update

end-of-game · Feb 9, 2021 · b9e84c2 · b9e84c2
1 parent 691cc32
commit b9e84c2
Show file tree

Hide file tree

Showing 32 changed files with 1,437 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -167,4 +167,8 @@ env.sh
 
 **/.temp/*kube_config
 
+### SSH keys ###
+.rsa
+.rsa.pub
+
 # End of https://www.gitignore.io/api/macos,terraform,terragrunt,virtualenv,intellij+all
diff --git a/README.md b/README.md
@@ -4,7 +4,9 @@ This project contains sources to build an hub and spoke infrastructure on Azure
 
 ## Architecture overview
 
-The archirecture is built on an [hub and spoke network topology](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli).
+The archirecture is built upon an [hub and spoke network topology](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli).
+
+![archi](docs/img/archi.png)
 
 ## Requirements
 
@@ -21,6 +23,13 @@ These tools must be present in your environment to execute the different stacks
 
 > You can build a Docker base image including all these requirements in order to guarantee that all team members and your CI tool use exactly the same environment to work with the project.
 
+## Deployment
+
+In this example project each stack get its own dedicated Resource Group.
+
+>Depends on your way of working, you may prefer having the backend Account Storage and Key Vault in a same `Common` resource group, or in the `hub` resource group.
+Maybe you haven't enough permissions to create Resource Group in your subscription and someone else from IT team will provide them to you. In these different use cases you will have to adapt the code a little bit to feet your needs.
+
 ### Service principal for Terraform
 
 [Setup Service Principal for Terraform](docs/tf_azure_authent.md)
@@ -32,13 +41,73 @@ In Azure, stores the state as a Blob with the given Key within the Blob Containe
 
 [Create the terraform backend if it doesn't already exists](docs/tf_backend.md)
 
-## Deployment
+### Key vault
+
+Infrastructure stacks often need a secret manager and this corresponds to good practices tu use one. So we will provision an Azure Key Vault before building the hub and spoke infrastructure.
+
+This stack create the Key Vault itself but will also be responsible for maintaining permission delegations to users, groups and applications of the company to consume or manage secrets, keys and certificates.
+
+[Deploy the Key Vault if it doesn't already exists](terraform/vault/README.md)
 
 ### Infrastructure
 
 The infrastructure is divided in two different terraform stacks containing resources which will have different lifecycle:
 
-- [`aks`](terraform/aks/README.md):
+- `aks`
   - implements an AKS environment
   - use terraform workspace to manage multiple environments with their specificities
-- [`hub`](terraform/hub/README.md): implements the hub containing cross environment components
+- `hub`
+  - implements the hub containing cross environment components like:
+    - connectivity with Internet or DC
+    - eventually a Bastion
+    - DNS resources
+
+#### Create a spoke AKS environment
+
+[Follow these instruction to create an AKS environment](terraform/aks/README.md)
+
+#### Create the hub
+
+[Follow these instruction to create the hub](terraform/hub/README.md)
+
+## End to end test
+
+Get the public IP of the Application Gateway.
+Access the demo app deployed in the dev environment from your host by requesting the public IP of the Application Gateway:
+
+```bash
+$ curl -H "Host: dev.linkbynet.com" 20.74.8.233
+```
+
+---
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+    body {
+        width: 35em;
+        margin: 0 auto;
+        font-family: Tahoma, Verdana, Arial, sans-serif;
+    }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+---
+
+## Conclusion
+
+You have built a first version of an hub and spoke infrastructure for your AKS environements.
+Obviously there are still things to add and maybe some things need to be adapted to your specific context, but this is a first basis for work.
diff --git a/docs/img/appgw_backend.png b/docs/img/appgw_backend.png
diff --git a/docs/img/archi.drawio b/docs/img/archi.drawio
@@ -0,0 +1 @@
+<mxfile host="Chrome" modified="2021-02-09T09:59:41.412Z" agent="5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" etag="VXW6PYkiOWR9hrlSnSMn" version="14.2.9" type="device"><diagram id="8IBC5YIdZTFhsr8UUqcM" name="Page-1">7V1Zl6KwEv41fc69D3JYRR9V1LFHbFsdHX3pg0ArNooXcOPX3wqLgomtjrhMTzsLEGIIVV9VKpVK+cSVpuuqrczHsqXp5hNLa+snTnpiWYYVOTigkk1QksuxQcHINrSw0q6gbXh6WEiHpQtD051ERdeyTNeYJwtVazbTVTdRpti2tUpWe7fM5FPnykjHCtqqYuKlPUNzx2Epk83vbvzQjdE4fHSOFYMbUyWqHL6JM1Y0axUr4spPXMm2LDc4m65LuomIF9El+F7lwN1tx2x95p7yhUnfzJcFL5PTLO/ncz8/7OrVTMidpWIuwhcOO+tuIgrY1mKm6agR+okrrsaGq7fnioruroDnUDZ2pyZcMXCqKc7Yr4suHNe2PvSSZVq23xSX9T9w590wzah8Zs2grWLYEd129fXBN2S2dAPA6dZUd+0NVAm/IOZCUodY4/jwehXjXDYsG8eYxtBhoRKiZbRte0dQOAlpSqZvvyH+r5F1bNOSf/3OKc+aJfAZ4cHoixGTQPKD9BVokeLzsQ+fIDcv4uRmBZYScIJzwrUI/miAvojgbFY4TmH2pvRlvgR9P0UsQUGkQk+1/a6uV78H5aog1dWfnDp1BxmO/koEZXI4QUWSxmWzKRDUqrhiMz9SZ3N1/txhPN36WGZ49hyCMscJqthqaJaIR8lL02KlUklJ27LJ0YzPM1RWxPFKk8jLXwuvbP6meN0SNI5XKC9n0Z+UCM3lqKSeFTiS4UDQs4yY3fIkdSSfRekHBjKbe0gg39Y0uwWQ2bz4kEA+yyZ7YCDzD4njs8a7vwLHwmPq47NM3weGcY6muPgsLpug9dZfEaN1lgjpNCbNRELnMEIXfrYxWivOPHD4vBtrRLg4aeeWMXP9bgnFJ0FCxDaN0QwKVKCbDkQtGlPf81N8t2ZuyAaG3ZVLxnQEnTeNIfyveAtbRy+lQmXFmOm2Axc/F0Pdnumu7ry1dXtpqLpDOcvRPi9NZaibRUX9GPnoSH+WyDAiFWExZGKWJaqmbA5n49UMcQaXl282fsJGTnhMNp5gJ92Dh8CxlWV/GDN0r2vY7kIx3xpBIZGBaUhaPmkBiGT+cBzJ58VejUPZbw5tTTTuITmEj2j/LIf2RIinc/fmzlGD2bLdsTWyZopZt6x5SIqJ7rqbkNLKwrWSHDtIKMda2Kr+GVbCab+r2CPdPW4l6VpiAQunu62bimss9UQ30oc47q1o2sZScXUorAM9sia8THFoJwid/d8CLX/5qM04PjELUIGh52ufiNF9OBuhI0NTDMWwMFBGxufFEmQHCCMKEH2WANUtRXuDdpWZCpbFQRuiaTmGa1jo2ab+jh6NhMdQAV17t6eGpqGX21YohH3e3ri+bckm13gEnqhPST7zNFzmZHnlHkleI7V0VF4je/hBBDbq99UFlv0W2BsKLJd9PIHlTjBQnbEyD7gWcDUGhX1iukimD/JgaLmuNT1M6ieWe/c/EVQKEQoReDBIRmgauy6KOCkgSsAEUptxlAHTyHcD9I5NqfBEtqIprgIHVO740Jvp6DTzbut6ZgntWnbGv5mZQ7egBocIC3g0tQzD5qj5DAPgVR1BjJgHuYx5gnIJ6DAET9BtcfP11poYfs/5liT5dhqfWOAnRaxEyxepE13EaF6Yz6u9GyjvQ9OVqaMqMChVoB8mSDyS87cqjFMrZfM1dDaTFz8FxW5Z526SiA/eyIxph5c7g6u8Ky3e0SgTT7TJotXsR7HJcIXXK1RSEr0UXQU9ffgWl8aKYYM0muZb04IyQ3feoNvnO1H3JXfb40Oym7QEIsHdWgApiCabF6ikQfUA0sjjpnt7MQQOQRkJL/CubhIlybEvJD8hJCjCzp4OxVQkadxNin8CBgh5pIHXgRYQwjiJvc1wSwgQFW/peuLxpfHvNZLPVobzD7lGwvPHDdW7K+0b+Xez4iN64HkBY8gdzRM+e6J9EumHB7FPeHwifx2fEf/tM7rh/CNLP57PiD9h7q/PtALa4oP0pKk4jqH6po1iu3jxQePHtz/yeRrBQF8b7m+kEEA3BVf9UD2gc2kdv9iEFydpAXLk1omyfSILTlYB4ROaSFpijsP9KM390TJ4n/BbO+4eb2hfqQdaD2vIh8n2tS8IiCMAJ9BLSOrhzruiJhVTV7c1Zabgmmir0KKCdqdQrTWqUTn0b7hfF8qC50TFqRvjkTK7wBoPDe26r5qk7K6k44993K6gFQItrRDVS2KBrxVCSbLe0kJMs/UifRW4xLGA4SUN6z76yiOBI4rdOOD6Col9sTEZDT3ReT8xDF0w9HzqWT9qgHJ3c5ARmYHz4i9wMjKp05A88PI5EBeW2f0VE9LEnTigpzUOM7iXKlJ6oDxmJ00RWJgisAHUaaQJM6FSQzd9uzq6Odyaxxk1UIOoij0a/gfIgmqx8BI0i6zK6Fyg/4vrb7TMF1PNQUcPqGbET9+aTwIKm7ofVLy2Dq+qDP32aOL8xbZcJZwnkAX+Mykh7KUOd8mHz3yKb0QnKeQMTWVzewvKURj8hWDNMCIlxtcexaRbR2SpvTat93dHvw5SGSJv01bx19c00SB4bU0jsDA08fT2b3IHwc0VDW6/BWJ8e3k9UUCZQ6bRn0gox+WSopOOgLICJSY2+3NJJotUNnH7ZsKKR3/9ncIaOdOuLqz5HMWJud3f+wor7kJ8dGGN1mjSEFYhEpQLmcowWSrH07tPkqtZYDkbu3uzoZTFF7S2S5Okla1/d2kS3+TIgPmexfflxWa+uSstmZBZiQ+r36w8dd/1o/ES34DyzctTk0E8GC85fF/leDGEglb1r+PjNh1NCpwDi1Q4HOrBECIrt9lqbuNIxNiWnpdZKne/ipP59msSl6R1uJqQ42G4LX1kOFHbly+Jh4J9eWxQKbp4C3tokIODDuei2l8x3wfT+UvmKaCCofMUm8NnuJF/SmCoSBPHF2hZKnKZx3HCp5CTgrx09Y2TO+OE4/MUh0GDyWHAuSNKBHwP/zdKbooSIU9jKKGpPP9IKMl+vYxYfI6m4l6SPTcJabsNOa9QGtttyETH/WHbmZkMxt9In+qhJ+5vMuyvN0E7xlJSzl/ulqZbtJAV4+hQcXxlk46u/aOY4GgTVRQFLCvqGNTsG3t+HPdpSUVTT9IoUkkLjM2fFqIY+dkvYXSjNbQWPaFfK75XavUBow6ZyhdJhXsgdzYpk+v1cmcT6YvLEcDeVt4te5pB6/36THO+3R4Y40hbSK81dyXyjZTuMfBDaMbyiRT2gXZKZ6K++YEfORT4ccjtMT+jEVKA+dEwFPwrW+QxWYbNge5Bi84HwkS2xXNCmU+CA26Ye2wRcVzLRrfZSjs4eyuoKgDZdd5KQfB0OECgVivK1DARzn7o5lJHknF8sNiO/59GrJ2RvXDPXbPFdgzvPAHuHHs53IkZ0XE1pXw4GU1f/ptqKfqdD0LygKupISJfcMMa8cVxlZG/k+Nf5M2BnxW4P6/w5SnEq7ltaf80o9APbuTZB+MVvjGHoSn/DzQXhXc8GMP293ulMQ6xyeWmZLAtKYtu/pZcIkTf+snT/io2JZeEhJQcCHv7U9HyroiFytyNb/is0s+h9c23/a1Dj8Y4fNrjb2T9Ztz+tp5HYxy+hPZTR93vKgsT97zeZZKmqwvbcDcoE4O+efM7Fq2KXH13cI47EN4dn3ARsi1EZekzDLcWYbZFwfz/Y7iZ6W6QjW23FT2YbYeG/7Fqe7dTl9njgavHpfZzlu8jKwUIMIJAJZbC92JrSC53BkeEcLUpOC7CkvTSxrnbtC0XpPfOvnhyZgFJstpvuw6+NU1ldjMhz4oU8uRuP8lJBxvtMIgn8GCoKF1Vws2SgtQTf6kSH0BvkIHsoNMLW+5Cn6c/TmF1VDvs5bTa2zNwdKPCp3o0vlOBSHqWDJ1LN5iwDBWPUaeTTonr7Us4/I7npSg9moGUnLj0jKSjfkJRrhBcghkAuoAtrgGdbKn5o8EONkV+2FsvVI82lB8tWpWsZZ3TOG0jcPJGWKpTdSlPCiu5lPe0qWrUquZHs/08fpF+eQ3plXkp0euG9zyud17Xcqfs9ntds2Ewpiw1poNJYf3SKQiyVzNqP7T54EfLarZr65dSbaRUu/MBO6aja21qmhr9vNQl2pBLhVVNKvP+vwk/rXHj8cumMGpWW+ZgJkP/n40G3+84o1oJla7nw2l3rH5om36vNR/0BDrspdFgZboh9T25RHuDapmvd1oTuffL9Xtv0LzsvTLypDVp9GQOeg+9HK2hR0LNKApyB3rS+bWQvfIGrnl5Qhsv7dpI79TytUlt0ZiMeCifqdPKh9LrLrRKd6H8bnnwXEZlu5tfoAX6bLc5NLveoF3b6zX8y6lca6mWisvBdOANfr9CqwXoQYMecgW3z+adIQdPMuSVLKn8QHo16t6OFn4b0trTqvlVrZqfDmYNU/Npx68bnT6pnbXsjVZAhVPbAcqMSO14fe9jPej8OrUdoFyN1A7T6JiTQU8+rR2gfEAvZjJk10sVuFHzuma/UzQHRm3ZNPoTvVoWg++vlsOquRj0KpsW9zweVE1zOHuNcwBqDKrdqRp7cvNHa65V12bzw4Qn8O4rPEXrvbpDrmUNftdc2fvFNUt5GnjsDDrx7xXHWnU0GkAvO50yV598rBrt1Vpu816jMx43Siu6LhUcubRa1TvyoiGpHjq+SK/sK8KX9Ar3o2NYT/pYyBOZq0sBzvz7HZXeHaN6r1Dvw6tLffj+AJ7Fcw3vlxMdgzoFF643qG7jo0zXJyO6Yayi4ypsi6lPyuu6VIYjIGUqw3NeBXQPrt06aIDGhgdZKqPz9UsP+jQpb+RpGb0H47fV3rYFfYLntPmV7D0X4dmrhvThRMewTw68xwK0AwPPXMMzmJeKBdplMB9WV/narLsZlkaT/kSbgJZhZa/gymxrDNqG7nsVs94ZMYBDkGOQ704NyrqThlde/2zvkNAMNBZw/SRz96wh+oBpdM4PTTO5pLePIaxBiYQ5rJjCHJY4euFbdZbB5PULrI6n+5Pgd3efM3gmuhsYsoTou4Q4HLEfPzOZjm50FYk26xXsSTaR6zOXdFtsA1rOzWeV4TkqG7dTk96s2OavIwmuCratbGLVwlnlZcYsGWPkTbYOEXk332X7qVikk7RCENPKUpHg9d7cNpVttETROiES94GS3x2fjeLMuk1SuyzL7e3mC3b3HNwZfapSIDR8vTR3RIjgLq9viPwJRBgufx2IEBpODSJwaVsoQG1XHayssWxpSJWX/w8=</diagram></mxfile>
diff --git a/docs/img/archi.png b/docs/img/archi.png
diff --git a/docs/img/lens.png b/docs/img/lens.png
diff --git a/docs/tf_azure_authent.md b/docs/tf_azure_authent.md
@@ -105,6 +105,12 @@ These values map to the Terraform variables like so:
 - password is the client_secret defined above.
 - tenant is the tenant_id defined above.
 
+After that, to authenticate with the Terraform Service Principal:
+
+```bash
+$ az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+```
+
 > You can create your own `env.sh` script at the root of the project. Take example upon the model [env.sh.example](../env.sh.example).
 
 ## Add Azure AD permissions

diff --git a/scripts/aks_key_pair.sh b/scripts/aks_key_pair.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+VAULT_NAME=hub-and-spoke-vault
+KEY_PREFIX=aks
+TMP_DIR=./temp
+
+function generate {
+  echo "generate..."
+  ssh-keygen -b 4096 \
+    -t rsa \
+    -f ${TMP_DIR}/${KEY_PREFIX}-${envCurrent}.rsa \
+    -N '' \
+    <<<y 2>&1 >/dev/null
+}
+function send {
+  echo "send..."
+  az keyvault secret set --vault-name $VAULT_NAME \
+    -n "aks-${envCurrent}-ssh-priv" \
+    -f "${TMP_DIR}/${KEY_PREFIX}-${envCurrent}.rsa"
+  az keyvault secret set --vault-name $VAULT_NAME \
+    -n "aks-${envCurrent}-ssh-pub" \
+    -f "${TMP_DIR}/${KEY_PREFIX}-${envCurrent}.rsa.pub"
+}
+function clean {
+  echo "clean..."
+  rm -f ${TMP_DIR}/*.rsa*
+}
+
+function process {
+  generate
+  send
+  clean
+}
+
+# Main
+envList=( dev staging prod )
+envCurrent=""
+if [ ! -z "$1" ]; then
+  for item in "${envList[@]}"; do
+    if [ $1 == $item ]; then
+      echo "Current environment is $1"
+      envCurrent=$1
+      process
+      exit
+    fi
+  done
+  if [ "$envCurrent" == "" ]; then
+    echo "Environment name incorrect !"
+    echo "Use a value in the list: ${envList[@]}"
+  fi
+else
+  echo "You must pass an environment name."
+  echo "Use a value in the list: ${envList[@]}"
+fi
diff --git a/scripts/temp/.gitkeep b/scripts/temp/.gitkeep
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<mxfile host="Chrome" modified="2021-02-09T09:59:41.412Z" agent="5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" etag="VXW6PYkiOWR9hrlSnSMn" version="14.2.9" type="device"><diagram id="8IBC5YIdZTFhsr8UUqcM" name="Page-1">7V1Zl6KwEv41fc69D3JYRR9V1LFHbFsdHX3pg0ArNooXcOPX3wqLgomtjrhMTzsLEGIIVV9VKpVK+cSVpuuqrczHsqXp5hNLa+snTnpiWYYVOTigkk1QksuxQcHINrSw0q6gbXh6WEiHpQtD051ERdeyTNeYJwtVazbTVTdRpti2tUpWe7fM5FPnykjHCtqqYuKlPUNzx2Epk83vbvzQjdE4fHSOFYMbUyWqHL6JM1Y0axUr4spPXMm2LDc4m65LuomIF9El+F7lwN1tx2x95p7yhUnfzJcFL5PTLO/ncz8/7OrVTMidpWIuwhcOO+tuIgrY1mKm6agR+okrrsaGq7fnioruroDnUDZ2pyZcMXCqKc7Yr4suHNe2PvSSZVq23xSX9T9w590wzah8Zs2grWLYEd129fXBN2S2dAPA6dZUd+0NVAm/IOZCUodY4/jwehXjXDYsG8eYxtBhoRKiZbRte0dQOAlpSqZvvyH+r5F1bNOSf/3OKc+aJfAZ4cHoixGTQPKD9BVokeLzsQ+fIDcv4uRmBZYScIJzwrUI/miAvojgbFY4TmH2pvRlvgR9P0UsQUGkQk+1/a6uV78H5aog1dWfnDp1BxmO/koEZXI4QUWSxmWzKRDUqrhiMz9SZ3N1/txhPN36WGZ49hyCMscJqthqaJaIR8lL02KlUklJ27LJ0YzPM1RWxPFKk8jLXwuvbP6meN0SNI5XKC9n0Z+UCM3lqKSeFTiS4UDQs4yY3fIkdSSfRekHBjKbe0gg39Y0uwWQ2bz4kEA+yyZ7YCDzD4njs8a7vwLHwmPq47NM3weGcY6muPgsLpug9dZfEaN1lgjpNCbNRELnMEIXfrYxWivOPHD4vBtrRLg4aeeWMXP9bgnFJ0FCxDaN0QwKVKCbDkQtGlPf81N8t2ZuyAaG3ZVLxnQEnTeNIfyveAtbRy+lQmXFmOm2Axc/F0Pdnumu7ry1dXtpqLpDOcvRPi9NZaibRUX9GPnoSH+WyDAiFWExZGKWJaqmbA5n49UMcQaXl282fsJGTnhMNp5gJ92Dh8CxlWV/GDN0r2vY7kIx3xpBIZGBaUhaPmkBiGT+cBzJ58VejUPZbw5tTTTuITmEj2j/LIf2RIinc/fmzlGD2bLdsTWyZopZt6x5SIqJ7rqbkNLKwrWSHDtIKMda2Kr+GVbCab+r2CPdPW4l6VpiAQunu62bimss9UQ30oc47q1o2sZScXUorAM9sia8THFoJwid/d8CLX/5qM04PjELUIGh52ufiNF9OBuhI0NTDMWwMFBGxufFEmQHCCMKEH2WANUtRXuDdpWZCpbFQRuiaTmGa1jo2ab+jh6NhMdQAV17t6eGpqGX21YohH3e3ri+bckm13gEnqhPST7zNFzmZHnlHkleI7V0VF4je/hBBDbq99UFlv0W2BsKLJd9PIHlTjBQnbEyD7gWcDUGhX1iukimD/JgaLmuNT1M6ieWe/c/EVQKEQoReDBIRmgauy6KOCkgSsAEUptxlAHTyHcD9I5NqfBEtqIprgIHVO740Jvp6DTzbut6ZgntWnbGv5mZQ7egBocIC3g0tQzD5qj5DAPgVR1BjJgHuYx5gnIJ6DAET9BtcfP11poYfs/5liT5dhqfWOAnRaxEyxepE13EaF6Yz6u9GyjvQ9OVqaMqMChVoB8mSDyS87cqjFMrZfM1dDaTFz8FxW5Z526SiA/eyIxph5c7g6u8Ky3e0SgTT7TJotXsR7HJcIXXK1RSEr0UXQU9ffgWl8aKYYM0muZb04IyQ3feoNvnO1H3JXfb40Oym7QEIsHdWgApiCabF6ikQfUA0sjjpnt7MQQOQRkJL/CubhIlybEvJD8hJCjCzp4OxVQkadxNin8CBgh5pIHXgRYQwjiJvc1wSwgQFW/peuLxpfHvNZLPVobzD7lGwvPHDdW7K+0b+Xez4iN64HkBY8gdzRM+e6J9EumHB7FPeHwifx2fEf/tM7rh/CNLP57PiD9h7q/PtALa4oP0pKk4jqH6po1iu3jxQePHtz/yeRrBQF8b7m+kEEA3BVf9UD2gc2kdv9iEFydpAXLk1omyfSILTlYB4ROaSFpijsP9KM390TJ4n/BbO+4eb2hfqQdaD2vIh8n2tS8IiCMAJ9BLSOrhzruiJhVTV7c1Zabgmmir0KKCdqdQrTWqUTn0b7hfF8qC50TFqRvjkTK7wBoPDe26r5qk7K6k44993K6gFQItrRDVS2KBrxVCSbLe0kJMs/UifRW4xLGA4SUN6z76yiOBI4rdOOD6Col9sTEZDT3ReT8xDF0w9HzqWT9qgHJ3c5ARmYHz4i9wMjKp05A88PI5EBeW2f0VE9LEnTigpzUOM7iXKlJ6oDxmJ00RWJgisAHUaaQJM6FSQzd9uzq6Odyaxxk1UIOoij0a/gfIgmqx8BI0i6zK6Fyg/4vrb7TMF1PNQUcPqGbET9+aTwIKm7ofVLy2Dq+qDP32aOL8xbZcJZwnkAX+Mykh7KUOd8mHz3yKb0QnKeQMTWVzewvKURj8hWDNMCIlxtcexaRbR2SpvTat93dHvw5SGSJv01bx19c00SB4bU0jsDA08fT2b3IHwc0VDW6/BWJ8e3k9UUCZQ6bRn0gox+WSopOOgLICJSY2+3NJJotUNnH7ZsKKR3/9ncIaOdOuLqz5HMWJud3f+wor7kJ8dGGN1mjSEFYhEpQLmcowWSrH07tPkqtZYDkbu3uzoZTFF7S2S5Okla1/d2kS3+TIgPmexfflxWa+uSstmZBZiQ+r36w8dd/1o/ES34DyzctTk0E8GC85fF/leDGEglb1r+PjNh1NCpwDi1Q4HOrBECIrt9lqbuNIxNiWnpdZKne/ipP59msSl6R1uJqQ42G4LX1kOFHbly+Jh4J9eWxQKbp4C3tokIODDuei2l8x3wfT+UvmKaCCofMUm8NnuJF/SmCoSBPHF2hZKnKZx3HCp5CTgrx09Y2TO+OE4/MUh0GDyWHAuSNKBHwP/zdKbooSIU9jKKGpPP9IKMl+vYxYfI6m4l6SPTcJabsNOa9QGtttyETH/WHbmZkMxt9In+qhJ+5vMuyvN0E7xlJSzl/ulqZbtJAV4+hQcXxlk46u/aOY4GgTVRQFLCvqGNTsG3t+HPdpSUVTT9IoUkkLjM2fFqIY+dkvYXSjNbQWPaFfK75XavUBow6ZyhdJhXsgdzYpk+v1cmcT6YvLEcDeVt4te5pB6/36THO+3R4Y40hbSK81dyXyjZTuMfBDaMbyiRT2gXZKZ6K++YEfORT4ccjtMT+jEVKA+dEwFPwrW+QxWYbNge5Bi84HwkS2xXNCmU+CA26Ye2wRcVzLRrfZSjs4eyuoKgDZdd5KQfB0OECgVivK1DARzn7o5lJHknF8sNiO/59GrJ2RvXDPXbPFdgzvPAHuHHs53IkZ0XE1pXw4GU1f/ptqKfqdD0LygKupISJfcMMa8cVxlZG/k+Nf5M2BnxW4P6/w5SnEq7ltaf80o9APbuTZB+MVvjGHoSn/DzQXhXc8GMP293ulMQ6xyeWmZLAtKYtu/pZcIkTf+snT/io2JZeEhJQcCHv7U9HyroiFytyNb/is0s+h9c23/a1Dj8Y4fNrjb2T9Ztz+tp5HYxy+hPZTR93vKgsT97zeZZKmqwvbcDcoE4O+efM7Fq2KXH13cI47EN4dn3ARsi1EZekzDLcWYbZFwfz/Y7iZ6W6QjW23FT2YbYeG/7Fqe7dTl9njgavHpfZzlu8jKwUIMIJAJZbC92JrSC53BkeEcLUpOC7CkvTSxrnbtC0XpPfOvnhyZgFJstpvuw6+NU1ldjMhz4oU8uRuP8lJBxvtMIgn8GCoKF1Vws2SgtQTf6kSH0BvkIHsoNMLW+5Cn6c/TmF1VDvs5bTa2zNwdKPCp3o0vlOBSHqWDJ1LN5iwDBWPUaeTTonr7Us4/I7npSg9moGUnLj0jKSjfkJRrhBcghkAuoAtrgGdbKn5o8EONkV+2FsvVI82lB8tWpWsZZ3TOG0jcPJGWKpTdSlPCiu5lPe0qWrUquZHs/08fpF+eQ3plXkp0euG9zyud17Xcqfs9ntds2Ewpiw1poNJYf3SKQiyVzNqP7T54EfLarZr65dSbaRUu/MBO6aja21qmhr9vNQl2pBLhVVNKvP+vwk/rXHj8cumMGpWW+ZgJkP/n40G3+84o1oJla7nw2l3rH5om36vNR/0BDrspdFgZboh9T25RHuDapmvd1oTuffL9Xtv0LzsvTLypDVp9GQOeg+9HK2hR0LNKApyB3rS+bWQvfIGrnl5Qhsv7dpI79TytUlt0ZiMeCifqdPKh9LrLrRKd6H8bnnwXEZlu5tfoAX6bLc5NLveoF3b6zX8y6lca6mWisvBdOANfr9CqwXoQYMecgW3z+adIQdPMuSVLKn8QHo16t6OFn4b0trTqvlVrZqfDmYNU/Npx68bnT6pnbXsjVZAhVPbAcqMSO14fe9jPej8OrUdoFyN1A7T6JiTQU8+rR2gfEAvZjJk10sVuFHzuma/UzQHRm3ZNPoTvVoWg++vlsOquRj0KpsW9zweVE1zOHuNcwBqDKrdqRp7cvNHa65V12bzw4Qn8O4rPEXrvbpDrmUNftdc2fvFNUt5GnjsDDrx7xXHWnU0GkAvO50yV598rBrt1Vpu816jMx43Siu6LhUcubRa1TvyoiGpHjq+SK/sK8KX9Ar3o2NYT/pYyBOZq0sBzvz7HZXeHaN6r1Dvw6tLffj+AJ7Fcw3vlxMdgzoFF643qG7jo0zXJyO6Yayi4ypsi6lPyuu6VIYjIGUqw3NeBXQPrt06aIDGhgdZKqPz9UsP+jQpb+RpGb0H47fV3rYFfYLntPmV7D0X4dmrhvThRMewTw68xwK0AwPPXMMzmJeKBdplMB9WV/narLsZlkaT/kSbgJZhZa/gymxrDNqG7nsVs94ZMYBDkGOQ704NyrqThlde/2zvkNAMNBZw/SRz96wh+oBpdM4PTTO5pLePIaxBiYQ5rJjCHJY4euFbdZbB5PULrI6n+5Pgd3efM3gmuhsYsoTou4Q4HLEfPzOZjm50FYk26xXsSTaR6zOXdFtsA1rOzWeV4TkqG7dTk96s2OavIwmuCratbGLVwlnlZcYsGWPkTbYOEXk332X7qVikk7RCENPKUpHg9d7cNpVttETROiES94GS3x2fjeLMuk1SuyzL7e3mC3b3HNwZfapSIDR8vTR3RIjgLq9viPwJRBgufx2IEBpODSJwaVsoQG1XHayssWxpSJWX/w8=</diagram></mxfile>