTkfjT*&;NQk`|ewIq{N1H|c|*zn2qqHogpJ1PEC@WVW8flVw+lP3Bc{ zNZM8RQdF8dpdOM9$KnLzK?N!1@-_{;G?h+TZ7n_9m;cj!^I=}tBeLXQz zTbd8aJm%7)?s!5iHTMMOp zO%Lm4K)6Sp9Xh|8Sd^bwWHDpR)!%=sU}{pQuOl0k*E@4F{I#Gyr&ykPZ=rPJ%o@0V zp1AEkIo0vSyN7+r0hqa|bFO;fq+0XEIuJylioOgbPNElHjG~fN>Yq1Fg1PXwSW?jC zfjUD`QW8L=l-Z*}S;~sqtG(qopha-8IRqwNl^dgtF& z4X{=`rlxF+!UZ3e>Y@}+6E@aq9&+m4NWM^m&(}<6cE4DOL5?fVW?k=cgpDS6rt7n- zB+QgUW>ZsU|7yb(5N1TPSg!khb#y!nv2k&y=Oql`#Wf{3fDh~paK%>F3HJiP$3bc@ z)AMw5QcRFQHsKE~L2+Gub>AdrEvSbTif*X|8C!$)zS%ByRh+2MnXShkIA8-Zm|Bg9 zi16@E3`4&6vix5Zvc#8OJgrbS`Oy=6xKV_>UZPRRk?-`-R%cOPWmh}ml|!bq4snA# zzx}qncy|zSnr2j~8Kz8_2aZF(@0JnYzOKQ*pj`&S#gsI4Gv^2W>F2|NmPAY)WmVzji7eAXFQj62z%t|899_>skuyE(% z;j-xqZ-F!g)`8Mz+?8&!13gv&qO=OKlniK-udQ#PAtXxhYbceg8ti{6>jug<$;t^gfT!eIx)McnEJ@l;ZyCUKZ{ti91RJuI% zi6^<-Tuo(|2_E2j0}b)IcI}lYbmcyopuCMxHYToa5j@}W$4YpuilZQT{-Uk*3mYc! 
zuw!HV`?rYoSG(Vw-tZ0>IK6YVb)^s(dIbpAdH#FwiST)R!c{Zr-dm5qDy^84Zxb^c zeP@G}Qj~^95|CEz$5L`m&J`-Q7A4l2NlBVHbJM>DHZYwG>Ebgi^YVIwfe!@Wl__J_ z(+j~o>K9PNw~1Q5sROa4cdu%-o4_v5tK0c*md4B~@Oj|{NGK%bIXgoKN zM>_R=KULbqZmC7^J4FITo>fC?U>!c>w1pN}!~nxiN=SrD$Y}8!w19TUOfz+G zNSFf#6Vqk6UJn`9%EIKw>Cmg*as(MDgSTGP)4iPv$|2!BS@@CmK_vGs*LMCuc*Ii% z^efKwGVz?j;?bjdrgNr+d5N--7XUxC2xf8V#E+l9utE$Cp1 zCdNBcq!uUxx>woCR$s~JKFw!yNQCA)$EAFOHsgPcxPo-HQE7kzW14%Lcv^}(Xf(V$ zoa5s?H>(&LksC*|X(Z9OE{*A7ee2k0A+@riF9R8M8sDLyX0hU7v;!X#iPsjO`sT^# z-z*`shHR*Ub$P*CVHe?VARy@R9!j51oM(9xc92Ri&wsUDCtGpl<#XJq_A*cmJfX+N zEYN7f9LD7Yqu#iFK=fjV4KoI)I2*qNFj=?sA78#&)ryD_l%SxIDb4BLk zWY#{Y9bHW15PSVH*>W)b)JeGU{t0qqaTf#6Cp22wX1Q9JYA~5ojqPym-{eHCy(LDv zX7LXQ_xwT7hJtRje$gpI0YC5sdOcpT67VbpxwwtB*qkC=1Q9$B|~>7DCKlQXBx%);8t zLbnZjnIX$W*tP~J9c88*0sb0n$v2n>{--X_vP-TRY{@c0tLAPX2~A{7+@0P_S@=Yo zQaWqHCW`m&Bc??T&1>FY`rq60jeXZC=yvS9FS}n4n%XYWfe3u|?>JXx4KL8S3=k4x zGRY?9Km1MbW?Gpyg!JJg&w(;^aql3vM|piOGmGZ$p>Q1u{U=F=ufu>V)?8NY#j`r|)shRsA>Zy zrDmsWoL4cOmZ3;{Pttrd&v%JPFwlRnkvB^d%(Al$kX2`(B4ZOZgb@GdEDFw$?aBg9 zJYX0l(5V8mf4suZZ=DaBFY&g=`H|N13y;y_4k&1WA#p}9Qf*uu7jPBBA`IP52FOF z>VrH54>Q|oKj13X)kzB+Ig%>>v+z~*yJ6q$dE)aYrRa)L?F0Od2uKp<8%p~-;iPu} zmwogckqLx_x;6gZb+&8E<-Jb2Q!2~9!F5X;g836Wb_G6wfIU7&r~e2zrk_E4_CPDC zqZ-|dVy^;Ns0>wsp?^*KHPwPod=s0!P81Qp=_%mHO`9+ngQ^>r;jp5IaQ-Iykx5jy z*lh3pt962W$9}<_W0vN*HdWlrj-G}TZhg#IRm}m4meO28)x^n-52LnIWZuqkJmenJ-r9R-vN}Bz1mlqN2%+C zYVGuT;nP-OX1A{Q@%4$>b86z?jgle&oO<3((~N2KMgi|ZP?mWHm!jG#yFGV)XB#tH z-!P^q3){Y9NfKvOI@|L;%A`KZ$jE5PAVtk+MMK&YOiGmr0Cb`r%+8PSNChu`v*feQ z?~G)^RN=|7kX+(kSZ8xiK29DRI7RC5&+Zr=zihe&{iCsH;kkPWSPuI9iIZ_7)D#{U zdsm8sOLo4~tCQ|5c;(muQxFX`TM-}{3MLu`8i^)fnLhLvRZds?3=JZy72yPX?DIqb zL&X#NdCY@N+uw@qBlR9n3Aq5np*V zYHRi+6->+sMFbouu-^gKTFw1i7%0moiD~5w|03~tQUQvV@?WnT7+?m8PSrGxwSXVKQjGCT9-+D9#!JT z6n4G?UizXi2|SA&`&@l24SkefU3OO+q?WW*@5129|0hfvBU#gy1z4o_lJ9nIUVa`Z z;DZjGeJLj=rbi~G-=T;nCE-6!bD*2AKlJh3o{?F#FPxfRm;t@zoVs51FqgUuF|Wg; z|K%aF=u4ow1}4HRWisgaSwT>4SNFhTSbYc$N!|J8>KtVSfFaCw?4n-9y{;}Rh~|mVT6$cmXG&6U>1D+c5U`)=XtA(X 
z-BoKoQ`UkgT`RR(`lTh6+_98FNm7A#JkKJ^ZKaGwfiBIg07~_+FL;{=K!ziXOrVHV zl$Cl7V2a8x-j*@~Tzmody{n@y4R^U^8mwB@C}IK@*H&->?=}+AhQRiFU+iXzQJpM!{!?)*pjnapuje|9-uJT2dS&6%YCu2nC=On z9xWAN0lXm%JGz|ofh73Zov{?)g+_%Qb4ah0jb z%01AUgA+YMi$OJ*j3!tlpylrm5@?C_!Py1S^lyul&G8-gwET*eOhQV_D`t`NewJ1!HT!&N`p@lU%2y_6poW&BC1AKS~ob_R9`U>RmZr`zzv_IUa137Y#x zy>Tzf#bX}*0kCVpYTi5LyT8dS2z**Enlkr8iUjlW088uSR9SnO6G%5@H{kOv1Gszx zGoLG=vWS_HW`+*dCgSg)?ZZm}Aw@97=BwI)^^>luGhoYgP(%Z29hO+PhGP=A1>fj7~RAW)FK0t&Ix`9N7 zCi4&frv;de#;Lm`KX3p>ZTO)C0uS@W13({P(+_E{|SO)%<=cS2>M~4L;(kf%cGgpxahk4?|8`L z20k;hvq^xEgz5$!gpQtnpS~V7>F`$B>aNAK%^2J;NO<`jP|_ZmR@LVW?Y<)huJ*fJ zIMwiCflK3?_uMp+Pdt6mt_EN#b*3JCE)IB0f=(Yut{^k*9<#11120+IP~Q7VBL%=o zlwWebqGYfEV_|(HW?&XGA1r!h%c;oUzehmwI1GDs*vQZqX}uqH;O*1n`o6b}ew$+V z{)TFFe*5eh8UJO&`P?aP=u7_*eYTx9V&bQq7qMwc>kGl|j0>kbKWzpnMU%?%U`5%L zHq$FwfesvBiG(1wR|b4jb9uw&Je53+s>M^f61_G`lHBeRGCJ+qD`nz`dhg$bAOc;+ z21c{}0%5N4(F^VO=&wI|*$f-Lk%WxIbu~7xbjz7Kg@sNUHLr6C^{xn!G)PPQaP*I# zmY#)uR?ZvW-?z+`%vN+^mQG`eN~{Yk$6@4uXwi{9aDf<}1bm!z-gl``qkShXDkcKH z#KlBJMMcEH2*iM6SH9{8Hn>y;9WCICX!1t(0Pev*XX9%X(eE_ya!WrF*Smpf7~00n ztm1TRo4Y)C5$C8keZf(>Nd$QB2^=>$`RLEWXKnY!cdT8QRHi2DxsK+WCEc&GxDySaN0?-t7RaP%BKZXr3 zY`zXrwgiWbzk&7%t)KitbNi`{O&0f~$0YJSf>k?~5M#8{t3`DqzU*JcSiBsnk2G_UIr|=jM|{srBp$?cV}py`e8CWLG0R_3|6WeqNl;OrB*t8+Gz`eCMO0U`S!QuBEE0_xx* zh7=gs)4jI&&ontdFSq=~R@guxW7D03J)RKcYlmX5v%JmAnh3JWD%c+4^8l^*Se3z#O&kra!IAjAe zc;AuWu$py^KNpuhTcC#iTxZGE{t(rdRhD|)VKWxeH>Z2?>^Dj5WI}k8G0!!V>_UnK z(_~@2Y?EQ}DJra0pU?45d3hZ@s`uX3*sJ)}YeZ4frJ-b1W{9TWtlgXTAW3mMu8Er! 
z*xzpz!|pM?sF`n4`kE=izDSpttb=72rUvfJIhP8dQ}8Qo?x^&?SL!$z8rKSu7y0=a zd5pg#h>B@SifO)nFH*QoU7VL&R9KvA!#p+^h?d7rBYcE0}bH?IgQxgT?R6x%e}Tm*2CUU`9UYu3B3>y2`1i28ECAr#?l} z3u`@Ibg>jvlr@){tTILd_D3IMC#?hrFIo$U2j5(^-g)kK1;S$AH%VDKjPm!{lB`IO z_7LR{7wBqf7P8%3d6lo45a@(+Bu6BH*>xavB;Z+C(2yV9(!s&~Kr!7oCt|ld%-ziM zE#R8Ir2CPWblF~JZQ^9(redQalOkDId*ch%AbD;CwKeFJQGzOHRNj7nG^h@WTH%ri zc2%KlT5>dVp}vr;YM{sF-Cj~y*ue8ky#OHtZE0oW02^v|Wf2iq>k73=PxvEr|IVw{ zS|&jnZO)F<9=wDAEGgWe_;*t3LEvBD+dC=T()ceTq4%(zvMdpT#p7cJI}yp3)gn8n zTF#hn4A{pJ51Pnn-fyW^cYT2z8d{`yuMWiC_!CaHRNz=m4LGqZXn%-7v9xVkfMJKa z@P6#}TxofAI?c%~*I(b2RGdbo*VH|N2-ym%{X(70;ns#G2j41fSJhOS8JlmOSs>aB zo+Cyvf?kPNtT0&~hm4`Z0qDDB4f3%vF<1^Il>+AafFTf8>c3=VT|K1o`dS}}v0mtJ zuB{D-LsKzLQ!)JaSu(kKfAVtw6cy%LmF&w%|ExDSkd|x2K_S>Ex2oBX42Zmtuj1Fx z>$hWc9Hq2Rk4NL?k@`3(`?%bC#%~>cM z8un!*YGDz-4B8ZrXilfAQ9QhRov@t$?MI@hYKS^P@`a|06hUo78#Zf|Gtg{1x%SHF zhvF;W?t}u^Y_ms=#?)V@_g*L*oGw|JO8HX+C}NqaIn|Wg?*5bh9O@?dhhZ(j!c0UOzW#UNay7?EG^Htw`VI+SOZex(Rk|wPkrR*T0Z4pWaQfb%J-1zi`nH zZ!gcEf$iy6HO$=sS@MXzd0yu<<)9;~zw|x(ukC$c8k_&FkT1bc4#LkB&%6&>yHg2Q za8DN=&gROinHoBk%>4CDnOPHth&Jkiy>B=f3Gw-byvO3>W8aPq7#S7yg{;*P9x+O_ zzn`C()>eCmJ52ek*{~wM=z4|YX+dfg5~i{Tl(%9aO0Xf>gf1s;V*lYex?$|Pw>Iyu zUg}gSJgzDhDX^&#ibj=;anQ)?UMi(C|Vhvh{Nu!d=&N zYzV5&J^PdjLSXc8R`bC1{8i0}HqOd3!q8dNmjw%QcGj1|(&B~A`_`+in@GYC9b^=% z&?Kp9M4H%-DXx{Lt9({{G(}R+(rB%R9dz0zsDCiV2DIbQn0HiQ zopz}{*EzH^J4|m#Tyg6t{M%SSJ!RRP&^yY=K=OKte_xD!iV`8TZm{b|)x%A5jz9&% z11GT%-PMg_+Q|Er>)_>c`V<8tdw^+M!$D4B+s2>mK!zKSG72&4p6O!NJ~se5_M zt|r{wx611*`$xOlBKU79F|95qq|EfU63canRd;{&KRW32fmn#><5z{&f~t{MrI}X+ zGSJoAjIht(d3snHa9LoYVSqS%5;5+;kmDq(!gTcQ$alo^s5}yukKGut`rE#)iKl5SumU zd3X)pkE3wKvteF6LErVM75wTo9vu4G{^m4C&ZUOJ!#=3}^trFvy{V2x=1hkZ z7M!==2nRmuUFt3^scY$%>$&rl^r=Lr*G2hXF~DUog;tF?B0#90U*Xgl6HQUVUGa(# zv;>u%ye^+!Rz#qSMNN*MrPnLvBV%bhU<}xR)3(@VE}s6rECQ!PA0ue50}qFynUsD% zFh*jp^F0Yc8wYNfM5pYt`)W71uFpRrdtL-(UM;@@Pr4OQ{;T+BFSA(L$6uCqIg6?M z4e39&v4Hc-%5J~gD5_IC=wGQrLt>N-Oo$-h9PBNizwa?A6Ai)kdYImHUVu;MhI8@e 
z%eg|-j3xEg4a(GgWpyADhd_$9pUd6v^vYJqeDDohz~BnEW=ItpUxbr4FBVqaRdKY) zLAk?SSY@N^?doDO(Xi+1G)cJ4$u!H)=5Ga5wRf0DWTm7C#&bs%_emCK^5m&!42_Il z>Jj-$wVAYSPrtJmVVuYM*ie!^P`8R@*_gX%Icj~WZEV??t!RLYN4K6OaMbXuj$$hY zWti@1tH&x+41~)?ybar^L(|Jdnk}$ku*?0ZMYwQlUV>}IvoqEf>7|v32(tIv4v6gg z)aO3rKZjm#L{PjBAc+x@XxH%X8hJK3$=Y_OcU47wr1XWeNRqP-w;v_r%~7dgH~GNW zsABN~E(y*QINteQnHm#d4b#LqSy@N{LdY_D_jwtS=m8r`9GgVs!DNDWd8FDO&U8L| z!?GkiE@#bdZFkGvyRQMoOyByv5q+}}-Kx*RQNkBvaFZ3lbdI4bztWqqB*#L3`+ zTngdW+Ct29?iz$Q%Pq%*GeSoUx~_avlwTuA*xN>zj+A=;{Pom&`_-uBSndnwUN!+g znvHJ+&CCqpzGNk*gXdk%2(R;bzy{v-cH<>1Cp$Jy?VktE`Y*Z{C3ZrZuFTam0l(%t ze*Ke&W{fSvHMY6WM@lpmzN!JY_f+>)CgY_WH{5fn5Q(=N9m!~sxOgOFF;;JQ#1S!R z`fQ20hpI*0;IQG>;qZmDgtv^DW`yA0a)n9dmbA`qptfU;zR{{%Hb4B%Q)t)cryrLV zw`(3JlwRXb9?{)w(fWpaTBEm@{PhPJ+yv;tCFKSA)t&a-BjQ3NF~&HJzl>=^`7@Q6 z*Z!zh&yJpldr*QT=M(%YY^@IAfHI(yXIg7^WT{<~?`1moSA=82s~KMmq?i1`4rLgE zCVp>5-)wG+sU(e5SAHt#8|Zbe$ghHRjTAxgwvEKrySvU3>_u~xE!mvKE{>^bQPa77 z)wmlaWx~;Ki_njF93`}uYSg|lzVcl()G%`s%HSgvM>5#$RJrqNsIT7(gYXM^y!I%8=oUyi`R1|PozN}v8=i`tQ#C$MNXbeRYo$SNzj3C^-EZ zq5n;VMf(L#T!@N9-#;kRECdJsxg7KHy6iW&ZfDHv#18}L#E6;i864?X5Q=@5eCdGk z4mbRSP|nKx*l@W>hZm6#j2&+eJSQOB9}qQvE8K3lA_)hFod*Si8i;OpHdlB%Px8 z6_l@D4-=Z=h~O08tUp^P8M8Rq*)VYG#6J$&n7?55y)YswcVf(UG&1ZEHNo;xUX`b5 zP;gi5AgG~HpuK>HYdJdW%Sq+(K5>+=NXUFXZh5|$<|T{t4(a>0Meb|SB(Y4qql$br ze*U)BfNk)%u^lDg;NV}v%#OjGd3voSa`4mrzXsTej7-H}DLO(k~HR!?b#8In#v8y8IwgWWo;Nux0h<4!PQ;P>E z9kJ(_?Y1_deJ1&8h0;GGE=3fceg^mK75F8DS17++tj9gvk#TM7#?(Xg`3unmlp10~$eSf~GE^3RJ>F#N{1XO?EY~E$kGP*wx?e&LjW9mG?NZd?!WQYw&H|mL?Z3#ZM{F2_H=RptI;}~ zk=YszsoiW*NDRKr1k5kS@&Cew*EblPb#PW2e@ckONQlJ*N?dGhEp_9~IVCj%0|x^K zH$Mjj2L}Z|N5BN2eFN7cqL3{NJPNJY=xZ1OtDvCpbT$%~=}_}u@)*Ij05ua$VFq4d z;0WmLq|1kaY4M{+fDu>~FgeCEL42v8Eu*Wa2PlB>0gGoB`qKBx#2#i!eJ=#yt{or* zytD$0Ij~Cq_xkg%(f9Rf@BjVltM5ytFzu-?a_YaZ%#Y#ho9~{XXO5{V|5o{G1lqqqm@r840Vo9S*QlNjHI5hYAYZgiz_|gqpn7sIBl53v z-h*QX6hO#WelC6^;2F=m2Y&bOAAo@pewkBXyWODtxBS`)v7WC{RZ$k23>WHFEYDro z&`KCl0aq|sz8b@J_A%_^tb| 
zd_Mfw!%Kf)(7a)LfPm`)Xq+DBH3x9Tlludr-OIGVrvQQx3_R)UGDPe$KuiJN_DbpR zrwI<04gp9>h%^QWbm!dAz&Us4%<0U@3FHVXOBF1hLOI8y5#QRm%VUS9{%;gJzr?q{ zEM{P~+NTI%>XzMhpcj5vA;Ho^Mz$wMLv*FCHv~1ja#B)*1ARJ;PGgf)Z{_6JoX367 zgQaFxT;?bH_=^8UOl=$ax4nSPIGa?x^CH$sn$CHNv$M0av9lk|Ij%mr9^Y>%$$#Z4 z(Hrjq@$Fc@i+yT^j>!L>o!D7-CWX8~@{*S1g8vhTSZ2LVk z)3jBnbTkV#p4cu`we)SWS*fV|g(@@78zs3E*BTdOm5`~NNqVAZbTmX|xbwiy69uo7M}fyM(Q9q@rOGY9f( zn9Ha0n1VI%ntzV8yutOHb?aUC3rE4`rS`lmcqE!;2la0bmJF5vWpFTWdpr0%xGK0G zNC2u%i%C(AQ}Hj3E6nrnmzDmeN&p7t6xFij!UNy}F>i>8NmOWc6~28NttKNT=H^a8 zvpFcOE7PodTJIJTFLwv<6I-K^z@YGJF%XbaBZB|_v?PherB*~V>@!<1n$69*A%WZN zS>Z%}TB=(h_!SH+&p);Shxz*IfA+23$X!Q>-1TrGAG8}w=P)ht29toG)oh9(fkAhB zcZ)oxu)a&3_{0IkF$g(Mt9x4DW;y|N1?D8^+)fxo@N8~w3YQ?i{$yba_*e_{5^o_& z!2@g`;P6?+DtAL9j(zzX2OTV^&%zs9meuU9&j z^yU>n6L~TYtTY2tLYqW4%eHl$bpik>5=7Si2;=4TdvsCyKhh%L*`14`v;ib`5lo|| zn|eAcEq(8o1v<^;ETLnevHiBw*Kg<4v;Y=d?O?3{w$kos>{|+exdT+{?bti7It*@n z)Aaawt^y@MC;((-2qaia>YZ+K=X}+>&&d&kf6=%o2ao1o`VHguA2EXQilChT5?(E5 z&uFt4WCzCy$&%%qRpKlh>icUgUWK=Fcs%v)<@r_Vmk<4_2Xo|gstOCU>JE^-a0jYS z!R_foW6BhF4V*r_aWV7B$tiHIMS0tp0VnG!AQ+g=S7mkDzgx+G1qUd5Z&uFVbm)En zs)Nl~O#LMe0oL|AdukxG#F$Ch@^E$mPo1}^IQV<4D$+g=kOT=3YmVvb%zfJYLY{uF zoxsDit*oWEz|cxtYkTkfqk=;4M6nlQ7TD~+t=P1X8eu(U8Da07QAjqD=jR2}ih2b9 zrY9r}Y&6(LofOmpTS71`fAQ?hVg~r8_73%OSYQTD@wBR6i=&PFjyQvrb71BIqe`DC zl}xn4N)evv1GJ)3MJK#-^l`H%!n5|(x(#>eXvFDnRyIU` za?Y8XQvWc`Mjbfg4sGl!a=;8c6;g6jL-F#o{h~`a@AV2u*Gf)CHos&D)|e^PJXv>k zIG%St8yAH@7SmZ56+oCFTRy1#4rin*miK3uNi5;lKZGs_Nin}3*idr~@|ASUQ*p`2 zT?hN^R-+Oqt2JJ{8Ktpae$nIV*B^;nJO5ni(|Hti{;{o69mKk;z>KhFzx=qk-9%Tz z<{QiCWUK!IXg%J(HimpQ-*NQ(L>j&xKyh0}j_l9+>HpdSJhuTB>TGH_^xXWR8H{tP z7{7Ie8`pSVMDMb{1AP|1epNvZ*1J1^?9|Ivoo+kEK%(&33J;&`<_2N-JiIA~{mVT9 zc4+!xcBa&#mjxKBtHy4 zy(X$a8YL4f|M^D;p^>yLt}F5@h3kN(xeR8E8d{U?OmKMZG>S3eJcWPPL&cW}L16R) zcfJ5BhE}F8vyL+TgwFad%ydC^vD|n|DYe(>##tfKdlG}(VN`*a{!4@-Et?x!Esb}F zTpx0;nw;EU;qLF_#FwklC-fcSSJ=+TQ3Tzks(S32`c< zy>)_Y0q&yO)3ePzH^4YOQ`?e(mw}ImbJUsj_*!(nW0H%0uM;vYw_60zBeYS{} 
zNe64W+AHti;rBlLTh=!nW&D}%fD?m+H71B~37c^VJ0;ZQ%{z8`sdnhi;uXN;@$jrJ zccZeh20|=!W8;(KqsQ$Z(i96z3JW;_-6&gK9iHe%rPCD)O|$C4F|X@z8o%QSucNV{ zQTX8B3J{R#m#)0v(fL7+qPof{haLW#;s*v6IgK$hD?2YS`DeG~xzifLfKj)^wO*`0 z((CwAgrdN5BgX1i?1{)`GV*S61YMEiv@>$p_T0qZy4q&yWdx!$ptTA!UW5=yJ0b za}tp22u7EN@g08m2e8oyPtjzPc2*)sr)^|~cKtJ$fif9=+L=YF{gn}v)WJ5`+S zu*HZdn~Yet-ItimDKqas`2v1G1 z%@PC9YT!OBYD9C$0rjHq=%P6QAHO~O;)KCKt;@V23c$ytk6otgRIMA0?@tTwva``Z z^{>X>)vxvS5~y2sHf3gr(!MrIM$Ll&j_jMkD9VE&eBfo^hW|Wep0U#y+;(x91II$F*ihCX`-r70;;~5=%Nn0W zDZRv3hKPU-v|p9Nx7PR`d;1naiT3JYZkP-BKTIsEM$4tKl(%M)4`M`Cp0U5DOMTFR z(Ca}0%b|MHU#v6V1y&oL8qGI0*5xvIGVV8=00BNc*LL1 zodfz)OLLK$Wu*|^H;%ou*pan}B+@}3o(>c026|GMZ|m@PY21{OpJx1EA|)j2y(qqp z*@Xj5^~}yTwGMj317jC3x(K-qnkYdINDRmMuX`#Uy(++>0e#XX9aQf@l&xhapujAV z+={GUof*G7xgch4pojhHWnxf)25S4Zxn;Ccvw9yNKV7unuFVwOy}nZFVKg-%@9XPi z{#L`Y4EgnNP1G7iF_&4a*h>RZHfu8x5kZj%FMzy6A{bjc`jx%CBylxR>z{!f-^v{g zh8f2nUSn+?-TEiAPGmA)+GvavXa{VxI~jYEx%UQiu_GS&r~hm=Vm_16--1m#l$ru* z%MgDPcI<0jr6g$X17~l6E15Y=Rie0W`(En(>M-N#2PYMkf=a7Mzj$AaU^?~@c)_dg zEMN$bV;6ohH`ts4q)~;x+D1e%>*j#iLkAZYt+em{sBqd7s+B$7;QS!O==3=M0d-hL zCL+p48~*lnBWXCmEIp*f59*W;T^q@EtGKER|CBapqVdOo&)J-TW= zdK@TO(c{x9qBr#TqCm#z?Jc97o$bx-?aiJ0`|Wox!z-N<@3CH;m5l++-x;@p&6+ss zmOSp~VSA!gbGtK+`2C~Z=u11vXrsU$UcsO?maG{g< zi9h~8hzBOKL7pi6z{ni&ZQ%@}_)x zV8q1&20(yF<=nu@gCB7a>~d=hLPKLu`+i8Lg28SQf@7~W(^0u8akl$`2whQ_AT+qSpg7kE)>LYR_=F;F_aN`C$lJw&K?LjU0h+iH!w(V zMEjZXN_QIHqrf|PM}08W&(g0CMgAuYW5bHz{;TmtUR?J3f1wC+f|szm|8wnn|Gzi? 
zlcis7R*bkE<3YC#r>AXSs#@hvocLcv**&0J{ADya5B#YJ5yc8gxLc)i#=k z{``l=gSf;GD~_QbqWN;JX#Uy@#^--}+V+MXBO#5ZiN|?;cCjQ%YX+!_iB{N=m(kHi zJ46}@;%VA)+HzD0%&Ycg9HDdV`iCA`jEioq1oTKo z-v4^h_U(wa^0pf-zPT#;r^SPF;A~=P{DedpfMi=qn}( zSaok#_rvB#DAbDTY?VKGl|wgf7kY8zfoKRZZ2A1hb<*b3P%W@3XwphqqwPh{_}^>v z?LV~}w#fkxl$F#4zvuu5(-sz8)t^lXi;E0Ba(%$HWsY5joR%w(i&hI(dCKg<9{VGCo2IT zSQE;e>n+wLqh0SGl}MI8cw`>t$@|{jSSet6og|iQ4}i39n$tk^ht0rVKUq1K$!#R( zWIbExevW~Ey(&C}@uJrVcW5Ae>ZWk}Fykk1YPQF?a(co-jR&0%PQ_5#XrPCKA>19s z90+$0Xw0asrP5r8ZASf8G$}3*Wb%Gm54+e79Uj=u5`)pLo;;zT?bJZp?m!*#Blwv9 zEz+ix@rGXin0bV>K?k^DwzhDp z9}ImlwpR{vt6n_{<~I84LyQ7g)Iysb@ho{X3(JUnCmq?TF8gCE1k~meNZ^N{$OFmT z&_|rtFu$;6eHJcB=( zpX))Y#`)LDROs%CSa4in)6&TEMqzV54Kc$bqJnOx1bRB+7EweKYCU zAhc`{Bv+O9)$xHn{8SR@L)JkkiQ&*GyGIP*gXz{yM{Ko+R~e6TYk}j8j{RgLh$>D* z6Qx87gG6$>eDZJvp1hNf{BIY(Z4tr?J+NFwjn2c6Oo!Sa)-s}d&G=QMFIypmK)M`S zXEIJL6v+6DWp}OES^J=-A+9FYdL;N+o^(+A7<^9TwP)g9S(WvDMND(=?z3%<@WW6L z4aR=*aWB*YGJ10_5)i!EQbN57NR|X8ck2{+8|94qHXa?yd$I%<+2XGIlYrr%$6Ktl5|1|$DvCwTP?bf8ViW){v$v0z|||n9$`=B4EGo|M~UqgBKq67&N?R3OU>h2 zWe|xkupOvc57786yb-(i0A5dr9Dv>JEVd#wm=;SLkHsq$>C(*j5Z?aCM8x=|{7|DK zw^OfB1;=)scQMJ?K>R2LasW?+>F>Vn|7j$B5f!RcKx;Y0|CNSHB(ww$=3P(KA>hVx z4?;pjmX!Yd;Uh7HZw(l%syySs0M~dkS_znY9uC^k2VY^*bRJVFy4#mHTUv92j`q`^ zLAFzXH1Ij)ONYJvletq}h4<#%Id?6#1JAJC^wpd`(|GsFX!pvgL2n2-FA0u4!x{o- z@i@JPf> zD>NtUcuqCX^@s7&fCKq)Rm>*$jY+r{nS`I~w5RNQp*e&Am(CsY=X4UJW&M`NBN5xc zAq`O6uo8#4Hl9|-$qqpBr9%{#{EPVa5)H1#)wQX$lSd>fBx?xH=OSVYdOWvqXEpp1 zM$jc6wrYR&i!Fvg(GmG3F&u$+feZX~id>yK}7g`DWkDheM^0igho1YRor3XQuV& zM;aRC{yc=<2bRao7b}mAV^q7j{6xMErIj8!h5uagx1$2%eJ8HtmX$UlEK*3f86%F6 zFdE9c?BMNkU5KT2WJb)KYlu|oo&Lb^wu;};UU)N{cwYYLUFTXtgIVqwM2Sup z&)j1AvK39yY;S010WF!E=}=Qm@LrY(HDT0`AZfU{yC&gs!TftF$1l%WyGzlt&6VID z-edk4!)n!YX0h)*_H;fyA^ljSBejzRHIRf{dq9iB;yEM=5eV_q)Tty&Mr?KpN+04F(6zua5gL?u@4Gb)J;R6nan59~|MDVPwsIWlM z!LLQd7ITBWS`~NAR&DBRBjc;z0!TyV+&GN{b-3S~9qp4L^cp{M6nNhIm;)0!448!` zhd2G?g7{yCENIEC+&4*Bw>zz>OJ9W-J0^{^QY77}3eB~$8ru)W=WTd*6~^+6x(jah-ZXz8@Oeb>2jV-LEIw;4Fott;k 
zfqvF6BKl;P%FHCT7uCLcg2R<#Pq%Qt8ZHqWvhS?O5j6-#z(BaGzel2Hvq#4DoVQ?2 zjut0f25+ilj*j@tcqeF6@5gM1;-<|o00xsHV!qEm=CaD!f0>yA^ux~14B+=N*yhhT zgoFilmyY?Gt^C z=fv`=TW($f_B8q<)Dwj>q}5O4gRQ*`77@ofm(iIB2G+)W=yHAWk3Sc0aBbHDhEaZe zmWB!frSoY8UVNE6{XR7Y<+XV;vrHTX_WI?n&nUEf)KT&3mHjhnPfU+aa{^X8wQh?% z!~rwANv6aI8sXS~vUu$Fi4aK@FyWTRfYg0IZYZF1uu;n)T?`O)mdVU2c&MC{G9PM; zq+zKn2-Q}??jAUD6Z=yK^KeaIw3}5P2AAIak@tpZP@QYG`k$HSrQ1nfF2{61)#M>& z4nw^QR(4Yf)QH?%Q7Mb@ZYki7$>5zw`G)5SRZ14NJFfQAn{#gL;*NKRY}!$`9lT;sIl?VxOcs4KE+qAJZM67Iqi@o5j3E6f=O!EKHvA-PRe=E@th3Jt)LVadms;WF-A8{edV$gOAMPF7|fPq))Xsc|%C_Mr)%2iqnIVP)q>L zkua!`8G?Vf4`PxdcR($|jL&ciW7QA-Jq-_UUF1(UOpg{{>j3ucSxXL;*hp$z#sI|3>c@GL;>WLy<8vP+E`f01ZkH#6?Y z^?{$){c`6xH{yugV<{&Wx*ZLYbe`Y4_x7Qj3b_{_{m%CMD)o^{w^6&!fqX(iTCEtc zbj(E6&g=RhO#k_{n5pX)Rzk~?4tV5O?!(c?b6CV`Oxk{($S={i+I!R3rki*TbymuG z50^EW>iN6Pej^8_LCSe$G9<4u?*!12ZGH9%*bdzWk0Y%B*}%2XX?wuIk+TiQf!C1l zIsL*XG$0*S67sa)z6}_6%}@914dL}@%lDsDc~Yp3q^Kiphh$t9U88i$4*-0?%7|&d zj$Z_;99$i;j$j)vx!p31Xl>tTIz7AmAe0(?*@_np#Pr&o5?ubgu8 zz!Oa_f<;T6%8lu+s^tS07A6)c?7UKZg8|6?(r-Z;$!LlIddBaBQn(xxBB}%qM@^K?yW|Qmel`a)sIr9W7k#AN(155rKIg=wPEo+Wm$80vm zFq+UlPVyit-TQ)vkDt=E6Ff@ppJZqTu2(Rq*Pef9bZpFo@8WA770kVV=XqBt1pp30 za?19A@%{BO)HysHsTOluv3enXlR51wGa|Nf8|8jIKd;)7dA}@35@5SvT{%p7cRA*b zxAY9^uHE3giSi5de3pIYyrYlV^u|MJz6^Q3Hd0^c2U}GWn|-T^(+;N80VBvhi>EBt zCZ6oVtO3u8SWpcs{+>Oybb>|2ej&#_}X2N$jdK%S*3AXm4ksV^Za|hjKKpUXmF$#Wp6Y8$!;r zHN}s7i;ydLHQ#qr_x(`+p*&o2Q)mv4vu=_5KK%G>Mqb9szMI)|;t%K;s{9xIQfFA% zboU;ES`JgM75*Nu`a@AOyV>Pns4gX#MP;D<&a=UgHHM0`@7n_%xt1IBYZwqkPv7p9 z{TX(2pP{0b624HYsVVouvyxBkS`#$cFnGaiUyQD&>78Rv>3Rd@7)sGDeQ+nV&y7}Uex7xEYID zOD-zekTyTBztk;>0p2yTf5$uxp0lTJ=jLTaKfADGby?$30h>nmYbomW0Liz~i0c;k z+@q<9zX`c@rt_xIg!(nEI6kO8izt^PyeeKmYQ4|9guCC#XTz!y%83)mXi@K{P7)a6jVsOBM5>e@rQV zy6TtWQS7~^1Snv79biO8pYbt5_dVq5>G=69^@okiZno{=N(A;Vx?eYg_@RxdY&8nw z*kd{0vw~>$#*ur3M_BgXzvx#Jm8}}MDE$_i2lrBO=^f)PdC;ow&V{Zad$%;~Sq)hCSt3kI(pw zA>%9gU3|&;-g^aLWze2;5%q+n&DV>s3_QYG6^%Q0anj8Fdos*T1zLdgWjB`Kizc?R 
zp48Z`%S3x&a2JmE{Xw1sE4d`k!&X4>E#z;s&T}3il)O&9&jc3B1@Dy?%DGK{Q zM6Et+{cdaSoyWS@i(!=VkxS=sg!ap5@&nkeLKhwcVjEFdt}ARE@~PwyXh5;2GeDxA z`$g$KY%fx2*6Rn7{q{7QxlZ~~-ZZ7h!OE{R!B)@4GW>>wgc`%2A)K}FGF}W^*f=y= zz|N$)Dgzmopbq^jEr0vJUBVIh6oNewds&kmZD;-4>8lL>B`32SgGhYUW_2O>O zhFCEh9@2n+KU1OmH%jVKJ?tKba>;3l1P}7HGbhC$k>Uw-p_)dR#N3Kblf8sQ@jgG) z5xGW37opT<6$JPf02TE~|D2;YWo2dMTP|Y-EvM=NC$ma0X03eSoaH`J`Zre7IKmyd zjr2IXxtrRuGKZrtcjHHow~{*4z4Iysnx5JxALxcpVS)3Y$DF;#+rGzLg{D&^&-8;P z;|d=6zw+rDk9ty+34?d}gjesNdEF)50&2zjz1iM1xQ)h)C+fw6+$2ND+yorDw;3UD zN>xsR<8~hFY>)M4O{X$CPF!nOX*0Y1O4C2=Jg5Ps^Rp~Q=B;;BU86b|?CVl>K)Z;D z^j%47buvAs>ttg)=1_I@<|%t%>a3zRn3?>b25%<-KjaQzqr2?OMxedBKfygbq)9iJ zWM33B`khWumu$VIjhbc|nCd=|j^z2CA9t33upYMTd?{jOJO!U8-Y>8Kt_KvwO(`Q~ zm9q3=K^-Cn1fm{ropF0z{Go8qqtI9ae#w?i3aRw3mn=7*P4TB#dUN+KJ%O#T@6ive zMuxk-;~(6QiA+s@f8{m%qIHD){o*3InnC@^-Jf%&7B}Dc`lMh~xPA6(Q6#&#d}3;$M5X4bvEstqX0q_(2hgZ z`#oNDl8qHphaO~RG4&bA*Kmtj-AT>FK}F0$#b4xb^J9-VafkcYl>>}44N$%c1!j=2 z@Rm**Ns6I*oQ45w(oaQGlfcxGn{K-=fE*qyO%qEUr(^jE9+t?))K2-Qhurkv%TM?t zQ@E_i@3O~!q98{hz@|Uy#j7aK;R7CzQe?y1uXbgfwpRY?9eM`T6I7`^P(WsO#NS=G zZP9-`FMKd2UFIjL6f^yatpci`)w0E>qcuOeV@v)xpEMkZ6-}yHGxoB}%JSg{D*V}( zdNhTOIolC0`k!rpQ-?R?+raY5Qn)!Y=s8=bPzc}od(APuUAFlu4PDEDH8;Ag`d16iDl?g&~8ex@{Vi2`tjLh0;HXkEm3VgZ0>5v_Pge>>FfK}l&m zY*sroj($md6N@>*Hp4Uj*A~F{YH>P`$(~Wwqcs#Sul2JNTBB`Co89DoOY?7qID6jw z+i_=e|CUkM2^|?McSBd&zxC=ofLIl=fpAA+g zhUPld0X`LtbxP;3cWDdSpPQLanP@xrHPvGL4QYKd5#;|OeqM81dVPvcQOw$$!ESyS z>Ox;K;~>v)a8Lc`h^w*FL>3-h(%1bwk6@Vc-QfsUPQVf;r-gEs+b91d1I*-C~fbWcdrIYh89n@mVYtALS4uGZwo;o_nM(aJDgl4`l#OsN8B z-m2*8M>D%}ziu-j9cPui3N9{nF!;g;>(a!;tgzVfaMVneyjqPkI22x9DpX!7F#BEd z)>=pIdMWo!W%Cor&PCWfrK+UL<))=`W~jwzy?$(&VMVusR@13rbGENq>idjr{U=ew z2$>8HW3iurK__x`5}(8V;atani~G!pGjXQX|bwP_E-y41(bl}g1RGX*VL>abAwR>LQ)or#o54%W1)_R#o8%Az>l!Vv(c=8RAZn7Y1_7W**3zDaG`BA>X3#4{>M7b_p0eA3BTIPMF74 z76Z3`q{ry;4<^s^r%(UH%{29Nz3rzXo@YzEE}~wZa!GTPCJn3Nqv+ov2&E6O@c~2&+)&0HQ~^H?RDa`{$V=D zNZBy7Xc7>x6q}dk9V(481UlrC=WI9QF6U@6IV0o|wxBx(YY0@Pti=Z!gOM4G-9!GTQi8iC(1J@=eqVdO91nc?91nk~aM 
z1zbugbS4^;-f$1I>BxwrR^-W!?^gCu2*?ptxcuZizwZuH{CSIi;l3rYj2pb?=66WN z-8n%RqT=Ik@dDs~%`455BVN@%ZhIqd!ZUZd)P9vG8JEWQWCO6{bfY`aQ0+>m3wq8_ z0-cuSGkBFFT=n`h-b7X<3*i_$GCUC}hhRJ!pMa80R?&v%1MW3u@ug8Qh;U&uv_jmN zVu`uzpqN|vNB#*OJ%$>#it)Zi^kqa{9)vHaSrWuNF5|B`5c6cKIppau{ZVLm$_yfG zi`aSGvglE$Fq6YRroygB{x>*5n}yk}toXKBh?$$2QfN_6(?~Bk*29VoIThbB(J{PS%M25ptgiq>l7d!FxmL&Ck7YI z-{%>Xs`OTs0P&m#axycC8q`VPWHMYQ_AYVRK_Iie>QVH8Dj?w^+Z8fR{31K?m;vJM z6bHNI;$yYk%FZwkM(%bbyv|^{Ui*j6X2!OY^>W`Kj|Cy z-tl=#B-z_a7f;P!EhX}FOpT@*s{2%$_rO$sWz6Ha+s#yPY_VNa6dw7>%%84wNM+V) zDYi~h9TQEw*wmTbX>xZiaiQ9qVm^;l8zi;fDH1~7#pmu`b#a-h-{&7gXL(e3pyTX4 zlD!=fe(xC~mM0G3T3$gmYc}k5_4B)$U)D5>?NOS-d*&Wxq@Y;W9jI2yI>cI?!@O>= z9N_04CtX#bDVM)n8baB5OKmpZ+*+OqI4`AD!!ztu9Dde^&<}=1p0AsyJT=NO* z#z#0Q92$vMg+z!}B&$!fSjtGN`Ro*1*U)jGQvxHaHh5^>$#;zXB>C$KO!#pBlxW;8A&+%WP`=F4=#JBirsAA-AA)w7qiJJS#f z%q=Q(&HipZtaVGoZ;iuGUH<%uUQW)?ga!Y}^D+G}IS`3Rl{d#hl;L*CU{^Dg z8GF_moLHWYkSH-DQ9~KY#MS=$EG~`K+#ffKlY7?8syhw)jOK_KqE~pbF&}%3#P3bk zDBWh8LNl-Um*-*=$01ph zP7IHhY$9aP?pjvtyHpU#m!ZG3GOc5n$>>7B!DSiBkh+F37c_(B#3^7&9RL9Z{}>FV z-Gfjac4h!A5U?!*(~U?ccr3Ul=GuhR+8_eZD1{CQHj{LuGcG^#O!q*-v9uZ>kbjT} zoGN)X6}@46-+|tb={^u~)GAQW=`D*hJv+RQQ8Fc=7O$X_Ra^@=YgUSJ|5lcVvT-9r zG61YAF688Oi)t=oEco)S_SbO*%lM<7>5Rm0bK5lSWZ)bi!?R$~sS$i5hS-T;JPP0> zv|k7=rkkCG_<+1qn=Ifoek|&2VP9KY5-i!kv{ZZ?Dl89&oITVPhp@S*AT69pl~UFx z3-`H9X0{08XRUZ>i1|k?=kIlFko{jloJ2phqyj--*2Up)mzOllcWYP_87OqF+XlNH zj7Z-*U30H`KDA^4v>|_jWix@vYyhvq#Id(YgyRoYh**St{nU|*qlLpl}no7s!~`TL00#fsbMJ0SFj3qfDi zukW(j!b%}Yd0WhTe`_Y|)li;li_P|Hj~8dgOpV>EdEp|S&MP0ZQ!RlgDz`x78?!Jd z?uab;#rz37zuiey0X*vCMtkhA=wC7Rey?U7}rv6enz&QF{v z6|x<)tYj&g2fpdf#ZU~o%{vHSb*ae(8>-4|bNasjn<)KDR&lr}T>Pa~XF{hPH?CLmR%`1)TJ2-m`<~@V1}vOw>H9 zwmea{NBV15*i4RC`A^q!FYMjy%^ow{!!*V(KUXma@t&)IAnFk|D_KmKiCmZ{&jS_;JTmQOf_^&$5j*8 z{Lmaynr0;Qw{RaN)9WUo8^6B&M}bRzo6HtCI;qw<0}avr!fPUaBFj4NUlqO{*Hl6 zKpOdo)2gGs{3IlOt+9RHrFN%s-TS+B`_;^O$9T@g%0b;Rj`{IDmp$M3;t@ZX&|YUZ z8^gB(+G7nI;j7yX`9}UeVOd?cYYt{B0-Tgde9_Xqu%ZA!bX)xAIdPSfLPOK;SW{%N 
zh4PQjfRl4*!1K?WW4DD5@$*YS=@=A^c7ASlX{)!MQJUV4aYsZ~;Q25x+BJ{y1Nfkd z4F%~XojGsRpf;VkZ8_j~2Q%*}Z2*hM-W6^(W zPB%HJCYmaAp-fb)`P(6c*4K^A^ZVG=MYOHSch8vBd`rlUw1 z2Je2diQ-|PwiQ}5;VVCI9h^0%FVSQvKhc)2E;DZOYg;1Fn-m-3Hs)VYuI>DJ#9tOd zJUQ8ga1+*Gt5Vh37g!Q%KUKz`VbOB>JonJwMmY>UF#hGv(KuHR2@vpxMJD>{rx!`9%F~aVf1H;>uoY!E)h|I5(#*{W>;&fn#Ul@bK_)Byi(ezPNV?Xg!hSK&J>n_ue;MzpwlEd80{L z15P;DGK`E)^F8=}iqV@+qP@BNmU_I{YGiEO4<>;;1 zLA5){*yo_)D^^4Hc7z52rVd9>)pnbKsNN{Kv_+tD=wO+8G&rng3t!^VuM!e0e)cFUdY(#S3(XqE|DKjS z<1lT}GI^FEs&8=g(`BK|-h#*Sdj_Jg*NC8%_hbruusNCJY3JNDjr|*3{7^#%$;ee1 z!xe@E?(n#4?9woI!;iz>pY{p}&ti9pOc;EE)auJ54B8qf-LB)5r2=LP85u)4!I{P$ zrCbkE`-JyWX2$0@7}S8oZJQ?oS;D@$nDHSD3{kzH*BR=zUijh0PzaaMd9-&lVX}8n zJhg{{&#kSrQg1bk#E$BEzDSmxM7?F*FqeehDeO&UTHEJaSL?X>>67Zzq|)ZY3HQwk z#4fX(Bh6)Uddz-xmx@z**<*iktE+x@PF*SWbH^nrrN#ocEIE2aFGh&(k0`WWgy6$% z8%}J0NfBaPds}&3Pj>@bWv4*3O|@EEw(`@>Iq4kq6@oA^$jxccpyWm>bg?RP`AOID z@OvR`l`c}Jh)_$PFU=4OvY3H|p!IYt(lu&f)SFzXFv7rZgpq-wTJ++jVpm%tpCv4Yp7;)ZU9uCg@|tIt)h=X%e}kJ#Q$3+G_J zw*EF781v2+#$O|XzZHBhG}J~RP4dfM@3{-JHtveA!YVd_#fZFBa;`hLdi$#l(ZfNz zN19RbaN2K896lPeJTD;no#2zSEp$yp!b_BnYdp!~-}KA{WaItN94BH)=6Z{TdG|v> znzK({0l(Tw_4oBIiIZ{J5}y+x{#i~7YC-~|xN*snxfvIcT0H@BVh3%I<2JSw2NOYM zLGEH@ISGEHvSai&*3ZRHqdO(JU5Y*Dx~yUt98fl;1yQ+2;ZU#fNh^_RMjaY8<$6!U?IV5gzX-cv%OgCmmv6Z}sh4Y8w-d*H*~vwARr*)= z;tY#529yOh1K}d=uyNK+WnP~rjHex(v+v8GNd3-#D|>4;;oz7_BL#UzfiW`nJv(vvZj5Quyz1O^HaW_FKeqGA=m~Q_ngQt=-tq&F4cKR za8DZUh_R~u*1y9N@OhhgiwP$bEzm{xIx0-etyeQn{FR;=izDeb{0B*1_;-%O-b=)K zl8j`*9AItIt2bygI4P{ASDfaBrd>2i+8gX0D`BeyZ^r*HZcbQgppl~uLeon91#*I% zdcW`R_aKO(e`8%M#VV-#97xjhL*Vk0cVx>BeUmP~(VyEQadFyL0-N8~%8R;&uL{ZX z8=9a967o(~p5|AI*R2i+iKQV66LK#bnANx@j91W_*LtRdq{JJ|8IXlKmHiOM5f!z~i((VJ(MI?;h1A@F7I7^zVBgLSQ80!NuTr zEG<(87vRpew9#jnQ#GQHz5ca@a|yJ)mo&3rN!VmCXtxsa4ilW?5`i)5>_}PxQ^&Rc)xnI+IB_~lRw~nekX_~8I4uGoz^VD5t6oK z!*1GQyAriM?U2GIF77)toGkP?I#I^SURzksLqQr>+r)l(}Ovg^W?mrUICvj7khU`1*L)y3aT7!=v#^q^m`l1deQ}GEP%sR;! 
zm(Zl?p@jK3uGG7t64~bax}vLm&1YVQpZkA=gH8@hpRer@FUDr#AhfdEJ3YKgbDs4% z0mOgU-aV$o(3u~HcNi=;h-S#FQ4Khd*h?+p^}i0GXD=&ZmAzl9r+Yqhft$-d=JN>XBa#DOFlR~g*JkWJS@huL6nI~d+Mzv zq?{riHIF~^drQk1fx%$5UnD*~dAB$V2_pbb(a{XdcY-+Z0T2_Rt35|lo^EqRU5 zdvk)%GuweeO0SKeix|vtD9qy_GU2x*&#|%t3 z<8vGgQRZbTjKl3`$31_NwkFR}D4k;yx9ZhlWsK37|8|bvX-Qb6;H}PI4RX?#By_yI zNbTyqR9)uy%+J# zo^CgQ0}j$~-lbbK-fFkUKdhguXUZK7z(@aqcjUDwI4nKG=!1`TyE+U&GLREA{pKEb zGm(N`B2pX{98VG6G@e&QmsNULs_ncPw-mw-&-6R$s^SVu6WTuDN;_=N2EAHJPL~5W z$TY%Jv-iF} z+TXEBChSS>p7mKo8?utVTO8>e&@Pif_fgf2U6~4TJ++!WaA$uDnL27{@T8PssM`>O%G65K7f=#4-0 zmWoXmnP9QQepu~)ss3y1?%_CPUv0;1eMFdX)X7@=DwAE^Kd??d1yuPm(Z$SgvTyu? zS+--Ad7qk>=anOHH^*`>pI!}JaoiB33^#j0^#OE)npgs!BUHz47{`m11iAQ@R;NpD zGzc>SY~_YS(s;x8A^Dvnp1oYGe^z$7dKz6N?NWoo^n87yEByuRy^-h=9m>8V9?8us z=#@EcYu4B1y}pYZau|sgBl#J-owrzLKXk1xT4zUqk%lg|+vcmRZB7~X2i%$~9y%Vs z;soY_1apCtQ*Rub#kaP+{smN4W6kBW^YftS8U&)SLj|FHMIAL8UxB@Q?Dl)k25M~e zj1>QRGR?xGE==b>KN1!+2>b5to;^bjQrLkTA0%YzvLVhJxkbnod-xBlQQ9eJ1_ZLO zvt2rI=4d&ioYXVHc8btoaJ2i}C=y6l zDAphFQLnu7ZU1|cM&|qA#-Kqk7-*u})|Ma}%vXR*;f&io+HibBM>l1QdrDkn?i&hZ zj3VB5H7#MyA?&KwVwFnUAG{2<^Z%|bqicx7sE9u2Oy8O{QO6qdeb2F^{6Kvv(gH=%gXV}`Ego41MVMcUw=W;bQyoFpRj zn4SLRGmt5Z{Z2#)D^k6Pz%t*T*HBVZnp*P$m=N)QKChv(z#ZOukW86Cz5OgV9@~$7 zv4fvbo2ltJ>`Ztae(my+EE8?5j5%Dx9>x#stFQ!{GKcx8gbk|W+vqG-6nt&;wi22- zAX%y8V9?heU^<{ec;AZdOICfOl1;o_cz3I1WJV zICM58x^*@c3_yPq*WX0{O$hhkv{#e0+iR3Hg*B4Fp=+Uj>{!uZ{kQe^`TL7c$c=7g zR>}6d5WKdzz>W&@!MF$k$f0Wf=14o|g5ccg^*aSl7A{qN0JItDteA|H9o5=6#ebvV zJyCj5sB7*XIe&jHl#SoxY-hNk&}IV{$|zG1m@s+1IGiYD!=w`g>jkY> zWfPq;C!sE1l|KKLeVVY@1ehW7d&Wqiqkc-G&=9j{yDM_fXiwt9BMz8Qt@KHI42Lp@ zaT)nOK-2xKH$~b?%Y#3E~3woHh@;{X>lxQ^1KkEN7dJJV=5k``h+ugt85z1w> zIfU%7x7EM@4P{BZ@ljzk%zxfl1RQ5G*`DenzT3X92ucS_bxwLi6Hg|d?Z@SItcN96 zsVU^cuP=N*;(YIBhC1EU2-cN7@}y@_hPE31zZPKB`}^F|)%=Y5Wn|8)$SS%{XH*$W zSuX$eD80cyLywmb&uaNUtXCK! 
z=aw>@D`UGKe&4yx`BYhTiRgfrK*sWJh{*;ZFXl)+L~5hSH)i7&J|tS7x~UNwe413* zpO8t9oj*Tn$Dq!>VGd}tq~`>pT%=*G==UcW^siR~_s3n`XB%i+lsyDnN z`P&&0wJ^`7@AuqCD0CnO$3Ix0ZaJ5&EPV3|N3p`)l0_W^PBzG@8Y>5PZ3voEKb zaIt%;n``=04mjn)yYz9tJFn=^1t0?)QvS)?_7PM=D2eZnJLe7`Z&TrY*scF$l}0_J z#HTR+cwhM;VU&wW>fz*j^bgr-8D0rtY^*T|$C4c@w;Xkjf4Nlq)YH_pkpj`MLJAVH zCYFOdX0pDp4;vpl!6X>M`aQVeay-Dj_DEP#HRW^@B}qxyCN;$0jrn3DvWgNZ7@Nx&)Nbsodn_Z}Nhin#s$>u#-hA*6YF7=;jxZuo8LG>SmOU848clZa zLzzoK!b(;uZxM}HhS*4m4GEp2MYBD=W9hls?7ugQazvz*`Xax%*{rl=?oKFXwM)ex z{A6t$KfG2!GbZ>*2`F7r>?*9x#PJnEarf4uvD0NxQvUAs)>K?={<;d3_xy*L^sTui zLHyab*#&R2M>M0tP@NCg(BLou<^{ifj8Ay>_g>B;Q=gI%ro%q65845gGZG4 z2VpnsxQup`!JaSkc1&~Y^`BzW={CUYJT3W8yuWy|_B zwOYB|p#;h0BZxqu`!W4p#z*d6!JBpuAUH3O*nP0}-BPmbI=H?$bTwA9o;5}cE$!Pq zwFfIGIqgKM$9dR@&Rk+7*K%0h@W@~vyqrhnvP5%Z?Fi&_?baN%LrSyJXx;Keb~JYf zp!F8iG|--7#!+NvpFc4vZ>qlkoAK-Z^)bX>4}{u%>7ET`#xe?QWyzWPk~1{!xZhqC z-sz+{9+>?-Y*Fuh*dNb@;@ydIbG6$dNX=j$zLi21YY|{C#VD?DE%8+f&&+w++}2YJ<&0z+vr#I}TK6i)rT}`#{fAjNv*c#4L)m z?hutipzN1~ioSGxs?@rjop7t{EcYiKRnF)?Biqkr>~zheS#_ibD+yqFF)}bpK$QHP z)5ntzdLA**Cy~$PXX-cq&2<@v#IEG}Elk!Ed)9lb7-=}gB%Un9-7)Iqk@nyV38W_l z?X&@4r><4{xYWgbpdW6Bjyd0#N0(Y zo7t|85En8)Djmf2jK0Y`c{uocC$^^^d@pIBMUQ#cq&Kw0rblpXl!+yW)aF$+BA%sx z*&#LhQ>Sp!Rv{>XWMZFYZ@@+T>}UqZkq}w_F5(8$3enxAv?Wi|W61&sMBFNT-51&b z7Go*VHPYc#5Na9yni`HXPY1=9KSfh~u7bh|Hmv}P4{!>M zicn=AWdw?=Q~?tGI>gUZyC+1!F$3UBp? 
z#0Z0%dO1e%utIsAou#Q?5l_ex8|Z)6KE5e=P0F>pI77W4E8i-s=!vJ-shY7Tv3>Xv zpg^*a>addPc&QC9^r{mu7J4y+OjMYj%DPs|n4C^*t*VYRi8-P1lbM1CLXHz#q|RQQ z#A;Cl1ZA&GPZzG~TU;N%czcio&Fkt)te2o&mmKa4JvmDAuHNSY3a^xg?%3~E^{6G8 zn11)-xSlX5Oxgf8$>2v6t6PoEeiB=60A@>ZoE-)<&bJNs&E2@WWfMXB)YBiBTcmxY zV_doAA53m{byGmH-Q=inm+zP@XHOWq$8taJ>lOuVP)5xp48lUUt|^%g zKuk0?YeJLSKJ()tePM22sp|G5Y@Luumg&)4qlWyeNBDh18{)4D?Z&On-3vNvIZhsl_ob>F>b( ztIqA$Rei)vl~ikXbM>@yiDML!hTY-#H#};h1ES&8-{c=MG>~D26R4sYB66^(u6_0#j5^Lj*VT;sGDCGcC|eMSIRVg9eXmyID$Zz^48Rwx zV2b1G1cHj+xv|R9Snl=UuUBcBV_TAs#AnUZ+C5mwt6u*|S9VpY9+T*C-S8Ns6s3UN z!-^L#H3?+YlKGvj?EK=<@_w|;A=WSUm(|7{TM}7apJ6H(p=fX70yR3Y{td3|op}P( zLP=;xP30_g19&m6!m&sJ4LU898Rdw>h|r*`yV~T}TzRvU6J;EtH8llC7#)nwD}ySv z@%nOYKktTK*5RzcT)ao1m_L4M$V8ld$w>Meu=@bkv2`>c8hTuLLEhbvYfOfrBa$fO zi+@)jK+Auo&QbBsmrHUH!M1Kt@RX>0O!VZK&aRGg9wzOEhb4iJZ8?AxZgO!3n>KA^ zN*znj%>J9>)O`p8+8$tuDX*$Ag-Kr(EnLXqa*AL1F}&Q{2;)w>O)|j2kKg(sH|F=i zsl-7IB|i!gawBeL`dGXgK=uvu#K~UxaWl{^JsACv@}F_|u)ls8jsfz8Kp#sE&-cx- zCX2`D`<&b}|6ej+Q1*M16;S$eh!@k62gldl2TzCAT<@F{r%$$x`BD77S|k%L(a$&l`I zK}klNTQm)pmpJ^AOKO)ZwzmE9(fFn>IT>l zE7(I`F5Ym3Ahxwj|2XhAbA$XpZeBSE;{bZGt-R8(H9t3T5T?Az1iEiP@NZvCd}_iE z=tjR4<;2(;@Z@gkyCuVTw}wI4YCeFjq#zyc&+|M^FBEmzQ#3$oe~ zL$`797K>=NF~yAHBT@a)K7d2x$#7c635dkSqEK`y2cWKVt-CXPW`A59BoOHT`|wBS z0_Cacc@*rdpVi5Mgud%>Qq zW4oNiLY)A1@7*;SqbhGG`jfhcVD*$91ejDf9QN$nMg$|b$v95*y}T}_)5yW>Imq7_ z(OjSCv1$Ux>9Dq4Qb^CzD-LswbR?3gi6aP5CBd#EzmLJj3Y( zQF=(7s}C7APrNfXQC-oGlGwMXZ;asAEki!okv)w=L%d)^PK{;sZ7my?X~m5OM!VN~ zFow=4F_@ng^&&r!WWPow-aVtfDF#&l@i@U!&lq?DWI31FDj*4bcBT(X_kbWstPQRJN8ztWor-wwft=bJx8AefKiQei)gb zn}bw6VIIMYP?t&C3?Sg5_O{<(TbIvYWESBgT`7*UQP~p16hM5n5P8HU7^UNA1o@5- zUuhBA-SmCJf`bIMN*nbzfWnrY%+EV(D)gv%cT#;J7?4OfLz$>Pr$G0arD|{5G{A8e zn#rfP&|0HoA=0;JG>_&62Fd9g=>3Be7IG*)SnP_7^S;eRg-dBbI^iA;5f+@X==z$a z5=g9&-D%QW_t&I+vPHe>v)zCJEO&(9XO=Mv)8u_nUeC<#Jzx?7fp{7>_#zRO9FMdJ z&jW%A{`ibx(&q@O9{s~;?~uA^w+1sl`8jy?aD$P)|7J^|yU>i3l}&{LS%0|gXhu%V zO)|VO0S5osiv$Z!Tl(bJvd)s_R5h-`@;X7?F@-Fea{XH&WXHr~D}eO5JW_ze*mp|f 
zvP#44fNYNq9MonVy+=tRj>4OyhHf_Ob48P-7{|sUADS9G7~S|#M-x_aTD$!%AGxvU zx3FOif9T2p3wa)E!uy8LeYE66?*SxyduzNc79Cu$`vI*iw){N|jCKao@ompEen(us z4!1Ndbr6=yn&{o!!q2zyTKwzKqK7A$7K5z7d>dBn`!i=j@g9UrXwoRXHYc}PqSBE)RtPjuB&57EESoyKe@lihs(K6J2PlT{h_@SrUPsjfc#*!X>Fo^mg@2V(410CaSRnI|DSL7E?cm%9PG!BGnD|_BR%CsY z|Jg)pw+h$Re4fMSu8xl%Q_W}KBlGfSwVf?EPAvoDAxJUc6>DzGF!ox@t7kQ17Q;yl z=fe_d>2D})+=2La=;qm(Mm35gU+#DQAU#P1x1E3jZm8p*t3==Kd#>E@5ZPKw5(nBGp0?gei2^Vxp#z*as6f0WJT zrE@=)|BW$pR&ckGqGhXWuc-(e>*8t7rMc!Ta7tT_EnBpiN7TWCZL6sKra_lM7weT2 z6r#XVp05Y&$TtFEcvA9MGwLyJ2fGAISCf2QoxhYg^ixT;VLvd>IK3L>SQ^V3H5Zqy zkvVPowjTDlJ9x==Ns*x3wsMQHwhOL$%o92JuxVY2a-czw9k;H0$=JtYV3PgX1BRO> zXWc-`J*{7j#Tv&v{hpo6$^zizj8L~ zbH*eR`!=SG4q--?nk6wd=KRxtc_*agYR&^*9PjM!qucB27Naewu_;@WrpKA*JwEZU z%n~V7*_)GhE&)H(D%uuybLN}9@%PUCZUtai1N;=08Og#@7}8B_B{(pc;XP*|%`C&C6h^eqrhf z-&WKf7&RV!5|)@2YYp z0G~@k=krwpVNBXLA)=UKfuKTv7I-xFuC0biiBD9w(ta+8<)xqF8h0wo8^Q)N|0A1; z1F#6106w}8hzD#oO)9tRU5Js{1=LR)?S9mL2^;xrnw>K$GNFYyF*JuFrqSYxMV{r-!X_@>n=d1OneKRk^n2VU8HJpRl z=C?+y+Rbq!#qesnMtG7Ur0m>(Mh6>M z#rRl+wc6N+#lmP_(X&2 zYhQ}3w&Kw_f_QMNT~BKuioZJZ;3Even<<)izHLnsOF3*I7voK}R&y`^dYA5*=qqK# zr#(Gaom&dbPecCts6+`Jkbh_f8PWFV<<%IeT0t}C;(Twk_)JL!{5P`M6QN%A%|RfL z*ZlS2_Uf@RmURI}Sc_@G=SY6YFK&$mH>q&RICIqT2kT5FN5(i2I~{`;SCDJU21nxk z(#cnjdeZ-^dvXiBUqjhps!#A*4xQhvJ3~T!-3u<|)gsnu9Om>4#b~1Yp`Z$CN0lBL z%|2Q7Ia$u*!{~$QKy}t>1~XtK8R_)Yh5WMV$#+X-pMO{|eC#)a)tKBW4R!=1a6()4 zrqA%ya71lq=wOYVrtfh7{XWiLzr-m@vBTn`R=hR0 z-Hr7M(iCg-izvTd-hO5E{$-PkQaDF^eF|=3HUeu69}mn`C}WUY{UJvs@X-d+brb4I z%oHHdC61lA0IrmmDcfC?nf75I1oE@FUwlws>tta0{wy9{xXL!Xd| zwx8Qf)M-=%5@b-z3nnlQW9RpWM2{j#b2dG$CWF^`{nC3jP z6|%20zuH#Q$YMc=GFij@nXcZMtO(*JxXX3cbH_Zfu&`DAOLTf;V>zDD6Ka3!NBHyI z4^iSR&W@zbk`YhFkJQBnph`~{IuD&xa}G+n$73TY*mX;W3qvEfC$bLZ+~5{4#dA zhH8bv`Tjj@Z0*XeNLd^=sYn5jfhco{syMHeV zU6>0ppgSN0XnKQqB3v$cr)|QDa}svl6M{xDSw&%R$z9?EgVD#U2igZmW>F9)iqH4Z z9vV7N?vqPmQ#(jM#+t=BMOk|+B;KmCo@)U{o5~jbkBfRFz8-B)7aAvIKP$HPAN1SA z!0RNCwj*1AGU)thwhg>w3G}=$HsW(%&v7F){E4^C7r7eC-wyOPg78Mqo&)zxyRScc 
z#sLL8*VZ~-j0WpB9Ml?ZhMDSdzc^06hWVpizmos21*mr4753!$*w+GbI#A!ZM@tY?KWRGXu0&m5)%=2w{UQ=gCQM^JaBNcV8GreMIVVDOoY=^PyqJzS=EqGAGk=pdsTZ!IA5_>zmq;zVj*U0mi z^AYRso_wWxj`gnFovfJqdwZ%!`Kb*Y8SPOIs7y#S(qN<~<#t2T7=%>6wIPjc18vs(x!+pPKLBubW$-&1jAFZFC zw?GGsuah1{i#b;Eu>Yxlox5+T8=EybRbW%S1qS7;wKDIY6}{sjjo03Ib4DtAD2-^g ztjhKwRyQi`g*Q(35NMzEnfTB;M^D}`(1&d+5a+4>0cQj^!7goH`VFv7VUS`a! z{SGh5mY-Alh_Odno>agxnvxf{XIiNPPKn@ii6~k9l-a3|VT-D71jj;X!8Aph)S7%a(&-{Tl{t7Xsj7je-W+z9=En3RE)YA>R&R>zhxZ&sLy|7|yQZtE6Z zdvlg|z6wPQ)Xi~$NyWrn^p>3$t?emd{9^-uD9WL9) zi^C`a%D_u;>Ds{uZL7_N2yFP{O+kT}`u)Z)P6p=_yei^~UQ5QmWScb}GsL`ws9rLG zUt!0=D)#UeJCqhZ5}aJTH;){K%DcI*HdAaYd1R)|Veg{Vc{ZJIWfA|4tMR_~dL}eO z`cfF3Jkbi32?lzAfcxKw4l6~BKE777!k&thNdf1xiS_cvi28^vbp`_xyIVqgZ{`qX z3%9|rAMiTkE>bq7${(pBj)lA@uwQ|cq|^DS;&y{0VGLLtEFKtxm{4(fV6F*8Pduev zVDfE9J!#>-;}OGY{ELD%ziq6x>0S00_tjX|F`giNkYjU3+C@DyI7a=jgZyM7#@~4( z$bfLetE8v@R({Uhoa5Hj_K5w_#E42%DMB-wH+`5PegqmQICgNI)gtOAc;%VWF^Lps zJS<;xDYb;)Eojwgr;bm&V&c5##zRCZKkamk=NbqJVF^D(>Xd9mT$gls&C82mz(a6u z#eLGrpm;rSmbFby;b$FIKVrI6Hm-BNwC-$vfY)I(o^;hLZ`p(igtSJUdzniTsvpW) z!}%wC>1W;R`?AVc(n1hGvL3&?783XIqS4ij^EmE~tcWU657(=EObq+e#g+K=AKSx` zLel+*XK|3B2@~YYO%Bzl1M~>}+Q|>xuUd)0g3Fo6(t$*iT1Pq9`XnHs0m-E;tnQ~% zqsaIvOC`B?F2w=Se>8hd*sb(&THizKrJc+`{u4oTIAl)l3tUuL_{0Th`n8L+v!c4e zI{(gj2Xfw%FWk!SpJe^iR9*Wf#cnH0p7m2*`t&0JdzIA*F4X{_YPdbza=Urvt5=d@ zKA>q%-bD_~qeh<{iLF=5X&B=;#nmPq5b0Br3Xf5-W-Fc4HJfrCPBW&;Ksn6Iy6EUb zdNx^aA{!9#Hkkz|3Xs1{vA~`bo`9?K=zIibZ!BPolS$5KNFtHGnZ9Q2_JK$oF3qO` z7oG-mp&a%b)oL?SktvH0=hf%fp-@kruP=YRyShzOkVi4!4v@`vy3WqMkeJCZf14%) z2OLardTVJ)`+z>t)5DXCty~htWc?@!-TZictY9{>VD<~3a@xL)p-2Q;!EyB{l)KKw zKszh8509l!6enAYm}F>xaKHN=2m~Zm%&I2Z4TrsV{NlFs7FDI)Q`h^ht^Zwn>d?`} z6XMlZ6vagEp{Xof>Cn34yl-%OrauASX(qZ~%%*#_{oaZa5=>CNCOk}q4AqLDW`57d zs&Jz4xMoJrY5c)RE=IvAZd2@6*}ePTuWA*uXs@c;UmladzQAJHyu3I|46b)2B4H$D(=GA^ zp-6-uDpah7_gIO{fE>C%R!4%~aCfEZ+FsiWb4=9+Z5&2=3s?AaGdO;-SbUu6vwK|@=@ng1;xE)1L*2HJuuztFMVlM@0U~Z}+$3@3;SSkL79D!+ z@1Y@6k|u?~56Yld^IrBXB>{x?W)bp)>)J1a1B&E|Ire zT_R>BnK~UXL){vA2 
zkA=G%YWanK@KUMqw)~qv=?Hz#C&*z=zgdun&YMI&L!a^e=98!mmh&%dO2dl-$)B+qqTKlH;7B*Cuk!UIjx%dR*C`mM z@(Rt}H{-b_hSviiu`1x^6OcnP$^pDRUU zu}44tj|K_zvuWJ!i^i1%LOdVfcSLDPixYw#jRTj8fJ{3Qrk(Cg#Np`Zeo<9}Eq8L0}*o z=*YJ6Db#nD(7@WVxS|qSzkP^;RvD(P3S^L>NH|&j_s+F5{3WP|Xh}XJLq}rrU;U)| zQvYD0Ac#NCskm^#@XRYMVv_r`hQj)$Pn|>w*9}a^om?oLe1^Qh!W# zo(w`6!vfm9oa&QIjAIFpd0*G2h~r8@){Pqu^gU6mxWuC0h>Ke>ueW55MEDj4l7q?( zcYs25|-R5#t6Yg#RV9({_hBjY)$|t3i#^ZIwK_G>cNA|}Pa1HVvxdB5d zTQh{dtuFuYs5k4_y-JC{C)BfV7M7QD>0lW9^VLjUt-U$jX#g!h6<{xVsRa#q%Gy`v zkO%}Pxa=*OdBP^~gu#3@RVk$St8>)7F~@szw(4(S)aC(Vx%^ZvXM??fiFwrrjs$Bh~87(U=>gyG4Zy1h+#2HHipDPWh=xj@Va2!?{$ zbXp4BfQeA!!qG)LpW#Bl%fr0f6dC{X!=)zb^O>pb#t_`! zi;$x+=rNtfZNN11jJ;PaXm0#uK)WtzU)gNPpNqEV^!8Akzp;<9jnn+SPx``Pd5N;^^ui=DR5j;T4m(yQdtN2CYZtOBfz)-HH-s|5Kl@Dj0?Xo@sJ(xv@{kS^ee>hfC`0 zHhWi>ss7>zmn>#`0465rYB6v+iv69yb<~;TfbtV=_?;8Z=c2TOl@ZBU*t!q&bHZ@nO8FhYqV2N>G?lXG(A(ARQK@~V`q3D`V zIN46DPd4v~CI_prOJh8wbXw@`1EMT=`K`ZuDf2L$#kMmb9!SM9R+e=~->m=qirKB> zc44Zr7BnUcYPMk2#Nbd(h?Ehm7nLjQ1YWK%_i{BfM&zH7oukWl1($pZ}YQn z8Tjr0sg~|ECm;0>Z0}G#BAD|>%Z}CDPOJA)2X%saGp>7Dr&Z<(IjjWQU(PR1$mBHh zTa{kk$D6^>^g(@5$BHkq-hw?h?ChTLYsy(`%5S#)2V}CoUyXvq9X5D~?Yr+6w;Fan z{Xm_eKX(a+q*{ehZ2o-C3jAHQ!l{AZ<;R6j zj|gELDoAxoBs`4uhzCrA_Pc(7$^&40>;L>l@owZ_K#ks>f+CgQCKrV26cmT zf_4dmfI*?3wT-&c{r}7g5=C$iwH6@IME)x_gfQ^^mdF5e6mwsLvT}gm^|~tcw!8Hk z2`tIXQ1~Si6+|CwkX1xkwTM($Bpub774oD4`%CVfnhtKj=yJcLdm!_T*?t!$>nW_R z&ZF#;TrA~Fr}%(~{gJ(unFNz})8pyZrtDl{#K&&?;+Qo?mT-G=t(k^eZIplR2-`#B0Y)Z8h$0oJG^GYUR*^7E3_+#jF;c>z(9c1 z^)+e$r`jrymyv#c-^7Da`wue6ooW!+#aO@O&`?n81E{IonFcwhgJ3||=yb5&4 zB*0gI#gE8dU;nahyDzQm%CS%tZLc6w#**YSElG^XzEu2W5HgY!Iw-%mdT>fICBdS6 z3jGTd07czw_JD=#a||o72~hmp$-?>Y6^Q*2GAtJAHsm;Y@vmy3z{GEyZ; zhXScw$$p-#J71ie%$>fo3lrc!Ra;hKpAdTRL(z>>5xLZ_RS*lUo{ELEsl8afx}N?* zSlRh3EeWcz6#28HyLy{OD7C~(_Q_(zKVO}nF0s-8d6O4@P%jNn9yCo~U5A9!{%K!}S#=z6}kk zI&^-Sxtwg;fsE*z?lprUQ;?{uZ4D`=TQVE+&?zT6`oYsfg^!`v$#!F3%g>VX$%F5N z0E<#perRA~Ki11zG(CC&Y+#9D^LpCjzbqZRu zlr*{yNaXq=bV<@$5$`iWXP|s=`36|oM!svD 
zO%dFZdJ!9<2vOyty9w?RLV%=CUj1iI9Ko*n>#v@>9PMu!7Yo5uZ5}XP;aC>VN~*YK z`YhLzO2eAPV}~@F5&Oy<`jIqDeCxwd6=wI=i;}aRU;+v&sA2mJTB%ew^ukX^fseqJ zAl&<$`sMH&p0wdNzH+L>W~~$M*tmrM@?&wmqCoslBHmLK|7-r|3-b&H?zf2E<-@gf z>sjwA5gpyOUFR)j$&)E;2MAD~*fu5Zl)g=O3)N582D%#UIaR>s;4u4h*khd#@DRgT zE0#rPFf_l_|MP;x&OKL9NFaZ8;aR75_j!;sv=ipA=9+QuQRK|yuu3p-1nkQof3@xS zgGBG1dzv-M4Z%Z(b6C z*|@y1+lnxox+Ya`1efFAT;5SeVepxUT*QIIrAO>}MhGs$7{rh*i#S1P`9fcu0n@%#)cY}^AoBvS#FaG~Dh6KXH@Upt+PHCAcJ3UH zeD(K)Shwk~LmGE1{aIUCwhC@Li0}JuBt00|-p z0vHWB!+pK=^WU!JodBZ@BS(1 zg6gf6Gg#L>?QE{StT6e5OP&PcmRuG?S@{qY;N!<-?y|DC z4KFXiLGHHZ=fk(aVr)3%2@h6zlfyylAPDgrO5d7or)|L;Ig=Z89A_GY$`&=fvixE{ ze2kh8gRU6vzM0vaFwPWXShXux9#ve$1maq0ZW<-NHsc{cGX~I`snIDuEqn?5`o$w- ztMd!l8G6mig(FZpL%QMOe;^@+8D1*FwGM)Q?>xr23H5H~Fr~}!cfWH5B$5j$4=sqZ zn6T~cX9WV17>UpjhP3l#!D~-tP1RPXEmW(QzhUZcnptM%sXF9n4ao-xKqz)sDKaR0 z>QIKCFLbX#cWHTjd4Bic1P$+N|ITs`Z34OG(z1^7_qF-iVOL--5wo}gNMXAp3pys; znEmg~3(bf?G)DB-2!0mI7)4q6hTPhP;}@8uq&fK1K}RPSoVP1^in)H{(lHwAhEjQx zI3a{s+fF2=mM0X*;!+BEe9mFRGfH6;d3swH#EI;U8?X>?@%k|Jb(h3g21wz5|FE!< zk`SrXNb~y!H`qzpxOiBir#h)iL)KtSZBJyIA;c#}Qv`fkXDtTcvLI1FRN(Db%8YQ7 zquRevcX$}af9DWTNdIc*s2vywFAeLk@g#qM9v6j0dvmP5O(cu4QT!U_Pki2rYRM9()d`w)j?95D{7G;NX?T#ytjp4`F?HpRxL@nsK02GB zii1A{R-0CJ<@eLFmu4aDO4nsfZR^w4Mcv-TZmm-ZaUEhL3`h)RlS>?lWfC~eUcs8) zQ}!tT6%PTw4Rr?iB0cQ+!E(jnd54HxO|?(Xh}ck})H-v3^%rAsdN?6ddGGtWFTXP>cg z5lcf`4g#V8ev)tmGE&X9_qUse*@G<(FIre1g)nM99IEimB-!E?nfu_STk;Muxx_EI z-hM!&#**uUI@LDipB;6*Fsv7S_-yf(bN0dh>mSfLC$N8{Br&lTV$9cn{_ECbUj#-V zbn}6V-IhF1Ol|dSu>Q~2oBY(&d`?r9g~z|MbB|N|PtFNX3J3WOC0pZrNH{@}*Pk*o zYETT&6041_&C=Ey>bMsd^5L&O5pS^I91j?oGCeG}ovFUR8?|U^>s&}goA|xWe`j^5BOE+$(Uwu; zKzM(brnitfbpFAUaJa9pz~pejbN=zEF03rWtt$kd!uPW`=Optk7V;ZI0QR98wo zW=oHl)VVluXjM?sdTt5ndN)paVzQDQhw64wU@7r->KD0L1RWvZibjYnu0vM1v4!dEG{U=b6iixPU5t(+}l zzKmu+?CRLu4(#hiXjc_;-drvGDYX1TR`-xPTB||F+Oj#<*WV*dot&6}TcTbjq!yqQ zrN!A)mghe@J~}=xVQkSNQk9q(KbXSQHm|teM&LU9kB*u)}>x$1jH_kw29 zR=eZ~c1$MGU++sNOZtcYn*wvfr(n{tsj0KGOS{sFk*P88Z@tfPv_Ym)l_t(JhDmL;`fJ&5YwUObSSI$uaiIRipS^@!DOrt0|c) 
zr{VCz2W+QmjD1`Md0+Cm)6(7gWs0JtS8KCF$~F~sRGA)nZ!tVxUMY0+l^m6^PGY#I z<1qbtD)os2httxhl(TbJ77sQESl*onD_S*}azqjMBvXw{`y1{1p%N&+J|lSSt!I!wZSy9stg#)|%f7m+Ba&qKP0+O$O1cIKAMorx!MMUa~ygsceNf6-(41NX}>pU0TW*vc`^ z#=6a%pqGO<+vU9CN5_@g_kLKmDxaR6=6pQtsn}YQ>|KfJYC+#+%%HYZes2E8+%}in zboBMk2RN`Oy=wTG(9mLTxf2>Mu=r&BkfCpD7l_82&KFJUJ?xCq=hSeu;l;%43Y*a-;3; z%JKte_i4@9e(E9pvK0;wIx{O4U}^Z8UR?4(XJg{BF@JBcBquFndE~$%=GIX8 zrWSQ~GmEnPPUS=NQz=@|9L_^>7`A249H-jx6FV*eQHAfEoCvdhY-xMIZ4W(7oi!I$ zb4P!>lZI1i*wp6{`Up;p<+b4zw#c2qi6D7#E+ll(T3wk+|d0I#0_RHIgsp!n!T{Rd11IhU1qm2DE4X<@4 z?!~j%8<}Jt90d`$tgNgb#yY&MUDU%%@Qj`_Pwax-^E3-QJUv%L zic^zA33N&2X%Hh+pX#)gbc({$y;tBJZzKqe?emgGquhJKT0iU$rc1xmqp=zLy=L~Q zDjU3De~OgByP7XZyF6#|PDBmdHr6Zs-0osrTa+8j!HJdFoN-Uo4ZEsi|GK?D6H%z; zx7VDS>L*TY5-FIMI*MLP2-+p!TuYzTayW^%9*7Db{ur4XudJ>wZ?5WFnv#nDa3&G% z>zWQd`@G=N^dT#?XsL6ulXK-TJ4M>st|r2c(H2S297#}#w&INSN#|~Qe(#BIB0mDt z;Dt#>iOe;N{$T+dc>m&Bn@`hE6s%cL0J+B9!yP0fud2gdhlnH;K$KTheTv`p(5hj> zH#;3Ds|rWwHvQE1eZAJ|7SOiL0$Jb6S$KL|;h33nb>4$vgAAYh3NO-@A?HTTqAzHd zu5y;@w-DL&bYvF_Q_wjxk^_r!oq#imo2#@EHK9Ow)X=M@12|s)D7ZD7y5@bp)(snR zvLci{m7aR9*RmvZv2%+v9lLt(VT4pfyQaHkzasT2Q!e%;95$CH975CNIiD`33$p$= zsWt3BFQBRsr-URzYgB`!gbeXdI=1W4U;B)!DrAP^ITh)oE1 z>g{1qA|ej1jb~x2|5t>b5X7jGNbRVHkKX=jScv5_XjMx1Jh?ET3blS=|8Mo!Bo|qY z81P*Y7d40Mdd_^=KLiLJo2T=vJUX_{^<=s`Ln|h#m6{G}dFG=g;AD*8IxZ#z(oH}%(6Us#B;l;k&S%Wk`H$aovQoTw(2|RR5W@cjIE?2x^H<4N zmNH>8OsQUPAPEI=qg*S^Ll`h8wx1i%;t?e?GZcG270{EDlOn7h?C|1?z(F92s_tA& z`s&!XRYXMGFUxHyE=Gb>EZdn82(dovXyg)*zJx$#d`^BWTUKPtcsw<6q+ecMjy}~# zw6mGALiimzgHhFLbOQs+{^Y{Jc4WDtB^Bo9#ae1WAh771t!dQIcUh1_C(%z&>hYIU(RGddL4b#Op)EH zWFUPAo=;Gvsdiffvr!$95EGNNL*`eF!^IClLOMLiVq>jBFdv?maDQZ68kh()BiS+I z2GM40YzzgJAWiCn(!}^{^MAS(XGlSFT%0^Q4ziGO%#fa&U5T69ijG*D1PWv}HkNBc z#H)aggDa#t446P72C{iV#^x{FgWZG9Hwk?kqdUR937jb_L}a5&eE%Bnzew03`H*-l zCQm9KvvYt)^iG_*f1Z6zvSaljDT^d{l@x+Sh#_mJU)~ZoB7jU@;XO)IDIkM(U_6PW zM=FRPr;iUwz5SlavCIZ;)c+1KvIas zNkQ?p?~xQGMCvpI2||MAs$lZepLu?1-J9SVOXxl({A75pEYP;ZM9i+XO-09_H90!_ 
zlU8AFmR_@AVyf#4x?hKG^y3rFwl2~33kYN*R&G&M>IXPBph!55tygVi1rmae#c}y? zQ&A)vSbD%;+q(J2`&J^gl7PgZ`HWYP?%_Y87g)4*c6A}0y~VqsC&cN3A1*Jg zp->I!y)_bqa+AiSNRIUZ|Lv?X>U@*3iQ>cL)lnN-THV`X1r-?~(LbczNjYhP(1JR$FGd#@{$gPeLK3=17AHGKpvj|>IZS@6smwLuDCg$p zh3iCk5Ps!cp2Es>2eT?@Qv7+ol6p|-oy9=n6R~mf=RPTIQGIVYDFZ`2;k|>b<==xN z@A}JocP~Sw?Ivbz#KcmYS6{+FylO@VmfaknegiA-5z1};0!>|?f(0+A!z1B>n~CD; z@S&^8?q_09hU8KxKS?bo*X-=KXca|Uc7il>ttKi~MzXnYf_d1WH^wKE1HG$tetc;v zs6&?pu|QSC*yP>ru9-eU#Q=nag1l4Y1!-dkH>|vt>RaYfmHxH}2xNkBw5K*J@glz% zer|N6Pnyc8z~td>Gd_&xCIbP!12%UY0mi2RT)oNMmO6U!D~{P`a^`MS3-Fko;^a+X z_FPHc_Gz#6WwGFQEu#S?S&bMs`l8a>!lsO%wv}-JNW#Iauu; z|GrZer14|@Ug3{+4uRx;`0!$eVd7_$2nTpp_9xB9=Ov`O z_Z!;Sx{L@Nv0h&d&+yE)uhnA+e|SvH}H^KksKoS{!CGPk!p>(!)b!&3{NW4SlLdhq106R%d%5 zVQ(D6CY%K(hZxjXt5G}**Yd)nc(9z-bWl`AW@@Z0#4J^NY1)tHe)qc}6Q@yT47Mcn zB}A47hA1p&8~0!HXWag-_!*A6k`sL2SE7=kxEZyn09OR8RSl%+9yvr^)f2Ojwmvaa z!U%*zd6jLctFoeZSJ%HAn51u8K_KNFtH*;p8Rwtbk-iktBI~>aryC4wOel8ViJsPR zuUAk>AHlUCqa>tPLmBQm3RcSz8O+TJY4|i4WkLlWzS<&H)mKBkN7s!ksjrP_fQccB zB~Zt%j{ZLH|GTODY02SZ&%le+_-(sRUy30uC>{EImCl0%At9kK3@qS7U<{LJF7T+* zpO$Mkz8ULmpEep7YX-+A(ozb5AZiIuw4;RGWGCVxa(UM1mgc&LPh}H^0P!M00RH%} z+*7fM{iv>*+nJ61BR3fwy!t$3^-2~ovkW)w9PERP-@aKV<}@Lj`Ntn>{Q}}O>yue0 z5Bipyo!LStZJ&#m@WNz2TZR40YI8M&l3}2DZcZ5PD=39c`}-t#;|si~qObB+Z4Kr}|OBJ*+WuE59K{7TPGF^hVmT zg^26{2OgiM)a^I2q(>8mhlR9moD%)e|DoT6K4#z-HU(HgHhHH_@K+)iqox`KBGwvt z!UJ>7zXbPcbiPH#o`3Y0`?0#KZyjQN=in$@s~$Ej6RyZnh{2PQtc5ZshYi0i~?H z`NLZ9{_L%Y97^HOZ+-zVs8@D?wVeWzbVbbTPv_`hzl9T{I5{5j`gP@JmAMM^|0dKM zCds-y2OJZJ^V9d-f=Hha5t03W=PSG7x61>|8|thb^ql{0q6;`~KH zX0#rhD`v~|R=DeXy_`PyCQn!t?+QKiAoo;ar zdr_~~f{}YpQ6v_fxRZwuP@*<%V=aT<5i;{~3mpo)2$>v}kb++Ek82r<-Z5nO{v|xv zz>m@x*+Fgzsa#xaFx~;@+UW_3wz%c|Hz&$=1Y-KIG&&8sutKQd-gTv;or8n@nK{iT z+LHV{e0{fn0t1lr&l(@!pXy7nY|BpX>=A@*8DMHZ_KhsI7h>BuZ_e6(=0y+tj zvoBYZlWfY0Q+R)R60FV$C||$yz6QRz>_A9(V6F3>DgDF5;|l~qK^rMe-(`Q$FJ*o} z2+5sWlI_`pcrsT3z8l=`$=RFV@Le-_cVacXX8%Z@csHBh8j@P5LtAVz*pkCx~(*jQ=2nUh|DTzS|vBs|? 
zzNjajXXi#)D!YK29#Nohaz<9t(6C_vi93CBX-U|}TEG~TC&pQ16N+ePyWx)60W)|W z{MCg;KQS?*5f_Bb_b4epks2G%%zgPN4)NlCp2qpbdB3C-Xg8iVL-ip+bzmJM4?#o4 z6&M|rw=+83++1B}F*8zNs%j8*!rFn8P_Q=k_pgheMLUI+@b&^PaZC*Y#OQ68zZ5P` zzVXHB7oYp8sw(jOvfrWk(RP0yy-*HOgsahiQ-Pr9S{RsEnx19n3TDn;RQd3S z@@g9bN$@AhA7u`&2chDR7}?(QpyI^ta80;aU5PZ*#k;;kO~JsT>iXsNb9ZmAuaCYQ zC`Wj@-q;wUk^mE_&{CLdWQAF*Y)TXHnI<68+W&V&)!ps=`ozoH#&QwGS3H^vfan5s za2+29!e7BZN1nM0Ohhxc+TLAumKMiUbSKefrF{swxjYjDggtBZZLuGOa6=| z7lo+gcv3qD*{G(Xi&6ihZnpn(EU(VI;v$)${=7U>^a*|$m8+z9g`{W82lFF+o}ZSg z@I+gVs_yQW?Y+GswSG@pKavqt>a=q z5{khG1vQhF5}5>{AZ|R5)P1$Q1DWIvOw3pvb%K2}?Ea9Eb*iYv2r|Jz6_4X&K;oX0 z#$2W%KR+1ZE(j!D>H~_sef4KHbBi=a0PE&zbF%?x_@AzZ!JQ&$3_l=OKChZck3qlC-=yX10`W$p+rS2*bL!GyXYb^!1cr4U8gN1i_=dq^3%RhiRxvJ!7v>*K zLa$H8rbi%m+1}kowYQhIqcQ25?xr-@6@uqV1gpqXsdZ21%7x$20UM>Ft*wn#RMP++ z+-mOb1|S8#FimOjz`;{DjdX~Ra0}-Gd*mhwhjuOjM$`6zf zFBd>hgl4%oQvgG#PsPi^+-KOe8vXFqeL2 zLqdD)Cr4gBDY%!#T*EA%pi}-4;$!ImK6BkG(Z3{YbuJHc~#Xh9OxLM$Y20zvNr=l;;^R;R2pZ0}E+w~fp-!cX=Y(wk8VR+s zrYh$7zyCK-K!Hl!J?gzlNnO0SlNfq%F-SOAUWwagmS%Fx?f;zuhRvWrj%w=|4SvU{ zKAC9trae*DV2Xi}EFb^|_V%v(|J}2}`#)j?sG{4&%U&2O8Lv>zFE)sPrUIE6-Ol6) z>fm%;!ON->mc$2q0VJw@43s2NQQ0w@%K0HxSrh0^62+d#tV{tBD#L26!cL4XNH}i; zJ~zmb*Ndzs@(gxM5A|b=ea}pB{AT5q7g$#LN>QeFtRffa5KIbh-wFR`&Wf?+nziZO ztv0LDs1AThTF^<$he(@K84kUKc;WsQPoQqwVdP=jvKFb1BmJfpClgArx2jK{2$_gs zw4>YAQgZ=hV7uHm$s7GA zV>d?y+r6DLm1(n;HFj|HPgyxKG2!;kA$cF}gm?J`O@3YdAq+OXQ}^qAs;QVtn7pZ)gMB}3#^XNk_fvT8&;TK`=J=eE9sCJoei z`R0V*w0ZUr?&H2HjDSTJ_xL3F%s18g2F|^monA&xh}ZA;$4=$FW~V#)4hwm1R(aRi zMB*i7IpSqGeI7YYM1;&XtJj}ZMRJrm<2Bj(6rS$(Q)~Q1k(#95J>mdX9+p)1uZCfG z$#J*cx;#|MpF5{<_GG^%g7uHBS?{mJytA^M=7gP-FqXsJ!<&QccXA~k&=G)@uDll@ zdn0*06Sftl!c~EaCI5Bf9-8igJ+V0AyxpF1O>2-%4nFoA@Uck#XLYi4z0ND2FthTq zs-Yv@;bsOVy5=lGF(Y}tTTxT5ceqR&@YnC5#o5wbIY$whhSUXnZz7LC5VM;YZRMsR z8}8~8ykr2{jql%x&ECtf<7ZL+;*APLK(}=o$ePN-q@^g;SFtX3rA7uCi~-vW4*Aga z)5W#EkC#77#E=QKncH>s!dV!0*<{tpt_Dwy;vsa(@aaUUZjbP>6=Iurfxu#(nxZXi(U2 z*0GQufEb+SI}@!H+c8x^DPe1B9UtCcS~PxHxaHg_@>4nH^VR=u&`Tt>;@#enyM4iz 
zZgz?~jN53K#*dtdCn*iui^YoG$?kt*m*#t)E-JFBXty>@O}`?=`Mrja%w^V%Zf*j` zauI^*R)N8*#h^d|0=BYH@F#I&E}S1mVuxuLzY{j9iki+q6pj(>4~R?b`6$0(b2+fl zF8}_O$3|h&$W10Mb?-*XVS#DpINSXm+St+*HHh_bnxbC}mo%Vq4l*NhBnQE$&}3m% zl(O91;)BDq*HFK6T zG}{&Jho)zQ=NcMUE}r({wH%nSZb``*8>(CZQv5F9HAL2=Tq=S3fbR>4gV;ezK>8v1 z<(o8+`Rn*NoIftiffhvxy#)t>1+!*7bgu;dHC9NT#U;G% zg55VS0@YPDwYkT~HUeTI>^BIJWnyCSuGmbYj!w=>QemZy96lr<(cX#YNG7t-fAz{) z7!e|iOc#s)_O0#7YKQICpufNW%*+fG=LfJkrwVfmrBvpL5!$sr0=e6{kEbg#`J)xp ztjZx#n*bKmTocuEL19`QpZb3{qQzKftTngr`Dj;E5>-K@iPclVdBl*f zAE`XIbX|6W+Y=oNO!tJF94yW;OLPQ(5TurWw~4EuFG(Fvz#{B!u1#Q14qh}(H}xxS zCEg^-6&ljj!oj3iz_ z09G5GQm3M#?11oYrGP)3PQ!a$agX|Sc53auT6uSl{n`{A+wfGZsvQK9B@#7a9Z#^i ztBxN{k@uTK?1$mO?{yij_@^jFM~BLQ_IZ-e9PYhKb-1tGn}E_e5RdV3w@SrwG1}Tr zf-LKk<_w+g@S(cB>8nZi;{Xl>G*d?4qzs^>v8Up`yiVfwovJAIk)2eX?!`+8riiF0 zy!zqJj+_zAZgyeeej6Ge^6S@uK|y=l+p>1-;0zu5JZ|9`#!cP-&3Uyio5WJ)N@mi1 z`(TI8jy{&UKqniN9ViMi>wYKGd6UWK6BTG|0oft!!DvQ|&$31HvYHh@lxpVG4=PTW z6^S|O70Wa8%n5EKJA~H2T~(mXd^`iJD-`SY6RBWa$U6wiOL1E&6C6 zgksHxYKsL5*l70~rvG zNFDf2d9!o6eXhOIQXrr(GRQ)PFPTEHqHlReN!pN6fi!1fSRf$W`+Kezi_k~R=*pbn zf%tG2L&}+3@_Vo0WRYuKbp@KJ+epG6rUs;9Pf87xA7lhXI<2fyxnmwH7NG_d=;IE-oD% z9pGw&!$y_Ae*KDx!8Qx3u68gsrV_wt69Pn?veqj4Z&BLC5QcVsuRry9;W|Oc{-xAo z%fz_&Gv~d1ADOTT8eUWhl+7_~qKSKX-0QA4L1>U_C?zYo2}vi#gKTS@ln#bS%`l#g zGG^`0v%>Ymky9ZS-GJ#`Z4&&jo%tP_6`{)65Mf{1M@bvPYJlg z+WF4dbud7wwx1}Gnw^b#d3hBT3O+v}kYhA3Jq>)Eo z&H37sr)+`B>Bw)=fFG4_%b^jPE-3p^gXpMz@2tc5+g_eEA|0j9aGL@w@r)wjeD{ zK*SOTBFkj8!b!5N62YOOj9D2&$r1r!K1*dO zl70Nh!p5doP+eV3>~`Gp8;e^1L`#zVtosk?wvCC&?&d&ZTWhO9e_Wa4(c-AQ6B!1j zyp)ubx_V-I286$Nw;mrXx6<>az(3J8ljZFIPyVAH!3^&!%TN2japna+$9R%mg*$4S zzxQP% zMTY^p*68r;@Q)uq0#FI%!SoUM{Iq8xHWfeFgQ)@OYLxT4hX=1VVo5;(*x9s-inn~L zkLFI3V*9qU_t(NoOCaA)2f^BYx& zYg_Dzz~D%gn;8SeN^Wx{}saOu}E;l+@H*PRHN1wTXROC~0U4 z3kuqfXzA#nwp&2KD=sc(U|{$fOIKB1F0Yt-okx|z?OblXCL%1HUVO|lfP##Si3Jxe z(F8U_P7Wh+U~*z&Vrq(*LASlmc58HO?CsmPW22*$m6c@Nit6ff0QDap9(cI9kLS<` z*pK_@n@JGf;Nh7V8~1G3^!4^iNJuzw6Zwz;9GR;&PvrA_oO45DO?=oZY1S=(LZLx8 
z^oLhUmNzp2Xv7|Cogwtl>(!YG!}RoehlANF(lT8I+z_ zdTr1H@#%Q}r58=*=-hIv5^dGFJX$mN*+JY8CLt*Mq)0|=ejg_B&FEBf$!l(6KWVF# z`i%;M+?k=aBK{(Ew>WmeU!mCT{$fgd$>WZeSLu_)j~^S44|ie2e2*zl_l6g{6Npq! z0|rk_-W3tZ9x6=N7?X(NW*6t@1ngGJ?SXI8J3)t<3ZMI}-F&Te1VK@0sntyR58zBN zFW-}pK=8S=!H+dHL+A_*3=pB=E#J)+8)sTt-qX;S4X13(*V!s5DQz=)^It#S9R&(m z4@F4qRW#JqY1Ue;wD`gU>+9|AMxUSo)&uNjO50Pj#$o|@NM%*k$GdM3WMp3B!4)e! zJiPgZ1uQ%a$S6Ec@$Rn01S!xNQ~f}1ncXsR8eW6;!#aE*)csYKpx%YD;{*pj7bRzS z%kb35RjEVS=WMcr^6Xt+hm>4aWL5=xS7m>*xoVU|R@pD$r8BYG9vqH` z^NUTcq9J%6D~A2rD74`iaEw$`rY4KjnHU)*B_*LZn~BHAR>ttTr@)4K^vnM)@zBzm z12lfXUVwT&c{B&=RYvr*`Xh01a-zemoH)Ir6>D9wx;$Lq0y%hy$Xt^vTXp^S7N68q z5{84U>lwK}{~G|~z-B`o4ia)l>3}6_yPb4+zk+AAm}hsrG<)ey($n%HoZzuBghb5J zvSd~Fg(WPV#>90i7N?5h*5&z#V!h!DSryPI$$1{JVvCV!JMec~Oy;|*0fIeQmy(*RtB(E-i$==hBV0`&RWS)@a7 zzLdB488Eiz1r;dB_~p1Wnst5cq@bX{U|y`%^qT}Bfq|G=Pj5}2`Et3%_Z!@NPmgh5 z46QES*Q<)Py1F`ZU}(TYZf)tO8M-EGj4$n(8_Ul!(1H@Vj22Gg`e?3^MakRI8xLyl061I_RY-)nX zgv3j-vawA~PLiV|U}Iy0+XX|Q@1C|!Mmzb#&Z7914ES_+Law0BF6yr)bK zDfG+>-qGU%;V~JczSik=Xy!A1W^|i?E+V9ygO_V4I^5pv!w{?XmxN05rdVL z6$1mKJPZ#*5_*5!h6bW%Zcz~}_46pm&)+>fB!3fl3*;9Um!Cg>uB@yqxnB_`U{6g< zfKcDHW%`MlT2D_8jgV95L(5wa&$gwQ@Hw$F5JgXagan}AV-pkena?s;np(`)p7c

    - GCVE single region private cloud + GCVE single region Private Cloud

    -The blueprint manages: -- project creation -- project-level organization policy definitions -- billing setup (billing account attachment) -- API/services enablement -- IAM role assignment for groups -- VMware Engine private clouds creation -- [VMware Engine Network](https://cloud.google.com/vmware-engine/docs/networking/vmware-engine-network#standard_networks) creation -- VPC attachment (Optional) - -### User groups - -Based on our GCP best practices, a GCVE private cloud relies on user groups to assign roles to human identities. These are the specific groups bound to the main GCVE [predefined roles](https://cloud.google.com/vmware-engine/docs/iam#vmware-engine-roles): -- *VMware Engine Administrators*. They have full access to the VMWare Engine Service. -- *VMware Engine Viewers*. They have read-only access to the VMware Engine Service. - - -### Network - -This blueprint expects the user to provision a VPC upfront, either from one of the FAST networking stages (e.g. [Networking with separated single environment](../../../fast/stages/2-networking-c-separate-envs)) or from an external source. -The blueprint can optionally configure the [VMware Engine Network peering](https://cloud.google.com/vmware-engine/docs/networking/peer-vpc-network) on the peer VPC by granting the following permissions on the project that hosts the VPC: -- vmwareengine.networkPeerings.create -- vmwareengine.networkPeerings.get -- vmwareengine.networkPeerings.list -- vmwareengine.operations.get -The permissions can be assigned through the predefined role *vmwareengine.vmwareengineAdmin*. The creation of a dedicated custom role is strongly recommended anyway to comply with the least privilege principle. 
- -## Basic usage - -The following example shows how to deploy a CGVE private cloud and connect it to a VPC - -```hcl -module "gcve-pc" { - source = "./fabric/blueprints/gcve/pc-minimal" - billing_account_id = "000000-000000-000000" - folder_id = "folders/000000000000" - project_id = "myprojectid" - groups = { - gcp-gcve-admins = "group:gcp-gcve-admins@acme.com" - gcp-gcve-viewers = "group:gcp-gcve-viewers@acme.com" - } - - prefix = "myprefix" - - network_peerings = { - dev-spoke-ven = { - peer_network = "projects/spokeproject/regions/europe-west1/subnetworks/dev-default-ew1" - peer_project_id = "peerprojectid" - } - } - - private_cloud_configs = { - dev-pc = { - cidr = "172.26.16.0/22" - zone = "europe-west1-a" - management_cluster_config = { - name = "mgmt-cluster" - node_count = 1 - node_type_id = "standard-72" - } - } - } -} -# tftest modules=3 resources=9 +## Table of contents + + + +## Design overview and choices + +This stage implements GCP best practices for using GCVE in a simple (but easily extensible) scenario. Refer to the [GCVE documentation](https://cloud.google.com/vmware-engine/docs/overview) for an in depth overview. + +## How to run this stage + +This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management and networking. + +Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. + +### Provider and Terraform variables + +As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. 
+ +The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. + +```bash +../../../stage-links.sh ~/fast-config + +# copy and paste the following commands for '3-gcve' + +ln -s ~/fast-config/providers/3-gcve-dev-providers.tf ./ +ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ +``` + +```bash +../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 + +# copy and paste the following commands for '3-gcve' + +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gcve-dev-providers.tf ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ +``` + +### Impersonating the automation service account + +The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
+ +### Variable configuration + +Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: + +- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above +- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above +- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file + +The full list can be found in the [Variables](#variables) table at the bottom of this document. + +### Running the stage + +Once provider and variable values are in place and the correct user is configured, the stage can be run: + +```bash +terraform init +terraform apply ``` +### Running in isolation + +This stage can be run in isolation by providing the necessary variables, but it's really meant to be used as part of the FAST flow after the "foundational stages" ([`0-bootstrap`](../../0-bootstrap), [`1-resman`](../../1-resman), [`2-networking`](../../2-networking-a-simple). + +When running in isolation, the following roles are needed on the principal used to apply Terraform: + +- on the organization or network folder level + - `roles/xpnAdmin` or a custom role which includes the following permissions + - `"compute.organizations.enableXpnResource"`, + - `"compute.organizations.disableXpnResource"`, + - `"compute.subnetworks.setIamPolicy"`, +- on each folder where projects are created + - `"roles/logging.admin"` + - `"roles/owner"` + - `"roles/resourcemanager.folderAdmin"` + - `"roles/resourcemanager.projectCreator"` +- on the host project for the Shared VPC + - `"roles/browser"` + - `"roles/compute.viewer"` +- on the organization or billing account + - `roles/billing.admin` + +The VPC host project, VPC and subnets should already exist. 
+ ## Files | name | description | modules | resources | |---|---|---|---| -| [gcve-pc.tf](./gcve-pc.tf) | GCVE private cloud. | gcve-private-cloud | google_vmwareengine_network_peering | +| [gcve-pc.tf](./gcve-pc.tf) | GCVE Private Cloud. | gcve-private-cloud | google_vmwareengine_network_peering | | [main.tf](./main.tf) | Project. | project | | | [output.tf](./output.tf) | Output variables. | | | | [variables.tf](./variables.tf) | Module variables. | | | @@ -96,8 +122,8 @@ module "gcve-pc" { | [folder_id](variables.tf#L22) | Folder used for the GCVE project in folders/nnnnnnnnnnn format. | string | ✓ | | | [groups](variables.tf#L27) | GCVE groups. | object({…}) | ✓ | | | [prefix](variables.tf#L81) | Prefix used for resource names. | string | ✓ | | -| [private_cloud_configs](variables.tf#L90) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | ✓ | | -| [project_id](variables.tf#L112) | ID of the project that will contain the GCVE private cloud. | string | ✓ | | +| [private_cloud_configs](variables.tf#L90) | The VMware Private Cloud configurations. The key is the unique Private Cloud name suffix. | map(object({…})) | ✓ | | +| [project_id](variables.tf#L112) | ID of the project that will contain the GCVE Private Cloud. | string | ✓ | | | [iam](variables.tf#L36) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_by_principals](variables.tf#L43) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | [labels](variables.tf#L50) | Project-level labels. | map(string) | | {} | diff --git a/blueprints/gcve/pc-minimal/main.tf b/blueprints/gcve/pc-minimal/main.tf deleted file mode 100644 index 2d9f5c8ef9..0000000000 --- a/blueprints/gcve/pc-minimal/main.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description Project. - -module "gcve-project-0" { - source = "../../../modules/project" - billing_account = var.billing_account_id - name = var.project_id - parent = var.folder_id - prefix = var.prefix - iam_by_principals = merge({ - (var.groups.gcp-gcve-admins) = ["roles/vmwareengine.vmwareengineAdmin"] - (var.groups.gcp-gcve-viewers) = ["roles/vmwareengine.vmwareengineViewer"] - }, - var.iam_by_principals - ) - iam = var.iam - labels = var.labels - services = concat([ - "vmwareengine.googleapis.com", - ], - var.project_services - ) - # specify project-level org policies here if you need them -} diff --git a/fast/stages/2-networking-a-simple/outputs.tf b/fast/stages/2-networking-a-simple/outputs.tf index 007b7948cf..e38837c7f2 100644 --- a/fast/stages/2-networking-a-simple/outputs.tf +++ b/fast/stages/2-networking-a-simple/outputs.tf @@ -26,9 +26,9 @@ locals { prod-spoke-0 = module.prod-spoke-project.number } subnet_self_links = { - prod-landing = module.landing-vpc.subnet_self_links - dev-spoke-0 = module.dev-spoke-vpc.subnet_self_links - prod-spoke-0 = module.prod-spoke-vpc.subnet_self_links + prod-landing = module.landing-vpc.subnet_ids + dev-spoke-0 = module.dev-spoke-vpc.subnet_ids + prod-spoke-0 = module.prod-spoke-vpc.subnet_ids } subnet_proxy_only_self_links = { prod-landing = { 
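Review bot: In `subnet_self_links` (the `@@ -26,9 +26,9 @@` hunk of `2-networking-a-simple/outputs.tf`) and `vpc_self_links` (its `@@ -61,9 +61,9 @@` hunk), the names still say self links while the values now come from `subnet_ids` and `.id`. The same swap repeats in the `outputs.tf` hunks of `2-networking-b-nva` and `2-networking-c-separate-envs`. If those module outputs are relative resource ids rather than full URLs (the module code is not visible here), any later stage that compares or parses these values from the networking tfvars will receive a different format, so the consumers should be checked before merge, all the more because the commit subject is "untested". Keeping the key names for cross-stage compatibility is reasonable, but state it next to the locals, e.g. `# values are resource ids, not self links; key names kept for cross-stage compatibility`. The `locals` block starts before and continues after these hunks.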
@@ -61,9 +61,9 @@ locals { vpc_self_links = local.vpc_self_links } vpc_self_links = { - prod-landing = module.landing-vpc.self_link - dev-spoke-0 = module.dev-spoke-vpc.self_link - prod-spoke-0 = module.prod-spoke-vpc.self_link + prod-landing = module.landing-vpc.id + dev-spoke-0 = module.dev-spoke-vpc.id + prod-spoke-0 = module.prod-spoke-vpc.id } } diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index 2397e17797..b3416f2db1 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf @@ -57,7 +57,7 @@ variable "environment_names" { variable "folder_ids" { # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." + description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format." type = object({ networking = string networking-dev = optional(string) diff --git a/fast/stages/2-networking-b-nva/outputs.tf b/fast/stages/2-networking-b-nva/outputs.tf index cc16c4e842..a143a24150 100644 --- a/fast/stages/2-networking-b-nva/outputs.tf +++ b/fast/stages/2-networking-b-nva/outputs.tf 
@@ -26,14 +26,14 @@ locals { prod-spoke-0 = module.prod-spoke-project.number } subnet_self_links = merge({ - prod-dmz = module.dmz-vpc.subnet_self_links - prod-landing = module.landing-vpc.subnet_self_links - dev-spoke-0 = module.dev-spoke-vpc.subnet_self_links - prod-spoke-0 = module.prod-spoke-vpc.subnet_self_links + prod-dmz = module.dmz-vpc.subnet_ids + prod-landing = module.landing-vpc.subnet_ids + dev-spoke-0 = module.dev-spoke-vpc.subnet_ids + prod-spoke-0 = module.prod-spoke-vpc.subnet_ids }, (var.network_mode == "regional_vpc") ? { - regional-vpc-primary-0 = module.regional-primary-vpc[0].subnet_self_links - regional-vpc-secondary-0 = module.regional-secondary-vpc[0].subnet_self_links + regional-vpc-primary-0 = module.regional-primary-vpc[0].subnet_ids + regional-vpc-secondary-0 = module.regional-secondary-vpc[0].subnet_ids } : {} ) subnet_proxy_only_self_links = { @@ -74,14 +74,14 @@ locals { } vpc_self_links = merge( { - prod-landing = module.landing-vpc.self_link - prod-dmz = module.dmz-vpc.self_link - dev-spoke-0 = module.dev-spoke-vpc.self_link - prod-spoke-0 = module.prod-spoke-vpc.self_link + prod-landing = module.landing-vpc.id + prod-dmz = module.dmz-vpc.id + dev-spoke-0 = module.dev-spoke-vpc.id + prod-spoke-0 = module.prod-spoke-vpc.id }, (var.network_mode == "regional_vpc") ? { - regional-vpc-primary-0 = module.regional-primary-vpc[0].self_link - regional-vpc-secondary-0 = module.regional-secondary-vpc[0].self_link + regional-vpc-primary-0 = module.regional-primary-vpc[0].id + regional-vpc-secondary-0 = module.regional-secondary-vpc[0].id } : {} ) } diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index 2397e17797..b3416f2db1 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf +++ b/fast/stages/2-networking-b-nva/variables-fast.tf 
@@ -57,7 +57,7 @@ variable "environment_names" { variable "folder_ids" { # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." + description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format." type = object({ networking = string networking-dev = optional(string) diff --git a/fast/stages/2-networking-c-separate-envs/outputs.tf b/fast/stages/2-networking-c-separate-envs/outputs.tf index cef97ca01a..22a6678950 100644 --- a/fast/stages/2-networking-c-separate-envs/outputs.tf +++ b/fast/stages/2-networking-c-separate-envs/outputs.tf @@ -24,15 +24,17 @@ locals { prod-spoke-0 = module.prod-spoke-project.number } subnet_self_links = { - dev-spoke-0 = module.dev-spoke-vpc.subnet_self_links - prod-spoke-0 = module.prod-spoke-vpc.subnet_self_links + dev-spoke-0 = module.dev-spoke-vpc.subnet_ids + prod-spoke-0 = module.prod-spoke-vpc.subnet_ids } subnet_proxy_only_self_links = { dev-spoke-0 = { - for k, v in module.dev-spoke-vpc.subnets_proxy_only : k => v.id + for k, v in module.dev-spoke-vpc.subnets_proxy_only : + k => v.id } prod-spoke-0 = { - for k, v in module.prod-spoke-vpc.subnets_proxy_only : k => v.id + for k, v in module.prod-spoke-vpc.subnets_proxy_only : + k => v.id } } subnet_psc_self_links = { @@ -52,8 +54,8 @@ locals { vpc_self_links = local.vpc_self_links } vpc_self_links = { - dev-spoke-0 = module.dev-spoke-vpc.self_link - prod-spoke-0 = module.prod-spoke-vpc.self_link + dev-spoke-0 = module.dev-spoke-vpc.id + prod-spoke-0 = module.prod-spoke-vpc.id } } diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index 2397e17797..b3416f2db1 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf 
@@ -57,7 +57,7 @@ variable "environment_names" { variable "folder_ids" { # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." + description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format." type = object({ networking = string networking-dev = optional(string) diff --git a/fast/stages/3-gcve-dev/.fast-stage.env b/fast/stages/3-gcve-dev/.fast-stage.env new file mode 100644 index 0000000000..84282438d0 --- /dev/null +++ b/fast/stages/3-gcve-dev/.fast-stage.env @@ -0,0 +1,4 @@ +FAST_STAGE_DESCRIPTION="GCVE (dev)" +FAST_STAGE_LEVEL=3 +FAST_STAGE_NAME=gcve-dev +FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman 2-networking" diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md new file mode 100644 index 0000000000..fa27a5f5b7 --- /dev/null +++ b/fast/stages/3-gcve-dev/README.md 
@@ -0,0 +1,170 @@ +# GCVE Private Cloud Minimal + +This blueprint presents an opinionated architecture to handle different Google VMware Engine deployment scenarios: from a simple single region private cloud to multi-region private clouds spread across different locations. The general idea behind this blueprint is to deploy a single project hosting one or more GCVE private clouds connected to a shared VMware Engine Network (VEN). +Optionally this blueprint can deploy the VMWare Engine Network peerings to pre-existing VPCs. + +Multiple deployments of this blueprint allow the user to achieve more complex design solutions as for example GCVE private clouds deployed on different projects or connected to independent VMWare Engine Networks. + +This blueprint is used as part of the [FAST GCVE stage](../../../fast/stages/3-gcve/) but it can also be used independently if desired. + + +- [Stage configuration](#stage-configuration) + - [Project-level IAM](#project-level-iam) + - [Networking](#networking) +- [Architectural patterns](#architectural-patterns) + - [Single-region shared GCVE deployment](#single-region-shared-gcve-deployment) + - [Single-region per-environment GCVE deployment](#single-region-per-environment-gcve-deployment) + - [Multi-regional deployments](#multi-regional-deployments) +- [How to run this stage](#how-to-run-this-stage) + - [Provider and Terraform variables](#provider-and-terraform-variables) + - [Impersonating the automation service account](#impersonating-the-automation-service-account) + - [Variable configuration](#variable-configuration) + - [Running the stage](#running-the-stage) +- [Files](#files) +- [Variables](#variables) + + +## Stage configuration + +### Project-level IAM + +Project-level IAM is controlled via the `iam` and `iam_by_principals` variables, which allow controlling authoritative bindings on the project. 
+ +To manage GCVE assign the `roles/vmwareengine.vmwareengineAdmin` and `roles/vmwareengine.vmwareengineViewer` roles to suitable groups via either of the above variables. + +### Networking + +Any of the FAST networking stages can be used to provide prerequisites for this stage. The development spoke VPC is used by default to attach the GCVE Private Cloud. To adapt this stage to production (or to a custom VPC) simply change the configuration of the GCVE module in the `main.tf` file. + +Peerings can be configured to additional VPCs via the `network_peerings` variable, provided the service account running this stage has suitable permissions on the VPCs. When running FAST, network projects matching this stage's environment already have the suitable IAM binding via the custom `gcveNetworkAdmin` role defined in the bootstrap stage. For custom setups outside of FAST, the [VMware Engine Admin role](https://cloud.google.com/iam/docs/understanding-roles#vmwareengine-roles) can be used. + +## Architectural patterns + +The patterns shown here can be achieved by combining this stage with the relevant networking stage, and configuring network peerings to achieve the desired connectivity layout. Different patterns can of course be implemented by modifying the default configuration. + +### Single-region shared GCVE deployment + +This approach creates one GCVE deployment in a single region connected to every environment. When using a networking stage with a dedicated landing VPC as in the first two diagrams, an additional peering is created there to allow connections to the Private Cloud from on premises. + +

    + Single region shared GCVE deployment with hub and spoke. +
    + With hub and spoke networking stage. +

    +

    + Single region shared GCVE deployment with separate network environments. +
    + With separate environments networking stage. +

    + +### Single-region per-environment GCVE deployment + +This approach creates one GCVE deployment per environment in a single region. As in the approach above, when using a networking stage with a dedicated landing VPC as in the first two diagrams, additional peerings are created there to allow connections to the Private Cloud from on premises. + +

    + Single region split GCVE deployment with hub and spoke. +
    + With hub and spoke networking stage. +

    +

    + Single region split GCVE deployment with separate network environments. +
    + With separate environments networking stage. +

    + +### Multi-regional deployments + +A design for a multi-regional deployment with the NVA FAST networking stage is shown below. + +

    + Multiregion shared GCVE deployment with NVA. +

    + +## How to run this stage + +This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management, security and networking stages. + +It is also possible to run this stage in isolation. Refer to the *[Running in isolation](#running-in-isolation)* section below for details. + +Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. + +### Provider and Terraform variables + +As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. + +The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
+ +```bash +../../../stage-links.sh ~/fast-config + +# copy and paste the following commands for '3-gcve' + +ln -s ~/fast-config/providers/3-gcve-dev-providers.tf ./ +ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ +``` + +```bash +../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 + +# copy and paste the following commands for '3-gcve' + +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gcve-dev-providers.tf ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ +``` + +### Impersonating the automation service account + +The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
+ +### Variable configuration + +Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: + +- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above +- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above +- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file + +The full list can be found in the [Variables](#variables) table at the bottom of this document. + +### Running the stage + +Once provider and variable values are in place and the correct user is configured, the stage can be run: + +```bash +terraform init +terraform apply +``` + + + +## Files + +| name | description | modules | resources | +|---|---|---|---| +| [gcve-pc.tf](./gcve-pc.tf) | GCVE private cloud. | gcve-private-cloud | google_vmwareengine_network_peering | +| [main.tf](./main.tf) | Locals and project-level resources. | project | | +| [output.tf](./output.tf) | Output variables. | | | +| [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | | +| [variables.tf](./variables.tf) | Module variables. | | | + +## Variables + +| name | description | type | required | default | +|---|---|:---:|:---:|:---:| +| [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | +| [environment_names](variables-fast.tf#L32) | Long environment names. | object({…}) | ✓ | | +| [prefix](variables-fast.tf#L48) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | +| [private_cloud_configs](variables.tf#L53) | The VMware private cloud configurations. 
The key is the unique private cloud name suffix. | map(object({…})) | ✓ | |
+| [folder_ids](variables-fast.tf#L41) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} |
+| [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {…} |
+| [iam_by_principals](variables.tf#L27) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} |
+| [network_peerings](variables.tf#L34) | The network peerings between users' VPCs and the VMware Engine networks. The key is the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {} |
+| [stage_name](variables.tf#L75) | FAST stage name used to find resource ids. Must match name defined for the stage 3 in resource management. | string | | "gcve-dev" |
+| [tag_values](variables-fast.tf#L58) | Root-level tag values. | map(string) | | {} |
+
diff --git a/fast/stages/3-gcve-dev/diagram.png b/fast/stages/3-gcve-dev/diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..78ae82b24d7e881e72d0845f70951cf5f8884027 GIT binary patch literal 47499 zcmY(qbyOV9);){|31M(|cY;IkV8I=NGX#QbaJS$PLU0T2GPqj?NpL5)ySwu>&%O8k zp5MwJy;d`+?mBg<&ffd%4p&irJ2HLz4x5i|QnC8)f!)&SDyHjkMv9lY>#_Z^ z*A{8?lvSNX1Oo+X7+jA3|1K-is1^v|MT^?J(*OVF%TMHB19Vc5|KEFdh5lk?^XMsG zbZ|h3lCY{`|GiLXZT;VX{~3Os(LpbaCv9kj{Nw$m>pBxD-oJj|S&lnuRd;fB*1XBH zfCWaWu(Y(a^En;&_`d=F8TVSVbAFy!Fyp8Ip8~YszRo0!|L;L^agAxTDreB3o)-)Q zJ>mbJlL;y^)N|JV&*r~pszQJR3S)hp%QD08?+Ao40)v~tGbK^~>#mrIiWo&bM^v?b z?*9VyGB2_Mv4HnwT?jTpNM*t{J;e;nQRY8&U`F%4Bl)CRsEEwoMm!Ti-Xy7kPmB}n zkWX0?3*RIwm=h>UyYF5$=!+*6B5i#7_asrX;SiA^S}-V#S`W=KL5rApP&#;65hC~f zGFgRJwM6Jl2zsZoXslL0oR0ci8=kq+!(uz3bkr)8RbOI=Ka(wn)oeR#>^SN-lOVqL z6m0crRc+Szz+L2rFPFd)E}z7{4h@elGHfIIlf?c?F-EWH9ObQc#mekyd{}r>ph(+s z+c}C;@V}>Mmm?M+ZW95k(>fHP*jI+k4ELp?P^vgb%YBzymKP?JUB{7TJOaPjN|nyO zYm@||r;(J)f#wQF#DWJ_Gw{#mj(7a;;Ea}Q@XV30F;2Z?_}a<&rIef%Q%!seGDo>V7B@(E>`JM5$q8#`}hjO^zbek8HFw2 z>*cY8jt+x&Yg?Qh$I5vAKp4NtX0>a1$hW+zYZGyFxJ5>9G((yuRdj-MyGt&6uN;`C$stsnY`H^N0feB#{JOQ2H$)1ef?N|y zDt}2}CeDmZ1gl=jHX@ZOy|QhJIBBkAuMPglemofSH8iWsP4p?sT#QRSPfL(wpwS8uwFIpDOIZ;bLIa8EnT6=8HBo5zO?2F*CBJeGO>31Y3c z$F{OcO5y`}L&h8gRX%-e>B4?wo*9ORvc@M`{Vw9SjSbsrgy| zJvl4N{~MmRZ5@>g1P-^Kyw0lX%_usJV-e2UH5mR{rakhD{++bs-Hon@7el&YZrap3 zSZgM_H6%pj+`QGEH@Q#t-ZG7R=fq?c&%v*x1H%jYxA= zJS)NuI?^~d%hk@;WM%qwc-NPEF`h2_5``^w7*xzqq?`NVA{%34ioMASL_blZ^cem~ z^+Kif3Qrf63LC<*`4fC5?UFDh(z))L8T{Sd-J8SfO<4s6$$c%ib?9#g5>ZF2Ix8)i zkh9IH{a0^Ddw;7Jn((F}f(`DuGT7UkH}Iv}zo;~a{HRpXjFQ@LRTN*(fL>$6;?rH7Ze} zwF>XdaX^muJvi_9wMsACGauZRZPc*$kS4Yqp1T4d$nd^jZ?-dT{Z{V?~oH zrRC&Mt)|Pq!oP|I%AWOfQ2_ia3`!ar0s}!8F$h>n^HU<);B@(NUJhg}ob}5xwgV8K zRdwZx|CU<{Q5=Vjw&G3-*R>Hml8)D{qnbf@nzm@o{QF5Q^N$60ko zA1F91xm%kTUuAtZ?7!&Lt%OpTK`C}hrv0C*zK=?c1Qwqu==?&0NsW?uoSR+F78Zb; zRtq|vUV_YeQ6k%m7D-KU6r8R7@-*&6WsZ^3ecLqR2YS~sF81TrSj3o9LcJa9TPmEp 
z*L&@{=CifEeV$;RB4qC8ZYJt%(WeLEBfGyOtZ97em=o{B4}{$sI)AILRwc9U%;o2v zbybg|R+%p%k-T$-(=65M-R1gR8KeX6d;h46>&R+Qf}@mr|@C zTKG_`ayIegZa+IJU!(qR&VOqbF~dr~mwJHsLGQD2Igfn??v%VGM{PM$!ux9G5k-t? zQdp72Pf|61w4%y=;fhVO0-la|PYC(ma@|=9dl503W(L&T`P^VIzN#EhH(?Tm-5OUG z&mHoYwVl)+&DgXaS!;V70n12I&@B{-w>c4}U^Eu(A1<@b_R>ecI%`X}Knh;FKk3(dCY=ia(EBafl9V_6LAhiKdL9hKqi)4 zTXlT;x)xeI@wrpVM7Y^S`qs&ei_-P>&lIvKX#mkwDU+U9e#GWjv8h)=b)+rpy^p~7 z_&BibK9UIg!T|{<5qf2teUD$#ddcs0)G7&HTnRedVG}%y>>l%pzgsYZW#+!& zTUvR-r`CP}FimP=@aSKNaEWqjQFPFg74dyky7i}4>P-NDZmsN>uPUW@B!wbPwvt-w4cS4WAL+LiS+ynOw z8=PF7NnclFfQX0!P5YFMdrEj149f_Jcx-+S^ASbuj5kp;{a`PpNJ8s)T55hDP%(?* zbb0$_Kc3`PYIRydcAK=qpHNqy%gYhH1P4HI3>&CB#^S1NV|L$M{@Ip^zB7@IT4e&S zAAG)d>;`<7A|$M%5+F53Epwvf-Z3P%&=g*GnJ94KV0n5y>LIQN!TR%wUQKBIU`0Z>Gq1(X z=oG5!e1~EFadyfIjwv(d>*>8z71SW4V51}UZbV8q98(Y;5uA|`xuju) zTI#5sO1Ty8L!DXaS=-l;kZjpF3L1KPYO1w#I4$YV>@rfO_c0kvXL=={bfmph#~O)< z3wd<`uYrAl)VE|0vmN<$gaU6hM@RYBpeR%hlx8H_F>FCJ=Tn_Ib2 zK5G=)5II7|hN!or(DGnjOFr%bcQJfqc`0+NU8^s@TmI>>r;lHac9gfZK(D%vy)6fph$;1h7I;?Gc?w(!*hi-Om>H_hVAP!;Wx&C06+RCa0bb`iqD>3l`Ev>F+0Yg^p)8uG&q* z$44Q{xeikfyHMqiR++q=Fs8HRy~&P(*UeszsK2pEzETO3aBIlrzg*&7Qx*#%#=-f~ z)B!)T?Z|6v*5d2iesX;t^cSpJi5-!T!-j|eMw@YecW#9U&M2<0rA2LQhYKMBX9x%- zt(7O&p`MJxvX;P#i*$xF82?gb_MDtq2`JD-xCU5 zL;$vA)eD)+Yx-u6phXVHOIAZM)fswH%K^h9XF1xCf`ltq1XGEl+IfiUKpQ4}-u6Zh z$t!o{lpEnk$7L)u%lbCQMw=^jjuj?DK5Ey}pB%BrL zCN50c!I4ZnHj^%`d_8LPS^T*oid{la7u2SS=3I^BBAw!3(xfELoLfTb%eyj&@hkKjn^Mhusx`7NLn*}D{pPI{R02QL z=oKJd2Z3Z^V2xOa-FprdDq8R^A_MQ6kq#_NY2_pvYGWF(LPxydaU<2v9^8HuC{etB zOa~#T=6xjTh*$Qa8vHmo;Bdq<_m?t~J1zu#FKf^3Gvd#gQC%rU3q{g|l$<{k?L-%K z)b3OZl4`qJLhfZLqzX z;+d|K97p|QX=*5_O~v*bp<)3cE{u_W@%t=n%f?#6$htP~QD;5D3euSc7zl=RUKihB z2}Ql+d$gn5K?is!Z>E*xBEG^be{LR?%i$%@*T^%7z}^Knzv&it1Uk1LHjeiYnMHPG$Fk1iyL!^>B# zntKK_eQEEE6Y%_DV;ita^uxtJA56}r<#Hh&O+RFDk%;+D+GBNGkkpf0?$>6tZrQG* zb(qhN8c}P6?x~kL`40=@Hb&^UmWo#%3NiVav}Y8O!A$=8pqro#;dfZbeCDOZ*+=xF zj}{uL8-9it-PDf7{1+8sHoi(qz{_fA@8KaXCP0Y0mVOSYQ-9P}xQ*jsZ&IUs# 
zbS0n5r7Hc#jTI)1&EAp!u=*Te^r1Au-_0ruz(>mYudZKtPcA>L`k;HHE7y z?~+kWu0Q!R1tgwWy|q#)t|T;TPPVsj?6YA1VP&eS`uD`%rO{QRl&Wba#?rw(5ud2l zTyl>VUCFyZX2Mb$N;bK2(ct-DpD1o7G|Tr_K7X;~DHx^2=u!gWiKjtktmV5Phmrc@ z)%9$jCjoXqOK(c&YoxMBw8rrYxLQ63Rs8wSZ7$NpaSjrZ{dKyv$!QH52Ao}X75;_d z2mM{}C(}`}IQ?^agXUZ!o_{(Ub84&*&EJ{>Af6r4c7?DujOi?<^x z9Ha?ai%J3M5;k8ZX>k~JU$@U3R`eqmHN;{BM&PuSBhlqz0$g9E%)LtRNsE?;2l01! zI5G-z%Hg+Q>(i6-^U$OQJ{uQYcFde7pBgM|AHt_6SY+e}`@;8;J%P+)Nt#BF5AdD! z(jrUbSw7F9^U+y=@aIqqWL%7v#vV2zY7^X*#KF=`8%Sd@2k-L-OvD4#PQx(Toi+hG z9N-niz4b}H$78+So8nVxSHo5CxRkoNy`@~8 zTpB(a$3=X_aCJkuM`8J2~s0xX2BL;KgV=ymi%UY9TwoX=+$*E=&;vJVJ&Qove5K)|bG~iAbKbv>74EYA zfyKwI2$)?Zr%#RfD#_7Y}0G6sr>=JN7#(! z<_LWZdqyb{0U0)F1^x(%$5gOE$7B1}WCa;>80_#H2*1o=1^WdGt= z5W62{eB7(cH)0F+6N8cHmNQwdIQ+x=Ei?1$D#l_gyRU9`HHd>#D9;GPyT+zGq7e(+ zq*6Nn_=tm3lP=;xl0T5pH+jllQuH>r>!SDR^xSP{;oLVI+I%aNc=S#QSc*PNMjk-Y zhJgWA1?itv@e()-^n7?;F@3M`#pQ3T{K-{1A}Yf6kozm;j+5#L*9xQCS4)pOT$gv} z%0f{q-&7QQpWjbCj)4{vA2B%_sFlr z3rxHa2`l}jXn(X3 z+462D@Uz#6?3ga^?lhs+0DubxfvBqyJwPPP(ynf4>n52|8$*B`vwN#B{z0|V2TsLMB4epSRTt<_W0nqFu&|h5d+(~`!;N%5yu1b zxuvB}F!O1C%I_&6>?FSA>B_*Xq=*IIRWU^Xqel+G^!doI>ag;1?>NJ2A$Dby!{w;H zgV*?Y*tSR`zd53tv!*NY(z;UtN&kUX3Ws43$TPgHu_SAJ#4~ZA$asS^OEg}P*uM5- zxbU-0PgR_$!_}arH@~py=~TIz-lmqJG}!O)NlzhJkh)Kk<8elQi%iuX&q1+8VP&~!<)|%g zHa%@VH?pn`C|0&c9} z0XP0kzBGG6U#gIbKtAWoIq@QHf|#9O`akK}Vulp1mwQtT+7%>wlf}8sOwVlko(q<~ z5g98=sK4)X#8%bBs30NMt(#U-0p8jag`jt)y|1GPx#*VfY0(?&;X0n5-W|2^nbMc* z;Rfi;kiFl{U|6vM=s`w#V=Xi}Hc}_iv#Q8HYfyxO69v)on3jL-U zC!o)w5{8S6h87eXJEDl&&j^j6uLmjTu_PT?WzJsIa^svsC>mvdzW&DWjT&+MwRC!{ za%fi81OG^zLleIa#g*U~7B)5}Ie8Wu<0g*k&l3if97z-e1O$G7N5xt><$Gv$rnm;? 
zK@kw{;j(EXHtXh{d@0pCKXI<>d?Ja!WmoO5Sh!7M1~G&7A3oBvHn+WOOwnLF57^=0 zS?g0rxEY)V8ka-?{cf69H zWEf~zIbv4csb}97GGpW?JhQ#M9sUBF?XH>;!2spto6n<-RRz%HRd)!QPW300oZQ^i z{e83yrO-Yyuh&y0n$F4f9gkPUaPaVB5L21ZsgI+$Z~xrxS9YxR;2W{*RBROc1nAsv zc-`$5#${&4jE<@#*!F$mT%AxB4QXg_Ge@jFRY>JVIc~eo^htmVi;99q;4&X9nb@yE z!}rpOc&v;Un_b-R4;#kvK490{&f}G8m8)f~E+lRZrJ44{kTwYm8;xLx4QYGSXc{t5 zUb%W0$H&LVefzf3iuo;35|&Q`h^%!bePYUc_X$$YPhk;zRiI(uKZi1^7i{c)O?E*B zQo~##f_~bu85{fxgDeV)+gos>gII4@p{P%; zuvl(yi@?Ih0$QiBg_)jmf63Z!w}_|S%zvVZxU~6OEw%XLwvmU8P3f{!K8dZ-^^mCj z;Y|J{j$?jvzbvUzo%yN1LM1!U%KqWz6qN=UKdSL<;9x&@zzWcK)2X$H3j{r-`Fz=w zEprExUZZr7fsNc(5qUy)IYz$x&kLZGDO3yt(XKQk;CJ|$8k)YG?#8TLq4E3H){hu1$))u{GNoOhJD0rguG7w8C)hbF6dy zm)-Fckk>{(=H;&+Vsge61}(hOQ3L_NwPb{4n=7~Jfo0ic#-OClnl=PaVsUoG$3XRG^$yk)z(~FT|f*!WSi->zQ?o`HfJM z=$&iX-VAePYoLJhmhnV^;-9|$euA#cXuhS+gTFPWzv;7zJm>4IL;ap^WnlLfnw&N7 z516~s#RhlqO#*FC?g;DdZnv|hqL&jWr!zfPDqP`m|3;`Mowx66>!`9u+*)aX+&?T}`l@a0_1iwc%J4)mfExk#M*AlPMWSkdiDqdDF&SERqUwhw8;{)A z7#P}^ABjJmAq~*82kVG%+K&DV5R8rGio{{ep-42gJfGlP<1!yiRtTe&t&RaUVClII z26cTc*DNaK)rjb`#>pQ}rwv)e#Hi`w`COQ)=K-EYx@b`}q_M+v8|9HxJ5_H(F{EEV<=TiC7A|(Pk-cO}|F0iQcRP{iV2C=?dDD z!OSv0X*C~8E#6_+W)pQ5iak$1A47r!gP&H`A@vg9>TEv@jldovMwL~A@=ykaJumvB zpl3Bua?6M89*K9beqm?H`_zyJl9Ti6o!r_>3CrX#Y1u^Q==K zMe9xN5Fy@K({OlmNc`-;$@|84>*oD8(OwJcpPFA)=PEm%bh`?M&gC2yJN*2%Fr=n` z35<+jli$x%wMLx*homSr*izu!Eui(b8g&la#2`CFot$yu0lffhb1>4lG9 z>tBid?w42ns5CxdBIK+8$nizP#6Y@+7JG+Ovyy%?*StbHXqIzoWpg`eC^I2#AE;u{ zR!%VtD*d?s2|cYO7R)XWtvBbHY#NNcr?Sv#a5D<#BtdpwhCiRp-F8k+&Lp)b936S~ znM*fGm)-f+&>y8vVg_o}*5Wx}7qAq-twEwbVanYSk%!Dh2m^7?ZB@laB{8Zrq2=NX_Nl+Rvcc4arBA)@-dxlRJp@&$=yHf+rRgq|#1ddc1H6V(ns)!KV>NoWtK>5cBnOb^_ z2x@@>UCAMRqvZWE&lgpk%{@(0?1_93rG<%*EE0*|6GaA)G&kw-O>^eP{v_^qT=8{1=XDH&XIjC2FCYgCU;%6Ti|&2VV>>J<>q7fi!da9JK?S* z(7HL=U7X9ll*pzOR3O!jJK$o1b-aWjSJ%Vs)P$>_B3PwO3G(wWM&i=wW@pguW5HVi z`SM96vK+ZB`YYYCwS_p!C(wdCJxns&kl)`IjZ(gWdwv*AXllU{LsMBhR}dQv4|vMj z_;j^q))k_}%BZ*anP}`H(1abt6e<>ldm~(xf7zg2iz8$^}nAJmO@Gw41|LBy= 
z@a@$LYQORXpN|>{OrhhPASm0o|3Ex`%8bdoH~?8gVBUrU7O(2}HY2;gIa2LK_}N{r zrSAnj&8WZ0+APs?_?1a#3Iu(7UgnmHILG;Ud?V*ABo`8l40T#XdNgWa{{Cv(BVJvX zsr3b{p;bmWZ3<|1P8}ljv41={8|S7eSn|$q5wlT}S#a!|nDM0)BB6cuYcXIPR`(Yr z1Fx;AY&923V}-Z%5C9C+-bqeAL>nO4-S4gtJvNWvAaq=#MLBralcS&GI> z^6+Z0Wof28YCcd*d+2_)4F?gE;)hnlK?vukKhV@0)8*7Mp?=Z?AhMoHrVgR%j9MqQ z5Tss~CE;*NB~<3v#ZAx7&u7y4z&veEWS0zWzPDGT7+sNq>jiV#su&Y5Q@`hc7 z;UFJ3Kw+0VO>Fqv(l68N!QPjK&x$p;L{Kh62R9M5xTy=1*&m_@{YGsc?zf(n$T}!p z&R=wb4-Pzma(=d%HaI?WY|JpMD-}Orx1Is-xBDcExZ1?jHiB?NoM`2@cG3fdbSSha z>M6FfYFSYiG=SY(Cd-04Tk793i&8CdFh#>m_xJ-Ti1A+2DX3^-tYN8pKSYS-06c7J z$JF_nq+G8-ix|P7;hi0&^+3j85%W2dcCnh&CYE`H>6VZ=PU1T=M=pc{$MtE5cdSQ5 zN>&OnF^RCJhAnS*`oK(~5}3^NXshSKMJRT=MdB18%#5Pa^ZJOt&MBW+)=HZk0pLrA zsSHlv7*-TsXgScWGgI#*rQ{Xtil7(yAXT!u71?&jeJ;`FB$(jKY+bA+7dc9S9%J;! zBcj}Hu{qmm^N*DqpIy(x)x7;WfaeT&FuswR(uZY zX7s^u_%u*ygSLq60wpP3PeD0AHHuw!hiB%qAC7{$dat3B-9I?zPpq7-pZ11fB41qh zg*7Y%j(w8w&mtE|5h9Fjd*I|fTnINjoLk*@Tk6^?*L!@)Q&Xu;IPn_+Cj^uNRB~FfXzm;pgN9 zcksS8>U;fzDR1o02aQQ@9~UiMXZ*O{b!AXoZF>1=FtI*f!pfJnRGV?VUUVy6+_wP@>@emQFSw>`rhLxq`Y9fC0zf$m z8X8IQ0{~8+{=yI~vP}a3w_%eWX>LbUuhXk0;0OALBHO6>6qK$z(D0qHW}dq*M^Pz8 zK8S5fp=bGWW)e0-WWo;Kw@$R`*M*tg>Dop;?NvXysE0rYko} z;an%>Y++FZr!B4fw|9WORm3ujgMc_bs4c ztF(coB&B6cPl8bxNQp`)nvG^En5gy#sb0jH!CN}pa5z`S7m8IXE+C5o(3ypq~DesU)&y-~8 z91bNP=$*&eC&Y?cY#JIG2LCqq(;PsZR+BqsriOT39sG`hCNgU)*><%8s06pI1z>I* zeox*HX9Mg&Ga_BUnUj6*g(ZmS&Ee~i&p#bDEbD`h@Mxe*kNwm)CRa8I=6hD&t)8tN z$Fq=mX|N^c3S5Q!+qVRwUc7g%yMdw2ZX?07es9R2wIOJy=dZ{=O*G7(tO7jr?!f~G z<+Y@m71Pq~2KHo;#s?|ajE^seO@_d79;<5Si$&n@`-eA9Rd5x^5dEJ(GDNV_5Ar(< zBd~37roxc3qe}z=_9U&yIkUQ1x9PwhJ#^XjH=k@lUUa=V)wobvz3eHm$EJ1%<~g>@ zOVn@n+Q?-uL{m4fr|+J<^&~J*Gx3FiSxyu%1kN+-rM z6@REYWe@Px3vhtg(fg#;*msgW@lR%cC=TMJ=B_`D@jWJG%45J87qh;%5<4; zDD{*^Cn=(8MwrU`fpc**tNIan+Ga5V51r_fF20t{QdFBvYzc!+mQqIgFgYBA4H@!c zJl%*_K3Q-c+1%msTkS?H(}BSK`ied<=HXPuuwwP!s%@34$MNVWqs)?9P>PXy^5{yv zre0=6sU`aj&*hI5gs;1-3^pnS?{a3PYs=6=TP8MR^)F?;Dy{GzyqOh^Nx!&R)y3Aa z;tH}Sk%rjDE!RAE46n;6?Jh4YK2Xke9iZ7Yl@GHHGh2kYpv9eK#{+UB0%S0<57$Ql 
zr5hYs;-r}$8ykD}`mJAPR#p~gd0$^&DTx;>EbJfZA3Rv{v6$p(KbSO8X=`XG%@+rI zWc)Dg?_LC-Sli_9!Lhn|VQ@z!{?wGy20Y(<-xv^qDnxQ2gzNLCQg<6r%Xe1G7iE&F+)<4vBv0=6?UUn{1v7(0)#+v+=gCKgA+z~Hd z;ysrL^=Ofl|5%S)&Zoa;qh21H#imj&(mOm2!wuz$ee_J&j`9Cvg!aHAM}6P!a}UD9`}#tUWLPe6G|O~U%XWONOMEkBvOwyI4ldgOGa3b? z(NJVYK(j~82DEzdA~xG*ET|KGg<{`ea+8q3VQ)_q!h%ww>dYILOAABA(2khY)BB~@ z-!8AGSMm)-EHuKOW{J6&^doB4=F6pN@;}Bc$IW*0$G<3}lM}CzSVXX5u(~Kq;A_?K z7{eX>V8_!p3zj8x+&`6`$7ss>M_tCU-U?sA~MU86_ng7`s5T2sqU^YD-F~zsYO-$ROSkAnD%Gw}MF5jl77OzbDVQHrd**&B<|K^MiI$e)@bP)nz)5@_ zmS>y<4cJ~ZqQ-|*-E}-aV$dt4tJK3ttGgX9MU%dB{j@dS;(g2cLh`jt0cy?6+my;> zZ6bLMXz1O6h-lSq!yAAs>yc97R8h(R6eV2cveGE4uB%^*LJ&rzq7dElX%Lvl!azRO zsfWkgFe1m7h`S{3eJZ9-^N|1Yb@Ix7e%H79rN+{9JkzASMXdwOjMlOGdL=3Qe12)5 z4b!)iJfRz9j;4gm8lq_UaXyG<{HS_{>! z3OWTDiAWgyFMlaqH~QmHtx{l84L?ddHECbgjEI!_C;c3hWzi1gOb8b%GdNd!Qod?XujI}Ym77MsvY33M&sw@)b({S07ARuK7gNS- z@FEO)`jK^^(G8lHewr6WBqae!BHJMOdt!BiF}Tmng-RJ}U4%=Kjds84Phpq0=g`d= ziVRv@+oQSf-!o^Fb71wA+aIz53b*F9j-Q{OmvYl8zuhlSMoz5HN|_pX-Fl69&IW$d z*uUYD*1m&41RLM(7V5CdwF+I`nbphb0^f5AL1NedS6oVRO0iTUMKDNxZ^BR$%cE;9_ua*>#U|YDPLM~sQOJa+>}Y=!+>H{nl~D3EbTT^_AzLw&8xJ> zpyu<4mfqE=3uBId%S%tMf_i)D(UmqV|NE*co_F(@zh5_(P=zkwp_bq#nEiuRm{WFR znperL-1F{qCNzRNOZa3YAO{4xQ%3tN9zXJ5l&qcM%z~;5eYw{&Z(u_fA`> z=5S+!2zl)FibFKAyb@*N{N{MIjF+JuTG#gg=B4A5I7(5<=})}t8bEU@smiaRVZkto zIjeBYYW0}hA51IPIl_J|DrV;v{W5#=;Ep2#)=dd!->Mtg$d0R<(u9zXrAGJ2j)kM< zeYONm{|~u+06PCJUUP!KmBRH|!vLL_cksgfBnY37u=r;Kz(DqNrh5`R76x=97*;C& zTM;U1Iw6m)e9A19A_9vMw)CtzwX~%8;HD1&NImfW&6{7CdbGg0y}gJE*_ZCt_O+E> z=Tn0*npjr!6)&QBp&!tuQICwdzdo)EWN3YM;6gB;GYP&(vu{`Z`R-Fc$c4o1I3g?z zMl@-VdLU%D_1IDI6`v>tOuglVG@=_pCnZTWP_%?+t4xCA=6fg<0jR;n9tj%oyt~{_ zx+U6Q1%H0Z8Z*_scV9L$r+{N`7&J5TAg#TeD*LD|72VVxe0l0)S2=LcTkhH7dZ-3l zq}1>`v9~o{c^~2rgcW135ryRbb4m$YS#8{b7lyE{TU53p9`}<8tuY8O9eV*yBE}C^{W=f`mMe(L>nS%INL=xWO8J7EAN;Yv zH;*SK@;hPNCY#>t>DOdJI^~Be&$p6sAKeKyR`F`1F0c}A4qlrvb zyF-}f^vZPJPMJy2XL(~qd`zzR{?QkC$|gyiDpR>J6OfNRb$@Fl4Z?6cu1R_W>it(Q){-_8{aMRy64Y8Ze=n~AZm!*~MYA1J(*UQX} 
z`HC@^!$*rP>xEgqY9GA`5Y1f4miR0))^$M=WkXDS&RYt&5HnYDIPTm$UJF_%rocbw=)T*T(3Vb&%X9F$W{&o# zEO9*+@LRMNG?YL_CCbie5`muKh&terIq#h$t?1XJoGu`pFddWl_T5fXRmYsM-xMiZ z9|LVQUaT*SZpNkx1kUo`c6d287H4JtP2FP3h`?;0YZ<6Z;K$a8~_N;|_J zwt^lA-U9|kmCG#`RH&e`wdDt#6N3MAzb}(5;|kFnwUuo$*#xtc&8IWUitBHZv%blM zZ7ici>hC~FcJvW?B}R6Ko|MR0scZDTdv@rbM<(?ZvOmrH#&1`%0p;rCk5(fl2wz|x zb^dcNx!w8jQ_&BNB(`GLzi$p0(guH zm+OBX)uJ z7-+js=;~r23cb|cSVFmmW>A1m15t&(TjH3$r{1mbdW;k>WG)?OU#L8vR<-k=&OD%G zm=;K7vPlX-JiaR{xl+F9Kzs!M8tflnBW$j_u`2<^PNTow_=K%TCxA$BCHayHZeCTeyn;V}H5DtshXDm>D~#8gJW<8-!<=LDsQyPEonI zKr+|ns2TY(h=mDL%@1#d*78jd6^Itjsk(H&+@y|eYICdz=X6#>kfhsoQ zF?sv7hk(NZFh&qyRphAs{mzsS517E&5V<=OX02tXZgO-Sul1A7XIz^5#a|Q(Hcs4p z;wz>VOTf0E<0Z3H6YI>QY~!g*l*1-N#dcLPhlvVTohb}U`o%@CjZ7*6@BQC1+?DO^ zK<+DJOW`w2H(i_HPs@!KMJ?9&ff8`zkp79K_79K%Au zg4r;qAtCn!RAOdOS_hYcm0Kg=%XpKd!Sn?iF&zbBM-~1>9fx5Oh!fzz*u(IDXV_XO z{(>PL@dVpP00V~01Fl>&;K*6A0M-N%Oe$QM*Y2$aJX}i%aw}xAkmsp=4s8y%8CO*O zslxp79K9k@m?QVoOeDw=KhpSipeo?9K+J6c^wP!>;NftP3PHYnqlOnxQGv9HCh#eA zRZOdX1A~L}KTp`KSv5y>Cwfu0hUkn%TxM{EA%iNNqH2->=?tB(5eF40i0L*Z>lR2~ z%qD3qDb$~Fli`4;0bjLM6>q4ax1`cff8y+#PmNij5d8qzRO9NYd-uynBz`~ zG&0%WM*qCvx!czdhi|lj>|6aV7h;#=&qc|*sw))e6Y!m~+NCH>0V8RbF83yM#7N3P zwrJquxB9z(l$T=XdDF^)e*#DLPSg2|2@u^jJn~SGXtbD3jI`>T0yt@jgC=HV6m)Fy zvyXs4tuIkFW!3YYR{mu4Jq9B@pP$F$&3f$4QrkP%qlMxpQcTPMz@Lzr(v!#TQU(8cpIsXaECG=zJxwR9IGBD@iK9%7YJJ+-aSG=UA%Ky9o;uO3| zpn(ZPzeksgy(zSzG`_xi+xaTjLtP;N{t*a%0Su07D3itNuZ}yOMd*~$!?0-OR{nm@ z>ZvmMr4iZc=y%$Ke}cE(aBkibTDxHh+NbBsRgv9Q6z9!ApZef;IWtNZ!7A~_EPMFJ*{&jL90$A9bVN=4X2v}R6K*eMZSO7f% zZYT`E@=WG^B7U(y!#@A}!-o%hz86D$%d^^yFuHz#GbHKu%c&B*-QQ|Na^IV5&%1v5 z*j8o0$$|qgM@?l~A0MA%jULwJ&nFfyrWp}YQDvO4A!V1E8CFo*tFXWI5e7$YMJ>53CgNER;Kl|v*EuJ#(6;_5RM3tE zr7-9fhIAwztHa?OkI>busrz~~-)OC+`jjjfOcfXy`0d*_e<~@v44*CwZYJw=fY}Qk z_s3Bui}*BqMp!UEJa~F|6pMZwxCOKxK&4=sH*j#^Xa|(jgXIo#uFu232Mg=#>#AkR zKFqhKrlwQziU21X!gs6q@DlO?_3e?Y%GOFCbJTg^p5%O1L+~eGC5_&V$&hC&q;T%N zZ?K%8Gh;O-=)QDUDP&;tBGe&(*B?9Po1h0{zNCec{q-PD9zZ6%`{iOmvIxF65 
z?d%kr;*+*YZv@>^cWGo{t1+0f`4pFoPk~^E8=xeP~1pKpsX+fbTe27 zjzv_*n?}9f<|85`>W@~DinuWEDm!2=@WJ5$IfvSx>KbyE{v7$P@fi@C^UQ6(`1 zZzZHm$=z3A>k>_GPFDAPCGTJ0@X2P95%>jxewPcQ{ZgR=kwCNo4CNK@s}p^(qE9+f zULR)wpw9J9%ArCv7wPW$*zdgz(9PtbPGHhhivv#&`C=E?1J(uO`rn1=zkmO>8Uy-@ z?S32j?ZDX~B*CH_8y+rhVIeKTFL6+7IWZZ?=3BKJGNii`yO|XD|FQMfaZz<`)Ud=L zAxI-2sdR&Yl+vMe4vm9!cQ*=1NjFG$4Bh3>B_fTagwl=Vx4G}ltuGhEJ^K4m3UdNrTsg+fbK%6OyEN`!Iu0XDPUg z!KvZ3<94?DBC|Fqc;U4~3bPpXTi?pKU1bLL+!fQ>XFGU^Gi@q9!V+a zJ`E~3#Otoh-aKP2>$aCC+FU`)n(8k^fu?kZ=%v>_JP2Xp)ZSzKYV+8=IhVhAa{5{S z{wS{1F~YR`KocbQZ=;2eLaRG{fY$C0p|per!?)kgn1LNvdo7^deK+2DWBqJcRL52? z?oO=$iL^{rf%k4joM&z;kxe(zf?>JC>wGT~heEJu%W`uxqYE+-43&-wC*i2bG^)3p ze8cv6!;Na!(>mPOP=*}*p!_SxeUb7pv zmtDh4wJJ3Y<^V;;yl+`!I>Kqx`2dnx%LwQ(Lhy00m3?l*ysp%st@+a}zNbtyWx4+( zP+&W(qTb6yOc;Q+Yag5Jg{+jB2giC-uw{LpltnFl)d*Ngii$W$6k1?-N&prD4A+Ib z-I^Vjh*^3+G0vil4QS4O{gwq*Bt_~g9s14{2zqM44YCq-<_{BiNg7(riI1iHJ1Re& zJr!{fYtziuV?;)A%);qkv>NtY2s@BXmfx^01dae-V1E~Ok)1d62wU4u7d~9+k-YTkCm=F6T<<&7OU5!CS7La*f0GiVf+YuoTk0i%V89~c&VWW zyVk+O5+OL*K+;#@F}G^H&3j=tw~|a7-mW8UX`x^w9n|J^UgCG`@QTFLp^H1W?xe^d zE8CxQSa5Z9mGES)?4kBC0zdY*OSyJU!C?7lx34`C*>vnTo}p8^h{5XUvPzX)Y0EYY zr;%nD9@vA5?je+*UA^2}92HS&J~!@BgQ`alab%3TBFt9S6Ywz7xc0TuUy*-sGawHw z?DH)%@Vd^%*_vy|qaBqpzWyQgrw%@LCcSp4;WTZ}J_hr{$FK47-<~S*$KVi7E+u1- zzd?JKEyZPd(bgpRx`6=$fed(>i8Ca&HqN|Ae)H(ah?=6ir82_vX~zBS@&76fZgA7) z;mkXmq!SbGxX6xMAB_En6-i)JnW1ajJ)Q8)8ULMqcs5`vH4tWgkIw{BI2_Bc7y&}v zW>wl5ZDZiFy5)}W{qyR&(!nLKfb`&G#$#)tp2qXsJYa>x7nRD6<437JlCktjFIB1A zYT;4?%}*nBT-{=Cxr>V}jd(sfUW(#kG}I*Yz#dr7WFsme#*x;hjA7HqQg|41&i4Lh zuBrU+q}87rtQako3i&EQc0P7IEf|4HvGc=*!T7&TvrwwZ<_s%;Dn?M@fhw_d6j zLoo&Qd-vqLBm2-Gm)Y-&e42#p&f!%gFp(|-D^8?w4AhC8%*l)QSiRn9X!Jx?Vr4y; zt#@XE$xX|qAHo|glO}0}2WfG)gZK5NBME3}mx)L=gQxN^(vZUpd}Ud*h%UE}9?h42 zzLzJrIY~u1fjyrbb|h~1GF{bpUlAOZwxsmvEzux(f`HOdmMhK=VY2@`)R_?`C z&3dxn3Rf^1i3YBh*6t_t=*9>LkF?QcNJmjU&eJeu+?Ksc6lR^y4!?`vSu^$9je>h8 zvqQ;zn+(ILN6&q4jmhixUm?9Vw1YGY*DFRIJvrI2j^`i`JSM3$n(1W6jOe&=hzrz4 
z-YLz!EIzLRg#JpcR+4E7M-s4L!0$mh{GP|5L0&8IoIam9yz|FlG!ti*uun0vS~p)n z66fVy_)QEi{#CbC7E=+u-tjf2i3FF)b#7zg=fL6`-_FSy)F%q2kc%L++OfI~;cs%t`3#Ds4OV4~{?Aj+=F!diLh@>7~=*R?W?eTlt zKlXq7@d)|Jc7-KyoPv?ZO97g(Gy2!;Q}SHh`e7fAaE4VhHkeG+pcY6 zwB@#@*ST)d8-JF9$Ab~--gV9*uTuW9W>VdSUGl%X*a|y->9{Jqn8}G-%C{pmVrimL z>+<75$-%8g$34%E9N>l$9G|k9qxJTehfXJZi+YoHqv=$WRveMu%V?o(i;4#`LA&2_ z)d(PPR#dI-i*BjX!#zYFd{gwL@3jxhqL*=1;B*qbPxgazQ{1=inMZ$&XD-ggyy5RD z7PEv=xB01*PeXz0RTsEn{@4Y!#`eG6$CbWX`N5vATO$kR_{bn|@#?4uE<| z&;9NDw&}Ifi4;E^`>yM68>2UybOGtR3RUuefF`VT5DBBhEc7(#_C+H}S$G7)m{)qd_t7V0l+nmi3`Q2;{?pB>>_#e;O@_c}H!w_>kf1+N0 zJpU7qMPj5NKYY^R*iIfBw?c=z?cQ})J`Stv)~y`d@FNOsQ?#YG-*`3b!6Z-8o$y(J zY4}|qQNq6w>13vljB95?qphg2ZnlaL($IZ+573P!Ms9==x1gYB zcVP-v%VO$bMm6dI+_xbr@^C%Y<&T~;%U{Td%o*x0obv6pzgi?Y4nZaEWrn&ywaLib z^?CnrX@pGUYf8;H^D)x1I&G|7)P^9a4mSEvK28S2o`^eHN9A0YfLaK%P*-wTR%wqO ze-N}@#tLN@zg7YlcBfZ^)u*K2X=Qv_x}CF>NQ|ZP*im=q0~F}N=4j!1<&*jCls;)D zW8$K(j?U4LeRwG`;2=(7PGVIvZgP}UQtGQCV8AuvY;@!osjzdvz(B`D_cu6SiWa)B zuZT|D`tUmt6^3NC8D>J5@I|ZCQ$YTykf;KGT86)}?6>6eznIRp)3_o+{3B>^mg)Vj z=_MOwK7U&ZvbB_?jc2TRMMqz`FW;D#85YJKmF_LL;j^XwQ2&xl1e>M2sn-*ptTHgM z{^{}P+~tPq^2E{u1wrEVYLUD(_-Q4prSobsEPA=0)K~Qcxz*5xXO&~EQT!_ z+~PMHQL$;qY9-y8rCv@o{V%$vZL2O-A^UqkT9MxeutJp!0OW$~<562l~` z8k81+Qj_6V7IcQ746V*kQ^p-Ot7EMf>-lT6N4`ECt~aif{Og&kH0N)&a)bOw=#h6j z0%6U(EJgCDCq+kxUb|%LKVVh6Em5Tjcc?I8X(`fya-F8yLHSN8wTJ@SMPF16mW09K zamyE}aF45Z2_|2>XO$D!RxYb;Ho58=nXOjDt2PuYji%exFl}cIyXkX_Blk*xOu-&b z{H%y*=mV42gBqL&uZrkT-;cbzS$KE}+3@|zG=_>;F~IavJ45egUh!P&;=v5o<*h7d zCGcRn2VFLe;ThB{i0@P_TXxSL6>NJ~YhvFn*dfaG%sI{u#IEL=h1qsitQf?8bfwP1fbJYPx+n@5L7i1P|=)!>1mWyQIcuProWqz;GzU z&54s8rCUCSUsS=F$OxkEPUBEJlm5PcgI3#2(14y_)u$VDxBfb;P(H;tFZ%S-nO=;7~T*jD| ze|}c$2h0SL;s-!Wd5@D;%0B{@%ZR?PHdP2vNZGV}x3_L*dYFhg{=O%t>p3rorBhSr zhZ0ey+R2`J#e;WLE_0?VW(JrWH5x3MYw14b(0BbbX`Wp@LfMoo6l(G!e(?vW!ubN2 zpZnsHA}+BSKzT!3-Qk`mO0qWNIS@b)rC`8=^^mu7q{4sbL_ef-e*iE%BFpc#n0Q_I z?)um=ZKlp@dbMuaK&{1#%k!-){k1QUq8kk|ckhE*kI%+S9mZzMk#$XEh>FE#A~$~P 
zP*I`whsU~U*JXx4PRRFqGwFx^1I%9!5zUsF)2)MP(}2CTF&rJsK(0#_30~_{THpJH z{L1RTinR099U`n(+IGr+jrNNxw8C3<0%oFI+B!!b=TvCFt2d3F`6#1(IJx1h7g0CY zw#)hq{x*?SMKeH#(&PDY2yFmJK$cjBYw19q=$pKI;Q}<_xgsZ07?~(2soIrClLAkw9CP z#^MDV$edO!4-JKjm)6mKlL=Dosg>n{a{b+WVLv`S!pCRyJQ0^X&b+6=k31$mkpf0A zQTEbdAc7FZ5dt3*K7K^$bD~lUB1F02M-)SeY+peVl_)fsi6gJyOo#3?rHGGC{$ZJJIa#clD(7aJ-Dlv!=b-eeI7*5CN!9t5 z3Zz@O&*;Uf4lJi67aBwRr*2|%>=}&!DYoU*@F`!V2kCRL)XlUGQwdB%0BK(5r>r-i zi0i=K%nkCh2=4MY?+RdB}&E7O>du8IlgSGa)xvZ2BG32to zB(M>4Y$g(G2U4?%oHs>ia=$y3?w-IIy1h~Q=cv!*BOsN&Ngo@3`SF*xjXry8ll5mg z()RQe{itOiO&c*r7WT8vi@!ITDjGz1D+eoI%@-QEnq7B4fj-OyMK7UIQN7>u-#UO4 zzI^EV6$;uT(W|rFE@yS12I)>R^u^F2tcXS!JcdWKR+uOex6--TJ;v?dUGdk6Ga zU-P10seZY-oKVX3E>?9n-+?+?k0Y1XTX#h`tO37`MYAla8qZTs*M8ix`F4t6Gxjn; zk26-^yRB!1K_F%jEgSM7l?^#60345kC3CLkp<$=l zxVsyh#a|kMJj}V=-#vnJa%W0o|Gq7%XviScMN5hGS$<3R$c0TbMhJUy%p|s`uGsE( zLE#zkXzrfcoqw_Nf}!GD9Zj4mpS9KIa-`?5f~Ii)M`6ZC1yfz{;FNWQxFTmR@<+zQ-`|J(7z^c|}or7x}4yO8AK#AUJj&`dQBfkFx1@_g&!- zFja~hy0zbTbx>jaTFF`xO~*x}KQ+e(!`SsflROsYM}XV->j9(Ssze9x;xi4)^69=4 zEvE8{kQpZunED`#ZtWR}yWDqo?G7&_D85x&C~$fXMG{{?W5}sF=}7K4&C0usfHf&; zaZCxEfi`yehr@{z-gU}UiXA?{u6S-b13X*5yjQ`Nb~_HJwM)OpcIe{Q0x8?{pPvW!v{06bFOK7t|;4e29N>1HDpa`uv}Tz1G0M8KN}) zwR3E8PEadqo%)jr|7xr&DEa1eI<(o7NC`+!WxP%Y(cm|R-gv`ZZ*-Bc*d9g$g2^CD zh@@jQqtqam;@#zD*0bvc0pXc)a_Lt`p%Z-yU`v?#9XGm&*7PPJI)&_oxzRoozliPG z&g>HrPv^`(_Jwgk=S{^1bY-}(rY0n(T1Q>r>{}NGf-dPjan73Hs3Dz*NJ?(k2M zulw;$KC|agcO-UW8ymkaIu_H%m`YaB7Oy|WY^F<@Hz?jdt%nQWGA}yLMp5KH!FIdN z_^PXZrHi3T=3q!lDk~EbpnaxRS;s7TqWnm!)f5p?6q>AphsQ}9h=+?3N*hZ=xA~NB z^!koz#|6rNl9%Z`XhxNk@dvZ8#BA~JrTS#t+H20M@7#Fq9)VAub$pd>H#&1(|NU-3 z+-hWw4Gngsw}^B{&O^$UI@RN%m9c-Z)*UE4!H$?q!HC%iqjPV+RN&jF9ON2dsQND6 z8P~kQI?_`~?iiD?CZ?K$)i*8Q`Bf`kG%WY=;o$b!AGT33R+jZBc(J5mQh~vK92m$Po?H?#k2RizfbA~>}Q0~;la2)y&wKs814P_jv8qwCVF9LFB+Cn6=U(Uz{u z1lGeJvdCw?B5_-Cgji};`d?9c^*zUW?$L|7`<&#mJ{>$smbnvt@Toq)*DUYL8&VQ_-xL#8G~t>Y^%AUe zH;#8ku4CDL`=oC?_n3~_i?L2VbzJh9@mhZHCXq1!pNZ+o`O@8n z2TUIW1I>KQ`sbXaVoFHn%woe&)1$;UZ@<=O2px_RC@l|B`F8gAQT3sG4FM*mN!V0T 
zXABv^b>w_sbT>y|t~9Pi1R>+o>i>n)eT-&TEho`qp4)7-t8n*3h6$ruh2wUIR!?Us}qxiiE2Kr^-%+@IaALiw3 z6*7N&o*GtP0d4CN-5KO1SBOujXl`V z?xDDw!EL>s+PrZ3sVVHcM6HH%?Dul}p}gm@pYvN(iRC&BPFc#LMM5#(@kdxMo!cy{$wK(%+i`nV+#~Co6=ENgt ze>tbx316*1?XYo9i)%xLXJ@pn1VhgvT2MJ(s@>UbKea(78cL8*h2_kuERQLqeXFw7 zfBMpy(asHd?!m?6=8T}r5kkAhmVz0SXjkXIO+#l9X*ji#vy|l~!lBb) z63$fP(B^4MQ#2um%M$A1IhxXj;$ex^AiH7^7(CKVooIRoissY!Zb1eUAnqjXr=45n zr*45v4PKzqGZ1`~6y4a@W821tvj+JOZU1cyC%5m@IeG{)yglMvysNwTiUdPPazx^OFv_9=_;z3Yvm}8(3BH=*td$ni z&0%57QDis7ZxZBtCbcqy&dq%7q9V!-3rm>HzPA{z40&|G7M|U4sc7k7P2JWJ8H1Wo zQR{62GBUq%2z=gcM=CmeKBZ_!pWj7hV(s>C6;`47zaw&m~Nbl@+mO z^{r-y>mfOj8#nVe%T^E*pulasRYGWXRJl&)>aoFG{^LrgM4XDgo%vOpkWP)45D4oGGd<=Zz z9W0~6K~O8VK$%`ep7EuSyZOf$FDyO^%zl6hjYK?Gveslj=&_S|kf6dVZ5$Wp|4Z_V z!>Od6hbMRaj_X>nw)RZZQcx@t`@%Q6o(KCgW7VH_Y{&Q(K2VQK+9gDx3N{LfSH)8E zLEl_zjy^7(HqxqRu$z7qW%0XYQu(IQlu`SrKj(#^+APBQc~jKlVQv-oB4f(O_K;7v z$QBL0zOKjd&4IB)UpHqU&u>!-BM1|mcglXM=UVIkR|`PH_=-x&jr6r|t3dIGIS#}2 zg)(!X>9qq#%V`oB24aE0OKHtkSO0y@>Wkv&xTg$$#S zxe-&Z@}u?dBep0@Y|hHfPTS&&9je{hX2te5hAF`2kz)TO`1 zy8-<{l3#QcyaE_SKE3Lr7`sS@#S`_dj<&3`c%ev!Kc%BJxv|J|J=FO`{QukkI^7tNt5^1=I2! 
zX@beoqIkGT73&;?)e5P>cZHntoc+CXB35q^%S}}o!xVU91VMQ>-(!hcsuo;wn@p%> zZxF_-TY-mh8)j+x=uiGu=yM@uL@9M%g;z&ED8r(E<8>%E&{&eobL-EL>5dF!3Vi!x z*Vd^(5~*!yL?JI~w0_01q)QsV?8R@mi394!@Tafy|>`+t9g?fGD$_GMo@6jp)G)XA` zP(fsb*O((Yr|&CHS#jmf?MI(EwX@W&pB5XmdBP{OadpciX$Gn`jObO#pJqKQ^A3#p zoNV5k(Qy@r3J-+(ZA4aJ#3F;8YJq`I_A3=h&&-Dz^J9cgP=iAQ`M!5j&{*R8XVcjB z)5t6oNKg_*5k9}eQH2j2F{&>PoQ2~6MXiqPk!|}Ay&@XCBK@HDF*lcekxx(|r zGj>W6A?Gb+f&seZqaW<--`kc0v4+)n*>_Ah1B9kHzh8l+p8VUdJuZ1vjl?@3en>uI zy&|DG1B`^sbcMdcE3{AOr69%MID7gr)h!h_Eb*>N`rT66HT-G(YVa@5%$7cw4n*>#@NE3G*;r5g$p z*?*N#e?a3>%0jvxWfhP|J%VxBt-p^J9sKt?G)kaxE z!FZz z69=fIl`xvze!3(L+)IYYWqtRWHiuKurHz_+VW8mQSn-$^;m8J2dStv>9}$tGnEGO% zHU>{KQEKSxTaLE(Q?EJk9Gj%O$zgvp2R^hftWCX%;A=1+@0QHKSO@A+4pjr4*{KSB ztcnI|;fF$p<})ty=h^bJj$Q16mP5w19g1z2MfwfC*#@e9f(&5Cx#Y2PR`^Vai$Ig> zXXMxjWcYcpMK5LZiM&_#1GMz#!eiHYU;Z-+WOJDcO}?(D{b0fqAL3?gGK~bG`>R85uEq!p{OOwA4Dd%gS8o&NEE7*@(+ zam#!6BXNB=Q)K?B=U1uD1&7{}r0Bm*yEzHyRb@fr>h&Qu>)Whx;eOgUZ50u;(N6`w z|M=PitK~k>86^nhx+&8;8Paz|AC0)qbQ%>f71MngM?EEQ3Z@lw(=^TUG6^{ls({H% z9a_i#7(9dXrwu*5;hqoL3r!#GNA!tv*f3xjOWsrqsfkvcVhgP+tOu4@&Z-p$poK1qeqz?2!Ch$76b>u= zsrk-K!95p~F=4yE^Ym6UL~*y%Zv&xXWll8;yb!4XXb{u`RwsmH7a=>(;JUOZ!kCd9 zG&fl{ZKk}~xLWiXoJX({z5CF4CIH2l{T}Rbj;Kp<5{2@HCNKaM&egN;XJI1FThvqK zHz-ZoAu$;V5cez??l8HINl!d-n4FwFUH%t?ppUW~`t${t#9A=-#GC(8i0G`rl8FInsjf zLHEzK75lMG)C0DQ9S{c`ucQX)AbFxMiEzQyzY5%`H&9_B$Pj}BrLwGcL9)k)O9!hz z_)OH0r<$VofZu(vxLNdn58*}oT^Js)SlDcUDI4&Og&I8ON8iNak6)NU3(3_Ta%wqe zF?O)i|LJ9RCR~nxCcq*0v~fXJ;7l^;komd7D#1m*x00#jU5tV{$C0w#g# ze;)3C-z$oPce0wm-cmZ1A+gYTedGPJfu4zG??#V!-aVrJ)5g!q>Bu^j{|pXa?PZBG z6K(?LOAPoC7zU3x$y5eDo@XfQstZL>J`v{qcf5k$nD5`47~f>d=jA6nGJLk0XDVi$ z{;0N@3F58NDHnR0uMbbvaz*xfww;%;+pwUVgDh-yQ(Wq3=|BH&iepaMKg=ypiI1Y&ROj@Ri6>`7mTHh$Dm#J&# z1Vcghg+eqBRjJ8{7%i!0Rxj7K_fU@zz)MDe$RZOeX6@kCY``IpB)(&}?fOM^of)4A z0R~)xwdzw6a!ipZ^;IYFG?gKZCipGurh1+SSPXl9{`S#B;OpZxP&EiSe}B&Z6LMk@n9frra+s14 z05^q_Vou-!LE0fMVs7I19GDfRru58O6%is{XUo7yX_+7zD1d(viIR`CoiB!i91X%C 
z`vITLTren)S}iH9sCF5la9aofTXHV2`?}bv852DKMsB=<&RhQ4HKr7kl)4a46U&JL z?Do4`FGCKe=N;5jcqs~WVA-qHR8Xac5r#hhcVQrx$edYj6TyW&eDuU$O-W>u&=ZJc za{x8{awFOJb6i{y(A^S&JN0Q9`g{Po<<-qBzg|+a^mj*~mhv&k3i0~O9SGYmKLF-^ z!g&P+t3Y|#3+jDfv|kD{TvG)^KHq^;RcZmNpPW36k$61FQu)N)RHxOQ>s~l4pCNe4 z7;2K|dVBr1z-D*8f!{-WU)wChgto4=0_3FVQ?CKATLX&aE)0fr|GVqW*MT$33MoZw za$pOVDE#;q>5k~X&yw><*sz-q<#_~sUTTxITEAIm;o1gGn z5&{#x5Ky3*4N5kF(z_^yC3rvs2ND0bsre~Ag(7`laB2194YZ4y0LN zqqYp3%{XH;qzy4@P=|of+!!b(>G9v*F+W>p-3GE_Ue0?1Pn1sLJOcm|p^f(M7DcOv zLA6#kP%GY%=?y7z!Vu`kg1Mcfq@*v8hk4*eU4h6nt~ZybXz>`ofjoD~|3qx}Mw?tL@>2r}wae!D23WKG?^FXu<8 zCq^iyzZ{>zQxsT_Z`}Yw`cn^?a{Od{b`l_jHZ>R<9OUj?014Mt*&Tr6B6z!W^rWp& zY|w|}UgLubS;w`*-HF0zYQ8E9LN%?vr--Ap)H-IK0_isyG00--)SrEf!mU15wh;6a zum~Y-sxsIYfDT0I zyZ18)J9-83#U8jYP=A9WtyFZb z`Ey_jNPO=4{>tU-=3640{r()0Jz^m~AtC5j-uwB}J`-t@&l!nPJIr-Q?bjD262oGw z439hBp#suSs7ktcx=kPta}B5T0tjH9cn z_2{tJ9+!f0iF&gk5fRlF_%Vn=4i4%AF}W@oM7H;sMbbBkN;gw-B*>tu>K$E(;qw;MQP)G^Qfr`d0WEN@T{*V-bS z)$XnyNbLNLrer0A*}dX`m{Dd0zjkXR3S-+-=ZfMcA`rpppa$S`saY)|tyBez?YE2#q(AZE_fRL~30iLrU2E`(A+g)L& z_~Y#k-&H8y%Gzh!(vd`!r#_g&APlSH-|HHc3jNvc%*5;^g&L$EGI-ShhA+C$8Y$;F zK%>8y!8`I#@0vM*-Yu79y>eQ?klXT^8@~#6eD_ur`Ez_|D99-G_k6_zRTd;ocAR47 zDb#%Ew3jNu0PJq})sEAtc4|YsKLC&pfv0D~m&59)6Nj3cGtz@^chx>8taTkJEPPnr zy5i&~X|#GHon7eu;VZ!vFjY!JL32m7VJ(ymnyIO5C*uHas8PlGLWw3x8U7ESFyfO> zIO%1CBY|trJlS&W)c>5(nHf9|V>tK-W#1y>n5R`TK$xv{l7d_};D_hq{xn^(|YRyL}fZ0ue`r?=0f1#6pNNU*Fd zVbTz8Zu=pBq--LV(0mqrmQd_fXH^wd>K6c!`AlozS}E0-2hZ4C2|szU!ii%>)H<_$ zG&NwZ!Z2>#v7QlC9P9t-H+$K_&K0q)aO`QaaTJ%#z>#x1mvQehz&qT9?+@>U2f}5V zj-HnR$E?*4BnF)RgKACa&8SO2fbs=UAzyxmC<~el5=M~okNVqn_}&cPY2zr}RDTC@ z{b3gXUU>Oz7tC|E!D3w7*5$&f^^(SQ6lBCNBl(B9O8NCX=max7nagB%zE76MB*X;` zjR`!o;&)J3x?*AGzXuoS4BGToB@f0UAJ+mEr-1(9A@7<=KFy4P_7U&-@g*` z0u$iydsw>>%}_7Z#yrzzRamL^!}S)gArg@r9Z{drK`kWafGc#=tzMHr>{GosFlXU9 zD}6_u*f*eA2F1HKN!F<~4*;nUa^)Lcni^2n8j5~a(zb&4gOt||k zynNBNMLV4KV&Lg8CrGv)_TEt~ZBvB#xb!}{u6Cr$d@6v?A)gZ1!Dl00S)o7fgg_tm zJe2xTqBHs9YUigLc|V2sn27uD+pCyV*xj#2qln1+xH7^ck2_CPmgs=!-+)W}62$E5 
zl8Y^7{LJ}H%5|!c`N^Gy{VpvQM`c>lB0~W@kPjAh!1bDkFm3&KK^jsMkTtbI&9k}n zhj0JvKJ7Krz7%97l)t<{EXSDPdh!nQFL}Q#>rHv^AYenY0lr2vPXX4e4__T^8We+~ z2R2+70CP61XkSAf^H&nMDv6w`8^0~mYpO=l5@+9jA^_Yz%XLEl-FSU{Jk~!vjQC6= zVQobm6|oXHGrQy)?q)X99qhF)QZldkyq+_(?Iw(&YUg~(;ay);<4(Gha<=tsE_MBw zO~XoOwnULZ6ZhHPQnbj`x$!Vt!}1=m42v+!t$1kiU9ZTH35iZEprL)F zm*MrMkza2I8-y5PyRh3E$5T_qzeHK1J=-~o!b;#PwgXDwqrtuo15_EByxZP_MQe2} zZtKw?%S!{QGCUe#@iJndez|$+9~;5Ul%b z`@%wppTTq2xf%FOyH(PF61vZy(`mT*A9eX;Zn`mo`TZ!NN9px8lY_rlVp2cZ2)R*0 z;N%T95(D^j2ea3I-Hoo@31-=J=Q?r?ZYap^C*V?3?slHP@%<8&q;tPS$p%BCAJV_M z9QpK=RXZvC=fi;Er;kF{0wwS=luQkG2H&Q>RMPvhdWnq+i4=4piH}A zR1&6S{rwkXs7RB{V`1mD$X=aq=V$Zx!U>dbiuCuLIPkZiInUqlf2&v+SjDC)F)WX1 zg<_z+!0hVGsJGkNyM>uV_q=(9!ip|blP%4Ef{bqUT2n5$?)k(0JLg)%=tjHnbMky&sxx9d$GPKMy=-BuphV8FoUaV(S!l5BRjFT~6-=l3aXSA`~ zAN^WB5|GsGOtzSfW!IY$BsJqz=vMOEpmcd#SC-*VwoXuGy8Sw4W@WSBi_^sOczHHK za5QI|#d@LLDOk9Bfwt6w@+$fX7cxi}o-{NTwXmn-lDh!3(FIsSYuv)PPqE0^D);zG zfhDI@{hr6rdOnL`{tVhoLozlp+FimXbLK^dn5so?qP3#+)Dp~H{ z%A`}SlkYNW_6&CdQ(<>zgf0|&Y^LI8Ek^#t+h+oQ`{i6~(|69EQy z(Qa|OYkrCHaQLGj{{Ly*sO~WXpF95Xax^Y9*Ocu?vD+inxA6z1DuK|B_Y+d8qL_pQ z{{KWcJE-Yz$HCc?pD~87=^n0az6a3>McVUhQwYh0p(n-@=*S=vJx4zubz1796CshF z3uCI}%)gcMA-YyJi)+#q7cqG#p&Xnm7epd>(pVi2#v+j2Pj${qZf5?Z#FsUReO?+?`XzgA5 zlAJD9|A~EX%tVuPt4m}5m7n>hy0dw#c}~NdE-in<^adcydlQCK@fpi^0@jSEOKD=9 zY=p!Hx%UTB^A!|E2r@v@wZO=`w10@v%DsE|4S&;S1l&(c_qSe2zu`9L5~~ zrc+yiV7x#Kzuh3y_`#VG{bz&j4=PD{Ii?;-a2mn{#fq#@&jf;7mrqF)3GT{B4HK)` zXqu}u5Fi=g55Wg)WlwsuNj{)y?hiS*C&DsTZw9}vna`rJ9CA4V6ls&x!|@Vm`y~cq z>1+(u)O#Z$9+hd=KT4Y_m$0=RH(pWt!0Oa@`<1@C$XPPr7vi~kh1%mfa$d3TOMtpD ze-?`U@e}hsz83~mVY?C~$0(!RJoe@2af=$$e*eLFvS@3e)4bS8@S zIsU;@Lms?y7bU6R_}P&aM+bq2Ykg@H50lZ=je8@w?kM?f(*vNCAe~lm@CB?0r2ZmL@&|?X6tGGf1BQ{nP_gyDRc&8pwrKkJJ)+w+KG88y)Ly z&ai#nsK==FsWa7I>2H11f3*Nvcf$~$ngy16*B;apyDaOoAQ#$0Wn@aI=z(s#w}9`} zE`JTl4&dZI004fnJAZ#lGn&B?sNjBYW@ZdLR4?wK9`M#G({GuwZkq&!?M_8vkz~A& z+;JsSk{G-xoQAoQh1@D;hvKhBUAMj=0RyRCKpKq~D3HIfTNJJ=4Te(64e>$4#+40} zwoHX)45n&;ADo&J@SDCrqT~QwpEC1Xqk}Q0_) 
zD|8(Z#-~)~(y}k`t7{>lDf!qcN}y`lXd`CC1-)_s)EyyVI>lEdrzu#ep62IP?=O#=9kC`Im}FG{L>@C-;B&-^m61TOqx z=*Rs!Q*W=n0=CokkH-$YualrpRaNzob2P9b*l#_?8GX6-h)3q0lm(7JX%pS%Da#nJ z)_TJZ-;GYRZocD>Ja{la-3F8dW-Saep4A*%F>Ad?HG)i#bhXZD*)k`#@P*X(3|0Jm zF{TVvItofVg9?rBaUDsQX9;tzpcELUIq(Zvk8 zUF-PHfLv(XMyl2DA>2Fi+Z+45eE$O=+EFJkp<6gQ+y?+71mxA<0kpR9z7jZt;%IAY z(^n6znPR|!Rh7gCOriq>fzp%Ebr*6zYfd~BX-BqDlOL0TZ#Onyr2)U%Zcw~n^~Dn? zO?o#DzzzgE0M?4lAY^#T|I>Lw1@~BYEKb(!}^AHltWBP7^#m{3Xq%O?$_=3K5jP=XYbUuS^S>?v

    tk)LVe;A643mF z1^xy!p*u?Vrg{+&pHv$uRh}H0d;0%w}uN ziBKiO!9b11I2LJL7!F2yIbx0wvxnW*^xbqKT356dV4Kv z6<5>F5Sp*st0raiq$!AuO++e$jmsw1Pl)n8kzJs7RBy;{ZzYDp?Mn>Y`<1a&f zwzXBVsRr4d3>a+aPy#-q!Qb7Yd~F;U|%K)P2g(TeA?)fX223Va4s zlVhd2HkOu**nvnN0LTyp1@v!(9_xL*4n+0=WzXUtIG3-#Ke(Qlwd>&e-kE=WYH>+; zZ&(kpzbY0+TGND^th!Hkbz)jFgG((w;2Grn3UTNJQdIKm7F%l zZT~EERaJQpe24}c#Qpmmw!dD0>T}QoOiuxyySn-WoJ3z=zedZt+3TEIDlW~d5EiB1 z9sCk-3AO1S@!t6IWghvK3Lg%Zf7B!3bCI}lzS8bsZ4{k|gHipnA#^&{*49G%A5bz- zxPkkIdYGJw%BU}a9eM;4!Tb-xF$ExE;B8c@uM1;WD7wAme&HugkIkjg@dI@V3oZE#}gK0&t@2 zebQ@<`)z@G?;aVn8Nvv`&4IlDxB>sW1Q{9z$PN$!UgxUpj}1lrr#x$w>QC34Pr?DauA=B35i&i74e{_^?5 z?xeM=$Ud}xK(DEoxRYsMjYrUwDSuT-N6xp5V=<%ffbk>S$KYg0_weu#fR<8!f$Cc* zE;rhqDrn_brkil&L^0QkglXyMc7~Y$VT{+w!b^zIt0nde}az-I2l2Q6*-t?@t#QViidXq^v_*VzBo(@ z>_CBw;aov=?OGRAtg_O6pR^65iO{^hT`a0;!b>Z0(HmoDt!i>vA%r6dW)U z9s>LE>-TTfVvTH#d0|ymXK-sk0Rj;iVu7KN(INzDDCCJgCwtkK#kP)6E8!9sE|s;Ub%J+mm0 zd&FFWV`GO9_9`nYi8w4@Ax##XoYmkwP*YboOZqjK{u~k!2o*?Q2BxHB51j81t^=%L zuqvc~&(#1+48Fs2@Khmv9{N^R=ipYnOT-c4+7t4tC@=3-i7KEE$6NDwng7O(Lu)k@#6@(QKS%zjEqHTX|EQ$qkG4Iu0MyqZ%95M=Ri&czGi56xDbNuk=*Uu zw?W_mA`?ntLi`@XKH=xjp*uXYscUp}bZiXx$FbJd*7kN0&&Xkt-gz{?I30oL*z(0b6&zK@Qc zN!>v~mLG#x{e#O zZ*Onr*r|;fz_-wXTwd;;|Lh8zI2fZm3mE-D6LeE}+4wEkYJuN5sokx9$g@@AQF(O@CpCWnx%)8Jy;$UD|}=BBKw`eQ1x^EdcP&epeji%U)$ znrsM6wsN9_dq z73>t9kcjRl0Wts#LLGb^004${M^{g8t$h6oVto5hwpNi^(S2HKFRd)xm%2mE;3KJnEfe(1T-HYN;s202VJikzIXSt; z@>SN=Tv@?$2S5^FiUsI?|Nec5z`E7e$#33VQRI3lKLU9XG90hj_bm9qk(QR9kQ87$ z2plkf)6=`H?vAVj*h22@@Xy8*sH2EmTe)x_uafr0Hl&bddv4(nrm zU%%=@H3Yf~B!Q5?Ky?tq^YiJ->)*X=P2#q%vYC?^-UpQtwub0W6>K)>!~htZb1l5H z-t+Wue{~oT+&Vl2K~ORwV1lG%P{r|C_ZCfW|Jzd(Zrf>kn+sUQAsd)IFeOtOjfRgJ)PV2 z&m(f*cKsW-Zk4K)Wkg(THy)9OcbVpIM6wZtmH;n*fKr0ae3~B(j=d4CjLA4+Vh1*tsQYaQkGLK__h5frP@K z5ac|x-kPp;>@-rut%Q69HPO~Y`7*$wSM>7$e*qTHJ!$2JX9{5J93l?rbRRImc??7T z8H~t@;$)5;Mmb! 
z@%rk`*-Gi+FZK!4u)BV;&TrI9Y9i>!btxi}7NQsu2Fpn67+q<8ce3zO_!xH=l@)$4 z>la3p9^Z`eduEWigxrCp>&`+nF?#AB#~xj_yPF@o78dc8M-{AZ{q#;ay{V(RdfPjm zs65owpNHr2DOq=6)PHFzCrMnbii(5v9|q9hWd^Vm!6JF9!GT}^_jA=*JVqZ-1`>W+ z)UhwA^vlGRG#Lttx0Y5nR(~CLQv`O)dD$-1b`fY5PY{_@XdyOgZKe*nweSmL1v!VD z=RB(c8Ha@2g^ruJI5lnUO;Ec98p^Ps?}dsgyRL2$aBxdYy7jGishFs!M-k#6e1m0D zgC~W$0OSiPDYmCiu|a|^c?Jm#tPkM9Rc3fViyH)M3Y0};JI?_dkt(o^DJlKN<=WcX zM9tTr@`H98Hh5WeZN7P@5+oNWTO1r58X6kb&JPqI9DV$lQChnF^QSx~J9H1n-^K)8 zEgr2tNB3(FHXdI4&(|Sv&3EsD#SXGaSeVQo#WJmzlWmrt{?c)&%eKm+CzoFYO=^iw7q99FIZf0uGS7dkQKGNySWrrsP*N<9 z8fBYYU{jPHt|mC|V~ZSB(}*|HV6IiFp`5=;8|?Ei4>fN?Rj8_Grhhx!;0Hq@{)_$_ zIs=^^Cp!HnN%nKG4X+2*Jz{RhRKO!47WDFvbq5zUNL}vS)3dWpv8`qa7|?5!b@xHn zCkK>$T?LV~Ae`-#l0N*pzeM;0I(Vx%RG3f!5v1P%-wD?B#(}iUf~nEkwY@zL#A6XE z6d{(d*cBEfg3;pp>`u;Eq{)x;&GgwmHZXLwF7MwLkkmrqXMf;*0k55;2WJJWG9E52 zRBg~4LLSz5!2@OZsA5T5T5WnWK~8olf(uI$hf=J29sOl(4D(|CCmdgzUY~P=4zMrYEKWG9f{uO>$-lfTU%5IH;&j zt{<#)xcAR{4<8>!)BLa?j17yYG3NRIDEkVqDz~lOrEUpD0YPbykdTy=RuEKDK0P30)}kyn)XH+CX-b=p)rc>qK!{%yMJa(5Q6O&p z;x=*KUK9nZ)m;s84hIQT`{^uxpUZaHr3oN7OW5tJblDVU6JQZq2&EqYD^h&|Y9AYkPNm zl$wS4$~O;~4~+NuNRwikU;ZWIYC-saXff5Knq1L7XgNXF2bJm>98W{Lx(aJL#RA<1@6NnvPkT>2WB(xdL#euA( z0Vt&-83^RqGl(*U(gvbcbU z_?Zb?)a8;QKD*4!{O>kbClgTd)C*l zU%_sKl7!$ZKtx*Q^^;MH(9X(CNYUMZ?+ZFT=`f_jq9XWlfY=mGAdEO7(SjZ^D?eK}mb zfR|0*yg>KIn~jYPxH`EYv3jOWfKW||;W9}Oa9o11^j0OFG)ZU!>}IvF%VPLU`Vnd4 zRgxq0APw(KI{S%i<@-_=n;(DiMZ&WFZiBba;G6wqlX+(SyUcm=+bGxcl-xU=TlcktN zcjKv{p&@KYW>tz=GhU@2(woz2W+^o7PKHYcLPob|>uK0DXqit24Z?xB%IaGJU`{?!M3|1w*IH9a zsR)4EH*YScbOXd%3M~_?qV0=O>^e2jR|C`q+#O&CqT6j;;N)>;(as-$JyQ@mhODgS z#>V;X$5gZHbpSyxL7xrYwCH9lIg~aSDq~|^&rkO;F)+3?)Ya7?+-w;>J$SbPV}Ty7 zJT2{Vj??!i{v^6ktJI14llg8SfBZZjTe_srZFh@GBE(}^&<^)$S`TRbjt>tVSAQEP zm6r0RbPqaKb(=!(v1-9b;*FmN8h>{7a6C}1!>nfJ28cLyD&T$D*)7#bxeSX6tqkf! 
zkZJqAgSiR5&$X##;KE92rctt`%BUnJ|kq)t;u^Gp&$%SO;xq2aRGE!Qcs>7 zbb6hk`um-r7X}Q6o{rAY#3U|E9qGCY62iEM2%zoJIGXi%H9*PGDNE)mZ|e=k@>qbT zp_NYrkVp7KG_VIhc&>64%!HWG7y~+xeo^G$w@);zI%s1179C(-q4GSK1T4Pt6rr03 zH4XY%%@Xq$E-w6ywlEK&VA_F8Xd%`FKL}vP_EW#Gl?-Zxw!fYODr3?A^&V*`xLPrB zDL(`3|KQy8g4MQB^V&^@@m$laZ(njbx{jfMf2}XUm>#kdSBjHJ3jZ1A`rwYf*-zUU zeOBkA_Z@G1AV}wDaOhUeNY!KT-|&%!f#LPSba2oum zFc7(lMv5gdva;Ush35?VmlHtAcvkPSv7N!w?+Kf};QjlbsD9d_C#P^K(edG7DU^ea z%?5lL(5q2>UY)2F6&BV?=?;99+|<+r!|KrR@c8VqpPQkMiyboEcJY&oe)=}uXiSOA zJSm&-0>4>t{I`G7m4>9u(@>wG>3TAn_d;A4e-j zy zelM3Oa=Mt2D6;YWlKa|854`E=-U#@k0BJ8OEabPF!K#(cAApjM9$f*c1DcCh)NvZ{ z0=OSQhG0>jNt3QF;=`WeeJ1D}Nkcw~bN?3GxYVJTWXI*ET+@o_9_Z^{4KkeX}nKC$S!njY?p>#l>S9z3g^)DX)6G ze7U%$dOW#vA}OIQ#0DBdp9n%NF82g|Gxxn;9&{~L=S4}I@Y4Y3S!**XRue1*6&9?t z0ENOd%os%Diw?cxCWSe2yc0Dz_zD;p&@y;_d?YIydN>XdgR!xsK0mq^GhxOwF*b%v zG6vH&uo%tF%~T#c-Qe=O`=J@i9t1_8vl5na#goEf(nzc1IbDXG3?ea2#=WP@VJj5b?NtJ6A~baH;V8Zi=&eGP zZPQ8IuH`t)Ke@Esh;&~aE=RoSPq>(O@1AJairN$B$PGaO zBzYdHmAb6--2Ihv#vS8)WUIX``D1+jnZRz{uH{`9;NbLQnqz%~^rY1a09%x;jF`4r~29 z{1DLi_V)JklX+3EKj=Xv9bnvF10D|M~0RtF^Vd>89qSXuWzd z4IQ<6NdKyVeN;kwU06Iv$Q0Lds&WqS%+@ute6@$6QfWuv9lV&6yr8eDT848s_+cJ2e;2Z|{$XMn|?s zgU%VW6csrEN`?Ins3Yeq34rkRTe?R@MnWHIC^hv8CT0Mz=j;VH68T=aH#(g~D}tBh zF_nj*=gU{G4q(RysF$0x9hBzzT2;n1(R!cWzrP{&1eivEz|b)8-98}Qp{#&eJ?;5j z0Pi|G&%tkQx}=2r=e+nesdA!Oefa~o20kV3Y*em+n62mpLwaCt;9yWz+=y3=m;3Ss ziCDq%>vg$B-Q14bg;{r~2_?!CJAbDTE34?^Nc>`nP~FRT`fD_ViYbVL+h|h37cXkf z9;?UEN!!H41ZGnBcn~)N?HX7vE?>Qc4k9HaJUBjvt}naKeA|j?4g|T`IXNZjtkiV$ z^mDHPy*6tA6UHA}iVT#d7sv2c-pE!O1Rv#w*_=i}^Y-J<8 z^pQgoW7S#@YQ*yHSxq+b3^$_nj>9}2n&C$N7kG!LKO|(dPbsWw9pc8QS@Pe@;me7ZW?^j!$Pgl&!RyEGaGq%F%Jm%Gz2- z!8Rv3^}(BeYXR782D}sIS618s^2-}Jqyab?#=`b8Oiaw}oB$wpK7=1Y2MQL%?2{i8bq|t&LvSJ&}}~)-`yRAS3!JAsyh>OZK3p7HC!v~Chx~!S?k2} z?AYee>(Z4OV>3n;i-Gmj)PwOZp7ed`C7GS2$d5M)eeuLlhSgNt^Ab^#WaB|K?GvC- zq6D3F-pGr)eZVhT8Bf%+GHtfI!0JbWqU=mXDFudAo%VSr3ORJ1p*wKm0P)5$!h7 zKfe^)lJ3V=WFQzG#x%pW%-xuB!XW3cT{yEyiG_POR!8l@Tqx**nH{%w#v(ohLqwl> ziC9u#NC-Ggriq$))YY?0->N@s? 
ztoLEhrI2HOK`!EJuJPI#t6iqhy$%nLsJ~oU@ypBOOBAs%(339Ykww-!3!+n%0eLUG zcHpKS&%5POQwfg@n4kEFaptyzZONTCrzAYB0;*UbQaN#@^ffe^P?irVzwPesf-alh z7eMNH;3C1bHJ>3-_t69~hnM*9{LZUJhF6VOwJsxYs5+cJ7HK7lW-9nH#xtg&bk8M% z0|W2B+Rz1_4@_DU-7GXTG)zp3@WCKJ7zSpfJQ3h{pb;)}+qVL)t;U&b!lD~$}Dge$bsA-E3N%X**& zN)Kg_`#cC%2&%IU%nHr3E^%D6qX#kufJ!_WhnN>Yiyhobp~F1`dKQK)uEb0SC?t`Q zkpObr)du5SzYYxwOf&gjhpjrXQ8)5(a$r9@+xvNyeM74U))jg%gfI@jfPn4Vc(f|z z86z}#I_m1?u};?zuRdV`boWIR!f0}GER>a%&CHn24+s1DUSvHtHZ+7ZnH_FBlqRIZ z$f95iov)o`V9LqQ=i~X^Xy$Z-kTA8|6x5k*e6Uk(VuGx+w4mS}yD>z21K|q2CyY9m zHiPuujm0XHV~~hWyn93gdoi^y1ZQWD7{h+>!FoU`76lBenU!@p**`I(?^rxAH$toL z37?l8xuXcU1{6(R>+usHd7%_{^?Ull;88-$Ls>iW+qiARq&V7Ve+bEj_b+taU4lQ_P&8~WI+-7Emy^C@HN-Nddb7OFuN^#*>f7VK9U*n2$k=)>U6`)SWB=n~Mv83x|$e zL~NP|(0w`zFTt7|gboheHis_JXgwf{+KpScB(Z=r-vn|E(iI!Z9PI3X5hQ7y>O@8k z{{#9P`WU1Z0ck+5PMkS56XXWTpcj~fzIHljUS$))qpVA91=adv&6p`Cd zKjS0umzoK38P+e&t-4!I-U#Aexv!mke)1`=`mA66cN+f`e+11vX)Nm6Q!yn)qi%LQ zX9m~$m$okvaAV8ORkwZiAZ2RaeM+P|e=67c4riz&%xN(8+Be?03{VghSs?WlvsOO# z^Kf%#_L;}XfP??ujInT)s?FfgYukb{BQ@sO!UOdx3#|bA#Ov74IeaPAt+5ur70@pT{Un*s<f8ol!&9%zzgG9_o{a3rUbr981u7Eg%cIz|jv7VJ?$Obue*3ls zBK*hr|q0<3)A#c5(V-X4X4cgWfH=Pg5pQYQ%Z6>`8 z43OX}AvgLMSJxh8M`mt(AJyx$?Boy_aC6t}A~7ROwjfsqVa*NTnurs)1>{m_C28>s ze<{m2lKPzlW78mCuQd1YlwQknQ{I<^aRRmu^u7q>@|y{o=+^Via4#6`HSKE9h>-~Ca75&8uObEy5sOh|CTQ>z0_j6tw^2SZ! z>N_-?{oz{o!$Nl|W0IdfnrY5T#(c5Ts#7w+NBfW#DwPg+Za@g>;epg-!^OpI6iP)P zkG~l@E00x(N(!%9&a*kNj@7vl15NUP__*c6GEb;B#A`U+%yhNx=F1}glZk{d5~6F&^FbuBH}1`JUQKK5FI!yuTs!vK_s-SEV7e%+ zq87`5@oX;yhcBGO4Ifsa?-zw|277+lf~R99Ly--6>ka*xCuX^Nog}$_o%-xIsnIW6 zxO*Nnxn3oB^f7*ON79Z_hg~l#n&1~9b>8*f+NdWwBmLc0wi6pxZzX!)H|x7Cj(vs) zOZOim#o)sQF}TB$m9RlW{{?^qlzo*2b%gE{;Ox#S@>BNTo|^>`yN#cVhjn!OpWM}! 
zQJ`!4P$Bxcy)xu!7ee>b19yzm=-(8HzbV+!OVNE$nn_ee>TWWt*-CCX|0an9eg!MV zid8p^s6>J|Yunb91o4&zIXy`{o%P94x-H-ab(xbYYB*3}Om;S5F|}8s;96ylR%V^3$Rr zB)H-DO+eiQ+G)JBWDfij94#YPwc~mU4G=jwxe%B(q2ezuLxM_etykH6R%WKDrDbI6 ztW?@f*7VWgVRgW*9D$(u*gEU%b@ur)xu4kN>Z-?n#+wLTm#*a5hrzyi$$WvJRze_r z3-yKtg;&+_3tvk7`u2krQx~E@Ob3fhe{{CGPG zZ)@RE1oGoo!7qLLHqTmIPB#KO)ipHWsF+}A*g9gkGEjMdG33J*4Y2jz&Q2THZ~$nP zMOjyGN)CLH&FMq8r0Tg&fE2-(kLno(kba(<^+Z}_p!zd~nb_F{odyB00^o;e#@pHD zE`s?rx-Wt+f1H0a>$zXabW2#oKI7nld}vHYgK~@>=Zb4k0c~wN{K@o;K!Cp6hSHh2(Ovj-?RGzb3z%|;9Py4-@S&7jb9n0 zH~Y(PT+%9*IAqk#O@Q36_m!xBdK0_8+S@=k(X2S#g<;2(@dv8@cw%hN$;_=)pEr~& z_Y+r2JbsK;kHe$~=svIIOKWRUIFQHGG&3~xTCHEY8RR;^-sv3L2>|Zu+#Il|yybox zEug>94#_7Bu5XP>!sWqX{wKXAa1PWp!uz4Jfw za)Z+}b{IO*{@z|0$SY;3skn|#!-F*o&j+k;P{#qpX1hAfgVbJMTN82FGDQ6{1f~(N zWEc`a3k!PdYq+@K!NIh?y?uRXwz9YP3Eg{8ZDJG91MyK)vjH3J#tYEt0jMmO)932u z*4WtCYFK9M1ZsU4-yvS8tf+_#23-h2dP~3n$P0Kwu&9AY0MZ9SjONnNS)qV=vb2Kg zA2_MaInE^jOF#?$31+9>UPCzSK{4xRUEQ%d*LPt*^t${@_t5nX$3=yMfo^9|3qnh+ zM~o)Tciwh9z|ovPSlN7<%=E*#=6Nd9))%SXygP}Medbo-O}(sqRD;q1dv6A=`2B2c zWoBo$2ANj+SD++d%1c*bZz?F@$a)?d6Jti17%$=xtM>^|Pyjc*Cm@*~RA9}Jv82>l z0@ywuFRuW&75v{MKt83Qpc^O%K^G1C4v8!Z&|C6GP>|Aq-m+po0h||8+e{$f17(*^ zt>+jlrta>0@aaWGy#QF#FC1)b&8exW`SRs9E$uY?g`$#@Rn%2c=QT}e8liQBWMQ~? 
zz@CMX^DAmzN2oEac6vKE+?AQ4hZA0{(s-mTi z(|b#1)`H9w+rj8-4;lysZsB54nL1=$*G|*n*Xn$s3T;%mLz~b&RE5q1W6SXhe`#D- zIZ{iLZca;BV9Y9caL^HwFY@Ad4ks0h6Gh)P#kV!G17@-1BV`jO{eySn$m{^8-CG;e z(AHjCUY5o(GdHgUFA>OZN#;st@gLDB!1-NJ@IZ_Q$8%v*WB5=51xiB$CnQB3AI{_9 zKxZN!>D2n4(s1v&ZF_O|RMa0?2iri`uM$Qv(XV4#;3ZY|Vw@S;q^eMDDM zcWF+O`XfStRQXs~0ajy?>cz8f!Yf1_W z-v$Q$rYb8b0rUd7H*DeF14oX1gb)N(Rbom?Z55R=`*}I|Mu2c{pLPS%%WE|{*cuMs zFc=_MFBp7GWBZqP0b>^eBp*H?OxhrjRZ>(0G$H{gOD~N3b~8-?W1}g;GY5_vANf?~ zvOCL`dBli%Xn%ohj3bjVNM9{o)?-z3Z?c~^^oJ=oX|8P^0kI*sY!Qxu1?^2#J5CBQ zHTLlMx0HHWqu@)%!B6K8Sde=wVLd)cc3xMfxqu^w)6S~c%^>H++3S78v|Y+r;T30{ zfH{(yKCyv|UGn--`ouw_lu7Yb#=T@!iFl#OnRvJ@?UQqs1 zHC|d;@eCBJcJ(0lb+nz0fL;a;8iSh7N9Am$2(Z-i=Y~g4FwLePgy4MxT2G0+0&EwM zB?^i^2*ouqG=zN#=+;pOIVk*?l&^jR1-!7>$Qbd2((^#?4C8L=H-Mtx0SC4l&CPIh z0?6~}> z*Y<`^Yh~9xOF4ty*|5)@dooSd=2rYTwUu@=5}&V~rtv?h8Vl)^vhY8V_Ecd2`QQc{oj;^w_wr23vM7jcO=u~M*Ku$g??GF0M_6%K!CZF$Y zu+>ykBcV=JnlAywKeWMBkmd)L@1NRpQx>Hk(e&eoGRrNqlIshu81&q-(scS+&slC1 z(x&di4&Wn0&($t_{SuAH^N&ha1*x+ib)9xE7NQkm!^NY^Bivd=Tw;M4+wF0;CBtN{ z=>J51vg$Cp01tBR^cx;vV5-(@ARecrs3<2pI~GpTlV_ctngV9=u@WAL4fo<)ar0l`RFtjYV= zsj$CGsWw{E632ezlqjZo#O8#Do^JJt{iCGl;HsFCV{j#Z_fBFILvh!2eImt0xF$Wn z3)ZAN4mays+BjUrIs5v%M-mN#-W@#aX2zxw5v=O}o_kh$y0p87i@jZaXz@9{sc!nX zdM@Q=P+%Y$k%IQkh?7J@0aOF4Sw@huJC1Y%y@4gzwiJ4SNUAEu#=?5nYzS~U$bi7I ztb>B6Uo@;;Shxux)G**uB{IWKDnLUs1u)MfE)F&}0O-K0EG`a#;{xh5q}_Vu(=t?O zYOAZaIDg@?{F=Ac$>9X1^AF8{4Htn->q0KRt~WJWc(oBGzY#`Mc?Ci23U!Y-NY4~! 
z#8=KHpke}eD=@ccYH5L<94*PhGhj%Yy7+14=Ng0Hbm+c`b{zZr0z&H4ni!3e7fNG; zr&P8$%KtSV?o$$BAnLkCiA(nnUYc{%nV5uHj<#5H_k{{~AUW=Q3f&_0 zj}JssG>M7wST4U`W4c>DUcbco*sJH*j`jX9_S_@#c7)r z(B(O$1V?6gEgawp`zE-}e*E}B8afAz4WHHM!f9qgTY_*^L4gfe4*>iJyaxDnP)I=h zF<6gI1*vf)YW5Oycpea zlp=shW?syNJkpR|4W;zr;cr^d>BPfroz)Q&6EozDk;@1M&J&L7=uUw&9^j!|pL)Ub z3V7Zl8j$DRvkVCgd;-z}oddhYo-`dWvZ7PgCjMxfq5A+)nyUaS;x+SH|sCMjp(n%`@#@6KVf88OuZ!@H@; z-N`Obt8R23*#t;m(!zfrs%5on+OvDV-CUmV4+*(%kP}-$M&a>EYNEANlG=R5f&|f} zGBB*QEb#f*;mMabBw+*LHgVO=qe~Q{@89;me|iuu>>H`gx8T3U$xGe|XT$$*M4i5v zyZFiaJD*Pu3*|(77Hqqf&(fbi;vUOyetN*fq7y@#K*mK*FIaRJiXba1D>RWO!_iTu zU`EQ#H6k{KEmtvXXS^>RwFnP7G&i6S2c0U~FogDty8TL1&jnNz3J7GEWu#&F=lq`l z%YX)(Pz9&r4-QzpL)fyY8*hL8Y*;|&62q6cq@&|5kU2oFK`mi-V66*!^avTrc-R^i z_N|hVpji7Gmsk@Q>RtR8L3~tdu`isOP=?C8MhIOqkZ^;8s^Gj{T57RwYiUU~I|>sX za0P0%E0px>ttqaB+SH)lRA#f*i$pRuO4wTHloUh=79f6LFoxSGM#PEZ(zIC19(6K7 zY1z#qp4h-R^fc?vhoO4grVhy~umgj$2qae^#m2zEFz1d1izn5JETA#@Sh?!tM@R_d32a!%?lgl&EO>m}~Yxg0ZnC#e$a*{jMX4 z>vZXt2|(ZNJB5KE;6*)p$=&k?1$lk+W zwfqB+WQpCPhhhrDg@}kJU=RE0st97WhLGe&Ax0NtfoPXzoAh2)W$Uh`w-K}~vY%gO z*~kls`0gt1l-|A(^4F(a91N*{L66$B4%EV8XpK4Ib_mkwad2GAEzGuCA38SGTvvxE z(lEtm&u%rCK-q#@a;m+8gZQGMh<}snXF~uU?PDCt$P0?o|JDNh+?O@Li@ktTY**rc z)1EiC__-vVV#i?CFgz@yni$3&$4a=twP12cdGy^W-JjCk$dJDr^>>u>?D34Ek*G&Xg z>yuBsNw6g%(K{zP-Y)v~kg935XU67H9CAPV4|_|005%*1Z)bP7yjPR3ZT&MoVa#EA;pMb>H| z)9$S=5@IUdWatqEf%y4<*QyI3;2Q)@-4CnnpZmZCMlt{H#cLH3(L1j353M;!cQ8^S zxJdbbZicdU%wN#;-iU8y3`%E=h1cm3`x{Aoee#H_t&^hbK+d!`aMjVc}i(XG{=2OY?k85-6Oy zZ!{6AED$Zsnbjs~Y(V?I0H+SGO~W+zkF4NDD!tZIja%iqZ{nl?rv>bm+xpK}QVs%f z;ZtS8sn98j1axBGSeT(&N&39zB4r9nCTaLGK!$@6#ufXGi_R3`dGj)MWerWwPX#0X^);X=x*Dbwjo(7aWpi3s|o?{7pB zTQTHE=+X5R7Y*sc7cuAG3S($w{MddiZP4=Z4>!%5&=h{6C9jPza>M`-xSVI7!C@XJ7v=1tGN_dqXB-DtcN6S6_zV1*I^?8WV@%MU868cpIzs z-|m@Mac#gfA+Er_?Hi}|$t+eZR!=QT@6h%$jWQivN4L9)4=y zX)IV1M}KQHDu{#~LtW?)PNVH*>u^8j3e@fq>+3u6$iFFkh>wjQ?8Z9)k$l1m1L{3+cB z+Xb?Zj1d>BJh0|FiA4lcvNQ-1LyP}vZ~4P2pzp@;!7g7r0e4WcX-cisa{P)V_Z 
zVS4Wu9Kj7%d*Uf(XXlI{nr!O$dIR<<(KH$ST&##-3SYLrzYb)1?o}%52CD+X)F8o1a{r>>6+W>K1p!*u=ple$B z4fpH_zLSP*q`nON_w9mo)S0c`YU#|$&Mi54N5m4!Ruh9|Mp> z<3NqRj&*qGR$|G?5x6v;J%6;z38%mZ1OARja2DI#;Sug8)D5@y$-i4 zWfQ%=&E~Wf@x%8_NQj*-U#c9A>hG`OH#uL}J+j_&ubs}I!Z^=*%=r&P3_5S`I|t-A z!N1=e+BG^w8BMrZmgI;f4J>1Bw6R*|vY+jS*4xjY+l`-G5L%_s%E>$HG$Cur(d>39@WJ^mSe)heZny|gSD;1gxc5D6J9~iXV*4O#eV~rHE zx=L`a0b5zic&2U9C5YT&M(-K z5t8_OBJEiIh2`q&j|M6^%tklNUOn4@x1rO&M?Lc^2IXj8B9|}yRFp@3Q4ULO<2Ore zdWnG6Rx^PF5j!^zU$~uZjELE{#mfoJf*Lt_UZxGF=^rc{D-**gu}QcZdi|ZJ+7_i} zjeOsYVeSP>&^*RGCi#%Qb0(%f0-;otRW^s;x=nYsw-RoOwhuMG#j|5MP5q%;?bYIu z9%ZuCp`Du@%jMz!oMy7@xn@iQi3Z^~i`?DL~_z#tebM0p2K3kvpf)AKKoVSgE4g!xx(y_wrJ* z-_|)VDOJ{@5}lRn2v?^Vt{CEnGZ&jvBW zZ>EzCR$f{jHjtHhq*$5S*xSYkSqat7K3FR34cV#K7u^_qJFkcT;1f(afkv8fHWJ67k}wNBazr9Mn@T}?xt~nV#gDAV;aN!K zvlJfr-E7Zgl|SFajcW5S<|aMg9>M_a{`s=TnpFxGb;;6^^VxCYxqHo|Pucj};J1fN zhfg{x-eeWp`o0S`GFtM-s7Ntzb&6sVX>I8wBTKqbc<>CpBoTE4bN^A*{-MBi|B9gy zjqe2M2)xK|w)R^|;o;_jo{~=m7gZp3_-$Vf98^*trHpJ0DH)&15sp%RX3U3-w$DPd z8=J*YhjT40nHCq745np#2qeBP@X51qCHj9|nDX<yPlS|v~v`l=n{o~ zn;&Nvq;HA56xevCo~@j5Joari{b5-4yRI0e^v^9F=9U)Adwmsm3B5cw?@V-SlQ)v! 
zV8lE>3ihoKK%VKl42_*Hm@h30Am3e$W+xE45)|B;r>$1W7=ixQ(2(B=rp!~y>AZE* zKMdQU*co<=X=kGuW492}-L8;h`;MCnJFa3)v&=V_{Qch=G>&=r+3@xB^dz{<#ZY;j zDEvJP`cscGf-vVl$d{UaN=kceq!e8Qb<#ZGks4x`tV64+-P4lAb3%i|79HNh_oCpp zJ^4A?3MW=)4Ae`GImzKOlV$`7eTx0*6{q!XB8w|FLow@JD|=L=ONASw)>xZ!eSOGS zf#cQl^75S54sfQ1(m+G%D;!{|y5&u!LwB4^5~daKzDbh%RGcM6-Zp z#M89ZSSM83oH*8D?^F6!_rTES4Y;8*RjH1s?<;CiY*Lz)jD;3=V#C7n>OWbV4VYq4 zYp+p)jBQjnxsGOKb*0k75h@ovm6W%Li>FjN2SKS#}NHb$@6!nSr+eb2373x|;SwCQx6;w`s*V?I54YZEgQNIk9%H8}J%BuT< zIb@^>>L=2zCMeN&t}<&22Ms~dveaMVe$K|@j?YsSvE=lbw~z4gjumXQA%A#3<^|HjiGi~D*aB&eaG;`iqKP@Y_HuQBEEQoas*E~A&JBvt?2%fV{LM@k4WvzIRc zvfka88oiDhTfy4_9#SBQOhzDx3u9n8`gN6;|1vt-9Rr; zQi@Utw>TF}IhvNZ;ZoQ*D#N01aeEbJXDcfu$4f<_rmm2n@oFtB@|UEhs+#xJi<7VPw!^=ON%fF63O3Q(pL4;nnh~7qW0KvGy~c zS8>(j7nbdNR9>)j)S&j(C=KR&9xjNU?{~+YpLvCM=y0^u@1CRu>v+|oests|K?If5 zS{$Am2kUH+b(yyH%g@|anpKiT>l;b$d!*AbpuAnDl0P^Po0vFtBigu}19q&OYY*v*W`C21+?7MNb6dBcfuum0Wl^ zV}gt9)s6kjGBUcGV)`W)TKd!qZTeTBTUp*cf?a8(Wo53X zo`i$y{qt40U(B5%`}NKv&}~rET7CbiR>TxEd^TM(&a6jlyt}UQ_1ty4BbCbeWakp~ zFX!R`9p&n+0O#>3vMz2U>|=?Z+q-$EqMO&~^lhg;2T*Dh6lB<+K`VT;Jm3u1?D)H9 z&B0B1Q3KaP19uNNXRr)T3aR9`htd>p5ilA-$QNmasgZqg&| z+tj{+rXJ;Wcdn9N#PM&wZXQQQX^AOD=DVtU)jv}9H#e`!Y`TtTWLWtw6H zm+B>t-mt5+UG7*(Udl1kp6iWFT~lcjBpCt%Sb$swjmT@`;Le}OC}%$nq>lz?ggU1g z-nl{D17@UE*Y2b>I|AXr`$x=*6!il>kmcZAoA{p@!c|Bzbc>iLTRtGf$(d?(Z5*W? 
zWz=|Zw3koprH2TeiGYWa$i%Mh@fwsECi08f@Qb8^g2G2E*SGe|3ht@K zf$RqIt2l7}XvGo!pZ_@&347`j0ZfeEsPtBtFU{agKoqWV;O_o#pO@wI-NF)3gT z3M92d1JHF?kME;YmK_54mEd<@A89(YmExWg-6Ez#Pn)+>ftW;_-oZZq7QKi5$9-1ScQ>Q7HQ_ z+A4qGr;`Wqf7amdus;iR1K}jRZL5#5^c?P&Cbb9|4!j(`UE~uwu!lrHp_{AvR#bF; zJaG=9EYQM-;e7+#Nv;vzNcecA2yKumbH4dGUB$p+9RhvQe0Z5v0Tz`UXpw3PLOi$Rl~rGSFZdeu{SPAJ$-U^pVyyG zH_(^h_pbX+H|F7tM~BM=db)M@j(K=i=&YId@wC192W*aU%eUrqiT~&>b5vP6+S;C1 zF!S@r;N8H-PZFws30yi{2XM7Pek>5O=xhy8DsCx*A`lcc`@(D<rxpz~bjTr(VH%`t1($W(M9fUU>2esmTiY<^80{9NcNtf+5sj~FHzatI7%@9w0(+8;d ztG8GV;MLCSBj6zE3Do?ME)Dt!&W5idHdJgI9fe4g}lJi)m(>uNKf`iOwRoUgI*#M6rR6L*&O z_H5KSoP$Dlk!3VAw)=iFWG`?uI}w4+%W~^&S!ddwgjS9c3&u?hxp$=l00~y0C5P1 zZ-Z3~vV%!UNS@-tDXnk@T~YY8<>h5;Y7nOe;TNicn`vqWLP1YX;Dpi07>g?)H6@hT zb())liwKA*Ncuo3v={*aG7y?m173Xac0&A)pzvUC?+!#IfzK|=D)9~-9azwPlNs5f zAzl&=so7Hc`J?1qm1vUR56=!Fa{;f0TM4Gno;YbZAF#jw{A|A#80sML40;AX$u`ed zn@YZT6`D~St+*}&`HXArwVrplW`CX^j|AU}g23XDiUBUAj)8&av)WZM&9e@&Es-a< zdMMD>$y|cjR(eC{1e`{sm?c_W=w78 z=@gbuw`*^d=YUDc;I#gO?ae!Wjks%`TNTkakE>&1NN?Pt5V0sFtNPvOGjB!oqCT;@ zTJJPvzb1nDa9LT1{KkxuvO=x>dRA=ZTx#*?P{a>H36B!yr0n#?h@qr#_P4+72H|K* zK~JH>+S80nCzAYIUzf==7RQIG1L)i1ZvLDsV5ghFJBg^Vm{|PsAU`9jDx zZ0dX~O-Zax^4ZMgbt-gq!FT`~1CV}jgJxPH_}0C6*it302$yz3+)7eyyahW4hYbWn z%4EQqg`lqmrSJUAOmSHmw%Ct5yKmpGjOZ7t+Dddo1OY?Bt2cO4%gb&M2n3O| zphgBAQTO~SxkP;GIduZD>V}ZzTfwmE3;91Y^w%1$FUVjOek*jF8jAKhSXq5P;sSSP zP20Jy%I&a2qp~NEmBMnYaxQB~qwG{uQ+Z^XEQW7(a^bBn9;Vy!W%~^B5NQ^sd|F>P z?0teQdu!j(ZLT?Bp~Wo8lgF_gbNU8>lGRDA#H0y9QPrcd2))-9iLtUoLWhGgDkfFk z+H6s`(xYy%g$a>~1*Z8e{@N5#KhH*&n+H0ertlR@I+8Yp(Xw*y7I}MS)nUsoM+~=J zM4Jei5GZp&THD#&TmjuS_zE5+R%G3eP>O-=`|VroIHGYvII`e2;_0J@&)ZAO%FuCF zpk{=GM%N)Q13;356I^gO!!YsCDijn^ofYrOa=n-vEkC}vgbI@a?@P54o%5bC`ABqWHd^@uEg|a?Q+xKxzlB5!n%(7P$kr1UNWkpfhDndr~D5ElxG7~~p6p@t~*?VVK zMz-t_e#fQz{(hh5|9$Bv_4 zc2b;7dzTC~&r7kd8eFS0X4b(H4Q)-`eh`~KN5(=k7<(s_n7Rsk{kw}%TT}FqVgb*) z`6c|**3f6({=%h8KW7#(7f?yaoI6NLNlM;``3=1xsM8MUrv3Q?sr?8j?kN3%f($V) zr+P6s5H<#;U0IP55I9+MSOv{d)f2M_pMTC^Qwksj5&5@6zBKb?E(FJjMF%G}wV-LO 
z8#fpu>Iy7}pP!$CjlxO^?ag=!toC1vf3Smb@AN#y3XyBmUdezTZf=|BjB#P%41lbF zy9AaMeKU)*tozAlcZRI$sk9S%S`eU0pkU|Vm|6UT(U^hH@89$Lv}3Lqrxwum?2sGg zcBU8q;H?6FfVcG45TaaLBkC{+uE@1YxHCXwE8sJ9(edemg5tu*(R01RMMJjPL9!q= zwoIzQ)012>!WrsYKJ7zl9^CEC0<_@HM>t~wm_BWryA1Z4;$5dXOV)PmF^Jgl7W=^j z)Y2eG1NQryIDObkN|jTB$r=O+Ruz@z_Vxt2H=Nu&JXK%69^>S^#jLdFQ-guFc0+qR zAyRKNnq%~Hau;JZueS!%Qi_+?;LcK82}YJvi>Z-rROk5(KeW41Y1os>oV~6pc3QDA zt^Y00c`}xa`AsR6bag$RR6>)H=R7ThRge8jn($Yl4QjEm?K=KSQ{h9qV@(Hczu=Mf z_IBiJc=QSmzFxj66M1KMj4yu|=Bq8K5(yo%f{j^Ac*s7&S z0OeEG(DMec=B6gcrq-O+4cph%wgGSI-m?!b(@{~qR+6vlY76FrF}v+$_7}LOb4=z; zxY}1MK^(@RBB=xUH$dBn!pdCvR-=KHkCJEiCc4RdhuoS!DXQAboGOb}^#|lYL8I{s zAjRx1{Er}@S!&EJl^GaF6M6ZVQ|?I88ie?{oEa{_6?zZ3J5Cp=naj3Y5j(hrh12Tm z>j43*L0Tv;EW2HRm&OQbCth&()~(AFJ)f)+p&W4J$m~fwi`g$9KYbEk8esP-A>Xm% z;`#F!imJ!(_>f6ZR(jP;l%kVbZ7v7fk%@x`5B6gT1qs{?7qehru?vcd-}A`H_-%4X z-Vm4QC8jfNidL!vT!y}9Bpj><+Kw-Z6}_UMY%6yzIv7^WBOgAr+?4!NfW6m-ll5!^ z^YV(#9c{&y%7KQ7_qn$tSBFC~e>{!bLTcC9eyuUiJ-=W@)bLE_91l}QhLGrC5$s~u zqb8mz__=2%oR8ay1W9@`DXD4qC)I7o==}r2DG+7Ck6zW zq@HD{XSkkM_PEj90%gmV^sF?-0p3Vqibpa0V95D*3yh_2JV_s1%^o5K8N*sJQ(k))+hY z!8@SzLcDNq;*EMt-yAj2NYOf}r}w7vr@y7hTt*+Nf9zo@_l2;3LshfM$dVJnoiCOy zyo6K$rg#$c(o$19a&6O=DmHu3@Zsa!H#b*eWH@?9g{j?N;85?GjG!BK=T^GBu&oys zN(UHYUv%9%p7xmrV=#-;`kql>Ycxx3YyJ$XE3!NLrP*W(aCe=BHW^rY2$xVg1M8=)NlE?`Z(vqidjP~jFx^E>wi(N3CnaS@diq`(YLzQ0 z!B^EgzP9g?85Gc1sj9v7qK<*5y6WD{>}``If!#f?Iq%dykGojI$9Pbx=5vqT@WYg> zzJ$qNI~5|vObv~$URL*0yKHh>`;NgK8M2VW`eP_cM5oWM&P?=F>~R!hxNmS@`+`wi zcF2=}n0+i?z6OtqRYtx^nn+)8PEF7F?d(+~%l?fX!Ak2f2+A#_7&K@xJiSXs<&*Id z1Z$s?*~E=|XU|iP^wBSTgZgS?#0Xm`IM<&IFo>nZbmZ{i2FXw?D7)x)nZ{tOa$l7G zv@_mO1QhH!c4n4Sj!(aTGlX7UL)M=H9P{l&`bXMf=*oBS;FqEz2oK@@>%1O3d}8X$ z9+(RNiI}ay90iTn(c6uiYI?x*4MA7}bsoms7Ylylt!(>zM4jNMimhkKK^_Yf`UiaK zDX)E3V2XnGlwqdQ)7Nic!^GcV-{ka^R2H`^+a-yWKRj_y$CCL4-t!BvyQyF6lq=&s zz$D&xvWQ0`pR=p0x_{`&$1lw}+h6}){&b>XaF_k@3wBFA1#2JldQE9}E1NcMF%~fz zoGrBC`N`>YyiRJSJSgX>TARqxBN_LOsq?SvFylJvX(wE=X5xf5bbV9!@}YlISwTx! 
zoaqmfUxTWqkx?Sd_ok_rz>~q)D?|}QMMe1pB$@rrqH4$U%sb8?o;^RZ#mDOCT|OU! z!9dDdld&880a{-IpJwup)n&#oNME_8$g$h%xcJxlph1;}1}^Sovs{Q&T#{2m3K!mwM1%{Nj!8NEZ067ojXS<&;W$4<;F!>e zPjR!SV5{do^-d&{($@CdpBglGJLvxqzjUF6>-$o%L0WpjYgU7ZlQ+G6d|G~1EZmnl z#Y9x_!skD|dGqnA)$mm~)kde~MbEgpj~^!~YtxvS+i?pSiEi0!`pd0(Li8>hp7+sL zk`%v)1b+#Sj@Ij>DQ9D!HC_3*q3y!s#I2vZuLh=lWk4>I84rnzc2ZJtw)fBn$Q0Y9 z^DM3OOmrO6o-5s!NGeK+*OS~Tm0#u+B#z5{*D-~(DF>R%e-D>hv&x-A6MDCQl=km@ z-#jRI0K35YA$_x6a#Ode^-)cua?=qLeQ|;qL>w;pum7P<;|uS04KqvKY0{W+Re93k zy&da#Z1u4#=1#u9&SuI-IjPy*ooD>+H$8uc-JD3jDc(NMs5IKKcwK2%(@8t`c>;DM z5#C(#bDpg46W5OMw2vL5_HOqE!j8)K6QwJi3Uws)nyCD(bw(!f!z8nwRhH}js2`KM z9npBxfj-0brE-c+Zc^Tzf$X*THfQlZsU`+jYS9awiC1p(ZeOlD5@)Y}=x#t_UBO$6 z_W6`Gc~x#6lSG@rKSm?^5j8eeo_%f)xR)JDjb0omTgXg`f9FuM*w#|Dx_{L!UiLMF z=Q5_#I|A;WZ#O!5qnFLQQ_))G@apN``(H4Wa+%O%1g?x1?H{oRhE)S3P3h`zFMn== zMZ4NAQw6j;y03jwuxJl_lKa6kH1pc|)|*}Cy{Qiae;5jws0u9G4Yq38uPp~U3R@UG zQwm9m`7L%)zqi)G=wV)OUg}`f&)vO^*<(57nPr_mie1&F`7_Q>OnWnVlNW1ec3#e4 zn+}scezT;eE4GOCd5@w%=f1g#W1S72p`xKCYbS=U&!tXA_w1m{O1-W)>61RE*p=I0 zGs+ay({!0;WmSE@X-Uni(uX^OdfKwboEs*Wc>?rBX>#KejIAw`B7A~=49;!+F7-mU zrOGLI?lYayrI^$|&g{;wE!xAcGX3TbxNcP58=pNUd(&uVNlnsH?nN%95zYBN*-kkP zAEmD9q&i0~{ZPC1o<|vroB{e+C}MMLbEy%GOXZ!F*DvX-jhg)7nd@5)yq-|AXib0f zXR6~)$1(kZ*sPEnp);PbsVixV;eqcLDo4z3oNI|n5?K!Tc&WL{DZFN(K5DFR?2;U) z5+*m^*YqTPFs_Y@=6$tSwCPSV&#Kwz<@;u}aTDkD6OO{JA@_RTSdds}H}5NIQRO@D z^X5tP3nc%9BxXk|U2QcAl2R5}9{*ma>0kLgQTXPiHBIIApZtTAo}oc+g?nvWgk+1c zelRx3&u?Ou!Rq#<^p4Hy0S5$Nc<(evnU$Lz?sNaOam@Q&2qhj_!7lH#x$(XmG}^Zr zCv8hNeQl zwXODH3YUIwS~hO)WV;Zt#%r}~6!m(bNy}7!o?WE!`UTnIC{D+)tDkgA$WM&hKJG}> z_xhYs2YgSRm(gvL)wy%G)8sSn`h0DiYIWZfMkamc^Z^sT-HEFvCBlYc!3$Qc4yyZG zxC5oskB|tGIZ041I|-bO$jMUus^svaAuLdH=A`GAP24%&c71~BtlsH5rCLXJAUtT1 zz?u^X-d(Rb1_HfZKeWhX3H{!`$7{8$zl&e^{%Iri)BB14O0mP>KcWNqxNv=UMdKHr z3MS2j8twmxTi^OG)?c?$D^BNovIz;(j#DT&EmIyxdzSC*F{)Bd1NeY#;ytxH9qo_!nM!6jAq(9hA+H9Td!M+WKE zF&+{UyORGCep&QjAGcB$AD#b#_{E%Lo^{(aJed~4Oyv=E@m~Zr)wM~9ZxP39wf~HM 
z#ODk1+9%*ft7T|hWBJb(OhV%LIY9KJ_2F^NRM|C|3$q6c5#<$Psg@oAg@!hK_72Q{}<@M);(Kji9Ey)+XzkYcv zJIqJ4t8h?A7<3q--Qb#`%5*Uk*=skY=&kWIV6@gfwvURx$M;(O`gRh8R_F^*DD3u8 z2xJfEy>M+j)8?&my~~)O(^~D)%k!R5>Pd`zPhNUH|GjcNNGi=q`sqeN7xF}_uVmxU z3)U`qQD#YOKlQ?|a&On869lh>3O(*VOY33i?-I-5(IZmX;j{nqG;P&06%|%?7uz?I zC;U>7gN;MC==URrt^MjGn{-xB2|4Sm*=ZBGh!{=S-yN3j{4f4mGq{vtcKBAVR}@J6 zz)XR`Zaoo{-&I?4#d7P>PXVFASx?qKHvSS^u6DunaKrdP&ql#K_wblGLU;=UlJalZ z+^ED(FYfA-Epw8n?nqp@l2_Z(FngDqM<83aTy|v}o@TB3rva~$X^$o|q}2!OezBw> z-j;YEJiNjm#eA@i&1%E+U00WbG-X@ogQa@*;afqL9rPN(_b#SOlKWL2Ws1*BKMh%~ z5ARBke#2`$_)kuWX3Jk7d;rp_m+W>mBfNTR8WwtxP&Y1eM|ALHZIKIsDo2 zjk3+yVWxgUz?0nMt+(%vm$`Z^Gj3-|e*rQ4dvs{UIuaH=J$BlE6S03ILEn{4wM|Vk zkXDD5FYK6b{Ft)QE%inv@ZQ&VXH&!MkEyv({;*xmSNyN2`KPM$iqD1Yo)O1pT{)AgY5 zLHhp*urA+a6+T=m8G5~eg7hhkJO^G+;@feLQ@4H?k|zIJN1{VUazwf=EKS43*>&noa$ZX9>8K9wIW zF@2*n)A`DqxBfnv`)98AcUH1Z8aP;Fu#V^J(6BFI6>_ zO7`her@bFed!@Q0v-YSkwwn)leR-S6tk*o8`&A!R4-IsYnXB%dnxqNe9Eh)-%Ukpek3#z}{bb~QIHH1Hs zX`a`fOJBnvZ$#&ZAO8!f;Q8m%<+1)d(?(`2c`d@GKQ~{jWZVBj3Tq-+iDp3jP=;Z< z6ux|~dUb4WYvlQ>A4i)P;!JW)+j%o@PhMP%n=bbX>Zvo~z074_ezzm%M3so9oz$6y z)Zs}5TSeP`n~r?%?qSK4HDTNrPZ8=q` zj$awSvq>-}zWCi~otEBrHiNvRGx@qFD> zV1+f~6m6K~OuIO5lXKYh{$-KSyE-~icRz#||6M!yn?k#It^cBH*sr4$uXry?Tn+r# zVLGJ}#~hpX?~e>^K|Us_pxZp&UnZFmCECoQ$7FbG=E8$|PTvC&e14GvOA$ zb0>%1@vcOY4{t~<5!PPcG!BeRc5->K?(a=e+wdbTR7tY>_T@Z!B6=2LPVKkXufL^j zp*PaF1u|dDs)OtA_dhjnA;rn5>=Q*=(m+L@g-x| zor03>647~l-652XJVaWFPe*wgtS0?mqb|f(62}C1MDZt9d3Fnj>B9-lY8#eZlHn+l|iRc`xpKl?_;@>UfB~6oArrG^WGXvK3Ko?*1PnrK!;$C;q zF4LD57fJO@(J0yYK$@8fLOoo*KsL8;eh4TtzIhD|0(?XN7y67FAH2@WQrFjHrg|mi zd_!N5gX0V{6}UiL>qz_NhqJSm0YCixsmIfx^gamumD?3whiE`xs=q_8sEs1KXp0N4Zyzzm0 zm+rm?=zaLKL-EHKo~H2>G}Hh!A5Kr351f2*D(bKXY<8rXZ{4}WibrAWi^0U>-AVcF zmZ8JUc{1y@i`FqnRGoqy01kWmoM{_;0tbgbKyOt?AcnGsi78o#up$5b8-C5K0aN&Y zD7Yt3+{n4lM>L-t;aE$Lq&6@xR_PTCBAA$Z(LIrXk=+5j^uuW@cysu)H+LG+r$K~i zF7RSrdJx)=_+BI2VBU`KbwVFpb?dN`^4+`dreCY`KK1o&`zq-Lhg?%dX!a*&*1;&9 z`tQ#tC3zFyjZ!j=K-U@Mm!QBvq8Swhh4;A(wiS!$oCo9pEunb;-5UBdD{E_>omW&; 
z@RL7({!BDfHjN+}7sgQD>8s;|+oPl;Be7nzHeYb2J$3Vgj(hmL#3|TFBJw;NrhZv5 zU>*>p-*N2fOPf^Q+v&YO5)@8eGiij&PEG16=|MLtwhYT$t4Nd1jTBi?l$kV7RGl+_ zgrqT4FE4dPz4f`XcR_c2@1>bLNse0u$tsVBjpU3kr9WZvEoPkEB2Bnjb#{VV;^Xa2 z?Fx7r*9WjPL?9|lK+r-f2GS&|jK&yGPDnsq0Zn98MhK#b9zKlEr^uL;kN_>I>DgI0 zMW|80P#*UOATbclfgh=RT#jzXK?U-uQ8_oftO1#)-^OJ+U7zMg#AT=UZ>;xnR2TpQC)Gv&FXLUgh8;K zpJ)7ve$QPHSwSPju~5@mUw>ImEp7@avjObVt$K}F{o=8#PG~?8&CoC|u-ycxv7$dZ z4t63a%8W)C)y&(1-{CPp;(Dl4`u0dv3euE9S3zRo4@=7Oh**>jPxnu<_A;7^8c18r zxz`wk2H(ob;sa)F_&dFBp3HY_SLxktj@mu(WPGA0mnl4UAV$dfe>RO!wQO#_e{`wC zMt%R)JBpMP$Df@)a5h>}vzC0Gt~QZ<|I;43hvGy5|82twt>v-eq%ddy>q7nW`xJVJ zLP+q~8Lv8%^NWIUkuJl`Bp&e78Hb{4MQyDCQMpr4WcS40-$DI1f(GA9>i+{Y(ImtT zKP&4EJ75s9RB9*iPW4RuP3!5M9OwVmB~Scl21v|;h~|sX9sIU`07sY4+Pi4r20BtE za}7^0E-qMC+=;71YD|~a;^akZBWJJi$w;w^0t5}{)xRzXBfdwWOC3qZvhwLm6QV;? zQV; zp)lfPDUN-tlm4%o9Ssc-3cw%?Q6PRmkm7Hmu4TqJ6TW9cqN1(T^`Fbc2c0!`c6LtA z$HSdZeJ9lx3G1+&7psPv|rRJQ;2|-wXzb1;w#?P83lY4UWb{bC%^L2 zH0_$$^v`B$@$vT@#slTC86x39-|M4}6#W_sl;$pRsp4^GSa< zej&x-Op|Wx0+^d7_G=fvjepAp`+7J!)s9Z%w86c(xjHh5t8F*D})|A5slpCbv2U<#)LR3vgR7sqj!AX#no z4hjej3fSMowe;`>fEa#*TwuXrAC3~gjl=~OQP?mB2MzwcKEWuXyr#T8r@VE<39>Df zO!?o33J($%{NJQSFzN4I{g2x(yL^#`?;7=i1LHq_MAd2Hl_YGt{@IX!WzHS$dzpHa zFZR31_c4?2UCCe(66#{JQ7ps{%2KzkgF)-}J>T1=>6H-*I2RU}@@b>Ld+yx1^~?8Q zS7!9*rV!nG;ONyk+jr0J|Gfl52SQ79#ETsN{e(|xBD(#jwH0I^%!iJ_ zfeZdNTbX%5Q-%MThm7T8zFq-U!t0Zf-UNnGWZ&weUYvyTtqs!>d=X!g#3??OQ^XET!ET(<@kS za8ZB|!szjKjtGY+AsyHS^!FdR+i?UoTaHZENwEXKV1b99KO9YFbaaEC5)nq0?tgMb z!6?W%N=o+B)>7gQxP1S-9#(vYsT~`-B+;~Ap2(SmJYfLofVnMB0k+xTZ{b8f*-Yu= zIk6Hp;rApUodP;z-HC-)cnnsbzIO$=0UMZ1Ik*{+(Y|x{ZjB{tp2a@^_MJHi5e8p{2Rd1>Gj!VMV|ajuCN&JmDv;dwqWG<5dj#epds zqWx%;4>&U)N{XJL2 zyfXWFE?Wq3z{)}rgga7KUjEq2D={gFFv9v7X3cQmz_4m3ek(+`pry%Ab+~OhckiCiuk;6Zu&8mm zXS4%G=HXOAaN2-8qWa15m)*xY3`z`dmpB2%C@{7i zjYYu6gApV6)S#n+Acgc)<}7e&Lqm>7#pfW?RZ$Viqc3z72_oQrh(aMAGf8|<;l6wO zHj5i)D{U22#>&g-j^6Qq@}%OkE9vmb59;#HOC9a)i{Ni@PE*O?gmJ+Cf*60;Cu~sf zifah324=#U%n|%A)G)I)7?Oa^R8>_KB&XIOy$o_hLmw6j!JdVbGL-#Kl+=0l$ReeS 
za)d+IFI){C%I<~+KlIVV!cM^Vkl=eZyiSUb|2DJe>A}nbGA@o;1W&M2=6?;9Jt6ud zfmHM5vsR6vXo%yU?G zLJ1X*jh;|Dl=T=s1&(6OxS1Nk3fr~5-|kep_G{0P2EjPD$5M6plqa+A1SAd_4pj^kbFwA8-RVt#-|RNBg@X^$qgAIPoq2G;QQO z@s5yW#JC3@oAt;q=Y|Ux8_RBYh4w^flIg6i->d}hz`YQ88U}_xl|0F2*_txt2uZzm zqwm0WhMXX1vUt>-22i=e5A)axKDsrwD-#obmM_iCme5+R41joVQPB?{(VkzZHVE<_ z*6JP^*kk!21bHyNI&xbH&wU`D26Vb$!ZRJQ_UFu@HEb9dB)HT&J3k+5_z|^tP56mr z_?N_#!C-j_Pt$H06eo5@MA)v<6Ot(h-}10gE3cgy6k5Rm4hO27lXLt8$ixNpQpI5M zaw&|!CT9e?&V*E@h6Xr4!`Lt9Mt_PN`(5u+gi;4#GUcJ^NVPss>;ax{N5m z?AF}c3Pw6^9bs5GvJ8DkTd+k{x9&vVErgJg3d1)zZ3RqWBUQ?_jy)FI*xEXe{oo2C zu4e?8GN^4W%+0ae2DH&)U%EVt;d#ggTP|0B`J&hIR@HL~kK)&k4wOSY3NtE(5TA4g zWm+61IoNR^2*(UyUTN=9oe#$jfukIh!21{iv{twRc=I| zoi}&8z}a+_ghBxu0LC`fv!23oF3(}Ig@$NH16^J8Dj;jf`l8|(gF>$ccZZxO`>vYe zV%eAvFABq3I%wKeMZ$T3n)|NIft*3S#M7b2ST#v{S6ZeD7c;k2{EQL+p2u z3Z?^(i;7ARA#cDm?c+!P8`0wcO=c}c^k-Esqsy?g`T+r=@Umr6ze8TU?Le@5DZ@L- z+%XLl$sp_?`L5(yZxq=`pXe}z8Wzrq`ZN-v1WUi>?p)g!t1<%)^58uMoG-C6Y`)q3 zrLeFNqQ~bQBSwt+b3T0{cH-GK(B)wGlQ)2VDfc66*OzBAz=Ch+^zcmFP~V(vc`mc= z$kT<4OYSgQ?!}I-aN)v>3cdBD<|0_g=-4Z9WoXO)=uO&Ucs{s@ySotu}-@O90{)( z+afh4?0b8?lIAYvh3Mb8bKW{10kAFUYE!3&o#T_+CMK&e!<~W2PI+}TJdQvcMa`X( z@(T^Pr#?P&c;tA6MWMDG@Io|T-(U>!tEDfgyTuF`T9GTq%HOlHD!FqR|530%XEvERxy}`v^2+YS%l>vGc&Vlmlg3 z2J;#FFvdCcu^w^P$G#q3ih9NBHw4ypb5jE>I2D)%Fi8eaMd1e*g&MhQ-8a!iOp?mQiz_Jq3w)q2y8%S6V{@)D0;im+$ z#V;i#D5H_warR=J&kaTUVhpRP@Mjno2(tw!If$&p(VG`096@3xU{qm2ZkZ<#Jp9D6e-+)T4bPWC_p_=ajmu6?tgLQUZY-fg?@vx22iTA3c^#cFJX)&^iNV?o2m+m>xFBindmUAst6E1HX;X}>I~x=)TCzLW&7~yJ#m{u+rIs&TcEyIdWRjMy2QkuZ;SeoW7^Kg3OMwtti?8 zAxd`V$h>GTR&>Z8xYt$=Ja{OD5WTSB%Ny>Sc3_Yvcq!Mo-ZIsW3YYJ2O5NUJC|F&g zXYQ93YIM8oXvQGDaM)G~Z*Sd>RtK*dgJ?&QU=W*5vF=sAB4QvrckRe)wF5PW+@7bj z%du%23;}4Giy92jrJ=XjI;?Y&q}cT@?3kiw=6qXXuWJ?iU?~Ip4-%KHd3mdTpcr@`Vn^x|#hGNbQHvQh(T}Oe znH(Nl$A#%?hg9o6<-{-~cn|YxJ?=MutHBzetnOrVS&{mX-`Si)K*?Mlj7$WU%d6W6 zl(8nQ=3Ca5mxKQO*wZr=?gNHLpv5v2*OYVVt@DX=ZmF`$0rPBz$;J)AXBKLQq*gp7 zJIZfI;W7H(%?po>hm^yct$D>q4+Wo8^#7i0LL%>1)lcm{ldvt1U#lSeH7q?}hKDmU 
zFn9xRju)*3$Azp#_ZgK8M155%OPTaZ3^+gOdcNQ1GZD=t+U#-Se_LYz-GhI&Tv*v( zPdZy0{4hdd)}yF^^7_RPp^}!Cy?MeULk-856YsGHRZTjrsIiStsAe48y=}Yj)P~^5 zE=k=F>fnP+x$8LeTh>!BbQr$Qp{t9htK(c}9+0rO$%n7wtpwH}8#xqK!G$NkQ-dy) z-h%A(F7wH13QyKpc7}<^1z!)7q^ZP)1LpUPqHYsazCpEv?w@x5XWM^+>rP->bc9JF z1_OeFgMr}0rqQv+2p{DN(Uhwg5DMw4Z45Tlue3Zuk|hPj%kN!zjPIjdOD#D8ZONtd zCZFA%`sP~36jOxB5rM~5`g@*u|5VeQ)ZO`}6ouz9{bcdSQX4h|~qq?O>_4n+Uk?i7o)y?-R zglvo8<|9XrkhvEjLJJ=FLd8|Xn{#|po*MyH>HJgSBO5%nqN!!Ra#3Ddc(aY#PPU-< zP=AqIIS#f)v@FioQ{poMxZkyn%so=^xU`LADempn&a$A8sk}0^(8ss3_p-c+*)AYi zc-c5S>nV72vW-Nv=T$GXBrl$8>oA}`F-h2-9_%&;sPFL@+1!AIm>5It*`cr!gNb9; z!~cNC&^KNx79a zKTlK$-j~LZ^!3_}z^1O?KXdY@+k?{>-hI5L6<}B)^x2g{+Ne}BFmFqa>>Je&VT*Y| zI}PMcRh>D6Au~FG<61Ty*%pR&c1!3EV)BoGW4*!As((?(i3s)L+@amuKsuz@+uhx5 zED~D$-Ru|x(lzUPvd=u~9^b=G488x4mUKfyYC@O3^70Cm;9zQogh5oqDTLwXhF1yE zVk_OA#q1WYSr)FpXm@x7cs_mE@m}uc{++;t(Dp989F;r2&v72+1_4oMZ&_MeTU%sn z5<#+R^2WAP!;vR6KkRVQIl!+-K?HNN|3pzG5ap3gmo^K#_$3)mdOxokFdv!N_R8NO zxL{!`oyZ%d1bKF4lZYM5sK`!rs#b)!){SWQKUaQJ_Q;I4$Y7VqXmSo`)PQZ6+vzOl zqfuO*<#rPvgtF!3ZZ9{|kkH9x*7?VUKVTu&!uwRa z_Av4D_sFxi1??Rw%}CeUC3Ed~!k_cDK`M!H+(yb*;zb{ouu`+6zf&<8$jkg~AeYpj zV9a5Zt4vydUiP@E3Wq6eulASCnswbX_3E5TE>wed?g4OM#m0#}p ztA-1CJMwJs+7-#u)Y43#qW@>~m0j-|F`I1f7TasGHcj;ai+Y|BKOzadtN81H` zCZ;_+6Xt2U@4Q6rlYiN?Lz<_EyL~6^p%SYFM!QhP!y!!7hrg$ivE&GxC4Za#^1dSNiP>kcm}8?`_7)$-+~LHMB({F z2=Kbgu%K)58-+TYQ=f%bzt{Uj00xE;j#rqeh9;?&7bczYnz_ui z2S{4daF-cN& z?Vat}CQ2PttkhH4{J7+#FTJ!8gGiNIXJ2HQc5j%gtW@hqXBF-%2ldiaMf-m!ZYx#+ zwgY=46&3$?@Ay#97p8cBT=*^sJE-R7W}v5%-<)9glcink0XuIuclRBak7P-u+Zt+7 z5yKIGS$~JaWUTkd-Miw^n{(Ts$UGx^d2468N4lO+rfk<}M&%ga)!D{DUYe@T2kAmT zZXB;^^tU;F$Np*XDb|Y0N+qTUA${`DcU7G$9v&V*rR}wO`GBS)`Q5+ws_O^$#@ozSqQEx?^vd z3{7ZgX$g~f3M9yOHa52k_G}4wlnn>BprD|@u&4N4XhQ-Q88XwPWBIS0n)9;%d|UCu z@5Q~n&XYZP@^LPtLK`_=??bavtDj!V^MsTCV21yTqehCi3e@fyq?O;|n7_qwz%aw| z{(VMC2X#jY%sD|6|IvX!fB*QgdVnyXJA*edW?ziz1f~bcSJQ~BMQ>uB*LwNJnqbZL z#sSm7=)FeY4|cD8ZCD`-_#7Y4+1+6{veSab3qXE4x|7Q$p@D&@-o57A%cuTD>{osV 
z5uF{(Thr3gIu34hVcBL{M0(lWd>Z!3048uPVPF!Ie->r^2!Km~gedh1%UIi)!FA08 z$cDiG4u-=4UKnH*6$#CQZ&VMZH7p!Zh0GokdSYgmT|It4HT7?YgUGG)~2jt(O!q9 z(o#&5Lqh`q?g0s#`i6#kXOmdSwU})rdO(O4cR8*iQH|aOW&^QcU^suKfYIHr^e^?S z^&`!@9QU*wcZ-5~$ZB}RS(A|DdHVRQ0H?&wDD!2C2oBD2URwnrjg!_G_yagQ=y|}= z4BdGGABOG+D&yL|DfnIFK(%N5>jzmyO+`iYl1yQ49_h=5nNor<1Q`^f$c6z5>|@Xx z0fzVs)joPQdt}^XSR(4sE?kA%?R8B}z=fz7;nlV1kPn+UGzXU?CqPmHMxhIxA9R|4 z;DYYEGT&(mqZVYzD%cb_5x5or;Gt79IX32iz|}Mw5@`1?7XW@H^1)j0{Dp0S zE9uVsncCxo$@}sdJPFwt46W2l#Uq7)On4`wo?b?bY}PPEo!o&@)3XPo>WUV7*H$wP z>%sx~KELr>iigLm?kCZb$#%?ulf1pX{U=9wzWjlCzClnQPB|`mNmDF5YIZeTUfaG`oJy^a8M}AsY4NPNKLcd2dv!U?r zKUty@5(7=mF02Ohu8?lAm7|g81TS*9YDtKQw4zUSt5fEg;O*;dlnL3=VEXOR|qBKd2`Gm3%wd2Lu>+$rPRxv@oMX zZ{k^U9F7TE{WEik(f3T-SZC%WFzMjAwf3CJ6wdeQ8@?GDZ13c(YCO)Hw=Lc!>fw%4 z##8jsoWa35o)L;KhI~ZjYA)(TWs8a`>TWyyWbb|&6_r!sjVDijB71E4EI;LLzEo+_ z{>_@6{6)+5)BW0pwbi*f6Jry(7Pa;c4yaRP;u8{{Xx8d{Sd!xRk=ss5iQ#G~1yn+i%3A&d~M4q{UO_j%?F;)2DWlp#=NiiY;e5cmCqx~ z7=FLA7?~HNaA0z(`c9u@yB$p}Ot)BCS}yhO^(}+t*J(1y;$Y0(0qu)aRWySML=N*A zEzPSU=eD0Da;x)a&khX@72fMAEj0iiq5p(>f{Go$3y2zFNxdzg7eyGl&VL6P5yx6D19GttEnIeZvytETbI98w3byw?nQ{+#s! 
z2@$VA4I`xc#%f#7FgaRcCjad8x~<_?F%cn|aOy^D`OyJ{wE zQ2oqDz3YQ6X~=O|vVHXQPH>rrtq`GOWI%2>8UDNDU!Q+@m0eMfXA}RRf!xVFpGrk|@xrsMro8-F zOdZ;i01weX)E_1+?+zRY`#JayTQl~Ea+4l3;LzfoHiA}F#P~@f3t*J^3Uxc+(2Txn zii*1q9O(Y~^{i6^oJym>2*e%H4%^|LhDz~JEXpUps)%Y}i2$AJ=(?8zvE z`~poH2$WQxLH1Xfyq9b<&aVHio-I1i;7QEEs7h4S^v)eXrafTSqN!G-Cqzg?{`dhv z7i0Zb)YNEq?P8(vLP~LXHV$>Q`dQPDK6^8#~yYW37LopOj<1e(fHda93v{*3e59IePSPNHru5 z($VI&x(b)v&XyJ{oHmk#3W2!GoO%<RdtTmtH8HU{^SvQ{ ze%hc{85pn^fTL57rhPkbh|0P;T5@;2Jh6S^VUifSfdCMj8<@<5J0mvEgB%>oi;HNI z)^v7;j_o6nUSoFLx;0s@KDb+5u&((``vY%oq)O8_DPSBKjE)YjCZ_j0J31hR=q>|I zH$N}0Dq!Pa9Qnu@-M(!Lx~}h}N(fZUKumtf48ZjHix&_|F7;(fwvoVXd7qGQwZQ3w z?ONG7nREfmc44v?9SJ1EzzvbQld<4wL^$Hi*(4WHS}M0_&O#OmU$NebiecoL2tWOr z3}DJ&Y!&^gos1I9&h+4mB6*x&8WrZ^dNQ`Tqo*hQ+1;krO0w%z@ zgS#o?ei{;jj7b|79|5a(*fb3f!IFDK=s^buG6$9x7RRkd{NW*oM5WvSeH*l-m6IRA z^?2AXO_mI4F2MZu;?+3%(a|hG&w_#}U@+$`^jO@xw~K5uJ`9J#t05yA`sv3|!)gC{ zw)QPD?xY*eEr`Vu%Z+ny0ob$!;v8_T>bhU?wzk$u?O9ZUoFw=$Be*tb6M|ku%x`HQ z%xe73=0vfF*sxAVGqWF1Hv7fC<4pgsxAs|gj}JrSVV&~g{E5M_$5I=mo{W9{@$H)# zk~ruvpk0K&>3uR#nm}+I8Vs;N1+RkMr?v06JZfsWd2|^TszZcHkNEz?&3~hG8%h%w zFYd^8V46+^V={r&4RIE|FQmMn6}DJ` z0Z}*ph8^3fy?Ho<6&a?|o7E{XD#Rv^o?ed{@^i`3Qtv zaDDC_V}MFhXz1wBP;f+qDP|tkf^^LXYru&^_(LB`h$$`$bWgW>j6n|2;$A#=yn`YW z^)zcY;e%*FqHS6e1eJ%hyI+%%s}zoH1<354hnZBmz8u?K>^ z6zAXyZk@URR`gW-{*2ySdx_c%nPY{M9!MUPJ9a=ur%ccodmuUE5+Pd!0WCgz8zfhe zm(NZp?{Yj4G?sYCIgJmkEgqf=G*a!O7h7v;@MM4a(vQsjLJ)s|V|Q~~oAX?Y8c__6 z-j|dq@9kYf?Lb7~Er;$;_V7`W+4&1^CnL+Uo4ey1h-?;vBG(X6L!Pib@^5sb|JfsAl@^k*xbSbqO}zTc%spCeuT87tGe1-CK8Oaqnw;WsC^xAmQqujNRUy) zCe%M8-@zqO*1Lz!;~2#uOP)h#JaJbrGVv^}|JjAj8&94)S7A|L2f-^fa75_o2@LGn z!b?Gl7w6XkW0;qVW(&WYA!hY}Fm%KELW~lA5-b8(U{*pg1QaglPZgkMlZCy(Sd^k* z$7=&K)kqy~ftBqw4Gr)g*^dq_BD~%i7%-PTe*73OL;xZseY85s;k#dS0`h9u^zleC z+h_V+y=`tr+8*1M_Pjz*h|U|k*_>+77xdDLi=*@NC4p7IyB46yei36Au@iE!7xXj9 zH7alXTyAI(d{YOuk(Bf5pYM;iv$(-TTu3vAo-LlNr1#_$`Nz!%A#i&(;(=Nf);cR2 z8}f!J@FkjBTGDfK|Dc|tdJ?X1<0H0hG@M}DNC15xK_QZnQZj&j7z)A3q#7`%(D%-T 
z+8Gk;_S}#a_*DTFL0*ZH<4waYWUW#Tzf&?ZMXx5FJekMXR$S~_qBGu;r*Zu{Nr9d!+x zHg1%WmBqFT$L*h!lLEV+fSqIygHE6Tj0HhRFpz!{6(*AI+E7tnnMjCfLjJe6yE`nm z61LMVjg3q2|Ar7PD6RMfXp|psKgCMtLFi$k9Y2w(Uj;tSEj>MKd{dxM&e-HaHp`sa z5CkVPvtI?Pa{{=BxPefh{beIDl(i##I}w^#ABQIhFP_;nBzB&8v8s`AKV{pNL|4~h zY||(R$sVR;WUvPTnS_DxvjE?v-d757kl7o>|BS$81Tau;`V^XFS6%VeNUse=Kc=Pv zdI6cy&(Zh3wKd0~Lr@A;;`B!t!JG^bGoVK}0OeuEiK0n(tFDTaVSU<9W2vR%VQWsc zl<4S%XJp(5a(eqV*VRE;wAwFS62P!dRFsULxdFlBLdgcw08o!fX18)yeWW<4p@sd& zY8a7rQ#epDcxBYk%43AIRifw%U}rKKfs-#W7HMJJtYM^=o> z%^A9?bm`J0-j~QSa&3jPPpPRb;FiA>H4QiBaFFaRE@lI*1;RK}vfy0U6npGIq>zPK za{jFb*2UUeoOV98Ke-LOn^U-H~E9V8VZQxxT5CHo%4K2l2 z@I;jfj^UHBuK55+5i#xgLj;>~_T^h=?H+2=>ZLOme(ChqjUSUdAujk%Rx3q87M`&c^u!-0TS$??V*8CkiPbiTqA zv{C?r^jJt>`fmQ1=20;U3Wx|2lT&)}Pr)7mnFexY*u;_1Ai=S-vja&DgZx-;NQ>>? zJrMyX7)??jGc^%Xy=X*(%p)O@o1YKW<$w|$=<~jbjpc{3RegO5QeEJ)$>Px@oImby zOr`h@Js-WN|JMC>A}d1~mCOS7p)eWuT6XaO!KTuq>U1*kdE2{_Us!sDo7{T+WZ%6< z9EZMt`$n~Yf0aR+zBMl#qoMOwp(Usn&A5crunm~b| z?Kk#rW-YhlucX}U;)kd=grCslr)@M$rrJRx;wSazkYq>Bt}t%;`n<_VtYO%hnPdC{ zvdx);u)6%R?kA{?#776M0~fBebg=#H8faV$^(RlW5|z*2ei~p*0GNNwE`UvB z=q&iPvr{T3rLE7-*7gwMd4K=o5*@5ikc}CwYQQPZ1AYv>xeCu@V8BKM$Mf`Q5TRO| znnn*t7~Bk&AGGdu%mg-$B!%3)=;w@n=Fe=+_YNN|#T}70V--LNhn=jbu`#vmdLeMf zu6#!*JO-VQK~jX;46WXB(O_gC*zl33=H%qyF{s$&2+Xek+NDc%KtE8Jp^0`TOTGJ*&b16|gPNVw7)Z{&xcK0WN+!^{Ty05l*P}yC+ z^vCS9dUw+0E$sUpE9*W}yn6UX$$wG$kE2bdali&zjq!^SCQ=d{FF_bTecIi@c@J_V zSR&fC1K_JMp2Mvvm0vGcb zV}Izn0~XQ_@ve0goP=Fy;6prSL{!Y3_UF~3TE>*?Qu{lAJ^N^A?n7ucB}GsugprQ!mZ_;P zl^uv-b&&I=r$3+3TwhN{PHs2<=r{>UZX;T*cuE`&S&`ge$7T(ZloS0kHerv2*BCjN zidfks6N88B`tt49h~f%KTuk18#F?L#449+Via&b+xjtG&v*}=+X6NKAq={YKkdgfV z`1%W|D%-AW7~Tj1!j_P3kQC_-1!<)l0Vx4VMUawG=?(!Y=@PjB0cj~|=?0M!lS4!@)pgpZh$IV;yVFHRoIvB9XC@?-A1)Cy(`>ayjauF^jFQlgj$~I^7nHQI-g@R7`Y4tcfh{wNM;N0dY}E4|wOgtrieNS8ibjJr}s7rA@YdBynz&S6M~^-N6E@`s_` zwwM%y{t_|qKG4%)QL@C^n3^Jlwb2mS_)#5xCMboNF$*lq(l9BRM?x%X-g(Vm*^Xne zv~e`ev$$fU$KQWcb_%{8h${<5AwZb$N1<8fr%V%nbd&6%hgl4<`^;DwPl}LhFBq|eno!*zvksek6>g_%Zi<% 
z3RePdTc5E@SkDvHF_&M3RJR8XL$`zh>`BtbjP!V^ zMp@=^eX`33822t>35x_M%e z#FN6=({;)39}_RD(b8!|0+lPCYjIZdVVOoF1$fXSB#12dX)yOv+ZIfH`nD~xZ^#M_pdoeHXKE7-ZTfNmEpXeAA;tjiAf32Q&VbCchEf(h39Z*-Q@ad<`q5a8zRPS zfs;s9RBH5nB-7fQmTJL?2g%@jPp4NlUp>?3w*XFFTeCFxyh54Pn3Cbf-r(`PwCmX2zDGm*yF00y>9ekCt7Gbel zVI(&C<6?6fN$?=wN}V8)#t|93b)}|h1yN<_6glF*hNx<8_^K}#PQRjd`FK6vmoWsW z7hz#`B()9WKj#|y;v89UbnLDm;)E4TW=X~?*_?GLZGPH48CcPlrH?zh?<8RafOg)L z)^Cv`iRV;c%%Gw0G&Lin&+Yu>)th;}~ODB#3rL+D$-*ZzLU<7TFM=@du{c?gb! z(>Z8SdFaPyEJI3dp_cv8g%t7jx0uz=};&Fi&DC zTo`uunX$FU6>}2UPwZyo>G~A6ajMlxT~>WsRgbP4dp!FVdG$462Z(5ghqWd(;31F; zXx2XxC@QdD^xx_x&SdJw7{v5lfB4jX#^*hTVCL+{w}Dw+B)NlX8NXN>1TH z%I@44A^9z?_-XKb^i17SP-x-F5P=qgpdcvBiU2`xA^cY$>V5@v1Dtqsw_SMriEGvM z%*_@9!~%S;JhGk+bs^4BCkVq^;YSc#X1w8c%!eLOz=Qmo>{l85dHmOrw@xTSS=vm6 z@V6D42m%SdVrpVpfa^LWtLoQ5YiG;=7!~NuFONGU$&trzuC#xqFT9GzGV_F5#u96Y z6%~4vB0@$I(Kr2l8FH@Dd_%bNjwIfX5S`n@Z6PqcTBET~ z7{>e-nI#F^)Gxndv1Z%8##zu33q=z}Aljp$Nl{%b0@WFSFR*;alI*lt*xpH?*Q3rI zLTTU|>$uW~0!)57-gw~xKC+}?x$6%R?ggmb)enb5W0!!X0&E3XS@z_}K=2Tj{s1Hp zcy$;6k(?zK1aRO(2F%9XT+0&iTU=aV*HDHDqJ6+V6CCE2mxCAFOM(!g*7o)s92}sH zd0U2#X8Hj{eejB-34mOw3 zkQZsQAAsdMbl1Ih`fZ4z%?U_0JXzG;$51BKS5`SPIwxTmv?92XGDc zcrg(X4DdKwS?O|chb0GL9V#_|@gTDM(nFS71L~&h*CPO21U4Z!oe5U3ntQ*fVt%q6{Rj;aIeB>;j4PmsLS3BCS1%c5Zpi0L2DO^%bc8?ft7u@H;}HPLe-* z&>sYdDYv{_i;XzY-@ga&Dp(<92vk!Opt)CoI)au13R(b1f$ODN@cFV6cma@^2|xX= zZEUPc&20iSUZk!pn! 
zEFSfLXKA$Y*qQp*=AS92e3wvMo<2yu-f2Pq_dYpbg>)s9e#(TGGc z`a{_Rz!)&d0n9B&m`-@7zMPY{{CQC@MO|G_Ca;bv6$bG;ctffUCpBKj+~-(rcl1IU z6-1Gf2NG(QmSrOt-x0UW<^M5-4h#vT%HT>P9<65#wHmBP5Yd2M!g7Tl1O`icU5f@$ zk+fg|0~vTa4P=~l*4E&vya)~CZF~&*`b$~tl4**H*)s(b~GBd>gkj`su2nc5uh<()*T%jY^<(|0o&*d4?+i|egCVyD)oQ2 zSMyX-NNH$P2rvT8pqzvn3)R8GqVtMQN)m+*dx-1}Dk^bkFi&bBOznO5DagMBhgJs% z?MUh3vaE&=h(_@sTO7kx^L6wr;urJXurY3w%1%nXAw=uoB?$~=56dbk3^3o;n#=vl z6E2?}nnI;zE@L<)1_fyu;}ym$f7;cxEO)9o*yGV&Zb&^W2abZET^voD^*sVv(0D?| z6%cSWp_>^?2daozhwe9#KV-2%)pG$H9c?Ww@HuY=4u^^I$Xoy;wr{jzu74c-rFn&6 zHztmrE;eUzb|@|4+Rv_8jGAjT@8~=4X5>>{6oEKbJXDswF;n}Q%+HeRxvw_lfufS5 z8KQkN9?IX+`y8YpZI2nR*A`?JmzlH;Hi2~H(9Od`OqvZ;6cP^11lR=9PzTS<%z&E% zim4OhzI%AMDd_#~Z?}-MyEO)R{W^ppQ1w|V!3JVIHB?XtS|?FD^qj78NI$Ct@hfyL zKxGR>6u>|+B~8$n29!}6`_JjA37GhRNCx_HfD-|n0lX%FM4*!k;xB2y(LlThk^)l` z9)$cgR0&*2DDXs>w1@vd!O>uaMZL?<=0Gkd2TT<2kVt2h>#nT2bz(~=MQS@ z=-Ug$D&`_LrRy_E;)Rj+M3Fd}xkpEM_M6haZ!BV$+lf^+-n3;ni$oR-tgPBn`$ywM z5GXA_*S)ganxn~PFC?Q9uad3l=w*@H|5kDNDf+t7&WAMeZ!g?`On+y$A2-`cB#viT ze-e#x<$Jf}a`4;aWMI~WnN7g#7yx@M$$B6+1LSsn&>cu5@O4=b1ZhBScdtVW4!mgY zf}aUIRaPdZPGQ<^Q0_q2=tA-4gOL0Jx`MM7T07<&Au#P08v|}I64OsU`=GptqwwHI z#p4idju;vx2^YD}r7v;k$=4r%pr=fRoO#)~c6|$)g#N%`O*xZ>A<K454InvNl0q% zGX<94=#1XFE*2r5t)XDBRepN#Iprn#b(`R=r#k-HLFSTvnO#|S4QJVrOmKJqDJ~ux zA5Rx?d<;+l|r04EYY;XEHZj0l3*D5RQ ztDRZbgB)J2scRPkk*vITrb))kyN2&ZUn;=b!#2ZstH|sxdy^EWF5v5CabF*ygvLtA z)_$4><$UK0Nj5gnXw{Bm0?h$b)E&}g{p01}h#ngo3s2k2o7a~fi~~BG7i5rpaOjO= zf=nA+Z@`8JtMmi$|wv>oCDjd)C>OrCrWzj%beE+H@NFoOg#m^iGikxawKF%gpChxTg1IdOAz| z56)*Q0QrYN$YA;x%v5o$qsNx^Ig3*UYz?}*7WnBZ>1O0WOmPJ`5Yn937ueVsS1|o{ zex|nu=K+idP!6kpHmg3%ql?V5ue7M$0aRpS~hxm5>puXg54Grs3**UOGVGn0^+TC}=m<2q_Ze1TIIL(`5m` zOoX^HRqe=_(47h>9MBA*sRapiR|RxN;fUXGaX>>u1F9G5tOqA9`+1--!Ig}am`E5lPz`>+`&!AFXzX^91mh`1v;H+> zhOi&Cl>X>z6lQIn7uX|i=C8QzZ=DXE(+7Q9EnVHI_oQHZ92#4bkT(Cig{JHs>3k|K z_vI%>C7|+xri4HmTFTHz!p?*Q9(bizhH#qdN_dYY!00OwQ^V%IT%fyror1N9UHxZo z3ICZPYd)cYJ6X6O1YKYZh(4ctt|Hp^~uI{s2zZ%b*%=Y!x7RY=)gOPP=jB96dlcL4fG)^ 
zRLz25#0%uvO;*@Z0Rj^3T@RFj%w)K|DI0`fx;yTs&z?zm9@=vyh*v*AUnInE1i~pa z_6iCM@l6sD2xc&B=!dC=&3;&2SwZB1P@DjFA@-lZ_Jtj2aMi&i0T@>mlgb4hJ2P-o z04oTqAeqPi{~ZbGV8vWu^}0h(LWWxWe_9-k(BWCU0qsWUa>Qx{zx7iFH4JKGMdS}A z)ZPWjEO5$}3%^q$TG%>mrCx_rQ7BwX?nB((R_ zuP4A)kh=1@jX`rQK7P~=NG_+e6s545qbq7X!5|EV%=r3HBfeyz`YDhx(&F+W4I%l5 z`w0UC;UNGA%EjeUsHFh%GU#Z+Apy()XgBI}j6pZMtA|qB8dbRImAn(o8(x7?Y7>xo zIy&-75kQM9E0|eH0cNN-OE}5A-!)I#G5ru6pdXVwifU?LKr`Nz z`5TxlaKq|_QUvXEqnKxXPM?;n@cXMje3)2Rcsp$LMKu?q1jFtwhc!;`>##yT9;A%X zO^eJu=_ek9p&BpprH}B%YOjT8|H;nO=Xh6GxK`c`T}o6!53M0+H@{8q2fhR}9zc5! zJKTFi1sFbnJ+#m=1xN$Gm+El(3Xl9fK%CN`Fn<+m^DXjkrH{=Z01yIv#@phd8o59o z%gAVg(Q(U+!j{l%;C@t1Ku#{g;fX%SoU*b1wwP{9_r7otj&Wb9F`J4?FEG7;#_e^o zk`HA)WCL(Iae&bP^w{HRC}CbT#0b<4;rah9#%t4kP6|qNpkju7xnecdKnW!)yzsPM zn`;AZ_UO_3#zx5=2A(UuP8q)?;&g=~0+W=3`hYkOdl2Qb0waeynW0rzx77fh^RzM< zbTE(0`72dH#I+c-ynkRh_aVW?8UV{c`{@~>D~JsE{cvVJh-HD&pj3`YO0ajR-BtVG z;Yqb$G=V=m`tW#Dg*NY9m+%&MzR=;(@ZB}>p1Z=ej4zmOhU^CEuulV<6g)FwC=Bqo zsvi~m`Ju<-B+Mhec+7o4xmF?6BLTS7%^*Q!ZH~bq>2=L&Sjhg0vhq$16*?)bP7ZCvC5!a`YM~gkPz_yEsA)`PPsR3{BEGer zYgLIp=ZvRO+WOD!gg46|)4WBPbXzo*oxL#OP>h5}ioO&hgn3!IR)k$|eMuR2KdXSB z7bzogs7*<-fwQ$q%+BBhu$wUo?IF`3B-`PU=(KH?rTHL+D(~4QA!o`$XWOyz5c22NeN3h;)>j zZJ;2{q{Rc%f!C;7gHp=e)x7zR7G19V8^$X$?Q?Rm^vYT5)!IY+<|+rCb>wsZ0WaZIKaZ|o z96JOHyd$k{SbW;nILreR`wX<#5!+?+p?Mwgn7ep$B&=rirDA_f~OYTWT7pOFPvl#z^;IFAPc%kU9RoujA6+c6mbiQ(S}jcKO`M!$S@qD{S` z=Z`?%1FQvVdB|Gfye>1RNc~zan`C+Zt52JPTrJib!=_WKOKHO3pC zD3bn9*()ES0;9@6)iFLY0%!0Gk-JKo;F}5FfRKX7$g}_y1~?bwP+2_OnsTO%FyOo?&J3%w8;%ZW52G#_26q8jm%5|z_-B|E z5e#|oD&K!Vw(~#_O^PVkz`1tVzn(*mHKpe;dyA6EDC3vu{ip**}JDRqMsN^S$U-LJ1^Ggh}|>k zX~tYk+#X%#rwX0Pr}rP*$-m**tksHv_7`Ys$qFx$6_6bAz`wkv?Lk%q}}H9P)j zZG|z+8<3J5!4ns#AHbW@PXY2jPQcIkc?LsGb#?G)1praNDcBNfeX!|` zSACoa#Rb@@d&C4sBw3kSyBO}w(*I${NySE7t9uv&<0*h9tC%|W=x!H_B?F-aS zm6gC@ybX&3$eXa_fOGYGn)dQGd!$54{^PvS?haxYeS&>yr;EV6e(FQ9&|PlyN9QiTwP3I2 zT^Ahb`%2dn!ds1Di13a(Tn+GuuVZ6Jt8BcD2Wm$txY_X z3qWIGWG4>u?b~Yry_NN70OAN8ZysbhfVWznnhZ-o5d-20>=1~XH2^*WDKsWV10Y#& 
zDTCTf;%r-{Y~0Yx>kAOb!PN!|{t5d^AjJj+b-+)+Q4IkIoK1iV1xhABY7#gNg$7>Q zKw6%VnrZ~a=fj5(>tNkcl91>;e0coo^61rKF=XDrW|GMUa%>MJ6&3J!pqmb9Zm$L3 zbtDodd;<{+-Um<}b++)};17j`U=ar~&5SPzV0B3H08x7Tt26MnJtC0ozZuCwxnp5G z%@ssR4zSyRzf})Hj=v2Qj%-El8crmI&Et0--Z}jjs-0E|4Gq-QDMi~x1kb81#C1BFOx zh-aYX;HnXJLauG@B-Fu%>B63 zR27My?rtFVF2^8l#%cj1xYz<-+R*d@#&2va;}lK{4_}FZ%jyXDqs@zeeu+RD@ITPD zLF=KcUZY?{c*fnYXAHi8-~j3xAe(fGJ?#Z`1H=R%%9U7wBk?O;yh$b1CqUsSJ9%c| zTJrHD4nrIWc;Xd7HN-{LZ3AQDAs6;BmIt;5N=c)srw4rUlAPD;Y zZ<>?SZk4+ej$dZLqtWqT5@qNGrB&(I|F%}crKw56i+o+2B~`K>Fj+4#Gh|04@mGv~ zQbX4k0KU|HCaFeQ*N#Oc59DPlkHzlzM1PqTdv?7OAm=d17Gfb8$HUiV4D>FX`xNRoQ0V~Q=kDFRz%~LZ-SW~B9RJSXMhW9EVGLf#i@7=w#%dxyyryNdHP0eQ;SBpTByPu_>$_C|FdBP==;| z*v;?Oj!;lZa&|n3O|^i+VAdI4`a6^lMA?yLv>30Om5`tb&TLUR{I z9kl<|X?$Mt=R@5a@+<|K3Kw4%I6NpLvf~gI*>4aCbF4rHH6_K7`ux%JYyRvh9{n$E z3Lcwqc)S%SQX0H0zE(25VrhWzz8>Dv)H#V*oysxz=*MBwX1TzavmFn`7a*MQphT%v zU0f>C(@jh`@7}osH8ynNAWlI2Xpv2b(p~`TF-$fKjuK2i7!3^Z1E!v%OX5N#| zYIg{yNT|7AEaAm=wes}z7WJ#yK>rc=)UX*qB!FzOXd&@jhk>@W&^rbc9Q1e{jxhV- z*|W6RSeaZ+Xk*645=k#ZCIaMXFbbhx%ZQO7Ln{9@$A_*j3$qyKA6@V}S?)(;P#n3{qRS4OuUY@wS=N7|4z z{VV8?b3%f?bn}h36G}h6cCupNCY|~4dq?~hQz7dEZlugdWKMf4<`JFY)rjbZTS&~7 zzCQ3!V1+rwAOPt8bvXJ~H6Og~AYj3shokI;Nc}zwaFxKB{XS4(IXRj6ErD|cW>xz7 z`ilns>M+#WzLTi{ig0k2O&0-GDm0G(39?Yi(OdyWz?Vvh=j}4+?Sa8q?lU>Lx^6b+f-O{LrWrs>l9P161cXlr zd8fV{52OM_M6oENL|avVf|Oq43R@j83Iq>h#Y4LkIOjyO%1fp}tA;P~s)Q>|;M{*ox3z zyQ2K1S0wNoUXI#C23ES?p#S@2iwwhaWA}@rub;So%p3{sYCb1=L#`um1Ve9L2|QZQ zaBW=DyoMWc;4wS*ayK;W1M$a-fVMfIEt3~^Yv;Rsb}w*s@bW7&FI0`w`g6LRzw3k&y$Iy&PMJTohzjh68~17Ch-eOtA?E-2_m zHlE;RJ%DS=ndQ7cn^UHhFEz2W{oYuAhpnIU#rd=Kv9IsS3SZzmefWpA@Nin3cL4m! z!)f%2A6>)6^@N5y@U+D^#JxD^SH+C~JYeYhzKS75pjjZxP8imD)2!;=z$EkXy0t^f zPg^_N4~26+e6;r~(^ghD>oAkUZpp>J`H6daY9=`wQQ4OeDN~a%&lqzbuu-O%``{Ew zLicfYV&eFC#~el~04GrI&!ri|jgaJ&6aaR^+Ss|dXMy^FQYYr`Qb#9{9%4J69zKQD zup4i|L+&h=DxGM{3Y;YJA?o#lsAL@_&%MjE(!mH#~kG z2Ye#?yytt$JbPYNm9B3^hetgt? 
zK6P>0Qo|0b-udI_P+;7kY2KiM2U@lxLNo zbkd(1!Jp~1j#X1`24lei;s-NAEbZT*Dng~-l#~q_OxlobgY+AGmLb!H!(5+(R2oWB z^p2gS!$)f!VR%%p-}pACm~Nk`&@ zQ!AM0nNGyPW=P5>|D2nG=RKq>Ai)KG3_!j`|A1#|Ef9jhW)C4m3l3EkvcUtN^o~r^vVLCd7DaomVFTTYE>F8*LTvO@oJrNT_<9|Z&&1m)W z=L(~+kOmWD`CQEoaZ$B&fj_#MS%JylF(8BMUS~yWJ~NZDcXHC|Hoq?Df)DlTbZ(e% z@e&CcgMaZ%?dZ_=yn;;L-j-PEXc7v#qdBvH`y70N0?7;fMuvM`y)$;agUOVXyYVTV zR>GE9o>3S-+Nj23`2c((D>k|9v;Eq^cGbde{F11kxUi0vN=sj>P1{W5;goXvdaiUn z(3iS3gnJ`Y7VCE5GV?SG%Jc4UdcRFd+53?9WTrM0$Z`UbHdWZ z!&^1UE^R|XD=G16%1h<7wD!Op0uEApYwL_bYfMZ`bV_5KrrT(M1Jd&~zF0pKrA@H2 zc``F{c5FQ{Y53rp$*bC=mM3nwbx|hRh5sbQy^XiYDC{sRAKIFEpsY5ve-T8~Q4^hV z>G*p;-cVR@WQ0RmxqQ#5q@%4T?Zo+^UGw?d1+uSqrhiOu=*o>|!`GCw!g93F1Tu_t`BR;;05<;AeodC(gI zF-q4%&Bg09Y40-Aj6o>(NO3nVWOHrCgR12dzus4%E$;GNXsATQ*ZdK{?}wwu;pifK zp}Ia^P>O&Ms>vNk6Q3`GLp?|aXLwlRO1J;)Q~X(n=k1x(Zz0~_2Mn7Jov%*zFNTS_ z^phm%E>z?Kp4r&y8tEmxO?BaCxadBh8WH&j7yW=@rEFjSsm!@UzUpIgp_#6v!eUjf zJ5HO(sP0rryTdV;HAm_a2V3pq2!t`SZ*g(z>EU7mF~o-zTN{(GkQzcVJF7p=28G3& zn_E7Uo+Td!zP84-Jelt62@a3)JdOC}Gb14qN!LgqpFjLtHT{-d`uiluGwF%S11ggN zDJoiF2z6XH!U&}Gva_wVzxz%$9O{mpdtJcJq-i8*SJ&rCmr$xp@#bWyRX7R%A^J!7 zPf$#Q&*e&ag9O0@$5@vVnZb7hJx+baO69ITF&~B=b+xTmQw=v01ga_n{nH*+nlc2M zJqgKUX#rY0U2hgQrCP5${exHZw?4cTs*qI4;k5}aQE(K@ z4Hxd92~U%>#364p)fOZV{a@_ram~rneLU21^CyT`Oj_VS?`2l%`W9C(sV_+__I$p* zBEIC@&z>N~>$GJ~XPEV6O#K~+)8DiC+(EG`<^G>XZdX0)OI$zL+$CAGA09V1mzGxB ze^Grr5|^4HDa_Bu66Wh&ceJDwBRpep5-5A~5AUKLb%(3Nr0rwt`>q!!u3P;T*AKk3 zhJ9Q=+$V=;oN&{DV>gAUdRx$`{oN-!JvHMmbEZ%E?Y@neOKxyho0J^{0fOQ)ZueEz zi3r$w7IsHw+w3|*SPa@mdUXdu(~YTOr7!m0q1Aus@cEwdKEA+oqdYJ#ul^Nv<@}!T zt8KzbG}e6jS4$1`jp-5xJF9N68B_yIY;B*7jSSqw&b6>CC=*RJ@*P>{D62A3@t)33 zrsQMwm8tozvC&z>fAvUd#)RU|upJ;|Or$g-t^!=l`eSpDKAgS%*-Pgoo0kSmip%rE zwJj^vNkjdqUCxN>$gCST7Kg1MXhXz4Z-Dz4Ola)~kWzLP{W9 zydsv`Jgd@TEoqZYpD5p|**Lwt_o=E(wb4`WorF?vAJ{HP!i1}TiiL*8S;JBZG3Mug zVzPb@ehdYYDdN{sQ{upXS@9(o7{0^9wA+o*%PHv7BrE{@<6c1D@T`e|| z46O@JtdUelpK3$xy?%|U7;$bKUD12{;I@BsdX?H`TOVo9A@d6>Yz93n1^BmJg?J10 
zqS|8D(YLvO|F@3bB|Y0ipQ)VieJaP&-Agbqk^5SG!$r$P!R?Q)T-jtKS$~q9y(s|& z-MHTSNTJFU$>aO+y)fYmLuz?#xo2Mr6H6^$1JyG z=!7@s5xACBq|EW|$>&D) z^-U};7Hra5P~tMkW)H#Rl|B5)R2MR>sJy-No@uSJKsvv%k?%fxy!@=HEOu|2SW(vM zAf)b2PhE_j8au{p3D6;1{BLSR3A2i3E)L*-FI@7uK+2`3lb`$0yH{6_jg0Gzj=fc5 z&(APz%W6}`WMmePwSVt(6dBXdz_9Oh1;O?Jtj++y1omnnkeb=>(D_Hdaymcf)agt` z<2kF99pZ}7rhkhqd*hAz(5*OU9Oj!L+LMkEE(53kqcpJLzFKK4%K7vuD|eb&-HZH+ zdX)gxDgl0nHS2^eO({IRxIuNTg!@cJ)6*O*<)5>@IwY$_U5mf_Xu8wZq`pi*FyU3F zj^5Vtx-9lIH#aMh?XDfCGQ=X2oV8M3!2_4w>v?Kv;bspn%?L0wo;PAJ>>s41FH(K3 ztZ>5-I}O#k8S|*xkyGqeL2)Tsha=-%?=p35JvXulv5~h+Nj0Lo-mV1FfgT=rxT-$w zOGpu%M$yEWj2>4%xEXWjV?k-c*&2%A#$6qu4k|ee)znj+9&+;ahKx&tN>lj$KG18UR2Z_bhH(R4XA}zMl?YJiR_O79RVq$GwHQsqfy~pNKzxw_`$lxWG zZ&2aX{BY)q+ZIRShSHP5X`@Hwdz+93T(n5uVmZGs4v=3B(n`Qe*HFBi#F{2@`i ze>2AZbZZkrl$_5Cj@}+1K7@7C%C>iOdBoBCe~6n=BLxRRh|T?R?H0UA=hV;<+OK`Y zcH`}|jt7SokG93Dt%>86aw=Ecfb$@!ceG&ovv&FP5&oZO`e0+pF#J>z`1p?P79~1; zC0cB8Q2g;J@NnpI7<_p=_|qx@7kmXHhTCRh-scUpjBb3pEO(oA)G%6UY3i>ZPNFa+ z|Ar8w*O98F&w4#gPBLWvSXtRcxQm-NrLv1kxGrV=36Z7>FH33bL|xWRHq9I*B6V_) zEt#N|7qgOF6djq29=H0BqP!CMmuB{UG$;Ld>E0(=sz7iOl7__kY^D%eI!P>lE z(jVa~U%YUXl!PSt0&h8(hQ7T`jLm>IwH=XnDy()PQ$`Ykd0|*q#>47~`R5O-QNR0U zDXXt{_5Gg$}u4UxFrD+>I*L&QVYWG8jv37HyMV>HE4HSY04pjA@Sto z_g#p!TJ|p*t~Ut)V@`&D`Mi+E(e1`ZQ28L@xNm*5v-i3PVRb2_=iJ|kkBdLRGkTZX z@|dqiUcMsYI_5@;b~4iM$4FUTrm=8E?0fF9u|dZKvrqaQ#W68KYd@CK-JRl^;UcO> z;t&q$jn8}{?RQeQ2B*f|R)^$v8B$gCK5Cx?IXk;X?k=|Q2=m8QRyn*p3(4F(B=tB= z3u%Zm(N1(^9G~q@keW37IFK%`k3$Wtb|-=;PCWj^4X<2ocx5+FQIJ z!T0C#G+imnR4o%@65tXPMk0~D&;keg}$|*fAK2A-7Q>O zbLQl$xx;?3DsuDM_F?9rH7mC<{l4aw)nl%h+c&2z$&IFHBYO;~*8E&N658t>E)}ATM!{}YZhF!uH2Gpw zMBYLy$zJ;J*Ef25dwvdUI>ZxmpS_4EzehKFmX&2kv9egs7_(fi_P z90qM;qj=A?Jf9$?YmO&1`H{uN4nC)HM?#KeRq6bO)G6xtTm$-J;(mepl!uzB%MydDDIsv1k%cwEgjxI9?x8L zeQ4v-RN`L5>m4bo-nur*b`r?}ovWKSvoyBGaS(|spM2E)F`J09JZCj&u&dFb5p{2q zi_4yLZ6Im*Wk3Mu)1lV=&uVU73VrjG5v;=grHMVSy!Tul**Y1So9p__9CA0RN7*@g z^J@)vj2EeOcU^4Zi))sb^X)zJYIIO@mcBFIxxCrp?j%E=(tB~d7F>9%3+}dX7<2mh 
z@%d=nV&);*+@3oZ9-iZ^uAPEgy+dPPzJ7h>vlsu!N8FBJZiDfu!{z)@J$!0rnA~-C zrWK|wrtJ>uWn_!0f&#Nqe`ik}Z%+UQ7RURw<SKCaq!7Zx7UNV?ALcRjHw z+-&D=>Sn#mnj)3&SyL0siRm8vo@i>j7#X=rT{JeFhj#J2pDi*M?j~jUytEwCx-W2^Gj)&Ahd%ni z@|J!Q-1Ay@(vxG-goG*=XN;5Mh-0TWb+R)8Q7gDx0CRtBX)zN7sbt6*f}t^RfgEqt z3ZYCQa$z-g+F!Myd_VW8E8Z#BvW#aM=ja>cH5P{}ua6(i)ESzb`^;{txq8W{`g{GJ zS8yOzT1}Qe!1Btxx4qR^e|p|T zY&f;y@Z|u0j~GX=v?VnDIM|CiJ&HLp z?k2r@6^rBSyp?x%66+loXEZT9r~9>OQmPwXD+ORh;WD0)U&dGE4wr4S^);qSkn9o}DN}74rj|1+P`E7Yc9bN3MZe|Bv9u4DLbibec z`KqyA$HJ^Yyz9p0>vPtq*q2kMLLV9kC10hz`q_1o*DhnFMknT(ET3Iu*x;+0z4lw3 z3i}#%&n>oKHKhcKcdGKD22_F~9x=%JsY}n^&(8T9|Du z~wMbPK)1B#C4O#kX=#0V%lDzx&GEA_Yk{JTr_Pi{Yy<=t zr7IERxif43dQ6G z!CfQY^YLHGyZ4UodJ5@w(R2 z!~Y6D)$PJA(PfBu21S)wc?K*AQ@zQ#jrd#Y9;YXZIBjf_!R;q+cp5A}vt#^~j+7wNH3TB?E%b=MP!?Fr_)&v10eB@w z@&ZSZd$cZ^4A{Q(*s=taMe^CYh1%@7nwinvzse-^O-lYLQR7;J!i7Cox=7bXz(Bf? z`QlFC>I7P%l(XP(^2lLpk<>m@9vJqO();9v$fL>_!XWe3-_H{{g#4Ow25ki12gV56 z#EQhXXPDvn-V$mi>~JIv6AX>S{@CASq<_PcQf2`drZ^jfY7dySQ ztvDHP!Fu^<^S1(RIbRh$l~x&_j%`I@_JVAHndP%g@juqVPlIk}RFsxcdMo-$dUKQCVDFH;7}XAkD~f54-DO%bH* zAG4)K8KG*$^N@qouPck60^o7^@n78oO#R8d)W91wy^%S*;>|ZX8fOupS!1t35V>&m zMpx(pu!*|LI+moFN-;jddL*P56gijLS!LSWRo1O%8#YtF#24A27L{&CQTbtpjj|I5A0md2>IcmWn|zx<>+~G)$Cyb+X(r>L0f^7 zTq~YeM6XYOA1?M@a0u(a9+M1;?K2&qKvJegE{G&ONnz+tS8>`7pnlyI&}I7N@W;E} zCm3l%o@3ahtKh*iUl5K=6-MH2=|6wJ$Q>Y9>_cRb2Cj@}oF~b( zbUhWe(q5sESm7r64;eGIFX`Jvwxve;)h`tf7nT10cF-@Ptb@udm7YK687);dKGzZ< z{7R@gzymv^=pFs@>1Sx_ZkSCL+e_`q=MMyA^9D}Hcv_$IRi=D@a2fI+Iy=HvR=2I< zo4Al@k<}16stnKu(&G(U+Gk*g?Lr@$a6zmpOF%9~5PVPI{XHHlqSp@;Bo*?M-cx)= z|As0F;PskviM>Qo>^7a-qZV1z21C9F@?C0bLFD5y#zv>u2LjSZci+eVcs18-FW(@ERg9?#b@daHNBI zM^&a+=sd8-!_$Kq_euLmcp?h^B`{jU0BMlFM2iFS+MMN;C>G*%9U5@qeeBv8;16n* zz{{Tidf)KM7W+GD_O%U)x{7+m_Q@RH_Wj3;TIGor4K^ZH0|rMve*6Zze4Eo&?`zdF_?@P{qX$C2K9jl@w5wCtLgQ_9_1ly3Ez7^toDoF$ z9Xuap$kG1$R8#rmOC9pggiQ?YoX7~-Pi%vY4?ymo6lAE&Yib?7ficPuj`+`Q90~p> zbn3Qf(a47n;5~FJ56l&TTm_at+9(~rY2JSt?Fhj>9pmZSqPa|{l{5hkTj? 
ztSp9clR&yP#{>%lp(p~qc5!j7zd`64ES=JYDRr8*=cc|JkVjE}vu5Fq;XdBKsO$bFma)HAVF17zNH<1Vqj7e5fQK|vNQ__q`f3&J36dD zO9X`Bv`9|~l`vMKG_T*o(^K+fnbCg$tWhwZT~vc|A0h=vP3~+rp%YQA*8?}=vAzAB ziXkhYUyA_K3{*sUx)bnDfxG`Nix$4GelL6QH)-5du>Y9um5=6VuOCB1t9?F?vZ4jw z)u(1)uE+*Lt%aXIK~6FA>e3r1s~^z?WC_3$jm)q4zOwRCK(i#t=dZMhXSEAQrEz1D+9pDM(GbJez%=z(PKQ-~^wHEh^>2q2DTt;B zp0@oi;>**`)`fYcG;9;6EqRRsfqbrfnWlI+I4AqVYM^?kvY*Ua`vELuBO?_8|NBgo4->~gV)EmMa{e%| zNrByQp#{@1Vc~XJ02RkhAQ`luKv`yq73HBV(EdI!a4&xt^_lDsd17EK=I7@-{HWG= z_0dLAG4wtYG;w&B!6*WTgWAG~b}&H^hePn`)2HA)^rZA5Y#UJMz{v@Ot;;5mn*nj% zKN=)4z=gcfqKrU|Tr1KA8@tlU^>^<`fr-tPpd?YKTL`8_Ky&w(&TRh2*q0uda?py# z#9NLOIsY#gKv)O7AK;})b2af+AMJ5&RsL;v75C0$io1hUfEdK3dkB7P$h*Q|!I)Og z;~Wv2LN+Re_BLo1S)$Wl!@1lAHKu{*aic) z8ipv>{SJKDY!6+FuMMXX#Ar|Z`P;7z4h1#7RjF;bmEetk$c|}FNKs+wc zhNIvBym$s_Qqt2KVWvW^rVY4?fDIvZ*fuC_K4F%I}FCvemRQFtMm zoZou=@;YmatqqE24uC(Ic69n>w&=NzZ)~nK?g^RR_*ay`bC*Um9%elreGglE$F*5P z7}=0~KJ_M%D5gv8?hR=dXHyI-cJrura^9rdV~=CD*ziNb!y&XyG;{-i)5kgxYhS_WRWQfH_7wrf zJBT`4AD4p7WJWVQN}$FAIo;^wAF%8zEp>z<0+z)|J`9_^1e;HD8=C^%LNNTQ0P9YC ze0*3uPmth3b_Ci(*aJ5(cEH>h$p6KUYTmZY1I_(Wo$FHwg%-s?7drs~-{#*Jb|wfY z3$;J0N&IOA<#1-^Jj%@w+xN={$SFV_)&-PYP-6o}2LiQ;*G?PI;Zb%8X$k;?PgTNf zUB8|I*tNjWRvRcGM)2I#c}M)VhF@t-AB~~#nt!oL-H%5mu>>x*W7Mpk`7gDxuz^V+ z1wk7dm7l`NSj}8;i>uI(VzqZ+<|3Gd(dF?p;W?UmHO+2!(lHm#O{8+8~vV$f6K>0hy znHX$gu+7NVUD0=NC{fI%>^*A+mvL~{L2-zaC0{ipBJRg;^`EFG+x&u#FTOAV8X1S9c2fJ)j6Gy22<73D@<9VBrTr0GQd}r3>x}T>w0o8n({7Sf6%|B0(US;Yaq{m;#X#otNkNxlTT`k&)^ zSJGo=eyDpgo*US`_vW`@ZqL_kVAUcZXvL+;h)4_ndw9UTdzo=6n<^R92p{MuZE@XbZ=ThB0+8 z$i#bl=jtEXQRe5-RU&ozLE6y!_)ieRAh*cj@LP~4QpD40?V-A^O3dnFz(weS zI|{^(k3vA}C$|S(PDze#;c(~`r_~E`>%sK^l5|{ntYM!jIkuis7E*i+# zLq%JL+lY%Ae=q*VD~}5LN#dZ{%xDHaS_`xc8~L(G9zoyI%9XB6e8i62XX(fS!{%ce&ZzS@9{3yA8gUySq&=gL6C0YMxe5Oo1u zE5H~Bz3*eJpbcqkbQBG<2~g@m3yG}kumCzQ=$rzY50Z+lTjX9~{SgJUbkR%`bMp_# zU28VCs6)5n2K@R=c+iie7>gV!QBk0_hK1szQZP<53E~k9Z}?XOz^$!K1&jZr84$?z zEd<@O(WL&M<>vE0gQKH@F=gR^!4{SB;9GiFPbmD#UgE>k%i?^7B8GFWkd-TU7uVVl 
z_?5YUgiqlcN>+%`rB}~5zhpXdVG4f;hHR(47>QeyTV-zkX7?01avCeTCBDbW)%I8N zCJ)-3Jx!jHRfED{CrNkvCs3opjfYIe(bzclr#IGf9R^)}vnSqhekoJi+e@l26=jX6 z0j<)cb!R5nt*2;>3tZXWnK9P#B}OeiBq|x7#C`jdVmc%>deu-<>Z`lU4mVV+wP|}R zvgazd=QVQL6EVeY8*_1NZc;n@-YtPK{g*ZQmMokc2w5zDvVgdE>s$i~=BC7nP6GV) zScy)p)1r%fO5%LIbqZVSRPcApMQ+4^cOk8O+H@f4c4xXuNy6iW!R188SM}{?teg%TNwR^U8JpH_ZnAY@J@BNYpbcq;n4OUgiYy|!!*_jFT_|9xI)UDl z>}X%=eg|MN8Vcy!JH<7_h2%-s&F)0iRz>>L%WXggm5^_u}l zReb_56^hyG2^pce0y15&}y%?6b7aRj|7?{9yO5(Pa zo6BDkID7Xd!=`&3lDL}+GIOd)J4o9+4ekb>v0|w;c9kNLtRcIt=_G-I$)Y`-l1Zyn@M251nbAm)BXSg)oywP<7+jA3GAQuiju z!(s(RJ>rXGcEf3`)!$WcU_bmc@Oi2zO@UGIi+FX(PFU$+aBp&WPOu@d<~plqNbEJC zx3spkgoJt?+{!~k63Pr;yC94fE!(5lz9*xsZtGp2q^C8(Ur6xP6Q-ui=V-bwy}#f2 zkyV){@vie5$a!X8-mQC*ghaJc(c0FqVMze{1y4UzGgcdMZ!a3yi{N}0s6098ei1i| zEQm(alMr(+OscH>HnPi3gizgF9t;&2Dp2_WLZEwlWBg&WbHKne!kEd+5Hufj2EDAQ z`lLoTk=&G*XR3wELyQh72gY?k(joXAJS;2>w3U5)9Rc!9pva3Wp0c;U50qn1fL%Ih zTokWdU06d1Eg{w`+PJ;DUZK@>Wb4;m$2}t!c$7R>4@Oqo{>^gx-syu`ucNlxT@4#uv=P99b6H8I)=rz%-N;XztG#5&f$1QxKRQFB1|fM^*2Ok?uUTxckq39Q2_l*`BsKDJN9-(Dagh~uTbKSn1GZE~Rn z#yD*h^I8l>SImUTL}ua=)mMIxFKP+-qLmegzRBk*P)RI);f7a>rZ3GOUr&7K?xz+L zZ^*gJFQ||Ti&_BFZpV2OcDa@3)tY>Ubu1 zdfP@T&n%c9G*wBZq|iEB>EGoV3Owu9W5R%fr7AXpylaih8zb^5JAziJGH7`KZO)+c zMibbmd70FK6n1U^bfD<#>jNy9JutVteDqJtOQ|vqTO#nxs|PaGM>(L=5#&-}=8B;9 z4EHgsMU!!GIBRAAff;Cj0$w*BSNRzkdS|;+t@MvI}dMuS60W3#h_FJD3py3w8k${4OMfLgX3XgmA*#&~xY7sEhPCXi`OoSPaS2Y$C* zen6-%H&=9`rm-K2dLkoSoWjWWC|2b6(S@$Qz>ql25TG^mCKr!=uB> z+58romh7BdQ2*Ao@R~CC&?5o6E#@zz+qvB@pp7m&-(XW;m8Q-p!-4Qfv0htrnJ~U7 zb>enz-v_qK_%7r$=XtnVvME zsa_edT=gOM-b7QD#uE3mI!9}_Ea1>9z&*2ggdqM#h)_|wxjv&@b%3|#i%=`3EXtRg zjje;%-?U_nU+$RJQ}2QE(_t^##B;1&Up4$#X5aL%7UA41A)*1AFKz!}KpKoXAY z+t$$mJVq_2%L9^bs?DZKfogwL)GMGH8ZYj!IS2vl3!OHU(%RsT6(Vkjpq@3LGY)#g zZlSb9U?hWmftIF@_I98+gWFmRIzfTLOT*Q6-fAtp6&WN2PQSl_(*l4(iyWx)vEc84 zv|yDj7Nn#gfvClr@}+zk0K_w==I8r2j=^T2R}rAHosT#PLqH~>qw^g|I|3OhV805w zbcw3GRiXD*56iT!pQo1I6E=+ ze=A>IE_v@>)6j_jQGYy`t_Vyj63rd~lZ*xsvm!}_JN^J|+W_~JOyO}}>&CJPxD_UL 
z7F4o0``wBTZ~}l9988t@ks<>Xi3v^5+-9>8b;2-)Q4<+%cR9Y4-JptE={AnG{pjMT~i`W=C^E+=?6fawy*Qh=ya7s!PH zsI(8{m9%l!_xIsHQR&@IhJ^JH-1zQ*DJvXkMSwOW$;#@wI?Jh2pBwNMqd^lA(D&!D zUVa?d=CWJT0f5?al|5WfV+3)5cF+B2n1agYzKlhto$2x zOT%_NaSFel$kVe?g_y0MJ+C|qx$>ij z5n*37x7LnOt=i1_C{KMoEz`YHGB?m38y}8}#6KumJToNX%2wwuMked4X$3(MF2PYdesCwg?HVo(u%-E>Hd<$cu5=!Iw&wV%_}5VmZf@hafrx z1I3l}Q@x0K#pp)hfs~Mtp}Zn{!}S$8xkgq+bn{3bAKPJjxAehO>2_S&3u3+4Oc4o9z&~l9T zDC^-9BqVxRsUTIfNrejVF1ofg!Gdw0jmk*@15#Z8B8yXuXuY8a!$XSy79fsHxM*mt zKxE7p1DJ5Wk(1YZN&q5}L(ogl0?aQ83V@LzFblyqtIBR&IRtvN1+JY-Ru22KIScn# z*zj#V&=CcZ9RRq2OOXxnCUDky3zo&y(*dtP$W9@E|JDH5W@c)tTcYg7M*=wk*vCCG zTNIR&vjyC70JhDD2I{?f3JLo^_jY&ThoPRpoALbYEFms#)ABjM%7Iw!8aP^QcD67n z2H-oWW54`_*FS7fnG^3Uthxi1x@sO>zZzm9^MdTN+aEG{cJAvgSL%GO%9-*)#BlrD zcAP1~bbyScH@RoaQpFT`&gwU!b1n_(H%bi!_YVK$@eXUA9kx!{C??-Yg;|>ogk+kM zuwkjh%=StIhK?VstP_PryRlO84w=Lxpa0Z~mW{@+r()jv8ksn8MX5=OLvgHHO2*Bq zLAR4vK=T3l5~+xRgNK*TB_=t2g-7ZOsm%zct|XD&IjS07rS(Mt^R1WChg2?URhY}x zDv8(x-xmzgAU-*m?2kN)M_SW=Bt<^q87llhui2jz8^~vK>W;HKY28N+?%M;S!_`IK zFn##gLJ_R5?_NesFBgkOG&Eph7QARa~uq-;2?l zXf6=DH@Yi2d*1{$tBSc!cOPnOQIW=a`t>9F8c1^s z=Apqu_(RLqr#fCP#>WZhe3!SHFZ@VmFkYwV%fLq5Zp>aLwoM+rnq8N~{!1j7Db^MM zU8_;lydxc2p#9p9TDzISEbcjITJG*<*!ZECcke_5JUU}sj4P&3PV9hK1d}@(MzUlT z5TZW7Lc@z|;q=p#l0fRP_SzZSt8@k)n*g;1hPsjB$S z1X^>OatOW3xV{B0P9p)l+{&j6yFzLUj!6eJN_=zg+&sT*;#JFM!g z)@bdhgp@Y6%z_{2&Mmdqq^Ca=44<vAc)mcejxSykAh1dYmRj}FWQIM;v z#eu_1FxR|cx2@xv{vLAY0q&kZY3EmUK;BUuT^I)UdqmA9n2m10DaEn5xi$3WD)>cc z(U?&u?}J+I=~FL~D9ypr@AbX8!{2wKs&}I})a$?}n%cs?AYm?!?566PL^>jR?$TL( z=Za|=f?p1J$`U>LM*JQFpm}^~8ROq2+c?-?q-(2)DP9W-KW^r*|8aq`7iOyUtj+&3 z9;0ua=e7))j{(}j3rrz&zbsr++-4y?Z2LEXlIacbVHd<(hX-PIYL&s!Q@*SZga_2> ztT>tZIGY;M&%6A*NL-3Ntu4e*<#2>&PV$$ChtjD;>twEr>k4qe_E7F<5Q1j34TTsPJy&pATCkWs6)N&{5@P*euKhM*1x z>{yqh`k5o{fJ4+%@dh|d`o@ul)c5-u_20`Jp%@q1s`f`zKUj8vM&aT z+7&{e?k_E-4d+X-L;~)NK2J$|LnkC(U*1!)kcGxn?NSb(8a(7QAF+we0jx28wM_XR zW4Z9wRF9_M~=Jt{t<#YEN!jCKbmQL%49m74zP(yOTuz*#7k+!4%ZXZ)kaihKNAqPW8RkHYw1Q 
z!K$Lpdg>zNiPq0QY`S)yTL~lYc!FnqSpK8`OQ+-Rz(>UGUZ}il->`g&NEc7KHTJ68PUmW|+@ClQ7SsP*XKs`X+4ea5~OfKD2cK zZu#fBXF;kG>ZY!Sq0-G&6~57x9XXW)r3##tx7bNOEI071fo2Avl7oVRqQ?{uqV3So zffHqWU{=Y>%p947%>@*sfd*(Ud95cM7!li}Ilv40F%ptg=hGQ|L0ftn1f(nDiUg38 zWkR*Jc>{G>oRYH?^NcNiM4z7FCMGufc)tF4LdQ$~+HJ*{LJCG+-mwr=kIbx*ciYTQB# zjo4-;?11GD&D*ptP_|sKc4yQKe?N8b+Pwg^9Xb5OwxkWF)rdV@-vC1xsUG9_2uj~Y zD?OKiPA@BC$_4k(RONc@+Ca0s%*4znjj1h5ym@b&OC6ac6l9p-B`?g_0(z!NoE9JC zrhoI5ehbWDiA)gb5FDR&7=MS6n_+sdu!Qdk?zfK2jM#6VrvjYx_!gV@;sP5n@}0Rw zHMTn$Cpl0F2weEd)GI)Iw*$~&?9V-1X z@Niy*2H$x@7{MR`s4)QxfZTKhEiydoOAcRhZ(TXrVoXKc|OQdk=6$$U+8HIh2}Nvi|UY02RS2BQx{f^%F={ z{D=PXe{f0=46t+L0Xl(At0HJm3U+IN@?R5(-{yaaehT<9<00P2zd+1X#w z3ItX)@eQj@Gq>V4miy3AjhgDqLoE~xFn6VeZNCM(>?QqQqKNq76dC#C-uIgSZ~@4H z#zw0987%xG%jfJr%8}I*e0^}vEH-Du-yQo8DRXu42+jVwkuU&jsR^;yFKg5!|C}wL z%RQ4%{d^dhD;bnqQ#r-iyD;pv4b&PDKE+#rGAmG@&HOLb3UE>XeKZ{OasG#FCuyo3 zo9hS21aU#Yr50!%7#dRk%kkmxmHAJJ6kO1)q?{mk=C!8FVI4pv)M5gRl0bj|&Yqt1 zKbIU+Knz3PkKy6J7f_nKl**!LwOls+o{^P>3nF3Q3<_8n_cTNV206fG0O$Fa^tKNIGh7VXa(bBQeCuv@J9+)pxm1373;yaSuyQIbGfLbT35zr8!1*P`=ePRhSa42v<#B23Vy;9&y0H7~z z9a{&7=cuTdfo=EPrE2;=73BNNqlGMhtgQ<}0*=ue9l%uN=6K-QH1mBM1{u)YN?Z6L zn*)A4+n+NX1Y$s3WMn@{`-Z?H@ZyE_)rqlJKY(LH{QVg|GGO802nz}VGkILQc|eN- zejcWSaVaT4hXqiKiWYvzQvubnv%ML^!Ak&40G&aQJYEF@F=_B4urOrablV(E`&VPycC;)r)^8@Gtc)J-6ew0L~dHZ(IGOA|{Yz&A1b?-L-1mf?H>}7VZybFvzfX4Xy z4WK6`Bq)gcIt~RD6&x%gGV&SM9Z0?(>57Sn1o-<`J0E9xq>EF40RW&9el#x4dMC#F zZ$vOQIEVqh(bCT+Uj6qLpZ@;9O>M-o-hM|B>>Lnp-fsZp=U%*ba1zikG8ZN%CV=I* z^QXD=jnp zV1vO)kUb)`vsrNfib`U^LZ?BQ-`C(4t;Gu>PaP79%FlQjOl*AM9{aCcDC=Sd2qFT_ zfn8wC7iZHAzG@cApVk52?YF-F(>fp>bo%4}7GpU3i+_-JH0dBFg(5TlKVpoF^i3zE zv=;^zENWAh0_;PXxUH^&W}`;!-tHX;)f*<)G^){G7>Sl?GM32Q`#d?d>oUrYmc8nn z?8v>cJ?fo-mBpyx14~-$%MeaAgl61|9)AEp&8Gu?;XlZXMsZ$RUnQ)5StqsW1eY@3 z&rPcL^!Mj!f2X1Q`-Sky70^DlsB$)w>oL7+t!~CfSR`Iz z)D~d{pK1O4pE-K|)aCQ`Juegi;m7&^lSKDT@Q?h^pLY>H-7h;qn)3F`1YLJE^GQsoN{>A2Hl>=nQecmg9ugw#!tU& zV+j41(hA7Kd(laXCi4GofZz*+r0+kBV3L$qU#nyzD)R4qsU@2(_jfTsVDSDgJ@bCc 
z{rUg1Cch2@t+Ol$A?pEVD&82>H^_nROf z%u-7Oi>*IkG>7+}HSF)-5%wYf@2lgVxBo2i6b*$A#&QC*(9Ws8z-{F$z?hJuc=r!7 zY^s-yjWwN%P^pc~}0`!00fBe&RL2g~6#L$+G&Vatvj}U#Uzu?hSH1_(3 zD)~Jw^3w~V-6p5#B&7W5x_jKt?)bb#+5dcRhUDh{M6Dap zytD8TK5)A3_Gf|n=W`j7=a!Lan{oN4urYN0>j}U&vBEDXQ+GLAq?h*tktujJ3x2te zNrIV-3(Jif=49_bD$f3g2XZl<Zy-_v_A_{0>7`XagIH@XJvO{aKLi-gbmu{%xxk-A?f-XE3?T_mY@Op&YE(l8PR)MEZYmcjZ^ zHhP3q@cL^lT>A!zzEU>f$foEkN zEbV3S>Uc1qWSmOz9qbcuSXHn4PJ3}TZSHKX<0bMPZ@VI=&8HNmH+jrR%cbo^MkZi@ zVyFHN2?>Rnx3r7~Hq^h5@kq54I&`m|j`lHiE)%fDg?qm9p*oqCbjIEX zf&#K8@{ivaZ;IzW!W(W$46jfR1{w=xoai-$^>+^hV=1vjdKOMR9WE?*yBkT$o);Et zmN&b=1)tH%^*E~C>H6G~kt1@Kz78>SYxQLI>reRsK|sL#@Hf(ntA7fnx0lA2<{>=w zs_8N#n`lyZZ%_p$a8bSWeVnh{K_V0@xjSLPa-R;}#yYa`oPKYfEzMJRS#PHE4!euM zLWV@k%7jIWp2hwTGXRlVk9km8X>4w2zky+r-3ZUC3yS0^_ESBP(f*V%IO8FCC|;SCP+IjD6*103n_#mRt-^U3m(PtF0K=O(vE}D zaaVX|L+J#Nqs36@QaQzqD%4UAzr3LaCF2rKA(QB%*|Y^v&3o2vQdq?Kdt?J#+4d}h zfkyb}!C`!e-GA8=0E=`o*_i=T3()>hYf!e?Y5yHw#WGHIkCxkU2~7Bp7?tf3zJT^U zVbwm1XMvuvZeDiDd9!yA66`94{Tgf8LPg0%(0ma8=ufI9 zPBxWeZ4&)5dnm>Ev;lS|iJTUOL_B>ym%SSFQFeIk;}=r3^=ofS7ay|{+l1>C&w0!I zg8ZUFtE3HMs&X*kS2NyRA<_yUuVuU;^|ne{$00doz2sjm``ptXhq?JF^A&2#@PH;~XE^2g?c~gyGc$J|yAcdj%^tsx zONi%h+9O#NN_|gFJbQcE1b~<>B|4tkHP$(i1R%JS#7ncYvxb*w0l0AhPVknN_#mQh z41pSfod%fg0cqC4<1rHj3l$y3BLzeDB5g8&Adq<@?$e1@c3xk#UnHic{SWU9H+}Ot zLLAL*~tTyin+;Bg~| z4m)$DNVl!~C7QAe-6P0k6aE zhuqjXOW76;b7eqA!S|Xf3CEQ7`SIa1suvTpB7=AQgCO%xm1XNu7KGC%QJXo%>>U-V z(q{6+45=|A*=*(lS zm}$zc3nK&604``JH7N&VJ4!UCS3)XjZ*h2HBpBmJbGT_Supl|z1BMMnZrxYz{-pb> z<2M|84*l`_AcM{Kj8kS_FJ3?mV#vG))uft&>CMGL8l>f9hUJy!bVJonAnP)+XS@=h3q1Y%6iU<7buXQ=Rztdjys=FJX1$-i@LQb=>D1el0Sl zV?uUkcQH*wRL?IaDo9W=*8&pJH-)-Ps%y4(xit%&JiU%fy|;HfL$5^(V^BH2TPR#?c^ICXUyl)Gi!PPM?6qza}=yQ-B*aE*pfXRqvz@_gWY#`RxSlqP1o}3gJI68xIx^h!92DM#%O)0#o5-u2ZuBg`4$7nIe>7=a z8G6{3U=7rZ4S8W)Id&54Bx%_)12pBodEmX_%zv>j;t!fY;us6_GYm`}5+6zw(_4&L zN=vQ=$ljIa2ehtrxwwL07}b4ITfGiSXIOHr^w7XIi09@@soV-`sVsqMUgw)yvpu3N z!%K=UAaWj@3^p)QuL-lD_4LLF79ueaRCV3xE4o$Bk(Q4Y(-|N#H_r{_bC>3KS5#Ng zGv*Dvf#rlnD(R77FvZc36E_tBsa& 
zEvLAQ`^v6x*{O=JA=9z-NDFqE!c*tkH&w^IM4qr~OX5h^8Zv#?pH;{Zd`SW1VNndy#ss3ZZEc#N*}z!Sd+K@c+7#d@x}2L zQ=LyLy{q2`Lq)q$3%>JtzeCNtqeaSAKZ)$27f^mfl1sPC8R|W+S0-ySC3n|c?h7{8 z|4@Eb*EgKwR%&vZ)L-jpDH^iAYOI$_&AeGQ*smV7SZbCVvQjbou-(HaT{XH9Qo5BNy4=KTcYLD>R3nuJ0E>h}VtT^5k%iCt_<=6A)Ue`VXTZey zMzXWzkl59n6`C;eZG!8~i~`A(s%uo$gc%1smUe^RY1;hOF^@kg=ap3Qr*8ccbBRz()Z8s72wAS zSddzQg&t-Zs+iYR@9=^BFl-e>Qy8M5p%hiGNRi1XX_sa^>#e~yHTj-hv^LxyYx0XK zOJ6}&N$Pd{A9NV72-sHhFonx&su#{M+DfC;&|ICg9NgV1ZjZf1jNAgz_^fVuQI#tH zH8z3suA&9vdkpox;mB)`*BfHBE>{phkbn3B>Wn9{^>hgI?dOD1s&T2S#Q9;^oY$<( z^nZOOr83>C(FlKPW9c0=iK@3pAeo*M)!o^8*VMor8k);>$KkQwpCEqbo&WklY3ZBC z3}#=HvGlNhJ$sLluR~i6H#5bmklm3jFd7^G{(ZO>6@}^*%ID$(QqreSUq|vnt{eM$ z4??L0;-2_E)h6?pr-#SYT=v%t5J5kt%-Z%d)xfW&w?pUMmXc!ugX3iJa^dT*3<#gc z1E@c1YQ14+zmcV74|n`!pC{Zt>pf?N?EwqI4Vs=3-n!>`$J5mLI=cfuv35Qd@*((o z{|xH$(JD3?e5M((bR6jHpzG>bxM9;r50{(kj74wbrxVoP(7a(DHnaIJQ8T8h+eJI9 zKgH6kXlfTMm?wQZ9Ht3Zb!_BQe zF6_7lzk(VmBnZnMu%RBeCnZDu72*kc4Mq-xXY(TDq5hnYvT5;MV)b2eXp=>4rH()= zXl(oOb|)lSVhlaAKm3@zJ%lY@!kM+LvdF~565h0Q>|U;MWbm!Q%{3*zvT3Hb`1fkw zPec^R)rD~TrEnF&%mIO09rP{FSS_QB(%RUo9>=YD_RUK4ta{u%0y=ML>M^;MB2zO{ zKACu3M{xuzJV#)5Qyc!kOPFvnT+xWbUT-0U{MzB|>n<~`5V7YEq9&hoWB?z6%PrYnGbN=>&*DF z9zFs_X{UtT+U;4E`~y5Tq}LrJC-Z#v6=MdGBC=Gpu`B+vnJG>)bE!?|F7D>1O$#1f zHfpj|lyiJiIXaM={)F+J+HlA_#>Vh{y2qac@I^3}u<{j5&ag;s54sA{$q@Zqkv1l< zH^yIeJyIF@>{+mk7fE?Vc#wCB4Lvyu4(reNSWF-45nj#K zFloT}UNYBjrkDxcUU595PSn^NnjF`w>Yw-Er44PU&`^mMa$dKa#~*Nzb2W8MRLl%G z4DHTk%I7$efa&T7mQ)m1$|DagI+4*LRQuL}+SHtXhWxzsg06dHQK|T6w4Eu_pR~4I z20SMkwj^#$S(XvdG^6|?QwtOMoKY`f4c8f7bO$vtNNp7!cF;{2h7+)FUGu| zR`m|KUg8GtRg6U&M80F-uv>Qz{m?<7@q5l+gplL7QTUOIw{pk@(vt=219HZI+34MT zr>1$YhnR0%7eYU53dnxBy86*DD}#fOEqLimTeH68IeW2t6@RcXhE1>1B#2x>LA^Jz z!29m*a;Naz8>6os8{)0#e0Gj<)Sz@kw(A4o<;$mUpW`$_NBq#F~Co(()om4utMoKudd2AgY`NLd!l$G1GN zWB0B7?zPrIKzK4z_h=t9P}|XSp${Z(@JVZ`s%xn1ZmrFcvjAO=*XZ1a^vonppSbtk zGa4&vzvm0)$UgD$-r>oQBr zc3NY9PsjO<;i&8NJbcG*$26~}=c^Cw1UayHn(aN`$|Fy=91i{oBeR1S_zcla!yW z#=LI{Ah31pmr8+DbFUi#bzlXcs_UDi})rQOv(#-7#lq 
zX?3aCDUMUKn4@44T+iUSA$iI`)tPR|eVlQV^Nl95)8ZIL^(o?|i{Yi*3D2B}VO?b9_HhC)Ack+`F#Cymr zq3p_W#U(T$k!4P5$9*0$*DkGU#*`=|h*nBC6;`)WUxa{w!|04zsG1lHUp(75j{ypO zAZJHt)+c+H!Hpz7A5nE4t$v`dgm06J8bfroT(?WRa;0WoL7r{q^o!Ipd7y`TfmiuR zS47~_)Rph8DNkMdUD5;gWQ%;Y(!GM^s}atzC!X_X4j$&#KjVFdv)VM3rlk+h;GupW zUi-Kr^&lC(o?Xm4h0kRvl~O;WD0`RJ{kyrApZBaOR@@+RZ^~RhD)r{1;~-&1l`0`u zbM}%xS(Ll*{4L~H(62+6iVnH0B10v-`?n?!`#(pJTq7nQ#Ijr9>|tg_L@nrNvsbWB zRIuH+FEmN9%OgY3Sbg^Co;62<`E#*0BI~OF7G7j}M{OObj1;o?Jj>LVhz3gxjVGd= zKob#@7;>8*f4+*tCaN=P5A0DEPlQX=TyeI_`T9jRPIi+=$3&=0u01S;xlOuzKbTTA<{<9ZdHLPvxuO()p>UL@hEb;m%Gz-qDCvF@43_oFz36fm& z|Jq2IKWfhyz($5Vv}>dfa%W-X*?QSvs7}`0dVo%jQ(tcj>#iG#jyPKP-nrxRIIL%t zqM15#P|RFf8m-xsAa!plXV`uElgui#G9&KuzyMIoO$y0b-Eir8Ee!A+R`b(eeATFx&EvRvn1;C zk*p&i5Tc6+zL!Ta6+6X8?{P8d|6!I}Xq^_wXneXEl}{!k46*`rp8H?yyPZFl!=vcqqI+_Af{Z=P^{j9i&StLrV6 zY}CPr-B~i!-@j3-;~Wyj8$HSX*&z4^T+Sta@NMdJ*wGh=V(t;lANrdgpdoMtoPpxo zC)fP`xhPnqt7)%O@HclvwUSZM)38Cf<^J_~$6P6e0JO@Wi45P0a zYYr9|;WDkWK&7earYQ-r~L)e);m5Eu|sCF@x-1|z$F z^yd3T^Z}H$)GWaA+8vYNw4mWq;a6u`68iV*@}%%A%)J3StzP(=KemHfd8d2Ae0!@q zryl73FSP^#fkW^b?f;kw!DrNc&hXTfhUKk)kfrBVjL-Ri!)LxTd&{frQD0dwfB!pz z9j8c|mE%*Kf57lT_%?IN<+vii4Y$cy_O3$(=e21=Q8qRAMh)TqDwZ*CsmUFi zT;GR+->vw{@2N(!y7v27Yw^^oeSdzfWsR=8m(lse>LZN|c{S%j1ZJsE{dLq9+ZjJh zU7SBu*J1b>r7qdXS@)1zY1|MzAoXTIEyMUZyZ5Koxmo}BvO6kSgZ(eoN{2ST{~Q3v zC)vc|bg`-z%5C&(!k*BBM`l*E@{+II(rBYq%VG%uLpMZxN+xOe;H>&yV*I_vA8~QFB`5=un#2 zRK*h3_m=b~%o4@&D<+qvpA71U=*y>0!(1+yIzp6Er|q|Nz#FsbXI^=X$MxQc>i$G| z-Sct|zbfLO{&fQdd!@f#IZ}$-LLADOOb@ow6&Xd+;s_ReO30%r&yx8Ju;i#RI1kzF z)pz~6F|W;asCI*)N|xB4A;PeG5cJiz$% zX?}H=Iu5t8$Bpy{Uj^|z`2{>~n4Rw5J4ilXROKg1IW_Z?7fSLn4ZVbiS0S;9$2Qa4 z42)u~vo^^wY�JhVxS*0u4%{q?7e|_9V=_t{rhRp;Ur?V<%4kxnaZE8ut=O;2pRd zs6TD!uQ$!V3O=*W|t z4xUS9keELcJkwREoQpHp%(rFCJBv?_r1D;V+5Xz+XYG=LF*^mUEkx0vhER?wO40rP z@|)>Wb#WOuvQ%W0nmg4Hj(jx9))B3+Z_WF88mE|35}-fbZYNq`f1OX(%C??X8a##9 z*AJG z(|Hr#Kabkvq0^BYWu&_sS%JroNc&wrWRQ%X?5c^692y6CMVfHikpOZ)qfGKw5qv`( zB3C@Xqe+!)E8l3>aZle1&ElZM-uPA-BEbj|tiQkJIRgQ0m#3u!$K{}s%{a%&sCiuy 
z(!dN6{Gw@T$hSbKo)gKqSCbkOVlt9+eTjW=f3-I}d^u`||7`WW=vKKSD-Pp(k!EWD zFRrtGZ;XKFCOea_Frg=>Rs0DfjBPa~xOIPb$$zI@$4Grk7__d|>*9%pMA;C{CR$MKF~s3tBl zeJUX5&5m+uL*#TjqCJ(t+>FRm(IiSbLV{PL6Kn>jtkTHgFGmN?%Es2>=ERDxD$@vL zi_}9FbUqepF;m`vG`|J|NlJ&f`!cEJ^oC>jD(P*(o!vEbPfHUn&P;$_H~-R zU!!t-$vn{q&P?iV*Sp_JbC(fdszp#^G)jGN@!?{1(s2TADB0~g60wlXb=%{^jr!c7 z4Mvq{DvIA-r=tgxw1;2&HRT!=mfT7wXiv;Xq^mn_OKyKXYV20NYnn}tbr8Ql=i*Eo z#|Ia9sHez;ui`d~4nc(6{KV~dYd4O=jj6@($vf+bakh#39OHU|w{AOz{rcjA#x!O_ z#R0#0*4aiokCU;VeR~IcgUhAVcD;oL@%>JdkoK6XEuf=uPi1sx)t^{BFwpim_^qT% z<_EW4eR%m17-c<6?FAuV-T)~#aAK&;I%>~N;Y$;WJhX!O4(W-aZLegX?#I2$rRIhu z7s=#aBel60^Q?IRH0nAqwEaRD&*W=4mA$E}Ym{Z&4J2|3Ko-jdV@R8BYvlF?&!Qz* zhZ>h+Ch$!HMZUVzVO@zQ>>ut$9q9vn&;8xQZvU(@VY|-w|iJ3 zxH?BPk!9pHv*e5)*)@V=Iop5W<$3h-p^KxNg7xiI()Je&cda1LD1|o;Yw|d+#-m+~ zPfFl2F+27d-zqb{70TzycOVM7nx62F85h;}b|;nkc2|Gely(op_zt4Ax^9eI^slF( zF`5cf@^fZp&(2Z!=9J@M@##vg&v#!GMMOCam}0NziwaoZ8ha*7HGNYSX1u?i)yiN3 zR$F=nJ?ty6r1t)4^Lmu}BeKk#tRZ_-+3!Wm3EuO5Z+==y&sH5J3sCxoWBPJC9!t2So7F`jYN5#KIz`asHai3jR>{3+&WE*GBi!D$Ri^OE)3p z!^Db#vx65qX~XW(B^pJCZ!LkT(?*znWXwkt5#+-O^@9e-O)-%7=14z(Mu35X(XhL? 
z!B2NFzh5UaC4ZY}KS2DB`^7Sr{ERHUx06M$SENqI^s|X7HafK?J;$Xb;uJVQL<+Jh zujTfgv^tZa$azOsr~c;5mF8VDGbU!H%#{r;wO$TUHh{kvvW1jZ4HiYN4DdjRJ|;zqGnsZ8A$dJ`CYZ zJ^PL3WPXlxB&<1GLep1#y<%LH(RXEZK9{;M<=I`fWl2m2`q_6=n})?!ILWPVT3j1b zVtE8)Ke~SP4AZP=Sk%h*JZTvwQ4QwbE2_%d{2kYs=Zzs&+0an5x=A^rF~{TDHt(!C zpK5cxa9%JOS0{&@77h^L&`@_*&u${)GJgC)@lAgDr>DaRo9P`^Rqati{ z`y~rx%kEO5XExl9K;Acla%S1LK{fN{s536(n`S*P3xDxW${eP$Fm1$s(}JG&JeF9~wWAcINM(-jSg9c8-&gaY zOjMFnwDgeT0dS@ksmCJpO(_HBuC7u;;mNlAGrR|Zs+g8H7n4=l1k^qlR3ZT2GLh>q zG`HoO2k&9YY0~A>yBlvXopHRtoU*v6ildgmTq;3i?MG&W}aPODG_`AAe zN^`E#Mmf2n6_KrVca6Y&sw78)K5Ss-`qn-~P0z$>`2T9`+{2;V)&Q>BJ9~FyS2*tJ zLMby;h73)SY}qckR1;Fhbr_>9l(A`-sD$J;j4_Ex22El_6Qi~vmngugE6pv_+#>DLJ}C>EfVPsDEu+E%a^TjhpdosIp?t@^ZJ; z;4UGJS!HO+M@ez^jb&rV!wjBFj*6V{=;IU@AxLgehB(oh?ik^d7bi)lFBK3EYmZUV zl*ez$1EY>Rbtp$IbY<$1W|)%rzDiDc-poTgvh8M7yom1=W9)A=U&p zILdQyEibe0T~={<*Fw~8gdIqr83??Er62-TKOXeR+j%I}@XYxwC$GkJLzsIc^U~m? zSW^{!cN5K0Ll@(Dk;Iz$ov;}`&zRiF0H7>HYo4V27wzej^jNEPUlQtIqK58J$rR`UvhMOsg%jtj1}6BZ2gVhC)nJ zhjFDm@l?mON+H16-$yKR)wf9m1la%t^fbS4z`?S9 z&`%V9dtGnS-Ch05-VN}0YSgFJZz*sM63G-bl(|ct01Xq4zPcq}wq#$bQulQ5eodc> zIA=i9&V^SHt7E-kpP{M$XpS6#>l&t@UIXQY38Rd(P6#q_m0k+Aokvy1(~(vo4<5U# zrkUUbU!ao_3x%f{RTuZDU!#P2Cn%^Vr5c?$8>1jYX_JzJSl(@5c zm`#Xn(18dN&WS)}yZ-QX*g%fC{scX8RXJj$ZYONJT4a<6k>NIbAH%gNXa{I|5RvGk za=vcS5`--D_$}e4m5fDvFL^F)gTGf>s+idjrl_W-k$fO#L}`1`Y06peZ`9)4fvmSh zt(!)wsEbc{E;Kzs0cAGDd~2&yeGJ}UU#?iA20aBN3udFwA8|7&eNo9Eqr}(9`Zc8K zSJ_PYH}>P0Yevown*N1lzk?0tm=QBhVt;HdJHDW#33o|@MjviPEJ0D4Y1`XBJTH!? 
zyk~>pEWJTlpvL}cg$~_F|7_*oln4s?j}``MyDj9@G)NiOM-6&7}1~r z|3x07?vP`=i|tKE$l4@%OgQLT8~T2-9k<7LT)q+t!W@+AtSq89TkvjWa_@5CI$qva zlhesg?GBKIf|FL8dy&EVc{_ap_N~fI-`XDDliP+9o&A+Cez88s!YWx$NqFbTlR*yGz-3BMiM(>m}h?FLTOWMjzEMsnF zQ}Fi0`5&FEo2H+45I6)7M18B7?k`Z)9sHg(G1TAv!t?Xeo(4N#8sQ#@sYq%fwij%V zEQzXc_4xTTAE1Go4J{|Nzr0Lw?UrfkpFKO9)AibHVDJY)2-K(>ZosAn@R zoNDAh)|Jg$+sjn3;P6{q(#@^`VZAp4AiP%LX?gB|b7+mc=WC9y3DC>-%vr@P#NMET z-!KcJHmoQPiC<^7te6ya(QW!P-wHbpzckt>M@1UozIMvBXy}Jt8GK&=g9^HYb;L|( zJeYY6qoW&mwHkKS^q%gQ#$o{?zZ!jzu=BS!eJU$g`XAyqo_QpHH-jqbwe>KadA~G_ z$egF72y|q1j>028jN=g5Gd^t+s!{@?j&)S*ki@EqM_){AT*Q$pCo^MmQ~?T z2EoJ?6q(uzKQ_$GoL!souG&@6mpvGT_^J-=Wd8O+Vi`Kt5Ar+F#7!X!${I*(Oa&!QZzj@)J9-gS%kq(yAODca~5q}e}=uIhQgd^Vgl!kX>!2`wESB{tHx zy>)Ve{#d5p+~Gr1?y&iCtu(;~j4o5TgX0_Q{wL;4NCIyDQ}I7m_G*@NtzaVkCmXNW z(;#M8k{y`_SKlh>up{q3&|C0NsT)Rn??m@`b%*9p#54v*>~trH369Y%L+9Z3eS z*j?v7o7IkKhOgpRnPoM1Rx4q-Lh2lV|GW)&=L;BA{Ccu&S`R)TWt3p7m;ZJfCtU(c zq_GRwJ)$dRUy_pnI1(JRvSHP(z)T#j1OV^#S-=&+sc00180odS^`IY10dmO)3CNX{ zRiZ4ZNfGQ{SK5-D03TTLrq<3Jf@z^!VxAaGJq3e;@^Is2aPy?)lf2|f37JZ(R~}fo zG`oSWOt8C`@FoyOr?0OhHF}}_{V#_rtTxWLx!W3ix3Ez^oRsTSp*SrXU`1n+7zSh3 zN}i)kQBCka;+Z*|;mV<4QegT6Nd49NMBm^w|j+hm1FBoF<|p2Baifdxn%Okrxt zBs?#`faWM3o9VBT=boz^S0&(2Ix-GE+K5u!5LRrEk8DWIIvb0K%0!uv=Xsx3hRr7! zLT*hnci?=B1sUhxje^v%d00_jC%&NR3-eOaOL>rvtARxqxd7A^sU=8$8vh$9qo!4R zsDzCmEd_TmYYYP~cs%PhdHglv8zs)|4iAGQG2YSe)OuW_iyY{W`kCwS><=2A#2&87 zjd#0U0?QY-b>bQ91$zsnm+~Tjrysv@KT|40>@Ty3!eye4o2(SXneG4rnmKe_w2A1* zcDwdu=O6QxNW6mi<=1$DpRHZJZXinCUI&hu&bI@AFSI2H^WY8m%XTj(``$isVN5~q16KMeBvEK0phl)>|AvHyYzafH))f~?&Fsj%o0YG?AJ^>8dTrBnu9 z>c~C!u(i#^XL_2|cY5OdI zD>XN}nO&&IDvJZcscn-@G18Jg_7AqAPD9XqZJW+jb(Goie-s+D1Vv(1tF=E77}%)Q zk|t_E?YhN(8Ih#vUj}rnqRU)SdT;`|s>8KetEw$&1q^{O5W8!&`u9haW^p8)BsRC& z`R|{i^Atqd1+qV-F*5(z=Y!c#JSs1gIJ?De0}m{1m!el0hOtjL_)7nx@+H3Z>H+@# am5UKqb)h;s_^w$=PisrN6Hm=A-uNfl1@m73 literal 0 HcmV?d00001 
diff --git a/fast/stages/3-gcve-dev/diagrams/diagram-multi-net-b.png b/fast/stages/3-gcve-dev/diagrams/diagram-multi-net-b.png new file mode 100644 index 0000000000000000000000000000000000000000..58b9817d51d31839803bd20378efa4b9f2bed319 GIT binary patch literal 197974 zcmaI8by$^M_brT~fPjFAfTVK0vz( zj|g4q-huyaI4VnuAQkqKtRNvhLXs8}R&`5SpElK2Ri8lGW~=|%gqI+-RsT%`$5Zt8 zn7qM|>wS(^_Ne?08WY1#lc*jd%LF17_F|EtZ~DSYVjhtn_9^RsF?(;G%~3~(JojAW*8lu=AM5|| zlye61zkg`hm z)WbPD6*Z`uG04zvv5D%#gsoGGu-WX`7_tgHI6um+ABr&Pn{uOXtj_T5QJY{G<8wA` zOsJ2a)t+cH$+IG;=QEZRO0Y(o)frMQ9JDIm`09&kTzc@jh@et!nO)1W@~`!*wdknT z#(}!*B%O0YL8)F%8zRt$UCZ%exa5*^avA41>uC10-)gu#mVP4dY|`o^apr0?!bDML z@}R0-B73~_!;d0Q>xVTa^o5)GxT7oVlYgt`If{BjM;VTf2=e$=ofE8GJXRm{$zPb^ zyBT{XXB7MPRB#I&l(fA`xUJc9vh6DrlZyABse8WVkof+dNTC-WN?>9Aw2bd31=%N} z#JurYrNt3F`3F5`({fL~Zz}M{^&D3)(5aZFFDh}dmA!WD@6Pw_(LS#5V0RHpTsbI> zFHI{T3mOX@1Djv{8}l!dVUx2aUVN{8 z6XPA_Pe;4u^=+HykBY|s`fx2w5|`epPj#|Oyh9>4PMI7YRn;mw-5qAguF=CE@Iihc z#)orZzcjwKDecurf^zIMkIrR=)GcAm?->6qH}ht_&(>gE?&naycYJzP*HQf|DZ9?WXl-T%hi z?>7Nx*N@SBHjGEOV{W3HHTgN+ymJp8((m^F_qnF1w?vfxyzu&;IJ-v_*8}+HdUFRA z_y6xH4+32xZ-zau&^qf3mV>E@;ZePZ`a(m( z?@^JMJvi9eGqSTsM@A?EZr${&t*tFC-idNi*3!~?`7+a8CVMbEJp9D#QXlo-*@4Np z0iy^rH7GtF)$@fXhhOPWwzVOu5h-lU%*&qYJ3BjRX=%K~(^FFwHq&%CXedv0|8oa~ zG|a{*Z|w6jGZ)h%1UER#tYpscJcc)FZkQ&V#zg_4bJZ?8`% zR*KpmkM%!qfO(&g;$~CT!A9lmygBQQ8#nUQ3VtpK^YZc*>eS-n@} z-}QfF$tSW;j$0kpIInS&^af%O(9zM&&(E9mBxEYl+Dz93;w11mnz*~4T$~+EPE2%n zcgHa5(BYvwdn`FrvlHE=D0A7E`1|+o>gwvxpCSQDE-o(8(jiK;PR`DEv9Xz$m@3Q4 zw973Xh)CtAwzjsKn3%k8F-TM5Hf+U|l$4y(l9!iva9|A)(=0KPc5-s^@Tif=+&wr* z7VxZ)qX`WTcH3XR7cSvwZy(R+$`~R>G^2hULU1wLz&gL#c}hWXgQ8iVd8ANh(tT?n zQP)>S7c;Znbd57wT3ZCUUX`7n zNE+UQ2j&VF+jGBmcX!Xv&p&;_t$Y0RX--MW?zm|x>D$=rnsGhMd;bhGr>>5K!pPQk z)|l5{j;6MzMnY0DHagneR#8T#r({Xu3!# z0|NuNqkAHZjEo8OEiEn7xE*b6ZNGmjWh&3b^T7lBWVSsC96>=r=H}-2?%f+L(sQ-5 z+uq-AmdsJjg|%53%y#5XT3$A**8U)w@8;$fmypof++0>!DJdZ#crc_wf@RvS%Lbzr z;33@JlzMkP@J9hScOomQ3lS_;$m`deF-)=Qw>kC-a-A$)w1q7@C+B6G(B%&!)|Yg{ 
zd|P!YdU{0<)6?v?{|IknLlCf;_72VLPC54VBywR3_4f7kb#w@$ZOqh94h-Nj$)zjN zZcf*_B6>;XMQ&khzH0Ol5NV&9I?qn^5kc#TV=+8C+~6*7++ThXE%Q=G2iAn|I|0h| zxL`_`tX;K)wiW(~<&2^tJ#}?;J-t~S-;YFEz71)HFqMRa1RVnd_LYUDWq4Sa)8YG;`LHm|fR9;KPqT`OirnRBqV9>@ z5?&@bTggrxSaBi>&w_+g-I)Vh?y!U-;eq=@%pemg{~y0cM@>t|Cs5IE-8_Fj_$0M& zbo{@`&;Ry6vt4T1*I>U8q*);7vOcC|Tc4>TEtaF2!fk&OdoT{BH|mf94}FJ@&D(E~ z#EJL9A6xKu^P|`B_ejBC&ge% z@SMdf%1NS~RRd9zk1%=Ve7kXRYHF!;CN8fwNWXD$gg~boYj&wrFo%_`oR^rwsQI4N z(KNHh1v2xH#L5#4B>gvX^763^uioO&F)&P3+Um*4!2|N%-rgc2KN~L(ipt8^13or3 zHv0Sj`WQ5~wkDgV^w;5JXQ6E;Aa-eK$@l7PcB}qK*TQ1;V+s+Z>_6yC;es*l4dOE! zsxn9@k?)nrLxdJRt)ln(GY{Vp6!4xYD;u{;p$^~X5GIiojMa_eddo7!_&&t*{QIa$ zgjSxYqfJFS%AR`Fx14p2-D(eMHXn~{?oBVXu}6p4O-lavAd0mtM+>d3ty^+F-hZO7 zynb+aI8*1or_`peum2sg-X5YaJ0k_=>=sW3XIM~s_KNyKsfPrCUvc5gd zt!#?@%D0TE2Y>REsp5eAD`5;@x6USWrNUI)OLbRRkI3WVqzw}hN;ZCKgE#Nads4vsg3v3wYl>8cLy2&_2D&KOOzu|M{hQQ(CEx z7+|8(E+5r^n!4-vXQSO8%C)MN*)*T;&Mdtr;(oViPCcR1_8kf(Mn&^{3F%m(a z?hMvj4E_U4ou6XRsXjElI&MSvHVDj6nBtc13zkTmYlF`ub&%F{#!776XLU~d*iI*s ztQP%Doqk&E&;#>>3qOzZ?E}&tO03xz`r?m&y`(05@}~f^i5v0HH99t?p{|~-mKP|J zCPh79{>!A)_jnF9IlR_oW59<9wmb>R)US{f_oaB#6!)wyoxPXHul`F= zu*_a2x_%bL z`#56q?5UBAw`A12;)P0Ka_j1Sm-LKG@rh2uWgQLQu@AN(I5LIZUMmv~H0F69tu?4@ zm`B+z8IKL0q{%m4+TI}4`4WVNbpK{*pDO?d7njYXyAR0#VGRrn3=hBLBmO6y{(kI@ zLV!K^9PR0FZV|3;+NYdQYg6a(V`2BzN@>%}rBcqlOv@Z5-3pGR^SxiPpM|0b&c1%g zc!|*VTpIh8+}KucC!C|UQCATmk#?J>JCxSr(XdR3c5iqb&-kQV-||r%-&F|D<%g@o zAp)j0+gdl6jb0;dzDS3L(eLI)bRx_8>k(tzkc{eIW0xqu2pf-uBkuCR(o|eNMT#`ew|gf zCgF767}an1M-_Q3|F+s|On;F+A07txGuzbeS?@}Aid<^l?1#}}!f4)!PMqh}QBV08 zy&IOdRyf?(80$`V>PA&uwck%U)W|am#uL4LLQ{u(SbR_NFjYyW|32*Y@ROrdk@_oe zIeBoIlsS<0@iNBKGkwy*)ljkyrLz%#UDrlPGV61Zy)J{A)FxirT+F!h?c3p*ZUr&q z~hh^0hpp$g)%G1E%{3 z4n|q2;N~v_vpchwyJhkPC5M|HiLW;|xH|4r7+fBy=Lc{j(FJdMWmWoHT2o2(rFaszj=CdAQ4{ZcVhlKJ^Jhergl%(5-G(x^SzxO zGyVKE7Ab9;t;M`X-q{ zM0bZE+mo|L0a`k3vpU*;(#BsbwwsE#PFSgt0hsDGb&onjJuyKntvV^5Waw9Ly2lQZo+^JBkf zS4FozlKFRi8Q|!`USs2yDOWC3W&Y-rTspb)j6=oK4qudEYnfF+{;EnlxP0z!qk<%2 
zUhZz7*de?9`)7(6eT}2k*3o%*9ntX)(IRQeE`l6LhX0FKNbl#TZ**7lK}#E2U3W(4 z8NZ0%y1jmWbg^a7`N`gYda!acWycpcFihImjQrcvXgW11yBD7r&-50{mNj;HLXJrSt3)&W~Y57W`;GoKJMdRg;WV9eGSM z=aaJ>id`;O_PVWCoLMTTpWo>37ra7XJ=AH*q8#$A-S3?qXwGygedca*iiwqof^qxp z4)T8j`->|o@(k$;PLo)g($n0DwPOZkd6OTL%`MaIb2jEbJ0fl$~!xKYui4FF3Q?KV39W zHz2{w$lM=^W1hI?kupN};sTlDzpPHW)N7UMtB!2NY`qby7xz|I4?VO^qGb`=ulUcg zBSycol+oJeSVUILwUVOen4pCS%zlzLY!&kPwz4XsHkPo*v~coh1Z8Q4hLH*|tr z;H@dA^Cv!=1;hDI+VMF`PuV4nM;{E8T`BfvqUH?y_V{+>Fo~h@pylI;khLmEN5|(1 z<=OrnAt>P9Gtd?%ik9m?7xTimMJk&5LvNG&9IdBhyG1eDVljDsED{SHDFA0;v%<&U z`wtSI-@jcy6h=II+=*lPU4Fu&h4F67%${ffpSCl{M++4R9KEu&R^;p4isIj9Yfju> z8@_sNI4(PS_|X2A8$q&&XRCKh_}gW@fg*OPg!|;C=ZGJ7h~l&2RZ1s}?Nz0J_Pjl_ z)QS0obH{dSsWz>q{&HjTs^C5s-EeOEr{iz}SKs7gS@MOeXNVF1UDZs@=$Gnt3@1r> z?Y+YK;W(#>qY0Y!zl5l;)hdSZIih`W+`r{#I(#nDv+SyDUR(Hv<}7Y`0E3Yq;SxuS zF5@R#`He()3;O(jvjB6A7s2_Cq-#V2aWOfQ2E7rn5BpX*f?wTbd~C9LQEzW{jQs4P zE;WU19?eB@R&z@G#p!q4t&4Y8E;-7Fecyh$6_4HKWV@<0i&z@de|JJIL24aYQDCo| zKfY``=jk?nmMY=9;K@KzgjU+?yyAI->44>UG~3pDt2eeq{(*&vbz3Dr(eaI$hIW^c zCws0}M?a3T$#f;qc+m5Gy;dEOvo4WzvneXaTt?`!#mQ&SR--)i93QSX_IbTd>*;=A zs;ljCdU7Fq*>60452+OgSJwC$8{COr*o?BD@LEIQ^EXdoO>E-1M zor8mI-%M5G>9a;Xj#_FNb7#-`;GWS!w+XhJ_oA)K>B>6;=vNCF@{|ioc-XJ%-z4*S zaZv^oA|&gf^li(})&{SWRSrM8DL=q9!XqaBjb1aC$0_E!tI(FVHI^&Q`p@>4Rfnua> zq4nEpr^ydBP@P8t*qJOc^P`drija{{)Pit>$f?N4xaexiCSg zk!R1Ao|Itzv3U?tyqL#`;cby`73nX&etxw}Bd}I%P*#A)hB@(fe&U0K9vj#FLOW<( z{@e+>3P9V*j>NhZ#+xB@P%I#f1Dr^va?Y@Yo8%2rYTOWLW;=|~0|#Qc9{BM6Aim=i zBoy0j6gLRehTd`1|*BoLkW{8z=H_XJw68Ulpk3 z4X?h�hiZe(-iyTy@p$lKAfRnljI~?!`VU*L)V$aqH#{uk2gX=GNBH9Y&Za>7$9o zw}fepG~KxuD8izh=EowPqk8CZFHbFR z(V<$Kk-YFr(^$H4&gpUgzqIP9HGkh@zl6Xq>Q!$=$!DpRLQwW|N9lUqVl@kbs@1=s zawB7qbL*G=Ux*n~{wHGkfvUd=6!&TTT=59GHBQm@(Pzkz-V}#ELVFz6hk~>pB=K;0 z`p1UN8Y)>Uw_@-=H;#l96s|4)SJgSp2@mN_f3G8}D|=XM5M*f4508T1zkd&GQbh%4 
zj|A4cUx>XY@(E(;{SxfF|9Nd(@FR+Wa$vpc>gslP9eVIN6Rlsro?BX?!3~jMXJE^wFr;Wc$Cnfv)Q7vmMBgcH;FWOh;buQ>F7h-hK^qm8ht{NqS^tWOQ_NWuk)R3Sw$%Y8o1ZQ5{2rgBVy?E)EVvAf^u$oO?h{Nkz3a+c>*89EgEP26vR1l?7xdu)l>`l~^>UH;_F4rWz zf8TNWciNMBu^S7@;^HlS$f&2ucYgo}86k8DJR+}~y&sEWftnsLc+}Jxv*a8=mJj8q zu&}UvPoe+!UB?0xf>qVje9ks1m2;flT=4sxyUjLuBX6OGnZJDb5-3&j&y{}KjM#VX zbaZtQhgCJjN#ZnT%Eo^E`W0nnc(E&%ii(Qj$-f(}3Er%Iakr@9RHi@;Tg~Tmt*U@-2;+ zD%~(Jj=4&-D8+rJr>DWe!NTh}VHE0x+Bro<;`0tJ{t{4*4a9>XzKfWv82f=;&_HEIA zHbQ!zlf_u!)Hz5@eW^l1Ro?&J6Z4W>bAXhn=r5o|-+eWG`v~GB=&LDnf=+{%`!es< z2_p5Zq=}9&wotEeW?+C7ParlnR>*BzpVk8fDa;Tcto)Q+zjB||KbpvYkmKpy!!DGu zJ~3?WnL!Wj~N*&Dk{ioRNlN0XN*->RmIe~QqC#M$&seTJ6sq`NJtnMPzKhE zGqIqQo{vu}P07u}Bj)qxp^=gKa3j`n*hLc)338WIFW(}hf0l831z~k61RPU0o3P=duK+rCqqW%*b`pZ`TaJe+v zB4U)0m@6D8BFmQ-XBV=;(9;{4m}qKf#Kpxeujc~YlApi7y9>lCJp;p#6~dt!SY{_) zQXy+IGg<})b{3Z6@85q5))f~QfBDkX)g?Qqj4F%+^L}!20op zfLuGLY4!yE&~<$*ZJOrsVu~H z`(J2im>C-WnzK9IQHdaa@Zf>y=}0aRMny$io`uf@1awM+aT9wu+1c6I*r+0>?cXTez6CRwk)Ln%P4R`M z=0qcMyqpP4U3vMzQct3@3&c@%eZBWYnR#YrCIOS~5RU~Y2FC+g~_b z(K>Z*{WCKST>(-$I@9rNrl1Aw9~_)``2ZJgU@*Vcc-3Im{}oc_;p5%zZn;P)BP*+^ zMslxpWx8l!z;rfoL&RcYVxS;z>AX}`g?(PNR~Qfw@PJ;;DYkpnFDEAl6t`dRu$^%! 
zbY523rB@$WxW9{lyF@ z7^b~R_D)Vy#fI;ssDBcZ3;B=`5hWxgO~nRCd3#^vsAL0K{@T*=EJJA54VR2ea45UV zexVgo;bdFu>({UE-n~1a1v{94L4(*4i68{dLJdL z(s8h`M0PDgwSWYf$Z0*$QSfgzV;;H=R!_G;P6!B>4b7gr-3`GJ5sgp_5SbR5T3VK3 zw3ZA1^#WK}oJNv9is~REBMS)$VU3qN6RCj^Eh}@{nQuvW2K+Z!M4KoY2M0&8knd%8 zJe!1sL{?UoTairW>BZ43m(|$s*eH-Nd=7@ywHaMO7J*Q6GnAE;1sw;r-u}uUEOk-x z`RQ5_5R-$|w-V4aH8t6fy36kb{v6fy+>llwv?zyX8#h@^)m2p3+;{)_h%IkycrUbu zFD;oMBO~{;4h^aDb4X;fgouF{H3lPHl+lS~OyPi13gog^a^U&mJX} z@#f8&lRZSKM!ulS@YIwSd^~7Vy|w7*=+wBI=H)@$vBqVigq?X=>$Ibqs(zS`}7l$~hBx zNesGm+&nzhOe{FJ?3cP9V!bQ19A%W}yhYKxu)}FJw%tizv}`1b_V%L`wfB`hq(!7r zPPH6W)_AK&0+>0lF&Uq5FlbkOCr9ROH`;ywfWBsGc&jsEW@g5X(%%Fl#d&dUZF2gq zyWjISMQ%GPfg<dgF$affCW1tdgU;AtnLnhHKVqZ^m=0{_67V z>U6YmbG9*JRG9}9t^Rb$dm<37(~vXC1-*i2-9Y~%_c@+x@IIS?hvCPxoSZupcmxEl z%fBf$uHG89eIOO`(cV){QzGHEd-VA6ZHmuHN#`vDdh64*NA*WDe0G1D(j_D8P!J#} z55=>CSlr-ybqPR4u&zlov$nJk62r;vqPODfM**0am?K4cvx}&~+Kjf=)*F&;4ESBG ztxF(~Yt^~!)O#K|I689F*45X;#uF74t<@sQuB)4xoYZ1_X*!bs3MlrsR%l3uB5vmU z#oc?)b}KfCrfOZ8sHw#eYQo0G#!^yJCMH=53u~iAu7xrwv9ScWxC8Frt)-;eHzq5c zIYHHZ7Z9+_;5j=rMRNVrxk+rXfX_KMH8nLoy=?Xll>Z{_>Vc!N&8h12QkJJrp8`sO z4aih1E-oGjFZG&x%ESc7qyI!u+zDGHvxFU-`WH`&(}As-!I%1#C^h)YO=mta_Gb&w4sL z-}fP0-O-{t{@QU*>YJY!^)L;pX(& z4^;B=z0|8Zrxn~wnS1x|m-=4$WGcI_jTC?quUG4Gx3aIh`+N(M_vP7E%42qmiLvmSpWu-4fu_~Q2q@u}6TUQsC28Ts--LsC75q!lwnD(9R?WXZ~ z*;vNu25(OQ#7uSDKUEY3K;pd^R@alJ#&vYu1Keck;CpQEF>i9LeuyGG{bISmaBetyELs-F*sJ)NA`L0j!UdU$Vo@#!gds61+j z*y^sYc8)5R-HqMb82E(5#FhjmlxPM}{~!XA8($jU^!o$*Xd*`$Cf~0a35k$%F0;R_ zw3n-^Mm~6|-m|hcLsUW{NMQk#L!BBYX;Uf%-et^4$Z!xUu-|yYYvqE$M6mzS>32v0 zVAd|9o^s1k-Y1rJ1Hw-zD5GU+!|pyIbuuBE50FCOA%Bo(jCK7`5OF6mDJf|amohnu z1M*n%eM&HxBpb@g%U=NAt0mS2ph^||ym`pcQeDs2_{~Mwq5Xn?VHb&?3+Jt?@K?nK z;yOAyR#pr?NuNKfzItVDV^iozTw0rUiTpGW@;m8+2bmAsbYH!CrJ^z@D&Hd+K?YUE zoKbJ*!TRcOULynmED@7VP1!rg#l^+qaVt;HGu?Dv=T%in$u{^4sQZw6V4H#Dcy(CW z_>h>`)6H$F#uI_;wV^poPhYs-Fz}1w@#Dqy@lpo-wO`mm=SzvU??Xd(NG}CE4<7{p(jRPGG)xJu 
ztULl7F)}t5>}UZ<145U(|BX5RR~oc=*k#z{f=R5#?-dlv|p|iL^uU@9(!q^d^H<#jQIyIT>(3cxY(ib(zaif%PF5@F+9ur_>hB$jznW zikY#kZP9(=s18W(wg^8@dbNBsG&E)|uF)AY1A_r$tLx&ty!?A`aByaM zb#=nn%C>Gt0x@RNmjVxeyRgQ&>R4v2h^ANXjc1e0-pP=T;%$rh^l4yhj60!i^(Imi zl6+NwRMB=pFJMh}E-p(l#L^O2FV2pSF@IIr*xGJEZyJXKfn zv782=M|ejcuzP`50jyR4%+-o?3kFeUCw_Kq7HU_QbPa2a=D&g>aS2m7r`{l|O83(A zld6_h;^Fsv=;|0_*Or%QaYLY)>FnwnwkU^2Wyft=9^)rfJXl5!+n+-F35-rlC;_;W zfSD-NEJtTDW_4a2g7^j7mv|`ty<3q{QR&j@%PT9>kQNIIKgeXl1ci!GdP#VCdfvYu z1>N1B04Xc0e8|bQwVtVZeTv4SGtb-=j50pDB|U4O1oNhTEU4kYrMcH`$p)672FALP869zX-NrDaHW(Kj)H4asTTiTCyqG`HG1I?kK#q5Dtm zFoHCP^^VQ3HH?v7tviv63Hk?W>c5$>x~rSo$xM1c@*OT(%FBmC0s`ktLxT^roKVPA z=@xg~-13EGWkY+D@x59mXJ&d$O3Rt_Zr>DEQ;Pvw#MM<%TH4&q37jU`$J5Qc@V?a|TE*4COpSy`0X zb*{3y>hry1vtqI1CV^ZIwaI;NY3@9s*P%M$rHKa(4jMj#hTYo8GuRiKs}VrstcHyq z>|I~KBKUZD4>u;Wi;9@=LmMwo*J5Ju2?z-AL!%QDwKO!wbW+`Rr4Ts_ZeQLfCQbs@ zpr@xdXVX;@$P-A0q>crqp0&yXQ~pfEtwH~kC?nvhSCk!kha0f2B^ zZY}~IZbs$?k|{bqer0*N9kB-<%dP3!?7bTEKV{+~A~zW|bABN9fI|28M^0Ag>+L-} zI_m4}1aD(VeZ4@qL|11gcpH1Vx_&u&c{J#!2za_c{qB7T9zFnt;Y05mA+N|}x};D* zD?HlBN|~IkVVH~{<-Z3k!?mMsWCVIcUOqmd7t#vWj)>ltR~4HU$!_lMIzS74`SPW! 
z%R#%dd1gkCh9)a5Z7!T^<~Q|2a71o5=k;nZ;6wf`HC2plRD*_6n~{r;FHw#rF+P6h z#0#)FSww7PBt=w*809@OiU;`ktqVK4z8B6tUa8PCnDhQF8{1ZRr6a5*b;1-Lf|)efspNsPVFTBp`!r8{xh&dCYNHn2$G>v45&{RE>qXDK_4IO7EoHi?EtqG7#IjGB=AT8zKHe`Mr~ z*;vh z@q=>1P9<~f)c}bB@fb4d^@`yMbpjc5GxCleJ1ZB}4MHc_j0V=$(>xSlv-X^C4l(YE zSs9951qW?=PtS%8#lRDtAL^(PZKcJ<(h3TN1qI2h#xk*7>St!qWWugU&L-BUj5LE@ z!F6+r1xm-$gh$abz@FNgnJq6Y_}i{S#;`nG)vkwrTwb{e8ZL!w;9bq1h_SM=j#+UQ zMy@O^xm=!~Ks^N{>&3FPxp@h=2ILqF3=A*QvAx@DWYoK0vxfZ`(}&>W<2yP#c=!l- z8Iw{zCh>eFS}ZbtZVl5kC0b;Xo1*FckTxKucJ|}_oFEx-SWlE4A0IP1vKz62A?g{l zFG2u}fyx1R4toIpR6#+(%c~9ut3}!Tf`X_|pP)&AS_?_iW~%Ciic0!QKpz4+#JD&@ z{-@orIXgO5z`JZvJT^Z5iY5yB6krtZ+`7rHH__AcjDo`NQSe=2&Oc;R)6<5AhIig- zRN5rdtV1+RO=%MoCjvm2^*NI_HEM=I00#-AxI|qN-H1;4bRw6na?X(XV3xCbe|0G& zld7sJDB4al;@N}F7RLgSkSw9_fTMiVf&HeR{@l+%Ks!do8gAXH&d$!TgMhRna{H+2(_mnH`n1}0D@7)AqQaUuTBf|L3@9WRGqfaM zm2&`E^X8R6&e`90vb3}W=d!73rQO_5NdH9PP&p(sm4P=Q1ftM#gdqv%$4Mw?1OPMV zesr=6?LD41Yk=AEE4eT&??W}W7lRp0`p=2kPl!?L)Lh0M)fGpl8OqG z(s3tVov3J#!)&aqpsAwno#;*#YAh^NV8FNhxn#!;eGHhp-~6gY!H8&M^41EpDgm`- zXJ>;mKQxq{j&2~M5D6)L{Kp$tN#0w``9R!(gpi+~|HVmwP;tm&IB*M_;BUr4woD*D zABP|lmGLi(qE~!XADo=N6iEe_^*9Seu>4N6fE2-sxu;pnV0f7UAq_1lH6A*ukNeW% zVl;>kIyLV^(yXRyI3V@X(V<7&`f+{UBIcP^P-r%obD?HKKXZqRnUhnu(dR-@=ptjq zsO9~GY{gU{2r{5XCnrx&RXgrb6L<;8LF(&EDTuECP7#E%z1>~*!G~t-2_W78&txLo zN6;M?9xe|o1oT#@$ETPdv$GKp4`oaRs048QKwlZt(ZON0fJ+EtJY>UA)DJMYE zV#MnI_AQJ_4Fa^k-_P;x1adOCNuiAuRTH0>_rWLXiw+E9j<0x~RfNdb<_0f81 zpKiSe2c#XCM#U1XVuP08D@ssYm#-rcn2fE4v%)1}BBX_;3$4ZltKj;)*t|+TE!jbT zzR}0?hqDUaXY-S(CDj+?{1`#wE|mw!TLDAHI^F$>*Zl7Q84=Dckk~COEI@N~l937u z2xx9=!`AtyyK{&v?Jok!qP#p>Ash0rt8Rq^P1H*@HQ>aPL$xrAYC9GkIMj0!Zd-~` zzPQSDgWI*xV_r+z3}tGtb8r~IWLrrE4L3yWCt~j*rbHi=JhV8_b^wm-#cfAR1Av&7 zk%37aMh1#e9ROG4c+T6W^OdtcT|GVCpgp14algsJNStabOY9i10^kHa>HsIq?Shcu&y!%Rra!#|+r@*cJ zlT#F5FL%a{zCt>txt+iftiqiaa~#o&G)pm#F@+*%Pov+j4;_E4%l~l5St!^yGu+iN z9h-3=E>)mrOx=RNl+m@wI@qD+;}}D7HGeU()GDYDpX06_gG)TDs@Ju&>aMV7S~B+d zgvSYG&~?O1KJjPLe$u;;f*yG}e9w~b`ZiTxl&Ik;jnt@^H#jBV?URg*^URZyV}1{4 
zC{jkAFEO_Gl7x~Q8)r6`b8;0|dmJ*R^ronE)ZYz^=`wmJ}v%tR^5hK7O3AC+JVNIJWOLA*KZO zs4e(BvN5TX70Ca%k$`Tq88mNdV#3ME*_*&&`RD>Wrm3lEYHI4khaXpyikZrlHq+?i zAJb^?L!ox!GwJf@>RO=q&uwfZfBwuab`i1u1rtA%qe)X1AV^R`<@I$02h?gF->aOh z_P9Z@UscA;v=EW#C|>=rgT-}3=qe$wfJ$Wfg^8xY{xdd=HP5+NB8xm65nTJpq|Cet zO(5U7HTJ6H2DKyxkY)L@%dd{mqgo`;Ix+?v+Zq{|dfPlP90wc+aL+E~pK=`9xGg_D zNIh~cQJ(K+u%hdFzwZ{rO#vdW58r|H=C8&E#9w~7u!x$I{SRDjL2t)kH<8YFj2tHF zofu}N$kEk%9C`+7Z~mQ=h43mrU9Bb`xW8qI)h81o8`@ZTc`|CYpR$_&K&bPRbS7Hb zt57vF8y-T%5<9zt&Mv8rE;+w|b}_d14HwwNppyV+K(WdX=aqszP$mFqkdTtr()06l zgOZ2nOPzfeq}V+G2ju7P}*=ZAlS*jKDGra=UN)W6F^3y$%nIQA3uJC zP8d8wZ|*!{q7v6P;`N?UCMYro#fBz2;PO0N?o@sFs6I z4h0H0#+7vpCdHPihJ+NiRJp9~S2e5Sv4`E*ntl4Lvb&C(L3*n^6*al&0XTs&Y{^!c z_1-1n$l#I6H3;iXMY`a;CmH-G0Q88c`1q$FR99;G0^80MiE&z(mgd)CG%xcwUF`Yu z=fKZE2lD6;tRFX{Y2Lkq6NJ5VvgvJbc+Tg1r%iaP0x`jYg!DUedtkYwBKIypJ{Q@mZ#o8x-b9VgE?1>_bCCr zKyBQzx5&kJ+L}4CBys*(DQ_*8d`;{vs{N2!3{`+t z(v$!14b3o#joV*afs9$oZsgIhbgmU-!m-6zL z4~8E+PMD(@j_CT!`c#B=ceSOe-Oejmv*0?xe2QsBX=tx1E|hpuhhl9%YZGrn%t8LZ4WVXZb5!z3yvBJvjwqR6*ZH0GYJ~)e zxqB?>s^f*j{ywoqo{=Vo(sv$@iD3z2);l7>ElU=*8EkQQ=+NJ`XDE-Sp4|K}bM<*| z!R~t>@=R z&7{vr|S=*aL8I7P27ho;rB}hy(75>>Gz#J;Zh4B__lv*fasrzQG#JLMX&>GFFfq#Nswz-Y zP)jI~(g**M-=N~277s87io60GDa%xUYaHhboKXc_YX9Ty?F(JhcR%!Rp`yZ}GZJ_a z9Mj{zzjJo7UUuv4Bh5r25ubDPK2-bt?Ty0vsCP_(B9GDL=dtzXSieRai^ux%1hs{X z@pux&%X9w0xF=G{l=`e&`U%?CoV3k#SH0ZN?;DyIme@!shDHXQmd0XF#<2l<1fIL? 
z!*pc%wHtkEH^LQJUdm+4yj{(`i}3`T{L=1dqsx?|2Qq$B=1XJcI{*mxjLWdGu}`Yg zDu^gDRNISEujbm@Yz2d>MjWk9QM@Ew^#YW%RoyJsbuvX}G}ImE{=Ux1@E4;z=_UE( zjN4?!nI;*m4@atjq8b4SDJCHyS80DGmc+1h+;SxUVR<>>547FAJx7o;;czZ+U_dz( zZN$rE)z+Q?$UaL>M85yy(_>lC1|rA=K*kz7!d(Vq0Jt2W`(wTX$H|-SyF(DBLL^3h zxVev2MC2InAXnO5P>L7=ATV8ySl(GeEvj{1k#iRB*kPJ!qoUa^%(P7T<aZg6~Cj zRl(x^XsYGuXne+kpt0J}L8#kignwe?VO*^7T1C?3>R!;q>Xx8yY@Y3-6&(5p4(H1I zL^H7K3TdC3*;+UF%(bl%T+-S;!>hV$Y2bt`*62p; zd6G5=(?scLYlGY93I26!c#7KuSr`OUjObsjH6tTxnaUjo#ekaoTzl`l{n)jL8Ldd48LrG$egEP>Ro}4R#a>S65fgL;*sf`-IX52M6p# z;Xm}1Xr~pPLlRQX`7B2RRy0BLD<|IR+1c5amP~Mq0hu*=2-pQI2Iy#L%M@hHz>nd= zXy@!aF3bkNlA}sD^%qH$zK*@7uHK^lf)!bUK>X#6CRK~C4HtK8Sl;?Xxdh)&x1|b* zDfBKZ%oUlSkU)#D0#n4B0*RA=bkBI{H50suPe%Ux%O__Ffq{(;_(f!-X%7|B#!wMX4Z7D~M8 z&ta}OLDv-{;&=0s<5pM%MHs)>@H8fPUPeD~EvuYkKuOHw5;CiwO=`r?`J$X-UGU7U zekRj0^%t8rb4prM=S+1;zSPtVU99x5#e>jaIyhxEr*)b24K|oGUH#LQg{St83*>n- z%&*p~yGFY;3D2pSga~QxlX<^ch>0-O`NOi$IfjaraeshN#~h5JGMP0ke&zT6S5KE> zw)<9_ks!1MqMVMF_P4?Z=%(PrH0T3tY;0KX2Dkjy^i{!60bgX`C7Aj{f8T5P+Eeq7 zRgj;b|J45L;h_uc8-ZIPGMTJ|m~KqrY&<+XR-9UTdX2UG488f#V!fcngTwbesc62< z@Egc6s&MW#cK5+Q-ZD_at{r?Tl}%>Ajwq?9P~nEe$(fMfr@a0qiU8xAKYn{$%w)5? 
zd`f_ft+g8OJmdMN$qz`KKEbo@pEqra70g&Od9!nmJ_`_5Wt~nG33(G!l)av`Ax0g| z-NlWTdCD3;B$}yA>Xu1p?@2Ei@dSQ9Vfvt1kXyh2=59(ANBqRWqcOC%-{_b)OTYJ9 zRqw8agk{A21Lxhnbd zop;b};IB^-5#~pP(dKhp%I}@sN@;^D5W#R%9?a6$hl^2TyA~bJPTTIh(T$X%=1lA{ zDFr7sI~*-QqIvIsW9#ty=+qQ=Ye;b&kuZhcK5ED7q^6&IBJfd+hB#h+Gwnva91BaO z$AC>2`d(r3Ra$YO$xf~*Bu-$+Ak&sA&u?21CAZ$By6+d+5tU+~goSvB&hc31N1Uig zhIQeZdzhc@>wmsY1JXX`5TM-a^9N1e9x-#a1Pa+)9$M~)cLj@m3ZA?t5_I!kVHA4P zmoYf)^C!7U!y8@#-Laok=0J+6E;eJl-1Qe!{9RhYntX^V3lsskYe0RGLcQ5ah^6kk zmbdk4oQEoan$#eqDp`zjoV(g~;s7i8hJSn0@=YqSf8MR>SpCHdd!U8E^IK6_xv+}> znp;>{7%W$!9=c%q-I(AIOx^lBBum=af9=hrr2GlSOKRMMG#)~mAdz%mFZ-K)UJq9^ zoF1Zy^)-}bmsc03RlFCY+!3caMLCD_N^cm!@BPn*g*k#(2s|~Ql7i3;iR6~>=h)a; zn1m=rLHCu+Sd;EJmVp}|BtYOmK|%TcZQe|RY&x%fg?O6+`=$hsRPdXS!U%fqKQZ4a zF_#~L4P}8ZcgvO^{3Vb7H=lXiSV?V9&p+l2Ha1T%&v1lJd3ty-YJC3#RtM0QlR2#u zOxzvbK9Z4@1;Lnyn7~L4QxmFq6Agd3{^Vd>cA0bZT&2< zXR{=uMmdLpkr6+%1vqr}(N@qE;UZh11^p8(d@lekUM?sP>o@X1>ghn791VSRCkWke zf*E)`mKvjjM;6haRwp|E(lV<7rAr0)0bC&eA5-rgk7XP8k1OIL=`xa;nIxm^kgX8e zBZcgdlCl$$B$Azs5Rs9JP?<%@ib6t0$V{P<6~Fh@{XEa_>vjKe-?!pA&+|Ax$LI52 zM{jTM@f--X1RxpvMVsWW4`K>OniCai|YCF-*0ougE2qKTagYS zKL8^1UaloPERhZU&)vD8(^;ETy`ka8rfIvpx3A)}5(7M=bDj_bpcLt1J&EKU{$vR-LAd3Ju zLgKN=$*+C!$8dH=A=ts^@-cz<{Y*5XHjpJBlS_-;XB3yM9hJx5vz1-&_Vu>_^Ipd^ z+pFGxDzDV~0x%mOQJ$fzVT&>~G5NjF#Kk4=?beZgL~WB4MAIonvbQWIwmTl@kAqq?Sx5Ty z6H9v4xr_eB#m^2u?~Cj`_@VgLL0#`_9g`9)w`z1kSAv$lD~J}%oFiL)dCAG)m@;!8 z(=Os^?#~|*J}ZltF&%0b=`E2gDiv;jBoi5!bMpJ~{JUFezVn>V+)oG(-dZA*D%?UR z(RT62l}%ac6ZOI5Z3l%r{#;S|J2E6Osd$OgaYFG=+T>GnVY(Z3_V#aVixE2EAkNCK z9=bOykA*cg+4}=f&N|I7i z4JKwll1Wmn;g^@7Df$DpPExnyo_tcfBVVYnu&{t$dcgSG*!A@QK*D$pKwAua`otaT z=H>?OVkd`e=Q7d2zyQ?$`z#G#f!pweK-dGN61pe8$f<+Z<^Yd3$l{B^}B>sr*0;w6R3aD zy17;S)({R8bLexE){1Mlelyw)tr>N66KH11!ND#q0*{sS&YLk{ErZ9W<(N6^$-`l; z%IGlrSwtO7SBJ)}mq+p@zgEu9@7JhyZa_V;XbqB32E-MvEHq}cm;dzM2Tz|8c@i=* zFsJHQ^01KPy*?q;H2S6N>vd%;k5~`~0@{Un%&s$NIafG({I9k-(#_u*pd7%6#Qj zv#f$kqz#MjVV=-W(R~CSRKO$B)=?9dY3oJQ1+wIs`$27?v52tVb}Wjm=b;{#Lg6Z2 
zh~;;z={pM{Z3yCi=Q%cKTWs#JTa^&KNQ`Xob(KzPP5fafWXjtMOPWD9UM40Pyh}of z=jXWbp7=uR1=j6FW#uf%8q^u_7<>_z-EzE6?^RF2X;xJNy>Lj=?Ds!szFNfcUDLjC zk%NIJlm!cPB(BC`yjjYU>Vv^Z?S93KjvJu_)u#k{GBz2AZDA|{$+B|28k|aG{IKT&(Z8!%}|$kvAQkfY9fueWO#2Wp#`B(`WmgX^m>gw0gFTgWUH z0mIxod}#u*n9tCEefW9>lFD@_q$P#wL-ly?9_LUTP_g0f0 znhFJJ;HgbLlmn3bp9T$?kl+bh67=0*xE$w4UK8#^@A@0R9c?Cb4Y?$%6?6;9si`~J zrD=I2y}y}*$i@;@yu5TPD-RqAUSnELxo%LVdV21inJU;nBBP>;^73AI&6>jS(W2RS zoAWGEVIX45%Hj>Pfl!@f-@&@5`=v!j=1jkp{`jEdwqL2A8v`pE2=wzDe49JT*k0Kl zBG5~!y=sL`QW>TYn9ab>1Rsy`mQ)L)U0E7%udk~M2?=>%xPMQgqr1BjPz${Et;c;I zL5P6y$~x$;l&BJXTUCzjYzlmhZ{FDB(g228BS%a0!QYv}C!!Xm1f>goB@WmVH^5vI zLRci7J0Ue!{QIk`F?$H*h9vGIr=knMPU-vO)m3s}Wt3yEC1mE@dD-E5d7t_|T}^lu zZ@=uka?Dgj_2(bPccwa-lvanyGQWxcYNodJ4EmMq{xE=jOXdNXc>)xT&upn+Vq+t{ zMtBT=zV#XP7E9j9orVxH-`EvKkZ$WJeL>jLAb&JIshC|*ppDLJ>V39{fi!l_S>B{O zcOFA-2#wdGmZUaXKy1#y@hYrrE*9T9A;vr-M?4R$+L|;^C z8r{SC!B?3=05-D}3hLPJ6d$;ivorIA@ZZ5Z_9!fa-n9-`xc=^vMdPXbB2Q==$(WycIs9#9vh^vB&Y+S* zz52byp0d{{cdTM-`0@Frk%7UXGq1=1Ck;^OB*3qf*|6TCxnFPt^XSs`Cy@FoB zj`H#8tGO}!ssw|7e&UK7;Z>>6BN(r6992_Q-wU1=4wxx98ePB;?1wKtz;yeVlz-(H1caRzMA!_~9D~|7z zEw@;Cn;osE#cd~Z23lD`w*{yk7`iK4uW}zes6YKK*;vT(`FTs|7D*7+pC3;uS$a(1 zU4&-gOZ^QsQXgM>BWIRO`LgYqMAl3del2AK6Z|yJ8|u7J?~96w>1k@}_a~yNVIQ`% zgs<3>$#T-@^y#!acLWe|$B6_(=k28DW9~rd%&dh-G$xa6xNY}k<>ilQXzV|C>-O#Q z3I`uR(*wQJ-n}^w9;ka<*41qX??qI_hW_WrFjQc7v~wbMIHv?6%?yG9E2}*k2HJyn z{yF$E^YT!WnP^}d*!2gcNf?`!h)B`GuPp35*cmYCc*i_yhbpsn?RzC^l_eEkgZ`~X zjur8{3){#tx42b(6WyjI4HB2RJi0G)me>t3+!GG05g0An+GySLQPCg^1p^Kx%GY*L zm_XN;J>vKw?}n}l8ovIrvnv6Ls#CBM`TQ8V2UQYGo?we`Nl;%(pX=|=KDIMd-_dab z{XBX`a76ePh874;?VOx$RQ`pU1~AR5v4u}=Bpqx~(Hzv=C~-tp+hSiB?MTWU2?<6x zs*~N|!(bH9dA0LaWF)kLGOBOiz75aHgUfPebo}oP+%pjNSFc|EZ*^1f-l=F8pD6pi zgNA{3kmj11+ea^!%-J)~h#G1U(8nuNiQB)80T940bH3{L$5XzoQS37Qzox!G59MxT zYPtl(?L?X^3CN^Sv3GI`g4_yVH#LEvOo-)&F#Zzox#6HqOKWQ-C8bSFsJFty5w1p8 ze-JWCba{V=H#eFle`3$YeelFSgVu*H6cfff*f$|!_ZhyDWOEnt#MUISc>bF^{l9%G z2G~H7mf@b$)^jKYuEQt`Y1uc3?Xgr*1kmFH8f*G`k>p-uVadz>`6ndf-`C@8EYF_* 
z>hnQ|Tz0>}KAII`=3%$E;H-kox!WgbZtaw%KKp%ZCZk`O9*t|{z>wa*tuh5Tx4Qnh zx-S=wMzO(Lxc5maGbiT}$2OJ_-`LkOl9HcGUAkZuo^QnOUz+JTuy5b7A!T7^Y^y+C zxJb!_u10W--LTBUBVkP=j;>uHfKGkCZcc1cdh3+ z9lOWxueBTZeC&+A-EM4uTz%zJOm>muZmwfNS02^;TG#Tv{Is`R3`=E~p2hbi1y)sB8?~#JY;5db$TUr5HN1>u z%+Wg|k0LjZEByK}BsuWScVfl*``^BI?Het!wIcb|soRbytest?*OiiAoo~B6o?Udd zai5=z)1I>$&y>3AeR4U@T1sq5^|3oTn{s_lXXSW)vf?q~?q^<8R~t%lKHtU{OpC_MM|gMyA5B9`J2yEbk?y=s%r5gSCMo1AC>v5-JKt$ zW?xIxNd7%@AZ4y5XkEX5|5wL=_~Tu4&QJOtuLb>$WzOwxQ|%lZ?Y`1~cImQq=a*ky z+U^$B7R<%XL-?J3j$zh2~w`|xO!YZ^#$Y~)=ZK7eUQ$7ybADh*6yb=BXG z{HpTE)YRRyG;~_fj0;8-C^oIMBKLr9J>9WC}uofN(UO(ImTs=#D5g%Tld!@6pz?CI)ig%0*?%fEqWyi%^t zg@PfeG+U>_!ajyMA>8*PI73c0da7%aLN#g~T-{N2ZXX~)3cQszpi zlu->=NglPS_hSfXg+3B6*RWZUMHz&6hwK^w3X^WD7Y;Ze$7(y^CF2qk7=4@dlCF^_VA>sv_v3@|q0Mg0$A7#bG7>V-(&fhi{ z4n#`u#!Is&R%mfVM0AUv!#AXGkwWjz>n^9KK#5F`xa(H9&2^M{lvHbp68Z z%pf_qn&Ua;y1tZPdmo@R4DyyHb4B;6!AH61mU*u3qNviNwtKVd z0>YByWS!iQS^}bhL0Ni83hoq)I{2836gKD2Z@>xJ+tV}mso1VLZZGL^N?h^x^NV7W z0$DMI{|iAYL>{0JKo<97oW#I{{qi@gwb#SK0#~OWf`yWBY!d|XDMm0W`UbWHN0u;%CGmwz%5yjl56vjegVhh+V5U#2l3>OCpub1tYCi~ zZIC17!$CI-xNAy#96PL{60ab&OtsdL13Z zb`Ll7QRU1O2%!i7Gyoa%`K}GiP4z5UIt|{~5t@8_(w3GM!$(5A@y&R^eQxEzvJ3}J z6=p(PzqT|bdLAX^d}rR4{z$YTN(g@%e%C42rq^KmWTtC0AvvUf6dTj?$RGLdnMP>IQi`^!{oPY`?uXMr`8m+&2G1CdQQ5#dasK>?^~%pIsqLow*h7+9 zA3 z%2#4lx3p*@G6Cv(%cc;W-=CxfVl2?J>00sl{I3?^?Gxv`bDgVy4gY}%tUqb-_Ua^0 zo6b8NpzYtn_EUl9Kh`5ybaJ#I5|=pm)aF`c<@ZUGVnT>oU6MJO+?K3rft$jYdS8XA zYleIBQH1Q5P_9qkZIWa2#j;c2*uHHuU~4L#RQ2zpP+hWg_`;H@f_@H59At*v;ffE2 zcWLXL-92>3ln<1i8dWPSy-Pea!Rl{8`&6RzgYgZ$vwKr!3NF`i@rp-;Nl;5(&vFj! 
z?6P3RNQoJW>V|#tRQ?*L`^MMbuA-IOE7-xn@7x*ft(a%~QEl2uGn}l`19H&K_;20G z^dbW4pZ$Lg%Ab#5jl>c^~C6vf(FDX z`DyBr6TMNbFD}OIbRPhzZN^gBCu6*+Y@neK64fJLBXhkIAh(i)W@^R z*k+uNE;370e)x-b?)5=QH3`XcE^Yh9`P9=lx%ft6_^Efbl64k0)~k*Gbhr@splioi z2q2VtWl;)e26nN^R^>Z8N}HqN@~T#w;@tvP9?;Ps!i`LSdgS%BeoWedbNn4)`b@fA zp6H~|@smqc@88@?+ z=(bqg3SL`QjyD%RZEVu(fe++dWPLQ~9dD`c4O&ktm;g{miAvKawP0wS8aY^ zm=fpm13!639FpR*3NBXA6*!z}(UGa=-s&1o)^0ijN6vM3y~-2l0mDi0N0JgeL`tAsvBimy``34?#<+ z9&rl}o{$c8CwU%Aj;l@Kui67LdB!6he7x!V95pzsgS3x%>Kva9NU*DN+vX1l+oh|puU*|QF-S|^`hBaeZ81wI zAtJ<#3AM-vRxH3Io&t+oc{exK13u7dGz+pJ>C%&KF*JOXKtC~Dd-hyM%E<}E!nu1` zaj86KzF1~z@vCr$a&v9%pDKKv>IE;yVDDH8FSE)g_Wmh3V&@l9AcKsI59m%vWcn4E zt-O;q{p3FNQ?8Qbm4?)keVx6Je7+Y#-KdPv*(+t5(iMTD_9*e+$Oa zsyoe%nDR{(`RySi3>PATCoY`iSLJ`L&$0FB^P04TFOp^3H-xs3%{Wh-qacg=`Rf-c z3aGTyEu;QR8bPh=-mj8^0qlKf0a#?tr!`(?rn&y*%NNpw9;LgFr4AW);44= zq0Y|CS!LyYAE&>IkQdDi*DBc`l6xUKFS8vu>~)oc$|y~#p;-mW}%DJXF0!Zs=@#CD%Lc@ju4!Zh|v`Qpd{b8~at z8HB*uf)PB}26sG6k08u}Uj+mN2%JcJYg>KS1e%`{XmA0h<4)jk2Ql-f%J*_iPVJ61 z76O}$DERLK&wt<>@cszs+|B$nhaU1L3MA4sqFcY_=H%Q{@DrDjNvi)s%PvhqvcS<2 z?qk9kB=xzam;apK6YX^VyyB$^ofXEL{}P(KFI<4r{eq8=+2rSsJw50%5oiaeD;3p^ zzGqIbS{JzOXSfNn0v!{wt)PKI>p``HEz}2QoO`k!wn$=&plZ-_f}>?7%{3)g?DPvF zE9=cMvu{=Ryq40!nIE=2Ftrz}E#EIYn?-u_B9tlGS|~`3(!Y#bqAH9O{k`OD!mp{Whk_w`){2nj*{O?x18 z$gHXVY5}QcElwnXbt=pT=|HkqR)4|rnxq&DW*+Exz@I@MU;h!%tVqjg2PW7k0y+S2 zemMf5z*WZaV@>4hWdH&5u6mB2a`526Lx&6&cwj<>CExg`aS#-G@HyhJ3Ls`AaBH^c z`O=T!%@4~eb|~hCB9C*~i_}U6f9zlC-z~f~qGijj z|DP_*^PA-GlnjD89Hwe~FkJ-;8w8F44E*!!7srv+6^IO0-j`W-0&YeO4jShF0yI2SYpq(D4G2r$u%H!~6u?X|eH1lb<{No(sMV6!mQ zVOrE1x>j2oghVsI&Wan$cG9U=upeRNj2-t3C1Pb(cmc9<^YAz{glLG2ydT+I`VF(&gq9;%wpMg`_%^Z(4YzI5&9QUEB{AD6kx;$!O2v<2EA~J_puBne08gupPYt%GD z6B7p3aK!mY1{HWz6jW5ODOpRWif~zM zwa|{Fre9AgYD^RF3vs`mOhdys*p^|}nn4)OZFU*D z4mA~mB~}Wkgoqu$xyPwvnH#c0+a1@|*5H(fIqgkL3qIc}a3DDH;U*;9C#fia`QR;l zoR^3618{J#iJdQa(TsmXlz^(58s1~3=YZFr9VVs5ZU6fY73FOVk8fDyhy5j3<;BGY za_aEkt7@iK#{N(UT=U~XhIHa`BK8kYQOPiuLjhuwRp 
z`k~HBEXNDe-P_w5)X+yk>+Y_=P4F=^GrM7JpescZz>;cO)SIqPkX(Z?Wn^YvLatMq z;uQlX|!{Ho;2|Z!}Ni@(g5miB* z=obt{d{I9-=JdXshwZtfxVS2z=VO6Y)#+(vu_Ha%N26%y=xU(9($|lH?+WXO#PC;3 zmWy6feq;FjWMfr1oy|4$k2^@+yE+4{YWPP-KeWqa_fTs7hpj$?xRxBX(+E5I>$>d> zu(L%!ipu>yHDZ)2-}s`&RC#0qYkW;G?Rl zI)pGN7>K~jj`^gb;yF1vxg&xQ{M?J2=x9Cs2?S-d1kTfw1SLTm0a81ofG=-X+KzOO ziBqF*w7tE{4d3mB*q~z)(znP4+t8Q~a$kYh)hmr0lKSszN#X+y1H`6mfEQO>pRb3B zdcC7tSNKv!&(etz@!ZQ-O&o(AkBAk}@Tn^gaBx-&4*l3}erY$^Jzry^yJl+-=KjKo z47zP`B|w*A8(C*CXmg0UR-PaR0%92)6Jy->0tgR@goplR*9|v3Cj1%vEjm{5H;`%# z4Q+rGkC0G=N`%PCSrp}K><K(-e&8b7A~>ZBzJ$jw4#A-g zWn)K2G`|)G2qbf)qzDb4vak?RipM>{Rtz#KXnpxm`puts^tiWA&;n#;Dpxa7TXov1 zzPal(<#OoNJN@7Kdovj+#?^w47Hd&J`b?H-bjtT@X0yhT+)?mR$ zi}J3m?N&rYii~^u`V?+2T1ULpND11&6+^K{YL$?K3U+jgu)V7MF8Z+-zo#mFJ~Pk# z-f3~o=FCP>?yF>V0)4nDp;^$^lILy_h|A1KnAWWzk;Iz@^;0!bJ~bJbN%LYvvl3GY7$vug_7Egx~ z3g&r{YGb~BCl|UE$Xo&YG7^a+b92?`6R?QT^ijxMxO8bdHMPfu3(ktc=(2H05+n{k zaie@&5%U6knO!XM8GbLAPK?YNM~{w*AntP$vcj(?$3RjX0Xd7rT|liFpWK!ZX^4yk zpSk|)f24y7iXJ_pHUYt3XaGyi>hibq$-Q^bvAX`E#A@|}qxWi#W13K6 zrQG}Yp19{r@{AOW zM6g$)Er98VzHov_5Tmb-*XubOvt^vENV+3y+Iti$ShgQ-?_^%K;ZR&Pql z#m=$D`bgB4%Vuuc+kJ06OXI4hu1Nhc zOdh>+?kB~yZ<0zMNUyrp%Zp!0Vj!@npy)O29;>;eL>z7=Fs?EirpP{q zu%f{hksg0{QQ10+?eThRUjoHYtGzh1`H5b7`y+(*??-w@qFG<2ppb+F;*dUICx%6S zhN}?r1wKACL;%AomH(mWt~zh?+qW>7gUYWru}DzGAO%t$XYk<%oLirt(38^b0?{Ij z!~Jk{owxVL=6f&k%eo{H#hdr=A^376ou{_HD@^!!b2`cD(vI@3x?%HHufJIZwDp3g zE4_b2nx$<~)8zH@v&uiqN7!mzSz@k!d|2K&<&LKPgZtZ)+=X`GK6xfJxhPjocKM&S z`;fQIIzwJylzSQf4~4VbtFA1M1S7~}_-X5Ye8c+f$|}6# zcO*7<>7s0!$~DR|Cxw|a&-#G>w@Y$sF_>wXd>%#EScKie$~vaL!mha1ucQ^29Fx+w z_Q4471tl#@<_Q){hHH0iUT=7ZeY6RzEz8LeO()v092LlBc`Wr>TAh}ONn^mNi{dqL z^_^?!+zcTkuIEGCD6?hdsF`uKrmdq*1aWk}VogTXN#62U=j(1GexBH=;$_6;#WE8* zYX2CYu6;D@{Eq?|*@l8%)enHk)5KDNN7bM-Po?ea?9UaUMs6>)+gtJXV9?|#^jrR}m--|)9t40{s>$y--P-L;SHYQY zj9hoW(& zA-UakSN@HxDa!peon4&pa(MbYQ6Wzt9C+qD4NuCB;q-ymopsFOSO1| zg_jgmiu!U->6RmAg0WP!9lX56$yrYBG^USu!*NtKj(=RO|EiOojO7h7xxD{l0agld 
z{AOnZ?sLeo@acdyUwL5>qu$^*;yqM{M(7o8-`Tm-B62#f_pu>O`)8gw10h>Jg6B8# zt2rL6qVzCCK`3Wsm9EK;;5si)Pvg@mv#0?eeW2rKquIQUvn`?P$=Nl?$jAr~gFQ(U zDGTr3zC~mLh`r-lTCqDTkQ1V>+d zd}B*}?ScQ+8US3Grz#QAb>Pn69Jk^2>Frvs?HSY!b0iRAZ^9+EQXL+vM$ctracT|vNJJvKikkNfR=M4r zy5qo#G=8oPj97Mi6je4L5w1CG;U_SLMn)QaJ`3ClJ@h)Usuzwrm}DZ( zF)%VBAd8zP>l|Wm@Z#fUrpkF0RDIhVYl_x`EDE;>9a4FaCQ2gsKy(1w*VK`Wh0bplZ7$0OG^F%=L@2<{_;w|2A~5Z2hpBo^|Yd`Kd673O7gmmr)dO{ zY+ejnDkY`CM^P9m#LC*Pm=56VA5AJm50=1a03!xEC!is_JDkxH5_axX0*&jGaRqjb z{=*OO%+i#C6b~Ohxt}NQ?%lUvFH+HQga=7UNSp%IT2r@QP!M$NTSy&9A}U858>p~H z3~FT_p4Y9dh4;pOOh68SzL64@9Bp^QEWy%j0rG30be9N?x(5z80NKR$97l74D#Pwr?LC)*k@uQ9WW^=e4(saf04<7q35x2J zLcxB1;uq)c!l=JY|BmBD2x!@6?=D<*rq};VrWt07DAU%jgB=DWMmoheDZm`EDp(sa zR(7@ZMuIYr<4=7_agIi}i{WNyhx^62a%kY<Yhe%ZnYSq;VeG6~YZY&wE*iGuW0Fc>u;>>c&iiRVU2c z+R*S77}Fbxv*=;La34bc5$1}|=7LO+OAH_*byE$kLk2o~%x?r9dHG7 z^ew6qoV%FIQfP#wrI~rU3wwXQe$J#ZJw2_PEWTG(b{W;*<^3g!b5Pv^)_4@Sh8QyF zf@*m-S!qJ%{MC+00M!gn+Ink)f)F)|KYPky3}7xGBEZaJ zp_-rwu3V|MjnEZJ1jc^S+4PD!k zNq({1vE9#P&?it$(Y`Gat}K3}t$?Q{C2x8Oi^L=(kS2U6mjn}6sK~B`Y97ONo&$Im zC>2^#Qj(V^Xl?zHC${Q;wE)9-I-KqvK0ZpAj*!cXd^wMW+qsxpf%QGYMelT-gF*r$ z5gK%pj}ONee1VWbq=HMMP{C5ilz5v};^?7nWcK5jXNB1N_#KB2_u&)_k9)?Uod=#& zUBr8e+>9%W&HIY(4w743ZFf9CH|3j;-vHduv4?O@ zOWKatN2B*#`P#B8agI8KMciH!Np?B{P=n$JVs|lYOVG+O4DG})xbW<0Nr^?3ugBQ< zZH(~1js1}Khn^!xBcH@I7ZLxjS5Ksl6(#M`!|$5g+f6D8)#Lcnxh$}IL&XJ8pO6>3jN4|M&fA~D5z7Bj!qyA<^XaRDpe*O9AB}`>CDJQoN&VgjBOn@ z{yUG!4R-5x0d?p@ES!b`DG2{@{T8-HZb$Q{wfF9O-5qv6H;rShIW>+yu|zY`;rI+N zyvVRB@ePn(;5ab=v6CLSz^70UA0I!;WQ`zI+$qW5ufKiy5*rr>F%wX-jJP;e1LLt3 z@#X$qVwLisFQ8*9^H73{Xc_u{geK7LYE5mjrLWdG$rMFYP5fP&pvn<J|Vb>rEOqobTKJ+~`7t*J@R5>znJzFq$Xe1Oz%BI*WUPe*(EU$ebp zQc@(voQX~`-l-iNvcxCiT?!~~xGQ1TuV2AQdQwf6Sg<$n(ycV&d!i`G&E>%6Z!Y$sHC7?u3B2bQ>{Pq>#Xoin1`xhDXCKZfeY&Cf!RuF0GT7!g6~ zePK$_?OL>4WWx3BQ6WN&9X)PM=K@CA8aa#G{PwW zem6}!^G~ueN`!edzRVv;SL3Z>u1-9(I=;iJxBRKN0IkLPzHMYvqj*C}yrhT-P@94T zBA6A~bk6|1OU%DrfFU6x8And&QVr}u%oQYLwwA}XSn#2H1#QR84JwifRTdu$sBR?W 
zkU9eLS5|RSjwfyyq@k#Dh$I>%$75I~SwaKXKee^Fp^D;ufLLb5stn#j4yp}tuhrGn z3kgoA4;>^~6$Nt3%Rdec4Gj-lTX9?OQO1r2cpt~DpfTSqV$t39;Ial@Eb!)ts)Y&w zHzZy_w=U>D5Z*uVmwvrx{Ew}y>*?_V%d*(CN8Y;)z9k^XfG#0ED?nTwLMkUth)lVn zHPR}2I~40_pEejC9B3IJ`-+M&L+_YEs$gXdzXsvlj*&l|?tR-f;abA>3Cl;(#jo!h z;Yh$%Q|B%LQ#wocLx{DP&oLm0?nmVxk^5j%@=?CeA!5!@HbcwKq!uVnG1v zD10i^tKK7Dzk)?8Li3A=LF4^5kmKtIb`f3$p^0uJqa#P#(8@}bYgVPp6DAOh16T!C zcP9WZF1{4;H9oj!czk38i1tBJOIp9{X4mWC;uaH3kwR+Mgu@KF*5^K3w#*b z01zC5gM*L^lh)7r@&b@Ml67R+;NgjTtKeA>XO3+1z(7(uAoxNYuww7*EPLivFsdv> zx0of%xV32#Rq&7A6@SFmVY3 zM^fPI0B}Q;0qp76{YkQ0OcL18&O<%(_AQCVB%RBJ3VHn$A{+N(U}|pGN+&}9It`xo z<73OUMt1j+N(az`-HXkX_fnaU-8G9m%b1b7tNV`g52B?OKwE5ff$)%_0~MSrc=U*L z@VuYj%h97C4S>yJ9BzmL8-S75_j~~&IMD`!xa_)~+_`ixp}psDz^E`otZf8Bxf)dL4wv2jsT zANHKmN4pU~AtsI008ts*ah&OfO2y2?1iF_CZweYp6+&`K3hD+>FZ|U){IY*3mf9Q0 zgdD~#SK3(4e)<#!cnCZufLQ4kv0d}?_t)l+`)5q-kXG!%t;Y|Ll;8#|q-<1P3#o6m z;50$6m!Db-)L^_p| zNbD5-a_x={G0VAZBg52Z`q}NTn4D3ID)8~qx1kt79RPvcpSb}aJS%Y1B+oDOA!|5w z0nN+&-P@$I_RyM=vTRV~5o_j!-Y1t*<`C^Okk9xtctdd4N3+|ox8TM>#FZc;4^0G4 zEW-ZY9KUbp9tG0nw+V%sV`*W*m_0K0z;p_PUgOxYAoM681&?@)hT^4yOm|-4$~TNI zkS$_DUEa?f3fQ{w;4RpAHv}HtXQZwWzboE#RR{TM;IZM02XD9p84%p=Po7|V*uc8e zj5Dt2`#v%fyiXl$9n9DIXc8M6hamsPhxgr|j1RGopZ`rm1M-n@5*CCWhJjvk=*Q5R zqHotrl`et^6G4wi)I49)Nh*x+F2Xi3H8Bx(EVC2|qGR}|n5etDE$Wo7;cphhNds9q zrWQyZMxwC2ASwbk)O7XO{_kyFAIYO!Gdm>nyI_XbV$Dw!MPV&j-o@@EOwX>SZ^kARXv#1%< z+CS{7nqR}K9Nu2(%gW4Ma(z{3I(KMTT2%Di>(?ZnAHNoY6wGP9A<6*(3h%@O4TbMU z5NUSq#MuY2n=O++(J(7q9M{CDDL5_6dt(s*h`9TZLW77pJ((@oOoZSjT%0f?fOPNtnG0#d+dlVuFc_I3R4s6|)P*hu98bBQ`S} z4acJw!XfVs&O^`RNo}o?3UN8a0k*=3N<57VMQV_VkPaII7X(?-OYb?hp^GS*ICKQw zZ+&5At_A+WpeW2 zMX$RPNm~tGnsE~`7cJx*`*xZ}=_`y_NNoKT`!WIsAlo#qrK66{(B6+R#if# z9L9Eh8GpBZ*4O?^E$%^4(YdpB6l6T1_L2p8cG?A20lvnOEGy<;g?Nk%b&uQYDxQ9< z5}miZcIsKlhSC*N>f{r08?0oOex}DGXN0Nbr#uN2=26n;n7O!=umOZ{qokm=V4I5Q z+7dO{IeGpm&15Zpq+vsO_GF_?Go43Zj7}cbu?_>!!d|=nz#ro!O!nbd3Ic*w_ zjsma^ZnrKE!N)==!#?hdEYr$GtDy3-C4DMV4DPJrN8)RN0=J@rqn 
z?AaAc(8xaU$3gXGL})mVwU_F+YTP&d(gy|UJVbFO;^CSK08kpdjGd9=B7lG5_V2Twm`Ium!x+4L6h{9-= z5Ma`n8>&9#;Evg?zr>*xyY0q+du_9fqmvU(i&|b;Da%Qj#yCexv5Al8dqS>i(4Ax* zco@f0K?XBgLWXmV>tT6D#Gl6zCd?~1i47$VR2Q23^3~4F%cyPtD=&HayU@j(BgxQy zfbR|YxxU$cUdW>S5|%H%fFn=kg;60k?su# zn;ov*gy}t%Em?T?KSqU;nm+U7_9p>6+vhui#U3Y%hv*@JxM5x^6iDFXg)xsgM^=M880q$^j1p82Ji| zEJ_t=`6eckFc)9%b=;zsIPhZpE&b`kkBd>mzT{~6{Pe&nT8aFYPNsa_8f(Xi!;F*4c7@}qraGn>_FjMD!kB%7~-F$>E zAU$m@otGrPp{YfVU_pL&Gnz6hoRysukw{j$5A!*uj`KrRC#}4@FVUjX+9?o#CdjDgh4us<9Jh6LT|qf^gM zSgB*SS_A}w!$cygqMkf)_xG=`{cZ<*5Z3hQ8Q0eLDl!!090^+XIu{;YbZL7i^((H| zZ}Br#w3^PIIz_)@{t8Fyt{V|7BD3i84=RP(Y!qqGD$9f&|DA9BRIkRCp}zFNEt#uw zZ{sT6q}hkJ0OCk#3Go)&%Nz;Eb4#6<>iw9eu`-7#aWd`icXCc7{gRpxGBbR`cX#xk z`KW&z1F!GLTLBl;jea^1RY}47qfcy$U*x068K7OXhASQp2&} z4_pQgf_68|=FZO-3LehT zK9Ci5xY%rM!|BZC#%x?2O~pNOO641&47pF!9vfUPx%-gsCS#;3we|tS>=y)80*?fF z-Md>2E~m1%rKOi(eLy--LXZL4bS@Pl&cJA>MSL8B8m<6c!v4|j<8c1`yMwpPg`pXh zh29fq(OjsOOY8oGbII_u$5`bsW1=((9ym~cR;y~Eksb4GLnT%!3HmvC5?Q4Ff4(2V zfFXugydCv-Ae=Q=wJ0=l$7ohve8`=pSP0jhm z#Sfb9nSMup#s1(f&)(K*oH0^-lX8DiM^}rCPl`$zua}vqkyE1NIXHRIeIKW$5D1*?}SJz7c%t^d*a)$8i{L*cB<-`t&?IVb+4vbCpD zP}4j3pB^1ZZYg~0MsSg3-N!oD*7W1SuHS9LT82kN`^Dp*$f}OJ76=PflUH?Ir3=&L zJutQzKzWLlaeLE+of^kKL^^NUq$O-!Z6VJOj#SKOk=Xb#_eI+3>6XrECKK@+=QSBG z_UN8V+tjgsr7C%i=D<{kUS8_4WXYK7aj(b8DycOb1O5E~mK~g&Dqp@nW_3q7G-v!a$5AO~P zAHV3+{Pla%>9!m;-4pT7A+|j9!g=PzJEE4`c1>3cyQMC!jlK5Dd6|&7RAoK14Lei% zNk^Z_mA1(h1pwnatJAYx4@0SQ6Zolft{Cmq9THBKuwRw#JM(jZ^*vwO{Z$?{Yt`u88~WLQ6a z{8(O9wGMU*+y$hgE+A^LI5Cr=dfnQW`$phkz`1TlidRD=lY1ARa81_w>sNlY``w?c zP;Ovecy16^8{p z%U*Y7+x}URi~HgB?XoK^eQmVS_24rG2U*9&zIT$vk(u%;--?Z+WRdRI+^U~D++68H zt*z|5`b^Wd({2y!*B;6g4Z9(c1d7+Gkbp`bNsh-T#R%i82HC<7+ zTL!Z?Had#=4!JYuVl{E(k6_}`Aw{}+0R{<5_5M=Mz8xAhrh6s^8e$f-=7$`4y38CX z3o-<6+~D*W**z*M(sWUoHsDhPhdX5bCewYo^1#-+J(IE8IM zS%pXlF5C8r>DlRk z?kR%winvD2mS^IDIN-(MyZ*;*R7yjYyB?tW$on~W#(Cz&#Hafk=2kHEy8Ge^>Mem4vr4iVpv6W|e zoOS~DU!Xn=p&j-fro&4>Xb`oVf=vxKLlZi?7VdcqmZULjsQ!xZ`e{BS6G_tpc1@4@ 
z8A#ax??F?2KM`&?+d4hqFT5c5&AA%*9w^LK2%V#baJs$aki2Myt| zJv(ib+6CYy1Uf?711B7$_naP%sv3DOk@CD`4m;wQ`w+VyMaD-xS7Je6Fi|{Lc+tAi z=Pa&>RuR>rrexHvBK9G-e&EkzJt9I>M~pue?w_xP-oNPKB*M)wA4pvZqQ^K*MhjDB z1Q`2jvf~Pp(1m~EbyjhrNRp9|Xu=a!Qw!>uD!2#h70||_H_fpzG0+LcynYSS4^%|% z-@h=&@4|*ex3-+6-@hSm5RmNXJ1{v)NlMB~Lj`{)Tm(d+0bU6Cv2UJN$`P2Po&jut z0mZBAJv)v~BD2SFsd62MNz31k+6(AJhH(Yb6vZ0k5?wPSp4O{oN&fSF?No@3`Xppn z!~BQXt&=1UJIypsDfDjb$5fX7e<42ziWulEVA%-&wC}wC7NF{P8j(*VV?6Y$uoUH7 zwM-v8n8G5&T32R-v$L>wkc^RE3d-# zC1Zg8p;MBwvSRx1lIH^_ z+kyaoD9MOe`r1_jQ=~-fQPB&%%E^MW`(f_^HJ+;Op<7n}A1;6yj0d2d=$gh4!+T#J ztvK*b(Pn${Uk>Hh3>x`wUkDL#ZqeV{x>nP|jSilKeEBEtB0+cqVXf(mHGQ66b}{qj zu*g)3xpvS5KrDzFz7_eUvlHbZ7{!yk?)DR%|MKxJbmyQC0IGpCh)Y0)1RQ+8!-MWG z*M9s6>Wrs3iEc1iCqTpjhLVsF9Mvj%JY@#HC};@4^YsfxU;+xSg4I4`_kl+=Fsl@a zFinM^yUFXgB7T!@(Gqv#A@7PB-Z#7SSeQ8x3rn+>PaSbjdSdHta1Nx+apL-xkRMBQ z&12$6yg{UIsf3v9T;>)(7C}?5>*x%)?Lt+oRW3t6LdcS72n1-jpde;jfY--hbiFC* zy0Ty3cg=hJLK4qBPV4!0Mvu5O9|y?Aqy{XfwKa25032!qul|A0ASdntfJvaVMY8HD zl5=tbp`p5`m`uj?4{AU+5aB_nR-Y3!^v{53uQV-$p!8EMCdyMdObQ|2Z;K@m!{ zcr_X8ELo?Io38~vC_e~T*!Mf=wK?qC&cS(Alq#qltXBc-LWpU6_ac301rP#IN$h)p z?X*C$1zz72VAC)?1x6uDGchKj5en>h2DxnD_6G$aUWyY^Q(u9e;>{|Z>7oYE+?aCw zOl@sjybmm?W3_?txH-j{rGjkgN;T7yk}NPIfHn#oPbe`dQR(6MhBGhBS{`&9kU{<^ z@T?#HeME>BH-n8iDjk}-2eu&B0nwZ&&8^qnu;&@(cFw7ESE{yP6^Mg!__3?+E*YP0 zDktqN^TmU+;D&*QORO-HRB#Pyg)$0;j$pc-pZ^Eu4bW)~iJWA%wfVzg0~=waaTZDr z=&>My&}~g)%xG|EXwsSo&MQL6CIiu*;la_QVwZ%o2i7n)Qq3vB!d<7G=a zgams?gy*&C*v!j?c^tM2p+uiBv#D^SvZx!zQOYMarlOhalKXF1CeMTt{hq!WCkr!4 z)C6%O7)XVO_geE88cjD$l_kH_nu2=GoPq$cJ6ZRygJy+2nd7p;yE>#@z5l?SXYmbj z>>I7}hhXjBzXV@J8x2e|&2%Azx1pwn_?g7>Cy0<7*9$kVc3*0FevKF>MkJC}o7~Ug zE4%f%Ac!uRh*DDY1FiCdNoB$~&z*G@b`)C%F9N$nbYX1d?#Zqv zU*wAi%A2o~DQ=rVXLK0s8_UY?s4U{>e}5SN%vX1RM`fOqDC`DJ&Pc%STPIWl^`|69 z;D80l^ww-sO|KNBQo>FLg$O)N&_)6c3l#y;@7(?>uRVa)2ucsAUXX2ydfnx3ff%X5 zZHYWJVQ_lwn)L$4Dzq1X`ro8Jk5Xn7pykp6GU`V*pg6vkeO2Ho6tWAKDIDK$`LVFG z<6~i|mudpTQMb(Vf$!9Al}obiIRC_TMVCil7Ucz5C^wm!1UfA6A03ax=pK# 
zi<$n@U7+8*3AV0a7s%so4O~)jal|)PAWc4EW%UJb+>2KCAQOg|An~tgL6av(B|#YB zYD$^3xpAwW8DwE;>@9g!&o+jw#2MMyKNJ@Jg-Gitsr!w70WUd#jhH2Kor{xr3BGbGVJI^?Cuax=l(7@w(NSgAvi#nkk+z z)PsX}&Gp7x@4^vlFwx5P+gIqiRj20<^k~4za>oH`cpP&9rQ=8?Mf6R??oQyf5X?QH z*^1o_s!|A93|c!XiPon2;`f@0?79KLX=hgoq)>KtStDYyW6ZzLQZ=bAR2VMSJ<|j2 zZ#RF#ib7OY5OT1|KgjcCqV!l7H^Z=E4FxA2yfMMV_Gf}T#tUpo>O>S2>41-D-Pv=8 zijbTYEbrUeE&+y|St)?<0~mQDb8i9yM4#Nm!pB!pQUV$}8)QggW79`Oa{M8plpv7- z(!%oJzra}}Q;9`(66@=bu^LPZry`7XV*cEP{t6KU+w=7F6oPmWkfw(4`37jF?(x+P zIao;m_(SlzvGD@)U2?uo-qNXmEp~<(r5lyexy-kmsI0gCsH~g_3AADm2nh@(k?e*4 zQo-%=(E*kWkX~>PRLxSG<{UWO>#M@>w!lPEtw%iKO&Tmgh;I_DiiD2|}?StlZVVQ1G0nz+3rx^#stKxM%=7zE^8Z05Rr zu+nI05t0$8^guFW>xU60#RPO3Kx@hn@#V{zzqHqb9cN%5Y}SJd!%H}o0N8~|ZF&)S zNmvf1TY$T!R*UoEO&?Rx&4a_X(tR+V!b9YO_6q!7A+VK}(972s?pR!ts9NB$z;grc z09+{VG(cYJU~5ZBOl+3fRHRV~mnpm(g#_^Z#w8#a`ua5vn9Ic~GTaZr`#T@U5X{?5 zOduN(IGaf@LsutR+S#EYCAAR#U?ZI#9Ze67CU%D7Hh5Ni;?9&1430cLE#UW zc(u~~a)9D|4oi}fNWUcl!yYKAKp=zVv-(P(KHkg6r>M9X106jVyB!fky%qtF$oi&e zCQ)>nLLxTf@<`fJQ5c`rAo9ybj5W9#WsatwzV9V{8;eHwXOWEvmy(k~<2zxO(xeb> zwH-wrW8wTSJnu)CpNc;j1>FCqns99HFjUQbbYjzs<6UJavizB<=oKL(kOKV+&IIxz zgRgyk5=4ZHyim5lR24{C(At5uLJF{T8yeuc0DF(Tdr*M@bOUcXEdBu?Mz;3$Ktz;y zhL3`P{|xm+tjMvBxAz$^o3MgmOZ^ep{+7fFAM;V`Zg6=yD+>uoUjbf$<_O$`0aaCx z{{n0jC{-XaS(BVrMC3B`&U4`Vkd3{ZoR|R44=8hCGpeep0x|;|H!<-5+ zehK)4Kp^geC_!N2!UlqLmKIwk@N&G-xujH1d?mWhwB%#4v`-G z8iPHu@#JXq_CI4b!|07zh2M6;w1X3tG`L-N!<&Y%CJ6Ze%;&!ndl`D7W?x{lngYL& z>~4V?GY~^rNw9l0m#pkgX+uz{dDs!&*K`~a8b$!4!Mci$jlBk_c-RtnWz9fU>#|1) zl>{GU6N4Z~9fzot#RMK?tfEK{hf6=N2m&qLZ{088iW z^fWgVJ`%`NXlZGAc}X9_@q~mo;2W{FW=1T)kOh#5ikTD{3@KS`?iZ^UjC`91X;^s|Hk%fd0yg`WGU_B1mHe`%wp%deylLLm#XzqjRE(65E3kB zdx(pFqI7Ik*VcxF0hfrs#3@;+`bjO7!_;_aNDm_9K4 zWjh>w`uw-ULy_$cMra_RqJw$An)qM%CV-PzUF~najd9}!u+ac8K&6M07kXu=XE~^K z7uVJv#LL4VLtVTuH}})`@9aQqdi*%8=tWdMNP6IK8&>9p!o#g2*+LgH4@zN>CgIuU zGY=4}3cu9QW{!ewG`Rt?q)Prb?I5LyjEI17n@t_X9Obq|@#tMqzs6p5GE{o_^fDua zZk%>zX25ntLoma=2=?_5en6LM`r<_sc+7w`&B+ND%vW+QH?3CRfn=78>m&4+Fn90o 
zx5XUn>7j*Vbh!Add5PZ1XVj}vPX80bitbm9OY|xIP+d)f+T-U>*x0_f3Qq3sTO&ju z-P^3RJr5WA*LiqpYKDjY=@~wT`ZE`CbcqGM=_vuz2f>O(>fEhLZQr-D^;6JXu>3r- zOJyXAbR@)gkwv1p41Ku3n?F z@(4u#OB|U)j7Yt?R}7Z4=uhpMAI(wDC_hx=N(SQ=0C?e;dn_OTb*nh0xRyqSM+L~%%r4lX9H>JkUc@d&v0XduCAI*kx&|HMMYz`iUr@zdnr1nE5Oi_aeXLHD6k5yOIhVjRH*J)D`HG6n^7+gwzDC817-484 z;dF%eg@Z1YdY7{6=HN`;ihpmI$A`SO*mjKA;L1lkF=0-K!g=#w7YfBYyeI5AA;-yc zDTjD>Grh=|_Q{&=y+H-FvNx0iKpi~*qo{Z`I}X@!AfEtw15eaEWOk{cjf>~06&4o* z*$0Ard3boxF)(0o0(covLc!z#ZcZ?*Dlmuy+og9JaBek$Qa*tZa6Lf1ewx{aeZ|Cn zn>+k!4;yY;Xj?CrbfGvS$yj|FxOU*vMvWM5SuLgO?mAS)tC)raGDHC1wK5&=tRt1* zR)h&0wq#*=+JGR+%J#JEw7=eYZ5rEyOOSXA{4QH>_2&rHwM-s7#lP&+wcoMEM2OS3 ziXFQ2+x9J?T1hE`Qc2^U)sYB~7ymB9BC;iRP%{|{_*(%=acSoi^` zr}6VOf5qi8s{)1A`M6fE!oil?+eL^W_WiU@pyd<>ULZqb*zGVpimS1%bF{s+mnKtQ zPk#lRX!$PfHV~7N)_H9GyxJBsn~HG#c%QzFCP7_Za<@gNGv7EWC}{ChljM1gd6w4v z$v19cg|x;C#aRt>`*%{;axrP5S|B|G{ySj*vAvXyHUaQXp_>OCsx-ZX>-)o?`=t-z zlQA=Mj7>jdCb6j#q@#ODi+RY__I$`W)A>A1t9Riz|^A4Xk(V zXU_(6#5y{h>9IpmL;1i(E;<=Lx)V+6B*HM3W&%C8xQ^Sy3&{&zH%5L5n7PL2iJGah=g zCI0fw%NanXVyH^*GF}c)JpKT}F<`lnO+zBlVS1nz!^F!O;4qKt*; zZ8n`M^S*?uYz?TEpk8W~hGw3J78Rk>=tP$@gp?oh&-=YX6$IGnAKdzHipMxd2%&P9 zaH4Ww+2*m;7sNQHl`?p^{MUKEH~MD%j9No~AndtN+V zG7c_ahAgT~X9ICT;SMM-G@XSyH26IZeMOc{EOtOiUv*WVXCZ~BV8aurho zL!hK57O*yPQz3yQ65XSILNZUh zd>qf-Yf4&j>=q&7QS5_)xj1!M!VvLKDNnx8#|JU?Nz4rtGs741XOCI2^u{?$&cIi8 z1VxYzqnkVVQm1o43@xoff^gKIy%M@v^VAU95C)z)9zGNa;a~3Wzd115jSDUWePtwq zLLV9MFe*i;kM+<0{Q|+f?YaJM544Ms2Xlx?+lkvwC)|=$c;wC^MMj*V()17_wfq8X zzc_GRfl(7LUkk@|S8X=jX*|l5E3LT6O&QTgk^e6;Li`w3C9Q%aGhrP13lln1GRuS$ z@Iy8iK|zFHd>}-XnopuKpJwF|2xi3U3|i!1!oq|^8)_NdCl^^A{`*0Mx6rqH($FQv z6VQ!$m)<=Q!7I~zD46VAxB9q?hHqLNftf(~TDmN`#Z-tqfZt?l6%2&9vfr2uL>=D0 zu9rC7p{c7d^f%fd7)Eod4-3?}N5zo%*?1Y$zPI%>=1mbIbEJ{!!YLx0YFl@N4lJg})%>ze6D^%dn zz!uEiw)+uzOn2QbaXN&)HFtmF3u{0EA|U2VPT+mFxZl=a8TbDtszMzJ>R3-w9ot~i6$U5T! 
zlbq>AubG5HH8E8J-#sJAK68}C!;lG6>Icv#$EyX8INaeoSCgSm_)^0wLQnJki~&n- zVPeD)hW_!^Fty4`C76&^b4BZ8edl&;zbyMud(xvLh*kz6$4a)K6y}>yb1A-@(KenJd#_K^lT$f8k4FpDEvTz!%n)C=Z)6TDwf{h z`VF4G6_EG19eSnreR+dIbm;x+(F+dTuBt1y6JI(+Rf{0J5pa3O-S7a~2c1%jP|@y# z1&7zY-vL>wEnCB{d)~b!?UPV>&r3L_kSu|=SG`UKngBHk27^8l_&KOTO{b`9I}M|_ zo9^Slas)M%a1Mk4ppjLy=n{S!TJCs2b!=@bYz zhAc{y6)e-KQ?BNnY4T$R4qYw)`QgtC?6h~`ghhoZzlA+1I-~GI!?30-SW#Nq+8|ND zRGkjOOLk7dMvVxcHJdsO{!G8kAX`a7`wNkKi|J=jr*oUlr&6Ph49yF<6k(TZ(33#$hoD1?fgWIc9YNQ9R*_+ zaj(Vt@(^VGF~y%dEKM=Z@we7a-I~K+ArSZ-v~xXko(Nbt@{v(d0Lyl*(M`qWWs@@Q zzMUcCa}bv&1PY~7W>L6O6dgBi7Z+|RXfbBFs zyK2;;K=KmVZ7!;puWu6je7!SW%{IK&v&6I@9~>7HhY(C)jM#gsLkUk_?c+MmUejTlYOE{fnay8pWqmv0*h?STuwt%|KPB8zheLcv@90S6Mu6gC`STbYl28rr?F_ zcxm;g5yJP6C?4Xu>qXJa2~bN4AuQ=JvSPFhZHDXH7V1o4OlGpo)F|@v;U|u#;Mf9# zlX6WKS39bA;RsB+aIP&n2|{#*1V)*?Q{i-z8@PJW`QAKIu5A5tW--UcWD_(}6nEge zlF$&Qj*5hU&8R=|Br*w%-*zM!=0EK|Ar>};J0v)a&zeV&x(n*Cs_KX$@@QFGy4&g` zR)2(&7X`vB#%!X`^uwbS1+%Ev58p@J2%_rSav6TlTP0`cH~uamMo52_x*^x;kRoHs zNe-V<^}l?Qdbw&QuSXP;>Ljs$IQ^1M5WNzZ3Q?xk=_b0#7M*R@m@$#YQw**hyYwOG z5^?AfdtM~S!tK-#!ZM4QqZl6~FshU0jyUY(rg740{I64(W(|G0N9`o3i&wh3y^2kd zKvbv4IWxP5j_c|BEb zwl1!Lw!ef_*qv4C2o#^3TXD3^3He@{o=Vc6K>CHQkYBRw#a3a{6C|He&(MGl%3xXX+$7ZKr#Tc%`u?VH&La;A(o0|J510X-R#Hwp<} z^0hb_B(xz^2y{k)UpXM?Li&rFYs6`Zfecc*)C z??IHDI*9_jH)GGg=E9*e_xIz-aVg2J1iO(Rj&LRj4jeuO_Y|Tv{6NB>zXCCZUf|Pl zbGV8PHk{|<@ofRjcE7GFb(9fGVsJxEpjC(}WR5D7kD|wPflZ#uPaFLFjq_ zULDNLUwPDK1Vt+{E1d25t+%bP5TuTztngy2#Khv!XSBi$TL5-lG#2wJO7xYK_~+dNhHQJ!F#q9Q{$MnEf=(COcd1u& zS?%MWIM`0l^QmtcJ0Kq9?i%{rMF`+$KFB2~THoQT@yyVPK^ywM*ulH^H5eWB`x$flKX7c(fE1hKgZ9 zp!}pZUyb#4;~TE@#YU@@eSfO|c4fX}^;s7M|7$!Cttq@>Esc82tcF*~zB-pM(!q5% zmFgn4zGqBmE-WiGK>5EqMdTYW_(r8Po-|qWeq_bTmFZ-DlmavK09C=%;A*5=y~~+) zjpA;~hmM&6aut^J8@dg;2)Ci{#HUk>PqC4AZVKQmdO&`(9-#-C2vC=L?u})v@D6x;n--)EYXDdD2kci4jSGioJ5<4;#^d=1Bpa zGC{}`0^yV1-#!?G(`>b}=ltL9v*v%@MR3D{R-2xl-boytGUlSo3OAkzx2vZxau2^7 zC0?|OO1`CYv!k%%+0b!H{^YwG*Gj{2A-kM`RK%Us_|b3IxG92Ht>gSNmcP3W4R)DX 
zA$KMx%m0i~k-4B?!0e5FbiYc$)by|pcyYw|PVw`Vo=Jk;y#YL#TMGf&s#F+n`Pcj( zH1A&(&_%@Dbfg(KU^ChMBx`5P%>Oss&HvqqeA+KJp07<^eo6Tqy0NMc>|7q}x$nK+ z4;gW|5oXc_0uL^rO20I2m6?V zv+*cY4k56!0y}K-p(Bd+7f)OOx~#ff^Sg2Cj755+B?l*)b zEB4&M!72VnQ4PtPJZlL|Z~K|=%;sj$=Oi#>|d=SU*i%?CX%G=L+hvf*#rkq-g0)#ZL1_7IyC?HKK#!&l}i3Qzif`j zhkXTKO1#P)e}3A==~?E_@!3eb^G_CSi}JHQD+1fV_yR#IOeIp}83EOUk@VtT^TjBb z3jo?BAmDW>w4T@T5OCX;_IBz^Xh8rKg!#Y30&8*jg23?bcYk+vIq|E1r6hrIj&(iw z>?);V@$YiB_)(wvx(gb@^bt(q$86xI>fq$<=;-*(Hq_S_-@gPNBVF_A1Q4nUARssf zi6nz z;0)CG#C>#Vt>GM=bZ(Z$!+k4M8ju0-@G8?N1ruvcmNsbWz()eC#saSna)2~}5SNtv z3Eib+DE zeT0Je;fEKS3xBu|_sDq!OUZ6qABk6Nh@xSk?)#3L-$nYBfMG{vgh-v0o_Y^zZIbUMsf3Nd+Y9+vXRj4%d@8Eo!>9=q8$nX3_ z%yxYP1wlkNYBaO=Bkt$S$%hO*J=zdHEv>HU<>6V#lwK|UVm0x>wU*LN8q4>~e+a1i z7k*#=F9G$l+^_#sFF#)X52}y9&v=(hihCgk>*qzs$K1TOmaftX=R1loFgwrFg!%R9 zXA^hbNrnf|P>3k87_mOQBc>Y4?@-)|2}2kqn! zTaka4QjGZ8Re`}>1B(_=43vC2ifB+ncU4i0R+D}`d1=FBFIq6Xz3L8%P3yKHb6#Kr<6 z9n_1Q)Hj!Z|E`8n-OEK=*dh=sifLA0oxUva{jerJzXV3;K$3tzE*-a7Obq&j6-wDagh=`)f}*Ty>9!jmVNh9dzHOhrneogQp=;3CLC!F6D`Om z0V544b0H}VPCtK9q|rajZ$YfT`h5U|{h-twmI8gZgeI^f4==MnfqZT2@84Rmz(WLq zRK@v^w1WeC7YF<>2%>n~SgpZ<-SqbABsgvW?FOu$T&Tbch8M7Sus}Z?h74rgWMpdC z?UYWdVpew)-1BPojh=uj_W*CM_WNA|MzNpi4 zyCT^7g4FeRKy=^&d`wR#Cmk@bk(bBpg%F0U763bej4eS3Lp5X^hGPlLazW4|3aoOZ zq!q@!FcIRn|7mXesye=o)wr=w!rvu>Ye}`^Jo<6HupW!8jh(&Svdj=FLcZs^u`0Q~ zp5Vk^*Q?Dfs=(}-{gySq)qeA|mW24K#hM`0COt6v&V<1?IC4x)Pe*&`!x|d+45(9@ zIE5wu__KBEcEeQFlo-Vamb9xek%y})eC3Ucx^4!|4$@DAX@U2C=XEzojf=$YadPg# zDgg}(kWzfwL`6jWfkvS!a`aX*4{C6rt7x(;9s%c4%`vfP4fr_kVUh|djBu~RC=P6p zNF$~F0_GK}L=4(|NM%?N2oN>E$qX0z3b}LvzsE%p~TCQ&Q-N99IJn|xNbptBqD2{6t+Xb9SKzRX<#n9Yb8(13vhXU>m&~1G* zV27DLP^JavF4^EV176vf4X@0ZITJXvXJz#@PaC(P9p zCcfpGWxxl3oFK4mED-n(Jc_qZmO!ZvT5CuY7|IbtT9aR2opjuZl(wmBhTI7tfy1+d z#-yv#I2cdP-7t%b-^xTu=`1Vi?P0m0%~55&s1@C9PY?I3X0P8p75Z%bKF!S{qE-&E zoOeCTScVLm;f!HQ)cgKAeQ9Sa%j;_PFqf9#&SZVe@j+>6UT5d_Q-k4e5AE%(*bQ6V z8-gu#;SYOP29oA+_$euz8kz;qzAY_JXu*ZQgmYWjdGqS_q5wPVwVv#A2PxN@vCs7M 
z=I5Kc5uHg3H*=-l3A&z{zR*nz8p^pX;2v=Jo?3r($4jxlKgx0T>q8cF1eH({IwF;n z+Tl^d-P~to-@n(SJW|HNJ#=X?>Rr(T-d%SVuVOOA4vGCg2lqOY#eRt8P)ECG#fj_s zfI*}a)(9=JahC0_Im&NQS98qqeMgu1lsJAg07X)R%jZ&L9X#bD`MoTvVm zRGXXW`uYLapYfx$4)(6wsmE9&qjT;10!iY73&)LOJfx~PnSkRC_Js5EG#JtxxEUq? z&p@!reXY^fb2_a(GsAvpX3yTnsXbzX`%=W687LqS!J^zz|Dm$71F~b`&;(Pa*kl+q z(+D^%fTI8qSKOS>AOhVcg0(nu2S|SJ1qu>QbFODU2pFeJb_e(JZ3IU0|7Rihc zrwM>KmRd8plhZ(8PXmc4obf z9CGV`%F}V${YY52*{VMqA`&2u#|fxKE7`sd3oBPJw}cB14lYP{BUJ!bqbEvAo30k= zMM+QYrR&O8PJ%oQklzBO{NI^VtF^7*TmvDI>Ui;RL;@%*y7z?`cC~dDobG{_8%8PY zhCbj(HF68wYwBz#)2~=eEH%^(kG85$V^qc?xr^=JzaOKBmMyopcMSAB!GNOjrD!{k zGE=5V)?1f=$?qw6?&6OOlrJ}D(EO-}=KEVdRR4CQxm?+M?5g_C0A@JU>>pr3&r`on zdBVs{>r&BpdcAd~R6L2{bwP-(B;b4g_w4Vy-HfOd=iqQqPxA6#))X{HZXU zD`v6N{tO@wfXaG4dx(4AMa011?&hY$Tw6wZQd)e<#mtHk$0ga0miF~l!F6qI-I=$~ z2yWZX#j6zVw>_g-TH_PPo~_;d4*%f#*2BA8SXyRp_(+}m3`#S2Pj|5S$T6h3J}lig z6qskA{o%V9JCr6QE-qa#-hR;+h*O#3)6}HM_C>p<=DR_2qy1vhJ=YcY(sB4vPiGhG zoZG=#qRz{Q_bhy*Tt|IcQtVft&-a z44(E4IIW0>poTNU)_*{>sCq6yC|yYwnn-Fu^rZXUhQ1)chfmbs?zNqSe;XPqX8y(@ zaD(&|WGFx^=!6b!_$|*RSf(EyAM>%J?tq+YX=!}1r==Pk&UjQ=6cUgZ8QN{2D!{gY z6=Y7;3px|o0^^(b5r?3Xx(jRN_G|D@#KQs77x>q(Pz3Xd1{BaC5Vkl1GdUmQ58wC_ zq3_m*=TVzaJp9?nwZVaRT-Xdk_LP*AJ@;5O=1j0l2jmK`=I?Q&Nh&}Yz;npA#)K}$ z6{usPlX4YYnVQhXfxb`bl_?y!Ct5l>mtRZ&t2=@Zfr}Ck5gm9o8L7HiPnxPW zQXYlhyaCw1^K47bzm&yBf~$RPCSMHTn?GHgp}ATSyExvw+L$4cc{Vxjzc<%#_54@m zmRFx7+f9T4cu-yhify{~D?fa=6L{9tHhUbM5)k=OQV)zEFE$siH|Gv^#4fu#>o1m9 z?pd4*RbF>?b(0>=T<^`#F@4Vr@aU2avv?@|#|ZR6n(-lvjc9w}#NV^i?ufARd@X#@ zp_A-?-9L21a~V5%wXpd6<&S4q@RJR!J1R#lr*(S63Z*&o)>!pkR z+nBM=5Nr!bt&kk<2|PJAQhraj5Bus*2LJQxZWWTF;dQs`>6Vr9#+~Bxb7cbT+q-9J zll#L`V3U65uYSMzx7o~ABj`Ook2nKXD;j66yGfQ zgXLqbrdE^mWa$9|h^|2~7WV73FW?KeZmi@`v z>MAI*U!0%Y+uMs=rH8FkBeU#;Vf+Zb1LR?A&e$NmfE!zM5=tAet^||T37{o{ei2B3 zc=sfc%O@<||9De(F%j^T#Vtw<=PLCEzfStGL?(rgAXA%3@@#nTjVc4+%dyMMpl!g! 
z@Yq{z19XId>w{2}w3M7VOXr=~)s>|>b`O~xeNopn(-ghSmaRu*JzsTn^{zZ-a0J^# z_x^cz*_7WFi^-=$1P$jJW9YXCJxf9$L}MEcR`k_pUz(6%{w^99V?h4SBWj^CTRQ=N z&hFFsX#EBR!n<20iI-RP(yn5tEw!Ld>3Cx$n_sv(x7KZ8acl5U3-6^$<&HD$w^=G4 z(7h$~ALQrb!4zFIu=lBI4V&-PI;m*v9SV|6!?+=5Dg#^ zMcbkAO-XK1@2&r(coL_$u!wEb?e=X1TZ`A#GefuH>ZKClBVW@f-fFJ5^jN1`q=p-9 z3f?k)Fpt%VYJRkD$2go<>GdRs1iKr|V}KM1no9F;=TKI$Bt=>1F3#ANT!iP}B>YT$ zB!t_C3O*H{*YyPjI~$Z}35@)9Q@fB`1U7)!q~bC{Hja+`+b8+oxxaCd<>IyF1+2k6 z3}j;;F&m!}>somk>7awlj?gD)6h9w7^uI3DBkIw=E2|(=Rg`4AW9mD=wP-EV`16z1 z%C17m5VIA}iOSE!NJ-aE+W4ubOd^EqBiJN5f8!O9fX7N{=_m4&VZHBKHoZCFr^`0-U z|Fw(YrS))WiVc_B8>9@oC%T>8!>ZG7o^>MX=P*|x;P%Js_mM`03R7Ji`o+al#?ld+ z&R5%7+B6FP`n>vnG#&Vhh&cXgzk!IrO>_7c_c}2#Pqt4gwqYpc`xjVAvgK>ew9g&3 z<42_&=PHKRj#e}(d3g9K#hwtNmq~JQ^RPW+YH9rw)6gR4qf(z!to`>;t*Opk&%-0A zK~-T|`I(iKruEdWend1c5W#@BfM!MVAM`erO973Z5v$>QlaYAshv>_B8Gl3sPpCC0=3f$EV#-5`+29}^PD`LJxM4m~CrMA1 zVM&5-hJqR#Jb7k~0YicY^o4^%J+SQ+p^5==_Aeo!+;GTs1iBP0=vbJUzjh&CkW&Lp zeSmeoSE&G2_vD>qmOdOSfM}8lHV9@R!Ob2ETH27X-yA?x_Y)Q4<{lNGO~}c41WCUl z5uD!*@jcmE#p1W>u$Rr*4QF~#5Swhj_t#oU^WG}qq9FQ0-M-uRG#W(2VdT77R`m?0 z_W1IYQy8=9kW024jvhx}QyJzVt)Fu_DVTY`SHi)(t^;f@L4*a~62A(>2cRW^9n@eq zZJNmneXSE*mEi8#mDcm|y+$b*^^(5swl+-%5x3Nu5fAN+=s__49vT?P1RaTj#}Ic` zMuzP-3umC#0pTBZKIn#gt967ki7B(xSG69Wj}Hy)fB+GsZzZ&>F3{36{Apibjtb2e zEZ~mHKhI`vYyPl3bR96HLGN$5ctpx@n}u2S%4br z?)%)mWDFz`A1PBk*&%=k3>+MYDFkT-%n(}r&bSm3M9!0;d|AB;w6ZD&HrU1yAYITN z0LN7-(E>nP3rkCuq;F6~gAp9WSW(`O2kx^vOA@$-=t2N5pe2AY$J`aNG_{X`+6c}| z2=ZL@?6|m_Gh_rlP>`Gewwxlq_2RV5EGz(I=j~53aA-?cJ&Mv!~DOa@O&B&^NBGImU z2s@t?`J8ORU(h&p0Fw#e4>=hb2igZ;~f0Yk*F^cyr~&rg#2PI zN1_lX7+HbuSb(43zo)7qys)g_WfGzT_nZ_n59mM*4W6J30}eANo{f!jwaVKd$Obb^bv zLgnOKQ3#KCLOL|muy26l(n;;UqJ@352@bQD_EV#sW#R6(i+AnH)trju{0iN7rG|XO zw+sY5uYPzRTo_0&lCYqne%!ANRm%D~F~Z5sL&D3p_qpk#Py=`6l8h2g=R2wUg`&j5 zoXD9o8@HKwq4G@poZ4SoUI*-_`nsR)VcQ(xX16WT(o@ij>X0a*eBJ8cnayw^krBDr ztO1cu6S#W=(b~ks%j*;n9t$qr*drLrz*-Q?2KERY9g4=|ZxD%2i%^i3&>ZgoP2w4l zNJk3bfmW243;CULq-R=y5D`4KR_SnXUIT)?2M*z&f|c_A4nn0=m15RMj{>b36cYTv 
zQWpr8S#fbyK%9n%08A64_sQ!N+6X{Wq0G;vJQ^)VsyHEL1YV(pveMF^?m+T_>+8YC z7Q8Jj0aJ(81Uzg@S}lO7_v8t-;BhatFCNQPF zneRmyT+Sb+Z!+G~vkVxID7cmD>HP$0`-o(uG^Be#!b>W(I>$@#DrlaOiG6|B7dgMz zklJdPI7JyCoh!ix+*;HSnB$NiN4`7(rm#NCX;v}RBF*3&#uKp|$&?Kj3}1Ep|6^+q zr)uZs(EFd@Y+%O$rSr%1^jT?fc2sPv82EpH{ixtE;7y>zc29l8c8n<4=1-56*z>dTv8r=bo#KIC-uA7<$qY=B~_wZb1nRjAA1Al zDw2=_tMvXG1wr#7epZ~uu{1rAR}`8&=tO&+!KEbVyLP{wS}K|Oh=_@i;*61z&c!{L zWJNm$IZl7<-sP52hh9_nqq%~i;a!CUKmmI$^#Kt6q4)?|14upsDG6q%Bo8kxFu<=j zjINP>`Q_#P-@iKqnZE1kG9d&q9QfMx?%D#h4ZJ;j`-jS-B78UK3?NAnmU~RtO0EV2 ztJdrz?^Wm-R>ZEG3JRoLcJuMDe4FIEp7h&&~OFDM9$U8~K)-TtIhOp;u84F?CK(9PP)K{YF=&r@HqO z?dRLuU_9B>q|0_2;#|nI=ONk97u*^^jG@-8mB1K%&0K;H^bx#X=T*B*(aV=EST~Ul zUa|K^Mn=L8Tm_i;5XRsg2ybtFb5nYSGG_?sTMb6mBg4Z%*o_o7kHFxUylAnzhgOL4 zY`r&y>H->6PaRF|pNL)8{zGyyG9S5h#BK5FlbFyc(_3Z<(UHzI_v}0D{-m216mB|1 z*(zy`@?|*ico4PZ(? zRIOQ|B@}p$ixQioud~~A)%JXwdZ0Nq(s{4A@JA&y&CTuXe1ftc)Tl&!o8M)S6E60C z>FIv+&t_8fC>k%ZH>S&3m_f+*dT*?xYIkjsDcwIR?=-$ZV<>z2YA}#S*(aj^_w%o< znJ&w21eBxc{*M)x2SmL72q=%fwjBKJG_|H(NiFCt$w;Vo>O+7X8p?TdH=m`6uK!Jdhb5S<>SL9;K$C|^3V8BEva{f2;K$zWA^Y1JBJ2y7%-_D@f z4daKA0^1vKah{a88;GF1&KNABWfmK?w_GIqyG@+$IUXs|fB8vznB}2o^eZnf>qnYh z#mtn#o$)mt#-3IsP8wHY6YhLWnmbBH>UEDea1VgN$8tV=mpXQG?rN7Ttf{5tWY+*k zb%Zs6(KnTO^igk)gauH`SW=v|8@lv}%9 zXGGd!6Y4|6+H2-+&(r&drA&kt^Yi2%?^EEKv)#@RkxnotxFke3 zDSt5P?`@XI_~Nh#x|UsU2M!;$7vw2jkDdNag$}R|#EP0IZHDpMrr8GIc0Hfl4R`d| z5p@48xjxNJ7S=7>`(FQY)o9+g_t1ks%p}m;p$oo($3Dvgoy5Iq4I77h#M#d;OYWWY z^h(QA8n*ARyux_y&!48tw;wokdG%_@Q+T-F+ix2CcAuczzL(F$vyiwN`NKcWRxz3F z{PATgleXO@0Vlib>F3Qf1e+IopG1RcZx5y`-}?J&jHISb&NdhUmvS11`q-rxH#x93TUo_wtc{SkG$L&(%S9z^fGz2 zPtsH&zsV%O>c45L4O-j|8R7Y%9w8eszM_Ag8(7OTUOR5#-K^MXP#@Y7r$#bcNw%nm)YHi)oE`S}JXeeGzvULO&^z;dMzcyDufk;efnmgv zPIAC`H&jzkdVwdL3O7wANX@-lS?SqBXLrjQU0KJn)?;JRaeH-AD=n+4PkwtiA%s7? 
z=xmrB30jYzxCF>`Pp{=*$}grDDD90!m9a!?EiSGtnSS(&!?Lz{L4<`4CcRa)hmO}i z*W-9Yv6S`!!5S$B0WI~Aiz?>mc)5v-Vm2TkUrmjMCEt-q4%`4Sk}A`6+zJ{C0>)I9z3XC2L*=b;RPO4_)p z*1Evi-P;w?_z6zkew0kvAD*o~Ka)87LNbv!I&l5;KSE{*(7W}Sv(y7Oj5I0vTlwA9 z3^Y^(l|$_{+V_0^cz320MVEX-sf!<2v+pF7qMu!A72Tradw~1M@k=EMr30Ev&IEgN z9S)teuYgIc@*j@LYBI}L<9Nnj7pjj&3*%ZayW>bTfPqpTEJ~&EKpmMeI_*_uCj&weva7ehvAWKn#GB z89m(SegWnYNr3`4`~uv(jPBgo^={3^7@pgxbI^ppf-Wk~`AAWN<2?J-zkd&R$Z@@q zSwsT^NbyhjCmvPM7N8lm%DK%$=v@S7f;f@rmvjX(<#KMt=D|qX5aFyn{uJlWtsJN< z@h_<(&!#f1Z}nCglCOsyJIre^z6|wUR8=vH-e;n1x*3)f{eSrS>!_-}aC;m+C?chF zcSv_P3Ifss(hbr`cdLh%?iP@imhSHEmhSF;7k+;Cj{E)R-NPZUVehkJt!F(o=Zvr@ zbcrqR&dYA}y5-j8=HdCibSD0i z0Ctij3{ledhvSS{QydexubHSQmJ1F}e@I@>ph6g0)@>Huw%6q!ZqFYt?pptpe3)#- zE1zW2UEWHEVTl*8cf$z#`-{qRrpxPxl-Bd7=a5E(K|WHH&TsOiQuonG>@UqIfwwuG zw8RLnQKymep|NPa4Ph)BBsj2odOm_OG~IfrKy&@FA;*R=$nex{(q$J+I z{Y#&&PN7A$($sLXap||ayX&SevY;3HXV{ahU|AUu51G?Wu!lf!_x{cnXyW>j*B_gh zlu5iq^K(T(q23!Xvh4PQ(8KeZ9(*|IF|#DQT&#Q9^)Z~_ILCF5Mi=}}?-jFi7^}jF zg8p*&D;Pl0c(7KP$4@ATI4o~&VF7d_K^~Jx5J1IBaH{Wi5d6|@nD1)T_ab0m{m76- zbqqYlMCWa+pOuj{^LcP35{L@%M-3Q}Z3u2qx9CcK7P~>EggK;pdMFxBqE-cn=;Uo; z1_mpDl}}vYLxKqevPHs?(Y3EpBd{*-xd)V~8jvnq!6OJeqrQ7{r5k5M?x|-5zlA|e zFc3)gz!D~k4(!w;V<5(X>{~M(mgM~cx!d})@JtC92;{F2fNX*akjKNv#Y-XxOMeR! 
zJ9gkv=OatlfC(9j2_ci#yCqxo>3Q79wpJ0rBM5@uyP#Ld*6sykC;W7iu>Dx!S`uL| zAbMFKG~C?W6uz9d2g#IBVkB_=dT9JQ^P5~a!p=7X+G4a9{9@jS=gpp4Kii*|;9-Bw zmOy_1&krDtD1jyrAgH2^k&-|G1WS;TXd;t%P0hK{QFH*LH3A?b(HNq`kL;KD zdc0461-9>UfGPk)B_M#$dXUs_z2!&<6;mD=LZM*i zk>y$2SMo|hH@N5F0M80I&Jle>iQ&PYwxL!UZp>*#j&*tYJw)Omo2z`Y(t~fQd+zh~ z?G9!)H4p4-BS*-Vm}H9Y*XWd&&-{GIa{9&Ye7D;fGeey#na@$LB%J#w23;iet0R!v4$>4)@>3YcP|3Q_uDu7*c0 zggB)EeORkJR@W5(;{+>riC=t@b{q?N|2LTbR$xy_%7T7LZuHZMQHZ_D?p>sDG{u8FFuUp=7wm*Dm`IJXS zRk7k>B(cA9Iy8wAUMQ@O$RLgF9SP8YM&)_;7sZV| zjnsxXu8&+YA^^pj?x(*#Zs_u4LmmWx>oK#&6!;c~6MDe24>bf>e;x*M0&+$ALEYa2 zsU$odmLjmof`CpN#P9%S{|XV&?o91z{&HksI2E4YxE{*h{bIgHK8C_aVYJvLQ~Gyr zO6!SEdcN&q`9aD;=-*M=j9k4_KG@is45vJGQ$ia`900_aL06-V7mMoF{#NO9q{>9m z0gV9~U*w-ZsbEh3%`Ge(02G&ddk$xB!5X3C=OqG#QKfCJ{7dx0=hc2;ee9A>6&26B zw`D|v*e`#YX%tL2_F!2Ni_#H%LnY^x`|=7it+2xu*;o#SWec!v1HJ^uP-0+GTV`yP+4j9t`3kkSEKMsDX_wh~s zAI*S$1jen~eLE}8>+Vlol}B*;Prf>;2M05pL0G3x<8>r-@|`=l-d&IN{|Ux-E_7swres)=|D z7@c4*V0`ck0r-FL?UVML!V#cnk4sLTpLSV_-3Q5NupjWjb098)E=!6>>PAr6BAo;&}P?_!a$mvzmi#Y^;gwUc72;BzAarUTRfXh#u;5yCyKp_ ztIqi{sxMZapH*=AX7b^i8v+v56$}I}_Mi8@k4-oDdr+K8H*vP}Xxb>0ICwv1E!7TfS&kfLuYS&1iioG!=LbepKH`)zzv9-1T{+#gOXw z`CQPd{eCGwP3~qcV6;@7#*1F-ZuMiUqXM%GL3Rj7h54IG#UbMRswG&F1@-8KAju}z z&vdo^G;tl8u=i3DAU&=3JP&J=dD3_YCHWZw&@+LAic#?CPtkctTrRfD-;ByvRnf!X z`h9{gBZExGhaL!?HWssOo@OB3vjO4sr|sYy^y$7{&S|>t2WOmWYgGJO;=wLIG%%s; zl7iFt?>CAvFmF@-4X>wTAkBzQzsW|kce<^@eFMMmIV1ktJB;(>Y*6(7TecvCkf8j3 zM`jET;j7-uRk4e##~rb1qnLf_38W8wDhzGcV#agRbR+_q`_n5 z=>VS)qTZ1+n`rT^=~rJ+U?@X@RPNO4)o0)5Cd~+5ksQ$Tj{G!b4MK26NL)_Rn=Y$b zd!JdMkH*w8=Gmo=c45(TOeI#Jp!Q4ph{N4)pH^t{wlYob-w z(Nu^{SZS+8TXbU`T5}W(lt3H07b%t?#{7{Adx^ zYXVw?B-5o5iv1m?RhFuwKpn&1@V9wKHvSq`+S4>u0SG#oh48nfe{FI)drL;F&{hi( zZ`1#Nj1$+#>pn8g>+-aZDcw{6YdMq=VcH~W2L;ur%i zy`f{gWcI3QmgIDP$%}0LDt_~jR^r#1rpenhGBpe8Cfd_GCGW@TC1WI~DV75}X@6u; zOr)Go`Z2O0g6H)?c8VyoM4}CcAdAI|K|s+0{Xz|DJ1y@kVP1#-8%YzRw4K9Of!Z2e zr+`78t=jUkTR|In9Jo6~l!XXxJm10)88+Df4w}S}*3?u76BCk~>671_ohs3s)zD%^4~Lw-HgZj}_`0_?+Y{uupU&F@?+kooi?h8BMyC 
zTXPxSpPO`4fIMnhp#huq=7-yQc5u1%*V@SS6IsJ`F^yuVtm2Fjx}|X^H=Dj&=0o6y)eBZFIN)& zp+Q{Eus3ofW^59mhR)T?*n0H~EtnAzN!QZJFW`-SrflmZl)03K!5|P^#>H!P{+zbl z_2cd=E@VxD(s6JZt0mo(NNxT9K5~$vH+Ma-+n)hpm*Pj|Tw?6}#>$te#*}qoeMhwn zS-#(om5%ynU5U{*g04~Vyyf4UM+QtP! zm)b-$(#BGD@-+cA)PR!#A<2O!nbtA+?sYKNA<|PGL)zL+cBw8_!bUNwac^$xX_mKi zg|fc~SqkUDS<9w}f9v;?HGus7&hPf`oB#g1e}zu|zdzzS{eN%gLV3eO$D!pvs{?_w zA?>k&$fvpGLPe*~x>yq>}-evX|rR>8@g8;$slG)0S&ka%f?;u$3VcvvlV#wk%;S~$9If}=d9 zzjW%aD(=$-wZ(y0{7Zi59-MmobjJNM1a~}f$J|Ow2nUb9MY!FC;PhpdLP7KiQ{%_? z;Ty#!gt@i9bB{We3&jTn+FAPf^`IP9gDxJ@%{rw>}hAGws+S!hnqCGApW+dsQED0k!#)_asB*+I2RSB|v zWe)}|*t$v#MW8iPJ}rzdA#lQlDoQqjQPij%vPsgYlp+Bg8y^g*O+WR{_Kt!s&u7%7 znO*-abPx#2(*sJpX8zK|4qp!x>^l&?qGfK0i zGF1?glkdgfU%@Rk5X?-@hsUL$5%TtqF^8LNTUyk_xRQ}F^is3Hl11B|l;r4=zC*2& zM*M`xD^G(MO1QmFVp&B3GNVtMUbW8~cF1&UeR)G+9xMHRbzPXZ&02S7?M@Imo?K-5 zNNN8FeU6fvWvKTDNfAb|;WZLOTWAmeOU_m(dhglRFh8e#<#IwK z<9C(`d{7Y)!y3bDFXfb9ME%MwU>Gy!ELGYJctZ?Nmew5pCt5J3!}VC`p=DG7Jf>Hi zRf6~56Y$A7WL4vE>fCQb5;%gl6S{CVbQ-2Vsb`CC}I+``HkR!Y@~gmGkIt?}n=mEBdXv#M}S;&w)DQ2JTZb zZwAjLjd#Rxp)tho`8U!8R#g@cXShelqM{awWJpnw9&`9&lrTLYnify0Zpm%kG#iATB4_c3 z!!MgA+kHb{Rbp;G(&Jts&_7J*xd`g72aCjv9qYK@H^eerP*+|u1w&v;CY58=<5AIg zgA**_MFOZ%U0=Ye#$kb(b1gzGo%*`@sPwjM<5N-P6bnh5J6`CkN98ko;oh{XHZ7+# ziI;Fi=O&A5XvyQhnEz$$AU~UC{!fMirJ3~G@|893i!~fVr<~fdzi!5^`bF(y5-Z!g z%d1OmgB6%!6AMfQg*36wPUaJILD>w#aTx``AQ|u!3DY?^1>#2epeoX?X@t}kG%&8N z>EA0?N1nm4_aR=xQSL#s zV%KHXI^_>;qevs2J$t}fPrJ3RT$zdvPHJicus*5x)u&iv zow@Md<@-*rqWo^XA4U!>%n95>{tyOlRi5~ZJ703YZeu||WZKceZPlyedAeX^SrFm; zY|`fSe4iICFRj({`?Kx&(F#%urglodLM9}>60T{tF{2_{#=ohz02Qnt0Q!1OO|&#bMV=4XM@dba+|O*J-0 zh235`m{8Nr+}ar~ZpovgeG6Z63rh;E_7D>JFfx(u9aLZ5mWz?Kq7(95DyN`9yK}=P z!IxdHds;PN?B|XK30KF+b3AeucIif?4hX=*PNKTJ1 zO$yuNWg7;)l)?MGj<20g*e!dkY4=BQRda1W#6#&{+nrSCs_97QdFVlFjqhr=Vbj+ z%*W*>(*xNe6>{vTt@T${jUq$uaIlxr89pB?kh~Rv^#R21KD{SKwUl z;AT!k3JJvE3)Un!jP5R~adTmRA=@U=VUjA_;C7()VI22sl)b9E=5e8AWA}_h93J%J zS#?i>iBkEP94u6#rq+G?&+OpEBsej0n@rXA1QH47#mP2>>JSk)@9GKctBNXmMEiw$ 
z5AZJmrw@luIS%U>D(8`|jfj!@~uIGFRyFha1wwGv>oF4tFZcQm*EjAt7|A<);tBDiKVQ`Uc+f+rj zSN<<{iuLVZ;JM(XZ(VFWF*8d#X6sxhv)8RMnO3cU^z5Cwk z@~qBRUtWsjW;IvHx1(0VbFr#63k2LCYiM0}vCr^`P|$|H?~DzBBU<{)l9(ZNQpBAs z{1vqoft-bb4tQd`J1Ym<8|#|7$_l#5thNV=>E(U#lI-@y**J^UL8vPyz7!bQ3-ytc zBjzKmc-Tqoz_6&RxanNH$zIHNZidg!r4#9%neg2E&_vKPY&z_^?y~=7hh#_<8X&XASiWMr5dNTj@yK!aWM;To)pq=CgALnpyLUdGuUIc zmBd47!3Z20>e1txM+hZUPfjwNejfFuM~Yv3jKgpB9UAM`S}au^m0wti-|{-JMg zA(o=7m{XPD*H|KC)_lMmN4ex5UHV z$KPpXWqNMS$3@^T*-ELkTJr}+#G*}0bm8|a_QZHSSG6CM{ogmuwd0#6^o#UU1tbrt zE55{2&L>%G4Gx)dK?PeqV2LXc3D&VkGB_3)TSi&F#^{4gNn!p42qU7(u+Co@JDRoW zWKC_++)XP*cKBHe8Xv2> zA1XyQWzH$kIK1b@C*_JGw(asPVq`ols>y42W1Zjl#IjJlP_dhlkPP?Z{5JXP$r=0p zS)|7S>tcTX!))xRbmi4a$K$78UD4wY#ok8`6Z4){jZSK)y(pv568(lx{tkaL_eOe^jT7yk$u1JHA{-- zqOjkp%9;_6fKU#ghHX6F@W)jvIn1I|6nS%wci( zeT>`Di4PCnrg=~C>m!A4qBy*Mz~m0$F=C5PspG8pfA{(po(x%^-?(w$jeGoeD>OB> z@2Da`rY18>ZIG4Wn;{FQi%px2NT%s0=a{k?%C+~+q@2J4fMd^I=1nKbm%&djg0v~v z)TkEQ;P@HAIs}R|Bc{sH;avxnKifzZ0^YMbRL0!7;Ck=kK{~5uR%J+A#MzbM4saYz?#e2EhM2*7< zjQE)3vxf{29$0p6=;-zzzQQUD)pkQ(xA%}~@j4OhrF1F;bn1X~jWFK- zZ0bm630@`%S}57GrYUH`tIWgT5t0tj^=R5A-ev*{v8Z2$-#mRx^IzjG=!c|yin@1j zbF<&mHxH!nf<^%qTSa2u3jfpTkwZ;GG(x5WeD%*z3#rTOdMG7OT4K>9mg2%w2t@IV z<_x_&yo##h*sU;)ufk;w;M0%EU}Z6G#PQRwDGrfV?fqtxU`U}tNypf)U75f~wxNTJ zXfwWy-20q~{AejPisydlL}Gc$bc9{D$P%E42z?>{EVP{}ggCLLtb;YURgFscOK1%X zOZ)peKR&moOoxx*w5=!4DV}-vf;udORr!-+v|Q#$E~j~J2BIIjltkV*U5L2o2xf-< zlGW2)LRdb}*!sbrlHm(UeAPBZ}PC@R#Og^3BTo|h*GplLDs7>vipx3%Kzf&Ot!Rtp968AUZki! 
zOnG|!7A(AI#+%wtjRTqni!(C4VIwGF%G{j{C6~0wZ@kZffB(G*3s;4vj+b z%of{k;sE!*$IWBar8o~x?~}(A@=e+f-qPm*Cc|`R;gmnV7zZjxw98)h*maavAY60Y zUXX!vK^Qytv7Y(xs@xXE9dW_Zap$gcRIqH^WRWiC%K#bBGls3pNG@d zP5C|d^XXOHTYh(bH&f$&V%FoDD+xl!3tf^$E6M5laN1Lm>}fOP;8qg`#I%v&iR8JD zmN`lgy@3DMd|Z9BaMz~0xsnC-kO8|JsnQ~UpVF50a`qV~Tzp(Y#NFKTGI#5A7G?uu z%ye%xE%}te24@E-wGj2qBD0Fn`8 zY45h}ozuR0n#>uKW{pj@e@hjlAHt7###U&<82~meuS{A#M166g+??+qx^n&kz1FuD zuCjnH3G2%{1Ksb8N(RK_mHHqWs^sn%JU= z?B@?^IwMv@Gl`&EF0)0+Rn#jit{m@5>S=a$LqOg2W1 z8(MrN{cG%WZ@qcMB+=BLNd||W>nW&$kqC%9tIcfDpoYKiPJiWR*A&)szbAj zCVI!CL5)VH9St{>x;VXBVR47aCL|m-g2$sCRur~A1_swAk#GC=i90Q5{ULK;CL0}f zTvEuyswh0U4c*bReO^MFrP#88q{cBLo{l${$~52N2rapuQxga0 zWc_)Deb{zgJb;*LIx8QiA++BV*1&s@QfHOLL93yO`DIXRB-LN|n)H4bDMpo(uh4JQ zt6tAgvE33nyxR2erk(R|U)CWhbdqQqcNMMEknH$JQN!p*QX zOCHpfmB;<_`*!P|;HI?uH4W{>h%TX~hg(s+p}k4P+9i@}{$M@E*J-Z#9NK2#pLxT* z%_F^khjp)hY}xkKxm&5A-L>Z;tiIbzWsYk+9UGv~HGUl3Em7wQM4ffpPHG7ANGxA& z&NA_`U9GA2xD#Z|5{18~x8x2+hVW8 znVJHyk;$)Kf&o^0vPVoL+u*g+rqhH4K}G}-=6{W6Rs1{um4ffhO!vC$?0SC1NK^5; zVM35G9}|uzyT-Wqzz^}xKmU$Xxa%Yzt<$NC9uLtAzqUnSA&AvT?j%<$mh*z^vU%2~ zn^LB8Hb;k5BVNP&xJJPmEbb=G;{LOq{WeQXe@t299C5pzDP+Y#9S(!mf`-YeNbkb@ zdgDeXPqUld7KPn^!%rp^PhdGG$={ubh5hSEL_}~x`b~g9YM^^{WBIY0r;y0jZPLpw z7fIFk16`<{WHZIG>W^K}t~uqDg>$YEW~cf?Q|QM4i?>ipwSqCBv=TT`+_a7qG>*oM z3O{k<2O12X<0;zR1W#9N|DpHrSlp_K``(TY`xf`@3gfeI#Qr?EoGAdKV?a<^68!6ZGRjO2)^jX6vH; z31MkbvtEq?V4t0pg^@!pevEq)(ILEtSFW6BcbC}Y#AHTH%M-@@yLY;IEYH#*Rc2vy zbAk5`p&y5==o0-cd1$z3+4&p_zb&kWRKcV<4^@GzsP^-7Y4>;r@i+}Dr{tT51Us@8 zriV+pE^M|0{AX;BlV)Y+R(X#2A#xUO<{&!(9G3X=buMk=r$z{{ z;W8P+g{0we5R*kKQEQ&}rMXgGT90`>F8Ze6(3i*i#8C;HkG3z-a?mmLuzF-Pelm{} zZ^3-SI`>%CU6W?AuV@;h6=`2`bhdJoAP^}{p;4qT>CBmhnZk~o`j=ZgOIb4#RX;zC z&4uzM*{|{Zc&mZXUq4It0zDsdyw$Ep7f$UCP>eCK-;nae`X)GavvPA0$qF_+R@h@D zAc^F_@!j&+!g^p2wLZY$UOn|MY*@c~sG0ch+Q0b5aQ!fK zRT*}ene;MyCtgiP2B^#QZP=$7f6}%;t8TXO|JPLz!j`V`RMFx|Rg`t6ITZY4W~#c} zP@_y4ia&d3gsrU6e?+tUkcoKiIkX-gzpU^YiTBu2z(SfS4v2dJtTzb>Nv0?eQ~t*q 
z&&CSqePCdWV;=xqGyhXQ0K*YBsZMMGEF=*7d*WO=7SG{w2YAhV01yJmT^5$%o*v1i zMIdslt<4xCC3&*g z)zIyMGeM5kG|PoTwwQzxSnE#DQSM1xvrO5E>-eJT4n!-rOM ziW-Xmg{SkuNSb}v9iZ-{4rNi>!`a1htY7MF!` zop)}9-^AUBQ5inH2j;k6lrc+C+o@;d`!jIuD}oufiwKnO_cAt7&Uspoh=ng#ONLG3 zYsTK`7F1WMGKm=;zq{meY-4rEQ?szaTyVzp_Q}*4bP@T$Jl7$Z3n&k<=v6@T79j1a ztFFc+c02CC0q`o&tj&V#zE|4SZeXjSk*F}5o|k7fk|72dP9#DJN4Np@6rlCk7#Q}Z zOAQ-RXZO+pRu<^v3IV}OfWW!|jcoHa) zv~N%M!S0R(*yu3S*~p6o;6jeW8e#nI5@)*Km@O8b=cy*O)G#~U_s;glTS5P+t5hyv zzUaTLi=LLE-DwNKY?pDA;^^d!0H6)Su6+<})Y$&`5cRu@#p{-=-FZ=nL}^Iec*@{Uc6$akY* zsl%he3huU4a-*%;MszIxpiyLj!}byG<0Xlh3Q5*pCA1K{I{=p^@jQ!|$rK>AUT*aT z;Aqec7#JMPE)X3VnK8Bv80D;{s{vNi_*)NnO@NbZ;WQ8QD?W5ngyC}X@$!Zc@yC(| z07=O>KC@AgE|-3zTGn6Z`?XU%=()rxw%Zv7RTxmN2ZG&GgaC6>Au+ZfR(XP{bsO%}RJ`A+Xo;(NqMOug_el4h>td;Wjegzc@b5Sz3V z=}JqXD$mtCl!R9n3s+1@CXFRd4v{l|)rxbSjT`Qkvx0_Rm@Brz4A6gaSU@T&!n8M8gDy4Tj!nLWcFCY+~GNTKAEElUDt zD6CU?RS$$_I^AnV5%yKTJQI^I62jXan9o5aZfteMmR?N14V_TFY&55Qpt`o~jP4gF@G==~07$~OTpSR5e&Xc3~rMnpRto`wL$IJ>nE zK)o1nS^;SAf`v#spuYrjE_)yJ>C(mMG`J}*0c?dLXyRX4v3t04^)!@|do4SLfZ*I$ zV`6Ol#4-h5{Vfn^Z@N9;4{m~ir~xUiNJ^+kYF(1Fv{I>7(JvbF5^L)pt2{{qc24Mg zlI;wUd#*Z^5JjWQOd9J#loT+gB^aICPr(0 zwBODqO?RDVo4b4jAQth%l25>hX|(D6)87XNWdC*&yh{c4!ce>^b zLaPArM!8f!|5V)j;Y0=Lg4rEd%T&!vW~t_tZRr9wFZFZlHvge8&CE1r`;9#JG__EH ziyD1g|IfR(>iDegX6=?6yTJRwJGVYNs#||FXl!P^1N>}nhTQVhM>Z(zOeRsawVPD4 z>NIsHw*n!^Oiy?Pz2_)`XTyLo3Bb5rR@xE1HoF)xiJ2d%a6WK@P3@&SaxUW8Ug-ybAUdBXZ^qXJ%dq^cBTZndPK*3`knckvQ( zr41RCez>Z@$N#_mo4jredex-1twVX2*Bei30-^UK%IYKw!B!>B+)%VpKXR%bZW~2S zi$T*%K7KzI-H4nQUpwQyTk71IzAk??SnaiVo*Y1-SGi&I7uTxCiXVdP@l+|*jp6)= zpJHn$J>{t?q{T(`XC%nI0=t6#z;UtYXR)ecw!Wfn@=Ym!GOtz0buq=pdIs? 
zi0>D8%|ag2fB_2Njc?+6dsFY6e*aG|KyQD4zwpCx7_OgeB1cbKn<1c06r_I7q}zD6 z>`#JUDR8ru*&oZj+8NTu@`H9H{}UZpT+6H$_;hub&?v-N5YSTOoB<~T5PKFOZZ8Fm zY8<(>lm4=$q)y!i*n`NW^DuYDFp!&IuBgQs>+XcOIxM#m)4?5}=5#J7Uv zB$#4oBF<|Ah=p{+GtL9KS2C7-(4k^-ldU}8?0x&m%;n8YP z3TS_<7iuev2k_fGzW~D}JH`3(pk*=5rh(mo*pG3VHJ#T4(KyyB#uSk;)98d3Juf_Ggqs2E2*fpD_HC#5} z!|4&BQ)BzdY2xw~rVRxfUb&Ya&QG+={wO4`5fRzu z9X0^(3}E5}d|g0qnA2ktxL6N&o5HKroCx!PY8lWskWo`_0=^JH8fv&x6G|cs&KTqaDGv4~%=B0`$YVQOjr~--o)6eb0~u(F1r-1< zk~v~lQ9F#bC_eSPhveSiX1<$6c(;|yyF|KhGM^JaMk;e;=M!CsMy9L=&mzrU>823J zHZr5Gz(_4ixuIsGOU8&%q_6%3#+qC;{EsC%x%yP0zgTZINd{}N$>+}i6w%Suwd>pfb7AxM zsOGNKF7v5zWlXo$`^%EQg*(C==n66`YujOgKtyPIImbstp8`3;Hc*q>NJLf~#oNCo@G2^yVa3T$f!9FEB zd+2nh^ZG3%56>0ggSqPxerWl0%)(deaeV?PbDAz@E&3bTZ!Q39aTK+@ToTuQ2=^k( zkK*FuGy&HWpbA?k9RMgHU}0ei1zf^O;oAbK0TIa~U@`wh7qg7(BlsTrLfn_&G0AXp z^aX;7YaToQ)OyVs_+v$mI-9c1zk37pD+CG+-lxvOxFauesv( zF62s{Ce(gS@DU^Zz@wf6hucGw^VBGHM+B01!sCN3vZ`1VZbJs~Ys?QuovIYF0Nr&3L(`v80rJif>n35u&<8VMrlxgfX%Be%$Y2ASgj? zJG<0PE@4}ZD9=F&6xoeP>c*j{vb2pgO$ab}N=r-2&QXw)1Dw==&^qwKya6{z2tEpl z(EI`|n8jdY5Uz*-0q$?L($+usz~~7I?Cw`B8E1$4c$Kgkf6esQ3#nEht2&{}md6KS zhZ=M9kZ0?3z*}Jy36x*X73Yjei}!NrpTfeBa1dO%Kd);#6Vo(lHyN)ZOQ3ui?z5on zKm*NEds|<9(kYtc4gh2n0#`fo@O(wQ2y}A)Pqn$vD+i)CoM)NANi`vo$j_MHZJ{EK z#8>5S$E+NVF~?iMUN%+cW31yiVU zxtLA;>|PL6gpa7=zOU_8iOt~G*UZdisYZFOWY^$-t?>TVUJvtsj)JcnAjUzBRm&k}Rhj~`IJKMQfNk7_GIBF$mp6#})I&{*|{@t?T8SXDo zNk@{--;^Ptz_d9JF|XiSUz-RgEe`nD6dk21A@;H+NQ{=cI97G?)FrvpP=uQL{W9Db zomt{wwMKY?()i@a`U*ob3m3VUgXs`GvUPWFfjK_TV5qR`f!p8!dSI~W!s;oih_>B& z>DY`|7HH;t@zQND32k?WoXx{v@_Z#Y?sOIysCr5y;|?+?n|)CHaaDzLN{tP>(;EB+ zIuY6U=&b9?d_`H1TTsTgX961o0a4Y9`-Ry>*HTW)duEx|s@$nkb&K<}%lq49rUyK_ z)`1UVM%v6h{j`>*=HPX%8njVSe_+(*>hVBvzna{B?xJilxhtwh_J|5vyL{4b`?cOPf)e{hQXiIMraDzYW>Q&ZTKdnQFw54 zEF(v>GLpSpQ}{`7wC z!X4wKh~4@)YGOx13SgfZrZRb~W3Qz>-!-+^?)eLv%viG74yt(?imSAsxDPg-dxzzZ zCz4zw7h2;+dA$kiGkSUL4z4L%w};=G_HshF5E$H=lE*Pjg5oF$>-Ji~xT3Jis zG2U0(LKWf!cpLt!)9Hq)igKSDs`Y83EOLLFU+E9cbZ%TInN4LaKj4R4tkvw|uze<> 
z7N)nw+IATCPuuV7r$t0OI&;8@Qy$OJ?Eyc!nSD>_Ffcy9DKvbRsIfAX+|*)#2K#kt z!3+WA_}=Kz_i7})pA?0pX@wm7p`JM;!<1V!r(h~*l>Jo4gJ~PsCp%xd?xoCM^%px8 z~lwB#wiLWlV3!pv&>>L89iXK3leVs&hf6OoWthxW?d*y11lkU}|; z#`X!b{%$nkeL?4(QpbCYOKeG2;rmqTe60o*sQ&bsB&%PD0F!&`bT_y!EGf>gIcZ)U zJq!TGqvtnQ^=Ec44rYLV0^7s!eF!*{RA!%`YjS7ATbCY&$C^+;eAU2xdLXvBW-~g5 zSEuZF=@utW(;F9Fu$^zLp;8!CUw+xI|qeih!BS$ z78Pf)Eswu0+SRw}@&3S#83iXqTw395GUcTizGw2?kE$Gcku5pHxmXmh#oE=sm6wxI zl(rWu15ukrjH%pK`)%d%lGt5CYaYi7tmP@(oX#F+GhQgpn^O<Rb>X3rs1V>VWjXQJM>V~B! zr%-uqC7wzT9??ilAouPV4*wwZADXj`92L!tZZy@Z-9lusSBGqEO>Tkt&(o-D;U#UMlW zeLK$LZjjVhD15a9IrT~Y1UhfoihhX5GxM77$41M^%_N~6^M$$2j%DKT6Wo<=`sh7P z>P$PGd3e<#xz|8jS(^$|N@9wt*Sd!IT2O+WFB_GR;l{Y+XD+Dak;9snx2}oZ;`?{D zj*ee~FSftkFLWcnc!%okZd@AU3n6=-sZf3jY6kea*K>Akz+#rMtQP9B-v%EJnykmX zysf*p*;nadC@dr*BA5{Phy4{N;2jZIvQo z(NZ^6SYe^{0CWEAQ9B{qx&wWdk4%smLp+hsYP=fxu6>WbUFIP0SitrjmU|lVgYKnL za^JYD-q8=gk4>4H;%gJRa~-fE-SNJ82;-E5|39|g0xHV(`vOHoK?EE^rMtU3bU;9) zq@}w<=?0OM7LgJVq!E$sGU)C`I;25T@E-i%-}=YBvsmj>zhP$Hcb?}w=bXLI-nP<# z-=xG{-_A~1`Pg26U|_CvEaob_t!>Poga}h;$Ez{k+bFfqes9Z3_n?YW)-p!M)%TI4 zYTcJ7naX)zbKI?WvXysH=DeQ0I^3+gRdrB)JgJ>x{f1z6+ckOXQ8ph&M!2TRg8hmm zf2S#Cpt6hIlMm@Ok6ac9PgR|%Z|%Bl^H8a%Y1=s1#K~|3o>4;L!`zx0 zEw?b*$q{|hEw+ep`K?PaT|4+G*6j+_;=J+g3(FXcwQmGWTw9uD85<%=7A~LaOI;6H zR1=P5j_vf4d7@9@X^`}90L&kKaM2>PzH+c3NoHjtq{u0{f9@Fyp#gu$kXQ6to)wK_ z0lK=36e~k1^9a&P>5eYH^v4gAM-P{!=qFUt(k9xJ#IA4CH!~WS5e`W752$ZBdR~#CvfYJI zE2JYbp2YH2t|Hm+@NB~HNVO129ea$E;>{7+Bj$D@ygHa?V|hO2=Qr;--uEfR!i;Kd zbECJLDdCte+f2@X>Mcsu5pLytxrBL zrJ}ueoo6+3E6TALb6b+7&ge!xE-YuDLe4H*7v|eM z!bnPbPUK9C%*$ysEA4y!w>mM&5f>T0dQ)gT>3G85q?@|0u&5xXrmywhN`3uT=8EM0 zXV|$ppC6S)b)&#Wd)IN-p{Z87?6sWMm(`xPe=_Q+cz3f&tTpevRaJhfGgoVNfvO;s znBS5HsqV}Iy1Zc$@uro1XLyu?%?`pPJbQA)^lWi;%bg{gl4kX@Yd&rOrOIG<5t~A} zD(6qC&GduWpJO~%q+a?rA?}xT!zt&P?_tbBpqu)A&c18BRZUs&sWNk5Fib zA4kV8v_quC0&%y?Wz?O+Xvgr%rr#Ic@HRmgani9F>f&;1&!Em4t^Dlg=lJPMmbolf zAX=>nq3fR9>!a4q`q!^yis82~GOVcdt)69@#bYNo*lp>JIhY<#OdTQ|j1o?)y>pIQ 
zPjqV7?7kAIHc${os4+8G^jlVb|87yBR{O+Rq8}x}K2J|9My=oh#w~X-F-PW6C>&eg|F>>3k^C-aP+6lNiW+_e*Wua3oS~dgaY?^acDJdJ+{{$$qe{- zpwY)&7XQ86cU~gZWcW3CHoEw9Pmj8TghNbm+XtRQ;qALWM?qmw<@qjKsHwDe-CeEz z%M)8_!b#3+PO7t=*{Xd8iYm0cW0>} zl#>BHJUA!nAi<$5F+%)_yCU`xM)IcT$#^=%dY&B5MZ$M)HJmRU2Wgc;CWbD^3FV*r z>l{`b7T>wJ99}F-l0S>gs_)X=5q<9Y#NoO@ZS3;mau{=HMwG8dGKe z7avh4*NX2MpP32Gc)rn-3AtcX@!BN!4Tv1mNxkd7ZM{R_<8<;yTY)lAUO{l@56$4O zV$ZzB*(edWPh!r8eSf!w6zpGo;qh}g_q@$Bt8AjxWX>P=uxVFjFmlOz--3;|eKDx# zNryaIw9R4qU$2$sK0i_s{18Ou0Au(Hnvjr|H@y5&Jt1DOkwbm?S$px=-%y2fHsK`J zRxYpFoidVpNA}Y?{>5Fb6;4WNPrPl8qnEG}1Pt^KCIl=(&Z2HMI@5%kbbB5ww;hw! zp0uno;3Bbvx7I714lr44ez~j?{cbhqf*78q;_=0=>9?}8{GH$Q7>D2X5;=|yC^^6_ zr`WEKbzAQcZLKeDH#HdNiopMm)PBCYZLV@C^6dst<>T67lC#PG)=)$2RS!@ell zka)Y&Bl{W8^M(l$zT`n+@^N{|3}siCMOZvK%>H&bW&dgUdGfMaq0N++aIVT12Y&304jm;?w5M-8W?LsC zdW;t?)P7u_wC;ZuqK}UTS~>BULGtu>U0hsT%lj~szndQFS(H>A_dWK?mH2d0o#4_Z z&^{1>w={f^o%}%MhoPS$6QOax=XT?UNNCnznqQoH(MF+=&s!_eLxH2~Wo&nb$H&1a z0!*6Z6%@q8#H`A1sT5@a?*ba#$F6Q}Zo)oa=8k8XSy;d%2qa}h>(`|9Wn^SPG&a3Y zfS=!-I|-z^+FmI5ywrL22$kn{Wh_^A`of2XBz!t7dEVzK(T*Qk9@82tW!WEC1Hu1S9=iCaW{TM0W+wxwKJ

    U zIkgEl<+PuM8`2mGj*t)$jj84Yd()?k?&+EihW9_lt@BRSKfAp1LRi4!*F#=3N#%am z``#=QF^F zN+xV2W!#ipU0rQ$KUGx;g!7e$9AzEPdMR0mwkzYa2!k#lOS~Kv3HQ4fkrQy%)Jcey z`1aV!c!jTw_TKiR)g0m7aW~2a%elE)sW-m_99MdhyEiPbO*lLCL%pIO8A%n3nyx*7 zP3k|815!KDVN)+Xc77HAEotr`6g;Sy>Z_mZgzq04~S^>n6M z?mj}u=?|&wGUoDNOT6m8d6<5RL~b5ddg;Wl0Uw=Bg)?_cTZc@id;z^ITqJ-`L$hnJ z=*>C_dI(>Gn!SPVX*M|7e&Yl z!Xmu^TG-Hx_Ba81!hfJVGZWJ(XxYP8m-O~+mKrlI5?&J&%1M*Ds=@gIyl%zM)@T$6 z(|wMfDJ%DbW*>;^-*)WMH1Jsl|3;s4SMDFrLDOq;Qk%N~^tIb4{JdpHpms=zhpGw?)UP)L^IXJls=cil{sqJD_+qDEI!b1WhvB3k?`R4yC9f=V#2 zO?8`ni1DMfb+*RI0+g=7;>5awm}+TdrPAe>#y;vBo;Sd=YA1+z_39fy4jqL8d(R`D zG2Ch7OJvUaXtGb6>mcrvQD0E;CHciQ6h_NRdjixNnz6>ik9kh zI{q{*ZMKcjWt6kEsH(hNnUO#|y|@AQ+ZXUUc~iXXcnX|_=cIn8%L!mWEcfIIoL{Ga z>Noz`?@Erv0UMU$`hCpwJ`P4kL67|<_%8okT+D%2FKHWxK_keekrEIrZEni*v$L`J zfHs`Gygc{}f6UAThlS(Kvg_*hmF4Br4PM9ab_hO^+74wYmfi30D>b#aDczDxQo{6s41M_DX32tysxm zQ?RTlP!{a{!C}^m|`&coMK}1wj1CMBvoj_Tz z`i+i`c132DmGQu0V`cs1HVCT6$_$m@9Fv!q7tf-(K`X_sS4*4F<;6gjnVH$$(^Fv* zCzlOx0PN2Od}_ef0gfDfeDwxbu)3QqK<(l8*aj6tV@kv>PZr@h5FHsR0|HR@ixU-* zw6Lg0M${Ro-oSe#Ca&%56!YY8Gc#MaMi5Qjy0RWf7jg>jS_UR4v^@x)fS*9x>+)5t z^vH36_r4$l)SPF0_?t(j$c+Bb!>!$-koSa{3 zYtO)H=i-&D#|guuE1D+wLR+u0%KklRlTc%xX>tW5*v-kQtfXXM zRyKF&YM*RL-LwMB3s`l-iq~QuU#SpkdRfz2LC|k7IXF7HqL1|SxODOCjF)^o7LMRC z?|$y)HWmgK-*~=V*HEZhq*X#KDmvY}-H6u(_tU5K%FVGvt9yPr!F+#jZ=I)dOy3LE z0|@)?A0E>F6}0{`u_nd@i(GcO~LB_ zP+$LE`XiX6SXG{!oB;PECo>ZnhZxZRIM&|Y4vDYomsfw#SmWjRu*(aRJl);D|M&q1 zJa!CXUG>>BqNqjq3!J`7_W~$knPCL1@zj+0UU+U%R!AV?Bo&=A%}TT)BO?W)Y?}6F z)n&`AUPu2FRLmXf2;(<1Gc%2i&B~&6bdZrjC)$vb3w>YI$w~lDx;T89$an>m))Mji z_ZOcF3Y(D1g6&O%Kyp&jZ^cx~z_ZO3_}(V9-A1VB<0dQ?#Z49+Ykc^Rc6SNQZNa5U zI6v;1v6JJ53Ey%FVhV`TkUCD*0d$bac?dI`HY_tK9;RtNbUWzL>du#e3Otj#mlIx^U6bi69QLm<*;;c3cE~XFN4c!kTzA_oLrXm zUYXV>qh4&vMIbf}H`b%RL`fUFs*xZ(%R{m0+*v!Aaxio1vs8Z#WpYjJyTC?`-M!ag zt-Wbedh992`FsKDv{V}+o=3!GoHo9FMWwQ@H>T9Jyz~W0AbI$Rqr}Vv+RV#su(HBOH^LSILxfAH{hiI#1nD@h12Nm z{Z-IGR&`>*cX}e(hT7cj&%}d5m_~PpXYue4r+$}aTHVKCZy`6lO8P7dTO@Mc$Lm`| 
zUTlU~+bsK2Uy`9Rw`37M?($q~44CZLBenyhQy`y%tu!!Whi$t%I@UKgX(jL>P0Iyi z-_=zcxzX6$Ifp`8o}A!Mzv7~=Pad^sdVvdxPqqrvz3>hr8dGlMkP5@z{KCSUq$EgO zJ`h1yFTBH==FWX}2S})4WEob4R3&>h;u?=Z@(Fjqcg` zLE8kPyNvyy`Bi`FFSm~(iio26bNT4qvX~Hd7Cl12h9lT$(o22g{Ai)p>(-=?SoEJe zSz%!v;FAONHAl!8z@L@0jfI&R%9iPw8Su_VAi>-j!aC%0@4A*D0s%Ly0n)Rq$8qFm zxC;;^Ik9-SxFEv-iyLeV49f84n(FEpFR&DYyH>2

    _n4cdRjG2dl-fPreZ2Pv8h; zhcz)UPy%Npyfqw%lU8JQu)T#8wmbZU=|J*PqQT^=#kQ1aL_~cp_neNfIy2{jH6f3Zt!&RV-WM$&+2^# z{!Wc6xjL8Nb6UYpm>dW3Gg* z5pwJK)zxFL-m(^$Ej0^2N`T;$`x1nEU*BZ`pX+t!TE*Wnp`oF$Kw!~3*60eSeol2Y zD$%-fdjaX#oUbeiT{G~TQq;I%QlvP!O-8eY8b#U_1#>SlgiCso`JQ;q>w`NHa6}p! z8pzsSkVm_13^ReB?g}^fvSwLT8vnpd#To#bbg_p*hBDCM8=cn&p){k96Nr$>ZKC zs*nOtzVR&oYm_T}xZTczxR5FRtBwsz8>V*ohZsWD?vuj5yVtw=8OO z)&4?#{UNQ9jL1~tqIk#LlmuGSUm8mX$0Sy|OH5?@H-?{K76x?ZFOGJF{w&)+u43F; zsdyHyiL;!7g2gm$j3#|}HBZjT4O&kJr`LH6OSEXzGp@JoU5-wGRD%z@m@K&&)VWQ0 z&UtDDu=l`5ZS3n;RI1_W>GvrqQ>%_)uO4QroO>DIH!IH3L66N}M$=b^DQaFH^}ZxJ zYU}$CA1KAs9jtCG^RzKOu3DSi$;Cxh#Jj<^>xeW960#B~E}A)WL)TOaRDNM^ZfzV9 z`N|1-csiQn85omQXLIysL@#wK7iSA@+~DCmr`2~KQ^xRh^o>f#F{qN%JU4#cA6ceb zn!UPpN%^me@zY<3h@Wjft=Q1d{tI`81U;d)fE!2Y0ln0)^+?Uf^V?}Ul`zkp?I%r3NPC;~ z{)_9cIjh5$!B}w4bY!Un_D2M<@ZMNqwIdVtMt$u#816VkMYW$d00Fn{Ct8wH>8jTH z4!|Cq=D287_rgKZ`3dMk2P&JH(S>|_*63Z6v51P|e_l^mmGYksNOK}S;nl-(jj{RF z-Q}zlZLPZVliO2Mn58OaDjgFva}6iGenj0~(cT*com^N4hqo7Y(X8WNQ-*?K5ltD@ zXMNvy{6~E8ZiUPfCCzY=<5CJ-d(_Zb9=qblD8d>ZaOdbgJMkwo9S%WvaT)~^A$ z@kI*1O^b%=BWQzkqY%m5PS=oYDBfG8fDMfg7ma=C&Jon9KnYhQ- z*ym_Pmg%3FEr#`Q#2qMe$Ki9No;@7OP@@(v-Jwa9)eyU=4~q0T+Y+phdt|{`xp{J5 z$uJm!nc8r&yIMD?vvb!it}6@HHBBJ>jlj>7C#XsO&y^1D-wL`^wTOKdy;RMD_Ry4; zF6LHL#MB-J)omLQ83B$UUDxw73XF_XmeJr~4kU(9jfa!_pWAJXee$o<&&P=|gFIK- zeC&E6CrcDk8^--MSi`DGsJ`=ak9K$x5;-A|f!akeU29lcY`<_(RY4`x$$N{jSmtn= ze=2EOKzN|*=Gd$aTeU-R-H4A@(a9^a2|;!U=B)bl(D}rQ1kG-EWPF4q8yBIMq&1@6 z)N8^NJu5TNl9iPOQvfkB2v92F>@;W9l{S||Aob&N6ScLf_(#UnKmI|eNMe^ML+^@Ebktocv*Xdy-Lvl)&p&=kJ zydj0eS%5_-jZx!%8asgqM7-*FPayak7E%WXi8b?GM_dthTX9Wq-m-$n) zf8W%1zZVf$W%J6+Z_LTaLGp-ZWmL+s$597<{_9J>?#b(cQB(Oro*9BAA6J#Fjs5T~ zrRkX22P$uqPm5hld-`Z?Xv?WrGqbJK&j7BfTyj-N&wV#({ zU+i4<&d9Z$%@%sj4u3@PoXdwwNlU}@0O5uLKzQTQ#}~51FRHJ$LN=Dd^)2g<+(~Fu z-;GIZ9I|*42{6?m(a2JnFgQh}!8vYBi>yfw#7OPXEjy)4m6d1xgg}~d2gzmI>rJi^aR{YTA9P`t;#J2x<&I zq~&};E^m+QiiRr&6~0rUmq*-@M%ss5N;09Bp$wcq_R!y&-7rCW8QQNJdqn!H4EH>E z=nhN=5IWsVtI8|8PtvIm+s8?rsHb$>Zkq?23|z(M!3cv$7!8H|sd{$Mz0qS|lx1!! 
zNd-C&hdBeU#xNnI?D)Xs#B3(f_ooJWpVgQVNN-gh_MO?orOv^C4yxlzVYl!=1#J^{ zMuLK|B_^LE4$iVqh0MjQY|6|_YQ(9mpETa2=UaUUE2>=hOplT;C2ua)&XFqS-JZeD zbjuGG6|gYAe(m`5dS%y4N&MH+wn8I41~Okc=K6#7Z|4y`9Wx|XEyh6yJ=h!g$*QXs zIh29A_1@_9gNCTd%HP(ZjERu3DCEBLj@FfBIT#1nxeua&BwcLKBo3th{+Isfp$#WC zzUG(@5nqo+^U@osR$sX*;%pZ;K-k9&l0$q?qG+P(3LRCC*AqMv6H@%%Gd1_MHO;{| z7*XpvzcdqI8$da!lcGd^g3MOKq9>pGz!|8lX>lI5)5O@($IQ_iezyK=@^xME%@vJG z_`%4K=u6LIWuv8$xcD~PQ0J!G@LXlcwzK;bn0NblNowF>B4i+azPpx3Qv_KvRW{Q1 zbd2KIXZNgV{K@sU*5wrUvl}#lZx%8kPhq*cU%ApcB(WJU_nk2KhElq~?!4i`z#>NM z{~;qtqXip{|Fou$=3veyZR5&|yV5!a2wv*ZXJV(9`wiwvIu3skUKYoflO!+P58lbN zzLywKR(-MS_m^5mKBn&7rwLh{QmtywZ%GtKa^Ghd?)ZkOGMe@gV8*}4;o+=$dKucd=;~HF#c)`O)A=J5T03A&w9( z=tem+3kmM|pP9-91R$*A59qA5g3$d3u2Ni5bFF|zTX5F+HChxLg(^Cp*(NYud*)@~ z#e&3WW4dNEe_K6|XK3rpi_ZNPG!+tl52*=+u)klxTYl1qA`*h2VH#T2r)KElVZMXuR{j|#^)v>O`xKGKJDAKp%z zomQS=!y|s-4$EG+3QPY|RrC*P%0|I5cT!CSS-2emzgq{TBsIp@&fYx-2j349`%`<8 z7*xFmBaabC9Cq@l*|RSd`5A>}ksbWpW#t(vF6kdw^&5=#Hn4rtzRpghit3IJbefVR z=}a7n*Gr(P9>6`En3x@$9hCaW!)CXI?#G&F2>lW&zqHoNRKci4UgG#JzRZCi-m`*c3Cyg==trKfr2Z zv)x3u^j{=ksiTTME{3JPK1KmK)cqoT39}Utvy|H}+aHW;pWqdaRABog&-N+U^EIx} zdj`&-x6U`BS;gq3+Kuil8kgS)3MfmI7mjS@0*$Uj3{`Uk_%R0ss4@yhNv`W&eG;rO zK&!8BR+N?Dhe^rPM;xI3d}?8BrEu@^1JXpdLgql;`ALvG@J` zmp%2YB(wYh^)~&E+#~V zxhmcmJKy`2%p!0y}u7Zm|#)(>}3 zdBWW;-9q1=8n0M*!n#g9~hlfi#AFOtGS!tV7&GLW$hI?KDFpghIa2aVypAH zf&bNvYVhQ;7YP3vs_)U>|8h-FL7@i!*kzHS3hY`2C(QP`Ap#yyK5CI?zw1KXCbC0&Baurg{*HGFrp_qk!sE`nL zO%6SrIQKctZu%R&w9+sPXu0H8A=|go1Dsr?;o2@^Tmhj=d(5rawa)JapU+&#pLjS& zUHj&a0TW*EAu1vxdzvnPbMU7q*dHDrr%U)0cv{r!E%FezheYip>X3K4(3x1x$M&V`ue)M zsp;wI(NT@Qoy+-W(3#fJArS_vj(!?Q>~?phj~a3Pxo%wAT}N^LZ`7bKuzh_f_xA1E z>3)|U@E=JjftX)o#ZR&aVI0Tiili0(d)8}*ix8{Fp?+gy1IAH!`T3#SSy5F5-9_-b z0bC>2%VDnZ;@cewMgmOn^ttJ2TMLUSlQtZ%1PWBv)0=_b-Sp%nGXi7D@f60h{&X;; zi$cR4=1oU$(ev;)!HhL`QbgNgMR|F3P0ht3#owO?rypIoU|CXA{%>k4@Llgn9uPol zpxOZqAM3O@`A>+L@Zb7Abu-?s+Nzp9(jcd6D2G`&IXNFb_!0aMea^HUWKv`4s7X?qG+H4UJm z424hN)ktv+GUH_K@1=!_iK?b%6~9$D{H_K0B8#D-IimR 
z$Q{*jSpUm?6@YGlWlONMlV9jOL@dD|6*c{>dDAx2{<7lj? z?;G%i|9B%y3*Rp^pWZrAL#}f>2%F@+WMrPRPx@_?4-B!Oa&w;pKrCKoN*_xH2MYOT z{jdz+$`kZGA5$V?)HTz=tlIDLARQ?aB2LXKGl z1#*-Kg1dL25!2b)dXvi3#H0-Dq$NYn@>EIg-_KQMgmF=1@As0*%Bav#!50fsFmxSu zYd8(Ol#fO-x_1a*YvSPFg^m&h}N%M%FtQVz=n zW$MrxKaGtS@@~9ll3@M;KT_I+JE^s`l@uqWYgvVnAQAT_3Lzd)RwP6EIbfg^5qR_t zQoFh87m^3d0FXF8zziD#rFm`WzY~p+ufv9@U!T7ZP|Z_gPVF@;)v`uL z&I_jYD(Anot^l!K2 z3@XRB;Byt%wG5=>28)Ok#S%R1e6<3V{5NrN6#|}KUccVjlhNQ%h?A0#fE$*gfq?-u zzfn*;uU!>`+&z*mAX{j`Ic&`rwdhQ&m!X_D!W=+3Yz;~EPeFSr$=zo3h!;x|=5Rkh z4iIA9jO#GvBn0-)#v*+3UA$^SVYCLIhJe#_Z&%mQ^thMD)q^VVyYU|QUCGe`(e7L=c-k&FdEKRT_@=>ZK83yqpH}A(WIQ0`&Y^N7 z=SDHnPzs2aqiYL`p^+-@y86reV_f$;gHf!!*N>gmXC?a$CZl0LKbk0&1;{X zO`BHH)%`TFy|Lj5!@dB;^dM^hkOZ&c>gq2Owpia_>e-?@@!>W=%D;H<1O%#}`b|zI z?)j4pu`^7Ho1cO7krX_dyWJp-2BHdvkm|wZtrR#rmau6vRrnUI)S2%lVN+qC;s%1g zL%tfR@WP&ZFwQ-H^lDA~RgNWZB0_MI=`UgMUPbW&9tb=OKA(`Tu{?CeA@s}va1SUn z=ym{hq?oOuqpdwSG=z_bXKQN`AD{?;Ai)x#(|mNI`d(WVz)QGH|PLhKXD}{qNC~158Wrj%XUt z`6)rW+y|5~mR^D&0f3G>aK#};<4YZJ2JZ7g0<-QPj~$+}C!F_+?2tlq?h%-yJw7`H zG2%*4*o2;(TFX80Z#!s!DvHwXm)#CRQavYSKo9=INB^1*OmxgYcU~E*uB-DqThE2F9WU(r_wQ2YO7#yY#{p$l z$*1M%T9PL%jUo*BCgl64Iw!lV>;S?w1#p38W_nf+p0U2WoC9|k|HgGLs;?%`1G*U| zoIV|b{}$F0r#9Kfe%5uFs}%O9V3aB%2+3s`fr2%2-86!-`4cxtw8i!~>uN z?rYg5AX6ANIPs^5HKQoOG3|A$=A%qB?9ay2m6WBq3;1lM^|F4c&uetq6GRSouS#s% z|CLE`O0Q)-+NP6w{vMV+BSss;iFWYM*no#d(4kukZ))y@Y8lP6QvFFpcZm|+61-EallMbvx!N>s^@2d69Hp3%#wLZ=O2yPP>#Du= zium){*%|N*VrBmk%^ny)>&M^MknmNDVM*lR{*%Qx9snGI5`hMR}Ow>X@GPo+vd7jxwf&a3G(;j~xsEQ!6DZZbmNkme8mL z%@KC)mAdbT`@r*RG2FjF&r7UF9|y7!Abzn2FHaoVYFskW+Nwru_Z^>lwSYU>Y-VcO zBFeT3vVq`llarqHeP`ED{9gi92BiUXt>r$JyfC@>Dqp1#qlcRpB|`Gp{N+3p;sw#d zE&t>EKg8W3Md1{Nt)Zu-b@Jz+Pe)6OQ1~9asG;)z4~Xo~b^9A9bG%%JGUZ)V`kOtk z>me7>fhh3s;Y$F$oGJ08;4h#H0rEh=rNbfv0=K-@|G zqu$Qk0*s3GE73b3C%{Hd`(f+@i(GBPC*2XaOF9k>bn$X-o8tgT8C4Ua7iMJ4!;m&e z9RytsEUn#P#el>V1!Z?_AFoxpz~Kgz1v9g3x$MF9$_ns*5~!-IymyuGl8}&897A4Z zYG$?!cvqS}EnZk@Ss7%A~vI;2=;iz1I4vXlOnj9l1gV2TYTs 
z#6-$KAhrOfhy^dq9YU*DT~g9S6q(58)>emoG=+rk`XC*g(Ag@$ec9UFgvRCxWZ{&7 zrrZ-RucJeL0bf5IUYJV$^cSOV0XJ^9Uk4c-pm>M`A`-eFWrpLH_xq1JC1qtqdLJ;g zAm0SD=-ZOxmo;@sYOS2-FV)TA%Ur{MNwaY6_K>?%>No-YjgMkq=uj3(Md^vLVHzEv zWJOt7tp-oN8agVf76^n;&kg0|=L4GPt6lwk9*}=dEEYDl8DL~V`3KAhV45p4A~Sa3 zk5?5`Z0u8Y^^w02bRWscK$|a(GSs2*RGJdueKcVqPp`^IusvDvYj^$|qy^+iMhS_( zkbN7}I#Pxjg z`cIF(38<|5wzCQ+6;PyrhDw7w3|epHL_FqKJPi$x@aX6}ckYaRe$hMs+;wa6N`A%h z%2TtbXltfUZ0sR@oY?77929~WROsmF5I-F;u^u9d8_zbLa5P9o(LoLY6aL@^y;K8| zQh90{z`yGl=>$@5n|T=@S!-KcALJJAYhD=<)+D^2fp|-EFC6H94|9ibkx*R15%$q{ z83@9$AKP&MQ;oOD`N8nJ>C;%RR z;de0~0eKVZxBT^YJ?5Gk8gFbmDFY#8;;jQ})uCT1T+-9r|G_KvLy;z>D2&Brm6W+g z{-L4*ls1xIeN0VHugWkX3b;pPF!9$LLC?NARCgw(Wfp;v+(L&+?x(3Jg|D-pZ^V&WhMg@=BtO6oWv@d%+h- zT0C&P1(v}xiya6mb+xsi2B>;vkNZShd(yD>Dn0D(_Fj(HnT)glfoqc^{+eLYKp`=1c#dlP>eKEX`?_IwVNI|FY1{Si>+5-Rr z?!OF;QB@N4J&iXyy8h26^``4*{`vFLaA^OcaAv?YC?#=U$y%|p%6n{l_gnv6?M zVB6Bs(Vf-uzS4kVPFa}}FAVG7`F30W%JtLG(82~EvyNFnkd-&{>w6EB=1^cT_JY?k zuu5jU#(;AH(FuApVp!iG@z?j>dlV~M4oscZG_P$)jwn9#F{$QsCvq*qmnh`ANf`b^ zyUx|l(C{b7hq!J}pMJf~arJ+JrY+`kc1Yq--?DlDB<&%fRgaI$lGj08ikEW%z6~5# z2(*^PJz!uE;Nb-zj5!H`dfQnAJYdMxX##;X1S)MOkg!8*NFou{&+&41PG@IV^ft(GW>?Psy9iK01KNvS1 ziRGU#sM4p4jfd!$_1TjyG4uSDJy|pNIZFy{h$2lv=O@1p73y2L?EHMDniKXUpZ@&M zlMIlmkBk7rOpYHAC~z^3mW=IMHVqnvd4kHUtR*-phd06H7)EN;nAIr}Yr}SQGO7LR z&OOy{_GEL^?hiv&0z|z}2UP;(y>fwQ)JUaAlTM%dq&G z`vH5zXRgnOqD|V++V zLx(9Cr)3xFhV!i|V5h?}FVrXmW;C4UvvpZ4knwOKqi^As@`ugJz5RD_{sU$ImFJ){ z63EHQVmxDZsqgwvuXyZ}lI?>WX$dixeGp*s#rKd$XO&mTp|?I9(-I)8bcF;GNn9d({O$4W6> zFkgEB3=0B+@2dyc>Z|G&O!5JghgE{~C_kwT@u?r@|KG6~_~6aY>k0l|QYOsYh)xDl zFg%`$=ev$duJT`2|E^7w{r(fiQmXWqyI~XhKtjy<$)fVk3u_bv@_*Dz?`OT@-n>y!RfYZl+%R&a693YyG6HF# z7AhCS6i*--a;up}A#T6M;OSrCZ_?7&{y$JR?5XjZ$w2dGtNaO6s|08GOTQ9y zbOl9hCuLnMpIZq{FeMRz&w@max0#p4YP;)YdT|r6x3x3{_r9aw#RWCe^7otU;Mdo% z(ji^TkVIJ=^sz!974k;jiPA>~{N)o}n(fD>zniOK1l7yUoH+ca`D)2*rjDl5BWIwI z0PE+vh)#;~xOz>CQ3h_j5H*?b_+;aGr-XD?Ay;NjBRN&MjDvmVL=d z-A4(hNFn6YgsWP3dKJ=E7&{Sh+dlmLdt`_Sqez>|8d;3E4k8@o7PYg^OhW8 
zL>x%8ucTT{6s4kX{a-8?K1hU(OJpP&lIp9ny^)clb+Q(jkFGeaZ4qkoN|dV9a$+!Uz`9CMh#JpAoa z-f-Mr+fc?s&y`VMD_5i;GBE)P;daajOH|p8?nDVEa~D0m%^ngvGP2Qo_o91r3~gK- z;&}nTcPv#c<4&2H6qJ^xy1d4d6Nu#^WtkvL;6#(Lwyk$FReZv0aN26f#dGamcroqw z__qm#Bi0sPA&=(EI)qq@wzk5UIxN`#Mj>hmNLYUEiR$Xo*LYze;`8dxHzL1x%+5|~ zvete0@TtIYWPxsyfsMIN2h_9lG(!-=essiChvR=vd716}1qSDi>8kR+lxG^RPkUeq zr`kSys+yXVAYfM7WPUF~in#%gLZD+tvd+6>UX=mH4QrQKaMA?%vz}n0BoemIQ*C&i zA}Zvv)$-MXaWGLh8G&hi;5nU*l>HxNvf`Nt1XTaM&jp_=i$0Rw>d!@Qpvh`4GPn9ux zAH|;t@`o>*TFlK(cx?W82J0sY(ZSAm^5>^-4RU^YBY1KAN1>m7Bl&rBk>Bm36#1La zVaL8ZsvJ)dsGpgJI(&pAOh84oak^qkjS~8l=@gK9gL&n5Z{PQ*t;Rv9TWF4z99Sep327Eovdx%TK8lzu$ITnl8>6U&_lrwzs#rm{KKa zXCv~cY3ohD_!(KnOO|75PMbsft8Vx<;dqM&g`wr2_?GJ*4FT5&9{q^H-{c!+!-2_^ z7~CY8YK&^yRaz+iCGya%<|w}%PAHt0@e*22(8CE7sBGZu;Rt;nakjXwdLx_8q3HzA z!;LMj>zGvh1pX;*T5QwKc7vFtNy4{#=*RD(`;{am6Bro_rKNwpFVxd#Dl4n}Uaa{C z-LQPy|sl{EkYA!xz$B{#bmhF|4NK zcuYyMDdZhP8Oq_-U}0wzhOoA_JN;QG=H)9`ecW(IR8Kd0=bU~c`U!(y-SgeJz7t(` zr0i#9EFR{;f*(&b*!1@&(RZ**gWKUtIX`biJ2~NAI~19Cw!|JU7oV0w^K(yynNg zdn_g-ybB+<>ui&sp6elNZ2eJ{U9u3jH@jQgsGVcb0>m%A9t~DqsVf%SOYz2c<}2|P ze1NJ%9u4O7n9jbG9~G@|?CXu z=y$Jgk~n|A(mb7+`8s(6yO5lr47^-#tCsyP)PQc0`Q4@C)0~?WBa$&J1i}u1x--($ z@i@Ca8AF!vzUwtYOIr$xPcyWrCu+CzaWcN-ZL%jFceHn5V`B_^BZb}n5F)>ix+q~w zm~-BHFYa>&P~%lK>r83*p6XItT^eqrnp_a_AHc%_J;r}p(vUw~j4db!<5*iB3IgXJ zZ*eOC)->mr{SD?C70Ytn0HVSm%HOiE*7prphcL>=GZtf;1^ zdH;7C-4@#u^F9|hSN0-C8H}JabjzL6vdYn6MkZ#KM;Lnb#P|u$IztcW6JmYd9C)79 z%e@NQpprFHNflUF_(@2NIBDML8veJAN(QA zS0}>C87jIVZ7ruFeWt@^{zP&rY@uPDi}YZ`tIdPw&_~=g5>|HY?L=s47eP)cWpTPr^mfiq_cpNpYX} zGO<(IGkhyE`+*6%?(V+0zkDVdQxLY2Gw>(dX>Syc>1EP0?_YRUS1U6eUp#ena(4Yv zL1wOY=cP@z(C(a)mxJHWW4dt%?nt@1xYVtMpNYxwHI4&#Sl^Hr*Hufo`DH#Ubaku{ zlEjq-PKt=!Nf(}if*~1|+OMHezzWt& z!SL06@b0IT;{7Jc`$|gMXjJ}7P~Wb||C^=oC`j%EN_2eRDN-~xH%8(VpZFbZi+s*6 z^g%hPnYa~5g$UjhdxU6VTXai}EwMADBy_wq&G3?5pigX7$mznud2-HjI8VmI z18@q)zI(p!-X^$BCRrHvm+(A9n5oC_3lYy$lesC;-t#-U^gIpb!>@1Hp<`%hE*lz? 
z!H8E^@06h&t5F*r)=G|iCo$J-b*Yyvq0h_AUGwoRg_X6vhS-YY?-MVhGA;7nUM8YD zVtRThIyx8i_3h1{XKK{7{?MKpot(Z$aHx1Dc9>?j9v=ps5etVT^7b2f&Kxr75V47N>wu#t10odO6VwS_kpg!dMzsv zlSq45OHwMK<2S!!#m^(}8kj{vX@8a+$mscsvg7+Pp!nYhW**k;&%N_JLTyZ?@)go~rR(Wib@ z3+r32jIOF}J-JiJ+-T1DyyGzT51cz?Wp^Nh>RdghX1*@wgZ1sT-0Ni-l9Ut*Q?U(Z zBr}NE@QYpQx2y9+KY8+b_H}8=mn9-X>OkF1GUpoM`=4dh)HKg8%Jj|aSI3J;Bvk&) zZRQUlkS!cNbGs|ag>qNs=vF$jIJ% zWF@jGk&%q7LbfC$Gkau}%m`6QMujp{W@gX(y#Duf-}m!+9e?p@*OQZzX>}Bi7H?+lPpGY__u29}c}8t= zbm(Muw|PH!e%(RHgZqJ$ja%Hx3tqvfD1THkVV<)*$)hlwO(=Ij1 zqXxGpbzq)QmN>j{g zpyqibmvv9xXx^9$MAHqI88dEHs7w8J3HJZB7MMTk2GGts`~E zMc-MHMUd#8kTH~XcDQo=TFCe%V-nr|lDqz95K-CNik$W2^GYyPs z+PkG?E?f*C&j<-WE*o(}O!q-qZ=S#tL2?BsF3H=wxOaAbmf=$%D@^q)Gjxy@%FNHK zb!&*w`FVziLR!Hh;P*SHp~Fu2Wm>USi|ZsCnOzSeL_H`%TUH_>jLw}asua+V{@(At z5as79ajd3tb@hGcfdIxX6_v@di&_I8M|YkT#CBWYy!o|Kwc+9aT>)6rAaU280(iw3zHJm+FB{hk1nR)Na+Qtq}(fcPv-QG6K zc#zni_rCtt^*!+?;;>n0jfuzH^{VYO|m^b-0lH;K8>Y9o{eq zdtXWm%OPogs1RnOTe&u?3Cr{7yLVDI)mG#Fzm%gJ<3fLF9x`ea-867H03BHaxEV1bGZ;KraZen?mqWzA^)S@?CDf zY0x7Ro_C-fRev^||eoYGAw>@;<+$@;ThO3C0p42>R@7w0lpdorsdfKfy zW~O$iIY+fSh1Wgcan;tr_0+$c$N(9wee0cPzz|txeEzMRy|a*G$9gR}&f)OY`loZ4Xv*}}t5-0kw({7K-j#ZS)CVjF3(GSQgnWGE&z^xhLqhl< zvK^kwSX)~o@%#GqS+G>kGBaf;WVN)kpj~lyC-7y!df~G^s+$0g6C~a+G*Il+w{G2P zKvsU9L*dX%FP0-$z;ZM;HbTvSB$&Cmx!CM5gdzw+l?OW>840rfXYn(TypKtzpFVlE zgdJr#w2#RR#&H-PgL(;a1=dG)wzkz)9Y@xwLL(y~T&XNAJ+Objv!|!-WX0stItV9t zA$R*Xb#~fgv;biD)K#R|gBynF7Pu;aOuS>u)(1?7;o06s4!mZzvic>CbvN{NIh{%o z<9`uD0A*{(-=q6ZnaPMnJ#P(a&kPQ@b2xIZo-(O3sRly%rc9Z?x3Ins^kaujEHTOgq!G(E;`^m}dXAKn*mUFqDy!W&pxP}Hldt4KdV zqPc|oOe|8|lfGje2kUQFA;GDv%+_hj ze#~9a($!rUu317*3RW2(Ev|`1*Pn-wi%9bi$^fi2gnxEUu)ulT@bQ60^d$mMpcYb1 z7q5p(2J7naPZsPkA(R``2S!7<)C^;m? 
z9I;G^E_-J@CfZ{l48vHIT(6%DWCDJ$;X=@M$#2KUrSdgA#rOjoC#MB)CDAAF+I^R& z)cugQH@=Fqo{5)tG1;j>zsBW^Ff83%b9nt@7)tnt_2$&#;*qvL82%*4&wuaU zJ@4DMAC+B(F5o4?YFd=Z6ASbkeeZz716kCr&vPVn0_V{v*%BvdlW?@w+>$(l8f4N$;S@ZcwGCI-Ta@M@1yLAT*PI z{k{UvKw?r-ZFRNn^}|cJ&2+whQizfL_;@k0er=U3I3lL@DxBhqyqk9^EXqD(6ow^) zC5Q%^+z+{!Pyg6h`mi4!`FSvb*kwi)_HjNzP((n2*Z6PeHue)A{rqr^E8;_#8=syI zq9tp^`i_r}gGKF#hf@uQU<>W;-Mc4lAFWrrq}X!}VmMIcprT{gWTjpO8bL7YokvsZ`W`L)=%zDaY_MV}F3&e$(2@DgLIr z`v&R(=qcWIc5YxKQ-=eoG$v?mLaBfn0*A4^gG20ERCxI9zrVlXK->`Mu;kd- za=(8&APF#?WTbJxsx}XbQ=bMt`WyIZBT@TnpSA{(uA5dKxZVkVWv@_m^}M*3bU%{G zFxuKkO)Z+Us`S2ye}V${>w8DK2c+~wVs?5yW$%D$XJ|Pk%QtTEB z1!?0XmzN!I1m;y=v9``u zV<$U!@a%a%$3O{m+19Smr^gCx7+2VTfEWltTJTDrk3of+n7G(#2+c7mllLz<@g3YB zhZ%%=M@O3llwmx>!a(c`%ue*?S4r^cxTVU`WkDd4)Bo}mjhkY`e#%9aYayTXKtkb* zlxcaX{M-n`xwB`l+u4z zTB<@J5TpjSZS63d>cF@XjQtbfQqSrZfpve~)bthmCrQNJKB|QLIPL30U4Mfw&(5+P z;v$f}Pt3VRbQm}vDNdJ8aY2uXU!bI@2!{AEX1*j{r96H-|5nBBuRnjXnaUH%WkYk3 zwQ(Nei4!>&quXoS@ozYhb?AdGDLM{4OiwQ!kg|(V_G{_43&JBM>iVPW_CmcU3><`0 zZb4veVGOBBe`oTGN4>_$OKl)*fzA}0hwwh}On#X8kgt7--wr`r6J<9&JbpE>CF(&3 zpw?M4F*#YH#|0`fMj?noV<@Mts3>yln9Eg_sPik>oCq1@derf2tnuF@Sm)ob_Th$~ zD7FitZF8O7WW2e8{#dfPQm9x&=ob}D*2_(4A|n2df}Yz0YQ1aDtjY<$@tS5{fBZy5 zMvqZBG~q3ar>Ll?u(b%Bx1A02F#Go1|F^T&7^W#ey!+L+=KI*bZILHtCnl`y?ADPR zz)|$Ky{qd%WTcM#rBnU5DRo1`m(XHC3FP=r91k65TwZw+D;O%c$H3Yvis3u~F`PZ92Qd^mH+AxcPA$v9CCAq^=iG!%;u-TfPa(r1Xuc;z3Iu#hoh zT8IngO+kBu8!kFJ8gK>FO;C@KHA5|wkHH#H_!9z+;L+#fb3>*O2?>dPSWf2MyF^q} zkKpBiey1x%_>sf%(h|~aAlI$&Trkns{|sRWDgyVGHD)m4D0x88;VOqQ!h*IEWdnXA z;V0L+=c77hW)ASt;G)S-E=x{Gfazf$#1Efen9Ja-#46zI7jzmmGBI(qwap!T)HZ$t z`4(Wa@%%#w#b%m+?QJ}y`z}{7JZo)jtr0OJ1jhnSY_MU7)l&3bJ!xvs{rEP>XVfjG zjlK}yTw-FvZQKQ#c8FfU>yEj-5%0J_=Z;yE$4bOuBHBdy+3SzSExHRGj4!p?|Bo_q zu=du9J*Ld$Y3Iv*ttu!ie&IH_Z92RB*Z5EK5&g!)U*fQITbNF=c#p-z!~{x@5B>eK zd5uv~J)u-=m5w7DkXpo?gJuvz7gGgp(63ucN;ZK8u0<%F3qMWZE4?bm6T#;2|A&iw zpGLY|a8MAU%Fg4ZE~eUo*TZpAjeH~*KL*}u3gp@9>9P9}v>1?8EJFo{s|nxncXN|4 zDhg`n>z|6wh{6t&D(u?Y*_pRVB);`q=G?hL99r90KdZN>`3S=Xoefi9Y;>+c)xL(C 
z@ZmWO$V0gh=)+1#&0G2VXB?k1j^O)pnT7gg!E%}NV~y#ThPIV%SXj8=0z=iIypvp7 zSt;)G_r->y5VMth z9<*BuDUG6IgvPS$K0Wz%Zuv=5Pp#Z?EJ*~zp7|Zs5C@6#VejHOE9Z<`PFnW;b6qVq zep%_ey#WQPN&-&?9+%S6_fXBW%6$;4gzW($eKK-#9N?nAJ}}29;Iz2R9D|^(ut%>q zXrnkGDV388*5Y)>Sy=w-xiTv%sP|AS>3)WV2ue~ku((MPNt2hZ#7>Q(9-^) zqE0f@)Xbcg#NQKXKX(rP|8#PMzqs29tJ^gjo3oCV`$Exa z!Rzbm)SYHE>tci7cS&B2*dJr9e%<~?eBengQMi&Q$(ku=N^&{8a1?WpnvT0#k~i3$Y!e-LP^Lgy@;X%=?QOf zAXF!U$M^6Zo(s~X7ZfQYF7Qb0BAWO*dUQ$=R|uRZNEq|cg$|k4dH{A*wh%juwNp@& z{P_C4a`Wqc6@rfDbYx&!oFu1}W+GOJEE=x2Rf{hpQs1R6_zI{OD60C?hGqpFIDzFM z4dz*w*pw#JKX>lktvbfDTj9)i58s2~ncZfkd?&(hedE=4l_^wUf1+V0vO%IOFwBc+ zkr<2Zgrj&c$=IEooFMTzM^YlUIL|AA zVt$VQ)$4c9qhzkUVK%>gTs~PTt8bH|)>m^!NMgafRBLhB7vN=fd?oiN6~_y9>g9;= zG>-dnIre$W4ES{3c@f+}-gX3k;nc8Dn&H?!0>u!hq~d)=r*pgHkqv!f(shyepRp3} zdK7DlZJNqF*WQ2paO~jTGxvnA-K!y%s@}Z%!OhLg_RDv1-F_w_9+ztaKQZZA@aELG z5UK`3yrp&b`wt)Hb9xCIVnt*8qkOG$QB_R--cPc3a)^k?$ewFGOip|A@%t^+iIY>7t%RNS%@h*p0s;381$L zsg5X>pnYL{XM7Kj?X{fN{a?P!jnpq))JU4SPDjS-RGwA;vdYKqilLI`tIYBr!6HVi z<1^D=gl1 z(f(spt*jH9YGSOzb>x81&~TqXkpgX1!fODpt_W@lx}lk~rHDtY1B(W8K~aOYsW1+84#)1s%!%rth> zQ%PS$A}YOaohq%#5D?`b1uR}tbM*6TC&w=3+UwI_?X9ofrwD6Ym#}m_%Nb{2kZ|@$ zd09n`z`K*mksdBa1@L=^x9L@EAKKN+VnO?1?DdoCjgSlGuZd9|CY;>ebo0aLsPE3! 
zI@HYYBiZ3@-5^H=`{ZB6l3~*9tcC@1L>HGsiWqWh!k5a}`I73Bk9qU``KT=tXlMTO zfw|uL_*QJftR>stDSBGEs7ias0;WC(JyA1UgeKbGqYPz z&b-JOc2Lvebel?Qq0_TVCHYy;Pcl8TF?%*pB-&})MeNtYHmaxFuVtDq+8LdnqsnS@ zB(o?)cDL(sc^dir%2KYglj4n89UZQhq!l=0Dh2pME=#YI@+Ov7JeOKjJ=j>2QD2ex z$|Bj|v*MYDc@LjH2%ERQy9k-x#UJS94QY3IydwQky_lWZD(@7_QYI0z^-|HlkoYW@(;KOXb=mLU zU;N4x)KxHNQIvL$qy40fwfQ)2_Lj5njmytV?vd-u1Tlszvh9`2{((;;`gED_P}IYP z54zg4hI(sWMPY60Dl7clCRAPXDHPH=hl=o*aT4#UoL9}RJ0CoiwSUOq&Yl3bWpYIL zRz|KdzdLs67SE_@&67QeWoD&=V&cxb+r-%R(kALhOVC(l9~fF6&)$nihB1iigwd(i zF^-NN-imT2)uGcOkNC|$zO`Cydp|17y{NJNXzSS44I&<53Sy?X&SxRby(OnTi%yYn zP`b!my3k1dn6G!5uRWB^9gDffskx^x+bxNLj)aViOfKqV1O-A&kzE#cA8A&}$;YL0 zA*(7ck8K-IOmHjZG=jGN)-ov*%K~i4_&T?M#AVndM8#Sd3FR>$0PTDoc&Bl6`95jO z@G_L4`#XA&lr#j*K0y(ELcs~>#831#Ql#~W#!iadyL@;zWkbd*8l(Q-PfRy?4?!@f zc91hp&KfDmwD+DCW`0sLTv?__jij)*%RNoSOh)s?&sRZr+>BO$e@eTB=7#Yd7w%xr zpLv|Om9zRLm9*MZNF(GPU&%tQdi*^uf{f{>(tG>MHx`7H``j3lg2sc?ShDT))ux*r1+OQiy{HHJ-D~?>o0!ZV zr71k&@}$OaQ=s$=yN~{;T?X5i{oJ{gKY#SAZ<@DJ$};!Cn@cIZcnBB_!LT9A%p{8b zB6@raKqUJ9Ju6+eo|l&Lii+O;&F0wD^uMw4%T7>w`(dIz<`vr8+5+=4>m}SKdv;~2 z?R0Q3x*oruwD@p%`5Bvc6xoArvIp`@U0k)FYiQd3;9p? 
z4(Dz>SS;`Z`?d1lx+{zy!ad0-wkUrl4`&Mfp&@ z0X5?*H0+e+OGh6uh6TO$c&_!dFh6H7H!JhLI{S^n`hr?{nzOr_mAyIwQ{wZE3N#q- zX|r8CECDA2J9XdmL-WUnq%30e*eOa9$bx|TlT>{Fj>5^_(sCSw8PA@Pg%g=VTH`t2 znKP63TKRZ*NDmyS1qkK0Pn2Tx)@)(b=q;sw^}D0&oSb2R)%Wl3fDh~NVW%56w$T~5 zxw*lY0#nS>%>VdA3JMU$4AJ$`QwfhAxgx+3T{qIixb#ckynQDKBAEGkPR`nUrSlzz=nh$9 z6cFN_34C+4Is9PoF@9Frll;_kw{LPaSxAS-L~p#?-4rd8)psX*pTL0DN1fOKZEdYf z9A?ht^{o4%H6=tkl^;CkK3n<1we*E+#zooyft}2W+nj0PjHCy$mYf)Q6RDZrSh+5f z#hndgS2-+2df~Hy)vbG(g@F_}@l*~N1>s36PztFHsFnP2EmrRI&#tvv$=&y!w$_&r z^->d>35xJD30m3HdK>9vZD)>fL{bq;HRaLqv_p?ykDd)>EQl3UAXcY=KrAoIl4j-P zR8>`-UHvy#)&o7?R@+sH5x^-_$ByZumfiWi%ZpP`&=VjZumEJy-wzGlpWcIVET_*F zs}>Oz1>_v@W%a;)5w}o<7McLQsspOr#KQrfXH=9bfC}I)Kq=7Z@8^CzJ2Qii1x=kJ zW)1K%X_%Po;PauOriP&ubcCF&ECHhjZw4OX;XZgDDCy}%KxoD&xNR&?BN<>6X3PFb z>o92jz2O-Hq=ZSjIN<;Xa_PM=Lq82QJOQCaLIV!8E30*Akid1oA~vx<2G2Y!NA}=4 z7W<0Obprv|-dsDJK4XNjh8O-1bbsjjpF-IrSaRqS1n70q@}*N+O#=`>LJdBmP;Vm91rc!5?`@MOEU+9 z=urF4@Qws+G0|k13^i)qHO3&~d7s^FpACk3D$~7Udf0X~YOlN_B4Z-b0D6|(huG+wQN&8^?fha1;_97k9wpeeMkewh3$E-t?B5CdaXI6UUJfvk$0K<)q_`%eP{ zK%?Q%+J}ix3IrPN&gQDHhzQAEvHBB)C0_d314GV3?Muj^cb)3Z_?2Ua{utI~TL4g} z{I)K5AD<(@mN2X#r#1eZ;g8wb<42EXB~V~40o*KIJw0qnSpa6j8AEDZ)8m`3+uHuc zn+Gi<;rVMAdvRs$AX)GpbOKG1N_Fm+*=^Hl%7ctLc*AU7_kE-+7c+j6AA6e7^V=ES zf@lN!S#62O{-K}8=kBk3h$Csuwob9kUhdkH^IJ47qx%y5UR^7V zbk)WmuaJ37svb}-oNIs2#=@}RxP2&2v0sq)d43T^c}3@^udzpeFb6&8;-Zx10+q;O zdpmyIb|HF!;s9~aRklak@#5JR<$mQI;F%-uIO}+nqIorueBYs4I@`RFH8sNNJvJqJ z+q_BHpbV&w9W&I|U;q2J9fr_bbmHl%G|Jkk3M{p*Ki@sQ9F8Lr?GStmAE@}Jvi|P& zxt^eQFH+_Mn3U;-1y!BBFb@;3QTSd75PwLwHK;U1@C$NrIlyyHNWbl{LM0aGlr}#( zSpi%SR-T6Oc629%;k7lcY=k?tZ`zIbTdChaUvKFNgohw$k(3Dp66$5|>6Cxl3x3_* zJ?Ea7)VjeOBjz#@0+VYal3>=KeZ__#_!F0>`|;Zjl93Hp-Y`^Gj{!euX!r#W8yJyI zoD{~5zNtv0yL?$#NT~hOfDej6+F<;-3VAU%Ei0kzT;OjS)+35d_#$#GYgjev8w8cvx;azCb)U5M$`~Td4)+XV~UQ}*S&3Y7BR=Bz0LOsZk)r7BU1M>h)QS1n{_;*^#ZFTunc4w2v-liy!}XiCE@|Oik$A_ zqxeTPrC!od*Kh6_9ZLJ3V#;!)B|<|d8~S;VSQ;d283@VP@ZgHJ&KmBy8gY8IFv(!( 
z;bm<~>DtT(KH1$JSC!foYgFTZ^6-}3TuthoR%5tvqVewI#futg6V~GId=(w%4r>z))ozUAo31FeD?d1sUT`n9Y&;=Hkcx-QbuIN_3`O!I8db+?%keq&-|Q;R z#Jpb~9&t@&Bz+)V;^9)|;-0O zeg}TCs6gjMjuU|_Y^-pNN1YHA;N+aaDS(`u1PtwnkN=424FHbo!L5To$3>HE2V5Lg z(vSIhcpwwvrX09x7U)fMOsZ5Q<_HoCvi6NTtW5UPe z4clxsj7k*PDfcHboTHzwQDqgA84oQx7A^YD?NVM)OW)$}; zL(L>8F%hYukPrb+`&AxTQ{xSJgEDI-r%_(aBY6>KS9bgW#l&!s1vKH;psRSvD9jKE zcJoar)ywA>kI>RqgHwXSYii2YB+us;H{|{O zjTjZMHv}@plQKZ+8bk4^Uk{~`+t7{NhL*lxGwk7oSp(9n^0y*hSzSmlE}FG270!!_ zQfFUGI-O@(Dm*gbq|Y$cpys!|_N1JfRew~=0rlxj-;T$Yo=S5bSQzibbtL9`9 zlmcLh8@E@JEh@eOK8C&ngb`=Onr4S}Pud+weO|wo_C7(8sJy!1he2>%iQt0dNV~Bl zP{kpch9XqfN{pH&oFAtkzPYorbMHZ#_O=o@Xc^YQS>;?!-9VXy{~DV8-Sj)NH7JDp z(d>;0`&aYkrdd+g65?LnA3>Zsp7DC}3!?ucI?HoAX|1bhd__gYxWNaJU51!WvtEFZ zoDE(x^i@!<(404Mxb{KfjKjX*$N%}t&Lr9nEI3E-?w>=iirN?{5`Zbee_&g!{~eE_ zl!kR41j-r|94Lq(t}!$;#AB<28hG0F(n%-OyGZ+rS733f`xBgzVGhQK5INv1lmZ61 z{JgW{Xq_-7m4GltwpM6WmFJBc^9WI}u&~HhPL%d|QC{xm?2P#qoghOIJl@_480QW& zgI2Xc4v3di&%2M4fDpQmy$=#&?Tj=}S1vM<|I1#DA*JPU$4!P)Pm}H40|-ff2i8?p z+ICBxpQfX~K0U?3FYxgbYg@U^wHP>(7#TyE(-LqQ6S0tmEr zg9m`gF$&A+j{p$77R7wt#De^R4kWu_Fw(PSa`L=Zy5{{Z7^m!IDwRU6|gt;-CqLJg&_Bro=&*cK7U6>2CNIez3L)UwQWEu zVS^Cp_Oc%F(}oWsA~3<{n2UtNdlXE__?WCY9Hb^GNfh{s(Z+pca?XqxnpGe&kG?UN zBovJ+W|5@}uhZV+Jo-^-?-?=@au;T^kj2E&E9wtxlah`rRZ2)n>>ErG^#CzAT^ z)vjd0Vz5A#n_%&+yAom$>yOX@1fiGb26bEeLD@){I{}s$TC9c!=sq~5+nbt*m?l7n z@cn?cCm=BJzr4;p96oEig6`dWexxonbp-ej#=zhqaC3J@s)TL%&xUfxK}2f=lZTzd z8G^HHueRtTo?9PVTM6`9J&$(bUV>q%Ky<;{G6o zn>TMlC-LIBAcSR1)CbTp0$ypPS~W(XgNsWk+Q-HRB(*kqQRmWS1^aWRN-0x=L$iqQ zXT(=b5c|)p2a)MMFHO7r}l|O=I7G_%I@gMwDNg{f7aX z2|?Tlwko5?5Qz-+|Hb}rx-A@Gk)?>FvIv!Bq&#&03ti7?(x-(gP3C2`e7k2tfvOiS zow2KUTItDjt|sz=wVyd+P%jZ&5IH>0A{_NFI*~iO%Qz!)~EDob}-jEhp9SnTsg&t1)-AYFL%tb;`Irl4m!p1^}|UDVqux1CiA|; z!kTzUn@O%dnX#^`-K#D5edUG%JJTT9n{kWQT58QZU6PyA@}ulG=3ahEIHtkwC#UpR zx;j^qhK2^3K0MpNSIo;kL&|65$TmApM0*uAza33Q_D5^sDgFEf>TS}|-BJtDV;x8T z?H`y=Up{leXel8{`iCs_zx_nC`w#7#d(z~$_~fEf{R&RT`mAYo6FqCXhV#;3z?7Vy 
zx!K9RqKF7HlGl{DlW144x!mKMA$TY3^!&EOy%nG8B23i8NQR6G2|l7byOgYnro;#k zN|W=}bfc8CmE>36&;5m^Sv+kOW0&3rnyIeM1gDS^oel~dJ$PqndNDNv6Ya9HTHd{j z?66u@G9#+XeW0<`W2w?~nIdVyaZ8QM@XnJv0b(ojbYx5F)MPTjMh>4ee#BpV zJw#I-zX!1-2;1Lk3OZ}gWAshvYPO6OFI{-#Hz9wDtK5@B_JqlB*T+tgG6h*BMP5s2 zdXe)lM~x>V2nlBJU9wXHEVg^DYSrRCGBU61%awn9ev$m3%+%PyL>iJ8SLnPVIohIC z<}Zy=($K_1!FBx;_aNy6iR6k-=G0XFuY@|Ex4E2GX`e^>oG19Mi3{Ot} zi!T#6NhMIV)*P1-b4V^TcbTs9$?CQP(F0l9*AxHd4g&aUUpw;Gg)}%T#}%*nxpHT} z^_0t#BP_J6Nncv{eJ(^O%8*K3B_?`e)o_C-N@ig>`oA6So|DwH(>Hf-duh9!mI-V8 zx^^g(`i`gi@`l#N`~7ZYGMOtJPMiJz7V@eWnC`66zm?U^I;>WCOJEO)8H>>W@O`dF z%uz(1e_+Ha^R-%wH7=xufmObra#ycYF73mRmJt6bS~;`9CKg$vWo2PL5$%d(J4Ad+WSzpW?GOp)ZeUigk_M3pTeM)w|V6wdJ8>`e~wcI)R2te1J%; z*!fab!{OZs+PD?SNJ<#)qaZ8I6nkh_GoHlI77IAnUa^zjRvcj)0oOMI>dtM_{0?_8 z&*44t+9J*JqahFD<8`#O_>fbAZ~>LJ_gUp^?=3ygjJTQg#hi;uGG>~ciPB|fY7jeL zN_)BFBC^1Dj=u4_L%(NdU>7YD9*4ebF7;5%SF_H*gG(<(LCj1_$BiLn%q65W!T#Tf zAAhrm36aZGx8viK{twni6kJ8#_rEKRV8I~DGZ5QgFj+^3T`#L_(wERv#bGZSDK;&3 zxz?Syv39L5b?(=XJ6nP}Tk}U~YJyuVv^-Y=cM&y*(o-=zX3iZZanK$6OJqw?V=sr{ zMsF;t@AEVvw8qlH!r{gZNLKhxyyXd^s+MJr@6em5<&pJIN+P;z^Yyfo?EV7>lF)yG zNd}aqVL@r~VR&S0VzZ1+GsTuPc4uC;xJ__Y`2W{gkvGj=8$>nb<#4!P=Flj0R9UvcarIp4a^aBA%(81s&r-#S z*?Rri|1^Aglgor+5d&=sO&d+7kt!vDWYzok?*|6TT)y0bh@Vgj49BU!c&j#N zz|XpRdbWtLKx{0T)|}XB(f~5U(EIn>Q2TEPdEp+z#g6D$0-Pp(Xm9WVaAUp4RXr15 zIRkvsRU!&zaM@(xoskEpkI0Ez+M^C#@EB1CpJwDe)7wA9uL{jd97g6?l*$~fWwEQpv2G4W(CI7 zA_H+xlk+g@@e)*dB?uNp)sUNOEBSq%92GhuZ#XM&3T?l5>kniCFWv0jp54O#AKqx{ zjQ3U9et)9gp0s!V^payXa@0$+zJJKg)kVhMQ7vEf?BLq1j=`a|TbDI?$aH!G-?^;| zYU=33r>35xK7f1^9+#}g?OM}1Bg#IjRX1%&-;O3oXFZAVCnJ;5ea~`YZR*A`O82dt z{gnO*U&FNyWNJ&cTLn6nzQBMyPztwh0XXhI`UMw%c|`?Emx*%_kbo?Q#tz}&VPe1| zE|8U#mSSHYZ)(zRnRNM3l85NKs!|*o8-*6vw8ZE~tp#qHo%?K8{2H00N!5AW#t#A0iN z3Zf>zNK00lg@jm;RM58rAcv9{ldzDsrSTkyqucvuSD<&ds)7P@(I0<-)xpvbBR`I$ECzF9AOh0FapPR)Sn6>PKjpr2e?%n!YBXfA;@l zh3MsCXWSi3M@Fe-q|EllEkKHmU2As^1=KS3I|7amj0%e( zG@|KAki*Ul05eCz5bkNTVgZaGAda0n^$&rbz}*;wpmJV@R2fM}0|Q!U(y)p_YI1U| 
zc;xBGg74kC3>Ft$jkNS@1W#sWtyt)9B2Ef8H%{|2nE#6;BbJAl&IP;&YWjqf-I^vQ zzOV!!J`eO3eFQ<-hzLVSGtmz6GJ#JahfbfD>B#ZpZzo-#8pC1keF>6Cec*}s{fIB^ z=wHztlnng8iZJp~_!rQJ^**OgJ7lQ(IJ2-DL$CPgBaqdhs~{vrJy6a|%SBIaeQY<6 z4@2VmiM=1?{onnc8Z=dBct9vcZRh2OPp=)kIaT}9izpIy;r~Dm6pJCMb97g6l@?5-uX}nHfNQ`G08fdPrG~~soc#zB#rEo;@$_6n zOAArj!!z?hrIVAA@F}801j#cu=YV&M@mdr?IC=p}CLYVp&;Qcs_YZ8NfWx39!KVX% z%Fe_iRS@iu!2uG1juRL*@}i{P2@-Uvx0a_`!jB=~b9A~)Nm-c>UGA-h#o0$#a`NK> zP>IBJq=G<^lb1iQ_d=5OQR*e{hte4iL*=19gaOnLh=R^)w^ES@U<2X=m>!BYjpxhA zL;;}&^1b){`(@o1-}ODelazHlk*T{_BhB*l`p?})gWe+_ zGTz_;9~=}C69e2H3+V2{hrN5!jAUH=} zGAk7`B=68(;?=`WsPQ~jE;H`&V+7;h_VQvRV2bUjx11S}hXXlyPmk*8qpsJO%af2& zizsIJ5@5o*dGm$ON(4+;=wWfn?%lmBx%(GwnI4z;?bU+!WzlT11bsXq(Ez^>k5FDg zfh_6dj~{rA=S&-n(vWTU%4C85o`G-o0s2x6|F4c`qi{Ku(^30AQDbmSj&JA;!S=2oY)lzI~&lhnv4v8ghYB>a>}UtrgJ?{QxImwb5W0@OK6R5l+V7g1 zPct!n!-a%3K#_@t7dmddP3&1LC{8v&2opx3PzN9Z*wl0kTyUadmX5A&TT2T^M0WL- z4$G04=lfa?;d}6ZHSR9^irJ2iPc;!v)b9~0i*QxFWi9a*nU#!N#{{NK_gVWiKV4a& z+85tN#8W+?JAU6Wd{QE^EW3f~_ncU5Zt!2#fwIgroq;tQanX%xnt$`HWtqQz43N8; z%^#gowI7Q4bh#&1Ci8IM-Y-NCtk45vf4uaV57>NaX7+b5H`e`$dY^7FPumx*fK{sx;4R}n5OT>Y>kGCewkSAn&|@x*j$ zYHp5;`T(Xm){4ALOEZBU0{6lPv462$i#S7Y)^r|6E;n}adAZ{+UP$S-{u$m7Cnd~b zA+jB$@l4n=Ch<&YIj8={R9s`q(YLOlelUUuH$;~XlDp0rWDO!|$uHi3Eltj>Eo0b(Y;&;HrX zz8l@~SLBs9ZvKs*ot$+4_WB+M2!r&d`8yR>T)cqG6N3{Az<&QKc^WkQOyKNU$c#H? z=it>t)iaLJLd1>u!~$X>m3H0;R$x(7QJMcSfbD`!gLp$6bc?Of=SP2#+_*6E^~Vnn z_&PC3xyYzSLwpVqh0b+?XP=R9IXuy^R}Puttr?XoqA{X6xe zgNN6gQ=rIS)s!X5wf`(@Anjj1{{7gI;9lKuy+^6-4y4W;mp2Tp9&?zTW3BXPz0;B(59pv4Z=O`IjSzB>l z_rE5=R^YVTF+RM$WJ9+1CL>IVDn*xYLpNLu#2k~qJ8^|2+ zpn!BCHhDQSJ~h>D#*?6&4H0%-A8rZ2RX077Xkup8Q<* zq=BM#Lo(z9nZnW!mC`PGNl8iAigXWSx8O_N;m_~inEe+(ktFQO8u+RjmIZu>?LqHw zvV-P!YB}ewH4y&d6(cbaCZap}9Ur<;x-@BdvA6;8=&q7aC_Ri%T3sWvLhrdcXeS_;? 
zjQ6Au`bzPAN%asZdK=1OWpS;f=f$~~mDb%!SHGZZ_gEM$9OU%_Aq~Yw$ zh+=$7mNV?BIa;nbl>P82!LH{cp58VdqiX>h!vEoaaU;C>t(93WxBRY)ww$IsuPyZ^@6&RpaU zL6ne{5o^Ntp_ybRT4O2XvSn>V>B3t^^#9?%Y_6CS_ieYF*;^#`sy8M%c@wl4JuNNf zS-4e_bJKRh&4eWN(DpwI{xHN4|l z$Btlao!jPWz>5NZNm6x=7sV7_oE59;neDVkm`}^9sr90Q-Z#HY@$lrnO`(wW4!ewk za88P&5pPUO9y-c>oi@9z`=b2obq7DqA>YeKadU_tWS9G|7GP+|-sg5qhZTf27z=W~ ze)-{lnxwQe#A_Y>Sy#vIexF?AGNZ-FeDS&J>~B(ytJfG1GB1HM%GT)T`2sR|SC5LA ze>?FKmg~>Vt2HPeC}UeAVRar<%D}WbQu`6vixtSu%7W$h>`B;}@|0N(>%2-VPS<4K zhUo{NXjIuLOokvFc3E;Tv)~bhXyM_*rwJ4==F5@dc!N>~-8?F7M30ufCk1Rl7|pEZ zHS^?@Pdc4?SMg?xV9;f{C!Q@QBvPH-HHv0I%Sp!IA^L935E!3xbfxWR!Th(U!S7aw z=hNbtCi8U@47jT4gqhJ(`b$P9B(T$jqv4J+*Tcn)SbltGvZ2JB?(Sfm;_x}H6w3Op zlwC?3Gen!qX^VpPeS7|JqK5)+k*BAIi zIHNp=%+aplG_7}=eyAZm0U`jItR_j}!&`HpdLV2=D+i0}>;)zaP0G_7HjFHYNlQuL za^e8kbM`FSaLfaa6T}))5@(bf=`hC-!oy+r!V$%J>2|N~XO%eNbK1NqlIQF09wXw> zn?pBRIkGqDySdazMeK@FkkCu%;QaWb8R~sP$7g z26^=MF>GgVO^RD#Geg5Xg{QoIx?y5D8fs?T#>FWA2M1}HWUZBBk1%hpEu81(Cd^G9 zu6c2S3pX+k@gSY%YLUf=56kvBjbZMYZ%^fu?^QOuUaZX4V5H-H-8;Sf2_rl3ETi#Y zAq{97e`WpcbPBywD}T6w=Jhf~!~6kErD$SAN^k>S30iRI@7#xWHNVg`@y;qL;uaS- z8TDFUycWP1J98IQ8PpXIaO2?Pgc}@2%KFGKW!HALP+58Tm(|t8`}Umt!?gL{z=;eTECdt5DYU(K|(Ldrp zu{EXA_znjCY?$uNZI6`qcE2>gNue`E5*bBqB_qcTTm=*?9Hs5SL=eOgO`Sqf@w7fYxpda$mH(UxtQYg67sQm1TVdaj9ymh_=bh z(Kf=Yo#ED2Yh0t-%dd%^czA28UfthW8%&EQ z?%6afrPz>={P6j~;qH#;cYw*5f%5SV-R^xC3}~-%ld(}s)6?_2^Kz0uB)xEq?kQ=A zBoXbERL)dIrTl1}g8nc*p)-;!9gKWwCbl|cvaS97a9ZsL4~?m9>(`6xSCP(4+vECY zZ4J+!1UA0u&f>AKr?AE@EiRt)+j91Q;+Odn8ro8>w`UlMrQj!>!M79?6+ws6_X!~S z{Ahi$;m#f=Ej2Y12991&A+K`rCly={G~71v;Sgf@^epK;% zKDe!a=gPjz7H^-1IP&M8ca1aW)+l)9pF!uw^YXl4;>q^bzp8`X9IwQ@6^&YgdOy|^ zWwHRtLZ=6+64*lJukd@s#ETw5WXFiEPtRq&yj4+Oprd@9*dXO8g%mIGRkP|3rk=E~ zm;aqQbe4qqh5RX^OC0(`@!UISWn|4)zwh{oD3zE+#pr){UZ2cSG&>epRPHbAD|5|g zbu3g`b-kT90qPsVtN}>T)?q(!`dr#lZ3gVrZ)^P2MPA-`SdJkk4(bKtU(gt5o&W(W zl2Fd^@Ti&oBg{TSM8ooXB~MX;<^D#UQr+nPvZ=y0^rMRoHJD@QN1Wz9D<5>xuh#9A zg&b;Uy~huufgS-mZ@$fn^x+BPV#<2o-Y(Nm_CW(5rdUvh{ 
z)<@RqHvOmu)nkoknC~a|HOD4WE{)W@@(}vT!!^sjp!C*}pXbN$WK3c#sld+@!h2h^ zS)-!f{Yt*auk3!dS#*k{Eqi^1jnQJ)4}R%C#Qxt%SJI0rlDpY?FHD$k8+j1RyNO{$ z9V&IO3dIqErI$$yjcOJl?GksJ>V0@di7<(ag2JqNS{d*oie`)^Km|v>5clxm;+L@< znksg?Gz9L$-|OP)N=REVd$rq9>=Vw7(3bDGroMl-Ko|P^_syceQGQ#Qidk^r!?RsX zAV|r%vdVkmB-(qif zmN(_QeTj)4Flk=u;-rcZ+ON5%=|#lOnD}uM{ar*{W?w!z)O{g!h$r)J59#3gn5cfw z$}^jCpz=b+jjijJCmEV`T4I zI=?}xj?%1~+s$aUVu#sH3Ho$q2}8tOo@VAKYjz zv?i!zfcuWuE(P!q!7FR0o-e)`nb*5=BwU!@<25Rea)gf->|k&8o+7-1^ZUQ$`E zN6r`iS=}O8Fq6$K{ub`2G!Ry}@b7Qbsnx?K!4yM&69LYH7Y2B}>I0qa^QvZAu33{e zk>AXoIN~}sZhV82ldZ(qL!Zq`}nl zt;g_?9g@~hxgJ#9RoBCNmxD`s?sxXdRAEyypPSvC!gZ(jX`H8fymz1XVr0TrFF#?q z64!~TIjA+Hcb%cu*d6wao$8`uSKVv>gBj`+w6uTWqS%IL_@~aFuOqeS5it0!adqhW zaKpuoae!6mF`?am1@zTiZ>+bM2Sp){Hv^gwIK}ZiK}&&YTFw4!sD*qm2nFNR8V(an z8NKxA{@uW*a+W#_=bP_h2OCWa{mm^OqX@sBvoRGRP~WM5;ZW&TV^)h6NtX8j8axo-WAh)O9T!bq2Z&}v^wtO__M1;i%Ng* zMaO9-_jxy~8fu6WfU_4WgqPsa^c#8`AVe=m2-d+^ zhNd~FSAmbR#n!EzpPz@WfC3x>pf4K#5DDus@E%|>p!EZcpOf>5ixWhAc@ZLTFTvVW z46dUlU&w!e;s#(qsC2@cX|E%^gV^(EN{Vwfir&$=`wScnJ#^R*BEmsDM*0`ASfbd_ zn>H0JOIbQ6|JuHjV6hrTc!wGIUrfZ)yt$1GpF^&aj&OIxOFJ9Y1rkc~U&GD9$AH*; zA^b`D)PS!`p~aL020$wwJ{&zd0{rSmJ&bH!EX742qQx~O7OSd1 zE}Uc1U&Tjl!{|?d=xs&{si~$Xub%m1HlfIx?8q1}W=)JI%2Jh{+eBz){4yKh&x_48 z_s`Ub{evrwK%|MKIO_8~#p4rwM<;>#mgX~Pm1LU@gVYTJZlj0K(N@a7d8pnj?6oSd z7r%6#9ud%g3!MfL>dt?C;!8UFWGbzPr0^y}pU|pPHb;TSi_akmBS5DNwz6CxRG3*< zRG2o;tGZFPO^;z5u&0su@h`lnbm^#6#w(Be1C8y-hVkjTf3h^$hLquYNj^mAOYb#R z+JeZ&H=WVv5fvWB{a~8=!LpAlw{^z5c+U_7S}x-(c!3C1T^~*dYgWPgzO4;JsNUN@ zP7+D`51LXVQ|e)hY!CxX4pdCLW*=p|@?hGrjKX_wW27Hm_#9ov;ELk|UO{v;e1v4u z>uwde*>RdM;m<{-qoaL(M3v5XMJ5Vebe69t5AA`jJ)RJ(bbs^iQR+-YE(^FP(foL2 zdPP5~Mo~hK&F2BSx6I3gDepdmMiQR!91*Qw?9<)MyN=B_)wpLn(rH4~=qpI^l&eM~ z95=5ZqQ{c9so}1n6D@x4Eh~t^p_LKK8tjw1@VG1e7*U9s>qSL8$@?w@j)VH%r!RG) zH0Z*@YU1UFRKGrNbeJb|eW*jl%5qo=g?q}|A z#Zpa~7;lG@Nx3t7daE2C*=5N3v#^+zc7cz$~dXPbZ z^oMZ6mC{mg6SD+^yRpXj0-T8`G=%?)X)1g+eCjF%KT=k)D7tVXWVpkwaqBQ2%!lA& zdCn>);h-0czv@$hF=0JWcKB&xscgJ)imfdveWa}8Tt`eyXlsa~ygcT|{VazLbGDTa 
zluVK=voRB24EbM;TvanYk9@c%Wd?QOXz}{g;1k zE~1Bq8V`oj$yf$Awa*g+(hGs!bOd42minB_T9STRig()Z8|{bb$3-xG>CB@t@5UPF zyJ8^9-%e-{`DwBFRhG=-%D_Ve@~qpqXSJ>N2?MbdH}OAUREp9dLk#$yQu*PHR-{~$=VCGb;QxpU z%{y=TD*oB{T{MQucusUX(;6!rsk9G4doR7X)(0AceK1a2(HcmQL=)B~7MdFI$hGyi z!;t;#t+WuQ;i^z|T^En!P$iYKd&(PVqQ$5!d>IaH(Mco##Y4bqjjY)O0`p?eoStq)$E z9$)7OYT&8=P^t-Sr+a~JEfYbIbQC0(gBBmeO)wa|LdHuD#_GZgT%Dj}dt5yS1zS&w zh>gdo*ZGncVBRbny_cS1W@d<|Y5SgX8&1B||JVT|p(kb2tMecnN<>7XpL(JraC{}! zce5tK9lP@Vfv2cp`QeAWmuoYW=@@eMhj!PM@G1Vtik~FxE5*oOui1CL9j%eh zBV1?a(=cJ6zWEU1gOn8%3IT?KdFy0tFslwmI~D;qd|8_l{P^TaA_0glh;M)lAr5IF z8b9mxI_I(xY*%=5CmDv!s$?iN)(G{Ke=Ef@-VNXy4zjhp$%2MZPlT>L?{az(0_P?= zP1Ec`psd8zd{bA-zM3&3jL*_3SBRh1k_?UM>)~$PLbkFyM9w5#XEvTKyxo4}QXBm5 zRSX)riTz){MMGmH!@Jf>t3rgFADeo3bmLg?`ACDD45~o@*9a*od&$AMcS%$*qJDa45{KM z1z;7d!JzLtN*b1QajDSEbGEnt#XAWT&Iz$3XcPfcf-~VF&J;s(YbhVH4p[$1z9 zB%3#gqLYa_wL$MJ2Gk3B7c`$w)zz9gg8<#`a8iXy0>l?IR|&H&pJuIXY{1*j9x(Oy zGOccG44FLux&{sb@G#E!uBN6paWNo9;Nj*T9UCK^dT@oXeE5#jP(Mz{G%-1>J$EnV z>mcX?izw)8tR^6orx5FZZ{bC(xHr0trej_N1_V{?w%*A48*dh-Muc{<>%C3I&W=m{ z0Lt#BH|OW)FyMDM;7aoA0wgv*VG70P$B&_SmxIB;K}$+T7J8Y~a10(tI6cQ*T)nm$tpJM^Xjc`# z9OLoiz4S~0KLg4gu)C%R>_GG~L}7n}vFzH-g>dJ=Ai{h#kilp}&ZF@AWyK7o%dRPf z%k(M88jXx-#iXh5a`ozkA)Ji45-48i!(oOtz8L6ZfX)5U-91tMl2j%Nu+W0MJWnV$ z@x@@NhUBt%5idZ}`I}G}pTQ#!6{*8BDqh+ZpsBRcVMDKgV8o44kWL|T+xq*t1O>^? 
zX90^q!Ko!*&HtE*_ExX~R!+o-wu1wN+e4V@7L~t2gzz!rVVPvw-`Nm$Te6G&0xvL> zK37sI1}qyQ#EysS&&yt?Uuqw1Uhk4tX#@9l=}y8GKGOePYVLL1pJGe)OkN&fZfuzVZrZ!Jr>vsn__%_gUT;r7l{3&dcZy(;|hTew-nA306>c%z0#&iRm}lU zHEX0aB$dr?Y{0>Nh>EhWc=}c4D`=2FE-*Sdc@CEz#PT(-_L+E>>F?dk`0`~Lq6<_R zVXpigun0-Z$c%y?eRPTj5WKEo*>d@BcBcB`0H5BwCqL554J-pSG6@HPq<~rArl!2@ zi7PKAJ2%e=3Q4C8kchDds%kSa`en#e#cta)(T0|X3OF((%n1{r(M zQb1N4=$PuXXfF=EE)ElXAgk+49u|xQZcDHP!CwrFh_JD=ob&gCwrg*156mO2ut>O@ z!OxJSr@(ycbl7FpS)R(tHQRjyHjcD43RcSxACN>ul6aRK6Nup874u|)N*;==zrJK1 zSN}-q|BZkr3jBd(zncx8!@boo@}dQwW=rELLNI5xog$4ln2FV5bA|HNPZ;kpo+&l& zSo{0R1&(8ro|}T1_TmOASO0yY4X1P?fc^J_XBVq%AuSm?UI0R2$E%|Cci)3x2N`%s ze97Unhv@8G!+L87RNMG4d}J_F04F$5z-5>TG$vUa>^@cFK8az!Mn>9;bAQ;H0(b47 zw70Xvxn6i~>1oqqXa|nf@Hv0nao0NpkB?iVY{`f*(6zrRsj9ZJUQY9p*cbwVU49PA z|1JX6@t^YUNZA+fH<*V0QyrUH7^2|AqU=$AD;FYU0Pt>9$uc6M!+x|V=Rh)1#mU8J zo=MH1s@s00bWv4sq}LCSDP$=9Ky^*1PA#vj%;;3h(!uDAO6+rkSusCQXMCQFtm%aI z@Fs4@f_>6cQ>4c-3~%0Yj<3o}PNpbQ7wqy`))s-C*WzdoU;~n#DYy!K+fWPy6R2B{QI2pEK5BLT3|!_#yB1~*AJ#5=-Z%~J58!KnqU zYf~gKEYB>R9WRP!Qff;|Zd1PyRfdyI_XDVt?pIt(fZklv4MD+OjXIiw`vc0i-9{6d;|0n-ZFHPtoBD?ux%rdv49B9wMD>C z^jFaCAHM<4etCI$TJjRvf#(Il>Gt-zDUEUe`&e(k7js!WAUPWbScotDA0-;lzOb>t zdGimmHSnv8BKAPPc1;I_)`f)%^|W%ZYgPOXG_K`@xx-B;Ik2Li6B4nUHnQG>dpHMI z9O=KZyo~gSp0+dnr_O9_1ue2&DBX|auWOJcm6OKMN(FwV`@vQ=EcOnujbD?DRIQb% zeP)z(#9mI|qZa4?XX!lzfpCbNLPM%qs`o8bl1Cl-yXpvfPLQYrNJtJW7KH78fQLAI z4iq@RD5^oyN?#wwXNZc0csxK3)zbQ4IxOV$gGTfL4bAsinMH8-Hlw;=&ND0-P$2;h z0!iwfe3e?nEb2ceCOjcnqe=D&Tm`leObm=^RS}qUdV1+C%GZWOfGNPJx28oQs-sE0 z4cGt*8zy;pWTzjCWIjzwfH-e}c44eNxa95-6234s#ocd&e}h2>jF3+m37-OolQWo^ zl?5pe-vGRQQy`7jN>0`$LF1z$HmJ7f=yJGf_G)X;tyLJON!qut>i|tYf}V-FE+yO%>zrl#Bs(h5{oay+xprUYkR8X4yc-oA$^zA&v(z%R*Y|Uo#&owy&2!;zFrZ`XsHtn88PBO zk!NK&5TDY?w6?SeZ8cmSZ^4y`f*43EaIL|zsUCX|!w{6c85k$%fDj1vPNDJuq%xD{AgI9HWB>l<=2QN&$P4qfehXB;C$ZCC{x;)e z+hw3}Ff@2oH<^u~$c!%sDMvBLc#zD^(#eUF)^9Or5mTI#lUDokwYHx$U+DtR4ZCWE z!?={=ic}3eT?$hCv#&=~tcC5QQ?rOTjn**LZ{NPU3}o|6IP 
zXLk!IQU@(S0}PQ>VZ)D%k(sr%I#6a#4vdZEs4y9G#_toMSy@^(*^M_gUJk1O6Z5g& z#jzST38YlO`a=`h{yVX=w4wrT(e?%VY?Y3@Qs24C^EYR^!@=Y_<8;nS(Nl)e+M`-x zI6Rm<*qy}>x|bavbQZ7ssV9&D7-&EzGtGD1%isT*1a?SuSM`INwnRVfEw*N2AKIWC z{G>G{OpMhgjHqP}&_))p#$zf6{H+U@Ic{2tF*nfh^$H!59m)b)h$y5W zD(X#n)vvZ#C9*O%Q+n0s^7gpaSqwG~7~Q#aofI;lVdgLp%|D0ENJ7dNGM+OgihQhk z>Zir`%8bV62ob6b$N`kKOfemyn(&tTa^8>75h&}*>S`c#Ux**9kzb>efvL*2Pj=0eT%QuIrgnn1ER!)oI z6w4VYop?h!2pFNV0UZLcqodXAa8!3-Dyw&q1WUs=vXiMy0ht@$jENP^rt_{&e#iP- z@wBVr1d^=;1wFP{Z5rvM`a_@O5w$Ro4b1mjy{7Y;y|vOjZ`3$_$H2h2bYNOd zV56LiSaSMT-goG_xJWXxVJ{o2Gl*)K2OaZVK*SvZgw-d#mQ0~M| z{|R^;pj&DoejLO+4#{>^26Ydwgm3wuw}hQrh5C?}bCCx-hRj4ZlTj zLkdX%rSn|5cph@}x&irf6vn|*3zN0*&^uM~*ZBOOIbf2S2mnoRa5+H07Ww%#+zbd+ z)0RigqKqL9VOue7>YIeLXicaq5iUjwA*G|lICG&24M8V~S=xxb@u z9>bTwdxwFKY6RUG>>p5kfX(Ii^!?og%?i;?Fl&FuQokK zAdK)rMwXt{t}yS8r|fOp{sssLu4dTF|B?e)|Fq-?PeE9AgoOUVK?`YsG=a`h{XgqN zdq;^J%1@ds2z@d9Ml;6%uQT3b8Z0iGRvdzN$XkzZHO`kn_VkD|^!5!$mvmfx*?d}# z0D-4zfij)OCJSPOsH+t1Hm<+H?fn~C(gwR?7|(z+4T+--NBQB=VD23WD#<49msYl; zTmpjrqQm(>Amr$v4(A`xc_@Dk>!F+g`t2d~I&1Xk*mJ2@V&_)a(uBm1ns1(M5(K3U zZljWJ$jRxk{~ZeqHGc)Gm{h93<)vJ{9J8q&DEru!j3)~D@}I?F9OSk`w1P9C8oE5Vk2*8X$CP}2U#cBiMEun6&R%z)5t zGeB;(T{l(Fg-8Z{#GB`y3HSFti!ylDTH7w0>(PX6=wTove0&%R8i;$lem$XI1r+0u zP2%ApD2hk)kvLS3-S}Ky4x?Yyi=)e#4eUWNG2BM2I2hve52=H&Wj=6WAdr-B2a5Aw z^NKwx-~WB1!GCY~9R?Lbd*iOusn)op`_u2hQT z$@=^3{?r7#E*;PtJ_FX>!`jU|}Jyc``% z)mh4?zahGkg~ob&anD!bA|R#oJ8%%O)3G}G95@ER|KW&ovNVA(s~Cei*7$yyWS*)F zdON(^P*Rc^6Noi`{Q~k|1Wtk0q4DhW>-3X@r`07bUCr3yl}B&Bbs{j(q=<5jd<_Dd z-}PmEer&l^)J6d|O48Nr&DPP;zk_Oe3$KYmmi%X=Xbu#7uOYuxn&5o-je$%~d+z#I zcNV%Ix>VeCPS7TlFB8HYD#KL6p(l<-o8%kNkMWHctwC(OjD|P_Xkpti8=B^qH$sX6 zQ_%_EvYdnx-g|-+jFZz&fJ188` zmAkJOwZTk-3&^XJlDy^iha>4})}V!a_+7=EL8O0Ur>znklAu~#$+$@43o11FWT?Tw zH3sfEbaeEQ%l#3B_}?2!ryb?z5*K^CGh$>o7tUimbWxfkY3F7;Y%+c1_1-@azDJct z`SyPh(pg=M6=Y4Rs`t`V; zkNH=}hOPY+a^zd%B3U|TftW}4q3w*7Kz}oR^93U9$CF(%tg*FV{xx%d3DxshrswND z4%JN$HM!QNbl8KpX>G~OOP7bIzElsIZ(|j<2h8QNLrs>~skFUv*@}kYK_Kn4&KMLdcX1H_ErUw!89=Zw+3A_0 
zil}JgKXR0A2pfc06=-@_R#&Ud`{|?T*mbJ+z*=4lS~v=dLVte5?QZxRz{Xqsvl!li zs`rNt>)++oaPg_pHA0yo0c?bk!W2OaoyOn@RorM5-;bL2Plm?1i5i8V9H;Snp!w32 z*u#YT2@2BX9nQ^ zo{uzygNn7!{|p5T0}>`3IG%v(OILR?^ez`{8{M0|FnEEE;0HGQw}x(okibAHnH{is z0LuOnM*pm=Xq1{Ms;eW#%)qt`ozFXe*yIuVg2n$O1XpP9=R4J!7f5<`_TKJpR&b7ZDXl{+|cl-N*fTKMkqMi+ofTT z0k_*{5p9&eN6DTI9}ikuNx98ba!kxVxQ~~Y+%D@{BQm-8D-BE#8H*)x%U&ufRi(BT zN4^9vFcdF4Nk_*xzQF5~m;O6g1@7C@CWBUkC006J$(O9n2Sef$hK-nP;+U6IP2F1+ zJ2KXADsKLgjfFYChfe~W-OTOd;@`c)^LYfyQ<&ZIE+qxvcl)7p{xf1iX(3;e_6M}_S2f%qTIhlN%n*xPcR2>YiB2_a{+pDdN$xz=JwAx5wusDP*JJt>*->Vftlt* zT`fqTyMnczsfKeeCqjN)gQBJlWM$G(S_94>2^7sV9#pZsYIjM;*c)3&t4+d^Py{9( z+IIN3PclFm6-D<0JdcnM2j=xMO`)TF4s=mL$cKWM)oq}nC|#$oYyfxjt;~R%Ov|NL41j#n z#YgHHpvVjJ~Sh_wVamnVQ+{x_=P4lYH1 zA3i{jslVQcmw9nvd)Wp&Yigu}N?TG9UFQ1;9_os|%SbhCG?e87muCK$7{FnhJz2=e z$)R_)&Q@7nS~BJ9Y^8(D2Qc!%vI$SQ^{`yL+|c-VF8k$ZGr-CxLg;?LssT(o2u;s^ zwZI337u3+OF97+YTl^yE5fuh7+1S`))lQbMbfVKlHx^_H3#T6g88xS&1D6dbSh)AM zV8Ffn)2BSTq4d<$AW=nz-xI}fd-V!TgS*$0sr*!P)f>ZXIMWpvfo^t7V+9iL=~Kv* z{RWSwI-t;#)3@T~Vn2TDT0@DMf$|mZ&u=%{_vJq;Yz4!)dTmXV_!(9P;F>;tx{^jN z6ZK%U;$I5rwZz(57(Q4G>D>jca6`f@O@AYq%8Ue{wP6~eYYUiF$Jtc;#U4L~uUx%) z6(7)_=l>uU2|df*H!fQPno4i<1~QNnW6I!zYMg~7vLV^GD zuiZL-q@-zXV78V47vqlOuc3e*6^yc=ll*1-<^ssxJ@++;VSvF5NlAH>dmNSbWMcul z+#D@g0&ce!&Lm`HKpYu@l_)+cbg5o*w;B5E==JPx*}($Xm5<(V0S;*oi} z;^}Gqx#btqo^xpUbF*NlBc+^&f6c+OS-&j`Nv>oty4D65!&Zm>%16zWBlBBq@Fv1N zdE;G>D`-fT1kLLQf=!+g1r07ypj!|Pt>xnJy4Xg|*^Z29(s7=NLzI}dEt?_qf@E-d zbh)DyzpO3xQgK{qQ}{r<-7ZH!J&+@+Q4!yjdcH4ls`!WVcj>*);IQ^s9IqxrWMqxC{D209Jf8 zY)}`0HZ@v(U#-`MCQG`8^BdzWC?mOie`Jz0R(m5tQECUVc%*|jqwe~ztUMna;tpsQ z?yAWyi96c~J+OUxkrIXUnr$)my$@2m<%T;GJq`&68}1hx=@?e|zDM=kVtxuzxHasu zHEY^liG6iPixR$OQykSJSe?b=LsgfC^EEvZBV;Dr-vB*>d7oEEDyx5RXvm^W6WEqX zNB^RNyo~ZR;jxK94LX9*0#OepP4xlep+(OtJv3F#tQ`!bqx|xoUvB8A z$;S705e7kaHr7T#dP-wVUHb!ad=4a%Q%kHDkG zWNE+I50pLMr|$b3esT|zTgegnnE?KD8!cLO2ELTD`f51J!K zM1yrt63@Z+qzU`V5B|WD?;%Jp!(h^$58RRO?Fk+JbZNc@Fdf}alK!Me^CmXE;h-H{zT-5_x9C`FV^p$dCqUy 
zWe-@-q*f7)S7@*f7rE#dEBjf_`{vK=TeGCTOZfh3Q$uw`S8YJ!85hfUsSK@u-VveB zjdyoj2bL2a{4r`V^74&ql{W+ig7FAG>E2KgNmv@RSZNZW+}*a`g`{nT z)-{!gH~K1+J@e^(MG|Fl#vxT>Io-GDKN=(b@tRVNcpdqFhn`T))3t~R*_qz&O1Qjq z2xLF>zm8vO>=UpE?Mn^<{*htGXGpAEE1fB?dE@R<+x{cG!8W}w^;x(jl>YbbkC)f< z{Nkwo!-f!?VspP?L|qTRgSz{#TY$Fgc0j<9s~g{FH7$GV#vB zCih33T?8}*`vg`gm%`zDD^gPxRZ;t8jgQwS>F(6km(cknOXHb2nw%Ls#5AJO=o=mn z4z%68_^Z6KojJ*)D<5doK(iU|FLe+{VN+hpGQeT``49)Y;~<8@a^>Yx%-e_8*$PcG zp8V)jz2kMS*f#6aU)_GGTB{C^0$2E{$tRY|E}E)DGY{@HrWRA$oc+pQWM{TE(MWgL z671!}?s#1p^ZT>vPDkp;I}Sodd1~cLCKg%#dPIM6KNw9E(|digK3~BCMM`oQcTS2eVn3LmWarY!Gp$7ysA20~$>P4-wnp`*#D3p7~<_bGQ)Dd@sgTfghcA+C?;z54bgFVw}>xPc}ueNNqO>?L+58u4y)cvKqiSf`sY zZUUo#bLSVU=lV1vD~u0c<4eflw&jjDT#>x?ndcw-C)xkWb6{R|)*uw1Y z+EM&h()|0M9t+)3lCAa$e<}_ow%IyIHidq&a)!zlL>CV9U%(AuGZM7)e=J-M!Tg z&bn#KCc?fIUtnqc2thed2`ZVYlncMtyZnaJgnVp_5XJE)J3qy#{w`*B8pk{J>x(nj zLpr~!ZbyeFitrwkZgueZs;ciiTH}}abqd&BVX=uM30@C*Vmk%t*d~<@?Q|B+msX9JOlphQx?40Qd5Jo{t!oRhGLh0l zhe2EShYb|{-rLw{k%~YHBFWHc1cBAW`w_bReWB(x8r%7m zTyvBZTy@B#X!5;qyX*lv^11rdGmO)JXqRYmD;ns97Js`O`PQm@vr-JbTc(fk9|(jz z@_lm6&^?*rx@shY#Dnh8M``+EkV{Qv``m?D2FGp9`10?`2?DY&=@AEyS|N2_?BwCD z8zs9bhIp$mTH8HC#mCRBWi11q#-Exc@%(03(rCRzO}x#jhONK;#~G)5&FA{jawvH*=H&pMssTen6pw?`TC zou}~zGdDR=*Mw1IC+W_!TX>Z0xD1zq2OV^u5I?afsu!G?oyA+&l(v`LBn;tzs8KYu zNZ~67lmCce5c;H-KG1dJdzTRQFPz3gR3OP-6L>0Ee7I2IuR^i^yIv3BgK>kfdCEKB zWdBzE{N)a!Kk?{=Rozu%4b_~%KEIOYhhRp%Vx;IYCqXSnhq?CW3Tor#?l0b5!@8Or z!56_!B7#}wix#@^aRDV+HEGYEJxIU`W|oO6JWvLn2(GhSv~>rLJeNgSEIl$P&mFBb zbHkdOx_;01^?$SgcN*a2Nh(*4D~lMzRp z&#Ir48iV@2c-l(HX84cv*$Q1xkG*F)+Davd)1!$Q+(`eo_dO^)84aFzFD<)V?tF;3 z@9Eg$>al}nrJCACYvJA;U!^jl0`0EIicz68d>JJu`#z*Iy}N6dBqTI2)z%H{z+>C( zC))?laNE;o-AZWi#NvuWE{=wiE_QPQvf3B{7Up2hm}d-%hPATjpBvV@&*cAw&L6k1 z=1KMAbpHZ^5}D?xnP8ybeMKKl0>4J&hrS&d=biF z_%zxyL^OUw4D23rHdAM7A+(g%?n8}}JwxPVHNti0NgwdwsNo6`0IWo?LU^h%J2qrF zWmpJ#x9F#?p`P-rNq32N-keStrM&^}4E4y!q3v(yTMk9hE3dC!SN+)aE!@D&?)yM= z{BVYI>InEdd*_J=)%qUX&fL-{XY{Y}7_8CIbXfGz^?aO|l*Gt6U}N`P#YexeUbSpL 
zFV4Z5O#_ven|j_=^(|R<-zHhdoB_Y@L9`o($f0Ds(&*aEM&*mfQmTt9cReMZ&uw$5 zt*vU2um2(H4!QN*^}?P;YwCiwtweB~Y%c4XLyJY&0ld+-)Zk=_vYJE>IIii2x+)|| z7~6hxOm^fIXM(;+BaJ~P)&tJ%RJT43#WRuAg_y9c9^HaGn|m@eg3U{HEk!h+8%~#E zjYl2guuJT1>>^sW)-gVBPz?4(Kdk6jMfzjzxzyVz=0>M=oo1Eh>A0PC4UXNpiPMCB zR5ek-*fW~FxiO60kz<*-sYl?o=rOtQG0~z-m7`^?ae?a(9nIN9&HLK6XL_t`*+f{` z+4xsNZfBB&7aD2soM@V>ZggkHK8;rqq*djxG2v7DQ*Av=kTp>JD`QRi(k^mjz+x6gUc4<@$z)hIQ% zdrwVCFK^yx^liW?Mu$96YEtZZzb4)FkT*mt{1hhs03iM9xyAKpKEChihWcWbO{@aY zk$>7MD*bo`Z^X3K3Ux}C$&&1Z^<=rHyn2E2|$3q#|hPGs5 z_@JaSw!XUlbF$BqYTwW$Vl|7F7|mlM z6a5v9-}&)*1V1?!v+#R&!i&S6d^ivcMkN-4`8%o<50hJptyDgURNQJG@;d)CxLP;q z30ZNNZ|B2KgOyEf(2uL!-T7(#Zk^k&q@|X~~%z|l%8RRm| z7i+yP_U0N(Sj6B;1b=P4ZJIwcP|*`lk?A!l9d*=OA!WIy#a~^Wh5m|@<>YU8ny@b0 zYvKIkfO_VIy&0ppXv&WaL=)T+#}s_u_m z`t8@jG*!k_=YN0r)ZXY7u6?~SZ7TAL)3mcQqE+%n--9;>Bf~Wj#FM$N_A4UfA}|+Q zT|Bl{8Vl-0@bOod*8V7IO&zC@OFe#5tM^x)Gp=QvCGRiTtP`x_jYkhf9>Q&O7B`%N zp?pN;=g5EDsne!>D`|JvIf;ullv%(*c(X-b1|DG=KTXY=^TS@fGuN&4Q1xqKfppt< zg6v2yEbsHK&cN+)cz)LJGl2apSI4U7_So+sr{nRkg&@0LK|9I{{v*?=OgK_JL*&7m z-dja1zw7qzK67EP{@9~8IkwxF6(D>(<`qrHaiskF*YEvvh8yGBjS8}2F-Q`t3Zsw&~ zzRbZ@Te7LYbJ?ZQqq`>iEf%#*-J>Db95MqQc4WA?2b(2i=h-aue7{Y$>@@Qv@?kI6 z&y#19-oxL$q=YPvdeiQhGFMx;xok&PGhAaKQ&4p)PjzVS_{GG@T(jzGT*n!4az?DK zq#Ca=YOX@RUnw#@nfLdHpc>qlpVs4cLYa((>boW#-cB_X2Zw%TOXHjy>SC5<6;aN! znvVH9=FWO3i!9=dAGW`^Vl371Y?zVM%^0ef!@u36>du+1U${d$Z%qm7jCG5cf2uv? 
z)YbUAqM25wq3e92^3vsY0ZV(MY4)ZzbZK>-#rZX(U%FhfH$VCqXRXSWni!0JE{@(8 zI*ooBdBV1RSKayKMXlmgCf^a;c3JwmzQ(J^&#((v)HmXmx!jvO$W947Z@edG6zCi2 z?_gGLKO;WrB2kZ>G#f}*FwS5gasSJ3({4|1zT2`px9&{k)wk@5?&4y+HgAbZE>^}d zy;r$a6-jDDtH{cq?yU{QbKR188rnP^RCssMVkPn>tnA2d6MKg+B8A~G^5`ULP0uh* zdFW*{7_2dVZ7aKEcrNq$T9*Dhy6v6aoT>-t)P#37>P;3tdOd$3=ysfQ!7^gI6(^hD zbBkRtDShhrm8!=wsh2u2!FqRhVr8t$*p{Qu`9?4m`^MUhjl@PBquc0{Iln#%x_kD0 zGh@3s^F3jSck*Jr^Mc>$;5d4XAR?tF!~D3SH~&|J9A^CNS^HNvf!BQIr=NDPn4ee= z3&BGQzeUkfLK+JXB4h!46NYdkjOkx^e(y@6tt4}2yZ#C$m|&oJ>1#~sz1m3OniCUy zQ;Qv(M%rUEX0wqY}QkZy`_6rsJt{YPsz4_>#XmV<@E_Y|~aSHQe&TRFp zv_X(E2?2UqP?JNAv1~RiOzilR75V&lVWS@0fB~7HoBx+>Ob2{vtWA zdoiZ_;6p33fT|l${}-!pDIE3{K25hF70c7&(w$2&)aj6*k(*CD`<=T>YxZu&fGmWS zV3u?+aj_#~x_3k8uF+&K+$CNs*y$knHXHWr)#q?Mo+*{lmSfA-yt@qKaU}VqWjsl0 z&grLJ#%aaZCb?XFq%GY1gE$LTBxTxGa{Woa6~CS23XKX^RwLPUH4gb^y3?V=+=Hwr zA2B6j|ITNBQkp$NUvTz7?C)ZdqkK zo}l>4P7w52$$4ig&Z!MwSnlgnv*Z2E9#DzD5Stsq(vk&)0v#C>L&0vvJQtIPquq=v zE>~90+3+QIPdqYch=}wad0X(9^==2ng95AP3N+|6bN-S6#Wq~-?B=Ti?f3B0-=K5i zBk1Ei1K3AoTRMs4{fZ7%XP4$kNY*_$cln6}wYzI3V9g#^K3u~l6xFp4xYDWB6N;_q z^6~z<`OiK%bGHf45X1erjgQNLh>ei135%Wqy`+<+G#pPU1N{PymLsO}&3>9WGH?~} zmN}9P&GD%|?*|`Oj@j0(-C!2t&wjD>ilS1n z$g86gY>qn=WYHpwwqG7+Us2O_<;SFUJnece@s9W~tZq!XS^h%Nva~($NnRsL?olIY zGPSGwfqsp=2*okgrr0g&c_!z1ayJ^QJDaQc)bobgMAfUpBIn8dY&7RxpV}U)v2vw# zy|8Tc9K$Pr^|xVq+S-`;I{p2o`|g}p`)88I)`kp|ky+mzrgE-Tog~{s{8ylM4V_ybK>l&BN76jN$ z$(5O;vKWRv%)9&=c{63KnRfZZoyY(ca!F&h)8fGS0N6%SbD!6)CmZ*Q3;z1L@y&E} zvArx$(sQ@eVS(JOb-kD;E&3Hn(%$G7scxo_2a1cvj=wI#HBFz6mMBJ)=lqQhXJvC| zv(QOYjISW~>a1EyqvXnAvCyfJG}nlacwcWagxwcWmeb9cSUq_ZNfIYSxvw6uEfaQp zAhzdqH|{S<*@5BStJ`@Rnmir3N9R=kpLj9N-&oOs*d3+iUK2Fx4nmpFF-7l_eulcE zA?VTn2YPY6!b)+yzK%~@Tj@5*dQ!4oH{1jCObTAiHfJh+@6-oe#M1`*9?%j^IYkDp za5Ns{Q?@b|U$AQyJPE_wIdDAKC)pD28t!bFknfSW-fEc;ES@QaxA*k{2KC$^b7kMX z+FBAe>*=?*UOnjk_V-Yyn>7jdUiYnAJ1RM46&)54DRmtoMtEWeoIgx2PGf#ZQh2>k zbaZ|6YO!oL4m%>b%dW8Eq`QPUOX9k{CwBa-1i{rF3bN&urMXwVS)~J^>bE)f*irRvwtM4f?BIMw9SNIrNm?l-*7ch&OPi 
z7^o|}c0fLG-vGOI{aDq+bi`NYrq*&2D&9cX*?)AfT;iW^DtGx{;wODBP*J`^uO_g8 zr!3blCHiDmlJwW!Ou>^bG>Rf&AE^ipm{WnEkO+xNJFnWDU)fcwRoUrOTP?TIweV!; z--#`&+TS3!k`ntwyxYYew<8IG`xb|~)WrB#LTR(&)%O&|9SM@LEkhFzND>2ZD;B>9 zYFGWv7%~>FVncce_dZ|bMDdy2v+?^`w(1|N`lrGiGJf2m;7det^s zwvr~dyhZZ5E>m7vzFyNEhin_OG8|*TQUK>OvAJgd2(P{S?MR*XYYz%}s)4>vif>k3 zIUHj}_YwM>GTP#bGq1-9k@_U5=1fkC+OHM6xBFrAcsgtCrf#WDf3%*XO(kdR(a&w! z*w7!oZul7s`!~Z5SC=?&PHIGqKX#A`U!N>Th-73by*^b5>T}&xu9o86+PLs+F%}}~ z30YsGr7V;IB;h&?;S0HmAHW-DKul`;8vyjNwE)G3)$8EMJ}n z&bCdq>jMM7{+=9iYK_%Ye&%;D@*T>RBO&8-G;{ocX@D+D)^oo&oV~#6Xgd01-TCJm z$-g9iDAszuVd$Mu3!2t`En%uwkdc{vbG#3ig1J!lgG1(fQU#a}y%wfzfZzFh+(E6< zzOdZQz4~4c<_~@)1>3*Jt9OEil()i-yF2Kjf1Iumo8}U~KK*MR+wwC9g!rIux7Wvw zjGufss4sbw#JM5xY+O1f^btlR`i}Cu2!?GOddKuG$E+Ka^%e)Q(S3FA)X?--zg$%* zsIQ(F%|n!@vqy*|Xnk~|^J@Gitv2d;=kW`r?UW0<(!4ZxT@Uq(28f=F>tH4wPo;bL z1(&+ibGJD4*Kgjbhg*BmowQ<}HPt6|U2NY}odldBbv!?_V)%}nIUajmaLlRIpRE6o z52+Qp6V{zj8*l3FcvYaB?{FCK1*50p5Sk4k9|7%R6 zQen?z?`KQI!4<;Ju6DJjUUP#*;@Gy*JI$B=gCi|BwIG_rMSF|s2JbK-{7d#`9VXBNjy998^&gh25$B{bz%Uzj6>GqR|VEHNaemT{0K07 zi9l>|>)9MGV_bY)laFAf6jp!0*x=CkEieN2Bb>+o!`NE@W!ZIo->8TnAdQ4{NJ$71 zQc6pRNOyNhgS4K~jdUm=pipzoqTd(Wf5#K5v{HA56>>g3NHC9 z!oz#k2m{35+|W&BW2)865PIBnnK`v)EsJbP6%*jKvlDxG;dRvGa^OJoHg&8lz38{I zOiu0FxA-;#mq(4!-sfA(6W+aZv99h+7xTB|2e{s0k5@iYX87eDqwPBTlHhO{W~nCq zSgEHp+MAsO*lNHVQRFz z_UWIucAPepY~4Kqjc@-g4$3m`SG8g>3D1z#4h5p&TsM@YW8Km0@`^Z|Sl3_kO0IB! z>FiqF^+S+d`r5JnnfCb9%4{*61A8ldbY)KUh}i3+Tj4_Ak`+Cor;=>BICvZ0TK)LO zdfniO_n{c0@q!<+P9Nn(eRNjp(_#6i0_7p~0ztR-$4&gJawL_>aRY-#Q_07FMH)Qh z=&L)c_Y&HuzZ`PF8?CA0X>SNqpBRYQz_KT9BMKs3l`Oc_X2Ll?F_mA#Y}G8EKzoC_ zry7VjD`yIu+1NarKU){su~AnHRT-J?ry)c?^L)Q2`qRQdeR6cNe?)j8KO*#Tcc&hg zdG*OB+(;$ruX(n|-))7jMg{$SL}(RHbjRdqIx)$^*IyT4g4mTJ^hZzppg?-#TsdQy z!;>;(d!0Ts-}VWs1KO72og7>X_Cy;Vr+C?r@Hm5?T%qfVkJ&#%A+v?(^w>4zv0I+? 
zTT#DO6HGb9Yjs~0T&91FQsHjj@Q5)SG9_El^7{Va(raP;anL|IqlBY zJ@qXoi9yaci9*%V#b2i0*>ecwz+nn|-XgconOkFZbw+s|QF*hvwU2OYMs=n>hRL67 z$`6{Im-UK%6B?7F9YrkVw}X#bHk4i~;$9rpY(M9z>+fa75H;+64pUN(H_gXZaBQ{D za0CPWMOAee&pbO*6z$Jz8L~^m`76h#_wTE)CROX{Am|kA59S_4(fakIT83u1QLS=} zj7umOxdv>ulr3T->(e}<{54p1XnXp;D&SqDzL#O1CuO0Oo}t6tLU#IxdNrp4j%P0& z#Ts0Tsk98!X<9vbuR?;rn|txtb_7y*G5r?<#C)$tx?(8N9J7f zlg;*jMa(v3evMwr&teNNH^s+zRWh)1(rVHZUVn-xCjGlcOH!dOxpcVbiO@>mRNY_4 zY+Ij6`|ZCaZBsZh5wA&>8!vCA+Yo+G8@EY`jk|^YEPcqqjUx3Cx5f4YOis4=IlfB@ ze4jD-jP)Mo&lq?1WCPHhoi!U|>F~F__XkrpJzpK^p32+Fm?f4w8xQ1LGbc}R`CyCq zI|RMo$nQX#?X`h(MI@wqHz5!RESa$znK+7&)K&xyAMBQ#GyIHRP>h!heM!@zEVjj9 zWb#T?nB<3{D#uTpYYnr|I?IW*l>H#(23jQXlDF5nwJFamd5r&BQi0&$aR1bBe^0jC zDpFry%mGr^)=AC`C92pHC)TT9#|svct+b!eD0rGA!%z*npCOuSJH#F-EA?sBbR*N|%oA0ZVz#%p!B<6d2;`7wFdXj@Rp(|Ctn<+f`AmO-Fplj7QNyJkg7MAY8iJ_>Ts zZ-{mfs!2$oh%CRms{{JDLY9%WeP9;?*OoLEn-46JKrIJGcrHK~n0aAo$z1Lq36|el z+V|6^kern(bVfHN+XB$#VDtn3yVoVZ_;K&I2mIJvV$*2HI?ACUp zR+eBtxuNl)z6++ot@EM1rdQJKq%JR8^w?{FyAMr6AQ}ag-Q2dT*7Pix!Q7Wm4G9R? 
z0u+%U&mC|Y1&QAkzcXLikb@)?x>!N6pl93B>CWQBejR{HX7m_SZ%(p+&4L5|bmT=XI@@!P3)$k(m_z z(JY`fI0H9Q$aCEJ%GABXXuQ(l{6~(i}MH=+&XfY!1?GtqQKK9p+817g0`mF=( ze&Q49N6Py4rSo?KX$d=g#lyaE(Jy|Z~m8P%azlUP@6Q1^N z&6k>O9qvXWiMJ>r*qwD2RRd-h`zmSmZx$w8hJjrb925j_p5MTTvtR$F&qxShA27Fp z)-xi*O07Dpu_91XzRCfevRW*#YLe)V0OthdZDE1|-6W8J7S#8$G=VxNmSL z-jC~o!3Puq0t$+PmtR_MGqbWn>jm_jg#`vOva;$FUN?F5_YJ_metG=hKThSJ%AH22 zwC*@Rm<_&(+*DDFW%+uH<8saL7DhlH4Pdx~BNN1{8c(@bh>af9ifB}CU!FGo_+08@ zlXi0Q+E0IOzOA1RTnB!?#S;2x{u<1JW-boO!50PSxM$FSV`o_n{e4wcx$~fQ1r_z7 zgSz?{(3j?Z|33Hw{=m>84HFgk0Ht;;vBn^Cp553;jg0i&Ue?wHNEQfNVNlrB0@{ z-p8hj=!{|K80`j@oG-f^mGI3m9!EBl_5jT)j%EYI3m^W<*LT=j2B&G2fPf()mG5WaMnye59mIrD|Bnms@He!^aLIwK4i%!QxjFNtIUqJP1Pvc!`mQ`9 z`}q2NXua3wZ~TE(aqfQ;)hNOF^kS{*tj)(!Kb5NQjFc5l-58a5o*%SGhw`$_ z)Sn8?ajPgnABRWsV-ouI98;Z>ZJ=dnH|Z_R*Lb%Nsq2fSu@^bR0+B1nOhY9yo=|?f zUsqVDkUa>!QO&QVlR)DQF*G(VZsK_W7Z(>;eX&5ldC`NX*q})Th(Oi)Ta;V3KqpVZ z@67TTXo5^3cJNZHtXM|8qG&-o3oW(K+tR%>p;`zSguhpVl~REvl-+ly`ZY~WMT}av zl_MtZZUx&s^n9KCiT)h_li(P72nP?7A2m)mt?S|8Y%m}^VY5| zbSkiAx<^1@EH5yUVWeh_6O<0Z?FwaX0Nqm|pm`*zi2>XeMHwHAd|vFLTIfHm7bzfEzHd|#oPqj zhuC*S^V8EhHt%mg#cs|Dhfq0*Wl-q4P^J~T;44Pm4~8&@>k~Y=(NcDH9DlXm3nNS4 z`}zuCh*ea80R>16g~PSy{{a0OE+5IT8+g?D*Ui%(j_a;2R*3RyyR+3zbr>K7j6YR7 zz9*-4FRT0Oz;{V@OC z7cG)Vd^xp*=U%zDBqzu6Yi54E2Ha~w2V}MJQr66x!wr-OgY$O1AqE_*v19eim$0ph1O^3zCqNljGnt z#yon!$jIlo`~sXGbP9y+7Xtdt7I3Md)dgBy?%((CTVm5FL8Wp8%YmI8`_rTcWC;ROW+eSfd} zsMJ8dotQX@LpV3AEdj&%2P>$*Z=N(j^$p1>+uC!fnH6U<^`r^m*Y+Q(|ZpmU{?7En{WJ?xM z1#xgEbZbx5(hoEX^Y*ts-`M-MNzOwe$E(o8TxU)=fOsiQlu&J{ePs5Os83GT<5jC` zY2>zIM783Iv4VjA^vs%L75G1d6iR1CNzrms_n0_nY9@_YK~4w77|U89m}qMQtf)#W z;GIqZz_svh16U*Io;uzl&I_0Q&z+*wb~uVZGmZ{S5kadHw&%7I;{$ws!qFRl%0fh) zY$JTh9K7gMtAyJ#jV&~hk>d6DLOy2o<$qZl+7PKEB7Y5IGJe>elz-H?gd zTKh{VkI^wE8N}#j)RSvASU3r&c_Fh@h+d_{9*iC32s8_6D&J{j zq;9VS$=gP_3MV_RraVSvUpCD1R;&%xLVji7Be7fWk;YTW9O}VqLuJe~Ja9=(gFVa_ zNU5@!DYB2*M#;;1?Ii86b@>tqoB7rCg*2@RcLRqUTpOjYQz3A02atoer#%!sZ^>XY z42R3U2-mSEKw?jdmzDiJ>mf|x0!A%J4K(SQZOd2jsKJry?(X|uo90grdLm+`%gjSc 
z?>bBuj?k}#s)#9E+)kGd*A^EGxX(y1-Q#9*2aTBQvPsT-3l==T$Z-)z#I0lc$(Xoi_-0%iD z8>&zP2srj)jWp=(oiqOZG6>WOSvn&}PZyWs_?ePNQ5cqO+1^l2(zRqEYp~L%N@ck` zn60ere)F9DD&z9Sb*f-_gV^@}`_p>28(qWgum@VwUv&Tq=a7TA*L+az4xx;wMyTOSsK=?_gtg2palCp-*|hxcP7=vy%!e{r zSnvM|yxHGai*F;nx*b}^Q}FR2?+;EY*3mKR1g?BX?~fHjP@6=OwUmg>Us2?*CV=~D zSZIiMa>mnZ$AAt8^UdX6f#eTmj=fgW0h9=-rekm1f8X5Ik+(kl_J5uNQUm^5a#+HU zlKyQnhK=|U;oBg9=ZJf?R5vVq9eL#S;`n%DIj@+L z>Y;Tc;7Mu2{c+MwXY_2@^(S3Ck6N)Beg;Rm2fJ~J_x_p@^3%WNzlUnbwI(FGhjQax z&vl^>2rZ7Q?`sk#$wAfRTMdxkczQ4L>eewiR|XETbgX70gKpXzeOOoj zGy5qoJJlRh1U*y6d8SSnKYTq|;>4_j4Y#WyIf&mHZ)|GWi6qK>^}Ugz!zhzyPJjM) zK7rJb@$CODc_77~Z*k?Jp+F4yRIWKOJsyI6J2-XiPnm3K?*adm24>Gvj%Y^m6d^nM ztT{W!Oa{LZ3KF|$sf(j2d9S?Y<6Bor7!uN}64If?F=7fDgx9uz_&raS=>E}}iMQBM z%mM-CFRH$9U0Q7)YpL>t$LV@c;GEX0JLLUxJV?pXM5X%R^YQ)9p|o(FVKm;mv|?AE z23N!Js%0nV zN)Z0b$X5AY{nX5H+wsIZ+VwwWe?MuKWc6#MRY2#2?L|==yU6z?2mTGNl&;<#^xN-n z9)}0~*J6XjZumr7w0El5C*{R5$C{L{64P_}6e-i^R>h5FBjfD+S)E`1v!*1^@Dss( zI;z@lm-K(c3JftMaxlLj)^>^0n#HN79J)^#fWACXqFb*bg57dv93DfETCJ@4Eb8ZP zQyogi+f3&y)niQmp~m-)?T-=+}_&R zKR{;@NXjs`CajdAUZNFmp;PyEV^5M(HjcB=DY*A%GrC=?*7? 
zVF3J6u-jgU6w-Ft&8w;PA&hX3Xd@ zd;;P}N~`9h#kk6Mm^@!CJ7sh{*6S;h(M`r^ZV555)#;6WErNcO%o?x_yw-C!nJ-q~ zjX#bpSp+q2dM9KZA$750Xd33B@20Ns^3`!uhwb@R-1W52U;n%mf96~8_*1qb=Z_gn zKCOjGH%;f-_Dq2j$EjNv7xn88LSqHBs*@>*NRAiE>v$f1@#X04I4N0}Ge^9TUbSE) zeW~$^`~I3@tbRrO+K6;8Tk`mEQ}~o}nF+}d7AE(wt|V%YW>Kd-W!)2A;r&9qTZiyx zBUqT@(aP6;&GNBRrE~7ZSbS|-z>>0fF6gH(N6*Q)W2}AHeFmoEIY#+YKQfZPDHP-8PPTk3jwtF4JAvMLWi5w6w!#sjdcXDLExh3OMaI(tNfz zqA8_Xb9o$NP>(#?1L0k{e)_4RgHtJGfcsL-?+Z({(GRSY$Bqqb>_1h>nr^a(RDS&v zRq(i_O;~NBKM3dXhh4fjOa-^oo06>u2aY4}bvM?By|!oFFAt)5Zi?u;n6}M&Ug{BX ze$Oz(eJN%Tx4P4{KeRY+p(b~1EI;G(acenC)9C@`{&}q+-CcP$SE$-ONmEajknQbmdFkCgN(5n6p3KA+K#dA7PPRkB zIa&*!p)b+0Z45f;whK;9jcqSxyVsp(=#H7WwWZK+py@t&Rk3eh|B-z|jm#zSx(Icv z)A+UccuAXfjIJVyjKIuVM3mi(yN~44%@lrv$cQ$G@Dc7renX@o@$!M#iS)Zp{BcT5 zp+P}A+uJE~iu!z$En$|DVb;{# zYMhVfYUr3{(0k+MB%;z&-Bz-_R$m}~6g^71JZ_sY8`oett#RE6aH7CNM0md#9nVfJ ztx;kSbn!fV1U#go?o-=yNqJRMO8{rI8*$+$cSxY-O_o?g#K#s{{lV}h=Pal1!Z~wm zGH73O#M+&e_hBsa*D9L{huHM5hGdc7Sw^D8DRED~h`yyUFpMU=v!?bGyM^cCJm%vT z5#q&aV$X+*{X-WLTf(J9R;|JVcuz2NP}5*gWV7ftfB*2<hwRUP zP#(TyiJU&PWs0;Dex*)@l;r~zjltbuzAl5>#s+qjyQbyHvhwHWZ#@#T80=3bHH*M! zh6v{&Up3X>JB>UqAXleM1(_S^No~$iHxS8x2qqNxfkATWmp2-QV8(`%TwKB|dq`*^ zlKh$I?Vg%nB=CpwrUYT};L>zdH5x|} zu^30M4SIZ5H$5l6vlA{mCI<#|Rdo#&B_1T;_|eH>Wb#n$5r zGN$#0kjOnZS!Ee;$H?)l=L2%cFa0K`G8X2DttBlD&-YtT*4~+hZJum+tJyOftel&6 zEN-}S5bdEfV~a@9#;Og7YIz~jT}_Gu`3Y#q`p%5HirMTQDYC?<99{RNdqVYs3Q@ts ztI|c#Sxq1@zR9I7arnyoeKkKZ4G*$O!fWmMTQMIt!=@ke!x+Si!_z0Ka6`)AOiD0! 
zwGHHu7`(_wJ$47&%CdzG7xlJf_E9QPCam6{O$q+~eOCkFu|wDdLM{4_$&^ z>`o>2VVXZ+OR^cJMl2lmEg8sdXoW-H?UPjsMWLP88_M6b zY;rn@LO-&r6_mZ^x@sZ3yYYcR@$Z|gA0ZxdBvrVXvX}-^q9$ljsWRY*)Cy{7yJQ=a zCl6<7niQi^(Yn-c$_gE{^fq49!JN%0ARN)Ey~pQ5-m?^}MJsyaeE6+d#V6d6r>zoQ z+EbGR(tWIQ?&^(W5awCJsk(0W*^Ob36kd{Di`NR*5`kRYgm|M;F;1T{=XkZfl=R%7 zR{StE+=&?FAxW16dhjk`Wf+gFB~iOaz&E)IhZ@8~#1A;u6MUcRb=Rj_&wMDZSp7RhSNZX8vuUOLb*2 z2Qs46<88%i?_c>l50gUp)IaDHFlc`B=t+-R%d@n2e^(nLTuzUuSpLbD8vjq{l2pD# zyPUF}FH^!V{Kb2o>1e6AmMtFi_zI=aWyz16fA`tN;)R~s`zH)R z$Z)pif{`g!u+$OD)2&+MiaaNno3XaX8!v5aCQ$S5ByM($2uV( zCwk*BorZ=p?2+QHgLb9j_NTy3Gw&~XjB#*ekOfCDfV+ilb$nHbD8#%t++X)gNSxcG4QJ6?d3vt95p< zMXWhT#_bxzHmU$)dqWE|EMU}KohoQD; z66HKV`~^NSkb0@88ll)C;qg8HGHz$DeQ`FQX)Vr+)h5Hg1Nu27FwvvkrYY#XE7*tH z-xZU##_JPh^e_MM<3;ov8H}yy;sgCx=F=yk;Q`m(gOPdlpZfht&O)}txg1P04Zm!? zHkaBsg>0;CehK9vsO_XzSHG{2Rw6~E*KKbWke{A?fGnN^w$iodKc58;<_3Qi!npkS z&9v^c_z&Afrn%+Hpc4&3j5W$QTu{h%Wl9Lg!*>fF5?|3}^K>dJ0{a8ow?dxECc`## zVfZtOly#R1*C0tYjY`%I3t9y|wf7<`>h`nvkhwAlj@Zsv6SqF}9y5d;)1SgzA#ENP zk%img%Hf*U=!FI;7<2AYDR-h3^R;Xq@A&HtUT%0wt-i;R()YRg$&aK$@3jvRj z?B2kP`8r1MjMXXg$1$tn6-NNsfaQYXNZps0?u*~zp!CP`<{|Z+bW`LC6cMugRFl|ZlZs9B7-1E`@K$`z%)ZS3alQq&oGl>od498!Y*UmtS-*> zW2R}F>WA~Z^iK^F!e)oe^?wGPT*_u}s-={LE@)=%n5bXGX_)|11gjdsIX z>sR=qAWN`}EeGg`Y}nlJ!y5zqv0Im&?`ys=RTX}G4NLsw$-i+_GRsyipN7X??DHdvl%Pq8TChl@pg>TH|2 zXb#VLu^MvI-s40H(fR_Vgj3n% zG~a;TCLtl=VFHWblu9G_zfWxl`St&(2+(TaHp-x-u@^DxH`3t9=_61Rsmn5d$afbz zP-6TR6+z}j3KyeJq(n6`!I9nkMM)pc$jLbf_{_hBDIYw~&Hc+pBGDDO3GVf?^3a(h zZrRhDKGv`dEMs_PCVpkF)E=tOx{)Zt^(a3)q`J|Ad~U*>dY0y2DcL8GMhds?r7-qW zY-DjhsP)Raup9j*583`^x;D(#`Utsk*smGudIPQ5vQbjC+I6as2y+j`?Op-gKw2iI zPB@MGPlXn#TMvF`cSZGukl^aFagPd5be+v7B?PtzMlcD#`de+z4$5nCu3aER!4|oJ z;*oueqkAeB^(kd0J|pdqMl9Kfe&Qj!+1shq7NsX(_UPiw{O_?L;khV|I2L`Od`cYi zhj=NM8)}3P=f6HC{Fxy9*t96s`7ll%RWXBswP1UgYQE=Ab!yG63dI8J^yXSd=wf9) zm55E#^>+Dio&2>kajj<~LvhLt_G>M!55tevW~ARdIXL9XM70?tj+?!zDrTW_?A9H? 
z(T$*UY=5%j{|XMBoatfh3(JbY_88CaV~hPx_INU_`7H`94z`dDBEWXUj}^9|K2}$< zDRz2BLF_*Rb5OWNY7pB?&|W<~PoBD+?Tcs^qzzm??aI)wP{l)js(7ICJku@Qb8YHB zT7dSKD}iF5u{f%!?!!D1cymkqW5Yt=Zh5&%Y$Jj*xTh^28sgELKeyqnV9OI#{f{cZ z)e*`V|5Y|^S=e#Pc$x9y!-Y<^B-`;6zeJ)4x@ZTxZM6+00V_h*kp~p#bgE*CD7#bD zD&&FJW9BQ+AF#23-l&<-&)>gm(f-uMAZ^HEZEfuV8y)U5DX9Pu2bfNP4-6Oy`S|#t z-McH02xsU(>@3xIAU6o)JUFLiim}hRvQHr)fkVa59jspY{bt|}784)eK0kFhYvQ@B zh));YQBzw>ha2b=(qRN=$9Tct0lh^N2htZXBLV-8yHr2n$o%EY^ud)+FU>_n-V_vU zF4X;1TSKBL_~zBc4GlO8Fu+f9ADDhMd2wI6gpGKe|3o-2LZUkM`KK*OAO7uuuYsx< z9RQ8BC~YS6TGO0KR1;Y^Sf2nn)vyfm^~Pv8r#c`+Y2U_&rP;Tt$SI4&0eUSFxxdNW(>JlhocfQEQ28~`-lCby1)prZzKl{$+HM_bRgbglX z7XT6iok6w|lRnBI@#<^l4AP?F2-2sDuFsH%rh{+o@g9FHDmbFs1952*}DUA8$f z1}7#owY5EW7CKyJJP#M+bU{~D-U8yQ+}vDM9XDe&>310;YoHzjr3*NxoBKX#VDAQ6 z>eYcgDd`#rfFd^k=UubMfO-w9%YYE?U|I_|;Lyny*H8RF@RKAeRnWaQWQsdr*?1)v zy7~LNk8%t=WuPk=7{|%WnhHakp2|* zFy`1JV_XrlABfOyULl4sGX7y;1B1!(@$nRMFD?FU&@+69ifVEyB8nNa;!f%jN&9hO zsQxN0J*5#}90<-2G)lmt_MrA~8bG%*U>9`FK-t0raY4UB9;da7QI@DK0J0>1%E40bcv+B>Q5JkQ~ir!utNgh zq$__iczky-Fct_q7k5fZN??F}Z)?j@`l_Gw>a^hVXH-ng#n=F`^gztBYkEaSx}`B& zKa%>#m^80hV6B$Qu@ehi&44V8tL56~d$08kTColDKSsp`@m!wHbYig*I|ByT;bJVo zOi2m32GN3=Xs+!&HwBGE5a|qGlr&zxGrxi@%QCjvd- z16Wl9Art@hJ783U&pbphfLb1@#brLvp7-kQ>;!*2jfz+LU_l810r0;5H-%rw%3_Es zI5|Oy2(_!|N}FZBC@mq;8q8M5`zLO>B@hqfnc(--)6=6xfhR<8a`W;+L4%T;%atI@B?meVzz2hXGOVf( zaL(Yb6=Da&0me>Toa)P$QRi|@3=C$LmZ!5=-ph-N-{suqS5}U}))Iz|KLWwU%?+9? 
zaHa$*0MK_VN;3`UUNKb0qwdn8T~AO~8fpD@a3>(a2=e1t8~g)3b#6{hP8Jp`Fe%eo zrJ|-5`Jx0S*9;sS{m!M4zP`Qyk_FY51F<0D1?cZ6F1Gyb9>vSBX*^`nD!>a$F9QK3 zIOxIneg7W6iz&L}eL?~wHtKt6W1ufSdxrKb3X%^~;nM^sjRkmmpTB$|b_SQxkEW?^ zt*<-4XB(Vz_B(E$GF2}RuRA+>--aHK-GuB|O*X!*#dqT;vHI@l3htYeRo!;_r&y^4 z)o!LmO$Ww{Qx!vx3%~uK+$7Va$1UUGEU24p)URCXY@Xx!7sS~`A*=b%NrXiknSuQ_ zgUAy+k@0-JM3LD0ZCv5l1I`3pzjm>ENZTewCLd6%-iT?&6b=jw?C9>!&CgE-gF+{# zM{f`#zb&6{?Aw{4$4gIyFZF78X< zyONT^N(QD=9aD*6EpjE1F)>%xjKKNb9{#pag#`FjH8v=ZOk%FjeGhgMm>w%O?dt5T zAfa9xDTtGzoqvoR@1r9K@;u7xg)AgXpCdb3_DL;lY{G(qiteXYC;JT%&IYC0=SYYv zC@Cr7%MF4ua8!$(JE$y7I(rZk10$qr=wyElULmlXOWbyAO)tQre)!urct+qHxeO{V znCib`YXBL1aPI_kwJ9y%;+zYdaL^@xEBbA&(^a3a$=Zy{>v$R9HhZ1aK2W4Mpb#Fl zkRQ#@jvd4Kmpo>nLo#JDc}AUY(4;J|p@N6{#i*rX;9fK}E9=H`f5z+DIuP=b&K&s} zcl`MA1A=yL@QW}DAdJEiIRo@jm?rI0VmQbgxfgHx&F)pEiBT(jQJOg!E^i%okiNQt zz&Q2uXI}RMD;b$C=7O5*gFU<&F2WlWO#x4cXj-4$6vGw)nyG!|8GNP4$jF1U3tLTS-M0m(zAL5@B?d$c@5zx}3-@dIDTiSbl45EzQ%(+NFRw`iw zPL9s=t(a?x=qPVz0mlvgil}Khss$>_%2Wst2?MfwIA42Wc-UlKK{%epgb*{~M+DBw zI@9JF1MRbX&GHSt+ zrI5|M+U39_sQ9@?BK-O6%wF;x-UO1U$;JwCOQMif*;k2`HHmgHWRU><{`Kd>dX{rd z?#KcQ^Ah%@QYaXoGf6dnpHZTIdXKZg8vR4N3CQm=GxguTv2%0Bl9JIxO2MtLYFFVC z6Px!viH8w$6P`}g-CU_W}KTrfhxXWwGRwIdPIty^UD48Z1B zGI1DTC&$O;rQ^;1Se9IgKx2-Sa$M|;0loN@`;??47A7Vvjg=J@Qket(-t~G};Jyix zcSy=W3LZ@O08aEk-wzk)C;^FHwqf0Jp>)TjTH`JUF--oNGUyUrLsOve)KUHxQN2fvyefGnn9W1gU zC-O+2^!PT~qQ}+t;k7{EQua4y4#~)Qa_QLA)Q!!}57E(vmADl;GLWv^Q@`&t+w=~4 zaD~0VX~1XAFe*MC40cUyT0%p+q9_BjtDTKaOvnXX*_oMx`CI%jNuhA}plEF}kpj#At8z{SCXR?m+E!+q&IwrKR?tu*z()a$0ow@VuQf1AB{dI9As9PV zke)vAzv>l35=alwpBlg4|4F{u{i^?O>(@5Y1?&38-m)PVdn<&Woa(q)x09RSu{4tu zZBCYxpAEWfBF=Wu^eyn;VXu-k6?mCcjOmYPWnJ6&X_>VA%Jw#u(m+E^q;U-PY?^6Y z|HR!8LzOtjVKCzx8p?dZK+db3uadLAvJxqsNs}G50#3{prC_56?B!NvtS|plI25c9 zTKxHoRl_>&4%(Rqv@4>2vlNyK40WqT(m zuI&5v8w)@0r~1KhV#4~dgMB^jByd6kn-QL&K=tsf``IzjbYyw*&1{Vwto0=i%uX z9^>8JpBwW@k|r%ybqV8_M`9RS>e3=wyhizsD@D$ z)o87F@(!bY5N=)%n31{)q<)x*r)X(rl?j!AeEaUbd&vaY*9H9_%Bb`CD#5>zJwCmen`4xj_L1V>Fe7TKoKSdIARrgVgs$;a8rw 
z-r}rmKHnjCbc>>;`qY1;`D!%7rDx)cKt>> zg#;`!4J~84{;&(~rDsxqtOZo>`R~0oYr^W&vzBa_@rgbrKB?kJTu< z6@4P{-7-iupmH>!FM6Irs(L@0R($gAL9egELD_3B537j9%zm?rDfa}LX70QMVIGr7 zeUyxq!%bs3-ap%=j1K8T^O%FAA-0#tzYxvb1)A7*33xBq2PeGi>aB@5SgI)*xw=

    4{CDw0_!&`UB-EP>eK2sZ{O4I?<;cI^4Qya)UI#vxa~H+ zEkJ?9KX&ZjtSp9bQ|vxR!{I@r`eeFLQvI(STdrfkodk{?k`k=Yg>jMzr-P5IplJdR zm6IeC3$M(m!*k{V21@g1eK4RXy)QfBGSlq+wqHqmLZEY+utlxjh=bo^wCG)P)7EGG zFTnL-ZwVCw9Ku9sKFp_;$_xPL)B2r@jd%r-hob9 zk1xFv7P}I`V+<`n92qX}4piw2#`lXH z9d-JA+>FM-+nO00EX~9DmZ|8X<_T@TjcbE9n*TP6rz)uGhlENfs=BZ>@9v=oQIwTs z++9PV&@zmo!NaMup?yjj5+Tv%d@$ie^6Yx0j8vu-%Jf^IhZbFTPF&ps#6_Z#3BNFJ zqz^f-L^Sl>XCDrG&_I*@FD?hWR%w-lQ^p#DNY+JzA2xk>h&*}M;<4Pp71;ekKMncs z05%W7i+7Z$q{RkFbK_;pE;&8*b~M1kx%KE5^!t+W zDV$B&7L*Irw)1J99LmdEjeRp~i#3jRrPRw7DwgrA{~#D?&mq6gn%p9~^xu8lhPW>L ztXpk6ey*T@`tShG$qI0&qQ9GIb%3@@$Uvl)3 z^V|&ifP;5$d%~zG2GZ8&PUg?|?mf(XCR3v0nw^*PxrCdJ@t&cQl18=tm{zEY3)7~B zyJUE^2#kc}_HU;)XMTIFz>>(x=OMgpV7|^&3xkf zu)M@VKAF+de28iCQ?O$Cn;W%%_^^oPgT;rw8#|q!ivpv9Ikp=ObEhmh=vL~rxBZSA z2IAs9>y1y}W=q?Qc_@*kRGp<;@Khq!M)=r2_wi|KxD>}2k9~a7*A{!9Ve*rqbr&(w z&!uF>l)DrbQ*jOeqEJv@FP!YsJ}Ne*KQC2Nd1G82hEq^*w;O zu>Ep>wWKA7pj@bncVdFabwRAKzQDgasiY!zWAAupJt>P51bp@%dO)ou?NqXmO>EC^ep(CE3Fv8b_};asx+>Ql4^*Z(>V zan9uaSL;G*cn(j)!*020Wp}aq!}F!sWz5#I^u$bbLopGd@&z-SZLAB=!MXPg`OGcu z6!)N>bG-FphOgfuWSiexa8&rC_im{vwaBHg`ym;*a?HiGvq{E;l8#SN2&I?LM3}Ip zu~D&~T)T!-=)(~E{f+hcn6s11dUaJkHQ^@)GcyAWLF@tam0F$w_oTg*df~7zLlJr^ zb_}YSK4^Gd=&fCC zeN?KO-yczU+wF9DnoherFi%nO*ISeoboqm6n!Ktcb)>W7f!Bf45f^$RDVtSRu}Ias z^ULF%xW0P9^Ob6TmIoo4<5l&KU3;fn=X&C}(L?sos4@vKDLgNB`P0-3e^4K(g_vUQ#{C?g8xs`>;Lm|O~PC#P#vy(g!WY7g`P*FRQ|{4RxR(YQ3ggR**G@EfN57 zz5MLqgMCb5bc_}QbE}ti7A~#V-!>reoY>y+Ki}!y=OPtBO<0_LH8XxwvU!dqF-BK+E&Zj?n5Vng4?uD)FFi+x)*tzM5mX^WACW4M8TGE)u* ztWc?1roR84m6JI*ca6N@)etCorR;qfAxm#stZv1%c_YgN`F4;cQ$F{)#~+(T zY7)4EpJmDrbo7^^l<}y^Qfj?Ve@Q0DN)%IZ-GU{wXzh#B-}^IRb#)z#>Z?QRdrS?S=p&d#66;scAsb z@U38~uciIw;;M_WmK)qw6gL&l%1A{6432D&kjjf=8ZW*iWUh=YqTdiirBc|gWaZ3N zma%0}Bzn&(-`3Vu`0Z0H_DhxiC#VU+OY*yv-EyJu&$3apZZCaK9c+Fxt$K#cPrfnI z`d+iSdXV1o0lcGfoIfrz8WhdN-=>6CK6H7a9*?GFBFn~_LxWJ#vMws-C{Hv=uWGIt z+vr5Jn{CGvk=j(4dL13Ve-oAHRy=iX!gt)0nD+RoXbR>RI`Lcf6Y%Hzk<(Kfj#8pR#F4moJCSi z?r}NWOTxYd2Gl^d$WEi6`joTv(-QX^6}u^8Xqf}PGeRv<-#PiHzffn2#Huhpu!_JD 
zQA5-eN46Pr#@+tpNRbf2lG^dbJWjQ|>rf(iCEJWU*lp7*RpmJzlHOU3;60d`8FLPI zQC|NXE?3sFCgBzq(e*yclm*%ED=9HlV%%rT;UiXK0R{Dk^?jkk1w~$8rHcismi;c; zk9Ti0pxpXSgO#>kQsOk|*w9X>F9TdT^5EED}(f+0ibF#AVS*CkAHlg=)72l5r&(O^R)Dl4Sh! zmy^o8KU$i7lUMC~F*+p__J2703b3f6wOtey5d;M3k~HXUP+C&D8|fZ$NR>`eIz_s> z1*CIm7`nT=<1X}^bIIp_&_$39Wqsue(!=FAmQk+hyFE$t} zRo@`wStG(gf!wQO0o7U^>#j#R&~6z;cUNJs;DYK~R+M*o@AEYaKDft33#MdQTVz7$ z!APN6K5ll*GPfW!=H=H81s}U=@`kF5TA^paDAu2ru12i#Og!$#EP5(U%<8i**6?(j zo15rU_`BQR*2t%)vlC#uyjka6KkIsd+tF_HSAF(MHouDu+LyN1#UH=#esdUip6M+v zA^Q5%p<&^lT7YIo?Hx4u2!WI%*~vTbnF!G{qY_>Vp^ENaH+gMoRW%{N_$snX@g-q% zM5{g%7|kRq{IK9YqhjmaNlBcb)# zgIvdoXU2;36i9Dw%e58M%QPhvz+cUZM9EC zleSC<6<@aFx|xxIPkGL3hS983MK9VZKf0vhXrsa{b2{NI(tD;g_AN>Y2Rk`e9f4|V zE0RgJp&;ejM0KhH=`-*iYP4-|^R|uUQgqTVD@&|UuKU2c%#zk!b&ng4JTo!b5bvZ_ zV>HfSW-Ha*k(yjz@&0-_N`G~(xUgK6fGv5oa#4F@!@AMaTDF>`n##*wSj5eid(;>b zBo_5puB3u>f8RbhuurSFrLVUw!74AuG*ps4W^t8yi>n2p(hGPbpG53h2pU6ad_(JT zlI@m9P?2hIK|yFhv7Cxin5G!{M}RAM#QQWZzX?7AE9Rk<#yzx`Z@b?7ER!HX>79oho0{3(O;ZCs ziauK(%>egc;+clbX+q55L;~>on??m(`NJo%-Z** zmGO0KI1Q)Wgy!d7TW1R55v$m*R5$OlTa$JiyS^n$ z$XaT+ki9wl(kIhTI-Ovt?F>y!X|y&Cf^Fi0U0<*4sJXcEW2|BqS1-0gUE8h-H&9)> z&mmJ_9P<<4$kIge+uaU6J?$a2^z_x!cDGub$6~_$$t)|DHV8`YT*~qpn0||b~0qcg4VFvsYlDvhSs*y)0J?jh#T1WFG zJsY#>b93jL+28Xn%VVx-9h%-5CpItOdglu>;;URt;+WwnGrk>nnsr_RA&b2WcP4!r zWd_aw1Qpe0@_cN%Yy4GeaRux7syX^Dm(9sr6Uym@CEeqz@8;{6BwiX8W^}PBoJ8zF zt!p;bXBos1Yn7X{!1U;=R_X-cgTE{@mz819lzxv$QcR{JWh4999!a>SGmH969sTpW z_ex+<=)^ChiCee55c7INlOLyja1twv9gE$yVn*EHyzy!)rMa9ruL<9Z6td#-^mWc? 
z3-Po;Frjf^r@z#Pnizw>OtX#*rX|;%E_Dc1Y4&1;dGl877u5JV0^)>c+HI@`6VZLT zfxosmwX`xjeMnVT*TAxkvBzYUZR_at%GFp}E54|5cC6#~%&6e;m&O>1BIYpx=Wr)W zp~<-)V|H=HKI5cn$n_~RMF>RObYa`B(&vjA4k++~I1L5(oA8bdjo2I=OT21^cST`L~IKSyq8@)TWuaFa4f1dubpcH<)&fbvQ;=XIxZd9sEDtMRbOE7+m05q=3U0^Gs4L?n*s4N8Pq0L z4-j@J@1~gZ6#|MZPkrP{4Y)Rj98XYD#f90s==O>!y1q*v&-dJ5;7!o^kX1wZj~C52 z!OT6$gzc-w2r)|_GAL!Uql>3~{RkF<@Eg{|IH6PYv(ei>I=g%3D=Htsf^CctrlS=K;i$S!3=zLL?h%^^ycSwxv+>43mxviLW#`S!+(=pSNj zrJ1R*1;zaQi_=;B;dwtDYY%d?1_PYUzpi>0Ku=@!-}6fW2PX1rn-G)jNR=KJA*4 z)|Rcm2Q`OMJxIWRRY8~xnp8k1Auuj0JuyGUPU(@sG!|CqscgIxH-#!6<^?EJ# z1^L;%FjC!l)Aq_i%|A~7&NHqv2A`}Nn-pc`{M(4RyBHxR`1zCS3ZdWM?)HnjJ7S>! zaXU$)zo!upM4uF+gU_H9Y77}@T$@cs)YNSZ*0o-KP-Fq2s@a5*OnyvlKYGn6G&&jn z=eNJ3G-FgtC8{wlcR=R%wun43@VWN}@3a?3mW=2hVKWmfUK#KFwEmn#>_B&aF9$wSDjWcfn@O$%rOC&7H zQ{~laIfR_ONwc>ln&4H2|L=a>afSUU*WE}%|=?A~CDW6`=|{F0jD2Q@@!BmdSUEZZqf*BM;ex{L z7YK80uOIK`R2YD7R?)qBZfEKDwk-MEA8_FARO`QWHj>Dn{XD_xxv2l_Yj6rIUJ3m> z$vgu*R-MmXU=IJh3FEyxhW&iY3$G;C` zQwJLHkcAcR)8F}FWm_i((UN)=jk&;o0}b;f0BfkP&NlgwO|!kf`j5r9iwU78@}{KJ zTLGIgFf}>>pDnDW7uL6hXymGrSBHz<{oJ;IBPA=ZMFJ1a^FY}XkHfG&{%I%Hqugcz zsUJLST25fIW=E%4-FPeokK+x``smn{C(*|Rf z(xw*3i&eK)mh5H0#^xKju>Abo=tsE$0u&6D<*C<6bIV92P;o52n z(vOiF@KTzWp9G&ZqI@RMPzNm*&7iKRq(B%A{ithW12^EA;O4P=f&$LAaGX(yVI(G` zH80c05oXcG$g3(#u)K3(&@wW!kb2DJu&!@s^l1C%)rOKW64GugiTBr=PoIMJi}g6Sa)P|doxHXm?1xJX?^X?+4&KJYSzW2{E&l~ii)86M(3e1GTG|S zpHdI*bG&>htHR+U7#^D(ofJPbI^M~_7_+&F%W6z-Sz6d|Yp4G?%+K$8-ItQ2k6gh4$rL8zJIyLYp18zNiFmfr=LFg#4B z!X6oMLSk54U+d?~-P{DPx_Wjtp{_AR_eDqucTt}Ytoxv&<*u#0xj5=28|YW@v$B8q zwK0sKPTg78e_%85|T+ z{mnvPI^*X>&V{$Qpt_ldX@FTnSs~1P6lU)zH*2lg6}i=PU(jFp4VUdn@Rxk)z0W@; z+I+!}%-qxug-1(;gdq9(`U?Ln$;kmHz0_uMki$#m!rc&?MIeYG`uiHU=UK(+t=+JY z%;q2|{{{@K>q;#KXjRpX+fJ}JEw%U3b8MWb$Z2AtExw`DlD$en^?e)LNQrb~ zdYwT3AeYT*+^K|wHkKl@VK(;q+vQa)!IVkVm)TO#y|aOqBi1Mh7cw@jN+*XTPFGR# zNDRT=c41qtDOVxo8Xm4&r`egKDIzfq9!Zp-TnC5FSbQ*z83fK*$%Mxy2?V}Y-*dVq&N2Dr$3&z$HHYgRlEBJYCKAi?9X+1@rlpEOKyosZTZnvi)pxs3AJiHs 
z{hp)`p($TQQM*kK5@CH4pIcB|T%PJ)QHf5LmR?6!nPsy6*@s)xA(rzgsN}~b;sd%d zFH^eqxQ-?pt;1n`XFWSF+cAEg^(Mf8&%KVz$45V)1>QW=)U$Q*CD9pvXPMMf8okB! zj9YgSn!C4FQVTYuDWkjVjG?@jYmU(5+2M(UlgwlyPLHKj`0P)frRe8K438(O9SDP3 zzlo>s?%rGpTJ*GyI1%C>XiQAjb05{!g}~zbwlVk4?QwpK>9}WS)K*2%^zqm5Ilse5 z4BPW0{pAFjEDqy*ekmYlVnQY9qWiPgxHs60^8zO8x2T|C(#>H~<}nMs@d3kzxUjy& z1y+MJTA;uOb|%@<=xdnUWs{`-{xn{XNnTyXQOh8e*;&uJFNw51bNP+Og}$tW%Bi+qy&9P17jvucM(Sr}bx7hhHuoZx8v<{8&DHN?)=&H@-ZT zNE<}gas8fAR^#1-e!5jqP1L7cfDFE zAYUkh(vrJMoQMG-epl6}l;w`p?YB{tyXQc4gscikH`37wlhn{Pp=H@_}E*;Mm zuDD~2fYxNvvD53mc3=puei`lC+cO{7txJN{Sh+7|g7_jJ(F=UAITjV2xAo|1XTJbu8i z<9x8}bj#FRASRmIyv$#D&2(YSt&g5R>&#DG0~)gilN?SNC9Yq1WxC*794_}G`F5`V zgT4I1;5kYJ&EeIQ1!Q?wG7yec4^6z1MDXcn;Fm3sSv+>>9cS@8rrR= z%g;$z-y)ChE=56!*n}cv&H23Z#?X^Z29yl#r1QZ~_}2LI}J<7 z!m~0`w82!XZCtVA)V8u}#a=#Y&-;9JHvD{q*di~lEfxbmUkB0sdH`+T#(`M2Tk%J7 zLv;M*r$sReti@I5%ifa{IhNaovYgKtb}M#<7G2oOqT#B-#-)8HC-@NEO#(vCY8#p3 zkrBzypdYfb>Lnf{9~~>WcaBa>v~`&!Xz8%bYcR+!0QvDiVkXevz`e#Zg+(wlTp;)n8=%-4&tPi3B16x8altvvwS zan0M^)^E0Y9}Tx0l>xt~_iQzBi&)!b!&DLy6wWimwPYnD)BMxUHb&3dfF zmKB$jlqMC_O!q=-(tWrRiCUIzSPl+AI}So1qlKC07DXS&L1})A}iV1)rTudS-@g6Rc9Y-wiwAaa!y4> z=0wNd5AUO)FR-@y<+@%{HB4j5#YJA+F*0B}9f&bPnO#)LLC&60k`dQD-*a+;tX;$i z;@Po|wKz}roXoEg;YmsHLP7U{&ykmYQlu&+={i}RmE{{nO(Ep5_xS}WI{I=hnCDEL zogs8EBDD7AR)^&Us+wQ31%YKP$F!%h#`I#!ql!ou=Y^{FxMXSB<;VJ(7VeN#5?OdR zjL%u`tJxEcYp<+m70raNNfT6C6~$%Rz*Tn;i*9nirl`wL6(WypN!KhcFQN9HA}smV zs-OLOF2A0=!Yng2GFy2u&Q>CQuv9MEcx*hk7cbC1WZs6;UN;*|65o{-2O2^3i3vBp zx}@=oHFMHBfg7ef6hb5W-%yBr>D6ISoHC_4BlAtTDiMT=tH19y)^c(^3dBbsfdGS` z9a0q=@czAsk0!lJ{=f(L7~?1Lwf2RJ710q_L_u-O=COQRPNHJfyqa{4F_uqwZCfI- zRViS3PEn?cnn7gq`~!x^PqZ;8F@vxM@cuM zRJnCB>Z>~&+mx&2sK2w7S4_xOf&zFHt(xyK16m6OE)z;%=lAZt$6s$qW^)}Y!T_{= zlPxI&^$dQaaF6t(66O>yb`yMJqt)S2t zt;}P!yAdoQaRdT4amr{cEX<*yo73KgH6BkJleN^sdfI|lm0*yvR{Hyg)IBF%oj+(- zEd16L2%<*t0FN#%)?K&))=fbMV1$cP1+&@M+PPV7s@`h)95(A5w4zfmI^wanyfbsd z@AT5RK+_R~ei3;+8KcS|gE&SGFGME=!Ih(cmv?NA*V&3Z1F`-Szl 
z1?klfXZsoXI9|S{xIW(wV@Tpip4qrP+GH@Irlt>N0dczrDi3~Q!r4u3;gFiEaVj~T z6f86e&DzqMW8n}cC8bPTLqo-5e%gr0n-m)K#X!N_+)U|4S6Vx5N>*_4i$1N$`|~qT6~Y@*E}?!R=ida{A+43r)#!W_q8z}hTzJ@#r57{0E=9B zAKyjHpJZz|ArA?jze-3TS34H$-%T?B<&0mRp&Vs&N{^Ev>XD>S=lLW79*2*8v9cJ8DAT zc@D1->(BT5&)2d*@;KDfgG@$3UvR%(?yS|nElPmI`@wgADSFb<&(22@m)Sf|Es9ti^iA0+5I;k#2 z;PtKc8e&=mwrH()69@mzTt~K!si1eWUZFO@)z~$9e~pMK*LbqWsU>jn`Ggz;1|W7Y za=mmrn}~?()s;f}(2=GS6YoMz?r_S6w6oO06F1L=vmlgc6U5B(Ql!Ch3zKB9!z|+`^N@x1)986x##Z|3+V169zogFf zrf1rG^|K6w@z-yv6g+9b14XJ;=+w-9Wa_9Y6A+LX0iUW8?L>iSu4h(Z zCDH-1xFl{Z45N)&5)iG*3S0Dm#KhC&`jJ+Wl|FO>;7QAi zc3ea_x3v<%q*e3FWl9p4SomP8V!P`j+YAd|)We5bGEzU*W0;UAxmbi^>C%Bs1+*O)x)!EZ z`$x?hkyPoRYt$9BMd3O9d0BAQipx)en$MOl<>lw8f`1Xf0T^p`9_RxL6kx(9IYGn4rq3-A@{?3?2^w%Aq+&kwnyMQLrCSk z`*Y39D!BkP941{`SgUe@O?+SNtGjHyHF-L~ku-e_hB=WZyw76#1|WYrr2MSYgLY-! zk7dPHK@i~N={Xnl<x{#voI+?qvSbo~irxdO23M;ZnJ}85loP3sZi(4LC)n z$H&rf^C-I2BCgc@8mP_mMclj@IP0)v+BZFH zpK78V3+rS(hj7Je&MUd;FZ{+eg`Qp*@@fh~SoAqOJmWmCAVFaKu|Ipvo~KUi!SwS- znPHNrS8`@F_-xeLs+JqwoAvK)ULeGK;_4cfbiu~Q0m|3`s(*2TGqtio)?qpNOMbpt zK}uPUe98y6!y&zqM?5v$ADPvJAf<}b#E`f2ZLRE;wrp?$2=OmvIjnw3+f*s*7q{fqnp1{2*7QGEZxEVxazZEPSS(zdl9J z$YVyz826$LIA^a(QlKg9{PoCM@RyX<3B9WdWLuV4*1}~C^!b3NMoirGC9GkDo%QJG zctTZeDDs(k^zDhrvavOK1LEoa-r0HlZiE2A+UD)?dLo#?()n~Cvm>OT@zsmq;hdOw zeGB7YROI^#1x9EYep$8;&?PG|m1yBN#f)qQrQ@Bk>qoxt>HvzDulcJiqh4FLrLr`s zSHHNRa@PI!CM`8Lr~p59mz41UgIi^xHcS9uN-ITNXcZN_#EHO=M;6Z1*^dW`1m&8U z3zHWgmzm-i8RfLk5SAS5%zXs-0*e7wobQC|K0AhFerBN4U>V%S_9-mwIeZnsQYLN5aGXTlA|n3o_UbW3+S*AGFiX zxl@SdvhW!tfas)GL<>MO0G7RgLP6Rc`laGB)YoWf6<9P}l?dxv>mk^ayK?5N(kWlf zc^-h2KcP)W|1b``VB7hb23xPFRxjNfx5e?*Na=D1$LEoebc7$f+8FQid#b)0-E7h? 
z_DyFj2*^xLT^Xm+L~Eb!RDKl*-f<0RON-00mVCMq3hzIOirRu zyP78mQ{%%bdrDzA3w0P+r55w#9~=F1CJ5N5JVqWL9o_Orn;to2#GPAq7>Z#XRp3sVywAKF_$l# zX~Evso|S_wM7mmDQTt?Lh-V$`@EQ^L9{KZ)m^uVaT%I9wl`XJ%hzC#wjPC$3Bl)pp z(O70c9_$zd!uN(<=zBGm`v^N08#HG*?TkIZf}fvq=v*(B%2wvp!Uv~*rj;yY>Uc6S zvu@SgtiFvWAhgylJpo}8h3?cRBFAs zl!!~oKNbow&X{b(e* zOuhXgG8bq?&ZlCLAC#`|u+{L+Fs$|sy~YL{-kryf79dj0x8wenUA#}&$A5b~FO z?Q2z>WOUwE+6UnxI_}#A4(Dc8C+YgY4{>+P`+6>13sHAjwweNPPHK^hb29;qx4E={ZFn&;1 zIx{QRGgzz!Q*aAay{F0y9@2d#Y-XzmEA(p-PrQ6Sdr27NM~L0fH&cOFpa0 z^x79=D@ennU`?tS!G;fCUE6&MV9FP1%ih)I=4FR>enexh*ywJ|!8|!(W#xd35rJ6~ zE;ila1^(rPT$`V%7OLDM4nmWsG;@4E%e6-)#x~*s`%orzT$DLK6~Xxu`{BG+;$EW= zv-bPlsyA=B;?@Z^7bO{hb7eBw6NvhU=w#nv7)XS?Iz`+c&N2bS1h<{=x(_Vd1!VDX z|8Lz%_fw6y+o)Zc-kz`G={votI5Numct-lIUI1%$P~ypW;6}kFyI2!`uNYtx#qy_F zuE$zoY4u*G4kK+OY8mR5-EiEy^@G1#<|aX488gL6)C)Ktd%JJqv}oEzUt9IDBccH9 zG%+x0wX=r83ciY<8#n|+4Zk3vz*t%J6tpMzFRyC{hSlQXO1^YIbAj@eT3$X--oN|m zZ@LfvMGi6dQbc-$8eDnCLQH>Jy&YybS(Xhvc*+aFAA`Na@2>Kie3xG2s52ixoD{#) zbEn??oo{H^ahk+6lk;bj3&z$EIh;RR%z|&v^#VbdzgIhY(O%hNZm#n`)`ue~JOwd| zhwr249_QGaEv=J+m5IO9G-yuoe>kB#a|;fyY$W76y~N!SW49OaPrXZ3`oCyRqkn2@ zen+G>;{S(m6$px$-z7NSDKEfLS;!wQ#rbOFP7+o5jL;ydLa3?}=zN|9LQ5wCHA9Hm z;H?jeUCW98{Pxt&1e9t5?H#h?XoiW?l@UKcmqyY9_OE!O@_GP&M-0+evAX$xBpqvmC?> zU@xe(NP;q{`QQT3sm~piuc$5(7nfJr;D2jwfG2zaghu4gkB!Q)M~>Oe3;y|>UdV6d zfGG0M5o7oN*{t{eC3n*8`Xj{obGtv{mH$xT{5kzQt(kEmIk|B_bLc-;-GCNmmVdPb zy8OT2ZsR|0M<4r-QHg-}x`qE$3%__RlddnA1b+@GE+DA+e|z`;aY!9S$ic^AVv{pd z+CaKsAiZu|-Yr3ueBgu5#&k#Wo;2(Hrl*svEV!Gs&g>cb`ub*wtaNokO#kQr(oqgUaLHr4%G$G0 z4dpm^>4qhJcA+D$w!aT|H6tW!tM&w91|W{v?j}Xsd3w!6cj_yj+gwxs5OEYTKnpPT2;TwzbD&6%37 z0G9&dJBXazF-%(2 z*H;pk_UQ0P{wXz!0K;nvt+7d#=|QvOZ@PlwP^;cR5hr{CykHzp2X`$Qz4-%?ptDDw zQ*~l5U#{C!2dzBH+2sJ_31D?FFg=(A{kpO7_P^jh0OVBKvLS;`SyoO4JNUY$E4A~RuTjv0D>cE6>a15- zpMJwSJBLQ3Q$853tfsH7fZsiMiV6_Lhp<@5$*s-ZhJ={8#rYHhH*H&6B}zt9{+cm58f0613=4tsYB6w}0us8bA&3b{ zxDJS)02@iKR~eFioI@okw!^3n2lS66F)?N~CH-<>ek2>&(#+RLS{zB(_{XK?3dgcp 
ztY4broOSkn_O`L>TR$h(*%&4^WS9O=JXwUs1_7aL0w3g-&wR~?7z}3UGxyAS{f6Pvrq2p!J$GFhT3UpuTN(}*XpXS1#jC$B|#|<5}&TP z4Zt*Hj7Dvr3cN*^?d=&mY(AyMVHs*oPf1?~Rv^pc=QidOAjtsJ6ojAT#jjX-^XgsR znK_OEbOID=2bZS>AHf~@dEoG{od%Ah_U-^=!2W;>CGA!C~yyU{kVXfAh^+x5~uo$At%AKMZkkFa#;(I|E9Mi7YHX<31Q+X9q_1_~bM( z^p~NT1uy4aJ;;!eptJm2x8bqDh2@pDp?MMN79Ib9o5=!PK21$eekV~%94tY*z$Yl( zT{~c7+@y6TN=$cPE}Kf^U%DcJ$E8t=4M*MwsFAn}JjFwI1gr#eyY23)^%ktemywS> zn%hqWj1g^Q(C4^<$y#pE(iGtmkI7aIepV6f0Oo5tG2yn>+8SyVnwp=O?$bI_Qv(EK zM^g#W$!>8oOuoK;>jxzA(*9|y%fc;fpg!pH=;)#HH{KZkR6b<|Ky+;wS$TU#C)8bZ zpxg)YKq01K+XTpNZqPyD;xTzJ7a00iFrL(sc1^G%SXl=-?B3(C6+pn44NPa77x6LJz@pHW>b34RQBj!_G%k^cxQhlt zJL-8gU*ZbDfOsAeH8{OSdKtIeE%}CKI6>>Ll5RsORJ(?wP>q9@%nlY*5r-v*WvmZX zw=?o(CL0`_ahyAo^VI`950IzWFV5?Du(L49Q3LVec#_cUq`HQ+rUS>HDle5U|FPh} z=l~Q@0yuh-yFE``pS78#%jJ+P8j--kz^3&8@quI@uoK%;H6g9~@6!fPojg6r*o}Z6 z1n)q%ZK*?iF*DP)0$X)NK6B$nnFE}x;*b^)_!*N<%Lp_$+B;m&BJCz}y841Lw+i0? zh?@s;Ymh+!ouc4fh!cM-ePeQ6e|&{fckRxj?f!Ae?g-czknetOfYSoSw}o%3IG~R1 z_*UNI=!f@8*N0<(UU61{@$KXD^&r02<7&-j{-A%cRU#U0dLT!=5|lWe9=fxq0;H$* z4yEz@?)MQTJC_goPIe>3(@E=3sOw;Bm`?%_;C^5EQ<0`Y?M8ly`3*j~`6+ z0)=amhcgYIVNWUHOE%o?@ZokYffsXUu|tW|)AsB-W{&K$zio6)80lWduVlnesuRY= zD-E#%Ap?M6Z?0En$3QymbEgMa2s~NM`ppScW#<@#C_b)&J6lkx@338S2{X0oWfD1Bp;p8q_ERLG4=s&yUpRv*8~EpWl%J z87-&;%t;)Rz-F7?e8yPVW$OkgUPek1j(>pU`)V2+lDhMk-ZorQi5isy>m;f8`Q<>A z%Z(jsB(#=12)H68l2=jUzIE2?EII2M1)jQI+S;H)O2e#F^5-^pmZVC_%3uK2=c%cI zUS76A*hc5=l4ozKk_zbgYX3#i9VsVkuiY_pon2d`czAtY!H#l#xbEYFQw!^Um3LI5 zAsD1N%PPZ8?ywY+!!4^8lW5^ToZOH@+)+AU`GJsQW`{+=({svMRGXxk5ztdd?ZAdN zXmU2Vz|;Xk#6fbm@@J}%QOI!cYp3CSG`aq_?*L;}qm2TAhgJeJCBcFnDl!>>@p22q zIoL7#yPkP}4csu}*<4q~8B!!nSS9^oq~2b1-xV+-z~)e5uCH$>!{O6_uqdj=^GMR} zlFe0nc-~w;2{cjio|P;{4FF?LC0>~4E(loupQ+jCw3vE;1ix4qGcjR!bUeEzu~mNn zlh6Ro0yq(1XtL{Tpzn(S0*5`Kf=u?Qf#Kaxi~Rh^kI&k+pk-cRiTp~c%0NE>sPodP zX)cSCui~ur#rVywRbwj^$|H1*D7c{j+rIUR*vbPSv@ufq@D?rb;Gl6p?D1Mn4XErT z-q2iJT&`Xs^``>e3~)x;fM+9CrZ@>@U5SUa>iKTmP~X2-hgfKu6)jHHJaYy3-HOUS zV3Y@H2=mLk;t1l%<=jU)XWmuoTiq$>tou7>$N(cN{9>%g%mJt%J`a8av=(TdyA~>I 
z>OcwdvKGemACUTVky{LSvJI--|0PdW;3CJy#$J$0ay!gs?UcQ(e@ zi9)oNG88`(utfMS)j%G$gZZSpP(cN6^^2R_61oI#w0|FB8qHCI5*@`u*{ilFp z-4s%u)-40W;fLIxrRD|^ctfm|!qg$Vp;yln6Uu;?!7&+T!CqURZ8`=+^yAyGh5(VE znvstC{PlqPcky()YE8C7!S#)Uh+7ZCX7@0QD%tIEO{WGk8!ou5KU(x9NZ+W_GO2+$ zA|wzsh;!F)cdtu9RwGU$c*@1b#DB(lOifm0+6rhT2booy5?@9R6QMcvElSG?!oWIBa$S8nyzBB?l{ddLozJ3f$gZ zrE%ZLZ@xGRYmUy*n7u&fTTHggz zFiwtUrew1WPQWTM5N1DQcnm~qKw&?d%z3gcD{!-zt|H3*(aKDs;kRZT>sg$;w6pHI zTkOROHCP9;EE+2{Iy@n<>Kq38kxAv7u>SsLAAhC=(7e2r7roduhLNz-dVjS_u}KIC zGwR_yws)vA?(OO6J3Kymesa=#c$)c1%ReL|-E;NgY;Zsl*1NH}3*P%;@+E0*#h$^~ zd!XUu+jY13lF}rdb_2_p*|okA9r3H^uN_4e7EJb#hYx4PF@wTKYg;=cee?VzB;aFL z&D)T+R7)Y?Ug5cGGLDswtQi86mIk)@PR7j^L^P1l`{0pxW~#xDLV*LbygQEUrHvyI zniwrkF3BL>7QSrvM#%q}EL%ChW*?w^!xWBj01NZ;O@z<#pF4v^Iwsg)dsPGki7#w_ zb>Kg1W{iLi+`+$9-$yWoHdD4iR#IG+cy<0$y$4WyfdD>-u$i1*iZ0Os?x~l ztI9i#ljeJp!?zGD1@0m3YAP0i!puUagzJ)j$i_mBzJ*6$&hFNORUAi-`XIsv(r`sM z{Cei0N|fNDipGuVtI1xQ{zFB@_#EvmvlC2np4POH#!=1|{_R%?MZsX*+f z&ad41_aL~BTvq7`md5jyyUuq&_5o`nQbjt9Ld^4F&I`aT*pwHXxY-Y*@>~LGxHkqm zuFAdHS6BMN29n*sX5rmE$H%UhKG90IVx&>UVEKVo*e)ImW>w^H!}xIOZY&BDQ;v1f z9Z9$=$_5l(fFA(N&;U1^BG6R3!wJ_t|$lY-I$VsQak_xi2KGsp!8R47oqX7*0tTzB{CsbJPzZ{up8?C%i` z+<8$cQ&nabuDz#ErxOx@7u6&p;+vj|)0h-&Zua$U(;(CznEEY=Y>O01y1lid&FFeE z*WVAsO!j>VOG4pVKN9C7x}fkJz5Xe3e3 zSVvvy91M20uytYpWA#l9vy#z`%(RKptGq(N&{ko1;zLfwlWX0#16Fjfa4^vo)&u=c zhFeB(UC7gB#s=+QjKE1BI78groGe`S0FZeFsLGuNQm0v4X{~L<-?G$t-e6Y) z*W4eU7YgzxxN|DZ%(r*UCv{dQ>xr%5lct%Y1EYb6F9Q+rOHPwMZ`F}ezCF3Vw%xKs z#ULlhK5!GbrT}Y%AUl!T-(Ie|gciS-6uTUN7=t92gYT*%QB#$|{fi%tSfXr|1V&3& zN2{4xPu}OxC;`Yz%s5Ycembx1-~aWiFirDv|8$m}@9ME+NMv}j>$*B~^;WV>=A|q2 zBR0;Ms_G+Wm(!kLIzfE=M332BVvueR`&6~VXMvh z$_o^kpWWOrSq4YcXszM#vw?(b>z&wf_{(8bX_+py)#0xFUY?Iz8!Q6lUPWwga=7hx z%if-^5Ly&UUOYVT|JxL7<5KWxIYhdRpXffZYy zbA)0td_~WXH^NTcDz}S|9hFDx5U=4SEDmE6Ms3t?_jDRjGHp4~(9z!ah|l7>r`1+6 z4A1J2ho>#CXiLdxGJD?B#$eh;DVa|haY=6_^|*vZm76DS6V*UnLtB%ux)lWy?basw zYG07fmhMNN5^)!OgsBr(I6^(FpfhQWFQ}|1BzjrK+II)bDWl@z!fKKDF&9=nU#&Rn 
zxx`xVKdY9*?d+P;RM8N#x`%dWe!R>O$tCFe9!gxo6?hsZDo-<;8y01sKZC6JBKcj} zz7dUu51N!YX*;{@hBs$2=QcuuAk6u$W8`D-2rSh~cTBd%`TWp?efrRkPWDfapg@6v zp2T@_-Y2lY4%(Ttt^x&DzV16p?ME2*qeNS>{WtWUS`}Fo$H!tiz4@H-_V_c)MDeXwj@xxlZFC!!1Snd^xWEQZGNSq zVhv*a>bb;^%COH_BN2x!N`i093cj09JQGauxEFxGeouSmX!7+v#2d1VtB(q_zq?&e zhx)E?AVj-zupcZW+9eT!DG9%v^$5PJRk~40N^c*fOFF;zDfel0W!Sx$KNSi*O&Ela zxNn~0dh%bjM_+n0iUA8d1HBP>l*s=v>)dg-P4Ue!Se$rsycW))LO)OFL-4)YaXc_2 zm$beaMgK?U=|Jx7Y4fh12frJO5an>6=i-K6!`bpnD!=;aQb<|3yTx*jLNvWc*{X)- zlZ*US9q46{?8{B**!YTXhp5M=4fb@MvqM37gy}%IWoWE2+3yAULyg*an$DF`R~TL5 zS3it(h7A+F!lI9>qbcDI(s_Sr_+=;%e!bgkce-+~ajs(+n>?Sj_9@)d17%Ng0e|2Mwg0xGL5Y8%BuLRz{(K5!BXk?!u4?(Poh z?!HUUIp6pHW88c9V7vp^``xkjT650lnWZ&W*!bAiHk4+iWr+{3pg^Y3hrSXXW>c#v z=;_HqezqUiFRDNMcrr-P8HZv^>+ETdmMT(HR*9zrXDcqBSLtmNRg@)sIK&<<2TU44 zi3)xqW+qlvMtZELeInx?ewE0D1_8>rYKKaDSMC=);Ok#ceo5W6M?{2IIaD%jJD9`w z!xsFK=BP}G9v#iDR(8bbpIgxLCsI6i=rSUeb=k3QF)l-|J508e)F{;#7X69(Y!c)I76lk{-V}wX{ zaPhv6Z$rDey%ezUx(OgV!?bd@Xj)T2c{#eU)P)V&9GGY%Yb;DXHICQf+SmR%(9&|i zSsWX%xGy@DrWJEnnFbFuFk=9sw*O4qwTg9{xv8JWZ}kK`=k3 z*bgwz$jqkes>PXws-da15MbDrKcw-?Pcu0VVM4@`+bUFSkX}Ric+(fFR-_r{2?_oz z5U62^D*5e2fvV29-23PhbXULC$hz2RWetB{);O%Hp}Nr9-)&4LDQK!R8C*NFD8r*~ zpzEU`2O2Vo2&Bav=}aaLoJf3&6U~zE4x+bmehZyiOa%W~AZJ}3v-~sV(x$;2rm~>c z;$)kgz~>J^@tJuU0!C0$Gs&OB<*lQr0grQSo z6ASg1a&{%Th3(IyRrlBE9kbB`AW4@;2h4|EoEDaio=5(N8-A*Z-(r%TWc0UB-lnG_ zCKq`?hs3ZQw74}lx&BSuUx0=A;xnH;IAvyHdUM=hP2g=19v)zL#P7X7c^!XwxhTWO zG_LRhYJk>()6>C%nuAJ#=&i^=l0=p~m6@5|+R(hZ`YWl*CaOOo5(?@aI<%0(#LT0} zp|XYWvYPK*bZXoM7hPi`+wF19Yp+hx8FlqxOHVtXcqC;Ipy>A+D<3|@y*IuK7%eFcjqWOD-14PzrHR-&Mm1R|iCN8QP zp_aym!twJ!Lc0g|>NXy4R2S_{vD8$dyey|@X*%oR|9fZO&0Z3x?tI|ydy_~DVx_Gu znZ_%?4u9maDLwbP_U8P*N3F09+~c7C{q@g>kNX?t|DptdgFP*zJPp&3$J%HMit0~g zi+?uyy>3o=K;F&2TPrjFKV@Wm z?pm|1_X$=V4b`ViMkcYNFg$bo^-Pz)s3yfz=eK%Q73>;=udUE3fHVE5FaA3)M%W*S zr5ZepvW=gSuWW$cRWHHqtXwkNsH16AJcKRyNj4gpAyU5if}FqiH=sZ_{*$>WwN`^t zQarT!8wBz~S4d^F#H2b}uMZ zFcLx5NpPIADZur_^&JM!{}lEBo6E>RpU;0Ip6eq-LX&4g&&EQ}G@86qw@^KG*__s# 
z0Y%uIlm?TC{-bb9SZz3YmV=-FzgKY>G0M=k82bm|ry_U)8l)vEgtoJ!}m7#o#jW&_O9;Bd@~L3O6YgX^MIN7r-)Wq8oKL z-WEC)FS6`iZ9e_A--)NrVmN0w5ohngWrf7p#UR`GwGo$C(lbg$rEy5kcnUtX;^+;s z@z3VG@!2-NqO7GwE=BdxTAMV?udpp+&f=HtL+6@*2Ps=wX9-; zkzugUd~>UtC(lVRH7&ny#6y(_v9s!AsCfln4JRNv2#ze}JOaoZuUKw6+1M9Qc<_rx z_!FQAMd1P%H@6Q`A5==vYn(6l_R6*bYG>yY`&hR33BqJ(&GxnxRE*tf=RkGrJO*sk zVCF-!=71!D??*JRxcc$|?NhHT@`@4bYje@T!ItJnN;9*asS#Ow+e*#y5u}#av;}71 z6dGmh^fjgACAm(CTtp^55OoOV*3le|CdsoM&^b>F;N}Ro7WEf#B9?+6Y)ltyKRUiE7 zJQKVhpd|S&CWSrWaV^=MaQR|V!uo*AlURZ}eqnVRY5^BDxU#gexZ+Ow$va6>NlL=f zlk0|^szhD*#iFyKC#Yssffgqo%o`UIuSM)mpHoVHs|Xii(xEjNDnskG^_4FoRT>RO zNDyx+`s?)4^-4_|FQOIo+Yr8o%MG@clmhGBpW`NR(;Cg!kLSZdv?wn#T(%1vcc1Q7 zYJOJA<6+-yBqxqzmRlu>2n?DZ5lRkHg4vt8_&MkY+Mjv&>F|BH2u+d2!rh%=u#h+_ zIgH-Z>h+Iuw^yT4zo*ism$(vRmHYG76$88`~gK-gA0}B)^7o zmJv$Cg!FWeTV+%H5VKYLHO-g)uoB+QqgkZHEF@_W7_zGyPJtZ4dwc3)>Df@zVEMg7 z0W7?e3R6R+@Fy=v($4}7uhBqsRBrv+qA#h+tokltb6pbA7n$a86u3@h3=w6FzJ;aS}Haps@hj<+^m`0{e$LC&g&f$y` z;6NQi**lh3meWg$Q)!j4M{$FJGc)=j+I&P=U}ooB_IT63b&N9;vip1ZD&_XmQ$XbM zk{`I)IC=TeQv1CzG8C`tY`1G6yM@VnBEB45@2%dhgG2n=oe^Pk_{^H83#?{=$%!iO z%f*l70?Vz(k+0V@@o1JjT=BI7wbscz|c2QO2k$$s?vfr__oyEVEXht|MKoy!{ty;i|{e<5#>|u)no=Ipu&R*g)w}Ek3;aWmzs{U;OU4PQiL+gSCLbb9(%X`zB^79{ zg-1i6Q=Ovz}S+xJJUu8;+e_6CiM-pGAXZS{?89 zrKQ48;KN%u0pwo`40y=4wv{edlNaTKX>)i1nZz)}q%Tsps!Oh~a=f#RlnS*m><;B4 z$})z|xRhhckVLsEER!)jpY{TNl;0BZQIvnJz^sr-k{6$**jOMQ>ks<86>Z_2*>24+8M-Y+CKPEvj* z`qDmjd%rff^!N!pTU7dZqb}P$1)Q;qoBNEJSt+gdAPCi-HY%V?+1lJQrJEO2GgNSs z-dsT*ZXeLyDcX`>o>0@C#H$)nQTQA%Y(DCd4z%~r$}wN!;-uiEzFZ=BrWfTr#xCdL zcAq@;DN?23k8Q(X&ZMR3CMQQ@`d4G^$?C*(R3t7no^va!<~C$BSFhRX(`~J>oNdu= zE|_e$?i8{Q+u!`~>6jQ>J9T@(bE%*a|2B5w;vAvZtHrk@vfwM(BW4o4d8M~ca+-oG zSspTyFESjg4J*^A3i+f$TR`eS&wIW{b-C{)q}T`oFf`%k!&Jphv9hI3lX%y^prLk7 z9N~@J;I7jBV(KM=Uq!Dj4O?kMJjqY6IC&j+%AGaMxTWoyZ8@qANh==@9oXU{i zq}*CDWq;7ok=alOb^pi%%tB9nAh9um-(~pHmJg4aD4sT%$fHGzS5e<3 zO$9Gl7v(JG1CNcImuF4^vzD+-+t0d9h!rpP6Da5*M2zTF-Yr@~q&IdK7c-=p_X|J1 zp@&*4BPCgkO!oVQ_U|oUAG67@;quYl>3SQ_q7o}ol8sD%yi}r%z?icL2bb_8vSN0i 
zR@p(pG$r z95TZ0;Tr|Xpr?>Qe7-^;yLyx!fiu6{vlv37qXe_y-sG9GZal7uPh%j6RhD4SXkU;Z za+{#cERrsc{X3#dYp|xAo_R!n3v*danr{ABj9qOrx4`(gMJIiGXPtdE**v!(%TTF< z0+Xk~($%20h7k=EIRMg$wdFdns46%(+DhNvSy|f=sIA3e-Z1Ov(H!|XPHua6^FgVL zs!G*YosLO$lh%!u5sh?DUer5!kmlluY;gY{g$3`ce&oJtHh7x0t`trehedE0ozMk_ z0l2jtTr6pEDo1-D=sJS)vamUnmLHvSe0g!Fqi;9nv1qL)I!9xOqX{^_MJdRR&+@G3 z8fUW;+3k7+CRfB+@V|`QG_bbHEh%zY0J`*=P5@lYP^$k__?h-$HL$b5D11|QldtGQ zIIpz5i9Ao~JIyDb^?_;TjpV`my=ySLFn6|OESjsBA5_3Hgwq6oQE!9B9dw|+9+Qpx zee2jl>wpkn&iCJU5112)4x(IVLx*h(?Q%cAfEk?a1ZJtfKaZ*}_L z7c`IdVH2=0jA^kChlasWq3Lg)cA?6Po9)g`Okgb?R-=4cDi^-CgEtRkCuN@#3lvbO zpgavRd-Xi}>*pImiO(!7k3;sRRtF!&Xm<8-MnoqimFZw&V~ny zimi7$PGreH7iSisp!}8^YRsskVyVz`kUSn6Qfl)2MTU+L`uncOOD!QqyUSqg7i8gN ze!O5hgsP;5$R8+!csjV&WqxU_$<8Og9geupO$6?x#Ju38A2+;qYHJEpI4L7L@JT?8 z%UEhdv_ArAT2=6yfa|Ne()ik;9bJ4b2(hNa*)_BOyvS&mpSDo?MI;kQ;Q<7@uY)A9 zMd=}V6%)tKUSN{n+d`5FwQ6rh1J)zYZho9B_7Py?qLKI)4p@Ios$^t4zo;}eHzo4N zpgZPpXW$~M@Hoh?Go6joD`PgxNM92elss>_*A<0`+gg1(NN1QvOczVTT)S+KP-1@- z*sI&q$%PErrT#sWDEl5&;+?#s-4`@NmJvY>p<{+{`ARvA=rLrC;|h#=$8T>4`*si zFi-0>HMQ*OD=m2GM;wkTJxbozuMK$}#oozFAxwqJl(fV8zZAH~wm*P)EVa98dug)? 
z9_6W_4d~5_`=LWXj@Viz$U2sH3x?vnnxg%kG|;G3iaOgItch2^PoM zHhx=V4e70YIgaSYq|6= zQvnn4%gT72+_IeJ(#pOrFMS7q9tE|9t7li~9Y-(t~eq1hZG8LUj9#-;|GvTU>10XK% zoA3=@kl3o6&8Y8wB0hYcv7P!vaJY?gY*VGI&j?mLEd@sN-L4y(aRF>*y@&7d8BY!n zCNuMiW~OE3XC)LrW4Wt1LNv|e<5V8j+d>uLIwyNkr*UG#FQo&SxYeg;>OACpG|OVX z(3j{N%fn0T5d+#GaU=$&#T?s^BY=gPr3=~Ef55w~%bOgS4uUY)I3~Ee=Iew_JQmjG zLN7coFK{j8KM=dmTOV9EFg9iQIz16N&u0sN_1tG;967nDl#r&=sIZf^b4#jeDAMfk zhFH*CfMs5+#o}!9#raX(YGKktf=TdRm|TZwpKxWZMRo>Dhn>FT%&taBpRsZl=OFd; zLZQJu2;`JnK-Peu2J6G~;cWIy#qNb?>hayvhham;v|`pe;i{BXxmixxhZhUC+0yqz zgahg?iIslDnYF=Xsev?js*&jrJUMoIw=j*+bfh^UbjTt!_wF>UV=&%$2yGb)nCaST za*G}(X3YS?s3|EZNDLQKB&;?NBQmvA+M`EyPfw15o_}aYZ~6#6G49ZDSE2F&Jzm0ngEHy7*z4a3_9W5QA#lAX7-3_8&Ab{2Tr!D}ydgI9$XQR>2>gI>9)_U380nSb(Tc=%4 zjg7`02+`LYKfvEtXXOcEKNXq-2C4EbEsxwU>O_CPtRwMf|3%72P|MCp$qyriH5tyE zB(F7p`@27K?G-Or6b(&fE%*`+&Sll*^eN?2D+cOwZsc$3c6ZDG-b&U$UsMEeKPfXc zDK-3~ygIBzxT(42+P*IForUv}tg<$Xnqvgf7cif&-_)lkG-X5gw-2nyLj(+J*=~yS zynXH-9?w7x_^5u81oZu*6cxqfSY^t)>|06AYR%6Rg>bWuRlt5iffOXXTA#NAK87qATIVo0o?w!3gw>^XT)>PI;B$y(hLVEW! 
z>i~@bJ0UxsV3z0(z`D0^!qo(XkBE-oC?%F6K7ucIyP5cAl7Wm{j2VWZ&l&9sB2pSf zyzuy8@FPCPi^IaMC1$&B9s^joC;2;b z^-lh>Cf^GzUI;!Uk2*B-vw!OPzVH$!xgj!Ls-SU+1UUqVoHQ#|2b^%aYp(Q>lc`rY z0K}jM$I>C2nI z=;43;8UxlZN*vY^!+tT}mC)O>vAFEBraz-vVMS$mSyARu-2qh(S7KW66xDFy(!+`=2(65O$;GkrQ%zO!(d%2qogBKKliBE{6y}yeM+6b(LhjnTX(G*zB-ETuY`aRwH zVYREm5BEG;Av9ek{{Ay@~nXz4n(qUVcA z{o4h3P!&K&AKR=3=l9I5!X$CohDzF!JvykXq9Vx0HBvyYoL|h?ZSs*bvv)KkM$sXM z*bvu+rQ|a-M}^Ie>{Jdcm}ST|GLNN8XJ#42=}5jmzNqXjaGvJFi`UV-TTKvUE7Dpy z)a%4u)sdzg=qu1}FdMqAi3JanQ$u|NBt?+SJJ45LG08qDDm1eb2)*kKl4gD^>_b6h zA&B@#z>oyRLsQkoqd`sj4%1WwBqWCev>>m(0~SDh^-_J;(3W#yl;!sf2HuhwjxJ0h zf14RU$>L}xwXW}lK(t)(a{U;ba?um~nO8;-#3e7k^uCcr@MVrg7{%M*EO|YT`t@tr z(F+ zFD~{WLWZ{8UbT!}mX-MA&v|E^2}DyqycKuJyY(Ga)N@w~s&WS;Z(1P7T^5dVH>y31_r zjZlcb(Mx2Um6#-ztO4`M#5Yn1${M0A3$}HNh-BE!pp`AVD*YcnI%Lw2=7Z`oV1_A#K2S-pvsS%_hicX9tcvM zYiA^9UqF?=jg3{%B(y5`bNb1zBih*+g90&~Md#a(w0AD^a@{gx)o99b7PI;k>!-S9 zaH980K_2-D9Y)BmpcolKJ+=Hy(@>sqHS|nagpMo>Q%c!D^PQY06HiOuG@t=%3Ky%HE%^~-{VM?MlHStDxvD@? z=5q3Uxm5NF%q`%9(>J7cz5;`N_gG=9K7R+a?5&%Hy@IDrr~}Z+%pw{ z9!dr%5I&Db3w;TY8#w~bp(zlIyBy5tAKF=2O&_B*e>d?vH|H^*<4e=+0_k?$ zJbMDHTwZMVG>waau!({MsLxzh#hSEVpbT}$fFAEygqJ%XcmEiSn*iK-wKOQ7w80eK zty-(x4|!$Jvw4a`+p*P)aREBxV^}XkO{NGaDEGY((7hDsf{>`&oqeMIyyXP9Z_;L#d_emb6gE4nqM;v;V2n1^cKqD zpd%5#lZj{Ij``-;{|-=MUD`vPIeZ83=0-oZ4y^uI6u3O5CWqpK`7q~>v3Fj$J|CjV zHevj*bmS4IgT7iu?)}2XS@}}rBLlb7Rgv2_E4^boS7Wkiz&eaZ}C{kqq25O|uf*KE`Ru(3)kndhN%a^wy)13d%!N43rx(kRuoyb%j55Yqhfsd&|B%ROH zK<+6)JkI#wY~N(BT|3eSu#V@(diobJx>;h6rufqjc8v5*t=MM^94c8BwF-f|EH;ct z64v;;d#!rEh@hAvWoO&e!1$mDEe;9WCxHJ=4LD`)GyzIl&?>ZrJ)6gW3xzKCfBSE1 zX@H)Ig4zP+8ZeCO%IDefPk=2;m1kmdv>z!$d+Ra$0f0jms;w2S-Jh*MR@2!X*5krwMOHZeJbL%OhWEMK_ljzilTOV)75 z`PSgY7w@pKQI*zAd_R3FO}h_B?y;Rpq!w-`vb@s#>`i&Swr(AK<2;6HOZCEgmS;Y1 zt42y1oM94TalJot+MmRCz|G#;WIQX@TvF9D3%2;2nWNy%_3b_Gm7))@^vp^P&W4J! 
z-%@cL0Dc=T!0vL4=49>KTzI^|o`GT{t{?X+z7|PzT0?B+fVp*`W_LDR9e{@xn5SZ& zOdpPQgazTmt^QCHWvYHETQu4$dz(h{6JwtJ$lk(^MKs}(VGbql(EDi3aM!{-8rU#i z+xk7E2GwN(zPlVPs)&Uh8!n)nxxFMWO9QAO^_W9@N`>m~Z=O;>!ko5Lh7J0CCG+}7XV#vp~>_VdL;8< z_H&^l(x71(Rt}v(oFene)%j6V^GVQy?L=PlYgLRL9l6DnXpOjNjR54+E2q|g>{z_% z4l(C`efY>U>BWj8j|s?fZ-^1_%_8Vj(~(~k88~ThC!BN zY4H7QWNZbjDA?ykVQ`B2jOC{#I$ws9ONq8)0sJD*N+1Z42FnYeGeUecO=)UHJL0s! z`fnM{PHxg!Raw!B;?&=cm_9LKQo!R|h67f4VloMsAuNsu-k=gljhi1oP~eTxi5Eyg zfIwKzJ<82DC00=E$)(jH(#vCb?wRUj5dl_i-jfH)!}hML5&12RWs|5(4)9pA7NwR* z774r}P{)bUP;EGhqyo%3FM*TbFH+;R@_IMur=!j)+3LULC7j`fd+A29i5n`eH!EdW z*^68jy}Pw`N?rNs*%<|bSvZuxEkcK7d`Ny4vo9TjuLUC4e~AQgqD^%I(M5C6iUO#50K*&|v#SC|4L+QQ05O1sc#_Rlj~6U7$3`!iGy3Ly_D{gnWdU&e)mW-C zZ^CocL*GINN`+r!U-jy|i+N+`0_|qeS@v$|*u>sEGNL*#E@1TfR9$mv#$PRSrssY7 zFlMhd$DfQx(<7*68&=Wm(%l|pYTGCSlnDvS-kIgTLCX8-DT8ciRVtw zNz72S@rwq7~P1ePees^f?<}y{v#K=d6^OFv$t02T1D!`x;2dJtZ< zj2j@p01MpS$%y!urHdV;0q`8x`O&&_tre6*?b@3#L#(aB6t4}uUo-#=>SywELTHj)HRG<6Uc7D6y z&Jr)(GaIo)$ktXaX@r(G*E6q9kJg9+j?Y0QNWin`!l5-4A|gA!#C@r=7aytP_n(-w zB^2;#un7aNmD@ zNs;62Ge0_M{k_D}=!dh0>-x-g;`gkggtqT$8dx&5d*hZUFv1TnG^^t|H6)q$dfN5oylS)hu5H5%fztMwm8+$wN=tqHx6~@w#?Bz09v^;u*@C))5>DpUf?P3K ztiEN|HP36{(2#2I29#kcHP5)L3TeTOq=xg+h%a9W?YAQ|oNb5*1`v9AiXr>bO>nY# zu_we~CliTpoD)8huDpRB?6e(Qbi#h~ZQ+)kGLEFddfLU=&hqGZ`EQ*P{%0VFPHihI zhY*O9672@HKoBl+?Ka0#Bo$v!TthA=#U^|hBw1$$Q3U~mH z4Cem{M)ENQFVkPykc#(wBPR z&B~rAR4d;ziSV0rHi9P*T)-DWu}b;|+VkcI)a={8kySpgUj#6o^_GH&ESGJr!_a#% z$A`}iAZud8q=F0wGG=7%Qb!dRi~yA=z(t_bXt_Qy89|5zTm^(JO<4uTr3J=Oz2E26 zlO3j6=RuKXBf+X&RV?)d`pY3|gZs31AfQ1JQ0t(rmTgh1~ zQPoH|3jXgN$rpd`;h%r#P60d3V9N6A|6Yp>1jBh3ed#@-O>g4>0eXj|{@E64 zb~$M7sPy67D2;3oqZt2``uMx~sJ(tp^4}j&iH?d`$fI)lcer&LWl~E2NBG_$*W12< zlHu zhUKpb@z0(stU~1f8MIa&bVDAxKDVWTp;ZA8!k4R)%QgP>p98^XD__Dt!?m1%7f}hf zxKasm%nY06G_#`%dI9Cr;72u;vh(4e!|6l8leeSTgt`@^I9UFD0B$UH5*oybjej0_ zg}@D2!RX&}S4W~ z4p^(uZhk*)I%gQN+g0*1h@DfwCBTXL(rHHRh(L2GIs6JXz%TK|GO<6w+8`0v(3 z|8sjjcgrU_EjKsgY+vcpQg(uK7mi0-+e)6k+8;0)m+DYs*h1ggE36}VTs(puAi8uQ 
z%uTxgu`kgtEd)E|GZ?df9}@}+@}Bi}I>VQjG8}{3yZ0MK8oXL*tav6kfqtfU>Q0{T zEWFv5e~&)Yf8a?KR{P+&h>xRgarE6)aqeZhtxfV{nl$IdjqzE#P&-hl9b3mjYPd5^sisN0^vJV5(Rqt5_#4ovKLv#qGxt!X$Uzh{(Fcu6^B% z4976kGPlenLmp#dzC=J|D=Y2l4y{l?hIrXyuudpW#G;?x=x1Y0Jv$@W%=bNabdLRP z2tH+z8Ch#ilPhFJhxyw;D9d{hm@-EPo)^DK{NJJ4x(YbyOLfj{e<}9O$a%sue~sA* z&}-Gibmhb}kw1wFFHX4)Hl$~fO;u%?{?UTjOFT&$s&?=Hb&2S*7Etzb5jN?NpsW*8 z!ByZdG;YqlHO%Qq=OBp_JC0=86u!a!74 z5vjL2?*knpJu7^;>hD8bV2i!HFJlVwMmg?Ah9Iz@!)`^O$meCpJL%4lJk_B9*-$3t z^0@6=TuokA=EkWWd4J#eKC+;w;He|j8W$^>*nbFrX?}Jtw|7dd>Qi^NR>`YC8VHOb znNGc&QohUYCM`?QQrX;{GgW}#=a@-6Ds<1J>YEn+ErG6N%{rBHC_#zA`)jA?${ErRrPoVQRLX)#NNOQlwC6{@rS+&`)= zPHQ1p@cHA6tanL9u&bO?AB?rChKl!@y*1T@fvGr4IQ1%RkLIiz&w^G>!HCd3tnadfVfbdrY?Ifq508>nYxZNFQ;lW{nIW0|_h z{jfE|S=U>gf>{-Ese+EKa>V~azXFVLL_Bm02mCzF9x~+F8Ah}(EIyCmQLAfR-boQc zRe9=0mR2Vco+ghi^Go6hO=o<*FC3+!MtaXZ$k2yV+H^_${hv24R6u;8h&yx{QJ|Qf z{bv;T+{O3|i^7TX1k* zUa8+@^p^z_A1*EgS+88RT!O-?dExqqGk6!rVgZ#{h?fWk6cs~L+6e55oMd69;QH{2 zbQcGU=Vpw{RAp#VIo<~P4v2pV`*A@GYOVWYk@Bp--!ujE%(HVqF+Jzip+*(YiaF_L z2LFH|ZmX4jrK}x=|CS(NuUguP^P7bwOMKv3(jIP7HOr)9O@B_;N-J_PBfL@aKc-l$ zNiGEWKigv=!QuS8VeXqcu6Y(JY@Eoi*BXz&tDHcPYi<@Ee%u~ks9kD-;HufWRZyn7 z5h<`5I{$6gjdPwh?K(V4+|(h^y2s=GZMcZ@1!BtK`5R6R+#-C<>gMAq1Htto%O1)c zg@{~hlhcvxoLpvgV{?0Dc}+`UTPw3hAeHPwQ{wCQx{Ttl%Vb-RK$8ciPxO<_l`}wU zN(hEKk1VG{PT+9tuwhJrTEM@#2`w9qu3ZnRe%j-q3=d?>{6wEL|8zlk`c?=+oZ8l! zNtIaF6e_Cb1#Mhfl9AoM)cF;!z9k1fXK7)`@zqMP+$XuoKHqw+-lOzd+mHWaSQ^n7 z%kXKcvmAD0l%b?4QhpGVc{k2O5BfIx%UX$Z(^iWk3)xEVIv=&*Ijjy%7cXp+JbbthDS3LCYud%wRX4TaIfwssEkiOxL*hKAXaW?Aawm!jxLy5&o5K^h=~FzUV5g8BlYgBHhVRp z4(HPG$SNV<{8eXzi@EkI&88Q}hb@>9_@LnrEk>yNuDM>Ow=l2+&cU8+_wZ-6q?DS( z|F_NfN0jPLot~#F#5xu=)nzmi6*LlsLb6chKZJ`=j2j?B;Ny$x^iMsk&Q>5GQ_?UO`Xui1)}qZ*iiPlvd#UJ+nbZOUbk^YkamB6I&7^Li60I z>Z>c2(-6U+<8%=8t=HY5zW+$W@_qLAU%=0_+V%*3ZujWQCRplH1n^|(YpU1nth$6? 
z{Mg;E6IAC)HdudI@d_wAN!PAfSPG*Um+~=Ox{TeRv6s9iHn1?NB}M-IUo61KL$t8f zog07u1Wbc!<_V*Bnl_iGY^)WUwH{h_nvznka#~7B%�}q&!ij1LZ6O6ppb^Z(z*b<>B!>dn{rWZW?dOFaUB<43G zd5Pymv=sJw6P6uq&OqHmAmzL*Vx^6*hr?B$Ci)G&!9sex45C&$8jW5m8?a_}8R>^xPXY7D5_$9~L)K0n_&+<0Y&b>#jL-C-&7k+Ihqgp!v z5dk19U})YtHtEA@>l{K6HE|I(cuwt8?($2}b1@Z68&U=MS^6MNU|iGUq*|Hi4arZ} zCXAyUcLP01rdO7h!7zjuO^N|4>H_R9e7nzB0Zk|FoEn`Z84+p3*g9DIdw=i&P;E|! z)y|jO7M3w$9U|EnXuluBjsx%9>p|j6M%gTL%;%r-A7zZ^fo9iGS#F)#chXrJpJi>| zG%0s{d#~^7O{9fTU-V2OIIz#`e=|ARN5EWFxmo?Yjz*DkaH8F4jt)#VA@4ZPR~2eJ zIfmYb1Bh3SOjyXi|5K$F3Tl9}GzAsPW_jDp`nO#mGjruz?;YDC6nWFd3p@X);JQiw zJ>8>_t~v2CRSR8%5X|m)OoJ-6>DR+LB*~%he})byU&dVq5F zV?w_8Y2jb79G~Bf3L8*+npE6O9KhMB#~Cg5)_#S{f28kX-cxX^z(l-E)C+$VA&Ab? z<#9~()}3>ha4`~j*UH)zG^SHx{(<*6V`8MI>G*L8##!}i(ZMc0R<*$e&rsVR$kytA z{sx3eoI*iN`mSi8?geGvGd(rr|DR!pP*Azj4;SU*El>W)ZaWVpN;TX1bK7sA|KTNC zJ;g+aZT3Q~!Fag89%^7C?Gkz7WF8UC8hyS+Q(o%0ZDQ3kECx>3E%M}sgt7l;tN>h} z763_M^q#;9f;?Mpo0K3y!8Fube}f1NtlL0ZAaH&mK)W@V_rU{y^6@=cCr4g*Rh%N_ zK{QRnF&h^6U5U&!#n+1^zP{>ng^Ufm!a;mdBaS&0fIoF9#Ga&IS8gP7#Vv$_kWoX0 zZ%kofh)Y`Q7V(P=U9mH{i!<_EO*$BXnNpr4L_$l~V^x@kg^NGRLVtdqu79xNm)@pHN7q|SASbQbZ8V`-KT>cETpLxJFlwIx&Ee{nWg9;)zfc_X>#JYA`6_g@sqhb zW_+NCwt73i45o(4u=NmRHsnM;?`I=X1Ar9o-zKWf22!hvXD-{_YFQ4-2mh>T_%*kr z*2_z#C->3HP2Vz0?0sdaBaB*UB{Q8C2?kfK8+NkB2lmwX+i&r=IR3I5eWHRGw1O~o zchGygxLxVtT{6)LfAi&m@%`#gTH<&@5?1%-n`)M&S~)EdG3#Pis$MCLN;knCzbu%H zrQ%Bf)0lCZDvIjz*)iE%T+XEPUZ(OneJ_6>w7=`7CLk?-e~V9-tg5Pf66paxF4Gor}|Djf-4w#*Tl3@TiFMRby5k;5Rb!yVVeO%e>RVQ(Ah>oNQJ_d zNbwid3oOX?T$aMd&Rc_b#QyQci$6U0{rj=Q9yj}e+1N5%T=|`d)O5c8NqKq#0<)Pz z;ZRe`<+nmp>b~ z^$8^&a#Hzl8OqXVla6B*+joBSj1yk^|lAl2ACh-AGxXd1_wBTDTs%%f`Ei>M82N$|AWFpkWUd1RrK@Lfsj|gP1cNHyk8(`A4vR2{3=9DX} zDL^1Lu(FiNVe0t|G}u_zGvbNy+5G#?e?;;MAtZoGi1PJrGaUz>DSCaIX~3??GpGS} zsp=txlE zduA8c?{_>}bA0yPe3j(;DfDy<)g~(pzhQZLM32Zaa2(y9C_|~zzP5b|EQ+W993${ z-j7rRl1_G4YGq!@O$8LR`Sp4atmP&^xTfsqWB5nKrH%sy9os+z>^#sA2XuqVV#1Qo zo0w}e{9e;g{yyhs$_FuZ$mM=^`eZEZO!Nv^HjdRStAm<-r;I2NX@cfRD|Zx~^q7V7 
zPzpq;8*2u&bW%-3ZE7^EW|y6BgSBN@MZe<4y<55al3BtUHS^P39#^<3)5rj%*_=DI)e0}p|$;xr4$ zy8c;L%qg2aWn?Z$0})d(;=|;qhZeaOknjvwS<$>#rABqCWF_%;xIh5V9dJ3o2C&zv zavm8Jmv|{q$vn|_slT<)&;+};jlJTC@CTDM`oAQ8hYGjz2D&cn)dPA%)FRPhNBg(J zn|!EZMLolpeXV6_`CcWD|4)(aRsf@t^Oi}T;T z=Z536s@0Yj0rScNpGW1W6;{XUXiY9Yy$yTcJU6e@`K05u#;*CTd%aEjXeGrzfkQC0yu zD+|mGW5g#$*7jeMBA{1yniovQsbAs3giD!f2O(~g&HnfOYd+nZoltVLb{ zIe!z@V+ez$elkXR0CRe4v+!PuRFPiR<%02`bQ!k>o+WS?j6V*5Qs!% z!d$-}5@K|V;e+_s zA}t-Qz|a^<(4j-9Xx3wQs<> zogOo%e&?+v!|SW#z@Uix`&X_h;+aJYrK#i<7jOPPGt?FQj1wkkmH@$^F0*wYgL&S~ zVv)K~(|paE6v9Xhk9$XCZL4e|pXoEG>shF5|UmKZt_e#-k1ao-Dm z{!Il}z7P+Xx&*#k|Lpi`Arb-t9HO7{FZ9Qyh8soVVLs)TO<8!x7bf+^erRIIa+O0` z6-EPQAbP;;Z&t)ddr~WNw;_UN^K=(&2@Oo^REbO`44%rig}K9O&S-rLqnn8WLYM2H zd~-8~M6+t?Lk%65P?1bhe-nqfSUP8$i@EcGf?E;t4HO>1^>8j{uG*m))PEXMKpnmm zF78>@a+t1Jv?M@&6Cvr{$quzrddW(!yzLK9mxo;3`HVU%*IZxI zJ|;_&2ULEve&;VO1lfM}GZ=c$k*<1jv!3$Mt+Q!Hb+)Q-kG8>l{)g)S)7*8wHMwki zx4HpQDHaqEF&0!LA}GBCK}0}7q!XGX5b3b#1PDr1Iud$0^bVT@LQh1H7D8_!LMYNg z2{m+bBm12DoDcU8xbx+GpLyn8)7Dxu?^?f^#dTKM``j&{|Gm?!IhXr8ps}w-7gvr& z9Kyebc8J_RJ9pr92od#}f87@%d&~$nDdPR1fsha1(te|xTani}(bPv0{x)0|6^6Vn zh+kT=8R98DV0TozZ3u&@SbC{y2XqjcwP#jFV349>T|s+qGiRF0(DkjVU^R~_{T{$~ ze=}1ppG$05w2tp$uUi1_R9?mU73F_h*#&KLcfk`30Ubzbcz*@0N`Bot1jK_@gbO-P6l!xu1F3 zk*}qhEi@b_G$Y$=mT_F-)5iSdb>e)Hkr{$PO@Y6dwt+nqQ+qby2YObtyBMd&Yet{M zOUzmFTq+PV+D2fakS_}>MapBiuaM+Dm+auV!YnY>pzEQh{B>*mXo_%^wmWcnYX_T>Vv)r1oTp-L9SS=VzqdYR7e!YAq6?!+XRkYS zkb4v&94fzB3HJrN1rfnV9E&V}7%m4$LKQZQ)>D?TCzGJplFy zyHcKk!yRwMYa(c60j0A{hk3)nhSbBI>=7V20kLdhZw=GWFRWU`R#?;JybGn;9~@I^ zn-TU7jx^Vef`an!%}8SzNNy_;a+IVwvHO=2T%|s{R4LWNGq;0diErJtlb*=G-CH&< zFMPD`C?WfGf%i^eflYzwT2oJknqdr2da7yk`u7S6#%-+6x+xp`og7jAWP-O)FF}*V zd1+2%rgAEQ=YmB|m=~Hn8#27f2Q_;8tcrcqTmO!~^gjBJG zlLiL(ysg|N6gn`uF>WDmotYHnaEA+s)7|U!{tl!zM5ty`;uiMn! 
z!&l3$@BV^cYxD64YP%|vQTj~RzScf1vtn+wv{*wQx>sitLD*(sWLLtG=d-OYOdw7x zskNHL2lyd>`{B($jFJS)x71IS#59%$gk?MKMA`G%lUxRxpBS;?Q1inHa9eb7eTN)`9KukJgO?3`peZR-OJ_$zOk02^T!nI9N;2ys>+P zckzvJBVJ&9|A{E`)-C8zkfVCTFe&jA!wM459?*YkXbF1@FZW*7NJ;y~HOc_}BBh2Ubf`ed zN>S@t4hupIZuUAW`|hO%b?LHeY84fSN!IKp0x1g_(LD0XESWkF=9TYOdtl5;fL9gmB&{)xEBZe64$yMV(u_nJ&HX`;GflNV9)SEvIw!Bi zb3cl`XJvI^dH2mmfV;T6VyJ=#4&IiNR@x(Hj|osa5m=FT(W=3Zx&D=e=Ul8iyX1Y<1bMpZ_i!5XkX9 z{W)HRyp_#AmUb=-QZ=Q>;)tAE6_G%uY{4E|UfjyA7qOys#A*k(^0;7t^Zpzb*2^~l zEyAtj>1Wy7Z2IFP*+X}jc0e|lJoa!H+g{>Nf`X?ynwi#M+Nn8^8EHS!B>f-X$eAbGe zd7OR$$L+SaAN+!*(wj6eWN=4+@38Ag8_wPNZDWObgjaZfN`xZ!D)-N$?9T4O%qlGw z=RSk6dv)H}`iIXU^^VuL@vJs#UDa|oObDr%L>k=<9F0Y$Uy<|AhA~Kw#mv&A78_>qi!_ z5Ca`@>J$?twvfWm1X~w}QsPU)27*(lU1fD^X8iP``iI`XqW4}>8=S-?`ci?_wa&^+i`4`TIW~!nel3f~r&6H+fHF`#@vnv{;SOI%5gq=&cz`hN0U-70AgDNsf$`snAX7|IKoD;cAs zu$lW`OO6C(@)_DrkwpnYQ0GSATn4kq8i>Kv6+8&D_;d9SzFIK0Vu66>O=x@E_~{I% zc-YDGUN~=(wKPxCWALqg&0>^XK0uKLoEwq<6}|%kc^CBgIWziyqd905-br}`KOWWo z;$Ts$N}sAVDPwyqVw$NK`k8T;;tw;+D+n=Ni6);?;tTQuqn!*P zdLrcG>Ok%29|+5a`I&lKA)de70m)sH-_ka+D+Hn_83@m>BH{Lwldgxa~JaNTY>h~dCj;~wZ1opG=Jw!V?G_t z9GtNcqOcKt^eyP}k|sh_;x>^?nBORe{tVqks^aPELwRy%xcO_OYVI;e!RcL?6)EON zuXVww{+(ZZjjzc=_X0WiGsr1gsl*AQGe&fW&=ui4w$^@=H|W9w5f-drim<}(6&aB@;o{=GL)HAi-^1{2 zjPFtR6~z*{{kk7VybgY14{tdug!D@mlg;)wW)_7Bp7W1`-m(Dl&PKtVX)|+PZClZ* zevikPJ!DJWU1g5GiEkP{r5{_h9nCn1fMh3RIyJ1pLk3T`LEvZ`-E^vu*ZR7zus|a+ zPv-%Wb@qF~qHP|iKjYfwWFRRjA=RjM-ox4B#TFgdAi1=zLX)M3@%22o`sLT;IwEni zrLvl;vsE<}%8`|ut;j*EoM2MLR_Q>x%YYgvX z3Mj1V8&O`en;(rj%(q$kp#2~Yqm~j@WvPAawN&haK;QKqp5=dMgiv+;%x_Y6`;9u> zwpNuoTjE~fAx<9X9UgRfI^s8`?`k)+t{>m_*!R}49=E9#ZVmrCQ0*xv0%IP;x+xPo zBtd&0EaGU~Z$r;oh$a!!@ib(3mizIs%eoOm5IHP1_r}$NHblYkuA3f6%PSUh=CuOkVA{|tw(ivPkuY!Yfc{j0zrQcZ`-*|95L%TwvRs~ zYyWQasZ+0R%_y{tzRM^C=^L8?{x{cYR`~EAPtTJUs4PxLWRzKl_(+$=7T~LM^4*gh z*6<&U-yIcONb5n1S>XtS4zyRocKfdi-esi|P2`^$?`u!VGy4AGLV!GX)> z9UVW%!t}M~iZ_g|i<&56aJ!z^3QtMs9i1^=#k`J$+-tBa*VTiS=BU$8%_MXcG1UtO z?@bn++E1JK&NJP|C#+ySa|*CNlF;X6euYiiccJxMC;S 
zN2!i!&5ZwT6vns|^URv+i|0BP_n;ZSauJr2jxi?lX%B2M_dLjj6rnIXR8L|>naGAE z|NN?q_E$)ZiLltg0}twmSZzNFO0IwyXXiqt;61~0s`$M9h=h3i&I#WM1M`?Sn`zMt zmmZp7q&z(IN@sT@295+elYJA>kJ>)$Mc}(QRkL+CFQMK@)w@uHa6=0)ad?YcKPp11 zeuMHQ$I|8Sep~VPTqv=gl>)>Ky}DRqI&7yj9C=;wZl;#Cs{N)bI%tDkEHI@8s+(JsJ;U3hqM#OO`)El;obg;>R zjhb5)))i{KLvsr9TN7`Xs8tGBgraK!0~U?9fv8j0%nZ>wCTgkrgB-9;#k@9Kh!9HQ z8mPnYlel{*npe^4uFXu2WmDO4KWY!~^d&s%#`JPy|C%mfc)UuvP#P zcp*g$3(zv+qHsMBIiDd`@qUW~7ItUu?zYhY=ju%%Tg(HyZns9g_w8xGbDBdt711y5 z1Hm`s^NU6{SZmR|&D!^1S~mfg(4m7AQ~aY}-SIEGm(rAro1p}UFNyjCwpW9HEzh;@ z#i9**oU9FvS`H^pN^K(}w!)*u)WZ_V@TX=S~^$G2K4N`9?WeqZsdcAs_z%*#9kkf#KO@r2kqd*nXRf80r5jsbl_k W>+Yv3S}abmp{mLnFUl0nKm8BD__Xx^ literal 0 HcmV?d00001 
diff --git a/fast/stages/3-gcve-dev/diagrams/diagram-multi-net-c.png b/fast/stages/3-gcve-dev/diagrams/diagram-multi-net-c.png new file mode 100644 index 0000000000000000000000000000000000000000..321a8b2f0b9cfb1e13251c174f6c082fc7c7e17e GIT binary patch literal 111501 zcmdSB1yEJ(+c&z^N01hfkPz9Vq;!X{2}!9*%Jae4K@d#WAY9#vSSXe?X@lo+ojpyf`Xv<$e z2|a#q@HqM0^ggcIcJDYTzNj=Y@|YK+^_ce&(ERTrXsRMh_3sU6q5cE^lYj55P*z#~ zy#`hOfAoXo&gMTLm$&|{i<>Y0Huk+00+ze>mg9d?1%~F14!`;Py&z%{-E_*)OI*u` zIs9F!e2-rKd+nu8o&29+{r~L;iZi>%AS=wU<$=++Pov%P19#Bj0d6nMvSM5iBjvX? zSN@K&fDag?6AGdjmE;8myMi^n;~^~(=9?eAGmETxAhJj&nr8I4#_RbOZ)YSH|EKA8 zn;N_W$Gih?QCr_?a%29fMI#Yd%mZZK(UVQ+-GnpT5&L7wk)*@mKGjATCM$RIG_8p0 zXr>P$hX{w=;0w{TL-DiXo6@JE-h(Ekf$iW>HDW?SzPD^5`OsR?n5ZbIA{0}uafKf% z&_6f4+VCi(Lo^UF#8@3}$ns}Byc~osQJap>RtL9DIXivfEPkZg6viv$*pajEL}@oe zL;9MJd2y7EQ8>Pe$~;M}tMwR*J}EEv+?lA~JkNIv)?J3zU&rQO=wFSz$Lpwb1X;3)|)zaQ(XtJm*)NC|% z>}a^exYt%O57RBAJaW zE-WZ$sHoV>Eo^k%+w=^8aBAcKX|mv1w;||N>+#7Zdqc;>iQV4Y1fCZ2e19Dy8)g=+ z>g%Cn_R!Fb{TPN)6*|;bp!yZKb7gGcduu%LDV5e&4i~Ah$jKYU=oYjY2hltaARk$;j*zzQI=1dzOO4H3oT_=$qZUYh>hs z^o*13Iif#{yRhYR^wP_4f@{h-$9Ubf+6OLUxB@HA=Cdr7mqxQ>$2=sDC~5Hcp;+#Y zI7x$F3wH{mifQv8MWy42fI4RSJ<8MGxbI2LzB}1v5majCPMJvOrld z59PUrbMeR`w3c3_MrO*yM#W&tIXO+(4^vjUdu0?BI()b6rsyOGC-!O0|N6+3NQ~~U z0vMg>`ZE_z z)8E|?7G9!Jaw{}HKZHc#3pJRJS50{@?_4{mdaAUHD@Ke;KmLT!xp1QvK9$>+PD zi-ATeM7H-A6)qb)s{VP}?k!4DOzec1hge92FTkUGV40T_XNf)i{FJ;^r0xlIqvu1` z&X-SnJg=%nwM|PWiGUH($y2}Ra=+?@*#@iJtUE4uCcCR@Dy1pX+?_SKtL2ApKZE9; z=2y;FPVU@!G=%e>cpWq3j-CxO=7zoE(_v5CMfZn*q0}$1JHq0borN+#q5qkK*#~(U zc&nOSR*-#7N9i>&79`_3y|T=yk->69&oB6;fm0!D;B4(c~5qPrh+uqwQX z$ei%u_iSk5nFz8Jd5ZE=&hhXoT3&e+UmYy?vXX4YBUNCSCM%U=eCU#ZG&v)WApgc+ zU7Re98yi#3JndS87=3&EzVxmnL}Q;LvC7Y-rxCuo@A1K=wXdzlT$3l#GbZ51tsGWP zZrfKAy3KC3bSWU9RXc0JuI^yC)5qn0^=@`nE<*Y#q`sjdwM0H2%Ec*G`pyYXlbe$d zrS0TO5{`~lc00ZezcfVA5Mz(;ZOqeB&`{fQ+x|1~Ukbk$-yw{EUOJrYR(*fsYW4a3 zX+cE}eYi}D@f*~`y4B^%T~|joO?_2S^0h#!Fzg&-4K0i1FI3U{9vyyuD5N1C-qia@ 
z;FMQw&uK~Fq<&QWqHWlQy2r^YTqt;Fj-(A^KLu)&IJCr7=ydUy0(Af#znoxVXujy& zV;F3<4Q1og$HxkO=|>v2yz4NhTj5p_@QJyr>}CGkt`#Q@4NV|5JG-BL;R!1UzRqDb zRpM|f3f9HXkkxG&d4uiFny}23$!XuFuUY@?e`14HnvZ3_BMKm=+SQ<-dIoUJDvfZ@e0@{)mA&8RJO>kLnLlzm#XjPmrNH9W`Ox_qMTb zsQT1bg9iEWwP(NXw&L>>d7p0@fPVO?BkXx;FWu2_dwPnd&2YJ9i7`WkrD?)g8EigR zLN9PnhuMA}R(svwi15z|Rsj`dn;{9$UHg({5>NIY#U?0go$gKqvU0}vi`B^LRpiiE z`@$b)*kx4YaVxOI3C0p>|EcXEIl>qnMI%b1m!|uv#-9Q^0X^GpXMXu7mkdN|Ro(_a zFaSd1dQ_-!FiVc6qwi*Cb zrBB1GkFQ)W*^*>4o~+1Q@1q3kzCfN7(0YM^-}3WQh__yV;giRSbCS;4yOq)A;kK*! zh7h|AE8I?N2&?{)PqQ~dRao|5mSJB~iafAw81K#O?WO%i+2f^JzI^c2@aUYG?4OGN zwZ{HB{XS%SxRBTL&mPz?*Z|A{s;>{yuMfubjApbQwH7Q6%@dF<;)$g!v9P<+FgkX? zF;S{Z%lg`j3kJtTZ@toa5fq%N8gUXqwW}KMW{-n8>1cs-y4g9#QJ!O+5K(9Hq4bbz z_eF;zP42un#B9@0V+2KAwy4DpauQp%cKMI7u@&kr=jd2s`Ti6G?^mftxfd^`i45l( zJ1dS5_hwWZ4u!T8AQDQ^`JPa`{=B^0Tual0GcJ2><*X>_MCR<(T!PT6j+f)NRc`5% zW^ZTdX@d`~33 z90I9cts50(et+Dp7!ZSGT&!07BL>eQ*$^Lj5G#7i*&h~wpZ*Og*oX_0EV`r~n|M?S z(uRX~NYtrPL2sUC?w!{WyOc600a!8gXN=W-htStD2I(7kM;D@evOY+%F5@y4}zouUIpNv z{4OrI51xuJss50zvE?gSNHkg*bEE~yWC7tZ?N5{SKylI(5ZfVp;s^gFRbX5dE-1P3 z95Bo#TU1PIY4zLVp|Kt%a%nCPJ_SWjG|HtBUx%74wsCMY)}@m!fncN8=&JCHm_)>I#n>_fbMp7udwBBxgZ zK{(gZIvPhh{1dV+zSa&EuO8}Ten)8sS$}7U%Cc+9FS~-8(~82JvCMkG>`x2@FPT0! 
z4>_OH&fiL1-r?)fu)|<%PR*@qNIY^c$Sf11iac%=LwhkMGniBO}Boe`GA-1wu;v;UC;D)9m_r*%?ya z2Z69}906Q%|=Ch*S|Z_m@mh zGh&n1@&O%@EycUa4PLq}#MaU$2oD};l(`W}r><}!jZfUt0dxU`wXX7K_3ETDPgnUz z2&9oDQ*WJdkb?@&?~U&lfDfng7dDEuEpczGIy}5KSLdi;`XZF#;o+j}qo8IlyqNm|*wDhFJG#)WooB??X zXoH#K`^xR@`@XPXkXRFwa#H^qP?m&5D=AUgCXi$_St0+OjG#etD*&PSVyxeEr$dqbW zY$<7Md%iZ9ohKm*X$ycX@!#(7R7UhkIMlk&TQJ8v`NIkemeBV~-L4oM?}#ulTP61E zWO<$NF%OS8p^Xv6N?3)UDk=p{)ey#Uh2l-Lb6oJf|NSOdb`>7YA(h*`@mU zm`^#t4cfrWlN)Ym`P`6s!<)%y9PFkLiH`vrxeATXlso*GNRQX*#8(+X8M1?LaB!t(Fv&Wzm#u<@zdWeLCgnKo(wY5E7FzvMPQNi`Q z217ElaZB_~&tK%()A2T>c6dcCeEm|=vhp8Lz6~c4;2C#!E(XRJ9Q2$WhgHOof3uo0 zNdDlm428NKBAisrL)G~2y=Lym<3nZT>rP3@jHia+#Y#b?9bd~wcBR1S^!6NYTzDAi zF5-D+u1tOkNN=?A+7k;ymZ1ZtHKqr`3S^>~5ou*@Cl|LPMs|rhc1cIAg$zuO2AhTb zW8G>;%GV_sV&6ndq!kb9UX~UI>%?(+Ry(&`6hlsqbLQFq3)cDvn3$Xt*5AcU>XL$E z^uaByqclp3)nGlnVfit@$n#pw&-M>$xm}hgBxJ0n>!gr2G)&p9_Y;PQR%=)kt2n_i zHdgP4f(MXmbGS0ez{M(2abG{OC!!z^SQB-=4UwW`N$dk&;m~ru{AP*!XQ$UZ?kQo8 z&$~SYT!AV#AyPwbD4ueb8r=eNNp-CK|!V2t^jo`aNO_Q&@eTOM$Bra|<&rcbdU6!X& zrCZ4(MOnIy0WSA!SSYcky(D>L9Z=rnl-o-XiX_um$s_))katuT0{H5UeX5Jo)GS2BuMWkJk z7e|~kTqjT*ywvJ$tbxVDe1~;@gd6OBTUY^8?=l0!sfr;Zm5nDA&LN&&iG-XP4lL>o zK1{1DsGZn7J*k(!5V_{x>}62rWhA2?Tt@SDvVi?$Lw`7@#T7aX)tJEpI?huv3-tnx zy0VpoZZ3+-RHS`+Lh9TH(5Exl+?1Xk@)m>HnbmA=`%>?o`1B1<71q_cIdn53laR(fBKo0d<7CRR=nJERLSS@ar3Yz*+t2KD1v z&YZZuH;#X6qhTg>RrcoY&LbWXBUTwo^XUknaO^j3|4?{>hMPv`F9F;UTS(h&_!v$V z4D-2nk!TC4683jHAhIlew#w3x?wb=z7{G$P|62F`53>POT*84va$F`X%tPM#>X><0 z5B4D1lQ@6M@-*a*reQp&_+ji@uK7;i@DsVOgY{oi9$~&N*2L)pl=c&+H z@VrdyTU+3a(NEvK_~;C;oHQdE2v&g(6_EU8j_mxyVg|T>Wg&oO{dB|`Fk|esI{N6y zl2rx>Np57) z%cYeOATA7&e+^K<=k`Qkp0;r;|JwrtOLiHu%6t^q%G^2l9gC1fmuiL z5r?yFoM>tdn}u4>$NkR$+gEwbY^dK8j2w|Sx$mTmm4QW@aQkYszoy(K~ zQEKe=zT7UVX<1?+Io%3#t5m)p8k)pmtg*V*KBSQ3PP;n0X4Sr0d@69>X6^>&tmIL? 
z#8aB-R$g--v)xiS)_>by_veq9p-LR{uky2z{vBSzld z#pa^^ZrS6+*nB{Lr-BUHU9sZKgPJN2d{crAmt>P_;Jo;;F{-MAnX@41d#~?9oZWAH zNxT$MByKP6HB-3Vg02kvf&1LSSx0W`mzK@EDJh*A_E_H8hQX$7S84XOZXlsO11Q>D^Ly*>j+F(ZBNn*af}&YDg&Ok(VbMMJmb9 zw6oXLo&_HVj!2C1apzUC4~Y#a=|KH=tL{Q#ecDaaSh1AETItZYk=)_qez)5TVzu4q z^(;q|WleYV%eBw``UyZpLZe~t&A-7Hjr_STt&*INJ=0|HmjqEm=8+C%ZhmP`Ky_1J zo&>|EuC-+i|9EF0tKF74Ly*?4QQxL$?c}iP9~A@AsQu;sA2qRnTk{vnfQeHC^1{bOU60QURqBv{FX3&D3h}>5)w)4I z#=>`<`NWdfA3Cwe;`OSq;6|!*SC%sOQ=`9|@EQ;L;E#&Dk-K@tGGF)) zFkwK4m>!lSv3Bb3@|Haf=J>t*-whX>3I+|JlJ%9sDc=j6CIjtT^k%)(pG0}gCV4ea zT?{twQ+0+&q3q5(taRLHa*bYwqt)kP8)_$&4=HCk37@FOFvxrJ{@4R8^5c`$`8_z?kDV~ z>AP|=FXOQE^!u}UvF4@qxj`Gv9$fX+%_cV|HJ(VOq}Pa)M1{PiXT4|a-G&bR9%anq zYelChQXk&G5IIffXD)|kU~1VP%yi|{sY$v=QPN2eN2k_~Ul;JCAqcrlwM%6ZIU9J-84cQ7yw5gj*sLi$cv}vm?Mv7;^-{E&<`Qqi5u@ff$GAug(fb~ zU5-}m0(-5^^pkQMcK8L9N9Fibq{f~xhFuXM`-a|Ods-pc_2cfBOJhfV-W3Nhw}QgO z&kkjjZ3$rMTx@SgCgf141g?9s`|fA2SFfs*J1<3%z2kOcwmsbz{4Nd)Lp^6caR@Z- z!qA*~gxNkLn5Mx>1$d4=S9ft}FdsXfGfvvy{knZ(*cg52t3jS$&f0b<$^bvC`S8t@ z4Le?C$|gw`oncn3>iqNP(t9R#3Y>p)0U{5p<8a2+QID_Yqvl*^S_$tc3`BrMTk*PB zEuD)FAa_xiElWSIf4gfO6Msl!t603;Sj&tMl2vkS>Tfl$KoCGjs-@V@|*iU|Ne2iG^ zPw7CvhTlW5JO`7@OWoWDGj248mpZD{Z*PafL~v{EXU&t_FGbe2gV!vtI67^G24Z2h zyd{T9B=If-d;(WJ<^DY~GxclL=jd+kmRt0e``0G!b75kBGo+{``Buq;1_{xu(E)Qa z$Cni??gBG)R#xHyVe4~q=cBYd{5yodTm?TQSFqrfE_I9Ej+MGP&YpUU=1ggSbHA_g zyrWt^KF?@aV2CsnS?5e5t0cwV5%de7>lukIr5>z-awy_BeU<*| z4G&bn-E{s$xwE1{ByUb5S=D8yVr6^z1{_G;&v>*qqS~)~j$?>3f-^wEExVyl_~P5m zP@LG(ZK}6oy{Hd{is#xu{>k`?MfjK>8v3STNunozxv@j?rnm4FCT35OENZPfnZm7| zO)CYqK|nE=SvXp)B$*QCU{TS?`$4h_oV{hIeoe|fKjz6kPuW^wns0C0q{0bX4`YR+FihD-xdBC^xd3yf0WSW`-4TJ=PdfU zQbb2|SeA+XU|bIBtfY&Cz~hNqchoZi49w;#Dm0k8G~63E(X?#ThZ^okvTk1_iA@wQ z1lO0765PN+=b<)Q)#U?ri_N`0T>}>CahU?+(~LRICNpw&3n|T>6sf%K5u-YQxoPC7 zm~xI4&FRkOpN1!?`bnb)IP!;{2dgDlrj^Lei&A#d*q*MrELum&8kMn!1VB)?XY{4$ zl`!S7D4(s#7 zdoRY6xqH+fBTaYL(|1Ag%`(R1dj{3|@^j<_u46k1=sJw8)1E}#(F6*$EX7KIs;(9j z|3sSW61HDPw1|GRy~?ocop;W3(>O|tppk{HV@EWPZPe8drSDMCrH-g? 
z`3m!DW|IfKDJC0V-Mw&~f|(AOk-Xv;R3X@;9e+MZd}~oxKOfQ~-Y{rT!EM$rA62xN zCYobL7KxF0JKVwL(|I%|gLUvd9OLdg$7o^varSZNq3b)p%*e-}4I3c(08Av{FHZG% z($(m%x&_Z})yeB-k%QAAGLQ!5(Bv7hi|{xcl;G#GiZE*gOY7|Y6AUTx)F%{TFlDXj z(?b^Zds<$2JST;$=bqJMpnJP&DOTn)JlAW{ob()b3e|!)#B_WXMeOp|RTgM53b1{u z^F!r}iikk99GeC*UzNFt@SGl;u~;9|FR=2`)T^Q4UG+9(&_X}pft`!h|LQEP%)~ZE z`KxiUUs{H#^A*l0&W>W!_o(0ZZEDxL;DRpULrCbEZ% zXXK37lJnE|_Bxt@Fk7>q)78r}pA)gDw3)FBakdHNRJ3ifb~rn2f$jl{HP`c_Zg%m| zR*^F|8)zdNJVNUI_{yZ_uJ@ewf$jL~J#tKhI8yYV*nvR{qoN|HE{@&D`#bk0{R81B ziHG6A1XnFt_mS1A6Bk!Lp1if@i`a?tA72{SwJmT^@jK6!AmaPsgtgqP)F{KJ&(7*i zwH5+n1IQiI=jezqUz-gGka;Y9+exj3PY;Nv=KsCtAt5n{Poml)^b;{MIF`X_g<}S`fYn_MDw97CRbXHC& z3nYg@mI{T142*oT5TvdryfBm#UQGTxiS9DuV*uwM(uNntU1=4iD#udV_GE|=nsxMX zEO0P@jAFSZh3ng&ry_qXtH^a{VfPQ!QDLIxR#xV=->kof-SkQ$MJ5%FsS#}TqUmfk zouRH06}5eMgY*82Vm(A^d)w(ONx*GCVO{xd)%)%<669p7KODMl(N|}g4l9jiRm@38 z_Vl$ZRc9c>4$n2qE4DuSVEYw;G-u341GI4T5W^eQBD~7VRPZv@)RH;t zrXax_yosGVJ3O`QBv$?*7yi~+08V%tt8EOZUCqz2Hzg{AOX$Cap^`eOhs%oZS5)kSg_qR+p&E$<)tSQgI< zdj>iIt)uBj8@Si8PbF3g2tUA2?#M2qi_1jW9rj$I^jBPmE+pEGk*bI?#C%bX%&zMh zqszmF&fM<~xZOCSHvv$?OlkAeZ<>GpYh&q*3Lh`)>0ntc0>b$wJX=`tQ6+`8ECeT% z&7nU6cj|s>r*|lEJ6Gz8aEa=N@7cK>188A4X5CUnsc3Zb~G zB9xS%M9;Ba5n$FkUUzg49V18A$Zmc85k-pH`aELRf~QE21vC9eC=HLc)6D_DZJPCw zbmh~3{4ob7hdX77Cbg9n=p$)UU8vCU*`YMG8&OwVK|{i>70S`E)T0R_DQT*5wGH)} zRP>B*y5|~m2Y)?(j>WF4TQkPk#CEi^x!j4dn_oCeJDT9L^2i+#RbK=Q?w+W*Ym2xQ zlIj?<=Wn=U3hYY3WHOgZs5TAmGWv*bu=hmPN2DD{L2M?2dfdv%K-caB*u#>X>dVN~ zAJn=A{8{qXYsCJ&J7>Tn(k4D%-}=10+^J0>&~QC`P$lNye{2UJN7zH^lb4Lu(m{hB zB1?;&%Q#et0PVD;ecAu)?B!R7o;rX0nDS{e_3^ydsX0eOJ5OqTyi)WsFA)DJ)VgXv z6n2FPuYNMzn{BY}cMnJK7h^;7_;kOuFW|_z(=rTH>2fY@E(`5{FWC?4>*{~OfSbe> zAL)LOvOfQu#*Vi$U-c}Sg@SaK?AoDskdHE=yCVNOa6JJ%nn{m9+|t(X;Ms$5-`GtqeC!&vK0~4+qvMO+y-lUgK5MEqY8mTgl4B52Mszuv zX;6&xe-R=Rm6DQu#hQc@xOF;8i|Yxb*aeDfD;-V`F%qNKiqpL(<~F#v*yQ)9Kaw$U zq%Ka{>0LO;!o(hK)pNm)NNG4**voH`to786bpMFg6V#D8P_w*fNZA)h7TJShBYRh@ zgM*1i#15rYeil)G{R0)B9|}Z!{nsyphK?aGa2yBEdYc#Jgvtw2e`E>AduRR-3#;ZZ 
zj*-aQ*b3B=PHePVVbSFK&15)n!OyqQ_yF!`VHB50<&%vHZkW^5aG+rATU3_wW-49m zYs|rmlf=gBi~Mi4mxvB#fS_?3hIoD~+9N4^R!*MVeza_8i7hAJy`aA5qN2j+4Ct$p zf%*JlW#YaW7`wqyN{G2bVl+C^UEhYQlZ)T^wt6ZdXDIbCxI~ry<@6Z#;7Z~eDj`Q`fbP<@Nm)aq$NgkP zy{A;&BIEc#HC2JE=i-Lf_WH~+FL%>y2sBuA1FDddko-DB-ZT%lbaG^3GMW2fVL^i9 z51F<9Md%n6{+#$H#X%H;m2Gz6v)Sl&9GKEjky0V*lH%WEuU%TQB$V4O1WBWue?8J4 zK;2+zVg!-ey!?`SGiSDsoI-SlVEb+v;dvYu6;=% zpM5Z5Vt%&|b;{K3Dz9>9{@wKxqX!1djv&2bJv9@LyNC|AwA3x*?9d)TrB7O&Kbv(b z*h10Nr#3)br6pTlo3%v9UCwg6X>mDqnUVWL-lP{zY#V-zeTAsH2G(=QyBqC)s)gP` zcn7LoGxrQWsYZ-3ewWc!(sCOFOAEW_7f~eDx)A+t*y~}=K;MU7;H_}&ut!v7H|J2_ zmldTBcaArXM&C5lKlVjjKav4-9M-F8^RaKKrI3|v53~=-gaq-$`1|T6dkqX zVHm$v)9{B(?cxh>Ld!<&Y()}*I?MBza>xtfd1XrFvYK^eK`S6M_etda;F@+UjpEka z`&+^-Q;xiwu}`ee<&M5DLZT)-e`TlnpD5v&#?ZsLj|-W7mwxS;Upty@Mfp4tZUH{D zJwd=5250W!r^v{~(|LrRcY7nntz?ux!V}!QOL4*iO3wFXb_9Md7S+DWo|K>3=n^~I zD~ju*#br!jQeI!)cHH^Zpqc22UEyR}k@KQ%3~*InM|7k&6 zye7audhwj%_UoS8VSzw=@c}8cbjc!F!hjbDiV>>n>w77x1byv1HkmF8Eyy*FBer^UPaM2LWk zTL-!B4etS|^gJK*%%SbRJ5REMHxxENT$Yc=ZoTX{)jdf0nzE0axMt>Ei~TPF^QN-6TP$@ZNaZ&-Xl*;4$bbMr}> zdh*#j-}J&{liAG2c5QrzoGB<%_Ggc^1-Jk3wMi zX~ON}FJ&H&U@%6FhG!&a-_Xulmim%28t_KigMkeG6C>}ws!Kn{+6Ok?5!rhF3thF=r!Uhg~{L8j}f8rw`ZdB$$kgqMae~R+#2<4dxnc(j7wu^~j z<~GiYA=<2bVnlB4S`|8^a0}CTDyPQ1OB6z3m^S)DRKW|r^eB462aW3^cvM|@% zBU{n7Bn>L8SZGSkJi8nJpMj8t(Xg>3i?T#M*zb@A(9v>~*#~C*Pq6?f{eQ1{^<*@z z+KLtrr;KE&hHwFf8qhAbvY+a>EKcie6zr8{%jhg`IWj$Ww|>W3noI$4LwI^JYIhsI zul)G;Fc0GNowpnNGrTu3JN2Bg+;e{9o^ z8@4x7ZCfyIYin!IJ^PJ9GNHZkYAcr;)^EmMN%U!Vs=V(DiO0nvRkB;jWP7sbooeQ= zzJWoF7Ld_7ylHoTIpCS_)br-BlN(l0RW)(Cv^kuq-nY9Ns|{2R90WRD>WA?FHT$6v zs;!-kD9EzaUJT0$Y}(Zb`=eKDjclKC!z>nCeEYr#Ty3PqRIjeAY}nNlHr~~!9(;L< zV#lpn8qDLcW5mV*lR58Y8DOoga=WyF$;3uSueuaxWQb-C*WaE^1Fv5!Jb}q5tEp|d z9JU2w1LLaQZ!nd$n69)O-?U5Qu(XJuwjJOb-&rcr?*XcHaH!aB&&iAjWP(27{Y?xrK%vZ16va6w2uPE!?ydKU%-fc$^N=Z+jpOW&9GO}7r znI`)E`}fVw&3#L0X=$rATs>MRlP2X;KYskss&`>Skr5X+VyDA=ihw{#L1D~FFdnR1 z%=zZc8)oJbRVyc_s^*VhCDQ3_QIL>~aft{CbLF!Wo}yG=USD&dgoTGIQ@_Yx%Yf!i 
z$0rUNnVs62vQ-*b#s|2$yQ}xnb8)Gr%d^$uzjzT96*aO`0|CF6kO&G0Fp5v?`ebq@ zm!+5k^~^9|SzBKp-*K65aCdien@U#i8K4K!5Os^o1UT}c)BQ7Q^%Eu*z|i?xoP|}> zRY`#8-rDW}K71d3Z;5J!1Eg&A-CgWsKIp71D|)l<``HEW5kWOdFlpN{{IL{uu$xNs z2^LN+74saginCk$$oUtXK1mVSc8qj5`$R~h_t`m8! zL2cXl{}HQncGd*4pXl#zCZTT1lz&n_XSaSvkXhEBLQ8#HflgXcJZJzAC?W9`6XmGD z``OdmHw%uL5^_%AT+J+o^xCP8UA0XO^{cQ-G778-NV%y z*#N|XB|`C%_;rfoZl8D~qLU=DyD+!v>QPs918ErlU4saQS2`cBwfbYsJ4~Ao4i3Wm z0j=^qljbL1@lNphZbioNFpWeI`|XjiR(~;9jhHHQ1)wf!p3}5FjQy0BmX^nUD{9c_ zfsFxHEc(B}RyeC(f1l%>wtV+Ta5qnUz3s4xtRdpB@;|{`^VDbi-)b(y`ddl9J9F3i9{iWvLpi5pFB0C%cTkewqTqeCseYf z_P9OlMK)9TrgOU`qfDf?ehubjJ!y0SJRpp{NvO?Uo;bP04hJV9 zyBt}O&C5J@o?IFU5wP3`qqZi@W%t`B0UHy|d}#LNz%i=iuX{5Avmdl+L!M(MK7X0` z`b7)6z8ND!@3J%hYfig^pMf5a-o;AM*^c8z4mQ2*ok4^@3l1Vn_3#$UySYkB%Im%L zG$R7=e74kBbMg}q=HR~(Rjqmm=+Ca$3k>1FfWFdZI<5aGQpf-UVyZ5|tuD$-y$rBF zJ4zi2#U&!zSzlk@)Bx3u2ew{^5%)d|-_%rBGG-k?!3!sunl==iqCbA6t1@O$YOY!O zB_O9;vJ_(n>#<)LY>DJ~oy#U30IluOqa$I}0I=se=OZ9`HOhJsahuzCKeJebA{$QJ zyD`gA4hxJ<;<;X4-;WDHSTx={B-4>ArdaRCl1m<8O>wJmoW9C8g>s&&4)A$=nkPy0 z(JH#CnKCzpK9{p{QZ&;QAYE91o7b}EQ>G%qU7`bmP>y04JsJmpy{>avgN%KKsT=fN zC;pNc^ZVaGS%(H`kTT}h*Jt(tnWa_#(9Jz4#&Fe`%DZU|x^vKmlvo(i<-X^=>q65b zS*pjso&dglJVEFi<1{~6@$+pQaR`@c{L5*Ms*X=26X~bh(d-TqM@>3d@ot?RK=L^q zHLGr0+sVqiR@I0sE$w>ULqy!t_yE8!Zlu2*S}Y1~`!(a}|H;Ai$a=z@ zHrCCEnE(Pl{2sAP)fY!hJTI07c*VrT#A4XLGg}LA!;dx| z;rqp3FJKGBj{V<*TpaNK1i5iIfj%x{|8FsFGQY=^80J4}3HrB>Wx;S%#@ z@(+VaK>V322+>XflE;zvB(G?U84%afN?b+ds8@Zx_*|RZj@7F42Jqzo@$4biYkVb> z&{19XM1tA{v40lmAI@@^ytxac^lt}LOcPts;lq*Im%6_TFYKw{03g2$8jI8s-F~uh zcRd`*_*BPiLV+=lkRr9LSfS)>zhv563}f#lyT#OE$ZpHU z`&&dzxp#Z-!8wKbmnVJeu*zrAg-73P%~vQRBz!ZWxz&@M)NYizfh#2*&p>=neg}X4 zM;6L3y?)Kk&d!%FUn0oF5D*X?TJ1ofUu4v5{CIrzzm)Zh<6x^S<>7@aO(yI}7>WeD zA{;qvEt(K=x<$ooMgrB8hAchPg#+usLwAkBXHSr))8CWJkH@w#$nLTec5?Y(CDwA_ zV7(&7#P)1hkQ!@%bv^M1_PsO&pbS{(Bq1>Dm4&gDOWdfBDgbSc0ED|f#>ySQ+AIJeT2UG;iErxGdA z7gJ8|&R9nz6PR9GJrCuE`h+{N6^*&{$fvSPlCBFPmyueTDyY>xSrUAlQ& 
z+UfOiSu#N8B{6a;$hmmzmJ~XLVFyw?@ejw=8oD~Aq30$X6k5|SG)A)M4K&cCd{STe~Y%1U{v6@WllC6U>#?*pLTM3&!O-e3F& zGgz&`X>hQ27J#vp1**l4*P`QbE1z2fHVzty0g1CsYSm@8)G9wo^AxDR=@Gyf-eGwy zZIpnmHX!d8Vg;@JhKPpU?FmqLWUM7Pcq{HF`eOiS+5A@ZPr}?PglVPIA)v z)w2eCC6?<2eT_(o%}A!aj|!lFbA~d+Lf)Us$~(H>yLsOGh$d#|8j_}t{4N%8KoHaA zd4zaUtnEpC>?=JL=mefNIhJhoW(B)NwZ|FXyvK!KmyycZWi4teXW|F~DhVyo`$^A( zp8&6ngSSS~H)G3c8~(OLoE#U|paNi6v>mtW=3_im3k$VwTk%>%qNl`Eh~MBR^V6PR zL;y2)O4~43bfmuIOp4gQ_(4kr++C8|Oh&acQ6=G&z-|z9e8!(`eAxA*Kk4UGgN1&_ zSUFa<2B%eNNuEl!g$Jb|%R8Njw9L6G)8Vbu((2^8L&M{QsZPhOzDn(**+*reI(07d znt#z3kf60Eosf=Ic~^NZ^WggVk|l2f@T=g>UpT>Do;&(H=Vtn5J=n|AImx1EY0Yv znRPaKgxOAhQtx_)V#Mc7JH8cUy#EpOpug+M;QIlHgXnA>ek{`W}JZ9UN>1E!7tM z3NVJZ=Z{Y`9{$5Zc^X?L;clO--veV{W%%1qmpTAA3O?^&yQza$#$_JF_2Z1Me=@$# z3IzembvqljtHU~Se{>Qy>VXq{r+T0yf0w4?C>pe$B8c72#}0t2TR~1wX^2^Oju7Wv^lNnD=J7Hm zIQyN3mpflM?*ZUunIz7|O$YbvX)1pwzeIgi<6y@s0e8_Af!c zx`FtGLGMTj*gA~p0QWsOFvIw52Lu~OBrTQtqi`BEd(rDJk7>Zt5Qqy-#eVOMKu2C; zdKGmK!@(VVzuM7ptvAWh?^)@7!#Yt)QIAV+Z!fRynpCWPW)c=Qw&h%1_69WwRR7dZ zhXpV1fQUUoG!y0NO-6^yH*&PAxc)mgG`4915Z{ngVv~Sh;eMfE?uOvhlhNNi#@C9Y z{+R30@Z}p14k*W0Q!yr4?2D?`y`0LS7sx4d0kGZnV5>dfA{K! 
z85e5IF@C6&bFID^<6%_s>G`dk73 zoKhU0>it--p_fe>_`D!)R~NhjR?ADuD(Po812YTLTeiJ}mDiv$iZx@Q$gi_cH(3OJ z7w2;@My3pm+w-n2Ki^zjJRl+hGkJiKj;_w**2TbJZK~Wg}l6c z&xxvy4RdUde(5AKG8zb^)%q4SZ5W4GBvEm6gx;JOhxjRI0ZsgY*!ha&-!p&I8Tj%Y zKa029+!W{LS(*>+xnz&&$f#l+?~XtMyPBA~%R6dNlRBTv$;Qp)F_~yc9ET;m3ewWr zs&{d)C~$YNoGux=)(@k#pnLudF5ua}e0Xwt+Sl9rLxLvfcfm*XOHZc=K27!v*I+om zJYEM5qK}P@afXeLk8f{n9a z2CgiC{k*!m`ixXTL4lZvY()|LrwFa?9ai$KUgvcS3(C*b)Q z7~H?ve*ONaJs7W0tKMW%(@{=CgB~@l5zhtrjdw6BTy4zEQ6-JvN8q|Qbe~e&~x+Y z3TaJE%{mJD|3%nafK|C}UBjpdDBazuq_lKOcefx)i*$!d2?9!YH`1XXp#mb^T@sQa zQqu6vn)$Nm$ zN!?zuGBU7O<;~18JC|=Ezfg!}Qc30x7WzHk?1PF$f%8hn(9n>L$POaQ+0o9`=~l(| z_ICb@`vI5d4K8c&StJ+_q@~+{dRXgCmUhf_Z~OM`TW{~ruaV?28#PAnpH9uplol5| zH5l6}X=#l_Q3{7gL>wL*Oxp8@n8PIFH?(1%3g6vy+p)wEM9_4qjd-f3{~}ZlU4l=Jn4xvJv%;3mjs9 zhH~ZLR*BJ&;T?5#b^QGNz~SAG_gmgS0b1=_UmqVA*Tb4AF)_!hdWlL0V7pF$g9upCuO_-mYoDFTy?#9_SXh#A|k0XrLbN({Oc_AT^iY zSWVZ!gIOmcYW(;y0==3+VYR=zr-z=N9u<>}H{jA2<)wy}Rt-F&sLvnYqd5<>>|D8M zAe$+G(RD-9-u_(#;zE~N|Gn5ImHj)E+MkP$kDZfqq0Ww2A!bx| zY;^SJbY0KfoZsd73G}}~W4nmRIWUW+RTekhGMbv22w8P8NVo#K2X(Zyt?leQ=GE$0 z^^J^BZ{C#r1#=+bp)qZ&(O3F@q-xmW?oJ?~z84T#Lf4}3cW-&@JSJ3h2uRZMU6m?P zXSrKiB)Kke~?X%74uj{d0sR7Yvk2|}Pcm&AF7Q{pc z>r$~txc7pk&cDR_v|hTMCQ>pl5QAu;-(*!8I9X&;*YujIkOWdqu%lx#8e{wOv`10Ucc(2`0Xz31DvW}n~0Ct#D=aB z#jUQyfAho}EPWFem#yR2{-h>YDw}N?RZCM7?M2dk7p9k=CD2I8$WBjA;(?P)NZ9ji zs;%X9bacGy5rT92{UtUpAD`nwiwZl|rytIR%E?lU%P3eB>zkX?w!{>pL z=hlTDKSW`z0_EoiAom3RqN`tD+KbC{*~+{t^yZJmA^gzwx={L`@4GcFiNkdD?Aaq` z0X&j1D=lq_2d;dDsuYHrhJFV!!=+69;;%M{{4g;OYKM8y%jbMaMBG*m?$8(gIiezhXEMRSE?2KG@pt{P|ku)U$Z{)z0ce#JQq{x2V(Q&?amFm?;|ND3L zXDY;UP?RoXlb%>+x%?cBEJ;CeP)T^+^5=MHy*GFi7EcP9ZT)xwUtPszREzWCUh^TV zRT9~jR-uZ5&)(YQJ}<_WqvK_D)1Sfx3+AXJTV@Q!WmeV2n!Q`gD8)tRYdbw8nb$g1 z85aV6k4_Eki9Y2)+WEEE7TVF#(H4Tq!_BSf%2u6IlAl*_Yo^j%+QFghcw1n>_tBFl zf0jDXA?1oT3-ov=rKZvcnYQ@eA-L^C@xHnmZ|4gapqh8@-n~x2QJGCzT3LxpNtxzO ziiyF42x~V{{_6dAK~n>RuC@K*rRoG%S65>b6UVtmK8tp=puz2#_YjpB40z=trTk9z ze#Eotk&%-JOPQ;vU`mB`E-RRz1($ruMe*O<*ch^|g}ELZAKyFieJjr(R#{RK&Y;jm 
z+LxA|-cgY$9#CFT06~dqUQyq*rZ^+R^zmaxo&E_WS5? zwtnlN`Q7y$$%;e;?=&M#4IS$9MR}*x{lt;P0HMc0@A0L=IB|Z>9;x*vr((JL&83yu zZJJ)-I*pIYI9`M&dpD+N?@oOEy*?MfY(FPhaZygaN+2w3_-ndRUrCFSHtu5OBtcwN z9xI{OSDW|S+^;pqFMu+Fq=qg~gXPp1BFR?wreR}vO%$!9 zNYLP@g{x&NmLgxjHl}~qCO;=f$^p{V(pQ3FotrES3VSE#At5MEcSt*ihBO%P>f*(u z(IUzCHV4G7VAd_UNE#X%O7$udY@b1d)hbk-f@^XT;7Q%j^pZlmJIu^haC}x{VBQZKlV?MC2N~-P+m&Lvg+ZHF^2NCEq2{01wKe<^m>~QLtG(kd@tG?5 z&Q@sIEd?lMoSEenrNKCOXfg`#sTJG{OLOn7Eb#D<9K>hd)M(%ddQ%!ZR@>DUmENdv z{BE{9^Ny5!aF>4L!N0j|!@-g_&z5_<@lo!aX(05vTcauG%7 z7@lT+{tlaP)ctPR*C$t24976$MX&MVPnLE)m-bt|4@(}Ckc3p}vjJWQBWwelO(yGpV?E15kCb(s$>E-QC?$ zj$PST>7Y>aat8M=9KWP-Yx+9V;;9P&!b2}M7shc33Ck&_;@$=Gu2)%)zV0{TE*zNM{`%>MqyAm8iANPuMvwl?wH`}_L<#zL{FpPon?XW>$F^$+Ijf+6smn)4PmkH(&ccGu>mf{(i%ZRGTEv)Vp}ySYL5iEsZS;*o zyY1c>xtlwumf0HXdNu@W*m2g24G-79B_jq?pKXIyb<_5)F%>m!`|>S=O$V&N;c*LD zd!ym;`2^IG(qg)x4^0z%1Q=gam6Ih{zBoyln8f?UDv`THS9A~_|c3Qqe6 zr{$teeifCz$w_@oOw1cMUT#fPypPA-KRQ~dcbI{cb+vPKsivjH1EB@vQP8n5L597; z^Y!)RFlh`jpNwG~Zf!q3*pMz9fvfm22R=SNIXQU;Pj%fud;7}na_8aUAyg8iq@++y zu@OZGsl%;xbo_ui0RTEgOfN4l*m^O$3=9l14<2ynSAH5Dt$p{-{_64qSrP%7NkTA5 zxfvj&(b9gNn0TL^O$!wb)LiwM@puS1H#{7VGZy@jNP$PFe*+os0~8^u@(T!L$BTL9 z6HmolUFr*l6)f@}*J*Ac#U+f9ZQ9WXy~e1cUQ571R>*bp>Db zT3W(YSEtX}vz1q`rz?OKOlMnn?S^03>R zmg022y4F8V*#z#f6z<32`T0Mfa;2lADsO)xB!{#c=hN&=mjL&RyR9a8)~3^>OGwnOH3IO7-yZ z@c8W~f45@Zny%16Fw zG`098L`Y^JI-Hh*;3)tc^6>C{oLfqTEEN?Mb$WWrU5l`d1S)eeQXAh6 z6*wH$j0#H>yi=XduVY`GF|)|*gFV-DgpOIuAzDM@yVf$KgQ zd-5aX8!@Myu0Ij4@3*aM>I@2($40%e=fi$8iMExaEwebq`Nb_Z+xEM(XVIoDF==%t zsnKQZXJG=DbyvR5ihugqBVI?k#%fhxy*^(Xsgw{m!*+UUb|vI@1Wl)R0%_}TDfz67Ry(oQZ*6_CO%G$#3(f*)h6di?HW4hn& z=EbL~8w-snk@ZAd0~c$oC7aD6KU1e>kAps9Qxgwl{9?`6QSR=g$vo&iS24;3ZfSaI zC?~m3>4Ud8<8~KB>>}s;)Q)TITghk9OyhjKnERUpKW_D#D8jLonhCsQxbsFtMCu)A;}40PnK0Zf$KrF#b4qU}d4q zG%`3?dBHFA_i~_oYH!b02Y~Kkx04!Rvvx7DB#y_<{1`A)V`C173?w0SY;-`PMX;4d0geijp1S6kceC2)s~j7*a?8PRkt z;r|c$XK7s||62h#VIlm;kVwi6D&hdUS(c-OHZJ0jQ)c7ls}aYlQ6toumL9PS2`%Z! 
zQ}xrsy$#eTQ!&5G{#P~caix@*{1mf}er~ilZr5h!@2Yclw%wZm#3orL&*js&Gx|z; z#nG8*25;|!0C88@%Aea;x}l0hmuF!)PM*0i^`L(#TMstqlU&t(^h}K<*$){{`}$N z;|ee&NJyTjK$F*1d0lYAm5PG@v%w1t~{^d8^kz$A+f;p&nX{#q}ImZ7e6 z?oe+Z#`In4SUQ4NU!(v0Cfz*$>BSggu1n-MIyR3Xc)A^WlO6ls;Kb=dB9GlxN;m5k zAU?J;GKKgMo61pLzf0ON2|c;oisEY_=1!`-+Nb&}d)NN~iGTnAcdXrmtk7r1L$HwJ>6}yTXGiro~U|C9uq8v8w-~{)e zqu8htXQs_hD*7mXRo z=KM19HFbWdT(POeT%DXYybLtpg`zQ130UhaBr1O`NV0UeY}c_QtnPAffFmp5^q@HB z1_DA^;u*O*d36so94cNUqL+Yjn#Jmg?JU^hsM6DcJikzpy6SOyA71HdMny%%#Kgo- zY>2pzPr@$|q=D;AjJ9>xhS%z`a*9}iNG{X@esU@&69XSNXIz4ey^gL+ROA3r1{Z?b zM+%J6*b8o@{pVx`o99Gj6;v}DEq`HuBlzf^JbCi$S!H~@&cp#c8eEogF^ZzusQ&|0 z!|0mI%F3FWQl<9ky3+i8W!BmA|3Ja8Lc}l2nn4G=go&x+`p==@Sw=756@M@9sF0A5 z+1Xj(MPyMCd-H$-u?!Jc*4nr3?&(H1J8$pCe~l3L2-ENA#jUfgslT+yUn&x5Sa*Jk zd(+;U@xAUmWrv80U>Y^&jw#Z*4iKKeGy|d{q(nRe4Ze#CzM3>M`$@&grP#xN4t!!! z?i~qYq7?>pV(2;2po{0r@lxO#EIoVXyF#F!z2U?#HyMoh`0*no^S5s` zh!6g*BP2_`e=~WSs~ZDZ|2$T>3|%$4x08!YD)-~tu!0d+oQnNW$B#SWYvbZNt~A?! z$s)whMdfsLbv-?gfs-Wo`>ca5pT4Ug{ze|1>&R)uV>B+{qN%h+RPI~62Pe|OU6>3& zl9k6yh)22E)@UIW?SX=TgNS$3{@zH5`e!Lz&pP@I19*7&&(ukDzOmF(Uf=D1_?rny z(Lwq&YOL7kU%LVE-a#KppsEzNHB7|h+O-g~J-7|agOQQ3%&@L|YRX`!3Vz|2A|9K~ zyXsQcBm{l~&5f2{{&mxV=09hIG{1-vYLk(Z9fGYh&(Rt~k0)`e{OYer15avZjkt<( za^ctAq*u`FvLe2oWu>(@wM+Q8K;=6LkE1Xpt1Rj;70c{jq*NR4QU6+q+_0-G-UFdT zVXbxcd?ZHlj{om=!#%I5lg`?TPb35`uF1PiPh#_ZhdOW|L_WtI! 
z>$^CwQ=Y$q7LvrNyzdsz!b#i=l3d z1XY_%cb73`Ls8}f|3@T+S#daqGT`*|uF&nlv7%v~7zQ}|PZoYRGK89Sjvy&oNt}ZK z$tC6c|0p$xacj(<$gH|D@rosDR_OD4fESbl=l6V*VZhU9aCACM&Y{0v7Wf&_pNq79 z0)pP^KxSraY%U^*NpO4%;IVGsI=mr+3^8b($uMeG+f~NI0k#@-+r-gC&40zAyt1a6 z$D>n&icia$gu}g3o(YPZ&i}XM+nB`(zd~_IZF-3hx#*k}@rfKoj4q5WR?X}$pOo7y z*{tU=Uhyp~pkn+r2?l;?7g4dst8Sxs0djHX->b<7)@<FVlw^!0UDclT!Ahfe_qd+i1`F0xPhVwq?mW7VRr z{!OWYbZ>v-Vh5@|2Hpr*^mUd%I*pOcJ3_a!*qBsOcx{FmAcRQxSVVAS+-YfaSWo%v zhr%M1!2hp>B)R~VGH6<%nB-3^E%Vm(VU%65A-unO^$Iow)Wok}y#gT&1mEO)k3vAP z*M13#2QaUIHNlDR_*a?)6Z_#(M+79)2M-=xyLQdr-=B9nwaSd{?RsxA&qRgU+OFrX zU%#jW&hLdZHxr$Kq!}C>4E1p{6!&2MgBySOvMuet3y?W8uhu}pe($(|1vHDjy$GnS zMH;!lx-+T)tD=-URG^j_h11>Db>C@8MneNPwu^$>^4rg;8Ur>WDHb}qC6EEpvSE!_ zK7I`89g|wj*q0WD5~OO#r|?YW<>l40Gl`sL59H*;;b>FULSbRyfn=V-GVwupg3f5_ zf&P9bv@cUr_Zb-4M@QqP<6~o80APdoC@Kmq<{)UMa{o9)%YYrbzP|qYH3k%$)YO@z zJWu53ZC}vzXNqSgCCPV)Kl+LRw5Y)nYBSEimVPagOQu)U2=9+p-w&lN%^zEGn|vhE zL_L4gh>5iTAAo)e0c?c<7E#f3)k3od=f|tP$sppsvB$y1-Gwr0 zq1i`(ojtN`5iR%&Fbn~w8-+)|=Cm|4yncWG46{MZrVsjAaqgr&NUSvz?+mom)g@vq zwY9Y+BqV@=GFoo%J=p_Qdc54^qh(hNF{f#mOb%4ODrtiE?%!`n_Z%J>X=`hPstywa z!+mF-9V=rG%CN(&iB`|u7u|1FGDJ>>^OZm;1%?I6Z>-z5ZLO^((6(nAc!Y(?X*#@UR%M&AKlq$Xuf}XeuM5U(D*j6g<%1W zp5)Iqy7eq91i=3TLZiU}VhjYsR}=c6uw!6jC!Q|11YBJ{>WtE;K)-z(miobrV=Hh3 zE#8N=BLyni+1bD~-pzs55^qp?0IUE%1FHbh+|uHAHcux02Hzm&+im23*;|OL7f1Lg z{dNvzCtO!{cEo`p+&$Wd%^*Z<7F1$-$G*L&iobyFeRO>QbdG?cd-)lankMLj@vlTP z|C6(wR%{Bv!OpeAg>ER%fVzTsz9blha|)d?fFK1Nrg^RUDeh7tg2&;68F+CJ?~y~h zINu+DNtZzI_YT3tBd;2H6NAXr1}_B^cfD zA~kCH7}m&%?`5%8;q2U8u~a>*fwh$tPahwxHF03a3(0U6m{v9{NwAVYG)Q@2=j z+(vonw71d)_XtoX=uLQdH}pXO!P?W)Q_Q}xv2k*85_9i0rLeAug%hkUgcdXkAquAc zF)+VC?wucus2P2wcVnler3EZesFn$K!c*Cr_W6n_JF`d1Z! 
zufI4ahui($O87R12fY1yr3UVE02gLM`SyX)B@$PBL)c zkU*@@A9yXl>?)OEMRGNb8!Lt ziQN`i2M~yXID7m1v9s2Wj+~}RlarIjH3MQZHCAf2wzd)ypCA)Gh^FeZgtobNY<#@`u?*m8kV6QkwP%$JcMB_*X>VVeH-?Y(E;KP4rRxVY@YZ`L5R zg5~x2@#9SY)8f!j)Wn{??(XoYC?Y+7g>3KIx;i)4^8tzis6$~xj#gCb2BcO^{Y*$) zC|O-y)ituUu>r$H)8R9$(2>n(wN2e)POh7toSjXxavqs{FK3y<+GBS5!VIONsK+8!8Zul3cyHcXeb11&_%MPLm93ZVBtpS4fvLtd~{c65qiiDE*j?>h$>D#dlbV>hfV`tTu%%tgp~<=f!kAgp0qO3lG| zpjkyQ(`#2+SI^E6r3_sEMYzmUGD05s4>vIH2gqFl?cVyg`Jk^^ZkMkwWp$8K7u;A6 zbaZrrgM!$M>cP;#24GS|BrS!fwCs=g#etT*{5Qyfdhhhjt*rFG9@t48KtM=HDfld~ zWd9UECozYyAnX~=*7M=n+4IYbv)1#yi098Gfzda5Y0jMt7J%hlPnXqR_-_csVz7xI zd=}STw>%h|o!x++2_!KDuwi zmwy4z3}|Ks)I!)TR(&aT_EX%D6wlAkK`{VdWSMDmWBNR^N{TCZ$0ErE;72M+T#_sV z8G=r95I@=2UN?$cJb(TiauK<}Q(vHOSGr<1T)m~FzCb1j#UR~V45g+E5)l=JWgc+0 zEdcVnmDSqo*RLU$f{vjX3i<=5e&s`$I0gk^!4o?yF7^k+VdZ&ydu!i-W>X04p~1ly z&~)YE<_0S6D zAfFCEPqc10A2O#^reBEpBw&47B@qbZ`VG!Mx?-7erFh940QDgRzR>b-V2qlXL0BFk zpe;qh6M&!w8H%y)2}?wWVa*d2TieZ%LbYNP5DUQ8a{-_UmIE#x9{1B(K{K<3u&^)~ zWsph(Z9&e%BPX|eJT{LbLKaCxO4?vEQUJ6uZ0gv%VMYKpdp72|Fd&EzsEJ>=0yqY+ zqe=J-^7t8a4Hqq@fyc8aft?kiIKrlP3+CrFD5{y}pe{m4h7lf}MF(aH(f14+y0{q@ zIQ$T9i|{J%U0E5J9bqvGyNXM4K7VUDk-vRy-5kCufo&xrbXkoP%}JxEEzW&fyQ<5Z zV@UO-uGf0Ko)#t)$z;KX1CwQHt;0kv4k;nsMq<71nreRdA1({FE<}!D&U1cxpOo<7 zox-;k5gRyjb34b;dHD*_4V9mt3O7w+#b)@Te^^hSP%<(wuo+Y{2nl(w4`xHf z2j){Ch%ZjNy!9Y-!-E5=q@D@Vx1$YC*@*88)27q4V;Pwq+o*AtCJrXFvUIj3yzV`5!B?t*rx+L}6uB)rR_0c@byNt{oj3 z+TGi;wd0KFAmg@_7Y?TqP!;_>H zK}s+F@Ig>a%v59^L0GFhSIH757M`aWRg4BS{EJ5hUTtD>pBiPR-YvZyFmSemYeGkF!lKmsL z@aOG(UphAn_0M0IXheNM6C{OOJguiPfJZCyT}oCCIqrI7zYN-~hPoH4zF-*<@&2O< zYYzgFJ--p+;Uzrw!j;Br9-m4W4NWcvf4_#5MUKEP|Ch6#Ly>%AOl79Ceds-=J&YVU zVQp)Vm8d!qcwn#t)c{;2e>II%1>dlpmgz|D$GjV$&@I@~CHE_bBb7Yy>*@-lCJ zXQIMq_5A;fAA>GH&eGvYI^bGU-g2|5HuAFSDXPhipEdOIAlTz$P=CneXu>mr37@=+Vq3lSy_Xx5!3p4^|%g;FF} zjF3jUji0}MmFMO{^c}tFcc=}-10~l(q|5=cI@@@#6VCEE&WnI?9l#fO-3<&4ISi`v z#(2)5z6YKVyh^!bILN!p(c&$>Cz`VlA^l^ZEJKC7yURsSg_LDQ2FwnCUNOjyvZ!>d zFK7^)jo+C&MJKd1l&n9K7|{N2IqBgBOda4ZyeUTf5g04zTevxFwL{O&jtM5klFijs 
zriM9)4ltRvgV`s{HoVhv)P4-1@-VAj_XP#PR&NbJB^*nJ2~rmTr4vZ7U^6RR*OyQu z`nO~`{9{}3W(foI3|$X-i;>*Q`H4Z%e4UqJ`ME3E7qDX9LRznak_il+@FC4jO}`de zIp=?EZ>uzaa9NA8JcHWm$Lgx$Qy@z<*J|ItKl<~h#pkG8Mjh&qUKR=bIH!lxQEDahlaU%G;z+lyNqXJMf9A=V| z0v6uX%1W*nh6>{bZo6?dptgXNgb)fa0n(6GBs8Od3nwEzT?Hqorp5)De87jLjRZA4 ztVLKEP-_Ewl~Goj5G39cE8gPp{B$b!7#7 z=a1lDklaTTptb^z82Ah$eSK|R-CtlyYH08RA|~DM<+XLyzqBtQ8>Y2bRQ2Uoo{^5C zS5Iw7oZsh>TX)A1@Qi-JsGVn(M~agRY=};6$t^hFS~EG^zAse{yFC5Hz?wKLYse=z zP%zZBv;ftP{-Ko)p$Sq{RD^WMIOEbV3pe1dIypF)RazWenALaqf79 zS-|+0s6U~9+QrY8MsbaQRJ;UFsUF9w=SzU1%5NBnmNTxPq!UAJl2S?|K4SZZk)}X~H}6 z$d-23imuh}R5J_?LD9HlBb1(zl5z?~8Z?sqb#4a-cj%e<)wymAL$mc+A+2L_lAFfVzJnRQm(dWrL{mx`uZvq=$x|)?6l4 z2=hB+y`s-;koXCF3|h%$3(IGm55?CUG5?&QghK&_;fH!I>8~>iFtD zb5|Zcib=6jlw`E)?zMBh3AcH%DdlLGE?|b`BFTRI{MlqdP(ViZz~2 zQoQ=HwniTW{N*!9&meL^JCAXrYZsV$fw2WAFK8;GKNFxl$7fRZEc|#=B6@6wS{-S9 z3hTVSs-RkV4_&_-whC@&isME|=fAxGt%j%BC5n!u$w`M4t$GIq4`qxf$+y06jdkEi zac+gJ7;Dtn8+40JPhMe~Ybv}yzfE`2m3p3>fx_RO@N@(fk2I^ak8Hk5lUvj+#de20 z^leN`Olm4Q2?IoiJy?uRHAQ4zMl&F^!DWR8?sxDV3JJO$DM5@*YvEL$X*K z*Sq54J7Qv&xzS=d<2YcwhYD%0747j6M5C~Xy!K?=uIl0hdSlpReAW$BWlzf7ncd{i z`ldI2sbK2Ota+^!8M-q+(niZ>y7memO@S&nFZYWfMT9wt+Y2J`l<^ALrki$KsLxF^ zRrjjO;(P49tmI>|oUH^^WAff~r`@`FT`aRpTUN1mSYo`JsUSzZrlhDS%&cb0K4=i~ z4Wj^1A0i?Mq7Db`83nOg7w5P$dVWKL0W=T(a0hY&I(&AGm}(B0-GNy}w2jRa(}3U! 
zqz&VHVId(yeSI)^M^TpM7nv^1hFMnEy zGNXj(9ba7?pO|0;UTQkG`;+B4wMsJ4GP$_FNQn8_pY7OLPxup)oL~KFok=y#6S$e5 zKkauBu(3X&EREMj6L24R?HL82qrCdvyPq$y#XQ$&V0{1+7EN)VuA#`u&Fzrb%=c|# zqFi%2Fr`3xVpEB%FD*&M=V4NbOn&l2 z0l5YxE<`T&0U{ET^{uUsPRn0G?^VtaNmeanW?=XUJo~pdv# zv)AX>k!qJqD_TI&fnKB!F2s*YIyU03b28CM~7$TsI!Ks2XK+*=zWBg+lamNon7FPYX_;VxOpT4TBSx}W^{V3-k z`4!faoRL$lumm#a&6&m5gqYGODM`;)g~g_x38v}x9E*yG0+lBE z$+h2NygF|)P*h9^hwdqd#dPAMOadlf%foniTG*u(MA!bcmLu0DeW(4GN1B4GDFFiedh2Eg_8o-(^ zJg7yNJE1-2-~6BjNOfc1A-`)Hfgm+iE!+)y05JI+O07r-+W&4-Kkn}|oH=x4_6xze zO|pE_&y1RG0ZJOk??2zwkdlzRGx?a1BEJq+29l5N!`XRd{EOa*Yz^W`N+R zZ)_}LKgk8!7RP#dr;G=Iy?NY2Ubi%0(=w{@@!fAl27b|8x!9**~!QoqRixsx&jVRKct#Jdv^N7p3Uzn2-7vI?AEE6z-jv z6UhikIc1>-Wmudzv{Ln7Zez41xytChAT;2@sHv?@1050e@&4YPv9Ym`H;V1pnJ%$` zqZKjIPKb<2)#MTc7XS}{Z2nR{)mr8)7vxc@2Bb9wuV$SSCd%|A^C31^S%JPU3c}DB z06R`r)`+mMZvz7hRgXe*q;E)gb^LEWKGE@9pF1%PJVGx4y79F?84PoZ_##3;W}+9N zgiqBgZ9YJ(VmXXyRe%Vz%y*tuWZ+k2DlwE<-@?Y#IU z7({i1?@HvxQPrbPeKuY7L8Agg=o6HIBNKds24Q?du_%RL?sn(lxuDlmvEN-1zSBG` zI-2wD-5lM|hQ`_4V?&x={LAXxXaE_@6V;b? 
z>9)cP8D%nyVhc?(B9ssJ1h4N|rc@Rbv$kMqI73ShLeBs@Fq|n`#15i`QN4XKWE&V4 zq$Xmho(6eD`~2c?JaA}v-TJM_riD(Txyi_Fow6&VlY^_0^V9c%B_180TaiUaM!q1!zKyM?gxve@9bVRyJ2>mk1@XygXWLS1%Z(TvlI8(16uf7EM-84w_rw z>!2e z_ZM2hZw429ma1w$gkoGN5c3Gpkio*WbYSrGDTmazv9Y=zQ?_9d~_Jo_xPP ze}L>O?^r%<5Jp|)x8TjiE3~IS+^%qwcEC_ucUp^rWGz?7_JBeBZ}4)EU-;Z{(u#GV z_(z&-)3%>#j+Fq-_xz(6|JU3ZT$1w3lK=jx+Bzd+yRj zcji6`PZx5t4OMJId-1Km|JO+20KlLQa-d+K58lbC3J5r`;(>fdiV*^ycIZn4GE0v0 z@Aoh&mX{~bW-@#@{=I#ta#L?bJUM6U{xP2Tsy;DFY?Mur1$jY9>sEv3?h-stYz(6PF9c$S`%itLW}X6c=n)$9f>Uyf zC6AC?wGBjfb$Bass%{i>@@LMvOC}l0pL5CwOLmgD9vq^U?9<=J{HYpdb&3=6dO?M( zzM+5-oRSE(e=xV5InpuP*tD@7_b0%LTzecV>2~7tK65k2qzV!rQxJEA4Q2pR`I9{H1>L9BktNIE&Allz|>tFHLj^}b~qOzD!| ziLD2(o@vrZ1=$aT^Flmq@_&uL7{=`DLXsYGk2H*S3vKAnhsH)=l?n6QM_r4gfto@!E&+WA?fB~ zRv1}hP50|!jd)K6WqNdB&9>5dsXI6ErfvHIPLzB(64x)0#oA{HI&UJLH<#dVAifD| zS?0X!rND57k^YqE=>dw)T29m+E8~5SUzribr3zBU2CJvMw0Wx>3LJQ>UQGqX9Ce=( z`(~}#i|G~K@9bb$WXYaP54kh7sf(xb+ThVbNO}x@JLL#)|EP?>cvjzf?3W4$jDi^c zXJ_FmI^Y~=-?qL!c5qbOzdzO1mRnG;3Rw{H-du$tXyMAry`X~gf?5Hs&ftg!TNeBs zH>)zR=P_w%P2hzCUjwAm;bBdxXn_M%^v#X)zEW2F24_0T^7)PRzcA6yE`L`s;Cfh9JXP#!9>z+!{*5U} zMBwGVD~XlN@XbJ{&IgHBxuw4{+0?~ukYM9+rl~eNn+|-k-r(W1cCOP-j}q!;!QE-` z4QR;8r~P5s&pp8$^rjl6>$8mc!h55~BJcE-Pn7BMkK=PpZXKP~3glzf3btvA0TBub z!dJ}9{Rw_e4jdPw*QJ#Pc1g&q;JyLA?F4`@r}2l%#>P_^njjn~fdL~H=I6V$c7Ohi zkp00~Gga?EUb6z^kIRqlcwQAaoZua>Z{WTFHoEo5b9)=yW@0cr__NPv3XOssa@ECv z7X-KA{sV6Uq`)ec8ksatrCGU8+RWqRO1y3jaWabT?H+ZkzmS}w<)vDpiBCm4S1WHt zFuhw$ior(8VnU3Nj# z$6y9!sns_$^aqlocLKb_0as@Wa3a+7%nUml+Xv(FpX#cR#7~rgSD6Q!6VyaeQCPs| zp9JTKQ0)M12o)71PJ{{a9_f?YP<77EHl3*f@y7mE9u8iC)CxBQ zr}@CaZ{9x(Yir}YcJg#b{>)5ID=H~{e82B00>C@_DD&-G;PEZ2tOO3qkw)7+Jxy+q zbn1R&!wWz2mX3Y<*2(qisnoY&E7QvAos$K7IL>DShk5_(NTToH&M&jATeW;)&3E#1 zi$^In$(Mb|Gc|(No$j27mA$q$DL9)3wHRb$ix0xLGMlH&trAhtKbIwqlYL>vVHpa|MJT&jAsh_^(&&maSD3nDX z)l2~n1Vs+UKzR=4KMvjflv|gxdSTAb7MrQ<$5(KM-)~5@vF(2pdjV9i6sall42Vt*m@w zpz!`#hYLrnuiU+gDywk%RI6uKeiVt)24wSR<6nbJDZgxNvu9nW?DH{$fMl*9D!z4z 
zWnoAb7r8qbP>RO2$?`&L3@IeGwN*U2v!=3A-HncmpJA2&UFPB^(hMV=+4(#po>s*5 zNdj6P=Bk;SmOg1&&4o35JG?m0)l16mubRymuq8xCt2sM6YiY%Twfa1on}>%H?^exy zHfg%I2qY33%IX@EoIG{$!R4^ZdWbGq!3A=I^iD$O^2zb>_Y78+ig$G-^)*8spG>23 z%QlU@gZD^3>4R=ah>uTC1ZH)wSr6N!k`WD$@dt5rxTT%cq_$ci?xI&k*aWh@nAZFL z{hyEnFBM)nqb^(zbOw=_P;B$Y0c}}cMX?n(-kp=v*Ai-}A}jp`Xa*|-<3C~oC^xeG zbtmX-cIc*4f^al7S?}0sZ_2j(D%XDJe?^9jjEo4Tj~^pIaf>Lp_Vn~7=H}8*5(;eK zP!m`kzkbxj#SsAA0@y>N*BdDbe=M}w2x0}4Sr|U=xuPi9gk0V+{Ob8WQJ8X8B$Q|h z=eTn*)z#NSB?F6|-T1?^)uvE#;kfBPR7elMbocjj+_`h>)-4TZLLQ_~GBh!7ray)| z($9JF4pgq)I=m&&u8UHO9?cY_>|y11fP6Hvd_8!%CtuU~;{%J5PP(8xBBlDw9h>lJ zlEw9PM8BN67&Lx<1QY?qvCZjx4Z~ac0w{EVxr3wrfKD>71jY;8Y$xC7qtnC#GHeu7 zRO00s!1xr~0WAh#90b2um#S<DIz4G8-~UY0y0>j zTefaR<_^*wh;KU?5K?*1pVztV8yE}ct`=McZ|KD2B%ItNWESID$ZvHL7%{BF>Ffxm zJ>bG`D=4&A`=5Ex**qm5ww%{=oYhpC7n4#l8sk~q#ADDA{@$6`ET^*fzMcflnCDXL zE`qc7cHSm?k8Z2$4(o-v=?@Chv|_F^I0I$_9|{~|%$*|~XAJP3d`V#2JHU4L{*+_L zI}sIy(8Kz6_SYJxf6jb)(Q2!%|6uOPNYE7-zlexl>>bcZ=)7ds(bnECGH}o2pa`x8 zd}zSBc1vtbOfKd3(V!nhM_=NWm{>Wkzp$t%J9}zvw=EJRV6LFG!;La-5X~cy%~7|q zoIc$NR8O)A?58`4bJ)4iyo0(ZEjwFhR2FX*n$!mR`i5z4tyv*9m~9^ zNb~JXe7c9#G=?vJ7U>#^=5BoXH1wKYB|<-71Vk<+utK6I8#|IctUbuYXEcwJpE`aV&1Ea(ODY_J`%h50H+}z(8xPh@ zjHBSbo}L~M{`zK@P+d5C1BJyaizXeU36<4)*vJ7X9}KMvxEYIF0@Oh5BynWr*kU)( z`pYqBDstq9l@AD?bHCg)qt;l-xrkYtt-Lq@kqFP?8b8|L}ZPX6s&P1c9aFz_a2jV`$vY~6kA1R7IsbQQaOgTH8;0T zET>l>p+v6%m=S9PFwS^@``_Nt-ChKZqIlC!75a0o%+r}EDISW_to_5ou;H+s{Vf@1 z7Z4iyKvx&wH1*-brw+Qd8xc)$U_|8QwU6OTM@R5Q;d>{1q$za_4WZvS>8@SBLp9s* zkZcO}VyHJoqRfz_WmrW5qJcC`^7ie?;bCv}$E+5c^DIoOi?gwh`Ztg<+zRCIuX}?* zDtYL^iix=d1|E)RNX1!sv9m3R&B0&#i!Crz3)R{m0>vW|;d0~*6 zke}aKRb{Z>U~9rQtaC&5_^3!#OUIF)={g^F8fwpP;zS~*C!3_Mt45M@s2Y!`CZ)7g36{Qr*i=kEM1gYueltkGV5$n507PeQ?}B~>Zb9~-tlWi-3it5sTci8;OPfoy zS=_LYu-^oTpX8Ao`u%(PFY$OQWFOKnWNU5RU1;rFr)&G<371?Zd~>jW^YZXC@)(<# z)Kg}{nN3y*Xrf;#2h;-MvEQKxtMUT5AI?RH2)1t>iy#Q%A;^ zZzPu@;^3AuIN!KKEDOD|1Hi*~;N*s8PSNzaIPGO7VuH)ffo&1Q68JA2IKa?lN8&eN zP^Tm$*RggzjGZOqMD0q6nN+|_xrTzF(_G)9-oN&9gYt*^B0?J!g!tg3+uJH$9M@ZL 
zDWr4L>0au{6jG{c`F`Bl`!<91kjB1jZjo2PLMc@YwVGkR#}s*)pF2K|Nr|GOWjH&S ziKZKzTXl7GV68z*J!kjV22B8TzrYZJp9qu!bZCG~+FnG;g5&`9s7PM{huhfNhK7Wo zX$QtXCueG5;U#pGb?I8+<&VY|xcUp&VAB-dBjH1{pyqKoh(bc1bFb^mTsfUb$4^ao_%Q24eW{J*jNaKuCh_VjTMP~ z&260>a@g_Lkm|$6kI%%?%uL#fU#o$Vl>gI}j_wDFlu_%aBiKVrWgga@5__doSPrWY z*E%%2A@yld{1kNH_qDNyiLLd;JyX(@J0I#6t-oTH6-YMqDYi(+%&pT5t7YK`J>lF) zDf63b%RJm#wM|VUFsbS1&qf4-{%Xk=B_$hpGXS-*NxL38+UTh}m_07&t-0@!Fq*4l!b zgwbL^f}-OAs09%3^I_xW?>np(oSRA&<*#t;SV+1Z!`a_AXjBLs05ux~A?VCJ4(`9D zjr%6NGypNy3{jpZg2I`zL_4fwj;N{x!{}wOX)uAxeIBjxN~zB%rdCIjQ@3o{qGmg> z-l}vb(Q>Rc1&;s(Cl(Hl9^Cin=zjd-dx?6~L5Ybs;6&NjXjUopsT~}c3EDc8$#M;>z;^^;}Bo?sBw^yFxQ;2oWdfw485 z3(+81Qxku{)3sd~clGe_FS*G^1yX-zZy6h2Rp>ck!Im%eb>bdO@6Mza&Ojx$cdm4L z2;35fv6S4TyE@lYiSn@HY(I#r#sg)55UYV}Ljr<34FzQh2-e6e zgkF%7k(rs95rtQ1c_9pesYe7Tu$*{!c^BlJtKs3k7>Vp;Zp8?jBizS0;X?=95M?@c zNVp10!F&COQVq8L$b&)lajl3K*ol07eW9E^Q=+np+|k(^(&S1~@X-`t0-I#FiF}skws(cbBf0x_Roe*fz3eNQ5}J5+Judu! z2$E2^!9Z6BGvDuzV?e_}`_yD^4TVBm zqy8w_o;`cW$Sy#{`6jIp*W&nK(j+g7zNfv@N7x)kbqhOhz!E0cA0iW!MHj{qoZAm7octE<5F3j$aPp)+4vDbhnGZQpb}8 z(xd=VF`%lurzOGe+vKA1aB-oL1Lr{>buw%Gkh8P1o7*n(m;I=^ko$E!PXe*-#tn0n z9633#Jhr@X!`0IhbLGgmLsNT6OEEtVayJ}^l-NX3!)K_ITs^*DrSQpF=qRG2%i7y7 zpri}dw?}k?Toj)!QV9`{CR{xMDt#4>u=f@}d7CC*l06IsiUL@T$87*VR{-!bqu4@- zj#PHE$>GrTo*yR!qt?QXD zMEks%-iH_7dI>FyGyFy}8!%B+#&zx-h+gjjPZ=A-gIQ1La#ftPQAb9s?K$|{BP^?A zXk%mB>t3FbmIf}9U>r_ynTU`rXaH6LczbS%DkSdEFTL8J10cDyw^!az2VxL=$3Rw= zV)p5){Y0@<^@)P`B(D4!_&2=bJw5e> z2dj>#s;KDJ2AM;GiXQtlQPH_4nm{mgbReooeqYGM30em)Z%$z$@ukb~pTHZq0<6c_ z$cX&th2sx?lsJ~Ww+jdhTdU*iwS4p_LxIgzwA6Cucc|$(KII@&6p_#}1=T=arlX}r zap(|JNzMj736__TtMPL){Y9N`y9gK5K&YFcJI1AQ$t7W{MWdE<+qNI*3W6mkA@Q&D z!vKL5`{T80TanDxieBOkWk2YO#t4MyZz195{tSeeIL{GXL>(G9L2HYPEFa;89ME$kqj4m*wm))?M)H}m z4;DKnWJU&VB?9pwZ)PeQrjl?}5=m-g&CJ$3!6SA302nZl{<|HL1 zCwxNu{h1EB4h%KzZ5EH;JNo{AAw|Wu&F}2uCK1%Y-|&C)CWBZ;Ov-tk;oHf8WB^C) zVQ~DZu%N=jXJ}78wz3jjn`^?BhQ`XSeft*w{23Nfff|S*X6j-U@CDerPvUz4K@x#e zxcwayc33S3EeNkRz)_GO5Q~VqZbf|2VW0TD1JCxAX-B#8Z@KWyU%(5Loi5Tl@3wf 
zVYMfpVG{cBBasya#q|#L@gcGMwzbFt=(4W4-2kt#kzhG4LgjAK_JsWf?`51L6zz z5P-@__2d;X&&BjS{lD1LtS;Z3RrC5SebKL>ISg7^Yzf%VfOmkFi3`F@h31V>D0eW? zK7U;qT@BD_)r!SV`$IPdO|T83AfDywcxFSs;~Q;eyLnY1;N8BGst&mQJ+@PVx~Fs@ z0l=p?J8%0p?SuI^ctr3uAhuAtZz?OVq<^J5!^Q^mpthkQP;xRmH@7!KXSapI6;L)* zRF1lr+aQq$$~=Iyjpz>l?AaFGt@U6J+=%^7M6nDtfyuxEL>wNhUS8_?b3N0>h*0z! ze@QJ!wLptOZHnCvG#h`(_hS=J$+kU%UW+4e1fj z1)&`h5khMqZX(3(CL_~`3kO4O@d+CeK_)R7Pt86a5VByIi1tf$wH~0ajE)jEs+#upkHAt=QY06$ z<`ynvhu*%0gkb<8j)3i4IvHqhiHK`zGBBLv;qfc$tMn|PsSsc%lHM>o6FaA<=r&pZ ztvb?_VoiRSJ8LD`ml9fKJaO!PdQ5M$uI3M|bq)Oo=8}?otf`pUT0eIC>O5gj3!Z#1 z{y|`7cBsfhwaeugqu{Pj&iD28UoGzA(x(&)-_t^7r4>=Qn7wjr-q9SmzDri4yY;-V2*Vo_vT^mRzFg`kZ(7hbU)GmvRpeMQ?C#@HP3{Cfmwz}HYOSpQ_ z__2QQXq+|%3W<2b=qxHK%3?9Pw-WDrXQzrR#Z`88$)}OGPK(X&A!BfkVw<>TCUl09?je46Xr9< zGUh3FkH5Kj(z))$4yERkK-(V&Jg1oym$c;P=Lf=*RKKNS-}#L{FJ?NZHIVzm+dx{{ zY@pHyb{2>LNN1uf;onfA@%b6RN_u`v@#3%!){?K>e57^o)=Wsy2Uv9F%9WdHrIaaX zM8)1oT#Z+86%}bBcCV3~fh_=}BbZfdk8bzi&qp+4XGyR=>AW(1wsSF_j^X~asQ!+hAFLl9>}+Tris5gbLNXb6O$+#gXm2bw?@j(_AE|)R`FMk$BK0t^W1aS zf5>#y)4N>vRt#m7bc{SBON7T>WN)xu0H{Ltck_NYON;@x}v}azzL@n z(r$L{h~%6c`POsBomuE-VBf0y3cl6X%Pf@F#KdT5X%R)0*0s0N;EjZI4VXMQ29@&n zkyz6UJTk)TzE5yY8dXy;x89?P&iU#yspvXzF%pfiYU#9}-&PYMq4T;2kr6$;Fp|)? 
zv!_lC!GBj3if?ETknCq5TS3wwIM;X;fn6fl4&ee!6DgsklTD?U4xy97_;afwjy7%DO9Z!=TVgj+=PH5L^+34!D=s%Ija9@~#>D zpqR-F3+>j25cQ+gnU$tdZ+Km%UBctP}W;pCjkZc{_l0+ayl z7;-*D86Xx#^O>kc&`&46nOM?L9zdANXYvD~xTCTkA0V}PV>>f++~IR}`MCJ4TVvzn zd&tS@K3t6p+6J`gCH8Yb#vrW>3}_=AEOdfI|I$LcRtem-(CPg>HbyK6q@|_R)IOk# zD3FKBFE1fs7<9(m^z`XJe-v_z6nhzg;2HH66Fn!8kNCHYYnVwhkpRvC?;pg~>e5mX zhv+>)(k#2UzYr=8y1g?a&s#2&bWXp5WCE*V|F6+eew85>tgEWSp?()FGSvaMV0UY5 zZRG&{J~2@$+xb@TFLr+DywW9YP~N|fEC%uo%R=+sbu6V{`*V%P2kYP#99TdDP|u*E`#Du zt;8Yh;+kwu!4CxNb?oslFF|_+*kM#*;SZRnr{wm$F%DiDj`ji$@yOB=4EviW-xR;3 z*yRFMA9CAF-MTlDABnD`)XvyG0h`Cg#3b+^klx!NDcamXsPNwDu(Gi;-bE(L)Ry{U zGQUr;bUQ8Ci!jj>#Lh}nlW&B2YiFmDynMw`#>Rf1NWs&boTf%bP~76aj}&JrAe4fc z{jw|_{^A!{G!%f9q9+1dm#tg3;`%33^?}lWeT~qIxH3bVUIh*0?rqN;rq*CRrl+HW zI+AE`(|5h5zPOoV^tI~hRr7}x^bHQiyDfkP|LN0ZxuJ7A{CHfqpO8CscH5m7 zq9+1gm7g%b7Z`b~v7_S~W_tY^)F14hOc>op66yH0{*)V8N=kGMe6brF2h1+8@rK6f zyTyGKRjj)kdhQ#Ytwm-~N{heO*I$y<07A~ZRlGq49rFC2Kh*m7@G9ddTCgT+8)bsiCtMr1Hb+q`gB(xCDHLRO%{fsA0+$XErLU?@xCvS2fhuAxPy}Gvc z@`1o^>Z?Hw?S6YcFH1V5KUXxDJRosZR!=MSG8tF+QP>)x5XTpRuKgrx8<1fH6i7MI zOaU@X(D=J1C$RE>RKe}t*UFefz{eVS#F}aobDGz79a-O%Oj9egRXP|}5aB}hO6uyu zCr*e+Nu_=bYTqkn|Q68&f->| zZ>@atpsVN!SA~-S;xPwZ{lupxdY-e}5w6jcuX?>>b$e%kkj2LPvP?JqB9A+hf5y5} z(v5ES?dPA*&^Q^w!fOyDJswGP<-S!Xwb{GN3veFkE+i1HbqyC@nVX%3Ysav8#7%;e z`Q@A^zQy+hwe$|Jvkrr}tAE(?(JmL&6H(G^R5wl@O!VVA#54YEFPGuu#@<+bafcCa zXmk`_`Okxf=Gl2zzDh@U*4lLSC`@}46(7hM>qUc`L>C`XVZgevEg! 
zZ}H`R`rXr-& zRRLJg%ME=$1G>XCW#qsT5_=d1I`ksKFgzfs3C1x_=G#x1-j=9+C+YU4k!S7Rw8RPj zo2+gi>(@4OgLAF(JDj*~^0f!KJ7x@d-Rt`F&3M3jCesO>mg1R_cPm%?%m6K{W(-R9Y=K+ zXs`sS3@FlG#r^ieoO!2jO~AA%C}gn!(RoGxG=cvZ(<>|2m?7@H1PwpwFwv{q2QyuA zny%|b?%T@eQGc00aUGHO$&-&snNHuz?0)(k6uA+c9ePKkU1H+(JA;5%b-ETO51!?o ze;sW9B2kYJE%hjzxm@BhRG?Jub()z9Mp%yb;gQIj`B1hlS)B2Doq8a#A0r58oD;MJ za&iY?G5&@BZ!UA~!g&Nw0(DnV!@y!m>{LoWrF;3obcLHS2X_*$l{r-InhcM7dHy1O zXx;sEMK(NkeK%%`kI&-jiJ#1b>a4b|ZhmIQ1|CxWC8vqKvgV6#tVswGWQa~T#KqgO zFUH5mCs~jXs2wQ9ZtRTODXFixTe2xj^n~WElW$4_j1P*Cq0x4F?kCL_N6l|M<<0fl zF5Gt;oA=^xqx=3| z!dHK$y6W@PtzPd=4wI}@ZK&8rTz)@LWzxY#Mq8Wmz=0@G7e+ClnfcwOGgs!d7DWJ` zlrFnM&<|t7>z#PF`px%*Fp>mUQs%&_22tM?`Id`GpD1qc)>GV`N8L``Oh6>y$^hPC zIZ%0k{AH$j|21OK6~C1b>38pgV}QJEe`BF3Tb9H%%gC*{QoFyXHsrG(gW(1<%8fY8 zu)|Lijb(McAX zWK8PkLSIGHku-bR9oxGS=CPgl-uMB0!Fxj?0-wk+7$Xz!3_(K#u(d+ICF^9Dq;~Bo zGsTJ5m;PQkMrhu@OK)@^@ib)qOYH%OI1T)HPksb3$lm{!76;-jp+A^NG=Ba(DU;AL zwr+5=hL@z7 zjHfWL0J0N+^U++J^k$YRjc>tqZ9-M1g(;(=%g;J+CgUKQ0F$4cpI6N_2_vpBCtH|4 z0gvXIhrtE4g$1@{vJ=tv(w{oOl%yV_s+ElCUk>*!%FA=io zO&R$y7nqjd9`0|pdwP+0y+m*rC?6g?!Z3mjF$`<`q3XO%ANEve&kr8{tt1jh!5qR{ zqnK^j0`OQaY&VvAM)T?uigEiLT$ldSRYj%-CMZ6E{9f)K@U+ms*Yfo-xPg57OSNeY@?jKZ8KL43HcRRxT<*WepQ=99 z-ygmC_%~1g0x|ZUgl!NKE@yA7Czls5lK78NZw;C3k*ujQF)%(h>~cT-0{f|gjJRt{ zw6&Hevb^88QY~8FY86B1faFAbO+_20Mmlwn&^B@mLL>y85)Jfw1Go2_K`boD|TB zF;xgs(|cC@1UCmEJH%nf<%%v{W@bQ#)V3zZrd@OE1!oR(TL1E4Dr+|`=@j5E?kX5k zQc8+@QK9d-oAGpRRGQd@BeCsZU;(T%rQAXMN~dX3tg9=~0RndW2ffN!aS#MQ%E}x# zLOp!$y`Ex%^c9(Jd%U4iSH89ekq`J^jRezfyG9&Kyc)4>%(k^z%4}qa8 z?;E*vm0DY1x4Uc;CH~~>bpGCkH~VLX3zv8#AMeB@Qq>~sOvUD-db1Ead2c%SK!yX90T@?c!mi^f9`|Qv2NGSv6ZJ;*|`x#e$ommY(C;g zjVFE!^E92LXdha@>H;K5C|`bH1DmCV9^1~5g5oxhVrI&Fs=mZXV1Pn zFhNfpduY(s>sVe_=fl&Jg(?32u2C{KAIYy~CnpD7%D?}O(Ru%sK#i$%#(Bw14wZuH zJ~IU#RXOE;ZN0_$`YB&-ZZ?U!_tu4_zuw)t;Yy;`qs%K>DSvp~a`@-e^w8e<`LOYE z?%9V8YBz)U`WbZYRE{9ts9Iq##Pc^<2x;&j`G z54QK`OaCZ3d)HLmxVUP!#1Qnd@Zt19mzj?8FJm-(4|g(%`26{q=)1t%Y9H88ot(6O 
zY|W~vyTDgPMeM}4s@Zfs4z(vM<>Gv&;(vV?!2giV>}y7+DoNkJd(S`O4YsSCF^SyN=B=;bC(6v=;7)sRx@lHe99b^*C-hVZr+^1 z&DVSRLU3cCNg{S0%NQ5YY0BJUmA$dHbY0-VSgzU+?a27+WPOLb*XK&Qv`MV??(JQ_ zmGGqMzg&Qi(U{FIDO$U8l0m!0{eVSjoavKMn%@U~ z#J_NJcV+Z#C#6*u5x=fCq_?s1Xwmd#oK#qxfOlPUuLEmFY>HKP@`kkT6gOxMb@fxR zcShQ#95oC~u3!RQ>dND0zTWX=q2=d}q}#Wxnlo_pUz>bwaK+hMnTcuM!{geH9j+q= z88eDXw->Zc>B&PS$*xQo6}~x`m?TS}zK7l!4!N-H#65?cD(s^C!9|@vW3qMjcf)R_ z{*l?HL4b#Jj_o37+6ZE(#gKLE$=trrg`3F7L8QCYuomH&vw+*CLt^52`wW#}DW$pS z3G?w-cka0D?0X`Zlv6GW@EASPZ(lkSIF*yLU&O&n*i_Rnr!P@YJCpKo?Vi9xFUT19 zOb=D4<+E&TELU6;sf6K)^NDXYV;dFC^<)f_x9g?Y?Ij-d;jiOSQ zJS}Z(#K3rBLQsgGo5J@oukoX_bpM;Ns3Y8K>{t8BMSO-^Bbcr_jw19Oq7&CNKg)13 zuz{1cV0JEJ5DE7F`zH67n=`%|j*VrS{FZ!Ze!j6us-{ZU!Ot()L`O4SzxC~F+B^{- zFk>va{8UsfGn+f=vwe#0tMEW5V)AwJ%<{63Yt|J&dLN4c0- zjuXRKFyF)Y<)!#RZHxBts-98XeTGMsHMqOm+EpJ93^mx&7Ub*}fKWn29H#6dBG2H# z0roh{9#Z0M+WIcdB`g2R(w@t#Xoz&>7&AIwTKr)F6c35fHRqgw01w)Bj%&SEvU^bZR2hatdvk!?s*m)E-dg=NH(?fcr8- zg8!_C_t@m;gO-W7+U3wWI5JALwa6{=M%x?l@eruHK5Rbq(*E=ijm#ALSpE zDf?OWNfMM+ByB)!4cjKjFg6Uai}X&SlIif%8Jf!*XlOy3gz_{1e)~YJza3rvA4K_@ zMdQxo_Zi=-CZC?q(~#2i*=Pfk z9Y#5&*Bm749{Z2y?W@hq{TXEzr_dVaRq)a?=aJIwoDZI!!LB=JS4rV@ZEL5ZdiAQz zNQAp?9i7b)g7bb9E8{Vn*Y*54(xYVz%K(1?U2!z&3SdYeLnjy?b-W;4xcd2Rg;Na? z6mHHLrbyOyxw+w+8CCWNt|gCRmFXAL^r;v`9n{oJ@%^%tR_7+)+G#D+h4xN$b$#!= zNv4^uAZurb6vOx2Iqfr=&sR_7X6J6${XH((guh=Q4rv(xVH}bmAzohj7FRsc*YrX5 zI~u(}5=E(j3GN^kCGsDpR`jT=qqkcdtS-M*`&#nh(h{?r)XJqO1F! 
zt!@p{i5Zhm(N!9MpTb^ON5TDlO|Zx^t7UQAkU*H%MrUDi(&R_YxB>1SHL(m|&OmQ< zZq5>zG<>j7M=?&qIGsPttgqi#rZ(5)_HCbyT(x`G<8za(VrKyB3 zH7%hWnX;bJ-ii3PZ)3VMC*skX>0*P#EwfJpEnXaJ4GS9!VLQ>%T`8{&Qh&7ZXnC>B z@$Cuc3+?U2hnK2_*VjlWE;r3}af(g;oeyNxTi4hEEGd9fC2RRxY|;GE7sgwoM~)z~ z#C@Y-UaGVj)7jTr{#kSI*LCuZ>6Mo<>f9D%J*z8mx$CnxOpA=|e&;2q3a{c6$4%nO2lE9k)_m9%era$xxakUs?~21a z$gc%3@7{4EJpMMSxP&OwM)euH9-d9RcS2r=<$P}_kN|YpAI}Wj01NnWkM(tR^%7er z$mQEP4BOcSR_+uea6g*fXaA*{2rHl5I?>T9?Rq{+g!{xdTKxtsnfuq40|o92J<)Lw z47C-rvQoYJJlNG0#ybZC59&5$y@+GJy47C!Rx;fwManf+56<9*XYS3_7j0^Y|Up(GDjIB z1!(P+u180x&Z_0DD=JNRT%9dWZ#+jMJ+yV+VKfJ|^y9&OUiAUh$TiaLU+{D@bJ+5rb0qoz(E%3TS|_gat7>EMm8W@XU>edHy zUq{L^9L3^Ret-TWpD^Jy59?>vYlJf3&aMqZ@Mu7r1)mgql#M@gsq@s5N3L9$xH{L$ zo}b}pwt+8!^c?g!Vwa1EbN~tA`j^<36TChnuXhpxcxEPrNhQ$pL*ir6AQ(?Px4TA9 z>nzo^9%E{d@Rad*C&xJT2mmumXq0fs>ETzoxD1P_iO9AHSx2$Gt-L&RYYpz4#hcf5 z*EDKk4*lnU8!~9EC=ldRlypo@h4~pbtL~YYJJ~&rTWupqyy5MlQf$`&Jt%H-QoYzW zTh?!>%qDVHz>2igHoLf{upRh^T5v63JxN$%b_`tlveMJd;rE`C(|K&xr%AezWAyIk zFZKL0`j6fOR|pysfMbFh!PUg*kWYPPyrw<1{nK}W)&Yl+Mgt3OWU#(WBHl`;>8+U! 
z8ozFW%njli83VfacozS;chuUtx|499gQe>1P{Tbd4lP1x+?On+sT^R9zZK@Bb5|Wp z4f@!Uk00Ke-4jVQ$Q=|3{w$=>V1@G<1^owXmxd?D23yKPMU-`~f_^X%f~k0u2ZtZo z9hg~u<++6`iu%Zr{DK0^00Fw0{`nexjX9o3?LP@`@@HwG=dKAbhe21BjSB2)-@d-S zO&IG}wK0p)f%^iEPJI}xf+O`m;L;DHr#s`bv(ICI1^Spi*Xa~9v|Wj?ztcAiNDhOr zs;B3}s3>j+L1P@rAoE+S9FW~!(%B3r#)sdr;#gCj$k6u~iv}Tppi%4Y;X!nw1o3gR zID`b3)SXZBK4_5jK%o~GyXiB-B=%%kE3-E$PiuN{F339tV}ItBF~dhwf&W)El?_Le)Axy+h| z_iW=bcgB2zmoJmiRR>t;bMv~^Rj(^r_J2N;Ce@Q@Yy;3|+@0^ge`c{{!yY~QvaYqz7Lm9`InmpFN+Gl_e@B zhJOO{x`vcq&}I${17MY%or|ZY;rm2n55Nu%&u8W{9Q*knPrel~0S6o0K(LtLx z$i1_8_>l4;Tz)P*`4b5g0nD`b>3Mk`@bLMbNn7o)ejEmnY^!@B^?&kx>RpqYUc zl&Wn4vS1OoR**>!&|*XwTsE}P?S>(+sR^Ep5O_oAWq|4SKKQk_#1=3$VzVqC1HCGcbyRxkYh$QBhdK&>6qmK{L`2V2Nm%-hxl) zO#YC(tZW&~F*-X3XkA1YA{qi63txjxFBH++GXJTM3r`o4{-~oBenhf_O)b$tElN;W zxMYQSCtAQogRN`EXJ!lMgF;hMQbf$qPFy73&Lz8Ik)2-qzxQ+Z_RqGqw3H9cqCrUc z3_=2Yn~O-)xjaxdT3TBdf|M6mtOb9!_Rm%fFsmzTb2WsDnBbk{QeinCag3BpAJl1j z`#BkFYvRL`yf6oxQ;?MB9|BEfL}vSaBnj zfzGEG7pV?4ZZG4!~B9p?eggQll~S01Q4xNXE$T6=@-%$Wzq#?UVXq>3*D zz=Ov}ngy=9Q{l8;UwtE_Ta``ld_aSQ&Bl!Hw(VQ4zz*b19yaUOJJoeIc$QC@e&-R4 zyt-XR==n5obvw-HKtmt=4PxK$x;`ZegUf?}u!-^UY|8(TgG~n-Qr^($FYR&XBR$T^ zDb>RIBRY+O)bcRqf=5KqQ&V4fn9YrL;Q0TxuP7ILRyMZQY&=ow$tj{nPaH>zmcKFZ zeIv_5d}pQkSR(d*g08DM=Gg*tBuV_+vvVM@hQ1E8vVS!RfnZ-n+|qJb4{T1+jXcK^ z@%f1b-cK8{F@#Aqc9&_8x^??XZ!qW`d4>s^!p_jd6Hj}w` zKEoFas;o}tqo^bv)OrZ`)BRw6BYH7ABQ=GmLo$C@U;1VyhaXU+{CttvL?ciH-t;7= zW_jQ9%=`q%S0x*3oSP9Ig!Rqrz>kUP!nULML5*Mh3YNOF*-|sKrvK?q_FuuCU}?$2 zFpxJC4n?F4S{VNhE(eWi=GWGM{E&a)y+eOPJx${&ac`#HN7XK|c>Yn_v8AQio{A5+ zk3Mvp=iPi%EOGt?9qvUtGphf0@1Vc=SN-oIc0IXnvt@+|@o%-K{%Byi+2SBrG5aUs zHxvqYYAGYvgWLydJkUh%hSj`!!pXGU@+F11vu_?6ze>k5`=;Tl0J_h@-)KxN#Gsm( zuk`Hd#f7;$W$jhApM$hXTuN$jZVnWpyH*^GOq-pp#DD1)K82aXuR-HI9IhP!IHALc z94#c(X9vNlc=7W*~nW7hbJm4kBA$2Q_hID2OrnoT+Hp4`h( z`?Ym|rCRuKP?N5!w8zKP znvZGpj!u$DP>JjHx#yZwF`}w;MhZ?NF$s;i^klcze?OE95oyz-ePe1Zurzi? 
zZe;C6k^ky^i;1ReZDBFFHBQNt+1@IJ|0)ApW9>?^Hy_=el^G?g-#<&^LRRc(R`cy@ zXm6;iO;PdI{TOm5EmMuhc9kh?c&soJd{A$NTRE4eIsIiIQfnp&SXfABCj z?YKp6$}Y_|VW|&wG%5;ddA&oQQ-v-J4^^Fa(`2Ap-`LrCqBnzSdX|!@blrSSI59hK zmu3{zdIakssy~X2!UM|x3bMT}X(H4OiaQ)GSy_~5?!zDEG}`0v*H*hj4KB|2$}-aLSz$>I z7yg)LmTa)=!IFCZ%+&acEiP$_@=fdW8tv})*2AJj+j~>(g1V&J+1ZBGpK{LA@^L?)xrm z%6n*@HV1#0C8g!L*Mz-6wR5`!;e(%X*6K7wdnP(xvZn>^3d3tLfZrdMMkE^+iXW-P-4#@Pa?`=KD1J zQdfikMVfa z2SY|R`CKP+ulem6J0M0`W>Y9#l@@+|n1Qd{xnQwZD`@5_3q^B()y8(2QIWxiw4F7P4}&coY3@#zMqRogShTS4xAa0KgN^ls+-Zs6-Tsa= zM|3Q7O&m>yNJ_exlpZo&RIlF}r&`a-*GPDVctizDCo5=4h+1 z>aO*^f`x@{0dkwx=lM2%(uT!+p-M#J-^>i9>8`WatfzlN9+RX}-QNVk3Yz^aZZ^mU zAj@%G^+{v&IJxtejej)p9H zxCB(`4{nAtuABNH$Q+MeUKMBF%C(A05uZ%PK+OJ)CpJ6(#E7y55rqwokB{!&rDV`X z`GM?O_WzBe>zY&C)ZExk5e^ac!9RfWlZsqC_svar8?nvswjNQmLjGWMwTrNRl3~1P zyC^T^AyT=-U!^22`3cFBN)u*Icha(3ic_-X4v;D&x5~ib;gvJLOmg|tXFmx(Om1Y= z^1LTcS#MleEBDj+a>}!I|i}kuhLAIHEiJzOF@^e{)+U%wo%Tspy}EE=fyYpL+lPNa&j_v6<=g zHFf)r{QDudEe|4|{(`;pcWm0&MDVHL90hxpy>4+m@R^VIT-bj$kjvJZb2Kao$l)ho zaI*g(Y;Xq#zE~cui1E{DB^wR8{om6p%Z2q-B3F0vUXU494X0396!FOw+YF|R7FA6)Om!RfJ=<+U8| z*>(Qc1(qMgFjtf^m;wMwn(zPIY(hK#G5 zVS(8=6EYN{`gTYSZIWA(l3;2~fkS;dLf}8wO~@i2Iv>Ii}GQ`j!w_S~_}r*~NmWZlrN}v|hkG`US;=k+h6;`N5LxO@p({G&R3DwciXpGvNj!yiI zP7H3=4S`J#1pE*n+*L&q0RDm46-33gYlw)`LQWO>iPNdW<6Il1gu z%r8B4@uFg}>*lHAKWZR~dHcS9&-V0kqYdfBivOOZ_bz7B>WU<}WF`JNFl9lu;IkdZ zb9RIntJ6k)Ecby+3Gr|gxb3$SQd^WwQPS<>GU##inGMk4Ife}VU!sXG4W5W@7yYFt z$8$54+KMx^%i*7cygoLXQY`P|$4WjxZCRD^1*e+u2ON~!nN6R)odZ9~Kl+4EB|N%4 z&G|k4e}M&&^&xCFOAs)5jP=qLocE(Tl9GCDsekRJ;_ssGd;Zs=k?0vWgUmhWC4Zam z`rv=L0I3jIqf8@8RWf8w9t0i*0X@8#Fdz}5kA81?Brn!-Li64#{SE^EE6>xnZuyu0 zTdhvFLHYAe1}Xvd0Tv;o=?6s6tw+HJciepZJ<<69U=73^M!Y-3ayn}GiRF|MKiG@J zOU&Ai^;>ktV+%J81|i@i>2W&2I~;`;czxb9+G+Yxd1 zr^XZV@*59-%a0+X*FNyc^XYf0U(pCS$^tz&1tgxMqal8N zSrA?j_Z_E88jmT7PdZ_s?b3%@J$|tV3aSrXm&r3A=>er~b5qHEcprP`Ev#Mk^#fU! 
zR19BWs~dY23N6DCY1n$4Iczi%k^(-A@2OnNx`o7)6x4=wm6ezsO-4rMJyEU$1se1s zjbbKkFSBymN9k7NOXz!S^fQKHAsL;j}fIbrwx-|q+}TLEog4{N_Ec)K3a z4dhSah@$=q5WS1EZ*ap_xZ2WIoz><)LFDrF&jXUu7XX2PHUI}V%uLz9>J0WI!U)9U zCdjbTqKJe*QSv-I>LAd4JkhzCU<|X!XfbkGP!NBN@@TbQWF$ORz*WV2u@0Fo1kW#t zJAQR}SM}^wJxAjY%>NU9vl}j((;PYS!r9rVJ*^L<;@@T$;HuBigrMi=BK24*j*uqJKO*{=a+lJIvQZtqy?; z02Sig_$KoK_E@%AHG>^Zti(^o;di)NuW=__O4u>AxxM`_vN)pGKoju#%es?+dcEaW zHo>4LiVzAL z!ESMUYcd7n>7|x-yMK3yrdltfZ)&Rd4m;bqa~ZKBLGJD~NNc)mS|5y=up5l1g^6MI z_P>WlPeDT??wC1UxztZWN8mS1zHj|oMssQc zJ`J>+xZV;#yobYIM*o)T$( zkRTyvZAyUgkswBe0yWD>FD@3sq-A*3dGKS1FW9VwPo_mO(qScpzeWewgCDk$gFq(4sjMzp z7-WD6fp37c@dhsyjO8G*jENEVC3Z2jw+wO*`@z-a+4JXlDwFV9LIPW5`IelgyXSEZ zMYSG*a1P_muF!e4W!VJ;2UqoDX6DREz_vo0gLxh_FSVv9U!qGjSbF`nA2x)1qjvD2 zqw_kopX?+p9G1~EJ$LTN6kn&&5}Tl4*w_B^rz4PwLP!PyGwqI93L!iffW;v1+l=JelmKR3hb@~waA zzSPKxn#*TW^Zi$6FaszxWBqRH-V#=aVS1ZYSI?2orYhMnt3l}bk^9CT}^z(y_>?l<1Ip|+NY&bXk z?P>;Qu|}dN0tgyX{vQf3dJGLsj*o9kQRb_vhbIcsV~?Do513HR!omdt__^hVMP3-c zmEXS+A&Hy}q_><7*h(xRTE=yt&5RBY)QNr_*mLs1mggbD^dX(eVI0Fou+0Gu{w9oG z*g*v;nh`HhX6XIfbk9KT%g&yik@3B?HNZFr;^vmNwp$UBFj0hXIU^l+36?Kdomjo8 zbpe$E5LWU=$j?7J}axx984oR7fv*8fw0V=07g8QGSP%7)Z``FOHlZFR_Z=@ zu=1hf(mzrDMtv|yDr7a5^Dua zDYKDBZg6Jz+w6DtV!0efpPWcA#v0vSh!He1J1|XMgWsq2{q5HYv7=>|L^e-@5LN+Y z&L*tT7^^YEYt9lYX*9ABK)C)@82t2p4UuC{ zhQc0Gu`7v^b);)uZ!#Xi4s3h|E*SkTQ=I8H*w^ zWQxp{DKdlznWvCsO6E!;6eS@=rVJ&SGV@)}dfku5`}6yqKki4pZXM@b&+FRP-fOSD zR%;DULEt7>*Facpy8Lef;mm=>G7iQdwxTv#f1g2sz{C6f`~2UBXMtOkqjssP&qU(O z6?kN!MdJ7jPZgJd09Ue{9?a*irfNOI9>U~?XhLY|aTHt^uCFX*3@kUiwh?LPHl^=jExnN?ZBJtbX&^AO=)THPJevMJnf49Z~JxGXPSQ{ip zJS;d&RO9}twKy@Xw_A`o19*sBr?C6%D2V^G@@W5iF8{G5QZ^E)Q4>N_(DnE7lKz`n zR8Xk(`tem)K2+|Le?^!YaGJZ z0OXN7artf}apeQE*~P#x@s%gsScb^3Qg~i`wrraV#gRpIfvFbIt((BAk)$S(s^~;S z2deguV`vIL*akc$`XyXhxq>0;lVRx~DK5^B{U@7x-SB$F9?2_CB5~Ags*naUm;9TS zIIDoA|H_%1Bq0HF99+RTSpTfx=fCgH_#5YTz3)}hE`3;aw(C>z(zy8n7FoUDkp-&{ zKNqQI>;H{)%rO+C`|t|=4caA;Aw)O+#LS%!AMTXNduho=^8I689F$HQI7V-a^AAz_ 
z&uz5_>quNNm{3-`&z}k+0|Y7%#K**S&LuL^dYT{nn_i^|DXXbr>mlU-eWIgmzJogbWw{(CL<@&rm^Ke|J--$PEOdk|HUp+LV$Kezq_+X2<`(A zaIAaz65?1yYMS!#fBD(DeQ>GAc#;5-hRUABuek)7iz5&j8yFbCygGK95Hp4~ujgyr zp{SwdPWFIRBr7N9Ntt+3r>2oNEJzIl3KuFlM2_oo;^ z<`Xe|CRLbJ{}2CKr!{pO>AbUZbBChZ7AwryrBunlk`|(ekc7f-{qTWrjuxjUo{*A< zxYWO#^V{)(ZIdhUwD(Mn8=WIQ0nSsgg~$^^LnEvjwr%4%deoBG7|sX4%z_lnzj|19 z1mmz=m4w%P*OLplQt&A$pVclqZ|Um}8;tu4$R)l(ZghNU^q|dMU_J+UFpn02aeHTY zRUw^(kQ&Uz%_QIXsFlqpPWVm#4>B=7eV>|?LIYpKBlMJL)nkD%X1)zYOBOLVKq_em zyWoG}X?D-^+891#$*bR<2GP*ntNDOcBd)XO%| z)NLIho`J7G@7bjNlFR??WQfJC0G2k&tv>F zhC8p0ZUaoj7+jDFFQ{!IwRsbn@Bn{enr)ZO)A)FUeM_zv?`z1i)1i@!%T|avV<*H6 z#wZ+Lnib+Qf-R5>x_TIL5!m-Hfd3_pwUJ{w?Vp?Of9E3FdE_nNM8HgkI5g0@K)pxsBJPkQXB%XqY6)41ADtYA_}x%2LIni=NkxTwU~jb-&b|Yj{Ltn`?0K3a z+oS9t{@@=zf$S17me26%9ikL5ZeN|Yxe+mL?k91NR1}SL^}&OGX3cfZ;A;6kmfds6 zKIz|F2rlTiENFe3mR#0`kB=nZbMR0=+Uotu3i(`c(x@2uQwD$aQlkOQ%DS$>f+T`T z_%coV?V${a*+L5nI1BDFO8Ad_mZOdmJCtOobMRrvTu-~oezo3BS{8|3(^)Gn+Vw)A65?%7 zx^3he(cy%3Mq*st;Xo;r)&QjO0?`BH2fqkp@~FKrVB6UL>w}Q6Fen#UmLf1ggu+r7oY$;eAT4m6eL2tmnX_VYD8I$Es$?q`3bqc!psrFr!6mD+*pIW zY%+LrZK(>lr;q_a)Oc)EBI5(}Fc%;i0;MZd0?7W}IWv`i`1lc*0ip9y*H1XrsbNII z_uA)b4_5@xA097pOi8{E>Ua0v_Vz4{y>ZJw=5YHtgNzgDtst)fZXRP*B&^l|KeJ!4 zoMp_zQ1{}}(ueftgq&xqn-QNY44U!DIs70E0bWDn%&&q=7cK}uQ;P^exA2G+}<_@1;Evjg0N?jq5*%-`{4TBE0kyQ5YwdW*Wj8u)-_*Xp50QP>X;Lm)ZBd zd-JBSxcHzSL<3~JSKz{Y75*Y<5;3l87S~^O945lLALLq7emwVVtAyXt4 zp4#}l##7)T*lGY`)`5#W>HY}`>!yiMe-jc}yD~D;=*wMvMqTf>oh9xh+1QLD!$LC2 z$qyc=Q6N~rcls)ibhphPnB+mTPoARu`V6PB418^sRaA&Nx==qdZw>Nn3rHFvT}W7M zsX4~PtW`GMiHX_8$_`l;fcbtj2*`*B9}@iN6jekC&NQ8rBO7 zUEh8jJ||G(tn0suC(dc2KY{f_K*KF;h;4vWdcU;$iL%a5pEwU4g6a2pn1KvXcA~8U z*f=FWpO-HgFspsnlhm4;q%~VFuT_GHAmd5+Q5MuJ1;5k8xK$2e%dD(S8;BeNuR9?j z%R^C`z1K&W<2?I@o@dfXJqU z!xVJ207jwU;=O(s^pE!4V|}&j_yYtAK_NqlUb8aY42?)sG^lfe)3BIlQG~%W8`Yyl zSwaR3DzmXfb^S=EUO=%1UMqN3xVnfRfPBoWxmQTIE3SP)nGS(F^hlw+jxAe+mJ)>C z!1uGc#GaBSASz09x8()hD;tp&Q5`@uuOpI+$98n9zXC4_Y 
z24`$(o4NU5=QWGsZbVL$X;40muz@BCPA7gG|ILpEqKdV=dPK}IudbYog}_6T9>iW_{Xe+ZNwG{d&CBD=?07UblVd(1ypVz++! zSsz3%*dkKkOgwp}^S!^{0em9dmKEjY?|Gq`1n7~46~Z|XZloZ;7XCPOO zU-_=ouNeCNSFiqtxX+R7C}L(fZYl-&)k;yGjE&{QBUq@pwerG zV5;4$oUe7}%snYp45L{&PuvkD3@N+x-R0T7M#jd@W56hJ+|%9^U3 zo{(VJo^}V9^+gQF5r(^xy-2h<`u64I*O@$UU;ThwkhUw}9gs(kF( zgMKY&bv{mf&oewf)_zDvriLIh=c=4Kl|9z1joM#N4~pzKksfHhg@$hbx`sBZ(zSHU zB=8%=tjiEk(RW6igL4Ez+ujaJ1|wYNqm-YquaHT==Y)V;FShnHwZCmUmyq|ynTB*Z z9F@f1PGE|vcFc5KQWDFm;<2XSch=qpv)&d$z}@83nMQ!c*G z=YZA>1c_KgtWURZFdYcp`0ABM;3{y&Q0m)tLn9-qd7w4cix?7uIGU<-`mU z8MReA0~gN=LsM@D0bkZOdys0S2Na~?4wZ3?Uge= zWweJR+kI!RNG{O4f0=sQBA4po9U4JgQcs@n%QvE20eZ9?^GQb?nvfwO2mMfZ3CHK= zXn~dh?EW9m`SD{uU4cD3N$EDPVlrPEo;?I8F*)hA z&`8jIus~rd4io1+^zz2k>>OuT2=F^Ds#`5}a~efTd~sFd9o{tPU|~sK^!DyP^GF->N3SBsMTMbFKZmLgz@Hud zF}@Q1@#M2h^~C9fHX!mGLWl(K4H7aJJ(Lh&*&CiDtYU9GJ~*f_nTv6dcfb>iiUfnx z5P1JUBLg5ZN)244u3GZf9j{%3Shtq8wgjFv#x00){Qz0>VCRmIIAeXoroS-;S{aBT zOH1xqx9}vYOn?=c3Te=v-Yo#UM@9I06ir%A&LY&lAuf&V529^&Chup2IY1CVBmU~E zAX=(R(dc6v6kU9ShPSDaktd!at|L_z*!7rJI9oNSk248gR6>&hFQiJBFLPB3@00Ed ztv9i2Ot9MHg!9+G*xdxPQA+@OU=^iu4AaoLBGpZR?tD!!+U_u8~SOm zv#pI$)TS#-J%PUV+DW(ouVFw1mk?+9B|_ZV$;q(TA{2Og!`JwFGi+hCc;VY7@*3=P z?@NWS$$foE?(aB}X-q(8;-&eReBD|mkJ*Ff|}55!%^((;rxy>yS>PedjNv-m~eu{UQ> zdo1)@$#C4C`1tv0l43{Nw7~_#f-ic<2j8Y`@RfIa)9HQMwmVDrk#n~}?%Q=k-ltOD zUOH2&=H^f1tr)A%J@5P-zWw2lUh;fTPpWGw*hrOCK~q6s3LhXTpO8CU<%wRsL`p6to_7+ce7N?`aEzScOYP z_jE?v6^v&h!!pyUc#}Y4&POCk_WHAjbqEz5s+S7{l(TXLNu$Snllgs268ytbH#GKQ z-e47Z5)EOg(05sH3yBm#FCr>0BP6yVS_P%BySwDIUH~}}44Fw)TiYDSshM!!5vL77 z-=Y`>)_-#ra^NX;0q;H=spA;Qdi+0$p5Z>)=+N?{T=Lxqxk>biN+(!iKM5qtcY}n{ zrcI>S!D-&;Q9;7fN&EqT?Y~f?fy`HF0`8d*0}zLY30n^Uar8>XhOez0yCugbOegk{ zF6L#1F8CRHxkmlHOK0wDOzj2a<9q-KE=F9j3LrT^svHpVm1`{NWK{Te~hD zo=JMy78%ovU*Rkb`{|348@VXoh$*V~9YEq&b!DR#4eWMT=4tJX7zlqP<}1kV{z17t zfN~-^REaa5)vntlcx4k~Ru8#+sumZ$Hobq@%>%dV+2Gdj7LscB)6%M-^P{D!E9AZ6 zMnss#t*hEAeLIHMJ?z=f9fkCvJgZD58Gkr(t206l%-a=({UM+OsT~R z-0-`_Out;f>jN@M5J>h2b3edWqorNVzDvVK2e*X^|=V 
zLhnurp4VIbU!oF+*zpmtwUPd)9U71Klh?L2u8yxjushpt&Ck4rep^WTIbFks{>xDO z)&eQ(^mN{E@#6P~+UeHT)I+5R->M_Sj%hLT{XcE(Q``Z_;J1@15m+t3Y(%YBc%}6Q2K%ij-iFb*k-gpP!cGE_c1K+kyU8PNl z!hH?>b9%+C{_<13&)jyxQ*en&wim&YD|leaZC3I!E`xmMq`#a(N43teRN0NZFV-1J zDN?xF(TG3)IXoN-LKGVX_wlXT#|HDD_?=F%2@VcH_w_q`>F3d!6G z@Bln<$d|Dk_x_^NI`*fgIPr-x5&20WaAe6u0vZBeJHR$ZcMw{yQVU12@#fDDBD~+c8ooR7NIek|HkycA90&>*t zw=0VJ9#8vJemHPxgu}e!^_-seg(&h3i!0$3C7wCokInL1_=w**_Hpz2ZLf@12n%E+3@D0>`)mDti#a7T_$((VAB2>(tTmnr^OxjU3jXLgeYtBfC+Gu=R{WrtOZ+&9_febDcKlD^3Z=cLdI{b!I^8bWP{>fWAWKy`sfp0i(ev4|- z^D;P6A~!4aYo+gy|D-%J+r4Tlu5(Sa<3eFj5JV({9#lGfEY~?xujXQ+` zeCM7hF@{a#DkQF8WRlb%uEJA=jcou#3xYiy5x6|u?W&5Jd_!9Y6_YqDu%;N@$%XG~ z1#L9gQVy+%o13=@3ex}B(v3UxDcldi8tUI(aFCu7!(qs}S<{W)A}2R`a$XJ;+lH?L zM0SY3G#Hycjn7HEVTP8H?2Q&&QRs~TK}Cv(52@BLrn8AY$JT8wFG=&&6<;lRZR1-? z)0cT__ioBJ-kI={tfXW7RnWJ6sng}10PiGcze=~($@qK*$|F``L zmlE{)FJsM!?m|SA-cE_FGQm8wr~p1zr8wO_S{1c6aJQ_3W*e_=R&fb2|LtE4gSS+z z`wdXvtF8DFz00E`I<3*+PFE-EWa7P+!3?@jP&^rDua zQw+=!r6iDQd2YFZRQq%M$1PD)XIQe5oh;BY|_;}_0np&CxiKpPn`1=igT37MIiDt8zRxEP3H zpa$Ma2$43T%jn&pPPh&c2XrPtQh01sUgS8ea^qXatIf#RaEM^{S91edZecA^$^)K7qF7Kp3G5B6-D*^an6-pX z`D2U_;7w-DEDvcs=qk3{!I}Y39PMkQS6iwNzrfQt`$+$8LIMxnZH;6ZX~YnsMlJ2D zKoNp2u|0}$MMXuw2o%Vu<3S^PWYvnR6#d~xCe=%TweaCUn!!*HJl%M_W&tUHLxA8G znf>!?hBDAY zZ(DED9q36IA(ihYTBxW2OkD45uGz@Iuwv_VFqiv;-e3nAnXOCO%f)$tXv&1kd3O!A z=dc{QoLB4aRzJKl5^rFAgdt2#fea1QW_&6%N;)5%gL2Os=Uu*h1K53^(GUUP1S(VW zu;bX~vD(G&`y2v+rhNN$9w0rE@^-RkAePAhRG6$;=97~01XhH)t;TICt*lJ!>pEaC zbb<-kVIrS!TOzKvePUrOaiFx7AW9q#hCsjCnqOH z$kEz!bau8mj4K{7X9}MTR#~4gG3d_z83Foifr+%)D~dPa5>R(UGK}Yl^fL2Q*VN+5 z`f}}hNKnvKN5|>8Ij@QNaSSt5;S+-pg6jBW=NhJet`EH0x-<%W4`n%Aeo8Ig?sb3g z88h!3=L|Pp-YgSA#`PF#z?j4Dt8}%;H4UbXjc7o~(>|I*VM8SqenrmRebJ|D+jHzKV$qFyl*jEA9U+_=C`aaOqnlPv9S8R zwb;kV*ai1(ryPtU0r0`(JNL%`^tyg?!b%UsI8Y(L;8EeO_FY=to19a*#Vs#xyvchm z3MN2key#tm+cDtS`siFSK$h#{9}h2;foGokmk*qI1y*V3OTe;q4%iJ&Ca4E@z%K+A zQ-A3ZatI8mEi5e1$b)8w8%4!Sh;INzDzDF26!+agwP40{z~M`cdQ`+D~}02QQJv8IUceF 
zLkENu7}vbn1(*cQ>!3cj(hL+|f`X3d$f7PKIqyM;AS%t$X=}RV`mUve+fFvE#mlGi z!}JyjQK*HVn}%+pA6Qu6^0?lmphaDE zeP&e58{SF5VPP>+5I`_l;j_bfM+Tz56iBs)O~T$8%gf85r>$)@T!ZE!(0)lw^&s{D zK?Y+D9k_01fV;@xVfa*N-hje_qep^?+IYFSr3Ladl|!k(QD90WCLs|=BftCStAA~> zyyay=H&!0|@G@hN-jD0scYX#-8YY z1~c&R&+Mi@_g`vGssibeSy3B^Z0KjWX}mK1+YEY;n8K@CDlu zzkskX!uG-wcxw_^lMZvD_RcP(r}B-!?DtJ*%ceJ*sGBOPmR*fZ9X7v%Q3UKms#C3~H=4)f)Wr)?F)b_F!C3$9T)N%%N@Hholyq3fS*6yPglG@qq zDHNt$6Hj%Gs8#*dDOlNPt!RQWK1W8;h+fFKN^xpKRu_!P;CF(y03n$H!UOObn;#4) zijrG__g!vh9aX8ym-YVQxlz!t(6r) z1H}bVk=Y>x#wGy5YiI+u$}IoHw*>P8Y4wLM(r9?R{}ltQTRqUOG$V5v)8Fn$hVc>BS6 z1c+CG&`Yzjf=nJOs~<}Nres7eHb$JxR$aS>Y*`_IDwS&-2n@Klz+II+J*(WBcx6>_ zd`CAuGx~)x2E`X{J4k{|L7rY9@!`yEje-4|5!bedmDinanAPcja@&{f`0w%JB-Jyr z#ljagnO`wqUO(Bh1?c-MN(ivZXloNC@fVER>^h>KlAV33j0xjDy1GtCCh|=Q+?7Vh z)D#RtXriO7e{8bqpbXK#L3co8?>o&PW!)bL>!_auYgnI6{Ku^s+p-1PLf?eJ>=r!yBMhK%;jJ2a9m1 z>n22IkXivl-zE0zb7=_8G`s=Y?c-z?zTJXp%SCigFeuaoXXog$-eSvec$&BcokIeN zOAlN6h}VL}q-uDFpoj>AE0ESo=uK2tORpNblaop3hOu0-u(e$!LMp67pzvdNgpbdJ zu<77X-OEtL9?E>|5B|?S0Ac_}UWGz_0-ps`gT$e>a>NmMwtUBEW8}{`$ZA3e8@y-g zKn1-4bo0M{`7)Z0FivlOPxg=$h+JTH*AG8I3XKFPa7_{|s3S*g;Q9k+aCF=Oz9Ek! 
zd=F-(rw!ihaHJU$J=$o?(tg;40FL}cr@lm@-SeoA1&)xuzP_N&A{G0AWWlPvRrP@1 z>CUJ$N~=@J9ilW9c|j4=)>fJywHP{7%hqM_dyXJ=#%CIvjss31c0f~IJ#&9LqWc$| zYUE-C)u*w+79313Tu5EW-;s}udW@n7-9gNufG6w*a)}Y27%y)qOTXsPlgsFZgLtW) zDA@tpfRGUQ_A>~JksK1F&1I-?_LxjyLQb%1udFUYBd!ImFjSmG(*%hXVPl6@F;I9A z;1*W&G%XLQ-M@-&kCV8B<1Hg2gSu8y(j9A#bdvtK-R$(VpqN-6#PrL{7XiFwRJmwt zzeg__&1`%#2)xkl-K$d2&p|wCuuTr2%z)rHPW#;G`-4cRunXvq7i5k|fs6FpO$ysD zI1TB~AGAEYq3eOR4F*u36c)b0Rq)Kg91j>e@;t6k`N=Ljk?tx1M|*;egONhiBp7kw z*iso6A5Xq{GqlB#)!???vu__5WoYWdlI}y4;qu%MOB)+pTi9E+Adkaj9Z+h!llj;l zM)>%=MVgOs3Kn{LfL`#kE&**G$(MTwFS27~18?Jm2*2209eJJjY%o5wK&b%hu~o61 z(YpXGB!VnJZY+mfgEO#>7&-?)ZBLM6BY&(CZGRN&e+=!bp+I!fo_7}i9Y2ri>UOgw znvH%DC&?D9kZ@r5C_BUsrx&0C895cdkWiFNYmROdVHS}M@)f9`;Y<=b@$~_uq32BzbKP8}oIUb2hwlb4 zct8HN7$WB7eK-_hgIU6nor_DUN+~WpToX{$LJmA27BRm8?V3{Lb3jFxzAht4MuPro zcmGv!q+i>1>_|pQ+HNdpNDPRfx(v$J$H%Y-U^EbaS2(`9;Kq#?sEP1zpxv&nsb!2? z2wQ+f#*<6N0cjb2(6G?VKQZwu_(mu1FcxB!u}arKYjO?*)DPRb5+u#}TL8&^gqjr+ z0ymiOq@TnS7G34^gexNuPndY3I?gmC-@cc4WbV-qva-G-L_>*0!#>vny>{#<6`3|b z6rT|-psY5ku83#|D<<7tA&R>v(Vv|E**$~YKge2@^qG4eb$NX=OIu zj;l*9q6vhknqcC?_O{a;0R|s5giepFEeA!^v$@9~Ijs4y{bG(ok5rWQH0^$Asv1lP zpp%Se3VJr4Cfo(_Kta`&b#W<$r6r=Wjjb)r#N(?!Bg+}9KOoNZ4jE&Qu<)H;ou-c; zXHmfnU}#{wO!7L?av&Io4rN1C0BIuGbZ8LVC!)M2j2sP#SpuME1JTSRg96k5;&LqpCe_hAw3SGulEFWzmTD-;IiZ8#k9J^wQH|+*bi_3_?6s)bgSa#H84_OP2)|q zIX^)#=-4H#1hLHTj*XuWGcWMxb|;D@K6rp(CD5g$q@^eOY9}FBJv!Pr>`46i*RLel zW?t^G7jPd@4^9IL4LM$9qk+9W=3~cfDA?G*x+DKsXMqIq)!wXDMqvQX5z7#UEHD@`b zk=eN0$*I2L2~&PrHTTJI;u-h}?#QV##^B-g8C85t7}9E7)lcrVmm58Hb12CI-vzNl zSb)S%0M?6W0k(TMn3OyE*Y&$Cx0)gGrHgHbHj_8z$6&FE6~}`fv%G@6i%s|NrE%p|z1FdI%`|{<+nIF*KEDrj=7~SCtq4Y&wmkqKn zunBmLD?WbtvI2IPz+E3f=Ios`S{X6x<9f`d>??izJ}O+fgX<$eEZN1j&`_*RV4TZ)inELEelaD zx3y_yVSEtUX+E!Z_b!SY}w(>MC`cRZ_^u`P5mvm zmX{k5Bk53fVc(A@TUqPx4ZSm$Qy+Yx|5m7t?V$0Q(NfW*nA?&2wFeX=_a4zxjmf-0 z#iH6a*pIF)u4~yc962y6!BLy?E&7BO{Wu~BIEU1fl+c-Qadbpx@=rlq6}KrgjfPnI z&2W}bSbVAVSx3PEGgzVy2KIm`R6Fjko=G zetVhLj7diM1%9;GGda^(F;;wJwjwV`A)f9EY?45VW-7Mz6*aU+>2oMcGI&v0wAbnn*o}m5X 
z3Lh(F2WkecUVIYVl7+w+!P&$Xey=No7y$FZmli||6YZUJ6hsqUg@b*aJ?Vk9wd)DB z`lRx6=!3LdHRDkReU$1ix>af`{iB7F_spdwie|IIC-08<-qgzS@gPa2qWzTbipY3> zUio}p^*hMQgQT_TI<|F{5pdcbR( zU&TKoG3OpUYecT4hMkHifvst6&HQWw8u7l<0RB_jh03193%kCb^6If$a|(OgPc@g+ z=**^=kuCQq)WlZ7Dy{kKa-YnDy}3tJ$ztMzPbZv?|FPN=su=Wiuj+LC*V%LN*1?sN zA|dsJTY1)@gtu8@X7+#Bc$q=mtp|j88+jGXkc2-U-SJJ`NQvQ9rml`N`=t&xV&K}D zljxIg{vIQ}GQunI^r+O@WV;QuW#g!W+94hBRU7e>k_Fa=<3=&v>y#H_0v;W{^=xiq zPVb1-`s87mK=lU|h2O*7N^jl|;LZyaIGaVfoPfy-wNs?goBu#5fmy1HKa_Ju4J<-J zf`Ja(62Ff2Yei4haeL*VnxHEq>t=;rw@xXSKChY{z0hKp^Yqfg`n{L?zAJL*ANio3 z{8fGboZx8u|0!BAI(J{3R^dHzs*8kf?&G?m!0PoXjs~C5XM3BWvT^I=0zn;+*cCp6Cn#D zYLFyh5%;v&vgN1nbhCe}iBcuiDOZJ<9F_#dAf*$6Nn6nnkuZ9A5A3oC6|d$ciP5ko+|2kv_YXk>YWPD;UiovKG^J)E@h=po(h$YzH?T) zUO5*OtQ>i*G;GhUGp9yrs1tr4rn}eZqt71w{gK_$BV~K1ueOEd;=VWcg4YN|mcN5M zYjfDb7+FByAR}uVi*8y07lx8eriWnF{zOl zs4BgA^Odkx=613PGNOe@MsfRN50j7>#@YH8VI|R-h`Nhi2DZ)e;$eH9;Ea?1Q^bLFKO#^>Q!tMEYLkA;pjugFKU z3kNku1u=G^$z9`P({fg5`=v#_jTxvfK*d$IuP3g}>p^w>vp>6|XdvyF6dP-a+uhEt zcb1Y~@oTM5G7Z}=Ezk$`^|^kfLLunpI{D<>Bo z=2rQ98|gjf#mQPdFYnF~+AB{NOhd!rORxR$jNW?}+v8qZM*EFCKb_gMnJkFng97RB z)~&1&CIJz>N*h^iKQy!JPOh#x)bR(fZ=#5co?IS&{00@0w`Ih|??TyB_mtRSWvUA4 z8kjm>zh0izykStqT0z6X5a-QVsOE0gl|3}CEJ=3^$2!f(%g=B}9bzA@o_+a%_K{Ll zR@Xq%*+;C`Ea>Q&lLaVBJSlZ0N*LnA1J0k>NIL%o=mUC6|sX_3SR#UUFw=aA8)TGq?%ay}A7npd z)qU^Z-?bZqDJ$kvp#+?nc?lEI06j6>Glz18dVVJrXUWHa2cx-euEv4ynUY@^N|Rn6 zaQ{QIQM4cYa5Af6Oj5!KxuS%o`Z9?^s-Cq6z zLXc9ea`U@)-j4*Zt#P^H_?Cc4Q%<`jn{y7qo<79-+(U`7%LEKf_lcj7-Z~T zSy@TQdSE$vA(5CA85m6*n0WCdLTQ6mhVY-cPhs*nKW7@%lsX_2a{0Cl43I>l`YS=3&DOp?RDzUr&873nov2t`z znog~G$jn#=pb#>|(i#~(zzDq>r!M!sS)aF;TOiblWIRf>0=2{228+#ghBB*Z5t9Id=6|~ zISS-I=1Bbi8O`5{uEyFR7y=;jmyyTR|HxO@zEyy|sER?)dOJ7;S@N+2dP+qoWkSsy zy)=Mdw+F@LxnyK|u_g@-fhHO2ElI|tlgENuNsJwAKa+pAyB!o#6%EXTDzsy_tk(l( z-lR0J3K`8&GaN|VvkMzRHRed_p%ip>W9()zUN0C&K{SUzrtB_y4rkqGZDzmZF$Icq1_o<0$?Klz zcEM9s0I47zII1iHOK_(4ry(Zc@kOlV<0_7?Eu^E*j3$0=X)+2R{CyDRC^fU>ERfyz zp-5^oi-r6M8B%nNbRp|UM+e9ijof^hlp8nXAh)Z3LZG@Z)7pn}-4X%jJQ 
zh5ef-as|2gMn!GLfXs{x=WEy2miyM%divHtSzBFMiB`E}W;Ou4^Yo4lzFW5q2$5d% zsv0&-r+tx=)Hh@dJ1+rF^aV74I-R!;`hma?6<+KTz^vRd>3Vk8TwLBaY@|v&%}r3R zVFro=5F1PMNR!k%&ab4b1+#mM9NYd;!$2 zabbQ->Zlw|+UZ+b^!{9t>}R}w?f%fS<-&Yz%A~(Lj~u;XWbV7_PI*Q)Wt}-C_sRD? zaTzrJA6b$NEI)b}M`mo%h#YIIl^5`|_ zw&vqu(#QiS0n`e%#OEg$6q3JLVNq9KTLR(-#(b8;K^Wu~n0+AYKeJ7`H5TC8iKEXm z^e%(6ZMa$k(g8Z(2(ffXKi@=QqGY^`Zj-iwK`;&GkNW|1VpbibQ4pa$Jv{+KgBinT zTJv*cBo@&dOdW7H4tc#KF&;l4Lw5cPWqg@i#6nBQn-6^r4i|YglBjCG^RZPmy6SK_6PkAvMA4sUDkh0T(aIOF%#PUt}im zPX_ZXtJ8)1UXx5>NBCx0ibM$~PO^rJlZ1EI=8dd zuf9$S`*Te_mS5wE{*JITx{!JbRzTo$C*4IK7Z(dvSLl{<)Hc=emSDKxhV1XFl|Z8a zuAJ%nFypyD3({bbk<(X?8D~^iSEH5TP6$(EW^%}1Mjsd98OItVY}{J#_}&|E0m}}= z2~>e|z^XBw<9?aqx!>lgJ*2^yxO)>N-#89C_{exhJq_!%oUDC#J1t3qs*c}pd+Nda zSNWG}!yK}!?k=919+Y{US~X+TqR2HpPIF9CTw~{&Y#qYRJsv$X#_t%58F|MHojl2` z>u$rG)oV(tJu>#pm|T%h6$hXM91-J%2-A*^j!CNr8Obtq#!&i-7}pEkxKMpO!hxxQ z|IS+Y7F`7zzud%M=^7o6y^mJ()S2h@Rcrd3vD|z+Lxt+=q?)$#v6tBK0bloTy5KCN zah!^&;k3dB*HiQ_9hjt_u>}k=>M(p-u6$Uwafx9Y{uXeRDf?mX&B^0(^9?_lH-DX6 z=~NkgQP}G-r=eIEp_6)=dq^-&jr*<=$Jeu>G4X5W`_+c>Ru8G{Fb~U`FFYU;p8BnQ!+JU?5^G6Wjp{iXE6wZq@Q8W z9%5V~cQ3XpaGMp(U4gvKXHYVVsa!+`WF52lNLny%JMLP7Sx!*prf}B*bUq`JB;!@_ z^yxKZj+#apc!PWQI{NDZO+BX+(Kv#)hNxZ7(+RwLR(1xGmfz{&G6azZfR8lC+rB;= zE+1T(D7SNMJ4tTWdgs3^)Qp@|*PEiCN#4Mp>)%lIH9z7NU+?^@gQKJS0t%M*$v;f} zPOZUTQsN?BHC6sSXpJfMt%c~v-7!OlLMlC?6^^fLy>n&L4JQdE1v2KH=C_uU`@;9{ zk__IQ6h7Zq?l1bug5U6Pspjv6J0`VbKYu>Lg(ZGTt6V%Nl6NKZ8^5EQXz@kPu)@_!MVUzG{cdF7xVc#=2G9yU zzP{olEBm~C<@785pU9-$hVSVCBqgZ#Fug|~3t<0Qb~?f~!g;^DcQ>BN`c$}28?Sg+ zpr0R;wEO7;G=OwgZx>KMciV`NveUn?yfjPI?K{QIZ&TvrOOi~~s@(VTu4!!8$rLuI z#;NdpWO|XwT`nSvXJb6=?%kc3`@)Ek`ffoD3jdb?CHNWd0Mcr2H^Izwvc+?JJIKkP z1%Fef0|3d%TBHfdQY`kETL!+8U7U-dI$YZAm8oMtek4n}jN{%0PhpEZnA_OwpSrsj zVcFp6Ccz$X0pRW;)(}n41t2yD{1~ZT0i-9^Gg|tM6o@u5b_+1(g z#8a0ps7~6&#K)@?e91tYidov-88Mb@;wky_6J+?l=T{C;JgBqSDgI)_X{zXAyyw*l#Y_JOhq5G(5bxumBwqHa{FS zlt9Z9d+6yiypw!&a+tU-qg27uj|b;QC~q%`l+=c-ZE-l(^p6#u6*hWriIpzIe@}BG zsUTGSC(olZkDhB8{wgMx5FbD7R)scXoW>^_dAt!OLZfnpLh6^084?_}zq3(HOiZKu 
zpO7)g(!h|TUMm=CX-O!U5!|j^$pf`6G0`}g8YU-W?SfDrxj}A9^z-iV1Ued%UhhP% zNE)P+`zHSGqTrs0#0@U9GRM6%!nUNp7>PS}YEuY^jsP)F?9084q<|aMv}+%nv*P$3zpcMYr92$%zb4eJ zqWf5ucYrmY^}yi_#?2wy-K3Jn15+#ZiP^2d!(36h6B~7vM$$`g03`o$^B{EKpIm@uG+&`lU!tg^l-;(p6E`JD;hld`yOV{_o3|7F}(H$yXU; z^3NAiwbGWZ6&2pfwa+%F;M%M_)qOvQ+AhUEZtT3lm)_g!?<^K--hN3QyfotP7$@JZ z7`_p`5+yY?fSxw!+jexgI60Z~f0Gs`nbWOwY(9TFXT#IKSHDC>1sZRhZv zx|OD7c6a)@i) z0D6OQ`x&gxE&_+Jru`ElY)ps`fKi@8N6FBjGt9si`Eyd1GgzLI^6rCnNSOFmYCJRu6&px4w2)d>EQMuPf~K%w0)a zQHwDPIu$qH*mgaYtx{*PLnW+qL)eAJzOV%kt}DwDW9`ZQVdhGv+v)n0~j zkrBHIdI;ue^513!P$9V}(RsO?jCU|xeCGPdHnUffYjNQE(^}>mH1R*0o_&>N(TqBN zNm|nLXP}FbjE7R<^&{dpm`VIANNb7rF-_eiBsKS7lUh>NwmlmE$_IR6@<#g6gc;4q z#P{ru<9#EUrq$0K1nL~9s-;5iolAX0Bi(WC0b{_F#QpP^5tc|&+x~s5lmh|J@-3q$6uD*n#*{#DVCPrZs>AWia( zhBJrRT*ys4Po+*PaR#OY8N9>)m>(d+z{6>ZHkl z=QW*3y{|quPqI3*sk4l~DQVlch7Qunl#j~}9pDd@HRf1n}*KDYGnH(X>yJ1x1j z52ddz^=4m-|Kd#OqLhWi^{{ScdV=Jy+SSFSM))Z1PKM?PtEE=03y$xbzz#M;fHkI-UbKcHKwExmrmF8g1}owt@x$=6`zK%d4xqziFv++fUxWOpa2o$zG1s@y|+5#!RfU zJuZvgHj5D__us3`gtiU3x)8twML@peKExPLbECDsEr+`ao^WCleFh@#%u8<5F<{#@2i%iP=?Iv)xOWN46AtK zxOf{SgiA|#uLpG5UPL+wG!0BlNTM;;x$j@VNxm+XR9sx_t_gV#>cFVG zcT-uC0R+-*62P3s{rij+nZSZMIO=ifh&b`WMl3&{P<||>7Y18`iylk|SS6TY5??$F zoCt0DduSuY#Qgbur2v@Khs9_JYXHT-Z(Z?2AsQjsfa1CTyi^?M_;H=v_cIQU@@=I=r!&F=kx6eFarpNl>ihXxv8JzZUdqFYk) zSrZd)Fr0x}0n^XwI~9BPF6*x2;`u=hgXNW#?WV{~Q92T2Hs=qnV;?d>$ij)l@xXW{ zC=tZ_bUnF|6n+h4NdVc~r-dynEo&DBLeRsQby|RoJw#_dOr1mU0~QGE5ei94BbV?P zfwLuktjZj^!)5Dk(u?oP;f_Q5(*)KmRF2Y&|4l_kRDrsvb*v%_15__e6WdH2q$pfS^p}`u65cOtbHu zm=4-fv1S~2f8$EgHnCx^7)vw8B9ZaLLWeS|mgJW?=&IP;CnqF87g&d?4kHc9_GRl= zH6cL*A1{P_oHlo}*qWLe>`nLmRCTyqL8erWeB~f@{CFQo!F6?mxC?RqP>ds z*`pG95l|#-%~e&mg$)8LbiU7VPh}4kxtHSH+eVxyu3$oFXo;bxr{|suxC`dBA_e+| z@?NopGP>iVXVQehWL)anwEi!F@vV{P zwQw7k*m_?Ikii2e$0@SC2abqr!u{s+tMnK*OK;TatC>1it4~GbEusP9UM3@DyEF8* zE%oKO7AXUGp-P>gHL`waxnP|N^baeOhwD*k6xJls}TvF4-YM>p7fCCCIhGW{wbs*_iS-Fh*cAHGVzk>eH;|=Mw{|dBG zo)*V|ELBEt#1JH+@sCmUoIGl%@Z|;LQF}(4dzq=b{@~kDzZS2yn2B{e=UHQxqJN~Z 
zaDJ6DfOSJc*!$O_XlM-#K=rBNq9C^5mc>%Yz5rN9t_CR&82(Xg+A+^c@v^=?^T`u9 zKR*03HvjwgGnDrz*d3T$9UM{zg@V&QW(O!|qCFt4l!#M-N*ZYYc;QzV)zHWzsG?{j{Bz(1bpbL#etM86KRIv3pFY2JI!J!Im7mIMapl&}pS8O)W1Y509W)6H zZ*`sUsqedwr<4F+4Vt~4w>;ffEzqEFbuF|0)K!Q4a`XWBH*)Y*0nEyFejNuwfu)Y;=@y#e{6@_U*h!j(owgpo@x{1^TFktGHE_i%AkdHyy1vB8)x9y&-`Dt#5`V)D>)fuz1yG1XWvqwkSf@wtUEAC;Yy zTUy@T-}Gn7>4>OPi>8>zeY6K+o9{Ib6B3*Afc5yr#6WXoVPA!!o*)#vi@T9Zqy;#N(3BH zh`zgjNhL8}V^oyxUvh#!LJrf4d2+T`bhjm&K*#5qu0wmS|A>~Vi26cv_jl1gQs_(e zpfkrBCng-_GP_m^14`OnFFtxd?VXiUY9z;9J)0W2|++X1Ox;@LZp>$q)WO>I;1;Qz#s*rTN(tUyQI58P(Zr7`x{%I z=bZPP^X(tEH?VfCHP@VDj;kK|i-t)mWPhfcXUTp6ZNte)`ptd&;y6nK=4M;iG+Bp-xe%1?p(160 zrG^KXLjbcjmf=RAL@?EHS8;T8K|9LCz_;)3pME1;FV-|+JukL7r18q+S2^Gev!l6z zELi_5|8^AAy3iy76CP}AZ0Pq_F>`Z2XxkC%)q3Cyiyk=fZAYLtFughcyN~g#jXITa zGHC3$IsL$XriBj4AmpzpS4>7Ol7U*q!*Ge@Ek^9<Q10+I&M zk3pFX5vHGB*uh|d1p&fyBYH#kJw3|iG{A4^DhF~K%1XF6@XSh3qgRwLPcyBQ75S_3Dd9=?a8A1{rS? z6M+zfa?5YFe2AJ+SBi<9c?HketO}ew2&76;h@;XHXtN1vC4mdLEwu$0TyHNP96I=7LR#~ZJmxcC(<ssPGT*NT3>3b|o*vRc zfvDcdXL-eS@?WU%PTgJOrum&}rJe>$Rp}d;t!%7jR9UYdyttOcKjPe3TU8Yi5ZN8W zb+FNQHT@^*x`C=vyDSvA4IGA6Rt)$7`m2P=`rjWAA{mIi&J7$0+M~q8x^Gf^$0vo1 z0F$^$KPR*GZ{NoAK%DZI^Oc&Cjhuo<*95oYj@*4zv4i7vtJgiD%QRw|ng_?M|1kr1liZ@LN-rczUh8cNxbKn+Yur9CluY|XhcTKyPU7WA5;t1LK zdGyUp!&l4ZBK{Qo1vbFVzs~fp*8q4_68HG2m>+ccUqT*Vg^cZyyg)lb{{G@n8 zbHjPI@f9i<-Of2;m( zh%SR(BT@tF5gA7llM6dm!_Tkyo^p6lSb0p_r)K23+;A~LZpgwX-E(U9Qw5B@`O)U4 zth7`dA&z*P8X7s3&q=G)+P7I9y>~DUW699c6+Yp>6bL6ebIgUW_UmpDA9h-0=|QL?ird*RyTADZqGc17 zf(n<{$F~?hgeOv@ahohm6)`w) zV0>h9h_~OsY-^pz?NE9#Pm@GD!4ki#v9(O`_j4`9D&G^=)$lnSp+zbxH!d!pF~a3J z_dm^r-+pUK-S;(IS{O{xk<}NBeR+KTqs7keQ9;FW<)6>`**I_b7WCwc!&BNm2- zmn>U>vi)Q{*Y(yLlw;W6llwN#t_@sA4De%&PfGqcvvw7p6Ry9fB1u2_2Kzsi=^5r$ zgB{2NqJG{?nH{;#?w{XxMUdNYhZHhTPI6`M9`9aYC;s`mUuV3pe5&;YYmD?#PcmD{ z>SFU(Mr7o6KNIQ$&1@wN6=m0jR>uRv*K!80kNrz$=uSP!e1@~R&B9XiUOVY*4&EeR zVfRa9V9>&%Zf`rfVmbO48@D+!B4Jb{@bKXcs=#-nb~m&42OnCR?b)DXVUfPgg#rgf zpFp(!N%FME97pgBhb#`IM2DfB|D{nNju77J#eINHzN22b;W!&`yq~+li@MQB=h5CE 
zb`7yM{9#;nSkdv!%k0vX?MO3;B==o@eb8jwcRP;NIayH1xJOo8Mi$rD{^xpGaPa4t z;-uZL#B6bWbFLhm_2;uWW7Ts$fM3i9q#hYAWbr*_P{0#eGQ*=ZLkh$j$&tovLr11YLkS1A94B=2nr3WWdESxP5Q}}^b^G!bQKen} z=^q6BD3^c{s3aEp5>rD$IVmO7` z8(UjP2cPh9erhuQrKToZR_xvx@W>ar#v_bn$YOO(`RrXNW#v)(mRF+ArMLEhL@M>W z71=@gQl-gUhU^NNt^N=kmf@j#MSHnyr9o7Tmw1l!^p455(BqR$rffOm8y|L2tYPl& zobav=H-@(@-11BMa9`+Si{WWSW#$rEoQ8(+F)Ah>9|7T3x>xw5nvGrKQLC1x%os9~ zizPJfpt~}7#`>=DhM*j;;`AU5iX z{jO1uMg1v$c#CmSG$vIz)`$)9mUa{8wYvz)>}*-*%YYSQ4+@zv7P5cCh6&UCq(%Aa z()DO`>(Y9}UMlD|W`K3nLq2;AO)}Hh)|uRv8uxa3;*poER;H`FmLraj-M%O5boiQNV}Loz{uV}!*5oP4 z(Cb}8thfuYeL_B9eOoFisW>g~(~b}+xD6FTg}8aTF}C#XK23z-@IpXPPtSE_)7SdJ zI9xX8(I1M7{j#$YA`S$2AF5OH)<1pB-8IxAqAZsjvW1O$NbdX2BZFsm1$O^T70_D- zD)GaNM46Wa@8zS-jWGmq;B;gghT=(hlZrAKrYU4oN`z6~NiR#rMPgFew6=ObLmnA$Z)Z+pU!I>?I|OW|NoeYf^St)gt-o%*bMwmMqURy@=9T%9_sX20uEwQ@pqYe> zFz+O}Wp6wbaB1CvY2BEog0)p{JI-c+51=;MNz83`FkN@=Mc1h^l*T%1rOn6v{rh|CL7|^%+k-45=B4J$cdZKQ3U0L zQ^mt5C6sMY0@$w+Fk|Ce=cNC>;iFghQ<^HE%NWPwa3Gp zu0UH|pK``(w|*#6sZeOOJ1BViv02Fi`=o-x{lB|djS%kL3LsJDY)*#L&8rwMdXPdL zODQo0$mRO#;MfQ&D;sGH+=xW6L?SXW$b8eC-SIlkoUk^!p7oME&Msjqe@XHpIln9= zB|E*PxxHWfY9Ji1d2;e@w!_B{*gPr;dIHfm3e8a~Yqc4&@Z$JKKjTkuBprObuTN3t zVlT4JO;L8F4r&DOdie0rivt;MxIl7}yG8jH@io+|lkI`f@}-QBOb=6{0hSg_IJ9^` z*2++N@)u69t`6-k@a59yi#;H`uz}qZVWWh(Peq z{%!0cwq&z^(6^q@Pmm*LNWm%;Dqx-KOF?|ldsDxEYk-h4n-W;GN?mN^eAfkhlrlZ` zMNK(m3&zu~LZ;3F`CM`DmJA>mdhjrn{%^^y1RE!?&4aivwJwE*<83`;A|Z!&aIPd? 
zamc>J>qw?i@a&<2eVQrG`|LhJ;g5-r{S7!|lj1R|6N8@o7ma@zK$z$zi@f-9Y!w+v zGy;VBKzjnATTC4P)YM14-wjNGLLX)OX^>&`QcL*%*plNCW;(!pGk~-v)9)ty?1kJ5 z;pkOU*=RR5H-W$0kvDZeo|*vWjMNamcXR}P>ci0gaUd69C9N56WqKh`AR_-!2z&%@ zjanizO=OuE=KT34cUEy!x6}%lzIm0u7_bu+(%F>-Y`>;kqHbv zM(RmbwLO#-PM!Xsi1*{K9^{EPdOMYl4cq(wd;oNE28R6VYInd-plbn*O7ZFP>HRX( z?K0vw1DSo(lE+e9xBd%2)0)z&ewJkP%mn=TKV&FOB&LC^sSiWp1JAS}>BoC}%>Ikd zzcvNYp6g<-Y~^w1>;;8Q-v6Q!!L9D_j(rK7j++0=n)tt#8x~8*w|V{_vdA*s|J|DS z5AFxB_&~!MRYL$tw2|+ zL5CuH=DT>lk||=qLSOGOs9quwLk|9a52jWGm;SyPT%7+r^n`p`00aR33J%}Ne7LHP zs|W(*hR2&iROA0eBykGTr$z zz5p|NDvjjOb0j7e+6YPLq^~^rEG}Jo_&LO#(K;ba%vr$>=M}HMI(+36ffq+)?B!iI zBVO&b5e*1ESStRW$pDwZ4SHb1V`GR25~ys3N&~MUW)O@i$XRL#Z(^R$k~6LHZ}XYs zi0dJB^N#jJ`M1d^7rI;Rl4Q&vCyou4G+}so zXsZ1?)P+C_ld>`hyb(?!28Tabb;W}pbG@7a}B!;m8XLaK_+tRpEi% z*WB4jN0RPiQQ(6K{1^LwmynPE05WW_o&fh3DiTW0SE^u&B_S(ITG$mN1h5%UIl}Fm<=LL+GOE%nv_ls=XK;E?U|S zF#ZAiy%0ynLbY>XeUSS?p31A&uP2vAfzDT1QUY#g&wzQQ7T^g&1QBWJKmjrW&GEJW z3%P}F%R~xyC|n}_dU4=iF&E@%dsOFG71dTozR6ty#z%+@LlnXU3_kJYJhRFP>!|5 zzyk#aguxW>VTs5CtrZ9kkXZnh3v$b&gM(neQ;?c!U~D`JP~-Txnc?u&A_eqpL7R+; z($w1ezG((ip%RV&=l~G$(^3Tm1wiEhZW(qDqf`eRdVHMIY>*P%&E73v43LM4!#M!Z z6t19=(PN1)p!Iq1>0Z+f$$?Ic7lx&Np&BrfCDQ?EfY7TCEw8ezfRC&2 zBm%t7;Z;_hzjQ4C#RK9>CMJm5+U8ZLfe!&Rtv9x_>odB|+9a&PQ9ZX3mc8?0MI6~* z^(jZ-OQzrD6*kyvi18X)GBDWtK#3&xZ;g_ZdJ=AZcBr%dhb-L0Kf-;ho;mv6x$%70qEDwNi+_4)ddBNQNOrzzkJPtjw>MA zb{xd`0V5L=z!yUpuMO^nz~tw3x8)PjQP(b3i!8y)bY0o>=b4!9j~4?ue44M7er zE}*f3u{|y12KU_qawkZ=V!;>^vPOr7Qk9+nUAqNn$e2nsfTMuI9pEkSGRa{E*2VNR zKbW?TfOfJDa3x@6<>euW00jkCU}HHTg$1x8!v7Dfk1s(f1yO0v&bT*rKw%1cKXPBd z+u*dTD=Vkx=F;H@Fk@=gdwB{7An{tNsEmU73f?V0NEr%g(*&sr;Dw+RGJqDgZ$I!O zdXxD3W^4#BMPY%5R3Tm9rE-@ZJ5L>`D` z!$7W9-m4!@fUHqaDuM>E(8uSxh&)j4L7ey<#w1XF>lc6k3?V;Mj~{2xLIlq)WV!+t z44jBTdOQ*6$AH%5d`xo!6(?)v8=zktQJZ^6nEgLsP+`(g7bHEU)A3hbPe^0%89ML(oz|jL}7^9SlVFXZMfIQtnBUob+Aa1#X7Ro+24^G{oQ$d zh6|@20b9fKhwb!PRiP^V6Qf2}IS;w|j%KhNZ|50aRcJ-V6(9U2B(=m>%%;2w z?9m%0@%S$n;2HbK(Vo+Bm#LrfJ>`Rd`^U^N7gwD)&Qh=L`g%=a<*Z|p<8k$|&l#_@ 
z(5cf!N*fi6PPR(_3H|Z(tk;nU^0ki>L1ceMpByVQ{9X1BrOCVcA?Q}{GR4*`~1btNQk?UL#J78e7n+m|Z z05ceHA>bo_yU7ZXmoS-fF*w-ULoQg#FHi<^z{2YmO6$`Y&E=T$lIB}>wyli~&C{pr zD=X?SjU+I^&;!a%W_tR7bB)_U4mfltB#`@p>pDoqz3+W|`0Pm~d^>e+Dljaag?(`EjwzkD}vbP%GD-QFdc_q1bc1%GY%LB*MDX_2!K zT50LCdkcnSzTej4yI-#>Utrj?OlZb3VPeGNvK?bo<_DLpfAO8Dj<_Kx?X+iWbI{!- zDTsC=4T*P$UdfMhs-5XBM8mU!$k4OP?d(DwiQxj<`=33iZpuVw3e)g!B4L* zmdvxIz2=8Y--~X234Db0!N|bOp}L6Saq6G*k;RF3x5`2hx)?_jqqucH09fAhADpaWgK0)uLf ziAhN%D~~-!&Mp6~Q@06h8&xFHVIWvO*ZyJP?t-soZ@&kYY5AurWHXV_xfsJeIO)Gd6$rgDCaP`&GvUk2Q8RO_Bn#c2nbW) zCx)2(f_O+nNIl4=rlxpE8No`Ahezv41T+mqU%be2Zm|6gWIOPdp}_-vCM}*nP!_?P z=Ov92cgDatA;c|7L71jHtoOiZ09KV2gSEN&*K(=UhjO++V<7FgzSbk_Q}uXZNgXRZ_XD zXSmsH55Gry_nm+g_rYpQqE%sf-rQ-ucMj2BpTXGzOHA?7mqy(mBU5=i_$S&S70wpz zMem4N>3+fBL?btmxZ}_Zs1O*Ffvf<;*#^-QgR)6sA%T9fZSWx2hrQ)w1ZALT>N5Ot99!lk44Te0s)# zax6=_TqUvMcR$~-H*TfURhx#SX&`_`nIu+&%W30msH5>b)j4tLyEd5{WOnp#HqNZN?*_wVDe8v&XN`P6VO%;B? zDf*^u&18UqL<+KehHz(1VW#rLqFMGy#EXoNuK@ze`nsk6R}kfoaDS$Rdb$^wc_2dr zw;R%sqiy}roSw@ws78d8l)gY#YC-}Dgat6hd6}+;NIBA7Xo0E+>dfpANV`mXNwdtI zqg&Wl%%uV?p8vT+Lt-*+PU06eF%dP6JnY@154xRx!mg}-kN&hj5k^zpXj)}J;@IE- zJzaZ;q`zFH+rSU2qSV|d)j!=OzFi{`Mm=A-JSh}?UpDqUtCW6^vm1AZr#(I5*2#)b zH7ut$8n-c{^K-2osyVh~T?^fy$Nu|xj~Yj4g3FCT=h7~wpY1Q81_{Pt7t|`pKOU6=4q)D&)Vd-552dwxxzpy7JuB z_1DsOgdA_v`#pAMf6=Y#xov7-RAcM7RZj4pUXvhN^ChAE!6Jr~N&CD%-6wXF8&v>s zP0pm>Uv#VdZ5^zxLR{u+C~^Df!_djXHp z$ms>AoueHv67C^0eV!|4l!z!g2#+$W`Yhi$F#)-%Cg5nQVg&IsF|6*m8=yECK=5oJ zYw#(4?sOF2WLV$QP=`EBSU@9Qj)VQlydCFcFJxQeGW))S@X)3Rv>V92{U8`v>`gdR z!$w3VfExfb*MVvW)KpKbHYj)@H~`A;D)TM?9z&wOeBrVC3EUlMIYE_+h>3In2Mk$Y zZ(lr5Xq13y?KoW{*k7L@q|M&O<``t|huhzCVAw4el5Ww2LUb+OE#RmlM1I1QD=WP{ z;-YArRjviUkJ)6w${>FK!TsQeFAuWwpXNRR*ixkCF!56*KqsFUn z7uYE{E;KMj^W!6l-uX8Gqj`HS+B+;%t>=ODdw!rPO_fsj zW1z2kOVs#UUAR3YB8cRXB=Fi*vb6U}T&TQjsGW4D?#8gU)|I1wSwHeyNmowwrEMmk zLw>;%?$n#7vMMbmj~AZfiCmnoJwCwdp(l}itgbl5Gd|@pC0(!_kWHVL;8vwEYb8grg(ZK5W(p z2L^yK-N+>EDYE*qs7BuOpXduu6PuR1^=DOC<#Tvc1dnxxr2J&41kswsa6xWf zs+cYbdGi9s^7^-a0 
z-gx!7n+LV?L*JLm>UV^)QuB=Z*psq0g{XCJmpY?n2f2C+pfsdL&F31$`HUkHa3>TVss1Q{HFQY*bc#N5q70Kp7H6x;6JsKClbVI zY-~h?8F+Y{gM@_{Qwl^u@Y+DZT3I{$C}VHj8}B;beh2(Zz(kIZ9Xw+n`9gCBb}1mP zSpETB31I#Hi3^5x`pylQnO0_I1j7t1EuZq51?T?;1qvBX{PESsq_cXMiJzx(lL)72rlHjxuxTspR3cRJn-(3mHH#(NO_#`I2K8DBjJ^)08rj0 z#LpkKH4=m~NJ>eb)aV|CfNuq7Qv56HvwiL|%R9IHAb$@8*u}*9Q4mZ5`)t?=JA!K` z__M>^2ev1xLz#VGw+jS4*ujJA$RuQI0Acf#Z+c1fn>JXTmuazLA;qSROs(BUCuxan z^LtcS>6tN-wSpQ+w_xwelad--Mq;RgChY8OSEn9tFL&hPw(aw}?V39nQde=0 ze#{R|KqFsbnEd2_EOxfO?guRVJNHQY&qI*SiScZ=s>Fr*p<&}f?03WMCW;HOL}mAqE%%AL z@69U%%9fQ9&G6PkR`$$Qywz0d0^b{M67eE;O+rJWx~7EhzsLN@*7xySPQGTP`PjaM z&m$qvwQ8c2Oz%V<_tfO9!RfIezOSRpha`2T>NcB$ByPBJdyV{u>99u%3QYCheZa@D z7+_s?<@!fUNATo|K6ZG%ZGZRk3o$3IFgv54$(vq$N3Ep`^HB*L_Pk~89|Q2ZHU->) z7jD3vwHn%B$O8Otcnq7DYB7M;349I9?mdUpLeK@|nOf%1fYf4v4)_nBOqFMZ@L&F9X$4Uj%(A-L+C9d_(0|KgOJl|T z^a6<2%>2OW=Re=}F=~WBDLH;UCIWCygIptoPmR)(bQ48{fdE%R@aCp^;s>1FVMRIK zgJH$}IcVR35A92;aL}8$A+La4ed>VeavKQAK#6v>9CQb)62JuooqVxx1bFh$zk{v! zgCN*;m~_dYK-&=^R}Jr=@wbD_ABgY;SBc^}S)^?m`=dkq$f{ALY2Nd;Eul~jny(fz z2b1%kLN7o#@t#qC{P1t+9^%2quFFCcSmE|^E$J^UIDcljpro0l} z5^B(6BAR~oC&^^gO1;`{JL^*~!)6RSLlUo7LlISx`|p+^v7sRa9*^r)N2JMPD{|{n zbvCOu;)dmgib;+*oOgvDRkiqE+NiW!ET@=gyB{(;S3feCwbHG9`8mP%bbGT-Sd=;D z+icBx+K8^}sS^>OepQ@_!F4Z#GwfOqHj&%`OYLgA^^&FL-mtZ(L0OX1aGbkSrKr4Z zxXDezXPC*_ari76a)j#%$QoA1$`q@*I}8nfy3X@Eeh-6=?KMAnfuh9YAji}USppc83D~&oeX%SY zPk&~96Ds56Y|&#jeI<~T)kMv3RpRCCY9y1CIP+y7+HSEmQFsYA@gwuq6IpAt@3y~e zvzwXAst=@d-FW%kn}0nlxMH&1Q4Q=;MBk46(OxZ4v@dI>%EBXe@Z|NiS=+eiVU=fDzehK$K}5^|C}l{wByyzv9~ww z8qu$-;H=!5j0(4wE-Uow@)RNOK#|yVBQ2`apd3B7^PPc0^3X|mGtN3^_tgPjVg_CE z0;nz{@5N0|;W%5@Up6K2INGS{TP5J}JF*Q(NZ?L{`dabc->Mr&M z_3kwF?pRu?@8@ftso!*nIMY6SQ`wn}sOz`tJVfZB%~E z!U(?Et+m6(cZ8eyvO!wCBCE#(nymHe7fVMLM}uOg&F|&nIJWm9el2H8Q_Uqjmbl%q1xQ=KsU}Iuh8dKawLL=9gpQP?lx6x}8^{Z(Wmw(D; zvYjR2oUi+}Ep*@%i?C&GPw{XI%z^e}O&K;5DX9AjwVnsIEje%8^PZX4cjLS=)~U6y z^cJJ;$QJgF#9stq+jj=uN7YBCo+GOJPra&I4!h~V5!2DLcf(>|CEAjWnu~!?|A#}@ 
z-u^QC@o)-%kZ31AO}8Bj@W`ThoM%G$%lqfrmp66v)P{d%@A*Em_55_H-{1ZTOGv)+ zGGWn^joZ(ObZ?&rlh>yW)n`-fx&RQ}Mo3XulxSpFN_V`bM zotsM{eaM(Aj~AuF$+3;>F`4JoofcI>^R!NrPF3=8@Koa9;?=CGmd4{;c^6ml2eI7h zbgKAKD#hc{y4I?{WH2?peLv3srZV%$c7NxG+a9(=p3awCOUoaA^t#N7?XPF22Zeue z=?yljuI_gV8;m|n#hV+; zp5sbq(JPbeT-THmx+U3-OV8Ur9UgmoNowEfQR`^tpDW)pvSe#(Y3i!MFxfMEz6wWo z>V2-Lnzr8S((8}9e}C1H=u>WW_zm~7AJfs8cUOOyi|Sw0)tq+q)=+ev)eLmiTCjF% zqK0?W6g+f+a8IO$#N~)yBDaV}z2md0JF`ypnFl*|W;JgYDDk;ItzCWE7Cb(wh>haE zZW=uA8*vzn&;{=U*-S7RH5H`?&OuX?9#f*1*G>vQ zn>MGjWWms?qlVDOfa6sTsSH!MkH`3YZ1KM-bBR z^{aM4HiDOew1NBgBX6r6uNU{Nll=W1se~zli}PlZlKNYT^NlxHSpW$zM4_UffEd)> z1pc&)7JUesTX=de+VrvOO!y08RCloOjRdFbHbEIUShGhhi>^s}vp@EdV z06~TeOH0)F0ssDPRv^;nN$-|ltN85g0klzma$j#q?KEVO#~aCrinh@kmb{#x`jiN%1Ve+OT-4jUo;<)6lObTh_|rt`w{K5DyAL+0uHQkKT2Y}! zdAD%f`$}CtPX#Kq2bd_K;)d$+NlCgYDvOYe?)n{sTwqDpsK>!^ZcsA?R>=VK1Hoyb z5y%zzczBTclB@0r(N-$CBL~K?d$E))tEs7ZU&I_E4H96(GLTaO7Q>g+w_q37jj$6@ zP#EmCgv>vP<5C%i7bEIa(bS|16@QAY0`8mm__uB#cUijC@_~hV>VVq8r`4Veg=`Qg z(fXTvvEc_8MbN`AVTj^)VFTI9tHN$n&{V_CG++wtOc~?w4nx@6m5p0X*J-P&ikX0J z866wDt-Hr~kVyJgLai`d>rMj9+1c%nJyuY{MDkNVTe)-Qg1Aof_K;Bp{sXUnR}8Ek zgMBR6B0!Q5JvIdLJf@=BoUWhFae>4Wkc<)qweJ1_g)1BZsS@A(Rllk2fYM)+L>jc7 z($auTf9HXm>A2`<1eBUP3+HV@wy~?PuYmm*_^lxP7TjtV8o~4xY-GSrt2gI(4>};Q z5&VXg$YJ{k8eOccL%Ye+RM7a4mXs`d0)1F3nqLr&mgf%(F1)a*<2FFCw~fxg)+!H+ zl;4X7oTmv_(29(XrU~zOiVdtC_;_$c8s|6|NPq!`%gW&6+&Oqb#3zSS){nyE ziVOd)Q_;F7MGp3$Ke)1CxQ~Z7KR0LK*bl(2Q+%+Gk1$x5e)#Y~*%sIqNqr_PS39WU zaD#zPCpT2f_cNp{{F>p1ULg=%p#KwzI&SF%&j1%xWv~Pa5lZ<^gaI@r5Z?oHCeI&w zK9GClki5!Gm}145N&o}I`P1b!fqAxXRtRC?2aU9bJ$5&Vo)k~h5DwZ`J~ zg@$gOB#k+`27NoaQ(i;P5iwi2U^2&GKD2cw497s)CXl4BuVLL1zc2Bzyx)z)=kPj| zr)^)f7%fHb!Lb6U)aLAan zeGn@-Vn}f6r~l`WXV*6V&2T^1`80?aW;y;d?Y_BSmZl1?WkuovlZ3$)heKJxCts*y zCQP^Rkha^m;XM5`{yT+|8o+TNt`+mte1Gi?>hqa~ufDu}zYyya;?XdN@%Ih>{_y5M zi-1%3m)fl{Zg0et4-Wx@|GjwqXK_OO`WecV992Yd&wQgoR**eWDvF4q6e|BzSJ!&(qYcXWe=JDLO z(~wjaA&hEU!z1FfX?D5qT)-y#mp+QrzxY2^Di`95%e|-wqn1fGYy$3s@x|c>LBpfZ 
z>58qi)02qytKwG72*(&?JTFHYzGtyvVf_72{bk<~bqr6I;)lyLcasz-&AZ+7m&4^S zd>?ftPZ!RJMSSg@TKV?{NYO-LnJYmrRj{Q!aFOt0^Xb6cBqqVp>htY^x=G3;SXKE; z5hwAqEcxUa<}3y=8u=JwVs>sG?D1<+Ltut=C=}AM-}nK&YiqqMT|HCbv7W9Pb&cpH zO2^x`w!)k|yluU(K6C|r+#G*iR{y$Y_S`bOV}5mJBy|h-uBx+;xV(;ves2O4mqP6k zCE*NKiI!NIV{c}HJQNaC+&7!A35lyI9c3nZ`e6|h;Fm7uVvk6+z+N9Ukl+f5{VrF< zze*ADb^320uA+vnh}pnmQY78{^Zg+x)ZTH6X^v<~@_Lb-uv3V{So9`wvCR36Y5(S3 zD1F}MWc}FJ<@h*`nqP;m;to20 zCUwU%J0Wqof-L=n)6&_;aF-&7vtL8fhzb1~Hs&pN)GPF;`rrY}1T`7WS%G7t>CJJ% zv+@h`v@8bRvtE~-1L{nEYFo#st{kV!LtJvoj3WX3IAOF(4>rGicETXlzJy1<$EY8w z-OrxKqe7ER3rnH+`k? zx$Nu7#oHy4n|@sGGSS^jk6f0Q$^%j}ULpzpy82opI-t%!rkZv2X#5i5m9j=}zF2=&0^(;nO zU;9;S-}!w{N;1mXYPqSWbe(jx?FWb0>w~FB5%!szT5_s%_mER))()S$$~=dlO0*35 zT(65o#oRU7=!17gCa;_4)tNm}?g-UfAUjj%jhGKVSB}Uhor+Qjp}S{SSnRMUWo_rm zBP1?vxZkH+qpB?LwjpFbO`a;mB^EWmr1qMmzy03GlgH%Ef;24Hys79S!47kB1w(eO z=c9E!Fl!OeX6L#XkHuZSDtIXBMK%+lc&oR7r(Q5!v7TQqr8afMT6PRw`!|u6S&EFr ziL6QDNiAnY!IA6c0bgIKe4uxW^kd)k4z4NDB~&DrcEtQ@YLxEh>Wjk=@{oOdDqakv z9c23Pm7d`IeyfOenKOcp-=k-BW1;2d)aBd4>+fN+)2Y|5TkS$+r6=UJYAf{dr#jKp z`!E#v3-$y3$t2ELBP(C{gHJyvVvM)Y?~59ZCVra> zD(S-%Z7S`Q=1mW=!?eJ;*rLSFTg=*@8MUf=H#&E*!vNG$hXqBr0UYr zi%YxQGc|vXl2_hd`$9gHo^Btn^1UQ78u_h+UGo+aa#frKq94XZE4cU_U0OGKALaWf z6x8L0o%r+8QaGm1vKc)Stw7UJfUiu_qLUmmNjaFW1dz^=Mnl_cITu7bd$?a{t zszGNmsmLu_hufhy)E4EJm12rK(q$Lu4%g@BhvGHC;87gzVuOCjil`#Z@k=01xX2D+Pld@Bpf8U5LC>Ek??055ErtTlrZhtxs;vzQ@Ttm zH+s_Ocl)2W7>C~N#zi^9&qMRcHL1K>^lc4SCwzPQ>V~%bOukZQ;Ab-az8a8ACFpM)46-a)^QjdTKNJr3Uv2&(C47>Y08&BV(M~UPtAEq#Pp4Z zG52eUsoWq}_(1zBd+3pi*Ehc^r1)x}Nz|8K!ZgOu;c@t*oT%y<@9iPOXR#sA>{?_~ z5(qKhcNkVVEdInbNc@UzKAaO5)rSCWV%5qCNbM!Y&sO&(VbM*tCB_%)Jgs()q@d%8 zwtqrSQ#Un5NIrk@B|^i;YHK*jhti9)=tmUxWuGa_pg|p`sQJv>kY=8Nn96#o6WJ9b z_N4KPQ8*7vB61puWmdXQoj(#;SHg+A+Y|%aa;NHMd*h z_%O}m*ZA{_ICoxd3(Z%o;}K8B2Ywf4E?U~n-|CCd^7PuOPRh*JU_MWHA67H&?B%(n zubge(8=)l?R~^yxs@~OMy!AnKfvWLl{BA;dyQk{nz!mpyOUiH7RAH2hIc-e*Nh(eD z!yz1rH$s`QH5Us7gI+1WOd{2!M?-%PpD@cYJ~+(~%5-yUn+=imoNl6EIf$X;i#yuf 
zxff@(?p4_Kj2+c1rDi`he7ff&(V5k`lr+koWXlF2_tk~H+hABlWzVG>G7^s)qP!NM z!wB+E`6ba&?;*zcE;7n>txqQRsl}t}wmU+D!4H$m@t9(yS4`x-xm-m|N?5G8e)0YM z(W>xKAuFsbZlk3p58uAr|FZ*-#&Ru&?8B+o&lL7W2#G-x@g`jCIa5G+pgQ)+uQUK+FUkc>voP2 zhz0n(ss6Bz-R!K3)%jvtF+t4h*`EkE3qzt4zri&{3NciPb2M_nyY(htuPzOgHFhFu zCT64DdotRJT3kfy9@aCxxci5}VP$UUweIM&)XG*b59y!z$tG6G*Zq_x#PN5TzkV>m zBlqplWBBCW8cO}!$-+DQEun8p=6*qIkL~;|baLCN0b%4*7!s_pfwv!OJMUdEkz1X0`V$=CKXk`C&2vU@33hWsnAEZGmqJQiwemomA7ghV)f-Ss}($~R01kLHNUL$m1J`Z$& z;{V5n0SX3K4SN;FDg-G8gSQyzdarC(xTW#Cp#43{UpI|K#L2wZYUC<&u$5b9hr>xk z>%SR0GScpH?r#4uT3RKf&PNezJuRuV726`h<^P2rlBOt2ioX36bg+JJrl+RlHM$YI zTD_*?A&qv@7qv#jzqE}$6tG)_w;Nll={;V3aDQ*-vZ>YW__$os5^7Vn^!>t!>gX?d;`LLmOuQavSju^SI@juDmRKfLdLlfxBPNDVW?HG=t$syG_DL*3Dru2~y(;)q5! z5(SN{{jI!0k_zN>9c^oMYU+no6ryN%?EUsb-J|Bv(8>2tM6~qNG;Jgs{km5@(sk0= ziC~Fzh`NoGYy`Ws|ED$BfBK&9rt!`4SUv-Ghiq0Wv(^y-x2# zEA1rvvsg)aF*N;R&H>vUbleQhP2KU-=|70Fj)?Xu`TOXqFf&15hy8uh6Z@`(Vp@$L z(cFRli=slsC3KNjRT)Qr?m%-KHbT$^izsUGCQh6`O+`bU5udCGC)}3*! zu3BUlOVZl!8Wa*x6U)#`Wy_8mj%xkXYTyaV}f<$=g}wmg~y;9>KbYb zX<1YYnz_p@1q9BopU0GxzZCwoRK>QgYjDG6Oi3O3)ul2$mX1r+D;~|!wEM9-s$e92 z+_LxMCssi8l+;zE2{B>QS6DopqxU;-NlY##RcZKBvuqk6C4&{K?rFWoxc2zuEv%@m znYlJ&gC?2(ueI}zYHIuPIO-Enlqw=vc!&a0rHE1l1p%ch9YTjl@4cfSib(GrMLHyO zqy$tt0YdLZAe7Kc=!DD(zW3($n_08g%vy8)faKMw>9}Q=Z z);blnu83GF4Q@_~O)Ta{ba}~0w07jMnm!A$e(DyZmyv;;SC5v3XE_Q+qQ?SUccef1 zbii#{&xjnJ%&;VA*BxOPJM}{w+;exy&x5f!7+IfcBiNN9kP&-^t8s1|4#t z4IO8b+wHxJq_a`9MN%;=972SiTq?3PL*)rQo|I&7$Dgy zbzU2@9JH0eXsBnYqL=d;oo$3C4+>V%6slwBI~C9MaBmfGs}dP^?? 
zxJgsG!hYsF4gw(}x({S3W9L%DR%wNGDj{*tus)GfKR{k@#82bYMWCNFNkf5lkqY;{mO zu^#^+s9~lfDD{ag)e|0+xF9+RR95NZ^Yr%>J)n*9UCZU^8}xBlBB9}}B2AvUUi2qZ zk+0*=ZO!on-PGjBV~Z3;a{+o160F|%aso?K8HA@%9-->uc-ZC3Pud`}Qj87q9kN)y z%6M3?F#3Wd3tsFhOypPb^F9v{VE2N*u%##tefn9UMvxt)J+r}C1;XR+q4^l#Bl>Q6 zs%i&L8_$^_8$}Lhhy)7NA*@5}qVHhIhw9~(U$U{_WI9b~`(w$cM0xBNug^-nkJm5k z862=!s+F?o6pA?rxcgC-J9w7c$&hy`t;I2m&3kgKvQp_JD;UDYga!`GYP+b%^vEi4 z#^i0t_%yjLv?~m`3K; zuXKo%)S|8<#+T_;#--!sS>W_ZUlRqv%Nt{R64yBQS^Wq^V z;gefiVI2+f#HIO=cxVVes;7!RyQI<3Ui*Gk?=yMqrI)^}a1S!=@W!?A8z;qfOU(WI z=lon20Y?K&1>|S3qyv-&Q+QPL9NK;3hNG`14?+7A?IJ#GvH?E!@!-41h%XN8wa7R#8G) zu!5ykTAb`k^4cvbiiO@(iJ{zxj0;S_MEgg4+*#Uk3+;$BN4pM`@G|)uBdUi*$bhRy zfN@-Vl!IcHU5oqx_Yv)73R$K-761-)S+tGfup0nL;5dFQtvHysI{s}O;iwc(m3Qkd zC)9ul6T;VY-rt0({BEus$y%Z=3|8WL`X2tpU;hTz{;o9GWH&t!fDlD<}e_ zK>L-l{gJ*S-0Z}*arpIoD2Z4ULiCywJ%mcP?%S zy2AEKeHduKe<|KCKKl|KWX$-echk%82eaV;36=$Wfcb(FBZu+t$!lJ{fOxHzK% z8>^hHpNvu?SJ%ojXnX!j^xx8a_CtiwD8vr-wf;mWLJUtXi8njNiL zZ5MpKHb`HHG|~}qbqz9mI%1pPyA%=_8?$4#I$rn=T7#9&%Y;Tu==_AdteEcN_HU~$ z$cCtv2^6fh`yjSSpe2*Xj|aK(EFrOl^`(7gd|EL(4$Hk#45M#L^!Z#8pOYbH#%rWs zNNB58G*suTA_t*&Xp9gT7u&tX=P&Fav8zQv(uZzN%PTjq;mAV|r(m~5C{DEcy$Ffe z3Lh%oE?cosZE%X8WyLTi<(?8Mr)`z}^3K)jvAW8XC#N@YB@i`pvg7|K;YPf{0Nq%s zXOX6s%}(s=*vGU2w_#FHh$DG)9y>&R7nrxCI!#ApyQ*tpI|1Zkg3Diz#3tit1f9Nxbg z3ti3a8PJO9yqsn*MrYYnqLAQ;_IRf@QoHeD(7Sk$3whXAG28KHQ~`rtC+ArFLALdF zWdc;b8EwPGe#GTi39hUaF*3`0u(qT?x1v*@Jj!}t!(yTYG|@6aZ_Qi5edS!p!SP8& zD^g9-{6GzUt)jl}RxHSsL@ls&rd>i?Tky-|rjfO_-~+d>)>=cpC%tas z(2S*{qun?}p5UN1&fK-IY_ zj@a{Ev09GpOPzzsC0Z0O2Rq9%p-i(@Ex}Uw(x$;BsG~&7kP3_SSjoa|mN9aUWut9< zZ%=MdL9fVFx8m2aQlnn1zTqWo=3}v)WN9WUQo>`$cuWJ^k!j`fbhOl?^J2$*`Bx$Q z$ZwpA2&kdr8EcJZ)6IhR8$uFec*;@Qz_$5%J0dfdk6)aGm+K?JlGG@Jn# z&G+C3ZF0-gS95?hL>&lT;CsHm8C6q5RE*(>TTHHb+hR((YM%>Ayv+yZ3fn3v zMwzb=4g~-nC9wJ3p;mRp3qc`{MuYN;6&~Y_*1^iby<;=%1Bs)2a}yPh__->x?0}%J zmZ&`z7dn^rSl8g2=Dla2Yt+ zbn=a5^X|&?;K7kA$x_^OHirZl|6@xD~H40F+5Q29M_auUQS2hy)DY>Kje-JBl|fj zvvP7^;{#8rxmO!a1a^laZo6x}(iIA8x)4G9$l;yBq=0_}JB-8CIh=I3)-uKwtqsi) 
z_^z^OanLNQ=B%hd#dK$QB<#d*PcbLwSE;)ZY(oNbS-dzqEQ7?mk1x+5ufH64vM+$~UuZ0!fN z@AjsJLSb|I&ebX~lunA#x}7Q+An>7Op5asAO!dXw?`>ORIhPYJLd%o<``4DLyH-J9n}Yr59>*F{Rx=00?0xWv#pc;Xz|`>`r;|S|>fnrKL5W@b?~Leqqa< zAWIGhg%}b1L`(M3A!}T(#=&t%URf{4`z&~V-#vX1td{Kbd7g+QWw`qFGM;96$Q2PV z-F1GU-0<-V&|BeEC95#m3iD%!{G2gc#$(hb{N$nAriu}2!3EFS4c@sKfxjD2Tej}c zR!Mm#sUElclu5%*<8JWYYL!Jti_-$f=1Ss&xXKGvXRrFxE)U#QWhi3zMt0Ke4thSk zB0Lu)rb&65i`xonO9$dM6@mGs^lg9XsJM0K))BgHv{MJuV^dVDa z7S0Mk=S}t3x5r^3GVIZ6vi^a5%5pQQ2O1r!)pWa4(J`Q!PE?PsD>O5N949OW+3uz& z>D!-7?p0U4k7Hw33GUTjeP9Z922@Hq#=|mc$ii(q*h{se599Upn|kqOD!ql?`f2zW zO1?c*Wwm<%+;_`SqBShe2fsEWP1W)SIRiA@ET>zWQ)hTe6AC=m8-m_$+unr0c+GVF zh>Wb>G7I})OEa0_=`OA_?!_?^Dnmp>oll4b5Wug@=%H#|XDnG$b0pMOXBRie_Mg$! z^{KSMFKq6pW>aXrSzN9)+ltf>yE=w_+qZH+l}9xPTskrP#laWi1x($7EWCHMv`-4d6zPZE zN)nbuLG3{%vK;Kv*18nw!G8Z9T|3M+wWyY$@}bAb>b)HeB~6FYKc^fzBv?tbW?iq* z|CAsoPy{ENI&gcMD73J7T(+lD=aY>mQ;w=>?7taXWI@tPg1 zc#5n8wAa&;ofOx)3Z5VE$9umKSb_JtF>~5&d*A<|qO5QmW zKuI<9x!yKxJn^>26*Y(EANQ!37uD&ae&|r|ePUMnwmRsOUn#dg^L*%+W0M9Z+ccO* zDfIa-KA||IZBO4dvbjwEvolwO2T}`Yj3tTtSnmXIE(%Hhq+4%&^o-Q-etZBWqfFR{ zZi{E|xVshX;21Mk2?oVhpaD8oE9N{D4{q})+!MX(|ALgBRy3S4l8fU`z>W6Dord!UCjX`3lP}eQk#a% zHz~wdk;uwmpbQ7L zL#_$>&ghG_8grw1mg&B5^cV?-rGIW~43EJZX}1lOMdkwy-t=SNft6me#*n;L-4C-5 zPM06l2e%mnK0jMxa(+Y4J1FRe;F@G1Uhwb2nLrm_^;H>&C%GF!yY&?A`9!Tdpz`fRI`%)+!5PT}T zLwv^oV-vBigY$MZy~$WJ_pbP}5_UTXgQ0)HV>g(bbaj==#%H{3B(BW>xErKQw4H(ij9MCeG%ClU@Mig#l4yh0$yO>u8 zCszJ66-PcNj$(pWXj*rVtF;xJyco~vaQL;cXL9o)9bFqzz7aI6WhST3JU7wDd%_+- zLaiGEVCuM04`{a1e>BlZxR~CevA-EevdbJG;8b&ZlYSMy{m>FHhkU+&}5j22)Zm+(a0T(_xKoA*-h)*4dwsR_UfdKIaKCV(qaT)Kw!_DK?f5 za7_vTj~;AMpGl&droOT;vEz0kB=H=umq&0IaFa5@3>`Pz@z?N8#*UbIvd-Elzmb|2 zjh8G-9#UDUy^fm69^#yFT6p`Ar=~kSoHA)R%XQCwedBT;+_Jjea!q4NS$VD$20Ke& zvL91GZwwtn$6SZuikG`0(ztQl^Fex{DG#!j1LnsCNJ76K$2S=`Xx-q-WDfXxHM9O3 z{v5?;IiRR@dGR7&51r-RTThZq_{6j3jaTi-oPL8lZqhSK?cOSjm2dpoYss!UK;odN zbt`N;bnunOm@l;j=&2d3gE1rJSWWRUt1|n~l7o69FhR3@tI5t5XD+nWYB$Opbvl^>bFn3j-a!Z&fN@sM37-na1PfK8&w`uINy zUaB8aD}SOYjKRe|tocV!6K%*B? 
z7@Yag!Q`EjR?eMYeLvv5^c~Bz37u8u8tt}8jHc=fNgskzMU!}Vf;JbeQd39v-*@KU zV+p|SgnUi|jy15G4D4Wzln6Z+6(vlk42YgmWy@c}vG#OkIF@G#%Ej7pbE~Opi&;No zWlghLqmtQD-g}+BAB6DmkV;s8f~d?FS~z`&qaQhlrv!dD2rp>KuA_)@aiD#~h*ILm z^B|4~aj73WO;8x&6N4_yrPVj+P>wE_&3*+ybuGc1sGgu&jP2%v~IM7y9+JEB%y7 z{DN`TCD8tNi|3l0=Q{DE09Pxs%#O9xbwtpDrx|#u(YJ1@^Kb`mJ1z9QcSPNp7>5+* zA~Zc_^S76U@iuHzcqK4$Q* zkku^}*fAALilZD(qohWoJ*yX$t4d^*Fu)K_#ki|>(9j;2-%p77Gf14t#I)J4-Gmdy zq3^Y*!Wcoq^fet8O?i6;bY2T`@ECT0H$Wf9t)Y&HE7^j{zP_(~?;YLzipTZ>_Nxa< zRLJWa4Qewa16h){9l~Oq#p(OwgaYrqzwPnxZqWlVFEaoE!9WZ2gFTSD0uD8ajz484 z{*Jsa*!k_bfZ*9~G2m`HSb(GQtQ^7T?2$2DiMD`+`9~b`S+BBY``o9B3jTh8I77Cm zN5O=~bY-X~>x-K;6zt8=bu97O`01|zBMC_GOLM=2FTlUl=C&_?WCIKAMZ|6GKw4t2 zD@cnM54kc=uCFkRn@|%QdhudIHX(Gi9ve}eG_eo)eIM?9pdhY2-Z|LGh@7txdafUu z5~BgpaWi(6+=1_UhCjHI_Q+Ny80dd?AyS0}12pcj54D-^~ zV9yKusK}0KK9Quz4n3W)iTM(kB^yTVa9(a^UW}^SQ+6w#rh*^9Be(skU;9^Ra2egD?X$u}cJ-$Lz}6l?|Kzk( zV$_7$A7}EsQU!g6>*wHs#LWkz!h-(J^)+lD97q{@H?0#?ufk>c(EO6NSdt8>`>ff_ z+!ll+8*cp-^vmEj>zt2d5s#CF1M4efx6e)9H6Ni~=3$#C&%C~k>;rDgOfrlRROPIl z8I~b3W<(_n9#9q4i^HP1-$#;@kuw7Q)yj*i154UG5gdrzw>>8P%EBIp**~7Eg6HecK;}8X)(FqDVJTGzzMDxl-K`$ zt<;)=cUC=kV8Aq&`DW;U6$|`aST$#OKqoD}bx^l*g@jx@^Viw5P6)s-o(rc80pwH@ zGHSZlimr7GWZ+%FfV2Fgh;-B@2#qj)OCn;ozuVqmY@aP1O7420OyksvAtDm_Nx&Bb zSu8z6JF*&UG#66Xpy5WUllba1ntOw-YN{NSSkCwlU-&+I0T|7{3YZb#cf#avSM_(? zGhiKbV6UsAWxskr;@9u8q1k{22>5sTJMR1RTlb&xlLT{Y$?P?okvV-k)c-HVf0(hs zgl|LyWYByhATv`CY5u#|fuIYPu$G#z!-`Aih$t*TDE|e|)JoTXJN#ek5?%f`!f?u2 ze*Z)O3gA=Ge+wr!@cr*=oo?bsT)YY-M+W|X@{>*%{|j3|X2X+D8Y|{8zg}&oKGx2+ zve?Kup+Hz^x5oS2nqYJo!G`mCL*N9-6)}-9mLo5RIa#;*Vhv<%*4fblc}erBM>Pd? zCHD4fy6ctl(C*rpirOYYCA|*Ij7DBg)lt-Q{($?EwL3+h z{Aiznyv)jU+KCOpUhj5+Mz?9&j^tEu@(aEcZ1#OA*WP+ACgk$9@wa^KCLZA>_QLLD z?U$tUCQCM}tKaLZZyP{U$!*ro(v5i#4(Hc$`G0lK2)*VchbP=-pmLJ?ce3!p8zXQ5CB`oo3Qxw-0u~fOfG>`r1gL5L9}{>xa;q2 zPqEYAU;fKu`)`W#|GgsryR)r8{8dd+RgH_Z6w~a}spMYd%^XBTPJjHhhwsKMChMS% m8>BxNCI7A~5W)ZNRl-xuDyb2ZH9b1r%L^&RXD|taxBmf&#}?TD literal 0 HcmV?d00001 
diff --git a/fast/stages/3-gcve-dev/diagrams/diagram-single-net-a.png b/fast/stages/3-gcve-dev/diagrams/diagram-single-net-a.png new file mode 100644 index 0000000000000000000000000000000000000000..746b2d508d6f58310730bf426ff6d975976f2a76 GIT binary patch literal 94231 zcmd43XH-*N*Dj1=xe-BWDj=XBAYFO~l>kbW5|FOaq=a6i1{=Mo^b&dvB~k(c0wTS4 zkc5O@L+BlnoQ?N+-}gEH&X4nr@nvL;tg-jntIRdmoY$P!+6jB1rAl>;=^7as8P)S= zAYC%DEB0h$>k;3&=dW4Y3ms8SKxgDY5TBN z*6-?5uABGP8?3^Dg8Vkk9FXJGviPd$gJMV%1mb`+zDlUoxn#{FdhyDkP1}{`mY%@g&d4f+^8($TfBIFHH?RC#Bn!B`&G>I| zhVK7yDYki<>T$-5S3MZK@6GpbCxWyM=F@#@bD|#K(RiZMxje|oezj$etk$t*2*0EI zx7JqJ(e?jdm%3&E0j~6xsy#s(oAOaX=G=f^{eEcpx_Z7%b zZWgHb2`1c@EJT*VusX`4k7MPe^lnAc$IjCJGn9_n_QSX3*ww^DF^v~5>w(fx-0mQ*AW77mr7Ilc>loztHI0#iurb9{#%>fbKi#R>U?P!#oc~1&nyo#NJIX-AXQ&F?{JW%)%J15m-GVS;;xXpD2#pfiCU6obEfu;KS2*@xX|0_q+OQ!paeHO$! zx69GlXa&fB6aJVh_Vo2Yaj?VGl+*wQsk_nI z24#~Cw$riN{-V4hJ9E|4=dEr{2OnMEs*DA%@tL%)y-;o~Of=!*_0|Gwu*BrEvtNO| z5mtK{w9{0>o57L*>liCo;(KBPtwFQtgE94+zx>$zt-Pf`4}|Xrb}xjrj0EpTLt@>A|~CJR=7P*qiJpr0PNtLUsqXeik8O}O)SlkMHzW}MN6cj8ROBvRk%OxBc* z3NX!AzAT7!=;%aRo}84}HWbv=*{oJ9dW9(I#7S4$Vtvqk*v%A;_V+wp_8S)0ZiVm%`f^p)EVQYH44Mf=D% zHDU1Zq1;cZyzk$eZQegnbCuwoGf+m{;Q%YeJyei|6v0teU?#MF4gAhNEluH-6ovwm zDh4Ib@U+S%Lsd$MfwGRidXS)qaa}pn()-@^?h!D%h{xNtvEAjh{S(1(%j_KBJK&=M z$*#&@vPtdRaI1|}QF{CA*$iV%&#VV8J9~JuOG2y+Obg$Z?BFXQE?!ezEn_AaJ9LMM ziRtDmX?O4QX*_0A1(Zb-5)n7f#|{sT)c!U@nbF^i_j1I%wKymnod|2W&ki?7P*REZ znpo8>Itix>q&djiOYM`l`RY!UX4ffuWZ&=#(eTVWd(unZ?{)9x=mD-?TAibVbwJjdJYa%x5B$h_98?TiSmTOSu=~NtQOU( z+mvN>6}a`1Q@7pdz@Kld_4Fz+voFA7uLiHayx1Pa5`gQIT=B3lZ;KFWLj4(}XJp*| zlXK(p%SPJwMy2D+q`eQJ54hSDcV+_88&GJp;?Y|lV)?v5@fhA<-#5VJ#ULQW{vU5p z6T@zQS5jH&Tm+TiHDej`g7)-=_F39`J^b9g_gu<4Akb(EFPd4X*2|{QsmA+#J+h71 z&s;|CCommo{G4%NKiJIhIHhqx+BLwFLfx>k?0_!MHG*%^NBn?wvpH9_XYqzZUVe_L zL;SFfA*s%s|B798c&M0hzzqdYnNkF?@Aw#waIC5>)}$J@APnxUct`Hu_8h{M=H_aE zvUAu+f&-|OL||IW+djXJ3hB@x>bKXpElVE|D5PA=XEWxiHjcS zQnt(tF4R^{YW^xc%p1Nt`Q9Kkiitvv@DxT^GQ8inaSc{mUJ#RE@g->u<$>gZXzCQ 
z3nc7r(5-mLkaoxGtrr=L^S$=ZYB@q~IKOp7{qRu-R6^DpU;C?_{9G7vGBQd6`ZdC$x6ngxJawQM)L(LHe36qLuOHQ^#0mr&aEhy$=hiAif7by$ReH+$laxMdr-T&rr=ZvtMI;?GtFqa$ z$?026fA^T&Io+(?^&hDl7>7JW6w-gCX$ir2AHry8X4yqvJ)YXC$~rx;74*SjD4oyI z71_+2xz#!1?-%mGx;BQ5= zv9tTA?xN8Ho3}@XhbsUtQqx&A1RqXQit| zo?8Y6<$gEbPq*&1Y<|WV`^Tpq!`WmpDV#0J3-W|X!8!HbJTh)P)N7;NinnjT?zC7` z2kbf_i=KeePQ8+Kb>k8o@tWd0G8E779{%D>638_cz&?bos9CsBy|XuI>|b4bcbFm! zLyJCCVL@5AsnylJoFHOQl=IolafNTkRz2`j_7>&(0(=Hdp@sCZMx~|lrw!NEUQ$&y zW@QzRcxXR)ofY~ic^zhKs@Y+VtM8@dPamYIJ7j7igS|DOS z{R8s_JWi6Jh;Eod57Q;JAmzj_E8UQrH2WU4p}Ysz@B-qF?UO0_?#k0nZ>Ip~Q*6Er zA3#J7WACKqe!AjOHjax6<5ANJJLOj$t`aMbVku9gMGp|0N$yUV6+wZGKiMOz!BKjsskro00Om5Qa6{-uA>xarf-0kS3viJn$^&KgsOufx8c*7;Ln2O1awTZH_Z6MxcYQ z{#uq8M8YV3Y+FWH_bE9&#rhqy!s_Zm30!jhL-x7VGln}4*x|&8J0$|75?dVosElc;6hGV$uc19_B#qD@w zb(~5iM+an&TMJ;&*Z1;Rp`@h3pS+Mr#hj{sEVrcnv9z>QIbIC6mmPTa7YEK*0Q#c% z`Q-w0B?CmlAL7}gH)emE#@H<4%&peg01+Pg1TiJ2V>=k;^f>#V4E1M5E-qlne4~OE znfuJIlr4@oo6cSJO`gM4VH7#xnqehz?_0Fxl_>Cj7M-5VaCx>dPsysOlY1vtudLss z;UQOL;NX|&i3=CE&xqpr6c>TNv=g!H(zhfg9F@5;D6TK#Xov#C)^ivD0 z8Vxw}=rEyF0fGs3_LKW9afNqEJBd3MQ^&Pf*}7t0G<2IB5>)V}e5GLEmhy6RQb9wp znA1cev0U#%zR(Hsj~a5KKW-Uh)%}>Wb5v*7CV0&YniuF)g5`&LQL^YBM-3JZ?qi^25yI1P0;3&pqCO84b`bq}iss+On1x?BUa}Pb+jR$O< z=roJW12D)`aH4}xL0&XiHgIm?eJ{TNu*y^nG>{8@!19h)S8KKT9oqVml9Ik;mfm@x zZ>sy!bgJmjsz>7qinbmjcePu{?WR2N`0y({&R=pEy2o?Y(6Xc2m7@tl!GtKS7wJFLCh7G!k7Dim1AIl(&IjWFW4=m%oZktJB?xpegwNA~!4?*3VmFmvmGQ#kN}CaP zpWpSirZF%y7p6>=fzvuG3cZw)SMglSAS_g0tUF!r&7gX{SvW54#v#1t#=HEpZ?9du zbLo{q2@8n9>fVTqgu8N&Z?nu#)jco4&w0rn;`LLR7-*1<{qd>u?{=-14+MtCm!`gE zF@Kp^{pOV)y5&-1BJTtLwdl6Ew3rx|kgUn29@OS2!V{hi*EKZs-WtrR!TOM%Ii-h6 znU($dlLQ1ESKX--6XGK}Klr%!+2~nWwWc?mvQXPDuJRW2Fis#c+TM)MmA2ISY(kG* z9UM|a`HiJ4C{gPYr{_voQ=ePqxRn_FZ)HUaEJrb2+^3@AQ!serj2h3ngP7VBaa34;L(`~kI%b0^!~HD&rBtAp-SqyR~F z@wD1WPm1@<=RZMfPg@r^`cXai4J{i*W1d;{~b>&EVupjkiH+a3Pe-;F#P$4 zjGwT!0q?UP&d0_JQw+a}4Og+apY%Y5H>THMBbn<;!19rXqFZF^o;Qm;yKM<;=AEc^ zKQ>|Lu59;hI&?(not)9F+VK6{H+(X?pp8%mSPS-R(0eR%!F63nYM#QcT8tK?N1R+B 
zCRA<&)|Ne+l4>O8&b**p-uQ&4LPqo3G-%Xf7aPw71;duJ9j*slxm3)rJgZzB? zmSB=MMm!?2JsKK1h}$31(W&)Og=rOpiiwLGPK?UH`ZF_sU1j@WOM1_*y(tRZd8mf^ zejjckz|U&{9$Rz+Dv3#m7r~iWZ+Vd#yvIgI$0fxEPyZ&L&O))aQqFq{I6Ypb(LNtF zo3DT+fj?w_Gg{O&)V=bAkd4a=L>6 z@*V8#q%IPuxQRDVO?N9u=+L|NE@P_cDsD=Aj6EALKnqXuan1n5c5Re|mz4OQ_G2!8 zRyHmWRo3aXabKHxQfX^WLujKXrlcvUs&#jRtcX+6Skli-s$aeR(xcAk#iU{k*}K2+qp7Uw^n>?C|y z6EKi)QB?P?6!i8gmPjpxzY%+0GwcEOMDoquQWmNUa?+2$a5~l44~7k87Q)XKl)TMr zLpy=cyUcFcJQn0xFYDX2N)_HUS{kv_jQ4V|e8iv=sq#_F8_SpdE;@5!H4@9R*WW(t z@?**gmYq~L;h5T&AAV==WP?=s*NkM=zzqG{C!{lDbV0o;c&Oj^O0DuV*~`1wCqv%i z_QSK^e!6*fxQfeb6a5pv(dQ*mSyY#nfq9u_c;`9l=rfHr_x)re34CBY5^t zyZaSKi!nls<@t;sPkUf7Vq~VlOsItzhf(pXd3}OVqK2ohX5f-rv5>Rd1hky>*I=N> z+so(G&kSF0aeZn|mEs1+=lM--uCE;lOX#F?+O6%|s~2ejB^if^;4T>$Y?9lxGp0Zk<;m z!vOsNef^ajnIPLTLq_=y*WWv2|IhQp|6k;te{q&z$A9F%D{jHBRmu0#`}h31j5Rqh zSiD=L=+j?;0bku+(>8l*O|vwZs=KtG>A1YQeir(<68CmcSbnr_V@+mliBR1B zjZot>vHGjltBZcuQhS85Dt`P*QVtXKdr@8F=z06Gg&D`UKm&$QeTVK(7KQUnfXjM?7h7Nda8WKdR#Wa^-J@=Ee5P{vS-_{(>C?c{m+?1~D@CH6j7JpO3? z^5_?qkI$*75YJ)V9`yP(kNiVEdqG5{xcO7-C+$I5Ky63C;u`V&&lRsMXTE%2=*i-5 zrH^Au@sN)DobutyVPQ#TZB_I5lw|jZt07zm=I4}%Adt4Ql}N2O((u1h`|D^uk&bma zWAFmm%6qW#s`z-YpB_SVHHzp&2_#b&7k|!)CY;9?TQTvUQxg}2YKp0$lIIz9Gk^m4 zcjNd28Q1?VDGdNh!gM?S*6VBg-b(*o_Kg4-lV6;UuEXnX&npR-bN&brl{skhFBbsx z!#(%kC1o%eT62N8>{SnuNNqCt8-|g&2m|J+a&ihYXYTaB859=^%T=;HQv*$NFZ|G? 
zYwVQ}E-&}nw_z-4~_3f3R2d^=m@P7NnuZvL$ugnjxS!vfl$VJi+FPFz5IufI!l z`Uj{}_qW0f8y}^lP?v?1Vc2;`Cu0AzME_aZGbIHTy6V``+!hX`my+6#u z+Y_F`%zTmjTZXzF9 zJLwmD zRQ*2%Ds0}u8JZy&?C|J4_SvsP;r%4}Mxcj752Nj*E>T3&DRYDCnV#wmJnGEI=lT24 z>(7{^Jo|r-_6X(32_gE9VNI!kY=Yc56v&CpFVV&pfg1(vZY}cDcjZ^FK_!>@doNrl z70^_PeU50lL-7HPKUs-_rgioV1$xM=*Bbfl+_1(TuN+>XX7Qn6B73XF+IM`UC=}MI z*F;o*`!2UBb)??Q(X_!D-;vHn8MDm5I*?j{ znL!Y==5hc=K8AF((i}h@5;e>md3)9aEm<;LQF))EBkHaqvbH>Mc?pRx72v}LE^cQi z+`e2Lv(e!uRq+v1pX*HyfS7`ENa_7_gBA%ia0_HK$W9IU?u1+FV z0ZS4CcnbZw%K6%>4!k|tryU)f4>qwCWp&wN_Z~_?dRt%TaPx+SQJeK+4?PsE{H=Ox8;n%MQM&>m*uhMUhcI_q+*O{A}6(1~Bqpdca>*?DNx?qFn5#kxO_kx(ChevNRjzIscP%L}8UyEkx>cLLDFwB|2opL{j zNtKZ0XE*jM-g@Vx{QUJxtG&$EIR}ma@LY)-vQlFfb=}Klghjg?{VH2(5AI9~)U&a` ztnL(dt4}$3gMFSmnm#>@@mYW7CDm5o=k`x0YF{)^#!KL4s)hs;Mcr+EEd$KnS?&F> zbHDO{YV_I~Tzi>KCi7u8utc_atg*{_s8&JKYNNAV%;V;A4qziN_f5MVvLvZFIhHH zSmsVDm;{tsYmv>)!H$}midn?X6txo8*dB#~jQ7G!^v6m^R=N7p3i8k>JiHYC=uQ*` zPtkmSU-_j=>APN#>F>Irr!5?tq<&FjLa1x3#c7j;_~@9UMbo#xw0k08!c0}%Di7`| zeCJcJc2UywbWo42-hQ^UQB@x61VpsT1@1C;Qw^aH*u@L@+zucU*SH2!*f7q&8X?RQ z{wMF(yd0QgmRYANJqe!P3UY40tD-;JZkio$I0z={oo;WvH~Sb8vue|F071LdmAvZ= zEiZ^(tV@fI4z|Yo%yijS`5c04{Pu@A)4A;W`mwRD9g>Z=-t$MLl}8TWQtUSY==JBbN{Nd zuVC%gyN$2CnC7h4fN{&=(%O_!;FI!dwLyk=MqZYD_vUlp_H!lG=pMzmWT;f^Q3+zQ z+||?FGQh5Rd)`Mny@20OyZtBgMw*Om*76M#grt7ltwkIB&^4!@hpA49CH|y+j^ujz z5Sf%p=wX7Vx7?1|!03^DpoBczKZ|Xb)34@kfv`hq-=r9fn!(D1ADGALluwPGA(JkurT2_XQQc`(4Vpy zuh@sDUN-IRH^Bt?4(`ql5@B6Mb~W;6qscT$7@L62F~vlN^wHHl$!XG$1eo;(s>115 z)+tfFxJxmv*7-EwuW>)8@DI^!iqFB%WV_3sCRxnAaT&x_Y2BSxeC|1ptQwIGrLv57 z0aG?8c?@N;oMGqVlbghj%lHm6=pjt$X&5-zRc~xeBNyE_Q_=#^E$rD`eJP4>rs#7f z-FQh`!P;0u%tq$S;B(Ps%^z>dIPVRvenp}{C3TAXT((3&>8XUv~)KtR>EiegX@S5UwC#v;)e0;nBxcJ@-=Eh`Vkxt$wyb#!mi(|TcGF;j$6 zHmwwCZIG9fxu4u&W@u!pNRK1MAn(tLg&@Gh$_sJ6cCK0D?{h52;w*_(o zs(Si|Miv2IOfHS(J4)eAlm{&bHleVfOlapu9o~NFmFX zz1j$Q@vp*!#_hez^lc00roF3Ra0^Ec85pZdDOV3h=Z}UQUvgC_C8T;9v*r0)Hdn$w17NkK2GG=webau+Qv1o5@Bb9ElttY!I~{`Zs!`%4 
zQV)5PDV-af&#I)^Mee!ItmQeQO7K+3u_3~h^}av%*k98O#hhi%6E)J2Gr;g0TAXB; z5iJwK$TArMoh~bpDC8;A5E_{*H^1McfLracggE=*+LmQl@cE~W46^si8%n{TiyuEU zs8)qNd*Ko~9zXE9#*=9(r19Rv2kXq*B(4YiPeJ*8W@qgd8Av1ap-oAX^dg0JU+A`; zbKRy1%6Z(W(ykW&eTdGBsd~);e}Yc#ah`n1}!v zuUya8ConQ{)teMMkR))c2EC714jg}BsHda*ke%~#2c`BxSf^PGArtCf5qh0TqI=cD zYO^2E<6Qs_BWmZfp4jD7<&l@w&fgyxzR;*ZB?r@1;>gz34Y>huDknc3WIa)9b95yu ztwY~F%(IJ-f@KTLCx=8mM&Nn%BZ>oxaYkSrI2G&`je{Sqo^+yEIx>Ziky~7it_f)2 z1%pGPnKq4LC8fpjc_f0JwcTqU*XE$y_l+Cz+%q__@>efh3J-qUKom2YKKFEX|L!}E z`do9v{Oz|0VW9_r_45S|9VNnA-z&*E2r+3c6&VVeZjUz^r!b{3uW4B9(QT*8J_nBt zf1qO*ac!3ykZk!Lx*{BFvp!i@wlFG8Gt{UKOhflHuq?_rMaFg(Sa9Ed0AS4!qRdhs zbe?uB+;2gyYk=lx^{DaFljFnu?D5uZUa4Tvu%Qqdh8VR-`ESA&cn zXxWM#B~>?7lspXBugH#7#Rw)&zS-`@Syfj1%!$TM$~md2W)3ReH}V@AA1-PCflP9q zi!7EqyLY(?YYcOlICISeX{?IX621 z#+j4GSIz26Ir>HK9H*deM`b9e_Vj}uu*-NYe6mZH9qEbC_LC+swD(QTCNf^- zUG6|qrpYTIC4*Vizn**(5!^-0V??F*gt5*&4hIgT1K=5h~4tU+bUuoiS3bn8>aFS z6vzEdDPwq*VmMt2Z8)Da^Ia%Ivwk9H)}doVE|t=$u3m4tFo{TEVV5*9U40M&Cj|H& z>}=%PiKKpf`m`^hZ0UGs-wrsyxfw9W&6oi_$57)5`DaSW#~~u3-ucs~_>6ZIn}Q0> zj@4c?6#ra5h(>GJM3_6f$grSFrSz8i_rgTWhL?PIdv7iWD1TjgNi(G2?|&|1y00UP zoasi(KP^EPJc@v%U7p_q5@r9LIKitx*mMov4KI4EG#v@TJ=yf=ImP65O7z|^YA*en z`BI&*G^clL$px(y%pKR{kP|Tm{bpz9Q>RqF7F}y5IBl0Ew8*`{hRPL;_53EY7P{*PaL550?OvRw2- zcvt#xRZi00d<${rlli(_s|bhR%8(iF<4EgzC3ZO^xJFDot+S8yuBU^gb7axS%XWO!$yF zeMawLq>-1*`XcA$<$XtA8F!cveo`z&;|7!@X?!SFN}1dI_RMW&>oyxNcEIL##uWgQ zjsH$vnto>p0WSi63J7z}jNi=-Hp1o$28OQH9bKY~iKO|OAB<{0VbW$B4*zx$qR_lm zh?wfSntpPeAl?(M&4T`U(lSb831GBHF1^PuTmY}xTkM=vxniT8*Jr zTZ#Z8cQ`r#P#c!i@z7^(Yc2!Vr)`;}15-j5)-jE?IGGR(fW>M88|Ogg(V>xd6~UmY z5fI^O~exCqm5Lf!3 zFVSdv<>Ys5;M>EG_R@2tuSy_@ovYu`CF7dK3HC}HAt&Za5pwf$ev$$}b08`n#Zj>jqo!7hR_EyWA-$jmY$klIf>X#&-74;O z#>pNA>QH35wk0%C92Fj=epl)okPPFf0D!xHl|{)&H8Pc*-LJZ2#Ng2ju(-qFcoX5I zzBsXQwZXsH$c{rrol@JMxQzz#8^9Nr(4_ZHP8-BEkOsX_bDliiQuGCEV$KA!7OVVT zjRjPDXthcw#JAx!k;>bvyk}iml0`Oc@}))n_Q(y1Qq#57+6nP8UV$Pyf!L$moW=P8aGfE!ObGOhxDNrZ?e33-4^&{p|PX!{2Bi3@oEfOcELoK8!EEKr48y@k1y&%>yJp 
zDzzX?{c%fUY)fq2a$i&F=xI??qnULWnFcIf$D#JKaiWvxc)+*vjaVZ}=eu9TIwvl` zv{Zdu--rG@n;NL1P6EQPq1E8XyUPKI{sA8@fBt0VNx(BJ_%u~iZ6Qgg@rP7K9ykIP z2A+?->Tn-bRU2`><=@Fkx=$nk(L`G1%F?`QMJm&p!aMxuUo$srdh+sY`l$BJ&d5L7 z%rUqF0fUf?s~C_HS?c!~I9M1JgSb3AH@&MsE>cjoODR}8MchJ%9-nG!rP1V z7>E^>t+4yvX@uEv^X$<9XB> zMdpZ`a`TK5?+muPKAv~vikeP`+c&KM8q|0Y9fJIT4U{ObK)&0C+_-c(q|UTIKUiiA zA03W|9$G5yX+Ug5Oq?1?t^+dnxngT0a`FHtf-#%^=bvj{^`@HpNT)r&)9H&a9vR5%+;pTh~}1# zhvCEH!;TPV(L0fJWl4TOiUe)Pf)?eG0fIW>tKWNk^6r#t9w*x)%TwD?n|?MD=jm`k zoo*v;zu$}PcrSFFB>%=mr0nRNN`@Zhuo{R{4rj^h=V-4g?0mG4lpLQ(6TET#S{Tch zcm0UZtbmmUk{{vOppJICkx!n(!=o?U>)0PjJ;;apAKpL*05>(MkO{vslZe~4W-22n ztWAxP(r@CjbuB!!D83r3}gX~(Wv2C>g%uhioGp?Y| zOm6c;7S7jWoXXsi^9I?~Q&-fO4=-rcj(JnPol^#RY#+S>FH_5D{&Az`@&NADD!n7 z%zAmT&iKl#1|Cv+9>CMmCEmPw$D^@;=q&O;4RLxxk_Chuga|o5aZ!J=3~|1WZM9a7 zhy(;tMa{I#`B18AgfPf-$UV_Bj6D)YEY)3>Vr+vag zqsM%8j)#HS0yAUFnDW#-94H&XAsf?d$6(rzlnX{|KI6(MYt1gafAaieh*{_4IU&#p z1S#@~;MhbnKM${|+~%y?d-7CLdLE<;1`hRWUQL8ywx_?@OYo)C^=8bNCB~e;#MCe4 zUmg!uYS&RY>N|-Uj=TrnN?R5WIX#asG4d>oBibhRgRg6FRPE0z0r)X(NpxZYL_;>S z^Lxtn3+q5Y^#f=dz_>J}Z5@qKh}P9cK$n4x71*<$LHRW+PW_puwUJ&x>5yYsl={l# zk5PrswFCWXCazD1R(&nof03B{KbW~CouAam6tdh9omr<>)~PFh%W)Ey-uLOVdPFvd zm6W7HGm)>9R}E1vF_r2Id%j6Rp0h(Ul%x+-=X}n85jQOV$>*F8^8bR7N}zuHf6Yjl zibTrT{wSXW7#^8Fm|zvvP=Lgm89qRzO&`}&0R2fx0vT7eIdV9_S!F6c!I42FpMXG! 
z9|X*$8Mj&8)yf-y0ZwKIu&?#lg7pL|j78GU+@TysSYx=$6c2s{KxU+KYyaI5Uf9mH0 zXssFNIUBVy@|VLqe-NP2{(b&mLXAM4-L9Ocob>d6h_g3a-sCP6CTU`RuEUPdntxyN z%Dg@F@3|TP9Q?=YUCrmr4srWGL;)OL{EA&EPc(e~KVKUArD(vA2M}|wy`|6oa(W(rD*%^oIhlWJnku6`?`Y4i)%M@+ zg0%m$v{FmFpfjI6%&q~PiRfH>DA{!Mr>nwT=ADuy?)^vZ6cdzkt9>OxdjMYKu$Jfk zcgTYsjQ=O0_d}zB*nje6CTNDv+jE9#~MW)TFt&OqY*#b|O zuu_RNsJf*a23A%qGGk6i&bAIy@BKJNy^zC$=YN}DVcKR4D$}?ldgNk0l*XrWco4>` zH9^{`twEO_6ww6-U%I-maEpi^)239{n)XA-Hw4(vd|Ps>t-O)JG^og1X7LHo7+|tz z-T)Il7@zwo$%44mk5!0(!=ZkQdIclVeRPZVU}vE|&(vtT-E zR>61PlL`4t)nm9r&URH*VCI(#srv8y$hut}<@g6F$-W?p!IVJQ+8 zG6CuLKg((}>|+|~1E`qEbZ-TfNAtVeq%LU;t& zkjuZyFAz9BeiS&Z)LQ=&dl*~b1e0r=r`&~Nr>ksQ8n?b@KItL=YGj<4Ui+$FYM>d% zYz*iw=L4yG(!$k0s!lN0CiZJ764rO`Du@lux;Rbwx}0uI-3}!66?WdFv4d0ssYi8f zdi@97?JCNjO4J85rUM`H++PAc@tN43B(BegXZO~=i92j3i?BoGR%tR`1$3G$V%0xT zfJ~;i*g0@DO8hy6a1&v*;r#_0n%d=Y=_X$y3{cah&4B<>ezDGJs&jmEB6w~b{`0WI zNxeXz`&fxETj|uf>^Keu2diH~4q$#U{V58=09iBnebX-nliBydxl-2LAF@BJT}`DK z#U{!Qgyu~@e`e>6oz&ZIFefk}_CcpD(~0L>n!@r*NQftnva~tV#AEDJ$VNJ10w5io zm&z5Js^$Pq*r*REGx+YgJnO9J);E=GS+#l$JzGy@3#>DX7^vRtGOK(&4X$kW-z9#& z^3fbL4y+mhwr`f^gf8P4Ani2A<-VlplJQupy{%w+e4HM#nT+6cEePk$2%O7bjU55C zu6ht0x=@j3s=uF-*EfEe8(v%K90V+l7FzFWJ7g-wOxHl(!^Pj*>9PwK)RPADQ-E8l zQzUS2hRUSUZCBk?&>QvT(`Ccxk!(Kg=EB*o;&HsZ(F`>RIQ49KrE_eJxm+2W>}WDj5C+X)7#gs>3Aw%EM~QZw5j zw@7Qp-V%;o2bWHOB_ZoSKh*(H=XDRDKK?J(7w={$f4Zv8Bx!}-;5eKXo_H%3+IfJf zHAoF;j<@idF_!ZFV0-y_W!Di*6(OHySOsirVGdn4H%iKg;>P_Mb^+OuI#c=mKAf>} ziLqC;yR*4^@z`nP?sDYFD*dLwgkVxhgG=p{Z-Z0!r>qv;dG}p)xyw1Kxo;H z8mx*|xc(O7?Uen~leSNa2fx?_eCfV^Hq`8tH>hxTPDiLWz8=yS0A4iM&bhiDK_SFj zO8a#w;Q&$})0--90HiQmUkxe}2gQv-w0sWsJ*5E?Ct4|r$2Ej{pe{=Z5!cx3d77l{X1c}M~*W?0g(>tsJ>GdhZTVQd9A>G9Y}uGfJsgl6U!muOJbP-Sj3*KITO5|O*ZKqg zWCXDD+|Sn=Pmp+Uzs#bQxK8)il|8;4IuJzZxj(h-N4>DwBNNybH_KkZGyiJsm(=EF zp&r-u{j!=QO-q&hyVAz|>>XNhVVzaa?XZ`JzGeYm6wY%sIUY=f-Ry@+8yB2*$D;p? 
z9uRj*Pb;D&#cPr^+ee?c_6gvzG$w1m5E@jhthW~2YD*>jUIiWN>n#4RrIVXXwpsg> zW!7q2^s&*cDs*dRTp~4;K3>1pbOVsBUz3B_nrc4hA`9Q@iJOLsQvF!qQf-MuNN7@| zzi!s@*&k&w?i!cY@41PjO$vd36w(a$LYjp9wvpf_za@pzd$_?OKr|Vri{uw>#kS0r zlsXV`JsGX-p9t&qH4gIqOiU)Ey}1skpY>t}Y58lQ@N7Xbv$?Okrmlal=ya1AZZsL1 zy?)#j;L)Et<5t_lhm(nl8PBD@``v*w#ELNnly}ChIZ=1!X%uVvln|G{UVAfN{&gY2 zQU#qC+j!NoZNY!8i+Q6sf4#A?0}61!iqDJcmW##Aden~v1@+r1RyJd=`(~())J=Gz$^_mF?k~2s`@}y44$}Vn zzW|?rrQ2}%5!sHo`?Kn&3TW;`*=vY3)1d*SJnH1_H0j!T>M{HJNqXzlt3lGtHnY4u zAKW|u3Zkv(8oPW#NZy-*o`(_= zIuS%+;8!FJ}73cruOC$ADr zqTtRSNxXpavjxZ6f=?-ld_&I8zl(uveb!k(>uY|eyN z%I!&CdD5}=I0@SX@Th{v;ZIhvD_i4!W*{Y{ixz~Q*v5Wba_%(lJ8+g~Bv9;5qli;o z114}u5ap_6DEW5aG#NNT>yPYk6bTNwY=@DSv2jt<1GA_X%Q3+s@yb=By7J=C zP5=#wq((Lonhr;5mgB&qtWxjh3JY@d zOh48Kg79vLt}m-UutrxWTKw3@Jz(DC+h8>^&cR%Bm+9`htovH$1}FKeb}gE| zI`iQ!dYxiHNI|IAd?UmUQ&Ph5=|>leq&_>lp|3OcN<=sz>UzsmNui}S^OstgYO06D zKTa=cKkXdc3i|n5?Q=z2MS0^B@C#E$2I0c_zwi2!1?@0Skqc$<8{gXa-Q?%G@Z^!@ z&OfnXVgKwN?pLQDAl-Z}#&r0QEYRjY?t}@F{LChfxPj~GWhhhLAA@vD=od}DLlf*_z2a_Q&xTF$30$mxv$pm%DP`m~>7_hooP z^EZjc?J=x7JEFU5%=#H+nB$t5nso&iCr8I4W`tnHb^zJRR9u+OU1|&~`nDk2sAw%a=_a)H-7yaPwpP+UEFQg?zUk(<|JI#_5JMxD-%bd=)Y z2}&Iz0?aY6pT-lJRy8)vETS)q?4{EJCq?dA9~Mb)AT5`wzFtwnL7^Izj#E|m(5}{( zPUKh5)twBYbG_xy%`1n}v0b?%t0yxmOyqj-N1h0w7^kSXTYDZV4YL{JqqiZfB~0shA&;IR5cgh}&qTf9mR&#&nmOq+!_*xYFP&*+pM zbJUn*;q}te4H0hYkig9h69(S>4rfJcb=909eSPE7v9*8(>*^9SWDYwr=J(*@p&D2A z6bQy}i4Pp9JMp=RgE(i;i0BG_d=GeA(r3*yx~tXyfT-r4oJvq%d%)mVCo7bq*lf1s zvG3cplo5UH(iybjRLo?F=xWE=Xy5IvN&qu8&Xv&o9Za-awGTJ z@TzTryBiV8)wzYH(+Z)fjG-;;egYyqg6aJ6omuy_rP$Be&zFh5vBx3X#K6-JjOe{u z^S!^OJ~mrS@f*TuM@pyOI`N-PJx@V-et5l2M3`yXZNhd7Rs?wa=O4rIu<;6qwv^6O z8x-W{Cr9f|?pnpy<#uieF0PuMoe|Y=ad22{Wi2AL;PWN9^0Qj+31_O&eVewoKK6ua zE$cwHrDF zaJSL6Za-DfS{K-o{_NScQynjH>xAaG)4Z12F2BtlnD+t=^@Ccz&;m8X1u6)SX>};6 z4cAFSJt`a|f!Vb+h;@QDiKO=Y!2kTdBGi+IYw|qXcuhn0#Y^~$86~--+^9COK>qvD z{5siCq!{nP9 zruX~<77!Xzr9Kc0U$ookh5GN`nwt;r*!IgtMJ2NfWM$cNr*I==?m%$if{^0xs~6>V zb)vrbTi+iZ%I19O_cS>XR{BuOBRV=b&Esiz(pvIDlza?R^vQ+$d&0K|Mb4>KGyWaR 
z6pWA(!{)5gBc1^L8;@Cha-kl$5{cri%O|JEKf1S`8dH`ORejC)9;OrjGAW19+wiER ztQ{*}RSA<_VsC0F5+ zBQC4m0qXX>#De2-@^xp5p8~=mDWdcbHjRd4=;*>k-#pHrj)H@m#fTY5yJi^E9>^aE zIu1jQbF%!<=Ifh5g|hzO2c+b}!)hJlKNu0*Q#9DQEZg=RYdIIeZ{+zO`8@b>p7X`) zsA`3f=x_O=ormC+;9P7@=P`$#nT>J4+Vt}_w9@$x5Qh4FG^#wbhWA9ww*dpz0-yf0 zKSFaoqPpO4i(Z)_Rxonl_b29mf5I+@bAX54^Y7t(S%_!txjjrZyPIp6KY$A2KTf8R*|5C+!xc;=_x6gDWqF7T;q+4&vB;mIoNMk9@k=SNT3OdZpGk$?Wf?RobGvZAI}{c{!(U6(Sg5xFjxd$4fg-AV~{xJAEXgn;CF=MkQy(K zMgQD+QF<5hclLmN1lEhwyboUeL|?THI^uFS{?C}g4TdoN12+PQSonW*We6witQ~{f z73W>ZpU#^l_*WNgG&W>!GD2MLwPfP{4il_J8}wAEZ_iasw^+CBaZjcGd(VTJ06PPA zY@q$^fwM@Bs7hw%zJ~j61~Q-@Zfjjrw8(yXBmDEffxf(XHZJq>^b- z7lbD>n_1hm^wnCVlwXR|^p|5`u_^U#7ZiU`an)#>s?-nhH4d)!B#NV2LcHR#kUXFx zo=Au4i~dL!r|oy--6@Gse<&N@f~dk7J|{f6Ok765byFDdlB#EzcAyGb6PG1$VDVJr zy{X%(f2F=$0DZB?beaBT_we!??6_R2uJ5&z9r~P@ZInM4PHo>8W?UE!_#=zJ28z6U z8BB|_elWy(dQel-$%N$LO3$csiJl|%ik!l^Vy^v2XUuvYq>u_Es6|a~aTk9k-E*Cn z^cA}SZJPdh=6mE8!2>4H&+#()^c?=NP$(~A*^iJ4JdQErUWoqgfVy zXL^h`%U~4zN}}DTw}?`?%%3Y(KdR>aHM$$v7uTVVRS&usG$G96=+DEf1nZ5Op;^8| zwb-ipG}fFJIzKVNvlO1`A3u|6VBJ}3@O#5&@&lYBuRi{EvYfYt2e&V$_{pac`sX@N z2xi%+ZQ2R+gNNM_+{sMZ2^>pMeqlW&pH=7IrrIF}H)_mS(fNh-M4*+js^y5Mv+u`} zN2c$P1#(?kOv;4vtW|=_;kj6#zH^MZHPs$20v5`7zhD^_5Tcd^Y?63LVz%FJ1rs688dGN;w&JN_si4qT_uwv|s=OOHNdji1b z#LL#-3pW$GQw|%!UR5yl!>e{fmc(}yz!%&qLx)b%#`-zdclouvrsvgRSDo<0>Oj;} zm45sv|EK>Z9|#lXU%@+c`6|5uQOlf+68~gMyj%56Ov4`@X~VJU4wLDiaYp!$^Mu{y zj|Y2uzDqCTz1e!bZdSVU-yC3bSMoo@%l+UG<|Fnna5y!NX=F~#l0P> zn&C$=k}lD|_UQkX=W~hpCtk@TH@)mu{OfZE#j`vl%jvZCHVpPfYLQ?)y1`h@M(&h` z@6WN@L%pQrrw^Y_6?{-rc}C*LWs~PFjgi&?y#IgZk&QD&`{;*3sS6U&x9J~5FUNP@ z>@2S=KA#g|@JtabYh3Mlo}7z}i@p7({J8VhABX$YpD|ox$k%zn#9jb8`3A6gPg z^e?WK8*YyIHU$?(?uRG!Z_36ct8dSZ?R=iio?iVzl`9a?bsf`Voh{q zYHT!7*WL!s<#);!J&xOCS<2`Ytt}3&az68dXf99M0>z`ee)O?>j zYuVky3su6w8ajFXw=rl()cOu53`Me5i(a{#+IpJM9bG1(+U6fwMB~ zba08_2;cvE(ZB}$q@I8i<;TfZMUc0_gb<1&YJ+O>J-9-)+qfWSJb#+ccL;5hkY){` zCni?$Sx~eusry)GLgBn;|B3 zU*PLxX?_WPE`i4;qmel;zN9cS95EwLwic8z`^$Q# 
z?l`L2zxFYjP}1oZEjwqchklkOeEeGJqj_c3F28>CMhVNo(F(RJ$%d~K%d1KFnO&HB zSSvT%$%APsrgm97I%lrZ$qodpp;XJN5Zdy%a60O zic9ER2a;odXrPur3svq1aJ)4xdo-Iuw9jrjI}nI3k;xf%ymLhq7D*yF%wky|c6hT` zo`%i(5~bdK+>bha+kdz7dRlcZpGdVICGlo&MUAasdSc|RqUd*ZRi=AcWA@l+t=nuj z`HQmsq|036roL*|!_5s*BFL4-&qdBnWpD$$wHpY1S4Fa99j)TMr+!al)Cg@Rwx^5P zoA@;v$G)Dx{$w2d^P9#dTT|JF9O_^6hBKe#T=8`>#UhJW^ElfDu3L+r$X zd&hk%$G&wn(C^ui>ng)DR+@f1pLD^O+FAId4(qMI(8Ren3<(Od`3d0*|!I?JI*U#%yGx<4P* zeN_`fKvuBwbvjKQjl&o1sJZLZl-&64{D6{KCz7K5WPlZKLH7Q`7tI5k@PmHV_2Jp+ zxOP&}TvpYafk;MvP21JYH{N##qgMkT>xUF5pdAGk*7&lX(j!yB`K(QsksXVL{6}4D z=5u@BR5`ab3Fi*Gd2w{xT*Ok`K0tl857skNZ}+G77TW1-v1{U}X&1Qf zR+l5~@AwY6lQI}5R`~9Yf81+LUu|tHOx|20z@5bx(P>AY-ntaMkp65u#T#E(a+>m| z#>WP7^05;UgMcOQ=V`11JFc{**ZXmMS1rGYSr-yd6ziBnHC8XXp&_InpVVAn2z}PN zNqtrM)8q8r!qOw!52NP*g{$l`C0*P*>b*?n@sAwPJnE46m%FoT5hIf zhf0U&P1Q~tg(jqQ0?kadaX`Cw@LbTw$bmOv!qp*c_!Y@W;rI0nhl5?uLZb@@!(fXl zIxJwg+)VeYcK7-LmCzeZwxQO9kAbp>kuGRLAD_y6K)to7S_aLW(kJ&Adfb$dk(0a| zfKYw2vKU^hk8vx`VUh%HEcDaywO=n%qTz>k*}+mmK<-)VdPmuWSCNuqBGd_nR?qk{ zHfgr5@g>|~(f5-r5MC*&WH(@Jvh;#v(C6-R4i$<_HCF15&BhGTzWsMz2FK6R3*TM} zD#WOWd)Pd_?YQdN$AWgNW!;))sP%$q@J#j@9M8)32K5R8E_<*6x$*Lif%r8Nsh?qt zww@RAt2O3oW%Xt>iqQ-d_Ib|f8?M~+2sHF1I?gIOB=0YtOaczmTjg?yxYEAbD>Mx} z4Lh^;%;7JD5OI4>#Dp_dFBhP7y$$%6ODR_*nszzVJiq8$Z`fKz8>?P7RA!e%zbhPH zV>gT4F{l~k{n-_W_AA}wn85(OF#!#I!(*E|wPo4fg}z|g2?O4dz|f0s>G{}GnL2&n z6pyLkSHvRS*k$xpRvj1^LX(H&9=3k&Hg21j^#SM=>1}#umV-2tGmevuhHcINhS&TLzWL{ls|XR66`o-JG2X4 zVq;H?j=pDib9cYKzMkR#lGv(EGXzxR#ryu`5Y0E4YzMFUAWFx7wpXt z_lBI1)WIE}2lBgEEzDfUdn{Afxqckb6k8i#gG*lXY-K_sZY@nCb&NM zz*lAbyvzm+6%z5lXTwy#BTfH?k-@J@T5KuDINB3A~`Uz2$or z@3CHI>biZu=7m56yzh3V%2Y#bZEfdhQ!C2LZ%#(!;^;9&+uGXtzImR@q{*f7Ybzynlg|wa2Y9 zye~kR3$o}g)gqla-$xAUrDPNo0caUxW~hXGE<2OV*x2!h%N^&x=|Kc1esemR#QIV# zjB&w&KejZZCJv2c2?3tCA0;fVd55HRr}oA*U1=(=1?v=&zUPZTyiQZv3*}wtyO7FO z^JY6m^^3Ul&COlQ*8b7WujF;Pf7oRF=riP&+~Y7YxF>G4?0M|OFT+phjh%5fMWZY2 zZVOklmt?k|*@rcB?yM(c&}axyU$?>^?l17nr&E~j#rB3iOQHF+I?XM*Q^ 
zSlr^-YWI6T>*CGrtZ1NTD@4~PJ5~JX;R-stK+&)gLU|E78Q0)!{no9bmYJT^yat*d0Z(r)LQ>eXp0Cwpe0PM4+^RwVIFMjq6^dB`5i7~<8iIg5_o zJo2Y(Y^sH-FARSe^l~RR+U%c@jng%AKd;2Ez8UEEQp@;m!j5zP5?_w-4X5=%dELih z>nA+du~f7Ss@kl~IX&#$Fkd8p-WAOk#+C^^%_BrKcgf znHy%fG)4gNC3|npL(L|4!mR-UhNcO*aIc#~@#wB{m%|TdrUnMf0myhHBtT1xF%`G8 zw6r@@#i-jj+tQMGoNmaXuCGr_ywaPM?3H0AT;- zw>~JL=Xi&kClmLMPRp6pMa9X79bMuL%y;U6C|DeKZ|=^aBmAzXzXeQ!lYV0#H^-<1 zX{sq=_7VDD?zdLm$D9pNIyW_=1#~PHygFlY7lEsLbDt7Hy`Up0i72O+TUi2Zz_=O9 z-F9!lIqO{?niz$Hm-+B9!Y2$1$@xz$x;zeh88PuHZWTeyZO^{C8jWH&_hl`(Ikhf@ zs7!_5)(4Zs6pbD)eyiK~M+@Lf4aMXcqkVSIY$rT?*U?zw>;y76YF%{t=kdH}=TV-T zu(Z@+p&}X6-Q{bLKD;oz=%g-Afc(n1LC=U0nFq-lvjrTnA6oZK0jCX=ypRRBrpVw70%yW@cx5b2Fe~w8Q4GyGO&Iw9`wXE)~of-shkufA4QeR$oeL z2b%1{De0Ydb89tsR@4%U+~@S{6J z({+gMd$*TUOK>BEhoJ3zmx?>3!D|})f$PL^wp5w|4?eu2VCJ$C`+b3^QsBqv@N%9% zFX#9jT>)X0-D!2~TCRad!0Me-s*&J$xANJilV?U78xi1Qa&nldG5G?4FMro$7*f0H8iJK(C<#VRU0 zw0r<}jTqTI@y=yrUftmt4ELFH=18s4X#aL#G7=Qw_nu&Qc8HBuQ~Ws6Mtn|uwd^jh zvC(UHx+0Fg>2}vTGb6+6ay5Q-c6PBPu&k|gV*~V5Z$?H&TH0$N2`8sB;4r5YlVYPO z<;*HHDs`OBcBaP1$2UiEXTHf98Lj3iKtI9f&hG&-Kx{&%3BPj`Ij&@uByjO#Aak@P81>9svv~T7Jgcnk= zy-x`;%9z6BQ_i!_9*Aq8NpM)Ly*GpLGjU_QfYR3GgW8hnsN0(`Y5P^#UGJj7(04oi z+AC(4<;P|eaDu2XVj=CC>hW!KMN%BV6ZLTmBt9Shu%mi_z5d<0DQv6 zbjBP~#l_97UQrFolDoU>HhFno94vxqOHNLHyw(SWLhIa4&E)0fWn^SLJw26`uXEAk zxAkC3W^_q}0i!0Qw6N6tobV*E1ToVJ1tiHb9&(E*f_u2kzjeSoX zeWq9_tmm}j!#>lS{KBuL_-*q&Xz{Cvp71j`7x}i!jyn*qUkWrb4f7s>z4nGv*$ZJ> z=o>o|#t0UDcdOqg3*0Fk=ZP8zrt=2#MxTZPy29rgAcKRRIzsB@bhG~9uE+9b^uK46`~m4$ej!BhE&#W43Uzgkkm7Tz*Et5$e(b3E|&?c1Fl4yW;qE<+Y)L*wu2FA)77e)=8mePd8ZD~v!4sypMb zetc(XxjP0`123teqjR?fEpoy{;*k0}yw^m*lO(egz@(VoQ1-ybs~6PubU4XqY_g6B zX>t_?zB@mn3uJodp14lu!{1lWWFNro$(_5MyaHsJZ&y!G&)nSYFaPKM{{F&&DCBEj2s;u*WjEWIk8~YnO96h)rvGY2nD=S zc3m!yR(EzRI1;IqazMxhW-mKC`)Mn!SDK`M&INpce&>)ml?aR?b5Lq5JpnA>y?k-U ze2@bUj4u=P9?Cb^Qu#W+lp^UYE=7|y+1K5@g<}bo+2(O&JG99V^$>y|!j-7_JcMWM z93yF>W;;NJkAve1BD#|I7CN~&FJC%t3=)45{7INI#a;5gUa$ExP?uCvkfYC%$1y`gLNs8{)JRO0M{<>>N(=i7>svb&}uhYU5@ 
z#n4x+#D16)N&Et7P_tTXeod}`^U3OOQz&4iY;6o>Mn*=iWk)I~C_FiB~ez4Tm?G9HPpTWDnyFn|xN90bDi4r^S zP1vSv(#)sPjXcW@(qV=L2XH?D*@=8uQc|*$oh==o)NIm=(y}Xxwu`MYJO_=tFkaPX?=67xVeH0y>2i3E>#!%weYzy28~5hOA^6q&^E=Xe9bMdOce z6_0om-#KJaie}#i?g>Zu>VG96)p9PpLrNso$bD5k+7GN^E-$*PiDzwyk|`9q5vWl& z3nZ{#u(L;Hn$&nI%T~+9qnL$``CTB`P)rcAwNghOemu!Kf|c?5)VE`8k7q&C|pmGQBl0CE9&s9|0!JU zcLjq|VlXSG*ME}x@ud-oj&QWX+WeFLFtSzj9fUTm8*k4MCM6(f3v{CZc@dnCmt1$e zNYAg;F#a>yte!vg_tkSx+DvA&OiR{B)oiwyv(tDo#;?slX`U2>%a~$glzG2rY93@| z%XHjM5I2usZ!8O{pcfK_8P)4YutmQyA(VB*jxk^Ej5YTOM*W;%8=dATUFJNkkZIPD zRaT^n?;)nZs8KMIsB|7hCcr$GV<#HSoyOotIsJ>*&6&mO$-{=<|tf13K2 z?a%ZQhAW<2IBH93_&jaitX#4ulkoePvi%(>VW# z5^nwLNN+n$zO`4XB%nWN%Z3LovI|X@hx?oLvUWX$`54!&eFKf+mdCLoW<@O$jnUm0 zHgyO0S81gu3_S(r&0C{>tDp5}o5QpMK6k%5{Euumj|vSjiTA={>PRbDAMt((H>^xa z3;U=xgQvOfR!0$G4CSNa6l1}tU zS{XUl7Ny?o|d^7^qJ4Qs%L@vC36SB`051;Ordog>2J7f}v9>;EHIaQhP} zxJ!@d@*LjPB+>oRH0W^-`F@#&bU`ypdu(Z71#5ra0-esk^&UH>-DpDa+-`mIuHY0n z!F@s4BX)d95^^6AWIUZt4by)>))|ed9GyS>DUJtr&LrF)VAmW|bcn4H?(H=fn+$UG z6%O&?3qQ1|xVZ{X8zt#sCrqNPf)v>4S2+JkZLTJHBN>)~(gO%Qb{^pS&d;ZONM(?qYB({+?}UOMI_;4pWN>i~Vt3Qe#( zCrsbs<3;*ktmVZ45qK8hDLwcHBx#5XLcgZZXF&~4PA^dJ6CE7CrhjAMkRoW~V~Edr z_WrWhD~s(|-=sY145Me@vag*kWu@QE%uyyK%Ia8=XonWm;)PiLoutn7T5ak$C> zNZXps#%Q4Jz)w}yP-6yzMuhWUb<$iwiyEas%NZG~EPA`TOgXEX?oNw9E1vo`mmXdm zE`xtwpY4_*0{`K)TQLC?J%Zk!|G)^jU?h)S6!Q`W);CWT-@SRnnv_F;fAR1^YR584 z^^~z+1d}fMp0r&zFfS}D-?6PR2?=EtVsdkHRqEp7)!x5Pkf$oQz=VGcLIw~Hs5aZx zq_iyBaN+leiHmm>7c(Wk`}h(c7q^>fd|T0oMIBtAOjBWzWy(WG*9%In(@f6H@Y2z} zdyQ7!S72!)CMpFUedJHIo}$7EnekkB_~=pF zhmx_nAq6WCUZ{G11q)**%bM&2&S`yxU1tD(Y zy9=7fA2CJ2z}RefRkQ2Vv^S_4-wJzax{ev{KIoqDujdFvh_&70@wZwnsj_?7_8)T} zM+@hWR@kPz@VN*WfH~mKd{ekN9-| z&wQOs+%<|)XGW3gEf!m)|2H%&qI||QSbuvq10wLW9wawU+dD_0FS>%o@^mHX&wf4< z$yPHSU%v<{aPHc<|EmGpkUWfBk)oEY(Mw|AVMwknNWHNt`Qaftol4=>27925w>-y~ z_4O6tp-R`)p85IB@Iu@(#>!K;%CFtl)GMT@onit|Lm&xEa<5yxAcLNNG4qqU0#}%B z?P)n2=f~F9ien;*tnRCtEwLaY(P^mV6a!tsq{PAQaXirUO?C!ql5cIvPKCQYfIoA8 
zO6je@!9K~$4#x{@^#78HT*Y5V1fWIP&Hpjv4io)-_h8F=CU?q^Ey8nEKF*Iv!fb(= zCix3BmjY+9$UjkvT`+2kq?A(CQ&}lr&;L=BoG^M78k#+JBuk#M{Y3X_szux|U$?2z z_}OE)>ZUQ}n3pSthXjvX#O3%>ZL9MSo{EkHpDpG@d6X4OcFJxXKxB;mku zo0gHz;AWw9QT$#=Lb{CRc;^t5rSa9-r?V%*;%#=8FJ8UCbv$lU5~r0yq)I{|WTAUq zZT_6YTC1nG(Lt<0v9{JdEb&HOX0@-q){K*JVereMg&_2;_wG{SuURPl*2kbx*Mq^0 zgYS`;GVxd|aq*aFLIGj;>l-V-p0Xm@bKLrLnZ)qaiM4+v_j?supuR5ma#d%n{5!3L>`&fbR{S29~EiOKCKc_0L3kJ1X>%1|8$*1D`W3cA+@a)SNbog8y zHtoG5Bp?914kOBEU?gDiP`*2*ecBL)wzRoS#7|dQ{`x%Ex@quxa$lx4Um}Ou@K?Vl z;bn5>G}cz?=K~*&qFpC{6IT-83&XcC)p<|atZF^IF6Uyro^BgK&r|Z085@jTo;*q{ zE%Dl(NF7t2XFIQTTU<#S{30H$yJq7m?sP8!KV-^&SVpK{6ojutng>Pl;LTYOb1wAk>(57SLnT20s56AqQah-Sxz^Sk?MzZ~K4 znH5dd!{{oML7 zN*KO?W1P1h6>(N!Ey-yhavbvnV``=;jhn^n0dq7yL~E4hi6-x|ohzunNyJM&G&UDq zPyylfia`6of~(Yc9b5qM7eOKdH?bC!Z$72v$ZI1DE_`<;U4e6i&3Nht0XC*PEZ~O6tJCg62c+Q+Gwxv6|gRO=i9UT=JdJ=U8vs} zpTf`O64~u2R$zoJ5RJuR)UW9Nw6X?EHOjl8J}Uz4NPf695+kQHRQ%k+`TU3g{Y@|$ zI4>gg|9*tgd3)UgqW6*4J!;2#@_y0%?TAP`G`a~IEwAmaG||*>J8^zW_!=nZk`Sz? zc|-R8#G9b!E@~9Z0;6>qSgF@#!b5j$y6?ZKZ$EaW_8VtV%t6dtAidF$JdPzPoEb0)>ggr2g4a(aGf zjlOygvq&618Q&!lj_G=gc?xnWf6TIAIPu4K85&Ak1FL3eZoI?B*5vcMG^1V<0do~Y z2>a`yxFou@&Fb z8}{7L3+ct_-~eu&(=K|D$Vjf-e&Qm?agjVe`SjG?qLxUI0ri#sD@faxo)ZxpYlDtB z{EMLdgiqvmr+Ko_vCVQnv~&p}d#*LOMaW^}gXZv?wI@AT!5LHjsYoqoLUd)NZrx#w zXu(vqw*z|BTJv8@qUG?XA>Oya8rhwEkbYTa1MI}D@+8fo+X)Qx$&L@=dA@?Jjg+c2 zFNCz-)WZ`O?&)xb97B5wuuWCfV$g-OX8ET3p8e(rn!U|Yw&Z?P$y<2a=GumP7J`y*!&YC1$ujI9d{eFFYZTd<&9~?t=>JN{8f0l< zsu~-=qDdhLuRw#V5-fH+mDHW{G$=E=Mh~0St2?i}fg;oP92JzrriCXiX|g&Sa9TgS zlxsXv3)IDai+AG25H7BO$xB)^Hw#bvRzFg$-w60$MEjzr{>Vmn($DRt3Z{DL;ZT7R zE$#Zh1ncL$R3*+&;m(XmQgmip$W6&4`^c!VJL_MO>;@5}to1`^(e+Cx;RNF?L46sl zH>bREx~{IaZ@1!#rs&Te2?si065+6(U9H-KLZEe(9;}}8nL?3dl-s`!AMqj(KWJY3 z5X8o2*V>#~#e@`nv>T7g=&ic8sGZ{c=G1%Jve$T{vm|%qZ1tn|jnPbdI`cBy*4pwj zr&1`X`eKV1;cSinn>4+-?0C54AFali zVu*R>{<}w`^c$L`r{M+BiPKGEQ~gc|Y=q;<9RY{w2fb$d}6 zRO#D?L6PTy#zdyPaNMg-34J(7zxuz&!edO^ z8J<_p=7(HPskMeF#+C*#Cz_yiynVgH$B7cpxjnRCalLjAY|H)amasi<-(s)M4Ozz$ 
zm#hy%*T17vhw2a*umgAUCF^}~4>2`%Lcp3+p;iBkXZ1}v!SKV4^Lel9-IW!?f^oNF zJ0GjxcCN>S(rdh2#V@Ho$+I0tt}-v@I?U5<2CV}t-?c~3KHh)xNZ9-MNONuEX-=Of z%oIA&dPWaXIXP&YjP6^!3+h-eaybkwQTiyQZHSLD(K5qm+IGx;^jZjheWD@}l-`um zsurS)EM3MBn&tB(yx%oH`ptCA1^#kUpjl}C1c~~{VP!@#GiPF)X3Y2on+&NA=c>KOoAXv+#ku|-Wg#YxuuFqYQFuf}} zl45F)Ehptt4a~LPU`;1q%HAw(XvX(0R_w3IQSY@C#76KLb-hvI&)1qbrW0NU3X8YN zCU7`2U&rVt2-kV(VM`<#d}x;oBE(Zua#hN-isPwEqIHf_y<40Mv(lG74?{u>b=f;b zHKVcqp@LYF8C@4&Oph5;`MldMet z0YJeAr`6G_VOh>P8&Vjw0>+qXi%bTKJmG@PEh(fMCIg3zN4+A#c9x zezF$(*bMA4(h@Cch~6T-zZ~!$H9N(#u3ubtcE8^Q&G9;)a|W6UfH$2U9kEmaVHG%R zYP4#!7|`dKU-;@Ll$Nsi3lXCSt=Msgca+rw2CGn>%EQAW1p;}A=-*{%XKPDr$%Le& zpfEHz_&QPooR>S23KbR>4kr?@QsL(X(?CL^^K^TH9#4isNnJfrDjV?sM~8>Zs8Gec z6SszU6y{b|4Aj(sJG;BPQ%zI@r5MM?f<#D&h=>4!;+mJ9p8n%U_tex>M+eyQ`dyg@ z6&3YZB~(mFOACB9^7iHiw1uAc$Jkaz1_^&E5$5Pr-1_ZQi9rV@Vq3lI@gJ4^$yb1( z_W5z{LPVYalkYo6i7D1Guml#u#?Yb%7A($Qd*tOn zfqfzhD9UObw@XV)wY0SXaHdlPlnRwKZi;}^8&lH-pN;D@EX~QG_#}9+5-o>9#Gir& zsuT0y-y8$$k9&OfKw?PD-Vww z;DeEokwK(mAq|8v73LF!o+k=myONjJ9l+wo%qo;=EX~ZKx(pfX4?Y(aF%lb|@67>b z`8gKdWVvay1R1!qoxQzggB!c%v{Ih3`FK7x1A~*TtpXJ6;4FAw^5JA-Xr~zPXUliD z*97?ZT==pkCf|#S_5s-mfXV@#+tqkoMJ1&t4KB)Ax)0FP4S+)d#Cy*T6%-hCM^Iy z{URbs#VZ>O*%8cv^X9agb-6vAm~tBj1i91REOmSjxN)f1@_MRw|MDUK-Gza%u`xvU zeBb-teXiEg`~G?X0)d?G&csJYAOCvJ*xK4^!j@Fjc=aPID{D8OHb5VAxV=zkAd%O` z(o)8dN#o5?4`buSk}oR%#&In0Wq}SW-jdsP$uA^C8oc{zF&HFgCnvA{ zhV#b{KS^b~-QS*bT27x_Z5Nf*)#oYy0GO)BQ5PjiCUX^sXNR*^9vSPMQ0iWw|e) zXsIv}NBaR7zX#jr`OjuZ)XupO82V>458vGrBvse{Y816wmJ{d_{37bCG>XQ|fa&D@ z*!${Os~9khQe^07gS{y!Dbv%_fO0RB#ssqfi$UxA$Yy`4z<_KeA_78CP!O>ny#Ftw zo;Xvsq{^yluUj|po}ZsQpG?#hO1D}37a-1~qR{QJA+l9Ai$YGsKT=aub90SFMW47+GczAn zOz0R)7}(X!+Agp&zSh5I&1_ilZZRXO_(uRr| z0Ci~%B!ddrrOIJtRn>OY&%J7%9v)P|A82KO#gBVt?&juJsaZfvPj3|Xf!56rEptc$ zzQ*3oT+phy=ICjh7_@a z_y*-~YV`=}(Jp)XqoCmQ{M=X*;LAkrJIrT?U~!(fz2OxNfxP%Q6+f_EwrlbAJspQ` zhG|mID)<;_fIiaGN4z85y=M4Wyg*1)xoZ0Wpxuh5#$}t29zMLey#;e4013x#sWk|w z58Pc`FtHc-&zcQc3e?Niw#J~$%*=#@gd~xjTE`!3x$r9kCdV0@Zh(FP9UPdLWN7eo 
z>+wKS18plvRNJH8-`iG}6sk#ru334nSa{mH!vb1_xK{n-w{li1PeU5ig`{ulP`#fnmjJ;D#=+{qqXz9 z8RXdqq71+=pFI#&Ac>?RBU`Ci|7Olhr&&K@RuL8!wua}pc?t;7lc#^Sl`T`Al@eEa zH_!hWS*Hl57(^RVKF8j1+RMNmxv6<(I=cMbu!~zQK|w(ilZ{W0o=HhbdFV-@V z-aqwS1aa05dcW*f0^T_N1n{;&Xy|x&=8m!2bT}_wH1o6LhN=~6l`Mu5gSCOwf`r4; zI%{{hBzkOMZM|Px%X3Vl0FjM{KrAmc5D^hIG&TF^*F^JnN@bjCXnW!`2!S85Hh{O^ zp7`{4hcw)^1g_)@p$nNHz-%+}-JXnqt|0QdSPUcJJvu(7rJ(^n&v|$H6mV~5Y)O*Q z6eW1;a)~UfOKl;Pa^FBu1tO1;96%JBPM4cnR8WC~oxP&Cc+ikVMOoQmu2zL2y5yM~ zsO?>wm1Q_lsC{~R>gwv6%xUf9=xCWN1`P7=W?%2S%XRaKLYz=Bf1wi7ksLXJ+wwV$ zWb%^td>>lBeEs@WAyZ79zLzZ?D*KJklqGR%YYRBHp1pciC8d$eVld6|QPzRziw7c` zIkYod6AjUAcfw~ki|I0)F4h+YGzC!F0XIKofbkxDH8?ah6c{2!Don9VW?I_qo4S&`iq|9Lsk@gZWymxsZkF`@9E zcZ%aXkrK~um#5iEk>DS%Tzc_D*$;4^cc}>NMYC#XvXqv&dNj^)(e|nBN^=$GK4syY zL99#ZriE6SyXuf_zkdn|2xxa+@Wdu0^jhzSfUbVw|Bk{QSdMSszAdT80YAESd}-XD zf`Ewl%T`NC2_~Og+I?7QF=cnO(go1t$oDrrv$Gx`ybxhA?@!?d!Y2^aG`XGrXl%R# z#%2J*JF#nL0LGQy^Xg1{|>Ad14EdJxsg!?aCShpLrF%a_ev~Xo*SW2&+p`bS)37& z+&9#j?5ZEM#^>x~-dM9Ytm5)WnIqeB_kkxCAx6mGBs~gIIuN6=8Zlpjo>aVy4lo^b zt9$m{tU0;H^8yDaQ@JIJFFxZ#k)H$Epv#=>Jl!Yke$lz0x|8+$(+YiQ&FxwUZ(P4_ zwMDa#>DKy+!0l%E0yhBxeENAjL$Uz$KBU>1hdpeW{nW9Wjoc{6aXb)|ovD6>^EO*P zu2++(HFuA)#!SR&zd`DWcv;v?pL~u^0&5r9&e#}(F(2>C+?@P&{-*Koa<}0oAOivi zkQqw7xw&0Az69}0refaQ#|jXvDk&*d_1WTMTRQ=tCyR%de7@k_G^6C;;K1j7rv=1f z^*oc?%QjrV;UYa1mX!^I59nBSB=|A@GIhY(!U7cPS$c8@LUJ-9sIR(?3|+fy}t z{Y79JTLW$Iz0YgNdx*SnRKk$N^9PNY^8~%MfMfd&KxzWx;|M zsV9kbnzFJQ5i$}LHKTp`r%zpqwj8UEDLBgcIb|4rQ6@-4S_@M#GKLGKf302}AfpBm z2rcco;wPc>FPvB#QVI$s+l5KzAc=K7UaPd6`Jx^Tf@@$bTBVHV6y@ayhj4y7hVVWS zvoLurBaG;uae7p(K;o>bpzz|=D=zOlj}M>CG&N^3#ltNub#Y&X=)Wop`~)RKmwXJ{|_8KrH~{4mZ&N^41x7 z%<9*2LE_3W#9U}@c#0(I{XNV1+>B0^H)NmP$&wBv=e6@|)FTscdELK2s>uBCVRKUx zoUA4`HhoKWLqkI_AvGzcyl+?6*O?d@uV1?cOatICniv@=<_|;u)6K^MpZYOvRmI3X zhfX@%=Je%lj0lvg1{=G|=rFBOR$nT6c2PQ#el9KPgf9o=?48zeImRhW1hJ(%LNb;s zugmMd!#8ZU72w(!@ZJB~ma}5+pi0E=PUMb(eQJ{suD}o??-mgk+q$sV8ydRuBZ1CS zg>YnKVAuJ9`6uE}>()Q+$Xw{8OBH@9KU|*XUmA%G{)07Y@X%P!DLPjPPviz;r{k?# 
z9#<~6eZ|nob^IbK+R0$^E$l69-xpx)urW6q80}AZWLA1~Jx8Fc&?+zOv3+@^Jw=+g zAa~nfkBs)ah=?fd7n*NztL->~pQq;ysv66=J;P7`Tz77KmU1?)A1P@l5Wrq`%`=YSVIFdFa_u64*b@uACraYg zySBond|HJ-_iT+D_`Etlhp+#VbX!?@nnt=x+p`pMja(l~4OVr8bHerm0Y$(fQ? z=tnorC!N~6Z*Y@@-JO)ByDNk#i>&e}O^l23K1O^_%Am0mX~dfmw{+F@8mE% zU0KX+Lu#R~)Wh<=nsmi{he}s;t9Z}*F(DE9sP6bw%H)>BfSgDze_Xk#ofw9 z=!^RJBXvGivXb4FZM~mZcXAbOkhhndCvhbpB+Qjfrr%&dCr*@cf~e-;5aUP%Q_zry zzJ}s0(MTCu_T1m#uH=<}f@$koJ1cixClHg;!qS}InoMyHmhDTciDf-28Un0G*f()* zN_9!Ty!?UHx5g3JBe!{e?eZ7L<;}XuG|g=PD8Y`D;X!R`lrRMoU7xzy6+f zz9$mWsF*8wIE5>+V>!b)Wz~i8KpjsO%IUD2Vbg<1X;WHxl?#i9JfebdAiqZNv4GF)v%q3mGxh*1zG3?Pj^*_)cq8m zN=b`3hKJMZ{kz{;@Q4*nB>HgPRSvk6* zqM{HD;xXG~BYpqJO9z6)Lm6pDrXI>G2yF5`GmgNY_e3O9pHG(>f5s2Jd(T}<`_%=r zGlm7Jeg}Gd`}?r({3ER+7Hu-Sd3hSq)5fw+HRpYG%cF7Shle${DP$aN3FYOoIuyA- zYxc&BZ|+Dv^>R4V>GUQcA;lA^*lyjses%VMRONEIysxRnVJYKsl(yQDHMM=kyVfn# zC2GN?+qUfIPy8XJsmYqz6~*YzGq;WV;^+pi$%wH0gR!t|`cnFcFtMIX>s}6y439aw zA&*;IG1J>!UFnvLcIuZz7k}W2Xv&1f+B__>FzxV&;`q^{t?HkebP&k1&qgCFujM|| zGqE-ieth+cNM2>gbpJTdz`)u84cU^%hev)2FPJQEVm5e#>oUte>5WHq_f$das`Yxo|0KmcYs z4vTtq_fT?aS62jSWE7q5kO^FXyh2DwexfG_)@ZA$J-nY4^FfR%>q zyo@xS8NSg4zReR4((g@#-yfgIH5Sb1=xh{9F76w^EADK+C;gyRREf$Hz2Rm+KtL%DtpA25Os2+^ zeJ8Vq{Dmsm$)y`-idlM~9tsvD!Sgtt&Zu@M4 zIs$h_M`lVOC)i(lPmAAaR=f3}?`kz6o9Ap|qHs!YcwoNE?%$U7dq}^gK{t!oe}qRK zPCQiZ1_EocIo1o|!G_iU4hsY2q12b&x_sX0^uEVDtbaFS6<~H+Q|;Y9T{d>9x_g}; zCpTlnKYU^Ou|Qo_%bxL%rjcx~x>h-!Z__A?`^v90ui10E#T5UUNs=TuEE-=S9gLRR za&l&964@K+PG+VXZmy&XdJA=S1`Q41*`AILWn4y)DC=n3T-xunO#Di!J_!m76G>;g zm}~ABpR&)9-7ynL%IrOQ@Hi6^h!n1g&{Z}GeT|A6PKU1^+mPKnu^7>(R3$vATYUF7 zisF!fLRL}Hx3MyQKO(!B6@PBN4zGI9kd3H!x7Lp1ITfypTv~dTWVct6^WpQnu$;KJ zP48uIYj2SUnq_UwXvoEU**|dn_LU+lcS1|!!GLMq%Li0~7M_-+yk5eT;ayF&ZZ8yA zsHpVvn*R+S@ieTOlO1&a3-O7%k>!~?U-eo|5e>K#mHJDe{I;jw{Ne)S7W$=DTW&^l z*{SPVNlBikorf@q;b&>WiW!;t2P1J-hiaoO%DKDcQ;$7f|Cv8V^ZJf=iq4$05cFz1 zyCZOh1{vM?(rRXz(u00cd~s=G3|9mqzLU*Vy}>L+#?>IP6Z7u!%TsV~m zc9SZ8x+}_ivS@wzaxqZ`BUkh@g!=7lxpm!9Ytp@Y4^zJX`g71x*X~8vHoA41w}GlNSCiE3me$nfVIaWNciV9S<2G(;65s 
zW_n+n-I9c_iW5dkwrri2Ti@Snl3VuoTBtM&dy^a^`~OpfvZ-IkCTg{Ell6$LFV`Pr zyQOLKw^{X}3rEFmVH$%N^Msfc&s&)sNb(z;x)srlf2jnwRxbBu%g&WIO723?JLpRV zT%}r5Q;G9gONLorDxCY-;R7QZd`Hq$xG^#Dd)GbUQoUZbD{*mhtBs824X7SCI#iRZ zjSdfLE9yLyh~wxV*{Ys;QUQOZ!ZC6W-b#nx(%g*kA**_JLCC;Jw6@b{E$Ya;^b*Bq z8X7QIu`5e|T(XyzJg&Ty*OJgtJ%~M+C9@j|{5j(uixp-}UU5oy=%)XJHahFYK~Yxr zd|joEvICj7!vqV9fCt+5}cwY)sF+$k-Icy*m*b^Xvm zMNaNVPe-12BiqObz)f{33aaS^pZYOAiK-ID%8`=qzZIi~0aH?o%T;PmN|4mJhs{KJ zf76vVFu?#uGB|B z)1W7JEdUF(&-Ah$WtN52cs|@MC^UPyrJyUki2qId#B4TMg6D2BM9^i zCy%hC8sp_$7`>eqJMhqbZGZo2Ouuyp^^NuR-zMY2|7p+yUKz4iO?^AQ;zD!G15Q)@ z1Rox_YXa={NiLR)xu*

    TbrA)p%_<}0bsp!zqx%=*ZbNJXF6Mu-c ze|YHR>>RJ7jrt8lCQer0lgnNsS^n+AgKM96OL4%W3E{#4PbY%upFO`Npz-di5Az3r zlR!WyKyilprHDt8{~!Paw({hsj;SjaD~=RC=nV{t+S(uDuBs+=S z#6#6m_>vH}P#;Z2dS&QuO5*X*#93fMa7*gCDFY4V{gC?&qRQ{Mc~C#$^Cp1ito2fY zgjWLt^=IIy?j2rZ7C^f#h37hDfNf+6L`-b-1;9H?!)_wj3L~WwK2iVNzQT6Z;kW;m zKti_A&&E^6)$gR6N2Er7)so$tw^75`@JmruOh|6Ll~#b0&?t7H#o0ympjywn-JVd)K z8Kvt`Cc-6JkC=V~x54MlxBnbL1Ne=OiQF;$vKkg~*n(r?;+B_}yZD0f5IbRozE=?q zeaocR|AS!=9pYkU+D|#Oy1InqUbv7@BnH)zzxH%I;wBBj0&JN1!2{^I`1U?_r>-aT zUP~ow#}lE(!w;gG!)f?JMG+A2igLbNrG|IKfQxQmpfu5wUJ zEFnWj`#t_>pLf~wT0bS$Osv@^dp_`%<>%k9GnsZ{v<+C8kMef@CR&Mk!(Sw^4YMJS zK9P!s;!agr(Nbpc|4(%dD=2$oPmZB`AS-`u!B0oFIkPmP0_}%>SoQ6ndIU*A z6f6jPRnhE72==bIemT}L?=8I)PRS(7Qell;s`W|$fN_3zv zN9HP4(EXop_Q)I<;)y9lHzFwokWL_8(cpz`D< z0N}iiKy<%-W7Gzo89yUKpt+Mz)0i!OdmGVPW> zydOv%0l@+*8u+g?#dB$Cey2@h-^L?=;&DaZ-KN|gR+E;tXb!l=&CT7Sobfg%XBpJ@ z&`_?_l#!89Q5gmT4H5GTDi%P?1RYi*zJ2=!5cB!zUr`Ye@Kd&s=^5f;`FjYxtUX?4&^|5vnCL06;T`Qr7MJ`Z+L754E%8UXp1yuYK|wcw zb%TR^EC+iL{~JBXU|KYteVIC^bsTVhyHU0vPZ->;q;&yx}z ztt_lx?{=^r|I#ZlAz?hc+$L(YJZx+BnpfSW_rFcvK)PXh@hu@3!_)jvImZnoK@|4m zo?o{rAglpJ#M!~2gD>LM^6bG6F=}mEe5`98SJGHF5)cR_Jj`nX6!KKKfnxYK@4{8{ z#Md=ltnS^a+KglRFK&`jgKdF0rel}*w~7iAV?cCrWZliM7NJY^7zEtV#fBD@8A#MU zgf3yo=QBaiB9bm9F0Q7cvhSrt?YRsc>i*(?3j&Qw@1&lC!<#Re5>I)cVy9qvf*K9| zP+q7jpX^~;`4z;a+=NGo4T1$9uetANUK2@I_#hPRs33~vT_Uv5 z;XcCVY9A<*$WBK~3r&8wpCm9>RLJ8fqHl$il=SacihBXC-rs##?Yu*g+(9ez@{r-^$fg)=>6@A}-jlJNS@A%MEKb&%T>0T7 zji{+>kt1UgKB%i`%7#3>8U9=ZQ`V_uSg(Ou4wioD%7P#HcmH=eR1a+69B%jsgof}! 
zQR1+`Q>#c!q98GmNChffOewazgg%jPB-21~2H}@Ikr_Wod}^^b^5&q4s2E`3!^2-e zd__lR1ZzYL`N-ZL825FYg~i1Zn2Zbzfzp-QMHLm!A|fInbtY``uKY=Q(UA_Dj3&70JocY$to_in&KC6F(k zP=SC>=#K05dH7gW$p<`)L|Cc8lsEd%ZH&!dO-ZhKY)h(wBFj&O0FJ1}Q`%E4=9!@uDkqinZf-G;H_ zDwksVY`D)w`%J5WOAbT+jFX9bYvJ1-z3i7j=?=HEtQZDiN~haML*v4m|8U9XMlwY_R z2q98F7*%L71L;KUq_Cu97etA$K@-LpftV2VVm`gFum^6{KrU`>G7CLFGySYnbJ*|( z4Z?<_g9C6ew%w|Mxu(wI;dFU%4vo2qsj0GwP2l+qkB-vQ)5|5Wy#kpb{5bTKAi|~q za|_4?A`H+};p9}&(eZ@FFl+`Zy{tQm>q+me91eKTwYIdl0Lg@xmy46LqqFlI zdilUkgX~DF)};glXqoNuEFUiUA0kJG?P_;lY`8xz7V4DADc~^aefg=I-P%pf`>(j^ zGqbsG_HTA9f3j?I@IM^zn&0o_FkXvHP30rfQqXohXlw4>xYRQJ?Pa%J9lL$F5ZcYO zF8`rkL;3I7jPC~xWh+~<%ZF5@pK=B);uZ#3V%U&lnqBc!62{2KPii`L;-)(Z`8dVU+W$o}T5; z%E*5m8@RXd^njisikZX);rs&;Le10EO4IKL@r;20^A#XpG-xGzIWBW$MTxd-mbdgz zESI`seaEWyfz*JaglR~;!4-i4$Hu|=(bZ*cWu>a7R_}c&6t=L?9uAzoEfss1fhhTh z%*?fQ{PI1-!d_=tQqf@e1pU|w=z_{=n6t#69_<>yQ4OtfT@lSMdT(lK_(cL6^pc>CjpdWMdto=Vwb65PJDnZv&dUnh{H%PMwFNzkK>E8k$+yqF>h=|Zwnn(az-Kl2 z72-b9PexXjQrN4e++xC!#0Q+2;UKjg z*0g6TE-RlIt0&j#1Nge0V|6{}OOjFbiztnHoARw>*n1czse$Uh)(vL*gxU)izEq{R zgU??}&>Yp1_$Xd$-@T-_4fdW#5vLZ=rCM!3vV+t zdWosaQa??SPnhYW+&Cf(#UHOC_rHGm(@l9X#Ro?xwO<$02A;_AvsldZwP-6^_hjzQ z>iGAlBO5y=aIo^NaXA6u%Tj0w?;1dX`}>vv^DSPITMn-gK66s@#-tLg7lb!n?PI}G zj@;Y+I=7rh;v=5RG{x~ygURi``iVOW+>zkf!EsK{%uGW`3A~Z|w-&pAb|%TcUh98=3@p4|bW5CWh-XlQ8Q;NU<)jW%-(Yy=JFIA7mppT7dcz_0?PHm!ss zcHz^y;d7cqt~>D^oEhoH;wI$Ir<$XR`xse$0mFVb?f@6e-p+K7Er+Y+z|{rVxK%~vI+ zn6jw`KQDkihuwbW%omAyKk^q1s(wb=dCuH0s@nc;9@RGWBa5;)NJQziiNVp*^%+jE zLh4t!$iQfKx*td_rQE7{#Cbz5(l znMoC+hE$pjI{gfdwr3~V%8gzaOcSj#4|Qa9d~@0YP9Kf6$OhY${V7%Iw2LX>M*Hm_ z6rI8t@XGlPMSR>y&`r@II*OBrUo$>kK`zeo+(i<&Z9QGsQ=2!{a&K2Zz5H9??P4#@ z|ELHYd*v{~6IifzY+=6yBzG=%Xi|1FwcokdMBkP})V>|u8 z$Zc+>;p5ZPre5mloxwXr`&sP>j3Y^4h>wjq0}BqA%80P`=0(GCvMx? 
zHA!vMV}9|4NU4Mozdl)m_c7| zgFz$K_4rV-i3QMxEPJ#g0|J`?Xzm*CpnW2eIdFD%W=MYB<$6a_r~>3O=7)!eK(n*5 zvVz10?ORzJ@TXz7r3!n?3CK!IH?wVW<<`K?0WKtr7y$tRZa$}~>Ig8IQ7&3gbG3NL zK;BPDnFa;G-@!g``iY5&X=-i;7DW)gr|3|X^sKs);xo*(k`Q%|%01&3uN_^b99?gS zNG29>dv5Dnv`ZD=sm-Fhd4GstsaV?^H!VRnCWLF`^mQnas7@kr{ol3r_ZQB)avu8J zif_c4aw;`HyE~U3$*(m3tqsG_E-13HbQu+)Z}yReM`yna<_ehufpuj!is(D6vAdX? zcLZB=!eY$;GGJqeBEa7KV}liQ!gAb8rEnp2<)2l}VB62`>FqM@OIiG&cG zzw@aN`1wzPR}VgFz^We^aRmBQiki2aq+}(qg{`bU=jX3|QZ2};y0z&n04`hN;^Jk- zy;wJIT9}!+0!5p)<{=YPa9G$Os214Sfv+m)ysZs1mH2LQ;MT%#Vq;?mPIbagKRfdP zujuc>BBnqeZ)wSa!3M(x*yTWtW@Rk~GeJpvt7p`TP>6rls#xFHfD{4tJU?*ety!;z zEdVnWOq+ngn3R+R1T?@AX$RkHeE~K&gaFCZ7#H4|nHeCA4r;GM0t!L_XvJ)RuO39l znOfH`6Lb+2+%7?VAdhsh$GCBYjSO;J5oE$AakeiE^1SpEDsx$z)u(S7pKHcP` zCV+c_f`W{XDSz!96A}`V;YetNPRPA-`uw}FC?|U@ky=(mR4aUVnmZE{2?>cT>t=U% z6!w#jqP&gOUm)4X*RppS9Gy|ro$y(xOvUjn8tlEw8QQ0{wAj%S!HK{X`G>s|GBVZs zNi}nt*3rEx(EM#&Bzc0<&M?Bp*mp{Tj`#FONxEuNMH{H$VaN&AKAX;)b~Po2~M z4>B0#Z~kVjZ1&~dm|{|(8O6yBi>}5f^8561xEVEa2#Ia&bYDKViw8+^bt< zx0J|X;`TD4V0L$WVgg|64dB$Bp95bEj1a-Vq?1?vrN{0wAOQPf+%7FE8~dy!K^+MK z4^ZqVDdGEz+`z#pFDu*o`&Za)pP}R?StJ)&T>*`X_w_HJ(>5eLGJxa~Dmz%&wRLsC zBO9CHPyj3nNSndo;g4bYaB}u^cNY{EYL^;z0{Qt7_TK(JL9u7s%3g)_GzmF*uYL)< zh4l01!SCOj^d!u!tVmeOuRt??bMvg7(mRm4oMquA z=QgEb&2~esXhiD5K>1mFtl~Fd^6{|>ld4^T?A7Q_+QVxR6d?QY@_v29Q<+?)s0T$6fr-C$#k@~M33c|e#b(`I{i zd9ibe14$U9_&~6Y$-^Zh+uYbVh3X4zekj6;NJ-sS`_q9jb_r6d7TF`Hl7UkF7yeyB zOe~^vF)%RjyP->$J<_pi6pdWd#CQCAfJ&v5EA9wsCAXZdd@ZWhS*#X-aAy4C1uLi8D z!a3s9g5TwcK;NHj)vLD4Q=28GGhe-0aZG;ajIim+J@|asBeGfV*sxDw@b2K_gIQ~Z z)s(o(>({Txs~sQgCOpqRIXw-($FU3}B_@uJG_J$BoJHlOc*l%Pbyc{emU`6(wyyhn1YPLxgZVw%xqG4y(z>`4!-maeW( zQ=-CWzndG%|7#rI+SEvReF zLY3CKRwmRsG*Yuu?+z4aIE6qUL*)k)Wj&Be85oEf_Fll7L#T+4jg9Oy&gy>vRRs3INPAr7R4KrNvjSIV~s` zh%AkIKfil_w`hjOpKVVa!0j95^tRV^k8esRNpH=~*+OtCGwEwU3vm_I98|R@fi@fw@sEgqL_Ne4Or(Y9qH!4A;)0?^!dOB56uvj|b_110*6E{ZPbG#(1FRMY(jv-1}qdgNn}-3zghSfncRzTscvGk zgyjtn1aexS?+T>I-495&<@o^94El@YtzcJF> 
zU)|Wa^Qfk(>OePoe7_9hqO$D#0lvi2;$lmXfCwma4gHF1hXMYY^#naA{0G!eo~MW8 z0xtan1GXUM@^n+w8-8nJhnho#codk|f@yGS7>kn#^jKpeE3%*x>(Dkdqy-FH*virp zDD2R4`CRVwSGpJUWT3MxA7cLrwqc|&)xzFFkLDTS0App9_xSql+W~x=-OZ$n;fj$XD zcO%^s?P25==H_ne!;JdGB%m5Khe3lvG>Qv6d*LOY!bj(-g!66>R>D1EV%#zf=o5jb z*|oPs$!dXO88DjC;^W=fkg@}M>kRgxJYPUOcolg~IuC8F@gJQAftUzn2z_8`EUmap zClN;Wij5d7JvR^YvRSyN@uz!RY1sQk++SR|gRt~SqyE)N*<`4 zv#u*C@TU53v_Yl^?_g$WiHZj9pLRAj+&4x)Llp1?%^8?hLXMg%pB5Gp^0U^J<9(|L zrqyiyIh=D~ezgtH4B{i`H-(e&Hm&SoFs2p}V+X)y1(h1~(YS9t!OVxd>Uemx>pdpG z8??1G`|Hq~|A-T}@4I<#PWjH3Bmw`Te_` zUnuecc4ErjQm-Srm-W!>jkAWD+ABNd_aVX;6%>Givd>Qh`AFhV@%M{$y5@|cA_@|c zYKt+J-9mAwyg+Ye2e597vX0L5O(GVM)-1rJ+9VA-2z>&rl7ns&8(T4!w2hPuc zOIQ8|)guT_c0tr7-m{BJ@U(2|=&ERDVLVd>T^+c&Z&*W(~^kYFn4GqX~054z#Al-4Gj^bx^{e;HKk{!{Xi2KGi;Jv#AP=EJNQpf~d6xQEchY-~e&2c+P&%Ubdv`a| z5fjZ4y58EOoEl(=jrxHjo>#!5>{nUb3heG~!~}c`8Y^+la}G&ZC|(G*U_vd5`HJ|B z&aU^-wS4u2h9K#!noNu%Cu09S=<*9i5$7#L8CfD%3GgxMdd=rKY8^ zRt?5k-l}jx5Hnow-CWSPOfFpb^3x%;&|r=9|F{!_6K5924x^TyX3E+S3e$(y1~(^{ z7eaKr{eVUBo{TN&%mM>ET$MI{EqtH(^|<`NYW{PaqbyY=qCu z?`tk2_I?YMoU!~zN~++@D)-v&`_ZK&&^%Dj?-NN&MfK#QOXvr2q|lyI!)mbay}JlK zzXF#4Z{ilbCLwTU?I#}(y74dVDfc_?{HF0AsRc1Tq#!ONM=b9nqAW2pR*U#Qo(jsC z79pPYW=x^iti!ZJM~_Ez^bO+oGF4ZAZ2spdLzwudLUA8>u%locF_Nsq0hD8yw-y}Seg^nc_fPrhz_ z2?s91?{RNx$=L+I)k_?szhX~3IXS^hhZF`f;7(CPc0dzIki+BSFVxg>Km?naIrI%9 zT_GVQB@`E59hxZc!c+e^USKQ<}Up6*wj?G_X6~x2gAcE8tsD^ zkgozD3gofB`};AF^#@Ug^zD0J{#2}%hFT;iDi z(2W-te@;)8@1*}zKoq8<3Kwj0 z;1R$#_Tt>PZBj8~V7ggC`kL|6_Y%l1f+F?r(95hkbc~D;B0-0J!l&ZbY4`)a?UUwf zh!7VD`+a>jkhPTJh%tExc|&Rq2D5tXiKSuJedaJ>fnOwdCvnGf$&M<*MY_ z_@&godzXzQGSZNsL7CTrb45QKBSS-glh9%j5)f=|ZsLkSG=*v~>frm){LME{sJtf4 zXc(ISSc9G+L~9J;GsQ*79RZtzq7AT%(Gs7>+FHiHDw)wMT~L!$H*T-pH00DuP!1YLz1WpT_Jc5n{?91`>HVQ?u14NWFk zcHqU@l0id0C^-02e*VDlFcfP0zkgF5#t~vX$sLkU6-Z1=>oa6W9pYv~S=Dpv+>&5J zLQHH5Tnoo_7293_3!!8ne4rL64Kt&xpzsBzAK-7Qd@ttRX2S zm9CTzvqkB-KL9_;Ll(y41D-NanzM3o5jKBGNJs$04JCRn#;(t$VkCI(;&KGvsfBC8 z@-S7<9o0YX)P~OeDP%3u)R7?CUD()=&e}r|)56hVb>p;;NH-ou=Fj|(`e(TIe|mrx 
zBo9#llJfq(x3hx2|2FOi>v4dC;a~;`z`@B0*hox@l082yt*q$EuSZbCch|wAL6&A@ zU;x%4@rjANJc{AsP;|iQ_>0a;TOd>Alch1n?UkDnGXlF{tpIvB(DOpWYR{!MFE7u> z#|Oq~3!p7YCaCJqA#(?#mIrEuxR}=6+(Eettr>aCGmZo|!ye9GC?amsK5W`-l*oqV-7o^r;R@xA%}yY1em zQWQpG79o))o%R!=PJ?swjEtS&V+>hZfB%=SUt{EQ?{vF^C-qJLCb?L;itA4>f$<^e zwl8_6^7QE(tPTKu21iFx-qc_b6!6;-+X8|D9v&V~n8D@xkU>WD45hT1mr?UwikYt1 zyxDx5rU&XEzZI?tdB+@rytCh(3Z9?4Lpg0Nn_pW(Fm^4_I7oc$c&ICMgsb>@qi_FBl<8Q4c`{JwmWGV`FQStJ+c1F<=2f(QW7u^7@ z=1t|^CZGKsWLADY<1thSihmemp98@MkfgnX1GtYvS63G(PrjE};y%!ThC^0EVmGJp zl8ylD8Fl0nAZA@V4Exc2w{mq^T6+HT!!)9@0=@*Rw?f5aV(JYlOOF_t-YR}h^c}xdigOh^ zcID^tm#8Ubqv?s0=qyWo3W_3dQ9IR6)&0d&9TirwyT~bKrKI9*0B0Yn4WOwB#Uii< zasT$f-#{^=^I*2hUczo)1J1iKJ~*PJq^0d09N^$$W?&#*{4IeF6)zAj-*X7H=snt9 zC|VLL81w#V^^Q2;+ukmBDrUQFVNC#Ldr)yTZSYICKeK3lncF`uGT09XrCQfmu$y0N zXOKz7Er=mfXe3w(=c(}mUV%)379X#QLny6%WzSV0wYu%g4^Pv9N6$W~qp@P=+BN}h>yo3$RM?jKfugw{d?jOgvC2Gj?bRA}{sbHfQh$?o;E2p=N7 zKg(b4;^O+?uJif&95w7t*?jlh>wOFi)<{K%yriLsfry%h*LvkfopRDW-Osm@_-Pi6 zvW>GRU-S*H7BM13yJkL;BeN!RMqA=D4!aXLv!0?ffWL(49)4a)E;ilZDRM|;Hj0jo zzFYU>Uh|MG&g}`a(QmO~hl146QBlC?y@wqDepQi?it?g;fl@c3*2+?~YhA!43XIge zpcn3oyVGG{X(`}Z`qjJS-4m1?#PeGCmHUI{m6EgsK-|5O*0*BI4@}J5&#IApg=22B zeDBsRsYgOhoc~^77tI_{`9Gv@+xh`9F)@`N;G6BCr1x1Y&CTH?+0M5Ez!Z#Y3|+mv z>W^0St_9(OkI!juM;Le4yyTf;oAxT;kOXjCtRulMN5u|eRUE0k+eQh!jDLUs4t)Rq z0W&i}JQz=bBN$%ID`+P`KL@f09sOErKH#p74cx{=Ldyfp^&rQPvYzgqdwp@T!3s4# zTnYLV3m?^vD9Ftv!pHyfdrlO<^o;)Q?gvQZ9DwI71Mo~f18BfqcnRO>vgr0?Z-rqC z!)KHkTA%P`%rgf}ByE$ey;vQA?K-=Y=82l1*V5Q@cZ`azreA+g{WX9(5!e=Z*|yhv zMXO!BRqpCe`^lF*nf!W~F0k{vW$rbwhX9xh^bdxKASJ0z<3SN_J5OJwD~u~=Y=IjB z>OgR+L@VBbW&EEK2>fp#T@DckX0I0;x~ zs0|NyQ9O+?wXmS%cd~4Jd%b1op;mdnDJQhrj*eXPQ!XH*MtR>%IV6;o*+T{o(HnIc zQAP_Oi3|*;(3|rmp?x&E2_p|%&L!K2nqU43j!I9`%=-mc2i%8{LQ(@=NyahUW9aix?ZInoa$WE=JjWB$|B38$y- zWY{C_4GTY55DmYb|Iv`%9J3cXm+myA^8K3jIN6zY4F01u8NV!y^p-b1a&0@!=fdibwOXt zlDh`nejsu;HHpY=XD6=$Xa)vaIT;ymMbg1iW1dGB?(VV}WuAvpHOJ8C{|_8i>m*xo z#RJe~Aj7Xc@bxx|Kvj2>$4lMuHCw$64IihZuQV`VpcaCxZ13P;Y3>pQ6c!8w!O(Dt 
zXyI}p6pDmrZCmZr!N`~w^_U>lmm%^ zH^lQ#pFX|xI?g^?g%&AruQM|ZSnKdMKHidz0Qu6@wX#=Mz}bb$Pp2C?gbEDWHBJvp zq+<$K|HI5wPJH%_SJ=50o_feWGpmsJc5sVaJC{mjd<#{E>g_{=SdWd^Q#K7cG{;;W z1Gr_e6LHhx!{iT$UuFXmGG9?dmXUr*ptcx2|3YxjOv?!B64V1M8xAxgbg zTMq_|hXzZ^`pv!mIKKG!h+m;d+zcm*A4F8__ms1!kK=cUZV`_c7Z9EsxVXkPjmc-! zUGcg&Hld@-hUx>_0ST2_A3&%E#UD&+p(tSHY=GGSq1~;^{~Y?gXj53ouZEpb_3h(* zYG`4t`l!w<#}dgvt2@Q*&E?)Ty9*pR`*zm%AYoXIQYui zQ_OkfN3sltb&aY!o6hqosqgGUXKhpMAal+Q#BX5ui2T|Ql>ILHEGzs$_lf$wQ-jwN zmRQMjomn0;D;wB-LL8^PQ5qa+p2089Kx%`si-e*CyBS*8uNHKC-so7w?{rLaGz%Kb z_Tv{>+#{2jAwvUr3+3tMNJwKc`u6E8N;etu40(9vYO0>iZX}gfnyc=O=D%W$@n9># z9+2Ajq6~H_U_2@O&iZ@3bIK!ym$STE#}<=0KXjWr_hoE97gehLo#k|lVf{uehfCCv z%P2Cm7*r+l^8U$e`v}u5^mIG`HlV@xTIYJhcz^nKmo?LVIfeUEj`@H1q_t&Yb$V^) zN&44#ld5){mmYD-QY`9hjn;<7YyqiP8f2Ls?(L~gp9<&Ks8j?t#E>kD+^{cE`NpaF zw_is@g0VHTQ}EFlPWDB#L+EIsAUqFTY=!Iz^$zC>{8w?emHBGGjh3aRh9+!>V3iiT zf#3Ep0J%e^lEN~W`27n*Wl$30h1LuYJ`dE{;C0 z%S8ToYfzAM5bmAj;vVY~MJlU2eC~`jc++7_%f|WIZ~!azJ;-Cvw-S2YPnpBzpV{^c%ifU!45!;~F> z^c$DTa~=(>BWJXcsQ&KVBGU2~!M2QIzQbF+z$YOAS($}gU#YmAlK9W9yjEh!k-qah z9LhGtiAkBzh#XT7ymS*&of_R~`H`V{{t_qu;&pLg4!oQBm;rvyWo(F_06ZAmG7{xy zg!t8#9{kl}>rW%aH!z5_?@N33WsV*}Jj7wRqj7+M%TULMidl%{cIVI6yml>KGHy(r zZn>w6scYxnKKO+v;s>`Xva=&9xwO(bCmDOj+M+i^&_m0Pn1zMCTf!#4dwYA|{;XX! 
z_;w|U-6;6F5qu(oSeo%tV^mE@=6%x6fQ4!aP&jQOb}zEt0o?*p z)09$7O1_p93CtS~*}{_yuJZ=12XXbM1)PSL*S9RXU7OW513_sAg%&iN>L>wnu`)9Q zM>c%SYp{L%Z~;&RTdo=ZMlrU|QRnuavC5(*{GZx`HgyN1f#k7iX|peJxnE;(Hwj?-C-d)FL9Yx~Saq@W zK#Fk#3CRSsQ(e>U^Mc3^x%l_{rDxhPi8|aqt)y#xViqb!U3K1TbuZv}H8UJ~`tbD0 z$x~LTxAZtkp9O*PcGz)dyG<3r_Pp}N5T~{I$NcL}X65xa6W0Rci4*5u8{binYup#^Ag zP?Ca#a`xprr|VKxJ-=PYIbq@C*_g=8Kg75Z^k?HVE`oaTl-Wv&Gc6}j^2tSM+xo~Q zV}V=fQ;Riy;s6B#Gv(D;!K`(KuxjldnX7N0X(@33zC^mh3yuF5UGD*pb^o@HYpW!c zN<_CpNJT_h6(KuYWbeH)vMZ^KkiAz(R`v=Nk*s9z>`i2={En;c=l^`4=l}a%ukY)7 zi;L^?d4JyHJdfizkMmBpFG;1YfdTZpcu_d+-nkQ+6li4L)A5&D4x;3K@BaNd!?}>i zpb(}p;VgD`B=BUgm>zVkcw|{wS%{%v`v*40z#s*Y4r;`;XbXVz zgS)P-sew2h6^+cnpYgQt(de({<3mz>w~-Z3--pwKK^*%@EJ zVl!2q^7wIsw=5BgX=U*8LcOMN;==NB^kox8Bp&dVMtj;n-MVKdCc;qD5J?N-zai=> zG(+rAXJjaDZft;_rBs&{_~ajSfOV1VPf5EEJ%lLM_wJqiho2`%GS6`_?aJrf?ETO| zt7frj1oqx{Q`RbJRf>Ik^3|5AMZR9v2i@^)!DH1Sk-T0*z6)wQL4YDlf^Kbic(^O% z>({TK{!8ad>WU&2(|rB>wjkp}jEsGus~VsgQc{RGDNC4wKZ9febyexrgFOp_h1meX z%Bh~yfwge!i*=kzh3cB%1(=jX55A7>Fu)NtSS$k|Gv!wRR2~u0-Pac#6Jw5HmQ8In zw#BIm6c*?S+L_vN_o3*45S5r@wx!J)Db+2UZ0?b+|hH{Mp^p(sKi9%v%hdP^Pi)EwJ~|3Xl3ca>Tw&G?TNHAP3FXV_huIqltVc~%MXcaf)O`E za?NdZPc7(60VxwqX@$IxW%~lW=Z?Mr<{7A?+1>*OV3&lOHFZvInS|;Z#{*O{Nax?{ zi{jgOT3GC$A0R711_C`RoyRNr*L|h-r}&+(K>B~WIJ=O9iXA5bJbTO33D5J0fV#ur zE-2IlZXt2Um=h$A*k2bn_FV#}PLQwl9)`#hi2EzIw$}v-KhOIV* zd>8BQd#_4!BKMVL^c7#w{qlDnTk6!c9vG!=JD60)TgTV_bBzG@xr@l<+$xM<@lB4} zEYB*w!APD7T;FnZ`#Xwpmdg!I5j^2}&Sq}EJ_<}V{zFr`-%C-1UrH%uEX*#1*dj_U z?MydYx$`;67F;A+70l1f1c@bKXfbWCTq#Z)Y77@WF;4ZkcKh%Gg9>})McQ6;`{1q$MiCAdI;^vg|1$?!n-k%Xv$f` z>T`=O0wvBEQ-Z)@e%-#$R!MpK%$(eRX#tceR1IK?iG(iVvPmbI7ugV&dr;64aJAz{ zk4nby7B^W~f_~ULY3rF@$hpV z;n$2rb!L4f`Pc*i6n8q?+`7{9#hIpg%Df<`b$Vb!s?ES)kI7Wo9wAe^WP?vZXpOe&VYEH3UkDBBr2O-rx`W22)G&SU!3jxGXf z3v@ZZmlp67)-eEHVD|U|i6iC*ZV6u_guzD9*Vl*ln2zK4gGl9Wg=@4H1?;y`r(&m{ zG-&$Z!2{1M)cALG#Z^1GlK#C?w$a&Ez9&`4VIa)XfIh*M zPu$ST%-k+fySx}4>nQeuqz5Z8ah-WP<++dA@atOprI95(n8=Qb` zdU(?~UckgLCSXaQB)medjB^OhozpSOrvu)^cOsa82mf&jiXy=D&`P2$rCp7*PPGk{ 
z0`pPT^RWZN&-*(%IvhfG=s?X=_N4hlSX7OBLxG1tOGQ`z`Cq}t^$&Bl2_G~c%7qlK ztU`V|qp<&TQ`4yriJd#nGg^ZNJa+POd@FMV)@6ecOL$F&4qJ&SsBn* zFa}A;Q4y2RJqzs%;fa@*Qxt}7AB-SNXbV&`no2CDbkW#zXYZ%HcT_i?rSRpO>sQoW zdQJV0+~aciu0k1?!u)@ zivX*DsLxnynsPg@%%Hfkr-sI<-tsVx5ulaJN-xXG_-J+E_CGgQS?W$+$|Zop4ok~7 zR!-1D?J}Us&e`UK>U zow`83>N(OMnl;gEJbtfNW9NBz&UmmqJJhM->m{Qj$OuYXD-23aqx|j%1U)xInorinP&9o z1A`2T4TzD}tq#C^*nJ39YJdlmWbebJVw>WzGags2T&YJzch$2a+|lNEDmcPHjsQz8 z3k;NVYhlKvLaC?Udzy@RtiE{pW&$|+neO~)95PBU!ibJm12cq}04jw1Zda~oiVrzj zKeLaDB}RX6Hsd86B-MkP)EI$xVg9nebJH`N--tk+k#mlXYLh88fQxPK4Lb58+C*_~ z%N?Eq9(h?%2ffgY2gcuhuO7J3@lR<;D((%3lpl6M%`h*o$jcvuZr{gFVYvT--|5&qLFrXzE@hr zabPT*s5+zC+$Hct+L)ipj4xGU$Mh0+v|?JbVJmYIO4aY#s_dOivKeZ))@C2dvBjNC z^G*1Rii9oG9>;TZH#!BMwB#nQ$Uvj>%uOpT8i{ zhtWQiMjVn`Nb&H-UbI!wOQEdI5s5_L8WM60zmEeTTNx%2fOU03GcyInWrD)p=1(48 zcvj&upepDi#3AW@^E5lpnIWVjL=-(z$JsijMAJ{*u-iRc5Bya{NvY7Ng+XG5Ql-|O zII|E|o1OC`r4Mp*Ma`G?i`SP8?)-r@kn24iDa}X@$r7omkO!GHPJckca0l;fY?zyxmcQ$bNl3I9r`4s7l3hVEufV7TerKA^2jM5Gg)_UfZdXSMB7qG1h%!s%DO zO`Y)ubqU3pJ2WZKBE(AV!iX@Mdo5o%(0m~46#(J`(}A07GQ+x89RAbSN=bk z8^vRRnH@WM-}eulxlzFXAiRTI8Sjw{Gs{#ww=BFn1sk74$32{1*UTwNHw-@gXDM7LdS^14!l)=o#y zi4y{cJZq?yONqAoT+Zn0ezE&;{zD7;_?xH8Zoe8`Soiq;$)mU%jp5f;l^?AU^wpXy zUHK-*H-)qgT-6Z!8TF|z@a*ULULw|BMz8OTAI^A?z0HOwlut0vQ8-N}kK41IE$I0K zlcxxKtH-mZ>I**achx0*mgct~oAq8UzIz-PFzX>|-6t_0hdQoO6ap|pGEtnlod~U5 znWz%KZyr<5RBR6FlkZG0A155~?t4?xA4I)iqgiQ9AkGxuM!^XoGodF>kQjZ(V;^C1 zp}w$LA(+EN+ARx^?d^2CzO^fypt3v*c(nBNX5sS~39SyEGv=Zpw zh24-b9rK+rO}~N8%h;`b1&{VGa;IV%y;j%#d5=>N)(Gc-FImsX#Ixo7 zTtsAcBl`r+dp!oi-itQ#zNI4aIbb^G!Y;I_x0|!W);CJDpqxj)91}O>`rpe*nh$mU zXH>j?zG61^RL7o*Ge-mT*edTJ7SJXaI&px1IF+OO+~Xt_U*WWtseF}a^(Hh9gKo8w z%+t4rNORD84u;?){yO@tsFie^74o3Bs>9h&^T&QH;NBmlh&2553nBw7VB*DR#g_=2ps2r`;E`{x?uzN7tn-P@| z{o$lX!QW{hlgD&R-6_srnqH>`kJ&SUahTkP+Clh-124bEKjg-?D)H(!iQ}2X>c*$< zaSLa4usiNFAc|VkGiM-tmO%VW1Gd5+OiSsh0R8Z+VU1~xr%AsKSN8qZ$%sQp9!Y}a<$*d~KL&%biuM(rA@ z&;5&q9N2d`&^nyfgQYTg8!H=Xy#V*1B~Ir46X!d7tUa|DD?1^HXd-3Pq3}w`!_6{& 
zF>)f|6SUjS`oX+$fNqA)B%5lVdOv`i*2S<-4cFC!YMuDcxg6T)OUDe*N7z=Fjhjc!O#uODQ7i zsmz&V0Sgm*+z!XTm_+9#TfzGx%YsH1o2>oH^qiAB0w4Wde5~2o-f_+3k`7$vQ!s~x6lUnn*P!wfA&>( zwtwg&jpY0vA8MsirGX<@Z-E(A$I)#>d(2J$xh_La%TXKg1#(t@oG0Iw7LMP4PyJE)#iSN*e zkGg)u40(6iD}h1)BO%0|7xQ>thfYtA>bZPKIx#<)vXnGUJCa!`-5?{1$Os}KJj&qOsbPC;VP=kdiCc52>4BO1_h@S(zh+v1|MI&Pfd zh&T7p^J(@H02OmZH_BV)rO5Mk6H`i`ZGX9$BCA)YXH`mnhV;39Heiknn+&`Klij3! z-wI~>%S!*I*xK1)(<;K$E15l4ZkAecnZF%5VP3yY_?d?GrPm$DkNEz-_cx2a^ZNyx zG#{31&XuAN)j#?`oXAuC*3Wv9M67XpsiLwOx;Ey*)+sv_l(+xM_K8BvH5MNPU7Vb6 zmJ^Z?<$Jb#CZPX}>all>tU#kP#VM#Z-cr@nOA<9oet&5i^><5Vb)^1$+QZ*zzUb-_ z3q3ugVfC@sV(W5ot9wVnuNn~A{+-)1#R%s{nESuWSh(w` zgx#(qLsI$@Q*1k63KdkEfS(hw*k`DfpRsQuSq-~jaF|IOG9eoXaqRgYSf zv-PYM+;w?GfN8;o!CqSUrHQ!tEbi^k;d$7!|#z$Oz2sreQt751gTyzjFuK}^3h zvFTgE%l~!aW(INk%L(})-A{o4hQV3M4bnQ!OmeMNci~*@+`0qRo_>&{`7A2KOzZ@e=4P)^h%Vcqv zIm5?S2FdQ#tKozz(=?RGS?*)|aXB;XjmMpZaN$H5=3v>>poBNJ8|NqPantzKAml?} zq3>KVvV%$EgKPAQk7NQb5}9aERovU=k5+_;a6yxMebml0*@hFrEN+bjt&;#z0qcPp z%Y!T;8H!qM9Ub^CeuL{@Z*Un>ABOYV*_~}|mjQyp3%V$_Z#&+LMt@Ss0U@763!x_4 ztAr1(&a({+ViBf`d!Z8$y^T!Z(-}YBgxie%(MapZH=Z|9Qd0IqG7XW&uyC2W25@S0 zy^M$`(f;TKDTNlb4~jV23^t+CB(xEPJ)s!gi$N#5{ZTyjnMlaV7Ev#ki6)Jw(G<4GR=a~Cgeq0i~p{(dRqct&HS zz_<~BFOWXMb{ASFWRT01^RMj)49k|Jt`V?Z+u835q?c-^yxgWmv&@ zdJrvvX`^F!o-o6}!ZH)Aq>ds^C+liJ`mB!GY5lF($&>P14UHI59VP;3^@NdK&uO76^cv= zMZd62#24q{CFY6=BZ0#232TGMN3P^%4+%h z=elP#SPhgw5`dxHT)EQ$&`n@}wSWSPVL%BrCGdj+qoS&$Bq9@(mS!R#@B!F`Zxdm( zhHFDosXp_(J|*UKRbopy@*#`YOWqlavNxs>!#|bZgSW6&{mo8V&Jako?Uk$^{wOph z-uZAFsrR#I3qO7U7l%;-s)zvXc=&@xwzap1P#@q3u)G{TTW&RsH~OZAoL9wMG_TOk zQ0!@M7ba#)zZe3*DLi~~cJ}ZLc7cvvN3*b%jne;GFfDWN=o)vNoQjm zw85yEqGDhi{v@5d#0b<67bj=VEcCVn02rby=)Zse9KVK$<;^S>O^x5Fix)2Z9zL~Y z=#bIL4mgc!C>J(j&M@%sOqqkZEugI0S}EqYHdOqYwJ5B(Gfrql-Pb1xzGyF- zxrL$O8Z1`~Bc8)e1YPrrqg*mk@&2ak&dr-uYW98f!O%j9qeEi4Z0he{^KJwI^~MHe z>^LfB!BIe$wV#9}sBRS4z7EA0;5X1qVDq3N0xN>C0efc*pRa@={0OB#6S=K;TEHa6mM^2m&ZCL^m4S91{XXjc+ z#cx{_NS$sr?0tAn!Sz!9Vr$8_5u?n2yB*jfSrzy8j2p>w{)y8%l8AgRZQHgDCfr3_ 
z=diYml4ut0h>P#%dF@Rt$;oP`PRB!9SEQEG0<#Yk0RR#|BA}Rgcm2t=pYdSyGBc$v zgdVi}F$t~!jvl!hX>C(j2k;sac&f|-5;)#U8ia|N*)NPDm|+S^g8g1#Ai~bK4hw<@ z`KmaptE%Ye=-xuO${cKr5?fS+Cy4$6wWyJ2cxY1u2!P#9Rlv%qJs|YpEO5b!a{K)w zb}ubXlV2YV0M2tqKPSsEZhH;Y!W&;q6M_H~mWdDm^yFBez2;?SK-vcaxzS6A6OiZ@ zCMRHTkZA-5lsNUm0GU5>nY&Y5PyU7ktXk9C1wJh*@7zh0+)g;|2q8ul2S30t5B~=# zW|YK_1%?wz7`+^4vTHhLe8^CDjz>&zWjP`M>!hwV7CydTKy4;m2<}L5nv3LsY@*|( z5Zz(E)m|IWg$%P`5;z+hNphJ0s-ANAwr$uB^AZ*oCqW&;O)NLJ#leLQl2<`HVdCQH z%+k&^7*YS)=&0b#gSAU%PfuY%0cG<26@3GP8dm_^Y$&k;a3km?ClPS@ zcL(@}*m-zL;cHw_z=`B#cwsmHS2C&-0;faJ{!jFc-ddtchJFRqsn~obT%;gzdk`zn za;)a#$Lu4tPS=btjpM9CFKRpIlcmiM*z8_KqYGnUg(0r7)uR)Eu8gjg!>_3`%i^XhKMr+@wesWt5_wV z3m5fjRaIA~*?e5L#I)#vh|(0vd7BmWGXs^C!{`UCUvbR)BWxRf zwF$}u)ymo1+MdYCz|&l@kJI8JQk;*z(6yG{wDP;r=sOxSJL90o+-RA+_b2|j11YB- z+R~wveQJK*;?~0M3$huCz}#5EkhQZmItMEZG|$Bak0|#jguBUu1)bL@#MKiCSNu0z zGI1#OV|6t`4L=WmJXX?^v27h4&^$kGXmpfLc$);%m=g!rDBa;ns1=a^V3{8y%&Lk?i^ z&ST*QB)PY*UOY^={jck?!hMs8`OHyMJU+1_+kA`&HrDVcfFlt}-39DjmI*a9(&R#X z@S&M`Z2*p7%EopJFr+=I0bwuX;g6#k%0VB^{70NF8}|fmp(iCy9mtyoaEf8q%tyD= zwHSg>7d`8137xhp=k{%Xpb75`$SG!s`RyDaEFz<&L$!Nya`l=eP7ahVHt}!zsBJSN zw=T5yvfF1vrv00sxr-y@ab&)IGMW3gQIug=bT6IQ%qA!bpR6&s0aHiA)+Z3#>!7JO zye1(3YJeFFI=i0^fO!cRxEOwy2(_vHj~_=tPjeakx=4Cn{Vh5ZXG3{ zpr*0m9Hi#1GXI<^&#d8OR+QX_GRZKPkcyw97YV9_p#Z)WCVO$$MR!ZxE+ zENKxAY)}i&Qrq{^k`dz)38z0At&M&@3e6fQAQHKN!ZWp8Y_)~+v|hM!R`>LM462R9 z^a``>;W$lL9sd<-i4$S`$0df@1wNtCJZe+0_aW;8ynYR*cfSj$Lqb65`&-Wh{k3E6 zkA+uk{hG&yPbhUW(FniCd1iqI8tF6Kgqgs02A)p!5pnd;#$9o#GMI^~!R!FrN602DPLdlF=0?e)Gym)`>gRCsdy*V^ZZ-cN0Eo7E@SuU z!|tzP4@1I9aMsYeKuESVpZ<-j|5a}=dTQ-vAP^*gF#m)RhNKoS@{MmQ2d3%R}c< zZOID`6p#>6q`x-r5YDfRBi(B^)cni&_j2f&`pMH{#p}9SbZY%FzixNe<@V}qo!nAo zZ+dGrER4e)tLVUM8Y07)b}rk4_XwRucN_tI#5Zr(Xj#nW*3xAkveD?uwvip5RwwW; zowUlgQSV+e4DK%5q{q(|0X$w&y!pPqlK1lNP<`E8U)S>C#!9@RC@T%lDTcK5!>#=y zq4U@aUU?IeMfV3J9K_o-HKD<6ioU<8?Q)^xF~03{0^3KezDxRU)@Hy^PM&wpn@Ysls`H3aoF*V&7kZkVP@ArPU_I$og1RnQU&9c1HM4nof3LhlNX~|{mgZHg@)KJAL 
zjlQpgJo%EY0nylAbPl;iC%7DIWUzOZ*QdvG8__!lVD{Bl@%!?r>#}>wzl2;IDWRm$ zyT@xKV!|fb^0Z0#1+YZJJm%`^M&tB3p&ga4)AAp(Qbru}sR)R-ogH~{SNjY@osPM) z$rI+UnfZ0anfo=DR4QEgI_NRfw{!lJ6DHhDO2_okeMz@oW)GDdrg*&Mn4Bg~dkj>e z{?EQwekvF}*|ei7Nz@&|?QXYqk7qo{+ zxF*E^(Ct$H&C5Q(eX-lMvFEGQwM-Rd?h-yz79(Sl=eWDh!WYYggEB)U5#kAoq*h~J zshhqPZOp2rwehCHEC4Sgbl(3V9u8^?|3}o&dYLdst`FcY)@oSm*GdmOqJ79mU-X{U zhvp*Bl3-Q~d;OItX@D+&kO*aO^Hq6tU=FA#l4Gw*S>H*66kz{z!9OV6i?Vk z#>;e9J+1S`poC!?{SPevDRmrvMSR%OnlL2qCgR%y1iL(7pi&7;S4R?v3rZEHv&8`L zUa`th``sH}xEk!-M4)e)4Op#QY-DWc#7)LX;y35XS$sx*7$r0ZxV?P6m=(Ef5*2wq zpV7;0mHe(Dk^WV=my%@(8Rl%$B_x*d8Y&DRc%`JJju~I$F`HB0DW14q;dQ)MJ&EX% zC1a$KlK;nmpwj5c`UbL1qHWS|3fFG=XEgCs(Cq>zR;dZP++^uR|l8^h_=Lk4K zQQDJd;;9Ua3^t(`EtJUY_Fnd+U7q!M+nl~8kw*3KvN;h$P=umQ*2Qy!4by3YqV>F9 zWM7jh?Dw0zpRi+v%3`VCGLS4sZ_0D=`P7rI>M^4jT3SUUYhxEgBUh*UO0dwgbqEgio8KrFi{|W ztzv8Q8sc>9{gn1nqM}SJED%VQA%l)zAjA#GfRP!Z^vs7RSMGZZ{uwYa*1nhE>-T$e z9u6Nz4m&!}Z>`l_+qwNco}yW=19)r*PXLGk>=x8P;T5dsG#lx zbc3p?!t`0>)li{3f`Yz#_b!Pq*eZmhqc~EJpI5n8*NtLxLR5l0s;Z_YvK1~$G0uyk z!__F41!R?_oPGMrmCi4n&CLtA8SJka>Sf(UKaer2-o5)1>^QmuoS+=FUWXG%LSiC{ zkqvtZo>%6krW~o~VRSpuoQTWu_4Z~r--5P;Iamyk(ca-|K$Y;T`#q&p0h!Sy4mbt4 zAPPWU3JL2qs|2%t%f1Oxl?N@ZxJoy#ZZ9{}uuWDtf5)xKb27y>8naR)X6w73*5ktBP9i4$)?uzc8g@YKCI{G82?aUot}DjQK3iuj1&sBf%h-)>iF{IN(xv{gtP> z7=MBf2M6Ww@s}`pW(dSt9DWau71O`un#ZS;n+*{(`qi*c5^CKBrpM;Yxh3M#(`PW# z7<^65pxR=Xg}$@QL`S0#!rcD+<==!2; z)X3nNF10L7QS7UYJ@hcjF-VrFlv%Haw>O$zQQM2M_xAgo3r(E94Vtmdq5@aNcdOjX zNq%IcbYO^bA-I)$U(asU-Gv;KW+tj4Dc#Kf+)J(%JT7jl5#6H58NR%4XK}Md@7cqP z*il>?TU_sb=&g-htzPJmsPXNZu$`T<5>buG@Vy*s;b_qm|DW*%`Te0IF1GvEHy_=5 zW5jCxNNcGpcG%5iEF7T_gej1$08aGj!K{bqV&NMLCx5ByuM#9iq7G<4CLz-bZJQ57 zEQA+ePg7IJw-s>H6QetGZ@NeX)`t1Pjuv1AG>$qJ3#(DCjS=@x)WZCC3C>@)q0{cjJ(M`f;JlysNNOZ;!g4i*J z5YCoP&#QW@R+A^b>QLSD`a&L`szIY&uioH)`lrT2Lr>b0nDG%AUH`-gB8Cfue}&RW z9@+?<7B?wbl-=^Vz~@O8T|Rzwl1hpD-5YLtozIk_QP=jaPOa{lyDik6Z@2!bouChT zcj7-NjUtIjuOr`=#mGzI)U{x!bkgiq+!IYj=?H{aY&ZP>8UyER9}d%s&s$vQm3Y 
zkGP=9w&YgD=F9Fk8?m_umZz-QsA3g3*r2w`G`eiE_x0_A{jE>XgSmOS_GqzrPkdzB zr~BNusr2`&rF;|E!RnnZylPdF{C03GY4xXea{^<`Q|Utj{M_+OuP>YIjCjKLt6o6s z104~tEf48MH(K*qHj>whbNZcY&b79w%YS$6!# zoz||z|Fj2--}?z2!ao;?9%;X`o>PDAr^?sq z1ai%tswl#9oBo%-hm zg^C(Vn;_YluVdsw>pXHM2K_!QFSUo}wdYQ<`3eVu7%GKn#q;Fz#eEjW#>`Ai#dmz< zDapxo8_VB{C0&AV2#zA~0uRS`y$SO>Q^unBrQIxVC45hl|BbUkKO%V=R5t5XZr##&qtq7?#RtgEXvfI&b#KYdEP zKjyeF12Xa@c3+pH`w~ogFaNu1YH6tx zGTO2pSlm1oh~IS>mC%Wo0gS2euUv=iO)O>jD<7XI8IC>_2mU z-6F*MKt4zH;#Mc{lSvS548HJM3i)VIcG1Qw0aj0_T8dGnaYD&BI#^X1Bx)G()n+lo zkd9>DhC&DzNTG*-+f`^KtMO~Ow4nC+YVHX-70 zY=F0F|7T3+F_`rS9}@o`DhY{m?$5;2bXrxk$F8aLHBiy|HufgAsw8kt?>44`AeEq7 zZW>29kBa4$N>+%@Nm^=F6WffB?)!MVmH0?>46Sj-`th-bSm9__GNmL`W7>*51gKnK zdIyH%^V`hzr{?C`r#IJJmmFQdPsAQ)AxV3!|KiNq3k4&MqWa4NmuxG&CZ}q$JCJyrtmq3nD+WQJDDI&ePTb6BN@+~?ZnhnEZTn+CI+dH zF+E)@&WKV;X@SoXJG`V=uh4UGts;y;tFlWH!!S`M^c+R3B_y-seENlB-bu2lvZ-_) zKfwjSRsy9&C4vt<2}tN%Rt_op$mp`Y(Dg;TP}>NV>A-tIm2 zfO2zVI&0bS7rY(1t`+3vIsaU!0eA@;5N%b2CKc;rk*K{zKN?bJX5eoyz7qHZ-7uVx zegUPVpm|ZN3;wUa$SN_z%uiBk?tQTdh7nV@wYvC&Qjnym{IXZ4-nq*fk9~=95 zIXe6i`)QYTQ)xcIeOc2NL#OMner|c-wLIQ8#wtzY2m9v0@NlE2P2lvVr=~7wl$$kM0__(^mdni%ix()R<{vJRW z)WJzhN+Og*=vns5;)Ho>rtfDKdeU~?v2RLzJZer?+4QI}(0)aQDSQ?`zt|Y`H<~kZ zOvX+eT2*W^Z;H9UDVAlP%a{DisN06Gw9Gb1)UM9FDeAYJludwW;nkQ0Hy@{!kiNMU zAGchC!W8K(rb0h+`|=a3K2~*dDO(Qt#hp3kHf4tk`WN!7>MW$n!aJ-RUiR>2d2o4V z_Bdxvx)lvG4TqeSHfyk8Vw)^@=Ttqfff?TEBEPl1VLnoHQ zyvt$nU{3p`KyzE2%**UTNS`{iQpbbx*P0Qy!o06_-BK2_)8k@vz63z(TF(}zfJ7UF|YeM*N+|I zd@22AU)lYMlJl#Pn;%+5d{o<$%H*4^`d;>w{r=&4eEE%4U6z}xO#dC5I&%{@*X*xf z&ChKg+v2n?v#NV^%_4Ow{qm%p#=D1-0SA{SR$9hhXL8q-{9@J|{1Gtiqe`=8WMi9U zes0Hc{^QMwJrS|$Mg4juSpi*r$M}vfm<)%s)wn6O^l5&b{r&D^lkn2os8-v;K-v8>`R45GOb1q)0~7JHTS7ceL-dda}L@!XCZr%)9ey zQL#vN`0(MOv9SX9PNA$7&V$cew`5#i*1PZ;Y4p{*di4(ooZ1u7)eyB~FYUdo zhZZT39}_bgc)!e?^5p+g7V~iK$7q>v%0yb^<7*)FC{ z_G7%^gZY^S^DdJ(!E5s&`sHC`3fhwg%fq+gXEx2g^qPk#YR_r3`R9C?gn?mkEJ#HYwT@=DD0l;cB#*Rvw&i_QfZNR5M|AxJF9 
zJ|xSeLui63D?I#bzZd*a)2iX@{FBf#2KIpHH-@)4!GIpgHJ&QrxPrcuC;samGht6kbF0L7JBR8@czZZFAGrvh z-8;&1!f-avJqT93s++n|9 zn7J}g)2e^$4fBmR<{`zZ({lqATbNnZO7yfN5BAV#8eB(JH6npzOiO9EjTTfgIemM# z&CP9VWJGu6wBus!*)GP0cb4J%9}DEGG^o!5r7_r(N-*Rj*faC3s~I=Dj|V-Yo_>;2Y0*R0^!La@U@Z5LoCpJ&g&t3<#VJ@(oP z|5+4u6(yc;YOjuH;+k%-(UrF?<$S%T+oz~F&~Z~$`#gh1x~>EH-{KXvm1HnrM63_K za6nR0Kf}A?nzoyQxo)0}#p`fb_&=(9nP?=5X`Lh9zLj`&*&>8O^2oWtZ{{%@z4r;i znVmb~5d;8A1J4TpmTW2qBjW_Z8a#D?{aRXD3|-;dN`H(YTtaw&wj7-^_0Ax-Jp4hF zG#4Sc4mc1=JE^ z1%oytx~eEGPka3uv>a@2x=b>z5u8nHYuDixgGMAkT1Xy2?_D-EPI90#oNto(K{5n&5D}3Q`IB37kSMVV~CEoIs!f-VPEPD@nG0|VU7JGgS z~$T&I|A`VP;qk3MeZpW0S;@{a8S2J`t$6EmTqf zpe?&{^iVO3F^A^?Jmulf2A@NeRF+!~e!%<(cm^VR)cR^^C6T+HN=f)<24N$Pq0dd> z*4eZil7|EqU*GF9&dp??ja{&hpQT4{Lpf2gDO=`-h8=vcnt2j`!s{pv4X(u;Q9)P= z;n>EWl&xHEo_v)RrM2Lr2|6BpA5LKhNk~Q(9QKf&)Z|*?g;|MF>ZG}&hd)|+fX2lm zD1pQddk1sy6xJT@49K>%ogKym53L-Y(F9-Q+l-jX*f-2fcb7?>3X@KyP0{5L3M(~V zxIrk6A@WfmRCWD}n0&}CN$GjUJ3AL>TzQ4ufNH93bSSkPH^Sl1+O=Z2ed-5Ui>0__U;**sV*ve{j6C+F3^#fL$qMVv+ zo)jyMg^x!;Y)24mX%u-&r8rHcrj-9$>4BwJohtO11k4}#G;I}*BCLl6*hYVn-nDx- z!BjbP_^wqnx4Ndv+nz9+-{a!*g}Hg`XM$87L)n>E>5%i%AkD6bIVL*(#Hj>wfsv5N zfqqlQS3lRo4ob>i4C}s;Q*<1y`|M}CFKbs3Pk;IJ{rh+5=}1oTzkL!&Bz%+bA~clx zb1wS`6Xi2?2z6=^Ol|6j5cOH8~HF5gq{~j zl(ck{-5v;7j0_DeZES$LyPRCqtNt9x+5GWyr07{y9;w(=I@+oh??|TrejY{5-{Z+4 z{9>`ok0JI$9v&^#G5caW6lvH>It)3m$YyhFv0njfhU`RX_(hRY$LC0fTnDrK*3Q$v z9i9kn)g7gD%vl^8F4d^btnG5HOL@-RH+p~qlU7Y06FKPH2L01Ev1 zj3y^0I=fy(Kx}GmPCepi*)>~x*!R5l2eNnrTR9BA$?-|{yA{GD@_iTgPM@{m@%?VS zp3U;91W~1OOb#D98uZ>6CU$WMwkJ==(=1X1+ z6?)55($oQGH`+cqV%}FExvLsxIehk?Bg5zXzF|=W+~1FLlf^){)r29R-@PG zkUFBv^?agX>yD#{k^auDu6SuWJ@GbQ?Iq2@(XVx9-jWx8yHo?#)t&#{xHJCKf2;m* zsH`J45BIcP8lMtZ3r6V8YX{ifKD}j&;Zs}B)<}KDrNp_Em)(EE+9rsOmgSg?yqOWl z(nRG86{h=F#Gdy_d_MS1WVs>4%h5Ytq;3Z>Pw;nprCTrFDBo1eWz3kJe6fFy^hJMw zOk0sWQ%cgJ%ApgCKl{w62_mcwib?h*bx}DXN1^uKcSZ%IFGHV?L=>L7yllD9)fMoX zNl-!TF>Cn8kfnCHB)$#j`N3CVhvI!mCPchzw*9(e{`kJCu!)hRU#6Iw{l`EqLk?!G zLqiVnMzgd!2c5$C?_NEZF#MqBdedxxc+&?)KAcfSD*^nK%V|a3))S^CO*saq9sR}3 
zjS8O5Xv-N(`F%AgHy>+$bmH`ZC3)LNqskAijywBJeVU4R?7XhRl91kx-)iz|_n?@n zRCp#HY$rvo^i0b&2%WFgsM7n#Q361$kTG~2nS}&>mqO4tW%4n7jcWe4^ z3iD|9)X_k}V7`;K!}AwJU-*Z1oVOoguNQ3O z80ly|{OJa#nI&nuTV%dIa4hHkKz}vjqIF#ot@`QKaoL0Uv}gHC8OCG2g;TzF*Tx0> z_9n~~nFpUWrA438xZJjH7hT+An~Sg1YDew;6be^N$&-cY z<;Czh9u#9KOIEW+vOaCRmd_4L6Vp}&4Hi5n9PUc{2&*7!_Hphnq2uwl1RQSP-o13d zz-iFbt+^wVZttE9%P-biLt>wp4;zRjz1tRY=yw4rfgMrWw?p}hQ~$~aqf1z1br%|C z5LrH+X;37l)qWC?iFXt|zwP4LA4yHd!}Cu&q0@lneCPN!^qHp<3A1Tp92W(82>PQy|5VPH%7(H3AE<5tD&H?^XL`#RtXRGq1 zVe_4FzTo-xUovUgLh-ken@n|Zh`wMMQ&bgs;9A#vFzfRN)v4{bLjD2=CY<2Nlo z%HSq?UW69WyEXl!{ZZ}U*~1<3T=d1u+qWovORij;U3w;XKvFVUF)-tiKte6n2X%!cZ2vrU-{ zveTSCM+wg(Q{-jS7bkkjqmxJP*z8E@;`YyE3>I^8%INPC$}s=ZC93b;r9D{Lv@C@` z{er_dKQOTI{d@H!*_F9Rj`uS@ov$cTJDLAMw55&bP01Y&H3?2p_S=*E--fi`TzxF? z)tKW#<8uMxjP9?-Uo8~`%2^e}k{&&Z&JBE|k|fKxA+wQQq?mh7b=t5dfdHI#Fnu*B zs%9d85v_QxSd5f(B_o4@KdDj-JR%3PuS$meO3ucNd}Q z!b+@-+2E{5hN2EffwjU1F;@%2R^xn?wyf7pBpKR{%HHi#iE)ak8v0gp6OZzW=!+n+ z$7S#hi2tyw;-8Ky#B{BAiQDe=or7?d;{szXlgQ(X-2}gurHFe5#-Kz zT~B#Ms2hFbd%NQwr{L&^S?n0?4K70S7@~p&*^%w4Pw0_I=b5;VO1=G`RloyvE5R+M&$dn2F-lR^$)+OZD(7e_pWX~L{z|V z!jziuI5#dXk`{dqpShVwNmzSdn06D2 zxM8H;>p|aTa)2Q*V+a1ib)`RDf;y``qt@uVtak4w41>EX4l%;T{JqS-UtLeR6&t_$ zc6M22gO$rS_s?(RCllw=-#+`#O@Z+4CE7ph9bdUi$q*WDXi~*z-dJJg*`-0)B$h1x zT$1T<(x+Voq=ftE8}5-J{36l6!>_t{I9A+oSo2Que}B$@FCzs{71cfXJ9vHhd;Nqj zqfh_+Br2ODA-Y+Y!+Z)z39=EyDaJ7(vM5)N++t<EZTQ-}u=xTG#$@x%qu=W7O}O znp0y(kM5)8*T{Bm_R?Drb=rKDMdR6gB+~Bp_YWExzwUK)oN_IGS(LtX$*xbEH7M$0 zt|)2t>*TS-tPpj_nC(iBXPxY}hKCPs+N2!w9@U6-U7YIKQqR-w645wc_ExRqa%*VR z#nLLB71HB`vaL)lX4O6JX`M6fon70q3!V=#v$_n?(cT>SK8Vwt%655qAYF}}j&b7g zW9hJZ1_P0lI*0FhIwD&?y4*CJ2JO!XJW;Q%w41inuNKj`kYV!b)Won8{pK!in=9-MujyF<&qz_Wj37rimsA(}wrMA#K_!Gj@IMtK9fsH+Piy z-#<2u?rPseuI^gjySZ{SI0P7?7OkLul~jI<@nf>xiB>j08=q=bp1fBwZ$HPv$Yf`C zFN#x3yY>4aGyA41R@zPPgI-4%U%MC^E|-$;G9_UyrLWlDAg4`zuO#8?S3E^7shB7Y z`8;+b3q9L>zm)MPD)Yr3D+L8vscAhW=LRLrpNl0?9;IP(`B1gyBAVIQn0V%NDWCU+ z5B}5*jor~vckjrJPR(4p!0c!$pZ6BHpjnM{G`WE3bHA+A3>$k}UurIO8vlG9>7nAE 
zygF%YUz*(7^CoxnE-zkCwWlvCEm86N$HTwLd@(G0_ORu2p+%4Vnm?I#UqMDnWAuJf z5|V>d?aR-|LxatF%F^Oqeo{B#I(=_q=~-YNr6khXX=j{>tL7C@77uICutBrit+kKMT8r%Qa;(at0Bg&^6`O{ zlM3M2p?imHA1ph;p;i_l3_lpbvPkZkjRaMgU4bp8Z2nyJe zBsP*kKtOU71SCt&ARswQj#nj0l$=2%=bV#>M9Dc`;w4?+lJn(GUAmw5?fGVA&6>5o zZ|0w=#abK=r%s*PwQJXJhpIi4I#H{7u>|_rL!69ntmj-EnWs6${x*o$Kl;eDx1hk} zX;$$W9e>zMuywBmVXHL1ySen7+KhmBHV4b)VWs8_Q=&W&wO=7LKKHQr+l~fixjlL7 zzPx-HH=%CWT@tZacV^!PnHg!%>>RGN(bs#~>mOUKX2@5KCIJme{lH(`(UT@a^)aO;Y@X)fJOd12TH9YdOUxe?;@-nQ#fzcMmRdbuYPYy9b^`ynTO*gDjhF6w zJzWvQV6Kz_b@6=4&w7IFG_M( zky6%IYvUb&vMra_p+4i59_lb4EW%5qsDG~er&+~$LI=14@$T=g+^DK**4gN%rk#GQ z-Kz3?vIY31S}vm(GXWA0**`nj67ZRvdD#9kPq)HIUqOF2%WaXRPF_Yyx0Y>iXzpr3 z6UA&_P+EcnQul1ANgC&MrbqK}7rcnaHg?P$jQhFBO%NHqqUZI;Ah7Wh-*|3MKLgU# z9J+T({@UXRCi>uzictys^bButvE1a!Ig1VU^W=UwfIHY3Vh9NU^%?`REjT_hYvhMDm#q;%CsYHC<=!3OW&%A@pM>yn8H!0*yng|uA=aL~=nzMW~Tf1Ib( za(!&SHtrPKzQ0Et8t+~A{`|{u`O=q8oJiC*o|6(aV&ktq>7Kx5Dx}Rgp2UZOmm8PPXibA ztK;A(1Ijz^ad6hubO6QCY_~D!k8j7urZfb}-fg|YrJ7BzZ`u{DnwgJz-nw|<7nwJ8 z=g2NWlo^M5FV*FjnBgLr$AY0wYs2LU88_iEep$WmDz%=8q#N)mCVLAobWhKEMzK3! zDyE7|?7d4eWRspZ8 zDi04Xle}J28jaO&CTlaT0tA1OjGtzvgvv>nWZ|#K+m)uivA)__`XJVDE>~-NRtgpo zTQd0!KIQ1_(vEViXWHh9IMg?%?OwKIU^w!wECD5!mtB=EY3-% zGZr@FXqPmOGYzRmn$?!fJQ6?m@PaSQR}Q6v6UZ{WkJRV#mfDHwavNK{>(=b0?=RnPCF$fO^Z0(c z#x(>Jq}J;pE*3c%q0d&DYyRBTP|oH~#K_4*BR%K-74=2RK0Z#w`jhvy0C6~99+-f2 z)NLT$#Kv}@U%(Nrz{Mu#4+cUEC4Kn-AHc4OI+VJBw#QY!Hnra;5X7PgOP#A=7|~IF z>i>pGuvP1URMw15ZC#ahoxZvKqGTjX&cxZ}tJYX`aZt#&dO6|r+X5GNp{uVeXwo;%GHfZRzX(}VyE1JX_IxjaZUaCjbp-{$LpTVC7}g_U zPQ9WL&_sMH`_UoE@F`D#!CYd>8>k-gO^;r@^iB=QWMeg`M`|051SYy}A)B~K! 
zxj{{l;bDrx$w``O77L@}^UbE3-t14GkP()sF;CgtKtUc7-qN{N_4G$ue|C_NJ@Mh= z$|}$P+1P2r135fNz>Lgxa~Jb#|BE=YT6ihlk7+Up0OW>%yOYz;h<=r>A=3i#)EJ9v z_!rV%s{sVC7i&mv1&}sC%Q1%WUtanFy~2$SAqr$zea1Q;85KoLQe4f3Sje?aUCWXc z@e+Ik#_?88{8P;rSu95$c3$Lp1=wV^r)ZJlRajc$1NPY$C&=`Cefjdv9as9@1%Um& zpuP{c`<031?K=CQMw%LBqMdozr!I?Ahqj-I=ZMd&;*_M2{ixrxsG4a$Zi?%goE%w> z62}VHp%6BHC+oSr-2Xs!h%MnE|AAcP>H{JZyjh^cem4UexbZ8C{4|Xw?}gd0#|(p- z8nn5zs9ogQ8i$^+<6_BCHR*sM)I-n+qGBY|3wT!Z201iopiqj~+x8qvZRoWuK*I@S zK@bqT7jL&#Y@6KpH=PqGyL{>ftE#HJPIe)k2s!3wO#H5#R|AnE!HWswGXfZj5fPbw zm<&5|vo#PyZAp)=&yUMmjxyHQGpg>HWPM{PEEKtZ-#gPhuevdaJZhuLD9hh`){G%4 zDib|vH&=PK^ikr8bR%CBlSy~L-5~GAos>8--Zdhk)PZ0609o5lmNFGF)=g%G13r+E zQ!i4B>X7cy?UL-SPSycR_8U*vv@f(<6Cs# z>s6?%oT1N^VGtKrh^!m{G^pzgNG^q7p)yKu-RUTH8eonb3PDeB#WHEB3%D7iDedps z_X)x)S!kpyD}R1sv2F-OMoKOCde^CcZOgznKIpT5tQtK>zrZ%W`|xEcJ5aBNgNNT( z3xPF85uBup(GeJbF@qD$cHMTA+GNJ(jwYB#-RA&FwV0}t1SmHXcKJfmd%!iCcmZ6sY z_R-FTK^mwn3D8`oAZKkGBHHg94i6fN?k~-SitO&c0nmgJd>0Hp)mnFc1Qv6hDZ1t_ zU~AE8)eu@F*O#Pd+CynkQfMTCJhH2*eM0rPir>h*zsKQ3=~q~vDtDTYSNyj`cz6DO zFtIQ4XSDia>%|D>A;C@EKq8aOsN14_EZNVn2dKro^b3H`Al~4x20Dwk-wh#W*=HC^ z@R#(FPp&4C5o^u6gz)MTJA`QDf|sGPW$)pMbwZgTK-wGg4q37Vl@XbC46Zxp)mhSD zmd?dBBS43N_OP?_>Q)X>q^W*cRd-jnT(+EiQ{;0G3uWU}a@?G%w4UJ!pQSvh81r=*YDu6A1329j z1_N5}Z>_$&8rwT>42+CyebO@Ol;%FBYDnhfz~bVd>34)qD2BqI@f9^Sg}FM2?a3Hl z>uoC>IaxK?xVA_ogfC4(c%cp>%bcy?)RL}=bK^A4mP>R{X_35zV_Hrv>}hEfhW_WK z_2|4*F8Kw6eEG3rf@BFkWt5gXV>8IYTwGK()zon1>2Wfo*wl(j99Va{ z@BrG`$D145spVaH2@?}1aBztID`GE+dY%H=fXYlb{oU|%SYT*V9o`5FA%)WNc~!St zTeN;m)kVA#h5CZ#6QEEpae|ESIwiH35ARNx*V9(rF*e6^7MI>6N7yC|9xt1--T0?$<{Q0JnLT!|JTPfNs!E3?Ni{DZw}hV@ur^JT zp$&Wv6u_u=Ov4;kSW&>_Yp4?14raou0CC3`f?gB35B;t&BeuM&X~2`f5-FHH^x*~u zq13g=tC>r$_X29!VVH?>hqRC|N;xj1h!CTc`yVr;96!($j_tkw!n`C7*FmO8L%30; zP498ApAiA|+-Hlc;5UrRyo9I3(*kH4qI2Z&lVK`;L4kmvhgB{Fx6OTM|GoZ?|99<_ zXiF(5z|a{8J*u6O-s+ftG5EKY6WBw_@@*(EN{w&F?dPlj+HVK!ZX&PH{up!_X1X=X z+R*&%u3Uo4gMXvlmEe~xa5#RSqy|rY^~xS{I8mLP6Zm~;yW0ibdyKTd{tqsbXIQ3L 
z_~AToih3SK>wx?k7jOm}XhMl&>Yis=cEQt@r$v3=^X$+!fdsv^%%U%yL;h~=KOQ&E zSpjrK=YW51_k1>trZ6wRP3OHib!(bNSNq$vi@rj?;NOPT+h&1B?^~q{Mt#Wt9P>O6 z$gGV=#jmfYV+t3$ZPag@>lhl}{FC*4JE2IXl$ zcyf>`I4&aQs!&>{E-laj%h~LG|J^KLQU41==G9BJIkQOBf>@s^G`~9RW?nvM(HvEa zGKf+)1qA#H;{$FrNmv=u>0*lpLj*Tw%c+(zzQvEAL>ZSCymOlN@}5hBTDsDh;8{IxGzCkEyFrLwI#aWyRcw}D znoCyuaN|XgM7v)zh-?U1j9K1%OH4u8Y~nV1u;U%mOV0BXwQi{_;8jx7(rGLs66^DP z7vL+ul+e}l5eaF@K%iXOA_6)I=N^w@hqBBsq|%3z@$d~d>HDpW7TO*Z+?9l#o+dvs z`Z&fAWX)|A)7xx$^-`1yxtaf^Hk>PBBXxi&$?3?Vrg0V3M@E`bN0%KDfnBiLWPUN$%cS>YT|2No-HUzyALv=1GV0=FTIez0ypmFsmi@EULpsIut zDBVUIkF97qtH?>Dy?2ALg0Wm^MPu$w3gXY3vl=>6825VHmdbXdumir@xA}>N0t~lvrnAu8n znr*r>py!RXrNCiD&hNU{CRdjzZ)R;0+F7|-WLxmWT;LZlDMXM9o4-h&T_1cm#vuKo zjwHeqrr*yJ)LKc+;49;r+HPD8h8##OY~Vur0GFJ`M}73A6nq>x|9;E@-j()Q+PisP z%KvT;9w6BRD$@OfwshC`)x_fD!ckX|XBv=li&Z$pT??zi=A`sE%bY4h)T!&(fP?h)^XZ$*0>`YtzTHSuSX`|7f?Ibin<7uy zelx!D{?}7(JL;Dr;=%LRm5ISi(AF=YPv1|_^La_&{ZaL1=P%dPUM5`1H5z|Lwi2QA zw6jelua2}~p;{ktdZPl`_#%ai)9ke8Pw4nLZ;0^9vk5Vs#^W*X!0$#69O_%kUb)f{ z4?@Tv(fac_a*DQ&0{1k>w)M z&CqrTO%;4B?vF?1+z}g0<(h}`yb0qNk(K&$u;#7xZjZfngfAGM#%AA#v}jv5~KO!PG{6 zGo=0}*G9<0K#i=C7rw{CwL{EtA^A~$unbkMLE1gh$y04nsut+N)^WoM7;-2GO3NVS zwaVxAiT7z7Hm>lld?z<|k1(!=KBl3({^^TpL?BZXoCi@>Tnc3$Niof6{OV)ib8ARc^xo3&DAiVoycVM6k2XD?* zPBrEw7RT^ZmaX5%R!U_WOhNu_e|%nraJ?(!jlN70n5~KRC@t%vi*?HpeYb7y@9J2} zZ`Afy$cJ6MUOG15|LFd;`$Hf7Va~y5&bZ_>@pS$H4O{D&an*5gQSfu2%`N_#-wbx2 zEUsm`ojSP1Q%Qx9I4cWpFQio}5+)811*~k`6*vkV)PxOAh$n~3F@{xeSp$g zy?b+=9wxXhAG{dzh{O9!Dg|8peE+3*@SOsNlCj3#XgpK7=oiKoOOk1~m_iuDF##T> zqwQf}9JV$$z8w5XMAx&`bMfQj$snRo(~e1k8XZCk5x(z`4;hiZKrFp~ zl3e_)a&Mw8-ZYJQ^ILZXM`n#n_+e#=hGWWUo$VXdxpJ>X_V_>a+vrS@@dWVXbY7)U zHetgSM*tL?M_rlPa4*~&Bp*;!a~-^%OBxwmkKciU!|c?8p$i3bG)vgP!4WbV#B}Zj zg2}!@R9jDHt!pEGt2M9C0w*mHZst!sv(kCiGN;LuBwVAOAo%oaLSeWf>$)Q5fs0gL zyz_R%uh4fV_eP8xgROr`>f4vuG)zDL%fFhHx+J@JJKZDZlb?67E|9p`)Tb2v(X`87 zt5}|up0A`(Y)KCZJDA)21Z2a47)G)R;^mpAkAbws1Myi5??tt$E2@hxYjwK>H+KZ! 
zHebu6yAD#*ydo0&&CI3sWwcL52?fCtV`Ik?hJ{1&hzNg)cWLwUJVn!}0zC*t@G*5+ zxMXFr=ArlSY6uT`5QVq03QI5NT@~Aw;nmDzpiG+3PSerNZ1=tI#dS(cHI}b_&jj9n zteWv`rdWdsg4#*be-(;5K}tcYusdb6nQV}^d0O|PSJ2Z{tXQYr0x;GG7GUI$E6jrg z%1oBkI0|#60Q;fl%47GKk!Vemy@ggQNjTO9*DcKkxz8s_*c*MNZ$ky*k_e`>t#sK| zNbe8F)mvM!@jL)iA>Dmhg8HX9Lde?w?5O{ez4fr6sb~zWfNeTY7RPPy#iuQ~-4+B6 zPIbF<=g_ObQCVF=EHZHbZ=Y&ECBW$(rl;G2iG;}!B*9LG-&^Iz-tEnY4X4NNOPxZz#O2Pfk}KTw=P9fpghNW$yeshvkvPhuP-}&RA|??vd!vu}Jxr;5E0}oO z?Ag295ol;3zSM<;_#zB$9wMh|qKivSpR&BHxA#a8H^ zFw-9~>S~jO2^v7UonLGU&KKp@W|r5h#3`~{ z&-zqisB8v@7REmahnu(Dk8lxVsn9HM;sFlD^h{MW?cH-ceBk60v7@OR=h5y872uK3dgYlh*XPy38uYvXRC$<#meE^L=02aXTJw~)W zt9HSvZ?)<9JXG4-z~G)Mm2XRd&gObs@dFi8;?`{rk-H?#=mYma`M*Mv;El)7|G3Hj z4l?+PcN@g;cdc#o4(PdmJdx)DkN@#RqKVHg$yV-y{;W;PMc2Qp{tebaxY4=ZC>iE2 z&c8n!2xvp<|1yaea*qEEg8>(}ilh69F8@TN%mMsUPU}_D{_a0`;WkiZ4#cvw(FzW} zy^U@dE&~p&zpMRCsQ2}hVjkdcztth?<3T8%dWVI^M54@NjJ7v&dk^Z90~+tm6zvem=K`)9Zo6&0 zJp5n!lD#1K2PhvDqd?ev(E&ul6%Izb!0Q@?UeRwcO4BOQ~ zN(yO=@3iw%q?m+$iC>J9*3Zpeu62+AkIhSZs_c7<%oDHXw=+`ffrErT|kIXh4`|IW?@6Zdf~>(w8rTps3C0r)h= zU2e)GaZcOrj=mA0P2EeGG^(z)to_18lNLXoN(DsTbe4DHHW7&vtfdZ$dL4SpWa6*9 z?xRFv*vIJzoAnLoXV}0lM#p{bn|9vS5fsF;ZySlRb8vVc)h(I3yGZ9Boc?^*=5%By ztYct60qXl(7X8BT9zma6XaxDRu7M8i{pBse=bk@a5cB#Fm+kguS&CyZ5Kl#A(PLA~ z=T7!ZTn(90*;?5+On8NbCE?=>Rl^el@IA~cj|Si2P}?Osoz+`b`QvwFbu~76+2}UO z`xY`_qM5uD8y!-F{B>}Ahb*3zGf4*)B#no_qa+$BRoK4KpId3=NRdD6*y$hl^Kuh8 zUqhUvL;3TRQV06ftgERzp1#l#Y11$5~Mk z%OI+nqa?G`?)q4J!Ods;=N_x$WLBsBd|IZr|Xa5z3ys&{PXc*AdWF)2PEt$uzxVW66aj4~Mp^Ss`@H98egHux#}B z=sdyM1Ow}Uf_QM%jI>*^t`SEH1$mmZQY(kqinE}Xe$hy|(ZvScUH;umW|ltG`f431 z9GgIGPsxItlt32NF?3yq`if8e zYNvQEq4kW{<5ji|A|jk9l+O9xu`Ql3wf+4E_pdg?6XdYpha3*x#S3+qz{@Y?%ZN`U z;c{%mf6D4nhYwOYMI`g-V>#}vRZze+s(00LRM_1QCTexfpeGK;=LOnPC#RDY?VClAX&SFlgtD02TEelD|oBf#d);qf4_o)44OAZck9301j z9)!NJu8yXyvE{eu*}uwgf2nx=@E1vy*_QM}7w&GA7!!I$rAwojPGd)xGxwbf(O)<| zip>Y{?9dxIRSBO_5Ik{Gw5WxrqLX;maY?8U{xD*&^e6-ASJV`Q{}eS}kUGZTkAEh5 z@Tt!5E6_xTqrjjaul?+hIgkjHc75cbYT}2#@?%00#ySulPJEHlrfB;wbl^3N_Dt8l 
zyd^Bb#s(JkCvj=Ci{D?$n%8c-Ux9`A7al87s1R%thzbM>*6G@mK(u~w?~m|w?^Qf_ z8!J-}6Kns`{^@{FEC?we;+9HREzW5uu;o-#%&76nAF;~ny3u;IzDvc38rCv2KiFx7 z<0|zT^VGqWv5a1j_~V=84L<7;R*iK#&1!2|1H#FDvnRMh^*9}BtE<@PQCefc_RP2% zI+pjXxSkPVbL?+9QLc%txLyP;l}EkblgEnk z5|Fzwn%F?p+%J|CNh_t%EaDc&l8|$1GJnVlkY@k~zLr|yz(m9g6* zCYi5&CWl2W)0Wux-C%>3$#>ou*=}5MoDIjd+}W8uVf1%6J0=qMmket}O${;ZUW>=m9%w7{p#1<&#c<( znMjk|`5hSXU*>U{AKJ3a%*4V+LCRyG4Aa5Pen1bd0o1rBwr ztU9sq7z2nSXqyciZxP4;95ti-Qs!v zxYfn8#$fOL;YUv}&nDI4G6qBh+&5oaPZ65Z9sV^;*;WerF9zuz{cW=aM0_HYF2_iQ z96;FY((EGvP8|cWw_|;s3J*^Jm50-*itpf=0=b7xt>S7MlRyB%CMDb5W!QZo<+Xcuh9?YR?x0BrwIu=v9OF<5Mr2@_`fQKYeSXtW5*1FDMLVS!M*F-f^ zk2#--8<5otIt-EFy-ldB;I;L>%nD>I!JUZRIHYoK`WsH;ZGg=Lie1CmXGhyg+ zzMf}~+*%u{E;S4(4^|#5-4hQEXKC#bPMesu>KBY@0cb~*j!{~FmIZyl`!S8$Ez3u7 zJXSfQBUn!#5UOTB8WxesEKeMe&FK@cQo-VInWV^z$eGg6^ljRtNXv?uc^9oJ>N26O zBM8*jyhzB~*NH-P34U2e<@pr}bj|6`6a)fK&zv<}OfNuCA+h-N)-GKdg+j^XT88k< z=sbCw<;0EufOv3jpeOaK&0t3OS7m;gy3-=1NfuEq01o1fqD=1Hdl)sP&gb!>Cbw`U z=wxwkzI+t8$dw>qNwU3)#&nm8NQw4fWJ2upf@Lf)u-pCeTq(sz6Cj6~q=LLib3Q)) zsR<3;ezO1-OX0LZM)hsoJ>*0oJG7{*PZdFAcEj>^c3dKbQGLVvBr?%!^GV_bS896EMp+(cKFHf=a-CN(s5`psJM&h98(vpuIRp3|h^dv^Vi!N8en z$#h|5ec1!G%Kk@?a@@Qs@cMwL^}CQrfY*-gqfb(-^oIJ)fS2qSu&MM~^cHcPeWiA= z9fi~4>1$@h+-@DvqY+3E!Ubz2t|FWMb!Dl9#IfvMcAyoBL2}+O zR_lWt0z`fw9RV^btEwog3Z7H9MYG^qqGG-F`GOs3K@=*Psiu=4viSuF^d^`rdx&`E z@hQ&E$sWKxD|wyhN$|lM&+qQA*Z%|W6oEt`{TCwa8qPUS4vFL8N;*RM`ek6EX{7X{BJRCNt?z0QLC^f3*f5h4QB z{T6me>m8?rvvT2z>splFg`!t!MiAPuhM|x4i2k<;WuYAF7qRr@Ph4_j_h+R(-FpI8 z^UW(2=c#M$$`si{q+trMaP^x(D1Ft|Ywh@68{8w3okAC@x!nBH9eI~lsRGL7M_^k- zFWHe*2p%!jLsy)h5~k6@@xaMR3}UJarmD_VL*12Z7l%5hsJihdq|7N+zw3LKT&+(M z6%ZCKQ??K4NPA@U8nflI9t<}m_2-6F?l6{><7BZGvT*74gO(*vOi2S~B{t~&84KB~ zR4o^F^$x8akaKeCpA^=TzTlDMFAn+l<_j`J3;?{H$>Xo+}?+ z+Q<;ZC$JLK7cUR%#c#1IG=h{`D&`jMj@>DrFM_IGu`ggbSRW>$PZ2$PZlv{faRSi#TQ}DX6Ge-oZ+z_m7qYjES1MrpXJ#2q|!1sz< z01SysdUe=U*n5*jG~l664fcVfWN%hNk0)?Ry>hb2ce&mNdo6vdR`1T3pI4;{ zPfl_EQuO5a9IqV*0j#7~^Qm7fDR@eGUx+jzPhx-2+;O%G?=th7IafPI4uyHX!5U#} 
zUcMt9M!&k(>~}9_#DWuS21l`2=ewURC6ER*Hs3=|GfHV~w%6mB6+K>G zP5OQAEzNG&ZLFA`9Wkz!n4e)$=RP1`FfxhDCJ=A-TKYxjglavDf?ZKwxPBN!rp4wQ zR-vZr7^!(pFLqIi?wduih9#a3KTFE!eBHBw2I1)bGBr!eO>?@xIsi@?+AK%SgiB!F z<3&f99Z-KaH;$4w(O1uqyHM{PZN^kb&KQKQCwhL9nC)s{;e`!-Mj#zWW88uUY}~MA1Kw{mAa!!q_kYx9 zOKUU>z-C(R2A!=@{V7gMOnD)MY?6LzCwe};jcn85pPm4FO2YdFacZElH`mVU(D*A+ zCD4mCX-&oB&>Kk8VhQgH*J*dlu34HKhT8cyM#q~%Jy#ZTp0RzK~<6Ail zYmX8xYC2W#bWf6zwu!cQ+4a1*_#hr^E+xEaw$aSv6$G-!5r|`nGL&5`*IfvBTB(!5 z55{DbgxXdIz(eP+&vz-h%G4MQ$E#z@eD%r_HVL9x71w!*==aF zPyYel)B33zHFI;xx7fp*+wzxvZyD=g0aG-@bwohQ9XAd_xgyfjIEAuDK(n%n5ke8D z^`tA>n0{I;T8_`J>wD-D|9nb(-*dk2w@0>3wL!AGwk-MtMop7(G)5%^O_jz`8b#8P zYFk^Ku9(gt;mQO6%1ZHhOE*N44F z-Wk384u=B>V=ir&hrIcmRnzaSJP6og>MZ$9;X>@2Jq=3+LNkTgH?0y_%Lg8jym6wu zyFo#uisV*&%3soTbs+u5&xy0c%WRx3{BAh>L{c>9x3bC2PrGfom!l3cGMwrC`Q|i^ zezZwfk%!ZFV3gYRX3gOL@7}%FgW<&BwQ5lpYR0TXgInq2=4F&!soT(dF{5^ zhbIbJ?w`9){eHYxmseLRv|r?5vhggfQEYLcX+}l+dVBe7ZR+k;1AL=2+A!rLw}+)i zq55#rX&`-a|81bp>opBM@!+kb$A+Spx>Gs#reODq+Jyv8PCp$Vcvb-=-1xs$`Kt?Ybd2-@O2Hs+{0`gn2Lagn_q3>(Xpw0jG`MRdMJ5p>RIi zycd-|K&*}%s*iQBIgLq3tjulHL*c3_uD$xXuy*#-v7QVAVfIETlh+g+AvC>z)_v4U zJ>>RSTyH16gU-oKPo9%W*GyPA{%XHP`|c4h>O9BKo;~HXtVLrqX28PowB9R1Z@)Ug zFu`{NFLOBWXlRFC*Sfn?6R(Zee&^1Rk|8bLUa1Hp`!hoE>%$w<*0*B5wp#{T0zZ)UsPiN{PTG|f3lhp}w!BmNjR}VbElyGoTuzNNuDq6rgV*_;gY6nL}S=WBvTZbO& z4p{a=%c}RL`|j8mCsy!P?wWEWrp41O*=@NePddF)3NAXsTs{8yxK+Z}b|kcZ@b@Oq2~wjS z&H2i!F01C~lK=c+%~xgEydfQ}C@`TnlZQ={W>JdO#^$EU&nm;D zAwBfnpE@f5-!z<|gGT?i#i%aTo4q|s^c>K`nKj2~UAlgW3PF}d$~V}4nW*S?VZ3%M z-lFnpiG9f_#B-BLp^iD3F?%hO(7k$ebNMq+npap~2W5%L+#BoO<+JB~b+8T<4g@Rm@E>ui`yX~~+lEJN*Z$V`X@7}BrMVnv?Hwm^PiFb|0+p_+9W670n z`U#}h?camU&*H|((*+MjBIXq7rh;%u-k_{4Q3} zsoq>_Y;rDd04Vi9{u%U-{kv1+d!>z9EdE;M;Gm_5v-z!Oo=WROXP9@&$UV(rH--VP z7$>$FlUw(1jKQEs+2CKmEy@2tRE)nH6?WOQu#Rn_UAVdTvsJCENgyzA3xeSo$Q6kO+-G(u>2E* z`2!{I?O($Ibq(zU&qyAC(|x2KU8lMbl1-`GXr1OzK_T$!n*tn?uin2Ib}+Egw>Ub8 zTb&d9KGQkKaxblQ%H=C|+D&QKDN$&<_kw_k0VJ>UEs?lT)m2+0FVdvD*{xJ%?&1`u 
zKtuXG6Abr#sUi*N>XE^I^-Ng2T8adN^OVXO&XvKOUc*(-*-baqF|VGb%nNP8Up#~& zTZh%|Ix(!L1agNp^ThRbzU6iKD=H_oGxqePm#2|v*K}zVt&CX}f8X<}A&jp8cbmAr zZ`@8GH}iTx{DMp#@U)(jev9Ck4$|ge`>w}gqQ}+3`zrggA{!~!_6ciMp&fNk^TVw_ z4oAmP#MF?jI(D4Af~3Fj7xk@8fOFP7c%iuXhqiXWLFw;eRGTiNb5)SWIhXx+M@erP>+6>) zFasA&xO7(Z6B+?aO9_*Sqbmk;fywRQ#PRy_Do6o`%I*1=fx#pWL363*BJ_7SRAr%$ zO~9w3q39^S7fPGWSc$GgrU>;9zF1R0KLXM-D`zM|*UHjv|HAk{kN%X?}^TDz53Zrqso4ooxw*4V@zLH|iI{6ADfzX7~}+Et>Yz%4hzH92}kA02~%wwH1IY{HoTZe~h2 z*vA~^hR$dV3Nm=c{O_v|^k(Q!_}Trs`*~6O(}N9p(5a6K#Ml8V`gc~?Z+Ww;>7PJq z_{(V8su^xymms8#DcVPc8m?1P?+r^eBWI$SQ64=RKonvxCfhOy=* z9E)Zg+B~RO39JmS=z0*n9LI!uBw^!*Y!}r;gs_^8lW8jX(g#kLUizgxHKy-9KaBMa z+bw2USYg)aI?hdCK%EP8Kl3~)>{aT1mI zvx?*vL94TFA~~KJO?gk|z-d7J!N$>PV_c_EoQqK7U|Uy06!&D}Sn74mHG@eovcYp| z@6s^fLhIq~WwZF6Yl(oD^O$4LKUXRw$ zT(8c!9jU4OD3eKHjf?>7J=w(Ux3Dc2&(7DX-2pv`FIBqKtV6@N3l_#10fF9xC()X` zs7X5RoAyxJ;i!TVDA*FU91h(rtdV?DMH7-#)Hr)&>>E)Pb6KwI7^BI3Dbr%* zl3M?sqJjw`(`O@ZL+dS_-u2t5bqy9F%Xhl|fK802zv$D7=HOV#Wsdw}1Db?rDR+_6 zd;L^Uw+a=Cu2(MM$>Z1N7#%J>Je7JPr~H{)vP*>(*HnJjoYWNbwSc5Rvq*t8S4B6r zLbsSHB&zZBD5|1;QVm9vKfy!$G}jY+hlH))w*uSzU7}m6V21KiYyA^%WXJ5I)7-03 z^B>Lwv+uT`XU+fID~V>D?_$(4$130(K#6tEe8UJud&AJ>4#DGyzppS9s?q1dpv(Wl zt3Y@39xC8$P=8J$puOlzVfTVwxIKSLKZp!C9)Yk!|C2ZEO*3$F&x`$sSQr-H(9#E8 d{%@`>Mg1xD!_}XPt)U;5kyLzDD*pD<{{}b3JrDo@ literal 0 HcmV?d00001 
diff --git a/fast/stages/3-gcve-dev/diagrams/diagram-single-net-c.png b/fast/stages/3-gcve-dev/diagrams/diagram-single-net-c.png new file mode 100644 index 0000000000000000000000000000000000000000..40b36fc9b085fc2bf398f8be7a015ce25bdbbaa8 GIT binary patch literal 107552 zcmd43by!s0`!9^5C{m&Vf`p*bp>$&mA}uj=DBayK42serAl(f^Nyku1=g^(fokI*T z^X}m}zu)&c=e+NK=e@48ug%3`X05&Ij?ewM*Cz0zf)vp`s(Uy%I7HGPK*~5ccosM~ zxOjJO0-r#bHv!ojnVdHeRMJ#+1%_lFO61M%rczRkT8Xs`L=x!2&Tt+p3AT7?khdViPR z(s;5{j}+5Lr?=go5?||L%t42NBs)HmAHD_j3tX>N2+^GX6miVp0f_%mO#MGyk^_1< z!$0z9Ky%)>?juPcb8zDDcdKc0_+N+GOI_@8;NS?7;Q21r|K(w{{pW8SanjU(>i^$b zioevw@uB+&<|vTsVjpAO{(E4-Fw}1nKoYG``oQeK)&6>3I^F>YpQ=9v-RYt`E5?!9 z>F9kjFvyDBxcz?olobBUi-P8({bs+WbrKVoS{FMxlw?C}j(I{3OHc-Lw`2n;_8|+0 zATPWM{9M_U%IGOHwfxbm=G~z=ZLS`Y?xJ@qL7diNEK@2TAgG=E1uWPpI3Xcn*7Gz~ zG+I+dcgX=R&uI9;&d#5B=i)?xgqYYykeiFEDX#_u@;F&H;lB`qh`L;Yn=jMx6)*FlmZrSZGR``OZ3(OOYVl6OdYHtgN zn6jf#+sxD>%efj8ct3B)DLwQ3dK2lJSZ$+UWe^?Ei|&a^ zPxlT(ta4qho&`pI{+tf=+zdw-U5n%E;ya6$_Qg8_HxL#OU=Dq%|N z0xEvqyWzwd#O*fVBVsx?v=1(y{27@9+`R68&Y+FQGHPo5z#4Y;V;_nmK?`h+fM;3d zPP}vYa8$H8F6TT;{MxcZZHnjONg z`(`N9U!Ggr+ym*;+&eN)!<<>2! 
z!uKkGMTdQmp^wiRERgsaZmk#3kat2(|`4cN&yto$ADJtw# zVA~G$A4ms5S(ZuP_)_gFzrj4J3SA+WDQapAoUs9B?=$JMlHHdDhvlnT#&XJ@beJ!7 z%~M&B1XXK+$l9Lzed5b2sa}$J{0qzPJGrEl-3$2*NFvnH^K^HdPKVDuqq6JN0j-eK zd+F6bQ+9Z-dU^+#C1Ylv$<|=ebjZedqTD=G0DTc!Ei2o76W985)>GZg4DP3HSE~bs z?n+iqKP07f!Eo&rN%X8ZAkHo38Xy`w@+PCeU}8y51FM@J;HBK+EW z(20TU=~FH@?6X6NX8a3o&xqxp8^{qbcxy;c zlb-&DLpvvfveFh@tz;aD-YPB;kMdg+*|q>@A1OAC@1E73!^{o#C+l1;msv>hNeHZq zSmFsNxHKb$oId|>+N<+f*R1E`w*vs}m27MK{ripH==3^60%O~Y zY|dC&a04=ym7N{6kg2Gc(rx8t44*w1z5HH#evY)I!A^c(<&78KnZH!Dmg(%$azKtq zRpV5CLsMgI#mesk?pL~`@{Z^WA;c=uS&9g+&1?wt5Ij1}i)<~OVxqn0g(iCEl_3sd z!Hl^X!~~?=VKI0aoD+}{xJf<;s(hj#o|Uh_w>XYE3!>UNO||5kC$r*a4KmAMrY*^V zIZtXj^7fs#%kH)vZKkjW#mNO_1i&n4!&jXI=iQ`l-t2vt%kN$_zQw`HN*+N>qfF#S z2Y=#|V?NKRTe_b3f+2%hrn*=cP}X72=gZBD&w65t3XAhuI5;lGEp4wh0y~PvdX3`ID4NpGM1E&#s$@ zu}~DLA!05j{*+3@X-JN-=;?fe(HGA}9VKvnzDpxAXeY2KFhJRJ!f89DZoBuGbbRc&v=d7PdwqBh>syiP%%&0Pd^OsUuI?D&0Mh^t=Gx3 zHfRfYkkH*H%|3g0FcuK-*jH4nQO$7gzHE}gFS8goj#ZP&o+i+%fPlZ8+>h$%8CLkp znBbfXiBsyeJny6fRoNL|2)_1nQBFzxd{`rCEU;!a?0(H02t&yhDpi{KC}#Fh1^%4G5se5b>=XMBgDo?SPj3zJzWC;zy(N z%T7Kx+K!cbSE8FmH!KVtJe9zJ9PV;SsFf?2SI$=!$8#tv&m5Z~XH%k0`&Ic}6JvxN zj^k2(%2P|6Y^%R}`?Vy+VYM6eUa(NP8v1N7Eyvz=!zn%;tzHPTldWPNJwxydMCt;u}auS(tytEZ|z z3M3%w;u^1~B~`kK8~rV-+%`*t-A_TcAsbM|RTE1XOi*#Wft+9KXE`GiD<0pjjhMJf zy=g1BMnXUjn(g`Zf&Cb9deDbGqn4>>uo73;=$M)D3uj*y5uv8DaMzuC$YYkl%{jkx z#{~O*yQ8>3zlk%(l24@?e_C3)d)O3AO)V30m?;Fu!RpG&tPEY!(m6SdK|vodjS%sx zOIi8h!^1;_W$sr16Eu_*c~)022J=#d+Lyj+HO0 zwqNCXYn0^QLo)^g9$D32W;WF+@67Qs4N7_4gXo!SY{GHm!5~nP_NIP0FO7O&?VFzH zO&70fEp^bxD0znmM&>Su`O~_Xf%8A}R6mVhX1SD!pXH^ijISzCkVb^%=Zkc^Qjn3Q zc8kuIzS|V)5O}9Zhl^|7i1+Q=EvS0U^mrWO#$c|M+KXXzly-KGGR<$3bPm61mBF0Aq65uQ z-LrP6Pd9PBGHiSF;6!)eCwR(fT3vd$`byzb+F?uYhrqDP-g>6}bAg-sUIi~E;{%R2 zN8dqT+M*f8-E*`;2CFWM;5U9#BC=&pf$#uB_zzjiZ=!Kb-OmPzSR~ zRDhWa+;p$M95Hn7Xf)IRxTC#d7Z`aZXQ^_3;ZVKlPQpgftL4T#303P^K9$x11?LyW zvF84VRIzJdV<{6yTa{PZgyznRv5!MC)^;w$-;7Qk(pp-dS%wH znxyok)f7O}sQ0%#PiW1`9E+;PQW9gwFGX%+r(3}XOjiP_pxo|K;;EzdEF7BOP_Ac@ 
zEdSgLu4qXDf$gF>NvY;ExrZK+Dm{pN!T&~L-2+3kmqJ5?7-H?-fqH=)g(N}jH*yZt zg96Cyv(YeR&*q;;>Vw|*B`F;+^kH?Pa`NsvAU`MWF)sI$U19Ubj{`doamysus3DFy z(khZlAkZN1fd|s1)?+t(F8^vrY&Tjqq4sN^$;A$C)4jXD@?fa*SVsydydwU$K9|Pv zc~WgjBYG@9=Rw7BiWsPM3+a7!kV_k$J6JF|DFk>xiijTzpCI!-0sAjWOGT*3O#6AM z>LKI1e(C|Cfy5*PWD$QOBj5QyvCT%UJ$YkxU41t9KC8kJ*kL&W_ZlcVBVHdadcIdVye!FV`(V*-Yt=3$Fae z_e;YeC2cd~b>7<0td^PKJa7}$<`0-Hb{Eq!53Dl`KB`W*dJH6WGGpUN27RUy3bmy<_zkJkt@s&S?_3n$nu$q}W;3+`f$CKifgLUCJfg|RYb zPRvHCFdn&dOC>h$b<2b*`?)HCmS>;oZ%DmwBiS6`oV-t(Z!=v8Rtw0<_jJk2ZVSrj zjCa_Jc-Mcbf69(|zg-Eq;phP7%)Qzq0ArB{uk1${>Xmq0wst*a;^80<9;Nz3baxqPnRYGNAk!-HJ?r2InFN5(TXgBxO=%t0Bj&6I`|BCvN=K zb9J8<4H~pxz8v7UF!Jj%l2K5Y1NxiZ5qI0SGlRR>+n0JsOvQJ1O9sbUO)HJlnpJ9b zgwtFZqL;6Ck25ZVxzQ!c(xW~n*|YWqj{KoV183}3hrZOqbEBw}NwvP|nV+CR*XeC? zE+~BP6Ke71@$PMX;dw7jFO2XL;oM0yI>?|{dq~foBJsp1fNg#)IpoXk+>_R^e01|e z$5CB*gx}@dx=nYBIx7RW1G=}a9EEXsJ7h1bA;6YC%XxopoM z=loN7x6jM8aBt$`T3T2n_wPM{Ka!01ZmAf|d>_y`<4zD$r165G9CK)7W+p<)!o~*O zEP=WTCIc>*SvoNA_nSAl{W z;kb?8PgUdueNm3Rcy^rJ4S`wm{X`6yov4v2U6R#b$oJ5r9LUoz=0qgK zyLovDNzBSr#$M_C8~1gqJ$*`cc}QP<`}X*P_{a9Jg|z+B1!ZWC(h@GMmn!}}8?^6( zh_jj++F3XtOqXBZUIlb4RZi0oLGL$sBI|czHm*=7gYY3@8uXjfcyY1{LyOIg?d{D? 
z3;8IX=x88NKv@_wMw$2KkqXGcwGe+cZK$5WG0ktPJDxFsM@O-dMD?^u`K<6#4z543 zXMR$^=<^>8@>-WOO13m+38ObD*rSX**lyI29rrjTc>*MjIgAqr_06^ z9lMEr;h*jdVGC*B8+YpI@6s)Ea@X_z;=K|^qs*j8O-D-F2gg1Co_qwT@K+J zab2Vw_2~{NWGJJTk8j>&msq_Ql%b)0nQbnf`dCisQSge?C>~bh%n177D!9!n?Tbq2 z^CEuR*rd{)BiYuSt43q+=<>=+q`s1CmSPzO_Ro0!emZ2dTjZQu?&FsnHd?gVL5@1l zlac=BPHTAZ1O^`I{30rZ)ZLn_Ksz9qA6&b#*V-LZrp?)o@vWwH0&14QCuX5lvxVc& z-lQbu+``j2V>Q8!14oAn;9RpEHQP*W!mC!YEr@ZDb8bE{ zFd;tMBCJ>cd5`vdvrq|5$uC-EtEJ(edi;y+FUpxnzJb~=G=OfPR<~QxRpafacT%h>T9Lygw9C#%PG3Do44!B&rz zD(y6iIt~o|+H@CQdPcS2wPi`&`j!Hr270e4WS-I_V#Lwv+(Opr6bD0M#j^boHn(I6 zg91w>tHyq1rA?S=x85e4*7Z2s-n-vKC`%j`T;``={~0br+@<;0<#UVj*QIAgpJQ8o zozUZlmgS}n{CXIz3ErLBpkcZbZ*7{2B~~x9C<*<1e0*ZUnE%+ejXw4;7f368tzm|>WmEcN*55Kkk2nTgH(4%FSn@x$1YwOVCR8rfc$>y4eKct zU)p0=d>l^wgr;jRICb+sc?Q6?UoMl4nvE)q0;4(W3LxUYr5P8C545g$bU?X3-z@Ke zmj;%X>0YOaAh#kucBKct^1)#96F%*XOr~dWtmdW_ecItkllL^3mL;+E9{cyi%!W^* zX^N17m%7(594D5m?*Aj*^4hSRzmHZ3YLebCGXEWTDh^u8>)MLo;G6+T0PH6~skJ}x zbz%(d;OMS13VshKmZfd}`pMQe4k!n5#Q4_VKx2WdLH0QuTRn{fFe%squyzj*DF3Sz zC2#}hwP92ww}({L?L^#vFK$|CR~O|!`5H5}IPA(QT6u0P_93vnVJ}X7z%yD;HI`*o z()t7IjlC8QB~SnR;s5CdTQaj6%b9$(hG4IVMZxa_b(=B&(dP+a92{>C)*e}cBS%n{ zY`8eO_g4=9(LDlbI*JUkqmj}n}b_ek;3rlBckZg#eMUy)+ z^6w?J_D8$wIozS4JIp~047A~%(^JL_k>Yl4Z~8ZI;Z=ebmhHNZj;dB)1CoS278Z7k zOuJ=p3#)!A=w1-ge#ZaBU+-v6m>XZqu}*`o+~wkDw(&jN9i;qJDbKMcz7 zlK@2->(!j;@seNTs%$~rOLLm|EHsi?rkHg7ModYIXO*pPxzR)%ON@^X0V)Km)y)#X zex{L8&r}*?!sG+KW4cIS43c3e{+9sCsCa%-h14)G?2xaV!pu{EoJM`Kzp@;rb!fb-kXhtZQ3Tp zI%6xMe)lf<6YtF)^mL$en4A(|oR{0PsL10oS6fYytKIoHjvEE!h(T4bL?h(t9%;PO zm33c-snp5dqlmECA>_7P>?`ypFco-Gf3M*k_{rvY83`GhmxU$M6{Ph`XyAWnU&pdM zju~HVJkxe1-v+Kf38k2jD7O}fcyF@N99d1&u{~QQ&MWG$5O5%dBIduNG0qvEYij!H zK>A&W-0q-lz;ClccCM?x$+5}A{sBK@A90*5TbGO*^2U3TbU)^{P=@b!KJ-6HQUC0J zY7;ImM=5OLU|_*SnqOQvQTjO>J><7SaB8D%`|`1reBDf<}pqI-_b-m-+ceW zh(=$jTN>7=PKDW_3qs2D>Ynoqb1fzBuz)P5?Wuh?D}$hvF|rloRP~kpSU{yQQ7*ba zx>onzV&xK(c|mA4oHB6|IlFb)F(7rRdshpj^pjE|bu`^lk(83peF}=cI;}5^njYhP 
z!oS*$dPO=|>WbNw7L#=lN=|J&ND9cxK5asu=x-do2&bF6m`p^ZvT#jSLt2_c>_r5M z4r_GrG7qZs#S(r_X@cG>q@2tJLs>XGi<(w}c|AEP3H;#TA=B-N7GUymupDFA~T zO3+9sTer+%Ige!Pj)RRBGBh9rZh~5fcqsY2((&}iz^@Vs55v<{KEvX=&)vr&A}(9m zwlpt|QOQW{J7;y7JsSh?(VM<+sUU)He$#X2wtOzJ-ch_x6>xI?1uXQmx=Y2_(!ML1 zS^hGy?(w!9s5i!kK9dQ8{9P~_O$H`2j@k35p(?gi`{6mY;uO@mZ?6teTmeqIb0Xp_ zd=gAN7t4cRD3^|t3f_&Uc(^b!#NcfGP>Le=K2f-W6tJ;T<(M-JnFaSYzI%ULqX>xY z9vePXVeOW&u!MoKo(lA=I0baVzB}@lz_ub)z+g}k@kM;uP{8^G<9vQe{J_E2|2hjG zlE6WJmESXZhA2WS$eSFwd*@*{Zow3Adjl3X-%VXDY`D^BDCA~}ixb#Ts7W-h{MsV< z`t~i<&cH6fJ0@UVMbP&v)XrFYpTq->BBq>dbgcH1qSAet_vUlZ?=(c&2u~U6fbr-Q zBlT;_iXp=sU^O?l!ti`w@rrKBxl4cEC1EsIQ&(G;{d3;EgzY=6k3k&QM=dJR{m+*D z6M1JMwMnM%O&;Ot?~?2G;AfvB22s9+52c3g5RcP&&J@>gs{lkZ=?jMRMbg_s@sqh> zFg;s{zt-463sK3##5m<9M6)|SQTPa*T(Z5oMeHuhP<~j{#uY*r@1^e6!dnzC;<7#F zIG)2Nbz)5i?dz*b`*gKXEN^)n&QK{EPLTHyJE+TmB3zubQPpG?44`R%-QfezHW?24 zkp+XYAZxqGf<1u;WQq5qey}t2G@_T!(i;+BYHC0G0Nd>;Um0+`E&u`@LjVsH1ngm0 zLyi`>VS1cnzRtzG;1M-V>|>f(W`=q1^Ec*7Uufqz(3i8ZsUBuaL6WGr<~`xr6PwwO zaf#8f&SmG8#PtSA8O#d)OTn&stZbaeHM;QXLhUB2FO99*nVQ*Vmr2fa!~--mXb7E-h_62M@ODqx!R3>68-bUh8$G60Ki~pH%b>F zevqP8qZ?2p)3x^C-HoV=D%+WANT#=O=HN2YLo0ig&9-hy0^^ZWk+*;}r6sYUFexcI zsL@51i%34_%x~aep3qZiaOtYAlwA#tbFzLb(_zB-IO>O2+qZ&ouH;n6=0pMXVji{h zd*=_M96TFrfrTAFj`4b=J8&mDL4*1XW)Bx~QX0=5E;@5>En|a=uxg2YH!o!ih=FnC z?XU!|S@1AMitf`(D$~o$^j!!Z3*h1sVC_uVdhSa*MPNrj@vCPs7wa`3`C(Z9PtO@n z?T`CeTQ&^_m#Pq-7tJ2Cy%(GCcJ>$_M?J@pDQvI_vzyY zxwmC0?v)^S>B0EJ2eLkVjN)BJRY_uLb!8b@FC|_IJ{RUJU5T}>9m@FH9i(je>7$cQ zM%PFyIu5WCfRgO{!^wGDmh353P2jp=`+0E#`*~x<6cn8K$@HBLVG?fvFgK^<^{M|G zg@IK>EDU?xX5qoB$AmX-tnCu!0lo#mixvaE0Mc4}gSivJ5tB2ZfL^ z><_tFLQXy`gE{C6H0HJTcw{A_u}?2mUt6?cc=>76j`AoLZs{--Lhx|B)0l${cmb4` zHY%skzYjoW0Ox4GiM<7&%F>-|e*uZDJyzf|AiVGbaC3$EMR(Yk2Q|9*IwbVzp_si+ zRs7G;91GIZN;MNr!jmM*2lO`ohx>UZex13*!SMo2%JnmGybRWWC6NtZw>TBP(!K4| z^Yib20j@KwucA6$kgO|HQsNqlzM*5Fw_|{ew4~Um0~$9g-aDYQiw|9jV7Csvhgn-z5| z{(F1>w{ET@5URvV^OMeV9)g{0G$%Il*_Qz3{W{pKVKYpum>+Iqx)#Sjva5_KLSq2rC;ymDWiOR76D;nwN$g6sCL{7Y!VgcVPqYd&%TDA?tm~&RZu490I}G@ 
zrPVyd>)>$5Q0lmGub+)fk~Cr|_b}CKbt!gUXMe=7`Wy~~9Kew?TdW_wSFh*1IAk4o z5CIIv#?5Q*cW+euZFTv_8ai6F&TE7A&n_Otrf8PBD1KIwGy-+Th0M*?J?Ep=*YPl! z+?>rV4+aQT3z^=mS63}>eG{6H-OirAzJ*sqA{^S~TMH3ZCF(n4FU-AbLy%_bZdM!vq#)`#wTXO`Nilgkg!U4D{w)7Y!a7x#nXDeckj#!rNq#QX4 zs%Uy%s-mNp@HE&Z&M-Z3A;*fV#gnCLx2`RpPbxJah-NeorA|F}=k=}UAy%C}yjPuH zS~PD)hDRIKt>G(*0MYKDmz-d4QtxQRB|j zkNq`}7QJ;c)?vyvwu_HnMYJ(r>5UaeAjARPWM9>vcN|5(%cbC$9fM144uRp+3a5n^ zIaomZyj=>tXKNF3mw=Qswx=A>OTTIY0wSu**=TvjrNWEi(Q+QrjnRfHq>4X;+jZwa z4-W7&pp zGhYnho$jH!W-6H)gAr3q9k*_4A!B*vMO?UT|E_x@C*y5CV0a}p-PX-c(!6!UQo9uu zLV|+vF~5Com?IA~U2LQ?Js87x=CcjIikl8^IHg{l3sM(%2DosXJ-s$<*7X1FJ$Sb- zjY8-~*9s&P0ej|pHL_?aK(p^Qf}eT8M}7bC+p&?*=DFC`ML zO(p6G@j(-!`=s!eYze;jM#XL&oAB|1DXWn7G; zl6G}*Sv$=vIz|5kpKQ1Px%PzK9)ui^aRKAJ-Z{|NAY72OH3 zCL`pYtwg#5dM*spweik}Sy0%`C)G!`OC8FBp0kz(+LYh~*Xn-wWaF)wxdiN{O|{g# z^;2$!=Ot-{O0Oo}+tv!7({nN~h#E~78-|A2&O>Ilz{8$dRcB(@)c{ZhKxY*JcF`MX zOb}z$*UOqDn4_PmPQgC8>EgMWN-G-ad<@zJ)>_hN-Nyzzda`2aB0!Bfh_#%%a;wcr zex}04UOZ8Q{CK4zKfDTsw^{KcW%nkQ&lY{*dlQbLJX?1N&JpoVZ_0ytlZ@xh(Kk{1+!8%yVL_9M(554&;;qpiH$hw@-l~AEM4W*HyyFdO zO47r@q)|Z303Ts~Y~e16jDlj8b1X{&!U$)f>&H@#YX1JW^<76_l2VG-OdnRl=h0^7 z=kc5AxI?0Pdz(ZTO}eFqhZE?a3|{Ckb~Ec6^3w9WKFxEE@|~14O_rU$UM&&`E7spD zjMx}Av6^;1Rz!GTmTyTRKgbpr+k2H8bhH=w7pDr#*~a!f9x~j3>DodoDhe|!CYo(r z{4IY+7D*{CS1muR@fiBSArjVzMppyI6XM~Lmsc1Mw=;aBbpEWVQBR+eNCN*KT)Gg9 z&(%7`aHWf-L>Ejimd?S0bnNw>ab`sz7BRFc5Xj|U=7pQi4l7F`!mz`3Lr5HJCpGwF~0LQHpk zxb#ZKR~&RlwB@u9x3t0yH^6gZQ%ZS>-%8o8DjF5>q)Kq?QDMS*Zw~z-ow2z$dc{- zlVH+oPn*}qtWB>O855_Jzb77AFYimdz_%v_?nXT# z{3_?Y1g{&hm3SKcr>&g!jG!6NQu1f&p3qW!^ z7DCDaE+n38O-kuw@gh@dZ`pkWi`G3*KytanMaSR z$Cv&aoc;q66;%G~?SWXn|M2-(UjF(Le}xT=c=`WVPVbsgr%FspS_DFcYpm1-(CH_w zRk5^lmxcdkvj=i^*hI9p?9cv9d;gDz|EC*l$*28)kL>^FJO;KIHn(9m3~VrWc@H1D zIAe5VDmfL}&^Wehg=CA3R_D@dY*{*}LPcNCAXX>}$W{y_<(EEFFV;ElRY$0*tNZ)= zhg0!cH2d5@bHdF1!&eIDeqmtvxPW)_3hnA;)v9s2AX4$KM$HOXi5&yp%sly_NOpTA zs_l!K>oI5!K&MY=>fN>81NbJD^#N&DU!QJ+hqH-E&hSRXoh1AZN|zdPQDJlvjV?P{ 
zSEau{1%!su@L8yS`jpnRWl@-x_GuIbW>QRXs@1{A$6sm>-I}R&yeiQ5I`}?n(SX`4 z*b4s{9o?5Gus5b{OLX_{zDgG`aWmps)7OAaTOaJ8gL=&alq?FFC}?kBWVCEq(op5J zF+>2LlEQeK0K8t2t|1M8QZZJeb$xe8sJkpoG}LVD4ZN}jC+^LQdXku+4YJ+WM%a%`}?hS1*RzAv)-7i)3w!A^t#8B=_V*9;+fRVn>UZ+%vZXj6~&N0TNZ16 z73@q`?=AY%+3Zjm&(=9Bik}-PDGmPm+|nLSR|4DIo-7xznn-Kfbb-fmXrCa*^(n~7 z$5I_ONAhRku2IRrW>#oo^Chb0<{QCWje?*5d;?~!ru2xE@|6KdM`z~p{HP;@(vUwf zQ9>8#LG<3RCHH%+CS_EyHE-`081h{c2BReG7V_WVw-NEmDFa^UI31pBGi}m>dMN0b zJA6gVRm7-fnn0q`g#<+m9w*=oh_vh#DmE-ptJa{QaP7_Vh#W$n{<8+?i}dx zxZ5=yhm|y(TI;>h^s+j8*OU-*pTgcHpEmsT$bBnUR|xdT80iNg(x3W;9H?*8KD^ic z)wfUr?rj7#0Ga}x8nQnL%cX^9qf3qvjfbOoiw%B+>vce2D@4Gb($C4C7}|2j8SdCF z7~Hn(;Ep~!4VNO^skPgv+NA1$bBUd8v*{;yvmSelcAyUz`-ZtuC!70!pAg`kZV6j` z)cS1S2B#|#w0qw3>7z$Z_Kb*QhWHasfu`e3AS{le1?%^M>{T+CqQMaZ?1qujR0A_|7fLnS-q!H&wYXvYZjPr4yz`QCL zET1YqyW!-G+Q^-*vUU`t4h#&ep7-|5RY+d#jW2iJQX_Q-zPm$2^$4-WKybNs@pzPVb~}8_Vp?HO#xOC0|}%*3{JKV^HG< z2M3|z88b68;tq!lfOR12@^b7>#>=Tui<9krdg&&6@4CZ}2D5b9J42HPmzz@6G zV%aszfJdgk^EWXym3sePA)b3>R9(LTjoR}4`t?}jBSsFey94}y4>Su-Qdm3LnSNqy zikc^*b6fcGdO7}v+`xVqTV43_Upg(iJRt9JU!Xd}wRtP4D65atI`9XJKnty$)V?TTg^h{YEF0vN2g{_u{jIY3!@3!JZE950eR zq@rn`ZxGXp<_R?Sr%GVX4wk~jQS0Rh@o7MiV)eZ>hbxYck0&N3ICbmfl7%aw7&P$m zgrdZi)5nhkhT&o-fL*TDg}WdmF!env4e&yt>=I5r=?bdCPbLyM{Zhh9i zg9d0-F=?e&?`FS*=-XgtVUd=RvCxoqcXtOAvdVTI-OW})2q+BD(qlc{zpSim4sxn{ z^%F4vm6qzU(FL$NKztV#K9N%Ln1pm0QSn<%jO42TS2fVM{fTV|t(eEj_T=e2w23x5 zuyd}#bFDAY^^&#K@Ra zSSY86v$VA2iQFV3B`x(pT0mag*x0n30tA^)mESH;8b^0`H*jnem@x!6wc%27ME8!) 
zocAdcQ|_W%>fg(x^|R-sLMmzx65}2u{$OCp%$*r9-M>p37!pYGOUv+Y)bP-qfX*>K zS<3=83~Egqm)(T4b|Zo9ghsT%yXQ9$ziiJ$?&?O_q{PrOs1xp@0W`*w8?LaG#LUo8 zSBYR_7J;k!4T zq^dXAnd5sx!md>XX&p#;*l|4EFx1(4qYC@ei1GqniHIYqMD~Adjm?(nDo`56a^eF8O2#RAg`6-beBt$fe)FK zm6g3XnoG>J^z`QV#=V+u+W{7J?h9C1Ir92qU=Wyf8qQP71U={A*eNJ!lu=Zq6SPYU zsNerX09gL|qka*j<6iArie|Y94ItpQ^NqE&wdUsLWd{S< z!NF$|5=}}kfGP<&I}@db81xm&;UZDMws8|yU|?X7;=UT6Xxr!x)MR+@@S$T5N3|#* zqkveZrM(6{c(7^WLheF7Zq)gsKUoB>Q;b!<_7Fm5{@7 zu`WDEF;!1l`2jWcOu4CI=Ac^}nR-@M7D!Suu#-q&#;%1(fETvk8u$NQ_K5QB}Dl)&KVQ47ArzUz!lf(DrgAm-jh zbfiE&en-M9B;c4f>D6fiG&=T?%ZIJ#81dJL5l|Mh1e0*Fjmbc|*ffgxNs*~(UF%sV zPjn?}e#oC>H;0a$nN=V@q`@<5Ov2h>bu}YN~450cP2WZOEuPXvM|Q7g!&M0I2Wh8ZqxFa zn;j(E)0&9>|7U=AKvC04a!he`w5ujtVKxhp<~A1 zggAN)UELx9Bfk8a8jaM%e2F3$_8KZrA$|6~{_?Qr`}gl28ftVnE6dC44OTAjtL87b zfSuL28nxorHZwB=Hbva3^GDr10s;bgMioSg*j8$am?IApQwIQqb#aD(_rL%7zW@{z zmI+ms6kio@K1X18<6Uc=l3ID-<@1qzC;W1zK{6;{t9WN zLw}e%N;(zAr%zzo6NI8g!H;e%DY>}` zCiab)@%9gzy1?a!^PWqPodySa{#`lcOyVXUCteTaN0!+T~jGGbT=}X~)fmaT6_e{;yBlm!I>j3(Os~hbuU9 zJiTehCB3q_@YsmuVEn#KiE2ERgs4-Z4b%q}B_9%YNlsYSaVzoBBUb#jN@ zJv@M*s;*Ahv@JAgXk8~!pD`*sE2~0UnlVaJN=gDbqOzREPuTM3&!78mWwMo@Kd3F< znxB~o`TRH)5!+={oLQ%{_94>pN5r$XpE56m{`Mjrmfw-z`;IwBKml{d%F3!%q!k?> zFJ#)Ebb_D{Y+2NSyA(k#HimOG+0~4UvVMOuv$0`x{Pgm1iysj-IFEZ}sPo^_@f%3$ z)?^M0d}NK*Qda&u<#v9!0^l5F=0^?+QI6{H9Qkb-yi`v2G>PI$BqrW^m za1z#Kj8e*1g<{6`aNmbKR?^o8XrNaU0{@tlzJE;0qMaWJ9eP+%;?=U?`=?P|PKV1~ z-~u)IB*DSq;V7Mqyo!pS)Vv27&|;8yw7!5)_|ABk$5jy(v-dY`AI#N`pT4 zhw`HFlF8{GQO2s;pXrcFY9 zzQqWwsJBgf%R4bQt2ISHwYQYX-ZInkk64sr>Mw4EiCFP_4Tmko!i@TF>U{W7Qr~Eg znEO-THMx90v9;#o%;Lm3)>Hwtu5#X`dRG#3&E*I)>dcO00zE06_;!WK8D=$%BTu9ZfxHS2*uoQOBt1G%k-6pqQbLB_puk%h- zZrxi`jC${XU)XJ1=gnX?MQQ@C!3PHaK2f`4#c%h|ne1|wxzA%q(=5>2TeGD~Zw4d2 z;Fr=fmK$I6UlCKg3hrk}5dS1gr8-@V{Wk!}d!H@(cSSMr#LEGKlq4k`)1LGq3$R{< zEmMkfPO~Z8!otG9t3CUREz3^@%O@|75E4s*VM}L#Lsd)>mFARdUvXe#W0Pl$YFV5B zke9V}Q8`ZT_!iOw;^3 z2?k3t{&L-$1I$nrrmwxNO%eq1I$wze=v#Y1YR0GyAi|;Z+J7S_*9)*-o&FnuSIw*p 
z`$l&67N8ZtOGw3*n%5_3a0G4v$FuEJhI8aw>@W8RTWD{2n5^-%zqVMno7wy1PL@I!6ITN zx;vC^qy$7jN~F8np;NlMySwg2-|yZ#zZ7PMb7uBgd#$IARf{&Io?5s1W6_RHf~?Sf zvc1tR#Rr~R_LtIoc-sflq8KP@|j)Lya61LMm~+n)BXoc?wjW?W=l=EQx2b zEaxZQbf6&X7wrAPp+BJ#hC_Q*iShwF3+UIv$?Ef!5h5wZqNXRbaMYcsT-vmU=E&Q-KzbUv*Is zXk51Cw~M1m$8?P_(JU<-;NM+ZQ~JnosGEO$M2Xvn?*l!=bQL%`AAc!K#N)Y`_o)2> zRv19)MML(Bw7N%CbTqy$vx*D-Kqx~K}1BvNa_r*GsnioHQt;~36RJZj8v?S10R69e{y#zx`l z>a1v`TmZlpq?d_Dkks2OwLQV2f%yGKe2QZ}UbFya6`t^r*J;Kn9u?Y+p37wA{X$pf z0By48^B6DE1x~bm8kiV`EML9@`o#oU61-={1UeLj{`3RQc@W zW~qdLMwyP_(~=#)jY1mXM5ILJ)o7EFh4rMC{jf= zrWA!PI|h8#vl=T;L$J1ULr=L$pI^MP>MUZ#6YFPJ(AH z!KE1OHuYMpP{{W&YUJ#T%gYM-;2B`U6-$*XnlL9NB^_J)Y`%7M0n?pwdR{say2KOL z?I1onHdd;_w6-j1tn%vBBk+?3bbcZ@m_gp#>|YmXe2g*KWY2zw2k^H6F1PE@o%P|MbtK zK+dzu%8&YFDTBHfJ+WpN+ZBAs|2E8<8OsY)z^%=X9{z4Wbwokb0 z10;4FuRzW3$ByHA`SOLT`CF6MlYd^AqmAL~u&=*+8a}F#%|`f)7!+W@VOXK*kx^UYzCjF!Ro-^UVPuhLjEu))?6$~Y0zb5h64NRnQ z$DfpO4H^&=8Qb5CEFlbT+ z@InCYt24x&R>47C+Fu{2n8Uf22F<8d-GR7`&B3P!k3eZ@)jI&yrcxJuC#fJI{@(eF#Wo5_du!;2%hyN2XA$z`jnE`B^K|a%0 zGsCv$Eq-gb(oJkqYFS?&2d=KJ*eCfY7KHDR#&{JOoXOqOZSncQbbv2DsqGmLLNI0D(0&-X#mVfzDPY zYpB+fhbLUYs=;1bTH4w9oEgq107?>FOgL$}2FuymSqg|OJF=-in{|_jAW0H*b95>g zyiFS`)K202DDQN*ZB$7RwhF3wcVAyJp98~%6ooIq)|B#8BENpcAtVfeMoDH43=9DH z7}WFUD1HWOD1N^k*#4$!AXqcX2|fBD%V)Fb+pOcfQ$7|iMN@)hKpC;e`|*?_wUQOK zem<*7A#8KH9#ml5nrZMRH$SS?~Eof+s zq=`>Y52e?-aR#ScU^@iDpzF+bR4!j7@jI-Lq z@S?1pJRc!kGs{*^cqN-RIv*^uHeQ#QPq6#`0gW%X3JV8Jd|?X!PAn}g9Wg!0`H&0tEf0^I z6tCM00O4Ene1`|1lL|P?Wh<6UYy);&CZ6p9oGo|c5&#LIcrWw-Wt@RP}SnDLNNwdTuBO>zd>EY2tz5zH6>{n{4F5vHQS+&YknC?{o{7x*Y zVSHY+xVV6e14jLu^QDLf4<6ie3wiEyjsZjQd)R)^)YQa(hWSs1?u02d`xq==k4t+;N3M`o(;*T}4EPx~ zfDOBjsC^`)P3&UeC-H~lLqy5QFgiAoWu}x7Zj)Oc&17!g#5%^<+YS9kl#{Tz4WtM=d%*=&(20qqkQ}(t2Kn5p%BF!iD{16WiK(vp!H1?2yIu zS71K^6@rB5#h2EMF>cP6T;*iG-#BX?N%Y5R=TO)3*`3;!jzUQ`?{2LzF+UD(5k#7A`M<_do;*JEtY z*x#_#>vXnGb;y5bLfv_}1<_Z|C+8yi`5gPi_k@r*!Q1P`YJuAd2gV&PM%b^0Q?;G) zE}B@q-=Ti+HX*6>0R?tD>sn@u_4VoEB^QC&Fn6Y}U?}7&F9q!rfzxvK##19_XJ?HD 
z_XIM?S}H(1d5O?U*ug|qz-zbaetWS7SgG6H+P!64-ssMr&d%Zq^QHC(@SQ#kfKQZt zRPgk?jiFZnyjMCv_wR)pe^OsTQZFxEvlT%vb~*TtRS!<^Th2TR=5B+zSI?bf;r-GQ;OQZ0WuV;C(OH>9<= zxEMSynnoIwVeIgw?l@LuhFI2y^F=^TkrESw0)4BTH3SUO0A0w;%=7>R^*z(ezyNkA zJl@CS=3GlWoa&*CCsLPaTxuO=&o&XgZ+K?#$F`57!Q%(rU!`3vgmoM+6 zIHkM^diuk3ABzU`g$Ci2?uKPq-w??jqMi|!hMq>=@pyYSO6>_@)!!GNiLe39r#lp^S% zatC<=qZ8uu&9jLvJYB<)24^P*xwvrF0)MdXhX5`ALTzt=ej42Fr;zxmfRNQ~j+1s? zc1~cRv?Bec`!yAoF|(}<`SI~-rd)OqI_i@XJwC$DGc2O^^fW$?_Adau)Ne3g$LE!i z%vU;cuB)ozVTk<}8~dDyXnSX;*MJ?2KO6R!U&vq4VM{tVoPe@;d$Z>iZOCe6WtAZ1 z2;d~}qo}3oWDqa}#{RW6TFf9MG@|&}SU;$wv@|n4{l{n|Q7A~>pola96?B>FA=paw zik&;YkONpDI3(o0F5*|~G(RjMiHnIDRz1`!2FX^)$jDhge^U5@zR|o`MaymHB^U#s z-+)fxV5uE&!q+!97F_C*lEETmP{`xLhD!$3Wq_t#E{3p98aRV;+n4+{04{pU6xZFE z3*O9Xrsib1Gn$u|*S4C-$nr1tP{lz9x}`I)HgiWLJuzQFvI($h(XU~i0%r2`M#4um z?+f+WR5{g@yPqSzts_)a1E6}>h@Wxptd|GQ#Ox2#3Kfex7muH`cWv`AT;&{NVwYh5 z46;eRKz@hQhtHg=Ad8=(%c&YHS$O>PRK3BJ7T=s*{RJu|_d3;^78W|T*N=%MTus7p(iMz@_g)fCO=3_Oy1%;XV3Gmr`F-ws8z={>@KGn#vZqEl&l3E`cvnMby zGxxeEv&5|}FO&I3MMs0CQyYx#po~0tgw)dB&cD>E_oCWU6)+Z3QlVxRbYx^d077&R zk?OH0EH7$@g@pn6N`8c9>i&^g?dL-IY_JHq(JGSrln2nT?LVFV_I&# z_?V(3@wkM9GSorq*QTst*hlNSMeQVQj zRsql}em9y-d3seP&{Ycw2`#7hb$0Sv&o_ZFWor2RUw2&l8H{O`%&dBO_d{UD&;}|} zdUm$MW+oM#!R%8jO5Xylnj(ETgOzach+c_Wk7Hu2c;kltZ01qx;yhbJ7B25$t5In# zLAko)O=R+p?L%x1YlS(U_Im$=mTNv@?Lb(?HneZ7OiM9w2QI3C2>gVPH zV)CL6el~(DOP7vI~mC9Ov?gAmmsVSz{+_Be*U)~80%aP3c1X_^AhqB^+i#?gTg>$tf2G0 zj-DQczwTcGrb-L3-6lz9ZDZpjdjj9P0`UVmbA9AQto2w|BUbyjEL74Ybhvx zdVhY15}*F_kxf4U&c9FU-A_sR`EzzKjUcIkfq|f_udYyG{+ixsf#vK1b}-?$5ILq52vVUD_`R?t%TCDOC%9( z;o6ycxb?VHWE^s0FBxrs&=*Xx+sDCT%WN;ACvr@OEATyjS`O~;%U}M97hTrq3+^5S z9WiA94TZ0Yl)rec6B0jBOLp43M_9i*FO$rYQ8L?%;B)Ram%{<<6XtCT!hMto)3Id* z4*NzvITJ?kBrnN=DVx8XO?aI;qw+`f(7qvJv_<>3hA?xwkX8}M$8x^4)UKz-FHk|o z8^B-zQVqlcrA0+wLTxltLtFJ;a&y;G?eW;HqVjh2lz*X$mGpy=2f#nh!Nb<1 z864WsiTQ>N*a1iY=o7Wrtq=d>PBxibe8I*epF7frrpoj+AV6YM+uO$n3lnqP+|j|I z97Lo^N`8B3HVOm{46%~WQN)ZJC&00SInABq4M3zpbq7Rib91u=gO52EKftnqY@xUq 
z1I)hn7y7@lPP?+Y`ZX@jYO?HY;n)%nOMby*nJcelWhDP@@%Z=UP+cHCDqy%9T4-W6 zQc&&8PMY(Ied+ozVvf%r5nd!xYyy~w)P#cvo-pJ7LB4Y22#=kb-xo_YqO{pE0|u2# z1tYo05*dnGk6=xvzXQMetpnEub4<9XgzavqfVDC9C0hAfHv#Y|^$o z>(kaAV}?9^HSeP{VipG;$m37ywqH9<4H+7cC7P`A@p;!?N7uIN;YB?zlbKbddkOXi z448PdVei?Mz3b5WLZ_!tGN9w6h3|}BBtl^$aoyM|$31Qvlk- zQor;X5r(y`bjL*xv4Jfa5dEd|nPXccrVa`USfbF*&Q8z|wzjrH$kPX^ENA#iCj@Ml z-_&arj+iEmFpkL+h(b?JPIf9&W4c$s)?Zf{5&q(TS^&V31)$>F?$3*s@PV-kM6Cl? za7P%s*Z(Mxp1vsBI2p>btzpx0NNP+>3{XHu=3b2r57&W--=OdAYVNMWVoH3M%X(vw znlEX0X$f?^ptnwmrmfK{ok*96n5}cM6BYdo{?ybCSgfR8*Tq_eUfac^CmR~Zp%lL2 zVFVvEHKn1xjd#p#*MA#_Pg?h+#kxL7mz@PTSF;cD3sil(s_36mg33zG zXQnsXg67k3-$!>VSuc6Qu^umwL(yEUCH2&}U~f87pNw<*ri&CiBN3OTUmh=6{af>Q8=rzZc;|BpW53v(~;PY`ln8cpBw;xj0pc;(|h=j=&vfm~(K zeEwW}=i)F4_ZKI)qPvNBg{aLQ^Zx0{ni1$7&nQy}@XTenJ4#1eMDksN%uy0NyNLt=tqa31AJ^|cs^*UZ@s^R15rr>_*Y&|juCnmeb}59MAnddSOSVXbsait| z$m$0NDWH%^Dqf&rLh&mBlm;06qV~q|@$tc)L~Z7%mOrY)R`s>t-NOS53oBOA5ZA2# z-$ZXK`l}lxroE>^QNl zFK$-GGN030Yrbwo2Slru$KF->U8OIqc@tZjh^w@h&!ksLYv83X^ziUB)3I6?0_!m6 zl>2z>Im^V7?qdu$V5g6jWQk+M3_9(U872HM1h=c^dvRJrknS^KOnSGG}z*<6{wKwW^OWoG)dFY!)&V2Ewj**`j> z%+;hKYJZM`=&#$*(7>s-br!yZ%VTF)tfI*99M)0&?r)n2Ks{`fm5SRGq!kVX*WKB; zekg2puaSFidZW^XqiVv zp8Sr(oZk||95LcZ=zh@K+U0xQZd6(jGBQ3%C?E?B=ecp%;x?W2h~qa5UN3##q3CD* zNDpa|!R^&7{b4Y7nmnqbnG_1&rA4!970K{-%I0g%~X?)?xU%?gswFOx|lZO zl$Y@qH7|uR-mL~fgOg7oqR`VDH^S9kj)F;%?WuIv>w`ZhTh9c(zj~D;LHe?lMs1bJ zw8O2%>Ig^4k?;4f8i%=$%AO024%Msadx=_iabw7PlmYn4CIp8h3qqV#RwI32gKmx~ z@@=DJF}sJyJajl(a&?Mz27Ql*f(05|MVW6`1_bHm?HKVjcfRfjKFiC<>HqdNiHi{LLYmMo7*Yw=5E^^w>8XKH_oQ- zztBB8i4XgAkuPhn_?3wQcBZ_8O5Q>oy>Ya%^$d&FRLFhKYKH&#mz*zDJpHoZrgEkK z_hsm@kTO3dt401|{=V=~f~rmzaLUc8U5ad8>86 zm`Yt0UrS~lgch=rCf z6hUu^b&4^*S_(%p@wNRR_l1g*rN=fAR|+A5f(K0sj<;8l|Ci*3fUtXy)`J)NMeOWg z?_wp&PBq@8*Io$-aD2P?BSH}7ZO-HBP`Z*<2On9UL^=2=Amj@Iq4#qCI}B^>&%h@8 z{~q=z;%`B09R^$I4~MI(hdqY3)Un<*E)=oeY^eVs3_#m=gLF^!dHL#K7+T-$HY^1R zzCiKsSn0v^$)?b%4Az?^iSJmlqJHw}3J;5ir#V+RqHkm8ugw#jsRuYPbj+Wz%Bw|?G 
z{8O5-p9dKAt|{B2wMq-j!!-$)L3Lr`Z)z;Z%-@x1K8?J}NE&XHp)$d&V?CrF&0%Kq=8Nx3I&&+>(3Nh!^YA>?C|_#1ke z$7`CjMzW-{gxM$FA-3%mu*4(FPqbg5QqoURvdJL*UcF+?8XLgBCB}|E*$3e#_c4#aBA$W>s$P{NaAG_smCjteQm3)PFE0-dkt_am+N=yO!8dre#t&(+dWFWMBEf9N+;pu`11VSF4>FZuFL zE$i`Z|i;%Z9oY+)vzb_uJxxxgoa|H_*J6r4uvA+FHXMj62?euZ7I6S`jcJmqDa^x&Um^} zs8agb*&Qz!y{0vU_lxWTyX66@fcF0Tpd9zDU#!=bEVMH=cHwnu>Cu%|+C+(GCM`T; zU&-B!D$(5-P6z4&i_dtr6RHwGf3s&Z9(A5D^n2G~eDFaj=`Q!BjGrL4PG5{?`mW9R z(Ow->E*s(H1(`>u_Cgu_li*WX&W+n{S4bvOX8EM>r>rA z8o?J_&K;U49Fx7(7qVsOZp<4&$ZnWMUA@}lOGVsKDMVPD=Z^4W$EERWS~sH8!p|Y% z$VM}k@qI=_XKwxQSxFbu45}qZc$w18D>vLq^ed;XAxf$ZC;GgJoW!ED>{H#n3>JJA zncA5mnh-~@QM(eIT5d+^R+5gISSHtby^Vm+l9qAulbtxi6@UH=Kxf)RB##4#@?fZugM3XA}2=Biz8> zA3s2A(`G#QIBv)l`ct`w=i2rR-ave4>DBMKv$Tf^`Y{9cT2gdy5m}qLVCY*oXTjTR za1yUY1`ckLh+Ay}I=a(K)6Yn~9;~wdaCGkQ@zbNK)GSWZdD8-aT^D{;M-66Ei>Zp! z9RMrA3!x$Hn$-n=Uk3{*V8Xi82Px zf^5-c-%m2vL=5s{=R10f$)$RVsj{93&#D_pAxS{*)*ahtS3I1x=L17U^gHhoXHY|) zpR#Qq+(u)Vsx$8xse~Fk%fcsbVHmI%zqKGCmS>IoZWuJ{enoFYP0)YiDPGP!3BmL| zCJTLQXm2}Ei`SM~%!hV_y7M0IYR^{;;_U`)YvS{Ct;NUb+k21ack1-}wxaFex~4vd-a@K4J=prklFDy3dc0XCu)n zEv6h#Hb)G*zedXXDKgyLUhUCi12(n}mhNyO9VDNvQLNVr3|rvqaFSrRQ9nCd=QunK zhiw~BONNL<7}%dg)T)R5*Y@67rzFi4<*xq8+9*UlB)0Bnaji}7*VzI)zxvH(`_(&d zetteqj$6;1q?xE*nfSb!o8pE1Ok{5n9Ky|2RU^XRwdHPWngO~h*4EZqT3U8?c7}$A z=&nUmJAm47ME|VCZ3A8Cmhe-S>nxv@xsM+L2CFLwXh-H798%9?V4nJ-mJDI5O*Xbo zA07v&#;NW(wpq@!)5@2b8v8UzH+ViY!4>}AO}yl zUG+48D*&uNEeo&OeWZvgP4wE`4Knq?m*P6|)6mqDe+`+n_NV*pGb=Za<+{P)5zJ&T zPfVj>{?M;`mL66CY|NQwe zwxt=7qsYLOII|kl*473np024WH((*M=eq&aH&7y$sO1B>{42=K@sO-!rtRhN1}t^| zaHSg=jR-LF1=PIrXlbn`&O|mDL{lGL3viVY(%S1u&CfqBycOV6od5gvA^bhR^qR>{ zL19lHD1o4%(qH}5+c#6xU+-K3r|@Z3)L6H6gC0{@I?;`;_9kkMU4ab*JOHs#4P*vD zdx!x8ctyEdKCsjF9Zmp?D-;I)x#MPLZZ6=kiLGi64pt4Qc7BNZ0PpRjgySlZ{481X zgy6D*Fak*G__zu|nB#oYXW$S)@_DbWo(Mjy@83hAD9@e&0_Ax~YvqY^bNvfXvK;vz zN9E($-Ee2C@vmnKWGO^7}M50WC2D!{y0V`-(09wgpf%7?t9azs{7W zmHuY0{t8ZnCZVdDP*`Z?;!<52*=saqUIFgf2(%O60d$ssOv+kXUKgtn;jQmpaa>1B zllV4Fhd4e@g$Va3&yTu2jx{S7Cw5Nzc8k|m 
zUmYlg81_e)seL0p)74h7s48y?`r zi3FUjU0g1}6+=Nuxnb`LES&&(2A4cAPX^Qny-ovVX@RG~c16;gY;bVU(v0(avkn>e z;xyRN6D@Zf`C%qtIo`7xcB?&rz!nq`0BDe%t?e&G(+Cp2s#=&w;53!_UW$qG6SerE zsR{dy-n3Z0#D%7+^7^EItsg?t-~KdqM%Xj`%Sa22Fq__Q%KD_I>*Rb%vyEPNK*|BE zqxD*(Kns#S06cg=01m1ruq9|{Xy9fkWDf%qi5E~_U!Cp{au<~Q2J6PdZHAB_O1b5| zLFQb9@FIXLJ;NV7_#s9R#^rf^Uaa5VWl#b%PCm%!n_%WERq=9ug5zSWv*izyL0Ju;7zk!$zBbrFR%lM;W!*okivw!~AQXV77PXWxdOI{9^(b#0mP+)P6N*#^p^@ z8>TmXa~l7C`D-aDR2W#dCignDclP$2elU7^dK)yltw|tq@9OU6wwk^E{gjmrFBCir zXgz>oXnoxzQ@+|_iVMkS;5HAKLjW3R1tiJCzurIm{G+16ajh>2NRF3Lhd^n^#=!w@ zkq^Ly65BO7spjQ%*LbJXJcC8{8cQK)rgeOmVml!`>)LVi!aG7zaYbFiW1$^qCja{1 z>8?`($!XKg{Bh)5h%C`D6hhnQ8r7+H=E%4Es|@MxHiB^I`6Gd1Htif%QgUAd>F^ZU zDT1;Y0$v>EpHV9u$e%xqPK^=Q4;Tk>i#7e6i#)^+X$=ky&CAQP-z|FEx6Z`KxMkhn zdkR)J@S}FcGTtw{08&pLZtlu|S|mPZ%;Mp$!rN7jN2iF8P!8IvdMv{To*tXd zbYs2(O=scg^h8Ny(6TG83SEfQcO5Syf(NPw;fJl z^6zV(<^n2)zp7H_sTS`Zpk!1<$e#6(QTor)q6?k825S01tAcWG2{&z#38@n2+Aif15~j_;VL2;8Mra9qeR2 zBDgDP_0{Ue#dvh%PmdOLy=Y|-c9S#Y?8QW}6?F-3MOZ_t#rETynxAOhxY+jzO8&ib zE&>AgJ?MK0ZfvnpKuDHo)XSV4`gq=NKQsqYbEiKxYZuY>nRG2}o{7FJIO0XpMz}en;YvE9D zfWXCi`?t!cx6WMt6zynjft|}dJbqw@lpf-+?o1tt7aA6{w_^@e^o~4`fB~b`7t=b& z=Cr0|hs?M~ol{3xS*~`zXFLz;N6zP>NF{uYz|ATbnLX#qvEm2{nTa{q(6l^es&|s5 zBIpOw$6_o8;?MRK_=J_WgwmZ)R0pt+F?E_s^O={Y~WIN&< z&RE=pbt3JMzS_3WJ9(oQA7^gbZ<4cz=*N<#gkG5X2JTESK2agAn2AF_IYO;5yx8_G zInppvPy{E5G0a@$LU9O?ml_)Vc5*`a#IG;T7aXl4HWrvf zZCMNfnrD06wUtMFxwDP+k%8l2$a${Q``f45cR!9eu$vh&2ag8)ROU(m%y8GwP2mh`6rafp)bC$nH7>Sn zWn6QM%TgD8%QD0n_g29LfRJ>teeDkr8eDqTV@C?j&jZH0DC=;#w_l?1yt@ zuTNK_hE-)Vdqg0bA8T%p8=MNwwtSfy+NRlav{!>Mx*e5BR6JdG_FU%tU63M^;&;9l zC#K-xzBsN=?N8WV9Se7_INKzBKqBOtJFr{C+U-oi>Nw5JaaU&ze=;$F_;yH${+u+V z%cNrcw}8)R*d5uYwINj+;=VUGH3mZqTUjY@zMa}MS8}4{x2B~K3zKuZcPO~crM~|a z_H$KbFEEAHOD1dZCC$#d^pRG-`(d$fC*t8?)>*?xQ-10zPBB8ewDMX-JrYzqc$YfVQaKlB~P733hFDLogqgjBy@L-uH{-k zYr^U3>|8YAwB3k?7C@O7GnU6;Y-}tG@{MF1fK@2NTAP!VQ2h+~VCVfJ{9}>Vc5DcEtl6+g}l4vDzA+{6`|6HI1X8RFRTYIMEch)FP@l_*GgF)kH-6#;{I*l$iz 
zj`d%2ery%F<3V0HKkm7#j3^8~K$ATV+vT$(@cYSbil&?*^kR(`9jUTt_uBi~%R^&- z2RB`7k15&^U)FvYy?kI?L&a&KXFA`W!D3?Jx$xIJwVyeYFLxUClJ}Bx;H;#V%OWS) z#Tc)w_@1Um8J3(Z2?s*`*Yn!~Dp@bCdyoK95G4out&HESy)zj zrGSvAv!;EDGnh;-xM)p=Jb@oPK}tLeNTY|6fccIJ2#LUhn%Yl1omj{{UW2521kC&8 zY8GR-@rb6yIY5Z~ z)dZS8=jzwR%MuB_cK;_nP?+xTAMKbl{1M5KDY*k(aj4&pJ=v;lfru#c(>yu8XS6HC@4J z5svH=0+qy~UG~i&t@dma<>BkjC@lc5?5nS_Z2h7impq2>tF-0i z#6pmQzHO(a3#yFLeAA|pYJe^ifxhP=++ckEM+~_A++Z0m69E=@cH|Bj(ekl8dC1*T z%ky_gy+3uZedW@u?5m9TT?|*4Qve;eKBRM;;PzHp8aTs%_y<7m=ufH-tk$v>vY@a> z$Y{&fmfM3#F)^HWMq6?Ezzen4aAgVZ38~2N48@e#x=*h-R2*#Ygejgixndu>yStfj z-l?e(^o-gw&H;E4fEAP!6re*Ho~k~k#`AYL72`Y)fOjY(n;0*!Z6}Zhl0FS=A!AY+ zydN<{;;2YG&H3Kx50cbs@lesdl>Yt+%12&b9H{SYrD*Yv_;cW!I6lRnRGltY@C1M0mfQY8TpBkaCOe0773a{AO_=O8nKU>>%59)B%$RUH#fxN&g-K8GqHi+3UYw2QIdILYtI4;+)inqZ@cs* zEo3e*t+6b^w?K1?R(+=gPHtWZbhKvx9tU|-!2PW%CpXWO0;t%p{UxQP{QNICIXQWG ztAG5M2M`Xxu7GU~om9vj$hvjm{y?L|L|y}!7JMlh zEZmfol+4UwMAS|IYP3b21g@-(0XvYJ0wFJ*a0f9#!NDjYtrR#R02Bdk_)Z~KjVd`! z&7`kijesSPi09An@G(eGJl+~ZCs)+e^Z)?{ez0Z(b~qdkUZH_&KV(`i5l&R?dXh6^ z8TWKfXgH7Cyl5cabihW>z%Xc94&YnhmjMlY zK|he6g8(jOCMNKjho8yF$vM);p54mSK83R}02OJrfS4XC9QE?+Y#*cw5%m=ji*{~yx;(v{riCm;OEOV-KHs{E zUC%))>NyD_!u;rM(hVx_gCjp5Qs&vK(}ue8S)zsC*W5P0MUmWv7qGm^ps)f&Vxglp zFM4S%4pl4Dxr<*#d6jo6Cs!j&{TY3ePCLHODrGl?qclE|lG|rzt9>-LMS3T2-Eq=w z86>9vCfFaO2#;R#n8i&91Qix|Uff(9`o&+>)GxMfX6T=nm_<7k)Uf?X=$|cOMZTS3JN_? zcU~J;-Y#KlgK2vcB-FKt1$}D(0`+elTL%}{O-&*c(Qi`a9zPTXd8glb?J6uiiW9g~ z`q3efj*bp!BQLnXLc_yP&(5sO&9N)f%szeutwT*_=1O8le_C3a! 
zK)(Sn+Xwj$n6NvXh_%Yfk82X8%2C}0J&eXV@FACo`=G2as+SYl`GsWDuaLNlrG4?~ zLFvKyDn1^}q#-%0J||P)gCznOxtjvbb}hFSZH}?a1GBI(FJ|Z)F!~ocHV-{Q1u?lb zaqdD2$tceYrGZ>oSLYjBAHmBFK+_$n!?3SD#554XK$gAe+S zGS=`p6lP|DQ&_CZ={sM0J|jS`{XKYd(JqkZDrh;rANRVEYdvPig7yLZCG|}uj?C4L zlTV8m(fdsJMEzp~gf^NtDPg>hj*bB3eD>@aH8u6mpFbg~;D+nIUutXl6QsTpO-$ZD zB+Vh#04PgKqX6x)g#|N7)6#)a@3#|>dg<-$tzKyf)PLI}-GW}Xb=B1qv$G8;VGr3k zIP&xIK#>v28UoQhdiwfcac%;Ixa-L#cmPlek=%a1>4EQ;&z~QJFA3iqD*#Ntuy79` zTL5+e@;#6h2sR{uf3@(VPS-m1&(3;wMp3&9X)7pjfV?$;TClUT@713rmzLT|NJxN` zD_7S`@QQnfOl3s{W_2l`4$sfeJG#1PsHyL>6F_EEO-+r$PpJ)InS(IkpXdh&8OV77 zA}K1WjH;@0a22(5jRFf;W>%KEx;nUx^eauxoBIhdf;1vLyaE7*PEHaK%^G`pN=oo6 z53m{mIWjUb0zMu_CZ;;zM+9x_>F$gh80~=<%+2iz90Wil$?p)Tz(Lg5KOtWRE*%!C z$B$mqM6WCxjEux=*b~Hc!)-c}ANWEkBH0*Xe}75u?(B@}G*J0Hk!zu);)v)e_^fiQ z{d?G#!iKCe%7+M_;%-mK*sA$xJ#WMg3Svf*oe{RS?xns8cmN6^V%GM-mM^QR?dxT~rJf!v0}gI)+uCXdB&T501TYTphmwWgCr=g>?1Icwpb-YXbu^nl zfBsklC%EEfh}8mExKJ2i^(aa-!EywNsX@WP6sPim!NHr`+aSFXd(4|zt1ezV-Otw- zOo*?(3vDsV+T#&TLQ2x*X2`h{y zlFVt8{{zyb(9^4177`*xz6z4`D2a_Q*J*hs=o8{$CW$p$gikh`f{9}9Gb0=&Jj=Tc z^S|ZU%6K#n#6XE%q?MU#m5~`c*aVJ=3YYITetcZXFpQQ@!aBJ&yzF^9HK{hUy>=YZ zCRsB|VDuvMZ5+wm?8;$U>b||8gadD^7wt9EyVQ&Lx^s%pur%``b%L0KE5EuTLma!e zcpF{O{BtzPsNe7WB8uD1e6rpfcuMh}m5*s@A{q@JwNxDrmsh;gBJ7Me%*%_@NQ!=c z72oa@l0wW}3^xmR8Y5j@@?BAJ z;D-9}0l3=6%`14Ask49lKp*k_XAP103T@1uU}A7Kn#E5aq?d}2O}t0)LCoY zddOhyZf$`peafgSt zdTRed9s6xki5H|ZRS6(7^XTOegakge^FzchMR}PSW#D8u+?v919qTAVj25kPZ6a;qx|yRc(?ie8JbHpi#q{sJX~P*teL%SN_{7iJ%q@;*(S zA6ag+U}fibo{zg~6ICr`xX!busFCiHo*QByVvEV$+3u^Us=@{i;V@{%{Vg+T{{G=^ z8<*ALc9P>92)=eho2s)j?0ge=uq6cry`7z6($a+~Bd!I1sEtgwvS1$mT(yCDMT?0i?F!JER@%>D>PtZ_=E7noJT zVhzZQ_3;S_p=5lpTq_K^A|Qteo%uj>t1|+@Xs|sXIJvw!K>RB;)b&mCl_W4eF0u^V{Sw)efYeRb>>` z35jZDbSR?aSn;vDyN2HBA}~prHu8+IhYg&`Adf~U_|v`eIGT_ptGNC|WA2993;`{_ zuM$w72ErLN$-8-nX7_~S+=LK!?|IFx8#U9G*qEcsimeRJgtdPOD(5YFJgOe#zqn)` zx#DBK2;W8u((Eqy?N2 z3gYPzxqcFyKEZ^d>?Jox`Nivg+z|2?UWdVWlyaETcN^h#2f;>8l;Q6-3FlO`#@DDQ 
zrO>=D6d?Bs7X&<@JF(~^yi|6nVtE)UlA%k`zVOapDU3Y?LQ;K#LkNQaTCrOU-BLK! zs^JNXoc${TDJUpzdV8_IR#v{&(*&@=BD;(of1Sq#XGtCHP~iqdBf`nno!^3>`vp-b zY(Z_Ut^SxRD=VbjPGOylpm%9zW(Kqd-wz)GP+D7CH>Rs(XFNhgGAMju(w;u)`_lt# zTuBKD=tV9Q;$LR&BeTfTJK985{Fo|$rhkwLl{;L^bW)rP7`*)za`T0W1 zRpQ|^MvhW@w@b$T=H>GpeUm0O+c%<{f%<(PW)eDvJq-6bhA|*U^g~fh36_Vb${3z(kLR8<`(<4bgv7rk*4`5tCt_bqw0ZB=kP=NzE$drMc*SQ3K zHSoRF)tUeC+57wZSsp%r_AI}qCa%liur_HG%Y3qQ8JbZX_Uno+F16v|@)i~rz)2RP z#`zJCeGBB$664}b3=AN(y*S?0M{oHYrTuw6AubM^Z~#)$p|t~$t$ynjgK_6hSATzH zY3bhnK2fwQm~6Z(Z%M$DSN+JD{TR=#fqA^H`X+*(f%|XL_E%2lBQ-aYx-RMIxp~7| zK_;x6G2?n)ib}P-u=2J|@B91GPgO>iG395~HH43p4)#jcFVi9r2g@H5!-%qmM6=!3 z^Co-z81-*w4z$x_Vur%Zc^dU}i}K135~mmjZ4V$yEt-JJ3O~711*15Z}he=B4F~e^3xryQ-?{21Kb!N)<)oz`weVeSvPx=W$;B^=ru6kV>eH z?n<;n$LYFg0M#?$iU)qW^z`)GO;;X#Pih28Dk^y1{p1%D6N8A`$cUyy&kojdNJvO4 zf`}*qRJN|CDTs=})#`PRhz;vZALx>F$6`o_d4jF8an3hyBM3Yp_n9*;B)<3)|7A6ZD3HSUer(?x9X7LrmM~7w zAAg52pbOxK%Qm58ggD3p@`zv>Ep7eARP*nBC^5kv4x0%JD=P}SEEH2THA#X+pmInR zEhGWJEKqHP!~n7YjYHN??}&>ai8eD+c>NmE%|EOuu(Za8htmNSkdyOq$tg7Hr8Bpd zt7{#UN5aK7w1tIRK??~E9*}6jB}tk)dwZ^B^N|6sph|Ukfcvj`{Rie%dULwv_urCl zA_#n@j?o4teau=ja>VpH>uIPekA|w8k(A4$A6aIv4n|;`|1IVoCUcmB)q_C9_GZ3z z7oiN->f<=Ll{e75BPTDvX6-AH1uz^82U1qn3XjSgStDz(>V?qW@iU^2{J6fhjX!<8 zzUX&VOT&o;L`00dg4c0yaK38P2vUYSY|TunY@t(>PuYEI)9#91SUxW!ukpo+ z4q&h*&b?VKm(q+KPx!C(>9ufE9R)#-1m&C7aTE^^4~UR&u|pd;^CwRzz3*U`YCU@8 zwOcw|kp!6o2m%XepkSh*38Gp|6n~qXRGWgGg+JvJ>jxqpM&h){lEHO&Rd7jZ6+7X2 z$&W!?eST~W`W1)MRs->@D`%a7tEefTTwmQ_^wYU1y#DZ_r~k)(xk|<7obJNJz-7hs zUZ!&iG#AIG8x;RO2th+7mU4s9rM9jPQc4(`mHwnUr~#RLWJU-&Q@4suVhSYsbYZUk1*RBWpuxhbeR~CHcU^7Q}-6q6Im!DgeRCc71{E(g5 zql2L>*Md20jQErcA|5f((J~2an?PeH`uPNcCl0}_qY+-h1?Y39%AV%Et$X0Wjg0Bx zMW)8ni}W^BJrId9%_n|&M+Vvgw?+paEuv+Tz}x*~ylyj*kTWn7SFjNDR+xXA86naI zc%c2gJt*M-?~!e%%qHQkZ9JL?6Iil3HGIH$TT7@c=aV8yutM_|zWC@d3F#cie`86Y z6~=o@hXn*lI9|LMYHrqnlyW%aI;YZ0c+j4jmY?fnL}*U+e}?P9^>8hIZ)t&Qijtxt zBpeX&mbbttqz%gPPaEr^rbS|gp*}?V_u*b$x38bQ0DLF@v5sqPf6LI=N>vHMQ 
zHYO2PHinE)JHHFL$JX)inbmh6GX5L?X)MJGle;4~qjvZ9ayxDj3w90+42+H{UQdYT zgsGJexjh-vYR4JyqW;5&(fE?t2pahn$`%epIgnp?L)V%r3*?%?BLFo`I)SZ3Ro|Tm z#HI;QogYqZNeiMPbp+Nrwbb8z{NID=<6h4{Y>*of5D)-7A;f=iQ27e`t!7cF({K`@ zdk?TtbDeg~<%2iOR{6h`6#GJi0GAXRo(T$~`F5*O*>w~*H3i3KozA!SFXK!r)`*e- zU_hl?_aIs!Ae}U5mepkGtEmzg5;1G0R^@6vb9&^ucmD>& z>(2G8L(jR!8fIn^5D}f7oQQMXhXJTPaY;^i9@C?+d`ei>h0AQ5-b#s=%o7;?f9_{J z^@tGBLPJMKM?)i`sX03^0HKFC7fA3CaB8~`c%x5meQ>uSE5D1ZJ2L^NsJ2p~=ybl)tc20Pg!k5qq%p$pkSi%okf+*43+nbxz z3gjxGyxiguFfX~a^XmQI`;w=GEh`z8-%>pd$096TF37QOEey6=#8y;R@zK-C=`g-! zV)EgXr^Pek?Qda}^8QBf^T}osNmpFltE>Thf<5$_OP6NMv#f8$-){TQ3=RCzz%Gm` zV*K(1-y{~@nf>hZlO76Zwa;3C-3j5Ln?H>jHTE9Mw$AI6*bywPDe3C!!s#g}_#T27 zfCe5r!D%BWCkMw12>JgyhKdldWg(D(a?b8I_=T`AET*`EoSerT$58Hv{{-871Pb^^ zFlaXxz>Z&&4tkhZAWQ`h%+qLDXcYi=%lEhT!1hk|eG7yt)MB zQbl<=wLU~N(3FP;UW%<0FV^QF0tZQy3x_9=)E< z&T3GLPLlaCJ|4~O0p%mu_DD-WBV4=AK^hMKSFez~zrEdT|3GPi0;^~#ju<~OBczG6 zn!rz<)@K3}kq3KAZDl3f;)4XxQ#d_77ULpjYzVSkgMV^JXj zg`KzQ%T9~X)$x;Gy#YZFUY9bXkeQ^!v|HC#rZqx2q+@%sEA}o-k)9`a!~I~h zxA?Dp;*DRE*n+6fty^cL1|v-m%oYir^FL!?D1z<{E$vU6nuw0N+FF2GL)FRU69aTS zX=$+nE)Ui1;o)J=Q&1SFf(`QvXuNcMgPGs%! 
zshOE8y2s`DNxo0O1SGJo=n&g&J*$LZSw%k|_FdLWt@)}(y+78)u%-T(fCx8*$8~&3 z$KBmsK;XvNwr9)E$vJ!nOe`(^KfB7slN(xBQfC2$z}@cHg+LwsX{E}1Rd;tmx1jd_ zU;(D4wzlQiRZzO0GJE4wTEf>^(4ExF{xZO3%MTc zqh-7I`%|0P44+`8W$ci+ok7r*6 zp)g%GgP|_VOZUbeZ6RrCa;z^60z87Dl9+4}3&U*-iPcUNFL;7!sP@g8ONQ#pS#)Q` zvTIX*Okc-noEPX$QOT466#Ma3s7Jh~Yz+&$W6pd`Yo-^Wc=;ABj#q)UPOF~J7+o*C zJ#N)-4>$P?G*;~#AUdF4zw^`r-v((I19tItW_u1P>8)VXGLOzXHS!PL4W@Fw#%KJv z7a&YI^wvk!3~3CuczHkyf{;N*#!}~UKf(zYe{4*q(!oeXL;?-XDuRoM3N3|a`s%Oe z>#{PIF+U4qb;kPg&&3vHSc0@pU#?FJzgM8mtg1SZuk`VHvm_`LDA>P^@K54(=VWCa z1MKR+fR!*q`IPw$ZB*@mkm~i?+Rp{O9LdS|q@{;2an~Objeb_D&v8|aYg}DxS=!%j z6`q!j6O4&!AR$qjpQyH3(7THZ(o-Y0wh>IsZ>HWv;YVe27H5|dzu2&{f5{=6+?qpE zRbH{qRPlS@p|DSV-qciQHHwlwYo5eYQu?nn$jCg%qoY4Wx%~?Z3bRKHEa>POa$K=4 zMoF`?*jQM1k~bpPJp6Mn&Qc~yAZjUUKxUsU0WM-X19AUd)eT}OIG@w zWUA!EYQtyD%)12NTgpcxN?-d92K(1BDdt6_zptu8S$|NM|BRBpa`nVET+E=r>L;^p zbY3Y_3AzF;Uf=ExUZ_-0*VlsF-M@R$7k`3M_ww>S)z7Gn%+%Fra7rJR`H;;8)*jLF zSp2l2B9P{-%uGb%K78V_ccal_{MgL4%Nc+Z)3`Fm_$~Dc;=L!3+^qSj2zi)14E`UR=bMwz+}E4Ng12+lG&>nYFuysYaC1|kw-@Q=x56)-b(mY8jXm?Al$qCe|kMOR1M6z9#gs;?le#m77P_#Mml zn>tLoC8{8p2eOM(-Ux)2sg+4yey%WToH~~n#7WI^{1BFXtAUphO!N}U{7}9vOiv%q zc*IEX`h>^aq= zXSRRxj#dWtD4+K0;gBI;xLgXZRvf7m37|g8%=YaN?n~Y(*=(o~&SqT{*vOstbhV(i z55C8j!ey44@A~eC2}=t#?tPq#c;5V}S!pF!XBbpGpzxAYcQ&mZlGNleHe#Q5u5&nY zelB$7eZ-3!Ak3G{8?badfQ_L9{De`hJwSO(eSBq||eDd}t|E_B~W%3cT+ zKPH;3qWlZ(lShV`K_kX%H5{-dEX3b`rhrv`h5G% z!Z`FTlpWy{78~nyc@Do1MLqO;_p(SZ2#ofPU9fAIeX*oPR$77+2yJX&LNDI9-%j)F zJ{@HQ`%P~~rmb(EaxELR<`&1|%W_>2O!PN>mCG)EvOEBJa-E2;4d~o#h1+`~jTusD#Jr_%i-PbnCei)H8&8{*l zOWck8URW+#@^hoZOnqG^eN?wIO#G1cDq2jZcV3L$e*XCJV>-G5sD570V~9RfP2?|g zskC|f#q=C2?;e9^UtlMnN1YodKQ)d77YjnuXhsQImy$GGIC@RE@yNO=Njm4v49d)JeSmU6C-;mNnX_7O0L|OU$w?^kLoEtw zod5D)1VIe@M*rY`2a+3U62D(7{rb# z9;bIG%B`0~9334^KHd`XB~F@KLe*4`9_hp8%X+Q#Rfwuo#%?k>r?YD~AS;}kSDPAV z$k6btrhBR?rpVp(BtP8Fwx$S~%Gq~hHW+L8$9On#YEfZJX{AzF%=X`{#fV7QZ1gQG z7n+>&ZwfUw=9Y-AY)My7a8*wn4R`wZk9=?S6}+70duim?j$B(SEW`Me;!@l?9A=fh 
zW>P{%MkUP%zvxSjXCq_YQPGhtr6u?;BW`7Msm$9VGES+51faUXaMdi^zKC%e+f6=> z5(ur4;?Wn z41O~;RF-a78`(HMaP5y!T9+d69o+xkaiaFbqEDJdt=2pDL(3>3Q+bp7x>;UPm)IwZ zg8b-6m14)gwCWqm?pos5A{y*zI={N@oRPKk)-EtpR&8Op@WT^ zzWcp6sqxWqed&a(g1iu{Zb{jVw`OgOy?s3@^@8bT4N{&mty4wd3_G*+LkqaHz}%d{5BEnMHQ;F0n_zdbzSlcM*?zt6gQ_iEpz z`q%pVSIi+8(d43lqQoBnK_T6~4IwMYUqQvnlZC;ZmNks(mj~Zwv~>Z1IDzvb|EIxw3g~baH%pk+*To zhoYRM=Lo*y)B&>5j^}MR!v_WWY%-U0nc@b;NuZRa>S1J~bxNg4H8S3g?C?7%lqZxq zqJUTm1TNHJ_I zesuMz#vQ-IdN=kLO1M?gw64kT(YbM#EBHn%g&)lmi*12%2d!s!!lB$`adrir(x=aB zY-m#R%Y2+F*!j3vd0i%5_$0YjQ)aRJ=3X{?4p?Pt1NV-?*A-|7@L9yZHfM zAH!2Rx5M7Cw4dWDQ4`PD zm@d7KOKJn3#&qO=&BrAR5SMZ?40+H=%>*r9`XYv}7ZHR?`kI;=tpMj-IPYbA_9hvv~4bmI5ILmH8XvM zN&hRW+0!T*q6gMKok=F9f28*hD;(^o!n-z~OREf=w{C8UpjNPq&)3?$p~VY(qUfq3 zTcx&-uQVzFyfS%Uq zTbX@Ubxfo_fr@ml9wXyWS#^j@6teV}6_^IMaPM|4Non3n-}~BFtH-#_gIGd`199ge z2yz3?0!W|$1_^hd(=n(huW)xh=-gc(Q5!^(I4Jp#eq(A3YL+h%`mSkw$a9OiNCs| z7G0;TzG00eC+g2$-skN%wXzUFZD^Pq=$<2__{Hn`jqG>mZ{sX~Q5un1n)IpjA-(`T zmYlUYj$F(n9;2Q?1MGW~oHd3y)Oag~HWNv9er~%X8hSE62=}oB2}AWJlQsjp^UNGc z$;aQst4*Vj@s28LMI`C7}FbUsW1Bl;AX{2F+vsYh?C4ik&^!tX zwrDvE3*XgX3J`5&w4`4x^O1S(DRjnZ_oq;WNZH!GX)sv3BDt!$66-YB`(1bLEHnKWc%VcpCRA|HO|^T=7o>v8SB9oi5@~)#HeQb{g`C*A?xqDp!+Y` zUe3eJp<1NJuD^;dTufkPW_nZeZm5E5;pz^%#OS#D;kPZHtD~kyqv;w;{pL7@rbND+ z7K6h`ULn*%wOXlYkvc-c@UVD6H?gE{n*;Satr@Y9RZEeWs0x-B_$jOqnugYS)^ao& zA>AN2Gq)RxH<_>!KkiaJD5~mcCB2D|a-zE*)b{X?qz;0B>L9qU?HO?{6U)n@6VF7x zxyiYyp((n3l_2%5MxzQPLvBE?u({?2P=oG)GhfsoZ z%@}2m3~gm&2yM$0aBko9uyk1*jpL0A)eAUzZb5=AnDq)UYMX_90`sJJDS`%If!cEx z5PYh_^@g;F=z?T7S?-JC?dDb_s7RjzP#_CP{7};Z!l<`n?9HVZZlB%dId|9vg8TX& znwn0{S!9 zqX~1Yiux&SQ{&xZ#OcdAW52e$^xbb&RD8s|VO8(j_ys7nb5iyF&YMboZ z9WTgjleNJTq))bG#JNM!dhzEz_4GMz=$g$Z4?U{zPKl@M7SDt2l|0omCnx75SV9%X zyht;2D1Bh%Hrxeca{E8gfE8?N0{M+aL_Y%87b7y4x$|<-WoiokT%Zp^FL!MCp&+B_ z)2G7ig$xpCff8sw$0r+}f{y?&$VGABBTQ-X^MQgnm%f9=9PzzpQVmzjmHn;#od`L%PH-%wj+EZ!Oqrhn*AZ4_cP@+lF9-5j&Y%+ zSXS}j9OrlM`mO#in1RXTP1V!e(D@wl$_?De4~` z8XXcvovm}uJr>8H$Em1d`bJY)v(jmp%q@c~>C$0{;S 
zGg2en-#*aBQ%MYLB<2K^X^w{|1RTt_e3=%eP**bP8n~LhQXf3x88>h2Zqvu`)1BGc z$~V55K(v0_O-tFv?R$f|Ff+Se@M8onK13IT3XoXJ$zch0&d<+xcbg)NKc$Wt-97&P z!!aKE=r1hen4>jAa-tTScm&O6vWk6eL7#SirH|<14-|q4dO8gxx<+Qmu4+)I!u=bM z4VVnKB9tx?OLdmB?{+jU6mv18aDxOywOHRb3*?eVS%s0VB8wM!rN%WT0r01_*MR92 zyO-==JHK=FXV)QFZ9~?RjVgs!0l#|663z(59!IsIrGmrp6~3b6I@gPv->oT;!{um? ze&ERC1Z@1;!iOl&X?>AH#jQ4~At;i@vwwr%l9 zi!!oHIM5>FiVw0ET-_yh&<04#b}gDIRktC{S<|A%A*3+S(W7t{CGcw~Gl}W>RD+j? zUR9USnM9~QVLrG2D%8WGA%3~8*Ld>b?pGvK3ab4lM2?;qS;jiweV|#Yl~+^*Q~{ux zJyZFb$ZQ+}J@pKf7REj8q$kiq7FI!mwrj|%g>NNJ&2J_`k-Wl(K`KH{4v}DWlM##9 z;rIC_nQTf!YRT6(A!(_(84PpC64CTWp=AAsF3}<0yV0RnW5cTR~-;C+(P=)9OTjOn?2tXDPRPfo}UQ;YITo0yK&IxhsFwwg9Yd8F7A8U1}Vm-8K&- zh>h~AHaE?!Eb@x7xt1pnc%?z*bVSk15I`gOgPDnFss;~D z=?9j>hntaiuWyKgoct#MFrl#t80*gtbkKJ)-2cnHsq}m~m#3-Q!*;qsoC807kYz@I z%$Dup;o1#^81x|3oL8IVZy_=vF693%hMHD?Ac|B&SZY_(f2d5{(Pa?$fiQTT%US#na6g|Ts!*$?`Ez5e0f`P(&$teI6#VHEm>5xQs=9D~e%Og^)0A=;P<{)r8@fw|Pz_7%9lT_|$;XX_3A6vjG5eTt%Ut{CqK*s41a5tg-%k9|! zjO9$?)o`}c;QDwWrful^Yh?w@pY&&{;&FeqAKBl1o2ALq#`~zUsnWJwLzlzKviVZn- zltg%WLyQnR3MxDR?UTxSeY7!|k(Kpm^BpuHOH+GvrW*!TURvw+*%-t=-+b3z4sd_4 zssh(KpiKd|_+8BmP=i5z+SthGn!E=6)~OqZfMWA$S!iu_ytFogW{0;Q004>PL$qC=qDiAIOpo!hV8FTY|e}2 zISdf~0YWfX&%hA|j|k5P^d7K05$^v37{|L47ShsvAYuit6R?b+kpsBT5K^9} zya1X#0>45qaRtkd+}y6#)?YrDyyT@;K>uW9+yS^5ya{u*X;8k3y`&b6f>!{odwBfo z4F!Rq!4OOF?)n1$#N_1sw0Mmm%Mak0f8$TX5O_#-K8z{D!;gXNpG&*>ww)kNP8D>X ze*Pq;M&h+W&1E3Ff?EW2sVfhi0o3D{s#+yhj&oqd2yG*4hT;G?FHIi zd|VubFZ>mD5)&PrX1x-2Vi_?pe{b(^&^21Ma{-tzNX}si7SXi5e*GG7ByC90hE;x;f=fY|NhdN%M3W<`r3->C> z$?Xh@l0mxyo3IvQfLCqShZ$X9;8IXB=XDLd#5$vR{7b~-AlxLS)^tjoE1EYv6AHQ+ zg=J;TaNK5P8G_PGYt^;5P9~B*oPaHLPEI@SL;hM{fVKoL7FHRROVk3G-ki8y@{eQE z(9i@5r^5?~5lkcZg?0P8FF^&~CiJjpXOki#7Gd+f&c$J#f%S&x@eV}^2jXLkTB*UE z@J|2`Dy^v4{EPGA#S0e~m&G~`FFw89 zygEOzT_igNIwcqkVFxdiS5&~gK2Bx?_V2*&BK4|}iDpGfNziC`49FOO`l1d4zP-O6 zg93D)!2FQ{CwN1a1_lPvjs%fvq>PS^4oJlTED5#(I5)MdDkg6>%8_pZv|8u(ol&ca zZh8q1zmJBClEk8>cZ>}T49v|pz|XIsuuyarrzPY|^!gCZ1~{~VaNuH&w%hIpSk$jx 
zeE>X`L5dR(509^$k`jK(zymbU&GK7}0UYko5J2T<9;OGN;ATt3MST8zV9E%PESMuO zf{RpwX~lrB?pelZGc1B>3}Y)TCbqM)!;i}2c034}+0wTmsvq9Kr{d#}jgPng-Uk6c z=%>vxR3%1#3jXq)>b?i?io(P)eSLkivuQwd9}BhhF&OcJTgv2+)E;I-L4lOAGTWm^ zuiP@hUZrEVyITSuKMIy|dSWm+0|Vcd#6MkbMjSwB(!_wXAfWQ^2Q34eZc`Q6pknQ& z$u*FKigxrd7KNhX$HU8i{E5@ph0X(0$9M1K03JO!NDw|LitO_(^>wbWpQJe~Vh#G3 zPGevqV0E#QhCa3olqHwQcj6{}Q7t+w0lu;9Kv!z@xx?dtPyUm=f7u33(Y7pu+prIM z^AD<=LY)xQ`1CtMV2R4pe$J6i*_v-^>hOY*0puy5*1$^v=BrAP%;-qNQ$D_{oD`31 zh6I4XVq#+I1s1cZt9Zi_qkEQNs;gK5g$KUn_x_{#V3m2!>j@zxbA6rw;!f=K>j=P` z!Jd*y(!(yWB}|=M?t{>YNWlA>vm#aAg?m@L*@x_>b`vut(%Zv-7uAb>|9DUt0cSt( z;$RP;`Wg(lR$%(UMh$*g63G)oLjuH)hhaZe-y1tTbfC--HfRJ)a@&4YRaMhNWItUv zOd*5h0w}EFIeaECXF;--8V9r#`i6%~MZ-XVaPyMn82%{*20-k8ZCJJk;MKLZ^L~~~Gcl@4QenP|JWrOnWdkzb3x^SMr@dt+t5FK4Z`(6SU zyEPP!NErJ3{QS0O_k)6hUZ68WcLByPDhhb{i9D`syRV_S2>jcG1frpnAX)=lV}I(i zQ%TVJ2MalD)Z2?T#Q>HE)S02-vd7}%$SzSiG&-x@(mK&ZI`5ZtPar0A@5(uQB9*N2@pF$A(J;{9@xi#df6Xj8SFFZ>F-y)Xv7s1 zBBf}+ThFFOBi#+QC+V5+LQnXA09v**F@d3m&<3Uy%(K=2JI>kmb{g2CfhGWfF8qX< zS%HZZ*~fZ)Gq#rLHo3(hXU zjn>qt{fAA!1y+xD00Rfd39vg*(_m;5Vq*ad2_+5`x4%51SLuL)hbBYJTlsf%mo2Vx zUWeadFwxP`DJdys64?bZooMj_fd~uwgR85nVxQz+zn-ddv=S5Rg!LQ*GG>#y= z6O31<;pe2hZvMIiQ4#=yJB1O~CTao}HoP8qG4b(lLSsNkLb>pbJ*XH1!y9_HK&ipx zJ^l$cG9WQp01^S7d+;g9NJyLWO=K;Mckc#)h%`V(uOQ3$h(U4+p7d;1b8bL*1N5s7 zfswv`8R(9JwdVWkC%`{;KRbjD|>Oz1C->OEc<+Sj*bP<96Q*q;?zG**xVd*fG3U~R}zuq8qA=qxbO@)Q`S{PrwY9rm;Y=Z*}HoL&U?tBZhV>b_5+p7U2VNZ{eXk(-U zyFO~_U!dNwZBG!g1UB=O;gC$%6cPBn(}u|nYo@h5UU-^mcgX|PxK~z;9tLNprVcLA z`{&&BMzk<8#eu}VC*X`>Tmxckagu%jjW!};I6vVQbmsf}W#9npxlDg#B)Oe7uGAH*LmiSR6%@F^aH`#Km)q zM&f#twb#*ZzxVP&+`4rueN>Vf2V4(f?HrB`p|=#P1a;0~MM;c}j(+B53Y#I^&8_Mn zqU?9Lmcxc)47MVQ$S%}0FtEl>`bmv)EjhMt$pfT*Qm#0t3c{IlotGBFKtnc<6?QIVx3=-z%F6u7=L;`qdZN0sK>@NV_6CkHStpk{=FwNZT zcUO+}0MmPQc>xxB!!tAWB_%KT_&gztY302xIUo>1h&5)$7XY;d+t$3ir?5wX=j%US z0K$i{;~^XeLnputuCzVe=>=sAIEj8>4rt)^01qBe-@r{_C+>&*hM0upV?(3)0Vq6p zfDRr&PvK=l-e}cy!N$UOJ%O7OybdPGf#4v?<@=z0`+KB3E@*fjtSLNr5CiY}KNf@M 
z;s3(b4tHgmAAK)>Wl4w3kPCo?}D_rFn1V#XPhWLIsM3D21x;iA-aZ*M_ z_cpE{it#pR1^7b3{vtvE>~iNbNxsKAz?uZA$=$nmJv}}DC6hX|1T5vVchBaZpBvC^ zrG~yh9{Pdr)kP1=sK6HnKhwS4UFaBJ-}|47FkG7qmebC1Sxwf>OcKeI>mVuqT47IA z6u$cG>`Z}n2Y2o<_CrtC49JtB){G_uQMkE@lH9y_-%|t8$H>5-95$o?6?s(nL@{jY z2hF}VP^$n-Od&0;x%qi*$la$F(0%?Dkg+GFd2+_wsI!rvj05z+&*}l9JohKpbZrZC z?>t7_(lams6+rpxhpnf8oGf4oil%T(i=v*Koxve3!IijBGKF`Dj)aghNaOXssF(OY zSgE!uM~l|TV8ckB--CG}2v{*l?jRBeY?M&S^-F?)NTS%~t`rs=`g~XC%z|&>4q=D< zm*F+1Mkh09w`7%P;!7Qf(+pRT}o(H|b!a{D-tSm6?J!(JbctAK4`=Jby+E z<5X4TiN|w$f26nn9!>|{#<-MCoqk03tpr!tCI5EW!fx9GZB=#kqtjtHQXp}4bvFTt zId^=izqa?W?*4z9&Qy=8YKkQXpZ`lyGKnSbZTu|Te$LGk_HDYMMDzD<*lk!M%w!|l zvNy>gnz+7(L#}s|SUDgfeNt(a?a`!fOXefMT>L=+F z|J^169Sxqd+71dU#l?(J{(;2;1)2XgpU-qgX(rhdBMaKydq3S+=(+(Not4z%1?xyZv|Icf4g0Kw)gT1h(AbJ4$2LMgsSJ!q*+Ug66 zOGWUA?*d?cP~jh5UR7NDU-9(1)-mCX`-upoYyd(6r61rHLjV@#z@7nic>gzD?44YY z?*5A9XLwB|Pw2WTbKJImv3y0=%=f!jNQo2HgYb2V9=lKN>4-5a)q9z9J5PjkAc z?KcjSMYE5NHcG{`*^Y+0pG!PVOR&te3-|pT5s^KeXzSsbI6FBc{W>YvnU8G#qgB#A zN6LPDN%jg)%H0tYL>LWlXrVd*JR890tzGX@{0ujinFpCi$HyVMt*Wng8_pC5RdxeT znWH$W*j_tmO0Ei~(O;6($*Cp3;U%4S3E(CcQd`qQvq?%q_af~9yeO#E5Bz4nrXwO& zd35$@RtdqI`7RooNGNFo975S;@PjZkjP}kxv}d{L7@nOVTzudH!LSeVz1Io~`kdDb zXVA5IwXDAc0v`+weArtaKAiHt3t2JOJEa_3N5>RaGv${vtIgiGfU6Df9aiV6-}GPM zr+Wk=*w?MZ9^w*LS$Sa^!`z^DOv^t}jG)W|*2OI?w;V7Lh)$;aAtgGukq|rrR08rl zC#fvp1RUl7bQT~ML0SV-U&=WA^_xHfK{+VQ+tH|KqCB%#c!UwUM!x+`H_b3)BGgm< zqdu*fd*;`P^&nk1)n#O4AeBEthUZ>O&utx2_FmgU93X141a)t9*`e()fKqZU@LcbM zyE;@;mY0E3(`g4AQy6~a0dZ`|pq9|R@H06&mJgi7KI76R6>&j9Jy4d0bGVKbehn@s zGS|l7hbpf`u} z>2kKYf_AQ0E(nxB%u7H~4pmf0ma~@_S3F*Ql~e4nyH@UdN)&mKPh>`!LwwTd5zV3Z zr~mawJ=$lQquSEro+wC6^iU)M<5;MjwY7a%qw^w+Kq{qaV}j8jw_rrixKa|tmhJ|B z0SI9K#?Rw?^(o zcyPAUWM&YdO$Aa#sPD;9Y4&fB?^E{}*liYcVf)#5AAzAm7$<{P{Y0H3g8&vJBPT%p zj0=HXBGq`Oyknc^(Kc`PrGx81+2ko{LhUUC z9t!P4tW3Kp<@fVV_+75YCZ@`29#+Z`gft-H1cEFNN33DgMcj#+ShF?+iuXwy-y@Hx z@iv$4R{yZx>y++(Lq_!Fq(2uh!O)|CLe;+0aAOiJ2c>22zUe&FiDG 
z1{V7vXP4b1Z-M)GM;vpG`}FNFdbcru?eW>!1AP2o5-y-!*GL&dRduiheN&Ffz&x4(?OYb|2$$gmp34(@XH) z5Kq1;4{fG9-an=fA&ytm0qE%*hcI z7G~$*08N5VYjmkx=XK(UblM1N)Ch7A%%L*JM)1p0(5L9)#9|=DgUQ3HB@}r;g3U1Fg*mLf*6bzk5(1I#*YaKnaOM4j5^hYI_2B@81Qb0Weht|c`hrwILYVb4NM16u|Ns+k|ax!%mB zVNY^DuJ)O=lN8DtyAmlJ9YUxifiy%q_r%F16_u1w?mf)R&ThBE8Vsgg-zH(Zn&jXg zoj?Txr`0F0`3qBG3t&-;zrNDp#CwY-lHzS?143t@f%cL^Odjryz;6~@d%;5i+^NyC zU}^7!h`V4&iLTyWk}CN`i5D(T5=bGP`vt;EOiWBjxw36RuO$b&spEdrGR>0+`qXgh zE;~*Hf1STDC3;JzXQ$3)Z?aWJyV8*S=XL85I0a^@X=t)56b|x*EG_9j55!N$ZfHx6 zZWFAv*nv{PDh{UB?;x@7Z(7QOPPJG3w|LsV&gJBNt^th$sNiebQ9%GJF@p9`d{}|~ z$?KIl?^}aHL#$S{4kBdX6=?B1^XwuoTOaxtc#G<5_ zW&Iuc@+R`MiuYU*G<7mFec=GvGcH|9c{#l;wIIARS0~!l)8l%2kQ*7PkaMJ=sEGIA z!O>by3bghdU4AFYP~%*`re?1jw~*0S)73$Lu4Hn9Ldeff{)z;lR7QHE+c=2|1XZTL zt_R+QyWtww&%ELF%L&6dS3iT{0 z9D)2jjluJrhu_bKr&M5iv%q>nO=~InQXaTQi?DkEIT@@#dwY90ko~^Zz2i>+%oCUd zb$lY+55IsuFLeERp>-N* ztu@V0^2xi+i=V+5+FyVEaG6gq!e<+uU+@yo1^ReOfnYQcxgm~`Lb;KuRJTP!;;QSh z*K;O?VsaPO@2oHY6QHhs9nkM9Kwa-TO~Xxt&+iO`b1BWVXrw$i60Nvc(exB6_B$l` zKY4&2423r6$|Uo7daU%uL1_duKA}ty)HAY(4DSd^j!>C^p6B{V4(2OhN6Ui+5+v|& zQrp3^J2OK&h;Ndy@`$sedD#W$U``Mra|4Wb`s=rY& zF;~ALWml~Lb>I$Kxe%Q|Wf}$LBMguv?-;eXR-+pSCFT2m=!%=e{674J!h{OD*cR^n z`{Rqd@TMT}ad1sc)(si@b<&=~m;`y3OFgvaK_ZTeh*toWBqS@j{@NJ`;dRv6)wR37 z&-LzSGqhnrV^xiA9O4hKlxBuZs|y*P`g}2n0kq~LBO(AL4s+y(wr2xK6G0#cx@FL_ zcZ2#0^q@hUE~_XnH#d&U@hb?^X=#zZl82Q7;VB%*+kLo%gliyt3)L^ECvv-=DpKP> z$YBo82SI|xFNk;#_xD{dPAi~-3cZBZ1rwmWT;ndF6uQG)L`W zAR)^}O@j)i;k6ewv}0?G2S`st1k>Jus~IGga2lr3u0v53+_~Aon#h%`6F8Pokote< zdJ}Le-}ifz1|&(5A#+3ukuftRk*QILGGrbyW}b)4q7WHEC>cuTsgk4!nKD<(EXkIc zvv!}~|D4}B*LC*wy{>P4V(ivbedih9czTW=aJ_nE=T6 zI}998ojRqU;D@3xetMz=Nf<0;APR^}#02ltHHEq$N09uv&h}&ZEW%O~DIdOSdh6zG zx(?sXg>>*$xMIFz$C}=~`}FYS0$}%C>t0h@j0+m#1{aCPSda=A#mI<=wdGwawQVe~ zO>+>@6&NU8=IvGTHE-D3q6hTE+q3Tb$k(p3xCkY$-=x1pbZ_a5rF&|7!{%MyHu8pQ z8`Jk&n@jcB|LQ5wBVW?juZC+W{z}Dk;_d6#{&qAt`576B1UAhMB?}PF0CDh@Pm{1` zlWpfi^;mvur43dWt4LTmgM2V=2hVg97UPI~gc|{<+yBD9T4^O=g#yN+?n=!jlO*UP 
zaINAN2x&mh-u8A2;TXo4rWBZ%V9CSC2#NYRb}DM>cS1I}cnVJH&=S~`;8uQ)xCltI zKC-njg4uAr1^S7|rrFr)j2pvIu!?3m8CTcS)x!#hG=^St%xP!xp}DK z%1prj(E|8U5rGyDbUp}kNW%rvFx(s5A2F*VX;+4o>%=5ux>aW6p`(ktT%`83J`cnk zbrR?38ipS+j~3O3Hpcs|k=Ex=nG-*UI4>3qJm_~GZtfjqWZ@spp%`*>cFrC_Ij8HP zq=PZmc-+9XPieB!Vq%Nfo}l;4O8UUh<93r7NM|L!Sb_5*?f(6SHExRR*g~ILTkp4g z{qci4?Rf=^HL6@gXg+sz^r6&%xCR4_a_rkN_hcD*Ev+^bOz`NfA>1HzHGchi197x! z0Rv4sTY-;KT3sC+o&!#+tJ}<5;u=x0dIlXGJ~aIyar?c!v+wom*N{dXKYBDgA|k%# zEfTJG@5UfcQF_!qGLl}H${BJ^jAE z;NxRB+T%w4xYYpq^Kx_FiHT$sR$5<#z5|{Um@e0qO^d-(I5>gCj~zWK4vUe=i@3qf z&6Bu9LOF6}u$zfC95fUYlnf9+2^j_acmni+X&fWfw~HEOG?HL}#dP8aN>I)#Gl&z& z8fl7785kPYfwqBB<9`)L$Z-JHd+2X|1X{u*4{BRoxm$4Dt1dS55OdL7NqC2;dZiuC~ zZJ`Xb3C|UHA44n;v=GfK5#8{urrew(CBv)dWPhF)oaxdLxf?H{e)weBDe&+0?!UAB zUqQygUTnL-EDJ@EqnDTB_riae}9=nLS`OMx*kdYJ5%4epjq`?Y~8{?UtN6O<+Gfz ztM!s8S?XPhk};uxAUuK7{*Ua&o_^T1FC4*7STHAA2}75YiK}9XqfR z`oDa^b4GcdUD`F0jaeDHiEb`!#SnVP#C37#kpL-6Wm+97uid`A^fB=``Ock2jDI1I z>u8#kiQ65E10JP^u=>X;wPEZG8w!BYg1WV^5?UKev3GRrUv2(1Hue|C0^rCwwn1ob zwB$FsObb5)3P91B{1WzI*RVfo52nJtXk#XQBg_nqtyu?CL@>;B zzG;g?iBRE4A0cMel7#1gAlJDT8}Q4ttz6ess-)hyb8#-4k_Z>x_Vl=7&H;EKJ4coV zq3}$i5%f9xZK_Mh9D_5fTt#8-$!2Nt!q>$_l-6s!0T;53>^k>T{L1e9?dJgUm|w~Y~|4M>n7X{aG_u)R+r||V`IOLkE;|t=+;{U zxzz{R9Vi)`JK`r!9OdVSPq{rX9a?QE}RHlM`vXyBk7d}-N<$BDe`gYk2C&Fy88 z6f%B$2UGn%&j|y^R6{q7peiC#g7X;qNyO>TiPKY4g1Rq$0MyYb0|>=7jS}tBIXDy` zFR_C=s26^5=Wcqht&Jtnvq&ls(R`)<<4QY?5zBg8IQRDU;<{VhoLvW*~^@jz#jWM~qX} zym{%M9n3GBf8{eDtMkKkQ|n;?!&FH`nC4uW7?Samt}{t)YFY5y2C3L6mOK`+huIa2 z5Lk>@5+&?IsSEQ2Ji>%Mm|JoCh=Xnknu)+RXxuswVg%u`tyUUzSE!vN81gYU%`=IZ ztuNJYZDgo$(@@OJ%pfbk%4sA=S_WiTVb*%kqfMJFW_)@&B{uf=LXmCLj% zOgudnt$;dq(eg-2Nf8C4csj@$9u45(5j~q;y~>EH9+hOHp(#d33Z}Hc4i=q1RTxa`Di`$e&g zA&2~Y$_nuh2PyLF65JzT8N@j_Zi}z9kiJy8%z6(Rwb{q~@uel$$enZK$ydkjfRs!W ziM`Jz)_;{g9ZA;2A%2$0JR`L~sau~v{B)lFSPHoU&@##x0B#*HO9zEa*<%=W^M6?n> z-&^awc7=oHtY*25a2rMpPD-U_^Ozj8AlN)YAdEPjsTfFx#6&{37YD{o=mZx@`m*Pfqa+Jb=jdR#^Pu9xT3u#qBVIkLoL_lOu=aV5X%bSD+g}Z_D;q-h+H0MI 
zFwv+Xq|`N`X*7yaI5X-aa?gPZmL>-?iN5W!JE;~(FOW6}VRAMEIDj8mBPUpipp@#l z#G9P{j6YV+l4NK81PpV?%3>AGf~y6a0tD56v$rP_qEFhpb zeE24+-Re#FL5@=i(%)AP9yuBj{vm+!;KV%aX&^onq@hS6T6mEV*o53moUj1!a{2lO z0Mq40q95i~ymTefaRsTEDrY%+57de%)z$m)@z5?6q^DnpXci?=BIzBLB++Ey$i-`bGDQI-iOaL8j$2jJrZ>KEqVQtQ3<1dq!nsIt|EQ1sy(hW>If0lgOhccV3PDghY^|eKW%O1gdA^l7mii)pcs10jG1Z2tRqHC3L zlc%Xt{&zWW$SDh<=Kwu@|G9np$UxUGgIkn-bx>~-=U zpNY$)=jg~Rgcn{!8Zp*3WZjERQ(_}IL9w|)`lMlW9;&q++g{^&K-E>E7u`*?^$C<59OD7AdZ<_XsyxhU#J?JFKpDmZcmACoYmnd!& z@675*FMrbTe4_r>P#hIRfmbzHk3I=9x`}TPFX2yjQAcNKejdB161LT#1LTQ?E*=4V~n3x!35T{R{MtfqXL)E}W_@L+KrFZ*D zNTfazq2LbroQtB5i!=q8W4MS98ocY*z>_#CPCC9N*7`VzZ#_pWC~wC=r?!ECYWtD8 zZ{NPb!_QQTScf0BPu_Eo@0FurMuxPy3iga8#)X>9uCdqj+JtEzk%5jL_^eZrgoK@} zjCz6vI#=6=tsg#2z0Idlf~I~s*4dX?6c}DHQ0mqr(f01{$4lR9oG153k3#ZmBt@(Q zr*XsNkcY<%%@4L)zwf_n*;lcccbM(=4mBqmh z7g1r%O;1n9kP&!Ve{xRP8=IEqgJJF<>6jTAg;IBtm?^A0bE>GWF8@322HmiAa517h zBJT95A`kna0kGUwF6*^3N^|bvKIBpWUy#Vn)}PMbt0zT08>JAM**wDVih~kLQ&USz-Rsxu!Gxhu z-+U45#pm8$Ur4f`;m<89st2<}@45Ul@jA*)ke^MLxZA-C!##-f0k;-N5xF&j>}PMG1ksWnjPCEA-`QI#5vdd@ zx>Ev9_ZEfeP-#c>$8q%G!%?CT{Tk%n*RQABDV%37HsFgMCDwP5V^;ATheC=A$u^E4 z;nd7pFtC*v^n-Moiz^GKW6r3bp*14;`0gy%XaZ~D&1UC>D(8z)L^xFJB3kx=s+Gwz@w#au3S$y;AB*yl)i6%=&<^r)d-uk|>` zksgR@D2M@wfByJ^8C$Y0Q(Zs~a6_*3SPU0T0A~oMygdq@vOm9nf8o33^GN$kdpivc z&DWV3uhDmVnn|$24U2EQ1|Y+UqLnHoX7Vl)Mge8|Sl$i$xvn5G* z^q=E2zQpp%%21uR{$Nt{68aj$WAJ71pYC$^0q%nGSB>X!`FnAjn_flJie@PHl#|9EUrWEYQu10FEbT&R1`$ z(5Rcw#v(68CIJm7#vMG#&&Omn&Y=Iq*85mkyr6u?5(VAc5up?k6hutkP*MURNF2|H zC5g->ATUsWrZPL*6fpoS1t@*HjX!Q;qQd;L! zxpWDuI|1#fN_QHKU51@@DeNVSmr&HYX=nHAzjGW+(|1Wc8B^jpPBKvnoVJvHe&2)a zvd`L&%lT$2GH(NiqAqg&(j^vg8%6`QEOR?Fp8-N=KgYKQ&ALp~?}J@e6F(v-7#$PC zE@st*$BVUcxbJGhc{&t?LTTO<`+h7X^b*qPlvRBqjIPFW{iBbu0xs$3lz(~F_$kHW zvl00TQTgRzDvh|8BB!j&t8Se_srX8gj@zJ6fhkq?de~? 
zG~QvCI1m{@@R7*o88|^XK2@-B2q;YaLD4 zX`3>2`36FKjmz|voQrU9l3jlgF=bh3KRJ(J>5AwNewpE-*58>mm+576p#G;NSdoIqa9c22>M1ajSEe8 z$jy}F-*i?ujOy{HKhDlZ0K9X|L6nu16=@5i(fq!7zw604IcDgbIo2Hz~{!v~>Ch7C~AI>;|5==1xl|MI}tPZ6qyr}_DqnFIUhPt@1E=bBmKLXhF;xL|Cmbh;B$8}2gO`f`Ps03ZlkrVvb#^W zpHK0MGP+uOC;Q0!>x8UL&n9}iB`wd>MvNiD43`Jj>Q#zw|5{!e*{N(qah|)ce}r0T z%T-gWf{S8RO9``kPG`Og3GuBaV^@LHZe47{2`MyZ9QmYbCxnAm78ZD3HQe=A7r0&` zjvnRX6O%7|_Kg3edwj#Umu?u`vWk=Ryg-MVZqhHn6-#T6+ZjNmbR z=j2J@RHzp{YW@?SnBs}yNFh$ocvYIaKaX~v4%1S0tn1xyW5}LX1=Wiq`!UE2%-)*I z#u7+OOB=4aiQZAum1kmzm+17wR|LIp8NV&u22(`<*o>uusra68PbsU1E>qA&aqoh> z==7;m-rfeb1=>fRJ?UwmYI3eBdw8vHSj(d8K(*wD&z;)qhLfH)+|EMiud5KIFDPr19FlnpaS+K81^jf3#g zr7l!djG9H-Q)gDht*#wlRhIjgHdt z$y#y6xnkkI`h>g@;m@JO9HIR%Tg@kiyFsNPmeTz`bjYK|Z~wUc!u#%zQuVj-4K+jU zcl;;x7)+;i0d_o>3iI=)G2ducKn8bGs9SPIL&Fv|Z0IJNTUuTg!{#vI-aQD~UVa$>GYq$7M-=hU z4;;QX4b_#33O5u^S*cO}f)R%=PAQC_QJ2Za4xB+}kzS?aVOehUsMrowxezl535nd$ z>^_`sJ1+a%3-HXz~Jpw!eMi4m_7Bt!^h=+H$mRwy;k zX|U-1f$*s$O`J;xH~*2uQOC3uF0$&uXzQJc!)WWhxchbyiKy(Z%JbVf}Tz*j<24`ZDq>S6|jLb}9uoVl#JQ~S3k18xX za{weT5B+|lad2oTAn6SdVZfI&x6V>Eh}-rPkV$-cAkqY4ti4?bkrEF9{4U||-<*N= z(T}*-FQ89crHCHIP64S4k#zurDM@l5jtSYB+1XtIUyzTXes+r`l))R}jP=ST|8>Fm z;Ggf`ku110tiG(Vii-63JEMy{QTAjWib5-*hxHbAs)CA6>`6%9jpLxS^yj=so1-Tc z#vDS5by+8I(Pb43ABZnF)?+CV?A~CqQ$@u(>gWV33&_n-R|Z;MT3CQSvJ%JWI5kjM zZ*TdEGp>tRl_O>uD5C(IC{aA`vq6CZROdX`xF&k={})pl^B+@srN)=Kwo2E_tLDdF zYY^E|=wL^}WSw6?%JC6uMvnuCq5&KrWS7zPRC4v%T`rXq#6Y6Z7Qeb<#ej39=TX?$ zvK3=pXB=Gk!Rc}Y0k=xueEkAz8;YD^H1vslZk9qrFEg`c`nK%~F<-~Vt^hOr;0Q4S z{Jd7<=76XPF%7g=$^6tAxw-$%6wVl>7vJ#?T2{{Q)ew;b@J)6&85f3z?(ZrLpGHX!+O#}4Vp1*c0*zW{} z9f(BflDnA*uGiK^C8_n_;mXLp{@)T=DHTi0N!)Zu2S=pq_`b_c`m%Bc$;=e5WL5DQ z#?T@~VjKP=NC{XDylp?)-*XT$9=u!)&yXna7K^?0O+H-op@HrPO|;3OeUG_E4qGRP zWiyR~&E+6bJ*{}@j&{ef7pdLL{bXb1Oh5=Y=vrf%8XIAA>bQ!8H%r58jq= zrBUF*`SVQTHdk{)O`l&ynfVvNjx<(-xP9A!^>zhNP*Dw{tpL|r^mHKH(&^!jh2ZnjDy!7JFHEJ*<=@KLj?l@Y`4FNhrJ!~c zJdrFW5oOJOMtCeZ-3V2m3i=pS)9&QDIeyvODV&#z;)Aq?&}ig|mAv384_X{}s3rt( 
zpe&DpZS;cIkOnjWWfOPwqy>pz%(kpHg(74>N^w7kSP=jL%^JG8i|=nMIYshF?3dj# z!7#TQ$w+>|b6cAq7VkS<+{}ZRe(?0A9;ff$c0a8M@X%M;NB8~3-Q+_#MgIDeB?Qq; zwy>OMew)(gh`|`hpI7U7vcH6wz(zz5M`9Lg9>;;t)4?P+B9>gtyLzpcS<$tfIa$m7~VO z)~Q%UL%e;*fd23TR!&p-;#aq~u+8I)*F>=Wbl%XnMf<5AGP95faoKv6<`4EnEdEeo zXczxsr3MF>>2cIsPE~VXkb%={= zV|^VglalYTVbg^sCT(e~T=eO9JSyB?D)Ky|BII{ueP{v5wV04vNm7zov;Sc{k93db z7!jCaIkEM4R8R2pN3sQ)!PUb#bLsy_lAHB0w>$CPJwDV%r z7|{=Ub3K#t<*%8M6r0rwqocLv&amHbzGifCMdi{d<~^6(zLcH(vo2S0N1@zNuOOp4 zqWyVFREqpfBgPA{rzjnT=Jum828sWB7A-BUIBrmJN;>V%&S1=tLS;ywwRsU%;OZ~o zlF|DV(3g+z+rkPWH+WguhVIC+zm%_N^kl;Zv<|3HYzSTaReqMA|MBzEcenrCA@Bwj z7}+OPf*icAt(^g$?s4}Ug`WU4ceyQXY~V0+#n2Gm3aE;IF_uR+7gj3X8F9uSy{Z;} z0%}NR#}u4j_Y$L_dV$mmXHCo;B?%w+UycZro>by~098!tKD@9Pk6W*x<90h&hn|J5LpL7r!wU1(l*SuTsFpVhFaJ5)MPes|OJ1D_nZl?_xG_L-iG;-gFGx3GQn z#&dJGKuW6|Ty%1B#=;LAOMd79gaOD0;b~M<6kvW6i@*9Eo?nF^IH)iN38dZ5U|Zl@~JBB ziMYZHpuv9!boTr5dHstY*mg+IeLH3$l=_(V6;Fyn4&%Xtu<|kBpb=u-L7>{TV*2>E zY{b3VCy#s5@)(vK>$kt{LLgrFjEV4q1Q- z(_YwIQ3N0zC6kS~cq&VxMj4Bw{cYXZKYBdhn~mh+pMTq)q`6(8R|F_fRMb>z=Y;V7 zKLe!$W(HiPoE5+7OMXU`IIPTUQ*-ApFO(0emG*4@@kTwJ+;+|j8hB0 zSC>j=V{41fAb2={pX7Cy5fIQ&Rc-Df%z4}2VnO<&rKxFWD0fa%v*+{Y{glB&Nvqo} z5F8rU)sT6i3VYk5JcD82e>I%wo=AOs87J)tTd1LFZ!2W_*4I73XH zcHwba%0+h>w$4f{CcRj?qet!aV3Pn{xIq2Y;O{NX7Y8(K|UTC`j z`Ta<@e6%m>>8;|HW1hQVy-%tf8gC8axWQ6#+F{i5Wj#G94}t~SVOP)M0b*tqB#~=` zNyr9M!0$nLhEgtoR@6Z;we=7fC#XX8!$AW%`U1qIIOkC$rg#KZJrWU&zxwCB60(>5 z)3;l41bUaWd3}gxEenwG|yz9)>ox#3KgYH=FK>Dy8d1w5b3?*F1dBE}mqytR^ zL4A1*$OeL7ekS<34#3d?VniSVuxxLOeYZrW?|mV0=0lZB7c#>WaoiwORNKDKK*5bb zCQPg@cJx@GrG`ZB(k1^D1D>}jHii_HfS$y*qSamx{EPFG{6~FXOM*>K(hBGmTzkK< zK)t^yHt|>@Z*RL7mEL4Z{cbDoAD(~dG^rY3E@5I~f}Hno+S9m%gb2c8<4;EuJm4=h_J-B2QF0fqUGp0M#EO3FdGnLFg&3kqWX>Q1jR7d<6%%s-tqKMm zl;dj$FH~6QltHXYb8;G?RF1^i*;@_0>_E5>rC>LMOvYVCKaf1|H<(1oPEiL1QZqLG zj;>DPxXlTFdAHxF_|}3B;N@+4_3A66!gx}6t|MLxdkhvlAQT5WhYO6qKWR!U_3quo zgcukA!GFUEk{d_(4mhuXIMLMAJt-q|je9=|Mc|+LK?0$lvj3$eVOHvxIEew}2Xm4P z45td`xPv)kohI$c$5)y&P6jlqs{q0Y(oKCIIWUwXr|6?YffbLs9%ME*9-qURefm6| 
zmH5rLkFV(}XRBD6+8InF=iM_ib>;|4>+ttBce}Dz9LxmJ6p#?q8|^AUhN$O3*KH~S zP8i+%U@TzggtUw+h#~+B_IYtJGXCtm`gC@b!{IIkP8`y&LqTbB-gZz^g-9%Ooy(WecW@{O9a^>Ih(nAai?aj0@U0k(8)oimXb3Fq!4D#;AWb25V2t}8 zWMTs4Aj8M^1W8S!ge0C4Uf=Ckyy_~vLTF(1SLJr^VQsB9umafY%1U=6gYNE?nE6MP z_AX9#nnMt_xmn=D{qCnDm=RU2+n@ru&P0O0I3ggxip>81+{xeN_H`>E9Ctt^Rt50* ztN>oN2R>BG(0qH*pu8D95h~-iDHU?nw6tRG+=1)aK``i@x_&Q5i-lYoa~6)p4BN=K z=LXA?(kNY{?mwwhmwr@JYkkn;k(^+t&1bTPScU1i0F zplX=-u0xBvja!PtBUYUBv<&@wL9Ct@A8%r3mzJ7} z(j}VAPV2P7UlFQG_@(%dRwN|Q8?=De$^B@Kw~c=$2o1vpI#kj4-J4)#5x@Z+RB!Om zEA%44XK!5~qA^b9*vWg5hTn6_%IG->Gkusd#Cky;Q7Ni20dOeJ`T^8B5uVcuHYALI zJ|vr^s5&Ab4*L3vttYlseDCj@ySqoYPhh71NzNUP>dnW4(RCXOM`eG9F#eB>?1r#HaX-05cv2k!R}nl)r5o|!b=cFaRwdAqR&@X zJ*u=1yKCcNb#=Wg6~2ah=6pC`S>vgtF+do>tDC23fYG;IPlq*P4+$5b$t&p|q^rm# z(I?|Ub#Qn$y$wR%UJ2DU|49n=Gmh~Z>=HH^^qu}BH=sMA`TA=X6)VL*XA7LW9R!(AQ5aEp%RZNA8P~pe5w>=qbcIAk zG1k$}VT`90dUr%2l$B)I_BIsLtN4KphNK^8nJosq_?e{@_}F}JtCy|vJ(quRI5Yvl#{U%m$djUk0%ohTSE z-foG+<^1T=i6ehd8mB+9horp=bUxxaVrIQb6Ln5W2GWG#T>}sPv3@^aPp?PnoMi7) zJ->6zGvqAaY4O!BJ#DxCCGTsNM~t|l^jVosU(|W?wcU_75SvNmH}Hh8ZRO!^iPY1|!!XafZq zgl+qp96ZWDAnOdzHBbatn6%j12N)%l zmoGsHfO*&`XH^1EkTv{cKRq^+^AS?Q|DW8cBGgyB?=7%L88I6D-~0+|9Rup}Y8P$3 z+;-GY3Q=vK`Q!NWAmQ=2%?0VAE*10A{;N8y>89PgM@-O%O6)B|uta>cJ$~25+&nQU z=?F}3vfd?^ynLCx+lZ(tjj@0ai?-Z5PM+`|U+6$U3HRaN&@0-quc;bVMd7%wcH8DXEtc0Gjo_-X#(253qHoCLs6|qAmCM=qxj)TNvrlWHn zYhha5z6l8){Cu#qo|oD=us{YsPptK#yAo7i=f`;9DpY35Tvfp_E~u;y|6x+HfLa&? 
zB(cDYk-P?*`Y%k0Bdn#12^#;7Aa$~)Qz6K_$;o@WOJy=uIB19sO6foNe`yjI5_EK> zZfa<7MB)GdKUYNu~xKk#-ZPiVr zuz)Un>QK&(mmOm__bgWZ4OCGZ$n%-8;Un=A&9l1XaV={>F>&JW>jOWtAAkPA_O1I{ zhdJ+PbNns}&X>m9#>@^2#6TBQLU(2VVu9wV8PX#MRrhl%-nkPJvbtK;uLn2Ni?)L8 zr6+9X1doDJxvw&vR#taDC+CD&Uf77Y`pfyh9er^nt}j?rc*gRb)1f8+!)s+}+2MJ; ztO+>rdYu;>J>i;_Nd1XJ^$#dmIACACd_OY}TBBiD!U15iP9yG|dxYRh9h#M${dRO7 z8gwF{vvKv&HAtmcyu<0{?VdzdG+sazGP+D2wP(sb=C_G9-2sRj=;%)Oeu9_;>RAz| zF?E=|Voy|E*aX`R6*4hVImLzoEU`+n0I$3W;a5=GVl^XKoeQZhPe;pvtUY@}F>k zSaa9jqrGf-8IyWpqr3@EXreUI@7IFude3u)vBaJ_W2v+Gf0Zxr($Z*AuQ`xWmx_>Z z;|w;$ZbiEQGzqd{aWZ9A`&I7uPJOi06}x|}{mQJ(vO-VQ6K&~fFPykoIkQEnoI&U| zAfsl1ja$32@{s@z^n=2aIg)7a7J`#pHdX_kh|#%g+6Ju5elcClDm`U_{QNV>S1C9# zCLTUIxZpF6!bQZiAN{b%(2md%*VD%Y0f@s4lFd;D!eKCD{O9Z`4;Qs_tulVXSl**Hd@^=8^iH8unUu+&8OPE8<`IS z#SS7v6IQ@E&_=88SyNZ_D{!25533*M{OVW@*ZCDT8b3#i6S_HpbtX!oruLxQx38n< zx;#Q~PNzSc<^R$#bx-xMM8-e*gNlg5*|QX~*%nZ3LtCS95N%F~VXL67Q4b&v-S!~l zxxF)%fCD6c1fF8($hijCgpskAHr{oj@Pa~vP-*}ZjzZYVEiNn|s5LmiQt78UFNBwU zmoNF-R-cw}54Ir)r#C05snGM0Wh8=4fEc9e(gx2i4@!Uf>7`)GP&?7V54LlWSCrjn zoIF3}Hh7N5nP-SWqX%&@M5TZd1pdRY#l{ia{NB(>LA<#=g1D6@Qk~%`@NukEL>NMJ zXqQl=gq|Bxanytk5!EP^yLV&#nYSk2kBf7}Hv^K1=Y9fh18ALzi7&dGIB4-_8YM*A zZT=icHHS^n+_)2eMNWf>&79Gr(6sM6uJ9M!H!3BNP-FE!$;+eIu?fBnOzv?NUC|0=NWohjQd zPUe}U$o(8{F=DUp{{1Y##$sbh`{vG;q?n>)?%aGq{bSomJ$^Ttr+bUv{BRG_GHp71 z=HtxFH_k^$suG^vYs1G)*7^fIs6-v?K68$xDOV$<41In<+8BjxAV*Ap)zrd)i9(Fx z@;4daZzJWLhr}<+Hcb9~zK(CviLAW5J2Yscwp3TAQnHw6e}uL6NMe^V1u#;_xk~sb z>N(Ec$G*c0BrRn2#Di64Lj+0m5xN&wpCRr=FkAsPt^rKIa0iGL%c04}v+is{bOOzX z@&g!*Lxs2S-EW$k1I&hfG>1xku*_E9+go^y7W)?X=14yH9}NHAur;mx5jfDavDK`KIFuOqQ_|%fk^B7{NPDJ zGL8D^%kuKMDGZJy$;fRG61AhT&Q^Go9T(|+B>W>MrQv4vV-hXulCB0`z2bsBSFOSs zsnc)1ha;l$yzyz+AHBFB=efQtY%uX?+^l@a4L6B}Iu}lR($e~WmLW8P8Yee9TNJzx zTTCK=`u+RCG?;0=4th^+vv(eM4#x6T3Gz2yNmu`v8L3a_pul+7tSq$corwvn#gK9X zX&kxfur-AO10UTXh>9uRo)>DI9B%2SN zPN@1R_yx)CGz~klP1Cf}+%$JaL{8BG+FmESDaU9VfE)cSOCC8YaD!-C9p>uCsnM*8~?a*6_`fK>vt zzCh>lpYMRY#bw`(#YDM+#E(Cbxlsmhb>G<VA?ay}(*MCT9{kF6z@;>*Mn35%DP5 
z7hHXgXD%Qik(e_n*mKyvFQ?@X zGLclDo4H7K&Z}p5__@`HkY*J*=qtAbLoY9x_*7xM5&Xg)>;A+w)P&T^kPc-z@IGAe3gx~Lv1AN8YtvLY_YUNz6qV zY0d)A$*4Uq{_cCxs;(bW*PK(r=sDVvYy&PR?DXgOMigwX2OBX42quvb*cn3}k=wcL z_87Pk)<$4vf=7?*xLf5lJGX>1ql3XT`y(1#_7q(CIM{9>isLQyxCLX?P*g+&w8!e; zea3fPUp+(Wfg`FV3iR5+p~uJ1@WeCGqbbaW5Q(}g!tWUhVNlzPjh&+2KR+BWi!a43d^17W;-wJBjpS){D8L;OGl^lh z(ULYfm{gD`pO-CNK%I-g8lT#fT(#p;kDr{pf+8>w+a-{+;I+~5f!yhdH7QSquNd_T z6G=w>o!A}v4g#z@y;qN?1|F7ka&UMp6qz###V?}K(ArmY3BfCtAaDW=J=f~F>U@GK z6+2mVpI_yN9KvVZ`p=3%&D3?Y`NgyRtLZw#JaEXnV)B2q01l~vG8>Lv020-y7~W;P zY&7m}s=nbR$6oKWJ#fu#Z__h_MhBUbCw23?K}ACfW)02&Niu3cHx6z)a$n7R)innE zl>Xe>Rqt2`YvMB?`J>q(4Dzgrps;na+ECf5j>>mb*Z`J1>iNZ!deX|&v}=q}*N>b^ zXV1@@^{;EkMCn4-(e8ZR{_}26g_v?LeH!kWpu;Y?Tii;Ufn7+SHRBu$GorNe# ziwWGzD)n}dQP}uxpj_n_Q%x)VcS`Wue-!6#@^)vbcUAVD{ z2}~Am0UE)JJ!ftly4*`g0Y2zrnoJIzQ&Axv{eSIxC+nlSL2+%)ZEemipurytmm*+d zvv@2P~FN{3M`Rd-KrNl1(HSH;rkAy z_wXjLcw&}*=)M}UtVt6DunBv@Cm(LC#zJqBmNSVx(&7_>2*sv)jnum?+!yycy0ONt#;gAmpY%W%;4 z_Um7FXmYWfVhkxBC^7%4QW3*+dR`Z<(LjUf{zuEv%C}H0Z&{ia zX_E}Jt?$f4>8h)4`2-wdGJgzhxyq|+FB;n+I2#IQzyJCf7VHqn->_V~h> z2>ro>$vD98-t8D1eAaDsl120M>9@$2K7ROss-dh|3uD7EaD}xmUN~YX4_NY;tT%>e zn=M6SCG;1wL)D2KcTk2(u0m2j(In22v-hXGReUS4^Yw9VZvEeWYk(G6cLVs3ikZC* z-E?gt9AL4(Xgz%}nJ+y1NO+C~nNm4*u=fYjiJM;vwg!{A!%ZZkM;ZM)DH?=oOvny8 zQOp>AS)$5Zrs90*Hvb*xh!#)00R;2#u0Z@p_g@9FAiaXZr%$C&A46i8#I=P0xMSzy zq`doHX7QGRfi>8;0C8Q;?}i@8@zyO1TU(;U9ze!LY6$c_(ds&hC+Fwb7{vFioCI`? 
zAn#g$QKn=xP~_OppTZGm9`rnhT3Ze`RO!(&I*)<&;H?U%hMrzxdzk3YOZnY%H4C3c z^NJ-_mY2~L4~3r@5Se5&%w+ny4v><(%F?^LGP$z)CiS`XVK0X{neSK*9a*A%GjW%W zF3!&j_cx%#MHZ?5h$-4c(tnhne%eD>9kswt_nyw!+_K4v(a4a@BekWXF72gKS@ zqS;B4((3c8a(s0&WFKRQ0Gg69IVG>Cs0}0~Xv&(zrcnWdD#ES7I`ReayFRIPIw)_+iY??n-uKZW}MMH=f23f*MXb#V03ERk^0|2caLK}C{%1*4-BNs;Iw-{(6?ukBS z1Z5!+5l=7WzbAZsw}5Pkw*)wUhvI1!m6U(Gg#FgztrTfu)RoOaCE@t-wh_>;_IF9y zNJ5N6LyGnLn9wO$@`XFJ`I8Wf`EwUjPif`2u7Vk={h}lu59%s&1Mz`fXB&hq5!-2p?W&epfjLMwxf8YuCAZ(R-c4<97;v9UK?aEfN@h zSUbAp+UI5Q0v!;j#-P9&9upHf`FrSmzq(bwhQZsc$uC`zIjV4kd{J9lYmnP%g<%Go z`5hC^{eN8zstY%Icr1z?X-VRZ=*?XDUzknOiVCJ+8AxI^;9gzD7LW`vksQA6D9S9N zZu9pnb5n}xU#95M+tz%2k9{7{FVeyOet(#{f%0A&%3$OHJnk0aDMPKYN$~x~i``e5 zhiE_n3me~sRtXeyB%@KI-rRRwa)j0cIw-PdBO-h}(t$iFB!mnY-eAJm-LvWj6ce&7 z`!!h_EFZpe2)NNzbV_&56uZ%qbiN`C$tH>Qs0Y0>EBRtW zAE80RAMi?;rAfQ#uldFyX=WKR7Zf8#Y4-2`^Wj*L*V52!*y|h%F#w~QGTzcPlD zT;=CE-Dz$vDSozGetL~VZhOW!*xEmj6Af2!oS=n8o#rhVH4Ot?B!M%gy4frdHCjQ# z8n`sh!5V`(2Cc}oyBmZKaz?%rV&SDxx&s)fNkjKK6ON?PQe+b)A`~4Y6B;27j5+rA zBEGeVijK*v>yUbnYn*LgJ$MH*>-f(^!3OXL(QpdlJ*K94;^;9VCf|D_uJa3rH9KeZ zICBj_2?qz<0N~Vj?EVKs4;dUO$}KxkYom!CrOVt!g^x9&Q@$waPiSTm-GjJ62xD|* zj=tS;vO$=tL73%rS4kb^cM%e{M2PO22(o zVAZji#PFfroc!!#vgr+;6!2P*CqXYvr;O?;QKJ3m(QC9`b8v8oi(jdCcy{3lygsTs zDsgbQ-nu2^KI-Kc8>Uy*(SWOy$>Pflwo=0hWFRD&2odx*v)~L_~Bsd+g(H z2{tW%)a@snXZch?&2#5axD%F;P@#Zz3h@XA zV@AuPeuMg~Kt^wF2Zhl>!|&j7`cnJ)v`o&@Hn+AZuh*ELAt5TdK7D;_>h2$6E^+Am z(ff$Lsvzzmb2<~v(ucYp+EM{9(8DFXi&*4`iv~eVWXCrDjuI2bVbpcw5%ENo7?pOM z5fV5VW%ls(j0lN(qs1;>C5lr?bzI}KuN4zgh39pH-oEwCt2<6ybTuGURnB*zL4pYK z4xdY)VwYR@*KD(|`P@_JW7ACv2i41+r{lVI?>63HRzogzcV${G`u2QyC^uigL{<9j zCR5U&567l$8xsubZuD1)Y`=WuIlxp1Df@6cD#gG)lal>Y7M?iF*1C9dZ`s#Fxo;-_dOhFco4pbkD zo5%i6^A$+lOq|!Xw0x4AJ1!e8%%7HH$x^S?JtEA$Vuf5`L z%}J7C=Oc~;{(KlHA~~&sknr_+ijdJZ)i@Yz4dAXN3h2|*(RD?|!#4b)V19YoiMfZV zta53d!dvgABg{=0&zvXRPPxz$yl(!TH;3iqNY}Hjss5PM4_QY%OpANvX}`BDvqq3! 
zj4@bWn`rD`H4~A$eWB|&Z;r|h#+>f5`lXe*(Kj1gYO?v-PbCVp){RHg5C1IXR;}GI zy0AX;{55I0{`o7t;*WF2YaU4Iq=Qjkmig3`wC@@l1n}Y10wQ-bmFjN&sLEcpRjaaBU!- zNJ~o#jgtHZAs&4kKsfe;6`c3g68Uu<;hKZua)&4@GxOS8S}jIzAEefpzGYPP%y_C!kQf0lr%;#c~r4bR={wBmey9HiOi2}sAWLzf2YGfn~B?=rNy}ibuC|#*W)4`h$A1Gglv>%6gEJhL#DM^NH z>VfWS1zQ7=o2`{{Vu4HJB!r!3jV<-%X`aO&daYnb*cf{);=cQXuYKkko{@(ko zwY6a5-O$Qjo^7|f@%}plW*3*)$R~KuTfM0{yH{eeoB6W5t?B_vxA-h2Q?Wfa4=hT$ zPWCMy@n=fp_&qVNSZ^m!FEuE8D=$BEnsrU?q0GgJNuE7_oJ5{F>CK!C(yqO5JFDV` zGr`#`HYd+I@lQZQQ~tm`PoE7}o0&-WHePYDE?!=5dx5guOtfM$hyF}#%D*`iiSBg= zCnwZE29Zz701Yx+_k#3f1s$kEuDOc?X}^6>r-$KyPEFMx&yDwS47pL%i+EZhJi)(C#y+vRnEt7bu&J-Ld#4PKT?)&A z6P{L#O79Jg7h@_%>qgd>B6dB$e|e8(larhe@9Vw}GEUQDWk-sh$=}tLJb5%*iO2l; zo%`p;_4J%=is<+MsGJ`U+{fj;?rjh`Re9wCtx%VncG1%+YEJG1Ng;Oe57y1DsZm|$ zJ3QiTdfmx`C|U$|jwNW-zldv+I7Q)3wP$dvNed(+EE=U!?QjJMcu4#yIHjel(GTT; z){mq2rwZb)Kkc3hN~A|WCr40CZ7mG>FlKh25)x(vNwvqHkI12jt$p-9VzbF#MLdf7 zzNcNwH66FU-8nq8+A+0cD^N-C2mu1&1G!XHMa88nSK<;Rqt1>|B6;2)76d_0pAGt5 z#8YHp^2^eM=dATml4x3ll1h*^Chp<)kT0P333dVG?igS5LNoUi1z@?$a9;rw!|(<( zD7=|vncQeBEP>_^$OMpZeH_Gm!x4{Zj0!^l0!cpXyXC#1d%WiNwjEX^em6+8zJkdi!oHclT56R5amzo&I2IPNm{G|K!;@ zbtQ(c)0u6bk`5$G8B~9J?Ex?~rsOm3aOU#m)W`Reobnw^y`x&xEd*)wl6JKi$a`l>Nf+ zXRhnPMO3A`MO_4L@0@2MskQoWkB?57Sd<{{tHk5%Crr;uXl@%)K2N85LDWw1Gj{;V z9w8yj2oR#my}!eMMB?!zFiFSCCPi{OUWZ>3^}s#iy; zTO`q*Pi^Fr_F_=GK*BkwprEYc6K)5bB8gWRI2-koV`IJ_!aO`~_5bQu9*fC&r=$ct z%k*k03?KUnjss5_iV#4f;R0=KY^bTI&ZoYh*{E+DEbc6LP3yX3GqjFGL`H^}q~+xW z7L-;_R*RAJW*Y-Aawk8N7b-Lco|gfFHV0h~xOlHqYJs#PK$h zeNs+sv|yv@oaWWn@k85#>Bprqnu4@Vy^P~&@0NqIee*+|D{xD3nFHGN%ToWwN=R8X z4!2DcIfdOedE7LyU0i6P0H=;F>sHDI&`$B$HLK3 z-yNJeot&M4Wj-7?plIX%7qWMN@OWr4+B)`Oy}A8aBO%?_05fwKJ>RqL_U$gQ+k9+} zc5sJIh#<&-!Y>p{2f8zQGiNEGVJR5t(ZPaoehXyOVWUpm>Z!8y-otO<4y~Jfx!LA2jX$3~( zh~t_2M(+$B(iUqwAis^iSde2w(T@fyn@vA5@LRoJ(6a@;YjNK_tSbcuH-Pk%oD!fYa`m98!*1Dqw^Vycu2?VnV86@$^v+3 zQ0M?yEU_^7HAF-piq6SNB*XA5S=H;(hx@icw^W-as!~$ZQ1y`gB}SrIM5PidcTu_^I1(|+Os4?8K=g+|q1_#bbhdCORhjE^?Q289B#gf%&!NR?B 
z7WSH&MB=?58HHjlAl9hyP=f*tdSj&UF5w;&{Vuoa&?rK@$zR96V`XIpA5rK1eg)9q zZk#nlgG>_Y*^r(CvY{XGvqcL6<6ej@)a~b=>d=pmkC?2)j-OYxAuT-yP83M*cOf?p zFN1~yNE%aa!;n-of7*H~I9i_J7^dbfftl7nMSNL8NB=zXs)M53ilDsbc zUWvxk==iXydRfT*`oy6+&`i9}KN|Ynl9YIj>W9T-wOPxM+GL?4c84lEBNiXi0rHOB zHsTeS=QfM_74E?}y<=&e8$#39i^1HaV+_ZkzJ}P164s+!9k#V|O zW7)5V%WG|-6DQldhZy18rJlCKiYgVAXDyKUzOr9M(TM;QAp5ccpC<3gbN7#lLfPjF z0rxM@c`zcM;^GUVzrsl+;?rxb5IA)?H6LG@M}Vz{jc1r)=iN@91=mJT&JD9G4_ZiL zhlYnM!RrO2s$lxcDjW!Xo$2Vh$HxK8impoS9rNxAGj85v=!0Z!+D6|OHW`l8I!9OO zMbRHnX493_ww{anCTEgQ_d&=V4>Ffxoa_9HVsT& zfcG8}9IRU91Pwo?A=MBR0Bt9N-U3v#QwTG|QV`wjIyp9%QbJm^@_=2}Ir-E!G6ebc zWFL@^RaNhGfCLTPL)~kUN0B%g1BnZj*ArDg000csOqfTPhpv~4Q&U@Jn5i;7;%TR1 zzn5Pr%AT2_4eII_mL)I9Q{~wl;C@(9eywgrMbjW}MDiqTIrR0xSJ$kgg^)!OG_<|n z83u9sBQ3SaO`AjSGv(sbOiT2s=yiLt9RKQBv*Wc`?XE!;E}~2)vuM0?Ah2t8smXN3 zT_M57>eG_kAj}drO*xa$E&}Fu( zSzgP^2FAYbUZL?(;gax^|%XxB1?|_(EzSQG}PTyJtc`6(n1UkS)Vzk&);Dd8Dc4b6D zM*i_uE0`WMlW;ANP`Z6`YZaIA=b-M5 z**&P&)%gC-;O`;|M}$#U)aTOCh_dHMZrAjn*bT5QD{D1q zcIY_T*?|$?lwIs7`3z8$0J{KL4KXTM;A(;|ho|v`gdf0t8 zom-@AI3bFb{khH=ZIblvhHkYwWva_p6v&%_!33MzA*+tSLdxvn%f2*h-$t6?9#a$2 zwmGs!f>VtRykRW9C2%YQ>OA!OZkvbn5lpey5h>-@J6N!GBDx;%$4WYmGOaA;BTc@ z`Y$d3(hZb$m;_zNKy?z9k_G7=)W~y?+>tkv=eQatf7r3zktw#Ny#Mg7ImRct?O{cN zpZO&!>PWbCs>V}jk8Zq?6Mrl$O)X)Y@s?QF`#F16y;$CWb`w%v-M#VIC*BDlp+uFF zXVNQJf6zl+#Lelry+Yt9QFXAgHs$8e)%cO_ zN*)p^`S}bnrGkOPyjBly$UJFif4-`hCoHpDH>}2d2bv`~!Tp1NQDJD778X!Rp#|Id zbA!Edt~a4TP&7978}yi1zcXI31ExjLXLZ8)5J5N8(E@}87C2E65eIPK4S#UsiNJj< zdSdX#s8)y&BLTzO4V_`6uqe=oz>x}cd{B0;{=aK|PXW{1699J7BLOMkd^4Cf%AxhQ zKX{gxU%&Q>z|Q2EKOrXF!V6F64=z!f@m`A@{f-@Kyr~QK(gp>aW!90haA9TrN}+;o zO7h~b*v=Gv#+U3`7g6S@@iT^bT&~&(xa(k1SUa+DTwtdsKPU>?O5a#erx-1y`4TPz zfYs`8isnrnJO!KY%DU`#)0!bb%;+F|x9~5|)19Ez2bE z?+s&V0wxM^Dmq^Z+GYy5fsty{#;H;hS|PbIsf1%*X*{>_=BD-_wI=Jv$~?#Mx0~@E zOLnar>Gq50d<4#WQhItzfL#F_7g~Pu(g{T+ISUvZ_5HL-aVnG$zQYBMfMOhg*iF-gcfQ1z-%s|`# z&2_}W$T(9;)J)aqpk+4>kUfA(fUy4rX9VvAVDoc9UmPfO0v{IKk>zD&K~Dfac<`u1 
zkUxj*4tjH^rna=U8bERfr7V6_aN@p%#2a*5$u6ymfZTleFbyI`d7uGzb)xg#vhaRVdWc8E{ANbj;Wo!@+y|>|rUymEL8$Q=y9!k&Hl{6w?%7tewJv(K9 zZ?0rJEe$m+nb*lv#V)QGVa_e;(B$q|6vuMCG?Hz`d)(^nO{x6E7?3mUeyq90gR@>b z)cC-e>&%M>Wq*1o1zus?B`nxHjAd1w;8Acn8r!k8#@?Tv<3Z=c=l)b=W5e%xFC3ig zz>^a|4>NEGfBqNEMpKX_~wHwj@H4apJP zr`vcZK>r92K0-b{*lS;5P`-G9=qLhy>+pb`!rOuTfXEP_V9Fqc{n#6*Acx_)F~E4} zfP@cfLkc=lY4YiEsj{AwWdAnk}yQQ6M0k zPGwz2@ixPBK_SV(fIbBUWIt>l^s-@M0%n7#q>yKXjFz?4Vb3Rq>o``;EVgoL;CXoA z4zjdW=y;^p{bFGZ&}#Dr@28N|p%R+hWv15oe3>H!%&j)5uc%Kes%GSP6t3|dJo@%) zcfl7P8QcfDmlx+^=n#k7K!X-wViZ~}X|Jtb*ZGQKc zb1dBNAmqhwUym5kxmUOLa-jV~?vL6N=Z=ibcB=Mcah9jILfb}0TfS+UZca@-FHF`i zlZy|OW7)Egf*{G3GfNDg!9{V=LHQ{Kz;L^){M4pB28_%-{x3#@GmTs25x~H^xApY} zbCcOm=S%EQkCFYfEEoahk(=MsmqF*F2uaJy`98es0~{2H4SwHm!iDOq+ooam z8E|Lr`*pM=2+$myE$ToCAg(4={i`S5Q@(72B#EGViQVKcvmDj)c@hSar@X|xP;`BM@fdx+LNPuJv zO8X>!RbLmDhDWYh`gyuZPGK(N8u8!0j2hbZoQugIHm-UE-h`fgtN-ycjEMGXX}@|IT`g}b3m8N!0B`&3u9qUJC;49jOIfN zg`tYDsO1+IFZxnd38~;WFX+f(Kx6mx+nYY?`+su8hu`0!^4@M5QlQMtGWJ zRdm*DNcYU1(zE$%`X78u_HwJb)X|hl=Sv-EQW48*6cg@Uep_cpdHUz+^`=TLJUi9S zj-SkR>%|f=ylYiqh{@Ce4I4ET8X>eJZdtVwO@F z)zG%&h$=HLef=u8>2^YCe3kHf-OV*_mz^kqwu`#?$PiWX*Qot+Z6&JIkB#UamjF_{ zp8}>d_*XXgqV}&jgcAN*EO>oro29Lb5+w<`8ZifAVaUVi!?C^UzIl7II~~#Pjsf#| zn*ZGsh`5;`=+r4p{*d=GGBRCq9=fmW7lZ0tIu#ef7AVew@}14;$P8rsz#D{kM^&|b zb{neQhuN;@hM>cVw$)-_1XLO%daG9Kb+sTIfg6Jm9-)b#yUS8&Z+QFrgK+@@;n};7 zbS?_J8hE|sM+2)C%s_4;7O@+^0)r(N)NhzzVYN}dDW)cIso7Y&CQy=pbii|w>G|oI z=P!)rtt`j0AmtaGnQY~%7z=vZX4y<8wM}K}(hw2Zka|9>y8*7Mv=t9}`Enx{5t2n% zz^CzTU#I;J6kX34GWwI_g~ZS~pR;cCDjcnil4B=(r`6$e%^?B%XwQfzIz@?W(Q*J$ zezLnc+uCy;g%IW4(X3fwXlHA^wRJp;3EWq^jWITNgsK}*t_1mXQ2vH3 zYXE&5u*`(tAin`V_-b|>0;~|Qw9FStf`Euv*a9{|M)6gvGB^Q%yP>NptfIh-{j7wN z*1MebzOr>r)fHI0h#q3cJ~()I;{yW+oqO7&6-nqT~Cs=Bx3 zQwpSX(AxPT$2xAX=?IK|fq6YzXc#(;8rtTJ0EljL9~QY@UH~Nx6EoDyZtR-yBuiXn zbVinOPuIir?=8`|^~IPL@-0M7H)&ZupN+L2jVVkV#nkC^e~o#F$!;j}EdTaMdYAY) zIr)C`H_pHWqYSDEMb6P)aRV!D&)DMp((jjzD;-_uMC{D;LtE6iO%sari{;|vkYxV> 
zBD_AD!m`RY$)gA6e5fA&_gI}c4;Qm1X3gvmIyWAnkm7s;1a<9~QaOw9(ZZL(QqC&n zOl&6Zfqp|WzUKa3uck#rpHr~^hGowYIN2b!Edc`j`^Abq z8U%c>t=;|%{=Go%1h2~xpmfQngSD?cobE$D;Nnn`lM@ODKHoU1EiNc<0{S3WGA=?@ zKk`@%to(pV$4Z-{=~@P;Z=x10XeEeeF}P z)PC-X^Q^sXtlfCNctx;21Uo`t=&9RH-_psE5N1g&E3^)c*N`%o#5DW}%;(%x0iSPb zoI+t`KTkpR(gm$S5$sm{(h;!h2W89w0J)&{qsI|lAIb$4E-@Y5cGYQg_2tDWFx?Rz znLk8M^3qGmZJ2fVK7~*FYX+Ef9G)6AVBB347+@(N3#M@V_B5c4j`MY5zg$0K#CE9- z^UssLOi^OtLJHXzqP61>^bF(~i^(zt7Jg#roYY3LPy5NAdY)k8Hf0(o38pZz^cgZ4 z{22OKR~daUa#v3|U8_nZ3=b*XO^ht>ls&|{D%b`?(^RaM(?|*pxoLM(%84&oT_WwO2pun9KS%fB*b(i2X4w^9mT>V&@N2T3Ro5IJ8h{)Ib?Y|%%bP82gXBim3D z@i(NXXZV0QHH#1zJi5&hpvl_#s(nq2c;m$lB2+$&?;pSf7<%*#xXG`_x6bXEDXi_2 zhs~?0ICF!oJlPW)Db9}{*eUziI5e5X8O{I@r5An0K>#8R1J=*8c8i1{G2 zCL9vd#x-C_o?wBK5eY8`D2F{i0MUrvTHxHRA|y>Ou5f)k!pQJtjn`WdAhejO6kr7i_^WpM7Ym^sF$%dl5oNut1Vdtv4S7^LO9?ie>Ri z^+Bo18C3g)%D}7u`4w8&47~g_UAB0+xS$NO{ zQG}j&_+$J~k+3mzruKQ=<+s=#VAprl4vPVZ*<+XtF&H+XeQaD&k$n6+u^7(q@GWR@ zmo1-eY`mGDu>tx55Fr2)@--?GGqZFbURNcI1r%0xl|WzH(b?(m>uY6eYieY~30gRC z+ua>8%-%je1K$y7@%9lcfMJJ$kROUCp!kGk#;$&GbaMLHLG7p{4%4+ITj_s5xt`0j zA~P!?o1z!Hy}SD!9GZh7N3^1M-CX{gNIr>x6$=q#aN{Z<5e57N0ultoCMh}i?x;k6 z7r0$^v<8Ljpy#9xT@?a~5U61g9f-lTYG&r6&fq0To2RCxAf5zi6U0jH??B@6`t|Ej zLs9^bft02f@w06ns!BgZl86L3YnaX8Sp@Pt)C2FMq3H@jnHtgf07$QmS0ZFl;=tzS zx9;DsAiPKq0nEEkQGhBlKW$Jku6ViQNOFFPg-uvMj2w%rw_<>V#1#*;cs921rdg;a zfG|(}=s$QCtL523gn*G&gZVtdj{%yJ&`aX>OWF1Lrj(iYJQvXT>d~8#kc(WFqzx25{t;X7RnKH$~>bqf?(`e3Sg$0Gq6y#mr@QCb0A2I}e(A;gQ1 z=be1{_pO6N*~I~{zQCpjlrf<~HmNx|=!Eq;`2cb5eS!2E)_zd6?H(L}htUOy6+ui0 z%B77;t0#MytG&Pbt`kpv%$BU>8%Icf;=KMLzjyN(;P%9!Ah>t2%#(&`{uPECWRS;! 
zP=coVz2!#Vhp6W-Qnz>I^pSffK%)$h5l2TwUB7Vy+}Cv5!=QfvF_dz~xbO(;ttJp& zv9MGD-0oMTRt>I37&w&Hl+8RT?5_zvXf zSs?Kv(NgL7=lla>k)I%H3%v`D5|xM7AU*VXFLE|tZav(D_5oGg?PezBMp0P#`i;x7 zIy%PokY@`gNb!mRsHmuK#l@+>(x_O2%;3|Q=S|Kj5pSz=rCzfG|2-z6kd3rY`(}UH^1Dy{W&){9piLlx; z&sRsyQG*OJxj^v*bptd2+e>DvdK!z9D5xy1sOiHj^#AB9I{d>%8serI(U>R zKRDEv&`?huL*%<5La8@trK;e#d$5=9+O;6?;3e%na;Ci<;toIdJPx$!S0ob=wcFM; z5BV_Lnhy{4lx6X%`IK%tm~iU4yeU4p7xqR}R8&(l5vpAt9u1WNvSd#{-3<%^iV*B1 zYhW2c_~gVrSz8-Fx$a=Y#M02&C`Lw0^z~Yyd98SK&YNYs$vT@TUL^%OY8)zDuNlve z*ClvPcYs}wXbcKF8W~ho5FyL)+FbwrS0g+_;So;$IrCuk`6(t}bkMZtyQ~muoH3tOlg4)zUik-LxCO z#}2*N##mT2p{GuHVc(T^Uf#-bPt9yn&qrZWDf6d!`ETwv_4p5<#&ZWp8~>Lsf!>-B z$&I(Q8`of+Z)2zf9x4`)6Q+yfLxy>Cp7D7|U0*zNxbJnv_6NTpvBIy#h zA$H*+1Hu@iBX6-N{+7>%!sYau>=gw6yj|$en5hHwm@EfQhdcAy58v z)a6V>eq5t$#R2E8kkbR5M&1+GliQ8YJnhyvHp-fK@NuS#T?}WQ%}kopG_DN9Tp;ZQ zt{Dym2<0+UdEa*j?z%fvO5fW}d%&Uy1of-0J0XCb?~KF}Zont&V(=ek6Wphu>3 z97dg(k&dvjTG~4W5|3KjMsv<{)Gt32S(Q98B4%#VD^rQ46VNFxzk^y57A;WR`SIb~ z8jsG%8m$x4pbpqa#nrAO-4Hi3%aNrBc}x6n-G0W3xab-S8v=`U=?Sg}X4ZM@4Hja; z6n|pxXr@|^vkwhaBzlqf$4{G-Bw?j+=zc&g9e(YEEJk#yER^Ur^!j8P`_{cjP*(yQ zy9hSR zzob*8jN!&63Qhh<)6v!jc@uPCzU{$xt^xZTkhd2{{PDTc-jVqlfT2qZto*2`TU%SS zxL_xYfqD}PDba?IQ8C=J0vo6Y1l&f3hByx&ez4mDArlytK>&IGloO2gqk#)KKF&qE z$j&*fD`erN5Cj4Ix6CQD7(A6P#%Ykd3|kd?~6#% z4q%yJC;{|!PZZGh4h#-9)z?Goz-1Irdw?K;laurM_3QW0pxcQVR2V`FLC;!NUXIgG z^5hP9P~Ss=^83F)$jI3A@)C@|aJd|0U;J?Q@W8^4`tgG>v<<9r0XanoCf`7s3=ugB zVnNK<`mKNXwd>3&ir))udE8s9QS`H;Fut7v{XPB|o01efBVFW^g7w8$MX~&1K^^(0|)Y|sV&734qC}tqj<7fB!i0qTK=0cH*$52B zmoH!7R3Wwm9|({I?H)TJA|kgK!3>Be`FH z>;AK_x<(iK!{9=%FFLV$biVcw5V_n(p}Pm8y|ceRZ?+LuPl1jK@uMHc0KgU?L7tt} z+%tn*39@1M|6!(Ivi`R>fF5Xuef{ukfT$2;8CLns_v(Q2*~kdQd_=8TTgF;)5&ec!~mLmT`W zTHgi-H*)P~;{B(RW)?j+OgekT~gG)f%jKSO^P5Sd^>x zw!^>F9GOZ5p!v@Nhw!wiZblqd_F=D|1%>G{Dd(H<+0P%1c1qaYB9x`1th@cQ)Z?oz z$x@>|Y|gWv^75;6PWPYOPjzl|{P_=g27cT_!rT7e_xACeAWhcD`OaDfMkipuQ1suS z#no50A@^O!fEjj6|LRoWe-0SHJwk#$$NnGC<35$w(7J!vTK|`VAlYfa_JM?qdJkcm 
znMy;M_^pWfsesg9>|3;`pQm!@-WZyxqFz&G$!tE`b8?>U94dTNHS`aMfVk!3zc=GH zvEdfg_>R9*i+fj4SR4dDMUL!vq!ckatelUEA@&+UA%r_4dHf&w{(tK#G~8;;ecL{$ ze0x=b>o1>@NY)CD3cZ?-WIxx~tNOpL(alAL_yK9^ao40L;Y4J< z+ffKR$% zABB$q?f$(-J~_?qV)5T8pWN~IjIw~ZCRW{g-Pf^2&nbqxsZ>RP1uQN6=5r_AW`?OU zmt|?93gT}%p`2PX?-_iR3YlG_6Z$tCNI5>hMntL^$oT%tZj&{$b$;d^H0|9yRG1&a z^|eA%V&C(}4|Wbd9sk52WYl_6?#0c%cQ8SDN^5Jq5T3}a-Hrbt;GWXhmpn8J1>OCM zS7$#6eH>&Dj0eIsxhQ@1eHH1CitvLgZPy~#R>opN8tetRIgbYLgELu+R^IKKN9J97 ze@=j1kaO5N!F94f9r2i1`$lELh3VhV@Gi@}^r(m+E=rs=yz`nG6^C~R13zd21{U@+ zjK12opWiUu;2n+>s$!LQOw-locmBAEVFQkvW#+Aol2u39gXNZ!KQSRMj~-N{3u$NLp3KSeOLesh z9z7^y*eHWDaax+~z2CsBO>~Yt`H-Xfu=RcG1zB}&eX>#Tina$AwWU1!env)btUgPdD#zLN zxJYeM9QNhR+3d&EMoK9>4z`6wy4r}rQ(cI+SydYTcJk*77u9Z$-CjY))H^?8m+=mI zQ_?Q{P;1}P^QcP4!ZkbRiysfZ?H&i?W#;<@mMdW_&5YLNmGzeH7fqY8w0%}Rb5N9z zb*)IzuFbl}MaiM;NReI3e0IMZ`M_W}w@k(!@6Y5r<9A)H{sRlv?H}L+1`_ikPrD?t zIfu5@i@60F>z3W{8N$UJDytN{!m7=MeWZ%@I~~>fWSLbARE#fQ*vi*&8N2eJO-aj| z{*5ttz@3uqUec!4@4Oo7c~(ybm%*j!YKacAHf6ab zS(&+}!TO0~{EpdcvYO`3lVrPpOZIK=F7qnA=a>3Ywfu-;x35ItASWY-cXAA~wSsZu zp-C+l8OQLuAv^8h=-)JY^aZN7wVPIVBkyNA$G5A@KHM0{M$s_el~H%ddVr)hghGjQCj~ z-uS;1OMwycp?`0+dHAmag@k023kDT1Tb~9#*~CkcD`hQ1wEd~sMy#f8nZxnI{w9cB zV2M((;`W~YE(>*d>Bf5@+pC?SCgkcA5g+;QWdBdEhW;-Xu=F#br{~-&@AM+><@`L) z=2$KlSEhJ&bu&L=tZKA{mzR){th9Np@@loLtT2J~CC*V~`gXWzCDZnFC(f|=?5w3Y z9mx3TFF1*bUl8x{-5(zs>l^ENw6r)m`}jc7*!g^s$BBjAMR8`!-G_%Aagwn4IFEe( zttC|KCMu{Y)2ln_jPn?)bT8&qTqme}VEuZ`*=ixr`?I}wsJWN#4sZxu`-aAzVE1jl zKm+$CB&0_$@+D%ya`F*k$;-lzohvKx#@lXbFk+8W?TI4b2lfKL`Bdq`NxG5l(orz07 zVW7WXIfLcdfa&<7r}*4fH8s0fvZ&^)heHQ@dl4tflC}YKb&oSvv0R4=wwu4r@_pS` zDIQ>9bZ~T#z-Ev~{h_W}V0^gI;|=-+Hd=O_gqBQOjIu*so+bOYDbR7Uey)VtVXMtNSTuC4^yXk0Gfr5=vunGMX5 zTa-G@AEx&k$nEs$51j1XI8|_|K1mh2G~@nqhmc$Cyd$C`^32)k%Z(cW(VXECKVlf! 
zw||sxfJ!@k;GB$$@_BX1?_U+1B=iT7an_lAVM}$jhq+MXD1kYxCoe9f$jV z_ie}Q@@2z+gp}@__QNgD=G>QDeyhe`=cw*drLn;oE_N_S6wo@qlNPaJa=Bzy+kQvb z`_R8PO%-<>ky%aIA%a= zf660<+MPUDy>sD>rr^v(Mq=|?)=ID1Ma5>rh#=N@xR9ZF($&mp?D$?pjJ-z3g7~g( zN0s%2HIT?qa~8}{`uYAqYy08utqMkS+T7H zq)&I46vuzcOk?K?mM+G>t`h7Y8=6*J_G98m7dc;y;OJ&Lk9)44&*0NQuX6-uCaRsY@pw8mdV&AKoRd2jI@kYW9WmF|H_-=c zF>X3@-zS>431vn4zxZIB+Sv=6s#uq0mfJ{RaY(dwx}#$kp41BXbm;6B6{zujg`NUW zfBu|%Iwu7rFG$0>{fL@zl}LOHJm;F81H(AIE>jemT2=(HTt>Ere=* zzBc#Q<(zr*ZJ{ldWmbes7u8*GL~PM|#7F!<5-#y&<~FA*jCW4y_mz>6`~x-}J3g5C z`T`zSq-Y=^9z9!)j*gz5PwDrqLDtTlaUb|Ih%2QS zE#XS4NXt9NOz|gh9pI(HXoEY&_tmxXz~D5(voZPS0EXkB^yJV{1KQ*|mt9VLs#K!9 zkkA`uW)`*IuyX&^R9S~dx)|S3D0~GN1IE7{NtuasHy3-i*<;m!R`sA{QRd-6Lmynp&+y(!zrEYtB zGbcKaSzLZl?~waLnl;DOu9 zB`^KnWw4`I(e?vQ5bX;Vn(X7jVFQrYn$i|ril{j|vq+jq+MeJtIMugqDhv(`>f*JO z>eliRzWMV#9=nkJyynwRS}T$|ct!r*HM)x1sh=Nk-*B5mUBv_i{b6sB@xV7(zOOPK zx0Hk|Mlg+rsxqAqWC#Cl?Ko~?{QUXWG!Y6@{B=cZBcDEj@}8|AOBS2h*i4qE|)i?DmndmE9vP|$;!P+#Mx0& z^e~{Eoi|)+E#S(h%MR?ehp{d%wLA`I^U@WIvbunU+N9Jb3;Ke~(45<@Zm7XN&(>ra z>o{8oi!YXMqeK@QEAxPG;_=z(W?le(W?HI5$J@)n9feH8w@KnnX@-XCmq&FldZZGu z7hR*K@^YgcB7gWld!Q3I?Q0tdo}~WyOr15K;ViP-X0tiT0v|Tg73Ti1NisSuH616C zb|<6wE@IM9lRyOImidE!Hgv-A(o5a-cnl|7SmmfIk_}jfnaYQWva}zY|27dgEuCjq zDIP4W_WWr6o8x-1{pmH2>#A^|AgRmFIt3w=i|8=5-VxAb>s}lkMaH`94Wtl=3RQ4& z;#V$KZ4(JuJMgh6tY11##Sd~jT!zonhz6jjS&iR^%NC_@3CCo1Yz?j}ZL--I&$ryf zUryLivs)FVoLJs73VPI}gU=lmSjF+u`7rTtY>?;G*o22wN*CSj+s6$8nw|lAuE!Kf zt>UZLcn`ayN3Y6An11b`IW0q(lGdgV->WuRnh>pOS23lc1t@5%Gt5>v<9Ue(9{lvw&-%p%hzfRp5$M@Bn zK`unMQ%_B;?&KEb6YnfZJ^JvSJ9or%WbDko?(^PU50RIRN=?1Jces1F&1LA=K}A(o zRAj>KG!=E?u0|jIF4Sh*zLM9mjO{2&0&9laR&JEr@K0k;f%a*-g?xwI%bMZEC<$;4 zN7{2ngwNep)iJ~WlPs48i)arr#LrnA--xC)e+ZDTLSL19zQCEv*@Coi_dABPwwfX8n#C?*RiL7R08&iVt<1t3w0xzh8y+ zbl*o>YW=*V^`&KLiTdi-B^D5j|F3BD>IXGX{Td?wz12+(ae|1$O%2Wr38_fOgSf%5 zNneioKeB;?795X?j&5-z1=c1`PA%AM`5O_Jck+CO0jP)nop1SLy^nv)w-^R~if}C9 z48g8-b^L#i-ml(XL!Fcem|4iJ?iS>r?ryOAgu`t91^11Uf?HB8kU@l2l$|V8oaGJu 
z)?mrZPjp0_fSV{9jEm}me>9oPcE@In%h^EfjXw^iPrlR^IE-)L>9a9e!&EepA-NZA zyZ$J3&A%DOp9r%MV%KKXzn8iC8{76 zVz=D}sGipxpIBJ0Y*z$&ZH6;w|9Q9E+?a_nacb1d!n2`lcTOy1>lG9Be@K9){%{1U zSaD`+oy<)uE0C`8R!)>$EILa){AAuuxavBA$;0|*wAc8&>vZQXWmGg%qNkALTU_GM zwv2rYpO?<+8x!r1_x(EF7(Sr_I~7{nrjEEpK|{?hga3d{|LHZ_B)T9`HAXel@E5SO+~fL z=Y>rE`jw1l;!5l6y3uMXtwpaCIgzsy8QejxRDIc2K59zhSoMqbNP>)F#aC)*=iQhpG4|VS8FeX7?${4Z%edO@ zR7Ppus@B(3-ypcWxHuU1g6~lhSVy5`x!j+OWo9fQd$RL|EoJgzi8QFih^k2O6(#qu z-E)qv_ckQ%tae8QwHgMo(Zb0j4XY!2@O54Dort;fI<^k(YsnUJy}LW|sfjRG7^ida z{?yODFTB^@!w51lt-7Q0n0AT8aIYMwWJ#0FVfbiwcyh&NjuaVmbb1U*V(?|0k-S{p zNQ(9^zP$j{0yca+EMj*uvNYU>1lIV6kKlrkaD5@$cWCe>zfF)a78RA0WY3Hn%`OawBhY9wfl3WY8AwB56({tB1QyFX^Iyx)EYmH%`I22ISeev zaZi{S6pEmB59kyKT0DyGeD3}({g?oezPpLyxTarodp|vsffdVYrhD>(!z4WUU32j! zH>b;9&4J`2GxLEVr-orADtEp9Wou&xL^y2xso$7IqIA8HoEc?w4>^DMMf4m?bjjH! zXJ)1Y;Tt`k$%9+*=T1-@+f258$R`%dxmIqiPhS22p2?%W0^G!IPE8R$Oo)cApK*Gi z!_&?=RyRUGL(Kub5AST{xd#2Ug-xWWnnJhVSK)e;GwwJdXqnPLjH-%`g!oVq1BbI~ zR*;~a!laSfH*#`nE=?JARb?vot$mwNd^sgm8xj|@H-}!mzvZ&1C3=KM46A2)2Ae9& zin`163W#_J0;c(26mK+FnRJ$9a^%gT2)tcZ#PodNjn22mX6CfzHd(K`d};wis;QE# z4fQLmXpa{GNI8gFX}#03tNGcNL6wR^^ym7=#LuIyWt6je0&>y&#+qPLfQOPu^reEc z@B^U>+`(0r&7kCX;WR_+SO=H++{X=SzG18{4qn^5|6m@n|2AFXvbXDW6tjah(zMqwZBl;Yd` zZanr=>AjL;@7QgrAG|$;l@mvGl32WE;EFPbf+$H2Y zIld^+b{&ZCg(;@{#yJkCsJ8k!m?VgLXf3E{xpE9w93cCoVOsn-x~SQ z^2EDbFj+oozNswNPFG2^ze6e?z|vhqgonZsm{)~M+drVB*B)3#M(PAdkDk^2ak4eF zkdB`t^1G!jh9$Ztn+0DcVWw}YpOm4`jE9D@a-8Q;D#2|X52$cxJNs6+FAl3IeIykh zDy$?Zn-wD`W=MqfwNbsB&Sj|;dGZc87&C`kT$V5rHe4S+nD-lQo`-^Mu3ouiCh514WGbn4E3YpJ zB7WZV50ZvgYlsiII@V@dA`#^(_F)Zr_Oh$Q2`NkUe@a+ae`F@0xlQu#@Bbsd#q$C!jT`V^6_L3ms5&CKRef%NZ(w$v4Gdr1u(pEsd2pzf{_iJy z^~3-B1Mkt-_8%vyf*x%|i-k9Si`vbzY$bcrQ2;e}DW3FCA_{9+biUs2bUG|QY*Jm!Ocj>u zkGYBmnIAnT2K)v2_ceM=7A6fI2aV%mh#WDj|=d%0=cjoPe0^t(IjjWm=v!srr(o>)fd)3qILbl zG9=3Evu+NHoT~~Gs1WKfj`GW5xaGOI$-3eH$o_$-=O$VBD666da#Vu2W{Z`HVm*KS z8kbc7Z;;8<+Hi|$qkd%IDQ^Q-&f|A`^LkC}YjkWxk%Cx?#!zyDOw|Ob$x@#B`Vs*) 
zK2&m5@weYX44D+xaScw3x#EhUWDc?|lM<&wYK7O2g{J9ECwyZ;Q3;7)ZsTq_J5qqk zsk%daX%?_q2s0gNAd?WxT!DGtSh6&@-fi-~T7)5%3F|&e}*M83Y{W#-=ILvq(@2=cYHQFEQ(M zJbaxUlbcvxn;1xIt810~!AJ$&#@03gnvbATQC>j|=Ph~oV)?lq8Tb@FgNme}_E)bf z1}Qfa_vz#u=;!a8jeu2r`=P-m;$NtSxT3f^QQu;B|H)35fnRBTPC=R3^SKBw%6e`c z=euxrM^P64Lknd+C9wIE1EA9(7MUe%W_qG$>o|%Ei=WeGJS}{q$UVkMzs4zW=N)6% zJR6jY4eDvv2X-B<;ZI}#n@$HL3@6Sz`X(%8p?+~m#pSZrJV!~%y=#gZb$g7EuL;c- zhU9sgQMi|pgQqjK*P`tEWz|HlaY|qG=F(~CA^F|*%wgZxe#+NdA>lXOUAntwL&S_z zQc}Scyix2x_R1@YPp*COKnSMS?-gUKcbMdQXMu$vqjgu+xM-=rMh`u;2shouyYoDvnMN zM#buCdxT#1?GhtNz5}tP@d1`RI=_@-8#;Xp5OlnvD=xlkMw>D8;Eoo_8k+^U0uS6v z#N~mm9sIJUFS&jG=pYa~ETDFQ9IPCf{D3n33CLvmvxhqQF2=?tH;0yMLat%N? zv1mC%__>BDk`bc!qV}QnRYUV9)w`KF1vLR!&%8Z zJg%@A@U5m=HBONhPY1bT4OHoDPoIM=69~>U*c>|L|GE!?cPNsp_bpC0h`oM+OSay3 z&P_RF=eVkx?i{Ngh5n!yhH^bp0>hkOaS2iB9;Lr;Bv$;HV<1y!547k4uK^v4}0gJrN$K7bf3^oRZ!n`$N?2WX`VegF(H`7;v z6=mPhiP#}-aQMwDVo!NufQ?Si)KzJwxo3Gi9UgPL?GVL~dGv})4iCgu0Um}H2+y8k zdfqwx8=saDrI)pj#||)8)C1!CJ@LS|ycf7cbtTlIu9rT)m$W=?MkI4PU`T%&J?0C# z`G;fd(4-zMm!=%6v|BN%Xzy^GHTJ_@xjOUVZU?MQ%~* zkvIQ-&+8KHrS)ZYNsnxXTXNP)He;Sy56$%S%T@yCYlj$TBesm6CPw$|B>cZK=9;iG1A7lKEvbnp7_;KtifNSWxE!Ka{|`S%H6w6jf&sv4FB zZ!fNek;Ok10)^j{yaSuv?;F=q?H7ImKQr?fuq&S1tzTjZxLhZ2p0124{dokxuxl^1 z{Of&DPnR!kmN0Q!dEa?vuJ2}Mq*A@4B0Lwdtc7SRnOM%ApaE_uiwJ#?;_BY0u9@N=yc+Vk$3B_8}P+c#pq(ZsiS;S2R z!UCKFa&*{!Wj5~#Ye+C5s^O_rtOifr&#sWinyDqv3dTL8fr%@e-FJB7XrU06VBeyV zBnr*3wAFp zEzYgFiHtk+R~W=4B!;U9n*{)dBl4_DU}H^z4u1WG7_5YjP+@D|{j6|6>-3ilHJOBq zA#|<@b%oa8;d{UOjkP7mIsqXmfKTm@c=s=Z6H4}5^26HNH0*_Rp36Z*8R6Sn^=5I#N|c;#b8R)|LJqsz%pADS&@m$n_RIAR??+vEu? ze=31Dw-`8Rtll55X@siItQh;XsN>6iA(We^PI&MCcc@$2rtCS}blhBX+85_}^JU6Gy>wX}yka9!zpx^*l#J^o=;|AiIK5bcH>kOf%B% zBvD^97Yz@bYWOe8~umE%GL=CdAcBOSnBz={({J;% z2XBBkUr&uxZDT3vW}E$wWTJNOJ+|~AppQq1Adm4{Dhg2pi zO`K6r;U9F1Lxv?VWTFfDR13B|x9=7U3pm~*xNk-7L^>WJ%5w|*Va=yY67d`1dI2$<=3RZ@E%$Sfj zk$>cv@CDh~IgGhUYtrgWJb!^sEM9~TNG?80`y*MiZ0ZWNL>_FC!0^>vluh2fTnEQi zOo-aPfZ{;*4&uX|C}?U$?OSer-U^n4(^C|2wTfQHdywK?&po>UPNRt0_5~INCMZ*! 
z-tb88<|0*b@K?2J4y7=gGCw8(QMnmJY!hSLtJ(& zUwk*oShw{FAN63TGC^W)jn-|)p|9#DwuQH4vdX-Njq5uMCqI!5mC`XTt@zz<>%+?p zEB^|}Pa55Oar&+vKlcOJSY;1q9THTtWHE4MmC-L)It9l8$)guL?gh%^H)wzC+aUwX z@xb$R@qn*QtAiVQuoG67e$xvFbSkNST{5wr$;pVaHKy`J^v?RW1G zWa}ZR^$cF7fmM^Vkdu+9tD(~NP=N`_7^nr6 zkWDO|&WNt^^y{}b!rS<}?ps=J7`pqaTf4(hI<}%I@jO$m0bd1m8TX#8Y(t}*wq5t` z8+XEL-^$D&;T98qeWCk^0Jp>d6NsL^k?X?7V;r@o)mW?}O173bT3e~YY1`c%pKOje zazK3wCqy2sENLUxDS(f(7!|<6$gsav(M`uSCBHe(N(R~M3)u%3X4a5$U!y)HAIRjG z^e+32m{#v=kDCrK!{ob6b0ThRojzllPRx#-Z>Ts5L!4cXifo*1TSNNTq2mO_zc`;x z$C8mzF+U=TIFoKlujDKTlz&RsoTW#;lo%7JSH-z~tHQvgX1V#~jVs~J zm2bkk7cqa_aw#3P@E4i=mZxXNxx^~o8PG(n14SK9lcaj}s8Y*-i~Q| zf0SPu!+f6W(#Q;`$)(+ zSvMp0WAP%AG`kzR<)lL4thxv1o6Rb^)uI9q4oD~O6lSrSexfeUEw$-`6Y7gHKHr+V@vf}ti5}5(tp(NkAz!)xi2exIq&f?^ZUB+V!w^jG{qoV5e zSMpUIv>p4I$5Uf5vM+5X+tw@tL(W1drnsuUsWs_w&XX`|0zDwh=wV9B7d-e8DY?*M zBA#pJ%VaHiIhB3whEPyXA($s9`~etr51VO}R=1pc8kL=|E)*lIS^rIQmW1uSBw@Di z=Egb4T9J3#*eAvGBkbF&B>NivqM3Yjcv*giqno!yOrteW`tT#|Xsx?J-ga{cQ>}H} zyfdR>tCbtqqf+ChnT#D0$$mQ6}MO32Qlne=83Z!RWYr{wMXiww-*W43puMW zRdq~tp9Foa-~A;E_zNC|g*kZv)=NT8EEiWApl!&{&S!tO11TJ53b#XVQC<7+H#cbU zRVD*n*tZ6JulrIi0#j4>Wn`KEO0K7zfnV+H^O&zHNcl?D3mN77krde1K<1oL;O`w} z#w)=}nos=QLnZA2Mqqk**eEgtZL{9CLvF@Y1P^g5Q7jz0QbB-dgdN%$m9n?lI=%{q z#DWrG?3rPGs*BeSo8mQq31D zJ52ZR$n;O3qXJPxP+C3(#!CHT|1$t7hMTd^;iB`&NX}{=o0WsPL8V?N z(qj`HfPR;Edibn7%eZ>v*a~idp@M9_*z_L?pATS1WKM0z7|&)vb+;FG|4&-i;spqqsU8_}OL1`G?Br~4Jka6Pea z4SEmNy>51ty*ylFlz!+VFpzd>ORL3ro-m)2aB+eF5H;{?1s>7cb6*A+ zq#pQbhcQkJeB=^cfL!Ls^mzr7Pg>53q2uSw9Na%@U81|WlAz z`l$U=6s)Ckw=b}7=zxO-!H~H=3^Dn*GE}=)@bq!jkM4Aq_-Z@s5nP_qfYCg_pgj9N zg|!!y=hRZ7#RMychU+#C+bxLJ)TETL`A1F}44HdXYpTF>FBv#`8;}*koI&BB0|j2W zTZj+fXd(gQ)i8+@80c;$7fT`<5pAR~JBdnWLW#XC*LRF3a7=7>hba6cS}&%NSmBpG zD$~}T=as{_hH{SO3G#N{uY;?hWDMGaI>A}&R~{@4G6$?3Kz=A(1s)xxYZ+nC-8L~& zG&O<|%`w-0Riq8EoIe~{9*UA~0QWJ%kG-uDhE>0FpOGWrR3gwN6~u`9?AO?Mb6Psu zz@)|EqQy*Er3(Au@V>w``gP$BNMDu5J%iS{S*5Fc3G;x56M2b)C+OxJE5abZv4c`m zUgP7ov}C5eRE}INB^Y0F(#%_VKPGImx&$=V`PYFQ?0!Fh1_JE2*Z%q!;ahS_VXW<} 
z{t-n+7p3vHMY)3VTChHnv2NA?JP&J!Ku5V8zN}cLI8%N`MUZR|V}nL~*2d%xH?2WN zRcjH`pWRx-KocGXlb4w?l56J8B6$2Y@w0#dXY2+X5T4&IqJ_FwNftYJwIGIB#jDv> zDkxX@PY!tVHwukaJf}$F#Ubt=h1&WOATQEmi|0*Ez;xX<_AdulLp^kfJ)BbEIL}W?6-PCWKK59*fc;~en$RP@pE(De5p4YqfO(o}sEk}{O z;2Klzhqi0~I#<$4lK#s50C2HrGj#JAFDIjjyX%~h(B71bg9uoFHrQD-g^@nVYsh9@ zvl?Qt)T#i5mt~h_k`q3#$+cOD9K9S@&$AB$s!6VvXbACqo(H&c*fTK!@(tu7ZoGpB z0jNaNDRP-w$;vL|Ovk=otyRC6ls<2`jUFn45SChD6ZSGOV8RfZ%rG;OR4*J=3;>Bj zV|;v013r78Gd%V8prwr~{kYi2->c7;$248vGGiZfrool!+O}2$>UI0 zg56A-bPTm^0Ca?2Q${tjt#ItN6l3UjBcvU8MY+h`XdsiD&(eMhmC}63R5yC`$I)qR z?Ze3;xI!bThL57D7)Q0Q)FJ<6VznO1+CZzyyL9@Xe{7DL4^)Jd3!u2CA(mD(roqe5LFEbO0s6uenKf1ZiYFGh>pZY`N~kd>~U@ zpE$wf30x&cdJ#{PedwUL6ncz5s!+J3h`Ic>?scEM3)D(lPamuuv3#PWs=% z?+w!50ovuSkS=~uM+kH-CIeldhImS>BaN&wn+*@;$MSU%_})9I_!+v##pqsJT7hSz ztfh91EMyPRa&h2DxZ?L&DUAL-%C1E^pk9+T{3>h+Z!facg&wHQPxUpCMTjA8r%j;& zS7s#2nTijh0R|{W1%w+JVq0B6I#!)eYqJo77P=YO*Qd!L(u!{I!+Z5(8gp_h&mRmwv0hVObbGwxIge!)o?krm2R*wIk-JsB# zn0$=}kbhs34|GsRLJP;AH&j3zjg~A29KR9Y)Y;zVwPVxeatFvz@JgPyT>zLk{2V)W z6y|e)I?|=vm*Nu#{Lyc{ekY`I-0{La5?ina)pQ$E$(YSqDC=CA7?AEwPR-{N;^%!# z$kNG&GRLwlUR%xws6t@Cy#^$dOHzPS;Zk$F%qc*>tB@J_+XJ#k78`K5IyMzQWjpD^ z@wX7v#rhxm5(t+562CpZ*?-GkZk;gzl8l~_SAF#G+3|V*XC{*u2ne0%VUjd>8ca9- z7MeCm0ombLA{N+I;3(!(iw@M5J7U9=_+MqH$G86vWbZ%g#7@5b-!Yjv9v){-)t3L) z0)iUK_+w8>oh25l1L8d!S^d-+SU4&7Gc!Rj^plvp`GK;K@l83~iC}>`!G$pq>Q=+E zA)CG<%%={P8P_xWeq1F)p3vE=)|L=j76g%ivbGXY%@oKU}Ta^Ew42qpxwLR zhqc%DF3x4i1Cx&A2t+{RlC@?_JjSYiqHMLK8h_1~X0LeF$}fXKaj1+1c;o7AV0KIR zSiEA%PH%cccJE*Dnsm%wTOBrUwU!=^k-1N??{@g>czo69+cg+Fh_To~$=%PLb`mfn32mJBR>w*g@?KAKH*Pe~QVuB2 zB_|qCDm~smWm2fY6Jv_>`db1q%?9i>6QSaMnb0u$w=~xU@?VkP|Ma8($+u$)eY%e) zA?D$UrocrCh+`c;)nA`o9gWoEaRGdO(T4m_%KP76dqU^~g;nQYW)uep>CF5KocgR2 z1ZZYXpXjGw2}Cvn>giKLT!*43tEB(qNH`8Z9DjZt9smA6{LvZLDQxOhyus%2IjYK9 Kk4hBH-~2E5fU&s% literal 0 HcmV?d00001 
diff --git a/blueprints/gcve/pc-minimal/gcve-pc.tf b/fast/stages/3-gcve-dev/gcve-pc.tf
similarity index 62%
rename from blueprints/gcve/pc-minimal/gcve-pc.tf
rename to fast/stages/3-gcve-dev/gcve-pc.tf
index 2cbd1e1e21..c7ea19fc19 100644
--- a/blueprints/gcve/pc-minimal/gcve-pc.tf
+++ b/fast/stages/3-gcve-dev/gcve-pc.tf
@@ -28,31 +28,40 @@ locals { } } } + module "gcve-pc" { source = "../../../modules/gcve-private-cloud" prefix = var.prefix project_id = module.gcve-project-0.id - vmw_network_config = { create = true name = "default" } - vmw_network_peerings = local.ven_peerings - + vmw_network_peerings = local.ven_peerings vmw_private_cloud_configs = var.private_cloud_configs } resource "google_vmwareengine_network_peering" "vmw_engine_network_peerings" { - provider = google-beta - for_each = { for k, v in var.network_peerings : k => v if v.configure_peer_network } - peer_network = each.value.peer_network - name = "${var.prefix}-${each.key}" - description = each.value.description - export_custom_routes = each.value.custom_routes.export_to_ven - export_custom_routes_with_public_ip = each.value.custom_routes_with_public_ip.export_to_ven - import_custom_routes = each.value.custom_routes.import_from_ven - import_custom_routes_with_public_ip = each.value.custom_routes_with_public_ip.import_from_ven - peer_network_type = "STANDARD" - project = each.value.peer_project_id - vmware_engine_network = module.gcve-pc.vmw_private_cloud_network.id + provider = google-beta + for_each = { + for k, v in var.network_peerings : k => v if v.configure_peer_network + } + peer_network = each.value.peer_network + name = "${var.prefix}-${each.key}" + description = each.value.description + export_custom_routes = ( + each.value.custom_routes.export_to_ven + ) + export_custom_routes_with_public_ip = ( + each.value.custom_routes_with_public_ip.export_to_ven + ) + import_custom_routes = ( + each.value.custom_routes.import_from_ven + ) + import_custom_routes_with_public_ip = ( + each.value.custom_routes_with_public_ip.import_from_ven + ) + peer_network_type = "STANDARD" + project = each.value.peer_project_id + vmware_engine_network = module.gcve-pc.vmw_private_cloud_network.id } diff --git a/fast/stages/3-gcve-dev/main.tf b/fast/stages/3-gcve-dev/main.tf new file mode 100644 index 0000000000..4992c53667 
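Review bot: The reformatted `google_vmwareengine_network_peering` resource still reads `each.value.custom_routes.*` and `each.value.custom_routes_with_public_ip.*`, but the `network_peerings` type in this stage's `variables.tf` (hunk `@@ -47,46 +31,25 @@`) drops both attributes in favour of `routes_config`, so these four arguments will fail at plan time with an unsupported-attribute error. Point them at the new object, e.g. `export_custom_routes = each.value.routes_config.export` and `export_custom_routes_with_public_ip = each.value.routes_config.public_export`, with the two import arguments following the same pattern; how the old `*_to_ven`/`*_from_ven` directions map onto the new flags is my reading and should be confirmed. The `locals` block that builds `local.ven_peerings` starts above this hunk and may need the same update.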
--- /dev/null +++ b/fast/stages/3-gcve-dev/main.tf @@ -0,0 +1,51 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# tfdoc:file:description Locals and project-level resources. + +locals { + folder_id = var.folder_ids[var.stage_name] +} + +module "gcve-project-0" { + source = "../../../modules/project" + billing_account = var.billing_account.id + name = "dev-gcve-core-0" + parent = local.folder_id + prefix = var.prefix + iam = var.iam + iam_by_principals = var.iam_by_principals + labels = { + environment = var.environment_names["dev"] + } + services = [ + "vmwareengine.googleapis.com", + ] +} +object({ + local = optional(object({ + export = optional(bool, true) + import = optional(bool, true) + public_export = optional(bool) + public_import = optional(bool) + }), {}) + peer = optional(object({ + export = optional(bool, true) + import = optional(bool, true) + public_export = optional(bool) + public_import = optional(bool) + }), {}) + }) \ No newline at end of file diff --git a/blueprints/gcve/pc-minimal/output.tf b/fast/stages/3-gcve-dev/output.tf similarity index 100% rename from blueprints/gcve/pc-minimal/output.tf rename to fast/stages/3-gcve-dev/output.tf diff --git a/fast/stages/3-gcve/prod/variables-fast.tf b/fast/stages/3-gcve-dev/variables-fast.tf similarity index 63% rename from fast/stages/3-gcve/prod/variables-fast.tf rename to fast/stages/3-gcve-dev/variables-fast.tf index de32e273c5..afd625ba92 100644 
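Review bot: After the closing brace of `module "gcve-project-0"` the new `main.tf` ends with a bare `object({ local = optional(object({ ... }), {}) peer = optional(object({ ... }), {}) })` type expression, which is not a valid top-level HCL construct, so the stage will not parse. It looks like a pasted draft of a route-configuration type; delete those lines from `main.tf` and, if the `local`/`peer` split is the intended shape, move it into the `routes_config` type in `variables.tf`. The file also ends without a trailing newline.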
--- a/fast/stages/3-gcve/prod/variables-fast.tf +++ b/fast/stages/3-gcve-dev/variables-fast.tf @@ -14,13 +14,7 @@ * limitations under the License. */ -variable "automation" { - # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." - type = object({ - outputs_bucket = string - }) -} +# tfdoc:file:description FAST stage interface. variable "billing_account" { # tfdoc:variable:source 0-bootstrap @@ -35,30 +29,20 @@ variable "billing_account" { } } -variable "folder_ids" { +variable "environment_names" { # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - gcve-prod = string - }) -} - -variable "host_project_ids" { - # tfdoc:variable:source 2-networking - description = "Host project for the shared VPC." + description = "Long environment names." type = object({ - prod-spoke-0 = string + dev = string + prod = string }) } -variable "organization" { - # tfdoc:variable:source 00-globals - description = "Organization details." - type = object({ - domain = string - id = number - customer_id = string - }) +variable "folder_ids" { + # tfdoc:variable:source 1-resman + description = "Folders used by FAST stages in folders/nnnnnnnnnnn format." + type = map(string) + default = {} } variable "prefix" { @@ -71,12 +55,9 @@ variable "prefix" { } } -variable "vpc_self_links" { - # tfdoc:variable:source 2-networking - description = "Self link for the shared VPC." - type = object({ - prod-spoke-0 = string - }) +variable "tag_values" { + # tfdoc:variable:source 1-resman + description = "Root-level tag values." + type = map(string) + default = {} } - - diff --git a/blueprints/gcve/pc-minimal/variables.tf b/fast/stages/3-gcve-dev/variables.tf similarity index 59% rename from blueprints/gcve/pc-minimal/variables.tf rename to fast/stages/3-gcve-dev/variables.tf index fa0c99e697..833e112c1a 100644 
--- a/blueprints/gcve/pc-minimal/variables.tf +++ b/fast/stages/3-gcve-dev/variables.tf @@ -14,30 +14,14 @@ * limitations under the License. */ -variable "billing_account_id" { - description = "Billing account ID." - type = string -} - -variable "folder_id" { - description = "Folder used for the GCVE project in folders/nnnnnnnnnnn format." - type = string -} - -variable "groups" { - description = "GCVE groups." - type = object({ - gcp-gcve-admins = string - gcp-gcve-viewers = string - }) - nullable = false -} - variable "iam" { description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format." type = map(list(string)) - default = {} - nullable = false + default = { + "roles/vmwareengine.vmwareengineAdmin" = [] + "roles/vmwareengine.vmwareengineViewer" = [] + } + nullable = false } variable "iam_by_principals" { 
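Review bot: The new default for `iam` pre-populates `roles/vmwareengine.vmwareengineAdmin` and `roles/vmwareengine.vmwareengineViewer` with empty member lists, while the variable's own description calls these bindings authoritative. If the project module applies an empty list as an authoritative binding (not visible here, so please confirm), any member granted those roles outside Terraform is removed on apply. A caller who sets `iam` also replaces the whole map, so the two keys do not act as per-role defaults. The removed `groups` variable has no visible replacement, so by default nobody holds the admin role. Either return to `default = {}` or add a comment above the default such as `# placeholders only: bindings are authoritative, out-of-band members are removed`.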
@@ -47,46 +31,25 @@ variable "iam_by_principals" { nullable = false } -variable "labels" { - description = "Project-level labels." - type = map(string) - default = {} -} - variable "network_peerings" { - description = "The network peerings between users' VPCs and the VMware Engine networks. The key is the peering name suffix." + description = "The network peerings between users' VPCs and the VMware Engine networks. The key is the peering name suffix. Network is expanded for FAST defined networks." type = map(object({ - peer_network = string - configure_peer_network = optional(bool, false) - custom_routes = optional(object({ - export_to_peer = optional(bool, false) - import_from_peer = optional(bool, false) - export_to_ven = optional(bool, false) - import_from_ven = optional(bool, false) - }), {}) - custom_routes_with_public_ip = optional(object({ - export_to_peer = optional(bool, false) - import_from_peer = optional(bool, false) - export_to_ven = optional(bool, false) - import_from_ven = optional(bool, false) - }), {}) + peer_network = string + configure_peer_network = optional(bool, false) description = optional(string, "Managed by Terraform.") peer_project_id = optional(string) peer_to_vmware_engine_network = optional(bool, false) + routes_config = optional(object({ + export = optional(bool) + import = optional(bool) + public_export = optional(bool) + public_import = optional(bool) + }), {}) })) nullable = false default = {} } -variable "prefix" { - description = "Prefix used for resource names." - type = string - validation { - condition = var.prefix != "" - error_message = "Prefix cannot be empty." - } -} - variable "private_cloud_configs" { description = "The VMware private cloud configurations. The key is the unique private cloud name suffix." type = map(object({ 
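Review bot: The four `routes_config` flags are declared as `optional(bool)` with no default, whereas the schema being removed defaulted every route flag to `false`. Once these are wired to the peering resource, a null leaves the decision to the provider's own defaults, which for these arguments appear to be `true` (confirm against the provider docs), so custom routes, including public-IP ranges, would be exchanged without anyone opting in. Prefer explicit defaults such as `public_export = optional(bool, false)` and `public_import = optional(bool, false)`, and choose explicit values for `export` and `import` as well.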
@@ -109,14 +72,8 @@ variable "private_cloud_configs" { nullable = false } -variable "project_id" { - description = "ID of the project that will contain the GCVE private cloud." +variable "stage_name" { + description = "FAST stage name used to find resource ids. Must match name defined for the stage 3 in resource management." type = string -} - -variable "project_services" { - description = "Additional project services to enable." - type = list(string) - default = [] - nullable = false + default = "gcve-dev" } diff --git a/fast/stages/3-gcve/README.md b/fast/stages/3-gcve/README.md deleted file mode 100644 index 5fb0cd0b8d..0000000000 --- a/fast/stages/3-gcve/README.md +++ /dev/null @@ -1,46 +0,0 @@ -# Google Cloud VMware Engine Stage - -The GCVE stage builds on top of your foundations to create and set up projects and related resources, used for your Google Cloud VMware Engine (GCVE) private cloud environments. -It is organized in folders representing environments (e.g. `dev`, `prod`), each implemented by a stand-alone Terraform setup. - -This directory contains a [GCVE single region private cloud for the `prod` environment](./prod/) that can be used as-is or cloned with few changes to implement further environments. Refer to the example [`prod`/README.md](./prod/README.md) for configuration details. - -With this stage and the [GCVE blueprints](./../../../blueprints/gcve/), you can rapidly deploy production-ready GCVE environments. These environments are fully optimized to integrate seamlessly with your Fabric FAST network topology. Explore the deployment patterns below to find the perfect fit for your use case." - -## Single region deployments -### Standalone VPC for a single GCVE deployment -

    - Standalone VPC for a single GCVE deployment -

    - -### Separate VPC Environments for individual dedicated GCVE deployments -

    - Separate VPC Environments for individual dedicated GCVE deployments -

    - -### Separate VPC Environments for shared GCVE deployment -

    - Separate VPC Environments for shared GCVE deployment -

    - -### Hub and Spoke VPC Environments for individual dedicated GCVE deployments -

    - Hub and Spoke VPC Environments for individual dedicated GCVE deployments -

    - -### Hub and Spoke VPC Environments for shared GCVE deployment -

    - Hub and Spoke VPC Environments for shared GCVE deployment -

    - -## Multi region deployments - -### Standalone VPC for a multi-region GCVE deployment -

    - Standalone VPC for a multi-region GCVE deployment -

    - -### Separate production and DR VPC environments for individual dedicated GCVE deployments -

    - Separate production and DR VPC environments for individual dedicated GCVE deployments -

    \ No newline at end of file 
diff --git a/fast/stages/3-gcve/diagram-0.png b/fast/stages/3-gcve/diagram-0.png deleted file mode 100644 index e91d5a5c31312ef30f5a58166bcc748bad81b4f2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 42378 zcmeFYWmr{h+b&8AD2it{|LYlJB&NTHz;p~Aqxpn;^tRbXJ?!7wneipWU7|M(M> zCIkP#I;u#C!c>kD@4!+^v^)ZFy;G9S6&_T3D0xHikO#YoC-gD)swzk1KfKp9Sc zsj7^LC@z6eh=NQRuBlWICW8~pDB*Dk#<74441|7Tb-lmmJ2rwt+55i9spOK5PNK-wUW61F90NExKNNOY+Rop4w#S2$~)o`mt?@2CA9q3O|#@z*>4+~+rmZLs4!U-TXR?SIYUVMLPN0sOz` z_UpdYIs{;T4dz#!|C{;w6(-;OuWRx{;bj3HS8S~<$o@YI{WA$*_|A7h168=4ogHae z*-txy?xz2KZ6_g$o12?(g*x9xE=YhjNw1W*xtb2kV8>Hsez{?BE&@){=I%XcQ|J7Pz%ieHy`5PCS5gw zEG`b8uK29xJ`PLS-Y@-`5auU)MieJ2ECx=QRRD+$Lq2@iBGgg=jYwa-jD3geg@cCXWcBFaKp;aB}4L$iR8O9eXg1tvK;c;vFsmkemO?1z}7%ytcYZKFGau;Q-(moNJ)md^$upWiRhwp(L#?8=blNm&U_4cKJsQPa#RZE(WJbzU;@7 z9P0F$5ypSpTs0nGt0u-;9*Oqrx^c)URA4?ff|@N#yKCC<8rt#pG*rO@KZaG%#IhO~ zm62fWyNK@ss}>~~1OjQ+{9wxva3x)OLMN7N}emay)}pko^k%trziBZcuKe3fhkt(Nsi&$@m-vLHO5;dLrdcN%&F(;nmbvJo3LDbnoj_(9I4PZElni5$bSr;GJl`UX0dgH1oN36M+!hUGc z95*meOy_yxgJwW~j{c#Y%bsZ_R0tj3la(lU65ht5Q|z(XqMt>dnwgFerK8&^^wnXf z-46nlE$_!~p-UgUTRb}}L}{8juJNWQf?hCzPTgGh<^wA3_d5B+9#K(K^J>(-%4Ajb z5W2mDR|<6NTG#Kx-0lt%jm^mT(A4C{X?=n_UvJJ}d^x+4{PwcC5fhhy9)XA9C84U& zJvIqnokT?%SGDDsUX5*q`eS{4vfkd_?uCKJ%F3?n-b3P`is8P0C6c-K4`Ff$h?l(f ztRRHp*yYg|Xh#rHWZR3Ddo=xJZ!ArhPQTXUuT0Yg8K?r&o~zAPtgA)-4R7d5dSuCO zw?(!aYyx$5YVCY;**Mz=R$Z*&K9Keq(*I=qkS1JmP!)W=OeUtIex%2rJyQGBZLLvUt(=zhgBf)|SZ6x_m z#cNmnt*LKoL29$*3!#&yqw4_|%TG^Ib%q$h8-heZughjv$7A1aPnJFE?gX_oPs1TguF-u<6nvCbUtJbJM zBXt_9y}oCMMk{vWPtt-cOjv{e&QG0q4~C`uKM^ttdVbU8rP^L8NBGHQ z=S+gG@>y(3nsVv03xBHF4<$Hpp~)NSosL_tn(FtFFBHZ^zOTXdWJ+(}Y5PM1JlF2z z;N8@~2(K4O3slv3nwWAR!kJFkA9p8nWg=C$_Zmg9#+*Up`f=m&XsFYHA2+ne;CT*;5NKiM*d=IDBY2e&s(~T>G zs;Ifn9)R5}kM5NU>?lg6Eye|t?rVrb(8>DhK4;7P-}lI;Id*fBNV#(%v^{cBDOXyO z2D&4x{mOv-V~h>E(HBB0bz;sui9rE=vU-G%s#0sqHzsCjb%S%{ENCqqv%(iQlxFFP zff^e+!XC^|Xy|%YRZmy=8`toz1k@(V>{Ms31Fp|@4Z8C5KY?sT 
zjVJ~0jN?L~dhK3_ShJOH=VEwPcX!jZkkDM0tIZ#e?IcbO{0qg*g+F*5Rgd8IstcIF(FsQ`O5K2=*l@ERy;DaJi{;8G)c741b(sg4A0Tcywr3f zKohVb^xK)p@rF{As#mjqy>HnAeUZfs=<*j`Z?n8qM7*4Ds!w}w6L6`FVW}teqj=9xcyIKT@~8aC2*+1g%dD7cYfC^p9eWT z=gh>7r%1eRZWZZCNrT(jpzn)Aq_|r+t*(Zqk#X5bqw06LLxai%y$;`aJwJZIX)y=0 z)M`AX#Se3Nk66{On8t|r>7#Dx`uxwDF6WY~2? zrtg6@??JB=NelwRFRy{|mz`oNa`dZrKDt-m@JPho^^+w+{U?xS3+$y4qO z_SNy%ISOIG1|BNOVeCeJOU>?b<3XK|dXrnaLJ<6HHs{_HXR2_h^EL=pILURdsG!K` z-d{|!)rN{uojH1Qgec!lGlkr1>p);{`IF-C)jm|tQ#Udc6T;^L^)!n8c#6-qR@gq4 zFWOuy>c(Sz_h|Qi`Gbbu!DCxn+u^iZl2@*Keo2Zv@HKkv4o_VUm!h{k&xGxiFnxZy zQ~a2z3_{=6=^0pfhR>$oAE%#8#m$YU?TS{(!ij|FfORE~!O4l$6>u zlu`rck{lFmSMrs+^%~@$e>aXK0;RhSYDFnWv$DL;t z$T6QoU|)Ry%7Jz2A_>+4qeM-c01f1);a-6M3>|FyRyWe6CtOUDxZT39LqoEFn`4?j zSbY|GtUYELsx4;7>jlFQ;S0C@6y)Q>UQ`5U!DHrm9@O9*a<9kwlWia{P@MRs2l0Z- z0k(rogvB${T5^u7z z-D%022J7CNh>rA|Pnuz=>Ol%T1;7qHDptrA$zB#vYJKNywb1;m)nz{@x(cHW+=fX; z#-`_u>wLjlq?k%xn)ojtW{1@Q$lPnm)ItqHx>1@izh;PRYhmbN0JV1YP^jg_>!xf2 zT&iF(FMsSVMqDQ3OZU6oL}>fsC2xU#Gjh-O$HJm;Y9d{BO!_Dvjn;3(YQ*^5J$W+WntSrtufzTFV3+DpVH*@ z+S{YhE9JlpC9<##vAwS46@4GjC#ucql(u;ei4Qoc&Z871#<_tx+nq_88q$68FKEj0 zfZ+3oeo;FKG~4I7t?lmezK5{HN+TYsM27I-GM2ClW$V zAm^NoJOWEF7}1LwaY<7@|7+3W4@A_U_BU0n7Wbfey%yG2u>E1qRVyf{^$GF`;>Tc< zw&II9=lQA7`+B8Z4>$Cp+updB@PBU}3{H%cA7Ey(0L94QO{Rv6A_vz=4W6v&DtIqoL zNj9agxLma_kk*}0e)4Us5N3N`we-v``i=#9jeNH}h(8cX*1yx4cb;>C1wf~ZPS0=u z5l(_~-<;A|9kwZ{R5TILt`Z?^8(Deq8t-78+K#KdZxi^B{WKB5TI%uvtn`fX&&e}` zXeKLL<=r@kK~2B83+-f4q!bl7i`9?aDLTNfi&e1Oh|Z+~-Ba#_F^LIC??mFOhu z`KXIZPR9JlWOdrOk}EtYl-8Z&!+tb^nUJtZbtfp!;C?; zHgu6dY^fX|q@GR!W)}s@5v|sVdYXI{_>~CXW}slC{@w50%K7kn1Li*cmlPFE5t9xb z3Vav&xN-Q}Uh7Y`-HZHvgZ7`40f0d27$9T}n(ibLa&7kiQ505D|4hyC-|OOU(^3($ z=RlY5#Op~XA;Q%7qn`Q2KjfmBn7>ytZ3y5_CEX8VID_&Y6&&S5xgz%8Q-w)U78RNz z2yZqiB(lRzhq$Feo{yYp#<{1{6wnyWt;8RxXR*&)gIcj^P*CTQ?-Xs*~ zdG$4t{tfw)dQ=T{C6#mLI_ogMyh}PGGS+_Go<f2P&k|91QT-e5v*-&x$=JQ*Z}dXOb52DPa?O_dSS33vvRgEA-n^U> zB3a?SmrGJTbz!S6Iz#YFOHcWVX~h`0fB?ZA-w&0Lsk69n z_xUbnb`o-hHoRhF$R%szbGaMPOmU~|2E*OWbXQObff|yvj6hJO?4yn7tQB4vRY!qT 
zKeazr|35BLTaX;WBWr=l+RuOjO!}q8Uc#FYj3GI=M(hKFqZWHjh_z(Vsxp>x*aSHT z>mJUBN2SLlm};n0&(OOEM^s}!DvCMDFiZ0IkdWD?2kE!?ur}OoXQ#SV8tLeI+u<;c z-lDNZJ{o$I*d2;gWjw=J1|5A>jVYCVj{>mgnM!2+=f=Y~`v>l_o5*Fc=J>VY6Go>z^FNLM|DhhQ5lp*|ANMbV8lo zqpBQRM{FfTDx?}lwgzL7RHB>a9g*D@>kh+c1>36Z9jCZfEwzs#6e}dFHDF_1?>?!r zA6_~n>AkqYGj&z?y)U~=e~!`^#MV(OtrB3zp#bW{bM&aNUvnAiUkz~3hTA&S?<M|XHfdKRHBRu&g|w6Ig(bh3){<7sKI08jLKe!ngGdKZgs6gbLp zLId+apP)ikFev%X3*+%C#V*G$Ax5vqY;%-b*CNk0*lW9l6IcmYc?Frli2S$XRoWU> zO>OXW2N_a^E0_gE#fAovq`b}-aM;eDOZ4kJxOZ4ot9d=tt)l&XBm2whJ@O1|(zc-s zmYPd9I&DV-p>jJUnxE*1a4VwL(gl0`h{g;pdza;Q3LQeGys`4{uS6483cZ-x+OEAR zM)|79um|=l&U&jm=-vvS+040bV9Hia-eF&M4pSIJTG9d96CU7szXa1x2onl55OPSx z{PeYYmjY1cqB^&3d_+I{8EN{O^RW&rcdGVTgwg+~zGe$RIPKiWne%dv4!wqquWm89 z4wvg1uM2p!yyebfx!|E!u9iKp+a4{X9I`;lYCyI|B09#VZXj?zUK4yk$yp zG($nXLf9y+PBYVM^VvM#_a&hYX1J)Fg5@Z+H^WwcB;UPjFc^I7*4PD;z=#=a^JTgF zWb0k-;m6oi2w&w_Ox!cHz7%WyJkKC*QC<1iWjIowZM_;6GjzKJhp)%2XZ=3)T^Ek~J7k z5Y1uNU}SSYW2APTZXR)~njoi$z|Abo9lSee->$V{S3kehe&T+2epDsOE9U*)Awe%q zia$rvm6@*DB5e1Do#X>Ew z&EoT+?M)WcGtg@V=3t456`tKTKkvq<8t7(o<8kn)cqh@ULKG0hDE_ki2NqAR`#}}E zy6@;+F~Y#3J_KBBUSfAteNs*2$RV^o_;3Tc_%5ZgsZ^cGqm`NkQwptQ#&1<6`t-{c zD`XokUXhmejcb)Ns{zG&ILb3<$*$qjM^i~uedoKZ)&oCrd^@FfgJeVsIr7#zhaJdB zm%Zpus28WT-OR!4rG4yX)7owKV@_D+=T4`cmz%bavA7Fu(Qhe(sZ;~q_Rg!0EJm`B zPuZAzZx+xuj?Vi*Df12pf=e%-_51)c8+-QOWlyv_;p}xd6Myd`UZqEHyUcsDLu=&! 
zv1si~>64NK$JABk^=+S*9+5W54-y10#~WrnXMqFmA*3Ws<#&36GKO>;R&v4=4?1_w z-)ZS%PZe|Al#(L-rrs1wxqdq)7^xl2HTuK!OBPTVioH_V((3oy?H|QO4yvjuc20*v zp<(S24zDfpuIO`iMtDHi+F`%p$FF31r8_)QmV9(tj^gI}Q{(95xW0)y zq9ZjthSJb%VLyoY%X0$A@o6%Sh=VS5IRa~jVDR}EI8YlcU8l{~l=+v@QfQCP;d#kb zg8cMuUzm(xxW%OTt=|P5>*Z^Zx!)@34UT(yJgT}!m=aC4POg*L9TbA+f-)NA!C;-) z?~LFMubY=LiB<1arOrjmoCiL6BT=vyU>>YQc5hC1gw@IESeQo#o@;s7%;I#trYdj5{iW#{j4^ zB3=ysgJLpLf1?KF;|^%tJ9oF^(|RD+d>lV_+i<8`ss3wWl%y81mgzi&X9r^@gET0?Mh>{LTiyoX@L zQ9KJkI~%D#RmM@d--jm<{I_Yn!xMwFUe7iY2pV!v+1T*bnx=;~wR3GcQh>+Kd}Wb2 zzU$OqdOpeKd`1+Bx1~Ughs|#=NAMHcSL}9s`xzOP5wXqit-xqGzPd-*7Z z$I)vO%f)BywJyKolUdemsry{AurW}RZ`v`6tS#$pCtewk&PKQOyT;AEKZiyf{`=7W zT@)Q*4mNiA-ferlDWxi5>~s?>WM{R4-uB9&EoK@2Q8ae!3e%RN;b+&$peL$=M51lZ zBPvgb?ik)FdSQ64xM9$Id5!HL7rU{z35|og>|VTLRIg(CmPXmQ?+NX}nCxE-nw27F zFJLF_74H$sAxA|BGC0mKH@bWg=Af{%cPyq^zs=Wn*F}wh`=r0YnW@*#Dje$Ik>JNt zFiUhA*TnLNYVf}JLt+U2kQe}=Z9&s!$*D_ynXl0WeeQDBx|2tOERjs1P9V%$xQl$T-ABSowMfNz zoN<^AeNR$%&$~wZ1zKrQLgnn*w_NbJS$&C0t6|im+}XmgZPw{B@n#u%y_U8Dy&bQ< zIU@?Dt^9teUIZ(tRf}@iQjh$7mqAY>IJr(n1Q}eVp7_F9Mk^EiAqZ1Cee#7S5RtDY zMS71mC05o0%pFgQ;o3CPv8#ii+HXUXoDKvjjkt6i}?A z|0|mGq>or)dPrb~v7x=*{Pq*UiUK^N`Jv}ZCpbC=#rUCxBC8W2BjESl00e9QJIpdg zP;(*UZzTNj>|(1Yg7ma8@Ic}^z?18I2?$ZI6!>a^i_S|4c`c93Ji;sTy$nAVb=!A4 z^`{D*)1NGXb+|0?>%OGTNdfYTk=j*OY$4A|dS^XjCuCQ9e?%%>=+~@Lk`sjL+^Xa{ z&jEI8J(h7Xh)^!lsSCu+`uGqYCQGe<8LZ52N@3*oN%j3kfDs%wWhcavYP{_kt$_*L zrc4#r#|MJX_|I0P>o{K~O2iR`N7$ReHE0eF<-$I2I6yBOyK8LnME6G(p9xdCjZcL7LsM%`7I>=B^4TyrvR!23_#b5q2Sqc^inQMfySn& zI(0McT0IG9Ii3pBZl=8pvWpCk-W^29k^?p%(H-FB-VQg$BV7&hBW(m zHkC>!|A)uoKd|&ssSLn$W7rNt%#GE{Zed~)1p2-2 zT3>Osc_WoujomDnSlaGL3yv<@Z_Seg_iHvnBQCxY8JOINp`xm? 
zdTu}l);y}-SCbWourLKBSGxPMNGHm0%3yKsvigv)l=b zAo_UBE!-WNF1@2^YApNdT_qI-p z$K31onal|%N~6% zQ`nukz;o17$3gIO4VPj%qg?U9DC$j>#Uow?P@~J>xI4A=AE|dPQW%_W1paW?3-8Zgl~h9?OE0H z>h{T7kFqp9NQ#fOfJ;S2UJ)}`Vd8@q=9P4(Ucszhe*e`RCt%#aV;-I<^$v?x`}4HM zL)xJ{X?iq!ZlXxQLg|sv#xOO)Yw_6Lkh1WdVc+Zj98p8SXJyRmDP;g{Ukxc8Uw!Ob ziRjDA+Bth}quZRK)iF+KXk=5NT_M@%V{4pn_1!IjUI*oXH0$fPsk+z+gU-FMe5KNN z0>sN;L=q1u&hwvVm$CHvg|z%&Z*g^=NF)-EHs)adbnNN3w-B9rqt3E3&XoLof~&10`9qMXng@+3(B3 z%qD6cy%&ox80Z(8Xjph`RC#c~Vp(%mRd{rKHlRc1%Noq5n((r~PML%Adha;k==ia4 zJolI&T%@{nmcX&V0|$8hgR>hzNvm7>!cUSnji3F>7rzwP`Lur&*zX#6poc88hO9{m zexA+#rOl3S7gIfCSJy?;&~*P9Gq_>biW*#(qNXdyDUJQC&Mf45WPW|_F0+Zy9%~G` z$HtgHyIbvkcF5~!EVL*fpxg*zijAi1)|qAQJHBo0rBs#ZmZiush>7`{0RdRW#$s3x zJtpq^)<)YLr#=hHA-S7{PbMsJ@z_c=9&hUQ=cR^miYPvF_BM;wzcR{BFyr`m_60xm zWs3+!&_uhGkP`LFVyE4C6D!RcWR3~fAaS9|vJOl$g$AI?Yx!*S`FS^lDS$FL_dj_! zBNpYGbSL&sVpu|<2CY0R6AzH77kQXzgdxxLT68z7O=Q1#E}rvHu>x#|%dO?DA_u

    oAK0J+(cP-r;~WiA3b^nqwWwQRZ7 z6$9wZqSvmY2O2&5UQg~g0j-Sz(Te?xZHp=v7L4l~8(74|8L2^|$s8OU$f&5;OrPdo z(a_R{C)(6&S5&y}LvJ>utM=38k|46m3noIoESobQr!3T}W(i0<(FT)Os`imv&$Iqx zuI_H1Y6S=XVu~4hAT%SXzJlUsc6(D#rz-VmXSF4k!~FHKqpI`n!~97|-phY9`W2`x z;{zJH6r^3YMl&PcBR=k)oy7-!6zlN0Rcf%(ia7V#93~_d@WA!HhPqq5OxW73>gW$4 z^9h9%zEFQ7;C4j5Ih;x*cyTi1reDG`*&X!wcuG|BQUI z#N2vqjN^8Fg;Dv3P>O^GuMeb9U_inj(;!k#4wZFnyAHT=RMHX6(QE@dBN&)f9u+IwVA$t zzcrRU5by{?sor8*4i@aZi$_UGsZ^>$gG(P%qr&LzvOmw2z@(utj9B0x2T2FIq;TjI zI#*W6o-(Nq2gjV0>w&fRI$RHz*IUVaE=3ZAJfLPZV~_D!S4T7X=wE+K2o+bwO@S23 zCSzh^lAnXZ1nJC+w;jF@C9Z95B2BiN^L^BCb8EW1nJQJ427yF?X$bQuBuGy&h1?AS7MGq3ul;05~^M(i0-jiFqTCoEe2H zMhR$}56537u&F+o;5Y`J+SA9>D3MU_rWtxE$iaZvdXX(*k%q1~T^8E;-Y0sB>W2-p zimG!?hpp5S{&##-2J*X#$-<4HdU}LM*ZB@XcEqn-P_SkXb1Vw6OOzT?=p*u4TQM?3 zbiJ^DOwmWMb=2(@4mxjzzuCsoQ>=5k43Hd54N$b0ZB`D z0xLb)on|+rwq>GZyVS%ro=JqR1G-IFsuS)L+NOFn|t`{sacqz)rmm z9}?5CtiErb<2h`X`6<3o@8P~C74+hrDc7R<)^4}fy}lwA{N(ejw5`ttnq}rQO^*tR zq%S6L4KzSQ>rk6ZT2ulRcxXQ3ub8DS=mY~zKo{nsqotrCejTn2B!_dJs2$7;wBKIv4w5m= z?sXk?E!iEc%O4-kj9BLB?oiIvTyUDn7>#@^tZ~2LnEI$rw68PWRad1!&dDo0$m6Y$ zm#JEC(R#Hzk)z;VBT#6`b71s2e4l^|`tnqS_Y&`%5`0d?H7a|m0!=`$n<`N@I%R9W z6b)sd!Cphbp*8qu5jER`78(u`KcYyjvFk)bvt_)$|pz zEx)wnv5_))Qff8PM07CFzp)qe%MZiqTesfRbw_M1Y{$6eL;Q05SR)y=5DD2vR1r3vkD-^$wA`@z zUahFv?JKihnCR_6G{3kD7wh8HG^YnxPn!I5mU$@K^!ES^K};h)$4$9o0h;h{kPQ86 z&-LCgBmcB`I>qqZPU>_44=AQGWMd#Y!f>ES+BTL_qPKeO$8?z~DXoN_{9`rcg5-k6 zcOz+{c^m8N>;|1Ma;;IX}QgQqvAvw(Db8Msjbh~0uc$0-|@)ZS|HMTPbnfZNm%N8HhUMzjb0np zhxT5(dFH+TL=?UB!upvr9k*%}sC?G?RVd?AS!CsdYdNvSCTB%)6RGyI6{S(beBaJ= zcs`@s%^rdi3%VMN@DqiUJDsRly*Q`}4QehZV2F|}>})2J?s;Qk-~dH<4Zz|^bL4jF zLnz918mzF^WqM-3U~mvKgx!efTrO5GJPwah4O!pks*nJ1>wWE-!Ph;(Xnk;+P@a+W z!nMyNubevbBqDkjb>gAiw#&pqw@@4)&d^eJe@SM;e{Ly5yF+76yYuAnW3l_Y+rAD4 zGBhcltxVTmnW3Vq0qQOcS++1%w8(?0Qk+mGG*ePuyPQzQc=7nq`?Fd7ybp?kSK`bw z5~2!5LT*O}6fI87)Gc+2^V~v(v!vI-!z+>h*NjjX$!*QY7)+#5rY0KtW5;opyV*ST`sbJS$C6&0Z9H{EXi4RB!RQq~_@7rL7r0*iSfUJ$+<}Ktnc_r1$lUVDJoKUpT_r_UA8}jXN=#p%&kovX9pIz`dATCcX#Vxo`0u 
z6ZFF2#_sIV1WB*>If;0@&c8o*I-EnEW=u}#?^i~x{gn_J@N06LD>>y-f(hc0xh-ep zn2{tLKyY%;0X2}L(cSS!0(6j{!eNr>RMK~A;n zHSc`^H-#tQqNySYc@F)#r|~p^2o_Pn)F5IrAO{CJ{8ph_9Hn`cO4(jCopTzG!y@{{*lY)|Z2sqeq?U9YETAHV7V0=%raFT?fqk!9FP zJPcZEk@Sm-nZ+jiw^-Jj3BG{haT+afn2It;4OBYgi=4k0?bNgCv))nw82o&ihE=zn zM(+*OXsq~Dt>!jlY-9PBmw&Rw=J%`EAWSbT_R7UHM{M6LuN%UR&hr4DHC4TU-6H>; zn2~`BiHY~0dX69S&iA#EIHJG^dtNvo`#sO^A7$i5pKac&?*4V}e)T8vuD-wGBp zc$14jw#vPYw=oFeSEYKeJ9u@3B+2i8Vl?^!y{;Q1Xw3+@^=eh*qe&JE4R!#nE#j2|6vXQ)0*+x zqgD81`HN{OOiEk{>t+BlCDZA=x#-w`sV;zm{Yw!1Mb&1S=7wOl%Z;c4BFmE3%Dn>$ zXQw^6$vQs$Cqpg*$+6^59~sbK)ciU`UyHglw~3&Y1~|l%7~@uJ^~#h8;BzSF8lqGp*h~9IiggBL zwg0r4{nH1rhWtM({F_U<%zbT=kt4@=pxvpn3aZWkAK)VXN4^B=LUF%oHxSJQ4U^p0 zT-0mqn?_ASp1S-JS3)u)%X$$`gn^8MF@9o>128kV!;h^dJI>QdTN_Cd4_xo{BSxwJ zQuDB9V^R21VPp^E3BSssC+T^bqu`eUAA&@1a*`EI|DLQ48Xo>I!d`+O705O;8xK~G zh>zy;v=N-Jnl910D&!O~=s)r^hOPPx^e^=ByV4721>yiWsY!$#*9xf~GT8WG!fUxw z?YhH76q)*ltvu(^d+++n<)>Gd`=Nd^g+uD;mKUmaLdw}}T$})^Q3m}V2$JrHr3Z;} z-&wjA5ImP$C?9=H`E-uvnV=WH9o})DsCVsJ^PUv>1Q2B5Z>=&aKWfn=-&tRaJ(9V9 zw{zyFUE$K=lI$(a46Y4xaE}H$_P&q=qG(F~mT;0LzE`CBStHK@m~Js#2nqg)WWXh# zz!JG2leTaKIaw5RzR2`Q&woIrd_DYA`1)@j z1Q4i86Vi9oR%%$!cs=;fl@uhwP^ZhL)?Ce)Mohi%%N9$u@sdv%bk3h8Hv&dA;EK%H zZsjlHri6e!!!(FnPN5!1nS7A^0nxtl^Iwejw`gzoAiF-B)9ah?B(iK6wm$1)Jv4DH=Oi21oSviXYnpI8v$FK;-xkz&Jev1CN4GpJLxDN=w6hXL-%I zL74*Z2q6iiicHM`IablYtlAgTb4dG@6D^eyL3q1J$yYIDh zJGXnE#*_+Wp7P)9eOf25S#Ar%5c-MfxH;VQf$)W}nE211Kkd$byoT<5#d!d0H-{Z; z#%}X<=D??4y%YITHBLJ!av8kJ2{rZ`lH%gxIokCWm%t#7cf%>VSLJV7@l3uXNnD)} z;wx!E(ihN8+H2`4I1oE37yU)p8aT>sU%tSpriBH*0s%S~+#!%DGt*#p%j#Ki-U$Z_uISzYY`=6C0TyO-K#?q1Wby^}0-bWb!=8#_8l6NUdB` znfXcLtkeCSxBa2CKb~c=PNNM4E2{#6CH=fCn4NrU^nZHiUW~H6v z8MoCS?#zns{Tp%f5Ok7ofVSlTk2aesiRJwoH+6Tp5iJ^S&Ji(RZ~2hzqovuxoYJ|i z#Yy9#D!s{hpG`+Iup&@n%qCTvQeT*cJEU=0(kjR~#l5m$59C!&r5vDMrk+&`G3pD? 
z750Y{{b+uP`uRENC5;EFyt2i-Vza~d-p`Q=)lRt-snGy)O+|fe&j*SGYRYyON8LbW zbhT(ANBrwO>#D2mil6B^!&C_-s&B^!WZn_;SFXpj*zqdLrCtPWV1B!`6BfCYV?M!q zV;I!S8{x8%o4(F+^xo9ehc3TgA{t-WoSjrdhTpHiwp`FF&L0|y)svn+RchqE(X52x zbSQqo3--Jiom9>i^d?&IIz?;0ySD6GkdlxHyJ-cOD8n*sWB#E0!SHhSDVmd{$Y@;#+mlA#wDuJjM}CQcEcxpc-`(*u?R#b>$A{cGsN=WlC$ zCDNS$pG{^VlMwK|yV|nK27CuH*~7E!22cGFir_F;ZMePCA!ITAF;U(lnuIU7s{I;O z=;sl<;N>bj7GaiDHMkQ?$Qnb$Ln& z;$i0e8Ca0~E%}E?w~XQrJ)E41fX`328dNegW%GrGikQ9At+9yWAV9u&N~gre#wM5f z>M6k5q^zu%*QYHXj1C=0v{WYGJ8}0qoqVO+=Aa{e z1fW@^a_N{_{ij<-aO%Hdz+0xgt-Mq}PPlVgu(^4uw2X|nuGN$GUP}{oHh1F0g|O;M znDPsGArGVz|3t0X!K7vy5Mly5A>PU(X>R6m*Hu?ZK=iyy$K2*ms*^Gj}`$f#1IfV2sn%o&JUK-8uPOlH$g=_Vj!9eq#MN2NHJtH~#LCtx|lY>&+&;VUL8dIYGm;W#$QtZxG4 zI(Qw(gQ1t%F>k}qde_I5m3J6teAa?b)P*}zc{ zSPou?ZwP=?SfWuzoOIXxI9{>?frp1nA-gqd-H>9vb?vQh_n1DoVsEy$ImHj{cah+s zT?F2%?J=zZK7uaDL)A%=x)2uWbHuL2B8)zU@J3RjD{{wC_v7`fK;sKQDitLLR?LJD z6Bs3#HL)Nl8AZ%c*HR?QR^2gWMX5@W>A73^gOBsY4M%Au%b9+ z!4@_~t=a-)n6{rMUoN4OipM|7s={wbTG;Z$^G~*4q{Y39Q<%p`w4f&!zPI^WTZpVa zerGvVLQ#-#5F#B)hNs_hLBww0SAwzhmW0<1rsLTyheo&%B7Q z%$&#~_wvPk$v@Ga- z9r_qvU_=+}Q6Cy^nz$S-bf>u&kX4?B4PySx7REJVlG|c4Ux#uCzR+tRm3uBL`UdRb zeC!^L0zcld=}3u6LO>9zkohVsm(|IhNYFegX1U0kFJCR_W0TW4f{X3lW1z;?U7P(b zS2r>3XqHwqUj~0drvhjntQ21#@gFl@Fa<;~0BUYwjhcwTB}rEeTMQ-WnUZuf#y6HF zeJ}U!Ni4Y7vxaxcnxqmrNvDj!Rmydz;lV{8e3^Guu<`_Sm~Pw7Kpm-4r3YsBzINiE zj5_d^R`I>wp`&QJzgf8#&kA~sAHL1>nM#6?L0C8p4i+k$-H>b8p71^(pzne@s;(U+ zQksgQ(36meMjGP=^j?1VV+<6+Zr+kjfmImFjB;3O@};-OyG1Ckgc-zxLMIW(5F>J7 zLOq1bQ55Tyuzj}+C@T1qy=K}3G%YLn+uUd(MK}C1)Xhc8uGC=a6}3mG+~aqxu7|9W zFxX`wg~^gakRG_nTcYV8Y(y>kBatUN%aAzt?&f+5SzDLq01UaVH}x9(b)Y?p^w=`K zlXfPPy7T3Z9-mzB|J zlBOs}XA@_Ww$N(w1&^Xt4dYc!obe<|n!*fpD$dvwh=8KCJI0DD6Nr981l;d<1>JT9 zILd=r`EhA{#61?AMM_UzKQC;Y?KA}HyEognKlselK|ujG7!)NrWc>VfDR(1e1otBP z9InZE?eauwl71aLNF5g}?RR@z90RjUnOjgsz6v{5OKhNM3A7$?Yglc+`=Fk>_00`| z-a}H1E0NamCK%#y%9qUqI^0zC_*qSZ=DHE7Qlo+5*t0rwP@>6s2$7{4-zI&J4I)~S z9jDAHx~gzm5yO%VA5zIf-U7-kfbK;pCo21yvp6|0iL_spQlzlaVEh&XRLL;mLS6Zw 
zyU$eU^bK$hMHVDerw`>(OjFNr4yT?dJEi=Pv`kYaxW{xbbrQafF4p(h_IeTrbQd#{tCN&4oQC4R3B$wEf3pFfv8rO zhbj0K6?+tonIpE53V6_4`txt*x#MwiN|nY`xN zP|i5Y(S&Tue$I?$Al)13$Up;+8drR96g74NW%A_lF9z1vvS#+hF6m6174p~}Lpgxbr?j|x0K7K`)Hf3o z8`rOco3t~$<2*cf5|HCCmGv=PD^g}#FUDVb@#pajB{AmV@@&0@Q>Xe*tA=GgytiCe zU4tKkN-WvUmiJ~Rj6}BFY*JhD`lU|GM<|3-RWTB^S&qlssOJYHQhIW7J>KuhPN63W zk%b(VrpKj1Ew|Y?ptKf-utLeR0}~)XZAD_$?>#cLp3|Z9ebHK1Q7x$;a`+vqX0`AK zwfyEv=uuYS5l|u;RrWA%;*{sfmu8hnG8f{Uj}%W8PnnU+HGo~ZiAjj3k5`-Y#z&-~ zuh4B)c>>}dLF1kdJNUXyU>-<9(^8!8p+uc7o*n#Lb=)700C$3xu;_-l<)V;c7CIh& zF8_R?+EA>9tR*C0yjJ$&Gt|%TTLv7V(~6{3sc!1$SfBv>NLA~PFk8N8sv3snO< zn#VHFX9aVslKUYfV1tN(s4BrQv1o*?j{02b3VM`{H=2i7KyM_A4f2PZbmC&%idPiG zdanQ{ermOIPd$o3H~*+&R&>Ics81?SuBUCs7Te|(>%6OzQysEioy`)F@9i1B;Qdd> z*zCO7B0q$s2#6p9vRL*+%+}^edPMUe;JZ=D4I3}P?mPQKjQ~sO4}V}OtzW(m0_o4% zlBN)%v&;s!Y!gREptYORq)QtUI4o9`6V<#g7TKxDc6K(Bt<2g8*vPI08g^} zHl1X^Ysm@M)JcKUqHX!?CWOHxZgGWbS8j|#_=VhMZDb^@f(4Z;fW=j zA$1-FmbTki_~DrqWn!6>m59xR!cEI;)bv{vkyTCFr#09*6?;s|IhZ2tcbb#LJnW!Jrr zKOzdEfQU#*H`3kGNO!{^-Q7cpL5CnAjkJJt3Ii%7Ekle*w*x3Obp6g4@AJOvv%Y`8 zZ!OlW(KR#oxzE{WpM72X+WRgfzRe^ynz+yCY#$Is+eGdfwhB16`0gP zYhzxN`>9nHTwk!b9|xFPG!uU7$!ZiX5bQ{ahx7rRdzx^brp@WV+vD2_^zIiq@03U)uW)CW%~~?y1Mq#Doqj`B=9gUw>c@>Q0k|`E%^ISrfTBJo<@eD+zB8(4{XWhF66XDz zru+_Lk`@-U78Vwrq8znFXl(*uWq{hCd$QJ6j#3Ha%|D>eO;Iii_G*+(-D_Uut&Mjx zn$0C-WJVsxZ4yE>*OX>`7s?Pou=R+x|>-P7N{A#P-M5Z<#7Bg16 zl`N5(U*bMMLv>W6Fc!}(u43U0$g^>9aO@Q>6mi-ao>rK)*z_wfWrI`Q=CoYrt(G04 z!n9%d`?c?YNf|sal$FK&u0EktVIq8&MT>sQR;>7NWN5RzBV+%>>-!juhU2+sCVAne z?O-z-P43exrAf+ezQY$B(#m~F&F_Buh_YL*MH^V`=|T=;%sWHsM)%!8oNdtLMx&*z zz0-bqjz2Ook~XsfVorijQ;n`>nIhgewKjuy=0@h)&kx9fcz~hSak7BTvk)=eX8!8g z%PKi%5eeCbQ38Wbq;{O!N;-}h4 zX&U7w&8`>&Dy*}oC)#%!PL*CGcQXfm3RRuz>h6y6C~-1ks|R?rIWITd5WpE3KR+Qb z(yQN6=))R{YwXRWq@*kYjBcdg6UgGTzhehV%^fEquq-Q5{=_9ehTvtJ#OU4$uezFz z8eL-bA^r@;!hm~JwwVp3@;6JQ85@KVQ)GI(tzbFS3 zV->20)17nuUV7b+n6}}h@J8dP!f?8v)21U?67hao>Z%e{O|#?*W*%JwH8Ypw@pXX# zv}`8u6WiV==ZddF4h5-{!EqF#ptZx!i->7>a~mL|&^nD$owu|Fhl7H1&mon=n`pEy 
z6Hh7L*)h4*eo3hici$XYzpyoE)Z#&ej8zt(Wx?fI-sXWA9j#}m+6%dhhv>NmFT5b` z+$#0kS^SQuq(YM+Ko_F$h%s`-cP=O#m=;=cU=Cz(L`l`emO!zGGLWBZ zzv?i!Fkz+H`v!7f5M{L6elXm;Cj&*ws*GG!LUr!bhV{|y9|Ji-ZA8YcsU^#&Hb{_!N<*LL_D2GD2o zYd!G(1c5u+fXtU2pvWNyJZ`ZtrvZ~w`NPJprw`Q$C_rWwJW~D?Hd3%H^P1< zXLWxMvJ0A$}ZS9|C?2|$gBn!#sro2 zh0Y|Y@mu{Fulo=QI1PSmQQMasAP$Nw;he!7Q=i2e#Z#jOed+YaPyw+BI zX9kRp_v&plH=i%WjH4n`rW%QvW`*Emeg51R_#)a96}sy{%kvo?uoOmeU9F>yLKSKq z*Tl0=3g)}`!M~HPrL4|uKg%VqSn!7HILivxRlrwmE1TW1DqxR{1U{-+V`3dcIWcZt z;5)-D{lrFfGXmkb>+x2a=rFmZ-u)$J(=eL+RhmJx-r;HzbN?t|N}V_$RHQ`o8-g>xY#A^L^yH zzv$vuU475`=9<`z*H&Lmua@Y3NCD`yRUB8)GN$CtYS>3`!d2VNRyZ0K`U1c3wbnMC zq)#Q1lGXeB7pa);+*2m9;6M;R*Evt!1EQs&BnVly3jVEGza`vi3b}CP;d|g!?-w2} zP#&VCPH#r)ILXo!);>XC(8$lck?_JaIky4?cOinzmI6#1kSt!Y z<0Es|>P>${0=7@ikJ|b9$2-r(9fAHZk)%73e@9xc*;fLcQJ}nko-8Mf>l$pUi8D0K zw~VtNO)Re2P(?N!gdOH}|p}R(6?9Cyzf_dkB}IK+Lh+<4vib2wCK^ z=)@)<&0FX%%J>={E~qULwGP5TuoqN02QLe|T<)zC z_0XsnzsAlB>)nR*VZIJ!FJ~6HeHoCn|mZRASaFk$))T37;7!AD_;xgiP^(hNIVdeuWte zxa0y6<|A<_Ai=C4Dp9!aEr2|?l4Iq&6mc9rF-qbn2$OeiL-(mXy>Xp>!vp9lEkyJv z;56%@D+#li2a->f9`L<7(#q2vwLfATL>8VBlkKYP{bVsnYvS?UG zrPhZnw7Wj|y936C;D2J&8gN!G4C3pzx0*fgxaF!gG7?x8LznA&A8veC%e#9(pX{yu zKS zGFR6kF!xKG(;!QB(*wA@gAQsp#`=6W8zb9OS zst_;jnF*nTWjQ)(d{B7Nj<<39)oYsf_)O`SVV7+jB0OPMr5@;AB);c(c#gd`fg7m({FbGvA`a(IV_^2N_HC6LY9 zxLyTYG$`?JKp$OrxI^tpHY?_!h%+Q-BSxEZoJXvLS;iIU&QmeVOB=3F^=Vl91;W@~ zv+yei!<30@@j!8PcZufi#rSh2pMzKg&b$ydR9{~LF^RQA+%l-+RW)fuAt#GBmKkBFM~GqNYeqA|#X1#L zIGp_Zl4%+U$lxr|Fc*4?{gEI%dGh+1)J;4qRlYzMASauY$d|k2Fj1cNgV$*B0>m}( z%QtV{>^~rd!LAOC+)>_IGG=2! 
z7BVgSF7g&MDm$~|oRn6byu>?vWv8>3?-?{R^Q4=oj(NHAQ)oZb*>>w5{dx>@{%Fs(5_HOg7NU$5(>3JQ_mSNVz zAHni6*gQNQOop7kZJtgSszI%zTMj}3kiU3mn8 zhVvXW-w^G&((@pit)h+y2k2QU_=*LEak<1viZgK1YcsrE?&8`O4SSui9e#Q2%e(t~J$95|f_&Ea^4vF=E2ZoHD1+_3Y$O%w_)3iULG zfy9D5#g{To6?-6lUQE7~1hSM=)i1H$IVjRmuTQ*taG`1s#LXlkUL{9|08`v1A;Hd4 zW5P_|{SuG|Yi;e!WCjUhQV?s(Mc!dRXVOME(J%@!iq^~r5?k5=agIzPy9A33%ZF+I z3^o`Ka;o7Ez?#bMJ)OO;3q_KhPUgJ*>Me1aX>8Pdd~Pc~zw!1{tFwL6UF#2MMnlKaXJg+-B%|?~2arKRaAo3Cpe?>C z9&m7X3oldDm*WJ5q=TgLgj@uEIlZD988!zZ3|(2MpvzhN!O&H;DB7TotySx*!nU_D z>2aRQ_A2&1#D2N-1W4TXnykNa^X;l^BY8JbI z{R3~Dv1;A=v3mVo9(f~Q5Re2)3HeYAb%*ngs>pt=btlTXzy0;4U0nsagI4a|RImR= zC|gW=nu~xr%BCO{QAP~$`zWT3*n3T5!>akb*=rMaID2)?;it7kE8gyiY+yx2BmOM? z1>kW#WK$8nAb28LuN$aX^q`Y?AoMj(G6j->P#bPif@Tf6DOU2T$#F0s>mR^elw2v> zxhMj5{VzD)dOR!L-JyBiL{A}#w{or$ar9lIu9VQhr)6N{voaLKSFW`6;Gh!l?P&JN zYQKf9M4=G%8F&jK=jB<=nwB_()=z{`D$s_@s9{?r~KeG~Ka&&-@T8H48!{IV>eKERTX zIr{?+O6PG+Z3K4Sce63c8;U2Gr!0BLYg+a3@#X<_wv|MN=;FYhCX~e|P&RRGzPb4o z-(`#Enwlq}2nWYd>mZ`hdCI0DD-gmp)qUcRyLP0pJ1HPv<43 zy%?@0q71Mhn~H+eOE(4C`JxOLkw}tD_Y;8l)S&M`#R_9y@~J_!#WhgT;|X^JkyB@t zd50P_wtabTuNhyy_2|`UiBWxNWZ;TKUBWo>)ud`Xo06)+5XayM0n^0R?j(%q;7Tu@ zIveJ^joyHSz(!y!R*u1F#+)Z~Psw%ln#ZT-H&*k4XS@+xX(oY$hmAKpP0W9D0P6Rw7O0L=H}*8VBYD> z9A;+q4#|d3JvZLniLi3}s|9Ez3$+?ce%h;20FI7~jMjnR#ld;BMk!w6q=e<_6N*}A zLuJGEGzk`%iOHWPi}F;TYoz!u%fR~HlxQz>icD+Aw-%&YGrwD!)KsV-<2R#)!*OQemE8KKP%QTw!q>QNhd!|=(iw{0> zjjf?+DppTw{tEb)kFygh^ zqSUtrfDRD-k*ZlyyE5YliSXB49)8MZPy(w?Q>u|r^LYqr2nK?qTYA9AR2~xyz z*}y^=AE(^AN4hiJS!z4#W-`fvVUlrr@5SL`0iN2LSbF>|O8eQ%z~J}IMJq6pwGiH? zq{`>UVfh`+vs19NG&vQ18xh{o6#sX7k2v#dlT0pB6U=7M3YmGx2G~kK+KIduwpr63 z)46NZy+M~>c2~;<{@IcC#oj_VRd?;ML^Kwq-v_Uk36G2T1L#vL-PLcZzxN1Em<1&k z^lROF1&Xg!ra}OweP!6?_yFIAg=dMi5yeCMBa)ssHY4G2pX<;4wpKOIhq01E7@#i| zL{!|80qHH^$N)=({N6W?DO1! 
zS8h7&gccL>@4lr)CNfBWdGA7!K0dIPCYRDJXi$1X54qpnC1B8Pa(?@Y*&S?Iq_xR` zhJ`>_ypjMSXBulX{j@&jgEs|TmAe_^Y<5aE;exfWMCIX}Oup*6r@_xaJ2UCwC6lD$ zYRjH<^7^|9l$1#8i96R4TbOy1(-O?$QChTV&Y!S3Q_tKK@p&~!aBbFkU5|K9`uOXn zm!2Yrn+sEG20rs>N0GAF)TJbD8d8~(Agzs?0xJL+vf9m;j{urB%TRcKlAVpY=ESjZ zkr3|`>+N4h$96JGB%c)tUNcxylqM5r&(aBF(B8jzdi63Uyaf9-zpgE7Ps`@C7kxWF zEG10P4t>M*X^Hpwp1q5UkmSA%ZkVA6HQ*E|z&Uf~Cs4Au5z{9jCPcRIX3{SJD&mtK zTdMX17ysG`AAS!%1+B&#t662ID06HNwcgK6RJ}d?)nZL4sf+#CoPz0#bf?S-1A2Lw z+HowUD*UTj_lx+4GX(KL>s_AHX17>&x|*0}Eho|+)_2n^2I?$2xW#A0R-SC_44eFv zxpHvdaiW}i!%cj|*ybTOd;oj59szNT;{Mb>Sl)ygiJ|OXc(#4W=7QJkzh_g6k0m&< zSY$NQ;wzZ56lOA=6Ba;M_3-RgDxIlEFN4jiGD#tN7*l*=0b;T|8TFL>;(7LgiN?iJ zcZ+Q^{>9SLB=(0rk;ca1b2fh4uhEe8NTzJ;*CCl6hkEdU)#~8~F#nHXD)%KiJfTxr z_BOm3u6l#pIt%bC^-94Xr+z#Z$A61;?W1sQAsDB*As(Cx~ zaTa+fD{NYF$G}4%`%HkSzri}2zAahl1uZ)-xk6lkfRPwY>weku#hu4&~Zh2hwszPtV3jO7vN7#mB3Eq%z(E#W8O+OePpH zf{guKos;H*6r;XSgQ0IbfuZX<;S`nJxki9J(M(VR@87Yo;H47oR4r{1ID7=Zq(|^( z>r6G-%{t+B#1hNpNhRNwecqzrcQYL!FjtI$}QB9wDDNt_kLx7y~tQe zoc*-3n*n!8g$VwbJzE&?a(ejsGKEUeJ5n+k{)U8Ca7Jv3t1@3l1zSV_yW^U7T@j); zRmh+au}Wd%YSNSy6WbRd$#oms3c0_nt~A)~s|@FMH7z2TL&Xrb2!w}Uao1!zNSKeE zP-2i#|F$4Z(mgzP^5L$16t&<8>kt#wQB-unp%pv|>=A$9H!{yEk_rxu2FSQh>fCPt zha4<;Z1N@daWW)Bh6!1(sO{YxE6Mf9HSVm)+Hz^uX;WQj$1bnN{f$tubcCT#$2q-M z#1m(X4FTt_i5V=7A}8U_?k*a_gh#`xfqUoA%XCHVj=cD6vE5y-4UUO0MQE1$Zi`kT zM6q&CwU652B>)2->qz27nlvcwDQ?GpP zY5mkez7CQnA~IGm!~I3ri)+tO-&%d3*CoL(v%c4YHop*~ny2`TrENe<+q(C`$JL{{ zJ|Q_{0tNLH)A60f1fdwry}F(|{Hd;!QDAV_ufl`47pSXXc{8VUs48?Hg2dn3X!)#aUD~(dD6!`cuJ>jpLg^36VifKO`FJ*h68>y2*OJP)g^83hJIk0 zj|YX^NzW~BC}?tU-1#x=N^Zr#BE$o7f{{Z>;yA`cl3g(#-w6^ADLbgrz6jY4+ilIGAL@bVsk`fPGTYJ#c?D)}r z;Mq(trDbGp-@6wV5%EYiIYQou@nsx#XIEFgtV)c(xJChj9HFLIS)0a!^zK$HWFx3z zfPGA#9WY}{)YeK!Ns0Ss_(LO~WuTd=pC5^Zr4lvUz{4E-O;DJFKAc&~+j3wZeY=5Q zxL^clE9oO;RXO;M?0t0=*~My1dIknsc7|)Dq@?nJ-kLaVTl$hHW_nCe`-UAK!8Obm z7a1wz6ewn~v`9cm9$xa@?s@nNte9Wc(5()vfe}R7?piF$m`;k7hm?kQajb}3pL2de zWEiKjb{VOzX4Bw@Ha2 zzkK1M>+W*5J6v7N4fa_}LS<732CcK*ID(;U6#lX2AFA;^d5vvAf4iCxTUGqsCoqPt 
ziH}97Z%(P}cS0qp=Uw3$gLl^kZdn!BQj5n<%D#WMRA@w^8M-lu}qN2jjKg7lb2p0S*Q*~>Ye5Y8gT zdwNjVhzbDWrD*S@(|6~JF+9V}GwSR!tzu3DE!cOlLVw>OaF682xrwu&y~1MvG{4q65-TM!hk|@}E~xWo z2FhMuGFxVTn*oyhqCRZJvY_zh%Uf+Gx4h#;bgr=)K;LQi9*SUh+YP5vCuL~zY+wUj z?(nr+S01K9LSo6V298SKR4`H_z4y1v_M~KUtKb{4j=;rCKF1+Lo`27e=ki|H8LKcQ zU&{{Qh@*NK2gDTVGqXS2FM~C-qCKX)5vDfz;edh3z@-#$nT|l`KX-bl4kM2w&QYUZ z8=T1@A?Mz;o~F5!4Fw3tcs4DlXRg}2dB;ZL0`yUmLF@u7X%1CCo)7k5BE*-oUppe=RAUyX$e#HD@H0Ka91V}uxLoWO`ryB7=x)d$eugpRxz>0<&CWj9nrdtV z67^Al@>m)BXnOaUkb)v>&qzrrieUTe*U_8@{ocZ$Gl_qjzJ?j>xUB$@;ic=VK>%#) z+cMp+Q)xv(5?5EEf)WCvsJj36k{D#W?ii4Vz?4+aeN{OR3Ako6_e zbe?YFMmGWgQDhqP51_=22iP{peM~JGBGLX6&?l{7-irMfCIM zn1Q>!OkZoPqZ4)jqeD{t^UIrO2{ze#(VT4`W?=!U>-%-~qqiw37*9_Xztg*d^{ibfC4h zJNSM`agSx}FnlT(%({TXpZ*6YW|t?#rF!q8M7LTAlMtY-$YM=DhYV2ibAv(+x>w-( z2Z|$;+7A}j$oL(en|FkzVXvc*qp{@@2VX7a4XFH=3FxYl9$#c>nk)J3tqu-4CT#)Q z1Iu};fj{y5;&h9g+j*`{9Hb}1A_p?^@12;XB7bCsPbNuYp!j_*Q1F!1rmM&$-QU>5roZJ8CqY2 z_({!fbbz%!Rubu9-IrOtNO$9gL9P4MZ`pG^a~>HD&Rv{)Yi|O=<4R0nVfkU`$BtYq z%6Tf9WCd3Q2+x-n<(mq*$#W){i7#>Bd!=;{`e52e9)kqmLY4T8jc zvTb<4{D&)aH6f={b8aJY#4D4IQ7qao&{}rw2KiVrn=DTJs8!x!v1gZOYY*k2Xt{W{ zPS4!sh3{Co;b>so+V1^?garA_G_}Ef7$`Ysyq3~)I2RHRIunHE6l3na7IdWqNzlib zDGz~qpyzV}ovIPXrgjFCsN9ED z1=oy!4k=J|j48+dd%dTbVaX)3mJc*?zXDECN7O+G#@Yp86VOg{J`gw1HgM+ga5M#HBR$L|Yh>NGir^*c`cTC6 zR+Ltr3v6GHkQ)YwA$7W(^z^7HmzKfJ#Q~IgpCc&kQhCpdFRz}qd$#;aJ^d~csAsZt zu;?0gc6L@h0e3Gw*A}FT!;@c&8I+x5>cMjiDn^I4Z`HkJw>O@yh(H)(6{(N>m44Z9k zDk>>JP#)*l3`@tB>T>&zxRz*D(?ZS0x(Y`2_IIuOK@Sq5rk&jfDpo1h7RsHuzH1!9 zwC}A}aLx{Tv@(qwIrQEc$N!|*OM&1Z<9UOn^nC7-WozTt5??qJ9L_Iv9J#M@g4Rh2 zjd&CqWk%kC=Sx;97ss|ha!nf4;?>di42x?6VRn4xheE=MlKb>O3|!kADe5|ACZNEb zfccEd(@iDKE+EdYQN@!-qhh?g?58Lxj2ne<4WRPZiv}`7vjTkbtzQ+{&9uI-Hyc(X zPP^cQRNrS!^Qx0jL9rKpE43&54 z3Eblssc*g=Qy0v?6Cidt-{H4gukY4l<{~)>FRV82zo&BIPgX$=eVYL3LlMsfMUU0# z5F(wwRgKsaMy;$P-bNSUlBd^DaM;BrZ%pI`mEBbFZ;1AeKiXiI5A)Y(VnMpbUOa+3 zDnifs9h{ctSjK5EX2D6nFJL~-iP1)*VE`DGUudZOnKZOHdWTS5EEM4OjKR{QKnTw2 
z=45Sk;IYT6ZyO1cW{RAMZ4bgyM%DD!{4gi{{1%mD34YV&D)?zPx$A2$JNYJ-THvR$ zC(qLoY%cs4KD{U!_Ff<3-Uwh)&yKOp37T+n(47uvM~>4)KUu)Pyjdx6K~H<3lGA?q zP<`?3DbJJ@VDq6RHKDyO%l$cpxAJfUR@;YHIqq6mzEW}?-aF_ko=J=E> zB;?ZbS>1{E`fL8Se!WToWS>|{rC}`6b1m1jU+>6fJ)RNX_iV)KqFH^d;;1Ji=TkKP zLmP-$wGZwp=LJOq0f9lA4K8Kt5=ZOKPDx;4Dsu4Qa7Of!qT=_te5Qt<)1i^0MQQIB zmn^vJwiuc=sujMh4O5KbQwUppQ+aFp-lNd}eCn-smE#sfED#~?7rbmN|7Frvk@N8$ zUacUYWzeA(TRo3@L>8cpDYp|omS zYSwZ|paQ9jjxkAXyL}IAV4VGHzJ5MIHbKRdDypkL2M?z`;|WxUtD*Z2gd>G9dv+sv zF9>wy?L4=-2M&FHPTS{=BzdTJ9)nUh0p!T^5v#9%1$)sE4}XRN&_xaY9CUg(+6+>6 zmUL%#RkEWK<^a+8EmP3eG_~Ncd?f4OqbQ|6cICqzouT}yi~Y?}zoVgm?P1$&fyzC< zlURgGl;;W#(cm1@B@c!98*`f(w*1m;{>IASqc(ybut7NtYDmZ%T|SOK3wu3WIaSv? z<}OvcYVh8H;eCT+&M1fc)BY6JEIQaU-+H|!)qDlH3y*W)&P>A5+O{Z{#{d&a@Q;1@ z68(2(w(x54gjwyv!!b2p)8k$Qq&qg%G+|HAN#$0le#O&pGru9(07t#D>n=sQZ7PPf zZze1crycv0pg#u1C#vj*m*phsqSMv= zvu}$eWIwqE_uHFusvYwwRE$?oAj9%{%^S-_dVzTEkgZ9f!^sK2EgO3jhr|KFiPwfX zZQadOj*nxLysGOQf{DA2wqlO=ssewIO+)wVh0S)21GKb(V--@B;BOwy8f69mG_ z%hn5rY~-MdaxkiJ&3%r&F)hhl$w|kmfB?y47SvU6n|J0ozuGL%>@d4Tr!6oJrS&q+ zNOfeU$@@Vz^qh$BicMV_vNwy_gej4!dxqmI$~0BbB$xbWXc$(L^M`zggZ#a-xrC!mQ8Nr zD|!*G$mp5tc#3Bea}?3~@MOb1B092*=<4-s0oC}6%T;Gf#z1F*UXfxw zc9YqVT*VxlD1N$DVqfu{?=|r~LDsU_B61siTbcx2o-[fm-$wKgx(1!v~D`2cX|+HKqY*=@Q2n z8stP|0Kup_z9N8;2x*LMIw3CypAO}%Nu2#aT9#|~ zwm^_MOfzfy8X8N2l=@>;^ZhQq8wZ}48`B^pI~~xyoRg!{<4HDgaKf2U8S0KyoPTK7_`*rKU;vzHe&u>QWEZXqoDLgFh(#3nu5Z+ zhFU=6JW4f4|QX){h}o` z|AODh*hU-Wc|=(=!I5PNB^b_GJo?K8jc&Zk|4SB_s^>C;HOU6&i@;RzdvG1}--kJD zzol<)A63?Bru@0oBPe^Q4u1v1{4b7c;G>mnd=IFm9t_#{-T5p|WpesLzef&?GU~|> zN2Y~GAOs^o>kU|~BZ1NE&!$6^DZow7GhoOifGoHZY)n=6!Jj#$oqzJA0C9!>pMNd% z4=190t^>Zq{_8shy8dN3rTV|d2ZosY7|-b8^koK`MG&+6O>8)s~Jmy*A6V3vC zP0RNCP=2M~GZB9S%miQo1?K-9o$;8$J;U|5Qi3b(^e=P%?gFz==x<4zjtg(c9bL8Oxuk za-p98O{5I`mkGQ>*7H%9GBV#dqJ>RfjhpMzbYxm~Ykl+a@${F+5yvgFgv3Kv2X6#X zpi<{+t=o05iB<9ceg?qL%3Alo76YiWLP2A)+q#5FV24Wym#-(GcLw;<+`= zTEIyD(3q~lEpyh^SJTcOQqay@U=Wzo_#e!YliM|s)V}BVbL(Ad=r3V|tgO)6BnFJx 
z6o~R5unuaTZ7k!zT7bU>1-9z^A-L#J*rWfQ|6iB?J&2}kV04pr|BL7=v^N5yU1G&J znQd}t8aMoXTg1S7iI7|UYs~dy_rVlZ(7v2A^3#{numx6+UUupT;Qz94i~h{$Z`VK& zT1!oh6u)VA67lEWkGRp3^zpxz??0DKgy`coiu~Rc^B7=eZJ+%$2S7ictjxfll#uBY zd>N$ue}2v_A2l?4AsRec^N+WZevftR2`#JGZn+&}VKFrgJ3+E#f6n-tI2AN##BSRE zW4*99+gv*y)+@Yx<##uubt>Bfh3Fm-wh$h^k?&=_fYaB@{M~Mnn61)a{%@82H5g}j zi`N!e>;9>&U)_?M$`lWN3nBiz*$-FY2kCUgA)z9LWp8|E)NJ?thr_SOQpCA(1U)E@ z%j!8;^n>yYu^YEM+CS+JXL5cWY8rX!?isCoUa060{%4ZF3i-VN%R{R7@3iA4@eSgJ zH_)>24aoWnQcT9#uC>Seo?M8A+W^2ynYB*_ujQ%Q|Ey**2-MkDPY>WLEr(RiKp|?b6Q#|-X-A+$zZS}&o z0DUpj(ui7PJ|xZP$g9iu$bL_3j8&HiJf739bu^1t_&GUx*ck& zwmx_BrbOp^nG6DQ(q}y)vvKedhMmRA{3?q}5uF&8@NkjYu+Fh1lKM@@(YU&SThjpx z`*sEu9BmL@B0|9-Ne6kd>)BH?vVA#emmF~g_hkaD*uwZWU+5DD$5`6;01c>$FUwS-7DyiBi+yVbdMDi)Z zva4oWh@hf+%DE&CWKo_=jvK-Fq_2I}EzySV1;Vsbc+Va+%;_6u`bm+yzm?2PK> z-zK^j+RqsCVYz>&x|MOk zc0Ff`kiwy^bMK~vWd82jyqnTff?eB|+3@&ORY`dt#&jJaVr{`eZfF0%gN;@BPEqBy zPgk8UqsSN@Eak7vVai$=IxYkqBqJjKo?lF8=gIXq&os>pi?r|IUM#-MLkLs2+jmIF zLwd@OhHeMJ4(XasGETX6c6|rtPJ{d(NRXpwp+UiP?SCv9R0Quiw7K4XE)-b zxUF|O<$T{*#_BOCZk7Lt-hO;)4ECB{>+z{=Q%U!=uQ^`WjhP|M$D1#Ad>4;h4wvR? 
z=eR=Jm!3LqcWw%Lej7$GkL0{Nn{B<6-%{9_etNhwRk6az6Lfk_f9c&^&tpXOc?pR= zUYcPVBWr-!6!}hXjqA2fYQVr6$HneFl~yNuM%T<2_8DtwcKi&%2lbXQs5sIijJ%Hg zs*`!f4j!6)p^5v`5w`CyD1hGtw+Sg@cX@rpS$FyB+OXsv5y@%c1b$TwUcw?vHgI$Yz=rh zo)HH3V}IfdY*;&0A|!;0re6JzU&i?rj;8)~$|9G$1=AP4vPCv&`8?@u-O_}L)DNxkFKd}b@TIn#2KUb0EVwLpvgMLr|Ra*Y6sV;+A&mb^>3?MPM%P zjTPU1wQ@fY8-F;EDE~yov5JoO+|DzSi=}o|FVCHy$&At}=0ohT z?AY=)qjS2HAEuUhux!+-c44Z0|DjsI^|Z+}MzTIT-qA`=s!b}nY6p{R_m$Oo>_28N z*{yS*dBZyxcUv7Uuh*_N`WJ>Vj%Tc$TW&d+j9TRya;n_e(rn3!gde<}8rftVjPTid zPf>mTm6Gin4C56?0G5780C*nt>`8~^YOSGRnn9~Czl*Ckk&;3(AIs-UB+nHLI*0{i*U~`)Z9U$e?{F!LC3=~gdT2gkV z3?~oUr}ELkAPpTBO)-zlw1jVTy*Em3d2`|&_CJuShRao|ANqK8{ z2GS>^s;vo#NpDs#sXY?6>06ah5U8m>{TiIaqIoCH(2&uikNE*&rY7!r-O}g2J|5|r zy2a+tpNBqWX=itSzcQR9K>k&)Aw1!`c03AbUev!@(zeD_>~6Q}(KM9XAHJ6{-X2=y zbTgaE(4eIyE4*auF)bw3t+=N@g6$nBdn>Mhvfuo3#`UCcy9|BQ^z@jMlamqAG28@( z6NKcNp8~V@m&XMfUL+g__28%3aZ@oRzfQ4QU$kvjBs%v0T2nE-)U#JL*P8a`zrwXZ zRdDvkH2w7q&H$+zSL@2$XtV5l#Y{>REgp%*)jFl}F zAAgqMoz~R*<=P>-};p;Qq3wQlRM1~-~&c4PMB>TsuoxMiK<@5i7gGx9bJ8nd&I}r$+ z%fgJah<@!fw=3v4TI#>R#`&&`y`)ZT8TNOZg#YK~e#6+`SpN5G1rr#Rz_q`)A`zlY z4bb#&jPUDq;|3bdf~);Sv%2X;XqKUZHg_xb|9K&Rev}6_0eWS{FuJ)_x}f(5Czwd0 zV9p5Sf?E2^E{sl%b647&5h1MgXbt3ez6v@*6`~Z6T5NI!z@t@yN ztYmokKR@wdAHAqW=n(w38VAjD5d3y=zo%auJ^d_TB){Y_f8gqGB=qamL>+yfIDeP% z{|`e@a)m@upf%2THJpZ@ISK{`hkubiQCGp9sLJF{@3)~2U-OY%tDL*`*We-$S3!+EV>u{ zUtspPxeC#P^}tr@`fpSC{T?G8aERO8D(v_EbM?P(+#Z32x}6ji`G0;6lM>Bw$EF#v z{THtO#e&h!zXYa1!wk6Ozjqaycl*)cXKAR7k7g-X4leE$3)+q-lX%u&v`Zt{1)Aq`1!}3F!Oh2)##28VRH(G;9Nt*9|~}1t|{?9?*ng@hXqViz#e$f)*rn zJ&YU2=PbZXv&$ce)c?m40d;h#+o*_$tk*4P%IO#xyJdfnkV2Z= z-XuU$mTbKvBq5k$@PMOjbKV@GcA+g$$9A*r0O(-Ik?i^vnY~(H+k#rsTnF@+P2blw zM|Sx4)(k-AH$acKZqSi!5I0pRnKf;ck%1wtc~E#*n3RAZ6i80?4uRCk?7+A8vaZWExnO3Km6f8o+3PW(3S*=YhOKr$yFx_oXuHOUd zt?jJn>FGOV;_Mh*0H2TmI#;{_MMLsX?bL9|gW2pI)aGXu^*DiV@ishS~hwA;@)xOUtO)DUlg1Yi}094*f9 zR|_p#uEA?ao+Fy5wjHJ%m5BNY1TA4e$@1DKmECv(=Yg(8IM{o53gfi@nz1dt#(lUl z_dMs%BoieTI$h8!O&WCN*DO*=yZ^@SYt0Bu;{|^0vZ3g;8S)m 
zKejcvLS~{~-yci#*|E7can(KsrC&u(Ha3iHr$0q+k@0<=e%<@|Gne5F75<_pT2}sk z%V{}lXREQK^3laAX-`3|j^)5>?k13yjD229an~@4W8-j4%G_nDf&F!`>hX$iG*<2X z*Kn1{HQxuI$Z9UEd;doQ>U}T{_P>6L6Z>vBYE{kk0F`iO6^O+|~5A56fvUg48{aNk@K0KsB?suu+oOv#%K$Pffuf8sA1zm~>&G#R< z0u2~wOl&^U3&k4}j$+QQi21@plr!>GnWK4`o=auT*5RS+^mZ;iFWJCu=2qrXxh;4i z2nl$qM04akflr0%nv|4HUu`j7TlW@5EmhbpQjc$vkD%wiEomsmck6~y(*l8P zKW-Tbtk8~2NdR=CrNcbq1v%sVn0troFM;5VQCgmRm24htxw(S4U2h!he8-qP zZkSFu_Oe1QHL@^bxBC|27(8d`aCO*(Zs^uk`Ny8hoWmb?v-v+HnX5lf@qArbdj>RI z1A&ESBFPXO0bU9bpG~{G9$@C&w1c41qx~#cqacmuV+8+7#+rsh?d4#QV&!FQq!ImJ z^STXWV(c)qtiS#LEAQIFq0HNG&XdX^!l0a5hc;(ogwQk&kr-_!tn*=ra)^=AsF1UE z3?n3GrH}|0(H2EBY-JiPp=}+8ZJRO{E$#QbTr>53dwt(u-}U|T`D0u&yz_hC-{HOQ z-}Bzj{VYeG_5S_B=3(%HEF5&iHMNLc5y9tCh3WHI(n(OIlDg1Bxgz3E>g3>K(G34K zEg@>1enbxlJBV|R^3lIfyGw{wwYdrMkFZ&#X*vcb_AQf?h~CdrJA^E zwswC0bQ7b{D3w1$L+zZ>VE+8EBsRj+u!%ZxG%4EEwbgqIp3?f6ViIba*ZOKpf@v1D zsq16$t_I80+f#pbDVQx=>isfXbHOCebYN-4=XLsbFkJ5y@g+-JpQ}+*^{m_3F7|b@ zB{v+n!@(zMntQ&k;-02jSCCwHVgzWU0XO-J05pHHJ@}3XH7FE6NwvdK+@F)CRaE@A zSy0f+*cJKLk1EP6#^4$rt-dNrprl#ze4<4*$e-g8Dvcj8qw?V5IFN$ZW*=wnp;D|) z0U487Kus_6Zfv&^rrfP}^9T6k9D>iu7fRK604<0-duC_U#K90r$N@Bx^bZg!xL<8` zUg`<0PdFhpjxA{ok@S7HaMxBZfQf)`KsCeV%T=$P@JaZ-x<7l|E&fIh{u_soe7?zU z6R;aT&QZUJ6KKdt^UNZwwws5Xk6#JHiF-aIA7HlHlYBq1fDerzUG_5Pa3_x&#UpZu zu(edw}zA^)P)kvjmyic$X6aC|SpZs2U&b50SGnlVIZ(xS)k|B}F(%@H~zchgX*DLy%p@9KST)h7& zerhyF&9>`KVIH7H6@3_7j^^aYcF(Ug1}E6q@H}23m+?Lh0);6!{U%6+5-;(H(@Ac+YhQjl2|e% zAWvX>;dBB@PgLR31%z6EW+e#9WfU3si-Nw`PyR6mcl{lhQB^u$%LD>aV5jqRh5b-m z&OElBS_igkHqZn;Ft#iJcuj-RSH{A58QsiJ<;?fv+xL%#UEA|&m+xbp?m$Ws~4zGzh$SI@H zE+ODOZm;3d9Exs>c^_8VR?G>Y^g<+}ZlKs=7~2a>YfCzZp|MA`9(?wtoc!Guz@1Is z#8)#ny}uX|7ZeQA>+ghGKcBS^pA6I-q($WKj=5cP?J=}WcTx(lVs}E-q+((bi$Nxw z6Or5c$H*dj&pFVJ+}YWv0!{>%fIpSN@1eWFQfARJelthFnzaU!BWh`y%< znH`2(3M2{J%w^U3;2AQmGj=qOBO@MDbcnlc=sF>oY8|H~>n_{-M3%{RRW<+d&CwUL zXyM<}pEl)^y$9rND=$DXsdb=6J2f0s)9I01G0&Ugw z&rLULd=bT)_7zWE=fcKX&*x_- zi1xZ;%Wt#xqz^_M4h%EvPSIBid}Q3Ytc$;b{@}koFC+$%BcOo?zo9BU8@J)kE_LK^ zK24E1{^AT?w~5^8;#V 
zyA^Aq&F}WR3e!jn{g@<61yb`X9Y(GREct*W?h&g?zMLsbj)wJ&=1bL$iJVMmRnJ!l zVzHfJllhmTY}49fe%N^{55e=>3n#D)B}oa=I>7Ty*(6uPFZaJfAOl?@2kC&NC^yg^ zSZ&2L9p_FM<$6S}6Vg6-3=S?q4lcOvX3JZ~%LP^eo3nG>IqFFl`QB9gdkEz2X-}%b zg(%p1oc$Xl{|z<&H-`W=XBP;USIKrrs$91Uyl+v*9duAMp4$~A`Rf&( zg|FaKM^ozcN*sItgf~*)QNRp=@L{cvn+fdlL}z2gq*n^L->l@a^G#l)l=Jh_@xgB4(I% z;exSmdom{910A<N|U2gs8lF;Iw+5)j_l_2{ycQ=3uuX|N-N0J%+?jCP4#INRBG z9%N2AuyQ19olfxPGRhpNkf*pZ&iC-GW0%18WgIpGeTU;Bt4zX&o9X3PTO3Yx#|}}% zv4P=2(4s+!MH5M%ZRA-t`=lBTlwwyYga%X#2?l6WS*_)oP&#hLkx0?e!^A>D{5}vqpWJ3&b zr|WPRPXX>CbZCvmiXuTKi5$_dX1x&7am_=G>L$B(y{w(}H==|@E~S(%F2>HG%BH7- zq~O%a0k~N7O2u6$s5(^pVcvWuC3v9tv3!GAYE*aX7MCW%p*f=EogkP~xWxHs)eVuj zL(swzxM?*dy5xRo%!&^IL1Xo`+d72R8o!E9#zQ1+c0-@ps$v7t^W3!mDy;TTWPE!^ zfdCI0R1fZimC&8&p|Kjq--pN}d0z`lb$iEsNE%r^3Dti+&efGPc(?SLnUQo#mUf)Q zjn$d#Zex|>nYZz78!uYO-4ui&(a^WmHwV5nzV@f_%`l+<2Zyi|qFw!xZ?EVKt%D!? MeFw0&ZM+iy0joU?3N@!?TzoMa` zQ{kY4SIR}7KSD!$izXu>rt(H_z3y0fiDF7{&__{TV>@O|%mmU5=D z2gzAsdpKovdSG3qJ5ex2LLz2&g#<%FOcO)$E9MJLBdG(=nVT46E;q87vOi}(QhO;f zXr9+0r5G{S5t1 z@2@9l8fX|4zn|g1g)BgO2<*zQXT@kZT)+QFiuV65_J8l1 zZN&KcVhW>n^6k*^_UzRe*>!vz_!RoDJ^fk@_O=}FcVw)gV^EAT{SJwI{2OKldB0HkT|EAqZVoOsRR@w&CVzb+)n+tCrW* z-G+b73#NTNgO#P|8cuZ&8zyRv7EyEEmGl|5JIUugd7oOHbm%zidQvWS?jG%>kx{fU zCtgyuOrQ9yX+~1uI^7me29M%7kJ2I9_oImbRR#rX}W?^IzUdtbl^m>Temq*xOe$i}rj?Q#0!pWx(!-F0z5w9** zQC-_0&Qe)ZT^+hTLShgB$y3Sozo|&oqtEn^Mft%ei!wLyf=pjOzviR#PXW05dr)@M zMApJUNLGFKefec53Jbp4-|79TcKjJ4D7@^9?J%NeNB!hXUWl(iZREg)LquzDA(cm1 za%ARoBJ<%8{IgN!+JV(_NZc%6o%3j=OhzBHem7wTh%MSmjszPA@J-C zP1ex47RTeK?Rh=cbHT0?yuumJ&7MIU;fIX51ES9y_~JfF$vZXzJG zBzxIY_3qNH@TYey+l9UDF%g>V{bL)LnrTqwWX2iBCCI z)zVLlTZ+1D&L_T;Na=cq?aW5(Gi23^ICN(;cz@L}3w!~S36heMvOPXd5m}z|Tnn9W zQXFR%VVBGrP*qV)5pj8G@H(8l)WYNJOtRwhoKk@^6CJaE3|ozBFDv}@hTq{AWz*vp z)RzAfW*4Q<&6p*BVTl#tt) zT4{Yko(GfPc044F_j`L^>+4^ZF88%iQ?0Ge5JO|A`8+;X6oql;s^o+w3nfIU_wE)B zwJo+cZMRS->ArveWMK^Mw(y;N`Yvj&chGUTidE|$^lGC!&KxTUxAx^RdOHmdi+Nh{ zA66Rh)9g$(Y_1BWHT#Kg<~iG_iQ+D*Fr5#6Dy&ha{+Twu_x@n9YplY5sr|ybnoYcj 
za>OBuv%O^O#JfxN%w5*-Bu;uN;$1qb>GaD%qR_s_oyJU;hT+B~4F4utw*FrP>8Y+6!3pvqjD2pxLlw3RQPUtIob- zrSJ2tpCkK8Fa-`&=Rj~L=}rku?QRQh9IcoS1`H@Plo6n2_vH^>94Khjn^mdh`a}tpv~sIf)Ee6kC&$x2ff}7^s;b#C&^-qbdhah z$fp8sEIA2jNIrEE56~*;ZtD_t8a}pm=qM`iz`M0Fu&m=Z(;(_`=J-@C)b3V`T{5qy z?ePg2DKr)jE}mnAPEB#J61nE&EBg439dPnJ6gp04Vab~moWld*bx+?I})Z{_T z2A}XW-$bQD;Td6wQ$Wi-$1EBLUB4n?3W~ukJTRs1YA)6Aw4!|VM7;}p1vqkX;?}_u&~2s3ltoFTy|KU6E*%g-(A)M72FEGM5T@ zdTZwh@r{mA8b&$Il_WHOc7OLrta$1GVw#Ivx6*OHb!UJ(%K~R0vBS&g)JUx_5}?ii^}8*0bKz9}%oRQ)ZYvec4s|dMKIpljymjYxR%vh7j6` z8jlhF5G~O@j=jxCGJ86ROLqMO@1E#0TZgh4xiBNv8J|K$Z{cJrHw#4^spFBU#Rn zIM%kfyGQorNmCQ;RwMh+)YKYcW6h&)f2lxFWf?w?InE^_BKBsc+F>a%Xjxw0g^gD9 z(jA+C4Ig=Q^hVr%wQ3JKHCbmfT`zlCv$W~C{wWQSilVo72vC^RdDE=!C6(Lr)FQL_ zSMB?UrB%H;tf`TCYyDxN-YS|&p&+bT*oGw}&1f*>nuSNWhaH%jgcJA+^rrYZ&nz;} zSFI*~Af~Yga^31|jx#%=lux=}p05d5Jg3$CUiWC;nPQV)_%pfe8qh?V#Ca^5HX_3@!{m8giDU4p}mz+I5If1qAM-UFdboSy+NO0EN~T^ z1pW@ExmWu1YHCBzG0WW*ZP_+{?wiuKR$XSk=xUpiytH_ zD$Ie}>F+3lhoWD-3W#Wn^J4qsky=#?1;(SB;tGN}>cMtf{`=|O44lzWZ(D6%_5$ib z#REiE^EJ_i0(JAsMiWnI9`)(+NrTH+kqp0yxgz}bg-pJwO0|OIlQ)LfEuQ84^z*O$ z@?xNkQpk}?ib7sN?nQ*Nw+C8O)Znn~K$>O}yRUfO5Cy)>pgA-mqHkvhS1TFz-dpH~ zYFazIvDovC=TI7{7d3k8KFMo^9uzG zbb$cU#{8vt-a4U}2FY)!GmMFfir<1sgY5tK1CoglY+i};kri4^GjiVtI%$ofKemkN zW5fl$GBt@m-|&4PF`G*qxS2tY;@Tf?nW5#s|B_HnygGL*38tw=8IZ(+!mBw9E%-2+ z0rmX@1bDeq?3F1#YESumVvgQjF(~+EDg@R9ok&po_vj(r((Cac$Xm(({{QDQp!a?) z2Zx=*R)OTF?4eBg)d3&6D^k;d`-a&$0eqsd6fdP-&d;p&gFl`o;nPH-9*glswjnzW`VDJjQ#KEkKXw}==z&# zveWOJ1%tgY7>XDj6aS?to-W*)mdt=oa)XbAbN<#GH;+HKyg;Z|_k&qY1zz0B86jZM z3-(TEn_;-_`?QL4bGMr0zyCEz+Tu)0+}) z_*XpHp|entefa(TNFofaHv#AdBL0zV>c}BWC*>KTDc;N%yX6WB^6`ZhPFe%1%6!6E z$M9YE{n7H#fo4@bSY;I+Cfm!rNvUA5? 
z%ABK=^5g+y<@1-SmkA9LGzQVs19k0g7Ad^I=ALco1Vjc#w+{QdHdGUbTo@3*L zkS**m&rc=lmf(Chjf`DJ=D1W%$Ufo$_AR!}0GCYrWw{h;J5$6*m5cKrLpVOS*S-C5 z9|%%=KFo=(cu})f2dE4Bm%BAFrzW5 zdc5;zR2EJ-KV^QI@Z$@bnWNE8-ROCyRy;ZHCT6p86a-^pf^99T3*9m&x!g zU?+G#zhxd*tJ#9^lBt&SBJ{z^d-uJY6m_J*z7JC1aNQHG4SI%0bn1w98?58KwOcOD zN$0jNwZS5TsPYh;e7Yz(rJ7!TH~K}G#e8tI`=_g?M6BN%x~@HN?-va3#_p z4dU|fBzs%OkJsT9L+^`y8Mh`O^UM+Vxg^9F`r590_@a?>CnKiVh@B^}Z@G8=jU4^Q zH_Rm5-jGETe@NLudz@0hp4G}{KI;*qs3aTuWwPl0oQ$pz%Oooq9A4?| zvRX);m}*AsQT`QH!C)tYpty+&sR(=L9=6%9ASF_WQkf-8S$Qz@kUs!CQ z>3NKvG@zGT@f-%CZ4DFse5T3!)r{aI#r*S8RowqrOt6kA+pJ7=3x(upcApLg!;LpT z3cKH3BOS~AqQlScCA7bKfdNf>Xam;R>=rH;E_=YE(uwa&>rv(-nu|vjaS8fVQ#W0P zg+*IO-{nA}GPeR9&gc;(;%WEGgd^vwg*Q9vKj4GS4B7XTZ49c(GyldvkYxy$vMqk8 z(9@@POKU$4Nh#N5OYApDz!l-T?EFbMM;7Lv%IhItTw9@M8{5GSqc~u7gM=hFA!q%$$j9Klddgj< z8lB1^g2tL`B(ttLT0UJHOBMYTH~gpmL99@8!`L-BOo7FzU9|0LV6Ls<{6S_uRvaH5 zd99rU7VYv+6`?r1p6m*&g(6o{8+WTkx^hapu?eWFJf8gldW~4phwP&oXwiG(DLv9L-(jF~thfG|l z^-RfHu%7u+n(i7N^ZuURy5P2~XG4s7%W%_QWJ5!X4f``T9OTxbvBedcZ4#HQk1LIN z#spMpn&+94LP%-L(}EYLlJe(`{?-Gt`l>|DJpU_cl3Il5;vu_rYgXO3;d1RYmWMP9 zy=((`W5XL0F5&b2_Q!w*B3OvD5 zz5jO`J-&@*K%%xdWUk}5JO6|>$-$y_Ewk_6t%yvIv%c;fS8I8=`Oc4KJU&*v>p<5I z51adlqu?#6$NMH3SZS_S4h6UB=qOZ2LyD!BAuGs6&*hz~AZtaOnsmF~=%{SRMXDlV z2WM^c9~?nL%NO_u(;LVlf2MeiD^d?PQ zcw3$UHXs6SZMvLj!>LlKmb79w+=H|_c8d0gP@D{$#Vun^SjCn!YxebPL4jVn67*$t zt64kbVD0k7okreBIO17{bTApxa|_>6AtJsID*fzhQG!d8d3TM)YCX*tS(2&lSGRh? zr8w80bCZYD==cHZjnSW)CS0n{H}%6}bu<_!El{I4i7w)6kxuiDUjtsIJU1S zSqz;e8K6L7Fv%^Pw>bavo#;M*&iuoV-bw;SRC5hOOW=lC4T=zyVWEde6K;KueD__1 z8ZGE8gwB~92k!W1H1!7HVn_fE4{=22uM|6@J{-)C&hk4gV4{b#GJ;ITR%MCxRp9U6 zZvJL?AVL2Dt=1bjT(6)$5Ls+=>k7aqXDjbuP(;w6DAt|cM%h6*J&La-lQG5w7!+SR zV(EH63uCa?Ir^Yx? 
z-1ti<#9?)b-kRmz^G8HxeTI~uPaThI#<3(W7%|c70%h8ZWFF>{#T32B6^I5P1CH=4 z0|q(^H87u1OR9C%=V@oKBsvR4fTsW&=@lQnAC+!Lm8VDe9V7P?=Q+K{>kT_%SWXFP z+8=l`=NEsw>JvkNF>Z5{vA2=z8U_VB=kQIlS-^dVftF(tLy2idp7V?!OFA0gsEmOHa0H`z;7G~+5Na{?RIUVVhhKMNO_#Y@wj@V z?-oI$0Hx3p4*V|&a=lvAxZg`uV{)_AyZr0#<>=}lXM_s7A5x1rzXHe0Ka`5j|G@k9 z@m~Eoc#+R@^K7j@GpWXzn%^r>&70o?Uh9+&O9iK_!?J;j|0%w>4+GuI7Y9aeX~Eul zmrc>a_2)FAPJZK}o3CSpVu{BPpVxeuM{?|c=b`jyE-YWsEPuP94wu8^6q$Ng>!;t- z`_(vXwYqaHGIV#>YFwRo-T?U<@Y~scnoku3m~ln{_pVFX^^a$Yco^|yL@NNO&3qPO zKk%(f65%2Xr)tK`kQtWAtTr@8g+sdY*o4&A1K-#QK3E6P7oQwZt=H8yuq+Mhn66{o zH<9TqI;f<6J&r)%5O>P{fN}Cdj>6o|b>abcY`C_}B0$^l@=DZNRvz&|IpHXIVg zUb;A+)s68%IBn=w7PTgBPBFk>ZD)JCI)wM-Nmq^0Q2s)E1ud?lb&$cW`!rEqNK1rZ$_j{q(-!& zY??T##*;+Had%D3XtF%TE3oU4=Pr}s=>hdDTU1K3snyIEWjnv(dbnzT9 zq80cYFZ{;YeFlcQqXlwCo{l&*nfSv^!RG^fHv~nZ=WSuOc9_>+y@Yi2Q_viK!ZwrpCs^#Kidc_#^Im30+-X2?>k_B;DfTqM*yB zm5q%_-j5$Y1fAD!)6!nThjVXIP@EiWXnP^BuA*BfeX6G{T-CYgrhS!!+BM)>0Jnmr zX@z8wwL9y>;@vBon>Gr(wmP-0O}_WFHNG)`FUK!}mo?*+VixK*Tr71_mQT*ic!Lsi zxty=0q~z0qjn&omjt=+Bi#j`QQBm*LufxwK9`veI6&DxR*C!9X42S5~zS-HCZ?WRO zbLVScUj+BW=xA(I)D!u>-Qp|#mP|(6=FtQ%R8_gT%RE>$=BcTvH#RoF`sp}1aSy5I z4dsgn2e-FBW5$7#C;H`C;#(>kC>gZmX)2pU2-JFHH?sCvuOzuehIY zacET8z_|qJh4zQecP`MUH`Au7R0^tBjP0!+vnaQnc3Uw$?DXi@Nh;>kR92=sUv)Lm z_TPYzu+FH zAR^jbA1ej%W|2rkC|o>{rKnu`?b|m;Vx}tR4GMB+M@O!*n8ZYnqwSYCT>m>2f7Hcu zlzuCi@Qi&jVq?)OHG^TNm+ka3&2gkgim1!3uJvcV7Yg{~GKBaXG=jEa@`@iYdg`5DTvZt+Hrf=)^1ow}=`@PdNtX9g06I|n;QZ62_GQEwK zBVe0wI1Bpf?oy;2pLeS@ffmcXq+m#rjaIl)23v=8`Ptcbd@_x5^|iDpsHvy=`|T0^8R_Ziot<*}`ZFaZ9P`-+ z$9v2E{{D!&C!0ix9InMVSO1-hclZifB4!rSFj|Z$gT?gX z5uG0T7Odq=Nu0x10904Gt88I2szfW`EW!mwV_ZAdBEK-;I<_Qyf;3oKsq$(uQTZ?g zu(bskb=c<3g+yDklH$V6Bn}a3u`J;+F-r)9Oyl^(L_&PL+wOu4(|uQK3kwQL$}~*- zMfbzah}Ou{$d1ULk)_iO-VH@XTg@SqPklC5S3kGo`F<`di*66u;Phcg$t<{g_pVAK z#&}y>fKcqJprD{~f{+h`69|peI=$LAv-9(5N;x_@I^e5h2Eu4X6&BO`y1KdsL-X?1 zT3cI_1YK4j$hR{2BU-S6*Gl&R7hmW2moEUZl?Pc)_p8x$HlmS3_uT&4lUu)7)y&(gxe3<{w6+cz=8 z`Go;+!r&0E&cT>YjRLhOnDYCGhzO8AR8>{swojg1&C^#?dunoav}4%s$i(QMxf>cv 
zAn-~?1~;d4`t@G;_V)JApFhXPwd!V>{n8Og^>EjyG0L!dQjO(w=_}|VqsD-`^d+%e z{VmOwISU>&Y%X!JKd&^pVMf~%^a-2}(Q5~ZDcPSJKj$;TpS?7(q99s<369w42rBZN z%>~e!JL;MT+Y!4KvkXjiwQcNb&Llv`77z!1MkBJOZ6nHa;=vB0a>@~xiB$38T5OXR z%wMEo^v+$*S7n%79b8;0z+;Di#!z}RD+qiZ0Qvl@m%WHEk?4Ssyr zhXD6ASVt>8& zUqfTN4ZhPPpRTvD=gt4`IKXF6uUcf^C^Xp&h+&~YB zC11mVZxdk}Z2Z!n4j5YhloLq7nduC6!q7s7?xwI5Ux~Ps0Uow9Ie3qwX~*xHNr(nN zIQ=VMuJ?IXpXpj(y>}V)UndP^y1p_&DMFOxQH=9nf)pQ!;NN55q(QT6sm4c!yO~&+ zTp4?dP+IXFX|nk7A4Kc7E_pTb2>rN+bQDDd^P!NDLrYEK@iEEbmybPfZPBKX>fO!* z-9cLS{!|Z`Tke6KG`9@-Grm{GJ|_J-BfOd;d8va3*;0ci{01YP-XEsRWCTJOuKUCQ zS@BDsw_x5yZBHl!pX~)um6mv1%BGP^tD8Hy3dXJz8k%cnTdkF(qk@1q3M7RVR*a2l zn)EO9uCe|l)~G7VpDq0Cf&sx8CN?Wsj!(u_T3))qEweFsW#J~CH-gAAeOt$AX<%bx z~C z`>pxyJYSiXJlXWwnGlB7(jR5?@A{)YzGd+%m@V-f<$EN+B)pz%C3N5Q@+aWIq6jf@ zbX3V3>hA77U=lrCVrKtOxC9mhC+bLeHD5K@D2|7W?8~b;MX+k}Nb z3JnR_k@cn(pthZDBhh@ zj}zp>hQVtW`$gXJa&p_UqOwn)`lY1MHmIOKdGdq>^f}EmK;J`xHm&|v_U``CB)?3f z{D-|H8-}jeg#$31esEjzbyu%GAPxj6pub;#Zbakf!Ii!5y0jmR{vJB|*QV$a;P0b}9QFI*^av2IN@cwa^{tGl_md7bS@F*&-p zWQp7Ba|||Io^K^5Cxcjo-yvQpsy_+T+5<$JdTbaF%CH)jt<0xx?(R979O~HE*lNdv zIm+_#@?bw|Yz!vKt?zFlADfZ!@>U=a2;kjLSK7_*E_T4_dX}Z*T{gxg2_u<2F3%6) zbhpeRPvsMMrs~{Xwx;XE#Kctgdb}?a$#}U|)WCpy+C+N+S(2xhgOQPuwbgP{TyJBQ;fY>z6eyVv z48&7fJ~%iC4Gm3`3RB|O)uo}Kd5=XvBc!3M92F7qEmV>ebd0QTY;@7!@-vU|+%mI& z<@@SbWYW=$$Wm(w7n!GC0jSy{~-;4twp}PpD=hVdbuY$#&pZ9 zoDRV^<|-$5Enq8CK4EjF;Sz~Z&ehb{wPc;xz&S1!?KW zG(mu?m%o7GnwpxP+&6gC*4cUAhv3?^`^P5qR(RO_!ef`+NrH##V}^-acL_8>9_x;| z^1J`_4^Zt@zGquEX8kf*8)$h4MuLK*@!FQ{^I2mc^ z4{CkTD@&}*fEmj@LMeea&bhAgJn!_BE0qu9uu!-mVG!s_H?8Z{PX=Cwv&d@Fr>p7c2Pu~L(z#tuYReTQJ+jTMLG?v3fXQ#S8oe98e~ zH{^rUlBv15&j|^X0f-nD?N(!iuDO@j^tW#>*MGC;^ZeE6_-SQ-il`Ndw3XjIV1 z(9oBIF@{K4um|OGUDMT0mTiyw=2|1@P7gNdb~5H8Tl?=i--Z>86zZOC)@+S_GIo31 zKr>G#A|f*5eJLz_+ahNCC1FibQ5X%S%rV$}dwctAEenfPb$w4s`sJP!LIQ%!$hDCo z+v!?YaQ5Mb8XC7{goL%KmoATcyvGMXB1O5HD35vm-5=cbg=WXaa%!Wd4;+=H#83M_ zoH0*+KJi@6#>9#m5o%zRNQZ<42fwB|bZ_M1<>lq%G}IE0mRFa5Ip0;=H^;UccT$RV 
zltFuU0-)3q6ptdE*=H)J31`E&wg|`2!(-A>m8t}Ao+Os}!$RzuE5Ggce_`J&G*1ks zeiH{SsVV5Ar=t_Etq~um&%Z|-!~95w)XXbKBls2%55wA(xiWsVW z1U9)Fs_Ejw^-gczM^F{;UWdTik||F}ceR$(uMNdm( z_fKWPB4iRHe*LwUDzEUqUJ>T-a2elOI-0Pq8@<^$0tzKMR`G}SY;MUHMA)cOoY zkLqd*tiwaXKi4*-1z(Q5Q$#@PP+XWF%|}lX$ed%tTj+Jd(hXZaUivGHb|DD}^>ziA zpn$-j1$P6n$A3%;)iW}2@0{A18PrW2Ng~1^0K89*kIB{FzkhE#RqeDh_oIb@Pe7o$ zy1E}6TQZHZj~_oWs~6rr)Y8AxODY)%X;JIqCS--zT^hveEzSkcHd}%z0y?q2Zsmno z6+5T`V9_(lptyt@`ag{{cR9#bw%?5vT$$vZ7SKcIFkL2%v7cte;XOZ(*;MMpnngXo zLY^ncD8FGs2aNH=sFM284-lx+qhdkx{8lY|xOggzF}Joh5$@#WRS$>53k$oC^5_i> z4KXn>k@^`*GF#6q%HpS7T%DcE)6>6eM71MU3-a^1E_!(h-K>=a*G->gb5Ps0^?uw@ z|1S0PskE@m`smJ(x<0~DV8GKF=U=pK$GW+47IR#K;7pb&tu?BR(?2R61>Bwo! zP(2r=JvTwSOZKOr$pIH$Hl+aBYNqv*d7hgiq`wAucKpa?njV60rfr3 z!ra_(xcLCEYt8q=ywB*&xpYT?*j|{tJZcfmURvycf@HzT%e%a^^mJpg-qRg`mLvNf zLErfJ$&|~?3qeO1P}d-7zI}_vl(lv#dND7$0$JEp@gZFa**e{7@P~N+2df^82i?R) zh0ON^GJeW$0qJwr*xxzXk6hoaQy?RaxfB$xknqwR;G20A!dU|;8#Duo4t~|aRYygl)C8bw}hJ=(DS_Nv$%gf+) zfhb1B@kB@m?F7*Z($6*QL!2!8Kqmj?s}uc(OQ$B)n=8Pv)dCh0IsXpK$Mf`nn~SSA z^Wx%yzKQT64iBD{m9-;P>*?V^L_{PFqobpPUc3A%PO5+ph|>j@S&?B&sIiHOQmLn> zr%`9KK*QN?P-&?Hh#56CQUtf<4RmXTJH7ore<{RGJja)YGxg`#4*;Kg$gDsdI2iB8 z*eh&E+dfW)H`8^FVfQyLL_J>;-J%`ryzIH4hF~i(Qst3ZOn7=O^4l z&@f08+6J0QDVV4AMEUu46CrAs^}aJ~>-RI?C0+@i9P9F8uG!6;n4HEwX_`IzuG%Fp zFH2%}u*S%1JMH-TwZX8gqoX5=t~6T!8=nggi8^-7%#2Z)?e}|uBO~jV(mD+{zr}Lx z`gL})6i^8Oga8oIU>4;h5M(aS&NQN4wcwNyCvsH-?~5Dsjxd7K;cG}2FatoJouE(X zM};x(pJc-b+R=uv(!%T=j1%*n^=<>3D7M2|D+R$iX7%Y#s$VScB7xCi5^yHcjT;}lt2XQ zVr|?ntGr!rvGf{!#q)hfn%#5X2apU-@(o~0L9fl+Np}eZyGbMTCcHf-zM;X}*qAAgGYJ0J9K-3yfJ6=C?(NE!kAM@;M!Etg^jZw3v*%Dgv28GAdTl9ywU4ziqk z9UYtwL2gZ}>u0;c%VWNa#zbpzRf`49s^iu72CGcHKO{pgOm0cP0*`F1=g-4;QV2ri z6ci#`w($xAsPTdIqbs?<&}-BQ$~T*vn^r?3BhaoHgUYI^2wpB8o{|C}9#mQx+*_}J z-MVPigcbehnUvO2I6WoY!%_z+Jcp5L$YVuy_m(bu#eDK@pCvIYA>P9^97zWU&V;M- zQ;3QgFG0~unI2iit>qd`8m)pDeIu9unc_0hb^CbS8fQD_D@U3moi2%H-&%YrH%%>x zO40jqug;ldoUl<|Rkwpzj@vcY>%C`bLaGYW*hWlqON-1$=(QF(M73j4kE`%7;3@ 
zYSODeyE=~y?mNY}wGtN>2dv!Y=4Jr)S{a=7%iYu^rsE?=nDN}=7r!W?V~P!+1vp5i zSD}yu2c=;$ay(?Cf5y$OS5Icd<$mbA?zVb9Y^5@0WxRa$^T=Q3{FTziWNNX#>KjR) z%@-c811_d&#tRA|x2RfPF!BQ@Vg^kO{a>m#NWsvHaK4tSms%9KE))W50j@ zJ0E-e{UacQK*X)n)G_06;bNRu41WbDEIZtzy12Oa&GKd06EH6dU^em>VgU*Vh}91{ zpX4}w3o4Du6N?jDkra)sifMsmvH^N){Ds~h*7*KSZKK2*mVGI< zC{8DNAz#O@{7Z}L4Pqgu)A%k`_I2gzUG6svYarelI`R7T-}dgE-s7(`7-M3?_aoyN zD?;Sn7_a&vRPf0y7% zm+z#6b+ZczC3@pQFlcB!HM;Lii;!ekOPGc zdzsh8&nM?VpE13>%d$yzECIW;S9W3ajIm09HeV2GH6^9`>_z>RH`wKY<&<@`kXmunzY3`$E^r z<{KLuvvcC(Ddxj)@^1pF7NEOF0s41PyR#UCem>juYHhnQ?4lur*?S{rg0|Yj#dH9d z62!jm*3wWlVG-q03UQAxYrJurO}x4V^i((va(PY))j1TL$--Lu@K?9y$3T`B$UsX> zNp_C@5uR1J55%9W(+2lv{r<3IOs9f8o1}WDr?;u=5LbeY15E%Ypiaird+?L6iOJ~E z=w(Rh%m9bDu71mQ_psYuFGYAYg?|goFNE}Tc7|_|tLKW3Y@}bRm6&;z`W>Y zgySx6(Fc&p&WjTPUApnxklt&?q@<)Iq!vlk9b)o0{*qq{UUnv45%2`4OA~%Ko0>cf@W{Hlx)7JNy!?DQMa8X^ zmDkSB4E{W7_~3Ev8du@7tel*-o*uSl2v|1ny=MzcONINB{0IQ}|4}-5ICxGi>;}&- zQ9ByvG?~J5YkPcM>o(89m!q))=U|YQR;atK{1)fCQox){x#XlIi>19>%(PK|Tp=i7 ziv!gV4vV@*4`HA0KmG`>Z$6q|NcT^5F`q%mK>58PK#0fA@e z)WpORDWMvvS_SnkTQs=H&dzH!yeq)Y*olD|1tM*J*i8Z=8k{y56&0n@Z+s+{2ONEi z8OKETwmZG+6}aRJ7J~#Ek|DsXN+&gwa(e;nHUSK3(9@BSkT#I}{6Ti+j@J;VO^NiAno*Z7Ov~toLpbd3dFf99!w4j9i_T- zzNuKqbid+5S~4ai!@nEXRawyB=OeGvm^1o5J^k_NDW|T9eq*LQ*he5SULI3B2I64)>w9cMvzdbf=YCHC)>F-U zh6&)l^1nu6ym^RLfwP@mKtMnrKDZ$a>O{6ud^YAiwOG&Nkpe;zz2JgGL-e|>D~Fj|6*qm7zeujG zfr~WU_57K7(c_n3k73%An@L(1X>wtga9Ubn^TTR)QEAnS`du`-YyZYX1&Hyzy**i3 zS*Qq}BS=lIoH@b)j}UioxmcoVmCga2@2a1C2cNjQx&n_pCAw7yro6hu_M?+eC~1j4)86Z%Ny+K(-Rr3N zQbg~h>YIshPUlCxpZyE}mU!ZDfSgovZ9$JR9I!f=e|N1=XQbx!cIpM?*5Zyy=Kla|4~O z_I8jvKaVVUUPaziOMU*_RbIYpz9lSVCL9J@C$9|nk8f|kcJov+UZn`$XvOYBmj|^9 zuKoA<5=-dU)g(ZWd_ncbwo1UrpfRnH6_{QewC_E}MID^QD>Mc;ZK>QZqGoM+L(cK> zJ4#3MG0bVlIP26)R2h0@u^jgI_UNd&@ElD|8S8!+nV9tNf-r6^1|}xJxiL>9xIGx9 z0pu{^^P$uE&};LPMx)Jw?jA2-ZIO9-dC+T|sWR=NbiFTMzFZffQ7KJLoi&VFd;dF? 
z)nwGyUjUnSeTa{j*Jb;sm|GXfv5BJI7ejgK$UvZfdKVV%vuurid9N34Rg~g=5vMl` z?;RSFXocS6+F)esW=WLlFj!urw`}oUGcy#M%UChZqER#{%0b2xKVwi}^cf z!(sqFJ6RryJWS@UyV;^|%Q|D7R^s3V=xvJVbTjIw7m|?VKhn#le2w548NMus2L~lN zol{d&>sgttk#TxaDiKOi-K^v`a9T353Zqz|jjb(366s11tj4kr`S+=im#j@d)pb1jtl-eH!-4l~_`7n03U3LJf&o-;&J%%e8 zieLKr`mFfI9`v%ZvLas$J?Mp>f_h(ne}A&D`_o(j5fKGvSv&<=S5S0_F1A(gMK6ns zjg<}=U`;PY-Y(Rudlo1c=HuLF#+AN*zh$9>Q8D=u8=LpuQWs$4Ib$P5`U8C=c$gas zEzjiTGZcG3D_n++@3YCNDMTrE*;g7y&+msjJ8f-ksrGI`ubMU%7VpoTS)S1$4YJEX zd!k;|B!=5lO_5&Bi?#p^bgXrC;8;HR)3DGg1%qC@#qY-`q7xi<(RayfZgT8)%!}h> znwB|3;1Qcp(aF6*L<9;w`fh3I6_PxL-x66sv*VeWi&n;zCUveNs?3z$^3)Tf zO!0GrlhcApZmFpz992a4j*szgH!rO zd|?*ujDRUyWkdjxh`S{PXt(}bI|Vc2tc?2sB`M8HUOk*#F2_ay;aKyeGVSKc$9H3g z7Bx^(d>HQvs1fl`PK|kh3gmY`QZu4n&{i1bR$|NY$Wy@g{WlE2sZ8UAoGvfUje63n zfH2nKs1*r8x31+Rh|)@f05cD8{c?{F*YB3{AgMfP|)@BE5L4oVYsSV`V*?s?s>xqJ0;dDik&ppV!HF@dOhc(p{FRiIb3DP1 zc9gt!z&QC4L;77aH@t=erJje!`{$OLGCq*<%HtyM|?wl)>Z>&5jN?A#XNSmbI z0Qe-2()(IX?|C%m-$1p^a3;t7?ddlb#;C5ZERWmYHb~nkPdik#aZ<201wA6xVQ!w7 zzZ+&I_yIPh7c|#M@_<&zg@stPJA^!5d(ib5rYI`V!&j<3!t&@*@x*8Z_>BPJH`@lF zAB2@U()OTk9vq=abx`O8_@_l*#I0sBbFjC&d#}rww{>l6D~m_QW6atU@SwT*c}?S7 z8EttN!t2*FuoYYGEi)8&?=Ik;E;Cg-x8oh^WyoF2t-%%f-c|-_9_g z0Nm8q^!HAMnW10R>tW)Rb^=MSC$>s2pU6xVRg|JphAf5FAJxWBRu}G;e{lk0@7E7r z{5XX~xq^yFk8SL$Utl5?^);V8 zgIPiM07~MpfZvw@wF!0g5zr+&ApYwHS7au`oXec; z5%oeNB2qOrHkm9X=KZK0(SQR&!gK+;tUhQOGn^GupV9LIX>Kv~|Izi{@l^N!|9G8@ zkdTm_7Ma;mI3dbbkr6^Tc3EY2vXWIQvX7BMLJrxIRSC!5WbeKA?{TEA>w5pbpX+x0 z*KyA4^?W^_k8yw8@Antseii;>lu-Qi=|Q03D!dIXy#mG$`-J=-`-Jz(NQ7RGg#N~i zyOXlK(UtA&S6^{sSPXl{jIaErujHybrBAz=bX*^aEB)F~ix=Jb7uVP4orNPbtSf6} zH1twoDfUTouj>yxn3xP_8CP#?Zmu(Gezik?G-$-0USYNNIu89;E?a?W_#b-7Ib4!L zj>N>Xm8`E-JApr1E1ndD)4zT3oly0dJ!_?ze9;f-Dd7-myK6B9N#V~W-rdFyi7tiZ z1h+0J;mkPu9Y5*pLxx+i$j?|T6YT$;n!dZp_rkPfOZNst?GRbJs9uGA#aZTIVE*W3 zB&RA~U64H*qt`TFP;~Zf9)C(E`W{2pWHUQm@pUfCx>Os!M@_dkY?4xM<|mielLI(< z04A8gH35DPuq>eY8?s${I!6ea9nCs%5;zG!-tuc9C@8xSkeDm4d{nPNQWKWau<5|~ 
zE!aN#GO9N2qDJBIFBRXtk$zX0WCCK#K;8odN5+h_fa|lbtU8W*d&3zLKCmG4^UuSq zw)+}2pb6QBhyKu>l!5l-4SQj-<++r`!;ssKoS@-3zF=NaB4ZYzBAT+e@H0riR;SC} z%NfD5M}T{TkPs6apO|2vSthguhQ^3ob&b`ti~tei~Hppqsnr+(7SvoHn9TP9JKjG$ zr++c!E}$W+OFAzM;c%3@jXTWVc(s&fu+To&jEx7O@PSe0THEsM zX}2;Y=Edu56$B3`?(wh}uwnmdlwPCJXsFOyTU!_SCh9-EAS^hSfoy5u;Wkr$xTJwMSk~u$BilCu)Nu)KECS%i=4C6IUE90q~2egRs*9(9!e(EX$?lVsJ z?|-YU9X4n%Fgi`<@GYj$T0{7&9qqzkp{Tp}@T-^A!EH3hl^vEzMI(GU^9t@H`F#30 z6yf`WqKym~In6EwSaB8U3( zFtsEOPSQ6lO&r&Xf3;;jAWKxxykVfl^nlMhtRp#`DkP{xF-rOng6u}qlWk2(RO-s9 zE%jSkkE}h|s8Jg7qUn;PC4H;O{+fevSDCv#Pp*7#N+~IuDe$dkqloSHywKUH5=DB` zV3N2mTaNRSeFQS3$nx~|@_l=*>-9s-mNv347??M|NMXc9<1_^a208}WFU@{PG1$0B zs^WRuLt(;~2GxJo;@n?R)qg~HCmgg$|t1$tAM*b)>X}*2>2 zTXw$=T(_4|zi#}X<24!Yv_?)+yoy=f#D?Dwf$R)}2h*wP?7BVKuA-_KGhcaTW)-^9 zI?O`NDBpABP5(vh>c}F*v3dJ<^&Fj-0va2~pAw!o@BT7Z{^cYm`}W%^I-0@eg-2!- zIWilQv-SZbLa(2v^v#!a+`3WaI&|wALRnwMSJ_4RTi zYbT0$c-Z|s>~;_43;QoTLnx;?e@{8jXN*GMiC~@__fq?`erR(gJM4N)aYo_Gd8wn$ z7ZyGSY4-5yCrJHRoDdedZ$rFKpg8&;Rpu!+w*JPqim%|6 z*M(hox~`BJ@II>4zrU z?r4@Jpk`qzi0gVd%3R;z=@+F7kA1Sl4 z(V+&iFR#Cxp?mw*pwP`nBlpmM>0}TSd4CHZJvexI;fSfFwODC@nAG3`?3hxfi_cFi zKVd2mxD>9Ptd1eO(TK3!tSezXUFaw|d2JV#kevK*G$Z|KM_QGB+{)2tF~?`oT2gB} z$%VuuOZRL`nXYFd|2b*JJ)=QsUXoprYNEi;6q~ z{tu)`K#PLTGHPO&RieLLS2{<3*1BbBN&S1apJ7!xcD!?#>t6ZK*WWd%V5JhI0s zjgo(RBSzdY_0y-&+q`@9BX~v!KiiOzy=bY&XU${6)PIP~f4+VX1VMl3zc{nCzL;T9 zI$}%7g_E{Y!BBCT#OzVA|0pv59X!5;udlB&irN6B<5g)H6gS#k5H>-Bi#NIeADzD; zlQSS7000@l`rZ=mh#Uec-+N(7)V*Q+r~j9qohB|f55{?}GZH-A*Dz~~O+tOC zcpOY;Qcv$mqUrfXM4UkMu(9E?ZWAzcVE$6A`z-_r*a;7GocjGpxZgxY6}l{2fL6=1 ze0Fg+d$qS-{T@l@46D7ZRYlL!pdQwhE@(k}Y#%1Oy4-nKUnfK!w0f*phHTawd6DEy zKfz%Vu34T17U$VwLg(9O0~`!m=u^`K3159uNc}nBK5+GgbKUos+Nn4F*t2hF{2O8Ju1sd9d{Cq$L-KS2+(aA<2YYZ;zeKZ7FQ$PQ6 z^zA|3H0ub;1ZnOFtL5XU1R|(mVq#*T<9kaJ=Z&c4wx>OdqgAQ(rj%|zLa5VX1w-u| z;XLQXWUOTiB{Q@8R6Bo+3VZq*({Yq(L^cOHEJR59Fq_jM_-uPI64)<*34G4TP}MOc zg6s6qn`?prF2C0I3%=j{{P;t!y#0*C49mQtlz!Thb^p^_WEumo*I+;dOAQE-xsNjk zHA*aw7Uj#&-l%SZMsoE&htIBSUF^7l(FkHD1K15Z^Gh`~HE(H5WzeS0)Z_0z{p$4f 
zu@`6arnJxe{hh8fW3ZKhzVY_mJ4G&9F9CFzB{^Ya*5%MECM2|V<8XUF%f5aOL!?_M z5xO)bD<^9JHC&i~sKu;4RyaKIF+`xw&s-s@kqf5|9fiVJh72kVpXY6v$$wKJ@?_h7f(aRgNC1+ zQpLpAQKHh0Tp|@pjJ-zm+9Upj96Usu%xB-V=g)z;s-&cJjq7;45@vWb z1|H)Ad^Q%L4C_q}>-~mw$(NjwQyEZsA-HlVz6H~lmzRapB|LYE%+t>TH&-#F@p5BR z)9Q4W=*5d1>1xklA@**;;g&jvgstLZJUjqPcTzu^l#GmUmbdh;!oz2~^Ru(FZ|WEx zY&|x{ALH@pR`rE2S@Bd_mkckskcMKo>2vd=eEE<=^@dFMmvz0M(p1a7|s6E$Ikzg{ObG0fRi&$;k`FpPDv++MpdgSg zd=sO5NjsrF{U!3h*9B@T7}}6CihR({CXxaaC#gm80Ab{N`d~PwS;qMFmqBa;k^vBP zhKQTKBPgn{E+p^(i+Hbv5t9n-KZis%pcg&8kV|s(XqYD7LAavl!|1)8hmQ)d^I(a+ zl;&W!X{L*~wPDQD0opd77TBVSpC?@c0)O_WPk(;8r0ojqSp46iCXJ^G3JXu4Iwc?| z2)bZPOUt({t#TluwZt!*5gY7)L>{!r4SoHiejn4)UTSL5m;i&-*!`YTp9IGEgyJds zTX1%#7)i0I4eya&fMGIUauN~}y2kavFNdJO_S)@kksq*K1>P^Y;kWA)1OAgAkzNA> zMi-&+NyL6tP{YtK<3B(aBqX?QJtt?yWrV%Yoryo8Y-H(LPrqw&b9w!a3_#v|sC*yj zDh-`2u-lV!0M8C<))%_6aFrd>YI2vRre@XFo=Wb>9wS(m+O{U8is7}Fi-SCl%jNpK9PZ${NZh^RWVp>kT z)nq^LZ<7dJyMDa`hOqE|5={U;v(;Zbj|+@YFGZFLeKE=5Nu!4a&v+5+NFSz@>q3hC zk)?_p~+1ITgeYm`z8W@eO-)&O_3NfLff_Kf+LmL*vI&l)WDR%vFOLa z{IiiX8y2x9`YMT##G5hlw)nSKIlU0I?UqT#dcHo{LcdP|Y;@&PWwix8FBm*P;C(a) zCxIp_3|UXl?FsNI{MSgj2>W4y?g(KdzhJ;IR20TTZ?jQtS5O*lIwjngWn&G85`V_) zjsb{r^4z(RFK9p&4mFYr;{Wcm6$jj;HVZl|ZZINb!!hVR`TlKM;^UALAMT`pzygG+ z(E2(-IKSCHwO=8*R_?A-p1n7YK?<%gjBAC*KMJFT*jNkBE+;Qv-kR$#hY?NVGgY{R zFfq8M^=pFEm5j$|5_VPz;OC0}S@>GIQ@E37&J2w;B$k(#H$Dr&Z&tHtd`a=%0Mn9T zX}~byDfjnp1Ue?p<2c`eMpNEINm==NNTUJ)At4-5t9$okb>^uchcdzCn}*3lMtd}p z=%IJo;_s>sXzM^U<2(hf0^h%zgWyaji*mop$gS`q(H8mpGZz(aV*CpptuGAwQ?mod zDTzklPj>$KGl3wIvY57)djIA>i$I1Ehu!M|lHb#&Jqw4_m#Lap5jW^;?1<=WK7quVI;Hx90!ZoE))l z36Gg(hKDFG$SbswwBEF-ich(0Oo-j`d3JR)RfZcEiftaI?EjDjTZf?GH z-S~7ef}BLZ)WiMSwQGusH88L{MokSlv*A!uHq40OKx*lKw&?+`aHWRDRtOna{XO6$+T3u|^-nWT3hXr)xrX=eQx=dEzSjI%D<&q^13dRS zOy%=V5TJwOK>GwJ_Lo`LO(n5K_M=A~XdAc28cr_(HL(eYdra7Ff9DR9Q*&QmspF*P zQg?5!{;gZyc3OP7%PT8#f)o@KPx-uAHcFrZ2i`MmDdSnF;Sh%q8v4h_N!F_pH(TblX&wm@Ffah7d!D)O861C8Q)g&Fg5|LR z8-0Jm!Tu4kma(siu1|OXZ!Spdmz9Y>~&d 
z_*PCPz0Pn0Mt4o$W)HQk%*L^y+2tYUVuSaWmpvU4phEk-n)d>?%n2^mHg23G$uepHv8{mjqC-cQ;PW)x6{VRmvlb1+&eZ6hD zFS(k2lQb)9oa1DxqoZT3yDUbTk&(ZcxbvwjMn+mX*S61QOYq90caLU*>@J)6BJ1nw zo=NdqSy+fWO}$x*wSMG$=T3Ax0mtSUNy1;Z$~rpe<)6MJ9nagj_@5j|^~quXIO#$W zSo?UF8Q=kE;9!ez^74ZAwFs2`k;0aN0v3Acnep)s*w{ggqQ6SOUxd==`!v11>0u#} zj?cCRCMG7Xu9qy>a2#%M6mqS*pixqPTKy#Z2^2XE<)Kib9*Qb`G@k&?@%m9^wCV9b zvE|jj;}@^YUZvJ`?4rlG*$GVz5-Eifdy#e?0Ch znmp(%kaa%|Ji(UGPtG$=0fAZU*>{neX5sdjz`higy%{Q0&U=i$dU0tR6gp9i%> z0UR2}nPIR!pp4=Z9=LgNj-xJ4$`g3Kg3LNL?0ZfApN#Xq?a6-Q8y${d^iTxieW#uGWwj()g5JTsGops0GzX|r0(PE zWO6Y;c8jieJGIc)E^tpBVNLxf$U~KMHU0E8!ngzCE-S`0r*;z1H-_%}j&s0b< z?&&OgholZVMTaUbiw9N1%;Y3j`r6|y9>yFJp{e@`8Az$-Bu1-yv`0L|sNH>PG8+CV z4XAPqsnI*o%~H?^k&g(kl$wv#SdKBWJJoulfz^NIr zaAGChp?1J{pkpWMrzbf=C3O}oH^ddsZQ2c$7N4z6AkfJouJPkwQ>f66bgGAm`%|5@qZUb^-<{`I#Vq?39LY1>Uqq zkn>rk*X-Sp&ZPbF>?iyU1#J-ONdEG-R^Ju;^b^6uD^;2@tDG^$@nP~+N#^%(w9325 z>1jw{F_EQl#&VJ>zn}Hq#-yHJFh>)?#=GRUmRVX_iXCWE!{l7EjOihTa-kld%4My& zvypVUM@B`-?`f1Ob6fm8Z@KrqW#7JCb9LPWvinvs)6J%f>7f)f&`M1T9ItOgkP0<$ z#?heWpy8GAI|}-=>s(4|`A8|Hh^;cc)#YLS>)poe$)+R6e!Lsj@GMBZ)NkAHaQHpz zG8y(Pi_*7GSzCzhF@;7I^-BAfQ+JPwnVW(j>oe}DgmPwyx7 zd}Mhj`@7L|??#f7N5kKZgqsDWHG%SjBO;P2&C}MOaI-3y5K^F-X%Wh? zjo#+Q)~8F2Z5?MD>2l@fR#t$U{ya?Q3)C2QUpC(00?(Ki5fSHkwwXZC^O{yW1mKp1 zg#`c>U>lNRE#hG)KSCz-g^WfJ*x#>42sV1=tgPFVG^#gaUubjK^^I96x4C|ZOfFb- zm*3rDZwd*nr&loT+?d+(N%uf&PL(aNS-=$uCy0a@VC*MdZYbz{ZBjTU5CA(cDD%N! 
z71+|4rw~F_2ngIYMU$=h5YOmHou$G6plpma><$~sz(D)_`P=!(%_QZIE6v;Eo$c8_zrUF8cr1ETDlf#aMaVN> zY~+|EznDb$O)0@r7vm`<%2{--2Ydq*`}4lu9A7jM%walAaVc*pimG=nLOKM{s04a_ zz}`-Jf}Mq^O*is;zWpflAy2%#*nAS8f($u(`;~gs^XHj>`T}i~j;2=XzNhEzn>TO3 z`}a64ZNlizjtAg{4QueP!1VlD5A8$3E;Ny4EouvVy9;~}ECB$K83nqVcD89P{IgPN zi|U2FNP6B1z$afX;2_?((Ku2Y1!Z7ljKuEsl#8(g1Eq20ck=B_>VD-wVJi~_ibLCy zb)vJdV;*IK6wAumdfSAUb`dImP=-X2VSVsT2I_SssSwK2va86LE19TC`Zbw@*3ME^ z_~0e?CH2at0{?vPPvc&y%UZ&<`Ub@h7lxXb?p&V?)LK@0Bebru{S~B*UxfJHJ5aTG=1^}=m}%r58^u zWM#L?rM3dovOu-*YXi@<3r-Jo!5AoUn$v&)t1{)^peO1YXDr z;RJv}KVM%Q%gaT`kSD8AQ~mu^$B(}X3k!>lmE`9?7zC>Rid+NFZQ;(4kdWPJTTc*q zl_6FF!b05*<$;R@@Za154yVS31K2!GGyTac5Z@Usf>**LF_wV#q0-&W()mR{R*$Dp zsIvg6axJQFi)e9o)?@Wjj7m6|dC=3Zr?~?*qeHC*BvtT`zRyq$RV=($!r1=@p^J;D zlaY&)or{fy>CE3N1OCG%hHrbb3ab`NeL-nN{Ry?Pa- zFO<96#-Ww|eo3_U#ZOiV(w_qN{p>7fszF>rp{L-=28^%{0xF`{z8XgCNhWar&I={t({>VY9biG2&4@R>F?#nbgAzyl7GWO)q z=F%=*fDa-ax=W`30W=Y~puBkioeqzt1}|^O5o>Ep`+ygc%euBL^= zbRLGrRYJT#tmkJR2)`gE=2^)g#c%se=dgo}OnJ0na=9nb`(vNS4DDE%nT1J(OeuxR zJt>U1lxDOl&lx$6tCb@EHo)=f=(-Ovy&K5gE=A*K*~29}%H^k$C>Nd?glp}@?XI(a z>w~9Tn4FyKbSNff(SUStdYatTSKruotEI}93%8~!&mBNkj_U)z6!lXC4AcTEK-u7S zpx=HPC2_Zlj`z-+&6BwHo@X>%6&_cBo7J~!cpyz`YtG9YmUqcN_9{uyI`m4wFoP1& z-gg&qU*NIxW;Ltlaq6!wjt)QcfxqnVC60n*jh&boas};Kf|$ z&tK1QL3_Ls$Y02vSq-l~lTRbMD~9tQZdypS%?OGi)mmdg-9*4EaPAi(bCmLMwjv7 z1N2wkpA=V&Nbsu+1#fzS5+=yD!7{KolAHscG+XA9j)aB0wV>_{8Bl5)YQX(O$zal z%In;^H}pcjGF+5nV&!q$WiDP%o?P%W(v-c9L>^FphS@?flCCRO zfEq;i+pbkOT0VYos&`;=W~K_uO`7G_a3I;>!6xxe*H@*0xOV1qx>MppLQAukE*QGG zG1-OaFwKGO0IdD>?_2CdMs`((UzRHgkKQsA@OxrxQ!Vx-y5IV`gX_Z3_oAZ9>Q7Q3 z+kpk&Lr2GL7k1h!=vIQ`sKQEVG|`(8Cy@1viz)AX6|5RTSnDZe04(}3$PnC8t}90tuY$x+9Rn7j@E9%} zI!aFNp(Ul-D64)!+$7vZ1i0Tp;zkq z`9>!M1X*rLL$9AHau}Z9<5|5ua4;L2U>a2({3TCmy(U8o-o3EuiqUga6+9b~Xq;1*W#pMcG4yeVqY*8P`2s@9#Wj{d_ zw{yoJC(oG~3@eEhGZ9icU$j3lQ)KbUHD+JW?_T~2QYmMOGI=+vK^$amJ(|ZJtvr0KqXB(FW+ZfpxS?uik zj?)iL@Rf2D%5EcykFao8E9oU7b;(GVj1rL;W|j$0&#Ua;XL&>1O)eOdVrkX=|J3~I 
zcxXRx{^muaPb19YXZYKeXi)a(8P*u<8Rxz=8_m$zQqQAH(M75AJ)1LSK2TaR!ZsEu z+xvd}-EF}9!gjfp?6yA4>3I^4p>rws!~9NI(0FzGRkK$%JtLH1(PrFP(74n_ce)wu zdKIdKZeD-cG&_1DHF;Pg?XpAoS7$Q6LNOH%|bIp%X>b?&3dsz(4eygT<2KUrc zsS_&eRaVJd^Tn{bFsA%#Jm#Qh$4nDJQ}(-gT{fMJR3O-ZQW5MV==k)Hr$JRVHZ_H} z3HX^fdkC8H_rO(u!i6EN0iYVPLh^PyB|J=He`NJ5rAbK-le;N|412{`|Ny4m~kx%F6`aHHw(U`nWg7m~O~)pt}y+2&Xp!WR|Hv892qd*`$nSkuy>gK+=#+o&^M~BflC3FF8%GTQNCJ9TQAF|4~#TiEqm1IdnEnZUGdNzVsEIvm=KF5hB0Gl825?CsfY!HNb74Ig2l7J-)uF zv^~@qXbsXfZkL_Uo|~VchA#!LKM1ZI6&-^xJO%YXF1tM%vE6aaAmT41p~#M-r!hofyVMYBU`&lJVG!or4bct|yFVG!OkiCBWy8D`7zkBW zRDgxqOnX*&*-2a#J455IyHH8VLkV=|(9w7nv?Mr1XT;o()hl$G-u?nxFsSAjSS@?> z9^o}8v6?7kJ!E=LcsS%h%g$?O_971k20m3aX{SdDWoFb-da*j43mr+}pZz;pIB#R( zOqA2}ax%FxiW66##vSI14o%8*Htn9%jte^s;>Y>ueqOT6=ciduFf&(XTNMpD!&#C; zmpD!904Tr#ox6jRQ&rRP6DK$nN_I9Zv+mvlQ2poFTbDrEJw_4W8W;Qj_g1+q+w zhBx>%+RX;^uZ8qa1bp&>OepkDGd>zAJZM_jrRu+DpmOu7!+ca;^wQHQ?0vaoTRP9| z1{r=NJV<8So#rv8btLROSJd3h!-QzR4=y*hwi)yKNB69c91mT%1se(^h(oZYff@qC zj|r+V!VF}T(TJdt4E7OOH9LXJ=Mc$v9xg^MDxu>M9qSZ3SYM>E+s?SEr-GtlT59Uo z^<#3z($Zg{*#z5Zeg$RQ{>Q&OHm5&>clz_n*^wy16A}gU}^B z#ADdHM>Te1=m-7wP!XZ0G-ma31D%k&LI4e!184z(_Mv5CZZ77zvjuMm2jSw?>!zk7 zZxzEY*gz<|4Q_yOaTFAC&hTPEaPL-)5!X;xN4G%1mvsQiBE2&9Z_0FP^0wZIbYx5Hr2b z7C9Vm92>>?m*&^n7HXk)2mpmu>jh6oSZe5j<+f_M)(QSq1u~NfCD#3&$f6`ukD-1| zOt?%mpC6n6lgWy0#$ON&Ilyzh^Tla-SssOxTvb)M!`X=632hi5At~H7x8kl}uB5W9 z)miPX<`T37!7zqn3=ZbZw&U9W|7_~GuDE#>un}8gYIt_>*q!T=; zDm7I>NBJJ4J03h&@AreJXUD_g6Lcs+M`de7x*i8EAZQ)`W8t^>$<-y-th(o4^!CTI z*tv<{-_lsQXW6$|^>CK;jOxcC9!C_sHtfjH0&mYHcV80y%UpE#RQbi7HT=L={I}%pWe9S-tIHQf!bPcqOu)Nc9!A$ad0oHsZqhnd%F2 zyf}lxKx@zUrL@B5zrVz$B(q$iJJ}-rySVq+pN5A$n!6zbUwnM563Dx)s&&23qSn%) zRNU5x77A+?S+-vHw~`TPx-V5ea_&;nTMcxb8uBQecV``-y`0OW3i#^}qc(utdN|LX6CZ9BMiFn$4} z8<*%e>+h#1;|GOilBN?3gq=ES7`iCPs2&zhpF?&YhI{7o4_b!v??$JD^>&PE-{i90 z9l&YTrAAT3)v#3;AjmbI0afbbQ3?te=nuRDvmZ~-(yXG?)F0T0VX*mM_dLnXt)x>- z3ARri9TvNsyrkH3m`%rDQ3no)SznjEatrX(T6W|KcNH!B(+Ey)XY+kZ)^xu=mcbh&Q4`J3TzfRIHg~z$ 
zcH41*!AylHP*)LC1_BNcYFFCn=;+wlEp&ahh4W0q$Y^ObI6m$?{DWpNbr@{i);2bd zo;bn8^h%RY76yS8w{%hkASXXFGd~CbAq|iSuvtL<*rPO{B=<{9xV8spn>-7|J=fPW zL>-|zx2aZT5TMc)B290w&Y;p!{aL0U~1~8dAXa0z%c*AZu^+LT3THN1wNRK;OgsD z-BcC8c0*e`;`3+G%b$vhn8?>q-4aN4ku!y!qh$Q0l=B#r z_T9m8Q!LTTfpM~fQhB`5rQOXEwQoXaKUI+(2}gMDKM_ju0)^ zl5JKGF&lB{5cCI6o;N+Ty1fmcClWjyyr0q`*W zH3poJgfqZ{x`knzPhbiS(qNK<6#0N|k#5o2@BbGfe}097Nzy=IK|Pid(P3XU*!RZG z^M`17we-R}apGPn1>rlcJ97t_yNVnuc?4_5(Uj-Ftst=hU_cD!7YL*?8}lg;D+>z(G^nSxX!O9qfLH`F zu^22aTzo}=q%%W}0RK0?V^fE>FMICXxz$1X`Y_f<4dbtg@0Ia%Hn`jucsBY|C;SZ3 zf*PgPE0R4E+`IO`(ZGPk{%BMlgRtQSy_08&$jT{Ki~Cme%N+->s$1KvCm0z4^(;fU zwXJ=B01it={m_{W*bBlet}<@Emi|^3V4Aw|v>UIZqR6snHLR_zfkFaC3j>83J#kU}53q;-cn(1}N(p;j6o|fP=Ys z<#bWvLpFqI;G>xvNBoJ;%afhqz8i5=G^8+=y>n-LNhiZ#d?D`R&VsUcpMIP3IVFds zt`!jijRSr#h4A(Pv+?e{2Qu%PuIs)(2FtQPz{Mw2Yi=k5_h@*(IYaN&FlZY)kwnvx zTff#mw|UNwtfw{b8ed`=H!xLoTq@mdzy01#{TI_I35ji}zhEu~FnXg!4jw_+qZ#=- z;n!PG!7T7~pY_3uBs z^qmhazN86P+e}94+jyaXEDe;j<74^jleld1*hW+%rZEfJ*H9so~=fdSr^Kd!lW&OqPBl*P4&=X%Yn@ON@@rEWu~`NG-P#V5iAB`MY@#*~BlC!<6+^)HFs9esN z4M!nSthtMI@$-^-pyNA)l8Gz+Qi7AQx_ke&NzUkU6h{Ti>P)9_b2DdfW>)42J;HT~ z913)--glv0?=n>mPGZGKzPXv?cGFw=b)r)yql;1IP-PoL9i2r(cN(|S=_sgHp zLO!w!Q$#s-J0z}xfGD28!wt3TfmJ;c@YIdwLSORR^mHtO%!FS1bB5k*N{XLTK>4Hl zU5P>xiXMb6dHEVsmLGBw1um_2o~3iRxR|?&ZJG~WNR`=K89ZS}eautRZO9RIF*TU! 
z;?uZxoDD(exxM(R<$?CN*%zhL$q=EwBJR3#n)@5wHT%sjOhr)};j(s%EwG4aVNR%n zPeFa3fY>dg(O+WJvACgpScrSQxn9LgHClFMrcr}Z_9}gJ-BeqUX~cWh^^#1 z;^{B>yu#`p#-G3He>JE>covAeJ^(bj^&{L{)4m6qMBo!#Cdh}B|Wd4!Y#NL zA0?-7U-^n1?Gz<^Xj4E!R;_AFq3Upop*?7y+1q&)Mg#4#7(vcUgNqhk#}?hB^<6KM z6gbVM)J)6Q%~0?b^q5Tv*Uj|aE{e^QS}5J+oVcna2kZic>xwGrJcK%XoF(e?1s^h@ z!1ZrvulqMS7F6WrKWL7Qh%t*DqdPueKgzOo!nz`z%1AqOWS|jZMK!UXD#rf`?(>1 zyku!w@8Sil{{qDqUOC;)hH@2Rd4~WUrt;QW-N3jWLs0||tGQ{yBbj1ahiOHb?fP#5 zWJ0${zP{31z8wik@6=Uo_FX0KKxV%F#y#^I@4^!n<2 zye|2^iV4^M1i>KErRaYB(N|C3Z)_!e{9$p8Q=zw|IX;O)Sg%_(&_Sd1X+X)sQmY7t zAIrEMnB#;=%J@iicK!N!X)|JmNcB?;bni@(u2u$Ou_R(F78cio0!3^BK33>g#MCZG z1V3~zt33N9(9t?3At@*6&eU;v8_sSC;pMSApYp9?UmG026K!f`Y$sgVRAK9=YtzJ^ z_rZ;YXGP3$R>e}k>}L&Ue)Wd#g+8gP3Xf$?ihFpUP^Rq4ogy5TyDap(rYibeC;n`J zkU>z9kr4>P`0Z&NL0Hg!pN<%N{_{un>{PBCtZ-H)8xU2jR5X-SOdLdvr=m^_Bi(@~XHF^2#lg*NFmm=#8ylv=tQ4HQv!_6f%sUBo6 z>)ubv{?Z84le=8{C_yl-V6-K_gpOT3bM$SYXX2xHbL}U1Has*4c%ep_8WhWrAG-+l zQ{#(ax-la!8L}W>>9VB$8`t!WrHuQiRE1(6B#QIJNYL?ZW0n3M{C`)U%aaW1j3QJh zV{d7GgS$gsWfK6P0_FXj&Yx^q$->Q=;LXjPOM~*&F8E91SH_Y8`?^yLlHUu{bI(N2 zaLU4A`AfmY>%;aYe0wZ*(|$;C|8Ew%Y$0BW1`E{Re(nDxtN*!|W@r1b<~LEOv5Y9KAi(dT zmb|8z{^N$!Y0#{RuxE7)r@XCQuwy)z{$W|!J+3I4AFosR!!zW-)zG`E<~B7HFD$5< zw+f$Xj|xk8{rX-bm>l53tE0f01h%t^va+>}jofuNx1x9N z%<#NdvZE)`fTE+wgPZUJFYFbTiv#m>`9ou%^RCD`>tjnBdTi>ONtMnea5y|)}X6Z;5 zDLR(9j<4?MwSZOTiEHH+%IbMpCVJPs?{#&F)*0$@2RfKcbqyXM3m3v^0u#!K#6h#$ z;Gm4P;DM{OHk~~^7`9e1&l- z8(NM2enX+EnarC@D=@@wZ`b-J6pVv;rF<0h7l+Cxm=9Iyc}A#Vq^RDf+TOQvv!U_U zIP7p`@mJay*32-&-lC5tC)oS!=)2dsPphcRubw~KnAQwocqfaVFY!jx51qtDMOni; zDrXC>x^lA*wN%`D?Z1%pm8judVZo+33L(O6MIY+$lu2r`X!OgAw)LD|zOV2qn(8&t zmIV=|`9{?mP?r2Yy^Juj%$uENG^_lym~U*$NKG--)o<57+V+AXqagax{1DNP#3!@* zmtBRj>P&crcas;mKXCyOPnI;Y?|IGFAO&>XJHc0q-Ku2Ecxm_ zi_eBeTFtD1Whe6W>*3K+c1^=Z7cV664s3dhI-0(Kz}}meQ54-NodL2Am|WvZ^ALJk zT8A(BtwBRBjmdhA@&qV$%Uj&f#|MlCS%ZViFFK4pfA0=1@B|FSdii#Qn_pF#(!sP) zMdhf)yjGYFCVWHUAfO1I+;Cbg+tPJQ4Nvc+_vMiw^l(C%v$%$77|C36uxbjk#!bpd 
z#W{%EXSM&T;L`kXSh-Gc`k=4-)KGq$W=2PWJF$4jr`m%)58V$L7VCb#w3BD|wyT&u zME~jso#mUF8g!{nGaa*T+fLxe z&AyjGRaIUj&f^D_!&#GjKm8exN-CyXLMsaBi-4ZbFL>37Vz=+X01)cBfxH7mu9}YG z%vQkF!_I9xxPAGiu^mYwqAvsHS0 zgo@jNT1N>tjKv)LNw@Mcoew*aCHf$xNCLGBZQNlbq-9q!__3J7nJVH4g$kEtvE3xg z5}j^Lp&PYb;GGAhj4w0^(t_*LrNtPKm_>$-+uPWU7oKMnzTPCGCYw-0d@flP;@~VM z2x1!;&FJ=)Fs3{BAOcL{r3J0HHZDJ0CtC3_jT`y+E$W;u__zvvj#3+_?MB9khqk(rQo7;(gw_qtBUQbK$9gY+X>jDBfe- z(HbUEFi8fA>s%*r&5^n=4z-(|@-Pd?15zN%oURBTULK)mzTT6ba0C-d|xjTypYJp*(G^W80#>_xk zq@toiQM{IC2gYHh855gQXG@Fl*|TqfNj?NRe{F3oJqxs^)bX*9;V)G0EMqAu7s?W= z<7;Lpwpwkw9m-mihs;rzml$-WoMuVRXrUflGx}(IpZi$s4NA(W`N0sW5m9o?Rzuoh ztP+p4NQ=P>OP1bCPP6tUPGlv)Ei%sLc7yu zu%5nT#u@p#r}&CW@tm#%oEbW(?W6{=wrE<sOM9<8D=d-wiV;X<+0 zT!A-v)?6+>m7e)__C;Vt)X12dkAwcw@Ml#>mL&>>yzc0jqvb;hx%BJ9tjj_|w}3GV z#Y%7Q%+OGh=$+LT#*eDysI1rH!)9vg>hYp(-F|sINri=s(t(6RkYlIE$IC|ATl4rD z7^6?<0hJ9>G2rnn3`j;)!5C$6JX(t=)9nN3aExTs7l5<0qxI2MqBGAq%~NT^c=tW) z?T_9_nP9dINEb%-oGJzmK{Y9|g7wvWw?FC-qU$Wj!k3jARZDIfu_Re^qRg$mEH9dt9_EyMe@|Ds|J{0PFvQgZx>&xMRP9jb2Dn*Wzs( z@u_a+SI^xSKT-s<=f78Pd`yLB3(%_M?k5-~@JJBzs`OoV^&j4LWoGStAZEXS>-Q>5 zB`a5JyhG)_)h_ueTFjX;lB*+^gX=(*+su+71gDST!HG#1npj8NC)UtuyzJiBODz>T z3%jmxD<;f-mlK>?`WD}lQ(3x|A20WtJJKXXIR?H1@WO`fB4=u;w=IfZu<4sS`ucWZ zJ_cY}X` zIk(;)S?@oM480(bTXISEXzK8Hk#L5jcGd>rVsot?4vp6G*yCj-{{WjM9N-P{{kOpJ z`CBhUar5_&&H#FxvZ=otCirLC3k{M<-5=>k1Mk1(p8rAv@h%*{+m~j`E5G@^e@prQ zpnG^REeEb*=a16&x6p@r8jr%kUkLtws;B=~3XEU1zvAYcxmXaa{#LX8!!q3yk(-+S zTV(T(8gze^YW757`-ABdj?;K|5kqbK599TYAkYHBDs)hIpO8J4kixgdKibpZswwL9 zPnQvTT^+i8%fW`vLvyLt4^zE3!nrN|M>y;7=8&J`5o6E)o`s3;F4gA z*IN9Z%0vH!_uM%9t$rS~^myqt{)Xfv;2Mhw_xevt=?}sGJh=Dl;BaDq+LPFjuz9}; z`OU7!_r_9#TgM2*vr`wJr0JTP_!U{CywqqJraQLFDV~mTR@1i>-TTs;*#qSN^OvKF zlw(O>eW3$5L)%=F#;s~}rKeh4zGWjQO2nq~lT%NDyI=6I=t@mjyZrxg({Z&?8FyyNS+Cc&n!MY^Xksx93*xht-ckHF!hGu1*mJa0H?F;l(BMJFAwjRJlHVG+vj%d z#A(vgjnASpdhGK1>BDbo<1Rm{+~yUpRuu|k`ZAwgCm;O(Rd&{KQFZGc2LwS<`lUrg zkrs)e8wm*k=@1oZq+7ac3_?L*kWyg40R{;P0YT{yLArD3&bezw&w0WLKIz 
z+N9ck(5gVs77aq%^|?VM>!kAvKQjH%y`N_y4nz4gV%fwQvo=O&#lLo16SUCn^wzA>AeGk=qx)+E|H;7AO$y zW?r}hT$sz3!L{NJ&m<+A6aX!)8h5?XLT`eir;3W8W%FT3CJwPct`q?O6TR1-T$Fj| zn)zoh2jJ6|a6{x|_n|^{5wi>CY=||{whW`MmBUKR&j-fXj z_ui0wjKbYNm4~g)wc%Jcpu7l4Ha9Z-_b01%j3!z!)$k*c0xEj2u0Xb7awYYQ<3j7p zg^B$QOOy+dERy>H`pvb2d*j22(YH+%GIU;#>Yn;H@V(p0{wuXOKh#FqO7`E^r59TUDnz+uVthr+>hOW)wlOmXeL!G+5OlSj@?3lJRUi;j}T+ag|dJliO? zOy>v{KpVKPBc(xtaSY)5W;#b(kK?a(pPdruY>Bi2Y(tvNq}KV2Z=(S87nkAc+K<-n zhg}MU?8i4w+WkSsnQec1a*=^~-Pu%H)IrT2Q-8Zjxx++>S@p_NOnFFT(RjWu>kE9z zC`HMP`j1}Y65nb9==UkV!}2j!EjPr~8YDPY~f02rP z-HsU&`)D#gj^keU<_PkU_le8nrBNI5;T18NRd(e2ahh#+WgGa?7k$`9oo`4)Z|ot- zcUFpR3*WgzDJ?A zMvR!E)y&VBDkg&M>;QS-ZN)G_x;#neMHL7pCk?PHC6H{5T`(U($SwY;uU+3;YB9En zF5Y^C%EWJNd@W#6oBZ66BTd;l>7BtCl2;9U!&rr%JUr?rqo`<6&{5c5jw`WwTN>Lj zsw(Gr(Jxw+=jFkskkEWfwFdB8U+4AP9oDX62vQI14L-B8=bNc+?eY*ud_I?*kY$Z^ z4be^Y{t1(UZ;}1j*IF-cBM512)vR-JnTM4Pn;L7|Pl}$eo;9pPUFmMFzo&7!OCW*Z z2YF9xwB*wTS~qIie&#aP9#2At9zdPnKoP0oBcw?WhLX)ajSlN3Q*MpFz6WFSGtu#Z z?3cMbWbf^XZQ6}I$&IimrI3kzM8Xd>Wf2U*J)zM4G;;_*T--(&U=?=F(+zCF_r^NT zL*H0X1gv@z-O8dZ-EV{-TzDr$ino!7QJF{+>*46m`~aWLmBuiw zt)cj!BEqTS+N(Xzt_upWHp*Mg%*Av~IcwzdSu|H_~5x`y{C-@`e0?d;g^eYuv``FU8Xlz^Z`$hy>iG zJUIlRdo-28HzC+RAD3Dr$0zqp)Q6)|q#I?_SV%--{7r$btk)#swWD&3(4PU&tVZ;6 z&UwpZ3>E6~9%k+xEJ9HKjnJZogP`#@6$^X#Z;}(X)w?E*o}%oYSukh*JXA5+68DQb z$y3hasFC>H`&Luf#NREFD2jVeL6^VF(eslSgl*-80pTWV_Ek z8)nmPVRWAf8`o#ujBPyq9%ZWK#YV%`>XO%Z_y!@raZdn2)W>Z?vow~1@nv<>ew%5H zVXbZ%76%nvs3!}vinsV}!(Jwatb^`F(N;58L9<6jak|v-)c^2%W7+HW5{VzjbP>XP zl~&VgRz!g+2AnL>uJvi_(t<+6w|^XzUE5Y_+5;Viz4sE5;R9K<0?eU?Ns)(2tG?cs zyANL1K!UtURz19bo}LOkM0^_u`BXp|Vd9Mj@yVVb{ZZx>m3&b z9T9_b=4bHUu4DnAG=&tJKN+^1Lj>6|AQ~_j-tl~dZiAP;TrIaMnmlw;xfFlo>2#g< zsCJROt8VT2a?}y7RdT8Mzy?JEIeKS&gKeJhotNpb8rSUcRL-Wk2hsfqrSn%qS+n*7 zz(KM1x~#&p+YoB1zEaFILTBkWR8yyZk6=e{*$xV{6%3VGD66{OnacX^ z*zOVZwsBk+`qc3R?l}2wpO{N%pSaTynQ|&@=Z?#5laQ%iH!=Lyim;8Kqnlgt(Y$s1);4>&Y^1{dqmMeL68Qz z8P=@Y@kbWoms`89j~|Pl7iyJ;@z&(a%K1ee18dE&-DJwz0}ce8y2!TQ2H|MfGiEcP 
z47$B@E08>%^n9s-e#Mvl*M)@@z0245MHN%OR-%t=MOr9FxDEO)=?+_jSm(&)NE>9s z6DbQ2;(l}q?CXMdu2R-4gAmetGu_s|DRH=@gi z?ff211W8-eN^Uc^8-5-MYaYJvRIFNyjib`{7H_9-M}P)qjK0HS`YO@{F%X$a2e8RATz8%h zli-_-)lyl!;VO}yEpFs!qv(&H2exGEr(?|PW#8POssG)d1=DS?JON+^l_s;MG}{eq zrIhpr2uI$isWf8YKrph19BJ}v*c!)A4i{jY4l)yE=>JjjUUWBl z)5F2Tv%P1_kiD3|$$Hq+XnwV>k6y|>b4K;NZwCr#8i-l%{@}ebAv!J3`O{i{3w_k> z?GvvOqH+WHnLy=i^rr)2W?e_k6%gh{#uHXU6U{m{1C6PUz}OnXCdk^^d>Rb;YxZ`K zFXDDVo+^JY>&!Y0uh4lPe^r|G%7_EQXAf zpNMK0qz*b3&1Z@$(hR!KNZ{YPGWG3pe7Vhgikm`XFZ)J@aA#@Kg?B5Y1ju{r`CGPo zmp*O@Y$|1O$=`326HBXOK~b9SK}qGr{G(3dB)JC|Cx!Pb0uRRI9XT%(;*cq847fpr z_X+q!&AV(nhnVyOZCc*EFPsanA-xyZZPhGjr!OD9W2zAmH~T;*b5Osxe{^DOG*RKb zAl+2$u+&H1ixfM}OvHeY8#Lg`!{LNZ?cOQh?uFX2~e>rSV1|qHkZ#X6( z0&XSKDz@FR$}rIOfAcbbmvzad#9}G20eGk8%HJ4E>;M$cR`^t<<^2yVfHa8d^F3Yw z<3z|}g1pgHz`F#YH}-cuz?XJ~XiXTlPXDjZWVbai0LLP~VPAaCTD}p=57i1aYh#gg-PhWA) zsNhhDmIh-EP(ByK@yz;tHC4=+G9XJC+~Ec0aKP{TUA4Z6@Avp|?u49!!)j-z&H0#% zi_6ENA`KJu3Kb2FxQgguKm-H#P-@r3sK^xoZWZMFft7E4{U2a~H;?b`($doV;^L$f zekGtH)7FMoB)t!V!LHc72mz{LZHi!P4p~{t(jg6v?~A|dqnn}%v+8*W;8;fh?Ev&? 
zKno-|1r%uj-UJd?maA}M&x;q7yfETQiO4gEB;;R3{~m_7qVD9 zJpL=Yz6A|x6w9nsqiI_4d#CMXH4PRY3marJoh27$@01sA0X3TWfb%C)UOG>Cp5$0j zJEc@zj+(H3%yY?P4e8&q8Bh~8t^D-K6rN(>fJ{@VbX@Re1o@&8&;`X0`flWXi}vf{ z4ZFR?1L73qMF1wh!t`%2j8yK)T z*l0#pSBq=1JEdi0465zQ2c2$3X;qb%QxiudEvKnIsho4G2CrZZW}tPAN}}M%EV(97 zf$wcrR&AhL028(%a=2%JjWz!wP32iJUsLy)_8uv z`274vP6xn?2;lEFU&h@1Y%18`B2ec6 z1-kR6qKEu6#Mfc8ce$VJ?A!CF>ftP(Y;TuYHxNEl=Xv$r7CkXAv$aIui!i!tsAp(4 z?J!}9-d)yvDwqDOeIA^43I4qtiOjoFi85nlVHr&L>3zXu@$H*8eYyRFb`o}CUHm(& zm4U2XoP4%3Tj#A8uunih+1s82FxC^41kZO)Jm$4JE6d8>-KXwN$r!(v9`iK$d1AkF z>{DuOdm+A3IQ;CHg%l&PK}Y@fTMc45Jn1KF<2y=MU%Yxn&AI(i(+d6_#{2WGU|XT< z{fUv?{WVkfs>H#&f*aBfp3k0*pW@PW#p-j<2fU?mN_jS!SLsFG_bgRLwW#LS?VfTG zK2NRlu}n*RfGBsC$FC3o(mOLCyMW^PFcaD0;EV-2%dxSsMJcc^3cSGeas0>sF8Iu0 zKY|~Va&i}Nrc~rE9A3m@#K956V{8<|)^gml=F?i@Wa-cGEc8?6;2Y53i-3b3a0P}7 zez9SS<1`Xtir{R9fJ2S53yn2qyJv$&?pcJ5dP)zOM4vmkV_vIZKr+#?V{Z@1pI7eZ?hbs1h%JB3>Wl$* zGGMe!PE72Rueg+#JDg_PBh&ne&{Th}Cc&5h;LB;&$(p=$VA~UrEuwLa3P41+e9S`f zH2wYk!@|OrJ^Vlh4oLX{x%@@tU|){<`pm8;8TZX+?2!P!oc#tC$4VY`aB#qPVxUef zHw!jjOrr(b^ltW%X`rea5vPjD)xBwRDnm0VU|FwURx393yZI>PS7k z>T^F6|B{6ZFBI*N=tcc>6zyVQHd#C4jMUQopl_yKWqz_mS7K3m;20%~dEKnI_!Xfy zsbXHwyFdU{eVnQHD8K?YL#v=mPfdyp^u+64U3{+wse9Xv2`b!tff8pm?EEKFFOX^w zF9F&I&=doXnDwUx?b>nRluQPv!2Y9N15M$YF#ux0bo=F9Ox8ZwNGTBt6?u0CK$}JK zPVJ9{q}ifRt^ym_B)S5#_VB1MfrGW|!lxB0pPSfM*g279Dw0(c%>oX<|Jd27k$_fT zpk*22VUAGv0+z49*K5R2D!gFs^@G7%(n(D#Pu7aldCChf-9Cv}F`M)p zn2%pt*QiF_y>SE9HOe^e=4)?n4~$QWMC`^j7+WO9hB;mb8)zwCeWAnkc;>?aEqRXa z2iq23!#&_`bhvicgDtz~=H@_Vo4e)Q=cZ}ZYg7xD5Wq+6?RhTl%}*FYc>QG{+OYf0 z#Pb0%4VC*t#gY(6Z^$Is65uvG7P9l|{eEdFiXGds*I|5;1^vqv#`_m5m|0mPo2@t# z)iq50(P|8V%CS>GgAUO|k=gF7B>E;Br^=*uh^L$3@{KS;+mJTAbOQ+nwc`eCU>CY> zsVLys&b{PJ_XQ+&U60kkE4RV zZ|T~AI9&@)IJCB|ZhUO4b8%-~+JypZd$N+SkYFy@Bg8Ne^^2ynFf!Hz`Q~6FG9hk4 zfd<(#upbC7-O*D6*7$$l|0(bo<$|!+^42W64}^^+RXrD`ZelF!-+7mR>v*8)rbQE* zXMl&# z=Mxgh^adFj*w~;dIr+JuPwX6>g4D8WRN^u+KULud1NKs^+64pP01(ACpwIoUzJSQe zqPN9y@a|wdC~z!A-h*vmYzDT=fE$2hEA?py(XO7Jjg1W+7;QVT!`cURgIfSA1Msqi 
z)kTAaqINw-yiZJw)60Gpf2FpavcWiPOlKv_a|iK}4*f_@vebnp?(5y_IqK(|(_swv zxK^J7eiWx8_c9ox+;;ZD*~CU#ANoNilhW z_`<>G*t5V7?5M`aY|>~@W70B}?7$aCN*QCCI8&I?I5>xx5Q&2$g9(c`!Pp+~pB&l@ YdS2~`{T84m`X-JcY-PG(C;hCJvqSk83s$F>-e$?@C=cCm(o@b%j6d@kow_GWypy$8c z;+N)4*rS3=NZhxxT|(Z}{*SL^AWWLo{O+3fO?{))WIk;??rbHujC#VHN1|Xo<`7XQJj#6q;nZPH`qHMEBoSmgtUN@(UIgD$Khazco-L6BqZ>tv;rw z-}(!(8Fk1@wbAM)kqbEGg2gGS z@)rJ79SbMdiKWTOZ15Qqu-N|g4JqEyT3q5PR9R6b#7Z3+5fM>X$hjUE-yyV0pWJV3 zVYNtek(|6#oHijoNgrix)%D6@one=ZY%O9y=1zvNSMaFtagfaSvfqI6@XDW6@1+^D z*?i7>7`*d6sai|XNXtSpI}yLF`yfgAV=`;4i#EC|ApUfnvd`(PY3fP99Huz2KPIT+>L2X^$@3PI+?`xb6Dq-O(rLWqkc?79X7VH!{*y&YA5#a#ib(i@0N8!DJPe zc|uE>Wmuz5g>2vM-S=r|?>_Zn7ci~Ow&N2qUoQ?A*>V}Gi!=B06TihexRCpOXfw@! z2zhRAVZqY(MM-d$o01)-sp<1$-sDdy?j21f`L&hxUzc~v$M~*X5Y5%RSL?j^NLH&0 zx%DottMpyY$oBiT<71)~`x;N|f#0MS*lHj?4g!oXF7chVH+VXPXywf5GbOp18^!f@ zHV@^r3Ws58i~9s@+-}{~bU!WLsd}k;Ps729J^S9=DPsv!!?VnKPw|&-#mfPsA0Ow( zuCh7W>7e#%Fq=M{XPBqP+t_pS`z#hc{MjSgZCCS>9t~3Bk2~QT+UDovN1tM&T!d=Z zBWb)oHSA?KD4m_CL7tU=?RE^e_Y-GjUjNv|cf2qy*_m^}I#(0@t2ZX+lc$PpaY2!u zL`g)XN{*ei7(a~9XnwrZSBytEOEWLcKbz2OCdP596urI%HfO>D0CJF)5GAgIO?T5) z7!%iE8hX0cE~sU<1D$u%a>+oGUwhSdB{!;et(`J-XNFSL!O_v;UPnDQS~~E?S(PI2mpfB{6A-POH(M@u$$zyU#8pA>kp$GVR!ED^6%=j)+SuKj=AAaNpoA zN$Zgh5ND^{(&Qg>b}ePw_)f1l=i()6u|Gi^b^d&aM9Tc(bEzpG>(Z(+$odc>x`edr zUgWHSv8R{!@!*hKCA1e)aY@8eKTr(|Ez9! 
zr(vDT{0pJS5XR^bI%RiijHz*Pe8Rrj;u1qFsqXnwdNA0e&zX&uJlMF~cu{t1V6XEIeeJhjTjbRSrABUBrGb7}!ksRagNu8pq`d<~h(a!t z}>)Y`#tm0(q;Ht2wmT+DV54PTjE^^My_J7EZ&K z(y?pV4NlLErZ#LwpcEtdm||m()3I*pp>DTFI-SDRz1l{`npmb^E=3`9O9@{$l<}WOHK|B78Z+!2%FwM)Dx)RJQ`Ye za$Dr3t1F*~;A#8*7&THHf%Vvs3{{fXHPqK&i$h?sQ4S16Q#IN9!ys4VotOTT-`e1> zSCgN4(Yja>#!aEwxXa?tIRa}&BDd>dyx;0< zeRk zvr6N-`sZT9gPWV9(we@C3kb}vZ0s++pCD6XLM^7wo1x0;>mQAa`)x>;Ir~k|&n--^ z(?X7uL}0_i!=<~VjCzvg9xguHeF>+F)iIc^+IW->j!L|J1oppt1(_GLn7%ly$(do` zUCLILLRLIiqF-I4FxZZ6jn!hSo@bVI#agQGS$;axwk#27@6+pRCG5H2;{>baTLlKbFQ6D`Yt^K(Ffxmr42*)l}4P z9}Zu{Z4^h!maiehU+6Q(<D2Ro_XR$hO8X`TaBsW^ zW;mmLC(x5`%Qe@(ao((RYf}ryw@crGuNBD)jCXJmcOAPH&hx!NXS$r??>~U&1?vU{ zwp^2}6TJ#-DgI zI(+%!nUULw9Ro0i;2&d@J+Qm<=hL9b-Nh{)w?^)QJ20LW%1u>3k{8H-mmMviy0N|u?*vr4>{r)%bd0bSR(mZPDL*lFbZd>0#GVZFaDUvijNRe=9#W@@oRENGku{v>J)r;VtDgic zuOk<^4VIEdGc6P+$!G)2@u7OpJ1SDeeIn@+;`>8a>MtR7@2yH{Hh_c_raLb0p%<@O7e z9)5?eTwAMFMl=nDh^eh9Ij1L)+%u_!@(83OBo8H_VB|mxeI=+X{?%jm!U98%gq0~L zvya2nMNUj`YybM?jXMX^6S<%?uESM#myl_6p}&~?A1Xm@%{EUa4yQs|tZa!P!=3Qp zto@z_gY?O)34#m_>v<}l#a&u1lt|Ty?{Wzjz6u${r6zQ7LqhU&k5BY{NWjDSBMmvB z$*&X9g&1wYHM-mhsuCqH(NBNe`#<9%z;*!N@4&!F#Y)OtUGEt~;d08yR;xIieHc*p zhkG$&>9@!COL@VjPwN^VgPr07HQn((2lm&mX0UsX#TifdY%@7g3((QQN=q}I;!f1_T4+d3W}i=~t#88(Y_0)T>( z5xy1REOC*{`qnPlQfTDYZ#m}E-ksazXGS!QvjU*;Ms~fK~fCm2D=E)H9Am^AN_-gxUcM_JIDW|wU-@$-?#9; z8=WRw1q+W1!g=5MKlqihwR9EPGz`kXZ}xwX{u31=_%cs5K+S#w8V>n-$Zo@UL@03D z%eBAY{3ftv=^+l=P5z*0=Y=RE0NI7$WB-`llAM4pV-`FByz6%k1OT-a?1o#|BPsAk zun?fvB>$?5tMm|nlMVNCsA+db#gh()S?`frPyZW{Nvx@E4C2kv5d9ORp)CsI#JtQ2)T;U}?`xaHAr6(;{v=diRpY_hp*{n{zD;p7;gj0k zk<)=6`}5nuy6GJ;SDOOiP^=NEbiRrts-#YSlH$d6T*iLz7gBz55Q_YmdXI>E;aoS~ zwY>dQu6xj!o4MKZ*>io#I==D53_Uw|aP;`Qr0C}z7$G6rm2%2#x_akz7kAs6oMKfT zW~K!Nc`OUvh56OXjWP_QrmwiBA8|R9vqBc4Q(mH``n%%WKdEl4ZOLClmIbJ}p4W$y z22Ag~sSJ7!&J_>uBJg`sd~9Ok68o0-b}Y@6&qnS8+0UeEMaRCVXb=XM<<>mB$Jdrt zII5>P?5eFO^`ZDqmx+&{o9p8*>|-dS1UjmN*91vd61mzJSM8am%#sg=^fxCE^}Jfk z)=tesPnk*s;Z2rS8HErxh|dTGy=%F91?5P|(v#vqn))Fi^;i-D|FU>4MONCvL724g 
zzPuT2-({9xyD2Ej0{c#2IO451vgl3;OwLZ05iIvLJ#c7Fpxi02l8^|Zs&~mSg^6~{!-lT)jK{p91E96ZCtp17TAHFbQKv?tnX8UO_ z^QsBy5_>{Gw8Frqn`*>in<{zAbq@c7xznP8;2jaxmas!XYf@`Av%G0=$c_H0ZWh}~ zfpBaghZA>rT(66o>)Yi1S;W2|%FC@LbOIZt7L4@9rq1-26mHodC{oLN7 zl^kl#+NqpJr#9dclCen58rUt2#NDs7_X+!I`^?g9a(1)z^gxO|uZ^AYB-@9~-O0Q) z`8%ll&gy=A~IKMCMa3_O7FFCqO0ei?}W z?fntL(>P%GH}<~24P%yJ9=DBoiOqh(mJ7dJ)cUCjhkpNtVtjlA0)hRxnV6QAR$J@i z=*Xq-Wi2&K*?Co9Z}}=R1{)lC5akINuAxU}R}<80*ReDM!4*ey4^7(Qvl}dG5@|EH z>!wN(B~55xjUFp`BWm4~jt|w=%)ekAIosFY?+3Ikaq+X!Q=cvdHEW;*XJiC59Q1qp z_)LtCzkdC?uC7j7N9Q=Xe96bsJqRo&BO_z^HuR)7Lrz~`zs%t2(+2_q&60p@0@O7+ ze-7f};-arluTOE|!biodJ9q9-Bee`;B4o(optHBW+IR^-8T#qD3GV=Ulq4758e&_b z5mZChpPNS0(tdud)U`h-;XeBgpNx+_Z~1Eb6vhh{b;qY(mo2xugJd~Jjcm)=;0AZL z;+T#kyZ@$R=!3AZOTi$FLf*@T#Jqz3CGzS4G+VLa&BFp7BH_9T7=AxUiO= z7eOKIJ%*N_>DEOo?<_lNOK8xT?BK-4nf*~ZJ$S>x=e3u54FOw&lwoQeEH*F$xTvzK zmi`M>uSb4SS>>D)RwK~7FJHbC6ohl0b(C%<#K)u2XlpNjfBy|BOG`^TJN7~a1%>Uy zL*wVqKgi!LE2*f6*Y2a3n3&Kk>+kRP^77i>-(S;w!&Rao01%dzmYa*q(!xSZQ}byF zH#c|xY1#XYPI`L!B))z{5kAoi7Ch_58X7VkW@cs(5>W?#e+hkszP>)x*qErOXzsvh zfUJ}h9y?&`zkb(Gmynw0QM9bup`oEHFl^JTt+$o^T1sARHo5Dp4r6&8Es zcc%0T4!6s)El?P4tKQgQ23?E7{f+h zQno$4u&zDKH+}t*>hc=X$4k^P($}HJWAndO6v&c9uU+NTr`S+PN=Z>xQOTMgA0IzG z^+zc_Q}R#v6f8Zrva(WX=sWbGt}nAP zF)>k63JVD#UjG1vs@!Mg=C+!mQ5Wi%cj-z5;gH)6T-?XUXIbywy?ZPP*>HGHv_KDg zZEbBSk@T|i*^MRm!QLLy8%>#>!LN^xCq)l(o8nX;oF+XJdD_dh^1i-af^=!o(P*NS zG!6OON=>poBemLr)LL)1Nyyyv33km)&DB!&5r6p_rZDm}=zh2jvjtb!13eonI|T=o zV8bL@U46RN)UWWjaFTchTb88N4yv3?;~Gh_9k9HJ>xrI5e7GyfHPUi$iDt^_TUKxcH*GIoWgCclOkb_$v2%zysnhp?xSK} zjG5nv#GdT?u&vC^4D@29Oa9m$4VR^jUgptE%mu%&t1(6}FEV1c!i7m$TRXc^s&9>r zjjOAx)UC0Zpns7UbQ3NRI}9Q`FX(<$e_tO!Ls4n)@-b97{_D!Z-1&LrV0??XdP z{q$TuMe0c8yLay*A`G8DhlLp#8KJD;Bow5ipCxmDDk&-&)%)gpxf{q}&TF{$+l)@{ zsby4GCx#l>8ROv{0nUcA?>$vj)w55ZPkW2HySsIYjbxuZ;ffyI&yI8y5bt-xMn^7_ z(~I6;xkap_hVJhY{XoPY_tiY-)4t;~_ajfIQ++SdtOsNT3wd(|u~MNARu;By>af`y z*gNYQ-PI@A@?xCXR3@8bboW_xpdL39Kepp*P~sQ4l_hA{YaTEiS!Ur=-MiXcI+OD9 
z;K^kalhgFW$n@fOmR@owWn&WbhOC6K+|+tz3uc3<4tj^Pky~Vqh|K!z-J2OWK5=Ej z8ac8z*J}U?QhH|=T9ctp<+g-`gt$1=+XJ+_HawM-lr%In%GPFPqyyBu`yAiDf6oCc zEh%9!8f{-$S%Jgv=^@4N3%qzA-n#Ybpr@_PbkhZX6AoQwLA`pBv|qH)38B{{c1n$J zGlx*G&n_;?9ePw7bgL>E7#fa}1AF^#&jhRInqO6Aa56KKX)Ye6!ow^3&B95nL*F;( zo&H)~RdSXoM50hD%gfgp=r?I;h98#wI%-<9FnRn~oo4?-KUvybU3+LG52XjO?M%rD zi(~nF>CjL%=I#)J1eZ`n@3UXaR-tC?#x$m7%0BA0a&N0N@VQkq*O=;fq;}y}DC)IE zv5{1j#tFTcrpR{rogQThSmD47l^@Y7iAad2k0F}{KZBCcP3}97MKKTLc=yUnzt%6F zj3>cA-%P4c)4j%?(bjXZONA27ZSnYvzI9-jZDC@4FHMt+iMQ=0H94xO$TxZig|c=SXo&?mSE-J$Xv;qB&VQ& zYi51R+FY{MaCbi#AHT7#MqJY0=a`t7SSEF>#6CPUl#?wZEu9m+oYU8*u4p9^ubSg$ zsc0(V>g>$3@BQ@YB||q&O={>XM|#o119CV6%l5MU<;$1tHEeD3j3mQJ@V2!6B6Z$( z34=AH+B7nJBdzHbPjh5<@SBbG1w3f2eW+9gta6_D-*?hzJPC zh8WlTR+nmE^Gy{M6-Pk5yoEC_ZiHsN1+<(}M}Nhn>%NekrOwcmna#E3gV>7rdASJ4eB}Nd@v+FUm+)SBy={?V zNtNpzNxrhXLNDY{yeO#77F%p&yDGU}T45F;q2CQafDS1o#_!x7DXe9^^KJ1MRE&DU ze9t-TA9nUq_`TAzQwN11!0x56Pw~IxjDt-i_pK=UJb3r8(Ul<#7|zwbtB~CtkC*!e zt1;99d)3}Vo=3rO+Tp1xxBGVmBPKEc=@V!c=H!{1nlL3OeB%_Ya$$|9Uyq z^-fmVxBBO6V|R7#Cl8lsqb*w|jxYEbKNg>mY|ui9%+b@(rXH~&aw0bvp?oeN(Rb-T zEDQK*{8H`8;C+mF4d7x!L)w7ctqf;nG3yy?Y02JFLeMiX6p9=%Pg2*%)={@Zwns~? 
zZnQq@?mJzxr|tq!6E$>ZS z6j5Z0Q&$GvE*l9_J&-vY`;SMbzkdA+89Y*XgNK*)8Ygi_2TqQRJU7%CI8Ye(eci4X zQcjqJeH}j3G7dQ2!K$F(f~{GTxF?ae#ud4*N?Ed)b4Oy?6t4b`ST^B6c$OYEy?c#y z5xsLxL{0V)#CNXahc)+nD0CEOnYZ8XR2SM%#04hCXQJ@i(G~ z{aNs7l-tmX-6NB!e%F+C8I!g>=}QW9EuMxi4|R$ID=u805N{uQBK@MDf_&+WeMwnP zPR_=Ll~W_Cn@L_-In!@wc$ifSFgFl^BTmys1_oe6BI}b8U=SACgPPxxjOSIhRRoj| zN9O0}YidNaJJ-ms0bgD7fPXPgm(Er3=}QcH{aT&!A_YZJVPWs<lr^=C`r4S*=OMhedxU%-ahhu(A@#fCdmhJfY*HG z{YYcI*mz*i-XS_L+H1-^Qe5Tg;V)e-j*MquoKv(a;)RsZYiu?is<>lr3OnvnelaugFE>6z%_4O>3*y<$XO(8L{PJfyY^-5;%H2N+531<;4N#q zxw)-rDmyrEI((MY6|yVRy#3L7QVOIUG2n*zcP?1R<@!_XVG1cat)3hSxtCGVZ#35T z^rp&41_uE(*lnbE4Jcawh@rY>w)iS;Rd-fVqekkiG&~^`*!i^rkA^YLv(9;*uA$H9 zMNzN+p-xOuTG`@b^@d6WhuhAIgQxVNo0Hfht|Th@e<+44x%Em@^?S?H0M3)i@yGeL zl@m*Mc$m9{tX3awVf{Mas za^>a$W^s~K2=Q}D#cs48_ii}Te~QK+bDIv`pu`(fd9P#}-P9Zd4cCdka%wLUm_3hMN zPm~|aLWVM5? zKlR0;pXJ!32mVSJYBz%W@b=mMst|^g%88PTEzN4(7ORz*u5n@M7in`GiNzsDLnsq%e}Cn?qG-2!de26V<+Qqb81(}?qi#|y%3sx#!2+31ElTgV(~}WSCD?Y z`okG<^;sw068t#rn*n=k6)@xoc#{o2``0VDzfmul#YajkzW?=sE=fjmBdOuNZUclr zA8YpbcW#cGY&QPr%zz07ZrGrc_vDz)`ub-5Gw#g|gbss&FZKyGa&g#cu!DN2)@P+K zDXeV&DOlG$Q?K#OfYSJ;rl!3;2#WK;gO}#!Zz|n@9wQ-) z!SJvpQ1D0!jO0Q;Qday0eR)wBP)Hp0$D_J9`U-^inQo`VAU0F{$3z;_63Y+woIF&v zRjYCxcGj2rrq8}$u~>l)^<0RR9M;AIR}lXwgFR&t6cQTMCS3wJtM{Q}9`OFM_v2oK+V_iZD?o+P@4Ez2q^W!9#ln*+Ys?jFgNAJN`|o3-o^R)Wxkz88lX|T&EZc7 zBTOxJJ0)*F5)D@shncM!rIF8_cFD9Q!(8?krF6*aFFT@>g{%%&wt8N{11+68pX=#? 
z8r{xT-T0Zky}heGOJ^qb6C;^LG_K%(D8pvy1DZ$jF^%BEiF}`MXG*JbTvo zC2%8E>tPiF;mh!q?VME@O^<-1; z=xDAco7syO47(EPfXEG*3Af6v)vr|T8?las@O$`l@SemD^bf1fv2f9dnu$w}r=MUTLi!(G{nv+=9^xP9F9kR#UxdIdl@X+ZQnPqm__nKHhho zva>dGQiZAy*JggS1OM{ESJ_`%Sy3FUt*f(la*`AmFC5MEqJ)6rRY{2~4)XZ%8|8Z) zJw3zc%B0gtNJxO#2r*Gt@7vgLG&jEs%>xRqJ7(QBvN4yKKSH*tLjUwWA?U@0L|&A* zgog*QnhWB@Eii|m=5x&kx=_>&TiS#(Rb-x*UrQP$rj|E-djFu?U$0|w%6EXae6fdH zcrj&S*y$j-WeV9G5YQ&x@$f_(Sy)(zqOGi~1ajo4i=iR(fOsq-D$2>;9!W6oCL=@W z0EC2e4!FU_#)dx@?dIgf?O>>{&(6li#?Edg`9dD>4=AX@6hy66-EJt~f~~ezo-Gu1 zu4*@2Pr{8qPnp3c|*uOu{Qp_ zXqKOoX7OSE+etBnvGg#M8MK7TxZ!YN{q)<3Xw4Ce*ZmT-CuV;jQCh11hk$(=xu$z3 zPS$_i@{?HqZ{6x(YrE1CL9bE>ZE_TZ22M(P(wDs)iD}-HtQ`zbl$Yv%evh5OHTDD( zf0?rDzvIDN3efy1gimEjiTY78i3%GmVSe*1?c_nvww0+2RwLMD1M#x|*GX;SU=KE$ zn$JW8e}exjHUbOHVliJwA^vu`85%Ca)P%JnYX)4!)HbHXf=^Oy)?yD}OC${M*T=zMSDRVN*m z$@UdKbv)xa?OTDz0vN}5aL2O5lCFoL9$u|H#y}J1@~5oE`wixxp&rjUuuIJKAJm10Ljzfbo!%S za3IZn4KnMRI|30e!CWBkaR~2&qgD+NTT*5&D$>rmtg5_spl5dN5q4fZ{y(d%jOQ!6 zSe@p^&Y~S;*vBk=&V;9V$3{y=3Tx(#X#?ujbpDQWBC$5LUvYj4_!_`P&tz8^yZ z-)aoiK2SDAyH=Dh2phi8S=M=AAWQZYTAZU|Gg{G<%oWL@re2NaZ!tfh?YNp8pjz`p z4lDUpQhlILTcqvR%r(&u&(;V?d!$Tn1H7)zzC)5scTa{cLZiqoYHe9nlL}FM{40NWcI?ftZNW z;7TZ^m(fjwLMH|Xn^SLQYZMk0(a_KU*3ifBkwMi>X;_x1hvFGq94K`mS85vVBQ)7K z+1Nf)!*~1Lg5SJ(uCK47qqDn-A^@N&27sJHXfY+7SMnHM%J zR1F3P(Wd()jlU5L)|GpYC0%sUcOmHP+A-AP>sVaMeZsJevU6;bX|I*~%X1P(Rvhv9v7=4INhd1s;vVul$` zW)}^Wj-L}2rsp&2(Pak*s8%UoF1WDNCUBw9_xVhB(kCK_x<}E4~D)8+cQ(Uq_T?E1RjI}QT=pJuvKiz&#g#( zX>BbwtObHb>y(K%uI{>hoo&s!y|7q0pIxna>+PwY2%RhZJn0g*BCf{TZ4SKWFgt#D z+AdH%y;;Nu7;7Awb*xr1rOd=|;iIT#y6)!0C5GWRSu$?=+pG>@a<&DE#yJ$XkG!-3 zS8i(MMp;>qxisICec&S(qGlHUSfr;L#(-?(T=8KgsGY52#k${&zfp-DYbt+_;f>C5r+i$I9>3grKf? 
z>E<>uGGgL14HLHs`T6r_X69WQWbCkjfB;4hU!}INpa4l1s(ApXXg8=fQ1xJFH^^J8 zsi`R|;|IC`n+Ylr(JFH1PSAl>rIn4%`}MjnU!-VRXINK(;?4p~P8!(M$|)$ww6zN9 z?=E}msP69W?&Wnn+Zr{hUzt0QpO=^OlaG&Y)MjyUkaG3v)vMe_IcHA4_?Emk$E!7r zjlpysQ+O^Bu9_aSje)>jEJ|*;E+LI6Dp5y{rG~#NS|ur}vn$=K^l3lwvooA)g4lKq zT7p_FQZ@6F_WKI=^@%7N%*V!mR(j-J_^d*Wr2au&QsC%%zGIVGqy$=eUhyo+W!7MU zFndL+>v|bs5-(O7K3`m|HY}JGTQR)5-fcPA5R3Kn_fsfs(2>!^YKn4-vF%?oPSj=? zc#u7_ltUhT;{TOQ$u$A>p}X3jZL@tFUR7jYb3HGJiON28S(~9Q!A!Mc$%ytzWq-*? z*XN(rCRL&C@aJIiYFhIatV_e&TSQ=KeXMdcIlX+UsnMDsN!zHwADWj$kc0?GLg-41 z!bU~8W@cuL5Z>iyJTMOr4;w1O-h9F}R&#KzNgZ@U?5*CeD+iQ>#dgQU#H^{+$lI(= zPpA8N`ud77dunSBm0I2%5 zK0P&ZAv_YFQzyrtbe;{dd~54f}`)_CE7zGL5G%MY?=?>Z@xVaG{HzUh>3~yWIQtR^4N@|Jlx&; z%9ZX$CnjD88zOZCQeped;NalS&W@gdMNU4u5 z1~QDRt7}I8(BR-RCd!K!w>DA4)TF^NF&dCE^t|j74lw=J*vkV`IE-DHLYQ}~)(whW zu9qh;sS_TZS%1AqYpgpO@3SqDrYdKb+{b6*aU-9Qs>bzsSQ;0)r}~3Un=u)T?+%mw zWu#?TXpBn?XMaK>I<9^)sZcY&>@BATQ^?!5>gR@Un6Q(PlG4!)6o0gFXJ=(Km2`ft zs|#8d{bOV7F>Nfqtg(iMhPjSlr{GT5{iUn4wEB!Nq8j49?l0r^+jfP;L`Sc!tyNU`9~y*hiK_k`;ydHn zU*k4ypK(OcqkgtRKtUb+r=ZU7AqJI7TM#j2rur%O%oQ+n2)ThENMcMPzMI#8VWX}0 zWjbNF!_*Ht=d@2GMs5QMM1l%eOb9tmra+zc1fssvz-Tlw?vB7{LiwtX@1ndaixO5uSD+;SbA7s&A+fD1jHzP=T#-gQjC$4(k zyWu0@FLUK$*4B8QYp(RwGb2oHm%*@g$oW06Ie`B9`T-cX60xQP`%B1A-xpa3lEORl z>$kPKi*|+yKfRu2&e}Q+Z+zzm=CPm1NF{TcN-1Ua5mPe8#>Q?9*~x%SGRzX_Vag-l zh;;KRtd^QcC>`Ct@NN5%lv$?>+AXMwX|`ux-U(iP-i3jtJ_eaOvS92khV9_1?$`}-gkwuEZ}?@@(~ z3rV!+W^s>8YP}}Jj|9U`X7NFRf{X+xdmCa11X2b9S~?wBltGtq6Nx#j4Z@U&TIkBUS@7zQIANtJGrsyTNB$(BS!%6M|{)@0O+} z&#QJGw^reX0n<(6el!pI?=)ihi2aRL@HvuECGWur{ywK5CVMbB`7Rn%USGa|yfZhI z(J*I6v2=-Ps<(n-+FNj-wVqq-&8p4Dc-^3uMkSB%o$*ZZvLI*|m7X;lXYtQAstwpI zi{*mRLt)X;(F;P*rE9ccqARIoJPECnf3atKm@iFuYxjq`z46ulv(GnSJeI;W=gJx> zD{wQCRvsPz`woCecT!tQ@n*_7lnd5T>MExURoLM((4&sMN`*@p9PR7{t zmtQDY($r!#7pWK~FidGg*=I$-w0soS>c}>5!B~^!cvZ_-WQ$L^VX$5rekS`!ifMXI z+hcCnjck~yzf46wzvf=;-Q*^fYv;-GGJgE{v1#hD^|fB2z5RS08DHOA zi`-~JBk$fMV{T)(^+vAUQofV-!H8u+VGQrU$|>RenzV*Z^(Ywuf0M&4WLlW7FT&Wy?}xET^5a2z~7{^GIJ&BE-Hte6I4 
z{cOHsHRXOUmH@1n7|_V**xZ;7X|d!gb^5C8tgzgU+%K%fxtXI9kYt0_Hqs)h@DqfM4Z+W12J-DdsFY0v8%cB2p{{j zS1p#dOI64RwsxfRGK5K7+VfZEvf=#%<-D~;M_*p%9d{)7n_9sk?jDfOGg0Ih^cfkm z!Vc8zmnGW=r-glH#xMRJ*zWnPykA&c;`FxRG>n+w#;tSwPKtWx?Yynj$?Rr$!}MFU zZB!i6G7H?QVDU=GmD?@9$9=kP)9VS4b-xfGeSKKR(ngSF~kReLSz!CsWlN#+5Kg=ju)~=+G5e*+NX6Nuf z-McxEe~E&?id3>}L5_H?#V z1Gu=bg9sUtjlhCi9##IUT!tt6sECD+^GT`8Oabb~=zX+`-lg;WSC6ZA7nk2a@EBI9 z=*C325N?MO(6jhv!W9!m^ZfhnQE9?`-NE|^tL_w5`z5k)MR@Y`uLU=7A%>;iYcX7v z8&;?}S!OUKC>^5dp|*YS$Cg(J=pJX(*H1PzNrS303^xJKOb-IEIDvcdZq`$o%6OfU z_JMN{6@SxjO2xxU`I?ncjL-Yhf|svPpW^#;_MV<^{wvn?hb2MvYgJ+o6)$!GKump2eq3G#j7z@b$gXx z%HU1#FYbrr?|aysceb*2HlpoqyA?!Z!2>(H+ib79l3C9 z)1?f7^mi9g^dxt%SrhB=O-{<%E!~Z)K3==X`V260QV$U=-{+qGwj#}y5c{31e0nVb z(fDNj%vF@6r=5VIp)G`Cvqmu6DhT1XeDT8cW$GmivEg#PIdN`-*Cj26=bWPUMLgD5ccdlZPk!Wc+w{J*Ffz$iv(BaKeK;Xcu+=$3JxE zoTZf&t_2_>l84yIC$|O@BcEn*{K``e6T5;x*nCN~et-J&1~I`kO8hSR1DeRp@z7r* z{G=MBpaoNVSU946;2!yAt>nv_&dq?MTN!0M8(M9nrHh}{cV|i!yHiEEeaS-5*;sJh zh}iomr2hgdjBM4%=GH?laYWT=w;%ffmsO2?@5ydf2N+k5?HG2N@LQNu9afECyasI& zwHkX9>v-PH%Uj_)XBhF?I@7iFUS?RtZApimH#mU;Sd^AK5j%w$P(Vm*d zR_i#8ztCrO$6eWq2%f*=G46^gG_bY(kCErBU7AZXEv0iy9vz0?s5JJ{%byPM|p&qqqjHL#%wWn&9-^USz7t$+Z@fGF=T-n>Aexlf;LO=v|$#k#}(@M|a-?DDm@59e~ZF+4e`iUFg}6_OL-KwYFFS)w}n zeC+}#cRPMl6;8#txVXK5l)bay6LLLJ3;m8e&^_YPYpn`6{HQ2tp6VZ2I|x1t2CI+k zwDOS1r;4~_0!nJO;hC8iph^KMX^lK$Y;<&aZOy>QNYw&J$DIU8?xp4BS>mAg7ai@7 z3Huxf*AVwZ$3}aYnSJj8lSDR)V5;}onz~d!Im~roak0M*=tHba%a`6imagp``taey zj~_q4f1C1u$a?FrDEIDr_=uoLi-fd*bcv+2w9*D00s=!zH#mZXl&FMA3?PWoN~ef` zionn%AU$+N$7*d`}rV8MwZl zEP?hYF4XD;X?HIm zB#P}{fQjC?Ytv><^YMB&G)U?M5^3)XiacFd>`=M zitEvP18Cr~kw?Jyv!muE9}fFK^aT+>zkNq1PO@)ud1y!onwAQ!tE=1FSbCbJ5{pTx zeVpU2sipNU>&~4!(C~P8{dIJ7`{3YZD+%ee;@B_rKyq#l4h``M2!Na&P1!}9Q!KOc zSOzKZEbh;i{HbCx8%>>o|C)B*3+W+5{M3{9+Zn`AayGb4{P3s1DbwTfm$o7YC!$hP zDcm=Bcp?L?i~`doBDl?e81XqenwY?9IHS5cnL++E7kC!LX;c)^4!GeyLJyZDA}T5+ zJ$)c01>5^hpvsLk7`{UTSC_zD!dzZn9!?|}Z5T#+dYX2e?d&qI$3#bGtH0asMVAKp z`==C^WMm+_4LsH+n00h?;K)H^0Qf|~x9aas3AmlP{o2cz!d~uYUOxNpRSA4$O@@9z 
zzO%CfZx2or7!K7A+jJ5P1vr+%8CEqK`JiTQY|xo_D*O4X&f7a;S{fQ4gR+-toYIGt zl9Z6R^B#;XpWc;B2>p9-q0$!*0OELedmA*?C%q~%Ojz4{{X<{~Fyb6E=(oLWeBoqa7%9q9X@t)1V{L8p*s7N zGaC8lHg0a7k*>VL^yLAGviB~UXjL=&`eepyuitAa3v^~Pzmj((9<%;ocK%!mU7_~J zj0_BQ&^uaM;tdLR0@)HcY=zHdwZWJIWhr4o(x|+d{1^2{LFfKDCx>My{^ZoW*AL{t zJTzA87 z(qDwJ3B2deI7;D`CePyvk50f1WMO69r`rmHeg1cV0lMoQ$y?8Qy4GwFhQm{y&w3C} z{seW|?FV_R*tckaOPupq=0y#||IA#N#|WL*zM!HFL&?9h(KuR}AZY z+iKv1ovn;6fF@KcCEQVPWwkh{xmFf9i^p zbFB3D<#=xNopz4-1&PHi!<@9AKLvyqJ0w;OR|9PNlXrj3ACAeq(^`0R;C{77Lkwga zje`#yrtn)X)6o&NwA}ce;)XMq;#Pju#$Kl1sWW7B zaH~rljTKM#ws7_l*QCQMh&6tkZ*hIfhU3Uafq2tGg6sR}(WCMDfc^dbZk#+FcC_x; zN9M1};_LcuvNHv&ARNF?? z&AdnZW|N$gqnW0Lvsx!wyu=HKq{KwiiTS?y z4cI5MY!P1G+|YOB*NvX;fWw{F3H%pIMV5cKB3r_y7y9zfoH^6|#Oeu-h67DAYx_p1 zOZITOzp$lseWPl4c7BdrQ(9zlSVl*@V-sug`-zC}6E3OBVmFkQQf<#d8U!NuvWMzt z8Kd(9-Xx_nl187jQI51m-ch3kMiuHcAGJ{~u7EEtv?c!ZF;sqap)}qmB}6}b(q!`m zZJJ-scHsVq%aNXW29n>7 zv7=yFjnAIT8S`od{k^pjgW+7V0{H3cTW$3KFP#}amXTnK1vc&b_wQk(Ole6;EM zC=eEHob>}Gy`kTWO5fC#u};B$@S6AGR=@SgN4Z?f`@oZdDzB_Is8--$I)C=;S-7;2 z^oSwwiod6A4{)})zuUgX&Ki3;=F|5k-Zi& zcqOr^%xRrT#*mD~=00Av`IY1Qe(IW5rb?;qVVW`|Ame>-5mJv~foD73@NG`CX!LX< zzL0u&OpIvPutyjP!*#yxtu0|b0I#LC?-idwLrFsoNGT09J_WrXY@H<_23|H$$~Fj)8G^ z+0|MGD18%V`I#{Oo}RkNho&Il2GeJDl`guk@BZDp&>G6?LL?thaqN79x5mXA_FYmz zC0>-3mF+2$3Oe~!D$K^#T-qy-6kUG!G|h+u`RBClO1u*Jncp8UGbkopJ=se1@hT^} zg$yUvuz!Q4Ksc}RPPIaX3V=i=a&ngT0I^99zwD~(57K`yI&T*R9ou_*>%*f!6$dZ^ z`zS+01^{(OM;!@q3LI?gLvS2>a#c|-hE>pY+g==)at=DR^KVN2`=D#MG||Nkzv*&5 z1^XJ4g$SNRQK3L~{=SmoE$c1PhQ|Kw-@YLn9YtnA*bj9=Ru~d_X1({Jj6QUtF~;~anI zNJoi5_f?o8JLqVN$>o`)q| zr=%RM)T|al?|1emjqs~I`nNt!p~Qo#_x2X@iqP8l!qX?4ow8moE<+!!B0<$-cQUUP zM6Lm*OdrtgrTpc8xLh&Uky`U;;tREz{~2UxebDjtfRmFGVsLN}QJs)2kJPGjS3*0|3$KkDCA<&+)?2>45CQeSU*m{#t z_$3iPS`X#&r0DAM4$Pm=xQQ3o}of#EH&ljac~bhQYD`| z$Fb%-`aExbx;RkOsx$UO@~0>p`k7Zb4mRW#whm6X!8$$_@^DGui8xCT;JfIW@9&==@=bRX8mb?w+iL$=okPDjpdZCM|kavIiX?{NMlpZ0=)pLErcYdLcJ2ZO4c-sebP>GZT zTQ4kz@DA*$m&?MrViS9)S|T`JnvEGc2G{=nQCb`nh}^xUV+7KPFx0j-jOa# 
zDtNpz;ym$DoV&fF0|NAE&1!vcJfn=iI5+q0ZaQ}#U_yXn3yn;C^(y>C>EiUpV2LG5 zv=eYhTcHtD;%V}KU8&a>P^8Ku3$uJ>TI;}l3oSH!ClN6P%}J+o zvZuCMZm5DkIp7}ZOh@s$LD|O3oxlV&)Oi)XwE;yMrdz7#;ya%CF+8J7?x1?4g*Nqf zn%%pJG*#xkh|rw4*7A{XtK6?Tbd2q?`t6w|c7dljqdh%YeRkt)>VSJ7`sdupb*M%> zs~oHCHCqVKI<`IA{Y&g~IY_*+t3Hwll7D?E5rv9huVQ%u>_m@})!-{Rp0OcL;>hVhs~VcjJm?qr;EJzW5n(0<07mw&ouf zw!S;5O}vmVw&)ORQe-GhP}rVaB& zc(Wq&E)tYJD`tXa)SVRcT+OVkybNz>adaJf7PV0{{bBC+{{HNa(TB_P&np5ApW@U- zX`>P;2ykgvj0X6kRSbH@E9=?NS;J2)V>#Gjhp&ZtZEPhut&^8pAlcjS@eGx;QSHUa zIK%{mgcE2WOS^FvQF1~K9B;FJ{Hh}%)cK_?WAwmZes|MEL;d^ed2)iS>lP7mZQ~S1 zO$m6usbM>jM#G)X^^`##z5aIBED1_!;r{5>exk%;*F!SI^YnDmFe=g?2K*2(j?Tj7 z=rg^zS;n5^QT9W0bbvoO=470T3k{Frdn-c@)!^wfzL~~_w)>ic`!_lp#TWk8-acCA z=cT8YSSrW$1J^LHEflA{SmtW*j~wskInq=|BZ?${Ki7!N2Qm!PsE1L2yU}Vr<(&Mx z;d2g}D6ny;C@a6MnkJ?|P@2o))cI^$_ly%p{lA#6&VBw){Dl_+f?K=0ZxU|H9JR5b zeVg1ycbA4(_p=q6VbRMky||ez->^K=^o~9&x|6_~TXNQ}W=Vf%> zwcjFd$T2*6g|+_scam%TKg%>6ZM5x5v3Is$Lz1fvU~AiZ$Co8P$*n+8;0f&Ny{)T) zDr1d5ShqNLcKw5;x{SQye-Hk+kP)g};c(kgL#>GTg1fQtFUaQ*dg5e!w>U|ZNSS16 z{dW0fhJ&3e{r6qL;O+{_eWg60XFyF^Az>)Vdl9o+%O(1R8&~38pr+KVCSD#s^zm`z zU6iYvTSftt)Y;0^TW_jRSckkW-H5nxm7u)qFJ>B^z z!}-FVLnhPu)P>wAkp<$^%Rx%D@7|qXh{#&wNcYd|La2{?z<)!IXqGfO19ex4Eb`o- z%F;*$X$_riBRSNE8$y}{!cAYai{ye)yvrFX!_03kVj`&pChta>T~0XmM$Wk!Ry8Dt0{ywg^!C$WVgaD1LY1&Ns>?yGO{+loS|`P|44batn%zP63t` z0;XT+eQy?YOlb{cZ`L46)>KwLSdR@lVvVuCJP3u?qZKSJ%k`Q4`C8+RX#3BfDY8L~ z$G?E50lanj=ZpKjy}kbH&D5ClJXpwvK;(iYbwlvvbV~N*EYFjgEF5z2wSetDJqirz zIl%Q$enA`ye)Woip0^}2j*1r#!bTXJ>}w9jsPS0cyphEs;*QJlcE5*_3bx?-AqPAN zxk?ou83St9XU}|hmWDio|JEN=W_D8N-dz`rluxlG(a-n zCSodmadI$t6rMxdfrK3V+?aB3-nTg9Z?*|E&`WyeXJ+EGx?{>P&v6`YX`>3laO%Pf zE(ojMzWqc2ba$$Ryl_+XXY^mlwXJ$UsT#_3HDAt;*W365(q2Vh|FYCyhad}l3fdxv zAXc=;Iq>I~)8QKC^)ZS+df?!|D=JF0?WlrcmdiO*-UtjlT5nx#I6YY`YB*_?Jz3u~ zsB{l=BB_$|W77(ncNmM8ZFoOAnKcqGDl!&mhH9Z?%mVVsT2g4_(Fj#@|wx4K$i zmW{5S9LJUvwd48eq@WM=9E`|;-HW^>93Q_zu) zv0*=5&LK4g1%~+95!5veb)n79WKM&{XSOH$!IzggrzNxh(A}M49;9bJ-rkpaP7fA~ 
z{0Umm1OAqV%xmp~N2{o!0u3Pj#$X{XbkzMAHpon-VNW@o5D5TgBU+PLZw@!cH8(}T zQI3L&Vg+VhSgiLK7+IWz{)Ud>TIjQ91UkMmKPVqQ`_5SY7&xuN!H;rgL~p8TOD=ni zZhktaSE7i@7_Q6OpljM${C?%$2 z;^~OXUD?sT+mq+LMs38X>1)cK6oTv@Y*U5BTs9L*U zVprI?MaXto+C_rXMxw#I+!7I}UO}cKwVAi-%bDgnpwDzTW{|%P+uA+xTs*6m71=_O1$N&fYNw1vf zyPpo8?NkwVa-7cYC2R-IqHgSXU(fR-AxSlmtT>jTKPaf8cSW9TCC{c;lr2iTzmS`Y z4rn+gA~3MxM03lJ;vAQ(FAaTy;&#%FjqlodyyTJ}C0CINKq~^Qj1Hm3{2|D0ZF<0| zYR2L@K#n%n%&ng;*D3Rz^mw$t8wfHxnse0fp7@#T$z1L3IU=3HW*5hbWB3cbnILyM z6FTepOW47PoYHY~Dir1;_q77*`H{+pmpn+Nl_qrqC@8j040f?eiSUxm&3SL325<{> z=i*SKlLd||aa0#L|3*&hH<4-SX1Vjphb`N?i$Bs$dyd?_*5^BNE{WE=_UGtz#vo=b z+pL+aJN9hUBfaU6bPpqb?@p|0Bo<{}RKrcaD;@>k-LEN-LKtAba=rFOnO%9Yt<%8S zQ5$wMdZ{hMN5=<&6AaXGiFzoQwe`TSr5Q45VIhC56F4&?$ALwH$t^ZE?_9ckg=saW z=&q!8Tet!9!$0q*Xpi#;pWeUq;K6U`&R>(u#$$)4$)i^zN9<$4X@9Ye_U=?cOy0z> zi_pl1By0p6zqj5Ea!pD`=Vxckh_^J;Rv1zR9AA$duI(2ii3{`PJL`2YfsJ-?aRDZ(HHINrfi7?V;9#uEt+f&%4djcfr)Qwu6+uBA zLx-5@>4)pNwni;ExQ0U={rIqBoPel+pgRJOS?O;8nl0R|FK`WIx_K3EHdT`>OOUo7 zzanM220Ir1Ct!rjb#}~O;+_p*f`eck{LV8gv4d=wx>@L@(806vssMHphUYh=KbUYj znxuTYXmZ_>_JpQqWMv-et}_(w_*gUD2J`=xFA5B_$U{0GV|)%zHT1-9$AzUn2NzhdEz>j##&s$DAQv z&*(=8>*MK07sAlHwep?a-K?B-wbQ}NIz59EhURy13LeM0)6DzX>#Til?XC7=z8 z%*?qlx;5z@F*#dBoK~$xj1$0N?)$*Mk=c$Qfwu~Qczjg8FW;^LyBJKze%(2)3opJyu~6l!KrGf3`bY&6>dw)&L?jFA*ID1~aMT$DeB^ zbx;2~)K30VDZH1kmDPY=D4X+-VGALgx;5S)W&AB&CP$yeUwJ#@nN`l_P>c#yXb)fC z-IN|pCnB9$^S>c2Uh+uVVu4AlEXWm|6y51;n{_*3qAG9gEieLLrOwI8f#+Ks$9IQ` zF|{XQN+@gXTiE=Xk@e4vHw7xvi>g zH~AQiDK(pdn#OoF!`brDp5r0&bzh;YlKBs;jVm6BSskdNr!&010(mmz(e~(1vIgBn zqs-Ia1jv57GSC%+hz33L{ymqA3$2YVgb}EQVCoJr5mAVn!qbVOM?)~y5^PHJ9ooyV zvzc?yhsfM-6TAG*=39}RpReyTcXf3lUYf|3qT!}44ZLA*Ht0;#5yK6)TVfhveb!F^ znXk>O+&V+*Gyv}C+`tW8DP1-q=E*K$j8q@kH|1Y%6;HQR$27L;g0vVq)W@ffdPuk1N!{gU8GyLE#w#|kSImdc|skrBz*3{Xxr6D1! 
zPSgbgf{nnlnvdEwy^BMOi?6x3-8L*Xe9$-O1veq-ge3DiB)E@%ALNUedh^lxuwlZC z;Vu{KJ2orh(*FF(C-pN$G=Qwt%$Zllk+s3x6QG5bGo$71>tIM{_f7}xY6wY+?%%)9 zGTPnEl5<^5L| zFJf>Gx!|_?mJqz6)hmH4aX&voRw|oLM$WzF zNNON<-8ZJc&v;+}E-nMLHWT=Dg#6kaFmFO76#eEV(mLN2((cTz1n=}QFp6uy(Iak)9k3`t{c*1K?{2vN^oTiMCfZG^Aa+Au8IR6ujDt3*ted!*l#?#~b|(G) z7FVaS={0>9oaO21kmatsa6cKbX;byn^Ic(HCv@OcW(22j(1YRty+drn7T&_pIq6%M zh*Z$R{IpnMgW9KXE$X0PZ8uKDhR5O2&-~X4gRSRq4*&)OaR?F7q9vTWmWFwsCq9`3Gc zX=;v@Sf2NN>@F%S3?(JeJhtEJ=NFmRJJ`^4yNiAp%huor+`jz->a!?2DA_5^5ONH# z;a9R9F76alBDwl$gCc z%fLGQN+xBZ#4n+Ti;ncPo47T$RsYv0yYq7FN;T6c^=kFfR?mL6hF9!hT`BJw`W5I` zIZn)XBq%^DM3fs1T?Dkolp@<*%`_>l`pCcdLVJ}J6>ELB3CgRj+Nee)17DMh)YaCa zK0UXF#@!ZH**7>Cj=MxNm!sc>Mx)CeN6lOrLm~=W#cRFe`Qj!1p z4Ko^znV+|vf250x#f$kFa)fkJHLdNk8rjopIBjP92 zKfSG0)-XLT@DkXd6*XM$U;g~5xs;3<4gT@Wu-x2Sa9w4kbDw==u~#~FrB&Nh&<86^ zch5s@klE{~;Dd8XSOOWR(5l3s&)bi0Pd%D>3arY_dZl>+K}pF-y%x|~XLYHnY;|L! zQPe**nksFKy*tUpVTN51li-{o>*C`f946-S)13ULa*5Vddbhn6r>A~<1hj2Ve|b9@ znvy&=IU83-iD>q-J%i`#nDpjNaKkg_)#U3UBHKM$vJp(uPpD*lw^XMG`uc7;_SRS?>V{9m0%FJKf0Q8y7RCeuB&wrs_qzVyg}UEgAtuje}{V_<#nn&8vKqw@)nz(qvS@em-C?48t%T+ zbR4Y~xq9_2bYmnXM;aT=j}Nw$X-rI!Ffr?N{#`mSr4#kg3J)by%dx@mks*YK8iIl# zYpAH4zs-#PRtt?mkaL0iGeZ4HK%D2AjFFAfYuLVavntnSpr~A%fv2XxLhL{wV-=e= ztVb&flhIOY=S7)+=u0D=7dOw^-%sq-Sij4?fpIzH)yg`bU=J;J)Tj2XPersNL zO>ezv*Y)eB#MRf6T=WRU&-aCeGX8tT`iYsYUnX$@HfH?ik@)iyslP%Q~&`MA- zRmSPC@%hS@%NqS={kk*$s*eKmB`0HPVI@&%TcG)}xoxQH zr=XpwuBFu`q(?DjxwOV~a}ml5J{QD34ac8g5+ir2m3}xr-gU41)~0Oue*`-0Xzgsc zWwq7yThGe(j*_Wu*|a7?)7jM}A;%<*o zuT+#9_rAD6Axh3DRsuJf^YhjX^dpShTn8-Dz(WTkC^R65mCD(dR=?>=KCLwv?GoT) zdH7Txq$svDdq17Tu<<+)#94r_fPf(Y}H=9pG=3|&NNz?QvMtIMCcExUH7$DMd6@dvl>4!IkQza^bo8xj8_53N z7ddB$BHm_797T5q9A9NGD0bo8^f-+8ME&%I?*04OIXM>eEHETMADZ~!CGYBrd-3AQ zC8??B!M`Vqbo1(bx4Froq`p}4UAAWTS5$wmnD8?R#8_XS$9y+im(WR0b~cTlvM*ed zw@Lxg%HZE;&L;#-_X@OxuS_g0Iiw6gJD7r+nxp$+-){<%9{pPUQ3>7d>jXjE4z%2G z&5Kr5KEI>cVen2|_f$xwws9(rDlC;wGyqkZJd)i`i61QytdK6@!F}b5oZ;HJeLgyZ z($TL~Jz+xRXUU$A4&Y66b=Fxnt2t(uW?=9Q&l;~OS8Xk8=K0|dGi(N 
z%J@@)NA_Vn@17Sex82m!wi6cHiL!fy`EtNW6cIV#-258c*V>g}wDDRS02hoSdA@%uu6wH<4{`Y{+L86tp)sPRz6=dimo7 zRi;$zVwxi&E^rDwLv=u@4J8i{wp7x=wY5^OK==>B?kkrlwPmke({?w~)_y#uXt>+b z1@Uyu3Co*9oy^L5b{@1gmLea!wNW!?+z#5`5?^oM3;*)Fou{CKg%jNml0KuK1j3i; z>7{%&ra?FT7VjJDjm`I&mLu;K1F)rbJ?r1k0Y9-pqS z^9QffTHZc59kJ+Y-_Kmf@w`)NX5f@-dm2eFCYWF};@8y2ll^x6>riAMvko3{FsPvh zoCRc5FP3vF_X2hSH8F_qCtJ!LaFxlfPC4v>)rl2lvQ34rRP4*&T00g9g@a27%%Od`sw!}SKv;)ol^pR`g?QkRxcf~*)H!5mQ#;X& z*3R6*f$Qas&pbjR&+UaxEbmdPe66drug0H&Hk#7G@XSjKiLg`Yce6kA1uA${raX zi3!6wzEA{+CqbbF6G>3b7z1NXsEU<&D#dlr5QdSRiasGmox%*WxQ;(F*yI?FM0CmC zsD$G}@yg#sj!ZcG`~oF+sceH0c@EIJN-SgixNLm7%W$%s7U}GK3w6-57qyZ5RWzyQ znNMx6Dvvh!&WG%#=7sMhhe%ckbi`6M#<$jd;!l%YnDt*TY%R-0D{<^>Rv{mgiPb;z zVe~&AuSA-g@P?eXo6Nm;*S*elZYTRKLU#IBwM&0<+v;>xo6bDj?vo~lQUAg*_efQq z+u!n}{EzPW`T5DoJ+7z_dkEuRDEJSV(#F5In;08kYXMT?YsJB5ARHzd4GUI2`>gUg zEuY-X08I;g(Hlu&VQjh7kaBwREe_B*E4UHBIdoBayvC~&#{2+Tz{f|turxD+$E6ae zp%IPI&Ff2pehc(NK`|7|DE%e#nupFazABH!1l5;)iuHsaMWD%1Lqq^`2vN%kyM(13 zYuY&B-=LVz#&fo`$C2)j7rZ{mb?p3ogsAjto0-HX!S1+;piWz-w~wq5>nx?=?;D$) z2?DQO?faUDuS6kAk{okMFyTR6i_3PJ$>z7D75DI2H0$#3T=TBClwWs)aNpQ+*2{2$ zmRIQTn_DGq^>rh~egXnGvg|jps>;&Qjho1GkdlGU2s}BeD*cRWbO|%D)7w}tIv=Dq zmQ%5weUvRkS8(6uDUH_jKEb3(YzdFhEIcJWDuj_d4GW7@!uF{OlzFK!R#@n5U?=Im_)Fx(mTBzMrH>Lo!g|sq z;Q!%^4NJ699-*z1(6PI6{rVl7m4xVM!cwCzTN$WZKBYuIJ3AKZUbMe5B}xDBK3&M? 
z{Sw(HoPy=H*K}O3=6GV>H`XSr{H-z5W#xRjX$AWug7g1f6N@UjMIzGvQ2>wX>QM{02WzaOASO{4e1kKy9eVP|9EX5z?0ci>jN`#@m~iaqx9j}F7v*w~cDHfz>4HmW@qb>-#1 zK(D`fGXs!mvvV0{Oo}ul|2hTYoTUb|2@}TSOvxz_nYz%vL4hX>q(?#3>vdPhTkxts zxYeUvG#RH}0yICcbIZ0W*bJ~FWEY5Mu+T*{yJ1+;eWW*PX6D?^_AmM_%J(cLWt5lB z#g4A}8V3_}MpI~#Oyi9;%uKl6;Nc?MzQhu6*58@RM*1m#`VF7ls_Rs*b3KnYz7I{{ zbh-I|txJ9p{wmXs=)$RuAVecCen^R`-bzVeYZNS7Hp=Njk2$-xE8yh=b>0)UySz$k+k7t;%41+}A2M~%K5iHN} z1)oA^w5?bXHACH-0QGBbd^UkF!rA%McCI`m1h+?>jv6sq8ff8qMz8`ECWt$sTLaS} zFW*wUdC&gc)}`uZrI41Z(n2-Y8c^ve2Ko7~4U=9UVt|~<$FG)>P72!pBKWrMS7C3W zO4#=_BbI(P4PYy!mXAUamYr)asRn!Ey=w(py5}_~9$f1O(eocv13Gq4 z5RZPciLIn7{N#g_*>+zrD>PJ8JDp64&T4!)Ud_j!++ywQ=yd!mS9di{Ji2)~usY;f ztP_d5dCSY6iAeO!i=}r5VmJ(x3!_^SE$#ajHxFLICE6WH3?1$+GLd<|*tu-4c{6ok zGW@I9W*T$<Bq}gM8P?UCqri)>HU^{$*uVut~BKl#(K%gr7Yi z8;FNtIBNr+crn11BAy_h;rc3r3-tjE34$MvlDeD<4IXo7i10zLp@Dd+u@TfTS?SOf z3JN;KY9d#|26}sspl1%}E|c9r1JYYdGN|g?Z=hGha2zW@oUo2WMlOxjNkV9|*~BsV zC6#DccKOoX$h+bMZ)Uqc*eJyaUbmk+Xr;=r+3qvh)c^TDeUbk9W@Bi&H2ln{XJ@>ezlT$W!&}e1aECUkEh@abk|l?vq~vSJZl({H(*tj5mT5( zsxW0r)%&pC$!ljzK`txONcs8WUJGq#*vXr&|M)s58sJyQU#$Oe{@T?ct15A+DiK#&(*;c$fw%&E7vv?^SXX-USH`}kXu zoXq|22y}Ud!SO=+}eU4 zuZVvIKiklBdi8Z)1PFmBg%t483ibXZbgcD#XU3uK%t^IN%e=#uSJ} zsQUPH2}(Pz(Rl#(bn89MMrWE}zcGr*s#9E9<9n8yx4Dxk(+m5YUP+(o(!QVc2rNfb zsR~N!kkC*Tq{(N9#yRiaZHMM{v`E7|{Wq$gp%GzV1tk^Kf0uEeHJIxNS4}2lr{F^GLB5`KJllG z%-#<}}==Eq{A6PIa#qw4~3;@cwttK@r*UJ6Dvs zfq;ZBZJs9rD4r?axf@L?9!Kr35IvWB_+<8c%+1#`y7cMOd$rn=eMm~@DM56cui24Y>MYhYk~Y^)ae`GM}#L79Jt!Ux9N0dUngR}9-6u2lKf*10Wa8Q)zo z0)!nR6CcBP|IwcP%b`*HQwII5QjIYDqpyfs=c0GH5lO<3mg0QCZ0v@VIdG+i( zuorCMBI?@lx0>=J1X4wq_noDmS{D4mTCv^{jis$|7<}hVT!Fr4Gs__ol z!SXBUj`ifAD!WN;s-71&mGGIr)?Gg^E~P z^sjwSP3monRQ5RdP9x-oT8@AY$&3DoyPfQ!KDO5v0_jBmD|fvbLS}J8cg2AVtyqx% zT#hxZ#mZr3lu^(@Ri20z{~aD$a%7;6@YKuee6eFC%|(>TiOF2VKhg>pgg5CC zeipf6FajR3GZ z5;$7oG+GS^Nj7krjru($@jN}o=I(g4-Au_IJ;vua`;kz#)SP2Xo@xIeq{M+qs>w5>VCrj_H! 
zp@Cm=Gk<7kffKD*_eUY9%#RN5?PhOyo?H5HR^*hNS+Fe`zw`(+;1?0{_{^T51$0p zE(-8D36?V*3D~GsN3iuU$jMSkQAhcK>9ZiGjkBRwH|{dkcLaTyZ-3F?&cpC`=MZF1 z|NFXsw#ODKVOc}`ur$nf`c>;B(m^3pwtcmV?wd&V5VD%aKVqgo58K+0OIvbH_p5i% zH?z|F_yoetA%n#KoTkANkemx)wQYV3RGF2`%pqiLC0J=CPW#6x+xYwDCME+zfkJ`_9Fa=?(a`S?0ejVFyXI_-QZgAlm0o4 zB!IeQ{(R~fRL{AT1j3e9O%hm1*cG@NV*gxX*8)g%Kf^q5G~f!x{DTi>#QH%Xv-xLP zHc0;Wdyh=d!~52NkFOW_?vjt@sd8;9wEzAIn{v#kOV1($-8(DZzg16jHV-+6t2;B> zw#i{A$)6(Qw)gprPu$f>g{BQtcGfOqLzw}|D@6}{rmxoK^Kd5272W*5?-0X)UpnBJ zIQ)dgr~c{s=bjoVR-?3ZMux+$on~nQvBfGkZMy_jQ*H#}4D%H|xb?YKI@P57bVE(o z_(`ohF?d_?nWq`BZ@T{t&-de}x$>sysjyh%2JiXdr;%g`6P4Wp`vENweje@Z^w7u*ssjQqWsg(BRPn9nu4 znQ2l=7L_GdBU-XIQB1yv;ccHE84oTX+;~nFh(8d!nP8Y`^PQg%0IipC2HDAY4&`2( z&G3T|N#e71jeqNg>+jYuQhK@L>F`|4bDKyHLm2MK9p@b%?>0AEa58)jQ85_h=k<%{ zy4$oKs?~7#YqhXr>iw#Hu_63?g)4S-1&6Is z6E7=c58$96mOQ{3C|as-efI9KAloA$nNY=lH?fl%!Z zOV(4nrcmZ~{L7+5ml=7J4}H9EqB_$h0uJ_Ey8KVmq}QCYxgl~{Tfe^F&CF@aZUc^_h-Y4DIug~IBRxP#;Wz4ekt(L4euWXEc(0i5 z|6DORc(g74TfdnrxhQ-FVi@%EzY9qDY$3jEJ_-_G0%b_}`-?1m5eXlkHJvB98d~T5 zdp>%0%@R|Yly!tj6Ie2KWxWH8G*Q$9Jx#R9x zwdi?1^-ZDLKvy)eLTb{x&f;eg{Ulq(_J<_yk#`)L%F_cyWonw7unIqXY$*G8hpJJx z@jywjm_kL_qkV7KkZ0&n>=r ze)rW2c6ZOp61*Fkt_I4w%Id$o?Q5P-b&UaiT zzu`Dj)O@>SCg;nj*~sG#w)O$`|A|eIA5`ihIDV%cJOkit0VbNruc1S-cLp&reNU>4>xfk|(f$Py9D%QjbYyNlnjO`P6(Nk;(C9a{z z=f@B{xbXGi3=01|sB^x635tfv_D@8^|0jt4D+k49#zfV%xhO}lVdny0cqW})2>sgKibvS9+G>17`7wt$4V%h!fqBb$f2RV~{OHaKsMNOn+nQAMn; zO$k zLwwAt9`Um6Gy<~~vXmSedw9RXh?<-=K)_6#8+W*AraQnnY%km|jC4gljJlIyKG#Ip zS-X5x zvdi169~mGyt4t6VY}d3r-`6aF`WBA9QURUB9uAW5LR#)jX7n}d(hs~uD!9^>Pruy? 
zr1-rULa-}URL766AkuZT-ZWBuVth~3Nqz5<7oysq^*+V_v(B({7uS0?t$L3+&QuU~ zGg)4&Ci0+C8W2c-yqYHMfi69nmg6Tf`nfCjejTSg=`3-bjOWA7Pb!5hXpU*Rg#7t- zWiH<|+MhzA)Ox5nl^~7pC%&9742 zuo<1lVfm$Y#=c?BhnP4H<9J(H&n}4S&m9Z@_nugegDg_wEnHVaZc8nO@z|728rq0B}pJnlKl7LwD&TF>+O%}UurwkBrxvBrPt=+ z2nP6-NB)16eR({U+xNej%v3V#AS59f%8)ryln8~)MUqUJ=dnz=kG1Qsrq`a~s)A z>B7G!0Z%Kb@xr{p*BEj#WXe?Z$U@9=4;fs9WOxIi>(N8c|F6aEsUHxoj@|bwG)N=> z;m!|c!XFFlZ~XJ0(|fn{C~~C#d;UVadlmu2{ApBwBkuluQV*iJ{WktPs3P-4f)a&a zUgam-2#N3ZgSm__nH~oUVf&3!^g+w(Hd`b#C$h=-nI z{2A0V*Bxy=ek^pzW5>$Y#<#qFTbV!0Q+tx9H{WdbX{NOG=VBY|$e5z4{Id8uO}o0{ zew2>1mXvVYSG`qm%0*zYogzB0Wh^v|i8;#WdEERvhV0&>-HvX)xx5mO<8`k1+RIjZ zSx_yNWG_fRT=k@LZ5vsyZaovh5T)+2mfGiVJKV249kzp+vIeJ^J=L%0;->NINx97E zU1;FZ!hNz%;emQ>C+ z);Y{3_J-Ya?6Lm*SgSjP-9D^>=Cz`;gL{(I#O#CB5|8Th#buxAS3TE1QEZ*>Rr=T9 z6={1nXHI)BpS#>BD}FBfD#_}guae_}gwvO{uT^Wh^$(k}il=R`JuGEM-?ffbE)sCQ zbFY5#%${VGN_tnPQ_YeOG9Z1K)I7 z7HI-E%j~OsCkIln@~ltlmeI6V2y&-BW4W2o?-K|%$;@((I> zN;1S}LHfT!9Pp(XRMW4L{=WF*OT&2W{uwBNKb(~pdWASiv0uSwt@uBj&?j4n>P~q7 zZ;ts{h#BHFuYB|5M7V&=1{7f@I1PB5tFhW4PLkI-gJ&TC1`;~fCg|4OU6%Oathos_Jybq+OXZq`wd(h`tVUyCt?3D7n?F}I&`S+em(9(>3b!( z?Rrtw$f*2mcCyT5(bE*s@oDlN-=08Lp$SWeUZoV8qC7U{u(B}m`f29*l4rJ)%DZdj z-RBph^&LK~vaqsEv$42cWp&^F znmISYj%pQ{&248|@t5gY7k>N7&6#U@{flXISmM3NRFR3~Zv#HuvMDsR-)NZbAMax6 z)9BPPipA!$)2(}+Zg4bpI}~h`eelgx?3i>`%oOtsgd69g=Xx!sB#TlYSD~0&#*N2zaA!=$a)Np| z)5RI23|bazE0{IVy`Os?x$XJ~j}_EZgtz+?+IFaE#T2k0(YO|Db0V7-z2~#Y*Z)p^9?Q_j&ii>;fPOc3y#HQOGZFxcIoOO+5$p=k57x&t; zc@CviC_MKTx<@KOG^7}K<(l$1_Ul%-Uuk2vH_%i2UHXDG%xU+;X(&l!_6(@RWUrxe z1qZ+wDx|jwzY|CLVJ}y(c?_LH-y6u2pJKpl&MfiYeNmq=Yvr>ck4C-c3B_FKV|6Zc zec5tapdMA7R-VVmM5I)Ap{jOL$?$FK==%GtPg$jxcf}I6qMZH;)4q*M@`N$JD z8$W|lfGque8mdFuKc3IRGxTaXV=b!|+n=_-8k^j9hyP_UTG_sRCjYTwU88HzUfX-@ z>JSg_t^ii`don&Yu+D($gTCT!G&c1})I%`2;f2M`ddJHfvQh$RrPX@hgX4pPn_A7< z)}?p5WtkH*jcL$FRm6ECL`j8bOlW#bIcAt+lW(gtj8Zsv|BBZ@;U%c@;`SRYtb zWrM2I5fPnmO5#vpV=6f@Be{%fRSxFbbX<&o>Y(-TL><;+!_rhPcqto&I~m{;@8V3> z{h~vUd7GEgn8JF`deGnzc01fdS}w9i<#ZgWwDTLI%d3jxo=mw%uo46}o_hqHCVjR& 
zDchGLPO@EmtEy<~cz2jaSOI!P6$u7@?b>2y0iqti}rxm8fN!at*Yn{=`RzTxca~@ zg4(=OiEzoFuIE;QW=4Ka#bE(TJ?5<`3QKR9;F1#&*FKK+o^B@XU%^8)DMvrhls5Z{#MznM1d#z)Ppa-mse-$}~ zk=Vr>`P&r>?)dWl?c|Amj!6^qQ)D-{WK;1@PRJNs-0%^PJ3M96v>6@lIQWr5 zX7b9-HkJF5ZA-SXbz`}&tmW2?9oP?|v1@IGpJVe6K2)Rb9$nYgaZtF{{_b-Ft8@69 zW7xF1p*Q}Mf9YqZx^``dj>W5FwRn$W-_MfmhM)I7&kbG%@1nu3^t&PBC!>}fJ^rle z-z<7Jcc+^8hPc1Bc^=qhn8dFQEiqWV3)A(=RyOOxC(DyjWWt5xo)s%;+UVfZX*s8g zD6k6#N3_N6&4KSAxz7J1{GBRzn{%^EUmz=;eb_Bk(ck(VhWp)iYTF&!86kOIW5X65 zW(GEYoAq!?b`=T@p5DpHRo6_SpOex@Iv6h2Z!X`fGSfAk=42!Y#?CV7LJks-Ids-b$T<28>y z)FyN7xpOX#3a=Ifk&X@#Cp}3!oTJka*9||g-gX}r8j5FSxf)8j%Q4jxcm17iRd}#v zY4=fr8?ie%xrO`dZ3YjrU;$^dYH?FpOCw@QJWC|Rvevn+hXmQ9{d-BwCi|-kc5r_u z<{*v*ru1_@A%sbxawN?9mA9*ALYg2Kgb;3#bD#1YHCP>~_YaeyWrgGm5E}p3_wYwV z*1{lm$T9hulH5GP`RDo!p$JZBz)+ANugK|`l8_ke;X=ii$fhA|z$9s9>>nBUQG<2~ zlBmH}5Xw~bNAeD>ldF&Ykv2ig{T_?_+=E6|ci`UcZ*U{c>;~YV`YAH_M1sPEbt=zM zA|4a@-$lq;k%r6F)9$B(@G+NQKf8phe7OI(O*tkO9sev=_l|kmHoe_OjHzDC2*(@hyQgSJ~XzpT(o@lL+kEX zlZX;vY(acSIQlaY9D+vQVyJI!_Q2xkh=9tEy*OGp+HL>Pf|}jTpMY_luN{O^0E`E; z4>+$Sk_5blh{!cT35aq*27riMXXL*t2#f`_*Dk--i)ST8ITEl>Baa;Apvw3#IcYH9egN8Adxhq0 z;=z!ofTV$%SbQJ|j7n?vDo%si1YRD3tZ+F*_07!?sWDZm5b@P7ZEfDGQ&Z*uoUWy1 zae4i-A5ZYMK7I+1WDpR6<5FNr^3c5GW@pEvBlPxI8YRpx2G~P!vD1SGqT=F=cz)uq zaI9t)7C>UePcAAlGU24;fx|*VLT84mMQQNRaNa6LhL7X9L?@pNlI1>*)I`AR&<8v+ zdl27X6C7y+@_8gPaQNxdrvNNSCTUs8`NekGOB%UXU$o+&zL7}3i2AcB*IyzpbpxPywcYxsgXEk$B zSIw4$dJjfwhGIp=&jPgG65m-AeR$v$Ed#F}8~7kWxpa7?2hqbMywS?pxD-Z^cbL8wT*V2<%!)6!JvyOZOT zc`s7Jmgek2vv^bD^_tjbHQks=v5+Sj8Gg-=rC)qF!~wV)mGJ|CRX4bOb9HX}e9;cY zEO)2E^vWw+?}{;e;o5zN>&YpD%A`DFXXh{O5+Bc&HakT3_6{ia=(})a&Qvw_w{%;) zHd%IX^`L3R!Eqv_X?^Fmy=q}+*C9bV+#(}`k2AdHiod>jI4h|b~ z6HX;D@(|9VH+%^WjvI3S8)3E5uM|VsGg%vFaENGdDR8`?LU1eFe}6dU<&~v{S-(@G zj&Wb%CSRDJ=NAxI*>X$km}aT#uyu9Cgtr55it*b6UEc}$4Yy){xsirwfu>t|j#tX! 
zKE7B|;*C-nMD5BW&Edl(SOx9w5xa;zBW(c%y8!*JzFe*Fa@%^nvZx>XAiY;PsS5wjW4X0x%EyFwnE- z`C|noB{M!oD4W7Suy~T!Y=HJt|CO0*7ybc}-lswlj3hlfGC~{KsW4UG5e1U4K z!n5%p*{9ELi1D)W+nYTFkFR$ty}qnPM*0=Rnes#qkq!(EoyY*a?MC5Dps#pHRSw~1 zri(W8wq3$>-I*Za&s^W5l_x%ai1dX-|BJJwei%(&slE{^q(`Cuv;-B|Y4VsU13~ZK z6<-{!b|T@)$Co819=;cplCm=H(GzlT#k+A9w%0e#PLwU7|NxanvU=8>T$$MpFW)|YXyXe1!s9l zs3pJOfTyqw8Rs}TIHbI5OWz?0d=(hk`H4|=aXx^179f;%b{b>=z@4CBY2jf0a<}`^ zCjSNv<+mg}t%H_d?)HB9^3haiB8{Q#xMrqS*N1tLXH2b7#ghzbEduZhgd(g5%TFDQ z93xn5K_TWvaIh74x34wtz^sId9*LGoh4?q1l0fyy8(O85l+3r-6!Oav?3-IF zllKnx;aaf{oC+73O&;p)wH0&5yOA$K7i@7$n6b-Wt874vt)-qij;WLs1;fXVbW@TokTzw6?Jay4xE{F@#Au%WC7g_!I@dAJJ zSWCvPFybZ1a48a`|NBFOerDgN9ghOC!7&_q1p;C4CByh&T{t+Ki1)(5IfryTju+Lx z{$yw&To#qSpj|L8Md>B005=<|lVTmlb{sU8S&1u;vLhw~4{sx0>pwmaP`84#X@qhJ zAiC7lo~jJR#5CQqD|zm?s&uCy){#V}@~305=Zym3UwajlM+Px6N4p}-`|sb~7pB7f zIF=W4qwcr!TnmzKndhy4F|%Jr#l;t_kN?Hi8K0ZOQ6C8D)5-D^qyH#gFFid zhqcX39o)<-S~`}gyw__0pAFGp$^<`MaPP~QHuKK>Tu~Sle#Zpwq5a{am62gmnS|;l zW=oFvz3zS-(G8$Ghxu!$!qfWvp-;VL=H@)}S1v#=#M+$3trS3(2*U$M6QDAvX63Cd zV1<;r#lgD)*#FKCp!+p3VN;^loo;(JzC|0; zy0~uHqS=E=s0og=o+|;Doanzz?%&qfV3n-Px8o6o`TsV;|A&1p8f>Q5URijOh5_5f Nfg^Z@EIC7;{{y)%L+=0p 
diff --git a/fast/stages/3-gcve/diagram-3.png b/fast/stages/3-gcve/diagram-3.png deleted file mode 100644 index 599c2e10c0d33850c66bea7a7b943d9367c7f42e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 50554 zcmeFZbyO7I+6JmfH_|OAf;7@n11Km+NlJ&pNOy-LB~nTVg22$--O?a6bc1wv_uZ(! zbIy0}x9+-Y-TTj7>-rDFFtPW$-*}$qeYXLM^3ph%6qvVe-NJeC{OPM(x9(={QFP@64IO}fI9xG6-HkO@U5>$(A$W&)XI;QGuvcxI49{Vd~@0*I& zE_Z!j_$FxgePEQEW;v*#Rd5cSkL*tCdkoZA{SUXpU-poDH!QpfS0=2YB*b=e5_7~; zwlK|_ipHIcvg}q7IUH18%v#IJ{*<15-6>4xgD-(j_mu1UnI;7N_b;!hFnRtw`w#+q z`1{Yz$V`ae4}79;p~T$0!3UoZ4k7&gzz~TD`ul;z%lAlfzdz$6h9Vr}_h)e3{{KJh z|GPG`c)UGbJ8<{rbU#0HzP_p*OxVD}Ea~`rx^I9BJodJe8_k(^q)qpe&(F@< z+S&$m-%K7>3D)0PNWOubk(8G~kq0kj^$mgbAWtUTwJ9oU9BTb*CHbPWY9qhF) z+CMUHyl5t93zwxwVDu`(SNmVxm@gU^CFXe{CCm|fzt%(%#&BHf48r_sf?rg@uK_NV%_q zmzGGSgo6VDWHYke*i0Rd4~R%2;Y9|mVf{trIyy=B9dtY-H;S91M^DD9M#%nTC0V3D zE7x_94L&h}whqzCOdm+Pl&)$-Pk*p6ZEUARsdczr!@KYYy@eqJxHnj1&O^i-Kmgkt1rx2e;iQ(l$)5T)>tR?QH9 z{5x!g6VT$#guDN3qH~E^^ycBcIMG-mEHYz@S&Mx-96Kzd{5_ zu;>oeSayZkOwG`&ISrX&?Ec2esK#LUEU3a`ofG6C>1N$*<=V1*sEz z@<&qC&8Q@YylN9gDHHk7OR6#rPIfpXDb<2SFurAEk>TvnoNS3nYjaRmg<<32`TL04 zhEef2K7OaL!SZ zRfyN4d96nIIs>Dtf6=yNNzZAJJ@Ha!T2wN&P8sFY)X%SkkZ^6-II=A`F;^@|tWxyQ zblJY4Ud|C2I@F}uJzCxHA@iq~9OBU(rqX^bKe2J}{6%q{Y(Rjk$SytAWT$+f|@!IlT!1% zoU6BXAaX__%Hz;dal}MYEYl%tw%NYnTJ<$iNw>6z@Jo@s-7y;re`Bv-9~cq6p`k6( zco&P;l;bCxh%#R9dUM68T0z~<$u0w#L+&ezNv|?>Q%q=t*ABAEwj^2VpP?Vj8ud(x zh*Td@%gcKhM5pvYwezZ{?Hzi1y0w@Pcf7qN;2xJW@lV`r^!0ymcJ8OB9Q{uJUy(s2 zFyu$N%#w6lu3Sp6G#x>9knPRSpHws}dD~qjPb%a-^vK1dN|X}#)HC6`aV$KwBFUcd z-~_3$goSj9Evi=P>()OJam(YXE2vtF!-G9)rA+Ka%}b}-*=D+#QqnDi zD==8YrGKce=xG5((ueSUaw|PAI)sGBZSpmnYkU{1STeX& zvxGNr=MBb9@pHV7m^Zah&0eyvSn{7RUD*qFmzy@TkdGS{ldRoNbiLFmRnMw&QWS}g z5vZ{^+-XQ?yK6Ma!6GGj;qQ4d^08?vAgjj7!YSSEYB_VSUcvF1!qMBhY^U!%mwIW; zUMpLxJ1+*@x6|rK(jQs$FN~P=N@ZPp+BFca9N5M9RV9jOp{aXupCPn#v_#^=IOp7* z2aod{8-!MWbw7Hy>K{Vmk2x|lqObx}6~n|5b6JuQHz>r1M#?PCuX_!yzFF)vMc*AA 
z)v)g>j&s8!CXV`1?6e`e!+IrXOhrwNgN{92=q83-wf43fc3)ncF7zA?b>{q6)hji^}{Fb!puYn2o!Q0=~jzp&v zzCm59q-js_EG`YKFU9Pq*oH4HoVWR=w3ek*$G=oL<%dedr0-vce*19k_GH^Dmi^kb zi2vC!Y8CEg3sm5sS-%x2F4TRW^gP{4K~IG z^k$@UP4x9SdD-R%D`gqw6Y8x`#~Gq16-}g<2Mj{*S65Yw)%hAFm6lE|#$*q46pvU< zOT{(eGIG9ic1G5&b~$h7GKpHxi^`j}wyQthXODy6;o-Fj%L+JN98}7x=g(AmU+YxZ zTWpK_`v%@XMm!2&ntk6oH;lzBD$W@4G<<}up&dG%K9pQMXye`!onBdlp z7NVfwbe%C`WqzrnlS$rRU;LUoPnEZR-SaGO_d=zqqvPm2TryI#bSt&fh;V$#a&sS( zCj+OWPxukSyuaSA%Be)Gkb$K-S>xh)c~zD>>)e;0=SM5a?{~wHx*^w%4up^o>y#7& z{oDypg>kS#U%r&db5Wfb8NrjYf$q&_e)zmqsS)*ffahhem6^X3?^vnkHjkWv zcV0t}r-l1Bzi1UMYo=49HTY{wwjnCCBFdi?+1 z%fFC9^Rp1w{O+abey`glNXBhuB}8Atd|BVnVOf+TsK7pdZex~|e8e{l-D#3XFEr{B zZczfOb%C|!#{Pc#x#)(mt~oGD7UzJ;U%Z~gdseVttbks~*d?5P^K!7cr)CER%O(l< zh6>Rx^2s30?ICrG&EGAO`0PH~T{8+$r>a3(@6Fa+K$_2a+4cK5k(&?@)q?xC@&pY@ z<$l@9|6=ow+PFo^)f$|{7htKBcC3;v<%}pR#;j>hwU`F3)vK&cHA;0OHRBXCf0}Q2 zLUcZ(PmJT|ZqBR*(s|&W0@1Q#LIl0M`Ey-s2(W+qNzmQjOCM*Kgc-k~7ZEtvVWaZF z7i#UYqxgLY6L0@{2iQt;2-p61DX_2w6wRgH3L>Z(z_eci4t^n;Mn-e3QKitR!}6}~ zI*q3bynNDa?${h(^VvpS)0CbDMf|XqEv)e%?Zb-tqp-#n$YOiUgY7v)w-T;Mmgnjl z!;!yBxmhU$R<@)FC;#>wFGRs$sl{)UO5M&qzUJkRAH&e}PvxaynMQ>5g6Yqt7&2O= z85m}et@yE7%zrA1=FyPenY!=c*Vq?&N7CrNq8FFBaG<`k`%`Qmb;iafP zWZhOQ+$y-NUR88!?Fw8y*W?w%osG8jI1{{i@d9D?sdL@g+^bFq(Yp8b) zpt>2^fBeEJg+Yy)^?vqVq%?m{(ON?u|B+4OY%sZ1z1M4Z0H3^%DDT|Lj37SFd9CJ;c@9FPa{- zco}?8$Ff&On#_$BlvoL5g7?r;XEkdNAM(F3(pR{s9N&`ihNSZo!||u7)DFAuAu@s_ zx|j~m-2J4D?dYf|y0=2as`=*ht)F3|xH8zy~W6fkm*3rDy(9C&6a*BXyq{CFSq6V=s?SBc@Qe3>r;< z%v91Y5K_IjFxey54=Wpmfa#{oayz zdPdTsFT~w^SKvX{o=4d$*hp+u%34%lbx&JOB5o=WNO-87m?a9X%183FNFz1%wc7^4 z0u!o!eQ?8`-<#>)zgXin8(ye$H4EHR?Ln-i2v-_ z7n``n(1TwmM4;e&oZ@_(XZyUWig$d~x<9hl(`gUHp4)tHEwn2%=S7&jmLvPyDJ??J zU&YsKZ{FU3NmeF=XXrfqDQ=sB#n{>W(1b2Ab#g!@M_jLN)taN#df6st{CQ~n)@UVK z(}>7cRCzY1tfESPZ~ex2p&h^dPYt+U1TT%9s9ooP)qI+qKeYl8?@{uOk~uT7@p|Zl zqVAZW=T+AFc&Qm3PhDbP*qATGNSt5T-D~oS(0F&pEk$c(V1XsiiLQc@&zwkswo}ue zW6HYCROm@Uizx)YZ#rYxr#M?+vKsBj#d*tAXlD4I1#KIqm{8ZEcal!0k!AyS|v?5;|zJ2Cvn2Ydy 
zC5{skJavwn^f1JrgT4l-$)@>h8MXmgTa!|Hco-%LD3U;DpvMAb=f>636_>DhgdL`; z4iVG>TT5(O?jMrrmG@?!>;!#GnM72Ot`Fz?zmc?r7w<$yBt5Cf&yMnXV@pG&iGDEe z)AeiR4YKm=%-PsfQ^K>kV z!z9i5SzE{45(0%jVg}D&XN5%Y9o>IK<5eKV=sP*%>Uf*esW#5 z`g_ass6iu=jTpv&vD>q|>-^>~IjkD%S|3bu7|tb_(Y|bAKdwfKe6<32nar zQj#=eH0Tu<2hs=ulFs;J`=h;J97_I85NNs2(upO0Ic^KRKjUPM5bn$qShMd(Xi+?2 zAb=KzDT+i0%dsI;>y|l~n+gk-G!&X_u_({vzt`Hg9Oh;0a6Yz~P!MV^5G>S$k>DK? zWMrx93mg%Y1uzLNSW^jUVjCSBB*)dSVcsTYAp5b^neD-H^zZ}qZJ1xZ+N#hKBeVGv z*tvvDOPO!3UvmoUMk6dW(50}O%XMkbVX|_zzVKVBsw)iF?Q6(wsyjOllTL|giSwnF zzTWir5Z11Am#Syy{1tUg0RtLTTL_S@+o)pz?q9Tmym6{$ zdAO}Q0zQzykam!9AU#OQVQ^)J?kX{O+p>y;Dc5@`5SpLZ39;@YQ-t$bOk)Qqa9BM? zKWMlgqI!0f^90tz?B69GiIA`vxMlyE9?^*I+b<69W2LG}G9og@*Dl~CuPLA*ycmomdDom`a<_BydQ5h z-iArZVe1cI!0MbY`5bY&hyz}5w0;P~H069$T{Y$G@t8%6iB_&On&4950&qHxTcsuZHSz}V9OW}Is z%_;{Ijv0Zum6~WsGPTA@&y<_j)mu_~8C|&2$I_PmLd6TWU=#{RU$4NEs3hKx)hUf8 z&88?6<@h0ty@rJ1ELgh7tVAmr5f={YBlE_R{0`^6mHE>Ti0j4+4CY}?ZTh{V?`4oF zs`09qn#W`jHs&v>p7|cuMw4oh@#|wPgKv-y5lnzt8`b~PMMnz0-+emyHir_Ia&lzW zQbt&xL?OZ^+-T)a@R5y5L>V@Z#K!wC~ z@%2fpTj9WZ*BaE}o3DtQEP)Y$-b7B!Ca&~?^IeH|B*(~ccgx!1p#7)vNL9y>z%iC5 zQnQm)ZQ(=IJB^>CRXS|553boSl7Xv>Zi~>gg6MWU+&jhzKEnNke@;Y6GHssmzSggr zU>n|EGhUwbpfrVsL0locFtdg9oaA9{$?OY5$4E~zG-<{_v>&4Z$26i1^tPf~Hj}a9 zrO#&KeF=C8HoBQTNO32p^`&wWM>|!|#Iz?5v063+1hPqTI4Roh?&dSSquB$c!6B$V zh3SLQt>Sq-1NZjV%zuDV`CaEJqtpFcO{^|bMCc_!y-YVfDL_TBWgj3+f;%@^5jmyn z!yxy#4z4bgB{+Vhnbv!v#)1G|-nyuE7oEqlH>h)yqu+a8IohR=ZWse4rm&NV0Ll#r z|05Ejm6Z~S_Eek7O9tlBUsct;I`xW8+>qIO51ObKQRr%|$O}0eb!!%!6X z2rTH!2I)uzKsx_dR?GsLuSQYeJMd7(-!LH@$uW8E6RtKS`Xkleg+sW(?-a5*Vm z_}i->*?&=3ToL!+DVg_3-J@?K{)fHxfRJlu@0<~EYWr?|sP?OK;Xj;M&E;-3mgE4@v7D=M^+2KZU<_m%{ih@mM5-h3#=E!{3UYH#;UmWW%&oVh@Wh zUl^(>s=QJ%5|b&)7J3z^$GD&-@=2}*DlcaOaTfLqj74o`bt$#Fq-hh8V-s*%Tw+9_ zz!60c4CrQhCPXIn;`O@qXt8})q*C9jF~KX=?8%+%60)AW;h~22dKw#ywC{|l`OHUG zh>5=FjX0dm4T+rNk&nEd{nvr=QGf$Y;CO)e>4x?Bt>lgUWNn-KTmU?-KH8c&8VHH2 zK5k5$qV>6`xJMedUK+DP+GqI{eWrxyJqa4-8hCejm1`Cw@ z782gkxA&)yFjy@qCY^TB$7h^Yn1snbZ8-031aOlo3344T#_*cm-Om!aY$~8w&abi@ 
zJG;N2)o%=Wij>w^!}VSBRp@I_PZ%83oS6_yk}y8<-}#FjWxVLOEmh&fb*=K1*3!+!6#@y>*mi6dUnCaIQP|7>S(8DZ5fGjDs{&@0kfIh!^#5XyY+7wr2iFFe+3?M;Mwjk ziJ=%bl*T~<_7xck$B3lq9G3~^vJ%3k;w$Yh0Ry8o7IUORs#WxQ#w^qdpU>014M3+SQEZIP6fUEv!xiQRxsA=f zj~C^5m)F!K6Q2bjF{x~ls%P;uW+Qps*&fve;vnpQ2U#Ly0(!HwE+VL5lp>sgKu17g zUe_7LPx2*Q4*rU_G*ydAU)=o%4-Y+`4^|zn-&fxAj(=!1TF`ghQT%IV0l+(Qr&)x@ zgw-W#mvd7SDUJl3&`!_r2MZHD{iEX_1k!z-+E!;nrS?tn&SRd zn9?1#B%Xs>BTO%7HItZ}bdFZc`Jag`38KYE1eFp^!z}6Y_n`X^PX$NrxikmJspr+( zC@UzB47{D)GTxAR=_O+Nj5beZ9&= zAfRmmO85yIqt10AyT&3#W`?k7ci}Z~AH%N)d&WUYjey5wG90#Ai1y}7nOR>dlWOnj zIZ>)>%qr0%FcoY9Zv@K)6xTw}&zhJesX&NYFv^0kxCh7Cs^9PQ+l%{s#uh6ng%4hI zW#9Oxj{tCdKz-sLydfVk_$n-etoauzs)a!CoQ%mye=b}?$Dr!$sMCBYWD2Fg`F|hG zx8AG0ou%$rKR>_SU7J;8l%U{X99&!(SuxOTLsS^p8yX@dQ*>|Zy%)pF!5Eg-G^Jxg zgt1maNQaM~d>5!S?v4Q^N~dm-PB*T>9rXOW{gEslvpj__xBkT4nt2OUf-n4Iq&+ll z{3<2;QJcz=Ev>{0-VA;xGf&*Dk24AV&18*&Sfa@>4@hy2JO?_R=WSCqhxQY32P|7z z?@kayS2il`mbWG==a-k4S5`EXmG9^7x~ZtBAR{9`mlb=Zp;7T}AZ>hHlPe}Rw%TUC zb#``kW?1vFyN8Eftt$gtDL&E4;)|>GtuW&$r>p2i43u$qCd9-09EiY6a`oyBB$4TG zv?$`Hm@A}B2p!S#C6wG8H5_}06Jy#a<6XN1Y|HeeMZSk6)KN|KEKM{upLa@;+|}nU z9b%uBRwsLU3I1hRJpgMFL(V{IrL>B}Yj*DQGS~5CO}-(?puZG{b_W9n%2{Aq)yli~ zy}U2zLaOZ2sV6PJ3vRj#2rq=}YO4_|ql~-i8aeIGwM22~eVXm*>Cq~;3@{*CT38@^ zS)Q88aQ}XCdU_jY%(ri+N1IwF<>GK9K_Q{)qM}!W1Q57Fyf8T#8IzQVurL)B)zjjk zp&<_48i+F4*6^KLslrlsASFcgogM-P2pggImsTujNGM{?nNZHuz zK1MIOaVt>#|LranAaUm7POl;}{Oort4+Nd9Ix`JXT#HaVKx$G&@TEWU|)%U?;wYlr97Rw4K^@ zVbca?n>@8kK1$`#-+8vq`?IG`$*dJKWnhjKrEu zpPA3oHYdNL<6VxcpIdy2#?16rQYbfz;Lht5b%lK_C0d79b2M;I7u||Nh!}2F@OhHU z<*fbIfzqVh3uX<~o3t9JV;)gGzRbnR`DHOyXJ;peUfuVvUs1Vnv9Jh{f=$!q<0QKM@o4@0uFiU4kmSsPbOlKlX(_46sVT0Y zp9%@0z8ezoLL?}+s3=WvdP)jpg-cdi8ZFBptGxU;Svs_}wG|;SjK<=4vSYxrzPRX{ z3SVgS#p2umV?ZTG8)L;f)s9MV@}(J+pt zKq45JyPPmfNWK~PYDB|}bsz-=VO{Chs$Hu@T!_nd$cE4`y17ug%ij$IkgOYuL z6}}6~hd8j-pbX*hNVlznzL>f6t7&zdVp(KO`{^IrG60t)P$)Oc*W(hK-Yx^t{vdG#fMX z2Z#~b;r{-9Q&ZFW+M0aa6Jk=*sIaiPwKYveMSbTikBgJttu4!(FoV}tGj$@a2N}_y 
zQo#}YiH3g~BDES~&vO}&tFpNc&mzMaLuo&t^{yvC%4_=_-VPs-lEp&;(R@5|S8*br zu<<=b=UJPv7JMWXN-Lz#icowLQBOPc;;y}n6rAp7-iShAtHC>L1~hdP*1agKOG36I7lVm9jW;0FY4$0YwM;_K-%RK}e8(W4j zC#RyGUZ}0)xdeQ6AbM?cGZ+-EkdTla{Xr*NTZ!1aFuy0#PoL`NwT05oRM;3nq3vU1 zm4$@_F?Cimq7jnGW@cu6J!8ctZfCG3$$1Nz4u z8vE`%(%7y#}R?!ZDs{r62tO3i|1VE2M{;Z5E7d< zV&XM|)Ama_4@}EmMZ!ayd1GJc_;fQN(g?6ST6`L3@7(bvdG0}?T@`f{ro z3JQM(6B84oTb`_gB*r&Sa%QORKT3bPPnU5BXx{iK@ za0KmWLh-vg6wym1Iu5J@Y&;0iNtnsJCd>_5-S#|>Mc#7XXXqZnKyZAtwawW!{3Ja3 z<=w@H5QdJQ1S@6gy)FEr%ZEspKROrZ1f?gh9|#Xw*hTn*^iBnIxv(xQSSvN@R<)uS zBQH7wsH$^#q|ZUYwS;jRA-pL^6Zg;JhpnN5Z68F()|cLm>OlE52}vxw0k^h@gS?vU z&dtpo$- zst2us-$Dp^g3`^rCFl~6v$7-7u8MwznW(91>Kv5Ni#48<4s?Ewe1v$ndo^d_jY$Zc zL-yiRuw1hW>}$bji@NZiGnAXvd|7O2IcVT?{MACmcU}>}u{s-d>8RfY-+y9l^lb&y|Y_mcB z2n+xICd`sxKcwzS<`DjkY2%wt7Zc()i>KvAapj6QCb{>Acl?(+^xq^(CzzG;rxO^r{%!vM zYo+6Vs5pvn3t#{#QDeZyOcF-fNk~`NhpGddin}mhcD^4zan{KC%PokYlsKSc+)H{F zx>$?SUXdQG+#Xkff|g8{_`g)7e|WNQexdS~>6L8^otf*x{;1CqrBX--{RtY?I~W4&mpn>?NbA>=FYzljN!N3)?tfTqGZ}aEGfa^ST1aIcq zsLZiIUelfsOnOyM`7N4?d?c$heEVZ9cdCi2tE;W;U1@4m{RC=BlC3)y4}svb7?*P+ z$^Ey{|7t9+`Cwpr(~{O#WVwFJWlHc~?at>&m{hV-ri#Fhv9U3Tfd4z(vgkXK&M@Dr zQAEP)p{t@wS=U)Q7Vo~kzPh?PF#Zgp>_|L#*QQA2-??7`R@V31*&iVuCwLfEv&KSz zNh3?J7l$0uBX}a}EyH!4+kfg?TNe};+c`Ts+u9acK!PWj=Oy31koc3${yBdj6?7G0 z+VAT-cE>h<7*AT0TJ`nM!FF|Xi;ay%Lq+AGz(E=R`A41PI5N>@LmBV?tJ|DX2u(aY zm47V?v!rFSq-b{?+htvTE8b$Z>f1&GV?8=PmX#$%tDYaqR`2gmy%XHq)%9HVEjbO1 z=l)V~$sl%Bb@lrCI+&v$G<7hm&oc_$O)Prw?_JV!Ai&VnKQX1*Xh=%=H~imzLwQo1 zCBm2eIKM{Cb+%9%WN?63Qd0x(G)z@H<(CYikD7qZm#EynJ{zf*l9EbEEqcJnSY289 zLbe;8ot+IJ5FmII$m1{nOb|)^4$CwMVf7n9l&XwEvE(c^zHIvP4J=U;9a~gX)U@<; z0E-MflTzyI^^*IDNJtFt05(KI7#VB#1B`b)CMsv-MSrYk2 zSo_~n;plgWf_yJd_A+Xlm>6^SWY>n3r?O^zFeSf)hShXUrQ7iq7Abqzy4*o}g69*v zrI%V-69Bj?Ij{CJ5H)%jWO!Yl&**4tfB*iS696ytJ%tupwR zqa#NiEISeVmCqUOJHHxYVq$9Dj&%o%EvKG*6jHlW{9VY&5`g~A@ly3XZ9$JS9^;4; zsuY*~rEZNEDkoRx+g!=`(DutL)ocLqi!CPj6ciK&FZL6zS&d)F%2vA`GE?by$MBl; z#*27eU6jvwV!{0Cu6LU7XlQ7n3sY0y&c1rtlJ#$ae5K_~-1HIRYlsEL!K4QHecJh8 
zV`G5s>RNjomFkqu<>BjY)8}vHre0iK_>jsShs3}|@mDS`+_|s~JocAxUY2BKVJ6?c zeH#R!;j8D*KbDvCvvPy;jGz*7#QrpiK>W&+j<`Orzph>(3l6?c7rVr`d*m;6aeL_o z@Y&hfac=kZDYdgdpj3FdT-p@inW9lx{dPAs%e*XL!79QSG zq(2KbSM9hNqd_RZVy=bG^W9k=a!g~%N?{mm5C9SLI6G(!rc7#CINKY=AFhR-&)6hVoF%RwP|Fjp%u?rS+^QypfE%KKHubHdH|`i6(f0D-`|G|xEcVaX$!{X0@OWZ;{Auan;2sozabO0veg zr$$M`I(-N`n{nUAv9v6_mxC?Cu2&c2^~~6KslgkqB}h7i3I>V#`gM4Ct?n43n6y?@ zloGQ9NBp;BuDj7&aidLw9gB=ditr#FiR`soty;Mm)U0*|WFqD6@H&D4FAh2)C>=s< zvah1KwmOP0m6I|4rRQ>1>@GL*8KCQ0W#*@ydRO%Et6O8m((YrHmX;vk?C=M`D9?|# zblu$C-2S-Kn$?bMIfD%ibfTiV{S@{tGj$$fS10$iYm$;AN;n>hv&Vh^-pmvZwm` zU=H39`I@C`ErFyNUq64|8B*6vTsYaC*VWZ!s&w9+bDHre2dSfLWqBDbply6^^n6+D zxLlObvf}?$r!jjREmr)3bbKEQq#455nO6weIt8W2aaO zGhno=Lp@f}U<)fUhYDb(#*xuSFz^*QR4~7DzN6>+fGCxoTOqrua4#R65SEY8i>@jg zX-?f==_P>{`DjG`N4HVRs2T}JHa_O+X)~>^n23Y%R_y^6_mSU?NfJC5YEhUFvLEll z)QXgmhglJn+wbZehH|P7V=oT<&JSH(ntTIFn{Qy;A z^XPnhv#!2lEW;_zTa6I`3OsY9jHZmJq3VC*)SL68hnDv zQ;(ey5X$;i4|K=ATD;PZAtLC_7s+xi8yblqc^q%)0Nt!9BPwd7JC^@OS+2N+hUQ;v z(rfsuIe;)p69W11joSpAGg)T`0a%JFu1ki_UI#2Wy zW;~ALy3F=+sIu?=X-fYwW{HdlKWAQN(3O2ke;1CtI}_I%sP>4-9aj<2OiJqb=mB|; zBrIt?J=%kny7-yepoUaM9L&hDF#0$?F+EUjMn{?0bfj|R;G~i-tZuIptfZu*fJ=EI zZb$l~eSHK`Kj83tdU|^1JBgv%RrZf~c!(HEOG^#ezY}|VdwUIhUR0z<$T)ub@esKR z{!Xpt#eBH?I~WZa*$+QvR#u;~p02Ki}bO$h)h^OHm?jFTWZ^)5Fg${s);XQi#q`JDRa>8XBF2Z`ZTnyNBxm7|U1u}(+#D+aBZGsNbN@{x;I*&?)lYO4s!et}RQH>bY z9tsLY&)IyaSiGQJT4v_E!?hvxd|eTjy@j4QAsb_+M~_~YnhpWAj`OTd?23RQ_ztU( z5M|G0sMp0EULa=II;;<`uCCfG_aw%FCWggy4LMrm8v=oA_w&tiC>qw@@p0RWm*3;8 zsjk|*F3?DjoupB)fArN~U%6o(Yy%0KMYx3x^*@FRI$J@xH0-MG)}@%Q*&42G-7;=u zOryb!f0=puloU4rGEeVgN0p~r5!5iNXbZHkCKeqWq_~I(AG@>5^W&D@fW^f{RaI3C zSgUr$ctZhDR;-ma*4LYEZ7hH)$IYFf0b^*ML$b)vFKl9ng={eSte8rw{VkQ|g+?kb;nVz{(N}b~-MHd-!P^JK}=PUT^&uHo^b#--85)xFWhEjZ~s}8+39nG)W zaI1&%WZPSd9hZY#nW&l}D=W~GHXy<;FD-3N*H*75L-^M+Gcra~Nuj|~b|*Wtg@s&H z&oZn;kZ^X#q2A`B1qM@94q_KOO=4HOp>1Ed`kOA5$*@YC&IX+<6C4*+%XucY%$!bT z2~{79aJ|ce1nP-Z0{D|C>F;y+AuTN}zy4}m(PAJ?4vfSD5K94@Q^)` 
z^eVzaL#DU`gTY4o_>Pe^JLCyQhY6wNFws3|QH_P8iV#P~!aYGIQYTi|M^@mQJDMjZv<9D2e}5T-;z|cz0+jU_0D^7QK__QCcyZ3y z%F)pgM6ua$4wp*Wzczi7g}hq949iU!ZX&evNUrKy$^Rl*)prc)(N*Db71r$eDOa$i zz5Yh6lsGNaIV?0(K|_PgFOdkKBCK3>`&lw7s^(PO^v2JhKj-DKckS)WN_s=uT3S@q z)qB_L<4?{G*S~)K8iG3&WAq3#Q2f&BkV#0PH{#2jDZm2|VQTl?IbSlJQQtdMVxE)t z5CCA4%&aFtV!!p`uMBMgY&@7+v3QI!zPtNIvUhHVher}_@Z-*%JNsw*7|3VU+jZW3 zx;4%=y4N@o&@C`B?X)opvsD3Pkb|9_!~;yujNYSR>s_y&ii(KnTF);KyS~`Bih`e` z&H~3!qO}aR3xS?y=huPzs=vEPfFxo^I&DpMlv`g|{yWfaCbEd2zcZ2RMYY~V$@69S z7Ox|_&9)=j%TISDas8pPn#OGZfG3i(RlC(5q-D^*^ zjtRb`>QzmM5Oeqdx^WV|W2i4zkOjEs!5VxAk@+q7h49|OluP6SZl5A|wx@_sOMvNGq^pb>@zT=-Ct>Z7`_Y3h&Db zFpxyH6L@|5n&`scC7j(&6fv+svcLt40oB~_v{waIp57OQUg{q9Lv z{vrl8U`(-q<0$|P01qcUg-31>!H6*rHr%G#YO;*@lAz=3EfFSbD$oWMoBgf{gQ*wy z^4wk1XV8eRQXu6xHBPvC2f2>2EC>kDTS!TdftJ)wRAd z&Cyl(+X#HUEpmdhx|0_7GPaJY73q?Z^ia&ojBjc{=0mI2+2+NDLFxYq=z1`&P9^H+ z+Gw6RP}6$!rw1{{d7ZJJ^Hy6&lW+rT6<=5Xy@7Lst+r*JrThzJlh%ZxRUf zXHcBS87$WrXI{+n9MmMl$F(saoWmqn-kh;umb?R01nr0!u|3l}+;PL zMDP#R?N;*hGxsS?(v6pmE*abxJUtxoNjY;lWLcId-0cUN22x+=S)Ur7GAJ#iF6U8;^NPi!BkyySSP-!mA3 zHlBJHddrvhBB%_ccmTSQ#|H)oogO7AroIB|B_2|6_VU8QLd_MUdb1V$Ry6&ER`QJ` zF}@SwYHp6raMNcLf}jkBrG&hz26(nk```=Z)Fati#B)Hir= zz~i|7Cgi_bpm8SWs$7IhLYaugo-zcaOs!6VKzp}bOE!tmU@Yo9q z3%l!HyTRtTxMk+%=D^&AFME1wDlw2uU%9!RgEFnuKRM~XxA21N5P;krbv(RK&{hJ? 
zITfi{K!PqWEe^7W)Utr0)~O_u9& z2C#o?YwO_PU~kXXxi~gft0eyXc-v^YwN+|G^ec-eO*{sLZz6zOs?s zUp8A)FpkWASU1;nU&HP_Bfw^6#>NkU>>?)Sb(IVOu&yyS@d*F*$~|O?rqAkwp~1nv z^>b?J0Qd|G<$KBCl(y7Kz75i?bANrH?s>F9PC?%1otiOZTBwL#0_HM2L=c80p|5=k z6W``Qpiro^{}vZA2_}jj69SJ`lqeXz#lPC95?Y^~Ez3If;lC0au!e~C_DDh@lD%&{Mz)lhUAB_Fb(=*} z%82AfM#&c0*=62H_DWWS%h)Y*_jSF;`99C%JdWdPQ!~7o z2yMFG%RfZDNbV8Mw1h}x=4cG}pfx}(aL{a4(nT{FUzW;ET5XRPrxy2eee%Nd^7FCx zIGSi#IXO9FW2OZi{M=L6q!o;XuoHDTH}UI);G&bEkr9ie=OuA*dI}1}OekT!=|rJ| zf&wtC?ww2K> zmKg5PjRI+l=yWu4=+xg>jWU)hXQil;5gH!f2x2w|_DOYXjq1n9AxbcDXeppTy-Z9F zV+ZA4;y&%N?dG%ByR#z#Pej?l7ym=F)ZU{ZY{}Tah*FOhH7r-?GlvJ~PG+rn?SaXmJ z5t%mp?3*tyb)*vMbg0PNTW#*^_j6JAlb9R%(C=J9bh9`&SA)2;v@{~O4VuM}UaxNV z4G~m@UXy*DQbfyp{`~#$@Ps~(m+n9b!No7l%Uh}(%~8;SVyU*a_Oa!)Qydqw^76t8 zBX}8Y{>sq}3l6@2<@xjH7}tdg;9SXJCYrNOus421kHq6Vr52Kxm*=0vU`~BwZf!h! zsW%@#!tDP5PL6s>>^$xT+M`Avw!vgbw_4||5*oHbv!KhPC{7yjwI-jzUS|6GDDt|O znUV($fs}mkS zc7loQvTWcuT0~E1W*cA1*+O>#DWaGeIf%0!!^xVlSfNWx!qR^{= z#Jz~~JjRr_1=kS$JR#d_RXWXmx-t8C_{L_Moz9NvDf?Fi@7ONZR4%yf%!>r&jXpHc z{l8Gve|NLZ_WC1{++!DFPtCRruNWRS`Ame~$*A-BX^-B}8q*uifHtSV(I$yCLN~ve zZZ^5BoA6U*Za)>teGjoWg+TE_oA0e%RBLWa_OE4eqQdSh$M5$$&a39xTyU7pL>h^~ zzyGHjo;XE4JF&P`OWvd+(9JPonn5IJYFSF5Z-wgc9w1LPGS)KS!?sLija983bZ>dz zvIhb^DFH}T|4?Q?9RN-D-Gua0hjeQP1mRkoszS3qG=Mv@ORp%nJrFx>(8%|+DB`P5 zk>%6Nsg$Od++Xy+a$T7H)>hY++VX6-C3siweN^4Zvqs!M`+ffHG^b`8wfI(DY7i+F$tI@$Kt&|J!iRPg|^= zg@G15EQ*=9lIph>gi!o^=#HqTD`uVWa?h{-z+LwP(dPTi%hDRLT#$B5T)55urz-+* zs;B#SLa@*!H)@J%HhiNiI+pb#C8K!G+c__DW8d3uH{4I(OemPYCf(}wTwg2Ea4>$o zknO1zM8YHFs5@PQRDb{mZh=(+}-<~qGrg~(?%FRnpjgT9s$_+9}E=0{D8QyC8WxVp#Wow zejIFgH}FSU#oq!X`kzWm3oUe~+~+&}!&Va83wbXXXoY!|-nbBbCya<}WuNmj5Ezj# zyK&oX3-Mbk^UyE&U)D#a*5UdjIZ?f|Xny1N{mCb3$)Cp>?th$*xS~f129dwR3d{kf&6fk5D!5 zmRHZAWp|o zf79_@kEZj5l>4vyF~6G!9zyeBi1texHC=<3$ypTnxa<{^=_Db>SRkZtADJ0eql=|Gst&QNrtfTMiYXBL6Pl~c9$OCjp3g? 
znx|&p1~;f$ch<#gvdA1?&28%lX|-t5+X^9=cw%zfLu>0}ZP3WO^>~qK?RcA$>;hFM z4yVo^JdcW~PjOVm zN_*Ucz`M`+4~7r6$pfA~tc9Tym9MDq*CP6@SGP6jJ?@l+U-@ypw~x;_^p*7c`3oxD z7GK9}(;SmFZ`_IaU=YPD{%Ua{p-%>HwAzsY$9rs1>hbho;Mro|>0kkll=j$_7O%bf zg*PuGJq6bG1}2vqap-#)Ntvjp^hFBZ=IZ5jkxt9Ceq2nFXqFhoH+FX`3%9eOtF2LP zQ%045zKYnAQbFN}HWFeMX{QgE%irbG0!DLvJb6|mFWdQ}kQHO^AEaA1a>{v4V2EfuY!3D{ z3D>lAvh}II%+$>Z$V!8#Pk#80X~pObU4pJ9PlF)0)tZ@J{j0oI#r~*i`vnIYtRm|_ zbfdo^otHRGT)r{<>aqCmqq)Sio9@jrr3)Yn4}y}gR!(u(hRTuSk3GaS>g0T z#?4Tao63D}dp(|JT_W4`!Izb%Ix{r*Yx`0@3X?V`5hPKY)qd6{V~KRD0JU?wJB|5& z3Vh6Y90jX}Hvan@jiKq|X!q~Geip}z5+_UhBls)v8n$td*d*AXOxGk0;KU)>3=8mX zoWs1#y=|=_D#0ku!+cB$2ajQtKkjL~>+l5a+t0mIZ>A$}Gf}Xe)uuGu#k6v^$soH8 zHI1u^(k9EEW@;UD4;1xO?O_)o6Doq}Dd}1@AD&5rw2P$k8VnuTqPKL^!$5vZ#m~X! zmL@jhcnzCG+Q)^IhNOL;Xn!;INFM67*OxlScLA4uuvF^g#v-LDyD$BU%|wNScjQhdXv29Nbw9GN>^S zAhWXaTLK-J)uPzuaM|3j>l$Mb?IlaOzZA4(1Icl56^QYbJEC1;v%WE&yC7yg3p93? z`QnN}M_CbfkDp#SrMYj6E8ZlGR(RCBDKAgJ@$P+$G_qAjU#R&8z(#@=q%L7N38^iQ zkql%6Yj4Pj)@G!el2}o~9@uLdu&08syImkof}FMz;D{f<_yVE6d>_~F7(ua@JVJeo zJ>!(kqt2><^EHMaR_A!nuI{7a5F`FwTl9>3)pV@&6=_zc!<_XctRHAQ+PR z=#QW4kZXU8Oq4i>d1h)sh@!6S?+v#D4B#Aw>N<2$7{nT$ASop+P}Db0UO_mHV(;|; z&i)C8O=>i;t~=D z1VK21Dy#2s6D%BAQTt~Zw9q?>8Dk{s+UL1ig9GDMW|{;;V08I`iF4)374se`DJdX> z2UAK&NU(@HeE?QdQxgX?nIaZ`{Lp+MT9BWAZ*FB}C4z>p@cLC9oxQz1B0|DkLsZ64KRHf{1rD&5DQvho*w{{# zw`D+K099WE!Lw(vu@;C$z@bedHPBHkGR$;zueYwDM}~*FxVX-t;IDw}-?6o|y?tA; zla`kDz3bdnIk~#=@iSHh#f621@7~3%Cms^z?k;?V_EUVLq5gLHt$S5;aqmb#YX9ol z=YoN+O`CZ}p@pq>32(l}HMcA)O0V!*`)9qHa+FhYj9yzD?RjRXM=c=NrQ#wgFIZ<^L0~WT(6^|7P#H}SsD)2Zd|E(E48&3$(DaLm zISm7N{;i@WmS48{V<@wWz!l2AjGdhwc9i0fe4cq*G*UuTR8(Bt1o+}G#_a6uTwH{w zHIk*77#N1Wd~yHw@d?ZXvLPt2_)aRRc>aaAi}Ujl>G7i#W5PMb{Mm)=8{-o?)}1Wk zb{?O4iwf=Q_DVXtCNni8M46?F54!wBDxXM*Gs^fhEw-c!_&B(ybK;=SNrHFaQ>De> z_paaa9ZglmC3iwAdI&1yHD)xJC7jLj1?InQ=>U<%t!&|5y0ZY<242-P{0U-D?3w9B zv#l&}YW;j3$Nc$YBzJmgX4Cl;&{hP+QL(%eAKTk| zXK~7Nb4i(rwPSJ0-@m7ww~#YMPfkwqKY8(DVR|~WV*<*mr%!_(K*O>&ajeRxue-a@ 
zukTSx3hOmeaMwHQKvxmkU@6W~bS`gtV!(QGKQGGFw5vpa{uDY&a8+Tce@VUzxWsx%&7|3c0BI|NziDH*So zbC)hXjzOYf2LdC~O4`5XF@fM3JtfA21GBj_X04|@PbB!JAevh*w{4c7I4zAW!_RfM z%Us|QyA~bqBZaK-uV3rLDJ$@{gR3lE6$yOwHr7_wi5>I`iUMCu%>Rw|ou;QuGZSm7c_&~>L~ zx3|6LvV#$*rb(bDaq6N(()MAM!C)W!c&9EquV0;^a{l7Krhfe8&5yX>e!qT6v?hW6%-b{l-!HnN{N2GiMx_O74+W#NWA^fSs5KuM^OCqsZK64;8WYG09~!c ziHnNP^1ZtXk$T>n#ioVEk_+YEBc#HB-DG5G6m997_y=`?neeak!K_*zN(C-3!Fc5<&P_lme=7ingbgp6kY!WnJ5B> zpHSEmqxdW@BaUnqEnBl7+}{ZSUA)^8QX5NSc{Q#;728(z_%WDX^ZCmc-GI3Sv4DNa zgY)Xg35sJvaS{rrmy_gAZdx3uf98FrJd?tYGNA6Il0#30;MregJ$*Ih9gT&WWsiLj zj^PE4%E+YGqE6$-;Gd)P(diwWVK{@8Fsg6Gd}lDMo(0*b#ZRc83YLRm1$P03e_!!Y zBq4#I>?uN4lrAB`8V#fgcOa(Ola7fAbHPTJJs%9WKZhZ%%`88MnQphk^|r9H@^wy- zll|3^BEM{*$NkS$FOa4+{(eYcGve>1v$C>otLB+hy{QpoWt9z>d(&U;mR-zLguhnP z6^DOO2%<^gDK_kbQP>2Yp^}4zO;i@iL?Afj0^_X~G2WP~`}fgtIO?0%C~Q_?ST0>W znv>r%%!;zY=Z!db_}BzJXa93UidjC8dq9Fg8T{m*Iet54EDCVpnuqKDuGd~VaG|$V zV~AYgq=a)i*R)1jN~)cY(!vn6;X__#Ig=Z~%X~ej%6TR&{?aL%&fp8Q$3o-`jP{)) za1zeoD?p%c{Ejo&)P(0&;yC2~V^GNd`KbaVk#w)nd5nbnVncm@wPiE7la;M%tI@(7 z#8cNsB%Q&x2m&@HRW_x~>uFE{reAOSm^)H2)uF_14lmtPc)aE>! 
zi^Q(iu2I#f-Ty^gJTBEcPB%N5$yhRbPWp_f+@dcP<}*c7fT zHiV78Fge(i009?^qTKJ^ecdxT*OR%e3dz!XoVb|S93Ke*L6<4~>2*ySkfrz1BO)TU zRoi(nflH^cTgw&i_aX@2BH5#5g|!QDT_x$=NYiadJB@51?ob5ay(k1a1y{m zMjb6=A1-)4$hLBSBt`3`Ikdqp3xm~Wak$#BPX&A2m87`wk1g2D^DIHZ@Kv=OesLwn zOr7hM99Qv%oF)A3|LhrJ^XO8>*02sFWdmOANB+ped5||*58zt{hT66&q;0u1&vugJ zK!ar}RbF1c=5ceP=CAYj{@tyY8fqLLa*M;$SOl4Ui&unYqJf?hc87@gZ&(_R82Ko| zU=Jzs8DV_IN45~^up2=fLKJrB4P4;OgM12zOm?t|{{Qzi(tcMdu}8Y>?+6az0Fq*h zzwd(G;{T4{3#5dY*wpul$;q^u&#kSh0k46ywtsa|H8{I&0dY~(f(YV?MKh}4PRxINQk~;(^ zf%W&Z9HpW#eqSP1o?`yK(?iCd!yC1qauxl(uFrPZ;Tmo^Ep$!?X28Z8CnqW%zaRN~)niK^C=#y|9~OVhej}f;0|<|d{P$^G z98M+c{{KBp?kx7VewU+vJPaGPO)WXY@0~$z{SJ|{E9~Cl*1n<*_rq4ohp%?@;Bc*M z7 zmYdMPz(D>C&?K+0Lk<+jYb@@$JifM8Y@*<})!iNKPjC`v`_ofShw`#AFOUrMzxT(L zoa|ov{P|g}%O_CrY==t<3v;LgX9;Rum7@42#a9M+B^UT^oc`Y>1qVi$vvH9x_Vr+O zU|&u|=o}^im}Q=z7Yl&`9115@4UMMaL!p)Eewa0!P!gP+Vc9$>e3-}M@OFPGDS5cN z4-O36x_OgP)ajTJ*w7ajzW`-L5A?4$*Vk`Zzy3-34V(sgQ%10rIL6w_3Ucw2y`Z=m zUwr!rIH{m-E`}48h2cMKMbm z8X6|NeEFzKNkO4N{L&q@;Ly;;u^N`MqhG$@J>|V{L3UzwrW3en1uB}FQBhH3-xvZ$ zIHNS_{*5ffE8OC5=^^^8bmIISe;@!lx}umF8G}ovr>9rInE(h`&^lL5>-jq0mseB= z@`F@=AoT|X)Fd$*8ymmnkl-dBA6O_n#esqLqyrJO@L^;d+`qeicrejJpTsEdHPFZa zK+1L$As1PJm0LWL^V~TzwoA^lqS?@kkCLhz9Iz_bgXu$74|HE={h#foURqFO@~jm9 z?{EW=D>#xDqpGU9tmnz8NBW?+pn!mcq<6OX7ib*bR=$2sU`NFH^5x5pUP}v$z+Rvc zaO}Rz$x$!Ye@-B%d$Z`VSyoQ9?}=Hy7NEl#Bz1IXyzRzdK3Ju!EZlg14g=W&G+;|g zO0q)J0k45|7ccF(jNZ3e=UdQyq>sjBdh~DH(e-DLm@2p0!UkZ7>e%qhD}O2Df_WN| zAU-iMwxD{ZSF;S;6V~6-{CtnEB6^)$b=LI6#aaT8v#;&%?WE@s0B5H_`0+RWG$dM2 zSGPZo2uO3kS=r`Q%PY^GQI!zt4<-E)gt>##0(&YHkN0p2$^L!N{Eh-uagBhGxG#+| z(bF3OFIY=!d~vbbZC>|^qB=JQUPM?}7_=UNJ0P$}-Y;tv5G2H*&+Z=>fMtoL3|+vX z4}pa>SbE14&=kU-rQ=!Xnwn%s^Xo?l;aA!V7zUjGEEshXf?{e>K`JlUi$<;xU39Nq zQ&vsM1W}~}{TCvakZ~2&b@R>nal!#((frhFS4~X=zJI<@!Uw7|cV2_?dc4`WxmvF1 z45(%j{kpW?2#AV)TqH!GKQH`5`a;?K-fw5)V!6H8%IfOC_iP0?W!QxO-F}A47Bhba zZEWlhKs0>*n0TJs+ST>iK}Lr?nAYC_=3c|@F7TtT{|i)NV|hF4vhDwE{;=R7e;hLJ zVVriu6B*m>0$x>zv#2k_$PDE;^RV-vQ-@wP2?wR-RFUF>KVY#}OO 
znG?a5H>H_G#Z6)3=n|#n5^-5zJ7n5K9@5N~JC>P8;XI!awaAi~>F{CgQG2UI(3PWD z0(n&wcExqjqF#C@%Los*%TRsQQLJ#m<>bgwMt2QQvPtbGEBUr4dpz2GEx-X)QF&z2 zdTOOY+j&fkF{QG?j3~IARjWDB!eR0Xb=%fUVN^toqB^hj)I(bpeGU|dXxmwgrIgr- zy&B)n=u01Wz7V_N3nut1S54gcNs3;7v6iCfb7ZJZwL7|_rceDU#-3lw=sux^ zwbl99+RDL~;nOD7J(LVVz(atT^6Aqj+#lVvLL3 zY*kfFnDHW7QMg^;;uRU;9S}ySosHbd=xk-6vfV*DE@qa6CP>`QMcdBBWhzGMCm@M_ zXD)|XlBofjTfDh-P>GOX)cRV$1@{Ph`}y&4^oIBB7A}QNYcTX0 zVEbVvKnWb_*E;n>_2cIkRtjmhv&L^Q?cZnA`&O1;eJLo%dlxh2ezA&WXR1T=&0jf) z$cx zN=iyiO@N(U_|as?p23i^76nxDhX}6m@?ErFkhiL?Nl)tSjM~f)u%l7R)LYE#v~*t-jEy9Z zk$LvTh>^?jt0mmhOOD=M4AnhG1aNq>v9bBSCWmNS%dvHp@=0>Csg~A|=(3f3jv4-pp+D+l#u{Xpc-tM+8lmkQ!1#R$; z<$b(JFKxz|fta?pySw|N(z4+cO+ZV3Kkb{yM~_yBT-!Q2czNP`x_Y@VqpxK|HY-?v z+;`<`)N)a3yY9-P-j*92W0N?M?C;pPx{h1^ z%InOIy7i64#Nt3M>^p&g_WK);h8?X7h33QmhLnAP!iqKsVeg0;wLLt%cLPJUriM0>UA!vtI<(RLfW_@Eq;z?B3VqJs7}+(*s+a&eLB(Te`ft zO2oCLai?~Ce7LpM9%L0{%#!_Zet)|I7Gi+#o-gy=x=h*!0@E`gZ&#jjYQ7g}(NBnt z#kLXvB+=8gJ8&YFhBlAS#sbJhKE#HFh4H%=w0I5?;^Tifpy9poVFM0HB0c#}HT$3; zkoJS5nT`P%Vq@iQ^Poao3+RpFzkK=Yw{O9xmxjxNPF^5zwX({HjBE!CG9oP4AyT2?!(FP~^dMoL}>H07-PXTsRiIXx~FA@%r zcrEmh3{T$%?Z1alqyx6NASk3iF#c zLufPm{{lU~mzS8s!z#HZ5EpZDvZI=ogVSjd`nS}~XyurMEBv#rqlZrZ`f~Gmw~)t- zb%Kv)H_|2T)7i6UUm3hEOYdSi{jEJxgrYM2O1qS>aOiX_PJ)ogsG})vkhPWAEQjo2@_L^Hp3Y$Twni?(FP@ZvY;A*Q*KK#b(fb zeKeC-oSZIIQY$T-QvcjAiJq2}&}nHWPLO_|WWpK& z0JUyoW8=}ohi&ccjfteAPg1&QzvM51&^=T0DgUtY_0s?l1 z#xyiF<6>gi&zv@2|P@UgWjqRqAM=ajcMG zx;0C0^N@yCqThO(c86Ko_kLJ7`EmKH*4CVi^zt#TIGqm(^9YIWL&1Qp3La1pU)MU% zfuXHomhuiB0MnSyy}cxO5)M(%Lsr+?W?9M8!FwcgGI)#s>Ty9ULApie1&# zu61w7O>e>(;t3*HgQ6h4(+pUmPLdx81ou-Nhe`?z7WNYFRM+<3uYyE-5_M&UNi8r0 z|L=U|u;2%m&+X~#EqP5VQmLu>YMoza{4}a(efw`H=Ai7+>wFV7_V)GoR}BmZSX7`E zQB!Lm66NL9c=Ip;4jd?U9ne4>1DgTMnM{8Ax>xW!tR{e(W-yr&r|P1rpWC2i$wxd0 zg`{oqVqcOax8@39hPUIK#vSn-gE@khQp=u3M`HoL&b0Rx6-ColcP#O6>F)#^7#P?r zE-W~R3i{GV?z<%nE&Kv;i5Al1fr9qO8Y^6&7CBt;3;DBisl)9yWKmq@H)< zo+J28USHKl7gVtL|3dwsAtoW&t0ZHJ-vgy&iYZ(@)DUYxP`L$ha&&YQlK=R|v5=tS 
z%0DvH6ZJzN@fq8l7IC1jACKYI10#keD|J9huOksvc93|?I&o0V#+)Yc=BU#kQ7uZI zo>^^bEl)3O{oo&35o`%xH2kai>({et_$Ij7v9X0Z(X=}K=?;K}TABXU+TI?6GuYV~ zmE?)HKzN+-r=^7cW`yZgL5g>T#RQ3o@b5i6X>(W@8QT&h*xA#IigXNH5*XIO`%6e1 z^|Gr<*2>yi6|py78x$If_hop&UcMjKev!}rN|$mQFNUKgl8MwH&q%UlalrS<6w0Js zrp&%^5O>>SFp9-`L+UF1wSAe+cld%$VQ}hA<}=3bY96d<(vn;fMMi+D3xC~>N>A;y zisAVhaIi3M+HDa>g}PfRf9mW!SgcqAz0)^D^}giWV^U!)btU zR1v0UxE=Ro05^xLiox)v5&*tJt5J_`G1867cJ0cCPpdn_0(L+8JG~U^1Z;Ttk-yb_a{Hr_T%L$m6 z&%-Wn%fe)Oh6M(v_tEx?k5E(m^6l*e#fqCHP(WmKCAt1wS&0_eTv*^4q!DJMqkFI^ zASluT-TgEG571?*ZfG1O9h=*gK7f;H41V@DvqfC|wRVLS4#5I;wOU9Dwm3I+o&|82 z{XpzJ?NsypR5!%?qiP}sCuRa;4`ld7`+$5CVk%m-{?apb_4V4$z&zeCVE=HH(IKEP zf%H9(#FK@Eg*MX3yNuvjdZL)7f=DSK06u|shP$CSg7l&4!U~x_A2Gv$r3Y<$zJ2AD zy~-0(moj7*3#iCw*_aiJMD7%O5H~D`gdOh#543I@&FgPJ6s3#zZ^%NI&Q*oL|Go(cyS=Wc-1jnnRlmXeG9n(XuTj&Xb6+1T)_@}YiJ#UzR-^4llJa(oAd#$`F&}|%8deGw zO6*QL-S^X^>cvz89;7PnR2girb{zW?u^bo#)pvS=;@4-u$Jsk>NzGu0OOiHbARH#d z@?M$$&uS#YNg{F^HfZ7fQ<0cz#uxcXx{Uu+8w!g_pE}(cTqb{f&|vR{FTc@nr67Mc z0hj)Vg@L%DIUzjW@avRzr)@faiG9gPIx#rpU(wjft9NZR{9rZS4h8hTu?uV9)$h zCpIaUuJ8}@(B!99*y%FZ`o%yz|6*_I$Z*v~073?1i{G{j@RtZFY|4H`2{E7>^w??&1*pgat$__G{05XR;w1HR9+1{mC%y8UU62VQ4vFGmzW3aW~;J4BO z0J~2!sGuELI(IuP6I$=MnLa&(DuE_g4uWF#`XL?;W#yPgg3OAm?#rg?sm5E8rqhAG zT_O2pZQ?Oep|J3bl5H1bHwTmL0v_MaDyyGy{(gOQ*owwxs;MF(fb@^Z;4|HApX#9beG=)H_1>k1C~2ZKftPqTzXT(4ArJ(rpO=(W_TdRcO2w zi89Y+HJbzE}rj#{i!(RB_+BCoaJh*U%#eSRP5yWuX6{9yeJ{$IpVh+wI=?=B1l8Z ztymF$V95l$8_<0UGf+@qT?4`PmbMe41mvoGkb00k3RH*(Qchl8Uf z@0X@r1*3>a|LAAWimf}D<4r+6TJ5(321kU1gn}#qPi{i30w!A^c$r;Xgv`ULG#rxU z(yk|oi4g;BZEeB9!Qi!PAu-G}Pd94?AUb5ZVEf2*;evV1e&qh#^mG%~aFq{DL|{-5 z8KWo?aglVa4{$xfTA01#(11e9Kxbd;DUvK28Sr4!(TduJ6s5`iSqOG&d^1$}c6MBe zA&VcbT|(6Xc`Z}?_GsmU=q<0DyvBwGGy2gJ$@{mst){S3Xiqgey+8H&d*iQgO$w9L zy~5xdN$TtvPK_5IQm$crB`qhD4|c7U9RnbN9t$8#A|WJnc5;eON>WhTo`EzQ>PS=5 zvHbjeu)PY{on*<{0ss}8Q&s?$zPwp;z$BHEm8HBt*$>=-Kyd&W)25U6*Ek)#pbc_9 z04!DW0`~0ND|_ z%+%DaY|7cJtn+(zhg2Kl2Uz1xZj5LD67lig>|J6Al5;Fq)Kvq>pSG-=Ki|T6=C79$ z{++oam7G!YkrmcSybNtAY3?V_vGrwn|s2 
z-kN6EC9|~Z#Ct_I4~awm#RIUffa0ZjY<~mm@<;Xc{9;#{65#s%myMEO(7G6Wh%NsN zBM*^$k+F}~zg6B*pSRaYp=~o$YN~U3u>1Nc0=1zwJ|_I-@lc-P6nx?!tE?uTPk58w zS<3wC=&-2(=VJA=I!5jN`}byVSJ&3mR8&B(E(LIVjs`m2{8XU@P#k78AlLbZw`d`T z0AnuOEAr-g%{LcDDmKBzNKd*R5&&Om=guJ`3XA)N!!OD2zdJXuO%Sdg)ygXpzwl<` zMQPFsl?VxK0G@c3(?nQBsIk{j5Z%(}viIS*yr-E|i-?*CU9Vq{QS^ujsi^STR05Ro zr-Q1V)i9wZ)@A}tYINVzsLw5#%%Ss&P-W?13xvHuP&~^J7 z>PRLBQE=gKa?&b~J%LDyi}TPqN!$xgI8Z~ZE-&jF7`)ETE@DLOe`RMRG`iU&&Np!i zf9*-8K;y*-mk4^^2-O7-4fQjaSR7KCc z57_QW=HljNjR@FZO=h5{Z$KF9>*K5DzJ4t$(||W&4V{{U6~2QNNH%#I&0p?cX91c9 z@gJ?}Y3M*a0YE&%cMpKuK+R;T?+FS7@C|vMCh>=!&?~&fj>k7~kHQ>b6_lV0-^nQO zMM>|vTCG;iCHqpaplU~(vo!#cu@dTw#;clPC)^e z8@&47gLB7rR8o>LI93}N&`HuxfiDnLrLNA-Z*p=P9c*ncBp!qAx`Q0cnjkD$5Cpmk z>wcY?5dpU;g8QD}jeSi3_(KN*l=F~S8A4~~Z(8sXO)j!I6=!>QYZba|z}ma|p!yNg z)nOfHdu^`gF)fA7WDy>GdqJPe)|ki9X!}xis6T2)|EGf3$m)cCy0% zgs6l>+BdMC1AxNeg36gIS8uJZD1fy7`G<#%L~9FmD)T#2-Cxqb#-=AMrWeeeR#t7@ znVNs#5>Vy%A%z{a$Y5OkR5D8Z#=fWJcOwx;bxQaIZ+A2p9>rcXB4rZ4W@_5W$8i(7 zIk@LA*@`?E#2-9@-!UCd(fM0!_-hM+97XQrslJzOHjp14{+I+^edGNBOzKu{%2Wwi zYgFO1$k-&4A;s*=C#Or_caBmI79-T(Qp1t(e`gl_n`gydz|`w-SJSQfFl!uiOj6G8 zH8~P?FE9#iX1HvPU)9!kYwvCWT6&fbha}?_UnhW`C&@( zceeHl$ysHvyOVUm&!;*`&_l*=Kdho>oAgJF!qRf9F*NJV8=!@MRlP|3pD9g{L#Xq|yPdK*PUr^oi)+5xAjPyr7>`x#?&X-~ z+U`d#me2U@3(&n&9jWJL4Iz^8cb&bHtB!k`=b=X4L$#br2E)Z|!E{GenmTJZ`Olm= z13plR>Tn`i-MUp3a4`Dm(*-dxgEv5tn4FkkZKnsj=^1EbE4hL%=Sl<#e5l|U|J3it z`nODgBvc+c*m#zQa)CZbbzf^0ATuiscI(}K%+1t{ysUnC$%D_$B(5yD1^52S^0$`O z)R5%L0QcF%2QE@Z?dz2lQ!`L91!B~ z@y^fl;m|8(cJnB!t6w~Sei@A4akwvByyyo>AQ1C7@&_O<04grN2c)NRatP`IQy&0( zK7m9a+*27yBilo}+yC9UKsgPsjh6$W{H84|gP%u{Vv4|3ZJ=(+4dJ-zlmW|nbNRAr z=W@$J;Ks~*iIZ`fxb6F2jJYwl@46Vvw~`6a?E5~gNlv2DA;2=5A(#4zKi-~y^_dx> znt_GIR8KE#;Qf2i_<1lf9dFNi-DTVboN~w$?%N8|l{^M+`3&P%d|ago@KY!dZzxYs zpMqoo=-d4qR5!LSP~!{gs`b=vID?l9K0g<-p@6!WAozpd%vuo9~OjI`YV>K^w0XMJPf7c*dp}~o6ku*92bF^onS!*%9V>2rE*Q<`Sl>;yO4%6G3H6KmK zJ&HI$B5zg_;fn@n?|LC^Oq&$+i>V9{r&yH;%y;;kOKprv{y7W!*=XkX%sEB 
z{rseK$%u)A-DHzM6#{+SGw*B=pS?hMpsh__@rBNed?;;~f^?349u^9~2BO|DD%=EQ zWPLO?%97k+H!Z2j(kd#9217P(R&PNScvztwF(!zC)I zhIRvBd4bE91;xdzW)h7I4Vh*9CBZUQOUns(Req?&rKK8=C1%&Mw6sYm5Vpag>tdhw z_3PE|{@e$#a7Z+2p_mh`U0zOFnoaiXD!#2~whLa*vEU5G#Ul5BU z*&;~nMlU)BTw)u^T{POf(AQrEC-3%V{?26N>&K}fU9a=9I>pg`3p)X3c6Q%kBgNla zQt@~MzFapc^Gs{3Hrv5f>Za*r&+Ih`9v)(Q^9yU)5JoK8sUd~sg=i}*9BcfhmX?9R zk_H*{;sxU~;KQT>w&JdLO4%Jkf^di%q!#e_0475(1hg*(?O>(SW`SVu_fb)4dDt=7 ze*aHw;fL>jV5QdM=Zn?zxqY#tWQ(Kk?B8T7naFzOnpD2Oe2IrIkDE)(f6eAz=ZUSe zydIL0N<-oWPfEhMwysVY%pRQD{zkVixRq*J$d6N={`T_6gM!K%=H=P*(tS?-3qUR7 zDs-8OSQGd%>NPZSf|4zVNxt25w(9FzuMkIQNNcP53+zeJ;uiT!{QMnqBC6R&cJ-E_ zM#oK=t|^%t2UBtQ2d*xIoQ}EH{grX7`Z!Lr!2Q<$_3`7!9HUaOf!?C0e(;|J3Y^A4 z=gGrIb#vQzsZ79HP`v92pYe6GPk6Z7i|Y&|?CC4cUSGZDvo z85Cm#DtF70wFb1tY0vWUK_R{b2zj97#ZW+4sdc(a9?~q+019^$I%qh8RWy}iiO@ksM#c1=6? zvr0lr9b+j!Hxe4APRE-ljqv+_?W7trkE~iDNW5+tBO>o-Dtk9MIk3qnB+HhUFv_r~B2;%A??-D0!3g6YP z6A`kuII%@8UPY-V3d^GTL|=qlPkSZFJu@1a82^51dUU-+F|C66Shl^Z9NAt-dSeZ- zWz^Fj#{PKp-pv~!&BUGcT;~}b=Ot~eH>*<~%u(TxZ->YfRjrT=u@yeSEnig^GCUr3 zo_^$MQ1SI^vR+-{_cJ57U-l;U4V&d=jr*-qb4Uvc7tNGqW-x2=ybSnq6>|$;ke-U7 zt^D}z`^%hUJ(nCxB)%LkW_NEcpe|>8^*ko6aF=-PrnSfr%|=9XP(7ba;aqT-Qb`B$-^;z@INY?LcNwCmsaLad(aO2${iVCW@Na=8L+z~NEi z@4YiR6Lameu!nmU%OXn>u%nK^vqL85^Bd^o;mwdixfs%gF;l&3h|Qdqb|o>Fp6PDF zWTR38zc~t05OufHkG#J1_GQvzT1u)qJKY%?Idt=&M18W9HENGh#{1f!PzKHR$^Hjd za1b~KeX|6D4IjHkM}Mru2ykke7r_Ucdi$%j9@XHRd=&OySe|(B$Ya^c{qnnW7uke= zvA>D2x>;~qq!5|e+;D|PHD6WKDL&XbUdqjLCn7JJQq5MEi%Vn92%q^evNvJN zZhNa8cYSZ_N7^||EWx3&wisRiTo*kiA}Gr;un=i~TMcb~4ssBZ3#hmGg!zmbXdk=p zLM*uS_EPWt!g_;)Wzl6L159F_>su0Dr(oR6DCP@9;d zRQBMC+Gj16!5knrY?u95tkrNo`-@Vrocp>{*1gDl%H&f*C4TKq)U)7TTP&IwS|W$O zd#_eH5E*JT7$-xVlD>RyGK=k^c&rf<(=^0Yhw@A8B#6k{XN;9eSVIL>5hSazT$Vwn zY~lr}=!z6x&%Ho4hXgzC$kiuF`v)4UM)C>{3`7#RDzAwL}&;+3I( z;E>gIAJThR!x`1_Q1u>jZKRfCUOV$= z&8P=KQ)aEdl8w`N2#R-NvLRB|rY>l{2u6|#zC*s&Ih$s#?BhOUBTZPW=y6%%*WF_t z43UrClI^GJS}Io?Lh?wJM6IjhXJJ0>nY2jxSG)Hd#W@{bQJC3|gd3$l<}Ef1%X 
z|6E8C^9oO5ZMq7_%)rkmf6V>dxEEbs6ms=lBFk?Jqch2NqtBi#*bZy5x`IxboOQ6V zIlm-p1jh4UMhX?S zuhn`3Wo3@iyeeK6Z4~BgUv7H3_f}Qz#F+p6NLlNpu=s_Rhb<+kO=MP7HosYk%@jE0 zWyOetdZtwq_ENp-xx70s{QHLV`aay&E=~0a6Fu*yZ70qc5|e+LHErQ*-&Qr5np%N{ z-%tB~%`1j@uXL-GJRNUaP)J@Gbe>84zVPcWj&}Mg)#Q}Bjka{x%eE|kBrQ-~7G#>2 ztLs-7>Zg+Mi6nd%(zuXnv}eYb6{W;Gav)n?b5b}fAWqOhrFxrFI}fH%Q|M-~B)8IL zOpBuK)!668@zJ6CAHJjK1~&his?`Z=xukbZakU^id|?X$->s*dU9De-zRU;Rw4#}^Q_(^-kAV-DpA zJvYTk{l%(gj_3B}Oe6!rZ#cY`9C!hP#i+d(;{J>sgkH{~ZiDDOefw({G0)!pn=b+I)1r6tbr?op-tn{mj-6Pd?{In895XN1S9 zNf+bzAmknYz-i2E+$Y>+uJDAX&sbuwQa#tEPu`^7c%ieG`+iQ|VCSRwfJ;oEx%v?x zrk#$=hR+#L1sR+~WpImM`=m!b%QbSH5t9);jSAeZeo<;ncRJ@n9>dd!`KRIYCa1MO z(+Tn>h?c!#&3P-9{e~^CBs1%0(8iieb37gHQUCI9jmF=ZKUN-tuPVP~jW9JuzvE1i zXa-5=gl3~U3s4p7U#-r2lY5?4h%x^W5z3pj)c3}v^$cmMS?9dRo?@?csF2^G=;l!W zg4HR}VUY-09elx&rVelI(X(*RY**5DL3%>mr=hB>>5lbOZec=#hBvOxtQXC^=_Iz_ z{#RS`1%#I2wQqxt1SrAj=G3UzI;!x(<7`XB9Atlho#!zBTub?;p%Mt!Z%zM@*c>Wx z{;tD;by`=az5o1gWz6fNHYP}Z{vLw_`SG5=^I>>|Ls`gC+1J^3%BDs9n>~?WC$gmOte>K(+qoiT>ZzNJ&~GM?dqoQs+;(M17^S6hFTBB43a?Es~?y?yqmv(9BvQGH|M_P7M9sbm6xYd_NiU-eLA#sN*b z93aEnx84kp4X`h-+>J1xzsNNE@dh2=Q@+ABEG*3}{%n45kQN-SJ%3t&J0Bp*`@pSC zcyVnle!ZZybS7d=6#5LAnVgB>KMo8#4>h&6%(j`4`5D<|@x-uAzQ=z~k{b@AJI=;dOD{Gqdk|-+QmU_Fn7z zS@xe;@cmI;>V|Aets~FXnF$Tt%EVkyGDh<8H9;3F{#Fj5>n%!x%sROeJUl!QI*9w$ z(NXJv>gVHg)Z0sH0ZyU;mJysv(2vID<>Wle1W6(p>FMoY+xyK~MdeLF0lPclK8Ss= zv9W2tTmUFWP@MRFU4MC8s5U6Fi=;tDc}MFtp*}7 zyP>L;jaGio3;37*m>$6QI~!>h5_qoC_C2F2_Y+pLm6N@Ux^!Z>yP`fsZ{}v+iHQMu z^oTpJzbX2P4kxireEH%e>#WJKTv@zs8E8o9XYlUY^Cu=2aNGoQo+1Wo-C@q<4@uaL)OJ_&F5(>8F7X+l#{=ks3a2TGLAhHaumxu*hD{n8a$qI0A1d@D& zy?5_o^RcqF0>r~ysyL9(P>_1B<(Z|7j zm+IuM8-S{5KRsz}OdMUzZ>-_V>i11GZR6pHrYrwAcZ{I&pC`3;Q5QuLu^hj?K>qiRjZ?`l^ zBn{!%@9Db>!IIYpH`Pvz zm-RDfW+Us3_mv0kMYxX~+Chh0_U+ql~M;TVT#B5XPFi;fr}D^63J%6et1 zWB$ZcLnWQ$!L^+XPrykH-C(Kb7EPTcM#=`r1ywipr6Z>i^cvlnL%iC2pHyxCdIUCR z>D@KHag+CBU3*V|O1szzZkT0BXk=2wJYAYm;LTv5Mg6sy0Snw7a@C5Gi<^SvU?Fgd zy#|Ooh-d~|eJFl7A^R7x_qlU~2S4x#X}^ovZk+ER!_FbKsPWiE&bRV{vhB#x-g$Qi 
z{oH#Ik46osTQ?0wH@0rK5IzcaA%w15=Qe3JL&r&__dToSh%W93JSaz7MohF_1nfzC zpqYXNPXfyqYY>7FjsT~zK#!E8Rlp%6B0@lwpPjwAv(t1p?Eol`xda2hegsJb#V&&} zF)_ZrzCFA};JB%m;pWZBS_L?O)WAE|#{gPXh69{ccv$Eq#Ki?XYFPMCKjS}#)J7q@ z8SKz;EszX0NFiAVn2exiBr~(++|1`&J^2Gzv-bd1ppxHUCx8xASF3k0E+s}jK} zp5+J02#>zw4y=P`nU8%fw7CHP;rCJO9Qq|SZVgxFqs%Dgxf%?H-dI>>s`q@HX(oI( z8(fQ9kz(Zkk=-B8K=NUkUFOxMIddToT|wY$yqygvx98y{rG1Q0zKjY3k&#W_soDXJ zh}G&4J2yL=LpQ`Sz5PLNm;{I2v9FE=Pz9X}A@!)xhvE4KTN@jJ1ESu$mxpzYjDReQ z&=H&z1`UH?NxeFV3}2c>#}7bKnm&+swyM}$ZG&=E7NUk<0@DF;w5h2ntBozqf&*QY z_My292Z@#4F5mzUc7t)OudmM^_;nemH*a)hRe}PjAQTD0LcO8iO&LI*bD^d1!?@DS zOiO@N1t{U*OBDE*F5Ryl2U#3fk)5;85iJN3-FXL)VtP z%h@F0R4gV%JW%XI#EFN~`cMG>Pcl;kMug04;29 zyHb|8QdI-q#yf!KDb&Gr24OTXS3!Il#La=lTUcF%y1FKIC+#J5C&5CxP3|54=!BP* zK_9tS6G3%k{QbqAQ<7vQMn`jTa0K)f<(IOT@$ld0?E@7SKq(Dw?%p&kH~50xv%%{u zh1QVPW;<}ku4#75A`~0tQt2u7B({CLFs+8!I4ptJF+^PA^^F2{l9K3fTlOlC4AOy= z_|E9q1plKem7>S^@~BV2N?Iav@i-Ojh8q?3-bfiU-ERAdOb=n57<>J558zBG zf2LE9k6`M0GX^Y9->oP>2pWM2UdDn7x=;56tAmMh`)-@ZloRT8x#$IFj5t>6+8(9 z60{hjZeu)gII!__G&CTm!TzX|-H;9w3oE6=*w`3kJ^^IR(R9I!GdZhR?Ay5qacsT2 zgDqTy6l`Mnuk(8h>!}H~#%m6mTUX2F^gg>svF5IgxKF+rNEJUIe-oG66K&Z+BjSh3 z&Kwv&#!oOC)yWv_FWa&6#tN`Kuv|V5!lyyN+}Z%;Pr7R)j7m8?ZT`oH~Zc zi0t-~eQ)6DY~quW|Kq2g$*RzLaNcGRm0$GXKi^i+@OZ z{{_p|B!zE-cJ5&R|5bEe}gR063_plAO2TkfWyGJFf32QZIAZ@1nbX* z_2=vc#dQ!1Lc{UU(%0uKe+bimtqmrDej_5|J$r%0exH`E#fYt_y}RVf^ZA|J*4)_h zno6B>gb4HFhV8btu6+QytNjB|Ku>P<(lb^6oFl}6eE>i@Heb$@e*sU&95frWp433> zDuwgUg}?WIZ_yBm=V(F@FZ4Gd=r@I-1>7kvnwtS)htkB@#%{mgW;VbiNDlx;$zDr z_k}&f?g@L4Yjz7<^cMj$Kd_;BRqWDCf8H|n-lbQ6<*%XYZd=nT+{xb}dhJOb_1ulF z?v-gqc(cn=J;^)a%P+H$lsTx|UFmred$5pNg>R2!CFL+!JUk98G|HT-#R-9F>DwY? 
zQZwSS8$V)TXj~+8S2g9&pBqo?p2*M#+&nn9_n2|!(_4CtB zuvd*KG7GHrJl%+z$sF9iHLygCM83L;oJ+Um%l8@&JQ;>nKkgBRh!Eh)1LwQc5@s*e zOo_dXLsJ&|`tbrbYVH`KAa1-z$B%6}R%#vH5ZpTWg86NCl~?L*nQ$#B%{X2Qyz z3FoSMFa|6f9^i&d46aZ@% z-*^-`6?P^6XZ3t_y0ybtr@h?p%ziVzZz^5dLR6S4?|p7jP7dC08AYEKJ}g{AXi)O= zJ|UUvlXb^Weqv(T`=Kn5?O5>n;_r>2#x;3zB-Qvyvr@A04=v%+SSQI0@-Gjt9?rm| zZ%M=t^$|LhuQjCat%`Y^T4(t%5FSwy$W+(8PylBk-a-3nAJxTP6V!M#-H8A zU$l=O(;C)-^M7ZZL)`Da$u*7rAA7<#JYHU(NM+pCSj}ip0G>E~SMy5es*uwQgE)*< zu@&U=u_BSVMK*>gHQ7@Z|*(Env!2KmL+PIot*O#KrcV^WP@ zb?)Kq!0V|L+2oeXxA1g~;6I4$O1=Nt`nH*6uEJ?z9z+oE4ot+-b zQ*VOasi;cS`7k7kn@;Ech-qk6`l~FZ(xKc($4{^(geCwvRJb(iNJiQ!IL#%eC_YM0-jcF&P=B!ZX zmG|YVS6@GHVE16uD|2WfU-u}ierr)1bnTo_CsgzRNq6i-e===kMC--Z%StAi^P);` z|1ya{-YsI}a4pk5w*^jfsBu-1+d{G@(fvz!kMJa~QPnT^*}?Wvm#rDzio;|#8YSHv zu}b+e0gg2kWn~l z>?>P&RqISXY~~h)$GyWI+UcF!Z*+=<-;8B#n<)Hcb>mZ9K#G@$kKgXJ1|_Ir9*}P~ z+5Zf3@R=k%uOZ8N&ErZq{?Z{R%mrNwd|_%ZF@Gf{X-1=}+2weg0Vk8y$qV{aw<>~0 zZvC%pS1tF+f{JP9d5s4=<>4%2vR2f1lk8udF%RQYXTcI2LJu1+#Mby~*iqxowla6R zHL)#$RL!!~Ptpwb4gqc4QS_wfag>i~W^S${5>**8@D^?%D>np1=A6!M2GOfI)dxwq4 zdKH6>vU$&ke`8dkpuo&iqHAkduKYQyQMEpUL&y$DY#4r}X}=NA;Us74A}535h1Tdd zfthv#`SNwd*9Eh^-1jC5;)ag1I5M-~^(tL+=eS}JjUVWMbPU!o-EA10JgK-87odDf z>U^_&g(su#QmHi!vJtyi^Yo#OEL{1PwXy(3S!_dCQFUsV7Du>!vLb>_qaVMtqeP6k zYeDe>7YNGjegJtlw3M2Sxf0pT-(}%^oWDZyAU6n|>GYl&)VmLpV>Q{^801HrfvSkH zi`__qWHvwY zWWlVQ>rV1s_%oFc1|$zL5g5NL?U|PG{Bd5=|61BFtM#hlDK|;#8+=VyVD~HHWDMM8 z@%hfqg~QlIMf}e?_P4_Zc#vP{!9tK3JqDE$qE>#oLgU%Vt{I|OIup1beyu&&$;xj? 
zYhJhG8QsIk9$z@$_4B?Y!YgI@+a<(ihXS4+0pZ^md5x=YK=G@&Ez)%;f_^h47yXXX4mDf3OQgb%Ipx|MN!C ze4PL8oub$4Kc4dpt9ph6E3rTmHx;|kXv1kBoR8&rsoMEkKD0_W7UQ!3wr7xcUr zw@sLFgZ8O`wFX@#6*Zwru1_|AN{Ke2H*@ldV@F*bl+sX6;!gOX3)a~E({lHD<%sc6 znw-B_q#(t>i5LPAE-k5?nsJstc?)XdP)w4KJ!G<5dUY1Y)$P?G_N<^A2^*73yY zH%}@fgD+rUGCB~ypt?bfD?6G6>*G6=^fR;8q6#-3+Oy?u+wy@)4ELpe*xOo%+-ViV z8BT%P(zT1T^1X5&ly-i;Ux+2ngw4H-i=3Gm%fEEG>Qm3tvmFy8U9-io+w{SA<%?;N zN1JH8#?X_M0zI)p3wd9jOH;G&W?@(>D%GDOEjTJTcAXad|NO0D9PV-{+H|6^;QF06 zOykS9_tVN7uhYfRK`-}=3W}nujJE<^e9gQhh8XkEzIFf!!3al0Lo(Bwjqn^3% z$Vt?9J(_{>&!1v+24uE$8IMpg>XAZ5w|5L`%cdT8Hl1W=>a!>9@RN3RYd`K2t*&~4 zS!GjE->t^8Sbat; z$De^Xo(qF!Si8E*=)h!aq_e-~V@c5blHov4-?#XT@QeD&T6MWn@t-k=x%jf`=>}@& zj6TSYacxEr2|>&riZ`%%i_aiGrPTSLs#E2o`(=vCQR6|OJexL4p#`Nid{+`r7C%V$ z#ePn;pSbHKw{+U~$?;CCzxGb}xQW*?QHF zXA=6CRH^-|e_j)DZ189nGdN1&VKYMgyb+PWtVSZXxF2TNLRaTmz;c?@;bO$U6OcTc z2_)O2>L1mE*!_;+(ENqdT;D$I?M>A8iR6=x_36ew>rUVKT3D4O1mZw}c^!(qUBpQe zf7-lts>w5&wZMfiXD_eGEWk&`#!qz1BupHqE}nLOoA5bWX-;BCrtprvk|Ikg@=#Db zN_hRFv+qc*NRN9`?S78=>1M-Wd$IvT`{HA_ygPHn^}}MmhoUj=j9x25LV6hXtGfML z?@>0iES{Rr;x(LXVQ!{c+zt*$71L||+jW{p%gI5Z%)kQ4IEc*xeoi&Wex|sA7#f_E=yfWryH)ijMkhaTNl60|B<-DB3 z35V^rN3xjJX&jaE9(?(P)6d7pt;#>?ld@2bkKFPl+b|OsGulIew^uieG8VoCZ!fXc z$H;rhQzB=0p%kTEkO@ZMGo!loIK#N<{npI79EE`jS{K`JtgQx;`UQ8PPS*ImfRlOo z$mVE_7KPFNT2_bk_SdU4nnS<_k%NxjIbgfPY5hmW!110vJ9% znLh7VZyE%<;$PTA|GdM{3N=PyvWw`eDPo?UWOA22mZM;qCLVJpLP{SchVNHioZSKzIwRkntWKzHE}34qX)*E z1S_2Ct5EV&#CB68UFlbbZpEEalwraV{3w&}vK8W+JeE@4C;xCfD+Dc~16YMMr~!xG z)VFnGoB#z}tHCQ>&7r74{qKFIoRo!M!4zm`FT0dqaGRT_h|*BgOE8qGoq$qT_x|I8 zu!^P)xZG})9u;Prws0b^d{njbtRUI* zag@E$QK+hT-RNe%FKIau9Tf8Ic|eH4ZopjGx9ZXD?{+hdeR}&6_xMV$13Yidsq3W^ zVxK__dJ-_NhOn+fAd_s;;tj6@EbjK52hP=VUAgEr(Ab>!eVj1AZ?hOHctuAw&>^|+nxwellbAFo)qsE4$ zonHdYRwSJN76ejE4>y(;$AUo29{h1jH0Ymta{+@u2ou~c{UvbYp%8GlZM4eFgy?IK zp8@FGhddQWe-|P^566H&0;q|*z#rm-xKJ@NpusyU~ zge##^G=#!*mj;7B?Cg`^KOOWp!T3Pm4+aGNnBab}AWvc=171tsoRJL_f8u|7QOtpo zFcgUTms2Z#C@3qBggV_k``#=AoSBI!Q7N-|rqXN2#@u|izCO@5g4D&u1*FICc6V}u 
z+UA!puB7tQzI^#|Swa@zK8A<_7-pc=GaD7Yqm0w;R?+z<%VlfX(!O;)z$O!;DNZ=d&8rdwT8GvlS2I3WD9glA@CR8?2+?e2oia8hwy zY1Z2bLG|#4DV2vi+uK%pZf`ZM931BSB4=8#T@@80#_!TVP#|^fnlH$JM?7Ph1O!8X zHoT|yZE-B|!-q=Og}38g7aSZN9o5yN$*o-wGrBs>A-X!gxiM}WAo`6Y?)eD98Y_~@ zu2WwwtT=&6kQEi$AM&wUsPBP*A6u+EYgSB>Qs%C8vQ~P&R#q5D%O7EthMqqQJ`#|2 zZb$ZVFPcVV`8^hhSGoErr_Dx=dM6ssDn=9NdQILkagTI$6&4qp^uKD#7fD)d*3Xl? zc`bL3E>D5ano?6dA?I6)ii~0|UJ~KT+M1)iz4e8y6EB3JTOsCfE<9bZRZv*Cx3nYm zT`S-=&J{aPqcBnfG^v^2PGqR4**?UHtK^dO1}Y8Jpz1M)5`P*yFDQ+-?$C0hzFWWT zkIKYr_3dDYLJC{e#r4XaC~dBj+y_h<7G|!Bnwru6ehW-5E32%^%Aq4<%JT-}%pcZO zLl4F2EH%X)?d%xe@;M?&Z##>?2L=Xsj1hH!c_DbY?X%hE&xDb^2G$ZTRks9VdWzBl zcpVYY^kYUfhe}#GHJ7EX;@tv<%!-PA)QMkcKrPQ%cS%!seTM_M3mE4O4H9G}6Ki}J zc~8{tCsb=4qEMvbsNs>31etLh6S>wEsO@p@*!2E4(k?PGGB3WJ*Q`G6$4fw8^9jSg zA20Y}*w3UcL61k$(qxTcW^6#Bx+J+2f|2K2R$7XL_mC_&_1FkjwfPQui3q;uPQi*i zAS=KU~podf&% z#5ll3CMqZ??QU-mN@GwHo%L8b9~{iQm*L@g6OtDvD{i3QV>JSUU^4FPmHsw8z$yak zd=c^&u)kZ%#tK(HIYsg<|_tK zx(RG)05>*wKpWcX^#IGoiEdFw0yOjrG(@jRiz#?LBBRrRsmTO}A_)OCNPto$MFj~8 zr?^qOzt79NhluH428zz{@#Kr`2@c*a4O8nt9tI}oBAl0xb>ypK&)2UZzPK>3)PS}; zagjhpFT-e(p}`AYIY?mv@Fk_p5&)eqE>;UnmjYTaVC%pf0Qe_!5C?v;uI^o*Wa{M9 zHM5~z;uQ`?D3JHNG9ne(@7w|Ea#=>@bXSN~4M5*WO95=_=P=C*kByI-P=0D)Qv3JY zReXRD+_1&L2*^M{mx;#*&|%*Mx3VLy=Pj1$&8 zBS^vd!;5vN!{%X1O<9@6djJ%nqorlZ1p?T1n|K35!`j+switQYyg!D!a)E7aqrDri zc+3<6y-FBruT^2cgd}xvap5u-cnbOw@`i~BOo6BT)D~4~X=b*ztUPdpVF6|p0x_l^ z)7YY-u5M~FkjQyU4O3SjCqR=8m|Q=v)CqY4KuS zeBTpy_j1i2k_KPIhuX)Vg) zfXwSHoD8IYpcb+uCtO1nD17>Tuj_IH98(qE(@ojdRijf*uXjWusmD@j91~`RN*}Ja z1ZaL)ROAyg%8~-~AJ{Ncu$uN5u;Wk7E!_SpHOv$o&`NUEVGul2W77+bChMAWh)}r= z0?gdP!gl$=2{c!`%0tec*bnsPtP?+&SBk>v<6n${-HXuP%YJn8O5Fsk3UieoP>BIZ zw%;?#?NVsdf@?f$Bfv3mfC)WTo9J~(`lhF_wiaBY0pGk}U}@`kH7fzEbRm3~ks$K` z;FL;&pi1Hs*UyIa0ot%+0>jqs>LuPfItmIRg1j!oYG3S z=F#uD<+TL`ow{b1th#%?f0xVCQB_SL$wMGScAR~E5tW2VGILLN1C$u+x>GWLumWpx z3+_m8Hg;<+Y%31S6h}_~RC^TKV4S2rM3FW$KHgvC?BQV*VZ}=unVI`GLe212UgpTq 
z&^21xT`$Bgj}yt+^d4OexVR~aVW6to-Pbp};qm?ZcZb@VsF&!@BEX11m57l&tVzb3Xp56dYN*qCP*i3-K@<@E;{1;OcjM8a0pnw1_8`%mo!z}spNa}r zlrgbJgpIk|O%>K;vU>yK`RLcQTiNhHp-|jKH8smy2g~6kcmx1KG9vAmR#7o1icQ~n z)-ykEz(GA8K|w)~tJSs)V(mbH*S_7=_2!dJ1Smi9J~lStZE{@Px)%b-T?s=?jg22L zfZVS5yxd$nN5_eYiM7Q=K~Os4$AZ3r0pdg$vWa%3(biKJks}JGBw9W>HWtx5gKt!l z1qk037LPFUR5Z116*Y=qR@T+kRaNP>BWi2&rF2U^e*98eOztV1jI9L^90~mOL&GY9 z0Q-0+T#O5zr^k;O7%;M;c`NeOtGFw{#k>F};KcMP&44ZT8Xqf!pYzPpZxW-a$ShB| zd>49vLA94E{9tcm!--+f#?p#JTKV@34#r(mz0F$N?q($*!#QJt{Z|xv>5&1wOG`&r zkej=Gc22k%U66;peLE`Hz2C9o2Z}b* z($8~Vzy95Z(cyOmff@>0jTO&b&yF-G8V2uVRc;oJN zpU%#H-*4};Pt~n^?w?zA^MmT@r+f8UbImp97-PVN!! z^5u^|KvWnY;GG(ARhB>gc>Txor;?hU##_zj8bs?^H|N)nEd3M15|a`sx$kk`b4jRk zS?!vs=RTeBiN8tzba}KsQtV#1-NFtF4TWVrcz}iVFa-pv==r?$Aatt&qhdE@%a&Ni zVgc(=)jGj~Bv(sUUu(~IF>Hr_{YWI#i1pC?l<^ne+s`kRNp`qrWE|AUpz!XOMaI5=T3hE+(G@fBXFt0 z!ifI#lTaKY$itxj=O5QI2eD!#*H|Tg5m{J!aI7=8A#SX_8>33EjqylhINdT6YKf3- zPn#IO91f15#dsr?nVOy?DLEyJ^jq6EAf=q5CjsdxKbA+a(c6N=P1GDQ2=Ja__&9uS zZTx%_kuk+>grNFxa_dUbJq7(%Udi0TV1M=pd?hIvN*N=7jRh7UU8Fh}IqnKG2yb*F!jqvH|PKd00N8HJgfLrfPh=&YaS7g~o)*sVTY> zDst-LqR+Bcv*BaB)zaw=>qRq1`_&|?Md=u!kZprfJD2h(%*%7Gvs!VIl^0}v1 zNA8uBHv&FglA;rN!Xmo6*L_>&^r`6R8S6~PLzp~Op1!_U6&bD9m{z;JI)g@g9r^|9 zdVIk5kdLB^Rz_cHhdyD4hO^&VOw= zbnVm4YWRindSd}akWw~eZ^ALF)C(e8 z2(8wBY97~FdV0Qm@nTQeaFJFxg#K7Xp_kcxTX;sCKhY~M3DXs#ZZMV34<>rvJ-tai?*ecbL1D?_nk%5 zgIbL=e7clz&_fg*Zz3KtDJG_m_YD^MG!owt8xe=*$=4ladF}Rw-s8HJ`|6KrfryHn)83;~w(7 zu$i9EZMoqk;jQFe{Hi$E*U?3v?kbk8T5@G7nwG7i10IQcP{ z7r$l)N%1yuP4(8>ZynQ-vBy^v?kuo^db!VVJ)mkSK1CIpwq|?ecF=kwJ_2|{^L0pp zs5n!JiMG~9jKRCSZPS=fu!0sP7uvJCRrqSFT4ujrhJx&&ZC)>3UFT^pXRgp2=p+e5 z*w2kmj-i_Rx$N**4UH^`klAooK_63RXZ2cncV)4)UunQH02y(~0~~1JhP@;=8+j-F znx~O1m)~)#VFla9>8|C%ifKB0Eh1J+fJ5!f-J{pRFwg#O5HOO`n$+lbVli@(pmlrX zEAZUV$uxIgW@$Ac?snqr@%4+q3xs{9+~s?z?Yq1NZ;sL>)*Aar#S^ctZ=0La0vX&C zVmXc!x%oa1iQ$t3pq`!_XSj+{k`eJ0sv6ryunN0Hv_ zbNl|1d{S4fKvQ-mdan7F1GQnndgQ%1eYV*mJstg+&GATXt_GXKCH~}Qvj{TP={*5* zxh|5SFaED 
zjQ*RoUAwXJ~YX#_2>5xUzt5svrS4({m#zdEV$06EPz0pAxD%X{Rq-!<*%k!txra&r4`R){^(=o9hV-bjV^Cf{mZoe zH}csCf3Xh-O(WYf-RnU&@St_?DDQKHgtb-P*+$u*4Oy197lGQ25e+I^b;nK`fr^V*y+0JYY`m4rx4u`cC)LgL4`*y+(3E-|q? zO1lUI3v;Qe?fUj6v}}f6knzd2lN+m0XyNJcsd?O4$8u^D`mAU(J~-|K9|v~3JgVtt zZ=`M`bP+N585|ei+G>SF@I`l#xTXtL|0!>2k~%~-H~u#Hv`R{q^6H+HByV0)DuJvV zkE&I3()V7dqk(86jAFPC7qUuU1@$-JE+(R>hP=TJ{2sl6i>D0XvIzoTjRknMHNn!= z7>N#Bear9i@$xc8;$RalUBvP~&PTgLflDu&n>pJ`^<{>t=GeizYQoCQS^bmxIuq@N zu7#bQucal)ir&^$0(B;(ka?7#-LoL2;wv}sFARo>oGTsLR8!voW<73lKmVv)_NZx) zltgqHGme`04iACLuQdq*Cm9RvB0E25C2zpVBDuLX{+6OQche?Bmp0EB?pH{S#JuAG z5&A#DuKx$fco|J7pY}v2Y(7FVDX!?{3Ps7|K!S>gz6%qiP;hPjN)H0g>s)<_$UO&Hxc@d9>%kbeC zR~Fw^SJB`z^bnGyh%~@*$WeeHEyQ%52Gp#o!pM{U{wxU8OeY;+`SKw(mHtaMV9t7L zzc|BDG7ehu`!Ls6koWZyn6xj`kaGuq&{F>~+Entte8VdsJ^*CjpDDr3^&Sro*xZW0 zj{}6O_W=FK`G#H9*Set&D+XpJOE>&AQ)U%u8#g?F!MrDhBn=X){p+(#iPE0`+tUXo zlSE>z7Z6>S;x*jaUpALG!(LJdq2w)UT?RWp*^4)A_BEVgn~PNFEr3i_t;^X>mc8Zd zDRnqK!WLQcdh!W2T;@is=L7O%!1tl zf0kKwo@6@0v`9+j)HgI)b|d}u%S5%u?bk;q%2sSYmvhDPxwZ~h9#K;Pr{^V-osbYA z4E9f9Pw|x544`wXZoG(|*Ib211&4Yb?5&jIj`MexFq>m5e0J}AWJe1eKV~kI*K{5z z5xsQZoyAY%B0`{7r_rYl8e%pbkF55eMCW}LqF42z7X^b34{NsbOTn7;Ugr)IWp|_q zNm7{fjEEpx-{>FMO-HBcKKVJGwvv{+Y<$#=_w{ zlVwr{zWp?EB01gqBPUICh6wBW3&1(hfmo&o1ibJjiQcQiojhzF5x1o-B{;RfPJFR} zbXIKa!S@BBy~swvPvxgHb~9C&A8_jf2HJEEKI<>Ev`8*IueW#wQG+dUgJttpA3}nl zwmPROeQc9W7QOv-JepE3%M%SIn{0Re^IvJ}J#xp2V)h=^xT-QSB=s6D^<{?pRR-MK z*S&`qQk?k{%6<0|SEUZWQL4ZF!uYlf0uepJ4v(ROfJe!d&SR$cG+?j2QG;ea$20S{ zd2CI+EzZPDbJBdG^tR!;tBci?2n@o_Zayv3#&LMpK}vq@_x54D$?b-F z(Ho7}cgGA5In766#EHk<77Vj7PZb2@1UwcS%8XN;B2n%1W_a=N`2`7_QV}B#q_uX} z^%Z_NYYvyuMr46BIw1d12PGoNs5!e}T))6wA`TjLET&Ux5h|*{Xg8^Vl=YAu&XvK;6(J#cfMet0pBarDeL zupp)Fy|Lz_l87&EPXkKUlf*U`4wqC?Ja$E27k?trl=^uB7J75T!8AGpJz75N8EKdt zhBJmqM4)4iNh`_wcRH_8E|^&fkVI2;7fd@^be|Pe?vVPGMo>SDt*F_ZVT~7mqRk9n zl=egYOyMegZw;d~OxJwvXCNVKywk;A7H}e^BswXGUR`|G5ALW8`}tG?wor;Y6*k~m z&FTNMMb&t}I;glSXJuVw;mcg7+kUe7eq{HPnfis+b$nZjDiF0tD*;;Moim}GMz{w5 
zzW4d->>VlC!co={KV*0Q=LK*G%Y|n$(_Ed}sgrjwz`S^=PN!nK+w=~1()jhtC3+3F zfMhvP?v7Kb^;nF~k`pdHj5Uc;(rtC`)QBJN^uD|Mv?>My?QGy!kErT_M z9bDOsBee}My}-T6xqYJLEq7-;*Ut?;=U_Ou{040`!;42A!-t)WgctYFD3nra?E*ST z$KBRZFA$vFcej1VEdtm|-u6kxl?8Ph#lkHBo60gUQKM3%1WAjNtF~<|tPntY{1@I& zV4Q@4shHfmu0Q0oGnrL`ic`ix`_05q{51?Kc{?{(G3EiuZrh-M0G+Yk-Me@18e5@y zs0M2YJb)v@K*mC9Fm}U+a19g}nPDujxtt)e62yCS!qHO%f753Oi?~aaI2adINWexf z!HF-kb6sXEWGgx%E7BRm5q~b2L9_l7{?G-9G=xHcEUK#wtG#K$-KjhMlF4dND9$=oYvnF)li#PDtVzT#-*O$S7r*1vg$;?6 zSUOr5O%>Y2qwbCfQ`4Lj3wGPbTDq$UHQJ)KS`IuU$KW5p-U)gDC$k<{6M1Dv##dL` zKKt?PwVrQQWD3LirS0#O6Ok zuyd>`oRD4O$R~D~=}wAb#*bkurOnx-U2*YtN?FaA))c`$kPyUU-Z}H#at2FrZb)*#q`&&KdjeQ7x(0o?{+#e7lJjz3Xy(Sp8!_j!~22_q?RX__V63SvrGs2 zwW1v#5ghYs&^9Fz4M_?Gm79)8o~P+Te*>O?Z5<_Mv^yc9jli2GzJ_(RmI_WF(-Pf#7r)_;#=d-r2h_cKMp>I+qYLLd=^?gw6Ig( zq1=xoMMS?ZApM@#H>EHFKQK8miEc#PaoQE7;XKY2+|u2n5A1YApUO% z{w`LP1%Tg|%|9cBqTdwdpJO5|TiWoy8)DT(=3gI;$4Cs~kWgxWUyiEK7BmcRQC1DjzSVP7)_cm}V)rI89Z&gT1;)vfhABMx0G_mOptMC{-89C_GUCQ&Hc`?JDK zFEJmks4e9*$6#y94H)11He^Q;bs^>H3>6lr`FfUi(mJ#DO>-I6g>?2Y{xD0X1azE7`_t1vPX#8< zje&Zhv-4CZw;Gkmdds?ataz2qClF4KJ9G!X^v*Vl%GvVh>D3d zRMt;sfjW;+&f%_?5S8%6Y+^xcgEGvIz5c>P5FNc?Yvs-NO@9aDojj=$AF5h$)sqKz zsXy$TNyofFnNefMI(jedvv2aToXtI?b9F)Ki7>WC9EwdDz2=Tfy8p(2qTITomEn1Xu{G#r$w#m+$`d_qTOA_{H*UW7v(GMOZM1 z8tg`VDx)y9;5u+Du#@|kx`-(kxkc~rk-Kgu12Y-WY)>>{wz13*eN&cYdE1f(XC#6t zLEhLcv}Q?tefNO>kr5jFQBEe;b9y+(V;)nPZ~P6CF!0M@cI%8M?TNGo1N1Rj+%`-R zW=}x40n(ZKPV$hSofqMcpVfHUg>n9P0RKG1<>Zmo51wf?@Yu`eyhQ0eegMbViGHfa z))Uj<(+#eOI85}}rE?`e6@hq`Mik;(h*I>3`gx;tF*6kZ~pREhP41)eR&-+ha^ zHn8&1Pg2$ss=#-V*J0G{N2=^?U?g-G-#sCY;>}GRIyVu-PX1H{SK#&NnZ$GSLae_X zLFm|Z8z^c9@34UJ`Ln22Hi`|-MwA9R5B~0f;LDvgs^d%PYQVwY-NaL=0mcz=cdO}k zU(7CPYc(AvfE0xed|w!LDd|q3$qPjHS=Ua$s1oo(u|+#;__}bgGfU(%9#1C);ZO z2R>iwTJ5UF{xc(gA0VKcGA4e{)FPB zaMH%krK(Y4c!97|8I^*bv~=#7&Q}X|QWhx~cICqkItCVFckv8vlw!eP=J2ltL+iYT zQ~?tFI(cU00;lfYi@4>O?OniDI(X|Udnf9?t;Wfa$Z&Ck_s4ZNGz^TBYXCaRe>8}4 z+5p*^0Re=i6j-#0RE*m5_$q8EY=mvitj;w 
zrbPCuT?Ya~EWZ-Z#_t$MAG8Ms8mPK+*^FHIh#-kzU+gLR0jzgb{@&w2^s~-jSc>!2 zk88>yMsVlFELg5rXWcFJ9a$ne<4Gl3)8W=*^taJ~8l^r;1-Tk0e(tcQ-uO0xdGr!` zPd37{JC2I-oon~4o)3+~Ae`{pDcgbp8D%&);7tA;n*5m4LjMi6b_%fLN8YSF7^^vj zf%=)ND~i>oP)-6CSB|TyB!A6p3-EP%g-+$zY*Z4QJ=EF3dm@C$%jRe10;y}_lTA6; zWpZVwiZ7cr+J)u2wIG-1y4xN_J^y~S3^Es7=g6OU@)c~T6ds0kyHd9wt{6sNK1PqY zeHDO=ECvsX$lONI>0O@-k5J%6-AoLHS30OKmPj|2^A5Ek)gPc#OZr=#%9YU%lQ3Y~ zV-5YW%>kZB$!@1z*-P*ztM^CM7vIz0m(GyA3ouy)gJ!s@$CLB6|}R9&g{QQuhSjPJI%@ui^tp- zSuHnX`wuf`Lz}8VrdUobn8kl3F#rUe8{YfZM_5%+$W#jea}3&5WT{&fX3qo2TVnrM zq&ke15zd0NrdXY20lIV=CT7hYKP(P z?db|ey@;x?G`$Gpn9Wc3{$51Z@7iuF6Sbgl%J?^Q7KMvhWtk;aOcfg~av%oesP=>% z4M4yREOHSDYWHM-(>(%ohqp0+r6=A=Fo%GZRPf~GXuLAQTF`^pXY)FK2igu2&LtP1 z?dO+Fp$hmC<$Xw}>i+22YuDxXr{tTA9KP#fKuPEqN3<6qg2W=r|6ZBM zUtVmEbG&dK)t+_7OQax`MoaO9lY@UrQEiP^4$8_+0c|O}VJMB*r=uWND+}Ve3ygl7L?1f1 zcssb;INXgRzE*j)ytsgS<@};J+X%tJ77mJPgGNot1ke=%eL25^Kn*ke5IX|v*xA@N zO}Dx%pD3Pm--Ofbd}Y(((|D7vaq0+*7_`0%HyNbF0&?YResWuiiB8P)spNjvRkv{C z+s|gL3IfaTmV$B}m++05V`h?8sSKcw3Kh~nJi!gr{qChcZv>4AnQ_YNE8rdGoJE9XZWNbXXmAwk>H)d--Pnj0a zrn#g@r4f7Q0sP;=SBYcxwd4YoltEvYXp?+pd81MnB9tgvRHh-3F=$>!VGfW@aZ*F}sjyP~B z%gwotlhSQc+XF@TI9OLu0tcW92rXQs!g}pEinwT+vbXO%b9}OHCyzqU<|~74>ZxPk z`f$Cw0RuKZo+aPF5gIPsyl)&ZnS3($pV(d5G>QNkYD`~3DYe2E}cmKQ&VWyWc>Sq;00|vD$7>hPR`owKu~k~KaSxvF`}{un-T>r z$HPnyX0*$8bt8gg+q6yS@CAvP~(WoS{11V><55omog<%aDXHMM1^8i zcID6Uhw_)3&uCec`&)~LEcB~ItWdm*^#RvSG8t{sHO1;aJFCmcFv*X9^9E#ncxl+` zPd)qQ&6|URgB*JW1uZSDw6wJ0DfZA#w5iBlo(}B^pLt?2A@=;!S@GCuwX8xF+X0Vn z#}qn>>3xR)YKy9p23n8S!hLAKJq@q%fS_^9XEXh6OW?bS%s?%jUE`smT4o}QlJDSQF~f(Il! 
zbIsFpb2t7=>P}8h3JTa*5fKrUm6aE*%s@4N?)cJ971onr1+hHxjHd4(jZOG!66Mw#$j`#ryqNINF*^EAJM1X8RHbMYrOQ^N7DC@Q-JH0!| zh&VscOPt(Ba>3o``GWjc@JRabCqLb|1p_QeswIc!$A5MBch&+~T{wv4Mpt+aE>AZ`|r%Y)gzS zC@9$9-=CS8Np_{n!pv+7fe@fk*aig#ekptV<_#S^eRp@a+OucR>bwqD3w4;OUXuek zar2J+h7QRPH|HNd(T?BV@loC}JoiwWM$ZeOg%?i0@%sAyYV~B02vPw|6{rhO$)W_D z^nASe`d(|hi%B6lWrwOdwlat&_Ph{LSolMX zriMjLMcqlH@KO(B2!I8&fEE+AEf$cTYCx6jWuCZJ8c&iCzvf297sWK!$L{Nk)&2A5 z3t3rNb@kz^E8nM2pFV$%DWdy>f`Fi`u8xd^gilN?S|&|Gy4npyO-7aooGaL;+}yj@ z%*@P=vkk;xu%n9#45*CFs_TfY|D|&h7zAnvM23Luxd7RQ`wRe+QQKHYeOHTh&Vr>? zF3hNgf6lw;Mjfbu6q4`ns$S_Arye^sDie{y%$LA*ml0`!+5`noD z*q~-2<10|a2`4rhvtQ^d)_pgsr2cMjF^Hn_$#CylTS?vrV-nUz~zMM)uJss5r12G2n0+O^k@ z$Lr4%@bFkIee-CwWwN(+ZGy{(`iieownYC0h#|rR*R4>+FKF91I~T89u&S)@p*3Xr z+)#=ix1WNgkh25S#R-6vSSodq1@JurCWurL%Z&nB;tyxo^vx5~!}v?*Sb~UJIP9Di zyl(QNGz1hQc6?yX+-oYWw*>lsO0ONc05h`XB7z)B1@Msr#0Q8UQ-^aAX{Ol0>tue1 z2gk!>sl@u!W~5jtjPP6;dN{FYFMcNW^c?OVzopm|fGZXCkUfH@wwWS9DzfVT3)TbC zxF_6KEI`(mYb@{ne46V&zhLRhhHNYa2+N-$rm?xNc0kES+HFL}g=Fuv4DflW0OLYc zSQ4Q9R(btSWYPh@J}1j&RjAU{N{s>>n@(gV`V9LYD*>p(pG*LN%XtiN@RAF5)fs_M zt5-b>;3$0nZ79OR;;E!FkCf;Yi2RFfc&U5>yqfPZ+~v`e?I@Z4<4?HNosp*LYA0T_>JQh6_0{?wr`2en`7t1LN>&N)brtF>}1t6MTMudOzoL)v(QR3H{ zqM#mmBvAm=&lsPz)?mg9hyy$Wn2upN{D$v9dx+%BBl zARW=_3wh&%(vssC zHwP#kH4VjNM4B!T*CHMx+|7JfrQ0tC-(N^-$xB+e+BiHPftfM`CP~?^2W}i7Nz-3c zb`Su=XKRBQO80Y?q_tsD9=v8js<3`CbozwCukVA8Gagxq`tn_$jYJ#y?9Cr#*|g(r z0?zQ4S0U;2nl#90M7)(&VwQ`6nwD!9a9+T5SbO^Gs+OA$fI`CDk2ewNM=(0ZQW4rh z0S=LYTT2|0C9d!pzmjv*z_8+HX6~3a4o~R>Qk{*|V7obM*(fzs?-So^jfW=Bd?qO^ zlq4-hePIIhA^;@`%LM++mIfcJm8*@DZX=Be>hT6*XsN&IlgStIk}F+GDP{LQmcK^{ z*~al`7?2L&WB={BA?m-SaA3MokF_z_!iJOJ$U|%L$I>p4#y)J#LSG%mvjTNnu;A+1 z;R$uzwt0F>042YJv$NDplCLRFF|?&u&ZpM$~blY@sM*5GeP))5mZ% zYF$)YdQJB6QEWw7L!JpN`*0Fy0RbAc#OIEdR0gbOku^vUFVul|Cnj^f3Y*mcWGHp3iQ$Mzvfn;ESm&McI_D!qTOTx@lIqK$SN&T z_D`4p&4*v2>K6>#;i&TCHt|aVy+Ozg)S<@U2_z0mPEP`=jzANF6bzrHoYVlHs-}^I zBB(9ae`R3SM|wA>F7-4}G@>|Un;KT*rBy6`C8aDwxJ+gMfe+}t=Ekc6e{%`{VkM1P+ 
z2OxG>2L2D3g$oq5|IYA9YB+S4wyLkwp{ej5b0CNn6IF;|gAJ?NuhO9AhAJ)<<(e3b z|L78rhUA!nugPaO;2q-STIJ4K^L2;zw~_@yL@b*FDVq@?f1Q1|GR9FH6@@xMt;)1L80eJ2 zn-;d4slx=NX$)04jpSk{lo%i2PXg`%SRZlMsB2@<#bSa(Xj(Y^4Gb*gt(fXloUyU9 zZscF(5V5$$H^3FR2GJCMca{NnT#!Ytrryt} z`k%(Hi1JHz{e-0$;5BGy-eUn0o34{AVa=y6PUlbvHoxrEMWyfoZ6=f_rhNc?{cpOk zoU_mZ;qHuK(3{Qs(^vHgN9~uKFh)j4lK}sSh(vs9hQZ$FWN+WT1z^YUlnG*UlbMNW zm^C^oYMnhf?c(BMa#GK_I0z=8u(-O?xTvwLm6vPPwP^!SzebOl$l%zGCr<)`AvW67 zOCXo6W)l6WD(+V32c+xR)}Ufm&-UW69x5NA0T82UW^9a?o}QkaeHXZD76TTKKRF}A z2a72_fBt^_22|7JwmE)s;_d{XHK(uPW!bfc0K0aV^ zf2yGM_4VcDWdLRl5393`TYu#nG9idJiIv4?Ye~AQn9&pxYc<;E#_g8Dh9^yGtl3C|-=^hm@K$d6rjHRJ64C1A9UQ z2|h0Z4izaNlKd$RuNsL-!X!@!zq08o1Ie*^Y-o5GWJ=u2v5rm3MkVBmL9)5M&8i(9 zleE3P-Ps91^PHT=-wFi=1;oWo=;38HML{Uaii#rMNBI*b*~AE+(;Wc%N{*YGnLYTL zC1H-OdvDIp%Ie4Xc<`Gu1`5g!CW>wD^{Of!J3^uKPcqqlFQc2KJ7TDX=^Bp12?CMn>YKNdVrv)H+xt;&-80E2#$C+}zC0&hE^c&63Cv z_SgaT9WXxt-e1`QC9Z3L!BG}2udd!jMTNCwWi77uryv*y?tje$9(Z_oAZgyEjh$U; zaGj1H-c;OR5EcEGuV-MLlwLb7N&-U|?o$ zS9YR&?Y)I&FkNl?V~qsz3n26Xowid=|B0#2cv9OH#MHxY%;w&{yO@_D9fdret$%s0^UZta>Q_auMheKMg z@D6aTWtlIkYHRWF@v~cMYe^%R;;;<5I3uH?G6#>2cs6Kv08xjAhK6DrhhQHA*xvF` z(YB@X@1$oG!T?JCEByg@PcE`FsmWmo(Q{F|fdcbWc`6#8Z>nToTdKIbGkc?}dWvz)&BGbo5q`rQ6BE7*eUpSI-9?5lXxv$Q35Q$H zbV%#2X&R__$Uj3?Nh#`Pd3_L9vAL$EruH~u&gK#OkWSwI* zng>iKnqBBo8w9v}uebEbDho##6Fsi8)$3Ta?bu5D6cw=!8iNPAqiLwEt-BknJr+B* zVXI>kISlaA#rtIiIr#|E>|Xy;>?W%2*JCJbCSiEE?Ol)FN~y+(?#z^7EbDMU0Ry=E6?YbWS-q8+XM*dOMHoB1E$YqE8Kah zLxJ`uqhstq*F68nk6%+VcTblH#UH~Ft1qnB$CoBL{BZeeO@(!_4P;MtXA3Dj={71# z^GF*^dolbUI?1FEKqRv#T{Mhl9@;{%Q_%vuqaMzoT>9J<5Q|P7EuEK2fF~M~}o{~V#9;Ia3 znA>9bI6Hi?6VE4DnjNZ>O4HRyQ4V08zT`+w0LBx*|0>o<0C*m_A`=mlG_R=W(~!2C zUjlS3>l$>g$I^Ft_2F}KEo5KgMp>n)M7X?f2bEANFT8SbB2FX5YP24qD~h;z8`Zx! 
z{@vv;;Ry9&FW~KBS2@4}M8wWEs-JAzSr!!%LZ~K&q(hzvOWl9yutt}cwP)rkHF^== z1R|x+dsF4Z&?uB9Hj6L{rdM25+<#{zEN*&b)tXq zaFp9@F)w+{+}*Q)S~U7&M8UJh7e~({7EY*7MNV{|l!kV43S!$>nY~m$!iL!OKiTRn z4|^Z)UKIVMQzo{Bnu>{pCTHG5#QmyiGb!Z~pMqNWqNq{-25&d#M=B~&ct zr}4SMy~Mb7)>fk0rN28LsAiK>h&u1RJ5y`>m?(TPKYQ=hdH72=mo6$$u}>bO_1G3x ztXLr3cga_yu)p`mbBaJh7Svn`JB{Ad`hm_IYM=bj>;Mls+{7X~< zPQb32LjarOk1Y%>+grO6uK&4<_Oica&`L|xWKQWmR`}07d)nHYVo42{Jph3!0oCdk z5&g5u3nb~g0VQ^%H6a+OSoYOq|AkHeEYJ`^R*m{-;lZShMpf^w1Mk{@`fGx#|16~@ zd7O)YjAj|_aE<*j?Ehp|fPC{CzWxQpRtXTq^VZRw7)fp*fY6lJNiYZM4D-`eh#`_j z$)eF+0F~mmm4fjPu$Wd1CbdnF9g!GAt2dQ}?Comq@mNDNU+&cNvtUDp{uX0*Aqq>oD`eW`S) z-dm_s3JBJ?L!(Jm$O6RgsJW_uePnlAAVqQ2cyGFlBlE0n}VH za4rAL#cj}4YwfAmw651Q;^zc#r&jYFZ@7Bz%uK5Mr~9aP)bAt(KX1=ug!6UilOO;L zo+>qKCMSn3YXgNs0dZMJhxEIdpNh)h@^X%DdPc_X<|bh;;x(7-`Ij%Rbsr&1n!eTn zmUgVG_aSB5HYWPjRUam>Ow?h(O2&=`B+@SFSC8f)-!4o|P4BeqFLq*+<#nPVMH?$t z?4uxTQlQ4taR7*&HTKgSva>TYC%f~GR#vqxYXggmW;}vILNvneIHypCA7f)_qCVP& zPsGJ<$BPYCR#pJG=2)8#sB_lV)~u|oyZB`FUr+VW^m+A3?s@l=r4I%DZXIl#xa0xI zsupvp9Lrl`<%N8(=GZYKjfYZv4UPxC%4X}(yW_X=pMb0EWS*tQ%^T?iINf3OW`Ig2 zLdrpmRfVgetBYYo(hF$tckbL_faL=C3axH;XSOk+3S{r-nDOC5#ZildkC&II*TGYI zI3V8FNp9`z>}+hbeFN^ui+Jo9T3W7-juMd!>6@6$kBmHuPWh$z3T~PC`cg&cVi%9i z#x6c6*-q>6JbJwAR9L4w#%Vk&YGgP)Gx=^`Rxg78VA3iEXfE7w=-YDa8ES6C_gJkR z&$XpvcH{M9owRp5H6GB+o>7BB*P^#$uVqRt6G+M1e>FX*!M+xFx;YbDNg3SJW`Hj) ztsT^qx6zB*Uz;x);OjXms;I<7MM-8akQps8x9%na)%U}Scro2g2x!4KLn1qB7QE{t(Zo&nJ#iflc4xU#bHz`y`0o8d&giYpfPDFDR}t7PV*(u2TU`5x+DDR+rr1* zuaDf<*e*u#KR1=m37GA^YU??Ne{JS}+q5UUv-J|Xkuw|QLhrFXbMt^3#QVJb4t+E* z@XE}B^rdVg_)BG}XNI7q$6nw1k{teS28E~Rc&BM^d_T=v8r%kQx9>h$^0_Xu7uAEJ zPJiUJrTJ_9f)9N6HrIMFU0W*}d_L!RG1Pu8F0kEe=I5wzcp2M6)zuC^vC0hcMBhIY+97NURh zBoou1tAuu+A&*p)&E9|2f8FNAQ>tKRBcMziI5L~6j!~8JBd%s)vL$}Y&&PumXm6UE zeLxgm@u*o;xjn{XXX2zt)Dh^06x-M+ezBYU0hPWxyOfw0p`qih!>i9X**en=$0RdC z_M!AK!_P_;vV_Xt;Ah&$urtDA8tEc3@Lqo88?SA?KEu^>3_W;oV_VaSrhfw-S9}Aq zXW{6~=tC{iY&aeR;Rh4Q0nE9hBb1i_fsRk3sH|+`f9{*f0EgQW!FIDG(9zJsxO0xt zC}um70cr?2LYnnvlrR 
z^m8m!D`_Q)e@a6(zfk18I$|yqq7SFI7>?N7)Nkml&8b$>(@WZkz36&9FgZCntbcfq znD|NY1sOns?d|M7j{AcEN=Qvj4TuPD9_Sh(h3+ZcA`KXl6&pnCgpVmLz-h6LKAgx+ zGjqF=tQk#yo@V$bE-Mckx7WmYegnVr&hhIGFkC#2dlBPClk>NyX1B25k}{ zzDI|(UCdR5xK;NXT{tS*5;r-L5EDPQ6<0JcFmQFPsv7^JX~DSJTT9;-^>!b8OAA;* zARS<}&uqo-c!K=<_V=Bt^_2o@Xvga$-oATBfGBcMlZD;UBm+fd7F{xA0(T+=YVD_k zwSM*^pg+F^H2a+147j|N6-L)5g8b1F{B?J}b^hzRtJmf$i|)EZz0+-B_pOO~;O2}- z*O43=MbJT;@a4(Q8y;an8tPrvr~R|SH$LvWGmTbxwZNt3g3q1x`d}5(CT~$Cya$D_q4}J;KH|MF{GpQE>+g8~gI|(s8El9vFPP zF?Il^kyBDoh-huSJzN_!4TJ#CQ_}q}#~zw#$jSyMBqThAnY8*F85%}9LD`Jwnp+)SlSKAaR< zmzuOjyJ<1S-9$eP4hh*W!R35i#>flh~8Mp}MxyO$N=t_+Z@w@hA-Cw?Z=>Sen zC+AP^q5AH?WjHpi+BXcRS1 zLy4m{^dW2OF2?jZox26~YPb#`|zDJl|iUd9;JF3`L= z6u+%ZNindrq&qrV?ujKPChm@=CcL~|VTY@FsNZ z?6ywlq3q|vtN6-sKH7N>lYCST`jGkwD6cg|I^0#u)>bc&e;Yx z?2||^xlafFnd9w=BLU=!g^i63D4GKqr|Yuu##pfv5K>p`Ujy~7D4BI#GKvn1RLTcl1Bn-Pyc{w{FmWdGcqPF$AcxRnU#LdQLWB&Gfer;{7oT241 zLP#}gS~yRE((6Igq4+5gySiYA_)-C>mN{Ji_OjmQVt!Aqf+R#ZFwsLeD6iw z*~|=;q2U$%N_>1gkW@kdVGIUzBhb!go&9p2hFr*3CJsVC+;B31o7ACK8P8Olb&o!P z1K#(4(e{>MQE%V-uoBWG-6BUqx{(|~!2;x9!_J^LbNq zbMwdXfdO%8X~G-%{aeSAX8|@gces(@U1G~cp|d}PE%Z)&F0e}5CvO%YPW5z3ytl0? 
z`PV2Ln_64%tQ?&jZdb!`oQYfBdQ6vPWpNvY12)ch$cPN&6|w0>Y+C4H__+`?;jt<< z5nR)M#~{z{$pNV6JHmt_pGEsOK0u#_z1J-?gq|+F^_g*>%3^Mw*H@g{pU9!IIk0^8 zOqlqY<;cSH^hb3Vz(uPoE3o11?d>E!0`y293><#oL1^G}NP{H>i}dppz|FHM_#J@l0Lbjl z1hMH8dsc98fDoXCE&c0A?iIpmQ>U?VHMt8bYfgd3%*27G+iB@dUhv6EXHGn(JYcgM zr#m}IBN=g`*zY~EJ@9dHDgJ!~&dDSPei|F9gmY0S2wk;Ve`Tkc6;^8Exo**E!4!d- zSrZmWI?(tY(V81*X(87~U$?6t1vxw2N5q7Oj~1FXM6=2^W_48GXum(Y{slrk(dFvm zQb_n_Yk&Xj^mv`4<>t+suMG`*uH`|_He&*7yf&we&yI8m2nd3eE*1nIhvxyO%E7^5 z_G5Thr{bnf1BK$r&!wfM#YG^;A(9Qvz%uT6AQQ0Rw1NS|Bw}Tj_3quf&&QOxOeP^skN`2OAXTQ!}6e*UG|&t>}2s`?x{8#9&MdoVSB!7I1`*#Nx& zI3_@M{Ofc8J>$nmj#M^>V zj)(;O z(kVa4k9@_$?zckar+K;wDJk!@e~^Qh19G_z{MuU*9)Okrm37qHpwP90P<*4~@{29} zWh(T_$_g57Qxs{O1RzB{D6Pyl%t6i^Y|enw!jr5R$c7?kl?f__!;gKLi&>V{V1dh@ z1#SIz?T@;UoxTb2`hL5kOL#|MQvh(;rzdvtJ_#8arX}!1_36u1tUdoN{{iHHH|TaT z$CzjkK!_UOeDD=YcU4g_(8GfcA*{K#yW8Y+Lr6$y9Jj`2_nt9KOjHy(@Z-lTN07?8 zeM4CIVYL8>DF}Qg2hrx#pkfg0!qBLFR}wc6zN@N+A`plxgdp4G)q(&?HPA(FB=Oz5 zmzmYoGHwlKj~~BRN{6I>{(SAql?(C!06m$UoMZ=@tYax4MIFup;;=EOF!0VpLqp+# zalX%<6=r6tth|nk3so4I4?JB6tgFaW1IM(Bm!%m5T8u!?!svIN4OQy|1@5PsC$2&F zpKAR{R!RwY`-3izxpvxE5QlE6MB}(oJ1rcct{{=>ci zHPsNB-u?dl`$_+ORv+M?%-#c}^OAsKZM>=k2jjJA~sP%v>M7{%fy4s}$oDhITf^jh5rO`dud3mwHlPaXh zMAA6zoh@vRft9sM$mk&a3L(fk9+%=^eTuq3;gY`|l#Pk0y`w|x`g`HjYj&5>Nm5Qr z0o&`NWy|P$*hu^PJue@h2`_e`$>r3#;o5?UN-8RZnOWb~`lo`|XNcPUfat4t2RzQ= zxBF`mx7fhNEox!gHaNTx&#Mu(*ZChy+Ti4Y1_Wmxn8l&Zc5)ABT;9EY{X8+B6Zydt zw)qh$%ATzy%nlsf=K4&*4`KcvdMUSm4snaOeQ^2Ny2(y)YM&x7=HYl05aF(!XS98| zkamVy4?NpWJ7b}uYKH5p!YW_Ts zAZ8r|!L<>TTpT>bOr9CiqlFMBm-TNSf)EtArAyEd0(08hZGb?~zC?vi;P}}{ii^`+ z^U~E&S8vYoxOcDp^ZmHOuLwWD%o5>`7I_swX54P4(DG@6-K8{oV8VqM<9xKJyJ&9rHu9PGTL$%%mXGR=b`hnH$?dAnnKg!NF^p(oRoIh(qI1 z&c}NWHR9E|5TQnb0$aCnJK|6!fHhbO){^Uu{>*$}wW&XmCWr*CU%$dJB{`Xei3vm{ zSBO1VMyMDVY=-LmW{gkgjNPDhfF0bNX%TUO^#&ex7>|yP4dVEtk?FvQnWh&PZ*9$W zJgEek|G<-$z}VQ>pMB(UEC8hS@qq_>C4iInjKLSM&EaE2rAFJ!1&AR}=c_rxxkVld z%}`*vTef;}Fb7eaag_8&bmSLVXwF2Ij9W}^1mmuZmffefxsW9S@1r3XqOzF@Iuu%n 
z3Pgy}cGa$-`WKb!Y>fsB+E9R|RRlvt{G6@VEhx_|A=vj{g2B?y1;~CJRe; zcJ@dQQf{w}g|xsrv!-y6VU9JfcKcFQ#YiGAFAr?VVVOHwMsJu0a;su8fTZabQL=uZ zZcE)XbvRC>hX0S%XS`64D>OFx&a%+v!Bx>!a<@Bo!fMoB9g&w#OSn(SBF8+|3^VVZ z)NH^~k)-LG+Uh7( zW=7hXo5%G|V=G>Q#h}%ZxSY?0d}uw>Xzz&G0Sn^#=3VHE77BcgNwni_X+Sp5e z?khcRJ78Du*iUx{O;ZwoY?+LY7Vb)eb5dIw3*lQM83Do>K*q8M;jE6IpB_SJw2-9Z zUQ)?|2yvFaBXiy z{mhxS;xacp6ige6vzqx3wi*I{V0ZFIug|)zgOU>xf5g=qW4{b+iT3XuN5QuSr={EMxpr)iWsd9I78`y%FWiN&q%k?=|L->q< zIOwmprywND&dj;x76|5iSs%}5A}7(?nF<~v&lEJz;& zYBcg9$s6gQ<*f8n=-$mA-y(TAS^^OkC!33vt*6#A&e!@g8C}&DI&Vtvz>PJDI+I1! zJ45InOx}sFVUjgXFc)e*TNIOu80Ekr6aF6jUFj{*k&t~3flML-&wi9xe^j!xyr#{8 z-1rW}8?oQWo7Tw_B}~6X4-O83suaM;elL9(7C=)`#4-IL36ByzF!0EK&_?{D9;i03 zEiWs3^&M!Maz9$i$;o}4pPvUs91{~pa*>^#osEsRa>ElJk_^x&63rSI+{5O(J$R5F z8FV&HptMU?3PAJ>P6~3erZzz$HwXCUdK~G?^%!vMa5wKj+1Qe5ljOLO2t|kSEt8s> zu1{ITC~^6H<^Vz0o(Es-UD~lgVeU{e4|s-M4R$c*mei*I5+&7#!y3 z=F+=BnBVZ++}zyx`XWIv1mSmBtZwe*Rask$0d7L21aMlfy-Je-;N}Df8YpExmVrD3 zy^zsQN=oNP-)7ocTPvMsLUfM}=p@rq01~MeUB^kW5|0k(Y4{c)PbpzGG`_{%~jq{@}At(gQK8 zhDQ5mdjpd~Ou>-jEHx&sPIy`*I7gfNSqln|HYo@r;hHZlfYONSPLZ`1O#uF6sgxZW z3gPDB%KY@n!paJGLL<0G9?;~-L?nWQQG7~DZQxmepP!$zv&bzvl9Aivav=js@FHSn zI>mgi^$Gb$lv)zeZ1OS^64%Iyu`;FncwC^`BZh*2hBoO0gDLVk+_H2_t~ULuVgMswY;LLDmqd_GstGp`hSkK;+!a2;L=zhTwp7 zE^C}Pz|KmrB3^0f%Hrb7(GknZ+#0EPmo9m@yVsX+Octux>>O?{bdByizxvRtWNZ7C z(gqgz__=s6Zu1Gcm$N9cJNVBGR>M(~jSn~gE%CPp?<=$I>@`uu$Wj3VUHk;6tDvX^ zxB}o{emx9Lf%u1f4}oT{YkGB<2L_DbWGDRiF?5*FG z$}k9ShUDEDL^tM$?|PtuT@Zx8O8s>8qh`f|Vwwb=rCOAlV7h|cH{&J(yspGo-_yHB z7tR_U&X%W#{w5q7QJXvV-5Fj4oW&CKODoRTqJ$i(8y$PPRYqZz-?a{%( zPgtMMoS-~7eB^){;G?mDPD{N1=eyvBM;jM!&fcF0@E{s@Bo5U*zK%|vN^mXUI$a)z z^RjT0o$ZL|oeFd892v~snnb@a##xpBrfh3x*EK2?04M{aP620s9;74SOdP=vtemv> z4MAwgv;{qBbR=fxZF)8M!poHzkfa4Jm-sOP>w*@I{3^@R6a4kF0R;o#sHu` zZBnBzqZ6aqmYW$V?l^Z8x_d_a@^&OTB;Dd{grx_IG}BzbJ0_JKBQs{^gNhgL_qr-h z*RJ*&>=CFNgeO9#TI1p4Pp@sy{E369KgKBsrA+Uej+x*w&Ad2yzYZj$I}0B&Bc#Z3 zm^7Gdi);F*G7&;z(q{gy#NALVSWOH+ii@AW1*O=n)x 
z)#H`<&0+HkCJZLR(uV(QOJfI6@Kt<@ap(^4(E0Euti;ymEirS$pW(#q%X9S1)2y&% zkqg44!VJlRzjhFa3wjJmJA_O;0q+0x5Kx@jX|wzG91BjBeD`^gKgwzg?&}#@#)fh) z-2TH7A92s;GSjXw&q;lWFydQWr0S)V2tgIq40!J%+K2Q4DK04}L1LZ~hVHTb+CLf5 z8F(^??#k)vUPz#ah=DV)YX38J|3JOlss@f-5wkD2-|%|A{8*qE;5=9Fns$6sVLw$Q zHR1Rs+RRP7nmHx<-2EWM?zs6@<`eZjF?rtOjfnj8{if2ZD?=HgyhD!{j43~#y z8Z`kLr>_>;paSqYQV&M^@EnI`L@VP}e|29;Q@C{Y{E9cOGdoz@ZRSvyrDL(L)mr!T zsfm}S{wxq}=j^-3`RD!blQd#%jBbL}46IRWDp?s|&F38zrN}j5C_>^=6mS{X9vG~? z_&yUli8JZVp}Z<%P9B%(E!yy^A0{<%u*l?Oa@Q8~mDRAy>{fr8b9WY-Y2$r*^Y-6Q%HTxc%z<5z#NTXCW%^H=^;#F@w*@m2R8RM3Vk0Zx(k z)XlNs!maD@d?&%O+DLBIWlJ|H8N=)n2BIO(MkqE6IX9A50i;I&HWfkO}( z@3ebyMzgcIX&Pw3c54Q0nvaV|CURTo&ZEVv%21DfkRf(g(1gK{S`^?WHtR|H<*30h zl4%;KReTfqubuuYd=Ojm`v{r5E1pUgcsv6-bX9-`lfVb4>! z+z*0~meYW?hm-Y(%=rB!pO`$EU*_mSOp#vyYyTD9x^I)6f@)3TQXEauD` zu$Zib_(uW&T>(y37HBw%%v*p~9i(pOm?VF$udg3R9~^kaXB*7)6A}?sxy-e%tmM|z zgG~GR-bjg|MmN4KT3@ThY>`d3gDDA7fK?p%0|@|l#|MEiM4%!atQX|)CJRlKK?=}d zUHN3AfdY_sAurBOwtM(=^2aNj(#%*6sEmxy!N!zYk|bl4N<_Hp9M`+H;#)X4{%5EDMFv`0 zC4iU|chtSuQ(0#(%rIXYCwJq<(=V;c%F0Jupgt88zt@FZihnF1MrOLF8~(?8ZEj0_ z>|n5JSDIRT^B)U5j#mmw0lY!L0oaN+#GqPPJNF3{D{Isor)o4FKK_)k*IuH89Y8t) zkB5qAZ0>Bdzvlzrn3R}U?ubf!{kqV3My2!uQGQ+?s>GV&1LE|^&e+)4IgUx_j)H>1 z21abkX6)N1wQDRr{)6SDV{JeGS+_=C6g1D(<{jw2FonXgXM@cjf_s0 zIZFtDv4Nd~T$Pj=|*NXOpiRAiN#X6Xqm0AQx znUHZEKQAvdFCWMuI;T~NuVs7BG?StEKOF)YlTFpvuV3@?$w>+q;^P@uvJr?tkbbtQ zDl034!7j`d8m;&)bhAE!`|MtCq*tQwpDeZnM6zSR^_GB6yhR!k~2 zg8Bi|J^%oD0DCzVLdINpU;kWDe`WGudBWGP94z(uNnN2upB>sP(Cd(LCZDZv{k6UP zATVEF-}F3QUf!)sC5IbR4FE?A+v)l3t>|h#0TPBIGBPrtZ`T*Fadf1UXfiat&_ma+ z6odug;dI{{8g%mXf<4+Lel~7AE#Yc;Xe8pDk(t@NrFnCXW9VZvB^r>X;y9e4(GfE5 z-o2B)nrkQ?u?I?Whz{xWSCs@nE@}$fY6ok~&z4=xAfqQ0X%3ze(=WgTVxqQTvr z9TV^VOtlYPdg?3XtY8b|Py9BtErQVeb>Y*N#psJUrkpSc{4cX4OX);!vjOA|k8`wd zdJB+XPEP88v>`g0d>aSHL07lMg}gNS4AqdE~=cPw=){1{>D!w(m21^OLDGRX<%Q35 zF$B}TfK&uodY=TzI8F(P$19FPwoq+sE#A4K0uys;WE83uy{_&tW*Aio0L?!f#gY7# z%(R1R?d4+9(l&>myV>hEHVRKUlv3K-?k+3AACi>f{56gy>^P+P)T0+U@VQzKEc^MZ 
z#UAiIB5@H}kf9891*@4R-ccC`(LZyKq*>-(r8duiC_WHjqewa4A|t5ldwuQOZ&v_9 zW4d2{%~@+n3vX0BUTnzNiX~TyRCwFkKHJgf%GlAD{uvb<`C%09isR$vONvMoI~5?7 zY%Boa2>CixW%+AB59k`ZZigmt0B zZD;eoC_E;Vyd0A2%zM`VlAf`?qI(*kt7QJLv!Cp*P)zwK{R5mWCBn@+KuQhpu>8PY zb=LN9kM3LV#jp1_NTDj8`yO3qcMU%F8>X3H2K?_S@E|YEjD#;YpHx>=IMZ;;f~J1c zb6AI1f>#ZHiG#T)V>ctO3?tBg=UdG*rx;VCp<`IHtF_O22!piHF;ys>?5aI%YEw6$ zG#aGbx(Pbm{DVOe0{!3$%og!|Fb)k#;l`?A(-z!8`ebw@ z!hm9Z?HV1rw7saTg7gFXcTK__Eiys)s3^xRKv`iYGDD2xFJ|g8*}v(p!To8#qbvTw ze5g}qu2hQOjm=Ek(dqRKh}>hC{|tAYEX|ko)MZCR>|wR6{nfnDon@_=SNuf~Ctr)m z_P}-J6>`7Npr^UcH|QC*ofZ~JN_}SGL4xTv4)BXQh$^RZm01?a$eX7or;ddOE|hoY zbvu0j+SWi&(n4ICg2H$V&cJ?SDu#pvMX(y&`appMtyWXdnIyh7^1OEAllu zq2>~`S-fyhV%PiCOh1P~Q9yiRGF+nv$7OY@Dt`<}h}&&?dROL1z@ly2BwT_CkmRN3Cj-X0TtVsg^Qj?_AY~#j5*n(BPdeR%-ciy9) zy21u^n)pYmUKP%NS^QD;_}!BfiG+D?4Ma}PGAKsv5eMBk=DOB7Z9%c#I8gC{JBUWH zd3KN+`0|VwaM7bt8 zby~q|_c@Vm?=u2#IH6f%LtEmvEVzRxJsY9>_~7({7?K!lE;5vurNg#`o0*4|hhtyK zZst;SLfsqhNMdZqlFI1vZF&j~T673omDFugJx?hCBnp$U?Iu;tFD?DVcn}T; zx~u{d6bg{6_@JWLlY)#a9qtaLL!p31>$>@^bT|<6HZDyUiGzk}0~;L?`-*Z0pnDld zV*?B_1_A^}gPSlEwm>oc_P_rB@4d#6R)U_T-Y~A#ZTLZ{`Kr;PhB2QaqXOI#R)Y0A^xHL&^ zpcgeZGK#hZ(y5NNw)(HTYIZHtUvO&s15?Rw-_x@~qC#JC=SuneHym7bN?i-V147Sb z)avrGtb&50FatS@^o0aERGtnUiYzVQD z6tS1{fsLj>ndc0Hqycq*9^r97v!i@hDs;Q2cc8%Ihmcwh;cAmj#2tpfP~o3|otS z^$MW5zKZZQ6-;rlXbBh6ORw;Ca&j)o4q%_I^YPvGoN?*MWmR(9KOcg>9I_xD8Q@V* zsUumze@@$js}77nGsV`*7m$j*o*|F!D>GWIUkCc6w8kVVY!i-B6W(m<_D5D(d*!<* z?{~tS*>c|EF+o1vx@%!E3u;bw4w>gYRU~fQ@CFK!k&Os?A)pDF8hBH zDC~TXpAh1trlxkYotc?=HsUkHgZcSWJ{+&#^EI+1=T0YGB*PXpbb zDTkcgI8bR;!@+-g5rtErc?f8!^%1U_Pa-ZO4{FU(DH+hq25RYWupat)dOMkPFPrGl ze9jqTn91mizcMhu(Ys(BJuRNkSjHwu0G-SSrPp-fS&tq)TLC1yw!ro2!z9JW+w^_gy{s*Ai9bn?la3JE_w>L`uFfs>Zc%Cwn0dkmQE!%-ysPoC zzo_3d{CL~V(*tGTsdz7CdCgy=g?b@rYwa%oSIDHdeD&r;0WRb}PC+RS0kJs0?VjPM z$Gj%mNfNU3{(%%tTKJj;5vt`-A0c?Sk>aPg1K z24<}g&dZP7J0JAKJ8`M&Ivp+kxMgqQ80;Lb!DzPu597I(@2INa!iCHw}}3PTivFAZ6JtHFrpL zsN1Xig(}kBrSED)amG>NWdM46QI_6RhY2fdhcDLzJADQxlP$2AnOu=wo{Gz}B1{f@ 
zITa5UHQ0z0r>BikJiFtN?`4_94HFt`@aU*%+F`Vk$+^l=48$C#tNfrXbWYtDfJPK?64?QSra!AiG>6CPw#{c_NYOhsQD;PJn+b^N+5~> z%?47iAAxupJQVdWcRX!q_^;pm&-sSotOkKBnD-1JR67}5=yDzm{r527Fe|wH~ z-K;0u&8BF&v}9P~QLBD()?$O}$F7|#_59yFp`kSK@ zrRBVG>#rrU8>hG@Plu8MqC5%R92}u%De$2=$;`4(e(BN5C1ZgH9EvxZeBN1xFeM76 z%0vZ2tDEZ*DI$&BW!iJDrs3b*= zic#7pTQxZThbvX>xh%^r%im6?o=~qE`g*PvPuQCKe6^!kK^=E3Ni;-t4e1AB=W^R> zPc5wjJC~wD1|5l^IW)Q}sV=Dk{`p%H#k%72;GnoEDkysa;%RS@Y`J68?ZjO!f)*;A zynms7a3G#lLPF*CCQHn@FF)H?&`z7!h6ked(e=ucPUDZ>CPu$KnT<^uE61Gl*Avu9 z1w$hAhouCKe7v^l+S65EbI0By2wfSkUi}$!yk-ce@;ZaMRqhqH`@=mOUYoQ@i${Jf z`^0iBJLVFHhUrD9-LT)wx3R6+D+jma{uo(ZG>%qt_sD8#Y(fxHuZCriKot(Rd*2%e zM$NTFJ9e1AN}3z--```kTuf-2dSkXfEwxy!V_J_KAJR1PwwVlYqC;o@TtFM|bgc5} z1VfaKnqEV=r+NF*L=48BOny`+ji7{2)_NEcy4kmqtVED7lQQJ8Df(G7ZOwf|JX~lo zgp1q}epJ}D(5dSz60-SH6SN$VtT0)g?_zjl2GPruk)?oV==ZLBnJlO$v)INjOGiqb z&_2m-?{2!#T)C8+?Lv>eLZTRZrQVDTj$xe6747uzNb)B%r6ajFx{4Y?O+OYgPQ|@u z<3O6JX6Jduv4oH%I0{}5ewA45qxnJwb`QMb*E&=*O0iQaRt{gk0bu|+=(@BXQ)nAI zd#$$4WlfGwFj;QUz`%BB9@oUPglh+B{6z1d-+J0PJVSpH8Zz<9d`hHYyO4yKU^&Ud z9yR({SHO+<1tI2p+K-11|A-FrDuGDRzK792du2A1%JNA8LD?QLakHC6Hrg7rk$)$w z^QhA26o;-l$F^~MTw4#yP1l1!^P)xZm{^I4=o&5r7;GGoeJ~xFer9%|^SwPPq*i$L zO4mo0_j&7(7|F75^QlTNxk{GHyS-I0jwo{flRtRnaPmxroOOehSg1%Cn6bOx+4J}A z_jG3!MD7y)N%LDWm%sRNDG3npZk6oFH7Zv z?_&I^GIEENKD+_%)_mItde~BxAMvSmQ1-Z587S$w@zXV~RdPWg<_vxa=XWElhSb|~ zkLYdqzrE$?LJzr5=B|GEih)5qV|Boq{7HtY_8Gk1D|$q~E3yGh4>UA1zom6CFTdd+ zd2K}m{{9~}73(v5Xm4o4;Ma4~W6XBPU%gX;nf@{Fi9^N<%?%?iWVs6)yT@mc=d5($ z0_WD|=gne#sK-GBH$)!Q`=cm8)Pg`-nP^{1GdQ|@zhlxr`fy4Hre~BlFn^B+L zPUVx3awV8Elw;xr5=-&cfmhL=0gyM7S~Qc2P)dVcYhW~j=a8D<-y==JNB zZ~n0k&A0KG{w&6Xvj2or_&GUF?4*=|6tm}EK`Mfhd21RNB_Ou=ku1F>c3rXB-FI>g zHH4GGKzC981#|jnwbRhYfRhN}C**p~2(##7L1b3+>1D68i~P30gixYWm-KktJGUP) z^o>eP#!q5}3JI9mHTgw5aVC<8BJ;bBh zk@kcI4ysVlIAp9XCd#VH-ck-D7og2X*`z`(*P=c{bgbrn)`#7d{@{Iz7ExikL|V-+ zt3Y*);SaP;iR7~XVX@^AoEUq2HZS}NAgZ~z+0VYSPS%7w^6&urBU)aH-EIZhNo5Bi 
z(md`e_Hrz@W5ZZEGR(G?EmSKgwN{?INgz9J3%~z-K#!fuDCsgIzDA$E->}eaP6|we==f{Lx(b!PmVtpN2uBcU^MIxKW%kQ_`ZVe?@>H2eAypqm zt2JV0xwAgqZV69n^g7-3#N8;(fIHKWGPtozrbjrtu`uaKOXmmBkiPPc2`dVv6V`58 zx?>&@ui`XhwH?7>IyCX+8?tx;RS&R*Qmff-fc+rC4Wxx63)6sis@LVv0G={&IAC0Y zO#s>1^51Sw7b`g^Sd2rG@^I=+aInNP<%jfXqFC+z|d-8w^{SPEFG58rG3krj* zCZv^Mw10zTtom#roCm26h|&b9Xv%-!wEqS~#HF&Jc|j-8RdNLJbNymen@aEeU-$+B z^}sewsc{a%UWcSh2mp~TG1Q8VBRjXP;nD`3)L@rUgsb4 z{wrmS?Vmr*1Gd#)$>H;R1T=pqS+O@yVO5vs!iv8E)<4towb)r$aQr<$pn-~Pzs&M< zUWXz>zlpkr`Si-O{9UeLaAoVifbC{JxR3#;1_BL;#a^5^rW6V4WR**sE$poa+$i?# z$?swD|;eJ0`94=A_1}W55`z}}!?pPQPX&jda;~5a`AtKd;xAOEQ z<1e{Bys^}jr;{!v;OWHU?>^rc;P1YkFTlzAUiIWo zR3OdH2uLr?!K0Rg*3B5n4RtPGOrv}6oAkEXSM2S_HDkCNO+6?}j$t1UkafUyA%&{H z^7mRCPcKe>I6F|}U*(iKf$)~$J0!ZkG6|iW4?Vk?Oj}!Y)^q+?r z;5)H$(0TN?P5A#Qp8R!g&lAM|7R^m#uU$J=P=TfVwSIrjzPuM3nwf3cSPj4ZODFgb*5DzD_{{i- zATp9(g$;X=aO|(}krU)cY2KXQW((S#U=vnNaBx+e4hX9?Z~Z4TbUx?*@xRg`zSxWS zu5SHAKK$F}frOSaIV*c3iwmaWfa~SeNtOydq6} zJmJs8^?*KR;d|6EPt_dz+ezt12kJ1_rK9{~e1)hxDtDhfV7i{Xx2bkLJB}RcS7A9O zWG!gQAqn4#5URUnxh&KD?`+9m4mO`fht7tOFUX|_%2}wv53Y-aCrLV?0%xV|-FFkq z_FrCgQV1Y7?aE(O<9&L15+QUYH(?M(X*sL*l!QqaVcH*Fprd4j0A=e?&K6A<^hkoh znCB#s*CB>tOv9)q+OQ6_gQ<3sx>-!JV5QZ$8euWKSKo~=sv^!mnW@jHFIuEfHmf_> z>R|U+sW$@azp{kl_Ktcf?8G2EYFuS2!BYE>+6DpBf$y=77dz;vST2-gOLgevZum=c zPumUUtClR%vQAUJcH+m@f05qrrViZNLmdlFR61cEN%Q^JZkuVx@jpF6b&Yw1&o#94 zD8ZDei(yHj8p+3Vo!8LoYnV{5@UX1?)Y}GCGYAh%$VoE?AzD#F(yyZGAvJn?c-{0O z@$qW&`p?|7z|+Htv;Y+n*}xN`A^n3>8ghGDxblmsGGqTT($D}Jrk5W$kk2;9j{+Vw zOd*-rD3&tRV&#Z5f{e`h@R&xUwq`%7#IDPG(Y%OmnBw6fjlQe=a+=bMVIzS5mUV1+ z#*FP$=bZirjTf%J1o(eZRS#kEqWS#Dh5U&_(-yWOznz_Nn&^e1#b-!g=oHw799?GR z4Q&y_Q+>;IC^wW4vYLu;N8s$Wl7k?@(x(q)N>7B2j$Y9*ww#>a*{M1JqL4(W|&2X=45DppUOG0p3ZjigUb^Zf~& zrJWmT9GG6EzLJ3ov1A6oE# zb9P-mPS5itXMrNVN1FC!)1~Q?MPRmaEE(UY3`O0+i3(4ql&!L?q1tjf;>OLa&@9RN8s!t7LG7jtntdTk%{+FAf_8dE8@8oo8nMWgoGo z$3PeMX2F?pW4>RZ4jhlB;gQd=;%Rk$u9H*d;Nr4$`NoAkPSds_=t@YVwb?}#lDkbf zq=O4X4eS&c9Ng}&i@o=J1jj3_`y4IE#S*^SmgZ|AM3qx3sYL<63@rmpr4Yt>DSroe)Vr_ 
z1wiK;XJ@F#7Z7<5&9Slk2X%h`+_E}o+%X6_V53-n^=~xlzYGK5O#!?64+dKqx(DdU z|Fp=&r9fxc#RI+_l!*MbL;s>#+ku-3|D|sJi{u8xE4QvJ`F z{^vIW-=?5*>+dnJTKB(v*#Df2Uny{lazv@vtEsVM5_m-Qh(8+d|HMxBoB_AR5>0;+^4=Ughl=!aETm1^+*9t_|}-anUJ(`Z5l-KE-?V|U2+ zJ8rY%g!0()4eJ;WTkewX>e+iA10%WZI3 zQPIeF)aaU%QG6htqewL4+@IHkI%ayZCI)qkW1BokJ@o$`>fwZD$y!rDRV+V;9C-Zm zSOMUjWV))@@eZ;z#-)buWt}Y)BucwmZ}-{@w}SkO76R03`XokPzTF9_G3@1z;W7;V zWFno$0yxI!O+se*-SG=?%A*UtpwsM9vFkB88DrMbYPT3)gym&ALsf zwcVkD_I#>S8k_XYKKlInToGg%fF?hW*EC7Qb$xy!1HDSit8A zTVCK{zfjxoP7Cf0Bi3sA7PYTkCnrC&Ygta#rkG+QaO+=51+g}A9x4`Kh&}|0$^M+g zX#eC1rS@l=4V`}bQ;I@6-I<>~3~>do+BbWDKc?=>N^Xbk^%H)Rca|MsH-?p9aU5~! z{ocOe(@6~}#McMS#ewx5Vor`T#)LaxVv~68+O?usU74;S{0n{b2b}R7Wo*SEGEwF# z(wl>ws>fzMH$BqgZZ*VD6`w6ni1xa;Jtmf;HR6jrwDdkXTRmp%^lcR0Z|JUuMCf)% zuSFD(NTe%%q|BjoEKPX$F4{$8le3nCqGM8(<#1-k-5sU&Lo^4@BdqTW6u+KyND|xYPi297j zb+pj3+|Rt-WE)_o>taZE8Vn(EpvA%D9t=*5h?SwD2tP3{@#9r{RaWJ=$PO4F>%MKA>eW#)AdLOl}4?bA1?fT^no1-$hYCuWviJqBWL3Q+o>FvwVMjcj{1ZzQp=DZ5u0LB5 zc-#dBS0m++1{lk{D9o!S0=zH{@p zI48ba&NXc5-$+sB_xkh=)KT@!jpUH#Z;J~|I1#Y#zw{i~fC-zw{1q~78yf!8w4cA< zFiIgPmX_iN_h16=N5o-%{(YwB)QlP-|G#}~b^ctf-&?n4ov|~; z{%sL1mKDPe;sGwwIsZo^`R`$aMlNFMBkUAq!2*DPh*I~9Wl(eZnkS35kx?nhQJw$s z)qVwO%@I*sr|Ys&E}((9#(6v(biNv3YGBYXEDweCm|(1be%xtBxC6?*@>D=){*q$4jjiq5h%nV(ld_;whAl5Gef;5%7hdeG=HLNtS-rty+T;HK%IT`B ztHHetq?d3>ypL3aLv*jR5CXjKY?8)ziZ3`RbReV`Qp1Rkd-}s z${P}HLl$LH3c7MUP*XDnO;s4K4Khv3M}aci(wCb^pnq9^F=Mu}=;UKEklqCvUGf7d zS#W5mIe%~Z>N)2a)C%+#%5RmFmBEPM3c8t@neUYPU_W=4hev`?y))U7MHh8K*fT^gDT79IA(WEf zCbExIEIh)(lw_cYHY6wr(l7G5(T4Z>_3-Fu75qvU(EomvrX~2x43$|r0%7bk3pA(L zE%iqC576d%Ka{Qh>CYA(DCV0>;e~52bY9s$WI1?8X%nvvUP;y^y23=zGjD8+&z335 zHS{GW4F0|`muR{8vt{~SCLBXpli@75ZA@B(?%53s(S&Ajz1+R9aV?Yv4Zp)R6tS@tSCYtg1E3m78x)U zh)O9bidtL-CIJV9vJ?a?6Be<6R*_*^N9)*=gc<96->mubeee5ydGFnO?tQ;^&biFX zi$?vpMaNEm7kytzOx*p%$#m*OhB|4$vGvR_Ha5m^3|v&? 
z9S9OQl{Q=!Z_R;A5($} z>0Xrd-MzbWfX9iR4Tfky*jdVKm&rys4>L%4?CFm*k)z%AOlBLTw2d_*V+_uXNX{Uo-&(=>-DnKKbZ~fa z>BDhnHqklkeSE)SQN3gRp@dEoDs^CJNXI*^`YmZ ?Z*o$%n;6;^y)PHwJAbM*FO z8f%`=FTjv^oI})cmX!pfcGZ{E}X8sN=@~G zKR?WMX)Ne-`JUI|`a^SKrqKx%eMA`-mj4+=g=Qw7Jvimj9Bp544@4hZ)#@?~4zr0t ziBK+LhC{bn)hjvR&`E*1=!7~RVO!{FJ?szEuX=jDg5_GmMbtqx3$HxUr0hD)%F1`^ z%mo;#_VxAIo0c;_evBC0y7ex+rFYouGcT&%Ye8SOOq46kP=mK}!R+kp6UUATcNF`3 zdC34q6YVFe#A3*E%;wq(B2E7oWBd`^xo#z}5djh)x6qe$TlY}(&2JTmgKK7DO^R!HuSNA~BT)9N{55bC6mv6o{8Pp{>ka|X;Y zA75XmCX*MhFW$2lWKr2(ObLWWtD1cpN)V-Gm+V8oak{LnO?SxbG?zz7&+6iU@rena zPoB&>h)9-JR)*mbRYyn``@RYNmd@#U1()FF{IAZ9;@Ojdg~0J8BDvs3|E|pKUFSAk+1< z+@)#yH57hQk_#2KJ$=2s!^6XWx|XthHMy{YA}2&HJD6X5QOO6FIw!f3$Wqig%vEo$#+b+c3p{`d3ceMlSc0cq>X} z>ntz0O5AY(S?j-$k zRBnon&XT#9wE|BT{CbTK*3Y2!dwOQ<&>Y`qw`$c*c&OcE_SPm$d3k#uT_=kGkrE?G zDsIHVa-uFz`=xi6&}n z_rL&^!O)eb|2Fc%q;H3C9Z4r`?*7rovH_A)&12!YJ5$faV%viScHN6UKv@lR0kPCP z3^_GB0q=`MD=hUzSY_w1g{Aw_Wqy#KX+EF$drXzG@7-$13g75q9y>oeYF&TszJ4f| z%Z-S;)73Szg0Qr(Xq1Ras|^d<#$Z-~k)242Nrp^oA@jSau^g%nnUATTP_|**C`joa zxy46e$3xkgfnVlf?yek4iU)j%H(9j+3`(q^prZtO)G7Z7RmBF&B$QpEqw0$vS=t)o zy7@0d<wXXo`#r{?G9!?L8Lgf9Kn+O;J`MJq%o(3v4scF;h2c!U@8kzlCX zadB}3K`65nw0|jsPA@riD$=-kKHp*daIG1kdjII3V{_&H@`)D zg&{03c>hFR0~bP(h)Q<#qDSSGHpI}9paS4>_0AlKjU|@_AdWa!oZm5{QcF{`OO1A_ zYfK%Xkxpfo=jP;8%Kxm3uA&Mhnp3{Jv|E0DpOhQDDTbF~pir1u&& zVb-EYIKlwjpUY(*kQ&UG};3tnic#1|j^z3aUzE(zLfaf;{s2mR#tMbrT`QP-DCEE#N5Vr22 zV?%?2?L6OGLFzcHBbFi__iL#i@qbkde;)F*3YKBsVEK}aZwzc?%1r|V%D;`?|Me~B djm1V^X@8d0PQFJU`DzhNycdegdp5w6FjG 
diff --git a/fast/stages/3-gcve/diagram-5.png b/fast/stages/3-gcve/diagram-5.png deleted file mode 100644 index 88f0425b52f66e46a8140ef206e28d1072b72213..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 52954 zcmd?QbzGEP*EUQlh)9EUgLHS7beA*=3IY<+Fm!`-cej9a4-L{G2uKehAu;68@5yyv z-j~<&KEL1l|M&67z%b{z&%M`Pd#&R*)|xOi64Zwe(wO|oiAqGbws zM>~PaMMk|h_(iyH4#oD0v08W{6@`(oDaYXl`mrp5BzQB$n z|8>LPZ=Nap_RZ#oB(p{RUqf~xy#ig5{eHloH;2%5LiQ$lh6x7#oWkE%FoQuD|8sW0 zN4`=xrcmeYwao~#|7HI8Cg8_^tmgN_I&)FKzywc^j{7+N$9f;Gh+tbm{9hKkIsr_a z)WdD~pf7dwowOHMlKXVyK9 zJp+Si0ai|I-v?>sC0!b@-bD~rva(KCa`#z9W4!y*GhUEC7=9qNPd5u|R?W}10%FaL z=*cSo$_qDCE@pMBz%To;DW_tnBJv3K1f5m@B?}Jr|;7>IOpKJX+k zXhnQqKet4O2T8C3KURH`-|L(i;pUdz_B4O4-h%BJsX)|45g48{s9F1kLE~X}QpEzt z`fVv=-Iy}xpGTua#uqRc^KV}?=ykoIMZIQ4w4nAARrWKEpi4C$=y~ntgE7S18aLpMQ~!0m!hxWoOGf$6BrY-&vGZ{J^zr;;e^_DuGH7}x zPlr=bLd>2mfXYBi_@k4;l9)G`H|LElVw?c!k57&hG>0KChx|8m2=K>Ue8G~onWr|Z zpoBoCMmSYnbSosd9X;&D3?AP-BP^2$)oo-R>0 zBFTQ$jISS``$u4(S_?VaA^>)kI5XHR)?0 zZG8nobM5$F>Kg9CD`=kbX&pK^03=C;6)31qVBCTRC0%5Z&$!1f%1gk&ym}vM!s1Y4SjeSMi zJ#+NFU4OAy@piBc=z_z*a0N13_vjKH2S+2j>-kf>ml^5ie;#zT2p~8L>*1TYzciFW zMra7N>$t>kBBCg8RU7uvOuaCEltfxX!Mi#3%%!BFOKo4YiTV23#LnyOd4eA?R_x?r zPuCliCxX8Ff1}RNx!{L4f<2DODDTETrJ-qO+7cDf4?C2rq;7@hEeU6Wbs{`}?!iR-^hP0xk&DA?Olv_IOyMv|-Dxs}%jw zq>*)}+&4|z7D`^$oCt`BGP|z&9)d+G>3&^^*SQ}HDVPoGaGkAYq?5-;`<_hk<>h?= zZCVu+6hPvm-<7dL7HR&Q;vbTc{zFV0{GE)x$be*htR<4vC9|)co-gbB*HT*GvwisB z#3(7LucPwVt`~8jo3;)`t|w&!&wjq0tcA>Lb=sAkdu;5>Vt6pL3Xh$98KXGlM`!aS zo@Lxcm(rxsJ-qKrj1O1uEvdF7}a=JwBzw=ch<@^8+vYul%i#j&0gk)$aW5R&Y`g;9c2ERLz zT|1O9BlC%IEK?Os#r+m|;8TNuw~9NhZO& z^aYB&lje!5t1w)P!JH7VyyLchogZs~Ah)--FCD$A5EBzxNHj^$Zv7r~8dhCGsGl!B zqyrUkgFQD+Kc!l}HsyVEei$)Ey6}@sYJqC>{+HtOQ;#~^C4`8i8;=lJQBmPq=Eb}4 z(8HPXSxkH~zc8GvppXz*TjGSPHt1o6@PKa6b>^SP%{T4AgLeM#p!e#f9piFy4#wCE z&(SS&CEjNH%-R<1M~%tI!}fgx1G!Bt1GMTyE*^g};OlQ@L9V~K(dFWS~G$?Zzftw zhrDEoPgZDEEt}{^4>&@uVo735xSpPXT3> z(%a3l4(XQDj8qb+_FB?Uy3~KbU=9%g?cD2tnEt6L_z98?mPtHv6E^khdCFCrgupaE 
z@rd2JmfDx0+l7{BQNi#IrQ*dcojF^+*OU9~cWszQ$H8C=lWqUxU1zorX3J~yl+t5Snaw3&+)kFP^#Ttgjp%{uvOC-2Tj+g4TKyWN#xg3 zZ;iTh>pARVGuMV39ZiVL$Hxb{x}4pfE#@Nw<=}*#9VeE5alM!L^qd#z&f6PyH_&G} z-$v+hvHQrCkIxY7f!A@xQP&H6a`oHA8#?nn;u(6?>Pv5=BHZQc1CM6bfju{uNNm*3ufCG z>#Nw}^~6fb4~c0$eeBzydVCs~kce#Q%>I-VS*mgQ-d6Mm_jjXP#dC^+dCy=dZbDgV4k4!?vKgxdlmYocQ=v-CTs4$d|o+efiGiTiY}F zt#d1|y+dzYChl)mlK|p9usz^+JSTbijNE@qIo)*Npna~^LTpiFacyfiJRt$Mnngp& zhIwo3PCN+fUoO~*G)>hBVNy-{2NWwB<$Sf%5M+5nODSv|0Mn8;$9U`pH*>>Nq5*&8 zbUDECUTi7BJf+GgcypJQf(MUC%x8OdI;2Peh1>SP*Bqh7EJs-kz97s0E$!%s=})Dnog0Z0L4uN+BAG_l-T3>c#pMbR+Yne-oX2PdSWGTac2 z5R7+W6QD&F^VK=;O6ca}bCYFV#uZdVzOn72g1juid=+8t*O*LS792>yP62mtU>o}B zljN`cg*Qx8j9S@SyUS4#0V>4=J5w{|+Cj;>V*+_*Z=~z^1qAR!MMX=Dn6&Cl@;$VX zVAm0S^)DjRwyvfY0%BH&s5CNSQUbrTq?i9c5+%S;^jjq+zcYW-(Tv&<+@WdWf1h*f z`oqpPnl>JbC{8^dl}KM8RY!Y_YgXq~HZ2;FA`#8tQ%fUwQWjW&ghxZ*H$HBv_LleB z=w;VZp+{l%s1fIK+lHzE)ugoM>5&sw-1gsZYdN|0SJGoysYdHuzr_3!W*EC%tCPd7 zsjZ30{D8aio%r<47@Lew>GMdsSIqAw*m$fdUl&~wRlJlAKjTh@WlK7Sa&dCK9^vgC z97JVh9s4>oh96#D&g!4RsS_z&{sDAT{0+MO zAfZ)HmIfOKmGT1-b$MR34IqeNOP?LP{|mgQz)|>9 zfA>X29L#=T*o1|Won*bq_+xp z2ihcbK*s}!R~cO5pVPA#YMyIhmpXF$gZ?+-SAJ`;1izf}G@Zs@%= zLVoL z&EK1!^9Y_ND-#In)O~-m9&rY!HjvjJP%JN|+WOjuo}FgK-;lPII;X!j9(WM1>ECp^ z6H<<#WgCZ@fB?@!wp?gW2vYd%5VSAF2S=E!ivec{iT)k`G$7^uY|rpmlL4=I8}1t? 
z#;4GrT}0tv@!Qqruz);s+4bh{@pBSjAM50Uy4L7Ov*7L*`EM{!kpIJ<#RaH=$SSt_ zJ0raUY5NW-bNWeQn?hM=UR3t~E%}HeBUqU$Rs(_$?r-DN_svqlr_#v>WjO-I@kVJP z*v026ZfyFI zNB-Uv;7}o#0DIB|FfXOI>TvxZsgd7L_9V+7QuV z-w$<5)eGjkj;cJVV_cE8av`F#%?fkr8im5V0yZ(eRQI1QnXJ|~sCMcdo@P@gXRidR zWt(!NS(%!Z!;u<{wsJOvkalhc+Jk1UMbZ~m5rNr!1;SO;P3CX9{Xf?zZiK-0A&auN zHrMCFQ)5wh#Va2qRr-tjjA={W?i{W~sB?TDQoD}N_%nqVQ||Otr`hT-JqAgT&o3dS z3)szA?8@wM7W?7F$@xzg4}_aVP>#gd(9!%mGh1?vns25PyK8x__$y2$=zH#*N~!iU zt)chcE^ZvVmow5AMEmTk(LaxVPOwdrQrKpqCaC}RA>Q9U^tWi3gWIbc8N!D_gY$(C zLA|u`Xz}Vj?Cols;b6XXsC)$CphHZnSX_;U+HBP$x<)UA_{I^5BnD!K)UcGPJHocw zb$RWpZQ3kyHZ?AytjvT(!j2zYz64?hWd^Bh^F4>(qD;H{`)u=H1_)S}p*$e1fU z-E#FoJ9xy`*7RObI8#JieJ7eM;}d3;Li2!6(;=}m-2lbHo1vX#JM=}lu;9j8`YmTq zMC$vDz{Bg2&fZb3-dQ>0b`#C62otCcy(jive=;mph zP|c2c*!2%lW|7)Qca@@f2dWt3{oV1ydZ7LNt*yH26wXAhnZlmqPEb^&4&~jTziLZ+DluwdM0WiJab4x&bEEQ==#{a`p85h} zOYKsQa~ZOMh5c-qR~opLbT3yW7kL8RkaG>rT-K;dlKTF{DZjih5_;c7-moJKJ?xpKiI#hH&>74|}{9MA4?R9P?G-P);Vg6*ziP>sL@*2uQAchBu{fIQ} z<^qs5bs(qyCl>;7AK5wbC#;O!a$HcT zQ?h*A`}BcRP5Rvl&Pq}uQLd3amtkl}FkAGEfB3v_{JWM=XkhL;s-8BE}Bg397=qs5h$s^J25T?me? 
zB4Jnjo^RCJ$#Mj`L?ne!B)mOtTivR@A(2FjhKP-Q@J)^g!Mx#H5DB`C9RM5!M)tFk zNftQT0!a;Zy%1|Omdf(yK>X=b`zWQ9BMzVrkRv<1Gb&(D!FOW(dS8Fl8D)p{6?sfs zW_xPHsiiRqefG8kd7Cp>dfO}vUA(rQgKt~ek)bRrXSM0Fz7V4fjLoY{Ncy$8;deKj z)iXqSkFzswLVBw$XOYut0){A_gbyt7p$w1NNjvR+fHhxHaBvZhH#}#MKKlrI-p@;z zu)wC^eDHh`dtWMzKoP{$EJT_Fu$D6Z2wDDAA%k(vNyPonjh2IzfX6`AkLr> z2f<1S2f%ALtG^2bY6>6$AcQ`osbF#W0>N_VkxL5vDw=~Ef^7b{X;*IFgtb%2t`VxH zknrP*m+78M2~Tbg##Ccpk6R zYY+lE({+IqYx;CAt%hHD=epJJ!xmi*Rh&h!y@*uw5e?BRQ|8}NJ=I5Co)guT&MGzOr;lm}Mh~+hr^v3GUbxL1+7r7AAlJ4!>~qi3+ReM_J2q zJ(4|rvhN$9POmOIf*R%5So_!`*ab5}$NA~|pd!4zu)3eg2GMvYo(!Xc6QdY(gUtAK z;d0eBuQjJX&o=QFJ8he}Yg>en8H4$SD85|& zFow0b<;xTX!?xz^jvS!mqzy^nD^H7=c6mSh#A{;Iy(N+F&|QD)9w`(d7#kAgHU)Fric}-Ea6b&@m33O^AZWKe%B;BJPD- zI-nn#QqG=hSZZ4<^xZX#KR%y&dq9t)mf%Y?uK}c9sop;`dypmP%@8ulTs77m9@Bbv zDK$!^I`PtVbl}VUzQdJq+02)t_Qw-s!gCg(nDeB>chcSa&$X(w$uUHQpN_Fs=Davu zDff|5cq1&i$J2lJVGj*=CA;J5InOS4Z>rh#Yj*y%wOG|oz8orunc0`Oqjq@}yY<95 z1|3-Zb=F+xAB^a!26CN=^Tv;S8V|l0|CnEYT)mZi2)#*|KRP<@IvBOKHy_t&gB=K4 zatmB5f4oc-Tj8eIV>f_oo88 zJntz36MC!lD?GLZw$(>6kA)HZ%W|}f501{NLN~?kFtn||>_$ zai+{v)_3i!ZeMUX>360C@4RP_Q&zzy{pjE<)yJsKu{T4n)+Gk_LGYp*Twxt#c|i*0 z2dAACSvGoq)0t~r@d=GZwxv*hRT#jEve<(N~uZD>mx9Qm>wq8H#zKM_qXxO zfCT6`NmfR^2ym8DnWEM|()-1wte5xqqz}aYU1Rm7#!*|JAH*`b6bk;wu?^H_-GuUQ z24i5AmuEssSF4Ve&VnQhjZ)IaCMj3dm@8doCYTyZXF4pmkK*5XKWkt1MJtYafxT3v9 zyDD$5r$@%aDRGxaW`RK-^^Ni2x2kdRWv!oe2{grkS0cwWtl2_-N96<@=Y5TR zv+^xIDHmiBcJN{-ZDqAjI@+54%h&p7Iw1h$lo8J8YYbh5eSu&BxS6aYk4#yz^&?c* z?QUOyO0vaqJ)7UblprfZ7?@xFcsnaq=PYYh7n{jAo}|**i%hqLA7V$n1sBlEPqXa1 z^RsI0E?$&haV1zSqu9a@J156;jN_9ezcBbOSbwzyT~BHWACHtDp`%D@NRqU*F?9~G z!6|m!$Q4M&Gyl{b%NF+6Rs{ER*^LFdBK!P$)gf8%PO~?8*as-s9vgN2jp%cJVX2v= zVaonlY}9}ZmyR`{KMUKbih1#B$}tp*$r`qY zJ`=ghmAVLlUb~)PxojeosiWjz{O$#qEu*Ib*G(j_K!iNH4Pg7NmrZzheq}s+YeUUA zmP^gWmY&~+vK@{mSUC<|zc!)XH}em^>B_qw#by%J?C56A?&+Z($afg_xfrdB3^ki& z4b!p!xKWe{Bgk24)dXR(6#x0CQXt@3p7fa8m43Bgr&*%c(8P|2KcGTeX6%Om>R#6! 
zKDUh>d6ZU=@mIU0{?XUG>GoUO-qk!Yt;LO&(~VKQ+-smFjh%S~_oOhMZFga2S7vDDBK> zjR5zN&ttTA`38?JYRqF6`Frr;Xyp8$5fs=m!RoLXc*~(q9z2w z%7Dar6T8M_jvxT&2$w3R2vHK9I?&C&3I&VBzq2v?cKt zVKWFW!p@!WJy=DSz7t|iPCWv=tZ&%2Ybk)x5PB8}1r}L)2(*w8+R7ZUa-ft-IY@xt zB~jRj;^C;p0%RrJ9?vGNPgf#kQELtO1V0OJ)*L~G7C1**A3-EIFCOZLv^}Zg-AL1P zrsc3Q4&~6FKo;WsorM5Wu9>O*oWyqOHA;eXSuGGkLkQu(m~<3UzJ1AdSahq;k!pD}W4T-zHIApuqy61{+yO475Asd1~nZa)zw3<|vI$i!TJ~`j-qTX8>kkpc0 zr%ZBTHy)rM0A!3n!>W_{{h@nY9Ht2^`7%w5&W?66S);8T63N-JDYU*(DE4|7>6rdu z;nma#0JU2h{6|w@IUrdP%zADA?QNNT5Wr;Bk~>Qae#qdP0Hk>^q%nUevc*;M(sD`t z5FOv-y4|OTH9JJ7SV}JP$J;Hcnp)1-v2~X zFjKm1EqWn)_KiBt%{c%zi;GFXHKD!k`@jM3NdfFOMt*`1x$ey=@>7*DH@6KKrvnx} z#(r0en79ADd0??C@>Ak_Du4g-1&Ujb-fu|q}t z`HchqKgw3UFI_%$&njd$YMXdAHZj((MOnYIZw6f+)#2-qoUDrrKK8n8u6l%voXV$x z&06}^jbERBpr?1u_i5LqrDcSk&`0O^o50C&pFJu@=;PzK<7Leh2=>h}ZEE)H9PGmr z1>dm~)&d!UqoBBus?L^L>j*=-cP0YjX^eN%>)u^u=-XID-o^xr@L35D7w=oOLVlTC z+F>#VLL~J>@ARtpVRl<16WWRwS!|N6{?T{%G8OQy2gP6;0IPR&=6`4`KynD^QT~Da zAVbDs7}73$oOaS_ZOR>TqbGgXUY2I!!(vqn3RYgCO5204LnDFl@i=5YZ;77$nhVYM zY?MHZl*2mUI8tZ6{m3ia?iHJw^$2ms^U}!t?Yq?w)#U&cJKtqf%o-()43pku8qY}! 
zE}4xPb8adwYIGJMC#lv-uj=huLODfcKOlHR>}1wsE$GdD1}9GJoIZz6GljN!Ba3-o z!S{o?@n%^w`n!zMgD6Y{T(L7f(8Yn&evi1n4c?yv+X@(a-)mZO6D_v5Bd&OJaH)v~ zOp`9vuPpvjpAnpK_DJxIC=>v$BtM!_*_1Mws5*Uaju@En(Sjp=B=yx@9CCvZ7d)V z;+M0k73gAufMjQtF@GeGb0Ej_@vo}4(c0MGK6A0v51LDlb=ycCOt~M6XsS|{)vDA- zt4F;Tx}_5QfxFU)KA0(7)Ff)6pTDz{O_=5 z4s~v#+(cu1jS%$$O#3NDbpS~r6Y%jtboem4GePu;=2>wEjqp&7mRcJ5CZ{d_tds=m zD%=khMEZ|0&PnO+Iso*1gi*$v*Q=Mh^ZW`H0of~0@}|a*@vxkGzS!gfwr@UhzABC^;C96(3Q)6H{s{&by+NEq5Ht;Ev?B&f5hQfKuEIcpakoHMU6Hn zaU`kc%};=rp@01oUN4$AQ>p1Z=rpd)L~`J{k3hFe<3{jG+U}y`>I;slWQ_n>k!zw# z6VVVR3sneIcNs5pzWQ~coY%p3JESSi_-f~UPApm#RpqYWw-FN+_b9P5xGjGO zu4q|QPfQ<*LGCIs!Y+G5T<;^V$w4U2M7%w!*`wmgqEf5muTWcgD_%zXMTa)GdNx+} zG<4kgwuTTGyZtnay;7Ro^355dQogzw?6JQ%eHn6qasQa8V(SI~RBG)yUfebgVlJOe z;8oekV+BVG%~2lw*xVS@0{>!x5$2017$ZZuf@m8lPv#7(Z3*YHylguk zkSY%PsiB3)MR5?jo|McWUL%h@=VCH`2YWuM9@h2TTr(L9B|7Sc&zGb>qeuheBhd6+ zwi$QT%^v`s{qZVU^^sO#4AD{LDt#bt$4ATAcZU4VxT4Vwt39CU*u(&ggxm9k7P=s zpk&nvJ(cR|e-gH(!TFHZf*l>kyCDXK{vc2+%7bu{nbF9_IQ8X7!bLiVA5y;Ywg$#1 zAHTpD`k;pr_tA<&h_UsB_=1|7_LufxU%!;kH9E79ZF6Zc$D9rGk>?*CK}%ds6nRvK zKO|GZ5X(s|Qayf~jZ7B%bUK+}xNbP=o{-L0_IRE43(8S(Z-$B}> zrL>C+@8Xi<)-Ik_O-)TqTpWUr&;26f=`|-MCA_z{_nW@&ajfs(zkh>l7|^9QRqO&g zap(nHtcj*CIj?cp`zAZZx_r`VvOwGOl#sVl%iCKq%KlO`z5-HizLl6LTr4=e67Y{A z`yT;Up;^9m-XF)JGS@vm4f&krN(VuSj?16vp6PMn;y$*RmqV}a;N!};4~hJ}AQidp z>m}EfT*;s(M@L7UL1+Z*9;cSmW!mMhmV{gnNTSHaqGG9KmupGOPCD*yG3?sU@Fk@j zb<9LSFm~|Gu_Dx2cQ)fzTCs-Nxb6A=k9w)mG~|1wBy%5<9Ybbt6nENvJH9^04^w;m zYj{Too4+svHvrX2e|IJT5{SDHHQuA*g!GZGBmLLpxBhyX0~-tRYy_1(`%UKj0_vyo z-R0vL{wl>Ro5smEI}y}ig(7+;_szGInP>UYqLTM_x9Y_zqz><^tE*wR7c0=4lktdq zlQuUjd3kwDpwp`|@TH6lB{TEWv%T4nXw|VNWvBH=NA}Z|Mg}A31umZ<=|IPmX0b}w z@G#oh?o2Bp<&0kKyGZ`~qqUyC3-Il^!Q@>6gJ!P)n^8-kL8EQ%%Sa+BD&LZtUTAYf-#RJ{P;k` z>DeH|j-`VM3p32a84U4+!QTE7u*YW;SyCmr_*P}0R+`7=Aw2QxCjE;c((=1M)5mX(dbg-8TE+RTdHjrnX02I)zAF`T(i=E+EA zn7D7^O&S{-W`sVnTWrD_7e4vKf4|)BIa#PkFqwU@)QUz)_qwPm_Jya1N1jQCcZ!H- zL(E)gC`yKy4_WQI(eCabv>^8QI!!0{sRH>|tu7UqH#s>J&_h%lx&*7<r4Zn 
zZB1O@4|uEk8{RU58O2%5<8e7?IcS?B!=ng}=Q>;sM(#cE1RJdbC#)o3j!WL3Nayip z%5{3{=Ec_iqLf!5Hl1makD+7b)NA{jE(7x}`(gpv$@`cHyN5r660I*@PdOqwtbHti zxi*d|s|(d(0~esB<;~Tpzi9X+?DsBGYO>rK4RqRphjMy>kDy{gKR?C>xjs`Ro+y$b zbr4QGBCdwL?Ne#HgRDv#x36n4F#*-Gp4PgTVRiJYx8!g=$fSd|=0S;Xy#f{L2j5r{%{00WRM*Qt;e zV$!Yb9U%7sg}~xUGz#jS_r6QIy^n$xDW?a*ra%S}ef}va&!IeVhP!;XD*N-b^v_5I zY4S$fJVk?zKVM{B z)GpU?f9FX#k+J*vCKJ$3Hd8-FDCKbfk-&uimB4<8^5ae#)q8hfe(US7le!h8w0Csw z-$j3X)UPNd9iZEj7xX2LWT3CuRIcM3vWFXccI?y>4*dB}NyX!B@_8gyc8dQ=vhC{N zfJb;0sh|sL@pw?Kz8nP=l^Mr7X_X92Lpd-TXb zb8ITPZVTm$LU7yVR=T9^&+%+Fuxb!h3-{xcyDSc~;8%59r#s)MSW*HVzs68f>3bY+ z$jAEIM8b5+wB!pg`QA^_TyQcVSR2)aQ-Nu~z)8ZR%FM|4?A3aIcO8^sKt1xUNV!Lmt)1ovoq8kw z?p~YwNw2f|5&APk;1tK6NV6XVMbT1Gt zdB!YXnPM4xc~fkG8W6Zv$XE&z^BPp6cM_Qrvb|ehN}De&8BWxH^SZE!iHdAaOkw&; zGrM;$`YHIV3{{WpNX=j|w1p+FHr@orSK$aru!G*fMCZP2zMvDH*UbpXYbPJMWmySj z3-gGy!kf%hMpRGU@K`v|Y#v~=xBj7w^I%>!4S6UF+RkSnLgO7PFbvw-+DblWC`{4F zVSp%3PKDz!z3K8trmApXYH@zER^ISoAzY?<+b&I3v2>{2^P)eFRRSK+>8;2TJQe2YveNS^r$MSzkvfSs`7=&GGP?ptpMFD}EG{NLs?Duidj=L+xI_R?JVHk3o+>rc1w&#HWWvdelO{rA|xZD8F+!b@P?XM2hrz{pLHsVc(#hp z{Onf{%E%Hep5_m3BZ5)IqCE0NDp!Bs&F_-A@wp%L5B&t8t0e%-nn&{*P7*sDm=Z86%%L zq)oJrpqP;B*`k2F>Vgd?ttz5W2kKVT=EdeiZeCjvI`C|n-UqDq_SP6!7QdG=NqSn6 zA02wRS#PHbzsoM;6j#kh>N?yrBiP9bd+I3F+p92H&+yA`f-31ZgX9Y`Ef&K?_2LV7 zdf$o;MQ87N2&9R46Az5i!Y_L^t8ryPiJ(=+`K0_$)bcd@^9y-0Xw_8QGTs&C(#cyq zQ*X3aKqu$`Frn2c27BMOgwi=Oh#-(aSwzl3@91)9;0^k82OVnx^@%RRZcWcY85tEo z$beqR86XL1H9KSw7COkK;*o<8lg9hz-U{LFxQTvsL3lV<-{LYIwM!W$Q(WzcQr5o>Kle zqjf17QN{QQ&n}@)*P&q1^fe&j;RkCB&NMsmDA-t^ZcjW8cbW>2WrMhYILUUu*T@Z= zNHpL8(ApVL6c%KYqnpxw^OuR=8iC$NTUft_Ze|bH$aS``Q=E-v0UXVSLB%<#L+alh zM9jKKL*X#S%cBQ!uFF@XK(JSG@lp@hB+iJk?f!;^Qr4TvQwYGrh1conEW+^R+fys< z_iAWsP(2qMs5bQp;0br4|973b4(%_y{MEN%^c2oD4)uk2&gZbI7~=?J{6VVoh=!C= z_H>pQ8Z<_C;?p8b=jS|)aIdi83Ix-S}kvH}s4RQL_(1B@M-_@eNi%0b)QzNjsHn=UqMVaNOGj1L?MStxtj4~0JuCTJyC zj=1Df=)w@?VV3}8te2jV{WjH%0y3_^scvWatg!!X9cKaEZ+cqGp=t`esiLCN6l+;W 
z4Atg584@&o5M7;r+Z%8tAYXT{+Q+*{{Kd2obq5=|bLzi_w`S)v8Jd0%MQUhUIMn`1@u(`C|&o4XvH>wbl z{+|s{QEiBz+)_zGM0l$VQtr1=yRy``3YT-Xonfyd`GjDS*Nz<;87ZT$Pb4fNvbMDq zoX&tx^H%>AXx~{}F=qu3UExwyp(YR2WL+JP1MYzOnazCNd(9l?2Uq{5iz>qFhZ~@rJJ4L-U`(E9<$3cHbj{o$y4Stl# z`TU@Z*~uzfu>9BmQn5{H3AsD?L|D)V<-?9HoL*jUooN%P57?YMsptV>a{XfBD z3@u>`v-_B2PJm^?!&wEG&yMsTuL7!T+7F6wD}@@+_pG6l2yzoDTb%1d*X|eEc{mz4 zE5Cj*11y$OAhvfFl~kXbdENEp{O z>3Vg#6C_%c6CUswqu+JKi(a~>B|T|I$D$|FXw zRqcYtuS5D8C&Y{m)#VW$oZjnW;QlAeT&(!P5l=cs_x1TXoiQ>$fosI1dO+pZKGy$3 zomF$`8`yd9PfOuD0UC*rdO%0zAAljA??t<5%v5+xzP&(U60 zM|h8%&5oy*N|rD~RE2(hSql07;bC?a><-|JC3>|*q1(a1!I0_!G8}`WiCHF{&!GS^ zc+(w-3S|8d%Lq~WdYgHTjP;3JDXJ%mKHk^+eARK#ud&qX`7hByM_rE}$j&2lqQK&8 zZz5cW+XoD_k%}b9&(FWIhJt}Xa8@!d74l35uuZHkX!f&SfQaXL=pJYzR<^g9fX$fs zN*S0fQ;ya;fSy-@#P+JisdN<|7dNn^^r)%p0RY%4C^iEzq8Ix$2x$1sn3Hn= zS5a%jEcT%Jna=wG`!-Y9y(VVNBHIfe;Ocngq?%&7pI=epdk-0uRMC8~Yl8-3>c{=e z_P#<@6}>Fre=N@&#?g*6*Jzg=<8UQ<=5w+&n#XW;4UqchLN3hxp9ljQSG*0{Xz1|0 zu1>LLKOU`02t#{uVC&IhfhF-rOnSfc{z3(uZ-Gz;eDUkQ4LMP1yEeQAn8ev(ITKNg z6F=$D6e;MANrX=w>|L3zK*ilz!{0p~GADVHLc?as&gX_Gmf3qYctBAbiieRkzw2*V zr=uxgU;^_X)IXn)jK=K9Yp0>3q=x2OGA9BGpTtNt?Il22!I(h2*$VqgKk8GjKrZu| zfh!^}6`)FZCimO<(Sgk0IPR}k?t5pqS86TBUjpDWNPPFq1A3Mv;_07P_5k|tZm)y5 zHGXiS?qi7E_yQEb>_^>us$<2t+dcx5RTy+#(!3Nsya0SMCiDiwVDF;iYL{tJ2Vly* z0u46v{$V)u5J16@G%bDloLwA6s9y1nV$hwkq+KNJ88PouVqP0elYGhJtF3gqC#(y%&ey=s=Au#MKN# z;dVWyq*;4gfgXtwtYF8VV=}-w>Wjva(P!vZn0l9aC}{nixz1|l2>=^$oLvr=S*R*- z-S?MT8)JkSvwiN|{YuAZd;o!BI8*Rjqn!y>b>a34uS^AFXkl{=O=H6Mn@&WG9OHIC zRRA2UG;~#?F6l~P(yAP$p_Q^5uVjFRDpZK@lV!#GxNT_@pj0LzEg>$B)o8M6eYZ6Ru2C$K69Y4q#}mav8~%oM*6l<{ZStuTKLZI7pWD1-fO zt@Z7@SXR>mX*cbJPtZiz{Z(T0Ma4}McgHhH6Vd20LM)~lqZ(wlipj9`8$@_P37#p} zC77H+BVY}kej6tkCkafYAaNs^s*EOJT2PnSb$O)}P!BbMO;Ov9g@p`27d>eF~N=P^bJzZdwOrc_)t6$+y))<1xlhW$QdZJyEO( zKu??FLp&+IW|%LkAO@2L5#Z5Nlw;N(-F_BSEOYK-fiP})EGTUk4PoIngAAkfOc||t zB+ZPVSki_QpgmCyDeg=rlqm%T#!#if!^3Y+m&S*ZG`|0~CC2wcCPE%zXL(Qhzr6qz z2J}J{y$GHRCv>Y8|I-zcM5sQWM= 
zr%`>UX*uP~JOTC%*UM`=HzaUlDo>X?Bo)6auY}8JeaSI0;#$)NFyhNCJivsczugMx z*mj;40AI?0W;5B>8olO2mB)O<)3j#ZT&WQlw!iHfj^IKg;Zb;;eo+$fB!AaUS+MMn z8UfUsQ{gTgsNp_XlUh82?@AzFr!TLN-cG=*TUDqQD>dg6OrwmQW8-IX&%p&u@_>{_Eb{|x3)lLvpe1W^+(*#CMkI|yQ|q1{qnbV z5V*^Ydv7@L4uWbH3-ZIO;zoebTrl_nPa3FU-+K1E;ay+x0wn_D9FnZGL9AnaPnl8a zPTH#`=X3mO;U}!%X#0|N-V`BMgx9)$c>OYjYLI5mFagl;hauK`OF(^#iKDU#1z_5q zW+SSg_pF)?STQud`1(#$-xNNHC&~LiB9e>AnX$Z^zet`Mps}ncYI+VgwL0QclU=Wm zTB#zV$fjw2v|j>Lm@m6DG(el<{SUr|wHjK5Px#XG)&Zy6c4Yx%5WG8C^XP*?fw~rm zbT5k0MAz)Wy|)s9t$;B3+&?r1)}#{wdJsVb>crIfcS#dKd?NxNS6`N`mgODlzP#+_ z@#gT+`8mF$W(f^FeMI|a2`S@45n&8<2GF~)PBao;08q+Z!CBO0>62ITh@4Vm=+}b) zbo9{BTGJ&|YR=kwp+nu`8H!HDfa=T)%w(#yYts2IuV|32ciCI=CBj}i!FWjkLi`uq z>{(F*`6;ckB1F-FeMq>e7UahB@4<%c*k=7}*7yZ)<-Za`l@*fN&9w0?Tk|~=b3Z(F zE69X5u4D$^1SCjxX7%YtascF}cnGMieYLfk(16xu8%C3fNM~0WwbJow-X9OM^@W4# zdfQuDTVK7)!spBh!hdlVJd`2eXv+S)_uYD3plAh>ToA8bbVLMB`Ss+oeVvoHL=e8A z<=mIoxx6oQ6+nqU#$GT8kTT8g56od*vLUEX@kw}Ntwho*zjBxhoij(x+}mL<%EuX# z(L35qvWZ;=xlX?Kv%1p-RxSL(`#r1rQwly`qB%@4QJi<|;TlJ)BY zo=QhM1b`*+r@@|GGn1AQCfJ>>Sj6=qq!ea+ro}h83)A(7i#W{01+v;9;{)7w(F`~@ zT&T5Bt*m3!tC42@pgR0bHB(TVIYM=KCtJi*XM`(v=0*X+ozS@cj`C4b(*M;=^tpGrM&XkO zpgX+#jTf$tS(H>ZDDN9?MG-CRy|WDCG+70=+%T*ds7e9CpquIbtIr3gsjuW?8YpuT zk=_?d?UAf(e`Tkk@6ETeByDPHj&QLo>>-|IrDWnlG)iyj8kqUyNML8WoLtUsy=!)K z1`Uk*T#c*f4ajLr<<;1nHMCl#IWn0F`ZNXd{5Y?JIkFkrxiN-%WCE_OcVg0zf3;g; zlgoe>xh)OKR|UXzQ)bfA(g!oHhs*71j@jEX!?{u+y$*F()D>3p>#-*DHE+>cT=w3kfYGw=D(pK9V9%yKCOWz{mg#1S-JG!Up5TDsq>5gz;Eo* zGzCXN`=XrH``AbNpZ(7D@?Y2(Lum!{n(QgTFbEnYxF;AL=e{_U12vilqR6S}S*zX- zK>V$6HWq7D#rbbfLTSF#&5{;MYxd60&gwE}s&Xn(DfwuoE2nW|sc#L&(?@I`%4c|< z?IOo9W9wlTMi8)thjMz|1E>+dMrrb$RXne1v8aX>Z)Wm&t@T6>y!X+P|5(V!shXWV znqivV4?kSHx@pCzkAJ*{X@3qpVj^I_8BAVVC-4;moA{1=a&mLKq`2F1ZWD5UE_&}x z3Y2SdfZ~jsm6Iycm1pv9(@%OZcXIL;O#d!*l4`R0XEd*gVN@c!X2}b@!l7@&cpj({3uF^n!IyYHIQiFeB4caSWQH|TQ(N)r4ozfxkxGKE~1 zDZyINcQ(sydL*)d$~b+>12mS+tgM*aJbbzOjLMn`MLxtTBn_~4VM5r{Hi|DcS z>xuhW(AkfSU)1f-Tv))T-5s_|Es%NbslGSWp|_qpdWzYeFLKnDp8zq8dJMvJkE3SW 
zm#pEogV>-Sgdai00qh*sG&(Ww2CFF#2xdQtjBSEF25608L1mvAN&snm5_B@k*C+X^ zE(H&j@hlsu*z5ZI9%}`tI%(Y06raR4wVi!8a1E_;Hgge7u2(Zpp-JvdVGB{CT&?s&uhafZiGFHaph(r|h%BJAX^kNydc5SCt zyWC;-8j&fa(*`J|AK-hSld=4$Tqk_Q_kXy0%dn`zwG9*yln{_^P^43&Q$gu&r8}h? zh7_a(1f*NKyI~0F4oQijLAr-NFMEIcI_ElnK>q-<*1Mj#Yw6P2_R#$FI3{p{V3Xja z#Q2huu)1@*_*KvLUPdgVFZI^D{vfQD#BYgW4`t6yRK4cA!_Bq01DiGnAie>h&rV$= z%dWs!JZuJmL`@PDc}=K#0oK!`z^sW#IGc8z zoRB$y9u(yg--ycX|1zhL-}p63So4yBAVvor)p>6ghbD~+GbAr~oRr~gZfCt8sCtZo z+%J@2ule{sK`66EMZtoNH_GpMKu}|YE3f&t$)(sLYD9Ka!4pwFqn3d)Qe;_4f-DZ~ z+gX6qUUm8d2)mEIpCQ6Hu}^8trKu~FCvuac2-&V$))@<^WJCl@w}5Buzfh!jk+RmR zY&5@&U7r2`J|nGRO<1{0q}>umRT%r7Q7#dp^K-OyK#U*lRgZ?%SSGu9xpncrJH9*m zjXhptsp`BlfdZ-{p;NH56@zY)Pm-z(cdmeTcLKFPO{ZPkUEL>jPaqkf_H6LFv;}Oo z(cWyOl#EO#SU7`FqYYFAu!X;@ce$N4*Uv{_uOz5IB z#c1R(X+L~C+xQ9bbAguY12KresdPgVU-(0USwH)#*M2+-Q8ug5y`v9pyXsfh+H)zn zgo?G6!uErkChPG=pN<*HRoTx^e%8Lnw(`tWy+9BSk@nm1$wXyig7v z7K%kLzxwbkB-llC^=9k?b|^L)SDxCo$j)4KK77mp){YqcPl4)90adO#D5L$%|G}K2 z^ZU5hQTf2Gs@Ii}uFoNjD>vQ9@9|Vf7$b8kb0>GdHB75mAc~w{#iT$v(~l-j*7m^PNPZ)Z76Ffb3a{cOYSK5&whyvk8M*9Z=YYrI~#B0&#C!yJ-POSkuc6k z=$M$$&pz)Qh>dCt)MbyFoO$em)qa&krgw~sYasash$4cdCOKpBf|PI6w!7a7*8`J{ z>?61Vz-_O9+Z%7tZL6ya%`8LNU1EGlR7kCs2ok||krO~|?}3p^Kbg`$Hl}pELFId^ z+((y7GD$W7pn4w0r~oyH2=ok31ytqHapxo-m z#x7(j``T?Q)uX-Ugj1I@H@;DD*$bR=HFK*3N+`Z}t_9n0W1f_71g3CeX?OBJxt)D3 zA7|_z2$RHEUKM<{Q=X)yS{9QCk1hMn)vB%4UGpiYlD4ZMyG$xk#@d zJK4CMBu*`xA}8#6RtxpM39D7wJ|%4J z%G#oo-^wz=MEI0Ze#V`AV(RUx^7m{tX+G+C9Wpg=jh3jpAu)Nd8osrDFwUf_^C z5OD)ewp3L{dF7sJ0)TROb1_N*bvq9f9Y&SV1*Mq7J+`p3ZD`U$QI?btKy z>po?$efzVXqv)M1IzbAlrP+sHdv2wDrX>H6q&R63Md!C@-pa$3p8Eq}&-&>|g zk${v5v0Erj35kdllQSWv{$2J;;4OLU&BgD&S9dm@sc!09ErlaB`%Bkr5;>*>3*@Em z#&e3Wpa)lNi8d=Y0s`zA|#ilLo0SkCKi5>@+@7Ios<2EW{%0Gbj?-jFB&7W8#RXEK~AZ7WUQOC;|RljGJ`(-els!;RUXocQWi!Z!^+ z0={`fI@iwo;qG#^G_6+YA8-;fTz5-2eK;Wmi|aDP)P_p`iYhLqR2e1$4gTJcMx7<= zEljy<(cajX>J6DZnd?o^a4Op@?~sgY2=j)}vkv3q=+8g3oIVQJf=_5$CNFzkVqoBE z?tVxjl*;B^_SjWI&ZrCfrQf2)ApiZ}kM;>M#~R0ab;r{>aVjhZQn}Ntk|4s8%#7Lz 
zo!PK!puMZQY|YNAj%N|?6-ohg9W5)gAI%{oB2-LA4&NyIwS%AldcECZV17OJEm8n% zgACyi{eFxrRjF74RiL)Yrgn8Tm%GE10^?Xw33`xREkXENDaFwkl@{Z>KHB ztl|%vLz!IL%^0nm zmku+Tl6bA3xSf87rdCvB1V3FQBO*VpH6*5h0)hVRi~nDL$cl&O<>$eshf$Si64rUP zmdD@l@n;*w6^S|CeJy%fp+W$Esus}EFJ0mvot74KcE&|RPuD*B8;wGHiC(mD<7ik+4T{r(+4+hHOlQYur0*6`8-hbR) z6)LE=UzvWhSH!^UQ-bq{8^W2PHE<*6n82UUF=*CVN{H7>gTnFbkHSa>u}K{SI#Umm z@&C-Vtdild8y+8gA#bxCxfIyeIZMqaYNdSzt;wXbnUwNXE#lZ$5^eru&!`J{P!?$2 zlK+3dafbadKW^pixuu4tD2$6h>ALdPsrqfnOMd@-;&gHBeM)%)pGIrCB-a;zIxG5U zM52Yhp%6ZEqLT5l%{ADN|uNehkMNX+%b0b*QBZGraZ zaET6qz{R?dfj9_ z>-oGOmCq-HTEp>#dzFMT)>(H;;D5Ja8gYZ#1r%0_!(xAtYVDTwhE)ru>%bvRS4m?R z*S6o3=(vGD^{^hx^`}I$#N|n6ai`MvRg4IE?i5WAD*&qEN3Q!z9N8lV(NHpNa2zx{ zdA=UU@KJJ{e1R+^DnbJCU0_{=c7h>SfRW<*XyqW; zx|m&)%iqNU&6RF*->OrGguB&E2q#Y%Tk0`{vUw}z`%a=mYwQ{o-Ddl_3ZW3=Aoq-~M1_xCM{zlKM*xrQ@u)OGU%rF?l6?v%IA2e9`gEv$E>+Ue?Tn z^kF#hHHUY}*VtKgKb2pqZ!PCX+BSFhJy{t@{Y8Il7yf1pR%+GpSfXrA^VCO7{$A*V*= zFmt1`LX1|7c8tz$nJuwYd4YoIzN=7UKK|1XEl<4)AYj3xjoXdmUJN!it0Q1rJ9XX4!m z`h0?dj9}#12NExWU1ao;CZ!W{l-ll9ZQP$z{J}u%ufXo8mCH@f;3(@W^~I8n?M_-s zs!v{#Zm!_g_x}Q@dzQ~6w#7ldG-IpVM@yuzf{@nikg!k6%9U~@MqyCY#Mnb$6z=C#d2L*-f2%iCGwsQ%xP+}6{5!mtn6!Ze2z z{Eo;#Ync$32iSPT(gy-&jh_O5V17Rs&zidgz%b=jPnSw^03BfE(xV`;-rIwStQyS+%s)lWuIiXe^HaXwR^TMz7ml0G&^H(0uIW{QEHCBx9 zFe7Q-pewxWqsov4n$~*C1lo+dzs)TOPnd5kZJAaAbzw#*%Uj|ZM0Cu z=b*`^9da;;XsMGxva8+ngZCEVx0sLn#>|W*Qcvnd7?mUIAx3d}FzJTxoz)Zm9U!S#3Y>h8Neuuvnecgq9e>nQFFkD zQ0S8J4&=zW!=j??!`i*}HNNrFRx<}2))Fp@dBoKB8M}ul%MhGNgcmKvEP7l_yUXcP z1!Js8pVWVX*j@bA#4s{dTyB7qy<5OMyX<^obL(L3eG{YYeSfu;8B8Tw3miTLVD&}^ zDZxsjlrc5dGgyz>OG+QOAq0q6R{ssHp*F=Meh2@anIXcXlY7zsoE=Fk0u4F@XI(!1TmPt6VmxlFVVlf80*AZXX;hfr z1$7_Ua(WkB_5qFLM{RPG^G?iDh^6VKMk0&8&lT-cY)Y0NOPQii5cQUvUie6UCyrL7 z^8b?78`r_B{bUqofTHiDP5>c*3~PpBa+e_KyAA*Q@^yVaCx!6`#Zm2Bwi%hv6hUN~ zweSCzTVZQ_7hzKC?(eUAAfz~g179+5+*58(J+sv!A$HJQJ zSH!N!ajl+Vk%s^ghP2SLZ67%|ivYUPeCN=6AhkN0kYx|8y#Q_C$E$~nzjjFTp#CdF z``Hc*A=~;L)|QRvoB};|af5O7BOaBRVodzT00CeO^yLpg|FsP?UZh8l<_A7XLa|%m 
zi;7@}!o^k-BRVUaWrQjM?B*3C1In-Jn*++hH>S$0Zvo|)zpP>@bNvJZ%Cqsdi(sMion$2%{bZ<92$T!D4tkP>oW6#pAm4m`x~GhhN77xA?NH6HstB+la$~}A6G_TtWm!4pIF}NStlUY*!Sc=V z*ZkGblh(8Lgv{ZOUy!w%grlh5>B0DFi=8}S*6o5fqwdDjJHW!DpePzYvNZs+&aMCX zDji&=w<<^6GksO0kfO^TGP@khDE)6#-e=0mGXl=rFWGntWi?{8kHgPE^@(TK@JX6H z?;(+~^|zCA#y3;EM(f4e6RpOoUo9((!`VA+TQ?oajJOab==+W|f&_KdY2oDbnRZY= zGW|kj_uT_;h|JvVd+yCT5aiJ|KJU1U)6|R3k!5LN+>&SPNSI#YU52PeI!PW4hsq5k z>FV<!bC6gRZ8=ZdpWr+AM$t?+Z!L5;agF;tq1@mVb8t0;DFn%aF9p z!Dpu5Nj9&xFQ~}LSu{*~IA@AA6(fzmu(xTVPC6fNHf|dYLpdU63Bs7amQ$o_qC+=} zH9BT=UJqKWKZQq7d-Nk#t?d+hsyWtRNOaLS8Ib&>FP(r z``rLFh(Ve|)MqxF8VIk?ZxG;&KLCJnLW=nkF`lQ#q+GEb;7lj|*g0D!1G-Xldv=eX zrtpXYR&W08-Hyo4&;EcAxL|?C$^CrNihc&Xt$h2Fl%Th zs8`%oB@zl>*^T=Snh!-5(dnn2dvbVuFsia9q(X*VZiJk5@V>&Aa*m)+k7re~>AS)| z3VQ|_&HY=>F<5MLz_V4Iyq*(sM@nmO`g67uo;vJtt>53=~>;WY|LrYf#ySs|u)rcNKqouw>mhkmcpA` zgK6Q9#Up!HyJJSVyGr?8J}8{Z-?OO^$TEAs_%G12)rYGSE`RTd9(R?9?ePxFes=l7 zYoqh1JNU!ovt@X|d$Ie4c_!XiaL;5m?x-2|XfyB$M{6dk-NEXDkgYtUf%p51`E$$Y%>Ivd*Y+Xyev0 zP)z`;*FLCyA;#o@esi#vhB1Uh@MKC;-~YgI&ucVYc!R#4m%bhyLgC_K_Wf|7zYR8) z?n~Qqd7xbkhA&@5i--l4cDke5lK^W|?Z|<>0oY(Auxb8{!EpuiJWzL*JYPo8Z+c6{ z0hNrRB)AlR0(tV}Nyi()CUnlENald@=!G!evX-YOTEM%YkLan$bbtUYM1=3f(db0T ze8g=*hJ zCv9p9oS9-sUw?3{oKh?)M0MB1#D%9l;gH*M;^PI(+2x44ryu#d@BLLi&C1F&Q%y)d zTVxp~nMgz(*G>zJ>|1Bny~TJ%9_!k)ggPQKKHP2DaF5>;>*|E)y}eX{dx!f&!qt4( z1%>5@jv1U<$MUj(@@JrZ4u(6J0Ks{4L;U&9q$HHVv55h`S+nXXlA!j!GAd7 zMaHMmOmq`ve~Oz(gTv#~z7+O0P;4}t(c$wetht2xr$ITeU4Pi%D>Aao$th1@h>Nj$ zM;{(wr%+V7<@gyz2LZC*;BM{;#fNYf|2&;)25=Ry0^{Bc?VC0%qF>TtqMF^!C1DdW)-Bt|O79yF1XC-&a|3+Ay2>V9FhO6N@V-e_DiO1OL`iyeswuXWYqp7O0stz zM$O{mtXGghV(OxCRO@9{>n%%Afd(nv%Z`KX76=vxl*e%P9xHg*Q#NY?{~+K%A8JQtWZNYFI!BV`k2OIQv{QKI>2Us|tdY)~+B9Yvm zz3yW=Qr9#ejL+v;|BgP34As!HFa0t&&Zu9yk{Fz#I7d^`LoU)*=~Nzx7a_yP4bBQNgcnFc1c#GT0&B z5U1f`erA|;unL$3ion`rZSomY6G7j&VrwKVc2>W+PNWJQ;v)DO{3$}+zPqQ2M+2%K z(t&1~dJQ-X&Wa=4HVC2OkmGJ5r)mt(0~RK*Tx>AzT(r0! 
z8+j=G1^dZdM*1s>GL2MBhzEs~jNC^fm0zFS@o;fPFU>{px4c+-9?J4+FJ{gO-Yg`> zBF;V&5m_?YI6uBX9PVh`*erqV3Ruf_@IKobh-;tu(Op&=g%5GEUokyVYf18O{j&>) zPw~n{5%V5nFX+@$T4~Dq7Ki6rYp(rCs%|*FNYAs$Eqmi}A&1YZMqFxZ8Gv&b)ze3x zA!@JmLQ^fk(nz5?f2Mlnt8Xn-a;Q(Ut ze&z8>V@cC^2>)~VzAu(}CiXD`H z*t$E6AhwIV5M#}1Yd9rgvleJm^b!mPM%FdVWQQUjFT$|e=)z4i_FivYnxF%$&rs(% z#)tEPI0yY@pV?YpD%ZWma9`KMkHbvr^>U!t#%hSeL?ZY^|rhLmy+$p4P5xLqqp~2%>mZloc0K}@e0zP zA}xZHx`)>=uYY@=hqPK=n99a?w(GS{*0PN1)Vvs+F7q!h#}=ryiqKLoHoQMEoiGDA z`Ac{IFoZ5)zx(iT0~npmvMj$!@cAB77kn;U?IwWO-EcdF59P$im5rc7C>${_6d7Qwu`h9;{taSDfB@?M`4fPZl{>CAG z;YYOW{VZzPi)!E}10#&r@Os&OqtN_lLE8@2-J9MnFCJzzGSQ6`Sp(N=aF*6t{B*K4 z9K3_E`HGE=@`-ITg`sAd0bDTqXx;nLc;@~N6%9-5(v`ygqSK@0;arpW^o03SgCh#+ z;NpB;Z|-1%!__|m2kpF+<0jUW@n&mY#GM36UzHKjH?~U!m1nHN;fHZY#YojGuS7fe zAh*P*(9w6d46Cba$365^GQLX>o6Ic_6HXMWMZJPung-)igb@<$^*d4}~79AVZ&94b0aL=AU$K2Yz#%U`TM`(QDXIh!5T zI;PIYGrg6>O{n5uy@!N_P0V=kNA#+ln=_38KUi{%baTMJ-nZZO!62lL6s@uC5VOrvZo9nTy3fI9+{3FwhZ6i4Z^D2C# z^AB!|`!C>SOEoz33K=m@V*z)E>B4ZgQCoawosW8gPWR-tyR&G2-3|$vPpe$4$69s0 z{Fn98nghyau$TCi{(;YP7R_6l3XaG;e<`dI{mb7vOaKu{+}~cI_yM49|ECrMTwtTd zB3}(Lm;khfPgOen??DgWvpOCIZ(cZA5LFu&T_c>A$aA^4%)R%B$3npdhzRI`0<^|f}2rmsY+JBA5-Cg zjh2nUv3hN{%FU`k$&Vq{#{mR`s_mDj89wieQ&ObfmSoc_hNvgMxa%H$w_0nS9=9gp zd&TeRyzQRWeYruOE+J)qTz45KCa(>F3L3C80l0XqU~rbUl%0>*&3aH5sM zjt};?XNCAj8)p$2JnBY%yBg*GF52~(RzYD#ukNmAGH9_Peaq)sq>T*TK{l?5^?Q&w zZR@T7x*B=tHW~`2H@H=Fbv~KMdYkv%9Wg8E@^jyJ?^v{IRbD1@bVWgL zf4vvz?d3CSf<#f=LAwZ;;dH)6#= zJyV8S#bBxDDz0`kTo&Nj!UQ9Kyd=gry6px7daz3b40L( zetgm88~_;~95(YcT;;h53j+{=w`Gsq&=I{0$y*cDd0>f4Gh^lFVb-Sli~>!Ers1$c z1G@#LtYClUI4zW#>$>{h((wq;N%-)h>wb;O5C}Rk9YEc#dSi&TW=k^Z<NGrs12NX274k-G#v=VIM?JD# z`qyKqoL09})q@E=%0%H0?KPW=ckeb%5?`e-!}vBs7Hxn?pms2CK<)ZkG-1F+TjBV zK4j5e#YL*Iv>k}sj{O(TCfwB)pjU-es!K&oj{D09&H(vZM&%S*fC+GpJ1 z288^;`rBeXr1G@2M86Fxl;wI6v-DWPMntUV-{mX4@0elC6BS(HM-L1R9=wozE1Gmd&!s>U?`$#4j16&JC+RxRDA;b9##^B_WmKx?F&DeT(k%htG@Glu+ zx@py{Sv;_z|984(bJH+SH`>?U#P8dwb=VvtkxLi)?5Ya8Z>vG_^6)S%tH%1Ha^&)! 
zrL+j0uk!JJQhZQ8;?`7uM9@kNvyghGB>^eXA$+;;6}XDcid__ew@7<+r(>iXEOxsk z2mSn*yd!N0HNoGI8f$qj4wu77*PagVuGPo{{bgdugHI7`Q z*h;^|AvtqDdIiQxK68fVuBsN5;G-;;6y)_bd`F^u3T5MDpI44jH2`^0iEmBOL1qaZ zg3hmxXtG>NN3|a%Y(5h7xuB4v=rgzGe(xymo`H}sfI&Zp`-_qv2lSDQ3`E1L0N~-kY;O(^_xOrdNu7*1zpMGhWDtcU?WZZ$ByZQILxM(UU1MdK;T%BnlPZ?t>g|OD z_TaYz_9{>rv@F_R|GRKx`)h-xQJbR~QT$GukA)rB2UWi*j_*6U)ESP==P(&${Re_& zZ_ubS%@Ugb$@F6l{mU{`7lF@isRgM$X|5Iw1HJjuiUsJizx=Xc){^v~VyJ_TI3r~} zo7o=GKEtHFT7S&kqdVh$qH-7^YqF{4LWy&T7wllJ`WeV|NvLde?0*g?T{B)d%#n_r zSiJ7jIFf(vVj5a|c<{?llM6=RwrBwgu4#Y^d6IIwdixA9#;L|onjld)A*&cLy^R6a zI5G-~F0Yy<;xc$qBA0i$HWRkaEe{Rnpu%oL2-3_F9z7l613C8S_>v&#ite%iErSd! zqC-Yg`M(0@1_=;Fei<1V-$mHiumEA#9jho38i0b4%^Z4*N?r!qALUk7vmZ@k8}3W zZh&>;AN4tin()tf;ko@=wgV20HY!Ua@Cp5c(_vRHL(qg2)bIYBEm^ zF<imFKoM>)#VWX1qC+WHe<$oe!cg`ldx78Q!ZrXf+0>b|Ty$ z9j?Bn+ZYIAm=0!Ytel>c;|+o-iB=Tv4kvjvU zbZ7lP7btQT&?Ci-)mnwwbuPvz3#K-EK#PEoh`pACFj#Mo($$sk^4j%V?fY4IsSrtk zY}pP_g*b|z3Vf)q!7h5=gbtGJ2A`1nl);~{+o9;|GVd_KcwmBGX5ai|)73)YYCY+A zM&-vQ3F1F+2U%amP+`$!7|==BN;)NF`0CXYB9N2b0$v%)B}Siw5= z=h0wvtj@LBC_>`#D+geOMqOO7z-~Y2UK)Pn<%?b*xT zr5Wx=M1+bvt0Bt}J_iB>-VM*TnkPl?CD3&m>_r`~#|&r=pdwKCrHM%-`X&Q>ew^RM zg-3JBrai%+SNIe)a)+Sv<;qcM{Sxk*9Bqz{A3+A-I2eRt+Rl`vwVPNSn83_6+iR!^?d{)7vj;{j*pL#pkJS2#k^_qEHh-Ejo z&QD8P1q#lg%bkfKr~Ie-KJ6sca?BjM*=SqN=4R7hB5qnvlL9 zw?b&iiwQ@%MoM?b8cZd*Z08U~fV^D5DVum&PXreAye%vy=p@s1V*0~XDxv!Xa@h9ZBQ4V1IlBbH541`E*hhM9$*l)Cd%r{Ww%Zu; zSOnBF+)R*D#^Q??W|;;hgha4Rd?(8F`epk+Ex<2=90zijf{81ppEFZ8avcpoEAG1RIX#Q|dOQNC!fvV;eY!>?okI}58V2N3KuduU`0%L6Fi4uq*a;Z!(w6Jvwq4*0 zWi?}|Dq-jx1*1e1FMb+6!U~tGo~HZY~E~d0TP!+5Ut-W&OrJfe|Z#ZC($k zC68RdFi$Kzh48CsxxTyE;|!gneO`6+RjJZQT-sAS!8ks(3Qn3S+prNFjd(d!C5H+H zCPvyub&U=n=*dPpxmC#;wpUVxPTt39HQbH3S|Gk!QN z>^3OumwdelgQIFcd2|p=cK5T1313;Du2>Sa$9Tnbgj;K$LN8XDY**x3=mOL1grlmD z-5;inpqIYvvVVu=jGrg136nS#o8-PoO-lT!7nsC)hGoK*a&yqkUL9=mDT?wd*N92} zn+(iWlAV4Fw-sUV+Os5<_@xLiOferc?Kcy^9Z3@-erV|VpngJat+^-VsDnhX;e1~) zm8)&*{X8Bs_9b(BWD0 z+KHv)4Zqb<$RADXj+rVR&vdm>D^=o{9JB>!>h^q|Zr-kWtqErP8h`tv 
z*S;X=GvAZ~;Y#v+d_JQ=U6h@X5mH^5ZX|cOS(e!Oyv5v(>w166@d2L3b^;OZrP-rn(7HlUP>`btTwPZX-fu!!*xg+6H@X2b}m zTsoa;nFtQeb>8r%XI%d5@qS%DxUN9?C0N`2M4-n;04))yz;Xk7#3o=uVLukfSoof-XZbGz?IuONq6U$+-?Q#LYC0&Xhmmp*Py+l*y@ zkR1G5-y-^03th}>A@c49UqLY(YM)8`m$=PPqAftAJ;N$_muF)yyUTWj-Qa)~Ucwfe z`g9ox(2mZ3eH!ej2a!2K({h)&rj>d-goG}voJ7N zBDAHD&i)NNlpDd?CeZ7D#qKBl^e8%w`|DtYbxZ3`umR~vD!7GjZ@<5?dQ4yS+q^=H z1@fY5;`a@|Q9o=D5A^s{EPyc`ccRCsQUvoQ2*Qb86jS-i{_1DHUealh;P*GrutwwN zQM)cIAX(~3hEB+mo2iCg$aY!~;D%R4{0r7Cj26ddu{f_KP(M}66GmoGBK--KHY!BK zmhhv8HQo`wrt*7`#2>zqU`0xx20Q%C8*pwwE89rdB?biQ6 zY&5oVx<0a`iXduFv&7+C!Qn>j6cl5vHcvU)0X#tVFh^(5=zcDP&-UpBg;tH2U)wvl z=aNv?r)E>U>&pfT^O3aQ0N#de?FL`4YGq1wtP7J|QVNAkrSSYxJ6`1jI5<-Ra|Rn+ zLPGqJw?U2i{(i0L{Jj(%e8O>HhF!lkj4;AZBG+-F!gkQ?dkXy7K~pQyznLNw%4X+b z(ypFvnFkByCBRq7EUJ+M*5oA}kH&qOcI!94L&4wrUF&nz_N!-%&X$venAS6mwkWtU z2_>H+KJ-TZ^2{Bun6AL7+g}J}0x5U|mq*7Y<&o&719>(2JtrI47M(MW1xRg ziFz@#Y#Ew2uGi_k@9>=ge=}12>Q-sf%H;pL>W zpWddgr0{Glk8^`kDrA^>ZU#Evv;rg(y+9uW8n_5{fPVK+v(M_}y=OJQtvYDpzvj1| zHsia?*1>_4lDCb=2b4D!{eMmjr(^Yy1=Vt`?3O|ILR<9DpQz;zZZ6(-f7Te(XW!l7 zG$DYyD*YqpJm!V0A7tm4{&q zk+*|C`-x|(iAMAq{Fd|Yf`Xqdc~ih~-%9!%QEKr(QF3K}w%2$#;Sf z8p*1iC6y&MG5y*N8@KO2i2RV~A}ROBwd2XW)wC6M!#%jZgY^v-QXUbTZYR;Z2Znu9 zLWpnrZN82i*;FAjOdf{S3=zMUMDRV_Wd}bxI9gHU>$!G4tUdbmBP|R!pJ6MRZ_qQi zvica<8&KXv|Mw_2PreB0^CKF|t>AF6&cTwzO|qidIo702rB>u~_oS1>SrV&X{-{)K zi0rl3Q)<5Oo;^#l)i+xi?mA&oj>Hg4QCb+O0gp-Fi^>w*7ZL87NUWua3;bVAL0BTL zR&S!t0lru`2Zq~hrs?H8vA!1MF`MF`UE&q0Vlo$+&@w=XHcX#D(4rP70$1#S&m+eD za}zZlwWWvYtL=$SIZdM{kj7ZFD8s~5WzcI~(sJXpt*fFS>@Kh16BBZ~yuB9q=@}l5 z2hbZ^L}S9vcNnL;V@C3Wd>DqQ1|!A|Yds)g$K<&jpY=J`YjkKoCzy-xOY{E+SuG$f zJLN0FqU?J5po2s4b8V^~36aO%wtvXnH+Hi69`q-wctx&IqcEF@vPEu?521WW9ipO0 zSvAR|grnWXnxWmNT}hJ`GbN4hUt$>6_zY{IK1b~eJKtUB7IR7aH-+Mw;eBN2vA-RP z2VWUQGaA2hm_T;6jZ1AY229^0$?Grdh2iddGM{oHP+A2@;UGW?UvOl5EDOGI8t;7G zkx(}Bs6wFdx-?J%zus*npj`lCt%{104;35w=DFMD!4n$9=yBzVh1 zm12G0_{8kqgGQn@`Lr-Ln|W9swfOM}Q3l!>-Zuh>Z|zEKDY)}Rey`C@2p|zoYp`f0XgRQ$7k=Y0wh2p?!6)Ud00>vDgN>YAl01y7hZ 
z$U;L@Z{ovyiq_%$FpLTzVIDkvVP#=sdRwtFKg6f^o7x*Bfm>dJ$s5sY5;IM+(@rMTR8nal$qzW<&yb`A0ir1VL)Wczq@DjrkS9r`J`EPgbI;F+Nv zJSub=LN5=O_0Mu@6A=`MYy*T!I{^^uvTkgoHS^d;>=-}1MA4tjMS9e?)O^E4Unhh+ zGN2thNJ&ZkgfnQ4{*ycM-U>?SYE24?A8GbFkA8UPeJ3Bfb@eYHW4z46Nv$}sg#tx4 z1+6@PBt4pM!7(@H()HeSfTqyN=KJBnlbcHSDJFj@!hr3Bw%b4v-DblJkg8N6!I;>F z5JtqBj0Dx}EDuwM18NVspzZ$Ld|`46Ye=^a8SvR3x~n$qfqtM;ii~jCy5n+wqqp|7 ztC)Q))azM(3jvJkrG|bFp_|Plq4aG6vi~xzwMJ-MlE!M<%|(`6XpGT*q+&?#-QB^* zjfeEHzZFBJmJ{EI^_f{gb7)zdN}Ea!g3XmS?9TVG!5!7#dG z)cXGG_VFe70QIA57I5Pp=epqatsn}xYlUr~m^_16mhMgFM2&C!8`hadGDZ#*dAm1&gfd(fR^T!ha6|n9C!(;Ca0NPiyZTNOj-Fk0Y{5 zGRufaR!GBMWJ|=&sL)i4H#%y;SAZ=7p-@ z^dB64&+F}K-`qU=B}vCNu<-mT%u`kit{jcFgN=QKj9H0*80@`A13*Z z^$Iq6Wwg#LC2}v`86H0J((B|Xs}LtFhjPIxF`oV3(Ic*jDVu}%V12Y6Z)7maUcKH!!+yd|3s^b_ z=DH1@8;V9o3O6d=#MtGY@LyV8l<$2vPkQ|(fuL0!hfp@jiPg?hVzOu$HZll(CFL7< zHck0VHjR+}*j9b;RDT&Y@O6akJ~}0&Nv_T(NCZd3oL1Jgj4V@*x;-D+!lzSu`csrJ zHzk^)ax`@Jpl)p)k7A!?+Z3Xg-1L!E1kaX{L0{PDPAnJB$S+T)a+B+XxZcJ^#H3{T zdice@5@1p!sWcUBB0GXw=2{wDp4M+@g>73q_OCW@Ba!eVC|E!pn_cJbmo zfx0QU=hOg(rl?ge5$5Gcx|LuVW?`+EmivYeYm8NHJ{J7!sMfBI^bIumgH4P4eW-&W z!mlJlQVUOxZ^gW@>`rCQ>b8yN|CzIYRMR-Hba#;NgEN79{-9)xmJ4gQf$M_TUo$SOO+C;)bl7XE*U_S z&&vYWO;NvYKN&>Uu9TcDcj3$XF=JELW%;5t&F3IC`$to&SknN9x;7_ob#J@N_ef_w zQG1r4NWPFB!_B1I&rGI2+417{5&X=i93pwKm97(^WzVpJbmI_oY%U}PtlA6 zg7fM!0D|4X=J*8&0-DTvsr%%xCj4bRUY9*WfQXZ~Cd!ZZ#0S&PPnY$oP%>FvcYT=H z?JqjKYCm`1m>2(u)b;DUmv072b7PRv&4buWrs-%bBWjiVIS_ddqvmmugc%e4YsTcY zY&)bG9q!?Z$H(Sh(PyUIAj{L`Ot0yklGidL?Gb(z;*CJdr!cWYP>>wI!DAnMM+8r@ zFnToLE>A}ZK27IiM0Hddgz@G_Tex9%>?j)>nMgnQ@+QgS^w}G4Mv;1@-x8W8*Y> zrOYL{S<@8boWy=DqQ@C~af|Rlto4-V($w)&aneV>e9^ERE=B}J<=vLVpFBar(HdI+ zN!oGRPXzmLs`SK(k!TO&ZWl!Y;s%htxyUHQLpdO;xE4Iaa1o@;%1k%4yu3VD?^u0s z0jQHYO|=t4((L~AT@WD_%F;y(I}-pITL!-Ca&J4y$;nLt&EYdFFPa-|mKbX8ZEWNn zp1{}*OIQJ6`tHi5Y1}*B z(5tfIDf!N1daj9rvgPq3A&FWM&UUe2k(%}SD${(FF6xtu;`AzLx^t{p&5@tPD4}2S zVIOYQ7~MuWxU4Pm$m!(WIx1xF?h#x<$$*#reqA$RE|0tga!xKg&)6&1K^8-0uW41qD?raYod@|{GM#0CZxw8Y04K_ 
zjF*u8#fLa`f(%(`FAe}Ufw16D@{15Pc>2P?oBRBPn4()v@mrzqbVeR2RDEclLOqmb z*f|+7rnsI{H9>Bj8l|rMD;%eZR9U-P-yS(yCUJ)eWuUWMW6Dl)olkuO+k8ncz$kLg zM?|RP#Yt5KAZ9K07}y8Ce*jseZ-xs@8^_=}%9Q`6yQi(~P(_$k$D2T(3}OrX&*xZnAOnw}J4x~$@B;;ql+O3w^?G{r?0y3Dddz()nZb~tHa!FsreA4z-_lr2II-v=J$$PfO9WcYjxvb6Y}7Dm_!BJuvt$aMMC|FUI4v?Zt!haUTxjKwr1>a8?&H%9lqOkBYNHXY zG|YnJS5mvRiM6XKg)s39+-2H*_0)Q0w-=-{MmE1!{x<#p_NyceO4aY z^+<^zk(KVnJ}aT@k{>){zrUV{>9H&~;*j-X18kety7((i!bITxWlEGK!V1*&M0{l|DF@o@!MCmBM!02PpN02l zP4dkeLktr%{TCLMuSH|{X};&Z;lO*WC~&D6Dk-R-=wfvj>**7=G|t&ijtN^Wp0AEN zT?RmG1%#BJ1O<@@m5EfY&^@AI4+7jJ88UC8B_HIKD$t)hhyw|5el9L9()haC+7HDs zk+<}{&hEoVk=MKfF;J7EX@h46(}GtCmC-n!Zcl6$t$6_kPtw7w{_5rBiu>Qy3gqak zK}+tH2estmwz(i+xtF{It5~bKXBGd+#4Pkd1CSjSdzC%siXip}w%Mk|_}R5S?~|0^ zM4YKslPj80m7$=))dngD;=QccbbbW3an>+~v!EU%s#G`LH+5V=nUv2yI^ANXCxuSI zZW6@pHVcexdGhJ(V!DEw@{a67{aiBl)l;wnt5v_zEN;{=K&LqU=(AW48hHqbLOGs|Xk%Pfd5s**iFZD^2mZue~9@?J5ZKcWr$mP*zVV&9Z^Ib2~Pvd1sLg;=GK4 z_A?5&iLwRAbPL|P8Uu#hw-Qe{^o%Cc*Xx(Vs*td0S<-53H zH!fn1&q4Li4pbvn3qt+uEqbVgYMgW}4v6IDkPZSyerNJ}u4xK@yiH?}S0HlcFW2U% zbIbGjr#44Q#4@S$Qsp2WJ4+@XSk!{uUGJn+i64-TmXiATY|M}8u~mi#WJJH2eJj>E zaiNbRWwxM;o< zSdBlhj#!f~arYu=%oM_qevh&{bSa@@nzzzqkQifh&raw^?w+qVmj$Gg1i`=D_q^=; z(@C8axWGc=00OfIO+sF$eEgZ0KY|akXWsqFSz8lG%grWfP4{{4EAm2ZyMl{pxulWz zz1S{!<?5A&&<(k}dc-K98`3IVziKns`r#Zt0`t&gG8zk2BLBrf=-}+}k#sd_NHH ztj(tOnCF^~C7gWg8?BimzjlQX0lOOmqRii3fIv7k*1ECYfcFL?j)8255+!m=wf2p( zV|0;>+8IQY;8+MvF-kM7V~~|EvX@m=VDoBic8tLouI_CqL+>Q{z($I?DY9bw!Kt;x zYgZj3)GC?A=sA1LEWF>*q0qO={Gh5pGO$)~^XV zf@FO}h&ZaH$f+DLwv-*MqTGah2gCkBN{;8g3j1=9$7@bFL?@ zDk&*ghDX_0JK=1&UU6`Q2!3fwGi<=GS&uz7uDasCxymA1dsNjo0?SHI&+V~z&)(3K z18JuT>@EHiJUqrw1ChY%y8?+N6A(%vV1!E!Vd#;RQ^9!fMm2;qxy48(O830 zyj{5L_0w&;bhw{CU6Zfza10H8;z$?aHTnEhZ%!g6++>lxN1ABfdIKAn_}cNzT$QS~ zeLiP&_s@w}#2E$+jnB=`dTqG^5A{+Gq58>@vla&kCl2sKOyQ6PGBgLoSGm6r6y6D| z&Ik)T1pEzBSy@>I;af+ZJ$puy0lj+R4k-Q0(VqiAkeLqkK{ag6kCZ(ay2ho((9iiwQF zdo1-K!$L%4lLpk=IRa3j3y_80F$yZV*JSl987(S-k>o&RjNIb_yeaT9;K~mP0S7-g 
z8&>njf3IeT5ZGenC$xya>r^LHN7;R3rQyM@Hht-xuW$bRSygaz?CaXjlThW_=oryH z4*}8otl9B>s9m|!O3W*CkTbYMmpv0gHSS0KeNn+D@%$#^;Y*Z7;J-cJEwLL8BCvyi z_E(Dfc?LW#j)IMi&CT&%q&H*x30ed|gxFFznDr{%&l5&rPMH4=r| zT5KccSZff*-#PB)APTE{b9*p<>fwRF*n-N@A4Q zpTr4Z)v(R{CSsE7iQF=lLQLsZr;t0$jgVO77FZJV8Wn zUqCb?y|;O;rA)Ra1Vao{jk6uHtVuiB%VCw9tfr<$Vw;a3{m$g35JZWsf5264q7O)x zPm~uyo3tGyfr+PJf~il?iyzheyaW|!t}f+NS69FM+Q}nv9={Xe)dNZbebof%r=JLK)L}7 zL*(e5djdo#&MfdtZlwU9T$ob3x{T2QflKX1aGj(STswi?Of8@YzUrczX7Dx)@j~Hv zePs+D>qGSWwe)K-PK-oi9QoAf9j zLiHmXDCzx<&Jrpx8-r#Af)qfYn`j8Z(~T;JztP4+Rh`y({-&;^D!LQpqqJ_iV+hxlez8pZQB3q{V-jG3b9zonAFlZcm9g$gqcc@CIj>u= zrXzG?Ei5b>*6HG{cy?y8(Km+P-A}!E!QlqksM#~vQ_OLHh1*!m3CDJp&pz-)B{(B> zw8`=`zzs*No-X6Cw~?Yv4Bt9E(A%iI_EWXkAS{oXnz7X3tKWysGcwWr$yU;7sr|ns zA?z)BOThDv=x~pOV1{*O{6MroxHW+TAG_jig1BByU)_5!?b>7PH>y&uUl9P6Fnwss z-;qB_jJVB_JXrAJ5hOZZb~!f9nU^|RGe|BZ`S{t>JjqFS@c0#Di)Q$jamXrederpg zoblBR`{>Fpf|G0WomS{xgLY%-5-XpD1`C9DQn`w9mzJ32t}P#uyY4{o zyaM%=o;Dy{D*0{13p6?rbPL*ogX7g}dM}^+G+b`Qh%b*5mN=$e-3@NDbMev69f=nt zYLwvIKmqY9HYx|WxN8qX()>q4(mZf;YY_aR8f!D%uc^Kjkr+Y7{Kg^FbcYJHy~9;L z;ET#TTs;=Ju)4U&DBjvMmXTe^-m6xOk8La6TeA!(TUu=hirkYYhR&6pJ|LYc5H3h1 z&W)$Dq^GBodvNE+K2~X*1#+p}y;hct4PBVQ&| zcpOvM_Wx3*(0q#Bo~`SChiSA+qb|R#jcf@sGnYuRYQMqT?z}>_iVZx|9L9lmy?1{6 zl;OQtuhLK78>~n>Lo-Ok__0s1&Bg;_*PAU*hc_Xodul&e!c0_8D?i z?e1=Yl7%HD5OMcBk=8rdY>C zQ$~h6{FsFum!P+xTT~=X{Ve)rz{RMr6!mU3zQihqT2pROtKM6;o|FfSbW40q3+Hlm z`Z4>F<4DljMC@y$FEe~E(Bf%xuflZ9S(2|h$ZwTd3vXyI_#I4tXWIYeAm57;ad+MM z6Fox{R}fg-1ihtUny8V{MuE@5WT&LVc`*{6i^0cFZ3qPIXMQd-C*du(@!&!3v5(^% zT(lSN@80O*(>g3lSumwtY#JMJ_%QRsruUP6k){}3VPw;}1+)}~(mKrkatw;6Jzf6} z-qp>tWl>1a(S}}tk&>*V6Yp6GqU}Eq8+cBS$ndz02q4 zUdz501KW#qY)6JvhYRIeJIm)eYf+ep4=JzSun_uw9D&?5$g-I?Kh{73yRA^n5( z3RGWJK9Ir0lOMFp3Y2}&`s`glqBX9NnGAU+@%VgVIv*B*5jmmVC|9GMvqN#`-}P!n zrr!_i%->q_-cdH6XtA=k*QxHMvF8U6g$JDe-yn+mzR@l^FU%qW?*Tsj{(U!$)UGOB z+IEy)G#WJi$V?j)*0cSj$y27T?!Hl-ZNwneB@AYa`sw_}e$1%E(bT1pfC^$ahq)zw zDZMHV{T&I~whY}N6_yTOg3*1Kl{8ZVDw1}fX{FO9pF{p7aP 
zs$e>nxVhiRZjleuFGZZ_0+fR=+uCQ%yw?k_npc!9DL=K6Wy=n=RW!TBu)lZSpWGtk zgQV>vC257p3dzRQn@80@duZOSxL0%UNZE?1%8%s>sLB`XU%2PO^wvZbi`|t%LB3hS z54CTx?p>2>W`7;tdO;yzgN)jVW@FP0)wz1GT}fsgtArX_@l8#*Z2MMZG%TBr?-7IoiGvWDl3wPNr@+RmwhzsJ=jv=XV`sXbnlA5na zT({jnX2E{9RU;T3(QBNN0*;wx+TN4`jMQycUNtB|DcL$-_n6)2L)G^+lb>HgUjM*K zR5~_xrHkIFez5dlJ@C+Y+el*4Hr_)tzsGiIAZt8M^o<>ot<;HOVma#4@{NOw-?lVd z-+md6F0;?nvyF?);Uy|r=s0{%@TU4uq*cqD#8>$(*ICPoq809~p>abibd&lvZB(=m zWu=V51c|xmdUX&3&Jg9AOT;nw)4h|!Qgh9M?fpHfFa#T)`i_U1JKLxW>qFTGEzjPS zYuh|bXQ~Lfx!v$-bgoYJ&N{`3!UH*Og8N%siJgOWB4iGSkKSAj(K8eLCL+``6$0i# zYxWLqyXTr~)$nrDyc+5%XB5%4HdT=4Ijvfq`aD*Ig2|?AF=p> z^!sA_s=f(VD1Ow7#!#^6L(+6zy-Dj^T>IUpmOB(ZiCb58(k#%qc((aZVu$mGy{9QY zO$ze&+>ewmwyUe~7c5vGJ1%v7f#$%gMY@wK8+z57y@L(d$F`dJ-#+Re?X=Y%P(Dyn z$Sf#}0M{VFPViF+#d0b;KwR|^h%!gC-FtvZLkju7B|4S2WiLT)k~*K9oOkhz0z~d01=hJ&1Af9 zsP|Q0(Dhx~xk^{Pk#rsj;p0XFDF!YDQV$O^GKb7O6g*kyZo-w<@F-XY*uK>}v$hMt z^=s1&>rc+Rx37E`-E9TUG~Tt1OF5s`TU|AhMi>Cuy%CF~+kSoikrgS7$mU)FcT|#6@jeO~#LIfX?4H zTF!~rs6hy3O^f#HRCiWK6%>rxZ0x%@v&uM6wSVH`>={J*)KzN!VK=}eKJS<=;)f7q zx3d`p9v|v?TGwZna@u3}4BG+8pzm=~K1VmBu!Al11>b%kKS;+gsrzw_Yf{#>ox_k* zA41Dxe59r{i|@1G&ObLe{4vJ7{Pt}OP{^3Ne7z6V`LGNZjBm;0NEaNuPmW5oV5b$H zWy(Hz{env~>DHHJZempAMdQZ$fi0&L`93Fi@@SUSn@t->3hm-66h9tVq^66mvL3ka znm%7BPUoVKwDf8~y52L!uIH&nS~qGNdu{1@HPPrXZyCR+I9UO^e)}B2r{8(f9A4Cj zF83f-6!T_i6Y=6G(Vg~rT| z32GS)1#^$TUTo_hw!HE7RfT%*?S}fd()zAt#fQV%IB0_kpD|C^m#d#`(hjMOa1dVN za)}=eV|gfOf`2Va=O16*{#MF%f$P$C)!QE?5_44oSTl{Z+g`PE-C9Blg$(Py?6Q@#pEbt)1$6&b}wz ze{|ulbF%eHUkm+>q35}F$U$WtIax$G9RvdjIm;I&0TOp+?MBfYi_Xa{Fp&Y^90(h0E;GVSUMgb#v8WlpYkkJ@LJP5SUZ4k_Vczk-~(*etKsAO(tESAd<2rHGT@5c%zyhg{{K(X`#%>!W`_Lnu>|V6c1^-v z{MY9%r1=0DM=>2%c{*IS{(;Hak!)fIbm0ONuS5(-gwDGOEiS7&&>p#8&0@X*FGaom zt405x+cCh!gwIN;z&Wx^`42JUHw2j_cM|klTHajOSN+{hImUdrX;q}c8+qXt`@0=f z7_lc=5I2a?s#YQda1xq~EzkdHfp#?yWB!ta4F$vjFbsb+Bn>k?xgh)Fr(kM{fA(4} zmg*#GfI<7Ur=urZ}urRP#MX4XTzdS@QwdNEH`J|1}xGa5Fz z+Uy@=Sk?N2N4#Yb9F}_om9Ra$JlPu1s^0^>_do0nupP1LQF|+P@9Ox^U_py(TH2T_J>6Wajr`X;)QLNWF^)E9}2MCb!0bgF9qYlwi2P 
zx&;priBQ-2znb;Ck+1S#DALhH>{b8cp&j92oO(Wu`rZ=!wc&pMVs%{@piW(%P~`u3 zh#)*{;njPb{%gnm_q)>t!K6(K$~B_@$HO?n!%6y_I!(gf{;Q9Ko!$vsVs(WvXBk3 z$bk`0E1)$?mbB&_U

    (~`2j{i zwbI-Z#T`jNBM4&j=T&CY^75^Fg$ZcbI7n^cgcM+Tz%O%Cm#yPyE5(Ai?0 zgllDxX8qctC6Ry_i8w$yQlJ=s^Ao|Z54}U=gTEiVP1|T7FbP@m%QZr9a&%>Zv z2Q>HBfQ>;lKN2AaKn7*V*<=H(j6ts$tgErI%q>EXPEP# zh!%~kGOCVRbW%+9}T3t%pCcWMVX-dUCZO7`l~tSAYk-Zn46o6IgVYbwSSr>Q-e_Sm)E3~ zBO)fHmE+tb>o|&HWLTT)H|_53c3GLy*yT1dmhZm3ZFJ+tn0Gr8gX&+mvbJ8P6@BpI z7Kqp;l0T1+XG3#B#CJvLUX5~HXxW6@Ma z?v*+cQ?Bl}i1nF0imGa70so$VzkpdT%N?K9Axc2MecJ&b$t1dWmW74I2C&whA&@fk zd?k2EaBAkr-Ru!Ti3X4dsr00JKkBuas~U5reo)$Ft}kls>qE4T4|eme^aU0Y3Qiv) z_yecn>qLrtxNmzgFDd(WR!}!!vbkAVpP(C^90E$p%9ZmQ{zk`jj$iyLx0#W}Dvg$1 zgPzZ57cDK_L;p~WIIr!+sK=18S|{c}LKV6ZIG8rk+@@d4R*VqE&x{4trcDllW{NEc z?yrG-yuPYx2wI{Y1)yeTm6rBRL#HoP{-D+J69cPy4djXYBZUmM#y$i84CU+>$u1Zm z@cC{qNs$ryXKwJ>EEcGhFbai3EfYQ0Vmvpd(~o`Vrg?btp&`4h#3O}epirtR7cly) zj&!7T)98=naH7|Ho*d>L6FVng@)*myg6njHsVB_;)nYjbKl`y8-!rPH=s@dcO}0xr z`9`V|vAlt`bvCGBs2{t*cBG?PZCRhCkR~|o@Gb#j zA%i?LdR@ty0VOFZIS+8O*QiaARV)9~tc@(C+{lS+fz29n4k^Fn)NTDqbTDFo;iWcX z&ra+@?6`!Qt!=LDNJYQMiA%|b>si*CS9_MePaSbrSs=^x>nnGjmBmqF7URQ6M_off z^8VMdCGtJR_{0>~{a7zEC_6v-ZvWzVqcp?RE)_;!DJyFc@H$Wa70@@UxRK_N2BJ83m5%&t2!XQXQ5Iy0{}KXPSAAVfq|7 zHtoCTAFr0K$wD@In=Toa`5=a>Uw<(lU}H2_Z+Ev_v`)RQ_U%ephP2`v3K7<14hjC| zt&6dn(9{s}T=~7GGGBGZRXUD8A}1QQk1pl^2<2g_ykpX`49Z1r#6^l)Un~0YSj$om zin_?Adk7ZupPoA8{m@AJLGg;#@ta|perZ|5kgn%>&DkVExcMIk{{mGo|;;_)nq^v^)9ZTlJVcEfAvCSJqr?xGRS+Dx7g$=wJ=buwtAUEv#vMC=i zI(4MHFU2iyJt{Oet2nFHz0K-E(a1%VVP{o5!@g3LV7tZ~&ol51h{O!+hCuK#~ zJ|sEA3jZG7L_#{Ma!h(4l(64m(;ejv=daOKzN}5wxzsu(Xn2MuZa+8t`!25>&RpR4 zwuB$~89u(m#wpOLJ%sNaC?%?SP#t)I_@7_2OG1jY*hhH3JF%brOv?rCKaWUH$>9#V z;-)1?DBh_0VB^Hx)t>(O&Bv)|Q5V^qH{j=KCQf{s2dTL1-nV$#*Kzip>TlyPGJLWk zy!~}JcY>9qfS1$Osqh~DZ8iT)tOFSZ=4+_5^p)Q~6YMGc&5xE7zhCsT6WyPmfA2I3 zT^}s#kG{_Pe|Fv<^ZTzCbBd9y$F;b7sbembU2LJ6JmJk2N-$8QoY0%w;nQ4y+WFxs zye*|BiJyX#Hi)PO@$y+(;vZ8+dkESp)!?hc=_7X?#ysg!Tq_sh9q{u2G}wxRgav;5 zN=b{VW4-UbHz?B#R~>Oso;;6{fkCQce5#1 z#OULLzPdaP3nS9aZEfp68EqlCYkibM$`va+a886H(E}7qqpXlE%{BhyyQU*94<2lq zy8l@Gj!fHTXJ;3?+m#XJ#*Yqs1}*>lEF$t{ASdj_ez5b_+*d-KZfzg-hQrsO#4Z7- 
z&@G_4a|aY}OLi-OwoXWQ+=Ln@xfsmINtNi^8bodHzV z(4#igOQ7zr!8@Cn1Zj_+^73*UK$+8gwpt|@`k<(=3bRehxy79^rZI9o&?4#dW?NTTrhEs3(Dg5?ADAc?gGbdC*_Ay^63c=0dDl;HEW zwzlBH;jiLst*i<@eNysPX^cI4C$vh@SR#voS74~zxp|a6F#DL(9Gu%8sq2eD%P-b? z$#~`wCLf--5_JZ7Q_!Mf82&6AA2|WC8*C^>HkxBnmXHLxWCTs@1R6b7S&80%0gf+E zx6HLfDYv(}eSNe?uEL>C(+9*0X{;i%8F+82S8>{U!{8w3`f2m@%sjkfn}t8QfAr#G znwvLo#>lP#VhQuRnAMjBgdZWgs&;qd$xCdfHk7KgBR z=Wzqd7{*V*SD(>%TM~F!=o^Lg%CPFui%IAIv^ad8gr5d8re$usI987-DoReSf%049 z-NTldg==njT(Ybe=nA1DD?x6kUxsc)q=iHmZM2$|mGvHpT6~BM*T~n3SX)eOE$2&7 z%3kv{!i7Xi%$}#})}O}#i+*#l_`I0d#zT(Wfc7dVZnD-`+@)Wmzd)=Vm=Y{2=`uHU z2s5CY%>{I7V{mMMesT^77_mY~%utwyuI~3n9(D$ ztZEu|i7qX&9?!bK^$hFKY^oea8i^}K5m8Z_(zR4?zj$zo; zxk|-i3Ca=XehbTrva4!kz>1+L>yzPfQ=Z!>c&OEnv^ z;xKc^FO(lzhlvX4ae+cjkJpp-s+qHr+&BheGHoHDoo_GHH|l0P{m?q6ERlxQ8s~M0U4Z2$ z2C9BLDYE?dnI_<7y5)DLOV9deXkF;hWuHEFdpmogDQhe1b+(5a@*Eyy?mCK;6q@s$ z*|fb^F~{)@_MhlcHw>LReYu3%LGSU_;vZslpG+OUhk|WlWrKf6H5&=VB(cs_n=d6@_ zM{Ne-pta;AZ;BIeMb6%Q>5N9#7XA?F;Z>|sd7}1CsA8v|a9&dE4N|xgyh5P(0yD`z z;UrwPx?4|G`4v5mta>I{c(BzFz;yhNX%nNSMHRX^O~Xd9A9pOA}aC5RGocM%qnk9mX+-!Jx>^S7uz~NKC!Nv0Am$4)wxyjSsYrd8*`BQk} zTg*Y0ge^yL68IXe4}8T(J}r39Ed92vAK{mTUrEILv9*8RK@0|L-x0I&y?6fpP5|NT zcUzg3-0SDBPW)fJSd^}G)U;&vJ+VisCUjbACC zO>#ugdZPU?!g~ktQ&I|yD9eFZKO&N3=)%RLRvUqTy0i%HLxU-sB^jLhJkXE3rPHVW z^y7^oI5KO;lZauIUco3;h^9CG8KrPF!r3`8VkGG}7U1mSq7TgwuhJ>FiN3jc>cr%v`>eaWdrn?nD@bI1t3sALHNmm|Jy|c}D^O+i9y};%i59K9 zhyxj)?R8d!T_5-)HXtr1X4P?Gc4{iWGhIC{>k}kCt=>mLd1@EPk6@Mcs^CC|6%u~y zza6>&p71g3U~li8J8iFuXM52Gz}eB((&~eo)f`+?-Wk{JFOj`Jsp1{3{n4<>t5VnN z5QmJ-#Kgq0C(z5B^74U;i(gW%*g~j6$G~7#Ii1lCM84+WrYUAWB9$`6+Ve84gu=`Z zW`kZaP;760*C@afP;|)pWK`k$#crg+N>C@q^)62J*31^9Gi@wQfnziXIaoFzBIqSf zX7F&5UDCxhRWFWYElJ*A>Kr|)@J@LLJ?Y!aFylhp*JSsu>t{*fh%W9bd-LW4!Pv{d z!M=WX9^RIlme#lC6gtH`fwmlC_dWm4kH$)yb;whz*t#LcXDxrK^qCqlHhMDti5z%exZOno(BP?|&L; z{j#IKzKK>2%MV5`ZU3Gz2v>sBYgEf6>^@<^I5NO?bJVh=|MS=k4O8jS82Jh;mJPvT zv9qu|+Ot^va=4aH#;KaH|Lh6IxAAe$o`HM^{&b=3rRhUp^avJg-~Papd#izo@XYe` zG!;A}cA&tF3Sf&LNo}mK|C!i7_mKY=FUE5$?_Zu2=pAn-g8!~v 
MR=bp^aNF%xEiEE2bc6KJ(hYl| z{^EK5`LjBde5PS&_xGvLaaWK|S8nkA zzDRNfasAh$FA!Sf?@Q0FpppN6g#AM5+OJ2?ui{(&zQle7g7fRq3-tf{X8#B8S&f;I z(S5wjlYH(f;eGh!fZzlIv8(ufrbV1m$p}5fufu8m=`NredoYg@Tn%g!7Saox+4k!|(%NTY9y)i@P2CRdvz2iv^$A8_m!sRV; z%O*2t?k?|5^g3?Pz@WNkRjIcoxbR#hCkE~I2R)da*I%6;_gPU|O@?j!c;fh~VFpI4 zPfbIk;*&75vAq7n{d~6yJ8Ggpw!JMhB*dz0Y%RX_MKb=RHH)j2M>_n+HQ&3JAI6RW zmimnpU8jAyWD14%X2or4*l%fh{QBOe#<5XEeR&{u_hMp{BP$M^beS)xcKoCBuH}@* z`I`t@E^2b>{XJ}`V=ew|%Gj{Ta}n_!qeDU-tI)WqhYy>%OlB#23=?BxXE&{ct(LVd z5;(UNE_3v`@a4|cvmi%E_SZA&BE zJiFI%XAA0PMcy37xjX9Q7pza3dY3MCJhbzCSI}@!p`?~$CEcMooG{u=!Q1TQxnATH zE}zQf(=N_2Pmr^VBYyl@GvxdvKx!4LXBa9#r?VrZ9v73N<;$}kTY9)Y9@!s4YQV@~ z#l);62sSq$AfTf|P7R@%%io&5z+Ff{5T>fDGgTbhyg41ErT)}xE<|IH|JB2Xws%|= zY;=vCbsiYYyL5``{4PVemq8Z6g|(X@DkASrojG`>!*fsOTW*itY>>yepm_QdtMFNM zj0!gRVc_8D0&|v}3dO!Y=zWx7l~81r6=)o~Csj*@Zpv zF3X!V_ef%mi7fkOdwYAw>wPnOs@x~*SKTJV_ur`~_AWz-H3l<#^l#s$G;PZxr;&vB z=4Vx^=O%pn`YmOl)1JB%n?tW=#&vB#`<(moSpGh8cvbevM#zTtmV+9dgY*Ome8V}YpfsY>Za)4K6uvW5)rJa!N#6Y?B=z$WjRDxFPZO!KT%HaQ&C#3 z79BjF$`O~eG@Od{@v*XE-0MJ9+!VHtk>F5!IzN~FhGSl%)je6cDGI^ zm&#xOu3VFG>F*d8C3|Hl+YB-Y(k?+@X_&ohQJx%p4YM~wwnIAh63;JAxjY*}W z%MF@+mP~Vrx#hm1WbU>F=Ob z9uYAiL6F{TfWr?DmxJ;s=a@p~#2k($_P5yBIk|}~{Zu>9MEKTv8HZP~{F*8|S9jUJ z|0?{NziPT65vs!H*sHJ#e!SwX>Z-p9uUU8#(mxF4RH+uaozuxqrk_|+?9*@homZgh zC51;JCbs(esr`2Gs$Tz8)w>G|bC$?;A@M1p@k*D1Q@mi;fc87kOllYXH-$vxn zJYe76qLx&+F^>eS7Z#0lj3#VoCS#cDTLN##d;2hoX<`A zb<1R$Ws-@p76SU0J{g>QlIOiF>5TY+bYwz`i#PbL7T44)p*naOkf0PM3d4*XEk_PZ z*wvl4Z^~SPp%)r|B2g!|Ul8gNm0Cr!vGO>|Fw&WEb61+<_@~(9mTYwr1bSb)`c}Gf zT!cXVLHm{(22(!))M171!%R-n1^}2=J>8|CuVs5|Q)&-C5 zMf1;-dW_MDgL;udhJxx>Y<7b+Z7b)#3(u>+>>s#69ZFwf7b=mQK%R}v@z&!_Yxwp*B z%yWcccvLP~S$TJQB;4msoxjBW!chbB~Z@fH!x>6BM*sP)UiD zQ(xTqw6vr77s&f?*-(!@NfDBB43Fd3Ie0g_!}xk4&S`ecE)MiME(Ekr_I4jH zZd0L-cZcUXQZo0^Tt31lb?d48m!ob}1#D$cC@!4aedB;rOgCthxs+HR;DvV-`qt2t zUG;kq6OjPx=sIg!$Q>4|oe-~+OGwb;l!V_BD#)$!Lm8)jq` z{f<4$x4NF`Xx%q5WIXv`um5lzq>JlM{jQQ5b{b@vw|T_{ugf{w=z6)?pLa%U^`x5g 
z_wmL~2>^WZA)}(KEb3$A@=fT$?jrkeK%h^=Gi{BB#3LKxb#daP zQ}q%#g-=*>t*uSw2(u+9ayi*K&vw6FmM8pcmtc(-JvJqwk8SYSXkok1BX=NP`6vDB zcsJF;+jCQRt8xiS=B!*7Q|0!?I-*%gYyB$0WWK(-g?)~GUB^Fc3u^7E8qc|Xdl$@%a@^!@bw%W)CKB_k2;5nJ3W`qm6ql7~EV&kJf-B~|(hlGa@3_0|tYA0~} zJ;)s-$Cewgiu&-OcWVn%Co%aITnt|$^;>B>1Akh2hGzXF#^tTDLoUxm8d6uSsOU_F zbDVJCnwf}t;39kh-H>9D)*9u+ce#At2-PK88hV=SI2_=S zuuEIb*d?a=5^@QAK8O6qufaF}zhKt?U!ZsvO(ctMr9tN6>w`{~M>FKa=XZU%*ouk9 zws^Zf;rp>XqQlZke*)#|x`ftzt6xMO zul0k=(XU#%NiMfZ2oZVs^6K;aMhmekSBfA6qPo9<`18)kYq8*oBRs#s_?O7W2*CN= zey!gL66|#UIn^UFH$P0{~ zW8F`C4cCynJ^p?q6BLnq7y$_!m%Hi&;TRyl!FNZzHc%dm-~s|-T0t}-#;U_2SnYCdiy zpA6zFMK}K05Hv{eW4w!;Fk0j%7}}S|QJ+HR`z+%h6*@ca1g83j7oHM%jdAoiyz8e@ zavD$i@xV{x%;B8eV40?Ry9$L=eG4oOt%mg@MHMXZn4Z0UXx zxLf0xU>Wzy>55e_esm#43Hs|Wmx4{IU)vNIuGEO>xa*y~oA?;XwQ$&Hz519mW_7Yp z)=6pEI^SGvz-Vms!mHLlEwWsdzN>jX4_ys`o9%fYJD^K@;|PJ5n|h7yj#XJkLvc~= z_T1Gd^kXX@2*=u6@wjPiWo)=-t-tLE3lja!w|3QuoD+&*$h!XNd#s)euX^urd2C%1 z%IodZ{X8BeA^m4z(3n$d2#zNDKPT{?A$fZP{eXUz5QNW}gOM&(zXP>m?V(#`@VCI~ z+{bpW*ixwn+sN1sSTOb(_1?ncmJRpQd`eFm-kdv%oLyIFeuABA!iub-GAose!(}$4 zKSQ+m(=u?tBC6o>Bw|0}o^f)SP=M9otDves zRO+fF8y76!#d$UQj6H%VJy5*Uxh7C7d}2E0swsSKx41|u3u{Sm?ZM+Kf6j_bTdtX< zgv(XuAz9??LenbkLq$utW}1E+dYSknh5ek}u-0+x-rcyp-b-N{-S1L5{94n8>Fm1N z4uxN1*)=88DR2xbD+DOM-8Y4pkq1MoI4;81)te2Z>7a=r%Ysw}UTO86soxk@J#X+m z19HTr3^9C1n16jquRz_E)i16-x)0X8V3*qDEN|w|!@$$MYVb36&3Q&s^v33=zCvjF z)uIrFiup+BF!H70sL8haxjFAWV$?@i=d~}ZxM<{g^ndEIqaHrQF1B=5P`BLnt^?IA z`(xvHJ-xcKhkgsLKCx;R33!wu&PT^xc9LhiECNc;WH&C$9VUdM_R-b%-7l;UAFY&4 z7RGa$o&4NTv0%aqc2?N!SUo~~*bDgHI!t=(0x}f{1otTZiRzYfG?A+0{XYJl8a!$m zVc)*F5V)EDryMoc?ge>E_0xdlx4lxG_4-^vR@;8w{)y|bJ8}*+>E$c&vvY<5cIt5=q0%v4Z(pa?qZCDT*^feh_aiK{ z(ku;q+EE;yNz)%<(o#{v`A0^%rE?>mc1pkOc@$Um)e{t%Pr7)*qK&a zb*x8V|v@6?4vUR(@$~e!+F6Yox~?yJdfe zn<~C<8)()=D}PsXI2S{sI|a;maX%=1)H@N zwOH&jyrH1wur>+%LW#&gw~ohk>RR1MOgi{1Q+xJMuAR%Up<}$F-eEf^99#5Gm6z!Q zroxw0uVGJ@8DU*lp7~Sz75JdtU*oXmXm1$OqWA?+P}7~Cr5vU|=slspCm}woek*V7 zHK;PjE3f{_JmPF~x^Nx+5d9*dVkEZ+Z>x 
zStYiltI^w}bp7(F1ZX<$0gxg$spMNVLBbG@f8fhVlGM^bDaIQ~ z(nxw6(!b!*iyO4axB6|Ah{)fS8zDtsP6&Q!Wc$!K3HOEc<@?-3(-Fb9tdWkF!Y;dh zi3c`6g}uCtg}@h5^loG~N};q!w?H8TN&R#1X1f6P+`S<=clEz-;@|c6i^yL$cFw@m7clvYVB$J~&m&FmJ1zi#;s$*+NyNd!X zg%3v=s}P^$&pKI1O~#*$oQH#ZSmRj)Io}<56^O#EB9N}^xTw;y8xM*fCrgLgz1`@y zn;sOPEx$;UO4j0*JL119z1OtOFRziwQ&^B&ph7?KS}HmH8lqem;MpfO;2vTwUr7&8 z#g{v@$lTjncn&ZJNuwj3c`NTlm2sHu=x4Kw#)o7J4t~S}?zG50gw!|(0IG*C!B(5M zi9k3`gD}2~T}3Q1rhcmWp|sgq`jXjcnRwkqU3Fw6O5=#Lta3)%m?WQse^2&NCeqo= z|K+-BpV;mFJIflHG2_AGY*>8!hd(_Y7#r}HJ?vCh?H4~66OP*dmb;p>Im|>lK*GOY z{H;`Pq*BkHq$!cPKqyUVsmSLfB$=5zo#SCt;k1}%)BR@_uiF0|1ezhzAb4y@5bHf8 zBQJjK+~Pt|cxPhW2`-IjF$^q8Hsr&@6Y-!^kLh!8F_XY=YNo#;&*QClTG?<6=O9^`)VQnGnntk;*Y3L8UZL?Tsq%sIK&QU!@5P zrV)ek-J5Mq_)?V0ObJqT#gm^|C5axv>2;7e5XZ>fFg6!*0m@@3_FxJD0ZNwJDy=`2(6xk-K?R1}-Ob3geoh=HT8=eG&;RfE@L4^G9a6v(icL@8X#1cGx={`M+PJ7V(U? zV;sHgYXlgw7KL7ojVi{k?IgSt9lICawQuj>F$ku}dI}QFksk;t1q|Ru{p!!4yz!cRkP4K6 zCfT19l>dEqrA}dOISlz}Tibha3@uiz4sPpHXFO$6&oH$2{wXX!(Xai9j6<@Xq1(4_ zTiV$4TbG^UnBNl?&Q@nVN~d|6J2+73$^LtyyPe{&=~^#Fj-xx73ixzxHqJdP#CY0bB5`NHv*i=j-DQX& zgONyNg~Rl=g5Yg@%hj~qNk@&PZP+>fY6~bVAeeyFR*EB2$O3bcU}VSJhrwVj)vj~1 z`4pTCqfJQadNg%X9Ri=^K~py3bkp?R%V&$O?Xt}H`mnk(YrI*h15X@q(9wg*1OZK z2c@~fOH*L%l&gc%z*_4I^B zW^diYPR$Xbk-H~e*?+w$sas&y&9kkH|1iA6Zjzl0L-5=NH$GqXpN zlW9e;BJ^t9f^Uk7h{WnBC@TXS_8uBJBzVN^J17+i9KZBPfCY@BAXICc-5IJkVW!j2 z2Bd1ZJ1WZOX{h((yq+Y{qXL1ag)EtVL23TzWT8|&l>Ik}<2IB9ymx;hUPmEH9rt&8 zQ}**}heMUAB|j1o4ycCX6S&jwo(JbNkq$V^7_$sE`0NnGaPx0C4QjI>)f-a8B00kS zrmLMkXx-;54v`9+a>}Pusq@@p)!pCS6*H5{*Gv+Hg%F3OEiNtfvr?cy?D`(>E>G6L zM(;Tq8Kpc;&K~QE6Lh&rDd~GUcPkP-)(sO6&%xUITW2R5E2}X?{N6n&*}|NhJEVnq zc?<|;Ma8sZb;QjG+~NNI{)q`nLc+P#RfWN?oqKQY4%l9a!)**%SX|s+?4n>DSca<8 z-Mit8P`Lvkd3rgPHHr34yG?2iml7=X~Q_Njy{G>ptT%zPM7m=w# zMYi5ux3SnF|1~s5D%_}K$dZjJq}yL3`Zf!+4jReP$w`7)iYmql@Hrk!8MKb!rch8$ zk^sI@htsIFx3{;Z=1>f;#mMkENQ>sCCj04nB{zj!hI$!1C6%ZMEVw?A-3>_Pn2QZXyFrkls z;Akpid3EjSIom$5*Lm&8MM7YiY7l;M{m_6Bp&V4NlKaXorozF1XNUo@;T}%#!z(y{ 
zMMlAo9?7u9DEz_p$WEiS`16|apW5s<3bC@XN=!^-$g8WX%g)YbR!K~I5H_5Vkx^XC ztpm(#_=Q9Odlgp|J0_>_>MIPqI`wg!?;O-->zd~0n@ud7SoJ3HK(Q&%Pjl~!@R zvbq{<;6$BQ6z(HtMdP|5h@Bs^^qv3Qk0#QfIxMKNb>+C3>|!GW5(DovZ$&q8^>llA z668!>*RmF8V$4&G_Xe`!+cQe9m=H|7OcVz3d6?TST;Dvci7azA=iQC7!~-KKzL_{w z8%9$Ue)?u2?xFs`pAZXrQ4_SYq^xQK6>>hv_@-5hypbsBDoNt-0S))J@5)v|eQ>T-ZOj-|%i=!YWmfiy;ca#(>yC@^$jTw-pBGKKys6=&%+3yJu zxJ3WA?Nxha!fSpC*Ae^swU4WyGrP^SJx2kotnA-BALJ65w`I^FaBIER+sbxKo4FDX z!(@gd+HT8!z!>M5oQ$8~Oxmk*jZsRpcX;dua>iSnk#j`opqY>OsHY?4ZrWZ`zH`9u zZb|W2wIi;krlzj8HVF3fnVO7@Oo3s8at4U0?l;Aa7QZ+W$aip>mqR6s{%9g2)B4ZO zz331jK8wuk(?0-#@Y5P=Gqtv6<>lR3=!~ir9m>C}q@)CWL|}QU{EhTi$@qt6g<#vG zUB>n{`)o+j>4B=o;jHU}w?*Es+5wxWebm*mZ-H$qWqTp_SE+$obpFxi{cO{TG-AwD-S~;8F!QHqWC+HYpIjD7*Hj z@%$q!0l_+&4D?MDmEHgQr~fzG`yV_vnhfj$-=z-#3?0zl{sHd)#odZGAmV9>F|pcG z0?(_7JZJWbbiiU6f7>2_Aw~cosIV3*{rsc^{TH>&i;@~Xu+b(O8->8nKQa@c?dZEvIam#a_X!OiH}E-<^l3s;XLEwyIvS zM68vlly$rO*Rlht$MGjK$IopMIB(Y_?`jgF7G{=bvBnogUN zf?_V}Tw)hm>vIxmSnc^_Zf9rbw6BLpLPFx+y)Rr5Uw-~{w6R%5p|X@SSE+RqN9b$S zH5va|BqizVKSIK<)c-qNL>f{Ai<9fq%44Qe#_4BfX2879Y2UOz+QCS%$*Jm9(5(^NV^;uKcc$V|JY;yB-d4Z1V4K9 zCm;606z1aOf=Y9oc5N*xzX#lcf?7H{@{8^AZEbBrApoyuV!WRU$jQmEj3F5riiwGt zot+H{2_Z(0#i<9V9yAs*1$9;pGc(4rWOde2{qWI@yVul}brt00QG6t%q|1u?>*KPx z^27kPb$Scv9FVb(My^&~evo?Dh8^7rrGhrtAM1$cOxNKie!mV63tDzuIRAESaH zO0x8$0ZmVuW+CdcAg(Avr)KCIN1Qdh+xz5^z`&S-I8U6!eE&XoDF#f z8ZOQ@FYA7HcPT9qs<8g}oent7RI1S-$@8ty8rWurjHj1ZwlVz#N`GryV@)G(2x|>*(&T_t;_bxia$EEHF2Bbud?};bcRUz_Rav#`mys zdOFE%ZDoZ={9U?KvKiWMdF?^|FC7XvQ|oz2ZA$S;krFl?-?!3T^Ke{BM61hmH{=aS?~)Zvz8GT^7F|9#*ESW%>QH)}~8O>X)VgEGb^@_CZuaC1xJMJmG1( z)(c^kZ^w5;5#4r)7k6Krgl8&4mBkb6smi5%9w%$C66@AGFJJ}aIdQ(OsS(ZQ7=LuW zV*G;S8D?BlqZ6fzp1{S-YGH%9Zq!Zs(X{T1qoj)t%^0Z?D!KNKZWCkU$KHZ=W4k{Z zUuCK!sdfRjnksd2co;9_^pcGCzP-{ggXqxwyy=rCPaZsYx%F(#5jrNL&lI1KupIuP zm;ul-G!a_b7xQruMRzIZcTF!uVH*=A7NJh{{zA6$|C_dIgI4E5eLWW~`{u<~1l=|< zs=<9(U~)#_BsR{$VfEZwElsMVie%UEY~2B#O8Vhxa(Gynp1!^|zpBb{?W0c~t3&yW z&7vQjWYx}p`b+W&2yl{_6T?r|D?nIVmgy+@A8xfTz}Wg0>bwp($udk&&o<$ixdoY- 
z{u&@hs~u+`<57B}LN2jSRaK2o<&E|9D1EL!&s3uRzOi?Iui4SU0q#vwhtsa)<*O2dPhF~cTF|N2GZ=U8>Q0Pu88v)>ZKSy z7fG+7?|SaSb)yy@vbP{U8xvK4)?Mrs!p%&oWkadW49j)(^q?*-^xTu5&9JN3>)1fI z5fu`$oveo29^DLWcDaXel9X59ZF$m z)9HF2hI*(Tfwo8s?zPfAP!Fbk4yfWjD>Cn_a!bsvub-VAO!s#@DH*^OU9Yc~5D^U9 zR*Dl?n4f=A29%V`njqhuBuPU=^oVh|&~UoeW2fA1+_Jr>=w6t+h;H>FNEG;3Kc!{B zzkUBdh-X0Ydkn`Fgn=~R+AfJ7_oV9~K0j0HT?QbpI&2cB3E5SXWo2Z9LQceuV&mfC zVq&;CQod#6W)y9iPg!n}9x0w_Upws!eQ&3tqOzlaj?)+MWn;kT^*+y()@yDF3HxeR z+&CbrC2-6g6kya`{VitE0R;B_89;BFmLa+K|7^V|!az?iR`*$KjG^!jO(Yw;9EqiG z_Ol>D0Rbif#=m>U2??sTgM6O%mV~k9rNHBPX)Bz20HOS?FvRX;1R)hJF1X7vU-rH5 zb`Gz_?Z?C%NG!jXf+TEy8c-);2qN;H*Co+vHqGyatAhsNaqop%+Frk z{$~tGf*SK%(R0@LC~yOIPaoab#XFFIHCWszr7XVtM=J9oMp;RFz-7rU3el7L9Cj|X zG25#*c3F)>q{bya; zk44us!NdrP)mRilg^&MZb=5`>2Mep(=VTv{Qku9QC=_aCMIM`!Q}6j8(D(}Us*ERW zd=OH)M0X)ny8OdpmB{_`S5}@8fxK@h3P(RmdAYlrT3GBTXyJYC0h$SXQNTkWLYZFbX-Q(yp84c4z`tP)7+LHEPQ(*&?-W9{~TojU! zm?$AE>;VeDj+?Xdr;1O2hQEIErY}7A_-##%m%2Jp1fQT_Nu9a5d7^~RvE0K|e-J<2 z;h*cjK1l8qAsI>F(=^RT*GYMTyryAbpgblbDQT#qqobu|aXJ`QTwMI}CFHnJH9HN) zSf-1lDx z3oOO~09LrbTomH7KF04!y*X8<&zr(26%aim-ZVo(%*j1y2aGnC?h zU@MyoKb@nIOI>c_WM^ksI&YUezYolU`dW*g#HuP`K|w+5rS1gLOE3`_1A99(G_+ZN z5;B%@&ClPzy|wk|1%DC7&F%;AzMik`brTKv+ejvmnAE|IKeE9I1-OA>sAMMZfnoX&6)Vehlgd`Z1Z+H zxf+B-MFj-}%+1U`7?fP6LoR|kLG_22aNSOkA{79b6#n8f@Q6OoK1z90P*e?Z~NN<)PE6Sbl6qrE7{As@cDlad6;HK1p4i!%BtAD+5wQeS!d^w^yXr zgU?JyEk`p8pP^7QY}rheq;f zVbVmkYiDC4LYoW3-`3u+Aw}-`L{&cv612$l{JeO@Sk`bUQc_YbGT%F10AH5g$LZnL_O`RCV;^d0NOOo5Z7d#GM@?7xfm#4&72P0I zw-P>IeBsLLmn?$QSm-~U!`$tk9Zk4D!9=s+F&gjY`C;m2`E~Zf*f&$=_UYfdySX%= zoVPVyhi5GmsaZu$^+654Wf`DfasxEH=W6swP@8C7?QLv$mERaRVPRnMaftbzy8HSX zxX~jQ#qO>K*2*MH(jzSrm4^4(Eq4`a6?-^*o~0*kXM{Rx73dlH6&loiVhi^c;o=I_ z?6`5UK7HQBf~2FPYiw-HV;a26!h(-gdN+#85J;Sv=+#XCvqj!aorLNgzn9yDN}eCi z0Z%e00>r{!Zbn2IAqq9@cbQAwHcQ?5{{6c@^X=^% zD=`8KW40v}PR9C~|H5Dz*=M_O{}sWkot5LaTMGBsKB;Cuv@@y_hE*rX&wz`f%7 z8+=aO1WId7qc;pSG|Eh$%wNO6_4a(d;DFy3hdanzp)4V^8f;i#W5ha*vO5G0=)x7qyQ`!rB4%m+Ns+IIc>MIa*kV 
zsgkZUa&`0dXxmw9+U5z^`#!O)Imc?Je`{r;MDhV1ExZJifgAj&bKJX!JXG2n^NhDQrlf_Z5r@tLf}hlOEDsCQLV2dy{w@OXYyRT;{%0NgZ6X}O{d zKx*94k&35*r@Q2I*ESejKfP1a4C?=H-TrbIf}0riuDq8J*MhpeP9QSxB~3O)%5le+Dl zXKM>5QcL_j*n&QromKTZM-oT|q^lIiPzGa|shE&gYE`D5gJs=-h zpIQK4-rIQ)3=8(zprC!e{;#!g-DW~c95m|}=oPMO>=?XWcAv;OXmoAg|;bA0KZ!(IS(KasB#8gF@JysE;4n$(XEe zqgUtTuyS*Mz_B9Sxt`^66A#bAFiKl=?OC#4(w63}zhEdROfEYN?K`@szWuWe69Z>Q ziw?OLwYdseiT#d&*?T(}G%N7R_NSQGR!&P_nIUJxy45wyC8p!GeEV=D`NmD0ywJZ< z<2P2U-R31sT#E!&QKBZ&nQH7^WQ%eC7ysiazgv5s$wIA3C{9Q%2l;S(u*JXOnfC0~ zH))E>YWW)N0AeuO-yfa_Gc|4L>dMc|Y_IGP!VsaSPyO`irQ-2Svp;JDDhQE1Za^n=q0+RRSvb#4~!*h{R+LrF4NQc2K-$aqVck`-`7r6 zwcEw=&*yMqjBX3U$hCvgpeLl7y1Jc_f$!caI@k{P_TK+oW_swC9~MS1Hh@G*=_pn! zPTdm~Jpp#(Sk4m`g9hJ(h=^9;mLw*;fB!x%PJuW`DIXoAR}-6EKKFlenekhe_HMoW z8{t)*^IbCK#^A@P~2#AR(hU&s#6;}S) znz{aO-UQ|LfiDiW!6)dK=N$|%Bjj6;jldZEU)*Xj7+XL`s3u3_aN9&1hVa#w z+$0yAJG2!kaWass`8do2=k|=%RB}0Q1wf(d$S=L(6^-TK(Gm37`PlJlwMjeRj;OJ} zvuE1_!9=>Q=8Nyk{}T|pEc2tJAIcI(c9h39T>4fgO>3vK-%syY336?|A&oc8i z>GAULAlsDD($5Q zTKVPlu&@GJ^RjZX(eq(t%UIQNReIaGpBfYHS*g35N1M*{_M?!2YTP%>G_F6mnnyxYpwN z03%qFZ)zzqH(Qfa=yCni4H&R?zkdCit(J+RulX5uL#YJ#9G}jA+FPbry+}$4Sa2ZD zsgj<_SZu_rGa;F%GYlE2mjZ%6_*Mm+8k7hKqMQW`K!zO$7ZD#>z!KtD{Bgr6Vpt?E|TKkb}PhHXxz3s}j5HwBKgr)X||KBL3_ z-d?aEJ^{gllk$p+@Qr?_(H;V_aXs)|aGuNWn}Z3T41VjfvDQ{bCMFrKL&gUNL;A_h z+ZGqDp(iCXCwv)IQQW*0MIQ(GxF&W59VXLJ5ld3zIG4@s)?{WJuP)#=Okb}?A!U3& ztaAgIAMTAFy_1&5B|wi1ERJwdOg`{)bU5~CqO{=%JH#(x|!=PTdFs{5S`(!`Q z+Iq{p@4MuNBYdkbKUzsbPkyrSVUa4WO0~;UH{eWQudJ+=`(zQEoSaM!Ol8a;7^xT# z8D?QxIZ4sckI&_4ih(uX;Td%^bs()A+V#XtXYc3F=Q|NVV9ox3c@0XGpxllt4_RMc zCNq9f8aqb?$#AVqzwK2qT3#Z}4l2*{34x+qegtOG3;lmI>$@sxlq*=6=T94_Cq zUVKQ>>T|TNavh8v8q-6>8;aDYioeW{@WuI5Nxfnl-s7b7&bk=0@u-dA3_Z*d&iCc! 
zbJ*7#*d3kj@QdnCU(dY2M`Mk2R;d}Tq zMJ6>MD2QQ+iI@q_7?q!u^|hme4ll#H!hX`2L(*gWwVOr75_3>L?`wJ_@EL4{IXHsZ zV>Fl1o?!}CXG>AYeqOcNn}_C=_ZXLp+k=W{{k#s8UgzO6_Q>Ef zZ0ydGkvudjno-_5tt|qiz zHMd;&0}3?49bR+1EZN5R}vNmW{2NuXv$da1m*sP6yqBd+Y2 zQry=x?XIjWma(Vlsvjo$otE)S2i@O-KRUrdFHj&AZb&WcoCbzJB9~oOz;IR6P04pg zwS(R13Q@oydz|b5CT)1Se0@j3SGB?P2{*S4A_K2%w>J`N*-zdM2tQL*F6|v10X}`{ z-7iHx_~X%hZti7EV(qs{l#uEtmcd9b@ZUF^&H^j~{8<&uvWM?fatG8w&T49s3>x)! zj%>7<6qj^$cBWztFxk9TW(R`EF|G(aUsEAzGn7hH22Q^IwV_QZ+1_lr_Zk$E;fHT2 z+&67i@vHd)Zz#G4D4paS4NpQYQ&SXDS6Ru|!68x?E#L~&&^^gxmo^%D1}}-NN7LNf zjj_!=x#(UyIv-+U$ogyKn|W^PI>mQ>?4g{D{aY^edLyyfCp*sAT=7Cq zFzP16XRZzB__k6K^k8#Zg_IkU#phjcNQilJhYZ5a$tfi?2W-vc!TLBDGTL7o;yyB#LPp z7@Pwc4Oj(gC546!8L4bUSYrtx5wWrINr|D<;_{PN5tTJH{T4RXhy-SzmV^EM?v9QW zXU{<6=JojnhUrtAQ+g=RfDZ5<3nzxqJY}>cklN=RgqUbIM+$*^-n*~gRJ&m(wE^-ULuK6VhbLD)dE9I1^Gcr_R%AtqlgFz4Ga!`sA9!= zj}=}Oiv@yuI?U*~7m)p+%M_W8reTCQBwI4%?~h z^>!8xBx$LD>2O`Jy2ciI$;V|(buBGJFwz)w^euuduVrwsEG4C}Qnc9X zz`jh!XSOAvwpMJ8E?NqBCjG?UeNGD`Fu}lm$KcrqFcKBctO88xRjod9UBXMN1Bm>e z1!1LZ6x!UoKO9Zc|I?qar?K6hQD5O|xVXAJk}SnrIog_m!1L(Z5q4Nw^^~-PMs_=0 zDSzw*Gjy}E>#CW8UHevXEgauc*Zkon)MVu)E823SOuA+H@^v(8_$GOKCeXb2`S}?p z26)JJzB%zM4R@&*RR3cCoe*TCt7!=BYEhw98SnCdE z0`3Rj#>kW#y>{)|>dFeR&2~$15DeeIX8JHE;bg31Bz_#F(?|26xTl)$N9(?fN zK}Kfgav$B1`LrkydYC-+wzjf!az1Hn>zJ7B+ckhO;jqQe6!Uur2WoK)^=su4U@ZXn z1WM5h+y*gfJj@Omhw<->uH~vJ{`{T2Lqw==xYE849aN1T%1stllw6?*UJUtP zY`t|@mD%?`tVd8nL|Op}Q9uC!K|mx9ASIFU>EmmPdt-S;{g^Wiznv~=`2{m(nw6FXO!5JTGAHNP3hz0 zAjl-n{2xUz5UKqq{1==-sg`>4e{F<0L5u`}JVf z6cl!@38cC#DL_KU%9R=x@onYg8sNxGSL_j;^w2cSLMriHyTWpIH((--{7CFJAkssL zrn$RBSgEP6fJ&e3RI&Ra6a76l$6Qc1wBR#2KQjeipgfa()Xvx^ezQkS4?5>@t#|GW z`GGpK+jgtyIHHUiyNMLI#T6BYz`6lcZ;yzc1S^yJUjKjvOH2Cs!h*PCJzyF8j2kE` zuEx=%`FkHE)N=!Z%boRlc#(p^Lzswe%m=L@prB3th))a?S8|YTc;fi;oX#=Z^O)Mq zzk7I*+%#U<5yGLb?`hqlE6}#>mmxa>(SeBfVtcMIWA?&0RXxd1cjeS8n1)vv*AI4O z)GLWI3(Luhk3d%>F5=hYF!dlIF`~oKaY8D?IBmYDQs_@dG8(C*s0i?(l%#8=CJ@Am z-Z39x30bb{JTW?A+AVm0(gFpPF{8~+=VzkpeirC+rH*NxA8~*8PYkX?Gh=&e3kL@$ 
zY;eU<(&N|5v!+JlsUMJpoUKIP7xdF-_o;Ln^i?yu;bhDG=M00_+gAsIeI=xA%Zz*M@}SjL0+{abig&08w1**{dY@a;Lm z);uD&?fsUGBhAUb)WAy^KR-Xn$`+=khV{BD0*+)HYR!W9xl25QCym^b((MBE@VY=u zb3}*y1G=6(dD5Rw7&6R;iX_nnDaxtvQiQ5>L1v`nz<~O@C^q&)+wL14L&P(dTUGQT z!o2Te-d|;>3XLsT^zc;kO)=$oO%?uJ@Efr4g(JEkxlp#r-k58TQ?(f$=pxD36 zmyJ9%RMxGg%EWHMC|d5&prxUB({b*(j#%q$^^7MU%#vQFG)QW)HZ(TN%2TRw@$?O% zv=-cZqz^EG+M~(s~6CI6fD4*xfDe}(=xZCLr7?pX+t+=Gj zrM^9JW=yibm8L8C8hTNIEUixTtzh9Ha_&Roeb-k5c0>WMB%+1z&Rbe0DtLa$Sbw$n zfQh2FNFFUcnD_3$sjw*cv&oA84gOCue*Q$us~OEriJiWM&+QM4CZlew%h5|$PA}Fg z$qr=xVar02cE)>paAWzmo5$LMA&?(`xAA$V-mhU z!hUnupE!8$+3+!08;N_ehEIEg39rqo=6#M;G-;mM@vgrPS>@CDqK;->5s}H`xW|J=4B(|{j-Fn;BHvJm+idp~HrRo>Rt1SERbyO6; zI#!;W5a&tk%uc#S;PVCtei>RX?o?5(yJd6r5{j9VrJA{n`Gc|DRHRw^d$BK9@}OwS7aKla8W69tlwD)@TWx$p0aNN}~7-(4OTwp|+b=B7v+TrM?>{6c%k zepU2xXLXaGALad0VXHt^@IRYHazA{OQkytk$k$$2UJkvCN^fkod-}}BbtOogAcB&t zge%!r$ThsvQA<I}dUeS#=D}aZmIR5x@h11X!rTy{3teFgJ?;gr^_d&zwX5H?A zA6xXNynRc}<5UaYhE4^nlsfqlMgBzn!I6HRf>}$}PFtS(9RHD;N{WkDLCFMMfDjzf zaZ6_LG@z@+2sl~X<8BU-wU?DwqPx|sCX4(b-Mcc|Q`o4Ee<`7^h<2>7l*IJ?bW-M% z{C-_kIfTyp=<`#*erl^#ellI;C0N7!beO!*((3LVp#|H-)+Y#ZhyqfrdNy@()App2 z-J}bK4VQLSnS2N*Bj4-Y{vi8dfhs;;uf)YuHUGq4`dnBGOkUcta*L(?U*|wvTU!eq z|HpaZX+C78BZN}+i2VlCi8uE+zsIuW*nE6Mja$rcnPb?$Wp0-{TWd1Me{Co?tmp3G zi=ubj$|fV^XDk=Le!QRf{SDZ=b&+!*QfXu3R@6;7A9+8Ff37~c>Ge4pD|NGA%A_lg zg=$)2v_IZi*d4qNAc|jNEqVZJ(HVZLbi?;oEXUgJ7?H61@Ozf*u_u~v7 zH2JY(V6KU=!EU;-2n)SUo{pZ|VUFwnVUasx!8OBg{zSyYG;(~Y$Xk&D?>>adU%%6r zJUt!v-h{Z?SIewDuR;C0*GIMwY0N^-iow;0MUz?<$X5NPQ@=;#R=|I{AaM)SqgTs+dRh_or ztchh#{lgW99PRYf;-cuYF&Qnb2(u9{3e#WDd9w450vb_R%XFf)>bG#n(S?EB-hM=G z4-vi^JOgx1h~TBqj&#>SQOMn)awhiMYNE53fQ;UOWxK!Fj(jtg+}FLg-$HPtnfLBGRTdCJFtUp(ob=KmXz{yHK3lE#*np~9!XK!gR! 
z3S z5eiw~1CesxIGSI8&C}P{2TYA8Y$6Pb=xzFQq^9*<+#isu0n0cS4@+=8Y&f3BqTgsG z-5xtk0O!blT^!=IeggxFc}&LGcmi}0larH06i)Epd}&~JpPEvl_H+~k_{Aw#sEa)B z+&-|b#{?x?8=%CqG8;LbloVHjp4Lbj;44@+kOLM`RCwTo8(@KSA$W>tGWm%RR?p$?l+D^}>?k1wJ|L5(9qzZ zo1I;-*78006Xs@k%qXU`I_s@+yh{6d)0YfmgwT(^>9VzCC9wph<3jQy31#Ir;28j8 zwqW!=Y?XYZB|dLOB1u&decGM$izsG1@$x`q1NB>~skXK@fU6bc<)5(OU`=8YSM(Z& z=tR38xewpoLM&n8{V$jCcq`s6Am`##-(14L;*(()KQ}eY0%c`pmX)17Ge1ABh9?0Q zxLt_6&njLuuL=_o)?S9xRG(87zl_f-c2?^4sJ9wStJ&n&R zDKfHg6@QWsYqBVb)T`+)vFpZkv~D3cLat&!5C8`jT1S&=7N=l~yQxV{eb$}`29qCI z`7Z%gi<|#_#2W4nCRSoc6^LU_UZp>Q8dJf?!J$y0riLiX%{4MKB)f0{tc4lO>ktL| zCPSQfUl!%=TX5p3uh#1;|FJLlL?M)vw~ejs+RDnPngu;P*rjS(>=%&RJ#it){4Jym2pRalGf5?sP$*R9}C&zwf_$rLc5627xUD#i~c!}2?ZB>Aw% zYYE`J4CFk?eg38dqU?=4j-a4mUtOKCnb{jHMywHwE!%$zVUyR*q3g14K0i0NW*(neSonQF?%~+vWQ?f0o0C(x z79&ikX!6DhzbM?V3*1klP$N|hZtQxkc;aYwotwErdlCzVmV_dbj_~7-;bDdXafBD? z6mGDSy{=@e41R&SrCr*qv(0bGRZUwdGp>rA^^j+PcL`y{fLsrldmJ1b{RC#vkZGfS z87RtmUzO1lYbf8TNKGFY9!Cgsb3X-GqpeNZ%G0O@pI1kN1#kOTNHW1Sa4UZ-F`h8@ zPJFT3zLT;tX+hQ5K(KtTbUT?!VFijXrT=_=8NjpMPCyNtHJi7B(sjQNfV8RZ=vxko z74};C5B62@sirzRRh^xkL4IuIiNboW)9bufN)^>{$KD~ya2WMu(2x9R=?o{w#y(eE zMIq8!P5TE19&U#Xcb&(3icpxu#cxL->F~uwrrhAUY@Bc2< zOB|;sPnN!-PQXuBwg4n)`W{WGCPbNoLm z`a-C4*7n~O4McwX_HDNBwxs0K6u%b&U<*g<{?#SenfkAVP7$sh?C&zIFKupitIl`1 zb)((V;^N}m((n)7+;uqV1XNB*Ny+}lOc3Y3pD*rW^c+S6YhC^O_pGzr_5f%B8s+Kf z37eOeme&7Rf=LlAYmO&=;6a|Od-SD-Sfj|s(Uf*|6{amtOY_ruco$6duxh9OrPK2} z*kh1*pM(^jL%B>QRz3LN?H-1v7Vu=}pxRVBcSZt#t;RPw!8%&}9jRiXa(mtxGY^Us z?f3s~eG!7_@#DwCn5d|zeu5KX2!(e_0#SF$RF%lSFMc{>@PIPP)6hVg;vi)*TE1!Ms|PWTBv-*lB=H z|4g?JrRiNA9aqSh78b0mJQ>fjV2X(Y&iwJ7nlF)WbusT>v#ScredfWsb&}t1{T{|} z&dsmB{*D0Pw8RDC*TGQ|gP(RPEW1;MX%wydiMk#7C8mb+i5&h*hST0t_rkHS#g0Ua zIXd2?Ee2kP79-J-tDILIt89CHMg3MC_TW9deaXKK>l?4*PzQyCRK)_}rI3OYUTcpS z8wi{PqI?2nEQ)5H(hgLCk2&&pluQ_OVd2)=bo;AUulfnHz^o50)BFckVfd2A+ny;VVbT^O;XS=EI zprNN&2~ul;AzM~#XgTum_;ihnpKb+u-07@_6zL^{@9RIGNxpxsgag$dBkW9ht0k>R zB!R@V)3&-!`?BZDj`fxmXFP1cESNDvkd&b>ztf1%4q!&{;jR+W(;T}(KJN9i+fjzr 
zLKbXo9G@5ZoHt?Tu*csZ0{dYkEU*mvW1N`9T#c``&w^)a8r0m1#1qG1d1{rb=VygJ zpU!_wYWmUe9fBx3I~ybnqI`UHX+3BD?2*1a6K2n_^n%Qty!vZC&BzD@d{8|0sjunc z&tunK8J8MP=+{^{c|{a2A^e32{3JD9(ZBM!Gs%L9LkvCcP8tsR*_V+GJ33NnGw|SX zoEYeJbRP1FH9HVNuT7<5qb*);C+}pJqk~hbmqdQDcLg} z1yxfKcnZh=S+v^$ZKvToa>#I~YietCik>|(Hum~An+hLl$GPYvCU>z!*OKfpK7!-W z90BhkM^uop8Ys~79@!9n;Ub1XP;duyCOJ7d{XTlqkn02p$U*|g!&cILT-Yh(eSzf%x!-ribTT95?Uu;st}^S$xUx$a>;ms83kED0bn z457Btn`C?%1d8*qT43{8SXcmrUq~T@bz>)B{Yb(f31sxFGVbhTz%HpC83QUo<8h(u z00umGHj{wB76{&etf93mhy9!PL|AJ)vM8aE?|R)h%KfRuq(=AwSsxB>K}Pb=en4e_ zM1F;a7DnuMVSvpxb4`gS9Pa)8v$jvgw5G7G?tkCXDaaTedA+u!Wf2JTZ{NP{_aXi_ zO~t?XaC4nB;#72J399E_F7J3{^zLt`LNb>!Aa@=F5~YP%szQ$eq>}B7(nCWj}$3j zQ)+rckaElVtw+nz8!I?#{y*RKd-c!I!Y+3MH*riL_iv^Tg$48Hy8~ZD<_)ncDEi03 zXu#$0+}G1voR}~+G+c#8EiElsx`yWYqtWPYdZ7OFtazQe0x`18Wt;S3LmC%FPcC4v z;0+Hp834ri?G3+%Nujr~&am&=`W5T{v%3*wdU`|9Vg;cS85w2@kb@|Jr=KA0`?+u* zq=E~LA9?OB!6Ba?su+R-G4ss+(uf3PSHE1}6r9D}hx+Qmg$s5i5UseM=7X?EIBZDL z6MI0v?^@+`YLS}W$5xqeJ_U(e<9J`;^jVCJjeU&5@t_Gc(7F#$csgC4uGEs*sVMJ|n7lrhU(vphj@p z(+fAMv$l5p#|M_47;Jd?0V_JO$%}fedp8XST!m}Ejz{QayxcuFRamQz@(!w0Q$Scs zUDGXv_UQL3Ao9g3HSgRZNPs6}a{{tx*C|XaAhU{w7j_Ut_=6Sh?zXnr_T={JBvgfI zsi~PKWlWr%ck|44-oObcXrQZ?W;SAPa(wBpBgsEU?bP{A zNEZFC>$-F%{}N{6A&4i6@k_?lEG#s%v?^S-pGl7)q%numYAVId6q(L9u+;YD8FHE497U2bkx48w{}382nUiWERe0#@GN-_J0# zHSd|a~;po(|hMn zjE_HM~P`d%Kqze?uFy@38ki` zRqBmIMXtoh$5(q3Lm6OYnkT@;6&PHQpD%7XQUkv zN~4@W{iL*VmlIQ*^&owy?*mP-{yRA7e1yR!lT~&IA{(MJXGETYONzDE*VnhOINc7p zWQShbf!}}>qV8~O*^r7VbYAdZ2cG*N5W>ypcs;wRrVWuk4}m{Em7n(##+V62E0Cw( z)!i3|^A5@~A|fKoJs;#Oe^;zKaqby^BmgkL&ePtsez~N$F*rN+T;c`NoR@l|#S_jr zC?QRTa)>yU6cir4J@!;-l3?71#DN3w%_O|fczSttb##zZQUV;%I1Sc6WF05u&7G6B8$4q!ma~@4X(vmBxj`YC$CR$kLLC?{K*C1W2ex z&M1J}kNOj6S}(}#qG!IE$I?H($@HJ_eOCAmj|{pApO)IkWo@c;KohnyB{|tP57Q1~ zr}&6wJ&VMj*yZhHPTD;o=)EtHiBA9g<;yfA78Y8-^qJGnUcje;jXCyqigzF0aE_kH z&a&>?x8D0=$AZG=TiV**gJ!E7R2$}tN|DxcS}3e^TyaSC&1Obb;T##emN~&J zLyRe}=;0N;?xkHXv8wr5FXJej@Vl%oC^hp7J3tsZI5>c$VTrT%y8`;5w;WmU%*Sh; 
zwk(ethHD>$CtWX-ia3ghRqx=q80l;8R}*5Rq9G;fAcfzdMa5nr)Il-CPCm#%o}HAk z>3zuf_&DIofE*;WzQEDU4@7FQYZ35o|zIKp`(#>XE~vv|bvjBF}? zdGx^FV8L2$@BKk@c5RlyL5fKSq`lk13Jjm9axZzYbPNegKJ^%JgBTLWl*58D>gT`<lqaVK-jGb8p zjMqo2ZvHpiM7d@D24Dr&&;UZ-bHF2hHhxD#<6OaLXdsg9-5}pv3UDLQPsTFL5$7Y6 z-B%j{G&~5?K&LnvvlS=!giBvfxg|FvSVV7OV8X@E-#s)WDlA;)$oZ}Q>Y0=+9Vkd4 z#{V(cU?l=xAlwx}Xf!gqR3J|Lk#Oy2U!{}^`-|{d2~<B^Rd!^DlqMT5oQmi<4`;y6))wxwu^uEYD>b-= z3K6&ipzIyV*T`2u+>r~tCMhkQ^Wfl=)CA&!dfqc0+vP}l{)d;@%x7uFqh|M#vVjpE+Uye6}t)YPor ziu@XnM~0OEA=Z)kW9zREJjt9f@1YLl!L!|c4y~xIz0LErdHuxs;!7(l;V=X*gy0w8 zE5JJgx*)U%8;S?e&Zb*HRGKLR9#O*dk97#2?qX9zw$$f9R%;J+1OJ2{m)oUCw^~i z%q=LG3~}=T6>g-Kkr4w1#uPj!;*Y6)D1xFq^7Z)f*&L{okf{LIZWpfkP%LW1?c=w0 zEQpwCQKEWD5IRYDW8@LrP!YSnn&{!a%gDX{wv`zv+1`|%=?~8pzbw2&=l&ElMqUx@RRWj}X9p8eFjqNSR z%G&gO3(a_C7>MEy*c*r`^<0*5>j?=6&d`gv06Xtj6hk*R)UOBo&N;wj#@11Hul}Sk z#dLQ&Y>nMJ{cy+gI@MHxKBU;@#EI^Om;F;iyhDx!xWaPb7v}AK$+n0@3omD znF*%G1`6i&)zxYb$UuhnnugGOq6fc3Go4}e@9ybYRO5l~0#N0xqzCeZFZ($GXrI_# zhQ;f=(bSe~>}Y5B$kI?JuB^dPH6qWibG=ENkI;EA^%1|kHQ%77KY)JKB43-`_o(4Q zGeELy(Y~?tr|2RzUl&$Xh$do!G%}HLMait#%4+ZB&L%*z3CLK4&OnYm|Fh}WiJGwcUSvz zmsk&pJl}vBp)e_c8#|kWj78DHrO@+4`GJG`rbBn`FlRUakjtyqFiTSy1xW2Tk<%h# znDU4VX3OZ$n%bYDlM)2(t;)m3T6V9w?QO>>q#=%2&cT6OKKa2{eag3)4}LKM>@r&U z2^-vR$1A&Ue8aOdyBlcTeo5)#0TQRZYH2XkkBqb%~dKVPbF*w-#*bXt!)det*S4eGb zgdUf_`e}EXFyt?erL{HSA=hC*#_ac$_LcR$dnCy~ZnC4fei9t<%~$-JZ{}`}1Xgpr zrw9IQKb5)}s}A~b>G{KqlAW+b40@UVLM>h{h$(psN=kk6Ep@7*YyrnVLX72 z4$=I=^mMN>nmfHpdv#@n%hJ#gJG~2J=?ncgnKArU{m*wdI6iMfs-{8fo&$0p{~NQG zCLchEBIL4_nUT@b*-3HXJwERm`A^Tc{5NjQ_vH~v@H3Ym?3kaPI9Han3WpJDYI|E- zC_!qe4_XelMeoj7SM2A5otJ~zR_tCdVLK_!jNpJATKo$Dr~{X2POBy=M%6bpf%QoT zrAMyn32jN$zR^2andy_dH%nbH6BfGT*f!B?AOiEDtaFi$iHV7^&FA=s%ACC`h>~0( zv$neZ!Z3EZJyB`78)4WVg3wV{ry?b7i>>|f!_3WXu(lTW7w4@QOBLv4UXCUwK^&;W zFq}Rf>9sq0KnkGR-D2e7Si%`j9mk;(W-imy-js|O8qIM}UTG;QgT0z0$m~S~3Tq4A z8NOIwTl0t(f7>fMCYBHpak!Jl4L%(_8cknT$G|{TlxSTax&jblR8{u<*1Ph)U++HI zi+?3+SOSUG-tNNPmk(+4Oiyss4dsE{D5$#cVO`Jhs8Oi#;vT>lL;szwTz!_<=_d=r 
z!}`2m)2ou9S3=m*HRQp~fKtP`grR(U8+8&>4(w@Tqse8_=fz<dgTP*a8FEWKfvrvY|laM(P==h zKM8BpTRI}_{BZj21|qHbPf|_2%IKts(oWmMGi{_KXT%^-$k~PG%=x!r^L|5ZcO;9E zuQoR9Q$Da%zhB*s5vI%`T=TudBak=9pCyvgHry^)kTf0BAK6KKhk2s=1`W;I2AZ%7 zVI96rmitN`v?ve-UEc#VDl*pgie&5daO!tY(q z@hZ8AvF#FEd;}3ZNbAlNBN-~>dQUP`JmWAhZ(BNYkp{fH!1;HY-w(Gsza!CyPQGhW=Q7sgCaPw(X1zkh%3-W_VclP6Q% zU7_p<+2>?f6TEyGm*_eV51>fgGff z81^;dM#BG%bInjjW|M88oIN2KA&pgFLeVG{$XV9h=} zZ-05t33o)(HO#w5Y*Z&G100ioT~((F;r)@9V&YPCNNLliwJ&Jn_{cIY!Q?`Ynsw*3 zD^eANy`>Pa0IWZK2A;U}8A({mtS3xziG6zV@zN;2V#Fa~64}(vygEj= zH>*iRI&`%hiX711#3ePAL?SG+pc$|%D|aPb)V}|!&m_i}YHGZbsB`6H$9Xs35qeQo zxo}TCsl42*-0bawhjt45yQ_qc-hJ0YD-2h<;LK3}`CORc^QK@%R7maVinF(8ORljz zBJH-(Ma)qfgS}40pR_&_uN?xS9v>zyPN&AK9$WlbT+>2s@7l1-8l&RPJ|RIQO1lkY3pS zB43HNx`90kH03wvVh@@nYu`wBt<3C5DYjp&n2}cRtQIKttX}%v`npMTA}BY z^hUPQ0w<|z`E{eh708v zFY5jt(u z3SWHzuw$xMJDJ!uQn~X{)jIX@4GlHK08|{ky+1f^@J^wax4Mvq3}k<^YlBNDsjBy@ zXJ`eUkJPVAcn6%`2wIY?PvV}jL35nkCIprV7QTO6S+P|Sk@-G6 zJPaJ5hje80-y?wDhTDF39o*J32mB(D8^P$_8XerpEeIJ2PU=bLAuB++p4X zO#H){P*+v8o9n@1M>*akX1vs(6a_pR)P&GP+}PZNUVcz;u%&6m(t0N4hTp3P4<6v- z<3lc2>y+=JAyT{v+FY2&J@oUZmZoO-yLTvYmut|7M2W>1I(kTv-By$*l2n7nn|J+<& zKEnAI-1-Pl020bIf%Sa1s{H45a5C*n#9M1E=G<&Cj@86@FuLcuvRP4;Kr8+`!!0Nuc zF<-IQP@zv*{D$HaPDGtv5-7t+rvi?^nW^=G(WVyR>sx zC)J72Ph=Fu*Ztv8^`g3HdbzE0J+@uW&FZIc@zdQw7Mtn5rVoiNZr529qm7x8Mf_WI ziskyuz-E{_79nDf3xWcRe_!^XMJ7rchOSPQyw*e<$%-@#$CV92c`GxLQw zt+11m6X1G=O_2CbwZ=6yHQlwuuF39?F~&aus`fcT2ZM3n`rb;$qI5yvxheW*N5KiL*U&8vr8Y}{0OK~EJh@O$68wzYziG$6QYjM($cQEZg#);_*7wA{l(+M zs?v5Igkjs(8+lIuhA(?Y%09C;Lz^zwx7S@QY;Sx&KZX7jyr^d}U+=8O0L^cIUD8$0-mBvPS$cjr9NJvOh z$5vZJO~?eVX&1h5kS>@2U`$=T`^Af6LDj*VbG@(dHEw9{(I1S^W7_TK`_?0d_D*_7 zMXrCR{|L83Y_-8vA z&iF4E>|_PnhAW(;n)0D*?djlC?D^_A4P?gD^z_{W4aZT3R6+h3bLeBQEk^~;_&ScEto{5IV z{rhC>lx5t)!mhxe05E?ley89GG<;lOqE2ULXJBnc#X)gV(e^Kdj*1G7TzW=^^x-#x z5ff+^VT+!apdb%TTHR+0J7^vZJ#j$>wt4qEu3V1bz}2K`CtTZ+FM6E&n;#O;{#{<^Yy?e)rr5s^=E%az%jy$;c7tri^#&;ZnK=gQsOpU+@GEiEI 
zvzT0lc{eClL&U{qN7I4&dIDaZirZKIRJ^r79cXP-`+DXIJ-+V6gIVLbe^7n8qfJe-Z;u@(`=;i0!n-tH;^M8PYJTW0 zoro%FeB;{Kb|_$dtwaZPfCm8S-9gw4=<#xvZ@t`aVOu7F7=F|^f@lj#_m!1@;q;O3 zchIP~xL<%$+vUI*H{(s~W6&rM5&~Kkz%!|omjfwu3|CkFguCzBXexEy3rw@)7tAlu zo3HPi^IRqR9PethFFV?%7i~R)5k%32>pCbtkfKp6cPU=lj%x}zNp8Bw{p{(}UT}0U zhXFvd!cH7wteyV`QvPj1ZxiMsbv{HO*{DdT=A{aeoaq)uH&VreIB_{N9aEG_RVDlv zZ?k(*a&9W7I{2qM8*?r?{jf8QLK4fH(bewH7{(H@VQTCd|77RTJI1!{&$Z+69-dPY z_?=L@D5J*%gm9gniLDCSY`^xNAr5eVSQaC!`GWVS6i4Sq>ZU?!NjzuHF1PIn;o4*X zrGJI0sDk!H4X1Uyd1Do>3_#mQ2!`ih8bM|jBZ`mw66UAhS(F;5x$fs{uCu8I#6w88 z#mwo-7&GfKq<&|&IOXhaSD#n6wsHt34twzBr9A<{l>f;#vRSI-}CkfNmf{WkhCun&$(=nA78OH_1P zZy4=o4L9SV2uW-cyb7W+r0&2)E7|^xOi|}Gap|mZ*xIi1ZK3Dz2u@w|HGlb5&Ax1} zHCMj(F~G?Q4&%vWDSY==yc_GCqU)Dd)1FqZ1!Y7!bEhaeec%1Ys)&>{*PMcY+s{yY`Oui`oy2QVA6?U6{ldZ{K zPvLq>AS@y0D~M1cuzfr~6BA<*?RKzHG$UKp){y(iGK4f)ouU52YPdr!n`qHNXKWN{ z=*fgGvd3!H-kiEb2a?U(oNkNRMRXGQwyLVZ3(iF#(?aK*HHCH~BwO6?sOjj8bME$l z(+NsVPnWuVdsvAg;okL|Hy_-)w+xyE2p}86SD@N~90tB>>HE%(lRPqXeVq#77iTcQ zE+Z$$#?J1tIzhy&A?xT^346Ca#(5=faXV)*dUwxT2(W>fKyO9aaNjDfB+=Es9MG@Kr><77o=jd z9xrFheLy^i+n$%1)(?aXao>|?pR(i5*NL!SyJipt$SR~CPu5@pP9tQkRH7y(CLo)A zdBd<>;Mmt81@@PZME5i&P=6seEIaSfY?$o-wf#xn^!@E030rQf@^)ZR*PPy5M(aPa zP~=JJ+M47%97{IP^IExX>G)jpS4h5Zox5$n;NiYDg+^x8fG;bke)V&qg$Kzj4LuIE z=>FawL(|l0uB&*w$uK$0%gYOj_C z1G96(!YJ`Ynk@9BMKMcRyNMOg2@xPyj7A zegFPq*UHq|S4tH!1xjK(ycc$2QE+unZgw`}ORd%mK7eOHK{Tgp^5SZ~@X{HcnT`=)JsA_+InclKTlQ0?tr5Qo@A| zJO9{X35R+fz{f1(=c^FZL@r_gSYWO6%8Z5$P`TxN8?;-th476hM=Y z&CR)w4|NLPOixOBtpHV8)}%3X)NZE-y)= z_Jy*<{sb?KfRe-?i%gwM#ySlp#DalwX zyC5U#)HLU3`co;x%b(+K!_mw=wOW#d?KR#a+OA-_PCnI{=hv~B;ymCU+u-iDvdT~5 zHvajUoE~);@1iAM_OUY;NJx$o#)OAEZOnbV6F-_Cco{0aBXSc&H6U;O0`bqPb2#!g zXOh~>bTCLS1d&QZ_{)&IpCoVfZtl-DMVQ3Vb40GGRj}!v57R!(%edQnZ}{9rQPD%d z;LFR)VSZ!(<034M@IMF=FkUUkRT-^ax5oF9c235KxYTe;UpE+SjuwnMPt%eyTGKT_ z>2_`H%xV6-CG&!aNROKOIc>M1n{h}K^XvJGN~l2ypJ~(Qbd)mmmg{xxef6Bk3)ZgN z-7I#APcX4mD-)ZHrXc!rt^mEDe@ik|H>w;!#koDc_tnWVU2ig!X|g5q0X6MN=<11< 
zx|YptNs)z&?Yy6N7I$~5PZ3Mvo?K38JpW&t&_Wrfrd!K5n(wf5?=tf;@r2g~``JA+ z8Rrq;eXpn4iRo&;b^WGL8gL?60C^ ziIiG#)0ML2@jGWg1#tY(qcocWyM zE+ACKTlOg})2uMtyiXhSPguU?(Lr(7C+EPFEzZVPHAuvTXUT4{;y5K`jbkcbVeWTa zJ99c9FQ2JBN;pi!ed07TUoPd_coo-I>esYYHi=_v4*gD*SpKT&&9P`wxco?i1ySNj zR3d6)#gTG*TV9>h$n}-ONou;rd{2GKjYf}>t1K*U6p+8MbR!YO2WJxlMjY z+;#66DJkLoHg@?V{;gji4YsSjvE08|hL3A^zBVEtlfj;0V4vyT$MN&Q^O8+W#^k1N zfQoqsi*<1JvTCB+;|$5ft9xxF?%@NVzCGNW9R5Vq{Sw=?<2$nxYmvb%n`_kutp{7J zaZ83{6M5!yHJOU&SEYl4#csb^g-h z_*ESD&CZXVQMDX#e|pf2D5?7E*|r4?)$czds};667&GRE4g&q_ALFedT|cB>#&NKF zZUO!=AU}87>b={>_v489?Y6vhw5bH!I4x?!-nq7y^4W5K5yd<~w=|1!F`tsNXl~i$ z=8l4bu9%J4%`W@JE=%&dlNE;1ejABtil0I%uI5OB+HXVOjp}mH+uz-LLh4iP^;%3k z4X$xK+WQw{%JE&++I|k!uA*{I)hZh##F&_$__;IkFXZis zLycOmvaNR6C#$Z?&?(*{K}qQfITF}3y?#^TZn7#u5L752vi!`h!Pl>#+$lIp-xyKG zEAaA7Zc^BA!C<1IMKtQ#9R+WGlW#0Su3IvC=#g>LkK}Zfy_ER|?%kB;QqK1Nw3k6E ztxI#h+gBl4z+T>AG_rQ3`9Gd(o_FlfA6OT$cg`k^hP0-Jr+ZZGEaj3OhOwXPOhIe# zAF}%3eiP=JP>?BgFw&G!c9U1U;g5bo>lt^2_WnmXbo>z|UA*Xsz@GRCm-@kZx>o}s zpG}(WHY=k;y``Lox>qACO_ffnkB^PB#5ZoP<p2e0o0MXc`o3?BN?a6Lyz z4DAGp6^= zerh~yzY9Ey#$QZQ!3ezmn!-wXe&b-&@0tbmpvvUNQ`*~= z(S8nxQcY^r*H68P11?*nx^{Prc$UEzgO$q3LZ*P2~AfwmLp=rCHYJ zk#||^^KW)D7DCSH+y|NRf2*dWKR)`pBmRv?Ki6C2Y!$gr_KE7n()w2Ews>+$$ZA< zS3>AZTd@Mnjyr|Sf2he=>A*iJO>a5!zP;(c)b^tV{11uILmBdhBW1*2&I-x1SO2{9 zKUf6(0alIqhuQb?>|epb5o`B10LG*UO9TnuE5J2?!UN5l)YR18-Un8B$1(*9WCEa) zgRa+r1>AopE$yva#(18dJ|iXNR|qxvzXbh1-1nnunizl0o~I`yosMlHbk@Y|lTk8f zs9yTiZ~k``cYZp|`5h>-Vd3S?O-?2d1(JcVXhrSf!P9ggpmMbR8vF49n2i?LQRX0% zgz;t-76x1}Z&|O*sg~mgYn_|)XHX@k1?4H#7^|z;DlDhS2fpuWt*SfjcJoogUxxQl z5;RetLba)t{A+8xcr0;OPsn{`Ax)0hBEwZVk0J;de&ocIepz-LP$yi!uFM}17|10c z@cIo@Z2-Lj6#;lojcV%Z6_Czex`b2Z*9(B&^T(iDaB?c%d4-hlfA#Vuj8JX5dCFy^ z$`cyLXv%gNX$Qo5BZSV~yDx&_H`X>ctNVa7lEu?=$K0IlG0d5Vs<{;n?YT4|m{|?i zM)LDR@=J3WRv7420MuKs^*n5>tF1k+g%w(?<-gZ#+k)#tCOg+xQhcK(GhFQFcSy7f z%6HMZmXSj*s_>6=AisHE5G6&qZo&NO$ESb~mAAS6bAvcelJ}9m8nR@AatkaYv zr3%NmVRbM~A#_#!dMiwG9Q`@;z8=RZm(ARmA>*Q`ZIZA~#rZCm?a?psZ%E}?zCGV^ 
z6kJh{#{i(lK{~}=Qi1U5OT_hQ?6-aX{9H4^EAMMR`}%-{`1L6if^a958_Z?HvjRxq z4H-)ZJx*U`C3FSPHUX2GkfqBKfrttV!?UYf%Q0ygo;qu4(b3y`K1I9;1{eVd4P^1y zX+Y+oKrr0~uspZY2`eMIb?a?i4=tZh9+Z3WpFblLvb-Th?fD5f;oLc6J+oFzCle4j zay`8nES7ctX_2ZtIwx81I@?cxpqZ2jxBc4d!}sHqF{kB%bN#zamFNtY13l(e{NId* zyz7}GV6NPHW7eUz*({krb?SB^CGXm*`nhQ3W6o}&VG-IY4r7I#_tiPwXb4#P%dLP; z{JV$`wXlDQWK!ph`FQ^Ox7(@@!&)M~-TnD?QpsyeH~`=7)nYRd#n*sVX2un}z<~C$ zTk5t*u*{x71Wrkl~;a9Enp@R0Q1j@jOQ@rWfvoN#ZdlcIUWyl>iScm_*q_>1JRJv^BVK>+aj3+8%`EoH?S65k>hP405=M ztNWF=KNrmUY$Sqq2YsQ-fLFT!7xTV1-1JQ+`le2FZ%IN$3SWh$eV3T7uf+QB&3%*1 ztp#D{K^&=1+-?iKB^jx%dmFCaOy3msEuA;#(BWIn2Wh^2jxT`l1XM)RD85;KAtm8S$b)!*Pd%KNxGTYLa?9v5&+3 z+ZmALb#*XZyf|Dgk0vA}jBQ>TfDw~2TsYxT&yCID=ABnk)zcpM$KcihaLF^on;}ztmZyF9{ee2Y^Wlos`QG(k0d6Ee!Z!S5y71R3tECys zSx+l*2s!op#FrXY&8$86Mn!jneqr+ka>&89=y_*xvU9>`J6_%^8O0`)Z({_Vk6WfH z#z_1EvrpP6siBqEE_0kLkF(LX3bu;ECED+{u(%MZm$fgJL+{?#G^B*J`DTeV)+P|u z1`&Wm%H~pjzF*(_rChtDM4dmEU;T5fV^(tCd%PI_06l?T`!1Fl&g+98gu9|VQ{_YY z`U|;4wZGR7=Ti1AMpWSlna59xPC-homhhE~RebbI?P_Tu?(6I5P=U6oHH@qE>I2?+^?kVf?D#m$q{Raygl(wAfjF7SPsC=z zcc+?zHVF#yYrs=9v}d~U3g7nGv+L9nFFzs;^8i8Z!2qj@Ug-H(64OS|z2GDKLg0Qi znset~2LwnvCkd%3>*}6yuA{5^4756%XU|}umDND8s)~xo14BZrfakynJj-z9)|V)& zZu~X4a9!h7WS`Yx5;>*D%E2q|(rVJXy1h4Qn~@Uk^d+TTdM26=c#;QkZV#KNsh*kM>W(6IP&=fxYasAoz>pX z!_D2AjBAOWw(!)Tq0Tfr*6_^&X3A0;UA{$0I;E75?YuJ_%T%yv+HB~bSt@IWgXAjQnegAu)h+CO$Cmoa2!z}VxpKZ^NVEZ+Ja?*s`=2R zn@ogWQ|a^d6*I8f8#xrSJQUFj#Az8(C2r&FHjnm`zWFc?@n^)i>pRbn=Qu~Lzj->c z5R4nUmuB(*8v7D(sJl08WX~E&b``Qlw#E{oRCZa4kd&P;48}6ngp8z;>`V4FCi@!kpiBe$RQH`<&;w?_;ZD*OJCKg2o#0YwXZ6 zv;E3{^ed-2IXb3iWB_FYWXgp73vPG+4bJ{B($CXW$X+)$#PN2&xYx&cdx}?QD$-u_ z5YG1}j0M=16tD`MSipK!$OKQIjMq0eA$kru9DpeY+cP@FxaJ+&^H~6x{F#AF66|AU z{8d*%+3W>UEoTiCC976_MwwCt=cs?T1?T>UpLwO~h0(;FcR-&I zcr zspC-rsyrNjj&c6JUW+~RYFMmA{p8(B_{@$lw?AZQtZf*dJ?TTot%yu19XpAWd3Eal z@zikB8)8Kjp74e3=9Z?NlT5ar4JA2GpR4zRjmfBgnl=Ymz{#$@J*DKe`>jKx_xZ3M zGfTx&1)o_f?C6+)2xA#9)tEXmsS)nm5_^fAT1Rjcg=v2pVWc?)_41!MiJd}Ss#YG?5cZg>ga7ugaE+3vX6DAET$;Vzg;rnZj4@-^00u5uHh~fBv*~b2;=M+@ 
zE&X>lH|Lwie<^-B(E8ZHgJ4d}xkxxrkqhVRc}BwKa(2ou+i~h3x3*89&tZ zSn^D>!Cp15OPR?s4c1QOMtk4mvte4U_w%f_sYTp}+3S4Z%ios2ZP@9OU8MLvXp{R% z_2VD;xzU~uX{0e4IRiGG~Fa{pr7%uqK;`X z3zmNn5KSt6R-hF6=kB%ET`Y0A1=IK@ZMp_dswItHMU7Gz0{`VE_t^to4; z)8^S}g9{yLcS-iML`az=Xzj3NW{RDvW*Q{orenr&<9fT6!3iYG7MxL3mt0{!RQ&$v z8g7{arg;vhnOp0gojy|-(%l>Nr>HORDft>F1cY-p_h5DCEZM%$EGV(~9QOwTKCGnw z_>qGrPytG*6Dh{Dvnb#TPQ^C^F`j80btvxDP#qM@nRH8oO@fmlY3noMR@`y6UEU7> zzJ#f^Wa~XQ9ywmuCW4@apeE@-J@M)UmTIb&{((RU=!g@Kt^1Fk2)T@fPLSkT@f05{ zZMMvQSJz$KZDM(W_IRb@Wbu-G$KcvLn`acZ>E&6BzB%&_3h9o|XsQF>{qwX`h?EH8Jmj^1SRHk`k zDHpT(4cB|xU8Hh3az=%9I&T&>@i`8o6*;?ulV1}AN)A}PnD_pt6He$%2Y^Ugvmit?-!=x2~*;la+C}37^uJPlvB; z%8VoEN3yH2kkIlz{wPCRkuSU2eqAZSww+CVB-@Y4?ML>L$Oag_ zlp5^OhgqxAiZ<)EwD-3K*tjF=`;{P>4yy)hG7V)MOe6Z7VW_DgjwP6m(G4!i6^2fk+pEhZ2wLs1(ntvTbet@ zfR6Xqv;PX9&)8j~;>nUuzIGA&8JO*sPX>BtT`NH#pqq|L%JSMjYYYIF{ME8xpg+w$ z!x-WY{8}&n=jG^X>)4f_4$+Bwm#idbroxg@oiN%Qq@|d%IT-ij?5^>qV8J|yP~rk2 z_RgXGDF9UjAc^z8VP5VfJU^MA0oW#~3PW=YK~dyazU7ekPq?%_m1@~M8R5{chw3oD zRzE;^&kXz9J^&t={>={sXyBs&kn`fw1OfWdp{maBa=RlP9UjV{63733L~s*?rA%F+ z$3WOdoE&I5RG$YZgz66)_;|WsaoJOkqO`#IK|87Sot$UXx!|WyHk``y4q6~GaOkYD^p z?bL36%Q|R*Y$d-~aoJPTb-^|pfvT%1XL2FxvXhrTo5}b6geG+{tdBDi4yq!|kt0r! 
zRohkW=ch6Wih6^QJ9(3&YN!FJ?rp27%2x67mhV@@by+jn(Zs1cMaF_>!4S4!-h*nK zq%*@1`UME@QN2x93lv+>B8eW+xY@BNtI8@qu+)qqE=?eP`8co`%PPjMU ztR9GqAC?B`Ez!~KlMy)@&K<g$NJ#5if3jTweORWSSu6{=5BH-(q0IrSajOC@Pr+ zZ7_N?QwL0syUE{-SFWJ(Y?I2I`sC#=KTw5mqeMYC-`*b1STfV~C~!uM(v3c>xsMQn zPhsN1>U4tkl|1tzDS8^*t6Ou<1ll7x_NJ^=&f8mx8v~C{1UDJnnwTG3M~;ia;{#G z$-(~xmaW0<{w){?pP$y5#E>H_4VUdZ;SQU|_wRR&4-mj=#!-=#XzWH%pIYw^-N~g| z`>zMy>vv#25{{dZ0WIePC2Y!Bnx8k&UG7)>LLcvM%E&eT`s?de2}z|rY;nVS(G%t6 z(os|0wtc;k>6+WT1}9JKuwyUWGTrcL+vDwX!DL9tmR@)FW8+}HxNq99uWR^3M6&`~ zfb9)zFY!Ofn@4Qm*U|g8@;$>Wn%|U$AJ9QUC#^yY&nB(;=SZGoMRjyT1im@bYeiSb zkwU)L<#O6KBb)kNpOswrL0xdlWI|SARD5(drQWA>J5Hq?Sb;HCRyn5M+T9v=VO6^c zlp@f(O}HioBn5KF(tF|r*Unpe$U|j2XFcrJ)_$J%x2U~2x|4E7?3-+Bali<%QB)jR z_w>NCg_izdL%+?O*8DWn;00jkzpV;X9(DJC;&&NLYgD;_5Q_TU{Oi^5r`?*kxYf(U z(_l@x-Ma0dVx0TJx$(0N8W3FxW0eBoz?X?&B%yuy;aQePUULh zQ#7R}8=q}}v{iA5HfjsWeEt#o_Jz#aN}mlD=B02G;Xa1Dn)l+?Ff`gxiCX2tOL_N5 zqPA=s{V^|IDGa`gf<4`wZVimg;BaU$;^|xZ^0Kl`6Si_%ovetD_?fjP!IlO9iYU>O z#6L>cEb<_@wKgDiLdes6t~Hsl;M_;}ZIv+PzaD<6>at13rUYKQs*`1%#Wr`)%`2zB zzF9L7+0;p%YSQH`t|_;9!~0@QyIdjZ-d>&*Nal_y_R&KvRFW!~=c_`i9$nF{7ujn6 zlve8~*tRLvz6WvUm0q6;O>UjL&1-~jZ_K#S4UzpTS^2i`-eSqZXxmfh4J`1Cr2+`d zmcY{2B+XNM6UI(w&9>iO9FIudMjR|U;E;ezd^3IV*0DS*yi)OMsfM6vRn1v36pbf{ zv%BSu7&E74ZW83QmvV*VBjM)gwuz8W2c92upC{YbD_iN{r{YpZXdS;mqLRFe_WcgP z&YzIUn*`_442WNcK`sH?3{zJ3fFv6_tj_l1*}? 
zBo&;t?ZSv)I57Ki+oYxuO)w(1h*!I_F1C)xO$wAu`|hL-=izd?c#G!!dhc?`2mb(epS+G=S@&nY5(;XRTE78sye+NdxK_;UX>6tHi0(hpaG8JY zTX{6BjC^T?!jaE%HMZm>y#|o2>c3&ZIY{udB0#+Aa4kdb!u8kW1hqNJ z;~K}h4F3_t4bflv?dR}jy+L+Aa!?GFVWldmz5 zS~mS|@2%1-1%4-0xh;NFvrl6yg?oH8dl0CZl8fNX232IVz(d^TB77ZlhA_s#Px?`C zKm5ZQ1bhMv0{{PTF!d!#3>C$9kF~y{DzYlI>e+(3u^g`qt2{Z0L_#Onljq*BGL1DY zvPs?x>svUWC$G<=XaB)y^%gT9H)n^z0?z9pGl>Ev37gJIVp<|1E>hyC?1%tzA|m>r zfVNv#m5&hxP^c)+P+^FPh$iH1Vie>_rHF`#rilryiM*6S18@{WANUNQ_~)yDTN#su zGIHh(i`~c#HKOFRBy2=P*#q~_dKhf(qWsJ~lPMdaYT)2$@KJdToGgHen0A_ua0YEs zsQ`Jx887WH_PxCMu=jcAtXvW|4%%|R)C&fi<7mAF_41nMXf7jMefqn)^6KiUdPcv2 z&?czEzkcqoWmu9VIboYmXJ??8|x>9 z7PNugvfqsrP-})^3@{js^+hgrrappv0Nl(|4eX+I@q)BJ9G>U!8MEnDl_+LgdV5eT zYF^)7%~Kcd4THVvcu;Q8HRgVz@D(Vee{UjMClc4mHimjVW#_x|<0`rzURhaLLf^k< zzdY9PvoCJ|5*;0lG81|UG?-DZY;B7vZHb5yeQ9m4>Wi}$80E)Yf8ge(e{!pl}b+v)7=T!zVW&2Of3l9wvl^*+zlp>ckuo)<9d-8@HEpR z-;$-SR)6?350Yhz)Oi6j>)YSHrNaatct}Shksvi(s8QSq>KK#a9V_k%i_@tv}%=kQZ+}eT+HW7(vFUbvI{bSuthB<&iNTG z?oy##y}cKid*PkpnsJEz4%(NUOcDj63jG5a0zSBG`XJ7%O`fY=%>f<%9 zaTWx~FqIp7-l;R!8Ly7k7ZW%^wNdJNfC^k>nC?iO!Oh~O@RO9rQl2gcW`h3 zBB8heRY8`>e%nF!vZw(6uB8C6xK2OJSK3LE%?5J!T!X(J`}u)wl~6QYHXZg3qR~ya z7L=hieAO@iGSOE~&?vsOps*jPUQ{7s?<^|1hckf$DoQ*#^Tt4Vbr*DW z*Sq{xd0J@u275yQ@C=O|(E&zWpun0Ic|KriDqGmI`4tK!T_;66S@F(i@cuVbzRV0M zt#zkwH?*>r0Z#?d6RED+^tr;>t!tHb@Y5V#9jlP0JCDQN4aW_qmki(6WpUtpZ8cOW z^k^B5T}gu6ZMWxpjZWTlgF**z#4Lpopm!URzKi%_>NT94xYPH<>SD|n+q!&{3m@h} zf1tN&&!iF)x%@brs<;CvT|g}y%G@|}=p25Q5c|PkER>{64Qk}mrM!f8@X-MBwU3Mh z2LnD<4%_{Q7fNz29$SI$+k4=55i>*zKL0qk|MYueQ8WGz$2N?eTD-Z4dKn2G?Ktpg zFv4MCz@v>5E?5cNnzK5=YkgBy9|>g%#n_6(M57h0w4Qn_8pY+K;ZEFmq~%DG1v%4Vq7S} z<5$ppba|+#DLMe(l6zPLQ_FeqNodEV)lkW!fPzdwi)P8NI{sXTW4H-a5m@bE$V%9 zA9$`b9vr&vNP6PB(o)Ncm}*dctU+9;_8w~w^ltR29wH`kreVI$Q3Bt0cTKQYtWD$e zjg8o;XY=!g%VZfSf5H_*H+Ocb;g0&CShfo8>>LH+v2I_(yRt)RZOd_vkz;l~`6r$EZ+l#B= zIIy3v6Hvu%Mq5ZRzz6kYtUGjLIbx6dbwwT@{*Rx~;oIR^M@d?c)`?Ctdo!y9j6ib$4rR zOg^=x8nTy`F7>0grf?UF8)yUE5(O?L2qZosL6Ygk4C&9}L$h5MNClhm>E{jt{hOvH zl__dlLj#lvDrKOr2{nB7{ 
zK&~diiu`=&Q1_dH1mO++9w`v$gepM`R-L zSpZ)8(8lnjc?MEkKVU*TDY4gYW20_FzIpzDsGVU|~NGv^nmIwIj-YbRPYasNyW) zNbn{nkOU_h8bIzMPw?k)+I3SxUU>UcNoe9V4uX^T7m)f-U-Juo1!!c96%Q*QhKl|^ zwDNpt!(DHDwUB)8v1!Pmnf~8bJVnCRxO{k9zLfJu`6nY=0i*zxGM{EwySl8)s_ync zcF%6YCn2PbHb>sYUFhY_?19e!kpKZRmz5Q)bY)%LGRJ<5GS4&z$+RTlK~8a#!2SIE zEG>Z#dlT1fy#Y9p);W85y z>%8ZNT_E&=F1KIN&&@O=*npO>gE82>WP?g-jp67~ZB-W%wXz zc7Skit(I1xO7NGcoJ`OQU6t`f(_aYivvQlE4*)x%du4zPj=7eRMk#XvY^AHIoIwBb zA=p#3`^Wl>x@5Ypk#9n8+FJ*S8EewUx?e+;moQY%#9Wt2(Bh8;6bUve@?dUJAW;Z_ zmXuUx+?xzD(7}v-yY=@V5J)&M|B>x&FaB7twfM0|WQ`U_-Cq8E!&`bCkFVcZtJKe( zf9qDIdw$R!mEP*RSpd#Nhw;t7*jf A more comprehensive description of the GCVE architecture and approach can be found in the [GCVE Private Cloud Minimal blueprint](../../../../blueprints/gcve/pc-minimal/). The blueprint is wrapped and configured here to leverage the FAST flow. - -The GCVE stage creates a project and all the expected resources in a well-defined context, usually an ad-hoc folder managed by the resource management stage. Resources are organized by environment within this folder. - -## How to run this stage - -This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management, security and networking stages. - -It is also possible to run this stage in isolation. Refer to the *[Running in isolation](#running-in-isolation)* section below for details. - -Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. - -### Provider and Terraform variables - -As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. 
- -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. - -```bash -../../../stage-links.sh ~/fast-config - -# copy and paste the following commands for '3-gcve' - -ln -s ~/fast-config/providers/3-gcve-dev-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ -``` - -```bash -../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 - -# copy and paste the following commands for '3-gcve' - -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gcve-dev-providers.tf ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ -``` - -### Impersonating the automation service account - -The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
- -### Variable configuration - -Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: - -- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above -- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above -- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file - -The full list can be found in the [Variables](#variables) table at the bottom of this document. - -### Running the stage - -Once provider and variable values are in place and the correct user is configured, the stage can be run: - -```bash -terraform init -terraform apply -``` - -### Running in isolation - -This stage can be run in isolation by providing the necessary variables, but it's really meant to be used as part of the FAST flow after the "foundational stages" ([`0-bootstrap`](../../0-bootstrap), [`1-resman`](../../1-resman), [`2-networking`](../../2-networking-a-simple). 
- -When running in isolation, the following roles are needed on the principal used to apply Terraform: - -- on the organization or network folder level - - `roles/xpnAdmin` or a custom role which includes the following permissions - - `"compute.organizations.enableXpnResource"`, - - `"compute.organizations.disableXpnResource"`, - - `"compute.subnetworks.setIamPolicy"`, -- on each folder where projects are created - - `"roles/logging.admin"` - - `"roles/owner"` - - `"roles/resourcemanager.folderAdmin"` - - `"roles/resourcemanager.projectCreator"` -- on the host project for the Shared VPC - - `"roles/browser"` - - `"roles/compute.viewer"` -- on the organization or billing account - - `roles/billing.admin` - -The VPC host project, VPC and subnets should already exist. - - - -## Files - -| name | description | modules | resources | -|---|---|---|---| -| [main.tf](./main.tf) | GCVE private cloud for development environment. | pc-minimal | | -| [outputs.tf](./outputs.tf) | Output variables. | | google_storage_bucket_object · local_file | -| [variables-fast.tf](./variables-fast.tf) | None | | | -| [variables.tf](./variables.tf) | Module variables. | | | - -## Variables - -| name | description | type | required | default | producer | -|---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L38) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [host_project_ids](variables-fast.tf#L46) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking | -| [organization](variables-fast.tf#L54) | Organization details. 
| object({…}) | ✓ | | 00-globals |
-| [prefix](variables-fast.tf#L64) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
-| [private_cloud_configs](variables.tf#L49) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | ✓ | | |
-| [vpc_self_links](variables-fast.tf#L74) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking |
-| [groups_gcve](variables.tf#L17) | GCVE groups. | object({…}) | | {…} | |
-| [iam](variables.tf#L30) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | |
-| [labels](variables.tf#L37) | Project-level labels. | map(string) | | {} | |
-| [outputs_location](variables.tf#L43) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | |
-| [project_services](variables.tf#L71) | Additional project services to enable. | list(string) | | [] | |
-
-## Outputs
-
-| name | description | sensitive | consumers |
-|---|---|:---:|---|
-| [project_id](outputs.tf#L46) | GCVE project id. | | |
-| [vmw_engine_network_config](outputs.tf#L51) | VMware engine network configuration. | | |
-| [vmw_engine_network_peerings](outputs.tf#L56) | The peerings created towards the user VPC or other VMware engine networks. | | |
-| [vmw_engine_private_clouds](outputs.tf#L61) | VMware engine private cloud resources. | | |
-| [vmw_private_cloud_network](outputs.tf#L66) | VMware engine network. | | |
-
diff --git a/fast/stages/3-gcve/prod/main.tf b/fast/stages/3-gcve/prod/main.tf
deleted file mode 100644
index 9853149390..0000000000
--- a/fast/stages/3-gcve/prod/main.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description GCVE private cloud for development environment.
-locals {
- groups_gcve = {
- for k, v in var.groups_gcve : k => (
- can(regex("^[a-zA-Z]+:", v))
- ? v
- : "group:${v}@${var.organization.domain}"
- )
- }
- peer_network = {
- for k, v in var.vpc_self_links : k => (
- trimprefix(v, "https://www.googleapis.com/compute/v1/")
- )
- }
-}
-
-module "gcve-pc" {
- source = "../../../../blueprints/gcve/pc-minimal"
- billing_account_id = var.billing_account.id
- folder_id = var.folder_ids.gcve-prod
- project_id = "gcve-0"
- groups = local.groups_gcve
- iam = var.iam
- labels = merge(var.labels, { environment = "prod" })
- prefix = "${var.prefix}-prod"
- project_services = var.project_services
-
- network_peerings = {
- prod-spoke-ven = {
- peer_network = local.peer_network.prod-spoke-0
- peer_project_id = var.host_project_ids.prod-spoke-0
- configure_peer_network = true
- custom_routes = {
- export_to_peer = true
- import_from_peer = true
- export_to_ven = true
- import_from_ven = true
- }
- }
- }
-
- private_cloud_configs = var.private_cloud_configs
-}
diff --git a/fast/stages/3-gcve/prod/outputs.tf b/fast/stages/3-gcve/prod/outputs.tf
deleted file mode 100644
index 5c97be0285..0000000000
--- a/fast/stages/3-gcve/prod/outputs.tf
+++ /dev/null
@@ -1,70 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# tfdoc:file:description Output variables.
-
-locals {
- tfvars = {
- project_ids = {
- gcve-dev = module.gcve-pc.project_id
- }
- vmw_engine_network_config = module.gcve-pc.vmw_engine_network_config
- vmw_engine_network_peerings = module.gcve-pc.vmw_engine_network_peerings
- vmw_engine_private_clouds = module.gcve-pc.vmw_engine_private_clouds
- vmw_private_cloud_network = module.gcve-pc.vmw_private_cloud_network
- }
-}
-
-# generate tfvars file for subsequent stages
-
-resource "local_file" "tfvars" {
- for_each = var.outputs_location == null ? {} : { 1 = 1 }
- file_permission = "0644"
- filename = "${pathexpand(var.outputs_location)}/tfvars/3-gcve-dev.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "google_storage_bucket_object" "tfvars" {
- bucket = var.automation.outputs_bucket
- name = "tfvars/3-gcve-dev.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-# outputs
-
-output "project_id" {
- description = "GCVE project id."
- value = module.gcve-pc.project_id
-}
-
-output "vmw_engine_network_config" {
- description = "VMware engine network configuration."
- value = module.gcve-pc.vmw_engine_network_config
-}
-
-output "vmw_engine_network_peerings" {
- description = "The peerings created towards the user VPC or other VMware engine networks."
- value = module.gcve-pc.vmw_engine_network_peerings
-}
-
-output "vmw_engine_private_clouds" {
- description = "VMware engine private cloud resources."
- value = module.gcve-pc.vmw_engine_private_clouds
-}
-
-output "vmw_private_cloud_network" {
- description = "VMware engine network."
- value = module.gcve-pc.vmw_private_cloud_network
-}
-
diff --git a/fast/stages/3-gcve/prod/variables.tf b/fast/stages/3-gcve/prod/variables.tf
deleted file mode 100644
index 451485c3d6..0000000000
--- a/fast/stages/3-gcve/prod/variables.tf
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * Copyright 2024 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "groups_gcve" {
- description = "GCVE groups."
- type = object({
- gcp-gcve-admins = string
- gcp-gcve-viewers = string
- })
- default = {
- gcp-gcve-admins = "gcp-gcve-admins"
- gcp-gcve-viewers = "gcp-gcve-viewers"
- }
- nullable = false
-}
-
-variable "iam" {
- description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format."
- type = map(list(string))
- default = {}
- nullable = false
-}
-
-variable "labels" {
- description = "Project-level labels."
- type = map(string)
- default = {}
-}
-
-variable "outputs_location" {
- description = "Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable."
- type = string
- default = null
-}
-
-variable "private_cloud_configs" {
- description = "The VMware private cloud configurations. The key is the unique private cloud name suffix."
- type = map(object({
- cidr = string
- zone = string
- # The key is the unique additional cluster name suffix
- additional_cluster_configs = optional(map(object({
- custom_core_count = optional(number)
- node_count = optional(number, 3)
- node_type_id = optional(string, "standard-72")
- })), {})
- management_cluster_config = optional(object({
- custom_core_count = optional(number)
- name = optional(string, "mgmt-cluster")
- node_count = optional(number, 3)
- node_type_id = optional(string, "standard-72")
- }), {})
- description = optional(string, "Managed by Terraform.")
- }))
- nullable = false
-}
-
-variable "project_services" {
- description = "Additional project services to enable."
- type = list(string)
- default = []
- nullable = false
-}
diff --git a/fast/stages/diagrams.excalidraw.gz b/fast/stages/diagrams.excalidraw.gz deleted file mode 100644 index c892828838fedd31d0e6022b67b98d9156bfbd59..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 95456 zcmV)dK&QVSiwFpJ<`riE17vAoXL4a}b1r3gV_|G*WO8A50PI~^bK=OdexF~_;dvc& zYG3BfVB-~Uc)xMN!475-W;6E0`R_LiVr!p=TT8(nA@VfJtxjw4&`VG4Sx5(u0eS6p|O-j}WgKq!t|NO^!!YbMA zkEbfFO1sh-^r77U!QX%U_-FE8*L!-E(xA|(wJMVbCbyhdVZ_wpBEF$R?~+^H5?{fcwPT-tdV=HHL+YA3CpXkz>9I{iG#bezYl zjaDl^cxz3h?c4B$&b|JiXE!T%jq;%W*)Xo_v!}}Tz`TBTyJrt;^-iU4ng!3U+TB8_ zF?gGNHkw`iXq&%(I9JRUVyUHtso+v8L&U3yW!hNui7ixWHxx zvy@sGXq!?Xsp3LApFD+G%sJ3vfQJNU{a|ZQ8dgvB;luFsE<2E|)3;3X<;(}RC>K~T zpwbHZ1+0;~ihZCKv7jRqa1;<*3P#-ZtOm35pSUe(mhw|t^IKBa*uYE?U(yJ;DK%2W zn>D^hN3(KykfR5uk4J}K+dH={RFdG(`Vni8SFTab(r27Tj!XM_+ADxwgA(QpmgxTSdJueRp5q_FWJ zn#(s@Kr{kY0M5Af=4a#Rh^CrctH*ljy0F)|c+kyWFP)+rj%WlS0hCxt0xmGoL@Y$J zux1v}WVmS@VQ8rD<7c265-bC{iU@(JbUw%x&9Y#$;}paN-auUO$4@|0ges+=OSc=* z9Hjn*h=wdo81w|iikVpEyqi09D}Ofx^VL%GThh$l^4wj(ml$JF`F-Cc3R@e3H2un-nVQ4@xdY{|b=7KR?t8uS>5G?xpq#pqvB zOKFY;)>=}gghw2YVoPBpl!;9s;E1jO@D#uZk_u_~XUju*-w9xmT})&#t|*d70Nr3* z5WNgw%rY}0bkZG?{C05WtF-2~tgb8K*`P8Wc+xS#ed!nm+=Nk_aZfmVj}B+S5#KoA zY~iUG&`kew3rVWl?*E`vs?(3%w(*v{AQl;C}ZMyJwS z))u?hs5Lr;)^*^!3&VkZRq20x$e=f@xZ9#~ICD@e!UGY}l=ebIh1ufO86Zjun5ePx zin#5f=zw^iS1Gslw2F=!OK0e#amp2{Mk+hg(NDGD-QO^2`DX3!!EEiy%n>j&= z{aJ1#RR1$O`FY^Fh39bHp{+Aq_b>9f@J7Svq%?9mIzjc{57kq?dJ@Cq%Xe2BWY&9p z^NA_dppbeKd(&gW`{rdjH*JCHPw&T>$GiJY2TlymIMG@WO)*+pE51!pPA-K+1kq&fYI-d}&ICCprN51E z5`?KFo`h3G$IbEK1sU6e(#az^L%Q}z>bXjO%W-pyVw{p<8D%wkf}06$Cb$^~ZVD_W ztMfgl)#VCnrP60_Riy^|XD@eqhwa^`mwfYR%Yk!?LY$NQIzqD0orwu@Cdio}XFMTJ zMTl8x>V=#tI&#unPTI$HlFFRjT^-&wM`|EzTaKLD6XPVDX^EIhaC3Ss!Oa9WC#BcK zO|*D*wtXB44!2#qVO+SWqvPi2twS4E>FaVWeK>w9qsPOi*Y2j{CKVPHT4>zfvc3%3fC7v-(MwOC;CzI-**M3jr^wp&p9$y{$QkYm&QQ##~ zBTT6hYeI2Yg^N1~*8Jd@t6LIYt^2*-P~+kktozL|*SCa(tBv04J-&gXw@HpGd;&(h zE9}D12! 
zIo)*7WY{=Ol9=c;!ixcRCb@+3oI60?<*2F_V@> zA*mx&C@stgpbM+~(KRvm@2`EVf@q!G3XlM#4k!Flair}MH zq8~r~@u@N+Y!1mVsh06tjWabi4r2v?fn;pWzMG-}0m(oN4g6p&)mlQU^%Os_x|NYJ z-r7Q1&H@kuOf+i*ps&I^BDiC*N!QI`9Aoe{3=BOqr%$lnA+RtdBqtJZ1zc>RLj~Lj z&hNhghGWTuX2LU4vKO87=lh(X``yFZ>GAcbbk0ZVV>H}y($5hnH{4**NJJ?A%)HfV zNtbjm=U*)I$@%^HynAlghl+i2erk?#0CNf3IhauXe>LR~WB_YE?%@!u1ZL|#|Gm)Z zn+RCrfRknbJ2+CxYxf+uj~)Z6sjM z-uTb#PcsDzKA3G%@JlIugA?)x*1OaIzdEJwb){1fViBCnqoCKCeG_Z2WXy#_xPDcX^iZ!R_FKD;^wUNpp@cjEpdDgWp5v zql?HgAwtF`$7CvK`Ovj;Ffem-!Z_nZ5RA!U_!Du0IX4!C5ym1kav&_T)<;2&+Dz`_ zxo}yEnH<Xyx~LR-4Ko^;xhRGLF7pe{<72#xgyHy*}7 zdcbd2TAO@n5x8_n?_z2(b8G{&AD-+Y2@P4zllx^z3VS{kyF{tD+bk7xpDruadMXzp z-^vyd(txX5Y*-(!jwzcEO;f%z=w>EIa_oIH%AhxpPCjB`M!A{#Hb)=G@F_KF!Pmf7n6(AwFsQkSlBJt#$;K=tjFM8! zrNA)Kg^oPIO~);>H$s4bT2lq%*?L_ofCyks0M!UWE3N`tebA3pmQ>6Qm5R9^Q}Jq9 zuy`w*KuGJYZlNKa`vnZyaKZ%LVCH7ML+FRm3De`%u-H39wd{H)EH^- z0m-}vySjTg^I(-k6cBXY-~56D`{`j*1ikt z&Z>PGubu^pwz3ffw%h6^8aIS&1Yz=Da{y$VG0c(Y9NkfL!o=$6C3RKLD0QN997PH1^T>h0=e&uFoB3l1G`IR=%&{ax)fncN1%6@n!1NnC<6XM zBnB~cV3FY3c*L&EV$&CXc(8yv+T=-(?*AhOJ}S7``mg!dO+0MI;0qAwe}pCcLH_^p z-8JQ#1}F%CtRnEi>$cxCelpoxflRNg+r`uH4rNqA8)Cd-a*UOS{ra*b z_%eOI>Ek}p7H61Aum=VNXknYiwoNf94s04HQ%s-Nl7T<+6cae8f=c8{jy`$(>oZI- zg|CCxaBj>DQ!KL*!EN{T87A+({Z$i8aY-|6EVH9vF?MV(wSldQ}ngc9@7>aWi&`7DlHV{XZF@#Y52EqTlL)ww0V_WSDGl3x%1nyIDO zq=~z=;_b|Dnpuj;65_VhxS?bN5`mbEZ+@&v!(a>49(hKXax0v$Q>;H-8`uDGCnCQaZ!A%)Qb6G zPs0n1}N1ilu{+TS4p|Z^3Tb;;q&tE&c2~t$u$;p)(evoPdZ5|-6(Pv z9Yt~?`=HKG&TpU7o$J$sT!X(CZZ_NbA_&0{#K9OTjHfWnEI408NT35$GmbP2L;mL* zMnDnY7B9E9Oi;XeA$RE2g8jKUtY9+jrj6< zS2Nzw@`=bx)He$QwN;20-@A>~T>&%;xGQQlXBhfFWkL8qgB|Bg>$FYO(t{1nFp zU<=l7TXHFVI~eM}@bvV$B1a?a z1@z>2rsC_aTz?TBJhRn{M87k+uRn5f$LrVQDYhqD?sZiRIG8}N^(#Rza|HBX!ILns zRbUq?*H&Aa(4faZVlSQ?ycHxeu$)?aX}c^7f5o8^M#Tn*vjIZ0mK3E0`teGIR~yQ zn^J#zxOh&aK4Dz}s912l(y3_hi)QD!R)}33^fRLJGVOelk}oBWOBeDbeI}Fr$I%#D z?BsrE*x`<_L*o)QF5wUtG%jJ|5)OtN;}SM5VdE0sQI{}+x$Q;yVObLDnFewdp7Wf;9;c 
z5{2^$V`MQ&LO^E2I(eeC{LRUcXw_P|n7AEb`S(EPnhw@nv(sVq3b>;P^0XF7f+Qzb<@V&ca$ZkQ57Q5oZj>iiyQfKk^uX;8PtOb+x*# z!&9io+Q3fdYZXba_uJ_!nHcwT`#VmdIEyo_9HP@0l~UemjDKD>0->3?7HohS{$%*m z`(e7?`Fy$2*i6^E`45<`ck^#e*SlTldgsHJIM;&Q?k!wy!n38=^fA^WFAw&4;^p*g z+#*0IvfIv<2#-rG0FF39NQs524=qRv)Ll@Hhy+rJy%U$W!Qn(0(SpZ#?nyU%$?zrr zvrW&t&4_^Md1rdwxn67sG)Ya*J0H5l7eDOv^jd^3K&~ zXje58b)Zu6~l7b8r9!-OToWHi5j zW;TA)^6q;AOs3_XX?f>2kv5uTrsdt%M3-P{!mo;5%fD_{s2EKaYa~}3Wo}|;i58a6 zF>y28ajvve(IqJaB`C1xoncCbDZL-2=bhm3(_NfaDS8sGQs9*@(bBFf~|&EZ*b!V<{I zgpLN6k4)H!Mq+SVpWYQ-`eOg#@8MGGcD*Z)YRy=?*BJhhws)>~|8fD2IlL|*iJp#1 z2v=uyB|MU3E*j0}`lNSII~&$3$GPdvbvLu!1{jip#{oi!MB1qV2K8qoAwtHr`jmGhMS2G&N>zw@` z=bx(+eou*GEP&BsPFxj^tKkWM{@Chu_A9(_TAkip_75_X{%vQ+2|pw7wT{xkEP$6S zyt7j4^{T2Wf6BjjPNWLQu(u67=a7;PByyHrsSMnrtOr ze%$fjkH39Pu(3_|MIv43UXoI&lX!o`E|g>gtBV6fQ7{t0JRt;mcc%N}URzyMB!GwpK~m%W}-o<|A5aV{SL=GSGh3d(UlYYkI6mUWN9WX3G zwJ@?Ra@)d3RCjZcLD^r1^#5qmZ~V3{XNLk$?{r!0S!G0EHxNizu1YM8@Ysowb(p$4 zNFH8vI>Vb`?f3{ijyn7qAt-R zqN{9yZ(=Z+v=@mjxo&kY0gEb1g2M07;mRB^-lyTadHKI}xfw%Ia5Kli?AKeTLj*Zz z5KInxT_3=~Fy~8IBc{xP~%|4S%7v#P;JKvC+w{VYF-0=9OYgzg~myHz+0%7%_kqm z`(1YsrWQpo2JKP9Y-y~3Fj}32=!grJ*fD=X4R(ic)^joGV|f{^2((`2D{^=+mwkUo zn@k=Z{vN{P?0NNtsrGs1)?#G*G#b=VBl!?5&i3>RjudAp2X4qH$FS!CKXh36Gn|E` z6PE}RT?vY`1fD0(B3u9G@BFLaI<8cfF&0Z67YZ!bS)He={VJAZLkW@!21SE>eLL-` zbC`#YjFkZM@XD_3X?qU-xz`--!8q-~o;C*u<@WEc{$|i?@BKHOIQwUB2xA%kv)3Cm zes}vYDXUEz{%Jo|4`IMM)J@?)mrO%B$mNxcB>4Z_@q!Ywzja-mCZ8uug}+yA`|Lo6J5M%olR} zcQ=1;Pxq?j?%rr<@70?1x~+Nk@9uuPH>&NWYw!=4R{!i(U?KzC+ACM9PyfKG9@xNp z_Qu26C1Ig|Ga7Bn@A}mk25Zxs838d;$}1JJy@F@IHX5g|4s0~4vx|PZk|NXc(UxNv z7$XE&J0b{da7@`eFXfFHNvu69aE2D~M+$j&Ki&+)n0C%^ru%Dpa3i+t+t=PeBCz~E zYjbBntk;jV?Xlf{Th5wm^!iUQ?KRE#FRZ@V3a;3C5!b$(1g$^1FHf1ah-U;4CMMUe z4R^(yPI#cGUQZK=LH7BmniQAhAa$O4$@L=ziZ3X8qco0nGX}x{B;u4mUwhJJ}yq> zV`^X3%cr?qjpUC-q4eS`k=SkE`QiB!tDXJcu+I{V5{(0&^Kn<#RP~h=j;${F>Z?Z^ zdlRJ93B#0FRSASlo%xha3D z+BI4$FY~7;WSY697%Z2->{G*@410P%{JZwONvrDWYJ!>2nzF$gwx9OvyY#CrQc(Je zfh8!u(zI{Nv{=Frxe~z@D89P6(aPq&N&3S6pd>6o+AeN)g>zVY65J 
zCWwr=g)J+1Y@cS;>N|d$l~ahws| z^pFCB=48{h7GLXcLP{4J>XmIM)9Yu3GKKB|24@(z z4&10CepEqkQY$1P$(ZhDZP8$o6ZKT{f0M8lCEyrWDEo*uKXd;R?& z{Jx(nAKgvpi*=>=e!f_#qjx$$7wWfmE660YmPiOuIJ57YegFM< z4?}=~%89VR4*QICYloO3@?ZO>aBfYADUz^+|Fc^^#N_^N|5Su2s?oeXES+1-xMrrC zJ*>Yiz~uhi)($X5g&*6&l|0qgkmi|ENXs>Wc^IB6*(q{@QV-8}*Ug(r;ix$%o#(2% z&6Oe!FWJhj+Vw9AFA-&lU_}i>lnhaNKi(n_0Kt;#4hsCUw|f29l1F;v2C*gA^vx}b zExC_x-Pn@X^IJEzx(M0{UqJ5cP6j_RBB}BbaqlS`g(9NcdEPgysW5z&R zElaotmY%|srlZ@3QMH~;^6a&hAVY1y?KW%kN<=S*|_H7dU>zQ9VdK90P1yL=p z;cWQ#=BpNQ#bGBBLNT7-V~}lJ=}2u#btcfJOr#XFu=*C1nMgt*f3eO z+H7FcXG5P1eR@BP0*B9+8;#8xSJ46 zSV2RC{0(6;gz5b-`Wu@u0i(ZR^fz2Dwgc&rMt{SHFL~?ZW6UH+)IB}&d4*DvRwFwp zT;9c+r_)ZVlg&KkoQ)-SkuOo8?+OvZiQp7jo9erMX?mp2+kr{RgQEV1Eg81-ei-!) zqrPF(H(Z^DMt#GmZ@gwUdAA^wg5g>FQ8(r^4bPm8_i4YkpEzj@bM@=|%kfb=Q)q5C za|+IE;&BTov`|>+l5FqZtlOZzA(*6=#gGZjy?ti5lTqJTaezjBFkyBJ|o z1olIdkn{eT+4YU~#`lDmjP{1n-te198_hDKy|FE^C1AMlYru1JVM<9WJX7lIS4io( zS7?+DdGfh%cyZe3*LIvK?NDq9>lmS~;xkO??K8uajQEDz^^Ew&{97Zw5k4DzTLMc) zd}D>PL$M}r@eS-Pz5(_D*9~#p0!v90o;OXcPB~U=ou-a!cXqp5$xI8dnSB#)T2p*O zQ52V$Ah2mH1Z!(CutazqQ&@QfGq6;!cVKB_@eR!4Txv%j%w$+ZE|H~W?F}L+Ol(Gi zdf?ErTB~q$m=`2fI6Hc|xuD%n@sqSh`^dg7)KA&XO|p2EZWLRMqwe2BrPkKoD35B* zr&zn!82%ac4fp#;rN2?uM9&pYnDm4b%7_L?*ZR>U4v!|SgKO*T(jwF9L%x1EJRnbL zc^xU5)XKwqJ7PG&I{ZMHZWE#9D;BkUBN+H-l;bpP; zviN`#8CL-N3P_J7g#^=Z5nYt7Ggn9i<@iOn^#7e-^lc8lZ?6Aa7ZI2PHP<(;90Rjo zZ$0}(el>2h*~3(BS{e3RK%RY!W1z(SA^f?L1_f%^bYa*&i?jdEW< z?>HtF@F=3=qq+jld7b9-XLD`ox%>c=FXlOG^|3TxSL85oQeNu z@5-7|S(@$p{T0OdUN0Rr506ebp(xJ8jxdgvjsYh`6+g0CW$VG#&UftP!1z*$G3VF}PQ#B%QH3;2J^0n$pH`>ZP4%m-VymBOv{Im#MsIey?fYuE@A&Ao zX0_H|f?A7Zpm7O1U+l2{O@M$UQNooscF6G9AvfDY*?Bn9{ zv$j9~6e|yn)}Mb;y=wQVQLd(n+y`G?>m&haiAMHu&Q zAYab@Rn`%F|;7U)8Zo7rI z`pppYO}Dai^wD#g^C+wX1^(L;esp;F+1R;#e7Ne|cLsXz@g`UA=g8sfio*{D@#k=+ zU=l!@Q_ZIokQN35kQyYClwe8z(VT_wM>5A!JUpeWMe*;!WIO;!S%XIx68!nFf=OOb zE0+81?l1)cqy5}N8%&kE)nXsk{-0L6mUs-?U`3g)lCx~i5`!7TiMcci8S_awuQK8 zG#;)`Rvd|d2w^XE$~hrMYOAMq-MJ;0w~Bl2N@?mMi?JdRQSf9zPjP@dMjGx0Mtyh}2WDIjE*axAP+qv)DM7 
z4INVWDk#Rd!qaVD=fO5@c;GlRSB3uW-QFds+%qmO4%GGi<5z%VI@+;Z3S%8mFkHZh zVS&5O!jFK%FzSG`QbKB`wPF5g&S8L~R;x+3s2m4zts{X!5d~_EQ?D4Vm|-w@(o-8N z^>2yc^3aJiH2rRM?_U3V;lTgbm!C$Xt$$%r$&|F<9>+4)9zJJ&m#yU+c{hw>m( zpf`Wp2iLbd@%9mof8*I2;s}fFL@ghMN+!)*G3me(#VWyE6EdgV!=n4n#8K43Q?imX zidj8lL>b#UbtpV57>}`*D>{4dQ!#?IZnbw9_NTU#sg#t05>&42hxjvO`Wb!q+^Jkv zj;{~1r{#jC7r8M%O}R2;2tcNwAkX+w?LPVaJ5pr)7bL!B zmg4ww|Kt8|WFf9N4no^_Amy77!VQ@6xQ9gjlIfIy|j6BDth*S z4YJqi;Swmx=P&-BYfXo8V-u_R&EI~$^WXoScio)G+~1$|u7{n=!fB@2(0^;aml&?A z+AntZ`1GLAJ88?uO#N`HROp4f?##qap*Asi4p)8&wZEF_Tx>O7N8y(r$a41h?PYfu zbXRtosbH#r^5YJU7vAlL$Gg+phckV1P|WswyZ!3j>oYI3_E-Cusl_B20`kCc$&H!b z!BR#$ihyet!k{oxQv-{5%Cyvkzs+JDI5{BBf-^kVtgY*~?v;q-g_aAPsJNDlMg@ zAn^1-fU$C4hb0Ld;edTab z0s|skyUqr?U~xY@EZ*%sq-(-v_t~57hE5-^IWAg< z3yGz+rNK&MD~yYjNJ*KyK5PPv2{1OqVB6P^xBLD3 z{^Lo#!pf!7^#;axW1mX}MuxRPtq9JiO@J{0#snC{Fh(u~9+L5b#cX(3tkJJ2DyX z-RR@+u(;8z=Xz(4TP@w$OK;u29A>Nc`89{dH3~0kV~Nt7B-_ymFebnl2VW!@Uz6N> zKROp7m3-s*q*c1ewYODkm`M-F>GpYhy@7F!!i$Dc%!M}zVN7r_!Nu^n=->KTXa!4= z5Kmk@36G19;`KazTqzusGnuQKY<~Z_z8h~%?f7xg3OwGEDSp8l zj`?ykgAZ=|7;wK!xZ?C3EPBr|UvCEIqWR{@3-fYxazT3ZjK0er}KDQ1#1^J}c91~;R_FEz*YQhbSG_bW; z0*MJECXo11CdK%cZPStg(QKsJ=w`~c4MXFdZs!ojRpDVQKiF=0FkU(fl> zXGMJueosmnlp~hCzpd=#d-db=;s_USakVx0T}da};|eUM0r-lsQ#|n$+}PQ-fjhn;_feid zI_qedQbn*1EU>BI*vj0wqtvlVXhHyKjHQb3#hxwYjsQp_$S=6zT8c<3YZh*Tz8>>v z-X{y56ZUTA<8GB-o2*!$WW1{^UK5x*Z_y1jX8c$QB4qvBP2={k(9}yDZs`b>uRC`w z)gY~Ixzc;eWpZb=+F2vsCS>t5A*~%)veKX=5mZjqwS*<=fa;Q1`4DVR$*F;@5)%?w z0Lmy4w3(FL;3eqqk$ zliTRebUycvzT^VN7ug~LCh!Z|C3Z|%b#^4Qumrr3*M8!bj!<4Qf46aPbJ?yHUYf0| z!SQ{1TkYl6n;sdgX~$vqgd$XMe|l7u6;rFtr$^JD`D``qXJW4YM7|&S2oqTf)Cj~= zPzq$ij(!b0q7GL?A&^OFr6rSi+umq!S%J=gIe-;LQeh=5L8Zh5cvFWk z%hf0~!QvGI6*qSn=ni5HCVp69C&tGdG&su)!CI1<2KrL&z}>)IfItSES8PHf&%C+N z*n|Vd27tk-)QW-|3!%8@O`UWwGe-&R6~{4NvDl+k;N`JZfg+ z^G6T4<_%Mg6=y?AIm*H^G#nPnbiJAN+BFlBYZ-h}E}=ueh7NryJ4=ZL^~NT(=K|Yi zMq|4TJE;^G*fxV@%R%dtiR-P*wwdSXzPxSbId@;*HuHJ7KecZb+i+suW&CX$XL0Rp z#|@i(OdrZCo@*XJh7@xYxMoYWG_Vw= 
zTT-r0WC(bcX34HuLWDkF0irJbuIjkL*;b*r!MpAxN?H`Mt~ROfKlmm*LAhJTtPC&P zi2!K{>UbhUA^k3lh0vp9TNymSxw3us-37<@9#;Uf6NbSJFFJqkVGnRFQV@J9i$3D_ zs0gag~nCDh`^Y;35uOy1Y6(>bO=|srhIT*5%9Bc9UvZ6&oM8M0GvY^B$kycT6 z=e$o^1fP+HfJ|Uoj`+GqNn%*$cu+9eF-w@y`wPHNQ>qQNP6vP_lh8;&v>Pfg{n7%a znNaa~1M-1@DJTt+P)#1Zrm&EO1o1!=Xb2OAC~${!4pN_ka@W<4A>x%NMdEg-GW)04t7m*9;b3BpqK(2 zfvbUM3ig|^PF2v8q)10h zmJqk4#tkLkNQwH`+}?u{F-3g)&RZ>o28!&N3S+}FqHK}B7DOd~oH?#{@_IPTymW8B zixG{+R#*ac4D zkq$$w!#HDL-3;uK@bUe)$^cIDAj+90jH$prbQjlqMSgzry4fu^ZqNTd9rcfIhHfGx zYp`U-x9wj{+cO1G@8SS^)oUdcwX&pJ>4jl z)8%%zns!x7!S^?sjXIjuKV=wqwL4*P{YJUi{QN+_-5I}IhF>g#Xz9+*P`lfxH(JH! zdBCq12mN-w+Izd1es@rH&qsCdGj+;gaxPF5k;8c+g;2hwCMd;lAm#viK}CeNzB!S( zzd!3;4?CBI(@e9W|JHghu|h?q*t@I7iWL^mP+D*@82l#2l^6F`fQLy(5luNreTIG9 ze6hkPQ?+UVtT4(UQc24V!@|zYLqc)ua6mK$uucRhcUOtDj~14SV}=X&)=-fw`eSj8 zm)D0&{O=bG9Ro&0yTs|&C6Q}j)wiGCf2-o1(Ra_C%4OyF`Y?N1E@*m@J8`33tz91A zD8boV32;m>=z|^NsVnK_pL(%_>jHqA0Q=z>h{FtM_jMXClOk(oUj79_E$zP`@ins) zBT^cFq%y=z|M?TCxWsmnhI*#7L};|D+AntZ`1GLAJ88?uO#N`HROqcZQcEid(PS&C7ts$A_R{1CRE{s$FnbumWj3yFWAA9WJaP44(Q3?U9M*u9%K$Wt< z=?(YU!1+O>qL}`rTq#4#2;MA=VZ=ep1Mej<9Fq@sM`2|;{+;$+sr^JHMmVqHJ=JdgQRzuwZc-Vg*9{PyoQip|Ebk#vL zVhDH(p)q{nRn%~{vMV>ZM<|W=$%Ex9B1I??C3k+p*Ax*Ct%yjv)Nc1-?u(u8mP4LD z9hVmJ51Ls2eI&spP(trkTU!xIkv?^Aiu`EEj<(5;tu&tZE?-LVW{1RYx0Ep9Xr&nL zxB^m6OCgJ!ir`6r4};qwVrpd3(nCtD#!97GyS2<=puz|iJ2lkPYG(r`#&RH{?oY3& z)rOB_G~4x5uiEbeo#_2(js6dQvFBsK&1$W`1p5sf#IkLfO670M+G;KgwVn~s^YFHO zv0cA=B>OU3J~`SgUfIpoV?)Ji%dtm5fm=Ip^BmkB&>rPt=p$3sf;vESL5_1OjnaH- zU~xu3!3|Tzs3t(Y;Bk32LYX#bNkHgHtAmOO-|h`EjYc&K59EnG74`>P?F0FJ;maQ| z`*O2AsH7Sd7#XgGZ}!)IzaE#F`=)-7c`jQ@!437^=(q@P=5n*OnXdNq@ldul$VtIG z0H$swYJ5 zhF{05Wn7P8@gS)PGvG$Cf2QC=AzMiYn2;4p0a$1|C9<@z&S>8rXqhxzE(qC6?b|6q3ld=i zt288-y~dcG^zEGe^wMyV8Y@8i2=CKLSK)z?WO??ca&^*dl{UB2#oao+EUtL@njm15 z+5wlL4a4F`mikN9p9e-Ng@m#CgrgE*On@-~#)!a3fd&gK3*`lj*AcQAn@^?N^s_1P z&4*Lg=IzeQU%KAFs4z{#DrGDtJZk^*9V-BgSj>XLog|boLB<3b<3L8G4F{#@sibeh z$sw+vODpM$NIthT)tFX53NMwF@yaDx{{C2JQqW$e18w 
zf{bC15ll*8sRU0Y{r~J;X;UK0w*4y|?|peM;#Nh@!$$;BCS?#6<3*+2Of?~e4R&%mqWct7l2qYuBR#W4kgG<81!q zDMo3|*D}q*jtE*@w76(-G1}S-QVb!1J%RBiIxt>z58kg23yGIOHF5Iy(9yKOqSw_3=oso;B`j9&ml+6*8 zZRB(O&V|LY{)dsIjQQwUS>OCKeDgMgmd%2WpBA!U_#wc_iFcN}9UT>mxk;{HJU@JC zqqEGxKD*FS03Xy{77!(BeMgAj`DEzwl2iJ!Ge(DWwe?5a0H99Rn;h(KZ zfkf%a)|I>@@n6n2(l-R6KhG)Mk3OYS_lk@0>G}1EYF_6$wZWu=&v$%E3x!>ywu1>( zR4}nLrGY#cBBT`sx&t8YpPk)gP6M90Lc#ZI$&of1e5;dMtW0W%_^=Ua)ZRNjf99;N zCw~oFU|5aTuX>{~f(d0V9VIKjZpQF6=E6lL{VBZj>v_T-6mGzVz`6c{ zUet%J(Z8Smr}sPpQ?5V!?|0AoNL|_bwARFbA(ks?lGmQodKi6LCx?#%l@sM2Yx3*} z-*?a6(U;VAzg4vpoW0frY0VjDa=Fw!_LPMeQc zrQG55!EN^BW|U5KvawF%E#xK%OjA>31o$#$%f4B{6qkf@1aA>W10=IIsLYI+i!j9h zj4&ij6%mgpJm52*$w?_7_CP*i`ShBxS(JFG4=UGPhZWDV3DL!e&DkiKC#4Gs>JZjA zm|Wz`=W5t$Ozyt9I1v%Rh`s_3KRh|PW-61ok|>ibWX8tlGI1ZbyPO+&euhlt1xX_8 zCIFuXUPhYPARuC#ug+o$$01H&_=JG)A7L!QH&2+t=TZSJ#TxGAc%jrBGy0a`KoMig z9GnU-lIUCN)V$WNNf_Ka?Mis00+_u3QjNm5IRrjC3_v58L&#y?JkDAgDd#VrrAJZSow!We;=mzmI)viaMc^?@wVmpkj@Y@icx zre1&%q!|UT7uvl*54C=A=HTA_cAv;N9RiMGvxoPObBB0TYb2D!GPJ;O$mo8O50i)i zH_F6X#^tQfg`C)X6ign!@XUg_?fPRHOug4Pxsd*?JtIOM;1@!d*fC|t$r0Az_@zQ# z8`x4bIyo9n-q;h)p1zh*Lz2!bKP;=0{U%3Bx{_gvjooOa{K-+BH&weGOpca6^P3#` zPOup_^8d*1%r68@L`i9>k)=k{7d9J!gh4URO)2Kt`s2s#fU^RkPmay5M+yEa)Dyr| zkq{(cX7)-FA=m7X)}NsvgZl*x*$pa0mM_n!ka6_z zv^^6=EIJpe$ZS8Cy*Pavu(WQx-!+RDcc(kfh0Kx|g~<;yRbh^om%aCC#Y`)Xgk3MQ zWa#(nGpN%TX$aiNV%WLCf|-(t0yr)Pi5o1KQ3UY@_=JV_c4ooMvv*%!F!OwNUtciu z8Qed$VisF>VqRbT+m_7YTGNgjLUx@CF(i?pvYuRsN9RJFbc5f$rY5EL%FWr~`LI-e z?#5fW``fvYz^+kgF;e+v6D?or*zV+oz^+XtQz^VR|64BfH*%risLq*&byO&#z|y18 zgK6N2Ab2v7EX<03Eq>uYktc-inh?#S$L)wgYzg7wtRWEmk29H5l3FB|FK>3}vL5?j^dJGOF*o3{Kc) zBJP?9krS{;MEGV$Bm8ni!U%|JU^UoC?qH!k&PKpzxIz#q5XnC%`-<4r+|-W5g8GL?Fxb-D$Hg=_-B-Syiyb)EVYmj6pBUtGYodjIK)>-C=G5Z z0#BeWr4)jFfFGiby!ryxQUkSGaV0sGgs>=ylb{Yl{H)XZ)mOaa3wT&%P*!4b3ujw#%2#`>tjMv^Lwu;QFxjm_4~&APX~ zsRfTD%mpS83Xi`g9rHr?&=g-Oj`F%^P|<9=-PT3wj!l zcig83AC%ggR0mfKSie#>(_tO@^fe8GF#s4?u3?QEh9)5^>>DIHJa+)>P@==Te_u^> 
z_&vX`COZ5^_|N1yV(U%ZPb=QR+)|n&rkN1;OpO~#c0s^R1{H5I^iO#UyQI__jHvi_ zuHK!CtUhivx`j+Nb=3a0oiJb2b-~DmFba%AAw$wQ_(V+e`e6A0G6nO21p{~(%fWQ-&J(nKRE~_FCSWyX-T;MSE{bJ^*G_K}fJC}WN zoV%_a-{0Le=ZR4I8E0At&pLN^);#Q22dUeHKHW8@#4y9N=dx|NiQeGWnToeKt=H$? zVC2lD?7l}lCb$nIk_XCbI^kUL+PA2*B zYqNTOiQ2Z!`h4j=aiPGi@Zkc0pUVr#|~ zupX^u?0U+Cl&g>w8ky>e8|vq6TX6zG2ek~#DO(=&*YF^#I1$K_HtU^LoLIi!Do$9% zi62LfFs1^T>L8wZqJ!w{DD&(H)*|_5ny5a=%kJHXjmVy}Bc)yXVcJ~HpU&91<#x$U zni<&?k)=k{msOkycypt^S;dLj4OVet_O4Z&*bBu8B7IL;5^Rp=!QgqSZzb1|CcSQp z^kwgb*862N7DMMQrwY4Hg#-r+fdS{(q=WW(#mwwzHg#UYjuTiq^w-cKt2wcmpSPM5 zR&&C$u{~HcvzilMVnd1uAjtDIQRm1|Dmob&(S!R|X?)bUJFMKMC(niM$>qy_lOaJ} zM9mn3sd6d(<+uKHVu&cMFh_Gmi7XTP+nJD6oUn=$R&l~B-Deditm4F!75OSoU@akF zkyLpummNl@MQ06p((TK`o59(&Bl0i3PT^7SIxPy@Oe9>T5S3uC5HN{dmYl%UBwQ6% zcFoLEqv^|PPFT%}0LN)HCq7^MsX0M}ujT|iYM^5apO|y&>F92~nJ6dUZ&0E2q@4O? z@pX73=Y#v*bn79frS>M>fiWe34~pA8!q%xzUsiX*>P}eQiP;@icjB`>t2+TSLnwdU z35fBvS^w}<;yQ{>iu#?0$LmD7)H}^z)(%?EYr2xk?Y8a&1}@=(Wx!a1yMQ^avplO!#^WB;r;z_ z2~PN-1^6pp!3iZKfT@~o4OsvS933q#&Kz_&8KobOu8FL^U121L7dws?N--CloMK9o zk9~3rXaP~OYxMjW)(nB0#@j;+&0LJZbDPa2KndpJ*&wu#5ZqCzLn{-!US}?9nmQ`g zZl~XF$&d~^`FSwtp484tMS4#-IZa%lYPr}NC$|6wpWpbO&wqW|Po;ZR9j2bjoW9mG z%o!l*R10&RoU`+~30VH?^PT_uS5Ujx4^N3<&N+OzM7O;Cdh~vrc}Fp{`+QPMVf9|j z7bm$|m5GvS$#e|u9^I!3=~kK`YtSYTkgg34RLi@zzG z!6OM3lE1;h$2jiXR*i^ z76kaSv0z03{}q?$Z_OkYW1a;JBD?vrf0U-@wV4%giwoqyz=R zjQ!Vc|2%SXtWC0&Smc~uv&d{02B4!&HCq|Q^F7u5?)!>LZ^jJ3!QO5r#X!w8RFi^xrV%Y zxt32SMD8G;Yu-QKwcj#N?}=U4iU>i@cvG-j1x`!^Cz{)6{r5EsoEA7gKD{;0sWdk` z-@Vta)=*=vH0oJ|PgJj#zs}dv?Z*O1R(BmZ33s(36hOcnO2CUXd-p2M$tYtYykxHh zP79nCIAZ}$BZ|w3MBWQTYsixot2ft)!zaaLncX(ea$}L;-Tg++eadrcOo&oQTIif! 
zv(Raw^W)Rof=;d^l0q==6{0l`?I&>Vw0l{rrR33LLnqJc)rU%dzmapF(wq=GV2U{7 zcFWZCnuSgaogbgx9_wU?31BQURGG)lH4Xta3Wy6W@@#xuXkDbx63K1JZaae=PCkZzE!7(?t()kG0ErNgV7Ft~X1)KinnA=+c!u7oO zX1DL0_r^vZj3^?!1D{NE?_EFWUMFZ_m>#fEc2qCsXuW#A^WK}dOoP`}go7c^9Ktqo zMt+CvVhDS{%n8B7?u(mV`#W9tHiMqcf|ef^@+e6;!4i36W-dBrmNT^Zl+9P(&dGWI zx=_0)_fKB;8Z%>Fq1+;75-tJKxwP@l^qK`t3!0mPCdSBDIR|UPq!PqCPgIDGnx~JA zhc@I#qw-ZXRk=#;IBF`2T`7&$ETR}MZ6zj@xDZBZg%~oRNwy;?&af*0vLyn8 zGW8L;N8LF}T}mj@M(qm|L{`#7(j38nxGxMg-^TguxZFtgMAOXjJJkACLRwLHK)QQoG~S#e_TkqToPV040ytf zHj6@1M`%#Gm=R(q5t2mV<&qf!OKM8i!_3e|Z#+ta%;*LR!9RpM*VD21xE-dTf({{$ z5nV{*5F&=UL@gKxt?(4&+a2(UW@GfWA|i3D81@V5@_ z;BHWUe+f4P)BxPO_wm8g=#+nO_4ZO8(TOUylBv@8W&Enk!@Z{bT)K)YKr5+$76eFT zwq%=!RU26T%x}i;&*taXg?*UVZ^kbWf}o9tp1QV-|3@?aKmxGg?H=*KT3EK}{eMW5 zoKpW}2?bAuxQ|R)F*x8Zm>o#iSM%D>RyPD)4M>>UtASk^dSL zY3mka!Q5*3GqGk~mD4mVa#wQ{PJQ@^X6 zsywGe7DNFKuBD>VUr#MWC;erHYbSE>w8!ghdQqb3&gI~nlYTDEKGw*bMS>-+=LYsc z=&Phbs@3JBfBu?S1y%S%L6qj6cI}q*|3cDl6;+?BBY|g-qDm1COxlGx!q_ym^u^AL z=-A0e2RBo6BQErHwnh>+<(hk5-fl$|46Am)Kw}N0PBYI@%{M`nfC*O$3v&Qa&5dg% zy=1ANDu4kP?-qzO(Lza|yxm1X6?mBd77|*#QuB7<;(%w*t|k-I8{gIIdEWRvXt|c4 zTBvmE)rav{tEmfL`{`0DTT(U$KmjRD{YlkjbYOVAY~Buz()|-I69?zz-ClmocDI{U z8TkaP2u2tv6*xg?w#^t}U}F#yM3{cXeDkt7;ILH~S_B5n9E649j4<@#ius7CORjk% zRv5f4z?aZoW2&r0b8?nHEni+f?jm_fn->)?5={FgTBx-~m-W=xJuaM`U&{LQ$3Vpo zCswOnO&kesA|*(223!Zc_8A_89HX`|b9mpRYLM_Vyv)%Y_6uelwhhK)UP(lpVDMgq zl(6lL2 zBIakhxTrQ;av|eec}Ijy;OaXz>>00)Dcc}SvET!dk}HDYdH7emE=8wMqSP6vRL*tX z)Nxv<1JteOx4x<0atcLZF=(t6=isReyeWgKxph{rEHbFTJ@!GMf-iY10fS%4CWK|K zSoUPu)7uL>R3Kr14%Ro>#44 zASQaD%^gEyQ`8~GchSn!1JO*+jE^{&QEo!WrZ1}u4^2@AehvHz6QhUSOlATO3m|KKoTE(HcN7ixBvPaStm!4?4n)S45MSX*f&NEvQVy(aaC=N>7kTn5wo-92J_hD2yg`WNOqMgf zz24nJjgdyCa?=cguI?SaJFrS33K%-;Zm!|KzB$+w0ak(On7QApf6YzANNYhu(=?X* z|LeQ|zN33nCye0+IuLGsmd@Qj;)z6vFsiiia&b@oh=>O%9~*6ysf@Pp|fA&>U%RLt{o&PH;)-8B^7dRWZR@LVXF0uA7mqRukTsD6ybElQU@{d z>LF60h~gp=g?RO0k>J`m#Z1g+=l|oxA_0$(L`n~T^|6uZm(@jlL&7hBAGA@02zJDO|u>N2z1z7A*TOIRMg*{1g 
zd=e|p2{^Tgh4Y-am)i0t344JFfOv)_;-=>AH<3*OBTYu6;7<>kAC%AECRe#K_yaj z4(-;CGsPrgFHhv$nmAJ|v5Dn#w|<<-|JnYjFjHKkd7UhiVGJM*+;p?a`fX7r|9M+G z$`luVYzJE+^KXANC{XY$aF9^qMyE?BkGIEJ?H(2{YTaQM<=nwub^5*OQruA{SGzUW zr(|gyQ6|^}6j2=7+Qo7u%az_&BRZp75UuF~v5TxMwTghxthnrkHj@+&eXHDA|I_8bp0e%0dTlSf`pw;a`fh zv4YB!K%L8Jo=y(y=a<*bPOo~Oy4~)|8dymn=@_1)G^(QXC^v7VHGoVhVH$)}gjH}Y zQYDnD#ZuC=w6+FD+A)R4V1ESNbhCUNq4}I~)Uw zAY=0ppG6a_g##WKSX{}#!UV^vH^ma<0A7Lp0(a1eBFJ-q*;CwDfky~-%vACNoReZ9 zTn*M#O5wE}{@4=V#{bX9OFw3 zOs>I%^h;h)Y&_J4{ntmr6$O&QOnq8Th(~w&t66z8^X(`tOz%|ye+~1ly!W{s&$??1 z^YRm1zTkChUW+R>E_OthRBAWEo*9sT5Uw2^(JIa1O$G7nHQ$|{@7}cQ(xusW5$(Y| z;aDq=Ap{J_RFT8LumRgYZu4>jDqzjNRPB+%4h?-)TJb{@ryewbl+m zLet&3?e3V1AA1jNw>EITn&QMT(74!85OxR|$c2b0?kIUs&B9J}=tx{2Hy+!UXXoUs zS*`9>soTgW)`1Q@_x>kBhv|ytU;;kA(pm~K=UNE@TnLyXKnnt&eOVir2++}JGf!BfC5}(R2IvmF~{}K6L8;7k~#Hw=wtx zGzj|c&)(v&bkO|U?em0=&F5_O#mC6m$Xin*5%y)-3KSoRa;elz}?a6j~igH8S?a6j~3Wpop?P)$Yz;=6D?{2o+ z(>hoGkN5v;P<}Q4_PhG02!qMv{(T7^qci@?!Cvv|_V~>0C%T>f^U3h}$tB;K@xSzX zGN*N6nVKx5;H(N)Hh814obu0K6LYgCZc^2ew4DF-z2C|CZL=qzt0Q4&psMPr1hLp2 z8w?IO3<2%2d(pu&Q*WQ&KHrQBw}-NMzjrW6@20-2#OB&DSLz6=%#mqR5?3y^d%|GF zrSWf=z)Mp3BM2s8{hl~DLsY^bOuK+c{hlxr%2d=8VQC}uDEBA(u4L1b;^frTpPx5FH*GHJzvZk-Wqyw)+e# zv3bA>+s&k7-ySj7n*CEY>JECnG{TxP@zC)l)I>X9BK6X!dIQ zzH-_uJSUUtyr@O_QYD{9Z7&j_qcc^bjmDtj%HH^f=Or)9^Ct>PLEH&$`AimO#zzpLWvsTaSHi^Yhfng$$X8%6gD zj!i~bCD@dVWIVDO3%r9cqQh#b+*PO9 z?)j+MRJo@oPV;xqt*689iKg%0_;G0Oef3=@nB1GxdlmZF!bf5^nK;Q7{_<|7x#O?z zpZvWr&_AsOr;k!!Ed$Sd<)(ms`V0tvh6=If44MlWF>{ zx8+<)@j`e_jEmU?mw-A`G7f<)_?~^$(KO z`b9Ivvy^sjcfIIRZ|d`O_iFFt5Q$M+J}I!h$6JX{mhG9BRe-GmY!zUu09ysvD!?1u z&MLsm?)M`VV8w&;#xT|tQQ*FQZb4>+>O=K|Ta;`MuTQJJ7HQXV({!Tzy}bfJEt54S zvB?fuR;uHVE5J${D+l;$eFEzf?5s%QU0dvPx^_PU0 zN~_T%;Fs#|z-hv&ndnM|me4d=%-_kQRPw35f4Wz+c=|D_byV8Z-h*c)evM2!`<gF^36|;F8VO zM=>%je5lb&#c8z}W_+?rD-_id9Lg|8#-8i##P~V8r#qdCtej2{9?tH)`#+y8r|#=* zop@^YvgKC0S1TQy{T>AQ>5R;(v{t2!a6_xoT9q~&ZmddcRa&dkep8iprh&miT~vTY z5tO`j*}t=p`Z20?q}qMgb4KWEl-ilE{Pe~> 
zL=x02{`+3_DP9pIlbP5Tp6;nJ{l20K=NCNmL0OY8W!3RV)g*Zwa z&9xR<6O9G)I=~;qh&UKl2ka*fte<#J^u8CF(wbu?LVeHgjd9kY^t(EE1)0~v+F21> zf={0Fz!s_)acW{-{^k8MN71q6`6%n2JrO<3pB;~qtdt)&A4Xs0bFHapasATnn8Sm> zM9nK&rXUqJ$I{`MAdS=($GHLhFhGh9tMysAEyC|;pOP&?*5pLk`E2<1&24a!tiWxby|1N(+_*Yw42G@{}}JF*r^n2BUb zu+Vaemb+ zJpuLo8$UGS_x0C1dVJ`gU8P3HC*#Lzv3EM{b}qkbNvgfeudhip^PQi6*a-!yz?zw? z8y+A6Uq*+d=le;W$@WpQa6OtH6V^+f4$|9B_yk~q0D7;1?s;553ofU7s8i}3cJ4C6UivXtq({@v z@m9i<<$LC3MPMreTM^ibz*YpdBJc*cvm)@a`~64}Skqt;STYXFDj@0XD!NZlI%wXO zYfVziJ)Y71T;*i+cy{rveF6Y2lW)v1tX74#`J@y41O;m{v`v|H3EtlOoi2fufPJox z1g(Jwop5l2ZLCa{I2Ckc;d+GtTQ-}K^=>|~j~>YAw2+r~s=w_LFpw(52{$RtFa@*e zyylz}kbFil%n+mK^AzB9>QNC>qfzkCh+1Ed53gwY`DAZ;`Eb+hosKg%BMYY=qq6m= z{Ewb1H2?M+W`K(XG&ZP)U3~>QrYn=9U0l2>6t4~o1NWquDY7l6V*>mpP6ehg0pKKl zeDj+`E5J8X*r+dZo7=|1@G*EVGAvDZ#K+ys8U1Ga#5m%l?1lOSXrt+NX3?vqTvlnz@4~ zT0+;4zi}-p2DT0pss*69)}HDYE7YPgf6uh?wnXuVkuL;+k0ksUi%~J}4vD!K)$$`M zJ4=dDDdbVees3|Vpp|T1pIMB`({_CU|dml)xzInt3MFm9#o4Qq&3fLjGDEjqxOtv0FNJu!K z8_o`=YS$@+Wk}W>bBwuWBc0|Vo<2QihnDT*GqHEuU$ve6&28P=>fdg*=e+P7#K;BE zRsxEPdB=t$TGWfm8U~;Ts?c*uj%fYyQ*OsJM|)1BJpS?8>{baU*N z*-$Is(oRJm$<|Y`T$Zj@tJL0>L@E3R(PdS+A{!T4E!%h1d@PqjZK4-lfBnbdCqL!R zPr0)!n4fazr`+jqlb>?ur`-7|_kx~sb3djTl^+lUXX1~!``Jao?)BB~dwc(+@wB{q zSl^O6e5bOx(4s)wz<%_nwTk{PQ55|7V{X79cS7Z&AQuHg_c=f2PJeeMa7`Y$6oQ!u zxEju-*4UJB*gC;rfs4w?({BC!y}nm@zSw*^y?-zE#e5%f3+CWTp++3G3EWF4==9l& zN-FFjLM_hJbd6ueMshj#0fPjvOc-JwE*4;;fQlrkE2qz=zjivO&+WU%uMqoB zou$YB@o%qu;>pdafKZmQ{NjghmQ{9?svPb=UX^#Rd*|B?<@=4Rd;Rz@?*vfDKpW42 z3=R$_rahIndf5rZ zYj3XY+qbPNu~oY}eVI$d$_XI7@~Chg70#o=c~m%$3g=PbDVEEl!sFKaFGht0AJd(R zGf-ld&_bo`vWtR7r%|}y+cgiRYPrO#t;WgoQ*p6H0bt7;_)&$Y4Ls$^v!efaSXgtI zfsvtP;9M2ts$k^Zd005^-I>rex%z2LgDP@k5DPj!Ew`*;r(ai0j_Zw}O2BN(%(l-gYv5qb*Z!KLMJ=cY+t$-8W9aM(ZxdacTW0L zahfP;wRUNZs!nQ`bzgog9G@sv;Sb04*VXDx4yj*Pl{c!2g$+LD_*`;L`Ixb&F~Kx} z@rl>-*~3L}I2jN!rzCNA&Ax)MpM9z_X8upzsLBNlLd1D58H3ERG1M%*Qx)}y1ppeK zM$LW@1-^3h7o=0w_zIR^$(^b^&l^>NSS9XcdVOQ3Dxch`N;nF)B#cZcPtd~Cmv(nv 
zPgL`1=V6&|wJW8Ka&@*XJii0vlma)>f=2iO$-Z2{XP+u#Xqr8fwKEN#iY#1nY70HjmuLI4!u~txV8`D2cu3orAa|#F zw8Gu{&eqP$=22alnrqq8+#{Os0Wl28=?F~P;ijJ4Q<0?snUaF^VyHfQ=7JFZOu=ff zE1coptC-fsaEJ!%jtOr-q;;r6{bvp!6ExV_q=l7oM9YL|PFTSNJrV1r4yUPnAest< zgCLaBX~nHo;_pMWnF#smc-Yu784Qmb`!a$eiG zJz6fkte>6k%{`(y9Wchc2T`NOK~at-C|?3XoswXf{k{m7Vl42)2DFlrEA#brzVM71 zZO|z(u2g~PkElNb0js6rIiAe`&o~{JSQ?JxrQ=}fp?ro9JTt&E#xg43`Oen$D23M|2<6=}>hpyko3xOXS-5PFU7jhSHw zRCgkFK-qD@c>GkFjR{h)G5$o>UQq6v%aP;1ha5@!WAM9?oiQPB zB;_Rnt`aBVS!!4ee;QjrzL_01R&P!!uif_5(s{YH@_KEK_V{^kwy<$W4|k@pp}B-0 zkzRWSTBcbfEs;8law-JXoGY)BgD<>A|NXn9Z(&#g4_4c*xsj|U$FR#)-U<=>whjDTdnT@20xuenB_`lm0Xx;`k^|Q zk-#gS4AsQNQijb5)JEl2b$j>iyT?n7=oV(bo{ zOsLSX&akm>Ww-V6&eraOx%F4wtH$+XuM2Z6 zbXqU1&ad`er-`lq)P`{ z;d-r7SzYp%jjfLD%+$2L(spow!q`|8!ww zi={2cX87@0^{p6(bZ|IEX&!Q!A*7o?*tAyE{y}N2z0-SKyKY~+R9Cu3uZxa!czlED zL)?RKsANL(=aJ4@NA0v+4sSJKJ_!?aQY3Z%;3-aaYQLZZUu^ai>iG>B7hsn+)it`}j`)ofl&8{lAVkLO@r| z4s>UwQu%PL_j*=7y*RusUN-t?H8=M_N5$Zj28KYHP3S1zSua@I4t5Iyc8Pms1|Khs?y|}7ZpzR90N^R=jAf*b#k&c*v3J@Je)ro!67{!Eh$?Y%Z0q$r4&eAK?bF|CR?yp5VuDqkeEFKGY zJK5pxa_{VjA3QzpTwTCC4&GOb6@I_yaEIN&rBPN&Z+xf-a~|Q2ded2|cS|de%JDA8 zyT2Citn}Ust-j(tA-Jn$hr43!=Iz$E%Ui{>o&AfmPW8$Z)V#wTcY!us7|2zjwfF*x zPc_Q|LxUM8DawgyPhy=es@2%@31tX$soD?PIVSHa@g1Mj4{3giw5d9lub)=xONZ^N z9a}p-yKXlRJ0eHA1wp!`O)&L`3(;RrhH+DUdR7Q0Wg@~kPjdwnk3E>!&5m&A>#OIc zcT=j$ZFPItdpxObzdp=4!ZB+CMeWHQwVC63G+rkItrh&92eH#OIgflwMkfM8O%99{ zMjGa245Q=J4*|c^#uzK8@_B^OF{(Y%+Na^%W21a`*St7s)XP^#>l?RAjsAfQR)Kc=H%HPE0K#siPo>S?c8=hIi17vC)rN{Ss|8Z{Q-kp-RSfM}|xRSb`KBF{MrmuVmWyd1!=#+{MQO?Nr7 zzF)I_oU`3)pN3!z*;QoX+vJw;VWw6Hs1EA*HkFxvV2G!T(Ltl;sW4==05@AOpMxP) zW0)p{B8SBHv7y7g>`b$1OXsfesQdijyd*0-FGY9TTzIAlEv*LD;SJt6Ez>LwUU6cY z8kIX?JvE6Bi}sM3hQ%q%Xa;4t;_Nfk&v7~wPCX{cN#+8R%n9EOkt7VKraxkEONTQ9 zf&R)#Z^_{}2Va<~f#EPDrGqgV$xiL_hu0HMQVkGwhI7^c0^ZV==e}KNJG~Bsqdg zt|YuwhKDik=21rnJ*bwVW2OvWmJeF_5US$#Q7_Wr)f8?RBZ}!H-Q5gV_xs`D8VRhK zmBZ^3hT4B7I!V)wdq&H*?DvQ|{J`EM5*?DSp8Cj4iNDYHqGN?GTSsuw4Q{@54 
z8bcbw3((CB3Ud4%oE+#1AJ(d=&#Z%e`3Mqg2eRw19H|b_-YlDNjJ?8DSXxO6kbH-S zmSOzzhsol0;{xbj`Qa6rp%ZY1uL~`KfByB6)qIe04tI<@$ZRYt-=82~v;SHWFa3?B z=F-OL&C7cCsQW(e2l`O+1d5(U!$P8mrdE6$=)(rRqQn-7)m&X$xXioj57fq>f8 z;aNcs<5JCN@E88nLB+D1m*>3v;{`0EUYkIC21K)9K@lvogTZ{xQkz52^Gq(95ktmS zGY0HKL>z)NLRsodFX38s`oMI!KoFyWC@?gSmPO}&J5X3FDF7@Tai!D+WxxmhzJT>$ zenQF!T@?ye4MzqhB%MuPZ_rdgQFH2nUov9K>!UCt%v`|HNsBu#ro4eVprPm-lnx$P zXl>nhXp8RMV%g2V~Zk zpx03pSDVOk+E8D8I%=@sQCUtX@W3F7BzA}JimS+aSc_WS5jmpvR~gphl+{XZjHYM! z;iGL>i>2|ta4Vol5H(rs0e1(EMp#SCFtVJM+8d}6jq&8>_Hoew9 zi&|tfMUo)T(2`8c5kr9@z+w=A8BSNC^_tY|Re+h}t7@IDUWY%9iz7B9jKT`ggFJ(n z`SH98s1YShYzvS21l{?HNA;c8latrp{#E_%-4wR3%xt^!Eq+=>QpINmUQNe@5`LBf z?@T~vhiVi)tDvCvnQ%TWPxhqWy%Davv9@>IxL$fcW)JJaaiN~gBa?v+`8qbyLg=sJ% zg{(avUe1GO8_+ZVyD>qAEeW}5xT7(Ph9*9TmvaG_E;yorRDhhxaMnagCs5MF1FaTv zcri*wq^Pst*h4OZ@j19+i7!hBQ{OckY=Z4d50}7by5%^mllqK8pJAskGwtO~z8)T}w^R`6NzRFA zr~(22ztP+PqqSn`v3f!;JO_vU%716vMApM~;m1c<)kVrmk@bThuUlyv3y6>(tz}4>`^ysDwyeE;V@#e+8Ii9A)OD;%i#&nqhz%3MUFe zrnJ@4a@VW?PT&39sSYdGySP#*0HDK^}1d%8|j@jag0-OQhAP9MZF&UkyH% zJM4UFsWj|{74)MgTml5cL8OO?1?&`_41^a7jfbWc(+g^pT1$DzM^2Flo*@lRLOU6V zWg2<}2=K#Kr>RkuC#KFNe*Xv7(-dTPTG2^>_a>4XHaJNE#UgJFf0w=-ge|1z|Fd^x zUCATS_7|B|^YG{d&f|oPCCU zET;EpGnh+7rI{fYSy;^d&30Z<)JN|XleH0_aD#b8+Cv_rOFK-Lp+06DlEb8(K$bE2i>x&;Kd7z0-)TFDV@pqC;O zruDzOnl+lI zjUS5Y5h+C$kHI<44q?!GMv#4@cS6rk@_bRy*Uj=Mh|Skb#)A7*b?J zG!p=bVmmr+L}rmA%LD`#(ZOIS*tZ-%P3h!%%#x=<&yO(^P|U^8r};LPwp5$I*H5#K*N11gSQl&UU)1A%%@-g{2kEU|pf1odRZ0 zcAQ8i56Hm-UNquq*!^VOi0TeJyJ5dD2we!siII|NkiezE1sTWmc0oA6iI!!z3PSjg zAdq$#Q3>=4Cc~p%V59^+J@N}|zzq@_7)xf{AY?`t43cUS379-YNDv+gKm(Mzp%YDc z+IV`w2Q)#{#Yb?T4J?GKTEeoSzHs2g!$a!kL>@;~WrIzQ03p|eBA_NP^(qxdmrh!ru5 z!U&CjeWlgE(%p2*$0;{@p|O>#Qpt*ZZ^61Q0Pam12so1JJN>bh!07a z2Gp-7L2}}gJN@ya81CfMEpZ0PbPKS0&70F*prL*R0Z}a@>eEXbl?dP5jp=zIbMvO<0H#5{!XCpMX zFoYHb)3Zt!N*rrcOOYF+jY^+t<(-zAJQ{SbYBxlNFuYFGJP6t{h)Ue4tj0x)S3F6AEdbYwBC&kE(B zCXxg_ACZF;yMvtBF~f;}S|cHd0Mo`I4(GvxN1~qLbU(1?Vz`wUA%00@GD}CYfW7&G 
zy}oyziBltY(k#}SbKr9*kS7;775M7mz*lPe-OAeeGh3^xmz}Fx^Z2g$JO{wXP<6nW zVC;)X{uBEa5phBye~i%2%?$XEQ6eOW37P4aYwyQBgC1C-sSMv7?(|Yb0_ja=Dkv1N zH$SkKc;%TeHEJKtV7WO5J(PzdfuBlo&%#0PVCku{{P-wK_gkuUBpSU_cKDQg(95WZ zMf(7u9>R63FFZ75-59jKd5M97D1$--E)Djebxc$o!93ynhp+zQ?n%Ufq$+UlKZ1J! z`9TTw2nQ7eR6h=;$xwY@X;WE8R$VFR69+Wo7<2=9DV@Ry(7}k~0yG=RVMGE^C=Kn= zplT?`w6dHziH<>;SP_v+4IwU#qeolM@=YhE$Y0IKiWeBib=^iq!t4vHH^PQ zMCG}ZXw5Lfc%5A}lkpHSC0Sd9v7r#cvlZ(yUNes%@oS=|f@(K~S(N(Vk zg!D3=BOPFm{tl#Y;mYtJ36b${8x;l0N~9O*ZzA0|S(DIT84%P+35=(L#MQquKuYx4 z&Sc{dXUOZMdPz6oUXp+6uvL9{xAL&Kw_Ms&exb40`;M2C97;DsFG&~~q1O%UkKjQL zB?5fJ3_TiTr3sctkIUoU@(VHEM-sxFH&Qe}Y{bb^gZPq0+`*=3fcS|1Jo+f;YaWr= zArDD`-ICeJk^ose>#Q_a4;qV&W^3i4^>+7hDyoHtls^v%x}oR@LB*>>eNg~Hj@(Hz zS@0X{i3olWGz|!M9ZxoZPkTWVp*jnF;huSNg0cm9$Nu0cFXtjb9~ra(JCAbSiT20O zuKstp`WPc5A&{c9OtnI{;Z~@7*eX}p@pE&p`P5#!yRGhCZu`7jA*~~2;eTsr(D#YB z{xhQ*waW@3iSTh|VudhAlQtAL3PhcYl=!4ZYdAQPAXB6IU*=~r8uFNyXBOrbMkv2V z2rZioJ&cG3>O=$5&#wL>pHB2akst3N$THzD*5AJ#3;~Vf+{Po~i5dB%5+bnzCnVT5J!(xPfTKVVHEGFbsGy02$qMuw18T=qNn^hGsyQ*Z8=y z-8%RugSxP>0_cG660o2)D85Irw}#a30CYf>UVy5y?Wi`WX&+pVcA#Mpslgk| zuH*+UIP|(IW|=2P!6$Cd61p(ptA;jkNINbn^&u?>2~KjZb@KVq{o^E)(+v@s0Boga zr;yZO@i2u1(r^sa(2(5qu|P*ayff!cv*BL4bOqPD2^3tJT&Yxgo!yTv@3qgmitz=L zd#9NbCSydVBgpOxFaC9!osXmvC=REC$Jl5A*B?2}f&jo1Mj>>HhLe^&wyk88-sc+oc`ygR?@34P*J(7O)@y}jy1W8tu8TKjyvxz@e&C2?SL4||ubXlP0}%y)^;uo$`Z==L+xatS|3el&;#h=IT24xCaG%Nd8)7 zg;ojO766|U9BRIVT6A7#0(>IU7$oaCGngrv&T%z4qnycjypLdg2>f>>w~6J#T!DJ? 
zi+Yn5aK;Lrw1Xj-t{M3*gD{1Wvh)pT&q3-WJAWM+;XOj|5D-@h)Z`I^Y6mx{HACnx zM3;mpltq#Qa%O@jg0})vW10zwp#@}$c!VKp2vvHGk-`bVf{AZWAT|oeM@kJr!bE?3 z@>ygrH{uY-%LUvF!B8xZKyOs?WOd-A?{fUZTKIfgNbX>^aLBu)zZ=K(xo41&O|19l zW&W81W&(y5j^AvP-yod^;~bMX3bAY|A1a5O@P+2VYWvYMd!@$sw0^1WKC9ghx7zC) zt>^tEXSZ&8vQ^!Fmc7gNdd_<<=#)iqR?j;X_tp$r?RdBtN2&>Gy;hr_>I>*)r&m_f z7z;)_!tP3j%H7nVy;f;~Otkfmj9=eV`kXCBdy)-U#B|Gjw6Jlt+1|QYIXPXve_UU0 z9=O+o{@G#+`}T14xN~*=w)WoI>1^*FF2AoArac#?edJF0`PD-^Y$B-o+10-Qbb`_O zX1s4mYd_FEgah5$^3B8M$ysTAoxScZoc218mB()tuKgm=Nd^&DEv1L(Y1$0Md4V~B zS`xBWS(R%A$`vU0{}AOIlr7DOQL&u~X3I3!SB`n@asT=B`u%lLsm6X#>_#KerXmgR7bq0;2jfc~ZrOo3OyDRrT%1i8Y zd#wPu`2e}Wir2}JW#mTt=6b*Fk8$pxG@0H=@E8tNjgQ^y%0qLfRNGzH?7nS2Ry)nR zoI{oHA~IfE6oO)c)UeF=bUiYs7u9N7s!T>0S&E>VR2XTSk}At)o=S82A(_nt2QSwv zNA}~cb5*)7FPZvkbNTA9K&v@KtBJv7^gf%xa`PaDGA<&=g^GpWQhm6maA53RTwHBe zn!Vc1$6o2wwr<#m?i2112${p6CMUg+S0FqM-!q!Ehvns*9=CovPk z45gbPUeD3hxU0_=Jn&>D{csxOHV&i zN(ew@FF4&tmiEXtI z?_T)Qquf8rIm%_^>gEUIFwu;Yf0J2uH8&vlWpE0R`~0T>x$lA;`2d(9n_hL*3kNw~ zIx2Txw#x0&mffpgop(DITW9kPanE-b=%k8n-9zR&C}Ssxk@^ zrtOiYtZ*~_qN{zLH6P9~i%&12IY(iv>VQjk}Enby_dIZNXEhBRPX@QD! 
zjEY4$!tl3e<}VsW(9kEY*pG|v;kbBx@^pH%Tif1x-Pm}2e%qG22eqr5<6>qtf`}9Z zUWop4Dc!7aaVpga7#!_rt7i`DE0A%Hk+G;o$Z<7-;?B~?0lEKy%Zp-!{1zi%!#S-S z&y_;LQ{&?Kk4a0h^@@)vJygn#9KQ4sZtP!{9cQC_hsk4 zXb|mpC`wzY=~kf-KE#78*G^iUIiqsrxr zSN`{RjQrR$G0OEFa~y;tKCIJS-!hvZRJz%E+gsgRzS{0pyuGO}>x$^){WK`rVg@tw z$othy3>E13NFp2{44n(FMu$p`@t0R->|tm>^uL;~XaJ{`nXs5|fRTK|$AAs(dNTi7 z%S<2luzh&dJ$S2JzP)cQGyPP0sWk@@IMX{7g^xRJA9v)&NL(FcD!&5@Rzh})rDagc ze1b^fq1oEqSXys%9+wVSB!ymCrjK0ULV*k4#|6tg=CP&KhLvSFEId{2E;ldv^+9!u^;qrw#ox?7EXXLH zz=lC){YUm+MFqMc&P;X+u|S0a6~2uM%1a?kY86&lg@eNFrM0$mwo$pN+3KP`JC!?U zd9OB*QbyKG3<^UFko-E6e?h@T7W&MdJ`-Gxj%*x~}CBpXi zD?%IPlyxqZLqA> z*z~Uc4X;OHpsec~C)7@+uN6fy497^(|L zhH^(7Hd%G8b*^q3ZKj@OeWjLrWXSLt@(B%sp~PNg&oC&Up@4?(Lxa~SIQ6NW_hlcB z47U7GyD0T;#eQS&{>h%-@WbugwZfoKk5s zXp_KzdPQR-FSx{i7#9{sZ;izDGxHgwpg-$fs=QixF&r6A_FTF7Ag&K?9?Q=w)ynm5 zWpmzW={NzQl^}mh`saqp)`K*9J z3nQ&lEH!1h9F7Z%>_t3O51UWR>frqC?$|%QR@|K9!moG?6XSv+OJXn+yTFA47iQ-$ zC~JgvOs7(bl?h5XmumaxZ?@FiTWHcezXdQD3Ru^&?&P==!?za=6}GTru_g zi@ip@vwT}1T`rIgDkch%6lJxi7j646dP0zhE6Ada#RhcJGW@Tk6(pTY~WwAnFGB8#vAs9Fg zbGffO=E1b5^KR*!mI98KiVsGKIf^SStin3vx3}Q|Y!1`hkX@5ZIW@xML_k$&41O77 zS?OZ|Jo?apFw$CJ4_t0-nQ@QixHfQ68D~aoZB%?X4GS#b%2MG1r*lhQ=1fkKTubc) zXWGg9By5O?($3N@7|E>@aSdaPJLjM*cxmIb2NU@tLvj*duV~FR9*$Qy#+cSIs~i@@ zfKICd141L56oOM7HOD3Q)|Qy&x6vIAa}G1>QUg9~CHPKj_3=cn*lury*B&>XF6ZZN zZzrDb$Uqnf4u}F1GSZ*pSGgOglEAi5cTa0ocF3n-dkXKw!dyz+hXR(WJ5MvpGaZztbl3>` z?JWe0Sq7v^R0$2B0^WFV=`bAuj$iJG0DSNnDJ7F3h{dl11%OM?a)F<8jLCfCQh`q) zJX2fUurl)QYh-P>6vFd zW>Zu^lm>K>3f$3Ac!A+Oo&bI1@Pom+VrFmP!_j7E1FjX-8S{cuYW-+y=K=wl0~-XG z13Gd^((s-26zV6!Lk!7jp1*R#?;gP_>0^ z3H=X)=?UqIj5i!uFd!XlYibDN9mg-1!nHwLm-l!$9jZVm4VHs0){ZuvaJev+hj&J$ z?xY=Uy=XTbqyi|$0gg(Hw40DM2GF+7L7J53Bgz_S0#()}uM#tGd?ZaEErlb%;GI!m zCeED8YAFGTpys8Pj^su`4+1apUaU2Q*m0kzG_r;Bat^qG2ds@(#w-oH;gZqC4^Muc zjaLFKZxr746Dz|w9azZNx|O$Cp|ojg)afK#N)^}ivKBSe1OTPiSUYXK)A8ZT8hp}J zBcy<1FSzG%i&dVF5RhPEPAf0K))W1|zQC74#}7yXk;CjD@|I=Ayi$p=wuzI=Hu&)g2C)lXn zZnCPEyC5u|4ltDXAtzEI+Vm9=62P3K`~x-M-ob7dLV*0F;hBH;*Z6l}4$e_0E~|(v 
zauvgR0v|`<%t5^kz5%{lfZ17U=4-(p=qins$stLQL3KIVQ80#l9|}5VDB#G2w1k-h zg{jHp+K@3g$b~CHjyWg8YOI8Evq-7`_g4^}YK-f!00YmD&S5~9SSzH5nubSTHZdS+ zq@uGyszwY;k~^Xb7_l(w`if_qje&lJn#o9K9Src>QD~6?0bg2M@};nuCf=|^25^fU z)=p8KZqAGNKadx?sluoRjfk7|@Ka3NGklB}Hu=6DXadYO#Dypd?PhE|9T*PF2|^+v zG_H^XWa&N^#$yEDTE_R-1hDLq_=A0m%@r7sc}j@K%Y@WX#>LPE+Ps}xK%T(t@~fF+ z7ePB5lR|`-gniuUtAOkh|8mq(NrLYbP(82|(iOP5bWW}k!xT-0l%EHy1Jww~vjPsK zdJc`^p2Pk9`NPjff9~dTcU5hlG#>2*JN}C2kW8)nR?h+6BbWs&B%EpP2THV=z&j8H zAR=sl%RU<_ko4ETYxeGMns;E%X<5M>_Qg{mN-3fWgU*8pfa4zih4%y=VxT3QA-$G1 z_ad^ozgg+6UC749-1X|+kHec@|3u7uhbip8_J7OPz zc+F*Y%ev8#8{83W8N4ZsL4Kldq{lJCE*gS%_=zf|$1$^vYFp%%;@!VE-}d}a++X(2 zM5Xp)p+0|cHG}Rcgl-jp+&KZ+^(^e<^36{NmRkIPSWwa+T(`ubZ$d!xp*BP4-zNuL z0xW^S3u?VK(rDArZg~hsd%Bm-czP3+&EgQ%j5c0Kp_x|{4|jBsg?Z*16E@}{%A$I| z^W0BEb-bxg{`Cj-24oTWOplsum$)i4TzmDUpbE^$`@%&hC)b?L4 z>#fahL_A_*+$4DX_s1vy`_Hg(4|;pu=SSb)|M7I}Ru*^me(c>Xj$zzocURdzv#;*< zsdX-vZs*vK=2@|E2NpJAvjk_}Nckn3b$Z?FZ=b)0nrmWzyVU%7e)SU5g%A%g!Rxzj zvv>a5>=PWsKCNDzcL^c>-Nqhv?qcB4KW{g$KEBYujx@k*qlomgd66Sb#V}&UOof+h?obLAvpI2aJbM4&8Yt}no*?2v^xnuUQ zaS+wx-v*A~0tbH+g{3oAt(}8_8mqPE`G@EtWT9AO$w3Ld9XPWc=Xk;e4#La?9l|P| ze@yrrN1KM&gUikdgd+)6M3jV>Y*eG<2ub zY9(1D+2;MLA#PE z24i@9@Y8ZOWVFX84j6@??&(^k24(k(1LMY_=-8K)t(H03-dk?4yQ=E!O*=5cgmT3w zi_>%O?IZ(ZSlv?k+-&I?FwTH+28;!Okur-7xNvHf`TgR+SbOfs*YoAYi{9~aYi)1! 
zZ2zeKbJ~GXnm~euX=}K%T4wj_{PVzQDXC40+%f?(V4MNt3>XUl<6BK3nSQ3*kcy?6ZTU8hR@O>G#%6J3yt?l#?6xZlubs!sUQ2bhk8JH>+L3XJ!i<7h zPxY$Uj5N-maR!a!AdOT`j;fufLSw5qG_EWv_IU4`@?c9f+c)~~#hHl@H0D9$6a^Xu zl_9~)=-Cm>3>s(9SR5Kn@^3%=Y0Z>&G94P*#i4P%zkYhWS8rZCK3!}+_jj9oNlkd$ z!U}gTP;^Na?s8a?Hi3-4DbmPIpgFfx`Ag#exRe_9nF+O@H4e3x+6y)Fr~k>wm?y%527s=d zbsp{U$+OPJdrP(BQmykzaqH~#4m&!i)plB^mB!ut?c7DTQk`_`>_woxHFP^nQ9^3M zI*&J`lXX9A3|2B9*uc_qYVrg@r8^LIKeqd6V_Fqg%9XDK}*^#rg}920x;WoNOm za<_lKy>xWj@%pEDs!Ta1j`slYJ28=I2D_G9E?|a{JJ#)-gaM};rFa8hN*xZz@T zycvp$!;4~3BWS9+P5BM*Z(IsEdg^Q&riE$xR}IvhrIN=+0>;xBV<}YoEGP0yzJ9rA z|NDH&KLK`;iFMw7x?Z4m554qt`{6z`hH&4V#)gv@Pvub~U+Ok*!j+~@Sa5@>7ntYK zc25xG=Qw%}EXzLufwSe2{tQUsxR6Tn?BadaDTQ6Jsn?;div!j0YC97ORGdkw^)J0P zj(S^|&q(eYQd#P_25F_fdV<^RR`H`EmD7PYjKicDrvZ+GI7JnwJgkc4kPNDOl2W|S zSSlxG(o+@w89BL0500)@g2b&HAmFcTg^%cO|)H00R)>KoXV2M z@WVktEQwQD#ptxpF5n+lIQD?Y6qu@2i^G)JtnKmEv%zRNF!~D#$Jq$9A56j29MlICsJTa4mg(( zleZW_`eE4b@d|<8E|T5)wYqAN_sy@X_OI6Ubsrnhj8sR96;`|IoW|8)Y-QEbe)_xX zs;Ni`o`muOK*9#|X(6K8Tyfpqc{yuqw{+ck*nN6zZFO9Axpy#L-5o#0Fx~}ZDnKu+ z;Y=k?wY4{aa0V_B^Kdb~v5ur;aJoWzN&Qz+Dyt1tkp%L4K~1o17N7sDmJA@r=;e!5|o^x zzJiH?{1t~uf&k{$RyaQFbj~jx*V^~@S9izzzIy4ePNUTNer5iMubyol?y1$A<8{qc zb@}(kgBkp{XbIyPRQ&owXaB~4oe`bWp!=%a@S41Zn46#i9v8&i0W-yN zQpTf()YSHyC@>=xjtwXSM;!{e_4o(eIKO#YMZ)-Nr9ch1peCU40Y%^yHBwYm?$pse zg!}<5^=}h0EaNX+d`l~U25LSBsv*3>EDPj^U_fO+-Hg$AVXey5jtn1nj(T}oIB-nH zyB}da!!}CNF&X;Ze_}kYJ+(da&T|*vQ33s+AT?e7X4E{i(0)>XS}d?&$UZ0+~kAAc8S z#>w%ukO@B0;=C)HR*c%>+DPN-@YB+J_l^eCN6d%)w)9A%HGo#53I5RGN+aWVN6T5c z03ZZR^cMfcT>eH3-&pv&Kue+s_%-ge&aI|9T<#b&%oz*z4O{`)6TV#6qd$}1K@DoM z7(J)9HG-K)^dv&*7m8E*Ms;~k{FIkmSD&hz$MuE7jkQTHf00M&!GRRDekD`@-OO&D z+3}rr=X5xwPk!eYrO&48(TwyAF7^?H1IYk`$S;dN4%#55g$)s{H4%p)aSn! z8?#O&WK^w_*a#~G%Hl-ovBY9=Z0yaS9zS)rm%2yhv0<0DOna;K_`9(2t63hB4zuCv zc!v#@E^&6Mxqu;u)%O5T=4^JBM}ct1(9ot);b|4{$wz}2szR{KTR`+cEPvGIlFa9?o^5Vv>+FgydWBXS! 
zOW@;^|NUp!xb<6hcxC3QYt{P8-LVz*pH}vZjXSUaV?^;U^}5;V^qRDku@An#&CS5i zj_V{QJKZDV$0iYr`ovP(l+?4BrQ(1!yb02TrhC9AhxedCg5X>*KvROwg^6iG!H2Sf zF)^g8*Qn_pjQU6mpeMDMbDnxJ4uTe^{9*V(io$a=rzD0+@05{_&l1yyC8n`}&VH?A z6idUzsKZg@dmp)JMhWuQw9t%cA06p$$W0p}k@ROk7E7|LOwUuB?E6*@^U1gjU27D_ zs;$;xZ%+R>zhJlWY2oF5t8sSvG~te?lz=K`J?AXiA@d!l3=i=4_?X(?M4PpK?J9KE zSrS(POoh`5m>9;Y(m*QvJ0Bek9OL+tN3?2(t<%fLCw*`(kJk^X^}E(hza7=+?(MvI ztju|L^ek3>m><^*>uz&)xnMHjqtv%WV1+Xh6i_SpS4_swDOf;<4b*;>qJUQ9-vx#T zpn+aoX<-C#DtVB?wBQ<0V=ad)n%o$q36!=D_`^LO)jSq>uPEwLXFVOHC`m;{^MV|mbWAhUMT_mOq8R|`H z^H1I-G@0IlQjiR6LhL+s;KPyTrUD214tIxBoeG$-T(dHK>2yGaT?{7ZJ=|xLYvzY< zt$~&2UI+?~vXYlz%UkrZ&ZRQug{q8sA1mXPvfk>yD*c^h7|a+fR=Kr6ug(@eQT`)2NBia=hFG? zB!x+c7Qw&qR(X?~dpsjVe+?n}@a;TS6#kotd!OZ9yASWvStbFHabNKZ&gU=hSTZi@ z+GK3Jcjp**tDJ{K$}a2RvCPKH z)ZoxoaXKWLKdV=@h10E#m)H9Lvv*}piDk?B{rn1}?#sCm4YB6oyg8PrI0B+k5eDD} zK?D>~@y7Y@HBi0-a37O_xQxISRtN0g$ zLre7zA>9Die-Ri;k~SB8cZg}18rgPS8D^x4gbzm6CsER(IV;p;+0bwE6YO`(Sfsj@ zk#$T27?@xq+keKtZfG70fejE0SiBL&3ozcNUtMs1BkuxJpsE=B;6>MOi!y1Aho9Tqj9{h=WI&rU8yxSS`VT<`L#C=y|mnN$Li~_pP2sjQ%#_ffS zE@mKc&OX`p{tne!rLL8oyY`lI++B5K6c{#>HcbKiDyk52a6K`vxco#|b*wCyV}Na} z!b*T?WTb`!fnX~zEr+0enpFm`j0S`o#^anoqwfTbu>RUGEHeZ%cw9CTu-px1%PCM+ z8vYu^EpH4bglela*oA7GzMsND7Lwp)G8Pn71f;;h^59_ab1+}A?08(-aul}KNF-3# zNRqhV1hFg>7J_q72bu{LKELUotjYmQqS3(A>*DY5kN+5g0ESRcwVsQv z){lDm2i@Dzh4LWJI{llQV*i}2x>{!hj;~~J8Vzzyx!8BsFaRXE0&^m~K|`Y0zmH-c zd2hkM1Z+wSpAcqq$A4mSE(d2vu1x$VmY6~C+RY#T@!s373jf44o6%xn+OAXxJr`T7 z?-u>>UbnfUKXJ*A)c`}jW$79o$nWF@h4Rs%P_LKU&&%CPIdimEO&yf8$Hms#L!o$s zKYo-Qu>^lC$X3cE^XAP>fY5gYLciU$AYzR`QZ_a2O`bpY13 zH}>PVe)GnD{C4teq{X}<%U8> zcUPIGoBoUA*k|_I+P%ou8^?bQR+@_!r~On*)k~FBrTyfjTs!+`=yCkMecAmAs8;^n z+YDIt5{yevQ87bP%d#C@-QOPBz1M>m*%-X_boZ>Z;uaM4MA8xzCkDznlVqZ+C6Z4N z?1Rh=!OoToT2RY%CNsi>G8{x&h~U`0Z){#iNvZWVEj~kgmhM!~`uZOwK=iPXD1it_w4f!YF;9zG5G_e1AKM{b3l(vdUA2?K-A^UK@T{zsjCgC?9CnQK?lN%~9S*TvHD9b=HLGbgK#jKbn(Ljnqd$l9Q@*1u!m zN)S*;^t&dZvjiM{z9Au?NC+qbRA)j!@$pzs0*ZhL5d1y`il2Kb_C|EY{&JZWslCG0 
z{^sVf*?AQuX&dDgSL_z#2JR*^L}JfAPx^^@7oI&1pH3wD!OrDq5Bz?-vpVkNkB!DNij%2VHD$5DPxrM zr{!9heuBxgGH_BgoMa@sn8roZ>=Tk>(ST54MdYVl{m9Rb3iZ4DdY0sN+wDzf3<%}L z1FsmC;tx61klQc(E}tp=HArc0_K8yew%$uM+qLf3@K1Pue_RX{e!{{EUkgfTMKsvt zp8OLJ(PhQX&vq`OYKJv(QoZe;3tir`nR#TzWC`QPr*7K_aN`sfAS$@#f`H1BC@Utq z6o6%!28&#RNCB-zls}m1D7AjI{@w2M;2@Wp|N8|OIdB%szRpZDU+yVk;Q(nPJo8~& z(eHC(`_>FEivn zSm;9kPnlI&xjcQDIqH3B6$W+y^>Xc@_}#zd{W=q?v4&22XTZjIoj)+Z|9$-JW7~6s zyNWb>ZKt1qc`lzjX7iv`bioGK=`5ks;K#=+|DA#k)B0X1?m{+m3JWs!Y=E#h`M9PV z-Cn8YY`kC9=3wKg4|liM-l#k|Fvksexw}zn-EQ>m;D4M}36=_9@1&Z}v(wzDwwt%k z(|_Jy+Ni*oW#?C`)a#WhcMg26J^Uz2hTHm+Q|UDaX&hX>-o-BdOxnQDSAr6O5vy_W zCnQT_&YR(!*`Z;-G(cmuO=~c!Q3gv8Yo7}KLj+C}?@?-C|CCP&z)S-0Q?k9ErgxkE zzw=otYOG5{;?sS9_-^#Xr~l>tb5^`#Tt|N@$yI5_K(Bb>olf)%zjyuE=(f+V2PfQV z9A5k+-CX5y#qAfC76zam7o1UyMzRS5MgS6F(nx{MEhhcRVHUma3@jyKD7JeeKCX^w z`vpuFz+rOvcqhPoVQ^wyGh4R#@>`+8NR?juX#mE<=!tT>-GeZp>!b`1PY(f9N!wUq8TFfY*QQZC>OyD(#0(saG%K^Z&s7>Xo|?d@NQ{rlm{EmL%#_Fv}&J%>Q}4Ue%f%rKpELBf7t#?HfD~EiA$yY zzP27Zg&KcX8N+mON)_`o7N4SPmE1!~?d{jPW~-QEw0_h+-je6>YL)nnMGTZ#%o|c1 zzB;F&aG%wYFhVRb->lu^d9YJT)6F=8jU1cAzwwl1^uQ?p=NH^y*bqLK?& zy4Sn+OmPZWQj!=HP0Yq4Xk{vlai8otjYrqSoZnxa`R%Jccs|S)f9fZ)-)cUjUM?Ej zcU$gQU$tH7<1AAo4IqKSLRuo>Pifp7DL-nZ&d{oWt(U_<1aW7T4NvmxxH&qtE`NbZ zoAN!6_?SA0pTqsj{pUQADxi}%6P$3jkUu0Ka zQc;6(I%WmuoVbfMM}i9TAf*5xCM6+Y>Ml=G0n(-#zKU7^<*uxmF-e7q&H~+Qlv+7e z^nuAk@KK*s$1fIC!n$IQUnrYFc5zM)~A>-UX7NX$3~VCSaB$XQuS1L*qP+6R}DX zOonuMt3J4Q5dAUg;!yHVI%>9TEqA}So$8gc&rUge@J3T-?(2JfebmX7i`S1YwTohT zkjk0+z3Ly$DFVnMxeGxip8EF(0RFU66a?yUg$Nb1eVh?E@X8_xf#Xc5o=iZc<0mn6 zK;Lt@D&vW?#nKW%k>6I5aU7W9aK9DSY+Lx(FvG&@zqkTB7Ma>%eo|>Z*$co53V>XI zwO|d=Ho|~9O#z2;2_gWkKvKU*qp3DFAX39?j=c&1I$10(k1`<0^dY0#Ff-XNoD=YI zV}yYTftf-0Se+Hax^wKu#SH=N&Sy3pc`E*s|FgD}uSEVy?gX~1A+FbzP_a-pL& zC9M`a_<_UCEE(e+Eo9}=5)&eY1!#*FL4>9}K^sfcC@l?Ue}O~PM8LTtSYfBM zWE$iOU~^_eC%6I?m6rRa1A`ocA4I_r^aAxPI;a=Dc0RYmp38>^h5AFP{@T1#X5B%( zrf^uT9rCLxW&=tp9bJ{xYA~pue9uRu%@?q{3J3ha*axT=u!$I84a#{`am7O 
z;Kw~6|4ia)(a(QTV_)j337Yi70^BDG6t1VsgU^s%9q0&K-O4HfY7l+mAPI?>$Tk9{ z8r2UQ!Q~O`hh=FbHDel$CGT7WF`Zz|sl>#`P>SJVrlgPW&Tj5(HS0X5E==wE@a8Kd z;>S07C29x89LG-jWKP3BLE{ET2<9I*|Ms9C&o(cw%lppu*-rJUa=3XL!?=efn?2ip zDGkmJyRVJ*ar1nmlAjaN`DBccm)-aE%@PZ_^;R0e~p&BFRE9D2`(A&Diz7d=&1fu^hynLc=@vHY+pZC zI)kIm&hfgVdd<_A?`tX1f=D;($0VwsECZRTR3sJ$wnf4yKm}o0DG91yXH=g!usz-# zNjmyEuqE?l2ICwXo(SV9994ATnAtvQ+;pYF7+Z!e13%G;PrbiD=QoF34NQMJ?8`9S?=uxu}=J5W9C1hpElg7%E}>*x~U zf|MVg8;#a$=cfGgF!PY1&)0($hf5N`w&KX9qy^JrvVSHuU<`<%C;$T)-stZGjmDtt zm&F@XKXDAX5$P_H_LdKCh3gL2d)WhdRX%Q(n>D?EW8CuLEp@fex6ZQL2a;Wj^H%?+ z_fr3}@&POocga}-nC5%;dpBSLnu8FNWy^iv};eRKihEez+O z4J7)Xof0^BcJEyX2y*u`p+fzg!Hf61M}o2jEH`Cz1h5&hyB|Fq1fxiICPLjdG zBP5dV?_KTZUoVT5T(f-KX!T3ogEdD;R-_fSR3)ITHQbs-drXw%t?^2UjHSi6#h8Tk zD-lod(Kp0L!99UT#PC8=!2{1uxks^J;cF&`B4s7U)2%p>7shVA<$2ymg zJ{&VIRB)S++4nKHjY-U1OlH0UA*(n04Gr1cIb_Ic&G`EI&dW>vzJakhsmY#_1 zOrvsO4t5XJO~0F8aXf@PhgxENh!k)pCmG|ZHfdw|kjj}63I}aLJhWVok-{h-4Nr(p z0MWMrL?70jg+mM$92>Vk7id6gG~pm1$F0Q$8jx~=Ra%;ijkhulNIhpacLP$-wVS^I zsn6zqRR_}8rW13&*6-GWG_D@Oaf^_Zz(WBEM~ZT8DfNu0Z$`&M)#_=X`C3S|W#Q@h z_3*H^QB@z=B=jc+<}uUEX=xuia%G2Ml@ z?`rJQWF?@HnSAy$bf)1PfJxx#D%y$;jmrD=^Sm5v8@Y8T`#Se<^whB{4vj*Si-tVA zl+t0cwi1g%BR^LWR?R63CK)BtD$HY@#zycSX$a;-YB>b%(>(r^NeqdHHE2(;(Rac| zSU!lIIXH+&GAnL9aNzLbsVaQV_vGToy3wuYNTY;QcQ1OYU?<>4O!!elE3D9fvHLS{RG zD1`fg3}LX9fa@pp`g(zX+1w$ZnEcDZDUvG_ z0*WPU5WIHthk(5I_NyX5am{A5SZJt7h0t@c#rkdmAn$dXI{*}y{8$Mvo#rT03*Hsz#4?ZGX+d&^pC`;CVYvYnULR?~a6iJ8VJ58iAxj zYTTbZfAq&E`*4Bik7st|3Ppds=QnTk$8Y`SjsE!U@Ye)?Vw+9es}=8NE-CgC(@lu` zrp7HwR)J}PD}Q!PsRU9+d8Y~QMu$b4jF6pdBY&pk{`vK0>ZWE+|CoFZabNmOz!&e^3iS{bvB>v z<92t&?I$L%wIu^vSu(V-&17$PqSHveYcA8f-mHz9(iDUeH?#KuMU; z7-Txm=KkR7W}m0jR_zVUjk23z{KxL*V`~5T{K({bgG}S_x>k9+KVBDln!ntBN?3Rk z7TzcWCM>)O3val%NmzI%P1uBmcfQdQ7T$T@{V(^QvqO6SmkHipGGv=6M&E~Fb%XT)YpS&j0 zBD}cHh2()kK+NeknbXHLcs;HTg^m7Ac$n*~|Tj{Kvf;mgsQy&Gmirql&s)3Kq+%v8)>6hOw*~%c{X}6U(ZxtQyOz8!D>;srPN)gGmbjj?BA%PbNI6 zugUFBdXOy1ZoRN=`iaB6$49l{q@Ek;NX{fiApJ8a&CEm)K@<+n 
zy2BMC(vg~?6J)7Tj7;E_Fc?*6v2qEX2(JvRq;|MMK^L|T@Hy>ONkKb?p?-{&;9!GI z0~Li?X4b4DPzj-2L@;`wYH#1&4)4$R?r+rKSZB^u`K&bX0V<}574RQHk%vf^w*E=0 z1Z>YyejF2;D>st;3Y<##E=PP#F2u+{idtXy4|XR(xxy2qj>Cgg`jK2WRVsOuOuzPS zHA}ZNe_nr(VlW+2VvR+Z4_LF4ASE4aeL|(NmTB&7gc;Hd# zD4^5EU83xFpp@@o#Mjg^oD-$|q;SrZZ%VZS1OpE28TxlJM@DsHKi|47U6c!D{Z<|x zq;?Zs9W6$6aBd^TC;~QfR;`m71&FbCw zCX7#K*>+J`tu2Oz@$ z2!PQw!cI7W+BjHkk1GadhH~mJu!pD{<6BucqH++5X<-QqN*#N)16?BZQi_+l!(Os> zvGaO)=4K+vr*n3kdra{xyBJ=l>b2X!4gKB_2c;}=6%33+9R9rGxaBx*Im`{?xaBx* zIT&u@xaBx*IgVT2)VO7?{Y6tsu|JC|ht0+5^WiytDt zC$)lu#l^o?SSZ(k)l~-j7y$J#mUsjdPS?prx`e$Q1K{wf_0Z3pJ)U=OpK8tQLAzkK zGxvWD94-`CoU1+$JG}{_Gm5`o#=Vf?G-^!=!=H~K}JtngGZ0+*S9vv1p zo6<{I48W49(UO9jEwq0O!;j0IIE5nS^nW?0kL6B}t3zRtNkq@G^u3!#Nc_kL{Bgn0&lMQL&WVF}p?s zPy&XjkBn%a;M8fclL1%@@PYyxq}B_i!$u>0**K}6c2BNEEtR~^{55d6klcA*E%$r4 zPR8C@z1TVZxvQ2smG-Y*1$>)wYJ_KK=XLnKziVD{b~j&7k=BjMl=Um)$HPVTKArga zDsyL)HKUG})&c>Ra;jA_RgMS461i?% zzg?fREEh%jV)_fU_VeHHktd>HiD{x3P&Q14WiB1?eZyPrfbVR8(Gg>$@XzR7cDpks z97@4(ODUBS@J!SDT~BX#qZkE8Uwb=0-(#hPHPls{Wx-4oGxpONRvI%X5?=`v|AJ8- zN54IV-R1l4>-UFbC;z0N-^WgksO}FN^mGJ zO>=6WD`v534fkgCKbi%r46u$>X2I4ogY41OzV4BOcC(cjp4Yb@Qa)L*$jbnXEarC# z<&mt<93f$xVPhD8bxz%hvcDn?)_*~c-kn;Ca}p4LtWy3(AqARWFn*rF6{R^CNYNgh zZV!vEr`e~MdMDSpP3Dtp4_2Hx*pn9vxo{vNVj{W@ZQaJ`AYZzw+<3%QU6}65M8kQ@AtB7H%E7zv9!-T~GV#G@0SpkW1;YfHB z93%-#gvn`IMF=Lp8o7q0B^Bl(tP5DdP;;OKk|_z}#izjvN7^tT4VDYbDF1b}+7iAC z5?|9xaZa%E6LP_#`9c-OUrDCDE48)4L)B5LcV4rDrI1Ux)JFycsqa}{($EDsFKh6;drh9-RMe#{{f8zrj| z+X6xw81JOO)ka}iQ%kTS>KJ`X2#0B_Ee350PQd*Ox}A0iY-B8r5AFq6q%nX^Ouf6@ z(^*GzO~7U4cpfHHV1(-I!K2i%3d=KF3x-{X2oMOEUCJGy6o;{6R0-h7fq{185ew6h z6KLQff1*UxW0r_`PNx^ua!W4Y`R3jc0RuSyjt!dQ`7vb;VgR-BZSoAv0PFNv<$2cK z4o{I@uN&RVRF+iBiF4JUty*EQbG_*l$pS_oU8R5!Sj@;jtuGu!D$0uSiURcAWv-Ji z-%CEjUJQ6BQu~zMjtSB)BuLcZ3eR@6#Ev@{#X9!ufVN5!A;A@3QiIhBvxIcWx1(UVCbo3?7c>7;Ioab zs`-t2q|cIwc%Tvy&toFmRW|$a=H3DUqc{H!4Vc^oFl4<65v7>;K`imqj5^^7(f*mq zz0@kXgZtCVhsKcIlgxQx-3gJP4os&3D=ZlNB_<+&VQidtK7{L$x|_YPrDlZbmv}r9 
z6bT$tqF+OaJ{>$uVUuH%!7+fG-@p5GL5(KBzwNlgxPS-x$3^CZa*VngyWfY042Ua? zwTcJkw9WS57kA)2pYD&ofOZ)RG%q)H@A8Kxgb8dX0>1c?llv*q7!KTlgNHxY+L~W6 ziu!S8svYwW*Gw^H-noo+oy~l-xi`VgahrdOMhzir!HE3RA+*$zSj#*mqHcIbl*`=h zXP@6%?d{Itp)HBT%~k($(;1P{j)tiQDx}=G66>cAQ6mkw5hgH8G$up8hYZbj?h+r~ z9an}K;QL|t!H54zl*ID*M5xI+CGQR>c<`37P=zu+{9_`(#RMch{X41x6Q9M;fUy+{^M=#e$a;im=X^vcSJEfEX1ij}&pZMjGs>$g~`>_UR}{ z3f}_ zAqxraCsD?Nr3yh6xWhRIho6K0iiOU`;g%!X!p1XNa?O|sBc9B9KrBSXF|Pr$2$)d8 z&o}**-1k!s!;p5Ywgld#ob%jZdQS%%ry0|!9BQn=q*IAKIs*-H#6uM{lUOAV{5Q#{ z#g>*K1d3>v+U%Kxy?}XA*!z^gTGJaMc=#RxSzs_=5R_-3>t1-f-hC_a{kP|{V(zVT zbSpE}bl!?}x9f~JTEH}7t`%U1nJoXXStmdon^a@7!q~3IcK!YJ=ZpXxOvN=Zd;-fB zKL3eGT%H{wxi;rNk(?RK9=pZQf4t}Rr;dN3dYX^H!q{D@ka;dQSikM`$9vosKK+Rb zKh}Z^`5*q^BrvMECmDJQPll4|gT3Rz@ae6ZXzichSM*!+Y~4$Q29lwTIsDOBia11* z)0hYS9v<|r)&jy}nGjUb+`qoW(T`8);Sxtbo}rOzboAr>e2X6a_>JG9M?Zcu{4*y% zkv&b+qZRFBuIS(=qMZ=+PK_E$)}b~qHU9MiEvA)YvW*uhdJa#DZq9Wky;H0{9VK^K zyUqIjTmP~8U8HEi3K$IY#xX0(QpvGO(nOy~s;FZ|(j(Yu%$YJ1&lX*IU`nJT8FrKq zloKPZhekAAADGh7gA1RM7hhcGfU%~&YIMu@x>0$0yzI4)50h>(RL(wSo;!mZTCSve zZ^?(lHtFa78n(1h0pVwos1?hJa;H~KxcKh()Fbry@YQ!sGyeV)wbp_&Xud|!4HYIl zR+V2N>QGLFL}kKgHQ6>%8%Gduup~9w0%-V)$v@vX z4J@U$Oo|{EDk}@8345^J?ul08pme)CD4j4jD5MLyF3(lyb@{n*)5`7d>@->l_XT^8 zmBG#4t>JrYa7OOrfw;Ij|2EWM936fJi#w|=a`peY|6YLh`&ORA13e`G{XJR#et6d3)Pxn)?Xah8;c>rx)xOO? 
zoNPGjm)sFx@nO!1R@_?UU(WZ(TdOgK-ie*C@Dp92R0=k^IxCKtJWy#JCZu;sGEmoH+!{{c<8qOaqpIiQrn;J{CDa>BLw4xgxme>?svYL{6CEu0}k|l;aN5lNv?rA4qzt|fNVzRa&WG$9xV~IAz4P%KmmS}_FCYESpi8hvKH&&wc zk8FQ$ZcJT7(@py4=wp;VABsKsm`XSIj?P5-QC{5-vKvkMVc$sxK0nczRBw%cSjLa* zvldfc2v;%X|M=POr2Mfy>v44`==9ZRmGwQ{Qp!+ZAk_18s~;XY?afnVa8MeMz0y-r zpADbxdZo1wf7Qm(QYb+&YR#B&@;_G@W%634$AB0IaASWuY^^#xbrGb_{1y>X`I@ z{Oos<{#ZoyxH=Sg`UknrXf&p{l+tK#$z%{7Jg+a$Ud{j5yV9oAnQr@6tml5Yx9TR< z^YBq+P;g{$s;A0A0R<6M1eIIwf4_U<6d)l1f(Ja|JR^jVbh=lswR`v4CE2%EN3F*} zt#a2mdHk_00`o>uhg$?R%&rm`05N(LJUP}~71|Cd8pfIf!E@0lDv(RGE`8sC49bl9 zxGPNtQVq8lcU56=RF=9qJ1gH^Z)UnqHdV;HWKWO9-vgL)#ZgnW{!fQdM}9J{DC&F0 zuMa2y)eSDkOtEI2(!w|Oy+2DFb!u*M9H>yObZ=`h!vf491{Y5>?w&#ikr7yMP|Z+d zhrC?DKY}gSfS1**S^yU$nw)^dP@oN{VZN~7DrCPXHaO@tJ4vjVmT0eI!-!RUqx?Hd z{j(!}3cmmRS+?Z4u-f}i??%|7F@%fj9$w|pMo1dKdn=Vtk_zRKYyaF-9=!c-*u`H* z3D-nJ{07n%*irE{*+pk0Hh~}}h{ybBoY}y{E`{)yh5Z?1p>r=^Q|)d+^!G$6v%l@w zRwrJ|lVxBSJP{^A`zdWXC(;AIZ$|~0wi5qN)qLhvbBF9+xR7=JL?hNE&iXy7vpXuSGD^_P$ zS3cn+L0pY>bO50=C4PQt-kpG-d!!Xp23>G{G2(~z;-$^&flZg1Tjc&i<*xM`_Y8%hBb_JSXTG ztMj&j$7}$S+|;@oI7}V@H=vzbZ~wN3_yWkZQGe>(zaO(fH~#yn*1fN^|Hu8eUAp}| zCtU6IbLZ)81OCr60+EsqtFc(&%dlRfBPHD4F)y7q+qZYOhceULe{ymMu_9&cp(9YoF0(=l_#1;~ zquvtK0K3A1WQ$P0m0J6~I2}Nz9*@(R zm)-5%?s4e?{&kc&O=nMjcz5&Wt$BLM=LWrlT=99kvf12op5Efv-OMCz(xleoiMZ^b zQs?QW(ryd@OFHcU99vp+$^W;PovbHypuGas=sFC~!8d>REjoP2?MEhR*~^#f{M%md zsAPKE&F$4*wzCY~X>kn!+Q2GLTxa-w$y{j-kSv(=4Ghy@_=x1`f7OEbd{gy+=L$GI z$8uTUsU@CFJ|-1OJY_zQ(8(JA&Uuh9Jjz?q01X%wOQu*FtY}FGhs$> zU?|~r?|$%XF;`DmO0I?1H)Y&VOfadX@`vm}bjW_WOO^I6&JP-U>N)+?IqHi(FRnOb z6YC0UK^Zg9nM{xFxBwUg#wRV&DAW`six#BI3|~H=?a~p@_Sta}e8{I#CI-s}X%BHv zF#FeGwiDP7V)**xr?X8Vi+z3NaFJ>uFq6*uWl`ivbYMJa4b*YDl)Y*09o7zBuTM(5 zTPtqe69SCNf;i2K)B>d0bSO@5(?FCa{>mVgifrZ!Q9h60|G9VnBYVNTZ|T zg?hFJcI%ReR#Ubr&Ep4s{s4#RM1U z$3;byvc&jC7jry1F5aGHp33t2q_$56^5W&PcK&q!W9!Lt;v&^9Zpy>(Dwjr#W*o0o zbP++3QLA-A7!zPjfH4kWM3*ZdMaox4i|D}Euh#EVxxLFKIVbr-*IbsHjm}yF;~GU5 zsg_hRw0KW&F~P+I7vJAp1Q!`$9M|QIpLuFdM#sgi{qELtZ=0SL)K>A>Vb3|IAlDlg 
z*C)OxG#lnhB&e96VuFhAZ!W|Z#ZX8q>$iC~r=p|c^XX&m@#Q9Wou$+^OXBK8q@1-z z#dQiVGNPH1prXI;Apyn&7!zO&1I9peSSeu03+9iDdWPi1Y&zZP*ZRebdXVS*ct8w! zTyb3F#^qF4foA$b^FNflNR=zmn3@xbAq^8?XW*MX`(?FnEZSU=1QvfYEC%+J7`{F` zt~r#s+;D>#euQ%FF;rj93CAL5=4A?&#RSJMlPgRL;N#SPOM#ssjMHlD!8mD(^Rg`P?DiqK z6?(lPG1f)DWkRAhD5sQ3#7Y8*2_z0*p_U`U<5M_669q-aIT7UW`72quYOVcJd}Hw!7E+fLfH)t!?{ z@3h~tULv#Ix#&J-F5gJLn6-^&xtu9wIzLKesGta+36YsNI;ppn)Z2=3!ld3-Qg169 zZjyRiNxiM4-qyO-+oDq(lDV)f$ha?8j85t6MW?AM7lp%Obx^u^eCW&F!PZ(+dd*xA zx|B=cnNm(E7;{~#ifUy#qaQye)@oZgzd>&dwE#^B{W=r+q?VS?(UE{Lu$C6*f#FFB z92BGz@x{ebbX?p?t6tq!s@GM0CN3JH_Ow$Q{1h(E8Jx5*&v5`03+M;a@OPl>9T%+& zbD*X|F-1{b1_EP*P{&k1WCe5pYjtVNbmLx|_$hwK6s;YRWrl?}vSo8s>!x#=%0>D1 zws+V$d$i?0frekd_0{?UE7y?s38J6n4PxjNg-X7i0|=Kde=U|7U4d2Xzo%Q3k) zJ&L+Cx8%v+U4B6>K8!g&QVW-n{H|^D|Wdmf>wTc*MAPK^pjC!pzVqFYw zFp&RBTRVkxEn3KixWWSW6Clt)Zb)y$_B)g+U4k zRNV^hkNBGCi8C^wKxs%=us<*}AkR7XOR>*yM~A8M9T%IVs86nUyEU4=V*5IKzuL;s zNaIolOqomMvUIfG7D#3ns~8z6Efdt}V3dlMVn1GS^lODyxP&Sr1p^X>(Img(Il;$# zfE18ii7~gZyp^4FQ+F7tw_Z)bNz~zL zz{gBSGgmXCIK!MP5Nw2xt|Sl_mjeV)e~i;<7M^4-Tq_j=T#^iJ5!m=r2fD~$J}Jls zblM7y5-L|njfn=-5{$o$fT1I>)`7+iFjjEP9Sb|1b_p?pq3#9Z!Nh3#_Qa=)U7d9` zkUK?Cv2Z3-=(^7I#-kJnlTg-JOO(+Oly%6{rQ8)tacDc3as^;~Xn1;5>Q5q0*!P{- zugHnJ&77E@>13x`tjmR5-^?Q-qyc9iv0=}6c1&4?$T?xbDZPRzqW#M!K9n61pf&fc9-2=_Cqr*X zj&8^^alOe}?e=4P%h@TdcyRzDw5uo#D~6f+T8u`txfHI(YS_apd!<=$Y4%l!6;VsA zVmv%II3YxT4I%ncc9s$g>Wz(R&)J3Dm-aLo6@(pCigQTMPi@Qz<)HP+$oW2`@i1U( zt>U36VAG}h{L0<;>OKPtI4i?kA3n8AZM*llhbDvxZY+xM1t0ELWClwT8xGQbroJ_M zs3`8snHuJpy}71FVP<`n@%FQ+mp1btnA&c$57D?GWHtCu;7%z)tQC|=-=(w63@iLM zo%{STyW4DLbf@rIQ%AJ+vetA+NldB~Fp2>Tl~~l{d6}Uh3N*rif>6I^;Vj`oiyj@K z?3@p2$CbgZ6Nw&th)<%VMKvqb_^zIJ^-0h#hDF*|@*$3i0DTD(+5Ye7&kfbF5E^$L zgW!#DzA4&$^3w&c?<2Ut6wFi%Zg|o5`-puEw>J@dDvLhikI)Pk9Ka2|pl0e}v#A$TFnA0^5;d_=)CAqlB-PRA$?6YkDSL+ zu9rEeU#&PVn!aWxsVg`&1b3hs&rZddqeQqTSXmHbxZg!#s{SM~f@7p1pcI&vL&`pB zg@c1hVn8%uMhP=|e*yU6?r6hs6CjA-QD`Kf+YJ=}WiVH1_|GUod1E+%p<*#=3YvOk zqacNjEMOp^ArqDvi$D~(%Q*+N&q2K6rr=Sq<%qQwMyZw@I);c6Ihl5WxM>p_f^(P+ 
zG!rWP`X+D5dp_kdpbP|eCQ4%Ej7tWSV>*0ln({c6OO1tz9VS8rlX2)Y9CK5JJxSbA zP0i3fhY}G^VdCy;)1M@a1)%`J1=U2Nlhc|+JAw^A6~}4a_?mI&ccM@0rOVT+t4DTO zcwwby_OzEj>E7?J__VGJnzy2*3MWdL@o9anR)09=-|1xWCz;m2UZ3j&pe_||S>j_* zHuu_3Oo8R;d66r#_7lr`!SuG9f9=Qr+5V}epSZ5(qp>hyS1Kf)i#68Yw({fOZga2v z#DyQLL4^VreiTeROf%wVeV*Tq&V*X8Mpk^ z6qr_+okl`~{vI0i9;pR@H3IF@)My}i{$-zloWli{eSC8wS7_PC|N7=#_6cggd6#{H zp75Vp^@;6j;%=>YALf!4ePS93agWrvp=1?|bc9ypZ+}rD13i>5?Pv3y&&^Q!Aa}9T z6?@%B=i+#vO1r!JH@)&tQKC7GbO=S?Lrf%5+Kl;&aZO!@pIVK4i3M*W9}oJ>YIOlD z06jMt<_pT9kt#2^_qLAZNf+uz23eT6CPeSPk6I(oGsq9@AOXgpr5`< ztqUe3(rJV~C0-NXr%SvhLQa@?O(b3ui$3G^3@cMlv7Iq?WSC{3GX1w#?nP%uY28Vg z?6d8rDo(R?C<-sVd$rc=h%1*uSJa9@KTukXUDqmwl_@9EaB65+Tsa{}e+@ZG%qFIM zxX`sFW)t6ENX#a_KTXUg*1~LJ3K^nCYM4uzFB#g8PKF-jdE@nM_x_c1%$AVp-2?h; zSDXxK<5CU0R{;H$Qja>b<0b+Nte9&CT??r1qHJi%UK7y6vCLMe`BuV*{u(}%cug!e z(I;LLiPwbh$<`p_F!7q0Mu!6TR8k6as1(HCi1Z*jA37<^YkpLy-<&n7M74US`*+^5 z(QC+u6mo3|yxl@?Af96ED;OP87P_SMI;bUN=x--OiP=PAHj$W3_=Wruvx&rP;)59J z@wdN-k>H%bd}Mty4-cagqr&qc@3x-{{BSQLu4wE0rtz}kZWCcSMYvT%Fx+$vOqr6^ zwwn+N#21_-p+*Tc`gkR76N%fzl!-HOoA`RIr`yDou0Z9UM6UKXzE1XR0AFsr1!t-h3 zHZk>liQB|4TKh@dCgxiD(Hf{J;r^AxkE3&;qvpY@lRw`)PF3vlfVDd1W~IBSL5=ZmhC0P^g5eOc;Txom4j+4p8FJZsC5K0EnTy_2^Tf-8((U8jRQ2)b zvij5|?XC7hZ?jbVHAHDH%ZZ1lPW2CZP6YmZT&5EhByoOF!G$#AZ+{6Wl!yjU-q)|M z7#%CPy?s38J6n4PxjNg-X7i0|<~~-es8+hSwV1&I)H*HZ+W)8eYEnR#9bIIR&uJiWqQ;zi&^F>AT}In zuj1p^wOWvbNnmipO8YNx{b@`}qBMR-J4=OwpdhdGbmj4qNqm^V<>AC0Fepa{gR*+t z?F^b14{t}Wdj)cGYP$W)dB9-Yxp$c*lbFktG$8B=m3B}6Fy$IWEGEH76x$xc{e=V^1UA=NqxrMo@Yna1enNq=&|`=;VJU3-W#9;X z(JgM;Vy$!EKXZ76d#CbtztS&uo^BeVbeh+XPA;boi|Zm>emi#HvLPqHqy=^cTz~L> zU%FTjRbj3WZdNhjNomv1M}fWzEudpcWw=&4LdbCmCxpH&-iL@0ijQug(=G)Kp&5lw z1UEW@Qvq`Yl|W4~Dk!X{774x>aR~ut1fqna;R_9qQd4x<nv&#H|~;>27Eobef509%F=}x|WkCv$9U&Utr^(*mxQ=ezkRy zQ36>oMZtJNNGl|x15mU)@eiy#kj`RT*5QK-2)5@u#vS@|948qeG)dT-luPNm6+W|K zEYKb>oGymlM^q4k;WNZF7}!#y$Qk$XWZePM;j$)vy(Jke{3d)EsaWj8z0ak#LK_f9 z!RTBXrnTmX0xWha-&dN&eWi`%c4VOeu0Y(cxH^=Gj{<*e1TDcyB+(=L06h*W>Zhzo 
z5L1rdr)VzlKTA1Y@d*zfKw`KSQX0fl3VlM#RZkO1kFP>6D174EMo+aqX~ zlmH6I5+uG-?Sj9PSfF4`UIBVol7R>fiybB>ooa9A^tRc0gp>8&;zGH0@^Dct%{%GD zwM*d6SJJWMKgDpesFT(3UE6{sfcgZ_lhT^zsDKKx-UsH+1`BdC~X>&A2(~p%ZK* z0+Qmwf=ZB8H|ANhZB2NC%M_r=^u@O|{y{TsEP*odR38VA0NCLaBbgSyBs_YN1}QRj zd>Y0inpz%z2T6J)`em869EeE-lM-+%N|Je?^vVJ8OOmKbrKlLPDML4B0?mPk4uzpp zAM72sXhY(gL+^>9!9nh$g)a~?Xiwwg(v=^piAbY&8`m5%Z+sRuE|Yb_Q@M>m-uK95KM6 zTS3Zo)&$osIx0$Whi{SAss!v9+mn)%yd2RcA$Z_Q6Q$=EBvX=N1eCHIpDT{bQ_y6h z*8{jU<*;Hf4xCei>;hVkNv`*CT$dEm0H$!sNj0=t(IsZUDa)N4(OBe}3;rIN0Ye$) zvf7J>td<3p|%>EtIgs>dcohx-?_)hVWyC)ar}!Hzwvj?MV( z7#iGR7z0l630(V(WFu63UM2S&SS2_esw!z=NZa1yh?^AOqnMizE{Ov`Mq6_Vt{^?K zLCb=_W|Tw@ZtF!R~$c8>Y zw5ww+)BBVfr8Ln210x+m1i=0vTp{mEU^?GN47Z&|=ZFVy15Yqwh4?8o0Co_?MUN** ziH7lAOuy(tJ~Ff~kfu{Qq`=NQfcQY}T%@>0S4%|i3Gs4fc}<7|CS2TMjH5OQ(QrKOiPB0 z0uVBg?2p>`(F|7(bo9a@F2i-Zxwvw-3ajfo2X||xdRThp{WHH!KkSIL>+5cNX>&)| zi*{+RRIc3k-*D2dofP}mm6LjZtI#Lt*_YAzJ!!9jubg##HLW7E zNJv0O85v%Lv6>t&>SyqxDiv807cbRju_$Ug#fABH2uKP^3T@G!HE6`-7twx8Bf)J< zTJ;ufoB`i8!uiW0LCQxl*oYk0ubr(6t1JEID{*=E(pbFNd94C$Z~M1?ZFS{p>2U8( z)io-aLYEkf(3Z2e#E5adZDc@jyUL=w|rox+w&4B3(J>{K1?vPa?^aNK!s)oJ0c zn0ap`H}8C*TCWuMTg9v0?fv`yrai45A5CK3zfmR4po>VV0?v^X+Lw>?X5Iz*Jd)#n zl4zSr8!ytn|D6;PODfXVU;jGXsJEZ?>U*y8x?kZnak=BR3m3P~exqJ$i|v=Ec4MV< z^(y z(LYU&88?^g!qp0@-CHg_!NFCn$&1OESDNx0wutV z(N=8IpUF|fp+QFjB`AP{F8r6A=lH}k3JXz8B?dKK5BeLm!}EHzvv;(-suypLAKUjc z*wUZh_@B?8KG#R*?BSt*(mr@zslz6y&ED(r%cc)^eCzm4VC(ZY{~hUQ05HIi5(^SD z3&j;cl3U>=&_M5`q-SyJG&#ziNtCK9Y~wDI3U zq6(Y}G)NFsBf&TomWO80o#5ymf}#3f+Mh!Eekdp?43res%IEI>g&%j<8{3V$ zrS5a@a>Y*{z6)z+f(HLmRH0xgn2R2t5}G7>*!wIQThJWK>*ed;}Yp zQbSPuIN)C+IYuiUp^?JdSPC(qP z9iHDkiqoGBj6W#C=rjYXl*|cZj*B@iW`T=zI1hA@E({m1lj9X6G(%!k-xgxzr0#*g0(9xj^K>7dJM)YylL0dH&}ySMDZ)8tH~VYN%Js%>zs>pG%N9Rumgn9& zYtJfUxD>)t+T4(J&NiMCbt^2BgfWeCD1^(yIltL7&(dp|&g=MPK8s+&F&1@KwwoLk zH=c{lhh2Vf(r&DDdW;<{8&&=3sF>;L-waXFk(!~@CJ*K0pqPW=;1w%DqN2;#4Aj<< z^@cIUO_dxIFYW&Nk?h~==f1t}9_+Tx&YHWEU}B^u;aQhfZKet&%2-k$A+1k_q+bVB 
z2{{g3z^l)r9X-=1GDF6l;Z?dfi5we_-`DW#dg_Qj3qG13iXP8ueJ_!@;lAu7&2 zshDAMP*K8+t3;Jx12;rVG#aBDSSaa9A(duI;-(DSz@yqhjQY)@4y3+e2U|nKW_(gd zvzG0_J<@&boi_h;>NoZCK@b1nb}Y1;PtErK-L$&xvu5wl^X0?EpY?_EpZd+&pNIPS zpT--N@xFJzXV%%Q(BVy$DGVO`a=F9sfHRDL!i{^H`!QqHqcTB<`u#=5=pcc6=;qMv z7|pnJzN#PtkH;W7aH;~pou-Nf(dHd(ZPV$o=rC4ZjB0`?0|4r+Fwoa@d_e?wnv~8s z)jR^GM@&8^m2vdTBK)3Ii1DQl_OZM^qObp*j0yl~HxZBwxiP+uHQ&B^J%PI20D4Xz z2hOoa7ay1a94nIN0PqRU|L=MImKd)moOD3Nk@%oen7^INe$X)*8JFMSTt%)&dX22a zls?E9pi+@Q1!y`4N?svARbELBR0_;vXQ|ve*(h!wzHBU=JuK|6&OJ~`&2 z8iF_l29REGQpVuQD(+^7Q(QUENi`4*##Q0i7h(E3P^P+@=nEmPD(8dtrd)$H% zVe7w&REp{xOysou_JB+D+|z4x)-yu|YxwX#f1(2N7lB4EEcvdynj94#8*8iOz3Z#p z*VfZbrTbc}?7UBW2I1$OoC*`9lS3m3GQk$2oicve>)r@zYB0pmlrc_Pe!< zZgr1^@fWHvhmI;o-5}5g{YT6Fjr8ryNZJq&Ys`B-Ac|9&EFP;{byQolEBp7w zZq3|Z)~b7(^<(b*yZP~C^Hv*mUcJ6szJ8W_o#UJ5!gro5A*2~*e7Tu9(V6Vsl;>$R z2xchL9hY~oychG7LQ+Kf!$^sYh|dI*o>N*FE*08r?ptev_JqfjAl%Z1>PmB+p!%Cs zINjJHvNNH0u$r7CX<~zpE<>Kcn27D3@fg*~HV9|{l-D05Q z8PDnHqMB~W#q=-rj))n+^gA|gj?-hx9Aw=fJ&HVG<_2lMkUaEmX*q@5adp35d1{bq`Eq@{_=Pq1SxWpeet8{w|vke z!HwfQ_Ht=XkNz2Y#68fABsG*$PB|unm3loY^~9v&7KAbsZjZOf(nzZ~RS}g!YZ*Xq z^p1rCO<8>4sKwYUZSaIJZ`EhXY7SR5<`R^nN~=m!?st4^_%u{TSEF4=qY$W#JMzn^ z`X)V#1|HBrP+>T+3TvS%I0aIc(bl{ z)-UG$MmaD+!8@Et<&41<7feD%qU2HWb4SIrnG9sz57&aD}A&m>+Xz=bfh1yv4NPh zbD8Zr8{4(in_%p?rQf1iL&$vap~ypij`SFxB)sTLIYo7Y&Q)c*v9Z-Js^;3Byx-Y< zy;<7&;e<#a-?xSX!^NYhNcNPBXqNFIZodF33$B^@sx(umJd)D2_dc3lo&WsmZ#(N>_y_z|i z%m+1+!~gt2jVR3vt$%1zbc)*>kL;}8fKu(Db-uiJ-D_T+_WALg6QkI?B6J|6lGadI zlQTQ3P?7euMpni&XUb7;LXscxJ<2k47X&gm;_aiCH}G-L-C!yY73JLM{e|#n2DOXm zDj<5oL2zW~yjw1D-J`WK_+ygDytTj>H%=RLsB}=kiQ__+3LQ|UtwT$dfGU6o0O;}q zda%yo9t*%N5ZXG6?ui0J+L}{#5WQ%J0|9{czz7*%BDyg8NdES;M`@W=qIOCy;n@M!f87DzU?l_b2Bqr;nHhv~?FG!6DF1cZf zG#7qI$RqLy2#o<)>q6DJ$|kfe17EI8~|lMK!)^y?(E3cl%=Ra`*9S{qf*z>*D&mSka`SenNPT zTc=6p->H#|80RVBB%=Tt!__)QlyfNdlUDaalei#qcP2E|8ucmV`Kqgo5Fu;Hv2i{^ z8%~6p+l6wUuQV3QXZH)uJ@!fTQ0#dsRPw>~rJ>0phTZsJ&E9QIu|H^+Gm_g|%}4cD}TG z*jeV)PNwiM6SXYxm~)1qH6RfbJ9MMcpaU2 
zo-)cx?6B053tw{F2Vmfn2xpbZK+E@IdHwlyx;SXzrNoiOVU$Q4&?@*&oZgjjkl-0( z8ICvOhM1$joqs_Zrx3j&={33*Q!<&z_>LZP+lknu(cFezciP%cj#cH}$zkDfb>nX1 z?7?h3-yN?kx7X)9z=P!5Q&wxPImutKudjZ~VbKU=_&X{|&$Jz*P8`o;KuivZh3qCi+)y+;=-_UmigP6;xE*cp=yn z85Kl9@QeH3zf8uZ!EU;NR-2h3CT1pBnxeb<)X9@sCv~+v*4d}sjXJ#>Zf_00w<&`} zvX=zv{b}+KcHn}^EFnOZlgLsm_HhRI#FXX0T#z7BJsSbj>6sdNz|eV{mg5P}!i+M4 z;tpF$ zrM3jy{LWTrDylh}rJ!XlR=31CpimlvbUBem%wlr{KMsqSfdLUoA^w_L!Laa!q2Zw+ z=<-YB4JYB_QHdoqz}X;5oxY+B?hlwfn7o6)$dKroExev;QtiMPp=SDeG7ZxQ7HVKM zxPv^Fpb5W7pshUoR7sVZHt{rY|Jlh466jQnlCrrs1VrLgqGkk)Tyw&r_j;2b{rKx- zCa~6OV7F7=iA$WE*P9K+KL7(Q#ERGM6%81S42A)uNv<@tKB3iW6MydE7DmQoj}~#} zJanxU*y2UNwTiwF^DivL=u*NuCg9ts1+Kl?yd!Xj8HH6ufGZUKwUGl%LrPbLSFKaZ zv5%MxR4)%o@hSiLuV;JNq4~PFEDiSRd~E8O!g^DFPCZQNa|mXUP=|{XEqx{Z$=V>w zKl`5djzXby-rp8Fgo?dUegkt{8XA?)b&UUyX8dyrz=|IahzAzJvQyw?+8XMo{d2@8#ecT=#J$_p?%#yk;(BMf~I|MISJx@N;Ex(b| zcuE_IWz~vcIa?@nCXn|5`bP=6VQNel2l<_UO8h`LV5njySjPQ;yXVbLb0<^Dch7UA zx4(6yUyh5_R08JvH-4zM?-Q)kSB1Vfsn-fwa=WE-zY6U=zi|7{Y>MOkmH$2sG(k9C zDyvj()$abue0NT1_FI$6D1|dN6>4Bkf$*v@2lIpD__)((WX_~Ggh~6-y?HFkyUh6R zCGCt2a0h~UEU-h$re+wM5gq}u50i4zbau8oWr{>vB$bMB9+i0>9(UwTxAbuIe0-L> z+ufyXbav?nn2H$HpYF-=W~X&p{&jp-IJ(#8jY9fC(=5R z)`_%hE7JPfh|W-cm`#f5kk+sVC-EtNTW2b*{An{k8lTGyeIa{KUAESgUlQv9%xj|& zQmL68Sc*hiid{^Vv?8i7!*TvUn)5rEHsIZ{urs_m--b4;rIb*H*$eO zpNNb6<<(Z9(XZarE7@I zpN)nar_VZl*6FkBs?X~1QZQI4VEIutu!i<5KI4CWgs|asXH*{T?dy}=)8NuPq}}^@ zKI4Z4$g@nM0Vz&LVrB-GCVAFsnB|;FNBLi$`#UMWlV=0o9Sb_ct7v^QZ3a3OEPL9> zV0HF9K6KXiH;FlTd43s}GY_OyDP3GwuTrkg!mkGCWE!Fo$|#vdPUA^N1n?gwIJ0_Y zT*-;Ez$?+P8NLu=G6>3OfT!GNeO6F9xpWa=c@HbXPJQ#Cc~srKD7LrvcgMxczXvRr z(oeTq!|#?)r@r#b{Za&{cJ}EvKro7Eh~iXWb?ZfZK$u_joKm|Kg|-g_=n@*H80ITx zpU9`u#x1K~)h-2MLneWn3u~=}h$)0pL7YJil@tOHu0A!=0DME!wWxG=ayR%#UL^@j zmC1cCHSy2>ge_I(Z~ge^!%}79nkEe(y_HzsOo>lPe6>`e{?Gjt7AoPh6d#}F=Yn)5 z9KM(g4Fx4dmpl_33SP#Cue;vn@OYK~58i`ai4PjJ-J?r;@uW7c^VO5ee(tEdRp%+! 
zkCeh96s;i&BAO62?W--7_KZX)EKZd6nZKv9#R!a#P$7JjAs8|$_2yQlw((M-rBZcp zc)I(zeK7DZ`^};rU0$1J{j#7MgI{~Ot>I4fj|qzYaCBJ^i(VT@6QD61TQyAQBNy)> zFt?4y#^Nmw=JsFMcx}Ld2~)udiS{m@+ZAG#aQBW@u5J#Fs_RXl zr1rR&?3}>P^&;HFCIx*-7=wTdh+dQ}gX2$*KfOKXx0!xzHh{Tl&ZNdJ3(-sVylx0@ z%@D9m!{QMmi*V*PYk2L|zzhsgL2MGa+Rp7Hk!&N0*CrPL9#Sg`3tfzESo2QZYYz?> zptT%(iLG{NUt5F#WH3Ua$2K*q7GLud9ZN)SmxWK%{MIvzU&r~aaT4x~v+yktarPF! zLnAKk5*U(pzJx6@;G72wPWAYF>83pD<+7RPk=i`Wm98ta?>Z^}t&6`QcKKo3!ufjG#+~djJG5NjcNPs#WRI zSISEUpN5#gW#?X>b7U!QTimeFaD~3OL`@n$5us)`ATHY%7w%D5M~$9tx0#;4xWVIF zwl8kj`CGOxZs;ZcnZ~%u4JYaImF(sGqRzMp-3v+ItBIpYDu|QMR%TXcVwzFhff&e~ zn(>)ar?WA9lwEeT^RWN&!g6<~y9dcOzx@8nCWtQ#Ct3;4**xR2)r2NAFi;laHA?@dOh<`A8HzQQ zu$*c5ZyeztH0Wew|Oye;}IJQPY z+`~0vB98hpZ-8RbG684+EEt*z6+OPsKgoYQV&#HqiO)BE^y)R|aw?Ca z$r=C+91Rw)=%qE$Qx$b3(H{cS9*kN_L^R7udaBL8l5j5w+=C~mCNS6ZnkXi7GE7{< z1VL#iXyI=yu<-96)UrDdC-&-jM{ZM*x^mGfqTln7|Z&?TkQ5DzNLv0%Dmd-FGBwx?3;7m=1DUqzi{ByT_hAH^k{#1e~ zsnNWiEG#XS3aRO8C+ly^F9n~srSnTk;YTXSQh0ia!fcYjooQevxvThO$zBi6HoAKo zkE+F0?(~A@4ePBpSz4$3k^&Mhgp4vQc1+1JrMJgx@&Pc|2y~EC(}MN#>7|h3$Q9B{ zfyJ9CN-qVEZ`t%x*!f#Fy%ctZe*l3bITghI`FG?;YbSETzrzQ<0DR2(sM1^je zhhM;%2uUqn$0tp_R+Sud)k|xe?A{j754i5P(%#oW6X6L;VeX&vmIJ#Odfwy!tGh01g7>8V=l`f1Sf z>E`t?|8RA$vyU~N$(Jjlm;HN))KcDJy?(d3@l@OJ@#ODu7z_B~AMMgWjl%uN!9HW{ z`0$ZwY*kOL3hnca{{69d>5}upem3PXm(;>TS0n)t3a4P&rU#J2(}ZcsjNpvv4UxT_-F~C_$AE>4 zx~7IH2>~aGo2hUgPx?tu+&~Py623nciX{LZgJ zIn%0jwr`r7=MQVmpHR@YFlpdsW^e+-qpzQrtg)zx2o+h?=g5;IPj3%rxH0F&mB!`_ zH$Fb#3^zVrb%q;jVYo4eENO}T%SoU;StmYMx@ZiqI$M{F)8TIWxUyZUc6c-GT*(M5 zeI=9LQOw`-^LH^Mgeour;BJN+M%i#n=v0VJ6sS8jMn|Ri9ba;M>FweCHdZ47&Tqr{ zZ3G@{4eBAC-^M(;#Al!WNX`+7ulqVg_z2Ul1#k?t7&?D&JibPwz1#-XH5}wlS|12hX(%={b5Af7QReQ^WoaYh`8i zU|ibYyssYH>$I=>io?Qg463$zu_*7kRsZ!lx9U5mjqk}VIj0Thv@vfY ztu)J=(?)s{O9EFOBm+TI={`PHy6+!fl^(~NX9xMMa`mWuq)+=hYfY8bD6d2@RuC2< zD#w(5Kj)Z|bJ_?xo^#sxc-1*=#IHn8OIFD_Z7lHaSga}3X#;|RaMpxn_ErXxrtSh+ zr9qDx`*3ny*y!!nHa2!op6)9tciMoU!BfU)3nxeex1ME9#uJoVqpX3mF-Bnx@@L-k*=Ym2ViO(NPPtYiwaa?`DVMveKV0rzw2ticxt|5)&xxuGPsc~9 
zx_5iiE_UhR_0iwMqn0w-Xtstw;8KE2O8|2m=LeV(~U*4waIdu+E7Mh~SuT&c7au%KBsHYd5p8Rrsx zwt@icAwGazJsqF*+ncBT)~Ma%d-d`8J#C~Nz|gE-YbJmm3v6UF)BTStSTul@z(vDL zV`fH{G5|vWP(&LVwS6nq2UbcBk{hKGyI76L$_SupkK$48Fc!Ts4&MYqpM z+vHBoG4IPwlX9^c!hH{dYM=~UFbSdh^fm@TxJNZy69(v^G!L)GixD`5=H&(T;9?t1 z6z8}*Sq9|gIrjkJA-0kPwH@ZeuvgR&R0(TIq{G;GsrY=TnsW2$_NJ2EZa+MnZ*-=j zBzfGXjqKxPxz#&s+0GL^Wtk~Xl%x#vodX9jZ;uU% zwVhN7!{kKB5{rGD5zjDXx#UzqKUvx#nupQV;oR>6aq6YHQe6J(Ai>hMKwoH zDP{#a48~C0H3W1TH9xZu=g2_r#>l0e7Hu2{kZee6h_Gl4j&I1qvOtc#Q!bYsCU0C3B zfR?b1iOKF%DdUvl&Y5=v?l6P8x&~aK@UM*=U>Yh+3=j7e=G;s?e*#JW;{scki`V(l zuV!D=?kZJwINYwDKeyMM^aIRLO>yqPe8ftVP}bklSJGcT62$sv-}A=$!x_CVRT4(V z-uEsOtRUx+PA`u1|Iws>E(cig;{hSTLU6X~=YOiDg9+^#%DIqQ1Q+K$#fQ%RR_>B# za;Ilm(kpK_uWJwW`(%~Y{R~s-z_sahxb?h`!vu`U~DiX`q0_GI!|40)$acBH7xj^ zEcNWSet9bhzvw@UIuP}6CTQUHsX=_$X_HDu_bzTl^L#`yNBhlgmmZ{@u_@~jq9~`5 zPfTZ~QO8h^QXuc}23Wj!`2MM%S7{AiL2GOjVKcYQtKLcG_Sa!W6grL4b>Ft9y6+V` zox#cO&iGUp4ykO80eX#ggl$a-n^S3>N*m*VPNj7!Z8Y3CmDZ`WPNiL2m6nFuB*ANN z-k1qiX@~JSf3tj8+8XZLlDyjDOzk|^8@I!?=KPXiKW>=U2G%0Qc#1VzYBWR3n8@}e zj`RP~oZpGG0q>55o#7&_u(MCUVW-j%D@fl~7awvy$4AcF+aXa$t!nFRqw#Q1J?7$m z^V{-U%T~h@?!f|x3pgyWQq3SI<(>wb3^9n23|7lfWJb>~SEp4|e;yxo zXv&Ei5PJ`PI|TArd5;?qr|?D??m=8cvD2KeYNfr0Uo6fthzc#d9)&*I46GWElU#AQ zKP=~OpDd}g{owLaJI^(&^KkF&?1+ z2wYmp$sC)uA6I7;L?uM%$dWL}`TuCn@5I@FcgMocaH}St3(>4xLYQUf0v4#3yu`=O zQMcFW4sJ)Io8CYd3YWW=_v|9&@~j}hhOGs5Ex57}L(E_&mB4`vq0A~Yyr(lGOHQ8! 
zZixo-5>`2DATSHED+ns0VSeFrN{S-+}< z2?U5-La2lm&{8vB>)9z*1;GY2*vCi%6nyFogr0+(G8XCSmfRiwkzPs0!sP$#U1v`t z*|z;Ft@-?1@8s~l5u4E629p|eCCh+`27}35-T(g9E}*F@S8@RCzU7f-M!0-@e8Spm zXNqs|JT-F%08#`>N}wWlA3J%iUy)2yP7$R z?=&J6zIb`~+FQQ9I=%ZjcYMJ*^`+mBODj9a*Aow4rwb3kfmbwOh$}{Z|H?7FdakSX#=lH&&x7;Wu1=j&BVDF z5HqqX{oBmClZt66$-bKg8KOL7tXD zbIAZdLpFXX8AYi`Z9b|M;&_@OY3+@2y0GYE@3eccC&fLJjh%hjoqufe=a^1(uzlP( zo70`mU0IiNTz9pr-TyT@(O-@(17gujPZR3;iVI*^oWaxv?`o3U*rzsl)0NzgFtyi~ zFyu8=lCk1y>ACG{1}|KnKfAYHI*dBd2xSUg#QBT&(&@)|=RGsdmaxDT?CzgVL`p!N za}Y=a9j@Bojge|&pHY4%sUg-ZztPp;dz#;eYw#miFu#FsM8N_M(Z_7;m@)}YI2$R3 zoZwGhQdg>UgOMyxpVl{bu9}_a?(=&4jIZu%t9ts!bkirT0vtkP9JkzQ?-LW7q((`G ztjSgshTT=ZWRoqi}K?*NnGs&1+8`fQq(ZiLesQ`SO26 z8&B;KP*>&Y(%I_y&a&?|?s|_`ou}XXCwE6bwkDk}c@sE^9hKnO(%QItOFxDLGxVIAw+j*1T}Noa?JRX_P5R%4Z^11Ymq0NV z8*gG-aHr00=oZ|mYd3rg?u^a-svg{9o6eX!mjAak;Z9$-p__1z4MHY^E@hVabjF9= zHI*&t@@%QQ{o~?fyZOT`)O+;?^CXfhehDYK=Vk~pUsy(sIZJaf8VgAO0e2pfACl5QS{KUcF)vloPEvgc?z9%% zbEb+p&bW_S{!Zd9D9XQ6+%lXsJ1qv2Z2uB1G?VE~rRui4+&8E8xp}evym)CkhdVvD zuC^}hq|1G)14p(J4tgG%HRFPRnjB1mQL&5?6-z6@UkU!V*P9ap3aXKoK@W?A-OvuE zF0K#$#)H>8hu$PB-=b-tKyR zo=q2%a&#G^VO1YpSnR6TJ*?gC*CI^$bIOaQeDPN{YVbyr-zjnkBj_!r;UtM^?vnD%K&0qf>Jo=gvqWkHVHOr$-}(z z!U|(^Giy)n<*kQ#|7h;F>dYQ*E?q{kpm(|1++1Dh`OU?xr`hi-wdcA&n<%iT)UGj+ zm8#-KbhxVGM!|qp#f_@s#;AKdopx&%G066ny%$)G-Q>SXce_M*F3+dh3d zUTNLTZ2zt|Kdp502Qes3(LeRQ(ATaZ(4Xe5vRo#tO=9Jl1 zm0QPUYFy+(dDgW5c({Ig`m=k!{o{JGJ3q62ank)c;jF1JvPlP)TO4TcDQZ_eB5V5C zsvAOiPEFa1s%})osUl8qud3=sRdpjrtX5Sw{=BBM>PDV}3FpyMCS|JNUo0>9cb=8) z?KC>=qwQMvj=Apbyg!PFr{8tIf(RW~Nbw`93?hJY&~a;J6{&!(F!O_6H} ze^a)ykyKP^AgWXq-KdIgR7E%bysDxbf5xkdZv5XjDP?wLS7xR3#-}HJEtRKDEAHl5 zo7?>}dEBjUojgO-++R<4(G6Vr0DH)UqnfD3v3LL5OW6&L!_75x9$_Qzjl1ZEu>sjs zslW%Ay*4SlDW&L!V#-+03uBf~dpmlI&GhDX7v-rqpS%2i*jkP9p!$s3l-s8dwfolL z;q9-bM{t+kbTKLCw3gm~UeS%i_WhUC-01(_ah2R?5wA-_52`wojUJFl&_!)3dMpo+ z0-1HJ3_f z*X(h|wY?c0J{ahRH&E>$&p}~$3Vd)Ecy0`nR*>aDvVOfwOG<9Cx+rUOe0Tld?}NS` z!Z%_1pJA0L>3H<`52;K=Cf0uW>hOpB)9KtZv)*pDw`&L2znTrHF6T~SIM_Y73$=KV 
z4i_ei32eU7Qo4xe>!0J+RrJt>=le0PkM%9YU!c>~G7l=f`j6;<>?a$*L|zUTSH>Hc zUf6!6Jb>NF%}ee#`Ps?w)$hIClZ(r{O+D!VM!_}8dT1-o3d57V03{ifBpJQAvNk!f zNdqts1fw8`sRpph8kF|*2O~$8xfx19X0B z>X$dQ`^C>vn}*F~z=~TYp{9fRKru>~n5 zQcDW_WZWk0X*_-s3kS?Rmy4+;#iysKGNd6UN&+i01T{BBktWR8VJk`)9}jbk&ad$ zT8(z_bB7xk8OJ+X!O8^yAz-4n_!o1<8r66dAar$h&9&v&25nMnlzf*g^c;G9u8B5UUKF>DRo_5NO+qVEI9U*Wo-UaGM zJEu3>t&5w__DmNeX~^K9gtFv)=ytTS|dAK&i=fu(Hk~9N-%8bMB{I`*` zfrEIBkcup{o|+xWWKI15Z-U!9ODUzQL`IPa9P`WzC<9PWDG4?)ApRzx727c4&=wD< zphH9dF_c{6aC?$gOs+AMhZ>2|@LNjM!-W>j6qigxtKt|@PT+_9$j3-06L=*-}>?md}Wr6ZI zRlpLbD8SC!Vgn*ZRMabnN|i`yy^hxt47`~Yv4B#<6Tf``3T!nQx5Dy@Wj5FdVXQNjjvJ0eZ1or=&1*)vC<;25EVlM@ z5eV8~j*ASLCVWg^qj$ZuLTgH$$FVL^6MzSttgn`;8&i}{d_YM-z{)BmIE0WX(QSjo zDg+r_1I!ZwHa4CLoHH8Rgk$44D-qwX1Fx_$8oP`$rfuAo=K|a{ZW-QFzC?g|=mYX$ zk{m$Pav!%e0yBVVTslu~GMuLp&}tz3!rN&SkM@iR2jl_nE(c;@Jpe)_8~^}+#XNqq zqXXlWh&wz)fF(7!X^Pgi%!vW9G>(yUPKK-t>@H;tV(DJuev9u13vle9;xSJ#299oC zVnj;xBb#dog2nS=_&p?&9HY2Zuj2<=&~;QyV44m_?Zi(ea;HX{o&zYW{BbqJDb*vv#sRuTS?MYUl1^=V8Lte8qsmnhqOoJY;t~_8hn!-~@`WGMY3h zF|SDGN}K-4ch)S1ue6eA6s-ZCN2UbET#7N09$}U;TW}o7t)JBL$>T(B=AxL*O3VL? zw0vzHGy@1nASFOIq5COGL{B*hzy_Z#qvab7>CAwXobvUOo$~_H{Tu^igE-m}6}oC* zKaf+78X$3QOst? ze%=ap6IX(Bsuc%q9@>Cs1GcyPDsN(>YFScpQxRCOr+3jF5!~D51^3y-)fkF*;S|lmMOr!2K2IWLvl(VHs+fI(7_P^iu@9@R9H~+dMw^^^-!Q_s=-L_j7 zZ=bvgGQ4t~_R;MJ_~brr_8;xulPViMg!N>d)2XotJLTa+%*=3RA3Dp*EbXfs-f=s3 zLlye@MBXpF4V8CTlusNz@F!@E!bk?%FQEvIl(e2*74dym?-^PVU*Zc~c%#X? 
zqKe`UZqJV{TZdfo9eq)6pZMDYHQV~+>~V^Ct1_<&o+fTn%uPrANSRN_kv`xCp3~r; z;3Z}?+6TVIA|q91F0G?N%4ES$!{y)Qarxx-@$mWN=i`~UJzw9l8`p<>4-+4D!Cc@i zwJrrm@>FLgj>`sW#wXx%N~nbk$XgCYl^ijgi$0iER6x;1qn<06ej99BU>YjB2uoix z@)deMwhz|^t8X;+$4UDIs4z0DJF4&~Slqfm))+|@Hpu8saZklK9Wbgt>d2YLjrAsJ z-f;?ghNAOEwE=7yU!${>QeiyfTC<2^8@{aqWjOSAGRGK0ft!URih!ION(=IvDA8ZQ zOIal>`GcrdyeMPRa?tdoAq#_)-YJzB(R)G88>O`2)|7E5I{^yrjim?!+xL^Pc;s{; zU#WK`^7(XNJyuZRc}nvZ$@yu<$ibv3goB$h<$tl>c#z}AQvYI?++<1aDn{j0Iai`M zBE$yTU^~J}ViNnAEL*0jDH_#!rGGhB{EI>4?ThahKRXi57`|B?^I`)_)y_1PuP|DR zM6+e!J;u}`?2^NQpCtyATxz;Up28SR+-n)UnC}!t(J*C7+%wt%9D7fJMz~2n5kcdq z!-3V5rX-v%k#eZ9UO4qs)tJN>OC(ES#w?7`cAktH#p_QQhqz^mYDa16CJ-ObX|Evc z2mu7uwJUMOD1(uDmy`7-Vp5?OV2ZqNWHQva4!Tr#b05~`1*7nqys?S-Ij3-Gwf6*9 ztV{*PaQzGib{OVmGTSVy$?P2kaug;NlUn65Y3+7(=XPU%>u$E8t}l0f*B6!>8xxO7 z`9x`wFv*3L9dzZKsW9np!KBPcQ75J6I-^MOetAq<_|<;CR&!o%$c2;M)`NUp*>#hS zNl@Oj&%q=yPUS5tR#XNl0VZMR0OO6Ml#b8{mjo$pC@`yHPE(Ci13vx#>|I$`>Pi;= zE4}V>lU4KZC=TEND$c&RkU^120TsQg|9kHpQ350+fp89-6YpK!cLh>ZQdQrczwIy| z?-X&2wML?kk8nYC1g;^+=&5d_l1ikYvy@9M7>&SxgaJLN*wi>!RDvZ+3J#OC;kAFv znHeJPRJa2Z!ERj`6CiM0r@X!Jtl>k*SPKC^DLE=~)7gk|S7PSzGvCiYewqkNq1~9w z^g!-f7{NHUeFZp)y)71)3~W&@gp^>?x#Y=;PvL3RtcP{}Nw4 zz7}0(_KNKDlkVSKbso#MFE5+4Z*~)vnXAarv{;VFuq_DseAyH+wlG+tjD?vDYYSO$ zKeY(V*ntjDY}#g};22E6u>4>yl<_3DZkoLOXV7bW?Vi<0%?$FfA^j@6C5+%rhJclE_*aNpxIyO#(Z-cO3d=(uxubUhHa+2_ka<)n6TdPWLE zb-W1fB*no;oH0xU!Hy9Q5tb8|pHX7 zte^eJKEIb3DL>ux_VsA#MDFLXGH1r<%j+uy!!i=erl(?pd*&-OGw~M>>W1wRpHVap^noy3Yn zD+4M3Q>aU!?k|TrWG+OSFW(xNr|3wh`}c=eS<^l&-(@?Q`?ls$Rq}wE=jv8bG zm?&mSkuF8LzYpmGgX#=DJW6ou%d*^z4t2S6_Eze*I@f3KwPtt!p;!7W=YJ>EMF|iX zED&&eRv|@-9LE{H6Mc-*UrdjZ*g3s_qd{F@PPB5ccPC*~31O5mi$EQ6L|d&r_xdAU z3S?^xWPuwYf!j07VbPMe|DJ3j;R&WqTeAT53VV0?>Ugc_z$XgZTl@5G>+Hpf{OkfRHBiAmLGb+lsn(Boi6mbCd4AvwG0qD0P9Zx$Hpa4JtOi^UD^~o-pqXv$E zPr-IqREPG(NP%yCfiDxd6B4*RGrNc4A>Wes|1RhYWOzU_V2a%|{gAI69r-G)Yqdu% zcLgIig{}H^r(x>r-XM)B>)=*F3CSsElYKQ1_>8s!8+K{I*s`hJLBPixZaKD|HcB!o z{2BnkHwf6-n9T&bsaN+L(eg;lQCB8~z0HNam>@|UMTO*mb8vi-!+NqBo;Xw?+oi>} 
zq)4G3p+AB{xFkp(N06aF%IOioq>xxB&k5B?mmXn6YLONX6f0PIJ4I2CA8V|3H{2?V z{j8#}WX_!PX07FL!<0WUJp&1p63zA{X~B}h&_(=jFPD;upUmsm>AgeB9f$|wiB19eGkG zVf>93vZi=8kUs&GSxqfA{aB}7ev9~R2*K1{=3mO*i7v#Oozk;;HMhI^z1!9G!a@18 z@w)Cpe7@gC3%3Ok2N4PKaZX<68n|sJ(v7%1?Nd3vv2r~1+suA@N#G0i+n`5+bL$U$ z-RQuVf4jXX?&#fewcIPI-Rh8^_qNv^_(J?P8s#cBqY=cwQC*q+l8EC5G(k{5A_V7B z=v!atOFcJ!-(C{@0zEg#jfE^xzQMZZ=-Bsm$M?3IH@TX;8uUe*H(&W>vXtw;+;aoa zhpnP0EHdc-a#i_P33zU>EtA$H)%Z3T_EOKyI(u%go2Dd;^YB8_srysU&5|=*mFGq= zFk+-j_PI`;o1nfaU~L6=J^(3>RGP%EVx&Z94ByRx*g9|TkZk$*Cc|%Q)xEu9?pKNN z#fow*mkt~gDZm&d*fVTGif5Ry4u{jH85pVrL~L-*O@zKFgI>AQe=hex(#=Y8D;!GU zd}0S7bgxxD|DE|4OSTg^vTFb{^_%NGj(Ej9Wjb-j#FN zz4yJ^(O$dPE1s2Kx(SRc?)Bbw>2A=>bSvjCRkoM4d%Xn4-6`J=8*i$4{n0G!=Ty7h z9vrPk;LHRN#!%dK2)SOv4`k-(GdI9X0L%J0o&HxfC4Ti@qXrnDLk)oi|LBhvj%G)32)A$~@tAQ8>~_KoDEPRf zVZ;5x(URu8TE>tF1a%f@N4O0&;2%F{V2OwrX2fpgX+OW6E8ShOx5mqDZ@VZK>eTZK zG2Nw3;b7ESSXL@0oq=wDH7*PosTPc7FVE>>-oPM2JTM_9P~9gE68x2KcOWwP6A4l( zMfI<1eY6M`XiH@DU z+xP0nYyIi0n19(Wv-d7owq&!hlVZUrAq)dhQb@9F5PGH9Nr{H%fb~qV^XpoQohf#@ z-(DGZA`dlD+W1@SHad2aQ}tHfyD014?%C;c<*>4A4mKP+ll8)`7CHsC-(*aNW$>iX znL=j@oryrFQrt*JjbF8XiEKrO&a2asxEwb7&&@%PtJ2jyIrz9;bLiB{k;W2gB=$cU z|M157I$f6np;UyWe5c5nB4>)6i6EyGlo{nM74ahHc68+Y99;0-lc$^Zu+=yf>G_qlTsqP(UJ4)Z1{2fcu}}-77ve4 zAI#Q)X>~RlIXB7E>1GlGuB6ub=vs=LDRR2sUKMh3p|n(#`Kz3{=)gHt$ETlXuNU{` zp_bdO-_+&hmELIJ+$1-rqLf-}%$EY^*R>QlQ{Z&Jy(Dnz>8n5W-I5u@i1rVz=c5DX z2Y-7%Eat1F3LSpRi`!RvN9$`2oK`!GVMBAn8Ay-cl+sB7zA4pMWzXS1JXPABvao=p z;&GLjAOa@LQe%B|?e9d+z`c~f?eU>6Lz%-3W_d%4@!PI|-fQH&ES{PR2Zql@p#o!Yv{(!oK)?lwN( zE{E@juTSePzPUq@5&*0oOU<~o`D#2yL1lJH*gcvUWL8XF?cdk_PU*c$yJtDO9~RKPdVgyQdODQu>& zxh!l_Fbe{4(^>*HLy)_u5FIyf_p^hO&SAUPd+V{Ii<_goGWY9^n*fDqI#I#7P)Gwk ziJOcev!s?B1dCFf5ji!pV1DN~9MFO~N^+wKY$;0!mt&oA%W*ht)x;C9$1Qad=~EQa0CrZh)7EKgg1x5`-Gzj(*^Ta5Eg;@ zV+G?;WI`~^8c>EOSCql|fZd}QED+Hq0!b#WrxLK6EOYyKOb(}E`v}kov@ve8fKXmR zcgG1LxPeENn36s*o`Lgc-47&#O%h>x^9}^F@G6iGRA7@j!os;D$#1=Vw3&(9BVNOv zpi8}+(P5K<7ytt;#FA?_LIVafgK1a~$Fe(K+^sc(R?BVtxx>Xq#$-ned24Fl@P48Vsko^*K}Qa$-VtF{^{?0 
zYy835yf;1^po#ssn2Di`!vlx8m{XPik5>8TY5+^#?qd+d0<&fB|2@RZ*yAP$Iu*4- zq5k0uou|>Ev)Rf$_sbtg*}{`OPZXRG7CJo* z8Ufgns5){^nV8J&n)!6O*;zmj?e;7M%ZCXS>O7tQ@+fsInt;ZF24Qpr!)QQLjHfNnLQ>fMnZ#$5N&1~-5?<5UO|{&X3z=W+6A|(P)@V} z!R{%E3H-{VzSTBahT@}$~Rsy%)GQ84R?LZFk0vv)Qe%6Z2yZ6ZF6^1_~x@J%>z1T+}GjvTE=Tt9N*iN^mOKWO5(q+xsIH;Ynkjmn>)4GhhXk|i+@CuhLH78n8ftu zF`Ff5&D_#}re{~t6{dV{AbO=*D?5;+CwuM7Y^%8DB@bZ=6CrTwK%vyczz(u{S&EER zdYC|yFmPbB2n*<^3R9{uegB2nhnbOq$dzHnFFf>zLH(egg0BlXCdjcnmC%Qhw>CyXV0Z(is%5{ z={maZ^mHW5*5%cC^W>rU`X=~xYxl6c=DJf@b`u;GiY54P{y<`T8l@-eY{D8pWx;5p zL|R3?IqW~m6MRP+0u}|+(pBweO6`#(4Kxa!#^*-YQspU%@`TlphGEeU7}JyJNx=R$ zQ~=sh+*c-&_um*!2-Q|;urAdkcNK+=E+p8nL>UXBEP^hQ zkw#0dG0l6)31X2Jya>)2rhJOq7?%%1sh={09Ll|zjM z*$=W(fxHft)Cs?;u$9CLN@}EJ6ij&$uH_`X)#k4xoCTo(;RQ0lBU8kNcufMsOrZb4 zu`$HI@ZmPP;J-b3D7+t?(!$H0dLA5=pN(SgYcBYWh2 zhvk#gV!pZ6rR~jDmy(V#)oiU&^C`1WB#W6zK@C%B4cO>fsw+heF#!r2fiz2M(r3MR zgef3Na)}6&ZxZJkMVS2Ow`hbZ=>07kVG3H|-xFX;Y&J>1tz;K-Me(JCPD0WrHEAeW z2YL<51L-xSAq?4f{EO$S(bcA#yQ}NW_8^;o>0g)MZ{MG98O#1EwP`VW4a?vtFr@TB zc3JBo5E#*GNZ35E+}tAd1(m@p&PJJ+-#A^Y3v@ciN7{Os>hrWPXL==L5m zjdCSZ>GoSi5NqRObUb^gJbfO} z27S!7@2+l3FMF@DpIHRYrpwRAc-F=BO;$M~V8%$HK|eyK<4HW@7CDVUwYEefPXY^0 zy`eSyXTC$JUa!l#^oze?5Lplb$~d)D`0juX;UIg)BXPb3jY8dwJ#q* zHc@t5Af5<%IFS>ADMq1$d09mHZ{;>KkO$#W_*DTRzaDEW!z&$0=K zs1x*%ul4fvv6!8$-C;V5VoP0$FWId0R4&$KdOk1R98GR>z+eY3gt?&|z+eY3 z1jCITz_6*++W`z8yPF-r@R6(k&;8#IaDKh{^y~2u_>$=xJNmyctec8G^+#z{ z$;a_1@_P{TLnd&!)0$7rN_z7zUvK|zzwXx?zeK6cr~eLVVUYK5cLA;&A4cKvVVvUU z!%^p6KagQ*bdip>inI1!@!@NnUukj{!%TobZCE8l2-vme=sY%c@Cy6SVEFto5_l+ek1-1*F3hC?2e4bAJQoHg)|drxlg+I5FXH4;<`D< z?Lu~yVIqFpB}>$*96X>&M-VBbFzSG!uiw!hK;x#u2!01?>THF7PxQ~?nO5*ZoO088 zmr<#_;LOa2CsYtZI1n(eseOcKqqJH$+s8>3CW!zXV@BJ89Z6kc?jJN`4u!D$M|FZn!vlreKA&$Ki0FuVaC2vgYf3{WnZ*hI4~QmvrMsLgBk>Uf*VEpzxO=uBR9 zvZVNCI<6La)mATNxtr&kyBs&h1n+_6hv*73HEcZeHW z$J;vI!Ej?8Z|itl$NQ%`-dg!j#YLuu(yx8gEIjA$o)=ZIn7q2EKQv>7yMDCWs;+)E z=SOC75i{OKOF*x8D1W!p(mH_hZ(OriyW14jDvCs4>nO|lkDBvayW8XHP}u2bcTlsoJb0!Tx&BR|SSoi{g~(FfjUO-W=7;TfOHLiG_%l;iz^&h6rzwi2 
zW*(Y=dY|LgIF|3s zTGu&rojuS09=!aJ*_}GQN_@A`{q{A#-sD#AG~~n#5*v`wk?dR~ z?{jGea!pwz~3YHHg z%v3adI@2Qe$Y?jBt-~W4Ys%zlsXiM-#;wX@ znz~@(@Qx@#R3S*c5yjgsH+5j=2yRXnJfG{L z%6*^TU~~JfTJzXmuRG$IpX3Du-T zdE-&`2$~n&Te+AmUp~d6RE+Df%KYl?@~m>ZKAQCH*yS#3aa)T!#0{;*Z7uF#xUm+u zwYaUt{X;Eo0IPRKBOCGq)WH}c2fzY= zf`2{tKR39s##|^f9LX~N|DOAujNcmE9#@A#PJe^jweL5DU(-YrqMmm}0A}H#vvJ=R zi_9WX>}K?+lkJ^eq#yf-ZEy==CL{suNJXiM{co|;INThN6&csrh=1>(=O-<0P5{G! zZ2<@>&3L%3-`pg{*sa-n1Lo~279XB2*R@!rzPKF0$4aj6e-B`O$lHCP9v3cKne=^=rFFEFN(qYYyPeDIVN)vj@WPS8=p7U( z%!yZTOioQ3T5e?RLoOBKjB8DUCr-{9wKF-3<4CtyiQU!Pkq2BXxiO$0U#QA3wN7?2 zcdJIRl6qu{91TbuJFBufs?||L+|cT%R!0qn8>^#Q9o6cnKUGJ?%2y4L1OSM;39_5? zpN1#>y~^S?5kKuN<~R5;w!WOCI*mhbh#y4yO>azLerX{Yke~yu6*8QK0V@bRJYh-y zQImcvrFvW)3Os$KR7m>$z!OuUA^afXjh?CS=!p|^d=s5VBi%@gl0lhWSMuq@mQt}f zS_ahG^rEByp_{$$o_k{oi7+fE1kn_K>gZWeZ%l16Tp-g#3nfGL#x!TKnFxf;On)A| z6&JII(`Mm@Czox^SF_&(nIG$o*%-B(WY1FK{{DV;vENF<{hzQGS~-kRGZ~mjL+3ZR6@UkYj1U3>GQAPM?u0#2 z6ga(r*U+3vbElSPHKFETVjPM5{gZZ*LoS z>pU)HQ}RsZPDhuG14lHilmloEUpp{9qwZ`Vnh*~Bli=n-IhPynY>$X$ns5RfX=ExM zj9cx2Xw;F|$RS))*e4ztBgLj)xh6sM=NBN_K8l7QuQ81TwSceG)jZ(jwP*+fJ;g#j z7y5C^nEO7zp=ii|*_y}Jg543&eEZ}m>01M7dYCHT^sO8o&gQx1G#U}J_WigyFXPlD zk4?(omA-xO5TP(;k~SF{urNquH?lWI9i)M`QK^VR?+i8|UEN{qT{PReX0LuX0}4(B z3#4YbUNkb3v=Z%IM|@achWML;Qyt;#gyUPsfy?Q>3J4 zUle?`Lob0dbwP(bK8;52%W4{{)iRRsx2^LHSk211p!OL^MGcB-|xyRL^;MLbM$H-qo26QpKCB3IB;hXUAiXVFy*R|aF z9nRjP$!s}$>L<^?3tm6iM~@N*NQ;J0si=m$WD{PI!!hJqW@w87l=ZJZ3L(0@D9cWGkiXS^Ij_=$2c(c+LXq>%01hpBfh#Ok1)@rrEaAUPvtJPYq_J?Y< z1o@Ai$5c~-VC{RS1?})@K|DDeCmIj)^W`93Kg+~!60-{a*=Ye*4uNG&AY~`dlQewO zf`6~oGQk-~!40f!TJZAR?@SAE!Z_NE@f(V_iuP4qU3$8qk%(&nYEjqOUjktJDezKBfn{WI*Qp!S%CBEwE41O`T%} z5DuxEOB8-btQ8C)fg}pjYRA{}NTYc!lkB!e$ckJH(?e+i_4QqSM5~Q=TvNinN2-1E zl3!l*M3mN>Prn*G&pjQvPeu7~hxT&u^Xht(Sa!+!rd-KZ3#V7fo4umOS4>Kxj(~(+ znbw<-E^fevL=ICL7%RdWNiM#yMu0gKC?G|UVsZtX-^=4+jzSWUjzhA?ArW;IVf`Uy zL_sE_B@b#i_l+p<6;%Y5ZFyWB@n1vcvAueBq$K|EB3-kswwxe^Ib!Za!woMF;o&8h zUnW>y#xsxYQW<_ndZJL-}zuK94sKEK?J^ZY<>)vi~PrBHgHdn 
z2ISCGN&l07|J-C2R5GbF3p)7scz%Djh;W)m?YmqBUuPehjW=Dz`@`n!>}nwv-RvlL zTd&n;dHrS#Y^Tgy@piEuf6VtP(REu_QJo%5?sMb-WIbl491J(sW40c% z^_YLG$Bg}Z1envedQfC=qvBcdE&kC@HtUyaCp4&PI zb;t!l5K0slDzM+1%?nrTuy7_2RoY}%pFxc;?%hNnEx|aj zNV`^ej1s;c&!^qh6CLw7Pc$Fg2%t(2iwm;Kmw-W>uIlVbs$A{&V92p^GON{Etv19B ztyXKb+F-b`TCLS;tycR}wOaV(zFGp2n!KHY<4y~97-5>4RcC25@71E2Oe~enoFy{F z-VaX;um)fdfU1HkL8Uz4f*@tOPiYm{CcvfzFVFqXw7^QW9#@Bg*LTJp`AW5bDw=TV zeLjxtFzu+l9^5P!!`!^RW~sq+))$YL8^G}T45Ko*PUD1YE1fC6bhB8C%iLYbsmLGbsd{oPJW>j2unam`+B zWC0%nlVCByvi_rH{njP+xH=Si`n$yM>am;w+4de1Pj+adB9f8Y%VA5zp455w@j?$P z*~k4hfcpZQm|=%PkcQO)9DB1TujURUBii&-GjgqeIZp`1;$8@vbNXBZBiBLN7R1uMNvGjY;@?!>YW7hcJs4#5Iy5q_Hw|l`p zuf8u^*cT=sGxUQAW-=9yygY1Q^k6=VUxN>5hl(&g8^w z!28Aww#ENOlg@NJpR_vDlm6&r*6W;{HBL_+CgZzKYv%YM#<0_!eF0wV>8*Y_yh!3( zA!z1c!OF#+T^r~QCxNT=IVwaek(;}_yGXN{9$wv?E)N`EjEm|piWpOZ0}l`z07HRv z5~j@;#PwV2e6Iiln}re$tl6j+#9ieV9$+vMrVV*e3TN@fYtzF2PEQ)6_Wwp_(d^4+ z9Zzl>qyGANFCPG~?D8Hzizt6onP#-skazt~`Uzj5{8Fb%PcGW^0y`5xv;X$j+u*IJ z0}EAXr3r_)xpCk^X-5e5Tz#vNhIC+STTtQ{eF-V4iRm5h5q7a~xYAN;4k(5-aaBTZ z@Awb7tsAn-zs;q*w{$Wxne`rY>gKARYshScT|Goc?lj``yxi!hQKwZe&QIAa-){Au z-pDqe0|j@$NWJ-B?;H(zF|1yXhWu?mql}M+TujLo$=KGjFM*6ohOk2Japb-cYZI;B ze4NkY)yIOgmj3lRQo|Bg?i0-JFMWrjTeaTmZctJ(DwF-hV`o{PM`r5-kJ11i4pp4N zHpdDh{rb``K*G(Kb)vDcINmu>{+Sq!1)v$>##;cyQH*-TXfyR4ekcgy3}P{Mz0p5w zn^PbW#|{vHwd6<8Sa#TAK-lFGF= z`QO368H`f6P>c8PR@2K7pN&_IaeKc#;`gpV0-8D;YYKFmGfp1Zjtv~7_BjeVeY_ZEXs22o^Ztb_@UydQ_aC83 z7((!+VDq6EZH!{y7!9eJ6sGdaYcuW8Y3J!8nV+asVm8l4qxGnW-VRRF2OpxTqlAD9 z6_eaOw)$l=F%BynVTjY5qAv>3h&vFSITl(-=`H35hG=ZgN(dklfpr@Pw3~i(jQ%gr zCI28YZ@u!j#AA;Ak5QX5Nf=A%jUhYm{D!WQWv@`iovMs22hrpp@)SGtfJ~mfIK;F$ zPpCGvIP73-YH5(xkSf8|z915&TbFNH{yrkIfX^X;=Lco(Pm656&SsqCyOY*3(T?Bz ze|uNf(>Sw4-}x0+^B$}B<&m8b0yiwlfJQ=r1PEIgc96dReoy&hW^5Cu4M`xwH5v&i z_B4*Ws!pA%?$gVygA$S7g2-IvE>E(wXi(U}oiknBmkuwxdk;sd)mYuN^^LjO&Gz=m z`P2h4wZ@Q=NUvma0r!hDvB-NaBm*Q1q2!S5l%pZC8UrF5=4d;4unsm&-t+|!S$-NK z%kd-fkob{*YBo30S=z%nD1eya0c5k&ys7NWoz^O{xwCLwZ=Cw%ncGttK#YbB!S5K- 
zVXuwM6y2nt#k;~7?G$M%*a>yUXaRtd&eI}XIcO(#xG$y@(uuM&_Uo=8&i~`vcDH?T z^Wz(JojSdvqb@C)dR@T!ae2|cgrj!;bMO>*peX+25w$_}E44<}Q_@rk{B*T}933!FjUc*h2$BHNXWU;uP=$iO0Zg#K8n zs$Oes&B-wrt`|38C7zVs0zsq6dgk1&9UaU+ zcDu{_Tm8Ew>q~@9Hi&&b!s0n36_N&KqHmBgT)n^AytzJEf845`K3%nDzt8Ti+)g>d zN(J^wx+dBSFJ5J$DiT~+kYMSkhddd49ZOHk;ZtUX3?-u<=qi6TzW%?pth^eMf^(*l zdxR6=VWoI@Xx1vNrM2pLx86U#yXf~GcKF8qbVI2!JhI5Ijdh+0oh7ogKT6dzU|4o*+>9t`pH{^oe=_P@K;rTG#{6Huy6?nW-~H8O*oqE5BA zuRQNRULD)T^^>3S+3WV1I9uMUOgWTl>I9j1iv_~2vRSSwBIAU|4aSpr@Px2*4BaRP zw#`^r*7E~hkzV;>yd}kO>H>kTT9;qQI*NaW28V-ld^VuZWFkqy zM>2_jT<`&*VaPqd_IM%_qE&FgwPU(fT|09}%j%%ft<)~uL*=-oKGydoG84^{7GA1g zyyI>XP7`##CxG8*{FYf=HC$vi?jtkUa8N_2BIuxK<^|JQ!xxybnE~;c5JFm#!d5ms zAZV&kjwA8V_@!Sd$#IRLyf+G?;k$&D(Kw4FEL}3~xa1g7PT`2i&1t)c@SHnO#jMO* zMAEJq5YQ95*P_6PlJtS4m)ud=DJ${EB48jUOF3(d5|)Ptq>RXu);U++bN{FMO+PGB z9#+LMAgzf*QW6$%!-$BI@NI@DB}tknIU+2_(rS0_1eJ6|k?%ZoKo>EmDPV&Id1uup z3zpBlE0~SrOo#17M_%F0Xv}iFs4T6g=BQo8NnTbda?1jdi&Jk8 z3>!hzCeE{>AAy*Gn8s;wh@p@X{<YRXQ}!o#1m8tM%<(=DgbIi-BKVU+ z4T&woV7wA37ZxHSGDBGlz1t!dgVfSEhFA?EDblKim|bQNvGB)e%Zds62kl*l^;zbv zATfI9TxLYtRY9I`4NVW^a98MBu9IFa5jdCL*mIzEZLfx4z6K+3bqO0CylqTb4*}73uy!FO76RVx;cp10uVM?QzXTgHz&;qkh>wT4m!8feaEOc!us-7J zdv!H99^$zo*>Z#=n2S^?bD^t%ddW3Iw15c)$3rM3)pa^qz!Q&2g+4ln2q+I0!yJf% z3qrYzxL{H#Fb({5<1;|X0ia%J>iJu#gN|WHOv?cXwIj)Rmx`mfh+Gph?&7c*mL^6N z)ug~?U?a4$AgzWPQH_y~)&nNP?p%0c@of-FI0pqrKIC0`A|j;1noeb~%rg8A#;CC* z`!mVkZ|3=m<*q3e9CMH)hzXisdqWA(bPpCb+Ou3d&+7B5Uf-|mR;Qfi1F#X#IgkzM z0rMHnH_LPc_N)=LXg!M`ZMn)){PUXUn}`Ink>-)ED`N?9zTY&TZef-VJAgHkvT~N? 
zTcZ?1SO_ggFG>CvBKg`nOHw8Tjnby+DX5yHJWt_mONMm12+21Z;LH#xVPS~nX)=kw zhk0`h5gU0Ucx(X$`iKFh5Ret;#7q@>6Dx?ZM}(s$$_Hl3Yd zIw_wgT|g^Il`c5k*zGMan{WxvC2|Cid6M@;zVbH!w-LFU$&eb+sRB7iCfDAuHM94# z-+XF|ji<+_=HboeZL_^xy_|CF<|e`vTJI3wT(;3I;4PdMtH-A)i_se0iXFn~CRL$# zLLdmr;F__!t-9H0H5$k5`Q7UCjurL8)6NGs=NQ!!OY9!;?y^8%7U<*4Wr4md(3b`J zvOu34uq@CI9j+|Uk2qdgpwGV=9Iq_U|Groj=(BgvB!9n|=WCU_^P1B^^p?rNr?RXS zr}-V%sBNp~#l`m1&#n1AdBtK0;!P4y$iR_R9^udLGNUk#2|R_T9VEUWa{yJwQW-_G=1{%SnUDR*~f zV3mHOIMaW8Xf}5me&e(^-|sxG-}iaz=6cGRzOcw&xTE+6JCsS$mze33E)B3()A5Sh z$^7+rMVS61%k+w}K*425_OayoUx??IRr<0@KWwcphkBr=`!<@J`f;x TV|lQDX8!pfu*6e0RiqC9zlG!H diff --git a/fast/stages/fast-links.sh b/fast/stages/fast-links.sh index 257f709b09..84086acd83 100755 --- a/fast/stages/fast-links.sh +++ b/fast/stages/fast-links.sh @@ -56,7 +56,7 @@ set -a && source .fast-stage.env && set +a echo -e "# File linking commands for $FAST_STAGE_DESCRIPTION stage\n" echo "# provider file" -echo "$CP_CMD/providers/${FAST_STAGE_LEVEL}-${FAST_STAGE_NAME}-providers.tf ./" +echo "$CMD/providers/${FAST_STAGE_LEVEL}-${FAST_STAGE_NAME}-providers.tf ./" if [[ ! -z ${FAST_STAGE_DEPS+x} ]]; then echo -e "\n# input files from other stages" diff --git a/modules/gcve-private-cloud/README.md b/modules/gcve-private-cloud/README.md index 1cc8029c4a..34d57edb94 100644 --- a/modules/gcve-private-cloud/README.md +++ b/modules/gcve-private-cloud/README.md @@ -1,4 +1,4 @@ -# Google Cloud VMWare Engine Private Cloud Module +# Google Cloud VMWare Engine Private Cloud module The module manages one or more Google Cloud VMWare Engine Private Clouds. @@ -20,7 +20,7 @@ The deployment might require up to 2 hours, depending on the selected private cl ## Limitations -The module (and the underlying resource) still don't support the creation of stretched (regional) private clouds. +The module and underlying resources still don't support the creation of stretched (regional) private clouds. ## Basic Private Cloud Creation 
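Review bot: In fast/stages/fast-links.sh the provider-file line now expands `$CMD` where it previously used `$CP_CMD`, and neither assignment is visible in this hunk, so it is worth confirming that `$CMD` is set on every branch and has the intended copy-versus-link behaviour for the providers file. The script prints commands for the operator to paste, so an unset variable would produce a line beginning with `/providers/...` instead of failing. A guard such as `echo "${CMD:?CMD is not set}/providers/${FAST_STAGE_LEVEL}-${FAST_STAGE_NAME}-providers.tf ./"` makes that case stop the script. The rest of the script lies outside the hunk.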
@@ -29,13 +29,11 @@ module "gcve-pc" { source = "./fabric/modules/gcve-private-cloud" prefix = "gcve-pc" project_id = "gcve-test-project" - vmw_network_peerings = { transit-conn1 = { peer_network = "projects/test-prj-gcve-01/global/networks/default" } } - vmw_private_cloud_configs = { pcc_one = { cidr = "192.168.0.0/24" @@ -55,13 +53,11 @@ module "gcve-pc" { source = "./fabric/modules/gcve-private-cloud" prefix = "gcve-pc" project_id = "gcve-test-project" - vmw_network_peerings = { transit-conn1 = { peer_network = "projects/test-prj-gcve-01/global/networks/default" } } - vmw_private_cloud_configs = { pcc_one = { cidr = "192.168.0.0/24" @@ -86,13 +82,11 @@ module "gcve-pc" { source = "./fabric/modules/gcve-private-cloud" prefix = "gcve-pc" project_id = "gcve-test-project" - vmw_network_peerings = { transit-conn1 = { peer_network = "projects/test-prj-gcve-01/global/networks/default" } } - vmw_private_cloud_configs = { pcc_one = { cidr = "192.168.0.0/24" 
@@ -146,19 +140,18 @@ module "gcve-pc" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [prefix](variables.tf#L17) | Resources name prefix. | string | ✓ | | +| [prefix](variables.tf#L17) | Prefix used in resource names. | string | ✓ | | | [project_id](variables.tf#L22) | Project id. | string | ✓ | | | [vmw_network_config](variables.tf#L27) | VMware Engine network configuration. | object({…}) | | {} | | [vmw_network_peerings](variables.tf#L44) | The network peerings towards users' VPCs or other VMware Engine networks. The key is the peering name suffix. | map(object({…})) | | {} | -| [vmw_private_cloud_configs](variables.tf#L58) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | | {…} | +| [vmw_private_cloud_configs](variables.tf#L58) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | | {…} | ## Outputs | name | description | sensitive | |---|---|:---:| -| [vmw_engine_network_config](outputs.tf#L17) | VMware engine network configuration. | | -| [vmw_engine_network_peerings](outputs.tf#L22) | The peerings created towards the user VPC or other VMware engine networks. | | -| [vmw_engine_network_policies](outputs.tf#L27) | The network policies associated to the VMware engine network. | | -| [vmw_engine_private_clouds](outputs.tf#L32) | VMware engine private cloud resources. | | -| [vmw_private_cloud_network](outputs.tf#L37) | VMware engine network. | | +| [vmw_engine_network_peerings](outputs.tf#L17) | The peerings created towards the user VPC or other VMware engine networks. | | +| [vmw_engine_network_policies](outputs.tf#L22) | The network policies associated to the VMware engine network. | | +| [vmw_engine_private_clouds](outputs.tf#L27) | VMware engine private cloud resources. | | +| [vmw_private_cloud_network](outputs.tf#L32) | VMware engine network. | | 
diff --git a/modules/gcve-private-cloud/main.tf b/modules/gcve-private-cloud/main.tf index 4c7e9bd94f..7a95cd018e 100644 --- a/modules/gcve-private-cloud/main.tf +++ b/modules/gcve-private-cloud/main.tf @@ -15,24 +15,31 @@ */ locals { - # Creates a map of additional clusters objects, including their parent private cloud - additional_cluster_configs = merge( - [for pcc_name, pcc in var.vmw_private_cloud_configs - : { for cluster_name, cluster in pcc.additional_cluster_configs - : (cluster_name) => merge( - cluster, - { parent = try(google_vmwareengine_private_cloud.vmw_engine_private_clouds[pcc_name].id, null) } + # aggregate clusters into a single map and add their parent private cloud + additional_cluster_configs = merge([ + for pcc_name, pcc in var.vmw_private_cloud_configs : { + for cluster_name, cluster in pcc.additional_cluster_configs : + (cluster_name) => merge(cluster, { + parent = try( + google_vmwareengine_private_cloud.vmw_engine_private_clouds[pcc_name].id, + null ) - } + }) + } ]...) vmw_network = ( var.vmw_network_config.create - ? try(google_vmwareengine_network.private_cloud_network[0], null) - : try(data.google_vmwareengine_network.private_cloud_network[0], null) + ? try(google_vmwareengine_network.default[0], null) + : try(data.google_vmwareengine_network.default[0], null) ) } -resource "google_vmwareengine_network" "private_cloud_network" { +moved { + from = google_vmwareengine_network.private_cloud_network + to = google_vmwareengine_network.default +} + +resource "google_vmwareengine_network" "default" { provider = google-beta count = var.vmw_network_config.create ? 1 : 0 project = var.project_id @@ -42,7 +49,7 @@ resource "google_vmwareengine_network" "private_cloud_network" { type = "STANDARD" } -data "google_vmwareengine_network" "private_cloud_network" { +data "google_vmwareengine_network" "default" { provider = google-beta count = var.vmw_network_config.create ? 0 : 1 project = var.project_id 
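Review bot: The rewritten `additional_cluster_configs` local in modules/gcve-private-cloud/main.tf still reads `google_vmwareengine_private_cloud.vmw_engine_private_clouds[pcc_name].id`, but a later hunk of this file (`@@ -80,25 +95,35 @@`) renames that resource to `google_vmwareengine_private_cloud.default`. A reference to an undeclared resource is normally rejected at validation rather than recovered by `try()`, and if it were swallowed every additional cluster would end up with `parent = null`. The argument should read `google_vmwareengine_private_cloud.default[pcc_name].id,`. The `moved` blocks only remap state addresses, so any other in-module references to the old names (not visible in these hunks) need the same update; the commit is marked untested, so a `terraform validate` run on the module would confirm this.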
@@ -50,7 +57,12 @@ data "google_vmwareengine_network" "private_cloud_network" { location = "global" } -resource "google_vmwareengine_network_policy" "vmw_engine_network_policies" { +moved { + from = google_vmwareengine_network_policy.vmw_engine_network_policies + to = google_vmwareengine_network_policy.default +} + +resource "google_vmwareengine_network_policy" "default" { provider = google-beta for_each = var.vmw_network_config.network_policies project = var.project_id @@ -59,17 +71,20 @@ resource "google_vmwareengine_network_policy" "vmw_engine_network_policies" { edge_services_cidr = each.value.edge_services_cidr location = each.value.region vmware_engine_network = local.vmw_network.id - external_ip { enabled = each.value.expose_on_internet } - internet_access { enabled = each.value.outbound_internet_access } } -resource "google_vmwareengine_network_peering" "vmw_engine_network_peerings" { +moved { + from = google_vmwareengine_network_peering.vmw_engine_network_peerings + to = google_vmwareengine_network_peering.default +} + +resource "google_vmwareengine_network_peering" "default" { provider = google-beta for_each = var.vmw_network_peerings project = var.project_id 
@@ -80,25 +95,35 @@ resource "google_vmwareengine_network_peering" "vmw_engine_network_peerings" { import_custom_routes = each.value.import_custom_routes import_custom_routes_with_public_ip = each.value.import_custom_routes_with_public_ip peer_network = each.value.peer_network - peer_network_type = each.value.peer_to_vmware_engine_network ? "VMWARE_ENGINE_NETWORK" : "STANDARD" - vmware_engine_network = local.vmw_network.id + peer_network_type = ( + each.value.peer_to_vmware_engine_network + ? "VMWARE_ENGINE_NETWORK" + : "STANDARD" + ) + vmware_engine_network = local.vmw_network.id +} + +moved { + from = google_vmwareengine_private_cloud.vmw_engine_private_clouds + to = google_vmwareengine_private_cloud.default } -resource "google_vmwareengine_private_cloud" "vmw_engine_private_clouds" { +resource "google_vmwareengine_private_cloud" "default" { provider = google-beta for_each = var.vmw_private_cloud_configs project = var.project_id location = each.value.zone name = "${var.prefix}-${each.key}" description = each.value.description - - type = each.value.management_cluster_config.node_count == 1 ? "TIME_LIMITED" : "STANDARD" - + type = ( + each.value.management_cluster_config.node_count == 1 + ? "TIME_LIMITED" + : "STANDARD" + ) network_config { management_cidr = each.value.cidr vmware_engine_network = local.vmw_network.id } - management_cluster { cluster_id = "${var.prefix}-${each.key}-${each.value.management_cluster_config.name}" node_type_configs { @@ -109,7 +134,12 @@ resource "google_vmwareengine_private_cloud" "vmw_engine_private_clouds" { } } -resource "google_vmwareengine_cluster" "vmw_engine_additional_clusters" { +moved { + from = google_vmwareengine_cluster.vmw_engine_additional_clusters + to = google_vmwareengine_cluster.default +} + +resource "google_vmwareengine_cluster" "default" { provider = google-beta for_each = local.additional_cluster_configs name = "${var.prefix}-${each.key}" 
diff --git a/modules/gcve-private-cloud/outputs.tf b/modules/gcve-private-cloud/outputs.tf index f378830056..e4ffda2c68 100644 --- a/modules/gcve-private-cloud/outputs.tf +++ b/modules/gcve-private-cloud/outputs.tf @@ -14,27 +14,22 @@ * limitations under the License. */ -output "vmw_engine_network_config" { - description = "VMware engine network configuration." - value = local.vmw_network -} - output "vmw_engine_network_peerings" { description = "The peerings created towards the user VPC or other VMware engine networks." - value = google_vmwareengine_network_peering.vmw_engine_network_peerings + value = google_vmwareengine_network_peering.default } output "vmw_engine_network_policies" { description = "The network policies associated to the VMware engine network." - value = google_vmwareengine_network_policy.vmw_engine_network_policies + value = google_vmwareengine_network_policy.default } output "vmw_engine_private_clouds" { description = "VMware engine private cloud resources." - value = google_vmwareengine_private_cloud.vmw_engine_private_clouds + value = google_vmwareengine_private_cloud.default } output "vmw_private_cloud_network" { description = "VMware engine network." - value = google_vmwareengine_network.private_cloud_network[0] + value = local.vmw_network } diff --git a/modules/gcve-private-cloud/variables.tf b/modules/gcve-private-cloud/variables.tf index 4ba6802494..4a18de6507 100644 --- a/modules/gcve-private-cloud/variables.tf +++ b/modules/gcve-private-cloud/variables.tf @@ -15,7 +15,7 @@ */ variable "prefix" { - description = "Resources name prefix." + description = "Prefix used in resource names." type = string } 
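Review bot: In modules/gcve-private-cloud/outputs.tf the `vmw_engine_network_config` output is dropped and `vmw_private_cloud_network` now returns `local.vmw_network`, which changes the module's interface in a way the `moved` blocks in main.tf do not cover. Any caller still reading `module.<name>.vmw_engine_network_config` (callers are not visible here) will fail at plan time. `local.vmw_network` is built with `try(..., null)` in main.tf, so the output can now be the data-source object or null where it used to be the created resource. Consider saying so in the description, for example `description = "VMware engine network, created or looked up depending on vmw_network_config.create."`, and noting the removed output in the release notes.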
@@ -58,8 +58,9 @@ variable "vmw_network_peerings" { variable "vmw_private_cloud_configs" { description = "The VMware private cloud configurations. The key is the unique private cloud name suffix." type = map(object({ - cidr = string - zone = string + cidr = string + zone = string + description = optional(string, "Managed by Terraform.") # The key is the unique additional cluster name suffix additional_cluster_configs = optional(map(object({ custom_core_count = optional(number) @@ -72,7 +73,6 @@ variable "vmw_private_cloud_configs" { node_count = optional(number, 3) node_type_id = optional(string, "standard-72") }), {}) - description = optional(string, "Managed by Terraform.") })) default = { pcc_one = { From e5df2600b64fe22739640db23764b7a60eb9907e Mon Sep 17 00:00:00 2001 From: Ludo Date: Sat, 26 Oct 2024 17:49:47 +0200 Subject: [PATCH 61/94] GCVE stage refactor (untested) --- fast/stages/diagrams.excalidraw.gz | Bin 0 -> 95456 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 fast/stages/diagrams.excalidraw.gz 
diff --git a/fast/stages/diagrams.excalidraw.gz b/fast/stages/diagrams.excalidraw.gz new file mode 100644 index 0000000000000000000000000000000000000000..08138c507a24bdfa0dc92954e55a91b4bf51c681 GIT binary patch literal 95456 zcmV)dK&QVSiwFpi<`riE17vAoXL4a}b1r3gV_|G*WO8A50PI~^bK=OdexF~_;dvc& zYG3BfVB-~Uc)xMN!475-W;6E0`R_LiVr!p=TT8(nA@VfJtxjw4&`VG4Sx5(u0eS6p|O-j}WgKq!t|NO^!!YbMA zkEbfFO1sh-^r77U!QX%U_-FE8*L!-E(xA|(wJMVbCbyhdVZ_wpBEF$R?~+^H5?{fcwPT-tdV=HHL+YA3CpXkz>9I{iG#bezYl zjaDl^cxz3h?c4B$&b|JiXE!T%jq;%W*)Xo_v!}}Tz`TBTyJrt;^-iU4ng!3U+TB8_ zF?gGNHkw`iXq&%(I9JRUVyUHtso+v8L&U3yW!hNui7ixWHxx zvy@sGXq!?Xsp3LApFD+G%sJ3vfQJNU{a|ZQ8dgvB;luFsE<2E|)3;3X<;(}RC>K~T zpwbHZ1+0;~ihZCKv7jRqa1;<*3P#-ZtOm35pSUe(mhw|t^IKBa*uYE?U(yJ;DK%2W zn>D^hN3(KykfR5uk4J}K+dH={RFdG(`Vni8SFTab(r27Tj!XM_+ADxwgA(QpmgxTSdJueRp5q_FWJ zn#(s@Kr{kY0M5Af=4a#Rh^CrctH*ljy0F)|c+kyWFP)+rj%WlS0hCxt0xmGoL@Y$J zux1v}WVmS@VQ8rD<7c265-bC{iU@(JbUw%x&9Y#$;}paN-auUO$4@|0ges+=OSc=* z9Hjn*h=wdo81w|iikVpEyqi09D}Ofx^VL%GThh$l^4wj(ml$JF`F-Cc3R@e3H2un-nVQ4@xdY{|b=7KR?t8uS>5G?xpq#pqvB zOKFY;)>=}gghw2YVoPBpl!;9s;E1jO@D#uZk_u_~XUju*-w9xmT})&#t|*d70Nr3* z5WNgw%rY}0bkZG?{C05WtF-2~tgb8K*`P8Wc+xS#ed!nm+=Nk_aZfmVj}B+S5#KoA zY~iUG&`kew3rVWl?*E`vs?(3%w(*v{AQl;C}ZMyJwS z))u?hs5Lr;)^*^!3&VkZRq20x$e=f@xZ9#~ICD@e!UGY}l=ebIh1ufO86Zjun5ePx zin#5f=zw^iS1Gslw2F=!OK0e#amp2{Mk+hg(NDGD-QO^2`DX3!!EEiy%n>j&= z{aJ1#RR1$O`FY^Fh39bHp{+Aq_b>9f@J7Svq%?9mIzjc{57kq?dJ@Cq%Xe2BWY&9p z^NA_dppbeKd(&gW`{rdjH*JCHPw&T>$GiJY2TlymIMG@WO)*+pE51!pPA-K+1kq&fYI-d}&ICCprN51E z5`?KFo`h3G$IbEK1sU6e(#az^L%Q}z>bXjO%W-pyVw{p<8D%wkf}06$Cb$^~ZVD_W ztMfgl)#VCnrP60_Riy^|XD@eqhwa^`mwfYR%Yk!?LY$NQIzqD0orwu@Cdio}XFMTJ zMTl8x>V=#tI&#unPTI$HlFFRjT^-&wM`|EzTaKLD6XPVDX^EIhaC3Ss!Oa9WC#BcK zO|*D*wtXB44!2#qVO+SWqvPi2twS4E>FaVWeK>w9qsPOi*Y2j{CKVPHT4>zfvc3%3fC7v-(MwOC;CzI-**M3jr^wp&p9$y{$QkYm&QQ##~ zBTT6hYeI2Yg^N1~*8Jd@t6LIYt^2*-P~+kktozL|*SCa(tBv04J-&gXw@HpGd;&(h zE9}D12! 
zIo)*7WY{=Ol9=c;!ixcRCb@+3oI60?<*2F_V@> zA*mx&C@stgpbM+~(KRvm@2`EVf@q!G3XlM#4k!Flair}MH zq8~r~@u@N+Y!1mVsh06tjWabi4r2v?fn;pWzMG-}0m(oN4g6p&)mlQU^%Os_x|NYJ z-r7Q1&H@kuOf+i*ps&I^BDiC*N!QI`9Aoe{3=BOqr%$lnA+RtdBqtJZ1zc>RLj~Lj z&hNhghGWTuX2LU4vKO87=lh(X``yFZ>GAcbbk0ZVV>H}y($5hnH{4**NJJ?A%)HfV zNtbjm=U*)I$@%^HynAlghl+i2erk?#0CNf3IhauXe>LR~WB_YE?%@!u1ZL|#|Gm)Z zn+RCrfRknbJ2+CxYxf+uj~)Z6sjM z-uTb#PcsDzKA3G%@JlIugA?)x*1OaIzdEJwb){1fViBCnqoCKCeG_Z2WXy#_xPDcX^iZ!R_FKD;^wUNpp@cjEpdDgWp5v zql?HgAwtF`$7CvK`Ovj;Ffem-!Z_nZ5RA!U_!Du0IX4!C5ym1kav&_T)<;2&+Dz`_ zxo}yEnH<Xyx~LR-4Ko^;xhRGLF7pe{<72#xgyHy*}7 zdcbd2TAO@n5x8_n?_z2(b8G{&AD-+Y2@P4zllx^z3VS{kyF{tD+bk7xpDruadMXzp z-^vyd(txX5Y*-(!jwzcEO;f%z=w>EIa_oIH%AhxpPCjB`M!A{#Hb)=G@F_KF!Pmf7n6(AwFsQkSlBJt#$;K=tjFM8! zrNA)Kg^oPIO~);>H$s4bT2lq%*?L_ofCyks0M!UWE3N`tebA3pmQ>6Qm5R9^Q}Jq9 zuy`w*KuGJYZlNKa`vnZyaKZ%LVCH7ML+FRm3De`%u-H39wd{H)EH^- z0m-}vySjTg^I(-k6cBXY-~56D`{`j*1ikt z&Z>PGubu^pwz3ffw%h6^8aIS&1Yz=Da{y$VG0c(Y9NkfL!o=$6C3RKLD0QN997PH1^T>h0=e&uFoB3l1G`IR=%&{ax)fncN1%6@n!1NnC<6XM zBnB~cV3FY3c*L&EV$&CXc(8yv+T=-(?*AhOJ}S7``mg!dO+0MI;0qAwe}pCcLH_^p z-8JQ#1}F%CtRnEi>$cxCelpoxflRNg+r`uH4rNqA8)Cd-a*UOS{ra*b z_%eOI>Ek}p7H61Aum=VNXknYiwoNf94s04HQ%s-Nl7T<+6cae8f=c8{jy`$(>oZI- zg|CCxaBj>DQ!KL*!EN{T87A+({Z$i8aY-|6EVH9vF?MV(wSldQ}ngc9@7>aWi&`7DlHV{XZF@#Y52EqTlL)ww0V_WSDGl3x%1nyIDO zq=~z=;_b|Dnpuj;65_VhxS?bN5`mbEZ+@&v!(a>49(hKXax0v$Q>;H-8`uDGCnCQaZ!A%)Qb6G zPs0n1}N1ilu{+TS4p|Z^3Tb;;q&tE&c2~t$u$;p)(evoPdZ5|-6(Pv z9Yt~?`=HKG&TpU7o$J$sT!X(CZZ_NbA_&0{#K9OTjHfWnEI408NT35$GmbP2L;mL* zMnDnY7B9E9Oi;XeA$RE2g8jKUtY9+jrj6< zS2Nzw@`=bx)He$QwN;20-@A>~T>&%;xGQQlXBhfFWkL8qgB|Bg>$FYO(t{1nFp zU<=l7TXHFVI~eM}@bvV$B1a?a z1@z>2rsC_aTz?TBJhRn{M87k+uRn5f$LrVQDYhqD?sZiRIG8}N^(#Rza|HBX!ILns zRbUq?*H&Aa(4faZVlSQ?ycHxeu$)?aX}c^7f5o8^M#Tn*vjIZ0mK3E0`teGIR~yQ zn^J#zxOh&aK4Dz}s912l(y3_hi)QD!R)}33^fRLJGVOelk}oBWOBeDbeI}Fr$I%#D z?BsrE*x`<_L*o)QF5wUtG%jJ|5)OtN;}SM5VdE0sQI{}+x$Q;yVObLDnFewdp7Wf;9;c 
z5{2^$V`MQ&LO^E2I(eeC{LRUcXw_P|n7AEb`S(EPnhw@nv(sVq3b>;P^0XF7f+Qzb<@V&ca$ZkQ57Q5oZj>iiyQfKk^uX;8PtOb+x*# z!&9io+Q3fdYZXba_uJ_!nHcwT`#VmdIEyo_9HP@0l~UemjDKD>0->3?7HohS{$%*m z`(e7?`Fy$2*i6^E`45<`ck^#e*SlTldgsHJIM;&Q?k!wy!n38=^fA^WFAw&4;^p*g z+#*0IvfIv<2#-rG0FF39NQs524=qRv)Ll@Hhy+rJy%U$W!Qn(0(SpZ#?nyU%$?zrr zvrW&t&4_^Md1rdwxn67sG)Ya*J0H5l7eDOv^jd^3K&~ zXje58b)Zu6~l7b8r9!-OToWHi5j zW;TA)^6q;AOs3_XX?f>2kv5uTrsdt%M3-P{!mo;5%fD_{s2EKaYa~}3Wo}|;i58a6 zF>y28ajvve(IqJaB`C1xoncCbDZL-2=bhm3(_NfaDS8sGQs9*@(bBFf~|&EZ*b!V<{I zgpLN6k4)H!Mq+SVpWYQ-`eOg#@8MGGcD*Z)YRy=?*BJhhws)>~|8fD2IlL|*iJp#1 z2v=uyB|MU3E*j0}`lNSII~&$3$GPdvbvLu!1{jip#{oi!MB1qV2K8qoAwtHr`jmGhMS2G&N>zw@` z=bx(+eou*GEP&BsPFxj^tKkWM{@Chu_A9(_TAkip_75_X{%vQ+2|pw7wT{xkEP$6S zyt7j4^{T2Wf6BjjPNWLQu(u67=a7;PByyHrsSMnrtOr ze%$fjkH39Pu(3_|MIv43UXoI&lX!o`E|g>gtBV6fQ7{t0JRt;mcc%N}URzyMB!GwpK~m%W}-o<|A5aV{SL=GSGh3d(UlYYkI6mUWN9WX3G zwJ@?Ra@)d3RCjZcLD^r1^#5qmZ~V3{XNLk$?{r!0S!G0EHxNizu1YM8@Ysowb(p$4 zNFH8vI>Vb`?f3{ijyn7qAt-R zqN{9yZ(=Z+v=@mjxo&kY0gEb1g2M07;mRB^-lyTadHKI}xfw%Ia5Kli?AKeTLj*Zz z5KInxT_3=~Fy~8IBc{xP~%|4S%7v#P;JKvC+w{VYF-0=9OYgzg~myHz+0%7%_kqm z`(1YsrWQpo2JKP9Y-y~3Fj}32=!grJ*fD=X4R(ic)^joGV|f{^2((`2D{^=+mwkUo zn@k=Z{vN{P?0NNtsrGs1)?#G*G#b=VBl!?5&i3>RjudAp2X4qH$FS!CKXh36Gn|E` z6PE}RT?vY`1fD0(B3u9G@BFLaI<8cfF&0Z67YZ!bS)He={VJAZLkW@!21SE>eLL-` zbC`#YjFkZM@XD_3X?qU-xz`--!8q-~o;C*u<@WEc{$|i?@BKHOIQwUB2xA%kv)3Cm zes}vYDXUEz{%Jo|4`IMM)J@?)mrO%B$mNxcB>4Z_@q!Ywzja-mCZ8uug}+yA`|Lo6J5M%olR} zcQ=1;Pxq?j?%rr<@70?1x~+Nk@9uuPH>&NWYw!=4R{!i(U?KzC+ACM9PyfKG9@xNp z_Qu26C1Ig|Ga7Bn@A}mk25Zxs838d;$}1JJy@F@IHX5g|4s0~4vx|PZk|NXc(UxNv z7$XE&J0b{da7@`eFXfFHNvu69aE2D~M+$j&Ki&+)n0C%^ru%Dpa3i+t+t=PeBCz~E zYjbBntk;jV?Xlf{Th5wm^!iUQ?KRE#FRZ@V3a;3C5!b$(1g$^1FHf1ah-U;4CMMUe z4R^(yPI#cGUQZK=LH7BmniQAhAa$O4$@L=ziZ3X8qco0nGX}x{B;u4mUwhJJ}yq> zV`^X3%cr?qjpUC-q4eS`k=SkE`QiB!tDXJcu+I{V5{(0&^Kn<#RP~h=j;${F>Z?Z^ zdlRJ93B#0FRSASlo%xha3D z+BI4$FY~7;WSY697%Z2->{G*@410P%{JZwONvrDWYJ!>2nzF$gwx9OvyY#CrQc(Je zfh8!u(zI{Nv{=Frxe~z@D89P6(aPq&N&3S6pd>6o+AeN)g>zVY65J 
zCWwr=g)J+1Y@cS;>N|d$l~ahws| z^pFCB=48{h7GLXcLP{4J>XmIM)9Yu3GKKB|24@(z z4&10CepEqkQY$1P$(ZhDZP8$o6ZKT{f0M8lCEyrWDEo*uKXd;R?& z{Jx(nAKgvpi*=>=e!f_#qjx$$7wWfmE660YmPiOuIJ57YegFM< z4?}=~%89VR4*QICYloO3@?ZO>aBfYADUz^+|Fc^^#N_^N|5Su2s?oeXES+1-xMrrC zJ*>Yiz~uhi)($X5g&*6&l|0qgkmi|ENXs>Wc^IB6*(q{@QV-8}*Ug(r;ix$%o#(2% z&6Oe!FWJhj+Vw9AFA-&lU_}i>lnhaNKi(n_0Kt;#4hsCUw|f29l1F;v2C*gA^vx}b zExC_x-Pn@X^IJEzx(M0{UqJ5cP6j_RBB}BbaqlS`g(9NcdEPgysW5z&R zElaotmY%|srlZ@3QMH~;^6a&hAVY1y?KW%kN<=S*|_H7dU>zQ9VdK90P1yL=p z;cWQ#=BpNQ#bGBBLNT7-V~}lJ=}2u#btcfJOr#XFu=*C1nMgt*f3eO z+H7FcXG5P1eR@BP0*B9+8;#8xSJ46 zSV2RC{0(6;gz5b-`Wu@u0i(ZR^fz2Dwgc&rMt{SHFL~?ZW6UH+)IB}&d4*DvRwFwp zT;9c+r_)ZVlg&KkoQ)-SkuOo8?+OvZiQp7jo9erMX?mp2+kr{RgQEV1Eg81-ei-!) zqrPF(H(Z^DMt#GmZ@gwUdAA^wg5g>FQ8(r^4bPm8_i4YkpEzj@bM@=|%kfb=Q)q5C za|+IE;&BTov`|>+l5FqZtlOZzA(*6=#gGZjy?ti5lTqJTaezjBFkyBJ|o z1olIdkn{eT+4YU~#`lDmjP{1n-te198_hDKy|FE^C1AMlYru1JVM<9WJX7lIS4io( zS7?+DdGfh%cyZe3*LIvK?NDq9>lmS~;xkO??K8uajQEDz^^Ew&{97Zw5k4DzTLMc) zd}D>PL$M}r@eS-Pz5(_D*9~#p0!v90o;OXcPB~U=ou-a!cXqp5$xI8dnSB#)T2p*O zQ52V$Ah2mH1Z!(CutazqQ&@QfGq6;!cVKB_@eR!4Txv%j%w$+ZE|H~W?F}L+Ol(Gi zdf?ErTB~q$m=`2fI6Hc|xuD%n@sqSh`^dg7)KA&XO|p2EZWLRMqwe2BrPkKoD35B* zr&zn!82%ac4fp#;rN2?uM9&pYnDm4b%7_L?*ZR>U4v!|SgKO*T(jwF9L%x1EJRnbL zc^xU5)XKwqJ7PG&I{ZMHZWE#9D;BkUBN+H-l;bpP; zviN`#8CL-N3P_J7g#^=Z5nYt7Ggn9i<@iOn^#7e-^lc8lZ?6Aa7ZI2PHP<(;90Rjo zZ$0}(el>2h*~3(BS{e3RK%RY!W1z(SA^f?L1_f%^bYa*&i?jdEW< z?>HtF@F=3=qq+jld7b9-XLD`ox%>c=FXlOG^|3TxSL85oQeNu z@5-7|S(@$p{T0OdUN0Rr506ebp(xJ8jxdgvjsYh`6+g0CW$VG#&UftP!1z*$G3VF}PQ#B%QH3;2J^0n$pH`>ZP4%m-VymBOv{Im#MsIey?fYuE@A&Ao zX0_H|f?A7Zpm7O1U+l2{O@M$UQNooscF6G9AvfDY*?Bn9{ zv$j9~6e|yn)}Mb;y=wQVQLd(n+y`G?>m&haiAMHu&Q zAYab@Rn`%F|;7U)8Zo7rI z`pppYO}Dai^wD#g^C+wX1^(L;esp;F+1R;#e7Ne|cLsXz@g`UA=g8sfio*{D@#k=+ zU=l!@Q_ZIokQN35kQyYClwe8z(VT_wM>5A!JUpeWMe*;!WIO;!S%XIx68!nFf=OOb zE0+81?l1)cqy5}N8%&kE)nXsk{-0L6mUs-?U`3g)lCx~i5`!7TiMcci8S_awuQK8 zG#;)`Rvd|d2w^XE$~hrMYOAMq-MJ;0w~Bl2N@?mMi?JdRQSf9zPjP@dMjGx0Mtyh}2WDIjE*axAP+qv)DM7 
z4INVWDk#Rd!qaVD=fO5@c;GlRSB3uW-QFds+%qmO4%GGi<5z%VI@+;Z3S%8mFkHZh zVS&5O!jFK%FzSG`QbKB`wPF5g&S8L~R;x+3s2m4zts{X!5d~_EQ?D4Vm|-w@(o-8N z^>2yc^3aJiH2rRM?_U3V;lTgbm!C$Xt$$%r$&|F<9>+4)9zJJ&m#yU+c{hw>m( zpf`Wp2iLbd@%9mof8*I2;s}fFL@ghMN+!)*G3me(#VWyE6EdgV!=n4n#8K43Q?imX zidj8lL>b#UbtpV57>}`*D>{4dQ!#?IZnbw9_NTU#sg#t05>&42hxjvO`Wb!q+^Jkv zj;{~1r{#jC7r8M%O}R2;2tcNwAkX+w?LPVaJ5pr)7bL!B zmg4ww|Kt8|WFf9N4no^_Amy77!VQ@6xQ9gjlIfIy|j6BDth*S z4YJqi;Swmx=P&-BYfXo8V-u_R&EI~$^WXoScio)G+~1$|u7{n=!fB@2(0^;aml&?A z+AntZ`1GLAJ88?uO#N`HROp4f?##qap*Asi4p)8&wZEF_Tx>O7N8y(r$a41h?PYfu zbXRtosbH#r^5YJU7vAlL$Gg+phckV1P|WswyZ!3j>oYI3_E-Cusl_B20`kCc$&H!b z!BR#$ihyet!k{oxQv-{5%Cyvkzs+JDI5{BBf-^kVtgY*~?v;q-g_aAPsJNDlMg@ zAn^1-fU$C4hb0Ld;edTab z0s|skyUqr?U~xY@EZ*%sq-(-v_t~57hE5-^IWAg< z3yGz+rNK&MD~yYjNJ*KyK5PPv2{1OqVB6P^xBLD3 z{^Lo#!pf!7^#;axW1mX}MuxRPtq9JiO@J{0#snC{Fh(u~9+L5b#cX(3tkJJ2DyX z-RR@+u(;8z=Xz(4TP@w$OK;u29A>Nc`89{dH3~0kV~Nt7B-_ymFebnl2VW!@Uz6N> zKROp7m3-s*q*c1ewYODkm`M-F>GpYhy@7F!!i$Dc%!M}zVN7r_!Nu^n=->KTXa!4= z5Kmk@36G19;`KazTqzusGnuQKY<~Z_z8h~%?f7xg3OwGEDSp8l zj`?ykgAZ=|7;wK!xZ?C3EPBr|UvCEIqWR{@3-fYxazT3ZjK0er}KDQ1#1^J}c91~;R_FEz*YQhbSG_bW; z0*MJECXo11CdK%cZPStg(QKsJ=w`~c4MXFdZs!ojRpDVQKiF=0FkU(fl> zXGMJueosmnlp~hCzpd=#d-db=;s_USakVx0T}da};|eUM0r-lsQ#|n$+}PQ-fjhn;_feid zI_qedQbn*1EU>BI*vj0wqtvlVXhHyKjHQb3#hxwYjsQp_$S=6zT8c<3YZh*Tz8>>v z-X{y56ZUTA<8GB-o2*!$WW1{^UK5x*Z_y1jX8c$QB4qvBP2={k(9}yDZs`b>uRC`w z)gY~Ixzc;eWpZb=+F2vsCS>t5A*~%)veKX=5mZjqwS*<=fa;Q1`4DVR$*F;@5)%?w z0Lmy4w3(FL;3eqqk$ zliTRebUycvzT^VN7ug~LCh!Z|C3Z|%b#^4Qumrr3*M8!bj!<4Qf46aPbJ?yHUYf0| z!SQ{1TkYl6n;sdgX~$vqgd$XMe|l7u6;rFtr$^JD`D``qXJW4YM7|&S2oqTf)Cj~= zPzq$ij(!b0q7GL?A&^OFr6rSi+umq!S%J=gIe-;LQeh=5L8Zh5cvFWk z%hf0~!QvGI6*qSn=ni5HCVp69C&tGdG&su)!CI1<2KrL&z}>)IfItSES8PHf&%C+N z*n|Vd27tk-)QW-|3!%8@O`UWwGe-&R6~{4NvDl+k;N`JZfg+ z^G6T4<_%Mg6=y?AIm*H^G#nPnbiJAN+BFlBYZ-h}E}=ueh7NryJ4=ZL^~NT(=K|Yi zMq|4TJE;^G*fxV@%R%dtiR-P*wwdSXzPxSbId@;*HuHJ7KecZb+i+suW&CX$XL0Rp z#|@i(OdrZCo@*XJh7@xYxMoYWG_Vw= 
zTT-r0WC(bcX34HuLWDkF0irJbuIjkL*;b*r!MpAxN?H`Mt~ROfKlmm*LAhJTtPC&P zi2!K{>UbhUA^k3lh0vp9TNymSxw3us-37<@9#;Uf6NbSJFFJqkVGnRFQV@J9i$3D_ zs0gag~nCDh`^Y;35uOy1Y6(>bO=|srhIT*5%9Bc9UvZ6&oM8M0GvY^B$kycT6 z=e$o^1fP+HfJ|Uoj`+GqNn%*$cu+9eF-w@y`wPHNQ>qQNP6vP_lh8;&v>Pfg{n7%a znNaa~1M-1@DJTt+P)#1Zrm&EO1o1!=Xb2OAC~${!4pN_ka@W<4A>x%NMdEg-GW)04t7m*9;b3BpqK(2 zfvbUM3ig|^PF2v8q)10h zmJqk4#tkLkNQwH`+}?u{F-3g)&RZ>o28!&N3S+}FqHK}B7DOd~oH?#{@_IPTymW8B zixG{+R#*ac4D zkq$$w!#HDL-3;uK@bUe)$^cIDAj+90jH$prbQjlqMSgzry4fu^ZqNTd9rcfIhHfGx zYp`U-x9wj{+cO1G@8SS^)oUdcwX&pJ>4jl z)8%%zns!x7!S^?sjXIjuKV=wqwL4*P{YJUi{QN+_-5I}IhF>g#Xz9+*P`lfxH(JH! zdBCq12mN-w+Izd1es@rH&qsCdGj+;gaxPF5k;8c+g;2hwCMd;lAm#viK}CeNzB!S( zzd!3;4?CBI(@e9W|JHghu|h?q*t@I7iWL^mP+D*@82l#2l^6F`fQLy(5luNreTIG9 ze6hkPQ?+UVtT4(UQc24V!@|zYLqc)ua6mK$uucRhcUOtDj~14SV}=X&)=-fw`eSj8 zm)D0&{O=bG9Ro&0yTs|&C6Q}j)wiGCf2-o1(Ra_C%4OyF`Y?N1E@*m@J8`33tz91A zD8boV32;m>=z|^NsVnK_pL(%_>jHqA0Q=z>h{FtM_jMXClOk(oUj79_E$zP`@ins) zBT^cFq%y=z|M?TCxWsmnhI*#7L};|D+AntZ`1GLAJ88?uO#N`HROqcZQcEid(PS&C7ts$A_R{1CRE{s$FnbumWj3yFWAA9WJaP44(Q3?U9M*u9%K$Wt< z=?(YU!1+O>qL}`rTq#4#2;MA=VZ=ep1Mej<9Fq@sM`2|;{+;$+sr^JHMmVqHJ=JdgQRzuwZc-Vg*9{PyoQip|Ebk#vL zVhDH(p)q{nRn%~{vMV>ZM<|W=$%Ex9B1I??C3k+p*Ax*Ct%yjv)Nc1-?u(u8mP4LD z9hVmJ51Ls2eI&spP(trkTU!xIkv?^Aiu`EEj<(5;tu&tZE?-LVW{1RYx0Ep9Xr&nL zxB^m6OCgJ!ir`6r4};qwVrpd3(nCtD#!97GyS2<=puz|iJ2lkPYG(r`#&RH{?oY3& z)rOB_G~4x5uiEbeo#_2(js6dQvFBsK&1$W`1p5sf#IkLfO670M+G;KgwVn~s^YFHO zv0cA=B>OU3J~`SgUfIpoV?)Ji%dtm5fm=Ip^BmkB&>rPt=p$3sf;vESL5_1OjnaH- zU~xu3!3|Tzs3t(Y;Bk32LYX#bNkHgHtAmOO-|h`EjYc&K59EnG74`>P?F0FJ;maQ| z`*O2AsH7Sd7#XgGZ}!)IzaE#F`=)-7c`jQ@!437^=(q@P=5n*OnXdNq@ldul$VtIG z0H$swYJ5 zhF{05Wn7P8@gS)PGvG$Cf2QC=AzMiYn2;4p0a$1|C9<@z&S>8rXqhxzE(qC6?b|6q3ld=i zt288-y~dcG^zEGe^wMyV8Y@8i2=CKLSK)z?WO??ca&^*dl{UB2#oao+EUtL@njm15 z+5wlL4a4F`mikN9p9e-Ng@m#CgrgE*On@-~#)!a3fd&gK3*`lj*AcQAn@^?N^s_1P z&4*Lg=IzeQU%KAFs4z{#DrGDtJZk^*9V-BgSj>XLog|boLB<3b<3L8G4F{#@sibeh z$sw+vODpM$NIthT)tFX53NMwF@yaDx{{C2JQqW$e18w 
zf{bC15ll*8sRU0Y{r~J;X;UK0w*4y|?|peM;#Nh@!$$;BCS?#6<3*+2Of?~e4R&%mqWct7l2qYuBR#W4kgG<81!q zDMo3|*D}q*jtE*@w76(-G1}S-QVb!1J%RBiIxt>z58kg23yGIOHF5Iy(9yKOqSw_3=oso;B`j9&ml+6*8 zZRB(O&V|LY{)dsIjQQwUS>OCKeDgMgmd%2WpBA!U_#wc_iFcN}9UT>mxk;{HJU@JC zqqEGxKD*FS03Xy{77!(BeMgAj`DEzwl2iJ!Ge(DWwe?5a0H99Rn;h(KZ zfkf%a)|I>@@n6n2(l-R6KhG)Mk3OYS_lk@0>G}1EYF_6$wZWu=&v$%E3x!>ywu1>( zR4}nLrGY#cBBT`sx&t8YpPk)gP6M90Lc#ZI$&of1e5;dMtW0W%_^=Ua)ZRNjf99;N zCw~oFU|5aTuX>{~f(d0V9VIKjZpQF6=E6lL{VBZj>v_T-6mGzVz`6c{ zUet%J(Z8Smr}sPpQ?5V!?|0AoNL|_bwARFbA(ks?lGmQodKi6LCx?#%l@sM2Yx3*} z-*?a6(U;VAzg4vpoW0frY0VjDa=Fw!_LPMeQc zrQG55!EN^BW|U5KvawF%E#xK%OjA>31o$#$%f4B{6qkf@1aA>W10=IIsLYI+i!j9h zj4&ij6%mgpJm52*$w?_7_CP*i`ShBxS(JFG4=UGPhZWDV3DL!e&DkiKC#4Gs>JZjA zm|Wz`=W5t$Ozyt9I1v%Rh`s_3KRh|PW-61ok|>ibWX8tlGI1ZbyPO+&euhlt1xX_8 zCIFuXUPhYPARuC#ug+o$$01H&_=JG)A7L!QH&2+t=TZSJ#TxGAc%jrBGy0a`KoMig z9GnU-lIUCN)V$WNNf_Ka?Mis00+_u3QjNm5IRrjC3_v58L&#y?JkDAgDd#VrrAJZSow!We;=mzmI)viaMc^?@wVmpkj@Y@icx zre1&%q!|UT7uvl*54C=A=HTA_cAv;N9RiMGvxoPObBB0TYb2D!GPJ;O$mo8O50i)i zH_F6X#^tQfg`C)X6ign!@XUg_?fPRHOug4Pxsd*?JtIOM;1@!d*fC|t$r0Az_@zQ# z8`x4bIyo9n-q;h)p1zh*Lz2!bKP;=0{U%3Bx{_gvjooOa{K-+BH&weGOpca6^P3#` zPOup_^8d*1%r68@L`i9>k)=k{7d9J!gh4URO)2Kt`s2s#fU^RkPmay5M+yEa)Dyr| zkq{(cX7)-FA=m7X)}NsvgZl*x*$pa0mM_n!ka6_z zv^^6=EIJpe$ZS8Cy*Pavu(WQx-!+RDcc(kfh0Kx|g~<;yRbh^om%aCC#Y`)Xgk3MQ zWa#(nGpN%TX$aiNV%WLCf|-(t0yr)Pi5o1KQ3UY@_=JV_c4ooMvv*%!F!OwNUtciu z8Qed$VisF>VqRbT+m_7YTGNgjLUx@CF(i?pvYuRsN9RJFbc5f$rY5EL%FWr~`LI-e z?#5fW``fvYz^+kgF;e+v6D?or*zV+oz^+XtQz^VR|64BfH*%risLq*&byO&#z|y18 zgK6N2Ab2v7EX<03Eq>uYktc-inh?#S$L)wgYzg7wtRWEmk29H5l3FB|FK>3}vL5?j^dJGOF*o3{Kc) zBJP?9krS{;MEGV$Bm8ni!U%|JU^UoC?qH!k&PKpzxIz#q5XnC%`-<4r+|-W5g8GL?Fxb-D$Hg=_-B-Syiyb)EVYmj6pBUtGYodjIK)>-C=G5Z z0#BeWr4)jFfFGiby!ryxQUkSGaV0sGgs>=ylb{Yl{H)XZ)mOaa3wT&%P*!4b3ujw#%2#`>tjMv^Lwu;QFxjm_4~&APX~ zsRfTD%mpS83Xi`g9rHr?&=g-Oj`F%^P|<9=-PT3wj!l zcig83AC%ggR0mfKSie#>(_tO@^fe8GF#s4?u3?QEh9)5^>>DIHJa+)>P@==Te_u^> 
z_&vX`COZ5^_|N1yV(U%ZPb=QR+)|n&rkN1;OpO~#c0s^R1{H5I^iO#UyQI__jHvi_ zuHK!CtUhivx`j+Nb=3a0oiJb2b-~DmFba%AAw$wQ_(V+e`e6A0G6nO21p{~(%fWQ-&J(nKRE~_FCSWyX-T;MSE{bJ^*G_K}fJC}WN zoV%_a-{0Le=ZR4I8E0At&pLN^);#Q22dUeHKHW8@#4y9N=dx|NiQeGWnToeKt=H$? zVC2lD?7l}lCb$nIk_XCbI^kUL+PA2*B zYqNTOiQ2Z!`h4j=aiPGi@Zkc0pUVr#|~ zupX^u?0U+Cl&g>w8ky>e8|vq6TX6zG2ek~#DO(=&*YF^#I1$K_HtU^LoLIi!Do$9% zi62LfFs1^T>L8wZqJ!w{DD&(H)*|_5ny5a=%kJHXjmVy}Bc)yXVcJ~HpU&91<#x$U zni<&?k)=k{msOkycypt^S;dLj4OVet_O4Z&*bBu8B7IL;5^Rp=!QgqSZzb1|CcSQp z^kwgb*862N7DMMQrwY4Hg#-r+fdS{(q=WW(#mwwzHg#UYjuTiq^w-cKt2wcmpSPM5 zR&&C$u{~HcvzilMVnd1uAjtDIQRm1|Dmob&(S!R|X?)bUJFMKMC(niM$>qy_lOaJ} zM9mn3sd6d(<+uKHVu&cMFh_Gmi7XTP+nJD6oUn=$R&l~B-Deditm4F!75OSoU@akF zkyLpummNl@MQ06p((TK`o59(&Bl0i3PT^7SIxPy@Oe9>T5S3uC5HN{dmYl%UBwQ6% zcFoLEqv^|PPFT%}0LN)HCq7^MsX0M}ujT|iYM^5apO|y&>F92~nJ6dUZ&0E2q@4O? z@pX73=Y#v*bn79frS>M>fiWe34~pA8!q%xzUsiX*>P}eQiP;@icjB`>t2+TSLnwdU z35fBvS^w}<;yQ{>iu#?0$LmD7)H}^z)(%?EYr2xk?Y8a&1}@=(Wx!a1yMQ^avplO!#^WB;r;z_ z2~PN-1^6pp!3iZKfT@~o4OsvS933q#&Kz_&8KobOu8FL^U121L7dws?N--CloMK9o zk9~3rXaP~OYxMjW)(nB0#@j;+&0LJZbDPa2KndpJ*&wu#5ZqCzLn{-!US}?9nmQ`g zZl~XF$&d~^`FSwtp484tMS4#-IZa%lYPr}NC$|6wpWpbO&wqW|Po;ZR9j2bjoW9mG z%o!l*R10&RoU`+~30VH?^PT_uS5Ujx4^N3<&N+OzM7O;Cdh~vrc}Fp{`+QPMVf9|j z7bm$|m5GvS$#e|u9^I!3=~kK`YtSYTkgg34RLi@zzG z!6OM3lE1;h$2jiXR*i^ z76kaSv0z03{}q?$Z_OkYW1a;JBD?vrf0U-@wV4%giwoqyz=R zjQ!Vc|2%SXtWC0&Smc~uv&d{02B4!&HCq|Q^F7u5?)!>LZ^jJ3!QO5r#X!w8RFi^xrV%Y zxt32SMD8G;Yu-QKwcj#N?}=U4iU>i@cvG-j1x`!^Cz{)6{r5EsoEA7gKD{;0sWdk` z-@Vta)=*=vH0oJ|PgJj#zs}dv?Z*O1R(BmZ33s(36hOcnO2CUXd-p2M$tYtYykxHh zP79nCIAZ}$BZ|w3MBWQTYsixot2ft)!zaaLncX(ea$}L;-Tg++eadrcOo&oQTIif! 
zv(Raw^W)Rof=;d^l0q==6{0l`?I&>Vw0l{rrR33LLnqJc)rU%dzmapF(wq=GV2U{7 zcFWZCnuSgaogbgx9_wU?31BQURGG)lH4Xta3Wy6W@@#xuXkDbx63K1JZaae=PCkZzE!7(?t()kG0ErNgV7Ft~X1)KinnA=+c!u7oO zX1DL0_r^vZj3^?!1D{NE?_EFWUMFZ_m>#fEc2qCsXuW#A^WK}dOoP`}go7c^9Ktqo zMt+CvVhDS{%n8B7?u(mV`#W9tHiMqcf|ef^@+e6;!4i36W-dBrmNT^Zl+9P(&dGWI zx=_0)_fKB;8Z%>Fq1+;75-tJKxwP@l^qK`t3!0mPCdSBDIR|UPq!PqCPgIDGnx~JA zhc@I#qw-ZXRk=#;IBF`2T`7&$ETR}MZ6zj@xDZBZg%~oRNwy;?&af*0vLyn8 zGW8L;N8LF}T}mj@M(qm|L{`#7(j38nxGxMg-^TguxZFtgMAOXjJJkACLRwLHK)QQoG~S#e_TkqToPV040ytf zHj6@1M`%#Gm=R(q5t2mV<&qf!OKM8i!_3e|Z#+ta%;*LR!9RpM*VD21xE-dTf({{$ z5nV{*5F&=UL@gKxt?(4&+a2(UW@GfWA|i3D81@V5@_ z;BHWUe+f4P)BxPO_wm8g=#+nO_4ZO8(TOUylBv@8W&Enk!@Z{bT)K)YKr5+$76eFT zwq%=!RU26T%x}i;&*taXg?*UVZ^kbWf}o9tp1QV-|3@?aKmxGg?H=*KT3EK}{eMW5 zoKpW}2?bAuxQ|R)F*x8Zm>o#iSM%D>RyPD)4M>>UtASk^dSL zY3mka!Q5*3GqGk~mD4mVa#wQ{PJQ@^X6 zsywGe7DNFKuBD>VUr#MWC;erHYbSE>w8!ghdQqb3&gI~nlYTDEKGw*bMS>-+=LYsc z=&Phbs@3JBfBu?S1y%S%L6qj6cI}q*|3cDl6;+?BBY|g-qDm1COxlGx!q_ym^u^AL z=-A0e2RBo6BQErHwnh>+<(hk5-fl$|46Am)Kw}N0PBYI@%{M`nfC*O$3v&Qa&5dg% zy=1ANDu4kP?-qzO(Lza|yxm1X6?mBd77|*#QuB7<;(%w*t|k-I8{gIIdEWRvXt|c4 zTBvmE)rav{tEmfL`{`0DTT(U$KmjRD{YlkjbYOVAY~Buz()|-I69?zz-ClmocDI{U z8TkaP2u2tv6*xg?w#^t}U}F#yM3{cXeDkt7;ILH~S_B5n9E649j4<@#ius7CORjk% zRv5f4z?aZoW2&r0b8?nHEni+f?jm_fn->)?5={FgTBx-~m-W=xJuaM`U&{LQ$3Vpo zCswOnO&kesA|*(223!Zc_8A_89HX`|b9mpRYLM_Vyv)%Y_6uelwhhK)UP(lpVDMgq zl(6lL2 zBIakhxTrQ;av|eec}Ijy;OaXz>>00)Dcc}SvET!dk}HDYdH7emE=8wMqSP6vRL*tX z)Nxv<1JteOx4x<0atcLZF=(t6=isReyeWgKxph{rEHbFTJ@!GMf-iY10fS%4CWK|K zSoUPu)7uL>R3Kr14%Ro>#44 zASQaD%^gEyQ`8~GchSn!1JO*+jE^{&QEo!WrZ1}u4^2@AehvHz6QhUSOlATO3m|KKoTE(HcN7ixBvPaStm!4?4n)S45MSX*f&NEvQVy(aaC=N>7kTn5wo-92J_hD2yg`WNOqMgf zz24nJjgdyCa?=cguI?SaJFrS33K%-;Zm!|KzB$+w0ak(On7QApf6YzANNYhu(=?X* z|LeQ|zN33nCye0+IuLGsmd@Qj;)z6vFsiiia&b@oh=>O%9~*6ysf@Pp|fA&>U%RLt{o&PH;)-8B^7dRWZR@LVXF0uA7mqRukTsD6ybElQU@{d z>LF60h~gp=g?RO0k>J`m#Z1g+=l|oxA_0$(L`n~T^|6uZm(@jlL&7hBAGA@02zJDO|u>N2z1z7A*TOIRMg*{1g 
zd=e|p2{^Tgh4Y-am)i0t344JFfOv)_;-=>AH<3*OBTYu6;7<>kAC%AECRe#K_yaj z4(-;CGsPrgFHhv$nmAJ|v5Dn#w|<<-|JnYjFjHKkd7UhiVGJM*+;p?a`fX7r|9M+G z$`luVYzJE+^KXANC{XY$aF9^qMyE?BkGIEJ?H(2{YTaQM<=nwub^5*OQruA{SGzUW zr(|gyQ6|^}6j2=7+Qo7u%az_&BRZp75UuF~v5TxMwTghxthnrkHj@+&eXHDA|I_8bp0e%0dTlSf`pw;a`fh zv4YB!K%L8Jo=y(y=a<*bPOo~Oy4~)|8dymn=@_1)G^(QXC^v7VHGoVhVH$)}gjH}Y zQYDnD#ZuC=w6+FD+A)R4V1ESNbhCUNq4}I~)Uw zAY=0ppG6a_g##WKSX{}#!UV^vH^ma<0A7Lp0(a1eBFJ-q*;CwDfky~-%vACNoReZ9 zTn*M#O5wE}{@4=V#{bX9OFw3 zOs>I%^h;h)Y&_J4{ntmr6$O&QOnq8Th(~w&t66z8^X(`tOz%|ye+~1ly!W{s&$??1 z^YRm1zTkChUW+R>E_OthRBAWEo*9sT5Uw2^(JIa1O$G7nHQ$|{@7}cQ(xusW5$(Y| z;aDq=Ap{J_RFT8LumRgYZu4>jDqzjNRPB+%4h?-)TJb{@ryewbl+m zLet&3?e3V1AA1jNw>EITn&QMT(74!85OxR|$c2b0?kIUs&B9J}=tx{2Hy+!UXXoUs zS*`9>soTgW)`1Q@_x>kBhv|ytU;;kA(pm~K=UNE@TnLyXKnnt&eOVir2++}JGf!BfC5}(R2IvmF~{}K6L8;7k~#Hw=wtx zGzj|c&)(v&bkO|U?em0=&F5_O#mC6m$Xin*5%y)-3KSoRa;elz}?a6j~igH8S?a6j~3Wpop?P)$Yz;=6D?{2o+ z(>hoGkN5v;P<}Q4_PhG02!qMv{(T7^qci@?!Cvv|_V~>0C%T>f^U3h}$tB;K@xSzX zGN*N6nVKx5;H(N)Hh814obu0K6LYgCZc^2ew4DF-z2C|CZL=qzt0Q4&psMPr1hLp2 z8w?IO3<2%2d(pu&Q*WQ&KHrQBw}-NMzjrW6@20-2#OB&DSLz6=%#mqR5?3y^d%|GF zrSWf=z)Mp3BM2s8{hl~DLsY^bOuK+c{hlxr%2d=8VQC}uDEBA(u4L1b;^frTpPx5FH*GHJzvZk-Wqyw)+e# zv3bA>+s&k7-ySj7n*CEY>JECnG{TxP@zC)l)I>X9BK6X!dIQ zzH-_uJSUUtyr@O_QYD{9Z7&j_qcc^bjmDtj%HH^f=Or)9^Ct>PLEH&$`AimO#zzpLWvsTaSHi^Yhfng$$X8%6gD zj!i~bCD@dVWIVDO3%r9cqQh#b+*PO9 z?)j+MRJo@oPV;xqt*689iKg%0_;G0Oef3=@nB1GxdlmZF!bf5^nK;Q7{_<|7x#O?z zpZvWr&_AsOr;k!!Ed$Sd<)(ms`V0tvh6=If44MlWF>{ zx8+<)@j`e_jEmU?mw-A`G7f<)_?~^$(KO z`b9Ivvy^sjcfIIRZ|d`O_iFFt5Q$M+J}I!h$6JX{mhG9BRe-GmY!zUu09ysvD!?1u z&MLsm?)M`VV8w&;#xT|tQQ*FQZb4>+>O=K|Ta;`MuTQJJ7HQXV({!Tzy}bfJEt54S zvB?fuR;uHVE5J${D+l;$eFEzf?5s%QU0dvPx^_PU0 zN~_T%;Fs#|z-hv&ndnM|me4d=%-_kQRPw35f4Wz+c=|D_byV8Z-h*c)evM2!`<gF^36|;F8VO zM=>%je5lb&#c8z}W_+?rD-_id9Lg|8#-8i##P~V8r#qdCtej2{9?tH)`#+y8r|#=* zop@^YvgKC0S1TQy{T>AQ>5R;(v{t2!a6_xoT9q~&ZmddcRa&dkep8iprh&miT~vTY z5tO`j*}t=p`Z20?q}qMgb4KWEl-ilE{Pe~> 
zL=x02{`+3_DP9pIlbP5Tp6;nJ{l20K=NCNmL0OY8W!3RV)g*Zwa z&9xR<6O9G)I=~;qh&UKl2ka*fte<#J^u8CF(wbu?LVeHgjd9kY^t(EE1)0~v+F21> zf={0Fz!s_)acW{-{^k8MN71q6`6%n2JrO<3pB;~qtdt)&A4Xs0bFHapasATnn8Sm> zM9nK&rXUqJ$I{`MAdS=($GHLhFhGh9tMysAEyC|;pOP&?*5pLk`E2<1&24a!tiWxby|1N(+_*Yw42G@{}}JF*r^n2BUb zu+Vaemb+ zJpuLo8$UGS_x0C1dVJ`gU8P3HC*#Lzv3EM{b}qkbNvgfeudhip^PQi6*a-!yz?zw? z8y+A6Uq*+d=le;W$@WpQa6OtH6V^+f4$|9B_yk~q0D7;1?s;553ofU7s8i}3cJ4C6UivXtq({@v z@m9i<<$LC3MPMreTM^ibz*YpdBJc*cvm)@a`~64}Skqt;STYXFDj@0XD!NZlI%wXO zYfVziJ)Y71T;*i+cy{rveF6Y2lW)v1tX74#`J@y41O;m{v`v|H3EtlOoi2fufPJox z1g(Jwop5l2ZLCa{I2Ckc;d+GtTQ-}K^=>|~j~>YAw2+r~s=w_LFpw(52{$RtFa@*e zyylz}kbFil%n+mK^AzB9>QNC>qfzkCh+1Ed53gwY`DAZ;`Eb+hosKg%BMYY=qq6m= z{Ewb1H2?M+W`K(XG&ZP)U3~>QrYn=9U0l2>6t4~o1NWquDY7l6V*>mpP6ehg0pKKl zeDj+`E5J8X*r+dZo7=|1@G*EVGAvDZ#K+ys8U1Ga#5m%l?1lOSXrt+NX3?vqTvlnz@4~ zT0+;4zi}-p2DT0pss*69)}HDYE7YPgf6uh?wnXuVkuL;+k0ksUi%~J}4vD!K)$$`M zJ4=dDDdbVees3|Vpp|T1pIMB`({_CU|dml)xzInt3MFm9#o4Qq&3fLjGDEjqxOtv0FNJu!K z8_o`=YS$@+Wk}W>bBwuWBc0|Vo<2QihnDT*GqHEuU$ve6&28P=>fdg*=e+P7#K;BE zRsxEPdB=t$TGWfm8U~;Ts?c*uj%fYyQ*OsJM|)1BJpS?8>{baU*N z*-$Is(oRJm$<|Y`T$Zj@tJL0>L@E3R(PdS+A{!T4E!%h1d@PqjZK4-lfBnbdCqL!R zPr0)!n4fazr`+jqlb>?ur`-7|_kx~sb3djTl^+lUXX1~!``Jao?)BB~dwc(+@wB{q zSl^O6e5bOx(4s)wz<%_nwTk{PQ55|7V{X79cS7Z&AQuHg_c=f2PJeeMa7`Y$6oQ!u zxEju-*4UJB*gC;rfs4w?({BC!y}nm@zSw*^y?-zE#e5%f3+CWTp++3G3EWF4==9l& zN-FFjLM_hJbd6ueMshj#0fPjvOc-JwE*4;;fQlrkE2qz=zjivO&+WU%uMqoB zou$YB@o%qu;>pdafKZmQ{NjghmQ{9?svPb=UX^#Rd*|B?<@=4Rd;Rz@?*vfDKpW42 z3=R$_rahIndf5rZ zYj3XY+qbPNu~oY}eVI$d$_XI7@~Chg70#o=c~m%$3g=PbDVEEl!sFKaFGht0AJd(R zGf-ld&_bo`vWtR7r%|}y+cgiRYPrO#t;WgoQ*p6H0bt7;_)&$Y4Ls$^v!efaSXgtI zfsvtP;9M2ts$k^Zd005^-I>rex%z2LgDP@k5DPj!Ew`*;r(ai0j_Zw}O2BN(%(l-gYv5qb*Z!KLMJ=cY+t$-8W9aM(ZxdacTW0L zahfP;wRUNZs!nQ`bzgog9G@sv;Sb04*VXDx4yj*Pl{c!2g$+LD_*`;L`Ixb&F~Kx} z@rl>-*~3L}I2jN!rzCNA&Ax)MpM9z_X8upzsLBNlLd1D58H3ERG1M%*Qx)}y1ppeK zM$LW@1-^3h7o=0w_zIR^$(^b^&l^>NSS9XcdVOQ3Dxch`N;nF)B#cZcPtd~Cmv(nv 
zPgL`1=V6&|wJW8Ka&@*XJii0vlma)>f=2iO$-Z2{XP+u#Xqr8fwKEN#iY#1nY70HjmuLI4!u~txV8`D2cu3orAa|#F zw8Gu{&eqP$=22alnrqq8+#{Os0Wl28=?F~P;ijJ4Q<0?snUaF^VyHfQ=7JFZOu=ff zE1coptC-fsaEJ!%jtOr-q;;r6{bvp!6ExV_q=l7oM9YL|PFTSNJrV1r4yUPnAest< zgCLaBX~nHo;_pMWnF#smc-Yu784Qmb`!a$eiG zJz6fkte>6k%{`(y9Wchc2T`NOK~at-C|?3XoswXf{k{m7Vl42)2DFlrEA#brzVM71 zZO|z(u2g~PkElNb0js6rIiAe`&o~{JSQ?JxrQ=}fp?ro9JTt&E#xg43`Oen$D23M|2<6=}>hpyko3xOXS-5PFU7jhSHw zRCgkFK-qD@c>GkFjR{h)G5$o>UQq6v%aP;1ha5@!WAM9?oiQPB zB;_Rnt`aBVS!!4ee;QjrzL_01R&P!!uif_5(s{YH@_KEK_V{^kwy<$W4|k@pp}B-0 zkzRWSTBcbfEs;8law-JXoGY)BgD<>A|NXn9Z(&#g4_4c*xsj|U$FR#)-U<=>whjDTdnT@20xuenB_`lm0Xx;`k^|Q zk-#gS4AsQNQijb5)JEl2b$j>iyT?n7=oV(bo{ zOsLSX&akm>Ww-V6&eraOx%F4wtH$+XuM2Z6 zbXqU1&ad`er-`lq)P`{ z;d-r7SzYp%jjfLD%+$2L(spow!q`|8!ww zi={2cX87@0^{p6(bZ|IEX&!Q!A*7o?*tAyE{y}N2z0-SKyKY~+R9Cu3uZxa!czlED zL)?RKsANL(=aJ4@NA0v+4sSJKJ_!?aQY3Z%;3-aaYQLZZUu^ai>iG>B7hsn+)it`}j`)ofl&8{lAVkLO@r| z4s>UwQu%PL_j*=7y*RusUN-t?H8=M_N5$Zj28KYHP3S1zSua@I4t5Iyc8Pms1|Khs?y|}7ZpzR90N^R=jAf*b#k&c*v3J@Je)ro!67{!Eh$?Y%Z0q$r4&eAK?bF|CR?yp5VuDqkeEFKGY zJK5pxa_{VjA3QzpTwTCC4&GOb6@I_yaEIN&rBPN&Z+xf-a~|Q2ded2|cS|de%JDA8 zyT2Citn}Ust-j(tA-Jn$hr43!=Iz$E%Ui{>o&AfmPW8$Z)V#wTcY!us7|2zjwfF*x zPc_Q|LxUM8DawgyPhy=es@2%@31tX$soD?PIVSHa@g1Mj4{3giw5d9lub)=xONZ^N z9a}p-yKXlRJ0eHA1wp!`O)&L`3(;RrhH+DUdR7Q0Wg@~kPjdwnk3E>!&5m&A>#OIc zcT=j$ZFPItdpxObzdp=4!ZB+CMeWHQwVC63G+rkItrh&92eH#OIgflwMkfM8O%99{ zMjGa245Q=J4*|c^#uzK8@_B^OF{(Y%+Na^%W21a`*St7s)XP^#>l?RAjsAfQR)Kc=H%HPE0K#siPo>S?c8=hIi17vC)rN{Ss|8Z{Q-kp-RSfM}|xRSb`KBF{MrmuVmWyd1!=#+{MQO?Nr7 zzF)I_oU`3)pN3!z*;QoX+vJw;VWw6Hs1EA*HkFxvV2G!T(Ltl;sW4==05@AOpMxP) zW0)p{B8SBHv7y7g>`b$1OXsfesQdijyd*0-FGY9TTzIAlEv*LD;SJt6Ez>LwUU6cY z8kIX?JvE6Bi}sM3hQ%q%Xa;4t;_Nfk&v7~wPCX{cN#+8R%n9EOkt7VKraxkEONTQ9 zf&R)#Z^_{}2Va<~f#EPDrGqgV$xiL_hu0HMQVkGwhI7^c0^ZV==e}KNJG~Bsqdg zt|YuwhKDik=21rnJ*bwVW2OvWmJeF_5US$#Q7_Wr)f8?RBZ}!H-Q5gV_xs`D8VRhK zmBZ^3hT4B7I!V)wdq&H*?DvQ|{J`EM5*?DSp8Cj4iNDYHqGN?GTSsuw4Q{@54 
z8bcbw3((CB3Ud4%oE+#1AJ(d=&#Z%e`3Mqg2eRw19H|b_-YlDNjJ?8DSXxO6kbH-S zmSOzzhsol0;{xbj`Qa6rp%ZY1uL~`KfByB6)qIe04tI<@$ZRYt-=82~v;SHWFa3?B z=F-OL&C7cCsQW(e2l`O+1d5(U!$P8mrdE6$=)(rRqQn-7)m&X$xXioj57fq>f8 z;aNcs<5JCN@E88nLB+D1m*>3v;{`0EUYkIC21K)9K@lvogTZ{xQkz52^Gq(95ktmS zGY0HKL>z)NLRsodFX38s`oMI!KoFyWC@?gSmPO}&J5X3FDF7@Tai!D+WxxmhzJT>$ zenQF!T@?ye4MzqhB%MuPZ_rdgQFH2nUov9K>!UCt%v`|HNsBu#ro4eVprPm-lnx$P zXl>nhXp8RMV%g2V~Zk zpx03pSDVOk+E8D8I%=@sQCUtX@W3F7BzA}JimS+aSc_WS5jmpvR~gphl+{XZjHYM! z;iGL>i>2|ta4Vol5H(rs0e1(EMp#SCFtVJM+8d}6jq&8>_Hoew9 zi&|tfMUo)T(2`8c5kr9@z+w=A8BSNC^_tY|Re+h}t7@IDUWY%9iz7B9jKT`ggFJ(n z`SH98s1YShYzvS21l{?HNA;c8latrp{#E_%-4wR3%xt^!Eq+=>QpINmUQNe@5`LBf z?@T~vhiVi)tDvCvnQ%TWPxhqWy%Davv9@>IxL$fcW)JJaaiN~gBa?v+`8qbyLg=sJ% zg{(avUe1GO8_+ZVyD>qAEeW}5xT7(Ph9*9TmvaG_E;yorRDhhxaMnagCs5MF1FaTv zcri*wq^Pst*h4OZ@j19+i7!hBQ{OckY=Z4d50}7by5%^mllqK8pJAskGwtO~z8)T}w^R`6NzRFA zr~(22ztP+PqqSn`v3f!;JO_vU%716vMApM~;m1c<)kVrmk@bThuUlyv3y6>(tz}4>`^ysDwyeE;V@#e+8Ii9A)OD;%i#&nqhz%3MUFe zrnJ@4a@VW?PT&39sSYdGySP#*0HDK^}1d%8|j@jag0-OQhAP9MZF&UkyH% zJM4UFsWj|{74)MgTml5cL8OO?1?&`_41^a7jfbWc(+g^pT1$DzM^2Flo*@lRLOU6V zWg2<}2=K#Kr>RkuC#KFNe*Xv7(-dTPTG2^>_a>4XHaJNE#UgJFf0w=-ge|1z|Fd^x zUCATS_7|B|^YG{d&f|oPCCU zET;EpGnh+7rI{fYSy;^d&30Z<)JN|XleH0_aD#b8+Cv_rOFK-Lp+06DlEb8(K$bE2i>x&;Kd7z0-)TFDV@pqC;O zruDzOnl+lI zjUS5Y5h+C$kHI<44q?!GMv#4@cS6rk@_bRy*Uj=Mh|Skb#)A7*b?J zG!p=bVmmr+L}rmA%LD`#(ZOIS*tZ-%P3h!%%#x=<&yO(^P|U^8r};LPwp5$I*H5#K*N11gSQl&UU)1A%%@-g{2kEU|pf1odRZ0 zcAQ8i56Hm-UNquq*!^VOi0TeJyJ5dD2we!siII|NkiezE1sTWmc0oA6iI!!z3PSjg zAdq$#Q3>=4Cc~p%V59^+J@N}|zzq@_7)xf{AY?`t43cUS379-YNDv+gKm(Mzp%YDc z+IV`w2Q)#{#Yb?T4J?GKTEeoSzHs2g!$a!kL>@;~WrIzQ03p|eBA_NP^(qxdmrh!ru5 z!U&CjeWlgE(%p2*$0;{@p|O>#Qpt*ZZ^61Q0Pam12so1JJN>bh!07a z2Gp-7L2}}gJN@ya81CfMEpZ0PbPKS0&70F*prL*R0Z}a@>eEXbl?dP5jp=zIbMvO<0H#5{!XCpMX zFoYHb)3Zt!N*rrcOOYF+jY^+t<(-zAJQ{SbYBxlNFuYFGJP6t{h)Ue4tj0x)S3F6AEdbYwBC&kE(B zCXxg_ACZF;yMvtBF~f;}S|cHd0Mo`I4(GvxN1~qLbU(1?Vz`wUA%00@GD}CYfW7&G 
zy}oyziBltY(k#}SbKr9*kS7;775M7mz*lPe-OAeeGh3^xmz}Fx^Z2g$JO{wXP<6nW zVC;)X{uBEa5phBye~i%2%?$XEQ6eOW37P4aYwyQBgC1C-sSMv7?(|Yb0_ja=Dkv1N zH$SkKc;%TeHEJKtV7WO5J(PzdfuBlo&%#0PVCku{{P-wK_gkuUBpSU_cKDQg(95WZ zMf(7u9>R63FFZ75-59jKd5M97D1$--E)Djebxc$o!93ynhp+zQ?n%Ufq$+UlKZ1J! z`9TTw2nQ7eR6h=;$xwY@X;WE8R$VFR69+Wo7<2=9DV@Ry(7}k~0yG=RVMGE^C=Kn= zplT?`w6dHziH<>;SP_v+4IwU#qeolM@=YhE$Y0IKiWeBib=^iq!t4vHH^PQ zMCG}ZXw5Lfc%5A}lkpHSC0Sd9v7r#cvlZ(yUNes%@oS=|f@(K~S(N(Vk zg!D3=BOPFm{tl#Y;mYtJ36b${8x;l0N~9O*ZzA0|S(DIT84%P+35=(L#MQquKuYx4 z&Sc{dXUOZMdPz6oUXp+6uvL9{xAL&Kw_Ms&exb40`;M2C97;DsFG&~~q1O%UkKjQL zB?5fJ3_TiTr3sctkIUoU@(VHEM-sxFH&Qe}Y{bb^gZPq0+`*=3fcS|1Jo+f;YaWr= zArDD`-ICeJk^ose>#Q_a4;qV&W^3i4^>+7hDyoHtls^v%x}oR@LB*>>eNg~Hj@(Hz zS@0X{i3olWGz|!M9ZxoZPkTWVp*jnF;huSNg0cm9$Nu0cFXtjb9~ra(JCAbSiT20O zuKstp`WPc5A&{c9OtnI{;Z~@7*eX}p@pE&p`P5#!yRGhCZu`7jA*~~2;eTsr(D#YB z{xhQ*waW@3iSTh|VudhAlQtAL3PhcYl=!4ZYdAQPAXB6IU*=~r8uFNyXBOrbMkv2V z2rZioJ&cG3>O=$5&#wL>pHB2akst3N$THzD*5AJ#3;~Vf+{Po~i5dB%5+bnzCnVT5J!(xPfTKVVHEGFbsGy02$qMuw18T=qNn^hGsyQ*Z8=y z-8%RugSxP>0_cG660o2)D85Irw}#a30CYf>UVy5y?Wi`WX&+pVcA#Mpslgk| zuH*+UIP|(IW|=2P!6$Cd61p(ptA;jkNINbn^&u?>2~KjZb@KVq{o^E)(+v@s0Boga zr;yZO@i2u1(r^sa(2(5qu|P*ayff!cv*BL4bOqPD2^3tJT&Yxgo!yTv@3qgmitz=L zd#9NbCSydVBgpOxFaC9!osXmvC=REC$Jl5A*B?2}f&jo1Mj>>HhLe^&wyk88-sc+oc`ygR?@34P*J(7O)@y}jy1W8tu8TKjyvxz@e&C2?SL4||ubXlP0}%y)^;uo$`Z==L+xatS|3el&;#h=IT24xCaG%Nd8)7 zg;ojO766|U9BRIVT6A7#0(>IU7$oaCGngrv&T%z4qnycjypLdg2>f>>w~6J#T!DJ? 
zi+Yn5aK;Lrw1Xj-t{M3*gD{1Wvh)pT&q3-WJAWM+;XOj|5D-@h)Z`I^Y6mx{HACnx zM3;mpltq#Qa%O@jg0})vW10zwp#@}$c!VKp2vvHGk-`bVf{AZWAT|oeM@kJr!bE?3 z@>ygrH{uY-%LUvF!B8xZKyOs?WOd-A?{fUZTKIfgNbX>^aLBu)zZ=K(xo41&O|19l zW&W81W&(y5j^AvP-yod^;~bMX3bAY|A1a5O@P+2VYWvYMd!@$sw0^1WKC9ghx7zC) zt>^tEXSZ&8vQ^!Fmc7gNdd_<<=#)iqR?j;X_tp$r?RdBtN2&>Gy;hr_>I>*)r&m_f z7z;)_!tP3j%H7nVy;f;~Otkfmj9=eV`kXCBdy)-U#B|Gjw6Jlt+1|QYIXPXve_UU0 z9=O+o{@G#+`}T14xN~*=w)WoI>1^*FF2AoArac#?edJF0`PD-^Y$B-o+10-Qbb`_O zX1s4mYd_FEgah5$^3B8M$ysTAoxScZoc218mB()tuKgm=Nd^&DEv1L(Y1$0Md4V~B zS`xBWS(R%A$`vU0{}AOIlr7DOQL&u~X3I3!SB`n@asT=B`u%lLsm6X#>_#KerXmgR7bq0;2jfc~ZrOo3OyDRrT%1i8Y zd#wPu`2e}Wir2}JW#mTt=6b*Fk8$pxG@0H=@E8tNjgQ^y%0qLfRNGzH?7nS2Ry)nR zoI{oHA~IfE6oO)c)UeF=bUiYs7u9N7s!T>0S&E>VR2XTSk}At)o=S82A(_nt2QSwv zNA}~cb5*)7FPZvkbNTA9K&v@KtBJv7^gf%xa`PaDGA<&=g^GpWQhm6maA53RTwHBe zn!Vc1$6o2wwr<#m?i2112${p6CMUg+S0FqM-!q!Ehvns*9=CovPk z45gbPUeD3hxU0_=Jn&>D{csxOHV&i zN(ew@FF4&tmiEXtI z?_T)Qquf8rIm%_^>gEUIFwu;Yf0J2uH8&vlWpE0R`~0T>x$lA;`2d(9n_hL*3kNw~ zIx2Txw#x0&mffpgop(DITW9kPanE-b=%k8n-9zR&C}Ssxk@^ zrtOiYtZ*~_qN{zLH6P9~i%&12IY(iv>VQjk}Enby_dIZNXEhBRPX@QD! 
zjEY4$!tl3e<}VsW(9kEY*pG|v;kbBx@^pH%Tif1x-Pm}2e%qG22eqr5<6>qtf`}9Z zUWop4Dc!7aaVpga7#!_rt7i`DE0A%Hk+G;o$Z<7-;?B~?0lEKy%Zp-!{1zi%!#S-S z&y_;LQ{&?Kk4a0h^@@)vJygn#9KQ4sZtP!{9cQC_hsk4 zXb|mpC`wzY=~kf-KE#78*G^iUIiqsrxr zSN`{RjQrR$G0OEFa~y;tKCIJS-!hvZRJz%E+gsgRzS{0pyuGO}>x$^){WK`rVg@tw z$othy3>E13NFp2{44n(FMu$p`@t0R->|tm>^uL;~XaJ{`nXs5|fRTK|$AAs(dNTi7 z%S<2luzh&dJ$S2JzP)cQGyPP0sWk@@IMX{7g^xRJA9v)&NL(FcD!&5@Rzh})rDagc ze1b^fq1oEqSXys%9+wVSB!ymCrjK0ULV*k4#|6tg=CP&KhLvSFEId{2E;ldv^+9!u^;qrw#ox?7EXXLH zz=lC){YUm+MFqMc&P;X+u|S0a6~2uM%1a?kY86&lg@eNFrM0$mwo$pN+3KP`JC!?U zd9OB*QbyKG3<^UFko-E6e?h@T7W&MdJ`-Gxj%*x~}CBpXi zD?%IPlyxqZLqA> z*z~Uc4X;OHpsec~C)7@+uN6fy497^(|L zhH^(7Hd%G8b*^q3ZKj@OeWjLrWXSLt@(B%sp~PNg&oC&Up@4?(Lxa~SIQ6NW_hlcB z47U7GyD0T;#eQS&{>h%-@WbugwZfoKk5s zXp_KzdPQR-FSx{i7#9{sZ;izDGxHgwpg-$fs=QixF&r6A_FTF7Ag&K?9?Q=w)ynm5 zWpmzW={NzQl^}mh`saqp)`K*9J z3nQ&lEH!1h9F7Z%>_t3O51UWR>frqC?$|%QR@|K9!moG?6XSv+OJXn+yTFA47iQ-$ zC~JgvOs7(bl?h5XmumaxZ?@FiTWHcezXdQD3Ru^&?&P==!?za=6}GTru_g zi@ip@vwT}1T`rIgDkch%6lJxi7j646dP0zhE6Ada#RhcJGW@Tk6(pTY~WwAnFGB8#vAs9Fg zbGffO=E1b5^KR*!mI98KiVsGKIf^SStin3vx3}Q|Y!1`hkX@5ZIW@xML_k$&41O77 zS?OZ|Jo?apFw$CJ4_t0-nQ@QixHfQ68D~aoZB%?X4GS#b%2MG1r*lhQ=1fkKTubc) zXWGg9By5O?($3N@7|E>@aSdaPJLjM*cxmIb2NU@tLvj*duV~FR9*$Qy#+cSIs~i@@ zfKICd141L56oOM7HOD3Q)|Qy&x6vIAa}G1>QUg9~CHPKj_3=cn*lury*B&>XF6ZZN zZzrDb$Uqnf4u}F1GSZ*pSGgOglEAi5cTa0ocF3n-dkXKw!dyz+hXR(WJ5MvpGaZztbl3>` z?JWe0Sq7v^R0$2B0^WFV=`bAuj$iJG0DSNnDJ7F3h{dl11%OM?a)F<8jLCfCQh`q) zJX2fUurl)QYh-P>6vFd zW>Zu^lm>K>3f$3Ac!A+Oo&bI1@Pom+VrFmP!_j7E1FjX-8S{cuYW-+y=K=wl0~-XG z13Gd^((s-26zV6!Lk!7jp1*R#?;gP_>0^ z3H=X)=?UqIj5i!uFd!XlYibDN9mg-1!nHwLm-l!$9jZVm4VHs0){ZuvaJev+hj&J$ z?xY=Uy=XTbqyi|$0gg(Hw40DM2GF+7L7J53Bgz_S0#()}uM#tGd?ZaEErlb%;GI!m zCeED8YAFGTpys8Pj^su`4+1apUaU2Q*m0kzG_r;Bat^qG2ds@(#w-oH;gZqC4^Muc zjaLFKZxr746Dz|w9azZNx|O$Cp|ojg)afK#N)^}ivKBSe1OTPiSUYXK)A8ZT8hp}J zBcy<1FSzG%i&dVF5RhPEPAf0K))W1|zQC74#}7yXk;CjD@|I=Ayi$p=wuzI=Hu&)g2C)lXn zZnCPEyC5u|4ltDXAtzEI+Vm9=62P3K`~x-M-ob7dLV*0F;hBH;*Z6l}4$e_0E~|(v 
zauvgR0v|`<%t5^kz5%{lfZ17U=4-(p=qins$stLQL3KIVQ80#l9|}5VDB#G2w1k-h zg{jHp+K@3g$b~CHjyWg8YOI8Evq-7`_g4^}YK-f!00YmD&S5~9SSzH5nubSTHZdS+ zq@uGyszwY;k~^Xb7_l(w`if_qje&lJn#o9K9Src>QD~6?0bg2M@};nuCf=|^25^fU z)=p8KZqAGNKadx?sluoRjfk7|@Ka3NGklB}Hu=6DXadYO#Dypd?PhE|9T*PF2|^+v zG_H^XWa&N^#$yEDTE_R-1hDLq_=A0m%@r7sc}j@K%Y@WX#>LPE+Ps}xK%T(t@~fF+ z7ePB5lR|`-gniuUtAOkh|8mq(NrLYbP(82|(iOP5bWW}k!xT-0l%EHy1Jww~vjPsK zdJc`^p2Pk9`NPjff9~dTcU5hlG#>2*JN}C2kW8)nR?h+6BbWs&B%EpP2THV=z&j8H zAR=sl%RU<_ko4ETYxeGMns;E%X<5M>_Qg{mN-3fWgU*8pfa4zih4%y=VxT3QA-$G1 z_ad^ozgg+6UC749-1X|+kHec@|3u7uhbip8_J7OPz zc+F*Y%ev8#8{83W8N4ZsL4Kldq{lJCE*gS%_=zf|$1$^vYFp%%;@!VE-}d}a++X(2 zM5Xp)p+0|cHG}Rcgl-jp+&KZ+^(^e<^36{NmRkIPSWwa+T(`ubZ$d!xp*BP4-zNuL z0xW^S3u?VK(rDArZg~hsd%Bm-czP3+&EgQ%j5c0Kp_x|{4|jBsg?Z*16E@}{%A$I| z^W0BEb-bxg{`Cj-24oTWOplsum$)i4TzmDUpbE^$`@%&hC)b?L4 z>#fahL_A_*+$4DX_s1vy`_Hg(4|;pu=SSb)|M7I}Ru*^me(c>Xj$zzocURdzv#;*< zsdX-vZs*vK=2@|E2NpJAvjk_}Nckn3b$Z?FZ=b)0nrmWzyVU%7e)SU5g%A%g!Rxzj zvv>a5>=PWsKCNDzcL^c>-Nqhv?qcB4KW{g$KEBYujx@k*qlomgd66Sb#V}&UOof+h?obLAvpI2aJbM4&8Yt}no*?2v^xnuUQ zaS+wx-v*A~0tbH+g{3oAt(}8_8mqPE`G@EtWT9AO$w3Ld9XPWc=Xk;e4#La?9l|P| ze@yrrN1KM&gUikdgd+)6M3jV>Y*eG<2ub zY9(1D+2;MLA#PE z24i@9@Y8ZOWVFX84j6@??&(^k24(k(1LMY_=-8K)t(H03-dk?4yQ=E!O*=5cgmT3w zi_>%O?IZ(ZSlv?k+-&I?FwTH+28;!Okur-7xNvHf`TgR+SbOfs*YoAYi{9~aYi)1! 
zZ2zeKbJ~GXnm~euX=}K%T4wj_{PVzQDXC40+%f?(V4MNt3>XUl<6BK3nSQ3*kcy?6ZTU8hR@O>G#%6J3yt?l#?6xZlubs!sUQ2bhk8JH>+L3XJ!i<7h zPxY$Uj5N-maR!a!AdOT`j;fufLSw5qG_EWv_IU4`@?c9f+c)~~#hHl@H0D9$6a^Xu zl_9~)=-Cm>3>s(9SR5Kn@^3%=Y0Z>&G94P*#i4P%zkYhWS8rZCK3!}+_jj9oNlkd$ z!U}gTP;^Na?s8a?Hi3-4DbmPIpgFfx`Ag#exRe_9nF+O@H4e3x+6y)Fr~k>wm?y%527s=d zbsp{U$+OPJdrP(BQmykzaqH~#4m&!i)plB^mB!ut?c7DTQk`_`>_woxHFP^nQ9^3M zI*&J`lXX9A3|2B9*uc_qYVrg@r8^LIKeqd6V_Fqg%9XDK}*^#rg}920x;WoNOm za<_lKy>xWj@%pEDs!Ta1j`slYJ28=I2D_G9E?|a{JJ#)-gaM};rFa8hN*xZz@T zycvp$!;4~3BWS9+P5BM*Z(IsEdg^Q&riE$xR}IvhrIN=+0>;xBV<}YoEGP0yzJ9rA z|NDH&KLK`;iFMw7x?Z4m554qt`{6z`hH&4V#)gv@Pvub~U+Ok*!j+~@Sa5@>7ntYK zc25xG=Qw%}EXzLufwSe2{tQUsxR6Tn?BadaDTQ6Jsn?;div!j0YC97ORGdkw^)J0P zj(S^|&q(eYQd#P_25F_fdV<^RR`H`EmD7PYjKicDrvZ+GI7JnwJgkc4kPNDOl2W|S zSSlxG(o+@w89BL0500)@g2b&HAmFcTg^%cO|)H00R)>KoXV2M z@WVktEQwQD#ptxpF5n+lIQD?Y6qu@2i^G)JtnKmEv%zRNF!~D#$Jq$9A56j29MlICsJTa4mg(( zleZW_`eE4b@d|<8E|T5)wYqAN_sy@X_OI6Ubsrnhj8sR96;`|IoW|8)Y-QEbe)_xX zs;Ni`o`muOK*9#|X(6K8Tyfpqc{yuqw{+ck*nN6zZFO9Axpy#L-5o#0Fx~}ZDnKu+ z;Y=k?wY4{aa0V_B^Kdb~v5ur;aJoWzN&Qz+Dyt1tkp%L4K~1o17N7sDmJA@r=;e!5|o^x zzJiH?{1t~uf&k{$RyaQFbj~jx*V^~@S9izzzIy4ePNUTNer5iMubyol?y1$A<8{qc zb@}(kgBkp{XbIyPRQ&owXaB~4oe`bWp!=%a@S41Zn46#i9v8&i0W-yN zQpTf()YSHyC@>=xjtwXSM;!{e_4o(eIKO#YMZ)-Nr9ch1peCU40Y%^yHBwYm?$pse zg!}<5^=}h0EaNX+d`l~U25LSBsv*3>EDPj^U_fO+-Hg$AVXey5jtn1nj(T}oIB-nH zyB}da!!}CNF&X;Ze_}kYJ+(da&T|*vQ33s+AT?e7X4E{i(0)>XS}d?&$UZ0+~kAAc8S z#>w%ukO@B0;=C)HR*c%>+DPN-@YB+J_l^eCN6d%)w)9A%HGo#53I5RGN+aWVN6T5c z03ZZR^cMfcT>eH3-&pv&Kue+s_%-ge&aI|9T<#b&%oz*z4O{`)6TV#6qd$}1K@DoM z7(J)9HG-K)^dv&*7m8E*Ms;~k{FIkmSD&hz$MuE7jkQTHf00M&!GRRDekD`@-OO&D z+3}rr=X5xwPk!eYrO&48(TwyAF7^?H1IYk`$S;dN4%#55g$)s{H4%p)aSn! z8?#O&WK^w_*a#~G%Hl-ovBY9=Z0yaS9zS)rm%2yhv0<0DOna;K_`9(2t63hB4zuCv zc!v#@E^&6Mxqu;u)%O5T=4^JBM}ct1(9ot);b|4{$wz}2szR{KTR`+cEPvGIlFa9?o^5Vv>+FgydWBXS! 
zOW@;^|NUp!xb<6hcxC3QYt{P8-LVz*pH}vZjXSUaV?^;U^}5;V^qRDku@An#&CS5i zj_V{QJKZDV$0iYr`ovP(l+?4BrQ(1!yb02TrhC9AhxedCg5X>*KvROwg^6iG!H2Sf zF)^g8*Qn_pjQU6mpeMDMbDnxJ4uTe^{9*V(io$a=rzD0+@05{_&l1yyC8n`}&VH?A z6idUzsKZg@dmp)JMhWuQw9t%cA06p$$W0p}k@ROk7E7|LOwUuB?E6*@^U1gjU27D_ zs;$;xZ%+R>zhJlWY2oF5t8sSvG~te?lz=K`J?AXiA@d!l3=i=4_?X(?M4PpK?J9KE zSrS(POoh`5m>9;Y(m*QvJ0Bek9OL+tN3?2(t<%fLCw*`(kJk^X^}E(hza7=+?(MvI ztju|L^ek3>m><^*>uz&)xnMHjqtv%WV1+Xh6i_SpS4_swDOf;<4b*;>qJUQ9-vx#T zpn+aoX<-C#DtVB?wBQ<0V=ad)n%o$q36!=D_`^LO)jSq>uPEwLXFVOHC`m;{^MV|mbWAhUMT_mOq8R|`H z^H1I-G@0IlQjiR6LhL+s;KPyTrUD214tIxBoeG$-T(dHK>2yGaT?{7ZJ=|xLYvzY< zt$~&2UI+?~vXYlz%UkrZ&ZRQug{q8sA1mXPvfk>yD*c^h7|a+fR=Kr6ug(@eQT`)2NBia=hFG? zB!x+c7Qw&qR(X?~dpsjVe+?n}@a;TS6#kotd!OZ9yASWvStbFHabNKZ&gU=hSTZi@ z+GK3Jcjp**tDJ{K$}a2RvCPKH z)ZoxoaXKWLKdV=@h10E#m)H9Lvv*}piDk?B{rn1}?#sCm4YB6oyg8PrI0B+k5eDD} zK?D>~@y7Y@HBi0-a37O_xQxISRtN0g$ zLre7zA>9Die-Ri;k~SB8cZg}18rgPS8D^x4gbzm6CsER(IV;p;+0bwE6YO`(Sfsj@ zk#$T27?@xq+keKtZfG70fejE0SiBL&3ozcNUtMs1BkuxJpsE=B;6>MOi!y1Aho9Tqj9{h=WI&rU8yxSS`VT<`L#C=y|mnN$Li~_pP2sjQ%#_ffS zE@mKc&OX`p{tne!rLL8oyY`lI++B5K6c{#>HcbKiDyk52a6K`vxco#|b*wCyV}Na} z!b*T?WTb`!fnX~zEr+0enpFm`j0S`o#^anoqwfTbu>RUGEHeZ%cw9CTu-px1%PCM+ z8vYu^EpH4bglela*oA7GzMsND7Lwp)G8Pn71f;;h^59_ab1+}A?08(-aul}KNF-3# zNRqhV1hFg>7J_q72bu{LKELUotjYmQqS3(A>*DY5kN+5g0ESRcwVsQv z){lDm2i@Dzh4LWJI{llQV*i}2x>{!hj;~~J8Vzzyx!8BsFaRXE0&^m~K|`Y0zmH-c zd2hkM1Z+wSpAcqq$A4mSE(d2vu1x$VmY6~C+RY#T@!s373jf44o6%xn+OAXxJr`T7 z?-u>>UbnfUKXJ*A)c`}jW$79o$nWF@h4Rs%P_LKU&&%CPIdimEO&yf8$Hms#L!o$s zKYo-Qu>^lC$X3cE^XAP>fY5gYLciU$AYzR`QZ_a2O`bpY13 zH}>PVe)GnD{C4teq{X}<%U8> zcUPIGoBoUA*k|_I+P%ou8^?bQR+@_!r~On*)k~FBrTyfjTs!+`=yCkMecAmAs8;^n z+YDIt5{yevQ87bP%d#C@-QOPBz1M>m*%-X_boZ>Z;uaM4MA8xzCkDznlVqZ+C6Z4N z?1Rh=!OoToT2RY%CNsi>G8{x&h~U`0Z){#iNvZWVEj~kgmhM!~`uZOwK=iPXD1it_w4f!YF;9zG5G_e1AKM{b3l(vdUA2?K-A^UK@T{zsjCgC?9CnQK?lN%~9S*TvHD9b=HLGbgK#jKbn(Ljnqd$l9Q@*1u!m zN)S*;^t&dZvjiM{z9Au?NC+qbRA)j!@$pzs0*ZhL5d1y`il2Kb_C|EY{&JZWslCG0 
z{^sVf*?AQuX&dDgSL_z#2JR*^L}JfAPx^^@7oI&1pH3wD!OrDq5Bz?-vpVkNkB!DNij%2VHD$5DPxrM zr{!9heuBxgGH_BgoMa@sn8roZ>=Tk>(ST54MdYVl{m9Rb3iZ4DdY0sN+wDzf3<%}L z1FsmC;tx61klQc(E}tp=HArc0_K8yew%$uM+qLf3@K1Pue_RX{e!{{EUkgfTMKsvt zp8OLJ(PhQX&vq`OYKJv(QoZe;3tir`nR#TzWC`QPr*7K_aN`sfAS$@#f`H1BC@Utq z6o6%!28&#RNCB-zls}m1D7AjI{@w2M;2@Wp|N8|OIdB%szRpZDU+yVk;Q(nPJo8~& z(eHC(`_>FEivn zSm;9kPnlI&xjcQDIqH3B6$W+y^>Xc@_}#zd{W=q?v4&22XTZjIoj)+Z|9$-JW7~6s zyNWb>ZKt1qc`lzjX7iv`bioGK=`5ks;K#=+|DA#k)B0X1?m{+m3JWs!Y=E#h`M9PV z-Cn8YY`kC9=3wKg4|liM-l#k|Fvksexw}zn-EQ>m;D4M}36=_9@1&Z}v(wzDwwt%k z(|_Jy+Ni*oW#?C`)a#WhcMg26J^Uz2hTHm+Q|UDaX&hX>-o-BdOxnQDSAr6O5vy_W zCnQT_&YR(!*`Z;-G(cmuO=~c!Q3gv8Yo7}KLj+C}?@?-C|CCP&z)S-0Q?k9ErgxkE zzw=otYOG5{;?sS9_-^#Xr~l>tb5^`#Tt|N@$yI5_K(Bb>olf)%zjyuE=(f+V2PfQV z9A5k+-CX5y#qAfC76zam7o1UyMzRS5MgS6F(nx{MEhhcRVHUma3@jyKD7JeeKCX^w z`vpuFz+rOvcqhPoVQ^wyGh4R#@>`+8NR?juX#mE<=!tT>-GeZp>!b`1PY(f9N!wUq8TFfY*QQZC>OyD(#0(saG%K^Z&s7>Xo|?d@NQ{rlm{EmL%#_Fv}&J%>Q}4Ue%f%rKpELBf7t#?HfD~EiA$yY zzP27Zg&KcX8N+mON)_`o7N4SPmE1!~?d{jPW~-QEw0_h+-je6>YL)nnMGTZ#%o|c1 zzB;F&aG%wYFhVRb->lu^d9YJT)6F=8jU1cAzwwl1^uQ?p=NH^y*bqLK?& zy4Sn+OmPZWQj!=HP0Yq4Xk{vlai8otjYrqSoZnxa`R%Jccs|S)f9fZ)-)cUjUM?Ej zcU$gQU$tH7<1AAo4IqKSLRuo>Pifp7DL-nZ&d{oWt(U_<1aW7T4NvmxxH&qtE`NbZ zoAN!6_?SA0pTqsj{pUQADxi}%6P$3jkUu0Ka zQc;6(I%WmuoVbfMM}i9TAf*5xCM6+Y>Ml=G0n(-#zKU7^<*uxmF-e7q&H~+Qlv+7e z^nuAk@KK*s$1fIC!n$IQUnrYFc5zM)~A>-UX7NX$3~VCSaB$XQuS1L*qP+6R}DX zOonuMt3J4Q5dAUg;!yHVI%>9TEqA}So$8gc&rUge@J3T-?(2JfebmX7i`S1YwTohT zkjk0+z3Ly$DFVnMxeGxip8EF(0RFU66a?yUg$Nb1eVh?E@X8_xf#Xc5o=iZc<0mn6 zK;Lt@D&vW?#nKW%k>6I5aU7W9aK9DSY+Lx(FvG&@zqkTB7Ma>%eo|>Z*$co53V>XI zwO|d=Ho|~9O#z2;2_gWkKvKU*qp3DFAX39?j=c&1I$10(k1`<0^dY0#Ff-XNoD=YI zV}yYTftf-0Se+Hax^wKu#SH=N&Sy3pc`E*s|FgD}uSEVy?gX~1A+FbzP_a-pL& zC9M`a_<_UCEE(e+Eo9}=5)&eY1!#*FL4>9}K^sfcC@l?Ue}O~PM8LTtSYfBM zWE$iOU~^_eC%6I?m6rRa1A`ocA4I_r^aAxPI;a=Dc0RYmp38>^h5AFP{@T1#X5B%( zrf^uT9rCLxW&=tp9bJ{xYA~pue9uRu%@?q{3J3ha*axT=u!$I84a#{`am7O 
z;Kw~6|4ia)(a(QTV_)j337Yi70^BDG6t1VsgU^s%9q0&K-O4HfY7l+mAPI?>$Tk9{ z8r2UQ!Q~O`hh=FbHDel$CGT7WF`Zz|sl>#`P>SJVrlgPW&Tj5(HS0X5E==wE@a8Kd z;>S07C29x89LG-jWKP3BLE{ET2<9I*|Ms9C&o(cw%lppu*-rJUa=3XL!?=efn?2ip zDGkmJyRVJ*ar1nmlAjaN`DBccm)-aE%@PZ_^;R0e~p&BFRE9D2`(A&Diz7d=&1fu^hynLc=@vHY+pZC zI)kIm&hfgVdd<_A?`tX1f=D;($0VwsECZRTR3sJ$wnf4yKm}o0DG91yXH=g!usz-# zNjmyEuqE?l2ICwXo(SV9994ATnAtvQ+;pYF7+Z!e13%G;PrbiD=QoF34NQMJ?8`9S?=uxu}=J5W9C1hpElg7%E}>*x~U zf|MVg8;#a$=cfGgF!PY1&)0($hf5N`w&KX9qy^JrvVSHuU<`<%C;$T)-stZGjmDtt zm&F@XKXDAX5$P_H_LdKCh3gL2d)WhdRX%Q(n>D?EW8CuLEp@fex6ZQL2a;Wj^H%?+ z_fr3}@&POocga}-nC5%;dpBSLnu8FNWy^iv};eRKihEez+O z4J7)Xof0^BcJEyX2y*u`p+fzg!Hf61M}o2jEH`Cz1h5&hyB|Fq1fxiICPLjdG zBP5dV?_KTZUoVT5T(f-KX!T3ogEdD;R-_fSR3)ITHQbs-drXw%t?^2UjHSi6#h8Tk zD-lod(Kp0L!99UT#PC8=!2{1uxks^J;cF&`B4s7U)2%p>7shVA<$2ymg zJ{&VIRB)S++4nKHjY-U1OlH0UA*(n04Gr1cIb_Ic&G`EI&dW>vzJakhsmY#_1 zOrvsO4t5XJO~0F8aXf@PhgxENh!k)pCmG|ZHfdw|kjj}63I}aLJhWVok-{h-4Nr(p z0MWMrL?70jg+mM$92>Vk7id6gG~pm1$F0Q$8jx~=Ra%;ijkhulNIhpacLP$-wVS^I zsn6zqRR_}8rW13&*6-GWG_D@Oaf^_Zz(WBEM~ZT8DfNu0Z$`&M)#_=X`C3S|W#Q@h z_3*H^QB@z=B=jc+<}uUEX=xuia%G2Ml@ z?`rJQWF?@HnSAy$bf)1PfJxx#D%y$;jmrD=^Sm5v8@Y8T`#Se<^whB{4vj*Si-tVA zl+t0cwi1g%BR^LWR?R63CK)BtD$HY@#zycSX$a;-YB>b%(>(r^NeqdHHE2(;(Rac| zSU!lIIXH+&GAnL9aNzLbsVaQV_vGToy3wuYNTY;QcQ1OYU?<>4O!!elE3D9fvHLS{RG zD1`fg3}LX9fa@pp`g(zX+1w$ZnEcDZDUvG_ z0*WPU5WIHthk(5I_NyX5am{A5SZJt7h0t@c#rkdmAn$dXI{*}y{8$Mvo#rT03*Hsz#4?ZGX+d&^pC`;CVYvYnULR?~a6iJ8VJ58iAxj zYTTbZfAq&E`*4Bik7st|3Ppds=QnTk$8Y`SjsE!U@Ye)?Vw+9es}=8NE-CgC(@lu` zrp7HwR)J}PD}Q!PsRU9+d8Y~QMu$b4jF6pdBY&pk{`vK0>ZWE+|CoFZabNmOz!&e^3iS{bvB>v z<92t&?I$L%wIu^vSu(V-&17$PqSHveYcA8f-mHz9(iDUeH?#KuMU; z7-Txm=KkR7W}m0jR_zVUjk23z{KxL*V`~5T{K({bgG}S_x>k9+KVBDln!ntBN?3Rk z7TzcWCM>)O3val%NmzI%P1uBmcfQdQ7T$T@{V(^QvqO6SmkHipGGv=6M&E~Fb%XT)YpS&j0 zBD}cHh2()kK+NeknbXHLcs;HTg^m7Ac$n*~|Tj{Kvf;mgsQy&Gmirql&s)3Kq+%v8)>6hOw*~%c{X}6U(ZxtQyOz8!D>;srPN)gGmbjj?BA%PbNI6 zugUFBdXOy1ZoRN=`iaB6$49l{q@Ek;NX{fiApJ8a&CEm)K@<+n 
zy2BMC(vg~?6J)7Tj7;E_Fc?*6v2qEX2(JvRq;|MMK^L|T@Hy>ONkKb?p?-{&;9!GI z0~Li?X4b4DPzj-2L@;`wYH#1&4)4$R?r+rKSZB^u`K&bX0V<}574RQHk%vf^w*E=0 z1Z>YyejF2;D>st;3Y<##E=PP#F2u+{idtXy4|XR(xxy2qj>Cgg`jK2WRVsOuOuzPS zHA}ZNe_nr(VlW+2VvR+Z4_LF4ASE4aeL|(NmTB&7gc;Hd# zD4^5EU83xFpp@@o#Mjg^oD-$|q;SrZZ%VZS1OpE28TxlJM@DsHKi|47U6c!D{Z<|x zq;?Zs9W6$6aBd^TC;~QfR;`m71&FbCw zCX7#K*>+J`tu2Oz@$ z2!PQw!cI7W+BjHkk1GadhH~mJu!pD{<6BucqH++5X<-QqN*#N)16?BZQi_+l!(Os> zvGaO)=4K+vr*n3kdra{xyBJ=l>b2X!4gKB_2c;}=6%33+9R9rGxaBx*Im`{?xaBx* zIT&u@xaBx*IgVT2)VO7?{Y6tsu|JC|ht0+5^WiytDt zC$)lu#l^o?SSZ(k)l~-j7y$J#mUsjdPS?prx`e$Q1K{wf_0Z3pJ)U=OpK8tQLAzkK zGxvWD94-`CoU1+$JG}{_Gm5`o#=Vf?G-^!=!=H~K}JtngGZ0+*S9vv1p zo6<{I48W49(UO9jEwq0O!;j0IIE5nS^nW?0kL6B}t3zRtNkq@G^u3!#Nc_kL{Bgn0&lMQL&WVF}p?s zPy&XjkBn%a;M8fclL1%@@PYyxq}B_i!$u>0**K}6c2BNEEtR~^{55d6klcA*E%$r4 zPR8C@z1TVZxvQ2smG-Y*1$>)wYJ_KK=XLnKziVD{b~j&7k=BjMl=Um)$HPVTKArga zDsyL)HKUG})&c>Ra;jA_RgMS461i?% zzg?fREEh%jV)_fU_VeHHktd>HiD{x3P&Q14WiB1?eZyPrfbVR8(Gg>$@XzR7cDpks z97@4(ODUBS@J!SDT~BX#qZkE8Uwb=0-(#hPHPls{Wx-4oGxpONRvI%X5?=`v|AJ8- zN54IV-R1l4>-UFbC;z0N-^WgksO}FN^mGJ zO>=6WD`v534fkgCKbi%r46u$>X2I4ogY41OzV4BOcC(cjp4Yb@Qa)L*$jbnXEarC# z<&mt<93f$xVPhD8bxz%hvcDn?)_*~c-kn;Ca}p4LtWy3(AqARWFn*rF6{R^CNYNgh zZV!vEr`e~MdMDSpP3Dtp4_2Hx*pn9vxo{vNVj{W@ZQaJ`AYZzw+<3%QU6}65M8kQ@AtB7H%E7zv9!-T~GV#G@0SpkW1;YfHB z93%-#gvn`IMF=Lp8o7q0B^Bl(tP5DdP;;OKk|_z}#izjvN7^tT4VDYbDF1b}+7iAC z5?|9xaZa%E6LP_#`9c-OUrDCDE48)4L)B5LcV4rDrI1Ux)JFycsqa}{($EDsFKh6;drh9-RMe#{{f8zrj| z+X6xw81JOO)ka}iQ%kTS>KJ`X2#0B_Ee350PQd*Ox}A0iY-B8r5AFq6q%nX^Ouf6@ z(^*GzO~7U4cpfHHV1(-I!K2i%3d=KF3x-{X2oMOEUCJGy6o;{6R0-h7fq{185ew6h z6KLQff1*UxW0r_`PNx^ua!W4Y`R3jc0RuSyjt!dQ`7vb;VgR-BZSoAv0PFNv<$2cK z4o{I@uN&RVRF+iBiF4JUty*EQbG_*l$pS_oU8R5!Sj@;jtuGu!D$0uSiURcAWv-Ji z-%CEjUJQ6BQu~zMjtSB)BuLcZ3eR@6#Ev@{#X9!ufVN5!A;A@3QiIhBvxIcWx1(UVCbo3?7c>7;Ioab zs`-t2q|cIwc%Tvy&toFmRW|$a=H3DUqc{H!4Vc^oFl4<65v7>;K`imqj5^^7(f*mq zz0@kXgZtCVhsKcIlgxQx-3gJP4os&3D=ZlNB_<+&VQidtK7{L$x|_YPrDlZbmv}r9 
z6bT$tqF+OaJ{>$uVUuH%!7+fG-@p5GL5(KBzwNlgxPS-x$3^CZa*VngyWfY042Ua? zwTcJkw9WS57kA)2pYD&ofOZ)RG%q)H@A8Kxgb8dX0>1c?llv*q7!KTlgNHxY+L~W6 ziu!S8svYwW*Gw^H-noo+oy~l-xi`VgahrdOMhzir!HE3RA+*$zSj#*mqHcIbl*`=h zXP@6%?d{Itp)HBT%~k($(;1P{j)tiQDx}=G66>cAQ6mkw5hgH8G$up8hYZbj?h+r~ z9an}K;QL|t!H54zl*ID*M5xI+CGQR>c<`37P=zu+{9_`(#RMch{X41x6Q9M;fUy+{^M=#e$a;im=X^vcSJEfEX1ij}&pZMjGs>$g~`>_UR}{ z3f}_ zAqxraCsD?Nr3yh6xWhRIho6K0iiOU`;g%!X!p1XNa?O|sBc9B9KrBSXF|Pr$2$)d8 z&o}**-1k!s!;p5Ywgld#ob%jZdQS%%ry0|!9BQn=q*IAKIs*-H#6uM{lUOAV{5Q#{ z#g>*K1d3>v+U%Kxy?}XA*!z^gTGJaMc=#RxSzs_=5R_-3>t1-f-hC_a{kP|{V(zVT zbSpE}bl!?}x9f~JTEH}7t`%U1nJoXXStmdon^a@7!q~3IcK!YJ=ZpXxOvN=Zd;-fB zKL3eGT%H{wxi;rNk(?RK9=pZQf4t}Rr;dN3dYX^H!q{D@ka;dQSikM`$9vosKK+Rb zKh}Z^`5*q^BrvMECmDJQPll4|gT3Rz@ae6ZXzichSM*!+Y~4$Q29lwTIsDOBia11* z)0hYS9v<|r)&jy}nGjUb+`qoW(T`8);Sxtbo}rOzboAr>e2X6a_>JG9M?Zcu{4*y% zkv&b+qZRFBuIS(=qMZ=+PK_E$)}b~qHU9MiEvA)YvW*uhdJa#DZq9Wky;H0{9VK^K zyUqIjTmP~8U8HEi3K$IY#xX0(QpvGO(nOy~s;FZ|(j(Yu%$YJ1&lX*IU`nJT8FrKq zloKPZhekAAADGh7gA1RM7hhcGfU%~&YIMu@x>0$0yzI4)50h>(RL(wSo;!mZTCSve zZ^?(lHtFa78n(1h0pVwos1?hJa;H~KxcKh()Fbry@YQ!sGyeV)wbp_&Xud|!4HYIl zR+V2N>QGLFL}kKgHQ6>%8%Gduup~9w0%-V)$v@vX z4J@U$Oo|{EDk}@8345^J?ul08pme)CD4j4jD5MLyF3(lyb@{n*)5`7d>@->l_XT^8 zmBG#4t>JrYa7OOrfw;Ij|2EWM936fJi#w|=a`peY|6YLh`&ORA13e`G{XJR#et6d3)Pxn)?Xah8;c>rx)xOO? 
zoNPGjm)sFx@nO!1R@_?UU(WZ(TdOgK-ie*C@Dp92R0=k^IxCKtJWy#JCZu;sGEmoH+!{{c<8qOaqpIiQrn;J{CDa>BLw4xgxme>?svYL{6CEu0}k|l;aN5lNv?rA4qzt|fNVzRa&WG$9xV~IAz4P%KmmS}_FCYESpi8hvKH&&wc zk8FQ$ZcJT7(@py4=wp;VABsKsm`XSIj?P5-QC{5-vKvkMVc$sxK0nczRBw%cSjLa* zvldfc2v;%X|M=POr2Mfy>v44`==9ZRmGwQ{Qp!+ZAk_18s~;XY?afnVa8MeMz0y-r zpADbxdZo1wf7Qm(QYb+&YR#B&@;_G@W%634$AB0IaASWuY^^#xbrGb_{1y>X`I@ z{Oos<{#ZoyxH=Sg`UknrXf&p{l+tK#$z%{7Jg+a$Ud{j5yV9oAnQr@6tml5Yx9TR< z^YBq+P;g{$s;A0A0R<6M1eIIwf4_U<6d)l1f(Ja|JR^jVbh=lswR`v4CE2%EN3F*} zt#a2mdHk_00`o>uhg$?R%&rm`05N(LJUP}~71|Cd8pfIf!E@0lDv(RGE`8sC49bl9 zxGPNtQVq8lcU56=RF=9qJ1gH^Z)UnqHdV;HWKWO9-vgL)#ZgnW{!fQdM}9J{DC&F0 zuMa2y)eSDkOtEI2(!w|Oy+2DFb!u*M9H>yObZ=`h!vf491{Y5>?w&#ikr7yMP|Z+d zhrC?DKY}gSfS1**S^yU$nw)^dP@oN{VZN~7DrCPXHaO@tJ4vjVmT0eI!-!RUqx?Hd z{j(!}3cmmRS+?Z4u-f}i??%|7F@%fj9$w|pMo1dKdn=Vtk_zRKYyaF-9=!c-*u`H* z3D-nJ{07n%*irE{*+pk0Hh~}}h{ybBoY}y{E`{)yh5Z?1p>r=^Q|)d+^!G$6v%l@w zRwrJ|lVxBSJP{^A`zdWXC(;AIZ$|~0wi5qN)qLhvbBF9+xR7=JL?hNE&iXy7vpXuSGD^_P$ zS3cn+L0pY>bO50=C4PQt-kpG-d!!Xp23>G{G2(~z;-$^&flZg1Tjc&i<*xM`_Y8%hBb_JSXTG ztMj&j$7}$S+|;@oI7}V@H=vzbZ~wN3_yWkZQGe>(zaO(fH~#yn*1fN^|Hu8eUAp}| zCtU6IbLZ)81OCr60+EsqtFc(&%dlRfBPHD4F)y7q+qZYOhceULe{ymMu_9&cp(9YoF0(=l_#1;~ zquvtK0K3A1WQ$P0m0J6~I2}Nz9*@(R zm)-5%?s4e?{&kc&O=nMjcz5&Wt$BLM=LWrlT=99kvf12op5Efv-OMCz(xleoiMZ^b zQs?QW(ryd@OFHcU99vp+$^W;PovbHypuGas=sFC~!8d>REjoP2?MEhR*~^#f{M%md zsAPKE&F$4*wzCY~X>kn!+Q2GLTxa-w$y{j-kSv(=4Ghy@_=x1`f7OEbd{gy+=L$GI z$8uTUsU@CFJ|-1OJY_zQ(8(JA&Uuh9Jjz?q01X%wOQu*FtY}FGhs$> zU?|~r?|$%XF;`DmO0I?1H)Y&VOfadX@`vm}bjW_WOO^I6&JP-U>N)+?IqHi(FRnOb z6YC0UK^Zg9nM{xFxBwUg#wRV&DAW`six#BI3|~H=?a~p@_Sta}e8{I#CI-s}X%BHv zF#FeGwiDP7V)**xr?X8Vi+z3NaFJ>uFq6*uWl`ivbYMJa4b*YDl)Y*09o7zBuTM(5 zTPtqe69SCNf;i2K)B>d0bSO@5(?FCa{>mVgifrZ!Q9h60|G9VnBYVNTZ|T zg?hFJcI%ReR#Ubr&Ep4s{s4#RM1U z$3;byvc&jC7jry1F5aGHp33t2q_$56^5W&PcK&q!W9!Lt;v&^9Zpy>(Dwjr#W*o0o zbP++3QLA-A7!zPjfH4kWM3*ZdMaox4i|D}Euh#EVxxLFKIVbr-*IbsHjm}yF;~GU5 zsg_hRw0KW&F~P+I7vJAp1Q!`$9M|QIpLuFdM#sgi{qELtZ=0SL)K>A>Vb3|IAlDlg 
z*C)OxG#lnhB&e96VuFhAZ!W|Z#ZX8q>$iC~r=p|c^XX&m@#Q9Wou$+^OXBK8q@1-z z#dQiVGNPH1prXI;Apyn&7!zO&1I9peSSeu03+9iDdWPi1Y&zZP*ZRebdXVS*ct8w! zTyb3F#^qF4foA$b^FNflNR=zmn3@xbAq^8?XW*MX`(?FnEZSU=1QvfYEC%+J7`{F` zt~r#s+;D>#euQ%FF;rj93CAL5=4A?&#RSJMlPgRL;N#SPOM#ssjMHlD!8mD(^Rg`P?DiqK z6?(lPG1f)DWkRAhD5sQ3#7Y8*2_z0*p_U`U<5M_669q-aIT7UW`72quYOVcJd}Hw!7E+fLfH)t!?{ z@3h~tULv#Ix#&J-F5gJLn6-^&xtu9wIzLKesGta+36YsNI;ppn)Z2=3!ld3-Qg169 zZjyRiNxiM4-qyO-+oDq(lDV)f$ha?8j85t6MW?AM7lp%Obx^u^eCW&F!PZ(+dd*xA zx|B=cnNm(E7;{~#ifUy#qaQye)@oZgzd>&dwE#^B{W=r+q?VS?(UE{Lu$C6*f#FFB z92BGz@x{ebbX?p?t6tq!s@GM0CN3JH_Ow$Q{1h(E8Jx5*&v5`03+M;a@OPl>9T%+& zbD*X|F-1{b1_EP*P{&k1WCe5pYjtVNbmLx|_$hwK6s;YRWrl?}vSo8s>!x#=%0>D1 zws+V$d$i?0frekd_0{?UE7y?s38J6n4PxjNg-X7i0|=Kde=U|7U4d2Xzo%Q3k) zJ&L+Cx8%v+U4B6>K8!g&QVW-n{H|^D|Wdmf>wTc*MAPK^pjC!pzVqFYw zFp&RBTRVkxEn3KixWWSW6Clt)Zb)y$_B)g+U4k zRNV^hkNBGCi8C^wKxs%=us<*}AkR7XOR>*yM~A8M9T%IVs86nUyEU4=V*5IKzuL;s zNaIolOqomMvUIfG7D#3ns~8z6Efdt}V3dlMVn1GS^lODyxP&Sr1p^X>(Img(Il;$# zfE18ii7~gZyp^4FQ+F7tw_Z)bNz~zL zz{gBSGgmXCIK!MP5Nw2xt|Sl_mjeV)e~i;<7M^4-Tq_j=T#^iJ5!m=r2fD~$J}Jls zblM7y5-L|njfn=-5{$o$fT1I>)`7+iFjjEP9Sb|1b_p?pq3#9Z!Nh3#_Qa=)U7d9` zkUK?Cv2Z3-=(^7I#-kJnlTg-JOO(+Oly%6{rQ8)tacDc3as^;~Xn1;5>Q5q0*!P{- zugHnJ&77E@>13x`tjmR5-^?Q-qyc9iv0=}6c1&4?$T?xbDZPRzqW#M!K9n61pf&fc9-2=_Cqr*X zj&8^^alOe}?e=4P%h@TdcyRzDw5uo#D~6f+T8u`txfHI(YS_apd!<=$Y4%l!6;VsA zVmv%II3YxT4I%ncc9s$g>Wz(R&)J3Dm-aLo6@(pCigQTMPi@Qz<)HP+$oW2`@i1U( zt>U36VAG}h{L0<;>OKPtI4i?kA3n8AZM*llhbDvxZY+xM1t0ELWClwT8xGQbroJ_M zs3`8snHuJpy}71FVP<`n@%FQ+mp1btnA&c$57D?GWHtCu;7%z)tQC|=-=(w63@iLM zo%{STyW4DLbf@rIQ%AJ+vetA+NldB~Fp2>Tl~~l{d6}Uh3N*rif>6I^;Vj`oiyj@K z?3@p2$CbgZ6Nw&th)<%VMKvqb_^zIJ^-0h#hDF*|@*$3i0DTD(+5Ye7&kfbF5E^$L zgW!#DzA4&$^3w&c?<2Ut6wFi%Zg|o5`-puEw>J@dDvLhikI)Pk9Ka2|pl0e}v#A$TFnA0^5;d_=)CAqlB-PRA$?6YkDSL+ zu9rEeU#&PVn!aWxsVg`&1b3hs&rZddqeQqTSXmHbxZg!#s{SM~f@7p1pcI&vL&`pB zg@c1hVn8%uMhP=|e*yU6?r6hs6CjA-QD`Kf+YJ=}WiVH1_|GUod1E+%p<*#=3YvOk zqacNjEMOp^ArqDvi$D~(%Q*+N&q2K6rr=Sq<%qQwMyZw@I);c6Ihl5WxM>p_f^(P+ 
zG!rWP`X+D5dp_kdpbP|eCQ4%Ej7tWSV>*0ln({c6OO1tz9VS8rlX2)Y9CK5JJxSbA zP0i3fhY}G^VdCy;)1M@a1)%`J1=U2Nlhc|+JAw^A6~}4a_?mI&ccM@0rOVT+t4DTO zcwwby_OzEj>E7?J__VGJnzy2*3MWdL@o9anR)09=-|1xWCz;m2UZ3j&pe_||S>j_* zHuu_3Oo8R;d66r#_7lr`!SuG9f9=Qr+5V}epSZ5(qp>hyS1Kf)i#68Yw({fOZga2v z#DyQLL4^VreiTeROf%wVeV*Tq&V*X8Mpk^ z6qr_+okl`~{vI0i9;pR@H3IF@)My}i{$-zloWli{eSC8wS7_PC|N7=#_6cggd6#{H zp75Vp^@;6j;%=>YALf!4ePS93agWrvp=1?|bc9ypZ+}rD13i>5?Pv3y&&^Q!Aa}9T z6?@%B=i+#vO1r!JH@)&tQKC7GbO=S?Lrf%5+Kl;&aZO!@pIVK4i3M*W9}oJ>YIOlD z06jMt<_pT9kt#2^_qLAZNf+uz23eT6CPeSPk6I(oGsq9@AOXgpr5`< ztqUe3(rJV~C0-NXr%SvhLQa@?O(b3ui$3G^3@cMlv7Iq?WSC{3GX1w#?nP%uY28Vg z?6d8rDo(R?C<-sVd$rc=h%1*uSJa9@KTukXUDqmwl_@9EaB65+Tsa{}e+@ZG%qFIM zxX`sFW)t6ENX#a_KTXUg*1~LJ3K^nCYM4uzFB#g8PKF-jdE@nM_x_c1%$AVp-2?h; zSDXxK<5CU0R{;H$Qja>b<0b+Nte9&CT??r1qHJi%UK7y6vCLMe`BuV*{u(}%cug!e z(I;LLiPwbh$<`p_F!7q0Mu!6TR8k6as1(HCi1Z*jA37<^YkpLy-<&n7M74US`*+^5 z(QC+u6mo3|yxl@?Af96ED;OP87P_SMI;bUN=x--OiP=PAHj$W3_=Wruvx&rP;)59J z@wdN-k>H%bd}Mty4-cagqr&qc@3x-{{BSQLu4wE0rtz}kZWCcSMYvT%Fx+$vOqr6^ zwwn+N#21_-p+*Tc`gkR76N%fzl!-HOoA`RIr`yDou0Z9UM6UKXzE1XR0AFsr1!t-h3 zHZk>liQB|4TKh@dCgxiD(Hf{J;r^AxkE3&;qvpY@lRw`)PF3vlfVDd1W~IBSL5=ZmhC0P^g5eOc;Txom4j+4p8FJZsC5K0EnTy_2^Tf-8((U8jRQ2)b zvij5|?XC7hZ?jbVHAHDH%ZZ1lPW2CZP6YmZT&5EhByoOF!G$#AZ+{6Wl!yjU-q)|M z7#%CPy?s38J6n4PxjNg-X7i0|<~~-es8+hSwV1&I)H*HZ+W)8eYEnR#9bIIR&uJiWqQ;zi&^F>AT}In zuj1p^wOWvbNnmipO8YNx{b@`}qBMR-J4=OwpdhdGbmj4qNqm^V<>AC0Fepa{gR*+t z?F^b14{t}Wdj)cGYP$W)dB9-Yxp$c*lbFktG$8B=m3B}6Fy$IWEGEH76x$xc{e=V^1UA=NqxrMo@Yna1enNq=&|`=;VJU3-W#9;X z(JgM;Vy$!EKXZ76d#CbtztS&uo^BeVbeh+XPA;boi|Zm>emi#HvLPqHqy=^cTz~L> zU%FTjRbj3WZdNhjNomv1M}fWzEudpcWw=&4LdbCmCxpH&-iL@0ijQug(=G)Kp&5lw z1UEW@Qvq`Yl|W4~Dk!X{774x>aR~ut1fqna;R_9qQd4x<nv&#H|~;>27Eobef509%F=}x|WkCv$9U&Utr^(*mxQ=ezkRy zQ36>oMZtJNNGl|x15mU)@eiy#kj`RT*5QK-2)5@u#vS@|948qeG)dT-luPNm6+W|K zEYKb>oGymlM^q4k;WNZF7}!#y$Qk$XWZePM;j$)vy(Jke{3d)EsaWj8z0ak#LK_f9 z!RTBXrnTmX0xWha-&dN&eWi`%c4VOeu0Y(cxH^=Gj{<*e1TDcyB+(=L06h*W>Zhzo 
z5L1rdr)VzlKTA1Y@d*zfKw`KSQX0fl3VlM#RZkO1kFP>6D174EMo+aqX~ zlmH6I5+uG-?Sj9PSfF4`UIBVol7R>fiybB>ooa9A^tRc0gp>8&;zGH0@^Dct%{%GD zwM*d6SJJWMKgDpesFT(3UE6{sfcgZ_lhT^zsDKKx-UsH+1`BdC~X>&A2(~p%ZK* z0+Qmwf=ZB8H|ANhZB2NC%M_r=^u@O|{y{TsEP*odR38VA0NCLaBbgSyBs_YN1}QRj zd>Y0inpz%z2T6J)`em869EeE-lM-+%N|Je?^vVJ8OOmKbrKlLPDML4B0?mPk4uzpp zAM72sXhY(gL+^>9!9nh$g)a~?Xiwwg(v=^piAbY&8`m5%Z+sRuE|Yb_Q@M>m-uK95KM6 zTS3Zo)&$osIx0$Whi{SAss!v9+mn)%yd2RcA$Z_Q6Q$=EBvX=N1eCHIpDT{bQ_y6h z*8{jU<*;Hf4xCei>;hVkNv`*CT$dEm0H$!sNj0=t(IsZUDa)N4(OBe}3;rIN0Ye$) zvf7J>td<3p|%>EtIgs>dcohx-?_)hVWyC)ar}!Hzwvj?MV( z7#iGR7z0l630(V(WFu63UM2S&SS2_esw!z=NZa1yh?^AOqnMizE{Ov`Mq6_Vt{^?K zLCb=_W|Tw@ZtF!R~$c8>Y zw5ww+)BBVfr8Ln210x+m1i=0vTp{mEU^?GN47Z&|=ZFVy15Yqwh4?8o0Co_?MUN** ziH7lAOuy(tJ~Ff~kfu{Qq`=NQfcQY}T%@>0S4%|i3Gs4fc}<7|CS2TMjH5OQ(QrKOiPB0 z0uVBg?2p>`(F|7(bo9a@F2i-Zxwvw-3ajfo2X||xdRThp{WHH!KkSIL>+5cNX>&)| zi*{+RRIc3k-*D2dofP}mm6LjZtI#Lt*_YAzJ!!9jubg##HLW7E zNJv0O85v%Lv6>t&>SyqxDiv807cbRju_$Ug#fABH2uKP^3T@G!HE6`-7twx8Bf)J< zTJ;ufoB`i8!uiW0LCQxl*oYk0ubr(6t1JEID{*=E(pbFNd94C$Z~M1?ZFS{p>2U8( z)io-aLYEkf(3Z2e#E5adZDc@jyUL=w|rox+w&4B3(J>{K1?vPa?^aNK!s)oJ0c zn0ap`H}8C*TCWuMTg9v0?fv`yrai45A5CK3zfmR4po>VV0?v^X+Lw>?X5Iz*Jd)#n zl4zSr8!ytn|D6;PODfXVU;jGXsJEZ?>U*y8x?kZnak=BR3m3P~exqJ$i|v=Ec4MV< z^(y z(LYU&88?^g!qp0@-CHg_!NFCn$&1OESDNx0wutV z(N=8IpUF|fp+QFjB`AP{F8r6A=lH}k3JXz8B?dKK5BeLm!}EHzvv;(-suypLAKUjc z*wUZh_@B?8KG#R*?BSt*(mr@zslz6y&ED(r%cc)^eCzm4VC(ZY{~hUQ05HIi5(^SD z3&j;cl3U>=&_M5`q-SyJG&#ziNtCK9Y~wDI3U zq6(Y}G)NFsBf&TomWO80o#5ymf}#3f+Mh!Eekdp?43res%IEI>g&%j<8{3V$ zrS5a@a>Y*{z6)z+f(HLmRH0xgn2R2t5}G7>*!wIQThJWK>*ed;}Yp zQbSPuIN)C+IYuiUp^?JdSPC(qP z9iHDkiqoGBj6W#C=rjYXl*|cZj*B@iW`T=zI1hA@E({m1lj9X6G(%!k-xgxzr0#*g0(9xj^K>7dJM)YylL0dH&}ySMDZ)8tH~VYN%Js%>zs>pG%N9Rumgn9& zYtJfUxD>)t+T4(J&NiMCbt^2BgfWeCD1^(yIltL7&(dp|&g=MPK8s+&F&1@KwwoLk zH=c{lhh2Vf(r&DDdW;<{8&&=3sF>;L-waXFk(!~@CJ*K0pqPW=;1w%DqN2;#4Aj<< z^@cIUO_dxIFYW&Nk?h~==f1t}9_+Tx&YHWEU}B^u;aQhfZKet&%2-k$A+1k_q+bVB 
z2{{g3z^l)r9X-=1GDF6l;Z?dfi5we_-`DW#dg_Qj3qG13iXP8ueJ_!@;lAu7&2 zshDAMP*K8+t3;Jx12;rVG#aBDSSaa9A(duI;-(DSz@yqhjQY)@4y3+e2U|nKW_(gd zvzG0_J<@&boi_h;>NoZCK@b1nb}Y1;PtErK-L$&xvu5wl^X0?EpY?_EpZd+&pNIPS zpT--N@xFJzXV%%Q(BVy$DGVO`a=F9sfHRDL!i{^H`!QqHqcTB<`u#=5=pcc6=;qMv z7|pnJzN#PtkH;W7aH;~pou-Nf(dHd(ZPV$o=rC4ZjB0`?0|4r+Fwoa@d_e?wnv~8s z)jR^GM@&8^m2vdTBK)3Ii1DQl_OZM^qObp*j0yl~HxZBwxiP+uHQ&B^J%PI20D4Xz z2hOoa7ay1a94nIN0PqRU|L=MImKd)moOD3Nk@%oen7^INe$X)*8JFMSTt%)&dX22a zls?E9pi+@Q1!y`4N?svARbELBR0_;vXQ|ve*(h!wzHBU=JuK|6&OJ~`&2 z8iF_l29REGQpVuQD(+^7Q(QUENi`4*##Q0i7h(E3P^P+@=nEmPD(8dtrd)$H% zVe7w&REp{xOysou_JB+D+|z4x)-yu|YxwX#f1(2N7lB4EEcvdynj94#8*8iOz3Z#p z*VfZbrTbc}?7UBW2I1$OoC*`9lS3m3GQk$2oicve>)r@zYB0pmlrc_Pe!< zZgr1^@fWHvhmI;o-5}5g{YT6Fjr8ryNZJq&Ys`B-Ac|9&EFP;{byQolEBp7w zZq3|Z)~b7(^<(b*yZP~C^Hv*mUcJ6szJ8W_o#UJ5!gro5A*2~*e7Tu9(V6Vsl;>$R z2xchL9hY~oychG7LQ+Kf!$^sYh|dI*o>N*FE*08r?ptev_JqfjAl%Z1>PmB+p!%Cs zINjJHvNNH0u$r7CX<~zpE<>Kcn27D3@fg*~HV9|{l-D05Q z8PDnHqMB~W#q=-rj))n+^gA|gj?-hx9Aw=fJ&HVG<_2lMkUaEmX*q@5adp35d1{bq`Eq@{_=Pq1SxWpeet8{w|vke z!HwfQ_Ht=XkNz2Y#68fABsG*$PB|unm3loY^~9v&7KAbsZjZOf(nzZ~RS}g!YZ*Xq z^p1rCO<8>4sKwYUZSaIJZ`EhXY7SR5<`R^nN~=m!?st4^_%u{TSEF4=qY$W#JMzn^ z`X)V#1|HBrP+>T+3TvS%I0aIc(bl{ z)-UG$MmaD+!8@Et<&41<7feD%qU2HWb4SIrnG9sz57&aD}A&m>+Xz=bfh1yv4NPh zbD8Zr8{4(in_%p?rQf1iL&$vap~ypij`SFxB)sTLIYo7Y&Q)c*v9Z-Js^;3Byx-Y< zy;<7&;e<#a-?xSX!^NYhNcNPBXqNFIZodF33$B^@sx(umJd)D2_dc3lo&WsmZ#(N>_y_z|i z%m+1+!~gt2jVR3vt$%1zbc)*>kL;}8fKu(Db-uiJ-D_T+_WALg6QkI?B6J|6lGadI zlQTQ3P?7euMpni&XUb7;LXscxJ<2k47X&gm;_aiCH}G-L-C!yY73JLM{e|#n2DOXm zDj<5oL2zW~yjw1D-J`WK_+ygDytTj>H%=RLsB}=kiQ__+3LQ|UtwT$dfGU6o0O;}q zda%yo9t*%N5ZXG6?ui0J+L}{#5WQ%J0|9{czz7*%BDyg8NdES;M`@W=qIOCy;n@M!f87DzU?l_b2Bqr;nHhv~?FG!6DF1cZf zG#7qI$RqLy2#o<)>q6DJ$|kfe17EI8~|lMK!)^y?(E3cl%=Ra`*9S{qf*z>*D&mSka`SenNPT zTc=6p->H#|80RVBB%=Tt!__)QlyfNdlUDaalei#qcP2E|8ucmV`Kqgo5Fu;Hv2i{^ z8%~6p+l6wUuQV3QXZH)uJ@!fTQ0#dsRPw>~rJ>0phTZsJ&E9QIu|H^+Gm_g|%}4cD}TG z*jeV)PNwiM6SXYxm~)1qH6RfbJ9MMcpaU2 
zo-)cx?6B053tw{F2Vmfn2xpbZK+E@IdHwlyx;SXzrNoiOVU$Q4&?@*&oZgjjkl-0( z8ICvOhM1$joqs_Zrx3j&={33*Q!<&z_>LZP+lknu(cFezciP%cj#cH}$zkDfb>nX1 z?7?h3-yN?kx7X)9z=P!5Q&wxPImutKudjZ~VbKU=_&X{|&$Jz*P8`o;KuivZh3qCi+)y+;=-_UmigP6;xE*cp=yn z85Kl9@QeH3zf8uZ!EU;NR-2h3CT1pBnxeb<)X9@sCv~+v*4d}sjXJ#>Zf_00w<&`} zvX=zv{b}+KcHn}^EFnOZlgLsm_HhRI#FXX0T#z7BJsSbj>6sdNz|eV{mg5P}!i+M4 z;tpF$ zrM3jy{LWTrDylh}rJ!XlR=31CpimlvbUBem%wlr{KMsqSfdLUoA^w_L!Laa!q2Zw+ z=<-YB4JYB_QHdoqz}X;5oxY+B?hlwfn7o6)$dKroExev;QtiMPp=SDeG7ZxQ7HVKM zxPv^Fpb5W7pshUoR7sVZHt{rY|Jlh466jQnlCrrs1VrLgqGkk)Tyw&r_j;2b{rKx- zCa~6OV7F7=iA$WE*P9K+KL7(Q#ERGM6%81S42A)uNv<@tKB3iW6MydE7DmQoj}~#} zJanxU*y2UNwTiwF^DivL=u*NuCg9ts1+Kl?yd!Xj8HH6ufGZUKwUGl%LrPbLSFKaZ zv5%MxR4)%o@hSiLuV;JNq4~PFEDiSRd~E8O!g^DFPCZQNa|mXUP=|{XEqx{Z$=V>w zKl`5djzXby-rp8Fgo?dUegkt{8XA?)b&UUyX8dyrz=|IahzAzJvQyw?+8XMo{d2@8#ecT=#J$_p?%#yk;(BMf~I|MISJx@N;Ex(b| zcuE_IWz~vcIa?@nCXn|5`bP=6VQNel2l<_UO8h`LV5njySjPQ;yXVbLb0<^Dch7UA zx4(6yUyh5_R08JvH-4zM?-Q)kSB1Vfsn-fwa=WE-zY6U=zi|7{Y>MOkmH$2sG(k9C zDyvj()$abue0NT1_FI$6D1|dN6>4Bkf$*v@2lIpD__)((WX_~Ggh~6-y?HFkyUh6R zCGCt2a0h~UEU-h$re+wM5gq}u50i4zbau8oWr{>vB$bMB9+i0>9(UwTxAbuIe0-L> z+ufyXbav?nn2H$HpYF-=W~X&p{&jp-IJ(#8jY9fC(=5R z)`_%hE7JPfh|W-cm`#f5kk+sVC-EtNTW2b*{An{k8lTGyeIa{KUAESgUlQv9%xj|& zQmL68Sc*hiid{^Vv?8i7!*TvUn)5rEHsIZ{urs_m--b4;rIb*H*$eO zpNNb6<<(Z9(XZarE7@I zpN)nar_VZl*6FkBs?X~1QZQI4VEIutu!i<5KI4CWgs|asXH*{T?dy}=)8NuPq}}^@ zKI4Z4$g@nM0Vz&LVrB-GCVAFsnB|;FNBLi$`#UMWlV=0o9Sb_ct7v^QZ3a3OEPL9> zV0HF9K6KXiH;FlTd43s}GY_OyDP3GwuTrkg!mkGCWE!Fo$|#vdPUA^N1n?gwIJ0_Y zT*-;Ez$?+P8NLu=G6>3OfT!GNeO6F9xpWa=c@HbXPJQ#Cc~srKD7LrvcgMxczXvRr z(oeTq!|#?)r@r#b{Za&{cJ}EvKro7Eh~iXWb?ZfZK$u_joKm|Kg|-g_=n@*H80ITx zpU9`u#x1K~)h-2MLneWn3u~=}h$)0pL7YJil@tOHu0A!=0DME!wWxG=ayR%#UL^@j zmC1cCHSy2>ge_I(Z~ge^!%}79nkEe(y_HzsOo>lPe6>`e{?Gjt7AoPh6d#}F=Yn)5 z9KM(g4Fx4dmpl_33SP#Cue;vn@OYK~58i`ai4PjJ-J?r;@uW7c^VO5ee(tEdRp%+! 
zkCeh96s;i&BAO62?W--7_KZX)EKZd6nZKv9#R!a#P$7JjAs8|$_2yQlw((M-rBZcp zc)I(zeK7DZ`^};rU0$1J{j#7MgI{~Ot>I4fj|qzYaCBJ^i(VT@6QD61TQyAQBNy)> zFt?4y#^Nmw=JsFMcx}Ld2~)udiS{m@+ZAG#aQBW@u5J#Fs_RXl zr1rR&?3}>P^&;HFCIx*-7=wTdh+dQ}gX2$*KfOKXx0!xzHh{Tl&ZNdJ3(-sVylx0@ z%@D9m!{QMmi*V*PYk2L|zzhsgL2MGa+Rp7Hk!&N0*CrPL9#Sg`3tfzESo2QZYYz?> zptT%(iLG{NUt5F#WH3Ua$2K*q7GLud9ZN)SmxWK%{MIvzU&r~aaT4x~v+yktarPF! zLnAKk5*U(pzJx6@;G72wPWAYF>83pD<+7RPk=i`Wm98ta?>Z^}t&6`QcKKo3!ufjG#+~djJG5NjcNPs#WRI zSISEUpN5#gW#?X>b7U!QTimeFaD~3OL`@n$5us)`ATHY%7w%D5M~$9tx0#;4xWVIF zwl8kj`CGOxZs;ZcnZ~%u4JYaImF(sGqRzMp-3v+ItBIpYDu|QMR%TXcVwzFhff&e~ zn(>)ar?WA9lwEeT^RWN&!g6<~y9dcOzx@8nCWtQ#Ct3;4**xR2)r2NAFi;laHA?@dOh<`A8HzQQ zu$*c5ZyeztH0Wew|Oye;}IJQPY z+`~0vB98hpZ-8RbG684+EEt*z6+OPsKgoYQV&#HqiO)BE^y)R|aw?Ca z$r=C+91Rw)=%qE$Qx$b3(H{cS9*kN_L^R7udaBL8l5j5w+=C~mCNS6ZnkXi7GE7{< z1VL#iXyI=yu<-96)UrDdC-&-jM{ZM*x^mGfqTln7|Z&?TkQ5DzNLv0%Dmd-FGBwx?3;7m=1DUqzi{ByT_hAH^k{#1e~ zsnNWiEG#XS3aRO8C+ly^F9n~srSnTk;YTXSQh0ia!fcYjooQevxvThO$zBi6HoAKo zkE+F0?(~A@4ePBpSz4$3k^&Mhgp4vQc1+1JrMJgx@&Pc|2y~EC(}MN#>7|h3$Q9B{ zfyJ9CN-qVEZ`t%x*!f#Fy%ctZe*l3bITghI`FG?;YbSETzrzQ<0DR2(sM1^je zhhM;%2uUqn$0tp_R+Sud)k|xe?A{j754i5P(%#oW6X6L;VeX&vmIJ#Odfwy!tGh01g7>8V=l`f1Sf z>E`t?|8RA$vyU~N$(Jjlm;HN))KcDJy?(d3@l@OJ@#ODu7z_B~AMMgWjl%uN!9HW{ z`0$ZwY*kOL3hnca{{69d>5}upem3PXm(;>TS0n)t3a4P&rU#J2(}ZcsjNpvv4UxT_-F~C_$AE>4 zx~7IH2>~aGo2hUgPx?tu+&~Py623nciX{LZgJ zIn%0jwr`r7=MQVmpHR@YFlpdsW^e+-qpzQrtg)zx2o+h?=g5;IPj3%rxH0F&mB!`_ zH$Fb#3^zVrb%q;jVYo4eENO}T%SoU;StmYMx@ZiqI$M{F)8TIWxUyZUc6c-GT*(M5 zeI=9LQOw`-^LH^Mgeour;BJN+M%i#n=v0VJ6sS8jMn|Ri9ba;M>FweCHdZ47&Tqr{ zZ3G@{4eBAC-^M(;#Al!WNX`+7ulqVg_z2Ul1#k?t7&?D&JibPwz1#-XH5}wlS|12hX(%={b5Af7QReQ^WoaYh`8i zU|ibYyssYH>$I=>io?Qg463$zu_*7kRsZ!lx9U5mjqk}VIj0Thv@vfY ztu)J=(?)s{O9EFOBm+TI={`PHy6+!fl^(~NX9xMMa`mWuq)+=hYfY8bD6d2@RuC2< zD#w(5Kj)Z|bJ_?xo^#sxc-1*=#IHn8OIFD_Z7lHaSga}3X#;|RaMpxn_ErXxrtSh+ zr9qDx`*3ny*y!!nHa2!op6)9tciMoU!BfU)3nxeex1ME9#uJoVqpX3mF-Bnx@@L-k*=Ym2ViO(NPPtYiwaa?`DVMveKV0rzw2ticxt|5)&xxuGPsc~9 
zx_5iiE_UhR_0iwMqn0w-Xtstw;8KE2O8|2m=LeV(~U*4waIdu+E7Mh~SuT&c7au%KBsHYd5p8Rrsx zwt@icAwGazJsqF*+ncBT)~Ma%d-d`8J#C~Nz|gE-YbJmm3v6UF)BTStSTul@z(vDL zV`fH{G5|vWP(&LVwS6nq2UbcBk{hKGyI76L$_SupkK$48Fc!Ts4&MYqpM z+vHBoG4IPwlX9^c!hH{dYM=~UFbSdh^fm@TxJNZy69(v^G!L)GixD`5=H&(T;9?t1 z6z8}*Sq9|gIrjkJA-0kPwH@ZeuvgR&R0(TIq{G;GsrY=TnsW2$_NJ2EZa+MnZ*-=j zBzfGXjqKxPxz#&s+0GL^Wtk~Xl%x#vodX9jZ;uU% zwVhN7!{kKB5{rGD5zjDXx#UzqKUvx#nupQV;oR>6aq6YHQe6J(Ai>hMKwoH zDP{#a48~C0H3W1TH9xZu=g2_r#>l0e7Hu2{kZee6h_Gl4j&I1qvOtc#Q!bYsCU0C3B zfR?b1iOKF%DdUvl&Y5=v?l6P8x&~aK@UM*=U>Yh+3=j7e=G;s?e*#JW;{scki`V(l zuV!D=?kZJwINYwDKeyMM^aIRLO>yqPe8ftVP}bklSJGcT62$sv-}A=$!x_CVRT4(V z-uEsOtRUx+PA`u1|Iws>E(cig;{hSTLU6X~=YOiDg9+^#%DIqQ1Q+K$#fQ%RR_>B# za;Ilm(kpK_uWJwW`(%~Y{R~s-z_sahxb?h`!vu`U~DiX`q0_GI!|40)$acBH7xj^ zEcNWSet9bhzvw@UIuP}6CTQUHsX=_$X_HDu_bzTl^L#`yNBhlgmmZ{@u_@~jq9~`5 zPfTZ~QO8h^QXuc}23Wj!`2MM%S7{AiL2GOjVKcYQtKLcG_Sa!W6grL4b>Ft9y6+V` zox#cO&iGUp4ykO80eX#ggl$a-n^S3>N*m*VPNj7!Z8Y3CmDZ`WPNiL2m6nFuB*ANN z-k1qiX@~JSf3tj8+8XZLlDyjDOzk|^8@I!?=KPXiKW>=U2G%0Qc#1VzYBWR3n8@}e zj`RP~oZpGG0q>55o#7&_u(MCUVW-j%D@fl~7awvy$4AcF+aXa$t!nFRqw#Q1J?7$m z^V{-U%T~h@?!f|x3pgyWQq3SI<(>wb3^9n23|7lfWJb>~SEp4|e;yxo zXv&Ei5PJ`PI|TArd5;?qr|?D??m=8cvD2KeYNfr0Uo6fthzc#d9)&*I46GWElU#AQ zKP=~OpDd}g{owLaJI^(&^KkF&?1+ z2wYmp$sC)uA6I7;L?uM%$dWL}`TuCn@5I@FcgMocaH}St3(>4xLYQUf0v4#3yu`=O zQMcFW4sJ)Io8CYd3YWW=_v|9&@~j}hhOGs5Ex57}L(E_&mB4`vq0A~Yyr(lGOHQ8! 
zZixo-5>`2DATSHED+ns0VSeFrN{S-+}< z2?U5-La2lm&{8vB>)9z*1;GY2*vCi%6nyFogr0+(G8XCSmfRiwkzPs0!sP$#U1v`t z*|z;Ft@-?1@8s~l5u4E629p|eCCh+`27}35-T(g9E}*F@S8@RCzU7f-M!0-@e8Spm zXNqs|JT-F%08#`>N}wWlA3J%iUy)2yP7$R z?=&J6zIb`~+FQQ9I=%ZjcYMJ*^`+mBODj9a*Aow4rwb3kfmbwOh$}{Z|H?7FdakSX#=lH&&x7;Wu1=j&BVDF z5HqqX{oBmClZt66$-bKg8KOL7tXD zbIAZdLpFXX8AYi`Z9b|M;&_@OY3+@2y0GYE@3eccC&fLJjh%hjoqufe=a^1(uzlP( zo70`mU0IiNTz9pr-TyT@(O-@(17gujPZR3;iVI*^oWaxv?`o3U*rzsl)0NzgFtyi~ zFyu8=lCk1y>ACG{1}|KnKfAYHI*dBd2xSUg#QBT&(&@)|=RGsdmaxDT?CzgVL`p!N za}Y=a9j@Bojge|&pHY4%sUg-ZztPp;dz#;eYw#miFu#FsM8N_M(Z_7;m@)}YI2$R3 zoZwGhQdg>UgOMyxpVl{bu9}_a?(=&4jIZu%t9ts!bkirT0vtkP9JkzQ?-LW7q((`G ztjSgshTT=ZWRoqi}K?*NnGs&1+8`fQq(ZiLesQ`SO26 z8&B;KP*>&Y(%I_y&a&?|?s|_`ou}XXCwE6bwkDk}c@sE^9hKnO(%QItOFxDLGxVIAw+j*1T}Noa?JRX_P5R%4Z^11Ymq0NV z8*gG-aHr00=oZ|mYd3rg?u^a-svg{9o6eX!mjAak;Z9$-p__1z4MHY^E@hVabjF9= zHI*&t@@%QQ{o~?fyZOT`)O+;?^CXfhehDYK=Vk~pUsy(sIZJaf8VgAO0e2pfACl5QS{KUcF)vloPEvgc?z9%% zbEb+p&bW_S{!Zd9D9XQ6+%lXsJ1qv2Z2uB1G?VE~rRui4+&8E8xp}evym)CkhdVvD zuC^}hq|1G)14p(J4tgG%HRFPRnjB1mQL&5?6-z6@UkU!V*P9ap3aXKoK@W?A-OvuE zF0K#$#)H>8hu$PB-=b-tKyR zo=q2%a&#G^VO1YpSnR6TJ*?gC*CI^$bIOaQeDPN{YVbyr-zjnkBj_!r;UtM^?vnD%K&0qf>Jo=gvqWkHVHOr$-}(z z!U|(^Giy)n<*kQ#|7h;F>dYQ*E?q{kpm(|1++1Dh`OU?xr`hi-wdcA&n<%iT)UGj+ zm8#-KbhxVGM!|qp#f_@s#;AKdopx&%G066ny%$)G-Q>SXce_M*F3+dh3d zUTNLTZ2zt|Kdp502Qes3(LeRQ(ATaZ(4Xe5vRo#tO=9Jl1 zm0QPUYFy+(dDgW5c({Ig`m=k!{o{JGJ3q62ank)c;jF1JvPlP)TO4TcDQZ_eB5V5C zsvAOiPEFa1s%})osUl8qud3=sRdpjrtX5Sw{=BBM>PDV}3FpyMCS|JNUo0>9cb=8) z?KC>=qwQMvj=Apbyg!PFr{8tIf(RW~Nbw`93?hJY&~a;J6{&!(F!O_6H} ze^a)ykyKP^AgWXq-KdIgR7E%bysDxbf5xkdZv5XjDP?wLS7xR3#-}HJEtRKDEAHl5 zo7?>}dEBjUojgO-++R<4(G6Vr0DH)UqnfD3v3LL5OW6&L!_75x9$_Qzjl1ZEu>sjs zslW%Ay*4SlDW&L!V#-+03uBf~dpmlI&GhDX7v-rqpS%2i*jkP9p!$s3l-s8dwfolL z;q9-bM{t+kbTKLCw3gm~UeS%i_WhUC-01(_ah2R?5wA-_52`wojUJFl&_!)3dMpo+ z0-1HJ3_f z*X(h|wY?c0J{ahRH&E>$&p}~$3Vd)Ecy0`nR*>aDvVOfwOG<9Cx+rUOe0Tld?}NS` z!Z%_1pJA0L>3H<`52;K=Cf0uW>hOpB)9KtZv)*pDw`&L2znTrHF6T~SIM_Y73$=KV 
z4i_ei32eU7Qo4xe>!0J+RrJt>=le0PkM%9YU!c>~G7l=f`j6;<>?a$*L|zUTSH>Hc zUf6!6Jb>NF%}ee#`Ps?w)$hIClZ(r{O+D!VM!_}8dT1-o3d57V03{ifBpJQAvNk!f zNdqts1fw8`sRpph8kF|*2O~$8xfx19X0B z>X$dQ`^C>vn}*F~z=~TYp{9fRKru>~n5 zQcDW_WZWk0X*_-s3kS?Rmy4+;#iysKGNd6UN&+i01T{BBktWR8VJk`)9}jbk&ad$ zT8(z_bB7xk8OJ+X!O8^yAz-4n_!o1<8r66dAar$h&9&v&25nMnlzf*g^c;G9u8B5UUKF>DRo_5NO+qVEI9U*Wo-UaGM zJEu3>t&5w__DmNeX~^K9gtFv)=ytTS|dAK&i=fu(Hk~9N-%8bMB{I`*` zfrEIBkcup{o|+xWWKI15Z-U!9ODUzQL`IPa9P`WzC<9PWDG4?)ApRzx727c4&=wD< zphH9dF_c{6aC?$gOs+AMhZ>2|@LNjM!-W>j6qigxtKt|@PT+_9$j3-06L=*-}>?md}Wr6ZI zRlpLbD8SC!Vgn*ZRMabnN|i`yy^hxt47`~Yv4B#<6Tf``3T!nQx5Dy@Wj5FdVXQNjjvJ0eZ1or=&1*)vC<;25EVlM@ z5eV8~j*ASLCVWg^qj$ZuLTgH$$FVL^6MzSttgn`;8&i}{d_YM-z{)BmIE0WX(QSjo zDg+r_1I!ZwHa4CLoHH8Rgk$44D-qwX1Fx_$8oP`$rfuAo=K|a{ZW-QFzC?g|=mYX$ zk{m$Pav!%e0yBVVTslu~GMuLp&}tz3!rN&SkM@iR2jl_nE(c;@Jpe)_8~^}+#XNqq zqXXlWh&wz)fF(7!X^Pgi%!vW9G>(yUPKK-t>@H;tV(DJuev9u13vle9;xSJ#299oC zVnj;xBb#dog2nS=_&p?&9HY2Zuj2<=&~;QyV44m_?Zi(ea;HX{o&zYW{BbqJDb*vv#sRuTS?MYUl1^=V8Lte8qsmnhqOoJY;t~_8hn!-~@`WGMY3h zF|SDGN}K-4ch)S1ue6eA6s-ZCN2UbET#7N09$}U;TW}o7t)JBL$>T(B=AxL*O3VL? zw0vzHGy@1nASFOIq5COGL{B*hzy_Z#qvab7>CAwXobvUOo$~_H{Tu^igE-m}6}oC* zKaf+78X$3QOst? ze%=ap6IX(Bsuc%q9@>Cs1GcyPDsN(>YFScpQxRCOr+3jF5!~D51^3y-)fkF*;S|lmMOr!2K2IWLvl(VHs+fI(7_P^iu@9@R9H~+dMw^^^-!Q_s=-L_j7 zZ=bvgGQ4t~_R;MJ_~brr_8;xulPViMg!N>d)2XotJLTa+%*=3RA3Dp*EbXfs-f=s3 zLlye@MBXpF4V8CTlusNz@F!@E!bk?%FQEvIl(e2*74dym?-^PVU*Zc~c%#X? 
zqKe`UZqJV{TZdfo9eq)6pZMDYHQV~+>~V^Ct1_<&o+fTn%uPrANSRN_kv`xCp3~r; z;3Z}?+6TVIA|q91F0G?N%4ES$!{y)Qarxx-@$mWN=i`~UJzw9l8`p<>4-+4D!Cc@i zwJrrm@>FLgj>`sW#wXx%N~nbk$XgCYl^ijgi$0iER6x;1qn<06ej99BU>YjB2uoix z@)deMwhz|^t8X;+$4UDIs4z0DJF4&~Slqfm))+|@Hpu8saZklK9Wbgt>d2YLjrAsJ z-f;?ghNAOEwE=7yU!${>QeiyfTC<2^8@{aqWjOSAGRGK0ft!URih!ION(=IvDA8ZQ zOIal>`GcrdyeMPRa?tdoAq#_)-YJzB(R)G88>O`2)|7E5I{^yrjim?!+xL^Pc;s{; zU#WK`^7(XNJyuZRc}nvZ$@yu<$ibv3goB$h<$tl>c#z}AQvYI?++<1aDn{j0Iai`M zBE$yTU^~J}ViNnAEL*0jDH_#!rGGhB{EI>4?ThahKRXi57`|B?^I`)_)y_1PuP|DR zM6+e!J;u}`?2^NQpCtyATxz;Up28SR+-n)UnC}!t(J*C7+%wt%9D7fJMz~2n5kcdq z!-3V5rX-v%k#eZ9UO4qs)tJN>OC(ES#w?7`cAktH#p_QQhqz^mYDa16CJ-ObX|Evc z2mu7uwJUMOD1(uDmy`7-Vp5?OV2ZqNWHQva4!Tr#b05~`1*7nqys?S-Ij3-Gwf6*9 ztV{*PaQzGib{OVmGTSVy$?P2kaug;NlUn65Y3+7(=XPU%>u$E8t}l0f*B6!>8xxO7 z`9x`wFv*3L9dzZKsW9np!KBPcQ75J6I-^MOetAq<_|<;CR&!o%$c2;M)`NUp*>#hS zNl@Oj&%q=yPUS5tR#XNl0VZMR0OO6Ml#b8{mjo$pC@`yHPE(Ci13vx#>|I$`>Pi;= zE4}V>lU4KZC=TEND$c&RkU^120TsQg|9kHpQ350+fp89-6YpK!cLh>ZQdQrczwIy| z?-X&2wML?kk8nYC1g;^+=&5d_l1ikYvy@9M7>&SxgaJLN*wi>!RDvZ+3J#OC;kAFv znHeJPRJa2Z!ERj`6CiM0r@X!Jtl>k*SPKC^DLE=~)7gk|S7PSzGvCiYewqkNq1~9w z^g!-f7{NHUeFZp)y)71)3~W&@gp^>?x#Y=;PvL3RtcP{}Nw4 zz7}0(_KNKDlkVSKbso#MFE5+4Z*~)vnXAarv{;VFuq_DseAyH+wlG+tjD?vDYYSO$ zKeY(V*ntjDY}#g};22E6u>4>yl<_3DZkoLOXV7bW?Vi<0%?$FfA^j@6C5+%rhJclE_*aNpxIyO#(Z-cO3d=(uxubUhHa+2_ka<)n6TdPWLE zb-W1fB*no;oH0xU!Hy9Q5tb8|pHX7 zte^eJKEIb3DL>ux_VsA#MDFLXGH1r<%j+uy!!i=erl(?pd*&-OGw~M>>W1wRpHVap^noy3Yn zD+4M3Q>aU!?k|TrWG+OSFW(xNr|3wh`}c=eS<^l&-(@?Q`?ls$Rq}wE=jv8bG zm?&mSkuF8LzYpmGgX#=DJW6ou%d*^z4t2S6_Eze*I@f3KwPtt!p;!7W=YJ>EMF|iX zED&&eRv|@-9LE{H6Mc-*UrdjZ*g3s_qd{F@PPB5ccPC*~31O5mi$EQ6L|d&r_xdAU z3S?^xWPuwYf!j07VbPMe|DJ3j;R&WqTeAT53VV0?>Ugc_z$XgZTl@5G>+Hpf{OkfRHBiAmLGb+lsn(Boi6mbCd4AvwG0qD0P9Zx$Hpa4JtOi^UD^~o-pqXv$E zPr-IqREPG(NP%yCfiDxd6B4*RGrNc4A>Wes|1RhYWOzU_V2a%|{gAI69r-G)Yqdu% zcLgIig{}H^r(x>r-XM)B>)=*F3CSsElYKQ1_>8s!8+K{I*s`hJLBPixZaKD|HcB!o z{2BnkHwf6-n9T&bsaN+L(eg;lQCB8~z0HNam>@|UMTO*mb8vi-!+NqBo;Xw?+oi>} 
zq)4G3p+AB{xFkp(N06aF%IOioq>xxB&k5B?mmXn6YLONX6f0PIJ4I2CA8V|3H{2?V z{j8#}WX_!PX07FL!<0WUJp&1p63zA{X~B}h&_(=jFPD;upUmsm>AgeB9f$|wiB19eGkG zVf>93vZi=8kUs&GSxqfA{aB}7ev9~R2*K1{=3mO*i7v#Oozk;;HMhI^z1!9G!a@18 z@w)Cpe7@gC3%3Ok2N4PKaZX<68n|sJ(v7%1?Nd3vv2r~1+suA@N#G0i+n`5+bL$U$ z-RQuVf4jXX?&#fewcIPI-Rh8^_qNv^_(J?P8s#cBqY=cwQC*q+l8EC5G(k{5A_V7B z=v!atOFcJ!-(C{@0zEg#jfE^xzQMZZ=-Bsm$M?3IH@TX;8uUe*H(&W>vXtw;+;aoa zhpnP0EHdc-a#i_P33zU>EtA$H)%Z3T_EOKyI(u%go2Dd;^YB8_srysU&5|=*mFGq= zFk+-j_PI`;o1nfaU~L6=J^(3>RGP%EVx&Z94ByRx*g9|TkZk$*Cc|%Q)xEu9?pKNN z#fow*mkt~gDZm&d*fVTGif5Ry4u{jH85pVrL~L-*O@zKFgI>AQe=hex(#=Y8D;!GU zd}0S7bgxxD|DE|4OSTg^vTFb{^_%NGj(Ej9Wjb-j#FN zz4yJ^(O$dPE1s2Kx(SRc?)Bbw>2A=>bSvjCRkoM4d%Xn4-6`J=8*i$4{n0G!=Ty7h z9vrPk;LHRN#!%dK2)SOv4`k-(GdI9X0L%J0o&HxfC4Ti@qXrnDLk)oi|LBhvj%G)32)A$~@tAQ8>~_KoDEPRf zVZ;5x(URu8TE>tF1a%f@N4O0&;2%F{V2OwrX2fpgX+OW6E8ShOx5mqDZ@VZK>eTZK zG2Nw3;b7ESSXL@0oq=wDH7*PosTPc7FVE>>-oPM2JTM_9P~9gE68x2KcOWwP6A4l( zMfI<1eY6M`XiH@DU z+xP0nYyIi0n19(Wv-d7owq&!hlVZUrAq)dhQb@9F5PGH9Nr{H%fb~qV^XpoQohf#@ z-(DGZA`dlD+W1@SHad2aQ}tHfyD014?%C;c<*>4A4mKP+ll8)`7CHsC-(*aNW$>iX znL=j@oryrFQrt*JjbF8XiEKrO&a2asxEwb7&&@%PtJ2jyIrz9;bLiB{k;W2gB=$cU z|M157I$f6np;UyWe5c5nB4>)6i6EyGlo{nM74ahHc68+Y99;0-lc$^Zu+=yf>G_qlTsqP(UJ4)Z1{2fcu}}-77ve4 zAI#Q)X>~RlIXB7E>1GlGuB6ub=vs=LDRR2sUKMh3p|n(#`Kz3{=)gHt$ETlXuNU{` zp_bdO-_+&hmELIJ+$1-rqLf-}%$EY^*R>QlQ{Z&Jy(Dnz>8n5W-I5u@i1rVz=c5DX z2Y-7%Eat1F3LSpRi`!RvN9$`2oK`!GVMBAn8Ay-cl+sB7zA4pMWzXS1JXPABvao=p z;&GLjAOa@LQe%B|?e9d+z`c~f?eU>6Lz%-3W_d%4@!PI|-fQH&ES{PR2Zql@p#o!Yv{(!oK)?lwN( zE{E@juTSePzPUq@5&*0oOU<~o`D#2yL1lJH*gcvUWL8XF?cdk_PU*c$yJtDO9~RKPdVgyQdODQu>& zxh!l_Fbe{4(^>*HLy)_u5FIyf_p^hO&SAUPd+V{Ii<_goGWY9^n*fDqI#I#7P)Gwk ziJOcev!s?B1dCFf5ji!pV1DN~9MFO~N^+wKY$;0!mt&oA%W*ht)x;C9$1Qad=~EQa0CrZh)7EKgg1x5`-Gzj(*^Ta5Eg;@ zV+G?;WI`~^8c>EOSCql|fZd}QED+Hq0!b#WrxLK6EOYyKOb(}E`v}kov@ve8fKXmR zcgG1LxPeENn36s*o`Lgc-47&#O%h>x^9}^F@G6iGRA7@j!os;D$#1=Vw3&(9BVNOv zpi8}+(P5K<7ytt;#FA?_LIVafgK1a~$Fe(K+^sc(R?BVtxx>Xq#$-ned24Fl@P48Vsko^*K}Qa$-VtF{^{?0 
zYy835yf;1^po#ssn2Di`!vlx8m{XPik5>8TY5+^#?qd+d0<&fB|2@RZ*yAP$Iu*4- zq5k0uou|>Ev)Rf$_sbtg*}{`OPZXRG7CJo* z8Ufgns5){^nV8J&n)!6O*;zmj?e;7M%ZCXS>O7tQ@+fsInt;ZF24Qpr!)QQLjHfNnLQ>fMnZ#$5N&1~-5?<5UO|{&X3z=W+6A|(P)@V} z!R{%E3H-{VzSTBahT@}$~Rsy%)GQ84R?LZFk0vv)Qe%6Z2yZ6ZF6^1_~x@J%>z1T+}GjvTE=Tt9N*iN^mOKWO5(q+xsIH;Ynkjmn>)4GhhXk|i+@CuhLH78n8ftu zF`Ff5&D_#}re{~t6{dV{AbO=*D?5;+CwuM7Y^%8DB@bZ=6CrTwK%vyczz(u{S&EER zdYC|yFmPbB2n*<^3R9{uegB2nhnbOq$dzHnFFf>zLH(egg0BlXCdjcnmC%Qhw>CyXV0Z(is%5{ z={maZ^mHW5*5%cC^W>rU`X=~xYxl6c=DJf@b`u;GiY54P{y<`T8l@-eY{D8pWx;5p zL|R3?IqW~m6MRP+0u}|+(pBweO6`#(4Kxa!#^*-YQspU%@`TlphGEeU7}JyJNx=R$ zQ~=sh+*c-&_um*!2-Q|;urAdkcNK+=E+p8nL>UXBEP^hQ zkw#0dG0l6)31X2Jya>)2rhJOq7?%%1sh={09Ll|zjM z*$=W(fxHft)Cs?;u$9CLN@}EJ6ij&$uH_`X)#k4xoCTo(;RQ0lBU8kNcufMsOrZb4 zu`$HI@ZmPP;J-b3D7+t?(!$H0dLA5=pN(SgYcBYWh2 zhvk#gV!pZ6rR~jDmy(V#)oiU&^C`1WB#W6zK@C%B4cO>fsw+heF#!r2fiz2M(r3MR zgef3Na)}6&ZxZJkMVS2Ow`hbZ=>07kVG3H|-xFX;Y&J>1tz;K-Me(JCPD0WrHEAeW z2YL<51L-xSAq?4f{EO$S(bcA#yQ}NW_8^;o>0g)MZ{MG98O#1EwP`VW4a?vtFr@TB zc3JBo5E#*GNZ35E+}tAd1(m@p&PJJ+-#A^Y3v@ciN7{Os>hrWPXL==L5m zjdCSZ>GoSi5NqRObUb^gJbfO} z27S!7@2+l3FMF@DpIHRYrpwRAc-F=BO;$M~V8%$HK|eyK<4HW@7CDVUwYEefPXY^0 zy`eSyXTC$JUa!l#^oze?5Lplb$~d)D`0juX;UIg)BXPb3jY8dwJ#q* zHc@t5Af5<%IFS>ADMq1$d09mHZ{;>KkO$#W_*DTRzaDEW!z&$0=K zs1x*%ul4fvv6!8$-C;V5VoP0$FWId0R4&$KdOk1R98GR>z+eY3gt?&|z+eY3 z1jCITz_6*++W`z8yPF-r@R6(k&;8#IaDKh{^y~2u_>$=xJNmyctec8G^+#z{ z$;a_1@_P{TLnd&!)0$7rN_z7zUvK|zzwXx?zeK6cr~eLVVUYK5cLA;&A4cKvVVvUU z!%^p6KagQ*bdip>inI1!@!@NnUukj{!%TobZCE8l2-vme=sY%c@Cy6SVEFto5_l+ek1-1*F3hC?2e4bAJQoHg)|drxlg+I5FXH4;<`D< z?Lu~yVIqFpB}>$*96X>&M-VBbFzSG!uiw!hK;x#u2!01?>THF7PxQ~?nO5*ZoO088 zmr<#_;LOa2CsYtZI1n(eseOcKqqJH$+s8>3CW!zXV@BJ89Z6kc?jJN`4u!D$M|FZn!vlreKA&$Ki0FuVaC2vgYf3{WnZ*hI4~QmvrMsLgBk>Uf*VEpzxO=uBR9 zvZVNCI<6La)mATNxtr&kyBs&h1n+_6hv*73HEcZeHW z$J;vI!Ej?8Z|itl$NQ%`-dg!j#YLuu(yx8gEIjA$o)=ZIn7q2EKQv>7yMDCWs;+)E z=SOC75i{OKOF*x8D1W!p(mH_hZ(OriyW14jDvCs4>nO|lkDBvayW8XHP}u2bcTlsoJb0!Tx&BR|SSoi{g~(FfjUO-W=7;TfOHLiG_%l;iz^&h6rzwi2 
zW*(Y=dY|LgIF|3s zTGu&rojuS09=!aJ*_}GQN_@A`{q{A#-sD#AG~~n#5*v`wk?dR~ z?{jGea!pwz~3YHHg z%v3adI@2Qe$Y?jBt-~W4Ys%zlsXiM-#;wX@ znz~@(@Qx@#R3S*c5yjgsH+5j=2yRXnJfG{L z%6*^TU~~JfTJzXmuRG$IpX3Du-T zdE-&`2$~n&Te+AmUp~d6RE+Df%KYl?@~m>ZKAQCH*yS#3aa)T!#0{;*Z7uF#xUm+u zwYaUt{X;Eo0IPRKBOCGq)WH}c2fzY= zf`2{tKR39s##|^f9LX~N|DOAujNcmE9#@A#PJe^jweL5DU(-YrqMmm}0A}H#vvJ=R zi_9WX>}K?+lkJ^eq#yf-ZEy==CL{suNJXiM{co|;INThN6&csrh=1>(=O-<0P5{G! zZ2<@>&3L%3-`pg{*sa-n1Lo~279XB2*R@!rzPKF0$4aj6e-B`O$lHCP9v3cKne=^=rFFEFN(qYYyPeDIVN)vj@WPS8=p7U( z%!yZTOioQ3T5e?RLoOBKjB8DUCr-{9wKF-3<4CtyiQU!Pkq2BXxiO$0U#QA3wN7?2 zcdJIRl6qu{91TbuJFBufs?||L+|cT%R!0qn8>^#Q9o6cnKUGJ?%2y4L1OSM;39_5? zpN1#>y~^S?5kKuN<~R5;w!WOCI*mhbh#y4yO>azLerX{Yke~yu6*8QK0V@bRJYh-y zQImcvrFvW)3Os$KR7m>$z!OuUA^afXjh?CS=!p|^d=s5VBi%@gl0lhWSMuq@mQt}f zS_ahG^rEByp_{$$o_k{oi7+fE1kn_K>gZWeZ%l16Tp-g#3nfGL#x!TKnFxf;On)A| z6&JII(`Mm@Czox^SF_&(nIG$o*%-B(WY1FK{{DV;vENF<{hzQGS~-kRGZ~mjL+3ZR6@UkYj1U3>GQAPM?u0#2 z6ga(r*U+3vbElSPHKFETVjPM5{gZZ*LoS z>pU)HQ}RsZPDhuG14lHilmloEUpp{9qwZ`Vnh*~Bli=n-IhPynY>$X$ns5RfX=ExM zj9cx2Xw;F|$RS))*e4ztBgLj)xh6sM=NBN_K8l7QuQ81TwSceG)jZ(jwP*+fJ;g#j z7y5C^nEO7zp=ii|*_y}Jg543&eEZ}m>01M7dYCHT^sO8o&gQx1G#U}J_WigyFXPlD zk4?(omA-xO5TP(;k~SF{urNquH?lWI9i)M`QK^VR?+i8|UEN{qT{PReX0LuX0}4(B z3#4YbUNkb3v=Z%IM|@achWML;Qyt;#gyUPsfy?Q>3J4 zUle?`Lob0dbwP(bK8;52%W4{{)iRRsx2^LHSk211p!OL^MGcB-|xyRL^;MLbM$H-qo26QpKCB3IB;hXUAiXVFy*R|aF z9nRjP$!s}$>L<^?3tm6iM~@N*NQ;J0si=m$WD{PI!!hJqW@w87l=ZJZ3L(0@D9cWGkiXS^Ij_=$2c(c+LXq>%01hpBfh#Ok1)@rrEaAUPvtJPYq_J?Y< z1o@Ai$5c~-VC{RS1?})@K|DDeCmIj)^W`93Kg+~!60-{a*=Ye*4uNG&AY~`dlQewO zf`6~oGQk-~!40f!TJZAR?@SAE!Z_NE@f(V_iuP4qU3$8qk%(&nYEjqOUjktJDezKBfn{WI*Qp!S%CBEwE41O`T%} z5DuxEOB8-btQ8C)fg}pjYRA{}NTYc!lkB!e$ckJH(?e+i_4QqSM5~Q=TvNinN2-1E zl3!l*M3mN>Prn*G&pjQvPeu7~hxT&u^Xht(Sa!+!rd-KZ3#V7fo4umOS4>Kxj(~(+ znbw<-E^fevL=ICL7%RdWNiM#yMu0gKC?G|UVsZtX-^=4+jzSWUjzhA?ArW;IVf`Uy zL_sE_B@b#i_l+p<6;%Y5ZFyWB@n1vcvAueBq$K|EB3-kswwxe^Ib!Za!woMF;o&8h zUnW>y#xsxYQW<_ndZJL-}zuK94sKEK?J^ZY<>)vi~PrBHgHdn 
z2ISCGN&l07|J-C2R5GbF3p)7scz%Djh;W)m?YmqBUuPehjW=Dz`@`n!>}nwv-RvlL zTd&n;dHrS#Y^Tgy@piEuf6VtP(REu_QJo%5?sMb-WIbl491J(sW40c% z^_YLG$Bg}Z1envedQfC=qvBcdE&kC@HtUyaCp4&PI zb;t!l5K0slDzM+1%?nrTuy7_2RoY}%pFxc;?%hNnEx|aj zNV`^ej1s;c&!^qh6CLw7Pc$Fg2%t(2iwm;Kmw-W>uIlVbs$A{&V92p^GON{Etv19B ztyXKb+F-b`TCLS;tycR}wOaV(zFGp2n!KHY<4y~97-5>4RcC25@71E2Oe~enoFy{F z-VaX;um)fdfU1HkL8Uz4f*@tOPiYm{CcvfzFVFqXw7^QW9#@Bg*LTJp`AW5bDw=TV zeLjxtFzu+l9^5P!!`!^RW~sq+))$YL8^G}T45Ko*PUD1YE1fC6bhB8C%iLYbsmLGbsd{oPJW>j2unam`+B zWC0%nlVCByvi_rH{njP+xH=Si`n$yM>am;w+4de1Pj+adB9f8Y%VA5zp455w@j?$P z*~k4hfcpZQm|=%PkcQO)9DB1TujURUBii&-GjgqeIZp`1;$8@vbNXBZBiBLN7R1uMNvGjY;@?!>YW7hcJs4#5Iy5q_Hw|l`p zuf8u^*cT=sGxUQAW-=9yygY1Q^k6=VUxN>5hl(&g8^w z!28Aww#ENOlg@NJpR_vDlm6&r*6W;{HBL_+CgZzKYv%YM#<0_!eF0wV>8*Y_yh!3( zA!z1c!OF#+T^r~QCxNT=IVwaek(;}_yGXN{9$wv?E)N`EjEm|piWpOZ0}l`z07HRv z5~j@;#PwV2e6Iiln}re$tl6j+#9ieV9$+vMrVV*e3TN@fYtzF2PEQ)6_Wwp_(d^4+ z9Zzl>qyGANFCPG~?D8Hzizt6onP#-skazt~`Uzj5{8Fb%PcGW^0y`5xv;X$j+u*IJ z0}EAXr3r_)xpCk^X-5e5Tz#vNhIC+STTtQ{eF-V4iRm5h5q7a~xYAN;4k(5-aaBTZ z@Awb7tsAn-zs;q*w{$Wxne`rY>gKARYshScT|Goc?lj``yxi!hQKwZe&QIAa-){Au z-pDqe0|j@$NWJ-B?;H(zF|1yXhWu?mql}M+TujLo$=KGjFM*6ohOk2Japb-cYZI;B ze4NkY)yIOgmj3lRQo|Bg?i0-JFMWrjTeaTmZctJ(DwF-hV`o{PM`r5-kJ11i4pp4N zHpdDh{rb``K*G(Kb)vDcINmu>{+Sq!1)v$>##;cyQH*-TXfyR4ekcgy3}P{Mz0p5w zn^PbW#|{vHwd6<8Sa#TAK-lFGF= z`QO368H`f6P>c8PR@2K7pN&_IaeKc#;`gpV0-8D;YYKFmGfp1Zjtv~7_BjeVeY_ZEXs22o^Ztb_@UydQ_aC83 z7((!+VDq6EZH!{y7!9eJ6sGdaYcuW8Y3J!8nV+asVm8l4qxGnW-VRRF2OpxTqlAD9 z6_eaOw)$l=F%BynVTjY5qAv>3h&vFSITl(-=`H35hG=ZgN(dklfpr@Pw3~i(jQ%gr zCI28YZ@u!j#AA;Ak5QX5Nf=A%jUhYm{D!WQWv@`iovMs22hrpp@)SGtfJ~mfIK;F$ zPpCGvIP73-YH5(xkSf8|z915&TbFNH{yrkIfX^X;=Lco(Pm656&SsqCyOY*3(T?Bz ze|uNf(>Sw4-}x0+^B$}B<&m8b0yiwlfJQ=r1PEIgc96dReoy&hW^5Cu4M`xwH5v&i z_B4*Ws!pA%?$gVygA$S7g2-IvE>E(wXi(U}oiknBmkuwxdk;sd)mYuN^^LjO&Gz=m z`P2h4wZ@Q=NUvma0r!hDvB-NaBm*Q1q2!S5l%pZC8UrF5=4d;4unsm&-t+|!S$-NK z%kd-fkob{*YBo30S=z%nD1eya0c5k&ys7NWoz^O{xwCLwZ=Cw%ncGttK#YbB!S5K- 
zVXuwM6y2nt#k;~7?G$M%*a>yUXaRtd&eI}XIcO(#xG$y@(uuM&_Uo=8&i~`vcDH?T z^Wz(JojSdvqb@C)dR@T!ae2|cgrj!;bMO>*peX+25w$_}E44<}Q_@rk{B*T}933!FjUc*h2$BHNXWU;uP=$iO0Zg#K8n zs$Oes&B-wrt`|38C7zVs0zsq6dgk1&9UaU+ zcDu{_Tm8Ew>q~@9Hi&&b!s0n36_N&KqHmBgT)n^AytzJEf845`K3%nDzt8Ti+)g>d zN(J^wx+dBSFJ5J$DiT~+kYMSkhddd49ZOHk;ZtUX3?-u<=qi6TzW%?pth^eMf^(*l zdxR6=VWoI@Xx1vNrM2pLx86U#yXf~GcKF8qbVI2!JhI5Ijdh+0oh7ogKT6dzU|4o*+>9t`pH{^oe=_P@K;rTG#{6Huy6?nW-~H8O*oqE5BA zuRQNRULD)T^^>3S+3WV1I9uMUOgWTl>I9j1iv_~2vRSSwBIAU|4aSpr@Px2*4BaRP zw#`^r*7E~hkzV;>yd}kO>H>kTT9;qQI*NaW28V-ld^VuZWFkqy zM>2_jT<`&*VaPqd_IM%_qE&FgwPU(fT|09}%j%%ft<)~uL*=-oKGydoG84^{7GA1g zyyI>XP7`##CxG8*{FYf=HC$vi?jtkUa8N_2BIuxK<^|JQ!xxybnE~;c5JFm#!d5ms zAZV&kjwA8V_@!Sd$#IRLyf+G?;k$&D(Kw4FEL}3~xa1g7PT`2i&1t)c@SHnO#jMO* zMAEJq5YQ95*P_6PlJtS4m)ud=DJ${EB48jUOF3(d5|)Ptq>RXu);U++bN{FMO+PGB z9#+LMAgzf*QW6$%!-$BI@NI@DB}tknIU+2_(rS0_1eJ6|k?%ZoKo>EmDPV&Id1uup z3zpBlE0~SrOo#17M_%F0Xv}iFs4T6g=BQo8NnTbda?1jdi&Jk8 z3>!hzCeE{>AAy*Gn8s;wh@p@X{<YRXQ}!o#1m8tM%<(=DgbIi-BKVU+ z4T&woV7wA37ZxHSGDBGlz1t!dgVfSEhFA?EDblKim|bQNvGB)e%Zds62kl*l^;zbv zATfI9TxLYtRY9I`4NVW^a98MBu9IFa5jdCL*mIzEZLfx4z6K+3bqO0CylqTb4*}73uy!FO76RVx;cp10uVM?QzXTgHz&;qkh>wT4m!8feaEOc!us-7J zdv!H99^$zo*>Z#=n2S^?bD^t%ddW3Iw15c)$3rM3)pa^qz!Q&2g+4ln2q+I0!yJf% z3qrYzxL{H#Fb({5<1;|X0ia%J>iJu#gN|WHOv?cXwIj)Rmx`mfh+Gph?&7c*mL^6N z)ug~?U?a4$AgzWPQH_y~)&nNP?p%0c@of-FI0pqrKIC0`A|j;1noeb~%rg8A#;CC* z`!mVkZ|3=m<*q3e9CMH)hzXisdqWA(bPpCb+Ou3d&+7B5Uf-|mR;Qfi1F#X#IgkzM z0rMHnH_LPc_N)=LXg!M`ZMn)){PUXUn}`Ink>-)ED`N?9zTY&TZef-VJAgHkvT~N? 
zTcZ?1SO_ggFG>CvBKg`nOHw8Tjnby+DX5yHJWt_mONMm12+21Z;LH#xVPS~nX)=kw zhk0`h5gU0Ucx(X$`iKFh5Ret;#7q@>6Dx?ZM}(s$$_Hl3Yd zIw_wgT|g^Il`c5k*zGMan{WxvC2|Cid6M@;zVbH!w-LFU$&eb+sRB7iCfDAuHM94# z-+XF|ji<+_=HboeZL_^xy_|CF<|e`vTJI3wT(;3I;4PdMtH-A)i_se0iXFn~CRL$# zLLdmr;F__!t-9H0H5$k5`Q7UCjurL8)6NGs=NQ!!OY9!;?y^8%7U<*4Wr4md(3b`J zvOu34uq@CI9j+|Uk2qdgpwGV=9Iq_U|Groj=(BgvB!9n|=WCU_^P1B^^p?rNr?RXS zr}-V%sBNp~#l`m1&#n1AdBtK0;!P4y$iR_R9^udLGNUk#2|R_T9VEUWa{yJwQW-_G=1{%SnUDR*~f zV3mHOIMaW8Xf}5me&e(^-|sxG-}iaz=6cGRzOcw&xTE+6JCsS$mze33E)B3()A5Sh z$^7+rMVS61%k+w}K*425_OayoUx??IRr<0@KWwcphkBr=`!<@J`f;x TV|lQDX8!pfu*6e0RiqC9D=g#y literal 0 HcmV?d00001 From 35441cf8ae2b82c5ca85d30c0122b73aee379da1 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sun, 27 Oct 2024 11:14:29 +0100 Subject: [PATCH 62/94] GCVE stage 3 --- fast/stages/3-gcve-dev/README.md | 25 ++++++--- fast/stages/3-gcve-dev/gcve-pc.tf | 55 ++++++++----------- fast/stages/3-gcve-dev/main.tf | 19 ++----- .../3-gcve-dev/{output.tf => outputs.tf} | 27 ++++----- fast/stages/3-gcve-dev/variables-fast.tf | 8 +++ fast/stages/3-gcve-dev/variables.tf | 24 ++++---- modules/gcve-private-cloud/README.md | 13 +++-- modules/gcve-private-cloud/main.tf | 31 ++++++++--- modules/gcve-private-cloud/outputs.tf | 21 ++++--- modules/gcve-private-cloud/variables.tf | 16 +++--- 10 files changed, 125 insertions(+), 114 deletions(-) rename fast/stages/3-gcve-dev/{output.tf => outputs.tf} (67%) diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md index fa27a5f5b7..0dc9d0d649 100644 --- a/fast/stages/3-gcve-dev/README.md +++ b/fast/stages/3-gcve-dev/README.md @@ -22,6 +22,7 @@ This blueprint is used as part of the [FAST GCVE stage](../../../fast/stages/3-g - [Running the stage](#running-the-stage) - [Files](#files) - [Variables](#variables) +- [Outputs](#outputs) ## Stage configuration 
@@ -147,9 +148,9 @@ terraform apply | name | description | modules | resources | |---|---|---|---| -| [gcve-pc.tf](./gcve-pc.tf) | GCVE private cloud. | gcve-private-cloud | google_vmwareengine_network_peering | +| [gcve-pc.tf](./gcve-pc.tf) | GCVE private cloud resources. | gcve-private-cloud | google_vmwareengine_network_peering | | [main.tf](./main.tf) | Locals and project-level resources. | project | | -| [output.tf](./output.tf) | Output variables. | | | +| [outputs.tf](./outputs.tf) | Output variables. | | | | [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | | | [variables.tf](./variables.tf) | Module variables. | | | 
@@ -160,11 +161,21 @@ terraform apply | [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | | [environment_names](variables-fast.tf#L32) | Long environment names. | object({…}) | ✓ | | | [prefix](variables-fast.tf#L48) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | -| [private_cloud_configs](variables.tf#L53) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | ✓ | | | [folder_ids](variables-fast.tf#L41) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | -| [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {…} | -| [iam_by_principals](variables.tf#L27) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | -| [network_peerings](variables.tf#L34) | The network peerings between users' VPCs and the VMware Engine networks. The key is the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {} | -| [stage_name](variables.tf#L75) | FAST stage name used to find resource ids. Must match name defined for the stage 3 in resource management. | string | | "gcve-dev" | +| [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | +| [iam_by_principals](variables.tf#L24) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. 
| map(list(string)) | | {} | +| [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {} | +| [private_cloud_configs](variables.tf#L49) | The VMware private cloud configurations. Key is used for the private cloud name suffix. | map(object({…})) | | {} | +| [stage_name](variables.tf#L71) | FAST stage name used to find resource ids. Must match name defined for the stage in resource management. | string | | "gcve-dev" | | [tag_values](variables-fast.tf#L58) | Root-level tag values. | map(string) | | {} | +| [vpc_self_links](variables-fast.tf#L65) | FAST host VPC self links. | map(string) | | {} | + +## Outputs + +| name | description | sensitive | +|---|---|:---:| +| [network](outputs.tf#L17) | VMware engine network. | | +| [network_peerings](outputs.tf#L21) | The peerings created towards the user VPC or other VMware engine networks. | | +| [private_clouds](outputs.tf#L26) | VMware engine private cloud resources. | | +| [project_id](outputs.tf#L31) | GCVE project id. | | diff --git a/fast/stages/3-gcve-dev/gcve-pc.tf b/fast/stages/3-gcve-dev/gcve-pc.tf index c7ea19fc19..d60d08db62 100644 --- a/fast/stages/3-gcve-dev/gcve-pc.tf +++ b/fast/stages/3-gcve-dev/gcve-pc.tf 
@@ -14,18 +14,14 @@ * limitations under the License. */ -# tfdoc:file:description GCVE private cloud. +# tfdoc:file:description GCVE private cloud resources. + locals { - ven_peerings = { - for k, v in var.network_peerings : k => { - peer_network = v.peer_network - description = v.description - export_custom_routes = v.custom_routes.export_to_peer - export_custom_routes_with_public_ip = v.custom_routes_with_public_ip.export_to_peer - import_custom_routes = v.custom_routes.import_from_peer - import_custom_routes_with_public_ip = v.custom_routes_with_public_ip.import_from_peer - peer_to_vmware_engine_network = v.peer_to_vmware_engine_network - } + network_peerings = { + for k, v in var.network_peerings : k => merge(v, { + # interpolate FAST VPC ids if available + peer_network = lookup(var.vpc_self_links, v.peer_network, v.peer_network) + }) } } 
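Review bot: The `lookup(var.vpc_self_links, v.peer_network, v.peer_network)` in the new `network_peerings` local silently falls back to the raw value. A mistyped FAST network key is therefore passed on as if it were a network self link instead of being rejected. The first place that would notice is `regex("projects/([^/]+)/", each.value.peer_network)[0]` in the next hunk of this file, where `regex()` raises a generic no-match error that does not name the offending peering. I would document the two accepted forms next to the lookup, e.g. `# peer_network is either a key in var.vpc_self_links or a full network self link`. I would also check the resolved value with `can(regex("projects/[^/]+/", ...))` in a precondition, so the failure names the peering key.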
@@ -37,31 +33,26 @@ module "gcve-pc" { create = true name = "default" } - vmw_network_peerings = local.ven_peerings + vmw_network_peerings = local.network_peerings vmw_private_cloud_configs = var.private_cloud_configs } +# optional reverse peering configuration from the peer network projects + resource "google_vmwareengine_network_peering" "vmw_engine_network_peerings" { - provider = google-beta for_each = { - for k, v in var.network_peerings : k => v if v.configure_peer_network + for k, v in local.network_peerings : k => v if v.configure_peer_network } - peer_network = each.value.peer_network - name = "${var.prefix}-${each.key}" - description = each.value.description - export_custom_routes = ( - each.value.custom_routes.export_to_ven - ) - export_custom_routes_with_public_ip = ( - each.value.custom_routes_with_public_ip.export_to_ven - ) - import_custom_routes = ( - each.value.custom_routes.import_from_ven - ) - import_custom_routes_with_public_ip = ( - each.value.custom_routes_with_public_ip.import_from_ven - ) - peer_network_type = "STANDARD" - project = each.value.peer_project_id - vmware_engine_network = module.gcve-pc.vmw_private_cloud_network.id + project = regex( + "projects/([^/]+)/", each.value.peer_network + )[0] + name = "${var.prefix}-${each.key}" + description = each.value.description + peer_network = each.value.peer_network + peer_network_type = "STANDARD" + vmware_engine_network = module.gcve-pc.network_id + export_custom_routes = each.value.routes_config.import + export_custom_routes_with_public_ip = each.value.routes_config.public_import + import_custom_routes = each.value.routes_config.export + import_custom_routes_with_public_ip = each.value.routes_config.public_export } diff --git a/fast/stages/3-gcve-dev/main.tf b/fast/stages/3-gcve-dev/main.tf index 4992c53667..9d0ed4917b 100644 --- a/fast/stages/3-gcve-dev/main.tf +++ b/fast/stages/3-gcve-dev/main.tf 
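Review bot: The `project` of the reverse peering is now parsed from `each.value.peer_network` with `regex("projects/([^/]+)/", ...)[0]`, and nothing in the change guarantees the string has that shape. The locals in the previous hunk fall back to the raw `v.peer_network` when the key is missing from `var.vpc_self_links`, so a mistyped or unresolved FAST key reaches the regex as a short name and the plan fails without saying which peering is at fault. Since this value decides in which project the stage creates a resource, I would check it explicitly with a precondition on the resource, as sketched below. The same concern applies to the `network_peerings` type in variables.tf, where `peer_project_id` is dropped and `peer_network` has no validation.

```hcl
resource "google_vmwareengine_network_peering" "vmw_engine_network_peerings" {
  # … unchanged: for_each, project, name, peer_network, routes …
  lifecycle {
    precondition {
      condition     = can(regex("projects/([^/]+)/", each.value.peer_network))
      error_message = "Peering '${each.key}': peer_network must be a key of vpc_self_links or a projects/PROJECT/global/networks/NAME path."
    }
  }
}
```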
@@ -32,20 +32,9 @@ module "gcve-project-0" { environment = var.environment_names["dev"] } services = [ - "vmwareengine.googleapis.com", + "compute.googleapis.com", + "logging.googleapis.com", + "monitoring.googleapis.com", + "vmwareengine.googleapis.com" ] } -object({ - local = optional(object({ - export = optional(bool, true) - import = optional(bool, true) - public_export = optional(bool) - public_import = optional(bool) - }), {}) - peer = optional(object({ - export = optional(bool, true) - import = optional(bool, true) - public_export = optional(bool) - public_import = optional(bool) - }), {}) - }) \ No newline at end of file diff --git a/fast/stages/3-gcve-dev/output.tf b/fast/stages/3-gcve-dev/outputs.tf similarity index 67% rename from fast/stages/3-gcve-dev/output.tf rename to fast/stages/3-gcve-dev/outputs.tf index ba6f2ebfe0..5dfd9e1ec7 100644 --- a/fast/stages/3-gcve-dev/output.tf +++ b/fast/stages/3-gcve-dev/outputs.tf 
@@ -14,27 +14,22 @@ # tfdoc:file:description Output variables. -output "project_id" { - description = "GCVE project id." - value = module.gcve-project-0.project_id -} - -output "vmw_engine_network_config" { - description = "VMware engine network configuration." - value = module.gcve-pc.vmw_engine_network_config +output "network" { + description = "VMware engine network." + value = module.gcve-pc.network_id } - -output "vmw_engine_network_peerings" { +output "network_peerings" { description = "The peerings created towards the user VPC or other VMware engine networks." - value = module.gcve-pc.vmw_engine_network_peerings + value = module.gcve-pc.network_peerings } -output "vmw_engine_private_clouds" { +output "private_clouds" { description = "VMware engine private cloud resources." - value = module.gcve-pc.vmw_engine_private_clouds + value = module.gcve-pc.private_clouds } -output "vmw_private_cloud_network" { - description = "VMware engine network." - value = module.gcve-pc.vmw_private_cloud_network +output "project_id" { + description = "GCVE project id." + value = module.gcve-project-0.project_id + depends_on = [module.gcve-pc] } diff --git a/fast/stages/3-gcve-dev/variables-fast.tf b/fast/stages/3-gcve-dev/variables-fast.tf index afd625ba92..e2cb2388e4 100644 --- a/fast/stages/3-gcve-dev/variables-fast.tf +++ b/fast/stages/3-gcve-dev/variables-fast.tf @@ -61,3 +61,11 @@ variable "tag_values" { type = map(string) default = {} } + +variable "vpc_self_links" { + # tfdoc:variable:source 2-networking + description = "FAST host VPC self links." + type = map(string) + nullable = false + default = {} +} diff --git a/fast/stages/3-gcve-dev/variables.tf b/fast/stages/3-gcve-dev/variables.tf index 833e112c1a..6c66ddf06c 100644 --- a/fast/stages/3-gcve-dev/variables.tf +++ b/fast/stages/3-gcve-dev/variables.tf 
@@ -17,11 +17,8 @@ variable "iam" { description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format." type = map(list(string)) - default = { - "roles/vmwareengine.vmwareengineAdmin" = [] - "roles/vmwareengine.vmwareengineViewer" = [] - } - nullable = false + default = {} + nullable = false } variable "iam_by_principals" { @@ -32,18 +29,17 @@ variable "iam_by_principals" { } variable "network_peerings" { - description = "The network peerings between users' VPCs and the VMware Engine networks. The key is the peering name suffix. Network is expanded for FAST defined networks." + description = "The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks." type = map(object({ peer_network = string configure_peer_network = optional(bool, false) description = optional(string, "Managed by Terraform.") - peer_project_id = optional(string) peer_to_vmware_engine_network = optional(bool, false) routes_config = optional(object({ - export = optional(bool) - import = optional(bool) - public_export = optional(bool) - public_import = optional(bool) + export = optional(bool, false) + import = optional(bool, false) + public_export = optional(bool, false) + public_import = optional(bool, false) }), {}) })) nullable = false @@ -51,11 +47,10 @@ variable "network_peerings" { } variable "private_cloud_configs" { - description = "The VMware private cloud configurations. The key is the unique private cloud name suffix." + description = "The VMware private cloud configurations. Key is used for the private cloud name suffix." type = map(object({ cidr = string zone = string - # The key is the unique additional cluster name suffix additional_cluster_configs = optional(map(object({ custom_core_count = optional(number) node_count = optional(number, 3) 
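Review bot: With `default = {}` on `iam`, the two VMware Engine roles are no longer listed at all, while the description still only says the bindings are authoritative. The removed default carried `"roles/vmwareengine.vmwareengineAdmin" = []` and `"roles/vmwareengine.vmwareengineViewer" = []`, which presumably made Terraform own those roles and keep them empty; after this change, members granted on them outside Terraform would be left in place. If that is intended, the description should say so, for example by appending `Roles not present in the map are left unmanaged.` to the existing text.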
@@ -70,10 +65,11 @@ variable "private_cloud_configs" { description = optional(string, "Managed by Terraform.") })) nullable = false + default = {} } variable "stage_name" { - description = "FAST stage name used to find resource ids. Must match name defined for the stage 3 in resource management." + description = "FAST stage name used to find resource ids. Must match name defined for the stage in resource management." type = string default = "gcve-dev" } diff --git a/modules/gcve-private-cloud/README.md b/modules/gcve-private-cloud/README.md index 34d57edb94..0461dc8529 100644 --- a/modules/gcve-private-cloud/README.md +++ b/modules/gcve-private-cloud/README.md 
@@ -143,15 +143,16 @@ module "gcve-pc" { | [prefix](variables.tf#L17) | Prefix used in resource names. | string | ✓ | | | [project_id](variables.tf#L22) | Project id. | string | ✓ | | | [vmw_network_config](variables.tf#L27) | VMware Engine network configuration. | object({…}) | | {} | -| [vmw_network_peerings](variables.tf#L44) | The network peerings towards users' VPCs or other VMware Engine networks. The key is the peering name suffix. | map(object({…})) | | {} | -| [vmw_private_cloud_configs](variables.tf#L58) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | | {…} | +| [vmw_network_peerings](variables.tf#L44) | The network peerings towards users' VPCs or other VMware Engine networks. The key is the peering name suffix. | map(object({…})) | | {} | +| [vmw_private_cloud_configs](variables.tf#L60) | The VMware private cloud configurations. The key is the unique private cloud name suffix. | map(object({…})) | | {…} | ## Outputs | name | description | sensitive | |---|---|:---:| -| [vmw_engine_network_peerings](outputs.tf#L17) | The peerings created towards the user VPC or other VMware engine networks. | | -| [vmw_engine_network_policies](outputs.tf#L22) | The network policies associated to the VMware engine network. | | -| [vmw_engine_private_clouds](outputs.tf#L27) | VMware engine private cloud resources. | | -| [vmw_private_cloud_network](outputs.tf#L32) | VMware engine network. | | +| [network](outputs.tf#L17) | VMware engine network. | | +| [network_id](outputs.tf#L22) | VMware engine network id. | | +| [network_peerings](outputs.tf#L27) | The peerings created towards the user VPC or other VMware engine networks. | | +| [network_policies](outputs.tf#L32) | The network policies associated to the VMware engine network. | | +| [private_clouds](outputs.tf#L37) | VMware engine private cloud resources. | | 
diff --git a/modules/gcve-private-cloud/main.tf b/modules/gcve-private-cloud/main.tf index 7a95cd018e..08e4eca7b2 100644 --- a/modules/gcve-private-cloud/main.tf +++ b/modules/gcve-private-cloud/main.tf @@ -21,7 +21,7 @@ locals { for cluster_name, cluster in pcc.additional_cluster_configs : (cluster_name) => merge(cluster, { parent = try( - google_vmwareengine_private_cloud.vmw_engine_private_clouds[pcc_name].id, + google_vmwareengine_private_cloud.default[pcc_name].id, null ) }) @@ -39,8 +39,9 @@ moved { to = google_vmwareengine_network.default } +# network + resource "google_vmwareengine_network" "default" { - provider = google-beta count = var.vmw_network_config.create ? 1 : 0 project = var.project_id name = "${var.prefix}-${var.vmw_network_config.name}" @@ -62,6 +63,8 @@ moved { to = google_vmwareengine_network_policy.default } +# network policy + resource "google_vmwareengine_network_policy" "default" { provider = google-beta for_each = var.vmw_network_config.network_policies 
@@ -84,17 +87,22 @@ moved { to = google_vmwareengine_network_peering.default } +# network peerings + resource "google_vmwareengine_network_peering" "default" { provider = google-beta for_each = var.vmw_network_peerings project = var.project_id name = "${var.prefix}-${each.key}" description = each.value.description - export_custom_routes = each.value.export_custom_routes - export_custom_routes_with_public_ip = each.value.export_custom_routes_with_public_ip - import_custom_routes = each.value.import_custom_routes - import_custom_routes_with_public_ip = each.value.import_custom_routes_with_public_ip - peer_network = each.value.peer_network + export_custom_routes = each.value.routes_config.export + export_custom_routes_with_public_ip = each.value.routes_config.public_export + import_custom_routes = each.value.routes_config.import + import_custom_routes_with_public_ip = each.value.routes_config.public_import + peer_network = trimprefix( + each.value.peer_network, + "https://www.googleapis.com/compute/v1/" + ) peer_network_type = ( each.value.peer_to_vmware_engine_network ? "VMWARE_ENGINE_NETWORK" @@ -108,8 +116,9 @@ moved { to = google_vmwareengine_private_cloud.default } +# private cloud + resource "google_vmwareengine_private_cloud" "default" { - provider = google-beta for_each = var.vmw_private_cloud_configs project = var.project_id location = each.value.zone @@ -125,7 +134,9 @@ resource "google_vmwareengine_private_cloud" "default" { vmware_engine_network = local.vmw_network.id } management_cluster { - cluster_id = "${var.prefix}-${each.key}-${each.value.management_cluster_config.name}" + cluster_id = ( + "${var.prefix}-${each.key}-${each.value.management_cluster_config.name}" + ) node_type_configs { node_type_id = each.value.management_cluster_config.node_type_id node_count = each.value.management_cluster_config.node_count 
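Review bot: The `trimprefix(each.value.peer_network, "https://www.googleapis.com/compute/v1/")` normalisation is applied only in this module resource, while the reverse peering in fast/stages/3-gcve-dev/gcve-pc.tf passes `each.value.peer_network` through untouched. When `vpc_self_links` supplies a full self link, the two sides of the same peering therefore receive different forms of the network reference, and if the provider needs the relative form (as the trim here suggests) the stage resource would be the one that fails. Doing the trim once in the stage local keeps both consumers aligned: `peer_network = trimprefix(lookup(var.vpc_self_links, v.peer_network, v.peer_network), "https://www.googleapis.com/compute/v1/")`.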
@@ -139,6 +150,8 @@ moved { to = google_vmwareengine_cluster.default } +# cluster + resource "google_vmwareengine_cluster" "default" { provider = google-beta for_each = local.additional_cluster_configs diff --git a/modules/gcve-private-cloud/outputs.tf b/modules/gcve-private-cloud/outputs.tf index e4ffda2c68..e42d98ce1b 100644 --- a/modules/gcve-private-cloud/outputs.tf +++ b/modules/gcve-private-cloud/outputs.tf @@ -14,22 +14,27 @@ * limitations under the License. */ -output "vmw_engine_network_peerings" { +output "network" { + description = "VMware engine network." + value = local.vmw_network +} + +output "network_id" { + description = "VMware engine network id." + value = local.vmw_network.id +} + +output "network_peerings" { description = "The peerings created towards the user VPC or other VMware engine networks." value = google_vmwareengine_network_peering.default } -output "vmw_engine_network_policies" { +output "network_policies" { description = "The network policies associated to the VMware engine network." value = google_vmwareengine_network_policy.default } -output "vmw_engine_private_clouds" { +output "private_clouds" { description = "VMware engine private cloud resources." value = google_vmwareengine_private_cloud.default } - -output "vmw_private_cloud_network" { - description = "VMware engine network." - value = local.vmw_network -} diff --git a/modules/gcve-private-cloud/variables.tf b/modules/gcve-private-cloud/variables.tf index 4a18de6507..cc184a82bd 100644 --- a/modules/gcve-private-cloud/variables.tf +++ b/modules/gcve-private-cloud/variables.tf 
@@ -44,13 +44,15 @@ variable "vmw_network_config" { variable "vmw_network_peerings" { description = "The network peerings towards users' VPCs or other VMware Engine networks. The key is the peering name suffix." type = map(object({ - peer_network = string - description = optional(string, "Managed by Terraform.") - export_custom_routes = optional(bool, false) - export_custom_routes_with_public_ip = optional(bool, false) - import_custom_routes = optional(bool, false) - import_custom_routes_with_public_ip = optional(bool, false) - peer_to_vmware_engine_network = optional(bool, false) + peer_network = string + description = optional(string, "Managed by Terraform.") + peer_to_vmware_engine_network = optional(bool, false) + routes_config = optional(object({ + export = optional(bool, false) + import = optional(bool, false) + public_export = optional(bool, false) + public_import = optional(bool, false) + }), {}) })) default = {} } From 9140136d20b98a43415787315bc1b13f0b513135 Mon Sep 17 00:00:00 2001 From: Ludo Date: Sun, 27 Oct 2024 11:25:02 +0100 Subject: [PATCH 63/94] gcve tests --- fast/stages/3-gcve-dev/README.md | 16 +++--- fast/stages/3-gcve-dev/main.tf | 2 +- fast/stages/3-gcve-dev/variables-fast.tf | 7 +-- fast/stages/3-gcve-dev/variables.tf | 7 ++- tests/fast/stages/s3_gcve/simple.tfvars | 53 ------------------- .../{s3_gcve => s3_gcve_dev}/__init__.py | 0 tests/fast/stages/s3_gcve_dev/simple.tfvars | 39 ++++++++++++++ .../{s3_gcve => s3_gcve_dev}/simple.yaml | 12 ++--- .../{s3_gcve => s3_gcve_dev}/tftest.yaml | 2 +- 9 files changed, 64 insertions(+), 74 deletions(-) delete mode 100644 tests/fast/stages/s3_gcve/simple.tfvars rename tests/fast/stages/{s3_gcve => s3_gcve_dev}/__init__.py (100%) create mode 100644 tests/fast/stages/s3_gcve_dev/simple.tfvars rename tests/fast/stages/{s3_gcve => s3_gcve_dev}/simple.yaml (78%) rename tests/fast/stages/{s3_gcve => s3_gcve_dev}/tftest.yaml (94%) 
diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md
index 0dc9d0d649..7a1705473b 100644
--- a/fast/stages/3-gcve-dev/README.md
+++ b/fast/stages/3-gcve-dev/README.md
@@ -159,16 +159,16 @@ terraform apply | name | description | type | required | default | |---|---|:---:|:---:|:---:| | [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | -| [environment_names](variables-fast.tf#L32) | Long environment names. | object({…}) | ✓ | | -| [prefix](variables-fast.tf#L48) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | -| [folder_ids](variables-fast.tf#L41) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | +| [environments](variables-fast.tf#L32) | Long environment names. | object({…}) | ✓ | | +| [prefix](variables-fast.tf#L49) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | +| [folder_ids](variables-fast.tf#L42) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | | [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_by_principals](variables.tf#L24) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | -| [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {} | -| [private_cloud_configs](variables.tf#L49) | The VMware private cloud configurations. Key is used for the private cloud name suffix. | map(object({…})) | | {} | -| [stage_name](variables.tf#L71) | FAST stage name used to find resource ids. Must match name defined for the stage in resource management. 
| string | | "gcve-dev" | -| [tag_values](variables-fast.tf#L58) | Root-level tag values. | map(string) | | {} | -| [vpc_self_links](variables-fast.tf#L65) | FAST host VPC self links. | map(string) | | {} | +| [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {…} | +| [private_cloud_configs](variables.tf#L54) | The VMware private cloud configurations. Key is used for the private cloud name suffix. | map(object({…})) | | {} | +| [stage_name](variables.tf#L76) | FAST stage name used to find resource ids. Must match name defined for the stage in resource management. | string | | "gcve-dev" | +| [tag_values](variables-fast.tf#L59) | Root-level tag values. | map(string) | | {} | +| [vpc_self_links](variables-fast.tf#L66) | FAST host VPC self links. | map(string) | | {} | ## Outputs diff --git a/fast/stages/3-gcve-dev/main.tf b/fast/stages/3-gcve-dev/main.tf index 9d0ed4917b..f4f6cf25d4 100644 --- a/fast/stages/3-gcve-dev/main.tf +++ b/fast/stages/3-gcve-dev/main.tf @@ -29,7 +29,7 @@ module "gcve-project-0" { iam = var.iam iam_by_principals = var.iam_by_principals labels = { - environment = var.environment_names["dev"] + environment = lower(var.environments["dev"].name) } services = [ "compute.googleapis.com", diff --git a/fast/stages/3-gcve-dev/variables-fast.tf b/fast/stages/3-gcve-dev/variables-fast.tf index e2cb2388e4..d5df85d5b8 100644 --- a/fast/stages/3-gcve-dev/variables-fast.tf +++ b/fast/stages/3-gcve-dev/variables-fast.tf @@ -29,12 +29,13 @@ variable "billing_account" { } } -variable "environment_names" { +variable "environments" { # tfdoc:variable:source 1-resman description = "Long environment names." type = object({ - dev = string - prod = string + dev = object({ + name = string + }) }) } 
diff --git a/fast/stages/3-gcve-dev/variables.tf b/fast/stages/3-gcve-dev/variables.tf index 6c66ddf06c..18ce9af3b9 100644 --- a/fast/stages/3-gcve-dev/variables.tf +++ b/fast/stages/3-gcve-dev/variables.tf @@ -43,7 +43,12 @@ variable "network_peerings" { }), {}) })) nullable = false - default = {} + default = { + dev-spoke-0 = { + peer_network = "dev-spoke-0" + configure_peer_network = true + } + } } variable "private_cloud_configs" { diff --git a/tests/fast/stages/s3_gcve/simple.tfvars b/tests/fast/stages/s3_gcve/simple.tfvars deleted file mode 100644 index b27af09752..0000000000 --- a/tests/fast/stages/s3_gcve/simple.tfvars +++ /dev/null @@ -1,53 +0,0 @@ -automation = { - federated_identity_pool = null - federated_identity_providers = null - project_id = "fast-prod-automation" - project_number = 123456 - outputs_bucket = "test" - service_accounts = { - resman-r = "em-dev-gcve-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com" - } -} - -billing_account = { - id = "000000-111111-222222" -} - -folder_ids = { - gcve-prod = "folders/00000000000000" -} - -groups_gcve = { - gcp-gcve-admins = "gcp-gcve-admins", - gcp-gcve-viewers = "gcp-gcve-viewers" -} - -host_project_ids = { - prod-spoke-0 = "prod-spoke-0" -} - -organization = { - domain = "fast.example.com" - id = 123456789012 - customer_id = "C00000000" -} - -prefix = "fast3" - -private_cloud_configs = { - dev-pc = { - cidr = "172.26.16.0/22" - zone = "europe-west8-a" - management_cluster_config = { - name = "mgmt-cluster" - node_count = 1 - node_type_id = "standard-72" - } - } -} - -vpc_self_links = { - "prod-spoke-0" = "https://www.googleapis.com/compute/v1/projects/em-prod-net-spoke-0/global/networks/prod-spoke-0", -} - - diff --git a/tests/fast/stages/s3_gcve/__init__.py b/tests/fast/stages/s3_gcve_dev/__init__.py similarity index 100% rename from tests/fast/stages/s3_gcve/__init__.py rename to tests/fast/stages/s3_gcve_dev/__init__.py 
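Review bot: The new `default` for `network_peerings` switches the peering on out of the box, including `configure_peer_network = true`, so a plain apply of this stage now also creates a reverse peering in the peer network's project. With the `{}` default of `vpc_self_links` in variables-fast.tf, the key `dev-spoke-0` stays unresolved and the `regex("projects/([^/]+)/", ...)` in gcve-pc.tf has nothing to match, so the defaults on their own appear to fail at plan time. I would keep `default = {}` here and move the `dev-spoke-0` entry to the README example or the test tfvars, so that cross-project peering stays an explicit choice.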
diff --git a/tests/fast/stages/s3_gcve_dev/simple.tfvars b/tests/fast/stages/s3_gcve_dev/simple.tfvars new file mode 100644 index 0000000000..0f1461412b --- /dev/null +++ b/tests/fast/stages/s3_gcve_dev/simple.tfvars @@ -0,0 +1,39 @@ +billing_account = { + id = "000000-111111-222222" +} + +environments = { + dev = { + name = "Development" + } +} + +folder_ids = { + gcve-dev = "folders/00000000000000" +} + +organization = { + domain = "fast.example.com" + id = 123456789012 + customer_id = "C00000000" +} + +prefix = "fast3" + +private_cloud_configs = { + dev-pc = { + cidr = "172.26.16.0/22" + zone = "europe-west8-a" + management_cluster_config = { + name = "mgmt-cluster" + node_count = 1 + node_type_id = "standard-72" + } + } +} + +vpc_self_links = { + "dev-spoke-0" = "projects/em-prod-net-spoke-0/global/networks/prod-spoke-0", +} + + diff --git a/tests/fast/stages/s3_gcve/simple.yaml b/tests/fast/stages/s3_gcve_dev/simple.yaml similarity index 78% rename from tests/fast/stages/s3_gcve/simple.yaml rename to tests/fast/stages/s3_gcve_dev/simple.yaml index c3c846a21c..396b8675f5 100644 --- a/tests/fast/stages/s3_gcve/simple.yaml +++ b/tests/fast/stages/s3_gcve_dev/simple.yaml @@ -14,13 +14,11 @@ counts: google_project: 1 - google_project_iam_binding: 2 - google_project_iam_member: 1 - google_project_service: 1 - google_project_service_identity: 1 - google_storage_bucket_object: 1 + google_project_iam_member: 3 + google_project_service: 4 + google_project_service_identity: 2 google_vmwareengine_network: 1 google_vmwareengine_network_peering: 2 google_vmwareengine_private_cloud: 1 - modules: 3 - resources: 11 + modules: 2 + resources: 14 diff --git a/tests/fast/stages/s3_gcve/tftest.yaml b/tests/fast/stages/s3_gcve_dev/tftest.yaml similarity index 94% rename from tests/fast/stages/s3_gcve/tftest.yaml rename to tests/fast/stages/s3_gcve_dev/tftest.yaml index 2f66f9b076..d8d581f6d5 100644 --- a/tests/fast/stages/s3_gcve/tftest.yaml 
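Review bot: In the new simple.tfvars the `vpc_self_links` key `"dev-spoke-0"` points at `projects/em-prod-net-spoke-0/global/networks/prod-spoke-0`, which looks like a leftover from the deleted prod fixture. Because the stage derives the reverse peering's project from this path, the dev test plan ends up targeting a prod-named project, and the fixture reads as an example of peering dev into prod. A dev-named value would keep the fixture consistent with the stage, for example (constructed) `"dev-spoke-0" = "projects/em-dev-net-spoke-0/global/networks/dev-spoke-0"`.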
+++ b/tests/fast/stages/s3_gcve_dev/tftest.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -module: fast/stages/3-gcve/prod +module: fast/stages/3-gcve-dev tests: simple: From 658cc1fb31a0419107bb6969ab2e5c21391ab16a Mon Sep 17 00:00:00 2001 From: Ludo Date: Sun, 27 Oct 2024 11:26:12 +0100 Subject: [PATCH 64/94] tflint --- fast/stages/3-gcve-dev/README.md | 3 +-- fast/stages/3-gcve-dev/variables-fast.tf | 7 ------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md index 7a1705473b..be1cda2e07 100644 --- a/fast/stages/3-gcve-dev/README.md +++ b/fast/stages/3-gcve-dev/README.md @@ -167,8 +167,7 @@ terraform apply | [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {…} | | [private_cloud_configs](variables.tf#L54) | The VMware private cloud configurations. Key is used for the private cloud name suffix. | map(object({…})) | | {} | | [stage_name](variables.tf#L76) | FAST stage name used to find resource ids. Must match name defined for the stage in resource management. | string | | "gcve-dev" | -| [tag_values](variables-fast.tf#L59) | Root-level tag values. | map(string) | | {} | -| [vpc_self_links](variables-fast.tf#L66) | FAST host VPC self links. | map(string) | | {} | +| [vpc_self_links](variables-fast.tf#L59) | FAST host VPC self links. | map(string) | | {} | ## Outputs diff --git a/fast/stages/3-gcve-dev/variables-fast.tf b/fast/stages/3-gcve-dev/variables-fast.tf index d5df85d5b8..8f84cffc2f 100644 --- a/fast/stages/3-gcve-dev/variables-fast.tf +++ b/fast/stages/3-gcve-dev/variables-fast.tf 
@@ -56,13 +56,6 @@ variable "prefix" { } } -variable "tag_values" { - # tfdoc:variable:source 1-resman - description = "Root-level tag values." - type = map(string) - default = {} -} - variable "vpc_self_links" { # tfdoc:variable:source 2-networking description = "FAST host VPC self links." From 27224dd411d0c4e1ba8fa3aecceaac033a6d91ed Mon Sep 17 00:00:00 2001 From: Ludo Date: Sun, 27 Oct 2024 11:28:20 +0100 Subject: [PATCH 65/94] tfdoc --- fast/stages/2-networking-a-simple/README.md | 2 +- fast/stages/2-networking-b-nva/README.md | 2 +- .../2-networking-c-separate-envs/README.md | 16 ++++++++-------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 7137d6435a..3626af43d1 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
@@ -484,7 +484,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L49) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman | | [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index 0eb39816a3..21d69c94ef 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md 
@@ -540,7 +540,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L49) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman | | [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index 6db5f222f6..4abb36cfc3 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md 
@@ -343,7 +343,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | | [environment_names](variables-fast.tf#L49) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. | object({…}) | ✓ | | 1-resman | | [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | 
@@ -363,11 +363,11 @@ Regions are defined via the `regions` variable which sets up a mapping between t
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [dev_cloud_dns_inbound_policy](outputs.tf#L77) | IP Addresses for Cloud DNS inbound policy for the dev environment. | | |
-| [host_project_ids](outputs.tf#L82) | Network project ids. | | |
-| [host_project_numbers](outputs.tf#L87) | Network project numbers. | | |
-| [prod_cloud_dns_inbound_policy](outputs.tf#L92) | IP Addresses for Cloud DNS inbound policy for the prod environment. | | |
-| [shared_vpc_self_links](outputs.tf#L97) | Shared VPC host projects. | | |
-| [tfvars](outputs.tf#L102) | Terraform variables file for the following stages. | ✓ | |
-| [vpn_gateway_endpoints](outputs.tf#L108) | External IP Addresses for the GCP VPN gateways. | | |
+| [dev_cloud_dns_inbound_policy](outputs.tf#L79) | IP Addresses for Cloud DNS inbound policy for the dev environment. | | |
+| [host_project_ids](outputs.tf#L84) | Network project ids. | | |
+| [host_project_numbers](outputs.tf#L89) | Network project numbers. | | |
+| [prod_cloud_dns_inbound_policy](outputs.tf#L94) | IP Addresses for Cloud DNS inbound policy for the prod environment. | | |
+| [shared_vpc_self_links](outputs.tf#L99) | Shared VPC host projects. | | |
+| [tfvars](outputs.tf#L104) | Terraform variables file for the following stages. | ✓ | |
+| [vpn_gateway_endpoints](outputs.tf#L110) | External IP Addresses for the GCP VPN gateways. | | |
From 43ea755e12375aed97b145c68fd2c1fc4102501a Mon Sep 17 00:00:00 2001
From: Ludo
Date: Sun, 27 Oct 2024 11:35:03 +0100
Subject: [PATCH 66/94] fix links
---
 blueprints/gcve/pc-minimal/README.md | 132 -------------------------
 blueprints/gcve/pc-minimal/diagram.png | Bin 47499 -> 0 bytes
 fast/stages/3-gcve-dev/README.md | 9 +-
 fast/stages/README.md | 2 +-
 4 files changed, 4 insertions(+), 139 deletions(-)
 delete mode 100644 blueprints/gcve/pc-minimal/README.md
 delete mode 100644 blueprints/gcve/pc-minimal/diagram.png
diff --git a/blueprints/gcve/pc-minimal/README.md b/blueprints/gcve/pc-minimal/README.md
deleted file mode 100644
index 9123c30695..0000000000
--- a/blueprints/gcve/pc-minimal/README.md
+++ /dev/null
@@ -1,132 +0,0 @@
-# Minimal GCVE Private Cloud
-
-This stage implements an opinionated architecture to handle different Google VMware Engine deployment scenarios: from a simple single region Private Cloud to multi-region Private Clouds spread across different locations.
-
-The general approach used here is to deploy a single project hosting one or more GCVE Private Clouds, connected to a shared VMware Engine Network (VEN). Peerings to existing VPC networks can also be configured.
-
-Multiple deployments of this stage allow implementig more complex designs, for example using multiple projects for different Private Clouds, or connections to independent VMWare Engine Networks.
-
-Like any other FAST stage, this can be used as a standalone deployment provided the [minimum prerequisites](#running-in-isolation) are met. This is the base diagram of the resources deployed via this stage.
-
-

    - GCVE single region Private Cloud -

    - -## Table of contents - - - -## Design overview and choices - -This stage implements GCP best practices for using GCVE in a simple (but easily extensible) scenario. Refer to the [GCVE documentation](https://cloud.google.com/vmware-engine/docs/overview) for an in depth overview. - -## How to run this stage - -This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management and networking. - -Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. - -### Provider and Terraform variables - -As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. - -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
- -```bash -../../../stage-links.sh ~/fast-config - -# copy and paste the following commands for '3-gcve' - -ln -s ~/fast-config/providers/3-gcve-dev-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ -``` - -```bash -../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 - -# copy and paste the following commands for '3-gcve' - -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gcve-dev-providers.tf ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ -``` - -### Impersonating the automation service account - -The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
- -### Variable configuration - -Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: - -- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above -- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above -- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file - -The full list can be found in the [Variables](#variables) table at the bottom of this document. - -### Running the stage - -Once provider and variable values are in place and the correct user is configured, the stage can be run: - -```bash -terraform init -terraform apply -``` - -### Running in isolation - -This stage can be run in isolation by providing the necessary variables, but it's really meant to be used as part of the FAST flow after the "foundational stages" ([`0-bootstrap`](../../0-bootstrap), [`1-resman`](../../1-resman), [`2-networking`](../../2-networking-a-simple). 
- -When running in isolation, the following roles are needed on the principal used to apply Terraform: - -- on the organization or network folder level - - `roles/xpnAdmin` or a custom role which includes the following permissions - - `"compute.organizations.enableXpnResource"`, - - `"compute.organizations.disableXpnResource"`, - - `"compute.subnetworks.setIamPolicy"`, -- on each folder where projects are created - - `"roles/logging.admin"` - - `"roles/owner"` - - `"roles/resourcemanager.folderAdmin"` - - `"roles/resourcemanager.projectCreator"` -- on the host project for the Shared VPC - - `"roles/browser"` - - `"roles/compute.viewer"` -- on the organization or billing account - - `roles/billing.admin` - -The VPC host project, VPC and subnets should already exist. - - - -## Files - -| name | description | modules | resources | -|---|---|---|---| -| [gcve-pc.tf](./gcve-pc.tf) | GCVE Private Cloud. | gcve-private-cloud | google_vmwareengine_network_peering | -| [main.tf](./main.tf) | Project. | project | | -| [output.tf](./output.tf) | Output variables. | | | -| [variables.tf](./variables.tf) | Module variables. | | | - -## Variables - -| name | description | type | required | default | -|---|---|:---:|:---:|:---:| -| [billing_account_id](variables.tf#L17) | Billing account ID. | string | ✓ | | -| [folder_id](variables.tf#L22) | Folder used for the GCVE project in folders/nnnnnnnnnnn format. | string | ✓ | | -| [groups](variables.tf#L27) | GCVE groups. | object({…}) | ✓ | | -| [prefix](variables.tf#L81) | Prefix used for resource names. | string | ✓ | | -| [private_cloud_configs](variables.tf#L90) | The VMware Private Cloud configurations. The key is the unique Private Cloud name suffix. | map(object({…})) | ✓ | | -| [project_id](variables.tf#L112) | ID of the project that will contain the GCVE Private Cloud. | string | ✓ | | -| [iam](variables.tf#L36) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. 
| map(list(string)) | | {} | -| [iam_by_principals](variables.tf#L43) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | -| [labels](variables.tf#L50) | Project-level labels. | map(string) | | {} | -| [network_peerings](variables.tf#L56) | The network peerings between users' VPCs and the VMware Engine networks. The key is the peering name suffix. | map(object({…})) | | {} | -| [project_services](variables.tf#L117) | Additional project services to enable. | list(string) | | [] | - 
diff --git a/blueprints/gcve/pc-minimal/diagram.png b/blueprints/gcve/pc-minimal/diagram.png deleted file mode 100644 index 78ae82b24d7e881e72d0845f70951cf5f8884027..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 47499 zcmY(qbyOV9);){|31M(|cY;IkV8I=NGX#QbaJS$PLU0T2GPqj?NpL5)ySwu>&%O8k zp5MwJy;d`+?mBg<&ffd%4p&irJ2HLz4x5i|QnC8)f!)&SDyHjkMv9lY>#_Z^ z*A{8?lvSNX1Oo+X7+jA3|1K-is1^v|MT^?J(*OVF%TMHB19Vc5|KEFdh5lk?^XMsG zbZ|h3lCY{`|GiLXZT;VX{~3Os(LpbaCv9kj{Nw$m>pBxD-oJj|S&lnuRd;fB*1XBH zfCWaWu(Y(a^En;&_`d=F8TVSVbAFy!Fyp8Ip8~YszRo0!|L;L^agAxTDreB3o)-)Q zJ>mbJlL;y^)N|JV&*r~pszQJR3S)hp%QD08?+Ao40)v~tGbK^~>#mrIiWo&bM^v?b z?*9VyGB2_Mv4HnwT?jTpNM*t{J;e;nQRY8&U`F%4Bl)CRsEEwoMm!Ti-Xy7kPmB}n zkWX0?3*RIwm=h>UyYF5$=!+*6B5i#7_asrX;SiA^S}-V#S`W=KL5rApP&#;65hC~f zGFgRJwM6Jl2zsZoXslL0oR0ci8=kq+!(uz3bkr)8RbOI=Ka(wn)oeR#>^SN-lOVqL z6m0crRc+Szz+L2rFPFd)E}z7{4h@elGHfIIlf?c?F-EWH9ObQc#mekyd{}r>ph(+s z+c}C;@V}>Mmm?M+ZW95k(>fHP*jI+k4ELp?P^vgb%YBzymKP?JUB{7TJOaPjN|nyO zYm@||r;(J)f#wQF#DWJ_Gw{#mj(7a;;Ea}Q@XV30F;2Z?_}a<&rIef%Q%!seGDo>V7B@(E>`JM5$q8#`}hjO^zbek8HFw2 z>*cY8jt+x&Yg?Qh$I5vAKp4NtX0>a1$hW+zYZGyFxJ5>9G((yuRdj-MyGt&6uN;`C$stsnY`H^N0feB#{JOQ2H$)1ef?N|y zDt}2}CeDmZ1gl=jHX@ZOy|QhJIBBkAuMPglemofSH8iWsP4p?sT#QRSPfL(wpwS8uwFIpDOIZ;bLIa8EnT6=8HBo5zO?2F*CBJeGO>31Y3c z$F{OcO5y`}L&h8gRX%-e>B4?wo*9ORvc@M`{Vw9SjSbsrgy| zJvl4N{~MmRZ5@>g1P-^Kyw0lX%_usJV-e2UH5mR{rakhD{++bs-Hon@7el&YZrap3 zSZgM_H6%pj+`QGEH@Q#t-ZG7R=fq?c&%v*x1H%jYxA= zJS)NuI?^~d%hk@;WM%qwc-NPEF`h2_5``^w7*xzqq?`NVA{%34ioMASL_blZ^cem~ z^+Kif3Qrf63LC<*`4fC5?UFDh(z))L8T{Sd-J8SfO<4s6$$c%ib?9#g5>ZF2Ix8)i zkh9IH{a0^Ddw;7Jn((F}f(`DuGT7UkH}Iv}zo;~a{HRpXjFQ@LRTN*(fL>$6;?rH7Ze} zwF>XdaX^muJvi_9wMsACGauZRZPc*$kS4Yqp1T4d$nd^jZ?-dT{Z{V?~oH zrRC&Mt)|Pq!oP|I%AWOfQ2_ia3`!ar0s}!8F$h>n^HU<);B@(NUJhg}ob}5xwgV8K zRdwZx|CU<{Q5=Vjw&G3-*R>Hml8)D{qnbf@nzm@o{QF5Q^N$60ko zA1F91xm%kTUuAtZ?7!&Lt%OpTK`C}hrv0C*zK=?c1Qwqu==?&0NsW?uoSR+F78Zb; zRtq|vUV_YeQ6k%m7D-KU6r8R7@-*&6WsZ^3ecLqR2YS~sF81TrSj3o9LcJa9TPmEp 
z*L&@{=CifEeV$;RB4qC8ZYJt%(WeLEBfGyOtZ97em=o{B4}{$sI)AILRwc9U%;o2v zbybg|R+%p%k-T$-(=65M-R1gR8KeX6d;h46>&R+Qf}@mr|@C zTKG_`ayIegZa+IJU!(qR&VOqbF~dr~mwJHsLGQD2Igfn??v%VGM{PM$!ux9G5k-t? zQdp72Pf|61w4%y=;fhVO0-la|PYC(ma@|=9dl503W(L&T`P^VIzN#EhH(?Tm-5OUG z&mHoYwVl)+&DgXaS!;V70n12I&@B{-w>c4}U^Eu(A1<@b_R>ecI%`X}Knh;FKk3(dCY=ia(EBafl9V_6LAhiKdL9hKqi)4 zTXlT;x)xeI@wrpVM7Y^S`qs&ei_-P>&lIvKX#mkwDU+U9e#GWjv8h)=b)+rpy^p~7 z_&BibK9UIg!T|{<5qf2teUD$#ddcs0)G7&HTnRedVG}%y>>l%pzgsYZW#+!& zTUvR-r`CP}FimP=@aSKNaEWqjQFPFg74dyky7i}4>P-NDZmsN>uPUW@B!wbPwvt-w4cS4WAL+LiS+ynOw z8=PF7NnclFfQX0!P5YFMdrEj149f_Jcx-+S^ASbuj5kp;{a`PpNJ8s)T55hDP%(?* zbb0$_Kc3`PYIRydcAK=qpHNqy%gYhH1P4HI3>&CB#^S1NV|L$M{@Ip^zB7@IT4e&S zAAG)d>;`<7A|$M%5+F53Epwvf-Z3P%&=g*GnJ94KV0n5y>LIQN!TR%wUQKBIU`0Z>Gq1(X z=oG5!e1~EFadyfIjwv(d>*>8z71SW4V51}UZbV8q98(Y;5uA|`xuju) zTI#5sO1Ty8L!DXaS=-l;kZjpF3L1KPYO1w#I4$YV>@rfO_c0kvXL=={bfmph#~O)< z3wd<`uYrAl)VE|0vmN<$gaU6hM@RYBpeR%hlx8H_F>FCJ=Tn_Ib2 zK5G=)5II7|hN!or(DGnjOFr%bcQJfqc`0+NU8^s@TmI>>r;lHac9gfZK(D%vy)6fph$;1h7I;?Gc?w(!*hi-Om>H_hVAP!;Wx&C06+RCa0bb`iqD>3l`Ev>F+0Yg^p)8uG&q* z$44Q{xeikfyHMqiR++q=Fs8HRy~&P(*UeszsK2pEzETO3aBIlrzg*&7Qx*#%#=-f~ z)B!)T?Z|6v*5d2iesX;t^cSpJi5-!T!-j|eMw@YecW#9U&M2<0rA2LQhYKMBX9x%- zt(7O&p`MJxvX;P#i*$xF82?gb_MDtq2`JD-xCU5 zL;$vA)eD)+Yx-u6phXVHOIAZM)fswH%K^h9XF1xCf`ltq1XGEl+IfiUKpQ4}-u6Zh z$t!o{lpEnk$7L)u%lbCQMw=^jjuj?DK5Ey}pB%BrL zCN50c!I4ZnHj^%`d_8LPS^T*oid{la7u2SS=3I^BBAw!3(xfELoLfTb%eyj&@hkKjn^Mhusx`7NLn*}D{pPI{R02QL z=oKJd2Z3Z^V2xOa-FprdDq8R^A_MQ6kq#_NY2_pvYGWF(LPxydaU<2v9^8HuC{etB zOa~#T=6xjTh*$Qa8vHmo;Bdq<_m?t~J1zu#FKf^3Gvd#gQC%rU3q{g|l$<{k?L-%K z)b3OZl4`qJLhfZLqzX z;+d|K97p|QX=*5_O~v*bp<)3cE{u_W@%t=n%f?#6$htP~QD;5D3euSc7zl=RUKihB z2}Ql+d$gn5K?is!Z>E*xBEG^be{LR?%i$%@*T^%7z}^Knzv&it1Uk1LHjeiYnMHPG$Fk1iyL!^>B# zntKK_eQEEE6Y%_DV;ita^uxtJA56}r<#Hh&O+RFDk%;+D+GBNGkkpf0?$>6tZrQG* zb(qhN8c}P6?x~kL`40=@Hb&^UmWo#%3NiVav}Y8O!A$=8pqro#;dfZbeCDOZ*+=xF zj}{uL8-9it-PDf7{1+8sHoi(qz{_fA@8KaXCP0Y0mVOSYQ-9P}xQ*jsZ&IUs# 
zbS0n5r7Hc#jTI)1&EAp!u=*Te^r1Au-_0ruz(>mYudZKtPcA>L`k;HHE7y z?~+kWu0Q!R1tgwWy|q#)t|T;TPPVsj?6YA1VP&eS`uD`%rO{QRl&Wba#?rw(5ud2l zTyl>VUCFyZX2Mb$N;bK2(ct-DpD1o7G|Tr_K7X;~DHx^2=u!gWiKjtktmV5Phmrc@ z)%9$jCjoXqOK(c&YoxMBw8rrYxLQ63Rs8wSZ7$NpaSjrZ{dKyv$!QH52Ao}X75;_d z2mM{}C(}`}IQ?^agXUZ!o_{(Ub84&*&EJ{>Af6r4c7?DujOi?<^x z9Ha?ai%J3M5;k8ZX>k~JU$@U3R`eqmHN;{BM&PuSBhlqz0$g9E%)LtRNsE?;2l01! zI5G-z%Hg+Q>(i6-^U$OQJ{uQYcFde7pBgM|AHt_6SY+e}`@;8;J%P+)Nt#BF5AdD! z(jrUbSw7F9^U+y=@aIqqWL%7v#vV2zY7^X*#KF=`8%Sd@2k-L-OvD4#PQx(Toi+hG z9N-niz4b}H$78+So8nVxSHo5CxRkoNy`@~8 zTpB(a$3=X_aCJkuM`8J2~s0xX2BL;KgV=ymi%UY9TwoX=+$*E=&;vJVJ&Qove5K)|bG~iAbKbv>74EYA zfyKwI2$)?Zr%#RfD#_7Y}0G6sr>=JN7#(! z<_LWZdqyb{0U0)F1^x(%$5gOE$7B1}WCa;>80_#H2*1o=1^WdGt= z5W62{eB7(cH)0F+6N8cHmNQwdIQ+x=Ei?1$D#l_gyRU9`HHd>#D9;GPyT+zGq7e(+ zq*6Nn_=tm3lP=;xl0T5pH+jllQuH>r>!SDR^xSP{;oLVI+I%aNc=S#QSc*PNMjk-Y zhJgWA1?itv@e()-^n7?;F@3M`#pQ3T{K-{1A}Yf6kozm;j+5#L*9xQCS4)pOT$gv} z%0f{q-&7QQpWjbCj)4{vA2B%_sFlr z3rxHa2`l}jXn(X3 z+462D@Uz#6?3ga^?lhs+0DubxfvBqyJwPPP(ynf4>n52|8$*B`vwN#B{z0|V2TsLMB4epSRTt<_W0nqFu&|h5d+(~`!;N%5yu1b zxuvB}F!O1C%I_&6>?FSA>B_*Xq=*IIRWU^Xqel+G^!doI>ag;1?>NJ2A$Dby!{w;H zgV*?Y*tSR`zd53tv!*NY(z;UtN&kUX3Ws43$TPgHu_SAJ#4~ZA$asS^OEg}P*uM5- zxbU-0PgR_$!_}arH@~py=~TIz-lmqJG}!O)NlzhJkh)Kk<8elQi%iuX&q1+8VP&~!<)|%g zHa%@VH?pn`C|0&c9} z0XP0kzBGG6U#gIbKtAWoIq@QHf|#9O`akK}Vulp1mwQtT+7%>wlf}8sOwVlko(q<~ z5g98=sK4)X#8%bBs30NMt(#U-0p8jag`jt)y|1GPx#*VfY0(?&;X0n5-W|2^nbMc* z;Rfi;kiFl{U|6vM=s`w#V=Xi}Hc}_iv#Q8HYfyxO69v)on3jL-U zC!o)w5{8S6h87eXJEDl&&j^j6uLmjTu_PT?WzJsIa^svsC>mvdzW&DWjT&+MwRC!{ za%fi81OG^zLleIa#g*U~7B)5}Ie8Wu<0g*k&l3if97z-e1O$G7N5xt><$Gv$rnm;? 
zK@kw{;j(EXHtXh{d@0pCKXI<>d?Ja!WmoO5Sh!7M1~G&7A3oBvHn+WOOwnLF57^=0 zS?g0rxEY)V8ka-?{cf69H zWEf~zIbv4csb}97GGpW?JhQ#M9sUBF?XH>;!2spto6n<-RRz%HRd)!QPW300oZQ^i z{e83yrO-Yyuh&y0n$F4f9gkPUaPaVB5L21ZsgI+$Z~xrxS9YxR;2W{*RBROc1nAsv zc-`$5#${&4jE<@#*!F$mT%AxB4QXg_Ge@jFRY>JVIc~eo^htmVi;99q;4&X9nb@yE z!}rpOc&v;Un_b-R4;#kvK490{&f}G8m8)f~E+lRZrJ44{kTwYm8;xLx4QYGSXc{t5 zUb%W0$H&LVefzf3iuo;35|&Q`h^%!bePYUc_X$$YPhk;zRiI(uKZi1^7i{c)O?E*B zQo~##f_~bu85{fxgDeV)+gos>gII4@p{P%; zuvl(yi@?Ih0$QiBg_)jmf63Z!w}_|S%zvVZxU~6OEw%XLwvmU8P3f{!K8dZ-^^mCj z;Y|J{j$?jvzbvUzo%yN1LM1!U%KqWz6qN=UKdSL<;9x&@zzWcK)2X$H3j{r-`Fz=w zEprExUZZr7fsNc(5qUy)IYz$x&kLZGDO3yt(XKQk;CJ|$8k)YG?#8TLq4E3H){hu1$))u{GNoOhJD0rguG7w8C)hbF6dy zm)-Fckk>{(=H;&+Vsge61}(hOQ3L_NwPb{4n=7~Jfo0ic#-OClnl=PaVsUoG$3XRG^$yk)z(~FT|f*!WSi->zQ?o`HfJM z=$&iX-VAePYoLJhmhnV^;-9|$euA#cXuhS+gTFPWzv;7zJm>4IL;ap^WnlLfnw&N7 z516~s#RhlqO#*FC?g;DdZnv|hqL&jWr!zfPDqP`m|3;`Mowx66>!`9u+*)aX+&?T}`l@a0_1iwc%J4)mfExk#M*AlPMWSkdiDqdDF&SERqUwhw8;{)A z7#P}^ABjJmAq~*82kVG%+K&DV5R8rGio{{ep-42gJfGlP<1!yiRtTe&t&RaUVClII z26cTc*DNaK)rjb`#>pQ}rwv)e#Hi`w`COQ)=K-EYx@b`}q_M+v8|9HxJ5_H(F{EEV<=TiC7A|(Pk-cO}|F0iQcRP{iV2C=?dDD z!OSv0X*C~8E#6_+W)pQ5iak$1A47r!gP&H`A@vg9>TEv@jldovMwL~A@=ykaJumvB zpl3Bua?6M89*K9beqm?H`_zyJl9Ti6o!r_>3CrX#Y1u^Q==K zMe9xN5Fy@K({OlmNc`-;$@|84>*oD8(OwJcpPFA)=PEm%bh`?M&gC2yJN*2%Fr=n` z35<+jli$x%wMLx*homSr*izu!Eui(b8g&la#2`CFot$yu0lffhb1>4lG9 z>tBid?w42ns5CxdBIK+8$nizP#6Y@+7JG+Ovyy%?*StbHXqIzoWpg`eC^I2#AE;u{ zR!%VtD*d?s2|cYO7R)XWtvBbHY#NNcr?Sv#a5D<#BtdpwhCiRp-F8k+&Lp)b936S~ znM*fGm)-f+&>y8vVg_o}*5Wx}7qAq-twEwbVanYSk%!Dh2m^7?ZB@laB{8Zrq2=NX_Nl+Rvcc4arBA)@-dxlRJp@&$=yHf+rRgq|#1ddc1H6V(ns)!KV>NoWtK>5cBnOb^_ z2x@@>UCAMRqvZWE&lgpk%{@(0?1_93rG<%*EE0*|6GaA)G&kw-O>^eP{v_^qT=8{1=XDH&XIjC2FCYgCU;%6Ti|&2VV>>J<>q7fi!da9JK?S* z(7HL=U7X9ll*pzOR3O!jJK$o1b-aWjSJ%Vs)P$>_B3PwO3G(wWM&i=wW@pguW5HVi z`SM96vK+ZB`YYYCwS_p!C(wdCJxns&kl)`IjZ(gWdwv*AXllU{LsMBhR}dQv4|vMj z_;j^q))k_}%BZ*anP}`H(1abt6e<>ldm~(xf7zg2iz8$^}nAJmO@Gw41|LBy= 
z@a@$LYQORXpN|>{OrhhPASm0o|3Ex`%8bdoH~?8gVBUrU7O(2}HY2;gIa2LK_}N{r zrSAnj&8WZ0+APs?_?1a#3Iu(7UgnmHILG;Ud?V*ABo`8l40T#XdNgWa{{Cv(BVJvX zsr3b{p;bmWZ3<|1P8}ljv41={8|S7eSn|$q5wlT}S#a!|nDM0)BB6cuYcXIPR`(Yr z1Fx;AY&923V}-Z%5C9C+-bqeAL>nO4-S4gtJvNWvAaq=#MLBralcS&GI> z^6+Z0Wof28YCcd*d+2_)4F?gE;)hnlK?vukKhV@0)8*7Mp?=Z?AhMoHrVgR%j9MqQ z5Tss~CE;*NB~<3v#ZAx7&u7y4z&veEWS0zWzPDGT7+sNq>jiV#su&Y5Q@`hc7 z;UFJ3Kw+0VO>Fqv(l68N!QPjK&x$p;L{Kh62R9M5xTy=1*&m_@{YGsc?zf(n$T}!p z&R=wb4-Pzma(=d%HaI?WY|JpMD-}Orx1Is-xBDcExZ1?jHiB?NoM`2@cG3fdbSSha z>M6FfYFSYiG=SY(Cd-04Tk793i&8CdFh#>m_xJ-Ti1A+2DX3^-tYN8pKSYS-06c7J z$JF_nq+G8-ix|P7;hi0&^+3j85%W2dcCnh&CYE`H>6VZ=PU1T=M=pc{$MtE5cdSQ5 zN>&OnF^RCJhAnS*`oK(~5}3^NXshSKMJRT=MdB18%#5Pa^ZJOt&MBW+)=HZk0pLrA zsSHlv7*-TsXgScWGgI#*rQ{Xtil7(yAXT!u71?&jeJ;`FB$(jKY+bA+7dc9S9%J;! zBcj}Hu{qmm^N*DqpIy(x)x7;WfaeT&FuswR(uZY zX7s^u_%u*ygSLq60wpP3PeD0AHHuw!hiB%qAC7{$dat3B-9I?zPpq7-pZ11fB41qh zg*7Y%j(w8w&mtE|5h9Fjd*I|fTnINjoLk*@Tk6^?*L!@)Q&Xu;IPn_+Cj^uNRB~FfXzm;pgN9 zcksS8>U;fzDR1o02aQQ@9~UiMXZ*O{b!AXoZF>1=FtI*f!pfJnRGV?VUUVy6+_wP@>@emQFSw>`rhLxq`Y9fC0zf$m z8X8IQ0{~8+{=yI~vP}a3w_%eWX>LbUuhXk0;0OALBHO6>6qK$z(D0qHW}dq*M^Pz8 zK8S5fp=bGWW)e0-WWo;Kw@$R`*M*tg>Dop;?NvXysE0rYko} z;an%>Y++FZr!B4fw|9WORm3ujgMc_bs4c ztF(coB&B6cPl8bxNQp`)nvG^En5gy#sb0jH!CN}pa5z`S7m8IXE+C5o(3ypq~DesU)&y-~8 z91bNP=$*&eC&Y?cY#JIG2LCqq(;PsZR+BqsriOT39sG`hCNgU)*><%8s06pI1z>I* zeox*HX9Mg&Ga_BUnUj6*g(ZmS&Ee~i&p#bDEbD`h@Mxe*kNwm)CRa8I=6hD&t)8tN z$Fq=mX|N^c3S5Q!+qVRwUc7g%yMdw2ZX?07es9R2wIOJy=dZ{=O*G7(tO7jr?!f~G z<+Y@m71Pq~2KHo;#s?|ajE^seO@_d79;<5Si$&n@`-eA9Rd5x^5dEJ(GDNV_5Ar(< zBd~37roxc3qe}z=_9U&yIkUQ1x9PwhJ#^XjH=k@lUUa=V)wobvz3eHm$EJ1%<~g>@ zOVn@n+Q?-uL{m4fr|+J<^&~J*Gx3FiSxyu%1kN+-rM z6@REYWe@Px3vhtg(fg#;*msgW@lR%cC=TMJ=B_`D@jWJG%45J87qh;%5<4; zDD{*^Cn=(8MwrU`fpc**tNIan+Ga5V51r_fF20t{QdFBvYzc!+mQqIgFgYBA4H@!c zJl%*_K3Q-c+1%msTkS?H(}BSK`ied<=HXPuuwwP!s%@34$MNVWqs)?9P>PXy^5{yv zre0=6sU`aj&*hI5gs;1-3^pnS?{a3PYs=6=TP8MR^)F?;Dy{GzyqOh^Nx!&R)y3Aa z;tH}Sk%rjDE!RAE46n;6?Jh4YK2Xke9iZ7Yl@GHHGh2kYpv9eK#{+UB0%S0<57$Ql 
zr5hYs;-r}$8ykD}`mJAPR#p~gd0$^&DTx;>EbJfZA3Rv{v6$p(KbSO8X=`XG%@+rI zWc)Dg?_LC-Sli_9!Lhn|VQ@z!{?wGy20Y(<-xv^qDnxQ2gzNLCQg<6r%Xe1G7iE&F+)<4vBv0=6?UUn{1v7(0)#+v+=gCKgA+z~Hd z;ysrL^=Ofl|5%S)&Zoa;qh21H#imj&(mOm2!wuz$ee_J&j`9Cvg!aHAM}6P!a}UD9`}#tUWLPe6G|O~U%XWONOMEkBvOwyI4ldgOGa3b? z(NJVYK(j~82DEzdA~xG*ET|KGg<{`ea+8q3VQ)_q!h%ww>dYILOAABA(2khY)BB~@ z-!8AGSMm)-EHuKOW{J6&^doB4=F6pN@;}Bc$IW*0$G<3}lM}CzSVXX5u(~Kq;A_?K z7{eX>V8_!p3zj8x+&`6`$7ss>M_tCU-U?sA~MU86_ng7`s5T2sqU^YD-F~zsYO-$ROSkAnD%Gw}MF5jl77OzbDVQHrd**&B<|K^MiI$e)@bP)nz)5@_ zmS>y<4cJ~ZqQ-|*-E}-aV$dt4tJK3ttGgX9MU%dB{j@dS;(g2cLh`jt0cy?6+my;> zZ6bLMXz1O6h-lSq!yAAs>yc97R8h(R6eV2cveGE4uB%^*LJ&rzq7dElX%Lvl!azRO zsfWkgFe1m7h`S{3eJZ9-^N|1Yb@Ix7e%H79rN+{9JkzASMXdwOjMlOGdL=3Qe12)5 z4b!)iJfRz9j;4gm8lq_UaXyG<{HS_{>! z3OWTDiAWgyFMlaqH~QmHtx{l84L?ddHECbgjEI!_C;c3hWzi1gOb8b%GdNd!Qod?XujI}Ym77MsvY33M&sw@)b({S07ARuK7gNS- z@FEO)`jK^^(G8lHewr6WBqae!BHJMOdt!BiF}Tmng-RJ}U4%=Kjds84Phpq0=g`d= ziVRv@+oQSf-!o^Fb71wA+aIz53b*F9j-Q{OmvYl8zuhlSMoz5HN|_pX-Fl69&IW$d z*uUYD*1m&41RLM(7V5CdwF+I`nbphb0^f5AL1NedS6oVRO0iTUMKDNxZ^BR$%cE;9_ua*>#U|YDPLM~sQOJa+>}Y=!+>H{nl~D3EbTT^_AzLw&8xJ> zpyu<4mfqE=3uBId%S%tMf_i)D(UmqV|NE*co_F(@zh5_(P=zkwp_bq#nEiuRm{WFR znperL-1F{qCNzRNOZa3YAO{4xQ%3tN9zXJ5l&qcM%z~;5eYw{&Z(u_fA`> z=5S+!2zl)FibFKAyb@*N{N{MIjF+JuTG#gg=B4A5I7(5<=})}t8bEU@smiaRVZkto zIjeBYYW0}hA51IPIl_J|DrV;v{W5#=;Ep2#)=dd!->Mtg$d0R<(u9zXrAGJ2j)kM< zeYONm{|~u+06PCJUUP!KmBRH|!vLL_cksgfBnY37u=r;Kz(DqNrh5`R76x=97*;C& zTM;U1Iw6m)e9A19A_9vMw)CtzwX~%8;HD1&NImfW&6{7CdbGg0y}gJE*_ZCt_O+E> z=Tn0*npjr!6)&QBp&!tuQICwdzdo)EWN3YM;6gB;GYP&(vu{`Z`R-Fc$c4o1I3g?z zMl@-VdLU%D_1IDI6`v>tOuglVG@=_pCnZTWP_%?+t4xCA=6fg<0jR;n9tj%oyt~{_ zx+U6Q1%H0Z8Z*_scV9L$r+{N`7&J5TAg#TeD*LD|72VVxe0l0)S2=LcTkhH7dZ-3l zq}1>`v9~o{c^~2rgcW135ryRbb4m$YS#8{b7lyE{TU53p9`}<8tuY8O9eV*yBE}C^{W=f`mMe(L>nS%INL=xWO8J7EAN;Yv zH;*SK@;hPNCY#>t>DOdJI^~Be&$p6sAKeKyR`F`1F0c}A4qlrvb zyF-}f^vZPJPMJy2XL(~qd`zzR{?QkC$|gyiDpR>J6OfNRb$@Fl4Z?6cu1R_W>it(Q){-_8{aMRy64Y8Ze=n~AZm!*~MYA1J(*UQX} 
z`HC@^!$*rP>xEgqY9GA`5Y1f4miR0))^$M=WkXDS&RYt&5HnYDIPTm$UJF_%rocbw=)T*T(3Vb&%X9F$W{&o# zEO9*+@LRMNG?YL_CCbie5`muKh&terIq#h$t?1XJoGu`pFddWl_T5fXRmYsM-xMiZ z9|LVQUaT*SZpNkx1kUo`c6d287H4JtP2FP3h`?;0YZ<6Z;K$a8~_N;|_J zwt^lA-U9|kmCG#`RH&e`wdDt#6N3MAzb}(5;|kFnwUuo$*#xtc&8IWUitBHZv%blM zZ7ici>hC~FcJvW?B}R6Ko|MR0scZDTdv@rbM<(?ZvOmrH#&1`%0p;rCk5(fl2wz|x zb^dcNx!w8jQ_&BNB(`GLzi$p0(guH zm+OBX)uJ z7-+js=;~r23cb|cSVFmmW>A1m15t&(TjH3$r{1mbdW;k>WG)?OU#L8vR<-k=&OD%G zm=;K7vPlX-JiaR{xl+F9Kzs!M8tflnBW$j_u`2<^PNTow_=K%TCxA$BCHayHZeCTeyn;V}H5DtshXDm>D~#8gJW<8-!<=LDsQyPEonI zKr+|ns2TY(h=mDL%@1#d*78jd6^Itjsk(H&+@y|eYICdz=X6#>kfhsoQ zF?sv7hk(NZFh&qyRphAs{mzsS517E&5V<=OX02tXZgO-Sul1A7XIz^5#a|Q(Hcs4p z;wz>VOTf0E<0Z3H6YI>QY~!g*l*1-N#dcLPhlvVTohb}U`o%@CjZ7*6@BQC1+?DO^ zK<+DJOW`w2H(i_HPs@!KMJ?9&ff8`zkp79K_79K%Au zg4r;qAtCn!RAOdOS_hYcm0Kg=%XpKd!Sn?iF&zbBM-~1>9fx5Oh!fzz*u(IDXV_XO z{(>PL@dVpP00V~01Fl>&;K*6A0M-N%Oe$QM*Y2$aJX}i%aw}xAkmsp=4s8y%8CO*O zslxp79K9k@m?QVoOeDw=KhpSipeo?9K+J6c^wP!>;NftP3PHYnqlOnxQGv9HCh#eA zRZOdX1A~L}KTp`KSv5y>Cwfu0hUkn%TxM{EA%iNNqH2->=?tB(5eF40i0L*Z>lR2~ z%qD3qDb$~Fli`4;0bjLM6>q4ax1`cff8y+#PmNij5d8qzRO9NYd-uynBz`~ zG&0%WM*qCvx!czdhi|lj>|6aV7h;#=&qc|*sw))e6Y!m~+NCH>0V8RbF83yM#7N3P zwrJquxB9z(l$T=XdDF^)e*#DLPSg2|2@u^jJn~SGXtbD3jI`>T0yt@jgC=HV6m)Fy zvyXs4tuIkFW!3YYR{mu4Jq9B@pP$F$&3f$4QrkP%qlMxpQcTPMz@Lzr(v!#TQU(8cpIsXaECG=zJxwR9IGBD@iK9%7YJJ+-aSG=UA%Ky9o;uO3| zpn(ZPzeksgy(zSzG`_xi+xaTjLtP;N{t*a%0Su07D3itNuZ}yOMd*~$!?0-OR{nm@ z>ZvmMr4iZc=y%$Ke}cE(aBkibTDxHh+NbBsRgv9Q6z9!ApZef;IWtNZ!7A~_EPMFJ*{&jL90$A9bVN=4X2v}R6K*eMZSO7f% zZYT`E@=WG^B7U(y!#@A}!-o%hz86D$%d^^yFuHz#GbHKu%c&B*-QQ|Na^IV5&%1v5 z*j8o0$$|qgM@?l~A0MA%jULwJ&nFfyrWp}YQDvO4A!V1E8CFo*tFXWI5e7$YMJ>53CgNER;Kl|v*EuJ#(6;_5RM3tE zr7-9fhIAwztHa?OkI>busrz~~-)OC+`jjjfOcfXy`0d*_e<~@v44*CwZYJw=fY}Qk z_s3Bui}*BqMp!UEJa~F|6pMZwxCOKxK&4=sH*j#^Xa|(jgXIo#uFu232Mg=#>#AkR zKFqhKrlwQziU21X!gs6q@DlO?_3e?Y%GOFCbJTg^p5%O1L+~eGC5_&V$&hC&q;T%N zZ?K%8Gh;O-=)QDUDP&;tBGe&(*B?9Po1h0{zNCec{q-PD9zZ6%`{iOmvIxF65 
z?d%kr;*+*YZv@>^cWGo{t1+0f`4pFoPk~^E8=xeP~1pKpsX+fbTe27 zjzv_*n?}9f<|85`>W@~DinuWEDm!2=@WJ5$IfvSx>KbyE{v7$P@fi@C^UQ6(`1 zZzZHm$=z3A>k>_GPFDAPCGTJ0@X2P95%>jxewPcQ{ZgR=kwCNo4CNK@s}p^(qE9+f zULR)wpw9J9%ArCv7wPW$*zdgz(9PtbPGHhhivv#&`C=E?1J(uO`rn1=zkmO>8Uy-@ z?S32j?ZDX~B*CH_8y+rhVIeKTFL6+7IWZZ?=3BKJGNii`yO|XD|FQMfaZz<`)Ud=L zAxI-2sdR&Yl+vMe4vm9!cQ*=1NjFG$4Bh3>B_fTagwl=Vx4G}ltuGhEJ^K4m3UdNrTsg+fbK%6OyEN`!Iu0XDPUg z!KvZ3<94?DBC|Fqc;U4~3bPpXTi?pKU1bLL+!fQ>XFGU^Gi@q9!V+a zJ`E~3#Otoh-aKP2>$aCC+FU`)n(8k^fu?kZ=%v>_JP2Xp)ZSzKYV+8=IhVhAa{5{S z{wS{1F~YR`KocbQZ=;2eLaRG{fY$C0p|per!?)kgn1LNvdo7^deK+2DWBqJcRL52? z?oO=$iL^{rf%k4joM&z;kxe(zf?>JC>wGT~heEJu%W`uxqYE+-43&-wC*i2bG^)3p ze8cv6!;Na!(>mPOP=*}*p!_SxeUb7pv zmtDh4wJJ3Y<^V;;yl+`!I>Kqx`2dnx%LwQ(Lhy00m3?l*ysp%st@+a}zNbtyWx4+( zP+&W(qTb6yOc;Q+Yag5Jg{+jB2giC-uw{LpltnFl)d*Ngii$W$6k1?-N&prD4A+Ib z-I^Vjh*^3+G0vil4QS4O{gwq*Bt_~g9s14{2zqM44YCq-<_{BiNg7(riI1iHJ1Re& zJr!{fYtziuV?;)A%);qkv>NtY2s@BXmfx^01dae-V1E~Ok)1d62wU4u7d~9+k-YTkCm=F6T<<&7OU5!CS7La*f0GiVf+YuoTk0i%V89~c&VWW zyVk+O5+OL*K+;#@F}G^H&3j=tw~|a7-mW8UX`x^w9n|J^UgCG`@QTFLp^H1W?xe^d zE8CxQSa5Z9mGES)?4kBC0zdY*OSyJU!C?7lx34`C*>vnTo}p8^h{5XUvPzX)Y0EYY zr;%nD9@vA5?je+*UA^2}92HS&J~!@BgQ`alab%3TBFt9S6Ywz7xc0TuUy*-sGawHw z?DH)%@Vd^%*_vy|qaBqpzWyQgrw%@LCcSp4;WTZ}J_hr{$FK47-<~S*$KVi7E+u1- zzd?JKEyZPd(bgpRx`6=$fed(>i8Ca&HqN|Ae)H(ah?=6ir82_vX~zBS@&76fZgA7) z;mkXmq!SbGxX6xMAB_En6-i)JnW1ajJ)Q8)8ULMqcs5`vH4tWgkIw{BI2_Bc7y&}v zW>wl5ZDZiFy5)}W{qyR&(!nLKfb`&G#$#)tp2qXsJYa>x7nRD6<437JlCktjFIB1A zYT;4?%}*nBT-{=Cxr>V}jd(sfUW(#kG}I*Yz#dr7WFsme#*x;hjA7HqQg|41&i4Lh zuBrU+q}87rtQako3i&EQc0P7IEf|4HvGc=*!T7&TvrwwZ<_s%;Dn?M@fhw_d6j zLoo&Qd-vqLBm2-Gm)Y-&e42#p&f!%gFp(|-D^8?w4AhC8%*l)QSiRn9X!Jx?Vr4y; zt#@XE$xX|qAHo|glO}0}2WfG)gZK5NBME3}mx)L=gQxN^(vZUpd}Ud*h%UE}9?h42 zzLzJrIY~u1fjyrbb|h~1GF{bpUlAOZwxsmvEzux(f`HOdmMhK=VY2@`)R_?`C z&3dxn3Rf^1i3YBh*6t_t=*9>LkF?QcNJmjU&eJeu+?Ksc6lR^y4!?`vSu^$9je>h8 zvqQ;zn+(ILN6&q4jmhixUm?9Vw1YGY*DFRIJvrI2j^`i`JSM3$n(1W6jOe&=hzrz4 
z-YLz!EIzLRg#JpcR+4E7M-s4L!0$mh{GP|5L0&8IoIam9yz|FlG!ti*uun0vS~p)n z66fVy_)QEi{#CbC7E=+u-tjf2i3FF)b#7zg=fL6`-_FSy)F%q2kc%L++OfI~;cs%t`3#Ds4OV4~{?Aj+=F!diLh@>7~=*R?W?eTlt zKlXq7@d)|Jc7-KyoPv?ZO97g(Gy2!;Q}SHh`e7fAaE4VhHkeG+pcY6 zwB@#@*ST)d8-JF9$Ab~--gV9*uTuW9W>VdSUGl%X*a|y->9{Jqn8}G-%C{pmVrimL z>+<75$-%8g$34%E9N>l$9G|k9qxJTehfXJZi+YoHqv=$WRveMu%V?o(i;4#`LA&2_ z)d(PPR#dI-i*BjX!#zYFd{gwL@3jxhqL*=1;B*qbPxgazQ{1=inMZ$&XD-ggyy5RD z7PEv=xB01*PeXz0RTsEn{@4Y!#`eG6$CbWX`N5vATO$kR_{bn|@#?4uE<| z&;9NDw&}Ifi4;E^`>yM68>2UybOGtR3RUuefF`VT5DBBhEc7(#_C+H}S$G7)m{)qd_t7V0l+nmi3`Q2;{?pB>>_#e;O@_c}H!w_>kf1+N0 zJpU7qMPj5NKYY^R*iIfBw?c=z?cQ})J`Stv)~y`d@FNOsQ?#YG-*`3b!6Z-8o$y(J zY4}|qQNq6w>13vljB95?qphg2ZnlaL($IZ+573P!Ms9==x1gYB zcVP-v%VO$bMm6dI+_xbr@^C%Y<&T~;%U{Td%o*x0obv6pzgi?Y4nZaEWrn&ywaLib z^?CnrX@pGUYf8;H^D)x1I&G|7)P^9a4mSEvK28S2o`^eHN9A0YfLaK%P*-wTR%wqO ze-N}@#tLN@zg7YlcBfZ^)u*K2X=Qv_x}CF>NQ|ZP*im=q0~F}N=4j!1<&*jCls;)D zW8$K(j?U4LeRwG`;2=(7PGVIvZgP}UQtGQCV8AuvY;@!osjzdvz(B`D_cu6SiWa)B zuZT|D`tUmt6^3NC8D>J5@I|ZCQ$YTykf;KGT86)}?6>6eznIRp)3_o+{3B>^mg)Vj z=_MOwK7U&ZvbB_?jc2TRMMqz`FW;D#85YJKmF_LL;j^XwQ2&xl1e>M2sn-*ptTHgM z{^{}P+~tPq^2E{u1wrEVYLUD(_-Q4prSobsEPA=0)K~Qcxz*5xXO&~EQT!_ z+~PMHQL$;qY9-y8rCv@o{V%$vZL2O-A^UqkT9MxeutJp!0OW$~<562l~` z8k81+Qj_6V7IcQ746V*kQ^p-Ot7EMf>-lT6N4`ECt~aif{Og&kH0N)&a)bOw=#h6j z0%6U(EJgCDCq+kxUb|%LKVVh6Em5Tjcc?I8X(`fya-F8yLHSN8wTJ@SMPF16mW09K zamyE}aF45Z2_|2>XO$D!RxYb;Ho58=nXOjDt2PuYji%exFl}cIyXkX_Blk*xOu-&b z{H%y*=mV42gBqL&uZrkT-;cbzS$KE}+3@|zG=_>;F~IavJ45egUh!P&;=v5o<*h7d zCGcRn2VFLe;ThB{i0@P_TXxSL6>NJ~YhvFn*dfaG%sI{u#IEL=h1qsitQf?8bfwP1fbJYPx+n@5L7i1P|=)!>1mWyQIcuProWqz;GzU z&54s8rCUCSUsS=F$OxkEPUBEJlm5PcgI3#2(14y_)u$VDxBfb;P(H;tFZ%S-nO=;7~T*jD| ze|}c$2h0SL;s-!Wd5@D;%0B{@%ZR?PHdP2vNZGV}x3_L*dYFhg{=O%t>p3rorBhSr zhZ0ey+R2`J#e;WLE_0?VW(JrWH5x3MYw14b(0BbbX`Wp@LfMoo6l(G!e(?vW!ubN2 zpZnsHA}+BSKzT!3-Qk`mO0qWNIS@b)rC`8=^^mu7q{4sbL_ef-e*iE%BFpc#n0Q_I z?)um=ZKlp@dbMuaK&{1#%k!-){k1QUq8kk|ckhE*kI%+S9mZzMk#$XEh>FE#A~$~P 
zP*I`whsU~U*JXx4PRRFqGwFx^1I%9!5zUsF)2)MP(}2CTF&rJsK(0#_30~_{THpJH z{L1RTinR099U`n(+IGr+jrNNxw8C3<0%oFI+B!!b=TvCFt2d3F`6#1(IJx1h7g0CY zw#)hq{x*?SMKeH#(&PDY2yFmJK$cjBYw19q=$pKI;Q}<_xgsZ07?~(2soIrClLAkw9CP z#^MDV$edO!4-JKjm)6mKlL=Dosg>n{a{b+WVLv`S!pCRyJQ0^X&b+6=k31$mkpf0A zQTEbdAc7FZ5dt3*K7K^$bD~lUB1F02M-)SeY+peVl_)fsi6gJyOo#3?rHGGC{$ZJJIa#clD(7aJ-Dlv!=b-eeI7*5CN!9t5 z3Zz@O&*;Uf4lJi67aBwRr*2|%>=}&!DYoU*@F`!V2kCRL)XlUGQwdB%0BK(5r>r-i zi0i=K%nkCh2=4MY?+RdB}&E7O>du8IlgSGa)xvZ2BG32to zB(M>4Y$g(G2U4?%oHs>ia=$y3?w-IIy1h~Q=cv!*BOsN&Ngo@3`SF*xjXry8ll5mg z()RQe{itOiO&c*r7WT8vi@!ITDjGz1D+eoI%@-QEnq7B4fj-OyMK7UIQN7>u-#UO4 zzI^EV6$;uT(W|rFE@yS12I)>R^u^F2tcXS!JcdWKR+uOex6--TJ;v?dUGdk6Ga zU-P10seZY-oKVX3E>?9n-+?+?k0Y1XTX#h`tO37`MYAla8qZTs*M8ix`F4t6Gxjn; zk26-^yRB!1K_F%jEgSM7l?^#60345kC3CLkp<$=l zxVsyh#a|kMJj}V=-#vnJa%W0o|Gq7%XviScMN5hGS$<3R$c0TbMhJUy%p|s`uGsE( zLE#zkXzrfcoqw_Nf}!GD9Zj4mpS9KIa-`?5f~Ii)M`6ZC1yfz{;FNWQxFTmR@<+zQ-`|J(7z^c|}or7x}4yO8AK#AUJj&`dQBfkFx1@_g&!- zFja~hy0zbTbx>jaTFF`xO~*x}KQ+e(!`SsflROsYM}XV->j9(Ssze9x;xi4)^69=4 zEvE8{kQpZunED`#ZtWR}yWDqo?G7&_D85x&C~$fXMG{{?W5}sF=}7K4&C0usfHf&; zaZCxEfi`yehr@{z-gU}UiXA?{u6S-b13X*5yjQ`Nb~_HJwM)OpcIe{Q0x8?{pPvW!v{06bFOK7t|;4e29N>1HDpa`uv}Tz1G0M8KN}) zwR3E8PEadqo%)jr|7xr&DEa1eI<(o7NC`+!WxP%Y(cm|R-gv`ZZ*-Bc*d9g$g2^CD zh@@jQqtqam;@#zD*0bvc0pXc)a_Lt`p%Z-yU`v?#9XGm&*7PPJI)&_oxzRoozliPG z&g>HrPv^`(_Jwgk=S{^1bY-}(rY0n(T1Q>r>{}NGf-dPjan73Hs3Dz*NJ?(k2M zulw;$KC|agcO-UW8ymkaIu_H%m`YaB7Oy|WY^F<@Hz?jdt%nQWGA}yLMp5KH!FIdN z_^PXZrHi3T=3q!lDk~EbpnaxRS;s7TqWnm!)f5p?6q>AphsQ}9h=+?3N*hZ=xA~NB z^!koz#|6rNl9%Z`XhxNk@dvZ8#BA~JrTS#t+H20M@7#Fq9)VAub$pd>H#&1(|NU-3 z+-hWw4Gngsw}^B{&O^$UI@RN%m9c-Z)*UE4!H$?q!HC%iqjPV+RN&jF9ON2dsQND6 z8P~kQI?_`~?iiD?CZ?K$)i*8Q`Bf`kG%WY=;o$b!AGT33R+jZBc(J5mQh~vK92m$Po?H?#k2RizfbA~>}Q0~;la2)y&wKs814P_jv8qwCVF9LFB+Cn6=U(Uz{u z1lGeJvdCw?B5_-Cgji};`d?9c^*zUW?$L|7`<&#mJ{>$smbnvt@Toq)*DUYL8&VQ_-xL#8G~t>Y^%AUe zH;#8ku4CDL`=oC?_n3~_i?L2VbzJh9@mhZHCXq1!pNZ+o`O@8n z2TUIW1I>KQ`sbXaVoFHn%woe&)1$;UZ@<=O2px_RC@l|B`F8gAQT3sG4FM*mN!V0T 
zXABv^b>w_sbT>y|t~9Pi1R>+o>i>n)eT-&TEho`qp4)7-t8n*3h6$ruh2wUIR!?Us}qxiiE2Kr^-%+@IaALiw3 z6*7N&o*GtP0d4CN-5KO1SBOujXl`V z?xDDw!EL>s+PrZ3sVVHcM6HH%?Dul}p}gm@pYvN(iRC&BPFc#LMM5#(@kdxMo!cy{$wK(%+i`nV+#~Co6=ENgt ze>tbx316*1?XYo9i)%xLXJ@pn1VhgvT2MJ(s@>UbKea(78cL8*h2_kuERQLqeXFw7 zfBMpy(asHd?!m?6=8T}r5kkAhmVz0SXjkXIO+#l9X*ji#vy|l~!lBb) z63$fP(B^4MQ#2um%M$A1IhxXj;$ex^AiH7^7(CKVooIRoissY!Zb1eUAnqjXr=45n zr*45v4PKzqGZ1`~6y4a@W821tvj+JOZU1cyC%5m@IeG{)yglMvysNwTiUdPPazx^OFv_9=_;z3Yvm}8(3BH=*td$ni z&0%57QDis7ZxZBtCbcqy&dq%7q9V!-3rm>HzPA{z40&|G7M|U4sc7k7P2JWJ8H1Wo zQR{62GBUq%2z=gcM=CmeKBZ_!pWj7hV(s>C6;`47zaw&m~Nbl@+mO z^{r-y>mfOj8#nVe%T^E*pulasRYGWXRJl&)>aoFG{^LrgM4XDgo%vOpkWP)45D4oGGd<=Zz z9W0~6K~O8VK$%`ep7EuSyZOf$FDyO^%zl6hjYK?Gveslj=&_S|kf6dVZ5$Wp|4Z_V z!>Od6hbMRaj_X>nw)RZZQcx@t`@%Q6o(KCgW7VH_Y{&Q(K2VQK+9gDx3N{LfSH)8E zLEl_zjy^7(HqxqRu$z7qW%0XYQu(IQlu`SrKj(#^+APBQc~jKlVQv-oB4f(O_K;7v z$QBL0zOKjd&4IB)UpHqU&u>!-BM1|mcglXM=UVIkR|`PH_=-x&jr6r|t3dIGIS#}2 zg)(!X>9qq#%V`oB24aE0OKHtkSO0y@>Wkv&xTg$$#S zxe-&Z@}u?dBep0@Y|hHfPTS&&9je{hX2te5hAF`2kz)TO`1 zy8-<{l3#QcyaE_SKE3Lr7`sS@#S`_dj<&3`c%ev!Kc%BJxv|J|J=FO`{QukkI^7tNt5^1=I2! 
zX@beoqIkGT73&;?)e5P>cZHntoc+CXB35q^%S}}o!xVU91VMQ>-(!hcsuo;wn@p%> zZxF_-TY-mh8)j+x=uiGu=yM@uL@9M%g;z&ED8r(E<8>%E&{&eobL-EL>5dF!3Vi!x z*Vd^(5~*!yL?JI~w0_01q)QsV?8R@mi394!@Tafy|>`+t9g?fGD$_GMo@6jp)G)XA` zP(fsb*O((Yr|&CHS#jmf?MI(EwX@W&pB5XmdBP{OadpciX$Gn`jObO#pJqKQ^A3#p zoNV5k(Qy@r3J-+(ZA4aJ#3F;8YJq`I_A3=h&&-Dz^J9cgP=iAQ`M!5j&{*R8XVcjB z)5t6oNKg_*5k9}eQH2j2F{&>PoQ2~6MXiqPk!|}Ay&@XCBK@HDF*lcekxx(|r zGj>W6A?Gb+f&seZqaW<--`kc0v4+)n*>_Ah1B9kHzh8l+p8VUdJuZ1vjl?@3en>uI zy&|DG1B`^sbcMdcE3{AOr69%MID7gr)h!h_Eb*>N`rT66HT-G(YVa@5%$7cw4n*>#@NE3G*;r5g$p z*?*N#e?a3>%0jvxWfhP|J%VxBt-p^J9sKt?G)kaxE z!FZz z69=fIl`xvze!3(L+)IYYWqtRWHiuKurHz_+VW8mQSn-$^;m8J2dStv>9}$tGnEGO% zHU>{KQEKSxTaLE(Q?EJk9Gj%O$zgvp2R^hftWCX%;A=1+@0QHKSO@A+4pjr4*{KSB ztcnI|;fF$p<})ty=h^bJj$Q16mP5w19g1z2MfwfC*#@e9f(&5Cx#Y2PR`^Vai$Ig> zXXMxjWcYcpMK5LZiM&_#1GMz#!eiHYU;Z-+WOJDcO}?(D{b0fqAL3?gGK~bG`>R85uEq!p{OOwA4Dd%gS8o&NEE7*@(+ zam#!6BXNB=Q)K?B=U1uD1&7{}r0Bm*yEzHyRb@fr>h&Qu>)Whx;eOgUZ50u;(N6`w z|M=PitK~k>86^nhx+&8;8Paz|AC0)qbQ%>f71MngM?EEQ3Z@lw(=^TUG6^{ls({H% z9a_i#7(9dXrwu*5;hqoL3r!#GNA!tv*f3xjOWsrqsfkvcVhgP+tOu4@&Z-p$poK1qeqz?2!Ch$76b>u= zsrk-K!95p~F=4yE^Ym6UL~*y%Zv&xXWll8;yb!4XXb{u`RwsmH7a=>(;JUOZ!kCd9 zG&fl{ZKk}~xLWiXoJX({z5CF4CIH2l{T}Rbj;Kp<5{2@HCNKaM&egN;XJI1FThvqK zHz-ZoAu$;V5cez??l8HINl!d-n4FwFUH%t?ppUW~`t${t#9A=-#GC(8i0G`rl8FInsjf zLHEzK75lMG)C0DQ9S{c`ucQX)AbFxMiEzQyzY5%`H&9_B$Pj}BrLwGcL9)k)O9!hz z_)OH0r<$VofZu(vxLNdn58*}oT^Js)SlDcUDI4&Og&I8ON8iNak6)NU3(3_Ta%wqe zF?O)i|LJ9RCR~nxCcq*0v~fXJ;7l^;komd7D#1m*x00#jU5tV{$C0w#g# ze;)3C-z$oPce0wm-cmZ1A+gYTedGPJfu4zG??#V!-aVrJ)5g!q>Bu^j{|pXa?PZBG z6K(?LOAPoC7zU3x$y5eDo@XfQstZL>J`v{qcf5k$nD5`47~f>d=jA6nGJLk0XDVi$ z{;0N@3F58NDHnR0uMbbvaz*xfww;%;+pwUVgDh-yQ(Wq3=|BH&iepaMKg=ypiI1Y&ROj@Ri6>`7mTHh$Dm#J&# z1Vcghg+eqBRjJ8{7%i!0Rxj7K_fU@zz)MDe$RZOeX6@kCY``IpB)(&}?fOM^of)4A z0R~)xwdzw6a!ipZ^;IYFG?gKZCipGurh1+SSPXl9{`S#B;OpZxP&EiSe}B&Z6LMk@n9frra+s14 z05^q_Vou-!LE0fMVs7I19GDfRru58O6%is{XUo7yX_+7zD1d(viIR`CoiB!i91X%C 
z`vITLTren)S}iH9sCF5la9aofTXHV2`?}bv852DKMsB=<&RhQ4HKr7kl)4a46U&JL z?Do4`FGCKe=N;5jcqs~WVA-qHR8Xac5r#hhcVQrx$edYj6TyW&eDuU$O-W>u&=ZJc za{x8{awFOJb6i{y(A^S&JN0Q9`g{Po<<-qBzg|+a^mj*~mhv&k3i0~O9SGYmKLF-^ z!g&P+t3Y|#3+jDfv|kD{TvG)^KHq^;RcZmNpPW36k$61FQu)N)RHxOQ>s~l4pCNe4 z7;2K|dVBr1z-D*8f!{-WU)wChgto4=0_3FVQ?CKATLX&aE)0fr|GVqW*MT$33MoZw za$pOVDE#;q>5k~X&yw><*sz-q<#_~sUTTxITEAIm;o1gGn z5&{#x5Ky3*4N5kF(z_^yC3rvs2ND0bsre~Ag(7`laB2194YZ4y0LN zqqYp3%{XH;qzy4@P=|of+!!b(>G9v*F+W>p-3GE_Ue0?1Pn1sLJOcm|p^f(M7DcOv zLA6#kP%GY%=?y7z!Vu`kg1Mcfq@*v8hk4*eU4h6nt~ZybXz>`ofjoD~|3qx}Mw?tL@>2r}wae!D23WKG?^FXu<8 zCq^iyzZ{>zQxsT_Z`}Yw`cn^?a{Od{b`l_jHZ>R<9OUj?014Mt*&Tr6B6z!W^rWp& zY|w|}UgLubS;w`*-HF0zYQ8E9LN%?vr--Ap)H-IK0_isyG00--)SrEf!mU15wh;6a zum~Y-sxsIYfDT0I zyZ18)J9-83#U8jYP=A9WtyFZb z`Ey_jNPO=4{>tU-=3640{r()0Jz^m~AtC5j-uwB}J`-t@&l!nPJIr-Q?bjD262oGw z439hBp#suSs7ktcx=kPta}B5T0tjH9cn z_2{tJ9+!f0iF&gk5fRlF_%Vn=4i4%AF}W@oM7H;sMbbBkN;gw-B*>tu>K$E(;qw;MQP)G^Qfr`d0WEN@T{*V-bS z)$XnyNbLNLrer0A*}dX`m{Dd0zjkXR3S-+-=ZfMcA`rpppa$S`saY)|tyBez?YE2#q(AZE_fRL~30iLrU2E`(A+g)L& z_~Y#k-&H8y%Gzh!(vd`!r#_g&APlSH-|HHc3jNvc%*5;^g&L$EGI-ShhA+C$8Y$;F zK%>8y!8`I#@0vM*-Yu79y>eQ?klXT^8@~#6eD_ur`Ez_|D99-G_k6_zRTd;ocAR47 zDb#%Ew3jNu0PJq})sEAtc4|YsKLC&pfv0D~m&59)6Nj3cGtz@^chx>8taTkJEPPnr zy5i&~X|#GHon7eu;VZ!vFjY!JL32m7VJ(ymnyIO5C*uHas8PlGLWw3x8U7ESFyfO> zIO%1CBY|trJlS&W)c>5(nHf9|V>tK-W#1y>n5R`TK$xv{l7d_};D_hq{xn^(|YRyL}fZ0ue`r?=0f1#6pNNU*Fd zVbTz8Zu=pBq--LV(0mqrmQd_fXH^wd>K6c!`AlozS}E0-2hZ4C2|szU!ii%>)H<_$ zG&NwZ!Z2>#v7QlC9P9t-H+$K_&K0q)aO`QaaTJ%#z>#x1mvQehz&qT9?+@>U2f}5V zj-HnR$E?*4BnF)RgKACa&8SO2fbs=UAzyxmC<~el5=M~okNVqn_}&cPY2zr}RDTC@ z{b3gXUU>Oz7tC|E!D3w7*5$&f^^(SQ6lBCNBl(B9O8NCX=max7nagB%zE76MB*X;` zjR`!o;&)J3x?*AGzXuoS4BGToB@f0UAJ+mEr-1(9A@7<=KFy4P_7U&-@g*` z0u$iydsw>>%}_7Z#yrzzRamL^!}S)gArg@r9Z{drK`kWafGc#=tzMHr>{GosFlXU9 zD}6_u*f*eA2F1HKN!F<~4*;nUa^)Lcni^2n8j5~a(zb&4gOt||k zynNBNMLV4KV&Lg8CrGv)_TEt~ZBvB#xb!}{u6Cr$d@6v?A)gZ1!Dl00S)o7fgg_tm zJe2xTqBHs9YUigLc|V2sn27uD+pCyV*xj#2qln1+xH7^ck2_CPmgs=!-+)W}62$E5 
zl8Y^7{LJ}H%5|!c`N^Gy{VpvQM`c>lB0~W@kPjAh!1bDkFm3&KK^jsMkTtbI&9k}n zhj0JvKJ7Krz7%97l)t<{EXSDPdh!nQFL}Q#>rHv^AYenY0lr2vPXX4e4__T^8We+~ z2R2+70CP61XkSAf^H&nMDv6w`8^0~mYpO=l5@+9jA^_Yz%XLEl-FSU{Jk~!vjQC6= zVQobm6|oXHGrQy)?q)X99qhF)QZldkyq+_(?Iw(&YUg~(;ay);<4(Gha<=tsE_MBw zO~XoOwnULZ6ZhHPQnbj`x$!Vt!}1=m42v+!t$1kiU9ZTH35iZEprL)F zm*MrMkza2I8-y5PyRh3E$5T_qzeHK1J=-~o!b;#PwgXDwqrtuo15_EByxZP_MQe2} zZtKw?%S!{QGCUe#@iJndez|$+9~;5Ul%b z`@%wppTTq2xf%FOyH(PF61vZy(`mT*A9eX;Zn`mo`TZ!NN9px8lY_rlVp2cZ2)R*0 z;N%T95(D^j2ea3I-Hoo@31-=J=Q?r?ZYap^C*V?3?slHP@%<8&q;tPS$p%BCAJV_M z9QpK=RXZvC=fi;Er;kF{0wwS=luQkG2H&Q>RMPvhdWnq+i4=4piH}A zR1&6S{rwkXs7RB{V`1mD$X=aq=V$Zx!U>dbiuCuLIPkZiInUqlf2&v+SjDC)F)WX1 zg<_z+!0hVGsJGkNyM>uV_q=(9!ip|blP%4Ef{bqUT2n5$?)k(0JLg)%=tjHnbMky&sxx9d$GPKMy=-BuphV8FoUaV(S!l5BRjFT~6-=l3aXSA`~ zAN^WB5|GsGOtzSfW!IY$BsJqz=vMOEpmcd#SC-*VwoXuGy8Sw4W@WSBi_^sOczHHK za5QI|#d@LLDOk9Bfwt6w@+$fX7cxi}o-{NTwXmn-lDh!3(FIsSYuv)PPqE0^D);zG zfhDI@{hr6rdOnL`{tVhoLozlp+FimXbLK^dn5so?qP3#+)Dp~H{ z%A`}SlkYNW_6&CdQ(<>zgf0|&Y^LI8Ek^#t+h+oQ`{i6~(|69EQy z(Qa|OYkrCHaQLGj{{Ly*sO~WXpF95Xax^Y9*Ocu?vD+inxA6z1DuK|B_Y+d8qL_pQ z{{KWcJE-Yz$HCc?pD~87=^n0az6a3>McVUhQwYh0p(n-@=*S=vJx4zubz1796CshF z3uCI}%)gcMA-YyJi)+#q7cqG#p&Xnm7epd>(pVi2#v+j2Pj${qZf5?Z#FsUReO?+?`XzgA5 zlAJD9|A~EX%tVuPt4m}5m7n>hy0dw#c}~NdE-in<^adcydlQCK@fpi^0@jSEOKD=9 zY=p!Hx%UTB^A!|E2r@v@wZO=`w10@v%DsE|4S&;S1l&(c_qSe2zu`9L5~~ zrc+yiV7x#Kzuh3y_`#VG{bz&j4=PD{Ii?;-a2mn{#fq#@&jf;7mrqF)3GT{B4HK)` zXqu}u5Fi=g55Wg)WlwsuNj{)y?hiS*C&DsTZw9}vna`rJ9CA4V6ls&x!|@Vm`y~cq z>1+(u)O#Z$9+hd=KT4Y_m$0=RH(pWt!0Oa@`<1@C$XPPr7vi~kh1%mfa$d3TOMtpD ze-?`U@e}hsz83~mVY?C~$0(!RJoe@2af=$$e*eLFvS@3e)4bS8@S zIsU;@Lms?y7bU6R_}P&aM+bq2Ykg@H50lZ=je8@w?kM?f(*vNCAe~lm@CB?0r2ZmL@&|?X6tGGf1BQ{nP_gyDRc&8pwrKkJJ)+w+KG88y)Ly z&ai#nsK==FsWa7I>2H11f3*Nvcf$~$ngy16*B;apyDaOoAQ#$0Wn@aI=z(s#w}9`} zE`JTl4&dZI004fnJAZ#lGn&B?sNjBYW@ZdLR4?wK9`M#G({GuwZkq&!?M_8vkz~A& z+;JsSk{G-xoQAoQh1@D;hvKhBUAMj=0RyRCKpKq~D3HIfTNJJ=4Te(64e>$4#+40} zwoHX)45n&;ADo&J@SDCrqT~QwpEC1Xqk}Q0_) 
zD|8(Z#-~)~(y}k`t7{>lDf!qcN}y`lXd`CC1-)_s)EyyVI>lEdrzu#ep62IP?=O#=9kC`Im}FG{L>@C-;B&-^m61TOqx z=*Rs!Q*W=n0=CokkH-$YualrpRaNzob2P9b*l#_?8GX6-h)3q0lm(7JX%pS%Da#nJ z)_TJZ-;GYRZocD>Ja{la-3F8dW-Saep4A*%F>Ad?HG)i#bhXZD*)k`#@P*X(3|0Jm zF{TVvItofVg9?rBaUDsQX9;tzpcELUIq(Zvk8 zUF-PHfLv(XMyl2DA>2Fi+Z+45eE$O=+EFJkp<6gQ+y?+71mxA<0kpR9z7jZt;%IAY z(^n6znPR|!Rh7gCOriq>fzp%Ebr*6zYfd~BX-BqDlOL0TZ#Onyr2)U%Zcw~n^~Dn? zO?o#DzzzgE0M?4lAY^#T|I>Lw1@~BYEKb(!}^AHltWBP7^#m{3Xq%O?$_=3K5jP=XYbUuS^S>?v

    - GKE multitenant -

    - -The overall architecture is based on the following design decisions: - -- All clusters are assumed to be [private](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), therefore only [VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips) are supported. -- Logging and monitoring configured to use Cloud Operations for system components and user workloads. -- [GKE metering](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering) enabled by default and stored in a bigquery dataset created within the project. -- Optional [GKE Fleet](https://cloud.google.com/kubernetes-engine/docs/fleets-overview) support with the possibility to enable any of the following features: - - [Fleet workload identity](https://cloud.google.com/anthos/fleet-management/docs/use-workload-identity) - - [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/overview) - - [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/overview) - - [Anthos Identity Service](https://cloud.google.com/anthos/identity/setup/fleet) - - [Multi-cluster services](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-services) - - [Multi-cluster ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress). -- Support for [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview), [Hierarchy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/hierarchy-controller), and [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller) when using Anthos Config Management. -- [Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac) can be enabled to facilitate the creation of flexible RBAC policies referencing group principals. 
-- Support for [application layer secret encryption](https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets). -- Support to customize peering configuration of the control plane VPC (e.g. to import/export routes to the peered network) -- Some features are enabled by default in all clusters: - - [Intranode visibility](https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility) - - [Dataplane v2](https://cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2) - - [Shielded GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes) - - [Workload identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) - - [Node local DNS cache](https://cloud.google.com/kubernetes-engine/docs/how-to/nodelocal-dns-cache) - - [Use of the GCE persistent disk CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) - - Node [auto-upgrade](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades) and [auto-repair](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair) for all node pools - - - -## Basic usage - -The following example shows how to deploy two clusters and one node pool for each - -```hcl -locals { - cluster_defaults = { - private_cluster_config = { - enable_private_endpoint = true - master_global_access = true - } - } - subnet_self_links = { - ew1 = "projects/prj-host/regions/europe-west1/subnetworks/gke-0" - ew3 = "projects/prj-host/regions/europe-west3/subnetworks/gke-0" - } -} - -module "gke-fleet" { - source = "./fabric/blueprints/gke/multitenant-fleet/" - project_id = var.project_id - billing_account_id = var.billing_account_id - folder_id = var.folder_id - prefix = "myprefix" - iam_by_principals = { - "group:gke-admin@example.com" = [ - "roles/container.admin" - ] - } - iam = { - "roles/container.clusterAdmin" = [ - "serviceAccount:cicd@my-cicd-project.iam.gserviceaccount.com" - ] - } - clusters 
= { - cluster-0 = { - location = "europe-west1" - private_cluster_config = local.cluster_defaults.private_cluster_config - vpc_config = { - subnetwork = local.subnet_self_links.ew1 - master_ipv4_cidr_block = "172.16.10.0/28" - } - } - cluster-1 = { - location = "europe-west3" - private_cluster_config = local.cluster_defaults.private_cluster_config - vpc_config = { - subnetwork = local.subnet_self_links.ew3 - master_ipv4_cidr_block = "172.16.20.0/28" - } - } - } - nodepools = { - cluster-0 = { - nodepool-0 = { - node_config = { - disk_type = "pd-balanced" - machine_type = "n2-standard-4" - spot = true - } - } - } - cluster-1 = { - nodepool-0 = { - node_config = { - disk_type = "pd-balanced" - machine_type = "n2-standard-4" - } - } - } - } - vpc_config = { - host_project_id = "my-host-project-id" - vpc_self_link = "projects/prj-host/global/networks/prod-0" - } -} -# tftest modules=8 resources=46 -``` - -## GKE Fleet - -This example deploys two clusters and configures several GKE Fleet features: - -- Enables [multi-cluster ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress) and sets the configuration cluster to be `cluster-eu1`. -- Enables [Multi-cluster services](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-services) and assigns the [required roles](https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#authenticating) to its service accounts. -- A `default` Config Management template is created with binary authorization, config sync enabled with a git repository, hierarchy controller, and policy controller. -- The two clusters are configured to use the `default` Config Management template. 
- -```hcl -locals { - subnet_self_links = { - ew1 = "projects/prj-host/regions/europe-west1/subnetworks/gke-0" - ew3 = "projects/prj-host/regions/europe-west3/subnetworks/gke-0" - } -} - -module "gke" { - source = "./fabric/blueprints/gke/multitenant-fleet/" - project_id = var.project_id - billing_account_id = var.billing_account_id - folder_id = var.folder_id - prefix = "myprefix" - clusters = { - cluster-0 = { - location = "europe-west1" - vpc_config = { - subnetwork = local.subnet_self_links.ew1 - } - } - cluster-1 = { - location = "europe-west3" - vpc_config = { - subnetwork = local.subnet_self_links.ew3 - } - } - } - nodepools = { - cluster-0 = { - nodepool-0 = { - node_config = { - disk_type = "pd-balanced" - machine_type = "n2-standard-4" - spot = true - } - } - } - cluster-1 = { - nodepool-0 = { - node_config = { - disk_type = "pd-balanced" - machine_type = "n2-standard-4" - } - } - } - } - fleet_features = { - configmanagement = true - identityservice = true - multiclusteringress = "cluster-0" - multiclusterservicediscovery = true - servicemesh = true - } - fleet_workload_identity = true - fleet_configmanagement_templates = { - default = { - binauthz = true - config_sync = { - git = { - policy_dir = "configsync" - secret_type = "none" - source_format = "hierarchy" - sync_branch = "main" - sync_repo = "https://github.com/myorg/myrepo" - } - prevent_drift = true - source_format = "hierarchy" - } - hierarchy_controller = { - enable_hierarchical_resource_quota = true - enable_pod_tree_labels = true - } - policy_controller = { - audit_interval_seconds = 30 - exemptable_namespaces = ["kube-system"] - log_denies_enabled = true - referential_rules_enabled = true - template_library_installed = true - } - version = "1.10.2" - } - } - fleet_configmanagement_clusters = { - default = ["cluster-0", "cluster-1"] - } - vpc_config = { - host_project_id = "my-host-project-id" - vpc_self_link = "projects/prj-host/global/networks/prod-0" - } -} -# tftest modules=9 
resources=57 -``` - - - -## Files - -| name | description | modules | -|---|---|---| -| [gke-clusters.tf](./gke-clusters.tf) | GKE clusters. | gke-cluster-standard | -| [gke-hub.tf](./gke-hub.tf) | GKE hub configuration. | gke-hub | -| [gke-nodepools.tf](./gke-nodepools.tf) | GKE nodepools. | gke-nodepool | -| [main.tf](./main.tf) | Project and usage dataset. | bigquery-dataset · iam-service-account · project | -| [outputs.tf](./outputs.tf) | Output variables. | | -| [variables.tf](./variables.tf) | Module variables. | | - -## Variables - -| name | description | type | required | default | -|---|---|:---:|:---:|:---:| -| [billing_account_id](variables.tf#L17) | Billing account ID. | string | ✓ | | -| [folder_id](variables.tf#L131) | Folder used for the GKE project in folders/nnnnnnnnnnn format. | string | ✓ | | -| [prefix](variables.tf#L189) | Prefix used for resource names. | string | ✓ | | -| [project_id](variables.tf#L198) | ID of the project that will contain all the clusters. | string | ✓ | | -| [vpc_config](variables.tf#L210) | Shared VPC project and VPC details. | object({…}) | ✓ | | -| [clusters](variables.tf#L22) | Clusters configuration. Refer to the gke-cluster module for type details. | map(object({…})) | | {} | -| [deletion_protection](variables.tf#L89) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | bool | | false | -| [fleet_configmanagement_clusters](variables.tf#L96) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} | -| [fleet_configmanagement_templates](variables.tf#L103) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. 
| map(any) | | {} | -| [fleet_features](variables.tf#L111) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) | | null | -| [fleet_workload_identity](variables.tf#L124) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool | | false | -| [iam](variables.tf#L136) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | -| [iam_by_principals](variables.tf#L143) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | -| [labels](variables.tf#L150) | Project-level labels. | map(string) | | {} | -| [nodepools](variables.tf#L156) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | -| [project_services](variables.tf#L203) | Additional project services to enable. | list(string) | | [] | - -## Outputs - -| name | description | sensitive | -|---|---|:---:| -| [cluster_ids](outputs.tf#L17) | Cluster ids. | | -| [clusters](outputs.tf#L24) | Cluster resources. | | -| [project_id](outputs.tf#L29) | GKE project id. | | - diff --git a/blueprints/gke/multitenant-fleet/gke-clusters.tf b/blueprints/gke/multitenant-fleet/gke-clusters.tf deleted file mode 100644 index 8a6fa3211d..0000000000 --- a/blueprints/gke/multitenant-fleet/gke-clusters.tf +++ /dev/null 
@@ -1,45 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description GKE clusters.
-
-module "gke-cluster" {
- source = "../../../modules/gke-cluster-standard"
- for_each = var.clusters
- name = each.key
- project_id = module.gke-project-0.project_id
- cluster_autoscaling = each.value.cluster_autoscaling
- description = each.value.description
- enable_features = each.value.enable_features
- enable_addons = each.value.enable_addons
- issue_client_certificate = each.value.issue_client_certificate
- labels = each.value.labels
- location = each.value.location
- logging_config = each.value.logging_config
- maintenance_config = each.value.maintenance_config
- max_pods_per_node = each.value.max_pods_per_node
- min_master_version = each.value.min_master_version
- monitoring_config = each.value.monitoring_config
- node_locations = each.value.node_locations
- private_cluster_config = each.value.private_cluster_config
- release_channel = each.value.release_channel
- vpc_config = merge(each.value.vpc_config, {
- network = coalesce(
- each.value.vpc_config.network, var.vpc_config.vpc_self_link
- )
- })
- deletion_protection = var.deletion_protection
-}
diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md
index 8fad3b48db..2dd1505b6c 100644
--- a/fast/stages/3-gcve-dev/README.md
+++ b/fast/stages/3-gcve-dev/README.md
@@ -167,16 +167,16 @@ terraform apply | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | -| [environments](variables-fast.tf#L32) | Long environment names. | object({…}) | ✓ | | -| [prefix](variables-fast.tf#L49) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | -| [folder_ids](variables-fast.tf#L42) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | +| [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | +| [environments](variables-fast.tf#L27) | Long environment names. | object({…}) | ✓ | | +| [prefix](variables-fast.tf#L44) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | +| [folder_ids](variables-fast.tf#L37) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | | [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | [iam_by_principals](variables.tf#L24) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {…} | | [private_cloud_configs](variables.tf#L54) | The VMware private cloud configurations. Key is used for the private cloud name suffix. 
| map(object({…})) | | {} | -| [stage_name](variables.tf#L76) | FAST stage name used to find resource ids. Must match name defined for the stage in resource management. | string | | "gcve-dev" | -| [vpc_self_links](variables-fast.tf#L59) | FAST host VPC self links. | map(string) | | {} | +| [stage_config](variables.tf#L76) | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | +| [vpc_self_links](variables-fast.tf#L54) | FAST host VPC self links. | map(string) | | {} | ## Outputs diff --git a/fast/stages/3-gcve-dev/main.tf b/fast/stages/3-gcve-dev/main.tf index f4f6cf25d4..2772f9df37 100644 --- a/fast/stages/3-gcve-dev/main.tf +++ b/fast/stages/3-gcve-dev/main.tf @@ -17,7 +17,7 @@ # tfdoc:file:description Locals and project-level resources. locals { - folder_id = var.folder_ids[var.stage_name] + folder_id = var.folder_ids[var.stage_config.name] } module "gcve-project-0" { @@ -29,7 +29,9 @@ module "gcve-project-0" { iam = var.iam iam_by_principals = var.iam_by_principals labels = { - environment = lower(var.environments["dev"].name) + environment = lower( + var.environments[var.stage_config.environment].name + ) } services = [ "compute.googleapis.com", diff --git a/fast/stages/3-gcve-dev/variables-fast.tf b/fast/stages/3-gcve-dev/variables-fast.tf index 8f84cffc2f..fddbf7ec1f 100644 --- a/fast/stages/3-gcve-dev/variables-fast.tf +++ b/fast/stages/3-gcve-dev/variables-fast.tf @@ -20,13 +20,8 @@ variable "billing_account" { # tfdoc:variable:source 0-bootstrap description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." type = object({ - id = string - is_org_level = optional(bool, true) + id = string }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } } variable "environments" { 
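Review bot: The `billing_account` description left as context in the variables-fast.tf hunk still tells users to set `is_org_level` to false, but the new type is `object({ id = string })` and the validation on that attribute is removed, so the text documents a field the variable no longer has. Terraform discards attributes that are not in an object type constraint during conversion, so an input that still sets `is_org_level = false` (for example from a linked tfvars file) would be accepted and silently ignored rather than rejected. I would change the line to `description = "Billing account id."` and regenerate the README tables, which repeat the old sentence for both 3-gcve-dev and 3-gke-dev. Whether anything in this stage still depended on the flag is not visible in this hunk.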
diff --git a/fast/stages/3-gcve-dev/variables.tf b/fast/stages/3-gcve-dev/variables.tf index 18ce9af3b9..00ac247532 100644 --- a/fast/stages/3-gcve-dev/variables.tf +++ b/fast/stages/3-gcve-dev/variables.tf @@ -73,8 +73,14 @@ variable "private_cloud_configs" { default = {} } -variable "stage_name" { - description = "FAST stage name used to find resource ids. Must match name defined for the stage in resource management." - type = string - default = "gcve-dev" +variable "stage_config" { + description = "FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management." + type = object({ + environment = string + name = string + }) + default = { + environment = "dev" + name = "gcve-dev" + } } diff --git a/fast/stages/3-gke-dev/.fast-stage.env b/fast/stages/3-gke-dev/.fast-stage.env new file mode 100644 index 0000000000..c16e68d5bd --- /dev/null +++ b/fast/stages/3-gke-dev/.fast-stage.env @@ -0,0 +1,4 @@ +FAST_STAGE_DESCRIPTION="GKE (dev)" +FAST_STAGE_LEVEL=3 +FAST_STAGE_NAME=gke-dev +FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman 2-networking" diff --git a/fast/stages/3-gke-dev/README.md b/fast/stages/3-gke-dev/README.md new file mode 100644 index 0000000000..41bc82036c --- /dev/null +++ b/fast/stages/3-gke-dev/README.md @@ -0,0 +1,217 @@ +# GKE Multitenant + +This stage allows creation and management of a fleet of GKE multitenant clusters for a single environment, optionally leveraging GKE Hub to configure additional features. + +The following diagram illustrates the high-level design of created resources, which can be adapted to specific requirements via variables: + +
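Review bot: The `stage_config` description in the variables.tf hunk was carried over from `stage_name` and only talks about the name, while the new `environment` attribute is what main.tf uses as the key into `var.environments` for the project's `environment` label. Both attributes are required by the object type, so an override that sets only `name` fails type conversion, and an `environment` value that is not a key of `var.environments` only surfaces as an index error at plan time. I would document both attributes, e.g. `description = "FAST stage configuration: name is the key into folder_ids and must match the stage name in resource management, environment is the key into environments."`, and consider `environment = optional(string, "dev")` so partial overrides keep the default. The two main.tf hunks that read these attributes are earlier in the patch.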

    + GKE multitenant +

    + + +- [Design overview and choices](#design-overview-and-choices) +- [How to run this stage](#how-to-run-this-stage) + - [Provider and Terraform variables](#provider-and-terraform-variables) + - [Impersonating the automation service account](#impersonating-the-automation-service-account) + - [Variable configuration](#variable-configuration) + - [Running the stage](#running-the-stage) +- [Customizations](#customizations) + - [Clusters and node pools](#clusters-and-node-pools) + - [Fleet management](#fleet-management) +- [Files](#files) +- [Variables](#variables) +- [Outputs](#outputs) + + +## Design overview and choices + +The general idea behind this stage is to deploy a single project hosting multiple clusters leveraging several useful GKE features like Config Sync, which lend themselves well to a multitenant approach to GKE. + +Some high level choices applied here: + +- all clusters are created as [private clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) which then need to be [VPC-native](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips). +- Logging and monitoring uses Cloud Operations for system components and user workloads. +- [GKE metering](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering) is enabled by default and stored in a BigQuery dataset created within the project. 
+- [GKE Fleet](https://cloud.google.com/kubernetes-engine/docs/fleets-overview) can be optionally with support for the following features: + - [Fleet workload identity](https://cloud.google.com/anthos/fleet-management/docs/use-workload-identity) + - [Config Management](https://cloud.google.com/anthos-config-management/docs/overview) + - [Service Mesh](https://cloud.google.com/service-mesh/docs/overview) + - [Identity Service](https://cloud.google.com/anthos/identity/setup/fleet) + - [Multi-cluster services](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-services) + - [Multi-cluster ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress). +- Support for [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview) and [Hierarchy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/hierarchy-controller) when using Config Management. +- [Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac) can be enabled to facilitate the creation of flexible RBAC policies referencing group principals. +- Support for [application layer secret encryption](https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets). 
+- Some features are enabled by default in all clusters: + - [Intranode visibility](https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility) + - [Dataplane v2](https://cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2) + - [Shielded GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes) + - [Workload identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) + - [Node local DNS cache](https://cloud.google.com/kubernetes-engine/docs/how-to/nodelocal-dns-cache) + - [Use of the GCE persistent disk CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) + - Node [auto-upgrade](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades) and [auto-repair](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair) for all node pools + +## How to run this stage + +This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management, security and networking stages. + +It's of course possible to run this stage in isolation, refer to the *[Running in isolation](#running-in-isolation)* section below for details. + +Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. + +### Provider and Terraform variables + +As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. + +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). 
The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. + +```bash +../fast-links.sh ~/fast-config + +# File linking commands for GKE (dev) stage + +# provider file +ln -s ~/fast-config/providers/3-gke-dev-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/3-gke-dev.auto.tfvars ./ +``` + +```bash +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 + +# File linking commands for GKE (dev) stage + +# provider file +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gke-dev-providers.tf ./ + +# input files from other stages +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/3-gke-dev.auto.tfvars ./ +``` + +### Impersonating the automation service account + +The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
+ +### Variable configuration + +Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: + +- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above +- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above +- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file + +The latter set is explained in the [Customization](#customizations) sections below, and the full list can be found in the [Variables](#variables) table at the bottom of this document. + +### Running the stage + +Once provider and variable values are in place and the correct user is configured, the stage can be run: + +```bash +terraform init +terraform apply +``` + +## Customizations + +This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables allow management of clusters, nodepools, and fleet registration and configurations. 
+ +### Clusters and node pools + +This is an example of declaring a private cluster with one nodepool via `tfvars` file: + +```hcl +clusters = { + test-00 = { + description = "Cluster test 0" + location = "europe-west8" + private_cluster_config = { + enable_private_endpoint = true + master_global_access = true + } + vpc_config = { + subnetwork = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke" + master_ipv4_cidr_block = "172.16.20.0/28" + master_authorized_ranges = { + private = "10.0.0.0/8" + } + } + } +} +nodepools = { + test-00 = { + 00 = { + node_count = { initial = 1 } + } + } +} +# tftest skip +``` + +If clusters share similar configurations, those can be centralized via `locals` blocks in this stage's `main.tf` file, and merged in with clusters via a simple `for_each` loop. + +### Fleet management + +Fleet management is entirely optional, and uses two separate variables: + +- `fleet_config`: specifies the [GKE fleet](https://cloud.google.com/anthos/fleet-management/docs/fleet-concepts#fleet-enabled-components) features to activate +- `fleet_configmanagement_templates`: defines configuration templates for specific sets of features ([Config Management](https://cloud.google.com/anthos-config-management/docs/how-to/install-anthos-config-management) currently) + +Clusters can then be configured for fleet registration and one of the config management templates attached via the cluster-level `fleet_config` attribute. + + + +## Files + +| name | description | modules | +|---|---|---| +| [gke-clusters.tf](./gke-clusters.tf) | GKE clusters. | gke-cluster-standard · gke-nodepool | +| [gke-hub.tf](./gke-hub.tf) | GKE hub configuration. | gke-hub | +| [main.tf](./main.tf) | Project and usage dataset. | bigquery-dataset · iam-service-account · project | +| [outputs.tf](./outputs.tf) | Module outputs. | | +| [variables-fast.tf](./variables-fast.tf) | None | | +| [variables-fleet.tf](./variables-fleet.tf) | GKE fleet configurations. 
| | +| [variables.tf](./variables.tf) | Module variables. | | + +## Variables + +| name | description | type | required | default | producer | +|---|---|:---:|:---:|:---:|:---:| +| [billing_account](variables-fast.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [environments](variables-fast.tf#L25) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L51) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [clusters](variables.tf#L17) | Clusters configuration. Refer to the gke-cluster module for type details. | map(object({…})) | | {} | | +| [deletion_protection](variables.tf#L88) | Prevent Terraform from destroying data resources. | bool | | false | | +| [fleet_config](variables-fleet.tf#L19) | Fleet configuration. | object({…}) | | null | | +| [fleet_configmanagement_templates](variables-fleet.tf#L35) | Sets of fleet configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} | | +| [folder_ids](variables-fast.tf#L35) | Folder name => id mappings. | map(string) | | {} | 1-resman | +| [host_project_ids](variables-fast.tf#L43) | Shared VPC host project name => id mappings. | map(string) | | {} | 2-networking | +| [iam](variables.tf#L95) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | +| [iam_by_principals](variables.tf#L102) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | +| [labels](variables.tf#L109) | Project-level labels. | map(string) | | {} | | +| [nodepools](variables.tf#L115) | Nodepools configuration. 
Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | | +| [stage_config](variables.tf#L148) | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | | +| [subnet_self_links](variables-fast.tf#L61) | Subnet VPC name => { name => self link } mappings. | map(map(string)) | | {} | 2-networking | +| [vpc_config](variables.tf#L160) | VPC-level configuration for project and clusters. | object({…}) | | {…} | | +| [vpc_self_links](variables-fast.tf#L69) | Shared VPC name => self link mappings. | map(string) | | {} | 2-networking | + +## Outputs + +| name | description | sensitive | consumers | +|---|---|:---:|---| +| [cluster_ids](outputs.tf#L15) | Cluster ids. | | | +| [clusters](outputs.tf#L22) | Cluster resources. | | | +| [project_id](outputs.tf#L27) | GKE project id. | | | + diff --git a/blueprints/gke/multitenant-fleet/diagram.png b/fast/stages/3-gke-dev/diagram.png similarity index 100% rename from blueprints/gke/multitenant-fleet/diagram.png rename to fast/stages/3-gke-dev/diagram.png diff --git a/blueprints/gke/multitenant-fleet/gke-nodepools.tf b/fast/stages/3-gke-dev/gke-clusters.tf similarity index 52% rename from blueprints/gke/multitenant-fleet/gke-nodepools.tf rename to fast/stages/3-gke-dev/gke-clusters.tf index 46c9cae339..d881711673 100644 --- a/blueprints/gke/multitenant-fleet/gke-nodepools.tf +++ b/fast/stages/3-gke-dev/gke-clusters.tf @@ -1,5 +1,5 @@ /** - * Copyright 2024 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ * limitations under the License. */ -# tfdoc:file:description GKE nodepools. +# tfdoc:file:description GKE clusters. locals { nodepools = merge([ 
@@ -26,6 +26,49 @@ locals { }) } ]...) + subnet_self_links = try( + var.subnet_self_links[var.vpc_config.vpc_self_link], {} + ) + vpc_self_link = lookup( + var.vpc_self_links, + var.vpc_config.vpc_self_link, + var.vpc_config.vpc_self_link + ) +} + +module "gke-cluster" { + source = "../../../modules/gke-cluster-standard" + for_each = var.clusters + name = each.key + project_id = module.gke-project-0.project_id + cluster_autoscaling = each.value.cluster_autoscaling + description = each.value.description + enable_features = each.value.enable_features + enable_addons = each.value.enable_addons + issue_client_certificate = each.value.issue_client_certificate + labels = each.value.labels + location = each.value.location + logging_config = each.value.logging_config + maintenance_config = each.value.maintenance_config + max_pods_per_node = each.value.max_pods_per_node + min_master_version = each.value.min_master_version + monitoring_config = each.value.monitoring_config + node_locations = each.value.node_locations + private_cluster_config = each.value.private_cluster_config + release_channel = each.value.release_channel + vpc_config = merge(each.value.vpc_config, { + network = try( + var.vpc_self_links[each.value.vpc_config.network], + each.value.vpc_config.network, + local.vpc_self_link + ) + subnetwork = try( + local.subnet_self_links[each.value.vpc_config.subnetwork], + each.value.vpc_config.subnetwork, + null + ) + }) + deletion_protection = var.deletion_protection } module "gke-nodepool" { diff --git a/blueprints/gke/multitenant-fleet/gke-hub.tf b/fast/stages/3-gke-dev/gke-hub.tf similarity index 61% rename from blueprints/gke/multitenant-fleet/gke-hub.tf rename to fast/stages/3-gke-dev/gke-hub.tf index 2707046227..7ca8e49452 100644 --- a/blueprints/gke/multitenant-fleet/gke-hub.tf +++ b/fast/stages/3-gke-dev/gke-hub.tf 
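Review bot: In the `network` argument of `vpc_config`, the `local.vpc_self_link` fallback is only reached if `each.value.vpc_config.network` itself raises an error, because `try()` returns the first expression that evaluates without one. If `network` is an optional attribute left unset, the second argument evaluates to `null` and the cluster module receives a null network instead of the stage VPC. This is inferred from the README example, which omits `network`; the cluster type is declared outside this hunk. Writing it as `coalesce(try(var.vpc_self_links[each.value.vpc_config.network], each.value.vpc_config.network), local.vpc_self_link)` makes the default take effect.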
@@ -17,29 +17,32 @@ # tfdoc:file:description GKE hub configuration. locals { - fleet_enabled = ( - var.fleet_features != null || var.fleet_workload_identity - ) + fleet_clusters = var.fleet_config == null ? {} : { + for k, v in var.clusters : k => v.configmanagement_template + if v.fleet_config.register == true + } fleet_mcs_enabled = ( - try(var.fleet_features.multiclusterservicediscovery, false) == true + try( + var.fleet_config.enable_features.multiclusterservicediscovery, false + ) == true ) } module "gke-hub" { source = "../../../modules/gke-hub" - count = local.fleet_enabled ? 1 : 0 + count = var.fleet_config != null ? 1 : 0 project_id = module.gke-project-0.project_id clusters = { - for cluster_id in keys(var.clusters) : - cluster_id => module.gke-cluster[cluster_id].id + for k, v in local.fleet_clusters : k => module.gke-cluster[k].id } - features = var.fleet_features + features = var.fleet_config.enable_features configmanagement_templates = var.fleet_configmanagement_templates - configmanagement_clusters = var.fleet_configmanagement_clusters + configmanagement_clusters = { + for k, v in local.fleet_clusters : v => k... + } workload_identity_clusters = ( - var.fleet_workload_identity ? keys(var.clusters) : [] + var.fleet_config.use_workload_identity ? keys(local.fleet_clusters) : [] ) - depends_on = [ module.gke-nodepool ] diff --git a/blueprints/gke/multitenant-fleet/main.tf b/fast/stages/3-gke-dev/main.tf similarity index 65% rename from blueprints/gke/multitenant-fleet/main.tf rename to fast/stages/3-gke-dev/main.tf index 97fe5e538e..5c8b9b3314 100644 --- a/blueprints/gke/multitenant-fleet/main.tf +++ b/fast/stages/3-gke-dev/main.tf @@ -17,6 +17,7 @@ # tfdoc:file:description Project and usage dataset. locals { + folder_id = var.folder_ids[var.stage_config.name] gke_nodes_sa_roles = [ "autoscaling.metricsWriter", "logging.logWriter", 
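Review bot: `local.fleet_clusters` reads `v.configmanagement_template`, but the `clusters` type change in variables.tf of this commit nests that attribute under `fleet_config`. As far as the visible type shows, the expression should be `v.fleet_config.configmanagement_template`. The `configmanagement_clusters` map then uses that value as its key, so a registered cluster with no template produces a null key, which Terraform rejects. Filtering in that expression only, `for k, v in local.fleet_clusters : v => k... if v != null`, keeps template-less clusters registered and in `workload_identity_clusters`.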
@@ -24,47 +25,51 @@ locals { "monitoring.metricWriter", "stackdriver.resourceMetadata.writer" ] + project_name = "${var.stage_config.environment}-gke-core-0" } module "gke-project-0" { - source = "../../../modules/project" - billing_account = var.billing_account_id - name = var.project_id - parent = var.folder_id - prefix = var.prefix - iam_by_principals = var.iam_by_principals - labels = var.labels + source = "../../../modules/project" + billing_account = var.billing_account.id + name = local.project_name + parent = local.folder_id + prefix = var.prefix iam = merge(var.iam, { "roles/gkehub.serviceAgent" = [ module.gke-project-0.service_agents.fleet.iam_email ] } ) + iam_by_principals = var.iam_by_principals iam_bindings_additive = { for r in local.gke_nodes_sa_roles : "gke-nodes-sa-${r}" => { member = module.gke-nodes-service-account.iam_email role = "roles/${r}" } } - services = concat( - [ - "anthos.googleapis.com", - "anthosconfigmanagement.googleapis.com", - "cloudresourcemanager.googleapis.com", - "container.googleapis.com", - "dns.googleapis.com", - "gkeconnect.googleapis.com", - "gkehub.googleapis.com", - "iam.googleapis.com", - "multiclusteringress.googleapis.com", - "multiclusterservicediscovery.googleapis.com", - "stackdriver.googleapis.com", - "trafficdirector.googleapis.com" - ], - var.project_services - ) + labels = { + environment = lower(var.environments[var.stage_config.environment].name) + } + services = [ + "anthos.googleapis.com", + "anthosconfigmanagement.googleapis.com", + "cloudresourcemanager.googleapis.com", + "container.googleapis.com", + "dns.googleapis.com", + "gkeconnect.googleapis.com", + "gkehub.googleapis.com", + "iam.googleapis.com", + "multiclusteringress.googleapis.com", + "multiclusterservicediscovery.googleapis.com", + "stackdriver.googleapis.com", + "trafficdirector.googleapis.com" + ] shared_vpc_service_config = { - attach = true - host_project = var.vpc_config.host_project_id + attach = true + host_project = lookup( + 
var.host_project_ids, + var.vpc_config.host_project_id, + var.vpc_config.host_project_id + ) service_agent_iam = merge({ "roles/compute.networkUser" = [ "cloudservices", "container-engine" @@ -76,7 +81,7 @@ module "gke-project-0" { !local.fleet_mcs_enabled ? {} : { "roles/multiclusterservicediscovery.serviceAgent" = ["mcsd"] "roles/compute.networkViewer" = [ - "serviceAccount:${var.prefix}-${var.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]" + "serviceAccount:${var.prefix}-${local.project_name}.svc.id.goog[gke-mcs/gke-mcs-importer]" ] }) } diff --git a/blueprints/gke/multitenant-fleet/outputs.tf b/fast/stages/3-gke-dev/outputs.tf similarity index 95% rename from blueprints/gke/multitenant-fleet/outputs.tf rename to fast/stages/3-gke-dev/outputs.tf index 11d9d217a3..1b7f7fcac0 100644 --- a/blueprints/gke/multitenant-fleet/outputs.tf +++ b/fast/stages/3-gke-dev/outputs.tf @@ -12,8 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -# tfdoc:file:description Output variables. - output "cluster_ids" { description = "Cluster ids." value = { @@ -23,6 +21,7 @@ output "cluster_ids" { output "clusters" { description = "Cluster resources." + sensitive = true value = module.gke-cluster } diff --git a/fast/stages/3-gke-multitenant/dev/variables-fast.tf b/fast/stages/3-gke-dev/variables-fast.tf similarity index 65% rename from fast/stages/3-gke-multitenant/dev/variables-fast.tf rename to fast/stages/3-gke-dev/variables-fast.tf index 8c8251aef5..dfa1916f7f 100644 --- a/fast/stages/3-gke-multitenant/dev/variables-fast.tf +++ b/fast/stages/3-gke-dev/variables-fast.tf 
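Review bot: The `labels` argument of `gke-project-0` is now a fixed `environment` map and no longer reads `var.labels`. The stage README in this commit still lists `labels` as a project-level labels variable, so anything set there appears to be silently dropped. If the variable is meant to stay, `labels = merge(var.labels, { environment = lower(var.environments[var.stage_config.environment].name) })` keeps both; otherwise the variable and its README row should be removed. The module block continues outside this hunk.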
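Review bot: The `clusters` output is marked `sensitive = true` in outputs.tf, but the Outputs table in the stage README added by this commit leaves the sensitive column empty for it. The table should be regenerated so the documentation does not suggest the cluster resources are safe to print or export in plain text.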
@@ -14,41 +14,38 @@ * limitations under the License. */ -variable "automation" { +variable "billing_account" { # tfdoc:variable:source 0-bootstrap - description = "Automation resources created by the bootstrap stage." + description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." type = object({ - outputs_bucket = string + id = string }) } -variable "billing_account" { - # tfdoc:variable:source 0-bootstrap - description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." +variable "environments" { + # tfdoc:variable:source 1-resman + description = "Long environment names." type = object({ - id = string - is_org_level = optional(bool, true) + dev = object({ + name = string + }) }) - validation { - condition = var.billing_account.is_org_level != null - error_message = "Invalid `null` value for `billing_account.is_org_level`." - } } variable "folder_ids" { # tfdoc:variable:source 1-resman - description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." - type = object({ - gke-dev = string - }) + description = "Folder name => id mappings." + type = map(string) + nullable = false + default = {} } variable "host_project_ids" { # tfdoc:variable:source 2-networking - description = "Host project for the shared VPC." - type = object({ - dev-spoke-0 = string - }) + description = "Shared VPC host project name => id mappings." + type = map(string) + nullable = false + default = {} } variable "prefix" { 
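Review bot: The `billing_account` description still tells users to set `is_org_level`, but the new type declares only `id` and the validation on that attribute is removed. Either the description should become `"Billing account id."` or the attribute should be kept. Separately, `folder_ids` now defaults to `{}` while main.tf indexes it directly with `var.folder_ids[var.stage_config.name]`, so a missing or incomplete resman tfvars file surfaces as an invalid-index error at plan time. Dropping the default, or a `validation` on the map, would fail earlier with a clearer message.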
@@ -61,10 +58,18 @@ variable "prefix" { } } +variable "subnet_self_links" { + # tfdoc:variable:source 2-networking + description = "Subnet VPC name => { name => self link } mappings." + type = map(map(string)) + nullable = false + default = {} +} + variable "vpc_self_links" { # tfdoc:variable:source 2-networking - description = "Self link for the shared VPC." - type = object({ - dev-spoke-0 = string - }) + description = "Shared VPC name => self link mappings." + type = map(string) + nullable = false + default = {} } diff --git a/fast/stages/3-gke-dev/variables-fleet.tf b/fast/stages/3-gke-dev/variables-fleet.tf new file mode 100644 index 0000000000..4d71600e21 --- /dev/null +++ b/fast/stages/3-gke-dev/variables-fleet.tf 
@@ -0,0 +1,68 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# tfdoc:file:description GKE fleet configurations. + +variable "fleet_config" { + description = "Fleet configuration." + type = object({ + enable_features = optional(object({ + appdevexperience = optional(bool, false) + configmanagement = optional(bool, false) + identityservice = optional(bool, false) + multiclusteringress = optional(string, null) + multiclusterservicediscovery = optional(bool, false) + servicemesh = optional(bool, false) + }), {}) + use_workload_identity = optional(bool, false) + }) + default = null +} + +variable "fleet_configmanagement_templates" { + description = "Sets of fleet configurations that can be applied to member clusters, in config name => {options} format." 
+ type = map(object({ + binauthz = optional(bool) + version = optional(string) + config_sync = object({ + git = optional(object({ + sync_repo = string + policy_dir = string + gcp_service_account_email = optional(string) + https_proxy = optional(string) + secret_type = optional(string, "none") + sync_branch = optional(string) + sync_rev = optional(string) + sync_wait_secs = optional(number) + })) + prevent_drift = optional(bool) + source_format = optional(string, "hierarchy") + }) + hierarchy_controller = optional(object({ + enable_hierarchical_resource_quota = optional(bool) + enable_pod_tree_labels = optional(bool) + })) + policy_controller = object({ + audit_interval_seconds = optional(number) + exemptable_namespaces = optional(list(string)) + log_denies_enabled = optional(bool) + referential_rules_enabled = optional(bool) + template_library_installed = optional(bool) + }) + })) + default = {} + nullable = false +} diff --git a/blueprints/gke/multitenant-fleet/variables.tf b/fast/stages/3-gke-dev/variables.tf similarity index 69% rename from blueprints/gke/multitenant-fleet/variables.tf rename to fast/stages/3-gke-dev/variables.tf index 96ed616c9a..6c6625fb7d 100644 --- a/blueprints/gke/multitenant-fleet/variables.tf +++ b/fast/stages/3-gke-dev/variables.tf @@ -14,11 +14,6 @@ * limitations under the License. */ -variable "billing_account_id" { - description = "Billing account ID." - type = string -} - variable "clusters" { description = "Clusters configuration. Refer to the gke-cluster module for type details." type = map(object({ @@ -31,6 +26,10 @@ variable "clusters" { shielded_nodes = true workload_identity = true }) + fleet_config = optional(object({ + register = optional(bool, true) + configmanagement_template = optional(string) + }), {}) issue_client_certificate = optional(bool, false) labels = optional(map(string)) location = string 
@@ -87,52 +86,12 @@ variable "clusters" { } variable "deletion_protection" { - description = "Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail." - type = bool - default = false - nullable = false -} - -variable "fleet_configmanagement_clusters" { - description = "Config management features enabled on specific sets of member clusters, in config name => [cluster name] format." - type = map(list(string)) - default = {} - nullable = false -} - -variable "fleet_configmanagement_templates" { - description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format." - # refer to the gke-hub module for the full type - type = map(any) - default = {} - nullable = false -} - -variable "fleet_features" { - description = "Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used." - type = object({ - appdevexperience = optional(bool, false) - configmanagement = optional(bool, false) - identityservice = optional(bool, false) - multiclusteringress = optional(string, null) - multiclusterservicediscovery = optional(bool, false) - servicemesh = optional(bool, false) - }) - default = null -} - -variable "fleet_workload_identity" { - description = "Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true." + description = "Prevent Terraform from destroying data resources." type = bool default = false nullable = false } -variable "folder_id" { - description = "Folder used for the GKE project in folders/nnnnnnnnnnn format." - type = string -} - variable "iam" { description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format." type = map(list(string)) 
@@ -186,31 +145,27 @@ variable "nodepools" { nullable = false } -variable "prefix" { - description = "Prefix used for resource names." - type = string - validation { - condition = var.prefix != "" - error_message = "Prefix cannot be empty." +variable "stage_config" { + description = "FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management." + type = object({ + environment = string + name = string + }) + default = { + environment = "dev" + name = "gke-dev" } } -variable "project_id" { - description = "ID of the project that will contain all the clusters." - type = string -} - -variable "project_services" { - description = "Additional project services to enable." - type = list(string) - default = [] - nullable = false -} - variable "vpc_config" { - description = "Shared VPC project and VPC details." + description = "VPC-level configuration for project and clusters." type = object({ host_project_id = string vpc_self_link = string }) + nullable = false + default = { + host_project_id = "dev-spoke-0" + vpc_self_link = "dev-spoke-0" + } } diff --git a/fast/stages/3-gke-multitenant/README.md b/fast/stages/3-gke-multitenant/README.md deleted file mode 100644 index f5d73a4909..0000000000 --- a/fast/stages/3-gke-multitenant/README.md +++ /dev/null 
@@ -1,9 +0,0 @@ -# GKE Multitenant stage - -This directory contains a stage that can be used to centralize management of GKE multinenant clusters. - -The Terraform code follows the same general approach used for the [project factory](../2-project-factory/) and [data platform](../3-data-platform/) stages, where a "fat module" contains the stage code and is used by thin code wrappers that localize it for each environment or specialized configuration: - -The [`dev` folder](./dev/) contains an example setup for a generic development environment, and can be used as-is or cloned to implement other environments, or more specialized setups - -Refer to [the `dev` documentation](./dev/README.md) configuration details, and to [the `gke-serverless` documentation](../../../blueprints/gke/multitenant-fleet) for the architectural design and decisions taken. diff --git a/fast/stages/3-gke-multitenant/dev/README.md b/fast/stages/3-gke-multitenant/dev/README.md deleted file mode 100644 index 9247d55698..0000000000 --- a/fast/stages/3-gke-multitenant/dev/README.md +++ /dev/null @@ -1,243 +0,0 @@ -# GKE Multitenant - -This stage allows creation and management of a fleet of GKE multitenant clusters, optionally leveraging GKE Hub to configure additional features. It's designed to be replicated once for every homogeneous set of clusters, either per environment or with more granularity as needed (e.g. teams or sets of teams sharing similar requirements). - -The following diagram illustrates the high-level design of created resources, which can be adapted to specific requirements via variables: - -

    - GKE multitenant -

    - - -- [Design overview and choices](#design-overview-and-choices) -- [How to run this stage](#how-to-run-this-stage) - - [Provider and Terraform variables](#provider-and-terraform-variables) - - [Impersonating the automation service account](#impersonating-the-automation-service-account) - - [Variable configuration](#variable-configuration) - - [Running the stage](#running-the-stage) - - [Running in isolation](#running-in-isolation) -- [Customizations](#customizations) - - [Clusters and node pools](#clusters-and-node-pools) - - [Fleet management](#fleet-management) -- [Files](#files) -- [Variables](#variables) -- [Outputs](#outputs) - - -## Design overview and choices - -> The detailed architecture of the underlying resources is explained in the documentation of the [GKE multitenant blueprint](../../../../blueprints/gke/multitenant-fleet/README.md). - -This stage creates a project containing as many clusters and node pools as requested by the user, configured via the [variables](#variables) explained below. The GKE clusters are created with the following setup: - -- Even though public clusters are supported, this stage is designed with [private clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) in mind so it only supports [VPC-native clusters](https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips). -- Logging and monitoring configured to use Cloud Operations for system components and user workloads. -- [GKE metering](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering) enabled by default and stored in a bigquery dataset created within the project. 
-- Optional [GKE Fleet](https://cloud.google.com/kubernetes-engine/docs/fleets-overview) support with the possibility to enable any of the following features: - - [Fleet workload identity](https://cloud.google.com/anthos/fleet-management/docs/use-workload-identity) - - [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/overview) - - [Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/overview) - - [Anthos Identity Service](https://cloud.google.com/anthos/identity/setup/fleet) - - [Multi-cluster services](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-services) - - [Multi-cluster ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/multi-cluster-ingress). -- Support for [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview), [Hierarchy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/hierarchy-controller), and [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller) when using Anthos Config Management. -- [Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac) can be enabled to facilitate the creation of flexible RBAC policies referencing group principals. -- Support for [application layer secret encryption](https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets). -- Support to customize peering configuration of the control plane VPC (e.g. 
to import/export routes to the peered network) -- Some features are enabled by default in all clusters: - - [Intranode visibility](https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility) - - [Dataplane v2](https://cloud.google.com/kubernetes-engine/docs/concepts/dataplane-v2) - - [Shielded GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes) - - [Workload identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) - - [Node local DNS cache](https://cloud.google.com/kubernetes-engine/docs/how-to/nodelocal-dns-cache) - - [Use of the GCE persistent disk CSI driver](https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver) - - Node [auto-upgrade](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades) and [auto-repair](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair) for all node pools - -## How to run this stage - -This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management, security and networking stages. - -It's of course possible to run this stage in isolation, refer to the *[Running in isolation](#running-in-isolation)* section below for details. - -Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. - -### Provider and Terraform variables - -As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. 
- -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. - -```bash -../../../stage-links.sh ~/fast-config - -# copy and paste the following commands for '3-gke-multitenant' - -ln -s /home/ludomagno/fast-config/providers/3-gke-multitenant-providers.tf ./ -ln -s /home/ludomagno/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s /home/ludomagno/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s /home/ludomagno/fast-config/tfvars/1-resman.auto.tfvars.json ./ -ln -s /home/ludomagno/fast-config/tfvars/2-networking.auto.tfvars.json ./ -ln -s /home/ludomagno/fast-config/tfvars/2-security.auto.tfvars.json ./ -``` - -```bash -../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 - -# copy and paste the following commands for '3-gke-multitenant' - -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gke-multitenant-providers.tf ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-security.auto.tfvars.json ./ -``` - -### Impersonating the automation service account - -The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. 
The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. - -### Variable configuration - -Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: - -- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above -- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above -- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file - -The latter set is explained in the [Customization](#customizations) sections below, and the full list can be found in the [Variables](#variables) table at the bottom of this document. - -### Running the stage - -Once provider and variable values are in place and the correct user is configured, the stage can be run: - -```bash -terraform init -terraform apply -``` - -### Running in isolation - -It's of course possible to run this stage in isolation, by making sure the architectural prerequisites are satisfied (e.g., networking), and that the Service Account running the stage is granted the roles/permissions below: - -- on the organization or network folder level - - `roles/xpnAdmin` or a custom role which includes the following permissions - - `compute.organizations.enableXpnResource`, - - `compute.organizations.disableXpnResource`, - - `compute.subnetworks.setIamPolicy`, -- on each folder where projects are created - - `roles/logging.admin` - - `roles/owner` - - `roles/resourcemanager.folderAdmin` - - `roles/resourcemanager.projectCreator` - - `roles/xpnAdmin` -- on the host project for the Shared VPC - - `roles/browser` - - `roles/compute.viewer` -- on the organization 
or billing account - - `roles/billing.admin` - -The VPC host project, VPC and subnets should already exist. - -## Customizations - -This stage is designed with multi-tenancy in mind, and the expectation is that GKE clusters will mostly share a common set of defaults. Variables allow management of clusters, nodepools, and fleet registration and configurations. - -### Clusters and node pools - -This is an example of declaring a private cluster with one nodepool via `tfvars` file: - -```hcl -clusters = { - test-00 = { - description = "Cluster test 0" - location = "europe-west8" - private_cluster_config = { - enable_private_endpoint = true - master_global_access = true - } - vpc_config = { - subnetwork = "projects/ldj-dev-net-spoke-0/regions/europe-west8/subnetworks/gke" - master_ipv4_cidr_block = "172.16.20.0/28" - master_authorized_ranges = { - private = "10.0.0.0/8" - } - } - } -} -nodepools = { - test-00 = { - 00 = { - node_count = { initial = 1 } - } - } -} -# tftest skip -``` - -If clusters share similar configurations, those can be centralized via `locals` blocks in this stage's `main.tf` file, and merged in with clusters via a simple `for_each` loop. One example of this approach is provided in the underlying [GKE multitenant blueprint](../../../../blueprints/gke/multitenant-fleet/). 
- -### Fleet management - -Fleet management is entirely optional, and uses three separate variables: - -- `fleet_features`: specifies the [GKE fleet](https://cloud.google.com/anthos/fleet-management/docs/fleet-concepts#fleet-enabled-components) features you want activate -- `fleet_configmanagement_templates`: defines configuration templates for specific sets of features ([Config Management](https://cloud.google.com/anthos-config-management/docs/how-to/install-anthos-config-management) currently) -- `fleet_configmanagement_clusters`: specifies which clusters are managed by fleet features, and the optional Config Management template for each cluster -- `fleet_workload_identity`: to enables optional centralized [Workload Identity](https://cloud.google.com/anthos/fleet-management/docs/use-workload-identity) - -Leave all these variables unset (or set to `null`) to disable fleet management. One example of a simple fleet configuration that integrates with the cluster example above: - -```hcl - fleet_features = { - configmanagement = true - identityservice = true - multiclusteringress = "test-0" - multiclusterservicediscovery = true - servicemesh = true - } - -# tftest skip -``` - - - -## Files - -| name | description | modules | resources | -|---|---|---|---| -| [main.tf](./main.tf) | GKE multitenant for development environment. | multitenant-fleet | | -| [outputs.tf](./outputs.tf) | Output variables. | | google_storage_bucket_object · local_file | -| [variables-fast.tf](./variables-fast.tf) | None | | | -| [variables.tf](./variables.tf) | Module variables. | | | - -## Variables - -| name | description | type | required | default | producer | -|---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. 
| object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L38) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [host_project_ids](variables-fast.tf#L46) | Host project for the shared VPC. | object({…}) | ✓ | | 2-networking | -| [prefix](variables-fast.tf#L54) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [vpc_self_links](variables-fast.tf#L64) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking | -| [clusters](variables.tf#L17) | Clusters configuration. Refer to the gke-cluster-standard module for type details. | map(object({…})) | | {} | | -| [fleet_configmanagement_clusters](variables.tf#L87) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} | | -| [fleet_configmanagement_templates](variables.tf#L94) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} | | -| [fleet_features](variables.tf#L129) | Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used. | object({…}) | | null | | -| [fleet_workload_identity](variables.tf#L142) | Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true. | bool | | false | | -| [iam](variables.tf#L149) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | -| [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | -| [labels](variables.tf#L163) | Project-level labels. 
| map(string) | | {} | | -| [nodepools](variables.tf#L169) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | | -| [outputs_location](variables.tf#L202) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [project_services](variables.tf#L208) | Additional project services to enable. | list(string) | | [] | | - -## Outputs - -| name | description | sensitive | consumers | -|---|---|:---:|---| -| [cluster_ids](outputs.tf#L57) | Cluster ids. | | | -| [clusters](outputs.tf#L62) | Cluster resources. | ✓ | | -| [project_id](outputs.tf#L68) | GKE project id. | | | - 
diff --git a/fast/stages/3-gke-multitenant/dev/diagram.png b/fast/stages/3-gke-multitenant/dev/diagram.png deleted file mode 100644 index a282e7d5e6cc21b6febeadaedfb5af9d90387968..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 44405 zcmeFZWl&t(x-Luzu7L;+!Gk-&-911`rdEYTZl@uh=QSebfq4xhEhen$rn}pO98IC_UV5iyvL}16BR6!q+aS>p6ayC< zvua5JwmPJeyhXUW=j3e0U4DD)92A2-X;8}YHr%@cUAMdzBQPSuy8LIgu-{KuO$m{{ zezWtG%#_T9n(djSV!>vWxRTv%=t31;(e}Vc2|3sG9>+|khMUv4#jD67r8h5H1L36n z{(M2jTE&Gyl*f$>$k8x=y8Ot5ggX%Z|NOL6HWcnnA@oz$Tk0p+um5yqXD_n}!BYJ3 zQUbxgPz7}irN#a6mtl~Vl#cNJ_^rS{3u&LAK%vVU1JeItXKxBG(f+(87-ZE17qjxbzs&lR z93REt55>;ThSK^hr2hwP_yv3#`VXRv76Jj{1icirRrn9u0Mu;yA4K_oubPF%;l_VC z;rE2U8~^^FwS9tYWphUQYnbzeEO39yFoogP?FWp+x8(mp6YtYoOG{ze1iVFA-YHqX zu~`WJvqIA4{Q`QYj|>j}Y)aYtfJ(-_KXMEG*^=xy0aG&V3TgWDI{fRY0b9BtU5ELz z3$#uHzL`!$avu5T)oo`2PB0&m{FLI)+cbTio$cV_HO2eq)fIXIUgAt*h!Oqgum7LT z|BvSX7*GB`nSI*I=xQi=A*FRQYTBQ3i~kuZbE2mY8E$M}H2kR~c6Y|N(5sraXOu5<$Uz7+=Pf8L$Y0N~!0+(G}dkl(ue|FuLS zDV{0j9V+U1BH%DaEKh}oL8A~atUCrK558yA5Q)6m%$htn5IEs!zPOtlUYrcQ5Ohqi%k!8AvbN2hKouTE{1%}H@+qjpighga@rM-TU?jt)CtNUpQOBJVDIc7zG%8mf1>*Q*8ZTCFcrTo)^TrRO&{ zPenv!G=5yXY5&ZpRg4){T`^ZtlAlHAZAT#>9^-_hLo^VkYqQt#v1ifq@;m%S*blG8 zGGCMZlLW(x5ufAR1T0*ltnU}izE0B>IvP8CY5yd!M8NSZu8P&1so=+<~EZO$kT%8-&85yZNoy& zB5a9L`q<-|fhfXGw&Qs3!B@63`uv;7Uk?6r^UB&^Xai3(Gne7p=;x7 zsin~^)x^4#c<(Kaa4R-4US#(1EAAVgmz?SzbD+?6-69!FK1SZ`B_J41-#*&KzoHn| z2fwlB9=D-Ms=oJ|E0_#go!wXY0oy7MH$`qoAzwgR2|?Y;4kj$jvN~GVXC3z+ALa#b zJwMK|P==pr_q@32e5?0k>PPr?WH;xPc3r*t#69D<;K`iKMvp^d*ZoOwopGYW;*Ia_ zt8vL4(&go0CSL+Yft%~OFTAs9N27xFH`*ivM+wK;^eYhdK$)3%G_I3!#`*YW>BRJE z{;J3%jh22ebstMfimS=ug8M}TZraB|el~~ZbW0-Je9k`m7&#$Gj!CEd^}}Jv0$a`8 z*tMLR;bn7{Z&#ynF;!gD{k7uK5p`t$xCvWU=-%D@hvkimMo0D z#e(LRe$h(&d>zQsn$#(tbwmu_zZI+~u!YD`#n#jBhe6Bg--;ms+uPU_rk{J1*{ ziVxFF5Ow2;x0MbzyLy5J0!(+P!M7)HSx8xWH=BBI%#9iCzn;s&MQJ$A?`lyFuHzP4 z_twpRa~U8g;vk+dh9(djI?_+b33AuO=Tw(b#mRUxTwIOhm-I!HT-~Wc9@ZV3Qm0Bc 
z3DT(l$#JbHfVGssOjs!7XKSK!=!*Vj_ex=KullYbU+FTy+ft;CCz#tKf+Om&`9{WS znpRD*Fq)rEJdkL68e>>w5Qa=2wigrVY1LKwW|BHSD~S!p?gAUxY=W>t727L zk!Y#wwzbNaVq!9`(PjIRz5pEi&F8}RzR6io4kexjfU?;vqlm`##i7* zJ!+tbS4AmhsN^HN#s`a6QE%bXIUM`(RZgyz@l1RcG_(3{we#r(ED21kN&;kRTOPhQ zj86rH@%c{p*oQ7E3&LMI{~dlJ0Q_ytX8vD7>oewjQErH;bZzoRqKVggaZvtRKwkpa z8VmzSUnl4jq2)`}d^~++@~uG3hhU4@RGlhp|8L3Jm7ii7_LH+f=ks6mRQkI5S)>zV zZyU5Ce#4!7YmjCoN7U@onwL9lIxk;`@eA#c7VbA( ztk+R`lI`l=F42JKdix7CEm92Y?h{a;%5@+cb*Y`>S{Z9i%6NCo9X2b0II5%s=HeF@ zYd$`d6%22E@IpWm@07ULC8_^$XFGsmNEnEM{jcu)zKZQt5s~pgVk{ay7UM*|a@PG1 z(Gvmcr}QNm-~_HPhNs1FrZm!Dv4yK+9ZT+Xi!sKP@7TIP(n`|n(NcvDA>d!#%Iqha z2A+Kpo_(2gWc@D!iw3e|eUkCyM>6Yf(o=-hco24CISeSyKCecb{^+;Tf@DL-3cv{| z9F;O`g)(b~b!fDfirVH*J zw_XNBdYwVz1jn#Fr&`qqT4^-PyEo>G#i0}%kEMp)3A(2$KRtIprBObfh4Q7AOS$I; z|J$L4h22rZ;|k@L;)e4cZsn>iCV@N4?bDG8HIG+vJ(QEhs!A!=iThM$^X|$s@f9rx zlY+U|#`AlnUvcYGgwN8VZX=*u6tcHI2TO<>#2k2Ky9;kPCi-!UK}sOaZ>IZXZX0`( z{T(ip0loNX9f=te+d~xRf7bxnE`Jp=bpP&cl33-h3KJux=W~FN4vpGClu%u=P*F-w zQ9eG9@l}!?pqe&UD5YbdZyq~_j?AAIXD4C{tu@;u*j6@V5b2%|YV-n?-oRAd$Is37qg8%Fu8LCTm9C8FCpwi2rI<`P zOYBcx@VX|dSeoK(VE$d=N5VG-#++{YF|FW zigxLLcRDUuvIHPo5T|KHf@Xwc*hp^kZ#IlKRIdXyORIa~Eem=jP-%<8nY$=pMKF3k z(@+;u$o6ZCm^4Yac+r(WjMu)#3$YC`xavYE*oR(T9e&rV$E=wvH{DljQ)4ZXvp4e* zW=;3mdAq=?z5`{)kg?D%F$V2F(Wag4ulFiV2eY}RRefV94z3~uiWf51-f9{RWo691 znSxtiOOu3Kt*IVmaRbT_kWb?N57UT~b`p<+dSfN&hQ5eB8TbSc3gb(yuDe!)kiXI3 z_J>EO%y|TU%>TejJNhSAM%Tef3Q%JehmX-Qnvy2|ww7Ju7Cn&;6R^J~%Cy3Y(>T0~ zv*-}NYYIY6ch;*-_zTv2=6MRNwLIL7du|P)bv#}4h6B@B=P7X{Z~REjdzE9 zJ?|NH)td9QUl9bR->g1mmc`>MVZj!c^No|>ylWn`N@wF2= z#|Bw;sdh=!plJH)SKrgITgFTu;h6uvpsr4T&I*YjjBFP!M-Q+#yI}~>TH|8d_?BoedIA! 
zy_bZYXuGY>n>7w}=yYL)rFi6*Pp`XxOS167Q1=+V;@|KO1Kj|;oy`uCFa z{~&<>2RQ$RY`U&2}PRu*wvq;hIRitO_VP2 zXl)<=ivjrs`@ORxH8o3?Mr2MwGvwPBVUOwBkL2PMA31bK`B@E{@{fK0B~h;M#{lyr z=idU1nH%iqv}1Q1^GH%^{93% zY0#yttPU9P38P%+{C51h5C*Xh9CggUeq~A+SR@8Ck(1`%kRX1hAN`K(27j{D2j)~H zBX(j5o`Vlyl?);lJC`v(Ekuz8LJXI#iWa&LIz-4~UfgE!=;#l(^a!t0$LtI#vJ->% zH|0oI2inz7L45y`$V3VZ{5a232J6Vb+;71ij;g>AmoQXh(z)v_f{4uDgF5?rYbKEn z`pF$NM}aaoQ^Baf57rJ$ED%{itohTPV*iv{|1Gg6DUFeQ+K06$NH>+6q2O`|ckn_1 zn&wjt_Nx=;3pcQX5Kqz44>K5Q$vf!1n(XT+?|B+48-@0jPHp~D?S)_~Vz)b)XB$+v z-2_T<80S8~*47$Uwu&@MJ?#Rpb=nxzLlI9H z@xeE5s*JJUD85eWGqSXOuBp`~CI(BO@EB57|BgkGU8gs68C?OtkW~l2MgC(;e zeXPuQ52|euqeecrCv?`^4`JE$rA(2tHA8I&9NG5Xh1OARKUUcXG2F{N4>-Qf2ciQJ zKc1SIn>+N!k9XQtEm0q(^xGc+dU*P8)kbF41~kvRX6NU3*n1m=NM$b|6MCPCpH_G5 zs40cAcfXuVmcGIoxJ=0YWa8rn4Gs%#M^Z56UxO5W=?zl#J*v{&T7 z=#rrPN~yw3}HX*F5@Z3RNYYqinkqUd7Ty6_2LiO?XKH9o0zzGSIj)h3A5LWI}% z;B4No=(iDrt@NpPG;s5H>3Ap0Q+7(mBGLsvoA-lgqXl9Pe~rYGP6mg&KI4P3NTEP2ls5RKv!#H}prQ!JqsHa3erxP{ua1q>YHAO>lr{fYz|QB{j69SX zrVpNoP*oGvdJ}awk6b-g#-9$7CD+46S_zGlm-zuc#-9n`-nCL(8sx8{T9qoSUr$YXu!`RjpyXLejesjeD6DV6fYb!z6?=gU$@S4&x zw+j|fYJ}~MyZjv^i6j9%+mjlE;C~cqLZ+D5}{pbtB856TlYdWD{lU#bVpX-(^He-Vw6M3LPMUC4>#1^&Ys85 zAL4iI%9jf%{+ua=kLbC)X{qqJC(HRXR*0Uaict+o#R>5X;ujqfwOj1FGljCp&iwAl!1{-3ZeC)X|bDV#yOUZ zd5%J4MeRj6s+T2XXHnQOBd19 zf#>>!49#%2nS_muG1Q&uZ$iItgj3I1KxV?88c>>vP0W2G{}9OE5&ouXKXz9$smJ`I z={&9D=BXRf)3_($9ZlQ1i1kKOqj>5mss>q(u2;`vlDapOW$Ib5MwjdfHZ2FqHeWIZ z*THU*voHbMI-Cn;MlfwOLtoEnK#|#&9-xeIbluDRuJx_!CH3@?Vkd+3>M=eQHV=ZS zm)ZHoPrO0$P4_rse(yBz8}M@<=4YMn$4U~#nr{x{XNC{svDJkenV+@kG~`|$1&(ea ztzkjhiCz~GDFPCa^t-SH16VhL@NPRQ1E>IS|E>UdBY|YTBGQJz@yy@jxoRu}2exgS z8(Gj17?)HLKaG6U>_~b-Rda8Ux?@L!MW z8mp+K!}TD|{mnT1lV}e)9!7<$my=b`bt$bq$TfDiWDF!FXCUv@=9prfVp-0nhSm54 zpS7*8)4Mq5*>#l`_Cg85+z)SqpAic#1Y{7=RR2(XZ*AFEe5u>0Zx0B_OGGN$17Ink zU74;3k8Cu`-)!{1`xie7H0M1VRjjaFzQ`upprP*#5}$`|D2+xl^|Wa06}jvrh0*q= z9gJz0*GFTgGmevJyFR;uRJmJ@>k&Lpn$XoF$~oOmF-hZX$7QX5VRlpbC+KrsNUWqTwW+@H;XF 
zOviul`{Fn2(!YE!8jBS#Ec;VQu3wZjgraD3?7fgQbIYudD@7n8hWyID_q#8K8ul#` zpNT0Cf&GU+Cl`K9yKk-Kv&*<6$`_T$POki!@As-XL3RS0154Cp8J!GwM=uw{aQ>cC z`2w^H9W223xq3iC=}P(UVKyuK_*bvhbE;8NIV#vqj4r!!ZzP*0v&;f)o=y{fE`eQj z-jW_t=VWY+B-&F3_+fFrI@MrDNRp~j-;7wflv)fJXK!EbGk>zEO7@fqYthnTq|3^b z64LCf%GBb^cK^)e75MQa-R&P2Lm^|z;t=%lmxD`#^Y7-G-a@Y#t82t0bed_8bsMmM z7nJkJTH`3ckV4s?D{5>q0^MG z@m<%?^by9d?Z9*t<@kUB73FkVPJ{tfrAJKhPmI5)vBnhuwQ)02>?%FQGGiBZwwWti z9eYll#zH)Klz5Np;!=CE0OAZG+uuOC3rJZG+EPuw*gF|>A)a-F11_S0XpFq>avM=A^2v>=2qwXbl_-E!}YdMS=A|z-8 zZui%cw7YTeuPdx)g9;bV ziys$*V$aUkhlzWQTuo(+Wu&c(RB{E2faKI99=`&igpHso^l_sB zil9KZeG$0l$ZyY`D95omG%^!=w?7u>Fr%cRY$PL^)~y&4~kWM8N^dKL1P z8ss8Z0`$QwWK22asOE4#dDuI3N8uol$&_|01S5LHO^v4fhzY~0rkAe_ICr5u)Whi4 zm$gLDt?@s|u<2}Rp7{hGgfBxNoQYRTF_UBr2Jw>JojVoSjZR#Gq(O~?8>RUN(ZSv? zk)2J(LXsGRk2=dqfYiHuZ&_eBzYeF{h^y9dF8SF86r|Tb`aLs9lShM|kZF1F%cs+a ze&^>%_#1`m{>7eJ|YhcTD?JcpVX1%QDO2r4wvGcSvEI2|gk2^Y>H2&=8? zlod91g1h9m6N>_XU)NllHe1cF68aZTug7>Cp-;$gKGg22>-_o*xk+o2UiJxiv=Kz8b|kd{th;5lk}6#7bF!(&;%b9*QF`jgW|_m=XCaILsh?upU&9 zGGzU0W&rv2M~<|WxqL3aHdqr=l8TyFXxnYw3isjIqG7qBgg?^z^jTm9`)p)2=(2{m@#EI~f@AD&p#|r~07+z`41l9>!ii>rd2Syyv!uXUNQK>z zF?FrALmk+AogC&Cn$LkYcnOF*Y=cS6ZdDmccc69Ro0EocLVs;^_qGLcHoc{%{p;{J zBcECw_-eRHV)%q`4Y38;BoVh`CpJEtrwsml9}4)TOq>b#W%U)mjBUw~{-P;FW5-HU z%!nxbyhXO{r2g(uTG$6NbQU+MVCboZ@1vMwBc{vY6QryJ3gkJEh82G-3b3Klk1*=` zH;nqlE=(!Qwc4(=;;c-FW9HHw1Bb7n)Kke1p&2LcZOeVBnn6jUU&2}#9-w)h2n_0& zev-Xah`1V8us%}?lp&Vb!ES*BMGk93X(q0Zh6NAm0U67!KR0ntBk2;J-@SYPLoQ2H ztj3clf9>!2V*Q~pe%D@-Z`4m@Zynrm9N^!Ma1*68V&wi3;VFakSLEOkJzXLG!Kx&C zEwW=nQ z25=+mEt{o0_*TAKO+|a8}D0W*M)Uy5SSfuN5O3>@$c6}fqiIAj!N#b=OcoNFi?yjBw=5-1~p&YVR*RteP?2#@E+E^k%JS=!BnO_l~dJ6{{)AbW{%Ml}{IRD1n^~9dJ$cbF7U>xKgmRjXNgD|wM+=e8-+|X|pvn1^XNrnH z80Bg2^~SH^LSdzZcNuyf`$EUp;58bS?gsTOExCMR#TlpR@MLV~LMgk8Q(nd=@iV%# z$(a5+mN*Q3T0AlK9Z9ks5br?`Ia$YPU?zK8CcAP9p&>F&B@^!vo{UNF2^mKL#Z$V~ zz9LFLq9sDA6&vkPk1>btzER@-g1MhxVe8v8ZoAL9e4H-OJjn3iyln+SA`#Zg2f4+S zA_iXBEz1zA*ki?sZxJ2Vmp7@XkQ|=`AR>1V|Zf@BW&#;EfdGfCml2 
zP#M7!Hl>Gv6%%;D4s}hk?WH#8Poj1#T!L4aD@7^FX<^Yx3uivq`&7O`c+A#ukl2lN~f901{SixQ6F*C)|`?x@NH7-Bb9?mfkfP z=`tRl9V_?6*R767u=d$^ClQrnag>gS&HXn%UJoxkQXOO%(TCg)JI#cQWtvzBmHO_) zer+r%H?D51C~C6>H=OrpbLbbQ%2obQ{4p`9YpHUUI>LVKjuAii#*ic zZhtnL34y2rY{9e6Sc6q`jRookOnew^T2Hye8}m|F&S2B>CS%y=EIrA?M`P1e>4axS zR1nDgJ(vclVqZ1zjB-t-DODHv*a^ewK2ta0OP1c=cI_>hHLN}O6;Jz_afm!B;dx;} zcI-i@Sb^VYI|5@k!M11KY4oJ_apg`b15auoi4gB!G?IqwLce24ICS8{kOToYrU>m5fBkUU1Tvx z7=&Eq*>Qpwj)GqVE-)VsF$W1+@jYHdNRX0vdwW}&<+CuAs0(w%pcvA=6r+m!K!+nv z_LQQE5riobB*cjbMn{Jfk716mr2GVRqEbjp^dPk!aQ?c$H#^?IvLm1kl-fpL zQ;&-!>A42m&Wc4V?3*PwxTMb|QXBK#>+^@3%51cVH7140vYZKC@&cM((oP5~-Ntdr z^6Q`@Cyj+SL*aa)WFp3ONn@qh2nJ<2iI?)!^SGHb`yOu?MO`i%Y#d?VT8FL_+}9di zan%`(W2+ult&QaQ`&aNS_eo*I*Mq&S@vnK=DT~u<+t*Hp1O;)nwQQT5g{K5hQigsh zKAb8Z4_@OxXj%EGE5MBBhh z$XXG8sWUa5Z{V1={_$-#naTaC;ys-2O^q+FEi)_RcB)H&Q&DxAp-@g*%|@hwb)=8? zrfws%UA^TReokVvbn9nj&=nk3o?FYjFTtx(y6f^_smfs!m;Kkg>p%;(7X`BRrJ(4M>C8U!Qt-Rks*r$(?KdmPtwy4 zX{INMdVcwfj@Ei+v9SS7-rhH6walZR-cos}R=BlfidP8+NAo_NH!hT`nl8qy+JgD4 zk%jH7%O6GMjh%|6uHiwJyNdVxgECmRlWAzmO*`?d?k92YfVX_*iI_*|&)9%1*Mp4j zio}`9vJdHR7zwYrifpXEX7{f7hdu8IhfJ$JIbOD`3z2eYL7W=3Jx(D+RQ zu+s{NT0AOARA`MpG-ZjF@x<#|16HMebffTdm7-mcB|ekbj&PJ6(zw2TD)h;-9gA2E zdZ>2B%7*X#2I=#3o_w*$|`A}U8R8-eTLC@2R1-RY>Ag@y9NqK&Yzg62>LuPGfG zmh!`j?=2=rXkyRF?k>H+X%6N)rIG*-fGCM^8=X5Yo(4bZQN^Cmf%8aP2HGRT*w5JZ zM5xr~GHkiFJJ!sZ1|zTRY(~mhA$eTanS*(>_zRPZu8*@yL2@XLnSKqnyK*!*v6ikZ$LsAKySlU$!Kv9&gz@XpbWLQ( z)|#S4VXJvHOvDw>gHAZr*kHLM5qGdA6Z5jD?@Zc7M*khCQTK3@_JUciIU;fpXDWB@Fp^qUlIwGpQ5qw6$5Pbc7D#-f{0tRQCP-Zh_4&48@? 
zp_b|N7rp%~=u;y3QvMah*&Ui~p_=fCAqvClU~G7DU73TD^E$dF15@zUZdy8B3W`YL zr4&k+Vl@$$ecguB?6=YtMMp{<5*`;|;jF0Fg!~Wf8VY`vdxRt==Xpk7FUsN+jD6_o za9Cd{Bk)luT9l$quD1lmlY{_;%(8Y&SwN$nsyZAZ#c-0%|f zpaL8yF$Sz1nm#j%*LD6aPjh5#Of->$nzg={EbZeK)J0X#@s)6y9nI^Q;dnm0P|u-x_{C~tPM$Q$9P<p@4W9NnOTGn9`fDzR&Dg5@iMGOpr>UoLAE`Q|8B0lM+oq0AqQq36TJ zARv3z1*pR@WGl#D_BlM79Bwok?G9;0ETyN`EXQee{a7cOVslJ;jsQ`ECwsU!x;8Ew zGd4qE7Wsr|o|<~x2kQ(*Co%0qRbf>f&%NqxV7jsSD55S&(}d)pb_Jt4{C-?r50v#e zTXWmosZ zED>eMSORW3tDOr)i@rv-NACX9>lx?WO{ecW3taEc`dV)Lwg=Yf${H*6MQH94rSrL$ z;(e1$ltO>SQab3}A17__<78d_pg!y*u7Yjv+uTw*&ajw$AzCCwIDvNC|>;bOrW}@`1Fy&%@ry#aoXq2X=*CATxcIGL!*loxBu9ykL z*dG~F!jM=y9YbHA)(=_ZTf)TftL~f{?%=?A`%{iDKUarDR%=u+@xtg$<3$#fRb)_n zLK=_NtHvf^6(SMrytuMm(g;$Ipljv^S^io#Mo?xiUrQN=tDE)ESJgY(Kax~Qd&f5Rv-YwuAhicDLR*|nc&{}llnH#7uf zqT>q|G5#+1B@kC$jG1dTJcEJU%t7)fLq(p8f1Qqv9io#@L-VFVx|2=$p&wN2X~LbC z?cr;Qf568TSYs7t4_QPZ#^!|w@t~&T^%U(|^kmWw1fX1LPYvfAs1$w3u9@0`xEW+- z#}4(NRzbvs_weZ(?h=}rG?V6@wcJ~!5UPde`wR3EcOi=nvIKZVb(# zFCeP0t?91aXC`$pTXFritC_`?b+^>fk2C3R>(>Cz()2Aj(foUO$(8U4FI>XycXuo1 zvdV(qy#n&(twS|w$mDucPANs9oLOwaL$6RpxknxOuItjZH4jf40b51<3peR5-`k_E zq?eP*!XR_$%=C*kRHjyKD0Q4%%3+V#h}=;U@@F}Aagk8CxX{dQvN{E-I)`MA9Ez2# z3*Uze`-^$kqR_(hi_P395erZXcHeFo{q$^$Zwt2GdTd7rf~0VD@lSO=$O2pfnySTh zo&&L5J}gwJ{#N~yj_kWrDq9r!W_HaxX*hlwkf~H9m?9Ud{q0jXevCS#xKwORX)Nk{ zA!d^4EpF-=`L98m3Ub4O77hsO7YZ#Y){hn}H@h3eAX4Ti+g#NIGBcl|a3!KMhHiI0Uj5Lh3sXcY&@Tt)SKu&CDDVFJ>YLqKn% zu1~4d9W*!T7_}0zN_aI5WUclEU2oCm5Vce+kcUtHV*8o^lOuA9%13r=2!+G0-u;^1 zdS#O_BPq7br}9OIK8BNZ*yF34{RYJW?p2SgvVJCTT?^PJMMQdCf;B0+tdCE09eeFl zoz?~sS$@B9ME*$}!ZoMn8IZ)(A|i20p8_z^*{}Bf^WPLrd1inN+(-hAJFofc#LS0C z6)Lae#HyO<;EZ{E*o9zha~fgFLov4qF(B))FcZ_!Pd)irY+MZh&%XOzdMCO#=9E?j zSM}y`6k12@i!l|&0eKkX&zIk7nyeQ_>K)qp_!L*i9=9>b@4H?X#ebfh`Xco~*PQAF z{P;|B{?0ok(Mrz^VbTcU%9Uvz&zVBFtU4|9;IMOW}-VP5M{ zF(teF9*i`ikpv}iZcl`>nZs^hk_SQudV;;P;g6^!rr@LHj_lrAAPw}f%IE(YdKi9GW;s=NvMpFfrK+7K4JuIco3hr z>?oYbb+INHZFPZ~XZHc7K|>jD#J!6<<6`kn^$aJ$TK(Az)nj_O4iqllMD+mZ+_8_w zr0xTyT^Svx)cN5r# 
zY+7L*TLd`yfUg?M!I%P4!=q&CrO?ub8~q}9XFl$HvX;>w(T|_L)~RZ~aFo_^l_rxq zt)u8jGgy7Swu=%OIF5Zi+hrqJp&w@nNsr2DyB4xT)2dkCzR%g zCiwS;ar`@ZgN@&u>M|RJn;!0OHsB^@7JsE)e96|Ft#N8Xp^f{54f+siHWQT+PEv&@ zxU4|}=1u~)i+RxmQ5N;4iTsQc78?5grrX9EpDNBqj*=hu(={{U8E{+xRjAddu}9OX8J{~o#9u^K;EPAIXl!YN$7GY)l(FHDf>i_D^8Ribo?1rNkm3h z$e9zQJHljmv#O-qL#=V{I`B&4THS~7^|2)!idX9ISpc4QtsVBFUQQR%qOJJZTupJYAUewN+rMW(&d-s)pivFjP(!%|OJoiKDv9J%U| z37&Vz9P$th34kt;@9rJ}G!P-lZ+`i`qOh~ek5Vpn4``V?SMqS(G&TIMQDsrrKm2mC#8sm*F4B*h7)ax{y6I2K=y zm_O@B@7Uk&DoK35k-oU#6>gB?-O!8 zOI(kG?Dit)Tu{5dQ2!cZ!|}0)$>LZxkR8JJu3E8B~)0~EhV)M$5N;g494c; zI~p+Lm-H2}OVnK}wR9Art{}dZ4mm2nP_bumJ<+|jamKloXsY*V{qCP0T=1q|gc^FD zz`P$EELVM-5aryA-ksGP_@T9PsqT0OxQDyOSwCdA(b!vAW&iNi^b2DjbH9;h zg&%%NOkmR3K0b;_GRQY)`ev}=whl3ORy)|L8MnbbM9aFWHsK8#M== z_?wizD`Q535>m>I1Qc4f8w(bM^}dR=eVF&=b98G4>e?0%oj-Z0pAMjbAl?Qi!l`0V z@ly2QtFcHPvTxv|W``@xW5m?mL+WXDvJBe0@6r7*idp@nKF;P#5=gYtVM#Nnih_4e z)3q{*v2w8a2!Vt}I?JY+&@Pnt2g_26M<}ju$~+b zmKhxjx!J8JG3h$qZ$qi&|r3%?f9lLxvQx$9~ydke+cV zN?c%*boH2`i@;aM&=ZTU+A(KfW-xrIQ*I<`%Lyhl9kZvHAXvmcGz&>FD^a{VNjOc= zfAAOmoMr_KU(_~Mxr&lFEaTiaEha5|Aqo1Sd%4PNm#sLt{Siukhe)qkC-%DXBH2Lj zdrw-cLb64bGK^Jw^W%ZF3KvwUOv>QI;vMVcvmA<+u1T`OJbCvm$`hokI|kYFyuFdN zy9BrdAdSq$nM^e0WzSq5h@wCvOb2ezQZM;24@&ediD$vydood)R(Cw;}MwWxvP?c#p$|R@E?Eg0u!jAXGj9 z&43TDQ;P4iSOU27W4QpYg-{|wNFz7lZm5BtDPaQ-wnYuk^iq`M-SaoSa&J3T4Epn6 zx7}m_ zAB_{!K8);K>gyUir-jT1^xk^ks|cQ{I69{nle28#n-KLnG+b&V?WRp8HVd)3UUP^i zxo6gqS5))0$|PPUCsS)5C_~i#Na7) zDQik#t3H8GPy>jkJXf%)wC7ZhWF9K(fI_oStWZE6>M|U7} z&ox(gH2_->3o%}3f1y8tY@KhoJ(AhY;MgVbykZy5Z2yO-Fet-z<-<$W%Gs8=g(aYGt&CHIo^~^YsQil zcJ+&KqC!KuItxAhG`uV2bKi&>CSX?J)~W}?Or$3IWK7&=E5hO zj>e1SGd1>SoPcrk9J_uww3PKF5MFLd3Vtf{IV*CUez%TFx05cqe;2CgC9=0`>8+ur zzzXu9q2B8yZ1)P45U!p(NIm0?3b43)Uzwlqhy}Q-Ug`)7SCeV;)nOo6ea(*bP>JOy zg(kF=JzG^_<9sp=6?f5gCtANARhZ{2IG;oLTwJNjAvEY^4N5K{ zE!8m_T>jkTPbK``MmBTkyrqyCk3rVNGh+gwK zcIH;6iexqaO6-7{V%5t%G4p=in}SXDnmSGof@5F;?zvkPy;jqtcdiIg>!iPkuSkrX zw8w0C$}1*(W`cF*q#((&A3zz6+{v3|NuQy< 
z14~B*rRxUGLAr|@&C-O$4ijm==4OF2UX7WmdmqjNQl@6H4=Eh^U;%>x*rc+)Ik9y# zlAEcnb)S~BiwZ`Z`12AjqOt8HJ_|lcekuW51iYuGTGOG? zhX1j3kJuqT15A_xhlX4U{VkB7UldkfgcSIp3cAN>SrZYRH>k#_Kok>tUzFF$cV+6z z?-^2Zm^Yu^p=Aohs5hwfxC}+z<^hAZ_KMGWzbXSwb2`e-6W|PYx)dPwZB#{LkXrR5 zdZY1|NKZ`9pZKuKc)zBMpT^mX8e5TUjt=8H8SuRG>lbXkbUNbU_F3Y@gim-*^5)!J z92mw^3kstyV|zq+2%0m5zsYS?6(wXe_nSK3s>oT_9j>q9lGoeE#1Je}TalJC4+U?j z>t=VLg|*LO7@`IwGK+*?Zoo?|{Bn_i2UA}2kORrID?-b4+YJ3>u6Z1wY)iU);Ol3!xCpB8AIlwcDwY2g67+6ky|Apeaqm8^x0VUcgNX~iF?ZJct+ zKQA?OIbPnFR@Ji81S@VZ-Q{LG%o+W_D2WB;!Dzo9u>yyPB(dxQvaw&=5KWDdQNqnl z%@(aJ*ZL3nQU~THoqWuHMFu=GX7ppQ_@8Ggok;;TG2#N&)Y-jm`O!}WF5&fwryt_t zHpo^`@YFY!R=j0SSQsRViQ7>B2AC5Tcn!p#GoeUDXH7yJXCVQ?FOPXY>7y z#WZxbKtt8-nhW9a9Zo=~0^)+V$vSS+A7YmkhFRp%0Q#2spq;U%*clG4F zl|`FtY%g)aTo;B_04#oOteah;1sKDLWc$6MDTYE9C-YjacdaL;C)?z4aXQYQ8g}A| z`><45{jJa&#$F9i+Ke9!TF%#+e<3g+QDP8wKHt?y=XJ$6UKD!mm%;103~-sM4~rg; zy)ae1ILsaUwceM6ye?>nn8ZH{&xGAUim)*kJ8FkBrtzQq;Q z3KX+fO%KWVG$xW4)~9MG%fRdz{OT$_`c)ceV`c6Ll2@XP zljb|=XN%_czx4$OxW;U!LA%v%EIE1krA*KLl#AENlQ(xhbM{?C+W={8SJ&HDO~mU$ zZ#L_$_{#GuAz;dVIX@hCACF$+Oc(9_2F!jL0T!NLKAadKM5gx{k*T!~+Mr+PZ1_te zHaqf#Br&aS$kQhQ2Q~&6Zv|c5Dyl`>YogW;tI0LsyjzzTczlkmb+t45ZQT$OZ?ITRq-@^f-XyWx(=Nv^v2Vond+F<15*4mtr|m-m9OTkO;^>n5E?aqum5yh&Pq ztZegr>r>3aP`ap@$JamIu&g2h2Xg`=9q8@HE zF-DKB5-nJS*PI&;BLjIBoC6Wn3(#)wE&yLN$SxZXc3oWkzRrpMbcG-dpx6DGe2&6o zm^t5__r|&=;$*N!eydNONgIK66&{Glhr7xvDUptkkKcNfxm&Cx`F>CmNXdBEEAB9? 
zm%Q>XGyxmTOk1SV^1b!SMLI8^?yOIKcR*ZEph@%x<;q70?J@Y1ue&^6_U99r%AF3W zHMut{UF$tzOFQ+9J-_$A;51%gtmz7heOYu6@@x*uzXoFCn)cX}F~s>;<-4||E;X;+ zD67c(lyZCbsI+uM*_IRd+oKKZcRA}DDw0A^L-l5^10R4_tsFEv!WnR#Nze%!;&`I3kaTl`nu9zCpmK79eCh^tc%?w~{xaBNDjDVxe3NtixfNW4|;m5ck zy70&*e>W`+@7`b1+WRl&J*zUyb~=lY^T+rLM%rU!`9p3S1&CB}~TS+}|Bt;IJ>_K(&dt4~J;PDT=2 zu7YHh(4kG~+I3BM9vuTOm<;xo97h~KMj`#@Q#=t{m-%uD+n7%VZVS6VI;id6FKIC@ zKe@KC+PD3cX>S&h+A~*Bmn3Z$^x1{p9+*_OUP14J^B0;027=o|)B>Y}Ycje6%^>Mz zs+;{HGBkm=##l%?Bpa87rzJu{%Fdfsa5 zX*e7mQ)ptD!XWhaUBeG$8N;Nyv5O}}XsIJVDY)g{Fjsa{>J^8ydu1%jqNXZMA_W;p zbnRC95GLN&s%+ss12BqFM5FgnCdnF4o?59MR8;rQWcN@B@|r%N645&T;PdYH*9!OT zQ8EXs<7o;1$(1d~pRDV6O4s%1AM)wL$42MX@y0w}8BVcR3!pk@j+rixTBvI_IH-+t zfXl9Bblk4{lIq#;8!)PE-{7^8(LL0LaYt+%JFshl=|U;M!)N!X`A$Hbn}v)NJf-eg zjA-Y9u#BmRR}0dw3~GsSjlM~%34hug-I|R@cpa7D zvv@thB|1q&!AxXbEw86!>!S|X7x|~=O*~*vin9K7p#YolKh(>Ft{%t^;NR`XkG9RH z#8eh$>H2M?Qf}v4Pb}4_!w=8|>?GeG>A`rU>YXYGVlv7~^!;yYRh$CJjtu0r6Ug(| z=5IUJcw`Wm+RkDWMQpbEiUe(c&dXhFdq^`@R||~D#$v}X@Uw(JV{@G)EpgBwCoZV* zXSAlJ#9c~sy=-HwF!DZ1yAy>LJb6q20>HO!_sEVfGyF|nDHS=6ZOE;?9CwY*xo`Ss z(0qD?Bf4{M@eO}gc>0TMoa35K@pgs`A^uHzripR{Z~)GOUH#j^ORc@c{zbCBti_MH z3SWxQ&|jN-&qxg=X^pFiiMHmTcnS)Z3Yk&mSK|beI8Y2YDm&UF#iA<>`G3-mc8&66 zO+~B|j`RlBGFB>Uh+|}}l-q2*hPmzoM%7U4&eIa`RXW=UO?DX1LfWfxjZ%V<8AFtX zvhb&NHxhhLYI&;01UCET$Ng;E(1z=r^=)avC$9Ri`Lj#bimV(KI-qK zf1920$(d=9AGP4XuNE%LpPwhwc2ld^z0kV%&Sk7Uo`yp0{xi$WiYa5$Qw+9++n-b4 zfDvf-#dpsS^g!hPq=ocN^alpt_Qx!g^#Sody1aDpDzQr%IK}CqU(k*Ef`a(%J-8X& z(O??> zm6J9#A50z+#*ZnP`#BBVf!t6a|Lq$p9Qr@9S@5WvL-2WPAKz&sxKAi-$&rKZXOU4P z`KkuJ1tKURjrp|`o0HE0_e&5(cif2 z{8b3Du|CxI{OeKGRAI*^;FXd{WHC=)6ju(`Agy&}eaVF(zn78Y$4o^ysGi=`>JGqn z2XlW4-Ef^rIaU(}V-mmMK>c^)Rj(vWHdIQR|N1l~AtrW*r);mF=3Z1kUL>E>D`gU7 z4^w(8cU$!M@Yh%RS>-IWni(27E}PbgiHOyTj;zcPK0ar-H_Q;2Ma^OEVp*wHIPCSzqS15xav!&7-owN5{>T ztc<&28#_)Z=Jq_0Kj*o>iPY0uTG=nrcN5xGZmLAEQ7R@p16W|r#Gy)Fpi{o@W1^?oc8;}z{U?6mK~+P;rZqFFWy=1g#Z zq=!kOV|OLCf8gx}#wG2dCvVjEr>&XkVB{rtDHOUmL_x~vP}Ifh%}p)U5M|^2AmCLz 
z)cnUY|M7&F!{K)(DpCaL7eyL`>L{*%O)%8()cgk?{dn5fYCV7bmZ}Yc@53LyygZqs zu1Ap|Iv^U?DRg($t2P}n0@4!r4)R@UNnLq2*~-}{(nrf|Hd%U!xLCl*GUa|-?s$LxE0>DTNU~nxwBErRWC12x9WP|=#|t5SYdNg%=H*+hx6?0D2Md7SLL~l8-j7;H3qjFW zuBzNdXMW^5<>dZmi@$hSRhZrMskXK_N!4k_K9&@z%#}g#@oePLbq29g*qwkc$y-qBh&Vd(68ezDrzWV)mDQTI#Ak-Z>`jraXdO^XHs*HR0HyjIEWG88B^_o|_ z&ME*CtA=YOEC&=uy2YJ}tcGWNxW27Hnr3-%5f^8;>ua^Q)U_A8(T2}I6Q7){wfCvN zv1U5iueBzm&yvrTm7rpW(2^8vu!UVg+g>$Y-}b4?Mr@LfK0&C-KL9ceCjMIGL0r%O z#_><{=Yt7V1b0(4bRo&is9czN6#ipPeC^U`K$JL^sIUhu^0*<=*eLTG_wi`s0DkKd zCkvC2y->5}==bz*NUO?U;t`4BQ~+t#G&otr=xeth z+C9d-&J5zS56psZsey61F8ObK_Mhe{B+?4`(gAfB-U3X}+QaYkiSyW~Q1Y?Ulr&(d zM$lpLcaH0(Rwya4_#g~CMt5(No`ZOh56~=joyULaJ#e-{$5NM45a!S5^$}l40Z1E0PKtMfN!Ubm*PVSD`xRXzJ_kp-jXcC#r9h!wh zqidhT4A^mQd{<}G@P};%iCB_wsOpcXq38_pUDv)5VEE{hwgfB5GhE|NbQ;_q*Qf zs6^rJz)}D5WqsnBh`166N6NVv}#Q zvvb$}#x4Vek&EpJaFT8N{Lc^%;EPRLsJNsyq8NBE=B(VZJ za1A?iO$@{w+ATj9dli0|VQIiKBlu@F?vE<0!4QeI{_9-8(sZ#P;oA5)6%Xnogsnvg zG&J4*J3k5*ekKCGz5Y4!+J6TBfW}y>(O!q&cMGu#zj=ZkTr2ax7+kxIb)c_55cqGy zP5#--zr%#Bu*tSAmcMaO|Cd8{QLb3}{ecqu&(xsbmv&pqKQ`~R*IZ6ZoYsY3lkp{w zC1?I9N7PF6oh3BzNxXUlZBySn`~+J0?c-i)Imch>QahSHeK<`{qmOS<-MAXr8W|pb z$2d+82^a(2Os?Nf9x6a-~Pn{V4uT&j9emShKuIQKsZ`H@R8vV{d)3p zk@NN<^`Yeb`R3s8FpuAJqZ_Y@{$BWs&k4)6-=){Ha@!ehqoWP?^{n3Lo4Dj(K3&1p z=A!Wn0ZS1CAGbovH%B?^tG0TIZCX<4^+${Zc$e+ME?pBI6>a0sfGKINxgIa4XBN&d zGg6m+xl@H*hpBtrl25z6&jUp3Jy&l_k#QwS$|6jStc(zpj_R=u2gME}USq{J6@tRT zt?yct+hvINPS!~M2(N`7)*s^1in~2CVe-T7N0JB@8&4 zBRLD-ud~G{K9!aA<8_H2F)|`rOQL$G^#~jj$_-a~%Vv7-K*WrgPVIqeZatqJJVm!w zmer4n^#g2?M&hp<3se3E4`vXz5YpK4e@E` zd)X~V=xdC4|8Obn8f9-GvvEuCc8HLEW7D1WP%Ik~bb^_#f3e}eto$!m zgK5by(6IaoERSRS_wxU8^7N#81a!Pm%j)(299pLyv{D4cNi)>JtCMq#xQWOg_?lfTa=rro5q@a+3hp6fm*2 z@ZcjNTp?+&eRg#A8h-$|6~#3%Q7AAT(xiSG=A|2 zHz}03v`nzQPxFbmm*Tsn5xeR8gx3#lx=?24_+F9x%7JFlU?(USYEzGTB3G;)kW^h& zW!ki6)8F6!BA{ij^9$rp&HAAwDO1gy3I+E&cQzu6%OpMn7r7h2vI4xijn~@;c!I5Up;`aoHj_D5! 
zx=c$fa7sw*qrH#GBIX)kNvTJbimGCp*ZN0CpHW_Iy9W5)G?UOE;ed#-&3^K5lZw2#NizCL~M7%%`f>wktCy=9f0XH6K z&qUwC{R9|+>dvn%@(&;4uHaJH;Np@O0=ccUAtTbVJtpD&TljX#VaPOBAi=^o5RP#? zV2`)}%e@YWV8m@>2U1$@MS+^!l|$NhQty$s%3tvb#Ngn7mHP;oulU>pT$k26Z%A}E z>E6TyD`wX6i7WHAV~7|*-J z@&P7y8_0CS4H%L{DbNv^ML;f4S=(4WTW;{b@gxjMcTaXav3;Bz*wT4+g(|Eqg)!p( z`k(ezenh1dyicwmjH3gu%rk;;RCwq~|3yVO*aOuj9xnDku7Lwl2fLK}+EPodzzB|} z!U?F8SY9Abb-+shO&^ic2P&;sPb045l0N_^VL=LxS_Nn>8+V}o{-=ZZ0Hcb%xe62^ zIA@@DeuJ}Yx2gW$coG~>xMNoB%iSN`{Fyct1Lp5TDDT$hes`sT6cdsA1rmS@8O6Sz z3@H5~$mpCd7hk_D^BClrG`K#nyI5Xu*?UcoAiF>nrFnwAftvujotXq&^}YS?)VOVb zowO?Us=1S3Lj#=lD9yX3G3G0vvb?`VD6Y|;WTkLfR3vTk^3BYp$VeT=n#S+BTp}F< zUc(~@{SB144?0VPjZi%AI?o+FNftKy!T}8NecHis=4-B=GKz`TS+j+I9$dqr21IGc zTgk^Mn5(f*eTa=N6*Q%9{MsGucxZMp)gK*+!=2#m;vD4YX#U5}M)7IVf%`0dI442`BeH}|=dhh95(KAnp&XI^pTEX(6K&Ls5PdoQaF|k&XbH+k9eoFsP zN(9RGz4?=`V!aWO;!7^=p`M=gVf2&Cd)-zM?;82-;%|FL<-t8)+9oM8L`nQ~3MSnn z{}Ka}Ak|uT-fw46b2Qs2^=!z;yI=X{RWmf0ahzE7*_f8=Plz3 zd^$SdNRQvGx8%?8ZpJp{2#^ejn^m;uvI?AEhy+!ete$jQA9NZgE~*G5onE^%)ebxJ zda8R_-;>nGW%p2W&s~o**Rwp=D0f&v>(NaQnX4f;D5=pYfGtMlZj*LElxuG@ft8gPet5Npvb zy4YpAZDLA{Mh3m-!x*=svvf_pyypYDcBcjOPrSXY^(rR!;(}oZ<(i3${R8~ln?@s~BQCi448zR|m(Zh|Sp3)F$Y!L3%z-d~ns1 zI=I*!1N(Ulyq9Ajr!4S3S>~6(>ySaF$-|J(z-u$LzA$I>Ev(4#DP1r*b&!J z=Xtu&DbTZDR{W}wVC?(5bb8SCz;8WTNTk+2dD3BYp#gALMr~6rGYmns_B8i}dfM%F z7uwiN`PysQBnp2ek)tBn;Mxt)$@lXiyK_OjbCil3enZZ;akbBhwcHQ?s2t9E7=Nli zTjb@p?Ee-y6JUs5%cFzpYT>g%#hC*d9^1BmM>P4^Bzdnt4hQ~X1FygBbF-NdEaHX2kC_-tUF9m9MBDz=K?!yMB$z zBkh&wfP5N3&_o_xzuvC&e&zSRI7`;nAky-D+eoB!64_T!c|tYz;uT@H`kxT^dC_Db zEJoP}oh-?cjT?hm@A3TOu&Rw}I{Ela%=}X@aB~V^8EluJSB_cNz)AZ$1j0cv5~WU+ z=}4b87hT!?aQ-R;eZzA$QCCE19i=&N2hqV9z=!JmF4_wHzCy}lU6t!nW`Ly*;)8zl z5x7eZhDV)l2@c(C{gd=t#KP5N-%O4(8CM^9SQ*K?_|=qG>$Hr=xyAX;(jW4)ex*gc5PLY|eox!ERcWM18a(9n7$@%%ROwgB2$}0D}49ru> zXW5d{co`z*bE$zNP-Xg|yEa|4h_`d!*lAy-oah$H++i>DY>3e{ye~5O*3SVEuH~b6 zTBb_lqkIr;3Ja|fiP_x*|S6*_{zjP2?XB*f>|YNpG%tCJwu= 
z3OFgH-Vd@ht+_Z^FKNGFh96@i(oPC(uay(7d=@zp1%AF7;%)Q((tZGPu`2kP3Bm!x4G$cZUD11BHu&-k*g?M@RYO@}rV=_-!+GFL-I}C+1<@Xhj zVoJFdF~pzFQchrvPtK953T2Om-m<_KhZ}t3s!S%PcZa$^Qe3ki=3Asj?WYIV&77AX z91&}s;(sEX#(|xPEy$BMLB`qu=7c$F|e^p!dC&HIRw*#Y*K{oDz0T z)1t0gew_(Al8BehB+bzGQoe)-`1M}VJro98Ug>c&{&tF!k2^ zCx}>xY2H$?^H9Do`SaJ$A@`sI;w3|d#`xp-Sbf@+89}=fmlXF^57lMOlVq#!K=Tj( zrTM$dkF;O&Kfmv@272kEDjk+H-?UG!EsM}-!`{FS% zF&$f;O$l}SB1SW~PZvLx8oVY|WFYJ!rsY)}9t6CQvkp^M>5N@LfrRvhrrENqc6`kaUHi*aIQo z>S96P==%=IMY!puRuJ?F6{_^wn)`96_@CCXwPh-lBiGyG#keeds7(i^dZt%Sl!uT(9YtBIRz^1JwF8m-G4l0j6YAgaaatpAQNGNy5l_uDKyQ{ zl~4kK?w)1J!Tb@!aJ61O-@r#^*B2OAS7y3u6g_<}^6B@DC%Z&uCNEz}1gkyZa$-vi zB^*T1BD7nf@$T9l{iSXN3F52uLuv`4F-vlL)Xs@)oE)d}kjOOrKnfE|%8dFBEb=efz@o z-Z1p$nmk5VbDr|-q>zNS8A@Zckn+uHS}+B3AR{U5EwbwC;hV5e$E1zo@~Z1AgP8_h zG>ce{0r*$I1-I6kcaQj1O)2x%R3xo#^}S|Q;FS`JYxWN$RnP5==~fTuzwaEHyw^`N z|9Ummkm9`Oh4E+MR%HaYS5@u%FJ(5Uc(<;&;hL5*-qq8wFG3hX-U1j^Dcv5xk|{hN z<+GVAwM%(;@taU;rRVeN2*#vcnaDI?Pikg~Dxm9O^ZxvU zs6ONw?PWF-Swkv17)F)%sf7j3u+jM^iCx~?AZiSg<2_I}2B@(tP@|Emkyee5uJ%P& z^0CPh{5tyGh+leIfl%9CC-vGR5XzF2)>UvnRey#+Hgx-uNsi9Ybka1gQ`T(3H9r?h z{>0q(nr9HO?IT-h7WuqGjIk0t{mr%)>@iR7P;i)@(!JGx6bVJ(k-L_U)xof#tA%9+{YLApRD$v^D~#KjjeZJFzoBZDfllyB6N8Eki9tfx z{9w)gbB;IUIo>1MH@6AqW&Fcn{=n#o)V4KfRE`)~ruy0GdWi!x36wnJ>@`)1?x7-E!g;me*pBuJ5G?z5I!@7PwwFjmA~#^}^Bg&eMX`cl@fwa@sr=^Th5(7F`| zt)Ek9y~{j}3b{zujKo<}3De>0?edb_=27Pck7q*;z;D8`(T#g#sf`i^~zd zPlg;iYD^>XsSdxKTs<3xYwzn7-4|hkDqBU98IjkkZI|m7V7Wuu7!oz?QMy|D9lY2z5=j;2r(L=G9)arF}(G9zB_)b>sS%PHNc_Ep4bZo!T7>`?Y0=%5$gg>4Mvd z)9YND$WAXg&b#mg>YxOzHPY^Cj`qpzs1b8fQ+t~jk-U&3e znpmgoTx-22`IATvbGOg-{j_=WBBiy_&71yBjE|RYZzRlguHlbJ;`neBzu_4FG47O< z@otnWf!|cI?=bOp-EsAGb)O0MuGH~+bVLTcR46l5+vwH#dCK@WyNx!te6RQJ+m($S z^?9A0l2z)qbsjI<7D=o6?0n57pC`DK=px&psiSobr#l@BKTq=oDeIAs=$Oa_X@^cX zhVWiB6Rk}+b_AdAba>V2Ldf>K}b&xbm2&vT#auBJ-)YVi(^>A{j7_aeQB zMvj{Y`F4o43=xI)4q=aq1yAABi}p+VPbw`9&m?~qT+&d;d-~4&WC488m33kEF%20b zJAGmLcg!U)1Ie%9uoydcDO~NH+RIN80~z8}mq%hos-d(Z 
z@Xw`9BJ4z(z@9#czVj`h%9q54L;PV;?U0%g^WqKEpx&tg-LfL#2WfO2*ki?`p)EOM zI}!e#!@8?4)ShhG`@8DNt?(4hfDpvmNAY%WZOoHPh9>BdjqDyJ%8}~Z%vXYwGa1RB zM-K!nI-t)_iM22o(E_!5aoCi5bqIx??cn9t5*7)06@(I_WUe7SsOsg>*f`>y*Cb zXnA0&k3PO$z9yE{TN!0rEsqQwj?|N;3NiXu_le_buU;YL-WlW#tvYB{-tYWzf5w?n zz(@0IYi?Dc!wQ4-=a3xoky}zF9y7|X$L4h1PW!|`M92%blpsv`qpK`MawE{UoQ^th zOUoh%QG3!KYGC@j<~VY7s(*f&vZlwL`#CFIZciy=G6begQdZ~g`D(siFczVMP|aaMjvM{grYN0@xaEJ*;zJ{+iP}0OQYhb$agJ2H;QZ1FSf>?9{(U6 z$?Y{A_O!`*r$pb31@ZE6iN}1(>x!d<&A?Y@w>VMFpIq+peKWz=zDmBA@ZNMC07)XM zlLr=!p=6VHjK`g;JsyW{qHtpfq-SO#*2r{h84FKgc5d~~%db9q>7RMk|0*H8r`G1w zb}nTQ&yX@WJ(q=ZBaC+DZaTp-0VlmM9517V>DL1bU-R+o@tA1{n<)X0LtOIPXVVI>FwkqB(Bfo%)r`ujE#X6I*+IdO^=mWZLs^>Ria2pap|@ z48qTPYSXghGyxkaL%q^({;uglfd#nVm zapzekN606%;zJYzOPSlH}`_qpg+)7`WS3$&U&zKC-^{soqF5T&Iho)uk z_xW9~iDUd;ybhbec-C`!@mjA$gh;-#I#bNPcsj3FyYsE{7G%qc_&}vat#c}^x1X!d zI2a|km#4^2DdPEgD$9@EV9AlEq-u<)ZQ6LPk>Kgb^4fQp+N6eb=fY66M&sxn!Q<=m z6E%c9G^uWiUkO}zhiwE^wIGsdGdTgSc zmn}%gMXBZ0wRSb+N!MHht~N(ZWZ8uK;tsX@LIr{$`QV{GvOn(EMz)ImuP;X!B()5J zmnM}qH~X5qcge9Y@?EN9Wlh}`!8}8b{ZZ&f0;Q8+N*%;89JQ)_RIDpcBcG24XL!8! 
zL2JM&-09kl+{470wVC{?HMEyIhqJ2@haE`83_$VMI^^rE);eHeiI~)J<6m6$#iLo~ zP50r8r?}}?fe9cTdL!zsmIk95hJtYHm4^)ImVQ%?IsSN>--RJAhh<342CsJUJ6oL1 zIl^h@F~rVN{0$Y7`lp2n4^NIE0w1&yNa?r`1YcIi&0XSYZ8Ady@?07JZGqYYFSRfu zVR?nymu3isTUlz`q}`z~ZB^dk!`z1uH1Y-S`)sB1&CSyxa6s#cj5EL24BhE+c6X?& zO@|}8c8h}eeL`x1{Fq9u$L}`vwnE_vVbUkl75E$u=z@G(!3k%T`hC?$UB9%?eM0&6 zQ}Qiqg;gX6)#BgzU#MJGV*}puqx<^jS28h!B2yrpw3@zhu6oKL_@uBxfNmz!Rg1|u zOs%12rjbOe8DT~1tGabp!A(%=hWu4DlD^YujBVny4kyca!p#^iaiCaXJ#BC__*UZg zs#-_2>7U?R$3G@JbvX;v;vb=n%eCGZx!3PG-9d}hCRAd#=f7Pc-;fF3eQ2&|mc3_ulJ?GMuC72f1%uN}71-voth; zwpHX=@EqcSuRf(C)xmsIn{(UP8)AcJ`|0{GN!)Ko>dq<IS1Ee-5lua&W_`c8NLYSATS@Q#S0g&Wo3x z`|l7tGwC3Zcu!Bin9fsb1#4Ws^6)pRA25G2CWzoL%-Oov47G6GOrJ71g>>Z@P6uSg z>UkQE*2fLe(tACVK+IA962IUl?0C@@m~q8viL4AXgkx`d_XNLDcE){NzSdLI zGhlT&(})114=%N(mGDhGV?)(zgoSu9;s#A@2e-{UUbBB(6A?683)=5@teCV{(vcde z_dl?CersN;jBBl=lndi7*?B7QC1XeQb5Ur)AXAR#1n;=bgH|K02Hu-)X253P#{fzc zb)DAF=7u)!AOD^lM&CfyYz}p>wU&% zk*jNQ^%;t($Q~1G@!I`~XwltQIGt^Z8)64AS%+UxEpxEO;;@pIPkV0i^RhBtdTH?Gp|Kn1 z4l#CRy4*3WmacNhcFCrKUJ~^ArYC3Cu&r7^ehFIG2OT>OmHaC9h7{C&YOzJF+j_|7 zC3(7xu3z;XuUHt_ba}d0CDEOhkK8P2>akuwo!?~??Tsi(R73WEr{b_kcu2LBKfFXx zxnFuq)Y#264B_~~MlQ*m|G8js@nra8pS28NUW!bo`o~gcpntESiFo^`@ZG*h;Y%;|1{zIfL}r8lem`pqZ} zM*^sMx2?!beSuMtXs!mN+3x5U*UA6!NYljV%S0}j4gRi^m^Fjz1;b43)=QLP)sPxK z%Fw2Q=e+c_x}S>GYO=Mb`8%W^FZ371ovT97#jIopKkkxf1&!>ts!=;)3OodvYb3wY z__R+C$AP4j{@Eb(QRz2*;Xj?XQ2*s}F9ty=(0tLN6p~*%f5=Mar{bfrB^4dp?i5Hj zaH5U<51Qh*o*)(N*4?x94aX8U@kofZ-0pSw^*AjLj&7viUR>%R{G8in!Y+$Mce|;e zVcKi=y`(u&8#bQKDz|Q+bZq|sy!cY!u(_&Tbkfo+B>)!m@B)6wqr_GtSqqSX`bak$ zwSrEgK309q0)fb5Bu6dZilkLYCHc)aUmZIpX|WKVS#Ga2N<|@XBwTzM$A?XX2w6=6%uT%hPv0i4n3_@as(Ozh~1mTYj`! 
zE*YYq!F!$Ine9|m`}lNL`5v)W)uw#hPJI=(`(3nroA*YVuO*4(Dr+kBA%;7-{t1a~nl%V5J*`Cupq*Wwn z7XMv{;k)M3PjpusdD861P;3zuH8dkN;B;q$?nn>g^wwO~B$Kt#x}V(C5Oe_S20l8^U31k& z%s^rc4+f%zyKtMS2~JL7QxD(f((yVG{cr71_`yht`K-2*gI}_}R=P6dCpA=N9nA2A zXs`r!urWUQFtXjmyE@;OgxXKBX@e^1^w)idY=trhZ?rd?Hj9sJ6#2Aoqt2LtR_$dzso5KkDVfUZZdCXNjgByE|y%127-o|FQGN zdQvzL3HD%%@RCsJFZPpzd`zr9-+*`bWvO5za`W`WtLra=?@kuDBJX_u-9Q1E_?Iit z2>mr`!nYU?%6s}huz&^~E#%2TTK9#Gr`ufYOa`9P)Obm~#O1B}VY7%a&7_4d6uE(K zCrutOv4WcA294GlW%3DEJR=k6k}uU zpP(pIRit9Q$HkU8p*fqYhg{so+$B?bVJXupNJ*fRFadhe>M>6Y`u z8mI0s(HilR@To4g%wR?0L0DokNe7>#WA~u~|o5u_PCKeqj zLO;W$d#SQyakO~by;zkjcaVgGfr;x`A=x8e_m3|IG^{MdS&y|rc*9vbd5ZnhLs*0(ac<49G)8S zi#;6N-`w2fx0|lH@X5H?ET6Ddn%H+IHgH?busnTHrUp2Ch*N)mu-0~U{}<)K2?T^( zoWh3;k>pGLN0eFa9=_c0Y_(olN{p+AjDApSMpjvC=Y3nxhEmIcewpG;%9<>TIm(7X zN6!qbot-wXGMxu@wsnnj{JF0&d^Nk?ZQT4`Ps9ycp>OJ;^eGhiwNdI4fnHtZFWwBa zh-6maR(^MUojo6bgGaDmKNH7mlzMSUD0TF+^vJ{rGb-z?X;kcXu(tnDW*|wah2E@q zt*auG)$!3!?Ndl32mIXZU0hAMcm;1LT^duSpWipT>6A!rcL&b^BbD`A^*f*pIM@0T zQMd==kZ9R9Y*Dp{tgrZ(_fS7_1iJD<`tp>zgxaq{?a)`k>4WwVLP;LC`pFzZMhf5I3q5X#=_x`lE?92l!D z*3&O(g-#E0*d@f&YOt=A9C)4cyMif}t?o0Y)42uVd&@m>*qL_wocTY%;&#Mef!sZ>uy8DZzxwY^#S%lY7bCXS0oc2g2rn{oVXki zpDgarT!0^Df2WKhZ--c2U*TZJs0VjQ#CxQ|xBst{nz27V@RZARYH^3w@@jW~J9uRs z3AJ~{off?K5=pqZhi&2PmxMu6ml~rl3|g*<@zw4$-#%rcSTOI5|Ai4)N{=63ROG>G zJR@(U?0$OOVPZPe{rct}u@@gIZMbv^zf%47_V<`HS_khH|yLfL+w{akvqAwsL=-PhY2ek*04X!@2{LJj&cymugzl4 zA2;s6hY&DR2viDZ{D^p-wA3=2msZFsx&Wart#lr&mj@g{8S~t)`V^?*iX*waDn(K) zP(gbC^LBq@5A-IT`{)HOg1pRWu=yPD%sTPEaDam9KVn7oT1x_^b+(fpdtG&Hj<{%E z@)EW$R9X}qnV)Utkcy$O49?X34zp*7m$4vyX@zQxWyt|pHz<4x^y;tXiDLr4ATu*3 zoE;ZU!x4QmPKz;mo?RxTS5wMK7=2(dT%abt*_|T32-?Cueh!;TzMQ2bNkivA03|uM zvB05L+?YQdhGiMLHCfwEm@gZmy-AY&dIhoU5j%}eqPD1e6kiqdvUcJhic~q&WK>Gi z-7dzvv)(^L$u88opuUs(XW8ID>t5qYaUYIFugPHD%qWKRbN)MB@wwaDrkg<^n3jXz{P|hY zdLTuF;*J1E>M6c#{YqMpqD|(ct|?X(a8HHbme=T;kd!vsVI>H-YU{8}>B!TUcG=<( z!jKp_kk!P*g9OPJVaSKESsyi2u`0cTGl2ULtO0n)Urr&%J@*MrhDqO=?dtZgukW;z 
z?Gba!6^qSV`w{|Ixa5$###GKupEm;-jXX9_Y%9R(v_{1o*S@*Jr-+ z9pW8Ky;Z4B5AZHLx&F#ia2wggoZghGZ$sr*l{Y!%DyN)*KKA@&)>HU}3VhyHL#%dIOCX*qvz z459jZc?@bR$yFYAw~7CZKP}UHf^5%=aJz{Lw#X3FS`cQ+Qq+^q5N;rv9U7)?ReKM< zKdToLSv-jwgRro<$kcy-;3x?^Ju`eNkigb~>mOpN

    PV0?Fmre z)_z-wkCrKV1>UwM_B0ltyVZ~!`#2q;F4<87*x?JVSZm>3bs|&nx}1b9n`uZNRHi3~ z-?KqD7&MQXGWMF2IRu&1#g8Bro9T3Utl(`_*tew+Yn@JL7JKsCi($lsv@n^#_T#9=u)^pQy)rt3bJpU3Zn@UOQjpT+Bze_J?qN?@H2LyX>o zDz~3Wdcf1^h1jRR#~eR*kTgObx{{fwO9@!?A}^v&tS7{H`UXCA1>Ogh_HEV!c6i>{ zIOpm3>B)OFv~;S$0P7nUlasTtf;W)?tiGNN!2u!mX+z6KlhHRMDtlfSA|BYkO;@Hh zkVJ%UnW)txSB_ON`xl?pP-F-!STz+3p>$%0yOx~KWg1puyvH+YIVo56i+afZsFk0- zRFpiAk}dXF3kj%Tnc@A#K!WXBD$VN>2?N8+jQ$ zKFB~C@jL!T$@i^i7|Ct{9lk%Kz0&W)HsMMya>BuHq=p+qeM-9SzNjfB8hv0s0j(*A zvR$5(1gpjKS4r2M)cM%|+U`VxRFSRcB}~*(aq|emYX9b?6OhIGsZ}a82)JBInX;ZV zvYo7|T7E%1%(30G#{~C!t%&Xm z@A}J0oyy&s_i8t}Gb>jf{y4&Q_dp7t>6p<;ulFnQ#yIpyR9vci$xui2y|zko9vDu7 znT}|=$F=5>Ikh(`2}sU1cM!CSwwPTP+&=kOFP7H zV~2;D>sdJFwwUSzOY@%86h^i94iB0V==UX&^Q6ERz>U1(!=Z;8vqL=Yy}9X{iO31- z<-?WyiaE{CxdGI|oe6V*p2i~NXpYtv?EBK>R(-zJaXI$7^go3jfZQbOzEXC6O@HZ0 zy-;4D3P!1Ul(aoj6%3^m`n+MB<_kiTNGROWfnx{?(v;S-lpLe?InOKr)i+V4gP0>& z3y~OcilC*&WeX=St;!x4@BHmNf}N_Bk&+OYAvTp zb6n=Hzmk+uc=`VYVaKJa#r+GXUa|Q%(l-y}Nn8}Yb{yjzoy>i|d1LYtkQo52yt|iG zWisMZH{(xc74Fh$8^I?lfD=)F{8Ii_NJqDI1Z&58^yhi>4-W<`a@lIWd)g6E0W8yo zXmq5JRLTx9E1^hhb+<*t?C{eRAo5$ew-N-=_R{_9g~XZ*@gOO%NQj2wT)uOSqc0Q#a1){UTLVdOvqWsBPV78N+JO*#&VR zZ^fcswROWgT~ zXmN5>Alnl+qPzbcC;LAF`2T}j$71@+0j3}O?a6Y&zfIU*xN?9!#{<}NEbR7gIQ%~l zdau8pB>mrbl1K~BR6&0U8Es!m1iIUzsU=Gcmy#U<1VtQtLyQLjnEyJ?Yk1#10G|hx zQf=bklHZHHqJQ=;@tnW}0&u>5UGD$uI~DFIR1FwDaQ%IYcA$J>RiLJsIMPsO^3hdX zJ;)bnIX}<{VGYi)ln}JXJ;Sx$;f$qOWeK;&1sl_^2fua1QT-S0xli&x{RHILoZwBj zNm8E$fbzH3&%&|`=%88xohbjbYZLCh6^xD3 z2Z~?O4 zHdgu2djfonpnGIvyiCbVm5JH-iLTn^#M$_Dy~;ZIC&4tT_@KGXl)doHva0B@6Q1cl z3b-KD80EM>S`KR4iPD=9TSp)W1Dz>4${gYfaHhJ2g2oZ4YA!)O< zVAva_pwja4L6hu5riag>j@bvu6>xo6{*U&~JsRqDjpGtRZAIu%HnxNj;!qK$^{%ilmF=GMS;>&HXw__Fxl+Vv?w2OsAb>kc>+Pk#cE7HpaO7op+d@bas2Kv-Udw z9skYx{btSk{GR9gJn!?q>;3%Zmvv|-^*;pAcJdy?BmAFC`v3I{-%avEaP~Zb@?au< zXyntmxn$pQJixCU_W#JoA?B92G5}hDtjGfH*Dg8&Gn&AMRksv3P`k(QJF_8!|(+>f-~sxW;xcf<6BNW0L!{!aW41oq``ifa4=hm9LpCK;PBJmmsj2|*QfLbaa zf09=+{@G27&%FuVT?A~u5f1YtIwQ!#KEq}3_jFuH_)e#}JJD&o>{YP?-FTlJw9wDC 
zg@?Plcb|2wKO2Q|^}EKAt_)l8rc;k4IO!0+eegMTQbsIJujQl8Lennx7U*r(){9I#7ti1|(B`~DY4HL` zb}`vxHiWYduJddt8upfz2aJ3N*Y&tQ=r0=_Y}mOnKb5>`C+m1opnt#sB*FhQosa` zh&pLA)9>o1;)TWHTMNHLHC~`!*B5r^44H{A>19;ox+$Swi0)pm>Y5r3Ri~K^jJiXK z3lNqYFJ)O9YmwvGs1j^0K0$wDJ}kb~-`u_vDv{0^fu^=prpu?(4Z4xev$$hMVwLuZ zB1^utVl(iAxdlp!u+ay2E|=xzKlb2J1Uur5X1vnm3ssF@q&jGB$Zo@G<{0$Ql=XhLFm5g4(gB0pN;#qtm4Rrw>A80`xhKK5n4 z$5R#piyg;M@s8zF4U85W>4nZ1ZMvpsI%afVZ^a(yG*KgoACCD9pncKE0E8iL&f}E8^PmS_>-MKUIAe_u88 zi=&X^&(Z!(kRvZqK1#e-^y1tLB}R*JS(qn}TvD5O z8!+u{Cb{KJrJA&-f1Gf4g?GT!n|#SoRUC!j9N=lFbw)>SsJN;jG_7BNlfDkyK`5h2 zjnm;!-iQe!n+@KErusrVclywB zR*tc=k`k*V3ky7$zwJYWUk7Hk4{FPBa92-l8U{y2Yz66Vab2!QSZV%URrU&PbnZlf za_1pLR;KP?H*V$~iIu@dZ0gGN-&s%9c0kHbspz4|VGvGdnE9hp6qZCK&qM zRX_GxD!C=WSYWvUfY)hDC4DeGOxQ~FO3?)xglcYt>O6T6m{Y&L47wfQ<+80{0MbCJ zh^ERgcBABYQYoQx>s=Z|il3vxB2MIZPdt$`j;p6;Ea-g_Mb6i&X4A_~kU}*2{E$I1 zu7#Q4-~DSYT&O-h@9m8vZl&up}&sLBOP==bN?Um&;;USP^!nCa@CW zxQEnW_S+gtit2*@%o%WUCF-c9TKp`ImA&m$SJM1p?tRx#R+~l*@Y%trHLrS2nm&)C z3^j1I3RVokJn63U2OWYQ*x~3|iG+0{5xA>kC$NvMYR;xx*GjRT+<`TiSq9?Ka&bNZ z16$;_J@a`}yPdOcMaZXz7dH8er7(4-qy0;4_441B^fGv}I(krwI&Nbq@R#*FSjhwx zv6OV|Tn{tj0y;s^Fvof3xD!36L0y?#$I_FtVjxJRYNYs{?3c`SZf^&?D+*P%zU@mk zsl9)`=AT)U-ma|Cq*!V>sjZ@bfHz-2IPNaA%n%A{{_N#J5IJ^FkH(okWa2M@)l3b^ z-Hacu@7(++cka|lU)sn+d>8AkiF*6<|LsDhXFV2f56SKfX-&6f$fkE9{E% zxLY0QHEOVgYrtz!@N+u3SKw;1{YKc!n)VWZ3@)OgxL5>*isXi^mSXpm+0GB!~vuy)a$@HWxOD{XkYG?8$-nKnVd4yz)1Q#=z*7W6HhXZ-a$FQ=n7e8~NQf zxF7+jP^(oi_%f$7eQkDtc>#vt;883hEz97W%baTB!>%SVr3UFMOxr4-zzlao;d#z*Io&4V_rhQFwtciwwp0As}=RGc-ogk)~U`OeDj*n!|af;X< zg_i5u%HQC;n`7lAPEd%7Knjr`26|Si2TmCH6%(ri{@DYoF8y1gnSwAHUWQMLlfY}6 PxVR1(9Wg92aJ~F*aq-O- diff --git a/fast/stages/3-gke-multitenant/dev/main.tf b/fast/stages/3-gke-multitenant/dev/main.tf deleted file mode 100644 index 261b2477c8..0000000000 --- a/fast/stages/3-gke-multitenant/dev/main.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# tfdoc:file:description GKE multitenant for development environment. - -module "gke-multitenant" { - source = "../../../../blueprints/gke/multitenant-fleet" - billing_account_id = var.billing_account.id - folder_id = var.folder_ids.gke-dev - project_id = "gke-0" - iam_by_principals = var.iam_by_principals - iam = var.iam - labels = merge(var.labels, { environment = "dev" }) - prefix = "${var.prefix}-dev" - project_services = var.project_services - vpc_config = { - host_project_id = var.host_project_ids.dev-spoke-0 - vpc_self_link = var.vpc_self_links.dev-spoke-0 - } - clusters = var.clusters - nodepools = var.nodepools - fleet_configmanagement_clusters = var.fleet_configmanagement_clusters - fleet_configmanagement_templates = var.fleet_configmanagement_templates - fleet_features = var.fleet_features - fleet_workload_identity = var.fleet_workload_identity -} diff --git a/fast/stages/3-gke-multitenant/dev/outputs.tf b/fast/stages/3-gke-multitenant/dev/outputs.tf deleted file mode 100644 index a3f7165dbc..0000000000 --- a/fast/stages/3-gke-multitenant/dev/outputs.tf +++ /dev/null 
@@ -1,71 +0,0 @@ -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Copyright 2023 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# tfdoc:file:description Output variables. - -locals { - tfvars = { - clusters = module.gke-multitenant.cluster_ids - project_ids = { - gke-dev = module.gke-multitenant.project_id - } - } -} - -# generate tfvars file for subsequent stages - -resource "local_file" "tfvars" { - for_each = var.outputs_location == null ? {} : { 1 = 1 } - file_permission = "0644" - filename = "${pathexpand(var.outputs_location)}/tfvars/3-gke-dev.auto.tfvars.json" - content = jsonencode(local.tfvars) -} - -resource "google_storage_bucket_object" "tfvars" { - bucket = var.automation.outputs_bucket - name = "tfvars/3-gke-dev.auto.tfvars.json" - content = jsonencode(local.tfvars) -} - -# outputs - -output "cluster_ids" { - description = "Cluster ids." 
- value = module.gke-multitenant.cluster_ids -} - -output "clusters" { - description = "Cluster resources." - value = module.gke-multitenant.clusters - sensitive = true -} - -output "project_id" { - description = "GKE project id." - value = module.gke-multitenant.project_id -} diff --git a/fast/stages/3-gke-multitenant/dev/variables.tf b/fast/stages/3-gke-multitenant/dev/variables.tf deleted file mode 100644 index 80feb23a7e..0000000000 --- a/fast/stages/3-gke-multitenant/dev/variables.tf +++ /dev/null 
@@ -1,213 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -variable "clusters" { - description = "Clusters configuration. Refer to the gke-cluster-standard module for type details." - type = map(object({ - cluster_autoscaling = optional(any) - description = optional(string) - enable_addons = optional(any, { - horizontal_pod_autoscaling = true, http_load_balancing = true - }) - enable_features = optional(any, { - shielded_nodes = true - workload_identity = true - }) - issue_client_certificate = optional(bool, false) - labels = optional(map(string)) - location = string - logging_config = optional(object({ - enable_system_logs = optional(bool, true) - enable_workloads_logs = optional(bool, true) - enable_api_server_logs = optional(bool, false) - enable_scheduler_logs = optional(bool, false) - enable_controller_manager_logs = optional(bool, false) - }), {}) - maintenance_config = optional(any, { - daily_window_start_time = "03:00" - recurring_window = null - maintenance_exclusion = [] - }) - max_pods_per_node = optional(number, 110) - min_master_version = optional(string) - monitoring_config = optional(object({ - enable_system_metrics = optional(bool, true) - - # (Optional) control plane metrics - enable_api_server_metrics = optional(bool, false) - enable_controller_manager_metrics = optional(bool, false) - enable_scheduler_metrics = optional(bool, false) - - # (Optional) kube state metrics - 
enable_daemonset_metrics = optional(bool, false) - enable_deployment_metrics = optional(bool, false) - enable_hpa_metrics = optional(bool, false) - enable_pod_metrics = optional(bool, false) - enable_statefulset_metrics = optional(bool, false) - enable_storage_metrics = optional(bool, false) - - # Google Cloud Managed Service for Prometheus - enable_managed_prometheus = optional(bool, true) - }), {}) - node_locations = optional(list(string)) - private_cluster_config = optional(any) - release_channel = optional(string) - vpc_config = object({ - subnetwork = string - network = optional(string) - secondary_range_blocks = optional(object({ - pods = string - services = string - })) - secondary_range_names = optional(object({ - pods = optional(string, "pods") - services = optional(string, "services") - })) - master_authorized_ranges = optional(map(string)) - master_ipv4_cidr_block = optional(string) - }) - })) - default = {} - nullable = false -} - -variable "fleet_configmanagement_clusters" { - description = "Config management features enabled on specific sets of member clusters, in config name => [cluster name] format." - type = map(list(string)) - default = {} - nullable = false -} - -variable "fleet_configmanagement_templates" { - description = "Sets of config management configurations that can be applied to member clusters, in config name => {options} format." 
- type = map(object({ - binauthz = bool - config_sync = object({ - git = object({ - gcp_service_account_email = string - https_proxy = string - policy_dir = string - secret_type = string - sync_branch = string - sync_repo = string - sync_rev = string - sync_wait_secs = number - }) - prevent_drift = string - source_format = string - }) - hierarchy_controller = object({ - enable_hierarchical_resource_quota = bool - enable_pod_tree_labels = bool - }) - policy_controller = object({ - audit_interval_seconds = number - exemptable_namespaces = list(string) - log_denies_enabled = bool - referential_rules_enabled = bool - template_library_installed = bool - }) - version = string - })) - default = {} - nullable = false -} - -variable "fleet_features" { - description = "Enable and configure fleet features. Set to null to disable GKE Hub if fleet workload identity is not used." - type = object({ - appdevexperience = bool - configmanagement = bool - identityservice = bool - multiclusteringress = string - multiclusterservicediscovery = bool - servicemesh = bool - }) - default = null -} - -variable "fleet_workload_identity" { - description = "Use Fleet Workload Identity for clusters. Enables GKE Hub if set to true." - type = bool - default = false - nullable = false -} - -variable "iam" { - description = "Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format." - type = map(list(string)) - default = {} - nullable = false -} - -variable "iam_by_principals" { - description = "Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable." - type = map(list(string)) - default = {} - nullable = false -} - -variable "labels" { - description = "Project-level labels." - type = map(string) - default = {} -} - -variable "nodepools" { - description = "Nodepools configuration. Refer to the gke-nodepool module for type details." 
- type = map(map(object({ - gke_version = optional(string) - k8s_labels = optional(map(string), {}) - max_pods_per_node = optional(number) - name = optional(string) - node_config = optional(any, { - disk_type = "pd-balanced" - shielded_instance_config = { - enable_integrity_monitoring = true - enable_secure_boot = true - } - }) - node_count = optional(map(number), { - initial = 1 - }) - node_locations = optional(list(string)) - nodepool_config = optional(any) - pod_range = optional(any) - reservation_affinity = optional(any) - service_account = optional(any) - sole_tenant_nodegroup = optional(string) - tags = optional(list(string)) - taints = optional(map(object({ - value = string - effect = string - }))) - }))) - default = {} - nullable = false -} - -variable "outputs_location" { - description = "Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable." - type = string - default = null -} - -variable "project_services" { - description = "Additional project services to enable." - type = list(string) - default = [] - nullable = false -} diff --git a/fast/stages/README.md b/fast/stages/README.md index 7fe0b6da5e..91fce268ec 100644 --- a/fast/stages/README.md +++ b/fast/stages/README.md @@ -49,5 +49,5 @@ Implemented as an [add-on stage 1](./1-tenant-factory/), with optional FAST comp ## Environment-level resources (3) - [Data Platform](3-data-platform/dev/) -- [GKE Multitenant](3-gke-multitenant/dev/) +- [GKE Multitenant](3-gke-dev/) - [Google Cloud VMware Engine](3-gcve-dev/) diff --git a/tests/fast/stages/s3_gke_multitenant/simple.tfvars b/tests/fast/stages/s3_gke_dev/simple.tfvars similarity index 93% rename from tests/fast/stages/s3_gke_multitenant/simple.tfvars rename to tests/fast/stages/s3_gke_dev/simple.tfvars index 1cafdd9aba..f7a8e54b3a 100644 --- a/tests/fast/stages/s3_gke_multitenant/simple.tfvars +++ b/tests/fast/stages/s3_gke_dev/simple.tfvars 
@@ -1,6 +1,3 @@ -automation = { - outputs_bucket = "test" -} billing_account = { id = "012345-67890A-BCDEF0", } @@ -21,6 +18,11 @@ clusters = { } } } +environments = { + dev = { + name = "Development" + } +} nodepools = { mycluster = { mynodepool = { diff --git a/tests/fast/stages/s3_gke_multitenant/simple.yaml b/tests/fast/stages/s3_gke_dev/simple.yaml similarity index 93% rename from tests/fast/stages/s3_gke_multitenant/simple.yaml rename to tests/fast/stages/s3_gke_dev/simple.yaml index c1fca496d3..b18b091e43 100644 --- a/tests/fast/stages/s3_gke_multitenant/simple.yaml +++ b/tests/fast/stages/s3_gke_dev/simple.yaml @@ -23,6 +23,5 @@ counts: google_project_service: 12 google_project_service_identity: 7 google_service_account: 1 - google_storage_bucket_object: 1 - modules: 6 - resources: 43 + modules: 5 + resources: 42 diff --git a/tests/fast/stages/s3_gke_multitenant/tftest.yaml b/tests/fast/stages/s3_gke_dev/tftest.yaml similarity index 93% rename from tests/fast/stages/s3_gke_multitenant/tftest.yaml rename to tests/fast/stages/s3_gke_dev/tftest.yaml index 39bf42c4c6..14b8860e0b 100644 --- a/tests/fast/stages/s3_gke_multitenant/tftest.yaml +++ b/tests/fast/stages/s3_gke_dev/tftest.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -module: fast/stages/3-gke-multitenant/dev/ +module: fast/stages/3-gke-dev/ tests: simple: From 0f111472a0da3c4e32937565f3247870af0e917a Mon Sep 17 00:00:00 2001 From: Ludo Date: Tue, 29 Oct 2024 08:52:58 +0100 Subject: [PATCH 79/94] tflint --- fast/stages/3-gke-dev/README.md | 11 +++++------ fast/stages/3-gke-dev/variables.tf | 6 ------ 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/fast/stages/3-gke-dev/README.md b/fast/stages/3-gke-dev/README.md index 41bc82036c..086065106e 100644 --- a/fast/stages/3-gke-dev/README.md +++ b/fast/stages/3-gke-dev/README.md 
@@ -200,11 +200,10 @@ Clusters can then be configured for fleet registration and one of the config man | [host_project_ids](variables-fast.tf#L43) | Shared VPC host project name => id mappings. | map(string) | | {} | 2-networking | | [iam](variables.tf#L95) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | | [iam_by_principals](variables.tf#L102) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | -| [labels](variables.tf#L109) | Project-level labels. | map(string) | | {} | | -| [nodepools](variables.tf#L115) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | | -| [stage_config](variables.tf#L148) | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | | +| [nodepools](variables.tf#L109) | Nodepools configuration. Refer to the gke-nodepool module for type details. | map(map(object({…}))) | | {} | | +| [stage_config](variables.tf#L142) | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | | | [subnet_self_links](variables-fast.tf#L61) | Subnet VPC name => { name => self link } mappings. | map(map(string)) | | {} | 2-networking | -| [vpc_config](variables.tf#L160) | VPC-level configuration for project and clusters. | object({…}) | | {…} | | +| [vpc_config](variables.tf#L154) | VPC-level configuration for project and clusters. | object({…}) | | {…} | | | [vpc_self_links](variables-fast.tf#L69) | Shared VPC name => self link mappings. | map(string) | | {} | 2-networking | ## Outputs 
@@ -212,6 +211,6 @@ Clusters can then be configured for fleet registration and one of the config man | name | description | sensitive | consumers | |---|---|:---:|---| | [cluster_ids](outputs.tf#L15) | Cluster ids. | | | -| [clusters](outputs.tf#L22) | Cluster resources. | | | -| [project_id](outputs.tf#L27) | GKE project id. | | | +| [clusters](outputs.tf#L22) | Cluster resources. | ✓ | | +| [project_id](outputs.tf#L28) | GKE project id. | | | diff --git a/fast/stages/3-gke-dev/variables.tf b/fast/stages/3-gke-dev/variables.tf index 6c6625fb7d..496bb954b2 100644 --- a/fast/stages/3-gke-dev/variables.tf +++ b/fast/stages/3-gke-dev/variables.tf @@ -106,12 +106,6 @@ variable "iam_by_principals" { nullable = false } -variable "labels" { - description = "Project-level labels." - type = map(string) - default = {} -} - variable "nodepools" { description = "Nodepools configuration. Refer to the gke-nodepool module for type details." type = map(map(object({ From 363b218877677969573b17bb185e75e37a465c83 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Tue, 29 Oct 2024 18:56:16 +0100 Subject: [PATCH 80/94] remove data platform stage --- .../data/stage-3/data-platform-dev.yaml | 21 -- .../data/stage-3/data-platform-prod.yaml | 21 -- .../stages/1-resman/data/stage-3/gke-dev.yaml | 1 + .../data/top-level-folders/data-platform.yaml | 20 -- fast/stages/3-data-platform/README.md | 6 - fast/stages/3-data-platform/dev/IAM.md | 89 ------- fast/stages/3-data-platform/dev/README.md | 218 ------------------ fast/stages/3-data-platform/dev/demo | 1 - fast/stages/3-data-platform/dev/diagram.png | Bin 59453 -> 0 bytes .../3-data-platform/dev/diagram_vpcsc.png | Bin 34710 -> 0 bytes fast/stages/3-data-platform/dev/main.tf | 56 ----- fast/stages/3-data-platform/dev/outputs.tf | 70 ------ .../3-data-platform/dev/variables-fast.tf | 90 -------- fast/stages/3-data-platform/dev/variables.tf | 218 ------------------ 14 files changed, 1 insertion(+), 810 deletions(-) delete mode 100644 fast/stages/1-resman/data/stage-3/data-platform-dev.yaml delete mode 100644 fast/stages/1-resman/data/stage-3/data-platform-prod.yaml delete mode 100644 fast/stages/1-resman/data/top-level-folders/data-platform.yaml delete mode 100644 fast/stages/3-data-platform/README.md delete mode 100644 fast/stages/3-data-platform/dev/IAM.md delete mode 100644 fast/stages/3-data-platform/dev/README.md delete mode 120000 fast/stages/3-data-platform/dev/demo delete mode 100644 fast/stages/3-data-platform/dev/diagram.png delete mode 100644 fast/stages/3-data-platform/dev/diagram_vpcsc.png delete mode 100644 fast/stages/3-data-platform/dev/main.tf delete mode 100644 fast/stages/3-data-platform/dev/outputs.tf delete mode 100644 fast/stages/3-data-platform/dev/variables-fast.tf delete mode 100644 fast/stages/3-data-platform/dev/variables.tf diff --git a/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml b/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml deleted file mode 100644 index 246f381eed..0000000000 
--- a/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json - -short_name: dp -environment: dev -folder_config: - name: Development - parent_id: data-platform diff --git a/fast/stages/1-resman/data/stage-3/data-platform-prod.yaml b/fast/stages/1-resman/data/stage-3/data-platform-prod.yaml deleted file mode 100644 index 1f093b2170..0000000000 --- a/fast/stages/1-resman/data/stage-3/data-platform-prod.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json - -short_name: dp -environment: prod -folder_config: - name: Production - parent_id: data-platform 
diff --git a/fast/stages/1-resman/data/stage-3/gke-dev.yaml b/fast/stages/1-resman/data/stage-3/gke-dev.yaml index bd9501e326..c15fdb417a 100644 --- a/fast/stages/1-resman/data/stage-3/gke-dev.yaml +++ b/fast/stages/1-resman/data/stage-3/gke-dev.yaml @@ -21,6 +21,7 @@ folder_config: parent_id: gke stage2_iam: networking: + iam_admin_delegated: true sa_roles: ro: - roles/dns.reader diff --git a/fast/stages/1-resman/data/top-level-folders/data-platform.yaml b/fast/stages/1-resman/data/top-level-folders/data-platform.yaml deleted file mode 100644 index 686f36f66e..0000000000 --- a/fast/stages/1-resman/data/top-level-folders/data-platform.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# yaml-language-server: $schema=../../schemas/top-level-folder.schema.json - -name: Data Platform -# automation is disabled since this is just a "container" for stage 3s -automation: - enable: false diff --git a/fast/stages/3-data-platform/README.md b/fast/stages/3-data-platform/README.md deleted file mode 100644 index fa04c41f83..0000000000 --- a/fast/stages/3-data-platform/README.md +++ /dev/null 
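Review bot: The added `iam_admin_delegated: true` under `stage2_iam.networking` in gke-dev.yaml looks like a privilege grant, yet neither the hunk nor the commit message ("remove data platform stage") explains or scopes it. Judging by the key name, it presumably lets the GKE dev stage manage IAM bindings on networking resources under a delegation constraint, in addition to the `ro` roles listed below it; this should be confirmed against the stage-3 schema. I would add a comment above the key, for example `# delegated IAM admin on networking: needed for <reason>, limited to <delegated roles>`, and put the change in its own commit so it is reviewed as an IAM change. The `sa_roles` mapping continues outside the hunk, so the full set of roles granted alongside it is not visible here.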
@@ -1,6 +0,0 @@ -# Data Platform - -The Data Platform builds on top of your foundations to create and set up projects and related resources, used for your data workloads and pipelines. -It is organized in folders representing environments (e.g. `dev`, `prod`), each implemented by a stand-alone Terraform setup. - -This directory contains a [Data Platform for the `dev` environment](./dev/) that can be used as-is, and cloned with few changes to implement further environments. Refer to the example [`dev/README.md`](./dev/README.md) for configuration details. diff --git a/fast/stages/3-data-platform/dev/IAM.md b/fast/stages/3-data-platform/dev/IAM.md deleted file mode 100644 index 02a5df7a91..0000000000 --- a/fast/stages/3-data-platform/dev/IAM.md +++ /dev/null @@ -1,89 +0,0 @@ -# IAM bindings reference - -Legend: + additive, conditional. - -## Project cmn - -| members | roles | -|---|---| -|gcp-data-analysts
    group|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) | -|gcp-data-engineers
    group|[roles/dlp.estimatesAdmin](https://cloud.google.com/iam/docs/understanding-roles#dlp.estimatesAdmin)
    [roles/dlp.reader](https://cloud.google.com/iam/docs/understanding-roles#dlp.reader)
    [roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | -|gcp-data-security
    group|[roles/datacatalog.admin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.admin)
    [roles/dlp.admin](https://cloud.google.com/iam/docs/understanding-roles#dlp.admin) | -|load-df
    serviceAccount|[roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | -|trf-bq
    serviceAccount|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer) | -|trf-df
    serviceAccount|[roles/datacatalog.categoryFineGrainedReader](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/dlp.user](https://cloud.google.com/iam/docs/understanding-roles#dlp.user) | - -## Project drp - -| members | roles | -|---|---| -|gcp-data-engineers
    group|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
    [roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user) | -|drp-bq
    serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) | -|drp-cs
    serviceAccount|[roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) | -|drp-ps
    serviceAccount|[roles/pubsub.publisher](https://cloud.google.com/iam/docs/understanding-roles#pubsub.publisher) | -|load-df
    serviceAccount|[roles/bigquery.user](https://cloud.google.com/iam/docs/understanding-roles#bigquery.user)
    [roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|orc-cmp
    serviceAccount|[roles/pubsub.subscriber](https://cloud.google.com/iam/docs/understanding-roles#pubsub.subscriber)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | - -## Project dwh-conf - -| members | roles | -|---|---| -|gcp-data-analysts
    group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | -|gcp-data-engineers
    group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | -|SERVICE_IDENTITY_service-networking
    serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| -|trf-bq
    serviceAccount|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) | -|trf-df
    serviceAccount|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | - -## Project dwh-cur - -| members | roles | -|---|---| -|gcp-data-analysts
    group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | -|gcp-data-engineers
    group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | -|SERVICE_IDENTITY_service-networking
    serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| -|trf-bq
    serviceAccount|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) | -|trf-df
    serviceAccount|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | - -## Project dwh-lnd - -| members | roles | -|---|---| -|gcp-data-engineers
    group|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/datacatalog.tagTemplateViewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.tagTemplateViewer)
    [roles/datacatalog.viewer](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.viewer)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | -|SERVICE_IDENTITY_service-networking
    serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| -|load-df
    serviceAccount|[roles/bigquery.dataOwner](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataOwner)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/storage.objectCreator](https://cloud.google.com/iam/docs/understanding-roles#storage.objectCreator) | -|trf-bq
    serviceAccount|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer)
    [roles/datacatalog.categoryAdmin](https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryAdmin) | -|trf-df
    serviceAccount|[roles/bigquery.dataViewer](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataViewer) | - -## Project lod - -| members | roles | -|---|---| -|gcp-data-engineers
    group|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin)
    [roles/dataflow.developer](https://cloud.google.com/iam/docs/understanding-roles#dataflow.developer) | -|SERVICE_IDENTITY_dataflow-service-producer-prod
    serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|SERVICE_IDENTITY_service-networking
    serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| -|load-df
    serviceAccount|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin)
    [roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|orc-cmp
    serviceAccount|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) | - -## Project orc - -| members | roles | -|---|---| -|gcp-data-engineers
    group|[roles/artifactregistry.admin](https://cloud.google.com/iam/docs/understanding-roles#artifactregistry.admin)
    [roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
    [roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/cloudbuild.builds.editor](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.builds.editor)
    [roles/composer.admin](https://cloud.google.com/iam/docs/understanding-roles#composer.admin)
    [roles/composer.environmentAndStorageObjectAdmin](https://cloud.google.com/iam/docs/understanding-roles#composer.environmentAndStorageObjectAdmin)
    [roles/composer.user](https://cloud.google.com/iam/docs/understanding-roles#composer.user)
    [roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser)
    [roles/iap.httpsResourceAccessor](https://cloud.google.com/iam/docs/understanding-roles#iap.httpsResourceAccessor)
    [roles/serviceusage.serviceUsageConsumer](https://cloud.google.com/iam/docs/understanding-roles#serviceusage.serviceUsageConsumer)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|SERVICE_IDENTITY_cloudcomposer-accounts
    serviceAccount|[roles/composer.ServiceAgentV2Ext](https://cloud.google.com/iam/docs/understanding-roles#composer.ServiceAgentV2Ext)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|SERVICE_IDENTITY_gcp-sa-cloudbuild
    serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|SERVICE_IDENTITY_service-networking
    serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| -|load-df
    serviceAccount|[roles/artifactregistry.reader](https://cloud.google.com/iam/docs/understanding-roles#artifactregistry.reader)
    [roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor)
    [roles/storage.objectViewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer) | -|orc-cmp
    serviceAccount|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/composer.worker](https://cloud.google.com/iam/docs/understanding-roles#composer.worker)
    [roles/iam.serviceAccountUser](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountUser)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|orc-sa-df-build
    serviceAccount|[roles/cloudbuild.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#cloudbuild.serviceAgent)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|trf-df
    serviceAccount|[roles/bigquery.dataEditor](https://cloud.google.com/iam/docs/understanding-roles#bigquery.dataEditor) | - -## Project trf - -| members | roles | -|---|---| -|gcp-data-engineers
    group|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser)
    [roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) | -|SERVICE_IDENTITY_dataflow-service-producer-prod
    serviceAccount|[roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) | -|SERVICE_IDENTITY_service-networking
    serviceAccount|[roles/servicenetworking.serviceAgent](https://cloud.google.com/iam/docs/understanding-roles#servicenetworking.serviceAgent) +| -|orc-cmp
    serviceAccount|[roles/dataflow.admin](https://cloud.google.com/iam/docs/understanding-roles#dataflow.admin) | -|trf-bq
    serviceAccount|[roles/bigquery.jobUser](https://cloud.google.com/iam/docs/understanding-roles#bigquery.jobUser) | -|trf-df
    serviceAccount|[roles/dataflow.worker](https://cloud.google.com/iam/docs/understanding-roles#dataflow.worker)
    [roles/storage.objectAdmin](https://cloud.google.com/iam/docs/understanding-roles#storage.objectAdmin) |
diff --git a/fast/stages/3-data-platform/dev/README.md b/fast/stages/3-data-platform/dev/README.md
deleted file mode 100644
index 0227364f77..0000000000
--- a/fast/stages/3-data-platform/dev/README.md
+++ /dev/null
@@ -1,218 +0,0 @@
-# Data Platform
-
-The Data Platform builds on top of your foundations to create and set up projects (and related resources) to be used for your data platform.
-
-

    - Data Platform diagram -

    -
-## Design overview and choices
-
-> A more comprehensive description of the Data Platform architecture and approach can be found in the [Data Platform module README](../../../../blueprints/data-solutions/data-platform-foundations/). The module is wrapped and configured here to leverage the FAST flow.
-
-The Data Platform creates projects in a well-defined context, usually an ad-hoc folder managed by the resource management setup. Resources are organized by environment within this folder.
-
-Across different data layers environment-specific projects are created to separate resources and IAM roles.
-
-The Data Platform manages:
-
-- project creation
-- API/Services enablement
-- service accounts creation
-- IAM role assignment for groups and service accounts
-- KMS keys roles assignment
-- Shared VPC attachment and subnet IAM binding
-- project-level organization policy definitions
-- billing setup (billing account attachment and budget configuration)
-- data-related resources in the managed projects
-
-### User groups
-
-As per our GCP best practices the Data Platform relies on user groups to assign roles to human identities. These are the specific groups used by the Data Platform and their access patterns, from the [module documentation](../../../../blueprints/data-solutions/data-platform-foundations/#groups):
-
-- *Data Engineers* They handle and run the Data Hub, with read access to all resources in order to troubleshoot possible issues with pipelines. This team can also impersonate any service account.
-- *Data Analysts*. They perform analysis on datasets, with read access to the data warehouse Curated or Confidential projects depending on their privileges.
-- *Data Security*:. They handle security configurations related to the Data Hub. This team has admin access to the common project to configure Cloud DLP templates or Data Catalog policy tags.
- -|Group|Landing|Load|Transformation|Data Warehouse Landing|Data Warehouse Curated|Data Warehouse Confidential|Orchestration|Common| -|-|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:| -|Data Engineers|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`|`ADMIN`| -|Data Analysts|-|-|-|-|-|`READ`|-|-| -|Data Security|-|-|-|-|-|-|-|-|`ADMIN`| - -### Network - -A Shared VPC is used here, either from one of the FAST networking stages (e.g. [hub and spoke via Peering/VPN](../../2-networking-a-simple)) or from an external source. - -### Encryption - -Cloud KMS crypto keys can be configured wither from the [FAST security stage](../../2-security) or from an external source. This step is optional and depends on customer policies and security best practices. - -To configure the use of Cloud KMS on resources, you have to specify the key id on the `service_encryption_keys` variable. Key locations should match resource locations. - -## Data Catalog - -[Data Catalog](https://cloud.google.com/data-catalog) helps you to document your data entry at scale. Data Catalog relies on [tags](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tags) and [tag template](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tag-templates) to manage metadata for all data entries in a unified and centralized service. To implement [column-level security](https://cloud.google.com/bigquery/docs/column-level-security-intro) on BigQuery, we suggest to use `Tags` and `Tag templates`. - -The default configuration will implement 3 tags: - -- `3_Confidential`: policy tag for columns that include very sensitive information, such as credit card numbers. -- `2_Private`: policy tag for columns that include sensitive personal identifiable information (PII) information, such as a person's first name. -- `1_Sensitive`: policy tag for columns that include data that cannot be made public, such as the credit limit. 
- -Anything that is not tagged is available to all users who have access to the data warehouse. - -You can configure your tags and roles associated by configuring the `data_catalog_tags` variable. We suggest using the "[Best practices for using policy tags in BigQuery](https://cloud.google.com/bigquery/docs/best-practices-policy-tags)" article as a guide to designing your tags structure and access pattern. By default, no groups has access to tagged data. - -### VPC-SC - -As is often the case in real-world configurations, [VPC-SC](https://cloud.google.com/vpc-service-controls) is needed to mitigate data exfiltration. VPC-SC can be configured from the [FAST security stage](../../2-security). This step is optional, but highly recommended, and depends on customer policies and security best practices. - -To configure the use of VPC-SC on the data platform, you have to specify the data platform project numbers on the `vpc_sc_perimeter_projects.dev` variable on [FAST security stage](../../2-security#perimeter-resources). - -In the case your Data Warehouse need to handle confidential data and you have the requirement to separate them deeply from other data and IAM is not enough, the suggested configuration is to keep the confidential project in a separate VPC-SC perimeter with the adequate ingress/egress rules needed for the load and transformation service account. Below you can find an high level diagram describing the configuration. - -

    - Data Platform VPC-SC diagram -

    - -## How to run this stage - -This stage is meant to be executed after the FAST "foundational" stages: bootstrap, resource management, security and networking stages. - -It's of course possible to run this stage in isolation, refer to the *[Running in isolation](#running-in-isolation)* section below for details. - -Before running this stage, you need to make sure you have the correct credentials and permissions, and localize variables by assigning values that match your configuration. - -### Provider and Terraform variables - -As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. - -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
- -```bash -../../../stage-links.sh ~/fast-config - -# copy and paste the following commands for '3-data-platform' - -ln -s ~/fast-config/providers/3-data-platform-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-security.auto.tfvars.json ./ -``` - -```bash -../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 - -# copy and paste the following commands for '3-data-platform' - -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-data-platform-providers.tf ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-security.auto.tfvars.json ./ -``` - -### Impersonating the automation service account - -The preconfigured provider file uses impersonation to run with this stage's automation service account's credentials. The `gcp-devops` and `organization-admins` groups have the necessary IAM bindings in place to do that, so make sure the current user is a member of one of those groups. 
- -### Variable configuration - -Variables in this stage -- like most other FAST stages -- are broadly divided into three separate sets: - -- variables which refer to global values for the whole organization (org id, billing account id, prefix, etc.), which are pre-populated via the `0-globals.auto.tfvars.json` file linked or copied above -- variables which refer to resources managed by previous stage, which are prepopulated here via the `*.auto.tfvars.json` files linked or copied above -- and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file - -The full list can be found in the [Variables](#variables) table at the bottom of this document. - -### Running the stage - -Once provider and variable values are in place and the correct user is configured, the stage can be run: - -```bash -terraform init -terraform apply -``` - -### Running in isolation - -This stage can be run in isolation by providing the necessary variables, but it's really meant to be used as part of the FAST flow after the "foundational stages" ([`0-bootstrap`](../../0-bootstrap), [`1-resman`](../../1-resman), [`2-networking`](../../2-networking-a-simple) and [`2-security`](../../2-security)). 
- -When running in isolation, the following roles are needed on the principal used to apply Terraform: - -- on the organization or network folder level - - `roles/xpnAdmin` or a custom role which includes the following permissions - - `"compute.organizations.enableXpnResource"`, - - `"compute.organizations.disableXpnResource"`, - - `"compute.subnetworks.setIamPolicy"`, -- on each folder where projects are created - - `"roles/logging.admin"` - - `"roles/owner"` - - `"roles/resourcemanager.folderAdmin"` - - `"roles/resourcemanager.projectCreator"` -- on the host project for the Shared VPC - - `"roles/browser"` - - `"roles/compute.viewer"` -- on the organization or billing account - - `roles/billing.admin` - -The VPC host project, VPC and subnets should already exist. - -## Demo pipeline - -The application layer is out of scope of this script. As a demo purpuse only, several Cloud Composer DAGs are provided. Demos will import data from the `landing` area to the `DataWarehouse Confidential` dataset suing different features. - -You can find examples in the `[demo](../../../../blueprints/data-solutions/data-platform-foundations/demo)` folder. - - - -## Files - -| name | description | modules | resources | -|---|---|---|---| -| [main.tf](./main.tf) | Data Platform. | data-platform-foundations | | -| [outputs.tf](./outputs.tf) | Output variables. | | google_storage_bucket_object · local_file | -| [variables-fast.tf](./variables-fast.tf) | Terraform Variables. | | | -| [variables.tf](./variables.tf) | Terraform Variables. | | | - -## Variables - -| name | description | type | required | default | producer | -|---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. 
| object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L38) | Folder to be used for the networking resources in folders/nnnn format. | object({…}) | ✓ | | 1-resman | -| [host_project_ids](variables-fast.tf#L46) | Shared VPC project ids. | object({…}) | ✓ | | 2-networking | -| [organization](variables-fast.tf#L54) | Organization details. | object({…}) | ✓ | | 00-globals | -| [prefix](variables-fast.tf#L64) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [composer_config](variables.tf#L17) | Cloud Composer config. | object({…}) | | {…} | | -| [data_catalog_tags](variables.tf#L106) | List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format. | map(object({…})) | | {…} | | -| [deletion_protection](variables.tf#L120) | Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail. | bool | | true | | -| [groups_dp](variables.tf#L127) | Data Platform groups. | map(string) | | {…} | | -| [location](variables.tf#L137) | Location used for multi-regional resources. | string | | "eu" | | -| [network_config_composer](variables.tf#L143) | Network configurations to use for Composer. | object({…}) | | {…} | | -| [outputs_location](variables.tf#L159) | Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable. | string | | null | | -| [project_config](variables.tf#L165) | Provide projects configuration. | object({…}) | | {} | | -| [project_services](variables.tf#L185) | List of core services enabled on all projects. | list(string) | | […] | | -| [project_suffix](variables.tf#L196) | Suffix used only for project ids. 
| string | | null | |
-| [region](variables.tf#L202) | Region used for regional resources. | string | | "europe-west1" | |
-| [service_encryption_keys](variables.tf#L208) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null | |
-| [subnet_self_links](variables-fast.tf#L74) | Shared VPC subnet self links. | object({…}) | | null | 2-networking |
-| [vpc_self_links](variables-fast.tf#L83) | Shared VPC self links. | object({…}) | | null | 2-networking |
-
-## Outputs
-
-| name | description | sensitive | consumers |
-|---|---|:---:|---|
-| [bigquery_datasets](outputs.tf#L42) | BigQuery datasets. | | |
-| [demo_commands](outputs.tf#L47) | Demo commands. | | |
-| [gcs_buckets](outputs.tf#L52) | GCS buckets. | | |
-| [projects](outputs.tf#L57) | GCP Projects information. | | |
-| [vpc_network](outputs.tf#L62) | VPC network. | | |
-| [vpc_subnet](outputs.tf#L67) | VPC subnetworks. | | |
-
diff --git a/fast/stages/3-data-platform/dev/demo b/fast/stages/3-data-platform/dev/demo
deleted file mode 120000
index 7a0e7c1e35..0000000000
--- a/fast/stages/3-data-platform/dev/demo
+++ /dev/null
@@ -1 +0,0 @@
-../../../../blueprints/data-solutions/data-platform-foundations/demo/
\ No newline at end of file
diff --git a/fast/stages/3-data-platform/dev/diagram.png b/fast/stages/3-data-platform/dev/diagram.png deleted file mode 100644 index 79b46e179e8a3a248d676537905a1ddddc7da7f2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 59453 zcmb5V1z40_)Gj=V2!co|rGRvYbc+rRgS2!v4Be%mbVxTSAV@3SNJ|Ycba$6@!`Zy& zyyrXT`o44h-@mWt5@+Ul_TJCld#!b^weA)C4kn3(L4pB+K(M5xph^%3N)`li-wypg z_~vke!Uz08aeO1Kf{u|2n9qMDyHI=x;^9S^t>~T?LsfG%U=xf@ejo#KmHKKFiIL^HqBtXYg+5%?ADU! zXx(YU+E(4xVg02`O{H_hN`>`jrY*+tXp`W~`wSc*U!_9yA+PVtQM{&nvIz0-;+#?4 zi~J@*0eJ&?)C=+7Tl*^&p1zx(oR^obr>?G!nd*2qeMpdiVK(O7e<18HaW?M0dhPV) ze||IgD2ny&2Phps5*6}6x^2Z3T8loEEKQ2PK?%No3ay3wP5MBxZug!_C&Yr0n^qVp z4tnGvYPfq0@*mHG8$rWK`+pAbf86kztJ*nhqbT7d+*Fq4>(S|q&+Cp9wp|-b^Q1ox z_aLvSUm{UIn14x+t6Xe0$(krFXt?|{iXEI5cU;6X>W|IXs&r|mX=l@` zQc)dg-Fv=cxhHaj7_87zb1rvIGz`;Bs|54h?mE=XrK_Vb8$>x2R}^x*vi4BZ97(cN z#8Vfl7UH0J>6bwSflQMgZQOrd{lfh=Yxktsd1{oPpLO!`K(ImB+eY4o`~^K*s?Pg& z(XRX2Hht&GswrxSbiu>!D_AcmWnX_j2_(1JsQ?~(Q_=&P@MOz-TamHWDSQ1!;L?$=^jiW5J zMzV$)Wf!trn#aZ&JaFzY#5a^B?A_ekiu_H73W1zrffN5J4iDYDoJ5Sk&zD4AqNGz6N*lvb z-LZ$cj&(6#s#`*rnGTz3RG*WTmPN3nE;wEi89|NNN&KdQGKsVuNprF1g!rsxd#78T zQwp4&EJRcy7AH^z8bom31+YYqEpZdUb7_P8)JhI7ufTJ&tN|40OQ-jM+?`Q?ll>D( zdQ>U_FSMnlR8_S?j4dylU{6ypu`!MJ^bpl)J0}Hs2-xH$F`U!X5c6ByYw}$_QXsp8 znhmqP7hyXy^R()`GI1O#8+t6^%}()*W^k>6Dr&pFaI#xdRWMC*pZQkZh3mJ}(>oAd*`)zDVZ+QLxue+h)mC3M-+?Y>RFC zAo{m+uD<+IEArtfW3tY`sP(m|LW5xhcU@X~psOg?M_V!oq(y2zRkHRmgk9sv-TK9o ztua+UoDQgJRIwM-`fhmtuYSwl1!9^-p9gl43^3r!_s*Kfhd!J$LBc> zwuWA4sC%CF)k;t%^XL9?Ncg~a@l}BkqCfo&{7aj*T%HXssRW=+bA)>Te=Eb@R}UdE zm_}EhZ#{O%T(~+D8?X9aEa`&zC)NTD`rEiwaLRMnfVX5!bXWWyIY~DEt7(G3nJoebx5#__a$;h)D6PBN(2r^WXx$=HW z0D;ibeDuAbx(69p`{m467{!8Ov@Pm$;>733m3(x2?dwCA%KwDvZVSHPYyjH{eHx~F zHw>8NzvFd)ms)>DPlw!zpL_)~+V!fW#;@h)c7tu+(pmPFG7O zmvOT?9?X=M5LgX%cazm@;e+*#`GbXPx;Ig~C{~1lt3wT5`wxvUaEZe%20F47U034K zfMCB?XSTKX5`w%(Z(Rc**oG_U-yyke~$m}T{6PsQwnYJk-Caat9 z>_A7}M%N)>{}a|RoraNjV?^4z<<_h@2vkU-$lY!%n{4ftIiF(b_!dlbVF 
z)d0dd&qBI+MLm6vH1*k-F^|Ye)s!F8@k4L=C{)>Q4A}#}o?s$iQrXk)G)7mCKGJM8 z8#SS1c=+=uT`qOND5f8d_7`J@at8|8)CoMZ^!e!fkl)64rvkM9FvBfiITGtx)yH&d zoT#dMiLr}(kIx&NJbPQr4mVCt`EQndg-u7MIT1m>Ur9d;lW6B3i4R=|;r z)ocYEgr|G{Kdo5=_b9SHrPeB^%ILuwSGO{ES|-_rYPSx|B){MYkvSx4+c0n za=Lw0h2VNSmOw7R>GXYSW#%#$o3`;C*aMUQdRqy_a2gM@=vtDp=rJ;yaDkkOfkUV7 zfcxMjjW7rDI}iZ#5C5*re+L(Vo%=74nGpYdhzR+b5K=sd(eFcU={?9N6tE#g!TCQP zP7rJ;L0`bgMrgW}vU~19a8~ZltByUQLDyDS;+vRln3G0kNat1~Qq72qc(4YX(QoW9 zLWsoT;kl}6xD!KWcz(V}hUnd7gM990Pc5g)A>}%4k03?>%|S~BMgr|W#OZ(QpBkVH zdmC@!x5!R3qh9*@*1)GRQ6LaI-n(9UwS7E>^23}hhW%o;6gh5 zsfFShS$e)KmcJ?RC%06DO%ij+wSglXb*DIXQ|PZE4c*6>ZG1AbWBx3x$#S-@6ZSz1>-3$h+3Bse2NfuPpK&aA95M-qLJ6#J@E(&y%1H3r{S0;Xm{?cd z+S!?@velE7#l-!do4Yq%!^y#6e^j?O*K~{gE()xa7wBDr#WwpUY}Go zUGGQw7LIM9+1UM^7n6?Wu^wl?@VW=lcesPlr!sgqc~ZI=xm~h2WlP!miKNEE7*>be zpM#Mnu;cK8k4=>YS;SofV`Hbioc-I=HIA#jNl>Tji{rI)&)vGY>)myKoxs*#V62HU zv(uxa`Xi()2L}f~KfizF{^j+Pz*c?s?a2x&b6}`230a}8ufP#`eK+!Y$^;Vs(8*D0 zFUbBaUih0#MMk;U@>dgASLRh0HIEukXFav5;8+1QP!(7%+GGiJtc$yMq_R4hDXF)`_Hs!^lNu zcd^AEPq@K&V7Z8^bIQxh8ynLdefAgI4-O8vtwyuIe{b0DAZ1OkT0^AS+uPgL?@IuO z$J`T9)4E{C_dGm2oSU25-QE52WXHCR_c$%*>0)v+ap8sEVqp^YWjl zBCtl2S3A9Uxd7LfUzEtHw{tEsA1R8^7lJ1j2*lIvDlYnYg< zB#JNrsXzxX{}*gp&1kN1boY&}0%SsZlj29M)4 z(c2md^scV1v0@$4>V}~WudSjgMn=XkiKVPak>uoLO)ag*c=U(b1 zx-2X#-e(Jel7|t%1eV_E1mW7*zW6n})-~~8MJ}U@&qw4fG&D4hkB>ip{``%b*LGG; zK><6U37kDB0s4b-O&jy)MT6$g6W_?m^^P^&91nz>!>hCkMglU;$|j~~XGQ3hBRh?F zQv7?Ok2KIK#vP!0TV*>ZVn>=a zXwFVltk(pCUSD5>7ku$jENk$`p!w$JW{{NX2w13(22Sq`3>G$qa{YTcBVJ&Jf2L<- z#1pq)X!#sU$i|b>7ftQ#o=bT_y&q|hx*9U)>V&3ZYE*z zxK!qWVWTEcvd{4G;nt!}=ewzeg@tvJd2WL@LT)(uQMd`E>(sem)lV_62h*jy9gnDU zlY~>C1IeZ8kHMK9H-0s-bD~jZ+LyvxQd#LT|1gEu)@LP7J>BQRq9bv_TDQT&+0Gm6 zfw%W{iSPB+*_m5l>;7?x?~FN@Zmm;ZW##DJX+m5a@#BEOdIoUVC>DwvI3VoT|Db29 zbp?dGf_ne-G%AN_&+k4m&%Wav)tc)-dUKPP@anC%X&6!6Z?GfJt}(7p6SgE&!x}{p z?%LYZKNYP#Jw2_hnT>kQxf&0;nVKhvB&5O}XQ!sD*oh>9)RxeRnyNtwy@pgR`800-+rD{E?hd2lX_aA6qrZ!yT!X<-#tA<*vr3SWrcrI zx3aX{+}Z+Xbar+YUN!-wRstrE^Xb#4{$L6tBcnhaTP_kbEL1WQEELG^?9V{i=Ol)c 
z@~$o~bMf$KGRN=v-d>{EQUQBHgnnn7h1=WPn*&9F1qp+I&tVe>k1gCEdME)sTzZGR zj7}o0j-ptBjrqOS>h<3UMf`P_@S0|w#`MaDKny6G3Zv1yo(8og~TsZ3O?Hpy1A&)pQWL7C zM4|#mpzA((eJ@(Xm)8MOgp0a0X}Xj$Wya823a}3v{|To2+kXq64kQTg`}gnvERh`R zeSjuR?xq4E^8G&}Indzzf7(BO4J~e%?gx5xRn@royY}pY^C-H@7^o`@*0GV18tvi% z*~7JdY}WFsyB0V~`0QD7pDCq-KpHQ68oek|{~5{{cCVrSsDEkVn?1OkhIYMMlw*2w zvJ4am3DB!g;D4LZ$UmLDO6e<5E5cy)z1r`D<#HY&-(m|BXjglkI{*`6e(i^f>1W~M zrozh900$nZ?9n2vw^kB-6?IdxOBEslrHQ?Juy_+ifC0n7UjoEwxY7%?;-JBmtAC)=QWefHHtf!wr=|K-b< z$nPKWF#d(Eca9}!nfU(!xn3quSXZK;J%QE|;Lw7xf5%YeU~}zkWEB_h_9k&gv7*YU z206V7aT16}x372%ckk{N5cGJ#svzbgk&WrlPmMG(O$@3zHOoHtYP4rY3rlAX zyzX*oEVf(YgF!PtjWcNb;5lbwd*&#gEXkDP3=*)463ZAhol2MbKS9WUPxpU{W&Z1Y{kLz3rqcPqZV;B2PlEn{ zK-?hA9wDwcY|f=wq(&gF2yMd#+k#`0DT*`+<9{Ae3>JTPx3aRbxR^DgpAOv*mMaT` zA$ohmA|n-~rGtZm#p>_8FdX?ze&kB3U>YJIAfTh8BPWMeRTZsqdEX6KdeEq)lR1ne z;BdH@*vCQhF#V5r{;K|SamQ?{vI$t4zz7n#czP*0E~h#IIsoH=K7h^YXlwga^od=K zwP}2yq-osjpa5?vqsYv4LYIJEaf_|oZI#+hdfs&cgO&>MiM2#~!f5xeIf@*5QInMp zzJ*Erx6?iaC%Vn2DyPGXkEO!NbmE4V*YK908Kbi^mWnv^y7+&F+}Ap4X@-x7TToNf zYsalDT{gVr@XmHN>$HYwDK(afAL?n;3$_xx9t!vsGAUJ+m9_MDp%utNYGl5uTf=NX zz{A|38ke2Pqobo>RR_cOCOVq- zhqayPRsOsxYSXKhu3LRF$|}kqsa8_ep4hl@0%0+dPwO#IC3I#|qx>IaFwzUjVA~8b z{r;1MOiZp!h|&56p~Eu8O;+NIQU^DZdxP~Le54yk080*LB8KMCU-AE(+A%|<5?cYl z?ngmQLvwt3IyOAatk=ur0#C&sHByIUwi`ZTt*WS)sdq2S&VEqFA;*&%lVAEfw?ZQ8Oi@ME z()q7KwQ(ulQ6LG^E#`k|vI5n3 zKkV>B{=?WQjxF;=9o27J!p5#W5`6>d^Mc8hx~=%fu_mUOpBzakLK>y28XB&FXYqE- ziYpoT2-(@$EiEkoM~UIo*45e0)=x}KSX5{d8_~u{XPs~7OR1`=%E-t7*Mz9&Nk(g5 zIgAzUfkt%T`D}!pa&n4npRNYe!ArCT!6!eXUkmV_Kj5BeTP)9qJr0xowLr$sddwM~ z!lfNg?VdQk3?E@ZA1(@lVUrfe*uHkg%yw3`{D21KR_r&-hCDK={(`a8)8`BmI|yy% zwW*bL4uy({S*k9>;;=VXv)(y}QlsDBxSFOaeJmaRv|9RaxYnRSVfA=_IV&rtG?~>< zWnN}y>#~96UIbN*L^ic3Lv-?2GY+NKcq88gf0yH_MiuAhXLucS{hny^qn6eLKpU6? 
zmS?g*Qh1n{m^eAhs;W-AnozX|L&9$YSS;s{q@BI#?*$c@Cw ze-I?X3xE0mFF5%sUwxHfxo7Nj)=_amWJ1*@bPmZR6)na!yF%|=wYdsSS2TW!-bO^| z-3u%HGhh`fk^BvnRt1yO6+^QGem|u$R7$e9q?B5Wfs9qn@2?%_dHkFqRq#>tKI`=s zl}eQ>fd=}0RH6j0UKsP(d=TNxsftn%nc~w8&7#rKQ8h6fIa=j6Z~U6|DJUa5IgL8P z_#Iatps_rrMt}3>O-nS5?Be1gt8P7?dHlnazR{r}AkBDuQZeCs*Cw`<_z%L}@7um!fU<;53JJ+?y#c?dqwKpNqjiIl{-jVnhdzM` z=a;7>wk$G?l5YTNRi(iYbRdIC^-~CEn#3Y`Pl3i4tErs0%v`5Guq@FeqEC4 zh^U!?19_&QFe+u1&&j07}23}N%6mO;qV&tbptw9e) zz_)y6Ywy}ksjSxqEvRe#kF;DECwZWf**!#C8yog~&$Eb4=UwXjvux33ENMf47#dnx zZT+5ofj9?VI5@>W^_zbu5mQhOv!86_wwNamQuoeihqKaqW zds|ziE9ROViFaW2Nt((_Vc}~K!|^A1xK`iTD8j>2`Qr!r(3V7eX6Y{>rM1SdbQGmT zOWj|jRcN1pZeIlaW7 zoVmHV`G&ua7bTH3XjuVV#fI4d{{d=g8F_guga}V8b5BxI5(qPp_0Mncy?7D`aOQjF z#K4z+i6o6@%FX*6neW}u4!gDgXL076B83Z^k0Av=2M{eB(R;j2?3So|8P4$e{y6bE+HXMYlu=x zRb%}Ay9kk)pv48U2As-5eIiRfNw%*FyqSD-0P(Y@97Gkrn&;mTlgP54$1=;LH#IhX zU!)e(#r5VNn`X{M5-w3@+=Z7rG%+^D`*-B##;2F>na0BNT+&MZNd5N)WW9kA8Gn?B zm0MJ&f}E&A18XdnHlIVqvPsdW_o@HPqaYv7*wCWC(bUwmGvMkXc^t64y)711Jhekc zqWYGPA?))GI`KbUEi|?TGfm<+2OUq+dS^25GF<)e&D3ZG}qt);_YQTYoi?jL#1!u~>4DH@1f@*i4#FvA0vr ze0v~9B;Y+R{AI;Jgt$EEj}lm`R_+W|a6&>BD&sbw;u*W;xT`(fM7fw;BUCzy1gK&} zM}=sCt+<4Qt{Dtf<>in2Fb_8*)cAa#wDMQ+KW--`cY(zPcRvvg#QmNxr`oE5n*XUb zBEwPF=3g!VHDa**<#diqHj{KTwKPg6J9~!^S!BCmO~#K{4wu8#J~1Y&hpp8|&sv3* zRmdu*)Yv^>vi=b|DRAL_hU>o0fI}Cez72(Bma_BM3_DYQuCXvWx<8;2 z>Es_7NObfSt>e9{tSr!51_s}BOUP>p*RJ5A)?|^n0DD$dxej=U;o#xp<8DaAlOQtQ zh7E<&ceIdh818-!Qqnj}<{`tt*GLU?wkCoZe$4U6WvD{E(V zL72wi)G!RVD;(UAtiih%)K+w}p(kru<_16P`di)z+qPw4}}pJq{i1*l`)%u(!19}zuV68bQu zmV?EeDo?6zMH#}$WrJSDK)w-@nHU?JO&>C~V;TnHc~d(l`+b!B{51gUyr{*^%{NH( zyazU}o!FE(MIsg~QEHpSGr|@R!Uw>Y6Bo;tg_4BRGB9*mR`Brfz@UkBZu^EnC>pz3 zg!S|Df4m`jqV4xO3|BFcHMiwms-rlT@)ZMmo8lPmQ!f%bfF5PcCvgdObHb_kflic# zdNhczu-L2*>z^_JP1_Ys17a>-F`qqKlQJJjC7r#^X8!UuL~%$UhY~@oJ`BkU-o3&N zF2}?h^hQO}dN4wB` zsf3^hVgnmaKq-R8bwVm{*Z7ai#huB5eDNR(L|P%g%Rg_SL)aM%JSaY_`@3Kn5T<$8 zvL=KEb(mQGd`&U$B(Su!6udt0?QJx55eV?jMsEVt?|wkN=5>Cs0@UKEUgf&uubhRn 
z*0tLWPeCV%7q~M&Y#ZFZZ-hn`64ibmTcM$But>}mj+`Cxy_&bu)3%9dxE8Ka8}s^k zg^X-$*zrMrx*VGtx(!svp4?^)o%lP$W-BMFP<_kg4WDbeIqCDg**7YsJ`rsAwZD3) zfG_dRd1W;vPys(mx1_H}%H4d$?^AW6L6uWY1Jw9c#BltafLG3ejJI8xO~Eq+OV{;$ z+voD^v-7fp0QmIaOiD6=0u&y(7imjwv9)>K)O6iW6ti$MM=%|EX**U$GS#m-wl`gR zlqb4-8@T6dK#B24kwM_nsXtxV^JII%Ub@?|Vt1yFx4K@x+0XrObw*1dEiH|$;YdkL zOiWt3%c`Vd6p4Jr+8+9f%=Y)j$@NOZP_wAF&-XcwtEJs;rs7z2?VA2=YnRU7{Jn=| z%C6R$P8k+0*PaV(l2yf8e|v6^kDDecF2*;K?WL8?2CjDq)vb;uX|4KYZOONOp~s%*}>5TcEC$4i*%lCZu7r=7{4S8JkYNM0AAv$57( zQZ2zt9kLSJGty9yS)LOyRM*azjflLiBKM{-ZDS{CS-P335dC_@FBG<)uG?8nh@JVq z`qC*SB}Ge13j`by{Gx7u=Ru;SAV0s-dV(@!@%(U&aFm*}U5bRZ7D9DGw3)5*NPdvd}V~;`AQXlji-+v-e9$`4_f( zKJ2kK?a2=Vhm8k>=lo&gfI?!~3MF__K*X{LwCHJlDg!G9)44;S_s1ADYI zQ!9Lq>mB39IF;~Uy^0C?akc!trp!TD*Eh7Ht|F_dbM@?G4xV2#nHm-S_dsi<&qmnS zr@(8cbRxmF9Ih=G86;(5OU8G&Ub)iD(5bJD?nluTt-&MoQ$L4U)|R~B43U*0P<#0# zJ%7`=TE^5E?ykRkEU~2}Df*I9T#-z->TEnIdGbOcOSfv}BWjX`tI!7>JaOrGWc1P+ z;Tm_jQ@|+pD*ySI8SxrHYyN+EwP1j6pHFYI2&zgfV z`H8#8(~30e++bxD1r&liQtjdm5|`hLn0oqk8a)b}P2sEYs+cWT-^71?+nL@V{!MY$cNM+afDk6>2+|94f5Ha^c-DppoCVo z=|Z02j+zbS*@avsH8okkzI%>@C@mf#0-stX^mW9gS};v}*8QUS3gAUy$QsP1xG0nuEb$WJIfYQGKQWmrwjM>IANpuKUWtv*xF{dU5&-lQ_`OP7L?i<2o^rVxki@n0Yk24sbYoBMj# zwF$VMQ{@&zvkjgNx_e)bXrz;QZPS^1nr|NtktfsQ>eM=I0BMU9I`{*;RXyM9<8QY0 zzkYGB?VWtCoSvS}$;o+ilby?mI3H`QJ{hS}h(6d*7F0c1KHOVf%l5kdW-x(*srUZ0K4zIyycQJ?^{??Kxhgw^bwkw!y_O&OgKBnOn5iqorP=$-Z@J>-FP7?7(i=p-=AA zg43M!#*ccJGI~0eYM*u1P}3Fs!D#-^f@5rpm;j_)w=^hwE<&`MfL{2~p2|!G~Xt+>!A2xa6dVY)zi>R6V|BHqI**De5G4`!>^$ zZN}6|HT!5=dCBz>lAm8*SxH({8`-v>Tam}B@A_Nih8`PHp-Y$b*|Yj5LEAD zMO+-0?a}M{uC!mcK1uU*Yi-#{dDh^#K7F2FyWJZ*6gRd-s;Q7#ys_a(*_(!Fc>y3@ zwdd*XT88fp$e&KuIMU(TOq71Ft-auFI`0F<54h;o*4sJqDL(t5dUl8eW(^Qg^}Wpl zz7ZWQEl6%(0z)A$FHakjS5RPO{_NMUU%=f44MdLC`ZM&(Oyw;sEM#Q5mm)=djyFeM zQ{Zg7$V*Alv#|8_^e{0pc6WEnNK5~ku=Ym+KzW{l(LVil=rICO=W~4lvR&e#&yG({ z@CLhL==|G#HohkW{aHICeq4nXV!=hCiZynKllyhJ{F8f`X}xdZt24717Aq@HHlwTV z@c5(HaZXidj$b*^eqrF+-d6F~ASbulG_O+CX*?g8Ja-OPTddEov{%%a?K&LeDM`~) 
zOHPO;IqjRl)~%mhKSg_>c-CF4>Rz)^3VREEO1O3VcXPq_3_(>ZSYivGtEOiiEOk

    g4uXPfvr7?)3N+cDu3@8N6OXu40@` zJv?K*wOyG@-JVf5YlFdn1;d zXyPOq&R1r}In*?52)3@vvzC#7cvzXD?anUN&g|YveQDEGm9NNO#D1Bcx0}40hmzg( zfX;y<^09!8BD@0y)3jKZy}(VPBdj-8c?8TXQPkEHZmD#|>ss98mc?*K5Jfo4hB|OA z8udYs22e1g@r@GtS%x>tw-OR)XxieRu4oE+272<^u?19a0aL|ddc6>n0L|>E+?_Y| zk7(%Z*FIle!p_NQUqeVu9SLmSowG~dfVm>aK zI&ZbSl_l-Pa(b4k5=F!H#GCa8JiI;0Pc?rk_UYO39aMH%;*TfPDMt-E4Vq zj$+!nLl;bh<(B=YZF6UX(AZ+%FEitMebA8`OQfoQ>zJ-B$$#!6jpL!&Q`1^upV0Fm z&oJt!^@z^N&zkT;_w36rqpWGpl@}6qBRTBxaY;gAwrD}?-F>6eN7RPa{g|E=B<>4^ z^&j#XH(w~6oM&%NUXo|9F?Azg3J$dmD4heHNnxVX*8>Vom+O(Yt5J*fy@T7YzDzA~ zlZsx`qWdZ49-pB=x&HESmnkYhqv?}HZ01YpXLlyv+F^sUkT83;t|oihQtFkZxOR%> zmx3j5;!&Sbag?Y)DEH9j=Lnj5t&mSuC!q&7PsjYpSr9$K@UaM+>dg@bnVbS{kQ4TE zzMlY;`}z3+4hLm^QPIfOvEJ1pp?@nxMb-QIc&zET$aZ9O6y!Z0PgZ^ZZZcaB=q&EQ zks*r=4C*y?bamy$<>)BZZSdCer3 zYuL@c=albNpG`@FWB1Zg*t_)Tt6uzO(s?35_uWZoy$Ska$i>#$Y(?cUPShOvJA#}+ zDQsruXAd+htBofX@k&JXU#*)yGmXut!7H5Jl*Ou0hqosl?dZ5rI!x;DYSrz|U0qcqV=3{}yLJ>JfEvNv8G6to(@I#WGy z)8uok=~dXZaNxBUEbm|X2O$;4v1x>F$WzSdxnHs}HQL{#W#D3?ad4S{eRHK=f~zR) zL+jx|8$lsEcY*X*Xu2{eY&YL>7P%O}Q=|ee?{d>kKiY^o3F=2fxtt1Fvv!*0yK!!B zR!i(TB z)baQt*ke?iy)UXaH$O9BQNPnvnyzvw&WK8S0}VA@z3#;H8JW}nH%K93a$(Det-zNrCoUE z(!QI}{{DUzF+02U1$cm~o5x(vB7pDt6NEcGWfQOetOegVQ)}{!-TT)Y6?OPaa@4*a zF`3;e;&D#NQLaaxSMVxc)|UahM%6)63;P#WrZKt&BhN)0YvvXv8cn){b9o+SMi`m~ zQf1+k#Ch!)^x3~p-EN3TB=Y}pz6~84Tq6)4G(IonMeOa@2;Wq@9qx3i0_lB9Xoi9H zu10Ior$o21&tYgYw1|8<|^i`dm{N#KeSIM4QQ+3CZ%`!dmA$2EdOHIn(BD9&#iNO^~=a>YsZ|+c6yKWZ)rD z8|8d0(bHoaZ#!50XASeYko|s>?`70{Jr6#7QlfUDd0g~%^Z53B&SitP%d23B3W=Jz zL9zkU0&#IhfsE((*c(GI%Y4o%0xvFR$n@sPo9cw+3|QsZOFD1k(h6v069JU~pF$wx z;bZn)#x_;hWU6KNGOV8bnu@!<$|XT)UaYEmJl`yYD9wZi%pMu^yue*$DxvG*+UYw%&zl{ zhg}>Og@#-^`*_xqvz1l??F>>e1r`N2kgC`}7km-5WOSL-Wgh}3Si3K}M#^(*_Jf`H z*PaAYad1QhQCldvsL08GeEoaJ#j0XbdZcLU^z!n$c-bveA##bGb^E&5jVePsPzvz^ zmO!IOJ$zh!fW~*|W>lUmJ#xB){ota3RT%eMZD-ufLP!jXfW@n04ZB?jPZNK}Eyb~= z;78G|8zE!z#W})#;r$GzcIz$G)Tk&RC2xXEvngOayhMp&6(=~jK#AGS=UDsr!7nsr zDT0F=C(%hhg=1BGC>`?gwLV_NEdX4qbUJxC0*IQ-AD@g?jbFhDmDxwlG{saE(7p19 
zI+m@)QXLH(;;loLQfU|VmX?_mV-r6)3->J~qskE=q)nDps}*R(DAK6cO_GgKM)arI zB}C$`FtFK?LD^&InvW9pGV#~49S%^ddB@Aekyf-*L@GqQVKI6%O)cJx7UD>Y2SrfI zWFEN}K~4s5>|nbP+f5TX(zv(bGKCWFW2j0H31vp&A8{b!Phrs1TJ6Hgd@@^=g1Xqx zT?ef+$w>^+;*!)jmV(K4Fx}5plM}&O-GdV1R2T)N%V?O(#QWxxgS6x2HgKPsw=7NH zy@qp`WuhwyELL-5gCE|LC(Xft*0Lj1B;>s}zq=eO3D%922;5iM(^nIHv7>^?cDY6; zi@j?3%v2_r_Flt%S^t!GqEPoR~-L%{V*Q+`ODcHz%PPQ`kK{-m(6 z*5H~rS75uSqLaR@Q55Aw9paNC#>mpeF46RsD14P91s*ZLr}a7?z4 z96IJymPy)@YHXn!pq)ysdBg{U3A2jY?ix7@TQ-DO@V~DMJw30^h*Dl?V4U#kUCok- zbn7EKt5#(Q!C%XjJw&b$l>KP!I#$VgwRw0zIum7=z9`_5_9qi!SbUo6?#Qmreij}oBC>mTgMJ1GGr2D5)C4wTi-3Q zb;{5XnSEx%(85k*eT_x$TMICMTB~@wi#kSkq zc}?DeD$cqLrm!F>rok|xU-U3~hrfr{^%H&YnsXN3EHVQVLaos()}C0`{xrE5%jWe| zxQeCV2q{lRd%JK3?By3jf{=>ELP*naXFnei>iC9;zziF8dD*d!bzHcxN+E-E$Ho@H z(9&w>=Cyk5`-ZgR3plTh^kW_y-Sx~+7qvY@8?xEem!-c<(yTSAYN>TDras45D6tTw zZSs6a=4)5|(z<3IF2_H56D>v`j&FJCR+ARff;b&=M^g+u`^;LI8EC`29Qw-s8D`Az zCtq&Vk72Kp$`^lMJ|&{7OK^W0O(Vk|QnQ~)|IU&8)K@??30HYgp8EytWI_J>(Dj6H zt_0SKMq35v^81GI4P$qfZoQNr6Rkl(Dn6y^MJ|p7F;vL35ZJU5>x9bbhevrx`IZ(g zchhKUJeKmj)vb?I-eCl=uqm&r5}U$_K2uuhAgA0^GQugn5+@Ilx^L4I%CN9%(|}ZC zoI2scAF9_qEGzMsE<++l>iuqKl_CLBu8ab6IbOqs4==a7=WA0_Q^D))gnH#uJE!md zsOx!;n3jFM+1}W2-^|Os3q%Q>FUK^;qI`U9Yr7|$EtHlQHZAf@K<97XGJ4qgax=WD z>1;9do2czfZG~BXI^Yrv6o8CQUVc7?&2N6+i;djVy*W|#&;O)(%GMH^u2!~6nsyJ* z1N!LCR`@~oBZ^8gpmEcs?sR)%>DZ%F^Jb%!w0h=;f2znX>7@}qcpQ|66J8v~sq6CF z&Hw(bp5b$`@iF%+NPvTZh{rd<9pr_(b2le|4pz~+s-&)7<$HUByLklHLqS&}s`1Jg zdHZ_hiQa=`9^7l-p`fds9`=jQO-%4xOPEidb`{v|eW={V_~N;(a7tQZ0r+pAcrXZCn zdO6YWb1{?w+~W%{a`W-&Nt<}xjL6?_b-w34dcZY0?Z3V1uXEWEaNZ=q)hHU}o%1>* zQ%Xk&Om7=!89F+~DP{!fl{0oGcX)j;4#N`aoTsjTX?gsS~cZ;akMe;5L8cq zs*xvwM*0}QTcZ;_?~3#}$^x7W(d!L`R#Sqj17=VIadUP4R*#$LF&GWGm8Lxy{4W>a z*ofu!NO1xIcPfC3GB8$*PeeUjk-1GI&1zlvdwJcw0$wO0A_5@vcT-M$&%sb&z;8PW zX#y)Qb!e3y|Fdo=<7%0%&UJ6L$=6p|d1yfU%BKk=-M_*1PPjjO)n#LA%5$nq%2a9! 
z94jwt4ex#*$TaOcM4JivZo0i}x()O_3j{r&QFXcg!VpPl4W~x$Nb%aVX!pX@gJ0}M|{KQm2J^lMSmm>NQZ*TABuxBiq!*g>@))TM%o8N&V4GoRF5zDbc zjhL7i&YVbd2R!q?BRz07(ZRxQ!{3EjtaPF?nO7A{5xOEQ;WhzSO>-avbK9`zy$2M5 zb`@O5&cwl?w0~`Db5jNeyDQuY0V{-h|D)JtcPVqvK{B`1&9UBXTu`Cf7FfhIn3&GkaDrMjbRYCp*GP0Y3yp0YXAUgU#Q~@TVc(20l4HI{IYk_1M;; z8}C!ISy#nOK8&)!p96-)Q@N)$UwRoaF8O>(=nxc3Y1O;ggGwn7^Iq??05PSfPoIJU zAn5SO$ja%Z|FOuI|F6QYj7HR#D!HJ#3aF;14-6(sO+bkYhBua_Rnk$b(1 zUjcPF`a3266nYsk+nRUdJ)Gk>VH<3sO~_=8}p8CK{FRnS0_{3V!_f`m*Wx8;h2vCLo?2 zd0eljxB&VYSZr^RxyAO-p6>3BzdriNlplI4{1(XC`+d>Y{GwtcLrq8(i?<(5rQ@v! zXDT)Tp91>|hOMNd;|<6L$6I5z<3ASw>j0$Qe43hSYX#2ohc@aRRzmXg`-Kj{3v}OQ zCPqfMe=M1SVziQmlgS>orswsOhU`SE{TXaM2leiU)Y2X&6J{*WdWv=G42_I3+*gTJ zRoQgw-|Ol&n)cmMTY(NhB9Wl{sIaW;@N9o6BvS||Opx*ubltUv!$sWwex2KEvRh~Y zIps>*xtrf8*jMNMzGQA)rki*VkRh&D43DzeeQL$sPisr}0+ei)_77e(N9a<_yoa|n zx$Q3&YLrDsM}w6iAtm)^A~upuV8wFT^b|@5Njb4xVd(O)$BQSDe`B+L{v0qZYxvuO zX<}j`=(7D&vj}8huxutK?^-vJCwLK%5qH^}EgG?$^Vnjc#4zP3-<|c?DgsPGNpkPu zrF|faVLQqxrChEE6#7Th!A@lg!sB1-y@mho%D1;Z%(x%|Tz|8BsfVE8k@@{keZV+u zRuK6C^lDyS*U~?Sdh|{oEq?Ik-O)i;_KbMQr^VT!be_Ej!TsYJpWH+HMLLPE_=9Shv^y3FE%DX_; zn*Z7J8}iSrWCk^ep05g4R<2w)BB%QC*Ri^2Yd-l#xizbg znU)a|61Frf8n=fM5fg*Vfwt?~i8hJZ;b_=`XSm?a;F-v

    7Z@{}HeodYrkEbQoZ6LE zU_q_h?GXXJ1t>j?FQ8*;6*LDCvBBCvwu)5_qeN=}C47U0aAI^6wP+*@sXTfV9uZLj zGA+8%PlgW)Z#Nt*Bt6bi0tq}LN*w`y3UI*c3{>%9ClD_1mHeR^(uh&dW|e<;6nw{q zx1=Flbo7~ri>i0we%Z7|0A+HKtvK&^D3u88A97aRU>5`9HCrJ8KS|tqW4xW(+XEgT zEXAq3W<6U|(#p!c(7ke4ryAnDRV4JDa*V3$F$R&dj!pkwh5G z=;Up!2l>+{9Bga_V7V0$aR;YuvT`hKc`}pf0*RBLakQzSJm#RVYyFp2Qe!HwnlrV% zL-u2BvB*8lgj{+0fdGo*#H6GNo2qV8peA7kURhsPl$WOm@x$}y&tbn+X5N<$H!X1# zB|+x#i6I@fmT~%CuCOc!Bw5e4g@D@lI?k=rzA&#$7C8{t!TuB&h1tgBcvwd#+&4eh z)YKsNwwiJ5dvK`kB9UMxfK7>H0L&54oI`r<*6@|5ZU20Wpob>VY4kd~>HUu2O@8>; z_nw0;E&flo8Y@O!Il1a1^1`{J9 zwgJU1XlU>vEN}v`3^Y4DQf~JHtE6tHk5gk;o(V>TJg(nwwJ>sYT{-p8i|pZxsW_S6 z;5|x7SgJ<%rSi>0f7>Kxiy8FNP)9k zfOZAF5o+%Se*`uXVO_i4yXJ7$c-8rC3Xp#E+&(iarv_IvA?YFj557qupfg-P2ufVHKU>qs$Hx-K84~1^pAzHZ z4&P9p(wy^{a13+cru8}@%` z!}sx6D`^kN1(E6D#sqi)gFdUnk;7tuscK9Y7>auLEZ{J}EI2#laqZeQunCAhK((#A z!gUIrJpVPzx`|ub8Y&ej}#_PiskNq(-oq&4)!JL)8E&(+Zy{m zj$XZb6-LR$`PmDYM!;JETRG{|6h(t40v<$cY# zb7#&Td-cNd!ne--9i?2hXJ$yPX6`6#7E0KdVd%i_tC@EKroG9R?Nr-wn&Q6(D%7l5 z=fMD34owR);n?P(_p0_3`D8j4!I0Lz-qMXO-b*7ygbm^KUmITqM5~VSFYs|k+R@O} zz1ex3wuB*jwxc`Q_@|Y#;dG~KTf`caIH-Modv6cS2{VV>9&mnyj|D&U=3)C?msXp0 z4h{}+5Tvcet^>22D(-o=VMojRO=YD3T@aG4w#YIun?>%9kx~NBJZwBluAUqpLxKS8 z%*piyNU{8yr+qO=+Qt}QKMGqbH+T2I+?pEUUm;eoxePA(yDJ!#VTdH>@3c_q6eaOe zx`mlEqY*SQZew(txhTA?!^Y?;M?zuJ6H*}ouS$F+}HW*CN{QRifZ#gdI~P=Rxd8t(FSwJb@99SflCCIvDO1SP0gW` z%|>c(%Rdb$o(&Td6Pn^2rhJ7|w$W#|QY};hzJ1O6_Cd{rg-pP-Pexrv{aayVSEuRR zmPG=IyRbsn+(;$fv)XCf>bklUu#CU7a+ZJ<2~J_#+Gk?7!ax-TOzp!+*I_FG#Q~#< za6l^#x2ddbTU_At>S{TH37_idSP3NMC?;uuqDn)9I1mYD5!A@BoA0DP-|~MLc8ki( zL{S!-fUWnD(NMuacj0h%P=EDAOL=d8Wj9h7dp;ZgBbQ!9H=l&}SIu>BwfRYYK*0^D zCxOkemUwY(tqpj+U24&O(*i1A!EDU3wtOQdsPColUr^re@iC*wdEoT0Rr?#LR>1r>PZ|Y zYkGvzCcnPr-+sesBO}`o5I~xFJK9D)Xn?S7Nr$@P$e5%tQ}J{E&6}W{fo*B;LU$5C z34~dVjTdkR3rQ>a2tIhwwnK!05bCgv;vW;Uf!!8A7&eB9QA{i)VBF@Aq+!b!ob+^T zY+YQz!-FBD>gt+sL4=4lx?rFL}Cro(!B4n|&Kk3U>^@b1uu zLwn*<)szU>c5TCa_kFWMqSTE?KT(rtvUKMU3**uEM`H+5OcRtD>DD#urfjz4K$3vX 
zL@mEpqKc|&I!h;dV+Tyu1k6gOdpQ!0brYae*FWEh^Z$-JW~nT;uLjGhnc3oRjkmDE zgI#4gC#|QudwpXgl_A6fsWzixmlD*?M#!{IUiRGT5ALuNfqi@cp|oVIR?KpO=!8J} z<5k$!K~pFWln-|W2V><7kku7ZKGxJc>=D_7Q**G1wf=E`oSw_{)w+qvp&{7vsy}|r zYqD3O)#9?#!R(6*I0c;6N|qrt1EfsKqT5I(r^=z#&$FQ-<2KI5#)CGgh zmhCD>>xYtnaBPCI=X@TN3&jX^o-ZP8zS3H>d4&Gqk-4qAA8tB)P<{QlN$r-&P?|U8 z@m#Xrf>DL*^F*l*hfhsncnoJ~my**ZI&)B^@;+^n=x_Tw&DE3 zBg61DY8TKQf=Lf(_tS|cSbj32OK!@tDyNEq3YZYvAC7Gjr_BAp zH1(&lGG1O@d)pi9PVT4fO5qLiiMQXJp-oUM7)8^y|zrpU2e%}(%p zD?^*d%(Cguy`>kX71zws{G-l>uPLO*z{^Xg1EUUYl8$c06b_1|Sm{#;b z5{5{_Ir(?mtKP){zV&MZI{L~v8`gU!+4^=vwH0p_mIX^kEq_&}wX`$Cf-=9J zDTl(@B;GN}^O2dpR91b<tIVjL zo0QbFH2WvFOW$-`)tWo_Xc!c<8ErA8XOPM}!*r@5c&a7Q@~yy$g%FlAO>q`|bw2V9 zi*qg!<~P@z*#s9O8Hs9Hl^z+Nf4_a7P~a_Rrum!OuW>UeO0cx$A|o>a5Rs$vWqFYG zfoPS-NNhx6Xp7pikZs+7DQek{mEQQyuVWDxxzpk7{O8irZSw+RbCbTXZi|2iGd(@M zq~s;2Ikx2-eZML{;^5WR&P&}3EPB6&{%seHr^~A(Pg!QickY8z2HPFQ+uC|x;uK^T z=m(0D4}TCH?!ZINUkTTj?=%k1w~xV=kRS=yMVrw{GgPTjtc!oTbS-6rU+M5hq}rm% zp=MGkm8=LcPg{}O`ib2`ImH3LQ!JaUdqQ|4idK%kZf$1C8*wRT>AW;{Ya}ml2qKT0 zcg*AZh+8dI$g1)J29i%5P`rx$Z!aYYJ ziw8*WiNc}bVa@Ek!I~g;3u_PC3_hiS(mykF6^&9Cdxf+nd-C=Q7O|Kk$~1I`DZICi zxXQaZsqg$|llwWtr?!6MPIHgx{La;hnX|{o-U8AN&E@X{#uQ1gyL8WHve5dNaiq%l z58haej$humwVjfUkmc4$D3XGm?ugp_?saOzOwhZNW_)_Td+9#1mZ2wMf}x8tXu#v< zgBPLp$-76p{(4Kw>KGa7L{D47y@ft{J3N(GCFznYkK}Wz)%0?Z^q!4wV58aWoz+jZ zF6x*SbjqWS491Ijwxyk;axYF%Y)0_rw5zMM;w|UrR_$c7``JtFdMYNS&T$2YJp$T% zYiofa+)wqgrLc~-GS8Qve9q9nlawCo8ZFRxI`{VcSk^O1-|G8OnkaSYau2x26HDocnp1pKk_iOeK&#aXpOGPsJRS%qSq;br0qEKCy zmSUM|!|G`M{cLq^?pQk&e65&a4SoE!}Qgu%IdQ{PgmwQ5a)Lo(*muj!vI za)PJSGJg^8ur5cPLzI;efO@SAIs)pm3zEU z`0`h+KDAC~wj-MXl7dKGLQ;1Q%q0D9izMj@%=>xCFyd;L;Xk1mSx;hVZoQz^d>@rWA&DJFqu2%+{Xyf7APv0=C9FUTx>972`qmFTpgKsie zNkX?RKAj~;ISoL&p+gr#Qo4hf+d*HCs#mG9SiT4BIaj1??e80yg<-VCH&2`JWO6+$ z?XqKSQ;Vre6TTISRH=A~sYw_k8+UgjUtm!OdF^gb`LUr5^d|6gxQbJ zmF+S#4(|}lgT=CFHKRh(0J28-t;Z)OzN@9CF4zfK$#_cRX;z!|2ZYrX?GnGs;*w~` z6(SC0iYdsqNX`;R26YbTD%B0X&KC;;*25x^=R9#s(e$yNlBtI2(^AYxRSu*bsj@Wt 
zPrDxBMbq7V39idbSZ(pyiEY}e^uc&V<{G?ohYTNb$9c}}ct{C?(w{2aHZ<3fc{y8j z3Gz=NfkchwpRmxMZx#Lq(){N${`OC#CO_@JF5pWeLl z{HJLd?EsaoYUd-C=u`iP!*WqN2pLkF){RtTe^8|E>(#@rUB#Y98~Ys`tu0N2(4Uf} znFnH24-OCAMQ=IQi*4Dy-aR=(Lqp?;W9wkABfpi-Yhj?TeEZj)N!;&aDZ0KJy64CT zgMJ;)9gdgfSn2UZnLYRZq9l>Js0?qP8x}t|WF9d8?VF^UTnB%{2Q#yg&IS9}-{@1M z&z{VhS8-1?YewhI-`e0}u7(gWt`g6)RefbAJcPkz8Dusa<4xqULfXsI`j@4e$@^Uk z;xB(PAGo(Ra2UJQ^3ZE1L^S7QvIf1ztN7b$4#C#h6#aSb_sWl2$kNQ$@!IR9$9%9> zeinBP;Ehn>doOVZjmFeEJyWWTkLbvD`8ngj*!@*)FCX>WJ`}u_2{r?+vj+YR#SbV~ z@y_}%4-16(Vognz)Hlp_bhJ{jg9h$z8`Y`UJgb_gV3QxLrQ`4QRf7k_vDz&-g`${B zVRq*5h>=%5dtD*t{Mr0=^A%c?uy`Tt$1C5dQ=5R>{m^;sZ!BLC+WEL<0IBIV% z14@ljB7^VKd2JXkO}s<^{%1n4t%x(y(sJxDR33P6aPVh}AnW^3)s3}1ijkJzFK#g9 zlyo~VMpQd=MqYMw^c7%_BIr9_<}r5vBaxJTayk?F3}Jx3>-HHo<4#=mLX_Lf_KQ6s z7jQV3@z&JP@Y?t^03v9}h&tzKxb5G}?V?U#N$_S!I8sreP}x~AX=!8QR%%o5E|2~c z)3svz$jv>=i55T(xtPR0tx{YOB*eJ-rsYicNz`e*?wJ6mm zqh!NHj@qamYU|lnnYOXDFiK_Zr)w-3ng1wi=+8vS61B&SeJo`O0EYne0P6r@RlvM4 z3zTGMn*!JhNE3=%Bnm{9mX==Q%v!CTuwhOIDhpmf)WC814g`7}07~%Lam>03Y}wub z^MMF%UtXaBm2MO~I5-Gr+?#1Y1;qk~veU)M zsZ$LY?3T1R|2+)L7cUM^&bE_OU{=C$<3xlwCUIz*e=DP@zkf8-w}dl!bFzZbrG2dF zu!q7#r$5`0yz(273@b<`cmd1@j0B);HgQkjA9Ivag7z6EYwXQ*btisb)1|9DI~emm z8Jj|J<|TT#z`|{QKGZ8r`2*h!Ucfo^il3~V9_^yIZTR9%f^YFvAmtC9ettm#4z)OC zh;(4?hYxaIe%Jr41uz6|stQ;#;C%Hx_Xo9jcf(nMSfxvcpeW$~BD^GhI&vVrXY1n# zbO5t&zp=Q4L#(q`xwv=V+tdieuya0Y6zScIB8t^7uB_j?x~i{{L|lFJyHY==O~E5G z&&J-qY;3)9#7as^3c>+Ewo(G_sh@v^8SPxbzzQ@~S+@a>fI7!Q%L3)%3SotOib+7N zHh7){n4_R`V)jwcK0}Zavz+ zm;W>(tCcPuN{Wc!hQ|r;)7c!e1pLtr76?7Bqj|s$AF%+fRSuA+i~seWquwk4t*IF|v?S*-=opoW647=^i{j$Pd zQzJ5g)b&TBr!zaXZqa{8O*DzI{p;%LyiaGTEfb}Ydc}tcW~nIg!kR7wXO@lV zf&UQ_Szmm6U0ZaqqS@#M9e;Ochb|(ZXf-i=eqjN>4=mcmmJRHjoEKmk-~#HS$JN-F ze$fMtlqIdJtE(vIKumNrZbbA>-$Uy4<>kEG++h$?KwfO%5&+-DMMby78DsB0%;?kl zCtXYd`i%C9irxD6mX6Fvep0e!EGwVdx*aIG%DGiZZ^-8Jh&}Eo56M+-g=Y@FIpSV& zU@MZ9%pgV8!w+~A=Sf%Q*huW`{1wl`2^2yPAs}O8b%5s#%YkNMuam8K-237TsRji3 zOiLh;V&n665C>Q6xo%nV?6Y2R@8Y}SC~g6GC@^P0Kmp*yD29l)&-Exf(ITV+t9h+eotev@G>(eQC;pW~ 
z7_t{7f~PUc^bB)i!l&L-R(YMWEfrp@&tAMJZl11|#Dq*ttZQ!|@Rr`=3sPU7+W7mt zovxuA3n7FS((BNsQeGNj{V6~BtDyIqaZ|(_1rk;NDql%Y&9s|sl1fB86BL4N8NuB7 z9kc6R+olCx;tZ#F(|q<`7VoU}AGy7WeEa>^@B{vA56#zpf1U+HF0sDrtpZf+;KK$b zP#F!fHj6+)Cd40Tk?xlBOto6>3??Mhd)_-=JYOo|p!eABYy8>A>0KwWqu+h3hI!)T zdpGBiV|@Gmtn1%2xpdMo0bM$t0zUqz;^1%zx2!}v^4GND{>){b_mF+& zlyfHBb}vvQ6KEqi`ze4LmokdRsSvu+-nl@$6<*}&_Ef@FZxcNrL(i8t{{=y@GwI{+ zYX?RRMXCio^Yp9rs7)8b)-mv#0~vi-%*WLH8uqn;sKTrvm&44-an9>k28Cj@b8;0rhj9zpbR{q9pQM&D!l;|3`Op37-OnVX#zE+{cb1X}=$jQl}Grq;msOXUmwFhDW;jJ5`=AbG0cjMU7ZVm!S%$d~qbL5YSauPf=p-AMf*}BvJL@81`vu zmL$Wc78lgwqBHv5@-_sMp#3Tx;!kj9z@y`vHZlTV4br(xHL&V#6Z*}W?2yl^w1p>J z`ohStkNk;tR!KlBkKAc$&*`Fat(J6sY8%U|WfcM`KL~Ex59Pk)y5eSOAIN8nN?+EH zHj$3h=$T-2J6})9zmLuorJmkCaMedv3KtW7@&$|GeN_zCk&J#RKbo|j>kc+Dez2i8 zN|)STe*VRvHk|J@+c#C!cr9hMn>SjeuPGzR3`HfgAxo9b=vx5C*IMo!sn@E0zI+T8 z#+r8!@sHkSe!8!si);x{_VLBy$-`uQR%l76APt8C1FIXXj?F(ZIs?L#cvy0o6;f`G zNG!eziYt^hG+8it%!qA_$WxTFK*t;0&*koacu9uodgc;F1mX8WtT4PcZ*Dv$vY0km zKxfLkmH^?dw5%Ptsw8yzt0c^N)~wC%nW$H>^F!GtquWT!Y!fUZ=9LU*-WFjaSQT)| zBv)!bP>_86s?Jv5!}9z`!>x@OlZLM~0`$_~vpOW}zLi7?iG8 z(u3$K%zdsY&nujCc9h75V-Q>#nVGq?1Ov0(H2uOw0+%zH9(+SyBlxOyll2O!d5Kt` zolZuySaBGRUG_oZ(|u^V5@x2rh4yLRV820!QaBu-{J;hF$KCJuQFT%?17Xm(nQjo6W(1$MUsIpo+dUE9~v3jKw)VZ z^Y2H!C4>(s!ufmgjg6dlP!UB{{WTbB{`FC)8_Sj1Vll=)b9jvY_cGN^^UF9&@cur8 z&jQ|FBVefg*R=`5W|^{kdI%X6KU}{iIBdp;qwY6ec8#|mPMP=e=iY--bRG~!t;$F#K4P$ zPi64sa!81m*6oqOSN@hwgZKACB2-u0)E-?9RW|j_RJ+m6>=Vs^^?)RzM8bLjnamp* zz>xRG@QR!dA>j(+3(Hc>`x8xCE{1_idu;&$qQ6R}ey9uEeM?DOlSBmLzrgf8j?@k4 zeJy+0jfI<3B$icwT&a4B4pM<6l~O;?JNBG>*Np%KA1pmpID zp7;ZD+aqV^ot@Xj#ub8v*JD>oXZYoxtKG!AfsoGcrT(*Atj`G2lTM6M>T2tRk<1W} z?Oy{_b=U$ERU6sdY&5}`=Flc{TZh*-o>nZqXt1Ap;Ot48PI0l9q{(f-ga}SHM30g^ zN!pyeAi%mcGB2$yUa6^$K8p^stbvxZ*haCBN3iiSQxzjQQ-ByWDpN6l!M*C9zC7`;qrc;wM z^=!-dBwz`yBV07|{IvQdXmlm=v~Wm#)N{kb*(=-ZZ0E=+$v41B;MUZn%XjN4b>c?i@f~BUr1?REm~U+HuyOb|O^sa!jd1s6-CkR*+9 zw)6?w2U{-6z|ZnXjuRJ`eym_&7>M^uZDln*)xtnbt80u@4fRjz;O?!y 
z)CaQcGz{p_ooOt*%I47ql5`BMp1(X#6LaxzHA>W0cPigs)4xcYa_y%)KmUEWq5lv$ z(21eva+c9rmV?)9ABiwPCS#9H6cCFYkF!0w1+tXQo*2vtjuXEa%(Or26xY*)pP{Qn zr{J}^a7H1bcrM{&UiWFi*pIB@AMvgBLTh@&LYb1QYeyygpIcQ)&kl~3eO`x*_MxXa~-g}N(yWy30115QRWitJHr2gMuz&`@TRjx$%;i@v!5wiN?J+77v zW~`$@++fJ!ddrZoW|xUAt)N26YVJWv0COJGRWWiRvUw&mKfDlzx;w0|Et%-aLz8W| z5)?Z)Fz=fev?X37f8DWUkeQqP=`i@$R8g+zNS5q<)URJ+MQaMj=T|`LJa{Vb zoKSsr8OJ1%k8kxW11(nH>T2&aIc|oXqawfFzm~4 z@t>=C?=ta}@gqp}hMaD)npy5prikt7+S-T(11d zypv*ChrXPXvMGj!yu3%rIvZRi#(MMxQr>y*SZ>SUOSQ&g_fg{7V4`*uFD3h9Gx~bM zgFRwrd8B=vDytu{JMD&Zm^uZJgmyi+FYCwf;MQ{7!)tRLUL{sRi5Bf;_y(v?LXfDN z?P%v%*zXA8v2#8ixO1moV&|ks-s~&x1B7iJZ7*Qg|tJ$E~rk@0C7SdQRM0};m-Ilu`AX5I&8IAVK05_rwTPq&(-Q(}VShFkmL7V>nbeLhvO8V{ofp`j04)PNE1uU($;!yl zaUat4G>Y}QNeLv^ChDqcYu&!R4oc6>U$LtJwA^W9Towse2h6u)65ojzwm0?Y0VS+Z ziqgB*e#m8jatBu~zXFXu2jFW42EU=K3nV>=r)^F+Pwl&X25_uu-0od|K7dkZAhU&9 zHrCebAjm12-i5*zWcb8b_eI9A2+R~Gq*>&yi?kLilbzwc^pz^g2c2v)*iO#YUjUd4 zavm!qz(yZDc%Z9Gg~!jw2i0z<#M~Udy-v1Q8~`(c(aSIMcGh4p%gCT-W;PqlS9hut z6VMhlLZ=mnE(ZP^|K^un>{X!IZ+Y__zA);iG7LPBYz`e1uMg0ngN+GGo&*~ZL!O?V zTAs*+LR6R;$o=8-CS4a(z^GL8v|=U2 zd2*!A`GrSMvp>!ua7Lde&C)!bz-Q$=<>?G2C_wy=Pfh@6wIXdpjSf%*f*Kxlb701c z2}t!k7-5u;9d{bD2KC+9xWFw$HIu25$0L*97%!zyME2O*_ok=<8(ig-7x@_ChodcB z`dwfo(%?ctnM5#L0Nyw|0DzdW*;iz_A?0U1ucK{DGQ-NBBx#?sy&ae<-;s>|yxf>58H0zm?C-dn6(O zdzc~IN-K84Gjyj&C7P8 z73$I{9P%HYPOI%Xcege8yw_UPmA2u1EImG22`vjM=ha$q5c9%Y*vxmvlq`b+Jt!S2 zju1qov%udU5U*`+dT-P$7HU|6{HCg5|09eyD9w}fq9GwbqfqN5l)0j%vUSvza9H{Q z?mT)a6$n#;Y)GL-F6>cIVGA#o^fZ8O5oNi6l3Ac?1NWq9PjU?;c&+}Kq`3sUCj~t+ zjaFmBoD)X81j1v;e{J;1(XI(307ZUQzr(Zpv}xXI7w`Nq#ilXV?pU_W>i=(5%}<^j z{p0m;hI%Gos_1oy>Hy7WgZCRJlZ zQm7C^s6IxM<+1d^AD-3;gzy2`15q#9&DznI4CY8PjNOV?>3ipP&BsC> z`IH#_b=dF0@eti4z}pSL{;_mIVI|j61fE+*dKI|Fjm4s-Z$#O zBuzll_~C)S(E!9`b(`)&FyV7cOR#y-Mab}xdje%c zd`D{wQZ}1sw}D{^o|{E{nP&;kFRgw+PgiPD_@jf3$FTvf@aq+V=x zi<@vfp+;1}@I!$OEqi-=`24A}iK*7t9ngJ5ss+`+76PA&O?6l8@niczb;W;l(_kt@ zf_KaroGn0oHSzvc42M!nC?WgI9f0ZDuCsvjL?WpK!54bg)*qXveEl# 
zI*k){OYH6`7G)b6oRUzDne`(}h@Y4*v$@48TfTO^O^e@7n=nceFWu^$>a@y^F8$pH zlVFE}yXIS$)c60Z7zL9Sd75F<>#I=oOc&DDWqwtHaRypa;{4An(xl>PF`F}Jg~@%4O#nVfpC4S zV&STkth-xI?_!iHwggWr@X3GGnc|r#LSV)65Qm~!66U^=A7mJ2>}qT>MO6bTKX1;N znf3oZ_Y0-8nI;-~b`I%JgbWZn& z+|v^rNpE+dyMtfPb0trv6;1txg?l4^IDRfJ?wz-5Rc`eUS3TIJUV_25od#nD$~NpwRx%Q)?IdBiy+a+(JE zy$|)8MOM+!QZdaRuT2aQi1wEqk(wv0MF^Yp#TpM>*b z?rCv}$QZetdv-cgk&-0Mfy~wY0%D0%KU%os} z0|)J>lqXp;d<`Fhc$7Z*VSA1VXH+QLN&EM_v-UKq4Ve&-`s|pfk=!OcYJm8?lT54; z)vMmR*B7{SznJ?6{)FqVE#H<`Hb*7OUaZPB8LGOXQr(~Edwp9_*k|U;#E9nZWS;dk znK+?7OUg9@4d02BUXq2~*4CB1i)(P6(Lqgv>Sgv_1 zscS~(R`@=zM6=*vAOx_HhRz5{lpxyMk@Jl7ruCgMHq7MmYOR9rzp?F0F|Q*C{F}c& z#~cj8njE&7b7W}(e1E`27N3?CbH95xYr?0BoVr+FG3QABMVZDZWk^>hB2 z3@=T`k9BMm^6)^Lx$v{S=pf2otSwr#uKWBHQOKpXwkM)P1q&4b?NmQcS1gEn&)m6|i zV_s*D7bPsJUi)RwjDv+mGeAWJ^T*?X0Ucs@x6-c2MAY()L0rZv!OSLt7U976vPUs7 zc1;z*fNPAM5q<1&kwE2vXMZ zh-;|Z`#%6!{36mWsfNdY3G+7}t}6ccdG=R@Wu$I6#rrLjID|p8!kocQoA!&|k9i$h zuabiPtp(`r2KLeh@w($?vr8=^&s_5Q!)#o|tuRD550jgsTJ((zyx(o_5C73L{ZA;* zS1JqCw*-Lpe}M;aHSqEA)kEpb4v3CYa6#401Q$Ihhh$OQ5Inl@R-?S)Vr3^*nvTD) z(LD?}Ex^e}?mvF=A4pT4#m0C|2ghXwvbKK<#svN)2KD8fZIYjI^DrjY{VVl9-EWWhB7FKxWix{N-`a5ZE9_5QB2U1OCd= zn<%vmP?`VT*MWcg{MW*^|5Ew(UtW;OREK&7$EUB-&X3jUR0*>RX--~^#U?0@#*iE> zc5BBl+Ht)U9mi;Bv~;CocLep+Nc~Yy z)A%db+m6h$Zs*O5cm5ka2bp5K{UVyWCe7WL@;hbH)#r=e7k$f4n;|iH2qvFZbf$Nv znjG=!++X*-OBcT}yN8Zzkr|#!+M@#rB;BIkqu$`Qz2;9nX0~*kl(wPlJnBScbv){) zeSBT=h4<)h3iKWp_NSlCiCH^4>~(GYyNv}>M8}Q}D*bF3YCpNHd>x5F5|W~SKIq%9 zU#!C{0?z=8mfze^p0#!)+cP8tJ$eOD)WF6<@2(Hc|N(HqZ z<84}rfikZnkGk&u!CCtB?+!!iZ#tGMAy2p}CBQ*f-`k%3wd~6MB;c%K{s+iBz1C$H z$Ng!q(|AL@04~-=mv_B*asKJ63c-|Rp~j<%ut4*R?Wl(HS4A5QIr<*%>Jw}38k|R& z)3#@?nDA#7dtY?OIeVUk#+XJOe6^%jCtS===8S*xBrjC)_mI*&GbjM;^CZI>xtu=@&4EQn1kP|0$2bjTz<(c>$t&#f&b zZDL>q?hDb@d8BvIc-l@8^tBViuEBMvGna$ZSiixVjI}csXJv>Z^)c_~w*d`ai=BY! 
zBxOXHTjhlvQcfpVIqu`Ds3ui*I)N(MgAbu#IlA0_>C-c zZ?jRNOC<|fdWc~(&KX4y*qrTN7hD_mKJA$L{3JSM`*#Xk`yb;=_tJG~LRbXTPlR5o~>k1x~rC1kf4Q1u9w)(uUjtX&ikq)0(;(+0R z5M;Cp1GmsiLX)oaVpBVf4>zJS=9TT+fYCa)11hl+o00L0&9F@iD{(3esmQ|;1WjM( zJ3H(uy#Sp5!2e6Cq)8QoG+$41(Z*-8plAjB?+JRN9{Fd*X{XkST^l%W&s}CoW?poE zye%^7c2IoLyD4gc?d`qgepqZTY(>%dX(=b^Ttu*W!mHu%+)+NzTu=R|@oeZ9(XLsM zw(4W=YS+!aUovWG`s$`7@&9~_|0PS{zV;FCT2#WkuY|i-SKh(yRE-%w^l3xYPLsGx z23IcYt%${}Nq%9$^rd@cz(U_G8;sXC%Xxaap;$g!5PseH(keAq-tABYf-uGq9yx;ARv8J$Y10ff<0a{^Vu^`oVId`FznI;L z+Kf`1AL1)y;?~-jGlf8vEe_QDC}CzdBYzozYg`gP;~#a5rf4SOUMjjVET1%JRHnxh zE~4pbT5GvQs9s0fG?PLN!pxc5y{C8F%9CxT+{^dhby*s7!n?+&n`dL53F9fKV!?jy zOZEHJw!=+r%d*5M5KzPqr>hvlz#oih?chNFhwyu8*q3Yp%LXFzwZ$`fw{#%|eAuP^ z|C*Qow-a|>2M6NIO#(VPBHBpZ;FoW>XL$1SZ*x2Oj=Z&5QXrCKDm0j-TnxJH*jDUv z&WS|Yd04!pKP^!tl|)`8Ymqe~A;7~kP9`I#S1nTG%%n|MAn=R$WEWzOv6vXF#~+Vm z~l& zm2V>A+S9|)_-d=<7#`f9VK(9{84W=>NwM|P!%WlKwJ__;H+<>q4PskYWSs7|MVSAf z7I*$(#jS61%_4xNY78Trxm0a->Px}{4SE+}6G6hzT;DQwVs|=u{vN4o9@CW%H2;+7 zQZroVYP!)Ufs0HOL9$TZ@N3pIzm4wO{OXkf-8(+oz5VOKY&uloJY0V-;G!f$_l?pG z>Z5r^L)zbG;GLIivxjq~7*~O=FSl1B{2QGjy0|w@{%V}3cIWx4_n}jxS?MZbxL6@> z^nyER@muL`d?Qk%&RES{!EDd0YH|Bm8mc~|_vKc5faF@rQ74T`Zs=w+Zr;nQ8bdb| z@TpA*Woe5D6$0MkMzCc%M5*)T>(j=EN7ow4Bx~r(p&JI@rzSP2<(i)UvM0=-yYCZH zd{bIh?krmCxo7f~a8(}Uv>}6+%+RwtUUL60`+z?eBksF@SVBcMFUA&=@0v>U*4|^r zuf?OWp}ln3r0d?7@#&XqjOVS&r5$d9BWpHJX=Z{+RtMY1GBZL>R+}919)|a>y}a=~ zD?lC}e~EYrNpklgeF&eKGIgT_c^iQRA3n|7P`3;I;+4de{1@J<15-u$8I2RgMm2TmAJ464K3JylfLZWDZw@p@=nkYs(B8uZG^KwQMY)>-u}Ml z(R`d!-5IJNH=qHK=LE%AP=PczB>JLuNsR#Zfmd2g%)Sh>ougf^P-}}(Nj(5{Afm2S zyX~22FLo19a)M~kXQZQdhBZ1i6;B~~ zD<&$c%z8|q_X6~P0!iyCy^gyJiUH|MsmF@r=GsPn_@!u{P5<0yh1?Q#pz;iEjD_K zkgZmesY4V8`Ww@C&Ofe*Dr#tIUcZ8ReKRS|&CP`_1v~jj27seGJ3DPA>l31*fm(=x z;yW4|(kjtPIe-!ZVhn8!;4D}KUcGu{S2O;Ergs;TyJ{ebMOQaPI%9ih2lVBDl-=wq z1v5~C>#iwiZYONQ0s~!lI&qqL_$n-%#_$;}x>fjBbsIJ;=P*Ng(jE=eissyzn@8e!Z zL%Z}I0y+TnhIS;jW%OmBW48*ys&~ z<-suyK!2ucp5zB}D=VxUH^?mJAiModQ+QmQrkWaqUiS7__wdLXV}|tSI`psMtt(W7 
z%ZYx5q@lBbu0epr;8n~Gc7RQiaBiak%dl)U9 zQ&akRY7pyo0W1-qvQUWV>9DkuBa3e}5kYNkLMR*kT^`a1bg#`ql76`lz z4BktAfMlkkoXV#k^*y$w!1Vs($0HXP7l0Ovi;ESQ>{t7NmIF2i%3IvP#H6q{ZRQyc z8w=*iGvPC%KvTuo38dcKyVCB{`uiYY#3;u6HS4kL8?Y2$M|BWVP{RW=hrVUUG?u(7gYcW?+}fxETEgeL{m@j%b?mcRX=!OEr-R?W z-|H1$td;euK7Oq4GVKe@8W=mk_W^lfsJtyevf0?#Vc7NkeQ|Sh-|1SIp9dP%dic|; z^jzSf07`_gAgI9dPK87^vZJE|HH;G!;6^SvqpD#8vGg-vy#SKdy-)wVgaUgVzbxUW zt~(}>PNt)yV{Duu`C+)k*k7aI3_Kr~-lwO}fZ!d-#L$osF^45w1QcdB0Mr~Z``~l2 znuSu31%shhDFtUYuRVa;N5H!R6%A{sa9DfimNEY(zDzN(|aBr0IeJ3)~?vAFM9W#x_uJ=ATS9#3L1zmoODU zC>#XeZ9wTI$VckImv)oX(u!BjQ&3XUYw)P4HbMdLJPB(F{C0$*0f7bg0agX}pO{nc zbmkqW03RPA5z(c4FsUl#Kv|~F!XCxwflkAMlh-@Kyg^*dq1!D=l%YCzQ5o1x_;O7 zyRP5w{PDW-$~m3q^Z8i!+x<33NbZ1_2qR+~7@a^r{N%*nKoBcKYnTjc)T`kM~G)(x;=tT%hssvc(O5j#r}u_|N=Q5`T#iBW~Tk4edUx zpV0Av9vvwj8My8wWoKU{C%>&T0=>0MA$Lmjz|p4}n!T{lVFlZa1C#{J{-6#w4@$$YaEiKKax#jRySux) zx|9YdSU@bpYLdYe(buOzh)Urz;o%cilwuZ(+mYfwBbh#iZ4Vk8`AMr2bt~W?HbWbZ z6$}qL>MD31mV!KrjSW|cIte}vuI0@et~#UXnVF3zHpRp_ogJf0u-e1CL~O#mA;)EY z-@sK2k{(AF7ng?*>EqKHC7K##un;h{F-~+FKcwN^Q&S%xIJ!73LVTJ|Tts9g)Bh4n(5?E}Zlal*g}RY< z-Qny3{+@Sul4s7(4z3cTA>hItJgzM45_%W%2SK<9Has*G6e2-q{?VN*GLH$ZL|7&H z$>m9$&kt+e=w@L8udS^`Mn(#yYm5Yp{fQLLt7!fEHaB+$4ys_`W@5leTlTp8X|qQi zVch(j%i`+W$-7rjW$L{P?o}iqOdW@WThBy9MWd{qYaPHwtkpX&#+R(7xa?|bY|xq3 zZaL@p;u1AEf@Fqh!S@X0I>inW%*;=1#+Av)?Wq0qr)Lv7eqq2;RaNfm*8_IG+?<@4 zFz%%-tC7rHo!Bx73tK$eis-TDlYSRIfJ?E=LV}w01(_yh$w29E4P@S|c=bx|Bw)Ua zXzSkH(DplUmP5eI|M0>1r3>Ok?*fHlB-w!56!ia!w@XV<_yh!ZxhTwnPV3&RhA2Mm zivBh|Ee&Uj@87?}sl)9M4-vkQ^;gN+#RU^Pq@ogWE6>$0)0*Zt>|bCZINlc2W>n_v z=;+SyBW%B=(#)uU&n5)kDMIQ z4L*W!V1cD+cz76!4wEa=s&U~zu&_+b z++l-NlJn-x188-AwHLV<$}A!A1S0uR+YuL!;AHNT12tEvK?Q@M7VLA-x(4-Afo@57 zcsR(_Y?_QsVLLN1xn8cC++z)Mm@(*N3m8x)+N9*welzo*P><*r#Au@*VevNuU1}KN+<*UT;S?m zIPVJ(?qC#|`x6f>85;Ov(@4PFtFwaYkLP=+lOm!$vXr4>1gpWBz~e`ZjEtbI**$?1 zAXH`X7Btyf4X{w!oze1h0)7Mkwse9N z50EE6^C=G0pdsHS&eg_4kUU#A4fP%&OWzjM+Wx}#PM(}JBM?&@ks#_e)-H=;CoA5x7(cP z*VQ^QVeLC6PeQeKFQ?Cu{$QbrPpjmW6cPCaC*yD7@zdjIZjSk;5C)n*V-FsDmKK|& 
zc_Fmvy>p#aq$pZWiq08DT4%H-DjaT6a5aPKtH_$am6b>rYX;PNd&dt2KE>e5H=fpy zb$?P0+;xniPtWHX@a90gP%A7T8j@07QOco1RVFlSmI(KVO}f(S#O`A+P#o+C(!wO< z>_Fbtn3520eAoC`h_&+>o9Y#MJ1H+a#^N-Mv!w4nax0#s5$NYd%fJJXUNK@KiAa~T zwf*hmbyt0*E^HFCN37_Cy|})uRRZ&E$|O$-rcew zcxd~q7XP!^QQy90n&~SQYQdEyfo=5L^wKrs;^a07HU-sH*@!|jLyhClFC1eoqfvE! zPW>iDz7cIUzb5b7RuG@h>Mn1SU@P0wU%+}55G!(&HBLE zJCc4&tqwJDCo|DY?`TArgtI10`HH)AzP3+@F}dNVSm+Rrq#ce$JIP+RInyTG+qUGv z?YuplVvFOwT|Te6LpbJWov-5kC=VsS;Py*XQ{0SX+uU3xjDv`!cu307C zBUd&NKUv!o12&!Y8^89Nh&?pak@FA2s*`@2GR*bkRCt}XG07Www00%yQ5^EY+{dWc z6aLcGwhz4@7_vIfF}Mo7i?!>O5TtK)v}8h3OjknVO;Ha4@d59@EQ@m7A? zphwQOibZ)ox3CG*E=`juMIel5_p{klUtXLX?>eph_``OA;G$UXBa2h1%Zl$&T=q5t z(^j1(twW11Cds)naRPluQvz}?==(JMAT9r-^LhoVHXmP5eLP!bV2rHyRyQNBXB%@0 z9BHrjmvIl|NMBq3<4|?q-Q7K_nUD%jM>lRnwyCSBRfEr4mbjGwO*rK}J-w0PVer;m z&kz%`QJbBzkQNU%mU^C5!S2QOm0-cDR2f*DhXsX&3vd{j+khPje6hD02JNK+{?;B& zT2@)x*@^GR$x3w9MRL$*Hl--S=+3l#w`0%%;*Hh|OHo;>xRxWI& zX6NPuqX4f!9BIxX)~l+jL0T+oYHG=y?`vM*y5_?Z0zg_ zY|9zz8UUdo(UA+^o$5=d&c4Zd*1u(dmF>l6zW(;7qgaZMtR!=$ov8~Rm&^rj6v^ z|8REL&--a05uSwGkA7EO`}X}i*JTwr*Z^t=d4@539EewAD*&}fxcrb3Jb5gJ6wM@J zh*E|6S*ZXE5pL1pX&2Raqv1Y&Z}r?@$!$gIYZ4FSGp+jiwCw1M|9Kjv)Fd_dW7)Om zr7=y@?R7LqGopbW9&|g8BVZT;S$y&LZ>XWk5M*RzfSwlQ=flW@g! 
z*%FV{%Je7K_Tjg2Afm$sz`0wuJ^@#D)bR$|4S)+c=f=jz4}AG@uXGej6R4Gdr5veM zT;T8oOq9uOL(rcbQs$i3Ls=v>KaO2@%G{IxD*Bt6hL?&!o&-uiKqacGst~XAOMx?A zYxKy@uDGqOO_(#>f@v_4?tWWJ}m9D1c%4ov`Jf;d&XtkxiCaa7PHR8wlrH-9 zok(g<-K6b$-wO7!a1l`WR^8`yZ!#{^2W)FwYG!7pLbs$t?DjJze783H=IOwtugrzI z<6~o-re+8+0BNAC2Pz^sOP7tUVCd!$3E>PZ?&nt+sd~o&BZa72cCyGp`>AGc{&4A< zI;^y4{26+(GuPqrg!!8jO}(dAI-ViXKOfw_je@I+j*7xqR&H`}fC;{zpCmF43@?U; zbTf*;Kr=Kn6zkQycf3${+KcGx>s!)L(b76JOv1%N2*Px;Hx`qipiZH#Nu#SgUn&}n zmYvj;79d3U3H&@oUq)v$wD$I$cPVN_M3N`b&O4R=v#M`CX*^Navdm;Dc`bL#<)S`G z;LOJmMDWv*dH1_Hi(mo)x!119jX!@9RoHY(01YtWO#$vSC?%Hno(S538UyH^)79~vKy@iiF-LXD+!TM^<$-UH?Uy#k?hI5J`}adL99u-xKH1s3;1K%|gpKmxit zI;3v+#SkPSE?iQQG^b%ZN}yj%FeTGqMg4Imctpj35V6wirlz6-xEEe#0L;XALUOUL zu`wnBgpzXf`}d_j--XYVNjTzmJbM0nVSZ2n8(|Me^CwAd%LFUf?J~{QNdj zSb#1Trj$`zV2c6^HxG|4PqKTHKRAF6i1uADuq&w4OwhALL zWcDLE<^lmEjuzt5(?=P~WtW-5Y3>a5wdqR+QzPWWzfJ5x568yVcEYJ1W>#&jh&%~Y zEijS6=k^~E@x)g!lL;S)uuwc?$_52Ol?8X!-`^jo^nrn`HE#e40>4={Hn#h`R8jee zS76%VSf`|*KuAakyUzI9K44ft%(bKUHK#e$Ws-1yeY2H4oOr*zVAN^m`fSEi9E2Gi zN?L{mx+s@JK31IjU6rH*k{~+8U)V*=36}!BM+>Z1V-jE=l`q z_CpTw%xnLghJKe^LOhQN4pL3x#eeeir1us@yMdGJwHiE~`)TO0LBOj*=P`i$tvoJ1 zJ}phn3&EYy)G%GNiiex_9fN|-!679Q<)jt<_&6a+5-Lbo6x^Gnq@;{FlGc8-Gy@Pf ztSvhY4S=NDzn65r`b1C!ZbEAl2%k-ut(vD^v=qQgw1FX)muMt>>dai%${>j4qRJH5b+7T`p8RSQiP== z^_9R!SD#1BrzieuwFmj;hFMfI*>*TsmeQ@v)}on!vV&Xy1$lrGz;_oX7#=rl{W!r7 zMZzt|5ou{@02gd-y2dJzBau_X!yW+DfU~o&pP#I4W-bjG`uA}H zk@5@1(l7?) 
z7D0@{``ZTx)S6dmX-jlVAOQm0N#NB2PyyO;t3zNcl}X^E;9+mrZurraT`!$Vr`C(- zW(H17axu=99oGMO;)&RoVkuZ%zw)%EvlZau?{^{4`iFBmfjPVR&{Xo9InL4JxeyFh zb`-&F=)-~xr5+%!)>fH@^UvMgV(z~pa&vP#Ee-3P(#6~n2&ndD{0}RY3M>r0Al?;G z2`(yAQ^v7MD7Pu_pN~h1lOd5OeaWAcL)Z`J*`-NdcTn`-KhxeMV1FS;%s3Z8c>{Xgp0dDl6jR;p9Zyi%8&kVtquTpEE@Om~wU&=$11L zYvtJ30pJzT1%i$O@T8@srNLVkaGuD_GX-9Jwh`T!Px7TFUE^$QeOq0K&_W)62KV~q zJ}Dy7Hy`&z<%>^hHn}wv5pnF@o4=T}Pv>AUho(hrT--%O=_pTYsEW=@1(q#=khH8U z|J|iQ_`Bu3ztqr;0=qHGCxFX>&H^xmy(gz2sX{O@GtWXNPN`tfTwryoX$Sb{mNT?v zXiZ`fEbjJ>1uErAY;u%w0)k&k3ETUE)Qx9)DoR93;&CkZ_RBeD+aaE3QrBc@&C9+6aF6{V#r5rh2~da;CNBuY}~IoQXCo8rw5@>?-4oA~+8_M{dOh3|0e-k~ z8%sBE`F{xX5A{z!J~0sAQ3@ZS9jQj1{C&H&(YxB<%}ssr3yIyzBNvv7Mx(7i*0UdJ zyl#D!J~eL9h1;^{Jai$idF_emH;o&boyUaOnu`}C6jXS0EF2oDwIf>Hs9jHAHd^=cP(do2Y zljK338e3c|pSij6u)awCtl*3L`0bj#2hU!e(@wnMIP;61(%#Z5`al~#E2hOk->S%r z5|A2*)_D~H$5C8)4GTk9x5f(Qi|gjXwc=E53QkfNn|CkfE>Q|~ZkGQ^nLHRbGp;(_ z)9uOVcG(qZ{?sZw5V-ar>Yj!63b|F%s?+V$ClA$|@G$Mpi)YR$=6NpsOt#b|79&yS z+haGK*w@|-^1wkAPkptm)a@j&WS2Xv2_Z+)(cO)DBq2}IZ;ykjL`O?;WHGtSNfNMK z4lox2uK-!;bEJJC%1_0RXoH+NU3*fYG4G_$l+gKrXg zlHh)*`CZm_n zZ^Tvn>9^GnOTfi4)BC>hNBlB*{}eSlgWy{s0d@($R0>bOtkmN(&S^0Q zb#}KkMV#&Dmk5bM|3}xHDR2Dyd%b)-NN>U z9oa_#4LKeuY$sl2I$_l6FNa353^6$kKb0)|(ozanvH&4%IQ!dHYO~Uwic_IfkPSrp z%aW6QMR}_4CMYhVxUi{d2;$=Z4l)wrVB`IADks6675Fo%>u)RNmdG|3P(hW{ec@@) zx5w#ZKWX|WzsS5UuDdA~=kfb#f6B$oFZ<@b6XV1j2`cwXNe$jA4TO;5{uuSd6VD_^ zqQorC7pc^JHu$}^ob-(BQW?`blhF&JlEUea zGpo%Jmz#J6l=-37 zq(3jOVIQ@9Pwjo?=j;0PPq1+jgs5La4#91V3$q^2X^LL@22 z@o+&cyPXa$No9a5J8JP*T`vjR)L+fwGpCVHtS+fSeGknM`XA%wzXnmC#+}#E|9lMg z)3kIboc{Hh*n-0HGqK8j__$bKbM9$%Ouy}_v7@Zcyhalqv)>&9D;B}hUt*lSXf%R$ zZHuOOnt>EPzepO{TW#8o{WR+cOU(Skw8n!yG1Zt9<)1#1eC&Gd$X*TG=^`QA@U4I^ zWKo+;b;w?KQx6|YJygG_03l9hWc9wUYrO+5y80ap!hXD_yqf~sYOUiA-mHbJVon1A zTlu9~ac8oX8-?wz#samf0^d+w^~hcc3M?9TQEGv2TEvgF8q;3=L7?KB^{t#opwB_dIv;Gkfgo?gxB$Sr8c+YNLrP(RstsWO)}Epe(Fa zMIrs!wk^Nr=%M}c?uHoo^T%&y9IJd>>(Mx6!!X974bULFqNX8^Bu;S?QY=@9IDppmO 
zAs3@G4=g@>1cjnQ-2@OFpnPZ$|6(hQ0Iz@5H>3X{H*(AxM5||6r>bb7;qR`jYN%p1Nl+qsF#jplbY@lU}DFZA};SgV! zAP(BqO9&{Ov!5BIf3XD$;U&&njTa(&hRyBmBP`N5x!dhUs(B@K_R?Lu_&I>%wK$NA zfl4{^^a)XfL`0gOB6CDBTZR{KhyX%_ZtY_v8cPl;#_v_PrGSffPgfTk0bSL|_;_$6 z18$jP-TT^F4CfNc4Tu~8)*Fy?qT}N?AaHGUb!24^P)hjyOZfPQe^)95348ncMwUIL z2FzNX)Ilv#qE}R045qPBM<5h}t6^bfwL^Uz5b(p617J)?hjd^E61B86G;o7K0uJb= zE3(0H^sR#h2_R~TF;P(yP{3l6Zk|2EZJy3aO&uE?1c^VmN&=_?(oX^eZ!g4hT39Dx z0XhmaB580{ML^_cPxUH>GlF5rK_b-qfMYM<4r*|yYinP*eEAQ2^`#}S`&|e43-bJc z*x=y6tvL+;1$qUhxQC1)App=IW(Qaih^5ulzJY<8=^9{h4ELeS?F5Jvpc&0`phIY7 zOVmLnczm$2xVQ+o-^-U2RhF#kN1>i{n z+VzBroMtfDHZLuv)=pa+I>D`j_Rwh6(AGw~`MbJq0-OLi*4Eb69A)}k3^xZ74d$)} z@LbVxS3!zQheRU3Sp)c0Qc?nsq5Q9KQ5t^8CiK!9YHJk~6(a}!*w!2Y77d=V&|rm1 z?Q$5V(1JfhOBLY?P65#6%_sun+pl9|i|^97RtZsToSghdwf2cbl0@aw*jsuI_V%u& zp&-o#-q?K*(SlAM;%)%_G)!snKdLsZm;ss*L}5byPbyT*(Bz&+$4@%JV1AL5L{3A~ z2x@L1(*YL^EDHpomj=WL1cn{n!`i@Y8VBvTc^)1f zAt524it(AXPJsY=cz6esrvzvvpuaFkhgY1-bW1=p4s=FHprpLq3A3iwXbs}&Aa}Lk zpBDhlN}`4*{F=i6LoRP@;042IJ6YBa!bT+Z=$V=VK^KZij0FI=JNQH74Iv8hss2Nu z11RJes%qegnKrpE0EXA0vl$W+0+5L{yzK0*5EIi8hX3D5T@XR*D%Md0XgUt~q2TG4 z8>c5H-+S-?z}U$|(i~b%jVaR*;I#p_(AvhPMDH!w_(rq!K&1=z4)0rAf7GPKtg6+( zuT9hdmMJ3>2+!WKyVq?B7<;dWmm#k6$K)i;tiSIbp5n)Fa0sRIii@YS^#EFOhvLS& zp1C0Dh)bHos9ie^K?s2!TJ{897+~>l-@W_gdo~|03r5>N>K|nSBn_Vk%qob&yvqm^ z-U?>HRmq}JN5G2V=76Ri?hiO+q-13L{Y1b|K~0^SoUBt%cMnggZ>{*t$4ql^L z$Z$*jhvfz6?2706!^1;Z$|HuyNl8h8Ndrs?Xxjkvk~FocYWrIHQV3WK08Oi0jO{Cc zzD7pxL5~ic6X0vWBI$6Tbw!>;Y5?8Y$(^h=XaV*z03X5v1TQcokgV?MKj+}!h&tdb z)CF7z?lxR>(u)_b2JPqO=V5|^-u>+zF5r0~m_YUjj9(FvT_BBNs0!=T!z+76W%bq7 zWC*Z{z?cMYZf*h%6u69lXJVH2Lm!|rz}EoBkH&0#XuZSY3K>f9^h7k9uhY(^4|Z7B zs#gL%3cfDnLPMVg;CjHX$jMpN+U+f|3si>Rk&!p-YiMe&t*kTyWejL8@N#s7X9zPM zpc)vBIay(4{OE*^yP@Kj;GbM{1B zk%x9wJ^8=*Q$o=95;J2aOP#_BHs+(oqq`IWte`m^B)aoLNjdkNi=Z${Ktxkg`H8VQ z`CSDaKcnkebg<9?1P<;&p&=mSYv2$-up za&ght(0JKnjk5flpy|b+rlRr&F8tj)jelOi1ASLgqN<_6%gqgGhwkt{A+mGaiR!e& zfgQ|!R#u`hj0+etpd#>)R?~TDf3JAK4VkJ|SWe)3L7pU+%QRr`o~&#e(2Co@Oc@^1 
zqaOSLm_!98*n$a6_=`Hl6!4S4dl8~*78iwwa;Tyg{+nrK7&i~$Y&ERG>cwePz!d^I z#W(B4yupr+vNNf-X^lohy}jz5vSUVAA2C6(iHR^m|NhQ&sjsUWcM?rjV^2ZC@@Ux^ zRcu)|_^&(5z)*gNtM%;f!>Z_QDM0(oOig8ABtmygZ~z$oIlr{{Q+v6i$XuQx(bLek zq3R-HT^s+Oe5vMXVg&FqA^wrDM!y3-v>PGHxYgemGSy*!G$qajV6Z7?Wru+S*?tP_qz{dq7ZxLoR=$ONe${>yqgvM}|Ne4{@taJP8%^Mg7 zq2F?0YR)eT_^{KHodL?rVX#NX#)1KcJoq``-V6G(4H0S)IGBUM57_<${K#lM@y9w*-1%J^|iB*APH3gdq)Qpo_u(gJShsmm8s=tPCtI z^ufl=dB1n7@VlP!j;=27;*YpV!_Qw49E?ERhn)y$iMkISfRz$#ca?3{wzg+m@j)Lv z7UK?6;Q$-=&idA^TOJ-elP+y*^YgHz!}gDdfOAf6;NKFh;-uaMV7nJNJV$MTPNyFx zzm1_=xMyD?DXZHx4ruiJV)t=U@+ySg_|n_6kpe zYTL)x7jtZ5^xu4{RIt3V0{!4c_$Z8x&=#8Url_b8A#1B3tkD=7DY)>^_DXmf(BA=i z95{+A7wSUyz6Am+wNb$gAB(2d#5#B}IP1D8_s^q!=hLj0eVnp5C;?~)0zqqzV3`H} z6v70%iXpl++uFbvPQbP*ni@G!bI15$TU^EdMpr`W_71E(Aw)-?wax=ukC zyC^YbS=|WEr{5-hpYn(=%puD0ku!r2@l8Ki^tu0=u=Tje6^VAsS~6nIT&0yKfz&s+ z93{UXe{*vL+HC;!3|1P)y0>~fi)@WwY{?g|W&1jb(xU{*7h;Nk{hQLY_G7$D;ST}b zK`wECkpRciwZBGvDKe7cH{HgE z%X_`J7`Cj!5Bd3b))89aIbuiZc}CZqmwu(`aXb!6`w#d@)61h270HAT zJlGHMF;3fQKHqY;JbhDaVwDO&JW)duHy@)^(0JIMZf9@bJ-Q8~0OPKovqpq_D`nRg z7_uG_s?Z*y8&w0ds)1OAuQ?36Hi|6QI?;`WCR}rTBSo8zbxnL*Us_y}SLz;DlzWRX z76R~4@n+>%Euapb$b6~vXtMdmnxe-;sT?WwI;PmVLuD$er$c5z>tD;oaMS&9IMVEL zT`3<9ORx;FNUND;&6MKE*|U=}$zfBCRhrMZMbc5(Os|@V(o^S4l~sDgiCe4nKTrrL zCI25`jwh@{g6bCHl>*oZE;gE{Ifq@(nSw{L^z~odO?w%#Tw8$>4qN!xhff2%smr~g zJ$$a%KI#IF)v}ZlCZxEP63>_~{$hi7#*J9}GuinOLLr#;`2JPbneKa@ZpABCsi;h| zw67DgeHy{lCAxx-y_*qMB(v^F;J3}t>_(g}7$5VEjP9s*0_`+ZCGb_SJK4LsnEt*b z!KCGzu%`-XQA`OnU+`CXYw4RZ7}ot+Cxy72GL-pp)s-AwFT}p@e1ne-+_8e3Yfg4; z?>u;i$p*d@kmGF0@gqwj@!)M&Tt}s+#$uhCRlf_x8`Ehh{hbB$%jzkMNeAzzKf!aN z^_AHz!|2BuVOY=ah;Sj-f9m_rmtt>G=PwsBzoyuWlzl#*SD4%Utxtd7Ra5Cl->sIg zHhqipM`f&cqbms5Z+7ZpncBZ{7o)$RadnUjCBD@2F{c7S)g-ojb zp8hg4@NgWQ7&x7`nG8N{rxITF=$XC@h(2=cxas!VN#5~lMsr;6j84Aau)x_)(VFoN zj@?dzd9&r45r*}fb#W`FQ+t8yu@dOP8$(wkm)1p0#0{;^bJd>v1YAOzW@x(zTskjK zED_wg!EuJ-*w2%)O@N~)qVhh}590kM7YQz3&hm2yh7(jb zx#AvO<^qJ*-a;?7xVRXiG;g>8*-9SqlOcosdfLgLdym;`mB40G34^%k=i-4Q=TuZw 
zQL=D$gr+3>86P)yNogs05PfVHn7~E1U8hn9H4xb80o)+;E(;cA*kC|}mSSUqAxd5K zq4xgUpb!B>p1Q&r(ycB(t|Pe*E1$8N5yqR@u{(=Sx!~=p*HN80WMfs z*_HahJ_tqK*q{!&`Hv1JvJKeFKs^JFl#=t&ga3`q#hv9yTJ|ZZHs(jVLR%*H^s9iz z47*+F2S8Tq=y$HV57@$rhUYbC2SN`zJ39abY0pu!MsZvmzzv5IqpAGdcRWfeh{i;kciv$0_x*g<>+l1EH1IG1Jnu6i|ts_i_Iq)E2 zRIaF;T(k7--SLM424s2p!f(YoSOBHDKAx zlYlhKQcG|;odrKcm{V#>)XS1iid02aL&*ZcRN%HJrk^1S;s$J8u=@jHD0X!n$p#Vi)D^~_6)8cUt-~Q#BC+zkalf1CW;P_YN{5sFD~IZEAO}5@KTP&cOVF?Yum{EV;t_Q8p%m$& zWxq4ag_3;ixGoF&e+0IvOg8yZifI zVn`^df#4{j2|Oh{JUkpZ0CVi^-wfJAUDqMND4)7@$q4>n-~M7=*jfV_l8OxBuYd z1`IX#rW1gF^24KyL5m9|H1O1|g@6l*EeD!F1%+qEd~J{)4H&d|903s#&|rKex@h>t zF6v^3gE<9`m~rR*tGAM$djI%CX;q>E3|HXnLBRDwZ)&HCH`GU9(2tY zGl&}LVr`*tha)l|HuJt`Kie@$GM3@(?eZx$z{$b@OM*BBgFY}EK{cq(mYAQ|23ft|3Fr|5O87E7LswP@1x@nxrB{KSv02;$(6!JlSBS^QGd4H9XjD9C&6 zpJG&ykVOSu-A91$q{z#tZ+px3XjjVm$G1h39g(8Z!g zMfZ&)4GI?Rv8}|g5HHz$%FThy$b`?^`=i-g8##AX6GNZ9a#eyYSq<2(u#%gBZUJ!! zWf*+4u(qM$xH^9eE`~LV+>r9!{smfEte^0h;5u;SAsXy{7LITDSKNp|MRPgwP5Hc* z-j3shI~$($m&lURp|kc6qYr=g6ISp?b8W&p(L~)|f$-2Snf0--eg29286Qt5a`c5@ zyyKy_CMJx+Zs`~sXJuquMnJtLmBj)H^hdm!_0Ivpl4K`0~bw}+IT?yD6kYWX6#isny*Q^&en-A6AX1pf${ zCiC&|7=dOMsL9}6AZAhy1*g(H%plA&f8qg9%w(+tIRcV}8hDmP=)x`L0*DcxP$(-a zE5npRuBal1q#jRT=m9Cp!iq9Um0$_Ht}Eua#kWF&>H25l%E!UWHOxoDGLMnkV@)-0nyP7Mb2y4h}&6 z;2*iVe;{bZ9~2ZcI09-+o@7VJ>H>=icmWC)*e9xuYb5?OG!)HrEo6#J`JwfdthIT| zitQz*dFuau;3|YnSTwN|59n3DY_(&_5m)*Ur_=TaxaDRl-;Vi~Wco5SHE6?c zCP}Rj;kx-#-p#@uF#9Si^!~=o48Y|3W&or^UKzk=z#f7ngIt*yVGj2jNUY!NMR!Z4EV%k<&inrT7&J)@K~1TFj>0mcg@Q z&;1e;AQuo!lL7QZ$N?l%a|GBw=zqu}k5hR@9B(MhG(!D3)_dAVwG4S0c&k%;Exei5v@nPjoDsB>lt(uE#l_W(}s#?Wka zt3e~}d4ZZ?AdBprxMqB0LtOiv$lQ9x6Q!>9fkwH_5RJ{xOT0hA56ONlK!;mevPXb7 zz?@_Rg`z4O*%j6Z*ysVPgTKo$tq1~t2(Y*4lSy#0hHvk&H$mLBd))Kp4E=*6|#rp}AO zsU@x-Os`krG2qI7yl;t(0Qo17!7gYHLnotr;2D5?m>=ay;0R>-8Co6yKC35M!*(+6 z)ITs_P@-3Ug<;?s*LAH~Cgw^?=3mCSE?JM%c~8A?2tHJPEvS*sNz?GQ^SF?yTN+Lp zq4U41!;spv*dN;##~uGRn%StJ82A>caSt~vkIxOv&-Yk*X5IzzNGHvUm5xG5kJeZe 
z>$k1prnu~LnE2xGSZDCxsKSBA(+~lBp)0d8?SrcG+-tV<$68ONRn8Z`M!83LD0=hBa4YXMQgbBkS`+wcu*>AmQi19SyhMjmJS_SvZ>!B-mN{3 z54!Yk{6R|b5~A(BQ|a2`kNf;Y`$t{lGQ8F2ufFcDlP#N-Wia=DoBW|bSo=1h1)b)@ zKvcqS&*ANrCMfUHlIbbGw0^@!`Fa9(Ko{?A#NnInz^d`B`Guk6ycw|vfvnBHV-_|R z@48rj=BWH!4t>rh(>q2;gIoemlU2y3&_;L41>xYMGWo$FY;@=)-> z-_>7J9X9jaWlg!q2mYDQIs!AYchdTi7*WA7NOv@B6vO_1wg9#I01;?LNRqC+s%B6gD+&ev~lkfw-<>}Iy(;qe78_R=1CckIs(5L27 z{LYRw;}`l4paRQ&pW2Ic8io-8T zyM}gK^3-*4Vpe%CQ1`lPbH8t&h9 zU2);?^JVdwJoli-HT#RoE&QoR=Qj-cdXs(h669Z_xBRG7!pt0lJU;nV>71@zU|)Qs zEms^AH05;D!YXrjm1Cb;ePNQ}w9_gl{txzs9*?R^Bfs~utl>ktVi$3i;E#jlNC%UQ zO*6{R4?9~YsMZ$9e^5uA$bP0cb8m{_9>=q~S=FMxkSRS8&FIr_OmxzED}C#IbGh<) z@#EiH^baFw$Yr;&HiNILQ=XZ=Iw;3IE9~|jet05q_j`k04sGlQQHq>`Hj_sZe|D*V zd_60;r7GlcMBnF|Huq2^W~oY~ony!^6-QQjv3dOAhm#kLE+x-;l310VAkV!^H8#X? zT#R-9H17qJeEPw@Ef#RjASk93R5vBUDZ05;_pu?~&q{H>OYMk0{`0H|K24l0dPmmO zM#5j*_0=thrNOpTzEu+z*_hZzxGy{{crs*fcSp>xNP33Gyu)pe`6!BQn~>9=+?Mk8 z#vTp#Ag|{-H{ql9>DX9StA3Go|M+1+bF$uu`GbJiwr_dd8G@3gm0`W{uAk^wC!~~( z1wsc_hOUaH(4nq)U{N!%nXVnC}5k3_C3 z`V11S<;bQHS#)%NWxOB6LC{sj94ORBBPc|8b!F{*c(3wr_MSmI&0UC#QnY8fx=It3I~gh2ksTkDG~55oyxvZ)n4r zqi%&vOF{a{*DxCL3qOWE%PNZ|Hk3=)!2sPW^Ty*RNc2V7TjqUi>ba-0+2suJ_~ldRv1orN5|S{h?UrvZ-V4Vxv#9jsD+0<`fEC z)5i@|0h=jflMk67#MDy1)TW3vB|eVPpP8d~F4==q!tX=-z1UdIpGRWwo{67+<%6I4 zNCi|0MLlp6ir!8;SD5L%@C>C9j2^eXktt^Jb-0O8b7SvFszru~^`*CJzI{y^yDHK$ zx1i*0DY^g``}_A0rRpjoR)5<#rXjsL^!(oJ<_4cqpLJqBZ%UqwnaRNsWkZ9(Xf59N zx=N1AAzv(0Y#f#>Lt@J+NFO=friZ9KHj^~Ai`wrM6vE}dC*BUJd(0+IxKhU7RXMai z*?qIV{n_0i_D_q)=fG^h)}L7N-?J1_8R{G-AR$#s(|N`Cu0iLcTC~%lzcSv+BZ|r) zhKQ2D99nqN2n8Ote@tK_G*te{Cn8CI@vqcyA?APO6j|RI`p4}LGbAu?NVuf>Ps}(A zxosRGEfM4LfNM#2rh8NpguYQ)cIlPzwLv6S8EiqMX<)ydnD^55Tj50bja^1$F1~)q6fniuWF~ znFJr_Ib`JLr|lN!r#&NrpG!V}RDFyPxJVP#gScps{fyxM^>ruylh>rcVUaJ1KqTox zQwms3G=Fy_XO6T$d4{`>hv49*Ag3{aJ1RgYlj{O)Zg6_SKLc}-j{og1)sW~*pR(zO zpoe$oP9<3T$IW9@ZUqHk;sUVDzw%iCHUbF*kaNmc!otF!Xa>8nFBv!B0G3e{0JI5c z#Xt=R?qhRe@DF(aJi?X_R1Y9qV7T)jNvWG$1Dp$@VhF8PA(;mJLxB2X2F#K-I0ymX 
zz3Utbo?y5IH77`&jN1ZF!2u2q+&IyfNbiBoS4s-mU?RIZC`=>XKuHL06p62aNdujr z{c9ZY()-^*)&@c$IAVg2z&5S0?W;763u4;T2&JB7&lLEFlaohBMga0c34p!S@YIw) zxXwVA5WXUi`E@9uFXn&}AZCzKQNVPd9UUhi4ZzuX9k?4%41*X61WJ&zTcn+9`rtt+ zml~KJZ5~ZKA3(N<-o5KwTo?ij_yZ~EoP2Q!Oae7pYU<+7Q5@Ls=Uqb}x|C)tZz;gp z)urvUer5wKr*h$}FCDE4COse##F*Cs*9$Px)KrY>YX!ov0l+e=cQW+#J^Bc51v-%g znB_pu^HpNJs2+-^FbfJs#>auHfO!oL$}507f7!ctQ^1?58IZXa#X<@)E0C5+aB$cH z`2b$P0njSm8Mn&?g(TDyz)@%cYc+s|Ao~PvB^3AP5F7quCrm8P?@viFux&CkGT``M zw(@th)Sy^1Q(s4COKwI05fdNS$p$JN5MO`?ok^?z5jbr*$O*bN83XZb1}a}iM@Kca z&(NJ6$dH;Zt_y8Z|cb8 z4mj3bbn!qQ07^#}-cCb5b8rbU|ISR1IUmps7VsarbT(d*cIYotF-GqQR{xM_4dWOL zHQ;%=v>w^&>JC8#cl*jEN^;C0h=n4l1lJ1Yk0?ZN+Zguu_5$7MAmlnASbV9`5nyFE zK02D5n8*?Z7Ijxi9WuNi6$LzaiiekXj=WaCZ(#^Cl$3_NDd4vx$0VnqRa`Tp{<^5> zbF~z3M?l#%ka0s@hhjAy!J=(vx5#*Yhz31c>rTI9RQ}gsOQA;-wU8GNJO#W|ejc9B zeSIGSj_Ze)G4lf;5Ix`%(cBiq`jiG{$3`#}0jk~H2Vo3`JP1V_AOS%50o}6>1vuHj zP=>sd2M;EN2c$qN1nBJn_;nbT>8JK4XJ@yVw}*gn3doQkOavVJ0M&}j$Cy`vU&y3W zJ%B=i74{92Hy=&xg0G1v8(i3LUj;5fov@WlW}`6rIWtNCgtZbSraxZq#_f(A=l^6?EVPfnIF z3(sb0XTB$0Sx55+EO6%_U;>;Z!AdO(9OX{S#|2{g`?Vk%Ks59Ab%5ppM9Z@Q<_f4= zj{|JXp31!f?$U-wTyj@+$m{#jT&h;bwE`4(2|Mkiz8dIFjTjxsnF;3mO8@X`dy&}e zbYf~*2{R2ibKw@ygFkpgswk*u%JDAEn8*EoT8|UmWN}y?zO7o{d*z+bjY|lPt5O5c zwI+!yV*tb3d$@daj!Y`SSs;e%PYK#iF9;Eo0YwyG{gclT}cc`gKk^|>Xs z*#%g=W1`{tz$(eOYQ|{%pHW5OXOzn!idjp<^1on<47OOhc!a&{(6X(i`KrfCZ+EGI|L;xqO@4mi zvc8|1*nEw|2-f`N5qbf&wvoV%-J72Db*86A=|QR@=P1RYZ{qp)Y{de@1)szEa@%c> zZo^DR=6%tReL4jZ)aN$CFgCv1 zJ=D=MkAcI%M}ghun+#r?hQxv4*^?3m#?}mhQ-#3Z^qB`(5a=9+n_dnM%Zs@|3?J6q zn_y;8eOTLjva_=TW=zvS5(yj_1{NJiy};}A&D)8F0CNI_#${orsSvhy3oA2q$`tfW zEK6uHhJg4}ws~wt+HFqZ%~nq5vj|9H$;r(P0?vsX)7Jyvkj~dYpn>%xU=puhu0swU zM}nj0@|x-G;T~W0wmd@FU0nljyZ%vtQo$wIWGwOx!0j)Cq4#vF_wY2(Fa<+V-0}hN zGqQVS@8ZED7>v+3g6V&y|2wVYl{z0O23YI{=68-rg0MarHygAKmXHpP61Vi<@D~IJ z{wq{3VAX<65q6K^pYRP~Z%Dqi0=@!x{;CS{dR}W2$w2dpX?rU7adBsG+AQXE~mxUp|xVhO6^1|Bv zv~#2|NnXJDycPxFW?-sT|1b8S|KaTOjH1V0UNT!9z(gHNPj>6wqpDq{3 zQYO(mTb=vn8d@*9tWX+d_NWEe5Uc`0%WVM;bt2Y+q`2+Q4S3j3|5stx9?s+* 
z$5*Koofv8%LT-<>xnF9Bu%+d?<0zNH7*Wfij7ceuQ$jj8wsnr&N*9qb_uE{~WRL0M zQp(b@ERNigDY=~QI?p-h&))y{zR%w6_xpZ+-|y!FihC%g&RM^~3d_xP!9&Uq&|ff2 z;5en4SjJ1JoY(mb#xv->dwM$J!FLpNwBRaQ{dEiq#4$AyZPjK4Sf=s>p}~P07`qwu zvi-=IZlwvm>f!o@USx5jpH7iXukkGtphSXOB3uc;+iAVgK;Z#c$^wr^+{Y)5(8ep& zg>p9@(*Q(BAkz*A1kwb)vHE2oPM7ZvlgR*y5r3*w60ioR;A5qiL*qEC# zbZ%t{C}&_KPkIV|vGlxv$}kd;f2~X9>5+hM0}U*%I6V|;wWLy=Yy&?1>#UI!0KJ3Ov*BUd{ToD@D?R*s|RcfqYQ9(V~hxe}lSts>j8DB1_ReMXJ~Q zuD1Eyuy4P8Gu*%2%6fMLSPMdS-7L<%9pH&?BYg(OGCPUj8_3vc*k^lgc@d^pGq`+M z(^Q}O=&?&m`ZD$)p`NAVr0|wXrM@NyveLc7(q(p(#=X3AH>zllqM`it!HK9-PtC-9 zP2TXX2$7~-V`%15`)RgU5T1gHZu0E19*wi`I~`KSGq;^pi)->HDH9&7u;ZKjiCIY; zg4_o>t^&Q@?~HB!4%xF)+w1-*w*yB5WJQmZ9cMO62FYC4GFm%!osMXZKDgv?V6q|; z{a&KR!A+G%JWr_WMjj7M?=&8DW-=09E)f%R=1Q)IJsVH>L|y48uzWr z@E74v2-T+MZEY@p5j#ZX24NHdk|mm04GdvBL6zZ=#-pen;jcYE6Po?vx#pJZx(jiI z<%>68PMB@{tDot%!0@TlEHl3B$=B8Xuh(VNb@Dbr+UhziYc!yVXqnb<6>~U(=mNnC z`;;vwbg_{8iM?&{%Av0C2aEXFO)#$F%Pi+uh*u0}rmzw-Q`>N}gB?*n*^(c*>@`V@ zl0y3SV7yK5=X~mYWlNcjYE?CwiW<&aW!|$8!sYJDQ{|-=Oo4~{VXt#J-6ziMH@z}= z$Ppnu-TkoTQZ-+thR=1|fM`Z$-clKBON~xeK*dTAKyYa*Wno%=v=9{Qg2s%CGV^d* z7nn>#Vy3yPTKd{qEm2L|Ynp3I*Y+VW=KJyKEF#jofGMIXz1n)7mn^a_Zm4>5vd*2P zSC4(u7G!#7((;j*HJX7?guC`pvPQz#oU#!)0x8n`zKbI%$P%{-6O8lHs$Zb> zvhR(v(o$1U!C*6!)IwLzzJDH$?u4k-SkZ1WVmikpFPqLs%aS*)SC@Xp|1r}y8wUR# zoWFJQM(WkCLFjbMD7{*PNRd^SoJDx9HIol6`XYTE!dMb1`I@DJ*ZbCu7VP@82sVO} Rj5+BCi3B(NJ%_-gzX9b#H7Ec8 
diff --git a/fast/stages/3-data-platform/dev/diagram_vpcsc.png b/fast/stages/3-data-platform/dev/diagram_vpcsc.png deleted file mode 100644 index 2bbaad0b217849d286393d7ac1f096d5f28803f5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 34710 zcmb5VbzGI-8ZY<)5+WttB?8h7(t>oyrc2m#cZW&{NDD|y!=|LAK_oVt6p2lWC`fnL zy!_5NGxyxNb7$uL13vrBwVw6lcYU8|O?3raY)WhZ0C1HQUupvYDlq_{Y+#{+XCT*n zf5Crfo-#_hSXfx|D;ht+pA=ql23|U@HeSB3Jgfm*7guL%PERWjYik!zJ6Eqgv@S^i zpa+y*zR>l{-d?ozqMq>=xn5VFU-F%(ja3I81U`QDxb7*UY5OH-4ClP|Z(=3)Y}SEM zc+@)|_3N{wX9)FQ*EH#025T5&4;@v6ZswA!mZY^T_a3~9mjhqo~ z@FFoNB#JI9Cqry(lxw}m+4JGpQ5b;?R_dG91r+*lg4RQeLuo7qT|QM>EQWC9NH`ip zxF(#(AH2jy!HgeHAoJ9U>(Gx;iHVdUC57PO{D2=^NLdi+F2C54?a#eMXaeZI-t@4POpmnVPnlPEC~1g``@`K}aCzGGPU* zF$IIga48sgU<1SvoPJmg4F+TeNAwrsQ}ePn*S4Gc?}m=*`7r_3m=E0T5~Ig?kpU?l zodY ze;vGE!{1VFmo5dE(opMqqL#7oW+|!R8cxBCoE%e(MV8Jt>aM9`oMtzG))cN7pK)o{`}!Um>F~*X+s1_HN18L$LyP( z7wg~-wH#|@GWm(h#RDwNXg!};W0+IQ3)jHS8xU35z601KLWY2m`^iU?OaLe8>w;^1HkDP*XZCg2+e zgT0}D9~T!}z^e4!5)b|-e4@6t^R@@dR}N?ba3~u&&V_=4una|knj(^*fK{0-XLo0(8R=ZEYNKvnSCA^NC7?zm1KI_XJsS@M zVr|GAUcg##!={u>8a54$B9LL%w1>YPd>*{7pBVD6jNtE}*OLz%FMNpmbJu41COXwt zvPCJ|h3e*Dv|}=C_$&|3M<2?KeZ}L3*yOSVvc~XjpKW=Wbc{JR8`{QI6)f)!=|Lb` zAM7}ME>*{%JY_>Mh(9Lvt&6Mfp42QcmI9I53V(9Jvk_me2$P$w#ip+wG;t{t5rwGRlaW6b%yhR1pt zs{Ic2&vWoNA!V?+;HH^9x~#bos6fEbf=$ZCN%N9AvknJBJ3QtaMn4O)nCq+=#E=3f z;$5ttWR59g1mzK0PqP`(B4r6VHZz< z8BWRMk z5Q&gqy35^(j4JBQDujJRrK3>)PH#wTw zVP|mlJO%zytt4}ktzv3!UUE*BZfKnTq5BpV z|32>Q^fd4JB&WcSvorkn2^v3Ut~P_0g3Puh=f#91UkOn*U~oYoDexajPX^9Ssyml# ze^7yf$Bc?}gt6tQN2Q5NL;Q2s$@@ReknII)5kEy7m5zGx3oOpgYMMfx#r#St8~|O{ zNkFi*oWBSmd|j@pP%bU?C11}`iyIRqUexNrH{AKAfFbcW^aLc#%xJN9VEnX0en=E& zeJ-m#Ae{sNT#Lyl94@V4-c;x!Pn1&FD>1xx$nGIb?K9=A%UB}D%Ct&!o{P2A} zKZZV18Ug^v)-lc%PG#r-+#>B*5|a9`Z-grcBkyfP;2<7*J0%M6?vVqVRGWp&yZF^1 z375Os^KZYQ`QttA)C@(19aV)LYLF?Jd;+Wo*yz!#UU2Bw4KE`O8|Tp|B$R{wh$#hb zC$1hgTcy|58{(3JG|^k5Ag7M$Uqx4{GvKhcrrj}fsz*}eMKQ$~0m)1UZxV^Z;nF+= 
zI2$LILqmreLD!_NYH?Ez8Q9-ln(=WGm~`w7wf^GkNj5lyPhW67^I%K0d_HO^4eSl8?Bz{ui2%BQ;GN=he7p~+m-AA7`{R#a5R5MBKm>E(+fsh41X!XwO&I1? zFI*Lwl7rO8?4&*CdJ1Pb(Js&E|!;!T7^9p^&jnHh7N=HGPH^1 zv_3cqWhobzsE>@le^F{>*hH^HHC@$m)T9w|yoR6dFD}~QvWXumqiC9wzWSv$I=ZJP zKcg@Z3@rQaq*9d~tsI`k2xW~FupYK#vywIhC&PHMcFklaL#+nPTByHS8i~Y! z7IE~`6rHEB1>`DBjgf-k1V&oQW&UL!@Qxvg6sU;|bdcmI#(rG?>0)(jV)~c7gyZF# zSA|v(EbAXuDAspZ(f#EtLW|dbW-i)S+ELLZ3WutDpS`qlw}KS=IK-4x>N)D@^#1wSD#|a&-<@@FbS7C#40$mSKW%uciw;w| zGSy;8)Qay1UXlPNqQ4s7%!`M557;zTyEqoJ!b+RFTrJ!f383Wi#E;(4gM&VC6r zCaniu)x<%xB2xe#Hy;jBbYGC9tEY~YHzWcM#R->rQfPG%WR~_vm)Tgyba7%y&ulG; z=~>PQ4jz7N!QdkqCcfSBkq+2Yylm)WiTYvsJ_*Cc5iQE2Opys^f<}oqOQ)t z9bg< zxLz7za@1D??9;6;`?2)+xG_VBmalhlwAg4YsKtUW%h@EG*&4}We4H}<;=tQ7gU~v#?%){sF3@q;o!_evf7LEX zclTG}y*wJAdg82@%!I%u_-W8IsK~Oz0fT``(JuAM4VGuKw(YKzjFm64i&m_Z%z@xz z=&q|2YITA=a5fTE)6vm+;@(XnV^{plIkH9B-G4pK{xe!&E917tI=@yieZ^2qCMFmm zm55(wj7dR%2B10l^s-QG#A91#O3*uo5X;qumkCIC>*v^FrbS%1R1(X%FJP({vTly= z4^9xVEOO1j)=IoYCl@E#**#P|pCI@=ZR;I-!qL_xEc8nKI}{@%z#qCk0am zD?jlJ}Ph?)aj2{X!CWowOwD}mpq-d3Ow88^!WK5gWvlnA^684$s(pJHkEEzE~N7a z!?UH+2|+qsd>%wbgcE|)^W)JUN_S2}Cw&|9l5ufyac&b<53NV;?z-$mwHPbN%LfDm zfPx&;U%MDBb7uSh{ay!J;OBwg+}zw6Gpo!yFc)>aKlmx*Jn@e&f~u;jXcN|hteYAe zM*{nsnwoxLa=qf=$2Wmll;Cj?4!_y6{DbMqo40rIriH`2$@LI644dr0 z+H&RZwVJj5Il3?oT<*u&28Il-KuWeWiuO^C{#GQ5C;fkRGCu-R-bWm zn-B4fS>4^srtnA6j$&sYzd5}lT!dcf{aEIC5D&5_e2DfxYCc=jiGCMmv>`b}nrma}Err6=* zsj=(+UCa3EhWl2^wZA8j$a0CJVBYn%gMKQhvz9RwY339P8k*pXKj~dZIeQD9V-k7S zzgft{eVm-O4+iM&HubyazJIU#=xL9G(Yr2ncaeNJ@;zWZ$MsOq9R z2P*p49CNJ};fZo)ymDGVSi#x`q4E9>F}J^qee4|{7|7y_Gnmdb?v6Darz8+clCr74sL#9M0K{+4SLd6Y z5q~^DyOd!|^=MnnyZlkwAz1$_0H>R(zzYIzlG`5(6g}}XzIXv!; zL_DuczA$CBRA+2X?qhQ#ZXjS{D(j9LNz#80tlDM-wWOgJX;Ff zGj{Fp{@IPvws^aDce__#J$t${kN(0B{2WpAOHBFLRoo1hj1bm^>Kj?n~_XR zTEA{6AIbBi0@fol>=y(f;G*x$Hz%z7XN~wwstGT;56~Fpp8w$veTMZF)NXKGG*}OA zPhIcyu9)e=tLfAC510hhT#06R?YRwh_O-5PFogY!Z5N0vfrmWM1e_vj# z!kuB^kIKaun3!~d+qEF}8buqxnm5*U{9Of%3jx2A6dJ_6&i7aLLeAQApi<*`;Boipa4H@LzJKfOfLj{~C!jPTM=k$SWVEMOk>#-h>a?vMFx 
z-};d~CqtHy^U(THP5a>xs0&_4Bf>L3eu#r2JOf>jZr%V{*STEetA>|#E{mcm@MDDe z?IHK=FK!M}m88i7@jFn|t&1*z0VoA<$nBwbA$enGbB;A?>gpjkTjn)YRp?eMy#YFgSVm{lmEuQP3 zA2_>T>cEIsA8SAh5zTQ~VoyW-=>(mV!;E3+NuG;Zk&rwQ>+Fj#+b(}WB0VJ0WM1{C-ZLlx2cX! zz3Xykem(;PQUQapv9XQjN(6SIExMe+Q&`M{4*E>E)(`wD^}vg@293lFVnWN*wCX14eE$^$5+}df^A@wz$F0SLMLqiqIEeZA z`8@x%j6Be^z=_&9Ic38tiG4u_62B^W5UruwA%k_ViJhR99-p2%#5(41&$X2B5dfb# z0=KG~Z-28$MavgX*a;*l&hDIMBdTfc#@gplLHbp$o=`Bg6lrza5R^TI|b z2LgfEw=D0Skv*SSxJ`JAi9b|FjRme(*lElujfnqYQJT037nu!Sc(q-+kpKBjNIIgA zM^!W@oL;N<78u*w_B!WhX7qoToG#zpEJxwdIJmm{wk=9XNX#9*ZZun99JVSa#}HYiZwH1Y5P`NmeYSiAm~O@ldwhsBmdo-e~ogt~r+H$%0>1P{0!yStEzt;9Fw;auy>8*~6+ z#UDW%D(0<4S|Gw%sM3hzEI@fvb9c#II8i3J_|1~HZBa7yIg^rT$o07w0daAMh&Kl? zJZw;Z`;!x*pfCVxsja%z_TJu%O%EU)7#Jv&mE(^sr**p@C1v-DTHJ4cw$=*V@G%XZ zG4)*p%@lOnb30iDtoJy5ZeTx{k=fKEL6_&c7F*MCN;%+Op;yHwcw0VUmnpm)G`ZoW zr>hI*B<|G0j$2@+eRXxEA|dDgDA#Vf*v{2e%6s#JUhyP|hDqHXB)p;LaJIn8M-&^3 z$ZoagIHYsCcz7I+2roYXa@WDM8IMj9M2otv|8P6v5_58Lx^~^1g8t_R5}Bc1dLQa= zFiPW3{KUf(_09Yv2rO$2GBY!=7`kpxYW7;zX(M0VubA(W|GMSU?*Ylv+UBJIFrhTP z&nRFO6_}WqdBLa1a?0+_sR}Trgj`PM9g25_+*~>dU4emet@|}vV`C#%`c{tb(#G!Y z?N-G#1bvfr{6 zOb*7JSHbN}R+Y~4rH#6$fjrA#lD2VB9AFK=ZzL^o0ru4#p1|?#>hL&cT669(*G*lB!>Hxr+)tj}mm8 z2D-sy=Ny#CHYkA3ruzAv5HPE191R-*128B+Fk=JuM_fZZ^~7$MZx)v&j=;f!rJRt; zB$RIvjPgcL%*s2@`?&Al47z`6fIO~$EcEsW^pxX5i$3$tz&@Bg+(%bTAb$0J>QYzr zQf*=N#QN7S>$&70kg3revC!i}Itei4oWqmM+q<8K?z*^)U7yi!z6L~VvV}M;{sUCn z1ly&#_pCAC#>tAC-OU3KvEDnQitFFp-1ILMH4g(dbi@XXb!wB~^ZJ`xTXcRuUzb;sKFaSeX4Jj_sdPUz6g@&MmqUeTD~dS0JXLyg_`Vmh`r_- ztXS?25<-XTwg(5_6|jO2cw$mwz2OlO!T>-Ioql}5+NU9Krv2b;k0ECoRz3+AVYHXG zH;VLu!Y?x-#5f)f&Occ?S?7L4f4}@rYG-Gs0$uQN4<=pqB~gfVrZVm9+*=S1<=W9) zB$26T3%Z(LzWu8pWu&FW%gcKJj^W45%vdlr7FY`QePK?HGOM|p3B8#Cebo%8bUt7f zJ--7c8iBSeR?MztRvM7H{x!=S}|>sF=~@kh4yUG*IXzIG;S4Y zN^m5pY}9y;L?PVb{wA9PJK$SeWmfFi?@LGH%z==5CP0aaQ`B?xh^NtL_QV$Jovan# z4;4HF^Wo?rV@#WPgJkA*(y`aqCBC{V@nCWdvWL;GzCmS3# z%DH@$UB*;FpsyT~{ZxiMFNe+TcR@0y(EUW%3~Mt7z{=|;zD*Y|9A${3^)FtC~({oUTauhN~JP5)ITn}L-|g2X8~U{~=ecMKJ775x^x(F@XT 
zd;jLlwWAAK|KCaIzW;z4cA5Xw_{MI+)c2+J{{)Pz@HPCyb@&HDVM9(y%_);wXO@IX zp84rM}>3t1*cqH<>O*;5B9R#@fzzccFzTpNXht!U7w>Vz7B)Y;05f z<FJYah7b;)`nInv z=a?~hvw@;nznVjwo{X48wrTTa9-h6Qu7)+XRUtx8V~LOPA0me<$sWr2>sOi05j_k# z{U%mpOUPS+sJ~d#;BsD(J0Hu9Rz25uZPT*l;hI;Pux@yO80Sj05D(lx{{5qdLnYKt z$5}1)Mmz6JQG-5tQ1FKcB@DFb(TRy{dS^S%nyN2{yPB~Rp&qQirOy1WmBPX%zc+c4 zsBt@}h6jvBLp8TB%*=)5l(De_0$NYy zAU}?#jEJ>JAJr`l<~k;8|9B}6gvC{nkUqk!OCEk_gVq)TLD$rOl?AcmpgfFH)3ZWE z%4g;_nr@#iV3yNTDrCA-PA9ND|tX_3dxbOdFz{A)Gv~$M`r99<81%5Mm&;z^+_VlO$ql zgKKe09?`vZ!c~H_zevVJXa*3i^SeLS3OGAI-?-gBjcep?UnGk;h?|OkeQ<6nTr;%x ztvTU6w*NyQD77i8=^RUz=DCD_yYTO-&v6(jFl=1NDZcZ`h$;XpYWE+M5(jrqJK~YG z`6W$5w{60s@+qi*_?g4m+*%z`Fat378~bkT&i6VcC+-g|qORlM&tqDAw6NyJX$v7h zT2{f7!;3?N^t5p*K9`1$>Z2P()be$BO;uB6|6*W~)MF)-u%05WvC!H^AfN zFgvqWtdm+U+mm|yK9Ve^4I60!Ev~ zcD`?4I{@s$=1#XnDIz7VHy>r_wtt@y;9bB31mmhWscPD&>Clbz(pS37TM!R`2_~tN zAwMQlW0zEtKPPXW0B$#znQKPtgV4jD8`0&#buHJY-h$TZt3O}<+II7@c^x&Xil@Ou z=|C+uJwt%%N_`AE;%PyMPb?nbVxYfhu=T}179ThkU3+32tRDNye`&*GsMr&*Xv$SV z%g$XD(IYH=Cpu9Lal%q`b(QY0dJU?Mxl`Wl%cD(0p3iV2z_NHhfCk~D<=y^3N`&HeM4#+pv<}aLRu#kJ9yx--oCS>rM0P; zIsNfvJg#b0YKF@Crry=Cj}CKEoN7PU$x~Cp+MnSQmW{3Aw)kD?@d{ZpuFgiy5gJbe z6553uHJB+}&6=lvxfQP_jsJbeMAC}iQ7B9s3HEgJva7svT5VNhj>QFxrd`1h z@JQo4YK&SKxm_XTB0QhdE5Xuh^~A^?>7}g&)whm2WzSPWivQ_^(7+0g^F*NDUpDn! 
zH6h;nKePby=Yeb@q9%};_S48L5;;jvw;D!-b5@P5K|Dd-Wh>PQKb!0Yb*N2fI<^BM za*M4UHz|6eCqc~6XmlU|pp!w&a4~TqR~12EzuZZHV63QaZhEtyO+Vr-040>Y z$o5mJS=T<$4V*CvB?5GXtCO+)dAW%nye9Zsnyhp6qp{{h*Z(1dMAX?sBu*Jy8BCX; z ?8*mQC81gDpWW57)maDz-ys;=ehfb1gcRiUg&XU{;q_UktIN(kpGw}9U1gyk1n z4U7oj6Msh5w9|vIgB~-8mXWYIKEQBiA(W#FMb6i?w&p(_uzku~BWzd)_v6Ys_;Ef; zyU48);o*8Sd`3t~lk~K_+Syc1r(*648znV94t|4^h(6q)(VnW;qufs9CmnH}VaG(f zxIVclS2}|~)WaX(*(}khTD7}(^?(I$EdYdn#C2jy(!o9)w&KLV10K}!oW!s_vwY!W z;AJG6);EYEEu*JG;eZe*eXcp<4 zsXWX+STG(B`IyQw8sW>EbA_;jS<#E~2Auv4B$lIkzvhq0(tg)T9QjAj+}G+ZTDBD5 z>-Dr~gZDsX&QTC4fWyoW*fnp6hgP#`@Z!jgOmZt?X~B=jKw=kLo?6brRqIDGRU6~n zF(549c8nztp_=o7pn(4)U-ZZ6Zow_nGFaWu)ED}#mT)Vu(gtB4-$ifz0~F(8t*OZy zEnr`7&c>OS$`DYreKhA{Zw58Yw3OOkrte!v>EPbL#3w~ zwR!ltg`=gCAm_cFFa$-K<71+ApQZ4~Ciy3dOq;(!T=;CjYdiW}vX@mXR$NsmF#q6` z5oZ(tqDLMNw|?x|H|OFL+qo)*vpJ=JBPd~Exp zo%f7+Ga(~KsK8&GR)HdwR!VlwZG2||GTEOlwZK1pDO|I z)m@T%h$b$#ylNoeO*=jA`#vy<+C*!Hk=7hRL(k*To`4P|x|2XwCr;mfUiUF14zdzG ztGGu#_K2hRfkH2!InSq&^Qp35;yLxU6mOX@RsUtbH%7HX=OrfaVJaKmD4Swl-lF*@)hiw0n?r7P0~4lEwcF0#hWhQ_V($c*V?*3n63Z`G-KQj3uusP zwNFC{`y?ge*;xX&6qtX1py=_%_5&&*KC_x$A=2Ufd+t8L)=FIxXbS;3?O+K}45QAb z|N7)R|CPVS-18>ZClxaram>I+QA4vl;SZd{k-c;7RlWQc4>2moo5o zryHz5cU?B?Zww8Z3J1H~xvI*3VZY6HciYbZ#eqU}Ui0~e*(Bs&?5{`d%X^q%ztDWr zT`A`57|B%DR55&f3(01xT8&K$S(lp(p)4MW(1^j*ATH=lCGq$}+ z1N>@3+##Y~7}a059`m(yE3*E?pTzlN z3@P*u)}MypC^Bwfg1@s?>)cXMHcQE=D2iBaO`Ki`IzUcQ9n}auzLDB zB`TrwgpZ-9y=ip*yQCwXFT{CrjqQC=w4AyJ8_)6xBEjy zL18$|*ATvb!I(w%4X$N`XRi9t6JDUI70$ChXB?lMDY8V>Y9HHNJ;Z>(4(>#5z}VLG zr*Xox;a)9@V>-6j`$PpC9CZZc^yM)_qZ!@2S0>4oFxd3tx=(LdCjQ{QL-g`aI4&-WzGl#ghn{g{?*-}SBV5+OLoHOhNdR2lAA~1 zEscc+BZU1x~o_irMvg5gu{OUMC_1G)2j!>NKA0lQ%oS3gR4%K zE8cFlM~Ded|1az_;S5ig4JVv(%`PpqKJvK?yF!xSFxf+ee~_1d_j3Ff<)d=et^%CZ z)y*x9n2(o_50^1G=y1JGOTh$i1ATXQSCOgiKV$j_GAZ%)^_2p-9l-t%9SssBZhAfl zMd|VdHIaZ)vj-8tBn4VSH{pMTT|yCePo)3>nf%s&(3bzPv&67g62EJC?5KTyr+?!9 zvJIQwk>BM;sqfBQG3PUIK3Hl!6MEo<63!mJ1~K1VlV6{}lT}V2D9Z_c%rOoQbpWv; 
zH(`@VAM_q;J8pE7NYeZkHwq&VP)bMnSLe!q&(`2@76hMf&X#N9kRWsvUh=Pnne@v& zySf21gSuV*AtoTFr<*>abb&Wi<2`xugsct686>s*TgYJ}{|xHC5TsV!|7w?EpI)Ds znj(pQ2@+PwCU5W8W=^Ye4LsKf?q`CBbu0$Bgd`~cEKKIwzeyi`nA^YpC1mS+;>#{5 zxXgQkhdpgV>G|d#%6|#9WpTHU3ID%At*okQK)qwjBg$>ZL-W@kJe2%Ytds$gutKkN zv2aIXl^+NiR2g<+F4=#OFoUCe&2)a4mfx}0c~yt399T8{HGVH!T~M}FGh3$rNZOPH zYwU>3Q=CP?{&~CZgvlzj)uf0fT?`vkdh*fxcl<9~h74;b^xAy)K(G?TkwFO0r0Krd zs457gy@0X=A-p6-D6-%M2;9lB>K*N01OY#N+S1v{?-$JwG^9Rt!gg?PBwd6RJfn~P zZ_SDY*Vgu94ZTP&HG@}i_y1C%@I3#Y6bjr|X#9^F|6_`vX}#04WtFrbi`uNFU#Eg0 z-j)BsUvpq|pME5kh=uy@*LRG!hbORmu-y|q(#2xfQw!?N-3|dD zz{~03+ZT2bnwwjr%^+6Y2)Yyl)M;_O#G@&3obt!2v}CFi$fJ^&M`CGMs1iJ18V=|i z2w6|O*DL%v2=S)=v7G-^)78J%>B~QQo=j5V4_YS3OyacZ<_6WFqL)yW@Y^&SD4wIQ z6l?ctd=b>CKnEDAy&C(IQ_$V^5)$!|9eP@ z^9=*-VVhwW6I>SZ0)*fp+?{0=W@c&e7^pg3gfe=8;#-JViGj0`q?I=up$+-&Jzt-Q zFVo;>Oi5u*n@S!)DnbQP*@Vsgd3mWs`27aL(0r7Y;}BF zC)t{;iieeC5$zBBWS`~8*4))kHyKk>Zi_CKYnDmTX3gnpesId?@y^oI6&yNZ$W6B~ zS#Rf9XR>#xbt!xdShi3D;eND0T?DE*DL+{Q7JJ2(h8Ht6&1lkSM`gw*mXF--ClW0=-hW1G^E&O z!kPzQF}WqyVRrT2hBcuF3pfC`L%$+91SE*UxFI<%GI;<4 z4X=JB^3*7O$}NahgisY0bJ-vLN=eVf(0tisgZxpcI$i|uvm04!AUdPFF{^2w^w@1@ z>e27<4T>1$^&@n-=R^+^msuUPsETNc(} zFf}kudLberDOoST$@x!h#83P%Q_?)(WGrY7E;@^s&Hd+g~y!reTfdsn-@`LT~#Ih z_B`3x5!dCvFP6496#e*849&F;k|HDD6nI_Suu0QrJr{j$Ke^E~^JDhp^6ly>FG@OJ zTk=1&NH9L^{%U(Qvg$A`{1`24Yu>>`$SPx`VSO?8HoB~4*hj;*O*1hfsK-SJ_(lYx zaD_<%1LHX~X7o&HqbF+pq-?Y!3B{~RT2MKA@4(D#u1e~&M*>o^9J>6OA0p^{P+0?iYDHJH(ms_MyX!!}xJvf{44M4XA#26HNm~3aM|%apUf8QxlPFBCIQfVqDUyBbF~9+u zboJYC<{pQ(nF% z*l@_{L1CmytIuDB`bx+R1P?v~iI1_Re-282vgNS+?vA4dNJAio$xjVyvreQ3|HNG= zv#`g|D-kn@W~#rt5RQs`pj5Z%l_7(&)HOdUkgHBZPFMPn*L|T~VwSdWB2P6pP9Ejc zFqDvK!;hZ8(hzW?QhV?d$~sFGM`@T=Qf62>t|b6KL8!Ip@Ph2}vP5WP(=s0m1(1W( zN1y^94eF zbWipCLdBd=k!LtSzC~^m$D0I=!PA5%?;Kur^P*Lsh_Y*?ep+74Q3kXnq8J^e!z(-f*YB& zxw&$)ZE3N-H_hj6!jX<3eksul>d7fKNF%ivond^sX1ut&1#@KP+W^&c?|uBVk+Tt8 ztbNHNg#v)e_2hT!KLyt+wcaYJR#Ew?rE_6PcY_*_`7D>hx!MCywIBG@GE}?>d=Kgj z6&E6ZhZa_V3iwG(_elS$N_m2p@`}}K$;L&1yHis{gg19+orRx*M$NUdEd0#1@k#Vc 
z)+}6`dYzij0y!x~tN9iwz2(4Q3}5y;mIp7irjW9~fQ5j!(;8+rLTF(Ki=t=Bdc@B3 zX?hl-d35gvDT=jKL zaXcUn4-+sD;Yvf$WRo{oDX(tY@WPRUgKf!b>g#Td?p_`qsq;DM zMLmAkX^|MibozAJuR~BSI;9+!@Rig0b_kgAc!nV|2nq&g1wHBrkGd+E)z%k5pt(lNZ8m*6qwc2dbRRp zSFwnN(47(oNQAGWd>Ywd4$sEH;74~i_7+srx*8ZLY{`yZ#jX=~6yTJ5=i`(CFS^;} zrChnuYFF>bUtEO~WADYs@e-p085c$wE@dav235V$-&UfdD_N%vIMxH7G?H$Ctum_l zpyD!SjMZ>**EG%np9s>n4OD^}JUmp;tEMv+eT8=BH|c3j zJxNKiWlZ9$M|S`G*-=5T;(u!yzy6z*GYTx#INzwI$2M5)ZbkmUQX~^Jd&;dW8j0c1 zDkYnB`eLH~E`U{$4`BicWnvQzT+($KGJE`z;P306SRCm@CJFww7;{Zx2&A!V0PNx> zk@I~VnuUld06zaf4SmE0%S^ZK&9+!eO<|%@)1li&%R1{AjM3Ko&{Fd#`I|OzhoRWN5d1B>I#pJ;2Kkc9Uxg2nu@w-H^2BdT&~MA%Mj* z2iVgn0uNrWTg)!Th{qEE7Kya?^Y58ia{!4pj z|0y9sVo>^sjRfr&VN@j8PFPGyQM@FB@gFV#Ma!(U9ms?H@2Uf&GLY1G+Ic4p9)z~6R1Yj{DkTBp0 z(v>(t4|L!1Ke^y?W|@rn-$^Q1`Iyr8|6z=bHHvlqqseFgJc+dq%~+?+spr$vlrgfe z`6{|TwZB)+uKaUB!kUN?S^kBoScNA)PWN^M`h;@&n0aemte~;P&G95y^n$dGRRn%`*sQA$NgCxKkP%g4=f(%UMQB+Eo+dC2JX5LZo|dS|C4cp#2z z)W0X9$X_y38MWKZBALvCUC94iO0-n_RlET!xY^7KazA$BakIFJ=;i$F@7e^dtt+Uq zV)s~o_t~*MgMW|6M$Z8uia?Nh3ugLYzXw7c^5nqaMH*roFVh-@K0~<{XJp(R~SZIb0nC44#IT>rG*FbiHp z(&@DH+#Ltlz1>%+v^mP(on*nhq=Gq$`zU0t@7VD7@nkqP(UVXM1@h$-Jj+BSu!g%d z!Xsovl0LD*hBqF_6u^JKWEvj#3YJTqfTD)!isq1bxKzXi-#L6Ed}x@Ieza&R_Fmq~ z*m(X;8`!5}XGrq$AR^c_S~Zf9ST0GbB_yiXCe-~-Qs$ijD{;|XSBF?a0!*9?^EMlK z24~_&@;`i?7$HGmsQOZq*!hL~YsNw6iadv{MzcVv8Pe?f zoUIiTCY|@9T~%?hydWq*)JJaL9TsIBR~t56`>7liFS!)!ZXO4q{7mx~{_E)hHfwmc z?l1y_OoZR}Y)Rt{TTw&0kSiaJKIuP81$YYmV!)Z~qhsi}_NKG!8n{_Csr#O9Z@75g zMY>jAAOBqe+a|CgV>~?(G0Z!XL9B$)ngTf`nw6DiCZS&*1Mh>G-+)nTM9S~*{6hT+ zfOURt4LPd!&WKXaapLs?!l2}-ukAkWOW=q1e;E1mofX3FQrY4Q=gfEeGG%9>zvz3! 
zDLk4@f*sX%dByGHZDcx%K50|gapGgByYf~}OLt^@DA2_W8`$ZPFiRHqELY1*z4^K0 ztKLFcf7_x&2oP&OJE}2Y%+S)#%;2@CSD+_v&2P6fI)GM8Y9(eg?ly@z*o@S+E#}+= zZ@C!b0Z-8{iy=pWmsg{{lehk)K<%NgH(^LsD$=e3H|%>f2Um|!x<9lB?!&`x;urt|Ci5lUD&L?u$boP#|V2Vl!s*g6XJ*~Z#9 zLy@K@e!o;XW`hQ#Oj&x1qOK5ZoEcN&0Utl4uoFZ#Y&OK2<~+$F_`p;>T$rEVV_Ewl zHT9{^T?B!0Kf3JyQP+FNbJ@TD|EH0aWHzj1W$)}{?@eUORyGOQBO#mYy^@_3LP!YN z7ee-mNcQY^yt>}+-}m>q{XSoRTo=8(yw3AEj^lV9$8mq0a*HWimkU(}#;jWEw@q;C za{^X&aFCaS+L~q8`1%)j5E|l!$Nk9ThIAU7(5e2jC(nc_)UryMSg75)Fp63?H+k8M z(^s!z9cGDASHG4+khNhxo-lgd5)6c~Kzq1>l$^nEOb6QapFVvG?V9G0jvQx@%39AI zavHMX+H(_Wrbc33e!3Q#VV<;!&yG+!+OKc^T(6(Px);KsLN~WNVEA}reYc1Tw{JorQTvZ8fWIAm5%hi9CPaM<90=_GQbxphP>ziAhrC-SCK~==X-GgDo*FImdyCLSmzUF&&)9Mo!Lj z>kD;x%h`u+d2JTop64=46})~aO&zEFUP(gdU=;oQST(P0v?Q*#O!dwob1<#Oe(5B( zn$K}hEGLgP3qm8ye?{RTm%S_(rI=?7a7W zji6kU-qhFj@jEJ4s`(-XmBvhXv;u@8lVvhWSxE7wDk>StWGQ$BmCQ|WP87wvd>Ku= zq%(|~NYW-(-i2HrE?}ndDIFz>tJ~?{*yk4zxY~HLh5jYvQ}HrX>mQH3l@R!Q&4Xn6 zW&A097)_{rm*Pz;l#tPXKh?R`6L_XL`dWSV161E6X(a2e2Xvk5>+9>3=_e{L;!2Vb zT&d~xtPQ$BSJV5nR!V&F@j9&?AS4HPX3?B0(IY6ia~UW$}7T?>zq#>j5?rlG7J>;0j5=;_NF2ShKXrday4 z2t=^>URKJ(ASGwpgkjRhl~7%hq>HBZKrJd_dW9%AZPbPQyJ&H8!elv;?(njZz5e$T z|F`M+&!T`)ea&vbZ#SW?t1Dpjw+g~&s*B@=Hfe*R2JNvZv~2qH|FX5y`h>1l6(J|a3bA3hWuj1taJ zWsGOQXPl3kZga{H#C;(`ws`+Wl+qWhj@azf*M{p)H##&jWzDdEm~1j zi}>-0%{r6e(>Lb#@zn%4#K|58gzP+BFUi(?hj0Q*2RZ``4 zs)nF>`AZ~y;v&YZZBB-o{5PVs@r9DL@6X=G{=eMF+=u*WCp%Qs&D@cMiCO~xT@e2o z0j%}6Q-gz*=3NANLxQd=eaR1G^L7f7jD?-%#2-D%(JzbAGcYhX9g@2xk^7l%B^jH5 zQvQg#2aq#A6kbCm$A81UiwOV4Of22MH~r%Hm=WJ<(~&=TFy_ke)EBcVJ^_Idx4>hE zW@ATJSKeK@GyR~p!QtV!N=L-CFW_r;>B5AwMbM*Xlx?OHR6>FCs+~tyt&+1G+f6@T zSVcrfuCG7T(YZFO7OPh>_IPpkw)@vr*hfcO955r-A{gem8}39{30oGD<2TXCaZMM? 
z-+)1%*!Ub9zH_S&rn3i=_rkF*06)$X9DJF6Ez6@r&J5Kq%-CNt#8Eja$>s!ZvQ}hW zQFIjeO^Y~K9b4T*_|I5A`*C%gd6QuAS_v4mI}$0x^~K=#{XVK79MNkjEoHkn?Q{ER zt(x@fbQ*5uSMp{Qgw+ms96jWAeU)O!F!MG&mS&SFa} zeb3UZkdTm_AX%DVGbc-G$}wx$gp54p<&BhirKo};2UOy~Tx8m#Q{w2RVRtdHqIRj$ z^gVVx*myu4$#PJ`N*G7Bh;Hajm_jc(7-msilwmI5%EFc$=gu2?Xkc&|+4!eyWMf}f zgfjTENT29na6CktTSV%FlH4e#VOn`S1K)y^P!ZhhT{=2om6ZCN=xI0kF65?pg!x18 z43gs{arBY0bogBOtWPZ7mZ_!-65(JX{xmoZhUFvc@7}$WUFuf&?bQqb*V>OCcp;KE zZ{Fm!>SJPJy3va;rqE#k?P~Br>LF z^5|=6#j6%675Y{8So~O9d-L|~!tOC0=^_(eXa{6EQp9|`jE%pKMOliHSAEy<7Rx%W zWs2|N;pJszWrcWY7N8nXC6e{avq>#vVmUUrLrHKM69dch_fiiG=F^RTX5cqAB?H8r z0IB6RY0$nZ7$eaUB~8oyL`d}$6~3I84<+>47n&Z*gyZ z1O;3IoW`>j`V?CF`}+DyL@K|-{Q;!9+LwZ&$)h%7C)@tW9aNgz)inMf#;gL0t+22V zatXXCa?hWiPC2&vT%37^=fV)_mK%CPM1lShAUoiZu@L}pI9OO3fkK7Rqax@+0o

    60Dy#_9O&7MfWWimFNv40b6D^{pAWfy zjqM>6R_|XNnOBUT0ww1K{SCgYeqYmt99xd9o;|DAEH->+(ew5}Npc0ATyC-y6cGU( z?p}7Wt^Ibo-RjpCc*#y4G#t(Ww^d<`7pGxjXNS}n`_voPlf8AwRznOJNCP#nlQKu2 zC&T#)+`4(Kt$(ii9d*38LIDf@pTR+pT!1aDQ*NkdWYq5vuc@d85+<7yRgn}hT0ku? zAD*uEr_}=sR$k5#DO(ML3`L(7AU6Rbzl;^+)qF7@ddun-2Sx_dd?yBf7f5ifH|BleBF!T3+chmVD_nLgox^H4+bpEU3>QxsLf>-wRqZ|7{I;nU0 z`CHC@_gY$7s)-%b@8V?Jo&Yt5dINxEksuae*ZqhKv;-Di8ZH2kHK-WJ4w9%CSBhJT zV^DhG`OpDMjVPrHgUxuwf zqA)X}`@bKOcOHsDm=5X5T|vN8Q9NEmczDZU^ENJKAZN?b!g7)c0alRGYqk_VTTL~! zfso7B72!)sDdlYu@NI`2NlyR@0?CNgfh-hs44cmPSI{l#TeBPcP#Z2YY4shHw@JM~ z0bld&A!%uW)IVec^2<7NDjO z+hYON6PRs~AvF6zrlnFm<6vF%-CWb>>}Uu0S%VyPAh7VbdvSwIBR+u zrI3)+qY)SDM6O>K>jZiX(?%Zl{GhZj#lp%8i~iO-nR|gW@cr)Y?qbIr2Pq?4fF9dx zfS4GYpcjNTb`20$owF7xj&=favPGa-74|EoUeXs}Ft&0(Lyu?f4wudalfmh0ed%~Jd^!lZSp*CXkusxEbm1`-_uuCA_=Ba=T5P!yx7Z&_c4$hZZM z&rauc<(0M!rZ{>S>b`^#YdE2UmANJ6{l2oYvZ?7g^t}SSHv1)!HAPGN!GrUyXRX!x zWx^R-6@KR%K=psT7%eL=|6XG|0;V;-GFyf46R?dP`Iazoe|I!U9>8T3XbJ@<$O0LO zB4vwIpr=%;NYw{+1d!sObJ2a~kf>My2tK5uS=iW?1U1ew2BB31jNTOr{z|nfy=p5I z+lj*VelPc;`4_Ga4-cax4#Kuu(VWy)MBkj8cm>i>19*8<;cR7Pwbu&E5|!HC+5#Mn zfq?;q;3+8J8gk&2o3vic0iJ%9`js>-1SYe`U!TE2jnk;H1`z(JC<5eYa=`a9WvJ(C zAHWGYI5@BnaAE%#I8q6_b#EW8uCC5P3m7-M+O%aYibg~Y#bmX$4DAruf0Td&YvPyS z&K6x0p9eYWrAAHH1bh22a%>wxlmaw*_|w?$-SYt~lsGKdNMsNV)otcDD;A#n9qJI^ z*x*)YV1+AWW-w!N>es9RL2T#fxVn1`@dcP!WVc|kMX;|0LBpgF;RB+3_w4 ztQFaMZw@A>PwrqY=qk0SM`cwN_YHg<9UU={ZGeU!aJG#@HVHizVBH#^(QUGcc0SBZ z%%oQT9JRH$oSY%&3i}dV=d-2mSO}z015P>a%@*mfLWGY6dJR0^&(6+1fBt-M;GS9t zYpS}s8crYB-!w|bGR1u07Qe6VuDb~*D$0!1^jk%I6%CfWjgk#nqq>46_3W9zZvE^w zz~m4j$wg6ui+5|7Ru&dO(1-Vk zBBq_;WEe7cV}j{a!P>h%Q?|$ua(&Tr+8}TWvCt00!t5}&@INpc5cQ!jYaok-TvwC} zX^tSO65{0CM$yD0>t`^RzOW9#HAT2Ic!S69>j+`LGG$i>L~PaoHZt#YbiA4cg9?GJ_(fb(X;XuH_p?O~?sO=XxaZS?wPb6yeYzO;$dzC*0dbF`V zd7ST$!#Z>Yg@S?9yS-M`Kfl$oo;cqhM5})HF1JG5*Vp&A_4f9*nEFbsXmHxifPG{$n(^F75$dL-Y#;)%Mff#7;jquG34b8hW%(+aSgKLFo z%nK}gQ)43-0>88EKNl6CIs#%lx@G$N@cI^f@SQtFg@rE`rMa^>M+!SND6PLX!3h8Y 
zS}2QM3TkU}7^vz<^aOVMZ_4KJiVJ?gkWF8AH$>Y&?83F^lsttKgl6&HV2;#v4#Ste zF`W~ztig(c#zl?3y^_*p-ZerQjiISEH{q&>)BpT)?Yz<#>NgXuC_w|DhC%d3uk4?r z@R#Z7>GJdoPJ-|*XqJ+a>HvKHCSC{um2i#su}dJ$w1WV01OEl61@L;wmFaANTW?)# zLhq`n1+@u&yDe!*JoH=jc6Xb)e7T{#^&6Zl;Po<`YH$sh=tHf)Z*UjzmFe`Z?*4Q? z9n>UeUr}Ho#K}$Kvb-Li8z-c}m)4JkK+okXJ!+%!Tau1;&Bm>^BZbpENBWm~iNzGRJQnWNRf5Urtdhk)WU+_@8~cM2!N&F{@3^HFeYmy4$M0a$-Bst)D)#wvWtC>q7NAnX7G z;JZjMD?d?+GKC*Lh}PFM)sJA}J|$eo4SWy!V7?#@m44qZ({pLYrI+2#UU1|+nbu;eI_ULzdJ4t6a#{5y zYZw~#osG&DmVWkTnA{!av#-@R_kH*YH7|^+Vba9s61-z7e}KUcb^5p@psJ)4v6Y>b zkzw@U!BYs%K#j?CFd{xSwrzzHm)-b7a@lQ*aA~_DVx+sj|L4X=(304tYtOD=?~*uy zbuv$Jt)x@ty-SI4v&_~87CJaz5l|8E_JdK@*C$VN4epo+y`;FAy_c@#01N9W|ayu_?UPzMz0~etvG32s$C(TmAmP89k*L zV(s1EzYjp_1jJYL^m@)d65)k_3kQ$=0S+XSS&dM8c5i}H-*K_n*ElupSL-81elUwL zna%SrD3TfYR9Ydc0LxaZP?;!98l{5;A2j(Bc6UrhM#is@An^1MT=_?WuEKq6|M2ke zSQX|_2{lsJJKEaXo8M|n;F7_&^bv9~h&H;|eGW8? zMn*==S(a0Y;BQ9m_F-o8e6xVIOQCg_Yf8kZyq^EBH*%^;vXpf?PogTWZe8I!@rx z-iR7*pgKz;499Jp1&HU2s;wf$X(nKiLm)(wsa-UJQjUNCYz87Zh_E1QdkI~_#AFsE zJ3yq1Q3x-gRS-d6WW!sOLM#@iw?xtEs8E-9CYH%6IsIi4=t1iY7up z59d30wSUSCQ1T^_vLoNVoq$3S_{@Q<`}dDoJLJVQxIxMob>c&o|%_HGeqm4;y}V1 z(}z=-KyesmwiOIkQYB05yms7}PQe8{tZ~I5umU13OY#yDZ4dfHK|1T=puW}UgGcOQ zqIiMkO%r1aMPFQ#`-+*8Ii`61LlZp9Oo?MJ)Ez*53BxEr`)cy==bfkcszvdhpQ807 z_zOs!uXlkXlND=eTXSo)IEj1pFvt@|4oo}3Wo}Sr*x<50T(EhV4^drNnSECjm9ni3 z9F|#iN{_&)C)Yl%^@5`$Sa&-(biuVWyR8p{om>MMDGIFt19kOZaCH6y(n0bb-y!!V z3YG+=lmfaZH^ZcpLtw$6vSbrUH}W;t!E&GfD5-ci)(;tJwR`*8dr7U0jb5N>1wWIK zk!`j^#0&`w7uXD_gC&|j%}Y3;+=Iwa>izM%>gssdM{xGuL}^%o+R-0wTQa6b2f*%x^Ca(iQZhqxb2HRsl~*_C6UNNKeTHDB zGWqTGmFaWT*Ffz?fjXvZ@k$O0I-<;|1)IUvmU)*`Ar8XMM=fmTIx$px(wGvJS6HSy zcZgoGcG2lI14qktGrxh%FznQpbZ~PM8eqPyJ`J+A+(&FoGVrE z)B}^}KWmSI;I2-=P2210g6w#2U!O(0`3KN&a-v{p;q<-h)eNy0L^UWO zB1m$#xc}5I4C;?TMb#(^45=_ED`k&wfEE}mny>#vUnwfRrnPDQWACOElYp+awsIQ( z&oNySOWLYQJIChzYX)pL_WWV_qK*pe>|}T$%o#?sv1f4HovnN%B_ktaVq#)%UpBC6 zPX4{CltyGN402rHH~c_^ELNTmJUTb)VRR{X2EJn6&?iymTsZt6bde(R1)2w|Qalzs 
zli75aEiEkY=Q$u3N_Usj_H9^rp*9Ql+xSFz`kv^wpSaZr{%cS$5%rR>j$6AyiB6x^ z6AE+szkKlm9WB(U4Ypna^DehUxpDIe$PbyntKatfbBYplt1`!qcmA^c8-(ZN1az)K z8uhFPb_>dKgpl*mhy7<%`&mcnK98$e@AR-pNq3Z^Dvb*LZ#K$l$xn*ghSi`ht{OKYl>k zpCvJzS>?0c+`iXyFE2=#`TB|-vOX<_^YnpNGpu^tSwUyvj2+8b3(O#i!inpDmVO_5 z4=u0IU$v>8?6a!YDT(|u^Vvr{JQsA}6${K3)K)gZzra>NDI6)pfg6ULa&|V2*lnp6 z!Qut6Sdi+D=(JP26`qU55*4i`c;#m>O{_e`IozLp_{-Vt=pOO75>`SYWTJs#SJ z5H_k-28HI%%eyS8LqS|{@eit?6ZOdPZ|RPr2loxs?omW2A?!i*|jOsx#91~^>TG053bVx`cjC2RdT{PIQ6 z;Cpcu7V9Rsli39TT7azBT1c9kU2`vi{pGVA_+4n ze*{$a0_1bET&EH!w#QXd$p}39lcK6Aq}$snXD{n+nWq-g_O<393Rk!Kv;3N=F1S?mM&9i=34K7JEla!as%>hx zn5p1eL~xKs*!g37!L_2+Z?TQuxlVh<#qxrrH|FSY;<%%e<(UZm*3DG!Wma*<%W+y1 zUbk~_05c>dSSU-|P*i&M&%y#<)seE_ADN~|BeGm3N2X84QsISV^pk3F^KVMXUrKw= zJ8ep!)$rUzCcMRvwL1#PuNRUQOqd9NYnB}0dR&F#XA36MSB4EFOsQ5;+m}NpwN52- z#Od39UVkYaXktR0!=%P_Bj?Q##yh|2A#6G##(bMcsRvj=$wEe5pL3Vyw*-(uTOkHw zODrV+dcx_Z&#$q(`_tnmAydP+2zrj7t74+0?p$q3?DwBg}< zwbbruSCEg_UsfxwFuQqG6f~V02GPj|oLE6bBc((+!z5@=x#SL{HuzsqC^_x-89eMYlgly8y%Ae+mon zxgK?LkAG%K(P$@~W_`1DA|J)Yt6?FDsuex#`$DH>R7KLiYd)+;$hg#&Rj0V^$=vE6 zz9<;5)UjCF2w%nY+3JlTp_fQ4Bzu{k-yuDcFfgg6K@`G~Mf0-db%$>>d$W_5>=1rd zuUX5)C+g{qwfLgd-~2#(*3*Nf58>pgQG0d1ZPzT% zI3fzO4O8?;2~O;1%9PXdI}%>=%IJ!UQ2sio^F>1_i>R}blX_APd-S}Tec>Dlv65o( zSC&j!Hlkl1TjDg*8mnwpK^@#e_k5f+G=d8$L_|9Hnz`x z%PU{|`=6ei%e9I*-;TdM$ze_HRjc2eT0r?4rHV88l|Bf}1f(SK|jXSS>& zQf8V57JIZNceWsAwqvWD6}496lRBTQ4__O2&BPm+KQ;NBduew#R{o=T{1X?R za4U52j~h+~!siYm)#fjJQw`IuiXU-O;+~q9Fi)Rn;Mt=|I4zfo1|SF%oYsWM#$ugf z@J>2%5D7wwVTJ^jPQ@$9;!L_qW5TJqjGQ0tY~JaZ_m?ju@YsZxm3qyhS8CmMjsiD- z%ZO6nrzDubw?=5@oaq$q|9_Sei>r%*&%etH(j+jU8_TWzzNBGw?eT9#Dc}00 zR=UkybpNJVFjqWEZxIB?_@&z=pYq@$#+N%&*ql8?MWM>wiy_P`k{Xu!GYNb6JfwSa zw2HCaTZhl3B$^d{64nSvq+^AzAdmM#a^yeV!aePH6iAaEFyWWW zDKJ+4zQPw7S}U?Fnk^3Y%bG+cf~BwJ5ttBSLL=K|?eBlNv5-uq-w0o4f@$z@MJmZ9;+u#xy2V+PUD_wz zs!Jby>lyNFu%6{gig6-bK2;z7*}916!U?<+!$iz4Iqa6dY8NzMd97#EExDMgFz+AD zSSNL+2fte~TL}^{L&^ug`()M}de}1tsIw{c(o&rxgnJG6T^o}#bU78|rXFElAw!sL 
z-iK0R&ju#X=hemOANVBNd!Gjqel!ovr@hTWY^D^G`au(+`RRkJ)_$oDya6}^$CDc?;i`yE?!!1OQ7q;}_ZG>pI@9{?R{ zr=lFAR^Mh2nqPP8z?aGW;*|RBLzLJ9cWwj%v4gxOOk&TSE3C)p8uV*@rq!pMwCA#IGZCXZYjAI7Eql_z9R*JVrFHoBBRi&ZfQQ zy@Vsl6pQBnFg8=bhZ`9bN4tWqp?Ob`{WEV4qQ~_-MZ4gqSo5LFvn5Oq@7pFc_@~VX zA2MI-b_v6{f$@2FQ42@yL@A$mi>3nMC+7Gb3Ox2K9vRle^OC&guAfn}EyYElYJ|^{ z5-)pxpt4r&a*Vm1gdv{P%Rq*sP3!#HP!+?iX$G7=2kE!-7M+s2y2Xb2d_4YCG?Pzu)?iut!ZhgV!gpM@_2Q1`Osrp zuBqv&yZf~_qkXX@`zLG-=m;%oh*3a=5**ODSpD=AjdJ=uzRt{|iAT`m6?%%YTjL>b z-Z4%#8L0F}npwWcD@o}hVdB}B81R2u+C$PiW+u}(?(oh~7!6ZGzp2wD@?mknh5HuO zJ*zxP11|Nl%eLDaO-`fR?=U|QgwX~mTtd`iV@fLS$qU1GZ7o?5RA}-9xTzqh8WX4<;h5FPSwkR=B}rWX9wS z4rMy%(hP3wygWYpvPt>=?9E+4%5!7KtnpqBqTk0YPDi~LEzGHIcr=n4R0K^O+eK!I zZ3vQ`D4*i~TN#*Jo_rp$=<7L5g>=_k#h=j(TGii7SC!w}VeVY83u#~4p%mCJR4R}y z(qg#A+1IO<9Ag#`i!;Etrt1A~YN?mzEeK&8T!A_B{m+9XE6HB32U zc}w77q&1y{pX^ZIUZ4xo&6HaFh2!916Z_9Q0dvaJ)p#E;y@?!)?u67#K>4(`o_3OI6+4E)+aq0Tc zDF#aF;=lnx`t|D`%G*uev9xrvGqaCc+-NC(eHnI*`=Ipt)phXpBY2COLv@ z@bgU>-sSa%@)o6kqO>H7S?U))&!?YwEnE#XDAP$B&`o|__aR@J`5MN@^i8`0`BA&7 znul!bn#_m?IvT<>{unnP+K^)md}PR9{oqP4e%;K-6;e3n?z|9kVUT?$k6?=0tVWD{c^g;+IOTE#zs;Oa7APU=W#hXzv8-9^kBpG26v}u}4CQy@r!v30X*9=2M9_W)~vE9nq%0 z$j5Cs6`{Omf2lf&AhrKfHk>1a7iNX7hMu7Z+sEzp6tI+EbiTZ9& zVnvtT@mtZX`@wch&((hi{n3|NS?~}s(+ub3Jo0UO zL*`eoZJ4_D%iM(|@awmuyKb?uxIHjb>WGIXRnA~(6UZ>jR`?`#T^Apg%39 z61*%yh%3h$=9}z-Z@s`*yKf}O_`phCn|`iVDdDE(eqv$aQoK0fhn#yY@dHBs$CPqg zqviw9y3NP;aUA=KB?T@DG(V}J5RJYB!}LA6NUE7NLh0rqf}J-#i!7Zch@03pCnOL+e>V0Yi$O z1d6-3H9=I^AhNme7fLBNl})C0<4u17Pc$7Q14tmHh5m1o^BNwkTgW1vOZ@GBSE9CQ zR}fs-iz&*Hu`z4!gAQw4xpXTE+)#diR7kEs77b1ME-`^00eUbadU+Bi^f4>M>6g9E ztLFeJ<#WSP5~e~N-wk|(>*#&XQQVxRXiqJ-)6H;+*;dQh4KW2x&ZlM_pQcOS_-9eo$(RN6~#l) z3$^q8rEC;$0#||l@-cmBadBIlI1xFi)xUSZC(>;CzhwRX`zl}*>Wc4qqAdz@WY$vS zmtKyb@_@}{_*hcVS<`8D^IzD<=>MeM4y_CsqM=6ywEELQfG1e}l>|>TcLeHLR34Ce zyD>xLOoJLxa_$_{!3k?Tx%QhZwfy(!YBQLBbT?Fg79)|-xTL3d+4^gg@%n*>n4_?8 znaA&?z=Wb7cv$FnIBHb0wAqqa&BllJuul(HtSukBevt1q0jLsPD4HH0!RN}4+M|$cT1@>Wl{NeIA;qB6*H2&ZAbtm#~@MIz@uQq5%UGV=Y<@#$>0RisQ 
zKpU^KYNfhpisRbq@~V{;=#?zfVqD-SD$>73{FCUV=415B*XpP8iNh3g_F^sSJNp)Q ztdf*fbc^jc1Qfh1d4!Od{PAUmOWwYF4TcW&%Sv&q7+g)E~}O6P10Brf*s`D3(9;JEdYczI3f<VhlhCphSI)1^8-P!juoUOw1dkv{=aPLec{TA=92h0d_Hf!0;ve?$`9X{KPsC{bDm zC>xR~t{!JHI63?5U2W&!$c)EHe&>3hdeM6IJGAWL+J^ep?GHoQF+HQ9POOFm$w@E_8c4=-Xcmxk7 z>;G@iC;IYP_NR(w4k2{OJVn;LeOsw%0CtY;lVthQpCnek5$s`Kmj^ZV3FAsWD%{Y}>ASD- zLOlZ~Od97+)oDo4+xE}Gf+f8JXspuYnfNq>*S+rDcJ*t&JDN|c$Vl8fn@uPOIf8o6fABv=v?=*F;~SP86m@7hVF=37R6@f0 zu)&N1*BO2-ER1kGlt%9A|lVzOVB!n{>3tw<%dT7S7zdh?58EbIu;k-+^J25P-XZqO*X@4yvq$_4g+D zA<+*ah^WF4j3Wvh1>rytF#3NHqz;W4!v8wEE9_J9Yx`am`W84wA}9!n=4~wDDvdbP zO+!vxAQb+BpK^{y-U@_~t~;E#arCzEd~4G|?$Tcj64zSjJygj1lQ0_;slhj6foCkg zuMi~|Irs@mlYd!K6mv+e36lOP_UM^i0$NA&mh@vQmos)BQEBPg1_-80n)z$rD!>0pVeRLGR z<_d79i6f3UNlHHFP2^b99;I^*7U}?JyK>@0#}V zK&9B%{?Vh`2>qGr<68ZwWWlJO&2CE1{J?pRSnd)*P3|Sr_b9T_e>aXmD0%3}yXyg$ zvR-J95pm0(D$Cw$H%v3z;E6{;J(m`rcs0y2KXNy$ef+>%M_|b``7iD%({B1+s|__S zJGby(eO(o?;hGkSichnrVYZ-#hcf4pSwLA2qwH;Q@%#<**u`W@5dxtbTT~T6s1J7G z%G)`PDlx6m{|QZ9*!mHK;Q_Fi-7fL+E3{uvOMUbOscKNwdSa;QCwH|4s4B@8nH z1R4CmpB74pUrqOnixS0DK4VEXh5NY(3K%-}#=i36d6%E@>M0{{XSgLM;FQ diff --git a/fast/stages/3-data-platform/dev/main.tf b/fast/stages/3-data-platform/dev/main.tf deleted file mode 100644 index b27a575ff6..0000000000 --- a/fast/stages/3-data-platform/dev/main.tf +++ /dev/null 
@@ -1,56 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Data Platform.
-
-module "data-platform" {
- source = "../../../../blueprints/data-solutions/data-platform-foundations"
- composer_config = var.composer_config
- deletion_protection = var.deletion_protection
- data_catalog_tags = var.data_catalog_tags
- project_config = {
- billing_account_id = var.billing_account.id
- project_create = var.project_config.project_create
- parent = var.folder_ids.data-platform-dev
- project_ids = var.project_config.project_ids
- }
- groups = var.groups_dp
- location = var.location
- network_config = {
- host_project = var.host_project_ids.dev-spoke-0
- network_self_link = var.vpc_self_links.dev-spoke-0
- subnet_self_links = {
- load = var.subnet_self_links.dev-spoke-0["europe-west1/dev-dataplatform-ew1"]
- transformation = var.subnet_self_links.dev-spoke-0["europe-west1/dev-dataplatform-ew1"]
- orchestration = var.subnet_self_links.dev-spoke-0["europe-west1/dev-dataplatform-ew1"]
- }
- # TODO: align example variable
- composer_ip_ranges = {
- cloudsql = var.network_config_composer.cloudsql_range
- gke_master = var.network_config_composer.gke_master_range
- }
- composer_secondary_ranges = {
- pods = var.network_config_composer.gke_pods_name
- services = var.network_config_composer.gke_services_name
- }
- }
- organization_domain = var.organization.domain
- prefix = "${var.prefix}-dev-dp"
- project_services = var.project_services
- project_suffix = var.project_suffix
- region = var.region
- service_encryption_keys = var.service_encryption_keys
-}
diff --git a/fast/stages/3-data-platform/dev/outputs.tf b/fast/stages/3-data-platform/dev/outputs.tf
deleted file mode 100644
index 3f99046217..0000000000
--- a/fast/stages/3-data-platform/dev/outputs.tf
+++ /dev/null
@@ -1,70 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# tfdoc:file:description Output variables.
-
-locals {
- tfvars = {
- bigquery_dataset = module.data-platform.bigquery-datasets
- gcs_buckets = module.data-platform.gcs-buckets
- projects = module.data-platform.projects
- }
-}
-
-# generate tfvars file for subsequent stages
-
-resource "local_file" "tfvars" {
- for_each = var.outputs_location == null ? {} : { 1 = 1 }
- file_permission = "0644"
- filename = "${pathexpand(var.outputs_location)}/tfvars/3-data-platform-dev.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-resource "google_storage_bucket_object" "tfvars" {
- bucket = var.automation.outputs_bucket
- name = "tfvars/3-data-platform-dev.auto.tfvars.json"
- content = jsonencode(local.tfvars)
-}
-
-# outputs
-
-output "bigquery_datasets" {
- description = "BigQuery datasets."
- value = module.data-platform.bigquery-datasets
-}
-
-output "demo_commands" {
- description = "Demo commands."
- value = module.data-platform.demo_commands
-}
-
-output "gcs_buckets" {
- description = "GCS buckets."
- value = module.data-platform.gcs-buckets
-}
-
-output "projects" {
- description = "GCP Projects information."
- value = module.data-platform.projects
-}
-
-output "vpc_network" {
- description = "VPC network."
- value = module.data-platform.vpc_network
-}
-
-output "vpc_subnet" {
- description = "VPC subnetworks."
- value = module.data-platform.vpc_subnet
-}
diff --git a/fast/stages/3-data-platform/dev/variables-fast.tf b/fast/stages/3-data-platform/dev/variables-fast.tf
deleted file mode 100644
index bd6ae628df..0000000000
--- a/fast/stages/3-data-platform/dev/variables-fast.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# tfdoc:file:description Terraform Variables.
-
-variable "automation" {
- # tfdoc:variable:source 0-bootstrap
- description = "Automation resources created by the bootstrap stage."
- type = object({
- outputs_bucket = string
- })
-}
-
-variable "billing_account" {
- # tfdoc:variable:source 0-bootstrap
- description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false."
- type = object({
- id = string
- is_org_level = optional(bool, true)
- })
- validation {
- condition = var.billing_account.is_org_level != null
- error_message = "Invalid `null` value for `billing_account.is_org_level`."
- }
-}
-
-variable "folder_ids" {
- # tfdoc:variable:source 1-resman
- description = "Folder to be used for the networking resources in folders/nnnn format."
- type = object({
- data-platform-dev = string
- })
-}
-
-variable "host_project_ids" {
- # tfdoc:variable:source 2-networking
- description = "Shared VPC project ids."
- type = object({
- dev-spoke-0 = string
- })
-}
-
-variable "organization" {
- # tfdoc:variable:source 00-globals
- description = "Organization details."
- type = object({
- domain = string
- id = number
- customer_id = string
- })
-}
-
-variable "prefix" {
- # tfdoc:variable:source 0-bootstrap
- description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
- type = string
- validation {
- condition = try(length(var.prefix), 0) < 12
- error_message = "Use a maximum of 9 chars for organizations, and 11 chars for tenants."
- }
-}
-
-variable "subnet_self_links" {
- # tfdoc:variable:source 2-networking
- description = "Shared VPC subnet self links."
- type = object({
- dev-spoke-0 = map(string)
- })
- default = null
-}
-
-variable "vpc_self_links" {
- # tfdoc:variable:source 2-networking
- description = "Shared VPC self links."
- type = object({
- dev-spoke-0 = string
- })
- default = null
-}
diff --git a/fast/stages/3-data-platform/dev/variables.tf b/fast/stages/3-data-platform/dev/variables.tf
deleted file mode 100644
index a2d8271dc1..0000000000
--- a/fast/stages/3-data-platform/dev/variables.tf
+++ /dev/null
@@ -1,218 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# tfdoc:file:description Terraform Variables.
-
-variable "composer_config" {
- description = "Cloud Composer config."
- type = object({
- disable_deployment = optional(bool)
- environment_size = optional(string, "ENVIRONMENT_SIZE_SMALL")
- software_config = optional(
- object({
- airflow_config_overrides = optional(any)
- pypi_packages = optional(any)
- env_variables = optional(map(string))
- image_version = string
- cloud_data_lineage_integration = optional(bool, true)
- }),
- { image_version = "composer-2-airflow-2" }
- )
- workloads_config = optional(
- object({
- scheduler = optional(
- object({
- cpu = number
- memory_gb = number
- storage_gb = number
- count = number
- }),
- {
- cpu = 0.5
- memory_gb = 1.875
- storage_gb = 1
- count = 1
- }
- )
- web_server = optional(
- object({
- cpu = number
- memory_gb = number
- storage_gb = number
- }),
- {
- cpu = 0.5
- memory_gb = 1.875
- storage_gb = 1
- }
- )
- worker = optional(
- object({
- cpu = number
- memory_gb = number
- storage_gb = number
- min_count = number
- max_count = number
- }),
- {
- cpu = 0.5
- memory_gb = 1.875
- storage_gb = 1
- min_count = 1
- max_count = 3
- }
- )
- }))
- })
- default = {
- environment_size = "ENVIRONMENT_SIZE_SMALL"
- software_config = {
- image_version = "composer-2-airflow-2"
- }
- workloads_config = {
- scheduler = {
- cpu = 0.5
- memory_gb = 1.875
- storage_gb = 1
- count = 1
- }
- web_server = {
- cpu = 0.5
- memory_gb = 1.875
- storage_gb = 1
- }
- worker = {
- cpu = 0.5
- memory_gb = 1.875
- storage_gb = 1
- min_count = 1
- max_count = 3
- }
- }
- }
-}
-
-variable "data_catalog_tags" {
- description = "List of Data Catalog Policy tags to be created with optional IAM binging configuration in {tag => {ROLE => [MEMBERS]}} format."
- type = map(object({
- description = optional(string)
- iam = optional(map(list(string)), {})
- }))
- nullable = false
- default = {
- "3_Confidential" = {}
- "2_Private" = {}
- "1_Sensitive" = {}
- }
-}
-
-variable "deletion_protection" {
- description = "Prevent Terraform from destroying data storage resources (storage buckets, GKE clusters, CloudSQL instances) in this blueprint. When this field is set in Terraform state, a terraform destroy or terraform apply that would delete data storage resources will fail."
- type = bool
- default = true
- nullable = false
-}
-
-variable "groups_dp" {
- description = "Data Platform groups."
- type = map(string)
- default = {
- data-analysts = "gcp-data-analysts"
- data-engineers = "gcp-data-engineers"
- data-security = "gcp-data-security"
- }
-}
-
-variable "location" {
- description = "Location used for multi-regional resources."
- type = string
- default = "eu"
-}
-
-variable "network_config_composer" {
- description = "Network configurations to use for Composer."
- type = object({
- cloudsql_range = string
- gke_master_range = string
- gke_pods_name = string
- gke_services_name = string
- })
- default = {
- cloudsql_range = "192.168.254.0/24"
- gke_master_range = "192.168.255.0/28"
- gke_pods_name = "pods"
- gke_services_name = "services"
- }
-}
-
-variable "outputs_location" {
- description = "Path where providers, tfvars files, and lists for the following stages are written. Leave empty to disable."
- type = string
- default = null
-}
-
-variable "project_config" {
- description = "Provide projects configuration."
- type = object({
- project_create = optional(bool, true)
- project_ids = optional(object({
- drop = string
- load = string
- orc = string
- trf = string
- dwh-lnd = string
- dwh-cur = string
- dwh-conf = string
- common = string
- exp = string
- })
- )
- })
- default = {}
-}
-
-variable "project_services" {
- description = "List of core services enabled on all projects."
- type = list(string)
- default = [
- "cloudresourcemanager.googleapis.com",
- "iam.googleapis.com",
- "serviceusage.googleapis.com",
- "stackdriver.googleapis.com"
- ]
-}
-
-variable "project_suffix" {
- description = "Suffix used only for project ids."
- type = string
- default = null
-}
-
-variable "region" {
- description = "Region used for regional resources."
- type = string
- default = "europe-west1"
-}
-
-variable "service_encryption_keys" {
- description = "Cloud KMS to use to encrypt different services. Key location should match service region."
- type = object({
- bq = string
- composer = string
- dataflow = string
- storage = string
- pubsub = string
- })
- default = null
-}
From 339a864f07e5f5033ebfd2a7010cc02704d6a82b Mon Sep 17 00:00:00 2001
From: Ludo
Date: Tue, 29 Oct 2024 19:02:02 +0100
Subject: [PATCH 81/94] exclude provider files via tfdoc opts
---
fast/stages/0-bootstrap/README.md | 2 +-
fast/stages/1-resman/README.md | 2 +-
fast/stages/1-tenant-factory/README.md | 2 +-
fast/stages/1-vpcsc/README.md | 2 +-
fast/stages/2-network-security/README.md | 2 +-
fast/stages/2-networking-a-simple/README.md | 2 +-
fast/stages/2-networking-b-nva/README.md | 2 +-
.../2-networking-c-separate-envs/README.md | 2 +-
fast/stages/2-project-factory/README.md | 2 +-
fast/stages/2-security/README.md | 2 +-
fast/stages/3-gcve-dev/README.md | 38 +++++++++----------
fast/stages/3-gke-dev/README.md | 2 +-
tools/tfdoc.py | 6 ++-
13 files changed, 34 insertions(+), 32 deletions(-)
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index b1ee3f7ec0..2068f44b58 100644
--- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md @@ -636,7 +636,7 @@ The remaining configuration is manual, as it regards the repositories themselves - for Gitlab, rename it to `.gitlab-ci.yml` and place it in the repository root - for Source Repositories, place it in `.cloudbuild/workflow.yaml` - + ## Files diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index d3b6c72073..51f6307a0c 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -235,7 +235,7 @@ terraform init terraform apply ``` - + ## Files diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index ed61306223..a3d628cbe8 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md @@ -300,7 +300,7 @@ gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-glob gcloud storage cp gs://{prefix}-{tenant-shortname}-prod-iac-core-0/tfvars/0-bootstrap.auto.tfvars.json ./ ``` - + ## Files diff --git a/fast/stages/1-vpcsc/README.md b/fast/stages/1-vpcsc/README.md index fe5ebc78e6..6ad81ac74b 100644 --- a/fast/stages/1-vpcsc/README.md +++ b/fast/stages/1-vpcsc/README.md @@ -286,7 +286,7 @@ Some references that might be useful in setting up this stage: - [VPC SC CSCC requirements](https://cloud.google.com/security-command-center/docs/troubleshooting). - + ## Files diff --git a/fast/stages/2-network-security/README.md b/fast/stages/2-network-security/README.md index 4e7619d677..ebad676156 100644 --- a/fast/stages/2-network-security/README.md +++ b/fast/stages/2-network-security/README.md 
@@ -161,7 +161,7 @@ You can optionally enable TLS inspection in stage [2-security](../2-security/REA Ingesting outputs from [stage 2-security](../2-security/README.md), this stage will configure TLS inspection in NGFW Enterprise and will reference the CAs and the trust-configs you created in [stage 2-security](../2-security/README.md). Make sure the CAs and the trusted configs created for NGFW Enterprise in the [2-security stage](../2-security/README.md) match the region where you defined your zonal firewall endpoints. - + ## Files diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 83c60be31a..a715a9241e 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md @@ -470,7 +470,7 @@ VPN configuration also controls BGP advertisements, which requires the following DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone. - + ## Files diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index 3e61e7496b..7b70b365cc 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md 
@@ -525,7 +525,7 @@ If NCC-RA is enabled, you can configure the NVAs deployed updating the sample BG DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS resolution to Landing through DNS peering, and optionally define a private zone (e.g. `dev.gcp.example.com`) which the landing peers to. To configure DNS for a new environment, copy one of the other environments DNS files [e.g. (dns-dev.tf)](dns-dev.tf) into a new `dns-*.tf` file suffixed with the environment name (e.g. `dns-staging.tf`), and update its content accordingly. Don't forget to add a peering zone from the landing to the newly created environment private zone. - + ## Files diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index 643a8e2367..56918c38d2 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md @@ -334,7 +334,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t - change the values of the mappings in the `regions` variable to the regions you are going to use - change the regions in the factory subnet files in the `data` folder - + ## Files diff --git a/fast/stages/2-project-factory/README.md b/fast/stages/2-project-factory/README.md index 124b9072c0..f8cb576d2d 100644 --- a/fast/stages/2-project-factory/README.md +++ b/fast/stages/2-project-factory/README.md @@ -338,7 +338,7 @@ This approach leverages the per-environment project factory service accounts and The approach is not shown here but reasonably easy to implement. The main project factory output file can also be used to set up folder id susbtitution in the per-environment factories. - + ## Files diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index d97d56e213..f93d45f813 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md @@ -280,7 +280,7 @@ tls_inspection = { } ``` - + ## Files 
diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md index 2dd1505b6c..611b844f63 100644 --- a/fast/stages/3-gcve-dev/README.md +++ b/fast/stages/3-gcve-dev/README.md @@ -151,7 +151,7 @@ terraform init terraform apply ``` - + ## Files 
@@ -165,25 +165,25 @@ terraform apply ## Variables -| name | description | type | required | default | -|---|---|:---:|:---:|:---:| -| [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | -| [environments](variables-fast.tf#L27) | Long environment names. | object({…}) | ✓ | | -| [prefix](variables-fast.tf#L44) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | -| [folder_ids](variables-fast.tf#L37) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | -| [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | -| [iam_by_principals](variables.tf#L24) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | -| [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {…} | -| [private_cloud_configs](variables.tf#L54) | The VMware private cloud configurations. Key is used for the private cloud name suffix. | map(object({…})) | | {} | -| [stage_config](variables.tf#L76) | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | -| [vpc_self_links](variables-fast.tf#L54) | FAST host VPC self links. | map(string) | | {} | +| name | description | type | required | default | producer | +|---|---|:---:|:---:|:---:|:---:| +| [billing_account](variables-fast.tf#L19) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. 
| object({…}) | ✓ | | 0-bootstrap | +| [environments](variables-fast.tf#L27) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L44) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L37) | Folders used by FAST stages in folders/nnnnnnnnnnn format. | map(string) | | {} | 1-resman | +| [iam](variables.tf#L17) | Project-level authoritative IAM bindings for users and service accounts in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | | +| [iam_by_principals](variables.tf#L24) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | +| [network_peerings](variables.tf#L31) | The network peerings between users' VPCs and the VMware Engine networks. Key is used for the peering name suffix. Network is expanded for FAST defined networks. | map(object({…})) | | {…} | | +| [private_cloud_configs](variables.tf#L54) | The VMware private cloud configurations. Key is used for the private cloud name suffix. | map(object({…})) | | {} | | +| [stage_config](variables.tf#L76) | FAST stage configuration used to find resource ids. Must match name defined for the stage in resource management. | object({…}) | | {…} | | +| [vpc_self_links](variables-fast.tf#L54) | FAST host VPC self links. | map(string) | | {} | 2-networking | ## Outputs -| name | description | sensitive | -|---|---|:---:| -| [network](outputs.tf#L17) | VMware engine network. | | -| [network_peerings](outputs.tf#L21) | The peerings created towards the user VPC or other VMware engine networks. | | -| [private_clouds](outputs.tf#L26) | VMware engine private cloud resources. | | -| [project_id](outputs.tf#L31) | GCVE project id. 
| | +| name | description | sensitive | consumers | +|---|---|:---:|---| +| [network](outputs.tf#L17) | VMware engine network. | | | +| [network_peerings](outputs.tf#L21) | The peerings created towards the user VPC or other VMware engine networks. | | | +| [private_clouds](outputs.tf#L26) | VMware engine private cloud resources. | | | +| [project_id](outputs.tf#L31) | GCVE project id. | | | diff --git a/fast/stages/3-gke-dev/README.md b/fast/stages/3-gke-dev/README.md index 086065106e..2fb479da68 100644 --- a/fast/stages/3-gke-dev/README.md +++ b/fast/stages/3-gke-dev/README.md @@ -171,7 +171,7 @@ Fleet management is entirely optional, and uses two separate variables: Clusters can then be configured for fleet registration and one of the config management templates attached via the cluster-level `fleet_config` attribute. - + ## Files diff --git a/tools/tfdoc.py b/tools/tfdoc.py index 85e6fbd5b6..30c972aa87 100755 --- a/tools/tfdoc.py +++ b/tools/tfdoc.py @@ -73,7 +73,7 @@ HEREDOC_RE = re.compile(r'(?sm)^<<\-?END(\s*.*?)\s*END$') MARK_BEGIN = '' MARK_END = '' -MARK_OPTS_RE = re.compile(r'(?sm)') +MARK_OPTS_RE = re.compile(r'(?sm)') OUT_ENUM = enum.Enum('O', 'OPEN ATTR ATTR_DATA CLOSE COMMENT TXT SKIP') OUT_RE = re.compile(r'''(?smx) # output open @@ -193,6 +193,8 @@ def create_tfref(module_path, files=False, show_extra=False, exclude_files=None, opts = get_tfref_opts(readme) files = opts.get('files', files) show_extra = opts.get('show_extra', show_extra) + if 'exclude' in opts: + exclude_files = (exclude_files or []) + [opts['exclude']] abspath = os.path.abspath(module_path) try: if os.path.dirname(abspath).endswith('/modules'): @@ -346,7 +348,7 @@ def get_tfref_opts(readme): try: for o in m.group(1).split(): k, v = o.split(':') - opts[k] = bool(int(v)) + opts[k] = v if k == 'exclude' else bool(int(v)) except (TypeError, ValueError) as e: raise SystemExit(f'incorrect option mark: {e}') return opts From 8a5f3de35ef8f8a35b9293c06ce48a60d5adb8f1 Mon Sep 17 00:00:00 2001 
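Review bot: In the create_tfref hunk, `(exclude_files or []) + [opts['exclude']]` only works when `exclude_files` is a list or falsy; a non-empty tuple from a caller would raise TypeError on the concatenation. The callers are outside this hunk, so whether a tuple can arrive here is unverified, but `exclude_files = list(exclude_files or []) + [opts['exclude']]` accepts any iterable at no cost. create_tfref starts before and continues after the hunk.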
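Review bot: In the get_tfref_opts hunk, `opts[k] = v if k == 'exclude' else bool(int(v))` writes every `exclude:` token to the same dict key, so a README mark that names two files silently keeps only the last one and the other file is documented anyway. Either collect the values with `opts.setdefault('exclude', []).append(v)` for `k == 'exclude'` (create_tfref would then extend `exclude_files` with that list instead of wrapping it), or add a comment such as `# only a single exclude:<file> token is supported per mark`. The value is taken verbatim from the README, and `o.split(':')` rejects any name that itself contains a colon; that constraint deserves a line in the function's docstring. The function body starts outside the hunk.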
From: Ludo Date: Tue, 29 Oct 2024 19:04:00 +0100 Subject: [PATCH 82/94] remove data platform tests and links --- .../data-platform-foundations/README.md | 2 +- .../data-platform-minimal/README.md | 2 +- fast/stages/README.md | 1 - .../stages/s3_data_platform/simple.tfvars | 25 ------------- .../fast/stages/s3_data_platform/simple.yaml | 35 ------------------- .../fast/stages/s3_data_platform/tftest.yaml | 18 ---------- 6 files changed, 2 insertions(+), 81 deletions(-) delete mode 100644 tests/fast/stages/s3_data_platform/simple.tfvars delete mode 100644 tests/fast/stages/s3_data_platform/simple.yaml delete mode 100644 tests/fast/stages/s3_data_platform/tftest.yaml diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md index 1a9f2ddad1..14d74b8657 100644 --- a/blueprints/data-solutions/data-platform-foundations/README.md +++ b/blueprints/data-solutions/data-platform-foundations/README.md @@ -23,7 +23,7 @@ The approach adapts to different high-level requirements: - least privilege principle - rely on service account impersonation -The code in this blueprint doesn't address Organization-level configurations (Organization policy, VPC-SC, centralized logs). We expect those elements to be managed by automation stages external to this script like those in [FAST](../../../fast) and this blueprint deployed on top of them as one of the [stages](../../../fast/stages/3-data-platform/dev/README.md). +The code in this blueprint doesn't address Organization-level configurations (Organization policy, VPC-SC, centralized logs). We expect those elements to be managed by automation stages external to this script like those in [FAST](../../../fast). ### Project structure diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md index 1f6e73968c..ab0f0880c8 100644 --- a/blueprints/data-solutions/data-platform-minimal/README.md 
+++ b/blueprints/data-solutions/data-platform-minimal/README.md @@ -49,7 +49,7 @@ The approach adapts to different high-level requirements: - least privilege principle - rely on service account impersonation -The code in this blueprint doesn't address Organization-level configurations (Organization policy, VPC-SC, centralized logs). We expect those elements to be managed by automation stages external to this script like those in [FAST](../../../fast) and this blueprint deployed on top of them as one of the [stages](../../../fast/stages/3-data-platform/dev/README.md). +The code in this blueprint doesn't address Organization-level configurations (Organization policy, VPC-SC, centralized logs). We expect those elements to be managed by automation stages external to this script like those in [FAST](../../../fast). ## Project structure diff --git a/fast/stages/README.md b/fast/stages/README.md index 91fce268ec..6a30dcb017 100644 --- a/fast/stages/README.md +++ b/fast/stages/README.md @@ -48,6 +48,5 @@ Implemented as an [add-on stage 1](./1-tenant-factory/), with optional FAST comp ## Environment-level resources (3) -- [Data Platform](3-data-platform/dev/) - [GKE Multitenant](3-gke-dev/) - [Google Cloud VMware Engine](3-gcve-dev/) diff --git a/tests/fast/stages/s3_data_platform/simple.tfvars b/tests/fast/stages/s3_data_platform/simple.tfvars deleted file mode 100644 index 2ec41d37ad..0000000000 --- a/tests/fast/stages/s3_data_platform/simple.tfvars +++ /dev/null 
@@ -1,25 +0,0 @@
-automation = {
- outputs_bucket = "test"
-}
-billing_account = {
- id = "012345-67890A-BCDEF0",
-}
-folder_ids = {
- data-platform-dev = "folders/12345678"
-}
-host_project_ids = {
- dev-spoke-0 = "fast-dev-net-spoke-0"
-}
-organization = {
- domain = "fast.example.com"
- id = 123456789012
- customer_id = "C00000000"
-}
-prefix = "fast"
-subnet_self_links = {
- dev-spoke-0 = {
- "europe-west1/dev-dataplatform-ew1" : "https://www.googleapis.com/compute/v1/projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-dataplatform-ew1",
- "europe-west1/dev-default-ew1" : "https://www.googleapis.com/compute/v1/projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1"
- }
-}
-vpc_self_links = { dev-spoke-0 = "https://www.googleapis.com/compute/v1/projects/fast-dev-net-spoke-0/global/networks/dev-spoke-0" }
diff --git a/tests/fast/stages/s3_data_platform/simple.yaml b/tests/fast/stages/s3_data_platform/simple.yaml
deleted file mode 100644
index 4195230818..0000000000
--- a/tests/fast/stages/s3_data_platform/simple.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-counts:
- google_artifact_registry_repository: 1
- google_bigquery_dataset: 4
- google_bigquery_default_service_account: 7
- google_composer_environment: 1
- google_compute_shared_vpc_service_project: 3
- google_data_catalog_policy_tag: 3
- google_data_catalog_taxonomy: 1
- google_project: 9
- google_project_iam_binding: 61
- google_project_iam_member: 52
- google_project_service: 114
- google_project_service_identity: 33
- google_pubsub_topic: 1
- google_service_account: 8
- google_service_account_iam_binding: 13
- google_storage_bucket: 9
- google_storage_bucket_object: 1
- google_storage_project_service_account: 7
- modules: 34
- resources: 328
diff --git a/tests/fast/stages/s3_data_platform/tftest.yaml b/tests/fast/stages/s3_data_platform/tftest.yaml
deleted file mode 100644
index 245b313e01..0000000000
--- a/tests/fast/stages/s3_data_platform/tftest.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module: fast/stages/3-data-platform/dev/
-
-tests:
- simple:
From 6edbbf652b228a951bd6b22ccf0d7506c4c53562 Mon Sep 17 00:00:00 2001
From: Ludo
Date: Tue, 29 Oct 2024 19:27:43 +0100
Subject: [PATCH 83/94] fix merge
---
tests/fast/stages/s2_networking_a_simple/ncc.yaml | 2 +-
tests/fast/stages/s2_networking_a_simple/simple.yaml | 2 +-
tests/fast/stages/s2_networking_a_simple/vpn.yaml | 6 +-----
tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml | 6 +-----
tests/fast/stages/s2_networking_b_nva/regional.yaml | 6 +-----
tests/fast/stages/s2_networking_b_nva/simple.yaml | 6 +-----
tests/fast/stages/s2_networking_c_separate_envs/simple.yaml | 6 +-----
7 files changed, 7 insertions(+), 27 deletions(-)
diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.yaml b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
index b45320d4ee..65630a089d 100644
--- a/tests/fast/stages/s2_networking_a_simple/ncc.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
@@ -43,4 +43,4 @@ counts:
 google_tags_tag_binding: 3
 google_vpc_access_connector: 2
 modules: 24
- resources: 179
+ resources: 180
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml
index 827d2cf6cc..afd24899e3 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -48,4 +48,4 @@ counts:
 google_vpc_access_connector: 2
 modules: 29
 random_id: 1
- resources: 196
+ resources: 197
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
index b334f7d963..869cd3b8f5 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -46,8 +46,4 @@ counts:
 google_vpc_access_connector: 2
 modules: 31
 random_id: 5
-<<<<<<< HEAD
- resources: 231
-=======
- resources: 223
->>>>>>> origin/master
+ resources: 232
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
index 9c79dca2c4..182338498a 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -51,8 +51,4 @@ counts:
 google_vpc_access_connector: 2
 modules: 39
 random_id: 2
-<<<<<<< HEAD
- resources: 256
-=======
- resources: 254
->>>>>>> origin/master
+ resources: 257
diff --git a/tests/fast/stages/s2_networking_b_nva/regional.yaml b/tests/fast/stages/s2_networking_b_nva/regional.yaml
index dba7787547..61d3d53cd3 100644
--- a/tests/fast/stages/s2_networking_b_nva/regional.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml
@@ -53,8 +53,4 @@ counts:
 google_vpc_access_connector: 2
 modules: 47
 random_id: 2
-<<<<<<< HEAD
- resources: 264
-=======
- resources: 259
->>>>>>> origin/master
+ resources: 265
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml
index 0f2e010ed5..d8f362d8b8 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -53,8 +53,4 @@ counts:
 google_vpc_access_connector: 2
 modules: 43
 random_id: 2
-<<<<<<< HEAD
- resources: 242
-=======
- resources: 237
->>>>>>> origin/master
+ resources: 243
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml index 03ab05f0ad..65cd1d33f6 100644 --- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml +++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml @@ -46,8 +46,4 @@ counts: google_vpc_access_connector: 2 modules: 22 random_id: 2 -<<<<<<< HEAD - resources: 209 -======= - resources: 206 ->>>>>>> origin/master + resources: 211 From 7fdc4c3f2a1287c84ab6420262a544e0cf68b66a Mon Sep 17 00:00:00 2001 From: Ludo Date: Tue, 29 Oct 2024 19:36:24 +0100 Subject: [PATCH 84/94] fix resman inventory --- tests/fast/stages/s1_resman/simple.yaml | 680 ++++++++++++++---------- 1 file changed, 400 insertions(+), 280 deletions(-) diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 5824077ab1..167451d889 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml @@ -1,17 +1,3 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - values: module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: condition: [] 
@@ -137,12 +123,14 @@ values: module.net-folder-dev[0].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null timeouts: null module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder-prod[0].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null timeouts: null module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: timeouts: null @@ -150,6 +138,7 @@ values: deletion_protection: false display_name: Networking parent: organizations/123456789012 + tags: null timeouts: null ? module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] : condition: [] 
@@ -226,6 +215,42 @@ values: members: - serviceAccount:fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/viewer + module.net-folder[0].google_folder_iam_binding.bindings["organizations/123456789012/roles/gcveNetworkAdmin:development"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'development'\n\ + )\n" + title: stage 3 development + members: + - serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/gcveNetworkAdmin + module.net-folder[0].google_folder_iam_binding.bindings["organizations/123456789012/roles/gcveNetworkAdmin:production"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'production'\n\ + )\n" + title: stage 3 production + members: + - serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/gcveNetworkAdmin + module.net-folder[0].google_folder_iam_binding.bindings["organizations/123456789012/roles/gcveNetworkViewer:development"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'development'\n\ + )\n" + title: stage 3 development + members: + - serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/gcveNetworkViewer + module.net-folder[0].google_folder_iam_binding.bindings["organizations/123456789012/roles/gcveNetworkViewer:production"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'production'\n\ + )\n" + title: stage 3 production + members: + - serviceAccount:fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/gcveNetworkViewer module.net-folder[0].google_folder_iam_binding.bindings["pf_delegated_grant"]: condition: - description: 
Project factory delegated grant. @@ -235,6 +260,42 @@ values: members: - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectIamAdmin + module.net-folder[0].google_folder_iam_binding.bindings["roles/dns.admin:development"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'development'\n\ + )\n" + title: stage 3 development + members: + - serviceAccount:fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/dns.admin + module.net-folder[0].google_folder_iam_binding.bindings["roles/dns.admin:production"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'production'\n\ + )\n" + title: stage 3 production + members: + - serviceAccount:fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com + role: roles/dns.admin + module.net-folder[0].google_folder_iam_binding.bindings["roles/dns.reader:development"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'development'\n\ + )\n" + title: stage 3 development + members: + - serviceAccount:fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/dns.reader + module.net-folder[0].google_folder_iam_binding.bindings["roles/dns.reader:production"]: + condition: + - description: null + expression: "resource.matchTag(\n '123456789012/environment',\n 'production'\n\ + )\n" + title: stage 3 production + members: + - serviceAccount:fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/dns.reader module.net-folder[0].google_tags_tag_binding.binding["context"]: timeouts: null ? module.net-sa-ro[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] 
@@ -279,16 +340,6 @@ values: bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - module.organization[0].google_organization_iam_member.bindings["data-platform-dev"]: - condition: [] - member: serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user - module.organization[0].google_organization_iam_member.bindings["data-platform-prod"]: - condition: [] - member: serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["gcve-dev"]: condition: [] member: serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com @@ -334,6 +385,11 @@ values: member: serviceAccount:fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/compute.xpnAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: condition: - description: Org policy tag scoped grant for project factory. 
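Review bot: `sa_pf_billing` gives the project factory service account `roles/billing.user` on the whole organization with `condition: []`, and the next hunk adds `sa_pf_costs_manager` (`roles/billing.costsManager`) and `sa_sec_billing` the same way, while the same account's `roles/orgpolicy.policyAdmin` grant just below is tag-scoped. An organization-level `roles/billing.user` applies to every billing account under the organization, not only the one these stages use. If the wider scope is intended, say so where the bindings are declared, for example `# billing roles are set on the organization only when the billing account belongs to it`, and otherwise bind the roles on the billing account itself. The declaring Terraform is outside this hunk, so this is inferred from the expected plan alone.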
@@ -344,11 +400,21 @@ values: member: serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.costsManager module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: condition: [] member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com org_id: '123456789012' role: roles/cloudasset.viewer + module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user module.organization[0].google_tags_tag_key.default["context"]: description: Resource management context. parent: organizations/123456789012 @@ -557,6 +623,7 @@ values: deletion_protection: false display_name: Security parent: organizations/123456789012 + tags: null timeouts: null module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] 
@@ -665,80 +732,6 @@ values: bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - module.stage3-bucket["data-platform-dev"].google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - effective_labels: - goog-terraform-provisioned: 'true' - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-dev-resman-dp-0 - project: fast2-prod-automation - requester_pays: null - retention_policy: [] - storage_class: MULTI_REGIONAL - terraform_labels: - goog-terraform-provisioned: 'true' - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-dev-resman-dp-0 - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.stage3-bucket["data-platform-dev"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-dev-resman-dp-0 - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer - module.stage3-bucket["data-platform-prod"].google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - effective_labels: - goog-terraform-provisioned: 'true' - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast2-prod-resman-dp-0 - project: fast2-prod-automation - requester_pays: null - retention_policy: [] - storage_class: MULTI_REGIONAL - terraform_labels: - goog-terraform-provisioned: 'true' - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: 
true - module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast2-prod-resman-dp-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.stage3-bucket["data-platform-prod"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast2-prod-resman-dp-0 - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/storage.objectViewer module.stage3-bucket["gcve-dev"].google_storage_bucket.bucket: autoclass: [] cors: [] 
@@ -961,91 +954,10 @@ values: members: - serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - module.stage3-folder["data-platform-dev"].google_folder.folder[0]: - deletion_protection: false - display_name: Development - timeouts: null - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/compute.xpnAdmin - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/logging.admin - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/owner - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderViewer - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - serviceAccount:fast2-dev-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - module.stage3-folder["data-platform-dev"].google_folder_iam_binding.authoritative["roles/viewer"]: - condition: 
[] - members: - - serviceAccount:fast2-dev-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.stage3-folder["data-platform-dev"].google_tags_tag_binding.binding["environment"]: - timeouts: null - module.stage3-folder["data-platform-prod"].google_folder.folder[0]: - deletion_protection: false - display_name: Production - timeouts: null - module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/compute.xpnAdmin - module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/logging.admin - module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/owner - module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderAdmin - module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.folderViewer - module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0@fast2-prod-automation.iam.gserviceaccount.com - role: roles/resourcemanager.projectCreator - 
module.stage3-folder["data-platform-prod"].google_folder_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - serviceAccount:fast2-prod-resman-dp-0r@fast2-prod-automation.iam.gserviceaccount.com - role: roles/viewer - module.stage3-folder["data-platform-prod"].google_tags_tag_binding.binding["environment"]: - timeouts: null module.stage3-folder["gcve-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null timeouts: null module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1087,6 +999,7 @@ values: module.stage3-folder["gcve-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null timeouts: null module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1128,6 +1041,7 @@ values: module.stage3-folder["gke-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development + tags: null timeouts: null module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1169,6 +1083,7 @@ values: module.stage3-folder["gke-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production + tags: null timeouts: null module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] 
@@ -1207,46 +1122,6 @@ values: role: roles/viewer module.stage3-folder["gke-prod"].google_tags_tag_binding.binding["environment"]: timeouts: null - ? module.stage3-sa-ro["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast2-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.stage3-sa-ro["data-platform-dev"].google_service_account.service_account[0]: - account_id: fast2-dev-resman-dp-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman data-platform-dev service account (read-only). - project: fast2-prod-automation - timeouts: null - ? module.stage3-sa-ro["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] - : bucket: fast2-prod-iac-core-outputs - condition: [] - role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-ro["data-platform-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast2-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.stage3-sa-ro["data-platform-prod"].google_service_account.service_account[0]: - account_id: fast2-prod-resman-dp-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman data-platform-prod service account (read-only). - project: fast2-prod-automation - timeouts: null - ? 
module.stage3-sa-ro["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-ro["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-organizations/123456789012/roles/storageViewer"] - : bucket: fast2-prod-iac-core-outputs - condition: [] - role: organizations/123456789012/roles/storageViewer ? module.stage3-sa-ro["gcve-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast2-prod-automation 
@@ -1367,46 +1242,6 @@ values: : bucket: fast2-prod-iac-core-outputs condition: [] role: organizations/123456789012/roles/storageViewer - ? module.stage3-sa-rw["data-platform-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast2-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.stage3-sa-rw["data-platform-dev"].google_service_account.service_account[0]: - account_id: fast2-dev-resman-dp-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman data-platform-dev service account. - project: fast2-prod-automation - timeouts: null - ? module.stage3-sa-rw["data-platform-dev"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.stage3-sa-rw["data-platform-dev"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] - : bucket: fast2-prod-iac-core-outputs - condition: [] - role: roles/storage.objectAdmin - ? module.stage3-sa-rw["data-platform-prod"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] - : condition: [] - project: fast2-prod-automation - role: roles/serviceusage.serviceUsageConsumer - module.stage3-sa-rw["data-platform-prod"].google_service_account.service_account[0]: - account_id: fast2-prod-resman-dp-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform resman data-platform-prod service account. - project: fast2-prod-automation - timeouts: null - ? module.stage3-sa-rw["data-platform-prod"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? 
module.stage3-sa-rw["data-platform-prod"].google_storage_bucket_iam_member.bucket-roles["fast2-prod-iac-core-outputs-roles/storage.objectAdmin"] - : bucket: fast2-prod-iac-core-outputs - condition: [] - role: roles/storage.objectAdmin ? module.stage3-sa-rw["gcve-dev"].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] project: fast2-prod-automation @@ -1527,17 +1362,11 @@ values: : bucket: fast2-prod-iac-core-outputs condition: [] role: roles/storage.objectAdmin - module.top-level-folder["data-platform"].google_folder.folder[0]: - deletion_protection: false - display_name: Data Platform - parent: organizations/123456789012 - timeouts: null - module.top-level-folder["data-platform"].google_tags_tag_binding.binding["context"]: - timeouts: null module.top-level-folder["gcve"].google_folder.folder[0]: deletion_protection: false display_name: GCVE parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1545,6 +1374,7 @@ values: deletion_protection: false display_name: GKE parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1552,6 +1382,7 @@ values: deletion_protection: false display_name: Sandbox parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["sandbox"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1559,6 +1390,7 @@ values: deletion_protection: false display_name: Teams parent: organizations/123456789012 + tags: null timeouts: null ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] 
@@ -1575,6 +1407,11 @@ values: members: - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: 
@@ -1585,30 +1422,313 @@ values: members: - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com + role: roles/viewer module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]: timeouts: null module.top-level-folder["tenants"].google_folder.folder[0]: deletion_protection: false display_name: Tenants parent: organizations/123456789012 + tags: null timeouts: null module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]: timeouts: null counts: - google_folder: 16 - google_folder_iam_binding: 86 - google_organization_iam_member: 16 - google_project_iam_member: 26 - google_service_account: 26 - google_service_account_iam_binding: 26 - google_storage_bucket: 11 - google_storage_bucket_iam_binding: 22 - google_storage_bucket_iam_member: 26 - google_storage_bucket_object: 25 - google_tags_tag_binding: 16 + google_folder: 13 + google_folder_iam_binding: 72 + google_organization_iam_member: 14 + google_project_iam_member: 22 + google_service_account: 22 + google_service_account_iam_binding: 22 + google_storage_bucket: 9 + google_storage_bucket_iam_binding: 18 + google_storage_bucket_iam_member: 22 + google_storage_bucket_object: 21 + google_tags_tag_binding: 13 google_tags_tag_key: 2 google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 - modules: 54 - resources: 313 + modules: 45 + resources: 265 + +outputs: + cicd_repositories: + networking: + provider: 
projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno + repository: + branch: main + name: test/00-networking + parent_id: null + type: github + security: + provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno + repository: + branch: null + name: test/00-security + type: gitlab + folder_ids: __missing__ + providers: + 2-networking: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-net-0\"\n impersonate_service_account =\ + \ \"fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for networking\n" + 2-networking-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the\ + \ Apache License, Version 2.0 (the \"License\");\n * you may not use this file\ + \ except in compliance with the License.\n * You may obtain a copy of the License\ + \ at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless\ + \ required by applicable law or agreed to 
in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-net-0\"\n impersonate_service_account\ + \ = \"fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for networking\n" + 2-project-factory: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the\ + \ Apache License, Version 2.0 (the \"License\");\n * you may not use this file\ + \ except in compliance with the License.\n * You may obtain a copy of the License\ + \ at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless\ + \ required by applicable law or agreed to in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-resman-pf-0\"\n impersonate_service_account = \"\ + fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n}\n\ + provider \"google\" {\n impersonate_service_account = \"fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for networking\n" + 
2-project-factory-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ + \ file except in compliance with the License.\n * You may obtain a copy of the\ + \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ + \ Unless required by applicable law or agreed to in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-resman-pf-0\"\n impersonate_service_account = \"\ + fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n}\n\ + provider \"google\" {\n impersonate_service_account = \"fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for networking\n" + 2-security: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-sec-0\"\n impersonate_service_account =\ + \ 
\"fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for networking\n" + 2-security-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-sec-0\"\n impersonate_service_account =\ + \ \"fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for networking\n" + 3-gcve-dev: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ 
the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-dev-resman-gcve-0\"\n impersonate_service_account =\ + \ \"fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gcve-dev\n" + 3-gcve-dev-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-dev-resman-gcve-0\"\n impersonate_service_account =\ + \ \"fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gcve-dev\n" + 3-gcve-prod: "/**\n * Copyright 2022 
Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-gcve-0\"\n impersonate_service_account =\ + \ \"fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gcve-prod\n" + 3-gcve-prod-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-gcve-0\"\n impersonate_service_account =\ + \ 
\"fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gcve-prod\n" + 3-gke-dev: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-dev-resman-gke-0\"\n impersonate_service_account = \"\ + fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n\ + }\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gke-dev\n" + 3-gke-dev-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the 
License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-dev-resman-gke-0\"\n impersonate_service_account = \"\ + fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n\ + }\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gke-dev\n" + 3-gke-prod: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-gke-0\"\n impersonate_service_account =\ + \ \"fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gke-prod\n" + 3-gke-prod-r: "/**\n * Copyright 2022 Google LLC\n 
*\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-gke-0\"\n impersonate_service_account =\ + \ \"fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for gke-prod\n" + 3-project-factory-dev: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ + \ file except in compliance with the License.\n * You may obtain a copy of the\ + \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ + \ Unless required by applicable law or agreed to in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-dev-resman-pf-0\"\n impersonate_service_account\ + \ = \"fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ + 
\ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for project-factory-dev\n" + 3-project-factory-dev-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ + \ file except in compliance with the License.\n * You may obtain a copy of the\ + \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ + \ Unless required by applicable law or agreed to in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-dev-resman-pf-0\"\n impersonate_service_account\ + \ = \"fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for project-factory-dev\n" + 3-project-factory-prod: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ + \ file except in compliance with the License.\n * You may obtain a copy of the\ + \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ + \ Unless required by applicable law or agreed to in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" 
BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast2-prod-resman-pf-0\"\n impersonate_service_account\ + \ = \"fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for project-factory-prod\n" + 3-project-factory-prod-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed\ + \ under the Apache License, Version 2.0 (the \"License\");\n * you may not use\ + \ this file except in compliance with the License.\n * You may obtain a copy\ + \ of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n\ + \ *\n * Unless required by applicable law or agreed to in writing, software\n\ + \ * distributed under the License is distributed on an \"AS IS\" BASIS,\n *\ + \ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ * See the License for the specific language governing permissions and\n *\ + \ limitations under the License.\n */\n\nterraform {\n backend \"gcs\" {\n\ + \ bucket = \"fast2-prod-resman-pf-0\"\n impersonate_service_account\ + \ = \"fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for project-factory-prod\n" + tfvars: __missing__ + 
From 1031f5097c8602d1c96ad2cf4f3d174b7f43634a Mon Sep 17 00:00:00 2001 From: Ludo Date: Tue, 29 Oct 2024 20:45:51 +0100 Subject: [PATCH 85/94] boilerplate --- tests/fast/stages/s1_resman/simple.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 167451d889..11213a51f6 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml @@ -1,3 +1,17 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + values: module.cicd-sa-ro["networking"].google_project_iam_member.project-roles["fast2-prod-automation-roles/logging.logWriter"]: condition: [] From c9b8b2c2c88e9131cd0d3781b423faf6fb1773e9 Mon Sep 17 00:00:00 2001 From: Ludo Date: Tue, 29 Oct 2024 20:56:27 +0100 Subject: [PATCH 86/94] inventory --- tests/fast/stages/s1_resman/simple.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 11213a51f6..b51eb95977 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
@@ -137,14 +137,12 @@ values: module.net-folder-dev[0].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.net-folder-dev[0].google_tags_tag_binding.binding["environment"]: timeouts: null module.net-folder-prod[0].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.net-folder-prod[0].google_tags_tag_binding.binding["environment"]: timeouts: null @@ -152,7 +150,6 @@ values: deletion_protection: false display_name: Networking parent: organizations/123456789012 - tags: null timeouts: null ? module.net-folder[0].google_folder_iam_binding.authoritative["organizations/123456789012/roles/networkFirewallPoliciesAdmin"] : condition: [] @@ -637,7 +634,6 @@ values: deletion_protection: false display_name: Security parent: organizations/123456789012 - tags: null timeouts: null module.sec-folder[0].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: condition: [] @@ -971,7 +967,6 @@ values: module.stage3-folder["gcve-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.stage3-folder["gcve-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1013,7 +1008,6 @@ values: module.stage3-folder["gcve-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.stage3-folder["gcve-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1055,7 +1049,6 @@ values: module.stage3-folder["gke-dev"].google_folder.folder[0]: deletion_protection: false display_name: Development - tags: null timeouts: null module.stage3-folder["gke-dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] 
@@ -1097,7 +1090,6 @@ values: module.stage3-folder["gke-prod"].google_folder.folder[0]: deletion_protection: false display_name: Production - tags: null timeouts: null module.stage3-folder["gke-prod"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] @@ -1380,7 +1372,6 @@ values: deletion_protection: false display_name: GCVE parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["gcve"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1388,7 +1379,6 @@ values: deletion_protection: false display_name: GKE parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["gke"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1396,7 +1386,6 @@ values: deletion_protection: false display_name: Sandbox parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["sandbox"].google_tags_tag_binding.binding["context"]: timeouts: null @@ -1404,7 +1393,6 @@ values: deletion_protection: false display_name: Teams parent: organizations/123456789012 - tags: null timeouts: null ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] @@ -1452,7 +1440,6 @@ values: deletion_protection: false display_name: Tenants parent: organizations/123456789012 - tags: null timeouts: null module.top-level-folder["tenants"].google_tags_tag_binding.binding["context"]: timeouts: null From 00b00896e6585e8e4c674cd00eb1ad5092ba0984 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 09:47:20 +0100 Subject: [PATCH 87/94] add support for pathexpand to org policy factories --- modules/folder/organization-policies.tf | 5 +++-- modules/organization/organization-policies.tf | 5 +++-- modules/project/organization-policies.tf | 5 +++-- 3 files changed, 9 insertions(+), 6 deletions(-) 
diff --git a/modules/folder/organization-policies.tf b/modules/folder/organization-policies.tf index 840a941a5b..128fb67dd9 100644 --- a/modules/folder/organization-policies.tf +++ b/modules/folder/organization-policies.tf @@ -17,9 +17,10 @@ # tfdoc:file:description Folder-level organization policies. locals { + _factory_data_path = pathexpand(coalesce(var.factories_config.org_policies, "-")) _factory_data_raw = merge([ - for f in try(fileset(var.factories_config.org_policies, "*.yaml"), []) : - yamldecode(file("${var.factories_config.org_policies}/${f}")) + for f in try(fileset(local._factory_data_path, "*.yaml"), []) : + yamldecode(file("${local._factory_data_path}/${f}")) ]...) # simulate applying defaults to data coming from yaml files _factory_data = { diff --git a/modules/organization/organization-policies.tf b/modules/organization/organization-policies.tf index 55e3fc9953..53ae794a7f 100644 --- a/modules/organization/organization-policies.tf +++ b/modules/organization/organization-policies.tf @@ -17,9 +17,10 @@ # tfdoc:file:description Organization-level organization policies. locals { + _factory_data_path = pathexpand(coalesce(var.factories_config.org_policies, "-")) _factory_data_raw = merge([ - for f in try(fileset(var.factories_config.org_policies, "*.yaml"), []) : - yamldecode(file("${var.factories_config.org_policies}/${f}")) + for f in try(fileset(local._factory_data_path, "*.yaml"), []) : + yamldecode(file("${local._factory_data_path}/${f}")) ]...) # simulate applying defaults to data coming from yaml files _factory_data = { diff --git a/modules/project/organization-policies.tf b/modules/project/organization-policies.tf index ef6dfb8870..5c269af04c 100644 --- a/modules/project/organization-policies.tf +++ b/modules/project/organization-policies.tf 
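Review bot: The `"-"` fallback in `_factory_data_path = pathexpand(coalesce(var.factories_config.org_policies, "-"))` is a relative path, so when `org_policies` is null the following `fileset` looks for a directory literally named `-` under the working directory instead of being skipped; the same line is added in the `modules/organization` and `modules/project` hunks. Combined with the existing `try(fileset(...), [])`, a mistyped or unexpanded path presumably still yields an empty policy set with no error, which for organization policies means guardrails are silently not applied. I would keep null as null, `_factory_data_path = try(pathexpand(var.factories_config.org_policies), null)`, which should let the existing `try` fall back to `[]` without probing a sentinel directory. A comment such as `# null path: fileset() fails and try() yields no factory files` would make that intent explicit. The `locals` block continues outside the hunk.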
@@ -17,9 +17,10 @@ # tfdoc:file:description Project-level organization policies. locals { + _factory_data_path = pathexpand(coalesce(var.factories_config.org_policies, "-")) _factory_data_raw = merge([ - for f in try(fileset(var.factories_config.org_policies, "*.yaml"), []) : - yamldecode(file("${var.factories_config.org_policies}/${f}")) + for f in try(fileset(local._factory_data_path, "*.yaml"), []) : + yamldecode(file("${local._factory_data_path}/${f}")) ]...) # simulate applying defaults to data coming from yaml files _factory_data = { From ba0478f5ab1e0bb2c50341a3c3864018d3826186 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 09:47:41 +0100 Subject: [PATCH 88/94] remove stale moved file --- fast/stages/1-resman/_moved-v34.0.0.tf | 270 ------------------------- 1 file changed, 270 deletions(-) delete mode 100644 fast/stages/1-resman/_moved-v34.0.0.tf diff --git a/fast/stages/1-resman/_moved-v34.0.0.tf b/fast/stages/1-resman/_moved-v34.0.0.tf deleted file mode 100644 index 25d586367f..0000000000 --- a/fast/stages/1-resman/_moved-v34.0.0.tf +++ /dev/null 
@@ -1,270 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -# billing resources - -moved { - from = google_billing_account_iam_member.billing_ext_admin - to = google_billing_account_iam_member.default -} - -# stage 2 networking - -moved { - from = module.branch-network-folder - to = module.net-folder[0] -} -moved { - from = module.branch-network-prod-folder - to = module.net-folder-prod[0] -} -moved { - from = module.branch-network-dev-folder - to = module.net-folder-dev[0] -} -moved { - from = module.branch-network-sa - to = module.net-sa-rw[0] -} -moved { - from = module.branch-network-r-sa - to = module.net-sa-ro[0] -} -moved { - from = module.branch-network-gcs - to = module.net-bucket[0] -} -moved { - from = module.branch-network-sa-cicd["0"] - to = module.cicd-sa-rw["networking"] -} -moved { - from = module.branch-network-r-sa-cicd["0"] - to = module.cicd-sa-ro["networking"] -} - -# stage 2 security - -moved { - from = module.branch-security-folder - to = module.sec-folder[0] -} -moved { - from = module.branch-security-prod-folder - to = module.sec-folder-prod[0] -} -moved { - from = module.branch-security-dev-folder - to = module.sec-folder-dev[0] -} -moved { - from = module.branch-security-sa - to = module.sec-sa-rw[0] -} -moved { - from = module.branch-security-r-sa - to = module.sec-sa-ro[0] -} -moved { - from = module.branch-security-gcs - to = module.sec-bucket[0] -} -moved { - from = 
module.branch-security-sa-cicd["0"] - to = module.cicd-sa-rw["security"] -} -moved { - from = module.branch-security-r-sa-cicd["0"] - to = module.cicd-sa-ro["security"] -} - -# stage 2 project factory - -moved { - from = module.branch-pf-sa - to = module.pf-sa-rw[0] -} -moved { - from = module.branch-pf-r-sa - to = module.pf-sa-ro[0] -} -moved { - from = module.branch-pf-gcs - to = module.pf-bucket[0] -} -moved { - from = module.branch-pf-dev-sa - to = module.stage3-sa-rw["project-factory-dev"] -} -moved { - from = module.branch-pf-dev-r-sa - to = module.stage3-sa-ro["project-factory-dev"] -} -moved { - from = module.branch-pf-dev-gcs - to = module.stage3-bucket["project-factory-dev"] -} -moved { - from = module.branch-pf-prod-sa - to = module.stage3-sa-rw["project-factory-prod"] -} -moved { - from = module.branch-pf-prod-r-sa - to = module.stage3-sa-ro["project-factory-prod"] -} -moved { - from = module.branch-pf-prod-gcs - to = module.stage3-bucket["project-factory-prod"] -} - -# stage 3 gcve - -moved { - from = module.branch-gcve-folder[0] - to = module.top-level-folder["gcve"] -} - -moved { - from = module.branch-gcve-prod-folder[0] - to = module.stage3-folder["gcve-prod"] -} -moved { - from = module.branch-gcve-prod-sa[0] - to = module.stage3-sa-rw["gcve-prod"] -} -moved { - from = module.branch-gcve-prod-r-sa[0] - to = module.stage3-sa-ro["gcve-prod"] -} -moved { - from = module.branch-gcve-prod-gcs[0] - to = module.stage3-bucket["gcve-prod"] -} -moved { - from = module.branch-gcve-dev-folder[0] - to = module.stage3-folder["gcve-dev"] -} -moved { - from = module.branch-gcve-dev-sa[0] - to = module.stage3-sa-rw["gcve-dev"] -} -moved { - from = module.branch-gcve-dev-r-sa[0] - to = module.stage3-sa-ro["gcve-dev"] -} -moved { - from = module.branch-gcve-dev-gcs[0] - to = module.stage3-bucket["gcve-dev"] -} - -# stage 3 gke - -moved { - from = module.branch-gke-folder[0] - to = module.top-level-folder["gke"] -} - -moved { - from = module.branch-gke-prod-folder[0] 
- to = module.stage3-folder["gke-prod"] -} -moved { - from = module.branch-gke-prod-sa[0] - to = module.stage3-sa-rw["gke-prod"] -} -moved { - from = module.branch-gke-prod-r-sa[0] - to = module.stage3-sa-ro["gke-prod"] -} -moved { - from = module.branch-gke-prod-gcs[0] - to = module.stage3-bucket["gke-prod"] -} -moved { - from = module.branch-gke-dev-folder[0] - to = module.stage3-folder["gke-dev"] -} -moved { - from = module.branch-gke-dev-sa[0] - to = module.stage3-sa-rw["gke-dev"] -} -moved { - from = module.branch-gke-dev-r-sa[0] - to = module.stage3-sa-ro["gke-dev"] -} -moved { - from = module.branch-gke-dev-gcs[0] - to = module.stage3-bucket["gke-dev"] -} - -# stage 3 data platform - -moved { - from = module.branch-dp-folder[0] - to = module.top-level-folder["data-platform"] -} - -moved { - from = module.branch-dp-prod-folder[0] - to = module.stage3-folder["data-platform-prod"] -} -moved { - from = module.branch-dp-prod-sa[0] - to = module.stage3-sa-rw["data-platform-prod"] -} -moved { - from = module.branch-dp-prod-r-sa[0] - to = module.stage3-sa-ro["data-platform-prod"] -} -moved { - from = module.branch-dp-prod-gcs[0] - to = module.stage3-bucket["data-platform-prod"] -} -moved { - from = module.branch-dp-dev-folder[0] - to = module.stage3-folder["data-platform-dev"] -} -moved { - from = module.branch-dp-dev-sa[0] - to = module.stage3-sa-rw["data-platform-dev"] -} -moved { - from = module.branch-dp-dev-r-sa[0] - to = module.stage3-sa-ro["data-platform-dev"] -} -moved { - from = module.branch-dp-dev-gcs[0] - to = module.stage3-bucket["data-platform-dev"] -} - -# stage 3 sandbox - -moved { - from = module.branch-sandbox-folder[0] - to = module.stage3-folder["sandbox"] -} -moved { - from = module.branch-sandbox-sa[0] - to = module.stage3-sa-rw["sandbox"] -} -moved { - from = module.branch-sandbox-r-sa[0] - to = module.stage3-sa-ro["sandbox"] -} -moved { - from = module.branch-sandbox-gcs[0] - to = module.stage3-bucket["sandbox"] -} 
From 0ad2c324540c94ade972219e31f0156f9cb2495b Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 09:48:41 +0100 Subject: [PATCH 89/94] start working on moved file for resman and stages upgrade notes --- fast/stages/1-resman/moved/moved-v36.0.0.tf | 93 +++++++++++++++++++++ fast/stages/UPGRADING.md | 30 +++++++ 2 files changed, 123 insertions(+) create mode 100644 fast/stages/1-resman/moved/moved-v36.0.0.tf create mode 100644 fast/stages/UPGRADING.md diff --git a/fast/stages/1-resman/moved/moved-v36.0.0.tf b/fast/stages/1-resman/moved/moved-v36.0.0.tf new file mode 100644 index 0000000000..2ce2c8def5 --- /dev/null +++ b/fast/stages/1-resman/moved/moved-v36.0.0.tf 
@@ -0,0 +1,93 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# stage 3 gke + +moved { + from = module.branch-gke-folder[0] + to = module.top-level-folder["gke"] +} +moved { + from = module.branch-gke-dev-folder[0] + to = module.stage3-folder["gke-dev"] +} +moved { + from = module.branch-gke-prod-folder[0] + to = module.stage3-folder["gke-prod"] +} +moved { + from = module.branch-gke-dev-gcs[0] + to = module.stage3-bucket["gke-dev"] +} +moved { + from = module.branch-gke-prod-gcs[0] + to = module.stage3-bucket["gke-prod"] +} +moved { + from = module.branch-gke-dev-sa[0] + to = module.stage3-sa-rw["gke-dev"] +} +moved { + from = module.branch-gke-prod-sa[0] + to = module.stage3-sa-rw["gke-prod"] +} +moved { + from = module.branch-gke-dev-r-sa[0] + to = module.stage3-sa-ro["gke-dev"] +} +moved { + from = module.branch-gke-prod-r-sa[0] + to = module.stage3-sa-ro["gke-prod"] +} + +# stage 3 gcve + +moved { + from = module.branch-gcve-folder[0] + to = module.top-level-folder["gcve"] +} +moved { + from = module.branch-gcve-dev-folder[0] + to = module.stage3-folder["gcve-dev"] +} +moved { + from = module.branch-gcve-prod-folder[0] + to = module.stage3-folder["gcve-prod"] +} +moved { + from = module.branch-gcve-dev-gcs[0] + to = module.stage3-bucket["gcve-dev"] +} +moved { + from = module.branch-gcve-prod-gcs[0] + to = module.stage3-bucket["gcve-prod"] +} +moved { + from = module.branch-gcve-dev-sa[0] + to = 
module.stage3-sa-rw["gcve-dev"] +} +moved { + from = module.branch-gcve-prod-sa[0] + to = module.stage3-sa-rw["gcve-prod"] +} +moved { + from = module.branch-gcve-dev-r-sa[0] + to = module.stage3-sa-ro["gcve-dev"] +} +moved { + from = module.branch-gcve-prod-r-sa[0] + to = module.stage3-sa-ro["gcve-prod"] +} diff --git a/fast/stages/UPGRADING.md b/fast/stages/UPGRADING.md new file mode 100644 index 0000000000..603fb530e8 --- /dev/null +++ b/fast/stages/UPGRADING.md @@ -0,0 +1,30 @@ +# FAST release upgrading notes + +Only changes impacting Terraform variables or actual resources are noted here. + + + + +## v35.1.0 to v36.0.0 + +### Bootstrap stage + +**Breaking changes:** + +- the `factories_config.org_policy` variable attribute has been renamed to `factories_config.org_policies` + +**Non-breaking changes:** + +- two new custom roles have been added: `gcveNetworkViewer` and `projectIAMViewer` +- organization policies for the IaC project have been moved to a factory, default policies are in `data/org-policies-iac` + +### Resource Management stage + +**Breaking changes:** + +- the "Data Platform" stage 3 has been removed in preparation of a completely revised state, any associated resource (service accounts, folders, buckets, etc.) will be destroyed +- billing IAM roles will be destroyed and recreated as they are now driven by a loop and their names have changed + +**Non-breaking changes:** + +- GCS and local output files will be recreated From 5111b0c4187223fdf8736f0fc1aea22712d1f253 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Thu, 31 Oct 2024 16:07:40 +0100 Subject: [PATCH 90/94] resman fixes and moved blocks, upgrading notes --- .../data/top-level-folders/sandbox.yaml | 1 + fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf | 8 -- .../{moved-v36.0.0.tf => v35.1.0-v36.0.0.tf} | 121 ++++++++++++++++++ fast/stages/1-resman/top-level-folders.tf | 5 +- fast/stages/UPGRADING.md | 41 +++++- 5 files changed, 164 insertions(+), 12 deletions(-) rename fast/stages/1-resman/moved/{moved-v36.0.0.tf => v35.1.0-v36.0.0.tf} (50%) diff --git a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml index 43c8c8f5f0..a45f81bd36 100644 --- a/fast/stages/1-resman/data/top-level-folders/sandbox.yaml +++ b/fast/stages/1-resman/data/top-level-folders/sandbox.yaml @@ -16,4 +16,5 @@ name: Sandbox automation: + enable: true short_name: sbx diff --git a/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf b/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf index b207830302..9b13d9e598 100644 --- a/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf +++ b/fast/stages/1-resman/moved/v33.0.0-v34.0.0.tf @@ -18,42 +18,34 @@ moved { from = module.branch-pf-sa[0] to = module.branch-pf-sa } - moved { from = module.branch-pf-dev-sa[0] to = module.branch-pf-dev-sa } - moved { from = module.branch-pf-prod-sa[0] to = module.branch-pf-prod-sa } - moved { from = module.branch-pf-r-sa[0] to = module.branch-pf-r-sa } - moved { from = module.branch-pf-dev-r-sa[0] to = module.branch-pf-dev-r-sa } - moved { from = module.branch-pf-prod-r-sa[0] to = module.branch-pf-prod-r-sa } - moved { from = module.branch-pf-gcs[0] to = module.branch-pf-gcs } - moved { from = module.branch-pf-dev-gcs[0] to = module.branch-pf-dev-gcs } - moved { from = module.branch-pf-prod-gcs[0] to = module.branch-pf-prod-gcs 
diff --git a/fast/stages/1-resman/moved/moved-v36.0.0.tf b/fast/stages/1-resman/moved/v35.1.0-v36.0.0.tf similarity index 50% rename from fast/stages/1-resman/moved/moved-v36.0.0.tf rename to fast/stages/1-resman/moved/v35.1.0-v36.0.0.tf index 2ce2c8def5..56bdf93230 100644 --- a/fast/stages/1-resman/moved/moved-v36.0.0.tf +++ b/fast/stages/1-resman/moved/v35.1.0-v36.0.0.tf 
@@ -14,6 +14,127 @@ * limitations under the License. */ +# stage 2 networking + +moved { + from = module.branch-network-folder + to = module.net-folder[0] +} +moved { + from = module.branch-network-dev-folder + to = module.net-folder-dev[0] +} +moved { + from = module.branch-network-prod-folder + to = module.net-folder-prod[0] +} +moved { + from = module.branch-network-gcs + to = module.net-bucket[0] +} +moved { + from = module.branch-network-sa + to = module.net-sa-ro[0] +} +moved { + from = module.branch-network-r-sa + to = module.net-sa-rw[0] +} + +# stage 2 network security + +moved { + from = module.branch-nsec-gcs[0] + to = module.nsec-bucket[0] +} +moved { + from = module.branch-nsec-sa[0] + to = module.nsec-sa-rw[0] +} +moved { + from = module.branch-nsec-r-sa[0] + to = module.nsec-sa-ro[0] +} + +# stage 2 project factory + +moved { + from = module.branch-pf-gcs + to = module.pf-bucket[0] +} +moved { + from = module.branch-pf-sa + to = module.pf-sa-rw[0] +} +moved { + from = module.branch-pf-r-sa + to = module.pf-sa-ro[0] +} + +# stage 2 security + +moved { + from = module.branch-security-folder + to = module.sec-folder[0] +} +moved { + from = module.branch-security-gcs + to = module.sec-bucket[0] +} +moved { + from = module.branch-security-sa + to = module.sec-sa-ro[0] +} +moved { + from = module.branch-security-r-sa + to = module.sec-sa-rw[0] +} + +# project factory dev + +moved { + from = module.branch-pf-dev-gcs + to = module.stage3-bucket["project-factory-dev"] +} +moved { + from = module.branch-pf-dev-sa + to = module.stage3-sa-rw["project-factory-dev"] +} +moved { + from = module.branch-pf-dev-r-sa + to = module.stage3-sa-ro["project-factory-dev"] +} + +# project factory prod + +moved { + from = module.branch-pf-prod-gcs + to = module.stage3-bucket["project-factory-prod"] +} +moved { + from = module.branch-pf-prod-sa + to = module.stage3-sa-rw["project-factory-prod"] +} +moved { + from = module.branch-pf-prod-r-sa + to = 
module.stage3-sa-ro["project-factory-prod"] +} + +# sandbox + +moved { + from = module.branch-sandbox-folder[0] + to = module.top-level-folder["sandbox"] +} +moved { + from = module.branch-sandbox-gcs[0] + to = module.top-level-bucket["sandbox"] +} +moved { + from = module.branch-sandbox-sa[0] + to = module.top-level-sa["sandbox"] +} + # stage 3 gke moved { diff --git a/fast/stages/1-resman/top-level-folders.tf b/fast/stages/1-resman/top-level-folders.tf index 1eb88789c7..edb467f1d8 100644 --- a/fast/stages/1-resman/top-level-folders.tf +++ b/fast/stages/1-resman/top-level-folders.tf @@ -32,7 +32,8 @@ locals { # extract automation configurations for folders that define them top_level_automation = { for k, v in local.top_level_folders : - k => v.automation if try(v.automation.enable, null) == true + k => merge({ sa_impersonation_principals = [] }, v.automation) + if try(v.automation.enable, null) == true } # merge top folders from factory and variable data top_level_folders = merge( @@ -120,7 +121,7 @@ module "top-level-sa" { name = "prod-resman-${coalesce(each.value.short_name, each.key)}-0" display_name = "Terraform resman ${each.key} folder service account." prefix = var.prefix - iam = { + iam = each.value.sa_impersonation_principals == null ? {} : { "roles/iam.serviceAccountTokenCreator" = each.value.sa_impersonation_principals } iam_project_roles = { diff --git a/fast/stages/UPGRADING.md b/fast/stages/UPGRADING.md index 603fb530e8..6f79d68688 100644 --- a/fast/stages/UPGRADING.md +++ b/fast/stages/UPGRADING.md 
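Review bot: The networking and security service-account moves look inverted: `module.branch-network-sa` is moved to `module.net-sa-ro[0]` and `module.branch-network-r-sa` to `module.net-sa-rw[0]`, and `branch-security-sa` / `branch-security-r-sa` follow the same pattern. Every other pair in this file maps `-sa` to the `-rw` address and `-r-sa` to the `-ro` address (nsec, pf, stage 3), as did the `_moved-v34.0.0.tf` file deleted earlier in the series. As written, the state of each read-write identity lands on the read-only address and vice versa, so the plan would presumably replace the accounts rather than preserve them, and anyone reviewing the plan has to untangle which identity holds which privileges. The fix is `to = module.net-sa-rw[0]` for `branch-network-sa` and `to = module.net-sa-ro[0]` for `branch-network-r-sa`, and likewise `module.sec-sa-rw[0]` / `module.sec-sa-ro[0]` for the security pair.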
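Review bot: `sa_impersonation_principals` now has two different "empty" shapes. An automation block that omits the key gets `[]` from the `merge` default and still produces a `roles/iam.serviceAccountTokenCreator` entry with no members in `module "top-level-sa"`, while an explicit null skips the `iam` map entirely. Because this role decides who may impersonate the folder's automation service account, I would state the intended difference next to the `iam` argument, for example `# null: no token-creator binding managed here; []: binding managed with no members`, or normalise both cases to one behaviour in `top_level_automation`. Both the `locals` block and the module block extend beyond their hunks.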
@@ -1,6 +1,12 @@ # FAST release upgrading notes -Only changes impacting Terraform variables or actual resources are noted here. +This file only mentions changes that require changes to Terraform variables, or replace existing resources. "Soft" additions like new features or optional attributes are non-breaking and not considered here. + +We do an effort at covering most stages, but don't typically cover multitenant and stage 3s as there's too much variance in use cases and potential configurations. + +As usual, consider this a guideline with no guarantees. Migrations between FAST releases are actively doscouraged for production, and mostly make sense only when developing or testing new features. + + 
@@ -17,14 +23,45 @@ Only changes impacting Terraform variables or actual resources are noted here. - two new custom roles have been added: `gcveNetworkViewer` and `projectIAMViewer` - organization policies for the IaC project have been moved to a factory, default policies are in `data/org-policies-iac` +- new `compute.setNewProjectDefaultToZonalDNSOnly` organization policy constraint has been added to mirror default configuration on new organizations ### Resource Management stage +The [file containing moved blocks](./1-resman/moved/v35.1.0-v36.0.0.tf) for this release can be used to preserve most of the important resources which changed from the previous release. Just link it in the stage and plan/apply to see the remaining changes. + +The moved blocks are not exhaustive and do not include resources that can be dropped and recreated with limited impact like IAM and tag bindings. As usual, proceed with care as we provide no guarantee, just a starting point. + +Given the amount of resource changes at the IAM level, we suggest applying twice in a row to make sure there are no inconsistencies left in IAM policies. + **Breaking changes:** +- variables controlling stage 2s and 3s have changed and are now explicit, check their configuration to make sure it matches your current layout + - the `fast_features` variable has been removed + - the `fast_stage_2` and `fast_stage_2` variables control now control stage activation and configuration +- a new factory has been added for stage 3s, with an initial default configuration that matches enabling everything in the old fast features variable - the "Data Platform" stage 3 has been removed in preparation of a completely revised state, any associated resource (service accounts, folders, buckets, etc.) 
will be destroyed -- billing IAM roles will be destroyed and recreated as they are now driven by a loop and their names have changed +- billing IAM bindings will be destroyed and recreated as they are now driven by a loop and their names have changed +- GCVE network IAM bindings will be destroyed and recreated as they are now segregated by environment **Non-breaking changes:** - GCS and local output files will be recreated + +## v34.0.0 to v35.1.0 + +### Bootstrap stage + +**Non-breaking changes:** + +- new `essentialcontacts.allowedContactDomains` organization policy constraint and `org-policies/allowed-essential-contacts-domains-all` tag; if the policy already exists in your organization, import it via state or delete it using `gcloud org-policy delete essentialcontacts.allowedContactDomains --organization ORGANIZATION_ID` + +### Resource management stage + +**Non-breaking changes:** + +- output files update +- resource attribute updates following provider version change + +### Networking + +- additional DNS response policy for the `gke.goog` domain From 6eb760360f99b4d31cb6aaed60bab8a6d5c65ba6 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 16:15:24 +0100 Subject: [PATCH 91/94] allow tfdoc to manage toc in individual files, add toc to upgrading notes --- fast/stages/UPGRADING.md | 17 +++++++++++++++++ tools/tfdoc.py | 5 ++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/fast/stages/UPGRADING.md b/fast/stages/UPGRADING.md index 6f79d68688..7d3aabdb0a 100644 --- a/fast/stages/UPGRADING.md +++ b/fast/stages/UPGRADING.md 
@@ -9,6 +9,15 @@ As usual, consider this a guideline with no guarantees. Migrations between FAST +- [v35.1.0 to v36.0.0](#v3510-to-v3600) + - [Bootstrap stage](#bootstrap-stage) + - [Resource Management stage](#resource-management-stage) + - [Networking stages](#networking-stages) + - [Security stage](#security-stage) +- [v34.0.0 to v35.1.0](#v3400-to-v3510) + - [Bootstrap stage](#bootstrap-stage) + - [Resource management stage](#resource-management-stage) + - [Networking](#networking) ## v35.1.0 to v36.0.0 @@ -47,6 +56,14 @@ Given the amount of resource changes at the IAM level, we suggest applying twice - GCS and local output files will be recreated +### Networking stages + +IAM bindings for stage 3 service accounts change and will be dropped and recreated. + +### Security stage + +IAM bindings for stage 3 service accounts change and will be dropped and recreated. + ## v34.0.0 to v35.1.0 ### Bootstrap stage diff --git a/tools/tfdoc.py b/tools/tfdoc.py index 30c972aa87..04e7db91d8 100755 --- a/tools/tfdoc.py +++ b/tools/tfdoc.py @@ -515,7 +515,10 @@ def render_toc(readme, toc): def main(module_path=None, exclude_file=None, files=False, replace=True, show_extra=True, toc_only=False): 'Program entry point.' - readme_path = os.path.join(module_path, 'README.md') + if toc_only and module_path.endswith('.md'): + readme_path = module_path + else: + readme_path = os.path.join(module_path, 'README.md') readme = get_readme(readme_path) if not toc_only: doc = create_tfref(module_path, files, show_extra, exclude_file, readme) From f92b0c4a15ec07b801dc1f8e7f183f27a3ea2bc1 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 16:28:50 +0100 Subject: [PATCH 92/94] tfdoc --- fast/stages/1-resman/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 51f6307a0c..c0a080b4cb 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
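Review bot: The new `.md` branch in `main` is taken only when `toc_only` is set, so a Markdown file path passed without it still goes through `os.path.join(module_path, 'README.md')` and the following calls receive a path below a file. An explicit guard before the `else` would make that failure clear, e.g. `elif module_path.endswith('.md'): raise SystemExit('a .md path is only supported together with toc_only')`. The docstring `'Program entry point.'` could also say that `module_path` may name a Markdown file in that mode. The rest of `main` lies outside the hunk.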
@@ -241,7 +241,6 @@ terraform apply | name | description | modules | resources | |---|---|---|---| -| [_moved-v34.0.0.tf](./_moved-v34.0.0.tf) | None | | | | [billing.tf](./billing.tf) | Billing resources for external billing use cases. | | google_billing_account_iam_member | | [iam.tf](./iam.tf) | Organization or root node-level IAM bindings. | | | | [main.tf](./main.tf) | Module-level locals and resources. | | | From c7f539955a12ba943b4c598e7befb94cac21a530 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 16:37:00 +0100 Subject: [PATCH 93/94] fix inventory --- fast/stages/UPGRADING.md | 2 + tests/fast/stages/s1_resman/simple.yaml | 290 +----------------------- 2 files changed, 11 insertions(+), 281 deletions(-) diff --git a/fast/stages/UPGRADING.md b/fast/stages/UPGRADING.md index 7d3aabdb0a..5a56c26891 100644 --- a/fast/stages/UPGRADING.md +++ b/fast/stages/UPGRADING.md @@ -36,6 +36,8 @@ As usual, consider this a guideline with no guarantees. Migrations between FAST ### Resource Management stage +The Resource Management stage has been largely refactored, adopting factories to simplify the creation of multiple environments and the creation and deployment of new "Stage 3" stages. Before upgrading it's highly recommended to familiarize yourself with the documentation, to assess whether your specific configurations need to be migrated to the new variables. + The [file containing moved blocks](./1-resman/moved/v35.1.0-v36.0.0.tf) for this release can be used to preserve most of the important resources which changed from the previous release. Just link it in the stage and plan/apply to see the remaining changes. The moved blocks are not exhaustive and do not include resources that can be dropped and recreated with limited impact like IAM and tag bindings. As usual, proceed with care as we provide no guarantee, just a starting point. 
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index b51eb95977..7535e164ae 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
@@ -1448,288 +1448,16 @@ counts: google_folder: 13 google_folder_iam_binding: 72 google_organization_iam_member: 14 - google_project_iam_member: 22 - google_service_account: 22 - google_service_account_iam_binding: 22 - google_storage_bucket: 9 - google_storage_bucket_iam_binding: 18 - google_storage_bucket_iam_member: 22 - google_storage_bucket_object: 21 + google_project_iam_member: 23 + google_service_account: 23 + google_service_account_iam_binding: 23 + google_storage_bucket: 10 + google_storage_bucket_iam_binding: 20 + google_storage_bucket_iam_member: 23 + google_storage_bucket_object: 22 google_tags_tag_binding: 13 google_tags_tag_key: 2 google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 - modules: 45 - resources: 265 - -outputs: - cicd_repositories: - networking: - provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-github-ludomagno - repository: - branch: main - name: test/00-networking - parent_id: null - type: github - security: - provider: projects/1234567890/locations/global/workloadIdentityPools/ldj-bootstrap/providers/ldj-bootstrap-gitlab-ludomagno - repository: - branch: null - name: test/00-security - type: gitlab - folder_ids: __missing__ - providers: - 2-networking: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = 
\"fast2-prod-resman-net-0\"\n impersonate_service_account =\ - \ \"fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-net-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for networking\n" - 2-networking-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the\ - \ Apache License, Version 2.0 (the \"License\");\n * you may not use this file\ - \ except in compliance with the License.\n * You may obtain a copy of the License\ - \ at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless\ - \ required by applicable law or agreed to in writing, software\n * distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ - \ for the specific language governing permissions and\n * limitations under\ - \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-net-0\"\n impersonate_service_account\ - \ = \"fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-net-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for networking\n" - 2-project-factory: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the\ - \ Apache License, Version 2.0 (the \"License\");\n * you may not use this file\ - \ except in compliance with the License.\n * You may obtain a copy of the License\ - \ at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless\ - \ required by 
applicable law or agreed to in writing, software\n * distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ - \ for the specific language governing permissions and\n * limitations under\ - \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-resman-pf-0\"\n impersonate_service_account = \"\ - fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n}\n\ - provider \"google\" {\n impersonate_service_account = \"fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for networking\n" - 2-project-factory-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ - \ file except in compliance with the License.\n * You may obtain a copy of the\ - \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ - \ Unless required by applicable law or agreed to in writing, software\n * distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ - \ for the specific language governing permissions and\n * limitations under\ - \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-resman-pf-0\"\n impersonate_service_account = \"\ - fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n}\n\ - provider \"google\" {\n impersonate_service_account = \"fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for networking\n" - 
2-security: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-sec-0\"\n impersonate_service_account =\ - \ \"fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for networking\n" - 2-security-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-sec-0\"\n impersonate_service_account =\ - \ 
\"fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for networking\n" - 3-gcve-dev: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-dev-resman-gcve-0\"\n impersonate_service_account =\ - \ \"fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gcve-dev\n" - 3-gcve-dev-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ 
the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-dev-resman-gcve-0\"\n impersonate_service_account =\ - \ \"fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gcve-dev\n" - 3-gcve-prod: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-gcve-0\"\n impersonate_service_account =\ - \ \"fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gcve-prod\n" - 3-gcve-prod-r: "/**\n * Copyright 2022 
Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-gcve-0\"\n impersonate_service_account =\ - \ \"fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gcve-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gcve-prod\n" - 3-gke-dev: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-dev-resman-gke-0\"\n impersonate_service_account = \"\ - 
fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n\ - }\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gke-dev\n" - 3-gke-dev-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-dev-resman-gke-0\"\n impersonate_service_account = \"\ - fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\n }\n\ - }\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gke-dev\n" - 3-gke-prod: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is 
distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-gke-0\"\n impersonate_service_account =\ - \ \"fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gke-prod\n" - 3-gke-prod-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-gke-0\"\n impersonate_service_account =\ - \ \"fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-gke-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for gke-prod\n" - 3-project-factory-dev: "/**\n * Copyright 2022 Google 
LLC\n *\n * Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ - \ file except in compliance with the License.\n * You may obtain a copy of the\ - \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ - \ Unless required by applicable law or agreed to in writing, software\n * distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ - \ for the specific language governing permissions and\n * limitations under\ - \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-dev-resman-pf-0\"\n impersonate_service_account\ - \ = \"fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for project-factory-dev\n" - 3-project-factory-dev-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ - \ file except in compliance with the License.\n * You may obtain a copy of the\ - \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ - \ Unless required by applicable law or agreed to in writing, software\n * distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ - \ for the specific language governing permissions and\n * limitations under\ - \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-dev-resman-pf-0\"\n impersonate_service_account\ - \ = 
\"fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-dev-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for project-factory-dev\n" - 3-project-factory-prod: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ - \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ - \ file except in compliance with the License.\n * You may obtain a copy of the\ - \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ - \ Unless required by applicable law or agreed to in writing, software\n * distributed\ - \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ - \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ - \ for the specific language governing permissions and\n * limitations under\ - \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast2-prod-resman-pf-0\"\n impersonate_service_account\ - \ = \"fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for project-factory-prod\n" - 3-project-factory-prod-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed\ - \ under the Apache License, Version 2.0 (the \"License\");\n * you may not use\ - \ this file except in compliance with the License.\n * You may obtain a copy\ - \ of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n\ - \ *\n * Unless required by applicable law or agreed to in writing, 
software\n\ - \ * distributed under the License is distributed on an \"AS IS\" BASIS,\n *\ - \ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ - \ * See the License for the specific language governing permissions and\n *\ - \ limitations under the License.\n */\n\nterraform {\n backend \"gcs\" {\n\ - \ bucket = \"fast2-prod-resman-pf-0\"\n impersonate_service_account\ - \ = \"fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for project-factory-prod\n" - tfvars: __missing__ - + modules: 47 + resources: 273 From 0e6e192c1f3702224e32a2b4d60ad83ec46ea064 Mon Sep 17 00:00:00 2001 From: Ludo Date: Thu, 31 Oct 2024 16:42:32 +0100 Subject: [PATCH 94/94] fix module tests --- .../modules/organization/test_plan_org_policies_modules.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py index b225ba1ec2..16e6822cda 100644 --- a/tests/modules/organization/test_plan_org_policies_modules.py +++ b/tests/modules/organization/test_plan_org_policies_modules.py @@ -34,7 +34,7 @@ def test_policy_implementation(): '@@ -17 +17 @@\n', '-# tfdoc:file:description Project-level organization policies.\n', '+# tfdoc:file:description Folder-level organization policies.\n', - '@@ -79,2 +79,2 @@\n', + '@@ -80,2 +80,2 @@\n', '- name = "projects/${local.project.project_id}/policies/${each.value}"\n', '- parent = "projects/${local.project.project_id}"\n', '+ name = "${local.folder_id}/policies/${each.value}"\n', 
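Review bot: Removing the whole `outputs:` section means this inventory no longer checks which service account each generated provider file impersonates; only the resource counts remain. The deleted entries pinned, for example, that `2-networking-r` used the account ending in `net-0r` and `2-networking` the one ending in `net-0`. A read-only/read-write mix-up in a refactor of this size would previously have failed this test and would now pass unnoticed. Consider keeping a reduced `outputs.providers` check for at least one read-write and one read-only stage rather than dropping output coverage altogether.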
@@ -49,12 +49,12 @@ def test_policy_implementation(): '@@ -17 +17 @@\n', '-# tfdoc:file:description Folder-level organization policies.\n', '+# tfdoc:file:description Organization-level organization policies.\n', - '@@ -79,2 +79,2 @@\n', + '@@ -80,2 +80,2 @@\n', '- name = "${local.folder_id}/policies/${each.value}"\n', '- parent = local.folder_id\n', '+ name = "${var.organization_id}/policies/${each.value}"\n', '+ parent = var.organization_id\n', - '@@ -155,0 +156,9 @@\n', + '@@ -156,0 +157,9 @@\n', '+ depends_on = [\n', '+ google_organization_iam_binding.authoritative,\n', '+ google_organization_iam_binding.bindings,\n',

    e7 zL-XtWO}@_$%I<;#R{{X`>*$xY20^#{m4(Z)csan=Il#*5-90{a0)^=R?Zbc97Th87 zXF4MA7;m)+5?x?m*GhlH)lnxKj#Y*39q}HxZ1h}@zP}N<+pond(`)+vfZnfCr>;bM zWo);(Y>l7aZqZt}^rThC7ne-?YxodRrZ|u~!=h(C*y+n0Ae9)y--zo1`{ydu)v%vjB^AY<)DWz|4$G9?=7VVdD?%z7vJHg5Zdmi zMu$Ni^U!(vsWRWUAD(>@L(VNuCVNJz1s-02D3&_^sXuW<}S&612nX^p| z%nXq1`DRfXn=h*OAC4(>Jrdsn)E^DYTmP)aXmQ(p;gy8>e(h*?xKNS6$m5MpO7*&O zuBHu0yPf>@G&$1;&D>A@jR{hspOo+4g5*GGi&LkZ5K=a;5DS(-lK`3#1nw%s+< zONqsg`U^GHV91lU-T*k^B}*^ z1ftm~xX585(!m9i$yHrsF@v@K3vbP=K^E<+7fG=zXwMGd{_ApMkHDgCqzisA<=VxS zt^&qBh(#zsBqRPUCL$bM!=2RPR1NcG9vE)7Y>>Qs0hrJUxu!hP*8AK+QjF&7e1D1m zMGwVHN@WuKMI|xFT;M~*k(nhaIG$veq5Vqx7wf@jy!acnI zcf2K3mni3BkKTMn3(x5+;U1AW1$rcfqyV+a7|dE;X>7Vm}t%S2>V z>R`+R3hJJ9>6{_s7GlHKX{hk}d<|(PTp>)<<49Upb*5&9Y68TNY-tvNufcBvjC}b( z3b8^(y-k%G@y~A%3X#dH5I7zWp=Bs&AXkYf=lx~41m%9P{par01P2vB%P{#9B-{N7 z55V}nPJ7RApk<-Y0Lg(O87?vYx=&U&&z~Zs56iO)-XbyKN<+MFtnm>a9jesp2+@;} zyS#JJwW!i7K$f?VNXrMb29bu`b!{D+LA_`ieM!#$Ph$)u2@t*iS8Fj~UwJ>3Xki9J z1DNXGP&*~vuzhw^#i3;?RS(rAn(gU0UKZ1H(DJrA(5m@e)N&HrPsv!P2)eFFgSsy8 zp$H$US(>Jp^$$f9UOh}yEhG=X^Q=e2GVnE?C%lORJ$Nr`kti&GbKjeTgr7602hrq5 z62ONFpepD+Jt#c}ZFL9gfJyJq$ly=OXz&(pk+RgOV+N}u?cTHK49RC<*uQNGy7K|E zo&&z7{#2ZkC;Ebg`k!QoR_2U(d-$X)6Rsh+*P2!9B(Mep^H0ZAGD^K*~{@u-l ztG>Oz032KZ7prU){0%5>b@0+ja%sd9hMGct-LG56|9_WLE<(P~y$cBZ3Y$y|2LCsn z173F>={LLa;7NXA_ABB#hG_(VFI1_`K_i0b^D$$=-*ey@rLWLSZtlk;?tXfa*_>)% z5@!4VlmGYZCn#;e08PvR+6L>|i1;}sh+T=f5{9UG6vk2R}8#Bpmn+6A3S^Cuq7bVXozM)!Bpu&K16K% z`gNbLrpYK|)&nEhuS(6ug$GdTJBxT~KGy0|RVG{yOpsIyT`zltAZRfgqXfoDuaD>( zbnba~S)wA%ax(OIMFz1laC*ZlaDQ4&&=_R$RA9sk-umR=W*tn)d}OdAO1*jWY0ZWN zA;{ju{QtD~-SJfa@87m_2*+Ngia|GPgs!+F2P^?F^`b6m&>S-?2ZD9Oi;wr&gzSzv9E zVOf0j@S_D5$9CfncVk)$o_drk4bFdmgRQowsc@07%n((=d7ryx@Tgn|GLue4pX{!yA-bfVhz%&}f zU?rix>loW*g2{?Rp12I=_1vLj&+Oo}EF_4Hn$bB^4w%{)#+(CU5btB5l0d^4F7v+= zkv^T2lE!QM@dgDW!YeZKw1QpV+QJUQfayLhU|K$L2nho4Q_Cx_insh(Qm>E&mQ_&2 zN>!X+kwMY-2w8mkCf|@f<%aO}ly3h&hSn8mF<&oR!??!5*c@WBvjRwL#Rrx<1QlyA zms3(!<^+s!rgLg_E+dnohRwI0@T#}B_pWMvf%E?+QFt(Kj3&|>UxYLcJ 
zVK|U1c9PtIZL~f>6qs|@fCaJTf0{7M{_noljfJsk#R=TR2LAm1@f-**91rym`8{lf zk}Cq6m2|r9@6JP@=O4O=gm3MC{ti+$wElSR(#cqTu21mX&nt9S`KiGS$rD=xK3uB< z^JHNXi4101XJlYmI{sa;2d*laO6^u`v^0GDUes6_E<9d-`e~~--I+tT=-&P8;QL+`nZ5&tw;;L!HV#DJQslANF7h~YCm?QacNEUE;5#l|B1mX`x(F~SxXwX2#+L@= zOvz@JiG=GcSjB)DaI+cb;dP|i>OCI;CEm7z zML&rIVyM|zr7a{)XPhRq!o%-1@h^(3b+Zd7wS3bJjGatr#3}{bJ`#o@-!c2MyGo4j zheACpa(u9X1o4?+R~JLNZ0|Az0Xv#a%mRrlcd_@XSz!=)?*=#9Vt9Y`asKxm@Md2| zI9kLiuKuut&GM=LeX|+H!%o5#2{>%XssQ{oU5$9J?zyEKLSegXAEE6zr)bRpPx&VT zLzHC-ao$v7_JAiop;-u5FpqMcKWn{;HQtv|_Znb&qL97QmQ$rlO<(>sT>Oiivy?&y z3I4)Wd{#gv+~6srL6%WL^oMUWQO-w<_a+kZywr%JicjB%l{!hkL#7!on)UG0mdjl+5i0oK$1INl6EFBh1Rqjj9H9I9z4kAe=aU5Ne|Xs ziU3jvTG9Jxz-Ko99ZoIiWJIFTCdsimaXM3;x2+yUOC`FV{Wa>6ss|o!UO{0{K-z+S zGRABpG9)m9qX8pkeYjUaAKEz3{BuorXKFs`g?4L)pn2s{ndeLLAG}r-r(i$HL2myQ z4jw3z<6snew8?-z{}SvIBcx?y_knA-f)vp69fg0TtLII=50yW9G-W!D&u#f4Bt5Kp zvUAHjRqd-+GfBss=D(WeQxo?}i#=eDd)Q37hAx1v6xpVpRVP9!;g9>RNg`8Uw$amqgS{v_)6=%)3qj)7N{2XKUJS+h1`)oA6o-FtGfNY-){)ToI(BfPX>dv z;q}=2zyr%V21e0GKb$aH8E=kIy?lV%Vo4DM_ayK}NDBL2-#K~;vHA=62t&wkj_KA5 zYFyrqEclv3u_NE{^VyD;Pc1cM3a7;LAqWbXw~Cuey_K!BctD3@Nsh-HKvk6IyJxfV zWN&HXZUE7#{Po-L&$0Mr{a2p6n&);C=79^DEyntL@oW`6k@z)fT4hyqUq`pM2%Hd$ zfWQ+1eZS^*Uv!0es{GuVj&qrnB}GD2B_!`Fpsin^TA&oRRu!?4^>cBA3HqoVGEw(>dO2Ub0kCvJd^{Cpe)5tA^bw?KM4(A}nL4t{#x**CGu^`*g!Hc~ z{JfryssuI}Ps7D|=e-TY@enZ27b2O2o3zC0lZcJx%!Kgx1o%4^N0eW|^j?HN`WdKL zauH6?QJvr?t`LF331{rSZ@5%8A9pi=&ewiD;`+~cO^Dv97aDL7a|*;KZ;NJ_8|z4F z%Ap^J50qP#Wsna-`I3^jqbcMNe-$vmyNT?Y3fW-8C_mGY%UlXkd0NkxTN{AZ%P|LL z9z)Mi@wn7isE!@qa!}{Q=;K20%KJF2nP>49k-=*xKByAaX&Dd7RZg3FDtAwAmJckj zuCE&Bdbv7`+8@R_Kuz*|h0|_h9{<5cB{(ONUlJYS57%7#b~bDab@v^M!QaVny_j@o zHcG)b_q{2-vouQR9LH@HcWz@5JT)DW%Ci0Q#{7UE7%CTmM`ImWd#0pEZ?f9LPW7@E zJqNusXX`+o$UxXzj@qa6qNO^83uqD|=7+DLIi&E8*jwfkQ0$$$uKNAeVlQ-YFcQu% zcVGSr^@}YQuv!iV7r!^VM|~%?2J*n0FsnQC$I^NGFz~iWVgC#htn8J0)cv{xraP?T zcivP}+jj4EB^wX*mR_REV(!*N*H6Jn^L0_Q^RBt^2vQBKqlg(pk2=O4yqAJ)Q`YqU zhxBQC=G3|Irm))81O4_|zsWz}FzZsbweLJ9v(9=7eIxupw|+;m+Nz&)TV|SKO?ttr 
zMQ(Ay@|6?)p%-7y@vJ}5prEUK%~VGH9*w%wczKi67p1gB`Jv|*T7QYN`^y!D&v#s( z=1v4sj0vO4siY~&hGh3lwA`c6bzpa@Fl{Th^tRwb0zRs%rXoqfR7(3gb7%X-DO#m( zR3=(dow@6G1LDnx!I|(5YR(HZrs4HeW;#pIL&eeY)})Hpm_iPWu*&@XTRn?VY*li& zifW9v_DP&p+;Jw=zm+|^lUv~N09s`6PI|(2zlR9}DrMFg-cgg@CTMre&MImmg>goA zC!+@TCM!jU*PPb!to=>Mn`c)e5~e&wkeWr=VK^SzOSR;%88==s+36hGe=8=Wc@Z5S zkHeXu&m>2)7;V!Su1xPgPJFbf90@&kP@WpatTupAhwWo)Za0M->JJ!0Y6 zuFKn<{8G7t`9m*g^}eg*WyHQD**SiyS~e$i;UUe{Y}8LE<>~?9ZEcClJujq~DD{L9 z7mgkT&(VVwbzkUQ+#Ra~iAcL#)XQqkE$Bs`s#3Bp>rX%R!H!`0#z476E==Ern&@|A zW8pqq;u-3kHIjukjvsv`nY2QAYqFC`!3WNvTaKOjDI0S~E}RFET&ne#BBy2nJLc2$ z{^*K$ElK$obK(NSR}1AeyFYK1-}NdClGhaDfXn@6V+Lk{fk<^OR!TdXOwYhslP(s& z(3|*JnIyktIr9-}b&83EJn^s)+j zL(t%X*WiA7^n|61#MIPpprs6IDMwU8d#hG3C6;q)r+Vsp%^_Gt6k37iDWAd9XhS2{ zPx0>-E1vgiH9k{q6G~NcwqNWkqRj)Vcet(%ldVJ1*L^LZqMt%rl6>(&Li8{Sm%Kel z0?&%>sa?^<=$0UmQLnycZV?NU{lY@}Rq~($Nh)>Ne7jgZE@h@J&vU!#-r|oon!t23 z{S#ToEWv#Yct*|S1NN;to+ih=OiQbD(^+t=tpVb(yZF~gp{8he)zs$bvN*Y#W zc0R2n(0^)2*{M!0Q6!ipYfIowBh^|vm{e;^{nm=W(+XV}OyW7_B$^1rLrvU??StN3 z>!TCL{bX89Gu9K#U&UG!XAvB{{Lz52+%w%$eg8`~-E>yZ+^qp`ByY=4%-zU@*Dw3-9ttc%SzZzxZ�%&j;bcxGcOFY?#?4EiJp$|6FQ zSxLWyZQjY#JMUkoqcS#UN0Qe;G0Xu~a@FoRE}_zm<ejA!J>f9KSmOCB-R(lu7hMOlCc8Qxc|t(@^f>oG*2t%i znDQi7WftC7y2+NN<;tY~!uHZz%A~cR1w*W)*eX%-bN{D=Gco6Qx<^29akK#ei-XhL=gEj%cz&T%swR+~;;yIf9A%_fzo&XV-tQUY^#Y~k4O<*n_O z>J>xAAm)P0drKyhUsd#>GDkxk&yD$k!sWOeL&MFRsMa!6t76r9($uru(1=U0&bBjK zp2zOpk259sJt|JH8-z6 zvQ1PElEJE5>Vj*Cgo*hG^AJiLV?>?vgGBT6n?zYK^_D?SVDdTRYKeCp*-=s5g}+WL z&%qWtyK{HEG2hqXAjzLvGoqAgcqfd;PBhSuSHj_XZi@Ar6Cc0(>PV>rroUB4(>iM36;^?0oc)pSGVr!)4o}sD5pp_Tgqkeh zk_3Ir%Yom?Q2MzJ+)CbDR>28u2K@|bXotu#W==^VUF00kN>LG1h0UdS-_sL; zV#rS&V1_w32kR~)te)eoQ$h7ZT&5C|bk6l9GC#je%N*Fz8~|Ru;|z0C_4uRYfMi;& zm1~SYf4kn#_)xU!NOzbI(7olwC-$z+MH>h^bU9cny$+ zE4=EA8lI>er;gqgmtwZg($pkT9VaAL$Tf5_Juxsug!AgezlJwKyh0OF|exht3Ywdi)T;VkenkT?EQ9NuZe_p!N|JBgc@@x5>12z=?8{R61mcTPwGCslQQFE`cU z6#Y}KdbRERXFCy1&sJ;phZau3*)C`tb8dsQ){*JhuHQmXaiw+MF78x!r&K2|D_Ffo 
zotQEc;k^Bx^n+6t?2p9D89uE=k^SDpapF6IS{F{BjX;2Wn_5Ad5pk_@}N4+R+!quN%<$Ik|jN0O+%q`pXOUopWwdH^Awp75l6s@Zn z#A07Z`kQ`yeM@xerlHJ{U;D5WUs|+&3b`ojl)f)oH(=fRle?ESuk>Zhdebc2G3D%S zBG2D@5k2AYy|!B~77i0xX;|Y8@9k5=em4W8c76GBfkC+-@kLYZ+$Drtp?fnoTCRQ9 zZToW<6GLS5z!f(==lT(epSN7U1lmy1$&3+AD5gGbX?MR8*IcTvi{o$Z=|u5r_Mo3j zT?rdwv8~G&)2zmGGFd&jUOrtYu5nmcWtC^xMUR?3iB{#f{t^zdRm(bcA|d{S*z^?z z#n~;tgTbLZoFS)at$llapFai(!y)R19R1C>!7PC3i=@?T#E0g^|9 zu_R?@l7qrr8$)LW4YD~kmt7!fBE?g{5wL@qo>I}FZ;QirF>&nOg;T|e57&>%-0__i z(!lwk&+HV;?4ygQ*kc(v_g9Edr%TQ%B=GkqTQGY+B=2_Si!4|rKD&gCQ+%~E>2fS4 zr;5D?&AN!`UY#j&z_qJn7!AKZPY~}V3QyW%yZzL@RS(c5bNKhfqKWjJG74UT7-pTy zrXRMHN5X$;7l>5LOPm@N@sz(~)FS{Ia>auYYZPtmuKB;qSq*u`WK zD_-OskJtGAHHI?Y^f0b;YxGv1u#YOa)8*EaTGNWj{j0`#lVGkk);Q3zrON7b!*!J? zCy>#=9GrDd)KMWLX;bbIhxlt560S@%W2zQ?QvTV;)S1bF2oFTkx?GOTAnUB~ZA`b) zTIgPioC%lP{d9Bf!ye7@cRchA9#Zq4XBB=->YVNAw!D!WJ=s;lO=YX2Fss}$xJu6> z)K`6YWovu~V>maXPMTYMEt>CHSU;HK*sB};;0N^sU!1ehbn^jyRk$ASz4?7n+u_5D zV~#2Hl_NAa9r8xC1_z#5U@x;JTANBaMVp)BY^0g^1Ty+g$MUu%n6;N4B#+*1637^) z&|%!~J$Fb*zvnGKu4rqfM{UQ^{Ywj4Bc4vD{O3tRJbu^^f7mFXjazd^NZ>t~5Nwjx zjwo?T`VmwZsWf6GI@7RS{Oyw3ejw3uJFp#`H>Fp)ZjvK8tU+vx#%CBW3$=KzGApzY zPJ=c8A?U^CKu+hr>ul%1zTn zEv_DGne= zrVf716vb(BznT3aL@!vcmAw7lEw=Jm@KrL?x(HAQ_ADB;fUeNq^7gKK{E%&y-Zips zRMuaUBZ@Q{Q-S{LE?DJBThsxTmCF zE1lis0|QTN(B1tJ|D}gbm!ejhQh(BSzW$`13Wd4UD-}?CZPiA!aocUDd<29vjKYOx zQmIRJa<#gcd~inSY9p%Sv5W#SWUUEy$sB!}-LKdyiCvD7IA^rF)Ro;?59?#`qU}_y z-A+{;A*&~1CfU%$yBzIOULY~st+6A$?_|5&v1D`9klaqy2!VevRl;d zofk=-D|c=Bz8tMj=M8H;WAxLVs+T2n)gE%T2g`*M88U7*r=KW8ISpOCVfQ=`<3>Mr zs@G&b7OyHHo{E&+{=xF769rg>Xy|L`i4YH_Z=6oE_Q<#Q2%^Bf<^K3J^ALqp(ITOm z^y*#<|JV@~y}cn3ou!@a^%UhS?5BtSlsMPES<~YjQ^hN_82A%((zkR;V@_?)86)2d z^i1!^w#zE+eBr+4KnON{;t=2K_`?*#`{;d{KcHMs9w2T6UYCrrlPTb0WUEeG5-M7Y z7sL@@#KP|zn+arLy2_j4>m9E$2R>L4*Xky3Y7M7oC(>IvZ{%X`M#SuNs-s^pqxlsAuD%S#@X}EXzK?k_xQ>KaKgzQ;xk!w?r$G=a_C?X=?GtSHi!|&jRzcQ&FWF zeO%MJO$=C1smi>w(DF!1pW~h$4josL;!r24&$786-laN-S zW1}Ie4aU&dH3|_kzUdCLeyZjq{VLA%MKBiQVJo!yHm!AepRk(q~i~37W{RPhY+CK2|I7>kc^KXq 
za`%rTk3_b?An;Sc$GT29VE zp;KkNCgKGh^g5N*{{kQYx98!FnItgq&I&=%SMvTZPaMz*F?#5x<0#C znkxkk0$l+0!m95-LmmpjSaj07N{#Mz=W9C06Pg)B3(Ch7gt`}A)d1PKJg{RPVbb;_ zF(mOoB9APrW--jEL|4^u?^?3qOmcJkqUdKo%f6!iW$(atLhyAZ-K%j@fJmiK&JXE{ zW1hit6$Q=>`bM#<+#pZhCZ(8vWV!M6naaiQ5==i1Qd~%n-PZO_*k+ zC~0b#$`3{@GW`Inr#}RIdP{O(3|vpWU>)cZ4)P2 zU#+KJ?(z#5FSU4?z}R_c`}gt(HLl;;w6YH0bY8RVlW&-1(0=$)Z&rEpGT?LM5||6B zF_s8eERO*1Gj%}Hx1PK<&9}4FsX1Bilu64J@wF{rmt|$zpNV6idOZBQX2JHLJD)I>+Veis+{eDWW`SCw7KYdJb~h4w2tviSZWw#ndan$H*>A4Lc6Qdn3F7Pp6Ae zrb-VTS5(7L%Lhc4IrvW{kjvaQy7YN-oA0(UrHn?OD|YxQX{JFP|NIaa{9z{hJThCx zs(={s5>BRg$OGHwZ*KA#+0C`Z$Do6~G-?;fX`Tf+tsZym4_D4xxaC+-eSy2c#*VYu z{(D=_bSq_ML#voyoP-l{VjLRpu2MyN~X{ed}6D*bI)CG4|Bk{}faC1|H=!sh}-7 z;Z~!rDIxG$Tg*8W6Ut!|2f^FjtC->-KmU9K1+P>p~UhR_1E*atT)u*Z>&He2^_NZZ13 z*h1#&nqv?9zEqd(6PhhAp&(JQ(TpeSWGi1r_?`w!2zAG?E;RTW>yMb50W2fS&bxo`yJ!%7WPE5Bkrqk=4ub0&7t6x6Sdn- zp~o^G{@l%1t9y8jKB#H7?Nx=$?UQjyH8KSH0dHHzItDzhhW44nL89n^W8Hag1P%Jf zWN>--4;C*j;(#C$8a#AN9K!-rDv)NCa0-}lt$Jsna;`{B-|5zZ9VH;x_sj%)$LR2Rq1$a*uXE#dU-?gE9@YG zb!xN9WlO}s_cP05E?j0q)lhgdwW@or=L>Tzg<9sZp+Mw2>YEz9kV)|wA<^)Cv?_yO zABAuWiYX9!%sN6&aDajR^(bo%IZ-W<6ZKJ!xm}hT(OmW7g*rCWUHFnGCoACx!)Gn9 zTnKUI0J{|=FBb^c_1?8!;vx-Fh12h0`BZ>?OOW%L0Z+Jez+-u$X(d=q%%*}c`0NZr21T<3RyF1ivnP=O*+56GFC?VW_2e95 zO(rwRJ^t*SgwPSlc8nF*CvJ3);aD1(I?(58(H)DbS!h_NPwIEdX*?0DSFVFQqphs*& z>OOi?_5mRELZ3e(9+*6L<+FocCUYA=cMOCk4b8tM5f@cw7>zbUhnlAyj6}~TFhxr_ zdFycYj{{tCWYFbSxe}V*W*2`;<4Z{wRjLk9w>_09`X5eR8bV<6f2kwwXGZRm*z{|m zOj~mT!O~@0c32QC2-0VO*SoH*^_z6 z11R7JFzQqqi0srCWPj<8|{YC_+wR!OmA|{~~;1RjrwbOwx)8?SU zpiSRwk_Z7Fj}%8GP@FmRts+3`g%H7PBU}nMV1_U|NtZ8z_8~^|#e*Hp2k<=ESbEP2 z@R~ff0m=pA5kEhcIp>h^5@-4;7y8^B@>D2q`KKY0aK5$#pBNF{=F-$a_c0 zi!QU8CHkUL z4FmE|$R4c7u1F-OUOOSh|9<_5=DnL~eV}&Gh&UsL~8^nrW?1mIuQ98bdNG8@+w}42Me1iD8DLk zkV`_dgRbgZ=1#H1Ai+d>XBWr9NAxwoR~fr`GW)((4{YR=dI75|OJa^tdJS%YO*BJP zE4oM3hX|~FB<`(0EXk8k!_zy@Cp=IN+}T>4>5Bw9e)6+ub32{$wzfRQplgOIU-sN% zSxk50BDAfLbMHMkpdJfmwwuYC89!oRFo$+>$#$THIJYDfXE9Ru3;c@m-~)cOL=?$V 
z#?%ww10F%@LWFTRcp#mJ$B24KOX}Y3)cO3#U+0BIMdLJvASm3K6D@j@JON4tFB*76 zeP`!FBKwLW?gY9q-o}=3t8O2hNR*VQ9iW!~tODv}<+jhdbQ4A@9a5q7dl66>=7!2L zi7LRTDS*vXtnn-O{Ap~kGIVpu>Zfjk%py+ayd{U2si!65T^?!bc7!TezE-woVB-jS zua{w6Vi#~Yni}tqSJ$Syd4r{-`fLp6rYWQ({XPu?kA>?wxfkVLF^Cqk^jwlL1EL-x zHMgd%A6kek`&3K#2E}VFtk>o?n9!*_grvjd(c=a%WI))pIYcwVKeuy>Rwf8*k%`5I z_q7fnuf%9ua{eXjdMc#auZ+Q1tyEi{w7}ZK9R4LEV|5_DE9ua_{OtCcb@9pMBNIAO zG{iM7F5OFik{rxiWc9r*s%-9j3jZI>7qNK;Nq#Vt5Q1GCF+N(*7PA@j5WOVwP6f7T7i9fZyYKm|%e|Mt*$pm65<%;HZB8 zP|KvoZh8{(!Y%XY5^L*9`;P}VzhC_FFz4jSlhoFWYr$%HvG$+yLpDlo!nYEULx*@Y zBW6PwV=A@y=FJ;D0sccV3Wg)6;PLL!tr%?j9x9VbOnG0G$|XEFcxy;Q}~-P00mj;H<8FueF7AQ}IUNd}z(5@gO@w0ihAh5pay z1dzLmj-OTa-?jSp6I$nBMO?<&qyt0z&y@(dLy2Q_V2cW{+33M7>c4;WfA_Upnxz+9 VT=m_q+$V#7C-qEpD|8%V{|{P#GV1^U diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md index be1cda2e07..ff258175c3 100644 --- a/fast/stages/3-gcve-dev/README.md +++ b/fast/stages/3-gcve-dev/README.md 
@@ -1,11 +1,8 @@ # GCVE Private Cloud Minimal -This blueprint presents an opinionated architecture to handle different Google VMware Engine deployment scenarios: from a simple single region private cloud to multi-region private clouds spread across different locations. The general idea behind this blueprint is to deploy a single project hosting one or more GCVE private clouds connected to a shared VMware Engine Network (VEN). -Optionally this blueprint can deploy the VMWare Engine Network peerings to pre-existing VPCs. +This stage implements a simple architecture that integrates Google VMware Engine in a FAST organization. -Multiple deployments of this blueprint allow the user to achieve more complex design solutions as for example GCVE private clouds deployed on different projects or connected to independent VMWare Engine Networks. - -This blueprint is used as part of the [FAST GCVE stage](../../../fast/stages/3-gcve/) but it can also be used independently if desired. +The setup configured here is for a single environment in a single region, and is provided as a starting point for the more complex patterns [described below in this document](#architectural-patterns) which can be easily implemented by extending this stage, and/or duplicating it across environments. - [Stage configuration](#stage-configuration) 
@@ -91,7 +88,7 @@ Before running this stage, you need to make sure you have the correct credential ### Provider and Terraform variables -As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. +As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. diff --git a/fast/stages/README.md b/fast/stages/README.md index f50e8237ee..ff340ae271 100644 --- a/fast/stages/README.md +++ b/fast/stages/README.md @@ -50,4 +50,4 @@ Implemented as an [add-on stage 1](./1-tenant-factory/), with optional FAST comp - [Networking Security](./3-network-security/) Manages NGFW Enterprise deployment for the production and development environments. - [Data Platform](3-data-platform/dev/) - [GKE Multitenant](3-gke-multitenant/dev/) -- [Google Cloud VMware Engine](3-gcve/) +- [Google Cloud VMware Engine](3-gcve-dev/) From 934d3bd0d6d6f5126a55a5b43cd80624ec146754 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sun, 27 Oct 2024 15:29:48 +0100 Subject: [PATCH 67/94] module tests --- fast/stages/3-gcve-dev/README.md | 2 +- .../examples/additional-clusters.yaml | 19 ++++++++++++++----- .../gcve_private_cloud/examples/basic.yaml | 13 ++++++++++--- .../examples/custom-management.yaml | 13 ++++++++++--- .../examples/network-policy.yaml | 13 ++++++++++--- 5 files changed, 45 insertions(+), 15 deletions(-) diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md index ff258175c3..6e159556ca 100644 --- a/fast/stages/3-gcve-dev/README.md +++ b/fast/stages/3-gcve-dev/README.md @@ -2,7 +2,7 @@ This stage implements a simple architecture that integrates Google VMware Engine in a FAST organization. -The setup configured here is for a single environment in a single region, and is provided as a starting point for the more complex patterns [described below in this document](#architectural-patterns) which can be easily implemented by extending this stage, and/or duplicating it across environments. +The setup configured here is for a single environment in a single region, and is provided as a starting point for the more complex patterns [described below in this document](#architectural-patterns) which can be easily implemented by extending this stage, and/or duplicating it across environments. Some configuration examples are provided in the [GCVE module](../../../modules/gcve-private-cloud/). - [Stage configuration](#stage-configuration) diff --git a/tests/modules/gcve_private_cloud/examples/additional-clusters.yaml b/tests/modules/gcve_private_cloud/examples/additional-clusters.yaml index 841b4095d5..7c9c38c3fc 100644 --- a/tests/modules/gcve_private_cloud/examples/additional-clusters.yaml +++ b/tests/modules/gcve_private_cloud/examples/additional-clusters.yaml 
@@ -13,25 +13,28 @@ # limitations under the License. values: - module.gcve-pc.google_vmwareengine_cluster.vmw_engine_additional_clusters["test-cluster-one"]: + module.gcve-pc.google_vmwareengine_cluster.default["test-cluster-one"]: name: gcve-pc-test-cluster-one node_type_configs: - custom_core_count: 28 node_count: 6 node_type_id: standard-72 - module.gcve-pc.google_vmwareengine_cluster.vmw_engine_additional_clusters["test-cluster-two"]: + timeouts: null + module.gcve-pc.google_vmwareengine_cluster.default["test-cluster-two"]: name: gcve-pc-test-cluster-two node_type_configs: - custom_core_count: 28 node_count: 4 node_type_id: standard-72 - module.gcve-pc.google_vmwareengine_network.private_cloud_network[0]: + timeouts: null + module.gcve-pc.google_vmwareengine_network.default[0]: description: Terraform-managed. location: global name: gcve-pc-default project: gcve-test-project + timeouts: null type: STANDARD - module.gcve-pc.google_vmwareengine_network_peering.vmw_engine_network_peerings["transit-conn1"]: + module.gcve-pc.google_vmwareengine_network_peering.default["transit-conn1"]: description: Managed by Terraform. export_custom_routes: false export_custom_routes_with_public_ip: false @@ -41,7 +44,9 @@ values: peer_network: projects/test-prj-gcve-01/global/networks/default peer_network_type: STANDARD project: gcve-test-project - module.gcve-pc.google_vmwareengine_private_cloud.vmw_engine_private_clouds["pcc_one"]: + timeouts: null + module.gcve-pc.google_vmwareengine_private_cloud.default["pcc_one"]: + deletion_delay_hours: null description: Managed by Terraform. location: europe-west8-a management_cluster: @@ -50,10 +55,14 @@ values: - custom_core_count: 0 node_count: 3 node_type_id: standard-72 + stretched_cluster_config: [] name: gcve-pc-pcc_one network_config: - management_cidr: 192.168.0.0/24 project: gcve-test-project + send_deletion_delay_hours_if_zero: null + timeouts: null + type: null counts: google_vmwareengine_cluster: 2 
diff --git a/tests/modules/gcve_private_cloud/examples/basic.yaml b/tests/modules/gcve_private_cloud/examples/basic.yaml index 40803f0209..afb411eab6 100644 --- a/tests/modules/gcve_private_cloud/examples/basic.yaml +++ b/tests/modules/gcve_private_cloud/examples/basic.yaml @@ -13,13 +13,14 @@ # limitations under the License. values: - module.gcve-pc.google_vmwareengine_network.private_cloud_network[0]: + module.gcve-pc.google_vmwareengine_network.default[0]: description: Terraform-managed. location: global name: gcve-pc-default project: gcve-test-project + timeouts: null type: STANDARD - module.gcve-pc.google_vmwareengine_network_peering.vmw_engine_network_peerings["transit-conn1"]: + module.gcve-pc.google_vmwareengine_network_peering.default["transit-conn1"]: description: Managed by Terraform. export_custom_routes: false export_custom_routes_with_public_ip: false @@ -29,7 +30,9 @@ values: peer_network: projects/test-prj-gcve-01/global/networks/default peer_network_type: STANDARD project: gcve-test-project - module.gcve-pc.google_vmwareengine_private_cloud.vmw_engine_private_clouds["pcc_one"]: + timeouts: null + module.gcve-pc.google_vmwareengine_private_cloud.default["pcc_one"]: + deletion_delay_hours: null description: Managed by Terraform. location: europe-west8-a management_cluster: @@ -38,10 +41,14 @@ values: - custom_core_count: 0 node_count: 3 node_type_id: standard-72 + stretched_cluster_config: [] name: gcve-pc-pcc_one network_config: - management_cidr: 192.168.0.0/24 project: gcve-test-project + send_deletion_delay_hours_if_zero: null + timeouts: null + type: null counts: google_vmwareengine_network: 1 diff --git a/tests/modules/gcve_private_cloud/examples/custom-management.yaml b/tests/modules/gcve_private_cloud/examples/custom-management.yaml index 6c7d7268a0..8316920914 100644 --- a/tests/modules/gcve_private_cloud/examples/custom-management.yaml +++ b/tests/modules/gcve_private_cloud/examples/custom-management.yaml 
@@ -13,13 +13,14 @@ # limitations under the License. values: - module.gcve-pc.google_vmwareengine_network.private_cloud_network[0]: + module.gcve-pc.google_vmwareengine_network.default[0]: description: Terraform-managed. location: global name: gcve-pc-default project: gcve-test-project + timeouts: null type: STANDARD - module.gcve-pc.google_vmwareengine_network_peering.vmw_engine_network_peerings["transit-conn1"]: + module.gcve-pc.google_vmwareengine_network_peering.default["transit-conn1"]: description: Managed by Terraform. export_custom_routes: false export_custom_routes_with_public_ip: false @@ -29,7 +30,9 @@ values: peer_network: projects/test-prj-gcve-01/global/networks/default peer_network_type: STANDARD project: gcve-test-project - module.gcve-pc.google_vmwareengine_private_cloud.vmw_engine_private_clouds["pcc_one"]: + timeouts: null + module.gcve-pc.google_vmwareengine_private_cloud.default["pcc_one"]: + deletion_delay_hours: null description: Managed by Terraform. location: europe-west8-a management_cluster: @@ -38,10 +41,14 @@ values: - custom_core_count: 28 node_count: 6 node_type_id: standard-72 + stretched_cluster_config: [] name: gcve-pc-pcc_one network_config: - management_cidr: 192.168.0.0/24 project: gcve-test-project + send_deletion_delay_hours_if_zero: null + timeouts: null + type: null counts: google_vmwareengine_network: 1 diff --git a/tests/modules/gcve_private_cloud/examples/network-policy.yaml b/tests/modules/gcve_private_cloud/examples/network-policy.yaml index bfd3133de1..64ed0653df 100644 --- a/tests/modules/gcve_private_cloud/examples/network-policy.yaml +++ b/tests/modules/gcve_private_cloud/examples/network-policy.yaml 
@@ -13,13 +13,14 @@ # limitations under the License. values: - module.gcve-pc.google_vmwareengine_network.private_cloud_network[0]: + module.gcve-pc.google_vmwareengine_network.default[0]: description: Terraform-managed. location: global name: gcve-pc-default project: gcve-test-project + timeouts: null type: STANDARD - module.gcve-pc.google_vmwareengine_network_policy.vmw_engine_network_policies["ew8"]: + module.gcve-pc.google_vmwareengine_network_policy.default["ew8"]: description: Terraform-managed. edge_services_cidr: 192.168.100.0/26 external_ip: @@ -29,7 +30,9 @@ values: location: europe-west8 name: gcve-pc-ew8 project: gcve-test-project - module.gcve-pc.google_vmwareengine_private_cloud.vmw_engine_private_clouds["pcc_one"]: + timeouts: null + module.gcve-pc.google_vmwareengine_private_cloud.default["pcc_one"]: + deletion_delay_hours: null description: Managed by Terraform. location: europe-west8-a management_cluster: @@ -38,10 +41,14 @@ values: - custom_core_count: 0 node_count: 3 node_type_id: standard-72 + stretched_cluster_config: [] name: gcve-pc-pcc_one network_config: - management_cidr: 192.168.0.0/24 project: gcve-test-project + send_deletion_delay_hours_if_zero: null + timeouts: null + type: null counts: google_vmwareengine_network: 1 From a5b382b3b3da81e217cea0045993e397d44a0d3a Mon Sep 17 00:00:00 2001 From: Ludo Date: Sun, 27 Oct 2024 17:43:33 +0100 Subject: [PATCH 68/94] stages README --- fast/stages/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fast/stages/README.md b/fast/stages/README.md index ff340ae271..7fe0b6da5e 100644 --- a/fast/stages/README.md +++ b/fast/stages/README.md 
@@ -4,16 +4,16 @@ Each of the folders contained here is a separate "stage", or Terraform root modu Each stage can be run in isolation (for example to only bring up a hub and spoke VPC in an existing environment), but when combined together they form a modular setup that allows top-down configuration of a whole GCP organization. -When combined together, each stage is designed to leverage the previous stage's resources and to provide outputs to the following stages via predefined contracts, that regulate what is exchanged. +When deploying as part of a whole organization setup, each stage provides information on its resources to the following stages via predefined contracts, and each stage can pick and choose what to leverage from the preceding ones. -This has two important consequences +This has two important consequences: -- any stage can be swapped out and replaced by different code as long as it respects the contract by providing a predefined set of outputs and optionally accepting a predefined set of variables +- any stage can be swapped out and replaced by different code as long as it respects the contract, by providing a predefined set of outputs and optionally accepting a predefined set of variables - data flow between stages can be partially automated (see [stage 0 documentation on output files](./0-bootstrap/README.md#output-files-and-cross-stage-variables)), reducing the effort and pain required to compile variables by hand -One important assumption is that the flow of data is always forward looking, so no stage needs to depend on outputs generated further down the chain. This greatly simplifies both the logic and the implementation, and allows stages to be effectively independent. +One important assumption is that the flow of data is always forward looking (or sideways for optional components), so no stage needs to depend on outputs generated further down the chain. 
This greatly simplifies both the logic and the implementation, and allows stages to be effectively independent. -To achieve this, we rely on specific GCP functionality like [delegated role grants](https://medium.com/google-cloud/managing-gcp-service-usage-through-delegated-role-grants-a843610f2226) that allow controlled delegation of responsibilities, for example to allow managing IAM bindings at the organization level in different stages only for specific roles. +To achieve this, we rely on specific GCP functionality like [delegated role grants](https://medium.com/google-cloud/managing-gcp-service-usage-through-delegated-role-grants-a843610f2226) to allow controlled delegation of responsibilities, and [conditional access via tags](https://cloud.google.com/iam/docs/tags-access-control) to constrain scope for organization-level roles or when specific resources are managed lower in the chain than IAM bindings. Refer to each stage's documentation for a detailed description of its purpose, the architectural choices made in its design, and how it can be configured and wired together to terraform a whole GCP organization. The following is a brief overview of each stage. 
@@ -44,10 +44,10 @@ Implemented as an [add-on stage 1](./1-tenant-factory/), with optional FAST comp Exports: host project ids and numbers, vpc self links - [Project Factory](./2-project-factory/) YAML-based factory to create and configure application or team-level projects. Configuration includes VPC-level settings for Shared VPC, service-level configuration for CMEK encryption via centralized keys, and service account creation for workloads and applications. This stage can be cloned if an org-wide or dedicated per-environment factories are needed. +- [Network Security](./2-network-security/) Optional stage that integrates with security and networking stages to manage a centralized [NGFW Enterprise](https://cloud.google.com/firewall/docs/about-firewalls) deployment. ## Environment-level resources (3) -- [Networking Security](./3-network-security/) Manages NGFW Enterprise deployment for the production and development environments. - [Data Platform](3-data-platform/dev/) - [GKE Multitenant](3-gke-multitenant/dev/) - [Google Cloud VMware Engine](3-gcve-dev/) From 7b67ecd2066d1933878cbfc6f8a8afd7fd599175 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sun, 27 Oct 2024 17:48:40 +0100 Subject: [PATCH 69/94] move network security to stage 2 --- fast/stages/1-resman/README.md | 4 ++-- fast/stages/1-resman/outputs.tf | 1 - .../README.md | 0 .../data/cidrs.yaml | 0 .../data/firewall-policy-rules/dev/egress.yaml | 0 .../data/firewall-policy-rules/dev/ingress.yaml | 0 .../data/firewall-policy-rules/prod/egress.yaml | 0 .../data/firewall-policy-rules/prod/ingress.yaml | 0 .../diagram.png | Bin .../diagram.svg | 0 .../main.tf | 0 .../net-dev.tf | 0 .../net-prod.tf | 0 .../outputs.tf | 0 .../schemas/firewall-policy-rules.schema.json | 0 .../variables-fast.tf | 0 .../variables.tf | 0 fast/stages/2-security/README.md | 2 +- 18 files changed, 3 insertions(+), 4 deletions(-) rename fast/stages/{3-network-security => 2-network-security}/README.md (100%) rename fast/stages/{3-network-security => 2-network-security}/data/cidrs.yaml (100%) rename fast/stages/{3-network-security => 2-network-security}/data/firewall-policy-rules/dev/egress.yaml (100%) rename fast/stages/{3-network-security => 2-network-security}/data/firewall-policy-rules/dev/ingress.yaml (100%) rename fast/stages/{3-network-security => 2-network-security}/data/firewall-policy-rules/prod/egress.yaml (100%) rename fast/stages/{3-network-security => 2-network-security}/data/firewall-policy-rules/prod/ingress.yaml (100%) rename fast/stages/{3-network-security => 2-network-security}/diagram.png (100%) rename fast/stages/{3-network-security => 2-network-security}/diagram.svg (100%) rename fast/stages/{3-network-security => 2-network-security}/main.tf (100%) rename fast/stages/{3-network-security => 2-network-security}/net-dev.tf (100%) rename fast/stages/{3-network-security => 2-network-security}/net-prod.tf (100%) rename fast/stages/{3-network-security => 2-network-security}/outputs.tf (100%) rename fast/stages/{3-network-security => 2-network-security}/schemas/firewall-policy-rules.schema.json (100%) rename fast/stages/{3-network-security => 
2-network-security}/variables-fast.tf (100%) rename fast/stages/{3-network-security => 2-network-security}/variables.tf (100%) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 30649ed00a..a0dd7c0cdc 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md @@ -274,6 +274,6 @@ terraform apply |---|---|:---:|---| | [cicd_repositories](outputs.tf#L77) | WIF configuration for CI/CD repositories. | | | | [folder_ids](outputs.tf#L89) | Folder ids. | | | -| [providers](outputs.tf#L95) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security | -| [tfvars](outputs.tf#L103) | Terraform variable files for the following stages. | ✓ | | +| [providers](outputs.tf#L95) | Terraform provider files for this stage and dependent stages. | ✓ | | +| [tfvars](outputs.tf#L102) | Terraform variable files for the following stages. | ✓ | | diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 9104100714..b771ecff95 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf @@ -93,7 +93,6 @@ output "folder_ids" { # ready to use provider configurations for subsequent stages output "providers" { - # tfdoc:output:consumers 02-networking 02-security 03-dataplatform 03-network-security description = "Terraform provider files for this stage and dependent stages." sensitive = true value = local.providers diff --git a/fast/stages/3-network-security/README.md b/fast/stages/2-network-security/README.md similarity index 100% rename from fast/stages/3-network-security/README.md rename to fast/stages/2-network-security/README.md diff --git a/fast/stages/3-network-security/data/cidrs.yaml b/fast/stages/2-network-security/data/cidrs.yaml similarity index 100% rename from fast/stages/3-network-security/data/cidrs.yaml rename to fast/stages/2-network-security/data/cidrs.yaml 
diff --git a/fast/stages/3-network-security/data/firewall-policy-rules/dev/egress.yaml b/fast/stages/2-network-security/data/firewall-policy-rules/dev/egress.yaml similarity index 100% rename from fast/stages/3-network-security/data/firewall-policy-rules/dev/egress.yaml rename to fast/stages/2-network-security/data/firewall-policy-rules/dev/egress.yaml diff --git a/fast/stages/3-network-security/data/firewall-policy-rules/dev/ingress.yaml b/fast/stages/2-network-security/data/firewall-policy-rules/dev/ingress.yaml similarity index 100% rename from fast/stages/3-network-security/data/firewall-policy-rules/dev/ingress.yaml rename to fast/stages/2-network-security/data/firewall-policy-rules/dev/ingress.yaml diff --git a/fast/stages/3-network-security/data/firewall-policy-rules/prod/egress.yaml b/fast/stages/2-network-security/data/firewall-policy-rules/prod/egress.yaml similarity index 100% rename from fast/stages/3-network-security/data/firewall-policy-rules/prod/egress.yaml rename to fast/stages/2-network-security/data/firewall-policy-rules/prod/egress.yaml diff --git a/fast/stages/3-network-security/data/firewall-policy-rules/prod/ingress.yaml b/fast/stages/2-network-security/data/firewall-policy-rules/prod/ingress.yaml similarity index 100% rename from fast/stages/3-network-security/data/firewall-policy-rules/prod/ingress.yaml rename to fast/stages/2-network-security/data/firewall-policy-rules/prod/ingress.yaml diff --git a/fast/stages/3-network-security/diagram.png b/fast/stages/2-network-security/diagram.png similarity index 100% rename from fast/stages/3-network-security/diagram.png rename to fast/stages/2-network-security/diagram.png diff --git a/fast/stages/3-network-security/diagram.svg b/fast/stages/2-network-security/diagram.svg similarity index 100% rename from fast/stages/3-network-security/diagram.svg rename to fast/stages/2-network-security/diagram.svg 
diff --git a/fast/stages/3-network-security/main.tf b/fast/stages/2-network-security/main.tf similarity index 100% rename from fast/stages/3-network-security/main.tf rename to fast/stages/2-network-security/main.tf diff --git a/fast/stages/3-network-security/net-dev.tf b/fast/stages/2-network-security/net-dev.tf similarity index 100% rename from fast/stages/3-network-security/net-dev.tf rename to fast/stages/2-network-security/net-dev.tf diff --git a/fast/stages/3-network-security/net-prod.tf b/fast/stages/2-network-security/net-prod.tf similarity index 100% rename from fast/stages/3-network-security/net-prod.tf rename to fast/stages/2-network-security/net-prod.tf diff --git a/fast/stages/3-network-security/outputs.tf b/fast/stages/2-network-security/outputs.tf similarity index 100% rename from fast/stages/3-network-security/outputs.tf rename to fast/stages/2-network-security/outputs.tf diff --git a/fast/stages/3-network-security/schemas/firewall-policy-rules.schema.json b/fast/stages/2-network-security/schemas/firewall-policy-rules.schema.json similarity index 100% rename from fast/stages/3-network-security/schemas/firewall-policy-rules.schema.json rename to fast/stages/2-network-security/schemas/firewall-policy-rules.schema.json diff --git a/fast/stages/3-network-security/variables-fast.tf b/fast/stages/2-network-security/variables-fast.tf similarity index 100% rename from fast/stages/3-network-security/variables-fast.tf rename to fast/stages/2-network-security/variables-fast.tf diff --git a/fast/stages/3-network-security/variables.tf b/fast/stages/2-network-security/variables.tf similarity index 100% rename from fast/stages/3-network-security/variables.tf rename to fast/stages/2-network-security/variables.tf diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index e2b35d3a38..6641d92368 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -58,7 +58,7 @@ The stage lets you also create Certificate Manager trust configs. With trust con ### NGFW Enterprise and TLS inspection support -We deploy NGFW Enterprise in the [network-security stage](../3-network-security/README.md). If you require TLS inspection, NGFW needs to interact with CAS and -optionally- Certificate Manager trust-configs. These components bind to firewall endpoint associations (created in the [network-security stage](../3-network-security/README.md)) with zonal TLS inspection policies. +We deploy NGFW Enterprise in the [network security stage](../2-network-security/README.md). If you require TLS inspection, NGFW needs to interact with CAS and -optionally- Certificate Manager trust-configs. These components bind to firewall endpoint associations (created in the network security stage) with zonal TLS inspection policies. Using this module, you can define CAS configurations and trust-configs for NGFW Enterprise. You can create them using the `cas_configs` and `trust_configs` variables. Anyway, these will need to use specific keys (defined in `ngfw_tls_configs.keys`), so that FAST knows which configurations to use for NGFW Enterprise. You can then enable TLS inspection and customize its behavior for NGFW Enterprise, using the `ngfw_tls_configs.tls_inspection` variable. FAST will create the TLS inspection policies for you in the regions where you defined your CAs for NGFW Enterprise. When you create your CAs and trust-configs for NGFW Enterprise, make sure their region matches the zones where you will define your firewall endpoints. From 2debdad1bdc6f574e981bd763dbebdd082d503d8 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sun, 27 Oct 2024 17:51:45 +0100 Subject: [PATCH 70/94] network security tests --- fast/stages/2-network-security/.fast-stage.env | 5 +++++ .../{s3_network_security => s2_network_security}/__init__.py | 0 .../simple.tfvars | 0 .../{s3_network_security => s2_network_security}/simple.yaml | 0 .../{s3_network_security => s2_network_security}/tftest.yaml | 2 +- .../{s3_network_security => s2_network_security}/tls.tfvars | 0 .../{s3_network_security => s2_network_security}/tls.yaml | 0 7 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 fast/stages/2-network-security/.fast-stage.env rename tests/fast/stages/{s3_network_security => s2_network_security}/__init__.py (100%) rename tests/fast/stages/{s3_network_security => s2_network_security}/simple.tfvars (100%) rename tests/fast/stages/{s3_network_security => s2_network_security}/simple.yaml (100%) rename tests/fast/stages/{s3_network_security => s2_network_security}/tftest.yaml (93%) rename tests/fast/stages/{s3_network_security => s2_network_security}/tls.tfvars (100%) rename tests/fast/stages/{s3_network_security => s2_network_security}/tls.yaml (100%) diff --git a/fast/stages/2-network-security/.fast-stage.env b/fast/stages/2-network-security/.fast-stage.env new file mode 100644 index 0000000000..6c51deaae4 --- /dev/null +++ b/fast/stages/2-network-security/.fast-stage.env @@ -0,0 +1,5 @@ +FAST_STAGE_DESCRIPTION="network securoty (optional)" +FAST_STAGE_LEVEL=2 +FAST_STAGE_NAME=network-security +FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman" +FAST_STAGE_OPTIONAL="2-networking 2-security" \ No newline at end of file diff --git a/tests/fast/stages/s3_network_security/__init__.py b/tests/fast/stages/s2_network_security/__init__.py similarity index 100% rename from tests/fast/stages/s3_network_security/__init__.py rename to tests/fast/stages/s2_network_security/__init__.py 
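Review bot: `FAST_STAGE_DESCRIPTION` in the new `fast/stages/2-network-security/.fast-stage.env` is misspelled; the first added line should read `FAST_STAGE_DESCRIPTION="network security (optional)"`. The value appears to be printed by the links script, because the regenerated 2-network-security README in the following patch shows `# File linking commands for network securoty (optional) stage`, so the typo reaches operator-facing output and the docs. The file also ends without a trailing newline (`\ No newline at end of file` after `FAST_STAGE_OPTIONAL`); terminating the last line keeps the final variable intact if the file is ever read line by line or concatenated.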
diff --git a/tests/fast/stages/s3_network_security/simple.tfvars b/tests/fast/stages/s2_network_security/simple.tfvars similarity index 100% rename from tests/fast/stages/s3_network_security/simple.tfvars rename to tests/fast/stages/s2_network_security/simple.tfvars diff --git a/tests/fast/stages/s3_network_security/simple.yaml b/tests/fast/stages/s2_network_security/simple.yaml similarity index 100% rename from tests/fast/stages/s3_network_security/simple.yaml rename to tests/fast/stages/s2_network_security/simple.yaml diff --git a/tests/fast/stages/s3_network_security/tftest.yaml b/tests/fast/stages/s2_network_security/tftest.yaml similarity index 93% rename from tests/fast/stages/s3_network_security/tftest.yaml rename to tests/fast/stages/s2_network_security/tftest.yaml index 5f6eafbb35..05246b4ebb 100644 --- a/tests/fast/stages/s3_network_security/tftest.yaml +++ b/tests/fast/stages/s2_network_security/tftest.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -module: fast/stages/3-network-security/ +module: fast/stages/2-network-security/ tests: simple: diff --git a/tests/fast/stages/s3_network_security/tls.tfvars b/tests/fast/stages/s2_network_security/tls.tfvars similarity index 100% rename from tests/fast/stages/s3_network_security/tls.tfvars rename to tests/fast/stages/s2_network_security/tls.tfvars diff --git a/tests/fast/stages/s3_network_security/tls.yaml b/tests/fast/stages/s2_network_security/tls.yaml similarity index 100% rename from tests/fast/stages/s3_network_security/tls.yaml rename to tests/fast/stages/s2_network_security/tls.yaml From a3d47657eee843eca447a2595b2d1f054f781de4 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Sun, 27 Oct 2024 20:08:10 +0100 Subject: [PATCH 71/94] replace stage links in README files --- fast/stages/0-bootstrap/README.md | 20 ++++++--- fast/stages/1-resman/README.md | 32 ++++++++++---- fast/stages/1-tenant-factory/.fast-stage.env | 3 +- fast/stages/1-tenant-factory/README.md | 30 +++++++++---- fast/stages/1-vpcsc/README.md | 34 +++++++++----- fast/stages/2-network-security/README.md | 42 +++++++++++++----- fast/stages/2-networking-a-simple/README.md | 38 +++++++++++----- fast/stages/2-networking-b-nva/README.md | 43 +++++++++++++----- .../2-networking-c-separate-envs/README.md | 36 +++++++++++---- fast/stages/2-project-factory/.fast-stage.env | 5 +++ fast/stages/2-project-factory/README.md | 44 ++++++++++++------- fast/stages/2-security/README.md | 36 +++++++++++---- fast/stages/3-gcve-dev/README.md | 32 +++++++++----- fast/stages/fast-links.sh | 6 ++- 14 files changed, 288 insertions(+), 113 deletions(-) create mode 100644 fast/stages/2-project-factory/.fast-stage.env diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index 6e05e029a6..26f15d9d7e 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md 
@@ -399,22 +399,30 @@ Once the initial `apply` completes successfully, configure a remote backend usin - the GCS bucket where output files are always stored - Terraform outputs (not recommended as it's more complex) -The following two snippets show how to leverage the `stage-links.sh` script in the root FAST folder to fetch the commands required for output files linking or copying, using either the local output folder configured via Terraform variables, or the GCS bucket which can be derived from the `automation` output. +The following two snippets show how to leverage the `fast-links.sh` script in the FAST stages folder to fetch the commands required for output files linking or copying, using either the local output folder configured via Terraform variables, or the GCS bucket which can be derived from the `automation` output. ```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '0-bootstrap' +# File linking commands for organization bootstrap stage -ln -s ~/fast-config/providers/0-bootstrap-providers.tf ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/0-bootstrap-providers.tf ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/0-bootstrap.auto.tfvars ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '0-bootstrap' +# File linking commands for organization bootstrap stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/0-bootstrap-providers.tf ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/0-bootstrap.auto.tfvars ./ ``` Copy/paste the command returned by the script to link or copy the provider file, then migrate state with `terraform init` and run `terraform apply`. 
If your organization was created with "Secure by Default Org Policy", that is with some of the org policies enabled, add `-var 'org_policies_config={"import_defaults": true}'` to `terraform apply`: diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index a0dd7c0cdc..d3b6c72073 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -170,26 +170,42 @@ Before running this stage, you need to make sure you have the correct credential As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. + +Using local output files. ```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config + +# File linking commands for resource management stage + +# provider file +ln -s ~/fast-config/fast-test-00/providers/1-resman-providers.tf ./ -# copy and paste the following commands for '1-resman' +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/providers/1-resman-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/1-resman.auto.tfvars ./ ``` +Using the GCS outputs bucket. 
+ ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '1-resman' +# File linking commands for resource management stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/1-resman-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/1-resman.auto.tfvars ./ ``` ### Impersonating the automation service account diff --git a/fast/stages/1-tenant-factory/.fast-stage.env b/fast/stages/1-tenant-factory/.fast-stage.env index 5efa6ad45b..c79bcec29d 100644 --- a/fast/stages/1-tenant-factory/.fast-stage.env +++ b/fast/stages/1-tenant-factory/.fast-stage.env @@ -1,5 +1,6 @@ FAST_STAGE_DESCRIPTION="tenant factory" FAST_STAGE_LEVEL=1 -FAST_STAGE_NAME=resman +FAST_STAGE_NAME=tenant-factory FAST_STAGE_DEPS="0-globals 0-bootstrap" +FAST_STAGE_PROVIDERS=resman # FAST_STAGE_OPTIONAL="" \ No newline at end of file diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index c253bf9dc4..cb892d8a0b 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md 
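Review bot: `FAST_STAGE_PROVIDERS=resman` in `fast/stages/1-tenant-factory/.fast-stage.env` is added without any comment saying why this stage points at another stage's provider file. The README hunk in the same patch now links `1-resman-providers.tf` where it used to link `1-tenant-factory-providers.tf`, which presumably means the tenant factory runs against the resource management stage's backend and automation identity. That is worth stating explicitly for anyone reviewing what this stage is allowed to do. I would put a line above the setting such as `# provider file is shared with 1-resman: this stage has no provider file of its own`, and confirm in the README that sharing the identity is intended.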
@@ -90,26 +90,38 @@ The only real prerequisite is having fully deployed the [bootstrap](../0-bootstr As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '1-tenant-factory' +# File linking commands for tenant factory stage -ln -s ~/fast-config/providers/1-tenant-factory-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/1-resman-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/1-tenant-factory.auto.tfvars ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '1-tenant-factory' +# File linking commands for tenant factory stage -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/1-tenant-factory-providers.tf ./ +# provider file +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/1-resman-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/1-tenant-factory.auto.tfvars ./ ``` ### Impersonating the automation service account diff --git a/fast/stages/1-vpcsc/README.md b/fast/stages/1-vpcsc/README.md index df8cea6976..fe5ebc78e6 100644 --- a/fast/stages/1-vpcsc/README.md +++ b/fast/stages/1-vpcsc/README.md 
@@ -91,27 +91,39 @@ It's of course possible to run this stage in isolation, but that's outside the s As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be get from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder or GCS output bucket. The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be get from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder or GCS output bucket. The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '1-vpcsc' +# File linking commands for vpc service controls stage -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/1-vpcsc-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/1-vpcsc.auto.tfvars ./ ``` ```bash # the outputs bucket name is in the stage 0 outputs and tfvars file -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 + +# File linking commands for vpc service controls stage + +# provider file +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/1-vpcsc-providers.tf ./ -# copy and paste the following commands for '2-security' +# input files from other stages +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ -gcloud alpha storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/1-vpcsc.auto.tfvars ./ ``` ### Impersonating the automation service account diff --git a/fast/stages/2-network-security/README.md b/fast/stages/2-network-security/README.md index cf52c977c1..4627098f6b 100644 
--- a/fast/stages/2-network-security/README.md +++ b/fast/stages/2-network-security/README.md 
@@ -52,30 +52,48 @@ Before running this stage, you need to make sure you have the correct credential As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '3-network-security' +# File linking commands for network securoty (optional) stage -ln -s ~/fast-config/providers/3-network-security-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/2-network-security-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/2-network-security.auto.tfvars ./ + +# optional files +ln -s ~/fast-config/fast-test-00/2-networking.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/2-security.auto.tfvars.json ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '3-network-security' +# File linking commands for network securoty (optional) stage -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-network-security-providers.tf ./ +# provider file +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-network-security-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ + +# conventional 
place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-network-security.auto.tfvars ./ + +# optional files +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-networking.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-security.auto.tfvars.json ./ ``` ### Impersonating the automation service account diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 3626af43d1..83c60be31a 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md @@ -109,7 +109,7 @@ This is a summary of the main options: - Cons: additional cost, marginal increase in latency, requires multiple tunnels for full bandwidth - [NCC](https://cloud.google.com/network-connectivity/docs/network-connectivity-center) - Pros: full bandwidth with no configurations, no extra latency, transitivity between spokes, feature (PSC transitivity, Private NAT, rich roadmap) - - Cons: traffic between spokes incour charges, PSA transitivity currently not supported, architectures involving NVAs can't currently easily be implemented + - Cons: traffic between spokes incour charges, PSA transitivity currently not supported, architectures involving NVAs can't currently easily be implemented - [Multi-NIC appliances](https://cloud.google.com/architecture/best-practices-vpc-design#multi-nic) (implemented by [2-networking-b-nva](../2-networking-b-nva/) - Pros: additional security features (e.g. IPS), potentially better integration with on-prem systems by using the same vendor - Cons: complex HA/failover setup, limited by VM bandwidth and scale, additional costs for VMs and licenses, out of band management of a critical cloud component 
@@ -280,28 +280,46 @@ Before running this stage, you need to make sure you have the correct credential As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '2-networking-*' +# File linking commands for networking (simple) stage -ln -s ~/fast-config/providers/2-networking-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/2-networking-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/2-networking.auto.tfvars ./ + +# optional files +ln -s ~/fast-config/fast-test-00/2-nsec.auto.tfvars.json ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '2-networking-*' +# File linking commands for networking (simple) stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-networking-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-networking.auto.tfvars ./ + +# optional files +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-nsec.auto.tfvars.json ./ ``` ### Impersonating the automation service account 
diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index 21d69c94ef..3e61e7496b 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md @@ -10,7 +10,7 @@ It adopts the common “hub and spoke” reference design, which is well suited - the "dmz" or "untrusted" VPC centralizes the external connectivity towards untrusted network resources, such as Internet (inbound and outbound) or 3P service providers or parties connected through VPN or Interconnect. - the "spoke" VPCs allow partitioning workloads (e.g. by environment like in this setup), while still retaining controlled access to central connectivity and services - Shared VPCs -both in hub and spokes- split the management of the network resources into specific (host) projects, while still allowing them to be consumed from the workload (service) projects -- if Regional VPC network mode is selected two additional regional trusted hub VPCs are deployed to provide connectivity to GCP services (eg. GCVE) that don't support multi-regional routing. +- if Regional VPC network mode is selected two additional regional trusted hub VPCs are deployed to provide connectivity to GCP services (eg. GCVE) that don't support multi-regional routing. - the design facilitates DNS centralization Connectivity between the hub and the spokes is established via [VPC network peerings](https://cloud.google.com/vpc/docs/vpc-peering), which offer uncapped bandwidth, lower latencies, at no additional costs and with a very low management overhead. Different ways of implementing connectivity, and related some pros and cons, are discussed below. 
@@ -82,7 +82,8 @@ The final number of subnets, and their IP addressing will depend on the user-spe ## Design overview and choices ### Deployment models -This stage support three different deployment models that can be controlled by `var.network_mode`. The stage deploys networking resources in two different regions and supports both regional and multi-regional VPCs. Depending on the selected deployment model different routing strategies and NVAs failover modes can be implemented. + +This stage support three different deployment models that can be controlled by `var.network_mode`. The stage deploys networking resources in two different regions and supports both regional and multi-regional VPCs. Depending on the selected deployment model different routing strategies and NVAs failover modes can be implemented. - **Simple NVA**: This network mode deploys multi-regional VPCs, the network appliances are configured behind a "ILB Sandwitch" (two different network passthrough internal load balancers on each of `dmz` and `landing` VPCs), with static routes sending traffic for specific destinations to specific network appliances group through the load balancer. - **NCC-RA**: This network mode deploys multi-regional VPCs as the simple mode but provides a different routing strategy. The network appliances establish BGP sessions with a Cloud Router on both `dmz` and `landing` VPCs, which comes with the following benefits, at the cost of additional initial setup complexity: 
@@ -113,7 +114,7 @@ The landing network area acts as a hub: the multi-region landing VPC bridges int Each virtual network is a [shared VPC](https://cloud.google.com/vpc/docs/shared-vpc): shared VPCs are managed in dedicated *host projects* and shared with other *service projects* that consume the network resources. Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls. -When the **regional network mode** is selected, the stage deploys two additional landing VPCs each one with a regional scope. If required the regional VPCs can be exteded as shared VPC and cosumed by other service (spoke) projects. +When the **regional network mode** is selected, the stage deploys two additional landing VPCs each one with a regional scope. If required the regional VPCs can be exteded as shared VPC and cosumed by other service (spoke) projects. Users can easily extend the design to host additional environments, or adopt different logical mappings for the spokes (for example, in order to create a new spoke for each company entity). Adding spokes is trivial and it does not increase the design complexity. The steps to add more spokes are provided in the following sections. In multi-organization scenarios, where production and non-production resources use different Cloud Identity and GCP organizations, the hub/landing VPC is usually part of the production organization. It establishes connections with the production spokes within the same organization, and with non-production spokes in a different organization. 
@@ -348,28 +349,46 @@ Note that by default the "Simple NVA" architecture is deployed - in order to ena As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config + +# File linking commands for networking (nva) stage + +# provider file +ln -s ~/fast-config/fast-test-00/providers/2-networking-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ -# copy and paste the following commands for '2-networking-*' +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/2-networking.auto.tfvars ./ -ln -s ~/fast-config/providers/2-networking-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +# optional files +ln -s ~/fast-config/fast-test-00/2-nsec.auto.tfvars.json ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '2-networking-*' +# File linking commands for networking (nva) stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-networking-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-networking.auto.tfvars ./ + +# optional files +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-nsec.auto.tfvars.json ./ ``` ### Impersonating the automation service account 
diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md
index 4abb36cfc3..643a8e2367 100644
--- a/fast/stages/2-networking-c-separate-envs/README.md
+++ b/fast/stages/2-networking-c-separate-envs/README.md
@@ -175,28 +175,46 @@ Before running this stage, you need to make sure you have the correct credential As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '2-networking-*' +# File linking commands for networking (separate environments) stage -ln -s ~/fast-config/providers/2-networking-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/2-networking-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/2-networking.auto.tfvars ./ + +# optional files +ln -s ~/fast-config/fast-test-00/2-nsec.auto.tfvars.json ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '2-networking-*' +# File linking commands for networking (separate environments) stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-networking-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-networking.auto.tfvars ./ + +# optional files +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-nsec.auto.tfvars.json ./ ``` ### Impersonating the automation service account 
diff --git a/fast/stages/2-project-factory/.fast-stage.env b/fast/stages/2-project-factory/.fast-stage.env new file mode 100644 index 0000000000..a22865d96e --- /dev/null +++ b/fast/stages/2-project-factory/.fast-stage.env @@ -0,0 +1,5 @@ +FAST_STAGE_DESCRIPTION="project factory (org level)" +FAST_STAGE_LEVEL=2 +FAST_STAGE_NAME=project-factory +FAST_STAGE_DEPS="0-globals 0-bootstrap 1-resman" +FAST_STAGE_OPTIONAL="2-networking 2-security" \ No newline at end of file diff --git a/fast/stages/2-project-factory/README.md b/fast/stages/2-project-factory/README.md index f1ab1d6e80..124b9072c0 100644 --- a/fast/stages/2-project-factory/README.md +++ b/fast/stages/2-project-factory/README.md 
@@ -100,34 +100,48 @@ The `data` folder in this stage contains factory files that can be used as examp As all other FAST stages, the [mechanism](../0-bootstrap/README.md#output-files-and-cross-stage-variables) used to pass variable values and pre-built provider files from one stage to the next is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '2-project-factory' +# File linking commands for project factory (org level) stage -ln -s ~/fast-config/providers/2-project-factory-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -# optional but recommended -ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-security.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/2-project-factory-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/2-project-factory.auto.tfvars ./ + +# optional files +ln -s ~/fast-config/fast-test-00/2-networking.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/2-security.auto.tfvars.json ./ ``` ```bash -../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '2-project-factory' +# File linking commands for project factory (org level) stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-project-factory-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ -# optional but recommended -gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ 
-gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-security.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-project-factory.auto.tfvars ./ + +# optional files +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-networking.auto.tfvars.json ./ +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-security.auto.tfvars.json ./ ``` If you're not using FAST, refer to the [Variables](#variables) table at the bottom of this document for a full list of variables, their origin (e.g., a stage or specific to this one), and descriptions explaining their meaning. diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index 6641d92368..d97d56e213 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -76,28 +76,46 @@ Before running this stage, you need to make sure you have the correct credential As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '2-security' +# File linking commands for security stage -ln -s ~/fast-config/providers/2-security-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/2-security-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/2-security.auto.tfvars ./ + +# optional files +ln -s ~/fast-config/fast-test-00/2-nsec.auto.tfvars.json ./ ``` ```bash -../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '2-security' +# File linking commands for security stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/2-security-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-security.auto.tfvars ./ + +# optional files +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/2-nsec.auto.tfvars.json ./ ``` ### Impersonating the automation service account diff --git a/fast/stages/3-gcve-dev/README.md b/fast/stages/3-gcve-dev/README.md index 6e159556ca..8fad3b48db 100644 
--- a/fast/stages/3-gcve-dev/README.md
+++ b/fast/stages/3-gcve-dev/README.md
@@ -90,30 +90,42 @@ Before running this stage, you need to make sure you have the correct credential As all other FAST stages, the [mechanism used to pass variable values and pre-built provider files from one stage to the next](../0-bootstrap/README.md#output-files-and-cross-stage-variables) is also leveraged here. -The commands to link or copy the provider and terraform variable files can be easily derived from the `stage-links.sh` script in the FAST root folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. +The commands to link or copy the provider and terraform variable files can be easily derived from the `fast-links.sh` script in the FAST stages folder, passing it a single argument with the local output files folder (if configured) or the GCS output bucket in the automation project (derived from stage 0 outputs). The following examples demonstrate both cases, and the resulting commands that then need to be copy/pasted and run. 
```bash -../../../stage-links.sh ~/fast-config +../fast-links.sh ~/fast-config -# copy and paste the following commands for '3-gcve' +# File linking commands for GCVE (dev) stage -ln -s ~/fast-config/providers/3-gcve-dev-providers.tf ./ -ln -s ~/fast-config/tfvars/0-globals.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/0-bootstrap.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/1-resman.auto.tfvars.json ./ -ln -s ~/fast-config/tfvars/2-networking.auto.tfvars.json ./ +# provider file +ln -s ~/fast-config/fast-test-00/providers/3-gcve-dev-providers.tf ./ + +# input files from other stages +ln -s ~/fast-config/fast-test-00/tfvars/0-globals.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/0-bootstrap.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/1-resman.auto.tfvars.json ./ +ln -s ~/fast-config/fast-test-00/tfvars/2-networking.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +ln -s ~/fast-config/fast-test-00/3-gcve-dev.auto.tfvars ./ ``` ```bash -../../../stage-links.sh gs://xxx-prod-iac-core-outputs-0 +../fast-links.sh gs://xxx-prod-iac-core-outputs-0 -# copy and paste the following commands for '3-gcve' +# File linking commands for GCVE (dev) stage +# provider file gcloud storage cp gs://xxx-prod-iac-core-outputs-0/providers/3-gcve-dev-providers.tf ./ + +# input files from other stages gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-globals.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/0-bootstrap.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/1-resman.auto.tfvars.json ./ gcloud storage cp gs://xxx-prod-iac-core-outputs-0/tfvars/2-networking.auto.tfvars.json ./ + +# conventional place for stage tfvars (manually created) +gcloud storage cp gs://xxx-prod-iac-core-outputs-0/3-gcve-dev.auto.tfvars ./ ``` ### Impersonating the automation service account 
diff --git a/fast/stages/fast-links.sh b/fast/stages/fast-links.sh index 84086acd83..ce8e80797c 100755 --- a/fast/stages/fast-links.sh +++ b/fast/stages/fast-links.sh @@ -56,7 +56,11 @@ set -a && source .fast-stage.env && set +a echo -e "# File linking commands for $FAST_STAGE_DESCRIPTION stage\n" echo "# provider file" -echo "$CMD/providers/${FAST_STAGE_LEVEL}-${FAST_STAGE_NAME}-providers.tf ./" +if [[ ! -z ${FAST_STAGE_PROVIDERS+x} ]]; then + echo "$CMD/providers/${FAST_STAGE_LEVEL}-${FAST_STAGE_PROVIDERS}-providers.tf ./" +else + echo "$CMD/providers/${FAST_STAGE_LEVEL}-${FAST_STAGE_NAME}-providers.tf ./" +fi if [[ ! -z ${FAST_STAGE_DEPS+x} ]]; then echo -e "\n# input files from other stages" From ff7cb9d981b42b65cea6913a3df85fef1c6b0f65 Mon Sep 17 00:00:00 2001 From: Ludo Date: Mon, 28 Oct 2024 09:07:56 +0100 Subject: [PATCH 72/94] minimal netsec stage refactor --- fast/stages/2-network-security/README.md | 24 +++---- fast/stages/2-network-security/net-dev.tf | 65 +++++++++++++------ fast/stages/2-network-security/net-prod.tf | 65 +++++++++++++------ fast/stages/2-network-security/outputs.tf | 57 ++++++++++++++-- .../2-network-security/variables-fast.tf | 10 +++ fast/stages/2-network-security/variables.tf | 6 ++ fast/stages/fast-links.sh | 2 +- .../stages/s2_network_security/simple.tfvars | 3 + .../stages/s2_network_security/simple.yaml | 3 +- .../stages/s2_network_security/tls.tfvars | 3 + .../fast/stages/s2_network_security/tls.yaml | 38 +++++++---- 11 files changed, 210 insertions(+), 66 deletions(-) diff --git a/fast/stages/2-network-security/README.md b/fast/stages/2-network-security/README.md index 4627098f6b..4e7619d677 100644 --- a/fast/stages/2-network-security/README.md +++ b/fast/stages/2-network-security/README.md 
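Review bot: The new `${FAST_STAGE_PROVIDERS+x}` test in the provider-file branch is true for a variable that is set but empty, so an empty value prints a `<level>--providers.tf` path. `.fast-stage.env` is sourced into the running shell (visible in the hunk header context) and nothing clears the variable first, so a `FAST_STAGE_PROVIDERS` already exported by the caller would also be used for a stage that does not define it. The printed commands are meant to be pasted and run, so the wrong provider file could be linked without any error. I would test for a non-empty value with `if [[ -n "${FAST_STAGE_PROVIDERS:-}" ]]; then` and add `unset FAST_STAGE_PROVIDERS` before the `source` line. The script continues outside this hunk.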
@@ -170,28 +170,30 @@ Make sure the CAs and the trusted configs created for NGFW Enterprise in the [2- | [main.tf](./main.tf) | Next-Generation Firewall Enterprise configuration. | project | google_network_security_firewall_endpoint | | [net-dev.tf](./net-dev.tf) | Security components for dev spoke VPC. | net-firewall-policy | google_network_security_firewall_endpoint_association · google_network_security_security_profile · google_network_security_security_profile_group | | [net-prod.tf](./net-prod.tf) | Security components for prod spoke VPC. | net-firewall-policy | google_network_security_firewall_endpoint_association · google_network_security_security_profile · google_network_security_security_profile_group | -| [outputs.tf](./outputs.tf) | Module outputs. | | | -| [variables-fast.tf](./variables-fast.tf) | None | | | +| [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | +| [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | | | [variables.tf](./variables.tf) | Module variables. | | | ## Variables | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [billing_account](variables-fast.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L30) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L72) | Organization details. | object({…}) | ✓ | | 00-globals | -| [prefix](variables-fast.tf#L82) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [vpc_self_links](variables-fast.tf#L92) | Self link for the shared VPC. 
| object({…}) | ✓ | | 2-networking | +| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [folder_ids](variables-fast.tf#L40) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L82) | Organization details. | object({…}) | ✓ | | 00-globals | +| [prefix](variables-fast.tf#L92) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [vpc_self_links](variables-fast.tf#L102) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking | | [factories_config](variables.tf#L17) | Configuration for network resource factories. | object({…}) | | {…} | | -| [host_project_ids](variables-fast.tf#L41) | Host project for the shared VPC. | object({…}) | | {} | 2-networking | +| [host_project_ids](variables-fast.tf#L51) | Host project for the shared VPC. | object({…}) | | {} | 2-networking | | [ngfw_enterprise_config](variables.tf#L35) | NGFW Enterprise configuration. | object({…}) | | {…} | | -| [ngfw_tls_configs](variables-fast.tf#L52) | The NGFW Enterprise TLS configurations. | object({…}) | | {…} | 2-security | +| [ngfw_tls_configs](variables-fast.tf#L62) | The NGFW Enterprise TLS configurations. | object({…}) | | {…} | 2-security | +| [outputs_location](variables.tf#L51) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | ## Outputs | name | description | sensitive | consumers | |---|---|:---:|---| -| [ngfw_enterprise_endpoint_ids](outputs.tf#L17) | The NGFW Enterprise endpoint ids. 
| | | -| [ngfw_enterprise_endpoints_quota_project](outputs.tf#L25) | The NGFW Enterprise endpoints quota project. | | | +| [ngfw_enterprise_endpoint_ids](outputs.tf#L69) | The NGFW Enterprise endpoint ids. | | | +| [ngfw_enterprise_endpoints_quota_project](outputs.tf#L74) | The NGFW Enterprise endpoints quota project. | | | diff --git a/fast/stages/2-network-security/net-dev.tf b/fast/stages/2-network-security/net-dev.tf index 461cd8db00..b068a8f6c4 100644 --- a/fast/stages/2-network-security/net-dev.tf +++ b/fast/stages/2-network-security/net-dev.tf 
@@ -16,32 +16,55 @@ # tfdoc:file:description Security components for dev spoke VPC. -resource "google_network_security_security_profile" "dev_sec_profile" { +moved { + from = google_network_security_security_profile.dev_sec_profile + to = google_network_security_security_profile.dev +} + +resource "google_network_security_security_profile" "dev" { name = "${var.prefix}-dev-sp-0" type = "THREAT_PREVENTION" parent = "organizations/${var.organization.id}" location = "global" } -resource "google_network_security_security_profile_group" "dev_sec_profile_group" { - name = "${var.prefix}-dev-spg-0" - parent = "organizations/${var.organization.id}" - location = "global" - description = "Dev security profile group." - threat_prevention_profile = try(google_network_security_security_profile.dev_sec_profile.id, null) +moved { + from = google_network_security_security_profile_group.dev_sec_profile_group + to = google_network_security_security_profile_group.dev +} + +resource "google_network_security_security_profile_group" "dev" { + name = "${var.prefix}-dev-spg-0" + parent = "organizations/${var.organization.id}" + location = "global" + description = "Dev security profile group." 
+ threat_prevention_profile = try( + google_network_security_security_profile.dev.id, null + ) +} + +moved { + from = google_network_security_firewall_endpoint_association.dev_fw_ep_association + to = google_network_security_firewall_endpoint_association.dev } -resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_association" { - for_each = toset(var.ngfw_enterprise_config.endpoint_zones) - name = "${var.prefix}-dev-epa-${each.key}" - parent = "projects/${try(var.host_project_ids.dev-spoke-0, null)}" - location = each.value - firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id - network = try(local.vpc_ids.dev-spoke-0, null) +resource "google_network_security_firewall_endpoint_association" "dev" { + for_each = toset(var.ngfw_enterprise_config.endpoint_zones) + name = "${var.prefix}-dev-epa-${each.key}" + parent = "projects/${try(var.host_project_ids.dev-spoke-0, null)}" + location = each.value + firewall_endpoint = ( + google_network_security_firewall_endpoint.firewall_endpoint[each.key].id + ) + network = try(local.vpc_ids.dev-spoke-0, null) # If TLS inspection is enabled, link the regional TLS inspection policy tls_inspection_policy = ( var.ngfw_tls_configs.tls_enabled - ? try(var.ngfw_tls_configs.tls_ip_ids_by_region.dev[substr(each.value, 0, length(each.value) - 2)], null) + # TODO: make this try less verbose and more readable + ? try( + var.ngfw_tls_configs.tls_ip_ids_by_region.dev[substr(each.value, 0, length(each.value) - 2)], + null + ) : null ) } 
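Review bot: In the `dev` endpoint association, `tls_inspection_policy` still falls back to `null` through `try(…, null)` when `tls_ip_ids_by_region.dev` has no entry for the zone's region, so with `tls_enabled = true` the association is created without TLS inspection and the plan reports nothing. The added TODO only addresses readability; a precondition that fails when TLS is enabled and the lookup misses would turn this silent downgrade into a plan-time error. The same expression appears in the `prod` association in net-prod.tf. The region key is obtained by dropping the last two characters of the zone, which presumably assumes zone names of the form `<region>-<letter>`; a comment saying so would help.

```hcl
resource "google_network_security_firewall_endpoint_association" "dev" {
  # … unchanged: for_each, name, parent, location, firewall_endpoint, network, tls_inspection_policy …
  lifecycle {
    precondition {
      condition = (
        !var.ngfw_tls_configs.tls_enabled ||
        can(var.ngfw_tls_configs.tls_ip_ids_by_region.dev[
          substr(each.value, 0, length(each.value) - 2)
        ])
      )
      error_message = "TLS inspection is enabled but no dev TLS inspection policy is defined for this endpoint zone's region."
    }
  }
}
```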
@@ -52,14 +75,18 @@ module "dev-spoke-firewall-policy" { parent_id = try(var.host_project_ids.dev-spoke-0, null) region = "global" security_profile_group_ids = { - dev = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.dev_sec_profile_group.id, "")}" + dev = local.security_profile_group_ids.dev } attachments = { dev-spoke = try(var.vpc_self_links.dev-spoke-0, null) } factories_config = { - cidr_file_path = var.factories_config.cidrs - egress_rules_file_path = "${var.factories_config.firewall_policy_rules.dev}/egress.yaml" - ingress_rules_file_path = "${var.factories_config.firewall_policy_rules.dev}/ingress.yaml" + cidr_file_path = var.factories_config.cidrs + egress_rules_file_path = ( + "${var.factories_config.firewall_policy_rules.dev}/egress.yaml" + ) + ingress_rules_file_path = ( + "${var.factories_config.firewall_policy_rules.dev}/ingress.yaml" + ) } } diff --git a/fast/stages/2-network-security/net-prod.tf b/fast/stages/2-network-security/net-prod.tf index d69638033b..74d18ce1b4 100644 --- a/fast/stages/2-network-security/net-prod.tf +++ b/fast/stages/2-network-security/net-prod.tf 
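Review bot: `local.security_profile_group_ids` is read by this module but defined in outputs.tf later in the commit, which is an unexpected place for a value that feeds a firewall policy input; I would define the local in main.tf or next to the profile group resources. Its `try(…, "")` fallback would pass the bare `//networksecurity.googleapis.com/` prefix to the module instead of failing, although for a resource without `count` or `for_each` the `try` probably never triggers and can be dropped, as in `dev = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.dev.id}"`. The prod module in net-prod.tf uses the same local. The module block starts outside this hunk.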
@@ -16,32 +16,55 @@ # tfdoc:file:description Security components for prod spoke VPC. -resource "google_network_security_security_profile" "prod_sec_profile" { +moved { + from = google_network_security_security_profile.prod_sec_profile + to = google_network_security_security_profile.prod +} + +resource "google_network_security_security_profile" "prod" { name = "${var.prefix}-prod-sp-0" type = "THREAT_PREVENTION" parent = "organizations/${var.organization.id}" location = "global" } -resource "google_network_security_security_profile_group" "prod_sec_profile_group" { - name = "${var.prefix}-prod-spg-0" - parent = "organizations/${var.organization.id}" - location = "global" - description = "prod security profile group." - threat_prevention_profile = try(google_network_security_security_profile.prod_sec_profile.id, null) +moved { + from = google_network_security_security_profile_group.prod_sec_profile_group + to = google_network_security_security_profile_group.prod +} + +resource "google_network_security_security_profile_group" "prod" { + name = "${var.prefix}-prod-spg-0" + parent = "organizations/${var.organization.id}" + location = "global" + description = "prod security profile group." 
+ threat_prevention_profile = try( + google_network_security_security_profile.prod.id, null + ) +} + +moved { + from = google_network_security_firewall_endpoint_association.prod_fw_ep_association + to = google_network_security_firewall_endpoint_association.prod } -resource "google_network_security_firewall_endpoint_association" "prod_fw_ep_association" { - for_each = toset(var.ngfw_enterprise_config.endpoint_zones) - name = "${var.prefix}-prod-epa-${each.key}" - parent = "projects/${try(var.host_project_ids.prod-spoke-0, null)}" - location = each.value - firewall_endpoint = google_network_security_firewall_endpoint.firewall_endpoint[each.key].id - network = try(local.vpc_ids.prod-spoke-0, null) +resource "google_network_security_firewall_endpoint_association" "prod" { + for_each = toset(var.ngfw_enterprise_config.endpoint_zones) + name = "${var.prefix}-prod-epa-${each.key}" + parent = "projects/${try(var.host_project_ids.prod-spoke-0, null)}" + location = each.value + firewall_endpoint = ( + google_network_security_firewall_endpoint.firewall_endpoint[each.key].id + ) + network = try(local.vpc_ids.prod-spoke-0, null) # If TLS inspection is enabled, link the regional TLS inspection policy tls_inspection_policy = ( var.ngfw_tls_configs.tls_enabled - ? try(var.ngfw_tls_configs.tls_ip_ids_by_region.prod[substr(each.value, 0, length(each.value) - 2)], null) + # TODO: make this try less verbose and more readable + ? try( + var.ngfw_tls_configs.tls_ip_ids_by_region.prod[substr(each.value, 0, length(each.value) - 2)], + null + ) : null ) } 
@@ -52,14 +75,18 @@ module "prod-spoke-firewall-policy" { parent_id = try(var.host_project_ids.prod-spoke-0, null) region = "global" security_profile_group_ids = { - prod = "//networksecurity.googleapis.com/${try(google_network_security_security_profile_group.prod_sec_profile_group.id, "")}" + prod = local.security_profile_group_ids.prod } attachments = { prod-spoke = try(var.vpc_self_links.prod-spoke-0, null) } factories_config = { - cidr_file_path = var.factories_config.cidrs - egress_rules_file_path = "${var.factories_config.firewall_policy_rules.prod}/egress.yaml" - ingress_rules_file_path = "${var.factories_config.firewall_policy_rules.prod}/ingress.yaml" + cidr_file_path = var.factories_config.cidrs + egress_rules_file_path = ( + "${var.factories_config.firewall_policy_rules.prod}/egress.yaml" + ) + ingress_rules_file_path = ( + "${var.factories_config.firewall_policy_rules.prod}/ingress.yaml" + ) } } diff --git a/fast/stages/2-network-security/outputs.tf b/fast/stages/2-network-security/outputs.tf index ce93d8e512..acd5944e27 100644 --- a/fast/stages/2-network-security/outputs.tf +++ b/fast/stages/2-network-security/outputs.tf 
@@ -14,12 +14,61 @@ * limitations under the License. */ +locals { + security_profile_group_ids = { + dev = format( + "//networksecurity.googleapis.com/%s", + try(google_network_security_security_profile_group.dev.id, "") + ) + prod = format( + "//networksecurity.googleapis.com/%s", + try(google_network_security_security_profile_group.prod.id, "") + ) + } + tfvars = { + association_ids = { + dev = { + for k, v in google_network_security_firewall_endpoint_association.dev : + k => v.id + } + prod = { + for k, v in google_network_security_firewall_endpoint_association.prod : + k => v.id + } + } + endpoint_ids = { + for _, v in google_network_security_firewall_endpoint.firewall_endpoint + : v.location => v.id + } + firewall_policy_ids = { + dev = module.dev-spoke-firewall-policy.id + prod = module.prod-spoke-firewall-policy.id + } + security_profile_group_ids = local.security_profile_group_ids + quota_project_id = module.ngfw-quota-project.id + } +} + +# generate tfvars file for subsequent stages + +resource "local_file" "tfvars" { + for_each = var.outputs_location == null ? {} : { 1 = 1 } + file_permission = "0644" + filename = "${try(pathexpand(var.outputs_location), "")}/tfvars/2-nsec.auto.tfvars.json" + content = jsonencode(local.tfvars) +} + +resource "google_storage_bucket_object" "tfvars" { + bucket = var.automation.outputs_bucket + name = "tfvars/2-nsec.auto.tfvars.json" + content = jsonencode(local.tfvars) +} + +# outputs + output "ngfw_enterprise_endpoint_ids" { description = "The NGFW Enterprise endpoint ids." - value = { - for _, v in google_network_security_firewall_endpoint.firewall_endpoint - : v.location => v.id - } + value = local.tfvars.endpoint_ids } output "ngfw_enterprise_endpoints_quota_project" { diff --git a/fast/stages/2-network-security/variables-fast.tf b/fast/stages/2-network-security/variables-fast.tf index e6b6de55c1..45fb1c0fbd 100644 --- a/fast/stages/2-network-security/variables-fast.tf 
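Review bot: The `try(..., "")` fallbacks in `local.security_profile_group_ids` turn a missing profile group into the bare string `//networksecurity.googleapis.com/`, which is passed to the firewall policy module and exported in the tfvars file as if it were a valid id. If the profile group resources are declared without `count` or `for_each` (their declarations are outside this hunk), the `try` can never fire and can be dropped: `prod = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.prod.id}"`. Separately, `local_file.tfvars` is written with `file_permission = "0644"`; the content here is only resource ids, but a comment such as `# ids only, keep secrets out of local.tfvars` would warn anyone extending the map later.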
+++ b/fast/stages/2-network-security/variables-fast.tf @@ -14,6 +14,16 @@ * limitations under the License. */ +# tfdoc:file:description FAST stage interface. + +variable "automation" { + # tfdoc:variable:source 0-bootstrap + description = "Automation resources created by the bootstrap stage." + type = object({ + outputs_bucket = string + }) +} + variable "billing_account" { # tfdoc:variable:source 0-bootstrap description = "Billing account id. If billing account is not part of the same org set `is_org_level` to false." diff --git a/fast/stages/2-network-security/variables.tf b/fast/stages/2-network-security/variables.tf index d291577fc7..94f00b6fed 100644 --- a/fast/stages/2-network-security/variables.tf +++ b/fast/stages/2-network-security/variables.tf @@ -47,3 +47,9 @@ variable "ngfw_enterprise_config" { ] } } + +variable "outputs_location" { + description = "Path where providers and tfvars files for the following stages are written. Leave empty to disable." + type = string + default = null +} diff --git a/fast/stages/fast-links.sh b/fast/stages/fast-links.sh index ce8e80797c..eaa6206912 100755 --- a/fast/stages/fast-links.sh +++ b/fast/stages/fast-links.sh @@ -75,7 +75,7 @@ echo "$CMD/${FAST_STAGE_LEVEL}-${FAST_STAGE_NAME}.auto.tfvars ./" if [[ ! -z ${FAST_STAGE_OPTIONAL+x} ]]; then echo -e "\n# optional files" for f in $FAST_STAGE_OPTIONAL; do - echo "$CMD/$f.auto.tfvars.json ./" + echo "$CMD/tfvars/$f.auto.tfvars.json ./" done fi diff --git a/tests/fast/stages/s2_network_security/simple.tfvars b/tests/fast/stages/s2_network_security/simple.tfvars index f713e5af7e..1ab02d8d2a 100644 --- a/tests/fast/stages/s2_network_security/simple.tfvars +++ b/tests/fast/stages/s2_network_security/simple.tfvars @@ -1,3 +1,6 @@ +automation = { + outputs_bucket = "test" +} billing_account = { id = "000000-111111-222222" } diff --git a/tests/fast/stages/s2_network_security/simple.yaml b/tests/fast/stages/s2_network_security/simple.yaml index 4deac063da..c0ff76a2d5 100644 
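Review bot: The description of `outputs_location` says "Leave empty to disable", but the `local_file.tfvars` resource added in outputs.tf is only skipped when the value is `null`. With an empty string the `for_each` still yields one instance and the filename becomes `/tfvars/2-nsec.auto.tfvars.json`, a path at the filesystem root. I would align the wording with the bootstrap stage, `description = "Path where providers and tfvars files for the following stages are written. Leave null to disable."`, or treat `""` the same as `null` in the `for_each` condition.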
--- a/tests/fast/stages/s2_network_security/simple.yaml +++ b/tests/fast/stages/s2_network_security/simple.yaml @@ -23,5 +23,6 @@ counts: google_project: 1 google_project_service: 1 google_project_service_identity: 1 + google_storage_bucket_object: 1 modules: 3 - resources: 24 + resources: 25 diff --git a/tests/fast/stages/s2_network_security/tls.tfvars b/tests/fast/stages/s2_network_security/tls.tfvars index 72f88d6604..ecd91f565f 100644 --- a/tests/fast/stages/s2_network_security/tls.tfvars +++ b/tests/fast/stages/s2_network_security/tls.tfvars @@ -1,3 +1,6 @@ +automation = { + outputs_bucket = "test" +} billing_account = { id = "000000-111111-222222" } diff --git a/tests/fast/stages/s2_network_security/tls.yaml b/tests/fast/stages/s2_network_security/tls.yaml index 83431eac8a..8c6e0a93dc 100644 --- a/tests/fast/stages/s2_network_security/tls.yaml +++ b/tests/fast/stages/s2_network_security/tls.yaml @@ -34,7 +34,7 @@ values: name: fast2-ngfw-endpoint-europe-west1-d parent: organizations/123456789012 timeouts: null - google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-b"]: + google_network_security_firewall_endpoint_association.dev["europe-west1-b"]: disabled: false labels: null location: europe-west1-b @@ -43,7 +43,7 @@ values: parent: projects/dev-project timeouts: null tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0 - google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-c"]: + google_network_security_firewall_endpoint_association.dev["europe-west1-c"]: disabled: false labels: null location: europe-west1-c 
@@ -52,7 +52,7 @@ values: parent: projects/dev-project timeouts: null tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0 - google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-d"]: + google_network_security_firewall_endpoint_association.dev["europe-west1-d"]: disabled: false labels: null location: europe-west1-d @@ -61,7 +61,7 @@ values: parent: projects/dev-project timeouts: null tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0 - google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-b"]: + google_network_security_firewall_endpoint_association.prod["europe-west1-b"]: disabled: false labels: null location: europe-west1-b @@ -70,7 +70,7 @@ values: parent: projects/prod-project timeouts: null tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0 - google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-c"]: + google_network_security_firewall_endpoint_association.prod["europe-west1-c"]: disabled: false labels: null location: europe-west1-c @@ -79,7 +79,7 @@ values: parent: projects/prod-project timeouts: null tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0 - google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-d"]: + google_network_security_firewall_endpoint_association.prod["europe-west1-d"]: disabled: false labels: null location: europe-west1-d @@ -88,7 +88,7 @@ values: parent: projects/prod-project timeouts: null tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0 - google_network_security_security_profile.dev_sec_profile: + google_network_security_security_profile.dev: description: null labels: null location: global 
@@ -97,7 +97,7 @@ values: threat_prevention_profile: [] timeouts: null type: THREAT_PREVENTION - google_network_security_security_profile.prod_sec_profile: + google_network_security_security_profile.prod: description: null labels: null location: global @@ -106,20 +106,35 @@ values: threat_prevention_profile: [] timeouts: null type: THREAT_PREVENTION - google_network_security_security_profile_group.dev_sec_profile_group: + google_network_security_security_profile_group.dev: description: Dev security profile group. labels: null location: global name: fast2-dev-spg-0 parent: organizations/123456789012 timeouts: null - google_network_security_security_profile_group.prod_sec_profile_group: + google_network_security_security_profile_group.prod: description: prod security profile group. labels: null location: global name: fast2-prod-spg-0 parent: organizations/123456789012 timeouts: null + google_storage_bucket_object.tfvars: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: tfvars/2-nsec.auto.tfvars.json + retention: [] + source: null + temporary_hold: null + timeouts: null module.dev-spoke-firewall-policy.google_compute_network_firewall_policy.net-global[0]: description: null name: fast2-dev-fw-policy @@ -300,8 +315,9 @@ counts: google_project: 1 google_project_service: 1 google_project_service_identity: 1 + google_storage_bucket_object: 1 modules: 3 - resources: 24 + resources: 25 outputs: ngfw_enterprise_endpoint_ids: __missing__ From d67b242cbd44020e0d34ef365a1441e4edcf5b59 Mon Sep 17 00:00:00 2001 
From: Ludo Date: Mon, 28 Oct 2024 10:01:19 +0100 Subject: [PATCH 73/94] use factory for iac org policies, add configurable drs org policy for iac --- fast/stages/0-bootstrap/README.md | 28 +++++++++---------- fast/stages/0-bootstrap/automation.tf | 28 ++++++++++++------- .../data/org-policies-iac/compute.yaml | 19 +++++++++++++ .../data/org-policies-iac/iam.yaml | 24 ++++++++++++++++ fast/stages/0-bootstrap/organization.tf | 2 +- fast/stages/0-bootstrap/variables.tf | 6 ++-- 6 files changed, 80 insertions(+), 27 deletions(-) create mode 100644 fast/stages/0-bootstrap/data/org-policies-iac/compute.yaml create mode 100644 fast/stages/0-bootstrap/data/org-policies-iac/iam.yaml diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index 26f15d9d7e..b1ee3f7ec0 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md 
@@ -661,25 +661,25 @@ The remaining configuration is manual, as it regards the repositories themselves | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | | -| [organization](variables.tf#L264) | Organization details. | object({…}) | ✓ | | | -| [prefix](variables.tf#L279) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | +| [organization](variables.tf#L266) | Organization details. | object({…}) | ✓ | | | +| [prefix](variables.tf#L281) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | | | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | | [custom_roles](variables.tf#L87) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | | | [environments](variables.tf#L94) | Environment names. | map(object({…})) | | {…} | | | [essential_contacts](variables.tf#L118) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L124) | Configuration for the resource factories or external data. | object({…}) | | {} | | -| [groups](variables.tf#L134) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. 
| object({…}) | | {} | | -| [iam](variables.tf#L150) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | -| [iam_bindings_additive](variables.tf#L157) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | -| [iam_by_principals](variables.tf#L172) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | -| [locations](variables.tf#L179) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | -| [log_sinks](variables.tf#L193) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | -| [org_policies_config](variables.tf#L246) | Organization policies customization. | object({…}) | | {} | | -| [outputs_location](variables.tf#L273) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [project_parent_ids](variables.tf#L288) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | | -| [workforce_identity_providers](variables.tf#L299) | Workforce Identity Federation pools. | map(object({…})) | | {} | | -| [workload_identity_providers](variables.tf#L315) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | +| [factories_config](variables.tf#L124) | Configuration for the resource factories or external data. | object({…}) | | {} | | +| [groups](variables.tf#L135) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. 
| object({…}) | | {} | | +| [iam](variables.tf#L151) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | +| [iam_bindings_additive](variables.tf#L158) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | +| [iam_by_principals](variables.tf#L173) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | +| [locations](variables.tf#L180) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | +| [log_sinks](variables.tf#L194) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | +| [org_policies_config](variables.tf#L247) | Organization policies customization. | object({…}) | | {} | | +| [outputs_location](variables.tf#L275) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [project_parent_ids](variables.tf#L290) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | | +| [workforce_identity_providers](variables.tf#L301) | Workforce Identity Federation pools. | map(object({…})) | | {} | | +| [workload_identity_providers](variables.tf#L317) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | ## Outputs diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf index 117716a15c..0b369aacac 100644 --- a/fast/stages/0-bootstrap/automation.tf +++ b/fast/stages/0-bootstrap/automation.tf 
@@ -38,6 +38,11 @@ module "automation-project" { ? {} : { (var.essential_contacts) = ["ALL"] } ) + factories_config = { + org_policies = ( + var.bootstrap_user != null ? null : var.factories_config.org_policies_iac + ) + } # human (groups) IAM bindings iam_by_principals = { (local.principals.gcp-devops) = [ @@ -117,17 +122,20 @@ module "automation-project" { role = "roles/serviceusage.serviceUsageViewer" } } - org_policies = var.bootstrap_user != null ? {} : { - "compute.skipDefaultNetworkCreation" = { - rules = [{ enforce = true }] - } - "iam.automaticIamGrantsForDefaultServiceAccounts" = { - rules = [{ enforce = true }] - } - "iam.disableServiceAccountKeyCreation" = { - rules = [{ enforce = true }] + org_policies = ( + var.bootstrap_user != null || var.org_policies_config.iac_policy_member_domains == null + ? {} + : { + "iam.allowedPolicyMemberDomains" = { + inherit_from_parent = true + rules = [{ + allow = { + values = var.org_policies_config.iac_policy_member_domains + } + }] + } } - } + ) services = concat( [ "accesscontextmanager.googleapis.com", diff --git a/fast/stages/0-bootstrap/data/org-policies-iac/compute.yaml b/fast/stages/0-bootstrap/data/org-policies-iac/compute.yaml new file mode 100644 index 0000000000..ffdcc7e9c1 --- /dev/null +++ b/fast/stages/0-bootstrap/data/org-policies-iac/compute.yaml 
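Review bot: The baseline policies for the automation project (`compute.skipDefaultNetworkCreation`, `iam.automaticIamGrantsForDefaultServiceAccounts`, `iam.disableServiceAccountKeyCreation`) are removed from the inline `org_policies` map in the second hunk and now come only from `var.factories_config.org_policies_iac` in the first. A caller who points that path at a folder without these files therefore loses them with no plan-time signal. A comment next to `factories_config` would make the dependency explicit, e.g. `# baseline IaC project policies (default network, default SA grants, SA keys) are expected in this factory folder`. In the new `iam.allowedPolicyMemberDomains` rule, `inherit_from_parent = true` should, as far as I understand the constraint, merge the listed values with what the parent allows rather than replace it, and an empty list is not treated like `null` by the condition; both deserve a line in the `iac_policy_member_domains` description. The module block starts and ends outside both hunks.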
@@ -0,0 +1,19 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
+
+compute.skipDefaultNetworkCreation:
+ rules:
+ - enforce: true
diff --git a/fast/stages/0-bootstrap/data/org-policies-iac/iam.yaml b/fast/stages/0-bootstrap/data/org-policies-iac/iam.yaml
new file mode 100644
index 0000000000..c4b603c6a5
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/org-policies-iac/iam.yaml
@@ -0,0 +1,24 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
+
+iam.automaticIamGrantsForDefaultServiceAccounts:
+ rules:
+ - enforce: true
+
+iam.disableServiceAccountKeyCreation:
+ rules:
+ - enforce: true
+
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index 9b7e209fbe..66646c06c0 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf @@ -202,7 +202,7 @@ module "organization" { factories_config = { custom_roles = var.factories_config.custom_roles org_policies = ( - var.bootstrap_user != null ? null : var.factories_config.org_policy + var.bootstrap_user != null ? null : var.factories_config.org_policies ) } logging_sinks = { diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf index 30b702e9e1..019c9afc52 100644 --- a/fast/stages/0-bootstrap/variables.tf +++ b/fast/stages/0-bootstrap/variables.tf @@ -124,8 +124,9 @@ variable "essential_contacts" { variable "factories_config" { description = "Configuration for the resource factories or external data." type = object({ - custom_roles = optional(string, "data/custom-roles") - org_policy = optional(string, "data/org-policies") + custom_roles = optional(string, "data/custom-roles") + org_policies = optional(string, "data/org-policies") + org_policies_iac = optional(string, "data/org-policies-iac") }) nullable = false default = {} @@ -246,6 +247,7 @@ variable "log_sinks" { variable "org_policies_config" { description = "Organization policies customization." type = object({ + iac_policy_member_domains = optional(list(string)) constraints = optional(object({ allowed_essential_contact_domains = optional(list(string), []) allowed_policy_member_domains = optional(list(string), []) From 75f789d6ee5be1c0ce598758847586f5ddaacb75 Mon Sep 17 00:00:00 2001 From: Ludo Date: Mon, 28 Oct 2024 13:58:09 +0100 Subject: [PATCH 74/94] test mt stage --- fast/stages/1-tenant-factory/.fast-stage.env | 3 +-- fast/stages/1-tenant-factory/README.md | 6 ++++++ fast/stages/1-tenant-factory/tenant-core.tf | 14 ++++++++++++-- fast/stages/1-tenant-factory/tenant-fast-vpcsc.tf | 9 +++++---- fast/stages/1-tenant-factory/tenant.tf | 4 ++-- tests/fast/stages/s1_tenant_factory/simple.yaml | 6 +++--- 6 files changed, 29 insertions(+), 13 deletions(-) 
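Review bot: Renaming `org_policy` to `org_policies` in the `factories_config` object type is silent for existing callers, because Terraform discards attributes that are not part of an object type constraint. A tfvars file that still sets `org_policy = "..."` will plan cleanly and fall back to the default `data/org-policies` folder. For a stage that applies organization-level policies this needs an explicit upgrade note, and the variable description could carry it, e.g. `description = "Configuration for the resource factories or external data. The org policies path attribute was renamed from org_policy to org_policies."`. The new `iac_policy_member_domains` attribute would also benefit from a comment saying it only takes effect once `bootstrap_user` is null, which is what the condition in automation.tf implements.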
diff --git a/fast/stages/1-tenant-factory/.fast-stage.env b/fast/stages/1-tenant-factory/.fast-stage.env index c79bcec29d..2feb424dd1 100644 --- a/fast/stages/1-tenant-factory/.fast-stage.env +++ b/fast/stages/1-tenant-factory/.fast-stage.env @@ -2,5 +2,4 @@ FAST_STAGE_DESCRIPTION="tenant factory" FAST_STAGE_LEVEL=1 FAST_STAGE_NAME=tenant-factory FAST_STAGE_DEPS="0-globals 0-bootstrap" -FAST_STAGE_PROVIDERS=resman -# FAST_STAGE_OPTIONAL="" \ No newline at end of file +# FAST_STAGE_OPTIONAL="" diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index cb892d8a0b..b771cbc021 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md @@ -155,6 +155,12 @@ terraform init terraform apply ``` +#### Organization policy errors + +If you get an organization policy error assigning IAM roles or setting essential contacts on tenant-level resources, make sure the tenant configuration contains the right customer id and domain in the `cloud_identity` attributes, and the administrative principals and essential contacts for the tenant belong to the right Cloud Identity. + +If both are correct, wait a couple of minutes for the organization policies to be enforced and retry. Remember to also check the organization-level IaC project org policies, which can be customized via the bootstrap stage variables. + ## Tenant configuration This stage has only three variables that can be customized: diff --git a/fast/stages/1-tenant-factory/tenant-core.tf b/fast/stages/1-tenant-factory/tenant-core.tf index 496dcf54f5..c4d3086c94 100644 --- a/fast/stages/1-tenant-factory/tenant-core.tf +++ b/fast/stages/1-tenant-factory/tenant-core.tf @@ -25,7 +25,7 @@ module "tenant-core-logbucket" { for_each = local.tenants parent_type = "project" parent = var.logging.project_id - id = "tenant-${each.key}-audit" + id = "tn-${each.key}-audit" location = var.locations.logging log_analytics = { enable = true } } 
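Review bot: Changing the log bucket `id` from `tenant-${each.key}-audit` to `tn-${each.key}-audit` will presumably force replacement of each tenant's audit log bucket on existing deployments, and nothing in this commit migrates or retains the old one. The same prefix change is applied to the folder sink name in the next hunk of this file and to `module.tenant-sa` and `module.tenant-gcs` in tenant.tf. The GCS bucket has `versioning = true` and looks like it holds tenant automation data, so replacing it would either fail on a non-empty bucket or drop its contents. If the rename is meant for new installs only, I would say so in the stage README and in a comment here, e.g. `# renamed from tenant-* : existing tenants need a state migration before applying`. The module blocks continue outside the hunks.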
@@ -36,7 +36,7 @@ module "tenant-core-folder" { parent = local.root_node name = "${each.value.descriptive_name} Core" logging_sinks = { - "tenant-${each.key}-audit" = { + "tn-${each.key}-audit" = { destination = module.tenant-core-logbucket[each.key].id filter = <<-FILTER log_id("cloudaudit.googleapis.com/activity") OR @@ -48,6 +48,16 @@ module "tenant-core-folder" { } } org_policies = each.value.cloud_identity == null ? {} : { + "essentialcontacts.allowedContactDomains" = { + rules = [{ + allow = { + values = formatlist("@%s", compact([ + var.organization.domain, + try(each.value.cloud_identity.domain, null) + ])) + } + }] + } "iam.allowedPolicyMemberDomains" = { rules = [{ allow = { diff --git a/fast/stages/1-tenant-factory/tenant-fast-vpcsc.tf b/fast/stages/1-tenant-factory/tenant-fast-vpcsc.tf index 6330f52440..12b235bec3 100644 --- a/fast/stages/1-tenant-factory/tenant-fast-vpcsc.tf +++ b/fast/stages/1-tenant-factory/tenant-fast-vpcsc.tf @@ -29,10 +29,11 @@ module "tenant-vpcsc-policy" { } iam_bindings_additive = merge( { - tenant_admins = { - role = "roles/accesscontextmanager.policyAdmin" - member = each.value.admin_principal - } + # uncomment this if tenant admins are allowed by org-level DRS policy + # tenant_admins = { + # role = "roles/accesscontextmanager.policyAdmin" + # member = each.value.admin_principal + # } tenant_sa = { role = "roles/accesscontextmanager.policyAdmin" member = module.tenant-sa[each.key].iam_email diff --git a/fast/stages/1-tenant-factory/tenant.tf b/fast/stages/1-tenant-factory/tenant.tf index 79c202ef79..b143639f2c 100644 --- a/fast/stages/1-tenant-factory/tenant.tf +++ b/fast/stages/1-tenant-factory/tenant.tf @@ -97,7 +97,7 @@ module "tenant-sa" { source = "../../../modules/iam-service-account" for_each = local.tenants project_id = var.automation.project_id - name = "tenant-${each.key}-0" + name = "tn-${each.key}-0" display_name = "Terraform tenant ${each.key} service account." prefix = var.prefix iam = { 
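Review bot: In tenant-fast-vpcsc.tf the `tenant_admins` binding is disabled by commenting it out, so re-enabling it means editing stage source rather than configuration, and the change is invisible in a plan. The test inventory in this commit drops `google_access_context_manager_access_policy_iam_member` from 7 to 5 as a result. A conditional element inside the existing `merge(...)` keeps the decision reviewable, e.g. `<ENABLE_FLAG_PLACEHOLDER> ? { tenant_admins = { role = "roles/accesscontextmanager.policyAdmin", member = each.value.admin_principal } } : {}`, with the flag exposed as a tenant attribute and defaulting to false. The `merge` call and the module block extend outside the hunk.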
@@ -114,7 +114,7 @@ module "tenant-gcs" { source = "../../../modules/gcs" for_each = local.tenants project_id = var.automation.project_id - name = "tenant-${each.key}-0" + name = "tn-${each.key}-0" prefix = var.prefix location = each.value.locations.gcs versioning = true diff --git a/tests/fast/stages/s1_tenant_factory/simple.yaml b/tests/fast/stages/s1_tenant_factory/simple.yaml index dfcc464f5f..ce130cbb63 100644 --- a/tests/fast/stages/s1_tenant_factory/simple.yaml +++ b/tests/fast/stages/s1_tenant_factory/simple.yaml @@ -14,7 +14,7 @@ counts: google_access_context_manager_access_policy: 2 - google_access_context_manager_access_policy_iam_member: 7 + google_access_context_manager_access_policy_iam_member: 5 google_bigquery_default_service_account: 4 google_essential_contacts_contact: 2 google_folder: 8 @@ -23,7 +23,7 @@ counts: google_iam_workload_identity_pool_provider: 1 google_logging_folder_sink: 4 google_logging_project_bucket_config: 4 - google_org_policy_policy: 3 + google_org_policy_policy: 6 google_organization_iam_member: 6 google_project: 6 google_project_iam_audit_config: 2 @@ -43,4 +43,4 @@ counts: google_tags_tag_key: 1 google_tags_tag_value: 4 modules: 50 - resources: 290 + resources: 291 From e1cdc02a745af41380c19155cfbb438d89331d93 Mon Sep 17 00:00:00 2001 From: Ludo Date: Mon, 28 Oct 2024 14:04:49 +0100 Subject: [PATCH 75/94] tfdoc --- fast/stages/1-tenant-factory/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/fast/stages/1-tenant-factory/README.md b/fast/stages/1-tenant-factory/README.md index b771cbc021..ed61306223 100644 --- a/fast/stages/1-tenant-factory/README.md +++ b/fast/stages/1-tenant-factory/README.md 
@@ -13,6 +13,7 @@ Typical use cases include large organizations managing a single Cloud subscripti - [Impersonating the automation service account](#impersonating-the-automation-service-account) - [Variable configuration](#variable-configuration) - [Running the stage](#running-the-stage) + - [Organization policy errors](#organization-policy-errors) - [Tenant configuration](#tenant-configuration) - [Configurations for both simple and FAST tenants](#configurations-for-both-simple-and-fast-tenants) - [Configurations for FAST tenants](#configurations-for-fast-tenants) From 24ab698543542685cf13ae376f0b5f754c0f557e Mon Sep 17 00:00:00 2001 From: Ludo Date: Mon, 28 Oct 2024 16:53:52 +0100 Subject: [PATCH 76/94] fix cicd workflows --- fast/stages/1-resman/outputs-files.tf | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/fast/stages/1-resman/outputs-files.tf b/fast/stages/1-resman/outputs-files.tf index 33161d5de2..97eaae3964 100644 --- a/fast/stages/1-resman/outputs-files.tf +++ b/fast/stages/1-resman/outputs-files.tf @@ -67,10 +67,13 @@ locals { identity_provider = try( local.identity_providers[local.cicd_repositories[k].identity_provider].name, null ) - outputs_bucket = var.automation.outputs_bucket - service_accounts = v.sa - repository = local.cicd_repositories[k].repository - stage_name = k + outputs_bucket = var.automation.outputs_bucket + service_accounts = { + apply = try(module.cicd-sa-rw[k].email, "") + plan = try(module.cicd-sa-ro[k].email, "") + } + repository = local.cicd_repositories[k].repository + stage_name = k tf_providers_files = { apply = "2-${replace(k, "_", "-")}-providers.tf" plan = "2-${replace(k, "_", "-")}-providers-r.tf" 
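Review bot: In outputs-files.tf, `try(module.cicd-sa-rw[k].email, "")` and the matching `plan` line fall back to an empty string, so a stage with a repository but no CI/CD service account still renders a workflow file with a blank identity that only fails when the pipeline authenticates. The comprehension is already filtered on `local.cicd_repositories` (the `if` clause is outside this hunk), so I would drop the `try` and let a missing module instance fail at plan time: `apply = module.cicd-sa-rw[k].email` and `plan = module.cicd-sa-ro[k].email`. If a missing account is a supported case, falling back to `null` and skipping the workflow is clearer than emitting `""`.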
@@ -90,8 +93,8 @@ locals { outputs_bucket = var.automation.outputs_bucket repository = v.repository service_accounts = { - apply = module.stage3-sa-rw[0].email - plan = module.stage3-sa-ro[0].email + apply = module.cicd-sa-rw[0].email + plan = module.cicd-sa-ro[0].email } stage_name = v.short_name tf_providers_files = { From aa504c80b098037c5668a1fb6c70d2bc9a7b7cd7 Mon Sep 17 00:00:00 2001 From: Ludo Date: Mon, 28 Oct 2024 16:57:28 +0100 Subject: [PATCH 77/94] fix cicd workflows --- fast/stages/1-resman/outputs-files.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fast/stages/1-resman/outputs-files.tf b/fast/stages/1-resman/outputs-files.tf index 97eaae3964..166b8558a9 100644 --- a/fast/stages/1-resman/outputs-files.tf +++ b/fast/stages/1-resman/outputs-files.tf @@ -76,7 +76,7 @@ locals { stage_name = k tf_providers_files = { apply = "2-${replace(k, "_", "-")}-providers.tf" - plan = "2-${replace(k, "_", "-")}-providers-r.tf" + plan = "2-${replace(k, "_", "-")}-r-providers.tf" } tf_var_files = local.cicd_workflow_files.stage_2 } if lookup(local.cicd_repositories, k, null) != null @@ -99,7 +99,7 @@ locals { stage_name = v.short_name tf_providers_files = { apply = "${v.lvl}-${k}-providers.tf" - plan = "${v.lvl}-${k}-providers-r.tf" + plan = "${v.lvl}-${k}-r-providers.tf" } tf_var_files = local.cicd_workflow_files.stage_3 } if v.lvl == 3 From 06b852d03d8a4a3f0e6b1db6d4630fdbd714e8fa Mon Sep 17 00:00:00 2001 
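Review bot: The stage 3 entry indexes the service account modules with a literal `[0]` (`module.cicd-sa-rw[0].email`), while the stage 2 entry changed in the same commit uses the loop key (`module.cicd-sa-rw[k]`). If `cicd-sa-rw` is declared with `for_each` over stage names, as the stage 2 usage suggests (the declaration and the loop header are outside the hunk), `[0]` will either fail to resolve or give every stage 3 workflow the same apply and plan identities. I would expect `apply = module.cicd-sa-rw[k].email` and `plan = module.cicd-sa-ro[k].email` here, and the follow-up commit that renames the providers files leaves these lines as they are.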
From: Ludo Date: Tue, 29 Oct 2024 08:50:29 +0100 Subject: [PATCH 78/94] gke-dev stage --- blueprints/README.md | 2 +- blueprints/gke/README.md | 2 +- blueprints/gke/multitenant-fleet/OWNERS | 1 - blueprints/gke/multitenant-fleet/README.md | 265 ------------------ .../gke/multitenant-fleet/gke-clusters.tf | 45 --- fast/stages/3-gcve-dev/README.md | 12 +- fast/stages/3-gcve-dev/main.tf | 6 +- fast/stages/3-gcve-dev/variables-fast.tf | 7 +- fast/stages/3-gcve-dev/variables.tf | 14 +- fast/stages/3-gke-dev/.fast-stage.env | 4 + fast/stages/3-gke-dev/README.md | 217 ++++++++++++++ .../stages/3-gke-dev}/diagram.png | Bin .../stages/3-gke-dev/gke-clusters.tf | 47 +++- .../stages/3-gke-dev}/gke-hub.tf | 25 +- .../stages/3-gke-dev}/main.tf | 59 ++-- .../stages/3-gke-dev}/outputs.tf | 3 +- .../dev => 3-gke-dev}/variables-fast.tf | 53 ++-- fast/stages/3-gke-dev/variables-fleet.tf | 68 +++++ .../stages/3-gke-dev}/variables.tf | 85 ++---- fast/stages/3-gke-multitenant/README.md | 9 - fast/stages/3-gke-multitenant/dev/README.md | 243 ---------------- fast/stages/3-gke-multitenant/dev/diagram.png | Bin 44405 -> 0 bytes fast/stages/3-gke-multitenant/dev/main.tf | 39 --- fast/stages/3-gke-multitenant/dev/outputs.tf | 71 ----- .../stages/3-gke-multitenant/dev/variables.tf | 213 -------------- fast/stages/README.md | 2 +- .../simple.tfvars | 8 +- .../simple.yaml | 5 +- .../tftest.yaml | 2 +- 29 files changed, 462 insertions(+), 1045 deletions(-) delete mode 100644 blueprints/gke/multitenant-fleet/OWNERS delete mode 100644 blueprints/gke/multitenant-fleet/README.md delete mode 100644 blueprints/gke/multitenant-fleet/gke-clusters.tf create mode 100644 fast/stages/3-gke-dev/.fast-stage.env create mode 100644 fast/stages/3-gke-dev/README.md rename {blueprints/gke/multitenant-fleet => fast/stages/3-gke-dev}/diagram.png (100%) rename blueprints/gke/multitenant-fleet/gke-nodepools.tf => fast/stages/3-gke-dev/gke-clusters.tf (52%) rename {blueprints/gke/multitenant-fleet => 
fast/stages/3-gke-dev}/gke-hub.tf (61%) rename {blueprints/gke/multitenant-fleet => fast/stages/3-gke-dev}/main.tf (65%) rename {blueprints/gke/multitenant-fleet => fast/stages/3-gke-dev}/outputs.tf (95%) rename fast/stages/{3-gke-multitenant/dev => 3-gke-dev}/variables-fast.tf (65%) create mode 100644 fast/stages/3-gke-dev/variables-fleet.tf rename {blueprints/gke/multitenant-fleet => fast/stages/3-gke-dev}/variables.tf (69%) delete mode 100644 fast/stages/3-gke-multitenant/README.md delete mode 100644 fast/stages/3-gke-multitenant/dev/README.md delete mode 100644 fast/stages/3-gke-multitenant/dev/diagram.png delete mode 100644 fast/stages/3-gke-multitenant/dev/main.tf delete mode 100644 fast/stages/3-gke-multitenant/dev/outputs.tf delete mode 100644 fast/stages/3-gke-multitenant/dev/variables.tf rename tests/fast/stages/{s3_gke_multitenant => s3_gke_dev}/simple.tfvars (93%) rename tests/fast/stages/{s3_gke_multitenant => s3_gke_dev}/simple.yaml (93%) rename tests/fast/stages/{s3_gke_multitenant => s3_gke_dev}/tftest.yaml (93%) diff --git a/blueprints/README.md b/blueprints/README.md index 3fbe689817..8d8dba17aa 100644 --- a/blueprints/README.md +++ b/blueprints/README.md 
@@ -8,7 +8,7 @@ Currently available blueprints:
 - **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Network Quota Monitoring](./cloud-operations/network-quota-monitoring), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/compute-quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation with Terraform Cloud/Enterprise workflows](./cloud-operations/terraform-cloud-dynamic-credentials), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on Azure](./cloud-operations/workload-identity-federation)
 - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Minimal Data Platform](./data-solutions/data-platform-minimal), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder), [BigQuery ML and Vertex AI Pipeline](./data-solutions/bq-ml)
 - **factories** - [Fabric resource factories](./factories)
-- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot)
+- **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant](../fast/stages/3-gke-dev), [Shared VPC with GKE support](./networking/shared-vpc-gke/), [GKE Autopilot](./gke/autopilot)
 - **networking** - [Calling a private Cloud Function from On-premises](./networking/private-cloud-function-from-onprem), [HA VPN over Interconnect](./networking/ha-vpn-over-interconnect/), [GLB and multi-regional daisy-chaining through hybrid NEGs](./networking/glb-hybrid-neg-internal), [Hybrid connectivity to on-premise services through PSC](./networking/psc-hybrid), [HTTP Load Balancer with Cloud Armor](./networking/glb-and-armor), [Internal Load Balancer as Next Hop](./networking/ilb-next-hop), On-prem DNS and Google Private Access, [PSC Producer](./networking/psc-hybrid/psc-producer), [PSC Consumer](./networking/psc-hybrid/psc-consumer), [Shared VPC with optional GKE cluster](./networking/shared-vpc-gke), [VPC Connectivity Lab](./networking/vpc-connectivity-lab/)
 - **serverless** - [Cloud Run series](./serverless/cloud-run-explore)
 - **third party solutions** - [OpenShift on GCP user-provisioned infrastructure](./third-party-solutions/openshift), [Wordpress deployment on Cloud Run](./third-party-solutions/wordpress/cloudrun)
diff --git a/blueprints/gke/README.md b/blueprints/gke/README.md
index acba2a8f4d..2e15752314 100644
--- a/blueprints/gke/README.md
+++ b/blueprints/gke/README.md
@@ -20,7 +20,7 @@ They are meant to be used as minimal but complete starting points to create actu
 ### Multitenant GKE fleet
- This [blueprint](./multitenant-fleet/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
+ This [blueprint](../../fast/stages/3-gke-dev/) allows simple centralized management of similar sets of GKE clusters and their nodepools in a single project, and optional fleet management via GKE Hub templated configurations.
    diff --git a/blueprints/gke/multitenant-fleet/OWNERS b/blueprints/gke/multitenant-fleet/OWNERS deleted file mode 100644 index 86004b1c7d..0000000000 --- a/blueprints/gke/multitenant-fleet/OWNERS +++ /dev/null @@ -1 +0,0 @@ -juliocc diff --git a/blueprints/gke/multitenant-fleet/README.md b/blueprints/gke/multitenant-fleet/README.md deleted file mode 100644 index 0fc0f593fc..0000000000 --- a/blueprints/gke/multitenant-fleet/README.md +++ /dev/null @@ -1,265 +0,0 @@ -# GKE Multitenant Blueprint - -This blueprint presents an opinionated architecture to handle multiple homogeneous GKE clusters. The general idea behind this blueprint is to deploy a single project hosting multiple clusters leveraging several useful GKE features. - -The pattern used in this design is useful, for blueprint, in cases where multiple clusters host/support the same workloads, such as in the case of a multi-regional deployment. Furthermore, combined with Anthos Config Sync and proper RBAC, this architecture can be used to host multiple tenants (e.g. teams, applications) sharing the clusters. - -This blueprint is used as part of the [FAST GKE stage](../../../fast/stages/3-gke-multitenant/) but it can also be used independently if desired. - -

    e7 zL-XtWO}@_$%I<;#R{{X`>*$xY20^#{m4(Z)csan=Il#*5-90{a0)^=R?Zbc97Th87 zXF4MA7;m)+5?x?m*GhlH)lnxKj#Y*39q}HxZ1h}@zP}N<+pond(`)+vfZnfCr>;bM zWo);(Y>l7aZqZt}^rThC7ne-?YxodRrZ|u~!=h(C*y+n0Ae9)y--zo1`{ydu)v%vjB^AY<)DWz|4$G9?=7VVdD?%z7vJHg5Zdmi zMu$Ni^U!(vsWRWUAD(>@L(VNuCVNJz1s-02D3&_^sXuW<}S&612nX^p| z%nXq1`DRfXn=h*OAC4(>Jrdsn)E^DYTmP)aXmQ(p;gy8>e(h*?xKNS6$m5MpO7*&O zuBHu0yPf>@G&$1;&D>A@jR{hspOo+4g5*GGi&LkZ5K=a;5DS(-lK`3#1nw%s+< zONqsg`U^GHV91lU-T*k^B}*^ z1ftm~xX585(!m9i$yHrsF@v@K3vbP=K^E<+7fG=zXwMGd{_ApMkHDgCqzisA<=VxS zt^&qBh(#zsBqRPUCL$bM!=2RPR1NcG9vE)7Y>>Qs0hrJUxu!hP*8AK+QjF&7e1D1m zMGwVHN@WuKMI|xFT;M~*k(nhaIG$veq5Vqx7wf@jy!acnI zcf2K3mni3BkKTMn3(x5+;U1AW1$rcfqyV+a7|dE;X>7Vm}t%S2>V z>R`+R3hJJ9>6{_s7GlHKX{hk}d<|(PTp>)<<49Upb*5&9Y68TNY-tvNufcBvjC}b( z3b8^(y-k%G@y~A%3X#dH5I7zWp=Bs&AXkYf=lx~41m%9P{par01P2vB%P{#9B-{N7 z55V}nPJ7RApk<-Y0Lg(O87?vYx=&U&&z~Zs56iO)-XbyKN<+MFtnm>a9jesp2+@;} zyS#JJwW!i7K$f?VNXrMb29bu`b!{D+LA_`ieM!#$Ph$)u2@t*iS8Fj~UwJ>3Xki9J z1DNXGP&*~vuzhw^#i3;?RS(rAn(gU0UKZ1H(DJrA(5m@e)N&HrPsv!P2)eFFgSsy8 zp$H$US(>Jp^$$f9UOh}yEhG=X^Q=e2GVnE?C%lORJ$Nr`kti&GbKjeTgr7602hrq5 z62ONFpepD+Jt#c}ZFL9gfJyJq$ly=OXz&(pk+RgOV+N}u?cTHK49RC<*uQNGy7K|E zo&&z7{#2ZkC;Ebg`k!QoR_2U(d-$X)6Rsh+*P2!9B(Mep^H0ZAGD^K*~{@u-l ztG>Oz032KZ7prU){0%5>b@0+ja%sd9hMGct-LG56|9_WLE<(P~y$cBZ3Y$y|2LCsn z173F>={LLa;7NXA_ABB#hG_(VFI1_`K_i0b^D$$=-*ey@rLWLSZtlk;?tXfa*_>)% z5@!4VlmGYZCn#;e08PvR+6L>|i1;}sh+T=f5{9UG6vk2R}8#Bpmn+6A3S^Cuq7bVXozM)!Bpu&K16K% z`gNbLrpYK|)&nEhuS(6ug$GdTJBxT~KGy0|RVG{yOpsIyT`zltAZRfgqXfoDuaD>( zbnba~S)wA%ax(OIMFz1laC*ZlaDQ4&&=_R$RA9sk-umR=W*tn)d}OdAO1*jWY0ZWN zA;{ju{QtD~-SJfa@87m_2*+Ngia|GPgs!+F2P^?F^`b6m&>S-?2ZD9Oi;wr&gzSzv9E zVOf0j@S_D5$9CfncVk)$o_drk4bFdmgRQowsc@07%n((=d7ryx@Tgn|GLue4pX{!yA-bfVhz%&}f zU?rix>loW*g2{?Rp12I=_1vLj&+Oo}EF_4Hn$bB^4w%{)#+(CU5btB5l0d^4F7v+= zkv^T2lE!QM@dgDW!YeZKw1QpV+QJUQfayLhU|K$L2nho4Q_Cx_insh(Qm>E&mQ_&2 zN>!X+kwMY-2w8mkCf|@f<%aO}ly3h&hSn8mF<&oR!??!5*c@WBvjRwL#Rrx<1QlyA zms3(!<^+s!rgLg_E+dnohRwI0@T#}B_pWMvf%E?+QFt(Kj3&|>UxYLcJ 
zVK|U1c9PtIZL~f>6qs|@fCaJTf0{7M{_noljfJsk#R=TR2LAm1@f-**91rym`8{lf zk}Cq6m2|r9@6JP@=O4O=gm3MC{ti+$wElSR(#cqTu21mX&nt9S`KiGS$rD=xK3uB< z^JHNXi4101XJlYmI{sa;2d*laO6^u`v^0GDUes6_E<9d-`e~~--I+tT=-&P8;QL+`nZ5&tw;;L!HV#DJQslANF7h~YCm?QacNEUE;5#l|B1mX`x(F~SxXwX2#+L@= zOvz@JiG=GcSjB)DaI+cb;dP|i>OCI;CEm7z zML&rIVyM|zr7a{)XPhRq!o%-1@h^(3b+Zd7wS3bJjGatr#3}{bJ`#o@-!c2MyGo4j zheACpa(u9X1o4?+R~JLNZ0|Az0Xv#a%mRrlcd_@XSz!=)?*=#9Vt9Y`asKxm@Md2| zI9kLiuKuut&GM=LeX|+H!%o5#2{>%XssQ{oU5$9J?zyEKLSegXAEE6zr)bRpPx&VT zLzHC-ao$v7_JAiop;-u5FpqMcKWn{;HQtv|_Znb&qL97QmQ$rlO<(>sT>Oiivy?&y z3I4)Wd{#gv+~6srL6%WL^oMUWQO-w<_a+kZywr%JicjB%l{!hkL#7!on)UG0mdjl+5i0oK$1INl6EFBh1Rqjj9H9I9z4kAe=aU5Ne|Xs ziU3jvTG9Jxz-Ko99ZoIiWJIFTCdsimaXM3;x2+yUOC`FV{Wa>6ss|o!UO{0{K-z+S zGRABpG9)m9qX8pkeYjUaAKEz3{BuorXKFs`g?4L)pn2s{ndeLLAG}r-r(i$HL2myQ z4jw3z<6snew8?-z{}SvIBcx?y_knA-f)vp69fg0TtLII=50yW9G-W!D&u#f4Bt5Kp zvUAHjRqd-+GfBss=D(WeQxo?}i#=eDd)Q37hAx1v6xpVpRVP9!;g9>RNg`8Uw$amqgS{v_)6=%)3qj)7N{2XKUJS+h1`)oA6o-FtGfNY-){)ToI(BfPX>dv z;q}=2zyr%V21e0GKb$aH8E=kIy?lV%Vo4DM_ayK}NDBL2-#K~;vHA=62t&wkj_KA5 zYFyrqEclv3u_NE{^VyD;Pc1cM3a7;LAqWbXw~Cuey_K!BctD3@Nsh-HKvk6IyJxfV zWN&HXZUE7#{Po-L&$0Mr{a2p6n&);C=79^DEyntL@oW`6k@z)fT4hyqUq`pM2%Hd$ zfWQ+1eZS^*Uv!0es{GuVj&qrnB}GD2B_!`Fpsin^TA&oRRu!?4^>cBA3HqoVGEw(>dO2Ub0kCvJd^{Cpe)5tA^bw?KM4(A}nL4t{#x**CGu^`*g!Hc~ z{JfryssuI}Ps7D|=e-TY@enZ27b2O2o3zC0lZcJx%!Kgx1o%4^N0eW|^j?HN`WdKL zauH6?QJvr?t`LF331{rSZ@5%8A9pi=&ewiD;`+~cO^Dv97aDL7a|*;KZ;NJ_8|z4F z%Ap^J50qP#Wsna-`I3^jqbcMNe-$vmyNT?Y3fW-8C_mGY%UlXkd0NkxTN{AZ%P|LL z9z)Mi@wn7isE!@qa!}{Q=;K20%KJF2nP>49k-=*xKByAaX&Dd7RZg3FDtAwAmJckj zuCE&Bdbv7`+8@R_Kuz*|h0|_h9{<5cB{(ONUlJYS57%7#b~bDab@v^M!QaVny_j@o zHcG)b_q{2-vouQR9LH@HcWz@5JT)DW%Ci0Q#{7UE7%CTmM`ImWd#0pEZ?f9LPW7@E zJqNusXX`+o$UxXzj@qa6qNO^83uqD|=7+DLIi&E8*jwfkQ0$$$uKNAeVlQ-YFcQu% zcVGSr^@}YQuv!iV7r!^VM|~%?2J*n0FsnQC$I^NGFz~iWVgC#htn8J0)cv{xraP?T zcivP}+jj4EB^wX*mR_REV(!*N*H6Jn^L0_Q^RBt^2vQBKqlg(pk2=O4yqAJ)Q`YqU zhxBQC=G3|Irm))81O4_|zsWz}FzZsbweLJ9v(9=7eIxupw|+;m+Nz&)TV|SKO?ttr 
zMQ(Ay@|6?)p%-7y@vJ}5prEUK%~VGH9*w%wczKi67p1gB`Jv|*T7QYN`^y!D&v#s( z=1v4sj0vO4siY~&hGh3lwA`c6bzpa@Fl{Th^tRwb0zRs%rXoqfR7(3gb7%X-DO#m( zR3=(dow@6G1LDnx!I|(5YR(HZrs4HeW;#pIL&eeY)})Hpm_iPWu*&@XTRn?VY*li& zifW9v_DP&p+;Jw=zm+|^lUv~N09s`6PI|(2zlR9}DrMFg-cgg@CTMre&MImmg>goA zC!+@TCM!jU*PPb!to=>Mn`c)e5~e&wkeWr=VK^SzOSR;%88==s+36hGe=8=Wc@Z5S zkHeXu&m>2)7;V!Su1xPgPJFbf90@&kP@WpatTupAhwWo)Za0M->JJ!0Y6 zuFKn<{8G7t`9m*g^}eg*WyHQD**SiyS~e$i;UUe{Y}8LE<>~?9ZEcClJujq~DD{L9 z7mgkT&(VVwbzkUQ+#Ra~iAcL#)XQqkE$Bs`s#3Bp>rX%R!H!`0#z476E==Ern&@|A zW8pqq;u-3kHIjukjvsv`nY2QAYqFC`!3WNvTaKOjDI0S~E}RFET&ne#BBy2nJLc2$ z{^*K$ElK$obK(NSR}1AeyFYK1-}NdClGhaDfXn@6V+Lk{fk<^OR!TdXOwYhslP(s& z(3|*JnIyktIr9-}b&83EJn^s)+j zL(t%X*WiA7^n|61#MIPpprs6IDMwU8d#hG3C6;q)r+Vsp%^_Gt6k37iDWAd9XhS2{ zPx0>-E1vgiH9k{q6G~NcwqNWkqRj)Vcet(%ldVJ1*L^LZqMt%rl6>(&Li8{Sm%Kel z0?&%>sa?^<=$0UmQLnycZV?NU{lY@}Rq~($Nh)>Ne7jgZE@h@J&vU!#-r|oon!t23 z{S#ToEWv#Yct*|S1NN;to+ih=OiQbD(^+t=tpVb(yZF~gp{8he)zs$bvN*Y#W zc0R2n(0^)2*{M!0Q6!ipYfIowBh^|vm{e;^{nm=W(+XV}OyW7_B$^1rLrvU??StN3 z>!TCL{bX89Gu9K#U&UG!XAvB{{Lz52+%w%$eg8`~-E>yZ+^qp`ByY=4%-zU@*Dw3-9ttc%SzZzxZ�%&j;bcxGcOFY?#?4EiJp$|6FQ zSxLWyZQjY#JMUkoqcS#UN0Qe;G0Xu~a@FoRE}_zm<ejA!J>f9KSmOCB-R(lu7hMOlCc8Qxc|t(@^f>oG*2t%i znDQi7WftC7y2+NN<;tY~!uHZz%A~cR1w*W)*eX%-bN{D=Gco6Qx<^29akK#ei-XhL=gEj%cz&T%swR+~;;yIf9A%_fzo&XV-tQUY^#Y~k4O<*n_O z>J>xAAm)P0drKyhUsd#>GDkxk&yD$k!sWOeL&MFRsMa!6t76r9($uru(1=U0&bBjK zp2zOpk259sJt|JH8-z6 zvQ1PElEJE5>Vj*Cgo*hG^AJiLV?>?vgGBT6n?zYK^_D?SVDdTRYKeCp*-=s5g}+WL z&%qWtyK{HEG2hqXAjzLvGoqAgcqfd;PBhSuSHj_XZi@Ar6Cc0(>PV>rroUB4(>iM36;^?0oc)pSGVr!)4o}sD5pp_Tgqkeh zk_3Ir%Yom?Q2MzJ+)CbDR>28u2K@|bXotu#W==^VUF00kN>LG1h0UdS-_sL; zV#rS&V1_w32kR~)te)eoQ$h7ZT&5C|bk6l9GC#je%N*Fz8~|Ru;|z0C_4uRYfMi;& zm1~SYf4kn#_)xU!NOzbI(7olwC-$z+MH>h^bU9cny$+ zE4=EA8lI>er;gqgmtwZg($pkT9VaAL$Tf5_Juxsug!AgezlJwKyh0OF|exht3Ywdi)T;VkenkT?EQ9NuZe_p!N|JBgc@@x5>12z=?8{R61mcTPwGCslQQFE`cU z6#Y}KdbRERXFCy1&sJ;phZau3*)C`tb8dsQ){*JhuHQmXaiw+MF78x!r&K2|D_Ffo 
zotQEc;k^Bx^n+6t?2p9D89uE=k^SDpapF6IS{F{BjX;2Wn_5Ad5pk_@}N4+R+!quN%<$Ik|jN0O+%q`pXOUopWwdH^Awp75l6s@Zn z#A07Z`kQ`yeM@xerlHJ{U;D5WUs|+&3b`ojl)f)oH(=fRle?ESuk>Zhdebc2G3D%S zBG2D@5k2AYy|!B~77i0xX;|Y8@9k5=em4W8c76GBfkC+-@kLYZ+$Drtp?fnoTCRQ9 zZToW<6GLS5z!f(==lT(epSN7U1lmy1$&3+AD5gGbX?MR8*IcTvi{o$Z=|u5r_Mo3j zT?rdwv8~G&)2zmGGFd&jUOrtYu5nmcWtC^xMUR?3iB{#f{t^zdRm(bcA|d{S*z^?z z#n~;tgTbLZoFS)at$llapFai(!y)R19R1C>!7PC3i=@?T#E0g^|9 zu_R?@l7qrr8$)LW4YD~kmt7!fBE?g{5wL@qo>I}FZ;QirF>&nOg;T|e57&>%-0__i z(!lwk&+HV;?4ygQ*kc(v_g9Edr%TQ%B=GkqTQGY+B=2_Si!4|rKD&gCQ+%~E>2fS4 zr;5D?&AN!`UY#j&z_qJn7!AKZPY~}V3QyW%yZzL@RS(c5bNKhfqKWjJG74UT7-pTy zrXRMHN5X$;7l>5LOPm@N@sz(~)FS{Ia>auYYZPtmuKB;qSq*u`WK zD_-OskJtGAHHI?Y^f0b;YxGv1u#YOa)8*EaTGNWj{j0`#lVGkk);Q3zrON7b!*!J? zCy>#=9GrDd)KMWLX;bbIhxlt560S@%W2zQ?QvTV;)S1bF2oFTkx?GOTAnUB~ZA`b) zTIgPioC%lP{d9Bf!ye7@cRchA9#Zq4XBB=->YVNAw!D!WJ=s;lO=YX2Fss}$xJu6> z)K`6YWovu~V>maXPMTYMEt>CHSU;HK*sB};;0N^sU!1ehbn^jyRk$ASz4?7n+u_5D zV~#2Hl_NAa9r8xC1_z#5U@x;JTANBaMVp)BY^0g^1Ty+g$MUu%n6;N4B#+*1637^) z&|%!~J$Fb*zvnGKu4rqfM{UQ^{Ywj4Bc4vD{O3tRJbu^^f7mFXjazd^NZ>t~5Nwjx zjwo?T`VmwZsWf6GI@7RS{Oyw3ejw3uJFp#`H>Fp)ZjvK8tU+vx#%CBW3$=KzGApzY zPJ=c8A?U^CKu+hr>ul%1zTn zEv_DGne= zrVf716vb(BznT3aL@!vcmAw7lEw=Jm@KrL?x(HAQ_ADB;fUeNq^7gKK{E%&y-Zips zRMuaUBZ@Q{Q-S{LE?DJBThsxTmCF zE1lis0|QTN(B1tJ|D}gbm!ejhQh(BSzW$`13Wd4UD-}?CZPiA!aocUDd<29vjKYOx zQmIRJa<#gcd~inSY9p%Sv5W#SWUUEy$sB!}-LKdyiCvD7IA^rF)Ro;?59?#`qU}_y z-A+{;A*&~1CfU%$yBzIOULY~st+6A$?_|5&v1D`9klaqy2!VevRl;d zofk=-D|c=Bz8tMj=M8H;WAxLVs+T2n)gE%T2g`*M88U7*r=KW8ISpOCVfQ=`<3>Mr zs@G&b7OyHHo{E&+{=xF769rg>Xy|L`i4YH_Z=6oE_Q<#Q2%^Bf<^K3J^ALqp(ITOm z^y*#<|JV@~y}cn3ou!@a^%UhS?5BtSlsMPES<~YjQ^hN_82A%((zkR;V@_?)86)2d z^i1!^w#zE+eBr+4KnON{;t=2K_`?*#`{;d{KcHMs9w2T6UYCrrlPTb0WUEeG5-M7Y z7sL@@#KP|zn+arLy2_j4>m9E$2R>L4*Xky3Y7M7oC(>IvZ{%X`M#SuNs-s^pqxlsAuD%S#@X}EXzK?k_xQ>KaKgzQ;xk!w?r$G=a_C?X=?GtSHi!|&jRzcQ&FWF zeO%MJO$=C1smi>w(DF!1pW~h$4josL;!r24&$786-laN-S zW1}Ie4aU&dH3|_kzUdCLeyZjq{VLA%MKBiQVJo!yHm!AepRk(q~i~37W{RPhY+CK2|I7>kc^KXq 
za`%rTk3_b?An;Sc$GT29VE zp;KkNCgKGh^g5N*{{kQYx98!FnItgq&I&=%SMvTZPaMz*F?#5x<0#C znkxkk0$l+0!m95-LmmpjSaj07N{#Mz=W9C06Pg)B3(Ch7gt`}A)d1PKJg{RPVbb;_ zF(mOoB9APrW--jEL|4^u?^?3qOmcJkqUdKo%f6!iW$(atLhyAZ-K%j@fJmiK&JXE{ zW1hit6$Q=>`bM#<+#pZhCZ(8vWV!M6naaiQ5==i1Qd~%n-PZO_*k+ zC~0b#$`3{@GW`Inr#}RIdP{O(3|vpWU>)cZ4)P2 zU#+KJ?(z#5FSU4?z}R_c`}gt(HLl;;w6YH0bY8RVlW&-1(0=$)Z&rEpGT?LM5||6B zF_s8eERO*1Gj%}Hx1PK<&9}4FsX1Bilu64J@wF{rmt|$zpNV6idOZBQX2JHLJD)I>+Veis+{eDWW`SCw7KYdJb~h4w2tviSZWw#ndan$H*>A4Lc6Qdn3F7Pp6Ae zrb-VTS5(7L%Lhc4IrvW{kjvaQy7YN-oA0(UrHn?OD|YxQX{JFP|NIaa{9z{hJThCx zs(={s5>BRg$OGHwZ*KA#+0C`Z$Do6~G-?;fX`Tf+tsZym4_D4xxaC+-eSy2c#*VYu z{(D=_bSq_ML#voyoP-l{VjLRpu2MyN~X{ed}6D*bI)CG4|Bk{}faC1|H=!sh}-7 z;Z~!rDIxG$Tg*8W6Ut!|2f^FjtC->-KmU9K1+P>p~UhR_1E*atT)u*Z>&He2^_NZZ13 z*h1#&nqv?9zEqd(6PhhAp&(JQ(TpeSWGi1r_?`w!2zAG?E;RTW>yMb50W2fS&bxo`yJ!%7WPE5Bkrqk=4ub0&7t6x6Sdn- zp~o^G{@l%1t9y8jKB#H7?Nx=$?UQjyH8KSH0dHHzItDzhhW44nL89n^W8Hag1P%Jf zWN>--4;C*j;(#C$8a#AN9K!-rDv)NCa0-}lt$Jsna;`{B-|5zZ9VH;x_sj%)$LR2Rq1$a*uXE#dU-?gE9@YG zb!xN9WlO}s_cP05E?j0q)lhgdwW@or=L>Tzg<9sZp+Mw2>YEz9kV)|wA<^)Cv?_yO zABAuWiYX9!%sN6&aDajR^(bo%IZ-W<6ZKJ!xm}hT(OmW7g*rCWUHFnGCoACx!)Gn9 zTnKUI0J{|=FBb^c_1?8!;vx-Fh12h0`BZ>?OOW%L0Z+Jez+-u$X(d=q%%*}c`0NZr21T<3RyF1ivnP=O*+56GFC?VW_2e95 zO(rwRJ^t*SgwPSlc8nF*CvJ3);aD1(I?(58(H)DbS!h_NPwIEdX*?0DSFVFQqphs*& z>OOi?_5mRELZ3e(9+*6L<+FocCUYA=cMOCk4b8tM5f@cw7>zbUhnlAyj6}~TFhxr_ zdFycYj{{tCWYFbSxe}V*W*2`;<4Z{wRjLk9w>_09`X5eR8bV<6f2kwwXGZRm*z{|m zOj~mT!O~@0c32QC2-0VO*SoH*^_z6 z11R7JFzQqqi0srCWPj<8|{YC_+wR!OmA|{~~;1RjrwbOwx)8?SU zpiSRwk_Z7Fj}%8GP@FmRts+3`g%H7PBU}nMV1_U|NtZ8z_8~^|#e*Hp2k<=ESbEP2 z@R~ff0m=pA5kEhcIp>h^5@-4;7y8^B@>D2q`KKY0aK5$#pBNF{=F-$a_c0 zi!QU8CHkUL z4FmE|$R4c7u1F-OUOOSh|9<_5=DnL~eV}&Gh&UsL~8^nrW?1mIuQ98bdNG8@+w}42Me1iD8DLk zkV`_dgRbgZ=1#H1Ai+d>XBWr9NAxwoR~fr`GW)((4{YR=dI75|OJa^tdJS%YO*BJP zE4oM3hX|~FB<`(0EXk8k!_zy@Cp=IN+}T>4>5Bw9e)6+ub32{$wzfRQplgOIU-sN% zSxk50BDAfLbMHMkpdJfmwwuYC89!oRFo$+>$#$THIJYDfXE9Ru3;c@m-~)cOL=?$V 
z#?%ww10F%@LWFTRcp#mJ$B24KOX}Y3)cO3#U+0BIMdLJvASm3K6D@j@JON4tFB*76 zeP`!FBKwLW?gY9q-o}=3t8O2hNR*VQ9iW!~tODv}<+jhdbQ4A@9a5q7dl66>=7!2L zi7LRTDS*vXtnn-O{Ap~kGIVpu>Zfjk%py+ayd{U2si!65T^?!bc7!TezE-woVB-jS zua{w6Vi#~Yni}tqSJ$Syd4r{-`fLp6rYWQ({XPu?kA>?wxfkVLF^Cqk^jwlL1EL-x zHMgd%A6kek`&3K#2E}VFtk>o?n9!*_grvjd(c=a%WI))pIYcwVKeuy>Rwf8*k%`5I z_q7fnuf%9ua{eXjdMc#auZ+Q1tyEi{w7}ZK9R4LEV|5_DE9ua_{OtCcb@9pMBNIAO zG{iM7F5OFik{rxiWc9r*s%-9j3jZI>7qNK;Nq#Vt5Q1GCF+N(*7PA@j5WOVwP6f7T7i9fZyYKm|%e|Mt*$pm65<%;HZB8 zP|KvoZh8{(!Y%XY5^L*9`;P}VzhC_FFz4jSlhoFWYr$%HvG$+yLpDlo!nYEULx*@Y zBW6PwV=A@y=FJ;D0sccV3Wg)6;PLL!tr%?j9x9VbOnG0G$|XEFcxy;Q}~-P00mj;H<8FueF7AQ}IUNd}z(5@gO@w0ihAh5pay z1dzLmj-OTa-?jSp6I$nBMO?<&qyt0z&y@(dLy2Q_V2cW{+33M7>c4;WfA_Upnxz+9 VT=m_q+$V#7C-qEpD|8%V{|{P#GV1^U literal 0 HcmV?d00001 
diff --git a/fast/stages/3-gcve-dev/diagrams/diagram-multi-net-a.png b/fast/stages/3-gcve-dev/diagrams/diagram-multi-net-a.png new file mode 100644 index 0000000000000000000000000000000000000000..d2142dc2ff334a6d7c99a3d1b42981fe192829e7 GIT binary patch literal 122109 zcmce;1yEaC_%BM0wm?fMEiOIK;!@n=tF2&u02U;i)ytqSgC{_rrZGqqxAQ0R= z1PBnEyL)=hf8M-#^XAUnnY$-5tew4=eg6Hv6~f*t%Ra)Rz{A18c_jBvN(~1G*A@ro z4(@~7z&BtfMG4@~EjKmUw>T9;R9iSWFL30f-e`Db?9O@nJv*MezmFc+O|{><5SRP) zeD9)-kaL_RoG$SATRmKFW?FB?wiclUuBk2dVh#LA)tCAONAAUww{PEa^ne%A&Cq9J z0g5^u43uwQ+kY9pIBwb98}PL97wO&Y@IMq0gpu6>CjaO9+sR8-;J+Ijlg+n&xc}Xm zkS_E5*T!jnlKnq@rh-oi{(JC)qtoiYHjc+%;&=YL`Hp`;{$Kl}A!PW!HqP$IwJKanreKy1k(>$R|{16_l-i{Aa_9=YgjLCJ(subu7tS zq1k*MQ@bCe2ISt@S;BK;^S>D0`D>b3_J&35)MA#}ti|;Hu|XskjI7&*%JY%IzszW; zdm(;@j0MlursJ=^QquwDH$}16=|B8?axbjlosgU?;!MYZWEyKFRFFGfc^%3fk-7|z zi;h-~?`2EwH83!sqwj#lQ0J+YG-)R#YV-2(5swzfc35!V57=9K{%jlMlPFJ4O1UzX z^k>O`2mGGz>C@rrfW0#=ffXTF&vkyNqh$>>>ZzG{0^P42CRoC(!* zMR$}A{qE)^??W{*~XM39>r2B)T{~vNR zr~wL21vAe9TQym>d8)yo3PJ^!jDl=DWIAs2LmQg`n@?;W?tR$-C%@iMK&nD}se;n5_Bnn2Faa zmgb0Y1d*zu;?Z(2=I)!#ys7S)neLg3xb6f7`LViMasru%F1qA?14Dxh9|MkfOS%Dzhi$H9EZVwFMgQtgr@~9kPK#!_4#gnJ=+F_UiXWoV^MX~dJgHM=BAOo=7D+z zG$NKqsQUQGGWK}A z{On$^Ppi?h)E5sZtTwvvHwIJ0j~Q)*{xHyh?>7Srl~j~ahB0|y-%2js9&1Z5Rj1rf z7b+qmyJ8-{(~4KGQo~HKx2y8zPR~M<;=485eUk8FcI!HNChec}8UNMarJ$oXeF{Sv z?EIy0S~}pViT#=Ht$Bn+m*kWh*gl`MF?ZUdPmG*Cl9DR-xd>7jw7j~w;YTCAM`c>0 zZS;>g#fwhYRt|#|E;f&~jEv-@=8dvksw94XQG_B}07d*P*&BJ~<*mdJuUw=enBd3H zdGqr=;_m5%!VD#4dRkf@cN!-{9xi#6b4!Z?L z649%^j0lFXSwTgNugk~M(QbP*hOds(KgTT)he=6MsboabXT3Ae4THF>ljx4-k(lP9 zTh+koB3CZyQ#QN8L6MBn^fE8Q&AEBv&(zRKTvzSamdeWC>%QFmv?6F(^`+~Vun2)u zJFL0kfx6Z4xh)hqJ3gx@RmIiOgvF;MgH2VSvDAu+baYu8vQcE>PJ3)oP|VhD#+`?u zM?PSX5=sPpg^p?WH7aP@75`)jJzG&}FE0C*#9a%pJBmuYr9jj7#nOBKHy;2C!)h=3 zFY7G;)`#5vM7tP%3*;ar1w-@eyH@A3U!L}U)3j^+;{5ckmb%TQV}$pOBc17SEsXG5 zrSV#tZdsT+c==e(19n%N>+sPiSiDzM(2Tv7>Z$zAkJNMsg!87k>q0qNdoyx(VotGd z=x(%@^3r;zOIt<0z~~nDiP7z`ZH`f8%oYJAR?^VP!@OmA-uSSJUhvKLgy)nC0W+=) 
z@eqP+N9Q!&OdraWk_nGvZ_Lp?*;Md$#rMtG`K$Yoo{27t!EMcs71MkUzn?$f@D!MFQPimlNd0 z+0>4w+?ebn)bhMaC=<;LZZsY2IZHr+^j!C~<{7OyeQlTQztcrD|35*|*V ziBzR|v~^}cu;wC{(n6OvG%rbeq@{Vx8YC9_N;zsbKb?(;KLv=}(xTaZ9sk;vfH9dT zK8$`D+$>WOzE-e)X8{YQx{kvqKI%9)BG~#_T@V3m3q^4)FD2#ZSmAlS%%3PPEoFr{ z1U2$QgZ*YK4-Z2fJ$b$=R6jE}#O z(oh?28s@gFwSL(ZI^`&!w^=FDB;)SW_*y|VD?u?Bz)hwLQH+SSJdexsAljWb(m9UZUZm{bjz&Q77zWFoyDE%+);)!PBU5WXh~L7 zbl1SGy8U6iTc7;41~ZZcc+%OK@PGs@VqP8!fk1gNN$ZysoHpGl?}s!U z^x5}kKRa`j8tksUi#y>*Oh5N^Y4e9wN^mh!KVj`_s@oT(6?vN?Dk<*7wXrt0b1Ol< zptLkXYeq}QD~k)!+CGI-Q&aa;)!e*65piK<;&)k$67eKf_4bzb(%H12I(yqhN=!Xx zM{nWUSd@JK-w6Gq-2gzlg>ae5YfhTQhd~4_!C{%NB-Z9k*+$J9zH@)9S3s|E^tB-bz9_SBUG7ZKdhWM8 z5s*JP_4(^%SxmA*;GH{ewPzE2e9sdT|N8kexeQ$@7D*HfjgN1=t({yEZRQj70Y{dB z?hT@!z)`A`=%F9F`490;tbff~;Y8Q?5o~}yd|n{6(a;&we(-9GcVtN2Fh)|eS935{ zeRA_HVswb$Jd1M)(ldS5-kqDjX z&(l$c-R?9UcPAe%8E)y=&?oXvB~dE6U$%64*a>93WtMup<5Q-^nguwO015S34*^;d zB#5MSNVsV%i#eV_{;I3G+D+NYBEr=8VOp=byu7%cuIAj1k%X}^T^}cty%Tz~F`3Kb z^c@S)!@wsb6sB_=dQ#g59VMle=8ct4*Fdb8MR6YT$Q#`i}brfRIy zC?=jOPuOe)5AH@hD-@W9@kWjwU~2s1b#!KG?MC0Fk-d?6Nf5Et;+Idi;(PN9YCiB=Mi9Y37twWyszdw0oP(t|lr1yjs$XksYtzM% zjM&@R?QHJWFpK-s zQ+(aUi;`sU@B*I@TM79<1}wQ#2W(`4Xb~z`R#}^0L~(P$sb$QXSVH43Pe!C7waS}e zcb>%~Kon-M^Fdj=^MHG3R?4B<+#+CoM?k^q!ycyd%SKp_oE)E?u(qs}#+-cjP`u)c z%-FuP2B&CfIb*rHzp6cs09OWmZq(UKK0AJ3VTjFbZzoze_#61nyJv%2%!)I8L{;ky z3XVxzdDsEj$EsFEXV%=bWcH{yM0{v-GgGzOMg%*F!XEPSFkHUiZH`)L0^YrDmq=B0 z^|7tpT@{HN7Dg-^Q7Su$v2iwJ|NEG(6$?u##CkN)TfX4e*x1U{0Wm{-V`1HpJ=guy zvl0z?=6T_G-;+|OHq_?k%iID568Sgjqb38rgHVX6x3q@fY3L(JlSfVevc>MC6 z(|ktgZM8NuGz_Fp>@+?4 z!?4$zg3-|WGy~4AvdT}U&aF?Ri7;G3Nj+1rjw3@{Vos2(E0xlN4I{k|Gc*0CYqEg# zMF}~5UXewu0lT%v!g726O}TiU|bO~%NyqGm3WD^=0^o=3Q5CMG{3I4{rRoJjuA4Hv*q zz#2;WyOT@rW;+sb=%#@kKSx^aeZm^TGiza(%kRb zF(U@Q)?JOZbr=Hi1QE-0M!ee4b&E%xnY*6-TKm?GaIG|w%gMOEw3`$p?R`4grXxN zs9{oCYI-m-s7~j3NQhQ>64(0Pdfj#=?Tdsp#fxtm#gUX~)+Xonp7K&iQL zT1CiANS2QNQwd$?M`Nyf-4kV19R+=raEnJTpE9mYeSWaF$2?2vt7A(bkmvDLn^%8s?qh=}96&La2GD3WbiaL*Gm0^7v<@$$N7FUn|;j 
z?EFyQH-T&dNS*Vk6`X8sTtF_Vd}h;YZ5DrI>{QM`3(eDM^*3ZVgh9rfH@1h2s5jWC zDgF4&G?tv8lZ;XOeLLJ8#wHvswS0GZ;;NV-FIXzJ*DJ1H5Vk3>0I@2CK=v|aJe69H z(q1Y)Yxe1V$gP~SIhkH9`Aph|fI&9HfMeyX--xKo=k6yUf)d$0hM9BgO2uvnO5db8 zye1=yReW-OWA(4CAhSix`9AMqGs`7%_ z4%k{dxuTM>cTSf-2Id$fppf0xAX7~6F^=iwNY3*=^zqjM;L8U= z0!wjZc}m@#!|Kgh=S}d2_lKahv}s+BSBZQc4#s?m`g{(5&#nFGf>S{^0LD#zbU=Ot z03FC{9uEm_hR<%C<(uLl@jtKpcmhDO9F)sEn}k8B(IgNwZEkc#fUf!NIj%6R$c;>{ zLDD}j8sI<4{%IlUhkG^oEidw^7W^Fvz6({b7kujd(B#DE;BRaixHbhkt(=kn1Nr_q zUa4N@DQo#3B=-LXH2lAZoc^Dq&vrV{9FV7OoLtS6y{EdhV}#B)xc{K3EMwg*nN6Wo z1YCD^$)~ZN<8DaQW`bkET$_5v-X)ncpuXmzFm?HpRYWgdbwp42Szn9hoh|nD-g$i*OWqt8yeSQ;J0tA-GoNp^#4vD}R#;960_Y<7Hr=`(} zHJXN!7Ppke6(lVmf88~)(9`uje$RyOdSXZ=YPR3!18O*zQsu&-Ih4 z@^}welBvskr;vGUeSG;=Cr9c@6Is)mKE<-Sn_rWtOM0galg!mgR!AJ<#g6OC&Q}T7 zLhoylh>TQsOfa4#(30yQow4s`PRjx;vbse8_&sJ7{?lS|r-C?B!1`JBH>78K2)#CqYWj@T=amA`2 zrWWs#*#B6gkOrm7kMyh=oSe+AE7O((X4a&tMUrjM*brwQpQkSj`}!@?-qYN=&!XB59RW{|nJ8DDH@6rII7#&5`e7igI47)kVUo~=5_Bt?`!c-cq$H` z?s{c9AbH!X>MRnOx5WAiFQRG(yI7*LiY0hPs$InTqBF{dtC-W5B<30Ro8qcd#rpeV z%z0O*69x~nUoY@Siuiq7Ds#~N(V4}pZ)rCFqtEibV$GwLKEmuhRena3IEOy1EWakM z022$hJB(P!a9nj7o_*i?v075boB}c-t8pr|@YkorLBh0YC|gluPoe#r5sma8JMw)b zxJo;*)vwl1Hm$3fyqc62YoRZf>?0gFqp~bSL>(^u)SWQYyy~Dsllkoa_*nD1-lXh=H#~gjL zQ^{sAiaZIchARa8`so%eq zkXWb5N3K_y!)?_lZ27mvD~H5ET-1A}v7XG3#$ZE23l6*u>&cOwoB_=xD!#AP%XQ%- zk~1SrV^WPF1V*}*&X~u@>Kwo3M<<5fSFfTouF^pO5tpxZvC1EPB)!u$VIcr;nOoG>zLT^4;-5$*Wkw|4`sA11Lv zO}CsM>5~Z0SX#LM`4Z=2Hu=#%6-=@~LAqs#oBKcYPh7(Wg%O=fLB`bS(MMJI09FQE zAzyRauAluLNyS2GAe@hjm1-`$%{g)@+v4wBCJF*v+4_HdDbAwpqPJ0r#!0=`7s`JD z1{@scM;(hwWDV+%tavCffEY)*KHAz)VB6e%Fe!G6nEX$0VW9royjk$C1Cm6sx;t}o zI$&*SQNH}59^Yj1&~>>b^L+b6e-7qu**SnCaerw~G^T+HSkt1_Eui@NW5o0=r_%4m z;xuIWseQjP2M?Wd?Y!l?744{ievSQI5&USj%ceA&(mrU-bvz4d;jlBit_wc_Dr)$^ z!^Lkb4yAqe17oSj(T2e;rIa%WkNDqinxt z{eAtvYsIgfuWc)TA4+qj?&BX;v;115CG@T?B5@D_3 zlX|v8UPb4zG~x7P9wU25F)YEi)z;QO9hHgBx-@-rS`&6F&;OhH&cJ#7n1ucl@jSr|vWCgDDUafdVRFFNm&b7jsj9qS zZRgjw$2hmR~*WQ*F5Jx>UHN?!bT79i`HU>XE3O+Gpy+s}FysE6ac#`&+1&LL^K 
zRaJCyg<4NJ3&_MgBLc^@UU`Pjk28%c&{+vJ*|b933BCQNgQA5m&Pxc(vd@3K>KD~? zWVUOg$>)#UkEU6oZWVGGjy;SA3cWa|NFXM>SEmf|KC2}c3FK{4rOCOnsne~|sGIN+ z@h-OL+daQso@16`mC_FN#8PDHW*ch1;O2ty%&Mat(eE`;AeL0P`dZS0hQZ{hxtOw& ztfZ=23Gi->tj?tVSiJ`Y=x4<>+^iM(r1-!AVdu6J!7E=RIQ-6LvotvD`7{M*ZL`eM zOR*D=!}oaMW3}Eg5iT`OWim@rQo(}-wWvpw_zFLHCcD__)&@kkn>QGKlCBGjAC%+{)$ILQUMzqdEwA>IGTHZ!;W0r12X1v6`k2es|jIyD|jpkz~ zHm~c#516<~t0i5FT0qI?&$n7r0vDJE-?abB}1(!~Qx7t;+y}!O3CN&M+~J)6sjS z{AgH>g?k{k>t&j8diynOvk{)|<36l_1l{wea4OHqgcxOAtv(ucyMGjP59d2RtJ5DF zYJkhw*r!=iB|hi2=j@`;1usUnk`!rXUB7U{fDc&Vla6w&0qXg_`=nMLcr7nbb6Ek4 z0Y&_++*l;>P90Ty04Cupm&)FSetg?;Qp!DmR*a=?W!*^4gkn`e&hQkYoN{m11>>T- zu%hy_^&j7&nzgSh-|AzUC7q0_k=$=&q;3XJ&r5o-)cVb5tJ6-TpH;w^scz}P0x1o+ zUZeQZv4tv>hjuEd&7=RE*=|Ap=IH%al@Z~q{a-(q$8{=uj%xLz=dqd%zWe>M^CCux znN5~sRki78i2k|7P{sKW!wl~JTQjTvid@OwQVA8ktFsf4`Etj~3tqcsCGz0|shYps zFxi$8S=H-1hMsK;mb(oBllUF2bYqhaa=I8$jqGMKWBZqIV}*;a#f`h6&EoG`HpXiB z(hKiLT>w%r6P20VLV@!-|F;|H%?n_)tMqV}{P!fzBAJK+vB0_$kDj8KCv|22bV_@9 zZYzukb^D_~vn_{V{e@?LoBuu_9+wt->L*E$r;PnHIC`>ETS7LxKCNV@RwJaB?B_0y zk?0k$nRX|~Dnz~S*|3uC#ePGgp5#T~z70h%hHxXUfE#L!blcmn?$KpQJ)F4&%S3Fc zKxvXg#AF)oS5mv_yCTD;qhW27Y#?(=w1D4-Q+GNwU?j!1Y$6ez40)-ULo5%2xCH7A zIVXMYg-oTF>9TF2q7B-bC3X1|S3Pm8%n~n;`P=x4HGo%g#|n8?VTx>as5QIqLuJMi zpv-6DFdv!E&G)kHn9;|l>bJWU@yL{oE|UG>YX zrMBMO7LbcP!a@iTry|859Os94Mnw4snt0*F6ILf#BBJ!xeqSS;8ta2%Cd7gX=iMp_`ltp0#hc_Y`EJHj##nV-O%EBY2cT|uJ%x}pNwYr>^vYZq4B zas9U*4q00M-v;OC5#W%?Z;yhrSRLGS@6uvuOlrJrvSRk+i1_0A5QReTvMKtpUa6Ou zxSCvA3A9%TP$mZEUf`Fv4wF?W#~Te{uM2k9KVaGiXOfM;mhvW-6~8*)*MEF?i@xBo z0g39Y@AW(Ea_^@DJdy6IrI*_JwD?q&PgZdwRE5iwM9OK-uch&c3%axCFV7Qxc+tgS z>KfbMexHNK|G-B)D|70Lh$;L&R(E6RcU8GU8-t}KM^l!@iZn81`m*1_X?Xje=RJ=g zDz$NX|G>2pA79<4*dSSE&|hL@2MD>Fxat?g4rOeb6Cwa90%ejuDz)FVPoi<|w0Wk? z?&DC&m_|j0M(ex!hM!n~Z8SoZc%O2YlYJqd(XL<-}K`Pn#|c{b}#6Rb24C z@@o~AD~1{CWLj3L0O^0PH(4z=d8l<>D~+keGlA#Xz{GH z73S0B&1675_vAORKbC&x@|a2LHhy<$g^kj5sJ-3I>eVP;c=Wze{)X|<=SXM5k`aV8 z=Vz@<2C!`x^A5i31pwJqxm|u! 
z6<|m#XpcSlpsH>IxPXv>!RClK64@d5xKbYkXH1sEhh_XQrz|H9i3Nk}qib!y4AF95 zG$lv@Y&B*a-J(BdWIU^OFiDS2v@11hrOR(+H6}P&+@QI@h4x2F}ZDcm| zkKdP3RWIr3{Iw1@Mx9~Y?i&$vnmdF0?F6x)J;zq$NU`0S@Ai!b_u4XqT*}>d_Ni6l zIbpBUbG~H$Z9O9;Z;3nx&j!zN6?Y`Abc)@_NKy~dS3rEpZ`LisC|-%SewhnL$jb^m z!tr+u8Oi=9$635R)TBs*L%WRVx_5g;rBwqJc zD-oUxdW&-%%*P@64l@kl^Jh!yH@rIs0kk)(r5STlyaV*R0sS|0gM%tkqck5nTJwhZ zGcGP#Hp=cFX*37;jgrl!}v1%b6ia_VY}Uj+;sR_ z)V*N^m#l2)i2_Nor?f zcX@rhA`&365)1e#Yj}Mfxp1I?pYLN>*_QQ_)J^p6+_31-5`m?el59}&^jwp@b*S71 zTm9A3HXtaceS9T?x^@!PNC8gcLLmR;(`cTLKh@m%cS6~-pN^szW(B7`j}4F+w9DGVL`g$(M#ApP_)}Qd|JzWv#Kh-R-X+l`i4aoM)I0y6oWz@Gg>I zZ*h&RikBtkj(H`3m|#li+y6js$=TS|FR;jxK@rkW>g|*k3G;BkCu;Qdacfy=|GYbM zBJE(IdzqgqFn9ICgzCo6$iwy*q2^i_aG-{Q%VH>QbB8mpg^hCkvTMGAQMTOQb$q*Y zh6<-al**-T$S9eO)tcqZVOfHfrruR^`+av1>GARSDeEDf%W@b}=Xq&Ob*M7dQT1KpxDq4ik?KmeNp( zxisaakKq^S&5c$hvOWuR=6iZqwZ{H>AC(K$g{wn*Q+&5|{5@cO#^TS3cn(>3asGDY z;M|#sS$LJpczvp(?K$kfGNM2(sezd+Luw=d_rG~zknG*l!!%Sx=~S@^iv3nk^rJ?gmF`PLWjKSe=BL`@?$ zJNoD@jx*V(6$zc|$(=#b*ZRu1mhWF#_*tPbVhcI*#9Cu(@%iS$YO zldl^5$p&P$@XDyF449dy<^Y~C{3Rarso#EJCZ(OP2Z_}S8^&`}5g6C-xwwDtZfF7Z zw7#)njt8Q%O9etL2Ap7{<4#xF>b(fFKI+`!dtM+^6ul)PLNeO|pW*xhp|CAgrj>xd z*Y6@a!wrc{=bs#0$=y4T0!@%JhXM~XcsUN@E%)CBpex6^W8CZPBunl z4Gq3P4}q7aI@s#vz>JJYUIzteJj`MW!qw5OxP0#u#8rj5l!Y_aR*ksLX|m4i{Iolo zCP0_8sNuziy`_(WdeDmp*FQg)6%Bb{Hn;1I)l&2gjh5H9sL4gPr*gy+3pUp9qzx`V zj}lu=Q7sMhj@KbbRA}1)>dv%WHGOkceFhL1d?)ZCU?4DKU{<|bc)BJ_++Tg2t)#TV z+OhcfgmBxpk0tM?v#1RxQCB3@MFdDiUSbxK5=(o%Gu#w?0_d3~d*fO)$76yzpdE<| z)|j=9=*ozVo0^_o-P;oL*v|MdQW3BqFfqAqmAxwHc(~hD1dj{Hcl9#TaY1*$+20#{ ziBI=#sVz}0Q45vnicA$%$Z6RW>HV=cxJUb-R&!1FH{t5NFYYU6){pymK8fuz9TJb# z%LtH}L@w>EiP>J(j1=qGXag$SnA*)LdObfe$0KSf^|!MZEu%$l3Yfd#^+wH`N;k|= zI1Laga~dBK4@~a@+a22207kYkm;(fpQotv$)g@0RNSuD{i5cB6hS-YZ3*2GLl@FoW zzk0a1zgeZeQ9NEZ=6dXIe)E{l6@)doI>lGJf>g!xU#@f|6^77XcmT(zKkj5il9I>{ zd?9IQ>7yaTMC_>;1L@y{Q&30O1q^lp6K;Brc$S%_kt zjHZ&P-C0cS_VlazY09ObGMu3pMKQk+91bT$SC+F;@|zBv1sX&k$0xq4cklV`-m{qp zGlVzuJJj&Y*?O#3t%}fk$ydD3l2_nh9!RX4oYY|0ou(47G`(5jiRfy%f?_e%$~yJW 
zG6#jTTF`r;llMbqiB*554gjmU3i|cb(<#rLbNU^9V9vqbcVi7re259a%9o>0%NkyE zf1M;Ajg%J9H@nyVbtEO$3V|l!df@~ z;+3=&usQMbU!`hqCr2yhYL*rz*18bdnes|$;sIwZl;{_^o#=XiD%CJP@Um3j5Vsm3YVN$zy6PR@8IpWU_Hl)eS8H-*0PUoFZ?~G_`bH zl_!y0KFdeUZpl7gXHQh;w}?wZPuweeMekWi=UpekDwmFD)Y#HYKAE5o3kc4p#6zS$1f4C;a_^l=)RR!{0Q%mRDYvfD39WGSr0rITW8U(g>>i}0g_DvR{lHG3b#9VY3U^603T>K}Q*^KyAOhTq~S5%gGK;t-J zMGceF!XQ0J6gROTW5zN01qX$zpH>aFwSnh@Pwr_7h$K1 zZkUwP`M^I92^TJ*6?s>ipXTZpZgga9bCKq&_m<|3uVl8X_(3a6_JqMso_7XTK|{VET(Le)LP)=^Y~WhO;5SqYf_FP;>m%T0uV&h}{bf=W+xCzWNP{Pd z(^~+G?CcyoTrjWGBjJ!yv_OD?p{gk_SyN?Pjr*)~^~RQlp32+Ws@}@%M&CZ>83{ zf&nuawpkIHbwG$mpW8E~Y6)fLVLw|P{rrI*#@3Fx?rBhk!*BJYTNaw!KenpevD;AB zCam1wTq5G4FJf=_SvaOen{84c?G212RkOdIsJ`xTOd!_armnY~b-5eaw2f!8$xE~a zqBg$Vpj9hs6hVl6Kt+3+-zdX$28vw}eBK?oEAv+~7{2GPG%dP5FCm4n|(S?&q)vU1caqK?j$Lj z^99{jv%A#5yRC~xUR#^Kj90&TFXq%-S8yTVVH5XtPo*Q|5nvYR@E$xI7LSD^=Vhe$ z5-ntcvLH`A9pn^tw_h=a=N?7X)Rv5nbyrS$+K%kl4>3V`90HUqY?dq73pNg=BBV>y zbT>fUngJ&?-M?brvX9|E?U*_Glqc_r&jT{TR&Y6h^tldr*4FfK#HT? za2;(WDKmy)z}l5i>N)EqBs_k{oHE!P?*k`_HOTpbTZr7{qi9+dO}(^bGsa1_o2?O2 z^N^9EnQx=-RvCOJSH>c;&}w;DCXLXjDXi8wPgOQ{4ob)*Qa#!~{kXWl9Ugaxxd(Wj z&EZz0hOr%{c^o;4xZ0Xxc1vJ+PIS<+NcwCVKK|l)0?C@(y#>Ghq*@*MsAj_K-QM}4 zH`W^VCe~7#x(C<=zl`sg^zWMuQ=`N((dnjOPjEn><}*@xCucY?_qlF_laPlsr&(EU z!w5z8^9&&ic1R>8yO>F&T&4{EP=?RN@bGj^V_h}dYu;b;wQ-J3S=dZI$!?{8j`vUU z0!Mk~TwGmRH%r{Km(5;p0#t-e%;}l%lS_}n6)N#awYM~-UOpm*o zg&Q=jOZ{kZLU`l*Sq!4iBMM=G!dK4uW z>cR3Bm_10(*km?D6nxoS-L($e>lb+!7Lp#C%oi8*SJ(RExIMv+E|*9cs@r#L3WfNN z{dGN?9-%esFecE~EpeI~0=k$>@>eZbP}wPM@`P(JB@S^^$ZHy7{E!#Ci{49FvH|fe zRu@26MU9#UbPV`JCUpAxA5+?$%yl!S{QOE!R~ujGJ6rhv+ub+7F~od@QFR&l<dK@U*_LG zuUgt#$#)jLLJ`Q92B#b>Alendp@})@By-g&UO_yp0NPr<>*s%&Pdlj)*JRV+>q8uy z9%`i|E$8j>$+}9Xy&=hPGnMWD9}jh1UVT$`Yb46E9G@0Z>qBieV9%}V>!$-!88es_ zU0!B1Iy@~Jiy?c2TOfbD>13=aVh3Tm=p3as_8%EuXHJk$oR$NEBz9rDR`JLx01vqm zeXGLV_;zJ`zQTdIZ;;CO1A(EHufBy%Y^}@_^OJeQ)9*`E-CQtkwWk|%Bel~BMw86t zpUB7sY=1lodZVf5u9YUDNH>=bK++90Kw3dB#w3#LL=Cm)Cok=b;M|$7@mOy%fVVPh 
zGayB;N=+pZ*G!$NEBJRPF?;@!9o;2iMO|=xE1-mp6fc2ypJzW9l%a zbo%E<2M^cxwj`ydlVFH-TsvC$_Mxeb_#4m4h>BGp_}LrTW4GAAf9e4y7Bh_mgv21{ zy@;JVHHwFHK@^Cn5b{ArPGC>KC<4!lVvN zmh>!p0t~i``=oLG(Ar)FR%5+$f9R!wv&~W(=yb7q;ghC>ceP9 zA`1w6*4RubFO$viW1UxcCl20kA=e*LC(8T{t-(hlEI8V~*owVGPNf zYrR_ekYJjZsP}>j+=TY#1?|n(^Rzy(1%IFJrlJFb2>k6brVZ1|tOkoC7d5ht6yWm0u3rHJ3iQ{VUrt;jP>d*$#QJ=k#i@S^>q&zyJf(zYYYQ|zmnNUfbdKX^Z>*E%I& zg&H16gD@%us0NFqu&PSABT0{<{?3FwS^_U@fig>JbkS=&5&)P~(iwT@eAYw;CTZ&B(AM_$vnVU zqhc}FX~54xGW`y%e^p8P26g1-hII450L%+LbKceSP@Qz%PkTYZN;$388jTocl@ABD zf}FLeCsI9}N4*NR3bTd}1WWYZyN^Tm5+!3<{o>6X95O+P!QlWypd#-)M|2n2*s>dN zbHE(EQJ@+c_(IXiz~xmH>sOQhMJ}L8(64ot)c?)`c%&%7_JUZwf#bi?tQs|#Dv+ZP^U;Eh#5Zu|%iJL7&-PyVG zK>O2+9spTUQMmkh-i%sW8v|2RW+g4S+*sXUzg6Uc$3g<+3?CPu%nAqMl0H(6`>L;O zi+dtb51ZS1hliN@23hzVNWk zR&9S)(2r;AB+(n8QB*TmEXa$yZXPb_0b|q`^#Pjds?|%hoF45j6r7CbTA{Y@brPQC zDrMFmZGJL*72HT(5(-mE7Xh{%ER;H(R9Go+*)O+3r^g1TeLk(1R*vq;dN{TLt)XFCRIAcXCgRg_yu-x#Adf*&AAmaG_6994W{*eQ0B|ZUgpEs; z;K5_#lZXrdZ~UQB1kKp04e(_UnVCcRpk=%&s!Z2)M~sJL-nzW;!`k%MeWtCdL)WB4 z0$P64`A6-G_i`$l=vc2F0O9-AP`_!6}wWToHnPu?IPzIyxi6u zAOK`o+Ju~MzMSFSUGP|_%%6SpghR|NwX}Hy=*8hT^1G>v-8NaA`uVwVm^aE09kE3 zyHVy+t1~d2#J~`4)OPJDag+hF)+ZiKLMm|pYo-B=GZ4eg%rfb* zQD|dlCPfifcfO%jz5}_)f;;vO9FG8g&jovQ-8Icv7NqYmpyvk-t>+|qwL6>dU;|hf zgy`8t@zMcRH>j>25N7UFKOoEX6yMJu6s{9<5p6$A9*)fBpA@ctF^s=bIM|5!R8-DG z`OAW0dq?FrJ1;d5on>CWFtp_FlTQ#sgUWcZpT{!Kq$O`cx(xsNU459&-1h$t#&+HO z2ALj&>0k$FXY|r30a!A_(C>~U$64*jw>-lc9qkU6jC!Y!yhg$# z%OD@8@Z5rmCIGeB+uqw+o4L5@2T;=e78B@gIkYTPXZu^f$n*>V!CuepbzcVr%I&~C zYV3f-9QVY3rj|Vl#22Wzjv}4HrVM7eXHp+eJeOJ}ep2S)+BU0xlRg7&-r-3BH ziG&OI-yDnbr#7c{E_=X_EfV|Mu3P4)ah-mFWWys3XGQZLQzUokuGm69XFrN6^~Gw6 z1h@j?1AM^GipQ0cFATMFJrJK|3EKk;V|hsij69qhm8pbMTCCE$Om)xtizM?*Q<)gh zbMw=)@1*96oSR+>5IPO$`j>y%Q?jXU?+2HM)>n>4^kuzi74SCNC&b%nF1)eYxc6qe zA6a_s7w962rX+(8j~#Ezb0kmq3h}a>$PfKff_pvw0>HaPCY<@9TuvT8I+-R}&$Dnx z;_Cyx8daJt-#|SVKByWv(0&}=RrB~%@W1GK>wv1duUi-!QIHgA0qIidMwF254(SHz z4waA=>FzF(Zjq7(329L2M*2|SJU+j8-|ybL|4|OG*?X_G<{Wd3G1q2lWE9twdnVHU 
z)~8V{uvF9_oQnF%6Y3`k=4>6NBXKW6sSaluV)Ep1<*_g^Bbb$ga91toPA=j+5*_KD zQ80hoZki2tKI)B+H}UuBEg#?(tGzrL<-=hu%M+!JewsO@WT5mf6P?Z#DY2`4_^JsF zyo)2hyNRuCT`eUy;ViA5J0F?;o}g|nM;-my(ZT)tT~giyZL5HPZQ!zbXG!4N_l?>C zr`)93WV9ibr%l`y2c}uPD)M@YRBPQ(;PX5(5qTw? z`&Pax*{-a5&!&XSJ{TT5AEO^?pmkv|Va3YY5*2rjX-z%)OnV_e@tge6lQ@Jh@eejE z&w2I_+R8=|9TGDP*+(^1&ElN8Rmwi2GpkB!0-G$DsUM|Q2IE9F}Z{> z^EPS!{jmmS!Cz0O26+&sFczaE()U&>Xp-Wo+LZeSLv`v68|vs^mtnD-1=3{**K8F3 z6N|5vQf*3}%|FBJO#S8y=zx3lQS~)NL`Z+W9EXjrcFeR=^_r2`^+73xY#G0hqYU?5 zblN-bI=a2?6s$|!8px;X|QO+GvS6?@LcHu}-6& zn0)8ia+85#&FUCN^VYiY=QG^ zrNxiUsp{tAUw53Hos|t_WcvRs_MD%c!R6)7x{ekoudc2(UmzI5j|Q6YBO)TEs;r3k z-S!i0n(}8|e}46|tMwSpkzNZWCnq=QPm1SvcbaSRR1T$xSZTc{SVT0{pUk^GUAuSi zL$|)BCXcZE^JkSJwV`_F?OOZg0%x6CJ0nrij*d_w^t*SJLgCg{11X+IGtTY@YuV;S#l`0X1B#I8! zjhTX62-p)|US1+1A~`uZgo(bw>3)8GqM4zgp>nirY-~z4Fe&iS{0}q0;Tzjhs77pDm*8R=LhkbKNXv-PlElgps>)(8mcos@lMy)u{|I_VIxAW z?u*PrInS{IK`}oS<`Onn2q&G<+>;o89mtcxU%!53w;1#F^)=-M(~POuhky35^5J;? z2s=9~YhiiW0{IOWv%{Pe_1Er3GLCPmu9;yX10o8_VAzL^L2TO--0C4WOYKnU2$9|J zZqj>Y+rM9BakJtI@%~7E9+1rIY|e}3gRi2lf~c6kP2SdMfN#}#b#Tp4b+I#=I(R|f z>ely%S%2eD#c!>#gQ%dQ+a<00?~M_R87nP;Aq+ak%*YtmK>9uM7fbTE80v}JxwTd2 zAKmEtc++)u%na=E6j+Ix8qS+|gRS0}?O*3POa&4K3rdS|zW>k#J3iz?bOdA%ZgE_A-t&`LyV{F)en6iO*bnl%ge|sm0q;c1u2kx;C}o3mUAb@R>6)$Fq(sdBT3Q>{Hy{= zE!NP_A1~NPaYdvPP6Ly__+ftUsy^y!Y^D)>AJ*VnJKz)HhCs0Vkw!6P{UGpeiHIDP zm>hM)3E4aVbLV~guc9JG0|NtIUS1dytEtWAepTft{w^s=$)Mb5iJT`}I^$_iaNKX8 zQ~G{0`nO{P6+4 z>(;!JpKyPJG}uK)dvXKcEG`?8PBiH#DfTr;yW^VBtb9m~e2KcdzuNMsmO_|CThKcx z$4oiZowM|D<*R7C#dPFfE84t4!pHN3WNYp=db3>^=2PdPBi|2k^_ez%^x&)->ZRk4#2Ne{ymLnXh8fA7Ev#zoOpH7a##f#}{2@&6NI z2x<2A_CjK^u(2scJ`lZctnufo&HxXE#ka3eI+f^BV+B*RmNcxMH5G){W*=O-L0tT${4m$k(!I3<3tvo_K7rH*nFG(vZ-6X5E8{wW~-^5Fe{Ai z_3JLj=gq3uMA3=vZSp=8SaWi|eB*{7&XDCfJ#@n)NJ+qCD9B$TB+RA}Gz^2S)tlGQXKh63os2+a~o7`=`4J5(Ll z2_7H6RB@AUiM%7`JS;(_DOPP!Ds(V&icW&Vb|$Ut9jI0`@RN;{h`g=6TybM2k?vmR zt?>A~?z#5a#+Rt+wA~Yp2G5Vs(~4WaUm5hU&F-pKl;JPw9dddI(R(vFGIDsl%z&Sd 
zFJTZWlZyyq?@PqVZ@YMyzq)t06OvP;P1wFhhmu)IXmA%PwCGX{!hSBlwZOv*% zZ|XZWJO6%Ko^VBaxD1QaTf1)lY)Jc($5s8_CG5WWvhCOJdJaAYFZ$S*zqe-4nhC#3 z-Run6z3#%4{%&34e)ZXTG+>57R1VGMt%G2!^w_u;*yL>?HeFI>a~~pbjJM`0 zB$O0A9Zp$rMV`203D@nTy^6`&*qEYOk}=hB>S$fzy_dNy$9TV3>GK3nfqZ1>JRxD| z13{*Roqh+y5UJAa5YS%wK zTqSclxw}^-*4*OgEcp2x{~BeALi(%E#>$IEh$L_IqrvX}A@6TQKUMn|jdQHj5Bv&d zzKuJG?<{yX^7!~~Nb}n_9}i_PmtPmHnheYK%KI;po1x3iMpK_b!Z;Xf!F=WsQ7x2W z4P)b_jfwJVtEn7hKptW+&5KN=Ilm;JH8~0!7C2L24=K|*lwlqgM0Ag}s7KrWevSUt zznOcj*f|b^k;DCaeX6VD>PvY@c`Ec)BuQc+sk3b#8r+X%y=)>P6LV9V1OhDPhs)=P zYzB-u$|fwS+c^wcew644;ED`MP)QH-@YFSV-ja$th(OqSoF1B#jr(H02@XKKk~)~N zC@gHt&@eu#HfDKs)mjUlT|g7JdZqal^0tW?iw-f}^!>XR!5alF1u7fV?9R|qDqC5{EW|mG);IfZK=N?-3yC!|F zbx(!qySBFa7fXBiLn3ITOgx{a^k5CU{Ot5&XsFWJ&g?M%$|UhW5FHl3#*J&wNrUyV zgt52gq+K7h{v?E39%kz^Uf(A>5VR7zHRz?c^}hjdg;*dRcYgSu#>)I69{Uklma1|v zD!G2(zJ#e|S9v$}1}L@~_UmKC6XhnlHLssdy*Z=NFH>Xma*Rw_SX?CGbt-CTIEzj$ z!wU)y=5_s(Rh5b2<1L4KFqY&ugScKcZW*tnpezsU&Rn-s_pRXgi7^x*20720|K&U; z^GR-%?1a?x#7db3zN5+IKXKh#H43J2{)2nw%Cs~eNYohVo9ek^ESV&!y;@#CncJ#Q zX8gVl`%UBGO1jrYV}k}F3+jejii(Qqa^IHsfU~iO`Uo!f=g-yvc6N4OOixcw7M4=@ z3X)d!it8OTG-lnV>0DVd#bJD+`U>N|gtu?s4rPknBV-dd7#=NDWzlI^Sz6-ozBr2| zw3K`)AyMbLw{&?C@bSKBxB$Y5M0yyvaC9^Z;(Tb*WBWlOoYbYoZ$=6RtW6MBtKMBT z-G;IE={QEzP(L!db#P$4ii5|;bh^}ePEl47TY78YJyB}h!FpA>daZ13$oAa#+?%Gu zxM)UN!v4wVb7PZIQ)ORzM6iTu|7sUC#?9CJnr0%t0U>z*HBFB%|$+rHYdkDuA0*{I6b#mj@obdZPKbpwk(gkxVp8Y z@>)>UWJ(pAn(aC8RBPFJd3nb`a9CPe0;%(L@!}lcez`yS-P^Y+r8*?o*xwu7ojDTw zDu&sTVY@_mdA(P!9%7<8IHqbsmvtQv4NX9f84(dtC_SH_a71)8RcudkQW6)jjIC|i zn>TOL)AeRt7VKP|oSdwzm{JF-%Poq=T4!eXpFDX&N!i-Im>OSBCg`Q5rbdg479am@ zl%+f^%?DH8!oosdKf|1biD?vek=k_uGNZk{otl~&0|R4?H>e$UKIDrKH#9Rdv$872 zdak3RBO>CLoSdAWZwCKS$Y*0^Rh%h2J39leg#d_+>sLql4Wpu>aB*?t;^I)RzZESh z8>MGqxp(JId3E*nY~x?t}q$BHa zZR^?aqo>r4a<5{4eGjtGyO(l5dauv*8sfyIPVlI+Oq>xNJzQ3*D_Y!;W6b#7Rga__ z3EmW(%nZ4-Y zoaw(`QGLElCqk|0>)$Ep5=9r?&9Aj7im@6I6QQf7RAL*<)<$J$Y>3|<$MznHZpSUh z>RJ6esSJ~9AH3No_#%mgmHek?jFpeF#Je=i_k;V9Vv|m-_s|)qyMxuluI=Fa{~xNZ 
zc*w{o#du#f{;5bbufgluX_n?Q1=tHL{IjoJWM#>84 zmGH2!?Y9NuFy0St{TUS>ukmExo*xFYiQM|Hd}MJ9xZGD~ z-~3MZuusvvRc~UXd>Zbj(~Ni7syZBUmm52O1LC>tAKtn8RC5ypYs0p{FzIGb7PDQk z%k_!P?ORLy0j1hCghuB2E58hJVn5h&vl)xasgAbvbX#Dg)U>ev;^Ed<zT>M>_!rvAy zZ+O&lzPkQ1?;V+y%USpeCQnCesSXx?|3cCx! zbd}ZAA%r{F2G~C!K)23eb+dYol+Wcc`6F_2J@BFB%BH5UnPHO~0#W-k-m*Oi4_M3_ zH*UbN=9p<@5(d+Kn}k^n)7Thj+`>XlHMJVZRY2deXw`h0{T3}@lq%rKtW~pfIAz1? z%9F1|h=<2+`>QQ3?tyYO%-!iaM~m48*IwF@o>&$#NY;wEGRZuS6uzI-ipIyseSCbR z6FJJ%iUtPBJvQ@3RO#+Ty}o}uZ~LYeQ{!9 zXZPpqL`#>R<=?FEi*H8*?~qsJXklgP;Vp4C;52L60)3mr&!p zsp8iPC8;C{9=m&Yhue$!3{iZnuIT@m380FMp`B2wOhL$iU!go%Gp~RA4PA<8t7)%` zm3U23>q7yOWV3_|z!YnQyFo0uXfqq}5*3iN#%c4zbyta)wB4|cpBR+LExgj2x&W1=!bt%(ErEFn5M>rcPs1{%(Hzo-)iwX2I?(7{rARdXvR8Z0JJTTTW zK2*$BSY`Y~I5`*lQnqjbFG}ZjXdeSDJLm6{qd#`GpUt{GYal78QFvY^M--sAh)y3F zhaEeOzA5DVrF7fVM-}kh^w+PybnB^TXz=mz2aUy6Y@6LH1X*)RV!)$5& z`V}Mzpx0Or%Ozu(VdllNnJG9rI%;T4t_)>bSy{!GMLzexI{`HBjG}KqK#$?)e8t?S z2EtaBmi`zdZok?BKYxBY`d%CzR2opeqT|yF{l^Lrv|NVvcQ-m7Sf0)i?woFN)9M4N&-+YQ8T(v9^I;JZX>U z?H$PzQ$2#5n$yTGq^cT#iA@?o8zUaDf0^rJF^-};iuMuVR!7!P5d9&_^QT0Vtl08# zTTxL`hAXQ-Yb|Te!dhl+W?^Bw)YgWKp@L(m+Ih&kcXj4cc0A_dvP*u#>4xR%UQMLJ zoTqJ3TFSS!!}_JRLNLE_E+1?xdF{zu9X|OQO=}@J?3{bgM8U@QgWfey97X%>7u4(y zT?YO~`gSJ1AFOAY$6|6OWP?!2l}9t+T5sNP(t~ecl8_v_vx;>H^vZ2c4K9uZJ#w@+ z>HW=5{=xv?2R{R*Kzsjjjh!!Ic-Xw*L?eHq2t-9%~nQwUmZRzBoYhY zsVFH}TN-}h*BmZiTcRF`Bhoohn@)h(plZ(*|;t33sOf%nx|&N{dX9H z{x~>)W1!Wpy%_)2!k=JAmht=h4U8DVS`Jy~TbdT-D>V*T13K40n}NXrFvirVvDnkD zU&fYm8&oje7cYF*HnUzvUWILe?d@-qui-dOOiak*M#si>hOF=Jx^68GwX~2^Q|Dx4 zWK>i{<(M7p1|sVi&W{@#mKXsz1O)l!baZs-W(WWd=-C5OQc^t5Tg0TK{aFLnb4@dV zQA6ePAgnRoXW-*&sHjk)h=A>UjYV0NZ)s|3D$@}wwo^xl$5q4%Jroxg|JKuk6WosG zmr+n4A-laTyA%`@6c_mvR*Uj*baL{jHz*vn^kz$G=X;xq5Q5<$TK1@?7`vnq?fb7p%pLt_+Z!2?>%eEGiiNG3;nx zR$OpDKX-hZhmVuJCO!#Lu$i`Q_YaYtAtfDNs;iBJ7teFQ$`e0t?s0gEW z^)o5ZMnOCptzKLE%>bZ&scl0Xe>Eldy{A#l1`2NL}F2g_HO_bL;Q_DWHo#?k*&-qo< zkYU`{5!r0bU%hpz4wF?jxW{|W@!2bzlf|#MrQ}T{+-3`O!!OsR1_-z-6;&vpzXSPT-L#|Gs0NO;;760;QO$X|GV 
z_P!sSota4)En$`rBmRi+B?E|-)c4vq^16Ajgzw&6V|foBBX_mr(P)&X#eEuJF8=D( ze2#QtihyT9W@cnkQiJIbMJPsKU?5~bco)g$NPZ;9#-d3Da_a?oc}P_jf*}aKpjmSf zhZWFB4?m5UI?sr6AliFdyU^D5;^0bwaQYzN$BBZnOgDPiHBv|uM7~V|oMK)3=Vk{Mt;el;e3fN}F?f_I!9w;M&-i)d1FL;cc4$s9H> zP+d-DWN%4IFuW5xbh0mln!$|VMAfD(Km1T%)M$(72$$H_#=ZVLm~gHV>4hamzDjAl2Nat z!+2@~r;4)r#6*wT^ol@$tY5at{l_n@__dSoEr;lPU0YdO(`qEpWccWT@cOj2{9~kT zC-SJ%tHy9WyLoHC!+mg+sO)LH{!e!UrE3{})`yXo_!XX)MoU)DcOeq7NpmXwri*2G zq@X@SrsHx$`15ngwnfEh(e*O+ZEr*Qv&_$(&o@rF9O3=)09_#{8w|@04 z@=PIAJ7ppE>48zqed>Zo@_T$z-Q5hd$$SE)XAdq*lC|9&@nw=93(XH^b<%k9Yd^mx zGqYp2mw*#aHRp@@CrikFE{Uf7vaYl`Hd2Z@-1AtiF(PO6Tbz=ng?(sXDvHj?;FXyI zi#GW(v)(D{nD;p*_t_LEy6@`Um&~FWn3KQMH9Z!bV1SAs^bgz8i*VLEan*pm{cm1M zg{6EH@6jcY_ySEKQJnT zcErWJr?zMv*v^-$ZcXf1BKN>DFdz;$Elf>aRtCvK&+u6V zs(2Q1-UsSqV5b#4*5Rafbd>46`V)E8xL{*sSkbP(%aIL@l@ z%=K(~nqAm6JRcZuw1$Lic&Ey@H>--JU>$v1eO$JX>Ip%;i-DGeF-DUs4L0bCmdf$j(7fa>m$N8td_jb&8TpGaZ5)%^xlp7y-LTG4c1O+dl zwmv=D)@^jFEH1VJ4k$kALvXMpO(Lmhh4r0_nB5xY!v+0&g|Z zFFOVd2nLr29F`AQv&x{NfuWU`mp3vp!otETAY?{AM;x%Su}zm5hR*u1f^0mM~wOiWI8HVL20;PlycuRBB$K0dzwB<{VHAxb}C zxTG?eO1fSreqE&}CnrN}joz0RfByUd006d!%k>*o!twF(;BlI*vP!JFb_KZY>!}>q z8m@Qnz0;ZD?>~2y&Cg;d?TL5Xk16Kn(<^GGntMb}cM27>agL}>*jlU9g5U-EC6pt# z$$^iVx7+`X!+J0EZh1L7=hAtPd31F4Y z4<4G|L6{6A6H{{W)MtAWuTQj3QjFaW1aDPwK7U&`(-b=*zw(W5u^^GxY9-s^NVP<; zqv7CnrS8raQNi6GzGdfJ#Ep^U&PwG6M=NU=EkzN8!zY}+CT-_ut+qtYzD36;sEP(p z4~nmZe=OfaV+$}G3%2P$y$Gg*Z(7beMwqS6Jm*^N`;y9$WcnxjGP68(ST(f)n%+l? 
z-I=k3r9#k6WC;>tBD^o3A)2?QehdWXbd@|;^`3Bxadlc79^RW-ZB1|?Lm}i$OFfDh z)(ee#f4E9Ma(;OwL@ID4?q_2h_Rvf~NlM-8qsXI<0)$vc)@(!MW0N&GR>e%7Ttw&a zuRpvIFMBg6daqs93T^`}=dkCLU+q1YqT`(T@v@E}H^r~nl_q^beNnUJJkDB_$|PpdO+QJ^~C< zs6rGc;E4c2X2FizKCio5VzfI8YURD<0sP>02(|wH{=Kfs{^&$wFqM#XIXhSqV=Cx4 zI5=2%Bw=^dFWw*)u+5=9n@4??R+VYW#N&zzTY+QvChH znunvBZ{96V8kPS+lj!L#R5nrFTx9&D(6}}8TC48+Y%I`)+>S7fm-z64vk$AzI&g4MSY9wtWk8&g=4HXXAAPX0rUON*`>GBw z-*mrE3kRHYN>rWi>5~0OzE#S{#C){9*q)L1{*=yyS=0d+?JdF$M;LLi=0e5hwA{il z&|Qew-@y&cCXc05B;z#uR5jS=H7+yK7koHfh~PEPRsK!;Z&-q20Wune_DZ zU@Br{Vw#%XH=zf%x67RUZOlP!M;OW^l?H!pD{#gPIqVF_l-==)-%(=Jl<4m&xDuo z$--5QP=X~HuodlZ-gGegg$2yLckMltP?rO$43g_(jqa#NB#mCjN)O5@TB3H(p`NhL z6BLmTUTUu0Rzrr6fpgdJlR$tqu47T;y{6I}i3g)JI8|G<4o?^Q1MREhuOC&XN+b5C zNTh48l~dn)GQXDEj7@-*{1vybiM?v>_{l-<*!ALTBB<%&in-ar;o)1L#g1TI{34mzYTQm`cm{c{M&46OI^=UIE(teYPOEV^>7?RR z`jv(?Y3=h6K)|JZUtPIn*d&MA|FFsZuM6)gC9`` zc^bwMir}9WPXDwSlTw)ko?#FypvJ5#Dw3kby?N_aea(oVPaXObPEH6m+nE^|Fp;2` z1^#UYLVzAR(jr=K>~eiz2X)K|Hx%f76rF^h@9KK+x-)ZaJe#*rhxKiGE|}ZkmoQAJ&u-8}R$iraqJr4$h`o*XELbwBhP#!%7Sjezte$7i;Y<_b#%NWrfe` z*|M3mU{p2oIFbxncQnw`d*X5Y+DdHqqiyZ<7opyC=ndEjdgys`@U5HU5!YwWG6bP( zY2(mycZ|(BCdzubM==_4M7)zfSkaL$LJ%qkLMFh^Z(?f7c{^;e_6o{89$a<;OVuN~ z5;pF^s(`}XU_6xyGF*|eiA`GPj=|w!vxe8mPJ*-vP;sEFT3=oUn-2;~!&78lYmcVh zmf<$CG4+GbD&(0|DeA0GHe$V`fTQ*upPcl%I9UcA=dZzb5(_DVq@A1BVh=g7n-ihT zEB|`Um6DQzG=ZY%SbIZ@$WC^|y0*P{z+NU`vLZN%`BFbr56F zT(TYFrK29sy@Q>ftzg%E@#00p#@{#DYG^qrduf?{7H1xFdWil{TYwO6zmYcliiE_E zNP%Elw@=VK5jmMF&8GwiRYF3-%xtwM3=4UK?f=*Z;JpmUulnwwB9Fm;{F$XRO5nML zLnx8_esE-DAk z{kmueY$7O{{{o?_$W5kwRNhng%K3hGdVo?K78=?IbCqNHOpZ`pN$@hP^ zwvNvDTOI!MqiKEhj_YIpc`&p{`&w~AEqTh7E0g|&feI9=;N3nZ@^Xav3P%OLmUb1D zto;`*lnUXOH!3GFu3Uh|%9e^AI~ToemSa+cyf2i=dSK0cd{C^!uAo?O!atT-SeBeNvwT*a-`(<41}KMUcn6Pzy-V{@kg2V^a&?=vCNXQUB|mUVW?^G;LWEu zY`~uhwh>Z)@QH9$PEJHsLTBEjZD@y1xB5(^6~zZXn&vZOOkDFI^OgrkA^*j}oxwxH zC_1B{9}Dp-snZj4tVu%!m#S8ktV7F0=|NY8EJh-Y9P=mRv#(8dcPEaCGAhbUoz@4m z>jN<3EMxWh$6M_BAI5rXYYRDPE1vT^=VV2*Ne?3*PnKDR68&X~S+-ez$j7cvZcq)5 
z^d*DUW{F`>xbd9|QoT)xQ~ouf0q>yJ(75z>yT^8IXB5mK|3$B21TP1EXUwGvYD!qo_bS3 zaan{TWU2uZAj+;*i#e7q+REU&Ey@RAW8||Ps+Q(=k ztg(Hdze9~&4=5D`|5@Xvp{8GPQ=d$*a_&C!8 zPYCX^7;#FVS^0-LJz8S%GIs#t(;x>xa-f?DYXhg%8GKt32R%5nyr97=KBWv9h*3

    {&CKc>8qQ8nj{|Nm=PdPfb-_+& zT?cyHpNQ^@|5B|m2nwKkxgoK3Q5CT*~u>Wip^H%ou z(Lcr!)W{MnPlpOrO460sk3mm;h)BkWk>aN+pfHk=!4$kd1F;I+eAo3z6)>PVfCoc- zPc(bWO0bXBer}z3hWh%?`*uw$CnpDwN-#V&)>hsBmm`v&q`j+a&9s;aoS_;xwqaJhVJGwu#) z$jHdUOKx}}%HO_iA03tC z1^ETUZxDZv)opB_2dp|HF7mmuf}mgxZ>dhdiz6gRJEbf0*NUCrfbKk#^;vn; z6havl6&&?!S<1)9$LZZn@knyXI4gj}+MW;5U(!joH<}D3#L7D zE9%DXbdG4~`64i26mmn&4QD0M~+3JQAr z=8ePt^!sQM%Oxlw4o;UoBfL9|tE($u6aYrHx3?MeI+q>e6B0a5I&e&QPTp-Nf@e(# zSYw5vrpO5vL^K5r0HrgC^Yo($n(kd_S|^i+ZP^< zh(@)1eLPQroSfX(l|Bz(YCZ@ICMJx`%ywX%8>wDmrWY2Pfn~k8@b$DB>+kPhSXdYt zu^!Kr1B5Te1ZXFq{f1grT|tM02Xx5rYo0_iUY(wDdOm{OZHGT>ZF#vAMA54yPvSY7 zl~(`j>+2d~qPV1_CLk_AXEz=`MD}=ic(k;%2nYyxdwV~SUrS0!sT6C}*=+RIASt6< zTwdz-l}jh6C@HPHZ2_$O>2B$%JvbQ^6?JlCq$Q`33bU8wO_v=fq59?VG46I>$M()n z%T&~_pdcouw~y#K_k3KBmJ;LL){OCu_Ir~c0RaT=UBP5TV&dJR>k-PK(0f`;#Eq4< z06-ZB`})=jM#xN@c*E(4!luT@#}^i)NYK0W0b^i!oJ0x{No2Fsa&^7)3KjqGr?Iio z$H!+_fh`!k69JS+{FZysAOkP1jDdD$1t11Ay_rq)_wQeytocg&h2XPUZ1%?kyy91> z(>Mee+Yww4Eo)$qz5ebD1WVx{Y*<*>nc3Md8$a^?Gx=EM?sxLpmW3Bp^$$X)Kw_!7>~%sAhiZltUAK2@xxyhqm- zry?O)zP;E3#wGRjt6&W#7FLmF1Ndx(&7joP`8gRmxmJ_Q#m(7Px&+h5j~|6aMTg=T z1e3juqrlCN<;Z}jhwND+4l;zUF2mFH9wZz(;PEt+l;PZZhpVgQV4DD8q@bYK!4`c9 z`32EteF52p0}bJj)ZJx7EXr8-yUP_7&xZ?@`~6?OrA8wkXpBQi#H6J|b7KflDZnMU zxDs2wvvYCD#C>jASkN^3>b9}r0q9V`&!4EDcVB=`b})cVVd zQc;PlNm~#xRaM_b_Ec6>oLyeVh;;i-Ei8o4;^X1<9)_r?sR0@5XVG9Hn@oiD7=ZQb z_LF6s+UtZz`M>|FK}=rniJaaAJT4Ce>dLGyymwx^ggZMsKuu%@;hclx-9p5lKPL;0 zOV14EmCINQV7!3FN=iu7JDunn8X7hqoH)8*rsw2rb%x-B?R#!9Bq9Q6K*Xs3>t&el zV+2SWlob_0kq!d^2Fw=xj-{og9EFygGyuJWnkB@=vhQWzz?TBp->__cs0Q(KdHH)! 
z7>D8D->k2(sFcVg^j0gN1joT@bYWYk0s0ZMvOd=C zf$R>S)ePLjHrd}L&!-3eF>!l)dyo|Yr~u2cxw$F$6S=Iia(oOtMI`Xq=4(O?P1EeA0s;DPJ z!-|>f9^8{3T0)>4cz1QQWm8vUxg=8am&es%z5CDE)==!dJN)miwS&c`J7DP7IWO8t zBYOZhTb*0q+5$kr!NF12(14GND@Hon3;>3R!)ATDOz(P~_m3D*VpS`RMgWA9xxExo z>k>fEOilg1HJAjlg)hW2WmQ#4yzaL^x%+tYzyYW(+mah86eUS|soH!Fs59V$t{1yX zW(_GR+WPvLB_$<6LBL>>qdvT9F2;qXGRLGFN!ZJ?v$-DJ`k z{O&rlPBM}njfi`?-riJL*gqG}jP-5@xNr*Z0@U4ALt`Gy+8_1N{d{|*-hS^Jjk1tX zJMfQV78$^wOMy;6Q`50_0%}P=QSixoj-ByB9JYtkfWw2B-_j%)fVxm=JO=)dJ=S`* zQ4IW0OWpuF)buF`z66AXADyE^LI$F#RU#rIkq{99(yeW5unb=T8rtq*SyWhVt08zWVx{AHs&x>1Va6DRQ zP#M>H^~%@F3j!jiy1F_O6BA>6VM)o+=BB}qA0Id4WRkg6tIgiI@cBxTYd5(}jEyNo ze8)u=5ft<-D4_P{N1sitth8IGw+B?#ZLUtk!r*yq0w00ipZ4YEQl40n6|I5Bvcvhh zvoOBLWiF;Q7FJdwK973<-U>O=AZ4$JI~4-h09bp{wPSmu+f8|GtrJ*x8f;VWAz)sB z@lI>e)6*j%A?=I&DztQXE*bM5fVw$E>V3W>g{=K>1%KXmV|o|?kZNbjPh{rjBQ~3u zng(hA_>7B$P4iDh4rhF1qzphNh|T*;&BW9~{N$0qy6Gx;v>hZxuwqP2O`D${@4%u+ zOhdD>HWDqNbxtR%0199tWx-a1vVwqVFMwnEZ>5lhM}Yh#(A(dZ%#;CbGa&11a=mIt z!x|bGco_1092*`c$ro^TzIonn$+*v{Hf%=T2xh7dqyu@1pB{1az#c|4vywcI@57cM zDI)S}RjNP*f?D(dQxfK}Ps<$|jQtq<**G-jE2q=(auk)qa08VjITPTKR8->Fo-RpA zNzVZrBv5B(>JIYpPip*fSft|g^*3Hk& zjbk!IeLNDD1rr3euUz=;1c*FAw}Ijt?A%00faide-N@8*?#QH8=4v$3kwUKxV1pL4v+)w?OCd0rE{KFNVWW#e*4Hwd{b4`5x155 z5#-g{;$KkjlMD;VC61RgfX(^J0+$5ZSNVfM4q@gD97n##Sw~n=76gau39zyfZk+^Y z0GI$SI@;Nt&y9jcpp+$y6yrDkJ^Ihq17ZsX&5M>5D^y}$Zs${dxp%gfmPf!V0|Ek& z$fJO*vY1X5g5DhH!L?5Gw-7ww*7*2A8>h!6CMJV_IY`ML0d1i9R?08gNdU~6$@B5P zu#o0t;QBl10B8i&XCq;zr$=k%blCs)uIW!I$i>W5!7c$OER)eUF{#&SgJTH6I-R*e zOt`wdlz3F*;%We?K9M>t4Gp*bZj@riow~Dg-Ecj_$;k=GSC|Y334}WT4j7ybRFUW; zMfSzg<6vQ>$^8DyYT;;cwvep&W)zR^~NjA3Ey0^D?(fw*+AdwAeAPyfN zUsOayI*C*1_y&R3SxN8hMF zYofp#hgE=g(t=F|vG6(_9)KfQ*%kb0%3oq+t6$518AfIR_j2co!i+~*fhR3KxIq1PUaWplK(ZDZqCI7{)krGj>I z5zFy$!U%w!B>-DCC$KT=b9V&lcx+28b?KvN0SyZ`WfvTtXFCb2<;dJFswM;QdXqKxX~2 z)dY0lNH-(yl>Gcp&?!XaKW`8{Yj%L*>E=qWQ7fygOn&YUQch~+!sCmJ4oe_4ZUS8# z7Qgwy8f5msKa%-8=|HaLeSEW(vbDLH%xS+1NCTj&z!|UiD~7I?rBYzp*4VJbz#qG?;gB#v0~gKT=l 
z9}v&ZPLX@Mmh#rzkqlA5jNb9t69oz-eAa30iKGBa%JZWa(~K*q0|?4t$ANP9-OA*V zK&EChoAxR>lO~Tm5#@(JTTMa!2Qc)hi`cXMX95tii@ue8prF|5jizn}pbz*OP$Y>6 z3C%$O{fG$iMUdX#HsO1xjTn7Xd;`@-FLnIm>8*E<;LZS>^s#-#YO+K-?13nhfa5ul zS=CMt9~xAF%`GS}<)^1WM*w#Hx_Wkg{%=CUr>5=4?2HWC`)g~!_@D>iI?t=z7JvqC zEeX{<1Y(z)u~8a8(#Kb)3wp~ZPN49FbK6>4S{fA3De`!IFRu@$0*{VMIK$_4d@&YD!A}d{1!+3BUQ6 zxHvcfnLP*Qplv8<*Ps<8q*N9lY zmmmhOssPdGxZsPe3E7(+AeB#d?}5r8@Yj{IpFj+8JzWpHzUmmV?utbufPtzq`wvpq zf?^rp)BRg*Eyz$`-yUE@*YD1ZnDIQe8J24MK=udZ8QlWF2|-3M1vq@Q*^H0n<@t^R zl&#+5fzu;AudM6@$h6SAL#`I<0gxVCPweiRK&>-$zsrzy+huY<2SNQjAkG;n3w3Gj z@bJ*mx$+e}s=k3idY{k-Yru9Nl%Hg~4Yw>XmcipG|D6j^@L^$gmUEain2-yb@7p!- zOL@ct?fZv^p%lI$Hm;WmotpJ_J3tTuQ3~FUAF9j#Mmao3KJQxS<`)L(u`AGDuCs0V zIoR0=xEzq1FvLjEfiXM{uq`d)n@yL#(Dsw~)WyKYhC@SQVQ%jJaBH8|W6GTJxDr6T z2zAGQy7L5^rc$Dn)>oq4+*uPA6coAc{0q1>(2H*YK;m%fz&%12=2B|Bga7@%2n583 z*bV`28?Qm|c9||L?_N?wgwK!S6HDuj-srul z61{@#?Ch+YY!+Sn@gXh!0SbPJX!~}nPjV}ki0ml}lu~>an{Pyja40@zkCeWEz@Q+ax z+Y^eO3B_|7adKe=>SgUJVJ$ccL>jxqe1HF14)Z{fUvjpd2hl^rk4vA|%&?^N4dQi} zFR_L3_wQDx>*DwOZh#t2GirC7fuOeh)dWBfy<3L%$+5GuqNZljvi{F6I`*1y3_I!T zKEA#uSMNapB5Sy6T|065Mui3FAr+KI zpWRg5-oat>D?buXv$KoK>X2R>t$Ou0b#=XhSUSy!TkGpVHNJ=QNIys4{(*s$oWsgW z=JViQ#~guAXoAZ_6O0cVpvwm0Meg70VBT3A^4dUh4p4R^JG2ifk||3}w*$79+4 z|KnGb9g?UdZka_zGRr8dj53p1QdC4{aTytv$`0A0%w%Rqgh)ooN+BbJ%(#sBKCkZk z^ZkDQ`2Ehu``vv%?&@-0$9WvD@f@#{&yzvcK;(6Hwx;zEx}mwPHe8Z7_7pwx(l<8d zsH}Yd>A8AJN{Vuw{b&nk<(zOj3R}8tj}O#MwvB~0_w({Z<&NCKZ_zrg*rB)Is@{F^ zk`1*LdJGZ=$KS7XX@1A=p4ly5Zyz%=GKv|_8L^i_0Yq|`0mSr)F~r>3+FD2F6VlIe zi)p&RnFO%#)aa$EZVugj652$pst@~02lw=w{;w<_3Q!@@R-XQx$Q!M(KH$rg3yMi+ z@{ESjyXqt2;x;gC89yL(NX80pBoy~s#CrM2o zAUOCP(?VbVWpxLKe2xBX&F?NYk<6dndH>-o?N5Mbgny;@Ngw zeZG17fr!(ZBzeio?;E#NgZAt?a^(XW)^&uhVlUmpXYIddzD%+LK&7g3wE4SJMp2R@ zHt_wYDJgHyQOL^4na%aArR)8~?X2}!C0-nnZ4-ThcB_0qN~toeL{L;Y1SR*(sri-` zEz!{K?(Pds#70hy8#iv8K1~-hyxvBe! 
zd1u+~GI3QpjGVTKXuk5UzCJAB_)}A*5^f`}yQNf?Xjt05`kUm{Z=9Xlcp2@{4#?m?faled&gF zielcf(dx=dZV%(^$yMc!@Qa6c;>-sG1az|Ysu}1#QxqXfZxHxr9T!z%D8q-AC@K@wOx!m*wNTjFy$uNH~k#fXIRpVVCF7 z6VXdEUe}=m8=DeW92prwt5$h|HYF^KWv%%Loj=clnURG>^1$W_y#Cg-&HUI^&U@1@ zlv6(PZcvhY$wdX)P_^1$e`W$Vdo`U;(I#yVO@E+o*H=;Px$ZNH@qoA(c$>*ln_Cn2 zHX3UY)O=<7%c}$X_wN@H3OID~{fI+Bem+_H2j&7!pGwhhs9VoyXw-^T5S8>7$ufu8 z`L2s3x)tf&GqTTuLdQ`FeR#OrKd*^^VR^MzsQvViOiIgOQ>YA%-u|F zH8mE17srfg7(GyL3H6ViJGS=W9?-ZkpN9|Wi}FfJp5&aR^5I5RmU!GP9}wqWr$diukPiWY%YLfYWpPXg^8uw9_O zzW&GX@cms9O%{1n;^}O^Nwb%1O7ru>-VNa~W4|M;lX(U}e@G0V_TF@4ol`!(GZa93 z)e>s#CiW`7;fXc=cFP7xE>@;JtFhonD(~Be=lc%!Xp>0`V%l_@$sTT=aVbm3X3K zV=twAo;~^y#NlXjtm|;YHm6r$nyP)a0Lfwmt@Y^HvuDFd>SP(@XjOyd9E!ob>Pg~N zDSG;ct#YdxAJXV)X_s+3Z6o08ASmLY5xY641m~_zg_VuXq$-yO>)yRB7I_dV>FDT) z9XT>f{jsxC4oH(sHneNgfXG18K8z0qEOQLNEdmprfsFu5051zIM~2b)^Fj-!D1<(B zb%F7iWRhR=_PDliZVUigSB`mcQBi_~t&x(FlB=sL;x*I{Cr_S4$>QPRfkg>W$}cG3 z0Eq0`?;%jxiL&c}kkB&f`q}La2_T%XVJ+SdlJO>T0U`px5b}?1!grKI)jsR*7kg&q zKs=-NM&$%`Cb-N$v+ua@)dB+pw{G3~`}c3;6ALP#?E$ryn<8z$6rS3@<7Hh|dOFzu zS(J4s)*c*M2v+50wy>~(D3Gi!LD6I(S!})WuFsTODfG`KLZZmEjOU6W2G6w53csnP zV%>6l;#fJ8@aF<1*=_Wc%&jVq_A%75QL@r1Z+d=GCnm6;YsfCH*P_wXr7E%NN?&EX zN7E&N%K0Cw*RHiOOd4wRw6;!z=ruIUK!0}TOzYm`ZotvTfByV2GJ?$?Wos@8G!M|~ zWX?8bW_wVMPP;akPV$7(Y^E^CPEM}r?RCd;0O3}?SM2p?rK7)}OWwicP?MG4bJSpkTqAKKi4+8>9L6!hSnjL`*jCPUzUNcD#n5lfX88IyXrnPPMObCSo2jGGic29Ur>62htlNL^;1&8djaUiI8PU6V zKI8^`d6tfzo?Y0`+qS*0udk&gXr4?!8MejQHcX*^@b&f0qjC21tc;3^!r`g%`~#dr zjaLVlq?VSJjt+~J!%ltu4rFfVMa;IE72n{r;-zQen8cfDh(w~U?soqZIDsHnYr@tf z#KkxNz3jjF#KnC@u#1b2&kNH|Q2|l*eW+^Ju3e}~aQ7oNnRo9}b)Lr!#xs|NMMV5w zT5`R4b9R3I5=Xm{o*paUeioLR-+@jt$5A87%J#Oj+yL%KiZT>tTPai|64y{hfFi7O zzHlhn?v%C~QhG{j z41m1=$$Qf59PoP3VOLt>0$%RkwTtuEEqer@?%i+4Jpr`>zkT3ORKo!yjVY&S^UB%!|s!o zCg8cp&E9?n{m~Ko0R@O!uqm(w^Yin;d;+R%S>+j9s@o7KIPSbK^ZjJe#}(V9wPi$=1l@}Uz^L#13xVB}R@sfH6rmhz-h0 zO2^z5Xf&k;#>X4I_I>&C1q9t~(#$_G*LhHscXU8CW^Ue(2Et5;^Dy!fcm?#C7Y>+% 
zpFy>b8ZkF)aL@vW9w?QFS;fx8;ctC?dpXiJ$Q^)s)teb{tzZ3X=)xvAy=ls&5T6YAgx#B{AH;exH7u#RCEecTiZW= zjFzyCDK3`m6(?|RP2?B_-H7rC*#Db;j!P$>o~;k&3f|I;Ia5JF^*%qW&t+z2g6|FX z;&;7zbsW(<#Zg|^q=Z?1kF1y&%hs5o?L=L{$KY5&V{gwL`ts4+98>W*O=Vn{AE@6VzL_JT2Jv(!6SKqIev; zmzS3?CDo#{o}L~BCFSxNDa39Ztj1lUszJF9kt^i)LHb#*Xf&QJ0xU9& zka+?tLtH>yy7j#2U3h5dO=su8`}YSv3{+n)(_2SaLy?rG5uJ~g4#fc=bsF~ot+X7Y zS9GiWX29BVFTORJ-BwXJFFU(AtP}z(iSa|8@n}2hR4TI z?32i>7m(YVh+VU@WVRd$#m2_Q(6Ad-Lk|_dV@ui>fNPLv%$;835fM3#U;}daQUUY@ zviS3Rvb;x@-UZjFxEg?*f(TDw?>w9v#?{(}}%lSJ$ zm=)$DG+2=S7#i&Y*_a{+S)BD@37>o%0wsHMWg!X7+)_%Xv8 zd9V4y2e+kP$1l9`hLmmY^ov&K7)33pQN$31K7JGx69Wek6&<}RN1Pkdpzah}0KLPB zPbxdUjFhLG&)otNFD)kr_@oW$9(%kKe(FXJULHmaJMBKQmF8z3%0n}vWj@}V|4CFKa1C5XEic8lLX z;|}u3bLp3XLS(T5Vm207s7bUB!p zX=^*R-4HAZWk^mfg;knr&E*x26BpKC3}0+f;w zJwrpc<)rfoh(!xusNM7GLNx_oSiJJd;D(J2@#p6Zq&7c4znGZaLPA1Vb3nwKB(=Di zk;s1h`n7lW?wI&^Q2vv^kY2mH5;<7{Secn~-G2WBYw7I#d)q!0n!d@!%XnZG7GmgN zoFcT+ptDMve<#t@)x{paX9wp^qyr#T;K;#^1K8cgP>=QYAQHP(#OK36YiMexgI!q| z(^gE_Y5lN>xP+=W+oUwCAnx>Y>`l`%XCMxQ!Y&PL6Vey*-U+5q$Dds}{m{HYa^7v@ zv+X5vIsUa_LLZ78V*SPyW1qw;-nJWeFYi!ow_jad%`q*P5EVtAV}{b}kMI10jiN4> z?uDsdc8`iwI1fccvQty3w#I`S_&GjK`{Zl`lwK&tLDE6a4Mz%@4;VIWM%gg8uu$Rl zdwSa*GJ(pf>s{^E{aXY&-^ z?|L+c!EEC%cI@M6BcuATvi#mX zYMI;nLe)P1b&P;yl{|d7t*vcr;7XAIYKwt^0T^8oOHv%m=o&gYoWZ%E@Z#uqxzFkYzCT%D^GZPUY-J>`oHI*!`fh&WHtG}&n01BmFzgncT;DyBHm3(V%GhvK| zSRm_jkim^jjlW3n_B+1(wyv(xaKBC7i!98{1Jl#f!^7fNKJ2_$tjvNh`_wlTtqW{3 zCTO|QKJv2QDZ;^oCZG(V_v%fnHR@NFM?1}W#~p@8Mo@F3x3jn?x!Hcx|La|bKQOsO zSun_8aG1B?1^SrzQ^Jf2QAz3PCD*$SUM!~I#^JO*CH?8(%%)#OlV9-+{@yT)nvcp~ z?p(nJ58>gJBH%yP`^@I4=>O*r(D*>GM<9%a&4e4~51hhal9IFf`gM`L`Ht6frv842 z8hj0u+(L#lCc*&%W9PZ^#KpyPN6`B{Edo9DB@lg4(HiRhr*_odE}Q?~J^!zMOF;<> zd7%mNFScvO5D0!do1q7qz)AYZk?=-KI@ka1_CJACk~*64caa!9>i-32#rjP5dN$6T ztgP`^FB!lhgoyvQS)we-N&#S*XVYyl1Z@$I6vQ*F$G@K!Mujh@MyHm&57_UWS}}<2 zBZmeD5nKGfU{$Oo5#_rbAl7Otrc`jhv;EvnAn*ic`H=QKg$#d{cH1sOl_Vk(co1h{ 
z1NBwS4Ga}4WI|zKvy2KeyXD0vv;VoJ!~d!jOj-O-zXeKvp+Enw6+!heLpWR84CWQIa`J`>G-M%0kV!2N>s5TNH+>LK#e4p`L6jnpR z!WP4g9Bsd3ErgfCkw*4<*epyrT8?ZcYd_nfu-bj09c`W z1*WU*Myf`%k4XFYLU*^}_Zwu&i=dGF=3gk*Ngst}!IkD31IVHOTMh_t;3>m@dHmR~ zoRj>=2>}#}f00|Ki|9s9hBNKlxl`D&V zy14`86M-<>{*R(#x9J1XF$}^bB;VEGmz9#DDc^xFwhmr7P-T1ke?N>y4Kq0Y_qDe9 z-@E?5|7}2kyoIH?OM{STZK)n^SvLN=k(4&Yl}MyCC6t_KmB?vwIY?m1^yR1U|Mq;R zZ;LI}9-8ulW3mK=(F525j~;;u(?5H543$Yr%D#xxJ6ux!`+S9D=d*2l#F=WaRBh5U zn@f7Bl|Ca+UujMFgLCo1PbEdfq{JT0HSnnuw!6uH&5xjEQb(3^n$kbB+LRO@FnQZt^YDIVX4d!l%!Wl_W_Qp7unE0Y{eUU$hYt0l9m6vR z;N{;Xj*m<_`6l3cLD?97VUKMqU6Va$>CQ$t)rn=KptzJC`%d7P!25D_siv!u4GAM- z4cF&x?^t=+Q`w%J>1ttY&^9yimd>?t_OcG^vzyUAQrP>Iu))S)=y`?;`+Nk9-o@z}N$*HcQ@EaxF8!e2L z?V}0hwvzs2Ij&_BYQ1fwV2@+RUZRnMt#fqh>yJW0+{g^iij}mO7^o=CApuT%`Enf& z6)=8!ky+L21cD$fv_dP_01K#eD^2@yC^?2u(6kay|r|BZeL zTnagck)PZ3tN>C#R;dxwSWo9uonfU?t4$$>oGjuPxUJLt=uF$58b{)N(jDd?f7^c+ zE?u+}X&Mu52?z3ikV@N1mSc`yM{N4~^{Zc(89}BExB`lWwiim!rqD7mvAbZLAZLSCJB5~sv1;uZ zlY0|PK_6~$PZ~I#I{BNLww#tgI4EPub9O$yd{N>5jm|Uf_nxO##)=ErJfdrAjxE~5ux7!Y=>yiZ?7gKJ zDoYfjGR1)eCl+F6GO}?;XD2y!dIxQZ;?3T-BJk4w)F&BMp4&kYQMm{i1IZ~qKkT_} zI6ulW1BQOKs-WFccJTcbW6f`~C zYRR!GLI{yQASERQAK*#2drhCWkE5BsTTF`c8URtM4ZF4y(vqR3h<-+0aF!oJ^ zT86liqM)%vL@4}YNtnQrgiE3IxIc+_(jK&AWlX>{8YB{M&k z+y*8fP{is~gtG?BO)Exx96eFZ4fWBBv8?RSFLN&r)V_LN_CDZ%iA|B-x$*M^UR~8K z%@-b(Bo{mz->@=C53)@@{lu_|rt&4A&z{5~%&X2Lk?o;p19@}j#cG@)E z>JCY0|Nfdtef?$42QQP8S=iVho$`J8Y1|1IlwChbQ-HBdT%3rR38OjCV)1MyH+_D%jPf;!hkKp!9^+X^rhP*liiGW6i*0);g_ef^6~ zU=!93T)&E8i2fg~#hqTIre1+ck@KqpHxayPc$_ew2LJXdBORR@gFAH=d4?}qY*`6O zm(a_3mkp9vhc3Cv)P{ol4h^RVg;BfSs$Kn`H+~`S@9y7}sh+-zEuruA*D@h%+VX!y zDB};@A7=}%_`p9V^b_&I|%Sww=BXT)Doo*{Ym`m7V zu}@U=)t9eb{&O z^83e#h%Sam(D5St2Yy}sbzSOaotDXzxQM{-o%^V8tn&i46+F}=@NOz~lv7bwS^hBg zM?0D+arE__Z_l4h9enE8<5b!b-+gJJcCS1&1}S^Kyc$;9Q{14GADUm8%(_%cDodwL z-6!y5eNQsY@dJ~02{T-lb2-}&Q{3SmC@1^p#FFzkIz$@V@W!Ux_?sBy-d{i28rn6vE6ue0=^Q^n1m*#I4&9FHpjQm5_aLb#lzf z4Ztx(ub?nc{OIdX6$VFYpn6l|O~%-7E2|?r89>BMs@%l<2C|+SN(49%fpQP2K3u}2 
z2q`H;m?+G9+S>~t%vI)6qPbjcyLv8IleR+aHLe=*YlsEZS!z%1~>((uRQI{_5>ym+8 z1ejHCvE94VI=Z@Bf}g-{0`DmoB^AS1-)q_RcRbps(ThEJ07n*BQRT&YWH(eWJAKg& z;8M5;4l!EZ%M+SE(0~pIG|zZQ81M7@0Ir# zHCT$}fbl`W07smKKPKPS)m?_J0*;A_KEXqWf<4OdgFe#6fVBhWHwRc2AZN3|%j`dA zQswZ)tK}QMee-~OAp6>-u6j!`7&zEjSi(X=&YnAWkL`U^6HF?%PzOV(w!?+;Zwbyz zv-z(ofgtl0zEeYZTb9J4=uaI4S9b4A0YNCQiCQ@d;_zB+aRVnr^X_0 z9h^8B_|1t-OeC|ns0U#v+UmuWGz0*UJR1V&oXrR*E;;hGj(7)gkSL~l5MyCg;*$3i zK5*c=jg3-xE9AWG*5cJxRwI0(qBj9mknE)&G+KhUm%BYz+u!f?{;`lr|3jufl1Goe z%Hx}YWW@o%ZFIEAlSvN%u_S$noI(Hl`}tkq11bxw87dGeDk>;hA@X=DL-%lh5F#KMBUIDK#fLn8TnJ%SOCl`IWME!T57a_0o>a!?gNGZB{kucF|L+bF z5gGaY3APS~ty@JzMBEp~E}|&Da3Kj3DA8RFL}I9egk9g-aN~A4XDI$~{i`?lfTRv{ z*nH+~pea}O{dfXkwhF*9ln}76QdB;7#)bi+X8;T!4csIY_2H1tgZTJ7No5Yp`Cx4T z#1jMItx1BcWH9v4+8TzSOc+7@UvB*|876nL9r#j!D0Pv=CvRP=*6nkRBg;I`=Wo_5 zXbDi_!IpvX)n%enQ(r&g^z-+PjZhvqFh1;q^bCkJo@X4c_;|20c~LN)A|2=T-yhgm zBLXssle#&GZHKHJm$RFLBL^!EORDWgk_(w@o*7VV*-)t<_g+?3fSya0-!A^$WeO9_ zhQg7#z2tQyaQ`4n{qbiv9oSB@89Y1qV;pi_-FEOlKvU5f=j&%>WJnW9GYE(?j)x`G zO-(&OY@kCPAqpY$zJ2REH4LES6*vx53Jg>!P@w>wvXLafCY^Y*-PRR36%YYEiF0al zvV=dfx@~*`CIi5}bNwx3c>AE~mzqc(8Xss2NGmIJpN#M#hh4jRvd$eUnggAC@ogZG zAgK#)2rWw(?SgGZ{Ii1PDl0F?e=ix*X@_y=JBGK!jUWm@>=`e0)1q91>ET8v;NBP+ z=WE7Akx!nK081)Llj&|~Y7*e(E#xD_M??VLBKz3T(Xj+PLzO-_D27oSSchs!XceKQ zhn<>l(*#TfZLO_2uQaLtu9}a}|Li`@G>DOQyn@nsqVFK)6+sdMY7g$bNaB$U(GNw9$y%|Wk#c@!!!gJ-g*WOfWGqadO5(pbYa&8kB(tU?m6fm@v_a&5U6PB$$G($e%lX`WgiK zP!HN@OFTkh4Z~PyO4*eDIa9`mDB85xg9!ydd7^s8niV(d5E`u#_tLn+;|GM{KK*NVL zw?H$s)L+{9I4VjW4+ZQ-ZWxe8vh1?tCS|NqNSy_udDg#Vwc)F;UrmU$dlW;kP0P#5 z96bFZB0BJB$ma$$Biw^e{SmxGR#bd$p`Qf(I?IP}2sK15($+a({TRQolZA!sUU|`i z=(4i1=8mxOow0KK`B?~jC-D&c!-!FEWniBp#Nt9h2^Bds z>r2!9WU1ca!}gQic|KlB8X6z)bn&^Rm2gym2=Rduh~A-m1WCwd+dL@b<<-?o1yyMN zfeX4KS9H&B2V{=oqT&Yq-+1G_NCwWldG}`@=>I(@sHt*0=v6VBz9|_vQ`;;SO%}Z( zSv^ln!%%>Ntum3};VEYYVH+EWIJTP%Pa|c_pYDYY*8_^JqDNdkgP39*1Frz}h7cUJ-$gzUvY<~OvpC#am6WrwNpE~IWTc3Xks zV3G+^J}^8}KY#9TD2C-2ivd?1@5VJ?Vz`>An#oM#Sld6uM!+2BvW@B%nE*7(!g)vh 
z^pDxB8$lt8GKv?$|NZ@%8{VV?*$2%3*q3j>`4_Xub!Q8~I(}ZLYudwuI5L#IV`+oM z#h5@~NyB%Ch9Xw*&lm8r?k?H!(cgo6j(5XE>u5oxj06NJi2=A|T>_>R}QFU8= z@@pyT+&#venAU|hu9S+WC#(*sC{N$o#)ixZ$yvxjo{8EN6llwIL*(QLHjB?OHhWl( z){Z^56eGK(N%y6x5^woUbX5n7zuU_Q@)%y{A3H=<(-^kW(OoNw&sIqJ2!mJ6ZQW;O zWp0qULQRE8V%xfOe`DW#m0fKU4&Tf+N3h{!e!H(C+VRA>qJx0Dj8W+p^a5uhTkIY^ zIUp#=01r6A1H!kYm>8VghU{^N$;`5#Bh19JA(Srt=UO zOm>SBPnGkAQWNe|l;AzS1Z}E)&9Zyk0PYNX+KRx*(2IGnR{gqcezOg~~ zR}L1h(oc=|7Z`jv7oo0D8f?AD1tt_y14vUhRi=iAZ}06y>FmoS2^ASm#*+z=J2;@I zVu_8wcHsDVFF$_@GB@L}oAUBiprUSO+g!aWjk`rj1w-q`Z}uobS~=6BGTdbq6~r%v zS4n4cAUwiB!XN=ZE_N?uH!#k{mlAG1N=_cc_QSBAnrY^!)%eTSLR&$J=S$F)bl zl(I~Etf6>g{u|GT<88JglQVW9g#f97STL3s(uoQ)lD)T;P+&Pv`xho-SBx-(&}1}A!JYjPC~NN8P+zvCN$ zt87S%W!b)c_O>3BZor?LMtkF>s_j^}to!1H6_8Qmv@gyMslI6Y@?{0~H&l8W{N%$N z+l4tfi*PHUB_K-l!BTe>?qd{-0Prz+h_^Qj+Xy*YTujWU#QrHtoX3y#)Qf`=ms@1N zyg<$QU3CQ!C+b}79?tL<1I#ZW%TE^Wz3IT_1I;wc2d*326`RfG=q!`W8j1jPxu!3( zvr!VL`2Ik$L)%kb^-wEq1L9N~pUK|hV3m}oDMPqzNI^5GkXs$Bo7Xq~IdsU5e0Hj*vBvWD1B8_w_mu`=M$1it ziV>NLlT}>RdAg76Ma9Zv$CqKSVsCQl#u$ic+{+iE#ka-nc z4smxfuw$ZU1fs-TboUW{{<|W_>B%-s&s?6zBL5{`lkKehBpYHwT-&9$LN_JR?nQ zp141I$kR-aYCxgEg?quh(6OPek=~-SPc67+GDm4DTPy~XpMjD;NETmnUIklS7HK1Q&J#TdT+A5RXIH)V}0Z)-cJCokXt(@%b{Jw z98!oiy5IL#-1ZgOK(CEvx1xxdjjcX1b_-dgA@^+oOI8#q-fJW`bLl0b59myv>>w~m zWP50m7dqjYld(vwU*o22Cs=`dx%!(K?J5RL#6S)qa$LY6K}x8^p&f1f}Vsjwi4b@L3@1) z0`uh>+L*U@&L+RPlbdxRe|?^tNSQKw^;cF3?dT8XoV`1LNK7q;B`vXcuRkwOkK?*c z>iFcA_uB5Ax}9d0_cpKV+C2g+HW$QIF3ZJjA3rkk!zVWJ(wN3SqgEI&kddB#p$S$9 z+pk6s9Tad7_i%}GN!fG9a8ht()ma6PTVli!m+ivhBC?JdY_mwsw=UBPgsQ;<3y~5m zwQ)Iv_jb&Gp^z~mq7SSv%g)TKIV09cmFT}G@WWiD5RJ_>0|}TAzZTnZ8Go{;xZ}N{ zgQje<@UskH0|@Ng(S+W*C1tgD8QB})jI^vQ=3?rFWM930{ZbPcVv~usaVMKkUEtqd ztf3_6&VT*-c#e{c27h~N>mk|L(P#~*sz8=o;dKla9BVCE{!d`5DcUTIp*Ul$KT$7{ zRQccr#lFGFj$O>m7i?@kIA7P>-|_COM&GQ6Bb5F`%(gW(aqW>LrX3K3q0`I;;|`YGE#{PdTehy z^3V_D&s_bjTLaNZIs{E!j-AXqf-uC$b+kUrx3{|+OfESgWEo`dmause7^u0i{s-c3 zdz1wbi;?XR@&miuySwlA8#y?LbuoDWY)1yan^OvWgj_sN0JM^a5XPkc2Fy$57z=8O 
zQBZICpKx~lL%x@aPn{4LTq3*4NJ3|1RTJerS`y{Cwr#79-j(|A^H(d6i@9!3~ z;<3|%39VBV7@^6;{Leu&G!TE`fnMMf-z~z!L$OhcREHvMpke|uMP_?0FmJ}3Q+m0k zV|&9J85kKCfkgMq{uAD4=*G2Xx*75&NQIwD%40GJGp0NO$H0&arrqKV_4QXENW~YI zfnXC+^4trKAW{9_4wx)}m)*AcJyJ){M||blvSX{hO-^KI#JkJ# zRd~}!fZERt3k{wyzt0+{Mw4t$hHJY;C%$npeyFK@Qvbxqdk?Q}J2baFo%Q^_7`aVX zuS@i4xyX!LoSMopNxl?#Z{ooCoX5ReJlh*1e_jFULNzAS5O(>&b@iSwetpS~V@)0& z0z-0|Dvf$|xlPXEgyctRyks(!?2xU$_c2!a=~)#0xeb$ey5R3_Z`D=)IKF`N0QP}} zgIE2p2%@9F>dagp)OX*i}av6g-N_9Fm|uzwBKwg77N4W>!KgrfQb=Szcv7}wj& zVFgDuYCycffy3>7>lVWw?8RDpZTY%t2?`}aEsN6{~iKoo!&#Lv%9l0@C)(pPaC-}~)p@V#0I$9f>SgpsQs z_yhf8GHeWRwf6oto3|a~PAljc@;U$$p_zkX42ZgRh8{}*h7!ld#R2Vd29%9X^t*21 zJ{mDN-e0`Jc)03(!qz=fAtIEO=vh$9p^XOD0jpJCj=4Nq`s%kM!1>YApt67r7H_pX zHL*^)iTPlOJG0Bp|EmQERrnj&H8-=V)0{6lPcz~0CEFuMi$DYPgjUx#bPdgo-J$1b8F;bp9{47lTrPa$H*Nz)3nOde@?HL!bJwEEiZy>SuUYjSYEC!-+OT>ZW3{NMyP zGl&?!u%2V$;tOy*))-(%eye}ekFIp~)F*(IfbUZ>GR_+sK7l0#QAa|n%4=gC{E2mK z(bK2Z=#>(i?<#PUmX~j8(UAvLVd5{5*8fB_9wPvDXD6r4b|Svjkl0>`<@?mp@f&jn ziG4?*$^-tB(u7!A2`}|PqF@q~W8nHw=HbqRIV6Kb)EQ#I{=nCOd5A0rLZKKA3i{z_ zJ_>{ia9Q^?G@pouGdsZ5U_Seu5wV&LOTe!{aDtET{Ri4_7%VnXQX$CzSwXAD)z4CR zJ%~#lgDq*CjzSPh9z=MZ2Ud9`GUB_B<4*YbW^cQNfZ5(V0`nOrzvO0%7!?Y_GGHnp zCRX!qus1m)1B}EpFk8a_6!JLv{!gyadKZ!Fwk_na_wk>&BxyQEKNfmMzhs8hG(Hv@ zN&bY6b8FIlPc!pYv=<+C+qIevS7oHZIwBCNVDi;{k*l-MbkIPRGUciHm=v+GDq*x- z$a>cEp3<$*C6|xioN0W(1%FLo)oIsrpLhIFS9m`zllX!$S}ozy)ay1Es!;B@&t`=C z(ZDV(-r^Z>x&ymndmZ0s3A!gvgi$NyBNfx$7a18s0s>$h@g_lF>T9rt6p;tIVTCoL z#kL$Ef3N;3`N|dygR2i3S$;%(hrI*k_Ld@a>YYF!iZA;@sE5v_TPbu6<`VKqLy~qq z&OD-+&FxVXOQo2=yLSIK@(v(Alyot+zMCnkJ3C$4k`z%(p!3$(v-vUJ2=pGV`XP1T z`H-yNPn3>qM=6v0LKdI}B0=}s%PBryUQ3up$MS(nLs`&X3n=PL)$Ei@$+(NTYb1u{Vgml zy^DgcAA{mL-@m6jAaw8`wA^%ZoTc87q|7Wg!`k#Pu@0YA|KY=n=e@(Vw|l7+LxA5F zg-#NjcG#cd$s5SrOyHLB3s2bM{Oj#=DwTb1+zh*4cb(6vO3|`g+MALZ6%;vC!4~i!YMFM`EM9@xPl-34 zi~Vr(*OQtCe53}6uEAl$6NlZp-fOjAiyX0hVG_gJ zp<8$BacC1m(&xj%^pIFcBMa6dTM3wm9E^wL(sIDwc$ zkJ*QH?4Xjqx7Q_I<-vaZI+xR7Ak0S3^@m(&0jcT@Yd#OdO7(@@z@tCNW3R}@z*S+C 
z!|d!)h$jQ{#T5uX*f*%yf$J!!gfqY{7Mo!F5m;gMa&m*@-am8QexuWut8e zViurg{_`KB&r(vhv$6dc7u81aQ^d1u2|mqG}RE5OH#SwP^?#@cDuW-9f_s;qJ@8a zEVkNktGMS+W9wZp@cw7F)rd}b3T=i+vho97|AWJNBj-M!(-CrL|8V?<7DL}uzT%nh zqXk(`{C_@|=PrM|ewxo&h4ramR*v2v9?W*PaXdcz&U3^zr+&`S4&{iwiwPizomVi8b)TvZ-_Ct*4!;Hs? zzHI%hm5FZGZ>qL-nDor}3RO@)C5-JM3uEu@XJ=z8vY-b~Nj7D?8zQxLbRZF4cXBEO zW#6lgvc=~7*_lf=vbuOgGmSY&d0pAYUG=tz6OX6(H*sLDA)+Jz=^^UiOOU$&#hMw4 z`ADlCC4627jd^o#MpDuYc{Viu!a0*Cb!2aevWm(t6uXcdV9x`L!G?#`{cXZd@|b9^ zkUMv(VG)b@<6|kdD={lgq&;LVIXgShT;$Lp^1w7yC_vTFDg!oKB6CY55>5z=ZV16s zNWWxt@0n|WJdE}9YOk*X)gnEc0$&Z`J(M|JT}$YVNW5gc8RBWV-d_EGJzD~-4)9$) zdQ_O3JFr52DG0!}89v+^m{#&kwe?_o2zD_6Y<3qZ=lOGguLK1nBR9BvNOXwXq)`HZ zy&1|@<3N$;OsC&a3lo@+BFHuV7v$K)?@>PG^`(5;@Lq7^sN*?#TiNvpTAJ!_PM-nF zc4r6WKAxCOapI&}~UZ?qiDBD4yNQPy3_x)m_$C|(Hvl#4ox*~s1hONtU z;*^F!eMvY9=qZwnT;bi8;{Fx8huSNJI5BWYqcn3b?p=3zA)UHm{gH`sowbb zL@IIsY6bZJB>>{T{OCw==fagMMQEb%G(h&-0BbclSq8BqhDmg1f}+?Ebi4=1xjIKh zNy+9*A#Lnf{*JaiohTtkG=g8IrWS$dE-8^(FSSM;kGd2Sn*tBPS;0%57w)+=07n`} z7s$annDvtS{#i`QR8gr15s4AYhp&AW6rZLJRH0{JP+C<}R_22=#lRp*)Cqp_UmX*p zyN()1F1mb&vobmu*0WX65NNvaUZs~&QC(0hph}gw-YE=LyshnQk+C8=@3kXk*bm~X zM1XhS(PT-F(kL@q{_DYVady7kOM}-Qid&ymQ)|Go%*5BB?3#o*t0PmN^nC-sClCPA zHCDPUoQr$8xV--L6k@NCsUe_am^4pLw3yz~|NEwsljVdWN-YrP-_`Mb>@ib+-Mr$w z$%a$+WD3Da5(I1JbOX+{nD8~<-cinR-O!@9<1z&czy6z+COQ1s_IfF zXJl9<>_h_8SnSscLOjZn7Uj<$GKeQ$V>)JW3x;5 z*WX-R@y(UJ7@zUIs)vcQ{P%a$b3WqVwKiXFH1XMn%tw9qM(N^s(8j}k8f;m~l@8;t zx3brBbtD(r_*BNEe)&}95c7y7r>}qhry=gl`o!Dx5BG*NRc89R=`SwV-q75yrOZ4$ zGc(oVHaTRqiTSdu%cQ-70~A}=)p=OK)M37&_zz=9B@+_*y1N@L9A@4ODHGg#1KR~_ zS24#IYzIor7E3W`A<*;~eS0S1aP#Iad=8M6hY|2h5my&&QDWE(#Y^vCWv#8R2jzPZ zy36!*H9RE{ov6rx3S&cK4glsTD8Fsj+piB28W74GC4011$UzmTrEnhb6WUZ9vaecO zLyK<+$^wio%oUFxvlhydKoTLWndDp2`f&SFZ6&iUun&Q@+>)sDSc4z1(gpkw6mNi% zC@R(Mp>#mX#=B+)Q0m40k%@z-1N&>aUoH2qd8ziyZc7` zNv%wdFGPn|lrYq)^;zv`H9e$_>8zz&gI$lD|M017ZpV_Oe~_$j!x8aPdAjveueZf7 z=e}4UC8xPAFWNW5{zl+4B-;R6)AFc9ig{v3l|p`gnFp#Mn*?tpFH^h 
zg~YyJ@o-`cgeiqplSwBh8WC$o>Jz7^s859c&X}~)>iD!WSCufSACjEeAehyZAt4%@ zzu&RaVAxXs3VSE({LiDV?b;~}_by~DRm%0vImzejqPZ4xZNu{>X}wsWmpZ32MEC9c zag7!EjBWoko-0W$kksj15{n(^aTE?{uq*r$T>ldVzWD*iXKFfBr`;BfIt^R6)~XU; zxgA>bqYGo$uu@F3{&BhRV;et}M|=D0G5HURR`*<_vPX0i8!Zwv%bb3C?CgCjd45OF zs(Jh)wP4yk<2lOu@7`Y)stTg1d(|InyWGQ6rBfYr*y&o49Kl<@`p7d^C|v4b!G)w? zXebS=IC20kRPQK_5Ky$W@g_^WTZ%r`Hf(zi!%+O))6W;t{~_UxT|?>xn}m`jA|}QN z7(2Q(pp0m>Xh{kR1u}vbL9jJ4ZQa`3)I=UKj+#_gM+f45sVs~)hk6RC0}KVh%Yi^< zjQD}>hr*E#C{%E;owc<+W_Y=}!c92lJ^fL8Mp79D9tnM64h)w^#KRL~+Q^B8CKDkJ z3{4*WP^;#2{{H+8w;DOCoIT2sjTRDOF}WNUW|wKrB-wx6>={e4efaVh z@%H1^t&cuDu#+{XGWp}w+j>*Fi$Pk0ZDL`S9*_8X%(c7|J9do(QW_*TPS0#O7|I;; z-Y5{C`=bvdK(*8G=-dkk2-;5ZQ#loIy&X!u!1>x!^J|cR^lXJhg!ZiS^6S724Vv1p zeSdC@1deR_Q2(uSaR1XW%Ehlb8#g@M+LU;@sR`EXC}`=Kn3m?}L80#LRfiYR=h;+b zSlAb^8aaD**PM8+L(Qlm6_Yg%a|w+r~`)dI80Q1`t%}ovGylzK~~uFE*78g8)#4K?(Ln=ffjiCu3fj0 zZE;efq8xYCzKuXj7ZA`0>WeIgyin#sC}Rf0Wd9e45eSUEa zAUSTj#TNhLysc@vg%iK>+*xh!9QhqVDrb+SUSW_V9eo!sekwDk$kyDp7vGG!e=}bc z@!65_RWr`k7ay+lw$MS3gzLFFbwBF!KOE;M zkC;Cf@Os6ro>JYpAnwPnAT|Cqxze(X)SeaCU-YY#>65#-X>@wdItv}OsGM>tlHuT* zuJ;Vnd+@b>(*YHZt;*+KyO$nsa(_Mi%gyPxbG7^0+mjF7TRneIp9b8(aedB{)kSwe z?(~A@clXKu54|=%c@F2?Jh=$mQs>TfA>Dut7dUoo4H%M>O#JnunEDR%8&hn_XfNE| zZbvpLkmpAZ7Uy5{{B(=XKOed*^2@l;AffX|mNUuP7N7+6D+(4=3`k=1$H$oooYV(T z@$NB+fCk~7eM|9xg5Y=jKSnO9lQYU(j`SYCbq>GbPYFQn}BW@b}ojxWx< zv-hngne&-(iA?0)+~j|>4sqrB(0YB9k^+t6i`P*L>+z(G(U|9_bYO^5-7Qnq;9fqp zT}{jn|I6~L)vCVAm18AKzeUSl@T3qeKHn(1cjQsT z@4S&OsWNNoMZ4LqIqdJh-h_E7`%ew6WZ77J`eVL1scE;vH7xy&#&eqqPNJA{6@RAy zqx7Vumw{b^%mcB6-T}BN@-GycNDehO_z4YQ1#&M}TR8$vOC;Bux92g|2;SO|=;(md z^3d>bT>}H;-J-(6$5D3G(K`vI>?UCZ2J+JSssAPGC>Zw8C{w!}Ii+bZ5@eOmQ2P5w zz-9flvO`C^+;(rgH`3cGlBse?za12hHSMN)&0h z0<52M-YObg4hp{z{&lf^JaBz~LDpR6?yS7muAHye+hW@dU%_Exxi0HJ{qEBtj=j_M z2JY#(0OBbxc&o_)Xh#1JdvE;})%%4F zqaY>Hf`Wty0#ee_f^N;e2Y*St4=zR$DP`^)0V zgmxKPG5?zQy6l%%oGXyGcCykxQrhb+IjlQs5fF)7+6xQcg{_7%6LndFb*<<1Enln@ 
z8P1D9YhKdWPDdTE|!HdY|F6|KK}$9g`T0NJj5C8DCN@=DDBo68L<6cVl1WXV=h-9UK%pq6A2|UFYZp@pXUnZQuiK*sh z*KwTwuIEeL8?mS}7Y)uH*B4t-?^yadhy)bd)8$$N<2c_F-FuWj@r(!(C%@#m(HnZm z*XDkh;sQt#5S#|;4#4>UC@6fV+d25!6!YWWFDkUJ|2a-V4~`Q8@SF0HE=ENWvn#?i zi?XK;2DTZ3j8{-D4LpYi@+!l=!vzM%{EQ6?tW{v}ErHWGN3J~`$tE|pl~;|$c|Y*p z>jyRMjPPhGnZ9`L(P!$X%Xzt z9-d=6s7<7KL->iRMasGt3v+&Tyrs=Ime<|8sI2zj@%#=ab^6+MjIdkcy$1$OD>*a$ z2KRN_>2yqsS&jg-o3T0#?UOyYSI1<)4_YoZvI_`g$mZ!ZI+}sT6qe5)64Z=9YJbEt zFgxH8$o>3}CqfkR78^KmJi6a=iA_A>585=JPs7I;U4EZ7M;8ly;S;FA*7QR9?5 zT8w+aNEFUwIh89Yt^6_FyfKcCZ z4Orlhki4}#;?f#alwm3T*+E9Y{@zpOX3F6k$%YP#E4f~%+SzR`+ zB7$((Cdy%Ecw~;wTs=GT-ZbLC@;e8NxYJ7&F>EBe9sZ9Zq7B8Zj|IOI@5o~i82Ai@ zS)*&H1pxaXXTN6iQ!FRpZr>3->b4H5@y5s#0MmT)jQ;!HCC{F^sHKZ6vQzDELcT4W zQH8O>XN)D)bBs2}bK3L42VJt(*F$|0vba1qT*rJ5Zl|n0$<~*PVwaX8trBOd689qt zDwT>0S?m@AUYN6iDUZC+QD*=D`){VGF0{+2)ngMOI3!85|aobm^cc?PH zP=IRhAs-ZoeeKW{cE!ijN%k^$=OP(PC|Otly#xgnSw1-t> zSi^?Nq09kQhZs{BO+C`+YmOt#Og9cLuNW5KX1xL5RN?LSb$PO~U|q_8F1fCSA9)@@ z7TEDc?lyGpHvnM@e94Op_*F)`Za$I`h%yORUc$2x(ltI%xjFMZp7}qy0EMy=wknSi z&=@f@xx7%1KYb(XK7|=Y`SId&8LL7qew%1?rbb1R9?}}Kz{1#2wyy(jt_gbSPRlF z9xMIzUc6skUWOl-CSM@Ggsq+vcm@twn8w6Ve%fNMbTy)X@+qSx8&<9oU*4A7&r5b>Cv&-}jVxI-Tu}@y<6K7Qrua>XPQ+ z%T@6D*H&k@WH+YOb~pn5NP-JQuH~a-LN=opLsi}?JmY`!CYRkECI?_P>*#+M=iw*T zuwDo2+Iq4Moaq@DnMcw=-K9`B-PkQQi+6_H0oID&N~3r41=+~@(UrnR#rDA1ZS{SN zchTKW>%zhE;@ws#1UY4d|IZ7|aY{j`WCew0THi3u`y_Q$oCG9ED%Ntpk%~*tWXqvbgg!6W z>900xL)cpDJv+LG-N6kBT@0=62duomb94rfM-ClKqa5-PS-o-$Q}e8aJFJtPY|5L0 zq9bzcTQB(X?a=b=?Uq2s`9lvm_}?IbFXy6#!5@}HAdl*P&DM+c`ayFp zW65b1ei3#xJ%8V#H?0PBEs`wO#r(t{N!Cf7hjtywf-9p2xr706<2U)&q<`@IEH=)~isfr;~XL1&V!o zoo8K7^Rc6YR>HUQ;i(p1`foA^0lf_(6Z)F>Od`tL0d_+@$FDh>JsxK!;C6n)>f{az z3@Bqk-W_Ppd;_S+LE1Ql0uL}957a8+9XUTj_=pN_M|Vs`+!Rxe>lXVlWo`=M1^jpk zYo1}T%BE-Qm_>Q##@^+2GkK(l3#JXW9m-Y^yCu8Z7BjE8-qV4*gE7j@DFApzJ?tl; zUq@f5U_N{gc}OnP#nNr{+HG2&ha(aG(E3*4A|z7#Z#%{YD5o`2i*W@8wVauL0NpenJ&A{jae4 z-_O{-qyO4S{r5+5r2qFxg#NV%`tNUFvHdsy_Z1KSz5f4C_px+yBJ^!=wVr37*xxdgIAG$n0v?%E>bzc2a5?DLfgA2gKq`Am+Del-~G%88Ef 
zXXimo$#J46H%?r?SeMPOIY62Pqr+T4cNy>^=Xd2z|MD(sAO}53i7`g9E6cSG6+t&( zP45Qk6 zNG#|6TZ8fMKv<^AJLv-M0BNG5KyVb>!%?e)2gjI^GBdAAT{-`$H$rrz0we27r*}EL zOV1u5sBt~0Ul;Vx@5|ryM*Ny5SG<`YX>if~g?zx+MKor@e_H(uU06Zsy*RQjn1G6b z+~+oI^AlR=zzU6TbwWUpd-9-c$AVBt7kK&PVX7Ho=4bK*$qkm^FK?B9{}lSU{_pDK z$dYpxwKL||oFE?7k<)vyk?I`D*G#|r{=nP@=075QeU1tg`s1tbl#^que@YEVVZ*k#3C{=TfcusXDvu$)PpJ!T<{#fZiqr1EmXk?Qrr_H zUvs{6k_@0HJ^0s?>+3o;Ms&9E04P(;%Kz46s32h`$PpQI46ZvAKvM+WhG$`6k+KB_ z!&@*|NuByGVBb084j)JOTpUqlfbuZP+%>Ly##{`hQ0I zraD%LI=V+%}#kCj4T-!6YOs6s3fpv)@A`m?L- zze_HE-1ieV=Sz(e6&l8%A5mnj^ zJ1fvF54?)iXo;S?jP3lpwD%9X5uZ9h!ZG+I=lf7I!@om5D&emf4W(HRK0!w)|KA~W zxAwokdF%aK5d?j4+5~&TMN+2jh7*AJ{&!I#UoZ=V|7WPA0!Ow6e&RYu<(k!@_<@rU zAUr(v@hlo{@#uYujNX_5$}0Z<8pV;n!+GP>%AV%Nb!=| zY|1>+H(1~uTble71V5nS3CYr!<0;{QG!x?@(%GYc#r!C=f}^)Zg8!gM0oXm@lEK52 zqLjGXU&Qj{_cn6tg9TmmHgPdK)NPLCSk#G7jA@p&rJ7HG--XsGxIAo2lq_M3;8y>$ z^>pYmiu@TFs(nPPwg`HSvi_BO}SbeI&PqX%9(_kcJ(^xLllLMMlV}6|>2N z`U^#=#im7Re@__F@pYH1m=o;GHb^L2?(2WAtXlFsShxZZ(m-%%>bstS+kaSkN@n}@ zM@C1Pi`msCVY$CuIZcQ>3L^5v*JxRg%!pknM4D4zN`Ellu*j*YNSh9~GE~jtcIJ_g zzP#CAoortj`*v0rtP!Vhyjq1)#R@gJv}axr++teZCw{TNyHmxJIzqaD*MwY(-;@iH%lln?_8ijhqV{O3Z zw^5~9i+-^)whZ*sn>T|85r<1N)$~^+-tVtth(BF4#gzT^RBv4EKI>UtNXm=_v(^(u zV;Zb}bFr*cXf&&Y$aXajng>fVNip}IZCvXoeI`13ke`p$|JDr8ejUV%IBBIUnu#l4 zth*w*-FaUg!u>3d1VU9jX_to7E5z+t9&1Zva)Eic%SlHm5tVlS?$*&?yRhSUb?X(Z_9`3sZBC=tR-M;SA2MJFF>X_M=h8}?(nwzot=5jrItjCqpP%lK`1as@??zS)iM3($;Xovf(M9W1m1uT^)pb&$Z#(&xGX=qc z`m1x#?p-hd05W@o^}cReDYisg`CURE#x=e#d9(I1wFy(LlVk6C07aJ}N_Y}=eW-Qa zmKo+yq`-^2MV(sUsxa%qki3uDG!C6-?++)}FLNm*PUJsTO>ZqXn(=KWXd*Rr&Q6V4 zrI&yB!k9542d)0{R!WLpDLx@zx!<*paX5L<3VwI8d_Hrtw)nl zza_HPO^8}vCz2Hh`!s^Q(4p2`klyOk>La-6tSvh=_6gE(A(<0B(qe14z>7mEp;*X# zov;?thsh!*jPLC24(rbqobDGNRBx+i|B_VTVWAloy2BJOe?g|*;+C+3K38Mq(3}z@ z4K{|O=_#OXx|v3U;2S)2 zypzt%V6-5Yu2s?s*IPx#50_OJ^H|E;GReXMUVd_|8pLFEuh}xF>*gI!1_OrETh(h{ zOYB}B+h`9;@S<5hWbD8eevSBe2yss8BC|GKXD~aN2bOmI~PXH zCuWmgjtQ*Xb{nFIV0`vOH(>8ca)+(GCUgn^Ix;Vx3&J?z(I=80>IwaZLcf{-4CwrM2>zw3LVicPG@63!ibJM&@v 
zzph>J_RvP5H7wAi!rZB9FLFAJO5Sw%R!_{^vec5l4X)ZNVAt^WqEfP8p(>l3iCU`Q zJ06mtyppHG-XyV0s$6Y@-Bx?!WRam96a`XnA=*S`$&dCZqb(=j+~&$T7?kRxB)=tf zR=BFIOU;8vXnleVuDiDUDtDiq`-3GM0oQP=H?d<$Vk@-@ zraJc&$sl_c8CFr}P?eDV5nJ_?=NoY&vp&l;|I0Xvx#)?AFTy+zW%E4S)OrA) zeNP_DXx5uvVpAKnJAJ#p(o1&gcfQp^t?%OOr7F+quC_DH@Fe0C8X%CfV>x~Ug5EbKcUmil z&-m6E4;km9g@d_3B4}In@hq8EauYfV~FC(+FWUXpxg|7t*YvVk%_T!qVd%o z38&ocZA;`#vJ_5C6tKdpp8z=hzD;9+;u1wIe;g;pBCv9T{ldOe$id>qzO`{=%f{4N znfCc6+TLZC|D-V%vIOwpaDxpM`heU?7xZjcjwt8`v3DDOc3%BqmfV1Imy)$JDrPvb z=ijk$uS0W9g3mmjO1u9Tf0sGPiIm2OqJ*UZ{>MQfZeg_9Vu5vUGdQQUfa>$BYBj4h z;{pH4UD(wVk5+L?+)$D3CvG|2PmZm1Z;gx++036S68Ha@9%7la)z~$Z9-NAHC#u$L zv|4e5YR>)T{p#K)gxf9x%-R|?qkSI?j$Jtinx>_dAgmmb`Fn!?V@ zav#ST$zTSFf0WV}0xX|Wc&x`sYZjT=uou1E%TI)Nn5z-W)TpZk&)664%ST?%=ZENM z>c4^hD7MNdCRs=K_CpKEqA41(=8(hmZBQ|@! zB4(zB)g{@XS_|4*&!>Ul{_=f5-r|mIFFBGGzE>_#B^pS5j~>$c+1Z4opVLybwUDz% z8achC^Ks#OMiZ{NOeIXZhXW_q%-zyM=yd|^DqHC++)z~%-a3=7K_Brc1l%7*=O-9` z$yU#aYBY0Dw1G{B6$Ib=}~Hmx)sOyxuP;zCmzO45H%}R z@KZ+6r#D@{aL>Y+aM8!V)ftITk9i$-MaEm)=C$?c2GXKu)qOIO36Pn52fPdc0WA`9 zMCQ`BzJ~HG(ux3|9R{hU8w z)}+T5v0yh3cfYP^w2s`m!^=Yn6b16FnIVvyA|^RMy1=bhLGXNiNSkfJyh_u`IrDSA z+}JQb-P;uQfvogXg};<+)P8m^`kF>b*p$1(VYjLKNp)##86-oe5vgtV*)=UiS?f9k1a6 zDi1Wvpglz|2S&sK&m8j1qnlDi8aaypXbLC%iWZVn`*P`VUz*-pJA4>lJNzq#NtraV z&Tetnv#GYH2~alWx|aorpvk_5Z>oi>p=CT?TWWFGNwiS5V1oI3Fs}YephN)M)aod? 
zT#ZDQko6`@zHDGupZVHAw$&Dp&558a}n?#*NU)oX?;o|K_W-Tea*}7x9kLId}SW!Urf(rW)pPnLvoZQU8O$~#U765t+Z~-@7ZF#}N(vlR#aEDt10MCQb zfF(lcn#9G(k><=n5AgjHBiJRq-I?Cge7o?v!7>@cg}_Jm?{x`;-6?!u*QB%<1DgBH zqCe#6mPa~T=o!=@;RYpehQ00x)MoTEq)e3+(VL9-ZC`otZ}!k9(aS&y%a$57VKn+J zZXNCbd)~KacHVUA+oc%T8*>y5@tY7cF4qq&07la}kClS$!nK(!jk}jbvTu8b_;R+4 z-{UaJQ&I7qwX#mIYm_?7Z_Yhq`N$rt+``hiwbNrNWUD`?mRg;`Xz_XZ`%lRrc0-IzK1j##iZ5rydtT0&&t|txx#2|-{uhkiSXQ z^f;jb9U&*t-~5D16v|<0EJ%;}B?8k8FKUO3s2seX$qwwD)i^tbheb5;X#?IiL1M$c zfnP*X={x5LVoX*(;0>lCtWy>lanZw(L5VmlZN?2Js4u$F6P`Jbht4ch&~sY-Gb8=>Wzi(dw?}hzAlkV{9v?B;QuJNhR)$)NpOTXafV zrb1wv$u-xTAwsQh9_DpOiXr~wp!5e=`7q=(`7$Z?T^X~Uq^v6-Xs1_nEqAQLTgDZ0 zOxi8Vn$xbfN5dV>sRhJ?4StE$ho@Hqo~ifGbMH2&0wB&x4g*!O1REo#l%X?YNP^$E zYRg*`uAl&^M82jZeLPoFkdiU_XjtzN0u(t6QhznAE2S_7dXFN;mXi6 zH9Q@>D(cLRamdHS2fwKmC2F(IMKJ*Ohc@eD@rb^Ls+f%VRiT+9`1!P-FSyjVuE8(a^M3T>W|AnkxBEG63U)zk|EC-0Sp3Zx%E^T}ulxRIk-bvb!dg%RYjNOM z1%eIA7^8CNkX*t%J~E2-uzjYsAq0{zy#=}Gl$-71rRzK$Y}G0dZRy=>(b4o?8%9jd z^=sEvloE5AocoI+8@L%t8r{~?xO*E%4DBKC`KW8_YG~`~ufBfl3VMRDKR1dq>IRW` z@Y$W~gKri~8!SnJ8A9?C+x1C{-2_E)+kb{j6YCRQLF5&$sR5S39$zG7JZ-R-;p6o&b(P z1KF#1`%0SFRjrrO+`j-f;9!dHEgSsLdeTyBdqM;$ed2gzO?{_fu;ckDiNMv%o2tr^ z#&^_o1~0Vf_s}EzKthVgB8`dcbIH9J?BIKY=(~CT;YBp&GaZ!_FXJykW3c z@fm-^u`w3b)PI?+XaWpggGD7P6zgy{D&Aa|poL!tx^{kpwKs?d+#T^~?)$#khqE(; z@ZvSuZTUW)?YDa(Dga?NFpM#I_5gX@aqvWNcxp6(qk_px8Uh59+w?%L2MPx z8C&}r$p*W--T4diq!C*WeTpH|#9HPz25Tg8i~+;%b5vrVI~?(O-iNq#bS!AM6rRrd zK@!I)SPC4sreqA(@E8u#kOXIPmAS|dMpQ;-I9 zy-o-ks^7EyKpR4UN}%|`m&dJa=umAG;~9Sje41MJ;+a3=95(7@!>sy_nP{8>pt_Xb zZ3NJ9-XJ57=rp`02u)11EObaHUG`QR(RxD=8jBv#xq^Y@H)w=+hxo~gWD!a56?}bv zy7iRk;;HjkP@jV9#Ha@l&-3}#;(A+PY6ku`mOuVM9cFO_>FAe2w^=GlDp$)}5`j88 zScm~jv4Yr?;Oz?{asOgg2x?cR`X>_u8^?pJY>}vvwU%G%OnM0p)$^4oX3J~!?~;|n zBj@>>Y$wT3KjS;CPBfHx?l_T{_zIUzPhZx@HIz)}c&yYAcFV~MhdzaID3{!=4|exj zkw~X)uVr|gPwkbxH~6kO$8BR@3e7;1hz1yl`V)-$>SO|EmbC1mKc?N3Rs+n{)Ba-& z@?$YD0s}P$I;ZiFD%|dpc`nFUs4D<)Vhz|NEL|{^bHv)8ZEq>cv-v6mkqUhpK{_{Z 
z_g*6U)k|Wmmh0HyPoAlQ*JJqJa_qZUhl>>exqIK9styu`Ys6)wFvLmnl9tWtle{Fs zvJG^d-;XFw=YNY{J=>Xe+nibqB!88l6bJRPJHQRR!D8nP>limG9P+vvj_yq<#o8?m zgz@|)L-p{u=1obYiwp6C)DmuNom_c@WNBH~4ID7bsqyncf<48*DlVr!ABxyKc4bM5 zEwCSuhQ7lM*7mwj62ao~7j|%kAL`s+BWXs#hyBD3()eyJEHi48M_+x&obuSjHGJZ? z4k7cL6ZkMlziDX13$e8c;jpB93+Y-cD#_qrYjdj$Oi6qi;Hx!XSTv==vYe5 z8~ct%jU5MW#yb_M0*}j_?VCtefe|;wPt(bubJ-rKM@cEhM#q6UaktYqj{G3&} zrAy886S&-y^o+klU5kZY%drwATI2w?sh;+I(XpMToQ`So(3ypbQEr~y5uf)JGNh@v z{wqZC2xQ;!JNTsOSJMb^t|m25XZXG>Odib8PUzTzCE=uj)|+#+Zio;<35AwBL_SYM zf)p(p>}@C7{jVSVw0o`Nla1fDf{n%S9_Z|bN89NKliVf7 zfg`xlkt*5us}@Y2wkLzXP4iRwEh}0tR`MEVlbY&O#a`7`t!X1w{cs-wXv+`}1|aEH z`YfRxn_DwK#}pYcX9_jFyB4~OpHC)^H6MDg+U+&nh#hf;`6z3ZaJfwkIcm6ZWr$F0 zkVNt2oey5#h@F%K{`2)#kJBVInP<=B5KsM?L+$p_)_}#_G22(g7LoV+^ahKRoujUn zbvc|(CWF^O@NJwl2@w|Xb)PkLp3=>H=}WYGy%VAH$?+xOUsNH+ zgqNq>*@Aho17^wT<#RoQc=#eEnk|xD1&k!9NV5rRts%X85b#OHrJ{l&fF_5f69#^= z$(%mJU_oPoHSSHTNL!hBSrgzT%kezR9XQ}}x#D)v%=~_Yc4Pp&KN1qos!(d#w1fd0 z!<-ah3O#b{{lf#38)TI@0y`!w6Wf6}`bOTTgv7~W6XHPUuNr2dvUYt8D=lExNy2pq zR4ACKv0`PVT-Z2wym*Gs>o%O^j4g;=BZt0i!M@8G!N*ynQ8d4%msf36?c^xtzd3ef znj>^>I4Y2-Ldz*#_l%M~T;ptmQ@g==Z)q`E%rZe6pu7<;CtfCMi{ALc{Xw_5@y(|M zut{!iYh!p=6^pbYo@Bli6_3~5SOGH(sVPvi4qZ2W6t748d;0rLDOx&KJ~~!UfH45cjjy;Jmb(*U!sxX| zm$9Xt4aoUmjQ<{~rPmNfU~;2R=g$5CS^vn8eo+Q%4ND?1Zm`CDiB>ButWTOFx%Cc>cib*+_Td$|UgEldi`F?d{7d$Yj~NC~)w)9Lj_e zwZ1A+h!&+mM9UmyPi^Ytw9)vXn3c06mOsiJ_Hxa(IGa4~WV_-}fF&m_i-aJP-bHMZ zK2hFNdDEsD1>j0LiRP42{BolvbabKrt|7|F3!U&zZlDI5Q5iZ36pg&dxz6KPHR%Td#<9 zW~#lO)iL?V$7b9B((xsilX!h4%lPcDU$U4UG(xN1K1MS!=e@xGu0cpvuO%ZG)PVMunt$bBhGRyw`WB08qZ0q2}tM%V4h@bYY za`Y?1?xlHt_n=L|Dp~XR^;G2qQc%mi$Ju0D9M5byL%qZtn!e@6_xr>N=S{xitG>8s zJ>KwxxY+JJzIcYw3TyAnXuEmMnUWsTyH?>Ha=(K)_#oA%JF_nQANpjLkpqRE@PY1FW4!np3vI5}v>NLBo5+0@LQWvCmd$@NbYx4AbNQhu)qz-F( zF%NW&h$WZ07?>eNDdLnwCNsI2>eEJiYZ0FF4A2Wp+~eQSb2>6kBtx-JRoBRYiB$#P zU=p>IzdevOYpPvXV%%89FgSBfq?}lBaN+9r)zeQLSZAMT;gR^XkS3+svShua)d-g? 
z;4L?~0fOp|g529nEgsFb?eucTEQFTTHjs}s5;SK~oxV(@)zPl8W@k;jmR~cdMKwzv zv(>$b_=du*W$pacJ4D4ml9d#4U*5ZRutQuvx6jKjz&B(n$ttP@*;;kLbLVwUs6@s?B7J?U@*p$4B_jNo)-NjNf9H#S*qEh2ig=m>Z`_wG;RiTDT9&(q}43pG&$oF98w_DqD7upLsQ2Ge2lmA+DtKeijk`POlQR zot*1E+rsSPMR{xA9;{-|jduxXXW^7`&-uomovu^=gZYMMk!zg}$ z?*xaKymT4{rV`~$nokcn8R!lBE^YS&5LBi{YU#44S}}z4>E#EL#D@#sr}-6Js|@%X zTcmS!irFeS19XeAlDtXV5BX&k?7&&a_~)#j*!6nyXdQloi1qX&5)&!UxGBl1h%W!a zjxk;;ajSOgoHNTvrR+;_v9Mk$(IZfn+*tWL=DSeg@AL5wAd5MROJ=GJp4QzX%RseK zfAc3-F78XvYtFLjduocgI8AE2#bWq9#F$v>bs-IK;S^`hD4UG@1VECFF1-Y0BQ96& zH1W}rluQB_gA<8y#Njng&a4KzMl7@!jxG^^*Fs@`wTcuvqV*a0LAu^%VxRv(eV{SS`Rl{J(! zzKo774q)&eZSUHB&?=w>0_LZW&)H9@Fhjm3lj0TLkZfeWTUQSPV%D#?lwRx;@K%PHk zT|8{N-8LDF8XsL~G=Z?Q7EYLs5}!66Q|J7WOK;GvimD;N6HKz0hMsFogAQ97ryv%lP<rr;i%Or)He#vJz^5m{9LyP?8P1tF#s*V>PU zNnL#Vq=5rH^Axr^XC)go%`b^eF%k?a^9PWc&NrF++GS8#5>sApg3@P#pkISmC^mT8rEIUZcA zbI$Ii^tpoyRI`Fi$z$gr=*IcrmM}Lbk7C~BdkK9Dv1t$noNsB-$jCC{Eayp0TWpCW zBE`ZC%Hk%Cba923ek&|yJs{^edn<7QTw9X4rcTq*8$_S$p7;Sy>#EL;F!x2^Y@+$9 zwG{fJ4bg@amRKx+oC{OGd>1yCFKyk%TPoRsaVzI{K~CY3bOTZxB{~e~Z5@8SYan+; zLtf>}@`U{vphnPbj`kb8ZuoCFd%CrIS^06?#(K`EnbiyBN4y+xk>oX$Y|CmRl8#ok zj=X+hFbG1Aa`eg^YBZn zok@J%7lp(Tt+2j}mD@>P^AFxvJ<=B-2C_ZF*5a~b))SrO8{OgI$8Xfw`)Clb=u#7S z1gJ>-O|Br5Q|#FgZbf}_b$(?tB`crR+(?y;?)L*bYSb)pCX-zbFrqi{Apz-^q96_S z`%E`6m$JnbrJ`6i87$05?RtAZG`%N}+cyi#E7pl>%+CrHa*5Dnpwl+XZGeAK$p(`j zyu5#{*xK(oy;uIA4cVcAlrZ~g_OAVI=VQkr=7wA+zGH^w@(N}C0lY}ITi!K31MB7h zuinORlDbw+X%2&u&}qyFW9$8i!^_->*^CfM3H}T+c@K}HVZeSaDwfSHRqM%^$+t_( z)tGfA({UcYU+Y>Hu)7X77_l=+NmU_#VK@@xlxpej;X!dNG~bZQr4%IAi@xQ8+f>rH z3%;7A4*2%qtt^@Ig^^04f5To3qaQC=nCaD$jzTQiF(r@?&k)e-j+xBT2L1>1rQ`zx zZsk#WV$D6);|QWqA|3)Bf^{gg<@QQXolb7TUY62x5U#i^&m( z+MB==Evm;VSgJpi|HKN-{J_S-&Bj7>3?`+o!peAiV?V2Dst@~bg5s8X&y1lq`$`sV zUi&}Uid&oNgYUBB*i@E-V5j*j#}uRhQE;%aIB)cj)JUppE2wGJ$of=ly$3E8gNfXX ze|L{F>E-P`;9jxzQv8MV3I%N>S$7qy0eAW~E*gJ!X;yK0qQkma;hjmNCCCWH{r+cu z`QEu13}Y&f2JRgQf#gRhyjEoR`!nHH37T`NAz^@7cgJa^I$6{x&9v~3ySGg=qpIH| 
zb+iJfNl1xJMBfA92|61pInV;mVzJxA@8M_4S~a!BA1XD(L59>!ViHMeckG01;{s_} zg68%YN_^|GQupKEJ_V}Kn>!yKEK-&_U|8~(>W7V829Gcj=2qI&bsP6(+PL2nZFXrxj>rsh{<#s z+>SaXQ&er1oEjEIp12LFoh6HfOEU$GY-!fHE3=W|04BDfII|(H;51rKasZVKgFl8X z+b4JDzFp5beEG23p?{8rDKf=r3?uZTf4-76fta{}`-EwU$xjrH zQ(VPburzCv-As?4)|Zr2-OQCh>JF#E!omTuAZ>vEEF&;yu~IR(jH04m5Wf9yI%z&Maab`%4DDq8q^U4P)bw5ocWB_q5#aFMW=6lnW(<^Y)Sj@V%$J=m>J!4k zW}g&D@Df%`T9q9Xm=Hd#X$U%TVH&d_fv>ZsERI1rM;GSOW8%1KyaRgIk`%)CRLjgg z7W!YYbY`zjDqG}XMp&C28J70JuI>Q)j$abEgVyADrUHw}xChwXe(N{zn1CvXhv+kA z?E?S%!7pd6x@!fR_cR0I!&Ukm{i^f&t#Qkcu@2C|g{gdHWUYRBSdQ3-X79Rhin~A_ zD;$hm&QCXtO$s*~O(Q8KKoq$?z5J%;45w`jUxX{Q6of~I50|FSO92c7@(0MmePjKK zZNS>(Pd;rLXOzSjiL~Fe#zB7~s$~!V{1}0rIt=72fXMSiLqCP(Vts2vPFe$C9VmJ@ z2sXF&7r2L9=_VO*i2r~PLQjs2f^+lM@%OQ2T$25)THHOp&O(xUPYj`S=Npg!CadQo#Ljg7Y#&p zSfLhi z&*o62-}(NGehpWyD6&EUNGf31n-+F{zP@E_RaDyOwk0SmI78#&DB{-lfNd^Um7&UU z0aUohPWAOPCj3(>v5SqW0}Ht{g|(#xwWVg~K_H$Rpr4EcOx!pK%d$@Ijj|2JC+Yt* zWoP1t=q4j8#Y^QxgP^452d!xHxJvWIU75XUR3tsx2fY5p8jDrF3c6uT!7B>LeH+h> zA&^T}@78f}e);%O#b=rriD!-Y;i7kC0@p9A)UBQ0GK&YPTo(|UOi(trC$TTY+C}-sGl3(YJy&ZbCQQ~-iXC9?I z?Q@{n0#1h~)mE(AirSvX>LqWLS{V3-)YP>*PA|`~Fg1%g&VMk{(Sig49=FZMFhqPG z;Mm$ImO<@<8u5^#lG1D4mCZaApF)!^26Qq27o|8kCz<)4{co`;0n#gjkqmB^f(CXrwZT1Djgz#% zQcQ5)`Oy-`f!5x%lA(#QTCqxrib1MJAn{o_@) zZY+bB3`$vTWx*D>r{k4fl0CoTm_u}W)xb)s!b>{xWBTQ3BiLsFiasAcj40JkS)|29 zpDcRuC;gxA9Nc5@5ArRD&XmC+BYPzGyx;}p0CP*=_D&^1bIT= zi9^*mQ~|_fj9-pgjporix^sJmoCC55u(yqN7d{q&SG-OdGTPQE?i%LmcCTG-`6GKn zX-=?PQj2#4a@>Gxx?>hvkj^}SNr9RL0CjV<>HUZ?+jbr%f4IFE@adRZ?oV##u?Zi0 zsXZ29RK;2t4|aX(agQr%NhNaS)}UVFBoj%LJcu`y#DRx;`NWM&lcO}lS&hvA>^XL@ zuEk{TkgQ7&FF|c*5p_EWJ+Cf=5i{mT#~wt3u_qY<88#=CaY+%UFTBWxB`EPrHGbO- zIqHl^#VlQ{tv<|;skjuNld~C4b zJyYI$CKFf3;-)-rj}BZ^WH%%*heF|5wt}=-&z0dako3jchJO7TGj?+t5oJFFgl9(*!h%X> z`=u$t$gBpBpjezW_&n47{L;~(UkN!#-OSxC*8iXOuKXR!u8)sM)DsG&5LpIUB1@JL zdPs<&WD7$XW9-}5V|t51k}Zs-5T1y!OVd~$hDS(DQdtH=5@Q<6Aj`aG>Uw{B-~Zq} z*Id_J*UWvN`<(CnJ?B2(&-r}5_r)Q1+VLMxm~DJu85{!tbVcT<#~cWUx!AfIKlPv)9S9mzX}nI;`|$0OB5 
zzGhLXK6J{o$dlaL-q|(l$ND95BrEz(9%}UHMPZHMBAoi}K;t9$i;-Dii0E*6z9g+4 zkjEu|!(n^>Yhl-->oP}Iwst%uR1Q4Gnp?V;(xi{hdk8U(9egN{B}8!kSwz7_@ zng@Q@_WmyWYk&0+!&*W0uK!jN)+qB}W6QWn{VkxEPP`Lj`sqkPW%rx6Hb!s}ppH^! zqfKUpk56d9)8?6and-cQG74{RFWl!k;b#BCBdQf@Q0?c$chJNOrWDSn2zfBs{ieoY zt5cL_hq`K~C5Qfrn#bLpot0HkIB4@oB{&u~1xy04=B;dr-6eoT?cOo$BKmsy8@E1z zHC(k!2o6s2MZ9O#GzWb&m8s^ zu|C>|UtO2I88}K3BJWA6o%q}J?t$Lhr8FEJ z9+~kanSVQm<6LZtlL!v#J=W98TEyK6k_+F>ZhEI}DxnI{DJB5=7D55G6&LdzwsEyk zZS`Ic6XI1ak_U!P7~!0O!SLS5ssnpn7iDc4gr zDJ;tpZ9I2JvKBgZxQMsDQ_njn)d9BW=Fx@EIuwVJDC;fgeE-8kvk+iAfNcQq_dLfp z0N!qKH`nBePu!&Ps7F>UZIKI(e>MU4fIc5rR~2y$GsK;!db+G6U))k~eRsef7m$(w zAKUX@7~0f4gU%<0R)IiD@_|!{Lx1tK#XRoE&hD7WiU(eL zS?&uuC~uXLl(h6dHDac`_+~(b(ct(uQIX&l{ewEt4bBI-bfRnB2L05ln6#GF2PFNQ zK|L>QhJH@^kj^L+PwIFebNZk3?xlmc*e;Lg?T7R+J)S{0!c|*V42wN{kL2*wu0^)w zJ9CONETwN=XEbo#x$}C7)6)tqkxYeub&1Lv3O10?qL`c>ny0}D9b+eHo7R;l?C95bpHJ$m!i}F(R++-d`s)`#l0O zXuC%*g?dw4o%b4_Y7lnKuB9Wx;)1m|K5Hfby%p~gg*f3`3zlj1KCh#<3DMi1O#n-! zsZPnN>Mm(}kro%RRDvgP7CuQ7 zzhozv*q%9_rijQb(q`s*EFwsR(|x8Y86cwSryXcqcST&avgLVP!^|vo-XR}e46$VZ zy43K8nef=kl~lgDF2dJCh(QM@O&vx}|cz6uV(=I=rpBw16H08?pqP#(EuS zPlBTGxvZOvl9Y&HAqEbAh+K&_H9*o6ZA7zq5%y;$7|kmsEYj$)Zh~^qdmyL;Y4*|` z7obGGIc<)cX3~PO?#bxekD~qoj7u3ro2`4rQky{@D*$n(PyJa8c^{C?tu=fA#KfXB zH9{w#Z-7S~z@HdCCyixq6a;}BFB1-{e?`M4{TyK>&Mf|D*3Z)PPGEy!frI-2Ok9zf z1aymrs@j;lC??(9f)uZP$k1j@9(61V01;hn&mfT1ZmN|A*sxYZHGPUYAZMY0d-!_I z_V$&++^|&cF9yZ=chw@BWJ!XR#`_0XFmSqXV~5)hIo5hdPUJ;-p`EYUuA^v8hX0ZF zB+cbN@?V@!{gffCYk!$*yAMM`%TEXhHHclB% z`SC;On~xUy=ex(vtlvAUq|^Jqn-4P_Sfzknq11&OdA=&C&_-LXs>X zoQ1@oLAA9%{B1k)nGD*~zOG)4mQ;{i^kt`jF z62UkJFj=fVDJOPaE+OTNbqaYwL-Y?taUd1{6iD22 zV+NNGZ8A_C4l+1SB^NzQ&$IPg^Y$RSiKy+9xj>D*C`bIrut)iDBIM&kFTR>k+DB&% zI#LUeZLr7%WQdP0`pe4^?~xSFnpooyY^hJ_z-Nm*a7Wr#l-}ear?c^polN$5K|-Tmz3Pam2MrfpT$=HQ<@Qga2U#n^ z*r!JaIPBcpqEXDc?884f1GGTn{Xg}VlRx)O=v76z>~Op~MahFyK86nHRfRGiApxIw z%F_k8JM9IFo}ccB#ZVzH6@ht7juqMso{gT*CQ8Hsn@*ifs)NDyw4=)lpy-(iCCDfg z$NBOyAxkO0eUt_d58jP({QS!_y50HXV4%cy 
zQ+vTR58aOg??cd!-f@eIMI6Ag;NU`y#Y%`b7j~E}O=D<-=$#r@{B;fXDOM`gb!r~B!mbFc0WFb6BYA_jg78(g^`+0Xd_2QO2{FJ!ZQnhrqz;Pxl zYn>uiC`5u6Vu5I}wX#;+AnvEUCGI-^zM9j(8@~&iY|SmrkQcTh((T!AX0Oo-J2|#N zU#5lYtw&XTcl_0vz~p?FwF?D>$X)jl5KTauofIvXDYP&>TEzj5PlmuhtJHI6?HyTX zMAzzCC)mCvVHN^hrmEqyzpRzcK8I67VpDdaDRRV@24e7}H~%CT%fEdizf!!ppkN4Y zwQj}eVvucWiF{ItcG8S|5*0L&*5HUAtt{l5YL;XVVjw=7YLf?@027M<7+e4U{@-@k Z6lL~Et@~b6tzw(W%*4vL`l8#v{te7M=e7U< 
diff --git a/fast/stages/diagrams.excalidraw.gz b/fast/stages/diagrams.excalidraw.gz index 17bd062a0d2a8ff994a9a95649af95ce257f8ec5..c892828838fedd31d0e6022b67b98d9156bfbd59 100644 GIT binary patch delta 94223 zcmV)cK&ZdOhXvs21%Drl2ncuP6=whgWNBe%a$#+AE@gOQVQgt+a$$D>>|I%N;>fao zpI_18c^!0WU*^qV;}vgszj4CB4rUQ%Gxo&!?>7r$BtRQR?uKbG6EodXsg$b9{OZfB zs;qzh`0-y7QO0KC1Nk4Z8!k$baPTeS6p|O-j}WgKq!t z|NO^!!YbMAkEbfFO1sh-^r77U!QX%U_-FE8*L!-E(xA|(wJMVbCbyhdVZ_wpBEF$R?~+^H5?{fcwPT-tdV=HHL+YA3CpXkz>9 zI{iG#bezYljek}vKX_|Rr0v`Ah0eYHpl3HLca8F({@F0D>$9iI_Q1S;cDrW}YxPd0 zZ<+hjn7hP{cfQLz2pd3ER>oxkg`*rmHV?=t$*?=cgnneezlMm;)G&`q{5WZ zS&4e3QL7J(v>I7lX+#-ENP|F*FqKKSNT~@H%Jr;yd-tg9D9+?6NgrrhxG%TIsZ)F| zPX_f-dT(cX|G!R`^$P9Ek*T;dY_;6Y-YHL;{U4{&sV36tmH#=dV9M_=YOq_2U0QUo z-@7U|M}MW;*WFg5*zR@4e4L%Nmit9Jg;OxmnNmzqh8zoPH9F13Mr+xnreivPxCCA@<&XD!m@(0c_?a=I zpgCFzLiZuZ<6$B%KHGi0fOaCWU4AyOd*$6@zCPWG9XT*Oh zp(z@~N;s};IXNLvDiKP0I^U!k22ndtktQogVoox$`AmKvtgDTfOjJT@)} zOaR(p6u^XPEHD#nNn&hq7$g)ERA?%oJX=ZRR-r%0*zI=145#jr^Zl@EaHw7>Ea?t> zvhTgFscv3Voj?6>40rOE*`NRWmuG2zbAK|wB|~zm`@{YJm2nnpEqrlSYK#@eP5~Fr zj-uo2P4;mQ-S1uE1G}BN5V!kOjO@+FSz}KKOQW4qQ^&?X*b>$jP!LW9;{dmm__C$7 zftCx4X@E(gj0(8GW(KpAS{P`XQXr|~LOY*4g;~rw&|-jx1ZVwVYfu_iPxax$@PG6! 
zJCLo@w@mZp%m=n87g#W$(hB+otdYBleV`Vxpd%D;6cAeqM%?wR2D9^@xGiXw@>5## zTT<89z)TTe(g?UIHB!WzHNHkivvPTmqX(ytM~9VivDsq%c7OkDK+dH={RFdG(`Vni8SFTab(r27Tj!XM_+ADxwgA z(QpmgxTSdJueRp5q_FWJn#(s@Kr{kY0M5Af=4a#Rh^CrctH*ljy0F)|cz@8%UN4=Z z8;)oMApw+FNdhh~(L^jnv#@3s&}6u29ARjv@8f5n8WJo6x{3&asdPTb70t3>wBr=S z1>Qhh@yAaG2N3$n%NUs6kHjs@0QQl^AQ9FJm4VI-7^O(5Wit^n{9zzC8GY4~T$ zLwVl`V3A!+WHGKNl1KpEU|bNr3}DPMGb41;9g_TZaOSJD=C`b_D}UnIpfVnK(lNq) z=@tJSR9|m7VQB65Gx{f{1z>GMuPr*wm&cOqsVeTZp+8^GkoBa-M()`2SWixei zZo3UQK5(16u@SS1&40Zcl)FUqt@M0d&Gz@`;7HxXP;dR6<@2M$!yT%mTXGN4lYXxI z%VsN`KC(N5eB*s$*<$W$w$N_0-sWs&f)^m5-K!NkjrYR9z{T8M=!=>`kew3rVWl?* zE`vs?(3%w(*v{AQl;C}ZMyJwS))u?hs5Lr;)^*^!3&VkZRe$M!e8`|Tthn2vayWBP zEW!g3(UkT=M1|Sn)fpg43Ye&|@`||aqUeBlpI0yZ@?p2o%wMbi`-{#!*^QqCh>q~9 z(K|z_IWTS*p%^1SVSQvm;yDWdO}m}3xvf`6-Q=%`cXlh{EYDha?HM(hgXX5&%kySEpw)zdsbFX)H%p&J}G20gz8 zFBUl9A}iWwYM#Jc& zG;%sRLG|Ac)lC* z^>zZA32Y{?84KgY1QVjU_GFxV1>nS^=Uo51X*X?w>QC>-na8{PO$Sa4&N$Ip5lt~# zS}VRyQBE#}L3Tvg(XKz)d2K#3(cYBBJ-KUp) z^JvR~bBjWpll(eDve2E0334XLnILC8Ax=ezS!wEpoGLnU(p*m3$90m*oZVd=-Zn>S zAZuHWoZA!QB%Eo9m`ZSSdM&}t1UDz8*MG!Kw0L#4eH;l6w_UqoT)3&DvAo9IDRUl$HS-B?xy1=6&4j*XyDvZQ@*hI@@IuOv4GcLDJi@N{-8W|Uiz*jo-s~F zm6C)flj@(>eoy4|)uk97Umf~Vm{?R%;3ZNcOsNuULUCAyi#rI`{NR|YTM}Na`+vRP zP~+kktozL|*SCa(tBv04J-&gXw@HpGd;&(hE9}DlGTlz?_KuADgQgo68wZ)!-6AUtvO@6JjLPVA6(zX2CAbM*wh-93 z9pGgPgxPA3gCDJk(3G3=15AE&>3-h8>b$CkR_Lp^n^GUMG?j)HX%i7fT+CHSEpRg> z#!|z-iYP+EYZMmYj4287aepD{e1*gU&{2pnla@sxsUuV+9L>bkV$GNBK4bM+~(KRvm@2`EVf@q!G3XlM#4k!Flair}MHq8~r~@u@N+Y!1mVsh06tjWabi z4r2v?fn;pWzMG-}0m(oN4g6p&)mlQU^%Os_x|NYJ-r7Q1&H@kuOf+i*ps&I^BDiC* zN!QI`9Aoe{3=BOqr+-hd-XX9sB_t;ja0Og!qC*AT2+r@n0fuAAgl57sQnDAF^ymAW zp!?m!+UfE2sC3Rp>0>n9a?;NcC^y_-&`3lm|IEDAYDt%LFy~(^^U3-B`Mi5>*oTUJ za(-%#asYD)+c}s}{(m*)4`cvqKJMWVtORE3KL5SY>6-{x<9~pYW&k@lQrL4v;(m1O z49*w5p^1PswqT5w3QzK0E@m}nFpvw*fS@rVOkQ(e?2HgE2}}emfE^j{)@=UP0MZ_z z=H*1dpxr>sA|$(f$@lH-IlF9^M&s*;lg!)R9&2qRV9wt7&+Jb#1q(iyZBp<{DSd+z z@(0$t)BwLarGM{rrBg6XId|jxv-vK)_PZ1LO68l#mz%6*;I??K6wF4)vts9ISH9%X 
zLr-3eACIok#nWqP)43ql7L0fb_#mS2KL;2-j+x=iVwedbq$GH5{qonA3SupBi7dkz zX6CdA#Tj8};y`+YfCI{W?uQ1)1Q{nK1m1Q#GIelbUw`V}K{ow}FY|}!>fViBCnqoC zKCeG_Z2WXy#_xPDcX^iZ!R_FKD;^wUNpp@cjEpdDgWp5vql?HgAwtF`$7CvK`Ovj; zFfem-!Z_nZ5RA!U_!Du0IX4!C5ym1kav&_T)<;2&+Dz`_xo}yEnH<e8yPkB~l2n>QDxfY(m`DKv>%@AA_)yy&6E3OND6yC6}v>KxZ5lhbDu6N)p{xyBHzju5z>IGTWnY#uZ}63 z5KU9QGw5a}M{?|aG|cWnbO!ZSdt|#uFYm`(6@PmNy-`1VjE=XQK^aGl7@x~%7l4Jo zOBjto6?j=ytIG_^*T@_KM>!MAKp>t}~A||81R%YqFW_nIO zVt-*qxtaPlM<2-WDK%=r*T7epwFTxdsJV%frJHNX#w;a_l2Xj2z%bHt^!+q(2rG?RLl*Pin$+C@oHJHcq^MgNb9X`p&_07 z1q|76!UWx5=4QP^=!ek>)8o~!*gHhE>wliO$49TVqCD%hH=QscWlc^tl!8#IT;~aY z5GH08O@Ot4R++Ucj4g<^Ss^D)zyg8hhegyA#*{Fo&)>{H)EH^-0m-}vySjTg^I(-k z6cBXY-~56D`{`j*1ikQlZUVXQj4*+SN&~w~W`F3W*AluEVM|A#cbJ;Ghg2v6{z4=MF?C>(;M#b^ zuFPW77k+rKfI8abNssRTBL+SyxY_!z`PWT6Y{uXV5a@q|CHz7D|MJ~6<(md52!O02 z@WJc0-!y(Q*;|23udLg})9?;uR6-kKykc^Um52Vg#fiJU;_c3ul`Uplh=1EwV@H#X zpiX@8>L+!g%B&DX-e=?-M`up&x8qY<%CvK(*7cQQ2bZPG=Zj5ePGPH?K(~~nOqp|! zsag;$u0WI7kSH|xYZ!5D5+Qr6)r2x!A#f&$%KEP6WQc!p!7Z(tiMYDpKSh%m^VYwUFRhiuoj47&M)6@L!Qo+T^VbXA;z+ zlrnRU7bj-R;yfBt1IAi$B{`LZuqe@&AOX#mGH3`&VYrZlg`ahvTK*(=eZnHZDUjJW z#SwU3tIbO+8-4iL70{i+0^bUt3`R-;qjl&w9dlEK^`zPFi52GrV1L=HBwbIu)m1IH zC&3n&0ElN89BGr*Vml%x{!>g?n)y)0JjeZ$6?V8)ub*#*Klsk z3{xz#62Wcv^%*AbzJL8y6HIYQGi@xhxR?t=P1kFz-)(-$yWPG#zZ4gKYy?^IonA7z z4Z#2RoLoAMPL+<^=h@D6w|QGBp4}GlQF$VMplUl0G9sioMYiMzGp z?aXhQS&GRL;-8`uDGCnCQaZ!A%)Qb6GPs0n1}N1ilu{+TS4p|Z^3Tb;;q&tE&c2~t$u$;p)(evoPdZ5|-6(Pv9Yt~? 
z`=HKG&TpU7o$J$sT!X(CZZ_NbA_&0{#K9OTjHfWnEPps(L`a|mR5Ok=3`73s8%978 z-xzf)$(KPmvs>Mj)zAk~s;9*cAMM_$qxZ9}eLQ+ig$c7NhP2{i$w4R+Rv6WtAERa%v~a_wntBfcEwf<}DVh%X1jjS*j7w0@2F@_JV@ z;>+ut{U7I_t22JjXba#NCxRj6O8L*jQ+`q2SA&O4FV#V(qkjL6Phv0a9jE*h#|2;u z)^A&KDSbMwh&ppdQd~Q(ESwXm`Z7Xj)@#cON`Fi-r2j{gej~r^a&{>2^z^zSM(}EcwkKQebyW;Fm_V@gD?u=G1oU6QlQ6JV zU>7HvSP|u;R=TO*m0{gZ5Ez9vr7Vu!I{huVU73VUT)RpF@Dh_3VigD3UM_YfuQIKN z(SP}Udn@ts?*H&Aa(4faZVlSQ?ycHxeu$)?aeqM=*cV80i}Qt&CD_X1oB_lE@dES5r#T0% zE1Ob(dboH_q&{I?0jOATz0#>@@QY^WxmJi>9P~4y@-ppwl9Deaj!PHvC4DB7{m0Q5 zTkPb1XxQP7utVb#HZI{17c?$m;}Q;r8{-l-E@9&m-cgq@g1PNQ`C(ZS>X`;|6@Q-d zr!7(u8GMp#D~UQsC*$*rg0A zfNBJ#mKoOnqglW43A>yf3Ozl2!VX%z+>#Ga17;(3bqeQJNTNIJAD^ds^_aTezqqSS zTG>bWZ6Yu0rs5JS4(1Z<*97)f?0+ccescY{!U@4djleZ zH3<+Bh4TtyWHCuXKxV@_d7`!a&B>8y)mpijxE*2n_dw>F4%S?=({I~<(#7gMf-g_I zW!{hh)(ZUZp$nA{4;e?rQQ|b#IKDmX*wcQJo%GAKEhk*qq9RT-?ZQ~W7Jsk^8HlmC zHvBc|lFY)6VB9w9L%>Vq3b>;P^0XF7f+Qzb<@V&ca$ZkQ57Q5oZj>iiyQfKk^uX;8PtO zb+x*#!&9io+Q3fdYZXba_kY{zE14MgbNf3^p*V{(tsJ7$7?o1qX^ekfHUgoUxfX1I z8UAGW)B9n%-uZmF(b!DayZH~8u6OfqP1n0!=z8bFmpIpg-0m%0Zo;#r*z_^hBQFp3 zdE({tY}_J1D6-qmmI#kaEdY)SS6$9V2Z zH+;$PCI7Qc&%4ctfa!T>dfvHSYzH(+P0u?Yy2KYh{Sd~%L;xFbFZ3#e=Sx*y%g1WP zyJ_)aa(RBxc)2VT@Q(8(qT*QUz&XrT0o-^~0r#(TFKK{Xr zJJa&c)n{m0-kFwnuYb(RvwjpK0nA>x$K{IQnbW~l^4u!jrm`K>Egn2R_0w&+<@KY% zsZAt~fLQ9{CO`%-{WfGyU)%H!QO*PpEFm@2$xx^F!?e6JE$@6bR@3tCt~2kv5uTrsdt%M3-P{!mo;5%fD_{s2EKaYa~}3 zWo}|;i58a6F>y28ajvve(IqJaB`C1xoncCbDZL-2=bh<}O&Z_#?jDcRqaw=W z)y?5qal#VF$%Kvumyb-?iAG{@Tc6$)UixDH;qT#6>wk8=E01c;Si9F4{*ktKu6O@( z0ggGmE+L7Yj!FnuXLTh!l4LF#&FA{0cThVU)+@)k>CJUFv)u+5l7hzpLWo4#sR0J{ zXCxs)# z#_@VrGaAS1oc$l?pQ{soPl;nJfYD-3TosP1;R%2K*y?rmE4*-8o!(sb4>FVfZD+>` zKO^w9j?%#_fR`=2vr_Bzs;Vk~%D;F{qzcEd>wm+X6@dX4L-~I+(u67=a7 z;D7Mph&J1FI+|=HUVhy1-;ck2Ot7&{_eCOI=w6aisgrrKPtR_rznsfu)8=&ZHS*Oi z+x$$ec+dLX-R}+T?{?XG-TliO(;-LXV3ESXR2B@mOW4@qVW`#?g<aocatfyu7=ldcP#(r$U@nwo1FMSzM1N5*62Uwn1bKI+`{Q0)T~s81hz3DY=B`#9 zK8h#1K(D$tr!U9lyrXg+PC%0iD%&TW@;I&TWlEH$`{T?uQndB6ie#YYza6$VWFf2i}FtROj+rmdwcXN?J*P=q$$bb 
z2r*qBz`-!*OOS@+u)wtL5rKKjy~_tShcsjX66x)QA&i)_Bx-J&0{x;&%k63Z6v1f8 zG=;ZmS-STAhUGhzpk3F@Hi0c874* zb1~^-c^Rz;v|i>ba(FP8eSb)sOdcKn9>U}7dG&><_Ic*kVr2X@8q`rE`4BD6_Vf#m z6lW<1ZpbLdu;&3kbbna+Gn|E`6PE}RT?vY`1fD0(B3u9G@BFLaI<8cfF&0Z67YZ!b zS)He={VJAZLkW@!21SE>eLL-`bC`#YjFkZM@XD_3X?qU-xz`--!8q-~o;C*u<@WEc z{$|i?@BKHOIQwUB2xA%kv)3Cmes}vYDXUEz{%Jo|e}w*vkeRN*wvg#tjakYGZ(@HT{()rg6tutiA~RPOor;mWJyXSnzKS8vk&{cG>( z-rlSC+OSTCzkj{VbQ1KZjwSF2C|z^WeDz_odG^(?Ue!7w()AG@lV;C4C1Xw#F2yAdn*?&AQ<&7ChtUW7mh8FQh3VC-w z-VDT;cFu67`)hh|Bev|@*WN%Pu>3x2b7w%T*N?UBvE6=K&YElV`cE+JHO=@htiIU_ zuGo4J*S?zstv|XiPnoueX9N%?CfBYFcg37ec%Z0WPZNnj_W7uq6qn>6b)I_3^&u4mUwhJJ}yq>V`^X3%cr?qjpUC-q4eS`k=SkE`QiB!tDXJc zu+I{V5{(0&^Kn<#RP~h=j;${F>Z?Z^dlRJ934gauzMqkC8KwY2^% zraUk^+W+Cb>I`!Qw9eu>X(L2tq3_%M&_SkH+i{8pCV75NhFM*fITrbd{B^9?cxL`G z+pE7*e--f6r(D4JR$dVS4{!|?^~f=08}d&bIm633VcIWF-AiA);rY`IKe!*H2P~@w z2Y=;kCaHQaqo>{GPkdJS$^jrK&?vbnf2!IwS}QN}rzm8axuqB^m%!{(!=4O#dO!TT z_Pt4~>gsBOnb4ZD!5g-p_UpU!t1ePd`ig-iD8ACPZ_2b-!VtLW>~Eh~6zpJvtSJAR~N2~e_L`9b*$ zZLj_w{e{3I)&XC62?RX7)mLc1%UuIQwwx^?D!GuBN3v%xJYCA3mqz)MtKntrxxIha z&fMoxXn))35+QM+J8ohrm{fQn;~a=_oDtphkOG6|WYe}5U+Zr|N*5aHm2D`~>wjm4 zGKKB|244HF7lB4({aLah@wAC>O|8)B7eTn@+zIXz-f`)c7N^^klaLI zsc^2P4KSt5yRdjOXOq_OLeFjeptbd89?n?pV<*n z0bStPYNat|DYjy0VtLI6Z(csHlgE)%u=T@M$zi(=+^8ddR6%c2DPzMm@}-A(9=b$_M!e!f_#qjx$$7wWfmE660YmPiOuIJ57YegFM<4?}=~%89VR4*QICYloO3@?ZO> zaBfYADUz^+|Fc^^#N_^N|5Su2s?oeXES+1-xMrrCJ*>Yiz~uhi)($X5g&*6&l|0qg zkmi|ENXs>Wc^IB6*?%c=f>IC9ch}9EN#UqDD4pl3yUmp%4lmituG;l43NI05iC{$y zLzE0rdOzMG4*JAG0v$uNv*pf$jX1Z{66E*YjI9w&eAO|4e8p zve88Sw4!~PUldu2XeC6wQlo~FZP3l8j4XaUPh-YFTP;ht27i{G!jq<>+lNuLo=x)X zwUr=4g^rFRme+`0I2%?~T#NHjoyRSKbu6$Z0(KNodoH-H{*sF$i%#DWSt_pEiop8D zure*;Chxc;umScROhShX)PpLqifmZDLwb!`U%R<4o*=43*>>`DEkbk`r=omly9 zBX*41kM+NYOMk5;f8852V$E_jR_zV!n1e2VkNmaQ-M?CZLn+Ueg*t4(lp@&G{2GNv zlIz3H+38g)F}&SBZFNfJ+H`XEZ4&(JnO{136rYs^Q7y0GZ20%)s}^y^VJ8wq3B>qU z#i*n4RqNoBmN^eH!BFN}jQ6v5{hNAvS{n8;xOH{pM1O^ob3`7S*SSYap5}&UV)Sx< 
zO@0h)7!&Lh4Ko59^UE0lj(`gq0S+U;vFSVBNe8x)-Z_4{@u;qlb*+yWhbK_oOgB{= z_OjEH+>NT7-V~}lJ=}2u#btcfJOr#XFu=*C1nMgt*f3eO+H7FcXG5P1eR@BP0*B9+ z8;#8Dh( zW;S`ZAd`aOS^H5p<}?k@oR0Ttzqg+_X$*7q>-@{{Q9Dy;ZZ~rZ&TQgw3n;WuSm=^$ z?|sGT@G7~mvq0q?b|-0@U9tB!0-Sx(EQfB7-3Qb_Cu49^ZuFH^^Nw% z_k@>>_J+~k@S8{*%`&6Cu`RJBV7TyWz<+adVM<9WJX7lIS4io(S7?+DdGfh%cyZe3 z*LIvK?NDq9>lmS~;xkO??K8uajQEDz^^Ew&{97Zw5k4DzTLMc)d}D>PL$M}r@eS-P zz5(_D*9~#p0!v90o;OXcPB~U=ou-a!cXqp5$xI8dnSB#)T2p*OQ52V$Ah2mH1b=I5 zF|b5<98*|%1T(Nyuy+I4Z)9ORMemFcJPic7_DVo&E!+Seo zIKevnK$&h6q2((UwR|M(9u)`rDIN!UsDJCCbbbMv2iRWWOlY*jNHBqr_91>5oQeNu@5-7|S(@$p z{T0OdUN0Rr506ebp(xJ8jxdgvjsYh`6+ zg0CW$VG#&UftP!1z*$G3VF}PQ#B%QH3;2f4scF_7ZjE= zBcu`&DE5JKLMSZ=J|}}Ml_KHX`k@nV-}HH{%;2hqu6zh42J35uvsR z-`~AFOFygY|ILq&mspLJN`JFB#*A?!psEI^LVRSNoRN8>gYaM|Hc03FTSS-(RtF2MVefF)7Fl{a?C@Yo?Y+e6uTIMU_q?jUziDSsaC^-C*`9e~o<-j8U- z@wh*k;X%p~R)XN;S^{+V%eqCdgHz*B%>Oom>rl7>!^Tnz;Aaxt_^^O?b3A{uwm<(A zD-VsWWV=em5pNghu|a5@h%%h824`>%9SEq zdmsPYRN+x%K!5Ho_V)Anowg#~y2=&AMNO_aiU0$_^Pdz5GNG2KsXcmTq(g;}mRn;f zXa0qr7ef){NNJU#Acq+DQc`;6#Dd_8V|YBMHpcJ6kw5=rHqOpdV4bCAwE}ke=Ei%e zaYkwamznf}5x8O=ojc&VzxBATx z^G&z1bo9}4n)4{E0|oxu6Ml4f_}SRGeSEm;+;;|g@9`#A@8`(j>x#n<1@Y%_reG34 znp4fE6p$7M1CSadl9XUc{?VL;@JBMoQan7RtVQwf!DKuDNLhnN7ZUvWu!2cmP%D=E z?d~uI0)M0Z+(R2omAlnqAJ+b#R=bvZ7&QBhPP6)H(~VZSIl!0?e&tW=&1idrPNxlM z0)OpRd+kBDTVG1Ou_6&s@MJ+xaezDJ2}B-}N@Gx5 zlE8KszZHto&FWLNnX0v$6;V;xX1T)>E7 zfq%Qs!jFK%FzSG`QbKB`wPF5g&S8L~R;x+3s2m4zts{X!5d~_EQ?D4Vm|-w@(o-8N z^>2yc^3aJiH2rRM?_U3V;lTgbm!C$Xt$$%r$&|F<9>+4)9zJJ&m#yU+c{hw>m( zpf`Wp2iLbd@%9mof8*I2;s}fFL@ghMN`EHJTrugu62&UPToW><+{2>#&cspF!c(%6 zGm2R~V?-I-I&~;KD;STlmMc1Y@KZ5@wQjX{81|>Ol&O@If)Z4&?1%U>WcnF>_uQ#m zR*tU^v!~^PrWd&}KTWwZWC%dFA<7Wk!31?GT@#iX?;T^W3Lww;QSCnY{X0@*{C^iD zzGjx<_;UZ_{%>R@L%Es$^CwVQp$Jx{8LuK2P-Vgc)%=yRlIg>iGlv1)pvF+C^mO*H zk^*o_WAOzkiB=0mROaH86%N=kV|YFj)r?2F-)#0U280+85)%~G-L{Rr%2BRtAF^--+sRH-~XL=-JHnW-=Foahn>s9X{OoGe`~#$ z7_O_@FLw9%^q|l?Y0Jk<{cx*P=!LuP%*0NiHZgb(SAGe#znbY>Y&Bj-;g=uCa`yP` 
zWp@~KS9Y4IV5)%f;|`7&-tC6RyVKi;GktSV%=UY`{p#K8GcUCESNoW$#eXCj0`kCc z$&H!b!BR#$ihyet!k{oxQv-{5%Cyvkzs+JDI5{BBf-^kVtgY*~?v;q-g_aAPsJN zDlMg@A@~*hw14k1h~ewA??!VW zi+z3Na8UvSB3!%92D@N!KRhhn?LDMx!ggK{bG7|atEaQwXR_X~sHp=+Dkv448nSS~ zlx4!AU<5ZjOwhrW1QrumOkgntEHZ*eHL+fo7cL%z$Hkq}MX7P4GcWfC=co7Co9>2A zAFnwsT89gXrM9KPN`GW4jEj^=NtwGoYyyl4Fh=@%0*sS7T2M>1GQtxW55oiF<&E56 z+t-h``~Ca=<4L{3%B9ow2F7?}pGyTshP6Sh2+pTXfH48a1Q^3GMlJ;&lJSDYYDKwnbGBpijk^_xMa>J2DyX-RR@+u(;8z=Xz(4TP@w$OK;u29A>Nc`89{dH3~0kV~Nt7B-_ymFebnl z2VW!@Uz6N>KYuzGA(edN`J`34$hEgsYnVw7$m#ZZd%b~ijlzqDQOt!m31LidF~P;~ zxai;dS!e}Ikq}Q@JPD7BkK*+_eOxIVlrx#Dn{0mnxxO23P3`z`(F#2At3W6d&8_~S z^hKY<0 zo4dn~Eo@|8YV43cbklbveR;p?u9-L#Y!gev3&O}$vx}HxIew?X;)vuJMXX^wu)bm9 znb+AfFMm_9ET%aAWqQS0CJA@fP)}w+=f6`J~qz6Jy=> zTOuZE!VQcxu(enMi3ubokoZw1#rT$O(~<$xC(LWlZ!1FO*?O*bx>X+5D_c8QKsJ=w`~c4MXFdZs!ojRp zDVQKiF=0FkU(fl>XGMJueosmnlp~hCzpd=#d-db=;s_USakVxHp&rF8v|Fg@LfqK+T#i=rUCehu~R(p z6x`U^w}CspBKJ|AKRWAZm{LWs4lJ;#;MmICxuevvN@zj=X^f?c@Wq}j<&FSIBgikf z;aZAFD{B^Rg1#Q}Xx=9ao)h+N=HqUaUw@mdSf6CPt1Mmge&Uvn zP+l^Bw{dWD*{&5{nystB@qKz*?SJLgn;sdgX~$vqgd$XMe|l7u6;rFtr$^JD`D``q zXJW4YM7|&S2oqTf)Cj~=Pzq$ij(!b0q7GL?A&^OFr6rSi+umq!S%J=g zIe-;LQeh=5L8Zh5cvFWk%hf0~!QvGI6*qSn=ni5HCVp69C&tGdG&su)!GBtkng;q( z?!eu^U4TFaoL6i@BhS3K(Ab0n#s+}Fsnm*s8w;Vh=S`h-Ff&I9>=nl`Ua{DtRp8~Z zRe>U-KF*O=RdkOY>sZn;PgFYQ=a`OnmCYYsWD^LOz33Ji@NmC?A*;cL=G1MKz!Y(1 zd9tC)@NDRi^$!N@x=Eg1uYdDL54q+IQ;ij8LrOWy!ZI`*7Rq$Jnf2N=6OwBgd{Qo< zL%)U&eJVRki3Rn>Cbj1R+h#^%yA3<36c^YwgJsJ>>ywG=t<1KW=jgt?ZRR<5U*9(K zdAL8dZx-8dV%}x^Z5wBC?QF*lAuG;?7(RYxjdu!BB|I6*bX9Nbf`3<^j*ocnKEMA= zAIdA9YaT#`6mt}~W=pj+uoR|SQm#&92zZue$*x&Kgg##ZqAvZe>bSz$R-w4TyY3`P zS`@ObHmUDF_$E9-xm(7p3@_V>0BH&8cp^g~{Vt4!(4%Bq89czbvVHd51;_UuR{*mU zhQSRlI)CqB4{$D05Py6si$3D_s0gag~nCDh`^Y;35uOy1Y6(>bO=|srhIT*5% z9Bc9UvZ6&oM8M0GvY^B$kycT6=e$o^1fP+HfJ|Uoj`+GqNq=Hk=6Fyr*)dC)(fbR) zPgAN5woV6tB$LocK(rewF#Xa3rkPOjcmwi*fGH>ql2A<^yr!^_g#__H6le$&hA41{ za}H9UgL1V7obUwLa>QC|q|uUV#zdH~$-DuAdbZe0mNRU9EP`9QrDt!+eLdwcpbXd` 
zkw{`?#NC2fn|}^=O>-Wnawwpf0vv&>foBT#o3Tz+(39i_9D|XPQA>#krZ90YwfRpH zY(Xdj4})qV@wn7_ggRVcKfUn-_)@6QNnp8u^~bywW0 z2OO7Ln^*@JGmMklw-h&b`MST0tTP=kKitL#R zW5Y9|Y>~efL?wTmIj(o|dN|CybZ@_l5sk@8Bu2!z1IrK-e+}3JA5Xy>Ba#?{upD!4 zK@hsyy?@QbIjZ+R#*ac4Dkq$$w!#HDL-3;uK@bUe)$^cIDAj+90jH$pr zbQjlqMSgzry4fu^ZqNTd9rcfIhHfGxYp`U z-x9wj{+cO1G@8SS^)oUdcwX&pJ>4jl)8%%zntygxOTqUynvFV|)jwqzceOiVas5WQ z*!=uJzug(XTZUgOf@tZ^&QQDCs5e^0=6S%c7YF@zzS?`cnSOUrbB>DMKZYhcy4pWc6~ z;+@fV&z;I;<@owAds;4NdXYPEqg}0C9)I8{!P#30a7-}hgB{|jE9vE*da;A+0)U$U z`{5Xf!whKmbs8^|B5P(|{slrU?Y|)LHM0~WQW}4xGQ>>(`4g$Q#CDQ~dZx5QXtb-^ zFLw9%^q|l?Y0Jk<{cx*P=&d+XQL2aooQ7iX)G}A;;`h@|)}iXHA(`e@`6u`;jDJ)B znbumWj3yFWAA9WJaP44(Q3?U9M*u9%K$Wt<=?(YU!1+O>qL}`rTq#4#2;MA=VZ=ep z1Mej<b!=KU;nAqYO*G0L5fl7Fk%RJ3!yQ5;Z@Xdwz4ZXxJM|B_sN6h zDVeX5a@0LTJKOL7A@(-F=|9vFEB~U`|R)1St5lWFh zb#IFNXvmJX$&Rfwp7$ZJA2tZ-2|$YAy`5o)OUV@V0!hUB7!I`!ZWTIod5=+0E8tL&a*# zu}46GTRU*`9NZqz9_3=_BU9FbIzV(mj&mxF(tK)QaYjJF4O7LaCP2O5ad}joV{jl( zwDx1$wr$(V#x^(EU^liVwl}tIXJgy8?Tvl+f9t&;-Y?TLQ&Th5r@ChPJbj+uaEYaH zS;~r>$W{bKz;0h5vPDaA!XqDq3t~P(>s^As`0S1ov%EPr2$mM&VdCHd)xma;%f8)2 zDQR!TzHuH*dUCyp4_ha#Fm^|d4NYm)kN3CA&0Hh0y#j}J)0+Gb{b2J;nwHTX%B>pQ z=0|v5q_Xa?Gh{(;p%7T*M2cDAW8?cx7co%EDET|ZoW-%UZ0Lx_0Ret@`wG!2#8rsVaHY9^tjR4&84UZ5R9%4h%wgB9 zHS3R625N&?ZO)HlbJ{vT2Xj36YvTSiqy`b)U12pGV|kp&ORQGUgQnt zdR|s**FXNd$78Xh%iPZ-u9o@1O}IMeFwsw6~L?YD-6#Q{zT|wt7lg6#D7R8K?xT zzwQX>L87!L0{Va~ibPh?Aqd=k5vd|X=%SOdLc6~GJ<#qkItMY&#qp)X8|&-6x;3V1 zZl)ppcYP)%up*6Q>e=c4vdySamVg)h2uc4=zd95moR_l2V9zdBb>2T~GH!1*Kd9Fa zF`=a<>xM#hGvO>YRF<0HS=s0ci<69D9}ng|P06W#X$Tc6a}>;dDV&kqu!txm?kxb|7i^U0Bn?J%b>z!`!%$C9ztZ=* z%u2IaE&w-cXT#Y4`FU{o_n|9pl7iX3$gy_2r&XF(%4%wvZL%*0MpwVF)zX1=Z4F)( zfz)5nAGoFBV=;6_-l{={4^I*0^l;zuJx5aY96py10o^w&!ePb!Cw!XlL`GrZGO|gT zMn#!Qw%!Y%&xRpIwKTp-Okdv>jQ2m89Aab%}3SdpiN6k<-lu{G>pw%|3!`36bab}g z*}d<$0+S~LVsfzRjh{(-M#J5b+X)FVBim%FjRb_ftqK|@dPUAdD|%Ob3rsu40X+#x z`Ka{Y_0R|mbiNOdIgt@v^}-QQGQrBffCHAWW3IJ!&Q{ZsSr1`e$z@}xa9F_7e0aEs zFy#Z3zyViOiZEJjC+Hg)m>B%>NdH*u9x8_j-FNgwV%vc>Sc@Rla?Cp#{4TmTaDTY? 
zfD;@Hh$qQU^4~P?e_o)ML%w{^5N!d$Kuk_PM&aF@Dp`Mt)6u1*4vJf&DegIL03u&_ znszf*s7UQ8BJ%e1}5LQE-rH-S>UjT=!5EJqbILTE` z*5-Fb@a#Wgy-zly@mzS`6~A>W<*mb>Yf-Hhw)lmBqsnS(08!6aJ9??cvw$@K)|`ou zlD^w^=!WyCPm=0`w&U*HVYH2Dg7mD<4I79f#pPZjC1N%+4hU zt4Z7+j%^Eq&z_7J5LQvfph3p`^XWFrg;s;1_BkahSLI_lP$R6=PoG?iiqA1dlS}px zY7-Or!g;Hw+rd@eUQ|v2y)X&TJ{w7aK{qv?R}P{?CdG_ct)h+Hhu&Y02NsEnF73!;S$AO|+c^h@zk%VT?4VE)s;K49_KeJ}dR7$0hg#N>lLhXg7Jie#LL zDAr$mi@l_`ty|~}Xb6+0p|H29^gktu3Sm}A;~dEnX)XAG0&F!h3IniY5(Nd9Vh54a zAz{TJnnfJcK}O_y0n69)J{r2Y-f{6#n!5pSkGv#fE;Ug}9J4*lV34 z$W6WuM>|^|t~nz-gkUkI4WUo5PNDAVHWY~iY>hqkBPYHI$iKrtxyJ@{hYl;JgELpW zFyx84ZzckOw#!#DJo(OL?zXtkDnW8Fq8)6ploeL<;ZfA3o#!GkL;Mw04nAHy#jO?e zsqC&~74d{AdSQl&-yc-ca(@y`BBD1fi{3|7vbZ(c3FTvwh3_&5UKDF_x&MBRTu(4V zC`ia!mBklH&0}-n`vr-zPASkHt-kILU-~tG2_DDE=hjcmuvQLkgB5;kZkD{%4s)q?1Tyo-U1ZxW8!>M3-dX!!95B zDV);DkcFfx;ok|OFQK!l8nJbtHwAu+Lac2YK z873kCM&DiGcRdYOHN%@(tvOm9{kRQvg96xl*%fsK zqqa9>&E6i(DKPX>sM3bVBx+=Q%zpsfEK2^-aRl?iv@6O#X>8@!e-IQ`EXc0XVdBwi zWh9<0q{-hMCHi2(tc^KWWUh?!1gE5Wezc0A(4veA)4W9-fOF;#SsTLlp^<-!q8L&I zJuUHzwM4~54Z4I2AfubG5PSZS=-r`;@t?sF1tUW8gB`(jf@eTWh6d4=4h&GrWh%l5 z@bM$gkM4K{TT%sY`ag$b`0rdKvG>YdQDwL(5i~4A(@mWZ*}F^F6c95J6jE?c>#if~ z-m^rcCwb6*TK&pKwqDdms2JLfUqi2@eNqW@QMG%S#?g~Y6O(^hy2>D9DJCGPP!OP! 
z!|;0(K4e^Fj5^VFOo0ssHP2UP+|7~}D7($6{<}$hPky4#e|5T^c(HC9CD6o)YZ>a$ zS_sRD&M9`sbf6rwq%3NjRJ71%`m9hQd=)1y+3>LVlm6d#Ao_G-fI?M=?( zaOGFrAG*-fe1MzVlE8%)blG~4&?aZ`084+vas98h@U5Mtw1^g-s^#M?SL?OugieVWOzm7^8@bxy>B_QokhV4HgvX6968=es4PGph)#{Yt!IaQ=RD% ztFnd-GnrwGyf1C!c!=8?C8XICk> z@H$WK8C5Rb)4))k1~m&-gBV$9zJ>dD3UuhbDiZM%w4&K^T3iqatf|cqW-U>b#f9fs zP+~*{7cUPOcc5aVVqWv=zjTzq=E-^B!TNZOCwXeYnx6{doY|>I)bF;fX#yJ9c|G`v6P@k(LfqsQRHg(a7ZVP6coHsAg73~2>#U0O~{I=ZG)UqhXs zHb+A`x{;}P1PsZ@9jD6ih%y}?F5Yb5o2HfbLMwmeMltnt@YU$yxbJULQ3HudoWL?i zfcE3C<{+1D$JBJ4oKP(| z9k*80o(u;Ww&J7~GI}fH6%DF6f)KCm|dn~hSiG2c> zEPdYvY@@>Nk@I!wGEa zHr=G~1nW^}giE5$61Y>%3a3pPb7Gs(`-A6V!|%eLhon^fE{+_u`znDmV(MBz+t|20U`($!vYR&J zkj4+*7OhS~B(B0C=qH9Uy!BM5GDG4VyTPAdjnawm4lN=m7%J#*K}XPCbxo;vA$mFi zaTFp4@s15UeHOIa9?C`qTUNJZdH{pWdl0@>zGrp0qMd!?d2UP*JaVW?7@2&;kGc_T zEQsfZI+ODFRg-oAxAe>Hb^j3boXOD7C02R;i(F0pN0>5dM~ErT2oOrD-&gaPXK^O4yF0C^b`6RxZQDJgY2y>D=!FoF zeNi9FwqF8{j+F}aN!kaQh7BWD@pt?4di$9&FnP7EoiRAQpqMID0F(d2v zUIVH4-!05Q70DyU!zH%hC2U51V^(l4hxbzteox!vnszjc-`V_-n(`TQvX&21mC-%< z*XtRpynnr34^XV8NDyPW#?0qLx}>(hYV^{n0E!M~&BUpv&lf}GfbMvwoViRCe&Yz9 zeb@1Y`}F@hN}RJrbpAaI)|i1^J#Bc36A6?PE)1UW?@w=iOM}9#>)&SgjoT}2O5uuf zxR_#-izvDhimw9OI6HYH+P)Trq*U5hT=zR>R zWr;9AwjzeK`AgmZaCJ7_b&Q&{GPQLzr$g3&-BuXv&QpW6pqOrwoH}jlM(6cWpbc4H z4i$n%Pf5?0IC}0zg+s;vN0ka3r-tSFKj~wUG2s7~KKdRyp8iQ6nNLGfL{T(k9pE|g z&esOQCx+C3rAaDLt%|EU^O0qzXV=|UMyq__vSv^q=`=wfm!p(#=!GeaSI-1&@4!`L zhT$8(!4p?t_GCaZG1gxiS>9eW4>JoUK8s}b#+SrNt*xn1kFP(rOqlvIhWC{k9zIBdDH&E&LGwe%qMlwg5u52$U@o4j%cax`;N zm+_x7#}EjdP4VWfOB6}*i89&}sZ}DAw#w-+Y(~yTQKRyN6DLq`y~05N|MGm@b1PwSZU7Q#461?5J_@-cQmd?= zwQ7hA#AqyIV<@5peSXrAwSxrg1ad8rnv4=znR07H7p_uoPkLjoRufOQM8J!mS)6K` zZdd$)>n=9yKvW;!p>`OgigJOh*!?hmreD0oiQ!BT$r`7ef(*M9r6fhi8PjV)i&8Xz zYXX5T9iXriO*G|Pk87n10zSGDV#X~A4kj3AYf1GYRooPynStwT>|{f3)=?EKz>6&c z!=m!70jH!7n#|p}&SnPf9VgJPUu32r5g(?OAA(&Tb~GG9zxSpE>2k+b*%yH2hFAdE zXn(rxoj*wg>>nOgiDtv;niIQ!jhRNQho=UJ4DkwJ#x>uLTjKzPs zZ&UKlBbzcsq;&O-zw3O8fPo#r#A6L?9W2DcqUT6=rn~uRd*+F*82^QbVRepW*1KW- 
z!d_>gmY0%hOl!ZQ65Hovcf;oa@OP9Q@JSbV@>k>>FE)UV+G28huBa%-ZT!M|MFDHKb<<<$@uNdG%2(+k|`NLS$z!kD0)&+C|bUF zSO|QkYeQ;0i;E^6WxE2G$@gDkb9R^-IThsoKjQM`P?6-Ot(6|rNy$rW(B{2~yTzf>!5DOLAr&T7oMU(tswcy~LK$It=Z74gxm*vv= zf#O_ag>lS^$>wxyO8$dMrGa3f>2|2zx$f@y{g|$%LSMk&UOWdpww?to+mds2OP&9H z18%h{%HWOOPF3mjRJoubRkJ0@lc9^owrnh}S-8_Gs8WOCDvZ{ zkRrF|*yE(g^%8Qv(+)RmcBWa)Qa7of;Y!kUygZAQJf#8aRU6R0FDH%QF}y!zA)fMs z!j)H@Uk*$V-u+>#dZxi&QT!7_1PtT}se-Kf6l;y)N@uMZJWzl4eF~wzg`qi2>yRD& z_|sa-rRPYxuje5hB)@aU&vk+OkNmYxB44)y9-lxTuWmG%feisl9|d(eXh8jVo}nOAE+ zeqWtmhv!!(G4VrM;{M0|lE_9CsoM#2sHE9Nlh-Y+BSHEt?=Zm;ib)5N0qS-^l3zwb z<(W50C~l^hQhT!8=}E2u#GBEG|+7ldxgTYw?K6Weld z9nsW&?XZ|IK|--(Te~JJ5xU9uVu6A$q|>ojWC-elGJxd9f^3mC?yW8?GWu4U$qopp zgs0}1k!@)-d%M%y`Nys5`GkfDY;dxCA74c)UZI&)eOZoejZjS4z!LQ3S(_gFTbp#z zz{do%*eNw^P4QP<=(%#a}B&28Y9UZd<+E-Nn0t0jlYLn%cHq0Zb|k$k>RA&vPWd zeVw;|brpE2QAh1U@uArIBu{M$?}bZ*v6KUiw+Gzbt=E5J*fbnV5Ap(LC)RWg>>|8) zzBMH*me`afHk>s?xn(gDu8n0FpLSGrN$!WlUFORF{Jcc=hfSuPQ3QsZ3A0#}?DX1? zJGZQ=S!I(So%0%u_RhT6sj3MnXt`r?X(%xrZNIMB87`9#93K zS#QrsRrA93$k2k_A58vHzjy}aCw?4%?GKQF#>Pp=Ap;L}@u#Wq+0CC{t2JH@^|*mX zei+Y_s8=l#VA}7_{kNUg7!rP*0N&hliCcH?mI`R0^e?kLpa6)oO-E+>hNHkiy(TdrBe~&d?JgF}3vDWBs z$RlOPj#tZgx>XY8kgdH$1 z_||nIf+wQf*l9Br7AYkQb#{V~PO8W}%&o(Aoa($wAfdzcpJA_Xc&NsMfye=%=^YEa zBu5yp6J;a_^jQw}rt!*nQ92M@qJ-9-=HzgOwY;D_ks}Kr^_n|7_H?i&Dio>a;2hMA z#$+^*ze!=yclY()Ww+j7LqTdpj&RUK5R6y_>RM0xFP9UBt>l($YCnw`A+;}*^$73O zg9T-sywT{VV0oItg6}e0Q`UgL)UaOuuzv0#lzYWTSKRRmVB`w&s;NKl?2q!g#Byl? 
zAA1h8j|#)$B!TYknxhCU$8|_YBDNTGiU)CQQZ3!&u)3JqEB2 zbx}%HXQa!e81_L5Q)Z=ujdUJ0hPv=WrxxGL(XZ9dG8Q%c0*@?)-zES83F3xx!|3ZT z6{;@}J^r!(pkL5>WOsG|2aWO#gMFOxo>a*<>e!ZHol7DtX6sE8?8A*-LzmaiQ`HR> zDy??T<&y7K1S(W3;20_dYiom!l;cTThBc@#P9m9Uc;8Gln+%1AFyg4&M59KzWBjay|aBAp+nEKe%dc;@`syc)yPmL)mG$u8h1&%dYPwkzWFlczPo3sMWx zuxC`IOsp7Gooj4thLT!i4IVcBN8C&60kG2MO&t)y@Bw5^ZseNkS;nTj%q8fE93zXX zh|#EZfm_wQelEcrnHVU~gr0}@ysmBn7hmKw-HP`i@tU;Oss*&BP@>9@n(98(`%4GR z{ZgFtW4+?g9ZJPiE>-F$VY#&kB&y){^Tjc^_THFhJVvwL-^(-wK&d7qoTZ!GRe-#`;M~s2zTRp)pDS8* zN4@M7*wvbiR9#%&Z*HA5A6=qrIZ>P@e2lbUu;MC*~$v zPx*0tP^nXOrBSv%LcQdVB=Gb}Ef#tj0UR2G33bis!m%Ce!h-3;q*92$gXQ?>;HSdO z%vy4|2QrI=(q__xpZZDiK!X$rVH%|=WfN(n2IPG*&WMt?3-HW3y*(veO??SDpM7Eb zK@+yHK0|Q8yk1Rj?bSNZysux=@)6L~pZ-2>AH3EwhA!w`Y(1a*PPr;R3RWSo0bFCZ zWD*)z*A|4atw)kh3wgdcyn{cdbt_I=vGt)>&()GsznZ<>7^F! zq1u1DCo7_8m7z@*W4kG?>t>pZ24c|LLnr$@xOJ409v5~N6u7VGhHWc(P=Qmof$%^D ztWw`m?<{_hm$@rgA;=WPen+DK^xcmgtm^QlP4uWZWd`vI$<|n{rm?$^#h{1u)_H-6 z7-zQ=4ah0$(*$?9q%p)fOU2Xg6Kzc_o7d<0w7z1WzHF3zIlms;UrS&DNB2K{V2KLYKgW9wZ_gf|CoZY~WPRR^-n@)b zZl~XN-+Qu^xR|7+GZgMr!fA227u03`oi;*uYM{1NU5szc{Ceoz9)0=MK>crqYw{zv z{HzS3ZiNUR0f`3z^b)A^n(bv*v&-2Q+Kz&639a|&c4LvfF7B!vI9g-XI)f>nh__Nh z(_(7&>N6fJy0uH~`KJ0p4nt+~k#k003#&qW4`B6hb0A&a9G; z_>KYE<~IcTI*%T>^~oyZT~cWf)?=yHxSyYeu~yn7QF2zU3`;aT)Z}9Pt-&^?i)ySl zKftQREg!94yByaT1pd*lJ4z*AR4H?$e=(!w7O-m+L=WZejcq-L98)q+9GI9q69ypQQrmX@!&fG zS@Qd>%QiGhRuYDd2s8csG7Q8TDSNfz)xzl(? 
zu|EIW0>y3nHP<=soh&oLRgfjIsz!|9)825(Dc}SQL5qzkan;BW za-a@NHWD9@6Bb`3*#{dEU2WYuPgL#B?wp^jf$Ia5a1}iv+S<-xy>O-E%d`{?zbdew zn8p<#dXOu0J@^|_bUou&Pvn@!gMoKLEK3+FJ6*oEq87nt;tzp(i9eBRlqx#0tdX_sHSXLqA*lfSsdXRLY`Of^{_f0sFbu0BK5Z58J0; z0MHrzq@3+-a$Lqg_|xH%0vutw2wGG8Zr5W5b-Ex4YNI9aQ;2WZv4^ys^5^Z5R!>LK zBWbl|0CgHxe@F>Rm8+Pg*hx9N>apr8PdkwdPM+b=nb;mJQ2$%j1^m%!bbn&N;-&2}w%!psjMh?mo-iSkCxqG)^ZiaFgRE&|(1Ilx9k zw_?s$Ey=amzgNsa-A@uVu_In(wlknVVe1m9!uI9Hp80f(#&vDW#>cJ(#P}O4ORFDC zB0524`|Yr~?h0730;{M=+Mgx*{|2}xq-M!~1N;xvS>w2zg7rKUQS}X@Y{qJ2Om*9O z;IV6wPb+YY<&c9o+!RUmO6Lq1sFgtefSb`s<>C`@O!`bM=FVE`K-AQuoj`@H&Z;d_ zhUc;MjK9N%MDXTT8c!_x@ZQ-a-9aRcOaG?7y~%Z6sM9I)&mN-rSiIWZ5cglS3)g&> zoup1|64%md-tUJ5C7}DEL@N7=<=dI93kwQ{{$iXn{@NhtaOGfOHvv5TS!s{h-jl*o zce|~QiNLDicq*eZ0_dZ>>~{)QJM2-=ci64PC~7U6NtWT}A3{cE(AAA#K#9wqw+rj0 z|C-V96G!`?jr0~v;9wO)lcs>&6Db@vH6TBJ?%JIk{D#pVIcjPR(mIgrg`uv?1l~3; z4t|7I-GO*MzV_1ZbemV=U+L$8y)JJa>!^xkw`9(6uoakU0$K@5q|!2A z&(t6Xr3t;z65PQ&as-o2Si0!Zkav7N!~jK6)7Q}s zOL_P0eD08G%YAD)sCofP*>^oysDcwYgs};giNxH* zQbvbPRb`eAA9Gi!{ee9alk~d9B$(X8bGvCI(F<6^ZJ-}4A`wUx4?1m3Lgt>Up$jB# zd_tXq$(QF#2)sNioxDDLLxYjKhbKo@pQ$kk$cWdFq1;VY=QZf^C(A45{jvRIz;}OS8n(ELh@$w7dRLEa{PI^Qn%3 zsP=y-?Z~iY9jk)iLHi^GV++Py*cdl+ZSczBJI?|LFrg;rHhC2Y0n9(u>uyQ(JxUbD zSv_48*>b1XgkY)R-(_oO9K(~_t>Q9Fr0K<};__imQk7b*S%(nSK?6;4O+sO_+htm; z1U=lo^vk2xx$j-SI35H+A3pGfIrg3&miaxsPjU>3q=u>Yhpp?}_%2036^+`8g3gt0$}XN~`r zhZETL6rX=ATw%6qAB17T((|ySv6VV_r9F;7k`laExO0_Cd$~OS;*y7zHu@SoQ;Aop z+8KfC6;|f(f$XOK?L!7td)^pT zn+<84j^y-$?vIi(pXFAvje_d9VD{{X{^9p~ch}o0A21Nc-*ywMm72lLFNNsu5Rf)( zjS6Wluv=SiSxo*(e*Xo(${#w*-ahbGrF;?(rt|k*&tMQeu8jBxTcNsGqLGuvI3UHX zy!#T3C5~p8OxGwDxyJJK<-48d zi~amXRt!5gIeZCmLH$GNdu%p6$JZmigae2@4E~MdZ33}ZKagiF=KtG?}pW#nTc@GLW7+BE$Kd=qs+o@A>6Uo~-zFc;rj{Lm?ECJ_XMw3(G4tQ7!LmvW|KF@3uL-V7 z!?L?f>>CTx#9ACivOp5i>xB!f?yNz;Men59gV5aqUv(zs?P#m|MwuEq7TZwp%-qHEQ?*m3Z`>Ia}s|QZ08xcUMTN|d{r~gti;F2F` z2v5n@`R&9iMjc-|)bvJU=TEgn1+HHO#9KwuoTEy9a1uoGu(nRQu*_g`V*cL3 z0o&P3`nJ+5f)QoKaUEAJ6FCo(^7s!@4QKH$`9A|ygbM9}%80KWYk6+cPs1FYsIhrhzz1}{l_bF(Vi-5- 
zABErH<@a#I@si~25ldE)h6j znzBA7e{HUxZQC{XN? zZF^gl?7ezeyz=t;D!gs%@Y3E+;P)=6Z=1;%S?}?^FKLSSWLCj=e=)P|A$1cw%qPKy z6o29s296W~H!6DtqBe|xG?-SrsiLKoM28i=USt2rvC(ILe0j{?I*a+1Ya)(!PO#b7uMbTobG2#faEjc=@%0=(sj$&WlI9x*n>q~hlY^B zjOIV(f4ZdGm9J#_vVFJ)gfM(`e`SN&7Z1220ZUx73~pbE=@vL!BoU z?pS4)HhH|DZ-42HSt=Nkcs?tFUD-5wMy%+fJ~BY6M5T3mofEmpx^1AMYH0LM&7n>b z)OZ~KStYmxQQ&a2A^*!=TiYqsKR)j}u%nN8P;Pv%>7mVYwV5`<+4gEBA4unDh64W& ztS8Vbf0?oLx@7b9cPvfJq&=S~0&?>DNQmVE4E(wxPm3Z^8N#4wvv8etZC-UUZ`KIbZ@q0@X3#S%XSClbj)LF~m=gp`kgQAZHJRw0L0$lg`xS^vC;vO;ssi4`)+UQNjQBThj*iQxMWFX*T?`Y0 z9ist(;Bs(9l^^;RQGLarCZr#ubgeN#9DD|So9=Tgv^8%qUoEYZPTY9F?pvm`_55}g ztRXsilc#2i>|Kin|L7i7Wd~C^{$wSG`17IX&-A2@ycx!*J z82E-*a-&+P*~@POK07FO@22>w?vPGn)#PdwU9M=I;$q~>K#)VDv5P$Xu)KJtfK>J` zmfYnL!H7af&-#uEFR68lV7N1I+rDKo? zVgnw`xPcROtP2dCfEwmQ7$gW@j?|*?PFZhOVPuIC z`h6MSsdJ=KM)2YkY5UCO=h~a+i%+vpc~>4J5s6R_Bgju28W+sb*xnlO$<8`W@x08y2(X!{s}z$M&4f z_u(moIfVULVqh@dczEm8U1mL%#I3}$v2XKjYH4cxNW~y6-DY)egFO8Ploet06h?k+ zw>W!4ExrgeEg|6Ev{cCJC;;VCzSp{zK67`gB6Vrd9teZFh=H{eDRe0n|M-DKg3htB zS{R(<(zqA>y! 
z%Std#1wOi9QcM|c2A~=f66o(9T)J+e@P5tEvR146pT?F7gM(HS?eS($f=u%erfTEG z92D&vpXPaoAPcbfu4*o}OZ82zU?nw|Y~Q`J zqp?}t<953G`thZKo$a9G4eEhn%(xdSEI z0vyMi{=!d&INpSLx&4L8TOL_T#dXEW)?PRaR^D2D4oAR8&&>N*&-^e+Soi4NS)`Z~ z`?LiAH2&ibnUKn_W@x!(jb*5yqaT#dI6?#ymawRcd5#e?-Z2k1njMpis#B&OWCG@> zh@j*mIMrX%Q28ojJbu4BltA{)?4~_F3t%O+r#Pept45>V)v?w_0Pyrgy3z=_H0>1W zYBnDi=RDe){(An3d3^S;Yp!*WMs_Q%&1(xHi8u6u(k<4ZV2tOBbfkk=%%rdR9mw1v z`SsCWXlJ5L(#egqGiiypP4hiyT@s)}mo4$qFEmH{(3*o3mrbKR4OoAgUfC+i0*q>( zBbS(8?#}@xBE71sFDT(G$<#wRizNM2%hx=<)c79yY=p&uLDi5+*afLWO&71H%l4tO z*+UJbUmaYBW-e2|j94I5cgjZKLw*=Y{1W*KX$+U1;9GWR_g8j~qj@@Oh|}GM_ZX?3 zxzK6|?<-eM@->Ga)<}E*>rU$HH!yT1ZYyAVfs`#@I#WAUTW4q9^6+igvnudwrmpT7L3L6G|CHqFmvL)dA#u-i;tP@VbaY;Bf>|akqv#*g z0e_-0LHmFycF8r4knZV)bET?bv4+KvLyoT+cqc|@UFNE(nn#0@@T#x<5FqEnvx^X_ zP$mep7XlL3;N8lGk{>Cv(%=dU|GetVtGnfAbEHzSZ-dY=k6+C%aAd%?R;8$JmW`qq z42pIqcPjIdjJJn}5aGtp>6&I{oY9SoY1(z*nBFhMZ4WwD6B`ox5z1H7Pd~@SvnuDu z%P8>G?j>+~;6S=?Ip|I$4qOg)O>}VhSJwP$IA6OH-Sww0VPWBv0%s=;ORC$U|YLAJg?2M~G($7OpV+hS?^ z`o?^IY~W;IO0~Vt2>!Q@YZZjrvH= zyfcR)*soTli#058Jit>^otOx>za#rw(qhu#8QbM?ig+{5v@riXW&PX>Wh8Vlc%OoCr<~H zA=m2A{^um=l34L1gNBj9M_RP>m?7np7tN-e4~Lg;VnqElsoB7)W&%x*&~A z+yV`KIDL|&{R!*PPPwMEg1<=tq6r>ZSY2D#^*X#3#ydXrTaQ;6=Qd5cNUrc;uHjzh zP{hnpSM{Sew!ql*7sw9nS(JHU%wRk0pE|cSWZ$Q~-CPZx3jzU-*N=9pj9*7vvHMw1 zd^1Fu(>Q}cPNSF1N1#`hpi^`73r>yWvsX2e{M8)={R~9#Zv3meSB}>gVZ;K0*ZKxM z0!Uk0k(j>SC-$M6y+taTa(3ROFiu3fF`n}}UgJweje z3iHr*)61jFrIvBM!G^4l$OgrSF^q+denK~YE`6L4jl8C3um~m2aWL^fTpHT3a4RL# zET;0sl{;8-80WGz*l$5W4-01sKLY)kfJc8@Q%z83icO}LA&RN zaOg|_dIZg~mJ80UmF#Yq6?nTXckoy(jB81s;{z?9`SHv^Jua7e-{%8!IgC?nV1n_rZXIbs$J7ox|Dfw9#89`AEh9IF7O_9_T_pz zYz!n3zvXTmZ-@p10> z6H_jN&=`*sYd0P;>)6k-yhH;b)}3sc7Y<0VBL3&m?BzeAcHOH<{l%5(u}ngN*Dv|lY%!uu9~7lBP5jd z>PSTzTCg-Z->ewHC>dGz1*LrNQH6PKcM-!DhdknxVsjHg>*;NG7Z0{FEeYs9*O75H zrY`a5HpakZ5Xbq+dxInCLej5O!{)aK{n01vr%Ou}i708$ci9kpt4ViCix1{1yI-vE zhvSV!Rhe#vUO7vKA49-GAX#+%*Ee|@gPJIAHGyxb{4mv6>R@R^GW6aT9JQ(?ZI}}$ zWv;p=9cg`N97KiO-x25{SFr&hM9jif4{H}(oj6(<#6Uf^Ql3T~qEQ^RL(ow?alAhG 
znMnjV$9KX^f)hC6rSh`r%0QnN7&IH``tw?XGNhR;h79|t&OQxoU0Jv|@6ga>llQ-& zqkFFVU?+wzyO?Qt==LEs@QnVz=R^FWcbp@VTNMAuPX_w!91^33FI@nQ`6IgMXm03q za@_N&^iAj*`c?T3A|hL=Uo1bgSks%}q#vrY&|3jC13Bq>DmjrlqDR@r-*0VkS4R|i zUv<**2K#eCbg(`%<+$U0ACjTKFhj%}N}|D76qTVNu-AJ^HA8&nPM#?pReVU39qK|{ zf*^oHOy}$y^RBMT>;C{>K%l?Ce{{G&5Tk)8Ff@;rMdyAyP*^J|04yDGrPKvwzz6-l zfc0R0LdpnT6$(}jM+PP&olReF&{RNCbLxR#GGfZ>qc9@OT)@#ui#so-yn#BPq39fx z4jx!&ZKr&~V*^rC9!?OS5JVUqS77R-w*JI|_ym?zH1J+ZKD?lykxO`*e+&!&RMV%g z2V~Zkpx03pSDVOk+E8D8I%=@sQCUtX@W3F7BzA}JimS+aSc_WS5jmpvR~gphl+{XZ zjHYM!;iGL>i>2|ta4Vol5H(rs0e1(EMp#SCFtVJM+8d}6jq&8>_Hoew9 zi&|tfMUo)T(2`8c5kr9@z+w=A8BSNC^_tY|Re+h}t7@IDUWY%9e~TkFB#goe(1SdK znECO%3aAk!Ol%8}`UKtiibwUG*OQai-u_kn?%fo&ugq+_^DTZ_MN-9Q23}3agc5$1 z0`E*fXNPJOKC7Uh_L*=#El>8O-@Os8yRo)++_+wPKV}c>=bfBbFCeid0JapRV9IO5 zZMxf;_Tytib6AgNfB9+ZX9*6+GsKg}gwNrxJUprM^jig&mSMT^aXBzmqXdlIfrHtp z1Hc~Usv!ji?R3+_hU24hDv(YyP;;;|NFbXUH5?l}C-N=@!_A;$2i)2W7ndB6(*Xz} zE*ZkiS=`msgY5Bl4n!30h&p)Db!YghV?*b_PLhs;3*lIoZiLozjCC8X-NFhBBHghGzpjQU{KS$EIj<(Kmk@&z0(h zX)q#%tUVuI&Vy$g&@=zLF+qkc3At*xqcMwyCO(Ika{-txIHG}6fSk#2)OckY=Z4d50}7by5%^mllqK8pJAskGwtO~z8)T}w^R`6 zNzRFAr~(22ztP+PqqSn`v3f!;JO_vU%716vMApM~f8+K+6;QE(&SDodZpKq}sU$@| zv{?oTQNn;4vOz-BWC{bHwsfoDl8q-`IN`@fSmif=JUw^K!Jj&4K#Dr0AMT~*u5k~S zs;z;b6fRYtrlziO30u@KdA!A>-s{xdwGTPYC8&f*T`o0w4SxlgWE^GYq~dE@?wVnM z8VV;0e?q3T)zWg;tN>7ZPutX`V}Dxinxy_Vp2n=uLz-%}h0I-ZKKj#7HE#g!2D?4B zPu&E~_N(33<7a-*ecpJxI4p1Oo%3F0wsV`mp$^PoYf#574*Czm5UB(69{Z5dkVXS_ zGJR7MC7dp)Q8f?4(v-RO1jV=`uzP7XKj ztCwd_PtWJ};G(mkO1W5{3$YGCOmjgAui@Nz^vsCHi$fwo9&rK6k-^!GSxyp5q}8Y# z(zBmm4L+7T?0jmeH0*{I^rI(S0tCZBq=$(G>=d31gck~pho%+N3u=^FOL@pgPLT+n ze<2M{LOU6VWg2<}2=K#Kr>RkuC#KFNe*Xv7(-dTPTG2^>_a>4XHaJNE#UgJFf0w=- zge|1z|Fd^xUCATS_7|B|^YG{d&f|oPCCUET;EpGnh+7rI{fYSy;^df6aDYQPfB86_d3QpKybDMcP9gnH1vFU_3ng z)neYThccMAI`&!<>miju-=LKUIJ46{XzWD_(m>V|aR52E9CLAw%yXipEwFMlBYt?k1-Qa%*GI1 zq?c>y4$&$+h*t_xVB%1~Mn%XG5_@Di#utS`N1cer(RuO2$F&p$sWza_cDkz}g^g&1 
zr4`L!U7?|!0%lKkoJb}Q$iV|%G~#L4{bbyT>JB`+VZSg4T?ojDk&=4Cc~p%V59^+J@N}|zzq@_7)xf{AY?`t43cUS379-Y zNDv+gKm(Mzp%YDc+IV`gOe^jkRsrp_ zskTFBmpMk-{Kbe;+a$0;{@p|O>#Qpt*ZZ^61 zQ0Pam12so1e>>8K<%kbSm;iiG6)<2a$k9=wWm8c%|}=>|n_6 zB_3qRpFt^*Fh0>gjpj8SR|sLOJPYXcjLSIaMVLQDzcz7$9E0i+K(fFK%d_v$M)9B~ zgzm_*6oL;f_zl}X9!{s-q5jKs$ODmtN}u*}98QOJe@hj~UrMF3=4x;A{OWxBoNw*t zo(`dEpLs@%N02u&)Kq69G`BE>76sF@N*78TYg9{-8>5X%pK9fumYO^obgybRM20ZD zPYrxfaG}q|=7tL;9PGp^4{(Ii_t6ZNn{&|P3^g)+8g2cccM=YIZSUneyT84D+R63FFZ75-59jKd5M97D1$--E)Djebxc$o zf5ANA`-iXo~Zj0r^1*^#}(Q1XMo`rpZu!U};lXM^;@a=o1Gt;}~=U zc`2R32++ZZ;{r4r$zenSQ78@V(V%K5$F#DXIf;%znOG5#OAR3|jih>Zy8^>WAV*Co zZY}D(l0Vu*1Byw>IiwZ?CN+$|Lqz4df0Ss=Fv579T{V;O5HTfLTZFNp5W=$+>oQ(5 zk09fLc0XdRI-rdwso{`BmP~W__l7J2zr-<_bV)fEx+A(-@)hYrVhKT2pm=8FSu)Pz zM#!OOhW0Rryq9nR;+_kCUn}8E+|0*R@+}aDw?cUOdvRw_wiobs=b=$X8RZg%f6e&V z$09aFr69Q-pc0dDk2o9-Spx^rRj&es^fI0!9bk|C4y175%J3iwk@0UE6$Q#lq!;OL zBHcJylh9uo5Y$KsjHiOc)xR@9O7z*zWaAKL$m^tfNjKqMl7H&3RegB3^02tKT-sB9 zp|RNej+c}iN;g9#Q_a4;qV&W^3i4^>+7h zDyoHtls^v%x}oR@LB*>>eNg~Hj@(HzS@0X{i3olWGz|!M9ZxoZPkTWVf1x@Hec_&Y za)Po2dB^_XDKFvO~=KT;O4jAyoP!n^hGsyQ*Z8=y-8%RugSxP>0_cG660o2)D85Irw}#a3 z0CYf>UVy_ zhnMFL_6XiFFo2~?T{XjTugW*NjmMVWb=}teOMS7Xe;%IRbB}xGj{v5Efa1RrDHvi= z!=N|pJtjeqYsklV(KjT#K)uh!<_7gfZiQ)FJ~0Df)4V)ys0S_yed1KmyAKDwz3N3{ z;jm{~`+U2(*1hv3abR-~dXCsHva~|mKH4^iut)x=MPpF`dj;$juovL$VSuNTCcSjM zH39COfAWKi=L+xatS|3el&;#h=IT24xCaG%Nd8)7g;ojO766|U9BRIVT6A7#0(>IU z7$oaCGngrv&T%z4qnycjypLdg2>f>>w~6J#T!DJ?i+Yn5aK;Lrw1Xj-t{M3*gD{1W zvh)pT&q3-WJAWM+;XOj|5D-@h)Z`I^Y6mx{e>FqsFGQDwD3nE#19E19CxW*EQe&D4 zh@k~!ig<(}Y6w+&jgi6$!GeizParl5$45#HLBd3TeDYajFE`>4$IAuW48c$=k3er! 
z@?>@3r0;V4!&>-!T1f6-ws6S1q`w=-^|@z|kWH-j=Vktx17-q-7LMO+liwhn2ICx) ze>e)UY$_irhn(<*=D}+F(KCCc#`v^;sqH?i-43_f>l>}-{Uv9&ZhEp+-F}w6%l3NC zdoSpeMR8WoI~DiV3|j4YxEM#O32MDoo1f|n=w+u@R?`>@MmxgpN`}ha)S6X#>_#KerXmgR7bq0;2jfc~ZrOo3OyDRrT%1i8Yd#wPu`2e}Wir2}JW#mTt z=6b*Fk8$pxG@0H=@E8tNjgQ^yf67C1r&QZr*zCS-K2|%;yPQLn@FFr^TNHv~g4D3g z_jElnrx(>~TB=M&7+H#-np7BRo02NaW}ZrO`XQOk1P3qID@XR@u5(qoE-#t-YIFJO zut2LhM5~FxW%NFq!E*B;hB7W9$AyZ8-%@?Jr*L5GU0hskSDL-r&BtEpf7G^a+tuc` z`h0&C7@@B#MJzoH3F4#|=Ocwst|9akqEA(Bx@ssYvWyuaAYZPH?n`O*iJ^=lv!Adi zj5M*ZZ-I;dU0hrkxmBic`NGg9o6M>F+2#2|M&>cG-pSMuUN;;W->(kWwqI%&y0*S@ zdbm-2YL^ebRYw1->{dp`e@Jv7DZ~4wQG6kz;2vto7@+%OalBE;h|x|MJAu+DPxthN z34JvN^bw{%aSJ&HC5Gzgxv>V_Oqn7G1vJhvG)@SlEYi|)G;eZloKP&;=EfljtQ3Yc z(*8C9t$i5luAoK+LWOeuxU0_=Jn&>D{csxOHV&iN(ew@FF4&tmiEXtA6ZviG@tfX zyWQ^Heyy}$So!&|@TlYf(0b~QI3_hoPjko)|n0J-mi9Qgp4A)8)xf7J^IIbJ#{cVD*3?b4Rr zt6!aWI~QAL^9^#b>@Ylfi!m-g751KWK>{XHX9sK=_WDe9%rdX=oyNmbO&yhwY=Ls~ zfpY)PD-!64k|k&9dAHYasH$9^e;l&K_nqEL!<8DhC+=2l<{YXr3KFL6klwFFiW0ll=4iZ>lwUF(AT?C+Ly~a zOQj2Mb{98FjkSXlmU~>xs7C;7LS&6$Y`Y&VUX_D-1jjHfBXa<0fr@jCibXlX@V95? 
zFB(PA&?m0gkBjf&xOjc?bb7Q~+unNJ*m!+@+m^crf3>Te<6>qtf`}9ZUWop4Dc!7a zaVpga7#!_rt7i`DE0A%Hk+G;o$Z<7-;?B~?0lEKy%Zp-!{1zi%!#S-S&y_;LQ{&?K zk4a0h^@@)vJygn#9KQ4sZtP!{9zGx8bcPL6* zsp(ds5I)3%EZ0t2ojId&<>m6jwM%-ne7y0z;WjH=)}Fp)&Hv|X(Z3t<6IcHCcZ~el zGcn5b9djInBR;ItUEeaBAXK{9dfQvwTfW-ve^tD_sW0n_=;Zx0DB5BMGxNy%)l3W( z==ew?93Tvx3$I3pN{#WCS7z*CXg~D7ny+X8r1|tpNC|uwX2?gxs;r>XiZ(3Rw6q zERerNgi30c>Mn?IT(E~{mcPEeR-Zoh&KBE#V|lH0Iq$fjBjIE`2SpmAN9$7jDlVWT zg_$0E;ldv^+9!u^;qrw#ox?7EXXLHz=lC) z{YUm+MFqMc&P;X+u|S0a6~2uM%1a?kY86&lg@eNFrM0$mwo$pN+3KP`JC!?Ud9OB* zQbyKG3<^UFko-E6e?h@T7W&MdJ`-Gxj%*x~}CBpXie=9;8 z<&^AGWB%e4bUguBR{7P=dV713*Ebp`hQGJ3Z_f2md%r-5c|nO08|CL$4{fll)!6i| z{td53VxX++8zZZ0MUasp$qH@zYT3lQ>x#-H=Bb<&nW~V8l7b#;BWaOcE zWhKWz$GF*XhB>ai zl37xn1u_)K@B?JPKyK+%s}IUH92r*L?XecN{(P|5^qU`dP4Q5z=N=ixf4dAmvNCS5 zgI8sI;>KnM43Y`M1v#+9lG*U6V9trHfy!oORtjMF4*^4BQ_LP1p!j7JG49kDstZSk zaz`9CS#_;-u5KG`rk-VerIveS$nY8R2@Qgw#9n33Fesp*fQIiwgV!iH^{JirWgm_V zw){}LDD`f|eq-ZfoKk5s zXp_KzdPQR-FSx{i7#9{sZ;izDGxHgwpg-$fs=QixF&r6A_FTF7Ag&K?9?Q=w)ynm5 zWpmzX06T85L0vBfI zFeqz;c1)*IiIoXTe>j(F`{!@A)Z1HV-PiY?c=>p#n|okDVuHAo+UI>w{e}IBACav{~)A#zc7{2tfJO&PBVa55)^+wM%myTM;Z|B}U z-1Hjvj|EoD2Ud*UD^s|9c#~zV$EJAsw1BR^J8~H4nAav9f9JL)X#WZ@ zdh1+2=zU(#{Y)-qBg>W7(ki8fVNOO;d-})FcZ?XFW%-$osf--`eJPc3WOOtk)-cxL zJIZr}N;K1=uYUG3j>1HoN6w0)Y(8~QDtFc0%K1}wxl8|1U#Z>oBVG6C`nvOSxZYb_ zG4=b4y+*yWe|%dYT`rIgDkch%6lJxi7j646dP0zhE6Ada#VO5zYPiAFhD$-Zson^5?U@|aP zDQYi8+cZEv&*il+9OgS~erw+gYbE$j zYxVI&uh?#Hh1VW8o-XI-Zf_@^@5n$H2o8t>6Ef1D<5!c{og^tU+l0R3l#oma50jw> zC=V#R1Q6QXL*?3o?CHuvzuT*}Zx**V@9R5Hvm~Cd0RrCklh&U^0=~eL9H1Y6w_YMY zxIHiDP8)3VzI}7EQ@ed=T&;Jf!o@R+DGDizL_yQAdb!rHuMFxZ*r?rZvZ|N6AS|B_ zFqHTqCsHEX^c4^iz?`J~12y2@!EP8rfc&K4nSb}!_;+9q&QT{WtB5Re6~lT0A4lNK zLA?#W0lr&+*;#7lYr!ArDvgzY$stLQL3KIVQ80#l9|}5VDB#G2w1k-hg{jHp+K@3g z$b~CHjyWg8YOI8Evq-7`_g4^}YK-f!00YmD&S5~9SSzH5nubSTHZdS+q@uGyszwY; zk~^Xb7_l(w`if_qje&lJn#o9K9Src>QD~6?0bg2M@};nuCf=|^25^gi9M(=zoo>#H z_&<;rx~amb291cD_3%?n+cSKO7dH969%us0HpGP}3hicWJRKMg%LzgvAvCU#17ztw 
z7sg`*-de`@*aWcblK6vti_H}nka8pV369014QAvV-?-WoyuoTi2xVdyrt`fr;6Bg#CGf!Sbs-gaLcUgu>LsXd2 zBnHH5dRh+nT88KEG1!@BM;lNIRoZs4xn3dMUv2iBiGg1*C)eu!Qnr=i!AYc$4rfIY6+`-deC9 z3(Ce-B>OTPkB9kxSMVwYWvPMZ6*#{mV537+Y_OFHVPOF^x1_)ou|lx@Txo&oDrh_O ziPH3ZJX{kt5dl&O(i&zMs87kf7dR1&OtRG4z*Z9Q*>T-0l%EHy1Jww~vjPsKdJc`^ zp2Pk9`NPjff9~dTcU5hlG#>2*JN}C2kW8)nR?h+6BbWt$EF_$1?gvV=nZP>`1t219 zfXhA`Dvt&S_b}9QMUiAWA8s3WLsr2!P`r{)P7h9%7&+oFToIHuoa3 zy1!ZJtzF2*#@zMl-H*eYUjIbQe1|FY9VjpZWTlWaEPH{Bh7q3*$Vz*N9=HTZOeAZI z{)j+2qd_!(1Q<4bsQ{h|6*m7MsMFGj_;3k%A8oiIeioxPL6RaND(UBY65o{T}DU3mWqHmt zEP=rbYP~knXw%Scc?d>(x|hy)dJ~n+;t<_B|9Rax;D<|%%JH+Sx0G94?MysGL$D}w zTawp*6fN`j*@m8)DskF+A8qCN4eT1zP*4DBIc8+aEqwv+Q-NsU9|KijDZzPdDT7Pp zwpZyqR92eR+td46v$4O}XdRf{Yd1sbDMV=!3Q4ICpjp;BlOGfr_3^++Po0R3@pOQ$ z5+|qO*&^6A5LW8~H*2yb|Lxc4hmAMRrC;$7;uyGH1d)?$`5VcmCS!6CA`otzMmX2_gR7#vXR=V&Ks~Z#S<#zRhW>W*p?|&Axqo|+{@p_-x)z<qlomgd66Sb#V}&UOof+h?obLAvpI2aJbM4&8Yt}no*?2v^ zxnuUQaS+wx-v*A~0tbH+g{3opR;`_bfEuf{=lO@|B4nXhWXVAZy&X8S9p`w$1rEZ@ z1RcUEoqtUD8%LXl*n`W?34|jHAKaza`PnUw+2>yLPVWx)R> zfi!fd)M_PJB-!T|N%bJ9N;wFL7K&$+)X}m66&>tFP&*~^ko}c+(DqJ$8|#h8iw@5~ zdx}B3k|_pbczp2FayDeN$0rULg`n=~TBQbM_lg7K#-ZrgmzAxSIojS^Zm_$m>g-KB zFv5g##VCu@bMNgW17ld-Qu^F%=@~H2fN=(l1%Qzfl-=&K!Sy7Yq+yoX7}s-^T22+sZEO9G66GSoB`tu7z+U7TTLOE ze!cFXI4~X`*V?_SIi+^y)^7R>XPa7f=cgSQ#~c3qR$%1ZTkmylH{%&F&VX?Sj0J#E zN-h)?v`PcU!{Werc2wV6TsZBWy}aHm9IPG4=KkKrqyr=K0klwmNy<(J^4a9M&=kcO zsSXxrTFiosGi010<2aBJR6{cDM0$$QQE_N&UNywB=pO8LUlyM_i^pwtJU8JDp!1<| znxc%tFi(XYXUI51#u+lc{pCo8hR@O>G#%6J3yt?l#?6xZlubs!sUQ2bhk8JH> z+L3XJ!i<7hPxY#Q*o-vJpm7F`;~aaM;}iuN1(hMe%jnq=%nTZ5&{!NAP4aI){b|jVb}}6r+r^=Ay}y2XyjO2tJU(4) zKKFNLty7VdIbk~V>izbVqlO`tiqRQXGP;{Ujm8upn9wVyQ(wU^op zHS?$c$;g-~Dr0!OJhW9fRVR^-ZkIDo?a4-j+PndiS@I*k@R)}in0$e{b;IBH8%9jN z!Km*%=J5uAuAFrq?eWR8&c=I7wc}E)^GR{*?DP&hI;holTBnu9-Tdv`MYmF&bnEOz zpuIJ8J4{i3LTbV~k2j=~bw6wjUJKO*p)#|1CB$Z?d74f0cRDSjIUWBnm&JQ$DLo?f z1h7*a6MOPyXR)zzw|~FAbadPC`looROgScw_Wfzalqn9^Zu-VGv?wcLI#E^o^#8TR>{JJ#)-ga 
zM};rFa8hN*xZz@Tycvp$!;4~3BWS9+P5BM*Z(IsEdg^Q&riE$xR}IvhrIN=+0>;xB zV<}YoEGP0yzJ9rA|NDH&KLK`;iFMw7x?Z4m554qt`{6z`hH&4V#)gv@Pvub~U+Ok* z!j-0fPFQe*sTY{%(RNP|{jukB9+sDH;lui7^eY_gE&PM zr#!5R<&X@jdy-PT&sZuaX3|p?{uw}(&B{i9hA>8j(5Wf8pymKB+U4;b!5lS5)YMze zN(fD~T}uH3n;x9XlE(1EK|w5uQ(496w9hW!A67W_fX5V=s#S}_l-aE9@z&*B&5PH~ zxyRMl(;NP!bgIl6qbJw2z2k%_B?HT;OCsl1D2U(ZGQInmDtPO7L3KzYZHdNSjE)?C zUhcyNkK9TpQea9BIF}HUw-`bCVc75S3W47)lHK~Xx@wX4&9AHWuh#W-9~;n&R7Z;y zR=et)#?@eKW!2Jt`n&6@sYnT)gz^GF!UpqcA)?w`aoyc{IcsaTblrK_eR^zdbzF71 zcQ9Vv9Y4h|-UVbTKrgJ}OeIdWwKsu(a0V_B^Kdb~v5ur;aJoWzN&Qz+Dyt1tkp%L4 zK~1b$^>~zjA9@pCU_g8nv`@VYVuTG=X z`hI2ph_9Y)9`32to8xuORCW3H#)BFBw`d9D8C3lGlXw%ukO@B0;=C)HR*c%>+DPN-@YB+J_l}c@u15hslhCdkHk6lKSD&hz$MuE7 zjkQTHf00M&!GRRDekD`@-OO&D+3}rr=X5xwPk!eYrO&48(TwyAF7^?VA+H<(7n44( z7!@8rb+?zgN9M6%m$yuNtM&N1u<@&tYp*_k!M3{9?!M8L_Ez_7{ZHWG$1najBIWP$ z)4g4+y{uN(GYbkl(7%Kzs=3S&yMRPCOh3D;>RWti~7V;+mzI^n5E)?HM|Lb z(uAgaz$b_Iph1G*TrfaWg3g7BX+pt=vVt)&q^sAc=^l*wNDH7RwU~3BdNB@y7N`7S z_(6)ob2O(UhDq;~k&e$2(}pFcv4GBgtz;BS!^Eh=QRI6cxoJiT^4GM`jA2JtQ z8zPbPXFwK9va3wbQ=9DjRu1#YxC~u?YZS+-t=3_0PX9Q+V7KyV;pKj-ad!GN;f|-2 zfGTD^=PcSG^Bt!Q5AgT+nA+b&o3(!JDsqJUQ9-vx#Tpn+aoX<-C#DtVB?wBQ<0V=ad)n%o$q z36!=D_`^LO)jSq>uPEwLXFVOHC`m;{^MFV$VfXXJ!*GO)Jb!Y9%ZW7Cp*gi%12FqY5{cMT;-J) zoUx<7h8^)h8fFN{wD#IF6-%sPfLcRkqPUYnTbQg|V;}-$mD60&l?7ppih(x|nDEjF zI-K=1V(!tq3;iX z2m20phf|#jn6X^5GJNTObU=k&3?}G3+-H+(=7(>sftBZ82nvp}l9yo1TlBHcr84G) zs*HIbE8~^2;nORv0y(Q!UPE&>_X`*@>1>FyX+S(v>n+zdi?bocd$or{U0c|FZmWyV z{@S9uFq6)P6!@}$mU62UyqDyCYpnwZ5!K-5()sKpg-M7O!N2i;R(X?~dpsjVe+?n} z@a;TS6#kotd!OZ9yASWvStbFHabNKZ&gU=hSTZi@+GK3Jcjp**tDJ{K2C;k-GPs5kCb|-N2rJO$p_u zJG!bF7K=4xemQ-avbnwUiX+w>4hfm&TvHHW0;~8JghNYz^$sE30M~yJ7)p{h7kzh# zX_p$=c3c@|q>6+OM%E`$(xN#l)MVMvZ}SuEcgt9$x|NZ2OavI1U?baq#=mZ89t(jD z5DZwn5ylHJ-ltz(aDF520#l%>82sQx*Kg$f7}ie_+?7SQc;uS_LrlXOf*_megv}oO ziF-P6uUEW(+Zpp=i}^0ZeOF_bCaVFA0=mx#I1Wh0?S+gkW*~9SKH2vE4%J(wu9cm; z_Lg(pU3Fv>7&enOO#%EWst|H;Ju$Di{6tuFtSp#gfNiY8N`Pr(q=p26U@I^!hoF6$ zRR*t&280{N7J_q72bu{L 
zKELUo1+2;eOrp`i)a&B!@Q?o(f&hk4Pqm(luGWuw`3K$G(S`CL&pQ2^ zn_~Z*t-4xg1dgv{a2gGAO}W^2)-V7hxdL+{yg@^v*uRfrA9-)Vzyxec44)8YbH{&T zaxMpFN3Kl#CzhB&@Y>BE|MA}2uL}RfHJj0YVqw~@R0us6TdeOE{qbJ6xuZXE$&b|l zL%wC{8Xm~+gsYmh@l){C$c4YdWZ_qVbN=+ecxC4i~HyE z#_9fZftO$VbJ39hL9QNdWLi%4ttaFwibU(L!)W79;O+H7!pce zRyet6I(rwkaCJ7I-GY8({T=0oLPvL3nWvlni{sd5_S)LL$krRje+^ceix;Q;R7=%M zl~kqu51y^>|op-FM7OsoyMQy6Ykr5*um^M1A zKM{b3l(vdUA2?K-A^UK@T{zsj;UgYH6QRR$3(9@gy+f~m%41+_MfXD!AW04P63s+e#m41Q~%$9YN zswHsfyThS`ej=ftNa!cLe0~Z2L_$9?N-YZLrYe8I1ftfnHlscRP3hfMQ)l$fQL)x_ zvX^fcPd_s!tB#Dq;$}kv3WCVmptIJ$W8g{pVkNkB!DNij%2VHD$5DPxrMr{!9heuBxgGH_BgoMa@sn8roZ>=Tk> z(ST54MdYVl{m9Rb3iZ4DdY0sN+wDzf3<%}L1FsmC;tx61klQc(E}tp=HArc0_KAN| z|F+&sHQTlB*YHnxe}7yI6n?_O3SSFKXhk&G|RY;`X8Z%#M24sIJe zvFiT#?{i97fSMfLA-D+YvjAXpp*6#5X$dbg>3o`a>fUr3ExTYK3Ua976ykFJkVB@I|cemHxs606^ z#|?P7yHRT0ZuIWpf1FkcmI{Ag@1&Z}v(wzDwwt%k(|_Jy+Ni*oW#?C`)a#WhcMg26 zJ^Uz2hTHm+Q|UDaX&hX>-o-BdOxnQDSAr6O5vy_WCnQT_&YR(!*`a@7zcfH&wM}a< zs!;|@5Nn?b{zC*#6Yo)KVE>d)3BXJO@KdtApQd-4{=f5CDr&4tMB>wZfB0_n#Hat| z{&QBmV_ZjnD#=x8#z3!l;+;41|a=YDwJt=kmxG6KsjFxTIaO!{0F)?!NfV*z_WAs}-*ni7c z+x@$j;`ZrTJ^S;_=?>zp@>`Ns1F(i8FD(bPJrU={TP_GFc20jJH_Wp8g5x^p@jLfevYJ$Ps*x8)NsF@cU%w^Q%MwlEV@x}|>&kn%xdTXQf ztA#S+3E_SUYydC-ZbvwN15m&dp!W`(=StoAjr>2~48o!X2;RB<)dKUO-G8b$?}&fn z*6B3c0~qPw&31q7SE~!Zt&8A)^y!VxQ@a75{b$4JRnq^P{smS>Zp>!b`1PY(f9N!w zUq8TFfY*QQZC>OyD(#0(saG%K^Z&s7>Xo|?d@NQ{r zlm{EmL%#_Fv}&J%>Q}4Ue%f%rKpELBf7t#?HfD~EiA#T_{JypxI)xg4R~f@}aY_~Q zG!~ztYn9wXN$u^|x@N1GW3+zMKHie&@oJU$jYSNUSsv1)$wC^2FuxCDX9l(sIj^i#87S~tdUVWN@?SGw1`_e^mLSW=Q06iv*= zBWPtRjB$UT>^Y4`*TkIPU!D2wt37x=%ocy@C$isaKBQhQ8ryeU?pR;7UFqX2QzQ)_ zfx<#sBH>SI+#D%CYNgK5s(`JR!$1UaXO#_4^6R)cI<+o;fk~V4J&*X9I*Fgd{mcF5 zJd!G)lQjC8@g6CDj(c(z(;NzB{NioxOj`eP(}OWLI8NQG;r2rr%B_UwyE>BVc(xw`|idq2WuB@3cNrj2d0^MtrS~*qpfyqPgQJ+-DFBVk7 zx?+!CD5yYA31TE1d0`|-D@t4?Vk0?4-Jkmog30&v;bZFD%_x`rob4{&tLffYFc5zM)~A>-UX7NX$3~VCSaB$XQuS1L*qP+6R}DXOonuMt3J4Q5dAUg z;!yHVI%>9TEqA}So$8gc&rUge@J3T-?(2VheSOr)m5bMpFSUzed63GP`@QNP%_#!N 
zBDo7eCZ78D2LS%GQWOO0aD@mJvwfTqIPl6M2!Z2FsGdwfrQ;_tbU@#8xhms{w8hdA zL6P59l5rfE;&8te)@)n&*D%Av>%X`HI~JMRVSZ9+KG_Sv3JQQ+fVE%^(Kf<>I!%88 zhjIxbNTaDXHXu^NYmU7N06JMLE{`%G$n+tj+AuTOFPszbabtvm34xhG_*k74!@6_q z$Hff+?apYl>BKx9l~}>fELi?#0@=g;fYXDubDC&F!YLDQKb3&fWEmsWjPEDYaC`&> zpl6W3IZ{0V{31aFmeUWj&c?EynSp=%XNNCH28SfV^nxw~v#=DHvMmH)Yr?{rmdTfX zd~}!zC2(;xoC&(n;*2gE=H7!a&_XP@cOz-QU}i84K+$rcqctV17CZQX!_6!i;~gzz z<$Tk9{8r2UQ!Q~O`hh=Fb zHDel$CGT7WF`Zz|sl>#`P>SJVrlgPW&Tj5(HS0X5E==wE@a8Kd;>S07C29x89LG-j zWKP3BLE{ET2<9I*|Ms9C&o(cw%lppu*-rJUa=3XL!?=efn?2ipDGh(l4!f_7_Hp}W zGq)MTxKFozR<8^CRBf|Aq}58+Ym;OzATP|8;?jWf#8v4(|W@@vHSa0RN|x z%>2K9>8+Q!D;sKxI|S_tV~tl(EhC}}bKX12?}|F5&z<5`cDr-sbQ-JPdYMTAmKBz% zNNp`~7ZZ>C*Cwr{L=b-|!2q_@UzoG1b%Y3px|8pT*MF@Q8go>K@u+3>(RQcvcq4nx z?#0Qre7ksl?7Ibfacg9KQ*BR5dt!TH+qU)3`+S%G zO?B7Jsp{_4tLyBp+WYPK_MzT4p^PvS3vtu=^CpB!(TyY5cDGypeF+6h_I)Y*i&tlz z{PS!8$a=0>ng^ni|1gzngupQ3+|Xi-jvSYMD&I>ZIJv*np8+=dg6h111yfTu?FF8b zbE#L>G&2E`TxY}NETua|0->L~P%Fd(@9$FSc?Fk=Db*o%FAY4f%7_u7P#M&o=G~FvLdZFzdVrF{06r{_8Uz5x**v}i|Hr0&o-&B1BIp3$ zhH}Cf|Co$q7kq}eOFi^@^5QZ8OAjQw_-qaRVB+?Ouh9)yElhmjV7L4}ttOCkvI^ z-StZM+c&`Ri7ij$Bda&!sY4>59*UmJ)ES}{r@n*eJ3d5#q#LEk2ItsvOI8*|#nNbrQ+As$M-pOdp+xNdQ!p9Bpv*{mb$`gf)vlYBDr_^T`3 ziz9ueh$Ni`?{$j@nTj zIzBMVGbvkGf+cG!h%fujMUE7H7NcZR+Le-MADmXS{w zx;-To&R!X(rSZ$ZuLTM$^eAMlv?crAih7D86+ zJH*7pRfCYYv5o<1TIrEdEvyKV-_5z)z?G+)GP*&_rVoA90O;A}Vl=1j#jC{t_G-dj zhltpuo*$qv62Bd7X&xfW?8JwEESy^Ay=X}`neLptJY3f{tHdvG4F4D__ktFojbCMm`)3(x@|edllqR|j9+m$G{_)fX&uF` z_@GJ zzE32RNf>Sf0DnSZdiqp#(3lH{f>+i_a#Ml#@m`vEIyA7~6gJ3zT<=2t{yaTakP10W znl)-#lu8Ewb*dYDwFM=?KWK~H(tgkjz%`T~WAY0s9Ne&5bIHYj!X(5uoRvXj>0 zbE+>Fk8%A4O!ofe9R#*L_~flqiSw?agM9gHgokkb3q`EfbNGS#VX8NK|Kk{Q*L?t1 z4ES@zWp_Vp_i-5Y`FwG`1OXUj$gNjkT$wS_Jfh9Xg}oIIF-WWXTL#bpu5x7%%Hkd+ zFjwNCVi}RKSvF)q@&4z_gV|}ZnfzC3jD=pgiP5ZqA$4n^AAESkzzG3X@5ye6mSyP0 zpZ$UPU1Mpe2$o-IhGXAaQ~eMHT7dq+K{l9R_+_nmO%!z+wT*7fDD6Slm{ZTEw$jHd z+813eblzXL>&f3on)GAXsI<%7GksRyUzQAt+DfTC$<xw;KrP*K)4Q2^lDKUo{= 
zCQa8MWVXdR!A}(ac#cKby1mN>iyM*6_QH*i*3R?b@;h`YL-(nuYQ3r z5mldI_&$7jXl(WM@;Elst z>!*|KG(sk$HA{AQXCnLq)lSu?pqIvCVtcd8R=2)k)=|v-X@*2CBsyPhg^KA+*?kz; zY1P}-Rp#*`2n-A|db8nDS!c`uvO3#gs`2DuwavIIXIai4%30Dsty4hozQ2gj#0gj0 z+%Sjx_iDu8s86~5)EZV=oCVpAA7#4B?#P6A5oMuFJ|C;bsY9MA=^7%J@h4 z`*0^-^0EEnp{P>6U{1I}ih27;8rGTk9_z&;MUBRxrypROz;-4wf4KQ@_?e_l z27%iHG7)FDmYftS!KF~L@uSYiAil_REs95%fwn&(;zB-vU{v=H{_ogFYmQS`_COO$D^$PD|`C26(|J<5DFm|dP9&$u#rJ7!?)GF(0Uh;VJ2-Ta(w?yhma;7qWumikLXA)`iLWpfEP2@g zvN&)6{BZ5zZj7IIob+Dyz%50Xy z${q$Z-H~^VWezWJt=V4z155YHnF&afLN>H}UJwv>MQtVmG~5z9bym${+A5X#0o?9? zto?LBFw)K+$6h4){oI=VmXbb8?9d~rCw^mW3JEWPM=R*+noXJe)+nVJ$nql+Z|b;l zZiHLDq;QjC`O~&BeR5RSB8hl;-z^b}Iw((*%n&zWX9@!-#xhoQhxD3hsZ3N#R_+g` zY8snVQag2c+J0d67zll8o?ij>_>V#ZdpsB?tL{#FBD zS?Jm-B8=6Hc+GR6CMC=llII(lv~3V52aXZ^(`>PlOc5qeN0iw!*UD~d1MzD5>C$d~ zThn|>^`#PEzXqi(4#T)65{?U%OlkgDr3FveY3b^rS*EO{Lkf3hv8bFbfJI@tJ++$l&wG6^L*pS&(wI4G_~8Z zzs!)-kPskiKK{nwQ>+dP49`L|7u4?CN+;C0b3?lM=We-)S4IO%^Q@U@Mel|7Q;Bxc zO<)kgyrz*`rD{49wLK3352|dByA$*79LT}vP6?_lH5wGM zvxltKvk($>YrTGYuMuuTMX4xt)Qe?>j*ZV__c($|)2+scVXvlYfOQR-Kf zQAfR6fEcvqja`Q(W51iHuVeG9oAxx4nmf>;v9T(XeYEq$TV;FGrf#LawbiRFhz`8~ ztmSZRoj#U>$QO9IdNsMWEe6-@K1;4oo^Cu-Mk;UXb<}j-wwhL(&to<(TlZ28?C|ru z--NFB=WQ1AQPA1O%wa8@RfI0ChH^_n6ZeCB^PA!5ljrtd<<|TaLkDFR;&{qb8w!-- z?P>qy&UZxqZD|MtCr#kh46aN1p!_?fyDoz5kBbw*TixYj4i~OYlQXMY>Kff-ZD&@Z@fX z$LB!v&*95n?GT@aoTCyz5tyOp+t1UvA6;0B&RwZl)*CYMZF0_SR`+9-4aZ?OU2-qE zs249ab?$2+Qvgx>v6UB{^EHHlZkNejlB`Gl=Ppi>O6s0y*+e`Ok^)mz=*61PORVXj zVaJp1cB@5fwEtj$O{U>8y18rpCxro3Q$XP0V7Iy^^^)I$8q^zr4f4Q}><)o0zceb= z9@I$yzI|Qx@OL`%d$yZhj@9J3aEC!N+Y^9*&xo#>Ss{SL*9o<|zwA|kMEm%*+?6N$G{t50)w_h4CejmyR4QOoF2d@x5zJ7RsHf%QTd=A=7z)UWZ!Z}xlcrD+ zq+Ql&+w4N-%19uY!w2M&_&|-kX}%xS9wxNgqJ_)Fh{l}i8-}7#0 z`Pq}Br4O5wMs>d<@^*h4jV~M>Oy}~s;-fdmSQRN$iTjpaca>|C7G6DqGKK#s|>bPvwsQNJI zUja&l2j<=_3y8kaNg6`CA}^~BQ2|{stxE9SWpH*3AMWXY{?HJpwkWt=R*$ckP$)xn z$Cs1N3Ii0n1wv+JE^2Jp7gj^1;H6aLXsR$)qo=G7WyZ+*bx7Pj&`v3ZuhJ}gV{!P| zebV;S%yLdvIdo=qRtQgK4}$5C74WsuYG%EQY=P%93tg9Sfvycn*x5@hM9Km`Ye&XG 
zBIys^U=QLdr}0S)GYyTg{aoZX!t1+95f%aAXkar->$ejsGEk}fDMkXBuFve7-HTDg zgDp8jm}QF;QB$%~lHy6V)FyYBV2z}n$+Mh*1=nUzOlm~h4%-X68LOP3bRVEcph3^r`& zTRz4TP=wNf3e z(QV1_!`U-cMi4>88c9u=2a3!Z+Z<|7jM4+6DH;_wnJ%y*%&>xPskpH}Xb{Y3Kzi>d zXt?8!q&pfuIgCuusHK+JH_C3@wvZwU4B(Ko5>B&M(J2=)o(5)bu%s7OVwIT~AsKF* z`pczh6}1ZvRew&#LB94D&9OKCMFe9=U#hs1uBoZ-$AVJ1n_fd;Ny-`YMj8KYArDV< zbL~FtYKP-}IZyD768!nFiI)bvWlAF2Gq|r`JR7V`e9V%OLj`(FM2{G%Y^;)IBp|VV z8fh&M(Zo_++35crL5%02c4@Rf@>lmk=!xj+=KheCoqqVno=8Dq`iEhc>S8-Nqf?We zz=EMjhdh=Mg?n8^T0xpprau!E_ai<|O!$CNGXy`sF!Qctpc97k4|*i{i4a&nj}S`l zbKeOPR6L3blr=CBT zAvFtG{N!XiJJ#oZN;t{&m>#$jQmPsRou2m=%-6w=vuVSH=!Skn{+6mcMv#XdT4$^Z zvpwSP@4ANqHy4X$u}uo(i_RM-hq=rDV@Pn6VcdQ>+(ZEd=l+UDNZ)&5F$EBeK$>oU z-NH|RoZV|4cr0!pD#Yp4;BAbnCaaEzJ1yi^X&Kf!b)KM)f{7FB7WpA-PK*dvG2x5R zj{Uy*4R*g_TAjeOB_q(U2k%a;{Fb;84KvF`E;+vgJMG#u5Y2}@$oqKa*DQ@n(u-lB z9Jm162tDEN!4eN^9|Wl)9SOiG*J{%b2jccI{3Ae_&Edl?_h&2+@30)sj^R^SWPv@L?Q@F3`1|7qd;>o##&3uC|8#MoWjK$40E-wLb`Fs90Xw|`Tn`v8_ zn!$0I>3OHP^>#y4RryPlXW?{wn0qcN%Cs@*sv76p&EX~(XaUz3A_9=Q4#{lN34>CU z`YcR;Gat#j12glPHrhE)+ZOmXHy%0^yOA*AVYmSkmy0M{0!l}Z{Z2ti3K-gCx(NiG z#kFU2))biqous()qoTv$tK{qd2p1sWmoZE*PUvOv%iQXIa~6)G?CHK}?QiviejOG& z404QY$LrV%4TTS*iv*f}LmxIyK5k>VZGX?XjOp@o#erjI;&Q#Z4W$f%v7rL%dX7(c zqxp-Cxb7bqD!8(z~&Zt9Qa71BehuAhGTZd!Hj| zoR8NW=cmZGbr(+@U%xQV+0weWnA*u>2p^bK`*NJaiJOfMDFdKr3)kCF&q|P#$Pijl zD4Av0DSvc_!cV$hq7rQqXoTQwzZpLFhJHyU4%|MAmX7jLTp?1sUnkco2D1vh8E6Bw+(Q-*luk=9>%w7oBfS`_)&_4^((?@x zox)=+>!bcKI#SXyyvqR*``}iJ(P*5*xiN}xXAsrxe_=uZP?1LQ>WyfZ!bj!hrBn~#>G2BXU=Cucgg z1?SD*E-hz~+*&>CM%5Swp=tDAwLhtZ@H1468~T>3hh0BD9*!bG@MQ-%SiHf;F$KQD zC3Uh1NZUA%1miMsCjRw`O#eff9!sKue9!clUZ8JTw=C9!kxR4t;(pj`9aG>V99D2K z0Pcn8bDNyGyp0OS6ILN4{v@z-ukZS#D&68DXG`N=`_5)VCI~7%FN)`VM)NnfXu@17 z^aml~ef1((pHUjJ>dbm~*T77S!toBOgkW}FoVD})-iLPt;m32-R=$LwFWWmCm0;X= zIbgm3^8t*ZILWv^3X8@QQQ^1klnZ62N~Hh+g_~B# zJh*|OzC8Y|i~rmly9bRijzYa((Y z8d+7SIJ+)U>g-G)TuwZezRrpqUF+jhNQlhRWg~ueG03j|Mqr_iew*Iyyx@ zBAbSB1%J;P##4mwN%X(3U0PD9EXApA4QfJNXA<$r#%1($mM 
zLyQezXDh2KIw$vfbZnd`K=k|jOR6;2Q}mSRtCHRZQazsBtKpUulz`w&s;XTSpg9zC z)_|#^_f3Q4;Olwis_?x|;LO40pM=?hdD6r84dpRK1LFBR=L#Z1o{LEpQ+q|+*v?rM zr5uEuOV6SvBmh_#no*_}X0e(~b=cpZ$kW6~@Kb{N{FMl7BorO|JTaim|5u)m^p7^A z*2(!xLNJSzcgmzbo=d(Lc3BFlm&)WF8*}Efx zAPPitSDDIb~TB+HjtP{-Ot|EX6m?W9u4XsYZ8&H&;GQy$9aU z-QqtrMIZichTUJG+omkoi(3uHr@rA0%cYFN0+ zaf#dGy^aCwPFyKe8-jhJ8WkIa#S@*MXHgep6_EyaC>^}lX@;6MR;H2BXUh+MEb_IL zP7X>Lp#|Gb&Co$Lxt)iPZcEqBtX-Z{ZRC%MLd@V6c&gK&l1kI3La362FKabGed;w- zgG3FofWSB`TW6Lv+sF0LDJX;QVrA=yU#eK;Y-i2V4>mypg{8oLnJoexhoWh(IH_nH z`bVc%Fo0pnFJ+-p3j~WiJ=1SMF&ClKu&Z{P)}))7llz#1PpUFC*`mg{KTOTL;GIwA zqk+s9w(INtXY+nr?dqGtmH0A{&k_`IMyPl2S6mXe$BQmWG5+7i$NFnsmGIAp?ed_$ z1k94?k9Vk9%w?q;jukO;a!!9@%CO;gi_Ddt0mk6#l;95>lRPITeU%Ga;rl01+J^3n zWpygO@dQ%?Y1bTD85i$d`<^jw}_ z-EkMEZ!LH5_UMAO;~e@|~QMokBWw za}5oF9dcovC>LjtJa!7e*Vk$@%P+^P5JLq@*WQO^H}rA0X!6WoE+t)i|5N0k`T=h* zlT$~LTkjN=KR+w0D3~c{1jSLi)0d)$txl5_-gJ{IWV*p#`|Kx{ z_`r{fyJr7k8<6<*`F1>RSwax5+$=4-ujbHau#rY3;B>v4s6iOu`g|)}?5t`08vba} zZU5k>(z$qWIy(6U{<*MG>dckBBP{r_cKN4~tC}~<{8%R`^hu=^w7gQSLXb%~p~@3) zfC4Qr7S%}%EG{0gqE2&XyjHJ(jADJ0g(-`3t;MY+lyz<$aCC&OBQ-tGBl|~V-XH?^ zj2CELu!%Yk($SYtwf_w`?=$NgE!!W1O;H}gUVQ@Jc*xyK?1>AaNz!`jR}n!PnMu9{p-b$*QDs$?XJNIOc_)?&SiW7Y?+BLr z`>^BBtul&i+3ynqz59gKb)xCFU@H>#Fvs`pPG(oa#@R$cL%+~U9K;+UTanJ zj&9iw@5Tmb@X!Fnl?p}nCy4}~rk9M7I**E$G#*I=j0=8Ck5S$@o^jL9!x!cTC{H#+ zaeD*m9hWQLYa12~1x@Md;3Y28bwyd`vZCA2b7AKZ-!_?~N5&~6T(47}k9nTc2mz*Q zZWFXKSSw*1w!dkzF_*0%*bqZh3^Ua8=oAr{h2!x00=dA&EXv=<6$cdWkrHJ}sBtJu zBnJiNw77_Jo z6r?+}>1;R9z#_*2gedxtlh8$>-X7mQbW~HX#)Qx*Yg2oSz#^{f7{MY?8|iwDgnUaS z3kr6FJ(~e&*R%LAb(Ln?$vtSF&&JJCNgXoC0}<#bo_8%-gDso*&>gJOZEp5bneGWIOJ zgAiCp!(w8I^#jl1SWf)BjGNh}*<-h_h0O|3x4XbWz3Zp*r}5dS(=O=(qwQG#HEoJ` zq#1sVnlp-UoKl602sWC5tRD-afoKXHvDlb~M8t8=a?RqEN?YeRB@fk$$dXQSM%0uR z_#UnpR#~ztOQXBO|ApP!(t*IjF~nawh|2M>k{2HytopcIbh69H#++BbSvH*JDIo@y z@UWJsx~SRl4yDOUQ*(_1e*e2o1DJz~l5}S+9$Y2)1-o}A#+Nq-lx|r?^PDofr=o?K zP2z(tuuQD^Y4N%F-B%=_LlFOxga;oIa?+$R7=b&CiSP{BAGG1!I9YlfjP#5>dUqFs 
z_t0_B*&jMk)$})e6}b~k{3Dq}Hglh~A4%FUJUdBP7R9T>8r-AdOgyHjkaR}GsZ2+uGFR|v$jkcQ(i%7lhWL8IWTc)+`MHi zN%L#J9s3G5)s^k&@NMHgwWT_%3O5(q7uWJt@Z;NR=|@_bG$Q3s&csT}Xt9F(ja(Gl z-Mx>;H+mPfR6HkjklPbww$qg5X|SENbt`^bnerA82~sXvX>)fA+rc-1$bI|Qmi}6p zoIE`f=f_f;jCth0BL#zxUWj%xIH>Hbvo2Mkx1nCXq~=4(h@1b|sDk&7&NzjW*~mQY z0D=y83_W-4mU~W+&~eJlQ0$a8Cie2!?6%C~)p#K2AEMv=3}g#@&iJ%;`tTp{X?sDp z@vcpn-9=d)ekNd_aR3&?FnyVko>go{y70Elv0u{Ke8J8PS|cH?ePB;$#D9fsCG7?t z`4VY$1K4ocfbl*d(x2)OE?OpNwdbNfxx~wD4B12N zqYq#IG55N&Z%HIE?649e;y30g;y!_TD%^9aZopo~Jf|OrvjMERLY9)6wSvrS#M3-a zGIi5-5}{?c1Xvk`r3%$<9USRhMsK`c-K%4NCHIt}WYc8!>zx}nF(u8gDzI^A7|`aA z4HADR8wu(;+*=2$w+7LYL4u=(%#e5Q^7IaS`=Q6`gtN5N{z=MmR!O#FLrD8&Guq)A zA;25_>&lN2VG4MSu|qgL&Nw^w{oSG`*DE!@W7RV(E5WA0R>0k#Nr!9`6jM!(jFkco zp$J6ISz>0JFzV1@fa}D=|3X=QR)%gLF%X~`fpT7jjY6f>kcWtZ!M^tN3i@AKfY@{C&|Mt$UNTLUJF5 zx1?p|Hv}kK;WR~D3RRAjmn~79C~YIZnMw49dKWh!{Lsl;!(R-+^Vu@!i#p^>Z`VNy zW`?@g(;^i|)vq;TclIVJ+mW?OtraN&JA_5h@((EgF`;M#(OxDaghCfdZm$y#r;mHY zXxy4?YtNUC;ky5tDg&94+8c22%lUbXTY?7M&7Yh`1lBAl?qMn%39FrR2RC(tX97`~ z4mLsaxRAB;q%h(Q5<@59`~n;3#H2b5aWwLcmjBaf^LjAJ4qci^og-_C)-}6YzBY|b_ z^9xYyHrt`!5s4rq$Uo0SvK&t8twswc^bS+VFBIdTn}4p(c6*Te%M>EEs(won9S-6H zgSzs0bv%u*P=}1`Mi{sqW#2`!>T^2>S#w3!+Jio!3UBK^13bQk`M|eup?K3q2<*oE zg~!70LFmjiJ2h;mc^~lMacI%_6T@~mg?XnL=2bZqO;tfH*js-heod1T7gSLI}NeoCmsTTKLay@wQU!L0A)}cv&(& zZ%7y_PnxTLt0fw4fKw_0I~wi#E2Z72m%ssQEOXRS5qhQuIZa<(FmKHTTKhikb@2s*xbgID4o#(k-zV z8xBmc@)@ik3}w#a(0Y!u|3FVwPt6h+3H&6)1?~yUApJPNE@tN~h&?_{bNn*+n>gF)KHYARA-E*ZoI^MWCZxxjCd7_-ZiEaImC0AOFe2H+7 z19U@jw4%JjA?-+skX|ROTtMkTzH?z8!j0v{O_9^2-_OMT-HQ5l+x$$)qn&<)iNV7QG9YQ&I5TsJ|FtfJScFDhhk2Lpz zBbb@1uiw?u`b`uD)Iu)ofh%J~LL$7=88|C^wfAvN+}M!MBA8cs-7V~1?Hk2KmWP5{ z*D4Z50KRTJRv=^_MSsEqJD0~|6#x@gK&8^YHeJ6EnG9c`&ewbCL%LV#uRckP&dn|? 
zG(tTt1@{KWOoq*-t9$v!+?+1yDmY5=S<4^+3O%%~5}7}gBJ!#3a^!kw5dwP;06d+F zLR}V%t4XS9F6&2&#-*6Kgyn`*+Iho8F|B-q3pFfLr&rVBc^F-ah{pVHVL?T$NZlpc z;3OKVS$iuBO&uN*2>^jddV;dpyY+7qg&EqGzT^aDm!RAP=ZWOllMV1!z(ykz-f~YF;g1H$N0M?3Z^IrX7+htlHIyz~=~cds z#i$#9=sI-6?F*!q)~8!`U1%o;|Bd z{+%8W4JHPl6nLiq(fQNBsmGh={3ZA-U)$_Q9?f+}hVY*Sw!NH%Dwi^jzr*PDl0-;l z99o~CQee(#LtgQ8nX+d@H3Pr;?ksmXSsuLqt<9wMCbdp^sP#I7TS~L@nKTen;FMQz z*jtexxWzB8c7EsA#Cu>?)Ul{zk(KPb&6z6*_BUw7l2Z2g%1{Id-w`$9j>DGs?nLbm zueqZLLF-}jql2m=l}n0M_cBvKqM;R~5{n9TWnws+jWv49)$SIgBkG1%U$gIH1@D6# zX_<}0l^K#k@s>tN!k)(vT{GaC4Q8Oi4wjFMuoK!Aj=Hf6;T?1g*g>w_!7GeLB=Y)= z&uxn6#=Mc4I91jmIk$*t)l!y5A z)+t8AAb0Rp>PdS$74drMPlFW5XUBfNb?xh5b( z{w~na2N~33QQr)UOT(RRlUVi>;1JaGQ*RLY*ChZ|IM|W@6^sE!`5i_J%jYGsh>$Kz zVGkyCpjIyds47kqzc*icz0}EJ+XW5@ju)}*TC!D8JQyn=j4BFi*m$#*@@3#l3ZmcH217v z6+{Xe2(ai=b3~EZz96SnOXkUunGbNq=qY<8(bow3K7t|eAvl+`3SJtvua};Zd`0~0 z{~CvJ8q(Ojnr?sdnPIS9HL7yj5_ED8_A0q`?Ve?F&9=qOcTQgdV&obBb*Y|_>iF`x zZr77g^%O$7Lg@h4zWVK&$ZCew$hPV%J5rW&|9%U1!7=0-OPjW;^NNf(z)%HsF>Hp0 zq5O`q&6{I{M99MlR)FB*4Nw7ff=m*UW1*$4EWw27!ghcGHG{|xD%gQTh*4H?UfCBl z_C^1($>$gh{~R7>Y~SW7Sp%@c3EiXa(T(M6QBLV)a*}vnPE5kJXJdam6dX z-Q7mJz9j|a^@}mPjJpAJLs7&+y$GTXKepVz-X;gC@Y+voE%2Sw!_5hegYw&x6Q~;M z<#+WB_HvfpaoK&FT;i3$elm;ox{FBCkr#j~HuB#fRr1FIQ%2g0JArWDnveL02wt7= zsc=ZxrIs@iWllOU1R9L!{}M81GKOqOs3HgKunllvFDn;};5^-!Y=F-0)KmI)QsB_P zQ+nf+X`c6YP8T(c;313m9_!#1Hywt7(Yw-aX`~PO6h$4ln&g323$53*@+OAGfB`lT z482n1Gh}Z7$ah5A(~?R_WR>Wx5(~y_K^Y#s8yF-aA){7IWzuObG9ja2&|u@=2`Ip4 zEXYZsVwj@=#$^r78kt2(A_(jVDtVXkML>6gX0Cy(9;l~gy#F_Z2m(r~EGxUC`{otT zpoE9bU6D4|TYDvjNxqYTCYc?SAQbs{U(iJw%L8J7XqaKtqC~=RYH^z*+o>8}&(L#{ zkWHijjlQXIR!CCWpV;a=Gk46$k1<>@`Aew~O@qcr`@AVU)9KS-3TGnVhtrr}{Nmqc zGIfyvW39#{i}oZEe|uie3{x))g_C4XXcI$_n_Rl@mVc9Joj)NGj_sx^S?+HkW`(Tr zZMmF*H)D^PXXwdRo|8N@8*;Gt-M#?nST(N0pAEm{+ylqab4Tw7TR1+2*?!Ucv)-r@ zLC1hB@1T>VVRn)8d&WW0u)2EV4w0v85dzRsp5(8lY0dayQV}LD`uEO(rg)a+&nUGm66!!LJlZYz9B@5i} zmhf5ayfGz86y#N;&2o9hF2Dn8W606kJot$)vc=GDk^>EIh7Dk$%n9SPyfvNg*#~1( 
zc4&PzEgKt;J&auutNb;|UjlFCIH)yZM$A+RJO|T?k*a=j&`Cj`1u3>4mEvgp zIYVLALo=R*Kcl&y2KPyr2Koc%a9=JMfR2iZzkAx`)jo6iO?75e)|A(bn^7^jE9%+1 zHM-R{JZe}RTjB5?fz^HEHkRF|RuyF|8Cybjtt4!`j?il9mrCawqei*E>Qt!ov47QC z?a*tbpDsJK1#kfh#8{D$0p}FK71+4zhS=cpH!wPHktSrS-g*>I_?i^l1m(1VrJ>~7 z=3ZC^`c^?|1~OwfxRAKE6Kpl{_j=*+fNrxyQP^Y%hSu<=g1tBB5v(Y2J~2{oAws7B z6nxKo5}9D}0M*pk0Md$v8}N}30l~%!V}`l6MBF0w8BlOC0uhLwPhuUCD;WdcEeZIR zEb*f-XghEPW~1O|8V(Rw=Jfhsc*xB0IAOF_dFSjuq zqNmC4Gg~VC$9>JP&I+JG1q&bdp$(aJ8&atzLiLvY)NaLVsIIO7H|K{_@avlpv^o za#R}Rqc1D3q|Cg0x2*B6$#n7Is3L8UloXP{!O;t{^HFD^Iw5+JLjyKmChD?5Z z%{sxW%mnr`dYVNZo$fCFbpM#K$WXF=hiiMJ7@GHwrvyoebdz=(2nSMKo}>5POg075 z(F93l0qcLkCWr6HQT4t43;!>&Hxm#eODepS{Vs-;{zF;8VZga@-D*+4I(iyO`eJHN zEu-P>!lMMZ3h@&wFzrX#W=;g3BGQ#N) zuD`?K(6-kMht)FeTcBqZagkEuYFy;}K>OB|q}!(HdE1?*-O=?+wMDF`+3}BOEqrIg z*vC*!9^{uZq7=GG?i`-3J3(ab4@L~!89}*d9Ilk}z6IFw4QPWrrs5Pb@+E*M2mg_Xri?zw&mHJt>>KS9DyZ?qw}3SU{=6gudJW4baM0T zX1o~5&HLxLP(aNyph&5a3WG^2?-vj@_$Bn!S;$_-xcUz1Hx_UtFRM-GU@e7(|Cv<~Hh89gQv* zTQML^-xjT)VEw7Q-83XdRZWRnY1eqOC6W)D3Ck{ttV-6)jgcH`_BU($m@pvkReu%8 z5qa~arl#HxyA*{_L|+^`y8H|#a$CY%i|Q!4bh>gJR3Petvo;HW`chWSGoVS0Ak0Bc zC->Z&Mt}|QNWV?_3$u94f&dxHW~-oyWEn0lPcJNkp+9$lr#;T?%a*~+9D`mUS}yDW z-YY^dXy!Ok-CfOZm#SX2z|YmxAPx<Az>TZ z-@>ro`&A|dOe{v26{u)!S)9)^o>pD{*7MeVTj>c?U9y^_FA~K&%2ycq6kr6Tsd$RG z2Pj$(T2uFoq9b7Jm2j$x6#r3gO(*o{Gj=s6w>)Yb?0Vb@U)o+)L=1;RL>zs?ylKfq z+-cmE4Zu5H=I_nN-dCg9bL{$W0i5l81KAVdxHo2lKaz-%S$icBRYkr9J{v13ziQ9C zu%^*ALQ{zhCb*w@R7_NL01IyjycCrraAU+s9%f31LWViwq}n``q4E8mR*%{jd#68h z+Adrhh_{1EWA!=x-?gS~=R=Z7 z5m3Wpt&KX|I5+?g2QHSw>EjU}Q5{i-hq@)74gWY>#ITEsy>d`*3sU||4>8hsKb}F# z9|UQV?}{9N9%^`GxL>6E-m$j&ljm0rlifO_iMEm#RL@ATc@SF&PgN@W4y>V+9|wMu`)C9JC7GzZU*tx2du|yL;M@@hJV9Jx1c0jcoLku8gv_ z=jQPpgPv+_i<_cq)&BnJVg7gb8cp_X0;h!w%=u&jxN|1T;k%2ZO8{lP|7%siMbpP) z&h=(JIrcDQ+dcWRF^(x{lYF$vYduYC+=||(yt*FiGR2vV=0ZoG5X2JYL>)BV&(poa zK0RxlHg)!FDiC4N$Aami(VT&g!Id2`8LI1RKWkg*>={YGfT#9xQkr^lvIVa+6PKPh zPl9-#yy0v49X?pqcL54zQ&zzogH;`UJ{-+PfewFBp4VK 
zQttdrQU6s8OFpKlOiWUx5K^cQtp>w`Jq>#(Ss*4eJg+#dd=eAum}ga{Bs-Az6jsew za#GPp?2w3~F*YJxt;k9wquf~%A2 z_HZTzZ!Cvr=2b)xI+1NGWknd`tu@F6c5kQqYfp*Ywt8FH`b>-`;&vA&ww6r~^_et9 zX}ynwQ70_32&VG5ltIt9!NMf8Q{T%{4ILGg`XVbtlMKMQL}l1<3-C0lPozka%%pdL zV)(V5f>q(j*U5au!v6=CKxn_dVFz17!)AO^N3)jg!9CJ_?436Mbm}+t^Fa^);C3vu zn@`R5|J}5@?Xza@&-3NO#h>+s@}K(6*`J5{`JcucmGQoJzh~CjtkB_2l_?A!{BpU& z@PIRnf5MG>n)@+h)uS>&hx+|R#^@k{d+6rS?SB}}xOBd%AOnxbAUbfW0>GW7iUrZ; z9c^vX>9OcAR$h#1f+zz3>a8%)*K~YA1bCX1&N$UP0;WeyJ|~rN^vfdro>YkOr4RP8 zygs6@|DB8q0BAQ6kPNvozK%8DzIr`@y4?VJP9F!(u}2plm;f9rlIH;M3C{oTdHt3c zuYV_;bU?+C_@Gjlzn#l|&@mbrm*3!AMXpDBjjY6!KFAoLQjtIfXgUWBY$Pj zsK^JI+xbHUYn67&SI0Sf{<7G+?eWt}@1S*i>Gr#|i*9v~h4B}vFo%vRN8^j`A%IVV z{gb`8LERwG2K`6N{f+z! z8+Bg2zFWS2mV2G!o9DuJo-84x8D@OBnK{v!?A?^-X*CFDDAOI6cd)z{^M8~=QbhX0 zNQsPy&jgd6Q(71<720g>TWf>%gvXR1+|q{XN^_l{`kPcZ-Pj_sGog5}nw%tQVuOw@ zL!Q8xi0z*77}d!(2xtJ5*B@wZZpaqc-SwX;YVH5Hmp zP@Hb;>{4xEt$|UXfQtLb*nfIvL)Ga<5GU^Qh0J?Y$a>5Q8PDnHqMB~W#q=-rj))n+ z^gA|gj?-hx9Aw=fJ&HVG<_2lMkUaEmX*q@5adp35d1{bq`Eq@{_=Pq1SxWpeet8{w|vke!HwfQ_J49|PLKW>dc-}@ zj3hObQcgK0gOz$cD)q#q;ueH56mE~V$kIrwI8_mqLTed7Z}g6Z15H_c;HbseEN$?F zFmKgo$!ZQ)HRckOqe`nvQ|@gv}3V$ zW&F^g(`?YhV+WlBi+|Q?x~bLP0MrrCNP{n33RHTNo@rkS84pw;<9RG(yUNCQFZC9P z8NKv7G-h%qz>xW;Lukf9hO(g)8t46+p1s-Ys;kQ8X`y(tu6EWh=KV%FFhRjPoJi%2 z!4(%wLPnzGQSoy}#k83da~>|z4EMA%vFdC&A^K+s(Wi4q>wlMOo(A2|^uFDv`)ScX zK!6N7ixYUCAMPOhfg`VpTQZbB4`1<`&4TyeY7a+?u?Ceq#v%afta*&ne93o+qKl2VC=Z1 z-=bMV$b9gj$bUnAj`SFxB)sTLIYo7Y&Q)c*v9Z-Js^;3Byx-Y%E#en#>0^lEeS}L5(QQ z3$1@>Qgn*j8;|U)-hfi=p>@8zcin4Vp7#0ioD-wiydrcUq>|Q9Sd%k5t5A{lv_@9O zG-t|DZ+}9PAMriPGISRNGC1Pxqn9`EanRjhDi0Oq-01y<@Mi|Ki|8sKdcr|)WazwG zE^*zXwKDi)lE}QZz!*198+532P{4`fLY4|0P^PUzOO=2sfCm8R@&kIX&f*>mz%3Bk zI*aa!0z=xGQ+5!&XomvR`2KCuv_lY`Hs;7w9yc}vi-wOfJiM* zA%A1e&3bOu-(Mex1n6ICFwDXbludj9lu>kfe17EI8~|l(R<~GG}!1lhIDddZ%U$C3B$3iPoPD z|MTa;4>CNU3u7RqP$3(Y!*d=R>8+} z15$ve*yCnz24aAt-#dF%KY#3V{rPpeIB4Oe#F55flt>%UD)>&E-j#8X;C~ro8ICvO zhM1$joqs_Zrx3j&={33*Q!<&z_>LZP+lknu(cFezciP%cj#cH}$zkDfb>nX1?7?h3 
z-yN?kx7X)9z=P!5Q&wxPImutKudjZ~VbKU=_&X{|&$Jz*P8`o57512ieyo12Vkm#B%yq;=O?Z6nJX8L+E4buk}YG5_E zgFKd?3BO37tvvixNtK#5@icJ%*~tqM=v0i7vbi?|MB-GUW`6{XTyw&r_j;2b{rKx- zCa~6OV7F7=iA$WE*P9K+KL7(Q#ERGM6%81S42A)uNv<@tKB3iW6MydE7DmQoj}~#} zJanxU*y2UNwTiwF^DivL=u*NuCg9ts1+Kl?yd!Xj8HH6ufGZUKwUGl%LrPbLSFKaZ zv5%MxR4)%o@h&O<`LAbt*`fKmxGW9!>U?bKnZkNgeoj41>2nBXkx++=6D@ru{mI%O z%0K&_m+cS%AAcVYhzAzJvQyw?+8XMo{d2@8# zecT=#J$_p?%#yk;(BMf~I|MISJx@N;Ex(b|cuE_IWz~vcIa?@nCXn|5`bP=6VQNel z2l<_UO8h`LV5njySjPQ;yXVbLb0<^Dch7UAx4(6yUw@8^)l>rJ`!{~5x9=0I(^rMQ zIH}hPS#rCjbH57hJ-=}K&uoh0{gwYd4KzVGUMj0pZq@Go$$WQCY4%%_$|!|1HWg}M zPJ!^MFbDI4*$eOpNNb6<<(Z9(XZar zE7@+l3joTdS9IBL) zHJE6gwA^5S${ee^XZ2YLF&qkA3YHl7dlkU>T76b)xMd{OQ7QHI$YyE{b8&ZD=&*eA zu~6SBOl^_wjQ0=A_q!LO)a-8Tj%mI0SfGxptqE6i`mEDuV;s=wvreClh8w5PI(^pZ zv+JtQ>hMx9SSeunQ8uuK_AEZ*e}06p;dEzI9_{Ua>yzBm;L<##-TQey3OfT!GNeO6F9xpWa=c@HbXPJQ#Cc~srKD7LrvcgMxczXvRr(oeTq!|#?) zr@r#b{Za&{cJ}EvKro7Eh~iXWb?Zf!vJ?SA3OD#iUL^@jmC1dV{uBWsG|&AN7AoPh z6d#}F=Yn)59KM(g4Fx4dmpl_33SP#Cue;vn@OYK~58i`ai4PjJ-J?r;@uW7c^VO5ee(tEd zRp*z<6#*%KD)r`8rnd1?p`}uFaCo}=xP372FZ<1+9$j9WX8p3D8iQYZxvk+&^^XaP z{%~|z5Q|V0;4(9e>*m!NgfC*E<35oVDp4%K^aU1FR zqkHRIL9pKg6Dl%0JpbhV?yI4!u@Kf69YcMKxVrCueLn;P-e_P!T4-`@EZ&A>Bk>W< z@7uD(Ih)^BX7Ot}zw6E7Q!ZkB3*QkDCvb_bL5X8Z8uD+-r$K(&63qq1cp^|muEi%% zFZ&OJQkJm%_3&`_j#jR24vwnpO`xRqxR~smz|Qp|+{7jYeMuODfD4FTlr4kfPmVvm zJ?6K6nSO0HfVpYTq{c1_(M$HcZU}G95U@83pD<+7RP zk=i`Wm98ta?>Z^}t&6`QcKKo3!ufjG#+~djJG5NjcNPs#WRI zSISEUpN5#gW#?X>b7U!QTimeFaD~3OL`@n$5us)`ATHY%7w%D5M~$9tx0#-QzPQ2T zTedH5*!f$wFK*~1{+Y(O$qgsz^Ofx7{G!gd3Ec}x->ZqENh*kw&sJtuXkwaC+<_R# zoSN~OQ>U{re3V^wwDYk4^1^a=r@IHqHoyG-$|i^}3@2I%&e=TUvekqpG%!#W;x$U7 zRk&;DGj)RZNJAi)U|LRC{ijlYZn*mlmCO>CntOfDk*7H13B4W+!!6AO`vgo!i9#8Q zHI}fPY4~p(;U71W5~?B4fXLG4n1~MwGhIlCUx~tQ({Z>2_c-T56Al3|S{zK{F-JJI zMnc@fHDe-<`Z8~TV$w1JXaFo2nh6y>zRy3&e>~+eU=;-SSxaK&f@z6=&o_Pa>NV$b zDvzSc8UPI(4HmEHr8Uu06?G-i9|F@Jj9N-WG|NePs?EQWa4!hlgD0paFxT{&C?<0< zOkBeRL1`#x;cqRl@b4egvO5na_Ud^@Ze&TXnXTNXec_jIGZ45Rxnw}+?99f_waPHT 
zU8AX_j7M$sbPK;*_}?CXZ&?TkQ5DzNLv0%Dmd-FGBwx?3;7m=1DUqzi{ByT_hAH^k z{#1e~snNWiEG#XS3aRO8C+ly^F9n~srSnTk;YTXSQh0ia!fcYjooQevxvThO$zBi6 zHoAKokE+F0?(~A@4ePBpSz4$3k^&Mhgp4vQc1+1JrMJgx@&Pb^*a&oxRMUd>^690J z;>Z=!OM%6kDM~K|k8j!ZQrP)hHoX*fg?}cyl-OvJK3mCN%r8nVC3GhweWxZ3B`I(Y z<3xpSnulM&nFvWOUB@R)y;hYRbk$31o9x~e&kwlnx6C^~!s@!|2D!+vL?SY+$Vv8X+6=jyhvH^+s_bM5J= zTI>30(DUi$^)UZ%b+5CJHJ-_rE25YEdx+Fh-eSFex4H3D+wk$^?{OFl_~IY!(m;*E z{m8*SW9|6xk!fsIPp%5>^Ns%fv3Ti{^TK{M`}U9$Ib{Is<4-pWB>2lO zo5Sb)&aXm$In%0jwr`r7=MQVmpHR@YFlpdsW^e+-qpzQrtg)zx2o+h?=g5;IPj3%r zxH0F&mB!`_H$Fb#3^zVrb%q;jVYo4eENO}T%SoU;StmYMx@ZiqI$M{F)8TIWxUyZU zc6c-GT*(M5eI=9LQOw`-^LH^Mgeour;BJN+M%i$GOXyUHO%$j*HAY9J_#IzzeCh4s z{5Do20?u#4`E3LqYz^umo!`bhy2NLn{z%RdiLd)QMED5PuLW}Z`x&um&#D*CjqUvt zQ9M6w7Pi-$Fc~D{R8xpkICe)}kuZI!x+HLWT66~u$CeyhdV4s-4QIIF3^xKbLua_* z3^!hXnNw&xRSDCcn&6Ejw+kfYhP#JXgT4Nh9^c*;Er0BktNUr^P4kPIj0b@aftjkT zGWx4F-6rF?-~gT3#?-Rv%r@R1>uI(zuM`K*wF>DudKZ7y zzr9n#{tjzpW%XcO+TXmd9^31*ulkC^!fp(Is=0>w_J^)tb_uhwDDSyd|MfYy>N}^6 z@5wDWrw!+{F>fNRG|QaRMtTxU0#_a+13^^jK0Z~t?;l^49><$!2l=gX^{9NLPy0J- zO_kOtuS79c5EddT$CQ3Q=a`an+6X$HbK3ZL)j4g%uS8EvR>?VSEb#7FtSQuK1A>8n zaMpxn_ErXxrtSh+r9qDx`*3ny*y!!nHa2!op6)9tciMoU!BfU)3nxeex1ME9#uJoV zqpX3mF-Bnx@@L-k*=Ym2ViO(NPPtYiwaa?`DVMveKV0rzw2tic zxt|5)&xxuGPsc~9x_5iiE_UhR_0ivd!=sim+Gw_hKjO3T`FoSH*{C6_3&IWvX~R1} z09D7tf(%Sa_u_+x7&Kc_&_2D-JpVeO<9(jFNY>l1S$k}^5=IZDJzS}@6tJLKHsjO7 zr6;icgR(?wLBeA$qfE=H<n5leJj-n=ER_&cYiT-go@3Ehl|Y?0zjcz zF!kxjM~>aW{n=ARx6eu2d|xJNZy69(v^ zG!L)GixD`5=H&(T;9?t16z8}*Sq9|gIrjkJA-0kPwH@ZeuvgR&R0(TIq{G;GsrY=T znsW2$_NJ2EZa+MnZ*-=jBzfGXjqKxPxz#&s+0GL^Wtk~Xl%x#vodX9jZ;uTOinX0o3d7_?$P$Zvmt`OUE`I|+$)fY&6Sjfy4&##m8nd2F zNTP|rPQ}&`ZDSlzdlUjQE;ZcV%+T3lb44{rPbp>vIt<28+%*Jr8Z|*VQDV(va|Azb zFf5RoNJ{wB8pg0pk8v2TAsm858gDoWACF2b_+!>sYNoF!LoZl6sU^?=mL$5u6t5>h zD}fWt2!E`k(}&YAeFSA%8w`_TL;Qq6d7bJs85@UGtZU|=K zRG>sH1lPbPqD?QzkAD1hG80O0wME0;l}^s<&4#%K00S+=ir4NH4H%3JhJk{~N>l3- 
zTCFzm=N@ihWK8yG5ogW=5CTlJ8vepYtgBsE;D2<0mavYA$?jAsOELU6X~=YOiDg9+^#%DIqQ1Q+K$#fQ%RR_>B#a;Ilm(kpK_uWJwW`(%~YK?VzdBD{Zq@Go@ii>?o-Fn3w|;pm2*2n*i#ibXa3*Nr z_NhU9*lCkWM)xjmMe}?_GDrK(ZkHaUov|tF5uzxkl21%$rcuXGk5VA-@CI1Ccz^i* zsh?MA4PHTOY!qQLx6P~GN#^#~VMP==jnZ}Bwx_!96+4~5$?nehR2L4ZY>okXjdp}> zO$eJ)X`MnAZl@B7enriZxnlG(*dn$o3_U^Z(JD--)yV?~a9?;UcZD zvroTar_vBBNZ(c$A96m&N6y>ZAyG%IYU^yH@o-Q*=HhR>KnR!2*a2I4rPI z%^)Y`o(7r>F^G{2R?AT2TvepSeFIEDFvM^-T`Yx`TWho=k)^N2Ty^Ju|9|M@pfWJb>~SEp4|e;yxoXv&Ei5PJ`PI|TArd5;?q zr|?D??m=8cvD2KeYNfr0Uw63&)darwYXQfW$VrPB{3eM00>-K$$!Zlo35Krzp8}^1c+QhsDu{KQZrxc z*(p{9!3H(h$4CPdeCiB@o`ak+7U}7h+#UXrUP;En|JT-F%08#`>N}wWlA3J%iUy)2yP7$R?=&J6zIb`~+FQQ9 zI=%ZjcYMJ*^?#+`k4q~%$JY}NU*zqD9>_ujvxyQ+1Yg2>GE7i$+MEiMBjcA2a4e)( zA%}92BI{B3B9NtG_Dn{Mhi~YGDKH&F;AsP|O3%wOdS#uC@Xf@z7!WhEEB)Kdx|51& zDapQ@1{tC}WUO7>o}TQ^bT*GydCMIyUA5fI{)F3*lz%f&nxW1LCAo9S06#-EekmD6 zsYq=;sukjRnj&fKjdHrM=w$D-d$1?PJ(G={ec7FVZ1d-sPIRz++&G)loy}cYmvdZq zwX5C#H9FB>jxGaY(MwMg>iUWcU|5{N)CTWrlH1s)Hh9yO+>S7{*OoBkHC2+a;%e!+ z?P>-uTz{WGySH9Cj5^Q=WeQ!y`HT0`>Bo5IJu}Xhu)r1U?w?LXNA=WIv(beF4n%{?O@FQ0+zkzQ=!2%A^$87AFG6_yN8!3jI;7?vsSE_V_ zkt|Q2);D*qnw{tF^LqP?ukLHBdiuw7(ZWRoqi}K?*NnGs&1+8`fQq(ZiLesQ`SOC)Ni`OdQMHtu?lSDmNd`zLotKei^9%P0XHe=K8@@|+lcVbQ;eFI9Z$?e#}9^qiWv z3lY~{M`*$AEOly4`rn3c!7Uk=Krt2@Z(>?-r_OHZ7Tl?8H+&23jLrS39^7M_&X_xv z|F<>aPG7g7n{bZ}LMDSQWtRDL#)sTBl`ZM=Y^l5boOd3h%-4NX|rdh~n29mpB8`Fy?(xxMIbYDz^0YDo_naXv58n_M{FglT1MzwhcE^ zP*8CZ+;?^CXfheh zDYK=Vk~pUsy(sIZJaf8V-~ z6%34rzQ&oRe%wB#`VO7}k%KZJtPWXyUl_Lp(11Hd8emk^siIE#PXisP)`Jt2(#$Af zA+97U<2Z#^LYP_nZyB?{bCNM`y|GX%jftf_a~yP~$*OIfhafA#BxE3gPZoNCe->2Y zAdbe8z}P$Otd>^b5|21RNKv+GXQ=k6Qjt;w~u4zf;^YoHaWw29s?6 z5-l{7=}o2Tw!GXor}nvdvHrYxe`z|0J3Y6qwl3_X%YCZ@N463UdLEiJ_CS+DbhHz&ryG!~~s{@M-iU`pTHuktUA zYc{WoMN!4t5H%fbvHsiKOX=%2w0mh>_%Rt|Dbu^eCG-qvL6K6o5whe4e~4Y?&-2au z&H3iT*~Q7i&2RRjbw24OLyO4L6#16~IYXiU$SNA=^=}ndD(hdOG6{-mNSe68dU*Fz zMsVZ^?xob=%?WZZrO$6z_fppS4eMUY+TpM9E{$zA<6f=tZsrF$m&SAx#(h)A4JDIM zI!wq+-x4=of;frvupD2We>ZI%Z|>F_2fL5gtv$Oa_x2oDrxRW}ObZdXkREd?^!Yx@ 
z3u_|lu7Vy#370I##x!c-Fbj>%C~h$oL!E$A3oj;#5;w&4$o*MBlvXy_QDS zO!;%li=}+=S2k+!Mw8zuatI^nF;gBrn#Z&4=hjMVZMW`z?w{AX^G|YZ!nH2xW#E7k zj&i4sj8yf0^-aqFVq1bzIOl}Pt}!+VHfqVkyz;^dV{PA&{BS)-ORX6^;rnBlso`VVJ(NiX6s^DKNFZg$!mF?{`I_;zFTKA5*?(MuknsmYM zaNe+=l#C#`nr{D+@kW3yS0T-Bf2#z4RdwTY+)Gu}jjHNK-a#7alvPzXCdapAxpszx zY#Leme_oy}wJ-F;?~UGB@91E?alX59r*;<4rkgBHk!uNmQ?{~^R8(mos#F!-sETe> zMK}Jus-hcz#;b~M{NFbzWp-s(W~KDTrzd?am8VTB?&evW+x;_n+^uh&JVVsnUr%_^ z4P5yEd&q>NnyALHcmLZ<*$s`u%{6o$VI%L2f4k_0u>sjsslW%Ay*4SlDW&L!V#-+0 z3uBf~dpmlI&GhDX7v-rqpS%2i*jkP9p!$s3l-s8dwfolL;q9-bM{t+kbTKLCw3gm~ zUeS%i_WhUC-01(_ah2R?5wA-_52`wojUJFl&_!)3dMpo+0-g;#_vbrd1bbNRH-|vII9>OSH-HOhKuE6xhTlf3{X8I>d%y}7bBIk8CtFb@QyAc(03S+L3) zl=k!oBS)6G8A?HBwJ`(j5U9aZaiczf+H`ffcz3_pJY7Dk{cQB=mp8Th#m`ckhRtNa zid!b3ri1xFF-n-5C0Bvd6pn5QcDW_WZWk0X*_-s3kS?Rmy{d;=@Z_0?&3Qta6fQ* zC{_S)?pSdUDeb3G)O}e9#$9|rg~jnv09NZr2P)+r!7oymQ!)W2GB5r3>tSY`;o?}F z2|m)|yk0hPB>)VpQX}r&D;fyQ4Abz+>XD9CA6kue@NNyfx=gff z&bec_Va||c9Js>qUtc)E35Xy8rO(c>fri12iWYZ^aQe0Koc?^J{`BKsEp#6*f87cB zAZKrWeOmqT590LFgVU1)!7;$bXUE&Nefyw&l+Wpt&%AN^Y`z|Ggk*8CH%^bq3FHt}LMP6bRaWeLqNd*9cLd(*ialJe=&h@T({Gid>I=VXb zo89I~cXxw*7Bmj)mvS=!Ie)?W(w#lJzjWtH_U5j1z5e5In|}o${`tm#M~?aH0b2Wh zqS~{yrDG}C@%;Ms#RA{G_$PWF5)Oes@BHU~^2WW}U;6%Y8B5UUKF>DRo_5NO z+qVEI9U*Wo-UaGMJEu3>t&5w__DmU7*S5( zmjg8cW`8&54(I~rG^nMw_yNuq_n#R5aDq{B3#qYyQp6L#eERPJ2b`?0 zmZ}?5lump=NkPEMDkV6CkSWn^gTyKX8C?U+6Mq6WHl7NcGaB23W8*k05#O%^udp&2 zyNolYZQPdU0^Buj8QxRAM1Xnd1M*>#96;1^AGb6DGk|GaI!|sgoTn1dY9Rc=+i4V! 
z_KXMz_?Zi(ea;HX{o&O~m2|7LErfJqug_<0V3P=A98 zK@7!k6mNoSV#i$wi^XnnpeUIJn86ugM)O2QzJay|!mA;ZDYdzHV}r0_2sPqu5jq+;#Zug>odj7L^vOcd*_aAEK?qcU* z!qt4mfWn#%8*V&gcRcnSxEx0|-YTB|tZ!`zc98PdN#|2A?jY z$3QOst?e%=ap6IX(Bsuc%q9@>Cs1GcyPDsN(> zYFScpQxRCOr+3jF5!~D51%LP1#pCy8>#lRR=5J269~yVvr<>+@b1u4szGL+!g4PDs zkR2cl#jz${&{TSyZ}Lhz1C4`XB}Wq8`{GFK@242)q170Qci|Mx!9`j*(>_lkWwRM( zGpd+Sp;^4MA-!Pyv-ZL5x1(eWS!Hgu?Rcm;X};KaAqGm%gQY6s~g^NJ9k4B`uRlOFT4$$qGEzj^{JFk96j(S zXpO>12HG#72#%Dro_}2x@qJeB8Cnrv;tO1OqshCXisBA#&yOx!hg|X&AO-KDmnNP@(KHvtP)8L=rC1y3+2foH4BUNTDt)oK9WWi6v z<=^FT`Q-NT@cHED`sW#wXx%N~nbk z$XgCYl^ijgi$0iER6x;1qn<06ej99BU>YjB2uoix@)deMwhz|^t8X;+$4UDIs4z0D zJF4&~Slqfm))+|@Hpu8saZklK9Wbgt>d2YLjrAsJ-f;?ghNAOEwE=7yU!${>Qeiyf zTC<2^8@{aqWq&yIcQVHqLxG!xBZ`2W8%hiEn<&v=z)M*rEct_|R=g-<(sI!Bq#+A~ zl-?l~>DTITYGUb1<-guDX$5Q`dm)vAY?kYy*R5@3oIDaC<2HIdd!b)Ni`rWYnxMhlJM``LN5FgKJuORFQ0R+{xD{;jrgOPfdll3NI zQlS@Mio9=RGSs*Zx>R>_AJ*mtqwt!%v5EOPr*LVt_XJn0Oa;Yo{R{_o80KX%+bpcf z>>UNp^_N>>A^ZHOhX@r z983aNrE(M|6_Z-!F=_2~b?0_tf9r0xp{_4?e%BY48ygdkN%=%+k}%1Il^t~DoT)JB zZ^5L@NKq%H=Q^WE@qT$sTKLs|zE*QyZhy#ylit>Yd|cUela5JH-n7rbBr#6qEh|=3 z1}On1Vdntjjii*0&x7XB-}?sJn>^YADR-~cMl zzPOMk1vrVl zEf$yzY*8+Rlwi`iL3RtcP{}Nw4z7}0(_KNKDlkVSK zbso#MFE5+4Z*~)vnXAarv{;VFuq_DseAyH+wlG+tjD?vDYYSO$KeY(V*ntjDY}#g} z;22E6u>4>ylz;Igw{Due z{AbW>eC?jqNX-oLu_65`yd{j_O@@G#arjq=TDU>y2+_u%-GqPB`)C$m#;>7u-+do1 z%3RL-cyv7wx7p{*LFJ@&ae77yLv_3e?j*&*N1QQC z1i_9G4iT0Um!DC1!1*h;(|_$o#I>~m%StWX#&MeB)F;#wf|UYjV*}(V92bW{m4GQml!EO z-SqbNkJwH-)$P|pw-4Sb3EV!j$6{$o%iW!nS7I*I35qP+{+xP`(SM=Nc6k5cy`K~L zZol(r?=o-AqpQt^I)!xM8q2JS0BIH6dSnfd4(Wv$_8$u?Voi}QMY_Ke>6l9)ZTy2m zjp#_Hn#1a_b}-cEyBFQ=S+Skn%ZhbJI)(YQc(^!m=|jf=vUysa#EL{K11bPhs7s;l zFNZp0E<~Cy-x`>w=zmD3`}c=eS<^l&-(@?Q`?ls$Rq}wE=jv8bGm?&mSkuF8L zzYpmGgX#=DJW6ou%d*^z4t2S6_Eze*I@f3KwPtt!p;!7W=YJ>EMF|iXED&&eRv|@- z9LE{H6Mc-*UrdjZ*g3s_qd{F@PPB5ccPC*~31O5mi$EQ6M1NbYJ@@(}T?%At3}k^D zA%WX7%VE)yxBs4OBH;<9OuN@uvDy?g^M=o~-BR7Su z`gNya>g(PhjVbHkRzV5LDQA;?H4ylWwgMY=X~EdCsog=q#~f}sww^XhGAjHU0Kqp1 
z*x8uP1iGnL_Z-pkNX$`JCWXDtg}s;{NgPFmvXtw;+;aoahpnP0EHdc- za(`9%R|$A-uq~6;B-Qvf81_=n%{qH-u$!hNjPvk9(y9AX&&`rET$SfWF)(7JOZK@= zo|~Y)DPU~{cRm0qj#Qe&uVSP`Xbj)Yf!I24?~rWy_$I?|Yt_BIV(wRo@x_XAEtd`) z6DhzLCD=1;LW*aYu?~mRrx_Tk1Vn6b&VNmWzA1xVxzm3x_dwFkN^&b4O5uEB2V;r+ zt3IN9Jole^IBT$%pXWLKg?IkFM|0i#1JXHcyd2+WtMy`|?@cJ|)2FkC+)epBUmETX zp3lvTKKxjLbpQFqe?8m$yJg;y-oNO-$!adsQ3r#LEavZy{_&oNsp|8ePyYAcd4J<} zbMmm&skQAhYn3`j`K`+7pqjwA6?Jw0N~_r2QD zUc1*To|Rv^35+Z5_1<>rZqUqhE9Wm&wwJYgy#&VHDc=qoZ>o9y(JbueRJ+|C9K9wm z?(JLS;i3HWc}z=%oZdIZ?aoCx+JCq+8+SsNw89u6mG$Hjue#+=xA#!)G(OANI_IB> zPk;LHRN#!%dK2)SOv4`k-(GdI9X0L%J0o&HxfC4Ti@qX zvo_LcC3x{S*`65#aPj4hP+Ce$BlNL!TRFpt06+k3dx}#(;qjPp4D5Eo3@G@xq+!GT z!qJlEyjsSP2n2N&Xh*mWHGkkAKWAWxh!|$XZsln|znv@HU9q>u%WZGFC>H9}^9wQE zrB2~s)LK|pDkq(RZhti{3>c{vjAbv+>0;i%AVNGaAtq4WCk_()m2Y<-GWin;QYuCD zuWNrLs%HW>N&>gfei~26EO-0bA*V#vFKek^2)RU5bmUYgo$4uXv43nk`?6Ky-I6`H z-q~p66gu5+uL?S;RZIYC1YoC$j-9>R z_v*)M{pqZjf7vdx_bynrWV5l8V!spGPDR#Qw zUKw^G4>eKR_*?8YI)8SOQ}tHfyD014?%C;c<*>4A4mKP+ll8)`7CHsC-(*aNW$>iX znL=j@oryrFQrt*JjbF8XiEKrO&a2asxEwb7&&@%PtJ2jyIrz9;bLiB{k;W2gB=$cU z|M157I$f6np;UyWe5c5nB4>)6i6EyGlo{nM74ahHc68+Y9DiK!-IJ%A_OR7BHIG|2 z9YOXs896t~*NJ$-r7&Sc>?r|qEsfH0rpTEhXCla{iKK#2?Z=Z+BD>L%^XzQ+ar}5u zxNjB@k53=W)`4ktHX1oM$h~s-e}<5BsZs`lv-@emjdV4wG=p0;B>#eByj5Kt3UPKk{QE@ z_7AS-qXXv$e|tYH=BuR&9e&D-+gEx=>uV02Ry&MgLvzC!NRQu?(n$fnDb-kI&*48j zRob4iuz;lEag~@L0w&B-V|{e(??lePy_CT1@u4q6nZpfcK5BnZPdGPfNhl5*aJrOW z$p=n&xS7dED3PE4yek-S`U#eO=7h(aLBe>_d%4@!PI|-fQH&ES{PR2Zql@p#o!Yv{ z(!oK)?lwN(E{E@juTSePzPUq@5&*0oOU<~o`D#2yL1lJH*gcvUWL8XF?cdk_PU*c$ zyJtDOR3QZNewano7?HbaoRs1O}DZ}+ox*cw0a5;;km4fZBino`iLv^ChrG<-yCZ7PJ(Fh8j@pB#`m)}@>m$k76*YaR>1>;dx^9}^F@G6iGRA7@j!os;D z$#1=Vw3&(9BVNOvpi8}+(P5K<7ytt;#FA?_LIVafgK1a~$Fe(K+^sc(R?BVtxx>Xq z#$0H2&%Dd~5u{+PpVD9H5E)xR`&5p^U==hq;(jmH&@c`R8f?OWy8d5X1tr zW$*tz#LL*@CI~tewL+o(;R~Io(V?^1%02hXA4l23lWvlS>(3Xn^~=I@i}5alitZ2s zN-(t?j^%WA4ZIl#vl2NHmV+K-f;-1VaF@*GT{a+-l>wWKgJNVX@nORB;a%23b4!1j 
z3L{C&ZTGJ(yW;x!K2P3z{i+`Dq5gXSb0MnSVr}r=?KKfeCq7#}QLf)FubL*8dbw++ z5W+A$RVv^`h_e_34X@4Ddgr)PD4e}LHrl-2tX|voR<5izjs=T~fch=0p_5JZGR*B# zX5bIWgz54nA7HnY1)0SMDjY%;GQ@ui;#y=rF4Z~T`7ZjPT!L{C?o%!BetTP)&VGJS zD4yg?gXU${3kMgUPt_J}Hu-Vp;Botk9Sxpj=8wUPKU~3z_ig5YZH2J{Es;|WZ1)L$ zh&bqT6JX||F$`}$Gy_dIRw^((g=E-qn@#%@v4@A0N@-28#YLzot{fq?0g!*9*#1M( z3I9_@Aj7n_=uZ@!5EeQ;4H^O1lBhazPMMg@?V9;?x!GAj5AF6W1=P040^^_9ur-d4DeK^#lEHuODTxXE%A>%06{w3CWCO>S#o>qCGWFA9Q6I_7^M0|p z*$NcX4z~IQ+sY^~W$4tz;_6S8T2)lbv-(ru5gV&d!Cx6^PfA**BBb)9+Ec1Meg9D~ z>xn|3lhR5{#6^J5MbTw)*@w}TE3P;m#I2A%>V^$KLhMA%{G!=>gX90T$n>?JC- z0ssk5T$=ytq=V%K3MObRHz3TGTUxh!wPj3Ua(B$6s`wH=(Ya(2eo>i(*D;gqE}K8S z*he7b?ZrQ#A&a{JhOB?NwnV8LD5lasgYPoBzI1x?)-E;9Z}#$+54GZc?xA&ExL$L8 zNg2m=B*6v}U@uKa^T1reTqw}Bm7=I}FR3uC*5O2rGL-8ul95znN;RhMzaQh!QewdX zWRvD=eB1EHd^MVIK+s8Ja{=r1+q~w4ateZDV!V-c4S*~RmoD1 z-vo+nY|OjdyZdsTXhN9a#-bg+5dy9WWlZKG>P?*H@Og;?)WpCJvU*vHj8%G=K$9?VV6+Ge=%)%(sxW>3h1iFgk%7pSVaDYj zi_pCC%Y=n9Wzi-UYC1*#%Z4RNSjHmdh>uKcBEU)oLwmBD{m8}^0-k^vFqQ=_LKWl3mV( zH(SDIA?dT4IGU`7@)THS&!uLH=m6d6I=b%kbR^8y<<)ufHzo z6C4$aCHQduKw^6ur6=ob!Wuti!DypIT1CA%>_5sAd`B7r76sGNRqba=?U5u6Gzy)@ z=SJ63UXBEP^hQkw#0dG0l6)31X2Jya>)2rhJOq7?%%1sh={09Ll|zjM*$=W(fxLeXmDCBps<4&B3QB6EWE4z!5w7JV zz18NgB%B4I0O18Pz#~({hImZ^!%U$6!Lc#KzwqHUy5PS(dMLafozlX~o_Zb}m7k4b z?`tmjjfLeTT%b}dw3!k78x>^&Wfibbnow@CRPv{i|NHMd6ahA>;+lXdHi>o%hnW)c zVb6ch;#`|BQzD^>`R{J=Fq8k<{;nufQnMMoEKDz!3U$-vUe@0hWb%J+3kR8!!jJXP zme}-V4;>*#f&%4VVt*f9U8>aRQR(`Yb?%4dlhb0pxz(lZ%~qF^jxp72ty1$Tvri<8 znMpwnQ)vy@=vt~PMGY|l3LAkmOKQ?*y?B3wDIiI5i3pQ#66YF4nEdCrXoM-~{Vf_{ z3R>ac6JSbgHc7v&WEXQq@uh@LLeeKSX((9-dJW41={2Mw4B2=5i|4D+)ux-ftLx16 zAe(>bUzgu+-=A+8%l<00X)$^Y%it(5r1U{{S?eJX7}0A;*gUY@+#>Y_mBB2|Mwx$_ zRg2SWP+}eA9)t7E;A9d$exP~$8j5m)Uk-~X4WDnDc0YgJzdh-m)T`Oj#rf5RR~6bj zKG3ZLy>+-#A^Y3v@ciN7{Os>hrWPXL==L5mjdCSZ>GoZtafk*nhFpG3Nv&pr)#x$+ zLoBp3BDr(_?|9JBCj6GI|63RiwD4~K1#K(O#A;tZz5hihbs)CR+dCv%KE8j+@Y`B- zZ?Bm1Vq(2pdF_vuL>i6>pcu1|o*tX{UdzuYhaF=TH`v64f~~HYcbvv>(psB&FMoo? 
z7rbxrZ+6Efq#Vg$>M=tE;8_rB<70F@d#F5p9?%AT%(m~YZc8tFud<(61ka|+&&PPy z#q~{AIU-=jNTESLLZ;(MJmY^BIgLTJwnQUO0t-&Pp*8$xzC)>Augkjhi@#wISr7rr zIJH#x@s5evUO<#l0VYl;@7SNBwD8DE3(fRu{dTz%psuuP^}!01mDyiiIbRs%!5MXc z#u`Az|5!goKh`C?*WfSD_1s}LmwzR@_L_IsoG*-0q8$+JUjuX;UIg)BXPb3jY8dwJ#q*Hc@t5Af5<%IFS>ADM zq1$d09mHZ{;>KkO$#W_*DTRzaDEW!z&$0=Ks1x*%ul4fvv6!8$-C;V5VoP0$ zFWId0R4&$KdOk1R98G_2bL2v?9l&4*Foe0G9l&4*Fa*Pm9l)@u)!P9KAG@0!!0?f) z|Ihv34{(0H`Sk1Y5crbm8$HWS`iJ33KUVYn`MfhtEzeoDwTQOY*Aex@Nk1YEpbNr) z4%8e!Kja|{3>XA}VqgifrTs@u`|S`0kE=t$r>{#)rGG5~#3_FvnUAw`A09nd<6)za zMeQMqK1O>ZJ z=Y~~Cn)baOWr!XwvErtWEefnVOcv@l#ptY?iaqs5X;sO`@hI|p5c5MOaJkc(Ps~bs z^Dkd-|8BqT*BgJoM5)cE{|;$kkoRzR0j?V#M&a>coZ{!hQRiMikYQCv-V!` z;cJ{u0BOn^UaSS3UV*tO>9JT`Uk3j5Ds`1~;vcqwXB8%Xeg?YcDZS6!7moMUDb z8)lrwEnO7@OMV_v9CQNLTED^8Zv;88EFjyKkey)oYF&Szee&Y{66aZHgER}G4DfXA zzR_>+ek1-1*F3hC?2e4bAJQoHg)|drxlg+I5FXH4;<`D$*96X>& zM-VBbFzSG!uiw!hK;x#u2!01?>THF7PxQ~?nO5*ZoO088mr<#_;LOa2CsYtZI1n(e zseOcKqqKioINQfb7AA=R9Aie?f*na+V(uR_V-AJH$CPDp$bm5Xb!g_hYRzM7z3zx* zzT%fwzQ^()zkM!1_L-qK36EyHdKF{1vA(GehncZZi&T8_ZRy*`#4q_gev~nDCeO4p z@-Vys9tcy|^bAlgnAk+KE>f+a%Ban2_Ud?>$}N9$_$la2UUjmh_+~n;7JAiIJ|?d3 z%ax^jJ4af*aV|ESKho-LJ)x&p7xb!gG>P1?OJCOUwvKm*8(PQPI^Mx>V;yhncw5K& zr#jwR`A@|~riRk5ebg*G=kJ~uRk4`7x~M-iV}-kZwA-q#em3VvW^oZS-bPD6uXiYa zx6^;pI)L(TT(eiZ+Z5I+ibP=RD9iben)6$`+vDm`*y(3?Q-b^_JRyb<5KHVm;pr(n zc%~P*{!O7+DtA|f$Wq;nA206ahwXPuP93iJGgDW0p&DT=0M9-4rB1@^3efj|hk zX;vTb$)eJA|+7*l@$Uef#A>Y|LgIF|3sTGu&rojuS09=!aJ z*_}GQN_@A`{q{A#-sD#AG~~n#5*v`wk?dR~?VkW1A#nIypITMAORn z*o+B+wWP?EeEqe#xtT+c88O|u{VRW*KYeUR0kmqPabP5n`}cYUG~zrrx7Mcj5JgID z6+J6q`q%`ULkA9Mub=Cm+T8GtC_+>rNWBro+b%bCVCM*KP8U3%>!QkipWk3}`>tB^ z*j}$Y;+dc11q9!hpiu}ffSjIZcJL0}8e;YCqJCRlM=x=Eel3Uctnhf?f){_14#Nu8 zAveu>H%}lECGq)WH}c2fzY=f`2{tKR39s z##|^f9LX~N|DOAujNcmE9#@A#PJe^jweL5DU(-YrqMmm}0A}H#vvJ=Ri_9WX>}K?+ zlkJ^eq#yf-ZEy==CL{suNJXiM{co|;INThN6&csrh=1>(=O-<0P5^(yfo%Z@D$RJf zuHW1w#n`Rcdjsa}Di$A}F4whKq`tTu!N*Fj?|%|s+X`0&D!!ss0oDa?siZ%j^2 
z8(MB;?L#gV;*4uegC~DZ&Kk8dIg8^+w^)hY)!UH=Tr9aUpdVkT$}qJ~b~1OXMzNB5 zWQrUONE|z>vO22OQA6C&>Zn#n4Tc-5qgox+>Zm_eN5#rl4Uhx?h`R~0oAjTCC;h$3 z;x-XK?Jnjw_%XJ=oTNI9LvM&5MEXr{OksX$AsLXM1FjV^oP~b@D+oM1VM+f{lYT3u zdR!d}Jbk59Nc#Q26H}of{2=0uo~iKYi4${t6P-sR-AId)L781w^6A5tQn5K&2GrX0 zqND(!o4xOzdt(ZTFf1qp(G-8`=vh#2Ol>k;Ak#z(B}4YcG-t7y2!zZ`e;&OR7qf@c zX5oe>mu<{fv)_LMnIG$o*%-B(WY1FK{{DV;vENF<{hzQGS~-kRGZ~mjL+3ZR6@UkYj1U3>GQAPM?u0#26ga(r z*U+3vbE1$*ck4VZ zWmED@sx2^LHSk211p!OL^MGcB-|xyRL^;MLbM$H-qo26QpKCB3IB;hXUAiXVFy*R|aF z9nRjP$!s}$>L<^?3tm6iM~@N*NQ;J0si=R3ykrwzk;5_MT4rdA0+jWyJ_;eayelD7 z?l8h2XCjd6gq$U*fr%*7RyqJs@6=#WOJpmh>skAH)aaI5y?D+7>g&7uh@oDXj9p9d zd))N5uleP*Nsw>*q6QL1Ggsb2XmM?a+NAt|Vb~V>-|Lf8cnN*P0AF-jv0U9 zq)iV}0hE0MHB7Ty0-G3P2t*pf#b;3CYo%Ju75s)$uprZEy}X~!Z`#-OXd?D-)k?%t z11j7IP$yTNS}PJ?k8ela%e5Soo5jNK!H{DoWmc=TT5X6MTCLVwOXsyTCMhn zYPAIUkDkX=Q-Waad#45M@M%FjIUIi{8V~dHv44`c=hiTrF^wo!jYMv_DZbZpldHYy540Q z4{Fruix9T}clPT&mR?(3Qf^DJ5j0uQ&Ot)CvebrU$xYK<50x^|OCUEwE41 zO`T%}5DuxEOB8-btQ8C)fg}pjYRA{}NTYc!lkB!e$ckJH(?e+i_4QqSM5~Q=TvNin zN2-1El3!l*M3mN>Prn*G&pjQvPeu7~hxT&u^Xht(Sa!+!rd-KZ3#V7fo4umOS4>Kx zj(~(+nbw<-E^fevL=ICL7%P9m8c8m`uttD66eu7?kYaKLoZrjiVU9u)kd8yL#~~4Q z6=D4$W<)_Iqa_b&IQNYx@D)`AmTh@l9r0g7=CQqccBCZ!@FHEat+t#Xg*jsGM8gd) z58>e@mtQ7WUdA(z?c}gO{;YL6OHo#q9!hiT8q{DxVRfd@HSzJRd z_YE(UIGSrMv?gX~6=h!VLL6)+P;t(Ia1#%7F%^}@x(Z?`7F~`HUHn&&d2Fqn9kJz| zsoDM}GbC<^Nx#OpJB-a9Cg-X(Yg|gqn40QRBbk}zzANAPU@sgjAf-VBzI1GU43~@i z$7MEfPml)W&{RqPlYf8z++-G1GO08RI{5c^et))zaGFQ$yIcidXCIo4H(ka1!{+Sl zY9SWg>?n6zuhnOH{bmeor_5XNcCj9R%=aqMbz4_aogPi@bL0SIJ!b1Mhqk3Mh(;6Kn(`@5U_A25LMb_SD!(R zFYet$AT7Z-ut>XBc#IOh9?z%U)e{}_I8QVm+z6mb4~u^bvdWi$L7cAY>`AIz?e}2F zv2!x3)mp7K#0{-hYqi>7xUpKT)oQI)`%|@A_~gD?0+E`$or2>|3w9V`nwnK-X*BQE zqM1xAmCc+bGR58xPYbXHU=V<+f-6C#Jm7*LWx7vk71$=grUft0{m!(&O0^zWhl1C4 z#vS=ewSa#rnsDiTK91}#?WnyT+$|N%2@g|-Za@|II zIX-p6%K5C8=w2spFB3}SSx@lWNU47`$<2R}1B|tit&JS!hSo;5HgYiBSR2{e$ks;w zu{JXI6)XWLuxUFfycNqGS{S8H@0VvwQA#w`MYTW{i{>bQ;3I$nX+I){6L3PAq*_7n 
z_ow~cPD|?m+P`tlUTtIn9|DtLF~PF_qh|fqCHA;F6ngr*#P8~{oB`SP9uiM>Xrq53 zl9AiXVN1lG)Oq*uLJuq1$Ne^d`vRMoVTVGHhSdTbd$T96<_;ty+VoU2a;<+kPYA{2 zT`^WD$5a(DbNru3*Rb(d_+(oaF*Z$8f;E!IbhF<`#%hs?P&)Ed5s`JV^n1|qV+L?z z*7)D3Fl@}aIq8mv?at)HY{2`*47SDpMw8BTJfE~W)06(_WY+7PoHb5Q9wy_vPHX1) zAjYuMoqYjb?CGt3IlM^XTOnxXV8P18o?RR04kv-D^*Jg;E0LSKySqrUnI2x zUyO_DFp3ycf&&i_8vsLrbP|82%@@S=TkCwU00Wza5)G``s29Xtc~A;x z@x^P?!v9WB8l(3AMrYCN%Vr%7891VFftX_|X{B1v@jE{y~Ovx3= z*w(Wzfs9IqutM%}{+Sq!1)v$>##;cy zQH*-TXfyR4ekcgy3}P{Mz0p5wn^PbW#H~HVezZr~DxKNAt?^e^x5uc4$jd6RwJ>vJSKmwXN z9BT@6n=?)}wFM5SqJX_XNC6JQ=sT#QC2o=TQKiA#s@wHE3;GF)^S204!kcu@eD*mC zI(@ttW@x8c9rJ(wg)H#1vuyVtp-LD+@TFk$p%`t9V&51IshJd}^2=*8?a*oG=^~k* zs8nJ$&qky5sEFPUPSXb;qN$^VfD09q+&#AXWiv4jD;!~n)10C&3eku=5S=*|T1e?F z<_CsoY|csuAQFLf8wa$TesqlfFV7|aATn>g^0&lej{Sd+QJXVK7)$AmAv^H=hOUxj zuTaLFs*EiM(c~cV6g%{QOrE_s#I!k2s5Z4Y>|ktaX^_^CD#6vhAQGlqmv34AJ|eP! z&mn>52W9S0i)_BmW}M`^lh!iPj^F%$dso)eII~3G`4w059;^4|k)03%H!R73MnZuE z2wNC-kiLKaeoy&hW^5Cu4M`xwH5v&i_B4*Ws!pA%?$gVygA$S7g2-IvE>E(wXi(U} zoiknBmkuwxdk;sd)mYuN^^LjO&Gz=m`P2h4wZ@Q=NUvma0r!hDvB-NaBm*Q1q2!S5 zl%pZC8UrF5=4d;4unsm&-t+|!S$-NK%kd-fkobR*e`+>2(plQWIVgab;sIo{)4Zwd z%$?RMvbnQxTyLEE?aDhztN)D~n7S+!k39UgQ}5p$@#^)-`DNp= ze<;`4@>nC!_-O#GyLXlw#1!vbMxD!Q5qV>rbhLwh#GRCRORC2~0XUPAZU{x4d*#0G zob~qaw;s=q>s@)VU!C1g<|Ml7yLYU*vj2Y!Rx!7Iv9Nl!)|`$EpSEK7q-RVd!<=(2Cj*be8vH_*=bV0ttNC_M)yxZkbJUWc7dC z4_@=OR6J_f<(1Vrt`|38C7zVs0zsq6dgk1&9UaU+cDu{_Tm8Ew>q~@9Hi&&b!s0n36_N&K zqHmBgT)n^AytzJEf845`K3%nDzt4Z}t=vvI!b%19NxCN53ol+}qAC(xSdd`psE0fm zd>u61d5esBW3{n00^mY|39T%X}JQN>R9u9v_PxKxP z@$~-Yc}B0+r{;hpYqx3_L(?a-m6SG zlxpe(nRtr@!mhGet|}tqgvSlWlX&oiuyhRFCY&lB)GpjZ<+!Cj*7qec6U~zrUaDZc<8Bg86Lh{OfZu;;{FYf=HC$vi z?jtkUa8N_2BIuxK<^|JQ!xxybnE~;c5JFm#!d5msAZV&kjwA8V_@!Sd$#IRLyf+G? 
z;k$&D(Kw4FEL}3~xa1g7PT`2i&1t)c@SHnO#jMO*MAEJq5YQ95*P_6PlJtS4m)ud= zDJ${EB48jUOF3(d5|)352c(S1lh!#`-gEz_`b|G9QXW>tF(9ppLsAkJal?p+lJISY zC?!dnC^;f5$I@zd?*x@}M3L`2bU+s|rzv2A1$k%HCkzMXV@LoGFOagzo|5 zkP-g6AQ@ByBkzASisLC$_9u7*-$g>q@jeiQ3WzWw_>)2ni7mrmyb>uF79t`tLs<*G z+aeZ&)Y3SHSPdd6(yE1+U1kum@W*J&iV6D%?OliUS>~-EF?#1*W<=UmNV<1%5DY&b z!}lRba!ex_d!06DLGGxSz+*ZD%CKCXh$voaI>U9I`4NVW^a98MBu9IF za5jdCL*mIzEZLfx4z6K+3bqO0CylqTb4*}73uy!FO z76RVx;cp10uVM?QzXTgHz&;qkh>wT4m!8feaEOc!us-7Jdv!H99^$zo*>Z#=n2S^? zbD^t%ddYt^L$rVi2FF7vCDnC0S-=yINrgT-hzKYT7Q-Bfg9}2ri@0D?DKHKEb>lNY z$pN5VXzKY}se_JTNKDHC2(=^0c$bQ!xQJX6Gw$NB7?vhR6xF1_W?&<J$c7x@20*)Pbc_rvK*wf$fSS%(9f9YONp$U#0C*Ekl*B&=!+2jNtWpG5nNoG z;Asmb&;LR^zpT-hHTq%0l{NaTOZ@v?B+f~VvFQOg4ugSx(s-0fH$++(Aj*_CXar9k911=fH6I(Dm{NPez=Zx zA@n}GTU6E4s#&{hYnX(=|>!|tkUOS4USh<>3?4=tMu8sXOh3)&h%aWYCO#;cXwuBm42f*(|>$u zHg_6+w&G_j&8)ddh#9zOcw&xTE+6JCsS$mze33E)B3()A5Sh$^7+rMVS61 z%k+w}K*425_OayoUx??IRr<0@KWwcphkBr=`!<@J`fThcVl_5e`fyq MAF#wzH&vt$0EN_rh5!Hn delta 81493 zcmV)7K*zt}=>^1x1%Drl2nY!M(PjVxWNBe%a$#+AE@gOQVQgt+a$$D>>|NJ#+sG1q z->-0aUzga)Vc(Rf9I1TkmWlxkVgSV?N?Z5eZx2Ng00|I)2-%bk*kwxyg9+VdPInJ_ z{{7?Ix9@|OuKoR=Z{O{4x!7t{dd27Of0^?myVq|x9k@g$zkm0gVXr*7vpyJf`~Up? zxBG-ucG_=G*)6+mcLsg9??3SSw{QPW{`I`4XO{=XPOW869++HmU!@eDKYQYICa;xT za;7w;vl|+niaj<(mK1giYxK9F5(B#eSE|KU-*&He_dpeeSjXpyxF0n?_|&fA1F0`PowyXJB4GyWDezwR*?yn@(|? z=X8tZ#^A-ALuhvPt!MuE=AJPv#F}smGbA-4oFmHR?6N6y!lAX%zzCWwgDz9?)o`2`}Mhj^nPN=Dj!j!qAQMVhl z`e0I7sE*QzGLDcI#I0-Jo{Wl=nqZ+k&ziS)_bU^r`L8<^y<*$mH&1kit(LbtJC$j7 zzDt)YUvzrre{S>4{X6q=>6J~7bnNc*E-KAY`TBXI)hM-loiQKhXWifv0LmdbTRL|G=>bZOXQc=%hzn-po63_^X2|+Ot zOeiG$>Y3xrQp(6YlTr|kL)G(7C6ukjQq>Gp;eU7a#1-4CWvICQ}b7BI%7>5^1XI{a+2REyp;Og z=IHoxGFEKE|5GE8v5HlBlXBEa42Uu4OW)MvU1%*#ksENzOIZbgpXY;U^as(|~@UtRMk+CjKsZQffg>7!Xw=6&KoV z@f1BV5HzL$9DYOi9F&LEBfWPwJi5sbWb5cY3rV3t&m?7x)6WAb0@c76Q9%@e;XoqD z2vY!=6ag*aR4V3jj~Pr+jexScYJc||!PH6lY@^$Lu2-J~eGt{F(F?Jk!&sB1L@1(! 
zWWa}zYg&6?iV(2Afh-{e(jmR&{1z}3E|2C|ki-;$iq4;Y2P)uEFk>K)ry!u>@qtP; zxmNe}@?~+mb9Sejz20Vyt~*d+$}HfLnj+xxlBhXv5k-~)vLyh_DZ?_{TYr=WQb|w@ z43m@)m`b-j9&ZuY#+Xwj!FHy=1Q&ox5vr7eMrBA9j#S9Pgh3ZmY&bMAuF^&8?sr3` zQ1LUzg5afwOVXoo^Hv^AyWIQQ&Av-=y&v!#WwVi#kitKA_44xaY20i=na>cWg-Q1($8S#{B9@}Dvjn?l*5ED zHL%BnK$HT>4MQmtM?wIKu4H>q>i#-DOf7e(rU6rPPo;rUh*%V;Du1XFQpn?vo4E27 zvpD8JXbsh60`a+uxgdpY^XKCrrJ02>SQd(E$~hCR1vdjJ;#PeMN=k7K_6iNQ>RiRb z7dyjib+yyMO8VSoR)`_n>r?ie|pL80;b7KHPi%@^B^){9RQCTIW^bb7U7r}0`G z7%=c%g|Vm^eE435F|>O==omE0#n$YGf#bIRdl}wWY;^42qO>@@My=5)wl0^xyEq&; z7k2-xA%ot~_V$InH!~M3!k6NmxjP8&1Pdi)0KJr8tymx{D}Tm^yW4_#;^%i8#b)7B z^ zKP~FJ_MVr${C_BT{1iZ#qj2-2=Bv{s-`zO{c)-DI;6#|%5GGNN=LoU{)e;L6l2ux& z&n%B9!|enD?n?#GUmaE44=gQNPk;FCSS&Rhwb}exHx_{zkR6EvV-cnJs9mZ#C&Tjf zxdR=VuRDBvvR$aGJ8DyIF$sp1P~0p*@SD;(O@O6hs(%%gT4UxlUOxibf95Ag0Bl>> z2ixuhI)m--Ti#cjXvL+{o?*;D`=4`1&+1mXA*Qqpj-kX1bw|AC8Mqf+dB7`BNhyBtqdq+Mf@MiV!R{RT(g5z?cDJ z3cyG(Qh%BV9?Tdk@sY7sx~x3j-EJP=wYP5Q5SJ>$%idQS?889XSM!`V}HBo_~p?_)uV8o-x*dFXd#EVDg7AuFill1I7#(69FSI4Z);$4T=XC>j~BpZJxYTl^X1v zJb&G6@3l7`o(j$VuMUh~$j6AOFr<-%d?5D)kn{#3>g>i{w!o9h;uEu2)3mg z@u86(A4}(;PI6l(Hy3-?&5;_&+82k$ujFJToN0-e%8)Tb#ta$bBV*{-${3m;IpaEz zG(N^h#?ecMHZC?VE49tN@k0gO?>#(s*MA)u1+%E68fjrZfKoqcDI*rBTF@COX^LaYe2Q3cK~kzcXF zDHpd;d9`YLKcU3=7OdLll*?NHx@5ESYLBnq?2I`UM9E-ZcQgL%TpDz?8(aALn1AWL zvy=Q@M-NN=wV$1lMNCRIld6k)zjyrTqKE5lw|SxS{m0hB_0ZYRpMP~&Og9AhnXpI!z7-sqHz$L| z3>GIxBrI|!=FfVP2_Q;9p@U&@H-A1Z=DPhO-5Hbf`q9(Q__dfXRkx1T9v3xOK2lT8 z2v*piB9m#$0HT3I<31+gt{fXtO!0C@&ip-|R06_e^+F&|8eYZSfP^=RFTftsf+L9u zB8#3J7()Wc&7#O6+uSVO-|vo#S6kgq?fQm{`h%ty6&t%-&l@FH9OQ-I&wpELOK(4I~cl}BP^x&c>|h$NsKHoR4&)0JZ5Psv0_*g zg*f8ES0J?%6%u2q;Vg!G35F`tL^G&m41ZS%6v%`W9Ml&Y?8~bdM@G!!N->kd8gTZAL@s{#<5OWq z*z93oQtRTCI%leEoFQdqXvS6?yD1tFX(oNDndB>p)&g3sCiqK>ON@-^mKM=-7Jv|7 zqKU!7SVa%S@`1%BJu`=SjKSM5@bAd1GRx%-frcp|IRWwk2+N6%tl(NO`tWrtZ#_){ z-M_5_*$@kTPSEYfUVrWA;Br(x<)h65H2lhhUNRu`n3@#3l6pM|^L)NqE$gyg&gbXv zdFS)tT-_U(4dG$$e4b*gjH@c@ySR+be`Pwqbar3y@c^=)2&h(l{&Qh5G)t`XtbbkD 
zkkRbif|09J9$ak4hsEW&gx54lEY_ApN^5MgCek_ouOb$sTz^Zjg5XZc!!udOaC9t9 z5-WiB7`qiHGSNcG01xnDl30*!pj6X2(_`Ou1jE-xN9J}9opasW z&2Qf0^THmwxb?!<;o;M`&+CsJ2S1!v@GIXwK0nFG+<#h-xr94?SQ3m*3KJV=z^@SX zyZu1CIoQ9(QX9V{qX?16>VY;R#fYJ)lw!jC>$euJu2wssI@D}W30#Fx!bGGKc6sMv z44j1t4S(zj0cD9ngd;{5)5+$$(068wU8Py1FUil$7ZE4w`CRHX%B9_Bxs=CrQK(iE zxrq8D)`*A>Os=s}W1JjQ*1*jraA@G#3>*RhW5M=Zg244l?VfGyKfNAsRqE~bM*aK& zI{4ZINgxXWJ<^&f^BJ2bru;F2ROA&^tu7LzP=6(J`BC^S@8+Fm5-x*Xnen5HAH5ye z0udGl%DCBn3^8A%8Ufe}ju^*^5-wrVikuFJ#UxW4GtEH+gcvZp>0J!&8_c zxPKHFCbGzhWqH?e%X~B-pn_Uc1=H1PLn~mO$C?m<2to{xb<&MgwJdU|^ zrEGci601N&?1>2iET0 zxnO2xnCqjbmZg37=KGKc5k{3ZhWLtuJM+$%trZnuS){+mCtJzgMQK-OsjDM-cYiJQ z#3UWdbmeSm)eqG?0OTJWLJa6dKadoY&4@v{WWpjaI}*`hB?2a?36^HSMTSL~#*|9!!l- zB)B%#EEDs~@ZYRYFyA#HvDSf4jeldrK*hjB)_?h5H?fWxgBBnV?-`Rfl-$nxTwJ=tF?9L=u)f`jd8b((bQxhcjhiOIa7v z*45O}WG#4+nm;>RSj2&r8es_b6D8PI>h*ejM9W+4<8tfrLb2WR^7-T0x_=X+h=oNa zdly68>`H?0$_Zb?+(hOxKB2)J!-#8P*4HjFBe;hvWES#EJ|XRkc@2@8to+qk;4I@t z(*xkoe9)+f`ECcyU_Uq_u-p~MHx(e;5`K*1mRE`*gryb|>_XvB4TV9F83#K82~Zdn zhbmBuQVRAy*k{Ci$LEJzYJbpHD-P-j%1Bro-^sEHn(wTjBPfOWKoS3Zb9Cb&+cn`U$SzM?*hh{rAz(PuK|moXAgVwMo0T z(jClC3jCy`32AF;+EB6v`7em)tFL)hr0AO{1Sb0IB-pg2RDXZG+#cieeEs@XU03Vv zQh9s5^Iu@CnI#n!W+rBmV1ND#s)=RxK9J_qJ*h=_{)>6XPtyDs7;&>M$Jk+*n*2Ti z4x+^b7}R8&MHEG41L~9?Hi~x_uVsC^y@j6n-ERA)>*Yb^r}1G$iL=tZT`Luajk^PW zc=gK=r4OZ=7=NH#qgc+Bot~ZZP~9Jsa3bX8pPhC>>LppyK|w@t(g`O%MjVU$ojN@{ zy?)&6TpsNnH~4GuYR&B?P)M-g6{i#|bS0$UZX#e+5dr2im`%z|r>kH@r~^5bWWWTO zG(XCdhA#v!sz;>`A8p*I{nwMOb1-_|#MkFuI2bQK~X`)1r;$m!eAHKK|q|C|2{X>)&i=E0?HON>4y%XEYix% zbI)D!Tz?=@O#1Y&?uIAyvaqZB59v;_g^!2b?wuINo}1fE=oL8qT*DF|SQ%XKmjkZI zDtG5NJllKBTob7rFviBrF}Q_g^xv4#TRmWpt3x59e>@c9*|*XNM*d)0a1dKa7+n2pnnQ^DJ-4AM(rqWTE&^e%~%EqY_1y- z<-{?C$V3`H2?^rW6K*ab3ZPD;33DufLqeY^y6I;++1QD?NH-par}xdTfW!B1{I6?~ zzb&6~`SFAv9N(r6E9GLN$p)=KGV{y58&(qpRt=cl+xyaGVXu9b*NuKZ5u;lw2>kok zet$fB`TN)J_T!62@81s8`hWjt$7(Tl@s_!xJQ_11=|^JCjbQ!o2$mQ5y~)+#l{z}P ze@Hd@%|ZKCZ#cU{2#|xqGE@RUT)42{HC)Rb3eKphq-CZG-M^zHsp<-2!R&7Knn>fd 
z=4hPei;wXf%bGZ=x1P$m*x6n;EsM{S7JqW1Sw4Q4KU2@C6P4)ph9iRb(fz=ZyUieX zHe74NwIOb3!?iYCyBKb4xYmYiZMb$z!?j?v{EM_WAv?$Z$DACjk zw+@a*r)N2|-HcwrY*Qg5tWn_g%D)?PkyJ^s7)GE z;aZQYLm{JYxRxsaaII+4^NYwYD{14p52wljZ9DdHQAC?>sPsQ zumVg(3K$y^AF%WajfOCRQ)9@wskZio#t^ZN;Aky#fC*qqjCq#|hYQydjJTp9@UVuC z9$ESF`shG5%8hJH-VTZSHh8#V8dZ437r~ zH^caGtaf<2->OWy34YWqlsBC!0oMiNK{PO5MqLLh-nxHi2Ou9?NwDorEx9pE5HJW|*ogZoVD>QZ;;&k()QFwmTEB7m@ z%W_e%tKDYmLd8ej?Cw_cBd#6rqQF*5$px3|c8~qk=4klE(OT>}S#tDa$dPT17VzO( zW3$cCK7PSANBj8HHb>ir=6`5GWJtk+0OIK_elQMChGLUmtV5q4DyQ-1P>8nhMCFgEj&+Yd4JJQ;zhPCn(JfR7H!IE+O}x#udQs07LfUQIge;g>3Ny-=kO-| z_Pmryb#n=RUfah9O5g849`a2$>54n*H3&jN*kI(JTx4IV{L_M6(^yY)7>Bm+gr5em~n04QxNba`x?au^pqSEh+P)L^wPp z>ff~rRawtgY8N*LG*)W#X#Re)6(zt$(=gc@78*ZU_oWA2(*xZt3F-s7?o zuf_Yf)yZA%xhr=cz70`YwIf<#SgyyKo!a0_TB3P=`=={SxQ+qN!UQ~h*dd--;kXJ9 z6X~;B{i!t1qx%yx3|CcB9 zz9PFAR)0PCor-#$e~IhxjQ;Wvby~YckvlF;uFt!B>2deAwcU(fVqo;JM7ddqRQoqY zt5!?8q=O0l>@|_9?3!E-Lvmp*#1i^#CiGTh*W>C?z~~nd#qMz4Y?2shQ)%d_u^W$v z2gcecf09eb$Rytt%|`#Q|2%s5YX<{Y*4RZ3GJmB2Kw*?yVBi%Ol_N~R-c(0Yq5LH^ zLj*bk1EQuZPaz=2!gQw;AM`y)VHX>z4uuyU1?=5qMrU#McneVXaKP$KHW`k;0t?^2 z@xQJW{<4!_wAn@ zOn=p`c3X4YOBmY9JUi0H6X7AI+?2UN=PX(3##z0*OP?k>m)mgeg~3Ns0vvsy)66(F z(-_03!zBZ153T|wYeCHC#!}7s8c7&k1UKosa%s?$kChy|XkQ;c9~LfM=fmLwJTBrw z<)~E{rS!c@%KT(^l(y7sGpLu1rP^3(h<_W}SgMVsE`}Q$OSQ378%y2NSgPj!Z8%_8 zYE!=N8B5&_&*vw7((jz@ruPYH-sI_i?=n|9+HO8Clmk{9)($e@%={0{e|anw-eOED zt`-$kSw_FjjNS%QJ+2OgjK1Zi0ONkp2vk5QuqEzS*ta;9)FY% z4{&d^*|Aik81pI}qrr7?9jtnbr3$e5;3t8r0awtqipBzCsQ|zNDR5zlHr?aqkd8{)E0FO08$Cj)H{)@wUK`bhC?CJRtk*kS z+_bkll#0JJlsfnAQH4@pAHNsE(0>o7dX9V%V7W%j(X)a*86IPTL+(*vOt~<)uSA@% zQRY0T1dx>o33oK|r70qzj^GSqY7$xme0X1&Q9@O;SRH1NW7>!?bHrAIuZEaM&W4)v zq>5_--i`?X@wuR?(W*yGGwPktUJ5Zjpy1B}`{VNcZ)Hm53P`U`saylAynlXmDn!EY z1sqDl7pCr*!zo%xjJ5F_vHM8zuUesNP#uQTs6RQX;QwLToXH)~fKx!7Nhy$!cn@?tby;D1aQa}bi!5E#ld35d$C z1r~xiLTbPX@IJXz9wZBsdEr{B7}y=9y$>mVOSpIqtPFO3|LTm}zklsK-dA?2ohEF* z!S8ml((H_1-s*qsPv>|0^1d?JDHYl~!$D=IT(4FuhVA}t?>0Nb@=mG@Kfr4FXQv43 
z6S&b%p;UVO2Y)tezXB{}XEb=ZCG6k73^JSYw|+J>VXpmo3~(x=U_?CQ;)NyR;^pBe zb+K2$!zw@Priw{ADI9D#Gyz}4z_B@}h+sy5&`g07BMvy^$jFXq0W6z*5|a_!L`VcT z-4T7L44;pTn|Y&>s0duXuhl|W0-QSCShF&!G~c$Vp??OQ?jtN`!wUWlyXs|U7At0R zmj5$KsnVUUgz_7rKd8frn;kSS3Y7&q4GfxMlggmEv$wj1g8kGx(0 zYe^iVI>Z@53Tr$qL>B}1T51B=367qr`&(CKpE6otXny}kqsR;1FV+e#Oq7i&K28t! z;xU#fJ%1Hb>hZB0@42H7XUD3S+||{>aW-3~mxnT!f1cQqfz617EOqstE^0_}MvZdm zbbaaalA3|4va#hAKLh1RV{dw-rT~^vgci$r1!|=(udEh4x<5j$rga%5Of0PS4Ssm9 zGP6P}t&vbNM7hO+*?pJ6Wv0iP(rjVT;&lDT@_(wlvB*ahEMvUFGYeK(UVcu4MWB~o zatp?{^p05Y09O#vjvP}qpq^3*-;_QYQ~RcgO9UbaEgsv{s#@NnM>>`TV#Z59s9>$-<>xV2 z3p!#c=%u&7f~U9q4qY(0D`3cGvmsaqW`8BXe_m{;5}plZPV>Xdql>|L?5VkX*G%7M zlX!R2*^n@8&P)k3HQnFXbgVc=xWi%bNX9hKC4mEqhBhHwgta*sN8M9t8PN}CMDNa> z#z=z$N2cA+HCi|+iC+7COyl>;Eu6p~qu}nNsrzkA3n$Oft=z)N^VzN5!pUcHzkjNS zQ)I)5xZ~ANYvL4Dm$j%NWFrWXZ_5H~Oei*Ga9)I{8lDi*alV{N)qy8oko`+sd`w;r zPPdy7VGewn3Q83)epn28-Tc{S#)n{KBLy2udYAfGI`k9iP_TEmMlUBMxHcXw6SImh ztM+n2%$(~~a=Jy#=Jay%9^b0HoPYeD->SWwe5d$pnmI)`oT#5ywA1-X-JBxY3sLXY z$kAjIsFC#T^bOpPabT#P%%~Qg8Oc^Io88TnhNEIFagoZNk(A7AIx`ARoEfzv!C|^3 zlE8vpx?d58ii~0$5Hln&;=tB~_NXj`Yq&z-E)dCIc>7!#G&ptU4#MWnEPpk6d&La% zH;QydAqpJfX>3H`yThV39f38hauq5vZw?b7EVYo}8459_B4xUtF%JGG5=w)i3c(bp zLn#H1-(;wbV%#*^QUkVHaV0sG090Y3CqV-=ieB&_z!5_5F%yf&H~%NO?&_KYsH*uA_d7E>Z~v*FDej8r=? 
zaG-C1Z}5!N^ts1vO94qEZxKRdY-{X#6p9!>+^)ZcZ>bU9m&hd*^?&l~t0#aWiY^D& zM{Z04D3YW>@UvSz0pvZmUzPufYBX;T%M|W%(-H!&_pp9i`p5gZt(^Xe3O_c23-Q@^ z-?|TiR|e6nXZiqAR6J^^>wcR3qu9 z3So)RPb5OG(OQ65#ea;PzL*Xsub%qxsXbgH_2XF^xk0HP@A0jg`tf^ytEPVZX83C| zKaq_l>ZcX$WPVcOC!(DY^-hf%N;W}f8AzTVD>4}_LQK}oixoYDXGI6M55rP5lMtCJ z6sH4?4-O+%l=y_MbyztVOC#urwCNc!&5E>xfDain4QtzEDt~=R(YnHdaCgV_n1KCF zU}w6;iCjYTvqT8|H&}#jQ8RBQ#EYtiI{WMjH=c05IVoNw`rOTgI+>&DQU0zwxI03Z z?ON;*H+$7@LzPw%Oz!k+v3j8tD|Pynn2YTG9l>P3Z~t`Z30LRF8K3}^WneQr6U2@1 zFmbitIyt^*#D533yT^@IzEGZwPyU)9`>LHPC|D(KIyHfd#Mul=z=xVE1@IsU(@Lq$ zjw74Q5CQYG$bG`;D>>TD+;y+3sY!m&Nt4FKfg2N!PBHD(ud+R)j3<91egV!;iq@`P2MSa*)MGq~)c;4|z zzhHGIK0dX&6I-D>LCEa8A7=@`f>Py9GP}r7D?Ax0;JXCLpFWRc{DgEa_Q>IbjBh#_ zBG?g(!GER~iXx_Giw>nDkgndQZu~dvwmqkYoy4( zot0tP+_X~mVn&_t%;<2JbvwK9quL-_y}EopJZPqK^-X6+!Bs`Dc1%Q-P*@QZ7VVnE z=yOFUBv%X}j&0)1GNZSb6`io669IP9icY-0wo`P%KmQ{H;b2F+wWPY?je6vWc+aZfUU(+d+AY%jQzuu;?~BA!ZvX7K)-7*06WXT44>($c zgDa>l6S7R`?PVn=tmK51ocQ<+D>?CgKYuGZVI(KGujB-V$EJ|-$@=ue)1nD#6=FAy z!3nB>#}OF!0v^Op%8lH?{-vbJ+{wZ7^%-loZl?4kng^AuTz~bL zUtcF~E>g9dM(v>eZHUs!f)j;dx&9byc4~vKk(}`U{-{JJ3Wmmcg9Y>Vp|Aj)H5m#o zuo#2~i^kp+IypylQhK;H|F`mHcVXb_UXg2HmDjI+`9pryZZnzvWOh;s8!{SM8LB zgBKg%U@4`58O1lI&roA4+1J(UA%VtM~d=6C-O}U5Y(cq-J=|Bav)WN`9 z%@II&@~#-l>mhIsFovW60&e200nwgyaY}+2LME(45ye2LJrZBq5oTlkpS>$djsX&qNKn{2?u)lxhOm;g`swHC z)vH^87$KH(PZPQKY!-u?I;MeM)RN!KKd3S0Z#)PRL?L`%t6_U0_kO1v9iczS7?`)l)IDhw@?ltRPt7oUT zvy*HcuWAS9H&K*goV!LEp(#)%fT2k`#o%4s%m5v(H3_a%L2LMLc0jt!>a1Lz1}J8X z3zMKU5tIZdFFB>WUe0|p@OJ*v>pK*Y76w$i{p>aJHAUo6l_82K3q$IaTCI_DS8A6U zwQ2^GNv03K+W+0|)_;1LL9JbC4>HYm2E@zDo84aLwpJOq0ph7us}B|+oe~*nQYtGD z74(cYF#rj;SLIn<9#nXajtX+UGm_oAeO=k;4GX)~(!utiyyU0=kVr8+X*IW8NI-@O zRG==nG9@J*{h@kReZP5dfnzOFZj~^C>qwXYo&&1}DCWN{^?yy6ph3J-?^<0bCY-)n z((hlT>Rq$_`&Xu4>pe6pwM?l}fl&{@;7aXkraXk79Q5BUu34)55Hut?-bEt>qci$L zTFM3IMERXzT$j-iVn}Yzws($?H#>^-8mdqfXLY&c2m!o-x{6D#EKmocKGREI5Q1?F zyg?ZXL=T*_oPSX#cs_tot^|};6x&g9KV_q*67vOD99Tv`0f+B_2+O3m<@%x_;`guI 
z+R14K46od(Rl($5y>CBLDYbvMhy7aS<$cfyjaolLGiZM;7;*16D4-sgTx*1OIDn_x z%XA*waHWT4uhYg`{buy|rdwG!u*ex*Svc;@32zZ=4}Y+z=)khJd3}F((Y@^s_4fT$ zp)n|sz2_wd7K~oGfT~T34phtCa?@s(-gT^~~L{HE4EQwGV4; zwkxe6Mt@iEE5F;X=GY&0yB)v@c(qsScZR)6t^YIRfddc{e`gvJ#1!Mevxgcelm59NXhLZrJaSqHb>8gh%}al;p$Gr^;*&zOow197 z9gB#OzM^3*x&iCW^{vOj{at04E7Ge!o!!gp&173SCcoEe4RM8~MhXkk-m-~J48^2t zxWIC;ToYm!x7A8qMJ>#dl^pnm(Vno#r+*Psm%?1Zc#O4N(djdW3ZMwUSSJv~OmwqV zQlO1O(M2YO408JBv0FW_9$fC_k19n?&kCP>GUG`KAqdJu83H_4X%31_dy-f`c2%(> zfix69s=bGd|BbAW;01|)Q%mvla{uG~Z*1j3dGN*xkZK~CHTf^Z`S1VEx^6+_Zf{Te zm!s}^@hI17>Ob}VQv%mjohQ3>aDTL0>>qaIeXg;WEf@RIt~>Q$Cr}%AsJWG2LhY~S z?Uvfj=a+EF59I9n{Pv=o#CdB3O_%-#E^i6-C1zXE@$TsQ?nGbhmhyxC)}VIt{K$*# zo#j69Xf@^}3d0ST+!!^H0;i026#>^Qgh9nKXP3Bg3tpSXI&gA8oUu_K$A3y9o(z`{ ztmE3Hl458>WAzx2G*j3IEJ7I-#K}IfuUT1Z9CuIbjqdF|QMn~@?e(IUzkC-sE(8w# zrSp!C0W^>XcNUeF($Wa$6@hMXY^Z>X#aL|?c|B%a5dMlVJb{9Z9KtU5jaN(fWa&aq zsVf`Yu0eqY6GBPf==gSY%zxe(-ZwY4T6(8{w@o&V?~ckR8)C^ZTS-?i_?(f7Ye^@9 zVM;OJs35ik?j8Ve&xhIn$-Vsfpf)HIFKYWm!va6@p0o^f)xydQ!4F%~Q`f~OO)c9b73?ncMO&GK2fd8Kntx4WlD zxB08ynsyFW92c#N`2tvA>*XNH65}EzQc~tEMVbO*3XHM7o&w{zjuzD7AsgWfjC;|6 z@%&1zv5m|7>z%>v;D7$GQDv3#(P{%@va!#F0wcpZl~x2Lwx+tXC~atHhmRB$ zQ&db*F$!JO7Br$T%=bj)eso+cH0$fde3Ocu{LRDZeed~JoqxAi8y8n7zKBebQIV3x z6c$rhOoA*Dj?I6J|8Dd_bXZ(#H46Qc`)pfxx1H?u(_X%Id%WVXxI*DYZ7flmlXN>e z1;!K@li-U4<7<-p??)G6q>`^a9=6M8h0ca*k8;kC9BrI-RvQ>sD7+yljq0Hrm8&p(; za&FX|KpS?!$)xx>Z#d!0O$|Q01!2hjF5rrjcQEfgCx3jsDV&Svo9Fxb()nh9L&kz! 
z^HFryY;N|twz!sms(LY!kbj3&K2ckVV9Df=+`a5y>%%Si^Wg z3BlAe{~exrk&0zL#qpQv6>FI!oOz01c`)%fIwoGNHP~@)aQ%3&yHtQb0CT*z5q#?{4~9pws%&Gj_3 z@LfsATDf9%R8(jfJH-=E;Z2AGdx_&;?4G}~M`v9Pk5myLR2tY+cx+|nv!m3t*qe(0 z(tj9B72)&EE#)l5>{KHjMqyo1KXI7VF)Gt`Z`!I!+PzA(|4_&kPU`iOX0q+Ml4n9% zyRc-XK}jO$RC6wETu@ySD<6XGc{&O#AAb`PSOCf>5w@9?5}|*F2)*GLBj9>CI*jpN zfbo%RrZacq1MN&N;Jmp3!3Z`p1f@2Yi<+iM^NsG^e-iXM3_Qhr5AW5xE9_QGl+je{ zIcN8SeF%hiV}**fxSaT8$Vq%ev)SVpp4n`28-Gq`bMN>|E@XVMEh6LrenGn=j(;i3 z&W?l@mVh_%+fU5u80968Z`O9N&O7zuQ>%S3Jh*i>)OKOD>5;*jb{w9bP=pE|Opi*k zYU=gb^l0)kAKjIMOw7|LDDWfiVIoU`8i9BUOMy(;(LckEsLK^m2xL-PX~}ryZURuN zB=)*AoMEwe8tM#~3s_+!6;{F$RDVj0fj4ytvs}HTCRn^;sN%*xTpE_F!Nd};HhXxnO(5jy#ecWZkjec5 zhAamgno+k^0#n45<;#Z7qqCtsHrO4q%NBWfzC7N)E3~edYA!h&Qp!~pmZ9OWP$uim ztk$lXkX*~~lX58?`e*3ShqAMjSWs_lTzk&3ZDusK+pyzGagJ>>Shk#E1J`k1wIthS zzN7o{wwdp<`}($7z~uhazJFO_!%29T@n73GOKN93X$V=~~;9PIP{?eWedy{jyFu6YOdh>rMqS+5&HNG5p~X+ zs^bcuwu;0J-gGBX(xQ+RYGPyLO?YBwRK~1~F58I!X$k6hEJMM06Mx1+=$B+$89u<7 zvVHp9Imh=FR{*mUhQSTb`~2R*9^hQ0AUG@YPVrk*h6}FY8B!YaL{)63p7d~%eqPB= zXTpmuVOvPrRue~)qR2LPfg{n7%anMmmnFrm&EO z1o1!=Xb2O9C~%i^4pN_kaU8O}=+~ zLP+cMPyM2|efX(fFC=pX6 zuwoWJM4x0O79(QZg=L6|zXt4q ze?Ed&MkFx?VL9g9f*|y?dz*@L)bQU-Ml|S^+Wl^+2b{ns9fnw!amK*98Q3M^pZDV_ z131ZpC})~5rb7GBon3C1`03&Edau&FKK=8sKRCD=d5Msa&#h{Hy?Qms_W0i2R`IZX zF!*bjQh&YE9-K6vUlYH^Ud@&6nyt~;`gt)Sn6FN+;WSGXr_$-w98a|re1EOgY@k{F zs=&Bwy)la$G%Kan#|H+T?&rG|_{9>4mfrLe>hzk8X1mln4f*xbaL_rf^Pmg z&!e{ekviovITI*K$l-jELa4w}6O>{&5OVE)PL&z zr$nKmTI%1_62%IOXDBT=84P|C^bTM0>>P z*MB9EXJED0pWb<`;+@kskKO8d_26E&0W)WvlHz)gVta16v@2DJA&&8KmZHT7Kn0-@#vFG&2GT8c3#O)yd!VkTeyKq@Y= zour|@DJ?M??W)d`-8wkhE%pyP@;=wt%YT-O{Ut{#N)>T|(@+eaTIMNT{C3*Ox>UV3 zB-7lg-~`{fkqRKwT1%DDL}Ke>pB)^oU5qeFA%OJ=fTby@QWiM9;Q<>sKZsNm)4!A_ zWoQw>o4GNJxM+Fcy(EVGxYC~J_#1>7mr(-xNlVQ+il|r+wn9J^xE^2Lo?ePEp?@k! 
zeQ6VXEK_Mpgz`4Q@&Hwg3hZssF4WF1kFPiL`+9$E|Fqq(-LC-EWZ3r;s5&^oNdlF@ zZDt^q8r&wQnok6zLDIX-T4AZw!kQU%UL(k_|J3VsS(now#i(={F$BDY&=|h(D{44h z*_9jIBb3Jf+HNg#8K^LV#ZC?Nwc6=`iLo4rsQ1$=YPHeh7=Nu!Bh#-9 z20$nJzuPbW2fx@4u;5m$K3IVLh7MxUwoIi8wqf%m8nh%J^rY2c#eamaw}-iAvzCVmd0-F4onf}KE59#%`2%KOX?2FxOtT6j z!?p0u{yON_lQQ$b)DJQMtUy!0%VkR`xS{?V9cR(aT&}m*omyWXjAVO_92U*P@%71a zr+!#q+S&@OF%Js2>L$!wV=p8Le*&}!;lUw+xvGa#cdYXA=UVng11JblaMOPp)5jE< ziUu%2LBIv^?oW%aAMfT)$w}K?@RLL#s5Tn7zW7 zo%ZdV{`A6dks2#N`w0KjNf*(9k>q*)s(NwQYM0kHoYGc(2utl|sT;1Hw@$Fs8tm0%J^Iq(FlOmWA>I#>*JljID?Awex>y%6$Fqh;?|U z`}BvdHZUqo)38bziwTc9_qj9~tTVo_i}U@S%lMt)>< zv2k4AukK&0IlaO2$>D!SWyyh2bF8spIH!UcZ&Yjxs-9HR#tOqZWOT^rkTDTs6r36+b>NwZT5@2#=IsZ5dRyq9Z@u-756QtD$)B$` zFs@aOQD{qeyu5#w14ajo4j9LPF;rqlGQyP5I*>8WQD4E-YxRpxXD{<$>%;Ba{oGmp zv9RL6XaV_%k`RJQtC^fSJZH z^Ev0mE?+(8ObOE{1`!;#G?IJg;r99S?fuy?v1iBEwqF~Tbcw9GcP2j7=3VYkaWO_v zmXXg1I~SJ9`X42l3lXAc<$Uwc@XgB%S{4gBep<*v;YNUyv*0XuGdU_2^TYg8@pS9C zNltb*y4HW*U35>@8x_-C{#zm{Qif_y#vL$lsQA^(e=aJ9%KjK0Ar-%PbF2M{kLwVQO8|)mdxa<$$h%XpHbu`I=6HbW;D64#wht==JBY1>V$Resg z62-Y06^wIkjR+_kJ}dhJfeO=#*%TB6*G2wgH?x2L>*^m|>;3zo)4l%n2v$^UHNu2{ zmL>&~q$f*P^3p7PIUl8O7({=8Q~D|Sl+NB7sRoCqmj|YPnQv9P!xlYV@hPng^-*ny zGH$pMYHCUYc|am$4F|ddAReBbU1UxJp8Cqb?^`X2MGd~$Nv&okHAH+AMH+4Jj?bSt ztE+#Tzj_TYtXkt&wN~rHgu=JBH;;c^4d7?+jkDd{hw#p?$8Ki`|I_{cS)W2rmyQZX zh6)H9W2sg`2Fh}FlY>I*FneFfm-lK%;!)=3H*O?0t7{eof}*}D4;4Z1r}tw6-jKAyyiV$?L#r-Ag{LH+%P8lUJpV zsLQ=Ry=|YokuRz3eyeIHID2auu~rHx^mM6v@by+12+{}`hbe}$=uc>NhIe7A79uf#@Yb+E@!c# zw*&`DgfMt;D!xc!XsJ_t&0Ui)x_8#s@JJOfdj+JL#BXzme0CIoMhQ&_pbW%H;LjHu zTcG1}4`h+P z+?yX~Bb|UZ@&bYpD>!()*zQGosQHUCNB8cx`y}Xe7&wZ>9^OCB9pZmcYl$+N>evFq zF{ArIJ}?mjZd9nbjLVy!3wf#cD4INe;h9Bq+xf>dntIP~axwjzdq%`Oz%PU@sbk8D zlOt-u@oPhZHn3%Ra&pugzKRFBclc5wHO*Qta;szx)|(s|?Q20fMZ2-agp;GHtea*t znjB4k=QlYDonW8bDExmbzcarOG%=&KqehMzjb0Qt04YQXpT7K<&$M%x?$53Pwcc>V&_S0*D`tQ=>V zAz0f%(^yB!eYhK}*rLFvgF~2zk7qtysBgkYtl;1rq*kbimLPxHj(T*`#{)77I%qA& zT*YETi-oEv7FZ^XkU4h}&hO4s?TeT4gYr@yM=xC~i|*dsQy}K)%|An92KNgXvKmx~ 
zO~3s~h0xK%(+*4&iR4`9SnoaM_s$MqyCP?6Z#VVg+0EgKb0J(3<1qPQrWz{g^s@Il zt(aLOiE`^@jtqbOetiUWmJ$nr8=DL}7g#Vens5Ne$sloo1v5?{-TrTq+i+|gaSz2q_X+y}Wb0I-AK`I-_g=BIr)XLT5%}aK8 z^mcr8vUS=!Dm}K-t=#?XTu4zLRa#IgA2-p;sgA8qUI>5e8Y`J<6}f{*4j~Oo69jaKno}zfs-;{EHL>M`h6=9;Ict;2NGGrE@Bq%s=tbk#rEY;B(Ja>44k zPNuzEBGpxw!HL^UBz=q!B?F5jOfGgbA}mLwP(aiItDz{lLzN9U8v);uhCrmiw0x)R zGm;M+MUBn47K9^4ju>f5wE@!40UyaEG7<>e4FrEhT;XOy_-B%QyfK^*s;$xx6sk%6 zGYWPrB*a%l84GSI0Z-sQ=Ny84fFEX2UVQ>6(|_sMXYw!@thi5)J}9*|sSarbuzq7)ro%b((Q6b2QvfiqTx5+4h9)s9>ggw8nCOX1K_|N1yQtN+B+D|Lp!CX?BBc+*;_DoG1N>)L@O-B`P zLi%Tdg=)tHi?f_^@i zWy?);y4T)Fyv1w0Ja)Q$Z!Bf^J>oIZeOS8O#CVW2qlJsB_b6)^1R6FuXdG>NPu{Kf zxRcH7?pH52E2q!wZneWGaOcX0NF9GA{5jU?n5v#GHF!h`F({FW6TP4s)ROnlQFv1U zyv0GtZCBD=el~1*2gAbPrCz=@7v4BRyj<*6JIxEhi$^t?$*Sv@Qnm5T2*I)RfQzLT z{I*k^82i*IPDHln6eoVr_Bp3G5l)44=%Gru38S%IR}d4*Bxge9`>n&=_0@my`OagV ztS1LgU9Yz4Oh`k31hKV{23U_ZpX_?Xgp6;9R+eD(#0B;9maRBJpo3P&<&+%{`fGTQ zQ=EuoNsIN)DNamZ?-VDT;>3?5N0f3!usTR!o@gUEJKBBplxVQRBhQrY^m+THFZyiF z*^#k6e>ZJu#!qLg+;Y2?m}Y+_E=A<1(dgwACn7#vsBcbj;`0KhIPv+ZQ=C`}#R;ZE zPgydG$MazD0@b%R=a447Y^vOO=b2ZZN@SpV-c8=@uR0Y{5-bD;TvAL2t@DZ*?r6q3 zFLB2S93A>==#bN#Sj^8m%?YPD5!l!oESfpZi7&As!xRwY@tUY(WGH`|oDB8(#%<$h zuwA>^I=;>gANSh_=g;d+h7|V+$1w&|m0E|(Z~f`S5Hr?LNyds2IVSYCGa;uq;S?vF z;zUro&nZqg#fcFs3RRq-Rztv|xd~h@+e%K0PHOs~{iL_9x+j;ODm-^u`}cO$X;Iu} zBIO%HxCVoTfJv>gee@1j7`1jKioCrgUv8@_G<(im*usjef4w8e#*@;KChW*_A z_9fHh*9%H??`*Zf!eEI4hMPJF(`-B=`HmITDxV31jzdW!$nr#LtneuXzl~cE*qxyK{0an=jjMJG*Zrg?1kgDp_jY ziiP4ZUnvW9WEwh`Lc80y+5KFj(YmZ1?cG;4bHkmh>T$AmX9jESeJ4TKpOC8Jj)kY3%vd$SNKC~h+o5CU;b zY|2k7{(w-feF{N^0no%`HiQJzkSd{r%4!|AxO9KCbMs`>@cg;{km0YT{?kr|stI!S zO^_P_22xl;zC^D6raY8q01G6hP?>`8)Y1fbB;qTMCp$P*#@J6qxn;D+j1LjBA`s4S zj9OwN`)_P5<&57_77xVOLh($Pj0;Rs2X6@|CWq|e*(5}wofNeJ0M67|H=ro1z{Y5 zNfEbM(t-9GgSHoH1}R)V`{{f>WUSr&1ufqf*OcXq(D2PBe;yaLv5c|!dae!^9WFXtOcY5| zW7Nc| z7gNDStKeR&3WUXzLtL_ncU^(2`)-W2(^Jbj>^elu~@#k%xpavp-bYrev%)kjBKwrEUr^}(Ne~Y zA=<&BgGC36slXx?(r8Np53`-lvF?9D^M~#8N+qke?`wARv|7G9ep+u}T&MgZHE=gX z3hA~HIb?Lmm@F>>x( 
zp$ub+qOj=HNxyGPF;eAAO7Y~Y#C?b+Kmj3i8|`moG)ka6w{^hylYueRQc}2leq{3~ z^EuYX!IS8yS)mq0+PDU%x5h7c!znj6)A`qg5dSIeg>?wlbkG1M512U->V^lM8==Y*XJ zOCe?fD`$){w^!^ZJLY9ZEQ>`PKP+BhiWtqg2+VL_%&}2ym)9Tm3dgUf?DXk!zj9W3 zI(S)YL`-?*Z;6P=q=sNhY8R_GNOX|+{)&Y}qr$6~5yCNn%L2DU+$Dd<#KZgAU6XnI zT zUf6*e?mm`i^YHof^?QF&QJ}`%rxiF<{Qbi4S1BrmVe(xaPt12Yggu5q#3MQCpA)L5 zRs86rA;vZsYL=_gp71T#)CfF^NFbHvupTV8rinHrUTYo4 zQy~kp2%lzhJedab5#a8%!HTbmL|NgE1QDpi4WYYI6Vj2We*u05KadQJBtiG0CIm2g zDpB`R;LIXdxCHyAc{N=oxgw3N05h ztr@gh%`2a$IiB`j3#KaFo^uSUd(GvWafM27)zmtg4N7x;K8D4z2{F50wH_1{FWY>!^$o`upUBzI*ZdTtvqyvH!HX^R)|=21 z>k|WGY#53vj@2WbA@mL1lyRE$)8F|`=)=kS_=;=@6Z=i*6(Nejw2I68IzqqBgg(;0 zFL-$X-Jc7p7QOxtDN_TJ3q!{D+6ch%0#h9i$&vBkm6T5hr@Pnu?2zm3M!rnQx1AII zn%1mVSk`|AhZFv$Qq3SE1)8oQz%T;%oQV>fjZbw%ip?5uxC%hna$r5ik^rT|S+QCB zUZFhV{E|%SL8JfN>9!FjCq7%gNNUh8FIyrN zo^ZIb@1&aR1Oi7H1w@NG;IMz&>Ano#Ubn7}^R4ZE zwYg^>$5oU8s4Qi@26??98z(nn^D1kG-uI$`R?1p6J_{T-dVjfOr%QGwY0xD*U9vMC zZd`w|(+|%`#oYYqYtsUzA)26K7^70wqzB}!&JEkD`Dms0fNsr;6edZUV|xpz8eh zvzwXG00{{g9dyF?@J(q3IzcQ(h z1W%Wv1A(Kb;0d(E8yuBTQWJ+siUS;n!NHNwl9eT@h&x?Q*Ga5Ws@u1v<5oN|0ak<+ z2Kvm+B6_yb7sg1Q(llTo3c^2g>~%Rr@z^PO3JCHhfd#HiG`x^Nz4(B72_PE2c8GtP zck_2ip3Xfi7HBkoY&5dG`EBsFm)K8oQ zpZd@Dt%KaDEB)dr085gR>(LJ1Y@!(^&w777AB;GxCt4v-}!_E^G_)_qlQ1_c)fpxGBeH6 zq&89?GuUGnXaMm{IFn3GhcaTo#t*sj^E$MLcgO}*v~8$@;lugRPP&dKKHlxjPQAY`_EXv zcf3EQ9D{O%cWeek6yAlx+%11OO2mURBvI^5R3c;BcH$}}R1ysu*<)|O=EIOEvoJH} znhcqQ1;5t_v~D+8qq@zIJSW*3LGnK2w|NO(IRf}C4T;#%U&D^DMFkQD$T-(rBequh zMF6#eLu!N-C0s(t@(l*WV$yV$WtzhP6oRdRH@1w?f*_`Rpv@V5i$j0ZB1X2+$~akQ zrq}L|z|^DM)NoCUOzB@6q85A`_!g!}E+8hXDgIl(eAm4(OF?{xd+C%41E4Km?&ZcV_M%(L=qLSjZ157V>+Hg*(c2-`?I+z~|}h zKSO<9?g1EblfbmZfPsK4uME>UOS=oDCsvVVLwB z1_{zmXZW9N2rG+94Md45WvaEutrwXT0(0iyFd||^e+?sgP3|;C8W~HWHGJGZw|h-L zl{8(f^?I^+K=%1NJ*Eg#pz~<$e7~||09)rj<7ED-%VDBGW zc0RkG(uYKd0NiMkhrjdXzKS!70(GE})9p33_E(F-zMY*)$NrCNrx3I6y9{@n?Yy=OyDO*+fO=EC-$ z=_lmxnvg&%tAAz32(k?dIkNuu`sG&XF=Oxzkb;ai!1;D0@7uq9=l%Us7l;6GAn=9X z`}}^1AFCDq$h?*JzT#in4CG;EFCOG~dyTODi$7uCPS}6XE8N!^@?Z;jE`&W-Lr0UN 
z;6=)F6E!w_fw0ijRVYdXXGYmYwJgV@M6Gbet9O+}a(Fe&962-cTUdlG;6y;C1tOAA zzIkV12}NdSoY0VuVZ^n087?ad;TWzEBnw3H6>Hz_hr$3PgfYU1$WcU&etu%cCctdH zGh1OG4_<#qM+B+6!VJ(1!j*)71`+0!q6n?_??YlJ)-B~R3}nV3{X{}(2vq^N0<|cm zknmH;U(MFIb-bkpZnfe{aw-X7LBx|?H)ysl!GoX_0)iw=_}}05S8|?DSOi!DGW&Bl z(tOXd!S<@bLk&AvjcI44+R#Qa%I*h6jin}oT* z1RyxW5^>`M`!xiQ9TgyKSkYReX-8mB?ok2CmXnt=F@6}Gx8t|{el1gYkVhWa3Csnq zAcU9|!I*9a_ODd|!b-uM*OBTG1@_m^?;-)Dn8FBmbOX!|E&zq3F7I9+c{Bx}P>Ke- zpWT1q1t9l#`={zZVcpHIhh-M-a$%_F`ySTcR{n8+ZU>it!orWEAVZFA$eYz4n3blD zGIDd#Or(O7q3h?)Ra)B@g}eG-IzSnFa#~w{Z88*c{m0gJ-FC6j45R)7Gk_wBeVc_u zMCk7!LO%stfLO&=Ex^|GCNKU4e( z?QX(;TH(IT532oyG!w#}sbNFOG1y6Ptu}xBn-nRbw6Se-^UqA2?;#MyQ15=3rHhNk z?R~k`8`b)W&T+d*D1j}QP*lUWC(0RzU(F;mykLa5hH)z1$o3W~f`@2pv6B+*G?RZY zras0@3+@JP1VHHRQajuv2+TVe+}z(zVo>a6Ic-c7zr8PSHlBGeRv-&84B?4VVFV52*wgFq+f^2V`Am)b91&cKtwJ#bODTnViiA^RN{ zop9HDs!zwio;6n#$c5>kX)KBz)J_1Qc~OKCwBQh?f8NJmY6HI(P;dDhm0`3||7 z_lPu~?XegZt-(8d!4*@$9+7li>sttpRn^wCQbjyn<|oVBlS;QCZJG`jtDejY4i&33 zF(ejg!j*9d+;GVv)VwhPY(sxjM5u6xL0gRhZ1dlN7J`Ua5~hUUoJf-kxh!bmZls2- zG)MP3*T-`WNMkg|NH`$;Fs|VsY(88gT|NCVwnwv0-TqOn*C*ru)TVIu$@oX}Y4qQL zU9Go&z+7+HKRSaS=HTbiQ`fFftk0$;A>3$K48{u-sNP{Kin%lkHC%uB%R_KXh?TFJ z&)xgnEy=ZNwbL54o7vbQn6Q~qd>|$$E-kh)T}NiOG27rT6fxj0zz4X{kS!ALVt5cp zXf~U?$=yofW<3W(403C%F>`Aa!d%w0QH3c);6DWkD^kLZ>)<;ffd)=LaBO6c`_+NR z4DZ>^$p_5u?W=zDbcKId#5aHZd%jABDP>L|c1+jO9wB@-d6*Au8n4DjD4u84r~X;t z$U`_xLkn{P^ArX?L42dP524aBtGtZMC6|afKrhS?PB>pxD3MYE-jqXV*b%{j0&BLG za(w#$p114Mk^KWA-}py$(0~}(gQ#aW{yRvYWKArbwCx{|(^r27on>_bL)~)P1HO61HtOvY_4WyJ!l<`T)Z51&Zlc~kn?>`e zx6ff`i+cMUa`eBP|KFd|d)E-*JDT+(!gaktH8`cepPUvRI#)S+92@k;FW1wTp-sLx zrC+u70WQyBDl^QL_kx2z-pU*ZhFPJFWW?#eGpCPQ`?!A`9S9pe1y7jzp5O?q_$M26 z1IJo$a6E5xZ#yrQdA@TYTm94IB6X7ZG{43}YnI5;f(ojY!0->3#aNO7trjK@D&f6A z{k^@+1yBM=b*Lmr8fW=HjeRf^%D6KM_vI9CXh$zIFN;j6IX;hf;SHt|rHhmFw}HdM zI{O%L(hPr-wcmU~YoD#_et2&mM!buYQgaCY9-C9@!RLOnuCsJJllM5mPF`S~wUR7< z+{8#CWg!G#pPH@8&ee}^&h=6##kJ&!=pDOL{(K*EOb7wm@4F^5)vw;P@-OkYx-Do? 
zx>xa+S=R{!=rX73wAq|gZ8@4(cvkZK+9D-v-wl6aiwBiSR8n>^TdJQA@WbaK1vBg0 ziF1}j#A)@3#L!3#4RXRr42{H4f4GUn&`1o8#LzD)hGNFO6MnNRO_(U}M*17UN&h8k zp5VsfYFa0aWP7+wB!xKp+N2)=YMJGTW;38r+S_*TkGDCe#+-~|-`qc<{NI}LM_Q@N z(Sd)U(^D%I%yZxBY8w_rJngzV)D8}vteDT7)z3?fPP$MnO_!-^UR@lwRw^U}eyvuG z$AL4+E$GA+SK1sv5E96Hd&hg5pu?CY*f{oFeqYs>WDcGhaC%y7tQ z_VJ}Xyf{j*e7)k^cC**PRgN)vx@e55^tpeHFU3hbcAd`uMWO@>a0l=CFDG=g_&k>usOk{_HGNyzd^h`>_%#w|h@mk}qmEeDA zN_(9XC$cnJ`ZhIqIK93=V%C*I1!46n;%Q%mr$y3iB+UjmVI<8)(yTw+MAB>|%|_Df zSCwXAFnTe5^GwVWbY=XlJ-luj$qtHlr{$a4s7<={%rX@#eQCxIXs-oO0ZkaiRFET9 zW{n7fU=Bu%|JTp{PR1W8vo1#mLQa2AWmX~YUAsUkjoqTV%|?5Vefy82NoK&?kJ%Sq zRpnVT9zQvDWtJ)!D}o|O8i-jBx(=N{_lzYd(n=^8Omv6M#=E6iZW(uXNr*A!3?|L4 zT)u&^__dhO)haEbWxSAml$VM4uyJ;CTKIe5@*wr}X7tqfZ25Hknjfy8O74HX?T0~@ z&yaG*gidfw7%odwJ9mz=y~Qv)pv%$Y=;HLa=@igqOBvH0q9_n2w6U^X5DO`VxzdmT z0`)p(1y#T|kdO`f@hSGw=*H$R=~Lb7-KFJnnS9Fio%27NE+zVnu8s{`qjag=9o37; z+_wRU@6M+p1vOGo1Dr5YP$Pc@)gNvm1vOGoBL(%VDyULXX5=W|uB5PUCh(v77E``%6=P_$|^L1}oPD=(J;1$rzTT}i> zLUlPh5OjJz+*O@*YAH?=(r_R;OCaY zE8fbuV0^?kg0s09aRc(ljbE5)4eU(# zCWS{0U{R*$cJ#*rhxgtaefdMhJpJ8ORTo|5@(ocy= z=4O7=xsu&-doA)OPbxRVD_ppn-p?wJ{VO_)KQ)~PTvY1$X>Rgx)39$-Pp8wAeV*xm zmAvSi!%I{kKz2rC0@fErh;(Qx9YJni^++0EfhWPp|sv#vC2t5ksDoK<|nP<<1I~GeHM5g z*f*1LO9_97yO?6gU&z}^^*0-N4S5P965=v;c=3l_J!aU_%8&)5C<40m_I-8~kAVtc z%z?A`;N{Bz=`L-=ANw!G>bzT_owJ+7QR3z672g!x*YP#Fe100|9ul*w>-lr7FuGX| zdiP(|9qIJ`^X-w=uKD5ndj$8^Xd$(yS^;NqgPeci9vW?b(O|NB8PAtz%PYc0@taBN z$oU%67EuZVQ!_mv99-x3{vH!oAh;OjF6p}v=VK*WX_9`dupj!AZt|zGRJ~b$s4jc8 z_HA)m7upFfH>apq>|OL8&!?l*bEZHqm%Xcqt$h);7D=>`L>u6QkwhCwwEl1tNwkqf z8%ck(Usa+NddC`dAim7m&CbF2N5L6?G1=;r>Mc^wJm=_Hrg}Yl&fR@!#&3d$l&ffJ z*6?G;V%4KlXoXoaOQdhRs)+J`Ysw!9v@S;nf=+LTq+Lyrsn7xmckCSRQQb7VMFAZZVZg5$*}#8Jv%LpiHqpSk6;=d)pn3fP4oQIMhzjmo z&l>Cb#RE;fT%RuQpDL}<&HTJF`+MLra!7KgQ_8XUeFGC9b7fq4_)Sjspi{cKxIDpy zhkW7TB0sUO3+DxP+;mD{p!SgVUz{uo&?#4Z&QEt z8J`dCD?p)lL@swa&MJhwsj&A^|lLPy?JW z5>O)n)gNvm0W}g(BLVfR3aCo#STmvYYUI1B0Mp=R*ZSwf_Ej|($Jg^>EyK^h zH06ir0eQBB;K9#2s*t4REmVBfJzX<6w(BD 
zf23J(=p0Pr#YVnJmX9&L%#d31@1yuNjsXqzD;0WTeBYvvjb zP@ePSs*>pieWz!weY6++w$};;*hj^bHH-d3TWns(V4I#oYa<6|2&x0da_WC*Z(!MKHE>h{mL$y~o0-HOqbmIusIGsg>p9&#v1Zo2n$~T#vN-#_!pMS>^l8HaUEV)M@VE#b=NYgF z9v8vmY`7_c$3^hC2p<2`;IT_DkmN{e1=~!liTawK@~@wtt-l^`?l&4{J+9A=?fzu>?%?{h{H&%sdW`+iv-=ABK8qXahpNlT$nwEOMkNW_ z_jTuQ0MC&C$9F;zQwyJnpmD^MDv;M%=WnjM^iXXbUq6((75j2qxpOo1`c&fOf4=d< zfBWH&Tb?cLT(5srk6$XLtQTA5>Pq!sQuUGk9F6}hG<|S?@N2DeaDRMt+t=*jn}XEI zU;g#yeMVGF66`ocI&R-mSvn1?T81%JHTL=_GA{&slI_rn+t?hqKyS>g>RhgLvr2o8{S; zO2xk%FE4Dmmz6WM(zrT!EC}2WA#jD$ws6|!7_e~K7Ear2xG9{rh10fh+Wu6htxqqR zWQ4%a0P|0x{3<`?Z+4oc>y34~snn|#S#LM@@9)Y#oALwhgTwkEZ}5Mj-y=G8PFpJt z_c3%?-S2-2&i`M{`3t9Q!qvI3GyTXUjHc8m2^JC{ldvWFI`Si?FskB-% zH|3I*SJUpZbv6o~D-U^|OA*6P5I*f7EF7Q{JEgYi0k6MMGs#(}n0sVp!q&rSeW9^d zd)PlYXs({FZm*ti*Zv)}EJ`LN(kUg;hu4kE z7hjs)YOPN@odP5n!Us}YI%8w!eMm(jfN}v8urQ@g?-BI(J*bWpcyT71y4pS1I+d!t zuy>)B&f4Xr=Z&Moe)B)Q-0rI7z3$~~Ic(0hmK&#c?T7yweE4r?Q-ue$@Sx@xu<)Q3 z9@KwqxG6lSg$K3pp#D$~suJlnlblf2V%JMLAX~BdDSyY7W>;oTcJH^8Z_J%5d$}Xd zem3RD?jeGAObEz>`cHGwBp9I+Sd#_mfB$d)Ch0F+s0ml+0?$+zs!Fe#Bm;;&H|k3Q zPs$ITJ4gEJ_Ia(|oxdt~FJ$TVK;6twxeI?)8qL}P+J*&=NN}NA0V9R{R1*J)uSN@3Mcka8l|@<vK)%s)$LVg8^X$f)@f;S56JWrNoE$E6p9oQ~2--g>hAf&PCVh+u`@OS<}ND<`D`N9e209Cs)wqXWS_l5ivB z$Bq3?w|uu;n(yq06MOu;@VZ!ioowl($>Rq0vxuuKYKynvhcuCNkW5fQUUNjq>n|if zpkWd7D~>J*$KBC}fdgWnbk8eF+Bj{8xK9wamzkFg9Df%P0xAEMoMwBoB<6n~?<`CG7wo^C_UK04O#~Z{8Q!4ab^_$YDs24D_3VVj70M+@=ah&u8$)BO6I4Pvk zvdZ@Cmbj&0e{%7}Wg2!Vd;@=1-u5IzNKAQA5h-be3IzIVU7sWVEhSDU88lI{FXyi! z6$uF84+QI*Lo z0TpafXyFpI*i3$;S~#DpRod;d{iDXxVRD~{g}hpV$4AI;R^(DnPVqi5>kN;08b4Ej@l9 zfmD+7oE&LvLE6i~)TuY5;<=yzMj<&0BkaHDHcDTQ{25w_6GN*05cN)}DkZC+JXyZyS++7FXGRq!>K5VZ2%aZ-h{v1k~0OJpoZ(IJ0BofLg%dcIm`C9;U5;UcE7Q(h-f}-Star5~xVfNH6F0ZMD z`|}lZaKE>)Sh}7)`~jGt0Eoikb-VtGqi>4F0~3G>P(2`aB)-n~5@V1Fc{6bqnb28? 
zMHdBMK*A4#gtUK&@BM9P%0Gz+X_<5bE$W6E^%(4s+9rpMD)|9n{$juO)IC0%IjXkj zp3Z4^LmoX$77(s@b|(o4RtN|O?~DL*GyPo}e**#l8iY+6PL|h#Y`Tj>w)ua5mWQke zPZ0uvt8gXYzJ_NXq2|7CeisS9<(^7TkNKA5Htb!xzj1%%pCz~T#g{XZ+g7jdv2qVO zzhKNK?O*!t*Z-W{w%gtRjlMhQEzgroDitoZF02x%%wI`9OsuR=bX+dvx9ZxZ={{T^ zUp41u{C-bP^S z4hjqkjZA-^%pYmhzIPxoOd#_6$0@5G?B>t<{Y}QI|GqVUrxlY=&1VhVHauvPxHT{4 zH{$Br%K8mmhO_Qj^Zd4X{nBt}6ZYv%-iVcCx1FSbJ&{Q3SV{*4J}{xc)xC0F`}B;C zv8O1AE$1=+=jRA+P9@v`xqwC`oAvh zu+(WkwmZL$uR1NP>2J5_{Lk~{_T3*mjM+DIKX{){jxJU|k+HRKx?XNBw(GCY53{sd zzN4*+#VNOMk3Aa9+8YpAYqW?_Z&DF^!u;pKzyt|5umov3*Npvyl_QLqQ9{Wwui7SG;{j zTd;=GoTFh2=40^WV8Vb4;Dt+|*=*tjP2hhCM((W`X5AD3GSISFM@{^zxqjI^Uuw0_ zTgQ7Vho}1|Hy<5}aKX}r+wYd?;(7CN@u*AZTXQ!X=KBtu;Rgm_L;nvcTyO86)Ri*+ z-KC)=mNlH1;O&#DRxk?byfj=n9}KfUfVq{s-u|g_8l!CB{c<`GJl$Yx8rn^;x<6 zys&q!#ZmiVezHf1{|e9%mmI)_P_5~Q@5aNqbP)Rw&V`7Age>IKAHkdct~zfg?*#j6 zluC(>e&E=0bEVlhT=gr*r>ziP?jC=A^Quw+-Om8J)Ri*+-KC)=_Bo&%@AmHix}a3= z_a{1^>iL20uu`e+EId3NRu4{g&daCG=fj4ddZ5ED$DXI)gXUrggFuH7usEC%!UiL} zm+8*sd{Ad+y`7s+fI1Nge7jQ4a00J2NvUBRq2{{T9&437Kg06Xo4~b$Y_fmD`2))~ zm2TDc1Q__UQ!g9Wt;K~#qX4@f0(PluWdgUChF96=@NUfezX9-I?ht7@x$6FEe!S}( z--Pv(o9%XKr?Y+2e15)aiOD9ueLLQTU?UsA`G^dc&vCIQn=ZKH0i;Mf99^JYfp!Jj z{gNhlj#9})xLeB)cc&YNyK;Z~?tbm;1m>~*I$y5I>z@vHSRGQ6aasool%D!O4RFV2 z#U1oX%4whi?+Uyt@a~t>Ap~WUQ>7aD;jY}cc)1M6)s^z$+UCh&r+!8yGwpCEePl^0 zf?QSBs#rB;j36T7a{Qde9aSLR4?()LMKJcwrT8B|hjC-wJt>6KIu+r3P+Dq}d~j<$ zKf)a?&L7dkMWwD+&E?L+?S6gr>1N6iPB@ATm#y|Bw3l|+U#BC>MH5W`v9m5crF%?9 zry>%@2IAV(B!W(0bkcufv&7#l5jn-@frl8K;1fR9hAf=BZC0t?JqC;?m_z z^LbnM;~c5;!|GLM!Oz^Sny0$ltj=~03Y?n?oGVeJg;J1Vq`BJ=4YYCMv!7T1&XNm3 zdXnP}M^WG$N!kGnXN@I9LP~HGDtpP=Lb8L$VfOR$Qz@$BZbcFkb|wl3gQD; zhKSoG4g6SOgmO}ZV7byh1bF6fz%DO?<4(cCdmjdi&~jq{!^qD*eyg(=io(-{UcNeM z?#>eXxh7HqDuI8i5cGOiWdB@=rNY^+Jxo*Fks~&s=l*<-kE0raDgM;XISiLsx4%D* z<#YW;YwyQP0u<4 z;lgp5W~KK@64Us4@0AN&eY{_^_o-=EoNtDdaraaGZ5%+ybg{x9PhCgW@=z;7@E_;1UJzRedkerkEc9DlE#SGu%XQ|AzMb= z0#F<7U!#A73Lnzx_jn}mHQas^mSKa>1Z^2P)`a+-e1^!H7*mLZ;Es3($Zfzhy~!Sr 
z+bCks038tCk+*~6VNV4>06i^niTZ5ffu+r5^tkS)uzqkej_?B&7>wqIcep4=Rpg4cbl;g+BUL_nxRlGj@YBxBV!3z^i zF}>!uo8#$zPad9;!CE*yIG%$<2X;#C@(Mdr(LHsvnPM(s z?jV1-R%wu-Y)4w@ZKZ*gdMlk0WXD=*rO{>zOR$*8Kx_;qkJ*>r4Hcx>V>i|zHX!%f z0)l|e^HD;VXG%txs*G6H5Nn8_KsR$J$kA``^FUX6vsTLmQ$6e}#E{r}kX>)Na0-{I z&hvz$>{W1E56MLuLGnE&El1PcH}!w`UIu>ohxn zx%33(=$Rf#3+5Yu^lj^C23C!Yj7t@ImpvX>mIdF#_R`yz08>D$zetVweC$Sq znJa8`+TqQsF<+pKxD~eKf?`~l$+|ITc%(yrYRupS^9jX-(Q{ce$7<_u42U~0q~SK_ zTFb!!RV1CpYzi;{P|c7%9+25`n|Y93>x8A)aF)10Jck+_cvPMU1ttulNMm&!nVTA=uI|*gFWEwV53paF*A$}XStDo zkK;;NmOGJ*X|DJ)UMd>{;o&9LaUMY7U<{Zg!N!~%Y@pS9!d?w}NHOq6nXOm(Y@ug+ zRlNpJ+L;qTu#~40*(VLkg>h3YD7UXIodVR9Zcw$rj4{ z`DqntCq8rVY7P@>?6d567YaJN?~KCxDJZCYp?t{7lih#rUMSyPTG-fYp3l60?unbl zqfSAre;~1D0Cw!95GGiXE_>S<_x6#lIgH2M<}BEq1&5P4{K+HS=h&|Tc2XbsuLfIM zj^Rf8<-kXm32XkXPfCJ3cLJIUs)@Hj6M|4)?ZL3Zeru%x$*j-3iz;r z&0`n%sZc3g?vfS#z+&koL@5F_6upF~&nXPt?f6w;OQyiQ@RPR>vC1#LJv(>JV?XuK zfb4b34(?^Ci|(qrXwNu|MU*g!u9#w9>7Hi&G0H?e}9VkZOPg+c>l4-h7( zQ7$bNARi@rB4myJo`!s8qA7u^6!EFxx8EyWby({ZV9SOI;$gG-&M<;L= zN0b+r15O+eMRB<6{`dRs9Bo4grckg$-}FoOYD^J-lB)g9dn0b3oo#=1kFiEEN?Sr( z3P0#=svkW=T2C{H*Q_x-ZTwJHkAhNE@fe)r{1iqk8%6dFA}Z2Jp2|&0dK~zG4mP=# zPK5m4ukKGpXzFARor$QG=NF;Aets%~CMLPvscizKuJBnqDRX-cQpW0pJ>dVY+V zfMzy^>>|BfOLvG-;X%Ao$O2Og1#DD=93iow@Pw}{hPQ9=JeYTTb z4JB-3D=e*O2Kx#P?G!}zWXBC;m-B1zfESH_d>VE?88-@b2cF%qUl@cg1mqNvl4+2@ zrNIRmhg!KH9N-j|<&O%2_z!Aubj&QeY)v{n>Y=+uVYP5jkqYVcG?1Akh^F|IE*K1| zO(bCQkRd^OBmfQ2>V`=)n_egU$ zbm8J-2Qb#wWX8w!@c6iX`sZY>wp~3q*s<+y)6C5DxMlmosrk`f{pK>>y zA8_2z*&$>5(=O6c@iAw}6)}s(2#tS#eU{Zf%iVO!8wey0PRI2xeaP^Zg5GC!3T=8 z;@M#pFiuM@6h(#zAIRk=cb%mclp0;87E{B9tWQW{ouLRSDP~sW{5X?Zkb)L}3%`g0 zbVM2fF)5jNl$`|B)R-D{17hlEO)du*MPZHu94Vx1B{{#j7(d$6Z5zEiCVL6J2BuoSP*V7<5_Q{?6dh}CikHo&dw}VK)BFwNk zdc0D3M|Lpe_fi~W$e%$gkf0DTWwjh?t>_SfcsmQ2^^Ds%=tY>nO}{pEgB)`3NFZ6@ zh2{BoXroxD38_2sEQR2IgA0Dc_J0khlb%rj<#5OYk%Y=tdpQaZhqfy<$)75f)7El- z{p|8=^Nero7Csz8*FN)%A|5fIgZ*AEv=N3|7*dOZ>1mYv%6$*`J%M`_1R`v!%oH`Tp`k;XzMF7Gix?CRW@rm)sTT^G-2KtjJ|mZ 
zK|!=ZAp@5Md*C{zP#noT;gjO4|G0Y+c_67u-20Ep=#hjy6RN`kzUSoqyy|R-+>Y?Tp1oj zA@cRxMn{3N66HnuPLvzR8xne_0YQ(HfIJl_uKpbXDUq<9>A@k+P}j-ylCHzOB>&K5 z%Xg~6yHFosa+G#y>R&H+&wl6k)(XEiyk+Sf=H8|)KB(DExRHJuUfg}+=&Qz>_ z5Og$YLvf=JsB@8#pVSx)M~o!M)Trdk{3u3)9@FyN#@x~f71s!1WRqcr5!pbU8bJEl z)qm;JDSS}m$9oX6j48(Y``05vz~DHyu|zyYMn27iNKt_k5_&%r5eEo-F|-B7u`b;P zIAzldLP`O=&l=-_0mOrd_cZ1@oRk!Qlu|U6CX^IhfT|HALY`v%0ILd;3ktiLv7pUz zsr8g+APyr)q95!7o}vJ;3PA^YAtj`)QVY^65wswqlZk1`-1X=dELizitSews#41=Y zo?~KCV;(nv-fT|Md(@hO0FDMh^rWSqp#moolojYX2K0`p$kA^xm?f1Ijt;heqT_*( zmqU1I3>Q$l2`Nva!CataQ;{tg8mV+POx z-z8u{ZP0v=W^WCu-vQ_VExkYl&rpZdDnM-xv?t(aQpkH*ol+mbL86C8&Y~0oom?T* zu#W#7!9o&)`ScK!gavkJslt*gi^xfI-J*9?8}zgfu17o2Fp$*XjpcXp0~Z`-T@|y; zlcV5Mw`U1m81Pkt8#rVf7oGZ`mIDPRIoCS<{OJC1lF8`?iA(^t(z8>4C~B}+Od*9d z9D*7el)FAA=m^Mn7Tjqz+)J0u;Ced-gDaCuwOYTs{nq3C&S_6EK4%K=G;_jaNMt&K z>_mF;-D!3{l1iXCoDLpiqX}Gpz3qDKKTnPMy1ILKEj;d- zzXX^H1d9JkreG+F8V0>#?=cN}T!TKwi-bsciFzN4%?#>|+zOMpeC!B>P4e=hp&nvM z@Dpc(-k)&L+c`LI&h7V2dzWvvR(iL-BKBWNKWZ^pRKi{f zdnN1zIC~KAbkbzEuD8d)y%WB7{#fJPt<}Y?^U7uC##~+%9{0e256WMwtk5dO+XCQo zf`iSMP>as%RDe%J8bY$3GXqV@>=;**Gs>Ba<$VN8An>~+w~6V(T#0(Ki+bZWaK;Rt zw1YvIt{M3*gD?euNm=>}aLP}3(js_ z_htKF^HKIMI;#bry`WPT#Z^7;R6JWVXtiT;F^*Cb*m|utKjjzDi%u^sXGJWKc7)xP z44u1~qP7l2MMI^T>ZL|T(T zcNY$HD~s26>&K^+)m8SqJ$KUY-q-HG)wuSHKqnc0NL;m)9;ByP8j7<5a{|32WUcZ# z*GiNtQSSdC$~iDwnh{d5-7&OfTB}P(ynes?cyjgnJg?OH_FmEH1HJ^gm@3M1NzttZ z8(sRoCZ!Y0qPWuzGK_S~7<~K=$Z?Fh$lN}I=Hc4i$=kyEQJdXX`)}0+cCxurg4}F? 
z++fFl>-fkra-)57z2El7ICo&0%pN4T4~MGe+xAuMuC-OEZ_lmwUe@mqx~6eBB>@7ByBTFW%-e((wu%s?l8gL)78?UeY@>m zR<5cGrm@^wyxcF*Y6j72Y;YO9&!({4ERdmpe3g;oLdC>ynLgY@I576l&o4J?t$zLb zZKrZ#+c%wq*0<(-e-#+PuPa4NJq-%tv=`?ig;cH~^b{h&DmPg+6ct&uDAqffnZoOZBjf9T z<^Ia%Q~g}mSC>xq*A5;!)xB@E(f?|6D1|^32=(({5(@eP}2qiSmFf@({q%6|Xatv>BZk$jo zJ?6$i39J-E8fkxyqT%;@AkD@uN};f-wuqXCQ#GJfI>zaQ*P%&b|KY_lg@r<$Tr!#t+%B-BK0KJC-Qw_VOVrK2IeS70#H^kp)i@1o##o&q4q{bloiK|Y4t zdGqjmtY5m#lY0B?zFn&$(*Q!j%xLB*9OdrX{JAezH(PJ7mCfyQ zU%8jNhXqHuoLb%NU>p?9IQch!xouZ719G1Rrv$l=e@c-1F36D&01esfuB(1H$nnZy zwfD49?Nm1GPUG^d*FE1joo$edX@}v_TgbTll-PUP4GB=B&QI7h?bWI3nnhmYTg|(L zx;m^L+7jhv1LgjocO=jeB}>k->u%5CP*uA)d)sI8uUq}6rmHk>j@^xaS}!#9iHb9f zie)>(@Lx~OUo?uKAwjNxn8d}`a9q4PemFVYu5WHUudO{lzHG|vz4~RraWS_WK|~4! zFBJZBDc!ViaU$Ia5RP`V)pN!AN@Sd2WGuT83fzsLxU=+eK<$6v^0FDBxXlRIa84`7 z3&oJ|&^&+qYtk}oz2aZA9xCNViZ8u|8~dk)yQ|0T=GNQG=E~fE;z9r3tX-ZL-PlVO zQAq2^(mO%NEG1D%D}Vu-0$)W(nI$+qhO9j#cQ4h~wtm)_vN! z&oGGgI~b*{)O4$02p@`rEZ0t2ovTr~^mOs&Iu*TKJz9HQbL%xO>kr?u=Ku4#==(tHb$y+z5TMYyt8<@*{^wf-B{E$(JlIEP_)Gi zH1o*&)l3XE==ew?9Uu&y3$I3}N{#Usm*&gE(78*#n$K(ir$KCJjU-tH1Y8NlB>x)c3RG#XsfdbCtPDSbCPTI$R9l0@5R|lEO@4$kUpq*k_ z6_hF;BU89m!%AP~yV(altYVJ+`dgu&NA)g@@Yh#rg%m+B?`_eO7;c^4GHu z3o?oo*dSzGznIj4~8r9!<^;0;ZO-_GYn}1 ze?7b@rjHB)b21bXWV${k92oZImaFRJ;^uX)x8Lh@{aIu6cBSyZU?U1Hgk_qZd2*bt z*vMd*Cj$G!QMUw^x8iMxYF;gR8M zm%&F?#v^v{s*F$F*wlbQGGVwN2bQ8_HY^p)IYny-W%DX4B{2MlfFZRhrVk8Y{4$Cn z?#vvj3rB`(SM0ag!Ako~-84H)J<7&Xz3|A8<1-W!8U#a&y~@`xD50T*hVMgz*JwC@ z^_i3RRUeKFwt81Tuk>%kZgc0)gFUlsXwRiS%d*mOUYi`DI;a5C{v2j6vktH$E z#4d56#D(cO49Xgz9n+bi#L^fooD22cvlmvIHZq8af*A4@rL$IeAw)L+0UFAfwAL$5f0y85_~gs-5FEDPDWCD`p3}U7%{ra@-rS&89DlXDV1?# zbTlE>FxKI3l;=p5Xr@J?fA%Af!bDt0&dZ~$KlF}kw+Gv`vxnYdkN%^7u~ffJB3Z<#+zuKQ)GL1jyJIzLS@uoz&LLePjOcXLH%4$z9+@zpx=+oa{FwXQ?W4y8CU3n`9 z7UU6^Rx|L;QOL!V3?gp%;tn}EBFZt&HMuIIJJK@E&N4;A*r=_5Oz)KA-hQ=Jll@?afbI6ys;St#!rn!M#lT11FgPRi(SZEA= zGp%K%A4uTgLqiTDo&~)Fm&+|P>DAo-v3F(7i7QF>{reRY^L$a%zC7Zs!As+PdvO59 zcx$}jb>jZ_@1*RuB_Scn;BM%q=iZr#1{I~M%#$axvNE|ga8VhPsGT|iEtBJ&C^47O 
z9S(C2GwV_VK5HfTPHXkySg+V_Z-v($)*mnC=WcE$p6|#&7zhrC0uwUQpW|nfJf0*0 zBa>mC7ZJVe>B>UC+pD&(7q>R<>f4XAiJq_l0$%r%JD@}YKEacLpdWwty+nR+dtT0+ zG}y*n`}%sjc5~mj{N9}k7tbiBD5NYB1x>^1jyI}|c@{@*V{@q{W-+?(eN1eE=BC^O;4C@Je9Dy?j^)~nh z_-+AaXQ`R51%IHcG**8mha^D;)#YSI!5H#=DCn4>fFl>u5@rq*rY4hXL&o4B7p@37 z=9~^Nn zYZ>2T6Tq@d;t%#UHdkOk<|!c_FB4Kn85ctvX!Ck*0eJ$m%dcjRT?FlLObQWR683SY zuL815{L4{CB?*7NQ$Y2=Qb+7QDH`t7!a@N zX*u9)8J@q#U}u&}<_k(%=ES*@69jGmaRf98PJcdi!wA@3Zitp+M+R08AQN7$rQRR8 zvjZqlF+-3&PG?_nmkryiVC6Awd`!+qu7b$GQ8FMrdFX$rqN?x-`GdG%Yk`JRWBYTZ z1^Qv>e2LC+uzWJ19vXNmIh-7=ffu>bO!|qz2oE4&@VE4U`oe(~Ko&Yr$Ug=QXQwoL zdAggV6XzWu?TkjD!YI_~r2xw(N(F}(kPhm@63UC6hZmyYO~SL}0Kr0gYr%djC>vLi z?8|UG9_D{v!K)OMr3Ri?;QWq&jSf+bsr3I?1pzY8nO4IZ4 za81}m1V|-FYnWl6J|**B;6yMo$x>?rTS>rY$91z%ejKb0R3jkI3OJPNIW&rU4tIBF z_dgo_x$BFaRkd~8c(CW}=rf)}GPUkYJqLJ?U>1L{kZ`8CA1Kjg0`EW+fQYaGF8ge# zK+<3Tw%NP8Zr*}9r)33m*cVTMD5Z!h3_1@Y0FHb37v2+ih=G=HhV)w6+>6NS?s}!S zb}k$1b62ak-wv*O{bMon9j4HCpuh}}l|s_6>;*C!MtnLTEA1hA;1VD)k*qEHBLeA+ z2GM^IVA%Af0(dG^*!+W_PD>-=!zJW>wBd^QS&Z5QNs3HqYGLF`c833&G{$V?=45tZ z;L@vWt`~>yRo2^lvKO8G+tUMka(_Iho_kjl58VRp5P7ih=y+OjP3?$%0OB>5*)8iv zM{aOOux0S3Fb4U7zL6fs47+Fu+TkavlpcS_%rdHNkz0y)@BD1b^8;~r(K{8D+P8)J z{Q2b!x~CAjRRD751Z3BJ+1O_jt z_1Z|IO+&loAsFrHUOMCHO;k3DLv-ux$5m&aA1pO0M^CQaQf_gzGw~1&!J^D?`cn2{;B^aZ?61)_m}3{-)o1n0G-3@(-1UZrzi zS!q^pPVQ>W#@=G1wQqK=+zh3s5T!{dB&9xpW?Ab@eo$o8#{(lhbs{##(*e3loScSd zi(uD4Sgi}(tjU)A*I%O_Qp!*pfG~fKGun6|g=St+JlxSi7Ur36OxT!*D2wX-&Qm`P z)$yh}`Pc8%8<0ihGd*guRpP4T#o0<}yGPquW!x$*% zsc9%=(YeGWYFKePv69qDlG--v#LPZ$opy;0kHzNoi0 zx)Je+iE)$Q@xSk%{QJ+aarb+>-KPiN-~0A>DVue2)$4Day@Z-;Vt>2T{Bd^q9Mgpm4=};2+itUW z_R{PV9K=4YUY>OcA^zLO9(HbH;L$&8H!t76(7%c_z-;69nxK%kgVJ(!d)7VcH7~b^ z{&w@ef3?}Udwr4q?R_V@7MA z#rgH|_xs)M!{zF)!n@D$*b2xXTpF%CnPzT9GE8ih3Jhhe(oH4Jd^V9Slws1k#NQ2q zox-+)eM+ziI!@LpEq){=%<=HX3R4U^Gss~%-R~DZufWX4+L@DAtarAu{&IAE%j`j8 zKdQ&S3>?1%4*n(zOJ{$qS~~{;HCAiS^AFKQ$U?Eml7kX@J8)(@&hdl`9E6z(I)qg^ 
z|CsO>jy4Uk2bY}_2uBt^xJ$3|vr`SF>OoSKau5gnEL{l~Neqcnek1PjyFaA&p5?$`PIfzeV@n-sZa0%pKC1I8IJ768WAnnE)Ddfk3; zU_3giwR@LyN^Q@rUH2DGH?-`|PdhMz1{Ok2S(-tXrX_Sl${LZv&nOzDT*;t9W2hY zm<1VU$T&mBaUdh8hGg1_^c11P;?UTDCs+_td)k0&Em*-dDmOmX;&6rIu94Umg;OB+S>iJBjXf> z83nVR>Q#TS8EKqB;|vwy*WUvojMPXv~Ag zDGD?SDno*o(X%6%88ptIu{boEm-jGh#{jf23EmRwX%FO1K5Sy9iX*SJY>9maIbo^m1i}%h_dPM38V5c}H z_T=;SVq@iY?`~`9@TTMS5Aj%;a!efW0pM3+BGU|ZEw^023=?OV__tx=YYm4KP!!f? zmJ*;2KH9TrbKwXq_KL&e@ZuQbfW_nH-D!Vk%*9iL3=CB~=awn0l7$P66M@l=3SWBR zq{@zQ!^P@&GZYnv7saAR&{TDs@*CjaxD;^o)Y&#n3)A$k8mKu-C6A2+jHffkQmFP( zPUNS2{dCd({dmdW0d|pzbzXnEUZ8dlz4TT4{w_3zaNnKAhLaahNc;#m8O4A zSa5@>7ntYKc25xGr#N~JEX$vOz}fOhe+DFRTu3E(cJV&zl)|pq)ay`J#er&gwVeqC zD$XR;`j=iCN4+h~M8>8T2T22f?QvXOrwj8P$UYDzAsIe?3Hd3-}KN6is6^;WYILKAJ* zQUJlG2dA>6G5l~)5KH1zRxvv5vkUl#6^=dNF$Jb-)#5N^Hfp=Pbum}-;$>s*VfE$Y zntv*tDznDu@fB_FIAKc3z;f!6$hj2?;`gykZ+@l??y zx6+9en34m|CB)=4Mv#6O_G`RC;J1rpw|=g!TI7B6>#F^yb#>Lp1~enp(PD+wE;}c2 zH5gl2wX~o9>bhzwQi3O;ya14}!F*bXs5VzzcekHU+uAK%b?$c_A6lCoS6%Myk5_lc zPce*l0htQW3u`!2iBoOuO(1`qflI_ZT#PTQBk35Nu8>|*|CN-=Y6Ddyf&5-j6RruQ z69%u~qar*D@`Qh~wmI=|Av>L=>fEc$z=zS6avyw}J5if2uIu0H?M{35N%}WD;ynkI%nq(Ywf$c%iE(pU%l{`CsAsBw=#do zS5G$%cGc?j(Ra;Mb@|uEgBkp{XbIyPRQ&vt-mRGezhjemt}+5%!;`J9As@>he-mcL z$?>(22|m)|yeXSjjN0PbNaO18)6#qQhLi2CM=0Nu-$4y(vKT$5wl#v8Nc1E^=@*Jq z`bKqmPW+G;Tvs2f8%OnpgY}bKuNYipIHga1=O?Alrt8s+^b9Wc9)$zR0E5Uci$3G@ z)6D6In)nePPhtF}&}!7@zZM&_P9ZO8VXWR}4DC;$F4Y~1<{JGeA+)wOE<`S!?)`VTAn#l{_2fH9)@r+VFN zcX~})%Gd{A-{xlEXUBCClb!An@ne&SMSWtaZA$7{%u;c{8r}qdX+qOI;FH69&>%r@ zE*PLGLFdB6G@;-_S;3eX($#C!bPq;-qy^BETFg05y%+~Ui&OqE{2)c)Ihs=v!=!i0 zNXKW1X~PoJSU_jLRx*mEVPe$bDDu7c+%%&E`Dsy%MFFkIzY7cxKm)zF(!vPfRPrE&X~8w1###- z9$7l0!5%X#kdby&derV5tK;S%J<3$E4|bIOmG_!|)B@3|Bm7);Q6xX&in%n#pM11rzH5EL9`B`?92x9DS?OJ&RpRT=X>R>mu3!>3nT z1#(ueyoTm%?k6y0(%BGY(|~xU)?2P^6lX(<_iFbCy0);P+BC5g9rSsWI3X>2mf`8+Gt@0)}_jpE#{u)B`?%R2+DEv1O_dd(J zcJJP&vrGaYGa5-1pdwlVA?io~@K@l@At;dpbh{9p#s6XdI^OUXEAJhEA=2 
zv=R(mxAH1FZU~tSK9pV7!DE??m#M*_&Ej-OG=EetYYQiv>(4Lsir-$^Y$o<0OjOwQd?#i-TJoe3iA*NvsL6FUL!sZYD#66w3*DKzC?Tq=b z#e5gyzN@iIlhpu50o`W=90w%h_CiMIbC5Xa9&IPHL-kgvXJz-cv*jH1Rvj4yhRvi+ zQvkn;Duf(dPt7YXKM__PD+}frU>mEj5?~e?sS!aS*a}R`5on)fmBA~c0pW)6I498P zJ3%9?zcviZ48aVZl#K)|cZ1n~atf4{hQCH}%NxT9q1q}9cA=W2@27B(g(P^Hj0Hs% z0V!~>JUH0<9L!fNJD!xb9EGhl5((5bk|ZuUK`aY}h2R|2fo4L5&u{i8xyMs!2AF|h z?V}`C&KWeAz0={kDPTKQni`9u9JDZK<4`>u^HPQFB-U(GBPFAj5)qDnVd6e&!8-|e z0jqKVlV~(B^}6^w{Nq1{Ab=s%Q?2KttM$Wv;a>N5^hJ4CVBNvZO>uC>R$Z+#0>@V} zIE@Cmrd;ehYZw5MT!A?e-k>2-?B7SRkG;2GU;;KJhEEBzh2uXlIhTX8BUdK=6HCk> zcXoe4G-jZ@`6Hz z=uoKN&u0p9w^Gg??$uKJ<=j!Rz4lNj-r$cPWk)Q*9}BXTGReGoa}yx+9f8nqcP)rm zBaoC$O?s0TkNx;$9xf64@yv`|q1cc2{1%P<_^scfu^+!3{+iH#Pi(V^d$r=-%ukB^ z#B>wlzNvAGk`>_UVb=IS{f6WJ0xJwzALVbM#sb2m_h^Sh_B=1J!1f|p+g3(=7O zL9QNdWLi%j(Te|X{@UcO59{UfCSP=RR|ZH!PSJh%tE7CwjQP# zh!_$|UUqSO-g5ST&h5q3>5%p=^aC60C^r;3yuHdk-VB}{$3C%__U?JE(LDOcV5Nn4 zaXOFnRHIZ$RXUGO%C)n9h91Z7+dsQs0oBUCdz%5vUV?GyDJte@YFW0!tGnu<-Fw-8 zmd)X7U-wQ+D{etyPb4itablpHGfAepS|a%b!9K{`5bSJ!xuga4xz1!pm{5j;NDC1h zyLZja^X&1(MZc=r75S1qG_2s33+FGnlR{rT92DDkUGrQTv@Wu}b&(5+4K;zI67q?U z;S%zRkO33&iG+M&**#uQ53~MYLG$Ww%azr{v)r;49U@drZbIq57{N~ec zygY(mfRILi{1b3+u(Jc2*h@mB&#W*|Bj=6gVLs*rAAK8ql+aHEytvfd68edc4~5rBu3wu(p}I8>h_`!LhFIM}-6sk4ip;&gDGs}=4KRvive1mKhzL9ve| z^<Yc-XV!h|&E?>_de`b$Y9T|ni%|-+i1d+8tXRUw7z?C4Nkmz?!LT3p$`glV^K#>qo z1gOr0fa3kJo&*#D5g_<|3KT#0RP4>@iv9UACsKPCSDDStBeU}&O42sVE3Vir$PL_0 zW{AX|eV+6a>ku-;Qe!}&CYC=B|I9@_O@ehjsB=i#jP{_Y;FIW)p zJE^Pa#)XCM=12~HIk`AH>|fo;>qhUn^3W?j?>cLag<=l>d?o<}!#F!wBVn!S5+w9} zkWj)uk?>C>{1fkwgn#0Fyo7(^KO1-${ZNrYic;p&psp1i6lII2*|yj&4lYi`{ZqYv z`>;2x=KmBZT9AH%DwQV2pmAW81XMJg6od2=Mlo)cGDb;%TCSz(Czwnt11D9(Nk+1Z zSzI*BJ|Q_44G0xhM1IoK5B&7-qH%lI$dUYRr?cry0HK1o=M}?J{64Rma{HOz7P6&( z3{qN{eWEm|Hu|Ynr{4P-{t55zkBfnS!cSOO;cGz&t%wGj+>?LeKDw;f`Ps>5RsEnY zj%(Gynb74un_Wa!OqVdef2!I+fE%Z<08zm;7X(z6L|HM_r2s6;G+5*kL<(p%qWsB> zse}J4Au5DUEBG2vW=t4YW`fIvnh_Oni8$E#OnSSI|Hu_4Msh`$y~4~)JR5v}g*P6Z 
z-hHY4tNpJ|w+{!o)cW@qT;#x6eD-x_n)z~12@3~E8{wG`+m3#po7*q;wj%0ct9zNb zIoaIWuQqpL)&23`=ajMlH95LNa1qo;0l@e|YlhX*5?*G=f3Vbr{=YJ-v2uC#GIP}X z(kcw>0P5x1L-D(R%iDD(R$~o+o%YUvjqy6aV}Sp@|LuL-^TXSUGQJUTGP4S2b?QEFE=`nT{uPP+t4g|By0E$7K;ZPYrgs`L1tx0g15Dllf*`PDA< z`=!dQ1E1@RK8li|+IVy-{njw;BbHiDt^Wx^X?1?>XY*-E?w|7}1yx%4B)xU!sE!?S6b{W)N;um&Xjt$v5P;GHt_S6phRHAYEt|O$gC&Ty4+Z~!E&^wX_b4^6f6Au>U@igpA=%ze)0<8Izr`#SHPIy^@#(%j zd^dXP(|@`DoEPsH*U_Iza#fl!&?}yJryKpk?_EDMd!4iE;W2lb2j@RYFJF0Bar=d( zg#oC?1!okak!;F<5r9OPG*X~*i%EZSm}Rd!14~I5itXNrkE>&U)_wug1#p=Be7qB2 zzA!kku9AiV&udDcir-b z=(l{Bc`ejBgWKog_Q`1@_w&^04dboy`y{IdU=2rJS`KP^D$a|yTo6#~oJek%b+Hb| zYSs{ywwTetwXwv1+nuRrQr9gbfJIyxnO|Yl1cSMWv$=>-vnVuJ$f(JWF*!)$jc2%@ zU4Y|__D1Pf8)d{J!u=H30AK)A$2fiiP{1Rg_b#00O2he${6F3d!lDfb-l_g-gZa=I zJXV}H#J^E>x~PIERBuwaKpJDv|xaC{X)oQ9}Gz+G6V+B8WSyY;=-eCe6{Ab@>OFv?<^7h>w|* z_%YmH?mriiQ~{mDnc#%G9bYa<)r&5vw)mCKpLF!?ex>E?RqnExjL5CLq@o7nbj%9Q zIdK<%YmNmK=0QpUKuk(Pz|{RbNd-uoYWON@0hGJ4W+o&RCOQjruTg5{Owk7>55Y%$ zQXRioPzmdbJ$|8}0y!m!k#OXNksz%oag~UTOKoDxb_ zr43l@#ApIW^Mo9jHp;E06&7riPrv6)APJgQVDxJOW;t?ZN{>1;&eJ#%t0ci>NSC+j zoqGq-AEPb~CGVu8R@>I|cYE8Zeku3llym#9G-F&%t{qS5rFP4X?yt&(d ztNqcOB7iKCyAWjJsegL_;7=<>L7$|dc@jeh^gWlW zGM-3VEG-cf`E4bc#DOUe_gi7jwuOHUGc3IRiz~2Wk*OW#Cza;Yy#TDB0LTSc3)T>A zBMhk16mTe)Ac8cSY7+w@HN587s{o*Xlf~llCGmm z)LAjCJI8)p+z`<2j7FPI%;Qms73|D{hnY|U7e~XHpi3>z__AT{JqQCW#FBeAmIe%F2Gal(Etfi4Gtz3ggC98D z+>$Zg(Lz=(EioZdSb(-@5kzRp6ST23jndL!_7_M*uot6nO9Y%df)#d3OQu1t05)ef zbb>2TQE9nvIxxsF_(2p5K`&5$&!U5R(eD)UJM5`^uz%6GPc>dzx5}(LsMiz@tFnor@r56RbIvnD`hesb3%5e1$}O|3GpGJczV!# zX?Bh}H=Fs*7{-094p^gqA?RbR!v@*x^HH|Ue|NWoddYQYjp=P*4(5^7ncm>t6BDyf={o}%}Xi)mpEneleyH`%Px$3Q# znIvFYVVR25))IFy@z{TD(ppLckrE7GOZ|m8t64{gV5mF&o_PI#*IJ=5M|BvFT23Es zce@WavhVDkA8*Uo^QVV_Td)_mwvR4fE*m%50Ej?$zuNxU#r~@aGUVP5jr1 z|2o2eiT^tBUx$mE#DAUmuM_|En)1O?yM)lKWAaj+9#NxoVNEijEAS^2-LG|m5>JtaH z$Gam*M_&iFWWLN`oMXciVLXMSiY^?p+sDnDZm!yD9iL@Rf6~M5t!e!!;kcmxnpv4f zj*St8AGT(g&LdVTjSR{Z_SyY_?yzH|3uP+50Sgx*o1LT#^8`6-PEDEtnS5{WGZnV?c~V0T{^eMt>h@ 
zGzMkAEZ&&hU-(oc=a^w9-~ zw=kTCHjwCleoElr*}ZikAjsX%gbMX{1~1<49tp}Cu-ufTWh#A%l4Qk$*S>6iHxPi zxW$-+^(zrifAG;a#7DtBfycz~LQ=z-)X0b*u9Ab8>)(j$F|c59#L%!&AhG_KSDzV} zq5|6@RGS8}{>MxDKW<0>8bWGCL6Jr1Tokl)<9-P+L2HpBeaUvu<8}^g3K$XngcXfmS`%e4(PbC0{$V&Kq_bzS}~izq3;8Sf{nW+ zx{wkjEgG~!O((rC+J%$|FfqYOo@{QoI$cP;f9JPo7gE3VTeJ(Q?-qYe8`Aiu6Zd+> zyPcoZhcu?U5cge;U7D-}G&0lAeuU06oC7ckJY7Xw(VN>0;kJ=m2XdhE_lJ*N zyW-F&G`VQRvr8!*C2K3OEHv_S6=Bt!vS5-?BCWza)>&)>?~#UJPNbG2;6BUaPnpD! ze|T7f_5>S!Cv1e}gV>pagNP)P!jXXSZm0lZ2HFbA8lrgSjp2lVnV>Y7hDuFT(oi_Z zLV^K`tnHwwB0vS6=A47c&tc24YHm{8a+J2#NTVg!jEN}jlb{J=RTC@(=b#VZe5vsH z&Hg0!cq+{RG!XRAN@C@laf8__9j=@Lf3{Plsj;BiK@}=c$DxWi=A{bTNh~>}MoLC4 z#q{>&rZ@jl3*Je%3qpYa7gQ5CYkEyw9{wR9OtxZxvb-86WVfU1^?EfYF8cQHq$*9B zJU{H*k(bLA*Xsg6A>0pS2!pKzTtB7P*DC}>siGkNSmN|Z6#LubEldCwrsA4_e<3v~ z%oYv-#pGWOPLW)h5Kt^(gW$DWJOt#uw_g_xDukZPE!KAn0C}(5!U3ST zYA^-RfU`WvQM0(~2??eYf#mlo=<@#t-()y{BQ+0Z{YX@r%hSn+m1JBz@TEheh zeRm}E+hGeb)(9jOQj`AV#iKtyf7ypiM1MT9BUdQ;<2}Dcqd$J@w`laoZ->7o_!HY~ z;$E$IH}jKXKQY~exNmCQqGT1ACb;rv*OW>iWt4ZC@NRTiw8;qB$u$e7N@mWkH&Zut zbMnW0M2k`-6O#rDL%}5lWJp{jPH(sfP8T=SN;_)jC8wqqA5$_|jA_dZe^W-l#RPQl zu^lcho@pp#z}BM1im*zlTIO0btBUO&HuUaOQDtr`gHUXHTITdH`J zd))l_kHJa{QBm|ssx+uJQmszCmvX_~Kh*Et=i5J>f`a-|P{0l03@(AEGkGt%py*e- z+2?Hj`r-1yZXR|wpX|eSe{aR@Cnm79B?DVoGPJSHbZ>W}(@4H+HQZl9jlVP5A)Im= zY&}iCCuSC2&|3;XNtn}DAMvAg+@$~>JNntXqlZ5~|L zE3bD)>q1ZS54WEZ7T$z~H_Cts3va^08!m1V7T#$SHeumiY_x=he|M30|KmV`=O5 zxqao(GjjLrbgE~qf0qXPW3q8U$0#Q}%_x<|NMo5x4UR>lmT7>l+A8w@>|I$?>e|+Q z|9*vaoX9#PYXGSQe{Kvf;*648d#r1s)lZv`qh-W-htTJ zH_6I<$Bj8XEo!6V^PO&j9m;I==H+TMk}(C_34)z`%)DI{1+(<`qCNUyU zVVfUcQvdC;Dtud@5JCl3UW`foPbT%TuIh1hC~)+TICbH~EI1Nrv;phpDXiwggJY|b z>0h^rER}1egCkx#J=hapmWZ=z#Hj{W#IUN25Yi(3m;pz8pKFV;=)g&Yf5hp!!m2Vr zrwq8Vf6OYQLp3&|oM>SFu0nx6aMuC9?OfucfjHMCwl0r?Wd!3 z_jZt}r}r;1&HM9;PUP9o)>Y}Z>Z)^}9+j^8I{aQRqnK||Bdityu7@Yc9E1m%#p-($ zAX6(p-qj;+p@{i>%z$q$DS8Dn9TYjoN*C}Z4X`huXV$-8no*{1)#{U6&KiGtZ54bP zJl*!eou%;N0|@>suRo68e^+HyCK6WVda(NIM`uDDA5Ng5I+)OP2UAw8(UVeDsDHSK 
z$UnE`9%8yQZs3%Qh8u0KTq?txpDamxSs!l#Mk^%T#^qhKq}*V1O)S?xnw>m zIEUe}YOzJzP^_YYIC#8kfL(t86`Ae!%K1b*fOoafs3Q1B;j9l3aNSC($POAiL&q;n96PhbGlKl#t zO872Ee9bPz$Uur(U-u7oCqcQw6Qqv9gH+~$T(;D9@-Ufs>0fJ>X>0zp`5?t$I;6xJ zi!dLsW@kZ4e>&Lugi2#A)7)QWS{tU6gLQ?aHAYZny<~XsRSnD&wE|WSmt?M{EtA{= zNARg>`@JwFg)*PXr$WONpcD`QZ1)9@4LHlhRkz>`rL?2qfhVP-fKD5CiL&2;Qof53 zUvtZFNtE)F!Z}mEDb)%P3^=f7=-=@Y8P&~np?zIBf3Fs+dR!gtZ|^30I$DhC;@n1x zQ3Pxz!^lXiK_ZBdv*{OtIz(c9TLl;fM8)6nqjmhV_?)o9Zdj!<4^ZH8I&vbIfbr&F z#ODFZ{lj-9+)ySAAn5v-wDN%-P;g~GG=tSNW>-;(P#W{&R<+#O8a&pwYK@zlI->r+ zoocH)f2eIWYVbcW|6AowZL0!{4zS|iPPtlz@AUNOY-Mh?p6=@KcE7&0mpm)L?{(X~ z@>8SIs=vO2x4tV6>;HD%Z@$&**8!X+_w4l>oob^8U&Zl}xLfs`=}j1=z`b!_{nO)? zxn59P*kZ2*pAd($@ZiPo@^=S%ho&l4Tpwl5f9sbQckPW2agYu`h5--&qicknaRRk* zu-YD149pDW)L&o^Q8&i7vT#J@AQaQW5*Cy?_GE{;LhdWuywV%>la2G#OX<|jM3RqZ z>?r@R&2#L0bh&-sxE@~7uMKff$`V(>z&OO=&nu2wj^mcY+%S$?j^mbt;U#WAv~wA9f_9$e;74*_o7A4>tuM0 z=@geZQL3`!^WEcf`)=ntE$?!yJnHnne+nE|4bm~NSdfh~44dN2&ep#K?4(w3u(&Hebx8Et6o$T#j1BWXG z7U%0vqi(;6I63v+=LZ#gee$OZo?<~WH3L8f&b0Sw&3X9!f3|zu$Q)m!?bEr*esf41%Ep=isjB&?hJ9mSniDF&S1ES z<<3~{jOEUsDt7|J_)>bxVa+Qce?9fiQg}+=E@bY_RjI@t61hUIQM$2*2j!nl=_M=% zV9C^INx{t)+CPTj+vQH2LJ@QNzns&@a;L}Dp|H_k?$o|XiGpEtz2u(Ico7~ND~A>H z(yZk#9!F1w;og09xRawBu67#hVBKHvGK2=hITt;T?UNape7rOKX7uOF7pnnJPyMfAHrh%1hcE0lq?5`oi6BjdH*@(6@J6#%wC0DHZRAQ zXDr7>Sw5S=O0E6;H+F%!j1{d9qq#te$YM*_vaV3a5M z8DDL+gP-HmDR;RYW?d zq-zw&EVZs`29sUQe;9QD^@L=CDnTvzyi9%S7{piX0}k-P+$E_#Qp~t=B!{Q45*!Ll z)12Gqidn2$!@XJkw`RdA1FYjSvtaMD!`$ITTKCC*r`1l3&hB^awtcc-k(U7&Szuk1Wq(B)tp9?XygRoPmn0zmSf%`ne?kg0zhL}4gDWaaFp#o6 zJlPqQUrut5&-dMY_c~cfZai3V=3q}=Eabw0h=`f!Dg-NdLrQHX(F^+Xz)D$1Fk=NV zf?|66hw*S>6+&B6SQ02QE@io5?qeCj`e`sWxRzSMF%h$HTLsh>vV2y^L{hKZu zWHO_C=5e&W@lYj|V=%IYab_@HWR_P^>nNdNxiYwl81{MP+LU&fuvkEhSZO>fAW<$H z32%afBw>j#IZvwy!Q@vXH?Xv%!d!$+0V^144zxfreE(unCLM~V|U#Ps5;#4pEd08@%i#jcWVzkX^xMgEiCy7 z?Oi!~)ttikCf7-yFhN8NCx7RJejO~mIqf8=Wukus1w=cx*QL$N3t-+{JscKyjrF`RyPj#5k zuG58B3101L=4fUVXW+{Tjy*@FV=;!7IC5a1 
z-E_plJmdr#xX7O<5%riQBA(OvMYZ0N3wXYzcSOJdF27@g=6HEb*?<^8t$dq212e!n ze?3-to^^M^Q>2&6X0NoJBlT+HOf_k{Q5>c&e>z37fDuSnDIf$EGxAUC3rCU4vSz%Z z0DX6v>*UM#lJ~F|10IUhK4rIKg7gas5_P!3vt2E*;|@l#PW?Kdt&&7Ya0QsuV6_76 z0drtpjHCh_VZoFV(}EQ27R&LVhH#5_e+-QD=MIKypv$PyZrZ8mV-6KuVnU7puUZEO z`twQP3Y}y;DLK{M!Q;)fo=rFgOgsk@A+@4%%AH+h=%fR7k0^LRYdLmqS#N3;79Zsv9;igb^O%Tsl`Vd}rME!9=qcDgwu)>1DUt%Wm7skeU8;L6N{QCHgg#=-t7y6gD|F8Jq&h<^8*N7u0A1{M$}Dj4ODce_UivD95O~ zsr$Wo$bh)QSgUwoPTOJ+esu@lfAi`7=nH61K&F6d57nl;0J|Dq!EnxiK~?i9bNGhASQ zNeqcyYK1L-0u=S*L_J>7MNVhLi!I{45cOV-98ETY7|Ge6ex!(#$tj^HFM0^iiym6N z{^4^jO~waDdl${#3G1HqHk}s*Mi)^>8mTed%ko9Vg4dH_+ZQ*Su=e>VNDAKo-e$2- z6mz4u7r-A@d@~FS8xicoHSOdH1>OLF*=sy>C}rLlP6*XjX>bgcnktj8+Zs2f;g%!X z!p1XNa?O|sBc3dJKrBSXF|Pr$2$)d8&o}>--1k!s!;p5Ywgld#T=LvteoqG*rv;MS zBY)zVguQ@yQrP>Hz*^HkMDXxE02{qFM+=xn%(VjSFtgkZa#JN@wbHNWM+Tws5p8Y*AwmZ*=B; zqWSv3lujO8_>{c(;5z$^we&@^SAV_L&D!Hbsoyy|NV>^THTRf(>JG1HwYJ?KC+`kA zWRU-B*wRV`gr7*FQLZMc-F`jc;=5l{kI?7CKfi05@%NvowHBN~^D%;Ms4(HNqTNaI z+sy9ZCR@%vkGh?gdp17VbO(x3hjJ<;DicPl*|v$=ID&wKC8^OCK*L{5{(t_)X<#X} zWl{vWP&rvVN!b0JPG7W}`<3h6Vda>)K_OGj_jtZWFRM?@t9Cw}N;TUF_XT?owc*v? 
zwc&egcuH>MzBs=)`!dvE936fyztZ)w8H>Uz{yw)l|lTy(ArcgH`R z^-Jyuu=p_NL@REs@-OH6?XA@q!*Y(ny@X=c|5vmAxc8dJ)uGVSS6|iCx7EDFR0Oa+ zADHDv&m~&TA5adj0S~G*H;C4OkmBisD>2G&VN)G7Sh3NLuGPz3q!M?%&Oh$mGE-{%{hj~LJ!phrypnL6&h37+Ts!rV zpD)rX-{uR3Qy6WfKYvEsjW@OMcvH#L$4}9Of`NK zm4hTpj8ccA!g%+jTev^p8x3Q!_Cv^8EYZdiZHODj5^XHe27kj%EYZdiZ7k9LSc%p@ zvi-HWF?A75H|bxZk5T4qB=+RPcBZv=cq%dv^5S-w`_ZHy_MK$l^An9p_15@@Wqi9n zYcb`8a1~Sjx1aq^${*{q9#@BgPG5aiS>Mwwr3?iILOoBn2H}y@UOm=^`;{Ttt2~zV z>FDvMU)lKZSAT6BErk*kqt=X>Mo!Kgid8WQ7-it!M)}u0SzDf!4rU^1#xR0BoIHye z+Z2dYP>X=`(dkaA*K4)PrziQF{V^|GkmuinmMaOU$Ng^Ys}*TE78-VHnGXX)i>tDWlYChSG|sdyf31Ka4?6o1v=<#D613=(CEn~zmDxq|~t z%b=fyeRnAJKkoi^1(l-CONsR9UHh@Wbs2Wsz6pCqN4Nj|JkG;wy^-PqH>aj&iDq$xKh|LoJpx; z(*O3e-%0vo5!K`BP~hnw^)0}4QOgUc~ftXZeD@J)U1%@RkQnwuO4DpV_-+gi-90CR}J#S@LYr_e!U1Qr}r zGt}4tFIVu7V9Pb&Wi_i7zy*mWCm=BtXaj1PFD$qU*)NI>4tmW_5-X-9+UwXbVin&g zA7-h4b;K{h_n$w@mOKrsef;!pge@8axPQ3rVk-wWLec=17Q)qVCAU14C5Qup)eSbcg z4h5uzZ-(uE{0k85x9PpW-ZA)atY6HC8$p7I!w&_*hSm)JSmJ9n`x+fKwwqg*xu?=y zF>82bckAV$l)j9&o=&xm4>wlWP*%CdNZepU6s2@j5IM%er&=;5aAzPFQxs7R|4a`j zU9md5y7CDp3F2z3qXP(~De?1D^MCFH{MsX}m@?>s>x&UTv==XJ-VSWK)Z8Ku7b90C0yPyFP%19w|BRPGSl3Dc9ZzzA%Co4GvVY^ za%F`}DPs)n`+@Fy&~HlMNWzp#tsO2-2hgdf<8q#AGuRt}r4#RWs&EI{G4u2nV`-zEK_VV>Q|Gw8fDw*zfb9=Ry?JPrgT3kbbdtj9( zt~2<)WUjOZNES@`28L-cd_?l}zq*I_d{gy+=L$GI$8uT2)Dlmo9%i3lau3&7B29UL z>@&CobXg*AA6}q8mRx32r*-pkd2o=gT|VyKb}F^poo5{X7}x~E0e`{kREej5$k7hg z-jbMA&XktYM#y499mg%OSm^S`SZ$VhKFq9v-b|Pg92iP?-Mb$=Tg=rHmXd4X^-UQ! 
z6cbEpsr(_kA04t^?^30`i}QoVo_a|?w~uR8 zGzv9E$)W}6GJ}^7Xn(tO1hjp2Tm&ETrId-mvO(HI+!M_Hb(rl0_JbI{KKbcvQ^;ap zUpZW)S_sUfvwm3=IT9Th5AOTwxLnHKH1`f`2XEIWrQNL+x9$l6MrA>ul0o!J3L=Aj zd;UBwD$I9fAPN&$OkgpA#g8`^fkg@0m0&R-KUAdAQSm~(*nb1NbxFj1Q{Gpa$B+8_ zdA(7QxJC-fg%k$M8?7)ZYM9rUAT}&mn4n^UiU}%4A&ZuBhRX)NWRXRO#bU8@?3kDL z^LN!ctM61ACx?5xYYmGr2R@gIiw4W|67S@e;9`P{2`El}J!ALB#|W zKi*u3EsBAVR@QIxZcar<#h25k+|%n#?mA1UZI;B0$P4C=i+YCS#cVp=?$vt5jCz#k{J2jHd0LZy=pX@Ylc4A*f8dx; zH_`Y|E6lL#UBVg1uVB$@j`@5OI5*qWyx7-QZfd67NJT_IB*)CK7i_CiecCOz$~U~% z-92reky7ts)#qk_52LI#1}0~#hB53VL~??*g2fTvX7Hv2;h7{v{N|Z?nSy08!ST!F z3X=l(IQ8FBU}p&9+&A`MoHWIGe_0lIcKeXr3ccQt80(_nG9ghLlvBziVkLpZ1QG|Y zP|FeF@hP03i2|d#-o+vhCLTw}#M^S_WV2!D!^wO3p0bPk{LS9mJeW9+JxlavGK#u} zQH76@!2gWKwzUS02P|4*?iE1iLXIQ@lRbU%;3UE zZ%*2WQnzaCCI7mYKis{$sdwJUHqKuvZZw zG1u{9VlBwUs1QsN!NRnie>`p$Qbf0$v~8(7Czal5y=T2dX1jgSdCFYAlYB928_jY# zQ_8e|l*mv)5k3jGb*;BWr#K{YVOfxI zU#=LP($|YlQ&lbshsA2Ybn*1qle_(`wWjo%xgc~Ym%uZnoKi66Te?;i)yi~6KYmQC z)wXbcgWecw0h$o{btd#lEiIp;BLQPzEiKLi!;=y?C`c#bi;Jb`xVV#6-MXz*udDh@ zTr@=Od8gL@DO{X0IB8*?;{YfY&=02JVW8{-lOO9aEu?dq%0>D1wtLt0{@H!Fy?r|6J6n4PxjNg-X7i0|=HZik>otG4K@x;H8TDFc#JU*VU?BgMwss2X zTC|W2afJo$CqSTq+>qXg?J$%oU4k`2;B-xe{Y; zVR832-W*Rcv*phdxd-~)Qw!H(o)IWdgJ-s)mqi?RW`ze0^W(rQC4p##{W;&X= zni<6z=3IebBYbovfw;IFAb|Q~oKCawBy-_fsTkmrWN3@P#+N$KMF#UpK{lY%R%nz^ zxk748G@zDX{AC0T9f7qDG;V;gf@AJj*y*%Oh!G5RFAxtVM$@+^K3%MJ*404n6hVK* z!kJK^>pIhK9;HB-gtEq3qKuB9tV5nI<*rbQ!@YwkR{+L`hNnlR{v_grecy?_MNZuJ z%!&D#PIjurx?D*6W*!kCH*oe58}^K6$COowoD&wD(kqxE+P{24J~e~!Vao~5Y}*yznH@rpxN)te255gQrIt~<=nlk+teSd#k{$&Pu^~GOKIAK%Z4lxL z-R7`1+-P`#2{)SWXzFrB6v7zLdufRnNqoVI(a`aQq=qx8VZsWX3YaT2Xax$Y4lzTC z5$L8a0Y$7ZlE85#E_`X6yNuyly20&eR@jmDF_#K1F@pum+vxC>agI_3t^y=egcQsO zBkP?LA1>53;To9TIm`}HD+-fX=%h0J)=3xl3o2-nQ0^EMZHp80jdEgsj!wM2Y#IiDO`=!um@T8 zO0(e7?5hwfqLy04czAAbLWuqvLiDZdEF~7y8ynT0vkSX#?P)YB2s^42=a8OX+L#l{ zLF}mR4^0RY+*lOh3qIWM z$PAVwHXNk=OnqziP*L2?nHuJp{dP@_!p!OjZ269M`X zB(nYA(VrWrV<9x|JO;rV;e1oH`{bt!w(m2zz!c0>3@&)l`}Z097;JAM_*52s#Gj!V 
zE;xW2dO^+9!)9OkiMu&*->-NdXUv@~=CKg>e^`wjO;&>!iSf6;coEz+3#`bW7iFXK zqC-ipGL^^lHQ79Jo=UlH=AeGH;=E}3nwg}o;M5S@foeQE6=RMP;htb+L5$&k7lo<% zlf(#)k%oX$U|J3+`=k{P4kn2K(S#W#%;@6<;D@`T4Z}@D=N!~N2l0xVf=9uYBi33NrCM_6 z7$QpKWLg7p(7gQ68PEKnQ?FcsfR2-*u z<7>v9--$l0mo87QuAbOs;gywM*z;cgr1P-9;?ue^Xx@sJDx4@~#;5hQTK(aef2Whh zpJZD9etoSEfVxz;Wr>eL+1zVCF$I>V=S8l}+D|O&1=H`{{A)k{&-PC({lwLpf6tqR z3A<7u@m%a?{cS5h{`YO}m7loqV>PHy;KGlBiHB)M{H)LOyV04@{o9eq=DNM=dB-W5 z@^Sy9T3_+1$01B;jTU|+w4Vag3bWHlXwct7gFYg)0I)`&U78vVB+tL>6OePbz_O2T zPUH$L`}ntS-esSl`#0~hPtX(oe>1B-v9%`dyA|)lT+*UXOd}!gks3FYtb&n_&}#hc zZ%SmKhZ3g!Y`*ik8A>1IE_OO%uk++w9QRdecX$7$TmC6ZG^ddcq3C;vi6ly!F@G_x zsmt(FtC26U;7#P?L7!QzE`SA~=LW-kK{+tenIuJ%J~|TmyAeU&7DJM=f2HYO;qhiy zWT?7H-CZ8+ms$lc3racawy!Svd9HtyJwM3vlVUCXYiQD3PB_(C552ve>-KZa@i5(= z@xuxF_2qkui$IhRfYyXqf3t~vbd=aj-=9<;ug{LMyW6R=gL+C|ob*;(I9UV2$zXw7 zt2C(L;V*xfO~7PNl%?<&f9{T6wEFjQBgh&>zO^z8G_tha&-Koa?%#5cwM`hQqTAi~ zV#4Fw<_T|Bjzsdd4GL^_Sor^IVwc)G-EBIJaL*F@qqvFI~i&#*G} z6x$hNM}}DjD${>^74@Kd%`=HjE9dYGSf9Q%@G3WmXM*p zoeU*r6N%YGVm9Fy@=MGn60?aiG=TEHetpI0Si$Y>(<$HC+B?YA*=9DIZ&Wi6v0_EF z(z&h03>Ki)abbX4RK3KtLpqsiJTxJkj$WTQ;Ys`$h7=}FMK=*wp;^;qeA8Bf3@hV`2KYcwYqcN=lfdADmG)oY`qP+{L}~nv zc9seUK|x;W>B{3JllUNk%fpF1U{H<@24(fW+wM0n9^a4N_6p?W)O326^MJv)bMG=s zCNY;OX+YQ$D(#qx_ zI0$U6wMO%2!QroAOTVB%S?DoDo3Io%{n~egzUUM;ZL!vV=$$#d!o5>@t5@k2+s`)* zQ98}*CnuLvhsAXfF25Z+aM_R(VA29R1Fk=Kzb{=Zh^jDG2sf*k@T9cq=c7R1e}xv% zF{LtGD;*)^xP%iz-xeQ3#0bSlx6o;qf`-tH!Y6_o9l@!9xq?cdrWh3z)>DfFUyQhf z05bwn!qM=BhDWI>x@>ZyF+YkS?;U9&13n=&l~ij(n9&j31+1%J4j>wrmS6@jqjmt& z#jq;{O{L)<+=O4Tb`@9f)5Z#de+guxDGJ(UOc*8zE`Y+!6Mn(c<-!^`m$7i+jE|nr zx`bNLa}*vjKxmY(H#(Q%Z%eplNyy0gIDyASp!t9bj1jnouoI39sY&Dv`+BtIaP;9a z|Igl)HKo!l+xPn`cHDP5sw!)I6lV|z95HSL0Rm1SiW7R`{P&xQQv=;}e>XI4bT|7O zb|@6pHLP5jm9^4DueUgZh2MlPBNdB$xc9l#R%iplC>Wnh!?e~MQGi8G<@-vrxUaOa z+>R|Yz!ix56<3E6(NW-!ji4nsi6nY#AE3uUMg5c&F=EQm`xMOu{%a}6D>~uf14sJc2O7Nz!kKbxK+}$j5O@ zGTP~(oU=7}P3D|ygIADVv&W3k=mbkGtuzpjR3L~NJ13~J7@$kye~;yV6zRlOir5x; 
zZ6f2GKbUh4XThO4Wk5-5XxkAhA;vK++DbIt%8)=f9h=RwJ+!BEOPd3-Fo0;#m7X+c zOBFhQf=TqZ=hhf{c>-ymH4e8My8V&7X!3)m+?@2#2{sY|NpWF8#mK6g@T}>!CcMFA z3eaTwqT8DMps6+%e?ysgrjLV10PJvzkxUC;5+1!sgA^G%J`H0MO)ZbUgCso?{jyA3 z4#XselM-+%N|Je?^vVJ8i<78HrKlLPDML4BhMEHp9STFIKG-{M(S}4fhu#xIgM-{h z3tu2)(4NM}r7J&H6Ol&mHmW&f-uNtzPM@5nl+2;#D7Oy`f5JYJOyuU#d{lTAO~hLc zhQ+@Qr(kgA5vj$8MMqCl{5TP=(&wEXGL|E(_>p zqkVTsHlnk!DJezcpfGe21*OdlwP!s|sm0C!E@d4@(wHL#Sad5$xz3v5wTq65QrzKN zq_rvrJI3~;eK`N?DH1702Z%Xfo030oZdvvqELt^a%_F7ICIf6F(!uN8ou9sky^uCHCK9PQu98mOhm^Oc9~ zWoZ4Bt^dm%f-H$7OCrgVNFo}{l1Q>7lA!joB$DLs{vZGUlT*&{BobOtjt(q>IOl16 z&e`wk(-pH@xV^h?=iSoj!=V)ii_SSov(A!Yox}C(%cB|isLXgcG8_jF_waXt%u+~xMG6U$%rNs#dT@#gRtK5)dVKTF zmnyY#{-Bk=+S@s}?{C?&%E|FG=KUL0(hRzYq$=PXNuhoDNN?s{pwA;Y?k9=1nY8gj z?fc(JA+e+)ZT zlgq^?{~Nm1>)U!|N0h5;C+ml+&})?M3%`aI{L?ukVUU4NZ+PK#FoF)bRA5B^EIwx3 zT(S#S&8c>8wfF>wS7o!ZFBcm#a?(i8NYXS%Gi!{LBXVg{qXDs8YIF&d05d^bu}OcX zM-7Jt9SxMA01mqFUvi$4e-qCrEJQJt2-J8z>=&v>=e0^_|9Ev>FW;Ozw(sY#r9Z#% zKc9d5Tpyjr!$beHefYdqgDp^7z1NeMEg$aq*72Lb*5_~jJJ!)5zyL!^EJ)0Zf7{Fz zFuJ|-+Rf!_?Sb~!HzP;zch5Zy&A0kS5JYHZkU#mql zuliJNZj_I{3qYoeDdePZ#Db}k9aW36!+B_e6RnoWWJ!V78W*0p8cVRg-o~E=L=`v{ zXpkVNMuKrFC=bn`JHgRC1Vi<|v_FOR{ZLR)$PwL%2q?*Il+NA#3qR>@)_3Z6E8XYb z<(i*9d>7Wt1r7eCf2cyvQZN@iJ|#3s^hTc>+p0FO$5{;Z# zf|e?}rrS5RmU8@NK4D-UDn^M^gW?8)1v-k&_?TULU3)H=R!s9MnSL) zw0|#X=R%i33LhW;Z894&+s79V7-4Yo2{Q12td)Sw*7By%DQ*_(yVZ+YtGlL`UpIa> zFe25pS~E*2(Z;#(6SBXLi_%F>DGpHyZW%6SxR~K$3|v%3Ybg{9gvImtu&DE|t<~*= zb-8@re2{xve+TN~aVo*$1%gHVEvG{`tvHk5Mmn}guqXz3Rm!-GFJ`!y;bIE7C>T?E zP~<)c7%$=jW9Q`QVtb`uZ(nx~WEAfD_aPPs7*h^@&J`II7aAYIM&(pxz?cDJ z28?kWY0ET7C2U}X@iIOzZXIqt+??#zPu89;OMB(^e`tWG>5fJ(YcNT@^RO@3H z7=KcPkrKxla}Xs@kO5-`j2SS-0Y;5p7)NJ1kTG7x2gd7-o#UrkEoX|SAnrDf&hH+@ z+0O>X9~5D9nt@eHW`r@r#S9nIz(qQo2f9cXgp1elagjgnHjkQzN4fRp-V5yHotDc} zsaY)$e=h!<5F_0Hr3>L1U(9eZ!^Ko^(Snhr4itoo?fAI(xO}kw^18BX&E>^G;jYl! 
zy6e<_HZK082&2?=?^8l{^pXK%28{86ae`d3B`FZ#fqCbh_`uj`-$HM*+_QVF-L84;uUwh$vHe{~P^)`2O&zt|u>s<1rT&m>043|OPG z)bn2rjiE~=g^wr4Hj)zs3l{f~Bh5&wXT;j521k?QXMEt4n;YwVjJws7pLY%|jy}Px z&zy35V?dY8JkR#=g)`5%G8rI453DwNlOUYaxH;HpmahwY{Wj-!FWda6Sz37OtUarY zf8kOHOKEc>);ZmHPS~xmR1(HC&Y=)43+Mc1(>zbFWj3$lm-#G$3CCF2UDZ@U&fD>+~2qUNx%n(@`-96lEH5$#me`zo=RFkmLrB$1%0*Nw~6i7(xlOgHX!>WWF zjAsRNq|u_KV``*liS$QExlpy#I40uIdqmfr)AUtAkT}i^EjpjpgycVb6Lz5|roYC0 zI?)e^E&3sHx4rIF^Xwtls+~P_doLl%AMIvqcnhSX`!V6`=dB+ETuitzsihT0BDk** zqi_4__}ll4ziwUMo?kDo=z4GC>277c^|G2OrJ2K*2?YTge@v=G6=MU}MN8D{;~Q8g z=}94#W=i6w4BEis+Chx^&B6|(zF`MjL&Ii#Qb+Ta?ZG|Lee9hz|8#0Mwevv_|KN7a zwVO}P_W#|qy6r}@_viWY;Q^LBX~W{r=2GcT?WXbPp?3bK{zhfI@7?dIbv7+@cvEEx zf(O4`?kGIq4C9|*nD zr>SB=xOqog+jM#&I!u%oqnaSf0DyWc4D>Y}Ul0MFCZ#h@HIIPlF_X_pWgPvo5Wgo8 zVtna?eJrn!=<9!{qXGchO$8()Zj7&E&9|@KjG=BffS$9*fq!%C(ZvTQ0LO~tIRJcu z^Z$EZyCuf!2`3#;aU?#d6y|T|vOnw?jg8B1aIQkvBfZ8}VnQEe0#K3LV`oaU1R2~x&X$r1arC}JSzyQ(ml^Au%6NiSB+(y zE2ZUF*)uBgLFRVxP{CTIo$}RjPM^Ol_ilUqtlT?n-CnwbZuO#D*=Irgg(}RUqsr0v zqI(G7(_sH(FK$pb2(&@}(Q?Swo3 zZhk!7y46OVSFZ0?ub<_9=j7%&_njw82x*2HUw>|9Ms%ioH|2R+4T2fUbjRgAT;7X$ zN+BsC{b8g;Mnq?VNzW-Q43`RRHutTyL3_euN)T>oLv^LOj#2$hDx7X?5!snge7KsN zBxz!UjxIx81)ZEx_XX_mmTQf{EhHZh6IN(taU%;N8+v0=eVLL9P7K-q@FGk1rRhwZ8Gv z$Sr!>O$0vzM`iI8m3KF|5X@-Lk`knvYJXUNdAtvT6uQa2_)+*X{d~@M!SwiVW>9l*e_@5oAfLicz-|x zL51Pajz!v)$wP-uvq2M&9dr&XTC3TnR(k_bM?fPDzGNv-$xV8yeaWRfP`Q-nF_-Qt zo7}y`TOeZelJC%n$(;g27M~8G83!52h7xF;_iuXkX1}Yh%3Ei-{LQA?-Mm=z8|Ay5+#p{pF1k1&3~L&@Nki4xTl?oRA3&b@`$TlD97XF!6%G2}d{C{`a@=d1hIz2@avpPwu^F^bG9LVpKBDrpUcH952M z3KeNjYh-0ibEX{iCLs9{-=i!;cR?V7Bi=rKc>^B@-3_L)P*KK>-d_lRW>C9`t^%Sb zJPeKuop;M6u6wjr2LBo-GH)#~#*Nbk9V$I6;KXquON9<7)7GJ-ia`~?0|0dS0Xt zen`k8^au!z0a)t-)wxOus`Fg6>kpUL2U>Rbb$O|`-My+*?td5Euv_lY`Hs;7w9znp zW&4Mn0FhdrLdKk#^~|ilzdjBL(7)7Rn1vB2oB9AKrRehH{K$nl07~W1VDi{ae*hFb zw}0#WC#~MR4;CfvQZW$CXB(`4?f55n+@?PMNee#~g9?S7{wM>uOtlKU;+dcxSM|Kv zE*6h_t>w0C!+$+;$jgg#6)L`+3jL(BAC7a#q>HX?oiU+*hY7ufYY}6uM7LM#;b`*o 
zXFnmihclf01m;FA(AiIL|E4|r2^+s@&wj#Y`0pJ3q}H3XM=RaQoYToqN;@I#otie3 zEPy5_T7NeB>YJhd8LyoJj_Kc3q0nWVQ39V1jUZrs5I!n3vhN|Fod0-E)Mgom1vFz$qm|qPloXe zAh@TDvJyKiwdBH=9QOej_$0zvB~sAx{a9Xqet(@V4qA9Aainn=CDI183ceGkcV!$T zc*aw?WsPws+!VRjGG+lzUt+ z+!Y!RX8ZZ>WNo#*x!?gFB;TI0T64`w{)&Bl^;-^$Mj*rAQAv8H?F4n=XeJYS(j~b! z$bTYY8h~!)seqF%s`DveP|S|JEioqPC(!{TCnqYk_iiQk_`0!M&70NR`t|yW**e_2 z^zY}BjY^5}-5WUAs9flkm;B0V`OyD{s_GY8rh4#V@(-K2I`2HKt~`BjQ3ge1FAdcD zZQ&oPz=exhp@XUho~2Coae??Gv;$-=M1PRE8TEkq@JfwrFm&B6N_*0CxT37&bi-CL zHLM*19+DJF8gcj!x~?Mn017lRN-5Fr;X)z#85JY>fA+4eDRrca{*|eDH`VvcBdDN) zig)FOLO_s%a#0ZdYX1ATH^)oBgan8h&S`3DW{OMFCY{x5uf2P1E2tqtP+_bg+JDA4 zp!TpM442vxZ1X!?p{c0mXqJMOxmev2=YT?K4ASL98ZnE_5&StUVg?38B!&2EY6Zi> z7lww1hM>zYjW?Wxk4Ghz&;VzHD0TXdGI%~<_F(c30wY7BYqs!ys!6p2V}zRN`^hv+ zA6Te?)!+{DSb`?}MFMT*;ZK!Rsefq`PXo`NoqQmHPQ@rGoBKdOBu*u2M!?85CoFoe zH~G<@zfNWXYpn)$JLR3Y#Kn1i*iiffFwjD*c<)}(fWgRM7(kljN>l3-TCFzm=N@ih zWK8yG5m(Mb*II!sUIg5$=o>Nr#!`$fC9Got&PFY8?bYTTfhWu;tRezjp+)dt8#%x< zq;yqy)jFjd`-sUv_41$;pYmV)da_q-n!grTrQzN+e>T^d!g^DFPCZQNa|mXUP=|{X z4Sgg1$=V>wKl`1RP!Rzie?Je12NuGzRe%3OX&*bMn-gK0!Ga@$gx!Oq_{f1^rTuR?3jFWmk!o8ox?IZy$>CF7tf%l6J-hxC6mF7T6(WQ!|Xs z2#)~She8)G%`gZEs{#bIFHIakB-~℘2SJsqFt?sj)68=qhK0j4a**N^w) zc(dI&JNdtgo5=>iF^qX*JF5tsR^ zo2^1^P`SM>XTQzDds&&*2oFLH?5_tGz_1zY#ORZ9tjp!NUwEaOwz+>QEtekdl-7*l z{+3u0Ev(%@yS1cIb`39uje9b~}=|Hk}79VhOo43399K9qhnmgF3 zb#knIs8UYWV4``_a)W;a$wIBO|GfN~yQTHdC#c z%ezjY&GPk!!u3vJYKwIHdH?YAe)m$8>fMdqXL?%-tb$BTltQ4^PC>vNqdmf+hKRrO$aJDl(9q)hb>yzB$@XGYl?)^NU z@xub-Stikd6sIFGGXqPLJZm+~a?Yfq{IBo*os{3nvjN|Z1)bqlw7!`(1Dy(%J#A#L zI(rcxIT);6F@oX7$Xt zk`rfvSE6AvoDfK2G6>3OfT!GNeO6F9xpfg>c@HbX&h=)$epK1LEVj1ycb|(_e-BtL zrJrs!M&B);PMz}0{Za&{cJ}QzKro7Eh~iXWb?ar96cqtN3J>^4UL^@jmC19LU=;x( zG~fLd7AoPh6kng_=Yn)59KM(g4Fx4dmpl_33SPyBue;vn=y<1faI@Xh#qD0EIXrzD zrkA!A0W2Tx)WkWOaQ}9Tw{TDZ=TgL9H?W5A`Z--8g$%mH#76B9%jt?5u-J>ge z`KUIU`N~OoKX=sKy5^TF76B=L%GdR+Om*X>OiQK8@bGN+Vf$d{U-s)oJ-%w1`t?;o z)rPcxv-B&|dV>!WU|O>zT#x_z{S>dW%1y5jS@u2@FX)U&0m{aLt1S 
zr|bB9>GpKo%Vjh5Bei*$D>cj6+se6@^cMjw0oRuz7y&B>wOhXFZOF}+R2Tsvf7RmC zrK?`4JZ`tLCDmsQ`qaM?V-lPeiEM4T#J3#f4`S)={IU+ij+&FK+PomhFohcKw#^iyL~2f2J{R za>GgbdL?^1zo;{ALeE0d&uZdmf07E~i{9qsh@ zUtU=5?rirU+2)tuU)colh2cai!8w~}T(+9fga!u6LcB(avZ9ga>2C3=Z8Le^_p`#l}FKJ4S)uY28&np(wgX{ zin^2N4}ob9MlB^Gn&l)tf7RySNq80n?!gmO6PRmyO%#(k878h_f}k`MwD30;Sorr3 zs@a|XiM@H+ksDdkt7psiXA0Z7XG)_ zTNVOBRK+#+P@4w3r87(k$=CBMI8&2hN+c^W|Jp5|VG6#tKb2rge`++Z7Yj>^r9x`D z+Qs_Y@=L+jZRz|{QuvVyvJ{?PqA;5zaAz9WN$w^-S+dRH`9^nd<3TmJ%AH-(ykWid zCQIv-Us6Egg^*E(#f~XCru6oDO+Eky8-WgzYFe;fKD`uD9JxYzDX@4mMd_vB@hzKP z3cG&GrkBF*@XutIe-ax_(pM|loB2h_rG%b@q@UEJp(F*)VVtPYP4n;~|)LMYg_t7S)IC+_fF(&F4b-srvX>f2nr;H0bGUvpLH5Z|-&W zp~^G))3WGg{~jW>l($%K(5-JgRyTY+`FkA30#5v+T^guSxF0##XRH+;J~Fkf%E?Wk zb+IwHKNc@ta#7gNrab17T6pM+BmhF;5=`6l0CISmFfEx8oH1W(?{w!f zH^swozRkv^f6UqNAZrF$V@s~CQJs&IMo#5 z6pr0dS0qedsxArKo)+Cf!?7jDmfl{@aKjmHIKz!V&CnTcIKz!s<`mjaRl>BVCU_%B zXMv>LX!r1DxHq`b&z(-u@`v_mWk2n_X?{_YfAJvjAuv;wRYrf+rrTuPHmn9}M;LWA zO|S1c;^fRW795~6+n8Ebo!Q3wYdy_2=9S{$wN@cLNAKdV`kgy98tkw}R#pz4OZ%Jm zm1EmX`>L-vEbPXhnroPEf9U#UmoOWP@}67uU*B`9zH{36p4^gi+Hg)A^Cr?tv&=bd zf21d|ByiEU_v{2;$|S~)sB(r1I6wWdmIlvkn{D+mh_m19c3 z-*ZgKIc)?T&pB;;eCnJw;#Z=lC9C9|HWv7HEY=k2v;o0DIBUW(dn*G;Q+I)^(y&L3 z?VmIY8@=7?#>Vc+<9#{hP8$$3c*+=Uf8hdY;MTLO$#{ZtYm_x`m3;lD6L;Dm9>IhX zF~%sYLH^8}K09q-S8Spq+bLJ8q(z%=BVqJV+QXGfO92a-WiviKTzUfAKPXG279>38GRicp zS{^-!hZ$u7OQ|qeArKICQR7*v6ychoZotW>u*(_=%c#FoMKGKs_pJZ#5XZ?R7a@_2b}8w>F%F@IX1t zWRDmVz)N6?e8~QIVXHm=q?^p|@pLry=|cPg5#2`UJjK`N8M+|%nFC;Rl53oCF41Qz z2*CRB0qo}S_H~1khuFjcjJR|8WJ2e+IA;xM_H6 z%*@DA24DyPifBWlwr`~x!JHTr^zAQ(j!?1L@Nlu&LI5Z<3#LAU_{gz4ygz>|>(&Kn zncSH<<^#EDQZ6<_xbHzw4U~ZkCLvUx-o_vZ_o#+@!T>##=Hc~tF#@O1yu6?u+-#$X z;v9D;%YeK*=N=$D#8#4^Vz$G481{-9f+}GxiF6pdC>5U$Rb6gAc5chr?N+~kvC*E2 zlH_rV*0K**r;Xlu!?qvk8OuzugR53kHg|PltDtW>TiIIcXl%x#vT>}R&Z?6rC zwVhN7!{kKB5{vzp$RGhOe+Ph)Md!mOYy;sP#wP(ZW<8sbL=%CXimf5q#yFt%CuE~YY6BxYJzg2#G1wC2>#q)SRgf#l<=uFjA5A`<1k!9 zI0TC{-f$8=9+g<|$E>l`Oy5z4Ua)pjOP~QPNpyuN-cNv50vDJOe^^PU52s=J2+FiJ 
z7$(KapTJ)vh`{PYE@4@jQhAwy=g&?)kPIeCjN#3DAeex;U>78|E4S473m{-n&;cU@$Tm1_~xCO|4I8wc5m=d$@&>G1;Rp~A%Qa9?50 z&BXI3kn}$+uywiE%#VN72cmjcuCT+=cID!!wdSNBV1{ana|h-lR+@ye{)WDh{_>F^ z)<655H`X7{=zXb@Ff#VOcbQ-XIgfODaisr`CjE0cz=}T)e+UT{g0oeB|5Gg;Ola3o z&V|$>xH#`IK6DPYa#uW)J3G&k-syI|S?yonC#$q3pJx`Dc#IIOtuj(Vm^rZ|7n@YIlO=J-=~3o0%LNmZU zOy}2OSrpo}QgdKiQ{DH9?e_3wcjx&`7Y?bcKLhj{?FieN5H_dMI+ZrY0i8Dwkj42VQFi$Z%guKi!-(JbY1I=)|&H6g8jH* zUK?18e-z^>)@Z5G3@u|K+m|@b|3`CvC(;IdI~I0^i?qVdzWs)sN<*w5eOq08$oUi> zIXj&ZQAdqR<9wsmKd2mYaliR(`K@KEVF~wO0mKCy7Felfkdtyx15Jh)#7G9KWhip4 zD$?S<0VW_AVz`?wmO{&|HCmF$($`|HvU9(Ge{^zC9X7`Y{p)Rg@?1)$QUPM`DZ#aSK7)L@#U^M7!c?{R#% zk(+npV!vd@PcJuT6?6UceAK2XCu%_KJ^0%pkjKh<+<-WRH^Oia;v$Nj=7d!%?LGWr ze{q&URA}MzDD=^0Xw{IM%`e;xN+jF6K9<`ySC!2Z#&hjI17IYnXDE;oc}pK=g*qWE`7+e z$J*1=cClM2?iD(0y*a-m#v>E}flDhnf0<*`_T%cTf~bTD9a$3QIR78b`JFf$@aWlp>VZ(bf6j{4 z+-7myx+)fr3WHj%`1c^@QYz|JWAxo3>eMN}+=NLe8qTOF`rgRkq|G6Tj|%e(pHu2# z0>Kzou`1lf&oJPdLIojJyvq7jEleOlMvRBA z=!GdT9Yf$*1FuTY%QAXposRI$#JLy}GqNlF+swL?ifJjyzMBRaqC8}*o!^`s@62^K zj#hcw9eulOyScq7w;?HKf1or&ofS%Q=aK<_hHU&&GKx}>+PqgQ#K|;8(%Kv4bYaoS z{z-3tSBg6(o7;P`xA@TEPcfZnf9t4ux}duoJF+epxbA6JyZdW&qQ4wnhQy-ho+i}w z6&Jv;ID@GT-_<0yu}^LIrYpG}VQMceVaRK$BxA+Z(sSF@3}3iDe}8tby>u9Lpb^Rx zx`^`^@43^D@y>f@oGoF2E7;vXorsixI_DsehB{oe;Tt2>CO)J5PEsSRS$?Cd;rBGZ z57+QVu3&yc--v<*9HEcd#4%+WoNzW$3^~D{yriyF=>{WNo<21;wl7=Vr`}VebIMou zv{ilmW47s&Rsjy7e=&|*?zH!biA__ZBtzC@D+F)CnzsuP*ImbG!R;({YEAmzMsL9_ z8J9pY78`GBT5zY%ZsZo+scScS3+{}~{j46`6PwP2JC^^qHQ`QQw~?E0PYgn)gDz#3 z`EGEu;xAo)vc&qipEY*Bd>~{_ipLRE9n=OAi7FY`J!SYDXM0SYc=Np$e z1JW?&eNnh##g;0z^!h4L4aaE1&5ZV>4l9#PK^(OWH&akhaS`L)eW#}lcl!KBZNr_l zextVG&fMb9>BBv_=}daPCcB;Q)QEdRcVW_Zb>e6;9n2}SrJRyDry0E{>!v(&x?AS; zBj)NS}&_opsjEBC)nWlc+KBf8&J_8~L zWkOgTvigBAZV8|PcZxK?sHjs#o$@~obfj7jPEblSqlAUHlBkU16kZ8oX7Rse%>K?v z#<=yyLa{U^miEkX(3K{uws9VUtOS#gfdoET=mmdTP>F*$8cPCW@3ga8T7gSE<^(AP z9ScFt#qqW>#q%3{r094i5a1My@~nZddPt|l;GHj)T{+un0`5E{KP07rv@Vp>6JDyK zouv8@+-WVi=S&rIoJk+G{GG&IP?UeCxMetNc2*1~+5RP3XeQH}O4V(7xo=MFQ|r9( 
zw0wVIx(C~R*HD}1cG~5>)qx{h2?sq7&6;t+KT8fK!Khe9iHfC_;I9P#>+97C0R`1a z%b;Cloc!In zYyC!bFJ+G<*yx!bAXqu+&)=o|r?(d^KXlHHxp}qC( zvac>rHuT=^PNTlaW{XKVx{T4Vs`q~`EOy!N9n^02Y7wUVG3CWle)uyRHF%@R?-V(N z5%icVj~=a~`OZ^&rM&zZ)e7lHZLH}Z-wXwR=_Zxr9n~(Ef zS87jne>zoQQK?-MA}dwJjp%Sy#f^ditBM;{#f@?IcsA|UE@F@!D0?rogpwgs?bh?< z8PxIe_04&2xwdukc(l^Kp4<9eZ+%$l=67OHnxcn7?UXqwA_WAe&u&fen}(7jD*p8R zw~9YiMK^}9BUVK>vInb*Zd89oH%8ms87;bz$Cs3$@LA4MYm_Yv(duILTb*rvJ-BRb zT)XYoLi?v%U!QWmq?igIf2ELIDV$=S@bgoPcc?&+(Ktf(t%=@LTAc6*mV@dS*4?Nm zQ$?9xUsc_W@wh-$ccZGikviB61V&bMH}V*hO8)r|V}jtp(^{G8qg#J0&zNdE{UvvG zc)YspE@fk>d%yCq?`NDbS&!}Z6bi$TXnZ zH&V@pRo#uM?#2sq%51C3t>ZE^E^?_nYubA_Xq=qxZ3C~&Na@Ddq1a~H5EoS z>A-S}0}Vb!?W)IQP49nObweo6sVRF=)s2ccRmAD_RaM=ns&3?n)vD^opVw?w-Nc;f=mMquKkdRFyOJ9G>lcmnNzW=@6KkXmx zH=1WVE4ONU`E<6)(hRwl@Hb^E8%af#hN4PU(T%F;Mpbm<&#NlB@n^iM=*Itjky2(? zc4bydZ+v>v*SGStX~kVXX>+r8Dvx^g&EqGCn!BqhFS>y%A7Brea8wi3IQHg$doH`7 zak#mL&LeE(y-9x;-7q#Fn<^Ff0JGO7g*T-X-B3&!>v>_!@=1SNZ?d`m;?A->5oZe* zUk}==Q65yEQyX&YJO z($Isd&SawpBocH{n~EOahe&}?vcCW0x^?B7-PYyR*ZqInv-`=S$3gr0xHDn+a3BuQ z$GJ4h;=gh5kOH@wJE*LhOQo}G_Bi7@-i!_(40OXAsCJO&pfEfIKDY}!H-pcH-_#ppuyLZeqI<3xD zZU5?5t0{lg#lmq62YdUsp%xF);lgAwfz4N1N*D2b{d3g5j2^o1d_TnXv4Ms73v{|# z=0T;`;1L~?{bU1}$jjm4%6Q|_3)`=h2e4bYal!otKRrIW{Jpz#e137ep{E_dD7Z#h z4{gO+VR*6^pd_P`B%?Q1)+Q%5Z2;zhU=#!~(*RjkS%cC({m#gdWp0L2kXdcaKsy9# z@KoHW51}?)UM%0uk93JPeZ*-JL3G> zGR>KcNhm>)ctT>j4p75@IiE2e*A&wyyz|_}cU0hh;Pg&vJi~B z_KhZ`ChCzlU10T~!IC`-Cbv~AA0W4K|?kYyaW!tq~UIKe5G zKr;aqe{7}x_~TA3^&T#M-3oax=dXW#SpD&L;`Gvk(~|_jF~G)W$J=&%XTNip&*_t& zdFAxkd_Cd_$>L(KoF0?M_0zhd^nWv@&z10Fem#Zo4+U1^e*cra#46%s959m#00f1W zr9oq(JTxx!FZ+DI+21_8JnmJ)-wS)e?jBhtv$TEaA!*P7cOa{wTiwo*<>%1{PHwsuKvy$I6U)luBYMePz;}o|^ z+pG_aB)$#-#dUTgh{N!e3srkv{B01Vpz%q=m7#7ER9&2>7-n-m^MYCcEC$hB7~S&l zu>JklW_SJKXmfS-;$Ur#FNnjBC20owl$nIz`EMg>T0;l%8X*-~XgxJMlF6F-0p0|+ zca~C0Rf&uu5jf_V7f=SEo>CHQVnF;&Kr6Ok#Gx%7P(g=={$nV)#^LrPt(aV6C=WFf zqv2Uf)Wd}q%@mhRL#yH#QBL8PXEgz4f0=U!bOCc3)Y4l#fV0K@Cni6fU{u^fYAm1> 
z@x*T*fC5`h#;vftVwnv#LKy3erQ?QU5nDY*N%NXfE{cKc$kM6CY4g5U{dJ2@WA-N_5*Gu?j&(*8uZ`e}IjR zrvm4U#x~*DIL=DM_v^qbtc=Dk^E_e3&E$5VhRLEseko zU>cXslba0ZsRXnd2*2=l8pWeMBf-{jvZ7y<|)R&(alSYNQr)Aa}7bT zczz7eLn6sBid*$MexLU|)rdkmYUTWM6dVZ3}hb;!I;y--b?HRnP#bPqaSxW2Hq_k4|tBBHUvpHE;61| zOYcI|OHOGb7DupfJU}TYsj7^_b#w7tYrIKP9=Z*4oC0);MsopW^(X~J1HW#3LQrxD zP%pH^HM3He$VJBEIS4`xe<}nq6vI)x39gA9cOfhmyTyT`WEx-wXM`Ee6B+pi+8PM2 zhD@f^=HiVF!ipiBdjnyP;}_qE08|*f6*$0bnd&Xm;I0umyIm}K6mg=`L$KD%tNA;< z^ZLoz&)RWgQJ?JH*UsGe_WhKr`HBIBH61qGc*yQ}>^X2dzzGy#e`PdjRAOF{%#{xP zlkcoq4qs^{(I{F2JdaEXjJXtJBz=Tg%51@LB)5K2%O{T$xtWV%HY+XvFVgb0bY(O1Y(uW{1@F@u0A=@Di z+}dKfleeXqO_<2Zp!`tkWQjP2$u8H+b`pOF39*UBg`i^~^i+=90!u|Po1OT1E7(n3 z3C^ij9JG081D*}p-tx1&iIJ*hNy$w`V8Nc=M0-SVZ2bcvEA0$44vLi=OL*^zL$SA)Vx)&w zV<_H*Q#1z`Y2{1@Jc*ReW|+;WV)g-I*g^9LsJ#V4zPl@}etCm~+wOk(-d^}}+3%fp z_HVu%_WJ+2f4J`S?@snRU)uZonEuW6m;e2;cZ(msx&GG$xy|~$E+%*M<)+gbZBA*?6soKB5J*e(wrVs4Hzd*A)8%(p#t&AV>fE8z!kNv#;jcADlf-5pPxIRl%o;+Z1!talcaL8*;2KxS{7X{5N=s zS&jFF&#}lzm6=QHsE{&Q@Y8VlcX?bszIix!I{x`^DsIjin|A%`VE2CN!!DQ$yrtHq z;7Fe8f6T;j*+9+s09;N9wQvD>%b}=}BZhM^0Mm*JD7t9Wa|P3{gUt#|LuD6X>1#&5 zLeD4m<=SxdjVAta(tZIdj123JDm)4nw=R%1MpA_hGP+aTQ!!2ljOvd%a^`Vky-AvP zoPwUA=)6&F09(e_=q#mF7|*!YETY(kZ>vBVe-8bf%rVAL;AY{7A|U66(t`XZN(>h8 zQdS8|{vfIqFUpv-95g*?$ig6{cSgzkDM;# zEA_5KKA#S(#|kQZp3=NUa(O6A?6y zIviL{X-dNR5-Eoo>xENKRgFoEu|%>Ie`d_W2yN%ds8PKBlyQh#rl@w5rfvf9@tpPw z!j2F?P+hwcSBx?ksdqV9Zz3iYdI6@$`$i^1jq9LGbvO56ZC)@6ugM#mn4fbBmsWdE zaK*}0Pz=}4aA1dFUM926!kWz9Q9usW0x5yagk_Wf45VbVT=5OYMghRE62?;Ve~F<4 z!zXcDnOW`uVux|MPHEhBr#!d))x6nX+geX z5N`W6>|1?@B$tKo&;l2%;(yfN+4b)Y^sz7O1tGj zX?@Li7v~#Gi}$;~oBi7NX7`Xke@;6nv3x^ld4;=N&2z{GyJ%7zDTAmKS%sG<2XJ}q zA~AjyD$N`!iP1kjTxW$@=);hMN#Lqfj>4p3QoB4Rt=+6{->mO#-p)7G)y4Mj`qKC2 z`qX1mK2e$`Ombmm2VFU5DopxYFex)q)Jf^N&L~p6S00m=es!L%)Pk4me{$)#zj-eo zR(9O9V-l1%?Q<|mOj3EviWQYXN`Oh&Ily=$DWxMc!X-h98w$*-nA1$7)R3PJM2dBa z1dfJG@IFwXEDM|*H$@}8mKM@QJ zG3-=ifQeAIF7gR5T-SuPe;3bMJcJ%u|9JZ49{Uknsf1_YKyVBMJizL^aU&~!l|Fg9Tu 
zJ|P8dSN4}#d3>J{jHB!;z{$d9@s5iD6Xilk2}in!JX!I053|R1fBZp@=_JNx%sM#~ za9k07Nn#vd@%NeS6ZZN_53Vm8PbC}5iy940VWmEE9X*;B#}OIIf?&><#fY(m!4YK~ z%w#xQ$lQ8r9?aOzgeQu&St&Rc6R<2h3U5ZWeK1~dJVwHS%#L5>oBt$6VOz0-3u__A z_}_123=!?d>iuhm(!Z4&j5L1;H$`}#a2|Xh)p`|vH-Ei-&-)-Cabvb;x zua8a;e__ci%>SEj^-dWn{k(1;92~K)&sl7rirC(5Dl1q%Wn&9PNz1KXRaRmq)Cr0# z+sT}IPySG6e;Yh}?1g(`zZo{3>}{@FJG$I#s8dK6u5rwo2=G>J>5&v59nuRi)E}ES z#F`;phIF43=~zS|ZIX*ZRez*YwSKu@`PSEGh4W^!c=DXz&5N`nox=WFe7HD?=tD;U zvUyRR#EC>J9TR{V)MZfj$)OIJ3z6n4aR%n6Kho*&f9~)yZ=MfJxA{iy`{BuX;fifI z(rr>uM-8$8Objz+NS7hq=R-PYQJrCiM+t5dS(a=5P`7u+x~E~iaaHV9YR!Yk_UUVB z|0AK!r$AtEKp@hrLW&eQsx!Pb`WU4LOplV-8QQ;oQ0MH4Rsm{v5=NB}Mj7)Ss6&ou ztM%C0e`KV~fGov8<}`#AEYB^6MN2OKm~J95R!obZW&!FIYIh~Zcy)i^6URH-2lRHk z_>UF)g`MJ4UpD$_2R_Y_YZu2E6=ht-v@nDs0l=QYnIs_q{nixY>3{+h04Tsw6j^N( zx{GFnfkWU^VD5_Qxw;q`@TC{{a!yNF!SdX+e+?~$d`qtXDCl!CJRlh`MK#SN+9ekS!N~RT_QO@9Y97)qkj9h^&{WVva?07Ht_A|1(N>^fmlljI+uH2{J{EAx zQF_`a$*4#Y0D^ZAIA>!w6U3(DvFDJMM`Dks*twRh4Ed~@n@(3f85%Q81f?_Lu8oS7Ts#zK~;#A02`AN#tue0QgIy;qT!olrdU+6%u}E#>+j z&)fj?p;Q!wO@{biuB-oQ1(_R^cV*I=WD(y6!(NuTNpt1~)ifnxoX;O5jjhizH%ngO zx-vJ4!68OQWS<|Bx%o0&zg23riXA}7t+!c9K<{dKs7S$vA2xWcQ)ywfW$dNnX1P*m nl Date: Mon, 21 Oct 2024 14:50:05 +0200 Subject: [PATCH 52/94] resman README --- fast/stages/1-resman/README.md | 210 ++++++++++++++------------------- 1 file changed, 90 insertions(+), 120 deletions(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 21318c5a5b..74814aa42b 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -14,11 +14,13 @@ The following diagram is a high level reference of the resources created and man - [Design overview and choices](#design-overview-and-choices) - - [Resource management primitives](#resource-management-primitives) -- [Stage 2](#stage-2) -- [Stage 3](#stage-3) -- [Top-level folders](#top-level-folders) -- [Project factory](#project-factory) +- [Resource management primitives](#resource-management-primitives) + - [Top-level folders](#top-level-folders) + - [Stage 2](#stage-2) + - [Stage 3](#stage-3) + - [Project (and hierarchy) factory](#project-and-hierarchy-factory) +- [Other design considerations](#other-design-considerations) + - [Secure tags](#secure-tags) - [Multitenancy](#multitenancy) - [Workload Identity Federation and CI/CD](#workload-identity-federation-and-cicd) - [How to run this stage](#how-to-run-this-stage) @@ -26,11 +28,6 @@ The following diagram is a high level reference of the resources created and man - [Impersonating the automation service account](#impersonating-the-automation-service-account) - [Variable configuration](#variable-configuration) - [Running the stage](#running-the-stage) -- [Customizations](#customizations) - - [Toggling features](#toggling-features) - - [Top-level folder management](#top-level-folder-management) - - [Secure tags](#secure-tags) - - [IAM](#iam) - [Files](#files) - [Variables](#variables) - [Outputs](#outputs) 
@@ -38,23 +35,25 @@ The following diagram is a high level reference of the resources created and man ## Design overview and choices -This stage is designed to offer a good amount of flexibility in designing the organizational hierarchy, while still providing a default approach that we've seen working well for a variety of customers where the hierarchy is logically split in two different areas: +This stage is designed to offer a good amount of flexibility in laying out the organizational hierarchy, while still providing a default approach that we've seen working across different types of users and organizations. -- core or shared resources (e.g. Networking) are grouped in dedicated top-level folders, which allow centralized management by dedicated teams -- team or application resources are grouped under one or more top-level "teams" folders, and typically host managed services (storage, etc.) which centralize access and billing for each individual team or application +The default design provided here splits the hierarchy in two different logical areas: -This split approach usually allow concise mapping of functional and operational patterns to IAM roles and GCP-specific constructs: +- core or shared resources (e.g. networking) which are grouped in dedicated top-level folders that implement centralized management by dedicated teams +- team or application resources which are grouped under one or more top-level "teams" folders, and typically host managed services (storage, etc.) billed and controlled by their distributed teams -- core services are clearly separated, with very few touchpoints where IAM and security policies need to be applied (typically their top-level folder) -- new sets of core services (e.g. 
shared GKE clusters) are added as a unit, minimizing operational complexity -- team and application resources outside of centralized management are grouped together, providing a unified view and easy budgeting/cost-allocation -- automation for core resources can be segregated via separate service accounts and buckets for each stage, minimizing blast radius +This split approach allows concise mapping of functional and operational patterns to IAM roles and GCP-specific constructs: + +- core services are clearly separated, providing few touchpoints where IAM and security policies need to be applied (typically their top-level folder) +- new sets of core services (fleets of VMs, shared GKE clusters, etc.) are added as a unit, minimizing operational complexity +- team and application resources not subject to centralized management are grouped together, providing a unified view and easy budgeting/cost-allocation +- automation for core resources is segregated via separate service accounts and buckets for each area (shared service, application) effectively minimizing blast radius Resource names follow the FAST convention discussed in the [Bootstrap stage documentation](../0-bootstrap/README.md#naming). ## Resource management primitives -This stage allows a certain degree of free-form hierarchy design, contstraining it via a set of primitives that implement specific FAST functionality. +This stage allows a certain degree of free-form hierarchy design on top of instead of the default layout, by providing a set of high level primitives that implement specific FAST functionality: top-level folders, centralized stage 2, environment-level stage 3 for shared services, and the project factory. ### Top-level folders 
@@ -63,29 +62,91 @@ Top-level folders, as indicated by their name, are folders directly attached to Top-level folders support the full interface of the [folder module](../../../modules/folder/), and can fit in the FAST design in different ways: - as supporting folders for the project factory, by granting high level permissions to its service accounts via IAM and tag bindings (see the ["Teams" example in the data folder](./data/top-level-folders/teams.yaml)) -- as hierarchy and IAM grouping nodes for environment-specific stage 3 folder (see the ["GCVE" example in the data folder](./data/top-level-folders/gcve.yaml)) - as standalone folders to support custom usage, with or without associated IaC resources (see the ["Sandbox" exanple in the data folder](./data/top-level-folders/sandbox.yaml)) -- as grouping nodes for all stage 2, for example via a "Shared Services" top-level folder configured set as the `folder_config.parent_id` attribute for networking and security stages +- as grouping nodes for the environment-specific stage 3 folders (see the ["GCVE" example in the data folder](./data/top-level-folders/gcve.yaml)) +- as a grouping node for stage 2s, for example via a "Shared Services" top-level folder set as the `folder_config.parent_id` attribute for networking and security stages Top-level folders support context-based expansion for service accounts and organization-level tags, which can be referenced by name (e.g. `project-factory` to refer to the project factory service accounts). This allows writing portable organization-independent YAML that can be shared across different FAST installations. ### Stage 2 -FAST stage 2s implement core infrastructure or services which are shared across the organization, and are directly supported here via a fixed set that includes the networking stage, the security stage, and the org-wide hierarchy and project factory. +FAST stage 2s implement core infrastructure services shared across the organization. 
In the FAST design networking, security, network security and the project factory are defined as stage 2. + +FAST stage 2s are typically managed by dedicated teams, they implement environment separation internally due to the complexity of their designs, and provide resources and specific IAM permissions to other shared services implemented as stage 3s (e.g. Shared VPC networks, IAM delegated grants on host projects/subnets or KMS keys). + +The default configuration enables all stage 2s except network security. Each stage can be customized via a set of variable-level attributes: + +- `short_name` defines the name used for the stage IaC buckets and service accounts +- `cicd_config` turns on CI/CD configuration and generates the workflow file for the stage +- `folder_config` controls whether environment-level folders are created under the stage main folder (e.g. `Networking/Development`), allows defining additional IAM bindings on the main folder, or changing its name and parent + +Folder configuration is only available for networking and security stages, as the project factory and network security stages are "folderless", using top-level folders or organization-level resources. + +Each stage creates its own tag value in the `context` key, which is used by FAST for conditional roles at the organization level (`context/networking`, `context/project-factory` etc.). The tag value is assigned to the stage's folder, and can be applied to other folders to enable specific functionality, as described further down for the project factory. + +Think of stage 2s as "named stages" which have specific ties and privileges on the organization. Due to their complexity and the potential need for custom changes, they are implemented in code via dedicated terraform resources each in a stage file (e.g. `stage2-networking.tf`). 
+ +### Stage 3 + +FAST stage 3s are designed to host shared infrastructure that leverages core services from stage 2 (networking, encryption keys, etc.), has limited access to the organization, and is partitioned (or "cloned") by environment. + +As shared services they are still managed by dedicated teams, but principals and permissions might differ between environments. Most stage 3s leverage folders (environment-level project factories are the exception), where the stage root folder is created via top-level folders configuration, and the lower level environment folders are part of the stage. + +Configuration can be done either via Terraform variables or factory YAML files. The second option is used by default, providing a set of factory files for top-level folders and stage 3s that mirror the legacy FAST hierarchy implemented via code. -All of these stages are optional, they are enabled by default but can easily be turned off -- and then turned on when needed -- to avoid having supporting resources (service accounts, buckets, IAM) created. +Stage 3 configuration is similar to the stage 2 one described above except for a few differences. Each stage defined in the `fast_stage_3` map: -Configuration of these stages is via the `fast_stage2` variable, which is set by default for maximum compatibility with previous FAST versions. +- can define an arbitrary name in the map key, which is used for the stage's output files and internal context-based substitutions +- needs to define an environment which is present in the bootstrap `environment_names` definition +- can define organization-level IAM bindings that are conditional to the stage tag value, or an arbitrary one defined in configuration +- can define stage 2-level tag bindings that are effective only on the stage 2 resources matching the same environment -## Stage 3 +> TODO: examples from data, make sure the add IAM for GCVE etc. 
there -## Project factory +### Project (and hierarchy) factory -Top-level folders for teams or departments can be easily created via the `top_level_folders` variable or the associated factory, which expose the full power of the underlying [folder module](../../../modules/folder/). +Despite being itself a stage 2 (and potentially one or more environment-specific stage 3), the project factory is an important primitive to shape the lower level resource hierarchy which implements folder and project management. -The suggestion is to use this feature sparingly so as to keep the top level of the hierarchy simple, and minimize changes to this stage due to its security implications. One approach is to create a grouping folder (e.g. `Departments` or `Teams`) here, and delegate management of lower level folders to the [project factory](../2-project-factory/) stage. +By default FAST offers a single organization-wide project factory with the following characteristics: -Top-level folders also support defining associated resources for automation, and auto-created provider files to bootstrap Infrastructure and Code. An example is provided below. 
+- any top-level folder with the suitable set of roles can be managed as a sub-hierarchy tree by the project factory (see the ["Teams" definition](./data/top-level-folders/teams.yaml) in the data folder) +- organization policy management on its folders and projects by the project factory only requires binding the `context/project-factory` tag value +- networking-related project configuration is available by default, the project factory can grant a limited set of roles on network resources, and attach service projects to VPC host projects +- security-related project configuration is available by default, the project factory can grant the KMS encrypt/decrypt role on centralized KMS key in the security stage + +If environment-specific project factories are desirable, they can be configured as stage 3 as the examples in the stage3 data folder show. + +## Other design considerations + +### Secure tags + +This stage manages [Secure Tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) at the organization level, via two sets of keys and values: + +- a default set of tags used by FAST itself in specific IAM conditions that allow automation service accounts to gain organization-level privileges or specific access to parts of the resource management hierarchy +- an optional set of user-defined tags that can be used in organization policy or IAM conditions + +The first set of default tags cannot be overridden and defines the following keys and values (key names can be changed via the `tag_names` variable): + +- `context` to identify parts of the resource hierarchy, with `data`, `gke`, `networking`, `sandbox`, `security` and `teams` values +- `environment` to identify folders and projects belonging to specific environments, with `development` and `production` values + +The second set is optional and allows defining a custom tag hierarchy, including IAM bindings that can refer to specific identities, or to the internally defined automation 
service accounts via their names, like in the following example: + +```tfvars +tags = { + my-custom-tag = { + values = { + eggs = {} + spam = { + description = "Example tag value." + iam = { + "roles/resourcemanager.tagUser" = ["sandbox"] + } + } + } + } +} +``` ### Multitenancy @@ -143,8 +204,6 @@ Variables in this stage -- like most other FAST stages -- are broadly divided in - variables which refer to resources managed by previous stage, which are prepopulated here via the `0-bootstrap.auto.tfvars.json` file linked or copied above - and finally variables that optionally control this stage's behaviour and customizations, and can to be set in a custom `terraform.tfvars` file -The latter set is explained in the [Customization](#customizations) sections below, and the full list can be found in the [Variables](#variables) table at the bottom of this document. - Note that the `outputs_location` variable is disabled by default, you need to explicitly set it in your `terraform.tfvars` file if you want output files to be generated by this stage. This is a sample `terraform.tfvars` that configures it, refer to the [bootstrap stage documentation](../0-bootstrap/README.md#output-files-and-cross-stage-variables) for more details: ```tfvars 
@@ -160,95 +219,6 @@ terraform init terraform apply ``` -## Customizations - -### Toggling features - -Some FAST features used here and by the following stages can be enabled or disabled using the `fast_features` variables. - -The `fast_features` variable consists of 5 toggles: - -- **`data_platform`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-data-platform](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-data-platform) stage -- **`gcve`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gcve](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gcve) stage -- **`gke`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gke-multitenant](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gke-multitenant) stage -- **`project_factory`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [2-project-factory](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/2-project-factory) stage -- **`sandbox`** controls the creation of a "Sandbox" top level folder with relaxed policies, intended for sandbox environments where users can experiment -- **`teams`** controls the creation of the top level "Teams" folder used by the [teams feature in resman](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/1-resman#team-folders). - -### Top-level folder management - -The `top_level_folders` variable and associated factory allow simple definition of additional top-level folders, and associated configurations. - -The following is an example that creates two folders via tfvars, and also configures the factory to define additional folders via YAML. 
Folders defined via the variable or factory files support the same interface of the [folder module](../../../modules/folder/). - -```tfvars -factories_config = { - top_level_folders = "~/fast-config/data/1-resman/folders" -} -top_level_folders = { - test-1 = { - name = "Test 1" - iam = { - "roles/viewer" = [ - "group:test-1-viewers@example.org" - ] - } - } - test-2 = { - # disable creation of the automation SA and bucket - automation = { - enable = false - } - name = "Test 2" - } -} -``` - -```yaml -# ~/fast-config/data/1-resman/folders/test-4.yaml -name: Test 4 -automation: null -iam: - roles/browser: - - domain:example.org -``` - -### Secure tags - -This stage manages [Secure Tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) at the organization level, via two sets of keys and values: - -- a default set of tags used by FAST itself in specific IAM conditions that allow automation service accounts to gain organization-level privileges or specific access to parts of the resource management hierarchy -- an optional set of user-defined tags that can be used in organization policy or IAM conditions - -The first set of default tags cannot be overridden and defines the following keys and values (key names can be changed via the `tag_names` variable): - -- `context` to identify parts of the resource hierarchy, with `data`, `gke`, `networking`, `sandbox`, `security` and `teams` values -- `environment` to identify folders and projects belonging to specific environments, with `development` and `production` values - -The second set is optional and allows defining a custom tag hierarchy, including IAM bindings that can refer to specific identities, or to the internally defined automation service accounts via their names, like in the following example: - -```tfvars -tags = { - my-custom-tag = { - values = { - eggs = {} - spam = { - description = "Example tag value." 
- iam = { - "roles/resourcemanager.tagUser" = ["sandbox"] - } - } - } - } -} -``` - -### IAM - -The `folder_iam` variable can be used to manage authoritative bindings for all top-level folders. For additional control, IAM roles can be easily edited in the relevant `branch-xxx.tf` file, following the best practice outlined in the [bootstrap stage](../0-bootstrap#customizations) documentation of separating user-level and service-account level IAM policies through the IAM-related variables (`iam`, `iam_bindings`, `iam_bindings_additive`) of the relevant modules. - -A full reference of IAM roles managed by this stage [is available here](./IAM.md). - ## Files From 93ff64e5f48c1132f9cd8ec9bc07f0c0aa464e2b Mon Sep 17 00:00:00 2001 
From: Ludo Date: Wed, 23 Oct 2024 14:42:37 +0200 Subject: [PATCH 53/94] fix stage 2 IAM delegation --- .../custom-roles/gcve_network_viewer.yaml | 21 ++++++ .../data/custom-roles/project_iam_viewer.yaml | 24 +++++++ .../data/stage-3/data-platform-dev.yaml | 1 + .../1-resman/data/stage-3/gcve-dev.yaml | 9 +++ .../1-resman/data/stage-3/gcve-prod.yaml | 8 +++ .../stages/1-resman/data/stage-3/gke-dev.yaml | 8 +++ .../1-resman/data/stage-3/gke-prod.yaml | 7 ++ .../data/stage-3/project-factory-dev.yaml | 6 ++ .../data/stage-3/project-factory-prod.yaml | 7 +- fast/stages/1-resman/main.tf | 9 --- fast/stages/1-resman/outputs.tf | 38 +++++++++-- .../1-resman/schemas/fast-stage3.schema.json | 3 +- fast/stages/1-resman/stage-2-networking.tf | 45 +----------- fast/stages/1-resman/stage-2-security.tf | 2 +- fast/stages/1-resman/stage-3.tf | 5 +- fast/stages/1-resman/variables-fast.tf | 1 + fast/stages/1-resman/variables-stages.tf | 8 +++ fast/stages/2-networking-a-simple/README.md | 13 ++-- fast/stages/2-networking-a-simple/main.tf | 31 +++++---- fast/stages/2-networking-a-simple/net-dev.tf | 68 ++++++++----------- .../2-networking-a-simple/net-landing.tf | 10 +-- fast/stages/2-networking-a-simple/net-prod.tf | 67 ++++++++---------- .../2-networking-a-simple/variables-fast.tf | 33 ++++++--- fast/stages/2-networking-b-nva/README.md | 19 +++--- fast/stages/2-networking-b-nva/main.tf | 46 ++++--------- fast/stages/2-networking-b-nva/net-dev.tf | 43 +++++------- fast/stages/2-networking-b-nva/net-landing.tf | 17 ++--- fast/stages/2-networking-b-nva/net-prod.tf | 42 +++++------- .../2-networking-b-nva/nva-regional-vpc.tf | 12 ++++ fast/stages/2-networking-b-nva/nva-simple.tf | 12 ++++ .../2-networking-b-nva/variables-fast.tf | 35 +++++++--- .../2-networking-c-separate-envs/README.md | 19 +++--- .../2-networking-c-separate-envs/main.tf | 26 ++++--- .../2-networking-c-separate-envs/net-dev.tf | 49 ++++++------- .../2-networking-c-separate-envs/net-prod.tf | 48 ++++++------- 
.../variables-fast.tf | 35 +++++++--- fast/stages/2-security/README.md | 10 +-- fast/stages/2-security/core-dev.tf | 20 ++++++ fast/stages/2-security/core-prod.tf | 20 ++++++ fast/stages/2-security/main.tf | 9 +++ fast/stages/2-security/variables-fast.tf | 23 +++++++ 41 files changed, 529 insertions(+), 380 deletions(-) create mode 100644 fast/stages/0-bootstrap/data/custom-roles/gcve_network_viewer.yaml create mode 100644 fast/stages/0-bootstrap/data/custom-roles/project_iam_viewer.yaml diff --git a/fast/stages/0-bootstrap/data/custom-roles/gcve_network_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/gcve_network_viewer.yaml new file mode 100644 index 0000000000..f2ee447895 --- /dev/null +++ b/fast/stages/0-bootstrap/data/custom-roles/gcve_network_viewer.yaml @@ -0,0 +1,21 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/custom-role.schema.json + +name: gcveNetworkViewer +includedPermissions: + - vmwareengine.networkPeerings.get + - vmwareengine.networkPeerings.list + - vmwareengine.operations.get diff --git a/fast/stages/0-bootstrap/data/custom-roles/project_iam_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/project_iam_viewer.yaml new file mode 100644 index 0000000000..a1966e4922 --- /dev/null +++ b/fast/stages/0-bootstrap/data/custom-roles/project_iam_viewer.yaml 
@@ -0,0 +1,24 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../schemas/custom-role.schema.json +# this is used by the plan-only admin SA + +name: projectIAMViewer +includedPermissions: +- iam.policybindings.get +- iam.policybindings.list +- resourcemanager.projects.get +- resourcemanager.projects.getIamPolicy +- resourcemanager.projects.searchPolicyBindings diff --git a/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml b/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml index 5b150cac27..246f381eed 100644 --- a/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml +++ b/fast/stages/1-resman/data/stage-3/data-platform-dev.yaml @@ -15,6 +15,7 @@ # yaml-language-server: $schema=../../schemas/fast-stage3.schema.json short_name: dp +environment: dev folder_config: name: Development parent_id: data-platform diff --git a/fast/stages/1-resman/data/stage-3/gcve-dev.yaml b/fast/stages/1-resman/data/stage-3/gcve-dev.yaml index 769e20ff5e..e36796dee9 100644 --- a/fast/stages/1-resman/data/stage-3/gcve-dev.yaml +++ b/fast/stages/1-resman/data/stage-3/gcve-dev.yaml @@ -15,6 +15,15 @@ # yaml-language-server: $schema=../../schemas/fast-stage3.schema.json short_name: gcve +environment: dev folder_config: name: Development parent_id: gcve +stage2_iam: + networking: + iam_admin_delegated: true + sa_roles: + ro: + - gcve_network_viewer + rw: + - gcve_network_admin \ No newline at end of file 
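Review bot: The header comment `# this is used by the plan-only admin SA` in project_iam_viewer.yaml does not match how this commit binds the role. net-dev.tf and net-prod.tf grant it to `iam_viewer_principals`, which outputs.tf fills with the read-only service accounts of stage 3s that set `iam_admin_delegated`. I would reword it to `# granted on stage 2 projects to the read-only service accounts of stage 3s with delegated IAM admin`. The permission list items also appear flush left here while gcve_network_viewer.yaml in the same commit indents them, so one style should be used in both role files.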
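Review bot: `iam_admin_delegated: true` under `stage2_iam.networking` in gcve-dev.yaml adds the GCVE read-write service account to the principals that receive the conditional `roles/resourcemanager.projectIamAdmin` binding on the dev networking host project (net-dev.tf in this commit), on top of `gcve_network_admin`. The GKE stage files only set `sa_roles`, so it is worth confirming that GCVE really has to grant the delegated network roles itself. If it does not, drop the flag here and in gcve-prod.yaml so the service account is limited to the listed roles. Both GCVE files also end without a trailing newline (`\ No newline at end of file`), which this same commit fixes for project-factory-prod.yaml.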
diff --git a/fast/stages/1-resman/data/stage-3/gcve-prod.yaml b/fast/stages/1-resman/data/stage-3/gcve-prod.yaml index e203be07b5..7890640900 100644 --- a/fast/stages/1-resman/data/stage-3/gcve-prod.yaml +++ b/fast/stages/1-resman/data/stage-3/gcve-prod.yaml @@ -19,3 +19,11 @@ environment: prod folder_config: name: Production parent_id: gcve +stage2_iam: + networking: + iam_admin_delegated: true + sa_roles: + ro: + - gcve_network_viewer + rw: + - gcve_network_admin \ No newline at end of file diff --git a/fast/stages/1-resman/data/stage-3/gke-dev.yaml b/fast/stages/1-resman/data/stage-3/gke-dev.yaml index 69d7a9c77e..bd9501e326 100644 --- a/fast/stages/1-resman/data/stage-3/gke-dev.yaml +++ b/fast/stages/1-resman/data/stage-3/gke-dev.yaml @@ -15,6 +15,14 @@ # yaml-language-server: $schema=../../schemas/fast-stage3.schema.json short_name: gke +environment: dev folder_config: name: Development parent_id: gke +stage2_iam: + networking: + sa_roles: + ro: + - roles/dns.reader + rw: + - roles/dns.admin diff --git a/fast/stages/1-resman/data/stage-3/gke-prod.yaml b/fast/stages/1-resman/data/stage-3/gke-prod.yaml index 52975045ab..97b5396a9c 100644 --- a/fast/stages/1-resman/data/stage-3/gke-prod.yaml +++ b/fast/stages/1-resman/data/stage-3/gke-prod.yaml @@ -19,3 +19,10 @@ environment: prod folder_config: name: Production parent_id: gke +stage2_iam: + networking: + sa_roles: + ro: + - roles/dns.reader + rw: + - roles/dns.admin diff --git a/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml b/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml index 9571302336..e99aa60d13 100644 --- a/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml +++ b/fast/stages/1-resman/data/stage-3/project-factory-dev.yaml @@ -15,3 +15,9 @@ # yaml-language-server: $schema=../../schemas/fast-stage3.schema.json short_name: pf +environment: dev +stage2_iam: + networking: + iam_admin_delegated: true + security: + iam_admin_delegated: true 
diff --git a/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml b/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml index 8366bd7c3c..bc6b3eb7e3 100644 --- a/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml +++ b/fast/stages/1-resman/data/stage-3/project-factory-prod.yaml @@ -15,4 +15,9 @@ # yaml-language-server: $schema=../../schemas/fast-stage3.schema.json short_name: pf -environment: prod \ No newline at end of file +environment: prod +stage2_iam: + networking: + iam_admin_delegated: true + security: + iam_admin_delegated: true diff --git a/fast/stages/1-resman/main.tf b/fast/stages/1-resman/main.tf index 773ef09db9..84d1db29dd 100644 --- a/fast/stages/1-resman/main.tf +++ b/fast/stages/1-resman/main.tf @@ -24,15 +24,6 @@ locals { ? "MULTI_REGIONAL" : "REGIONAL" ) - iam_stage2_condition = <<-END - resource.matchTag( - '${local.tag_root}/${var.tag_names.environment}', '%s' - ) - && - api.getAttribute( - 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s] - ) - END identity_providers = coalesce( try(var.automation.federated_identity_providers, null), {} ) diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf index 5361c79523..9104100714 100644 --- a/fast/stages/1-resman/outputs.tf +++ b/fast/stages/1-resman/outputs.tf 
@@ -38,11 +38,39 @@ locals { ) tfvars = { environment_names = var.environment_names - folder_ids = local.folder_ids - service_accounts = local.service_accounts - tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } - tag_names = var.tag_names - tag_values = { for k, v in try(local.tag_values, {}) : k => v.id } + stage_config = merge( + { + for k, v in local.stage3 : k => { + environment = v.environment + short_name = v.short_name + } + }, + { + for k, v in var.fast_stage_2 : k => { + short_name = v.short_name + # rw service accounts for stage 3s that need delegated IAM on stage 2s + iam_delegated_principals = { + for ek, ev in var.environment_names : ek => [ + for sk, sv in local.stage3 : + "serviceAccount:${local.stage_service_accounts[sk]}" + if sv.environment == ek && try(sv.stage2_iam[k].iam_admin_delegated, false) + ] + } + iam_viewer_principals = { + for ek, ev in var.environment_names : ek => [ + for sk, sv in local.stage3 : + "serviceAccount:${local.stage_service_accounts["${sk}-r"]}" + if sv.environment == ek && try(sv.stage2_iam[k].iam_admin_delegated, false) + ] + } + } if v.enabled == true + } + ) + folder_ids = local.folder_ids + service_accounts = local.service_accounts + tag_keys = { for k, v in try(local.tag_keys, {}) : k => v.id } + tag_names = var.tag_names + tag_values = { for k, v in try(local.tag_values, {}) : k => v.id } } } diff --git a/fast/stages/1-resman/schemas/fast-stage3.schema.json b/fast/stages/1-resman/schemas/fast-stage3.schema.json index fc32808314..80bbad7495 100644 --- a/fast/stages/1-resman/schemas/fast-stage3.schema.json +++ b/fast/stages/1-resman/schemas/fast-stage3.schema.json @@ -4,7 +4,8 @@ "type": "object", "additionalProperties": false, "required": [ - "short_name" + "short_name", + "environment" ], "properties": { "short_name": { diff --git a/fast/stages/1-resman/stage-2-networking.tf b/fast/stages/1-resman/stage-2-networking.tf index d6f429a574..ae8243c349 100644 
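Review bot: In the `iam_viewer_principals` block of `stage_config`, `local.stage_service_accounts["${sk}-r"]` is indexed directly, so a stage 3 without a read-only service account entry would fail the whole output with an invalid-index error. Whether every stage 3 has a `-r` key is not visible in this hunk. The block also has no comment, unlike the read-write one above it, and it is not obvious that both lists are selected by the same `iam_admin_delegated` flag. I would add `# ro service accounts of the same stage 3s, granted the project IAM viewer role in stage 2` above it. Since these lists decide who receives `roles/resourcemanager.projectIamAdmin` downstream, the fact that `merge()` silently lets a stage 2 key replace a stage 3 entry of the same name also deserves a comment or a precondition.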
--- a/fast/stages/1-resman/stage-2-networking.tf +++ b/fast/stages/1-resman/stage-2-networking.tf @@ -15,15 +15,6 @@ */ locals { - # IAM roles stage 3 service accounts can be assigned on networking - net_s3_delegated = join(",", formatlist("'%s'", [ - "roles/composer.sharedVpcAgent", - "roles/compute.networkUser", - "roles/compute.networkViewer", - "roles/container.hostServiceAgentUser", - "roles/multiclusterservicediscovery.serviceAgent", - "roles/vpcaccess.user", - ])) # normalize IAM bindings for stage 3 service accounts net_s3_iam = !var.fast_stage_2.networking.enabled ? {} : { for v in local.stage3_iam_in_stage2 : "${v.role}:${v.env}" => ( @@ -126,44 +117,10 @@ module "net-folder" { } } }, - # stage 3 dev delegated iam admin - { - stage3_delegated_grant_dev = { - role = "roles/resourcemanager.projectIamAdmin" - members = [ - for k, v in local.stage3 : module.stage3-sa-rw[k].iam_email - if v.environment == "dev" && v.stage2_iam.networking.iam_admin_delegated - ] - condition = { - expression = format( - local.iam_stage2_condition, - "development", - local.net_s3_delegated - ) - title = "stage 3 project delegated admin dev" - } - } - }, - # stage 3 prod delegated iam admin - { - stage3_delegated_grant_prod = { - role = "roles/resourcemanager.projectIamAdmin" - members = [ - for k, v in local.stage3 : module.stage3-sa-rw[k].iam_email - if v.environment == "prod" && v.stage2_iam.networking.iam_admin_delegated - ] - condition = { - expression = format( - local.iam_stage2_condition, "production", local.net_s3_delegated - ) - title = "stage 3 project delegated admin prod" - } - } - }, # stage 3 roles { for k, v in local.net_s3_iam : k => { - role = split(":", k)[0] + role = lookup(var.custom_roles, split(":", k)[0], split(":", k)[0]) members = v condition = { title = "stage 3 ${split(":", k)[1]}" diff --git a/fast/stages/1-resman/stage-2-security.tf b/fast/stages/1-resman/stage-2-security.tf index 6ae20503b8..db978c4940 100644 
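Review bot: `lookup(var.custom_roles, split(":", k)[0], split(":", k)[0])` in the `# stage 3 roles` bindings returns null, not the fallback, when the key exists in `custom_roles` with a null value. This commit declares `gcve_network_viewer` as `optional(string)` next to the already optional `gcve_network_admin`, and gcve-dev.yaml and gcve-prod.yaml now reference both short names. An unset custom role would therefore probably surface as a binding with a null role rather than a clear error; the same expression is added in stage-2-security.tf. Wrapping it keeps the fallback effective: `role = coalesce(lookup(var.custom_roles, split(":", k)[0], null), split(":", k)[0])`. The enclosing `module "net-folder"` block starts and ends outside the hunk.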
--- a/fast/stages/1-resman/stage-2-security.tf +++ b/fast/stages/1-resman/stage-2-security.tf @@ -83,7 +83,7 @@ module "sec-folder" { # stage 3 IAM bindings use conditions based on environment { for k, v in local.sec_s3_iam : k => { - role = split(":", k)[0] + role = lookup(var.custom_roles, split(":", k)[0], split(":", k)[0]) members = v condition = { title = "stage 3 ${split(":", k)[1]}" diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf index 365da5b9e9..2776ced6da 100644 --- a/fast/stages/1-resman/stage-3.tf +++ b/fast/stages/1-resman/stage-3.tf @@ -34,8 +34,9 @@ locals { # normalize factory data attributes with defaults and nulls { for k, v in local._stage3 : k => { - short_name = v.short_name - environment = try(v.environment, "dev") + short_name = v.short_name + environment = try(v.environment, "dev") + implements_stage = try(v.implements_stage, null) cicd_config = lookup(v, "cicd_config", null) == null ? null : { identity_provider = v.cicd_config.identity_provider repository = merge(v.cicd_config.repository, { diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf index 6698eb0442..065a74c560 100644 --- a/fast/stages/1-resman/variables-fast.tf +++ b/fast/stages/1-resman/variables-fast.tf @@ -58,6 +58,7 @@ variable "custom_roles" { service_project_network_admin = string storage_viewer = string gcve_network_admin = optional(string) + gcve_network_viewer = optional(string) network_firewall_policies_admin = optional(string) ngfw_enterprise_admin = optional(string) ngfw_enterprise_viewer = optional(string) diff --git a/fast/stages/1-resman/variables-stages.tf b/fast/stages/1-resman/variables-stages.tf index d3d244a8ef..c9184174ac 100644 --- a/fast/stages/1-resman/variables-stages.tf +++ b/fast/stages/1-resman/variables-stages.tf 
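Review bot: `environment = try(v.environment, "dev")` in the normalized stage 3 map in stage-3.tf keeps a silent default, even though this commit makes `environment` required in fast-stage3.schema.json. After this change the environment also selects which service accounts land in `iam_delegated_principals` (outputs.tf), so a definition that omits the field is treated as dev when the delegated IAM principals are computed. Unless variable-defined stages rely on the fallback, which is not visible here, I would use `environment = v.environment` so a missing value fails at plan time. The `locals` block continues outside the hunk.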
@@ -148,6 +148,14 @@ variable "fast_stage_3" { ]) error_message = "Invalid environment value." } + validation { + condition = alltrue([ + for k, v in var.fast_stage_3 : v.implements_stage == null || contains( + ["gcve", "gke", "data-platform"], coalesce(v.implements_stage, "-") + ) + ]) + error_message = "Only existing stage 3s can be implemented, or no stage (null)." + } validation { condition = alltrue([ for k, v in var.fast_stage_3 : diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 84e72d16d2..93c6a54a86 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
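Review bot: The new `implements_stage` validation reports `Only existing stage 3s can be implemented, or no stage (null).` without naming the accepted values, so a user has to read the source to fix a typo. `error_message = "implements_stage must be null or one of: gcve, gke, data-platform."` would be clearer. The `coalesce(v.implements_stage, "-")` next to the explicit null test also deserves a short comment such as `# coalesce guards contains() because both operands of || are evaluated`, if that is indeed the reason. This check only covers `var.fast_stage_3`; values from the YAML factory are normalized in stage-3.tf with `try(v.implements_stage, null)` and would need the JSON schema to constrain them.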
@@ -483,22 +483,23 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [environment_names](variables-fast.tf#L40) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L59) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [prefix](variables-fast.tf#L69) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L49) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | +| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. 
| bool | | false | | | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L49) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | | [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L79) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | | -| [tag_values](variables-fast.tf#L94) | Root-level tag values. | map(string) | | {} | 1-resman | +| [stage_config](variables-fast.tf#L93) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L107) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf index 0e5e99e7ec..771b5c093f 100644 --- a/fast/stages/2-networking-a-simple/main.tf +++ b/fast/stages/2-networking-a-simple/main.tf 
@@ -18,26 +18,24 @@ locals { env_tag_values = { - for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + for k, v in var.environment_names : + k => var.tag_values["environment/${v}"] } has_env_folders = var.folder_ids.networking-dev != null - service_accounts = { - for k, v in coalesce(var.service_accounts, {}) : - k => "serviceAccount:${v}" if v != null - } - spoke_connection = coalesce( - var.spoke_configs.peering_configs != null ? "peering" : null, - var.spoke_configs.vpn_configs != null ? "vpn" : null, - var.spoke_configs.ncc_configs != null ? "ncc" : null, - ) - stage3_sas_delegated_grants = [ + iam_delegated = join(",", formatlist("'%s'", [ "roles/composer.sharedVpcAgent", "roles/compute.networkUser", "roles/compute.networkViewer", "roles/container.hostServiceAgentUser", "roles/multiclusterservicediscovery.serviceAgent", "roles/vpcaccess.user", - ] + ])) + iam_delegated_principals = try( + var.stage_config["networking"].iam_delegated_principals, {} + ) + iam_viewer_principals = try( + var.stage_config["networking"].iam_viewer_principals, {} + ) # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), @@ -45,6 +43,15 @@ locals { values(module.landing-vpc.subnet_regions), values(module.prod-spoke-vpc.subnet_regions), )) + service_accounts = { + for k, v in coalesce(var.service_accounts, {}) : + k => "serviceAccount:${v}" if v != null + } + spoke_connection = coalesce( + var.spoke_configs.peering_configs != null ? "peering" : null, + var.spoke_configs.vpn_configs != null ? "vpn" : null, + var.spoke_configs.ncc_configs != null ? "ncc" : null, + ) } module "folder" { diff --git a/fast/stages/2-networking-a-simple/net-dev.tf b/fast/stages/2-networking-a-simple/net-dev.tf index 9166b38ce9..aaa9d76878 100644 --- a/fast/stages/2-networking-a-simple/net-dev.tf +++ b/fast/stages/2-networking-a-simple/net-dev.tf 
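Review bot: `iam_delegated` in `locals` replaces `stage3_sas_delegated_grants` with a less descriptive name and no comment, although it is the allow-list that bounds what holders of the conditional `roles/resourcemanager.projectIamAdmin` binding may grant. I would add `# roles that delegated stage 3 principals can grant or revoke (modifiedGrantsByRole allow-list)` above it, so a later edit to the list is recognized as a change to the privilege boundary. The `try(var.stage_config["networking"]..., {})` wrappers look redundant, since the variable added in variables-fast.tf declares `{}` defaults for both attributes. Plain attribute access would surface a malformed input instead of hiding it.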
@@ -25,54 +25,42 @@ module "dev-spoke-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat( - [ - "container.googleapis.com", - "compute.googleapis.com", - "dns.googleapis.com", - "iap.googleapis.com", - "networkmanagement.googleapis.com", - "networksecurity.googleapis.com", - "servicenetworking.googleapis.com", - "stackdriver.googleapis.com", - "vpcaccess.googleapis.com" - ], - ( - var.fast_features.gcve - ? ["vmwareengine.googleapis.com"] - : [] - ) - ) + services = [ + "container.googleapis.com", + "compute.googleapis.com", + "dns.googleapis.com", + "iap.googleapis.com", + "networkmanagement.googleapis.com", + "networksecurity.googleapis.com", + "servicenetworking.googleapis.com", + "stackdriver.googleapis.com", + "vpcaccess.googleapis.com", + "vmwareengine.googleapis.com" + ] shared_vpc_host_config = { enabled = true } metric_scopes = [module.landing-project.project_id] + # optionally delegate a fixed set of IAM roles to selected principals iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-dev, null), - ]) + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["dev"], []) } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition = { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) + iam_bindings = ( + lookup(local.iam_delegated_principals, "dev", null) == null ? 
{} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["dev"], []) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "${var.environment_names["dev"]} host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } } } - } + ) tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["dev"] } diff --git a/fast/stages/2-networking-a-simple/net-landing.tf b/fast/stages/2-networking-a-simple/net-landing.tf index a9afac1fe4..67e1c9d920 100644 --- a/fast/stages/2-networking-a-simple/net-landing.tf +++ b/fast/stages/2-networking-a-simple/net-landing.tf @@ -25,18 +25,14 @@ module "landing-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat([ + services = [ "compute.googleapis.com", "dns.googleapis.com", "iap.googleapis.com", + "networkconnectivity.googleapis.com", "networkmanagement.googleapis.com", "stackdriver.googleapis.com" - ], ( - local.spoke_connection == "ncc" - ? ["networkconnectivity.googleapis.com"] - : [] - ) - ) + ] shared_vpc_host_config = { enabled = true } diff --git a/fast/stages/2-networking-a-simple/net-prod.tf b/fast/stages/2-networking-a-simple/net-prod.tf index 52f646da02..ea5a628782 100644 --- a/fast/stages/2-networking-a-simple/net-prod.tf +++ b/fast/stages/2-networking-a-simple/net-prod.tf 
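Review bot: The guard `lookup(local.iam_delegated_principals, "dev", null) == null` in `iam_bindings` only skips the binding when the `dev` key is absent, but outputs.tf in 1-resman emits every environment key with a possibly empty list. In that case `sa_delegated_grants` is still created with `members = []`, which may fail or leave an empty authoritative binding, depending on how the project module handles it. Testing the list instead avoids that: `length(try(local.iam_delegated_principals["dev"], [])) == 0 ? {} : {`. The same guard is used for `prod` in net-prod.tf, and `module "dev-spoke-project"` starts and ends outside the hunk.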
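Review bot: `networkconnectivity.googleapis.com` is now enabled in the landing project for every topology, where it used to be added only when `local.spoke_connection == "ncc"`. net-dev.tf and net-prod.tf do the same with `vmwareengine.googleapis.com`, previously gated by `var.fast_features.gcve`. If this is deliberate, a one-line comment above `services` giving the reason would help the next reader. Otherwise keeping the conditions leaves unused APIs switched off in the shared VPC host projects.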
@@ -25,53 +25,42 @@ module "prod-spoke-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat( - [ - "container.googleapis.com", - "compute.googleapis.com", - "dns.googleapis.com", - "iap.googleapis.com", - "networkmanagement.googleapis.com", - "networksecurity.googleapis.com", - "servicenetworking.googleapis.com", - "stackdriver.googleapis.com", - "vpcaccess.googleapis.com" - ], - ( - var.fast_features.gcve - ? ["vmwareengine.googleapis.com"] - : [] - ) - ) + services = [ + "container.googleapis.com", + "compute.googleapis.com", + "dns.googleapis.com", + "iap.googleapis.com", + "networkmanagement.googleapis.com", + "networksecurity.googleapis.com", + "servicenetworking.googleapis.com", + "stackdriver.googleapis.com", + "vpcaccess.googleapis.com", + "vmwareengine.googleapis.com" + ] shared_vpc_host_config = { enabled = true } metric_scopes = [module.landing-project.project_id] + # optionally delegate a fixed set of IAM roles to selected principals iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-prod, null), - ]) + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["prod"], []) } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition = { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) + iam_bindings = ( + lookup(local.iam_delegated_principals, "prod", null) == null ? 
{} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["prod"], []) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "${var.environment_names["prod"]} host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } } } - } + ) tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["prod"] } diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index cd92198ed6..4a45eb7721 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf @@ -37,6 +37,15 @@ variable "billing_account" { } } +variable "custom_roles" { + # tfdoc:variable:source 0-bootstrap + description = "Custom roles defined at the org level, in key => id format." + type = object({ + project_iam_viewer = string + }) + default = null +} + variable "environment_names" { # tfdoc:variable:source 1-resman description = "Long environment names." @@ -46,16 +55,6 @@ variable "environment_names" { }) } -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - variable "folder_ids" { # tfdoc:variable:source 1-resman description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." 
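Review bot: `variable "custom_roles"` is declared with `default = null`, but net-dev.tf and net-prod.tf in this commit dereference `var.custom_roles.project_iam_viewer` as an `iam` map key, which fails when the variable is left unset. Since the role is needed for the stage to plan, I would drop the default so the variable is required, or keep it optional and guard the two `iam` entries. The README table updated in this commit lists it as not required with a `null` default, so it would need the same change.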
@@ -91,6 +90,20 @@ variable "service_accounts" { default = null } +variable "stage_config" { + # tfdoc:variable:source 1-resman + description = "FAST stage configuration." + type = object({ + networking = optional(object({ + short_name = optional(string) + iam_delegated_principals = optional(map(list(string)), {}) + iam_viewer_principals = optional(map(list(string)), {}) + }), {}) + }) + default = {} + nullable = false +} + variable "tag_values" { # tfdoc:variable:source 1-resman description = "Root-level tag values." diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index 606287340e..c72c70b436 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md @@ -529,7 +529,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | | [test-resources.tf](./test-resources.tf) | Temporary instances for testing | | | -| [variables-fast.tf](./variables-fast.tf) | None | | | +| [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | 
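Review bot: The `stage_config` description in 2-networking-a-simple/variables-fast.tf, "FAST stage configuration.", does not say that every principal under `networking.iam_delegated_principals` receives a conditional `roles/resourcemanager.projectIamAdmin` binding on the matching environment's project, which is the most sensitive effect of this input. I would spell that out, e.g. `description = "FAST stage configuration. Principals in iam_delegated_principals get conditional projectIamAdmin on the per-environment project; iam_viewer_principals get the project IAM viewer custom role."`. The map keys are only read as `"dev"` and `"prod"` in the visible net-*.tf hunks, so a key spelled any other way is silently ignored; a `validation` block restricting the keys would surface that. The same variable is added in 2-networking-b-nva and 2-networking-c-separate-envs, and with a `security` attribute in 2-security.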
@@ -537,25 +537,26 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L49) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. 
| object({…}) | | {…} | | | [create_test_instances](variables.tf#L42) | Enables the creation of test VMs in each VPC, useful to test and troubleshoot connectivity. | bool | | false | | +| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L48) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L58) | Deploy Cloud NAT. | bool | | false | | | [essential_contacts](variables.tf#L65) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L71) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [gcp_ranges](variables.tf#L92) | GCP address ranges in name => range format. | map(string) | | {…} | | | [network_mode](variables.tf#L109) | Selection of the network design to deploy. | string | | "simple" | | | [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | | [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L77) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | +| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [stage_config](variables-fast.tf#L93) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L107) | Root-level tag values. 
| map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | | [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf index 4e2ef73701..613b170b90 100644 --- a/fast/stages/2-networking-b-nva/main.tf +++ b/fast/stages/2-networking-b-nva/main.tf 
@@ -17,34 +17,24 @@ # tfdoc:file:description Networking folder and hierarchical policy. locals { - _regional_nva_lb = { - primary = ( - var.network_mode == "regional_vpc" - ? module.ilb-regional-nva-landing["primary"].forwarding_rule_addresses[""] - : null - ) - secondary = ( - var.network_mode == "regional_vpc" - ? module.ilb-regional-nva-landing["secondary"].forwarding_rule_addresses[""] - : null - ) - } - _simple_nva_lb = { - primary = ( - var.network_mode == "simple" - ? module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] - : null - ) - secondary = ( - var.network_mode == "simple" - ? module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] - : null - ) - } env_tag_values = { for k, v in var.environment_names : k => var.tag_values["environment/${v}"] } has_env_folders = var.folder_ids.networking-dev != null + iam_delegated = join(",", formatlist("'%s'", [ + "roles/composer.sharedVpcAgent", + "roles/compute.networkUser", + "roles/compute.networkViewer", + "roles/container.hostServiceAgentUser", + "roles/multiclusterservicediscovery.serviceAgent", + "roles/vpcaccess.user", + ])) + iam_delegated_principals = try( + var.stage_config["networking"].iam_delegated_principals, {} + ) + iam_viewer_principals = try( + var.stage_config["networking"].iam_viewer_principals, {} + ) # select the NVA ILB as next hop for spoke VPC routing depending on net mode nva_load_balancers = (var.network_mode == "ncc_ra") ? null : { primary = ( @@ -71,14 +61,6 @@ locals { for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}" if v != null } - stage3_sas_delegated_grants = [ - "roles/composer.sharedVpcAgent", - "roles/compute.networkUser", - "roles/compute.networkViewer", - "roles/container.hostServiceAgentUser", - "roles/multiclusterservicediscovery.serviceAgent", - "roles/vpcaccess.user", - ] } module "folder" { diff --git a/fast/stages/2-networking-b-nva/net-dev.tf b/fast/stages/2-networking-b-nva/net-dev.tf index 38e11b306a..200b1e1487 100644 
--- a/fast/stages/2-networking-b-nva/net-dev.tf +++ b/fast/stages/2-networking-b-nva/net-dev.tf @@ -25,7 +25,7 @@ module "dev-spoke-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat([ + services = [ "container.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", 
@@ -35,38 +35,31 @@ module "dev-spoke-project" { "servicenetworking.googleapis.com", "stackdriver.googleapis.com", "vpcaccess.googleapis.com" - ], - ) + ] shared_vpc_host_config = { enabled = true } metric_scopes = [module.landing-project.project_id] + # optionally delegate a fixed set of IAM roles to selected principals iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-dev, null), - ]) + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["dev"], []) } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition = { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) + iam_bindings = ( + lookup(local.iam_delegated_principals, "dev", null) == null ? {} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["dev"], []) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "${var.environment_names["dev"]} host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } } } - } + ) tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["dev"] } diff --git a/fast/stages/2-networking-b-nva/net-landing.tf b/fast/stages/2-networking-b-nva/net-landing.tf index 9f67f456e7..5bd65e0b8d 100644 
--- a/fast/stages/2-networking-b-nva/net-landing.tf +++ b/fast/stages/2-networking-b-nva/net-landing.tf @@ -25,24 +25,15 @@ module "landing-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat([ + services = [ "compute.googleapis.com", "dns.googleapis.com", "iap.googleapis.com", + "networkconnectivity.googleapis.com", "networkmanagement.googleapis.com", "stackdriver.googleapis.com", - ], - ( - var.network_mode == "ncc_ra" - ? ["networkconnectivity.googleapis.com"] - : [] - ), - ( - var.fast_features.gcve - ? ["vmwareengine.googleapis.com"] - : [] - ) - ) + "vmwareengine.googleapis.com" + ] shared_vpc_host_config = { enabled = true } diff --git a/fast/stages/2-networking-b-nva/net-prod.tf b/fast/stages/2-networking-b-nva/net-prod.tf index 135c747045..3df55b5031 100644 --- a/fast/stages/2-networking-b-nva/net-prod.tf +++ b/fast/stages/2-networking-b-nva/net-prod.tf @@ -25,7 +25,7 @@ module "prod-spoke-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat([ + services = [ "container.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", 
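Review bot: The `services` list of `landing-project` now enables `networkconnectivity.googleapis.com` and `vmwareengine.googleapis.com` on every deployment, where the removed code enabled them only for `network_mode == "ncc_ra"` and `fast_features.gcve`. `var.network_mode` is still used elsewhere in this stage, so the first gate can be kept: `services = concat([ ... ], var.network_mode == "ncc_ra" ? ["networkconnectivity.googleapis.com"] : [])`. A replacement for the `fast_features.gcve` flag is not visible in this patch; if always-on is intended, a comment such as `# enabled unconditionally, fast_features.gcve was removed` would record that the larger API surface is deliberate. The prod spoke hunk of 2-networking-a-simple and both spoke hunks of 2-networking-c-separate-envs add `vmwareengine.googleapis.com` unconditionally in the same way. The module block continues past the hunk.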
@@ -35,37 +35,31 @@ module "prod-spoke-project" { "servicenetworking.googleapis.com", "stackdriver.googleapis.com", "vpcaccess.googleapis.com" - ] - ) + ] shared_vpc_host_config = { enabled = true } metric_scopes = [module.landing-project.project_id] + # optionally delegate a fixed set of IAM roles to selected principals iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-prod, null), - ]) + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["prod"], []) } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition = { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) + iam_bindings = ( + lookup(local.iam_delegated_principals, "prod", null) == null ? {} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["prod"], []) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "${var.environment_names["prod"]} host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } } } - } + ) tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["prod"] } diff --git a/fast/stages/2-networking-b-nva/nva-regional-vpc.tf b/fast/stages/2-networking-b-nva/nva-regional-vpc.tf index d711d1775f..95dc28f9c1 100644 
--- a/fast/stages/2-networking-b-nva/nva-regional-vpc.tf +++ b/fast/stages/2-networking-b-nva/nva-regional-vpc.tf @@ -15,6 +15,18 @@ */ locals { + _regional_nva_lb = { + primary = ( + var.network_mode == "regional_vpc" + ? module.ilb-regional-nva-landing["primary"].forwarding_rule_addresses[""] + : null + ) + secondary = ( + var.network_mode == "regional_vpc" + ? module.ilb-regional-nva-landing["secondary"].forwarding_rule_addresses[""] + : null + ) + } # routing_config should be aligned to the NVA network interfaces - i.e. # local.simple_routing_config[0] sets up the first interface, and so on. regional_vpc_routing_config = { diff --git a/fast/stages/2-networking-b-nva/nva-simple.tf b/fast/stages/2-networking-b-nva/nva-simple.tf index 22e20f60b9..ab794fd2de 100644 --- a/fast/stages/2-networking-b-nva/nva-simple.tf +++ b/fast/stages/2-networking-b-nva/nva-simple.tf @@ -15,6 +15,18 @@ */ locals { + _simple_nva_lb = { + primary = ( + var.network_mode == "simple" + ? module.ilb-nva-landing["primary"].forwarding_rule_addresses[""] + : null + ) + secondary = ( + var.network_mode == "simple" + ? module.ilb-nva-landing["secondary"].forwarding_rule_addresses[""] + : null + ) + } # routing_config should be aligned to the NVA network interfaces - i.e. # local.simple_routing_config[0] sets up the first interface, and so on. simple_routing_config = [ diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index d7e7485693..4a45eb7721 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf +++ b/fast/stages/2-networking-b-nva/variables-fast.tf @@ -14,6 +14,8 @@ * limitations under the License. */ +# tfdoc:file:description FAST stage interface. + variable "automation" { # tfdoc:variable:source 0-bootstrap description = "Automation resources created by the bootstrap stage." 
@@ -35,6 +37,15 @@ variable "billing_account" { } } +variable "custom_roles" { + # tfdoc:variable:source 0-bootstrap + description = "Custom roles defined at the org level, in key => id format." + type = object({ + project_iam_viewer = string + }) + default = null +} + variable "environment_names" { # tfdoc:variable:source 1-resman description = "Long environment names." @@ -44,16 +55,6 @@ variable "environment_names" { }) } -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - variable "folder_ids" { # tfdoc:variable:source 1-resman description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." @@ -89,6 +90,20 @@ variable "service_accounts" { default = null } +variable "stage_config" { + # tfdoc:variable:source 1-resman + description = "FAST stage configuration." + type = object({ + networking = optional(object({ + short_name = optional(string) + iam_delegated_principals = optional(map(list(string)), {}) + iam_viewer_principals = optional(map(list(string)), {}) + }), {}) + }) + default = {} + nullable = false +} + variable "tag_values" { # tfdoc:variable:source 1-resman description = "Root-level tag values." diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index ca96abe348..d50c4a7d1e 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md 
@@ -332,7 +332,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [outputs.tf](./outputs.tf) | Module outputs. | | google_storage_bucket_object · local_file | | [regions.tf](./regions.tf) | Compute short names for regions. | | | | [test-resources.tf](./test-resources.tf) | Temporary instances for testing | compute-vm | | -| [variables-fast.tf](./variables-fast.tf) | None | | | +| [variables-fast.tf](./variables-fast.tf) | FAST stage interface. | | | | [variables.tf](./variables.tf) | Module variables. | | | | [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | net-vpn-ha | | 
@@ -340,22 +340,23 @@ Regions are defined via the `regions` variable which sets up a mapping between t | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| -| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | -| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L57) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [prefix](variables-fast.tf#L67) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | +| [billing_account](variables-fast.tf#L27) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L49) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L58) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L68) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | | +| [custom_roles](variables-fast.tf#L40) | Custom roles defined at the org level, in key => id format. 
| object({…}) | | null | 0-bootstrap | | [dns](variables.tf#L42) | DNS configuration. | object({…}) | | {} | | | [enable_cloud_nat](variables.tf#L53) | Deploy Cloud NAT. | bool | | false | | | [essential_contacts](variables.tf#L60) | Email used for essential contacts, unset if null. | string | | null | | | [factories_config](variables.tf#L66) | Configuration for network resource factories. | object({…}) | | {…} | | -| [fast_features](variables-fast.tf#L47) | Selective control for top-level FAST features. | object({…}) | | {} | 0-0-bootstrap | | [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | | [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L77) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | +| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | +| [stage_config](variables-fast.tf#L93) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L107) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | | [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf index 268e942f71..4a388da04a 100644 
--- a/fast/stages/2-networking-c-separate-envs/main.tf +++ b/fast/stages/2-networking-c-separate-envs/main.tf @@ -18,23 +18,33 @@ locals { env_tag_values = { - for k, v in var.environment_names : k => var.tag_values["environment/${v}"] + for k, v in var.environment_names : + k => var.tag_values["environment/${v}"] } has_env_folders = var.folder_ids.networking-dev != null + iam_delegated = join(",", formatlist("'%s'", [ + "roles/composer.sharedVpcAgent", + "roles/compute.networkUser", + "roles/compute.networkViewer", + "roles/container.hostServiceAgentUser", + "roles/multiclusterservicediscovery.serviceAgent", + "roles/vpcaccess.user", + ])) + iam_delegated_principals = try( + var.stage_config["networking"].iam_delegated_principals, {} + ) + iam_viewer_principals = try( + var.stage_config["networking"].iam_viewer_principals, {} + ) # combine all regions from variables and subnets regions = distinct(concat( values(var.regions), values(module.dev-spoke-vpc.subnet_regions), values(module.prod-spoke-vpc.subnet_regions), )) - stage3_sas_delegated_grants = [ - "roles/composer.sharedVpcAgent", - "roles/compute.networkUser", - "roles/container.hostServiceAgentUser", - "roles/vpcaccess.user", - ] service_accounts = { - for k, v in coalesce(var.service_accounts, {}) : k => "serviceAccount:${v}" if v != null + for k, v in coalesce(var.service_accounts, {}) : + k => "serviceAccount:${v}" if v != null } } diff --git a/fast/stages/2-networking-c-separate-envs/net-dev.tf b/fast/stages/2-networking-c-separate-envs/net-dev.tf index b0a753ec1e..4ffd04f677 100644 --- a/fast/stages/2-networking-c-separate-envs/net-dev.tf +++ b/fast/stages/2-networking-c-separate-envs/net-dev.tf @@ -25,7 +25,7 @@ module "dev-spoke-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat([ + services = [ "container.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", 
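Review bot: The `iam_delegated` local in 2-networking-c-separate-envs/main.tf is not a plain rename of the removed `stage3_sas_delegated_grants`: it adds `roles/compute.networkViewer` and `roles/multiclusterservicediscovery.serviceAgent`, which widens what holders of the conditional `projectIamAdmin` binding can grant in this stage. If this is a deliberate alignment with the list in 2-networking-b-nva, say so in the commit message or in a comment; otherwise keep the original four roles. The name also reads like a list of principals next to `iam_delegated_principals`, so a comment such as `# roles that delegated principals are allowed to grant (IAM condition allowlist)` above it would help, here and on the same local in 2-networking-b-nva and 2-security. The `locals` block starts before this hunk.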
@@ -34,44 +34,33 @@ module "dev-spoke-project" { "networksecurity.googleapis.com", "servicenetworking.googleapis.com", "stackdriver.googleapis.com", + "vmwareengine.googleapis.com", "vpcaccess.googleapis.com" - ], - ( - var.fast_features.gcve - ? ["vmwareengine.googleapis.com"] - : [] - ) - ) + ] shared_vpc_host_config = { enabled = true service_projects = [] } + # optionally delegate a fixed set of IAM roles to selected principals iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-dev, null), - ]) + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["dev"], []) } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-dev, null), - try(local.service_accounts.project-factory, null), - try(local.service_accounts.project-factory-dev, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-dev, null), - ]) - condition = { - title = "dev_stage3_sa_delegated_grants" - description = "Development host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) + iam_bindings = ( + lookup(local.iam_delegated_principals, "dev", null) == null ? {} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["dev"], []) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "${var.environment_names["dev"]} host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } } } - } + ) tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["dev"] } 
diff --git a/fast/stages/2-networking-c-separate-envs/net-prod.tf b/fast/stages/2-networking-c-separate-envs/net-prod.tf index 98f54fc408..944adb7dbf 100644 --- a/fast/stages/2-networking-c-separate-envs/net-prod.tf +++ b/fast/stages/2-networking-c-separate-envs/net-prod.tf @@ -25,7 +25,7 @@ module "prod-spoke-project" { var.folder_ids.networking ) prefix = var.prefix - services = concat([ + services = [ "container.googleapis.com", "compute.googleapis.com", "dns.googleapis.com", 
@@ -34,43 +34,33 @@ module "prod-spoke-project" { "networksecurity.googleapis.com", "servicenetworking.googleapis.com", "stackdriver.googleapis.com", + "vmwareengine.googleapis.com", "vpcaccess.googleapis.com" - ], - ( - var.fast_features.gcve - ? ["vmwareengine.googleapis.com"] - : [] - ) - ) + ] shared_vpc_host_config = { enabled = true service_projects = [] } + # optionally delegate a fixed set of IAM roles to selected principals iam = { - "roles/dns.admin" = compact([ - try(local.service_accounts.gke-prod, null), - ]) + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["prod"], []) } - # allow specific service accounts to assign a set of roles - iam_bindings = { - sa_delegated_grants = { - role = "roles/resourcemanager.projectIamAdmin" - members = compact([ - try(local.service_accounts.data-platform-prod, null), - try(local.service_accounts.project-factory, null), - try(local.service_accounts.project-factory-prod, null), - try(local.service_accounts.gke-prod, null), - ]) - condition = { - title = "prod_stage3_sa_delegated_grants" - description = "Production host project delegated grants." - expression = format( - "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", - join(",", formatlist("'%s'", local.stage3_sas_delegated_grants)) - ) + iam_bindings = ( + lookup(local.iam_delegated_principals, "prod", null) == null ? {} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["prod"], []) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "${var.environment_names["prod"]} host project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } } } - } + ) tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["prod"] } 
diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index d7e7485693..4a45eb7721 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf @@ -14,6 +14,8 @@ * limitations under the License. */ +# tfdoc:file:description FAST stage interface. + variable "automation" { # tfdoc:variable:source 0-bootstrap description = "Automation resources created by the bootstrap stage." @@ -35,6 +37,15 @@ variable "billing_account" { } } +variable "custom_roles" { + # tfdoc:variable:source 0-bootstrap + description = "Custom roles defined at the org level, in key => id format." + type = object({ + project_iam_viewer = string + }) + default = null +} + variable "environment_names" { # tfdoc:variable:source 1-resman description = "Long environment names." @@ -44,16 +55,6 @@ variable "environment_names" { }) } -variable "fast_features" { - # tfdoc:variable:source 0-0-bootstrap - description = "Selective control for top-level FAST features." - type = object({ - gcve = optional(bool, false) - }) - default = {} - nullable = false -} - variable "folder_ids" { # tfdoc:variable:source 1-resman description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." @@ -89,6 +90,20 @@ variable "service_accounts" { default = null } +variable "stage_config" { + # tfdoc:variable:source 1-resman + description = "FAST stage configuration." + type = object({ + networking = optional(object({ + short_name = optional(string) + iam_delegated_principals = optional(map(list(string)), {}) + iam_viewer_principals = optional(map(list(string)), {}) + }), {}) + }) + default = {} + nullable = false +} + variable "tag_values" { # tfdoc:variable:source 1-resman description = "Root-level tag values." 
diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index 49e756286c..e2b35d3a38 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -281,15 +281,17 @@ tls_inspection = { |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [environment_names](variables-fast.tf#L38) | Long environment names. | object({…}) | ✓ | | 1-resman | -| [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | -| [prefix](variables-fast.tf#L57) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [environment_names](variables-fast.tf#L47) | Long environment names. | object({…}) | ✓ | | 1-resman | +| [folder_ids](variables-fast.tf#L56) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman | +| [prefix](variables-fast.tf#L66) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | | [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | object({…}) | | {…} | | +| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [essential_contacts](variables.tf#L178) | Email used for essential contacts, unset if null. | string | | null | | | [kms_keys](variables.tf#L184) | KMS keys to create, keyed by name. | map(object({…})) | | {} | | | [ngfw_tls_configs](variables.tf#L223) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | | | [outputs_location](variables.tf#L249) | Path where providers, tfvars files, and lists for the following stages are written. 
Leave empty to disable. | string | | null | | -| [tag_values](variables-fast.tf#L67) | Root-level tag values. | map(string) | | {} | 1-resman | +| [stage_config](variables-fast.tf#L76) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L90) | Root-level tag values. | map(string) | | {} | 1-resman | | [trust_configs](variables.tf#L255) | The trust configs grouped by environment. | object({…}) | | {…} | | ## Outputs diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf index f6ab1462a4..6786dad9ee 100644 --- a/fast/stages/2-security/core-dev.tf +++ b/fast/stages/2-security/core-dev.tf @@ -34,6 +34,26 @@ module "dev-sec-project" { tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["dev"] } + # optionally delegate a fixed set of IAM roles to selected principals + iam = { + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["dev"], []) + } + iam_bindings = ( + lookup(local.iam_delegated_principals, "dev", null) == null ? {} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["dev"], []) + condition = { + title = "dev_stage3_sa_delegated_grants" + description = "${var.environment_names["dev"]} project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } + } + } + ) } module "dev-sec-kms" { diff --git a/fast/stages/2-security/core-prod.tf b/fast/stages/2-security/core-prod.tf index e670c28f05..7c267c8f2c 100644 --- a/fast/stages/2-security/core-prod.tf +++ b/fast/stages/2-security/core-prod.tf 
@@ -34,6 +34,26 @@ module "prod-sec-project" { tag_bindings = local.has_env_folders ? {} : { environment = local.env_tag_values["prod"] } + # optionally delegate a fixed set of IAM roles to selected principals + iam = { + (var.custom_roles.project_iam_viewer) = try(local.iam_viewer_principals["prod"], []) + } + iam_bindings = ( + lookup(local.iam_delegated_principals, "prod", null) == null ? {} : { + sa_delegated_grants = { + role = "roles/resourcemanager.projectIamAdmin" + members = try(local.iam_delegated_principals["prod"], []) + condition = { + title = "prod_stage3_sa_delegated_grants" + description = "${var.environment_names["prod"]} project delegated grants." + expression = format( + "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])", + local.iam_delegated + ) + } + } + } + ) } module "prod-sec-kms" { diff --git a/fast/stages/2-security/main.tf b/fast/stages/2-security/main.tf index 5c23033531..af4d0ab735 100644 --- a/fast/stages/2-security/main.tf +++ b/fast/stages/2-security/main.tf @@ -20,6 +20,15 @@ locals { k => var.tag_values["environment/${v}"] } has_env_folders = var.folder_ids.security-dev != null + iam_delegated = join(",", formatlist("'%s'", [ + "roles/cloudkms.cryptoKeyEncrypterDecrypter" + ])) + iam_delegated_principals = try( + var.stage_config["security"].iam_delegated_principals, {} + ) + iam_viewer_principals = try( + var.stage_config["security"].iam_viewer_principals, {} + ) # list of locations with keys kms_locations = distinct(flatten([ for k, v in var.kms_keys : v.locations diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf index a15d912359..3b8c430baf 100644 --- a/fast/stages/2-security/variables-fast.tf +++ b/fast/stages/2-security/variables-fast.tf 
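Review bot: The `lookup(...) == null` guard on `iam_bindings` lets an empty list through, so `iam_delegated_principals = { prod = [] }` still yields a conditional `roles/resourcemanager.projectIamAdmin` binding with no members. How the project module handles an empty member list is not visible here, and it is presumably not what the caller wants. Testing the length covers the missing-key, null and empty cases and makes the inner `try` on `members` unnecessary: `try(length(local.iam_delegated_principals["prod"]), 0) == 0 ? {} : {`. The `dev-sec-project` hunk in core-dev.tf uses the same guard.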
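Review bot: `iam_delegated` in this main.tf hunk has no comment, yet it is the allow-list that the `hasOnly([...])` condition in core-dev.tf and core-prod.tf enforces on the delegated `projectIamAdmin` binding. Adding a role here widens what the delegated principals can grant to themselves or others on the security projects, which a reader of `main.tf` cannot tell from the name. I would add above it: `# roles that delegated principals may grant on the security projects; this list is the only bound on the projectIamAdmin condition`. The `locals` block starts before and continues past the hunk.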
@@ -35,6 +35,15 @@ variable "billing_account" { } } +variable "custom_roles" { + # tfdoc:variable:source 0-bootstrap + description = "Custom roles defined at the org level, in key => id format." + type = object({ + project_iam_viewer = string + }) + default = null +} + variable "environment_names" { # tfdoc:variable:source 1-resman description = "Long environment names." @@ -64,6 +73,20 @@ variable "prefix" { } } +variable "stage_config" { + # tfdoc:variable:source 1-resman + description = "FAST stage configuration." + type = object({ + security = optional(object({ + short_name = optional(string) + iam_delegated_principals = optional(map(list(string)), {}) + iam_viewer_principals = optional(map(list(string)), {}) + }), {}) + }) + default = {} + nullable = false +} + variable "tag_values" { # tfdoc:variable:source 1-resman description = "Root-level tag values." From e279aaa929b345499eeeb90bc87a33cd272f916a Mon Sep 17 00:00:00 2001 From: Ludo Date: Wed, 23 Oct 2024 14:52:02 +0200 Subject: [PATCH 54/94] remove checklist from bootstrap --- fast/stages/0-bootstrap/README.md | 37 +- fast/stages/0-bootstrap/checklist.tf | 153 -- fast/stages/0-bootstrap/main.tf | 2 +- fast/stages/0-bootstrap/organization.tf | 34 +- fast/stages/0-bootstrap/outputs.tf | 9 - fast/stages/0-bootstrap/variables.tf | 6 +- .../fast/stages/s0_bootstrap/checklist.tfvars | 17 - tests/fast/stages/s0_bootstrap/checklist.yaml | 1967 ----------------- tests/fast/stages/s0_bootstrap/simple.yaml | 6 +- tests/fast/stages/s0_bootstrap/tftest.yaml | 6 +- 10 files changed, 32 insertions(+), 2205 deletions(-) delete mode 100644 fast/stages/0-bootstrap/checklist.tf delete mode 100644 tests/fast/stages/s0_bootstrap/checklist.tfvars delete mode 100644 tests/fast/stages/s0_bootstrap/checklist.yaml diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md index dbb8575837..6e05e029a6 100644 --- a/fast/stages/0-bootstrap/README.md +++ b/fast/stages/0-bootstrap/README.md 
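Review bot: The `stage_config` variable accepts any key in `iam_delegated_principals` and `iam_viewer_principals`, while the visible consumers in core-dev.tf and core-prod.tf only read `"dev"` and `"prod"` through `lookup`/`try`. A mistyped environment key is therefore ignored without an error, and the IAM delegation the operator expected is simply never created. A validation block on the variable would surface this at plan time. The description could also say that both maps are keyed by environment and hold IAM principals.

```hcl
variable "stage_config" {
  # … unchanged: description, type, default, nullable …
  validation {
    condition = alltrue([
      for k in concat(
        keys(var.stage_config.security.iam_delegated_principals),
        keys(var.stage_config.security.iam_viewer_principals)
      ) : contains(["dev", "prod"], k)
    ])
    error_message = "Keys in iam_delegated_principals and iam_viewer_principals must be 'dev' or 'prod'."
  }
}
```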
@@ -636,7 +636,6 @@ The remaining configuration is manual, as it regards the repositories themselves |---|---|---|---| | [automation.tf](./automation.tf) | Automation project and resources. | gcs · iam-service-account · project | | | [billing.tf](./billing.tf) | Billing export project and dataset. | bigquery-dataset · project | google_billing_account_iam_member | -| [checklist.tf](./checklist.tf) | None | gcs | google_storage_bucket_object | | [cicd.tf](./cicd.tf) | Workload Identity Federation configurations for CI/CD. | iam-service-account | | | [identity-providers-defs.tf](./identity-providers-defs.tf) | Identity provider definitions. | | | | [identity-providers.tf](./identity-providers.tf) | Workload Identity Federation provider definitions. | | google_iam_workforce_pool · google_iam_workforce_pool_provider · google_iam_workload_identity_pool · google_iam_workload_identity_pool_provider | 
@@ -654,25 +653,25 @@ The remaining configuration is manual, as it regards the repositories themselves | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | | -| [organization](variables.tf#L266) | Organization details. | object({…}) | ✓ | | | -| [prefix](variables.tf#L281) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | +| [organization](variables.tf#L264) | Organization details. | object({…}) | ✓ | | | +| [prefix](variables.tf#L279) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | | | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | | | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | | | [custom_roles](variables.tf#L87) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | | | [environments](variables.tf#L94) | Environment names. | map(object({…})) | | {…} | | | [essential_contacts](variables.tf#L118) | Email used for essential contacts, unset if null. | string | | null | | -| [factories_config](variables.tf#L124) | Configuration for the resource factories or external data. | object({…}) | | {} | | -| [groups](variables.tf#L136) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. 
| object({…}) | | {} | | -| [iam](variables.tf#L152) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | -| [iam_bindings_additive](variables.tf#L159) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | -| [iam_by_principals](variables.tf#L174) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | -| [locations](variables.tf#L181) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | -| [log_sinks](variables.tf#L195) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | -| [org_policies_config](variables.tf#L248) | Organization policies customization. | object({…}) | | {} | | -| [outputs_location](variables.tf#L275) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [project_parent_ids](variables.tf#L290) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | | -| [workforce_identity_providers](variables.tf#L301) | Workforce Identity Federation pools. | map(object({…})) | | {} | | -| [workload_identity_providers](variables.tf#L317) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | +| [factories_config](variables.tf#L124) | Configuration for the resource factories or external data. | object({…}) | | {} | | +| [groups](variables.tf#L134) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. 
| object({…}) | | {} | | +| [iam](variables.tf#L150) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | | +| [iam_bindings_additive](variables.tf#L157) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | | +| [iam_by_principals](variables.tf#L172) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | | +| [locations](variables.tf#L179) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | | +| [log_sinks](variables.tf#L193) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | | +| [org_policies_config](variables.tf#L246) | Organization policies customization. | object({…}) | | {} | | +| [outputs_location](variables.tf#L273) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | +| [project_parent_ids](variables.tf#L288) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | | +| [workforce_identity_providers](variables.tf#L299) | Workforce Identity Federation pools. | map(object({…})) | | {} | | +| [workload_identity_providers](variables.tf#L315) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | | ## Outputs 
@@ -686,8 +685,8 @@ The remaining configuration is manual, as it regards the repositories themselves | [project_ids](outputs.tf#L178) | Projects created by this stage. | | | | [providers](outputs.tf#L188) | Terraform provider files for this stage and dependent stages. | ✓ | stage-01 | | [service_accounts](outputs.tf#L195) | Automation service accounts created by this stage. | | | -| [tfvars](outputs.tf#L213) | Terraform variable files for the following stages. | ✓ | | -| [tfvars_globals](outputs.tf#L219) | Terraform Globals variable files for the following stages. | ✓ | | -| [workforce_identity_pool](outputs.tf#L225) | Workforce Identity Federation pool. | | | -| [workload_identity_pool](outputs.tf#L234) | Workload Identity Federation pool and providers. | | | +| [tfvars](outputs.tf#L204) | Terraform variable files for the following stages. | ✓ | | +| [tfvars_globals](outputs.tf#L210) | Terraform Globals variable files for the following stages. | ✓ | | +| [workforce_identity_pool](outputs.tf#L216) | Workforce Identity Federation pool. | | | +| [workload_identity_pool](outputs.tf#L225) | Workload Identity Federation pool and providers. | | | diff --git a/fast/stages/0-bootstrap/checklist.tf b/fast/stages/0-bootstrap/checklist.tf deleted file mode 100644 index 0c52f41ed5..0000000000 --- a/fast/stages/0-bootstrap/checklist.tf +++ /dev/null 
@@ -1,153 +0,0 @@ -/** - * Copyright 2024 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -locals { - # group mapping from checklist to ours - _cl_groups = { - BILLING_ADMINS = local.principals.gcp-billing-admins - DEVOPS = local.principals.gcp-devops - # LOGGING_ADMINS - # MONITORING_ADMINS - NETWORK_ADMINS = local.principals.gcp-network-admins - ORG_ADMINS = local.principals.gcp-organization-admins - SECURITY_ADMINS = local.principals.gcp-security-admins - } - # parse raw data from JSON files if they exist - _cl_data_raw = ( - var.factories_config.checklist_data == null - ? null - : jsondecode(file(pathexpand(var.factories_config.checklist_data))) - ) - _cl_org_raw = ( - var.factories_config.checklist_org_iam == null - ? null - : jsondecode(file(pathexpand(var.factories_config.checklist_org_iam))) - ) - # check that files are for the correct organization and ignore them if not - _cl_data = ( - try(local._cl_data_raw.cloud_setup_config.organization.id, null) != tostring(var.organization.id) - ? null - : local._cl_data_raw.cloud_setup_config - ) - _cl_org = ( - try(local._cl_org_raw.cloud_setup_org_iam.organization.id, null) != tostring(var.organization.id) - ? 
null - : local._cl_org_raw.cloud_setup_org_iam - ) - # do a first pass on IAM bindings to identify groups and normalize - _cl_org_iam_bindings = { - for b in try(local._cl_org.iam_bindings, []) : - lookup(local._cl_groups, b.group_id, b.principal) => { - additive = [ - for r in b.role : r if !contains(local.iam_roles_authoritative, r) - ] - authoritative = [ - for r in b.role : r if contains(local.iam_roles_authoritative, r) - ] - roles = b.role - is_group = lookup(local._cl_groups, b.group_id, null) != null - } - } - # compile the final data structure we will consume from various places - checklist = { - billing_account = try(local._cl_data.billing_account, null) - iam_principals = { - for k, v in local._cl_org_iam_bindings : - k => v.authoritative if v.is_group && length(v.authoritative) > 0 - } - iam = { - for k, v in local._cl_org_iam_bindings : - k => v.authoritative if !v.is_group && length(v.authoritative) > 0 - } - iam_bindings = concat(flatten([ - for k, v in local._cl_org_iam_bindings : [ - for r in v.additive : [ - { - key = "${r}-${k}" - member = k - role = r - } - ] - ] - ])) - location = try(local._cl_data.logging.sinks[0].destination.location, null) - } - uses_checklist = ( - var.factories_config.checklist_data != null - || - var.factories_config.checklist_org_iam != null - ) -} -check "checklist" { - # checklist data files don't need to be both present so we check independently - # version mismatch might be ok, we just alert users - assert { - condition = ( - var.factories_config.checklist_data == null || - try(local._cl_data_raw.cloud_setup_config.version, null) == "0.1.0" - ) - error_message = "Checklist data version mismatch." - } - assert { - condition = ( - var.factories_config.checklist_org_iam == null || - try(local._cl_org_raw.cloud_setup_org_iam.version, null) == "0.1.0" - ) - error_message = "Checklist org IAM version mismatch." 
- } - # wrong org id forces us to ignore the files, but we also alert users - assert { - condition = ( - var.factories_config.checklist_data == null || - try(local._cl_data_raw.cloud_setup_config.organization.id, null) == tostring(var.organization.id) - ) - error_message = "Checklist data organization id mismatch, file ignored." - } - assert { - condition = ( - var.factories_config.checklist_org_iam == null || - try(local._cl_org_raw.cloud_setup_org_iam.organization.id, null) == tostring(var.organization.id) - ) - error_message = "Checklist org IAM organization id mismatch, file ignored." - } -} - -# checklist files bucket - -module "automation-tf-checklist-gcs" { - source = "../../../modules/gcs" - count = local.uses_checklist ? 1 : 0 - project_id = module.automation-project.project_id - name = "iac-core-checklist-0" - prefix = local.prefix - location = local.locations.gcs - versioning = true - depends_on = [module.organization] -} - -resource "google_storage_bucket_object" "checklist_data" { - count = var.factories_config.checklist_data != null ? 1 : 0 - bucket = module.automation-tf-checklist-gcs[0].name - name = "checklist/data.tfvars.json" - source = var.factories_config.checklist_data -} - -resource "google_storage_bucket_object" "checklist_org_iam" { - count = var.factories_config.checklist_org_iam != null ? 1 : 0 - bucket = module.automation-tf-checklist-gcs[0].name - name = "checklist/org-iam.tfvars.json" - source = var.factories_config.checklist_org_iam -} diff --git a/fast/stages/0-bootstrap/main.tf b/fast/stages/0-bootstrap/main.tf index dfd6d34d7a..7e3cde1507 100644 --- a/fast/stages/0-bootstrap/main.tf +++ b/fast/stages/0-bootstrap/main.tf @@ -26,7 +26,7 @@ locals { locations = { bq = var.locations.bq gcs = var.locations.gcs - logging = coalesce(try(local.checklist.location, null), var.locations.logging) + logging = var.locations.logging pubsub = var.locations.pubsub } # naming: environment used in most resource names 
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf index 18644f83fa..0959daaa46 100644 --- a/fast/stages/0-bootstrap/organization.tf +++ b/fast/stages/0-bootstrap/organization.tf @@ -54,12 +54,10 @@ locals { [for d in var.org_policies_config.constraints.allowed_essential_contact_domains : "@${d}"] ) org_policies_tag_name = "${var.organization.id}/${var.org_policies_config.tag_name}" - - # intermediate values before we merge in what comes from the checklist - _iam_principals = { + iam_principals = { for k, v in local.iam_principal_bindings : k => v.authoritative } - _iam = merge( + iam = merge( { for r in local.iam_delete_roles : r => [] }, @@ -67,36 +65,16 @@ locals { for b in local._iam_bindings_auth : b.role => b.member... } ) - _iam_bindings_additive = { + iam_bindings_additive = { for b in local._iam_bindings_add : "${b.role}-${b.member}" => { member = b.member role = b.role } } - # final values combining all sources - iam_principals = { - for k, v in local._iam_principals : k => distinct(concat( - v, - try(local.checklist.iam_principals[k], []) - )) - } - iam = { - for k, v in local._iam : k => distinct(concat( - v, - try(local.checklist.iam[k].authoritative, []) - )) - } - iam_bindings_additive = merge( - local._iam_bindings_additive, - { - for k, v in try(local.checklist.iam_bindings, {}) : - v.key => v if lookup(local._iam_bindings_additive, v.key, null) == null - } - ) - # compute authoritative and additive roles for use by add-ons (checklist, etc.) + # compute authoritative and additive roles for use by add-ons iam_roles_authoritative = distinct(concat( - flatten(values(local._iam_principals)), - keys(local._iam) + flatten(values(local.iam_principals)), + keys(local.iam) )) } diff --git a/fast/stages/0-bootstrap/outputs.tf b/fast/stages/0-bootstrap/outputs.tf index 9ed64fb850..9a34a58d7f 100644 --- a/fast/stages/0-bootstrap/outputs.tf +++ b/fast/stages/0-bootstrap/outputs.tf 
@@ -200,15 +200,6 @@ output "service_accounts" { } } -# output "test" { -# value = { -# checklist = local.checklist -# iam_roles_authoritative = local.iam_roles_authoritative -# iam_roles_additive = local.iam_roles_additive -# test = local.checklist -# } -# } - # ready to use variable values for subsequent stages output "tfvars" { description = "Terraform variable files for the following stages." diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf index 58414c91d0..30b702e9e1 100644 --- a/fast/stages/0-bootstrap/variables.tf +++ b/fast/stages/0-bootstrap/variables.tf @@ -124,10 +124,8 @@ variable "essential_contacts" { variable "factories_config" { description = "Configuration for the resource factories or external data." type = object({ - checklist_data = optional(string) - checklist_org_iam = optional(string) - custom_roles = optional(string, "data/custom-roles") - org_policy = optional(string, "data/org-policies") + custom_roles = optional(string, "data/custom-roles") + org_policy = optional(string, "data/org-policies") }) nullable = false default = {} diff --git a/tests/fast/stages/s0_bootstrap/checklist.tfvars b/tests/fast/stages/s0_bootstrap/checklist.tfvars deleted file mode 100644 index 5b97f548af..0000000000 --- a/tests/fast/stages/s0_bootstrap/checklist.tfvars +++ /dev/null @@ -1,17 +0,0 @@ -organization = { - domain = "fast.example.com" - id = 123456789012 - customer_id = "C00000000" -} -billing_account = { - id = "000000-111111-222222" -} -essential_contacts = "gcp-organization-admins@fast.example.com" -factories_config = { - checklist_data = "checklist-data.json" - checklist_org_iam = "checklist-org-iam.json" -} -org_policies_config = { - import_defaults = false -} -prefix = "fast" diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml deleted file mode 100644 index 58f1751f12..0000000000 --- a/tests/fast/stages/s0_bootstrap/checklist.yaml +++ /dev/null 
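Review bot: Removing `checklist_data` and `checklist_org_iam` from the `factories_config` object type in variables.tf is not documented for existing users. Terraform discards object attributes that the type constraint does not declare, so tfvars that still set them should plan without an error. Since the organization.tf hunks also stop merging `local.checklist` into `iam`, `iam_principals` and `iam_bindings_additive`, organization-level bindings that came from the checklist files would presumably be planned for removal with no warning. I would add a comment above `type`, for example `# checklist_data and checklist_org_iam are no longer supported; values left in tfvars are ignored`, and an upgrade note in the stage README. The variable block closes outside the hunk.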
@@ -1,1967 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -values: - google_storage_bucket_object.checklist_data[0]: - bucket: fast-prod-iac-core-checklist-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: checklist/data.tfvars.json - retention: [] - source: checklist-data.json - temporary_hold: null - timeouts: null - google_storage_bucket_object.checklist_org_iam[0]: - bucket: fast-prod-iac-core-checklist-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: checklist/org-iam.tfvars.json - retention: [] - source: checklist-org-iam.json - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["0-bootstrap"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/0-bootstrap-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["0-bootstrap-r"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_encoding: null - content_language: 
null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/0-bootstrap-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-resman"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/1-resman-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-resman-r"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/1-resman-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-tenant-factory"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/1-tenant-factory-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-tenant-factory-r"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/1-tenant-factory-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-vpcsc"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - 
content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/1-vpcsc-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["1-vpcsc-r"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/1-vpcsc-r-providers.tf - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.tfvars: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: tfvars/0-bootstrap.auto.tfvars.json - retention: [] - source: null - temporary_hold: null - timeouts: null - google_storage_bucket_object.tfvars_globals: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content: '{"billing_account":{"id":"000000-111111-222222","is_org_level":true,"no_iam":false},"environments":{"dev":{"is_default":false,"name":"Development"},"prod":{"is_default":true,"name":"Production"}},"groups":{"gcp-billing-admins":"group:gcp-billing-admins@fast.example.com","gcp-devops":"group:gcp-devops@fast.example.com","gcp-network-admins":"group:gcp-vpc-network-admins@fast.example.com","gcp-organization-admins":"group:gcp-organization-admins@fast.example.com","gcp-security-admins":"group:gcp-security-admins@fast.example.com","gcp-support":"group:gcp-devops@fast.example.com"},"locations":{"bq":"EU","gcs":"EU","logging":"europe-west1","pubsub":[]},"organization":{"customer_id":"C00000000","domain":"fast.example.com","id":123456789012},"prefix":"fast"}' - content_disposition: null - content_encoding: null - content_language: null - 
customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: tfvars/0-globals.auto.tfvars.json - retention: [] - source: null - temporary_hold: null - timeouts: null - module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]: - project: fast-prod-iac-core-0 - module.automation-project.data.google_storage_project_service_account.gcs_sa[0]: - project: fast-prod-iac-core-0 - user_project: null - module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: - email: gcp-organization-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - parent: projects/fast-prod-iac-core-0 - timeouts: null - module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: - dry_run_spec: [] - name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation - parent: projects/fast-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: - dry_run_spec: [] - name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts - parent: projects/fast-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: - dry_run_spec: [] - name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation - parent: projects/fast-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - 
module.automation-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - deletion_policy: DELETE - folder_id: null - labels: null - name: fast-prod-iac-core-0 - org_id: '123456789012' - project_id: fast-prod-iac-core-0 - timeouts: null - module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]: - audit_log_config: - - exempted_members: [] - log_type: ADMIN_READ - project: fast-prod-iac-core-0 - service: iam.googleapis.com - module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: organizations/123456789012/roles/storageViewer - module.automation-project.google_project_iam_binding.authoritative["roles/browser"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/browser - module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/cloudbuild.builds.editor - module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/cloudbuild.builds.viewer - module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: 
fast-prod-iac-core-0 - role: roles/iam.serviceAccountAdmin - module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - - group:gcp-organization-admins@fast.example.com - project: fast-prod-iac-core-0 - role: roles/iam.serviceAccountTokenCreator - module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.serviceAccountViewer - module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.workloadIdentityPoolAdmin - module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.workloadIdentityPoolViewer - module.automation-project.google_project_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/owner - module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/source.admin - module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]: - condition: [] - members: - - 
serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/source.reader - module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/storage.admin - module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/viewer - module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]: - condition: - - description: Resource manager service account delegated grant. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer']) - title: resman_delegated_grant - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/resourcemanager.projectIamAdmin - module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]: - condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/serviceusage.serviceUsageConsumer - module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]: - condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/serviceusage.serviceUsageViewer - module.automation-project.google_project_iam_member.service_agents["cloudasset"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudasset.serviceAgent - 
module.automation-project.google_project_iam_member.service_agents["cloudbuild"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudbuild.serviceAgent - module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudbuild.builds.builder - module.automation-project.google_project_iam_member.service_agents["cloudkms"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudkms.serviceAgent - module.automation-project.google_project_iam_member.service_agents["compute-system"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/compute.serviceAgent - module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/container.serviceAgent - module.automation-project.google_project_iam_member.service_agents["gkenode"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/container.nodeServiceAgent - module.automation-project.google_project_iam_member.service_agents["pubsub"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/pubsub.serviceAgent - module.automation-project.google_project_iam_member.service_agents["service-networking"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/servicenetworking.serviceAgent - module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: accesscontextmanager.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: bigquery.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]: - 
disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: bigqueryreservation.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: bigquerystorage.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: billingbudgets.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudasset.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudbilling.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudbuild.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudkms.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudquotas.googleapis.com - timeouts: null - 
module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudresourcemanager.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["compute.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: compute.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["container.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: container.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: essentialcontacts.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["iam.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: iam.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: iamcredentials.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: networksecurity.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: orgpolicy.googleapis.com - 
timeouts: null - module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: pubsub.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: servicenetworking.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: serviceusage.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["stackdriver.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: stackdriver.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: storage-component.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["storage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: storage.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["sts.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: sts.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]: - project: fast-prod-iac-core-0 - service: cloudasset.googleapis.com - timeouts: null - 
module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]: - project: fast-prod-iac-core-0 - service: cloudkms.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["container.googleapis.com"]: - project: fast-prod-iac-core-0 - service: container.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]: - project: fast-prod-iac-core-0 - service: networksecurity.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]: - project: fast-prod-iac-core-0 - service: pubsub.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]: - project: fast-prod-iac-core-0 - service: servicenetworking.googleapis.com - timeouts: null - module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast-prod-iac-core-bootstrap-0 - project: fast-prod-iac-core-0 - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] - : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/organizationAdminViewer - ? 
module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] - : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/tagViewer - module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]: - account_id: fast-prod-bootstrap-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform organization bootstrap service account (read-only). - project: fast-prod-iac-core-0 - timeouts: null - ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: organizations/123456789012/roles/storageViewer - module.automation-tf-bootstrap-sa.google_service_account.service_account[0]: - account_id: fast-prod-bootstrap-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform organization bootstrap service account. - project: fast-prod-iac-core-0 - timeouts: null - module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: - condition: [] - members: null - role: roles/iam.serviceAccountTokenCreator - ? 
module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: roles/storage.admin - module.automation-tf-checklist-gcs[0].google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast-prod-iac-core-checklist-0 - project: fast-prod-iac-core-0 - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.automation-tf-output-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast-prod-iac-core-outputs-0 - project: fast-prod-iac-core-0 - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.automation-tf-resman-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast-prod-iac-core-resman-0 - project: fast-prod-iac-core-0 - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast-prod-iac-core-resman-0 - condition: [] - members: - - 
serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast-prod-iac-core-resman-0 - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - role: roles/storage.objectViewer - ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] - : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/organizationAdminViewer - ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] - : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/tagViewer - module.automation-tf-resman-r-sa.google_service_account.service_account[0]: - account_id: fast-prod-resman-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform stage 1 resman service account (read-only). - project: fast-prod-iac-core-0 - timeouts: null - ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: organizations/123456789012/roles/storageViewer - module.automation-tf-resman-sa.google_service_account.service_account[0]: - account_id: fast-prod-resman-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform stage 1 resman service account. - project: fast-prod-iac-core-0 - timeouts: null - ? 
module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: roles/storage.admin - module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket: - autoclass: [] - cors: [] - custom_placement_config: [] - default_event_based_hold: null - enable_object_retention: null - encryption: [] - force_destroy: false - labels: null - lifecycle_rule: [] - location: EU - logging: [] - name: fast-prod-iac-core-vpcsc-0 - project: fast-prod-iac-core-0 - requester_pays: null - retention_policy: [] - storage_class: STANDARD - timeouts: null - uniform_bucket_level_access: true - versioning: - - enabled: true - module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast-prod-iac-core-vpcsc-0 - condition: [] - members: - - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com - role: roles/storage.objectAdmin - module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast-prod-iac-core-vpcsc-0 - condition: [] - members: - - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - role: roles/storage.objectViewer - module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]: - account_id: fast-prod-vpcsc-0r - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform stage 1 vpcsc service account (read-only). - project: fast-prod-iac-core-0 - timeouts: null - ? 
module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: organizations/123456789012/roles/storageViewer - module.automation-tf-vpcsc-sa.google_service_account.service_account[0]: - account_id: fast-prod-vpcsc-0 - create_ignore_already_exists: null - description: null - disabled: false - display_name: Terraform stage 1 vpcsc service account. - project: fast-prod-iac-core-0 - timeouts: null - module.automation-tf-vpcsc-sa.google_service_account_iam_member.bindings["security_admins"]: - condition: [] - member: group:gcp-security-admins@fast.example.com - role: roles/iam.serviceAccountTokenCreator - ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: roles/storage.admin - module.billing-export-dataset[0].google_bigquery_dataset.default: - dataset_id: billing_export - default_encryption_configuration: [] - default_partition_expiration_ms: null - default_table_expiration_ms: null - delete_contents_on_destroy: false - description: Terraform managed. - external_dataset_reference: [] - friendly_name: Billing export. 
- labels: null - location: EU - max_time_travel_hours: '168' - project: fast-prod-billing-exp-0 - resource_tags: null - timeouts: null - module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]: - project: fast-prod-billing-exp-0 - module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]: - project: fast-prod-billing-exp-0 - user_project: null - module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: - email: gcp-organization-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - parent: projects/fast-prod-billing-exp-0 - timeouts: null - module.billing-export-project[0].google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - deletion_policy: DELETE - folder_id: null - labels: null - name: fast-prod-billing-exp-0 - org_id: '123456789012' - project_id: fast-prod-billing-exp-0 - timeouts: null - module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-billing-exp-0 - role: roles/owner - module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-billing-exp-0 - role: roles/viewer - module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]: - condition: [] - project: fast-prod-billing-exp-0 - role: roles/bigquerydatatransfer.serviceAgent - module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-billing-exp-0 - service: bigquery.googleapis.com - timeouts: null - 
module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-billing-exp-0 - service: bigquerydatatransfer.googleapis.com - timeouts: null - module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-billing-exp-0 - service: storage.googleapis.com - timeouts: null - module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: - project: fast-prod-billing-exp-0 - service: bigquerydatatransfer.googleapis.com - timeouts: null - module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]: - bucket_id: audit-logs - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]: - bucket_id: iam - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]: - bucket_id: vpc-sc - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]: - bucket_id: workspace-audit-logs - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]: - project: fast-prod-audit-logs-0 - 
module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]: - project: fast-prod-audit-logs-0 - user_project: null - module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: - email: gcp-organization-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - parent: projects/fast-prod-audit-logs-0 - timeouts: null - module.log-export-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - deletion_policy: DELETE - folder_id: null - labels: null - name: fast-prod-audit-logs-0 - org_id: '123456789012' - project_id: fast-prod-audit-logs-0 - timeouts: null - module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-audit-logs-0 - role: roles/owner - module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-audit-logs-0 - role: roles/viewer - module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-audit-logs-0 - service: bigquery.googleapis.com - timeouts: null - module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-audit-logs-0 - service: stackdriver.googleapis.com - timeouts: null - module.log-export-project.google_project_service.project_services["storage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-audit-logs-0 - service: storage.googleapis.com - timeouts: null - 
module.organization-logging.google_logging_organization_settings.default[0]: - organization: '123456789012' - storage_location: global - timeouts: null - module.organization.google_logging_organization_sink.sink["audit-logs"]: - description: audit-logs (Terraform-managed). - disabled: false - exclusions: [] - filter: 'log_id("cloudaudit.googleapis.com/activity") OR - - log_id("cloudaudit.googleapis.com/system_event") OR - - log_id("cloudaudit.googleapis.com/policy") OR - - log_id("cloudaudit.googleapis.com/access_transparency") - - ' - include_children: true - intercept_children: false - name: audit-logs - org_id: '123456789012' - module.organization.google_logging_organization_sink.sink["iam"]: - description: iam (Terraform-managed). - disabled: false - exclusions: [] - filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR - - protoPayload.serviceName="iam.googleapis.com" OR - - protoPayload.serviceName="sts.googleapis.com" - - ' - include_children: true - intercept_children: false - name: iam - org_id: '123456789012' - module.organization.google_logging_organization_sink.sink["vpc-sc"]: - description: vpc-sc (Terraform-managed). - disabled: false - exclusions: [] - filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" - - ' - include_children: true - intercept_children: false - name: vpc-sc - org_id: '123456789012' - module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]: - description: workspace-audit-logs (Terraform-managed). 
- disabled: false - exclusions: [] - filter: 'log_id("cloudaudit.googleapis.com/data_access") AND - - protoPayload.serviceName="login.googleapis.com" - - ' - include_children: true - intercept_children: false - name: workspace-audit-logs - org_id: '123456789012' - module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.disableGuestAttributesAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.disableNestedVirtualization - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.disableSerialPortAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.requireOsLogin"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.requireOsLogin - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]: - dry_run_spec: [] - name: 
organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - in:INTERNAL - denied_values: null - timeouts: null - module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.trustedImageProjects - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - is:projects/centos-cloud - - is:projects/cos-cloud - - is:projects/debian-cloud - - is:projects/fedora-cloud - - is:projects/fedora-coreos-cloud - - is:projects/opensuse-cloud - - is:projects/rhel-cloud - - is:projects/rhel-sap-cloud - - is:projects/rocky-linux-cloud - - is:projects/suse-cloud - - is:projects/suse-sap-cloud - - is:projects/ubuntu-os-cloud - - is:projects/ubuntu-os-pro-cloud - - is:projects/windows-cloud - - is:projects/windows-sql-cloud - - is:projects/confidential-vm-images - - is:projects/backupdr-images - - is:projects/deeplearning-platform-release - - is:projects/serverless-vpc-access-images - denied_values: null - timeouts: null - module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.vmExternalIpAccess - parent: organizations/123456789012 - spec: - - 
inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: 'TRUE' - enforce: null - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: - - description: null - expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')' - location: null - title: null - deny_all: null - enforce: null - values: - - allowed_values: - - C00000000 - denied_values: null - - allow_all: 'TRUE' - condition: - - description: null - expression: resource.matchTag('123456789012/org-policies', 'allowed-policy-member-domains-all') - location: null - title: allow-all - deny_all: null - enforce: null - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload - parent: 
organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - DISABLE_KEY - denied_values: null - timeouts: null - module.organization.google_org_policy_policy.default["run.allowedIngress"]: - dry_run_spec: [] - name: organizations/123456789012/policies/run.allowedIngress - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - is:internal-and-cloud-load-balancing - denied_values: null - timeouts: null - module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]: - dry_run_spec: [] - name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]: - dry_run_spec: [] - name: organizations/123456789012/policies/sql.restrictPublicIp - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]: - dry_run_spec: [] - name: 
organizations/123456789012/policies/storage.publicAccessPrevention - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]: - dry_run_spec: [] - name: organizations/123456789012/policies/storage.secureHttpTransport - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/storage.uniformBucketLevelAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]: - condition: [] - members: - - group:gcp-billing-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.creator - module.organization.google_organization_iam_binding.authoritative["roles/browser"]: - condition: [] - members: - - domain:fast.example.com - org_id: '123456789012' - role: roles/browser - module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - group:gcp-security-admins@fast.example.com - - group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/cloudasset.owner - module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/cloudsupport.admin 
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - - group:gcp-security-admins@fast.example.com - - group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/cloudsupport.techSupportEditor - module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.osAdminLogin - module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.osLoginExternalUser - module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/essentialcontacts.admin - module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/essentialcontacts.viewer - module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]: - condition: [] - members: - - group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.securityReviewer - module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - 
serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.workforcePoolAdmin - module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - group:gcp-security-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/logging.admin - module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/logging.viewer - module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - org_id: '123456789012' - role: roles/monitoring.viewer - module.organization.google_organization_iam_binding.authoritative["roles/owner"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/owner - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.folderAdmin - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - - group:gcp-vpc-network-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - 
serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.folderViewer - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.organizationAdmin - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.projectCreator - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.projectMover - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.tagAdmin - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.tagUser - 
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.tagViewer - module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/securitycenter.admin - module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/serviceusage.serviceUsageViewer - module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]: - condition: - - description: Automation service account delegated grants. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user']) - title: automation_sa_delegated_grants - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: organizations/123456789012/roles/organizationIamAdmin - module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]: - condition: - - description: Automation service account delegated grants. 
- expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer'']) - - || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin'']) - - ' - title: automation_sa_delegated_grants - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: organizations/123456789012/roles/organizationIamAdmin - module.organization.google_organization_iam_binding.bindings["organization_ngfw_enterprise_admin"]: - condition: [] - members: - - group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: organizations/123456789012/roles/ngfwEnterpriseAdmin - module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - vmwareengine.networkPeerings.create - - vmwareengine.networkPeerings.delete - - vmwareengine.networkPeerings.get - - vmwareengine.networkPeerings.list - - vmwareengine.operations.get - role_id: gcveNetworkAdmin - stage: GA - title: Custom role gcveNetworkAdmin - module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - compute.networks.setFirewallPolicy - - networksecurity.firewallEndpointAssociations.create - - networksecurity.firewallEndpointAssociations.delete - - networksecurity.firewallEndpointAssociations.get - - networksecurity.firewallEndpointAssociations.list - - networksecurity.firewallEndpointAssociations.update - role_id: networkFirewallPoliciesAdmin - stage: GA - title: Custom role networkFirewallPoliciesAdmin - module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - networksecurity.firewallEndpoints.create - - networksecurity.firewallEndpoints.delete - - networksecurity.firewallEndpoints.get - - networksecurity.firewallEndpoints.list - - networksecurity.firewallEndpoints.update - - networksecurity.firewallEndpoints.use - - networksecurity.locations.get - - networksecurity.locations.list - - networksecurity.operations.cancel - - networksecurity.operations.delete - - networksecurity.operations.get - - networksecurity.operations.list - - networksecurity.securityProfileGroups.create - - networksecurity.securityProfileGroups.delete - - networksecurity.securityProfileGroups.get - - networksecurity.securityProfileGroups.list - - networksecurity.securityProfileGroups.update - - networksecurity.securityProfileGroups.use - - networksecurity.securityProfiles.create - - networksecurity.securityProfiles.delete - - networksecurity.securityProfiles.get - - networksecurity.securityProfiles.list - - networksecurity.securityProfiles.update - - networksecurity.securityProfiles.use - - networksecurity.tlsInspectionPolicies.create - - networksecurity.tlsInspectionPolicies.get - - networksecurity.tlsInspectionPolicies.list - - networksecurity.tlsInspectionPolicies.update - - networksecurity.tlsInspectionPolicies.use - role_id: ngfwEnterpriseAdmin - stage: GA - title: Custom role ngfwEnterpriseAdmin - 
module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - networksecurity.firewallEndpoints.get - - networksecurity.firewallEndpoints.list - - networksecurity.firewallEndpoints.use - - networksecurity.locations.get - - networksecurity.locations.list - - networksecurity.operations.get - - networksecurity.operations.list - - networksecurity.securityProfileGroups.get - - networksecurity.securityProfileGroups.list - - networksecurity.securityProfileGroups.use - - networksecurity.securityProfiles.get - - networksecurity.securityProfiles.list - - networksecurity.securityProfiles.use - - networksecurity.tlsInspectionPolicies.get - - networksecurity.tlsInspectionPolicies.list - - networksecurity.tlsInspectionPolicies.use - role_id: ngfwEnterpriseViewer - stage: GA - title: Custom role ngfwEnterpriseViewer - module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - essentialcontacts.contacts.get - - essentialcontacts.contacts.list - - logging.settings.get - - orgpolicy.constraints.list - - orgpolicy.policies.list - - orgpolicy.policy.get - - resourcemanager.folders.get - - resourcemanager.folders.getIamPolicy - - resourcemanager.folders.list - - resourcemanager.organizations.get - - resourcemanager.organizations.getIamPolicy - - resourcemanager.projects.get - - resourcemanager.projects.getIamPolicy - - resourcemanager.projects.list - role_id: organizationAdminViewer - stage: GA - title: Custom role organizationAdminViewer - module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - resourcemanager.organizations.get - - resourcemanager.organizations.getIamPolicy - - resourcemanager.organizations.setIamPolicy - role_id: organizationIamAdmin - stage: GA - title: Custom role organizationIamAdmin - module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - compute.globalOperations.get - - compute.networks.get - - compute.networks.updatePeering - - compute.organizations.disableXpnResource - - compute.organizations.enableXpnResource - - compute.projects.get - - compute.subnetworks.getIamPolicy - - compute.subnetworks.setIamPolicy - - dns.networks.bindPrivateDNSZone - - resourcemanager.projects.get - role_id: serviceProjectNetworkAdmin - stage: GA - title: Custom role serviceProjectNetworkAdmin - module.organization.google_organization_iam_custom_role.roles["storage_viewer"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - storage.buckets.get - - storage.buckets.getIamPolicy - - storage.buckets.getObjectInsights - - storage.buckets.list - - storage.buckets.listEffectiveTags - - storage.buckets.listTagBindings - - storage.managedFolders.get - - storage.managedFolders.getIamPolicy - - storage.managedFolders.list - - storage.multipartUploads.list - - storage.multipartUploads.listParts - - storage.objects.create - - storage.objects.get - - storage.objects.getIamPolicy - - storage.objects.list - role_id: storageViewer - stage: GA - title: Custom role storageViewer - module.organization.google_organization_iam_custom_role.roles["tag_viewer"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - resourcemanager.tagHolds.list - - resourcemanager.tagKeys.get - - resourcemanager.tagKeys.getIamPolicy - - resourcemanager.tagKeys.list - - resourcemanager.tagValues.get - - resourcemanager.tagValues.getIamPolicy - - resourcemanager.tagValues.list - role_id: tagViewer - stage: GA - title: Custom role tagViewer - module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - compute.globalOperations.get - role_id: tenantNetworkAdmin - stage: GA - title: Custom role tenantNetworkAdmin - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyAdmin - ? 
module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyReader - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyReader - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"] - : condition: [] - member: group:gcp-billing-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.admin - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.admin - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.admin - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.admin - ? 
module.organization.google_organization_iam_member.bindings["roles/billing.user-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.user - ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.viewer - ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.viewer - ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/cloudasset.viewer - ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/cloudasset.viewer - ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.networkAdmin - ? 
module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.orgFirewallPolicyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.securityAdmin - ? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.viewer - ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.xpnAdmin - ? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/container.viewer - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.organizationRoleAdmin - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.organizationRoleAdmin - ? 
module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.organizationRoleAdmin - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.organizationRoleViewer - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.organizationRoleViewer - ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.workforcePoolViewer - ? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/logging.configWriter - ? module.organization.google_organization_iam_member.bindings["roles/logging.privateLogViewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/logging.privateLogViewer - ? 
module.organization.google_organization_iam_member.bindings["roles/monitoring.admin-group:gcp-monitoring-admins@fast.example.com"] - : condition: [] - member: group:gcp-monitoring-admins@fast.example.com - org_id: '123456789012' - role: roles/monitoring.admin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyViewer - ? 
module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyViewer - ? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.folderIamAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/resourcemanager.folderIamAdmin - ? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.organizationViewer-group:gcp-billing-admins@fast.example.com"] - : condition: [] - member: group:gcp-billing-admins@fast.example.com - org_id: '123456789012' - role: roles/resourcemanager.organizationViewer - ? module.organization.google_organization_iam_member.bindings["roles/storage.objectAdmin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/storage.objectAdmin - module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]: - condition: - - title: audit-logs bucket writer - role: roles/logging.bucketWriter - module.organization.google_project_iam_member.bucket-sinks-binding["iam"]: - condition: - - title: iam bucket writer - role: roles/logging.bucketWriter - module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]: - condition: - - title: vpc-sc bucket writer - role: roles/logging.bucketWriter - module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]: - condition: - - title: workspace-audit-logs bucket writer - role: roles/logging.bucketWriter - module.organization.google_tags_tag_key.default["org-policies"]: - description: Organization policy conditions. 
- parent: organizations/123456789012 - purpose: null - purpose_data: null - short_name: org-policies - timeouts: null - module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]: - description: Managed by the Terraform organization module. - short_name: allowed-policy-member-domains-all - timeouts: null - -counts: - google_bigquery_dataset: 1 - google_bigquery_default_service_account: 3 - google_essential_contacts_contact: 3 - google_logging_organization_settings: 1 - google_logging_organization_sink: 4 - google_logging_project_bucket_config: 4 - google_org_policy_policy: 24 - google_organization_iam_binding: 28 - google_organization_iam_custom_role: 10 - google_organization_iam_member: 42 - google_project: 3 - google_project_iam_audit_config: 1 - google_project_iam_binding: 19 - google_project_iam_member: 16 - google_project_service: 31 - google_project_service_identity: 7 - google_service_account: 6 - google_service_account_iam_binding: 2 - google_service_account_iam_member: 1 - google_storage_bucket: 5 - google_storage_bucket_iam_binding: 4 - google_storage_bucket_iam_member: 6 - google_storage_bucket_object: 12 - google_storage_project_service_account: 3 - google_tags_tag_key: 1 - google_tags_tag_value: 2 - modules: 21 - resources: 239 diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml index 0186f38621..8ff799b0b5 100644 --- a/tests/fast/stages/s0_bootstrap/simple.yaml +++ b/tests/fast/stages/s0_bootstrap/simple.yaml @@ -21,7 +21,7 @@ counts: google_logging_project_bucket_config: 4 google_org_policy_policy: 24 google_organization_iam_binding: 28 - google_organization_iam_custom_role: 10 + google_organization_iam_custom_role: 12 google_organization_iam_member: 29 google_project: 3 google_project_iam_audit_config: 1 @@ -41,7 +41,7 @@ counts: google_tags_tag_value: 2 local_file: 10 modules: 20 - resources: 233 + resources: 235 outputs: automation: __missing__ 
@@ -49,11 +49,13 @@ outputs: cicd_repositories: {} custom_roles: gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin + gcve_network_viewer: organizations/123456789012/roles/gcveNetworkViewer network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin + project_iam_viewer: organizations/123456789012/roles/projectIAMViewer service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin storage_viewer: organizations/123456789012/roles/storageViewer tag_viewer: organizations/123456789012/roles/tagViewer diff --git a/tests/fast/stages/s0_bootstrap/tftest.yaml b/tests/fast/stages/s0_bootstrap/tftest.yaml index 2643714eb9..dd8319456b 100644 --- a/tests/fast/stages/s0_bootstrap/tftest.yaml +++ b/tests/fast/stages/s0_bootstrap/tftest.yaml @@ -16,14 +16,10 @@ module: fast/stages/0-bootstrap tests: - checklist: - extra_files: - - ../../../tests/fast/stages/s0_bootstrap/data/checklist-data.json - - ../../../tests/fast/stages/s0_bootstrap/data/checklist-org-iam.json simple: inventory: - simple.yaml - simple_projects.yaml - simple_sas.yaml - + iam_by_principals: From f32b22bd3dc27cca93e9c6e68e748b32a15c3fe8 Mon Sep 17 00:00:00 2001 From: Ludo Date: Wed, 23 Oct 2024 15:00:24 +0200 Subject: [PATCH 55/94] stage 1 tests --- tests/fast/stages/s1_resman/simple.tfvars | 2 ++ tests/fast/stages/s1_resman/simple.yaml | 22 ++-------------------- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars index 0c6dd8fd3c..f197cecabb 100644 --- a/tests/fast/stages/s1_resman/simple.tfvars 
+++ b/tests/fast/stages/s1_resman/simple.tfvars @@ -54,11 +54,13 @@ automation = { custom_roles = { # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin", gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin" + gcve_network_viewer = "organizations/123456789012/roles/gcveNetworkViewer" network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin" network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer" ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin" ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer" organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer" + project_iam_viewer = "organizations/123456789012/roles/projectIAMViewer" service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin" storage_viewer = "organizations/123456789012/roles/storageViewer" } diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml index 3c09ac91ed..5824077ab1 100644 --- a/tests/fast/stages/s1_resman/simple.yaml +++ b/tests/fast/stages/s1_resman/simple.yaml 
@@ -235,24 +235,6 @@ values: members: - serviceAccount:fast2-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectIamAdmin - module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_dev"]: - condition: - - description: null - expression: "resource.matchTag(\n '123456789012/environment', 'development'\n\ - )\n&&\napi.getAttribute(\n 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']\n\ - )\n" - title: stage 3 project delegated admin dev - members: null - role: roles/resourcemanager.projectIamAdmin - module.net-folder[0].google_folder_iam_binding.bindings["stage3_delegated_grant_prod"]: - condition: - - description: null - expression: "resource.matchTag(\n '123456789012/environment', 'production'\n\ - )\n&&\napi.getAttribute(\n 'iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user']\n\ - )\n" - title: stage 3 project delegated admin prod - members: null - role: roles/resourcemanager.projectIamAdmin module.net-folder[0].google_tags_tag_binding.binding["context"]: timeouts: null ? module.net-sa-ro[0].google_project_iam_member.project-roles["fast2-prod-automation-roles/serviceusage.serviceUsageConsumer"] @@ -1615,7 +1597,7 @@ values: counts: google_folder: 16 - google_folder_iam_binding: 80 + google_folder_iam_binding: 86 google_organization_iam_member: 16 google_project_iam_member: 26 google_service_account: 26 @@ -1629,4 +1611,4 @@ counts: google_tags_tag_value: 11 google_tags_tag_value_iam_binding: 4 modules: 54 - resources: 307 + resources: 313 
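Review bot: The `counts:` hunks raise `google_folder_iam_binding` from 80 to 86, but nothing added in this file pins the conditions on the new bindings, while the first hunk drops the only visible assertions on `stage3_delegated_grant_dev` and `stage3_delegated_grant_prod`. Those entries checked the `modifiedGrantsByRole ... hasOnly([...])` expression that limits which roles a `roles/resourcemanager.projectIamAdmin` holder can grant, so a regression that widens or loses that condition would now pass on counts alone. Unless the replacement bindings are asserted in a part of `values:` outside these hunks, add their keys with `condition`, `members` and `role` to the inventory.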
From 4b149e3b2381295157132b140b01b06b04482ab4 Mon Sep 17 00:00:00 2001 From: Ludo Date: Wed, 23 Oct 2024 15:30:26 +0200 Subject: [PATCH 56/94] stage 0 1 and 2 tests --- .../stages/s2_networking_a_simple/ncc.tfvars | 1 + .../stages/s2_networking_a_simple/ncc.yaml | 10 +++---- .../s2_networking_a_simple/simple.tfvars | 26 +++++++++++++++++ .../stages/s2_networking_a_simple/simple.yaml | 8 ++--- .../stages/s2_networking_a_simple/vpn.tfvars | 1 + .../stages/s2_networking_a_simple/vpn.yaml | 10 +++---- .../stages/s2_networking_b_nva/ncc-ra.tfvars | 1 + .../stages/s2_networking_b_nva/ncc-ra.yaml | 10 +++---- .../s2_networking_b_nva/regional.tfvars | 1 + .../stages/s2_networking_b_nva/regional.yaml | 11 +++---- .../stages/s2_networking_b_nva/simple.tfvars | 1 + .../stages/s2_networking_b_nva/simple.yaml | 10 +++---- .../simple.tfvars | 1 + .../s2_networking_c_separate_envs/simple.yaml | 10 +++---- tests/fast/stages/s2_security/simple.tfvars | 29 +++++++++++++++++++ tests/fast/stages/s2_security/simple.yaml | 3 +- 16 files changed, 98 insertions(+), 35 deletions(-) diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.tfvars b/tests/fast/stages/s2_networking_a_simple/ncc.tfvars index 027942aea2..fbeb64edec 100644 --- a/tests/fast/stages/s2_networking_a_simple/ncc.tfvars +++ b/tests/fast/stages/s2_networking_a_simple/ncc.tfvars @@ -5,6 +5,7 @@ billing_account = { id = "000000-111111-222222" } custom_roles = { + project_iam_viewer = "organizations/123456789012/roles/bar" service_project_network_admin = "organizations/123456789012/roles/foo" } dns = { diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.yaml b/tests/fast/stages/s2_networking_a_simple/ncc.yaml index f5b82b72ee..b72fafda79 100644 --- a/tests/fast/stages/s2_networking_a_simple/ncc.yaml +++ b/tests/fast/stages/s2_networking_a_simple/ncc.yaml 
@@ -35,12 +35,12 @@ counts:
 google_network_connectivity_hub: 1
 google_network_connectivity_spoke: 2
 google_project: 3
- google_project_iam_binding: 4
- google_project_iam_member: 18
- google_project_service: 24
- google_project_service_identity: 18
+ google_project_iam_binding: 2
+ google_project_iam_member: 20
+ google_project_service: 26
+ google_project_service_identity: 20
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 google_vpc_access_connector: 2
 modules: 24
- resources: 175
+ resources: 179
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.tfvars b/tests/fast/stages/s2_networking_a_simple/simple.tfvars
index 743ddadae2..d30f96002c 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.tfvars
+++ b/tests/fast/stages/s2_networking_a_simple/simple.tfvars
@@ -5,6 +5,7 @@ billing_account = {
 id = "000000-111111-222222"
 }
 custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
 dns = {
@@ -40,6 +41,31 @@ organization = {
 customer_id = "C00000000"
 }
 prefix = "fast2"
+stage_config = {
+ networking = {
+ iam_delegated_principals = {
+ dev = [
+ "serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-iac-core-0.iam.gserviceaccount.com",
+ "serviceAccount:fast2-dev-resman-pf-0@fast2-prod-iac-core-0.iam.gserviceaccount.com"
+ ]
+ prod = [
+ "serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-iac-core-0.iam.gserviceaccount.com",
+ "serviceAccount:fast2-prod-resman-pf-0@fast2-prod-iac-core-0.iam.gserviceaccount.com"
+ ]
+ }
+ iam_viewer_principals = {
+ dev = [
+ "serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com",
+ "serviceAccount:fast2-dev-resman-pf-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com"
+ ]
+ prod = [
+ "serviceAccount:fast2-prod-resman-gcve-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com",
+ "serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com"
+ ]
+ }
+ short_name = "net"
+ }
+}
 tag_values = {
 "environment/development" = "tagValues/12345"
 "environment/production" = "tagValues/12346"
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml
index a82fbdf81e..985c239169 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -40,12 +40,12 @@ counts:
 google_monitoring_monitored_project: 2
 google_project: 3
 google_project_iam_binding: 4
- google_project_iam_member: 17
- google_project_service: 23
- google_project_service_identity: 17
+ google_project_iam_member: 20
+ google_project_service: 26
+ google_project_service_identity: 20
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 google_vpc_access_connector: 2
 modules: 29
 random_id: 1
- resources: 187
+ resources: 196
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.tfvars b/tests/fast/stages/s2_networking_a_simple/vpn.tfvars
index 7ccc864c0a..ca1d95f1bc 100644
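Review bot: `stage_config.networking` is set only in `s2_networking_a_simple/simple.tfvars`; the `ncc` and `vpn` fixtures and the `s2_networking_b_nva` / `s2_networking_c_separate_envs` fixtures in this commit gain just the `project_iam_viewer` role, and their `google_project_iam_binding` count falls from 4 to 2 while this stage's `simple.yaml` stays at 4. That suggests (the stage code is not in these hunks) that the grants driven by `iam_delegated_principals` are exercised by this one fixture and checked only as a count. Consider adding the same `stage_config` block to at least one fixture per networking stage and listing the resulting conditional bindings in the inventory so the role restriction itself is asserted, not just the number of bindings.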
--- a/tests/fast/stages/s2_networking_a_simple/vpn.tfvars
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.tfvars
@@ -5,6 +5,7 @@ billing_account = {
 id = "000000-111111-222222"
 }
 custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
 dns = {
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
index 5c3323f88e..2399443f1b 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -37,13 +37,13 @@ counts:
 google_monitoring_dashboard: 3
 google_monitoring_monitored_project: 2
 google_project: 3
- google_project_iam_binding: 4
- google_project_iam_member: 17
- google_project_service: 23
- google_project_service_identity: 17
+ google_project_iam_binding: 2
+ google_project_iam_member: 20
+ google_project_service: 26
+ google_project_service_identity: 20
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 google_vpc_access_connector: 2
 modules: 31
 random_id: 5
- resources: 224
+ resources: 231
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars
index 18de6761e9..753714600a 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.tfvars
@@ -5,6 +5,7 @@ billing_account = {
 id = "000000-111111-222222"
 }
 custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
 dns = {
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
index 5ad6e0dfaa..0ade19ef38 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -42,13 +42,13 @@ counts:
 google_network_connectivity_hub: 2
 google_network_connectivity_spoke: 4
 google_project: 3
- google_project_iam_binding: 4
- google_project_iam_member: 18
- google_project_service: 24
- google_project_service_identity: 18
+ google_project_iam_binding: 2
+ google_project_iam_member: 19
+ google_project_service: 25
+ google_project_service_identity: 19
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 google_vpc_access_connector: 2
 modules: 39
 random_id: 2
- resources: 255
+ resources: 256
diff --git a/tests/fast/stages/s2_networking_b_nva/regional.tfvars b/tests/fast/stages/s2_networking_b_nva/regional.tfvars
index 00bf90bbc5..4ed15f256f 100644
--- a/tests/fast/stages/s2_networking_b_nva/regional.tfvars
+++ b/tests/fast/stages/s2_networking_b_nva/regional.tfvars
@@ -5,6 +5,7 @@ billing_account = {
 id = "000000-111111-222222"
 }
 custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
 dns = {
diff --git a/tests/fast/stages/s2_networking_b_nva/regional.yaml b/tests/fast/stages/s2_networking_b_nva/regional.yaml
index 7f648fe184..f394e14c4e 100644
--- a/tests/fast/stages/s2_networking_b_nva/regional.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml
@@ -44,12 +44,13 @@ counts:
 google_monitoring_dashboard: 3
 google_monitoring_monitored_project: 2
 google_project: 3
- google_project_iam_binding: 4
- google_project_iam_member: 17
- google_project_service: 23
- google_project_service_identity: 17
+ google_project_iam_binding: 2
+ google_project_iam_member: 19
+ google_project_service: 25
+ google_project_service_identity: 19
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
+ google_vpc_access_connector: 2
 modules: 47
 random_id: 2
- resources: 260
+ resources: 264
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.tfvars b/tests/fast/stages/s2_networking_b_nva/simple.tfvars
index f885fffb77..60a072595e 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.tfvars
+++ b/tests/fast/stages/s2_networking_b_nva/simple.tfvars
@@ -5,6 +5,7 @@ billing_account = {
 id = "000000-111111-222222"
 }
 custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
 dns = {
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml
index 05de3f1402..92f006659b 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -44,13 +44,13 @@ counts:
 google_monitoring_dashboard: 3
 google_monitoring_monitored_project: 2
 google_project: 3
- google_project_iam_binding: 4
- google_project_iam_member: 17
- google_project_service: 23
- google_project_service_identity: 17
+ google_project_iam_binding: 2
+ google_project_iam_member: 19
+ google_project_service: 25
+ google_project_service_identity: 19
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 google_vpc_access_connector: 2
 modules: 43
 random_id: 2
- resources: 238
+ resources: 242
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars b/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars
index 30bb19bde9..6ef02cfcff 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.tfvars
@@ -5,6 +5,7 @@ billing_account = {
 id = "000000-111111-222222"
 }
 custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
 service_project_network_admin = "organizations/123456789012/roles/foo"
 }
 dns = {
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
index a265d989f4..3a1ccf250f 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
@@ -37,13 +37,13 @@ counts:
 google_monitoring_alert_policy: 4
 google_monitoring_dashboard: 6
 google_project: 2
- google_project_iam_binding: 4
- google_project_iam_member: 14
- google_project_service: 18
- google_project_service_identity: 14
+ google_project_iam_binding: 2
+ google_project_iam_member: 16
+ google_project_service: 20
+ google_project_service_identity: 16
 google_storage_bucket_object: 2
 google_tags_tag_binding: 2
 google_vpc_access_connector: 2
 modules: 22
 random_id: 2
- resources: 205
+ resources: 209
diff --git a/tests/fast/stages/s2_security/simple.tfvars b/tests/fast/stages/s2_security/simple.tfvars
index ae5b064e73..5fa1b94baa 100644
--- a/tests/fast/stages/s2_security/simple.tfvars
+++ b/tests/fast/stages/s2_security/simple.tfvars
@@ -4,6 +4,10 @@ automation = {
 billing_account = {
 id = "000000-111111-222222"
 }
+custom_roles = {
+ project_iam_viewer = "organizations/123456789012/roles/bar"
+ service_project_network_admin = "organizations/123456789012/roles/foo"
+}
 environment_names = {
 dev = "development"
 prod = "production"
@@ -38,6 +42,31 @@ service_accounts = { project-factory-dev = "foobar@iam.gserviceaccount.com" project-factory-prod = "foobar@iam.gserviceaccount.com" } +stage_config = { + security = { + iam_delegated_principals = { + dev = [ + "serviceAccount:fast2-dev-resman-gcve-0@fast2-prod-iac-core-0.iam.gserviceaccount.com", + "serviceAccount:fast2-dev-resman-pf-0@fast2-prod-iac-core-0.iam.gserviceaccount.com" + ] + prod = [ + "serviceAccount:fast2-prod-resman-gcve-0@fast2-prod-iac-core-0.iam.gserviceaccount.com", + "serviceAccount:fast2-prod-resman-pf-0@fast2-prod-iac-core-0.iam.gserviceaccount.com" + ] + } + iam_viewer_principals = { + dev = [ + "serviceAccount:fast2-dev-resman-gcve-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com", + "serviceAccount:fast2-dev-resman-pf-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com" + ] + prod = [ + "serviceAccount:fast2-prod-resman-gcve-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com", + "serviceAccount:fast2-prod-resman-pf-0r@fast2-prod-iac-core-0.iam.gserviceaccount.com" + ] + } + short_name = "net" + } +} tag_values = { "environment/development" = "tagValues/12345" "environment/production" = "tagValues/12346" diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml index 51a1309b3a..5fbb91f0e2 100644 --- a/tests/fast/stages/s2_security/simple.yaml +++ b/tests/fast/stages/s2_security/simple.yaml @@ -430,10 +430,11 @@ counts: google_kms_crypto_key_iam_binding: 8 google_kms_key_ring: 8 google_project: 2 + google_project_iam_binding: 4 google_project_iam_member: 6 google_project_service: 14 google_project_service_identity: 12 google_storage_bucket_object: 1 google_tags_tag_binding: 2 modules: 11 - resources: 62 + resources: 66 From 9b51a129b84a8cb2bf8d870a3908331c99e9314e Mon Sep 17 00:00:00 2001 
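Review bot: In `s2_security/simple.tfvars` the new `stage_config.security` block sets `short_name = "net"`, which looks copied from the networking fixture. If the security stage derives resource or tag names from this value, the test plans the stage under the networking short name and would not catch a wrong name or a collision; `short_name = "sec"` (or whatever value 1-resman actually emits for this stage, which these hunks do not show) would make the fixture representative. The delegated and viewer principals are also identical to the networking fixture, so it is worth confirming they match what 1-resman passes to the security stage.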
From: Ludo Date: Wed, 23 Oct 2024 15:33:13 +0200 Subject: [PATCH 57/94] tflint --- fast/stages/0-bootstrap/organization.tf | 5 ----- fast/stages/2-networking-a-simple/main.tf | 4 ---- fast/stages/2-networking-b-nva/main.tf | 4 ---- fast/stages/2-networking-c-separate-envs/main.tf | 4 ---- 4 files changed, 17 deletions(-) diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf index 0959daaa46..9b7e209fbe 100644 --- a/fast/stages/0-bootstrap/organization.tf +++ b/fast/stages/0-bootstrap/organization.tf @@ -71,11 +71,6 @@ locals { role = b.role } } - # compute authoritative and additive roles for use by add-ons - iam_roles_authoritative = distinct(concat( - flatten(values(local.iam_principals)), - keys(local.iam) - )) } # TODO: add a check block to ensure our custom roles exist in the factory files diff --git a/fast/stages/2-networking-a-simple/main.tf b/fast/stages/2-networking-a-simple/main.tf index 771b5c093f..2cd3dcb732 100644 --- a/fast/stages/2-networking-a-simple/main.tf +++ b/fast/stages/2-networking-a-simple/main.tf @@ -43,10 +43,6 @@ locals { values(module.landing-vpc.subnet_regions), values(module.prod-spoke-vpc.subnet_regions), )) - service_accounts = { - for k, v in coalesce(var.service_accounts, {}) : - k => "serviceAccount:${v}" if v != null - } spoke_connection = coalesce( var.spoke_configs.peering_configs != null ? "peering" : null, var.spoke_configs.vpn_configs != null ? "vpn" : null, diff --git a/fast/stages/2-networking-b-nva/main.tf b/fast/stages/2-networking-b-nva/main.tf index 613b170b90..b08d4f50cf 100644 --- a/fast/stages/2-networking-b-nva/main.tf +++ b/fast/stages/2-networking-b-nva/main.tf @@ -57,10 +57,6 @@ locals { values(module.dmz-vpc.subnet_regions), values(module.prod-spoke-vpc.subnet_regions), )) - service_accounts = { - for k, v in coalesce(var.service_accounts, {}) : - k => "serviceAccount:${v}" if v != null - } } module "folder" { 
diff --git a/fast/stages/2-networking-c-separate-envs/main.tf b/fast/stages/2-networking-c-separate-envs/main.tf index 4a388da04a..d331caa42b 100644 --- a/fast/stages/2-networking-c-separate-envs/main.tf +++ b/fast/stages/2-networking-c-separate-envs/main.tf @@ -42,10 +42,6 @@ locals { values(module.dev-spoke-vpc.subnet_regions), values(module.prod-spoke-vpc.subnet_regions), )) - service_accounts = { - for k, v in coalesce(var.service_accounts, {}) : - k => "serviceAccount:${v}" if v != null - } } module "folder" { From b6f8f264c3ccb941038f3cea9e6f37ad2fa5df11 Mon Sep 17 00:00:00 2001 From: Ludo Date: Wed, 23 Oct 2024 15:35:55 +0200 Subject: [PATCH 58/94] tflint --- fast/stages/2-networking-a-simple/README.md | 5 ++--- .../2-networking-a-simple/variables-fast.tf | 15 --------------- fast/stages/2-networking-b-nva/README.md | 5 ++--- fast/stages/2-networking-b-nva/variables-fast.tf | 15 --------------- .../stages/2-networking-c-separate-envs/README.md | 5 ++--- .../variables-fast.tf | 15 --------------- 6 files changed, 6 insertions(+), 54 deletions(-) diff --git a/fast/stages/2-networking-a-simple/README.md b/fast/stages/2-networking-a-simple/README.md index 93c6a54a86..7137d6435a 100644 --- a/fast/stages/2-networking-a-simple/README.md +++ b/fast/stages/2-networking-a-simple/README.md 
@@ -496,10 +496,9 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs_location](variables.tf#L92) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L98) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | {} | | | [regions](variables.tf#L118) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | | [spoke_configs](variables.tf#L130) | Spoke connectivity configurations. | object({…}) | | {…} | | -| [stage_config](variables-fast.tf#L93) | FAST stage configuration. | object({…}) | | {} | 1-resman | -| [tag_values](variables-fast.tf#L107) | Root-level tag values. | map(string) | | {} | 1-resman | +| [stage_config](variables-fast.tf#L78) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L199) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | ## Outputs diff --git a/fast/stages/2-networking-a-simple/variables-fast.tf b/fast/stages/2-networking-a-simple/variables-fast.tf index 4a45eb7721..2397e17797 100644 --- a/fast/stages/2-networking-a-simple/variables-fast.tf +++ b/fast/stages/2-networking-a-simple/variables-fast.tf 
@@ -75,21 +75,6 @@ variable "prefix" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} - variable "stage_config" { # tfdoc:variable:source 1-resman description = "FAST stage configuration." diff --git a/fast/stages/2-networking-b-nva/README.md b/fast/stages/2-networking-b-nva/README.md index c72c70b436..0eb39816a3 100644 --- a/fast/stages/2-networking-b-nva/README.md +++ b/fast/stages/2-networking-b-nva/README.md 
@@ -554,9 +554,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS | [outputs_location](variables.tf#L120) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L126) | IP ranges used for Private Service Access (e.g. CloudSQL). Ranges is in name => range format. | object({…}) | | {} | | | [regions](variables.tf#L146) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [stage_config](variables-fast.tf#L93) | FAST stage configuration. | object({…}) | | {} | 1-resman | -| [tag_values](variables-fast.tf#L107) | Root-level tag values. | map(string) | | {} | 1-resman | +| [stage_config](variables-fast.tf#L78) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_primary_config](variables.tf#L158) | VPN gateway configuration for onprem interconnection in the primary region. | object({…}) | | null | | | [vpn_onprem_secondary_config](variables.tf#L201) | VPN gateway configuration for onprem interconnection in the secondary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-b-nva/variables-fast.tf b/fast/stages/2-networking-b-nva/variables-fast.tf index 4a45eb7721..2397e17797 100644 --- a/fast/stages/2-networking-b-nva/variables-fast.tf +++ b/fast/stages/2-networking-b-nva/variables-fast.tf 
@@ -75,21 +75,6 @@ variable "prefix" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} - variable "stage_config" { # tfdoc:variable:source 1-resman description = "FAST stage configuration." diff --git a/fast/stages/2-networking-c-separate-envs/README.md b/fast/stages/2-networking-c-separate-envs/README.md index d50c4a7d1e..6db5f222f6 100644 --- a/fast/stages/2-networking-c-separate-envs/README.md +++ b/fast/stages/2-networking-c-separate-envs/README.md 
@@ -354,9 +354,8 @@ Regions are defined via the `regions` variable which sets up a mapping between t | [outputs_location](variables.tf#L87) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | | | [psa_ranges](variables.tf#L93) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | {} | | | [regions](variables.tf#L113) | Region definitions. | object({…}) | | {…} | | -| [service_accounts](variables-fast.tf#L78) | Automation service accounts in name => email format. | object({…}) | | null | 1-resman | -| [stage_config](variables-fast.tf#L93) | FAST stage configuration. | object({…}) | | {} | 1-resman | -| [tag_values](variables-fast.tf#L107) | Root-level tag values. | map(string) | | {} | 1-resman | +| [stage_config](variables-fast.tf#L78) | FAST stage configuration. | object({…}) | | {} | 1-resman | +| [tag_values](variables-fast.tf#L92) | Root-level tag values. | map(string) | | {} | 1-resman | | [vpn_onprem_dev_primary_config](variables.tf#L123) | VPN gateway configuration for onprem interconnection from dev in the primary region. | object({…}) | | null | | | [vpn_onprem_prod_primary_config](variables.tf#L166) | VPN gateway configuration for onprem interconnection from prod in the primary region. | object({…}) | | null | | diff --git a/fast/stages/2-networking-c-separate-envs/variables-fast.tf b/fast/stages/2-networking-c-separate-envs/variables-fast.tf index 4a45eb7721..2397e17797 100644 --- a/fast/stages/2-networking-c-separate-envs/variables-fast.tf +++ b/fast/stages/2-networking-c-separate-envs/variables-fast.tf 
@@ -75,21 +75,6 @@ variable "prefix" { } } -variable "service_accounts" { - # tfdoc:variable:source 1-resman - description = "Automation service accounts in name => email format." - type = object({ - data-platform-dev = string - data-platform-prod = string - gke-dev = string - gke-prod = string - project-factory = string - project-factory-dev = string - project-factory-prod = string - }) - default = null -} - variable "stage_config" { # tfdoc:variable:source 1-resman description = "FAST stage configuration." From 726e7cd9b2c50b90c883c45c597e396bedecaf4a Mon Sep 17 00:00:00 2001 From: Ludo Date: Wed, 23 Oct 2024 15:37:21 +0200 Subject: [PATCH 59/94] tfdoc --- fast/stages/1-resman/README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md index 74814aa42b..30649ed00a 100644 --- a/fast/stages/1-resman/README.md +++ b/fast/stages/1-resman/README.md 
@@ -252,18 +252,18 @@ terraform apply |---|---|:---:|:---:|:---:|:---:| | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap | | [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap | -| [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory | -| [organization](variables-fast.tf#L109) | Organization details. | object({…}) | ✓ | | 0-bootstrap | -| [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | -| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | +| [logging](variables-fast.tf#L97) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory | +| [organization](variables-fast.tf#L110) | Organization details. | object({…}) | ✓ | | 0-bootstrap | +| [prefix](variables-fast.tf#L128) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap | +| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap | | [environment_names](variables.tf#L20) | Long environment names. | object({…}) | | {…} | | | [factories_config](variables.tf#L32) | Configuration for the resource factories or external data. | object({…}) | | {} | | | [fast_stage_2](variables-stages.tf#L17) | FAST stages 2 configurations. | object({…}) | | {} | | | [fast_stage_3](variables-stages.tf#L97) | FAST stages 3 configurations. | map(object({…})) | | {} | | -| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. 
If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | -| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | +| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap | +| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap | | [outputs_location](variables.tf#L43) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | | -| [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | +| [root_node](variables-fast.tf#L134) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap | | [tag_names](variables.tf#L49) | Customized names for resource management tags. | object({…}) | | {} | | | [tags](variables.tf#L63) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | | | [top_level_folders](variables-toplevel-folders.tf#L17) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | | 
@@ -272,8 +272,8 @@ terraform apply
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
-| [cicd_repositories](outputs.tf#L49) | WIF configuration for CI/CD repositories. | | |
-| [folder_ids](outputs.tf#L61) | Folder ids. | | |
-| [providers](outputs.tf#L67) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security |
-| [tfvars](outputs.tf#L75) | Terraform variable files for the following stages. | ✓ | |
+| [cicd_repositories](outputs.tf#L77) | WIF configuration for CI/CD repositories. | | |
+| [folder_ids](outputs.tf#L89) | Folder ids. | | |
+| [providers](outputs.tf#L95) | Terraform provider files for this stage and dependent stages. | ✓ | 02-networking · 02-security · 03-dataplatform · 03-network-security |
+| [tfvars](outputs.tf#L103) | Terraform variable files for the following stages. | ✓ | |
From 6f7657a0f17b33a00ec02af2f35d382e9dba0566 Mon Sep 17 00:00:00 2001
From: Ludo Date: Sat, 26 Oct 2024 17:49:22 +0200 Subject: [PATCH 60/94] GCVE stage refactor (untested) --- blueprints/gcve/pc-minimal/README.md | 172 ++++++++++-------- blueprints/gcve/pc-minimal/main.tf | 39 ---- fast/stages/2-networking-a-simple/outputs.tf | 12 +- .../2-networking-a-simple/variables-fast.tf | 2 +- fast/stages/2-networking-b-nva/outputs.tf | 24 +-- .../2-networking-b-nva/variables-fast.tf | 2 +- .../2-networking-c-separate-envs/outputs.tf | 14 +- .../variables-fast.tf | 2 +- fast/stages/3-gcve-dev/.fast-stage.env | 4 + fast/stages/3-gcve-dev/README.md | 170 +++++++++++++++++ fast/stages/3-gcve-dev/diagram.png | Bin 0 -> 47499 bytes .../diagrams/diagram-multi-net-a.png | Bin 0 -> 122109 bytes .../diagrams/diagram-multi-net-b.png | Bin 0 -> 197974 bytes .../diagrams/diagram-multi-net-c.png | Bin 0 -> 111501 bytes .../diagrams/diagram-single-net-a.png | Bin 0 -> 94231 bytes .../diagrams/diagram-single-net-c.png | Bin 0 -> 107552 bytes .../stages/3-gcve-dev}/gcve-pc.tf | 39 ++-- fast/stages/3-gcve-dev/main.tf | 51 ++++++ .../stages/3-gcve-dev}/output.tf | 0 .../prod => 3-gcve-dev}/variables-fast.tf | 49 ++--- .../stages/3-gcve-dev}/variables.tf | 77 ++------ fast/stages/3-gcve/README.md | 46 ----- fast/stages/3-gcve/diagram-0.png | Bin 42378 -> 0 bytes fast/stages/3-gcve/diagram-1.png | Bin 47538 -> 0 bytes fast/stages/3-gcve/diagram-2.png | Bin 45149 -> 0 bytes fast/stages/3-gcve/diagram-3.png | Bin 50554 -> 0 bytes fast/stages/3-gcve/diagram-4.png | Bin 42039 -> 0 bytes fast/stages/3-gcve/diagram-5.png | Bin 52954 -> 0 bytes fast/stages/3-gcve/diagram-6.png | Bin 48013 -> 0 bytes fast/stages/3-gcve/prod/README.md | 134 -------------- fast/stages/3-gcve/prod/main.tf | 59 ------ fast/stages/3-gcve/prod/outputs.tf | 70 ------- fast/stages/3-gcve/prod/variables.tf | 76 -------- fast/stages/diagrams.excalidraw.gz | Bin 95456 -> 0 bytes fast/stages/fast-links.sh | 2 +- modules/gcve-private-cloud/README.md | 23 +-- modules/gcve-private-cloud/main.tf | 78 
+++++--- modules/gcve-private-cloud/outputs.tf | 13 +- modules/gcve-private-cloud/variables.tf | 8 +- 39 files changed, 480 insertions(+), 686 deletions(-) delete mode 100644 blueprints/gcve/pc-minimal/main.tf create mode 100644 fast/stages/3-gcve-dev/.fast-stage.env create mode 100644 fast/stages/3-gcve-dev/README.md create mode 100644 fast/stages/3-gcve-dev/diagram.png create mode 100644 fast/stages/3-gcve-dev/diagrams/diagram-multi-net-a.png create mode 100644 fast/stages/3-gcve-dev/diagrams/diagram-multi-net-b.png create mode 100644 fast/stages/3-gcve-dev/diagrams/diagram-multi-net-c.png create mode 100644 fast/stages/3-gcve-dev/diagrams/diagram-single-net-a.png create mode 100644 fast/stages/3-gcve-dev/diagrams/diagram-single-net-c.png rename {blueprints/gcve/pc-minimal => fast/stages/3-gcve-dev}/gcve-pc.tf (62%) create mode 100644 fast/stages/3-gcve-dev/main.tf rename {blueprints/gcve/pc-minimal => fast/stages/3-gcve-dev}/output.tf (100%) rename fast/stages/{3-gcve/prod => 3-gcve-dev}/variables-fast.tf (63%) rename {blueprints/gcve/pc-minimal => fast/stages/3-gcve-dev}/variables.tf (59%) delete mode 100644 fast/stages/3-gcve/README.md delete mode 100644 fast/stages/3-gcve/diagram-0.png delete mode 100644 fast/stages/3-gcve/diagram-1.png delete mode 100644 fast/stages/3-gcve/diagram-2.png delete mode 100644 fast/stages/3-gcve/diagram-3.png delete mode 100644 fast/stages/3-gcve/diagram-4.png delete mode 100644 fast/stages/3-gcve/diagram-5.png delete mode 100644 fast/stages/3-gcve/diagram-6.png delete mode 100644 fast/stages/3-gcve/prod/README.md delete mode 100644 fast/stages/3-gcve/prod/main.tf delete mode 100644 fast/stages/3-gcve/prod/outputs.tf delete mode 100644 fast/stages/3-gcve/prod/variables.tf delete mode 100644 fast/stages/diagrams.excalidraw.gz
diff --git a/blueprints/gcve/pc-minimal/README.md b/blueprints/gcve/pc-minimal/README.md
index f225de3e3a..9123c30695 100644
--- a/blueprints/gcve/pc-minimal/README.md
+++ b/blueprints/gcve/pc-minimal/README.md @@ -1,89 +1,115 @@ -# GCVE Private Cloud Minimal +# Minimal GCVE Private Cloud -This blueprint presents an opinionated architecture to handle different Google VMware Engine deployment scenarios: from a simple single region private cloud to multi-region private clouds spread across different locations. The general idea behind this blueprint is to deploy a single project hosting one or more GCVE private clouds connected to a shared VMware Engine Network (VEN). -Optionally this blueprint can deploy the VMWare Engine Network peerings to pre-existing VPCs. +This stage implements an opinionated architecture to handle different Google VMware Engine deployment scenarios: from a simple single region Private Cloud to multi-region Private Clouds spread across different locations. -Multiple deployments of this blueprint allow the user to achieve more complex design solutions as for example GCVE private clouds deployed on different projects or connected to independent VMWare Engine Networks. +The general approach used here is to deploy a single project hosting one or more GCVE Private Clouds, connected to a shared VMware Engine Network (VEN). Peerings to existing VPC networks can also be configured. -This blueprint is used as part of the [FAST GCVE stage](../../../fast/stages/3-gcve/) but it can also be used independently if desired. +Multiple deployments of this stage allow implementig more complex designs, for example using multiple projects for different Private Clouds, or connections to independent VMWare Engine Networks. + +Like any other FAST stage, this can be used as a standalone deployment provided the [minimum prerequisites](#running-in-isolation) are met. This is the base diagram of the resources deployed via this stage.