From dd213ea9a9df1f4c1d8b5bd64bfc79d7284262cd Mon Sep 17 00:00:00 2001
From: Luca Prete <preteluca@gmail.com>
Date: Tue, 23 Apr 2024 15:19:38 +0200
Subject: [PATCH 01/29] Fix permissions for branch network dev - read sa
 (#2233)

Co-authored-by: Luca Prete <lucaprete@google.com>
---
 fast/stages/1-resman/branch-networking.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf
index e57a874ff6..e886234bdb 100644
--- a/fast/stages/1-resman/branch-networking.tf
+++ b/fast/stages/1-resman/branch-networking.tf
@@ -101,10 +101,10 @@ module "branch-network-dev-folder" {
     )
     # read-only (plan) automation service accounts
     "roles/compute.networkViewer" = concat(
-      local.branch_optional_r_sa_lists.dp-prod,
-      local.branch_optional_r_sa_lists.gke-prod,
+      local.branch_optional_r_sa_lists.dp-dev,
+      local.branch_optional_r_sa_lists.gke-dev,
       local.branch_optional_r_sa_lists.gcve-dev,
-      local.branch_optional_r_sa_lists.pf-prod,
+      local.branch_optional_r_sa_lists.pf-dev,
     )
     (local.custom_roles.gcve_network_admin) = local.branch_optional_sa_lists.gcve-dev
   }

From d9019926076cbaec824d8aeee47824d073d2f26a Mon Sep 17 00:00:00 2001
From: luigi-bitonti <93377317+luigi-bitonti@users.noreply.github.com>
Date: Tue, 23 Apr 2024 19:20:38 +0200
Subject: [PATCH 02/29] Added build env vars in cloud function v1 (#2234)

---
 modules/cloud-function-v1/README.md    | 39 +++++++++++++-------------
 modules/cloud-function-v1/main.tf      |  5 ++--
 modules/cloud-function-v1/variables.tf |  6 ++++
 3 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md
index 2d52842bb8..7099946e2d 100644
--- a/modules/cloud-function-v1/README.md
+++ b/modules/cloud-function-v1/README.md
@@ -264,26 +264,27 @@ module "cf-http" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ |  |
-| [bundle_config](variables.tf#L38) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [name](variables.tf#L103) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L118) | Project id used for all resources. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L123) | Region used for all resources. | <code>string</code> | ✓ |  |
+| [bundle_config](variables.tf#L44) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [name](variables.tf#L109) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L124) | Project id used for all resources. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L129) | Region used for all resources. | <code>string</code> | ✓ |  |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;  location                  &#61; optional&#40;string&#41;&#10;  lifecycle_delete_age_days &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [build_worker_pool](variables.tf#L32) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
-| [description](variables.tf#L47) | Optional description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
-| [environment_variables](variables.tf#L53) | Cloud function environment variables. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [function_config](variables.tf#L59) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object&#40;&#123;&#10;  entry_point     &#61; optional&#40;string, &#34;main&#34;&#41;&#10;  instance_count  &#61; optional&#40;number, 1&#41;&#10;  memory_mb       &#61; optional&#40;number, 256&#41; &#35; Memory in MB&#10;  cpu             &#61; optional&#40;string, &#34;0.166&#34;&#41;&#10;  runtime         &#61; optional&#40;string, &#34;python310&#34;&#41;&#10;  timeout_seconds &#61; optional&#40;number, 180&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  entry_point     &#61; &#34;main&#34;&#10;  instance_count  &#61; 1&#10;  memory_mb       &#61; 256&#10;  cpu             &#61; &#34;0.166&#34;&#10;  runtime         &#61; &#34;python310&#34;&#10;  timeout_seconds &#61; 180&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [https_security_level](variables.tf#L79) | The security level for the function: Allowed values are SECURE_ALWAYS, SECURE_OPTIONAL. | <code>string</code> |  | <code>null</code> |
-| [iam](variables.tf#L85) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [ingress_settings](variables.tf#L91) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
-| [labels](variables.tf#L97) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [prefix](variables.tf#L108) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
-| [secrets](variables.tf#L128) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_account](variables.tf#L140) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
-| [service_account_create](variables.tf#L146) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
-| [trigger_config](variables.tf#L152) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L162) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector_config](variables.tf#L172) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [build_environment_variables](variables.tf#L32) | A set of key/value environment variable pairs available during build time. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [build_worker_pool](variables.tf#L38) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
+| [description](variables.tf#L53) | Optional description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
+| [environment_variables](variables.tf#L59) | Cloud function environment variables. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [function_config](variables.tf#L65) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object&#40;&#123;&#10;  entry_point     &#61; optional&#40;string, &#34;main&#34;&#41;&#10;  instance_count  &#61; optional&#40;number, 1&#41;&#10;  memory_mb       &#61; optional&#40;number, 256&#41; &#35; Memory in MB&#10;  cpu             &#61; optional&#40;string, &#34;0.166&#34;&#41;&#10;  runtime         &#61; optional&#40;string, &#34;python310&#34;&#41;&#10;  timeout_seconds &#61; optional&#40;number, 180&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  entry_point     &#61; &#34;main&#34;&#10;  instance_count  &#61; 1&#10;  memory_mb       &#61; 256&#10;  cpu             &#61; &#34;0.166&#34;&#10;  runtime         &#61; &#34;python310&#34;&#10;  timeout_seconds &#61; 180&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [https_security_level](variables.tf#L85) | The security level for the function: Allowed values are SECURE_ALWAYS, SECURE_OPTIONAL. | <code>string</code> |  | <code>null</code> |
+| [iam](variables.tf#L91) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [ingress_settings](variables.tf#L97) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L103) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L114) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
+| [secrets](variables.tf#L134) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account](variables.tf#L146) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
+| [service_account_create](variables.tf#L152) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
+| [trigger_config](variables.tf#L158) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables.tf#L168) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector_config](variables.tf#L178) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/cloud-function-v1/main.tf b/modules/cloud-function-v1/main.tf
index 8a9af6df6c..b57d8431cb 100644
--- a/modules/cloud-function-v1/main.tf
+++ b/modules/cloud-function-v1/main.tf
@@ -68,8 +68,9 @@ resource "google_cloudfunctions_function" "function" {
   trigger_http                 = var.trigger_config == null ? true : null
   https_trigger_security_level = var.https_security_level == null ? "SECURE_ALWAYS" : var.https_security_level
 
-  ingress_settings  = var.ingress_settings
-  build_worker_pool = var.build_worker_pool
+  ingress_settings            = var.ingress_settings
+  build_worker_pool           = var.build_worker_pool
+  build_environment_variables = var.build_environment_variables
 
   vpc_connector = local.vpc_connector
   vpc_connector_egress_settings = try(
diff --git a/modules/cloud-function-v1/variables.tf b/modules/cloud-function-v1/variables.tf
index 567a8c7a7d..73964d0b18 100644
--- a/modules/cloud-function-v1/variables.tf
+++ b/modules/cloud-function-v1/variables.tf
@@ -29,6 +29,12 @@ variable "bucket_name" {
   nullable    = false
 }
 
+variable "build_environment_variables" {
+  description = "A set of key/value environment variable pairs available during build time."
+  type        = map(string)
+  default     = {}
+}
+
 variable "build_worker_pool" {
   description = "Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format."
   type        = string

From 99129d54a37da4c2d977b7db705de5024d530944 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 25 Apr 2024 09:31:51 +0300
Subject: [PATCH 03/29] Update FAST logging (#2235)

* Update FAST logging

* Fix readme

* Fix tests
---
 fast/stages/0-bootstrap/README.md             | 20 +++++++++-------
 fast/stages/0-bootstrap/automation.tf         | 18 ++++++++++++++
 fast/stages/0-bootstrap/variables.tf          | 24 ++++++++++++++++---
 tests/fast/stages/s0_bootstrap/checklist.yaml | 10 ++++----
 tests/fast/stages/s0_bootstrap/simple.yaml    | 10 ++++----
 5 files changed, 60 insertions(+), 22 deletions(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 83031f5d2a..ee5c7f52e7 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -138,7 +138,9 @@ Because of limitations of API availability, manual steps have to be followed to
 
 ### Organization-level logging
 
-We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning.  By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
+We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
+
+An organization-level sink captures IAM data access logs, including authentication and impersonation events for service accounts. To manage logging costs, the default configuration enables IAM data access logging only within the automation project (where sensitive service accounts reside). For enhanced security across the entire organization, consider enabling these logs at the organization level.
 
 The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
 
@@ -626,8 +628,8 @@ The `fast_features` variable consists of 4 toggles:
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10;  id           &#61; string&#10;  is_org_level &#61; optional&#40;bool, true&#41;&#10;  no_iam       &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
-| [organization](variables.tf#L223) | Organization details. | <code title="object&#40;&#123;&#10;  id          &#61; number&#10;  domain      &#61; optional&#40;string&#41;&#10;  customer_id &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
-| [prefix](variables.tf#L238) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  |  |
+| [organization](variables.tf#L241) | Organization details. | <code title="object&#40;&#123;&#10;  id          &#61; number&#10;  domain      &#61; optional&#40;string&#41;&#10;  customer_id &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [prefix](variables.tf#L256) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  |  |
 | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | <code>string</code> |  | <code>null</code> |  |
 | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10;  bootstrap &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  resman &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
 | [custom_roles](variables.tf#L79) | Map of role names => list of permissions to additionally create at the organization level. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
@@ -639,12 +641,12 @@ The `fast_features` variable consists of 4 toggles:
 | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [locations](variables.tf#L163) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Factivity&#92;&#34; OR logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fsystem_event&#92;&#34; OR protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.TransparencyLog&#92;&#34;&#34;&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#34;protoPayload.metadata.&#64;type&#61;&#92;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#92;&#34;&#34;&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#34;logName:&#92;&#34;&#47;logs&#47;cloudaudit.googleapis.com&#37;2Fdata_access&#92;&#34; and protoPayload.serviceName:&#92;&#34;login.googleapis.com&#92;&#34;&#34;&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
-| [org_policies_config](variables.tf#L206) | Organization policies customization. | <code title="object&#40;&#123;&#10;  constraints &#61; optional&#40;object&#40;&#123;&#10;    allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  import_defaults &#61; optional&#40;bool, false&#41;&#10;  tag_name        &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [outputs_location](variables.tf#L232) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
-| [project_parent_ids](variables.tf#L247) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [workforce_identity_providers](variables.tf#L258) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  display_name        &#61; string&#10;  description         &#61; string&#10;  disabled            &#61; optional&#40;bool, false&#41;&#10;  saml &#61; optional&#40;object&#40;&#123;&#10;    idp_metadata_xml &#61; string&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [workload_identity_providers](variables.tf#L274) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    jwks_json  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;activity&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;system_event&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;policy&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;access_transparency&#34;&#41;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  iam &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.serviceName&#61;&#34;iamcredentials.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;iam.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;sts.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.metadata.&#64;type:&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;data_access&#34;&#41;&#10;      protoPayload.serviceName:&#34;login.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
+| [org_policies_config](variables.tf#L224) | Organization policies customization. | <code title="object&#40;&#123;&#10;  constraints &#61; optional&#40;object&#40;&#123;&#10;    allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  import_defaults &#61; optional&#40;bool, false&#41;&#10;  tag_name        &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [outputs_location](variables.tf#L250) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
+| [project_parent_ids](variables.tf#L265) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [workforce_identity_providers](variables.tf#L276) | Workforce Identity Federation pools. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  display_name        &#61; string&#10;  description         &#61; string&#10;  disabled            &#61; optional&#40;bool, false&#41;&#10;  saml &#61; optional&#40;object&#40;&#123;&#10;    idp_metadata_xml &#61; string&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [workload_identity_providers](variables.tf#L292) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    jwks_json  &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 
diff --git a/fast/stages/0-bootstrap/automation.tf b/fast/stages/0-bootstrap/automation.tf
index 6200deab38..8463ff16b6 100644
--- a/fast/stages/0-bootstrap/automation.tf
+++ b/fast/stages/0-bootstrap/automation.tf
@@ -156,6 +156,24 @@ module "automation-project" {
       "container.googleapis.com",
     ]
   )
+
+  # Enable IAM data access logs to capture impersonation and service
+  # account token generation events. This is implemented within the
+  # automation project to limit log volume. For heightened security,
+  # consider enabling it at the organization level. A log sink within
+  # the organization will collect and store these logs in a logging
+  # bucket. See
+  # https://cloud.google.com/iam/docs/audit-logging#audited_operations
+  logging_data_access = {
+    "iam.googleapis.com" = {
+      # ADMIN_READ captures impersonation and token generation/exchanges
+      ADMIN_READ = []
+      # enable DATA_WRITE if you want to capture configuration changes
+      # to IAM-related resources (roles, deny policies, service
+      # accounts, identity pools, etc)
+      # DATA_WRITE = []
+    }
+  }
 }
 
 # output files bucket
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 64978dc30f..b769f1088f 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -182,15 +182,33 @@ variable "log_sinks" {
   }))
   default = {
     audit-logs = {
-      filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\" OR protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.TransparencyLog\""
+      filter = <<-FILTER
+        log_id("cloudaudit.googleapis.com/activity") OR
+        log_id("cloudaudit.googleapis.com/system_event") OR
+        log_id("cloudaudit.googleapis.com/policy") OR
+        log_id("cloudaudit.googleapis.com/access_transparency")
+      FILTER
+      type   = "logging"
+    }
+    iam = {
+      filter = <<-FILTER
+        protoPayload.serviceName="iamcredentials.googleapis.com" OR
+        protoPayload.serviceName="iam.googleapis.com" OR
+        protoPayload.serviceName="sts.googleapis.com"
+      FILTER
       type   = "logging"
     }
     vpc-sc = {
-      filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\""
+      filter = <<-FILTER
+        protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
+      FILTER
       type   = "logging"
     }
     workspace-audit-logs = {
-      filter = "logName:\"/logs/cloudaudit.googleapis.com%2Fdata_access\" and protoPayload.serviceName:\"login.googleapis.com\""
+      filter = <<-FILTER
+        log_id("cloudaudit.googleapis.com/data_access")
+        protoPayload.serviceName:"login.googleapis.com"
+      FILTER
       type   = "logging"
     }
   }
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 91fe60eb76..8c24a1fdfe 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -360,15 +360,15 @@ counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_essential_contacts_contact: 3
-  google_logging_organization_sink: 3
-  google_logging_project_bucket_config: 3
+  google_logging_organization_sink: 4
+  google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
   google_organization_iam_binding: 27
   google_organization_iam_custom_role: 7
   google_organization_iam_member: 35
   google_project: 3
   google_project_iam_binding: 19
-  google_project_iam_member: 6
+  google_project_iam_member: 7
   google_project_service: 31
   google_project_service_identity: 4
   google_service_account: 4
@@ -380,5 +380,5 @@ counts:
   google_storage_project_service_account: 3
   google_tags_tag_key: 1
   google_tags_tag_value: 1
-  modules: 17
-  resources: 198
+  modules: 18
+  resources: 202
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 904471a061..69908ad358 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -39,15 +39,15 @@ counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_essential_contacts_contact: 3
-  google_logging_organization_sink: 3
-  google_logging_project_bucket_config: 3
+  google_logging_organization_sink: 4
+  google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
   google_organization_iam_binding: 27
   google_organization_iam_custom_role: 7
   google_organization_iam_member: 22
   google_project: 3
   google_project_iam_binding: 19
-  google_project_iam_member: 6
+  google_project_iam_member: 7
   google_project_service: 31
   google_project_service_identity: 4
   google_service_account: 4
@@ -60,8 +60,8 @@ counts:
   google_tags_tag_key: 1
   google_tags_tag_value: 1
   local_file: 7
-  modules: 16
-  resources: 189
+  modules: 17
+  resources: 193
 
 outputs:
   custom_roles:

From 2446b4dd7c48f4c118514f55d31bb1a4398b17ac Mon Sep 17 00:00:00 2001
From: Vince Gonzalez <vicenteg@users.noreply.github.com>
Date: Thu, 25 Apr 2024 19:14:32 -0400
Subject: [PATCH 04/29] Update README.md (#2239)

---
 blueprints/data-solutions/data-playground/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md
index a2eceeba91..ef490ab27c 100644
--- a/blueprints/data-solutions/data-playground/README.md
+++ b/blueprints/data-solutions/data-playground/README.md
@@ -1,6 +1,6 @@
 # Data Playground
 
-This blueprint creates a minimum viable architecture for a data experimentation project with the needed APIs enabled, VPC and Firewall set in place, BigQuesy dataset, GCS bucket and an AI notebook to get started.
+This blueprint creates a minimum viable architecture for a data experimentation project with the needed APIs enabled, VPC and Firewall set in place, BigQuery dataset, GCS bucket and an AI notebook to get started.
 
 This is the high level diagram:
 

From 64ac89d59c18e3b6b4034b3fd521cf60e33dcaba Mon Sep 17 00:00:00 2001
From: Deepak Kumar <21131061+kumadee@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:17:48 +0200
Subject: [PATCH 05/29] fix: allow disabling node autoprovisioning (#2238)

- This fix allows a GKE Standard cluster to be configured with no auto-provisioned node pool,
  but allow setting autocluster profile for user-provisioned node pools like created via `gke-nodepool` module.

Co-authored-by: Julio Castillo <jccb@google.com>
---
 modules/gke-cluster-standard/README.md    | 42 +++++++++++------------
 modules/gke-cluster-standard/main.tf      |  2 +-
 modules/gke-cluster-standard/variables.tf |  1 +
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index 286b20a3dc..c53017267f 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -310,28 +310,28 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L233) | Cluster zone or region. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L368) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L404) | Cluster project id. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L415) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [location](variables.tf#L234) | Cluster zone or region. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L369) | Cluster name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L405) | Cluster project id. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L416) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [default_nodepool](variables.tf#L116) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deletion_protection](variables.tf#L134) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L141) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L147) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [enable_features](variables.tf#L171) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [issue_client_certificate](variables.tf#L221) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L227) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L238) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L259) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [max_pods_per_node](variables.tf#L282) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
-| [min_master_version](variables.tf#L288) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L294) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L373) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L383) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L390) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L409) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
+| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  enabled             &#61; optional&#40;bool, true&#41;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [default_nodepool](variables.tf#L117) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deletion_protection](variables.tf#L135) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [description](variables.tf#L142) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [enable_addons](variables.tf#L148) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [enable_features](variables.tf#L172) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [issue_client_certificate](variables.tf#L222) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [labels](variables.tf#L228) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_config](variables.tf#L239) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [maintenance_config](variables.tf#L260) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [max_pods_per_node](variables.tf#L283) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
+| [min_master_version](variables.tf#L289) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [monitoring_config](variables.tf#L295) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L374) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_locations](variables.tf#L384) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [private_cluster_config](variables.tf#L391) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L410) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index 6ab4c9d881..99db49f80d 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -132,7 +132,7 @@ resource "google_container_cluster" "cluster" {
   dynamic "cluster_autoscaling" {
     for_each = local.cas == null ? [] : [""]
     content {
-      enabled             = true
+      enabled             = var.cluster_autoscaling.enabled
       autoscaling_profile = var.cluster_autoscaling.autoscaling_profile
       dynamic "auto_provisioning_defaults" {
         for_each = local.cas_apd != null ? [""] : []
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index 6644595494..5580320f8f 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -38,6 +38,7 @@ variable "backup_configs" {
 variable "cluster_autoscaling" {
   description = "Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler."
   type = object({
+    enabled             = optional(bool, true)
     autoscaling_profile = optional(string, "BALANCED")
     auto_provisioning_defaults = optional(object({
       boot_disk_kms_key = optional(string)

From d831d328648b1a539215360f91f4e0f9f3c4e1ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sat, 27 Apr 2024 07:07:04 +0000
Subject: [PATCH 06/29] Use default labels on pubsub subscription when no
 override is provided

---
 modules/pubsub/README.md                         | 1 +
 modules/pubsub/main.tf                           | 2 +-
 tests/modules/pubsub/examples/subscriptions.yaml | 6 ++++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/pubsub/README.md b/modules/pubsub/README.md
index 6d924d90d2..4aaa4a4812 100644
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@@ -60,6 +60,7 @@ module "pubsub" {
   source     = "./fabric/modules/pubsub"
   project_id = var.project_id
   name       = "my-topic"
+  labels     = { test = "default" }
   subscriptions = {
     test-pull = {}
     test-pull-override = {
diff --git a/modules/pubsub/main.tf b/modules/pubsub/main.tf
index b65d372f11..a090f861b0 100644
--- a/modules/pubsub/main.tf
+++ b/modules/pubsub/main.tf
@@ -54,7 +54,7 @@ resource "google_pubsub_subscription" "default" {
   project                      = var.project_id
   name                         = each.key
   topic                        = google_pubsub_topic.default.name
-  labels                       = each.value.labels
+  labels                       = coalesce(each.value.labels, var.labels)
   ack_deadline_seconds         = each.value.ack_deadline_seconds
   message_retention_duration   = each.value.message_retention_duration
   retain_acked_messages        = each.value.retain_acked_messages
diff --git a/tests/modules/pubsub/examples/subscriptions.yaml b/tests/modules/pubsub/examples/subscriptions.yaml
index 89acf08b22..267f4ebc5c 100644
--- a/tests/modules/pubsub/examples/subscriptions.yaml
+++ b/tests/modules/pubsub/examples/subscriptions.yaml
@@ -20,7 +20,8 @@ values:
     enable_exactly_once_delivery: false
     enable_message_ordering: false
     filter: null
-    labels: null
+    labels:
+      test: default
     message_retention_duration: 604800s
     name: test-pull
     project: project-id
@@ -52,7 +53,8 @@ values:
     topic: my-topic
   module.pubsub.google_pubsub_topic.default:
     kms_key_name: null
-    labels: null
+    labels:
+      test: default
     message_retention_duration: null
     name: my-topic
     project: project-id

From a95e681f059af9e112636befd03efb124439115f Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Sun, 28 Apr 2024 12:11:07 +0200
Subject: [PATCH 07/29] Removed BFD settings from net-vpn-ha module as it is
 not supported (#2244)

* Removed bfd settings from net-vpn-ha as it is not supported

* Removed bfd settings from net-vpn-ha as it is not supported
---
 modules/net-vpn-ha/README.md    | 6 +++---
 modules/net-vpn-ha/main.tf      | 9 ---------
 modules/net-vpn-ha/variables.tf | 6 ------
 3 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index 2de72f54ea..164e009f7e 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -213,9 +213,9 @@ module "vpn_ha" {
 | [region](variables.tf#L52) | Region used for resources. | <code>string</code> | ✓ |  |
 | [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10;  asn    &#61; number&#10;  create &#61; optional&#40;bool, true&#41;&#10;  custom_advertise &#61; optional&#40;object&#40;&#123;&#10;    all_subnets &#61; bool&#10;    ip_ranges   &#61; map&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  keepalive &#61; optional&#40;number&#41;&#10;  name      &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | <code title="map&#40;object&#40;&#123;&#10;  external &#61; optional&#40;object&#40;&#123;&#10;    redundancy_type &#61; string&#10;    interfaces      &#61; list&#40;string&#41;&#10;    description     &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  gcp &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10;  bgp_peer &#61; object&#40;&#123;&#10;    address        &#61; string&#10;    asn            &#61; number&#10;    route_priority &#61; optional&#40;number, 1000&#41;&#10;    bfd &#61; optional&#40;object&#40;&#123;&#10;      min_receive_interval        &#61; optional&#40;number&#41;&#10;      min_transmit_interval       &#61; optional&#40;number&#41;&#10;      multiplier                  &#61; optional&#40;number&#41;&#10;      session_initialization_mode &#61; optional&#40;string, &#34;ACTIVE&#34;&#41;&#10;    &#125;&#41;&#41;&#10;    custom_advertise &#61; optional&#40;object&#40;&#123;&#10;      all_subnets          &#61; bool&#10;      all_vpc_subnets      &#61; bool&#10;      all_peer_vpc_subnets &#61; bool&#10;      ip_ranges            &#61; map&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10;      name &#61; string&#10;      key  &#61; string&#10;    &#125;&#41;&#41;&#10;    ipv6 &#61; optional&#40;object&#40;&#123;&#10;      nexthop_address      &#61; optional&#40;string&#41;&#10;      peer_nexthop_address &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#10;  bgp_session_range               &#61; string&#10;  ike_version                     &#61; optional&#40;number, 2&#41;&#10;  peer_external_gateway_interface &#61; optional&#40;number&#41;&#10;  peer_gateway                    &#61; optional&#40;string, &#34;default&#34;&#41;&#10;  router                          &#61; optional&#40;string&#41;&#10;  shared_secret                   &#61; optional&#40;string&#41;&#10;  vpn_gateway_interface           &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [vpn_gateway](variables.tf#L114) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> |  | <code>null</code> |
-| [vpn_gateway_create](variables.tf#L120) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10;  ipv6        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10;  bgp_peer &#61; object&#40;&#123;&#10;    address        &#61; string&#10;    asn            &#61; number&#10;    route_priority &#61; optional&#40;number, 1000&#41;&#10;    custom_advertise &#61; optional&#40;object&#40;&#123;&#10;      all_subnets          &#61; bool&#10;      all_vpc_subnets      &#61; bool&#10;      all_peer_vpc_subnets &#61; bool&#10;      ip_ranges            &#61; map&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10;      name &#61; string&#10;      key  &#61; string&#10;    &#125;&#41;&#41;&#10;    ipv6 &#61; optional&#40;object&#40;&#123;&#10;      nexthop_address      &#61; optional&#40;string&#41;&#10;      peer_nexthop_address &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#10;  bgp_session_range               &#61; string&#10;  ike_version                     &#61; optional&#40;number, 2&#41;&#10;  peer_external_gateway_interface &#61; optional&#40;number&#41;&#10;  peer_gateway                    &#61; optional&#40;string, &#34;default&#34;&#41;&#10;  router                          &#61; optional&#40;string&#41;&#10;  shared_secret                   &#61; optional&#40;string&#41;&#10;  vpn_gateway_interface           &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [vpn_gateway](variables.tf#L108) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> |  | <code>null</code> |
+| [vpn_gateway_create](variables.tf#L114) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10;  ipv6        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf
index 20af29015a..bbb7ca0295 100644
--- a/modules/net-vpn-ha/main.tf
+++ b/modules/net-vpn-ha/main.tf
@@ -117,15 +117,6 @@ resource "google_compute_router_peer" "bgp_peer" {
       description = range.value
     }
   }
-  dynamic "bfd" {
-    for_each = each.value.bgp_peer.bfd != null ? [each.value.bgp_peer.bfd] : []
-    content {
-      session_initialization_mode = bfd.value.session_initialization_mode
-      min_receive_interval        = bfd.value.min_receive_interval
-      min_transmit_interval       = bfd.value.min_transmit_interval
-      multiplier                  = bfd.value.multiplier
-    }
-  }
   dynamic "md5_authentication_key" {
     for_each = each.value.bgp_peer.md5_authentication_key != null ? toset([each.value.bgp_peer.md5_authentication_key]) : []
     content {
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index d507c89881..ba86eee6e9 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -76,12 +76,6 @@ variable "tunnels" {
       address        = string
       asn            = number
       route_priority = optional(number, 1000)
-      bfd = optional(object({
-        min_receive_interval        = optional(number)
-        min_transmit_interval       = optional(number)
-        multiplier                  = optional(number)
-        session_initialization_mode = optional(string, "ACTIVE")
-      }))
       custom_advertise = optional(object({
         all_subnets          = bool
         all_vpc_subnets      = bool

From ab174274de35c6b73f44e23d312c86a25c729d72 Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Sun, 28 Apr 2024 17:31:42 +0200
Subject: [PATCH 08/29] Added new attributes Apigee organization and bumped up
 providers version (#2243)

---
 .../patterns/autopilot-cluster/versions.tf    |  4 +-
 blueprints/gke/patterns/batch/versions.tf     |  4 +-
 blueprints/gke/patterns/kafka/versions.tf     |  4 +-
 blueprints/gke/patterns/mysql/versions.tf     |  4 +-
 .../gke/patterns/redis-cluster/versions.tf    |  4 +-
 default-versions.tf                           |  4 +-
 .../alloydb-instance/versions.tf              |  4 +-
 .../net-neg/versions.tf                       |  4 +-
 .../project-iam-magic/versions.tf             |  4 +-
 modules/analytics-hub/versions.tf             |  4 +-
 modules/api-gateway/versions.tf               |  4 +-
 modules/apigee/README.md                      |  8 +--
 modules/apigee/main.tf                        | 33 ++++++++----
 modules/apigee/variables.tf                   | 50 ++++++++++---------
 modules/apigee/versions.tf                    |  4 +-
 modules/artifact-registry/versions.tf         |  4 +-
 modules/bigquery-dataset/versions.tf          |  4 +-
 modules/bigtable-instance/versions.tf         |  4 +-
 modules/billing-account/versions.tf           |  4 +-
 modules/binauthz/versions.tf                  |  4 +-
 .../__need_fixing/onprem/versions.tf          |  4 +-
 .../__need_fixing/squid/versions.tf           |  4 +-
 .../coredns/versions.tf                       |  4 +-
 .../cos-generic-metadata/versions.tf          |  4 +-
 .../envoy-sni-dyn-fwd-proxy/versions.tf       |  4 +-
 .../envoy-traffic-director/versions.tf        |  4 +-
 .../cloud-config-container/mysql/versions.tf  |  4 +-
 .../nginx-tls/versions.tf                     |  4 +-
 .../cloud-config-container/nginx/versions.tf  |  4 +-
 .../simple-nva/versions.tf                    |  4 +-
 modules/cloud-function-v1/versions.tf         |  4 +-
 modules/cloud-function-v2/versions.tf         |  4 +-
 modules/cloud-identity-group/versions.tf      |  4 +-
 modules/cloud-run-v2/versions.tf              |  4 +-
 modules/cloud-run/versions.tf                 |  4 +-
 modules/cloudsql-instance/versions.tf         |  4 +-
 modules/compute-mig/versions.tf               |  4 +-
 modules/compute-vm/versions.tf                |  4 +-
 modules/container-registry/versions.tf        |  4 +-
 modules/data-catalog-policy-tag/versions.tf   |  4 +-
 modules/data-catalog-tag-template/versions.tf |  4 +-
 modules/data-catalog-tag/versions.tf          |  4 +-
 modules/dataform-repository/versions.tf       |  4 +-
 modules/datafusion/versions.tf                |  4 +-
 modules/dataplex-datascan/versions.tf         |  4 +-
 modules/dataplex/versions.tf                  |  4 +-
 modules/dataproc/versions.tf                  |  4 +-
 modules/dns-response-policy/versions.tf       |  4 +-
 modules/dns/versions.tf                       |  4 +-
 modules/endpoints/versions.tf                 |  4 +-
 modules/folder/versions.tf                    |  4 +-
 modules/gcs/versions.tf                       |  4 +-
 modules/gcve-private-cloud/versions.tf        |  4 +-
 modules/gke-cluster-autopilot/versions.tf     |  4 +-
 modules/gke-cluster-standard/versions.tf      |  4 +-
 modules/gke-hub/versions.tf                   |  4 +-
 modules/gke-nodepool/versions.tf              |  4 +-
 modules/iam-service-account/versions.tf       |  4 +-
 modules/kms/versions.tf                       |  4 +-
 modules/logging-bucket/versions.tf            |  4 +-
 modules/ncc-spoke-ra/versions.tf              |  4 +-
 modules/net-address/versions.tf               |  4 +-
 modules/net-cloudnat/versions.tf              |  4 +-
 modules/net-firewall-policy/versions.tf       |  4 +-
 .../net-ipsec-over-interconnect/versions.tf   |  4 +-
 modules/net-lb-app-ext-regional/versions.tf   |  4 +-
 modules/net-lb-app-ext/versions.tf            |  4 +-
 .../net-lb-app-int-cross-region/versions.tf   |  4 +-
 modules/net-lb-app-int/versions.tf            |  4 +-
 modules/net-lb-ext/versions.tf                |  4 +-
 modules/net-lb-int/versions.tf                |  4 +-
 modules/net-lb-proxy-int/versions.tf          |  4 +-
 modules/net-swp/versions.tf                   |  4 +-
 modules/net-vlan-attachment/versions.tf       |  4 +-
 modules/net-vpc-firewall/versions.tf          |  4 +-
 modules/net-vpc-peering/versions.tf           |  4 +-
 modules/net-vpc/versions.tf                   |  4 +-
 modules/net-vpn-dynamic/versions.tf           |  4 +-
 modules/net-vpn-ha/versions.tf                |  4 +-
 modules/net-vpn-static/versions.tf            |  4 +-
 modules/organization/versions.tf              |  4 +-
 modules/project/versions.tf                   |  4 +-
 modules/projects-data-source/versions.tf      |  4 +-
 modules/pubsub/versions.tf                    |  4 +-
 modules/secret-manager/versions.tf            |  4 +-
 modules/service-directory/versions.tf         |  4 +-
 modules/source-repository/versions.tf         |  4 +-
 modules/vpc-sc/versions.tf                    |  4 +-
 modules/workstation-cluster/versions.tf       |  4 +-
 tests/examples_e2e/setup_module/versions.tf   |  4 +-
 90 files changed, 229 insertions(+), 210 deletions(-)

diff --git a/blueprints/gke/patterns/autopilot-cluster/versions.tf b/blueprints/gke/patterns/autopilot-cluster/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/autopilot-cluster/versions.tf
+++ b/blueprints/gke/patterns/autopilot-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/batch/versions.tf b/blueprints/gke/patterns/batch/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/batch/versions.tf
+++ b/blueprints/gke/patterns/batch/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/kafka/versions.tf b/blueprints/gke/patterns/kafka/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/kafka/versions.tf
+++ b/blueprints/gke/patterns/kafka/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/mysql/versions.tf b/blueprints/gke/patterns/mysql/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/mysql/versions.tf
+++ b/blueprints/gke/patterns/mysql/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/blueprints/gke/patterns/redis-cluster/versions.tf b/blueprints/gke/patterns/redis-cluster/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/blueprints/gke/patterns/redis-cluster/versions.tf
+++ b/blueprints/gke/patterns/redis-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/default-versions.tf b/default-versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/default-versions.tf
+++ b/default-versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/__experimental_deprecated/alloydb-instance/versions.tf b/modules/__experimental_deprecated/alloydb-instance/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/__experimental_deprecated/alloydb-instance/versions.tf
+++ b/modules/__experimental_deprecated/alloydb-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/__experimental_deprecated/net-neg/versions.tf b/modules/__experimental_deprecated/net-neg/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/__experimental_deprecated/net-neg/versions.tf
+++ b/modules/__experimental_deprecated/net-neg/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/__experimental_deprecated/project-iam-magic/versions.tf b/modules/__experimental_deprecated/project-iam-magic/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/__experimental_deprecated/project-iam-magic/versions.tf
+++ b/modules/__experimental_deprecated/project-iam-magic/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/analytics-hub/versions.tf b/modules/analytics-hub/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/analytics-hub/versions.tf
+++ b/modules/analytics-hub/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/api-gateway/versions.tf b/modules/api-gateway/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/api-gateway/versions.tf
+++ b/modules/api-gateway/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/apigee/README.md b/modules/apigee/README.md
index 24c6f4166a..ebae675f31 100644
--- a/modules/apigee/README.md
+++ b/modules/apigee/README.md
@@ -359,13 +359,13 @@ module "apigee" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L126) | Project ID. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L130) | Project ID. | <code>string</code> | ✓ |  |
 | [addons_config](variables.tf#L17) | Addons configuration. | <code title="object&#40;&#123;&#10;  advanced_api_ops    &#61; optional&#40;bool, false&#41;&#10;  api_security        &#61; optional&#40;bool, false&#41;&#10;  connectors_platform &#61; optional&#40;bool, false&#41;&#10;  integration         &#61; optional&#40;bool, false&#41;&#10;  monetization        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [endpoint_attachments](variables.tf#L29) | Endpoint attachments. | <code title="map&#40;object&#40;&#123;&#10;  region             &#61; string&#10;  service_attachment &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [envgroups](variables.tf#L39) | Environment groups (NAME => [HOSTNAMES]). | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [environments](variables.tf#L46) | Environments. | <code title="map&#40;object&#40;&#123;&#10;  display_name    &#61; optional&#40;string&#41;&#10;  description     &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  deployment_type &#61; optional&#40;string&#41;&#10;  api_proxy_type  &#61; optional&#40;string&#41;&#10;  type            &#61; optional&#40;string&#41;&#10;  node_config &#61; optional&#40;object&#40;&#123;&#10;    min_node_count &#61; optional&#40;number&#41;&#10;    max_node_count &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  envgroups &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [instances](variables.tf#L73) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10;  name                          &#61; optional&#40;string&#41;&#10;  display_name                  &#61; optional&#40;string&#41;&#10;  description                   &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;  troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;  disk_encryption_key           &#61; optional&#40;string&#41;&#10;  consumer_accept_list          &#61; optional&#40;list&#40;string&#41;&#41;&#10;  enable_nat                    &#61; optional&#40;bool, false&#41;&#10;  environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [organization](variables.tf#L98) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10;  display_name            &#61; optional&#40;string&#41;&#10;  description             &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  authorized_network      &#61; optional&#40;string&#41;&#10;  runtime_type            &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10;  billing_type            &#61; optional&#40;string&#41;&#10;  database_encryption_key &#61; optional&#40;string&#41;&#10;  analytics_region        &#61; optional&#40;string, &#34;europe-west1&#34;&#41;&#10;  retention               &#61; optional&#40;string&#41;&#10;  disable_vpc_peering     &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [environments](variables.tf#L46) | Environments. | <code title="map&#40;object&#40;&#123;&#10;  api_proxy_type  &#61; optional&#40;string&#41;&#10;  description     &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  display_name    &#61; optional&#40;string&#41;&#10;  deployment_type &#61; optional&#40;string&#41;&#10;  envgroups       &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  iam             &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  node_config &#61; optional&#40;object&#40;&#123;&#10;    min_node_count &#61; optional&#40;number&#41;&#10;    max_node_count &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  type &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [instances](variables.tf#L73) | Instances ([REGION] => [INSTANCE]). | <code title="map&#40;object&#40;&#123;&#10;  consumer_accept_list          &#61; optional&#40;list&#40;string&#41;&#41;&#10;  description                   &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  disk_encryption_key           &#61; optional&#40;string&#41;&#10;  display_name                  &#61; optional&#40;string&#41;&#10;  enable_nat                    &#61; optional&#40;bool, false&#41;&#10;  environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  name                          &#61; optional&#40;string&#41;&#10;  runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;  troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [organization](variables.tf#L98) | Apigee organization. If set to null the organization must already exist. | <code title="object&#40;&#123;&#10;  analytics_region                 &#61; optional&#40;string&#41;&#10;  api_consumer_data_encryption_key &#61; optional&#40;string&#41;&#10;  api_consumer_data_location       &#61; optional&#40;string&#41;&#10;  authorized_network               &#61; optional&#40;string&#41;&#10;  billing_type                     &#61; optional&#40;string&#41;&#10;  control_plane_encryption_key     &#61; optional&#40;string&#41;&#10;  database_encryption_key          &#61; optional&#40;string&#41;&#10;  description                      &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;  disable_vpc_peering              &#61; optional&#40;bool, false&#41;&#10;  display_name                     &#61; optional&#40;string&#41;&#10;  properties                       &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  runtime_type                     &#61; optional&#40;string, &#34;CLOUD&#34;&#41;&#10;  retention                        &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/apigee/main.tf b/modules/apigee/main.tf
index bb0417b279..afbc1e5af6 100644
--- a/modules/apigee/main.tf
+++ b/modules/apigee/main.tf
@@ -20,15 +20,30 @@ locals {
 }
 
 resource "google_apigee_organization" "organization" {
-  count                                = var.organization == null ? 0 : 1
-  analytics_region                     = var.organization.analytics_region
-  project_id                           = var.project_id
-  authorized_network                   = var.organization.authorized_network
-  billing_type                         = var.organization.billing_type
-  runtime_type                         = var.organization.runtime_type
-  runtime_database_encryption_key_name = var.organization.database_encryption_key
-  retention                            = var.organization.retention
-  disable_vpc_peering                  = var.organization.disable_vpc_peering
+  count                                 = var.organization == null ? 0 : 1
+  analytics_region                      = var.organization.analytics_region
+  project_id                            = var.project_id
+  authorized_network                    = var.organization.authorized_network
+  billing_type                          = var.organization.billing_type
+  runtime_type                          = var.organization.runtime_type
+  runtime_database_encryption_key_name  = var.organization.database_encryption_key
+  retention                             = var.organization.retention
+  disable_vpc_peering                   = var.organization.disable_vpc_peering
+  api_consumer_data_location            = var.organization.api_consumer_data_location
+  api_consumer_data_encryption_key_name = var.organization.api_consumer_data_encryption_key
+  control_plane_encryption_key_name     = var.organization.control_plane_encryption_key
+  dynamic "properties" {
+    for_each = length(var.organization.properties) > 0 ? [""] : []
+    content {
+      dynamic "property" {
+        for_each = var.organization.properties
+        content {
+          name  = properties.key
+          value = properties.value
+        }
+      }
+    }
+  }
 }
 
 resource "google_apigee_envgroup" "envgroups" {
diff --git a/modules/apigee/variables.tf b/modules/apigee/variables.tf
index 027ad05e47..6ce9fdcf1f 100644
--- a/modules/apigee/variables.tf
+++ b/modules/apigee/variables.tf
@@ -46,16 +46,12 @@ variable "envgroups" {
 variable "environments" {
   description = "Environments."
   type = map(object({
-    display_name    = optional(string)
+    api_proxy_type  = optional(string)
     description     = optional(string, "Terraform-managed")
+    display_name    = optional(string)
     deployment_type = optional(string)
-    api_proxy_type  = optional(string)
-    type            = optional(string)
-    node_config = optional(object({
-      min_node_count = optional(number)
-      max_node_count = optional(number)
-    }))
-    iam = optional(map(list(string)), {})
+    envgroups       = optional(list(string), [])
+    iam             = optional(map(list(string)), {})
     iam_bindings = optional(map(object({
       role    = string
       members = list(string)
@@ -64,7 +60,11 @@ variable "environments" {
       role   = string
       member = string
     })), {})
-    envgroups = optional(list(string), [])
+    node_config = optional(object({
+      min_node_count = optional(number)
+      max_node_count = optional(number)
+    }))
+    type = optional(string)
   }))
   default  = {}
   nullable = false
@@ -73,15 +73,15 @@ variable "environments" {
 variable "instances" {
   description = "Instances ([REGION] => [INSTANCE])."
   type = map(object({
-    name                          = optional(string)
-    display_name                  = optional(string)
+    consumer_accept_list          = optional(list(string))
     description                   = optional(string, "Terraform-managed")
-    runtime_ip_cidr_range         = optional(string)
-    troubleshooting_ip_cidr_range = optional(string)
     disk_encryption_key           = optional(string)
-    consumer_accept_list          = optional(list(string))
+    display_name                  = optional(string)
     enable_nat                    = optional(bool, false)
     environments                  = optional(list(string), [])
+    name                          = optional(string)
+    runtime_ip_cidr_range         = optional(string)
+    troubleshooting_ip_cidr_range = optional(string)
   }))
   validation {
     condition = alltrue([
@@ -98,15 +98,19 @@ variable "instances" {
 variable "organization" {
   description = "Apigee organization. If set to null the organization must already exist."
   type = object({
-    display_name            = optional(string)
-    description             = optional(string, "Terraform-managed")
-    authorized_network      = optional(string)
-    runtime_type            = optional(string, "CLOUD")
-    billing_type            = optional(string)
-    database_encryption_key = optional(string)
-    analytics_region        = optional(string, "europe-west1")
-    retention               = optional(string)
-    disable_vpc_peering     = optional(bool, false)
+    analytics_region                 = optional(string)
+    api_consumer_data_encryption_key = optional(string)
+    api_consumer_data_location       = optional(string)
+    authorized_network               = optional(string)
+    billing_type                     = optional(string)
+    control_plane_encryption_key     = optional(string)
+    database_encryption_key          = optional(string)
+    description                      = optional(string, "Terraform-managed")
+    disable_vpc_peering              = optional(bool, false)
+    display_name                     = optional(string)
+    properties                       = optional(map(string), {})
+    runtime_type                     = optional(string, "CLOUD")
+    retention                        = optional(string)
   })
   validation {
     condition = var.organization == null || (
diff --git a/modules/apigee/versions.tf b/modules/apigee/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/apigee/versions.tf
+++ b/modules/apigee/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/artifact-registry/versions.tf b/modules/artifact-registry/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/artifact-registry/versions.tf
+++ b/modules/artifact-registry/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/bigquery-dataset/versions.tf b/modules/bigquery-dataset/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/bigquery-dataset/versions.tf
+++ b/modules/bigquery-dataset/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/bigtable-instance/versions.tf b/modules/bigtable-instance/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/bigtable-instance/versions.tf
+++ b/modules/bigtable-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/billing-account/versions.tf b/modules/billing-account/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/billing-account/versions.tf
+++ b/modules/billing-account/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/binauthz/versions.tf b/modules/binauthz/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/binauthz/versions.tf
+++ b/modules/binauthz/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tf b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/__need_fixing/squid/versions.tf b/modules/cloud-config-container/__need_fixing/squid/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/coredns/versions.tf b/modules/cloud-config-container/coredns/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/coredns/versions.tf
+++ b/modules/cloud-config-container/coredns/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tf b/modules/cloud-config-container/cos-generic-metadata/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tf b/modules/cloud-config-container/envoy-traffic-director/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tf
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/mysql/versions.tf b/modules/cloud-config-container/mysql/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/mysql/versions.tf
+++ b/modules/cloud-config-container/mysql/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/nginx-tls/versions.tf
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/nginx/versions.tf b/modules/cloud-config-container/nginx/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/nginx/versions.tf
+++ b/modules/cloud-config-container/nginx/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-config-container/simple-nva/versions.tf b/modules/cloud-config-container/simple-nva/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-config-container/simple-nva/versions.tf
+++ b/modules/cloud-config-container/simple-nva/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-function-v1/versions.tf b/modules/cloud-function-v1/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-function-v1/versions.tf
+++ b/modules/cloud-function-v1/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-function-v2/versions.tf b/modules/cloud-function-v2/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-function-v2/versions.tf
+++ b/modules/cloud-function-v2/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-identity-group/versions.tf b/modules/cloud-identity-group/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-identity-group/versions.tf
+++ b/modules/cloud-identity-group/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-run-v2/versions.tf b/modules/cloud-run-v2/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-run-v2/versions.tf
+++ b/modules/cloud-run-v2/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloud-run/versions.tf b/modules/cloud-run/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloud-run/versions.tf
+++ b/modules/cloud-run/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/cloudsql-instance/versions.tf b/modules/cloudsql-instance/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/cloudsql-instance/versions.tf
+++ b/modules/cloudsql-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/compute-mig/versions.tf b/modules/compute-mig/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/compute-mig/versions.tf
+++ b/modules/compute-mig/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/compute-vm/versions.tf b/modules/compute-vm/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/compute-vm/versions.tf
+++ b/modules/compute-vm/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/container-registry/versions.tf b/modules/container-registry/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/container-registry/versions.tf
+++ b/modules/container-registry/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/data-catalog-policy-tag/versions.tf b/modules/data-catalog-policy-tag/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/data-catalog-policy-tag/versions.tf
+++ b/modules/data-catalog-policy-tag/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/data-catalog-tag-template/versions.tf b/modules/data-catalog-tag-template/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/data-catalog-tag-template/versions.tf
+++ b/modules/data-catalog-tag-template/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/data-catalog-tag/versions.tf b/modules/data-catalog-tag/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/data-catalog-tag/versions.tf
+++ b/modules/data-catalog-tag/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataform-repository/versions.tf b/modules/dataform-repository/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataform-repository/versions.tf
+++ b/modules/dataform-repository/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/datafusion/versions.tf b/modules/datafusion/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/datafusion/versions.tf
+++ b/modules/datafusion/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataplex-datascan/versions.tf b/modules/dataplex-datascan/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataplex-datascan/versions.tf
+++ b/modules/dataplex-datascan/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataplex/versions.tf b/modules/dataplex/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataplex/versions.tf
+++ b/modules/dataplex/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dataproc/versions.tf b/modules/dataproc/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dataproc/versions.tf
+++ b/modules/dataproc/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dns-response-policy/versions.tf b/modules/dns-response-policy/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dns-response-policy/versions.tf
+++ b/modules/dns-response-policy/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/endpoints/versions.tf b/modules/endpoints/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/endpoints/versions.tf
+++ b/modules/endpoints/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/folder/versions.tf b/modules/folder/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/folder/versions.tf
+++ b/modules/folder/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gcs/versions.tf b/modules/gcs/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gcs/versions.tf
+++ b/modules/gcs/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gcve-private-cloud/versions.tf b/modules/gcve-private-cloud/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gcve-private-cloud/versions.tf
+++ b/modules/gcve-private-cloud/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-cluster-autopilot/versions.tf b/modules/gke-cluster-autopilot/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-cluster-autopilot/versions.tf
+++ b/modules/gke-cluster-autopilot/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-cluster-standard/versions.tf b/modules/gke-cluster-standard/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-cluster-standard/versions.tf
+++ b/modules/gke-cluster-standard/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-hub/versions.tf b/modules/gke-hub/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-hub/versions.tf
+++ b/modules/gke-hub/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/gke-nodepool/versions.tf b/modules/gke-nodepool/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/gke-nodepool/versions.tf
+++ b/modules/gke-nodepool/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/iam-service-account/versions.tf b/modules/iam-service-account/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/iam-service-account/versions.tf
+++ b/modules/iam-service-account/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/kms/versions.tf b/modules/kms/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/kms/versions.tf
+++ b/modules/kms/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/logging-bucket/versions.tf b/modules/logging-bucket/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/logging-bucket/versions.tf
+++ b/modules/logging-bucket/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/ncc-spoke-ra/versions.tf b/modules/ncc-spoke-ra/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/ncc-spoke-ra/versions.tf
+++ b/modules/ncc-spoke-ra/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-address/versions.tf b/modules/net-address/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-address/versions.tf
+++ b/modules/net-address/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-cloudnat/versions.tf b/modules/net-cloudnat/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-cloudnat/versions.tf
+++ b/modules/net-cloudnat/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-firewall-policy/versions.tf b/modules/net-firewall-policy/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-firewall-policy/versions.tf
+++ b/modules/net-firewall-policy/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-ipsec-over-interconnect/versions.tf b/modules/net-ipsec-over-interconnect/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-ipsec-over-interconnect/versions.tf
+++ b/modules/net-ipsec-over-interconnect/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-ext-regional/versions.tf b/modules/net-lb-app-ext-regional/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-ext-regional/versions.tf
+++ b/modules/net-lb-app-ext-regional/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-ext/versions.tf b/modules/net-lb-app-ext/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-ext/versions.tf
+++ b/modules/net-lb-app-ext/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-int-cross-region/versions.tf b/modules/net-lb-app-int-cross-region/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-int-cross-region/versions.tf
+++ b/modules/net-lb-app-int-cross-region/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-app-int/versions.tf b/modules/net-lb-app-int/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-app-int/versions.tf
+++ b/modules/net-lb-app-int/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-ext/versions.tf b/modules/net-lb-ext/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-ext/versions.tf
+++ b/modules/net-lb-ext/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-int/versions.tf b/modules/net-lb-int/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-int/versions.tf
+++ b/modules/net-lb-int/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-lb-proxy-int/versions.tf b/modules/net-lb-proxy-int/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-lb-proxy-int/versions.tf
+++ b/modules/net-lb-proxy-int/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-swp/versions.tf b/modules/net-swp/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-swp/versions.tf
+++ b/modules/net-swp/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vlan-attachment/versions.tf b/modules/net-vlan-attachment/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vlan-attachment/versions.tf
+++ b/modules/net-vlan-attachment/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpc-firewall/versions.tf b/modules/net-vpc-firewall/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpc-firewall/versions.tf
+++ b/modules/net-vpc-firewall/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpc-peering/versions.tf b/modules/net-vpc-peering/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpc-peering/versions.tf
+++ b/modules/net-vpc-peering/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpc/versions.tf b/modules/net-vpc/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpc/versions.tf
+++ b/modules/net-vpc/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpn-dynamic/versions.tf b/modules/net-vpn-dynamic/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpn-dynamic/versions.tf
+++ b/modules/net-vpn-dynamic/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpn-ha/versions.tf b/modules/net-vpn-ha/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpn-ha/versions.tf
+++ b/modules/net-vpn-ha/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/net-vpn-static/versions.tf b/modules/net-vpn-static/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/net-vpn-static/versions.tf
+++ b/modules/net-vpn-static/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/organization/versions.tf b/modules/organization/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/organization/versions.tf
+++ b/modules/organization/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/project/versions.tf b/modules/project/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/project/versions.tf
+++ b/modules/project/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/projects-data-source/versions.tf b/modules/projects-data-source/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/projects-data-source/versions.tf
+++ b/modules/projects-data-source/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/pubsub/versions.tf b/modules/pubsub/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/pubsub/versions.tf
+++ b/modules/pubsub/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/secret-manager/versions.tf b/modules/secret-manager/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/secret-manager/versions.tf
+++ b/modules/secret-manager/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/service-directory/versions.tf b/modules/service-directory/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/service-directory/versions.tf
+++ b/modules/service-directory/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/source-repository/versions.tf b/modules/source-repository/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/source-repository/versions.tf
+++ b/modules/source-repository/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/vpc-sc/versions.tf
+++ b/modules/vpc-sc/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/modules/workstation-cluster/versions.tf b/modules/workstation-cluster/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/modules/workstation-cluster/versions.tf
+++ b/modules/workstation-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }
diff --git a/tests/examples_e2e/setup_module/versions.tf b/tests/examples_e2e/setup_module/versions.tf
index 3d6a43260a..bc9986b3c7 100644
--- a/tests/examples_e2e/setup_module/versions.tf
+++ b/tests/examples_e2e/setup_module/versions.tf
@@ -17,11 +17,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 5.24.0, < 6.0.0" # tftest
+      version = ">= 5.26.0, < 6.0.0" # tftest
     }
   }
 }

From be966c4f3273beff68ad51250ca3b5ae49ecbc35 Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Sun, 28 Apr 2024 22:18:02 +0200
Subject: [PATCH 09/29] Fixed issue with service networking DNS peering (#2246)

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/net-vpc/psa.tf                         | 2 +-
 tests/modules/net_vpc/examples/psa-routes.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/net-vpc/psa.tf b/modules/net-vpc/psa.tf
index 1e44a9accb..913cebfb3a 100644
--- a/modules/net-vpc/psa.tf
+++ b/modules/net-vpc/psa.tf
@@ -28,7 +28,7 @@ locals {
   _psa_peered_domains = flatten([
     for config in local.psa_configs : [
       for v in config.peered_domains : {
-        key              = "${config.key}-${replace(v, ".", "-")}"
+        key              = "${config.key}-${trimsuffix(replace(v, ".", "-"), "-")}"
         dns_suffix       = v
         service_producer = config.service_producer
       }
diff --git a/tests/modules/net_vpc/examples/psa-routes.yaml b/tests/modules/net_vpc/examples/psa-routes.yaml
index c64353b788..a9a8bfddb3 100644
--- a/tests/modules/net_vpc/examples/psa-routes.yaml
+++ b/tests/modules/net_vpc/examples/psa-routes.yaml
@@ -84,9 +84,9 @@ values:
     - servicenetworking-googleapis-com-myrange
     service: servicenetworking.googleapis.com
     timeouts: null
-  module.vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-gcp-example-com-"]:
+  module.vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-gcp-example-com"]:
     dns_suffix: gcp.example.com.
-    name: servicenetworking-googleapis-com-gcp-example-com-
+    name: servicenetworking-googleapis-com-gcp-example-com
     network: my-network
     project: project-id
     service: servicenetworking.googleapis.com

From e1226676fdb5f9bc918e8734ee8348c9b1968963 Mon Sep 17 00:00:00 2001
From: jnahelou <nahelou.jerome@gmail.com>
Date: Tue, 30 Apr 2024 19:21:35 +0200
Subject: [PATCH 10/29] Added missing identity when connectors API is enabled
 (#2248)

---
 modules/project/service-agents.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index 66c95a4640..455287e807 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -121,6 +121,7 @@
   service_agent: "service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com"
 - name: "connectors"
   service_agent: "service-%s@gcp-sa-connectors.iam.gserviceaccount.com"
+  jit: true
 - name: "contactcenteraiplatform"
   service_agent: "service-%s@gcp-sa-ccaip.iam.gserviceaccount.com"
 - name: "contactcenterinsights"

From 27a055a9cbffda216250af736ec2a68241bec12e Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Wed, 1 May 2024 18:50:30 +0200
Subject: [PATCH 11/29] fix factory ingress policies (#2251)

---
 modules/vpc-sc/README.md                   | 23 +++++++++++++++++++---
 modules/vpc-sc/factory.tf                  |  2 +-
 tests/modules/vpc_sc/examples/factory.yaml | 20 ++++++++++++++++++-
 3 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 2bdeebe9fe..fb99c10657 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -233,7 +233,7 @@ module "test" {
         resources           = ["projects/11111", "projects/111111"]
         restricted_services = ["storage.googleapis.com"]
         egress_policies     = ["gcs-sa-foo"]
-        ingress_policies    = ["sa-tf-test"]
+        ingress_policies    = ["sa-tf-test-geo", "sa-tf-test"]
         vpc_accessible_services = {
           allowed_services   = ["storage.googleapis.com"]
           enable_restriction = true
@@ -242,7 +242,7 @@ module "test" {
     }
   }
 }
-# tftest modules=1 resources=3 files=a1,a2,e1,i1 inventory=factory.yaml
+# tftest modules=1 resources=3 files=a1,a2,e1,i1,i2 inventory=factory.yaml
 ```
 
 ```yaml
@@ -282,12 +282,29 @@ from:
     - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
 to:
   operations:
-    - service_name: "*"
+    - service_name: compute.googleapis.com
+      method_selectors:
+        - ProjectsService.Get
+        - RegionsService.Get
   resources:
     - "*"
 # tftest-file id=i1 path=data/ingress-policies/sa-tf-test.yaml
 ```
 
+```yaml
+from:
+  access_levels:
+    - geo-it
+  identities:
+    - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+to:
+  operations:
+    - service_name: "*"
+  resources:
+    - projects/1234567890
+# tftest-file id=i2 path=data/ingress-policies/sa-tf-test-geo.yaml
+```
+
 ## Notes
 
 - To remove an access level, first remove the binding between perimeter and the access level in `status` and/or `spec` without removing the access level itself. Once you have run `terraform apply`, you'll then be able to remove the access level and run `terraform apply` again.
diff --git a/modules/vpc-sc/factory.tf b/modules/vpc-sc/factory.tf
index eca5867a7e..d8a0a53622 100644
--- a/modules/vpc-sc/factory.tf
+++ b/modules/vpc-sc/factory.tf
@@ -74,7 +74,7 @@ locals {
         }, try(v.from, {}))
         to = {
           operations = [
-            for o in try(v.operations, []) : merge({
+            for o in try(v.to.operations, []) : merge({
               method_selectors     = []
               permission_selectors = []
               service_name         = null
diff --git a/tests/modules/vpc_sc/examples/factory.yaml b/tests/modules/vpc_sc/examples/factory.yaml
index 475c4d1e89..4496566709 100644
--- a/tests/modules/vpc_sc/examples/factory.yaml
+++ b/tests/modules/vpc_sc/examples/factory.yaml
@@ -81,9 +81,27 @@ values:
           - access_level: '*'
             resource: null
         ingress_to:
-        - operations: []
+        - operations:
+          - method_selectors:
+            - method: ProjectsService.Get
+              permission: null
+            - method: RegionsService.Get
+              permission: null
+            service_name: compute.googleapis.com
           resources:
           - '*'
+      - ingress_from:
+        - identities:
+          - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+          identity_type: null
+          sources:
+          - resource: null
+        ingress_to:
+        - operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - projects/1234567890
       resources:
       - projects/11111
       - projects/111111

From fdcd309729b6c99f4ce2672e71d64df430529ff8 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Wed, 1 May 2024 20:20:21 +0200
Subject: [PATCH 12/29] add support for labels to GKE backup plans (#2252)

---
 modules/gke-cluster-autopilot/README.md    | 38 +++++++++----------
 modules/gke-cluster-autopilot/main.tf      |  1 +
 modules/gke-cluster-autopilot/variables.tf |  1 +
 modules/gke-cluster-standard/README.md     | 44 +++++++++++-----------
 modules/gke-cluster-standard/main.tf       |  1 +
 modules/gke-cluster-standard/variables.tf  |  1 +
 6 files changed, 45 insertions(+), 41 deletions(-)

diff --git a/modules/gke-cluster-autopilot/README.md b/modules/gke-cluster-autopilot/README.md
index bf8affbe51..0091d6e04d 100644
--- a/modules/gke-cluster-autopilot/README.md
+++ b/modules/gke-cluster-autopilot/README.md
@@ -206,25 +206,25 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L112) | Autopilot clusters are always regional. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L189) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L225) | Cluster project ID. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L241) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    region                            &#61; string&#10;    schedule                          &#61; string&#10;    retention_policy_days             &#61; optional&#40;string&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deletion_protection](variables.tf#L37) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L44) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L50) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun         &#61; optional&#40;bool, false&#41;&#10;  config_connector &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [enable_features](variables.tf#L64) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis            &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization &#61; optional&#40;bool, false&#41;&#10;  cost_management      &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  gateway_api         &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac     &#61; optional&#40;string&#41;&#10;  l4_ilb_subsetting   &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates   &#61; optional&#40;bool&#41;&#10;  pod_security_policy &#61; optional&#40;bool, false&#41;&#10;  allow_net_admin     &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [issue_client_certificate](variables.tf#L100) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L106) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L117) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L128) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [min_master_version](variables.tf#L151) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L157) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L194) | Configuration for nodes and nodepools. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L204) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L211) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L230) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> |  | <code>&#34;REGULAR&#34;</code> |
+| [location](variables.tf#L113) | Autopilot clusters are always regional. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L190) | Cluster name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L226) | Cluster project ID. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L242) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    labels                            &#61; optional&#40;map&#40;string&#41;&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    region                            &#61; string&#10;    schedule                          &#61; string&#10;    retention_policy_days             &#61; optional&#40;string&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deletion_protection](variables.tf#L38) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [description](variables.tf#L45) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [enable_addons](variables.tf#L51) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun         &#61; optional&#40;bool, false&#41;&#10;  config_connector &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [enable_features](variables.tf#L65) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis            &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization &#61; optional&#40;bool, false&#41;&#10;  cost_management      &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  gateway_api         &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac     &#61; optional&#40;string&#41;&#10;  l4_ilb_subsetting   &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates   &#61; optional&#40;bool&#41;&#10;  pod_security_policy &#61; optional&#40;bool, false&#41;&#10;  allow_net_admin     &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [issue_client_certificate](variables.tf#L101) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [labels](variables.tf#L107) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_config](variables.tf#L118) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [maintenance_config](variables.tf#L129) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [min_master_version](variables.tf#L152) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [monitoring_config](variables.tf#L158) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L195) | Configuration for nodes and nodepools. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_locations](variables.tf#L205) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [private_cluster_config](variables.tf#L212) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L231) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | <code>string</code> |  | <code>&#34;REGULAR&#34;</code> |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-autopilot/main.tf b/modules/gke-cluster-autopilot/main.tf
index 825c8739e5..6824d22309 100644
--- a/modules/gke-cluster-autopilot/main.tf
+++ b/modules/gke-cluster-autopilot/main.tf
@@ -322,6 +322,7 @@ resource "google_gke_backup_backup_plan" "backup_plan" {
   cluster  = google_container_cluster.cluster.id
   location = each.value.region
   project  = var.project_id
+  labels   = each.value.labels
   retention_policy {
     backup_delete_lock_days = try(each.value.retention_policy_delete_lock_days)
     backup_retain_days      = try(each.value.retention_policy_days)
diff --git a/modules/gke-cluster-autopilot/variables.tf b/modules/gke-cluster-autopilot/variables.tf
index 570899274e..a31596a6e6 100644
--- a/modules/gke-cluster-autopilot/variables.tf
+++ b/modules/gke-cluster-autopilot/variables.tf
@@ -22,6 +22,7 @@ variable "backup_configs" {
       encryption_key                    = optional(string)
       include_secrets                   = optional(bool, true)
       include_volume_data               = optional(bool, true)
+      labels                            = optional(map(string))
       namespaces                        = optional(list(string))
       region                            = string
       schedule                          = string
diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index c53017267f..dd8ad0f444 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -310,28 +310,28 @@ module "cluster-1" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [location](variables.tf#L234) | Cluster zone or region. | <code>string</code> | ✓ |  |
-| [name](variables.tf#L369) | Cluster name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L405) | Cluster project id. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L416) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [cluster_autoscaling](variables.tf#L38) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  enabled             &#61; optional&#40;bool, true&#41;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [default_nodepool](variables.tf#L117) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deletion_protection](variables.tf#L135) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
-| [description](variables.tf#L142) | Cluster description. | <code>string</code> |  | <code>null</code> |
-| [enable_addons](variables.tf#L148) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [enable_features](variables.tf#L172) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [issue_client_certificate](variables.tf#L222) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
-| [labels](variables.tf#L228) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [logging_config](variables.tf#L239) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [maintenance_config](variables.tf#L260) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [max_pods_per_node](variables.tf#L283) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
-| [min_master_version](variables.tf#L289) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
-| [monitoring_config](variables.tf#L295) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_config](variables.tf#L374) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [node_locations](variables.tf#L384) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [private_cluster_config](variables.tf#L391) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [release_channel](variables.tf#L410) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
+| [location](variables.tf#L235) | Cluster zone or region. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L370) | Cluster name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L406) | Cluster project id. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L417) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network                &#61; string&#10;  subnetwork             &#61; string&#10;  master_ipv4_cidr_block &#61; optional&#40;string&#41;&#10;  secondary_range_blocks &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#41;&#10;  secondary_range_names &#61; optional&#40;object&#40;&#123;&#10;    pods     &#61; optional&#40;string, &#34;pods&#34;&#41;&#10;    services &#61; optional&#40;string, &#34;services&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  master_authorized_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;  stack_type               &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [backup_configs](variables.tf#L17) | Configuration for Backup for GKE. | <code title="object&#40;&#123;&#10;  enable_backup_agent &#61; optional&#40;bool, false&#41;&#10;  backup_plans &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region                            &#61; string&#10;    applications                      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;&#41;&#10;    encryption_key                    &#61; optional&#40;string&#41;&#10;    include_secrets                   &#61; optional&#40;bool, true&#41;&#10;    include_volume_data               &#61; optional&#40;bool, true&#41;&#10;    labels                            &#61; optional&#40;map&#40;string&#41;&#41;&#10;    namespaces                        &#61; optional&#40;list&#40;string&#41;&#41;&#10;    schedule                          &#61; optional&#40;string&#41;&#10;    retention_policy_days             &#61; optional&#40;number&#41;&#10;    retention_policy_lock             &#61; optional&#40;bool, false&#41;&#10;    retention_policy_delete_lock_days &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [cluster_autoscaling](variables.tf#L39) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | <code title="object&#40;&#123;&#10;  enabled             &#61; optional&#40;bool, true&#41;&#10;  autoscaling_profile &#61; optional&#40;string, &#34;BALANCED&#34;&#41;&#10;  auto_provisioning_defaults &#61; optional&#40;object&#40;&#123;&#10;    boot_disk_kms_key &#61; optional&#40;string&#41;&#10;    disk_size         &#61; optional&#40;number&#41;&#10;    disk_type         &#61; optional&#40;string, &#34;pd-standard&#34;&#41;&#10;    image_type        &#61; optional&#40;string&#41;&#10;    oauth_scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;    service_account   &#61; optional&#40;string&#41;&#10;    management &#61; optional&#40;object&#40;&#123;&#10;      auto_repair  &#61; optional&#40;bool, true&#41;&#10;      auto_upgrade &#61; optional&#40;bool, true&#41;&#10;    &#125;&#41;&#41;&#10;    shielded_instance_config &#61; optional&#40;object&#40;&#123;&#10;      integrity_monitoring &#61; optional&#40;bool, true&#41;&#10;      secure_boot          &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    upgrade_settings &#61; optional&#40;object&#40;&#123;&#10;      blue_green &#61; optional&#40;object&#40;&#123;&#10;        node_pool_soak_duration &#61; optional&#40;string&#41;&#10;        standard_rollout_policy &#61; optional&#40;object&#40;&#123;&#10;          batch_percentage    &#61; optional&#40;number&#41;&#10;          batch_node_count    &#61; optional&#40;number&#41;&#10;          batch_soak_duration &#61; optional&#40;string&#41;&#10;        &#125;&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      surge &#61; optional&#40;object&#40;&#123;&#10;        max         &#61; optional&#40;number&#41;&#10;        unavailable &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  cpu_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  mem_limits &#61; optional&#40;object&#40;&#123;&#10;    min &#61; number&#10;    max &#61; number&#10;  &#125;&#41;&#41;&#10;  gpu_resources &#61; optional&#40;list&#40;object&#40;&#123;&#10;    resource_type &#61; string&#10;    min           &#61; number&#10;    max           &#61; number&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [default_nodepool](variables.tf#L118) | Enable default nodepool. | <code title="object&#40;&#123;&#10;  remove_pool        &#61; optional&#40;bool, true&#41;&#10;  initial_node_count &#61; optional&#40;number, 1&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deletion_protection](variables.tf#L136) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | <code>bool</code> |  | <code>true</code> |
+| [description](variables.tf#L143) | Cluster description. | <code>string</code> |  | <code>null</code> |
+| [enable_addons](variables.tf#L149) | Addons enabled in the cluster (true means enabled). | <code title="object&#40;&#123;&#10;  cloudrun                       &#61; optional&#40;bool, false&#41;&#10;  config_connector               &#61; optional&#40;bool, false&#41;&#10;  dns_cache                      &#61; optional&#40;bool, false&#41;&#10;  gce_persistent_disk_csi_driver &#61; optional&#40;bool, false&#41;&#10;  gcp_filestore_csi_driver       &#61; optional&#40;bool, false&#41;&#10;  gcs_fuse_csi_driver            &#61; optional&#40;bool, false&#41;&#10;  horizontal_pod_autoscaling     &#61; optional&#40;bool, false&#41;&#10;  http_load_balancing            &#61; optional&#40;bool, false&#41;&#10;  istio &#61; optional&#40;object&#40;&#123;&#10;    enable_tls &#61; bool&#10;  &#125;&#41;&#41;&#10;  kalm           &#61; optional&#40;bool, false&#41;&#10;  network_policy &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  horizontal_pod_autoscaling &#61; true&#10;  http_load_balancing        &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [enable_features](variables.tf#L173) | Enable cluster-level features. Certain features allow configuration. | <code title="object&#40;&#123;&#10;  beta_apis                         &#61; optional&#40;list&#40;string&#41;&#41;&#10;  binary_authorization              &#61; optional&#40;bool, false&#41;&#10;  cilium_clusterwide_network_policy &#61; optional&#40;bool, false&#41;&#10;  cost_management                   &#61; optional&#40;bool, false&#41;&#10;  dns &#61; optional&#40;object&#40;&#123;&#10;    provider &#61; optional&#40;string&#41;&#10;    scope    &#61; optional&#40;string&#41;&#10;    domain   &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  database_encryption &#61; optional&#40;object&#40;&#123;&#10;    state    &#61; string&#10;    key_name &#61; string&#10;  &#125;&#41;&#41;&#10;  dataplane_v2         &#61; optional&#40;bool, false&#41;&#10;  fqdn_network_policy  &#61; optional&#40;bool, false&#41;&#10;  gateway_api          &#61; optional&#40;bool, false&#41;&#10;  groups_for_rbac      &#61; optional&#40;string&#41;&#10;  image_streaming      &#61; optional&#40;bool, false&#41;&#10;  intranode_visibility &#61; optional&#40;bool, false&#41;&#10;  l4_ilb_subsetting    &#61; optional&#40;bool, false&#41;&#10;  mesh_certificates    &#61; optional&#40;bool&#41;&#10;  pod_security_policy  &#61; optional&#40;bool, false&#41;&#10;  resource_usage_export &#61; optional&#40;object&#40;&#123;&#10;    dataset                              &#61; string&#10;    enable_network_egress_metering       &#61; optional&#40;bool&#41;&#10;    enable_resource_consumption_metering &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  service_external_ips &#61; optional&#40;bool, true&#41;&#10;  shielded_nodes       &#61; optional&#40;bool, false&#41;&#10;  tpu                  &#61; optional&#40;bool, false&#41;&#10;  upgrade_notifications &#61; optional&#40;object&#40;&#123;&#10;    topic_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  vertical_pod_autoscaling &#61; optional&#40;bool, false&#41;&#10;  workload_identity        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  workload_identity &#61; true&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [issue_client_certificate](variables.tf#L223) | Enable issuing client certificate. | <code>bool</code> |  | <code>false</code> |
+| [labels](variables.tf#L229) | Cluster resource labels. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_config](variables.tf#L240) | Logging configuration. | <code title="object&#40;&#123;&#10;  enable_system_logs             &#61; optional&#40;bool, true&#41;&#10;  enable_workloads_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_api_server_logs         &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_logs          &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_logs &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [maintenance_config](variables.tf#L261) | Maintenance window configuration. | <code title="object&#40;&#123;&#10;  daily_window_start_time &#61; optional&#40;string&#41;&#10;  recurring_window &#61; optional&#40;object&#40;&#123;&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    recurrence &#61; string&#10;  &#125;&#41;&#41;&#10;  maintenance_exclusions &#61; optional&#40;list&#40;object&#40;&#123;&#10;    name       &#61; string&#10;    start_time &#61; string&#10;    end_time   &#61; string&#10;    scope      &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  daily_window_start_time &#61; &#34;03:00&#34;&#10;  recurring_window        &#61; null&#10;  maintenance_exclusion   &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [max_pods_per_node](variables.tf#L284) | Maximum number of pods per node in this cluster. | <code>number</code> |  | <code>110</code> |
+| [min_master_version](variables.tf#L290) | Minimum version of the master, defaults to the version of the most recent official release. | <code>string</code> |  | <code>null</code> |
+| [monitoring_config](variables.tf#L296) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | <code title="object&#40;&#123;&#10;  enable_system_metrics &#61; optional&#40;bool, true&#41;&#10;  enable_api_server_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_controller_manager_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_scheduler_metrics          &#61; optional&#40;bool, false&#41;&#10;  enable_daemonset_metrics   &#61; optional&#40;bool, false&#41;&#10;  enable_deployment_metrics  &#61; optional&#40;bool, false&#41;&#10;  enable_hpa_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_pod_metrics         &#61; optional&#40;bool, false&#41;&#10;  enable_statefulset_metrics &#61; optional&#40;bool, false&#41;&#10;  enable_storage_metrics     &#61; optional&#40;bool, false&#41;&#10;  enable_managed_prometheus &#61; optional&#40;bool, true&#41;&#10;  advanced_datapath_observability &#61; optional&#40;object&#40;&#123;&#10;    enable_metrics &#61; bool&#10;    enable_relay   &#61; optional&#40;bool&#41;&#10;    relay_mode     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_config](variables.tf#L375) | Node-level configuration. | <code title="object&#40;&#123;&#10;  boot_disk_kms_key &#61; optional&#40;string&#41;&#10;  service_account   &#61; optional&#40;string&#41;&#10;  tags              &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [node_locations](variables.tf#L385) | Zones in which the cluster's nodes are located. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [private_cluster_config](variables.tf#L392) | Private cluster configuration. | <code title="object&#40;&#123;&#10;  enable_private_endpoint &#61; optional&#40;bool&#41;&#10;  master_global_access    &#61; optional&#40;bool&#41;&#10;  peering_config &#61; optional&#40;object&#40;&#123;&#10;    export_routes &#61; optional&#40;bool&#41;&#10;    import_routes &#61; optional&#40;bool&#41;&#10;    project_id    &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [release_channel](variables.tf#L411) | Release channel for GKE upgrades. | <code>string</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index 99db49f80d..bc743fc5ce 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -511,6 +511,7 @@ resource "google_gke_backup_backup_plan" "backup_plan" {
   cluster  = google_container_cluster.cluster.id
   location = each.value.region
   project  = var.project_id
+  labels   = each.value.labels
   retention_policy {
     backup_delete_lock_days = try(each.value.retention_policy_delete_lock_days)
     backup_retain_days      = try(each.value.retention_policy_days)
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index 5580320f8f..2436b467cd 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -24,6 +24,7 @@ variable "backup_configs" {
       encryption_key                    = optional(string)
       include_secrets                   = optional(bool, true)
       include_volume_data               = optional(bool, true)
+      labels                            = optional(map(string))
       namespaces                        = optional(list(string))
       schedule                          = optional(string)
       retention_policy_days             = optional(number)

From dccf5735c58f26fb08814eff7845ebab1297ac30 Mon Sep 17 00:00:00 2001
From: simonebruzzechesse
 <60114646+simonebruzzechesse@users.noreply.github.com>
Date: Thu, 2 May 2024 08:09:10 +0200
Subject: [PATCH 13/29] fis issues with private workstation-cluster module and
 persistent_directories (#2247)

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/workstation-cluster/README.md |  3 +++
 modules/workstation-cluster/main.tf   | 21 ++++++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/modules/workstation-cluster/README.md b/modules/workstation-cluster/README.md
index cf45451479..05a0acdea2 100644
--- a/modules/workstation-cluster/README.md
+++ b/modules/workstation-cluster/README.md
@@ -59,6 +59,9 @@ module "workstation-cluster" {
   }
   workstation_configs = {
     my-workstation-config = {
+      gce_instance = {
+        disable_public_ip_addresses = true
+      }
       workstations = {
         my-workstation = {
           labels = {
diff --git a/modules/workstation-cluster/main.tf b/modules/workstation-cluster/main.tf
index 07399df4c8..b26a9fe579 100644
--- a/modules/workstation-cluster/main.tf
+++ b/modules/workstation-cluster/main.tf
@@ -70,8 +70,8 @@ resource "google_workstations_workstation_config" "configs" {
         pool_size                    = each.value.gce_instance.pool_size
         boot_disk_size_gb            = each.value.gce_instance.boot_disk_size_gb
         tags                         = each.value.gce_instance.tags
-        disable_public_ip_addresses  = each.value.disable_public_ip_addresses
-        enable_nested_virtualization = each.value.enable_nested_virtualization
+        disable_public_ip_addresses  = each.value.gce_instance.disable_public_ip_addresses
+        enable_nested_virtualization = each.value.gce_instance.enable_nested_virtualization
         dynamic "shielded_instance_config" {
           for_each = each.value.gce_instance.shielded_instance_config == null ? [] : [""]
           content {
@@ -81,7 +81,7 @@ resource "google_workstations_workstation_config" "configs" {
           }
         }
         dynamic "confidential_instance_config" {
-          for_each = each.value.gce_instance.enable_confidential_compute ? [] : [""]
+          for_each = each.value.gce_instance.enable_confidential_compute ? [""] : []
           content {
             enable_confidential_compute = true
           }
@@ -114,6 +114,21 @@ resource "google_workstations_workstation_config" "configs" {
       kms_key_service_account = each.value.encryption_key.kms_key_service_account
     }
   }
+  dynamic "persistent_directories" {
+    for_each = each.value.persistent_directories
+    content {
+      mount_path = persistent_directories.value.mount_path
+      dynamic "gce_pd" {
+        for_each = persistent_directories.value.gce_pd == null ? [] : [""]
+        content {
+          size_gb        = persistent_directories.value.gce_pd.size_gb
+          fs_type        = persistent_directories.value.gce_pd.fs_type
+          disk_type      = persistent_directories.value.gce_pd.disk_type
+          reclaim_policy = persistent_directories.value.gce_pd.reclaim_policy
+        }
+      }
+    }
+  }
 }
 
 resource "google_workstations_workstation" "workstations" {

From 94c32c1d71e96d8332b8e74f71045aa4e4b5e0a6 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 2 May 2024 08:56:26 +0200
Subject: [PATCH 14/29] Misc FAST fixes (#2253)

* Misc FAST fixes

* Fix readme

* Fix FAST nva bgp tests
---
 .../0-bootstrap-tenant/README.md              |  2 +-
 .../0-bootstrap-tenant/variables.tf           |  4 ++--
 fast/stages/0-bootstrap/README.md             | 18 +++++++++++++--
 fast/stages/0-bootstrap/variables.tf          |  2 +-
 fast/stages/1-resman/README.md                | 22 +++++++++----------
 fast/stages/1-resman/outputs.tf               |  2 +-
 fast/stages/1-resman/variables.tf             | 17 +++++---------
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 .../data/hierarchical-ingress-rules.yaml      |  4 ++--
 tests/fast/stages/s0_bootstrap/checklist.yaml | 22 +++++++++----------
 tests/fast/stages/s0_bootstrap/simple.yaml    |  2 +-
 tests/fast/stages/s1_resman/checklist.tfvars  |  2 +-
 tests/fast/stages/s1_resman/simple.tfvars     |  2 +-
 .../s2_networking_a_peering/simple.tfvars     |  2 +-
 .../stages/s2_networking_b_vpn/simple.tfvars  |  2 +-
 .../stages/s2_networking_c_nva/simple.tfvars  |  2 +-
 .../simple.tfvars                             |  2 +-
 .../s2_networking_e_nva_bgp/simple.tfvars     |  2 +-
 .../s2_networking_e_nva_bgp/simple.yaml       |  3 ++-
 .../s0_bootstrap_tenant/simple.tfvars         |  2 +-
 .../s1_resman_tenant/simple.tfvars            |  2 +-
 24 files changed, 71 insertions(+), 61 deletions(-)

diff --git a/fast/stages-multitenant/0-bootstrap-tenant/README.md b/fast/stages-multitenant/0-bootstrap-tenant/README.md
index 9e3a74d84a..a1b3ba367b 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/README.md
+++ b/fast/stages-multitenant/0-bootstrap-tenant/README.md
@@ -208,7 +208,7 @@ This configuration is possible but unsupported and only exists for development p
 | [custom_roles](variables.tf#L95) | Custom roles defined at the organization level, in key => id format. | <code title="object&#40;&#123;&#10;  service_project_network_admin &#61; string&#10;  tenant_network_admin          &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [fast_features](variables.tf#L105) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, true&#41;&#10;  gke             &#61; optional&#40;bool, true&#41;&#10;  project_factory &#61; optional&#40;bool, true&#41;&#10;  sandbox         &#61; optional&#40;bool, true&#41;&#10;  teams           &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [federated_identity_providers](variables.tf#L119) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | <code title="map&#40;object&#40;&#123;&#10;  attribute_condition &#61; optional&#40;string&#41;&#10;  issuer              &#61; string&#10;  custom_settings &#61; optional&#40;object&#40;&#123;&#10;    issuer_uri &#61; optional&#40;string&#41;&#10;    audiences  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-devops          &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins  &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10;  gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [groups](variables.tf#L133) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-devops          &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins  &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-security-admins &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
 | [iam](variables.tf#L146) | Tenant-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_bindings_additive](variables.tf#L152) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L167) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/fast/stages-multitenant/0-bootstrap-tenant/variables.tf b/fast/stages-multitenant/0-bootstrap-tenant/variables.tf
index 74daa0a9f1..5fa964beee 100644
--- a/fast/stages-multitenant/0-bootstrap-tenant/variables.tf
+++ b/fast/stages-multitenant/0-bootstrap-tenant/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -136,7 +136,7 @@ variable "groups" {
   description = "Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated."
   type = object({
     gcp-devops          = optional(string, "gcp-devops")
-    gcp-network-admins  = optional(string, "gcp-network-admins")
+    gcp-network-admins  = optional(string, "gcp-vpc-network-admins")
     gcp-security-admins = optional(string, "gcp-security-admins")
   })
   nullable = false
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index ee5c7f52e7..43060232fe 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -39,6 +39,7 @@ Use the following diagram as a simple high level reference for the following sec
   - [Log sinks and log destinations](#log-sinks-and-log-destinations)
   - [Names and naming convention](#names-and-naming-convention)
   - [Workload Identity Federation](#workload-identity-federation)
+  - [Project folders](#project-folders)
   - [CI/CD repositories](#cicd-repositories)
   - [Toggling features](#toggling-features)
 - [Files](#files)
@@ -533,6 +534,18 @@ workload_identity_providers = {
 }
 ```
 
+### Project folders
+
+By default this stage creates all its projects directly under the orgaization node. If desired, projects can be moved under a folder using the `project_parent_ids` variable.
+
+```tfvars
+project_parent_ids = {
+  automation = "folders/1234567890"
+  billing    = "folders/9876543210"
+  logging    = "folders/1234567890"
+}
+```
+
 ### CI/CD repositories
 
 FAST is designed to directly support running in automated workflows from separate repositories for each stage. The `cicd_repositories` variable allows you to configure impersonation from external repositories leveraging Workload identity Federation, and pre-configures a FAST workflow file that can be used to validate and apply the code in each repository.
@@ -595,9 +608,10 @@ The remaining configuration is manual, as it regards the repositories themselves
 
 Some FAST features can be enabled or disabled using the `fast_features` variables. While this variable is not directly used in the bootstrap stage, it can instruct the following stages to create certain resources only if needed.
 
-The `fast_features` variable consists of 4 toggles:
+The `fast_features` variable consists of 6 toggles:
 
 - **`data_platform`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-data-platform](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-data-platform) stage
+- **`gcve`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gcve](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gcve) stage
 - **`gke`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-gke-multitenant](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-gke-multitenant) stage
 - **`project_factory`** controls the creation of required resources (folders, service accounts, buckets, IAM bindings) to deploy the [3-project-factory](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/3-project-factory) stage
 - **`sandbox`** controls the creation of a "Sandbox" top level folder with relaxed policies, intended for sandbox environments where users can experiment
@@ -636,7 +650,7 @@ The `fast_features` variable consists of 4 toggles:
 | [essential_contacts](variables.tf#L86) | Email used for essential contacts, unset if null. | <code>string</code> |  | <code>null</code> |  |
 | [factories_config](variables.tf#L92) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10;  checklist_data    &#61; optional&#40;string&#41;&#10;  checklist_org_iam &#61; optional&#40;string&#41;&#10;  custom_roles      &#61; optional&#40;string, &#34;data&#47;custom-roles&#34;&#41;&#10;  org_policy        &#61; optional&#40;string, &#34;data&#47;org-policies&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_features](variables.tf#L104) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, false&#41;&#10;  gcve            &#61; optional&#40;bool, false&#41;&#10;  gke             &#61; optional&#40;bool, false&#41;&#10;  project_factory &#61; optional&#40;bool, false&#41;&#10;  sandbox         &#61; optional&#40;bool, false&#41;&#10;  teams           &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;  gcp-support &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [groups](variables.tf#L118) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;  gcp-support &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam](variables.tf#L134) | Organization-level custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index b769f1088f..26ec513ac9 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -121,7 +121,7 @@ variable "groups" {
   type = object({
     gcp-billing-admins      = optional(string, "gcp-billing-admins")
     gcp-devops              = optional(string, "gcp-devops")
-    gcp-network-admins      = optional(string, "gcp-network-admins")
+    gcp-network-admins      = optional(string, "gcp-vpc-network-admins")
     gcp-organization-admins = optional(string, "gcp-organization-admins")
     gcp-security-admins     = optional(string, "gcp-security-admins")
     # aliased to gcp-devops as the checklist does not create it
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 6b7836fd8b..5ac024870b 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -358,21 +358,21 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | <code title="object&#40;&#123;&#10;  outputs_bucket          &#61; string&#10;  project_id              &#61; string&#10;  project_number          &#61; string&#10;  federated_identity_pool &#61; string&#10;  federated_identity_providers &#61; map&#40;object&#40;&#123;&#10;    audiences        &#61; list&#40;string&#41;&#10;    issuer           &#61; string&#10;    issuer_uri       &#61; string&#10;    name             &#61; string&#10;    principal_branch &#61; string&#10;    principal_repo   &#61; string&#10;  &#125;&#41;&#41;&#10;  service_accounts &#61; object&#40;&#123;&#10;    resman-r &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
 | [billing_account](variables.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | <code title="object&#40;&#123;&#10;  id           &#61; string&#10;  is_org_level &#61; optional&#40;bool, true&#41;&#10;  no_iam       &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [organization](variables.tf#L232) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
-| [prefix](variables.tf#L248) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
+| [organization](variables.tf#L227) | Organization details. | <code title="object&#40;&#123;&#10;  domain      &#61; string&#10;  id          &#61; number&#10;  customer_id &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  | <code>0-bootstrap</code> |
+| [prefix](variables.tf#L243) | Prefix used for resources that need unique names. Use 9 characters or less. | <code>string</code> | ✓ |  | <code>0-bootstrap</code> |
 | [cicd_repositories](variables.tf#L53) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | <code title="object&#40;&#123;&#10;  data_platform_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  data_platform_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gke_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gke_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gcve_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  gcve_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  networking &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  project_factory_dev &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  project_factory_prod &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  security &#61; optional&#40;object&#40;&#123;&#10;    name              &#61; string&#10;    type              &#61; string&#10;    branch            &#61; optional&#40;string&#41;&#10;    identity_provider &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
 | [custom_roles](variables.tf#L147) | Custom roles defined at the org level, in key => id format. | <code title="object&#40;&#123;&#10;  gcve_network_admin            &#61; string&#10;  organization_admin_viewer     &#61; string&#10;  service_project_network_admin &#61; string&#10;  storage_viewer                &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> | <code>0-bootstrap</code> |
 | [factories_config](variables.tf#L159) | Configuration for the resource factories or external data. | <code title="object&#40;&#123;&#10;  checklist_data &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [fast_features](variables.tf#L168) | Selective control for top-level FAST features. | <code title="object&#40;&#123;&#10;  data_platform   &#61; optional&#40;bool, false&#41;&#10;  gke             &#61; optional&#40;bool, false&#41;&#10;  gcve            &#61; optional&#40;bool, false&#41;&#10;  project_factory &#61; optional&#40;bool, false&#41;&#10;  sandbox         &#61; optional&#40;bool, false&#41;&#10;  teams           &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-0-bootstrap</code> |
 | [folder_iam](variables.tf#L183) | Authoritative IAM for top-level folders. | <code title="object&#40;&#123;&#10;  data_platform &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  gcve          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  gke           &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  sandbox       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  security      &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  network       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  teams         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  tenants       &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
-| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; string&#10;  gcs     &#61; string&#10;  logging &#61; string&#10;  pubsub  &#61; list&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  bq      &#61; &#34;EU&#34;&#10;  gcs     &#61; &#34;EU&#34;&#10;  logging &#61; &#34;global&#34;&#10;  pubsub  &#61; &#91;&#93;&#10;&#125;">&#123;&#8230;&#125;</code> | <code>0-bootstrap</code> |
-| [outputs_location](variables.tf#L242) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
-| [tag_names](variables.tf#L259) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10;  context     &#61; optional&#40;string, &#34;context&#34;&#41;&#10;  environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;  tenant      &#61; optional&#40;string, &#34;tenant&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [tags](variables.tf#L274) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [team_folders](variables.tf#L295) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name         &#61; string&#10;  iam_by_principals        &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_principals &#61; list&#40;string&#41;&#10;  cicd &#61; optional&#40;object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
-| [tenants](variables.tf#L311) | Lightweight tenant definitions. | <code title="map&#40;object&#40;&#123;&#10;  admin_principal  &#61; string&#10;  descriptive_name &#61; string&#10;  billing_account  &#61; optional&#40;string&#41;&#10;  organization &#61; optional&#40;object&#40;&#123;&#10;    customer_id &#61; string&#10;    domain      &#61; string&#10;    id          &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [tenants_config](variables.tf#L327) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | <code title="object&#40;&#123;&#10;  core_folder_roles   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  tenant_folder_roles &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  top_folder_roles    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [groups](variables.tf#L199) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | <code title="object&#40;&#123;&#10;  gcp-billing-admins      &#61; optional&#40;string, &#34;gcp-billing-admins&#34;&#41;&#10;  gcp-devops              &#61; optional&#40;string, &#34;gcp-devops&#34;&#41;&#10;  gcp-network-admins      &#61; optional&#40;string, &#34;gcp-vpc-network-admins&#34;&#41;&#10;  gcp-organization-admins &#61; optional&#40;string, &#34;gcp-organization-admins&#34;&#41;&#10;  gcp-security-admins     &#61; optional&#40;string, &#34;gcp-security-admins&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [locations](variables.tf#L214) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> | <code>0-bootstrap</code> |
+| [outputs_location](variables.tf#L237) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
+| [tag_names](variables.tf#L254) | Customized names for resource management tags. | <code title="object&#40;&#123;&#10;  context     &#61; optional&#40;string, &#34;context&#34;&#41;&#10;  environment &#61; optional&#40;string, &#34;environment&#34;&#41;&#10;  tenant      &#61; optional&#40;string, &#34;tenant&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [tags](variables.tf#L269) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [team_folders](variables.tf#L290) | Team folders to be created. Format is described in a code comment. | <code title="map&#40;object&#40;&#123;&#10;  descriptive_name         &#61; string&#10;  iam_by_principals        &#61; map&#40;list&#40;string&#41;&#41;&#10;  impersonation_principals &#61; list&#40;string&#41;&#10;  cicd &#61; optional&#40;object&#40;&#123;&#10;    branch            &#61; string&#10;    identity_provider &#61; string&#10;    name              &#61; string&#10;    type              &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>null</code> |  |
+| [tenants](variables.tf#L306) | Lightweight tenant definitions. | <code title="map&#40;object&#40;&#123;&#10;  admin_principal  &#61; string&#10;  descriptive_name &#61; string&#10;  billing_account  &#61; optional&#40;string&#41;&#10;  organization &#61; optional&#40;object&#40;&#123;&#10;    customer_id &#61; string&#10;    domain      &#61; string&#10;    id          &#61; number&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [tenants_config](variables.tf#L322) | Lightweight tenants shared configuration. Roles will be assigned to tenant admin group and service accounts. | <code title="object&#40;&#123;&#10;  core_folder_roles   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  tenant_folder_roles &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  top_folder_roles    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 
@@ -380,7 +380,7 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
 |---|---|:---:|---|
 | [cicd_repositories](outputs.tf#L391) | WIF configuration for CI/CD repositories. |  |  |
 | [dataplatform](outputs.tf#L405) | Data for the Data Platform stage. |  |  |
-| [gcve](outputs.tf#L421) | Data for the GCVE stage. |  | <code>03-gke-multitenant</code> |
+| [gcve](outputs.tf#L421) | Data for the GCVE stage. |  | <code>03-gcve</code> |
 | [gke_multitenant](outputs.tf#L442) | Data for the GKE multitenant stage. |  | <code>03-gke-multitenant</code> |
 | [networking](outputs.tf#L463) | Data for the networking stage. |  |  |
 | [project_factories](outputs.tf#L472) | Data for the project factories stage. |  |  |
diff --git a/fast/stages/1-resman/outputs.tf b/fast/stages/1-resman/outputs.tf
index 31e9590203..de411b9115 100644
--- a/fast/stages/1-resman/outputs.tf
+++ b/fast/stages/1-resman/outputs.tf
@@ -419,7 +419,7 @@ output "dataplatform" {
 }
 
 output "gcve" {
-  # tfdoc:output:consumers 03-gke-multitenant
+  # tfdoc:output:consumers 03-gcve
   description = "Data for the GCVE stage."
   value = (
     var.fast_features.gcve
diff --git a/fast/stages/1-resman/variables.tf b/fast/stages/1-resman/variables.tf
index 8417466730..3256b9bb74 100644
--- a/fast/stages/1-resman/variables.tf
+++ b/fast/stages/1-resman/variables.tf
@@ -203,7 +203,7 @@ variable "groups" {
   type = object({
     gcp-billing-admins      = optional(string, "gcp-billing-admins")
     gcp-devops              = optional(string, "gcp-devops")
-    gcp-network-admins      = optional(string, "gcp-network-admins")
+    gcp-network-admins      = optional(string, "gcp-vpc-network-admins")
     gcp-organization-admins = optional(string, "gcp-organization-admins")
     gcp-security-admins     = optional(string, "gcp-security-admins")
   })
@@ -215,18 +215,13 @@ variable "locations" {
   # tfdoc:variable:source 0-bootstrap
   description = "Optional locations for GCS, BigQuery, and logging buckets created here."
   type = object({
-    bq      = string
-    gcs     = string
-    logging = string
-    pubsub  = list(string)
+    bq      = optional(string, "EU")
+    gcs     = optional(string, "EU")
+    logging = optional(string, "global")
+    pubsub  = optional(list(string), [])
   })
-  default = {
-    bq      = "EU"
-    gcs     = "EU"
-    logging = "global"
-    pubsub  = []
-  }
   nullable = false
+  default  = {}
 }
 
 variable "organization" {
diff --git a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml
index 93d42fbee8..e444dd3f0b 100644
--- a/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-a-peering/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-b-vpn/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-c-nva/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-d-separate-envs/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml
index 0504f376c8..817be2e99d 100644
--- a/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml
+++ b/fast/stages/2-networking-e-nva-bgp/data/hierarchical-ingress-rules.yaml
@@ -11,14 +11,14 @@
 #       - rfc1918
 
 allow-healthchecks:
-  description: Enable HTTP and HTTPS healthchecks
+  description: Enable SSH, HTTP and HTTPS healthchecks
   priority: 1001
   match:
     source_ranges:
       - healthchecks
     layer4_configs:
       - protocol: tcp
-        ports: ["80", "443"]
+        ports: ["22", "80", "443"]
 
 allow-ssh-from-iap:
   description: Enable SSH from IAP
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 8c24a1fdfe..0b1d71d48f 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -55,9 +55,9 @@ values:
   module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
     condition: []
     members:
-    - group:gcp-network-admins@fast.example.com
     - group:gcp-organization-admins@fast.example.com
     - group:gcp-security-admins@fast.example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/cloudasset.owner
   module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
@@ -70,8 +70,8 @@ values:
     condition: []
     members:
     - group:gcp-devops@fast.example.com
-    - group:gcp-network-admins@fast.example.com
     - group:gcp-security-admins@fast.example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/cloudsupport.techSupportEditor
   module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
@@ -131,7 +131,7 @@ values:
     condition: []
     members:
     - group:gcp-devops@fast.example.com
-    - group:gcp-network-admins@fast.example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
     - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
     org_id: '123456789012'
@@ -240,19 +240,19 @@ values:
     member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
     org_id: '123456789012'
     role: roles/billing.viewer
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.networkAdmin
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.orgFirewallPolicyAdmin
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.securityAdmin
   ? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"]
@@ -260,9 +260,9 @@ values:
     member: group:gcp-security-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.viewer
-  ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-network-admins@fast.example.com"]
+  ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
   : condition: []
-    member: group:gcp-network-admins@fast.example.com
+    member: group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/compute.xpnAdmin
   ? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"]
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 69908ad358..bdc0ec68cb 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -16,9 +16,9 @@ values:
   module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
     condition: []
     members:
-    - group:gcp-network-admins@fast.example.com
     - group:gcp-security-admins@fast.example.com
     - group:gcp-support@example.com
+    - group:gcp-vpc-network-admins@fast.example.com
     org_id: '123456789012'
     role: roles/cloudsupport.techSupportEditor
   module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars
index 88df6b629c..0e303043d1 100644
--- a/tests/fast/stages/s1_resman/checklist.tfvars
+++ b/tests/fast/stages/s1_resman/checklist.tfvars
@@ -24,7 +24,7 @@ factories_config = {
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",
   gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-network-admins",
+  gcp-network-admins      = "gcp-vpc-network-admins",
   gcp-organization-admins = "gcp-organization-admins",
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars
index 9cb8528817..8086201d88 100644
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -21,7 +21,7 @@ custom_roles = {
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",
   gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-network-admins",
+  gcp-network-admins      = "gcp-vpc-network-admins",
   gcp-organization-admins = "gcp-organization-admins",
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
diff --git a/tests/fast/stages/s2_networking_a_peering/simple.tfvars b/tests/fast/stages/s2_networking_a_peering/simple.tfvars
index bdff7a433f..9a117062e3 100644
--- a/tests/fast/stages/s2_networking_a_peering/simple.tfvars
+++ b/tests/fast/stages/s2_networking_a_peering/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_b_vpn/simple.tfvars b/tests/fast/stages/s2_networking_b_vpn/simple.tfvars
index 24d3a8e039..b9c4ec9ddb 100644
--- a/tests/fast/stages/s2_networking_b_vpn/simple.tfvars
+++ b/tests/fast/stages/s2_networking_b_vpn/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_c_nva/simple.tfvars b/tests/fast/stages/s2_networking_c_nva/simple.tfvars
index fca8913f8a..c2a9cef0bd 100644
--- a/tests/fast/stages/s2_networking_c_nva/simple.tfvars
+++ b/tests/fast/stages/s2_networking_c_nva/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars b/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars
index 071011dd5e..8522e2b2f0 100644
--- a/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars
+++ b/tests/fast/stages/s2_networking_d_separate_envs/simple.tfvars
@@ -20,7 +20,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars b/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars
index fca8913f8a..c2a9cef0bd 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.tfvars
@@ -19,7 +19,7 @@ folder_ids = {
   networking-prod = null
 }
 groups = {
-  gcp-network-admins = "gcp-network-admins"
+  gcp-network-admins = "gcp-vpc-network-admins"
 }
 service_accounts = {
   data-platform-dev    = "string"
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index f0594c4ca6..993910f7e7 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -740,7 +740,7 @@ values:
     timeouts: null
   ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]
   : action: allow
-    description: Enable HTTP and HTTPS healthchecks
+    description: Enable SSH, HTTP and HTTPS healthchecks
     direction: INGRESS
     disabled: false
     enable_logging: null
@@ -753,6 +753,7 @@ values:
         layer4_configs:
           - ip_protocol: tcp
             ports:
+              - "22"
               - "80"
               - "443"
         src_address_groups: null
diff --git a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars
index 52ca76a3db..e3691e9ca5 100644
--- a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars
+++ b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.tfvars
@@ -16,7 +16,7 @@ custom_roles = {
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",
   gcp-devops              = "gcp-devops",
-  gcp-network-admins      = "gcp-network-admins",
+  gcp-network-admins      = "gcp-vpc-network-admins",
   gcp-organization-admins = "gcp-organization-admins",
   gcp-security-admins     = "gcp-security-admins",
   gcp-support             = "gcp-support"
diff --git a/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars b/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars
index 33cf461989..9cc9d46c69 100644
--- a/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars
+++ b/tests/fast/stages_multitenant/s1_resman_tenant/simple.tfvars
@@ -34,7 +34,7 @@ fast_features = {
 }
 groups = {
   gcp-devops          = "gcp-devops",
-  gcp-network-admins  = "gcp-network-admins",
+  gcp-network-admins  = "gcp-vpc-network-admins",
   gcp-security-admins = "gcp-security-admins",
 }
 organization = {

From 7aa6c7e059d5e46a8630259ae5bd1edeefaa3336 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 2 May 2024 22:11:33 +0200
Subject: [PATCH 15/29] Style fixes to FAST log sinks expressions

---
 fast/stages/0-bootstrap/variables.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 26ec513ac9..09c0e08567 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -200,14 +200,14 @@ variable "log_sinks" {
     }
     vpc-sc = {
       filter = <<-FILTER
-        protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
+        protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
       FILTER
       type   = "logging"
     }
     workspace-audit-logs = {
       filter = <<-FILTER
-        log_id("cloudaudit.googleapis.com/data_access")
-        protoPayload.serviceName:"login.googleapis.com"
+        log_id("cloudaudit.googleapis.com/data_access") AND
+        protoPayload.serviceName="login.googleapis.com"
       FILTER
       type   = "logging"
     }

From c9503d5ac506f4bd4c83afdc57f99a97463bdb62 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Thu, 9 May 2024 15:09:54 +0200
Subject: [PATCH 16/29] Remove data source from folder module (#2260)

* remove data source from folder module

* fix fast tfdoc

* fix locals type error

* fix folder test

* fix fast test
---
 fast/stages/0-bootstrap/README.md                 |  2 +-
 modules/folder/iam.tf                             |  6 +++---
 modules/folder/logging.tf                         |  9 ++++-----
 modules/folder/main.tf                            | 15 +++++----------
 modules/folder/organization-policies.tf           |  4 ++--
 modules/folder/outputs.tf                         |  6 +++---
 modules/folder/tags.tf                            |  2 +-
 .../stages/s2_networking_e_nva_bgp/simple.yaml    |  2 --
 .../s0_bootstrap_tenant/simple.yaml               |  4 ++--
 .../test_plan_org_policies_modules.py             |  8 ++++----
 10 files changed, 25 insertions(+), 33 deletions(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 43060232fe..5d456302f5 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -655,7 +655,7 @@ The `fast_features` variable consists of 6 toggles:
 | [iam_bindings_additive](variables.tf#L141) | Organization-level custom additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [iam_by_principals](variables.tf#L156) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [locations](variables.tf#L163) | Optional locations for GCS, BigQuery, and logging buckets created here. | <code title="object&#40;&#123;&#10;  bq      &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  gcs     &#61; optional&#40;string, &#34;EU&#34;&#41;&#10;  logging &#61; optional&#40;string, &#34;global&#34;&#41;&#10;  pubsub  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
-| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;activity&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;system_event&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;policy&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;access_transparency&#34;&#41;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  iam &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.serviceName&#61;&#34;iamcredentials.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;iam.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;sts.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.metadata.&#64;type:&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;data_access&#34;&#41;&#10;      protoPayload.serviceName:&#34;login.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
+| [log_sinks](variables.tf#L177) | Org-level log sinks, in name => {type, filter} format. | <code title="map&#40;object&#40;&#123;&#10;  filter &#61; string&#10;  type   &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#123;&#10;  audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;activity&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;system_event&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;policy&#34;&#41; OR&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;access_transparency&#34;&#41;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  iam &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.serviceName&#61;&#34;iamcredentials.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;iam.googleapis.com&#34; OR&#10;      protoPayload.serviceName&#61;&#34;sts.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  vpc-sc &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      protoPayload.metadata.&#64;type&#61;&#34;type.googleapis.com&#47;google.cloud.audit.VpcServiceControlAuditMetadata&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;  workspace-audit-logs &#61; &#123;&#10;    filter &#61; &#60;&#60;-FILTER&#10;      log_id&#40;&#34;cloudaudit.googleapis.com&#47;data_access&#34;&#41; AND&#10;      protoPayload.serviceName&#61;&#34;login.googleapis.com&#34;&#10;    FILTER&#10;    type   &#61; &#34;logging&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |  |
 | [org_policies_config](variables.tf#L224) | Organization policies customization. | <code title="object&#40;&#123;&#10;  constraints &#61; optional&#40;object&#40;&#123;&#10;    allowed_policy_member_domains &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;  import_defaults &#61; optional&#40;bool, false&#41;&#10;  tag_name        &#61; optional&#40;string, &#34;org-policies&#34;&#41;&#10;  tag_values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 | [outputs_location](variables.tf#L250) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | <code>string</code> |  | <code>null</code> |  |
 | [project_parent_ids](variables.tf#L265) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | <code title="object&#40;&#123;&#10;  automation &#61; optional&#40;string&#41;&#10;  billing    &#61; optional&#40;string&#41;&#10;  logging    &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
diff --git a/modules/folder/iam.tf b/modules/folder/iam.tf
index ba852837cb..68d3e606b0 100644
--- a/modules/folder/iam.tf
+++ b/modules/folder/iam.tf
@@ -35,14 +35,14 @@ locals {
 
 resource "google_folder_iam_binding" "authoritative" {
   for_each = local.iam
-  folder   = local.folder.name
+  folder   = local.folder_id
   role     = each.key
   members  = each.value
 }
 
 resource "google_folder_iam_binding" "bindings" {
   for_each = var.iam_bindings
-  folder   = local.folder.name
+  folder   = local.folder_id
   role     = each.value.role
   members  = each.value.members
   dynamic "condition" {
@@ -57,7 +57,7 @@ resource "google_folder_iam_binding" "bindings" {
 
 resource "google_folder_iam_member" "bindings" {
   for_each = var.iam_bindings_additive
-  folder   = local.folder.name
+  folder   = local.folder_id
   role     = each.value.role
   member   = each.value.member
   dynamic "condition" {
diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf
index f6942baa4b..817c4d1e06 100644
--- a/modules/folder/logging.tf
+++ b/modules/folder/logging.tf
@@ -37,7 +37,7 @@ locals {
 
 resource "google_folder_iam_audit_config" "default" {
   for_each = var.logging_data_access
-  folder   = local.folder.name
+  folder   = local.folder_id
   service  = each.key
   dynamic "audit_log_config" {
     for_each = each.value
@@ -53,7 +53,7 @@ resource "google_logging_folder_sink" "sink" {
   for_each         = local.logging_sinks
   name             = each.key
   description      = coalesce(each.value.description, "${each.key} (Terraform-managed).")
-  folder           = local.folder.name
+  folder           = local.folder_id
   destination      = "${each.value.type}.googleapis.com/${each.value.destination}"
   filter           = each.value.filter
   include_children = each.value.include_children
@@ -108,10 +108,9 @@ resource "google_project_iam_member" "bucket-sinks-binding" {
   project  = split("/", each.value.destination)[1]
   role     = "roles/logging.bucketWriter"
   member   = google_logging_folder_sink.sink[each.key].writer_identity
-
   condition {
     title       = "${each.key} bucket writer"
-    description = "Grants bucketWriter to ${google_logging_folder_sink.sink[each.key].writer_identity} used by log sink ${each.key} on ${local.folder.id}"
+    description = "Grants bucketWriter to ${google_logging_folder_sink.sink[each.key].writer_identity} used by log sink ${each.key} on ${local.folder_id}"
     expression  = "resource.name.endsWith('${each.value.destination}')"
   }
 }
@@ -126,7 +125,7 @@ resource "google_project_iam_member" "project-sinks-binding" {
 resource "google_logging_folder_exclusion" "logging-exclusion" {
   for_each    = var.logging_exclusions
   name        = each.key
-  folder      = local.folder.name
+  folder      = local.folder_id
   description = "${each.key} (Terraform-managed)."
   filter      = each.value
 }
diff --git a/modules/folder/main.tf b/modules/folder/main.tf
index 4335dbe515..8bb46a533c 100644
--- a/modules/folder/main.tf
+++ b/modules/folder/main.tf
@@ -15,18 +15,13 @@
  */
 
 locals {
-  folder = (
+  folder_id = (
     var.folder_create
-    ? try(google_folder.folder[0], null)
-    : try(data.google_folder.folder[0], null)
+    ? try(google_folder.folder[0].id, null)
+    : var.id
   )
 }
 
-data "google_folder" "folder" {
-  count  = var.folder_create ? 0 : 1
-  folder = var.id
-}
-
 resource "google_folder" "folder" {
   count        = var.folder_create ? 1 : 0
   display_name = var.name
@@ -36,7 +31,7 @@ resource "google_folder" "folder" {
 resource "google_essential_contacts_contact" "contact" {
   provider                            = google-beta
   for_each                            = var.contacts
-  parent                              = local.folder.name
+  parent                              = local.folder_id
   email                               = each.key
   language_tag                        = "en"
   notification_category_subscriptions = each.value
@@ -49,7 +44,7 @@ resource "google_essential_contacts_contact" "contact" {
 
 resource "google_compute_firewall_policy_association" "default" {
   count             = var.firewall_policy == null ? 0 : 1
-  attachment_target = local.folder.id
+  attachment_target = local.folder_id
   name              = var.firewall_policy.name
   firewall_policy   = var.firewall_policy.policy
 }
diff --git a/modules/folder/organization-policies.tf b/modules/folder/organization-policies.tf
index 38b69871c9..6de3081ce8 100644
--- a/modules/folder/organization-policies.tf
+++ b/modules/folder/organization-policies.tf
@@ -52,8 +52,8 @@ locals {
   org_policies = {
     for k, v in local._org_policies :
     k => merge(v, {
-      name   = "${local.folder.name}/policies/${k}"
-      parent = local.folder.name
+      name   = "${local.folder_id}/policies/${k}"
+      parent = local.folder_id
       is_boolean_policy = (
         alltrue([for r in v.rules : r.allow == null && r.deny == null])
       )
diff --git a/modules/folder/outputs.tf b/modules/folder/outputs.tf
index aec28f7152..79ff37cb7d 100644
--- a/modules/folder/outputs.tf
+++ b/modules/folder/outputs.tf
@@ -16,12 +16,12 @@
 
 output "folder" {
   description = "Folder resource."
-  value       = local.folder
+  value       = try(google_folder.folder[0], null)
 }
 
 output "id" {
   description = "Fully qualified folder id."
-  value       = local.folder.name
+  value       = local.folder_id
   depends_on = [
     google_folder_iam_binding.authoritative,
     google_folder_iam_binding.bindings,
@@ -32,7 +32,7 @@ output "id" {
 
 output "name" {
   description = "Folder name."
-  value       = local.folder.display_name
+  value       = try(google_folder.folder[0].display_name, null)
 }
 
 output "sink_writer_identities" {
diff --git a/modules/folder/tags.tf b/modules/folder/tags.tf
index 2cd2f2fd1a..323886ef50 100644
--- a/modules/folder/tags.tf
+++ b/modules/folder/tags.tf
@@ -16,6 +16,6 @@
 
 resource "google_tags_tag_binding" "binding" {
   for_each  = coalesce(var.tag_bindings, {})
-  parent    = "//cloudresourcemanager.googleapis.com/${local.folder.id}"
+  parent    = "//cloudresourcemanager.googleapis.com/${local.folder_id}"
   tag_value = each.value
 }
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index 993910f7e7..d9b2d67c9c 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -1520,8 +1520,6 @@ values:
     log_config:
       - enable: false
         filter: ALL
-    max_ports_per_vm: 65536
-    min_ports_per_vm: 64
     name: ew1
     nat_ip_allocate_option: AUTO_ONLY
     nat_ips: null
diff --git a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml
index 3e84c00ef6..f6f0d3ea26 100644
--- a/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml
+++ b/tests/fast/stages_multitenant/s0_bootstrap_tenant/simple.yaml
@@ -14,7 +14,7 @@
 
 counts:
   google_bigquery_default_service_account: 2
-  google_folder: 2
+  google_folder: 1
   google_folder_iam_binding: 5
   google_organization_iam_member: 39
   google_project: 2
@@ -30,4 +30,4 @@ counts:
   google_tags_tag_binding: 1
   google_tags_tag_value: 1
   modules: 19
-  resources: 129
+  resources: 128
diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py
index 632b45e726..f8839fc251 100644
--- a/tests/modules/organization/test_plan_org_policies_modules.py
+++ b/tests/modules/organization/test_plan_org_policies_modules.py
@@ -37,8 +37,8 @@ def test_policy_implementation():
       '@@ -55,2 +55,2 @@\n',
       '-      name   = "projects/${local.project.project_id}/policies/${k}"\n',
       '-      parent = "projects/${local.project.project_id}"\n',
-      '+      name   = "${local.folder.name}/policies/${k}"\n',
-      '+      parent = local.folder.name\n',
+      '+      name   = "${local.folder_id}/policies/${k}"\n',
+      '+      parent = local.folder_id\n',
   ]
 
   diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder',
@@ -50,8 +50,8 @@ def test_policy_implementation():
       '-# tfdoc:file:description Folder-level organization policies.\n',
       '+# tfdoc:file:description Organization-level organization policies.\n',
       '@@ -55,2 +55,2 @@\n',
-      '-      name   = "${local.folder.name}/policies/${k}"\n',
-      '-      parent = local.folder.name\n',
+      '-      name   = "${local.folder_id}/policies/${k}"\n',
+      '-      parent = local.folder_id\n',
       '+      name   = "${var.organization_id}/policies/${k}"\n',
       '+      parent = var.organization_id\n',
       '@@ -113,0 +114,9 @@\n',

From c58850c096df0a194dc1437512267f99e4ca2d9d Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 9 May 2024 15:24:41 +0200
Subject: [PATCH 17/29] Add Hybrid NAT support (#2261)

* Updates to support hybid NAT

* Fix readme

* Fix variable order
---
 modules/net-cloudnat/README.md                | 61 +++++++++++-
 modules/net-cloudnat/main.tf                  | 25 +++--
 modules/net-cloudnat/variables.tf             | 42 ++++++---
 modules/net-vpc/README.md                     | 12 ++-
 modules/net-vpc/outputs.tf                    |  7 +-
 modules/net-vpc/subnets.tf                    | 20 +++-
 modules/net-vpc/variables.tf                  | 14 ++-
 .../s2_networking_e_nva_bgp/simple.yaml       |  4 +-
 .../modules/net_cloudnat/examples/hybrid.yaml | 94 +++++++++++++++++++
 9 files changed, 247 insertions(+), 32 deletions(-)
 create mode 100644 tests/modules/net_cloudnat/examples/hybrid.yaml

diff --git a/modules/net-cloudnat/README.md b/modules/net-cloudnat/README.md
index 407bce3f08..34fb560660 100644
--- a/modules/net-cloudnat/README.md
+++ b/modules/net-cloudnat/README.md
@@ -6,6 +6,7 @@ Simple Cloud NAT management, with optional router creation.
 - [Basic Example](#basic-example)
 - [Subnetwork configuration](#subnetwork-configuration)
 - [Reserved IPs and custom rules](#reserved-ips-and-custom-rules)
+- [Hybrid NAT](#hybrid-nat)
 - [Variables](#variables)
 - [Outputs](#outputs)
 <!-- END TOC -->
@@ -102,6 +103,59 @@ module "nat" {
 }
 # tftest modules=2 resources=5 inventory=rules.yaml e2e
 ```
+## Hybrid NAT
+```hcl
+module "vpc1" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = var.project_id
+  name       = "vpc1"
+  subnets = [
+    {
+      ip_cidr_range = "10.0.0.0/24"
+      name          = "vpc1-subnet"
+      region        = var.region
+    }
+  ]
+  subnets_private_nat = [
+    {
+      ip_cidr_range = "192.168.15.0/24"
+      name          = "vpc1-nat"
+      region        = var.region
+    }
+  ]
+}
+
+module "vpc1-nat" {
+  source         = "./fabric/modules/net-cloudnat"
+  project_id     = var.project_id
+  region         = var.region
+  name           = "vpc1-nat"
+  type           = "PRIVATE"
+  router_network = module.vpc1.id
+  config_source_subnetworks = {
+    all = false
+    subnetworks = [
+      {
+        self_link = module.vpc1.subnet_ids["${var.region}/vpc1-subnet"]
+      }
+    ]
+  }
+  config_port_allocation = {
+    enable_endpoint_independent_mapping = false
+    enable_dynamic_port_allocation      = true
+  }
+  rules = [
+    {
+      description = "private nat"
+      match       = "nexthop.is_hybrid"
+      source_ranges = [
+        module.vpc1.subnets_private_nat["${var.region}/vpc1-nat"].id
+      ]
+    }
+  ]
+}
+# tftest modules=2 resources=7 inventory=hybrid.yaml
+```
 <!-- BEGIN TFDOC -->
 ## Variables
 
@@ -111,15 +165,16 @@ module "nat" {
 | [project_id](variables.tf#L82) | Project where resources will be created. | <code>string</code> | ✓ |  |
 | [region](variables.tf#L87) | Region where resources will be created. | <code>string</code> | ✓ |  |
 | [addresses](variables.tf#L17) | Optional list of external address self links. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | <code title="object&#40;&#123;&#10;  enable_endpoint_independent_mapping &#61; optional&#40;bool, true&#41;&#10;  enable_dynamic_port_allocation      &#61; optional&#40;bool, false&#41;&#10;  min_ports_per_vm                    &#61; optional&#40;number, 64&#41;&#10;  max_ports_per_vm                    &#61; optional&#40;number, 65536&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [config_port_allocation](variables.tf#L23) | Configuration for how to assign ports to virtual machines. min_ports_per_vm and max_ports_per_vm have no effect unless enable_dynamic_port_allocation is set to 'true'. | <code title="object&#40;&#123;&#10;  enable_endpoint_independent_mapping &#61; optional&#40;bool, true&#41;&#10;  enable_dynamic_port_allocation      &#61; optional&#40;bool, false&#41;&#10;  min_ports_per_vm                    &#61; optional&#40;number&#41;&#10;  max_ports_per_vm                    &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [config_source_subnetworks](variables.tf#L39) | Subnetwork configuration. | <code title="object&#40;&#123;&#10;  all                 &#61; optional&#40;bool, true&#41;&#10;  primary_ranges_only &#61; optional&#40;bool&#41;&#10;  subnetworks &#61; optional&#40;list&#40;object&#40;&#123;&#10;    self_link        &#61; string&#10;    all_ranges       &#61; optional&#40;bool, true&#41;&#10;    secondary_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [config_timeouts](variables.tf#L58) | Timeout configurations. | <code title="object&#40;&#123;&#10;  icmp            &#61; optional&#40;number, 30&#41;&#10;  tcp_established &#61; optional&#40;number, 1200&#41;&#10;  tcp_time_wait   &#61; optional&#40;number, 120&#41;&#10;  tcp_transitory  &#61; optional&#40;number, 30&#41;&#10;  udp             &#61; optional&#40;number, 30&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [config_timeouts](variables.tf#L58) | Timeout configurations. | <code title="object&#40;&#123;&#10;  icmp            &#61; optional&#40;number&#41;&#10;  tcp_established &#61; optional&#40;number&#41;&#10;  tcp_time_wait   &#61; optional&#40;number&#41;&#10;  tcp_transitory  &#61; optional&#40;number&#41;&#10;  udp             &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_filter](variables.tf#L71) | Enables logging if not null, value is one of 'ERRORS_ONLY', 'TRANSLATIONS_ONLY', 'ALL'. | <code>string</code> |  | <code>null</code> |
 | [router_asn](variables.tf#L92) | Router ASN used for auto-created router. | <code>number</code> |  | <code>null</code> |
 | [router_create](variables.tf#L98) | Create router. | <code>bool</code> |  | <code>true</code> |
 | [router_name](variables.tf#L104) | Router name, leave blank if router will be created to use auto generated name. | <code>string</code> |  | <code>null</code> |
 | [router_network](variables.tf#L110) | Name of the VPC used for auto-created router. | <code>string</code> |  | <code>null</code> |
-| [rules](variables.tf#L116) | List of rules associated with this NAT. | <code title="list&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string&#41;,&#10;  match       &#61; string&#10;  source_ips  &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [rules](variables.tf#L116) | List of rules associated with this NAT. | <code title="list&#40;object&#40;&#123;&#10;  description   &#61; optional&#40;string&#41;&#10;  match         &#61; string&#10;  source_ips    &#61; optional&#40;list&#40;string&#41;&#41;&#10;  source_ranges &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [type](variables.tf#L136) | Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'. | <code>string</code> |  | <code>&#34;PUBLIC&#34;</code> |
 
 ## Outputs
 
diff --git a/modules/net-cloudnat/main.tf b/modules/net-cloudnat/main.tf
index 7a537d8eee..bf5b7bc785 100644
--- a/modules/net-cloudnat/main.tf
+++ b/modules/net-cloudnat/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,13 +47,21 @@ resource "google_compute_router" "router" {
 }
 
 resource "google_compute_router_nat" "nat" {
-  project = var.project_id
-  region  = var.region
-  name    = var.name
-  router  = local.router_name
-  nat_ips = var.addresses
+  provider = google-beta
+  project  = var.project_id
+  region   = var.region
+  name     = var.name
+  type     = var.type
+  router   = local.router_name
+  nat_ips  = var.addresses
   nat_ip_allocate_option = (
-    length(var.addresses) > 0 ? "MANUAL_ONLY" : "AUTO_ONLY"
+    var.type == "PRIVATE"
+    ? null
+    : (
+      length(var.addresses) > 0
+      ? "MANUAL_ONLY"
+      : "AUTO_ONLY"
+    )
   )
   source_subnetwork_ip_ranges_to_nat = local.subnet_config
   icmp_idle_timeout_sec              = var.config_timeouts.icmp
@@ -114,7 +122,8 @@ resource "google_compute_router_nat" "nat" {
       description = rules.value.description
       match       = rules.value.match
       action {
-        source_nat_active_ips = rules.value.source_ips
+        source_nat_active_ips    = rules.value.source_ips
+        source_nat_active_ranges = rules.value.source_ranges
       }
     }
   }
diff --git a/modules/net-cloudnat/variables.tf b/modules/net-cloudnat/variables.tf
index 0ec05e4221..27484ee319 100644
--- a/modules/net-cloudnat/variables.tf
+++ b/modules/net-cloudnat/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,8 +25,8 @@ variable "config_port_allocation" {
   type = object({
     enable_endpoint_independent_mapping = optional(bool, true)
     enable_dynamic_port_allocation      = optional(bool, false)
-    min_ports_per_vm                    = optional(number, 64)
-    max_ports_per_vm                    = optional(number, 65536)
+    min_ports_per_vm                    = optional(number)
+    max_ports_per_vm                    = optional(number)
   })
   default  = {}
   nullable = false
@@ -58,11 +58,11 @@ output "foo" {
 variable "config_timeouts" {
   description = "Timeout configurations."
   type = object({
-    icmp            = optional(number, 30)
-    tcp_established = optional(number, 1200)
-    tcp_time_wait   = optional(number, 120)
-    tcp_transitory  = optional(number, 30)
-    udp             = optional(number, 30)
+    icmp            = optional(number)
+    tcp_established = optional(number)
+    tcp_time_wait   = optional(number)
+    tcp_transitory  = optional(number)
+    udp             = optional(number)
   })
   default  = {}
   nullable = false
@@ -116,10 +116,30 @@ variable "router_network" {
 variable "rules" {
   description = "List of rules associated with this NAT."
   type = list(object({
-    description = optional(string),
-    match       = string
-    source_ips  = list(string)
+    description   = optional(string)
+    match         = string
+    source_ips    = optional(list(string))
+    source_ranges = optional(list(string))
   }))
   default  = []
   nullable = false
+  validation {
+    condition = alltrue([
+      for r in var.rules :
+      r.source_ips != null || r.source_ranges != null
+    ])
+
+    error_message = "All rules must specify either source_ips or source_ranges."
+  }
+}
+
+variable "type" {
+  description = "Whether this Cloud NAT is used for public or private IP translation. One of 'PUBLIC' or 'PRIVATE'."
+  type        = string
+  default     = "PUBLIC"
+  nullable    = false
+  validation {
+    condition     = var.type == "PUBLIC" || var.type == "PRIVATE"
+    error_message = "Field type must be either PUBLIC or PRIVATE."
+  }
 }
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index feee775cc6..d29251cc96 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -662,9 +662,10 @@ module "vpc" {
 | [shared_vpc_host](variables.tf#L238) | Enable shared VPC for this project. | <code>bool</code> |  | <code>false</code> |
 | [shared_vpc_service_projects](variables.tf#L244) | Shared VPC service projects to register with this host. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
 | [subnets](variables.tf#L250) | Subnet configuration. | <code title="list&#40;object&#40;&#123;&#10;  name                  &#61; string&#10;  ip_cidr_range         &#61; string&#10;  region                &#61; string&#10;  description           &#61; optional&#40;string&#41;&#10;  enable_private_access &#61; optional&#40;bool, true&#41;&#10;  flow_logs_config &#61; optional&#40;object&#40;&#123;&#10;    aggregation_interval &#61; optional&#40;string&#41;&#10;    filter_expression    &#61; optional&#40;string&#41;&#10;    flow_sampling        &#61; optional&#40;number&#41;&#10;    metadata             &#61; optional&#40;string&#41;&#10;    metadata_fields &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ipv6 &#61; optional&#40;object&#40;&#123;&#10;    access_type &#61; optional&#40;string, &#34;INTERNAL&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  secondary_ip_ranges &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_proxy_only](variables.tf#L297) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; optional&#40;bool, true&#41;&#10;  global        &#61; optional&#40;bool, false&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [subnets_psc](variables.tf#L331) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc_create](variables.tf#L363) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
+| [subnets_private_nat](variables.tf#L297) | List of private NAT subnets. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets_proxy_only](variables.tf#L309) | List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;  active        &#61; optional&#40;bool, true&#41;&#10;  global        &#61; optional&#40;bool, false&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [subnets_psc](variables.tf#L343) | List of subnets for Private Service Connect service producers. | <code title="list&#40;object&#40;&#123;&#10;  name          &#61; string&#10;  ip_cidr_range &#61; string&#10;  region        &#61; string&#10;  description   &#61; optional&#40;string&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc_create](variables.tf#L375) | Create VPC. When set to false, uses a data source to reference existing VPC. | <code>bool</code> |  | <code>true</code> |
 
 ## Outputs
 
@@ -684,6 +685,7 @@ module "vpc" {
 | [subnet_secondary_ranges](outputs.tf#L122) | Map of subnet secondary ranges keyed by name. |  |
 | [subnet_self_links](outputs.tf#L133) | Map of subnet self links keyed by name. |  |
 | [subnets](outputs.tf#L142) | Subnet resources. |  |
-| [subnets_proxy_only](outputs.tf#L151) | L7 ILB or L7 Regional LB subnet resources. |  |
-| [subnets_psc](outputs.tf#L156) | Private Service Connect subnet resources. |  |
+| [subnets_private_nat](outputs.tf#L151) | Private NAT subnet resources. |  |
+| [subnets_proxy_only](outputs.tf#L156) | L7 ILB or L7 Regional LB subnet resources. |  |
+| [subnets_psc](outputs.tf#L161) | Private Service Connect subnet resources. |  |
 <!-- END TFDOC -->
diff --git a/modules/net-vpc/outputs.tf b/modules/net-vpc/outputs.tf
index 412e363a4a..4d143e829f 100644
--- a/modules/net-vpc/outputs.tf
+++ b/modules/net-vpc/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -148,6 +148,11 @@ output "subnets" {
   ]
 }
 
+output "subnets_private_nat" {
+  description = "Private NAT subnet resources."
+  value       = { for k, v in google_compute_subnetwork.private_nat : k => v }
+}
+
 output "subnets_proxy_only" {
   description = "L7 ILB or L7 Regional LB subnet resources."
   value       = { for k, v in google_compute_subnetwork.proxy_only : k => v }
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index ca3541450c..09d4748d00 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -124,6 +124,10 @@ locals {
     { for s in var.subnets_proxy_only : "${s.region}/${s.name}" => s },
     { for k, v in local._factory_subnets : k => v if v._is_proxy_only },
   )
+  subnets_private_nat = merge(
+    { for s in var.subnets_private_nat : "${s.region}/${s.name}" => s },
+    # { for k, v in local._factory_subnets : k => v if v._is_proxy_only },
+  )
   subnets_psc = merge(
     { for s in var.subnets_psc : "${s.region}/${s.name}" => s },
     { for k, v in local._factory_subnets : k => v if v._is_psc }
@@ -185,6 +189,20 @@ resource "google_compute_subnetwork" "proxy_only" {
   role    = each.value.active ? "ACTIVE" : "BACKUP"
 }
 
+resource "google_compute_subnetwork" "private_nat" {
+  for_each      = local.subnets_private_nat
+  project       = var.project_id
+  network       = local.network.name
+  name          = each.value.name
+  region        = each.value.region
+  ip_cidr_range = each.value.ip_cidr_range
+  description = coalesce(
+    each.value.description,
+    "Terraform-managed private NAT subnet."
+  )
+  purpose = "PRIVATE_NAT"
+}
+
 resource "google_compute_subnetwork" "psc" {
   for_each      = local.subnets_psc
   project       = var.project_id
diff --git a/modules/net-vpc/variables.tf b/modules/net-vpc/variables.tf
index d8948a2640..6fd011bec8 100644
--- a/modules/net-vpc/variables.tf
+++ b/modules/net-vpc/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -294,6 +294,18 @@ variable "subnets" {
   nullable = false
 }
 
+variable "subnets_private_nat" {
+  description = "List of private NAT subnets."
+  type = list(object({
+    name          = string
+    ip_cidr_range = string
+    region        = string
+    description   = optional(string)
+  }))
+  default  = []
+  nullable = false
+}
+
 variable "subnets_proxy_only" {
   description = "List of proxy-only subnets for Regional HTTPS or Internal HTTPS load balancers. Note: Only one proxy-only subnet for each VPC network in each region can be active."
   type = list(object({
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index d9b2d67c9c..38a23789d5 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -1520,6 +1520,7 @@ values:
     log_config:
       - enable: false
         filter: ALL
+    max_ports_per_vm: null
     name: ew1
     nat_ip_allocate_option: AUTO_ONLY
     nat_ips: null
@@ -1551,8 +1552,7 @@ values:
     log_config:
       - enable: false
         filter: ALL
-    max_ports_per_vm: 65536
-    min_ports_per_vm: 64
+    max_ports_per_vm: null
     name: ew4
     nat_ip_allocate_option: AUTO_ONLY
     nat_ips: null
diff --git a/tests/modules/net_cloudnat/examples/hybrid.yaml b/tests/modules/net_cloudnat/examples/hybrid.yaml
new file mode 100644
index 0000000000..4dd1939598
--- /dev/null
+++ b/tests/modules/net_cloudnat/examples/hybrid.yaml
@@ -0,0 +1,94 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc1-nat.google_compute_router.router[0]:
+    bgp: []
+    description: null
+    encrypted_interconnect_router: null
+    name: vpc1-nat-nat
+    project: project-id
+    region: europe-west8
+  module.vpc1-nat.google_compute_router_nat.nat:
+    drain_nat_ips: null
+    enable_dynamic_port_allocation: true
+    enable_endpoint_independent_mapping: false
+    icmp_idle_timeout_sec: 30
+    log_config:
+    - enable: false
+      filter: ALL
+    max_ports_per_vm: null
+    name: vpc1-nat
+    nat_ip_allocate_option: null
+    nat_ips: null
+    project: project-id
+    region: europe-west8
+    router: vpc1-nat-nat
+    rules:
+    - action:
+      - source_nat_active_ips: []
+        source_nat_drain_ips: []
+        source_nat_drain_ranges: []
+      description: private nat
+      match: nexthop.is_hybrid
+      rule_number: 0
+    source_subnetwork_ip_ranges_to_nat: LIST_OF_SUBNETWORKS
+    subnetwork:
+    - secondary_ip_range_names: []
+      source_ip_ranges_to_nat:
+      - ALL_IP_RANGES
+    tcp_established_idle_timeout_sec: 1200
+    tcp_time_wait_timeout_sec: 120
+    tcp_transitory_idle_timeout_sec: 30
+    type: PRIVATE
+    udp_idle_timeout_sec: 30
+  module.vpc1.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
+    name: vpc1
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+    project: project-id
+    routing_mode: GLOBAL
+  module.vpc1.google_compute_subnetwork.private_nat["europe-west8/vpc1-nat"]:
+    description: Terraform-managed private NAT subnet.
+    ip_cidr_range: 192.168.15.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: vpc1-nat
+    network: vpc1
+    project: project-id
+    purpose: PRIVATE_NAT
+    region: europe-west8
+    role: null
+  module.vpc1.google_compute_subnetwork.subnetwork["europe-west8/vpc1-subnet"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.0.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: vpc1-subnet
+    network: vpc1
+    private_ip_google_access: true
+    project: project-id
+    region: europe-west8
+    role: null
+    secondary_ip_range: []
+
+counts:
+  google_compute_network: 1
+  google_compute_route: 2
+  google_compute_router: 1
+  google_compute_router_nat: 1
+  google_compute_subnetwork: 2

From d838c4ac478ea71ec30f69c06dcbe7173b07f08d Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 9 May 2024 18:29:25 +0200
Subject: [PATCH 18/29] Make Simple NVA route IAP traffic through NIC 0 (#2262)

---
 .../simple-nva/cloud-config.yaml              |    5 +-
 .../s2_networking_e_nva_bgp/simple.yaml       | 1889 +++++++++--------
 2 files changed, 949 insertions(+), 945 deletions(-)

diff --git a/modules/cloud-config-container/simple-nva/cloud-config.yaml b/modules/cloud-config-container/simple-nva/cloud-config.yaml
index 328ace7e2c..b5553793c0 100644
--- a/modules/cloud-config-container/simple-nva/cloud-config.yaml
+++ b/modules/cloud-config-container/simple-nva/cloud-config.yaml
@@ -1,6 +1,6 @@
 #cloud-config
 
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -51,6 +51,9 @@ write_files:
 %{ endfor ~}
       iptables -t nat -A POSTROUTING -o ${interface.name} -j MASQUERADE
 %{ endif ~}
+%{ if interface.number == 0 ~}
+      ip route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
+%{ endif ~}
 %{ for route in interface.routes ~}
       ip route add ${route} via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/${interface.number}/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
 %{ endfor ~}
diff --git a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
index 38a23789d5..25ba7ccf9b 100644
--- a/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
+++ b/tests/fast/stages/s2_networking_e_nva_bgp/simple.yaml
@@ -10,7 +10,6 @@
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
-# limitations under the License.
 
 values:
   google_compute_address.nva_static_ip_dmz["primary-b"]:
@@ -113,22 +112,21 @@ values:
     alert_strategy: []
     combiner: OR
     conditions:
-      - condition_absent: []
-        condition_matched_log: []
-        condition_monitoring_query_language:
-          - duration: 120s
-            evaluation_missing_data: null
-            query:
-              fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count;
-              metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)|
-              group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition
-              val() > 187.5 "MBy/s"
-            trigger:
-              - count: 1
-                percent: null
-        condition_prometheus_query_language: []
-        condition_threshold: []
-        display_name: VPN Tunnel Bandwidth usage
+    - condition_absent: []
+      condition_matched_log: []
+      condition_monitoring_query_language:
+      - duration: 120s
+        evaluation_missing_data: null
+        query: fetch vpn_gateway| { metric vpn.googleapis.com/network/sent_bytes_count;
+          metric vpn.googleapis.com/network/received_bytes_count }| align rate (1m)|
+          group_by [metric.tunnel_name]| outer_join 0,0| value val(0) + val(1)| condition
+          val() > 187.5 "MBy/s"
+        trigger:
+        - count: 1
+          percent: null
+      condition_prometheus_query_language: []
+      condition_threshold: []
+      display_name: VPN Tunnel Bandwidth usage
     display_name: VPN Tunnel Bandwidth usage
     documentation: []
     enabled: true
@@ -141,21 +139,20 @@ values:
     alert_strategy: []
     combiner: OR
     conditions:
-      - condition_absent: []
-        condition_matched_log: []
-        condition_monitoring_query_language:
-          - duration: 120s
-            evaluation_missing_data: null
-            query:
-              "fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by
-              5m, [value_tunnel_established_max: max(value.tunnel_established)]| every
-              5m| condition val() < 1 '1'"
-            trigger:
-              - count: 1
-                percent: null
-        condition_prometheus_query_language: []
-        condition_threshold: []
-        display_name: VPN Tunnel Established
+    - condition_absent: []
+      condition_matched_log: []
+      condition_monitoring_query_language:
+      - duration: 120s
+        evaluation_missing_data: null
+        query: 'fetch vpn_gateway| metric vpn.googleapis.com/tunnel_established| group_by
+          5m, [value_tunnel_established_max: max(value.tunnel_established)]| every
+          5m| condition val() < 1 ''1'''
+        trigger:
+        - count: 1
+          percent: null
+      condition_prometheus_query_language: []
+      condition_threshold: []
+      display_name: VPN Tunnel Established
     display_name: VPN Tunnel Established
     documentation: []
     enabled: true
@@ -165,17 +162,15 @@ values:
     timeouts: null
     user_labels: null
   google_monitoring_dashboard.dashboard["firewall_insights.json"]:
-    dashboard_json:
-      '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet
+    dashboard_json: '{"displayName":"Firewall Insights Monitoring","gridLayout":{"columns":"2","widgets":[{"title":"Subnet
       Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/subnet/firewall_hit_count\"
       resource.type=\"gce_subnetwork\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},{"title":"VM
       Firewall Hit Counts","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_RATE"},"filter":"metric.type=\"firewallinsights.googleapis.com/vm/firewall_hit_count\"
       resource.type=\"gce_instance\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}}]}}'
     project: fast2-prod-net-landing-0
     timeouts: null
-  ? google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]
-  : dashboard_json:
-      '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering
+  google_monitoring_dashboard.dashboard["vpc_and_vpc_peering_group_quotas.json"]:
+    dashboard_json: '{"dashboardFilters":[],"displayName":"VPC \u0026 VPC Peering
       Group Quotas","labels":{},"mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Internal
       network (L4) Load Balancers per VPC Peering Group","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"breakdowns":[],"dimensions":[],"measures":[],"plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesQueryLanguage":"fetch
       compute.googleapis.com/VpcNetwork\n|{ metric\n      compute.googleapis.com/quota/internal_lb_forwarding_rules_per_peering_group/usage\n    |
@@ -228,8 +223,7 @@ values:
     project: fast2-prod-net-landing-0
     timeouts: null
   google_monitoring_dashboard.dashboard["vpn.json"]:
-    dashboard_json:
-      '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number
+    dashboard_json: '{"displayName":"VPN Monitoring","mosaicLayout":{"columns":12,"tiles":[{"height":4,"widget":{"title":"Number
       of connections","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/gateway/connections\"
       resource.type=\"vpn_gateway\"","secondaryAggregation":{}},"unitOverride":"1"}}],"timeshiftDuration":"0s","yAxis":{"label":"y1Axis","scale":"LINEAR"}}},"width":4},{"height":4,"widget":{"title":"Tunnel
       established","xyChart":{"chartOptions":{"mode":"COLOR"},"dataSets":[{"minAlignmentPeriod":"60s","plotType":"LINE","targetAxis":"Y1","timeSeriesQuery":{"timeSeriesFilter":{"aggregation":{"perSeriesAligner":"ALIGN_MEAN"},"filter":"metric.type=\"vpn.googleapis.com/tunnel_established\"
@@ -279,9 +273,9 @@ values:
     source: null
     temporary_hold: null
     timeouts: null
-  ? module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.dev-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: 10.in-addr.arpa.
     dnssec_config: []
@@ -296,7 +290,7 @@ values:
     visibility: private
   module.dev-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: .
     dnssec_config: []
@@ -311,7 +305,7 @@ values:
     visibility: private
   module.dev-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: dev.gcp.example.com.
     dnssec_config: []
@@ -324,23 +318,23 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]
-  : managed_zone: dev-gcp-example-com
+  module.dev-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
+    managed_zone: dev-gcp-example-com
     name: localhost.dev.gcp.example.com.
     project: fast2-dev-net-spoke-0
     routing_policy: []
     rrdatas:
-      - 127.0.0.1
+    - 127.0.0.1
     ttl: 300
     type: A
-  ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]
-  : allow:
-      - ports:
-          - "80"
-          - "443"
-          - "3306"
-          - "3307"
-        protocol: tcp
+  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-composer-nodes"]:
+    allow:
+    - ports:
+      - '80'
+      - '443'
+      - '3306'
+      - '3307'
+      protocol: tcp
     deny: []
     description: Allow traffic to Composer nodes.
     direction: INGRESS
@@ -353,17 +347,17 @@ values:
     source_ranges: null
     source_service_accounts: null
     source_tags:
-      - composer-worker
+    - composer-worker
     target_service_accounts: null
     target_tags:
-      - composer-worker
-    timeouts: null
-  ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]
-  : allow:
-      - ports:
-          - "12345"
-          - "12346"
-        protocol: tcp
+    - composer-worker
+    timeouts: null
+  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-allow-dataflow-load"]:
+    allow:
+    - ports:
+      - '12345'
+      - '12346'
+      protocol: tcp
     deny: []
     description: Allow traffic to Dataflow nodes.
     direction: INGRESS
@@ -376,37 +370,37 @@ values:
     source_ranges: null
     source_service_accounts: null
     source_tags:
-      - dataflow
+    - dataflow
     target_service_accounts: null
     target_tags:
-      - dataflow
+    - dataflow
     timeouts: null
-  ? module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]
-  : allow: []
+  module.dev-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: ingress-default-deny
     network: dev-spoke-0
     priority: 65535
     project: fast2-dev-net-spoke-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]
-  : project: fast2-dev-net-spoke-0
+  module.dev-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    project: fast2-dev-net-spoke-0
     timeouts: null
-  ? module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]
-  : metrics_scope: fast2-prod-net-landing-0
+  module.dev-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
+    metrics_scope: fast2-prod-net-landing-0
     name: fast2-dev-net-spoke-0
     timeouts: null
   module.dev-spoke-project.google_project.project[0]:
@@ -419,69 +413,69 @@ values:
     project_id: fast2-dev-net-spoke-0
     skip_delete: false
     timeouts: null
-  ? module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]
-  : condition: []
+  module.dev-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-dev-net-spoke-0
     role: roles/dns.admin
-  ? module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]
-  : condition:
-      - description: Development host project delegated grants.
-        expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
-        title: dev_stage3_sa_delegated_grants
+  module.dev-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
+    condition:
+    - description: Development host project delegated grants.
+      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
+      title: dev_stage3_sa_delegated_grants
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-dev-net-spoke-0
     role: roles/resourcemanager.projectIamAdmin
   module.dev-spoke-project.google_project_iam_member.servicenetworking[0]:
     condition: []
     project: fast2-dev-net-spoke-0
     role: roles/servicenetworking.serviceAgent
-  ? module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: compute.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: dns.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: networkmanagement.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: servicenetworking.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: stackdriver.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]
-  : disable_dependent_services: false
+  module.dev-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-dev-net-spoke-0
     service: vpcaccess.googleapis.com
     timeouts: null
-  ? module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]
-  : project: fast2-dev-net-spoke-0
+  module.dev-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+    project: fast2-dev-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
   module.dev-spoke-project.google_project_service_identity.servicenetworking[0]:
@@ -525,8 +519,8 @@ values:
     project: fast2-dev-net-spoke-0
     tags: null
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]
-  : description: Default subnet for dev Data Platform
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-dataplatform"]:
+    description: Default subnet for dev Data Platform
     ip_cidr_range: 10.68.2.0/24
     ipv6_access_type: null
     log_config: []
@@ -537,13 +531,13 @@ values:
     region: europe-west1
     role: null
     secondary_ip_range:
-      - ip_cidr_range: 100.69.0.0/16
-        range_name: pods
-      - ip_cidr_range: 100.71.2.0/24
-        range_name: services
+    - ip_cidr_range: 100.69.0.0/16
+      range_name: pods
+    - ip_cidr_range: 100.71.2.0/24
+      range_name: services
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]
-  : description: Default europe-west1 subnet for dev
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-default"]:
+    description: Default europe-west1 subnet for dev
     ip_cidr_range: 10.68.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -555,8 +549,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]
-  : description: Default subnet for prod gke nodes
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/dev-gke-nodes"]:
+    description: Default subnet for prod gke nodes
     ip_cidr_range: 10.68.1.0/24
     ipv6_access_type: null
     log_config: []
@@ -567,13 +561,13 @@ values:
     region: europe-west1
     role: null
     secondary_ip_range:
-      - ip_cidr_range: 100.68.0.0/16
-        range_name: pods
-      - ip_cidr_range: 100.71.1.0/24
-        range_name: services
+    - ip_cidr_range: 100.68.0.0/16
+      range_name: pods
+    - ip_cidr_range: 100.71.1.0/24
+      range_name: services
     timeouts: null
-  ? module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]
-  : description: Default europe-west4 subnet for dev
+  module.dev-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/dev-default"]:
+    description: Default europe-west4 subnet for dev
     ip_cidr_range: 10.84.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -592,14 +586,14 @@ values:
     enable_logging: true
     name: dev-spoke-0
     networks:
-      - {}
+    - {}
     project: fast2-dev-net-spoke-0
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]
-  : allow:
-      - ports:
-          - "22"
-        protocol: tcp
+  module.dmz-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-dmz"]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
     deny: []
     description: Allow traffic from Google healthchecks to NVA appliances
     direction: INGRESS
@@ -610,20 +604,20 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 130.211.0.0/22
-      - 209.85.152.0/22
-      - 209.85.204.0/22
-      - 35.191.0.0/16
+    - 130.211.0.0/22
+    - 209.85.152.0/22
+    - 209.85.204.0/22
+    - 35.191.0.0/16
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]
-  : allow:
-      - ports:
-          - "179"
-        protocol: tcp
+  module.dmz-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-dmz"]:
+    allow:
+    - ports:
+      - '179'
+      protocol: tcp
     deny: []
     description: Allow BGP traffic from NCC Cloud Routers to NVAs
     direction: INGRESS
@@ -634,21 +628,21 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 10.128.0.201/32
-      - 10.128.0.202/32
-      - 10.128.32.201/32
-      - 10.128.32.202/32
+    - 10.128.0.201/32
+    - 10.128.0.202/32
+    - 10.128.32.201/32
+    - 10.128.32.202/32
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags:
-      - nva
+    - nva
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]
-  : allow:
-      - ports:
-          - "179"
-        protocol: tcp
+  module.dmz-firewall.google_compute_firewall.custom-rules["allow-nva-nva-bgp-dmz"]:
+    allow:
+    - ports:
+      - '179'
+      protocol: tcp
     deny: []
     description: Allow BGP traffic from cross-regional NVAs
     direction: INGRESS
@@ -661,27 +655,27 @@ values:
     source_ranges: null
     source_service_accounts: null
     source_tags:
-      - nva
+    - nva
     target_service_accounts: null
     target_tags:
-      - nva
+    - nva
     timeouts: null
-  ? module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]
-  : allow: []
+  module.dmz-firewall.google_compute_firewall.custom-rules["dmz-ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: dmz-ingress-default-deny
     network: prod-dmz-0
     priority: 65535
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
@@ -698,8 +692,8 @@ values:
     project: fast2-prod-net-landing-0
     routing_mode: GLOBAL
     timeouts: null
-  ? module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]
-  : description: Default europe-west1 subnet for DMZ
+  module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west1/dmz-default"]:
+    description: Default europe-west1 subnet for DMZ
     ip_cidr_range: 10.64.128.0/24
     ipv6_access_type: null
     log_config: []
@@ -711,8 +705,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]
-  : description: Default europe-west4 subnet for DMZ
+  module.dmz-vpc.google_compute_subnetwork.subnetwork["europe-west4/dmz-default"]:
+    description: Default europe-west4 subnet for DMZ
     ip_cidr_range: 10.80.128.0/24
     ipv6_access_type: null
     log_config: []
@@ -731,117 +725,117 @@ values:
     enable_logging: true
     name: prod-dmz-0
     networks:
-      - {}
+    - {}
     project: fast2-prod-net-landing-0
     timeouts: null
   module.firewall-policy-default.google_compute_firewall_policy.hierarchical[0]:
     description: null
     short_name: net-default
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-healthchecks"]:
+    action: allow
     description: Enable SSH, HTTP and HTTPS healthchecks
     direction: INGRESS
     disabled: false
     enable_logging: null
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: tcp
-            ports:
-              - "22"
-              - "80"
-              - "443"
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 35.191.0.0/16
-          - 130.211.0.0/22
-          - 209.85.152.0/22
-          - 209.85.204.0/22
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '22'
+        - '80'
+        - '443'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 35.191.0.0/16
+      - 130.211.0.0/22
+      - 209.85.152.0/22
+      - 209.85.204.0/22
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1001
     target_resources: null
     target_service_accounts: null
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-icmp"]:
+    action: allow
     description: Enable ICMP
     direction: INGRESS
     disabled: false
     enable_logging: null
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: icmp
-            ports: []
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 0.0.0.0/0
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: icmp
+        ports: []
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 0.0.0.0/0
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1003
     target_resources: null
     target_service_accounts: null
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-nat-ranges"]:
+    action: allow
     description: Enable NAT ranges for VPC serverless connector
     direction: INGRESS
     disabled: false
     enable_logging: null
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: all
-            ports: null
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 107.178.230.64/26
-          - 35.199.224.0/19
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 107.178.230.64/26
+      - 35.199.224.0/19
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1004
     target_resources: null
     target_service_accounts: null
     timeouts: null
-  ? module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]
-  : action: allow
+  module.firewall-policy-default.google_compute_firewall_policy_rule.hierarchical["ingress/allow-ssh-from-iap"]:
+    action: allow
     description: Enable SSH from IAP
     direction: INGRESS
     disabled: false
     enable_logging: true
     match:
-      - dest_address_groups: null
-        dest_fqdns: null
-        dest_ip_ranges: null
-        dest_region_codes: null
-        dest_threat_intelligences: null
-        layer4_configs:
-          - ip_protocol: tcp
-            ports:
-              - "22"
-        src_address_groups: null
-        src_fqdns: null
-        src_ip_ranges:
-          - 35.235.240.0/20
-        src_region_codes: null
-        src_threat_intelligences: null
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges: null
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: tcp
+        ports:
+        - '22'
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges:
+      - 35.235.240.0/20
+      src_region_codes: null
+      src_threat_intelligences: null
     priority: 1002
     target_resources: null
     target_service_accounts: null
@@ -849,27 +843,27 @@ values:
   module.folder.google_compute_firewall_policy_association.default[0]:
     name: default
     timeouts: null
-  ? module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]
-  : email: gcp-network-admins@fast.example.com
+  module.folder.google_essential_contacts_contact.contact["gcp-network-admins@fast.example.com"]:
+    email: gcp-network-admins@fast.example.com
     language_tag: en
     notification_category_subscriptions:
-      - ALL
+    - ALL
     timeouts: null
   module.folder.google_folder.folder[0]:
     display_name: Networking
     parent: organizations/123456789012
     timeouts: null
-  ? module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.landing-dns-fwd-onprem-example[0].google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: onprem.example.com.
     dnssec_config: []
     force_destroy: false
     forwarding_config:
-      - target_name_servers:
-          - forwarding_path: ""
-            ipv4_address: 10.10.10.10
+    - target_name_servers:
+      - forwarding_path: ''
+        ipv4_address: 10.10.10.10
     labels: null
     name: example-com
     peering_config: []
@@ -878,17 +872,17 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.landing-dns-fwd-onprem-rev-10[0].google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: 10.in-addr.arpa.
     dnssec_config: []
     force_destroy: false
     forwarding_config:
-      - target_name_servers:
-          - forwarding_path: ""
-            ipv4_address: 10.10.10.10
+    - target_name_servers:
+      - forwarding_path: ''
+        ipv4_address: 10.10.10.10
     labels: null
     name: root-reverse-10
     peering_config: []
@@ -901,496 +895,496 @@ values:
     description: Terraform managed.
     gke_clusters: []
     networks:
-      - {}
-      - {}
+    - {}
+    - {}
     project: fast2-prod-net-landing-0
     response_policy_name: googleapis
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["accounts"]:
+    behavior: null
     dns_name: accounts.google.com.
     local_data:
-      - local_datas:
-          - name: accounts.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: accounts.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: accounts
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud"]:
+    behavior: null
     dns_name: backupdr.cloud.google.com.
     local_data:
-      - local_datas:
-          - name: backupdr.cloud.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: backupdr.cloud.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-cloud
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]
-  : behavior: null
-    dns_name: "*.backupdr.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-cloud-all"]:
+    behavior: null
+    dns_name: '*.backupdr.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.backupdr.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.backupdr.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-cloud-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu"]:
+    behavior: null
     dns_name: backupdr.googleusercontent.google.com.
     local_data:
-      - local_datas:
-          - name: backupdr.googleusercontent.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: backupdr.googleusercontent.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-gu
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]
-  : behavior: null
-    dns_name: "*.backupdr.googleusercontent.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["backupdr-gu-all"]:
+    behavior: null
+    dns_name: '*.backupdr.googleusercontent.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.backupdr.googleusercontent.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.backupdr.googleusercontent.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: backupdr-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]
-  : behavior: null
-    dns_name: "*.cloudfunctions.net."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudfunctions"]:
+    behavior: null
+    dns_name: '*.cloudfunctions.net.'
     local_data:
-      - local_datas:
-          - name: "*.cloudfunctions.net."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.cloudfunctions.net.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: cloudfunctions
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]
-  : behavior: null
-    dns_name: "*.cloudproxy.app."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["cloudproxy"]:
+    behavior: null
+    dns_name: '*.cloudproxy.app.'
     local_data:
-      - local_datas:
-          - name: "*.cloudproxy.app."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.cloudproxy.app.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: cloudproxy
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]
-  : behavior: null
-    dns_name: "*.composer.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-cloud-all"]:
+    behavior: null
+    dns_name: '*.composer.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.composer.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.composer.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: composer-cloud-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]
-  : behavior: null
-    dns_name: "*.composer.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["composer-gu-all"]:
+    behavior: null
+    dns_name: '*.composer.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.composer.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.composer.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: composer-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]
-  : behavior: null
-    dns_name: "*.datafusion.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-all"]:
+    behavior: null
+    dns_name: '*.datafusion.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.datafusion.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.datafusion.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: datafusion-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]
-  : behavior: null
-    dns_name: "*.datafusion.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["datafusion-gu-all"]:
+    behavior: null
+    dns_name: '*.datafusion.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.datafusion.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.datafusion.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: datafusion-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc"]:
+    behavior: null
     dns_name: dataproc.cloud.google.com.
     local_data:
-      - local_datas:
-          - name: dataproc.cloud.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: dataproc.cloud.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]
-  : behavior: null
-    dns_name: "*.dataproc.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-all"]:
+    behavior: null
+    dns_name: '*.dataproc.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.dataproc.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.dataproc.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu"]:
+    behavior: null
     dns_name: dataproc.googleusercontent.com.
     local_data:
-      - local_datas:
-          - name: dataproc.googleusercontent.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: dataproc.googleusercontent.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc-gu
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]
-  : behavior: null
-    dns_name: "*.dataproc.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dataproc-gu-all"]:
+    behavior: null
+    dns_name: '*.dataproc.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.dataproc.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.dataproc.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dataproc-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["dl"]:
+    behavior: null
     dns_name: dl.google.com.
     local_data:
-      - local_datas:
-          - name: dl.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: dl.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: dl
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr"]:
+    behavior: null
     dns_name: gcr.io.
     local_data:
-      - local_datas:
-          - name: gcr.io.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: gcr.io.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: gcr
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]
-  : behavior: null
-    dns_name: "*.gcr.io."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gcr-all"]:
+    behavior: null
+    dns_name: '*.gcr.io.'
     local_data:
-      - local_datas:
-          - name: "*.gcr.io."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.gcr.io.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: gcr-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]
-  : behavior: null
-    dns_name: "*.googleapis.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-all"]:
+    behavior: null
+    dns_name: '*.googleapis.com.'
     local_data:
-      - local_datas:
-          - name: "*.googleapis.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.googleapis.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: googleapis-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-private"]:
+    behavior: null
     dns_name: private.googleapis.com.
     local_data:
-      - local_datas:
-          - name: private.googleapis.com.
-            rrdatas:
-              - 199.36.153.8
-              - 199.36.153.9
-              - 199.36.153.10
-              - 199.36.153.11
-            ttl: null
-            type: A
+    - local_datas:
+      - name: private.googleapis.com.
+        rrdatas:
+        - 199.36.153.8
+        - 199.36.153.9
+        - 199.36.153.10
+        - 199.36.153.11
+        ttl: null
+        type: A
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: googleapis-private
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["googleapis-restricted"]:
+    behavior: null
     dns_name: restricted.googleapis.com.
     local_data:
-      - local_datas:
-          - name: restricted.googleapis.com.
-            rrdatas:
-              - 199.36.153.4
-              - 199.36.153.5
-              - 199.36.153.6
-              - 199.36.153.7
-            ttl: null
-            type: A
+    - local_datas:
+      - name: restricted.googleapis.com.
+        rrdatas:
+        - 199.36.153.4
+        - 199.36.153.5
+        - 199.36.153.6
+        - 199.36.153.7
+        ttl: null
+        type: A
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: googleapis-restricted
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]
-  : behavior: null
-    dns_name: "*.gstatic.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["gstatic-all"]:
+    behavior: null
+    dns_name: '*.gstatic.com.'
     local_data:
-      - local_datas:
-          - name: "*.gstatic.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.gstatic.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: gstatic-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu"]:
+    behavior: null
     dns_name: kernels.googleusercontent.com.
     local_data:
-      - local_datas:
-          - name: kernels.googleusercontent.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: kernels.googleusercontent.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: kernels-gu
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]
-  : behavior: null
-    dns_name: "*.kernels.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["kernels-gu-all"]:
+    behavior: null
+    dns_name: '*.kernels.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.kernels.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.kernels.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: kernels-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]
-  : behavior: null
-    dns_name: "*.notebooks.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-all"]:
+    behavior: null
+    dns_name: '*.notebooks.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.notebooks.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.notebooks.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: notebooks-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]
-  : behavior: null
-    dns_name: "*.notebooks.googleusercontent.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["notebooks-gu-all"]:
+    behavior: null
+    dns_name: '*.notebooks.googleusercontent.com.'
     local_data:
-      - local_datas:
-          - name: "*.notebooks.googleusercontent.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.notebooks.googleusercontent.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: notebooks-gu-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud"]:
+    behavior: null
     dns_name: packages.cloud.google.com.
     local_data:
-      - local_datas:
-          - name: packages.cloud.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: packages.cloud.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: packages-cloud
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]
-  : behavior: null
-    dns_name: "*.packages.cloud.google.com."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["packages-cloud-all"]:
+    behavior: null
+    dns_name: '*.packages.cloud.google.com.'
     local_data:
-      - local_datas:
-          - name: "*.packages.cloud.google.com."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.packages.cloud.google.com.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: packages-cloud-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev"]:
+    behavior: null
     dns_name: pkg.dev.
     local_data:
-      - local_datas:
-          - name: pkg.dev.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: pkg.dev.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkgdev
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]
-  : behavior: null
-    dns_name: "*.pkg.dev."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkgdev-all"]:
+    behavior: null
+    dns_name: '*.pkg.dev.'
     local_data:
-      - local_datas:
-          - name: "*.pkg.dev."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.pkg.dev.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkgdev-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog"]:
+    behavior: null
     dns_name: pki.goog.
     local_data:
-      - local_datas:
-          - name: pki.goog.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: pki.goog.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkigoog
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]
-  : behavior: null
-    dns_name: "*.pki.goog."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["pkigoog-all"]:
+    behavior: null
+    dns_name: '*.pki.goog.'
     local_data:
-      - local_datas:
-          - name: "*.pki.goog."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.pki.goog.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: pkigoog-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]
-  : behavior: null
-    dns_name: "*.run.app."
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["run-all"]:
+    behavior: null
+    dns_name: '*.run.app.'
     local_data:
-      - local_datas:
-          - name: "*.run.app."
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: '*.run.app.'
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: run-all
     timeouts: null
-  ? module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]
-  : behavior: null
+  module.landing-dns-policy-googleapis.google_dns_response_policy_rule.default["source"]:
+    behavior: null
     dns_name: source.developers.google.com.
     local_data:
-      - local_datas:
-          - name: source.developers.google.com.
-            rrdatas:
-              - private.googleapis.com.
-            ttl: null
-            type: CNAME
+    - local_datas:
+      - name: source.developers.google.com.
+        rrdatas:
+        - private.googleapis.com.
+        ttl: null
+        type: CNAME
     project: fast2-prod-net-landing-0
     response_policy: googleapis
     rule_name: source
     timeouts: null
   module.landing-dns-priv-gcp.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: gcp.example.com.
     dnssec_config: []
@@ -1403,20 +1397,20 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]
-  : managed_zone: gcp-example-com
+  module.landing-dns-priv-gcp.google_dns_record_set.dns_record_set["A localhost"]:
+    managed_zone: gcp-example-com
     name: localhost.gcp.example.com.
     project: fast2-prod-net-landing-0
     routing_policy: []
     rrdatas:
-      - 127.0.0.1
+    - 127.0.0.1
     ttl: 300
     type: A
-  ? module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]
-  : allow:
-      - ports:
-          - "22"
-        protocol: tcp
+  module.landing-firewall.google_compute_firewall.custom-rules["allow-hc-nva-ssh-landing"]:
+    allow:
+    - ports:
+      - '22'
+      protocol: tcp
     deny: []
     description: Allow traffic from Google healthchecks to NVA appliances
     direction: INGRESS
@@ -1427,20 +1421,20 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 130.211.0.0/22
-      - 209.85.152.0/22
-      - 209.85.204.0/22
-      - 35.191.0.0/16
+    - 130.211.0.0/22
+    - 209.85.152.0/22
+    - 209.85.204.0/22
+    - 35.191.0.0/16
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]
-  : allow:
-      - ports:
-          - "179"
-        protocol: tcp
+  module.landing-firewall.google_compute_firewall.custom-rules["allow-ncc-nva-bgp-landing"]:
+    allow:
+    - ports:
+      - '179'
+      protocol: tcp
     deny: []
     description: Allow BGP traffic from NCC Cloud Routers to NVAs
     direction: INGRESS
@@ -1451,21 +1445,21 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 10.128.64.201/32
-      - 10.128.64.202/32
-      - 10.128.96.201/32
-      - 10.128.96.202/32
+    - 10.128.64.201/32
+    - 10.128.64.202/32
+    - 10.128.96.201/32
+    - 10.128.96.202/32
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags:
-      - nva
+    - nva
     timeouts: null
-  ? module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]
-  : allow:
-      - ports:
-          - "12345"
-        protocol: tcp
+  module.landing-firewall.google_compute_firewall.custom-rules["allow-onprem-probes-landing-example"]:
+    allow:
+    - ports:
+      - '12345'
+      protocol: tcp
     deny: []
     description: Allow traffic from onprem probes
     direction: INGRESS
@@ -1476,28 +1470,28 @@ values:
     priority: 1000
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 10.255.255.254/32
+    - 10.255.255.254/32
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]
-  : allow: []
+  module.landing-firewall.google_compute_firewall.custom-rules["landing-ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: landing-ingress-default-deny
     network: prod-landing-0
     priority: 65535
     project: fast2-prod-net-landing-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
@@ -1518,8 +1512,8 @@ values:
     enable_endpoint_independent_mapping: true
     icmp_idle_timeout_sec: 30
     log_config:
-      - enable: false
-        filter: ALL
+    - enable: false
+      filter: ALL
     max_ports_per_vm: null
     name: ew1
     nat_ip_allocate_option: AUTO_ONLY
@@ -1534,6 +1528,7 @@ values:
     tcp_time_wait_timeout_sec: 120
     tcp_transitory_idle_timeout_sec: 30
     timeouts: null
+    type: PUBLIC
     udp_idle_timeout_sec: 30
   module.landing-nat-secondary[0].google_compute_router.router[0]:
     bgp: []
@@ -1550,8 +1545,8 @@ values:
     enable_endpoint_independent_mapping: true
     icmp_idle_timeout_sec: 30
     log_config:
-      - enable: false
-        filter: ALL
+    - enable: false
+      filter: ALL
     max_ports_per_vm: null
     name: ew4
     nat_ip_allocate_option: AUTO_ONLY
@@ -1566,9 +1561,10 @@ values:
     tcp_time_wait_timeout_sec: 120
     tcp_transitory_idle_timeout_sec: 30
     timeouts: null
+    type: PUBLIC
     udp_idle_timeout_sec: 30
-  ? module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]
-  : project: fast2-prod-net-landing-0
+  module.landing-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    project: fast2-prod-net-landing-0
     timeouts: null
   module.landing-project.google_project.project[0]:
     auto_create_network: false
@@ -1580,70 +1576,70 @@ values:
     project_id: fast2-prod-net-landing-0
     skip_delete: false
     timeouts: null
-  ? module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]
-  : condition: []
+  module.landing-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/foo"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-landing-0
     role: organizations/123456789012/roles/foo
-  ? module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]
-  : condition: []
+  module.landing-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-landing-0
     role: roles/dns.admin
-  ? module.landing-project.google_project_service.project_services["compute.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: compute.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["dns.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["dns.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: dns.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["iap.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["iap.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["networkconnectivity.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: networkconnectivity.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: networkmanagement.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  module.landing-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-landing-0
     service: stackdriver.googleapis.com
     timeouts: null
-  ? module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]
-  : project: fast2-prod-net-landing-0
+  module.landing-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+    project: fast2-prod-net-landing-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-primary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
+    description: Terraform managed external VPN gateway
     interface:
-      - id: 0
-        ip_address: 8.8.8.8
+    - id: 0
+      ip_address: 8.8.8.8
     labels: null
     name: vpn-to-onprem-ew1-default
     project: fast2-prod-net-landing-0
     redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-primary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]:
+    description: Terraform managed external VPN gateway
     name: vpn-to-onprem-ew1
     project: fast2-prod-net-landing-0
     region: europe-west1
@@ -1651,25 +1647,25 @@ values:
     timeouts: null
   module.landing-to-onprem-primary-vpn[0].google_compute_router.router[0]:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: gcp
-            range: 10.1.0.0/16
-          - description: gcp-restricted
-            range: 199.36.153.4/30
-          - description: gcp-dns
-            range: 35.199.192.0/19
-        asn: 65501
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: gcp
+        range: 10.1.0.0/16
+      - description: gcp-restricted
+        range: 199.36.153.4/30
+      - description: gcp-dns
+        range: 35.199.192.0/19
+      asn: 65501
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: vpn-vpn-to-onprem-ew1
     project: fast2-prod-net-landing-0
     region: europe-west1
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["0"]:
+    interconnect_attachment: null
     ip_range: 169.254.1.2/30
     name: vpn-to-onprem-ew1-0
     private_ip_address: null
@@ -1679,8 +1675,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew1-0
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_interface.router_interface["1"]:
+    interconnect_attachment: null
     ip_range: 169.254.2.2/30
     name: vpn-to-onprem-ew1-1
     private_ip_address: null
@@ -1690,8 +1686,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew1-1
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1707,8 +1703,8 @@ values:
     router: vpn-vpn-to-onprem-ew1
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-primary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1724,8 +1720,8 @@ values:
     router: vpn-vpn-to-onprem-ew1
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]
-  : description: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew1-0
@@ -1738,8 +1734,8 @@ values:
     target_vpn_gateway: null
     timeouts: null
     vpn_gateway_interface: 0
-  ? module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]
-  : description: null
+  module.landing-to-onprem-primary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew1-1
@@ -1756,18 +1752,18 @@ values:
     byte_length: 8
     keepers: null
     prefix: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-secondary-vpn[0].google_compute_external_vpn_gateway.external_gateway["default"]:
+    description: Terraform managed external VPN gateway
     interface:
-      - id: 0
-        ip_address: 8.8.4.4
+    - id: 0
+      ip_address: 8.8.4.4
     labels: null
     name: vpn-to-onprem-ew4-default
     project: fast2-prod-net-landing-0
     redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]
-  : description: Terraform managed external VPN gateway
+  module.landing-to-onprem-secondary-vpn[0].google_compute_ha_vpn_gateway.ha_gateway[0]:
+    description: Terraform managed external VPN gateway
     name: vpn-to-onprem-ew4
     project: fast2-prod-net-landing-0
     region: europe-west4
@@ -1775,25 +1771,25 @@ values:
     timeouts: null
   module.landing-to-onprem-secondary-vpn[0].google_compute_router.router[0]:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: gcp
-            range: 10.1.0.0/16
-          - description: gcp-restricted
-            range: 199.36.153.4/30
-          - description: gcp-dns
-            range: 35.199.192.0/19
-        asn: 65501
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: gcp
+        range: 10.1.0.0/16
+      - description: gcp-restricted
+        range: 199.36.153.4/30
+      - description: gcp-dns
+        range: 35.199.192.0/19
+      asn: 65501
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: vpn-vpn-to-onprem-ew4
     project: fast2-prod-net-landing-0
     region: europe-west4
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["0"]:
+    interconnect_attachment: null
     ip_range: 169.254.3.2/30
     name: vpn-to-onprem-ew4-0
     private_ip_address: null
@@ -1803,8 +1799,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew4-0
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]
-  : interconnect_attachment: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_interface.router_interface["1"]:
+    interconnect_attachment: null
     ip_range: 169.254.4.2/30
     name: vpn-to-onprem-ew4-1
     private_ip_address: null
@@ -1814,8 +1810,8 @@ values:
     subnetwork: null
     timeouts: null
     vpn_tunnel: vpn-to-onprem-ew4-1
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["0"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1831,8 +1827,8 @@ values:
     router: vpn-vpn-to-onprem-ew4
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]
-  : advertise_mode: DEFAULT
+  module.landing-to-onprem-secondary-vpn[0].google_compute_router_peer.bgp_peer["1"]:
+    advertise_mode: DEFAULT
     advertised_groups: []
     advertised_ip_ranges: []
     advertised_route_priority: 1000
@@ -1848,8 +1844,8 @@ values:
     router: vpn-vpn-to-onprem-ew4
     router_appliance_instance: null
     timeouts: null
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]
-  : description: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["0"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew4-0
@@ -1862,8 +1858,8 @@ values:
     target_vpn_gateway: null
     timeouts: null
     vpn_gateway_interface: 0
-  ? module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]
-  : description: null
+  module.landing-to-onprem-secondary-vpn[0].google_compute_vpn_tunnel.tunnels["1"]:
+    description: null
     ike_version: 2
     labels: null
     name: vpn-to-onprem-ew4-1
@@ -1917,8 +1913,8 @@ values:
     project: fast2-prod-net-landing-0
     tags: null
     timeouts: null
-  ? module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]
-  : description: Default europe-west1 subnet for landing
+  module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west1/landing-default"]:
+    description: Default europe-west1 subnet for landing
     ip_cidr_range: 10.64.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -1930,8 +1926,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]
-  : description: Default europe-west4 subnet for landing
+  module.landing-vpc.google_compute_subnetwork.subnetwork["europe-west4/landing-default"]:
+    description: Default europe-west4 subnet for landing
     ip_cidr_range: 10.80.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -1950,7 +1946,7 @@ values:
     enable_logging: null
     name: prod-landing-0
     networks:
-      - {}
+    - {}
     project: fast2-prod-net-landing-0
     timeouts: null
   module.nva["primary-b"].google_compute_instance.default[0]:
@@ -1958,15 +1954,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -1976,8 +1972,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2148,7 +2143,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2162,44 +2159,44 @@ values:
     metadata_startup_script: null
     name: nva-ew1-b
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.128.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.0.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.128.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.0.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west1-b
   module.nva["primary-c"].google_compute_instance.default[0]:
@@ -2207,15 +2204,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -2225,8 +2222,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2397,7 +2393,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2411,44 +2409,44 @@ values:
     metadata_startup_script: null
     name: nva-ew1-c
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.128.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.64.0.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.128.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.64.0.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west1-c
   module.nva["secondary-b"].google_compute_instance.default[0]:
@@ -2456,15 +2454,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -2474,8 +2472,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2646,7 +2643,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2660,44 +2659,44 @@ values:
     metadata_startup_script: null
     name: nva-ew4-b
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.128.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.0.101
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.128.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.0.101
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west4-b
   module.nva["secondary-c"].google_compute_instance.default[0]:
@@ -2705,15 +2704,15 @@ values:
     allow_stopping_for_update: true
     attached_disk: []
     boot_disk:
-      - auto_delete: true
-        disk_encryption_key_raw: null
-        initialize_params:
-          - enable_confidential_compute: null
-            image: projects/cos-cloud/global/images/family/cos-stable
-            resource_manager_tags: null
-            size: 10
-            type: pd-balanced
-        mode: READ_WRITE
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: projects/cos-cloud/global/images/family/cos-stable
+        resource_manager_tags: null
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
     can_ip_forward: true
     deletion_protection: false
     description: Managed by the compute-vm Terraform module.
@@ -2723,8 +2722,7 @@ values:
     labels: null
     machine_type: e2-standard-2
     metadata:
-      user-data:
-        "#cloud-config\n\n# Copyright 2023 Google LLC\n#\n# Licensed under\
+      user-data: "#cloud-config\n\n# Copyright 2024 Google LLC\n#\n# Licensed under\
         \ the Apache License, Version 2.0 (the \"License\");\n# you may not use this\
         \ file except in compliance with the License.\n# You may obtain a copy of\
         \ the License at\n#\n#     https://www.apache.org/licenses/LICENSE-2.0\n#\n\
@@ -2895,7 +2893,9 @@ values:
         \    permissions: 0744\n    owner: root\n    content: |\n      iptables --policy\
         \ FORWARD ACCEPT\n      /var/run/nva/policy_based_routing.sh eth0 &>/dev/null\
         \ &\n      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n      ip\
-        \ route add 10.64.127.0/17 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ route add 35.235.240.0/20 via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
+        \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.64.127.0/17\
+        \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      ip route add 10.80.127.0/17\
         \ via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/gateway\
         \ -H \"Metadata-Flavor:Google\"` dev eth0\n      /var/run/nva/policy_based_routing.sh\
@@ -2909,44 +2909,44 @@ values:
     metadata_startup_script: null
     name: nva-ew4-c
     network_interface:
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.128.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
-      - access_config: []
-        alias_ip_range: []
-        ipv6_access_config: []
-        network_ip: 10.80.0.102
-        nic_type: null
-        queue_count: null
-        security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.128.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network_ip: 10.80.0.102
+      nic_type: null
+      queue_count: null
+      security_policy: null
     network_performance_config: []
     params: []
     project: fast2-prod-net-landing-0
     resource_policies: null
     scheduling:
-      - automatic_restart: true
-        instance_termination_action: null
-        local_ssd_recovery_timeout: []
-        maintenance_interval: null
-        max_run_duration: []
-        min_node_cpus: null
-        node_affinities: []
-        on_host_maintenance: MIGRATE
-        preemptible: false
-        provisioning_model: STANDARD
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
     scratch_disk: []
     service_account:
-      - scopes:
-          - https://www.googleapis.com/auth/devstorage.read_only
-          - https://www.googleapis.com/auth/logging.write
-          - https://www.googleapis.com/auth/monitoring.write
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
     shielded_instance_config: []
     tags:
-      - nva
+    - nva
     timeouts: null
     zone: europe-west4-c
   module.peering-dev.google_compute_network_peering.local_network_peering:
@@ -2977,9 +2977,9 @@ values:
     import_subnet_routes_with_public_ip: null
     stack_type: IPV4_ONLY
     timeouts: null
-  ? module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]
-  : cloud_logging_config:
-      - enable_logging: false
+  module.prod-dns-peer-landing-rev-10.google_dns_managed_zone.dns_managed_zone[0]:
+    cloud_logging_config:
+    - enable_logging: false
     description: Terraform managed.
     dns_name: 10.in-addr.arpa.
     dnssec_config: []
@@ -2994,7 +2994,7 @@ values:
     visibility: private
   module.prod-dns-peer-landing-root.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: .
     dnssec_config: []
@@ -3009,7 +3009,7 @@ values:
     visibility: private
   module.prod-dns-private-zone.google_dns_managed_zone.dns_managed_zone[0]:
     cloud_logging_config:
-      - enable_logging: false
+    - enable_logging: false
     description: Terraform managed.
     dns_name: prod.gcp.example.com.
     dnssec_config: []
@@ -3022,41 +3022,41 @@ values:
     service_directory_config: []
     timeouts: null
     visibility: private
-  ? module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]
-  : managed_zone: prod-gcp-example-com
+  module.prod-dns-private-zone.google_dns_record_set.dns_record_set["A localhost"]:
+    managed_zone: prod-gcp-example-com
     name: localhost.prod.gcp.example.com.
     project: fast2-prod-net-spoke-0
     routing_policy: []
     rrdatas:
-      - 127.0.0.1
+    - 127.0.0.1
     ttl: 300
     type: A
-  ? module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]
-  : allow: []
+  module.prod-spoke-firewall.google_compute_firewall.custom-rules["ingress-default-deny"]:
+    allow: []
     deny:
-      - ports: []
-        protocol: all
+    - ports: []
+      protocol: all
     description: Deny and log any unmatched ingress traffic.
     direction: INGRESS
     disabled: false
     log_config:
-      - metadata: EXCLUDE_ALL_METADATA
+    - metadata: EXCLUDE_ALL_METADATA
     name: ingress-default-deny
     network: prod-spoke-0
     priority: 65535
     project: fast2-prod-net-spoke-0
     source_ranges:
-      - 0.0.0.0/0
+    - 0.0.0.0/0
     source_service_accounts: null
     source_tags: null
     target_service_accounts: null
     target_tags: null
     timeouts: null
-  ? module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]
-  : project: fast2-prod-net-spoke-0
+  module.prod-spoke-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+    project: fast2-prod-net-spoke-0
     timeouts: null
-  ? module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]
-  : metrics_scope: fast2-prod-net-landing-0
+  module.prod-spoke-project.google_monitoring_monitored_project.primary["fast2-prod-net-landing-0"]:
+    metrics_scope: fast2-prod-net-landing-0
     name: fast2-prod-net-spoke-0
     timeouts: null
   module.prod-spoke-project.google_project.project[0]:
@@ -3069,73 +3069,73 @@ values:
     project_id: fast2-prod-net-spoke-0
     skip_delete: false
     timeouts: null
-  ? module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]
-  : condition: []
+  module.prod-spoke-project.google_project_iam_binding.authoritative["roles/dns.admin"]:
+    condition: []
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-spoke-0
     role: roles/dns.admin
-  ? module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]
-  : condition:
-      - description: Production host project delegated grants.
-        expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
-        title: prod_stage3_sa_delegated_grants
+  module.prod-spoke-project.google_project_iam_binding.bindings["sa_delegated_grants"]:
+    condition:
+    - description: Production host project delegated grants.
+      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/composer.sharedVpcAgent','roles/compute.networkUser','roles/compute.networkViewer','roles/container.hostServiceAgentUser','roles/multiclusterservicediscovery.serviceAgent','roles/vpcaccess.user'])
+      title: prod_stage3_sa_delegated_grants
     members:
-      - serviceAccount:string
+    - serviceAccount:string
     project: fast2-prod-net-spoke-0
     role: roles/resourcemanager.projectIamAdmin
   module.prod-spoke-project.google_project_iam_member.servicenetworking[0]:
     condition: []
     project: fast2-prod-net-spoke-0
     role: roles/servicenetworking.serviceAgent
-  ? module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: compute.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["dns.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: dns.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["iap.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: networkmanagement.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: servicenetworking.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: stackdriver.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]
-  : disable_dependent_services: false
+  module.prod-spoke-project.google_project_service.project_services["vpcaccess.googleapis.com"]:
+    disable_dependent_services: false
     disable_on_destroy: false
     project: fast2-prod-net-spoke-0
     service: vpcaccess.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]
-  : project: fast2-prod-net-spoke-0
+  module.prod-spoke-project.google_project_service_identity.jit_si["iap.googleapis.com"]:
+    project: fast2-prod-net-spoke-0
     service: iap.googleapis.com
     timeouts: null
-  ? module.prod-spoke-project.google_project_service_identity.servicenetworking[0]
-  : project: fast2-prod-net-spoke-0
+  module.prod-spoke-project.google_project_service_identity.servicenetworking[0]:
+    project: fast2-prod-net-spoke-0
     service: servicenetworking.googleapis.com
     timeouts: null
   module.prod-spoke-vpc.google_compute_network.network[0]:
@@ -3175,8 +3175,8 @@ values:
     project: fast2-prod-net-spoke-0
     tags: null
     timeouts: null
-  ? module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]
-  : description: Default europe-west1 subnet for prod
+  module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west1/prod-default"]:
+    description: Default europe-west1 subnet for prod
     ip_cidr_range: 10.72.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -3188,8 +3188,8 @@ values:
     role: null
     secondary_ip_range: []
     timeouts: null
-  ? module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]
-  : description: Default europe-west4 subnet for prod
+  module.prod-spoke-vpc.google_compute_subnetwork.subnetwork["europe-west4/prod-default"]:
+    description: Default europe-west4 subnet for prod
     ip_cidr_range: 10.88.0.0/24
     ipv6_access_type: null
     log_config: []
@@ -3208,18 +3208,18 @@ values:
     enable_logging: true
     name: prod-spoke-0
     networks:
-      - {}
+    - {}
     project: fast2-prod-net-spoke-0
     timeouts: null
   module.spokes-dmz["primary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: Default route.
-            range: 0.0.0.0/0
-        asn: 64512
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: Default route.
+        range: 0.0.0.0/0
+      asn: 64512
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-dmz-ew1-cr
@@ -3306,10 +3306,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west1
@@ -3318,13 +3318,13 @@ values:
     timeouts: null
   module.spokes-dmz["secondary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: Default route.
-            range: 0.0.0.0/0
-        asn: 64512
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: Default route.
+        range: 0.0.0.0/0
+      asn: 64512
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-dmz-ew4-cr
@@ -3411,10 +3411,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west4
@@ -3423,23 +3423,23 @@ values:
     timeouts: null
   module.spokes-landing["primary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: GCP landing primary.
-            range: 10.64.0.0/17
-          - description: GCP dev primary.
-            range: 10.68.0.0/16
-          - description: GCP prod primary.
-            range: 10.72.0.0/16
-          - description: GCP landing secondary.
-            range: 10.80.0.0/17
-          - description: GCP dev secondary.
-            range: 10.84.0.0/16
-          - description: GCP prod secondary.
-            range: 10.88.0.0/16
-        asn: 64515
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: GCP landing primary.
+        range: 10.64.0.0/17
+      - description: GCP dev primary.
+        range: 10.68.0.0/16
+      - description: GCP prod primary.
+        range: 10.72.0.0/16
+      - description: GCP landing secondary.
+        range: 10.80.0.0/17
+      - description: GCP dev secondary.
+        range: 10.84.0.0/16
+      - description: GCP prod secondary.
+        range: 10.88.0.0/16
+      asn: 64515
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-landing-ew1-cr
@@ -3526,10 +3526,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west1
@@ -3538,23 +3538,23 @@ values:
     timeouts: null
   module.spokes-landing["secondary"].google_compute_router.cr:
     bgp:
-      - advertise_mode: CUSTOM
-        advertised_groups: []
-        advertised_ip_ranges:
-          - description: GCP landing primary.
-            range: 10.64.0.0/17
-          - description: GCP dev primary.
-            range: 10.68.0.0/16
-          - description: GCP prod primary.
-            range: 10.72.0.0/16
-          - description: GCP landing secondary.
-            range: 10.80.0.0/17
-          - description: GCP dev secondary.
-            range: 10.84.0.0/16
-          - description: GCP prod secondary.
-            range: 10.88.0.0/16
-        asn: 64515
-        keepalive_interval: 20
+    - advertise_mode: CUSTOM
+      advertised_groups: []
+      advertised_ip_ranges:
+      - description: GCP landing primary.
+        range: 10.64.0.0/17
+      - description: GCP dev primary.
+        range: 10.68.0.0/16
+      - description: GCP prod primary.
+        range: 10.72.0.0/16
+      - description: GCP landing secondary.
+        range: 10.80.0.0/17
+      - description: GCP dev secondary.
+        range: 10.84.0.0/16
+      - description: GCP prod secondary.
+        range: 10.88.0.0/16
+      asn: 64515
+      keepalive_interval: 20
     description: null
     encrypted_interconnect_router: null
     name: prod-spoke-landing-ew4-cr
@@ -3641,10 +3641,10 @@ values:
     labels: null
     linked_interconnect_attachments: []
     linked_router_appliance_instances:
-      - instances:
-          - {}
-          - {}
-        site_to_site_data_transfer: false
+    - instances:
+      - {}
+      - {}
+      site_to_site_data_transfer: false
     linked_vpc_network: []
     linked_vpn_tunnels: []
     location: europe-west4
@@ -3702,3 +3702,4 @@ outputs:
   shared_vpc_self_links: __missing__
   tfvars: __missing__
   vpn_gateway_endpoints: __missing__
+

From 01533a4a66da722574991229c4803bf426dd9908 Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Fri, 10 May 2024 07:56:11 +0200
Subject: [PATCH 19/29] update changelog

---
 CHANGELOG.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ac785d99a9..6c2177cdbc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file.
 
 ### BLUEPRINTS
 
+- [[#2243](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2243)] Added new attributes Apigee organization and bumped up providers version ([apichick](https://github.com/apichick)) <!-- 2024-04-28 15:31:42+00:00 -->
+- [[#2239](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2239)] Update README.md ([vicenteg](https://github.com/vicenteg)) <!-- 2024-04-25 23:14:32+00:00 -->
+- [[#2230](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2230)] docs: :memo: fix error in phpIPAM terraform config by updating VPC pe… ([PapaPeskwo](https://github.com/PapaPeskwo)) <!-- 2024-04-22 10:55:03+00:00 -->
 - [[#2227](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2227)] Bump golang.org/x/net from 0.17.0 to 0.23.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 2024-04-19 12:26:14+00:00 -->
 - [[#2228](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2228)] Bump golang.org/x/net from 0.17.0 to 0.23.0 in /blueprints/cloud-operations/unmanaged-instances-healthcheck/function/restarter ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 2024-04-19 12:25:52+00:00 -->
 - [[#2226](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2226)] fix cloud sql PSA after module upgrade ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-04-19 10:41:02+00:00 -->
@@ -29,6 +32,10 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->
+- [[#2253](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2253)] Misc FAST fixes ([juliocc](https://github.com/juliocc)) <!-- 2024-05-02 06:56:26+00:00 -->
+- [[#2235](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2235)] Update FAST logging ([juliocc](https://github.com/juliocc)) <!-- 2024-04-25 06:31:52+00:00 -->
+- [[#2233](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2233)] Fix permissions for branch network dev - read sa ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-04-23 13:19:39+00:00 -->
 - [[#2221](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2221)] Enable TFLint in FAST stages ([juliocc](https://github.com/juliocc)) <!-- 2024-04-18 08:06:24+00:00 -->
 - [[#2220](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2220)] Add tflint to pipelines ([juliocc](https://github.com/juliocc)) <!-- 2024-04-17 08:23:49+00:00 -->
 - [[#2218](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2218)] **incompatible change:** Allow multiple PSA service providers in net-vpc module ([ludoo](https://github.com/ludoo)) <!-- 2024-04-16 15:02:36+00:00 -->
@@ -46,6 +53,19 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2262](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2262)] Make Simple NVA route IAP traffic through NIC 0 ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 16:29:25+00:00 -->
+- [[#2261](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2261)] Add Hybrid NAT support ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 13:24:41+00:00 -->
+- [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->
+- [[#2247](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2247)] Fix workstation-cluster module for private deployment ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-05-02 06:09:10+00:00 -->
+- [[#2252](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2252)] Add support for labels to GKE backup plans ([ludoo](https://github.com/ludoo)) <!-- 2024-05-01 18:20:22+00:00 -->
+- [[#2251](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2251)] Fix factory ingress policy services in vpc-sc module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-01 16:50:30+00:00 -->
+- [[#2248](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2248)] Added missing identity when connectors API is enabled ([jnahelou](https://github.com/jnahelou)) <!-- 2024-04-30 17:21:35+00:00 -->
+- [[#2246](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2246)] Fixed issue with service networking DNS peering ([apichick](https://github.com/apichick)) <!-- 2024-04-28 20:18:02+00:00 -->
+- [[#2243](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2243)] Added new attributes Apigee organization and bumped up providers version ([apichick](https://github.com/apichick)) <!-- 2024-04-28 15:31:42+00:00 -->
+- [[#2244](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2244)] **incompatible change:** Removed BFD settings from net-vpn-ha module as it is not supported ([apichick](https://github.com/apichick)) <!-- 2024-04-28 10:11:08+00:00 -->
+- [[#2241](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2241)] Use default labels on pubsub subscription when no override is provided ([wiktorn](https://github.com/wiktorn)) <!-- 2024-04-27 07:22:41+00:00 -->
+- [[#2238](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2238)] fix: allow disabling node autoprovisioning ([kumadee](https://github.com/kumadee)) <!-- 2024-04-26 07:17:48+00:00 -->
+- [[#2234](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2234)] Added build environment variables in cloud function v1 ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2024-04-23 17:20:38+00:00 -->
 - [[#2229](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2229)] **incompatible change:** Refactor vpc-sc support in project module, add support for dry run ([ludoo](https://github.com/ludoo)) <!-- 2024-04-22 07:28:01+00:00 -->
 - [[#2226](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2226)] fix cloud sql PSA after module upgrade ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-04-19 10:41:02+00:00 -->
 - [[#2224](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2224)] added missing option for exclusion scope ([cmalpe](https://github.com/cmalpe)) <!-- 2024-04-18 11:12:16+00:00 -->

From 2b6c81f73d1851068e1eab027130c1457ec2a170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Fri, 10 May 2024 09:54:19 +0200
Subject: [PATCH 20/29] Update docs - gcp-network-admins ->
 gcp-vpc-network-admins

---
 fast/stages/0-bootstrap/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 5d456302f5..758eac468f 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -276,7 +276,7 @@ Before the first run, the following IAM groups must exist to allow IAM bindings
 
 - `gcp-billing-admins`
 - `gcp-devops`
-- `gcp-network-admins`
+- `gcp-vpc-network-admins`
 - `gcp-organization-admins`
 - `gcp-security-admins`
 

From 5b3ed10cdadbd7f082b8b13b94c297de5c2ee536 Mon Sep 17 00:00:00 2001
From: Jan Van Bruggen <JanCVanB@users.noreply.github.com>
Date: Fri, 10 May 2024 16:19:35 -0600
Subject: [PATCH 21/29] Fix bug from output typo in new project-factory module
 (#2264)

`local.folders` is just a map of var-based keys to string manipulations on those keys, while `local.hierarchy` is the seemingly-intended map of var-based keys to generated IDs/numbers.

see
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/modules/project-factory/factory-folders.tf#L32
vs.
https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/modules/project-factory/factory-folders.tf#L39

Thank you for recently developing this convenient module!
---
 modules/project-factory/outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/project-factory/outputs.tf b/modules/project-factory/outputs.tf
index 9f49ebe986..5040e76671 100644
--- a/modules/project-factory/outputs.tf
+++ b/modules/project-factory/outputs.tf
@@ -16,7 +16,7 @@
 
 output "folders" {
   description = "Folder ids."
-  value       = local.folders
+  value       = local.hierarchy
 }
 
 output "projects" {

From 35a17a46ba99b4845fcc9a7ea6b140c254ea142e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sat, 11 May 2024 15:19:09 +0000
Subject: [PATCH 22/29] Fix failing E2E tests

---
 modules/net-vpc/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index d29251cc96..fb115804c2 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -299,10 +299,12 @@ module "vpc" {
     {
       ranges = { myrange = "10.0.1.0/24" }
       # service_producer = "servicenetworking.googleapis.com" # default value
+      deletion_policy = "ABANDON"
     },
     {
       ranges           = { netapp = "10.0.2.0/24" }
       service_producer = "netapp.servicenetworking.goog"
+      deletion_policy  = "ABANDON"
     }
   ]
 }

From 6a3c7fe4445ca3f801db6a7d19cdd47587fe6a35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sun, 12 May 2024 12:00:39 +0200
Subject: [PATCH 23/29] CloudSQL PSC Endpoints support (#2242)

* Add PSC endpoints consumers to net-address
* Cloud SQL E2E tests
---
 modules/cloudsql-instance/README.md           | 175 ++++++++++--------
 modules/cloudsql-instance/variables.tf        |   2 +-
 modules/net-address/README.md                 |  25 ++-
 modules/net-address/main.tf                   |  42 +----
 modules/net-address/psc.tf                    | 102 ++++++++++
 modules/net-address/variables.tf              |  26 ++-
 tests/collectors.py                           |  11 +-
 tests/examples/variables.tf                   |   2 +-
 .../setup_module/e2e_tests.tfvars.tftpl       |   6 +
 tests/examples_e2e/setup_module/main.tf       |  46 ++++-
 tests/fixtures.py                             |  11 +-
 tests/fixtures/cloudsql-instance.tf           |  33 ++++
 tests/fixtures/cloudsql-kms-iam-grant.tf      |  23 +++
 .../cloudsql_instance/examples/insights.yaml  |   4 +-
 .../cloudsql_instance/examples/psc.yaml       |  38 ++++
 .../cloudsql_instance/examples/public-ip.yaml |  25 +--
 .../cloudsql_instance/examples/replicas.yaml  |   2 +-
 .../cloudsql_instance/examples/simple.yaml    |  40 ++--
 .../examples/psc-service-attachment.yaml      |  29 +++
 19 files changed, 464 insertions(+), 178 deletions(-)
 create mode 100644 modules/net-address/psc.tf
 create mode 100644 tests/fixtures/cloudsql-instance.tf
 create mode 100644 tests/fixtures/cloudsql-kms-iam-grant.tf
 create mode 100644 tests/modules/cloudsql_instance/examples/psc.yaml
 create mode 100644 tests/modules/net_address/examples/psc-service-attachment.yaml

diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index c1474cec1a..6ecf42a32d 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -1,4 +1,4 @@
-# Cloud SQL instance with read replicas
+# Cloud SQL instance module
 
 This module manages the creation of Cloud SQL instances with potential read replicas in other regions. It can also create an initial set of users and databases via the `users` and `databases` parameters.
 
@@ -6,7 +6,24 @@ Note that this module assumes that some options are the same for both the primar
 
 *Warning:* if you use the `users` field, you terraform state will contain each user's password in plain text.
 
-## Simple example
+<!-- BEGIN TOC -->
+- [Examples](#examples)
+  - [Simple example](#simple-example)
+  - [Cross-regional read replica](#cross-regional-read-replica)
+  - [Custom flags, databases and users](#custom-flags-databases-and-users)
+  - [CMEK encryption](#cmek-encryption)
+  - [Instance with PSC enabled](#instance-with-psc-enabled)
+  - [Enable public IP](#enable-public-ip)
+  - [Query Insights](#query-insights)
+  - [Maintenance Config](#maintenance-config)
+  - [SSL Config](#ssl-config)
+- [Variables](#variables)
+- [Outputs](#outputs)
+- [Fixtures](#fixtures)
+<!-- END TOC -->
+
+## Examples
+### Simple example
 
 This example shows how to setup a project, VPC and a standalone Cloud SQL instance.
 
@@ -14,10 +31,12 @@ This example shows how to setup a project, VPC and a standalone Cloud SQL instan
 module "project" {
   source          = "./fabric/modules/project"
   billing_account = var.billing_account_id
-  parent          = var.organization_id
-  name            = "my-db-project"
+  parent          = var.folder_id
+  name            = "db-prj"
+  prefix          = var.prefix
   services = [
-    "servicenetworking.googleapis.com"
+    "servicenetworking.googleapis.com",
+    "sqladmin.googleapis.com",
   ]
 }
 
@@ -25,9 +44,18 @@ module "vpc" {
   source     = "./fabric/modules/net-vpc"
   project_id = module.project.project_id
   name       = "my-network"
+  # need only one - psa_config or subnets_psc
   psa_configs = [{
-    ranges = { cloud-sql = "10.60.0.0/16" }
+    ranges          = { cloud-sql = "10.60.0.0/16" }
+    deletion_policy = "ABANDON"
   }]
+  subnets_psc = [
+    {
+      ip_cidr_range = "10.0.3.0/24"
+      name          = "psc"
+      region        = var.region
+    }
+  ]
 }
 
 module "db" {
@@ -38,17 +66,20 @@ module "db" {
       psa_config = {
         private_network = module.vpc.self_link
       }
+      # psc_allowed_consumer_projects = [var.project_id]
     }
   }
-  name             = "db"
-  region           = "europe-west1"
-  database_version = "POSTGRES_13"
-  tier             = "db-g1-small"
+  name                          = "db"
+  region                        = var.region
+  database_version              = "POSTGRES_13"
+  tier                          = "db-g1-small"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=3 resources=11 inventory=simple.yaml
+# tftest modules=3 resources=14 inventory=simple.yaml e2e
 ```
 
-## Cross-regional read replica
+### Cross-regional read replica
 
 ```hcl
 module "db" {
@@ -61,21 +92,23 @@ module "db" {
       }
     }
   }
-  prefix           = "myprefix"
   name             = "db"
-  region           = "europe-west1"
+  prefix           = "myprefix"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
   replicas = {
-    replica1 = { region = "europe-west3", encryption_key_name = null }
-    replica2 = { region = "us-central1", encryption_key_name = null }
+    replica1 = { region = "europe-west3" }
+    replica2 = { region = "us-central1" }
   }
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=3 inventory=replicas.yaml
+# tftest modules=1 resources=3 inventory=replicas.yaml e2e
 ```
 
-## Custom flags, databases and users
+### Custom flags, databases and users
 
 ```hcl
 module "db" {
@@ -89,7 +122,7 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "MYSQL_8_0"
   tier             = "db-g1-small"
 
@@ -112,47 +145,19 @@ module "db" {
       password = "mypassword"
     }
   }
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=6 inventory=custom.yaml
+# tftest modules=1 resources=6 inventory=custom.yaml e2e
 ```
 
 ### CMEK encryption
 
 ```hcl
-
-module "project" {
-  source          = "./fabric/modules/project"
-  billing_account = var.billing_account_id
-  parent          = var.organization_id
-  name            = "my-db-project"
-  services = [
-    "servicenetworking.googleapis.com",
-    "sqladmin.googleapis.com",
-  ]
-}
-
-module "kms" {
-  source     = "./fabric/modules/kms"
-  project_id = module.project.project_id
-  keyring = {
-    name     = "keyring"
-    location = var.region
-  }
-  keys = {
-    key-sql = {
-      iam = {
-        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-          "serviceAccount:${module.project.service_accounts.robots.sqladmin}"
-        ]
-      }
-    }
-  }
-}
-
 module "db" {
   source              = "./fabric/modules/cloudsql-instance"
-  project_id          = module.project.project_id
-  encryption_key_name = module.kms.keys["key-sql"].id
+  project_id          = var.project_id
+  encryption_key_name = var.kms_key.id
   network_config = {
     connectivity = {
       psa_config = {
@@ -160,13 +165,15 @@ module "db" {
       }
     }
   }
-  name             = "db"
-  region           = var.region
-  database_version = "POSTGRES_13"
-  tier             = "db-g1-small"
+  name                          = "db"
+  region                        = var.region
+  database_version              = "POSTGRES_13"
+  tier                          = "db-g1-small"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
 
-# tftest modules=3 resources=10
+# tftest modules=1 resources=2 fixtures=fixtures/cloudsql-kms-iam-grant.tf e2e
 ```
 
 ### Instance with PSC enabled
@@ -177,22 +184,25 @@ module "db" {
   project_id = var.project_id
   network_config = {
     connectivity = {
-      psc_allowed_consumer_projects = ["my-project-id"]
+      psc_allowed_consumer_projects = [var.project_id]
     }
   }
   prefix            = "myprefix"
   name              = "db"
-  region            = "europe-west1"
+  region            = var.region
   availability_type = "REGIONAL"
   database_version  = "POSTGRES_13"
   tier              = "db-g1-small"
+
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1
+# tftest modules=1 resources=1 inventory=psc.yaml e2e
 ```
 
 ### Enable public IP
 
-Use `ipv_enabled` to create instances with a public IP.
+Use `public_ipv4` to create instances with a public IP.
 
 ```hcl
 module "db" {
@@ -206,15 +216,14 @@ module "db" {
       }
     }
   }
-  name             = "db"
-  region           = "europe-west1"
-  tier             = "db-g1-small"
-  database_version = "MYSQL_8_0"
-  replicas = {
-    replica1 = { region = "europe-west3", encryption_key_name = null }
-  }
+  name                          = "db"
+  region                        = var.region
+  tier                          = "db-g1-small"
+  database_version              = "MYSQL_8_0"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=2 inventory=public-ip.yaml
+# tftest modules=1 resources=1 inventory=public-ip.yaml e2e
 ```
 
 ### Query Insights
@@ -233,15 +242,17 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
   insights_config = {
     query_string_length = 2048
   }
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1 inventory=insights.yaml
+# tftest modules=1 resources=1 inventory=insights.yaml e2e
 ```
 
 ### Maintenance Config
@@ -260,13 +271,15 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
-  maintenance_config = {}
+  maintenance_config            = {}
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1 
+# tftest modules=1 resources=1 e2e
 ```
 
 ### SSL Config
@@ -285,13 +298,15 @@ module "db" {
     }
   }
   name             = "db"
-  region           = "europe-west1"
+  region           = var.region
   database_version = "POSTGRES_13"
   tier             = "db-g1-small"
 
-  ssl = {}
+  ssl                           = {}
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
 }
-# tftest modules=1 resources=1 
+# tftest modules=1 resources=1 e2e
 ```
 <!-- BEGIN TFDOC -->
 ## Variables
@@ -322,7 +337,7 @@ module "db" {
 | [labels](variables.tf#L140) | Labels to be attached to all instances. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 | [maintenance_config](variables.tf#L146) | Set maintenance window configuration and maintenance deny period (up to 90 days). Date format: 'yyyy-mm-dd'. | <code title="object&#40;&#123;&#10;  maintenance_window &#61; optional&#40;object&#40;&#123;&#10;    day          &#61; number&#10;    hour         &#61; number&#10;    update_track &#61; optional&#40;string, null&#41;&#10;  &#125;&#41;, null&#41;&#10;  deny_maintenance_period &#61; optional&#40;object&#40;&#123;&#10;    start_date &#61; string&#10;    end_date   &#61; string&#10;    start_time &#61; optional&#40;string, &#34;00:00:00&#34;&#41;&#10;  &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [prefix](variables.tf#L207) | Optional prefix used to generate instance names. | <code>string</code> |  | <code>null</code> |
-| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10;  region              &#61; string&#10;  encryption_key_name &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [replicas](variables.tf#L227) | Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation. | <code title="map&#40;object&#40;&#123;&#10;  region              &#61; string&#10;  encryption_key_name &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [root_password](variables.tf#L236) | Root password of the Cloud SQL instance. Required for MS SQL Server. | <code>string</code> |  | <code>null</code> |
 | [ssl](variables.tf#L242) | Setting to enable SSL, set config and certificates. | <code title="object&#40;&#123;&#10;  client_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;  require_ssl         &#61; optional&#40;bool&#41;&#10;  ssl_mode &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [terraform_deletion_protection](variables.tf#L258) | Prevent terraform from deleting instances. | <code>bool</code> |  | <code>true</code> |
@@ -350,4 +365,8 @@ module "db" {
 | [self_link](outputs.tf#L114) | Self link of the primary instance. |  |
 | [self_links](outputs.tf#L119) | Self links of all instances. |  |
 | [user_passwords](outputs.tf#L127) | Map of containing the password of all users created through terraform. | ✓ |
+
+## Fixtures
+
+- [cloudsql-kms-iam-grant.tf](../../tests/fixtures/cloudsql-kms-iam-grant.tf)
 <!-- END TFDOC -->
diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf
index e67dd3979a..613e106e74 100644
--- a/modules/cloudsql-instance/variables.tf
+++ b/modules/cloudsql-instance/variables.tf
@@ -228,7 +228,7 @@ variable "replicas" {
   description = "Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation."
   type = map(object({
     region              = string
-    encryption_key_name = string
+    encryption_key_name = optional(string)
   }))
   default = {}
 }
diff --git a/modules/net-address/README.md b/modules/net-address/README.md
index 55b84108a2..5f53063368 100644
--- a/modules/net-address/README.md
+++ b/modules/net-address/README.md
@@ -122,6 +122,26 @@ module "addresses" {
 # tftest modules=1 resources=1 inventory=psc.yaml e2e
 ```
 
+To create PSC address targeting a service regional provider use the `service_attachment` property.
+```hcl
+module "addresses" {
+  source     = "./fabric/modules/net-address"
+  project_id = var.project_id
+  psc_addresses = {
+    cloudsql-one = {
+      address          = "10.0.16.32"
+      subnet_self_link = var.subnet.self_link
+      region           = var.region
+      service_attachment = {
+        psc_service_attachment_link = module.cloudsql-instance.psc_service_attachment_link
+      }
+    }
+  }
+}
+# tftest modules=2 resources=3 fixtures=fixtures/cloudsql-instance.tf inventory=psc-service-attachment.yaml e2e
+```
+
+
 ### IPSec Interconnect addresses
 
 ```hcl
@@ -176,8 +196,8 @@ module "addresses" {
 | [internal_addresses](variables.tf#L50) | Map of internal addresses to create, keyed by name. | <code title="map&#40;object&#40;&#123;&#10;  region      &#61; string&#10;  subnetwork  &#61; string&#10;  address     &#61; optional&#40;string&#41;&#10;  description &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  ipv6        &#61; optional&#40;map&#40;string&#41;&#41; &#35; To be left empty for ipv6&#10;  labels      &#61; optional&#40;map&#40;string&#41;&#41;&#10;  name        &#61; optional&#40;string&#41;&#10;  purpose     &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [ipsec_interconnect_addresses](variables.tf#L65) | Map of internal addresses used for HPA VPN over Cloud Interconnect. | <code title="map&#40;object&#40;&#123;&#10;  region        &#61; string&#10;  address       &#61; string&#10;  network       &#61; string&#10;  description   &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;  prefix_length &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [network_attachments](variables.tf#L84) | PSC network attachments, names as keys. | <code title="map&#40;object&#40;&#123;&#10;  subnet_self_link      &#61; string&#10;  automatic_connection  &#61; optional&#40;bool, false&#41;&#10;  description           &#61; optional&#40;string, &#34;Terraform-managed.&#34;&#41;&#10;  producer_accept_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10;  producer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [psa_addresses](variables.tf#L102) | Map of internal addresses used for Private Service Access. | <code title="map&#40;object&#40;&#123;&#10;  address       &#61; string&#10;  network       &#61; string&#10;  prefix_length &#61; number&#10;  description   &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;&#10;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [psc_addresses](variables.tf#L115) | Map of internal addresses used for Private Service Connect. | <code title="map&#40;object&#40;&#123;&#10;  address     &#61; string&#10;  network     &#61; string&#10;  description &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name        &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [psa_addresses](variables.tf#L102) | Map of internal addresses used for Private Service Access. | <code title="map&#40;object&#40;&#123;&#10;  address       &#61; string&#10;  network       &#61; string&#10;  prefix_length &#61; number&#10;  description   &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [psc_addresses](variables.tf#L114) | Map of internal addresses used for Private Service Connect. | <code title="map&#40;object&#40;&#123;&#10;  address          &#61; string&#10;  description      &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  name             &#61; optional&#40;string&#41;&#10;  network          &#61; optional&#40;string&#41;&#10;  region           &#61; optional&#40;string&#41;&#10;  subnet_self_link &#61; optional&#40;string&#41;&#10;  service_attachment &#61; optional&#40;object&#40;&#123; &#35; so we can safely check if service_attachemnt &#33;&#61; null in for_each&#10;    psc_service_attachment_link &#61; string&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
@@ -193,5 +213,6 @@ module "addresses" {
 
 ## Fixtures
 
+- [cloudsql-instance.tf](../../tests/fixtures/cloudsql-instance.tf)
 - [net-vpc-ipv6.tf](../../tests/fixtures/net-vpc-ipv6.tf)
 <!-- END TFDOC -->
diff --git a/modules/net-address/main.tf b/modules/net-address/main.tf
index 20b8b6a16e..e7c69413cd 100644
--- a/modules/net-address/main.tf
+++ b/modules/net-address/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,20 +14,6 @@
  * limitations under the License.
  */
 
-locals {
-  network_attachments = {
-    for k, v in var.network_attachments : k => merge(v, {
-      region = regex("regions/([^/]+)", v.subnet_self_link)[0]
-      # not using the full self link generates a permadiff
-      subnet_self_link = (
-        startswith(v.subnet_self_link, "https://")
-        ? v.subnet_self_link
-        : "https://www.googleapis.com/compute/v1/${v.subnet_self_link}"
-      )
-    })
-  }
-}
-
 resource "google_compute_global_address" "global" {
   for_each    = var.global_addresses
   project     = var.project_id
@@ -66,18 +52,6 @@ resource "google_compute_address" "internal" {
   subnetwork   = each.value.subnetwork
 }
 
-resource "google_compute_global_address" "psc" {
-  for_each     = var.psc_addresses
-  project      = var.project_id
-  name         = coalesce(each.value.name, each.key)
-  description  = each.value.description
-  address      = try(each.value.address, null)
-  address_type = "INTERNAL"
-  network      = each.value.network
-  purpose      = "PRIVATE_SERVICE_CONNECT"
-  # labels       = lookup(var.internal_address_labels, each.key, {})
-}
-
 resource "google_compute_global_address" "psa" {
   for_each      = var.psa_addresses
   project       = var.project_id
@@ -104,17 +78,3 @@ resource "google_compute_address" "ipsec_interconnect" {
   purpose       = "IPSEC_INTERCONNECT"
 }
 
-resource "google_compute_network_attachment" "default" {
-  provider    = google-beta
-  for_each    = local.network_attachments
-  project     = var.project_id
-  region      = each.value.region
-  name        = each.key
-  description = each.value.description
-  connection_preference = (
-    each.value.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
-  )
-  subnetworks           = [each.value.subnet_self_link]
-  producer_accept_lists = each.value.producer_accept_lists
-  producer_reject_lists = each.value.producer_reject_lists
-}
diff --git a/modules/net-address/psc.tf b/modules/net-address/psc.tf
new file mode 100644
index 0000000000..2fbf75788f
--- /dev/null
+++ b/modules/net-address/psc.tf
@@ -0,0 +1,102 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  network_attachments = {
+    for k, v in var.network_attachments : k => merge(v, {
+      region = regex("regions/([^/]+)", v.subnet_self_link)[0]
+      # not using the full self link generates a permadiff
+      subnet_self_link = (
+        startswith(v.subnet_self_link, "https://")
+        ? v.subnet_self_link
+        : "https://www.googleapis.com/compute/v1/${v.subnet_self_link}"
+      )
+    })
+  }
+  regional_psc = {
+    for name, psc in var.psc_addresses : name => psc if psc.region != null
+
+  }
+  global_psc = {
+    for name, psc in var.psc_addresses : name => psc if psc.region == null
+  }
+}
+
+resource "google_compute_network_attachment" "default" {
+  provider    = google-beta
+  for_each    = local.network_attachments
+  project     = var.project_id
+  region      = each.value.region
+  name        = each.key
+  description = each.value.description
+  connection_preference = (
+    each.value.automatic_connection ? "ACCEPT_AUTOMATIC" : "ACCEPT_MANUAL"
+  )
+  subnetworks           = [each.value.subnet_self_link]
+  producer_accept_lists = each.value.producer_accept_lists
+  producer_reject_lists = each.value.producer_reject_lists
+}
+
+# global PSC services
+resource "google_compute_global_address" "psc" {
+  for_each     = local.global_psc
+  project      = var.project_id
+  name         = coalesce(each.value.name, each.key)
+  description  = each.value.description
+  address      = try(each.value.address, null)
+  address_type = "INTERNAL"
+  network      = each.value.network
+  purpose      = "PRIVATE_SERVICE_CONNECT"
+  # labels       = lookup(var.internal_address_labels, each.key, {})
+}
+
+resource "google_compute_global_forwarding_rule" "psc_consumer" {
+  for_each              = { for name, psc in local.global_psc : name => psc if psc.service_attachment != null }
+  name                  = coalesce(each.value.name, each.key)
+  project               = var.project_id
+  subnetwork            = each.value.subnet_self_link
+  ip_address            = google_compute_global_address.psc[each.key].self_link
+  load_balancing_scheme = ""
+  target                = each.value.service_attachment.psc_service_attachment_link
+}
+
+# regional PSC services
+resource "google_compute_address" "psc" {
+  for_each     = local.regional_psc
+  project      = var.project_id
+  name         = coalesce(each.value.name, each.key)
+  address      = try(each.value.address, null)
+  address_type = "INTERNAL"
+  description  = each.value.description
+  network      = each.value.network
+  # purpose not applicable for regional address
+  # purpose      = "PRIVATE_SERVICE_CONNECT"
+  region     = each.value.region
+  subnetwork = each.value.subnet_self_link
+  # labels       = lookup(var.internal_address_labels, each.key, {})
+}
+
+resource "google_compute_forwarding_rule" "psc_consumer" {
+  for_each              = { for name, psc in local.regional_psc : name => psc if psc.service_attachment != null }
+  name                  = coalesce(each.value.name, each.key)
+  project               = var.project_id
+  region                = each.value.region
+  subnetwork            = each.value.subnet_self_link
+  ip_address            = google_compute_address.psc[each.key].self_link
+  load_balancing_scheme = ""
+  recreate_closed_psc   = true
+  target                = each.value.service_attachment.psc_service_attachment_link
+}
diff --git a/modules/net-address/variables.tf b/modules/net-address/variables.tf
index 190bffdde6..236c23960a 100644
--- a/modules/net-address/variables.tf
+++ b/modules/net-address/variables.tf
@@ -107,7 +107,6 @@ variable "psa_addresses" {
     prefix_length = number
     description   = optional(string, "Terraform managed.")
     name          = optional(string)
-
   }))
   default = {}
 }
@@ -115,10 +114,27 @@ variable "psa_addresses" {
 variable "psc_addresses" {
   description = "Map of internal addresses used for Private Service Connect."
   type = map(object({
-    address     = string
-    network     = string
-    description = optional(string, "Terraform managed.")
-    name        = optional(string)
+    address          = string
+    description      = optional(string, "Terraform managed.")
+    name             = optional(string)
+    network          = optional(string)
+    region           = optional(string)
+    subnet_self_link = optional(string)
+    service_attachment = optional(object({ # so we can safely check if service_attachemnt != null in for_each
+      psc_service_attachment_link = string
+    }))
   }))
   default = {}
+  validation {
+    condition     = alltrue([for key, value in var.psc_addresses : (value.region != null || (value.region == null && value.network != null))])
+    error_message = "Provide network if creating global PSC addresses / endpoints."
+  }
+  validation {
+    condition     = alltrue([for key, value in var.psc_addresses : (value.region == null || (value.region != null && value.subnet_self_link != null))])
+    error_message = "Provide subnet_self_link if creating regional PSC addresses / endpoints."
+  }
+  validation {
+    condition     = alltrue([for key, value in var.psc_addresses : !(value.subnet_self_link != null && value.network != null)])
+    error_message = "Do not provide network and subnet_self_link at the same time"
+  }
 }
diff --git a/tests/collectors.py b/tests/collectors.py
index 749e192c50..310b8151cc 100644
--- a/tests/collectors.py
+++ b/tests/collectors.py
@@ -87,8 +87,15 @@ def __init__(self, name, parent, module, inventory, tf_var_files,
     self.extra_files = extra_files
 
   def runtest(self):
-    s = plan_validator(self.module, self.inventory, self.parent.path.parent,
-                       self.tf_var_files, self.extra_files)
+    try:
+      summary = plan_validator(self.module, self.inventory, self.parent.path.parent,
+                             self.tf_var_files, self.extra_files)
+    except AssertionError:
+      def full_paths(x):
+        return [(self.parent.path.parent / x ) for x in x]
+      print(f'Error in inventory file: {" ".join(full_paths(self.inventory))}')
+      print(f'To regenerate inventory run: python tools/plan_summary.py {self.module} {" ".join(full_paths(self.tf_var_files))}')
+      raise
 
   def reportinfo(self):
     return self.path, None, self.name
diff --git a/tests/examples/variables.tf b/tests/examples/variables.tf
index 29dc8d8940..d999609b0e 100644
--- a/tests/examples/variables.tf
+++ b/tests/examples/variables.tf
@@ -84,7 +84,7 @@ variable "subnet_psc_1" {
     name      = "subnet_name"
     region    = "subnet_region"
     cidr      = "subnet_cidr"
-    self_link = "subnet_self_link"
+    self_link = "https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-west8/subnetworks/subnet"
   }
 }
 
diff --git a/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
index 5bb6d779ec..fd63d450fe 100644
--- a/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
+++ b/tests/examples_e2e/setup_module/e2e_tests.tfvars.tftpl
@@ -37,6 +37,12 @@ subnet = {
     cidr      = "${subnet.ip_cidr_range}"
     self_link = "${subnet.self_link}"
   }
+subnet_psc_1 = {
+    name      = "${subnet_psc_1.name}"
+    region    = "${subnet_psc_1.region}"
+    cidr      = "${subnet_psc_1.ip_cidr_range}"
+    self_link = "${subnet_psc_1.self_link}"
+}
 vpc = {
     name      = "${vpc.name}"
     self_link = "${vpc.self_link}"
diff --git a/tests/examples_e2e/setup_module/main.tf b/tests/examples_e2e/setup_module/main.tf
index bd48e4fbd9..4e1d1931bf 100644
--- a/tests/examples_e2e/setup_module/main.tf
+++ b/tests/examples_e2e/setup_module/main.tf
@@ -15,7 +15,8 @@
 locals {
   prefix = "${var.prefix}-${var.timestamp}${var.suffix}"
   jit_services = [
-    "storage.googleapis.com", # no permissions granted by default
+    "storage.googleapis.com",  # no permissions granted by default
+    "sqladmin.googleapis.com", # roles/cloudsql.serviceAgent
   ]
   services = [
     # trimmed down list of services, to be extended as needed
@@ -35,6 +36,7 @@ locals {
     "secretmanager.googleapis.com",
     "servicenetworking.googleapis.com",
     "serviceusage.googleapis.com",
+    "sqladmin.googleapis.com",
     "stackdriver.googleapis.com",
     "storage-component.googleapis.com",
     "storage.googleapis.com",
@@ -114,6 +116,36 @@ resource "google_compute_subnetwork" "proxy_only_regional" {
   role          = "ACTIVE"
 }
 
+resource "google_compute_subnetwork" "psc" {
+  project       = google_project.project.project_id
+  network       = google_compute_network.network.name
+  name          = "psc-regional"
+  region        = var.region
+  ip_cidr_range = "10.0.19.0/24"
+  purpose       = "PRIVATE_SERVICE_CONNECT"
+}
+
+### PSA ###
+
+resource "google_compute_global_address" "psa_ranges" {
+  project       = google_project.project.project_id
+  network       = google_compute_network.network.id
+  name          = "psa-range"
+  purpose       = "VPC_PEERING"
+  address_type  = "INTERNAL"
+  address       = "10.0.20.0"
+  prefix_length = 22
+}
+
+resource "google_service_networking_connection" "psa_connection" {
+  network                 = google_compute_network.network.id
+  service                 = "servicenetworking.googleapis.com"
+  reserved_peering_ranges = [google_compute_global_address.psa_ranges.name]
+  deletion_policy         = "ABANDON"
+}
+
+### END OF PSA
+
 resource "google_service_account" "service_account" {
   account_id = "e2e-service-account"
   project    = google_project.project.project_id
@@ -141,6 +173,12 @@ resource "google_project_service_identity" "jit_si" {
   depends_on = [google_project_service.project_service]
 }
 
+resource "google_project_iam_binding" "cloudsql_agent" {
+  members    = ["serviceAccount:service-${google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"]
+  project    = google_project.project.project_id
+  role       = "roles/cloudsql.serviceAgent"
+  depends_on = [google_project_service_identity.jit_si]
+}
 
 resource "local_file" "terraform_tfvars" {
   filename = "e2e_tests.tfvars"
@@ -168,6 +206,12 @@ resource "local_file" "terraform_tfvars" {
       ip_cidr_range = google_compute_subnetwork.subnetwork.ip_cidr_range
       self_link     = google_compute_subnetwork.subnetwork.self_link
     }
+    subnet_psc_1 = {
+      name          = google_compute_subnetwork.psc.name
+      region        = google_compute_subnetwork.psc.region
+      ip_cidr_range = google_compute_subnetwork.psc.ip_cidr_range
+      self_link     = google_compute_subnetwork.psc.self_link
+    }
     vpc = {
       name      = google_compute_network.network.name
       self_link = google_compute_network.network.self_link
diff --git a/tests/fixtures.py b/tests/fixtures.py
index 50b6d8ad6a..1d725135f4 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -186,8 +186,13 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
     # print(yaml.dump({'counts': summary.counts}))
 
     if 'values' in inventory:
-      validate_plan_object(inventory['values'], summary.values, relative_path,
-                           "")
+      try:
+        validate_plan_object(inventory['values'], summary.values, relative_path,
+                             "")
+      except AssertionError:
+        print(f'\n{path}')
+        print(yaml.dump({'values': summary.values}))
+        raise
 
     if 'counts' in inventory:
       try:
@@ -199,6 +204,7 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
           assert plan_count == expected_count, \
               f'{relative_path}: count of {type_} resources failed. Got {plan_count}, expected {expected_count}'
       except AssertionError:
+        print(f'\n{path}')
         print(yaml.dump({'counts': summary.counts}))
         raise
 
@@ -218,6 +224,7 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
               f'{relative_path}: output {output_name} failed. Got `{plan_output}`, expected `{expected_output}`'
       except AssertionError:
         if _buffer:
+          print(f'\n{path}')
           print(yaml.dump(_buffer))
         raise
   return summary
diff --git a/tests/fixtures/cloudsql-instance.tf b/tests/fixtures/cloudsql-instance.tf
new file mode 100644
index 0000000000..6fed8d6ada
--- /dev/null
+++ b/tests/fixtures/cloudsql-instance.tf
@@ -0,0 +1,33 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cloudsql-instance" {
+  source     = "./fabric/modules/cloudsql-instance"
+  project_id = var.project_id
+  network_config = {
+    connectivity = {
+      psc_allowed_consumer_projects = [var.project_id]
+    }
+  }
+  ## define a consumer project with an endpoint within the project
+  name                          = "db"
+  region                        = var.region
+  availability_type             = "REGIONAL"
+  database_version              = "POSTGRES_13"
+  tier                          = "db-g1-small"
+  gcp_deletion_protection       = false
+  terraform_deletion_protection = false
+}
diff --git a/tests/fixtures/cloudsql-kms-iam-grant.tf b/tests/fixtures/cloudsql-kms-iam-grant.tf
new file mode 100644
index 0000000000..9ea53a0268
--- /dev/null
+++ b/tests/fixtures/cloudsql-kms-iam-grant.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_kms_crypto_key_iam_binding" "encrypt_decrypt" {
+  crypto_key_id = var.kms_key.id
+  members = [
+    "serviceAccount:service-${var.project_number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"
+  ]
+  role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+}
diff --git a/tests/modules/cloudsql_instance/examples/insights.yaml b/tests/modules/cloudsql_instance/examples/insights.yaml
index 84a4245ddf..a2c46f5b9b 100644
--- a/tests/modules/cloudsql_instance/examples/insights.yaml
+++ b/tests/modules/cloudsql_instance/examples/insights.yaml
@@ -17,11 +17,11 @@ values:
     database_version: POSTGRES_13
     name: db
     project: project-id
-    region: europe-west1
+    region: europe-west8
     settings:
     - activation_policy: ALWAYS
       availability_type: ZONAL
-      deletion_protection_enabled: true
+      deletion_protection_enabled: false
       disk_autoresize: true
       disk_type: PD_SSD
       insights_config:
diff --git a/tests/modules/cloudsql_instance/examples/psc.yaml b/tests/modules/cloudsql_instance/examples/psc.yaml
new file mode 100644
index 0000000000..722700d7bd
--- /dev/null
+++ b/tests/modules/cloudsql_instance/examples/psc.yaml
@@ -0,0 +1,38 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.db.google_sql_database_instance.primary:
+    database_version: POSTGRES_13
+    deletion_protection: false
+    name: myprefix-db
+    project: project-id
+    region: europe-west8
+    settings:
+    - activation_policy: ALWAYS
+      availability_type: REGIONAL
+      deletion_protection_enabled: false
+      ip_configuration:
+      - ipv4_enabled: false
+        private_network: null
+        psc_config:
+        - allowed_consumer_projects:
+          - project-id
+          psc_enabled: true
+      tier: db-g1-small
+
+counts:
+  google_sql_database_instance: 1
+  modules: 1
+  resources: 1
diff --git a/tests/modules/cloudsql_instance/examples/public-ip.yaml b/tests/modules/cloudsql_instance/examples/public-ip.yaml
index f3ca86d3a5..e216ee3b0f 100644
--- a/tests/modules/cloudsql_instance/examples/public-ip.yaml
+++ b/tests/modules/cloudsql_instance/examples/public-ip.yaml
@@ -17,30 +17,11 @@ values:
     database_version: MYSQL_8_0
     name: db
     project: project-id
-    region: europe-west1
+    region: europe-west8
     settings:
     - activation_policy: ALWAYS
       availability_type: ZONAL
-      deletion_protection_enabled: true
-      disk_autoresize: true
-      disk_type: PD_SSD
-      insights_config: []
-      ip_configuration:
-      - allocated_ip_range: null
-        authorized_networks: []
-        ipv4_enabled: true
-        private_network: projects/xxx/global/networks/aaa
-      tier: db-g1-small
-  module.db.google_sql_database_instance.replicas["replica1"]:
-    database_version: MYSQL_8_0
-    master_instance_name: db
-    name: replica1
-    project: project-id
-    region: europe-west3
-    settings:
-    - activation_policy: ALWAYS
-      availability_type: ZONAL
-      deletion_protection_enabled: true
+      deletion_protection_enabled: false
       disk_autoresize: true
       disk_type: PD_SSD
       insights_config: []
@@ -52,4 +33,4 @@ values:
       tier: db-g1-small
 
 counts:
-  google_sql_database_instance: 2
+  google_sql_database_instance: 1
diff --git a/tests/modules/cloudsql_instance/examples/replicas.yaml b/tests/modules/cloudsql_instance/examples/replicas.yaml
index 1ed30f9bc9..bb337d4457 100644
--- a/tests/modules/cloudsql_instance/examples/replicas.yaml
+++ b/tests/modules/cloudsql_instance/examples/replicas.yaml
@@ -18,7 +18,7 @@ values:
     database_version: POSTGRES_13
     name: myprefix-db
     project: project-id
-    region: europe-west1
+    region: europe-west8
   module.db.google_sql_database_instance.replicas["replica1"]:
     clone: []
     database_version: POSTGRES_13
diff --git a/tests/modules/cloudsql_instance/examples/simple.yaml b/tests/modules/cloudsql_instance/examples/simple.yaml
index 5103c12b4e..4221eb288c 100644
--- a/tests/modules/cloudsql_instance/examples/simple.yaml
+++ b/tests/modules/cloudsql_instance/examples/simple.yaml
@@ -16,10 +16,10 @@ values:
   module.db.google_sql_database_instance.primary:
     clone: []
     database_version: POSTGRES_13
-    deletion_protection: true
+    deletion_protection: false
     name: db
-    project: my-db-project
-    region: europe-west1
+    project: test-db-prj
+    region: europe-west8
     restore_backup_context: []
     root_password: null
     settings:
@@ -30,7 +30,7 @@ values:
       collation: null
       data_cache_config: []
       database_flags: []
-      deletion_protection_enabled: true
+      deletion_protection_enabled: false
       deny_maintenance_period: []
       disk_autoresize: true
       disk_autoresize_limit: 0
@@ -54,25 +54,25 @@ values:
   module.project.google_project.project[0]:
     auto_create_network: false
     billing_account: 123456-123456-123456
-    folder_id: null
+    folder_id: '1122334455'
     labels: null
-    name: my-db-project
-    org_id: '1122334455'
-    project_id: my-db-project
+    name: test-db-prj
+    org_id: null
+    project_id: test-db-prj
     skip_delete: false
     timeouts: null
   module.project.google_project_iam_member.servicenetworking[0]:
     condition: []
-    project: my-db-project
+    project: test-db-prj
     role: roles/servicenetworking.serviceAgent
   module.project.google_project_service.project_services["servicenetworking.googleapis.com"]:
     disable_dependent_services: false
     disable_on_destroy: false
-    project: my-db-project
+    project: test-db-prj
     service: servicenetworking.googleapis.com
     timeouts: null
   module.project.google_project_service_identity.servicenetworking[0]:
-    project: my-db-project
+    project: test-db-prj
     service: servicenetworking.googleapis.com
     timeouts: null
   module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-cloud-sql"]:
@@ -82,7 +82,7 @@ values:
     ip_version: null
     name: servicenetworking-googleapis-com-cloud-sql
     prefix_length: 16
-    project: my-db-project
+    project: test-db-prj
     purpose: VPC_PEERING
     timeouts: null
   module.vpc.google_compute_network.network[0]:
@@ -92,14 +92,14 @@ values:
     enable_ula_internal_ipv6: null
     name: my-network
     network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
-    project: my-db-project
+    project: test-db-prj
     routing_mode: GLOBAL
     timeouts: null
   module.vpc.google_compute_network_peering_routes_config.psa_routes["servicenetworking.googleapis.com"]:
     export_custom_routes: false
     import_custom_routes: false
     network: my-network
-    project: my-db-project
+    project: test-db-prj
     timeouts: null
   module.vpc.google_compute_route.gateway["private-googleapis"]:
     description: Terraform-managed.
@@ -111,7 +111,7 @@ values:
     next_hop_instance: null
     next_hop_vpn_tunnel: null
     priority: 1000
-    project: my-db-project
+    project: test-db-prj
     tags: null
     timeouts: null
   module.vpc.google_compute_route.gateway["restricted-googleapis"]:
@@ -124,11 +124,11 @@ values:
     next_hop_instance: null
     next_hop_vpn_tunnel: null
     priority: 1000
-    project: my-db-project
+    project: test-db-prj
     tags: null
     timeouts: null
   module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
-    deletion_policy: null
+    deletion_policy: ABANDON
     reserved_peering_ranges:
     - servicenetworking-googleapis-com-cloud-sql
     service: servicenetworking.googleapis.com
@@ -141,11 +141,11 @@ counts:
   google_compute_route: 2
   google_project: 1
   google_project_iam_member: 1
-  google_project_service: 1
-  google_project_service_identity: 1
+  google_project_service: 2
+  google_project_service_identity: 2
   google_service_networking_connection: 1
   google_sql_database_instance: 1
   modules: 3
-  resources: 11
+  resources: 14
 
 outputs: {}
diff --git a/tests/modules/net_address/examples/psc-service-attachment.yaml b/tests/modules/net_address/examples/psc-service-attachment.yaml
new file mode 100644
index 0000000000..7c3eaca02a
--- /dev/null
+++ b/tests/modules/net_address/examples/psc-service-attachment.yaml
@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.addresses.google_compute_forwarding_rule.psc_consumer["cloudsql-one"]:
+    load_balancing_scheme: ''
+    name: cloudsql-one
+    project: project-id
+    recreate_closed_psc: true
+    region: europe-west8
+    subnetwork: subnet_self_link
+  module.addresses.google_compute_address.psc["cloudsql-one"]:
+    address: 10.0.16.32
+    address_type: INTERNAL
+    description: Terraform managed.
+    name: cloudsql-one
+    project: project-id
+    subnetwork: subnet_self_link

From af253c97022068c8c0500988b45e1ef0f727c7fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Sun, 12 May 2024 21:02:04 +0200
Subject: [PATCH 24/29] Fix 0-bootstrap iam_by_principals not taking into
 account all principals (#2267)

* Fix 0-bootstrap iam_by_principals not taking into account all principals
* Add test-case for iam_by_principals for 0-bootstrap stage

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 fast/stages/0-bootstrap/organization.tf       | 10 +++++++--
 tests/collectors.py                           |  2 +-
 .../s0_bootstrap/iam_by_principals.tfvars     | 20 +++++++++++++++++
 .../s0_bootstrap/iam_by_principals.yaml       | 22 +++++++++++++++++++
 tests/fast/stages/s0_bootstrap/tftest.yaml    |  2 ++
 5 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
 create mode 100644 tests/fast/stages/s0_bootstrap/iam_by_principals.yaml

diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index f91b4e8c14..fdd08937a7 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -138,8 +138,14 @@ module "organization" {
   organization_id = module.organization-logging.id
   # human (groups) IAM bindings
   iam_by_principals = {
-    for k, v in local.iam_principals :
-    k => distinct(concat(v, lookup(var.iam_by_principals, k, [])))
+    for key in distinct(concat(
+      keys(local.iam_principals),
+      keys(var.iam_by_principals),
+    )) :
+    key => distinct(concat(
+      lookup(local.iam_principals, key, []),
+      lookup(var.iam_by_principals, key, []),
+    ))
   }
   # machine (service accounts) IAM bindings
   iam = merge(
diff --git a/tests/collectors.py b/tests/collectors.py
index 310b8151cc..9e26c06774 100644
--- a/tests/collectors.py
+++ b/tests/collectors.py
@@ -92,7 +92,7 @@ def runtest(self):
                              self.tf_var_files, self.extra_files)
     except AssertionError:
       def full_paths(x):
-        return [(self.parent.path.parent / x ) for x in x]
+        return [str(self.parent.path.parent / x ) for x in x]
       print(f'Error in inventory file: {" ".join(full_paths(self.inventory))}')
       print(f'To regenerate inventory run: python tools/plan_summary.py {self.module} {" ".join(full_paths(self.tf_var_files))}')
       raise
diff --git a/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars b/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
new file mode 100644
index 0000000000..4ceaffb6ac
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/iam_by_principals.tfvars
@@ -0,0 +1,20 @@
+organization = {
+  domain      = "fast.example.com"
+  id          = 123456789012
+  customer_id = "C00000000"
+}
+billing_account = {
+  id = "000000-111111-222222"
+}
+essential_contacts = "gcp-organization-admins@fast.example.com"
+iam_by_principals = {
+  "user:other@fast.example.com" = ["roles/browser"]
+}
+prefix = "fast"
+org_policies_config = {
+  import_defaults = false
+}
+outputs_location = "/fast-config"
+groups = {
+  gcp-support = "group:gcp-support@example.com"
+}
diff --git a/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml b/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml
new file mode 100644
index 0000000000..83b965d302
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/iam_by_principals.yaml
@@ -0,0 +1,22 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
+    condition: []
+    members:
+    - domain:fast.example.com
+    - user:other@fast.example.com
+    org_id: '123456789012'
+    role: roles/browser
diff --git a/tests/fast/stages/s0_bootstrap/tftest.yaml b/tests/fast/stages/s0_bootstrap/tftest.yaml
index 8f415a219a..2643714eb9 100644
--- a/tests/fast/stages/s0_bootstrap/tftest.yaml
+++ b/tests/fast/stages/s0_bootstrap/tftest.yaml
@@ -25,3 +25,5 @@ tests:
       - simple.yaml
       - simple_projects.yaml
       - simple_sas.yaml
+  
+  iam_by_principals:

From 604920dec9ceb39e20b9768f482807f2675092ff Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Mon, 13 May 2024 09:24:17 +0200
Subject: [PATCH 25/29] add logging settings to folder module (#2268)

---
 modules/folder/README.md                  | 18 +++---
 modules/folder/logging.tf                 |  7 ++
 modules/folder/variables-logging.tf       | 78 +++++++++++++++++++++++
 modules/folder/variables.tf               | 53 ---------------
 modules/organization/README.md            | 15 +++--
 modules/organization/variables-logging.tf | 78 +++++++++++++++++++++++
 modules/organization/variables.tf         | 63 ------------------
 7 files changed, 181 insertions(+), 131 deletions(-)
 create mode 100644 modules/folder/variables-logging.tf
 create mode 100644 modules/organization/variables-logging.tf

diff --git a/modules/folder/README.md b/modules/folder/README.md
index 2efb626b97..ff242aeec0 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -345,12 +345,13 @@ module "folder" {
 | name | description | resources |
 |---|---|---|
 | [iam.tf](./iam.tf) | IAM bindings. | <code>google_folder_iam_binding</code> · <code>google_folder_iam_member</code> |
-| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_folder_iam_audit_config</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
+| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_folder_iam_audit_config</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_settings</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
 | [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
 | [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_org_policy_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
+| [variables-logging.tf](./variables-logging.tf) | None |  |
 | [variables.tf](./variables.tf) | Module variables. |  |
 | [versions.tf](./versions.tf) | Version pins. |  |
 
@@ -367,13 +368,14 @@ module "folder" {
 | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [id](variables.tf#L48) | Folder ID in case you use folder_create=false. | <code>string</code> |  | <code>null</code> |
-| [logging_data_access](variables.tf#L54) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_exclusions](variables.tf#L69) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_sinks](variables.tf#L76) | Logging sinks to create for the folder. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [name](variables.tf#L107) | Folder name. | <code>string</code> |  | <code>null</code> |
-| [org_policies](variables.tf#L113) | Organization policies applied to this folder keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [parent](variables.tf#L140) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> |  | <code>null</code> |
-| [tag_bindings](variables.tf#L150) | Tag bindings for this folder, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the folder. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [name](variables.tf#L54) | Folder name. | <code>string</code> |  | <code>null</code> |
+| [org_policies](variables.tf#L60) | Organization policies applied to this folder keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [parent](variables.tf#L87) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> |  | <code>null</code> |
+| [tag_bindings](variables.tf#L97) | Tag bindings for this folder, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf
index 817c4d1e06..bb42983c22 100644
--- a/modules/folder/logging.tf
+++ b/modules/folder/logging.tf
@@ -35,6 +35,13 @@ locals {
   }
 }
 
+resource "google_logging_folder_settings" "default" {
+  count                = var.logging_settings != null ? 1 : 0
+  folder               = local.folder_id
+  disable_default_sink = var.logging_settings.disable_default_sink
+  storage_location     = var.logging_settings.storage_location
+}
+
 resource "google_folder_iam_audit_config" "default" {
   for_each = var.logging_data_access
   folder   = local.folder_id
diff --git a/modules/folder/variables-logging.tf b/modules/folder/variables-logging.tf
new file mode 100644
index 0000000000..89685a6de9
--- /dev/null
+++ b/modules/folder/variables-logging.tf
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "logging_data_access" {
+  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
+  type        = map(map(list(string)))
+  nullable    = false
+  default     = {}
+  validation {
+    condition = alltrue(flatten([
+      for k, v in var.logging_data_access : [
+        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
+      ]
+    ]))
+    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
+  }
+}
+
+variable "logging_exclusions" {
+  description = "Logging exclusions for this folder in the form {NAME -> FILTER}."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "logging_settings" {
+  description = "Default settings for logging resources."
+  type = object({
+    # TODO: add support for CMEK
+    disable_default_sink = optional(bool)
+    storage_location     = optional(string)
+  })
+  default = null
+}
+
+variable "logging_sinks" {
+  description = "Logging sinks to create for the folder."
+  type = map(object({
+    bq_partitioned_table = optional(bool, false)
+    description          = optional(string)
+    destination          = string
+    disabled             = optional(bool, false)
+    exclusions           = optional(map(string), {})
+    filter               = optional(string)
+    iam                  = optional(bool, true)
+    include_children     = optional(bool, true)
+    type                 = string
+  }))
+  default  = {}
+  nullable = false
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
+    ])
+    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
+  }
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      v.bq_partitioned_table != true || v.type == "bigquery"
+    ])
+    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
+  }
+}
diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf
index 6da2685a71..e5f6d548be 100644
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@@ -51,59 +51,6 @@ variable "id" {
   default     = null
 }
 
-variable "logging_data_access" {
-  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
-  type        = map(map(list(string)))
-  nullable    = false
-  default     = {}
-  validation {
-    condition = alltrue(flatten([
-      for k, v in var.logging_data_access : [
-        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
-      ]
-    ]))
-    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
-  }
-}
-
-variable "logging_exclusions" {
-  description = "Logging exclusions for this folder in the form {NAME -> FILTER}."
-  type        = map(string)
-  default     = {}
-  nullable    = false
-}
-
-variable "logging_sinks" {
-  description = "Logging sinks to create for the folder."
-  type = map(object({
-    bq_partitioned_table = optional(bool, false)
-    description          = optional(string)
-    destination          = string
-    disabled             = optional(bool, false)
-    exclusions           = optional(map(string), {})
-    filter               = optional(string)
-    iam                  = optional(bool, true)
-    include_children     = optional(bool, true)
-    type                 = string
-  }))
-  default  = {}
-  nullable = false
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
-    ])
-    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
-  }
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      v.bq_partitioned_table != true || v.type == "bigquery"
-    ])
-    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
-  }
-}
-
 variable "name" {
   description = "Folder name."
   type        = string
diff --git a/modules/organization/README.md b/modules/organization/README.md
index cc602a6f12..1b004aa623 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -500,6 +500,7 @@ module "org" {
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
+| [variables-logging.tf](./variables-logging.tf) | None |  |
 | [variables-tags.tf](./variables-tags.tf) | None |  |
 | [variables.tf](./variables.tf) | Module variables. |  |
 | [versions.tf](./versions.tf) | Version pins. |  |
@@ -508,7 +509,7 @@ module "org" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [organization_id](variables.tf#L155) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ |  |
+| [organization_id](variables.tf#L92) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ |  |
 | [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [factories_config](variables.tf#L31) | Paths to data files and folders that enable factory functionality. | <code title="object&#40;&#123;&#10;  custom_roles                  &#61; optional&#40;string&#41;&#10;  org_policies                  &#61; optional&#40;string&#41;&#10;  org_policy_custom_constraints &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
@@ -517,13 +518,13 @@ module "org" {
 | [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  members &#61; list&#40;string&#41;&#10;  role    &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_data_access](variables.tf#L51) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_exclusions](variables.tf#L66) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [logging_settings](variables.tf#L73) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [logging_sinks](variables.tf#L83) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  network     &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policies](variables.tf#L114) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policy_custom_constraints](variables.tf#L141) | Organization policy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [org_policy_custom_constraints](variables.tf#L78) | Organization policy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [tag_bindings](variables-tags.tf#L45) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [tags](variables-tags.tf#L52) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
diff --git a/modules/organization/variables-logging.tf b/modules/organization/variables-logging.tf
new file mode 100644
index 0000000000..210352f081
--- /dev/null
+++ b/modules/organization/variables-logging.tf
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "logging_data_access" {
+  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
+  type        = map(map(list(string)))
+  nullable    = false
+  default     = {}
+  validation {
+    condition = alltrue(flatten([
+      for k, v in var.logging_data_access : [
+        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
+      ]
+    ]))
+    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
+  }
+}
+
+variable "logging_exclusions" {
+  description = "Logging exclusions for this organization in the form {NAME -> FILTER}."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "logging_settings" {
+  description = "Default settings for logging resources."
+  type = object({
+    # TODO: add support for CMEK
+    disable_default_sink = optional(bool)
+    storage_location     = optional(string)
+  })
+  default = null
+}
+
+variable "logging_sinks" {
+  description = "Logging sinks to create for the organization."
+  type = map(object({
+    bq_partitioned_table = optional(bool, false)
+    description          = optional(string)
+    destination          = string
+    disabled             = optional(bool, false)
+    exclusions           = optional(map(string), {})
+    filter               = optional(string)
+    iam                  = optional(bool, true)
+    include_children     = optional(bool, true)
+    type                 = string
+  }))
+  default  = {}
+  nullable = false
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
+    ])
+    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
+  }
+  validation {
+    condition = alltrue([
+      for k, v in var.logging_sinks :
+      v.bq_partitioned_table != true || v.type == "bigquery"
+    ])
+    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
+  }
+}
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 4464558e69..146cf9b14a 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -48,69 +48,6 @@ variable "firewall_policy" {
   default = null
 }
 
-variable "logging_data_access" {
-  description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
-  type        = map(map(list(string)))
-  nullable    = false
-  default     = {}
-  validation {
-    condition = alltrue(flatten([
-      for k, v in var.logging_data_access : [
-        for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
-      ]
-    ]))
-    error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
-  }
-}
-
-variable "logging_exclusions" {
-  description = "Logging exclusions for this organization in the form {NAME -> FILTER}."
-  type        = map(string)
-  default     = {}
-  nullable    = false
-}
-
-variable "logging_settings" {
-  description = "Default settings for logging resources."
-  type = object({
-    # TODO: add support for CMEK
-    disable_default_sink = optional(bool)
-    storage_location     = optional(string)
-  })
-  default = null
-}
-
-variable "logging_sinks" {
-  description = "Logging sinks to create for the organization."
-  type = map(object({
-    bq_partitioned_table = optional(bool, false)
-    description          = optional(string)
-    destination          = string
-    disabled             = optional(bool, false)
-    exclusions           = optional(map(string), {})
-    filter               = optional(string)
-    iam                  = optional(bool, true)
-    include_children     = optional(bool, true)
-    type                 = string
-  }))
-  default  = {}
-  nullable = false
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      contains(["bigquery", "logging", "project", "pubsub", "storage"], v.type)
-    ])
-    error_message = "Type must be one of 'bigquery', 'logging', 'project', 'pubsub', 'storage'."
-  }
-  validation {
-    condition = alltrue([
-      for k, v in var.logging_sinks :
-      v.bq_partitioned_table != true || v.type == "bigquery"
-    ])
-    error_message = "Can only set bq_partitioned_table when type is `bigquery`."
-  }
-}
-
 variable "org_policies" {
   description = "Organization policies applied to this organization keyed by policy name."
   type = map(object({

From e4941c27f2afa053a8dd8a839b026963858a1642 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Mon, 13 May 2024 20:18:51 +0200
Subject: [PATCH 26/29] Implement the full IAM interface for tags (#2269)

* IAM authoritative bindings in org module

* remove extra newline

* organization module

* project module

* tfdoc
---
 modules/kms/README.md                         |   6 +-
 modules/kms/variables.tf                      |   1 -
 modules/organization/README.md                |  47 ++++-
 modules/organization/tags.tf                  | 166 ++++++++++++++----
 modules/organization/variables-tags.tf        |  80 ++++++++-
 modules/project/README.md                     |   8 +-
 modules/project/tags.tf                       | 166 ++++++++++++++----
 modules/project/variables-tags.tf             |  83 ++++++++-
 tests/modules/organization/examples/tags.yaml |  27 ++-
 9 files changed, 492 insertions(+), 92 deletions(-)

diff --git a/modules/kms/README.md b/modules/kms/README.md
index 4782d8240d..90621bef37 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -120,14 +120,14 @@ module "kms" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [keyring](variables.tf#L64) | Keyring attributes. | <code title="object&#40;&#123;&#10;  location &#61; string&#10;  name     &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [project_id](variables.tf#L115) | Project id where the keyring will be created. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L114) | Project id where the keyring will be created. | <code>string</code> | ✓ |  |
 | [iam](variables.tf#L17) | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings](variables.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  members &#61; list&#40;string&#41;&#10;  role    &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings_additive](variables.tf#L39) | Keyring individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  member &#61; string&#10;  role   &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [import_job](variables.tf#L54) | Keyring import job attributes. | <code title="object&#40;&#123;&#10;  id               &#61; string&#10;  import_method    &#61; string&#10;  protection_level &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [keyring_create](variables.tf#L72) | Set to false to manage keys and IAM bindings in an existing keyring. | <code>bool</code> |  | <code>true</code> |
-| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | <code title="map&#40;object&#40;&#123;&#10;  destroy_scheduled_duration    &#61; optional&#40;string&#41;&#10;  rotation_period               &#61; optional&#40;string&#41;&#10;  labels                        &#61; optional&#40;map&#40;string&#41;&#41;&#10;  purpose                       &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10;  skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10;  version_template &#61; optional&#40;object&#40;&#123;&#10;    algorithm        &#61; string&#10;    protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10;  &#125;&#41;&#41;&#10;&#10;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tag_bindings](variables.tf#L120) | Tag bindings for this keyring, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [keys](variables.tf#L78) | Key names and base attributes. Set attributes to null if not needed. | <code title="map&#40;object&#40;&#123;&#10;  destroy_scheduled_duration    &#61; optional&#40;string&#41;&#10;  rotation_period               &#61; optional&#40;string&#41;&#10;  labels                        &#61; optional&#40;map&#40;string&#41;&#41;&#10;  purpose                       &#61; optional&#40;string, &#34;ENCRYPT_DECRYPT&#34;&#41;&#10;  skip_initial_version_creation &#61; optional&#40;bool, false&#41;&#10;  version_template &#61; optional&#40;object&#40;&#123;&#10;    algorithm        &#61; string&#10;    protection_level &#61; optional&#40;string, &#34;SOFTWARE&#34;&#41;&#10;  &#125;&#41;&#41;&#10;  iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tag_bindings](variables.tf#L119) | Tag bindings for this keyring, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 2708a7f7cf..d0d335674b 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -87,7 +87,6 @@ variable "keys" {
       algorithm        = string
       protection_level = optional(string, "SOFTWARE")
     }))
-
     iam = optional(map(list(string)), {})
     iam_bindings = optional(map(object({
       members = list(string)
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 1b004aa623..f0253d11b3 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -440,12 +440,44 @@ module "org" {
       iam = {
         "roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
       }
+      iam_bindings = {
+        viewer = {
+          role    = "roles/resourcemanager.tagViewer"
+          members = ["group:gcp-support@example.org"]
+        }
+      }
+      iam_bindings_additive = {
+        user_app1 = {
+          role   = "roles/resourcemanager.tagUser"
+          member = "group:app1-team@example.org"
+        }
+      }
       values = {
-        dev = {}
+        dev = {
+          iam_bindings_additive = {
+            user_app2 = {
+              role   = "roles/resourcemanager.tagUser"
+              member = "group:app2-team@example.org"
+            }
+          }
+        }
         prod = {
           description = "Environment: production."
           iam = {
-            "roles/resourcemanager.tagViewer" = ["group:${var.group_email}"]
+            "roles/resourcemanager.tagViewer" = ["group:app1-team@example.org"]
+          }
+          iam_bindings = {
+            admin = {
+              role    = "roles/resourcemanager.tagAdmin"
+              members = ["group:gcp-support@example.org"]
+              condition = {
+                title      = "gcp_support"
+                expression = <<-END
+                  request.time.getHours("Europe/Berlin") <= 9 &&
+                  request.time.getHours("Europe/Berlin") >= 17
+                END
+              }
+            }
           }
         }
       }
@@ -455,8 +487,9 @@ module "org" {
     env-prod = module.org.tag_values["environment/prod"].id
   }
 }
-# tftest modules=1 resources=6 inventory=tags.yaml e2e serial
+# tftest modules=1 resources=10 inventory=tags.yaml
 ```
+<!-- TODO: reinstate e2e serial -->
 
 You can also define network tags, through a dedicated variable *network_tags*:
 
@@ -498,7 +531,7 @@ module "org" {
 | [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
 | [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
-| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
+| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
 | [variables-logging.tf](./variables-logging.tf) | None |  |
 | [variables-tags.tf](./variables-tags.tf) | None |  |
@@ -522,11 +555,11 @@ module "org" {
 | [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | <code title="object&#40;&#123;&#10;  disable_default_sink &#61; optional&#40;bool&#41;&#10;  storage_location     &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  include_children     &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  network     &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id      &#61; optional&#40;string&#41;&#10;  network &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policy_custom_constraints](variables.tf#L78) | Organization policy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10;  display_name   &#61; optional&#40;string&#41;&#10;  description    &#61; optional&#40;string&#41;&#10;  action_type    &#61; string&#10;  condition      &#61; string&#10;  method_types   &#61; list&#40;string&#41;&#10;  resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tag_bindings](variables-tags.tf#L45) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tags](variables-tags.tf#L52) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/organization/tags.tf b/modules/organization/tags.tf
index d25757c243..0321818a5a 100644
--- a/modules/organization/tags.tf
+++ b/modules/organization/tags.tf
@@ -15,50 +15,96 @@
  */
 
 locals {
-  _tag_values = flatten([
-    for tag, attrs in local.tags : [
-      for value, value_attrs in attrs.values : {
-        description = value_attrs.description,
-        key         = "${tag}/${value}"
-        id          = try(value_attrs.id, null)
-        name        = value
-        roles       = keys(value_attrs.iam)
-        tag         = tag
-        tag_id      = attrs.id
-        tag_network = try(attrs.network, null) != null
+  _tag_iam = flatten([
+    for k, v in local.tags : [
+      for role in keys(v.iam) : {
+        # we cycle on keys here so we don't risk injecting dynamic values
+        role   = role
+        tag    = k
+        tag_id = v.id
       }
     ]
   ])
-  _tag_values_iam = flatten([
-    for key, value_attrs in local.tag_values : [
-      for role in value_attrs.roles : {
-        id   = value_attrs.id
-        key  = value_attrs.key
-        name = value_attrs.name
+  _tag_value_iam = flatten([
+    for k, v in local.tag_values : [
+      for role in v.roles : {
+        id   = v.id
+        key  = v.key
+        name = v.name
         role = role
-        tag  = value_attrs.tag
+        tag  = v.tag
       }
     ]
   ])
-  _tags_iam = flatten([
-    for tag, attrs in local.tags : [
-      for role in keys(attrs.iam) : {
-        role   = role
-        tag    = tag
-        tag_id = attrs.id
+  _tag_values = flatten([
+    for k, v in local.tags : [
+      for vk, vv in v.values : {
+        description           = vv.description,
+        key                   = "${k}/${vk}"
+        iam_bindings          = keys(vv.iam_bindings)
+        iam_bindings_additive = keys(vv.iam_bindings_additive)
+        id                    = try(vv.id, null)
+        name                  = vk
+        # we only store keys here so we don't risk injecting dynamic values
+        roles       = keys(vv.iam)
+        tag         = k
+        tag_id      = v.id
+        tag_network = try(v.network, null) != null
       }
     ]
   ])
-  tag_values = {
-    for t in local._tag_values : t.key => t
+  tag_iam = {
+    for t in local._tag_iam : "${t.tag}:${t.role}" => t
+  }
+  tag_iam_bindings = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_iam_bindings_additive = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings_additive) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam = {
+    for v in local._tag_value_iam : "${v.key}:${v.role}" => v
   }
-  tag_values_iam = {
-    for t in local._tag_values_iam : "${t.key}:${t.role}" => t
+  tag_value_iam_bindings = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam_bindings_additive = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings_additive : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_values = {
+    for v in local._tag_values : v.key => v
   }
   tags = merge(var.tags, var.network_tags)
-  tags_iam = {
-    for t in local._tags_iam : "${t.tag}:${t.role}" => t
-  }
 }
 
 # keys
@@ -82,7 +128,7 @@ resource "google_tags_tag_key" "default" {
 }
 
 resource "google_tags_tag_key_iam_binding" "default" {
-  for_each = local.tags_iam
+  for_each = local.tag_iam
   tag_key = (
     each.value.tag_id == null
     ? google_tags_tag_key.default[each.value.tag].id
@@ -94,6 +140,30 @@ resource "google_tags_tag_key_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_key_iam_binding" "bindings" {
+  for_each = local.tag_iam_bindings
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role = local.tags[each.value.tag]["iam_bindings"][each.value.binding].role
+  members = (
+    local.tags[each.value.tag]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_key_iam_member" "bindings" {
+  for_each = local.tag_iam_bindings_additive
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role   = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].role
+  member = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].member
+}
+
 # values
 
 resource "google_tags_tag_value" "default" {
@@ -108,7 +178,7 @@ resource "google_tags_tag_value" "default" {
 }
 
 resource "google_tags_tag_value_iam_binding" "default" {
-  for_each = local.tag_values_iam
+  for_each = local.tag_value_iam
   tag_value = (
     each.value.id == null
     ? google_tags_tag_value.default[each.value.key].id
@@ -121,6 +191,36 @@ resource "google_tags_tag_value_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_value_iam_binding" "bindings" {
+  for_each = local.tag_value_iam_bindings
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].role
+  )
+  members = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_value_iam_member" "bindings" {
+  for_each = local.tag_value_iam_bindings_additive
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].role
+  )
+  member = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].member
+  )
+}
+
 # bindings
 
 resource "google_tags_tag_binding" "binding" {
diff --git a/modules/organization/variables-tags.tf b/modules/organization/variables-tags.tf
index 4688504d57..21a0efe6f4 100644
--- a/modules/organization/variables-tags.tf
+++ b/modules/organization/variables-tags.tf
@@ -19,11 +19,47 @@ variable "network_tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform organization module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
-    network     = string # project_id/vpc_name
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id      = optional(string)
+    network = string # project_id/vpc_name
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform organization module.")
       iam         = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
     })), {})
   }))
   nullable = false
@@ -54,11 +90,47 @@ variable "tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform organization module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id = optional(string)
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform organization module.")
       iam         = optional(map(list(string)), {})
-      id          = optional(string)
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      id = optional(string)
     })), {})
   }))
   nullable = false
diff --git a/modules/project/README.md b/modules/project/README.md
index 75388aefc3..cd92870a47 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -1173,7 +1173,7 @@ module "bucket" {
 | [quotas.tf](./quotas.tf) | None | <code>google_cloud_quotas_quota_preference</code> |
 | [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | <code>google_kms_crypto_key_iam_member</code> · <code>google_project_default_service_accounts</code> · <code>google_project_iam_member</code> · <code>google_project_service_identity</code> |
 | [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | <code>google_compute_shared_vpc_host_project</code> · <code>google_compute_shared_vpc_service_project</code> · <code>google_compute_subnetwork_iam_member</code> · <code>google_project_iam_member</code> |
-| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
+| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> |
 | [variables-iam.tf](./variables-iam.tf) | None |  |
 | [variables-quotas.tf](./variables-quotas.tf) | None |  |
 | [variables-tags.tf](./variables-tags.tf) | None |  |
@@ -1204,7 +1204,7 @@ module "bucket" {
 | [logging_exclusions](variables.tf#L108) | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [logging_sinks](variables.tf#L115) | Logging sinks to create for this project. | <code title="map&#40;object&#40;&#123;&#10;  bq_partitioned_table &#61; optional&#40;bool, false&#41;&#10;  description          &#61; optional&#40;string&#41;&#10;  destination          &#61; string&#10;  disabled             &#61; optional&#40;bool, false&#41;&#10;  exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  filter               &#61; optional&#40;string&#41;&#10;  iam                  &#61; optional&#40;bool, true&#41;&#10;  type                 &#61; string&#10;  unique_writer        &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [metric_scopes](variables.tf#L146) | List of projects that will act as metric scopes for this project. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  network     &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id      &#61; optional&#40;string&#41;&#10;  network &#61; string &#35; project_id&#47;vpc_name&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [org_policies](variables.tf#L158) | Organization policies applied to this project keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [parent](variables.tf#L185) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> |  | <code>null</code> |
 | [prefix](variables.tf#L195) | Optional prefix used to generate project id and name. | <code>string</code> |  | <code>null</code> |
@@ -1216,8 +1216,8 @@ module "bucket" {
 | [shared_vpc_host_config](variables.tf#L235) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object&#40;&#123;&#10;  enabled          &#61; bool&#10;  service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [shared_vpc_service_config](variables.tf#L244) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object&#40;&#123;&#10;  host_project                &#61; string&#10;  network_users               &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  service_identity_iam        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_identity_subnet_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  service_iam_grants          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  network_subnet_users        &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  host_project &#61; null&#10;&#125;">&#123;&#8230;&#125;</code> |
 | [skip_delete](variables.tf#L272) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> |  | <code>false</code> |
-| [tag_bindings](variables-tags.tf#L45) | Tag bindings for this project, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
-| [tags](variables-tags.tf#L51) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  id          &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    id          &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10;  description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  id &#61; optional&#40;string&#41;&#10;  values &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description &#61; optional&#40;string, &#34;Managed by the Terraform project module.&#34;&#41;&#10;    iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      members &#61; list&#40;string&#41;&#10;      role    &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      member &#61; string&#10;      role   &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    id &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [vpc_sc](variables.tf#L278) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | <code title="object&#40;&#123;&#10;  perimeter_name    &#61; string&#10;  perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  is_dry_run        &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
diff --git a/modules/project/tags.tf b/modules/project/tags.tf
index 4f2a666459..1f9ff378b5 100644
--- a/modules/project/tags.tf
+++ b/modules/project/tags.tf
@@ -15,50 +15,96 @@
  */
 
 locals {
-  _tag_values = flatten([
-    for tag, attrs in local.tags : [
-      for value, value_attrs in attrs.values : {
-        description = value_attrs.description,
-        key         = "${tag}/${value}"
-        id          = try(value_attrs.id, null)
-        name        = value
-        roles       = keys(value_attrs.iam)
-        tag         = tag
-        tag_id      = attrs.id
-        tag_network = try(attrs.network, null) != null
+  _tag_iam = flatten([
+    for k, v in local.tags : [
+      for role in keys(v.iam) : {
+        # we cycle on keys here so we don't risk injecting dynamic values
+        role   = role
+        tag    = k
+        tag_id = v.id
       }
     ]
   ])
-  _tag_values_iam = flatten([
-    for key, value_attrs in local.tag_values : [
-      for role in value_attrs.roles : {
-        id   = value_attrs.id
-        key  = value_attrs.key
-        name = value_attrs.name
+  _tag_value_iam = flatten([
+    for k, v in local.tag_values : [
+      for role in v.roles : {
+        id   = v.id
+        key  = v.key
+        name = v.name
         role = role
-        tag  = value_attrs.tag
+        tag  = v.tag
       }
     ]
   ])
-  _tags_iam = flatten([
-    for tag, attrs in local.tags : [
-      for role in keys(attrs.iam) : {
-        role   = role
-        tag    = tag
-        tag_id = attrs.id
+  _tag_values = flatten([
+    for k, v in local.tags : [
+      for vk, vv in v.values : {
+        description           = vv.description,
+        key                   = "${k}/${vk}"
+        iam_bindings          = keys(vv.iam_bindings)
+        iam_bindings_additive = keys(vv.iam_bindings_additive)
+        id                    = try(vv.id, null)
+        name                  = vk
+        # we only store keys here so we don't risk injecting dynamic values
+        roles       = keys(vv.iam)
+        tag         = k
+        tag_id      = v.id
+        tag_network = try(v.network, null) != null
       }
     ]
   ])
-  tag_values = {
-    for t in local._tag_values : t.key => t
+  tag_iam = {
+    for t in local._tag_iam : "${t.tag}:${t.role}" => t
+  }
+  tag_iam_bindings = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_iam_bindings_additive = merge([
+    for k, v in local.tags : {
+      for bk in keys(v.iam_bindings_additive) : "${k}:${bk}" => {
+        binding = bk
+        tag     = k
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam = {
+    for v in local._tag_value_iam : "${v.key}:${v.role}" => v
   }
-  tag_values_iam = {
-    for t in local._tag_values_iam : "${t.key}:${t.role}" => t
+  tag_value_iam_bindings = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_value_iam_bindings_additive = merge([
+    for k, v in local.tag_values : {
+      for bk in v.iam_bindings_additive : "${k}:${bk}" => {
+        binding = bk
+        id      = v.id
+        key     = k
+        name    = v.name
+        tag     = v.tag
+        tag_id  = v.id
+      }
+    }
+  ]...)
+  tag_values = {
+    for v in local._tag_values : v.key => v
   }
   tags = merge(var.tags, var.network_tags)
-  tags_iam = {
-    for t in local._tags_iam : "${t.tag}:${t.role}" => t
-  }
 }
 
 # keys
@@ -82,7 +128,7 @@ resource "google_tags_tag_key" "default" {
 }
 
 resource "google_tags_tag_key_iam_binding" "default" {
-  for_each = local.tags_iam
+  for_each = local.tag_iam
   tag_key = (
     each.value.tag_id == null
     ? google_tags_tag_key.default[each.value.tag].id
@@ -94,6 +140,30 @@ resource "google_tags_tag_key_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_key_iam_binding" "bindings" {
+  for_each = local.tag_iam_bindings
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role = local.tags[each.value.tag]["iam_bindings"][each.value.binding].role
+  members = (
+    local.tags[each.value.tag]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_key_iam_member" "bindings" {
+  for_each = local.tag_iam_bindings_additive
+  tag_key = (
+    each.value.tag_id == null
+    ? google_tags_tag_key.default[each.value.tag].id
+    : each.value.tag_id
+  )
+  role   = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].role
+  member = local.tags[each.value.tag]["iam_bindings_additive"][each.value.binding].member
+}
+
 # values
 
 resource "google_tags_tag_value" "default" {
@@ -108,7 +178,7 @@ resource "google_tags_tag_value" "default" {
 }
 
 resource "google_tags_tag_value_iam_binding" "default" {
-  for_each = local.tag_values_iam
+  for_each = local.tag_value_iam
   tag_value = (
     each.value.id == null
     ? google_tags_tag_value.default[each.value.key].id
@@ -121,6 +191,36 @@ resource "google_tags_tag_value_iam_binding" "default" {
   )
 }
 
+resource "google_tags_tag_value_iam_binding" "bindings" {
+  for_each = local.tag_value_iam_bindings
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].role
+  )
+  members = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings"][each.value.binding].members
+  )
+}
+
+resource "google_tags_tag_value_iam_member" "bindings" {
+  for_each = local.tag_value_iam_bindings_additive
+  tag_value = (
+    each.value.id == null
+    ? google_tags_tag_value.default[each.value.key].id
+    : each.value.id
+  )
+  role = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].role
+  )
+  member = (
+    local.tags[each.value.tag]["values"][each.value.name]["iam_bindings_additive"][each.value.binding].member
+  )
+}
+
 # bindings
 
 resource "google_tags_tag_binding" "binding" {
diff --git a/modules/project/variables-tags.tf b/modules/project/variables-tags.tf
index 8914aae6e6..ac73f03fd8 100644
--- a/modules/project/variables-tags.tf
+++ b/modules/project/variables-tags.tf
@@ -19,11 +19,47 @@ variable "network_tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform project module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
-    network     = string # project_id/vpc_name
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id      = optional(string)
+    network = string # project_id/vpc_name
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform project module.")
       iam         = optional(map(list(string)), {})
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
     })), {})
   }))
   nullable = false
@@ -45,7 +81,8 @@ variable "network_tags" {
 variable "tag_bindings" {
   description = "Tag bindings for this project, in key => tag value id format."
   type        = map(string)
-  default     = null
+  # we need default null here for the project factory module
+  default = null
 }
 
 variable "tags" {
@@ -53,11 +90,47 @@ variable "tags" {
   type = map(object({
     description = optional(string, "Managed by the Terraform project module.")
     iam         = optional(map(list(string)), {})
-    id          = optional(string)
+    iam_bindings = optional(map(object({
+      members = list(string)
+      role    = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    id = optional(string)
     values = optional(map(object({
       description = optional(string, "Managed by the Terraform project module.")
       iam         = optional(map(list(string)), {})
-      id          = optional(string)
+      iam_bindings = optional(map(object({
+        members = list(string)
+        role    = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      iam_bindings_additive = optional(map(object({
+        member = string
+        role   = string
+        condition = optional(object({
+          expression  = string
+          title       = string
+          description = optional(string)
+        }))
+      })), {})
+      id = optional(string)
     })), {})
   }))
   nullable = false
diff --git a/tests/modules/organization/examples/tags.yaml b/tests/modules/organization/examples/tags.yaml
index bed4b46188..cce3674346 100644
--- a/tests/modules/organization/examples/tags.yaml
+++ b/tests/modules/organization/examples/tags.yaml
@@ -23,11 +23,20 @@ values:
     purpose_data: null
     short_name: environment
     timeouts: null
+  module.org.google_tags_tag_key_iam_binding.bindings["environment:viewer"]:
+    condition: []
+    members:
+    - group:gcp-support@example.org
+    role: roles/resourcemanager.tagViewer
   module.org.google_tags_tag_key_iam_binding.default["environment:roles/resourcemanager.tagAdmin"]:
     condition: []
     members:
     - group:organization-admins@example.org
     role: roles/resourcemanager.tagAdmin
+  module.org.google_tags_tag_key_iam_member.bindings["environment:user_app1"]:
+    condition: []
+    member: group:app1-team@example.org
+    role: roles/resourcemanager.tagUser
   module.org.google_tags_tag_value.default["environment/dev"]:
     description: Managed by the Terraform organization module.
     short_name: dev
@@ -36,14 +45,28 @@ values:
     description: 'Environment: production.'
     short_name: prod
     timeouts: null
+  module.org.google_tags_tag_value_iam_binding.bindings["environment/prod:admin"]:
+    condition: []
+    members:
+    - group:gcp-support@example.org
+    role: roles/resourcemanager.tagAdmin
   module.org.google_tags_tag_value_iam_binding.default["environment/prod:roles/resourcemanager.tagViewer"]:
     condition: []
     members:
-    - group:organization-admins@example.org
+    - group:app1-team@example.org
     role: roles/resourcemanager.tagViewer
+  module.org.google_tags_tag_value_iam_member.bindings["environment/dev:user_app2"]:
+    condition: []
+    member: group:app2-team@example.org
+    role: roles/resourcemanager.tagUser
 
 counts:
   google_tags_tag_binding: 1
   google_tags_tag_key: 1
-  google_tags_tag_key_iam_binding: 1
+  google_tags_tag_key_iam_binding: 2
+  google_tags_tag_key_iam_member: 1
   google_tags_tag_value: 2
+  google_tags_tag_value_iam_binding: 2
+  google_tags_tag_value_iam_member: 1
+  modules: 1
+  resources: 10

From 4d1d3c6811228fcfc59b5b80d9c6d988494e55e1 Mon Sep 17 00:00:00 2001
From: simonebruzzechesse
 <60114646+simonebruzzechesse@users.noreply.github.com>
Date: Tue, 14 May 2024 14:45:39 +0200
Subject: [PATCH 27/29] New Bindplane cloud-config-container setup (#2272)

* new bindplane cloud-config-container setup
---
 modules/cloud-config-container/README.md      |   1 +
 .../bindplane/README.md                       |  95 +++++++++++++
 .../bindplane/cloud-config.yaml               | 128 ++++++++++++++++++
 .../bindplane/images/login.png                | Bin 0 -> 158968 bytes
 .../cloud-config-container/bindplane/main.tf  |  48 +++++++
 .../bindplane/outputs.tf                      |  20 +++
 .../bindplane/variables.tf                    |  88 ++++++++++++
 .../bindplane/versions.tf                     |  27 ++++
 8 files changed, 407 insertions(+)
 create mode 100644 modules/cloud-config-container/bindplane/README.md
 create mode 100644 modules/cloud-config-container/bindplane/cloud-config.yaml
 create mode 100644 modules/cloud-config-container/bindplane/images/login.png
 create mode 100644 modules/cloud-config-container/bindplane/main.tf
 create mode 100644 modules/cloud-config-container/bindplane/outputs.tf
 create mode 100644 modules/cloud-config-container/bindplane/variables.tf
 create mode 100644 modules/cloud-config-container/bindplane/versions.tf

diff --git a/modules/cloud-config-container/README.md b/modules/cloud-config-container/README.md
index d7017dcb77..b41490040b 100644
--- a/modules/cloud-config-container/README.md
+++ b/modules/cloud-config-container/README.md
@@ -11,6 +11,7 @@ These modules are designed for several use cases:
 
 ## Available modules
 
+- [Bindplane](./bindplane)
 - [CoreDNS](./coredns)
 - [MySQL](./mysql)
 - [Nginx](./nginx)
diff --git a/modules/cloud-config-container/bindplane/README.md b/modules/cloud-config-container/bindplane/README.md
new file mode 100644
index 0000000000..035722521e
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/README.md
@@ -0,0 +1,95 @@
+# Containerized Bindplane on Container Optimized OS
+
+This module manages a `cloud-config` configuration that starts a containerized [Bindplane](https://observiq.com/solutions) service on Container Optimized OS, using the official [Bindplane EE image](https://hub.docker.com/r/observiq/bindplane-ee) provided by observIQ and documented in the [official documentation page](https://observiq.com/download) when selecting "Docker" as target platform.
+
+The resulting `cloud-config` can be customized in a number of ways:
+
+- a custom Bindplane configuration can be set in Docker compose file available in `/run/bindplane/docker-compose.yml` using the `bindplane_config` variable
+- additional files can be passed in via the `files` variable
+- a completely custom `cloud-config` can be passed in via the `cloud_config` variable, and additional template variables can be passed in via `config_variables`
+
+The default instance configuration inserts iptables rules to allow traffic on port 3001.
+
+Logging and monitoring are enabled via the [Google Cloud Logging agent](https://cloud.google.com/container-optimized-os/docs/how-to/logging) configured for the instance via the `google-logging-enabled` metadata property, and the [Node Problem Detector](https://cloud.google.com/container-optimized-os/docs/how-to/monitoring) service started by default on boot.
+
+The module renders the generated cloud config in the `cloud_config` output, to be used in instances or instance templates via the `user-data` metadata.
+
+## Setup
+
+Please refer to the examples below for a sample terraform code for deploying a Bindplane server on GCP Compute VM with COS. After setting up the terraform code run the following commands:
+
+```bash
+terraform init
+terraform apply
+```
+
+Wait for a couple of minutes for the VM to be bootstrapped then connect via IAP tunnel using the following command (substitute the VM name, project and zone according to your configuration):
+
+```bash
+gcloud compute ssh $VM_NAME --project $PROJECT --zone $ZONE -- -L 3001:127.0.0.1:3001 -N -q -f
+```
+
+Navigate to http://localhost:3001 to access the Bindplane console, the following login page should be displayed.
+
+<p align="center">
+  <img src="./images/login.png" alt="Bindplane Login page">
+</p>
+
+## Examples
+
+### Default configuration
+
+This example will create a `cloud-config` that uses the module's defaults, creating a simple bindplane server with default (latest) docker image versions and setting localhost as remote url (suited only for local development).
+
+```hcl
+module "cos-nginx" {
+  source   = "./fabric/modules/cloud-config-container/bindplane"
+  password = "secret"
+}
+
+module "vm-nginx-tls" {
+  source     = "./fabric/modules/compute-vm"
+  project_id = "my-project"
+  zone       = "europe-west8-b"
+  name       = "cos-nginx"
+  network_interfaces = [{
+    network    = "default"
+    subnetwork = "gce"
+  }]
+  metadata = {
+    user-data              = module.cos-nginx.cloud_config
+    google-logging-enabled = true
+  }
+  boot_disk = {
+    initialize_params = {
+      image = "projects/cos-cloud/global/images/family/cos-stable"
+      type  = "pd-ssd"
+      size  = 10
+    }
+  }
+  tags = ["http-server", "ssh"]
+}
+# tftest modules=2 resources=2
+```
+
+<!-- BEGIN TFDOC -->
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [password](variables.tf#L63) | Default admin user password. | <code>string</code> | ✓ |  |
+| [bindplane_config](variables.tf#L17) | Bindplane configurations. | <code title="object&#40;&#123;&#10;  remote_url                      &#61; optional&#40;string, &#34;localhost&#34;&#41;&#10;  bindplane_server_image          &#61; optional&#40;string, &#34;us-central1-docker.pkg.dev&#47;observiq-containers&#47;bindplane&#47;bindplane-ee:latest&#34;&#41;&#10;  bindplane_transform_agent_image &#61; optional&#40;string, &#34;us-central1-docker.pkg.dev&#47;observiq-containers&#47;bindplane&#47;bindplane-transform-agent:latest&#34;&#41;&#10;  bindplane_prometheus_image      &#61; optional&#40;string, &#34;us-central1-docker.pkg.dev&#47;observiq-containers&#47;bindplane&#47;bindplane-prometheus:1.56.0&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [cloud_config](variables.tf#L29) | Cloud config template path. If null default will be used. | <code>string</code> |  | <code>null</code> |
+| [config_variables](variables.tf#L35) | Additional variables used to render the cloud-config and Nginx templates. | <code>map&#40;any&#41;</code> |  | <code>&#123;&#125;</code> |
+| [file_defaults](variables.tf#L41) | Default owner and permissions for files. | <code title="object&#40;&#123;&#10;  owner       &#61; string&#10;  permissions &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  owner       &#61; &#34;root&#34;&#10;  permissions &#61; &#34;0644&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [files](variables.tf#L53) | Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null. | <code title="map&#40;object&#40;&#123;&#10;  content     &#61; string&#10;  owner       &#61; string&#10;  permissions &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [runcmd_post](variables.tf#L68) | Extra commands to run after starting nginx. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [runcmd_pre](variables.tf#L74) | Extra commands to run before starting nginx. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [users](variables.tf#L80) | List of additional usernames to be created. | <code title="list&#40;object&#40;&#123;&#10;  username &#61; string,&#10;  uid      &#61; number,&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code title="&#91;&#10;&#93;">&#91;&#8230;&#93;</code> |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. |  |
+<!-- END TFDOC -->
diff --git a/modules/cloud-config-container/bindplane/cloud-config.yaml b/modules/cloud-config-container/bindplane/cloud-config.yaml
new file mode 100644
index 0000000000..78f6ea6ec5
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/cloud-config.yaml
@@ -0,0 +1,128 @@
+#cloud-config
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://hub.docker.com/r/nginx/nginx/
+# https://nginx.io/manual/toc/#installation
+
+users:
+  - name: bindplane
+    uid: 2000
+  %{ for user in users }
+  - name: ${user.username}
+    uid: ${user.uid}
+  %{ endfor }
+
+write_files:
+  - path: /var/lib/docker/daemon.json
+    permissions: 0644
+    owner: root
+    content: |
+      {
+        "live-restore": true,
+        "storage-driver": "overlay2",
+        "log-opts": {
+          "max-size": "1024m"
+        }
+      }
+
+  - path: /run/bindplane/docker-compose.yml
+    permissions: 0644
+    owner: root
+    content: |
+      version: "3"
+
+      volumes:
+        bindplane:
+        prometheus:
+      
+      services:
+        prometheus:
+          container_name: bindplane-prometheus
+          restart: always
+          image: ${bindplane_prometheus_image}
+          ports:
+            - "9090:9090"
+          volumes:
+            - prometheus:/prometheus
+      
+        transform:
+          container_name: bindplane-transform-agent
+          restart: always
+          image: ${bindplane_transform_agent_image}
+          ports:
+            - "4568:4568"
+      
+        bindplane:
+          container_name: bindplane-server
+          restart: always
+          image: ${bindplane_server_image}
+          ports:
+            - "3001:3001"
+          environment:
+            - BINDPLANE_USERNAME=admin
+            - BINDPLANE_PASSWORD=${password}
+            - BINDPLANE_REMOTE_URL=http://${remote_url}:3001
+            - BINDPLANE_SESSION_SECRET=${uuid}
+            - BINDPLANE_LOG_OUTPUT=stdout
+            - BINDPLANE_ACCEPT_EULA=true
+            - BINDPLANE_PROMETHEUS_ENABLE=true
+            - BINDPLANE_PROMETHEUS_ENABLE_REMOTE=true
+            - BINDPLANE_PROMETHEUS_HOST=prometheus
+            - BINDPLANE_PROMETHEUS_PORT=9090
+            - BINDPLANE_TRANSFORM_AGENT_ENABLE_REMOTE=true
+            - BINDPLANE_TRANSFORM_AGENT_REMOTE_AGENTS=transform:4568
+          volumes:
+            - bindplane:/data
+          depends_on:
+            - prometheus
+            - transform
+
+  # bindplane container service
+  - path: /etc/systemd/system/bindplane.service
+    permissions: 0644
+    owner: root
+    content: |
+      [Unit]
+      Description=Start bindplane containers
+      After=gcr-online.target docker.socket
+      Wants=gcr-online.target docker.socket docker-events-collector.service
+      [Service]
+      Environment="HOME=/home/bindplane"
+      ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+      ExecStart=/usr/bin/docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /var:/var -v /run:/run -w=/var cryptopants/docker-compose-gcr -f /run/bindplane/docker-compose.yml up
+      ExecStop=/usr/bin/docker rm -f $(docker ps -a -q)
+
+  %{ for path, data in files }
+  - path: ${path}
+    owner: ${lookup(data, "owner", "root")}
+    permissions: ${lookup(data, "permissions", "0644")}
+    content: |
+      ${indent(6, data.content)}
+  %{ endfor }
+
+bootcmd:
+  - systemctl start node-problem-detector
+
+runcmd:
+%{ for cmd in runcmd_pre ~}
+  - ${cmd}
+%{ endfor ~}
+  - iptables -I INPUT 1 -p tcp -m tcp --dport 3001 -m state --state NEW,ESTABLISHED -j ACCEPT
+  - systemctl daemon-reload
+  - systemctl start bindplane
+%{ for cmd in runcmd_post ~}
+  - ${cmd}
+%{ endfor ~}
diff --git a/modules/cloud-config-container/bindplane/images/login.png b/modules/cloud-config-container/bindplane/images/login.png
new file mode 100644
index 0000000000000000000000000000000000000000..3de1e6829ab26c97c9bf8214580ddf3b22987bca
GIT binary patch
literal 158968
zcmXt<XIK*4`^QU5%N+HXsku_0Qqf%eRB%?7mYEyT!pupJ8}~LdH)3XPaAc(d;!4B4
z!HG5yF(<gio!j)^oBykGUFYSw&N<)v{(e7qqM3;y57%|BGiT25JbHNF;>?+I=rd>7
z-(TSPyR$GRr}uX`>t|tj?+k$=x^(8ujWdt#-?a*U&T76iT>c+Kd>>QHcKv(l4;~)C
zh3hYc=H8X2piHEEH?Mue=DgC(!3OsuZyDSv&&|F%`I&)~Mf?-DX!TEkQM9qYvk<>h
z_H{+TbS#JYqPlSV2N9{!J3sC&M*Dr9Y(A|$h3lPe<7+3q*Zmrvoe(~NPERJ+BWOFe
zLr;%>h1nDT?EX?xk~y^_`Z&~whwQ<dnvgVd6!R%QkrtRdEkRfNDn8VGqy;BkuMINP
z{V6wVrir8}+BJNEH3gfG{fDMjnHrkZh3tucIseOR#3cL{DZYAW)Se!<n)heoTRJm9
zeX;>wsYI`1t@pJE>DlT+j{Ilg_VrDa=X#k1!zMW_q@Gdy0L^wS(4#IerE`$}=lw~Q
z;p|A8L~JT?Z8&_f3$;~N9g`&a<q}EL$$jxkMe5Pj6IVpBo5+IXFJ6SD!wU%ehWLUd
z60+l6=M4$_xkIpHOMYLjs@Di|uoXptrV910jtq?uO~m|l+qMN<{qUdx$4KV!5WEzW
z0Hn>b9ZBIfA)-P47GchyGz>khWUR4)0xunZ(deX&y*@>is}b<K^1i6p5>kB6iy&5N
z`coV=L5vT1oDnpj0}yVk(tH-wxFR1pvuu#z#~TE}IOkbc2US`i+T5npXh2&lp1_@%
z%OM%5SWU1<mWRl!QlA&LVmbhjRjKapWZXUUG|ac9F&H8$_1sA}uUp#*A;SSl={qh9
zS8@7<G8SFIZx4tAOf>hP#Nmm~?wVY74@y^bI=jE(y$t1=6>9wzSo~US;oNNC8yf-p
zEVTPvm*e1>@3nVtoq9y~h4+7ivr?in&YHP~aT4|$q_-dn)-<i|HxXUF5O}4XvNhlz
z%T>GXFAdMTA9qQT3bt;OtkvIiiw-2^ZB@Oy$<C_X)tqes#G#)9T5_8F!euS=c9%w5
zi=Akk4?kG3GoJT5nyQ(PZg3ya{znIbEz*X#(l2)&OxY^>V)~Z3okCsszc|FhH1UJS
zc>i)Ak{wjts<u+<Nsf4ihinY)Tf!4biK(pKQV#t1<+8EP(E7XOV~-E?`a`INE-h<a
z;hEBQwpZt^_W)Bqo_)K6K26WqvE#m=!eutHvQv7}BT}KQhnWyb`z=it#dNGm+Ed%4
zmW7!p&AJg?IW7Uwemnm%zs~?=p0R8Z>H>OnclXuOSwzGmPH!x1g_Mwf3DIn+1ZQ<1
zI`@m6gR0CBZ;TZoS(lXnn5%pcA?oIX>G&{UhSS{Tg33t~(|}v^dC5QYo%=!e=TiG<
zT<P-o)!7`J%G%^aTd%-94qJ|TuHR@$fbXlepoFU8E1h?6NkP}%R7r^VTTikgIXPfx
zSj^`n2kSSQyDm`yT>b)<V#9rBLOfY=bkEnrKO$^j2e1;l6?Qc<#T7r>C>p-9;?{C}
z6}hClX?`|a-X_>O*3eF3fPizZ@S)7zbFqiWj*1I|%YR!vh=24t`4ZAa{El2xDTj2p
z*YU)E1JvfV+8mng9zJoXry)tAF73zP2NRbJlc}EXp*jdUxpQ0-J2tn;zVam2ff$c1
zA}BIeB;7~$iE6yi3_TdW^zg%o^~rjd$e}7uEC=tgt?(75+Zb%O-H={uSzHZU95du$
ze7iNFd3jUtiA_L3vdB)T3r%4X8~TBOJDlCZRa039?kja2(%OxTQ6owpff_Invg7>F
z6&`Dg-3?Oq7~!NJ;yGXB2#m;z;+1>o_qv^}f6zvwnV(}437KH~`s~yQ(#{n<L|xK~
zkp>w|y(7cmt|}cXh-g+%1+Fojd;Ief%TcH%1L~}Pz<N*G3?d-v+K<Jfl-2!<GKRBQ
z{Sc;G1jObtxA|vE3-Q)&@2fB0!O~LMUush9<L_G?as*HF^SXzB19Q$n8Yp8#z*~<3
zBa#};P8EL6@<4k#f))EpPedNrAcs*M*8I1XHzWBXd-{!=&q{6#^kkH;b{S@pkq@|8
zSfLsU;X*)i!4Gc(jSRkrTyKqK59HCl>^KGSVa1Hws@y>bAN(19Lfh|KGdzS_N_8ee
z1;Z2?w=z1Q55%o>x@pRv#awYks2U}|m>ih(EII&MO?Jm$Dk#6OgKRR<&C)|D!-++X
zR!a-ZLM>~)u!H;5DELaH{;vPE{srIl><YNeQk*sKFW0>Os>luErv1*jvgF5vl$Q$$
zIoy}D>f`p}2k3@QAdUv1B$fO*&XEM}RILUv_Y~}tQg$adawLGFDoUxuxtnJ4Z@vo9
z?g|8WIqAj91HMXK6RVTu9&jsX8hWHVjo#h7H%_D8goFX>YmV<64K9A%Cw59^YWOIM
z6l&(vHdC=*331Yy^wc+)@YT1~#lJNAFU{$7krj4@4IwRlye=&k;O;$nyA55u9qa2L
zUB#y_LH;%OsmOVY4v^|lAGp)^Th3Xv9shLS&wk1U0SO8@OtT<`b5yeP&j^8~yef%n
zTa{^-wl2)_z5?Ez&Q9vM9#-#gz2ykHL`~6$7z6Se9H%LGXG}8+k@$!Lo{%F7hcNe3
z|6J+9I>v7fj?S=3U;P%UAMKWpMG$V_(B|j)hfpgCP_*~{A7R!y%Nqq(yx>7b$`%?E
zh`s~$Bss>7q^6`Nr0W#@F7)z6dAx=#P!NtSF;w9l|M4`z1><@>F%#SV((lWaR>E&+
zecZ0KTK1np-#4By3-`5M+(${v+;d7@oO73Ma+3a=2M%1StLcx5Z8UF$tr{H3Y7bW0
zA3VMiKzbn~!~Xzj7i$ZdtTfFoa1LH~EIe#6&MFBG)W|ZALfy<LNznVNqb9{XV!Bqk
z-9mn<^5ZWsLY?x*=4whCT|CU;3Un*ht4x%v`F8V?fIbXZeXRNWI?aS+k)h`yG2ejR
zMi&zzwQPU>al7rOLJs1s6`m^SEgx}2Z*SaNjjb;RWpwBWe1&$1E3Q`!2`>cxncK>V
z!1*|&*w=(I+%EN%Zpf~Qgs8B5@Ta43XgE;a(OC0;>Q-xm4DnxO*B1w0RBfMKUY(ub
zMq9n`Iwxd*BXTQEO3@=v-;@xPrx%2hzt6<=ZORXTAMR`NUpM}D$DB9_Ey_!DS$xwV
zd8b>;9MIeFDEiUWh5KixdURWEjE3JmAZ5zXK6yV(5WX?Bq}{gaEKxUQK#}b1&FX!8
z)R8rus>9Bb=4C|w{xxv9%za_40f-3yphv#VfAL>Ct%)}8Dy3^(2?YcX;EGi>+*wur
zDpxQht+WR#O)H{JEbZO6E!K8ludqTO#NpUs*s#&i>qa!A=|WT6X{wGg2UF8A`&qmy
zi4HIkFp!S6e)GB)b96Tv;r%ud>C;$bG@cr09y+7hl23n{HteQE33+f&$Qvf+e`2<y
z=<X(3)|PFlJC_|4IW5$ARDH-ysOxCLPc}q9jKv5?!|_484pEIjjF=TtPOJC?b8K1P
zu0F6OwwY7V;_wc&-+tVSNhC&tdz&6NFIlN=R7vy=f@y=6@D)(ZrXVv8ArR3KX?U{m
zyWfMUe3#1B1xIarHQy1zY0o#b)jp!8h>0hjNY8dffJ&~8e6SOO%ZJ;9O>6?Xo(XOr
zhi2%Z!;-$1W#fqwPOVt;oMyPnIQ_ccStj?<tuHu69^iA$b?w9S#~ad5!>!RJK9wRs
zV3Xj^<aAeJ`1rFjG#6}!_~IFArD#Y}Uwq(EmUn_4F>W0aQQes`u!fvLJHbKP)22OL
zI{4+V;SpOeXZ5jt{|(2(B6U<P$bKjM<)s!ShRk8uoHXr6fK%8&Jn1CtsA*yMSCCw7
zv-0PJUo&m<t^CEn(#8*!VplNZVOvU~*D;i;y4Hkv4lS^cA8qYAH>4rSQCjHYn}r)b
zm7R*uMd9A2V=xg*YP!S4K3c~4OLpf#GFvS?1|8n(eb)`oK_TZ{=loWNbOTfd5Qp*+
zyge`nN1s`t(YOiq$o~nglLh%640TEHH19XzU-^3Y;2p!?h+SQ}SE(6iuX@9bX5$5C
z=aBu>`mP{xMVx4Ug7@S~b@-|lRtoFB*Bu66`<Qf&!N&XSry1AgKw2p2+ARxF!8Cif
zw$44rZ%B9JGgne=G(-u$XHiXwVOG(keMhM!itoRi+wZ6TcSmePRB>K`?^m*CQIFEt
z)Z80veTEW9oo-L9e0V^cOZjmrz_0$pahpnIAP;~2MtrhZ3&mIV)H+56Z~s!y#eNsa
zIKN)JHQJkeR7#RcPu@0j(C&YCB{ZXitG^mX-Ug|ohr}okU>s#o{cu9wvp=N00@kTb
zQeRc@?am1dcbED5ftPx*VgT3RGpY4GCuq-M%zC44fOao}*<=1&YwQgZqSlXO(*N*o
zk2Dd26^<@#k5ljerrX3cS<E$HCE8Qvc}qdb*g>QuH5c{g>MrpJHjWdu(A>_Oq$t9I
zf}(zy{YIkU1lpfVy9J_Ji$Prx-PBq>a)oHYu6J})mEc~OSX8-fOjQnbPUtBT$SeG+
z3aRzWBYMubqP|n+x@O8Ty+%T(@}GK<$fr&s_)9Qp$H?kmK~gPNtPQgZM_GfdGe!Je
z)2!ptRG7EAF4PpXd2bFciIj2_yA17(hQBOi)l<}-t{I>6MEm$kUwf36#xlA`B`TY9
zHA-!4wv;-#;%v1T^l+tH|8V59YZ@XE_AY!1O+v>AR~P1TgR~f)|1~&9j4Twx{T%B2
z+emw&tIi_O4AFT$FIk9PT<_CA|2~`(n_RhW2fcurTc-z42a}G#pH&PG#Gvn|=8B|M
zWZCm==Yag*kuSFIJaCAl-tk2+Y#c43_h0Wic$B-{b=CMOy=_-V02*IFGl~S}@5;<m
zuN!^<p2|m6n*yVJ(PbsyI^YytE`40K3pyZVXh)eTZYydXJiSrzec}M)l(WM;98&l1
zd>C8aXOLtsJMe(zLj&4(gR}b`_`A<*>W}1{m2|w<)2k_G(!C?>#CcjiyZY0{rQgJ>
zESh^vFDy6RX@Ez>HV7$K2amUR4p4M#TO#;dYU4WmNli(HIO3AyeY_=cdDl#x5jyXd
z&X{()UEz1YB1(|&cF(0cbPmh|_ykBm1Dp_wR^4!QS0pk(EyW&6R1q;G?A{=|)~mDt
zb>mj5_wP)^RK$vD9y)Jr{uzLZ<vTuc@JP1NnOE-H6sfDleJv#$ds(#v>^$zJ_Lgu9
z68U_a@5lNfJq0JX^Y>tZasGKO&PtX)<)SNaM?jy19kHCNJ|EVwLcae5y)(IaO{9fQ
zd&CedN|T+om6vCi_%*onE?VN6%85oFebdRX!q}DL_IXk6>tgj-P&wmRDAc6^aU!=7
zSXgit&WXgTk$Y-Te^iYvHC>&Pnbv7H1mhL+i5H+M-TPSrcLQ$q<9&hssmPZ_rqUxq
zS{qIH-g}NSlmQPrft68-RomW9mGTP(ePF1>`(xxLy%}jsP}h8|n#||*Dx+JN6y4eB
zb-RE0$u$}_vI^$0AgsE`xPc2ZdOkPAB~ue2+9GEMVabY=UjMLVIhTZ!6L4jmP^X)=
z)RuF4WA@t+zsg0tl%w}jqj0Hwn&C;c$XevroIkiGxJXTuR;|uj;wf21PKb#uL3hA~
zQd#Ub)2qKpqT465()->0eGphT7BUiY8>;5dV?V%}4^HcJ`g`J@$WP0~7)7!`oU_XM
z299~@6Q2`)yA>CYop-JJ;1SFk?{)4zrs$f`s^E17-C7K#g<H&7?x_J^>s}j7MClsL
z^lhFG23lM4ojhW9oY4TF<5pgt<J`AZ)-o$YYEgW<CeJ^5F#cW<xChFa5bx`CD$lL+
zjn3b^)c+~r;jKm^3l}Efo2{$KbK_Tir<fIivkoDn5?nW!<M_5hPu_3;tqL3e<LdaJ
zdsd;{r^-C78f8i&AZ*fRvgC=d%XUR(=VX#Z^k&j|G*v$oKfE8;nWKbrOscB5{troU
z=gYl4?hN<@2n{aIa}wrgXlUQ_(MH&rg{&mJN`gbA-*Xeh{Y0HSz<A2W@QnP5@PaH`
z*S{stf<#9^1+uE2mjmbdNQZ>g3=AeJV;wt&q1r;3SRsV&z{4_z*hJIv&k0JdNsGMk
z9Ic^&*laW6p+`w|8zLN|y+sWng9FR&aDL1kF8DoOqzd7aB415|IX(FHSF=4A?WC$l
z^x~vc;}Kybc6VlMq<ztep0;zx!#v=Q1K&a;!<N^wX1@YNFH$!nCWHaT32rW#B7GyM
zQ)`vZfPxjNk*8z`ZNJRjk9@Xz?2}uV1_w66c8!}4B+(caG~z-Wuf6TKr#QJG9RL6+
zE5rFL?xrL*2I@h$?V^#dacxyA%9&vK8z!h6oey_#&M$nk4)9L)5AHyQ;i=K`Z7b+i
zRz=SrR^&|3`6g~(uXVz6VZ_{VP9nxcp)A<vywffVzag7f|Jt06uqFVm0X8ZKS_P2V
z%YIeg>%U9Ztb@orAy>f;)rAZ-cQ*l)UnDrsy53w(HA74}3-bgw-_iS)-n(Q^x28&>
z<i8rsIL6-y+QTiUNbM58;;M|FV<X<15N-`DS5!`6N_;^-V)qEUDZzt2)));OI|*AI
z;j+GbGO#XSGBBHsi>C|Q9h(b59UKFirM=^H)|hp{rn^=8b;(;!J5OD+h_v3}vKoR(
zpzlxw(g5LEVhGXG)U>LFZHmO!q74-zg)ZeV0j<pE?)#aHoQ$RnJ6A#w^S(pbR<o9t
zR!K*-aD?j!z=T#`;2z&V?hcYU)l}`uRp11meZAYPcOY};`_XenHP9ZW$JIlS$5Ib9
zaY*>c@1&ynYsX{wlpQar?P7bUaD)6u`7PATz`cN#%5Rp_9p@je0$<;W(Bt8V*DNt|
zG<mrvE3*z<vrJ9)oA&p|vEm+O9Y{&r*aF{#X{rv_dTLl}K6%2T?mTiOo0w;BLJa)(
za}PzfLwMS!wSBjo!Gj1$S|-6ewU*%4qAF4fA_-YHK&R}@m%6iu+qng@2)&8-=*=a`
z+f5an?1t$2A_T}PV&QRSv5BCI)7-CN^Eo@JPpK3kmn$R2RumiV^iQ8k@`C0BZr?%i
zn`9jCsh#Jt`VFIN0;#smW+ClIuEG7H_te;UwEzSDb>+eLu8E+woz)FR%3!_-ECXRJ
z6R-5w919=XEz`Bm?7o^Gb0kYy8VTGr<Yojr+lfuNDEPL_?mN~?=L5w%!>0Ev0`lDw
zj^y*xsA?pT0KeCuWQE^ti{Ogg_0gKAz&v~8piv-+|9$g2I0-fJG#8U&r?2yK&)2oe
z-&jY558`RI3#l^?cywStqaR0)KSb{IJ96orEeyW**%V4aZew*+pF!b{5#=KvPOr|3
zOV69-8&x2WTpC!cep66AyO`tvFXDVbd##gyEr(v~<awWwVktw4I8ar-jS?qnbnDzX
z!8brvNgsfg<{68#B|Qz*zih}qX5Mz5^)M_McwSlpST+hYVNnVTEvH9jFZbIEgejW9
z{#VV`6$;&Q-JK0~(G!=hu<`&6AOih2=NRbKlHXQUug*yXq@rI`4^A=Dnv;>L^)uWH
zwwdIY@+TT&xbz@Q>i4SSD^ThQ(i}j$0u64K@_m`Ltd#^{%sWo1J+wUu*ovJquNs8Q
zYq!x{x3A6l@AmrK{83bWwqUSotn8-I3724_x{h-JQLwkDBNRp}3*r(~EzlD2BUBUq
zdO-(?n}wBRhd1ely%lZ-aUuW|wt>kix-J%5UlrA}?qfuM?9kj1oUw=Y8&?>7@um8|
z%yeEEG1_|1&_U6LYdNZB-=ciTk=p%iE_GT&;H#z0TxE_Er8_TarH=!%f5&4cl$5P1
z9rOKhcj~X2tp}g9$Wgyd5>|L|kX4sftI<Rn_!{5AyEQxtH_nW<%yJ@*6|vTKt<*}=
zIc<3>Q4mp|0R$2b57-S<ldbuI=WPUTJnlSrwW{>fJL<#a6|uRufXaGh;u%qyREf0N
zQ*3I`>Y2q^8Ft84nUd@5n>EnmrHV6`@BXJTt#atVpL=rwA1*6+WO>tkbm{=eh<Rkj
zap5KBc$Sl6iWfz2Z2(D}e(og3ccK2pHgmmi1S3@-aF(Jk0AG&O6^y{>P~&I2=4JmV
zlz!hFRS|7*_)gty?UdgQsw41gcraN@c?n9fHNlxj3Fpbt$qyDdAK-oXBEQn-JY57I
zoVmObCr<xioNxuUVTHnidPl0nAT8aw3RBE+R@sH;#o-mo-{@vDE@TNKc*Z59e4n6L
zcyhBopTH0NCB73gC8Y4=FZ#bf9;~)6Ko+dFs$l@71GTJ10Iz&O;1KzECflclz%f9S
zVQ{ULD5pkTjxyBs!~5j}kbVc<qeH}x*IV$U59`&gX(HNt(&|onc;U7G3K6aSmXy{i
z^8OH}%tu%y86oQTCL+H%S}=09<T2^QqhJH^l~5!K(*wz<dPOe)kiF0KZRNvVkG7hP
zNWp{jbAK!jqF1yRF8%U}OC205uhIQs%OLOP>?R8aHQy#@eV>}+XBMY_O~L^J8Q}w-
zU122f&u5z<zl%C01Z(=+icn4i*WW{Y`_fNr=*GSOOP|UaC4By{Zs*;#8?@jtl5-Lj
zG}L?i+Ub(#r{$-yo+h_;lpjL$T!$J8buGST5kLM8JozGa&+|mf?@ve0xxnsVPkdav
z#w#$_O@ZR(54?rdK~ry!?x#O?8tfIn(4+OlG|o#bMCrMx=_dNKB=2fnn{qC;Mq-NT
zY_9I-j%B>-9W>Pd4=<goKgUyv6J5kS!a8V4*#Elnv4!G{a^Zauc&CJw;LbiPeNp%o
zX==GF!DO7M2Ks4vvhZ4kRim~PDb6_I&J^A>Q+KhQNWbB*uKydlXFWCX76VO_;;_+v
zJohoo!hG(EhRsalOY!lY4QQABh_ki6ocO<T491AhIMdSB<Lib_i`J*O<7}YU=+&^s
zBBgg&q{5q1tb_S2pwk<-O7rK)2UKOyz>C+&m1_4z>8vOW$lsK&rpbfvxH0Jg<p=gG
zZW$KWyp~%%$Nk(zRSPy7Zcrdea*n~7_<izK-d#9+%X7j|kl`EoG*E&lZ!`_EV?FEU
ztLSVMsB_*Q&;+`cO1|wZz*{%QRmQm3VthjSs!GG(cJtCM%u<Ebfvy0g1<V7V41%9R
z5oK{tMWtb<a1p$)!pzf|4Xt062o^W9`e`Ak6$?KK50&0=6>g!Z0xMwdG6D9BZ&WA;
z?+`p)@C-6G%Iwf(MVoJRM-LuyTDNDWt3LrO&<yDmFLLsUkx#qS1plp9a&rBE_s`TL
zG{*Ov=V{7j2I2&erHIm9cK#MP)Zh4r{v3%J%l~!aL5f>O+eNmUnaqjm{qNn*(Dwqk
z_?WN?hyK{@hX=6ulgQ%uu#Ut$`8gp)ZR|8~ak}Ng1%Vu^X_39s*MlbaF5d-TDFk-p
zp8w2dN-ZVTkCw{G)ZoSJtzL=6P6=!wTEoU3M8B_5lF{tzZX^F&{5^UP%azOK^6ypN
zaIqraZs9+l?vzOJa$P=9%M{q_s^yvmMJjt&KAgGZ$*Lg8S&+eYOIpkYo0X)v&<UPI
zo4{LW1&w)m(m!LPY1Us2x|Q>_fZQ)auCzA1F}fyq7+{<!=b!!GOPF!#IN~6_zF+0d
zk(D}fbpEW(e(-T?80VGsfSuRwIo0W%{t(WZ1}o~5Pd{>xJIBrUwgX1M+hrmOg()y?
zc`es!&@)Y8kOp=5Yc+hnSa@Or{4!4w>T|;Ca=Vs_xZTMSD}nx%Bwy(jYz?zi>8whp
z%8;QLU7G^cU)?Q#ZN#W(9hT)ho+={tQm?BT!1oQcJb;{X23P#%(o;4F2)4dv@8L9V
zO4WiqHZu*d+uY^i<ZTuYy<hIva&PUk2U4Xi0L2szk?E@lzEzNcz~DUfV*lz8NY^U0
zP1}Orv$PP*lB|kGwCmop1$$i`DWfSznN{QzC3f({ngdAaf=XASMiHE~%u3jC>k;+k
zd-lS!p!XuGNEkek^H&4+_(WtWjNdD3&1v4;==bT3UER@DMpoQ!>3=%Ep?hF==w=@O
zLSe4R%<{Q5XsG6J`<?kCfR1X;r~!-9MPETX&E}Z!^&Rvk`|ExDRAZ!rZNr0hfu9eb
zpTCC<hWKL7S?~FHREC=<oy$|$v$`8lU0k7h&{##Uz3bAi5HI$&Mp1OiRzZ4RnYYM<
zH(4~=K<72L^EtDbFCF?6Zx?<+xX|8s>3vq^xG<vky4x2!>TpW!av}f~M*Hmom(yOG
ze&o7<c(O!Md8d}CXs>!~-f}0(<%uN!9aLBsFX_szzD#^g`-AbQo?NaH+zMa{{k#c!
zE689TT`{`5?42p7qWH{y#uv6euexxaVG!qs_Jb(Oi{P>$y37FE=QnP}A!XfRWHcNW
zNbC!c?VOr+FpshN>!8vLpB((J6OnP0y$v{pL_%ucI#qSt+4+38D?2^$;7aSazVKVj
zt7}g=PYGSuGciMEpl-A_D+}QyD4%_)$zUmOM;y3oUNyg=(<wj+_;Q}<zDxSdnC9XK
z#k&T$P7U&M51+JGVY5+T9j*I&$YVwI%>Z&IEM*2p3SdsTb66_EZK7hyqMVD~U%n=%
z4CDi75Q>~|LnK%I<#?Q*K*1#SlMqPm#lj2g?z9;FXf=&6uc?6xTvx#=LN_uLK>tfT
zlXwc{v7QrJFy5PG|A&C@?Q3g!msrvG@4yB2Td&wmvo>r8UfiQBPrss{*AP@a@8!-I
z?p=LVrP<kSDwElH3w8k*RTdtAnBKBWdt=h1xdr0C1U&c2{ny$7?4_1UhQNTaU~G<n
zaK*#I29%Hx+_$(RwAe(!^4eEXQ(|gT?LeSVjfec4X{}(v`t03ti`Xng3e7oW+0lDm
z)DSOV0I$klwd{Uwn96;6aQk)g|FZz~lg>wSVb)=|aK|H19yBC>V&OvJ_lm9JKB_S%
zL{L?$43wWTkpo&H1P}!dH!sKR5PZlp%Ct4ST+gl<jB9l{Sb_YIQ;GbX8MXgKbv^aS
z+BYa9rLzftOAbs5Ieuf|y2m{PJN6TY>>7#$3~7-XY_%;`=z%DHa7d>F`ci@bpk>q*
zH6+?;!uuE!Q2~0JBupw>yAD6<`J>Osb&u_^AnC|x^mT5gb?c5<I9SrYQd;a-7n(X9
zp6#(b>|8Bx0)G{!3)-~8oqHWO-V*P53~U+AM3CphOhGO;zR?HHd+j~1H93osw}SkG
zoh{of$iRpww%F50dogG2ZVK{W{HjY?e5-g~Ia}E&)u?s3s@tf7`@Zyv*{!`r@LJ3p
zYImWur*TiiR$~Aqk_zTxVQuhS1=2EPN)BpJ^JD4`<a_~B?aZ~+mC5?tv>y&n47`A0
z@~@y^kx;8t$@q0U7U#Et$-9B3PLOOem{nQQ5khf@Wc$(mRT@HFG4Y~2F|@MMZRi*T
zTT@?CbcOF)X)5Oj`Wnt$rD^<jHyF3_at%a)8MD@ha#Ll*#TR#Jf5VSyKU?@0)4)Oc
z2sK#7DYIDN(!4b3k+q*4r4)7_^M0*Vq@O_ur~-5<$NyOVuYmVjwXyJ|b%5V|1NNfq
z<5Bw=0?yND*JO2h);<;}s-*BW=^K_X)HgSR%RjRTNT%`f`G(iYM{)kJ<Hhb{5|2<w
zUUL04WkV~KHuv|d2>WsU2+vN*gRw-xPwC&EQMpE*V6vzQC~uog{Q&G%Q^&56>le5n
z+3L1qqueuiOI{j3jnab@%0KwT=pzu&2M@*g8;l+W{joVBmiWQ03_Z+bS9{>5+AKP4
zbxw)B25<mhExUf<tKkF9$~yxj_Fv(<Cw+X&n#<35&<$J87vrYCpSMJv|AKgsDRvPq
z3@`BTi+!6&%h;0pbz|F;1DPbNc@+4^zTDCoZEvaaCKRM49|m+_F(d`0_JYB`XaeQS
zFbLibEhiDM1`qe$Q>FwYyUqzx$O=(ny2QAAL{mquheSZR^bmJQ#q8kj^3NgRKO<;0
zCg<)07a3T=(lSBr!&I&9&pi5mne)s(;^P<{%Pb~L3Ky+UzsHI2%2dV$5pOyLT3cS7
zYyeg_<SY%U%$!i%cxdS+b{2ttqcG}(euaEUjSZwOuy)goUVQ{qfTIyR>dZ%r#lkub
z2e9tJfgCX{aQ$VV>J+6f1_3#63S4*7*^;PLXF%v5$3!Zif5V@C>P?isKuu2#B4NGq
zrDu!pZPx5VL9I^fjCDYsc&OgGUX49`^&5u?A;%)xO4t)dR{A&j2JT^us`a=?`;{%(
zw$54;0~vj&sWC6dCzM@-d-gsYj;MnF@(=Kv9?7sh__y(^{y8mnnUdD(A}NCl*RV6#
z-$6X?9NBgSRxN{fUe7TcJHgc6g1&2*6^fDr{~p4cV@H1uQqS@&bW?{Z_(emiJ|tCd
z%QK<7ieaA%`q(2w(|XbAIv#<gIs)p&o|@S<YF`y;b~*?itp)D~ld7;@N_O{WLX*IW
zGf$e9{)DBPwGnTSDUFoj)fXfRr`uBYvTORLFr!v=<&0wamE6%67+3#N|BG6_V%YGa
z<ulvTu>}dH!F3%|%S)fQYHDispMO$vbo=ypwEkU=yH(t;zlkyhCUZ|>=bP6F5fgeZ
zh(()=Si5LXZoW!^)>)q{Z=mUFfVdo{Y%?fR>(HvYOxtkWl4!PCKOYKlhj~?E_B~Kl
z_<84(Ah24od|&8d(8n^Ef3^Rz0W=j)3Gy|^q*M9kg1&Onvijf<1!wi8zSywR?cf4D
zpLV7;W|aQ-9uLwK%7)%27O*Vc@8wfMc*m>nA@BZt!o|VZ?=|4~K9K32=nOT`Zse-Q
z_qyb{sv9&Sqnwz%4=Qo-&%V;Wpw{I<wu>HwcUM;biH*5*L(su1Q(qU_Ca<Hh)nRIa
zm9k%YAMJm61W;jzoQ~lB*KNo+6LlN=;a!@Yp)=_8TZvJtkx3JQWu4|h;YUi!q)HnD
zbT|LIxu;`{)I<5idaQ-biz;d<1WBYX_QXWu!*jdSI-k!8#s*=ueN?RG3}Y)$R(}<S
z!Q+CTwK#M>XE^h*V?=?b+VMF&;b1CFqrYr9GShP;a*gFtKoQ2MvG#gy!u24HT3hfF
z=JB9!lHcn&^C)?3@Rz_!43XEz&OxMXjKCT$S0YXg(9SxCDwC=QgiU=A9s9+;WQVZb
zh8p;IOfAU)5-uvrX#)t{XYMGTLc|7@*NkBOm5&@M)4@dPlYhe@G{AAY5WRe^z__FU
zS}-HzzM4aYWF8C%--vRN2oXEXs@;N*#?XSJNY(_N0eMkzS=gP^wLem}mc2%G3a9cq
zd%Kftq<O9NhSODtqfd|Xj;?5Q%#Tlj*Ls^5pL;{PI4P!9<;a6K$xM%v4=kYymz@df
z7-op^xYJZXj5L+tcGB1cBl;lr{9XYcv@(At3mTq5J`Wc;r?1HCX6;rmo8R~Mvr#gG
zsY@pr>)m#tzR1s4Yx%ul6*%tMNdA=aXP3>7PW$RqLdks#K6**5tU25PyF_ujja!~Q
zCsUMC0W56ZF)bM_1qq!@c-5c(hkB-H)$m`KrtN~u<kM#Yt0;+THLg+Hpr%u#iL+h{
z;Y=ZWWaClXq)bS#V=UyLX2c{XV)Uz66f;*cJ@lOgU8^!7nV-zPVk@vV8gv}B!1Q!#
zt>Se_)d`-y3SW1kU6T-wQf^@)dAuyXIpsCBUt9U)LZ2@?`fg9r_?bHAa#R-Fe<1`P
zbnfa-Vl7LF^2>Nq_%)@$YOeuixuw~>mmu(yQ5(YY1*9(x*JS5a>II+5OZGptcln5N
zs>%~|cj-NDQ@5_VULkp{;n*r<Br%G#v#bysC0Z=`m^IO@xyJ;e<QqXQm{HV3XmkU1
zKIY)n(-`e55pUe>PMnE(bF#Fj1V66g%R}RqCPk0c@XYH!HVb}0=)cXvpM^z{CHh7b
z`GBx?p-B=wb83AJJR^v0?FfceRa&27y;37;U{lFe-{9z`SDLcgj$&4+zPA>hM1A=&
z0h2iLV4!FHOz%_`R0sd%dC>knvFOn9)T{Pp2ZY1CW}sw?aslE=_YA@l;%*q8dNQ?B
zAjIB4))`Fg3j~G)El+*Zn%%}UuSm5x>ef_=X#ek9;=&-m35LN^cQTufyMNxqwTGy8
z#AY)m+hTe}@Vr!pB}Ca*veP-mU3>O!V`<^){tJT<ir}J@PiYrKH<bn&O_kL9M|(tI
zPmjGXj6H1?!*$1&^fGXBLXj#Ij{zJF!Qc^AhyYD3<xZUsF9Dd%T!1(*RJ3|TAQ_)9
zt%VX&O1S98!@PVbn(SPMa*AOZ3Y-b&%xHDi+GVO?E2SP;A1Mn{a<A+V6iK|#`F_2q
zGH4dIq{~2}t@Y20++;u^9)W2hH&gqP2|V8xs`&VJFRuvjHryo}i`h7l^?iR#tjzW-
zuU-d(vKrLyv)0i#$0rk6z3Fq}>r`s8Q~r*xb9z-L)#ZIX^M?r@+w?-)Wx(=exu@7y
z<+)#jinkePB&A?rfh$a)Me6ehR*xiRs^+up>Kx;SN8wi1-d)=dMPhq3VpLnK^@k_Q
zUJxDbgX%E|eb_Gb7TOOGj^}`mf;7>0O+Jjg!DxmBR2n-x86BklOp^F8<&(Ovv8Ri_
zG}XD2>sQ!7QK=y*(sdLofF>U}vR(?#e}1X8o0^>NM82@#{WGrz-jshZ+<k7jJ-lh9
z22U!QutH+PR0`;vb~!&a1-28CMSoy<!6HNZcHQV@frDccZpZK&D5*$dHhIi<rg=T0
zA|l`T>}QL@e+rq#kdODG2OJP7kM!6-$P>lrq+I+rp5gl+3h(qRMeph_h)RjD)z>_^
zhD_^9193l;eYO~ykOCgDQHQ+5+H~Ew;BkHMwsBX_*)F5<Z!cB);Sb1L`LorG^MRH-
z?>G7cj*I^nr{6a^p|7(@f-kQA&P*=Iu>0j~tVo>C_Q%{bP%`4opPnkLb4N$=!B987
z7vCek9uqR^iFf6InN)zj0w3z<fTOI6Nh^)|%7SE}$2m>(KQlm$mxw*<1xP~x$0boc
z%weoL!r9Eh4k|8_9y)P_Zh|atZx+_Z*fv^c>MwuM1g6{C^>Y~6;IK9iY_BGgSE``5
zaGk&|D%Unh&`ct>(Z;ev$$jG=M16XJLj|umBho{!HWjNQHi2o)`8A#QK=`XmfnU?c
zjYpW6mTApCgi5C^ZFY@HjQ@k%GAKu6Gjd-H@WVBb|55*y=oc3-sN%`aa%p<Bbgj-J
z`%~~@QRvnkHC#9I>4teGpFLmR<`3h6DaQ#(%~EaG@d4%Z`kyw*#3ln0Hh((6#d{$v
zLojDmG^;&35KJ^!Z`*W;T8pm^p6pHML7SOpfs7pB=is25;T)6Z!#+=5>9I)&`ZQIf
zpSi$YHK{Z4@wKLWT#`b7Gea$@^2M;GFfrKmZf_v3**%}T^=#9q2Ofw5-iJ;_T((vU
zHABN*9ugd{6K<X(2%lD&1m|nzF$FIbunGNUfBo2c1I=3l#&nk@>BOt?zCwUL{a(_p
z{p@Sl{Mk`)wxi=i_*i>vm4Se9S4CToN8x2%UdJ|28DnBDUVck-FIbQ1@<NrDIojgz
ztWKJY`|+&1_PfaT|7wboqHb{$q1Qz0w9Qhi11qGICu)4`G)k^K8$lQQWNgbkV}@He
zcth6+Vy^yrT_t2td_cu4f>slu+PJAUmn__fJB%at)|&sZn+w$7sCk;p<5PY3D$I4i
zL#3iJv5NQ9dZ+yQht1*hdB%jtUU!O!Mm@1D-8EN(Tug=#?fcd|AOHIJhg>NB5&eS%
zC#97VpW7M%z|rCECmHcJG*w|u@IY8Sj3*?+6r?vi@9t^k@Lt4*5t4CY6omR_EZCie
zy29S)TKX6UMf{BlcRR){!OY)_KRuy*R_Oaph@ryZ_l>Pi+eE=ClTG)VjU6h#?=BqU
z=OG7wQ$a0YP0fmu24YeeRDbL4O$9+J*RU{5<$(CGN=m3pbR1h5h_M#nEa6wT5qsr-
zWOXA>-6AFEW-A*A{!D>w9Hy%5KT8RJdtS#L_glPr!%`u~PRbUd?V6~~Z;5h#Au6w2
z0FId(y6~U158uwGbb4A0@_(|&h#33bM)qR`b(>6MSFfL!N2Q0dUu;BjEnL>SCxh(d
zvKQUt%fX&a1-wF@Pckb#HdpU`7~3#E>%fgkc_t$=FG=<dh)Zwnu-RQVUUfz?nhGZR
z=e$2PcJxtnYSf=6CjtZ~+>N}*A)1<jyEx~vt<TH_6n-L?96|@%A6&1h7HQ16t*Rx3
zsvpDoR`t1O#9+mt4N`SlYj$d#%ep_cJn+kBMx;y9J5`}UqI>2<aqZCKR>r1VDY?ZQ
z(W_R&SSix-;}HPPSQ2DBwt2l=V5NRh@RYtP)L`(szB8m&&=bd?(!Un_1wDz=6Vhi+
zwMV}fV}$w)a|b~@w%qLw<ipEn?}}(Cj_+uVy+TwJrzTsHB%VW8BaD9mM8M%|j)try
zpYrcR)LN&x)S7}Mj1KoYH~MOJV2>YJR^YBVt?Gs~%1&M;zu#b13jcdHF1FoZm0ktq
z=*SUW)PL|g`?CLWNAKl3))T+JS@y=<odmNdCV$UiUZ<7bUq{oaPs;szpB_*#Wl684
zD<Nsii?yy#tcS-V2?^!kRwu0op`B3bi+CsNv$b0n`{zb(v>;G^yefgRuprRPNFZf^
zp`3mNk-44b2buBY%%bXs6Sku87ylfrBfm5NYl4Fg%iI5b5N;Q-Jo{eyyKp-yLMsqE
z;_s~YWipUrrs<$izp}5nU`syXYScnhS(m6qy0FZf@Jx8DK9@e=q`ReuVoej(^FhR|
zKrn_!pmC<o`zLnI2+%X?8}q4-c`mZbF6=hcU6gO;a54DB!j6Y5bcd%$<!4)BM7up_
z+a{*_?N)nkQ$c-6p9567I=A6kyyl(*WuRxcDzVRS9->IWp?fGn`#4`>=M~_|W$@qZ
zM}<1`La<eo0BB<Ee|}o5{B85e&b(i2E%kts|MJIxl1)jC5FbWJqH(J#AL2bap^<J#
z3JRK@eb*#EntKE>UwZu{%g5?yQ+JU_SW_(3{HR>>i#sv!qldKwbvkg>tlaM;u)893
zL5|X&bnoj-x$_VKihv1339|FvsUphWG20AIh@1$c9o`j?H{2iz@7w4u2=VtOb>TXq
zPw)vV#^IZdgK2q$V90~cwD(C(g*<l0pvE%v%KtdI`mgqytDDb?``t-nYl(LPby~~d
zumS=tt{*LX7b`!+NdCo?)N76jy8|Bf^v}uie}8LQSsHny(LEhC?)Ajb6{;a{EAaVB
z&k930V$~U1p>^uA;QyxpLk_#aF*Kd?T_nJFCl*1WzBYNX>cdZ3HCb(opoWscRi7)5
zm%T|B;jJv~`EtVN>H@0aadpGb+L*0GCYS9KO!vdD`72GhvYc_R^=W>jikr@Yb7m0a
zIKcBq*-p(td|2SoRg`;)J+#8ZF7Vn^NqC35D6b3bqUY14_tc-<rpiICx|5kRZmcq&
z3l%Oxoq=U;Y-90$wbhvZ8nwN$(bBD8rJ&&H_i8FAvuB0igDb`X%{vGrP_H*Au*4yJ
zFSfbpCFi1*&vb;?>xHD7{VI<is{E&1NH%@`yrJpOMT3=?&6;c(ckH?L2pd5eKU$sL
ztFa%DV`sMo?aW#!Q!Ekd>aBj4Y52mtq_(A?*1pS+!%B2&Io}pT4TVR+v+xfC^4<`}
zjpIbm=1cC{eP61~yd=Gz#Z#}jZ%6;UB{(^yQ&F9Gn0?MsEFF<i07S%8tyNCUEqm||
ztrZ-UNL$u^ZXhh*no3Xm{nzEI@M_kosfiph%rF+1S^asF#K^f0v}^<tKKw2v4kB;Y
zh*}*Wo8<eK=;+eQHUw5Dq%O*1pT9rx<EdF>yUiQ89KM{wY*;?AUT_Xx3m+~^K~6P6
zf6lPN@~n7$Sgw&4@DCD=M1lQMw}&!{4Lg1Y`TDeKv8yukAV5U!?<g^D3BCH3gS7pR
z@#aU)o1?Yqoqq`zZs{DSwcS?*@5x11$sy2risp{odlTMD9nw_sspv`X?30zj#3(Ia
zs9J)`n1gJ=C%36JwT;ww=9~Pw8YvHQy@{GmLpcK#z$43um3;?qo_*70xp@u2$)o%|
zWMcQEZV0~$o5v-#_+yQ=DKt==u0xk+zt;4bD;~hM`Shkc^?$4DHPLr)4Q$KCyMQ#I
z>CD^b*j<;R(`)9G1NN0D27e$v@g~1cC0ZTNoapgeIZHIG{bMGe<oR{=gqw@7VP$&O
zCH7NN9^gbk#lHfxHpj$03#NNr_@AxGKo`TKC<uJ*NVbESbT;ZgxxQ+-H-buIN;846
z7dNGMFP%27|L6G3Ria|$>YW9R_wg5R_YEKDmZ45qIMn*(y?Zq7^l##5cn*>!6aQ6_
zVuyrQt^2UKK-~ez#h<0MszDUOh*jXsxMd5Au{dCxATsestB$Zc=se&CcY$Ymrrg$q
zTOGQbz;Fdp-+|SxbxS|%2t&b2H=Qz*6T&bJal!3shV(IqTkFNjX#wWJgK9PtG2wly
zY1HJm5Ne;-AIE{YLn73$OwJKw<w0^6&gx-6H?JWbvJ3&@Kf#zo?L2$*o=`vD)bJK5
zN79eftrc*N86{I7Y_vIM8%8{4is~I%9oFe_MUl<se;->$rk(`azZ^s}jGOX>HD~__
zu6<2hPcOPM79UZo)JbB4#~GKX)K^IO1)x3!zjPeYQ+(b4{*oROXN2Wj?W>#co6=SJ
zpUY`+3MN8$UARELN%vyMMEKmlfS}DXgkSg@&Ae6C5zXQ3yyju}`r}RraKH%OMi1Zy
zEF+h5S7g=4xf!!{`l9dg)P+jmWv0}+M_QUhP^vtODhP+OC*jTYC8XQLx3zLd4x5wo
zP&1Ws<gPKHoD_rr(AI;q_pWl{4lG>NmTj1^)T-tiw2nB}bHx;L_3ALQ5d%YKM0AWy
zNESaOhs@+R^*)q75{+nobGE8dnvV>eT95M#w%@z-L+o?Wn%I$*gn(68>G5pbzm;cH
zlAJP`_w5#<AMAd~=u5OU9;z%ElW!!je)KwI!dG>JM~cF%0zs}3bD^{<`arJJ&+9I!
zYwlvU>xxkb9Yb#WXN{T%kaCAS6$2k0C*7yrRvM`|%>`XTXK=+nUq4b6Y<wqV*r5H{
zdp+TTjMa^%E6Gf~oiCQxBm_`JEQN|KjVQF@(L-LnqSvBrcAbZ@3-Bhp@|D>=Np~wA
zNY!giKMxkq*;r*EehkcSLE;0v<TFUud`@oV%|RKlV&wpxLR%aRDGhG}b-Qau$>*p*
z#XieoMAx>SPD+4-)%MY8GFn+7|2jgc?AXbrx7pB0t4Q+&>#A;I?%*|bb{Vhlc6WR3
zNXr+>Dw}8@I0aBHuH}P%-1Kvi4HDbaZ?<BVazU&g@@B|!&Fx1WYj7qtWS$4}sS(~h
z0lqa?5vsE|FWV#A$|QB2&vXBsES2CM!R%oppIyloaLF)z8L!5}Ha0KR5V+TK2kBI;
zKd$;N1$=!sXu4cCslP=us<9)QHvZ#@kvP(Qj(_q}@5L2V!vji?3xxsPy=N=rUE^TM
zN_iqJ=u2@I{PDN22pj!eW01xkzayOX;>h|)GpFVlY)x=I8pv<Y_UGot?%DvIyTUJ8
z{55%!UC1!#5`mJtV=I6o|K!|roUmE5oyhU<yNzrW@Lrk@BAdjs__yGl0Rp%rAmT|`
z_-L8Tn!F-Rr+cg&W`w97<qVi@!2f1EzfT3#r6u#=8~;+|w7Khx942&;R>{1u*AJ+H
zndv)B4N^{x52l<U-Izaz7-f(6o(Rq4i@=As(<X%7>{vm@d6ms0W3uTQTeu&B2-LuS
zqopb7`fTLl9=-&5R2c<5NDWb!)|%&a<ow0%!i^4U;@eg`8LWj{8&E~w@aTJGnmgns
zW#te9Lo(^^u7B&Xmo++iGeMv-wnDaQwuAvmMBEX+?(sdVJ8A%;x5kaPAMcwXPoc3A
z>`w*6xwCCmGkWuM0y3J}t)kc83MR6h3?|NV`O+v}7^6_*VCb~)tg6<Hs?tdnoi1;*
z*2C+{|3QwKPtQp~Y_9AJa}z-UJ4*y7J?r51t+Kmm-&MlcIFr+p9%q$M)G?Br*P;}C
zU-A!te_LJ!i~Bg7l(oOSSpzT%&IDY0*$VKkG;3fRJP&gKu8?BoM2zGV3?!UsRL!oC
z1-?1UzmrOm2^}4PQ&hxc5wUy?s_n3gcH?{C=sJ{bH<eb#A49E=U$*YPO#b~er%^vE
zN7Uus5YdK?s(|X^b}i4rc#^PBUoC)mKRK5xbGev{UYxs!WQKlNw&+RpEz-^q=jyMz
z74LxoSsas=P`<crka#gK7Gzf(1~0q{F4=$4lh!=*nK80S0gzH7>^4CZzO@<R&~$$H
zM8$|4!OuhN?|_#2#tsPRsC<Y;NUW@LXz=2IA`<#Ew+sJ-#+fAO3`E2{Q=KmyN|mhn
zCEe*GDBqJ(@zI0Y#=D9{bc#j?pwn{v7T-2oH8qS8j~-&UxV>1L>%w!DLZv|#!S--&
z4iCla+!uhVQfAH%66O}}k>OYdBT2olZLi2!R)4e&lTKG9NP+-)TbJ*bFO7~x^BqFE
z(ehuk!PdL_wgNApEsKkDBcKTIWX}JTE2mG4Nj0_cJ^2&;AHO`swc*pZuLz1B^{qEa
z@I5B>+>nEue@LevI5ZLB1Z`jfUiVdc^PgJqoQVOG0t{vabQ|t<f(ah)XOs>J@BYIF
z@Bm3cBfn#xXu=^O?bXiUc>*NF)~>?Y|8JKJkNd}csI_q&$HEe}-KpXkVvyq(x>iT>
zB7}NFL>fIbe$>}^%39rDn`^FOqi_q?c}=^qFM?nW3;Oxo>q+cQVM-8@<H%xDvQCTE
zj*q*+VQAU6QXd#kN#gTqhMf40zg~U5)O~bAuQV=HQi~Q`Thb@9zzI33sTGSN^v-aF
zjh2k_%SnJe`ZjWQ^cC8GRs~~e(Jsrri6(<Q^o&3Cr@o=*M`X1`8DVf})-!6`xpk3K
z>yUQuz^x5z(hnn766S614sucdcRWr%BYeP+ewu*8JWn`cjOslfV*H)^sOme2*=5$K
zPJq=Z(}d8DM{?x*pV%Z7uW@bI-C?e{StKRK#}<j43y%`YivGSzW@r0XtPcV7O{v|#
z@PW;g_sl|taV9bIyw<WBPQNa{H;s*Ru6WckTIi^2>C<d(qKhC|p#pG*Rf0Um3Hc>f
z^n3<9CI2q^9u)V#4-umksOi`#yKg?(mT6bCr@F<+53Q$x$NsULDh~zty1=9-f-8L}
zNPa2I|6tkii<B{5z5+@tW_%hW&%Kgw6B8}v3XD~v3j;{1$kHu3otxQgNy9||z<@k_
zy+lOo?n&5K1o?}fOlHMr9{CWPJ-3MY#^uQY3M5j~<O_%3Wp{*q_b*tp)t<`^w|g><
z))SNC=bSwi!v1!ZyoFpj<|x7TzLfr=!?0C<JHYDImcs2|y>JcuJ6cSaa1`Up%S$I;
z`x23cfty2{DFazedq`107D(pjlwAa>3I%@imrsgB9^kKS=L2~EQYFq^5h{Dtcjfyr
z2QpegyNNA?_4iTOlQ+z8PhFSI<ZQhWL`4CeI`=-Q#4Ex-#D9P|)@dpFmrH=&ox0hM
z8fb_^iV5)cvbD-To<GCe1sEO=eQ>qm;_K-Nx=f9Obzz3KM-cS|WigFzdR}#<<Hl^b
zzzI73|5*Uo%?I-`ikb1t<nI5Y>0JDo{@?!}a(L%dNzPO%#~j~d&Pt_&9AXZIIj=Xu
zoDVZ3l*3eV9+Gl4hlM%L`D`jNa^8%bHrsNTIsAM-x7+Vecs-x5=XJbakE_7l=;G>f
z&W{9^`fF<a18Mad>*sCZL;W$qJFl+_nZadloWWiTK(g_y4`JU}`kd4hCUWAQ+njMg
zCgTOy3MK@TJ|}{VmA3UulAeuI-#)h_fk21qYRmqQwg&HZ9?g}Nl#4t)2pO}@ZFHCs
zk2q<Gz>Z);8okl0Iu3}P@LriqCBvSe`hwwDlzz4@Ifv+KE1<oTNpJpOmp2UPTtas(
zRJI2)-0GE?W)lx>9yh^9hkAl4)Xxyrvns4~oj9b`aq-Zqb>-h}u`Gg_o0}F@&XKbR
z2*n>8P;V<WKVGZZ>ywo`?l)qIMhI+K^IW|}pF--_0=fd3QX|)$C2!MA{W!su>H4M(
zlzdOo!_2|`_-Rnj(&rhO?ywB3S7RdHiu#Pi;uxaQzTLjpMyYGV9HkgA7ck*8?sxvY
zmz~pjLLFYd(+bM?_Tc-pNB=y;OT7ds_eN%~!o^~3<?q}KH=JfEy1y(VaqD}*eu;F_
zH6?Wx4Rpgb$XtxTE3tgagR{*4?t82$*Z6Y$3`I#-^ZbJH_f>r;c(_@pT{YN!t~6A(
zqoaqqs2}`XZ@NdgTgsu-5E*c0;c8H-O-28pMBz$k(CcS|4!zCIC|ZZ0V`K2>hFvS2
zA+J#<4z-=RRV>IMTi2mx4RNQAGV1T!H1?+t991-xpnH?s@KZPGVVfauc!uKp=f@ap
zkMb>h$tIFDc@R?Y2E=8kH|Dp|1oNB>#+ojPkPg9*5|k$8Y?ADKJE)WY1q&8X+T(Qx
zCThML=+Bcq13=?ed1OESJ!t1uWq9h6tq{a5loXnth#rx$IoA!ccac;mka(V<sM(@h
zsUWcGn~-!$I2BjoK~qzs2`Hb76=nxxp8Rofx%)~hY~l(i<xMAZYvtzs(XjBa<+VZB
z8Ttgt9ki;@>Mmt3?t2B?-pW9^2d#K$v(fJ9l3iT8j^D`5G1X6emcP<9tCy;Oxu+Z`
zhIJVC3fu1`j=%k3x+f)Fx%FxIMxnw8$i?m6`+^$txQ<AEZq0JE+aNprCKrw;{r(xp
z*~qXww57%`i{7<Mx{bzUw~MO@Q5s2$;rF!V?*LpIYi(8s8x!wZs}`X`2J8d{vQZ%F
zQXBq{`CPZ!$iNq_LbTnDgv1FxhO5Yw$Ao!*jP8(SZ_IFl-gCb5?V&kif-7=Z<O;b#
zW$RqLaIr#V=N-~OXuJjLQw!RB{@p24pB%jiXymLO<f{8^G`KeDY(KJSTVF8q`2B)s
z^|bx)UoaZ~J7RJwV9PFH9>0Sx)CQdu3!s?i?H{jiCPxJBSZ6&Y*=8(E!@b;GnEpl`
zXC+T?`xWCc&^*<GJvWnnEa*uPGa)}&6Qe)r=Gz{Kxr$$29~EDT2I<{zL;oIW7^TVN
z$oCr)cgADJ7ps_0+)9qM_18jiwE^wu0zzb#jJP^ZYF!Zr-qXY@hIk|_1O<_oHHb!=
zdISiM;IG_D(Gbncb7F=g(4Fz)aCB4=c34tg%d3b=`cu*t;lBF)<eP^#DPT8eXYjlS
z+Ewja+24v9<+O*?-))$Zgv$-7+nWY|h!|DZ-F=;5Rhd<|QeH~+H^=K#^!qr}OpIlJ
zt=#znU5T%vvJ<~#w?$ZOqzdg6WYVskz28{Ec2uucgR}qB7v{hOMcXrmB7Kg9o1s4}
zMz3ukC|q*>MTuf;*t*rL2X5_L5)!rdzMC`M_S6@l7AaUARr@uHo8_L?tA5&DNuo}K
z2`&4Rg6_bZ@XAwY_Pv^>-_zQhNTG|rJ0ia*>2M$6R6iY-(`L7RP_w&S+>JiQ5tAba
zqXJsX#Vz(uOG-%j6%bjr#cCCTuZXBXc5n30dacYx4F7hWS{06%mDp{5>JKi9R1j-=
zW;bWEbY~A<qDkZJm1|xl9!oetCa)BiA51RsI7oKxMDI{|(x!^Z6mR7fE<`tdKCe@d
z=~-OtL7g1D_04y8g4I>xL{t*b*PClAv=gEUQ8VpQUBkrbc*REqd*ie^7;#XwqLYzl
zxV%JWOB+aB3-(rzuU00&asKi2&z=5r23C|$hrRr$k*Rj{q;p(E*46IcxG*K-Uu}7z
zLEU}RQ{=v%CMI$s!BS-v@rDwM;`al<uSjQ*vH$W&tyYQf)Y5;AKep?%{FHaY@=x)(
zP{G%U-+Sy3(U`s#R$D>j>~$Mj@F2(Vz}xsw1NYKiZasKI`=?K&4_E0p9iATe2>dl*
z;LCvJ{__jhL4Q)q(&%3IZZ=`G3TnW@m<kyl3&a&iKCAv`hg|j^I*zAw6)Hi0-8Cfn
zmTT4UY0qg&LCn4>3xQV%`$1O1-I?Ei@v0l(?wVmXNF+?YhdYkdmp;$cX8fG4K;L(M
zw)4!moetPj<n|kFgFFnOeCz|*#59S(w{y<%S0G13^+?S6P@A=1Ka%zqHMI%a!zpSN
zEAPA->+Dva2<jU{5sxl|R_)tJ2XWywdi|190j15A`v7v$KG$z`Cg9oMCnfkrv=v*m
zi)XR(=4WH;MhE^_8ahS1Iv_%BrYsA@^nle@U<oqnw&}cgLHhn?y2C$o!fVYcvPLF#
zOe`2HgwN6eE1U?4zGMtee0Ht=zGNJhd^<JNVQ{ofnwT?O@MvY^eyFdIm+e9dk}6@U
z^hy3I=!aiNN_5pnOYnA5d@5^Khk-&7E1UOI36&J42iJ&b6G8GgsNH*@hb20yA3Hs7
z<0+ih8%x7pQwFgRV!Bibh4MK2Qjx#vYU(JhyxC8l@fgXA5XHvd72!6#)%{1}X^Gx(
z4qZ_WcjAE^yF`|EqT5X|mk1fZIg`u=5DP*v5N8wI`In6v(!Z1EOq_%%b+<2U0Hw{Q
zuHyn$fioDOV{B7p|JA9g-Ex22pgr&Mr3{BBilu+Gv2e<_4sRZbXO<wc!hFyh03<NS
zPN$-!o3lSeUN@l5W2yrQqPBRabcNXjOitSOIQcANJW6khQ$heZ03tEdqx;sRLtcXT
zl?tj+@j5TSJ{FlAR!nsHGqb5<4&o_=ufA(_lRO`BPdO9n-Wbmmx>4}FyPCL=u>N)r
zf_cxI4xF5l8hG4~Z8;E+z`W_cAo=DK-)Xm_cEax!bG%k4fZ}We3%$1^oUm`Yl-hNr
z?}xk@e&y+YI^>G?>d2mO)YKlNiQqi|7@e*lvV9wz?~sdj*;0AMb~a5~Eb)_?aH$uG
zOWLVR>wMptA${WtR*E^pK30P7X=e$C1<p6C$H8gy>^pg3;mt$eo3eIPuBfw3=4@=&
zQG&I3S92uhCZgYP3-h1(ZXmu9dXqK0bzaUzqDjXqYc`Pl7NGw6(KKg*p`a>s8R#vB
zSHHOR;CwrR^3KCZR6il91f6p2?}JHuB;*SZr_;GHAoiE2OlA^iMgksm?2;>Wkq%Pt
z2ZqYVOFdJE_<Qq0|6EKoA_1`{MR-=bcKHe`z>Kqsi)%(>!q9lS-Jr^_X4Vva8nF*q
zbqjjOhz~#afZBrd<Is8>A}hG(bR<>n{N#2v=q2H%GV!9g5s<5+xyt1Mz(HdEm0o<(
z^W{TD0j8_Rr!Oudk+HiF9ZBvV<;ad=?TFGdu6IbhdxG*IwlWjB_P5%kaoq*$F-hD1
z9NgdeEG%7a+=(gp;fqW{T0nIGhW<zTLxYh@yT@K6cb=SHoe@YwTaL`glp1<2=XP4x
ze;@5gO&>Ie#X?dd=1~#|+H1?}(F*xW`&LAe`#r_)6ZjlRv)UO#+^m{To>iVB3Sxdg
zdR`TuD`x8&%HYv`F@_O(c>nsYs;DxkRV_^2pq!A(40*Wm+jhw<C`!Qq3X>JX2)jIu
zg$lOYSB#tRXscNEA{K%y<MI~@{kpB-GF*`ec2Q!3r^+Q@IV^>sjp_}GGZIhm7Fbok
zXIpD1zj=FZvZpnv#FV@wdQ;aS7jkw{7>XP$T(`Ifw}S{$_!QC=)mMYIET-FA#u&{3
z+^~P2b&yht)y_raMWhxeeyP@)su72MqX(*TTaeEm1c2s>wh<dFLj=)0YPh=*V9G^o
zDF?w@b6k{aAqmQDQg+h%SddPJn)cRGbyvd6sg_<q#BAh%Gf)a>>Y;jPs~`DbYmIPo
z)4r{24S03$*+~Bn4_TX=W64i|_nRP2h~>>{f-K!PBf$%ntaY*5U{_&SKuv|yM(_QH
zfAG}PmMvRf&`#r!SiQk&Y1bB@A;{K1-Hn92KNIqjwCs1BI~TI|b%`fmUF_<+W<vtU
z82e4pmsKWYMbk|aV^iy2wbyQ@Z^<uKp0SvoV!0t?`|b91?%4ih2m8+++L*4Se?I3Q
z6JEW7VD6T|EClrhIZaIMS)8-gx;j-`G<Fpt(bvjh8G^)jsuAJe*D4JQ7S=54>Z$~@
zooHhI@k+^TuBq=hkIwhTjdiq^<tGNd7IwE_RuBsRb`VzlIxiS1UGpxG=SbgT<nt&r
zamd0@16?Kv_oiBo@#<wgPYPfa6zT^*nq}QP%dK+1D!nXLQ(^@3lV;Uq?@%4+<XyE}
z;dy&iJAmEizC<SBSr%ZZJfEf|f&1)c`Q#hn$UdM}$#u@UzD5i`5C<~oMn29<g2*8f
z!vje<cAAz8*_JH<@si{<&1H9#reQ(Nu{^@#?-mNw`j(y)@F@)|yq72gnZ-)CboD64
ze>}+}D?wBn#rG%!s7b$(GTneZcN%V}$oma7$?S}pr1QK&GI<4Lt^BKA(Eyz_rMvX6
z*A)&;CHUdrE^n&kecii#cC>c@p9tQ+*#&1eA7;l~<@BEnthjp5m=y#oXR2N7V9(mx
zI%gK_!J#x{fYwL-C2gEbMv6zM`qy0$N*)!Zrsbjis~i?sD2nahOD4_)@dBZ(wN(;}
zI&E1dDxX?PlC<w>CmHwERhqMBKa~n7rCr5Y^xSi>6t=o>HBL+%k9s2w<r4F=cl+|l
zq2hsUx|n(dZpb<>^8b!l>egky`mmcNv%k-=m2XJ!45=V$0e%QA!vwaVnsMs+9-Dr!
zAcw*Tg&fyR)6dHp+v(A}F;R6C>S5i84hT!7HipY{Z-n-K)fRW*;Eu1#4gm2=(-C$!
zHEF4pvy%sv7eE^y9rAAJgz39VuNbFq4(Z$J6Aw(uBR%i5LsAZLtLd$#z8SYkJM-D!
z!H*Ah*9w|XwIa@EN~y!EHr1pdLc^Hj8lD(I;>p-l6s*zDM)p9`g<R4+V;{N@u@Dg^
zGD;z1ud*I*H9k!Vs>J1_@c}n?<BMC1E)9Ltf`~nAkr4*|Ff!G=E@s5i9%Xj?ws73K
zp(-*YB8#bNzWcH%+j3K%CP1^B;SsZM#WW>%hOU#V;FBi;2YFfHV61vfv)u%gbiW^c
zrM?YowD>FmsrVC87I2@C{~J75NXP{T^nPS<yPq&!&$kV#-MaXqgt<2Um?%-sqNUBD
zt>&Ie>2F_GU3tl8|4hk#Y9%(}V)?aqd_*gYf~ynABH`zu9`%SLp^ZF8h>8G=_~6;)
zJ(1eesI0Az)?&N7Pr2BRW7zowt!KBKyo-R)k6=el>|`JAKu_tF2;+HjexCS9&P5xv
z2ZoChH4rvrDzdAs)lyy2Je<OLJSQT&DXa>cHJ$izt8sQU*5_nh+GHRW;-%5|9f%Fj
zIiP)gEOxvVxZb1be`hDsKt$@#_OlyCnQWs&3n@bLc<LP+x=vUzW8%N4uPCX{${X!(
z*Zy#o8SBmLA-Cc_l7*D>X<kCB@;6QQJ|CZ$oHTAlU6ZOk8F4|nJ4Zds#_{AeSkEv*
zT>e~VT=~0Kn8vi~!boimw+2R>XuvNyf@-C=WHzyQgK^lMt<LaO|38e>-eu1h_h{Ad
zE;%pZ=?k7OCI6Q6-UFDW6Q`zYjd!lcv#sL7@&NLKvymbl<)8BzMB4@F4}w>14z(`Z
zcP`&SocVfgop0OJNB0Xfpmw0P<ctE_&!I*oQ+yxHqq|bL^v;_)xiDLbeB;Mk9s}>L
zg-jE7@>1*E7f!z4+86nUyl(^G5}rZDIH~;_G#I&;ZmGWi5g_N~Kfcuu9Ur9Qa`+sH
zqJ2f{$0(lZX0l|u;wpaZmY-Q|NBWyJqrJ^p<y=8EdCGW`OvAwT$ELhz6@jIb?yzFZ
z7VVwai~@ocSrK8kat2mFH1NqITtbnFzfEL%pX+pgm|CFjn;ti#?Ht{0gcNEU*74dj
zcj_zH^_dE3V|)f8!nrjNx3TUB%}x#|pR!?=r9KNLC=Y)%F(9*LsW*k<LT~lk$G@Dz
zWK%7QEmyje(?W1I$CN)M>xk|<`b7$vIa+~ay;y*k!PA78UoWSK+l7G|p-!ac#6lDC
ze?{I^bP+F>7@1!B)M7|FvKr64Q8J!%JLKin0N#3<#eK{*XnE&rHsc${no6_Uf{mtN
zr91Na;{Um+*bKI4tbi&(p9n6=F^(}AX=#Hv@4~*w^eT`(IzL8%cnqNU2SXJPXGJ`<
zny8h@Ca2vb{CP`><9p<$Hu*b+gnM&oB&?^8ISL0)SYfJ?!LcX(z&%)M0QYNl{lA6$
zx1{K*QfS7)@8;tlFGgKgd`g-qQ=!(yo^4*Z&&4ini}*{%L9H_5SnVQD4RlTk#%l79
zmZJsrCWwA$IX+`7y05rmY2OHP)#=VfRx^z4KN?JVc;l0~g9)PeKrigG5@0={ah76*
zEKV${q?GONBuA>v$V!#&8;UhaZQsszNCikY(yHr{Hr~qfbYuldNlAFUqNkpKi9#~Q
zeOn51*)!Ge6#~04C>YqeztCUyxjRsvxgiV$#qnq&QVW*!P;cGu^mLqOu@o#*6xkQ5
z5k8bSjlcS_=#rb0H?Ol9PgRdEmb)Z&{)x5*d{w9Ebb#&!_J#0810P!S?`s|e-Ot25
z!=LgTUv>k+m!7$gBfPyPt&S}XW8hZz-eOnZa7(a?65n>6`}VR23X6K56tSbAVKN)K
z{rTLP%kqe|cNOa9{tJ{2xJ|=WkNSFigg=!lPd&^&V5kA!EjEuiG^h?G(T?}9Q31<4
zc!L*V2jf`Ju*D$!R@`W9KGI%b0jK1(J4DVdOF~1ygKZG^CYeg?TCt{L<E;NMZL;x*
zsunLVP4;P}(ld<pXzzz3DW{hC)titC9?b<9oi=3C79Pf&S!ie2c9ujPbZ1}>U&|<_
zhX0bzWX@6GAr;<xechnrAh6Ee1wJ2IP9>i#d3l)_Sx0$7(5qQl^o#RK_43B_r5@$!
zhNgJQ!T<YKz7@&`zkvB5wV^gitj&l>BWEVk^9Ph|l|O=^7fEarmT|4M;JyjuXqIu1
zmPtByB6nStYX1K0JMJxFcnPp#9HxNCrFvx4Y8U0kCgRJ`vzf-mCbjzFG9z>qB?p{G
zJBSfo=jW}%Fh?nBsCzp~M+r81;}LCq?~O>{$zj<RRiz4mm-}62fTA2$j+xJR;E-_E
zbusW#GQfhX?<9Z<We0F4dVjyv`O566b0J~TqW3&Er;M+Rt%w!Wyrf-Se$urz;C63A
z&#NLgcRxQGB)Z}v%CZ#*Ro6+bm$;*WHs#QVdE^L~_x^kElm&KqOnAoO+H{Jt4N?NA
z_NOJ}E--3aAD4866~T24Iy`Xgz$!+Wl1BOtOo;4jcpBcLw^ZWY5f@&eERlK?rrf6;
zl1H*plS}qz2-toO6lJ#3^C<R?2R}1!o!-7eCjNNRSNUWOr=vLoj+m<-PAmBPg)}{O
zj35;j?Ebg5w{&mz)8?amK<Gkm9H1${tf|B@iXvAhX^Bwv4qq}m>`{x)Yn%(8@y9!a
zyd;pRsgavB0GR%lBxeSv`Huqd;`D)t2}kTfg)$gU7CNP9)<M;d^8w7QTv5j2Mm1QH
zo@J~IKAJEC=O275QRENpFs_b7tc?JsmT_aA1~jhYkgsNOaiML`atFzw(62T(4Y2RK
zXYV)|Gu?d4ulNq`pIs*%u(pEpM09^ZwQaEKK1FVwqSg9W7e#l01zwMkV@GL(w(|aR
z7j#7AlYG^vyE9ip0*-P#Kc=_Z8O=@jdN@o7VfMMj)HrQa`)C-)RB-j*4tP4gx$x2o
zI%(ni!=3I<O27WB8KM5s?mISDW4-gQgnRd2s|s(-&c;NHB4B*VdAzP>fNdj_KLelr
ze=&x6^L8Dh{_im~>6k!yCFPfnx8hB?)+LB706yKK8Yidno`8GFFVPL5(pmkCbq6lK
z-O3;RuY`<R0asAoLp0i_S4r9D?ledUF}$75Lt~%;4`8obxl}Mx8>`2Ck(a*9MqSN{
zE8v^B7xQRGbSOzx_+FuriF|>-{bDxt@5Quu@AIGI)!z^EU~2h?rzEyj42xRxY<o-4
zzy`Gs$zh$)_oM&~<N#Nl4iN%hfn-WW9;e=FY$Hmj>0(cq`7OG1kto+{YC&(e>tL%!
zRD5gHK}n;s6k{ME)9iTJ%#j>Wz^t5GKWvw_yAuCIIf{Xu;njj}h)G6v(`KW#^@fFD
zovTq+`fGm^qV_47t8mKRE$p!vwkeF3bQ1B4H}%=^kCXk_;Z-;eY^P5q>XRQhHigdw
zsybVLw)0-!G#D2S-W{F{BpEY<*5fJ?Y|YZ`$ti4=jXqAN-&J0=+T8mjS?o(tU>Bg)
z%sR7ZNuptZ<MyM*8uvqkfPY$1WSb|q=#b?;)5b;Dfo_c4{gYZVAm4YXgg(uAic1p7
zSnpE*)5!ChlSt)qO=8=GUS9l>xmYdOA?n8(_FDdXN<w66VbTY{@;x7fkt|uykN>N{
z0n48LFWfpjof{b|k3|5!keu^Gb>)~;neXwEOU(U{(~<X^EqGvjU0X@}zeq8ye}gZ}
zE{#-%e(FYl9*kMyc*0|{{?Azxwafu8Ry#pf#TDHVzr~ek)lFQA&hQXR%Y7lv2X>YP
z><X-@*TgMmiww~t>b39JhEL;}=+|dne)`+Tit891Ot|h*W$-Jq{6#Zx*s&kj%lh@4
z!K&`6a6g|A_czrvC5Z8_v`FFL+iF^l!yLCOl~-Lf-tdY1C=n_4b1b#Bjss8M?^V8R
z)MJp)B0Cn^yr#9lm>aHeJle=DdHgF1M6CX635azcrWravY?uf9*Ek=(v9gxEa1v`^
z>(jC&F`S?r>BjiN2_w+{7%$W?Y=7>D{uI`Cr<Dh^(1P$10s`b)5qc+5CsVYs69(3P
z{-`9%^WO0;micm6Gm5Tx3-1uI)poC{XpmuKaM(&Jfv-m`=uR&mGZEOmtzpebqNXC=
zky#+IHCxeU0h+1U@FI<J=y=hCw;~1mFp<+5A|X9FtLt}L$)4xvF*v`<XT(tHnd@%;
zwxc_?0K-`z&9O417gV7c8fv~0F1M^?T5S5H3d6AxdmJo&7n)nIWitUoR8uuIW?!&<
z<kqUFOQXAHgh-tBrK)Oq13c3qM8(q)@_Y-MUWQ<T+i``9^L=GNse9A;RNIqxs)vbt
zv}c<JeD9w-Lt6V{JrSpT`5UzQZa0Qs=blN=v^pG7FS}Y<^(#y<ZA%rc%-dh!-NPHE
zZVGQjCC14k&N(4nk(L$LHr$+@es2Y=$ovyg*cFq?L~pM9ni`(X<hd(i82;181{D48
z<RY;(QT)?vHs#lsjI=T|Ui3(t3JhpK8);5@1iq=ag9hM%GFqo<DnV@(UhMkvreVH2
znyzQlIR8FRIOFtQGD1#e1@MP0y#$APG^x0Hskq#>47bsPpCUf-4Iih49M7XOau@sq
z!iN`*bQT(5rx!%@mxwG7nE%EhCVw*a2j|tlXK_SOKF%eD_%{E?;6FJwP?S1c<P3Q%
zc~Fy}lo~eTno*+17#z-oPmgDq9rT!OW^KYoFWlO0Y+rkx0ghl)Pv2ezu0I4H;xnWU
zV<=!r>YD^9>T<-fwbb!;LM8+@7ll4t@jYBAUh+TDqxOkqN*ymrJv;t+YMAuEWeT#+
zApE5<^LjICC13+1SMI0RZEADUys|lUb4J1IU(98Kz6hk(!x->GMA^ALwY7*aomkXk
zhhjlL`89}FzY=8_;Wq;6mP3d%kPrs^y299Qz7tSuLfD)2NRLh1JbcQNZ%3v#_Xi_z
zxwh5eKk`l!8Vyv1rm=;!y9@#(B*VF;=o1`<?=5<inZ3XEr<h<v`29AjPM6%{(i5#+
zM7uC!z1B~2He2NI%-z=>9Gid|QHPtI$YsJ7p`sDq{!WXNZ@Y#}RZlFM-tJY1LR7!e
z6@sQa*b<&*|CBEc>aPE%*3{m264>!icE4%n*$%()h!?6Wte2ydS^u8j{wS_1?$_6G
zx2E@CgdyFtvYFItIsMNOoJxoz{roz-`;f)v8;E6zwFdp4j<zW=*4ILHD_T#wfXBb+
zm_M!MMEh<-g`@SRV6D58Ia|*;%%$6%V+xQn6n{j3@q6yC6@97P5O~$K7QEoUkmoq{
z8%)O-5pZ%i!5rs>kl1OQ0WV3e{CAkUW9ij*>cnZ_=f_I{*pRRdsWt#FwmNb}J>%5&
z*bSG!hf2IBA6~ny6F3>@3J<P6H7a=JG3Jj|U(sOkf2m=q`^m<N3ye+3EwjjV%M9j8
z9QM25Ds1k8;&!^(Ne-zoYNK&HPk#e#;Ke90*iFq8^9lWR!L)VHn|i#r(4<Su1~(p(
zH^2qwBDaF@w+!gx22HwTXlmP@Y>4v5UjRV)yrfYZdUcDgnUIk8`@_V$cXL&5H_E4-
z+U9abG6szNup)fUx%p`<7dED}N(kbLQj^Xo()wX?NNMV{-18Pns>P0IWXCK#wg25H
z;=+t4|8C2AT(fvUO7ck5504oyF=cXSYSK6W;%W*yDyzFa$zKXw+L>6G(JPI*bmacm
zz!keGT_G>23dR__ir>z&n)OpS;!^(qEC4wu^0P}cX(+y(2tQm-Ul-A?^Io2M)#qr2
z783goMy5=>RBxtE`J|$Eiln*wZxT=BGF~zl9Ogg3){NJ!E(F~kOnGru42!t3!HRM{
z!@jw$&lApJzINru-Jo1?cQMZLiPw>05QftL04u?40-XDH=}(JW|J8VU0_$4xRN$6D
zQ6nqb$7FPhk9cGo?)K&Gdk#>mm5)vVqF$+h&0c325h<>UJ5z8}MJ{u6jdG6zq`lut
zi!{j$C>En5wpAqEc;ghZk{dDoNsfOBq%Z^8A!%~P=kfRp9%MURYs^uS_KvflQ|4wh
z(v{B_t^IDzj>P2D-;N<sPP$i>lq053ZehjVP@)b6B(aB6^e8ua#f#Mw2R&{iKeDxI
z;Zz4wY3%R-+tj*LoclBZw%HHgq;VUZRA-JckXZj6@epP0|6Xnd?YT4EpH!6Bdf!hd
zI%lA>KlR>tt!TGT`&Zd`_6Q=?rq#*5I{yP?K0VHJ;spezz$`@)zLl%q$6dzH`8|X-
z`H0HvSyj4=zmDua-WpOv<9e@>m%OWRx0N<%{nIy+Mn&@K>a)$d=1rCRyXV40l=U+7
zWdruhy2j42*^VjgA%8p^oDw<c6H!e2S*DOm6CkhRHVM7nvu@hOwz=>xraZc{PKGg;
zgk;#Q9b#=*2AG&=YooY&x3ft(tn;2uulFFmI->AQHycm$pY?)6j=VqX2o5m>RhO^w
zPn8h%u%ZP8MtP@0PANg6*c&)dOY&DmYt4^K0JWkmW06Bb-T}uv1_A)~4xg#wbDY(n
zFAdj{ZSAL5>^3VRMSfKP&VkkM#L<p6lN?(Q2ZmzOq+dH6<_;E$B=1)(9Osd=#uzA4
zhQVRCJRk%Q-ZneVBn@K^A7`eX?5FxJ1SH3mb4WbPL|nyBOc7y=%T==yz_}CU<6aWD
zZ6A_(n!@#ic{ArWaDKp0o_ikje~B0QxYZeRj0vq!>k{XU%2fc0gOGb+05p3v5LvNw
zXTq(C#S&8UYe`((GQD+VLT$cE)JP^orokb(6kk#N_q>*^^*3}&AFP_D^E(^sZ8!aB
z$8Dq*`2^w4ot`<Jofq?F1}#wH&}Nm7X$9VuoK+{9gEss0B@`i&^Gjb~a6CduNe5DA
znmy~l#E5?Kdp`K0!0+kkD^^d^wz;CZ{AFZz-xteL+na|!ozkt;J8!0Nbw^Jv@H!F>
zYTh5*(+;$kk%f5M2wvd?PM?oqONkm)Kq-8(uG1k{4&v_3R2fUO45sz+kbh{Q*<Pfh
zl=wxK1)<Ji(tHz;_X=7cN7dCbdHqg15Uc>l;l%Qx?Bq9rlSST2C+Z9Z12;D*`px65
za}VQO?QZ8scCDRCNMEhmF3q_LGWgZ!MO$G%+2GC;I^I8NXk|K3JO{NeM|Nw%yJ=es
zyH&%dS$S#X7^ACO(NEuxw!6WHL`7}y44a({N7d@?))qu&spBZ~wobhB_HUV!Lrb%7
zQhF6bM%>o6H6}VB;x*+Gtx|NYUNcO7^TAN?GkVW^VoqXgq4<cV1^>!51lA3#FNsuM
zHt%L3kJZIDjh9r$q$gJc!P3T0)j~L)j6BQ=>75n__kUwMcpWyE)0sFVIG^e2l`{4#
zKbhCrjI3p=9490zu=>yLFZuq-<8XT+$dsd?qrBpfH<|Wt(tnU{Z@$hjbpg(=W3vLL
zC}BC3<a*+XMHm2<bpc*U8oN{XqoUK4eNsG2opx20zWre9Id5QJ5YJg9+eeuqVH3|Z
zuMC{K(trP~$N`uomQ@s=EM-|;8Li;7`buE0BGo*lUTI~TV}C!$7(1eAzj-ONDOIza
zg{MGpaSNW#@^Z-QbQ?-5uq*fd<6kL*7gw(I+3Y|ykG-3&aocwM(kg`PE(=!wW6xzb
z5d=~Ui<E(%Kdhi50DkMsmNy<7H!AiKe(%dMgxZ$Dw?bMeh}{gclX7f3Y;55~DkDMv
z@A&UMq_XY^>nfX!FP0uN?pzzR*@C|5GHS=Ctd9Ervgd-dL;)llozuw#*-|_u@&{p#
z(8u-^Oo>;YcKyd71f8JRE9eJCos?<@Tx?BkI?qIIiTO8clFiARPqdbU6K&iY+~$CA
zgjS#hK++Z5TX2B8()-du---&>_$5<t?x}`-EWbF`J8fjOv@sEy>4h?LP{7h$|C*FT
z+@y5E-W3qB>SE3~&_N*7dP^i61PQEe36BmI_jgkZaq;idPj;V@reZ@*NqL!xEDl2`
zVQJ}HX-oW8Wzx})vT5TcjNM&{ON+s7rIV#BA0LbR4D>H#z1igCsk_Q~k~g?=juo3f
zI5e12d)_Rq>@!fuugp6cpPo8Bwz-kGsgl)lt@l_b*d!>h!e7w+>AmzAc|!GpDe4V7
zJ5AVVXphIo<h7M)kv&&UsP*z${pmNguhfVwirz*ew*<WeZ@X!omnJSyPmr3SdDLI;
z<%1+Qs$4>+i1(D?gTIW|`vgo8Zz@_H(wK?nIHxWHCbhuUal1<jJij9o^|O8Jc{?LF
z!<RXE0uTEhD>>D^3R`l%eA<NzW9IQA`I4$|b6z!XH}bkc@W@lT$K@)XWtlDAgv|SO
zN`PY1nu>>x-kYw|e3g}kIdFt#;&v8|O!F~_;~*nR5VkhK;y?k>7mV9~q2YJu=sm>A
z1OmH=r}B@fnB}~5(qWWO`oT+Ae(zYdN*x4GT?k;;Las~I70>TDqO~Ed>i*me-Sw2V
z=QpDUz7U+OQ%$4F<8SD?E@F+8$;J-K!$-Zzb3d#Tqtx38LVFeB+|&K_05eBut7|*t
zsA*%v75k^Dyp;rhPk%Kw-7CP4#6Y_}@azRT$pwBnw{q5V=cmK|*t%b5NAZ<bbcx+3
z-qhXv%nAm4^LAy=aOEY7MU7p5*r1^xD{P{))>NY+Hwc@%dP6<jy4kPO$#0Q4w{rz3
z9LqOC95HfnoWA1b{;n&_!-*8ykL=hV`D?9T@jzroV$b~ERa^+w;==PAslOjzcyaGi
z7b4N^laC0C@J9It!cYr&Cyd|-I`d2W##rc<tr>81c`MzKd4ON|2J1)Xqi12mx3-Fo
zr@6s3u(k30=2;4S&ubx|eOu*!@xT#|(=?%XQg6wpm!;WWJq^6|o|=-FbOm1lv<%8)
zys2;>nHB_tBdjNdU0#Ol=;1)!V$0hDGIz|DH3$03H9N)kIuG)D5yYjDtzR<6@_crH
z!jUlI2!MCTdsaH6$8nIVz5HV-s^PsS?!B*EWGy&&*EZ>)eEtszs1=PHIRaG+)v1BO
z6>Lm7oK-M4>Xc7(teq{jk?~M>5ckkF9m|Sgdn}lQ4t5I*&FbGTge7W7o%A*Jii%9M
z8al7vR1RDGl0V{HwB2zwR_)c<T)JJ6^+w1iNrRs+;B{%F<>C>*e-n%r)=*knELY{G
z;p}6UtaDtZDvB7v|Nac22I6MKxIONRhhFKv@+v%VS+`I0Z0Y)fk4jpv4r|Wygh9=s
zwBKedvI6YM{b#PTpR+sEc@Djhf=0WP;+$JleK2=oUR%XT4;38_s**PcBhY#^e%Ic*
zfopg+IeT#4DkNAssZxO;99v7->=-<HB;g7wHW-2?b0i0N9X^`di#*|1GT4hc?($z{
zE`W>YQ_NbSVe==4M#JEPkugPlzA`YM{q&CJGgjG3h`rN#K_!XfL7|=v#@0IG1>Dcw
zNALDB?QY`FE3^+I-!kq@+DjXohx={efQAXaZm|ZsVBTDDNT6DiCYMC&z%H~~d4-cK
zxA!Kc#v-#?QkoxvDIoY{OMrZPG@!b|#7XFs>mSPUQmC;`o=CD!6c%nK{xzbn7ZNz4
z@@PkH_$^Er><s>9us0F<68To0SNywud*FXfx@$af3EpfyJVFp?s_3C<;x{`o?lce6
z@0;zIO2Mn2AO>zTwPrR+QhdmU4ub|DZ`UYxF`#U77R|mv^Iz)fO}U`K8f^}O8X4hN
zz4ylQ{eB}u)Gn2acB0bIkt!I$D{{sPOkQTo9c&PLbdSjQsXeKiFFAo9=k~UA-E`_N
zGxumDD%ZOH8&y>(i-CaDrm~Q-eb&blTgf|%q^{m1u_(+5=DP=^To1UWQ=1jzZ69F9
zRR^~Z{0?59(`zN4`zS3{zHdW~ZW#0KjZi;6`*EwcdcW&rU~bcar-5ZP;&7Dx=~2q@
zK%&~^v&W4G&wDQr&N&twr8ko^<3n7U(0zjrbIgeUOZQt>kN*6xCeJ_{Fx6WQ-=~Hz
z)8@v)aI`NnNA)BD{Uw3&mt)mZKmO;@MovB21-7j>&#QWiP+UGI3X$Z+ljo1hw2&3*
z+4kupFo&a*olEWm`~9{y)Xc?x`^@a_prgKx8irMUUKqSjp-X06a-|-_zuu>p=4l1x
zrRVV3kN}AlsCr0n0s1TLVc%-SYyhmDHupQrrOlstaICOAOnWj|8d|>>OExgW7dZ06
z^$+-Qt~WM<M~lBM9QH#6p&PJa_>A`*{uE%Fws3v=>Q9g3&hEBxrWqBG)M*M|Jc>~#
zp6n5bZu(b(q}IXB-!^=W;Q7j5jGEkDyw&H4+R|J4qR*OerQbC8zQw3Ve>9)4l@XX%
zMi?nL)pB;ktqM2VF}il4^HcO)t<z~c^_ly(UFPIJe_A$YW1j`boWhKO9OsoJK}(BW
zdPGWP4Q~1MZ{uFR%NRhdIAimHo%Pgy>qy3_u1BvC1Ayix#{@f@Q!bl@T<$9$f86_y
z^>7`obUZgTvbnXJ71{L<r>Tf3u&o=6WO}KTbfw~3SL%ncM_<8?j`U{yEln(Gg%o>Q
zZy{$G>mDu*3*>L_lLpO>KafuADZRsNl73I>=NLQE&lgVvb>47&KW+aShqx`&*?75H
z9Zbb`eYaRSN5u!@35R|*!H_cY81O~_3y3b^+tXaFKVQ80dH;R_x4fw%??9G-l{oAP
z#-`myTyg`}hn*Zqn<E0B8cPbXp|nDfnOawm=hn<Tya|L<;w|FX9Q`9N+Ll623huFY
z&puWCVtO!&w{OtxjQQ~t6(6}n5c;j6seIU!DWAY>iGy0J8yHk)6@0o%#@=!(o^zrQ
zrA5}DD244GQyZBhbqZ?fo8*JS2J^R|Y1gf6!A1Aj*L-&69U~4>{z1EAFe_djtIgUx
z{6O@TPMW(D<@6;ZwHEz?@1C!0pGm&mm-qEt^EEwr>kBZ6n}N%I_iz{P)Xy_a@~RKt
zLdrHa1vFn+P~TMrEt?4vO`U_Np#vRq!+52z=SjnJOrMB;os7oT(}T`<?qlcEw$niB
zKCMjo&z)8o3K$}(wx<n>es6d>S%0s|ETn}VWc;mz(J?4Shb;#77`Eg#K5domrXny7
zN|wAA)O@TbJ}LD<ViSFilEWo7sJ`%9Ubdjv^&IO>^-CpXK$FRmKun6KIn`vPSkRc<
z2U?BDM|xM<^cCpPFo1!3VJXCd=_~9cR6FqvV={+sRsE~pSVkFIO}29d9}9mK{Svsh
zu^!8)pxxQB<PEhlQQ;&HWiHvs6stJy5AWiaD=Q?t(}v8-3x@s6T$KfL#YUd8$#C|e
zWMx?<|7GOe=92$>jzzOU_IV>vC-T|_hj;zc7#x7W^GiupEmEx?!cv(NwJSuCXb9dw
z=5vYX8E&ojuxEDWC*5Y(P4@=<jMqg<Pqe4Eb9I$t0#MfQWmYTRm)~*rX9<dc<j#7S
z#LFJIC9QNvzFh*2fm!?4w&~D-QYsfh_ALPtcFuOO=tn3a?EZ~mI((TiT-7+25x<Go
zr;7}S=&w!>*XlnF;ksEpSf%<x^vR*IKJ7gz&47`HOEB?D4qcA;KY#P-)Za*R&dg!v
zcqW7Jk^vH$PZEooJ&L<6(c1k_QY*Yr#q!4`IflK3;+dO%`YU$@3tX9T$y38uI4yMT
zccf5|01ZFA<PQtI>?rpIZJm*+z$d5s{4N<=YGjR;Bol*Nf>IFB)S-K11E6vp77E_k
zh_&eo$)jBFhM5b0cA1?95EmW5rF#4I>I<1cby~ww148RM&qvntmr|1I5mi=7ju;|B
zM?>mIK=fBb_M})Znl^hW_apM-jq_hB43Yo!SfDWcJ9m#9ZvVM-=7zv}t@VoOkBv+7
zHI!uWA&PgkQYl)>uOQjPiM0v1Iq)f7bf^Kw5gQ)Nzmh*}B<RX>_D>OTf%N2_3vzxv
zC_Q$w<hz2HiI$F)aHm=s#bM};y5lfmbb3ax;Clke=6dG^?Kt&3mxMa`x%4NgjMwAI
z$&V&YRdvAh)&Bo8^pxRKLtjt;#Qw~Y<=b30Yg7sh{ZO8Qn&$Iq*o9^EA8mP-5Ox)#
z4!8FC=#Np(h!eM+)&R3VIgyRmX9UH<gLtv`zX}u}LRx?pP;=@MLL75{haEPzQ)Zg6
zS(GB&T?xJ^R4}onti5X<cB+(2Rl=Xn01XFk4V1%*{BBP-F-7;BK;npv_uL~t)blQ_
z_~$Fw2^-0aZ~O+43L~DHEoBW+>}K2!qtyKf>`1QkwEmzVGyH>4gI6v)U;C#vo1=re
zKV;uYq&0!50dGqkQ}IY1S#@~DakAcYvG@atuph-&1%y;UcOj%rRLEj6hkiDkrvaqs
zhb+6hwf<d>wKhKCfl~i>&Oara_<IDQNAFr?KUt~C9)%TnpI;sT)f-RUh>+)w{CdvV
zdRg$FV6)q0uR7t~7?%&Wy-5m&6Omrk)gnOmZata)iJqkT1|XKQ{_Ot@@>Zn2UvqP9
z=nYdHjTI1#Jt(V8XD(79zoswVu4<Wn31WeK8^M|}+{O~GdnWALPlf$H%p^lld*?1^
zfJXl<du-Y?XOq$pnEK^~+FY9Gi|5~1W=yFLu$RS6ls-`3fBljZVg)bI-d7UzK$Edf
zJY_)+ZRJ6BsIldD<BzGqqy;0`dX0N)KCjxg=w9=SlQ&-TW^<O)xx_5`)K;0l*NS3-
zYgXE3?7$Bnq;{AGtODl0bVP|d@mcKQ@bCU`W>jVNYTuBgTt$0A{B29X@}o6WD_6em
zkvQIpzRn?W;qRY)+axvG4ysapqs}?`vFBfQp}S|H9Dlz@+}F4HqB51vhx9|*pUyPG
z1Eul^F;Z+Ue}<WE2cN}jl^g?7>*Q5BBWqNyeY(e^kSniN=)DX}Z6A%l_eQ{VZa+2Z
z(;4@r+ad?5(uUc(@_chGQJz(7&)mVu7w)lM!Uc=5xvy59DYGZRBxtRFdX??q%Rc)L
z=B{G=;FJRX|78$TW1OZ@`Ywm_pW_IcvO4s&<ONkQG4dS~$aFi@tEgHZJ+C{~W=9YO
zNZxdw3jv7aKHCJ<+)OZ;eXZS|08x$l=ed?+LIh3UvxX3QohAe$eqaP6OMq3h#sgew
zeOM783%pTjq2aLrY?Id97Ed?unR_+|f>Bkj1Fz6+{#N}=VqD)#s@!-cQA4>S)f46!
z{n^cU=Dx1FK|#9e@E%ZEEK!|Li>LQ6H~l@HK62CBe42-O`&+?A!v3uKzJyenkumvl
zr`de16EOL<v@uc7>x$sMYbwstl<T)FekH*ntso>wjeNRHLh06iS~Pj>X7JhSnY6cX
zR{yHDkDCtLh9^GoFHZ-)7^)b`C-TIORgP8c=w>Ztb@x<7SJ&~9d&4CHIuf<fbJLQi
z(Z!uHBefAW&2LL|bV#h)9U-O)^exie+@{-=-J>+Nj<dZuvGH245+YPNIjk|2)n9S|
z1kEF*h`~G}<OyF?EJ(hU&*`r%jmOAWZlzTP;21d()&I*7LQXAqgs(lAcM!4-n#fx}
zUe~5adq)PRB;4@U>6OV+DAkPe04A3gp?&?J(tWz0!_&Aoun}~Audmu>&@X&amKruk
zHUqu9R1s#u;j*rQ)na&?Lb~!M-dngMHkmA7x^MVuz2w)GV!{b}*W9Q_aaAkWDk`Sk
zzx%D77QdZ=o8i0^%{jFJy^-;qGTGmzQ_uxta}7^{ZGtE0Er(r8V>xK8g+@=`9YhpS
zl&ty@3>tggurR9*KdX2_xSF!^*md!n)P80Lw~$i)xd_6ysgM!h)7`nPmVXH5o6DbB
z5AE1K7nM7Ydr%7Zd#hS!B8&}vc-vR7(3!UdyT~{et>Z26&mA{E=(`c_=eqamnSNve
zX-Iz_$6o!<<1gr+3%fHjC)Y#GWN^RrZO_^*R9+<yj0_Slz83HuL-@UqOknFC2QHY|
zYR+OlG^^Tvnh#CcnMNBdbIubJQEc)RC#QOfhZQ#uP<~f|_iOuOUjDhbG5ap%WjgOq
z73-!y9?VaQt%z!8acUTn^5Qv;)A-w*-W*3v0Le4zzx~3n@y?XfAq~F&J(_}37rTcL
z)^GTjOtcYGM$@(Hto9(h7igKDQYf^APz$VQI-9`}@T_vLQ%cZa@nGxV;;eMw9iJ}y
zNnVtT)Fc?%lcFeNbX5pDkRq|_q>n>Bp$3KI6At=ux4tRse~fN_YM)!J(6+Z*Tnz55
zqpA8o?lr?tN$>uX9YQ^86#M6-25X~dbvZM8uEF2tXybTiygh)K^cTb*xpD}!(6x#Q
z@4?pY39m}f7Vc+MsfW-n&HB2|Ksg37s3-Nc(MI$np#(+0p@+xxSr?($*Zj$x=v^)P
z*Cnn+9u=6d{#sYGJwV^IQ}L|>)Z&qjUnNhES^Otm@;@bheEDS;Q@P7T|BZuXy+|L)
zTe1n(5RyB4--Kq{&;CBaCcSkc=()Hiy%((x($wAPxp;se5rj#F|6Jxkob2b~W#=5;
zgO<-mekGW$MeC1{q3kxiNw!#=PVRJ#ES=5uLtRVPEv0QGnI9h0qH%J9I5)gtyY_R4
zmgS&1X$AxTn(w!cjBH;in)#n!J~{Qv#vwkH6UV}U+j$NXiZZ@8%!1komi8Mu!IrQ&
zDzN|I`&5taivTCr_BcpI+bc0A-wv2?lM3y6gW2x&bi$NGM4xDH;iX2m=ThN5g4K!q
z!2}RP-+S0>vW7SG#IzMdZ`RLR)0<xT0hR@0jz1~jN3_$&>|i{(WhKa(YQq-oR_7Uz
z8ZlfGxp6?xqE^FtBR_3KXxk=09Z3?73#S@W!rDd^w=ZZ5-bVRb+m9K3;52N7Xk04&
z5H)swQ2K?B#1NQ0KTSvBoCDK+1EI<@#BmMvqWXPXVilqqGPV^RQ&-4#7jV7Y#hMf&
zEiU2Gpy8<F@8R_NQ}wPtTZzc$;s>Ixe5(Wu>Rj7+95mKdcQ_&_qpMJ9I_1cor#W<E
zGu7+#k3|na+mCJkSKWJ@&yPe1x`&+TqwATE9@+z*qgTt1tax#rB96nDzd2sB16q=0
zqWb+0)%B}46PTqk0C|Ljc!}qm_pxQ|ro7T>rg3J*R<jyOl+D>kjeN#78W04I*2HmQ
zs~@7PM)W{KNq?=|pEh;dPadVL%IbI=ojYhux`o0H{S7(>G03oml=qKP6-zvD9`h9P
z*3^w|zJv<Uyg$}*+TC~Y*MEO>yy}ed=nAJwlBpBPkO*xF?JtGu%eNyzw=2ap(|Xp6
z-j*5zWdB@ZAX?`DB8xgR9#^K`R(byEd^<5czP9m~m<7CU^GjqJjsk{63q*cCXPs$6
zHIzrEv5m<GYj^yvji^t(_T2=N{SLEXS4){4A8b(o_=WfD%-7Ba;T?u`78p{Q{O~_U
zViuCHqu31Q{9b!*6u*xCekcF@(cJr;vF@CZc6#1$g6U>V!)>O0)X~n~gO=BuxDvGg
z!Z@dCrE(u-8(-P3PK_`V1xn0N)PpgiUJj=5*y=9@I<0Ex&RTaH8c@W6t?E?hIY=Dg
zC60Hrk(y{WowHuOy0F6XM)Zvp^3BU`@rQab%Qy@1DxEW2<m&cI5_?torXjUjyMFw<
zrR^o2rRluQQ=bS{d703G5npwGKV4O@Zl6|dNumS9IGNKuS3WBBh9)JA_wldaDCJo#
zYPewP=|)2#w4R+=oV3GSdA`!{G!NyJwP!3>|N5%=9dgyE26e$j;wC`mxjj)?6h+QX
zk8v*xgr>;O<FE2z;<>w%`KI5U4eDMl<G7)S{lG5}AE_3Q@e_cCvj5EX8B(4wG@3r|
z8q{Z#jZ%W&S&?OxSDtnK0Qxb)^$+vgH8CYV{KYSbs!Pxj!>7|mOK*R7lU`VxW6T#9
z#7hu{A#VY{6{OGFwMw3@ff|3}YwOcQ${<zwGKr)u-zcWX;$LzIHiEHuO48j8U986|
z?KO=>1{3T<=7NTeqz?WYPSJ$V)1tjlO)k8LRgLq_t<)53<1CDRYdC@2>=m#=l-$FR
z)Fr9gWt}+XBbu@@<sdEO7A15w%3gmhO&=OI)h*eeOYIwbj%r%TxpeWfocJzdXJLPo
zgwP>RRT|HHii~&Ar_l97&=dj56O8|f5p`hBU^#L@B1DmRk}yIE$G1E!h&P~wEHIT)
zBMyoG<37tGQ}z71_Qj4x{B^e;7c}T@H*Y+<S^jsF(D<|d#u>$C9Zu7931B9Eg<5zl
z8n*Kr-|o}I$S|1YfmUOWZ(C|<ktLu<5xxhJ*=b9Z@4m~-5`)dcTy+;e{SAEm2HS$&
z>cGR({ZNrkWTKhhS?YDMzgHHrNew8arovQ$H7Isw36`g4Rn)(e$GD;qm?%ID50TJ%
z(2H(X9be;qx4MmGh%cXtLX&@3DV9~sInSsV5Q^=ggDAbz;&e&f!ydO_YnukeG4X;R
z)o=GhdS%cUtF|~oD^kbHt%3|a_7@hY4nTM`6&?;ir_#|hNYAqjI&LzZ2iCSxP>Z6I
z_7bKZ@*(Y=5V4n3tc-Zrou);GKA~cW*Cyl=O(oBY<1bl{+MS56|9=*sUNj3BIXO_C
zXf!zm0k<Ob7s0Mh5&cbxmjcg3YCJsuA}>{EH=y^EsNog!(}CahfmlBF92ne&Bl$Tz
zb7U}+<->3OB$eNqyMyOcz{7{;y-4W~c9J$4hB^w#{_uf;*9vFm+M1ygcB}p?-($vK
zh=Qp@HZMgRG_j1);S=U$qtgE&n;t4Z7?j@|C<n=tseYwB?8#B)*zxArv-Uqp?KR?7
zfx9Vy>abC-%z~)3llns(<q$_Rj`}-EI%(NJkvjRqw*9+#H5I`O61YKktIW(!ayy#y
z%m3r)y~El5zqtQTTOF#U_NKK<TbtOe8l_5=h^@9-F=_^B)t*%p6|}TQj8L0|+FPm>
zD<n2W5J9Z)%lE#1_x)F{EC1xW-Y4(Z>zwm^oaeDh5!v}689u$|uW>;dY6Z84hmc!w
zC~ML?kI%8H%lC$|)CgrmlTga!z&9PaSZSw|4~<CY|M4XC&bj~N2YW>>j*IwFVGHc%
z>_c`G$@X>lt^Al_Fa*mli3lNVex7VQtRLbH!Zjn0N5B^6fAfMGhSkrMxMurieY*B`
zV>QBLXCYLSS$}3N`$|c{Sy_Q?#0n@PfF0VULA540(YC7#o10Yk57~0mz|zwS#7u6e
zEGoX`?fUC@tDx%e7j3MD;@sQ6;_c{VA_uN*S@@!FZ#5T;o9{_#*SSj{qO0Dv2t?pk
z#^X?F>Cnw~O70LStS4(IEZ+K@qH*+LrC71ex0ysGYLBfKfLoL@hLHX}Ry(5eQ2nHB
z5GJMr;KcRe>|PMNuD}~kqZH}k?cHiNx8H^EV!x-o0U91Brsz-qzKv@7%F^Q&RQrQu
zw+F082$i1iT}vgOgVfA|ZcM~q^2ABt`eqS714P?kHkg-B4m7rkrk|uItfk<My@fq`
z-$>K5NCqmcjt&57YK=Z~^S0kVPik>eE{#y#4C<BNiY`a)45DSWp=soQsddB<AU{sY
zZsG2!kX4ai=92hw>7u`)kKgN&U)JHAO)~#6l=X5M3aGoDRl*7nU%3YUcZa+Yaj!|j
zp#}u#%j4f1XTK;Dn4%Rkc<X8<Y=mTM;JeuQb%}zj@zV9a<#fyZD$_U6wYxX7$I)N>
zZZ!)%f$}_ey*ikKuHF^rF4g4un)Cj@Rd%fUdEnRegk=Cbdi65?m|pZ+*x~)5kv0>h
zC=aQNpLSiF4haI@TeZZXAm03;!`wMn5tm7NSm6^&WBdNlkc1s&lki?EhCw>)<O~g6
zG`?oE<QR@Wy`s@{Hi$rm9oI61%@2<`O6^|3U!aDV3xbz$=^*58Yyr7wsQqZ5!18}o
zvg;v-40N)#pgwG5GVH+iLpj$Xy#idm$O1|9*B~b_<ZG@<zYe8v<AUW1)K{LjIfeX5
zZ#x?Py=8u-L>d{qO{V<XYiMkH@#P47HhF>Bo5LUEQR%3Sk}aFQCx1PtloP`QIhzQn
zzh>z6VcNbXacz*k%T6-5gDy)ENhB|S?K_qj<(6sR6^(ERIUc&m+n?^wT08%+W6?HG
zrw&zg>R#9xiXh_qt+!WQZ-Lv+sSoi(<+km#a>lVd0y4M%ae#m_JFlo}a(PrfRHZTR
zlITHB@=~d12{9k{Sw$tJzP4FyyVm@;7dp;|vB>d+>s1^n<j1OAYEM!AdFzov2F1}X
zg%k53inlx_P(j2R{i6-n(W5)js5EEIu=qAeJ$p=XLirK=tfS?d`kB;~6I<fm)9{ke
z)sLJ@@|yuR7o$Yh)5;o2tZ~l^<OET1)4!B=E@ChS=<T8oYQToanoQb@|Ho+R%9EiM
z-t`XuVm61=XT+9I8L9otdxs_XZuEPm4`0&mj7jw!eB@4at|&-jWtO<Sy~r_`Twp7w
zaojJHe~Cg&1TW(1&#jA$*7!hTj6$7lrLrFcFJBT>y;u~8ls%D<fMq`7*m=-;*$>n&
z&^w-G6l1%wRC*)K0LRgtLEy>J3OPzM7<DA8z2NXqcy|A1nbbY*S4HS)&@I^eSPu4e
zh;D`Ht+%oJa{)luh&6-S#4T9i0))y<T6?1^FXT)>ZE$<SHVFaUUdw{+YfyImHnDhb
z@G%y@H!{>1u?cNdU4PGz;Sp1XKd*3=q~6krbB=O8l4m6sP9gh6VDm-V1Q2pBb4WUd
zBX}LK28RAs<U<Xp9nNcWy7!;&x1VQTXh6VxU@R~*eiWkpGVwL79;YPBog+@Bho626
ziHXDsW!zpN3CDe9v3v%~xSK48`0Dmuk5=2H)cL94Ny1^Ynb!Asxl7XTScE<c5kW$7
zv^7li;!lK*kRjl0|K4W&@u=dL=0n_?g2k~Yc}sp0<{05PEZs*YG*5WD=7+RbGCwZA
z15?Je?`M?M)2W|GlQZ;FOS0OIv<YowN=Nj6HQUDyXX@)uG%O;%Gx%CH&O3=tN34+}
z(5&9@&0!B$04)5_sP42NU_$d_-lF98#mdDoD}j2cc(ooPE@tEzwabAC?MOa|0YsGQ
z7>!8ugP!&AyO*<knc_3*A3bauvvix5e5eK)$IY#+6H55*$y>`XMiNa(ouLUHwAz1~
zVmhVota&+(8NrtTIaDTJO2k^%p5WF{){<Id?7!B0{||v^fNa#9$g+UIb+!tmv$~q>
z?e1@P&PrM7+RmZ&XBD7(d^I}8x;=3{?-yYl>|t{xtaw<zLJ*QI+Y8{agde>aDF|dB
zv9G3^NUhb^JEPAjUT7RD@lg)6OupBV`vNhQ5uemx*x0jKto}<KZ+YcyUXAHVg6cw4
ziRSPdg|hqK#q{~azU+2?lv}F5`72Z5!K+ej2R#hk%(cY8qIPcVIfeUD+Yy9x^8S0B
z&(I~(uQ%NMfwT`=_|U^v=Hf)oVtvn=tFK9i3iQ?=aXOU`a6d~vvQ*nmGC16+mp1hp
zR(P);7UDI<j{G(+yCZG^jA)it$;)7+i_7b|PG=n+A)e-I@H!X%EJn|~r;2<#qZ5|i
zoUkJH=qHSw6(&w5y27DUFxC|Yb}8A*n$r*m90bK^mC${*;15GEPV}8)`|2P#5?|NO
z3+h={@CQdc-T73K>sbLMqVU)V%B1a>Az<OrpM7z4#2EqaDO&J$^3cwX9CLW0*!HH3
znT0W?oGou_tQeU0D$&yws=iyo_ecF;z$p42Npkx{at6`9sL^`fe6*+mPK9(bV}E2>
za~+ZrQ!k<qOLf(L+8nP)1j$G6AO0?Qqj6HCA#;{Jr+l>}0OnNQ>j|~?@3!mX3Exkt
z;y>@#Z6s;<L>zIzdPXMO&kyQPTKnE=bY!VDSd1hF!vA3q$Gl`3^Lm7PD{w7iqsh2(
zCEg%Yjkym*5i{=Dt~tag4<4E=vzT?2S|(h*Kbu>l<8TW#Bh2(exh#2uR@kk21nzBe
zAdgK9Sk)<Gn7tOKFp0F?+RbXfaQJU_KGM0Pt^it&aBF4CM4kf)8#nLd(RrV{0?K9r
zawX&Kbb>v*{rc=q{|oOrkVnw%mxGoH^Td1E!s$tN1^l(UQ677bE6yFUwXTk8Qbzv@
zzM(lGEJdm?RM?NRIFEb;sm0i6V^^)dzWSSyr|&s8cviX2q1oALII``1w%3SBoM9U8
z9<L#wT0gix-b;v`AtOnSbQwhV^5N>R0-K~K4^8@MeY-SAtyU*xVYMs1MLcqT)+ek!
z*b{kvamxdZH`#*E?>tn;MTMkm-C}KXukBI_mhPs&lcjS(P5s@<ai8j#EPVw#N8YV<
z>zR77C}`|hNhMWoG*XRe^cSatH(Er+v^x{UTgI<_^tw5HCT&~X9o=X<4Kg|Dec`!$
z4*$CMmm$PQWwYY6o;ptugdk`|xst<20Vp+U?Kz_?Y@CO`0^RE%EK$cz=zPadcdXhE
ztgu$25R=xvxt&M3rbH$3RWukBwvZ5rv%<G2)C}A*O}zz_t_eJ{g+G6UdJrBv;&x$t
zx{Ve+TU=sKRj~~l>#?8AncqKWfZ_8GU~7-~6cf%>%!w*MIh(Bc47HR7eGNxD5%+zv
zJEbHGg<M9Ioc&41dVyQPv3i;5zK5lo1=hg}Rm<gke=mr$><!fN*)aW{^`u@!!jlae
z0o)oP&p3BbEf@+k7(5(v*J#=)<h7-gZ@fZ$?wpA^H8~S2H?BOC>MVVRVxkLvP<{;5
zi0N=6to4AFp~6~P^)<;IXC7R~qad1@s_KT&a%>lDIE<BOiZBY;fv*9W`m865#QI<}
zOaC>n1$!SJ_n)zVwD^YnNk^!Y*;?HmcfKdwC0VLTru4sH#*7Xn3Dv_{4`M8K%|bp;
zUPX72RunpDue@iLq<?uVlE?c#-jss%=V`1ILg?SAzLR#9Sv0->5n2a)WoQeS8|_#6
zv!*eTMl_SB@P%Y8)u~bu;pwYGJDX@__!8$LWyzyWI#?|^TSy)%fW-4FF1mSV8=#V(
zcpcd?tp<FJ63CniCdDi8BAVs_mEK!1nfhNW&fqUvUS*gr!nv+ww)yZ4y5ze8UpC_z
z<{Bwo8fQ;W_g&Rn_glSXDliB4@tvT!H~gD6J7Ex&gK>y{E&OO-H(32-EVaJ;{DQ1Q
z=!J^R7$_ZMdWu2qtMwjg@tO9&3GGMi7uw>Z&XFb<jq55Ay4rsOZWvyF?)lTaI_Nsk
zRug}<)0w73-GzVWx!uWL)k?YDQP4$$+NyMF{{D@Xj>8vy9ti;Wp%55PJbW$*GML^m
zy*&VN=zS_9V_8;!<hoL0Jo^+gZ@v_ApfRanz{kjbzWC`hX_XzLYB36mc$_cu$|N;u
z<ru%=T&0I<F~L;9i<8`E`nTf}W%{go&eYl^&LgSjXXO@2l8!1TUoW_g6p3NMyt(bN
z`2&X*NrxBZ2PHEg(#H+SB~eyxaSkkiF(!^PWz*Lh-4Hz=mDmFr@QbdSUoMPJqm@j%
zQ5gB-viPG2aM6H*g1o5q=y9!Q8}PK57rXTEu945;vEObf&6e<lC%vs|>G!HA8a{UR
zcEyG-MltqsYn~~XO`Jdv$B5yNvYNsGlj-iC>Zs!!Nl!1!)<IR@QTJrOLKA7UZ^cb*
zTatJVgj_b8<<(&EpmYS#+BXzl)KGc|?8FW92V9)C*r?HVH6<k&vUdD)QEat<^kH#7
zgPn{hL1IhkDC_CO@^#_$O!L_hg>ohsedf^$^$s?#vh-1Ap-E0_vWT9SlfjA4?6r2n
z!};9XYLI`7vdSpT9zQmCiUM)!DP%2(+61pV!c=R3IZ!;{+Js6DpeulW=_3Z7d9LP(
zYO&3G{ZqYAk{)&9EqAR+<lyMmq&r8DwJy-BzbPNY4?h>gA9&#2d@XGNPD<g-R<3}(
zw8QLa9C!AUvy9;3Rw`8^vWza`3=Xj3seeRL9QTqSN*okIb_r2P;Ace-Cv!mgj4G#l
zsQV%Zp8tgPOT3o2%QByNb$EbHG%?&IP<!zjE?4+t(tL=2f%uFzM~D{JmG6F?_iu(8
zL~!;_2N<y!XX_M%(ETD6HU4v<^A~D^`>%C(IA*^~R~tfT(Se!Co{rYy(J#!tYhQiu
z^=tb1QEhWsz2}n7fU$i+k8M4`SX)0M4#-!YvT`ijif=`TmpVzeSxxHliI(3m#P2=C
z|G|aga<OXLHM4>Nt@2PF*P9(95o3hc!-8D?z{tPfWDxLYP5K>W1#T*2ZAot`VFw8$
z)S-U{^QT0b6!>G>W6<JZq`W>pY})}_qua&S)Q&ZBZ5wJ!0TB`;!@kY=blpy${TdM>
zJF}!i*1(mZ+B1n3w?`r6aN4HSVZQPYmEcs#vQR@`4(*8Y1C9x0Mva#T)u5#iQbO<E
zhEi)R{ymV<?v`ux)zf!te7=o(iLXg&CKhw+w7fB?eS!jf%smfM6`gU$XWC&O`>H0;
zd^#qS$Qmi-i@}*x_bpEfaJ8F9w^Cz=*x;7z1km+I3_o8PaBFi*Wq~1cC6=+znRs{(
z6$?uDXyOyD2)2$jBRP{rUPoU!9P8W5uThA7q{82A#OvSv)jWE>t^$Q@`k7oWW1BHt
z6jjCq6mF2sh3iQw`^M~mxmaNUd;7g#$3)BdWL<mqk%zgBjcxD(QfQ^;AK1s5*Do)6
z56{5+kPO|Q$sjK#Ti-$dQ3tR)q!r8?X(IYKsHuy<zU+#x>GOt6H&T=*WTHy-H|T{s
z2A(bGmB41t|5bX|uS}%$;qg9Qi&=lG+P7Qat&KClnsvo}X)3ttj}=uvF4GgmOb|fw
z#~<zi^1=oO675WvrU-`*x!V(l%R>;ad_w0oZSl5;dmw{|S<>sHa77x?+(}>RkDI0Z
zJOBXeI9cD9oD}!1)AsSV_t!SI&Jir3iW6hH{Bz#EB(V3S_30#GPy%6HK`cj{mmfw`
zgB*U=X>@BPEA8)hR>pphE{LaD>O+$&Nm~czbPIfm^`B=Zo7si{I%ci+{RYF~eQV>V
zuyOM^sOiNwJEY0W2cufKIcvJYF=E^`y(6ocUT}DWEIxE;J^%wX<94O)(^`V)>{2CS
zDlwp}VNKGnFux|4Z^UvXlX_d3sD2YmlpN-t=6b4PK-~w`z{Fm3=u}g&$Aj)VKh#3-
zMlx&kWeK0Vy@FLp<lcVd38wn4?0YVBSFly+wx~hwgwYF~Sy3)qv)yp_f0g)2gA|6*
zAa~QT9x1qjZF4As@dJXhwtEOqaUOo}UGTX>ufo;O5!#M})@s~p?S9Bo#|#V4at_y9
zm>Dx}6$G{neNz5?y~k4|Qo5K!aSVmzET640__h^qFjVpFfsxB(N%s~v?x^_iPgWb!
zCIkaC@x})li9R8t(42(Ppf-POBN!ifMomYh>13QPsDqC6i8adiP8QkQ#~&egnF)V}
z9&w*2wCT?<T<s`JpMlJ6)&=&WcIHxAFvf&#W<xhBi1e^=ftU=Q{e8aZpY;HD>EK(c
zwUpMaa+;u=be7f?5bL{EVL;B&E`_Y@wSXw{4jJOD!4kTTDBYs!N?Qn=ZuBrh-)BQ~
z=6ncxJfhbg94JL;Gwg_83&4h-Hu#y6!FH+COO)sfq{$cfFPEUEliIrEo0tW6j98I>
zOC8v5D6eXPhp*Na@QzBV8A3^u(8|2vMcU^(w};+-WYn4UFF*bHGj_*0a-jbD<a2Yh
zG*k-r>)^@T)akCv4A}TUEr&bm`mxAg<vomoRX>1gB^z%L*FfRANFz)+tKrLd72%|>
zb{Y7w0{0~6Zk7hogdYL+zx?;Yx+3;Byt@(+l8L;2+_qF5Cv(I&>|SqJe-V@2tWHm^
zrCplaut%~#(1pDL9n808cc9oSb`J4?oj=Q?WfDs<xF^q+bT(V8-;aW-j?_H*ld9ny
zS5n4C+C;N>p9>XF*WT{F-Q9qb0h3-%^}lfKGg5ciMk90wrm(8DWWVWI(paCRlR%E>
zr(kY?2)$(BZ%yGxTC&+pB=Io``*=cU^tP}Eg5T(+$<^zkR<^EVwI?ukq{9_#S=0z6
znAUXV-XVK?&^zK<;eGu*+$#HlG100)zpyjLvEx%iV*@52+BjxN+z@b&R+%tv(nu@L
zD3W(8{ID=_rcdL%gn%UB{+zGLPdeT4wn2RS_TeFb($8?=qe6<%7&lZQj0ev82HlFc
zFEEGZ>`_mO0ec7Ydrc;WuPQnb?AE(u_D>i;yjG;9Iq2(o{(&kB-OSkgq6MZY__Fg2
z($HcMYorM~C-mQaBM<hleaEMwGiD3qv4decDE0JWXGNdK^Mk2s183!zl9p7vV>qZ$
z<EV?A5j_vTakhW4iEnH~5_o^~@w{l-J}mG(`M1KMZSD1_;C!Fz)8$7-+C>;b`aeM3
zeHSIMCLwk`hfRw1UJj?``?lZqia*MAQxvIMaw7vPMkpqF#3=p-ZZ?FA&!{U9?y{u(
z>8j}RGnAKUyC30SJjgst+e_e20<pvT@@7uyqskjLwq8B*%<0E*cIH;O1&f;Q5!2a&
z6Qw)AN>1DIethOgB3j`XEMgE03+xW$aZE%XW<e5l1qA5{(+QhF6761LP0lWC9(?V~
z=*E+OTs=6H)v-1&*AtDTdDePoMy@43BMbYp=V9aTQxLXLO7f{9v_VoJO#jKSNGU(>
zh6ZEllcZ16G7j$=pFQ-+5c~0|>gKq1QwMEf3Xxj4YkY7^9K{W`Nw=R*zQ0?q9Z&m3
z`%>n*>8GBM#m*<bF^Z3ov5KHnYu5-6?Qd*%@X|{Te<>^2B5JmMdOdBY%ztS_?YYd>
z<TJ6vPfd;QcUXcICO{WxlL}O)u!O;_owPu=>sY6VmEZ)!CFh!w#pXp1$@bDne~&I&
z!!BSiOolxGE#7OX<MTyxeq6O>cfVz_{Tpgc4Js#OsO40e>R(MG+O_h24fc22FKfx<
zTfFqY?%iX_VEfalf-vOUJqc##;u{P$Z-cjr_%Wl(o5Om`4d?-yp2l_xFCm;C&~7lr
znCj_0)V*VBuYJ5p#vfcK93Y@wAKkcmcEo8)jMIEs3uBJM2SatNK@R~rrNN_0u8mgs
zlL^85!S`rVPsp?Es_km)PZ&IPc>^+d$_u<tdPLQlZ36!}mpybj<#dG^GgTGQUo1+h
zPoD30(qX}8z2JIDyAWq(g_}j?r9I{0P7v<Hq8T00;NU;-(OzYyO@82&q&O3t`9$oA
zK((LDedc#RmH(_dU-W@KXceY{TuEWUwh1M7uS-Fi70h@Bm~FE;N;=xKu1MOVBrPoF
z=fA0#$VEKDdMAi;t_>D1SMu&ucbYxKGdOt$rYKZb&T90v|1>(4T}AgI8c%k3nKgFK
zTJ1mz+w%qQG^%cgUH2jr)}i7Tz6M}>WQf?czSp?e*szAmf{~-rsYb@4L`Oj4DjnqU
z{wK}3bBa}Lpu$&mpU1J`$m(foqh$GxxzIuWSkqUDlH6e_Fyl;sfdWiUrgch${*iVs
zmD2a`h>&)Zfr!)hDTp`we>_mo53`40R-HRu$Me*<oauTs9*U3Ens?AiKK~`?&z+o8
zM%p5mHMtrvvLogflUdnoM)I^J@<k8R@&u9`K1AP7(MU@7d<ek{h5GgnWcuqAcj}hN
z3o^z#f`mg-n8Dsf#O3K|is?*J3KnZ5yp;!2-(b|hN353cs~XH_<cS!bO@JwZr^_Yh
z6+(4RC0g{K=l91;RGZb#@Mp8Hn)aCmBtwbM^}kmalm=5SC=kMOy3wb5QsSx=nx2|Z
zi(yPPr<1~fgQM`?zXdZ?k%&L{LFod|3%PKD2ek2lvNo}`VqQ*MW+t@l!ou~@L-)7V
zpINy<_W_jx`KMvFdw;U(sm>I6!V7XL0p@CRbsGSAeA2Km^C6^QbEcqrduf?1%^8tW
zjh2PfT0X&0;D#Xi%QL*;)8#YTmvs)W`iorlr6An3q6?T9Kia(>iK&;K7!7`Q$-_x#
z$&=r1$udk|&9qsxQyWvyQ!=F!?-`f2_+t3>I6gBZsX<ypKw~!yp>@-GD2%^K6th-Z
z2{&`CcsTm;If<(Q(2G{uE}kmhqdP2@I-D4VpYg}{rD=>ICQ?GS^AQmT<%$mfy|^^e
zDr%{9gPzHSzR5Y7hv6<R4rw>ic?x{&u(uTL7WtCZge?c~jzg5*K%V{)3!)v!c2i%h
z>uRTh4tHP_H=Wn4k#-aO#QD3;@>67So08Op)8g&Z=U%-Q?>~fRYa%>f#j_E2weCMx
zN2=?r<yBs|bvd+$T;&thZj}_*K|#i|ZIc8QFsC{WzTXKf9d9rW%rhzib^E6RGH<15
zN({ZB2P=|RFi*?Xc0-?nle&^dDjm=zOeADdwJk#I#R{bn^%a$>K@DgmtUSbsHE-e`
zpi+WbXvd31WU<0@w0mPIo3Ra|YD8KueA|wth-c8ON~k4T+5E@+exaRGquMU4Hj9nz
z)SB<Ksju<5dXQd%F-xOhN$$kItc{{b^69tJ26okp5Q1TlvbQu?cwg-C=Q#<JkKdj+
zKS110A0BM;B5Osa#l{mZ+)_^jc(9z?naYFis!R96c|<0MAx$C!QBtXQY9B9-3{}@C
zGkc{t=%rEI32ID6wlH03CyFfDNy9-!xc8m{W9mv%&+&Z&omGSuKaf<;ad4#JUmI}a
zx%Fo4!=%KYdcGFcPdTofff<(cXG@Pd0Nrglc!?K}D_N5s+LCxkff{S{tm)!xm2-=h
z8VgQW43CT3TJA`N$Ubww=b|NRDJM2u8U<(juE;>&4HuL9S=#I+G-EDh&JA8#(5g}}
zVTGA&jY@S~?baJVRjIuazLlJ6?o9W98%;9K_#N`MM`*q0?#x#BhecK$i_61437#91
zg^NW3pL_*|q}Go16|Q0!L<1R4H&8>%MP<@$Tj8u>UbZGQB>`z)y~$#4TxFvC@m~Ln
z@krd!s#>Q%u?LFdBS(ogJeO>iqf2Z^`O5-WXBm6L8~ImxDd=rVe)Z3a`TgOG-HJe5
z2-s`V1{%IWKCi0jqjWlA^+e|aj)>?w(u5^6b@Fckarp4~f_SV?(#{3a8kRG?8`*W$
zSZgLEgViO~R#@_s!;Ya5+K>?sTWl3&vz?x}-k`CWgLW&)3q{u-{Sf~O#OnbAx8J$-
zgok!NoRI~-xI@@9!RiKNi)#9KEi+QmW+Xjw8OPQ$f}=FB`I!EVZeVwxve}j*P$JZ~
zsp1AR@uqz7Uh^Vz+Ip04GKm~KC*!}YtO8HV{PnJ3I~Xj3is`KT@AOZu60-wukB9JD
zwNGa_<nql!-eZ~0!cN)h+iQ1rB2Hmf>(dTihX<dHE>@B`dvv}_Pt|)xn)JM};AZ<=
z7&UrVJ6FG<BluVO*H?)sO&19TC;!1+QY5#c(5?R{`4!1gJmKYcj>}}wVm0DnN_wt(
zBU|Lf>sLz#g9V$6yf%de>oBA&_H>R(@#9chF30bS5|Z{ng-3|nhh^QexW`CxLNxRL
zWdQ`93OgV;Onv3+|69%mLLpwaE<B5fp1E8f+zAes)(=#~0hPHl0V=xBAX;02Rz3;O
z_E_3eV16e(eHWUL@glzI6s41Oucyhdw-zOL9Cd(tRrPlD^L184D>d3BHM7Q~c{x9L
zWnz*fWFQgCS#t5qQtLL!5m;JtNbSp*1+)xooy=d?7|$nGxHb-HKto!-qfBBMpvy(r
zV}5`}c-kr43v^B6L^{=LhpMLjHOZJ(DXZA2h#9UT<s%ON>hs&?eRaQy9V+^gxM>Jf
z^nFoG!_iH<)~jVa-Aw^*sCYXna4mr9&D;A<1*8Sn_^!nf;@-XMj0)W{#27PPGGr&b
zz9P>y5i@43#=mR12iOo_yjN}_O)ogQaI9z*n}i<+EQH)u$oaa~a|auFp3v0u`i7T0
z=vd%HlYhy80!iStMVcLbT^rKQ?_xH@j9eC-7tX&~WA=X2i-z^Lk8E62mA)O4)`^mQ
z!wW-{<(8t=?KI%{uOl(FJTO%A5;&iaGe5yb=xs2aB*{^3Z6nydW(MVMQyPJZsidha
z<JL$mJ5SLntSC+Ji%Rgo8Tfu!irQJZEqM%45_aG5+O|zGtr?Ndt`tS2>Pvq-$g|;R
zgiVBBzUIYSGX$ydZlp>Tce*$9SW~}(1_<7?40C;gi(PQ)w@1$^Ytod&?HxEf-YlD9
zz2lO23yi<{vPS-e8z~-yyk$K4rg7>|C`8+4{Fo@#`m(X~cC*@s(^^fN6O|5sg$F9>
zI7{+O`%5%9A3W9iqUKv9{wzfEGe#dCgWk|VW_gtAhxa<!pdPD!v8z`g5Oy<|Ntb}K
zvW>qiB^Fg~roX+!&J|oEjRC`54&47FtQ#}lEPSKmU?5B{djoaA+~YMN>USgMew*ST
zLjqd+_<myhSdAcldd7H0mqn5@(0Fz)8y6<TpwKbE<`6C9>?A9Az~{SKBaxeu1yGtQ
z)c*F#g*DZ)D#wvp`Y=2~rm3TviJE4YxRaM2UKY0YNt50HHFS0LF$)BrF`k)rk`@ab
zi@Ba+q{o}4E#<hYgXc#qd4HHjEUW+2>ZfIx6zZ$hPl@9{8TL>~2x7TzeCgZPEC0&n
zKkg6A66W0P;B#@+>1h|vTk{az8*p92AQPXB$Pp-I4sW6Qxo+?x;$SiYg`%2|y_vLz
zcuiG?)>Rk04Vh{`J`N;mvzLevKJWg%&8Z~(sb}`tS=Es4&DpdgV9DRlj4*h~OrVL=
z7DsZN4^<B}3t#+wW<4N*s$_z}i7k(?N@nGkE#H2sdo>B1nQyc3LTp^A=Tlo84nQ^*
zINmOzVQuqP*lqH(st*JT(Vy;ZC{*pBLSNdOEf{8gadR5>EZU<<DD@sWv0ga<-jqx8
z`FdpY;}L&e`4<L+$!5Bvl8QxlgOh`9!!=|8SbBq2Gv_fgQ9To?L*Pl~%rz34fb+;Z
zWVz?AEPpJRrfy=$)4G%}z?H5q97045-2fnuq<$UY#gC58&zIgErl-0y4=coP6sAOK
zj?l6Pz8$YR)kNKzvziC=B@oJX|3J-rNv=%3PZJy}$vM3I%iXK-)<fNO30b$8(V)Q;
zMq->}X1Wy%)}1*{J#oS_K(K33XL>X`HtUMi^nFi3Mjd;qEn3gXPv51UftHhz#h-pC
z{db{ut@ri!iEtVWB-JFEBVwpA>^WpJ1nf<2>YEd`28Nv=AZj~V1+7QX2;e!0)ipzk
z^ndl528l=Q0`mWYY$=0*6Be#j2Q}idh5CMwQ{YX*R^E0@UuH&Ab<(`48f%t)?zNHE
z9~c?EskJVY_C%1%!3FMndCR)JnMH1ZgaJT2zRpUNcw$gaBJwdh)tNQpfhVuL#L2#u
z^YKQ;BOfu$))1%n>uH*ZRkO|ya5@zFHy>i6Q%MSKQm7gI6|@<?ImBG4`b`h>*_J=Y
zNPLp@!r2b4tPHP|SaLWE2_VJ&{+Rp^gTwZ&OUC0`gF4n&5UCrd&+7U;O(rw5|DLGC
zE8wpeI|zIc^bhoGU3s2;0rxbkS#G;<_m5Bw6rRWcXXMYXgegJ~?8>;Wekk|`97srg
z!sqi_z{_jS&yk@Q1z|Xw%d0!i1_jj4*EGDx=we&hBaDkKT6!-fs?}U)j}z`WzwrJt
zhknv9wkZ(BaI5-$%hYw%{LU1`tM%qe9rHuefHBh0ysl#VgV#mLJ<pHw0gj~3rB>wF
z{Q_q_7rEZ@h>q@l^^|in^@gVU=wyZ0n!^!FPTaP+n~92=wpJTNB_kzQ?3iul9WTC|
zx%^$Zo*>oF2jBekGhC4oNTnAwn8Z2f$$xPVflq#rn{x}b_z~{8WWuTUO~Xy)w3p$k
z`tjF+XMv>U)E*b0!LU}^1`mVI*&}~tFV2p#6OI*cI-j}gnex-vN=+YlTacTO-C+ap
ziBYoM!N~L)Z0?X3vQ_#fea6nG<0|3PbIIrU`}O*&tWOYJb}QG-OsYaPlHF<LC4sSy
z$?GV8%tqms(20)C>;UCj!K?3So0i^L(?tNI{UwE%kcnRRXTpZN^$B<0k#_qf8_Vtx
zRTUU^+oSWi|MMh8b7ien0$_cR><<PD*~iGYbgMfP`m})AD<_O=A8GxtRm|<9M?vjv
z(2GmSm$XHfk68^e^HjEro=R|zTBti&L&6BLAA}q7bDrnud`d2`;a7W6FUT-WD@qq^
zG`oAtm@wiyCRu8q8{m1vCF^RmaHZJCDU0=4V{4f{`#<q)Wun9Lsw|^P2+J)br>R$O
zvX$`XewWt9pKq!e#?)DqbhfJM>V1on6Vj8J>@kHqOS+N{a;Hde(yns8ZI^r$w;Wy2
z&8~hvql%=P;%zbE^T_cpdpDW8ABqnn3m=dmpVu*5BPXh`DiG~y#~ooELoMWH9vEDb
zABy(+4eBSr4FS9fktPRnJuQZ=+M8dwg34K7rb!k4mH&UNn8@L{)`xe=(&Z&@%%}x{
zM+ESmv6{HW!HDvbpF7^h=VYKjwS+fd+<0%fb36hRV0S3YIGI1jZf_o>CI61=ulvm^
zVCKso8~&-m5`WfcS<Jy8ca5sK=JPJ9iGi#i4Y0QGVLwo&<9?`O^+KhscuHF$y@7cv
zV`P4h70YCQYYzCUk;O-QJMlEykYV@kx+?-A{@f|Dhh>YU{U!ig&$fxwgryCbPW|nq
zC&E$pE7G84B?+MgCg&!zNozJ18a$J%DT)4?(0R+wS(m1o-pIB&6SW1W^yTRO?_<ol
zfFn#~&f>=i29>FIuTsz%&u@tsR^jRs=B5|tuMTs^WxXEeKVmNSWVog|?mehl_`R3T
zgp%B`o_7B1Rvb;jU|6BT`Ug+u+K7y}&Vd^jy;=z#u>{RqrtiCHFC{VsoQ!Na5o6Mm
zdJ;RQdn;HTqwIjlU~Nv3`de6df#5w)IeuV5?{L+#y7Jl09?L*POPlzjhV#~-8Za`j
znwmYRwbc&OmTc%H1;jh2L9-YgtMTq<e78F4HdF#M!SH#xJzUis+k6Wi?l3}a)C7zm
zxcuGeF=1u{$*prPnW8W=dq^F-q~JB55r=wX?YG8|T2W8?aAsQ7d^H>eKDw-aME4jm
zn)K{D=!1WF+@Y9yX}3tll_IX$4Yvwyf^6@T9_wE8=lH*6k;QxEWZ@>!XCYzir-#&g
z45p-G{!-IBP8}5ZXtP{hVeMA5-Ndye?BcYi6`M)s-wa8${Jz=C(XGyu1j{=P0~~|x
z<&n(XWi(7yQ(}>(G<;i-sD940lu!3&q6~jQb7fC1l(NV8z@tU<Nl_g2dcoQAg$I|z
zSig^3&8spP&?m*SCuLjTg4PoaIwIU_(uCy<Q^LK)y5XC%qM~B6JVnQ~O-nuhC4g*a
z{e3^En?z=0oz-gIn7oS!fGLuhS1u!a2Qszg+SFTYN6tMTmRT!0SA6g_%2ah0eKFw-
z$^2SIPBh)N!O&8xtQxr6w=-%LHzE94Te@Z#S&e_H6rqa)_AK_Bc9bP}^!eCC8Z49H
z?I~IvZ?tY%gVb$`?E)MmHo)JD?Ru*=P>eZUCn_^LwO<PT)D~YFk0c-5m<+Tgf2-~~
zXjWG1;0O(na9GD!S!3_F)|`_Kw`6r+M)Zc(+kqBMwc>zY9*2?=e8Go~?SuFuPV6X$
zmMXX7Os;DH;dQGx^yTJ_CDXhl<5`(SXHM76KrEn1goVAYVM~R<wY%pG{=Xig>A(y3
z7oilhy0rUkuBy@u(dWZ7qK4)cmo@hYY8ySH198?gannm`Z6%lWh2I#)h(wrMi5x1R
z%SQK@AVBjPBJgVn9lRwcWtev9{YB*&OxVzH&jJ~eyVK8O%49}LP>5c~vOl_vRC1`$
z!N=T(DbbH-1FFQe?#QAM@Z{Lc88@{HU5`IoI(E9@x@~Jw`IJh9z&clbSmjc_bK;5k
zB~^}8n*gMEp)t6GreF|NJ3l@nmS(NZ1By;FSg+^>PoTwDzn_$LzitP!!5WH!gl-yQ
zvh6?*9$|Mn0JO~&BPQ;6cdtA3OD!=Tu^Vlb8-fV1_IcB4($-5M;6mzw`;UpP=FkJ%
z9o_JSK_rvj!^!V%iC==`*jqo-KDJO@Je%U<x#D5T5Y+I4Nj9mT$)~W{g)~&9OB^Kc
zAtk<iNT3Xh{Lf;Pr=VHxgwFq_<AADe&v_im6S8a+4G!QH%LNo@A>I%dr+s)LzK@#F
zsO_4*awsWl7j)H%yeY~rw8$uZ$R>Slp)}9ff#g#m#LU8M`di}GXU2oVa}GO$s{EbW
zXtwx!#+P5}sdG!TZhNUB<AVdIHOZeKY}awUTj8x=X_V{JoVnqmfDn(k8jx>?p1CkM
z+Hw35$<A3VWV0m{?9#R1gVLWu*+p8BdCH?~P>3IXI}ZRol5VzH(DG#!<^(t~_n<Z<
zBn9SXkvU&CTm}z#{VUuIFA+$6o`P-Dx9yTr(kOnopQo$hJLrv2SgX4g<-y`LzT>``
zmyD*VLt65m4&o0$<3?`>@595VaTR=(VI3AqzQAOlutT*Z(8ihooes1OxBjPS#gCh1
zy>6^tHT6psy;#r}ccRNTBv522JKU_ZH9WHyN*zh4KA4zc!2%8Yy8-g(2N%K3g?~U3
zF>5Hl4%!cK12Q6A&NO$fwtNX@+iH3y0NJ%{n5z9{#^LjLUWdiY3Afs*ncA2G4F9T?
z<|%D@>Vgb@fJU&wY85awG8fsYh3s5#Cv?rP%^s3tyQE5QQg~TI{@3qk#?uBFzoTn5
zS1zZ3QzXESj-E|(&%O=#S51BFnOF#<JQLoUV^9p}c*D9gWC5aj<6c>7bXB8vJQ9Ww
zH)8vv3f<2_+nt)Kjt?Tr3%`W6k5i3_;J$b)ZxZ!0HH0rd@^2h?f-}qHMEy7;9gAo?
zb0$0rQo^Car@2CMP!Lu~h*n??6et>87y~K@4tOh)QaTf`FN+ZAQ3|ztZApM@39xmW
z+9U=$1xTg#q;3VPr>g7bB2U-|i*3a><i)GhyxA&8Hcl3m94bdT^@Q0nUW{21dtaKH
zT`hUWle3ZT&bL3&8r0rdu+*j;xT^BkhGoZ0-GQfk>i#2Z3vMfOr_}MX<@9*jOrfa%
z_S$7dr;ZNO-{q^Zev4APoEn#UQ;hYxpTp|c1e&C04+f~q(-7>B_5bV8>M?iFzzF>l
zR*%N4s}?tqS1T9Gm9O=2dWYI>y}ebN6%0~HDUFN!biL{l&S1QSc=K-N+oJkk3L&}s
zaT+>HW3~2jLBJ))Ml3IF6v{EM+KwwitgWkT1N*@@v@-OMGcYopU2xMH4D8Sw@ukXI
zYm`0znWubbCIqv_7L2m})CBnfAaCw}7~zlLAjUl_uy11BoVOg{AN4U$YY>+RNq>#N
z|5H=5`242Tret61x3i|v>3xAmH$|Y`xrDnt%e@q!ujVQ%PbBRK{~nZHfYB3)AEynq
z&x%5C`^pP!qWH8?Qr3+Asmx{`N);X$!JwE+Z6#~HFT#+PnDSawi#(Hxc;b`k4%mHC
z-cQcc5uArL>w9sMu@^Es<)oGa+fj2mgi>_Ooir0(mGFOA_;JmZwLH!CHPN*pcf=~t
zYZT$&8Vz*{EaG(=ax?H;8T=Koe}8piH_AkdqmifH{+NxA`$F~OS@4q=m)O&j8y_p(
z6W?o=CZ7LI;il#K0I2=@xc1oo_xu^QmnrS<zULmyjtTbKq*KZBVL#;*n~#Esc2s@J
z6?O5|oL~06yB-#%khG;f(>kR(wqxrsmG)g^<n2=Nv$%L_@Wf<3oXU8P*El7aG>lml
z*lNUm1BvZgF5T`X=~=2iNr{`_6%oaVE+r7uhReN7^DP8mpIho3NUyH^9swE`;)`vE
zQTkR*h)LA;0l`@ks@=LFVMiNFjCj9Q9MSoI;(Ag-Z6Lq$nelr6gR8xq4aP^w?rR{o
z?NA6Y+}<}PN4(q9OEesgo*RW&w$2yvd*F|H6-BUS7LzDaK;AsON+KGJQ8Wr4OvmQ!
zgslY>Px|3S^L;c`wwqKMa`9)YD-inn7;8I&O8yY28Pp2p!r=sI2|_v4!c!|pHTk7>
zh<uJqEq}{TxBOY&FDi$AfcjRlqH0Z(37Gf1*LT9(k_0b)r*?Yq61g$;`EK*^jw%G~
zJm|sA>c@lG6Q}4qO22l@zfL##FDds99X3sp`OTkW*Vc&L4<!`))j3|A`IAmA73`Pj
zDqqL&*jDx=oody5`PM8Ov~M?seI#Wy>wV;NK~L!z0@_wMD|l_DYL(FEE|i=VsJ|+S
z;*{j{Wir0vqNkW!Vbf<PxBE<5gx~13rfZ1ie+^|bu5{GbQF2<!%%!zt)#@TFeB;_6
ziHp%LgD^<%u~yb;%T)2;9BwCYDRwF7R1-HPoVoj*c{4Eacfr{od6?b)16A+1G-&XH
zdi4{EDjQh;un}}itETwo-H5u>wGVM2A(3A3+s5&Szj}em*|v9&xnH8Pp0+w?svcNu
z9S;5Ye`u|~p_*}_ra|g*5Fq&|P_ZYQalt+_@~=1D1EBE>)JJFzwE?Gl-v~gAI?Qc9
z_n;yTMpKzW!0@D>-2UIyUxAY2=h(<4G{4g7G~g}HH0d|l%q6L55K8<BCeEOt#&*QE
z`8W3Gv#0}(nIBvAXw%!%2>Z$%OwNR1-VBI`*~3ixGcj~O&a6IVRr0MYPK8Nyf^F%?
z;6Vn!bm29hkxpyLO{1}vfv{*|;YLV`MyjY`huv|<mONk2;Wsq0zQY=1U!8=?pR@Jc
zKh%HijMVi^ILahXl}i9>#C{F*3wkGf5AEPc(*-ZOkLfO&e3m;2sN+0s)B-HhbVVy(
zvE5n^>y^>xyNO?S8ZITw;+Pfgi1tn;-k!bVD_wqQ>-oUyj?YiHh~$doe!300&8DWA
zR3_g&DOJ-9!K+)S)QjAHZq(GNwW5|En;lF`8=i7#X&o$J$&zXkR<-!;6X>VH^nvpv
z=3C%JoLCLD>$@C1#Be&v;AIrL$UM^)j<3Is%Waw8Z${hv`F~OhS77V?UQ?s<w?$OV
zj1YKcW<=Vb3hx%=!=<#1cr~2WQ5(QNi-SzuD%5qRp8#H6Eg_9Uo<qhG?f$fdtz<5I
zIV-zPae~a46#VfHYQ+|N1bJ68zu!<FT`nU>k>L^M4_>#utB(g2$u?I`=;E^8nREM5
zO5GKJPsJBvXyqnr;Z;D6y{wG09?^-CVLGI8x^z+$cSQ|r-%7}R=v27Dysmb1!ZXJs
z4kMs{m%^~#%Lm4baUeYR;n48?Q$LR8o4v(92bMsd{HJfnBN8pfuLkqhN@imrVcARL
zXJfwbbLwAyB^1U`?C>FEwD$VsjZsMK{4%esmcTzodl5LSyCmT%Z1`nGwR(~6#(1Pt
z8tqjUgDTA9ezsE4S+Vz;!nd~zn8~J#BP0@AMHWm+$!GB;IfVP3$k%n2-*HCO4^Mw#
z4SfD~L6EvUzRcwf9m)C9drUWaD`Hc{BLNC<FH_@hH!mZO7Q)^|q^=Gh6&08X>z6g<
zae+45Qc3H|z1;Uo!q4UeN(Bp}PNG}9H(%KJY;dTaDxtl=VWbek$z~N@S4pCDYRIzS
z%oV;}N00ClbpO9%?_Ke$C0+L;vKV1HQN43a3p$jD@6=q@4!)V%+_v8%=}ujP%g|uO
zBe3IV*>^7c0}an+IZ*qNn(*><{gw>rl~c+lTNRkF6BqUKYZQ-@J_^@YF;P)eFP8q6
zM?wIvpFObgmW_Tm_QALT@l9arqE?vEvPqpZ)1PV)P~_8SL1%yCKwZtE647A)R}mJy
z-ifSrHL1w~jiP71p4C%MP{E0#{7Ui9eAj=WQGlK%*DXN7Zbt$<JUb}kZsQOB5Xsvh
zdM)E#=3pf4!{=WzUN0#r-h4(c&i3b41+EY7>7rtsvCAZtU~Bx+Xj)3*$?|bQ`n!Xb
z@Dy5l_J)%2TCeiGOW<K-b9JgI#PACs$aKC4e9xTM%-5@C&5J(!OlpFFH@@`i{P9A9
zqBv`=XL@6P;fPG4#$hvP{vkJa4lnLNzvExe;JEZ;IKFhgj+^E{w&2(k(m{vzDmYp$
z`P26gNmdM)b?GRpXS~?%9qQ7J>fY`G(iyfgwhJyMu(uE0Fyw9AXpIcT&fQ77`1{;;
zB4RBFil7kiXD{ym;4S-K_7-@`xXRZ^LD}{3LALCL{j^VICQPSssy}f3hW>YhI-$Dq
zx$sK!xAV<XmwG~zJq{{H>o#qZ-5QEsm@nl%9Ah7b^8v#|%io}8SksgGihf_`5fx*p
zX2^MJ%48|5lWEjE+E)|2y>%rweQ_u$RWW7p!*rOecY^s{*Up-35WGE;m$4vm%Y{fw
zNhPLGAkr?HsZ5c@-6>psR(}&fGuh(021LY{556WWn1)Jj7MSW@xk#pxQj2SpSmE97
z(Z1;KY|K~6KdF=72l@*PvYFSJqqJ7NBDMhAR>B%!!Sbm}Pf()5bIUl<R4by2q!T(8
zqx9lU7VGuQklmPHB@h5#VfRi?B~!z=PPcD|FTrcqcvz?Kqy8Tl!?;dW*pFUfLPdqw
zYU6rn;7$fWC1abDQD}Jk|1s9y7hBnmX6l)Sp`+nriP%;=CI2wUj^aMkP6pVt`?A3-
zxs?cijDV`tRL<SCfC8;r$@m-h(Jh54VvV2L1f8{=$RoTE(4}1c{}VFm3ql42s7{2p
zRGw1U3-*@-r+;Mq*qr9#8K8EnYN)n%YiF^p4G{e4>7@970T<SR)6N7F=;6OWs-suE
zV~SF7Uf@g_;rfn$ujSrjr5k}Y_GV8jIx{vn@&OANTk}aG3XXf#&3qbX_`TNrD_?Dg
za<cXvZtN0_GY44WkR*GcR4RFpwq!~pPC8(bv5ikR9{c7V3kT}<X;z5)6KA9vU!HaM
z?j0HIbV2q8N&jRN1VJ4UcR-}*MZ+VDWm#C(q8qFFI94oWSYawuI;p6h|F~k&H8)W;
zxI+{+uDP$p$QNeO@${-7-5vMN{2QHLb)T%Kow(1#e<jc$`xWT4W`zVQBsiS?5lPW>
zHC)Vt+hWJs{zQfOgj8hHsy4!BencYF$mFW4FkCwxp#R!^#5p%H;W@C|Nt0DX1+6GP
ziiycS`0>eI{+{IDDkdvk&D{Hue_NvBA1Ne%JfLo2pvFak&XAkYGQ6Uy(I)HYw;lo9
zwwFn`!hf{%>7$#62UR?7S!~3rhDHu0;+?OSFn$|5YoqsdgyU14s7+jR8}iWqnd(?z
z=f`h{pdl67Z%>NIZH=hok+piXP3W7}jluE;!;J0EQ}tMgTYY|<du-gguUgT@OvS2$
z;U~=d1TCEaaHFxWXsQ-uc8D2TQLxnl2MMY>cYa#<;J?d<*2GHCsCD^ah#R#3DbSzB
z_mPjjCvf%z6ispEl{YpNHoZEp+NDV?(h5`fViZ+W$<F2#Trmt%P+zKfFzUj8X!lPx
z5#`PgGkS1+k&+k$@O{<kWWnia6`NSFntNVuh>f~+G@xcQ-_OKs*wP3jU<&#28Yiz`
zTPl4f>#!-4T}v3FVk(W}B7H<zR!Ey<r{s)hQSeIu8GV$d%={zROB-#!Q~l=Ryuoz`
zS9xHn_i`*WZg*f}Y+a-<N-7idGg+qP`kL&FQJt+>&1W;#u2u}1rK1cxK|5e{cGT|9
z5WbGCSpIGzS_}@yVrQ&yhbeysK6-ZzP+8&#DzD)Y)I3CFs<QBzdFPyPR6R&mdcn%u
zLfE_mn_z6Wd4SsOG^(S{NCeHeO11#PS>*mtoNyO$zo)PW%USc@9o?VvavQk;$j3+~
z#3n~j<DopaC{vJt6}<i(h`;RQs>ahAZH(;TdBwznx*)N;oBKf6-R!xzv;?V~>|BCr
z!z~3RbW7AE8Tm;SZ(!K<VXyO-;%}PQy80umQ$6E*;k{)bSx3CdnX<AX8%lgOX7Y0H
zvA7nqRhEKbFFyv>NTfuZh#5YzA<nr=YYQz||H?L{$YA)zq1tV;p>LX)^4NND!AlA+
zeJ+bj0hvk-xbm#^`X_W4AqYe=8ghfj=jX$^D++%OcuDw>_E_5MkCZWx=C>KaBj>l%
z18+ibt1Aly!k>-p%-G%PLbmq%p6z>rRRSWYPJkBaUVpNufOgjZmELYSNoFMTS5CT7
z$^b95Q)e=KACg*9PUImvbV_ZA7Df=(`CP*qVZ;hM2|LwGJ1q!tIn61Ec&762d#mC3
zwFq(P@G%4o%NIO4O`zHc{)mFI!RUX<h^uFR4PMP5dju(+AK8#AE!rMYp$sCn=MRJ3
z?pR>Y3MiwySUrNJy&Ots+V+20fIBdq=w5FV_B=l7ijDgJ4Nflim7Rp1@9I8sW48^q
zZ{1BV;8GrQiO~2%ed+M~s;AYl=LW6Vx$TLz9ov!@hl%zcqI!7pdxj`tC;-_MR(Dvr
z{nuoZVOv9>J7LQ{uYa;KWzq6g_`q6Pd&0XV3><U98(tVC1Z3EQKr>3EqO)aPEFONr
z{4<v{s@LtgJNXSulk{Sgy~le}@^EMJy1K%N?Xc%qG^ooJS@ts!8Nf^%lo?SoQa8o1
zM23O3zy*??`#ZExJliWR<Pl7K-;K7a+36oTQObBQg2K!rY_c&^v!4;`=e+H&))-x!
zE3$&c>F(#Midq{D$7!Xx)xLgr<ZRD+iu`VJZ=E%gn-;)Pnn~S0FZM+6xt4pHxkeyZ
z2x+<&t>@d#pV@#^vO;RpK3SO6AVvK2XU$bc_edBb58f1%FDFeFItX|DP1L9lflpZg
z+xoXmNtLrp$0+5jL5}OKBQlZc(>T2ihV%LG87hOQE@b%NsX^`E7jq33KFW7&1ZgI>
zH=;-x>4xt33kqIw8M{4s5k41Cc>(1d`-ZJC?D+RG1rNMo7#>li>DXS9m`qka7!N%8
zr}2B+?<}ZMWp;sz{*U3V?&oWSf=~N(H5ByRWD0oxMgA=XpIFW|g6$wjXm!sryH7l7
zdZF8N`FOtluh$!jQj|Adga1FW-aDx2sOuJ1L<Lci4$>5)gP}+WN>L;<fq)P?p@Y&9
zfzSn|gb*SEQUxhe5;{_p4hf+brT2~k0YdM5@p<RD@4fTQnaSj@Omgx&XYalCUTZ-`
zxPx<o?3D;@%4s%C;i^?CUP*>C^DAb&<CU6}2re6JPzNII3PHM?Cw*k%D{(+b06HV0
zd!OE1^1LOhld;i;yL+#uv7HN`P(N;lZ_+<W#@bd1PJXnox|!cV_NBOK82Ec)Y?Rf4
zNxSuQ4C&J6mW*PXnLil<2}3-(QEf`hdNdZNQ!{5%N=-_H{l@x(K{!QNVwy_m5XB&a
zv;LN?%Zb<CvhVHbSS<ogd=xyJ`Obx?5Wi*sTZYDG-b3r{HZYC`O85G916_F$u1t7(
z$a|ozfIdOvMx9W0Ngc!MKb}r~>`8OIL3`poK|{~^-ng|cS+F+4=Ljc*ZT4%|Pjn?#
zT&{&z94|-7>`j*(+tIY?$$w^baZOgtEzIO4rjz%cY&9f6)-9>=KAE`KxvEZfuX1ff
z<--E^EGkQ8+@GIdu_dl#svwd`&I-G8819@U)~Azp^BzVf`ur@IctoQ;k?j?A_^yH2
z^1CSJF~;juekP^;?UZ5TPk4OE_WZ#sEn@iWTfw$X3}xQN`<2GoFrrQHHVF^-h&mk!
z%X>0KiXoB(SNu;lHqSSH`JJCK89Mv3^tZ!D_jB)ov`9US68%Ae8|d>tfy7p_ca}~s
zYC2YCs5)Xi&`dzz2?DLynydq2Tr0-ShE%&R*W?oJ3iEt~$%ofn`oR!`btGFt>a%0X
zDxwap3K$WljAlP5oljjc%+dK^tFP6+k|ZdULBC`6+@a+uV>O0326r7@i|T!T)MBmW
zA;NB0zdmkFSa6324r<5PEHnK<MvkadWd^1zV!RCl%<)%_icK=0sd7P8r3o{0gHNDt
zA68~9DOM4Tye%JOGN&W>Zd5>I;~BmS05jtZ>@w(S>n!IJby9C}T}BrhzQ5N3ET1x+
zth+pi92^7~82Qtz+7Z*=G-`0wkdbdZE0QY&R~f<%6adh&B$yd*;X!-TSMa3wElj;%
zh*03p&!!$(Q>nW91_4mIl+p~1SVJ}+*NTuP45a|>cLS<%sv(fLOx7zI{^nFtUln-9
zKJ)7A;xKfa&f;y^f-d^-XkSY4Y}R|tbmnoL7r714`kQ(~#A0uC|9bFYy7!sa2&$>!
z)x_EOneXm^s!U%s_D*tt=@fmMw@A<l=sze@>qSpr7^zmcxd83ce3jb;65J*=v2sCJ
zi3oHJ+RSqrE=!kx?|LIN?r52*@z{wNmvLNi|5-n-X<~Z63MuWoUN-ZC_`rl^ueRwh
z0egW7JnFK5$t{m@ADvD#9;LpysjnUT`N<Pab``W=fsn7o8{>)fpR2!5c*e;y1hqBO
zw$0CmB6Lx#U)<;Y6pzb4u0f>%n=edpL)f8M9e<9SPC;u7YpbFGyfLv;raw0DsCf&~
z?a|5jkL^2L$)5NP4fYsbJZb1zQndfho@>|OQ9-N74MW^$>+t+Q@j(MoF;(ECzg1%X
z!x`7+<6<v%Zi(U;3(_Wq&uPMA$g7sHh&HTp*o`-1k;*zs5qB@Gi#po?Q*^?D9f-m}
zsWL<DGGO|RyI+##E)|UGzivf#o4yTaw?^$)S+#{ShdpEL$m)qJA%${%VVUS)r{QOJ
zVm}I%0qqr0wFP|7RH3oJlWE*Tya5`8xEfWC1UOXeara1gwjt#hd=y~AKyAojBfJa(
z*7Pvyc24w*c)&r`#u2mMwdLwEVhwG2Lw{@Q=cZwd@)Ro?Xv1gY$G&&(aUacbyY>b4
zR*Z9Q!Xrvk$rB)fUkmakJ}0k99!%>~=EV&7uGD|4C(A*;wrJSy?D&}6?nV(z{)5`z
z5~bNMxX((ETIj&t>~Uj<FKp>NoWuh)XYL_(7%^L!sW9)ybd)0()akyARVMYxOD{Br
zSfi*AV(oRmH&d8i$iFmZF;AW`c9SSV!8*~iS0bP`R~P+0YqUbstb#VnBwkivWEbXw
z3RIEPMxo#kCg=VPW|4IO9&*Pfot+SZ(w+Ou6zuEt+#{gUJApIb;@-jYfdXsO&$M@t
zugt#!N+FCoM}rpj8H=6!YMj@UlquP46Z$2e*R6^6?s~6&o7FhgL0)cFqT@@ku=Rg1
zstojf7V^yDwjui+0cu!&Hk|h%=waXepW&hO6V67SZ_4ob+Q*uE)PURCI7d<vCmaP%
zi<)glJP;PviJvFQYC|b{Z!lEGD$gfYk0tfdv7avsbusZ~-Ky@PtQBlF7zs)7-<#&G
zoSJ(8@}l1@bWq6t;=L+g{UvQXK#wl1;cu$z@buAswP=vH*_k2U!F==a|I6SHx8(1h
z?K#7B#p^L)&90o~j9(m2G-^S-Y<Don4hdBdqSJ#QZ0PUmv$)`2)7#53RpippHPg5&
z-8J>GLqo~xLF%X3|L~C#>vrvkE@Ty}oVW<=Hfqlkgw)b&aGv+8G>OBMsW^Vc%os6}
z8f^8?z@hX9SVw!Pp~&Sf2Bj<pR&O-v{sRoAZDXJ0q(&yhp0#^}rSH+OMkT5!m>NVQ
z9L)g5?&q<iwv*iq+>9g2+IL7;s<_w`Q@qZF=uYw&;v5O`_nNYLf~Topb2JBYu<!Jh
z=S9mEN?w5LWNNEJSE?AaH3Oj6byH)%&gU%CSu#egbMbBLI_Yw!OJP$r_?n|#FRfD2
z08*kDR43qBna7i@<H%b8WA~YCAiBzs#uRV1uXXK)?(|=N?O%?qb6QBSqV_7kPFZQ*
zhK(~Eg;BaX@_f<fd)IK%vF6g%gu{xSev!|@KM*U7E|b}$w>i}%^!wUMu3lJEF&L%%
zl1HJP$GQNyQ!<<3?2s1Zcf@`WH9JW38+kG_tu4Qo{tG9p5D_;!DBvd!7VsC{zUAhp
zcbqgr4sq`}8?zrYkkua;#N5c!S;Ta5X#0u#`DgcJ^Z5P#F_~9#*5_2LK2h@X8DW-8
zcGIh!ZDslHR9p{SKhGsUB=>GtxplK;d;DBw9YdW92Q)i!l>}i&lVfXQk6(<v&nPf?
zgxT9lF&qJd=HLU=H;M^GkYb0T4d~|0qHP6e-h^CPuq(k!Qt@bZs3KNv!5oW28TJX!
zXOK7n*W_Gh5x^+Z=wAH1CbcB|)`^`zPx@DJ2kl&ti5(ZSly{>Ed;3(sYr2fZ!qI-C
zNM00=hk6kklcMnLED+Z6+j0Z^H5@GX@^;rJ3;TFgg#;V@dj|MB+Sc|m0;BD)wBSWt
z<oX0WA=^b)T&0G@5kEB=eu5Eorp*)mi;BFKFxq_e{#nIQT(p^}rKsJe{Y!7b3x_-e
zt7m1BhhFz`n~VH<h1O&GY<M8rSsNCOsWI@-?NF~l_&LcUS7JTNljPD$46i2q8<8hY
zADlPrS5?>BY(IIIJ3EL+R0PixCa(0!=1na<BqVAB$3V2F1rguT7aar^Rbu@`IRg(g
zV3<sy_)SZDHkRSULS~KKX&{#e_WsiV#cEEUNzN{DpMk$xZs)<{CkpQ8#fZqm+r=4y
zhrHu?WKwDWG<jOvyb0cPCFpxS*?D(t=#Utf%JVshOu(4&J3X(41V6^D)b0lwp45*t
z<bHWOQv3OIdf~5EN$_+3KL7K4bH6dWztj~k^TJg4ZQo|DRR^CyiJjQu8=Fy-d8&%b
zWyJbT|6oV|2M<^@y;Jo)mHLv=a9r!eK=lu;*EJidJAI0c^&2QRM;42>9*-Me=3PO#
z-mqq9mH2i$(lHNTiORB-h+kE_`<wS2=JV1xVc|BH3}W0r>zyIi&&#!qJ3*}}@O}&(
zTMUkpOmO%2yBJslxu4q`UX2T}tH~Dfq;R_9K@I4whkrNfJj^3NRF+vt)M4MYv4%4u
zg(~iy%dtgB@ag*4?_)qYsU`~R`@<4PRzH?7(4EmeFBs1eAK(AAC8Tss;3=h)=UpUa
zT9VWySwRsBW`Py&1(a!Oi%PJ(G7w08-uJ>5I)`L<<=y?3@&)ah=#d`{b6oP?+?V!k
zAX`GbuXfFVElJXEib2vF_q1QaRc;LNNOM?DWyu$g%i4B{y^EG{6~aBE!?A0kFB%^7
zpTDw+v{uwG;jpONmrr!p-U9YQBU6V?rS2w1Sf9`aZ9ONl_4#?%p6(<@EGK{6UIJMB
z7)0i&ivOYf^Nc(V*DJfSzI$~JGm|HOM&{@>oN>+pzI}O9tv4<LJOAaKxPVT~g_4X{
zN@Sr_-pc*F-99_IBKr<@F!C%{`t}QmE7`Sos<>@4aMM%e#E|U0TWU0Z5JEVwC5U}U
zC<#6zBiEZJ&ktNy6#j>tQC#=^XDMk6`OuLp%+V-+TE4n{um4V1G$8PA7qJZOA5gpK
znfSpRY~3Su(ONN14#$<|K4*Kb+-m`Idp|u}TxpukDH}%WwN0r`cm>q*a4nhM5U&z+
zq!msPBdxE09bD<Ba!0iRuFUQo^Fx<g_!ox<3ezYRQ<)7TqD@@9)5qe+^0pFkl9h3h
z?;LClJghR@i6!S;e^V#?LNzjeu3QX|cn0jd5>un)7Oq6G%*tQ4wh0-$P50-i>HI~E
zLa8(tjyq-r|B{KfF4%bHjfHM-yN~=v{&ClGCH@78QyV6UQgZ@+^f5<hO&Xw_EWrq4
z)Q=k!j%U^ur^y<_9FfWHnICdj!}FPq87;Hfb*t{{7fW&d`7K1ko$CMvFAn<3S?;E|
zbfs(T9CrZKqXCnn@EERZ$+J1uV@OZHM!hxW)4O^e7e_0@4w|7#eHR%%d)i8W;Z54V
z9~SKZz8+5&cDaqx#8-Ln0%VrwKbe!N&u;TijMtUx<G%jZmajae;<Py__NlLx-wa!+
z0tAwf57!|9EejL8+@u|(1x)Y4D<J*9ES?R-d#_IuuD?sp$4jaW>sO`cY}5e937-G1
z8-IF(<vw)Kt_|@y_YX_4yf1@)5uJ7Ai8w<@>eqV?Xuy}?bMBI*c(i=OL4SlCydd#m
z<Azs>8^HfaWE^U76vf`y=eu9Q+&FqjoH-}97JQ>&=RV$2WkwqoFMN-yj;UZt@@$wx
zKw;(bem`GP)=jlj*Ou|0q@Db&mD)UbPW=8`+dM4>XTikTyr}l-$;&?5ot}m}6(<#d
zmGZSHAAQICb_Mh<CM7{OoG?{tJ{azSH>tN+IIy>?GFXFiC5F8ho1cV`{c4?egX<Ji
zXC$rT1$c}&Y&{BA7ex(t&vn^oZKh6}Ihxl9r<<g(SEt<&-YUcOz0;_&_Y%=Hn8Sri
zXl3=?S~-C|!GcO%zvjp@(@pnIF0t)vFXz>+epGYcR(n%5D#4n4F0x<nfrU?c8U(5t
zEtqN$ozpZnOZZXN2NF*x(rpx7&c9?vFq1307FQrseeSy-#P9UJAsY6oy<>X9ou_dj
zExsMvoWj6J19lX1V0Ymw)=$+P;GfuqfAI~5RQfP^8ZC|1jv4ND*&R|17P$qkx!4z_
zlom(jr^bF^O+Vod{&sfGU1ys9=J8Ry-uO=X$-4JJ?U!F<i>t=5FgczYvd@^@Spo4f
z?O~a^H3Z)`CX@rEhOOP9=OvX&maOxU$PA&FA78eQ4ha`;?LuFm!^jB5K5->@!{MLQ
zO$nLcjd+1qR@6Fd@w~9{-#k(5Z`k(<uIAPMhbvXC$Z!52`ZuolkIMx9mVqk0R!#Mq
z{aCcHo=7hhE5XpA3hPy%{=S&FWRT3@j0!lyU=8-q<(>?@Z6VD}Z3GV+x8`l;T6^bA
zRcoSJ4^#rd6!gOZ2>=ogJ*>bqTcW!W7TA0G&Iz_=I@AFp7Q*xAoyJ%Qtf_);;9jqH
z(**#%QqwX&735&uo^#%g9H~--xF{BYw#vGyS;e>_1F*d2V1s+_dLsdGln{|HFPsc9
zQjHYPpY3&`aKUWNb+S&{vvYa3AUdS4aa`Yse@5hbGWC7|jNsES(QG(jW&NHcu0n|x
zy~Nv`JE23j>Gve)HRm|%S?9IuncI-~5Am-u>46KzV@6ECgdTBZfyNs>mpgiGlosu6
zq~_Fn=O$Tm);p3G_JGH`<6w_M`j`<eVn>@&9hBZiZg3ez(mC?_F<{|YfHP&5aZKm^
zVVQHmn^`2^Mp_9zpP68?I8-{xn;~)1Y@Y_p%@SHv$D>POK}SnOq{ZpWS~8G(^UG)P
zH+~0t+OV`&k5@leo2BGuD=M6fA;-BJR^*8gGH;gL<VdV^o7_U}_mP!khY2SG<Z5aE
zilY0bK4Ym5HtmAI?VM=7pZNT+P#72u4?6yR;o@}aR*x4OC#zG`ZL3=OiJHCn`_1%x
z9i17tw2FPP880!gbh7C+KF_x!kPcUZYiNA|u1a{ckO<Y>N3p@l3iDD>cge=Dvv1D!
zMgVGO?XS6`XUOVEy<`qxATd4;qG5x%%R(-iA=N&OC$ubUtALAbz{JG~`eJkgKFLYe
zE%C12FCq6sk#RyZ`z|vE#9o)`iM7!#8F^P>^u3K`Kb@~cd+k4-XRC%KZo#A<FH97}
z4jYSWU5x^iV*h$q*P1^$%87H`7D%b-HMgge2<dgi6)qcADvX#wv*ar`<{sZ%11}iq
z2Ck2Fc`kSZAI4;^nheFb;L6-N_Ch@ta;LipOs~-(t2P1E`5p#A#t|r4U;7ByKwwLL
zP6`m7EPSkrM#4)nnk$j4@HO|;!!qB;J<ix;#0gN7PIXvpux2t`;^hdF!VS|(d#26m
zQyk<t|KLlCd;&|d|2eGg(PUbi;w^N{Y|c7gW`VjETco-s9qgv~Z8<W|9hY$Rj@To<
z{;#N2hbLn{>gBIt$IYB!H6Boxm06B2wAP)-Xgm|2PV{(M&kH_EZSOQW+3+%XSJ8B}
z_Eb(c+q%mt0$<&A*<rEr(TXK{Z5%e`<sGV7xpM|$uAnh{kFF!$o%-^Kz#h2%vLWX|
z?qD%PYF9~3mbvdz0#fy@N{3Y3FuQAw)#aHXLyM{Npq-hM82PHHd9n};f$QW8^1|nt
z^$-uk$$E-Y@#{pGpYh4*Qet)RVMOq&lLl;tf~=Lt4Zg=@j+ZF1ue=Pma6quoCX3!x
z(y8vO7&aac4NI(tS}*_BwogQ)x&<t-)68)A5EhuvJGe;32JVs>yFd2J6n#4QdT_s;
zi))!0Esi>eh`(L{%&AahC(?`2$89qw@&Z*hX!4g@x0f*m7J5&j*J^Cu><tB1wr*mL
z2wlZ_Q!v^af9zJoSLGNpj(<Ly$>*3jsgm<2%NTa^{1zM?oW}l6T=ymrby15$!0Bvz
zjKYqZ+;H7A3nKkpYuc3~l)&s3e98b1s2i~me3<L_y!H3m_02L;k3FBIVDDF)p!d4)
z)w@idumGNmJ#9as0si@8=w;jF$~o!}Tt3_Ihuq?pAuep}u^FX0I1(EI!ci^k{m~Q*
zRP`lmu{wQ}eRy7U=w?qFQ^^M+Wf``_1_Hy{Gk-2qtEXole~2%&jIo*PNPCxoJyPzq
z_IS>R5G)<EZ{GLIx&;t-lCgUR=egzfv=f%@DXk7&H~0R%|LJ<$jf+l70iI2&xqK?z
zni6#&=8jH>GU6p`-`Na|?wvY1u!)`Dx;Y31bWbo7_nGx-125ewao4?iWgaS4lUta4
zls<IdlCt3dPOSXW?G_19<qqstQU)z2W$Q^;c@1~V7g2;fAIKxK16ebkdlX~0=He9?
znRgzihc2#eO8nbm)zqE!%iVcFV+p=4j#@4I@XD-t@gXu1rXoJ6#m3i#XCUe-7xq>x
zjR|=iEW22BPZ+6ghPJnkt3=}-6lxuPzuw!k`fB;UaLi{}>6c6w@kzL<Qp>h9>K~C&
z^+FW!E0CSQi{S74MvUE*ocJY|LLr{PKX(hq3C9%0VWKQ^UX|WQK@j(rz19F<TzFB<
zUxBp#dv2d#D|(-*>Cx*I(=++^?2t-gF<w+!HGf9S(%YLC+2e-uQOVizv4|_2GVh!R
zN;4{Msk;a#PYrkh9!fONEu?7N+zo&RQvRBF%f_DYy+<4Aw%e%TJ-uAGfmX)9y22(~
z{{gh~m>o4E>R>yPh{!&gW(#2p;iV1nqSjXBdbtyAPiar7Lbv7k>5u1wZaJ8NoBzI@
z#klX{8%LCZ?A(W(L989`vyP2tb0J4phPx8-RQvgtQ<KHa{CQ_=p5YnH^|gA>lwHaX
zcjpP%gOimu&bm1JKM|3NP~~L1<u*An`g*xC^`h#i{`k3c^A$bYNZw;b`VO5dWk$-b
zsbk`AzU;6dg9~r%tsQdrp+~Myyd;|uBbay@TEC9H2?*}Gn694)%F?;&r~Fhme_ldm
zUC-s92_lKH+@pNxP5<N>LZC)gi*K^79r~-SPX(Ac4SX>;0M`qM<s+V-q#?P>J~((}
z2OGNRfZlw9f>e~^WLVs!^l1$7D2-QR{H#Y)sd<S_A_z|8RhZNeYuZo#te&n4>|FuR
z+JF1>{7MM9wesjx+*E>BocAkTyCZ7@mq&3S0GfDzZpnnHL})F0ocRZmZjn=2?=*#d
zq+iY3MXqGIM;kA=URqTYX{zgjtlIg_9QiCPRkRky<2rw2H77M&4P_VK7_3R2)nRjR
zY)p{OoS$A;U^0z;KKppq1H_fx=wY@n#pQ;X7b8rF!zDQOE5fehB783912wN)5bvbH
zElWzGJY^BS_xve?Nk?SChOEJBf6NP}?y&WbX`1<Fawid#vfe4OeEE?Tc6A`+=-1hk
zORI_rKYR!@%|EySTRlfmp7f&>76znJ_QKoIC+Bs7gZ2m-@d~M*>3lBft!mB~-%_y~
zQZRwK%NPYvtieS7QAK|aeYi>Rq48%*2|8a790@aj&lIc6&3mS`cOqFPJM)CRNA6p6
zNmujUZ@wQ3WeZ8ApfDnk0z{;#;`SZSFvp*j>C_$|A1Bvi_;HUFeiplTIKqlmv3oU`
zYE+skK-^&(KPeSu;Z;)UU^ch{jj8Cq`?Bt()p}2DCv{EkK}~mlKGV<%`v{O+FH<vl
zv&rD42lv8yXR3q4>mAQ#pQZr}x-OqXA{+<D`>cOe%nW~XTf1DFU57g$lzChV#!pD5
zR#6JL&3U$99_S}L!l)0WIzJF3!D~h(jAI_!qW?IY8O`rF8(5DD78_f`D*JIEIj1-t
zweYx~Fs%m~?gdc}(OREBmeu=xPAY3J)deesmy{dh>G&^CuX~6&fIkT9Z}(XCRaqbw
zwGtWPS-1y4LrEs~@=!w3L=ROr6~|qwZnDDJT*O!uTS)7z%OwU$FQ01?U(o476`_uT
zB_*9JW{Q3sktZ#8$B$=I49?7p>Y=s5*XR9tW16#|e4j;(1i5;o;dX_E_WRDy)>V~(
z(&+*zwhbJ~8T4Cn5=AX+C-tYRj6*ZRr3J?cD@JrNgU2P4GT=X*r%=-MgR<xDN~QWO
z>{=~)%2W_h#HFovpKB(c1F}$;PPm%EvA){BlBd$@<Og`^Z|gUi`VVoB=eLzOheNsT
zcMLnOxO7f;#k+)$sbJ}OxPPPK7ev)nvXWM=S6++%@<)L2oBmDvdGttd6%ex~jJ%SN
zot0z8#D`tzCH}i(ZYxk!%)Z?U6gMS5Bp@Df9(vT^5$smZ@z$znaUW0mES(WPkH?C_
z$p#`g2gD37J^qb-E%nd_<R>i^Ts*DSIjRqngWcaY3bs$OlvB3QfEYhdrusk@zSdbt
z-pW1nhYEIpv>!nrWcdNSkH5zgK9CUCqpSX~73S+~y#sd_54R3~sYM%*miO9i{3m}}
zcg2t$>OUpTQ*IK^Ky0aMDjW4UR1BUavnW)5TggTmP0&eIgHkG~iaFIfB$g}Er|G}h
z9khTvMFI(qn!c&us;NCrRgllmG%UeiNgp_oszE{-d~Ta|5ioiv4QTw5`_9gdtCfF6
zF6@-_mK95M?jkk|@aFat0f8!(DzoiMmdt4}qQSit$#kGey8J;v0+8;a*{?b(Q59D2
z!E^t`P?|G?C)%+d=~YnPvw(WVuuT~TeGm`b>Mq>{F%J`%vS4L=J76zO^oqyDq{Rb4
z1EOJF^MdrG!;otXTJ58Go6I4F$A&5%72$9($?$vqZe#b8R#QC18>!(3>uwy7qCU}U
z%%OT<@jnca<3cMF@||!>U1}+nUr=%POTr#h#GWQY#0x&*y`9hD)Z?kt^vUuGYq32r
zCBqDn5I!0?=|&;;jA}~KZ~gzy0<h)Z(x4V}&O0`B`NImBuD;J&EBYxP*FS;Hu$49|
zRNORF?3Y<hRLgpRuo2H)-?0n3*D$k%a^9bp9XHF8)@d#+4_^jKQAkm!Ui<gB*dBVM
z<D;AAqMq_|*?A!keum$qE#bna$YCo7_X>0MD!Cb)pilgjrTu6zQ+mFJ!XtB?x%nG}
zyD5!wDi-2Cm`JL&D>e4qOP;!#%GMN~A{>Su&thInJ1lA#7skL07esCv1D=LlbJ-69
z!>qzRzJgu@Sr}itbFwaTO-JSlgbQhXv!*Q}h^GI5v?jagbLfv%5Mv($=xiC->SF+2
zJIoQXSFTVKp3Um0b5w#ul>iS8D4t$zpnkpDZtsRhJbdvd+Y>>_;?_Ec&!@N^Cx64)
zp8KF4<6H0`I>VP_8PtrrPHa=QBv&)2?s<Tpa^J+wu^>CzzWYwCo>IXcJf!7x^5A;U
zpEbePLjIVrcwvhEX-6~Y1gf~?$60h!bW<jxNfgAH5|mt&LYG9B6mw~KSeFx8)EwJn
z)6?ZudBEqS@5$?98Dzg#;fHzWOV{`9!lmxUgguXO*n3~4P{Nb4+r6*}t9??*sBhLS
zRRqDS^b29F2Ee4sbpTXwNy@GX*^{5iAVIzXq6=?AN}*|w%h|vj%hIu1kF1@-gR4Vq
zH0Kayp=5mbJ%z!L%K8frU|Zk#>|+%!)alQY*7J#2!(-~aAUcHf<K|+hz^@5k^zHlN
zWCfjhifh6Tx1$gJfHqCw%Lc|z)8zEC_UK7exoLmuXCDQFo4crATvZf^C@?ZyVWn2@
zR2AMD;xQ!ha2NO*%J^-jGP${sj2!irMoG@il$inF=u2JBh3CXSk5zl>hVEJ4n-Hy7
z8yZddpPP5=-_09KobmORqKIIp;N9zb+!$&9#uy*FW?aH=W>8c9Q|7T2PWt<C=;$h}
z#K4Y2I5hqM{9S-wqI#RmAzVXAvFnylX~oiJ*XW%-^H5>@B1alvaK(@+SG_wkM5Dwl
z2#svlPyGi4!ntiCGHmMny-Q1R2c-`!*K$I|2-GDuF}h~&S+SEb3%;qSLp4tNKF!NJ
z{5c<Zot>28UjFHBes%pK_5Gx$^HulCe*HK5p@XR+H?BL9Je3NgWJPthIOIcadMx?7
zyCx(SlUgE=i;v&2piBaW!--2x1aCng$v$_vXbTU{U3MjP%%jFaNGUG)XX%<c+dyc-
z=+?voKwH)=wXp>}nWFD1BfTt<3?1o+uSwlZCO<f!fPZ1Tb;PG)iM&6&6nbGCg}N2T
zvJ14ZK%5unNT2h2!}kj-APcm>SOAYC(sS9{xDgY+d^Z)MOCE(Oqb8Ebn?!`B7Rm0$
z8K+(sH`45cZwrrH>Fro>8@{%7C|@MDe&BeX57?zfD?XM%XXhtDN$=Ct5w;u)!mv9T
zx+f>~&WZD3oe;r$Wq<Gzwh}<R0z_X~)X06j)&b4Voqmf9b3MMKMq9?^`1^dKw)*1H
zaa(=5aC>tNXH8WNcSqy#!En|LD^)b#iOl1j5;qtrt$_YL%XjvSO>$1VZcfR{Z(!Pf
zI`$}@))FgjaES2`eaFM&rmlMRfsK^iLs&F?-w*UNRq=3Uhfg4linj9a8_CXjSkbK*
zA;?=jb!v$*6P8qozWsTxHc^qU<)JoF7sPbubvkY_8$!V5zq2?O@$W1KDWr;}(}DEq
zSPN7O&pR9LuoL6T3I?4pw?;m&Ef0V+?zQ+aOXx@!9<Yski~Ji2rz1&+J-3A@Z&iy=
zHUngeEgM(spWPtPJ&Zr<M{+LY8Tq)m`7Z#^Q&0?eQ}Vd#n&Yke!}(0kkFD7+(8KpU
zMZQDu39G@+v#!)%o^L%i+!qdNB_=tTq`4@9t1~k+k4jpYv`+N|X8RRrOXMw1#z$QB
zA9z2KEzhoBWEZoB3|ejt8fEXl+19m$hF!m{sSV1e4t``5e<>GtnKoN=Ku7`yOx88c
z-v46=dH2j&#3nUAmusgRDCuR6O0M*bW2%cJi(p6w13aJ%DG}cio5mDtUKc23|59v=
zjT(zWX9LOF_vH({2YuueXq}6EuYdP9>f`;F5NWF3<E@8@h4HE^_G7yacM7MYR@);j
z#1qRO_dC{O+80Q2Xt(=)QQ87vuV8&FgapsP9^<{yX}l_O5Iztb=&SUR0L|?+eSIC4
z2KMA?9$r}GFl0K_7xgo9#<i`Q5EsZQh-Zu*nt%-b1uzO-cXPyz*$rl4>hzndptb2)
z6ZW3rr=02}ab0B_2;DmsqQ%u`&}PZ2dVSuIBr9%%m6${9y}f0raWa^xrW8G&N$-><
z>Kp4ZZ<Pj8-)SlA#<xy0q}5UW<x?lOr8}Yn^~D}b&e-E`mC#mN*`LGk<2}m~78(Ce
z*zO(j347irPyv>rkO5Qb_bd)6>IN<iS!0IvPI-8;*esBgd?mw+$FjV?i~u%YqRzy*
zI~txEC@~!LOj_n>_rbx;n`}S&lqsZHr0w--R9kNLLQr7`7>m&7rjn%lt-?_kH)fho
z<R|M`?H&@Uq7Uy!tq6JUZs^|arD}ssW7-1Z52~D7eLzK_r4qXP{2U0$^?NU3qGk;*
z?F~*u51P*0NEAeXJEVAf92L^f(q=2bNhnS}SQuVER??)9%Udpp8H?d|d*;`o`=A?c
z4c+h2@HXFb@;q4AMGTo*z%>2CAeHwzPcw@h4)lljC+*334tX)BEwhqC)4wCp?#K!G
z*m9)rD8Uth4~tDP@Q|%y=*TD0lmPdg5mdxTR-9MeL4!bms9JqBaNg7ixw8OX7YVSC
z@C20f9@OYUXLU$@b=PH|w#nob=0$Bu*eM7H$@O-5s|I|Wz_2>pX2v^zV6)Di7U@n)
zUn#8Nvi^89jHETIjeTgnU!c00WIAqEJ?4xa1XJjM^DXa{C)R=;lPLN<-R&pZL${AR
zfiyQ&s-{fW6T-~s?Bk8*#gyEF#^zTn7r*Wo8!qQFOCFo>UHq||1^VpmU^zU~c881{
zT^;Xx1lUtQ+-C2y!0R&}=vudZ_{<~@^JqqVOTl4CvrHC4UPhb_t}_1$B-?x9G}@}+
z+$+Z9f?$=Z5Ocd=S8t9s0mzn{uJg@N-p=RSXWaO2N0Za&V54g;G0OMApX>eVs(XS2
z38~y8OJgta13`Fsxmqa;6byYDHmQWLOklP1*FW1pfY=VYmsdS%q7Dnzmk(Tg&AO32
zy8g)%Wr{|p&0aPa1_C`i1ELiJNK=^JsvDq}xPyPuDoYp5n)7b+UfDZ*43aWWYylW|
z<r;(xo2jfHd;q%9fvKIKAmI~Z%cld+d!EU{&it-iD>^_1kJ(Fx`c&yaDO!GDDHl-O
zF3R5M1DEU8t7k1KW4|uYJgh922Cn7Or&Lp0mXn4PBfxeGI_xp@Rq&wf#;1u)GI|TI
z8{Gco!nyyFn5jo+3VnVmvuaPjnq&xZHSI}w#uswokJDwN$rGt&ic;#RRTHPRz~nCL
z%j5B9*2zQjMj|4n`aPIc6OL4HN!08IITS=sXi~&_WDtJv;a=a$YCqM9aiB-<PKx7Z
zd*F0-e0OqroGhz|u&aTD%<@<}?~sXsjpRi|4WU70>v`{A5~PAR%73vXdTD+$s0DGI
zT{`}1rb52JU0(`X<lO=47)+oB(*cKYbEd^{i*gL&1506Iv}`7HnNFxF*@&4MOxK{d
zzPsF#dcE-}ZP~(NVGPH3nwH#-_OHF5Y%Tmw@`~Xe5vfu2iWWu)%ZFLI?&||vME_Pq
z<_2T~Hw5|1Tb`rnsPz&?GbXypw_`Vz{++|gm4~m<fs+dpd>OS5oX>Lv6f))K>1f?l
zXO@8pt}FjZmZd0a!`~S?XiMLtFRx4Kt&KncqMpE}oTTl%F_BIt>3}zYl4XJfkH3DP
zSpl@{*1nZz^lIP&FA%Wo8pUF#fUdFfcGEAZfHwmV8YP&w?!BiUD6QXHLbyO{ML49l
zg<v+#goU2iExpRriLy)f9@7`-i+%A&6C_g4^zd)n-0_YDDM%aZU(eNxxz}YyCr2Oj
z5{w@5*92e8t6m~1roC0hjAf?H-g(7X{Q2^WsV?O7)0bIS1S&AEN`+I6Z|cyfR5mw3
z`$VvKJP#f6Eo;BtO5P{FD0SxVj-t$NgV%7WnSQw9dA-R$&c7pptfodamxv0C9b`qq
zoh|)T&g#8S?u;VF_wSgaqmrGU>x^K3I5>9q9Q>!|{z3Ksu$toHPJ3<8F8>u4ds<62
z<RTk_OY}MayQ>WE7=e4}hjgbOl>gM4Vi~ec@Ds)U9ZVWvNmbh=QHO}V(XcqQ;Vf!z
z^tj45ZY5ug<N3~c6f@6^sWO}t@!yN+iQ`_dZdf8^*-=c2M+U4SGDJUFa*O`-1s0o#
z>Y3gCku?9ldneY=L{w-4H!?V*7tq?E1KPQN9rD6>aw4pmI^20FJII}C!{K3}vH)XK
zbgNqhS%Fil)M>)TvxaI+olPytQvB#4^Yn5K?XJf^<BiSBo^EwzUA~q<5me_5q_(O&
zq)q))?lz%AL+p=Wh~<fpdQDVi3yQ(!fh63Tfkq?xh227aZ*#@Si!Db5*3orr{aIO8
zkLq|l8k<VXFVOboWNY3x8+~R<>hN9&M@XQJwp1(|bcs+7|G)yR?s07)c>IOo5bb__
z@18VY_=^93>U%B9ay{+;5dY3T{3g@>yk2QrRyqDV-u&;IUb#rUwD7gQ{N9wvFyUd2
zbu?fntZMghadEFX6nDtS-a4YWn84~C4T(mro3fYeSM}8!CMZjvd^S%#g?ey6;^+Dd
z?@!Mj^4AGIyS(y&;zOm~W!!>n_mDyLADP1ogA4Y{WkdA>_qdW?1QQHLSb@iu#T-_E
zv)Mlk_Nvu|JBHt6L=R7LUoF07e&yhn4az%Wp!JBJ?^%0KeD?5f{dK3g8>b0B>3I9;
z(m@MX6W;LeTlK0o<Id%+d8?t#E$U*c8DE?_Zk^2bv8HNVz<$|wSM>1IZcqzkv(M#2
z7-K*yY8=fEHu;nrEcQ5EzH(IG5UA|%wbu2L(k;shpc6Y6oE8p(va7sa5Ty)>QU$0~
zjEdcqk@=T;*C6h1u{V-TiJY6KXJm!h#L9mS4vCXEi0qFq?x&<88f^jcbjuOhd{LBt
z`EM`PIzNRmk=}g8Nw+6=+&+L8yIJ$F_xQP4g|7{#F<&X0p^lk4U2rO4G?8%qwonog
zNKk|4zmaoVA=%dUW?c{3@c0@FHw;ic65g(4spdUTmSh3Mu$s1M;?*|0p19-=;~D+s
z8}l0m$<EcuJ)@rq?ej0j7(FUqiQ>%h#Nj7t`p@km1zx&~kMllH6PGNbK4DY$=0(cU
zn~XNZUVV?$=ZlMd@NU6gDY4vmjELes$|*<aFMngM*{)1HtuyLwFxRD~j)S~av|;VZ
zwAcYk#mFET)-3oAUS&fMun!jSVdEfSY8AZCE*rs}Ss=j(`@N$rx#VB=$dOEC=Gjw8
ztY9%8eAsxpy^jY36$BD|PJerM3JFv%Y{1QGi7p2{*1u!_?)w^$OPL20Yx#yM$I;_4
zX3v$<0!clKKUx5CZ@vVMts!2}b*T8)9XEEG8s2|g+TXnAi(~jq?Z?LfZ!q^x7ahHK
zePPrDZ^Tu-3*y+W{-X<I)|G^%9z_H;o%z-|f0z*oN*?<L$_iwr)(+<-418`><u2%=
z%!`gUY%gaKt=Uq!gk)Z4)D>y5w3V8bg{#NBcT!f%pVg=PE=*Rgg)80Y)$IYaNNezD
zG_~|)scy(k$~P7~Saoqtr~0Nq_|V*OWx>#8JfOr!(Tz%&8EO#?9)!f>gaZvH^yl4O
zrT&vl@b=^L+%EP_dw9sz?ec%BTQLggfa(xbSAJ;^8`(JjbO6ppUA)CpqOf>8<5=%_
ztN8FeK`85Z2HPcnqLXhFrbAEtO4K|5D>vQKQFN>u;|hrj(gmloKvPCLTd9`i*WBJ|
zE)0g*aG-e)uvN*ki&L%M1qV_ht_GEgEll8X(P?koV0+1+udR_*_mw6+o$PnTF{!dM
z3~$#xgRno#g?I<aoJCN&KsUV8>d}FypfH6&xC`G$sj^>f?Kr-GzubgmnQ#rq=ofEG
z#t-$Cx*8<PWL3)AQ;SS2j74{r8L7=cwC6tYTl%8K!smuV5WfEt_WmJ7|JHSe5a^J6
z^3!jQE)NzoUoolXN4?bC{sG{lfLr8Pb8ZZ6#!}gi9AEIp;B!()m~LufB#sULWQ;}B
zUZ_}7+I7e%x{(kj63~qNcEh22d9f%laua$ee)0n0+2!uqhAVx#k>`$eZ_e+LOma}V
zPk7?FgFoXHND~eXQT+hTYWliQ@z{|;jG``=o`L^Pl~_5rU^J@RfhLS|lbQk+YR>m?
z;F?ZygyVwPsz%oCvcccq&IlmGv|t4;L>+oWE;wl<9pkn?l_hQswJ8p%k^#ijvq6dS
z69cHF-9q<>0~tU4-(`SkdUZ?c*EB;&DL+&?$HzR7Yb?9C;HLyb&PO+}SJ_yE=k{@%
ziQ-SREMpZ^?lPhxLadL#0LlUo>RI)b(s@qU+(<PyW>yfUQEt$~3E|}>QuV9e1h1tz
zvieaC^lG7IH^y4e9N=u&7VDDEdjv4qtkagA)~zw!mD>L0zFDtX^VQeGAH&M8z(?g$
zj}M#x^bc94DD7rv<bIbOQgNG@Uec?NkkC)UEaovMx5Tl~+2GXSxD8R#-27aX=tD5O
zsGB%zH;f18D;y22!`!;D0JT~g3k5nfCat(o!cH?GzUR|M=}9u53ZWeKhxwF0F|4U4
z|8C3wU7+|o`GZj2{cS)cbfai+5Tk-_*!{jg03aAotya#N45qS=TllUB53fYI&4L0x
zfrkdpq?YN7;wrR6Kl<jS-tk<>VB^+3Pv_~iB`g0G5o8&CtVENq2wFK{EVGy2dt@s!
zEZPr$-n&sU10828lCOveV`mab*P15(?Y5sAYtZM__;SBamp>nV$KY#^;sOtS`8A9s
zjYO>v)t{y%sYYdkKV7{faQXX{XY<~pfa>RYHWZ!A6&j(j@H<zdQ&{-@q`5WQ^Veg>
zi^j3I4q~|~3sbMK>_lHI=7Xz5PE4Ei8&c45{DgAqHGt&w7ORch6@xQ(Nt1*|;V`75
z)XTcryQX00p1}V}761Fn(Lp5`$`NR6G{<dLTL9n_ne4(|=6%y?Lt>eZbq|wv)9>>q
z-eG4>Ej>rWV^b>1$4=&D=4tJH+H{R=EnQ1v_L@RlfUu!p!Pk10mL3sDl~E$gmE9o|
zD48nM47J%*Fq8HIB1NO=rGy)C-*sNfQJ$-+Irt#RMUF}86?X{(W3dXcd4J+~YB0F2
zGMZz2JSUVvr1l9VAFKY=JJ=GM%-1`E^r60%FXeGR87q%w$e&w9jAt+x*aeji<i2Xo
zf?Hj1@r`tWK6$8^`bz17UP#lq>j|Gq?$6i9jz*m8bkMMfo^&$g8YNjN7K9N}5!I1!
z*qK{v@wS#$e4*TujL3sJ>#Xe_jqjP|7xi#-gKre@6BIu(+4m2m`M=jSil}uzo^~qx
zQMX-uj=(g0PiB0b8f1!l8&|75&peFpv|nbpF1Qq;$7<Gy0YnVsYQn7tK1jSg{XW4Y
zZ&kr(xjt1p%X6AR0&HZjdhREBycO%+CCPy52wrzq)S7HBN63~O*GlHya8tc}=SbvD
zR~YfDVm>^oW^<VbwTFB<qtn8$Gpgp<TorDb@he^aag3ZZuN+ez8sshvN~RNhwe_I>
z>Q_cn?fCUlqv&yJ^;P#8KAwFt!JRcBa>?b=7=`Z6!SPDi`ca5W6=fDsknhkIs5;`Y
z9{a<WMiqrm4Q=UCuqlg-<JkX3$+0K)vAlzx$qh6Lq<6jj;KLOJ$L124n~5Slu;v+A
zh3<VmQIaI_pEjO2Ik^0Hxx160EOLX-j*Q5FsL)}10S_*L_a1vPEIRYz*kpydwM&1p
ztt@)nAuChI>9Eb%PYlrVo{l1w(f;td7jsdQrXKP*)CCFz_ADCZ=Da)mTbT>3RP>b8
zL6z99viLEaWq--TcA>QMVGLn9!o+k)G`<L${^TI_hPE8F!W^!-r#Y9BN?(U~T%H$I
zcTfC8-_ku4r)<BYb9)C@fcZTb8iiv^d#{ladGxBBq+ApG15T}E716<K5)f-%!wL;0
zfak0n4l-|P>{T_$-Pgj0R=?Kgl37Z!ed6n?G5b>8N_d#Vl&*@`M&DWA2GzDS8T79d
z_&;k_2W+Wf9#&a|aexv{iw-J|yRkjxDOz;D+WAYS_YUc|Y20pWd~bR@?a!e;G#=#-
z&PiM7Q@+OdP0lKM<ugg7$|uUmX2+&hM2We&BcLN|@aHgwkbGz6&o1+^Gbb?HAQoY%
z@j+>_|GK?QZ?K~#ylxx^*!-KL<8GaRx~}_-&_XM~kRT}esa|u|<0;&lj$%pnS<kKa
zHf&Git?p~g3cu4YwX>dNtgZjRV3h;Bf&)wxW@)KVE2WFEG6<K!;lAk7<jpMA$w9e#
zlzPz<ZP7aBp&4DeI4gNRemJKgGS!ZdviT3B`rifmM3*E?DWsWHt6T}90qeRDV`n4T
zRdBM{6D>wvj;B3O=wBpV_p@;zCauBiq9KX}0Bl)RA6F`J8E9uN&QiQpD_pIU#?RhY
zWALvtr-MtBs)N@HW&qY`VLsE3_d!_t68HMiMiEb_$qi2h+&ddziNq4Jy#Ad3kKB(c
zkU<i&qPE{#Ij$F1t!*K89)g$ed4BYfe-R~TfNyXX<<gt0?*=6-IwC@4t~25IbHE*m
z4Csi7!JJ%rx`o0|>ffIgXjKY7^gU1sO7%m<MXvBx8i;u4zn1a}{GY<`zZYgV)#M=E
ztVtI`VVyVZtPqqSU<9_YCI{}9vA4Jqt+ZdxnMX}J?8(L0T&QpyJB-!F)UiT$?9X$y
zOrhQWUO(q~qS)DjvHPuc&q<xSmj#f)VNknh;cFUbRuW_>sE;{a6;BJD(6^{NPtFFM
z?~{${bR<=yqxkqm^K*2+zz2&p;wyZ?>I227(KSAa^{y8{J?2OO$9$5c98{;k_B{=l
z&wuZeT%Ew_YrMRFRr+(g8A~OD4z9A<t8@5gUKKBCZk8c{f7=fnTYD93IO-@fhp7aD
z_(XkOgsoqG>uL8(ndtown(*IW%<+(_RD5ns-UQ%VX%&W5ru^chQQ?zQRrnEBtj>GR
z6gVIkmME?m>F9@F&^PZ^G6-{1k%m8L5*lz`^_vB4*9>Eh4MT0fqik%7QH{}!&;TbF
zmB8-69TRAa-uK=F&MAKXzjb*iWuurvPl)ZUs{+zBY*QB{k#NRGuu!GBg1d5KAV+dv
zXjvBg%-}EWgsl<-QdZ+DD_aH6Bh>CnrJcoAns2sbu!BI-V0cI%DV#XR(i4l1kJ9Ku
z%5IDB-?npm5M>{x;ysmmFnE%s^^x$h!3bRV{|ki(D*d$z$0yKKAy;t|fc-q(wtV6H
zqHw}vlc7CtG=1}y$uMLe{HCo-&Y$GTr(bra@yN2lcu5%+SajGWJgkO8GB%tVLkqV~
zF{P&7u*p1nz|c4;NLQSmS(Q?-qU*TAUu3PP;{N;}Y|HS%LS!amS```YsHZL(qG^>M
zKs<X%LC2q?_J@sH6m~dVazHQg7K80{IagkZ<m7dMiYvp7v&i-p$4!0N!X#Vc0gayb
z;7=}>D}9e6348Pg-@lR)>3*1RW(3EE2BMX6O(IuEc<bP8w_;^dFdqju^%@@%4n#EJ
zt!==uL*BA{pe`&g`wTh`5la^i>~s0wjPc*Qm`9Z5$7PZhg^fJcYeSh#&qAF3V9bH`
zyEHZ!1;a|Y@eJyxZQMyu1aI<Wx$Q&;J?m@RrWDxpd+;XdOIM^0%z3Vct9Md`loEO1
zKymv`g6L<-pb#F~9qsS2XJ5BE)*sTy$xM&leMLK3(lW!4ASc!)-nzyX6GelWY|d~&
zK?5Tg*oQ7+aQtSV&U*|u3p1`T5a~O)4n3dzVLx<}d-+Y74Q7@;i>u;RyCze0cH-u|
zkM$Kc796<e86N>%EOh48&7v8%qKNiOmVRi!j4A)I<<*vSCHd^b==MDBDp4%p`^bxV
z3`(PJQXAoY2+v4d9CZzI!w&~>UucAzEb>Yu@l6PYy<_1`C{tN*a#j34@$FxnbJtU`
z%-PWMTA=bCOUxeg;^<;PGCRA*>H90rwgP#p7XisfUGC@=m%RbsMY56ZeWSNePy4m8
z9z!g{QNdPPeRY>SVy%DY{&^QLwu2=E(p_1$=OtOX^z=r`ShGVcNt6Y2bS{{)?oDX4
zF?%$U(~S9cpi#6l*<w}Y$@-Ls`5Lz{konMUy3Y?8W!T1KGq5gM{3OZ=3^yJ95XwLw
zaQh|iAnPH_@~hrwCMgvGF6wKqSgxx+=(TO>i$o2~A1DhY;6$4~&hAW#ATk}FT;o}2
zrv{ssM7~^R@OncX_|XLxi5SPhIhf(2Go4)1Aa^}oI6N%W5vhQ1p8L>TBQj%u21Xd}
z$$YznX`7sM{Xfy~f8yZR@TcGSyH<5KUrgm+TLiEVC8G6e7-{6}pMUG^9akRF)v<Q9
zlN$xtT8RF47C@OgOn~O4L5V+468)tusZAkHr)(SrUdTx|zWNiz*s@C@1AM$iGAph{
zs`~gT4fCHnstcaWKDdF3WTI|>CPIN1XljbT@TkvJTb565YjJ6e7-`LS>AbdXlRArQ
zF1RK&r;gB~s-b8M4i7Q9-#-1p`1Nj@lMQB(5I8Xj$`s>GDf=R4Pu`+K{bK_K2~Cyv
zuT5v0khKY%8i%ci^OQJm18|<&?)RK#fp~GmPFwStm8LRsz=;LVcM`%PVhys(RtbjA
z2PeamHoyE|q48gkBzJQn9n~5>Bfz@y9f8n>(j{P&0C=ykd}iE~6XjCJz^gGC1qwed
zA0PKTE5>mzw(8=dZ%8p^Qcu|0px>zQEekdj!R5ByXe;c(VqZ0A$k|>dFiZ&Vq^GdK
zdn3R2v`{Zxt4zJQK*ydvS!P4rqRw-zVKGZ@w;}SjM7xw;tO}($dni-HUoO(F9Ssy^
zh4cI_$H~)^eS6{RZ8YJpJhYj5vT)x5=BZ!tZ!2%wmDfaSbNC)&wJtMU7in?!2eKrn
zx%1kjIXAGbB@@#q3uz&B?CLkLj<wFGC7m%pGX9Of{qIVZq=@~vIP?*t@Fmo$?Wj&6
zp(i==TTK|IWQ@Nm^CgzoRb$eUuB)w`k`bRU#v;eHW60+%c>aE8c}*{X=#g^MBFrL;
zJg($_i0(!Dnpe(r2Mv{M$F`{SWLDdtLPx5i{2^{z0a@v`QN!+Ff#$OP(=)P&!F>I!
z@vkUm#`l}D&&75JE;aAdB?T1mye(~FxZ0CHmHbs=JYzdT!%QzMx0{PknG_3QVu6nf
zKK}F?kqlOX=(ql`d3kWoN&UJ`NdHqMeMb4AKK>~<{-s9>bzpknx&z>{1L=-=-=`hP
zz`le3H%LyB%S)<9Y+T0m9hJEl<NCfs&mlwoD-Jnd@F9O_EH{ux3_G2Fpd4Hf+rnfU
z!H03ExTC&ek@F1%8{0ua45C5LMyU76H#f4H3mhH&p4EPIcWpZRa~G8c)W057ycilu
z5T591Bqs)P;_0TLdhw6kpGr%(&0)bk>Q=Ur^)CD%agsqZMwylG_9z_c40;Vl_UpCC
zOEkB>R&F;5KlDHR3MoYS4Z}M}(@SK3*t0VbP-mQ9;H{%jcJTL_Q32iV`K%b_Z0B1l
zYid>&Bm!n!a6&i`y&V2OlOz9I2*r}8Ms$+hABDAU$;+ucI?s18gBUh6K{+%$E+emi
zYj|~Ycogmtx<D`aLB3U*bgp$jcxH^2$PjC)RbD_#-Q<E;l!GB*XL%j(^r+;f;zryA
zWDh%EF;FM@WZ*WWzw>x@?V&)m>Z)WWKktC<n|VuC^&n`T?Y_gif)m4MQRI##J`BP0
zB*89(ppI*`PCioZ;ADA6ztgR-`8F<5lqXX~{$U=oHM1fJ5accM@`G6VsLGz`Px?>&
zK8|IW9;A$w_BijFuqkc2)=;17NyfxKtnmL{&Z?G<MA(m#U)PG}0C*^;$!l(pw*1~j
zKw24hl~(L|q}#njjQjNfzMDwM^k2S;0>=oCs|v>1xI29;8vh?#Ul|wW*1c^KM-T-C
zrMm|N>6B*Zj-iz9p<|Fzx*KUEL}D0X1_Wk6Lb?X&7$gT65NSzY{?BvHdpy7AFkkLZ
z-1pvlt!rQFT5Iq1#Kb3_Pg*u8<w%m$v%hTch~Gkg=jqyOruq2G^qEz&ljX&gVA`PR
z;4q5`*O9WHr^{iwzvxMY2cJ0iw3qh&$iE`n9dBe)jthZxk@!nrtQMNCQfasN<!VLW
zQem&0eHzVzk&VAa<gV+v^lk4Ac>KzlA)q4)^vKa!GpW9zAK%#WgtRHMWSkngSM0we
zc-<bFHQt9q+Kvjc`jxx(AOab4WE@}HwD9+e{`bl88l$9O_rD}7Imv2{M-x1ooI+0<
zP;ptm!+)7Kh>$uai~fUlaqlPf)Wu-uBa&|ri$HYz&%)71mpXYAl8@UJ_wu+Y(-&u8
zSs`EDkHSRPB{6<a@rQmUQ&0_tGg@$&%#1Y9KEcIV)nD4<x8?Ym%&A|>om#{<$z@Kz
z`}~7<%73q6BSBN-{SUZ$7HJ0&FRPbCYk}Rlr5RDc4T=ZhLQ>nyBN&%dy<4dsSBfEr
zhB_`3$$rTY*%XL)V8e#qn`o)nF!smr0P*iR6h`A#-ZWTnJBsrr1L^5Bg}Ki5PLZw#
zmC#A%<gPJ62%1qbE})H*JRoPgE4jIvH2j3oQ_UdGpH*Xzx`|g!YrBV|mU8AfDRw)P
z<7D{cckB4S=QxI>z~o*OwCI@XVUeE%%p4(A49S@L*i;$h^S~aPiKrbGny<ka>}D&x
zXRbKc=HA*7`?a?PAs^iauc&w1aayQ6znVTVDp7aZIY)RR;-$FwwokR(%N#PcS{RW=
zTJ5xq?rdVyFXzEMpJeG|F7NbMNidl-EWg&}t9^pIXu<JHx*DD?8c1Y+vzASL`jn$N
z|3+8=Ol9L6uzussy?Zy6&L8?c8n5Ej@X_r>*6FhNkC>Z=Xup^f*(mdN=6UDm|Ipg;
z*Q0jA9xH{#Ii%4YOJ`(e%gl1MM26ixwC<Ao%B#H?s|g{Z$8R^}9tU$~__a>kKITLA
zhdn<L{0A3$##AFtpr;&|e!&%sn$nW5KX8s|z0kkpFz;AhbPR;G8g$&6IyC61<h_ur
zCfmE!0NlgVAK+TLCmM3bZxMYTE$-uDdV#33VVWQV6ETewOGsA=4VDrcuB#;brS0)_
z39rP*Byv<c@BEl0=%%JZ(cxmJ$Q`Lwe#i!&1Tz^tIe86r<UMIzG2DtHvU*m?G_&XU
z=Jg;KsggwJbL~ztlpEi{C%kO2F9?;;!F$Y_ORKeL*WIv$rEa#qiqNE`gg!*$+MO^V
zE1i`B{Z-=6kFK`X-|VdsYBs!DHhTBNT~7ZVr}*7)qnt|-)<peUB^LhU=-GE95lLRp
zx=n==u;>4jTW#++63APC48Cwx1)oc555fEl^-gRpw)Qh8%mEnblh$eI<iT{LyDIZ9
z<>NhTGEbB5k&^nGJ#G!D9JJDv3hhQ*nm_wAphwzCcARZo?QvM!Nn2!qwL$*QYvoW9
zlEUNA4%(4;|BoGR<K`?9d_jZZ+8-@<?5tm})^F%eK5V!yRB3nHGt%-)u#@@B3hjN4
zH=WkUZt`qeui%|T+H}YXw`!H>H<b0(tBPm3fgi&jyWlZVg{$}=pD^-`R+sx;w<Zq1
z`aG@0mO1Ua)s?Iwk`Yy3%f0y=qw+~MF3qTyZ*%Fo_uDLiv3+GV&Cw27PyUwEmY;sh
z`gN(?KYuNWp9!X-!*0M|bB;u9S$%n$tYn>=;$+-%Eg-W0V3&FsNZGg{<OTry)ZTdI
zQhUEg)X(!Ezeek)-D{?m{lWAPie(*PJ5Xe*N;E5N!r)Lwo@y5rQ*GL1@0CGt;<s&R
zpFPyzBH`qDL4M3ygVecdr%REK%tPOEwQ@ruy;5~No`kZH3Q{|wKUfGDqAF{|vorq~
ztwLd~N9a_zKRVxeD3qM^ffRC#gRm|?q0Q350vHo+f<3hhsJ<JkedN>2)qA!c&tY;K
z<4s#B<|BaNJbNcraN7De&H3*W-yKEAD;pfL->CQv{(+`Go03m`%|myk@T%nybS7px
znDx#Q#bmx;@}3E~c99YedCH*yp6~v#?*4&*sGnj(GhD`o8fF2{yOe5(5dtN~rS5Tb
zQ=CfonBKijO)|wWm;2?#2dJNHDuvwR+{W$eR^2x`?!L_9VA8kL+Tp^Bhs$)((U@47
z44RY68zG<8D#R}x33EP@?~4f({Ib4Hs~KlZ&buvqFDRGIYGH3R^M`THMs}uAx|#Wf
zQbA>S`5oCcImD@6_^5O7$c5y8s*nB_cCNYW{zEP6iF5uO^v5W}hoL<n$um;Jy${K=
zGi0Jju?4@PW!ga+Be#9|MD!V*OYiox>bHqxb)R0XaJ3FDf8p02c~im`q1Sb9RrVsm
zVUoS*?d|khJ?>>YYOo5^tNFM#C5i0IL1f+XJ<X7=Js0Xku+o7NRYk`;&`Iowky{1x
z!`l|2wN+2r@6GDoD!%(@rj(qQXE^3<y-;#g$FQ!Ioh%tX%RQE?K-z9hN1V{xej`po
zr6M)>2Iq;sCA*52vBxV3Bj%1TL-#~=M=O_gSY-63JibI$s4IK}H4^K(6zt~wgRG0p
zKX_7JsW_`qeqicB*yc<-(KQ%db+sO#=w!zd^syCnmRH*=A~$aC-mDxIbtnDd%`YoC
z$!^aOzqoynd`jJw9{0hLhCLNsaMC;@=1wKftSQDR6NM}7pPa~_&o9IS_%7>wT*-3J
zK3|Y>o5P=?ZQA=<q@PQWx-ga%g>=diiQk#yNlkkm>fpGTd_#}0gvbg>8!emvEv!$R
zl8Y>N+}kv_VUImv;?uToQ0<vAf8uhMa78a0=EDcep3b_lw#IgAoX{M%qNRiD|DCY-
z{Z|9I^T8wLqtxJ8RZ?Kpg#J!k?m#7w=_Y$cCew8ZAwOn$Vz<{g`FY)oZ-J-KXHh@Z
zx>19}zY<ZxH|wDv?>AJ!-jHc)KhpZfs`0Q`n{PRUK;#wmXZk1+k^=Y7{u;UQF-%?l
zFYd(G7ZI_tvc`0CEOXy)I}5#~xc>3sTF2e9bDS5<bIRBbN_i}5cy5XbqNQ~$Fl#xk
zXms5D4hhhAX&Hnu$2+!-m>8hvEA&UFap`9r{5vj6<t}7_*_pjia-JbR6XTh^u@<=d
z7RDqVCNu(*lw`iY8^ncCT|Z+~xb6grsgyf&eiUmhqA(`!s?ikfNM`L&=<8X1Col5z
z7;D79fPdu~qb}D2WVgvQpsr8KNTsm&hUe;vdd-{m9m1Shdd`InD9Qe;ASj{d@<|?Q
ztS!q0Xs$TcgS#ClH{)(kmxk_?q9nm!$u1Edx8tUc8=|CkLubYCoG$@Wu|aN)hrBlQ
zH*ONVxN+-2$c;PX1uxX85e+qs`T6^h@1-lzL5mXyS|*s`n~bllaZz1L4m{l6<HxR)
zJ!xz+xXJkII&$36I=oag*)^3-OrBgm#|^yP>=0y&eJ8h;BAm~-Bp`_OSs!VT63;w5
zYcpg=U~WTPSpvZ<32YYKJHkPop7#UyZD$MOq>R1UzZi|v>aU1UZwhGlI9>o;j?adM
z1C%;|VyeE*0uQHT`!F>iJR_hM?psFAe9rY?+{PxW74i=y1d8$VXy2VNV7)=iO-K<W
zewZ!KuLRm*b2@qN*=A(qd(>VjuS!k??kY-TQ`mkQKQr*#9R8afvW5Gwwr%29V53X=
z#A+6Ac<X6r3s~hu>9DiOM-xHaSQXH%p?aAXdgIPtlQiu?khZRJ>^nKOdsr%(bQw54
zHz>|X*~fJ*9(Z_;ps0T=4IwesWL%p@F4nTFkIge!+LwmsMfyvi{NvZwC&WnzAMeGl
z`}hP|+vH7Q>@{q#P)Xkc3g0eF^Idn2d}`+<iF>|7vgedEu~<fC+r%s%c}XIdnPj&y
zihUl(p(;D4fV-)!OWQ*)6DOQ&s2iUOdemcAN~v1(AB~5FOHdbwZUF^h2S_87SY(&k
z^7lTr1!07t5kxp^rzPdvC`sX%#RDYW6STMEe#PO-DC^Xq!Z|uev<2NZ3GMDHy322X
zg>M*=3I7Snfw$qF48Pe%WXOp)G%9^QhCK9{suOC_p|~j_K>?gigHr3gO4tFCWRc0&
zDUaOSmQc_fJVFX&pG?1Fa@R?*fM}HA4rVz`Jw&r$Dg_zq!3G}(XWNdm(T-2J6p=W{
ze#v-)v9-pytN8sdqVgSm%{ORZtvwJCCwwws*+mnottxG7QB`t3cutc)!O=b8)Oot*
z6?3ji5%6Vi{D-?5hd;{izDx`dj%-av$~-2d*3_E8pF}P<@cmI~zG)5KNTJ8sm~inj
z0vi<yic8~Ad_^7&(oiHvG+W?cK;hhq2b8?2bOp+HeCOTC?MCLSL*mL{dnM^lPNcOy
zrn6I^Y9S$!`~TlZ=-s}sjEdP+q}TVL7WGxVH-N}|VZ=pygHYorifTw(qDd>qaNLrI
z@5h~Y2{P*(EHlgpLV#>W?UkYHR?QLfcM<Lk-p9RESxWw%L6SX`q~J%IBNd!nzQ}hH
zH`fWvjc1ca()m7Gjahvbqt{d!rtC~1VAI6Nv#R-q<!v|4A4<w7-R`?DpeeQ?0^Osf
zv~zgbNL`<+Ixup0BdNh}>Ia@TiPd>c8WpC+)*-&eOa}`T(7f1ets&8*y7u@##COHe
zx5utR#$>sg_XOzz->PtXJfCYl?0$zbAJ;s7UkDR~gGEXHg9rby`fo8x^w~E^@<=up
z1DUeXyU0@M{s8ZzD30@h=KKM9zJOrr$%Dk~CrP3Xo1g|Ms@S0@^yM<)vq0zu$zFq+
zKxCSzVyx-D5q!`F*_4)fca?=i-fEo8j->!S)@qzjl>C$HOF7mTojY|t-@Q4c=~M))
zPvLVuH_WWf(gV21_q=rZ`h)!88u7SJ<V^eOLfF~5OR@&bLo0DeM*E{YCxr;ZYQcn*
zpFg&(H3OW3w_2V29}r)*>or%$w^JP&aBfE0tE&Kw!MW){&lE@q%q-%SDv6u{ShE&y
z)1x@De%b$G-+#th82)15qC^2Qv$(mlJA>XGI6fFV!R%h4=ix%abx+k0%>Y&L%|_2c
zkSY4&qfNEt`C!h7(m_cE->ZS~v#y*u#2?k!^wgv<sUEAf3FDZlR9S;Jh=!@|3|w?Z
zTfZRVRq3Z~k^L?9+VuUE#__%zQ^rhy)Niw4Ev0Xna#(LmZ)vs6S4{5ZKXP;^M%^rG
ze~={$t5?ZVZ>BNNI}3eAa&>*j_O@!^)=_DopCSo-42zNL#Zl~n04p7-LTI_dNjCFe
z^3qWz!9RzK3skL8SSkCaGLGASTknrZwr7cpo9jpC<(HSu`cI4<1&x=YslZo{(+`&6
zZ6kC3GA^#mF86dubr7d+Kn-|I%*I*v#5!fI*wyTO4I3UfVXZdBsbQRE=pIxxsyocp
zLf}4X#M>DfSTU09w{3@(;BS_8kwg{s@#jC#(8V{jK-h)$5`PpQrku<m^r-x_C#EhH
zD@1ibOPcTI_|)rcsYLuG5H*IT3Sq%JeV3_XzmnkEoAJrX#^b`l!NHQOHu^a03N~4`
z#VM%=at;Kt{?Rf!_hWl#`SS7SV<<(AVRu3w`TJE#q{Iig;3okm4$zT*x-09m)x;FR
zTESJ{mC5MV6LDBN2YSBhh*FTS6zhDvNLr9*INjt4H1hNI^Zc<fi;m&}vd!5wBruSc
zu-u1X?5|v~-I50_lRr(mqg)LI8YgU2ydf)vf(8M^;)+Gn5~6})hNr~5S8$}nK0d~~
zxRv%^nR;IKqHGe*7}~2>fp59PN@+Gu*iVH#!;5o$Y548Y7H{;eg{P9zma?btelGrS
z%-dS8g)#L>#)FRg7U{CIRy4&yy-jb2nqF+adJm%j(sHFZT9&V^S1(jy1XW4!H7)(6
z-6Y+ym*3*MOb6b{t0A<Ci2na374jKL;5Tz0GtYc>DUw~Fa1gI-I?+G3_~rWW!vM8{
z1y^?P___?{LbxaGS0#&<d~np%!4p^<^~f*Yq3Eg~qoidvt@@NEELlZ8>H<BaN~2=G
z;@1t5Uv4(>c3bhC<cQU#qd&EIEcfm2%NL}rU+MB`oF-Ba#k8Pz7SrbIHvL8<uG<Nq
zk-8SoEsf^|B(`1>mz1R<a|D}3ORG-YYNpco(S><RNQM_SKdboi*P4&#CnEzmhDWVA
z30bgnGBArWj$H4jye{MS&&E2rDXB2mJ*s~0v=v7-xn$;IziiY_tub{YYC+A~kr<_1
z{J*XHMks0Mq_j?T_%$*Ysf>{9?5+bW`>!x`6Lz@$>a`)jp&biw^~=&_?QASBsR+9N
zDOGA7Z$MG!@Q73JXV^kusi@A##kiBIfO(OqW#%*=F_#%vw$s+J@qI+o-h=Pvd9+qL
zn%j6Q4fjvYW6`vs*gx2s2&;hO8G8LjOeR!r4@F#bj&76#sYI*sUs%70l#pk#+6;8X
zuc7FfcCI!N7D}RhZpH&)SJ>e`3Z<|Tm_Cx@fr#g|Htn}DweU>!{%Xw0_9u}N$J>$n
zv^In%MtlA_gKr%rIC7;GJv>n`*E*_Je8ryrl;6PVgtq6m?V0`=_!fE>j-guL-W}1-
zBHz<<jAV0jBxQ%>_^6s;=$4OOcjpYqgXfReIkdMSuKFoA1e@Mt7kzm2Ql7|_D7%;{
z=QxrMk%{=2JIo1sZ3lqw!4KL%tRMjrUjOj-d$`7ae_0L--4>c5o#!!k@>->x_RB>(
zfhIK!G&bQW5m+G0+=g;cG(ohFEidtgj`(#({623qKP<?JjO9B6$yP?t11X<xy|<tJ
zvdH9cAGT3F*Kn9bn^2Y9ZxKb&SYXs$=z`GkyxxfMr7y)ZMtfzVih=8wA#p(=6KA6>
z5yBr_n%=Lpl9T*C=xUKWkY5BK&c*$n$^1o!BgFRZB}7B_95vlN&q!h2`qCyekHmjq
zjk#e=<^I!GIt2g|aUN<!Qi^|KzAjKS&-7bgB*V2|@znAU44-Tx)iN6yznG82B(cjB
zvJC5F*$>X*GA|UFUvE>lvigFSA9W|ErL2gtK2?HHH+1U^xs9z4Tm>j&)9@<oMps#n
zXw8ph7#B(UE}~~izfhTVVg!;uqYIQ+eFzpOebVj}1`;^n8T?2OVwV?gLbQpI1N^S<
zyJ7oWB<5@Z;Rp6OpYuRQ2Rg-5@{jR5B+e0tYK#Rr2v<t|n`b{xe4)PVml}L79!!F;
zztXDgOa)>txX%Jxee*4`43MBLAU({C)N?a&aLiS_V2?RcgXf2NbBWEHbYc%0t`A;K
zAUZfT_%RS7RTdugIM_q&Cww^B={j$y726(F>rHcZ{@M&C$>O{GrGh0TZqqaps~#3l
zvodMd`?L4g$$CF}Z|@0eqbN4R+v+HMhuHB;l%6^6-B<|RJA<+cwgS8xASa(UO$sw)
zrDQ(thQIwXX(K)*?n(zS*d}t3<1i4l6`hN;N<--lEJr5{e47xKi%m<piV~WwmsV3D
zl4Ky0+;(DAKXBR+4jbiW%Kn{#3bBP^7K=^7^*C}q9-g}k?9pg?48^9X>>15ypE1=5
z7erT=ubixtXh)=0YpUJ`Cw#yTYyWa$csa1)?<BPjeO+sVlwO`Yp6D)`3Wo6P4z(P(
z2jpe&je!gSw!5EvEvCZ=xH?s`j8W7kmXn??;+i{qRI^NefsenC+KPm;Rbh}m{EK5o
zBNAJmp|AIK&bPg}nag1;`Jk*>;%&ls`xi>?nU*#CP;%JGgBU3;Np@!{FN0KHGI{Dl
zIhlL1=RXiTar`;kol`NAyOH661k;f@fyxRbP+A7P6hn+U<|`~M{O?#J<a5;>NKj+m
z8tCBDaFQ6K%z7VLR{c0B!#4BWl{pNH*aw5d!`KRtqOp16N(WKd5B6uTVeS}*ID+gP
ztQ!DUzT~`}Sg%7sR1ZYJwB^z{`iJrdI)TJ35@X^$tb-e;UeHVQUjE+up7#_5Jw}!Z
zPZGjXQT{5A9o(P6(G8xFQR%EyjUI+^U%#%?fOpo9swsfNyLbm-Q(EXU{7Q<>BnT?U
ztLVG)dnL1)O~LqMR>!8B66G85?>F$G&m>dQ(IlblK9ctjQC}JJk#rG~(s}{?!(vyW
zbbqtU8@GJE+p~Qs^;d97p`mGP11oukf@EKm(~397mPB24qG%qXdafgl%eN?Di^FxR
zhTM~$i&^T9oUd_GCV7h!)pMSiex9E`79blGQfzyX^@88C<D8&MnNC?0*nPyF4a_X%
z&2iAz6Av$%r<n$$inRcjPa8#RK#u1+cXZ=qJDZUbDPlRT7YD^u=v4LQC0yMz&ck<X
z`Hm#9n41p>DK*LA<7SYL<ActyCl$cQqUHhj@}{bF7FI+KK$_lGek8+vd`Y@2hSlpw
z&_H^B5)6CwMnpn)Vb{x^>y>X*7Ti7CH{N+q7hlPMB^E8SG1bNUd-UI8)C&bNYstnp
z&d2E7<Q`gHeRc`%X*du9d%%LRjZ?|~G7cl9_WAsRW!k}MjlmlUikbqv9$3lSTf9Sp
ztMBr6ovXEZbX3oyqqKp@>nrTzC9`u*;Akq|(k6@Y?;x|USju0^Kc9-X@eIkR9_-AD
z?44QneP4Q{UL6^e08*L>r84Uw##9XfBy%0zH>mpRLm>1ZMRbU3;7h-$V`gP1Dx`;?
zzb>VhnABwwl#p$pwn0yWb`|gzc^DF1VzAk6g^Oj@+w|PUueuzp@2x-N!v4;uzmdok
z9x4rFNOvjOfUcfUUTU~tpBXUsUC53sR(<}_Ww`0<2OefTnzKSn@Mcpe?04o=`gu|X
z27)zK<H^KN98cxW9uPh<Giih(F46NS0b0kMt)@r`+hq2XAokO=v7fa4v##{t;{#3y
zTfm1#{XM9mQAte3N*ApL;F(tzIiY^D=yp6E@taw>UU5xnQwUxnkCTnj=F&1D&2DqD
za-B!Fk2#pCC}*NU6Hk*i>8yKV&GGhN!dv^>NM$Vrk_}~Q|Fs>GKVUFW&;!N!ohI#I
zV^_ophZOd&T7ZBOp@x8Slmg^v66pVzkV1bWlnd_~tkg~Vm24cb4HxEfy1r0nX17CR
z$Cc}D-wiG;6;B#2p6%CF%v43rm17dURA0tivjS$0Gc4nlolquK8$Z^^A6o6YtoiWR
zS)Ht(WS?^H)UGI<1h^z@5Ypkao!cg#;KWe1;DtmUGQ^iy;Oyp5j}l+NQ;job&7^VK
z`{paf-;h+Y7SeBuVcHP0K%S}nj4<Umf8pHLhehqWme%4^siXitrMFeg{m4+Qxm?Lc
z1<d5jIh!x4JMCrXa?&@pUjQa_1K9m8t-$oVuV^pbegxIXGjc35tvOwS#LWY0+^GLH
z<r}wRl?w%e9rJ=AZ3h8ujdT9W(U}0J#i}yg38oo4;es{9<W9Tty9{iIZC@CVc&mUF
zQa#2LcXt+(AEo%M&Nk<jHU*DN!!I3rLh}r9$MXA}q)d|T#`uNC_Ow1hn@8b1x}<Im
zFvxQJ_j`GF(+A|o`Vu6?G23&*Y}7Is0aMKg)zl;V6c?&F#?0*-z1|x)tFOPidm`_>
zg_(o+r!poa70T;Ck%VMm^pC=ns+zY5mLTyYZ~S|PdF>^0<s$%8yvAAQ^S%a2?U;|%
za%Z4w@cCDhW;;5|(ncx2H$CU=I%lB_Q%=b*05+hr6#oBH%>L4ajJ$3g`&xk+P0p_+
z!gEA*y}{&pp2Y|;e7;sSQsTYdIa7ecuwHY<vxmt=SUX5QF8%Ay-t792)6T_UOT?90
z>|Jr+g!MeARnsF+0i}imnR2=7?`f(NmTs&o6LdAH77(ghVF&WTq`lkbM1OJbL0nm5
zhPn%}2WQiM$QhzCgYxmQ!W3lPjbgk$Vi+B}c^o2AO%-YWRPqVx$r?46S`n30=E<E|
zi6&f*h4dq&cV?-~u4J!3F`;J@T)@@PYXyg2)}y|haK--($ZVGA+K9@q^Y)%|kvz6V
zU#`cSiTfNLITr-*kvuKPu^J4}aaDHC{VlF^`$GS0cacu@Xy!Ch=@WA!a&gAy{=*}K
zM~Q6gNKs{ngr`IIc6LvN$XKQvu>3-_RIzOBaJM>7j;4sgP?SF3L5cvtSA{uMrH?1s
zbJPWJq{-}!<a>Bj3aG5lt->YMq5oi}(k$PB3_D;y@C)t#f<}%`jb2uoMP)dOtzYbx
zKk<x6y)pGx3%``@%v=j_TYj-u$c<P|*vR$9`Ac-(`pm(s922D;=JTGb>D;SksevJ?
z5(7)bz7vO?3pCdXzu0hiz-^4A0_39$<rT>J$g}&No<w|s{4z82qDlQ%S{>q@hiG7@
zpRj2n5nTFPMBJB*pbx*rTsQ7CFyBH`SFR;ip=^*&=~o+oHI%;`P|DAJrWvj_c6~|w
zz0CFJLOI<rk9J9pF&BCx{w^tR@<?!e*dadDS!9AP?&dbK#>Sks3BO#m@x8)zpIy>;
z1<7E*5byP(Umdo>zO2xk$m=j?B1cL!cAO-9pNkpt=X%lWl!q^lJ%M!=X;f*f8d_{(
zy^%uB&FvFn>P#wc`(qe(U+FY2Nth=)@4J2=$Dj)jEF1YXXR8%b+1@bUACO3K$Vff8
z{8&A}tEqY|>Q<b{r$QHTp0HgMe&QuJ<cFVo8m%H=Mctx>MQGRDndTnCqcqZE$239i
zZ{@_amXPSutnSEnk8)vlcLHM0a8P25i<@=Ef(-_H>Avq!vu0aCJb5IA_v&)JsEV6X
z)1p_?$Qdx^5@_UH_nbKI@mZ+=MeNpYy8JO^sn2+KLSE18p52H=f8YIKszqe26}G8C
zP1RZZ>8qF6F40zPp|PzC)0052OG0$o^W1&KCDo=6>9A5_3bQoC@P?eGz~+4;lot<*
z<5-`gMCzSHHK-iSlgCOPIx1W){6Iyglr>UiD)&a4M`ZJ;H;p98qVhbvH#R@?aUVc3
z#PMk2PLY%}X)H$2kpwRQY2f?FZoq<bJKi?f4}R=9K=R`JTa7cMTN}FjyVh_cR9YZ3
zyRg<Xf5UfUauFIZa>6=XDqWSC@&M@+Als=iZ?dk0v9=glkqCuf-!YIirF0;0-o%z$
z1T{jQ+AzBn8G(9MB<`wu4Gp=+JNT!ia<QJ53Q-*2Ny{sCU2fI+^^@zz^Ob!rn&+IY
z9yFe<De4epx{?3M#ZO3G2@hqG9JBJBXDPQ3RMmO~5u;*$E=}2b9MORC0a+fx6b7~8
zh6%jN)(l}c)eBIG=J;?neT8Jm_9<zZ+Yj2=<^r!vG>ITrHn$ZQKvh~|hlE3%2c)1=
zZt6rMw|jf|?cZn@@_C*0WpG(MYb8da`#ca;X1WOybbs7en&BUvcYZjS?qST8Su|2*
zU*}n7d@eKvKB3?o8nH#?OD&S|Aew4?1G#!Z)-RznEPEeE(t{3Ohvelz7N^!nOGS3(
zCm}b$+tWS@M*%1Bu4e1-R3b*0r-^*@&NK0cF!lYTkoYR7@W-7yZ9?ph!Vzo|j@}JY
zA`#tNW^JquDkR;Y0F}5Re5cm@I0kWhClbZEj10j(wEBa1@jxquYbm_Dg#qzxzZ->$
zWZavWB}x0ous{qoqSrJ97`}0`H8x+z8g*z|cG%KNol5BC;NfBuA=NVsEfR&grb<~@
z7>-nWJZ))A6DEnZPD_vj!x*QMo*<=uY|WeAQmUqlzV1=lL8jqzH3iCyFE`MH(I0f{
zf}PF%&0xY<SClVu&m~KZpe#lH2VVC5*2nqzC3AvBv~k%#vrgXfkm9q5qGvag3+*M_
z(i?Z~X{u}*d7ylvtv0DIM~`T88(hU7sIF8Qs-(Mm?7r8d>H(}z9b1hDBbp-)Tc$9^
zTT7;YQ<0kl&aSu6xh@$^rcQa7RpUlsG1s-sD@oH4@b-Kmi-YV)nd8BRz4?d6`+NL_
z+osGZ{@Td=pZn{E2M^SIE)+UCGb(GHo=yn@rvu{0-X&NU<zZug*01f%w+J_kJvm-|
zRZb@XP8paxP7F&;=YW!JeZ1{7L+kO@rtdvi2z)~!;D?d>=s``4>+HsRM!s2}83fcr
zVrqpZ);g4p736yVvM~0_jLd#)3S+x;Hg6id2_?dOJHdnRXu^1%O^^+UR)&uASENtP
zUOhb0RV_G-lY?Cwu`|3&=IK913B2RjW;eHj5H;BOWP>$Zygr-$x<g~~DEGq}$st<8
zXlo+)W8;B-ARsFT;`v;%CpB2fvq<@cf01nc!R+jF9!YoG)JNRD4sDNxee$t{dGASk
zhQ(2$(0H!w%31$U6uu;#I>zAVXUYN-5;5K+#Sm*?-goA6$8MdF<Y!5q+}sQ0r9^B2
zw}%24X^CI+nxDJb*Jd<dqK715GNcQm&EO*S*)_aLaK!;_Zbn-}rnv>71<l)_=?P2(
zR`R8)aQ>Q$aGTR<sP<MFJMDSWaW&IQ8FqU83Dr2^?-JM0b<6-hVAdSjok1KFH~4!#
z<ucg5kg=#dBALW^ZzDy5c@K(oe3F^%rfpnx3WnV3b{w*b{XIQ3MHIlWuSoBlD!(WE
z>qYL?JulKk-sdR_oWKL;vx)dhBz-XU=NK}`*>kQAWRtu4mA^aAAGI@*GLS4<O;Nnw
z?6voWg7<{r1Ene0ZF9u>8}=727zb<;j`HeGq9H)MQ|Sp<MhIIUKB%L4Oc;szgkVnn
zB$;fD?*!cTClMbIhP+c)+a6+a4<PMr>GKxVG~JA}JJgyY>1V%AKDpQ|BNebn9F9gV
zE%JA;p-XwOnRq0(@}nztT)!n>@_YJJfqxy)Lbb6yr_3*SaB9DujQGrtS+z=QD_%6a
z*ng}e6$lc69~M7m1z^+q)7C@B@VMj{-&>x$MSZHR%`goWmY(2KI`9=YkdOl8O8#P6
z2FjOJUz2qmweH9{+q|U`UJ1@z-9m#*)C6AG)H6*Yf4o7E-cuwr^<dHi5vo@gW}r6n
z?r5)9HsDQhH{!&PxfD5^*?iQ=+05rC44;Zb6Tj+-5!NVb^GXW}Nn1@1{B)SWcYb^D
zDv9fIqU2bvsxgs+<o8uoVAIO(oG3|lX)!e1IXN;_0<!vhbPN*~i7M)8%<AWu0G%QC
zve`Eo&sLgkKMu$r_?RT-b2&a`JYb(w!bn*3gC<e3Y}o^fYF?MgUNOk9scK9BfU<2M
z(?V*WOZ!}5eidhoe$q$F8~T9_6Kzy~8w8^4Ve4@&N)p~ZUcV|H;TaAPfhxioiT8a^
ze^pvkQs~pE(F#Mewhqe=ye9^Vx!G<ywKu9%85AaO{E$lA8jRv;d(Gl{ejQ6Mu<qtg
zP8U1PP??iFS<1$DI(#{LG#jc%>Si8z3V~?N?ykw`ZcWAM<CXXx_{k2%e%-G)db?&z
zmvFEx&f73#{A-l2+y8e${ZsBi6zfLLhmxFi3rQQ*+QxAv?3`%Spi|LGGJUeBBC{{D
zDesEgQ8VpDA=V<JG>`5`rEqM%nq{3~#c|w@D?JgLm%s62>psiq*6P<`4(yk*@iHH3
z{}st>ameM`P`y(STYn+fLO`<H{-?x@aeuaPypY9r>Gepex)a;R<$fx9M5H{F_}Gs_
zwXCd~HgrM<9PjN=lP(`Yu7k$gFqf7mN%}aV!dR=oIZ0GO3&s$ek?Qym8Sm*)4j}l9
zn_(&>605ocX1`-psI*Y%>~80EEZyS%$amBCAj8uU+j#Na!YP%U8X+AqS7(p_XO&MY
z2^Xdqcd^eJ@$aY*YH;)v5VzwVa&Vd&+n2jeMub#vYt4vZ_Ut958x#%}X?vF9?*;@D
zFri!$D2i=g_ULg9j9uzkO|ax%;}cDn+^wUkm#W7=2RA?Ay-}lL8QL#9#37WKv`yNT
zl|D#?2>Wttg$U{cS{(#_nD5(0i9r=%C$FHLn<iV*yYKUHv0W)Pw3kUy{fG;C_!R8u
z`R@uWeGU7aBI&AO@vH17`$5?64|Q0cYUi9NS^^6ULF)!*#YkV5S994nzNPaHeFb5a
zCHIT<uK{;#c+F9YA$xan^}R63PPEC1K45*L^}6x7c22~+9b(!mPcYgMCJj+t7>$b|
z-6p8^0&&ETVs5b1j@^Q@%Bs|A+%y4YgEY%m((!XHs|@+!-Shiy9H{p^vvFpPEr;Lg
zmN|kgX750c>0_()DOb_AYr>oC>`+d9cBNE7A5Ee0OVZ;cJ0NQ6e*ldH!FW)cOEM6%
zi$(AL$~XEk`_Lv89+f+mt1}|162P+g)5(|_aG<aY8tVq#k{KUKE=l&!&m);Tb*!x6
z80vFgoLW^K5JdUsS2va>jJ<PA7vnFe9s-zbImI{WWsajcUzS-rk!wIk{lzmfX*nAn
zmWG1C^eu4%{RAX+b|Q9x8#C`rwhm@p=-d$a<-U27GVe!@mPe+@(W~y&X5tlJrIdGu
zXph>0Zd@-$4GHU<`R>hC$p;d~Gh@7fh$fp{`8O47ru~1GbNnYbeW}Xu47La>ZVJnz
zn?8*c4rU)(1hJ$~N&AfLe6hqLe0Ykj4vuGP52!Vp;e$ggLIFW8=9EL8jz!M-D@_V%
z@>BJfRMBwCNSy$rRKogKAM*te7~D4TbMDNs2$-nrJCAD|N6aHxzDdq-%+Alq@CYZW
zKd)+!PRMkwzguFJEK)SwXfRDB(U5=<I*cmVI0H!mB^og7rC(LrIINnQ{hM<aQx^1Q
z-&J*)F4mw;wpB=8Z#tcS-VKyfj6HNt2BEA%_kV|mX&u7Bl@qMJM{ZU+hG?ooZ>t(Q
zzIXKvdM$tREMK;pCS<OQi;-u+{J9LRhXLT0*e?Ap#gVrxS?xKz0sGxKD<ho6$kRgT
z*JB$XwPFwBE29>J0g*8^RIS!NGv<gXbb_njV<A}{&SxB{lVV@2-Wl+Dx~_o%Kt6%@
z2!P8jtJ+&`xK(tR^z|)I|KL8YwcN}WRdeZm&GFR(uMFLR+uijwXgS^#1D_jPRKQss
zNC?Q^<{Vf+)yKH&IoF_*1sZJ7R2l2XNrS77Cei#n?7s!lH$oMdUIrVwW{D40#v@q3
z2wYm1!4AoW4@N)5Bt?(jQ;WCubH>BHRYZGBM*i+*b5+t_3Tcslsqc=ts3q<P>8<U4
z0N_Lb%Pwk@@6iW&V=oZ^q|Uz+W0{j~CD4FSO7eq;#e}VF9K7!+7d+^WdEjI$c#-np
z2cGthZDS9reYKs#=H}+{MsVhG4$CoUFxepk{|zm?G%`teBfMbe`EIBsOA^~X7qznw
zQ#<3Awgd8ku3$0E&wY0FhmjN}z_<p}%2KsmqcVyAuZ~;`CDpxm7ztmM#-2oeOG(<h
zqj@!$Y7Mz!@m36$I0=h-{J8YAuIt;-l8UEfGA{;cx;1w2srUA39cEr{3Wl4Zw)(ol
zw5QT$GE9c$<}HJt*^2WfcMlu8m`S?S)hgC%j&F8Rh!TRU7bpudyz`yMRv7mmueh`4
zM1U*21ek@s)XlO#Wyi!9f_XF*HzNAnUAhj{--FYXK^ro2w}zevf~4f%_I2msZ$=PP
zjqL{iI``^h$t;Pd5^gZf|A)}?r{+_2^OlJVLVp&5gMOWW1s!>%SDM;z--8OkU70)>
zOIatn%A}-7-=4CViaxjZ#!;Fyru*a%j0V}L#Bj9L>+taU<s3`r7_FB2%ydH2&`18R
zcK!IoeQq&22#L9;?G#$ced*mseB;lhTypc1;fl}t;eAt=*KbM>I%!!v3VUJvJM;b1
z-zVuqolI9K9p+pbX<{FNOXJwG8QFAFHS>c<8I@o>`}`l_qgi&{>0LXgPr*+4><LW-
zWxenGH}zP)m1=MTqO-ko6?OV#zfOt%x;RjpQ9tD(QK@}z*gTeQOB{Ldd$RG*vY_d~
zJ3KAhb^pf-6Ab`B{yu#eWCFh6GpBAkL&lkmze(7n2V-k+UJzsIznVLHmvQEJ6p*FP
z*o)M+5+ZZ}W{e|bW9lNjtgLrz)9?&%AA8Rb-5&=OjMdE@P4wEVg>0JA@GWVRUd#Ng
zH2j5aHSg|t$O1LE`$$#z^WbWGq&gAXbB|nPR+}C-1u@4SrigL9RjIaBCP6d^rr3+-
z^DOCsRM?0|Zy+0+{P}x>KD0IB*aKt~j16_m&D$yakcMBIu=(Q6+xNw{pMh5TD1Nuz
zKV`mHb$Zn@&tXx!@hF_dud`xQ9;4y6Kn$aeMA<8rG_7sp3cHmVQ^|)2K2is=pfVd0
zHW(Vf*kdb#*e)+o&sRrR+=OqMV9w-nX7tEFDGTr+p}7*A`AIY4!9Qe#KY8KjHxE92
zdvk9roWfirc`Z$jmoPm$;G>|V$75&*M~X#$nM1OrIr7ZKyD6bJ?~&+4m@Z+7Bx_z#
z<~XoB6<-f5rEd~sh^yJ~bD*(;uWL=EyVwO$nKk4Yw#-gMM6~~dZ~bN0e77jfywLXg
zx<LU8$8%umglf2+GkJ7sVD#0PcXXTm9=rDIgAT5vIrUByP7z~M&YJ7U$VQhqd4KjY
zwWRvubR#_&4^F^kX2)Aa=$;P9t@s?v_J)No*MB{$n9^s~p{xsU35AmRO)CFuw6iQp
zCvIog*WU2upJZkXD-eo8vw->bb$!CiDj!NF_dPOri`9zl7q?RuM_XC8h+7!d`ZtN#
zXuxTA1*@^k#8ercqdBd0Md(EsL8*P<OAecXKl0OedFdv2Wisk=8964N>oI*5s+RN4
zZVc1J!<-%A0(eya&5_7MK5v#4NX2+y^L(<ELFkn3Gh*I>a(xMhDTbpsc^#kUl|iiB
z^{xx-p*^V<2%ILJ@Ri*}qI{5YPd2Xqy?Kzofy&omdoN_hlJ)JFx(xVf${-6@DjYCJ
z{Zu2_C2hKB8hUqpjir-t34TM9P&VwhXy?C=UZf9}(hP+*VHwV4*{hpGHb}}UI3RgJ
zv)o&=3}b|}@fPw|HmLD$E#=IuszTocwKE-$%mOYOnzO^}H?2`GJWey5#&w2Po2^BN
zH*XIAR>Jt_N^|3dDvS6hbpBEP9&mW<$_eF3#Ti{6`DttD(W_*xS6#0HCmWTta_l{}
z5lO%G(MEJ4Bw*l&m(t|$NkYKh7K;aE92=rYz3G959OSL%Upn}o|NPoXV`U1NbDi%U
z_Csgen4Xs8g)In|E0Axpc;^@FEoYaq6#+6-WL>>9T!49Z)}V&tvSn!#)>J~g*KR6H
z@nz2Pwl|WX%s7JOANi#J!ocJ;i%t=X#*py>jDgKZ`Kdn)UMh4US)9>-RFnJbb6J(@
zl(TuynJzuD`2$f+n09c)FGi!~@HAh5`B(79m>5-Cx+Nel!VNS>a=Ykv{pY`PKN$P@
z!O|+rSQ>w*bCuA&KGp0^7YjW*u%!9vWK}ugseZqkW3r~u<H0}j?H$a$Fj^1t?JK+s
zg}gn?Oh}$;$OVKQ{O@!)U6<C15D(FBx%e|zRh6+r=Tmmx?ANti==Xn)c^#i%(nh4Q
zMV869IL8uX)wWDnmSR6<$*PXx=Ve*=bfMCQRy{Vbz}dY84a4?L8eR2D%^Hnx?+CJo
z;`U2Yp>y|X1F4tvaD=~WvVS5adFG3O4@=3ve$30q_M+j68kS!$YA@ge3#_jPn!T+O
z`SlHb_?m_%emNz6O$}$MR%9cOwoZX;cQ4PjbDJSw$tB2s5!R6}-ZkOREy=x*wz%Ga
z2P}$%Vb^H-a>Ju3W2t2<?eQntad^?^?w%^=y4t+|^YuF16b#%X@q2mkU$bIFe~U5K
z2jftdeBF@O%CbBM*jy|7(NG}$fkUI^fWlLSQlfHgnt_3pV`B@(9wuq)L??7w;-(sV
zw3X%8AIi^w^cX1(3?G<|4d8Ldl<>NDhV^8TS}ExGy7kxAGyYui4Gx))zca@FSY@cj
zEwN5uK(akY9uz~S$rWU$%c%A!<@oVzvfqsQEW)VIY9a23y87kTYRMe4Yd4wtic@;V
z_{`-y=gB0B9M|zMLT>IHE~qqjblJy)4wl!I95&4wlJAgS&-rul;$CR{i;of91Ov^0
zLNm|+kLRiZEJv0#eWLkkbpc$_L^0Hn>X^-kTBm1qxg+LE;)Uf_fSd@E(A3PqbV@b~
z4pg}Y{@A@mGQ|c@=(b~1MCOu0gzi1je{lQ%x&wJ?2tgSY=0^lsfY#jPv~|{4kg{Cn
z)TYyPuv6{hWS*S`y%aUcy_g%ZesM6Xa9yv5PJPJknOJ|U{0~rsjWrQ!@VbgY@Gg&|
za7THm-9O0af3ev}?N+IJr|S1&g%=a@2@AJ+J)el-^|8m0zGf!tbEVSj?|0lmup96)
zI577Vv3Q>rn#tPTPJB}V(5*DC$>@d*Tt-+6rW096MYuU`694NEUclT^3?PJpfO8>)
zR!m(P=uU=tx-BltX0w1TSJAQ$NetdLu5;rgWON#nmrq~S;80a5*!9*SL^iUeQ7AbX
z=t5lx$};9c{+F$Veqqrf)kyKvB?TUkYMOf_kc$E8dQ~6or$pQC000HnBjp!au5WXe
zta-P062}=M?!@sp#T#id?XVh_s>2|-_({<^2R{<vKT1Xaocq`pfX;H3O66DvO;W^z
z+794wZC&Lf%}@M*fx?MDOi~k6_~uw3=4xaeeUDX71%oO#wLMJ7>fu^-HzS>XW+>Vr
zYG^a}j_vn}7GgsB2{OA4hTazP^4Lw^WUzUlVP>ZA>VJsdXW54zZA28fkVTgnj&CaP
zdQ9+y#q9h=&03MULOYA_W$DAr#>iA3;lLS<4_Erq@J-0T=Kert8D>;?-6nH<CL(~t
zgfSPXUQy!SM0?KJMme6plAN4c#a6EBo0c$@&%5T$X>=7QnG1o0*Zr>_ePN{UaKPsI
z((c*-cw~e&8>-tq?=$*rlZs!SYVrFZ-W>rv=E*d~j%P7i_5J({t&S0?cH4(|dgQrY
ziaf>QFZzieYGW|!I*n}kjPHCxHarpRUqgD`C?Vo*wEx4pUha^MKGm3|>g@;Yh<Zh6
zaddJtilvA{<&l7Bxc$CC#zbB9dTp+TCmPekLr6_n*85Unx%&^cdjsOI$M&kCytsZ<
z_xi%(X4RwQrSUPQ->dom+6q~3<}EQ7DaWSS1M_%Nf4P`NVO6$+)SzAP*L59AcESoK
z4E_U$MS<@i*EHf(U^zKFRbVtGGo|a{JE37HO#ZK0fX`#t=G#@L6@Bz3u=p9D>S|cV
zExUpK8w1$uSBqV6{9dW}r)NprDwWKYXH+=XQ(`Prnl-Y-q)6a&Rrm*ZDi0vmAAfQl
zRWHyva_6c%D?-Gu082{MKP~CoP-pPNobkuwicL95&9pPfIvn<B$>oXuWKw^#340bT
zG7T2d6~L?5hN~=vefj%cWSTx;$B{_CJ~=2-LS{WrJb9@kK8t|q+*tJnCSMgbrc!P4
zhTgk@JFjv^!6Xx2z~T*%)cA+c{-2HIvnA=fGPf}vg@Aa505<>XVqXjP951q+z12U8
zOH21yw@UMgpVwKFu!W8xevOTD?HNpRE8=e0r5g%K4s>tZ@E&n5)Zb<bPILne;^S%m
zmP`C|-vSX#Ut^AjRg@okxtxWT<2lLFBQxHL7B(qZl`Z!B5;L2EF;J|=+xVHN;U0ek
z=oZX|(ZS(yR&xe!nqS+1Ty-mAbd~yly~pxFRG4l;Yi?JHORvh9I($eoO?!M<iW{|Q
z<1H#x;QpwwaSi=xdw;)o*Et5z=(O;GyR5vVIQ{q@Ti}ps&$!7JGQJaGmMT2H_RGnW
z#l{+17^J^A%3xbx>P5|%FLAJ8rYUrP#Qh$TnUa9WH9ZPQ{8v5@a$TAaz1SBbE+|vW
zPEYY+B6WiQF?jZ9_ncu*t*=Uzr^&j>w}3fWh}JFVv5jygWnE^f>&K}*Ng=+9fmGwu
z=V4!yUUiH9i+|Gp>7RGG6Ra)04U>?JYr=*RsgHqzbWHh*DXvv-_n3`coJ!uKj0WAt
z(p9vCbd`N0e4X81RtCuU=Na76d&5Dq(pSpPbZ<!jj{o~%fIs7~nqxwvrBwxLmicMt
zqD>pH3l(@orH@P(QC0PNXx4UJF7qmWYd9w&fMSo*q@Ov4KgTxQcBC;t&VS(SP&9cW
zRmh2I^Gl3dwl9ee-M_f}1NNPzlDs#^55>-AE4X${w}li@kG$&Qem=l?d37Z5FipiA
zyYDZjd4j%t?UK^i&k);vlk8P@F6>Xd@mP*L=~8NTq`cHqrMo&!CLO0Jf_U)HRQ-RL
z$V)!L4I(yhf&GX-{Q5628T$gX1s_umhOH$nV0tIbQZyvpH|m5Kdd+k)HGc?YR%8LV
zvLf)FLh0b{3aU8gx2V8km0PNfG}p64@$a+b*HOMM4N915xb67ZIQdS!v64A?3f5=a
z&fw9Is-ik~d90doCCfpWF3>bRB2WGK!5!^bxBjUpok?e(R0^&RhaG9^s0Y7S+5Bg{
zpQXKE&UGAEbZjkV&W-4%>|->sa3IVj_<)2A&AqKq_<-nYvtGRZ>V3+jx8BbaJx(XM
zhIB>ZsXkf8v07$tz$aF;tuhT(4qh_lf+7h1g`}DAgkFQ;F%xt~IXfjY>(Rtavr@{=
zU7QlUAS=e-f97YpDdg*i^@%42Ba4qZ`%hPRJzsO@BK5ezA_~ijh4BjLlxF+RPjMM&
zhZm)n87j7XbYIUkpduB(kJ?ezB7$DD3V+eTzhj1bDlfp4-%sDz^L_x~rLkqI1gM=X
z*Q+j8ZC{_nrPGP2Y?!T5LaGz8f!mk>$w(TsD)#VJ{hDN-^^)HM0CTbiYL7k_60J@9
zKND6Xa>pwoH6E0at57X#DyOG$p#Zc#N*dGXp3G~zR=qws&XJ|d8)#PPs%~xDYR|Uz
zDIC}#6d}YegjKc#i21rC<eB&2WEa9(lpz-ciT^j2!Td5j^@uUq=|ME}RdEC7fC}4X
zptq>WT_{C;pl%-4w+N74v=+kH1X|AXQ_ag1vkBc$V{qx0zhnGxf`1-~N|X437*2gs
zrA$eh+7*Azlw|&$DWxr03y)7izuqtL-kg=l{2KieJ*L`~>5OM?qJnjy#4x2fq9ps>
zQe?HelZHvh)?GaTrLkh|<|ExE{LTn5CXR5o3Sx$Tj}+hzpN6l>Q8XF`Zxr&o<_bX8
z+HfU35;Qy408irAMI~_g!39uNF*V+oJ9oQT4qWVVuhR+n8Q`)^lP7H5X9B(LSm-!L
zw4}#0=>EUZyG&~TSVLD<0Tnms6o~UcU?85Sy-jJy7W*0FeF(`WTblTUdW9E)fbv+*
zql}Itf-?3Ouml2IU8W)W8qx|c6Z%~8llL;K|BHE)H_tPgO{Hc%dQ+dV@IJHwDi8_-
z5;_}t2J-9naGuDpVhl9FQB8@6xAo`p8Yn~4dX75^15vpN+8oc}TLbcw_yKIgbO)aO
zevIPJee@b9?3YStWH?NEJ?~3G3o_ke_){I1Rd{b+UzLd9-80cpRmCaJ7!<=UewCK;
zMeLbuF+V{?@V>DbG9(%Qs9RJDmb=EFp|{lDe{OBRS$>1_E%b+_=84k553^V54YYYL
zSCXN9*Eia7MXNm3IDM@tGGhb^H`z$o|FDGqpq&gierPyj4Tx9Iu)7&a1mvv;zVtKJ
z5PHnLRi!gny3N6#8*#{p{onVHzYSr_l?Yw&zq`W)0^w}PCRVjnQ79d*Sqn}Nw&d5G
zeYMXzIqbyx!kxeEJECSi;G}6fin<(m1C?LN6hWrZX%#LNYZLKqTQsx($j<(ElDO}O
zf+A8Il~STUTyzJt{4uEV?!D?H=y{%mXvPXDtaw2qZAQS$!5n?QO2p<=BVlw4O(rVz
zlcBSpOlvH(l!!TC5ceRbdXlOC|MY~^f7cUObCCx2eM~(EcG|LW<hqmIeq6msme+Fj
z{oY4{s&#6O3Rg5XFBNF*UgtYg@)*B3eF30%>5CAU#)Gys?)PWE2$U3Mjo^tH$VTPA
zd#E7^XTSG9jLC@mmVt;v7PD0QAM`+LG$YX9?aZXozy|!+6WKu(US3zOB$Zla37<qT
zjfu;z^60wjj6d;!O5PZ)hM<-<=pDkgAvZIt<ZF8oZZ-}uBCm*L%ymTd{kt>tx$X03
z!owVmvnEosp6@!BWvqqd(+?C(P{;GE99`Lyu(=>T!VQ+wj!m+?mD4lE5aVX^g^u33
zo?N-0t#p2ZGFs3-D#rg@4DxGfN8y|jh^rduEtpgL=zp&y>N??^%7X)-V@ds150u#_
zQlh$F!`(oq&(6zO8i~ccIj>IGOSU#*m?zU74?58s4rPazKF@bt1`Y#^m3ZyLbP-$}
zf1d{Z%Yu!JZUH)g);jQ#s#Rvt=bx$zb)OwY1M1?^O&cQAxu!EdY@O8AfVQXzp%;r|
ztaPibr988_{U+J#08gj(SGx7xc+M{kQW`IK>XIe-t~Vn{>c2wkXkCd$m~Nlh;s0an
z+vAz;`~R=HI-eA!DCA5|B{`4EDaI5c!&J=qeBPWoh$O_Ya+t!*Sq`&|QG{5?=FBGN
z<`{;U!|&s|@B90^Tvz}0$YY<q_xijJ&%^8O!kmQ*At;WAI_z$gLlNbc--sy8%6OhV
zCxqMYxTeq>?Z*W#MAitMccG*Ai1g~DJv-;$^4s&zIV_s;HNyhBc;T7=<{Wpj_?g+e
zJW|;FS#^Lt4kj&w$6c)O_e57b*lo_j|3Hv`IQ`+=<T}Z;<<sIa^D{1h9>b0T7}XC?
z>3_E{t{e`hAe1K*Qw@A@d`1{|sFD?IPX0cKHl=1H9BNaRpFv*`GL_1X9OENJpe~$5
z!6oKt+h3sSr=Y}4z2on1Ha~r96J46Mh*-Q--~B+^7brWCcTW7fum$XMs?&wqqAbP&
z7udTI4(xzWT+oax;Ph@5E)ppixzDIvvi(H?WfA1Bn+AE49Pv4F#jNyZ3sgR3Gl5#^
z6EQJLEU8pW;TLvgG^bKLfzJuwWeWfAPaUQEkpt4fj?a14o$0Wa5FB<vMtCvc4P->g
z>5Z1Wv_yicnE-gA+_}TcKqj}$lOS2_{S1ZofQ~WkjwFVswBDyY)O)(ZE%QDj0C`Zy
zmc3nZ^kv7p<>?-oi8PJQe`WMNhr;$jucnr3QXXo@KhR?rfy&!Am?UUjGf`zIjzigt
zlkUTw#M-(syp&JKuv)B)M5B8q45G5l_s5|9&g=oCpzxy~s#WQ?EvJ5#7P)YnIg%bm
z?L*1hDlV8j`Tqmbe|ry?O5hZ8lLAn|VYE4&sH~1F;|iAXl_!>O;@^Q88Twfir}y1(
zU%zK>$^~EeI*tmXUlQI?9u*wxH(3}5T#B?Dy3wV3a;F9V<UB#UK%*E1DDuTYI(VE4
zE#?b9@j^(S#r`h#_`lij+OUvRX{4etOSVu?(BPxUvOa~Y@1=oTL#jK0Yf3mjEm}0u
ziOlLQB!l<dW&ifV;f}OeRE5DE16N#v!f^tZhM$b^QE)vkQ6YZ6J-P?~MAG-;w_YZ`
z*~4k}aLd106VBM{`5vVs&BS<ma1wJ3W=Bc*Xr2fHg=J!cgy&Jyu}RcIMVtYpxkx_c
ze#Vdy&X6fYRh3Ovt?Uv=$#4!lenyePyB6~N(M`qWWANYNAs=rKpLXRL!_$kz%HS^Y
zlyAbm&=-keU9Z*!b<arWQtNVkZb&(YKNoc@PXrr_J2>US3N-}E<nui!7fwQ=mfv24
z{;P4g&i2@J*n~qG3yPVs7*)MuyFbbAe1B+pd0{!)SX@H4NF1hFo7=`q_53g(8tJk4
z6|L6yq!4~IacXIbTcAWB<z7@_w-ON+W*p7AOTF-)gcb#UdsoqXm{M9^kfb{%g~)Hl
zLenZlp-IzPq)Fk!h|;f7h-N!Q^QR)Bt+GB&(<cOP2u&hn^AbGa3X4;bH0d>!(U(`X
zamCiPH8}3yoXW-bf9yksp?WT)k>rHP;_Qn3O<zmZ6N;>-%H8Qpr35`${i;k4U0P%G
zd7Z!)<c5r%%~k==EKk!3&Frt){^O^m1B2J-(pBe^X+n+<{eHgMp$!iHhBi1R1dM)Y
zD?hHPh@?DK!;#388Szr*5{qM68O?SO1OzLr);{0+T3FgD-A~pJ=<k*36xCT<Z7zt>
zt&0IqbfkF?ix-z*H<RVw|FER-D`)ptR@7i#H>@1ykOlI>mEQ~sQMzvx>c#cGbj;mA
zpCSw^p*a}|<R8ay7yvgYnOX-aaYkaH`hvr!Bl&3_r>>Cdn`nwHh-a9>9=*#YwqS7P
zE$s#!xanStwbdW@A-zx~wP~{=wqZF5t+u~wGye0+7Fg{i)iqaq<}k?56OfASPAFWD
zI`i(`MniUT##gcVrFTN$K7+WbH@Eh+%)ysOu;YHC(>o|aN-#nGQl7?qgKZCA_lhT!
zQE;Y2$QtRIWmVL}onP1kdn)V;5)%JyJ5Y8=bXG}Iq_2C`R;amBYWW0qP#`KpkvX}(
zUiALbVbLnL_x7P#?BC3%BUheqAF1-;t#kCgjfMOxia+*Wyv#Oii*oWJS7&j#w+l)5
zJ2fkl%nki?EfcB*J(-7O-79Gyc!5rq(qGMaXH56fQL?-=_ro<+_jwVTr*gJ~>qFN=
zfqTJiHx#>mc<wS^{FOl8f7lm(M6}&EU?f*-toLPh5X4Z#NM<v~%_^3VZj8P_cF!&I
z`#Q(yJpbV!HJ>W~tqP)hATl66=3CEfq*BZ4mIeM)<Sir4e^;4%`zH8P%b(}s=_v5Z
z1;ayHht;Hd$^>!~-el4A7_&$sL;;~Ilgr^biVbd+2)sppCuXBpF9Q@<T4(&@yVHjx
z3VY?M6VHwRuW|VQLtm86{TvTUyl(Lr1@?&?Fa<Pb0{MwS<wp!y+_Mor*{DSQHP)8_
zNr39B{BhgU#x*5T0rRc2r?iyp2arC-QcqtT!*%n6mHvI;Bd1Odmy@Nd^s93U@WNOS
zy8M;6>-n)+^4KhXY__<wY%<;zb><;aI?`-j1s;1A73LL=5`7(RC)f8q(?wk7jDGqw
zmz?vl@xaX^b=`aJOr30f3Ro>Nc8P}n+jH?ge#ZsrPSNCrk4Yvad0o1F$(6eZ^xU9k
zK^ALw%Ah|}vlQI&GG=l+DM@4{F&=Y*6f2oa?K2?lZQ{7$M|xoUX>9NdMeAfWzp7?D
zV|wCv%hIx(To`o(B>DW@zkZN!de`k00WRUYcvp|0hZm?Kr0QTiTIqD*C1*$bJK=>E
z3VAot=8lG(w&YP^@4hzy<BRq%qmKACkEt^TQqeD@FStI!PIt0@eM&8zE4ij^6>|*7
z->G=;Umx^7U|+bMB0|bnq5XvH({h<paU8Cmof03NNVoOoN=C$?@9eH-X3M6{SWNi{
z1_Ce~x=lCJ89XH!zzXg>d@aXR5|L}8tSy_0eE$2mvO5K#QwZisL<H*wVk>J*7WpHv
zhhtl|B&#jgB<T+)>rAUwv3lJT-7lfwZ+Bjp?aL90abi5wz#6-5iyXfIK)TbvhjiVk
zKTRENpGDKWzN{yi-t@cs`WLs7y54$j*HEcK0_Uwe!FNC$;61|ix*8n<I8m~ADO3Yp
z)1|EVqVhm5uZ*s2n6ZpO%fE3+PT(p;E(kFZ>%#AzYjyOULm#vi-8mKWa5>D>r_eHD
z=GiPFG4dGh%h#^G%P|&QW3G?x<`ZlWWI_tNxSB=c;A`7NjZ+Yk<}Ur`e_MhJdodo|
zmwfaBr2uNy`*cUjOt_vzu_$uv9#9|E;A8iE!l?yy&DWr7U7=I?3IokxjxwVh-*bjp
zeuZxR!js6RMf*cIQ{wL<6aiP%C4&eQfv6c-A`~Rt)ImLZZS8c|I9xGW6Xg=G7E9>V
zssJAqI~sDjmtsT=LX4jYT+bH?M}F*T>3*ob^!2LF-2$M>nV$Jg89jOL@?JVG1e#hd
z*AzINlB(dvOD6Yy)-T9O{t|A~l)0IgIg<-p7!%%$7!cP@seYLsWDq!bq|7rM_3`vY
zZquWd$0-AYm-tp)tdby^R^-I}`3;n+;)Juc2JoeBo{6O|9#f3q-;`I*s7I|H$-YWy
zXS4-egap6Lkx#F&r+ns^os^SsZQs82mHlZnDIxlrn<30dA<C9=5j0>*_PPXD(0wX&
zPa*?3x^lpPaW$#4RoP{?HT6G9wc@ZQ7bHc{DNdz3{Z`}cD2<NEDcfY&9aC}(B}2a`
zvv_#6tFR1LcMJ!6&#jj*oHgAE_wtK7XwkAd$LeISYV}wgX<vRd+<Ei&v(4=RxoWd9
zO)h=m)pzJZtrNE1aK%0twWp-d(5ql9c&zt_lrJpVwA}9Y-rPN_1*vYDvm2J(dKUvj
zrf*9Z+6&d^CJOu}uUhc#kxGSHYDw&oigA&@?aWh|N(d?(GeZvC-;eeuCGX>i5cG_0
zA;&ATX|nwx@m%h7F>jhQr&ZI<#nO1BjieR$Y23=IVL6$)&cDmk{u`))`vitNCEN;(
zU(IKdUPG;Pg^Ki=uSq3<I>s7i;4YEWh0=;fE{M6}ar08n$FWJ-cs*e&z+sgKhiUPc
zmPTTM0bHs+;kU!ycd6W^LCr#6JSf`993u53Kj~VRQ3R(=e@Va_1MIpNVsmeW<-8^j
zRPp#J!wL@O{+Zg@1`r45VbS6us6F9AkGU}>;HDz}cGfO`)?cLu0CUP+xak63syHJK
zO^t@`iHo3ok7OrjdcF8T=zw>#v%c%L;Cw1?E*$>qmS`kl--o2f@OHeZVbNoc{tNYr
zMN8F7ZHA)3TT2Wb_4PZ-ld0ZRrO7mO8)$W~d=_7nRx#umQBFPXr>`>eUW2$0?Ut}I
zxFpTEWLBwX{K$H{QGv2*xc14UPra%m9ZOmzIvewtF>jt%aMN!}_ZZn19yByKU$g2s
z7a^gn(Z73YC;;u1uXpUmI#oO~{oH98PQR|2M;<6wX?gF&KPQz!E&9SDxQNY>THQ=S
zY&Zc}N~(ts?bv6bdoW)j{Ykt+ysUe!M4`LoVLS-tZjL!{M)ztY*Kp@GxdUg~Y(_qe
z8s5_3+oby}_SDiXo32&#iSPt`9LhR4Q)}HHygGoBuwv*9S4NQ5@r-D9<WlFt(-T4W
zkxMCCC2PrMV^6kOwY3HcRclh&CogP;_h2I~EPj`e<?jF6?j)e!mc0D974P`rVq_TV
zS9DNN^?V1#$mtBksFpU5gju~Cx;;5Rnm`#x+hfb+VnQ=oOC5iy?p>68OY?5N*-4(7
zSyK{W9jP%NVNUhz{aOV2+H+H}^=5U*99t+elesZj`xY#Rz|+^|36S}K0Sij{CL^7A
zR!gyqm0>Et4k-?9eZV-y7J6^i=br%RJ=DG#zzP0Apy=YkA!2!3(iw$^JP`)naifcs
ziKeC-ntk`AJoRY!*PmN8Lz>7H+<0r5-03)#4()-CXUv?%EMv8zPmvvE$DO#+u2r4&
zJye(bY;L0^hyk{S98`0td2_{Gb>yed&rb&p_D6aolZH-0%C2S|*wwY%pFQ;+AUh3R
zVjK$f7qj9gZ)OO43m>EiVg%O4ue>Vt8}&$Q#doF*n+y<||9tzDJgGCy0<KkY(AbyI
zIgLd$UtfF)mo^NiPJAF4txqV_Ce8(JZz_Pt=Rp%7$Du%)cZORSbtdQ3Z$J7uz(w`I
zAoRxJq$lV{9FZ6YU-NP{s^n*jq*cfEtHYtlXQ)I4`l^(XSgDJttX6!^{(B5=I<GN3
zeBuy}lM)PHoS+hFM|l}DWo=%DgYZph#vaxz+K;w8!4OfX^dvS%yQ^MW1+;U@X`T}@
z6tmiOYle5ainwL?YW;kug4LvQk0U!I7CBZ=&1Va|YyD@@TkI)_*|!*6-`^2}-Z}u0
z6*A~DzXdYCdClaGABq${DLV5)*4;e^@!2U@SKO}3^H-P$1w7?+KVww5inDMb-^!V@
z!*;rYyj>t90XO1LbpmyTZV2+N-9z?Y#V{}d-~VL0Rjf9X=$PVKk!!l~lyB=Y3AjL!
z$5m0<8nHB09f{vu2kuium0m8f9&ihs&33-~v~ut1>xx!;l;4Q#a=jn9^;Wpv@lcXj
z2mF@R+69Sss(awUI$Je&Zz5P4jA`hCNj?FgYh`c=A^s2(hiU{a?2Z?wrrplV$Cf#P
z_w3J*EJU?_1rnqWt7WEgl}0fPU8LrsU`tbGSRJ*I;owAU!XoT;Y$ydq-9MS0zO{KZ
z9YP?EOI1yO4^!R~W}J3PcvqwSxIyqcz^Ku*V#`Z-HQHRyDBwZ4zLxTp+UXXk8+h0Y
zThn&g`Z$lNL?u|`E0Tj$z+>Lok8W2}kv0j_7GLPA#8KBlKwg1yk@4OU##(Lpz#~()
z`t9dQlnAw7TPrX0o0r;D)YCjhA{iyI2<CTX#S;BLhCd(LEsCko+zVB7M8CDVkswK}
zuP5K8OzPy9X~UDy-g%S{0a8`E59gz0&^;1eGio$g@YVTYlhS+L8HwC-B{pjm%CA-*
z&eFMF-s{*>VQ~>IGt)=>sS{eESPV5}rOam%G^czQkXLRrCZMScc)!CJQ@h=UPIB!6
z=Psu{qSZTkyVMkBE{)wawnN21D%y<d4BQ*3FRHj0I0NvSX>svrk931uZfA8CgqvNe
zkox3{1y1pZ_ub2pJ`_$#=wi17Mi0F0a$X=Zo1Z^5e5joM#(J&Aj2g^Qt@1xDz#ib8
zpZa!C{ih+rjWq)rigFF_mnJbOJ}Z6pxb3ZRb4EdzLAyVof-0v%RItE1f#eVgxM~?<
zGH!04o))qYWu0ZcwOEiaT1j870QU^cAsN{UBwgZSVsUk)v`YV<({>8A4JMoaOKH9O
zJ)1Uo$LzOCT)VpXUV%fspi}`*V~ZPipYS(JnX>oI!voWEq*FX?weA+*bDI6=Ah;k_
z<v8{zyawCWl5z)r$);I4vMl=5TRDB_dgyt&aa$Dlypm%?XQao}I|~`sDBrfwEWVwF
zJ92_nn;X)Q$Zmduw&GW1c)E7ZZvbl;Iu!<tT`FezN~?oQl!NNbVV|)(^IWrM#)D~0
zI|T#7z!nsB3&;!={ZlOrR1;4+=2w=e;b~I4^^gi_GDncMG)p(_>9tE?cCZCsq|NzN
zVWXspVrd?AIEu=UukHG9Y{(cUePHR;LB3QB^K%o<l|ZZL&!+Fy2%|#Xjb;A)N8=7O
zL#H5sB8?Be^y3(B-y{N77{l(9wH5z*F{xwO1tI5S{x(LpsaU;zn>S&&vosY_PdLde
z5zB9eX*}T(cqi$>brC-!Y6W=+5INHo&|J~}dIo3JT=Ld3HC@lbowOVz^8q>_6S_t&
zAF!r9$eT0dWtI5gRA?mu28I_BAs==c0k!oww(R1d<ywj{W}O+CVSZ%ud*G0t;m{@|
zFzYHr-Dafse5|4>ZLQ5;k4<gt9ix*9aei1<AET1ZM%oT`?6GpEo7CXH0aI=FKxe<-
zKM=kh&X(#S<)8<%HI+5JiCEMwI<>~>UX11EGLO5R2UkSAF@JhBRgbfkm&4Kayu=$V
z4TXIK0SWG7FeRx{y(h<p<)#a-25<5D_mLAtBUFEVXR^tJI`-S8xK4z0ysKj@yDO@a
zwvOxgG@-EV{0I3GVtzF#v<jtewcGHa)DRnoADG@feUH<^n$>c4vc(Hl=O~5Gt+G+t
zvpXP14g~}%cF9JBUw_{R#yDJ(%B3Dw#pnR$)9}yc%1v|b*U$iX#Nz2Psz-899e#&d
zvamIA?XxcWb673`8AQ)N5omy<rVNd6e#sb9Y7f#T4$xK{p;O)5w3EX=gA1ZrqN)qu
zy1{aZ)2$v(d2(VtKTw$0FlJqCI`&1R_oQ&D-C+m1YqBtB+uzsi01p0Rdtu=ys}T8l
zQe64vWUbSENUzvVQ~zaVvcXLAq&B6wrSt|D#I*BR^X*HAB`vHCH}AB(J|tP}#yH8Q
zT$gJvR*~4sIyLJ{2-KJ2E3==(I{H^mTT$EyH3q~kYq~6LCR>50THLSLqa{$D#*p?m
zsIB^WlW-@L^<f(|=NVgtwQ{d<Ca!lCCoR%VhPK-LDfzI?{-3Fq9g=n8_6DH2l2{09
zrfk(AHamTLW|CnswB@I~n3GBE%Rm2m`u-B{ZS}2T@uzS4!re~{Gn?Fu2cBb3?@EC0
zg*kv017ot#uWoWvi%cz$<Zc;6-3Iw;oyhi&e1P^?Olr~c$|=`3;GXh@fV<=N-<=w}
z6~p*tJ1?^0F~#+yEOB!LU6XJE`Hi2JI1>^<qw@F<fo3Zwc^MG@YMU~B#u<oAa37hf
zLRTVH`X?#s@T|3!ufqI&ZPWpnlsby}`I$+Z59$G_nJB{7{02p1c}Q_>A)8FxwgQb+
zv+A$aqn;kH;XqwL1hrZy7Cw`2eR}jC)G46EhZ>2FG>g3Noxzzy=ix_>7Y;35){w<J
zk(Ye}N!SRRN$PqMG2X=~4t(wWIc!iX#gp?1uVkUQv8`fj{=w|&wRMG>xD&xG)Vw#4
zJNwM(sy}WV%znxnaJ?lZ23>;;qr%ZvNn48*q2qHYJ{z9txBPoIR~nqH0*0S4PWaQQ
zpwQ<Y{W~qrFGJoGzrhC)KZ!sC{}8#sfsymw=qg6Sk)4^mSJ04DoCj3GHTmedOS_99
zXEH#^Hd1UI9hru+AQzhmTV*YQ98)wv)DeV=MVg&@I$T$_3fEp@%_p+HhjBrq&bBWn
z$PdM2L7E@wrWM}&;%a;OqFx_FnXG$WdlUKjS<TaKho7}9+C0S>##(0<2@Zjb!w``J
zOBmLSPqedTeIZUqakD2hSPJz0(Vw`f%GH`xy`~GnCdR4r+aC{7%hH#sb4!5~TDwKY
zQC!`;r$>C-)h1JYQU<oVOx{eYvdkIg?WsY=FylW{Z!VpNIAaYo%>N<Udp~~iTb+0d
z`-_Ts2KM_b4Okp3o9cvV<S^`h(>e96Bq3>{tGeyWY$t#yhsF1Zk<3lnLkvi1a56fH
z5zSp)E+>y#bgv3A>d^(T4iLp}YsZrl3KT@fXO3;9;F-~;iZolj@y$muDl0Y&!)>3<
z&NWaSBW+$;mNbTyNzWS{QeR^D<Xg~7#Vf!vBsm(AFklE*T0VlSo|z$AuisowMjV?D
zsJF^)0j*q#g%k%h_*mqfQQkixoZ4-a67KPRw`}Y_S>Rh)gmLWq1u-ph*JraYDKi3$
z1oc?Dt$o>hXx6t^80L!C;z-^RTz>=pRSO)PYiX*g<%{0;%0I?dwE2oe^Wr3ZOP@VI
zp`FKh;HgJm^rJPt_EM2~uuscsZF<d8+I%*ucA=HIX$)~Besd!XNTvO3w!y9V0buC%
z&lhG`Le1=~agWLplS(nQaP2y+Bkl90o;MD%KB&tv9{7y<^n{uiiSfKXrKoZ~cuoQD
z->Go|;i0^7yx3W}*3{uYiMZSDA0v;28o(1r)_+s`G*_7wtRa&Nh%3m?%fwur#~LOZ
zx&+$__Lb3vl<C!3MdcBweM5pNs+FkelE<rluci6+FooXm3L!3!7Z37=Q6)i_YrVY>
zbgn{_gn^6hL~*ep8@)_w`i5M=poMm~U@FGvhcQJ|4Kb*>sT4S+GNf9We?umunVg+;
zWaS9XUUf5<foKngP<`1#eriz8ZY@P|z<V-0pkP<0y<q;`LsFCoptSKjZ2J8NDbDVU
z(t41m5HeQ8Q%IO$Ya`YyHtPmeHqngtKkg|qVyN0=4Ag*U=IloFc;&}ppR}T*xy8mw
zz6sn9ZG}kKClxl{AfT~*@GC-Qsj@vSfp;}bw9?&fDGL${kn<?N+Ra(&;ik}x{CDml
zWDBZ<_3~7tH}V<PJAG+}`PE*vkU@+R*om6tk4A@fm${6?nt)uU^qG^z0sNy&v*xa`
zfN9;<(DkU0L;>`nL}H|DX}Kh-SG%WZcG$KdMl?y_6Gx#^g7$QH@3lvyi_jIfQs0(q
z%i+WQE#u04a)8iz%VRurWhou^lns%?N~)R<ogZ+lnyom0kO~~|Mgk5S%cmla4!2b#
z{nV1tomZOzz8bat_5DX4>-982%fq{#FNZ@+DwpGN24Rt59y4J@o5S0Zz@U*tcKqhs
zYEn}8XI|a+(7{&ll<Gp~kxvqnt}uLM5|!bsE6M%3t)kSKt=S_Pi&ogKgmK=fnJVF9
z-RifARbgX?bnrs#H#R!Um%A+#6r6YgQ@OCx)nd?Jhopjf^7ldR(ML`&Kr3UuEok0J
zSm@j<(Q?k|j1g8}oM$`7lGEgpSbMYP6`k26=dtZ7-RrP$;{>U(=448Zf$&GnzS2+K
z%3{#GNjR7hljHlMM!GJy`)KIk=wGe)PWyf7xqr>5tK;_Oocb-rXYRQyLZ~i**j1R!
zT@COQ40%Gzrj)O<ZrjDwWFqF~?&o@P>UkJ7q1-%pnk0HJ-1daIez!&Ms42I>0~oAr
z!hXY3_to(i{s@F*VTNm>kA8!&ujvoX_kfb#T|JAUW(c*@o$P9KXcmILOS};XY<wts
zHw}Og$l=()jb9uP{n*etRQ8iEEUEEe^jN;VF0BW$h3wznb5OqvF&{ji7^AeFlYL;D
z%2I!YSsI))OoX%H61w9xou~AV?51@s<Q~U+l=5l@X(c@CJeuck>{S`U6p#-NHoSkF
z-5}4X%GXHTIM0zy^pxJI=dia%A>LB?OSZ=4mWEMchPQy}WyLLsE&)T_Q(hY@#sL#~
z;!a<yOx<6t&@z6cc4^i<i>G2J<dp|;rj$&vrmqxJfRR)E%)mlZumJ7Bs(}Fc=vLiP
z8GZi`OPIN}L!x0+{Xa3NU2eh0l{>LUebT&Tagb7`DHVTHxDsAGei%m)nUp%LBK*E1
z<WAhjmUP2IqB5Df+!t=dl%{xHmcK~bgD12nazmkdXPdK=44OfJ(P52F1{`X4h~tI+
z=WDIz-1$~RDP@>7rca@>RX*$H4uHk<mkAi|L?E8dyN8ZCXI{%%>_QDEv?Kb++x(<W
zp84cF7WaS)Dn@O}icu6e$7p0lS#Jnz&T_CB46RQP21kJ}VZ3^Ma^LQ>Q^x+Su6aQI
zmME@M{u?j1gOp7R@)aPoc_`km+-xV=%D$bTkUVKIRS->1d#La!FIc_Y(+idmeb)ja
z`UX<TD^(u=rWJr>5g{Qgi;$zKo60{v9?S-+bq(+obYZJmCo>5cv(wnnK!-H>nu*Db
z^(2#qmx~S9g1_){GyzEmFeswue9%=f4X;VxIMSJ6<@2DqxWC|)JTsEhdb43@a?Ns~
zI}Tkta(7s%@<bS*46pG&jo%$IW$e%CMrTQH+E5Ba7qDta_;5!hF{nJX4F!kpJ>FVJ
zxuSbv9ZFf*2wk|DIjvpSY$x4!>>X4&G0}kc>pOEuhf%dyl(?P*hl8Jansls(Q{~-$
z^5EnaE22-`h^!VkpXfK}*;HPCVgNVo>Q5?PzFPqS`~o4$K<7#^Gz3WnuYs*k$h<B~
zfox5ov*{u|5~+*(V^p@nm|>#4{qzsvz{>M5<NC|*4()1Pe;yRNZDDj)_`RmNZrKdV
zq(4P>rKRGb&h6%fTe6N^whL|SWu0)Fban_fN)z1Y^0qq<F{*jA5LRZ!?XO(l97X89
z0!<j7exK!5<G&Wd;(G<zTJM>(U^uxVDhDE)LhEQ}ot}HNbk$7Yi@`b@qbbDE){$v`
zwvgM(8_yLWsZky`6@A%6Apf7d+({bp62KdHX%@ue`W7T~FRhb9_}8t{mxO0=HFjgR
z1sA8|^kMo?IRm&tA1Kx55vSAP(h5fob8Ycx>o=2qS4*5b!s*vaOrE|rwLbhqYP77U
zGy4@l#u0P|l==cD;J%@&PtKk}WAI%Sxh9-SO(D#B#)QJQ_iE?6I&rg=l32bJ%wi`_
zA;M?$JWVW^Dafb4y^Kdu-x-Ens$(#(ik$nIM4Wi1d1F^Fe`mY?mYJkX5@-==OGwID
z{&Hd9b9Zo}9y_pWvf#9J++)ey0TZ!kRRgiOPVKLEY6*|<Z*DD}(~!^94Kv-U6~#jj
z9OQy5{dmJr4p~YW%2KEucV%est>v)f37CAf@#cu^jiGDBYof!BWru+EP&<%@+Rw*q
zSVHZR)jKhA27_T3>V*8b#ljX=^k3rf{>q{(ZEx-8xH2wly+t`YsOVoy<z>9QCTYL5
z8XB77=C@>_->}u+b0LX$;b(-DZ3?oH3%)zaNTIIlDl#~A0)-f|Qfi+$6zP{PTS(V(
zf*HxVZDPXX4o!mFD;0c~Ry;zKQb)}iN1T^`{et?jiL%9rM(Bx1<q1NS6?}B9r0@nY
zJ@UuWr#=Hd2D`~axK`HnW-eezpIfDb2CbAaK8!+c;V^zs>i$*YG=>5AckPKgowP#r
z@bUaf+fU1rRdlaBV6NG`N2I3B-2+)4aT)w@C2eiHHgXQVy-8-0%i6eutI2IDxHJF(
zDxXitIyKR5y+}dh{A;GaL=sm&ka;upCFjWlLwTa-f9OW22?vj$nhZ=fUup2Bo(Qd<
zP98A36ae_Ham%58s9XWz9YjFx>}8X^|KVr;8=;bNk16rWq}do?#h7a_^3lCoO8l@1
zy9Fj7`CfE(st&M}DrxIkpgFKW@K^)vb`;O!Zi!S$mlRKvy!NQ(kO{Z~!&%$Wqw*!}
zp!jl2B|w~br+kI^)rTKvJUJ?T>#XHZb;ib0JD)3O$Z~#hHGWRHrxMb?qCAkD=HIWh
z*_`fjmDM2ceLO;S<`g5VJx$ItaYMdFp_aj?u#}klFPS#<@G-ywuc|eDjpT*-ddmKe
zg!^X1vSQiHkZtj7vqZZfP{gS}p)2l`J@?i|3wcgEkXQ<ifnq%_XKb-)<Fj_dMhaYz
zvO(#nP&b1xZK;jE_E5|m01V<zs89B_>$M~8SRuEg3}12nLm+!^0MLImgYTD+JM=78
zGz(>B6=vZ|=BuY#%`9X~^aSz=gpAD$?K*LGP2tK>ILL8NmUV=g#Y0iAe8L@4hB!N<
z5_6%Lkgv=IA(2YQ6Sh|fwWt%Szg{s5>{UUaiH=x(Gt$)El=G|KbW|?|uc)i3+}-j{
z-+am9Bu%^!KeX#d1D?%W`0eDTDMs_n4LsHXKU%Q|YkN?FFasbZ`3ViDh1s>p!>S*J
zZ)Dq?Y~ldedG?kA=cJ-gkDSSa6IX7QYnDczwGo9oaX|#q<UC|kCpy4U=1r*dMPM=P
z@}gPDQTkFkFc208(yzMKZZ6j!NDFRLVra=A%#|0yIB+cq^2e<8Z)zUj{Z#iC4tK72
z#D^t|d4I9Hj_A_`C6uR}M4+~1Jbz@px%EnyYu44ts~N1EEbf*voFzd$8?`S%YJSg8
zeRP{x-nEY$W_YITQGA8x2lRM?x?p{7w~EEY!iFhvV9qa);8{g;Blr+Vs}O)T3ntQ+
zixm3*l#E4DAuMy`JZnpQ-{J~^B)r-B=gN@m<Bm(ave_SdkLtY@N!46&SVL_~!EOd=
zj2YWCWT2dxPNf)q(OG!7<Tlmy{X#%~gSM9h5}alwYX<$(Vb~GH*_=TqrBt7IVN|Dj
z((it+tnyJkwhOYUcBE^ZOB)-0l^aQwh~N_QU)8sa*mf18KOV2K11=RIBOTQn<)wP5
zPtjVP#OgNb{4y}3KyFd&p8sgt=xk*cx%H-5lO;_~RZ0d2Uz#A6N<w$^;*Hscduc)u
zrTZ-r9I$q?!l%{aA=qoLl%-{?4BCY2b8+a3)Y893`Gab|-Z2{$YOh&&Y^`0rCMi=N
zIBh{MKk43`lKU?8AD*xKdk*&^YB^=;HMc4vJB;wjO|SDN7s*r#(Kj>Jc_goJF0Pf!
zx)CgtjIGKz*R%i*HwJ4PtL0Y28t1;W-)rw^Y529Ur(_oRc@hVc%-we0bQ?Z(dD8H6
zh3v9+<@~C+zwqW^wm=8M{n?t6qW^f49(}yH7m!4gHe+CI+1OVb7OYn{9_OGkg5UOQ
zQnO!FYo?kvpnO&C1P@zGImzM<v=1!lejkX*?K;ClxPnZRgfGS`(H_XFrHl)e!~?z>
z|B8YodADl0U;q!--$}a4o6M_}c8EG?bE7;xx&~eB>{4bx`~>i=gvwS|O2{h7u;07A
z%7@hFMi$U^-bI4|?BjtwhKlALor~<H@yDjlXmz_g#2O83R8<r}z&TJWDbP8)00t;k
zk0phl14y<YJwS6U>0jpezWYXpEXdrOi|gi|oP!BLfRU98W;Q4bXzk32WAR{0VsX%T
zd6%h$mFJCbUjGix3davZIlY7~NAau_nD<#;5yQRa4BG}slv(6hyzkX())_Y4ToC#2
zTu^GYOBOWTxbOkzd$*U*v&<VGI<|`xf06>ETi?8bBy&@+XvMR;2DzPF|Gwfd^N6UU
zLBeaQpu3Bez#G*F*=ZxifukA#QTm)cHZLVS!g=9|LGAcW({;^0ox=LIt6{KAJ#&bc
zB)bbt2Q}Q;ukl;a2p}S;p7r;N@?i%zqXJmxj|-0+<~M(XrA3@ALuU!fN^GkyikICI
z8(1mvxCB3zIFm*@uREY95z1^37A`y+<k*a<!L*vje|k6Cl_o%*^RZk5{L;w4=Zm`r
zt{oNC;|BiQWRDi9g(Pa^_Q|2QS}{FHE4M>Dk)Q0;`-lZ6sZFHKr0O$Hg(Ko#Dw)%k
zNCuXCM+*;kHl_D!pGed*GVJ8yF2cX0d{U<7!2vmlfzgg1-|f%euRj1(MWWfgXN>7d
zs@TFv<gH$Ga-S{lW<@pB59Lo2^E>4LDw!%Z_6!7kY-CCXKJw1b$`}W(!B^j1SK<kh
zkO57l8aGFAD@<!Yg#u_a=%vb$_T#-?P#8S{rX5awMIYIXBkh>yK0ZA8EmB0DziB{_
zSWawNVqbcD(KB*inP>kQ%kIbb-kerSOuCoZ<qY_cGLGTm-z+6{Fy2=CNYWGy9q@8a
zM#r!v*Gr>c2)#x##;_TTUw~Q;r19?^79Ss;dJmqeE_g@ry9wP2h*ao@mrLK}h>$HV
z5T^;s@A%-2HVR3~Mb@&Z8ROm$C!rD*@`f5yxtT)mef0a~p-T?M=z$;DY^|q)Xka}3
z1{+oVM^ppfrC;=RiwA}Gh75ekQYXPzPIII)Y3BGTvkK7y!(7Dc98nTdJD*<a@xm4m
z5y!c#+%Y(Uh|j5LN}x?UIt<DW0P8PS_>O7*tNfjO{p^u}93xT5@7mq=HT(xbTm}Jj
zsq2)|>s#!{BSGwDz}-3He`E&77rfdjiEusqAsptkoXm2*P-=$n3s^GLt}dR~|8r7t
zcgh9|+I`Q%39_l569H%jWlE;&!IWeyaubt8A0cJ4RS%99o_4n4bQrBzHtZA(R7415
z3%zyn$nXuvFEKscWpa|rWepW|Cwr91jji!S3~#37zdxYl5KtyB!8bKy1USycOP!8e
z`V5H*coBwrUf!*roAe=DGbsd|MtWOx`{0ACsWV39Mj(yww8RG#Px|EIo9G_Dik>U-
zDiY}$Km_rQ{x*W%*EK62?>nm8U!R*q0}SiXTUy{AW+jHBL{|x8dr5es{IdwW{E<Zq
z0Q7%6^)b#T{t<{Fm^N(nUi5Zxf#|bpP^yrc`~A*`-D$UWFxJMkf4_@(@WuXm-6)}j
z6Uuv<ROXt~`|YpELPvT_Vd06KdL2m`E2>p>21Ujwc=xsgn_Ni*>Q=Ux;+m@U?G%vV
z_c3C|(VqJ)o>K7{B=pRLW!y!HM5<S7O#`4a?51b@?M93L$S1GgUpNG)toj`_1Fvcg
za2%&`<Z2r>mAKK2=+S}IK897?YXrhUg0I@rz4gg8zEvq-=*O|pz)t~O5HC!UJVrR`
zm__T`KB7wns?hAu3W4T)GRol)uHWPLAprQf_Q%umnwE}KzHIZMz%;h32Eat^Hao>W
zVb2i-AEl}dLu*0hp+*a`+v3OxbZ6w{MfpU)*B!_&_0;L7UQ^})?dhXnS+boS;$f@o
zeO;O)sj2cehiGuIUrx1!eX$hH%)2!I>m<S^7m?pFgV)Q*)e&nIq~{*PUAXQ@N*8sN
z3xjrdym~Mp)knSUOdc<njCyJ7b9~3nb#C&XH5Rz3@9Fh~VH1?}h>n+pZ&F;VV)EJj
zDHr5ou^zAr6hX$M@OY6eiqMJ3$Vp(B5MS@N>i>Qz57%8n)X<98a^@hllJw&Bdkn&j
zUGM!~N6f4q;<zmDsdXVN;AjfXmIH8!UU<hPg+rZla%)5xNxd;j(kS%DtH+1NUQLyI
zAHQ$$I(Q8rk)M08Gi+}3YWI4<X6|sO(wds9M7SXM2Mxb<;JmNXB?v7Z?tT~Wq*0lD
z8UlTu7=}uM#Enf=hD)iGx0QGhnG`VkS`NjFXsTE?H#7!UNK}hT>Kw25QGkmNC~drB
zdm11{>VL1S12hjpQjS&?B3qwoTH7p~<RyS5A$J@b?v;m0Lvy>&=le-y9>ZBawlDHI
z@G9K(S$ym1#ct`916+wczQq<$J+w@09bYl}Wn0;zF8OM3%rih)Q;m#4{-db?ejex8
zM`s}2XA?}3<E3{-AVT5LRT=Bh|7ig#PA-adv4<@#d<oWs;K~Qx9a3#V%oP*6&uYtx
z*q>lL(prDsx@3FT^<G~zKEwBwGK{2-qDRvzn$KVK0x3<T#d_o|bN@zi83q1m(N`|u
zZ$#W!OiVPU4-5hKjVQ)B98Q(WcRYSdMWUy9Tgu=OI?)OlDxQM9OZH-q%x<s%XQMwP
zmV}Xk3K7-!F5_wUHfN6VMTwN~x#6+nX6{46j3Az<qzAx0l4)l~aK=3&!UwkF0{@od
zcOD7=PZc!n_^2)$qpoQPp*nLLVq8-odx3y=NlIAZ)6g>h>|dSL_H-C7jwluH-~Ms{
zHf?+UDdDV%?TBihE!KF8&aDuP@qY>A1z6^9^FlyMxHEqiI=8RgS)$R!?we#rbNq5x
zykd%xsp)BNgZO3U%okcO@b_2`UZL|ohL`cBP_<<{eJviRXGt)qDEL4#aD2ypdwhV3
zI&oh-p`f5#wH4gf;miDjGs=iPqlGy=J)34!YM3jX79dyR7@*diZMJ-194@@v{f;~x
zoHkP%D4XN-RJ*Crc>D{1gRlO+Cj*`edf=5WC*4bB+H6Ait<Y1XY9ygrx``pYaV#<v
zSdawAOX7_DP=rw9!WyxkIdPb<yleEvg6W@+^bmkuMe?^#{jtbpF$_XZnW~1n_&qZv
zPYejhL&daw@ph0tzZT!jGj@d~U=jxx1W-oVe*s*diPI&{g(JG;3<s->YcceG?W4v~
zq9t+m7{o+QFR%ye?CKo<KfBhQY-YJ*PQ@37RkuKsGPKmN*gyf@v9;(Nwf4<`<%$;)
zfoUZk@xcCyicWnfrz)mv(Wni1H3g|cB^%}WzOq`hpM4ws_!y4610T2%50=)&VUW-r
z0ZXbIz~7tv31X#sQ;N4H%^1)gq8-r0yWN&D+&y&yJ=49Qou{aTD<g!V%JyWfz1bpB
z$Xm!akV5btaI^MEcsX$ATTi2UNfyNHf>bm)eY$7H@jVoJywxR7DwBE~pX&&lyj5L#
zIKXz6`LRRb=y2!Nu^!VtV?)rj*^)_m=G(1WK1_TOz+0XDGpHGCjiIj<3H~3a)?;e(
z{BKvb{AUA#{Lwx0@CPF&m`2Jnx*}+*L~*sS&mFI5xoqFuWYN;{h*Ro<SG1aMj;ISP
z2rYjFCYcu!_KJNi8DE7YQdD16l;AsVJ3sPC?Q}*r_KmJ1P35(mrAaF-z9%7gUdyT`
zyvKS6TMfE`=4TN`?Vptv_{W;6pE~^afi-U@M~-|Jey+0c*|0p6DoLKyyX>QHYU${o
z$rBxL!o4rOP~+;kOP>MUqGi1!`h4*xV_^N5<svui{5AY(sjAZuWnx7H3Lg#ostl9B
z0w0aBsA@U|aVEGwKel_s_z30y4p$uSEs!|52W|%I1NJ5~yoMx|%oYic+(K0K>mR)w
z+)AOSD~WnZV(;3MMjZ7N5q)Z$c3WzD+2K0)V?v|^1N7>32bL)cLZpi&wq8xDbdmcB
z?bmptF1;s=%7<1r`$vL#e`v=6C@?$%Ki1b}UdPW4BBcVI3-g))!xr6vAWvm%rg&`@
zdbybRjW$MS3j3~nhI!gzV=C-O-+d(SOrUBoXCT5{rqBaFZUAz;Tl0m{-trNDRTQeZ
zeOg)(qE%hDhuDoz=1x`+tZl0p$Sx$%iMc`2%)b<hYk&ePg+3<20I>DEKzhSj>(r3t
zX=@xnht%ZKhc+e@7yw=3+aJQ3#^nR(y}{(zO@J<Z#sDH6(nFf_rFpjjkas!FmjJeK
z^&QVv_P*c<%nQ@WJua6F`Tx;Qr=YHrEv9B<uPt!KS7&U`!xfjGC-b{5YZ?_|;)C+i
z2E2l*BaFchtg`o!QHG%9*l26|Df+qccfJ;$iKDr`hqxdhQpHM3o3Y~Nfc+MTG<RGl
zYd+np<-@xknp+j~ON6={2*70_hf|FKl9sfs!3PmdW3Kr$GVEWr^-a35vJMVzZ!x|<
zWlMgvOzf%UCyiRoLjawXAf<*yze)ml1;g!i_jInrwbk|@W!h8{L7xTSF;sxDt!J(f
zYQ(Lohew#hvB9c;0bG|*qaRqbRo!AlmjrI)*C)2n*D*>H!3^uI<)ObQq?)-xckgLt
zs=b;ZZIstP{rNaZhYtlq^g2@>ALM;?qBnG#IWq}T-(-ra^CUJ;s{VTWl#<D}`Ne0h
zauVy$vo_~bhf~An1_Oix{pWfQ(ft>BJXUSuHM6okls|Y?Wr(N8zrAV*1e(n?gaGS0
zyZX;x*W9-&zgY4g0$NBZFj@1a7E1vh5I6K5g4MazH<N8X^<wb3Yp7w6tV1I(E3oNR
zB}~UvC;<z>;%49q%XYBn^Tcww1?75f6RvZTxfX+y<mxbL+`QT)(vJoi9&#FJ^@Ded
zxiX*>KbqM-=fBOu`U7m5&23!JHjA<6;Dv+`e?UpHLqx5RCP9BK9WBw^q3pqIN@Jf!
z7ypm=XQ+h+&oiINggE-Zw)!_$2!;_nD=(O52_LkGO*N}r%|$`<9gSVbg2fEcS$VR0
zsZoGIXVE2imgoGjJEHB((Z6)(o2#sp1z$I0SxWY7#ej71vV=8H=*lplu$v|ISTzmt
zg?v6wb+%qzFW*s|0ceji6QO39WxTcZ!7xabH1|`Gg05wb$IY}@3zT{3rz<af@LA5c
z4z{$n^R3<7wzF)a&3mryh~N_;>vf?qZ7MqimjY?wdB@Y&GXIG8P=~!pdV1RPV6uf!
zx=U)uVtK#3I%#%!Ww_0^yivSoDQUb_LoRytk9P1BQ?po05fS}U_PO3S=*&HzG|S?c
zvhpm*d7Y~8(oTk#Yf|U(iA}t52q1J=RhhlgGJ@Dz!l<+~#(8>gtxe+4q>VEGOkb@-
z+}@m5aQX!-cZ{3!YY*0;{OD^(Y9lAEV$_gYc3bNUv7zxN6n}h=vt1(?ZhI4#3%9+P
zz?RgFc}b5G!F8iL=C_fDQvgCkBq}!)P;+;b)@&qRjfQQ+qocPr$7Mp)Xuld2csEsK
zwyWkt*lw*>wOiwKR5u=s3O_RcWBfzehZb`)KIAs5F-@dSJoMGoWVOXlt2k$CR=>E+
z(V*d@)~RaC?c1`_fnzE|m^uGiRyJT?liX~wS4Z<M|7ePd3I6%#cEVgmJ3TYh9pDsZ
zLq9$SL|_}H{nJH(*)}n1PN~llM+1Ik@}eMH{mqQT;s6A4#)g;VcYrN!_ZVSz4%mk$
zzPJx|^W_1dxlddCqzaw*XM-bpW2wmj$@o7r*PWLkz*qfnt?F&}uWqDj&RQAw<>IXz
z8?4nzAp*<13i`0P2FzHup;b+j{Ha@$p<AM~kt71|wMA#^O)qF|2>RjEp_K~%EP#$o
z6t`d4pkA5hB8w<7eq;`%Y|ZVL(U%GOG=vr9ThHoff+_|NXSHXmZ!e`7SOF5GXm_7X
zAIjubu#<XD?Jx2`jAnOWjIx(dmXo!4$d33_hwC10YfNW!1o%r<iYSi9f6y~%CU8ha
zm^Mvc<qF;oYf=XUx56@*4`2D&5WQm4({Pz!Pvpjsnw!r|3UFq``OQ_n$a0zONnJq%
zwl?HfCLgwnwh41gC#~x7t$$}ZKk)vC$@1giVNLMV;<Jp_+NCQppBe_PTlNTk>KW7n
z3zC9!0?Sf`<Wrv8j$UA&|0U(S7fe1^{Fts)u&?w9ZodfwiqTDI&rs-e{8H%_nG0VH
z2nK~wztLHv=?ZMa2^J+g(w%<)AA4By=&iZ6b_qRP>NslEx&{21*XP?~<C8)nq+^C*
z)E#}$CONXH>bs^QJP!3NW>Xo+uDaI0+GVoOl77wu)F1NUsjbFnboP>rqB_lwFc90a
z`AcVr&t5(9Ka#bv;t)gz=BV_Ci<=FFZdcc5g6D$`i9MisCC?2+==KvP-G&YX+?NQP
z8Q)4?M@c5#+Xwjxh)!OgpEno=Iv3^|eMeJfmDe}6w|+&mj<90YiO>JL8|r_%fsGC&
z$R9_`Yd2ph-6-;<dQ6)jwIE{_1?Q;by@kec3cZO*e{{z`hOUQHI|kSeXR)Vg2|b>)
zA>NTXTMifa5Z7CJQ{TVnxeQyjr1RoTmRoFjq_D3BvTQSTXlsSQ81!!EnSECNpgw#-
zF|X@=6K`PWi<hz6tD)QeMB3~&U!Xm&yZIfSDdP9A>(_-{CH7s;$<c&b+}I;3a`5z-
zrq}1roUu>UdPtAD+9r79oV7`3j^Yy$F^I$I+u@Dcy1eY=4R0R_Wqf?vOIu-e&A}pk
zyRGu`R@7KGt=CnynI!w3qTzg^PJ0v7d8n4P`I1_To-1E!YY1cuT>w)j)wZ88ziOn%
z#UPi?i@MgX<Bcir+JjccRxiNICozFOahk08+99DA;^~<x^T=4;<Jpw^&>zn|kc0fO
z22DXf9aiN}LFNP7t0vFzv@58x-cR~5+>~bLu`)_Q6dlL{xq;ZO%1V{S8cu02Zfwnp
zN>E+h0|(}$PC*c^N>IJpqMG$7pULB1KUmvHCnBIQQ}x|kb`P*oUilDu%W!kLR&PG2
zX@KY)0h-^>kg(p;qhbmbSrKlZJm)8<kd&kc27i9rrDuvtxV{yVoDNG%PaxSg#{=q~
zX|nTA?uhH+b<G^Q{Ysr-C|@adIg~vNOqD2<_PQc~(t`-ET1eo=v<#QAAaQQqE``!R
z7XQH9nU=uF*}f^?&kl%`SpAJhG~*1AbibOFJK<hwhj2AId2}_MwH<VKIUEwDRwv$b
zx&J|viZ3Z>CCm_e5cKnL!xc8=UstRO`P0}%6gB{^&46$1#{%QCOeiAnk)L$VCR-CP
zY7W?x?HhX5zjDAWt#d63AiF^K=a);#fl_N!Va9%$0GPjSn6We_n8_NNt~fi)e4IIi
z#{B%%)apEX7`G8d+++*5*CUT>8-F;dGFxs86a&Jop3Px4Mz2lGbP=Mine%4*Y`Mqc
zK8$E8X04!}(rmp6Re(V1qhQ`C?iknt1)T+u+j$I2Kwxya<8P<=T}1CbgMvl%7b<iJ
z)8CRWb$P@`{wT=ZfC;6!RNQsTACG4CD3prtHDWjHdlq0rPIXyNGsu_FvcZ21jW;sm
z{sL)CDL2SZ8TVmEx-H66-D))L83=Mv!&G0r;F6AFYbk1J9t3RhrX~W-x>auoYqkmp
z+@L$2bTmnC`D4UP&*2O-iP^yD(y6{=`Ld{M3>(Eb53D`Ur{oT;L6AeN7)a%TI8H4?
z#1s|yCpCQ3&*nHasp4ns5FHXg^>6BgUYuQe6ih@Ktv7ob)r+^g^FO0rX$lb|4M)4{
zVSf~IYM1|A?)ouX|6-^+X(HL#D8%DV+t`<4OFmx$uqr&E<Yk2)D?!=w$eOi`N5lDE
za^vElrpW|O>wB*!i+LBEkE&@(uvu~fmT13DRQ0<VJZ60QCg<VHRgu^=ZM%*#A9~~X
z>Pd){XhvbQru_KrZ&v;^yizi@(7(288nzwoGZ@j03r`E4;Bt)M@$)!8p{!9!za3Jj
zx|-_48j#67!K%O7t{01#S$D|XuKqR2uv4fq2TmXs;*OXeP-#Y`|4bT+Qae4i34D3>
zlJVw>QT44z=9Hi{)!+gDGt}jlQ>M7k`6~V%wa}if=y!Ym4hg%}?em)WwEwK-w?q+s
zieqZ@iqTZoWc>EG$C5~qbyl?5QE_5>jJZXc0;Hx%LfB-QoD$0SZhTptV7ENw>*!Vl
z+)OY`<+;b7P`rG~0NbE_^UKxnct3mU{Q7fA!`E>}J(G&v0~5&xfW8LS<Iz_NS9tEy
zVl&QthrIeB6g`oIZ3-M(j`8`phlP`>=*>`>uiY3A&EC<IGNP=NOHxuokd|8@9UIWJ
zQaf0OccG=cDR^E5{|(R~fB;D?(jTq1+G-4$D`I?kXDP;V)ge`$2gB@B7oHY9_v5v%
z-CUWa!^DP##NE~od)jaRWHzh%<XQ2C0?~l)fu)>K{5j0XNZ*vCjn4VcV>EGadfwgI
z9|CXv`rv4$f3Z?&$Sa3EyIOLeacR>c%f7hY;8j{KLvHlV`%@6pLx~$tT9Zn}-C$B#
z{2lro?3oFbYBm8y*mmGrP?2k?UQaoP$0D<X+!Oju`&TJ@U0N(`4;6ZpI(ow}*sslC
zT-iZgzG|-apCZ9knhN7`#59S9s-^?Wv+n8rXNtS`mz9OB6-yMo=APPNHrKy-Hf34R
z7lC{6YJEm@8EY~DcUG%TA8ofEW8u;<(pwD;G}c<A%UZL`qVn`i8TC`Fn(bm>$oilk
zfn=pTFRHGK29!m>|IzhYi}YH<->wtKv3NFKHyL!NrC%Z-XOpGJ4U2(8GKLL}qqjwP
z7C(skP;?dNh|^ZoXJ@VCaw8JqorK!u<q`sB>+f)*2TJ(8Q&*leDMk#}N9gVLcp(s`
z8WA^ugh!~>J{(%IHA(O4Wi64q(_VI2i{BRI&h$Ty8@zLx)~O&RQW_>}F5}Z0W5of%
z9)FpYR1=XvRBO8GR`syqMM9>P+m|0App@<P;%z<m(55Pi_|UHj&Gj$K@KtCM%<ESa
z5!Z$&-e3}9dAApQ`d4x3FO!aj*G_yf16tgm;0JD-(2|isW{F{tz~=XZ>Z#9jgFvy%
zi|865(9FAokmSkJ)u}I56KaFJkib;NXd8ZT5Ok?<qoc)Vu!K)PHu!7iBpyLuvVILw
zWsuW8x5$EFN+VNubuPSVQ=Kko4rI*{+>uQdv3jdC@8UVq(XCBU8dZ7`j4_(*vTR}b
z<E-ZT@ha01_F3wzG6wUr0^f4C5A&efYs}V5oNt`fx-SrOIGY%dbedly8^thW1K4pX
zxqw+I$7O4zFED+gECwH@)@#fB9mnt8cj#7vaa+#4nxHk2_ao0NGSEh%0^+e#*oN`d
zGUNAb7pXU7V0zHPTCs=!kFf8Kr@HU|FD)vS5myv-jN=d*c2;t5jvO2!>u8X1tn5Qb
zk-g42$mZnOBgZ*}gQ8(1IaYRL9YPL~{rl+my&sROuI}spyN5pKGv2TH9L;81AMvuf
z51`x7NwL|v%k}v{b-WU<jyqa1+Pxl8;tOhN$+ErcVVW@qj<Lyjo_O0tAioy|)PNSL
zbqmX#x(jj(wX4I=h^S*}CS2fpfCfS<t{l8H<ll__pixO>_?e^@p=uT8UVO>WfvUyN
z@3c9WOdsByd)~O>q?4OaX5%P;uKRLkK`wqw7F~aBzI~_B8@Oj;)NP4tlkG~s+}B^s
z;|s=XzDC>I$@MmiJcyUR@H9`}IG1pZ$e?I4KfAc0X<AfM_@&Nu_Ha<G=>{E?y5DNM
zGJz)-s>|777~vjnFNIkWX@ddCU76fbJl|~*Y>O}Q3>%_YGk*}lcelP>c_Xs(T<x!2
z$B9p`S-vTuQ}=yVA|iY$UP;DP=B=?wZt1KNhcsskK<5O9H4cqWe{b?5%KI+mTj%#-
zbU~>_fxs9qwpj)J*^_<v5$GoNn5;9>%?(#DQyn#Tg&k3?a^|3M!BlqRXRFjr$=#m-
zXmTEd`20Ns0gI-O8hb{&-sbnTa3EwZ5CucXDc`8Ukqh!Ccw;ZCD|YvQdy8!gh&>p!
z*7Z!<Cj&Nw%-5DjjE9vHMLmcZp@<oQ6jLj#@>w4P3Z4`a3cTD86pN|H&!aes|9(V)
z0+`JH+1E%c-}Q=FBdmta>{)XQZ`y$zzen-XW3mKySzSd+$%lJh&?K~s8l+VGFi*IZ
zK`9SHp7^14wev{1tA=h9;>F2Oazv(2%IB+S*huSL4Ba)Ztn2Nu(Jn8|t(6BSq8sB-
zzg?7hZ=Fq)8yA%@T4e*64d~IvV3%Hj0-p(F7NHl{9pZKSCvLJ=%o_@(tY<U%@a0MY
zpPqqZO2c%nxqD64ib2FJ8t)`aX%n^iYThZiBcCSqkd67Cho4wZJ$8}1GXI-N!DqJ5
zzCChN4P30f>~DP@i!|hN9Tm8f&*gsE3hIgI-ALICs-^Rp?Z-_aOocw-TjL0$eq1-g
zmD$$}X4?@m>lPtt@#~yRBFL6<uPVuf=XiBaHUuTjq2|M(+q_`YUlFS(Y=vH~78xNY
zJSl`x1vw&~-59RVF)H{$Q1pkA6*O+@<K2FL%C)jbZTAu}*kY)v2OB~^OT<}C=6vCe
z3($|@qsDG-LykQ!>GJCAFy}iFXUnr}8CM$Yn(k)=9On=E;*!n%+k8Up;eyGR)L;=J
zf~q!`ze=gr(0`3j_Y)+o7kzZQ;y2&xD8Mq&CcmuY2TCRIz-buBM6pc1h;^x8;_?gB
z{GI&+ykevX=G?4zZtKd*%<o3Eeu*o<aQy`0OFDo?p|9)2>4gjGkAoc!CMF(EG&bV6
zN%E1D(-bt(R*^9%g33|UWpvD=n89K;Uss^=4}92)8}hp<!8ug2g5&|+hF&T6Bm+*S
zdsEKWI^1oCUTFGs&ajS>?dD_)f2Fr^rSBOje|!5Yu?yI;ap|DMZQIc|lMK+EBogwV
zsbOz(^el!`oUDEeW9Lhe|4@vo^+~gta4$$UJ`QUo0_^EGG2lolt4Nqc9JJaA2aa9-
zv~JUP+Anr_Yt06b+0)FMQ{WGBOtn4mOF~!8j0di33X31;V+OYeT4`b}LALHGA`ihW
z*|cLq?DBq~u&*;z`F<H94Nk<YvgsP==8Hk)>3U+i7cl4U4k!2!AcwheO~M!LjkKCQ
z`n*dsHc^J&gE`FMN%(*zZ*{q-r9<xzjmn*-ANX}_{qV%@M{4uRe}TI))9=y#3H4W(
ziH}C(5<_2q_;>?~ddvGRrxVJg^B{7rMrcm*JdabveKh@9@O!-zE6QSJR*W8y1`Vbu
zZ*s!3PUh=%O}Rc7IZ*1`zT5xxg$A0!)4re3-;W2Ukq4T3zqj6dM9)kyG0vM}w=TA$
z8x|Zo$x@i?Ztnvha)+DdrVHyvqoW+cZ$Uku<0C};=y*9@5QRq$Ide~`<@*L3!b5}n
ze^}1{#L<r-z|&m+7(Sq(o8MWYdL#)M8xen@|Au#;ar(w|QR|?&1i$j4Br)FfTy}XC
zT;I^>Quk}q*Js&v4Im!kX4c^OZq0)42H5LNJvgXLdq+=FINy!w31!np?o(HgGxjxo
zo@vJ$WDw-vWb!`3ffG@j-7*In&0b)fezYP$85^Y~#>>Q|JoT_nKh1a$5!E7kU}-t6
z^VX=~zP=L|O6v^lkVZG-kET!@^>4eec5qnv6`h87_{HEy(vLUXm!lo|d#wzFvva^H
zzyIM87lQH`FOo?VOeH;j-l0QrC-=l-n8ZeSp$I5@TXgP%B=kB)QMk^wEm>M#13hzt
znssD0S!L}UA%FkNLb}zgRQEA8m|}cS(FSmO_?BF+{P*|OZ!lBzfDH`V@sWOR{RE|_
z!wDS^OQXTHlWvPQ<a<O*YjWmv?H+}pzeu({%J!60#U`Sme2RZ!Kqa)CEZ3^y3&CV}
zMJ<Iyy6}Vu{GRSq<)VBKQi1k{d4=w7df0B!aEYT|^X659@U!+7`SH3wPI0<%@+J^2
z*rlPEDVNFO)(DqyE~{4+5>)3J(_{;XF3pU*YN%A2m%z=W8Duarv@{@)`u5M!BoGNt
zi{v~xQgH{~{+>f#*2><(5YgnDoG$C!p3<e>gU7c3tDv@}ukpow_yMwpEC%9|{u;Z6
zmqEnLLWSv7m7EI<LF0LVXZwNwQiI*;=;dGW#HxEnrRGnCf>K}WOrPbF#EP^F+v5gi
zc@Sfl6i-=~vKB9OVG&@r@VB9~?VtySW47ro?AIom`3J(d#k)w|#8eeshi2b9JBnq*
zV0>lO3ZEnq!GF|OX&)fb{ne?KwITmQDA(W16yV!m2hOk&zv=yfX^02NdK@8nN2@hE
zF9GM&iHz_`xIveyQsiF{a&(}d8|aCcVLXZ@tRd2oUVeu9GH$bCdA^unTE|~w%}=l<
zixU>TM><j#nn7#`&yqWTT^0$Ppfva9jY_rZ*Kec#_>BbZhD`Y*MBoh`(7zY&$wD-g
zUKHzh^JZ#2I7C*Lhw2-5)S61swQ?^Kl9!{e2jQCd;-na*>6yk-tu>_;6Z&KWd^%U}
zo&R6~dUB=&{brTP-lWWDZIwn6hrt33`4uUSy=!M3zNm}+mW7J<|48qK7Ys`Hz%2|X
z-?{O~gu`O;pwY&S&0;(yLm?{?#bP~oXD(?eywN@M#e1t?8PN2vde%HR0r6OWOJgeH
zw6`eg{h;<e2&aAylXIb;vu2GrqCM(>`JfI=2^xDxTK^?(o+}v5hQ{cql(TETj_}|{
zb;YJp5-obz`#8TFxPdy%1?W<2T5fI@!sf78x^fOE)wH6e2V;NoM#TaWkE7i45zrok
zXF~HIdOj1ETJQq?9RaOn<q!I|peCJ4ej3*#Xy%_s$%*p-D_kjb9@lg1PB)+nPzW0W
zF&x$LoA_$TK55zB8^$q$F*YQ7wLHNTcYlJzz3ocQXrmcPcxz#BUSHSMwKJoJS6cqZ
zlP$p`6Bo$eQxspZH~-b{==~_)@J^mbJc=ic8$#R)oeH471W7*3<)Q;ZNX<{eOk!mm
zib@?AR&mTZS(n5vh09o!EDK%<GMHuK>xn+zaC`8@kzaF=s`}4LA_`z>#cBDdOSYAC
zq2{AV)$7@X7_k^a9ta+{6SlshZssrf{#Gj+!biX3?xy0RlvJ7o_U1JtUD1Rn+aWOw
zFV=ExHV3}d5BwMYtzb#W?Sftv)wi%!x_oA0{3NR+EajZoGAQkJnmVm1`mR8-eaH1-
z9$_{_zXR-@Ofu{&E1Qlu#L-hRP2d!9t<P6Vu<9N_^xP0emor7+tIxgj-B$Wzxp_AA
zt<paIj&EOCK*pJGbhhQ;H8@ZGW$bqj@jJN{K9bh$;W^meFe{vvP;CzOd<rwT%p=7y
zp)h)*v)5HqJGKAL_v{jWn{rsO2(PQ~!)F9@TE_dU&JK8naZ6QKNMpsd{~Z&|()z5>
zd>B6UE0ImwTD)h50KGTxv#;l$xl<D2eTOyLl~zZIdwg7rzQkI0JOOu8B2{iQ!U(DE
zrfI<`0hQ9Y^{)Ge-8LBG-L2se=ex@fo<))L5i8%O{fix1R<X!l*T@;iA7_g$6At{E
zsREUE4`zswg&fd~MVBnthM`*cphr&6$~uUqk-Pn&Du%^EH`?7qdfIQk!Y{-fy_EK5
zvLm0^4ec<Y^%@4@4!t~9&{$(y(Zg|_Pp;H5WokM}u2#OnvbGPUkZB_{xA$B_zIEd4
zzg|4WCH!?nVqiBY*gf+)m(tqFwc~z{(=F=k(BnF|i)8N^v6Ld&ut|jlh(`yLBj4?e
zyc`#oli}8H;?8GMLaT<PByGwBvkB7@pwuUPOZ1H&XHWk#ft_G_(9Sb;-di^xmtK2a
zBu)MX<EW=6N;Nu>Hn|qn6W`x|T?U@NkecmhcsL)=m^z$GQ&YUyRsD^fj2y=|ofWSF
z;r@ae#@owbdb9aKsq0^z1{406{DV4Q*qki@9Mhc1ogXiYz_^`rZbxOaO2@CS7!%my
zPcnvkT_NEO_HB1&Zx)-B3yZKRD_LK;nNO%1G?B94C8RiH;}1G#Ai*67qRuL)48C%)
zS{Mx^;D1fcxm_kz<MM1`X#`bn3yHjORmI+mt#GvTQ&8Z&;G2R3du1XALY&d`=xh13
zmSW%PMh+dLkI=VI2fwnvCo%HaWv0CIJ^<4AXYskG!EW%fUW5xtIqQuO`TfTPCdO$P
zgdM{346yxKD3s5#O_x5VBb`dk%Tl~r+K*wex0)sB6%QtgTR92g-ajMj1safoO+D?N
zcDdNEUCyrrR6kF3F#Q%?_<{E`b4|>Nx7($~Nmb?H_0<yxUV4+jmGRTyt)Lf!mUtZ*
z!IOwd<H9fFZMEvOS;;#Wzt?4V^%=_4$mt%YI61-&LiKeRbq*R*MuOpr=Y&s=*1kJA
zvoEt3P~4uCNE}$aDtAot_g4BW@cm1FF!_d@A){>}r%?sG;?d`@#uaBPLq)`6pA>b?
z8n1FdWuW=qepAw6F6^V&o#JMpE$`YMsM*EwA)A3|9)!`^zG+e2>n0I5ea6lJwH7#p
z^5wD1U$XPRRh}n)wwgB2@JJg0oO-qQDNAwbREIs0@mI#Ker=(urqgE7!y2c<CA7x@
z_IJ4AUZe1YWM*)hr_m+1FAh`R^Ic`E5wEe=O&fa}ns6|#=w%_^g236vtdUB`P!}GX
zcWeLl;X^zW0FonZjH9SMw$CKs91VUX6&XH!zHph;OLh>oj%N*{(wNW%PjIXYB)Stt
z4av4&a;{kBeyu*~6vbDHtR;e3!_(@OR58O{F3A(NmI0D~4B*VU_uC(GA&fR}_E{a!
z(Y_ZS#g4s5z8hv9{QVp;-dEpP-`6;E!gOfnpb}UTU2JruMJK<Ug9h>B3YB)FIA)M6
zfK<F!!uc9{t84Nm)^I)9B4wT%7#MJmtuW^<-lTE-7Q?RpOiYjSfM4!YMz`s)?s{~K
zx~y2sr2Fj?GqLC7KpmArULF#CL&fN@<eFa1H+2Myq2V3sY+8M)XqN9A`g;qJh`a9M
z><ET3#H09K)gX`o|9e><<<e5?lW!|zXW)7SD49rVK1U@#f?F8&Y*4kgM|fI#;oGlk
zjGwA6xf?J6^-KDB(gJ2uynmQ$?Tce5)mZeK<EX8?H8jCE17iQhQMkb_Rpr(ni?-d)
zI#8q`f1#5OI)0~>8(J<2<!DQCuT<Wzc=blh3dzs611XdtuzEb&g?85d$oEWNJNF7*
zF)ZA*wXmKO>JZO3I%f`yBZeGnqFwC&ds+5@1HoZO%Hq`99>SeB748;9wB1+l(7I-1
zw*?=;S7Qa2K;_G)!KYn=3|PY-w(YF2>F{yNzPFdCsa}&zF|q-ImDi^?Gpog_*e)v4
zHo5N5sMNS^dws~iJ;qhMLc8pz4uXT2c<#83S$(qt3ygxh2v5IftB@*Nny^ge3K%=c
z1B0i160;bG@5iO%nNt!RqX<t4(Ed85Dq?Wlu(@-|rRelR<JYYv7VXCY!K2RaG7nDl
z{P*xun1OKKXX-9<WBkl(NE0(kDz5m;co<(=b&kyd=qa@ugMhZ{^cWm|Uq*NLNlh+F
z&hD~PUB4KRev9-HZFZXYoPNgy#UH1Kt?+Rg7T8ihJ%L_}e;08qblKWX>i<9Ke;@ql
z!_(TT+25VrG0hT~e|03M>`jBV<FZ`;?V}dO@z<;PXO$gBggOM>7=-7`zG*Hb67=}E
zjzbfu_~KH-o3GhuHMpj*Ns=J1Rm774onqpgU8lU&&|rD`9{!-zUy0s(n7#nxyB;~k
zIfEHE-)n72v8phvTVA(G^~E>1w*8%MQJ|E`c&TvY%yLDaR7HY#6d{?A46o4b<J3KY
zNpZf`PQI~pI2^4#4MjF@sRLDv=l?2t*$}4HH`fH}eIfRju-`!y(Ks?rnV^8s51`;H
zn$kj#mwAvpe48IEWj_Um1;}k-hzCzXU0?XAwIOXvp`(Y6TKD?$eDA7v&P8~<7>o4K
zao~|!IR1}W8j2OHOHfBNwutENr>iDnMHr9l$cd+_?<nQ8sV?={3#5L1(ZQ4ZHVzm)
z-TK-leag^`%-v_@##Ag{_&r}J$q^lu;>eq%QR4(u_MTb8PmVVz2$=q7PVs*@faz;M
zl<~8D<ERa7tbNHv&xfj-1ah{i*<j-5!w6xD=f<rIp?$Z7u*67`NVi0c(#g^BtK}fk
zong@@aE*^<FZi?vq$J;qg?o}hvZTATk3fcG|NF`RPrJs0NZ*7UcuqciZdQeQy}VA}
z2$j)4s%~<d(nZy}hq<b5a15p?2R(=CXfUgk!79tx7u>M2ljjTrIbXL39(ocB*dTbh
z-2~<aA@{#X{MMAQ{T#H)P<aq>hAjecKY>|c#nMcr2)|3__!c9^$>FEPoc53MdSZ%M
zZp=Efj~X66fV;Yp-QBnSx<IF|q^hd9ROYDme5Gzdp-Fwe0_d6uN7>sLV4NI>{$Fow
z?q2C++zL;BjCzt$PrxU_sD3r74ZUpQVRzIdhV>I*7X{x+S)PK*vAi$=#Zp-kxJH|c
zka40z!=`HJO^5M>c!aCch)w6J2+y!jSIgYLm3&>hZN56)<5C2&Sm4ablWo;TVs@$B
zC`;ky6x@oCK38(WeFd$ioXNIgiyF@~D&)i*$l;UW2-IivmW(SbMY`4m6@+sVBf;96
zleLE4mgBhy!&X2AIA8H!#y`6iARq^V*?)!#;!}$`U(%>>XjYYs4x=r;zQK9m!=Smb
zfmwf~_U+nGlG7W7Q|%cyg*ig31X5kE9Z?<m%92h4Y3F+g(X-FZ<O!TAB$t`S($^AR
z<5(SWjZmOO)BFqA3jCv#dFaBkdK90I%sms<#3hcWzP})Li|qVuQ$ySpzFw}Dr*Y2p
ztZ5FEh*PiVBWW0E!7NcOy2gz#FTL=;W(*peB?g^B6E*)LcGEdkoY~TKBC~O|BO1;o
zW+5&GXGSY#nREYTnC1{<V0cWVfF&(W-9PL)qveO~{Ts<q;0(ol0Y7gy`z*px$P|>S
z{8gz#p^-TkBk#p~*w^<=BG)MEAofGT2Dw8=zsba^U$JkTrKIUK9kbiB82)?PFj#>{
zf}=sz154~eJ9-5Z*%qP4n!=cDOpPsFFB0?eX%DEG1Pou3hMZl>J?@)_dC?Ymy&+Me
z1;kEznL|tZT&tJ}-;nbG!+8J+*OMk*2^4MroD``t@2+{uGlLCALeELwE#f3v1>-#a
zB7tV_5tKJhgffLuUp~Wzva@i*a+^KO8k@~t7v;MX^B`s?v~$}{OgNi~2~nYHV^(g2
z(DT4Yb9&^3_<t>%ROcWb7_yc+tXSYauRiNc^2^0_$*O4OJMVMe+ub%yF;=e@E@f<1
z12t#0I)hm1ElTW;r;QTsla-bx&wpIL{hZJ|+sMb~2gJ=Uo9F&@z?R5o<M-rP0wgRy
zd2o?b{}sLwD(qVd4zusLnXcNo)xSY$Pcp0VoKraR5qDMpsd0v*1XLt!Ic^&m*C#!m
z(;P9tB8SZ#eQP{}3^L9{4*>JzKTq@aZq(KbCRtg{9;4a{E}quU=hwYpcbkI+MDI<p
z3A?UiOKB=X@-ID#c3{m_lyBE#J&70&s%-+dQ~P42bfqYJmiP{Qx>TwNM$WulyQU!*
z_0N^j&mNwb+ZCq!QJ28sOqjrJo^BSM6>|Tk&ADIdttc8<Xg!SLGS%_aA$CnzQj=lB
zOwxJEdy2-{va;s}4S&R61}mkjU!7Q`!WVpW^g~l3bC1UzJ9SO&d*A4bIRIxl9QGbq
zY1Xv*P5ibL*u&Jw@_!ph|M;I9$g`q6C25bq_r`&Hm=+Nk5^fPKk5;e2ZkB)8j}Fry
zZL6<ygb>j717%io!{*QYr=V7SJP0Do_daD^;pVMNw`=6~+Llgvt|xDvS5@4b<Cs$G
zB=Ca#g5;(O{G9JE=E6^k(RM)z3F2l675(;w_Z5i0Z+%ik0t-v)6pGEOE;*LH;j&v}
zOr(ee-%mILm9v}5w2qQHVs^M`egEuv>Q}K@@Yl!PZ%uC3a!cNU0lUK@JuHf{(;?s?
zohrq72EsXUtS5J-QiNF6m&eVUHf~Wmak<|E`lf_jh1+*dl?`#t%XhtQSJu)3fI8W2
z%vI`MS)eY-rTsn?57fcGEVxlf6G}A4CP-K$??NYZ@C|aU(cw=9K69SZX+4E$KjL2I
z|Ef9!B42*4v9(4sW;R{~yGH)_?U7s2GU-eAdiScXbulamcMK=mjpjkNLYVHLFJb(A
z^ZiMC`Su^jvp!x@k54f0*(bt-x?<|sTUtF+;699*@`ws^wZE(J`&^Q5Z<td{ujh#0
z>aNVwKKp}AD7XcG*<FD^E76|vuAH0jq}dd;+;<Ff?Qz8Gs8Fx6i3q|=e%Y5I><F&d
zqdl5(-JoRCb$}IF8OU{AFb=-b&c_U_kOJ7}dWBl(MwQh!`aOCrV8v)nP3_;(@0q~!
zDH1O}KXM=P=w%y{q9uI{6h_&b6b^(UKah1HIwnWJbBg3y+qqWWT)faEMG|UdGBS4H
zVjJ+a$Vk0EauVHVAnDVLGtwu=>Ew6PUGztMP{Vg>3%*ergIw(U=2m2;G6MXo87*Qp
zyska~M#(X;V$fCla9E{4w$Lv<)blX5rV+E!s>x*cHz$qV?cCQW0J1t~_fI$k$}Y5i
zN6xJ8ulFXvuCQ!8tiTSIQA!-ElaFQ6dB0md_9qxBTv2gOMOtEwj87u^P5Uwco&Yg+
za25t0ih0S=v~D>RGWaFxOBC_lH!H*aJfl+E{A6{7sFBM`f0r8uaF;LW9GOm?FMLlE
zyC~rV<XLS?NOo<+T%~h(x*j7te!j3f%ezb9T*8LrVX$O%z7VTK|2pzm_FvBv?g}_6
zJ>v=!DdnL$6&}aV^8>wrz}CQcG9uB^AG1ER;NKhkD1ml*WA($C-v;we3i}yeUFOMF
zfM7CAJK=oRz0M{x-jl5Djozn>(s3fz5p;BgFxDcR^-0IwD9Tst!<j2j=Fo6gIuD}y
zi-=&6jJLL^g`JwuH4k?KLBXQ<&U*;|4_lvBYxj*22lb_>6<^GMqlE10hohKQeCwmm
zWBcL#*0wf;eYOO=Ed7~bklB@^^mh^I;p(5xU(pMvG1eVn?^1pS;@T7W@m=7tJZt^*
zc#bT==S4;Ad$VN)?Jrw*Oil{3UB2Xm4#GJ+kGuvL0M66?!Sy-&T#iK@7}Fdr6`9q(
za%l0e+BM&>CW`GjVldVN(*KP7G5S)YYkd#Jd#OZ;_@O72<~D<zf$OVz-uHtV;x%ln
zaZ!2L4MOvP{J<bwsbu&Ca`C<{9H=m(FF5|T!v~6IK*s~<@ZywFXCp0$+_hHa1r93G
zhX_R6mPtfW0z(Q_CFsmL{8WEW?4Tu2fM`QAlU<Ubd#Yjwr-|}F2smOKB}O$(SDb<x
zLqYGIPB+-y_rG-k{o5Hj@lf^1Uf$910~6}X0-~p~2L`sO3OZ{__b=#w*1@BCNgBEr
z;;EsvlTrGnzTndACpa$g4y$J$%lgM0cv26Pwmoe+$Fe|!_=|g_+G9dIC5#G8Zgsg7
z%t`eABFgh~5gd`Iiboo|a>rc@vzIe@r~hoCTgyI9RVbqqmdPp<s>qU4+B<2Z6g`EW
zgaSTHcMc%Li6x~U!?-#~r_!59hX{E4+;=@+>|B6eitlp&Z_of>Ma0FwSCUvF#Qc^+
z6=edN6;f2wFBZ~e|9<isYQ#vfPd<J;LFZ5xF(OAXA{rp0$DO~|R0bjT*kPp6%XnF@
z_Q7sKwpEm?B!CAfar;f?1Gs}*_fLESI-LEHU`IHgnqUHV)0gf*th{%isvm8Z>Z4!1
zpp{DL387(iN*%FC?%*4CP1mwx<Kg|U;|r2}-;spl8A|$}lFZA6pL52=Z>Y(MM;~Xt
z$MWlv95}^)sbv}hX5#3A$&>D6Jm;uH_xqLo`uKw0YSh9uhR?S4LXvlULeu%#+mkH0
zJxw`WqX1s;Fo3Yxd*kpB$*~Aleh_i~_DGX3J&^}d{4UY+w*$MYu%HP{Si8XCd6R1D
z@73Ma;l*Ccz1sYKmUfYKU9~<v)yKt~*VPqt!ip*A-V(8HJ5iI$o&zR<<4_rld@v0$
zwXgqUxktd}-Q)p>@@7Lt$i2Bths+^4^dw^ecsui#=Kk<O$2??}VmnUQcN0!`OBZCQ
z#~pjRD1t$~Ug9=7N@32Tm3V)t0BYMh+o5U+H8{!wp2lr$h?OdS_byyG(Cm^|wR4}j
zWTbY<#LBu4-ZNL$jQ=3UvQ>PDYqYC+fczUXZZ||IGwBE6UOf50=D_S(=BgQS$^?V2
zGlJ_!(B`Q{5{ul$*|l2YSDbZCyZ0x(h?mfD*^;zS7{<F`H9)2gxiSTL6(Tj>e)UI(
zk@d|y6zp||jFF^rOm44@&S2M7)5?+~w_7E5H|1>}|2S4J$Aor~O}^N#M;NWGb);7c
z>DhK+T%<txp8I4xA5Zl@6kVV_<I}cBY;58|IWWWng*O;!_F>aW-|EECQu5x3^;IC%
z6B0v2cu`{B#Ks9L33a*eN(ab)2!(u19R@RsVW49I8~ajR!B`EW`2%g<hU9M@dlgaN
zqQ49Kb<%--AXJs^(c?)QR%v#^;j5d{`wpx`d6MR8!#+KD1&p+xOF0fMZ_ee+=)@2z
zLC=6C^PKJdGrx|RcO^!=S-eL!1Xu(>Z%cX#9}7A<YTOV^BabhFlF55!1(GMbO<jfc
z4i9%Ag!-+Ww=7t}Rj&}k9J1n?BJ9fP4;cH6AcOBYZV6o=Uc1vf)~C5UGf0*B!zT*M
zG-}M}lzaBrm~cr|yw50Z_T$yd#cT!?i*J*sSxQQjaiaVAnlJUv0qw8n=YDmwY@Pi>
z(zk+x@#`JJ&!xbA#e$!*Re+WueNX=%?0b&y6-$M8K+_FkS4~r)u+N{8wW=&7UutX|
zcP>eIAg=XpMSo*xw%$apdEENGbjrjTf%XQwR|d0Yn(`RktcdsNI!S<$;P4A<5eTqd
zf1q{2;2$4>swESV2hp+bEtRBLp^OC+;BHGZVkY!1aD?{T@EI9Q^xGwYVq~jNrUbEs
zlR&(Uw-@i0=?Xua<YIWDb;bDb0!=rw+{ON!jZsctl&V~}XTt0s9+dXka2HzO1^qTb
zF-JHyH^CI_3R4VgYcbVoD7N$TJjNbBv6$55!XP{~J*<s6Qh|Mk?gW*7oz#dkiYxAv
z(U+09<i-T6Y*oP_D`Pd2>;4(JWhM4*)s94*rAahIIFRbHxGsEYNvf)Xt*1`iAz*;~
z!f|b_7AcclhjJAmYDrX;&Z6J*Ab1L*%}Gb%(I|JEj5kU&ZB8s)k9}I<5K>bO!)DAA
z2_)LisEv^J>3`l+u;2+|SC~MPM3!Kf`}4^6orej?HGU<;%2|;A@>Bh9*NaEEob;1X
zcGu$&3KJiDa+Bftg{Ph;g!Kf)#w!r>gv4{;Z2ECe3z|jHD^emRhk!EMGtKu8LFq9t
zYDc|IDE?v<9Lo%zJ?m~MQ`q7Lz7(B+FuK+EGA)5Q7wMRnw;2~TLtE<JYVNmyB?zRB
zYozc`2S>5WOZ0?8>ArCfXnVdkD6(14nP)^%)FPR4&t3WO3(oQ<cqj19)wA&Y@>k;Q
zuMFhpw+sG*1z?9s2XX+>!p5eGp+OvE&Eko_PSQ6VQ+Mx5&=DXrAO&qom7a6`VJ<wE
z>=yXMO7<tnxB&#-^BD&?wo2Y4acQQ16aAhw1(1Sn=05WO=Uwvh17q-Jg@bda;K(K%
zLi|7@F~CB~+?P`+BcVw+#vQM8Z=<{+zr94~fi{44!MEfbiWI~dUx)Ym#P>?S7ty6X
z{yHJvuP29|pvt4=69za&yQXe-{J|jZ1v5}0*-J+jxr-jCAvY0_2aTnSq~6hv*~$`X
zLsu?}Z_VVLm&~)Bfp~c80c7+JEulR|g7m@HNYOOPLsY*dgj&dXkn7CBEoGo$@zc9t
z_Rmwr&qO4QqOxO-dB<hc_S0mTb9C_r5b4r!Rf31+E7ksuPYm^Pb$JheE#wR}x_GF-
z@hP`{ws?BoNULsFFWSz9D0QWVOT59}jm!(oX66+BT&oy1HfvvALiXAB-ROq_6T~x5
zzd!|9vmA*At<;dn%ZsWq#1H+&${jkx>gNS@RVmqX7$$gocgw|rTyR$rxyA3M7>qU7
zB$|8mw<;a@7G#{5fSFh#@?K{<`2lG@`-YL-B^hYjisj)F2;0i07Uxy#iJN%Ssb;ZR
zTL4dSFJ9YJ7~?|WY*EpSfA67Uw8x}uoP{J}+Ir<EQL5oV6mxFW#^b=gf0jh|&fSW5
z5@B;<jSx`zMLkZdC+3rsqAXJM(5oV|9rH@$w`i}0*zcNlo^jK(yS8gwN*HHkBaCaD
z<>@(&RpC2<fD8RjKWkUjBO}qiDxWHBh0b;@Uh-6wW>9BQP5ahAPi|DAsy1tGLVxGj
zY4V6I+hy9Y^37twbn?=)c2Dc2@`+%F{rEH2vJLG%;F!VU9@zqt6YtGJZHDc2Gh4UR
z0YJ{RqFB;xhvA$SMaR9RS|}(je3uK9xbn|Sy}9=CFnCUm?EHLKJt9S<Mf0^@vzcu`
z+yImSfjbw*MGqnj!?jwAOta(DIt|_NKwV1gq;#2tbI~W{`xoJBaXkKp5zVbCU1R4D
zTb8?(lUM<uNcEqa4d7+x;KTN}yt*KhrZXck(Os!7hw-yLt{?svk7*-p;X3CK&}xNB
zi?=G;aK>LwUXIT|P6Z=aPhL0u++{BuPsk*9pwluE1M>FLqq-lpelW4TCMQ08ob}$X
zzDT=c^E|fD@F%_m;R0vQs#xrRNLwMX4(Vu7yoDYm0;*{jtLtrReTH#B8_T41{APqd
zgKHEjjmb3I6Cb1}6&=}){My3QU2o8sZyjR$2hXn5{mZNVXDD}PRW<v}XdiM$?0AUD
zv?>eE<-4;EtM^Y2JCT=dE`Ov(N{PLuHWimV!JT<d{?xy?I38Q~4k3y)Au<b!;S~S!
zVI?x>W7FRIolUjB^5Ks)&<Us<RLIYYm|kgH#TAELR?I(ivg+upy8ZYwDTPugeVA7F
zq+=&*E-01yrc2nVRP*IC=7PK(q)PGIi%i|QC{6$+sJmzGpBX74<e{<Dpf-3(F<6U`
z=a-`g*I5$5T)j$bKd+`8GjU)abfMex(&6)>%EXeM{5sSn-~KvE_7t>3hsVWH5xuF{
zEa*s$!U2RKKg3?gKm7j@4-@+g*%3XOP4;H<W%|$re3V8qx3rXOuh}gq0Y=r#H;e<n
zF!ibg7W?eBky>DJw`CA{umjrojHTE0P;C|Ztfzw*fB_zU3)or5u>Y|jR)r7|R}Pg5
z#w18%4^Ls9Y^ECnLOJz@?RLyV$bh&#g<)khMJp;~lv9V${)nIjLcdX$F}Y}Mt-pNp
zs#0!(PWgeNqCA@4G`b7GA8ha%4^VRfG0sjGq;}%4^3bGAW#0>7KaPyHVD4>A)AD;d
z{kKET(0a_AJvc1ITYs&Xx%TZXwSDm-9P9k8UwyAqkGw5LNX1O|&a)JTcXgXy1&TBN
zBwAcwm*h{^JyJQZWFa+(@Z{Qil11nUt<cJeXaLDRf9*N4<%n~HXoGg0HD4zh$nPHo
z9()<`nxpjQT$yw29aB#j9z8~{Yh6e~Z8H*cd<VDYWw*1P$1Z<zT=mV}sU8bo&e!!<
zoU0tElU?j4{i-!~>*9%zYzU!@*j{$1d>^_8?fptBIm(k4m2D{H$zNB^SFvmyZbhTP
z=DYnhN(OikAOc`kR7Zg6KIa^@(#hBp-#pE_7;c5Bir~Ty??;a>1EAUutGl`Ehm*M@
z#ibt&_!!BUIV&Z7o}r*S3o^D8EtbnOJQf_Qx{UyTngA)_Mz&;2po6dPJ$9)Ma};U)
zJG0=W&cla^NE>TC!3Sg!hIzQ>@${!<KOB60hs3T}P03hk7YUSYzYc#fh+^`lY88E0
z!UK#3D*dvZSl0M3cDjt$zAdX)Q=D3CHvWWQ%A+Cpw&)cA3T!WN-u-dwfV9HA#)V?j
z?-9%40;n{^#<tzixFpI$zxs{1Q`vp-abYRmpiUjz%O;2aKAds_?Wg8;VIJjAN-Hjo
zg(aIp2+W1tK^)ELNPg7Ek00gZqg8+4tLyX;o+l)i;lpSMR|zz3%j7LdxC3pR95Vl|
zJXBpyd|o$(YZPz%BW1)qZoca4@X#II?J3FJiPqko_vi;q0I(p5Ch+&`p1r^uC_?<;
zc5v(rqdrdaV|hoPnP-AfGslo@!e8N}76NCD?I03w06eikXa|fa9{D=j;gOE>Qcwan
z&*X$=%L8<;A}(*?`=rBhfD%x?H9Gv%tMYKJ;yX=##t-+&<L%d-y|>VvZpVCAy2!?*
zC|t>lF<E&-iJ{wcT8_{}S$R{xQ_TR;Y-GLXjW0vKZW+)mpG<K~ck-$k$Z3-uq1r`W
z<lXv76bAggI%;B9O9A!T<pHtM>otH7#Zt~vh|1<UKxe@?XJEv?d7P)g?!CpcU-b)a
z9c3Z{t(4eJug{opWyf*<<}s2-Dz%H6FfBZbDzX&~%T3shNEZRXcu1}Kk?Jst%SE$y
z`9#Zs+*+_tgLz>rX$;mL$AbV=uI^XR1yYY;8gR5zfGz=QwZC4s-FN;ry?VApJ41fd
zjUE9`{}d*I0aQHZXxkeLDZ`#!DV<zq4i_okHkT<s2~92yQ^J%i*T?3OoAT`#Pag&@
z{S(ovWj0r(_CoE7N2#t&x*wu?a;6Zxph9ofy{<_en;60k`q$atQ23k`GhO2M1&`~@
z7@;GUZmBGpgb)|}7dGhDlJbhR)4`HYy|%I?1B7Zf<2AF1+6md6bvr}N-%}Ak%D%+t
zjwpP;LT|`GeX6bBRBr9O#<%<uQSAuW5*YYdL%g=vb`qkuK5uj`1O(hz|EA(ExXbt|
zX(QIJPh`&}A`~HhbZs!PGyqVq_Wfy=^D0JBL}@lDB<Ika?;dEQ><1O@dw<^@1nMO0
za*ppAbu*b=dX2oG13~6ZYAc#Zxpz7!<%?+LK^35<T!A7Z5W6#nLl~3%JR6wQ)JlrV
zB3>qP%|q{EC>ikE4(qC)zFph}zK!ti)ESK~4~%Tf46XY6deNpV>s*o5?S2WlxtrYv
zo%tgsk~SnOz+=c$hZ_hB?)1`tq1x5Yhm<b(F*x4k0!jjtxM1ZkA8m-GX^ih-R#m<8
zHMtqv?*gu8zc(9kHS~Ggxsy}l-vju5J?8go8Xpef^S-rvcGD4C^YxxfP0;s}KPvfi
zQ-;3Yv&%T7_=4kRfbTdPT}V>-!Qrof3r%{$(1!Am@0EG-U4^B{@07gdS%|KmslxYx
zT+h`>WyWl8A}X10u}M?6r+kXfH+#ox$b$}6*}m_k6p`DW@r|B8U9^wSQ_pJ)60kPD
zOm9#9NNHW7_SPm4+c!JGoq(%d`A^N1GuvZ{2#bvg$$+F?jw7UWG1aXdDmU~afam?M
z?0&ud?wMi6V2CW`k#K$Qm?**b`@zsIlK(U4$~1=TPykLIS9Yc%4_k`YN*0ZFUFyiw
zDQqjJq{8hy*?u4kQ1iOuMj87+vn_rc0QwsC;{Jjo8^VM-KAmyiilH6;Bw+i9<#o#+
zv@kj`q+SG=Li>95GE9E*3!5JEcW#x;Ds8Rz)+1Ky+Sfh7{)<cW?bZ4btHqs_g`IR1
z=5-vMKYHsHHwAB5s?3n4|A+|y&27XU%8lXQDMR#(8%Gzdzl(VwWgUm_++fT;y&J9V
z?A@8tDG{(eWxxhs>(^9XFI!Ho-x$G_A=YN<v#nb_Gd4?R4g3}W9(B#&#0Q8QW?F!+
z4=O!}saNU@iMis5UGW?Z-iag0wLU_RY^~^IY>&SK`-Qo*IB&jDT1ZOY8Em9I<HP6y
zHhs>0lxBxxfIU!6Mh0g3GHn*MQ4c=wNf)prqIG60zK2<6tdGCz1X$a?U-(XF{5JWC
zrH%XUL|>Vgi;t(}eu#?(JnHrf@ZNrWYx!U|lO3V0i|!5VxI9+abZH|1Mgike6KZ<X
zm@FcB60zzSjB}LCcO6b;_$rW#WfqW@#1rzMRIY`o7%s#H|MP(AVmMn3V5X^saTXFf
zU&<&4KM+-#4m@5Y@#Fba?ODHxR!i7|&(uJt<xaOj^@=<R5|MnG)ngkoWwhb_`P#~C
zQ2WNnYWi|ESUKwxs<p`Z!B!zXJz$X=w*m@ubvK9x`2f-^IMl{!?~%NiGdp4K<0Ey#
z;x)Y__m<|J!6C1=r&P2;6t}~M+Eo-*zmfrAp$wj#R5zpR*~xVhcg1TP&(Kbd?95Z~
z4YIXs;`Dv|iaFZn04=7v1jb0Ezu&i~cRP7U+znT`8uESAZT}C1^0N!y%RH#Mp8!yh
z<Uc{^GT1lPz_!z=HfX+e1y>qBjx%?Tdekyk?9G_D(hLlUj1<0Ut~UW`X5PO-I`v*(
zyOWxHftJS@k;>9Ec;4rZ1&j%5=N@+--6xntl8yt=^sXSML0^hX_&uya!^)sr%<_zJ
z9YLE_td_yAClR!@E2(51x3tNvC|SD_uw~)Zx&SB?kY|T_BQjGfRw4nRaK|NZ0K4aE
zLS>y&?ZTF(SDczNW{H=^w_59b-vPFGWfLlSJzzCipr&HC*jxVWx4IzM3y#^b^?5CD
zeBK{bHC7~XQnLOSAdX=7MqZ3|Wq7-1Sr$-xn6JGXy`|^V$UB1P^J===d68eS|BP|a
zCvfzRt-`mL`>JI?si+kiHz4=1Sb$ko+J*%r?baCp1KiupX9jrJ)Y+;FYf9U9l<w}%
zZYp2>I=gxKeLsOP8YjX?4FcoVtB)+Q_2HV@Wey-tx18VTHI~94gs=$H3V@Xt=QnH6
z3X|;75QSDnORM_qttw7L+g__Dmo1fa6H3k>0hWL@QeW3^7+b_k)Ne8nUE@+DBe5EQ
zOe%FeFW7)fLY|>fKkpJkq(^&EpAA@UKmP#)t?S^7&2Gfkan8#dKJ#wJw1E&kqC2cS
zBkrudpt8OXH{xd4v9&sQS!t9dCM6u+!s>eQ+cmzOY#1x?eE3TBNID&mh;i}R{BkUb
zTM3|iTO!(hw~t)Oav!d;@zN#v4h)RM4KEF^g4tA&voH{a@t5yht@54Oo$Y}bF!W`H
z-zT?Dm7UgR`boer&!=0=a<pUwEdVHEz>|6{<}1vM0}41H70b~9JyE^Ja%rCZoBf7u
zhXSAcy}7+PzMrw$Wi~Wpv}-}SyHSJf8ViCfJKjqB0px?j@w7<CZxJV@D0M{}O?T<Z
zy~QJm&*T%3Gm2}5DW!axkAlhCakFmd-XfDk{#6uKyF5I%X$EM0Fs?*qaFs+vs5;(h
zipZkjYR?qHgE+!~xO70diGW3xyWYsPV8FWd`*%!3zEmJL_1iau+=OwoTJ<VvsOI?U
zrd72Ub;)9A!$@vomC+x)@iC;c+42feELyxYm6nK>+m)8Uts0f0(&~P^;pkNHo9U##
zFaMBC&3INayiwwn{rI?l*SL~+J7S&2P4ipu%^+{oE(}C14jI(P0|q7~I8)uKyj9=f
ztq&59L^Y9THm4u&M%8;XWB-DoU11HM2{BXxYArmm=CAav!KvJU?G_bXD<dbt2FPmK
zyN{)tx4qw;@thf6AGA?P<NNXO(2K2k*WMa0<l#}N=^t*tU|$uOv=b$CYQB<=NNIp>
z38caUMKM~X8aOIHkzn$UO{Z3RPCWT8E6lJIHZoP5h1cg|DchaYo-|A;GGA@T2Q?e8
z>kNDIY1KCCtH&R^+Ih~7xMFbc{!sODM1<sg4&dlHTYr5iIqKya;Lch?WweywfYwGC
zFsbxR3tDuTb`T(z$gQM#R-t=!_(!ulzbLOQ#t`=bl4tg!$i`+4MD-{UaGygc&|B$q
z3lF@&Cc_))Uc~wb4BVi#^%~$II+cBVt1+a;N3RM&>r+wm!}26L`*gEu=IB0PWK=&I
zJft!cXK^Oyd}AG^rP(4Q(cBeQ-OjhV;J>{FRna+g`o}kkORX(u@`;A<`~l~kkR0=`
zn?GXwep2;4{Stx<>Lef@)fMq5hv8MADo!6V^9$}QvI*Syd&~U%DFET9=rwoK0U9{5
z>Yb4c%K@hv$9~{Gxt2&W$yMmlai|!q+FUUC>-XemB2l*mQXII9o^Um1D67`KOnVUU
z6q-<)wAX&=sd1y7trRZOj2&Ra`Mq6iXx$%l#<+1+rpkTjiXhPBx>>b43Xvcoj{u2;
z61&3U3Z7E8++4tu(z1TF7RWZGrB~fMf_J<`MeP7mpj{tBsk(`f?1F{Bvi1EzL%Ay7
zo5zxOb|tFj09Q^g$L$F*FmYqhW-WW`c)OyQ(qvhTwmj2JW{AppzxgFgEg<lw(6U05
z{b(B5?MvytH@WSs(Fzk!Ms|Rx$fCR6I-kDePX>vbFmest);nU1azgmY%GEQ2ZXW<A
zq{cJV8R!OB_!AqJm8jCKR>iQV*8PC8+LIE=pw35pehPm}=`UC~UaZd)cK%HyM55cp
zUVPvSF$;=lNbvv;wwpsNLc9>I)nXx-${4ioyLD-&zy-^L&>u$4u3+|I7%<@lVjsQC
zH0l;4vWUy$WN`Harl}U-4JhrM@T|JmiJ404l{T$#=zG+fqxeB@G&{l!orT-cKy3r=
za=HPNK~8|1x^>u6zHWeU?WD71n&+q6AuN#(+V28}Xg_-{NuSXpw4L>u`ni$`JVjIS
zYZm=tjIy_AIIJ~uSBk-cCxc2lVNv&P3+$1>*ib=XoYp&4hMZ`V<ry0fd=|A)GHVtw
z5a-FAOQeOp$LG@Rf0oc^yuKdl1e^v_<{5x6h*rQ-<h2^`^sclFjazvm31%rh>i&O~
zvsSNijPH1%rL>7zf_I4Wth`0GvH!W$w`(<ozrlC{b#ST)2r=W5uUz#T^EC#Yc5m<M
z`M}fSB{6vkMUW&ccUu=IwCDuwOOJX?hya|pG?};%14;vRRb<R>BRjrj`Sx5IH8r)!
zKMu@?KCSu0>C5bwShuhOdeLjTua^DThwz=#o&YrFzC!WxB}2IhC(BJzVs3l-w<@O~
zbB9eQuL0?_+B;CNookRj7uZw|R&C}~zgw644t{Z>hwp4VDtzx+xGvZ#i;$NeT1sEN
z{!^1hX};39*K2<EHlTf2F+8bDlb=dW@n?MD_gYYy`K(FYS<1RQReXV)rTtCA(rnft
zzNgCmo0>WOo7=0##G2tbKHMt7upvTn+uG;#Grl3H{e=8Dc-cD30}yz0U!4>oO8U<S
zErSDG{Vp~nyR@uM_!yRYPq10=%U6r8`U03Duh|wh6!+HV)EQuY!^!}^Jo~roBzv2w
z(5QHZHXG`i?1!sm2A|2qYKFen_aD)&>Rk1HB|*$QQ%ew$%Y&LyVj&0k`!2zV+si)V
zbr^^T?P><T()MGr6t)^3msVISnR0K+{0OFVDT<Ie?s68uLD<%|0pP6a&}Y1&)sS|r
zBVb68MFxGH3)n&HEMOKkXqquQud{!6ab4D|U1X)JNLFQwoi2G6vi&VYC3|NnhF>Q`
zc{E5uL92eH-?wx*LAJIGXT(@v)b+;>?*!hZ83QtX`4v^3fHc}p%5np@Vt^<E#<MlX
z&7He3N7;t?@o#@DGYEb|Y>PM+09)VWu9Lel(rmW6J3ceMJd-k_?7=SWkytY<G`I2j
zP;R5;azlPo{)3&yV?KtaYtQ28)2sEeN{cKp$Mx^gm)8KPMo_71<72?8$h}M786Fd`
ziL0(g62X0xdA45$g3lowu_C#fx1LS3mP)=UgIqpU?YRML+~(;i-PTig4kUP4ylrC=
zt0(wUnG1U;zHx{(l;mHz_>;n4!d%Mzb5iP~To}S8SY5t7VJI3$>;Wxb$Gzg$eKTr}
zj}RZ|I1rv>L$S3bSH01lnXr7cQpJR4Zic^)*TdCe--QE^6UraXZ=qZl7o-b~y`Udz
zRY1PR5(?WuODjCIIa#T->&4RlV5zN<4ltmFE$+W@ro|g?m&{sfa*B^9JB(nWQk*N+
z6q}`5PcwG*pa5i=T{Ctdx407Z$;YDnJ<j)+Z1LBB0DsZgpMXCA?Eur1G)dHR<94-(
z$o{HLuKDN}%G+^Vsq=%HVoPkiX$)cGIo%g^3n67AIic4N5RxDnr5+c1en4XxH%;M~
zmyS1+rM+<n-nZ%G*fiFTU+`9IDS^f0ZU_T(qSe+p1R&g1@=AH5DCWcH-)9Ivp%>-5
zv?7PiaVN1<hs>+Xcm;8L0=Zi8i3bO&AekHgY~hSpFrw!xk=9H>3P0`DP%+V6Xc8nk
zr8+Wv7aN`v++XB3x3%dUzA>??on;wkhi4V-c4G85DFU3LDXVY)!kPjI)QVLgr#r}8
zt!@|Ea6|YRUg&t6Ie^tO4{tdbZ?4f5(Dvr0*By(<x!#ui{Lu3NgOA8roiNw6uVs9H
z(9lEXyr=|HzOQGb?cLh@jv`6i%EGgP0AcXm|3Los6pjiOYumZYhzN(9W9#7hdSg<{
z`+DH|TID5!vsVsti9(G{yq---pB$Acv}LdQa_XW|9wJ|?`*oR}yMBu~nWcw}S?UaF
zx^fz5czhyzN80~|KAdIP2r1CF3O0nvnA|qNN`ca;{hdUuT=p>RY(9)+f?QJ=HN0fz
zS1E~Ar^Q4`h<;yiRExO3bQFlS*1<R}2qps<<APs0|M4O}>2;aGxV92e`F(S;n`2|M
zfXmG+TCVS9s@8bdc&uDR&$c3xcwSP{zA(6A*4Y6*RHTm(Z)nD;h>t-;%_pFjFd=Hr
z*PFR!JOS*=>0%$=AcHhE@!!^{%e$fk%H**MBRP|#y9T463_Vva%rcT}SZ5sWJey(N
zgA%00cAI5cZS*chu9re>0XYd~@Q{A9XZ*qCJqh*~``i_jO7<jxhcMEqR#cH(q;~GP
zkFNFVa;)+VOADj_hMulpJsx&i)Y`_*xdWS?vq3s_hq7FkC8fx6GG2momlG{#H!6j8
z$5p=25}hb>zgRSls_9F&V#s{V8HVi`<xH$n25EDQcHmM<q|VhpGWmYO-@O64m2c<+
zwTRTRtI~ePA3=q1zaBUwJ{!kvF=1WVhSR6yc74yU5@cx1vt<cBwr9yMHGv3ijRy$1
z>&Td`3Pn^@VJY7#F()P`t1GFg+5r4w`_zv)08af+X_Z}~n`%C=b9l5_YIO^Pc;(BK
z#u@~vifDRvGXpdR_r)n+DiBPkPM0LGYg9x<UYsI!H9vYA3ZS+dpeaJ132mYFs?Z*B
zc4HJL{s17mFm?RYe+BmM-kDcu(Dn2vu&eNx^|cO{S<Pk9@nmpGcEHf^!5>G@-4Upu
z@)-I!3YAUdoSXqh=I0Fkgy(_{p{`mXIN0s;&gY$9iD%sc6@wlM3FHU!0;?&6>LAyD
zz2YZka48oh5dj{~lD_%&2)09P5q{WY)Sw{AkU%K!C42^@j2fjlL)P;H@vpA^2Mci5
zAlzj}xMus5f2~(%3pj8*EYoy~C;~}~wz;hy;auiPI|vvOrTq^&0To}31X{$))ts>>
z)zk3>ZT%YTm^l4wZ*V8gDQ7d1-9?M7ft}lQjtO$c!3sB5PgyXnyCq1X>dE%m?j1V?
z7i-bVFWiEV|5evWW)$dfuIM1YP#<#5vV+=hKMNbLGgXgGxKVsZOHmUt)K*eAd6&?2
z)j1OTBe@lL0}oG;94XH)AHTW3>oFJfGDZD7bc_D@^8}n7AiN2_|5w7BnxT~W>TvQ^
z;sh3)xBgyE6x^jL5&u>!ELY@lQTt|YkO6F)>~4DG4GE~Y&F$j46rzXa#BuI<NyY{R
zp0^yVxY&R(JJPxF(CvRY-2h+*kP+eot@q&!#q(YC{pLhm3nYU9xZUD4VjUWtl!)y0
zBA_<%{Bhs}`z&+PebOhao+vCY??=LuY2sesM&5>Lh5Z|G4*;A@CM2@nXnDy{d>oJL
zc(0^6*6q$X{GiviYf~Gh-aU?;eX?vYL+%QTG<DqTsszkT&Q8b>!CiFLMJ{f~=X{ME
zH+V?k=VWgXkl)_5{+Yh>|0PG5!KYsJ_;XpFU5MyyI%Q7m?;e(}IXuvNeyl)4#5B=U
zp@)sGY&N5>0|41_3S~@mrA%&TZ=B!-r`%asRYk{j@!a8Ztdo^JqF4z~(LJVslN|f^
zI{Rk|b=?2s_=aPueX%_og81<CLNd2sm!Pc-ptDn_*23Q1!(kC)uLj$wV?&^%J{fwN
zi~s<cJ8(_5W;Ln2ye9@a3Q#@9hUa4s=2YW>W(@@xKcJVSiTN*jN&m;~0wf1ajc(w#
zC&Qj98c0g(mcGOxWzr-nEkzbNp-S;IIviAdv(YZpoHQ^;?1Az6wec3-Yh@^%B6D5u
z_z|bam?UiMlEVM281yr%d}aZsDR5&B@tS|Z97@Vh)VDT17cH>EyY`n@CUp;g3<4J2
zCtsnifC*GwdhkA38r_5GLCBs4r7Lzwoivq}<z{++H<6G6zkN&ShftvP@h8iV|2;@e
z_qX+!jmJ?%1QxmeA7Nh}4)xyte{x!Aw?rtFeK3^l*^0rK42CQtbnIi#KGqf~gcw5@
z6b56>GGs3zYr-IeCi`C2BK+Pu=l49%iF3aHbah=_edhCdFZcbrm)Gl-smS8SyK!q#
zGQ6I|D+|ER9J`Qu0Qb=};l3lwB0V6JCE6ywD787#UF1XFsyYePJPG^U%JG}u#gys?
zhhTMf6<r=@fy!C1-v6NYoxh@i?piipx6Bwqe22T#15wK&JW6ZSS2j~=VaL8eBg%(P
zejP1Kj=`Q_wTnVoAA0IOpiXl0&XMoXF=^D(P{EI)m}t`LPt{_2a4)v}_axr_wM8X1
zFWs5@1smJTHFOgo&1r>2B@B)7H#Pc=zKbi<^i@|5r_L6~Uo4u52Z7l^$(fRFi|{r&
zN&?T)m&1NWuXT?g1YsAa#QT}#%Oax74K-`mH~x*HtqgJRVV#_X+&<me(DG8iG71}K
z&=VSM@&0KcJYuHXX_3G5u>znKLetw<vEorF8%vy=b`x|NnddYW``jnLNL1V%y4%6b
z0P4Z}-#F~~OF!>aj&sPUHe3;QRXq3dDOFC0dt`FKaiue=Gg2jql1^7jSo$akz-tK4
z$s|ElEKsDEdb#a3`y_-k>P`X;kJq8mg-dI;8e{Tc&_bf)zY~k|05q<Aa4bI9RxQ>-
zBQ&k!GyF%82cKV8|8lbfoNK`obIvjr)+<+Q9EdXs?9J3n<k1{e_EQ1!A%B>Bg|d4y
z6T7htaQi=W&6~$TO6eb|(tquko>aFeNp^}8)#%E}Q;<3^fKmVq?X4n2lcV{hAcLm%
z!Kb-rEqg_fP0cSzY)JCDnjee#g~>*4zcxk{&Qx`6WD;#??Q8q_w1X*<H=OwCk$#@C
zjsUlL2~GWd?D!o;-k%~*cL9U$W+31JN4otM>V8P#GaSK+F%pDY<of_KheoTwl-0MC
z=OG8yqB*m#IRWpO^}q;w<m<sj)Thb^1_<U;izVzClIZ*4oXN%ZoeD<OnEXhT<o}_L
zf(D5Ig!q*C<*XD26)3V^<!mrtfr&XYgNMJ8zh`gM10Bds`^hvpY-(6CURgBUdNAij
zJYRMX4!OG7f8oiD_BOCk6$;xsif-m`&0nsV=ucwkaa)MHceGxd#r@mGo?onT?If|U
zFAu%+(?4e!sPX;un7(>mnx#B0gK{j`N&xyUJCbSa_i|o)$Gju@OQ;#Nq?a6@sWPlX
zvqVmuu+H&EjohBJw?Fmi4nPUEob@fA;u$0k9D06M6*I1Vc8-6{f%$NWJdWiFQ@3+g
z*cB4hV&4PFJfmJ1;|f*-CLum#s-9s7l%oB~wR+m?$wSJ3iIx~Xu((&q@)I6@U_+X?
zMdkgW>q2K@r9WeDWGmYpXfR_?l9<bKDmX)aQxniWBumn&x(_}|NoY_X>~dZ1oJ?_(
zZ~xeYPO%ZN1ud)<b27E0f00Ve57J?3qVRF@M@%26RjySJiJIB4KbN#{`r3tN7xv2`
zSqM^B3JH>t&p>4w6R@RCk}J}3-(areU-NlURoCgF1;Q>Dw~67pe~CygsFMVx=@!sT
zgStzspDloR^A9+*IqN}CY@WV%K2PF1Mw`L-G#f8&A6uHN;%ANh8VzVo_pBohGbx!|
zeMhf&Fuk_e=&&QRTjkSJDJ~ZON4O;c7;S_1^>O{KjQy7;>E#s6e!ra-<Q|$F=RTG+
z6P%L3`J8*^L~kW%@pLC@3D`{r39GA~9+MYUqra;C!GK9XPr!_aJ(a~#=ZiYMfgT!6
zYoGtN?6;>J&tK|~DL{1~`l|&hw=!b&)T)1(6^}0F0T2D?-~>z*Q+5Lgzp6n!=Kv>}
z{bjpE$aRJ(t~KvZ#jlIZDIvO8GNDpl_KvsX>dBu(QtOG4l0ARxCv9-mCjiQ*?t85*
z)eGXRou)Idb7=fS=JOaz2?IVeC$gH)g=^?TiAO2R*l0Qh-w8B-$#daAE3sdl*^LRW
zdpSI*m|-7}YmY<mnHB{`fNlH!4{U1{>^wblCT02Z9A}O~K~e8j`J$8j2Zp`wHRIKR
z^2Hx+P%3X85#VyS#XmYSkBKMPdO(NIbvqaGwhf%t6zKENOTvzTB}}^W?@~9)z=>M=
zD;G{0Msr4@bv~)zl^6fRGFW+@D4_x!X=S|bF>4msC1k_`f39}C@0b8gsxLD$MplVl
zi@2_7qL4;ub2*$>6T2r8{K;?*b?)R+o-!xKYXB=pugD{90j!W0`hcD(+GJFR6mjvB
zngS7th^uA{=~tby9oon>@Ar|@wy2MBOwDg<AKKTvutQHLemwqfG02>XI?qG<E6_Mj
zKKi!G1*s7RHDmP6QFKtact$cxvRGaxbgJ_}HT0W2Zp~I2c1sMf>N4IIUvTn13Rr8i
z$bX4&CKVYI3iSlSbLCVK=O3>!cpM;8N>N!uC)pxDg-pw=XpGH_8Zje>MmfJzRMqh*
z3B`2F`=f!upP%9dP2{?i2nR0q?6-w8tF_dVNTu-kA3i{`<DUY>Al%BS$Zx^w+tF58
z3k7+wBOLh)m%66Zqnbj!ZAl9hX;ve#$_TB+S9s>!3r$rfqqs)S{70pw7omyhX=yBA
zR=jLp_~{z{S<=o1t8TnXTh>#oAJGIf1NiL~HN<={)^bfxCOHM0bCztHm;}3B7C*LE
zJ}xHP^^7W4ISMCfFTGkBL~Dw{wZAx8oXSmu=|VmV^=tVBK)5y1^x8%*{G_^b{NpAW
zP?-*tKa%VidOnJ>k47<_C0fS(AoxA<bC8gX-Fo>>1C>n^{Nqtl0QAn=b>{Z$$>7#d
z=fzt$tU1I^k}M>Z2C9x0FpZ5ms6lSzGkNq(I5!gDB=+)+t~HPq-_0rh%hi*kWd!YH
zJ2+D^$IqtN@Ce3Rg}G!|=40uRJ%?Zbs7rIUS$w{;4*Dl0FcpKKhyRq;I)?+rqSm`3
z^1^bzGWLP?WURgc0Yvdzcm5eHfqJkWC;rU+)<!`p*8<G&<~m1W3CjUWYvFq16eT5L
zoY>OVRyOs(+p!H+w-Le%#aF)1MFn^>rph4oQ24`!u+Ld~Is)yHw4jxGab@kFY0`kk
z)|A?K&MWeoc6!XWFjTs}25s>0BTgc^i84NjI(-wtFZsfH7LY~0YM0++sus7bbMgOt
zZd(e{YAN|L25mhf+js11?W<WIKxZF8J3jnp9mf=^=smo^_f7uHhNTNhz5;DSDs1p%
z^t~{$x27X35=p!y*GFlqa8fsJskJ>&qTZXjWz;#6vMkqLPHxPUWkF4&Jt~JlAaAXF
z<d^<-KfssIK9T#<0a8oq*0#B%+q}5gydM)cdZ1@gx|OZZVk4wsX<8Cy2C*mx{sJDn
z^c>?#KKB08#vRJ$YNUb3;~y2V8<_)5XB>_}fYw34t36HkUv5IZ7CtRysQ(GZX_&7S
zZ`@R)Jmu)O?!;q0_LL(v|5l;-yKHLl$xe8nW*Y^oXseBY`g#90arcAPmu3|uV0<Dl
zWoP$<B|mdJAYdO2^<Z0ETDOya$+KNieWxTAE`CaO>8(O~S(`*carfOz+TKRGXq(K|
zkRR72w}N0~+I;k8dY+(B9jU}Y>47eHxP`3I45^!QdZY4vv2PXmcyw{sp+^9EGIsoX
ze3J+=;?t+$CrWs6?hHKi=3GHJre8&iQW~>*@V#e{IR1h2U6pRtC?<;TF+LGhP4=pu
z15+MJHc@YXU>R}JUO`$dkP{)yFwq5cMO5%klXKAQ`VXIfQ_2AC>m|hzXQ2X{=JnTe
zgNkDeKO=I6Pn#2ymV!AmE6FgIW|?Qf+;&hllOi*ZudJx>)16UjrIB=M75ueuRX!MJ
zi(}G|&;r`xSXBwo61|<H^LekV;7|2Ueo!2AKOFh+J@Sp<TI!(MmSJJln+$^s7RHER
z<<Pgm+|eveH$t2jX+nV9fwq4VUQzEfKCidLG$#?vo!;!H^LdWZRyXFTVX7KkfgaR0
z-O-=KIrP#a|6RE^Qa*|6y&QJR%_Tz83`#`i`It4gaIhDyGjHqIGFmp2&5-GlY?Du#
z27GdsBWFzVQigI+9M6{NVG@1fUV82QGSE!7ZJ^bA`!GOi4>^BTN`09GVsAp%GcLlL
zV>Y*STe7n7i(k3%EKs29e_KzgCbl3gY68WJ<WZHvT-7;JmSr4q%PUf?NLg(P*4M}<
zcj)ZZQ!pKv!{P?`4cE#&Ez@6Ob|6D1Qqdf8DqrYHZ@Q-P6OYS7&9ZRu<9DY_)Lp}E
zuV9y+3b4tKD;x1>%{*0-xG7<0)=Nn}oO)7Rkn+gccJTSX3Cixsls=hdoO5`Civ>9=
z9A1pr7kkgQff=biZWzjK*Q^fCfv_SPv>n`23w`!n8)=ef!PJlreJ)4a(SQH}#_g>q
z|Cl!g-S3q#P{2Iqi?!OBZYMTBo#C@&p`-B>wnz$fW;p5nRIh+it|jvE`j8!zKztiw
ztAr`D2q^gs&%ctjq^xc{b3ArnPyg^!HLC}Bhe!)%rBN+z3?~aCOuOwG=i+(oenO%v
zlMS~kpj$14sI-Y<1>NjTiNzI7`z6y}V_o<~op?IHFi+_ANvhZkok4)YKZ?hG2?<hV
z)s2+IXehN@ZijeFJZdPXOOVg#`qp6JH+;0<VhCJ10sAgPSM1~O(uh&q!Qwuv1RlFd
zx5oHK&wn^MW(V|w<Z!I|^IIh+z8gE)CW%1Y&Cgf@i^ue<`ZMTC0_mv{!a;Uwn%`YM
zEBkWeE#peqs4zM(+MP2g!^ZG7oY(MSr~Wg1=L}#;0@e=yej#+L&}aA>E4XEC^p8W_
zv7G8P*7Z@PTOX5XGh#+={vT;XlMd&6M>lR<j@_4(NcC`~K)hG*nSEneM)nno=L&Qv
zgX!f+?u8KFX4e@!N>W+W@B%k`<XrM`E=DbH9lK7F(H-wa!ZH=64!gB1$H5N-f4OE$
z!3eyribo|oLK*{?O@0YF&tD{f$vi+pV{AvypE;kp-(Ee@{TOu0+S^U!>^m#3zEwRG
z4C3|~6_hWbQP}pTy_jO3h3D#Q<@M(aagMiK9IE1|WWGz(7`EtC5$!%ocwn;uIm-)F
zL!{{h^>WmDO?(_c>wqCp%*bt+ivCr0-acjj&ak0km$ByJdS;`vv6fh;6s8744<;&8
za5@mDPSl3b@JAv0|A<!B!>ou8qe47FKqrBUV;MN*_Ho0Z*7fU;t${G<Nz2q6-7JTk
zVpX8mk@#{B#$p@|CU|ugZ>|nxBzg{E3CLYr3?}JxXWiHtxd{KOr>BKi{SShr4<PIV
zoiqi?o3Pdw^~PQfa%JN0vhpL`LVC0g&tu~12u#PEFtWuO(Rvfax~9|OM+^{=MeJi^
zGSinh>4Tiv%4fRPjNQ9$OjRzun;GJ6#+*t2MGV<Kem{3PB;S8+&{K1#Q7fI!EbWF5
z#Jy~WdEu7M7}{1Gj=kWtPR<mN%a4p1{umZxI@Dg0ij*?6yTO(lf$!Qp8hpKZ4g3#c
zSZTrtU5<?~$3<Hy@#HF7rC^ux?p#OE8Rf2zn#p?eOCO`+t$4*44VIhESIa>=%p*s(
zDd!K0IMgv-)=oyH$UxEoikF`XLa_VZ^!-%sl6B@o5e;)U#BO?uW_vMUxKR)RZeyVA
zTaRN#44K*WT#C{H3}flSm6HF+UIa;3foAg(gpp$z&x1EJlfR5;0b9Pf)@PSjwo?*5
zWz1&mztiuH0o_dl%E6B-X8DQ2hiwYvl{OxsJZ{Xrw$W}*nvg%pXizHr&{4xtgh&^Y
z7N4Y3oCoG(#Q$I|JTDj}=9|Dsl59(;l=MfGn}lMEHydRE>#=ZV%!j)Z^CM}B{_lL`
zSAf;wp3pEjf(pd35K<1{lHibawROmWg%92uouzyQXj)2x?FvNvIdfaR1}T)+a`+tE
zSoFCOzP0g>unI$&EE1Eq9wMxWMzB9kO=1ivtwZ0w3`n@yHMQ6xqFJ*sxKOV3{&|4n
zrt0|dUyxd8sN&YUcm&SAs7(TtyLl+~Y}gIZXbZ@RdPgxGx{FLn!%wO?HB+jBJa{@h
zCz+d=h+UZ1W8G!pJ*>ec@QyE0*VzzaSnF%g#_hb%IBdJH8|exPEaq+mpI3QUcR$pb
z?Yl_a{4Zrlzz<`m-zQQF9}Q1RZ~L$~iiEtcmpMF8IwAk&_R;!o2CdODMor<B#5y3>
zFqh+`>Njvi%`ce+lLk#bFh`C^lC_3KKhEB0T<DW00Z~Y6%!yqB1O~GE)#;Hkx9S;H
zw7H+SpLJw<U+#_>3<{DttvYY~==w9YDD2o15HCy{i&Ziu-ME4z$7>7)8H`w8Q10#`
z-&(Z59kWaYL&eu#?k2aroTC2{sAFQOTSL;_Q2TMe+Vn`8P>dUUJ2pBcs?z`AtQusg
zrTLP`iww(FxVkZ7<hes7Kc~|^;#MjenIv_1>CnV@y6pk{@rdQCJ0nvj<bT<hlXqS<
zXeu7zV;|*o$*e#3m_BmUGP%zmLC#}|@`y&APN&Z^uF&Ir$!u?8ViRK^-9FwI?B&rO
zYTubI5@IlI^ePneM0yBKp8oq$1JrltRK^#zO-IZMgkOj78!C?qpjix?1=y8r$nWax
zdOd%DbNnE0gsJ;x2(u8Z-2Sz*U<~k2Ll^kzE+*iDf##=_i^$(7GCOU_w?=qR((!$z
z>$%!!YipL3|BPgL56mN?U9r)Kd9WqNmcfYBZq&2m?|TAM7LT?!CF_>=psy1fdHuXB
zd@&K=a#VcWgXDK+zZ>MN5qIV2k<oY)%h13@*@wscgQu0l;KjOv%{`x1$8ToOiSZEL
zXkk+@tuXAToC_3Jj7D-%5R_*0>ev49Eub+y{;rE<j~C|r)a@)lcOLpY$Ml6st({TU
zYm2vu4|Jh&A}*J;+cK-ksk{((iRLDx(7nMzuc}9xRk7o|5eJr2o>qSUK%<97!)744
zS9SoW<wMLK?@rjCl0oUVh@7~T@*B$xhuhS72w&O&B@oDWamUTdk?l*--p08m-5+;K
zF0d)94vW!E`6C^E!D<Ydti}FK>D{w&iKX+Yu%~4E^ZzV-0%Y=yN6)5wI+gzp1#k7D
z*XWBg(CjP>kFN{9iDY_jK4I)C=HXi!qyz66JsuRo%bv%>PEY*OBt?Y5{LqY;*V6@v
zLkB?N(qM0~5YXOH`RPnmN>8-d9G@&_e}T<5wJEdUk#~nixl=o?(OvTyc8K>niQSG~
zTfrpBeE5>wfZk;f6Sb%I)iD^(G{8;te6T0)6^M6?meI_dvBxAgN_&aEWeB<FWB;nv
zz`|~1>h`*dr2Fim&NL_dau27y0y$+6{Udt((+byIRbxh!-{W!RjxP^n4lEzpb?;w(
zr31N$ZsEd(0q<_d==P5vxe+<MskSsWkCx-`jt=kYAB#Z=j{IN6xXVepUI;`w|JfJO
z)%rAQfDQZ>_qU$VKRfQ(MfS1Vd=BOjY0e}zXd@CD>kT5P-4D@fS>k=V>^=gu7%(|a
zJOG=+{B@MInm?j2#?1OHrDjG3#U@Zo@(A3+ei&5lH1E%;aR%Iy3&CH5YQweVi0s#-
zVA?mx<kH6cW3>?L?zR(4Y)dbdr|gNB?C%O0-TdMGI{HYQsmKfT;o#U&Tq|TvNqz8X
z#+~XttSie75Av8>)8*AOu;khy=pr14iIgddS`Ng8jc4I6huB_k1G>{z#!ReC$L#Ah
zhYz3|I~Klc-{E;>0{SGxPn`{E)B;5$Pu0ClD`7t<9~EX<xRc{MI3B1;1TVecN{x6E
z@~Bi<7*BH_y=8BC|Nr*_bR9-q83Ge;sYYP65`0@OwJ2_Xd#m6<a_?bowi>-H`<1DQ
zcQC?Ozez>qs2a(x58l5+AO4Hw@Yi3N`R)SeC`DIM$bXnWt4|ka@L6=R=Cfi@8io8a
zK1vXCTY!g^DE$CXucQ2U<(41y$!O9@*W}knmxR#sJDIC9cODj*ij6LRUeV<D%d>%!
zOjxoa2=m)Ns>k@|#<*J!!r<o(w=W5bi)1z!X^vj26)QWYIap-3G=AlVSf#{;E0Gs|
zD_;J}8Eemk8lL2BZ)lR0J2FA$BRV#|bJ;_3=PNxwSO7B;FJ@LQva(}NonA+D=-QL8
z!hz+Fl`F-RR3PvyGH8E+c?6w*EGS3QAu~osOHXV{WAT$0y;d4!P%Gok?cJL!DSKB<
z$}r<3{xkiB%h{(FMcabjPvV~I31m<RGS(?c7Vp5+Cne_2wInp!D0xf$#z?A7F6#8h
z{UKS92Y_nJRs8pnIy=80Bus;r>SMd!!#Ig2e|sR$t$r<AQ^BtvwAp(LC!!K$DNuc?
zN$<r*fDw+ZwNla|oNehkrelnQpG3VE8`SfEw;eOBc!6Nm@8}o=yv^S^EA|v{aH5*L
zNzM|NTbAfL%v_D~?VmWDvwVgrEqJf^_6Y`zbwSq(Esqidp!nH_W1tdGc@+;`J`8$e
z9W!ySq;~Hedy*nIA;&9(0JjTEj}g7rgPFYamH`QcczVwfqf~gDy67_aYbSy}Se<xz
z;0)`lOitgVQkHIu<a_!R3Z@efcgZ)9TSs@h-!P?TK%-k{wvv`F@|ySs-6L77*+Dvj
z^_fhO9s&|-nZ*rQGxZ~UQ^i(;>mM#UJ=gmYE%ZmI{o>JQb6rOc;mWX|;d!90;;oB0
zw97^r`0lsw_>yTKp|3pP&7|4r)!DElz~j{M(6+6QqKxC~3u=4;`m5A`FFj0>KcA!3
znV{3+U>~d{a5eZk(drJ^yM(>>PNoQ+@izGP$bN*!4WfMk|BOJ$$*4=RQ@Wvq5StUH
zG$X$WfRSLXPZ^M9ccIgO9HJDiuj|`#<Vw*}u{N?ie=>fp+V2Ea%!04%(64t8NQcpS
zi4#(2xj}C%ZNp(sC~kREyQJqdMZJ(zpX?>tCc_m`Pw|l^B6EyMcRcr7(mn#ZY~*0=
zaC3~g5ofH$kVz&%{>+Z9Nb8=uBCkNqUzT$ALG0DB19e{6B}pmu1xLf|ZJ(PUvWwom
zS^VN(Is(R_WB~cFGRs20{tuH}aW+T3V2?aam^mEibKrIAmh6j;*UxRdk`sy0Uk@LU
zzM_92PFS8zy`IzKRt_>i>XsFkZ2HS6hm(9<XN~JH7ns?aQqa}UTZ!Uk0-`wL{d>;n
zM`trMcOQ<1tFQb)qjjkIBB_Ky^FymE$4t+djH;uSM(%b&zEMEbMlu584si*~2XLyv
zN5!ruzBc2~<1C_QsHa535hKBs=NnBxsz$Qkql<p`i>7kjvXjET79d_H73d5z7na~&
zMbP-B+&SYEM$XJYO5r(unHRYYu1toVx|$iB@lk*7$)lT5C3<&uu>TP(%_RG-&2t`M
z0EiWWYsN{;48p8gd4<ikvRr(%dK>))pFrGs3YfYR771|71duHwrx%1_&!nhjL_xD}
z+!txeVKabcpG2C^i}~#q=a3MlF*%ljK8W|a5B|t0W<EAb&w9nBIlO~mOgAB*W1tbp
zIvI4_GvdUppE+mLZ9IHMR|b~gcqB$u`f2U&REjkpX15nNxVc04Hq@k^>geI9m%+=+
z*N57(ab~V-t)cdhZSfoBXl|FyeM+I4D_?Uc>9aD<j5B#`-Ol-*hol>yOb$#ci^iS@
z6=%ras!0hbzD53u-@h`G#fm1&dsUTHN)yG)N%eh{!kYD$j7}O=c2X;G%ctKWBzjj*
zjp^8)Crac}Z_{R6@`#lG#i;EBGe6x^Vu1%|?tv1rTIVJV1y|Ky;TdleK`Vi(MsD_k
ztjh)*q-ZU&D1U@{*(Pd5r?9YIn=0iEtCaRubht8j5a@q}?ydiYmKy7eO^dp@5ZL^2
zorY?%o~ZgfhL^9`I?S=qE|ZS0%!ENhTwx@yH=F9F6wE6aZc!&ji2opPYBGeAAa>p9
zdX>M=7v|yQ<Ck|^WX1EG?@?lvqmYIW+Cp=o<#6m>Rc*GxCuM=+gdn$`wWLd-5d%*y
zI~<o|oH%ua<$Kz5E>H*(*jvmZm&#;$6?1`Gp+(@K@^6@HC9+TE0_@`>xtBPK(+8%p
zx?ClI;nXa5#z(tj)GAVw=Q-0Dce5;KDxY5zP;KJ7v!`kkaB|(gSE28T?l+P?*;aYl
zR7CyGCTM2&MQ1ulILl-B<X2twM8R%*(6AhZ1&q5Z4STA1Xo02+Vj{lzhXJQ{)3Zh+
zA?^-6eY4)=3EfcpC@iS?=XcAZ8|%GONS5>^VaK)^PK$c7r|SuFBGm`4&CB@hR^M{G
zNs|jE{OCU=YrW)4F8<hL9;PiT8)c#`@l+#uiGY}?%mV7EfoSjkCtM6Lu_goYDT*1R
zJG<Ollo!EXct_0%zqguGm@~t<lieZVvVjgF*|DqIfjX4D8?(h);hn4Y=ub~mvcX)f
zqk7P)+=JO3Rr@VL>^@_kbRb7kt3O(zy9n!X8DRymn~U4tafzE1j>U4+5`{H+&i!an
zd`>#&;c1;^gFnWx^iIBhrqE83Wky}J%)<DCN6wuIqgNZ*Ki?H$t&b^|K9Tk~AI1tM
zuf2V=r`Xx6Y@n`S2GijVw%5b+B~{Xl@OWx-u^#y5WoR2YOv){gc-X&Ut8Q#jYXv&|
z{k-4Lr659Id~Q0Nlc}PUn`kc!l-{}C?74lwAokhkqevHK&VU9T?WXgCHOQKT2R3be
zUQ6MHHJnb2ZB8i8rgREyCEUu;M&tC@jK}XVnQmJt_?7mfDkZ{ES|(3{faG(JB>(?y
z<o^?(NXqZvWshSZBAvS&M7g<mv(Z3#UFGVOTkQqAf~6#7DMK~#x`z3__nXSnfkOsl
zPUE5UwPO!kKt+YwEMtmsm%V*)`y?oCM6vewBR`+9GQP@9K;Lt+V!aaLT$loB7O-RW
z$+Gd93qq^u&29Cs$k&pH`I(J3NK&z<9Du}6<haakuke+@2Eyi;8qjd^T9SFeLKr<}
zbndYvlIg=`H*3%V_8>-mNV&=;t6-eEuPdmt1x8uA3R<PnA9v%A58vp#Y9a0AdPjX@
zCX?Clmy~tdvXxgd8qmGE>c%F{4%fu_mGWXa6Kt0tr;e3A$C&IBTKH|sBaL#bPka7<
z<wE|1ctXc%R)H2)Pvp~%xnk8Xdd4A-LTpj(>iIzYu0GD@YmcY=PbOz6GVV(I=gsZa
zcbo92RH+|D*RILXRr8(nJ}vj+(!LV9gcrHA54X3^U2OQ!@Zs){S03L^PCj^IFIOfv
zCz<7Gm&eOjB$}OFZtcBrnSQ_LmF^pc$<u=a-}x^O+#4)6u&A6ZTK-@jp}~;jajXBe
zVVnlXdsI2GfHtF%bZHMIR1F%mrOw<R=6cCoc5D4NyFQG{2n%1IC}7gamDMVLGDOah
zGc_?W!CG35T{CIW=3qZN;lNqX`yeV>#ZcXl^*WCfU56bv5}xRJt#Wt%>4WgTI4aYW
zQ?v*B6gGNXAQ86i16|_3*0BUl|0KX0Vc{@Fg>Ggwe>m<fg}sVhP<>@!p3|D{(&qbY
zEZvUzonS0Z@=>&<h13dxzjwFz*1P08vs7;5Yg31t2SLjd2iIVb3K2GIpqrbO=Tga=
zkTcZps_BFtd42zoPE~)DC>&jossx`I{%{rIrw&PT5PNGpGp0K)vN#cSfXCg{NhI&@
zN;*4Ej-YT?w2m|`BIYT|siWq73_;t3sx~RK#3b@{7bY|v<+M8|c5JP)u!lisY~MqP
z+d5194$myvjYgSx+#?xp9o>C|6ZVfz_#@tUy}MB8(^m1A8BVMyFzXb}vluh9P#|CG
zt(`*O5Vw?ujYgB5p><7J_-I!cs?9=^4>M~km%O+yl1lLjy)C!v!JmBTDBe<-?pvt`
zI$pEE4m^#Ya$Bl~FQwCC!#uht(l~S^SyU@SMF_&YW5w~#SqI%15s-()=xa{LvA-K=
z=60<b*Yed(`3CTxWZm`fXFv_C>q`>3cz;6Dckg`sW>TlG9?amoiJLJwEsxI!B9cRl
zA2i5?B-m~r{!seG>TzfJ(e!A<7=fH45U3L^Ke8J!3~*@)k_2&v-k1Hu8`aL4{qRE`
zP3qN_Yb47;+}gTL6g8Z%eK*YRXG<J&s+vPzPALAK+nSEnuu9?!d!ClJLOH$1i95dU
zdvy7kvRRBSBT_GbFYKOPB)%a`xH~)XPIn!~;;2qg7x|5?NOpqH#&x^FrxjH<vY*N#
zWV=ySqsKUP>TNfmmQ1WjSIxMY-7h?$sdzX8{aIZ@$ncs#z~GD_bo0^b8gsl}OqaH)
zKz%#6HYK6M{RuU?9v8ETb1<T-woJ`6Kj$-BP&JtCAX<+OhxUF=Lg|N;_$D&xSV)nR
z&W!A~!vhzzR-K!*RSOf+&cWrcu1BLJEIlv0ecUS0`7ubAPOt*vlRSiLSvqGS1#4*q
zb4R`N@Cm}OXln*C`|EWy9V<8=*?XUl#&l{QoeiC2{FxA4)3(7)!j^{RkDl_RZOCx4
z;G6WLd=8w5qu8*F@oSX4BGFje&+vo{p=3b^qMj9>P76PY9h=g+i*|KVN`wYnk(d`L
z(g&dCnIHeqP;0|Wi{DEsjT}nl?LZ@^8w;Z42$j#!%!_I7Gq3aIr@s&{g1k*MJWudO
zCfe;@feDRgyo5C60*}vS!6r0NGl6N3;@d8XNq%!aQpC2k{ip6utmvY%6{4-Ui8df%
zgp9tlJ0^Bue8S^Sb}5RyrqUvYE|kre<;ngm7#3VC5<>V^ot7tbg&pswd*l{{&DB1k
zL?2NSNo6VvJH0!L`GNOt|Ac>^5@hZL&p_tG#*bSXWN~N{u_<%Nk3*Iy9Q6lN+r1FQ
zxhAja;JPR~mv_sa@j<G{sJ-5af&T$+_N|!ch??thZIQzLhS_Pznfr3qo0~e*o%J!!
z(~(y!wNeY?(UQ|Ew>yu^<==I-CAN9(4!%5Sm6K3>u;`D2{P0xmnKrRP<Tb(U7IRe#
z{j(NQW5K=r`2#H(+1VE5S)OLO_IY|nHgUE6@;uIgT^{~wCn38pIR2G<-4wakLtnB<
z3KNb_PF?m#tm<T*)uO6;tADRdyO5iMG-nPeqZw#*E~Hte5pj5m?+}yeYP$D{n2!J4
z)a-IiitL{)%CQ>;oTVvzsFNF4`VoKqUQ<ez=UU-yEFwnd&4A4{M8n6zbb%ZWSubZI
zF$imE<4QeyHYk?L<ZFsUngr=cM8$KrT(@D9UrQ@HzU#@(Tl<@%%FpDkyeM#yj69lw
zzR^R^%2kIs*X3Bc@p;;|IVY<s$3#0`Yr4&>)3;fEsHLSP`jW?&LJJ*-6zS3@hnf;D
zyS&64$EF&PFqX2kd=c^syD@Hw<}Jq{9quMe;l!cY6m$%3LfN}_=txF1mFW~*G}r$4
zOOqxhV;!8fNpK=>IzK6t!TQXu^}Xe@zxZfIaj05Mmr35uo7aJ0r&riheMT)kuH~4V
zjQ9`zYtEh1$9Xc<&feNTkM4wXR0gIKOPbh2qRJbCMfY^w;EToIpiGn`1lt!|7?hJL
zf*W}azlxjHbb%STK?aCn0lQGXxhG=ghV$&y;$`DkKXzY}E_(jUgcu=Q=&Uozo>#+)
zn2&F3B9n~@6Gyjnsl`id?yCF{bM-RZSbHm}T%-s!lGdG?md7s6xI07nF6Is%@EPLB
z_lHBDaX(;ViO|b1bik>o<u`pVwvY;&q`DpMV8RGHTFL+?=4E~P%&r}Mae)RMq~pPY
zh8YZ@--thcb@AG77|lGKe?yCh?O;pwLmljMy^3C)t#sloEYW`PH*y$Ery?go(MP~o
z;^}ubQ3Bct(y+%KDm}X{R)9W^-NeZ%P^(Nk*^K*RCj9vmQST`3IM>16G*m^&QdePC
zczlpgTODHLhS3m$+R5fs>M-G4?Cym&cP<O(sp;f6iImHzCGTFxC0;Eb^~6|ew1<Su
zWt-r~ypY6Ew!#Cb(Kk02aO%_Qic{^WmkG_%EgCBp8e`I_G1@IISu3}jZ*vkjOIgi#
zJDUOSXO>cynhekcyQW)<{DwmofsbqlV_EE^lh0(wQ1JIT+sIt|&Om){Uz#ZF>y4HS
zK48Fp-#I>vaAdbdwbp#b2UJk+VFoL61iC~cIX^ee^rgXb8!LPKukpA~nF%g6B4P`f
zdz$-mw&1xBBS&)Yl33x;@Wr63Qf<=odAsqh{rx+wz)b-uP&6|xmO5IM+*_=yEeLNP
zj$ZJI%66ZVs{yx-l$NLG!Yes{K>o_p2SrK6)!LoY@JZT?GB6`%k45A=f0<AjBa2wb
z<m=*RGs=~`;db2VBW#+=%_1OzMhQd3OUYB2&H@fr7#X>zdmzp`uS#eEtnYt|q2#Gb
zUg-VYDM}g_JDxvhI7j97Va3p7=`*iL9E~_*!EM<#t&Jbo1g*E6X{>vieKdS<l0$>}
zf~F|!hsqJZGLbpzZRirl{6ruwW*?<O5nH9dAms@?QQ4!U9*V$e?tE75o}YD#E`zCT
zf?Z|qU9(iDvM%C!$My6W=~N%R2e=sOsHGU`Y?Fwv2YT)~KD;MkC2e1nouN6y#kup7
zRHiEY={<rMj=Nyab)n#w(JuZ!M#R5_=jh<B6E{vrR^4!gS-}$n(L<s=fstWGDEKvp
zGFYzrL?drsd&tp@7~CzP-L}bSzdF?dyTAR)<BtXUU|2xRs+bI<U1ix3g?j=DP+~?I
zP=T5CV$oukCB09Dt+@xDS~HW&a&od{^}$4y6}r=`$Xvd<J>8TIE7HV{qpU)W1}R7n
zy=484aaN2~%sQ#(TQ(~)J`iL4N@hPK#k+Z`^8SiwqU}N4(TpL+3Gdw=?>j>#o&sxr
zC(B2jyV-J$P1@STRL>2zI$m$Gq(aT0G`->s^)|Q2&rB+mamrn;jv3RP(T4@;1PbhR
zxp<!8DPx1nA<49O(Sgj;%C?yr<A#xy(2zGK>_sd{lR5`hT}_p!qc#>LxI=FSGQ@nN
zDOhFfx!nfKn8qZiEB*=&X+}roInaw5b62f}w|p}^JRhGzvK<V`m}(N@59~r^v{&vv
z@Lh~A0=wcP4H<0csL`w9g_p|er!v#twcNCYw=W*IuIcISo}W%1ZL6>%twB3fPGk@t
zUEW=J{<OT`md71ZPE6B;_%F(Qx6|ud4CM~J*O*pgSRRNBBCa|MNXCm86h6esDr$Nk
z=tI_VCXSI!P|^njb&kxH6vW2HRzxUld98r~KlAg$H8mTbLq+;|Z;Ac=sN6L|ekyp&
zF(CK#4P(U>&-vLT?0DSZNQ8oai)ZE5DkqOS0?s!BckA&sIn%-YJdzdJ6QAxZVA;mM
zkNb5rE3zVVbSkf_9NoKg2k}*RsJbvPJgVHix=i8Qr~88s&-uT6XO{EJeDY5*Ctv!k
z&CmB)Cs*-QNJlt;^VF~Ow%CSCp0g04@f+UZ(dyUMM(55XWUP6}8-=%B*Ez-)7du-U
zqU2(l?~FG;7YbNhL2W4?PqBO)OVw?0{0vezY3AlS%v}`=)fF4FMeSxR7Z3lsug7U+
zS139aI}J3kg~?tkjPFGWVzDQiWI|{OqGoe+?(rfRdS!Z3t^{2B^UUBJ(YtD=kYjhs
zc(a*vBx_<&<82e}H+pB&Vg_|Nj@Dw{LG^3Kfntz~MA+Nr$A3Equeems!!uY+eZSHV
ztcVVTMN^<fi`1MXU)!l+u{K|K{Q6P3n`x8DbJEfD8{!XeB`;eKve7HXE5+AoFWI`b
z_-UggqdfeCn<snB+tmO5=s7+`?BLVO^BA`I8#fH;n;B%l4Gd>mj0$RAn`jkT)0tUw
zu$F=|dR(57mm1k@yxnVip{4xI?~E*QA5M=Di@VbpHR`UsVu?*ZNOh|IKK``n>49HY
zikC*D=7(t5n=1<kMCzJc54*;c#(SvxsKR>0#=64VSuYUMrH(4-&QYT!KjB}&B&NeU
zj=#9sTT#8{mmSMkONyOcSs`8ZYIgp-E3z1&O*{A*(iPn6OOxarui!d>FHCa`Ke;GM
z$lH9sQrAD;I$W5l)%7KY&Zwb>&5_)C+1tKPXcK7u1*A{atmHa{nT$uqFXWaE_4{po
zpNOC&_5EV}?h@%_zmMW7Vokg;Q<jb^KQfq*Xv|<Ir_I#&r8WizBoG34Z1^VK&~qA9
zMHqit;d=~-hqmLvk(}#foc8*)6!1!lW(w|}58CHm(w%!9CqymgK8#pz{mNoVpyzXC
zW<^3Ki7ov(s>g(}FXBH$h2<?$!E7>u^439)%j`wJA}U2*MHq6p>SUAi^r@@pz{0zp
zh7R4Osq5XT><^8yANWYYg!=f;rzQunV9G7UkE=?BN#6+UIvw8n%Oz4|00XlI8OcX8
zI#NhN&k@?aTk@qDIK0;7*r>7lwwjp;yFN`)MQ|FCkjLx`&9<3OubRnG85MPJvpt>E
zaDgD(T(Cxuyo7xG%OKzP>c3Gb>a)(3VAVR+a}TXNN>c0BnNexUbLr(Wdso|<_1M)%
z3ZB~I`S_u}&ovue>10neJrA9A8BG$q>t|3(I1~5Ffx5#DN_!Q2Di%`Mp{pwVmlGB@
zlDx8Vb!OTuc=o{>v8SARHu9W1CC<{Rv8S%ssgKy2H4PXbgy^{-Z=X;p*FJE7cB{Hb
z!(RXuU^or^Zkf`AYO6$)nyuJI$*0^fgOMILJF3rg6Et2v#7TE_-w;*l@Y7K0;u*>&
zM&LYY$!m6FZV;6~oG0p^zW>hA3_Y`lBUS0tBv%_lV>>3{qWB&g4taH%V_?ek$*O{(
zyJR3AV9b5&|Mvno<;JX8V!?Ri2T5{(+Z4q0>$X4H5Bf#clylSaoW>vO+ie!Kl##2o
zQ+wVm860a?&Bsj~v6O<-a^3s7E=d$u&z8(e))8AhbFLPmo+A$kM7tjdxUN-)dYF-D
zj}Eq42tI*$uSi@plQ+W^i=ASA3FYw-nu@0B0w!|^b;7zRJ}848Yz&1SX)Yyt<nIn(
zUtre<pYxq{nAwotqV6|c3^Rsy!sH(KgD#6oVc}I5xIDd+MV<4BXE#1SbY5(%A5xX7
zm%8+eaa9!Dr#_7iJ{!I!3b3AHM>m&dBzsj1^FZd7#!xjM)xz?djp-Wi<I077XX3QS
za*6Q#MYcelQRU4`w0z0*T)*sW>xDbc@k(=4@g(PFE-wG)%)xkFbDm)#o*?zFV>?F%
zy>Zx5s_B3V-Sfp4ql7|)53^Ea8`@m#$xv@Ir96pzZUs;$Bi7Hp+WH%AzDuM9#j{2<
zkGqK}v5Y2b{EDrimR|)0@y&bUdhf%)E)J`5#pnw1{@b@*{YKfc4ZHbCco^RLV6Kpe
zD1kF$GUBS#_s6IA{k`yg>o{1$Gqxx4J46ZN&D_u^wTknQ=N9+EC&X;`TSUxu;w%EV
z))Kb1>RC)@*&in?nHm#K;L`(btVrT{Hpl}PH*~rVlrd|eq`bP^;|XmBeW2%+f4TE|
z@IkdH99K?oYGhOkqn6(rGyMgSM0q>HBgoS>u(fc??v&BAv#yx91Ln2+t<^VMT|@Lp
zSLE6^w!Iz-_zJ5WU%aKlPF^i^LiOJjN@gzz=Zoiki~6d7<HBU3vvYf+sm01FIA%gj
z2NV1%yHAU8J7~UD0{Sz59n6<u`%&eqe969r6_u4A{l2%D4(;HHuI-%O&5gA+C%M%R
z<`p79L^$Dflz%dOBhf#u;^hb8H|$@w)|(DobJh2ZNWUUepncwN>w<~)5@=ao<nUHs
zLQ8|vy68;i(Q&kxhH>KT(aat^3}S>W>(PYd20*FH{jXSC5@Mqt0wbaH-`n>Rx?g_#
z$I@Vx&zi?MzvT|@gwdIuS%+0$YL9ena|HbOdcQPaIrZEe$WvVOn=6}08UT`q!vjZS
zmKUfAPSw)&8$LB_J{1bz?kjw_KD+<$&rP2|0PE-}fjFG;$cByQDF^E1s^sd-`-R4g
zQOj+H=V-)n+h*tH(6A`^qz=SP_i<~I)JbIIK$gQ%z^i3R-8qdPt!U2qf1}QaNe+EL
zr1qQWq<49OUe>|E3eUB=5+TCYOwE?v+KlNo8`Ukr$$9l4_~B3ccMQn;UM3`2?QLkr
zOm|GHZKwKyHQ@=62ZuW(juPFkw%?^pv&SCRyK+;M(C{9NlB6~Y?LdbT<flQ;;la&~
zn(d9(64mS7`SUv%k0dtVrKylum;?k)hv(j=iB|NQ2Ari9uhjAR|3vBrkAJHrop8{Q
zf?l|5v5<adlfjN06=~_^YH?%8R6hu(cj7~NoY>I4Ec~}Hf@xl^xTvaB+Xep}Z+cYK
zYA3jSVM#;s?9lXI#2L@OUZ&`1YK%F<C7OD-H;1?9ww4sOUDv+8J-6V$y%rF#1_X{>
z6}a&uW5ZWbC(^jnN)|cmFoJwA!q0Dj?JT<qNRCL0X1ejlTL@&Aj6XVS*K4=xSg1ao
zp1)Jj2oun-lm5Io<w|Tr1mvAncgpG4;7o{)Jrw3_D}BR9=zre}&bc{jtuWw3J*4pM
zu0X=#o#lnw&5zcBT(LjpEhhWSNu-gS^yi(rvh&c+(oZk~w!Gk^zFib1{6nYJIq?Xd
z+T!m-U(tl1mZ%b2<DpiSA+$<lv?f{UEdCFC&x<rh04hp>5W|1h!cy8;AbBIZW<48L
ziu2c0BVr+`0xS2_<Fs72>u%Vhl3ISCta?6T$7wUP?L-bIH2t()pVD@I{~MG_5p)Po
zxP5L_r&CtBJwEAeaHXkCTy&zzM&jE=WlZ=~6{U{UbE9(M!)&&lrQ60Q;k@J!eaDxo
zqOhU_kZjum)_){UbVmmMZZ7?|Ij4Y%jqmLN)h9OEw|}&Idd`2u45>`-!;jwZCT3I;
zGpg|U%N4aE0pD8&ccj<vH;lq%s(viC{KQpjk^xJS8;GcH>NG-CKxQv-FyIH!(hl(d
zTF>H{U$xpl4-Q+++RRvJlHY0{X0GR(T`gvcoN(23-%syj9|X?ULT2UB3=X<zF5D1I
z&jT}*>ZJcQ+s-e+)<<)}5<)DC$5}}c=X#s_R92ir%;h=YK{_X@9`*u~p|b_^&Ji`@
z{Q_c$xvi~*ZU34Fx&mv73%(g;H|K}9=7v2M024zjf|ua`HPm!=$bZ9uv0JkGYuM%r
zMhimdbe~#ZRv$stWa=KytU@(Vk~jO3#aEtW(Pa>OhZd`pW`BZiExsM#q9jYD$W(MI
z!DYfh_TWqt5e_vp)XNqVJged62fYgka2N)u^26PSB}IpdEG%Wo8todG{Cc$@ozeXR
z4d)5{UYFPa!hYqz^QD2^X?7@Jd-MJrPl4;&{2(d03tYk~MA$34{CMYb&xIl3O_7>T
z#xF?$Ti+q~A#$7Zy)|1a9h4a7=HGSbjHAq_w!v-LUQ^T~3S}z%s8cw4PG46FTHqn2
zcJOC0?bY~>iwn0ec5d#77F7|nZW)oKqm)*xcXw75=Yhh=m6J%+Y_YJIOQjXH^GE;P
zu$%htU_o7{%m0JiUiHwW$*YlagysC+dGo-RKf1PSu&VSkP6|=ou-LMVftt;M&0-Qo
zSdN<aBSHrxe%Wp^A|Wvf-*F0ku^)+FNpFPlGerF;3(|M&ayKVICI4(#<n5m;`a%v&
zBdEU24j~9x-_EOr;Bb9<a;!+~J3qMb_m&T6xkOGwB<f!7DWijd&eIzWZTbL9|Fzwv
zcNN!5Wi8o=Nw8$!MYua6ABeUJZ|1jp7Y26igqj<%0pDXW)s*}xk*&`n$Cb6eJNZn1
zjRx|R%RB#40UXrg`3CM5|Mjlq`I^<<fX!Yi?`LQ&X1TwVI`qehpKth#aR*qlB0zTM
zMy_`0V;KSLx`&USd#+R0qwig34%L$MtY4a56#ts^U03FWRg6ibi;T3#{*!ag^hmD8
zd5`}tqXX9$;Bb&~QBiN;W47pV9oxlCaP53*+!0b$-^UX+0-S7#j-=xG<gKaXo7CvS
zY?FY^6|T`K(rpExR=R4cX<mF?Xf7wE786W%8mOxC{|S>mUDyX0M}rqpQe$exhn~SF
zoFm_8nob_lKgTmk8{iu4H<qIyS$&@aX&H!ER*r93n7nu}Sh&n|PNmWOB&dQde3AJN
z4)|2U_%dL7OIWT=c(WpMi(pE!hvM^zu{?z4{EUniVk`d~eth$5L_lRgOSAKOe{Xfk
z#)!h!NGhar;h4e?>WMW|Q!pyAVAY|<^TW9v)1n%;bF-JB)HG?j+zw9%_wQom^scLO
ztKX*4=Q7lK@I8#a>;3l+oj4vCuU9JReHkk+=sY*&w)mv;jO*yr()5plz;J?L3;%!D
zBM#rC%uFq8%`dDDXoQvN^q@4P@KyL~Fct#2nNY0XoVETi;M*a6DWVEBU|BW5je%PH
zraz*&s!o2#e#(aIn9mG(nL2njM+<$kP#T)%`f%QlZ1HxK$*D*U@{LtcCO!}@f#v33
zxP3>j>x)a3_9mg(%W{^MZ<{ylv7!`=|F0^$It}TZ&U8z($xbl1Todo?4UA0sY{s(s
zvC{2j&28NS=y1gEIY%>i(lm?H9D~Va6@Tv7>Q1nhIHyMCZs~EcD0C{}_23jHI%T}A
zO6c^BIiIlV0u5a?5AUfdk8h?S>c<HK7)1~z6u<q_)^vWl&o?bF?{G@$=({K+ZAKEK
zpBFf?|8*-<!(VnnSJY|;$l90;HiNW7!A6s&f1ybB#yijIA|L7lmaJO1m9XFT#_;eC
z9=estR0lRuVZQUjk84s6-}5*<etLYhouyj4sv#8?rKs0uXga#7FM|I=d`|KRAEtM4
zSk;og`=U))W^?+d#eN<bNDyvH=1BZri($=c-9bmU5c~a?5{75DR!q0uy<KiL>v_+Y
zO@t@?7Q2e`79w7M79AXIIu-1yDYv3~Ly9PgyDpIIy9VY4c*Yh!=+v2yvRJPd@xLU_
zCt^yQ0Ud<B`4e)n?HqT%OPqD^7W+<t3KhDX>a(V%xhsxQ{=8!=X+tCASUujStE3nT
zMl+bbAkO9Zi9$UTUr~aXl9VJ;kOP2n2D!@rMo}L`?<Q~mn9x!BvWRE9J6z^!z4nGt
z^Lov)FUTjTnp-IFW@EhKC0G2{r!)h+-#gzFMbrw)VT5Y{CaBJS^ykn;hMzBW@tRZ<
zt!<oA(ut{oFhBCRZVXzm%_o`~?a&itsN8XkWa+O%>0P;R$sD~pF)2d^jdt`*o*Qp<
zBjUpTjAn0z?neb_H{V?UbpJ#xHDF_4cnFZ`5Qj$WY9Yt2vmzBX`r41Dp_0y9!ig%M
zAdH8pO!5c+vh;B~mg?+#H7XP4a2|QN<A>^SUU+_qXyj<!NFKR`Qq?p+n6{s9LLV``
zI7)su%_YG>_C`DLWmBBo=m7QN4IJDutv_99>3u~3jL-JwT1He^bR@SaWM)dx^m{XR
zd}s1lHWM=biTa4n3D6t-_FRCh<rU)5EHP_={2j2r33}d>(lz>!kUB^WaI<ryS>Y;F
z)9_mLT2<;w*8<z0RstBdUQbgnR!Hfgj>NIpI3q;<*~3q+{^=9oJ3hhO=$e!vgX)I2
z>GGU@MEGlUS{YlmBqd`3^G2nDQg6(y$fmR&X66P5(qkbIy_*%RK}eyu&6s`~oiIfK
z2gEi0&4B5mXwfGz>ymOs8k*Gz%~uGK8H{s8zw`^!pC|l-#Lm8b4`V=@_;6}2E8|?o
z=k)}aih8b_YHsfn+4LW;cc|C#Qy(NRl_67Q#t`WVQ2J1O^-j3M{-1E?j$)!>bCUN&
zqGx*gsHXh)(T-2cp+H)GNnt^LeKK{bYKM)v)-0HR=hUB>wHKJ3FC3XUg+vqaJeZgm
zb#Vr=OO5<JmERW+o#40$Z{cA<rxd@tFLXJF^X#zB$5i!c7hl?pp@I2z@BbL<-)P)v
zoGQOI=&Hw>m~Qm<rXNk`PU@_gAw8t*Ahbd2WWSQ+(H%gGE;(fV^Ly{SirIk!$ZUNn
z%<=jxHo?u1XjBp(d`7v!tCK`{JKfD>_?E!|`wmhE7rw}u%Fl2U>fR#igw8=cO7~R+
zFYWZvSNuQL=C`{t`{v+YJ*R-e_L?U^D+m56I^SB_F&(N;74mt*$r&x!Y_DKZboO~^
z>o-KN+tCX~bjqph53+qkE)$R)rKE#hw#-QmH;-62<wV=F%GWk=vG|;$GL5|9|M}9B
zd{5XO)Bp!rF}$@}s;ZfVXsfH)30qKg^V@6NTc+D)t$((+os{~0XJM5l+nhTYtSo#|
z9@#hNnLD<paU4eEl(jn-c9yGHTv@S~F}0(6Ubu#0yONbAoDbr}+uqTXu;+iqN9W(G
zpO=dimZK99=dE#_Kz_rx<j!3DtK{vh4t_v>-4#@aq%GuTbM#d7RpezVNCY3`_o18n
zVx(sif)E8<2{y?o*q1$x6^~P8ueWfl4ti98Y*6f{l@(AT{VNXppBxAG&MB0;q$)Lb
z$`TTXXJW)7{jPL?tNWr@R7(2(xMj*E4q86M7qyFaO<=GyvcHb!Gw6wMBCbpQ&uRF1
zd44X$P6+>$i(o<Xc$^Q--PPHrK^_`(#dx2x@}XMbbBGVfIVolP$R_%NQ(f21W_}EL
z1>#isSLJIV4Z+&~eaz3pir$IELH_T@87j9vWxwt!Byvj)aU?^OS;P*bE5vd_SR_C1
zaZ#MIj`!MUvtg27un?yMHaAUkhS_w6I@(v#2n}`)(OP_ap5UwU`0sR=^A{fi{ea`-
zhrPvz`SO)>B?m}OlJ(vC`W2%-#mvfvip1?<YcryPr;vX%6Tq5S9->B)sog#N{i#!$
z^ycGu3fb8vQgaMoRp#bZgT2<`ue@k(EeV8)>>d3Km}B)DDUKB~{iBr*JtK!o@$)c{
zw`O^7`vc9Ae8r^Yroc#HXLlj7$imQ0mKJ3G*1h(6?$0#IQ$YfXNpHjfdY3n%G$n$2
z{PBnHbx-phL;8<r_jBmQYJAt8k4kS9xJ*ztOkF|RHZizxmBVKiZCRn8s#x{VzWr#>
zv<F`YI82^P<(Jg(Qzejil%{Z)bb<0Q{+27KnhvSwRumUz<@6{gB}dK}6+$B_yuN&T
zjVI_1j56GNd!M*+J4)q6&kRPnm6mTI+H8S~U`9CoOV0fn9w0LO2kJL4idu#)S58}b
z(Z<X=cQ)N+A{Vr7*sm0eBBqPeQI^4jv~fBWJe5)9lXH{=`~&BZsJsZJe?Gq*0)$0d
zbWjAI$yMO_D9@D53G12E?_Z{?oI}zaq0l(A<k(pYjd)luIJ$74X7I%9XVmsT=gk3F
z4F@n#=#jIGH_br3yHjes+jOYyP&b;O7i^0DqnP$`LeRt<Wu4dX$;9(a(;I@M?51>=
zo*^%g$wbB+{pVaWXKfSuwfD0=o5-#rCBt!jy?iJn@wobQ^D)pb#gHO~l}jki%e6EH
zu`xf%=(9!t1W*^gJaYI?tN9;-4?Vd3v^+kK`3Pe9T8tW4BHAkQu~qRi7j|z`Szl4(
zb5$eROZ`?S_#9q~`$%Eg!>y$7hvYK2pB&{|;QsgR@Y0lO>dWQr^LZVuKIbTmN~YDX
z9A+sCAT!&Q3v}v1j5l^#J}vL}w|stq7y*^!aZt47nz*`J+And9O<r&=n+e{}xYn;H
zcP7kv`uW<I{v8xp{q1w;CETT7bG)?I|6g5K9uL+2_iv?JO39K!A!}mD7Ru6M9n6Gm
zqa<rg7$z|zT%}~sj2VnUVT^4EGg-1_XDr!9WQi=<GqxmpPWO54?^l<{U-OUiI_G;n
z=d-=v@6U$?bIf<O*WzX86(N92J|+%wQ%}lcgWu;d)!IApzUv2FG<AS$wPjX~DxL^n
z{1w@SY;nh9i!;{)j;tB~i9P>U7bpGzv5(d=4QrV@1{s!Y7!I7J6hBA_+(z9ypZ1G$
z`}?Pm*2iXvl)<05%*z6{E>?ibi6Zq~9y~`{4#uu;6PIV35ljYP<KWR7kPJsImvEd=
zg)MAk-K0FXu#6hjiYAys;wG;Ed^&>0b}hT+p#PV*2kgb||7}9Y;t#3;fZv-pK8sh=
z9$z+6=^Zzj7RXJ8pbSO#W!oRtjbr>IP&&Y9meg1oP@d<ZRRlAcNBKmU<0AFx1nP(s
zUj9#mM>K~E6B|FPqxCOkz~c}7YydjR|J}v<zfkkHCkqO#rps29`+Z+(1Wpp*U+7~&
zj%R6Fyu3^pF9dcx@xIJymGw9QbyB+&5_?{k<xX2CXE-%9Z48)qa%mLE4CRw{08E!P
zgJSz*<%zzl9CwdHNFL7<3}WgCm3LQj9LJ1AYhBVmVjP1dTSP{=l{~wif%X`Niv=3d
z9~HJtP6BuB4G37EYXA;840KwY?Ij#9{L6-;PX>{b(XQ(N{HtO2#>VLl$7njP)rInK
za?OK}rjSF0e&fu!nKyX{W=|9&N@pTBMSCBu6%rK_<J~?v^vK8@EvqkX07j}*kY+x0
zV`ql_*KehFTjsX@Y)t-F(WrKn1#=G#q|m^E-K7}`TULpjKvSDei~)hln_zU~gQro1
zwrKY$0)yZ;I^KJHEi6&>N?$9X6>*OJrh*SL@tFt_4TV%CGs_%H<fZ=Z68&>^#2eP@
zI?CG*MR*}ys+nRA%B-@VMDC?5og&1C$P?4Q>IW9fhY!fD+&0GENsd`D*Hu9UPgbSy
zg#u09#y3#St@}PdwzqDz1nh((*;&)2GbECI?R=)%lZF&J)UG}LvfurvBvCQ?1#PCF
z!R1UIZdBCYsQ;*B#R=5aTT*ru@*0&fF)?B0R(LmG6fk2-P|H%xQ)}}OZ>gN-M=$Gv
z5z*>b@_tz!@_#XqC>z9JBbQ_4H^jn|3HLC~@@b)#TRDz3*CmsINro1f1Tk;?*BDMR
z%g`aIt`vO*!~ns(%@$hwg?h9mYxM^2Zp_#qJ$ABmY-%W|@U}^Qc~)nx*dJEVPHX~H
zo$M%nsF_Wot;B`V?piq{<=bNPb6N7HdF#acQj#}NNPdXgou>&DPuixEm~xx<(*sTM
zhR#v3n4>y5pI!aEl7WrlWYl$&DUuI>6q$&5GjwvVb+^pAdP$G`!MJ#k{Fzdx@~ct&
z{RXSo4r&?92=`wlC=x_4I>ywN=|VkzS`;@D3ts|0&hTOfwMaIbcE@@SxrbgdQVNGh
zspG8j%D>sb&#&+!^(UvrOt+UW6mHVUJYg_TWjNi%Xr4IH-9;n!MMll*sc7@-==Wpy
z@mrZFI~VcQapwJ5^7<$M)=MIe?6{sSKTA30Vw+D7c$V?ro8tBy7mEAD%>JNLKN34C
zI{S5vIXUn-BFtq?jW(c{liP01HagBR=D+g+AF%ow)lw?;Vzv$8_-+)tX%Si#<n2`y
zjI}WF$(ELonmrd@0GE9r-Qc<;OvIP1#-I2%<Sv9j?*-LJ`t8pTp67mZu{fR(Z2G5@
z(pwmRW?W~wl^#^1SzU<8&@f}{<g@4MR>S#hX8mGKV0mHWPRfbZRWR*9NpnO7&HnIV
z38RJBx2}n&Vy4GQDX7T&mI!f>fUHh%_dv1e?7zY8KUf$d&!2SX<X4v6rkeLVu6neb
zh+8b4t63K8dfRj;FZ(0_+|aY|@#qFfjiiZBJkL^t{)U3``J5nJ@4N3GbxO)Ez6ysW
z+%l4H2KM(Np)s@n4h?_o1vuAqM7BCbW=wZH&)UI6N=}xpzxF9gBMb5-F9PK3W3^NU
z&AJqCsHOvj%s3vVU8R45A26NG%VRxHvG#*ChMgW&T<<B_l|1V36pJ$y@xLmWJe~qd
zDWLi?IiCn8JNAU0J}BYw2?kCOPk*|9D*d6A5QSN#dX;TdaYiv=rzjK=zye(9{sH+9
zl62C_4?=L)gOjTufzzO6*DOv=S)Ro$1iJ)WIN#~r;TP*$&u(_PM|Ej1zNwu7yx6nZ
z-%!WD-Q<+P3jn+^Dbri+&GMOM%{rALQLQs)k4J>*C7&83=BDB!QC1MVWmsMikayYb
zN;Y+cW`(a@%BFp@!aR)&6*Jg3bwMGeC`9sgk7D_RU9n4S_f(c6Wxz6DMy`w7K#C)l
z*BXElBpTFyNxA;_XV9{Ut<n)_42)ft{>D<oG*dJ~KSLhUfy>pdItRo60M9>K=JXyv
z5bs^B^pd-+9BA@+ySDDsGpeWu0e$YUu9-e6{(fQ0mZD(Vsy8h0J`$k$I`h6(beTBQ
zBR$B;pCpo;`?xs)=wFFJ!c=!To+~dNf^VfixsF%0+5evJ4VJUj@4a=D<hkb5Pt=MF
zfYjO7O5**#eypB}Z}a2zmdSEMiD1)?X;09Ouli#-t0kb*U{dvdWZ>mEObCtd&_+1-
z45Bh8RP-pkb(r2H08#Qg9+b5IIuy|f7g^F0wJJ?kQwcU*QQV!ECtoY6n=jU7SSf^K
z9JjuyK+h5<c<Gr(lea3*Ek$dT;^@W6|8N1Ucp+BjtopCe8oxAW4APEhn-sf-z#Wx)
zTT>zqj4FP^+wU?HW#bq?Y?qX$!!3{2ET0(O1Sz^k*3#csB%9h84sY7D0`#+iGOtH>
z2h756F!xGN;CaGhZ!_frK>%~=2#}}~kL^Z?6MZF{<+s}Fzt%+zJ4e4A@q$w_Em0&9
zO~MRX_fKX5H9z(e=_d1=MC4!6Q(wS;h&Y)XDr5?AKn#d{$X%p4k1s3MN^b54&2)}6
z2!9Hdn08AKhJ}CSCeMxb6qOi);Cp(C+-L95VTM+A7VW@@Mt}L%ojgYs!M%kpz7(VD
zQE1THbmOj5PZ<~Qy49FGRbrJmlG(2}D|~z^X~ba7`<zIR;hCE0@9oc@?ermO2k+K2
zCvM(+Vj8x2gQ>q3;mQdSLr_w%IMo{pUc+bB%JTsOUk0X($M&pVpMve;v=7Dtq&{~H
z=M?v)BJec0(G$#yPl)xWB|b5wc$VPR)4id$)3SVzl&!CnF`a~Kr@2SKxvak>JwM}{
zWyt0JT74wz@V*`fkGi@3Eq(ZWJUANjNhJV0R9_z(VCIL4EQ7BG8w|_H%jD#g16+GH
zr?BHdkPDUDHONufBq-8tt_tI-v8r#1Fg~ugN5Yf&^SNRmF>*HFokW)Px)Db2Vj0j6
zH@0C$lXtJ6_+u8WNx+?pU_x<yKa=KzyNXbRQcO<77?}&xIhpzx>X^Z&)U8CFXX3NL
zNH(XZSXzl#3V8a4yS#9+&d^h(51&IN=WV<CjzQ8OA*h{iU`qEgfX^MI2=pFM58Hd(
zPW=rI?lPA3onSU0mLDDkkK8&tnu#C1A!ST|q~i{0$>6XuWQeDE$J)3g;g@3jfP!n-
zE@Ee%bT8zx0YJ^~tmjlS7Iq3HoW<qn%hBT^+V5r84-6`*2?x4%HP3z(Q2*<5389o8
zf}QF@L(dRX(|LE=+IxXL{fcVyLWKQ_CLgu99;90&h?M9wP?ElK+ouD(b5H2&cbvty
zj+js~y5xi8fuP7qZulE<{_S~#mW2Qkv&ju}*>t_lm!t<Iu`hRx>J09P|H$3)cPMvM
zYpc=6LTUNEExoC0?&FhirXj3##Rp)Bt|aUl>0wW?5w6n_FHF2pT3}vr^#(p8x?^qz
z5#EMq;U5W4ci48Xe9v4_X1Aqpnu{#ME-(VNb8;jD5|&~|bX90X7W<tp^n>vA3rA!f
z!Fc82+HS^s%DTfv12xK-7I0Oe)Hg#VXBEH-ql0_u>sQ1;ZFG!U8atiGL{jF~g$baV
zPJ=$)`0bJZH)vfG>QXG{nb*rQ&0#45&*V9F(?;GATR-QLC8H9xbNtI3pPEtyjJcpO
z5viSy_lMu2<$9&>07RjSDS~^o{zX{>zLk?kF93@`3d$etfKuz+O0jw#lCnn^x9}><
zmPTr33Ph?<Ih%yhm-Ih`qgNA)Bo_&=Pha3?EIO*M0y+KeR9zAR<9MIub+IE_E7a2J
zDibZ4SO{-+uLWlo$P@9$ppLDhn2XTCrXzSvGhH}L;A)!y<1&gfmq)P1Wnmg|dS?Ln
z&I%wkTQ!ns6*Gh0Fb#c<E9M`d(_X?7juf)EG)~N$<BgK;++8MM>)(+M*x~rt;@HF>
z_~}7Y&$NfP!?{MsV<vaa61DtPdb6vU3nDh!7+2s`_ZjpVw_lQo>XbOyj_BH(@2HNd
z!0Ncy?Ncotxe>-Os>n=_KfE(jv|#}-Cj7RM!D5qCT#jmdr<ixAG})>q>(4H!+Xj8E
z-XR8pQO^7{ZiV1(7`f)+&hX!T4B);xh<0kl4WIU9hZPkP%D<vNox2tFz39R^HyH@U
ziU&OuNWNk1rFANFy-Awd27nQBl52MTHeRTcWVFpS9Ok%Vz#BK5cyL{fEw(TbCwf*Z
z4}{`RRJ+!<?=9EuiNQja>jKZkn}6ypYIoIJ09RVz=CEGSnq3mD!tYOz_QBp>?2qHQ
zP3iG?@DzKTYNl*C@V5Ml?3>I3T9vP9f!GMvQN=Ot_<cK1Dfy?4=$XN*2c4K>3L(Mb
zKIpL|uE#5?UQs5#Po7}K-N)-}u-OdxH;mS^iwOAX3Cerm#)^e@6Qw3zrldpYCt-HV
zu&Y4s@Of<Ph311W$uYMU&rbiIK|`}gpw3!J%!EUb0lzzk5#AxJDc=j!?<>{k3QSWk
z7W%aF+xj2^xD<y=$*^cq*(Fjspt8XBP`8be;gX*sS^&|3V||=DUG(+jAqkiI@-8K#
z1!@baRA}5AQ~&_##?Ase1KI}1E3^vj85w^|8-2#5GX1BMU1y134{#GSx!Zh_6c6Ww
zB%kR%D&l;|#atHC%*|`hD#m*AQKZ8aU|Mjc+sU2j-Fu!rl0;#4Fueax4_vFkrPqq4
zGphbba<P-%T3DC_)F>>OabqOjSA^KG+<y56jGg&DB)~tv)vz;tc&&XI&X@e)qu5Yu
zKS>PNl5Y(Pblt+VSPEmB`ME;7nV0<bTp*{*3@A%_l;HIhr~aC}Y070Z5UIsZR*fy)
zMJ)x|3)4@Ma9|AHNq8G82A!6JId*5huh1~9RUoE2bX~}ERE!)z(ACUk$zDeR711+!
zo*icL3bfb!X?K>-nWAJygf6`VGYcm@BysVbBNpmm*4iF(W|^)`KC8@kwC>H*R?%*j
z-&u43oCXqtIl$7JY+1}`r;$5Jv^ZBUn-3PW6?cgKEw_RJu8-hu-1c0k_~KU6o!5WF
z*>`^j`ihPX|1>!M+hTgHZ#&H<k>gC&q0e+Xh;^J&=Uo`H^8$(3C`qKvPiL;*07lf7
zep>Z7N5WWioVbN#$@GdUOozf7%o?5`_>59^_2SjDqYmmz0imaTlSR+P>#V)#vI~nH
zyfs)A_`?+f6$AO^JoejIy)T4+))LZd_e1!=O}ZD8k03%64&GfwLjn%?K$a>8J;ah%
zJK-xQv_}fs&1q<!lEvNe4qzUfx5-b(Ye17n6OjgfUeav|01amH-2~rGqrGqt5D}10
z@tF~vLKC08Yqkf6q;6S>3}Gk6#rC@F1(zl68&$kIr-c^RR!G*VOVdA(I!2S02=2ZR
zaQT?n4&M!MF=cDBbO&Q=^m1gDVH}Qo@Y^HHAeuBe{DvFPU-qbzAgn&}(t)E+_q!2C
z9_{y~UN3y#I|HJuGy4{Y-Y6SwQat>n5Q=O&#Zf=;?Q{g+nfS>$%^AH^Ku~OVHb1Lg
zMBxQBBGdn=>3w^Xv!~zZr1F<J4VMS#^F`oG(05!P93Aa3!0lQPR?`uDr%^dg&9i>I
zkhHOtZ|+mxYSUCbb_pp8IKZDfqDd|JB^3=ZHaYQ<esY(iW3{YlUOs3r$AI(YH4A{E
zl<fNItTvQPRaTvNToSuyj#uns@|mIfbVrKi3y(pJA4Tl!9o&nq9^i%WosqIW8;NV9
z_dVA~4GruYZ7C^Sl%#Jxbyl$&%V2@+E1jfB2Bp&+0lQU#2Ge%Bvsq4+1AtCYpwzGJ
zrC#7m4r>!bZ9)=zAULVGnV|u($-u2wMl_<YCgb#<AYkkKNxeI-0q3+dP|-#!<ABY7
z1gZn!pk@bIYozaC%L;8Jw(Rb;vr-?ukmg)Dg+v+R=zVXT39zbyhyPmlm-=_|ayv}n
z<2Xwp0zFUbTbqD)&Iv(V=9DeI9$6(Mu2%>^3M1UIyxydpJfdmpb}Bj8)a9K{(*1c!
zZ`2XhjGLFFN$xU-1PkB4i1P%(Ugo7oyQaUkH=bfA#9H#<_T`4+l2xhl(%_326lwnD
zq+1UgxpYhit2Z&JR$#iXlOKDb*yr+wzdR5N&h8ou&VyA}(UG(|)4GBlQ7fgK>9Mgp
zc*}MK*j6}P$K$kQe3!S44|0S1P0W(7r**?IAjSB!Yl@M3hA4kp_Hc_UY8=<q_Ht46
zgu%r&P6%>u#LaHZkVCJO4kJOK!NBO6O54j8rJb39+c8U16)P>p6Lz?Q3DsPI0k}#2
z8WBLWbpD)BV$a`?8+%8Hh>n1^lW^}z`JJ^c`ZKLZcGN^FpdcjB?uZc2*M66EcQSrm
zU)MwhC22+pvKAW0&cmi|c|GJ+;Ds1qoZNRBwhJrqF#^oeQb)u*vq<oUq1i3sG^WS4
zw>B+|H@bz>TvMl;&_jy2E<jYxn0u1z=m>OOvb=U3p8%Xk`Pvne3;LRv&yhU9>JLfD
zx9OL%SG@>hx3bgQ-{2IRX&E<}V{`yJOHJRs{8xHn8XP4}rjJQ@%@gdY5xFL@Mm5a}
zZmJ&z&ZH;2Qp;bxUp8R>75q%yv$^)U6=VegTYlgO+WBB*EINlIWZ`;r2iFalaCdjD
zOP+H9Uwoecr;jJ<$96B^>Myp5)wL-u8#NQfeI8g?Y_3yQa=krhwY^P<i(>waos*8F
z4Q%5PWlQ|#RHZ2sETq5h)FqsLiJ^>hXrHkcrcg5{*F7w^6_Kq^&fK5lR=Czw3CNX+
z*Je3f)JX23*7)6;G1q`g%D*1p;5HgCtjW+Dj!Do`Ur9A{KcGQ+ZiGKYmpiRaa(8%u
zE%szJ0>31jS)LSF4Tu8RxyD+%x6<%D5L9E=8$Ax3nCS!2ff48xS(x})`wyC=yn002
zknOpADXt3UNE@LFUbeY%K4HI-auj~{7z9M!H7N<A1!J}AfqX2?NpVSURolV>JCbEy
z2-=D*gB^;;PgA*@N|%L+lbBBzcfN!TF3W2w+TWDLObCO`>I5|5Nr&naJv)q<jEes)
zV4f>oN#f&uBgz`$$M9-(sR7#?fI7q`#<jCk+8$Lc`2^eQjzMIA^Aqo-ejn}{%hFbK
zaSYm2iEBq>59!l5OGzY)6+p$KtuME0;s8G=5gCR*oxX|!_c6eI?Lj32(cnYm%+H}w
zQpy4}gcDRk?2`-R6et9k8t}5-a_8f`J}3?Bm*Tw!C>HrdDNd8a`-XDYm;2U%7FcW+
zwbS@f<LpQ*oLk|h6#qFs=zXG^VQ@EJu`+yT?g6=0%>_w@ei`nN5!(u!z98L+mF#Kh
z)rkpP!54l5H>anjRgu{wI$)6ldaM?QNM4Z)a;NrDp9MfbjcoSZwUF`!XhugJ#7)-(
zl$7OthB8H5VvJzYN^y!67Wf|R$AmX7s3hD(`sv`~AG+j3h&o9ZmUrG*dvrBlO_umQ
zrXT*W{-UlmcVznPAyRmF)*(nkoZ~<}pfSjYDTL{`Urx+X^e0Ch0fg}`3Yt43!hIIT
zF-UT`D(=S2OZVoCtv+jD$<Dbnz1deX6PR3!x%p3u2Sfpag3_+q=*#&C*Hux%?5l60
zpewJGhEHA7BH)$;l#blCQy3u9?w`+pSwi%X$!)UXfN+2#c4iRwus<&`<gKLw>ipp1
zP9(4yAg%PT7AX*6`&Jt0%u*%(c)tP?Aj|rH{=K@ZCQD3TCoIEs#T`Sw%Su*jXR4U8
zlhr==Y+)SY9#G;;twhc$7uQiD5wJ(+cJ1L+9~|XIy-Q#$pXGRNGEEdSr4*n_<ESBz
z$vq@x>(&pM)@j_gOwJ|=Cwl=jJY#a}uH9pR`9_-q<5Ouj-%MJ{0+T=NA}@U&6?Kb!
z9b<Y>sBNt|viHS$UBpjE=(MXNbghvb<AN0>f>Vqa?mIY{g4~UKt=K(t%o0%k82}}d
zEJLOjN^Mp3`nnETFQAozyCpM=#CN<>+tYguoK$)X6BL_^+M_;LbY^#gqeYyFYyJRJ
zd2uv7A%~fI_oA8K=e6U*T(iQjjlsG2um8VaF|N^{^|<lv;IwQx+e@XhjKZSA>s^>f
z<2H25BE3s9qtu3{u5io9TIlf;HPbi7t#&qdUa18c*EEMy@pbl&$56<;rGRvY>kXdI
zN4eW<!koBQ-C-9vHO-m@YqHiwOLxxIKvc4zpJ1m<$2ZN{NysMO>?9N3+j%<JA1Qew
zffVViORGz9{YC>RP!7SGY3?4YT?TX=4YC<c*UrLqScNLlG@!G`P8Nl6JDGMPIt(XB
zeJ$?iinG04`U;cqVMl-=(hWNi^}niBIX@qVC<)$iR8F$KfL;Ca8kV1NA8(ct3yhWE
zyilQxwE!329|ZVmT;sc{x`F?WNow|@-ft__mne<S^eAXB0!ZE_ZH6?NlSj^a33)}d
zJ~;QO&0aS@8bLss+}uT~|7TEVO%}e_0TqXgg?7$KZ+t1Pux}Cbo^ZRKqjU;%zx+do
zpX*T9k`S?+Yj;d;<sex)Ot{y|TF3#%=(USuTMGmTXlpz(V|FP6Vu?NmwKSgd-SM|>
z8lG7Rlb8jFb})(7U797UKZlCV@VjnBQMY?$7gx~r&-!A<Tp+n8vO=&<<EfXYq%W=$
zOw~$(K(S8U9hFiWRrEOkd;J`DMA0YG)P{^oW5N$Wv*<zSEL*sT-kK}S^ywJ@-gDa(
z-m{e)y|G}c)$k6jb=0Eplp!chs_oSY$h2$>HQVdvqLZoIV5NPjyj8&ML+67{Wl_7J
z&zFTbfUq~8mv?pBp28K1#to=Ye)#bIcxyT%zR$b6YMOfj4zlfQsS&Qtnz*rh)D;WH
z_C4G@l>#Ow5&9lAqXU@+r7pfV&TE6-a~4}DHpIZ4M^^ya<6PwmNj8#5DBYRjA5%FK
z1TY@w0sxH|grof1OiqzVXQ4ke<du<dhVS(cbNeky-bs<9uDt{Q35;ZL%E)CkfB&JA
z6OVwIJgQh_Sijj^UtF~D9epyCbjb%&;Km644_W6w$*k?3y(s{DcL7*O(f_xu{ihW8
z>mloAhitdO7RI4<MA(`K;aZh+x6~baelakk>J%~$1(08T1Odjt!cUc$Iv^cGW_;XP
zu>Qf){`@k=NdKbxa;w6d{J^c*aGkRi2IGsWLi9Lk-dAyh_VrcKs&PHIEBFMhfxfuG
zcY~$0WQYK<3HEbi!2^$~tu@6JKnggh4ye&%=(|iO`m36k>+3ic`e3ngb76aVJFe>c
z#KPSU)ilW&y&h&s_=;t52zw$nQ0DD?&J+d_=D;%%p0>x8EIP|gsp<$NOUUr%L`XTS
zk^~?lUmKL4Lxx5k8UDA&@XuROIUN++yOKEa-6;+Yl#I$K4WJV<zJW1p$rehyR><%H
zbAdsddY%BAC2vs6=5l~ryAHlYN5j}7REbIasjrE3inEz^G8B6NkYGh4>*9jj2mkXD
z{$Yj$U15=tmG#LAlXSd5VyI5z&`RVwjB!4)9TB!*%w;?c%i(J$tdB97%yVU*n>?+h
zKhP5(BC6+i4!8ef?=08nwtFyPI|>n$UxXunnE%v^R?)u;3rrWQZcjqC8Im2YX#y17
z=CBNM-_pO7%|A~7fc(3<Kbz!d<UgE{>i!Y!JMYIcw4&OAbQk;3e2z7C6M&^5pM3w$
z#`A)`ym8EQfvDAOjph5UP79ZXP_y)P=Z0>-gx2>11{Y<who5weqx0=6V;^-6K;8Td
zG>i+LcIVJ<ZJuohCDYbB(7zss9t-1JMTuh)zF<H=I3=#jdtz$F$f3$NWu&5`<Lx?B
z9Q|l%z6$BluviZ%OG)yW)$Txj**LX=023rV^0?0e1G!ccofo3t$|p}J>Q|3=m7_HE
z7jViJ+naUeB^&MPbZK<MfWISadh%wge150OzW@<67z<h>uvP5%G_FWB%i--=hX(2*
z+<pzQ(%bto`t0_?#$To1{ql?2WjXVwE}`v_`T0#^tIPL4q0+aKazn6#<&2o2{r5BW
zxrd+P3oTyLs-Z#>vYkmH_@#(%jn#>beu1JQlfNIjz^%O#fzPTQ$gyL&#z%BDvhLCA
zD25r@MSt=9A+E_jf?rlrAWDnG9T}I@cn1ITi%@dS^W^Ng?DBOr`{@PUjXg!x6%{kF
zN=xJV67z|#_{!ss`XUQ_WOWzBJfhBy8!v11S;Gh2hWcRNE&l=WgCaQ(Zfle^EL^RM
zrkwV$RhM;N+-fzaYpG^eo;(JHb%g6<MIF1YZUh)zq<D_B-b!n*{V{CR5K+1ge$qWy
z!c&p=9@_r#9R1VyR3LBo`u3Oijty2ZZsrZQUmpf<_S4T#J<MPu4=R4|u~KznPp?*<
zLwq^SmDgWgF4Afy)BEkh#1lu@-HpfnTu`sv2a9OUaY~@C;`z=};p@6>#}g#v#W@vz
z#cS~*$2OAOdg6`WSV|=~T^wFq?Nrr?fN!w(4xo##C`Ohw3NQE6C9T;2lh30H+5_og
zI4q)zPlLXFMR(*_YSr}>e(Hn24m_%fucE#@uoY!qu8_N;ChO+WzCF(Vj)Q2S<^3u)
zj?-0NB0Q+E#;@whW97K-joMM`d9wCP4d}&?wc}s&l_yZX$fKdn)}mjxRqHv~67KxR
zc5RjRPA-Dqj<8!CUU53J=<{ZHeImehnU)JY%i%vkE>|k!#(FS{t{B((qU^lBuN&KX
z!=aM{6ELJ^it>_NrKYr|arkYiIQmvDwF775c_CoLGR4|@EM>vq(?hZVWTH*YSpk{9
z#A1}Z-qUY^T$2bq8LKHY*;-r=SNzjUP}e2*ZN%#|k3aTZA3xw9Nm-8u&zAZwqZW(v
z8hwAQhz8B~lD`f0TPrgIwjXBtf0P}O(&U13&b&@`bGS{q7apNWmSdErm_~@$sWu@n
z%0>7M2mg2Lm09RVk#(M7C8>UV96vA*(>6b!KB2##+Hlvqf`bFaU$W};`}CT7G1d6M
zxIWB9*M3pPh89-w^@B>7ICKSBBtBZfky!G_ABWrZwXWQN(0-_Hs+i>tlqKsX6jd=#
zv7=RzW|gV<{YXei51)ZnEVaFqwnVTrF+J?~sW4Gz1~%Z*{PD)RS4Ww8pZomx(BBeF
zIG5$@`n(?Q$=a2wwb5;3E))DItIcHIQX5nyUh$3FBhT9=K2avR;3x8q?({AvdO`HJ
zr`_Ww1nc3D0d_dOCiyX9X0(W*`Iow!*KfoLcm5#bsu1g%v&-lDI=4?Xi#Mkvw6J9}
zkxaKs{2RQ`0H?vO02*5{s9sZokw)%`{N|L%74aYv*v4x$aMzqk{B+ved{_-nS#9}T
zE;xwa8s=NZFIM0ShD*O_{Fb!8lHOx*e!^_Rne+iaEgzR>c(FhArqqP(n9$<>d4Uqp
zl%}JKOQJ>``>ahu?;!trPhZmE5mV%sfNIwSAKDK-1phdf{PfKQ@Yt`^@@l!D;gLSa
z2N>L|7m@UoAwe9nKh+lFoF;Z%?a-9+{3g&l!Xm)=rI877k4RR-<#=kaLH&6zn}lWs
zuLVl0qoab=nEr4gs2>v3^~Mx2yLDiOTkiLIqaAmdazuAyqhLz&n{HspdIK)SnCbjQ
zx1c9`)uyX3xV+;z1um^V{Out+kuK6vnZ9sJ+j2J2(ja<n<7FRTBcs7!56tOOvtT<c
zo75MVtF4Fnfk^i)mmA*f3}h2o)@smN42eN%_c{DR{;9UyJN5O_(6e}9q*g=3*IVUl
zf{mcg8v%KpkngW!&1u7J%;j4s4GJ>Ju3W4sS5$C*IoHR7Xm^_eU-+p^=)P#II_!Ed
zsnPdH+C+%YtkZ0$=QwSceNTUg>-a$N9T@}BX20xmS>bgp(Ze#|qB}l&GD;(FO2}I{
zv=Y|em(~|e4qN>LK?b>ToLu#zKSSxXavYao77-q}#`p@`3&XV=eSIu=p`Z)03p~>|
z4(;C%q|-Yt*~}Gh`OhPh8mzp&XpmDLB_1ypPtE<RHsTfLZ>6aTjHZ<RXzD!Lv`Xi1
z-+ZbmHrF&jcH$59q{uPYS#qM|)Ha{lo?G|I_G^T#-&o4^uFU<lOb9|soCjZUOc2$4
zM(-#z7MMB<O)co)C5xTBXH;Y5yp>6uSgA;7B_ms!It>>~4G07k$-s}XBfe9WWK~U3
zbY7M}7kH1Ey^jp%)XlNas$6-$ZjGo;gS=Q1j3zl?3MIEH@cL#>RpX_v#jSLP1Wi=5
z<q0~JiaIs($;9vIN?rW3J8i1Vm4L?X&-;fY$NH;~7<<rxv-GB1K?n%x?wRXTDRyEu
zv4D7u{?vN8Qd`<>Nk-J^zkVy|1H`s@q+2O;oE7^)m`7(sxzN=yyv8W3w)HHt-$$`S
zY^wWQl!MF1`iY6HX*Ngk&f4m(YjZOA2-Bp^mwI5HucOb?j@-Oi(njcG)9~VQGsA$I
zjlHm(`WYe&QPb_w3bS^DZTpgO-rqTuI$U1@l-Gtmq8qor^Gg;V_CHv)!Io&3<A2mO
z+JDnR59QoUXqs9u?R>Ye2gP6(%`g;7q!~cfQZzTJ8i<ISFxwD<dLtt(ecB?397{5C
zArJB<F2;CVU##qv&zM|r{H}Q)DKh$73r-Eq0$JMhrIbU=sZA{G8-hJFu1n5Yg$<`)
z)8@pXibIU$o=Wz$b)Wv)tXL(6HoW;c0r9G+fKf7U5BF8>=2<)TVY)0Wce4g#K>ixy
zd`md@cN%hp(D|vN$L5eYyR3kNz|am?PrnpN-MNiZlkc*vz)!7#T@n66YYG}oi0sod
zu+*&b(F*w-uQ{UNQFtKo*3DCK2k;|mHVN+smXf>C1A%8U{r5SeU{TGRRx>tBldHp;
z62o=B@*0AWLLYINkr8stO|+J9Q-|=zB6C?!l<qRV-R><DS-Uz_m6Nu1(HaXao^Pdf
z^eMeXd;TqK(OrEs{n6W=zamJ42P&1&vP_pgAz3SZu=A@<Bo>n%Q583ud9nkQ+~hwd
zx4PZ=W!OWN9D`g<HW0-(4W}+^jh$BN%R~vwDf|~0T{-q8z+-7RI`8z)9D}(znko19
z_Zg9kYRUJ5Yu8%{NN8f+&0@8_MhS>)1v^+681kMrpg$bgx-radZbh0<b%hr{G<WZ>
z%`8BTjIv2=ybZV^gq)HT!#>#8p5)U!D?D;CcAyt}*(s<u;04^idyYB0)Us3__z=C2
zFu*PbAHJ*B>1p$QSZ#Q7`1{5dke>yzhBegxmlTX}-769Zof)DxS*9X;9XbY8MMIj@
z2nRbcY`H9<&-9wB=xfQ{Jb7^`6O+&4knhQ{;S*Dd%;hOODQ#`bc;UmhZ6I`aRm$at
z`Wein>Oi>8D;bp3h4c+4T7Jke*Epg2YS{9%Zv{?LeBI=Y1=SzEZk#{fFMQkX*VZ}E
z;drL^!q~Hq!Q2)p5U)#DE7;aJw+(7HMIN!nDZs7<uc?k;+^nvnHlx4A(iRVI@cN~U
zj{E!G2CJ>^eHPnI*?64&T5vJr-8b%4W@%&}yijJ|bTj0|+UmhXWT}sE!M~<^s)(Nd
zwvK{pY+SK+QkduvBX-E`k+g6SZdH}<7PSWjk;UWNJp-9YDo+}|-|RSq)}u*bo9?mA
zWoDZ;PEceGO2*mK@U8qFln>tnC=TryD0x!un_#)=V#w;RR3KabldIWw?ejkNQ1NE=
zQRcp4Tr+0FlJ%gCU5#5st!u&^mkuSFsRqMMHV?-Jl;4K|R9|Iu8=J)8N7B|8Lj*Z(
zBtNRwWezEJdT{16zGJx84f|4%?dz`F2QF``o46J;)C(CGD{_BtT^Vq_A6smo{dff`
zvdlG1`aD%l+DP#VNa(%aVmX=XCKlQwpYZy5DbC7wB+&+A81O?+1tmCB@nq^0g9xYA
zcD2m5>ob}Jr3cvgK%3LVwewTCI=AgTsqLEKXXmS4`Hr0J^eFi(&@r(o!6*AWeijtM
zLLHf!a6XjNbGCzd_OL|wZB%s9B|(q^y=4;nsB6>aVq=A_MlH<#XfW0+)rs^cS`s7B
z`gzmlTvF`bm>W%>2MnT?P0n!`ZLQD%O%x*&F%uok`%jJhzp4+U`1MU&iesLZW(P?<
zF2$fd;cZtzul!%>&oAk2*ew;L+iPsfr%8Fq-g8_`ju<#BAzP%sZ`NqouSn+%-0I3i
z+W>!K(=6$atbPxaNS@eNoduui(%hmrregie{t1i=Nd3XIzprKqjB)$hW}z6*Z|n(M
zDHiIFlN5iQcN(=59sJh)v!xCF!fTA-$LlEhMpLY-jl5C#b8D|33}<`UQr*f$K!c<M
z**tbT;JL@f3x1qFfg@JFxlEG2PenK3`a+swGOEJ_6RTPG9J*E<C%&3%NWKe<su*5t
z@Lkjmu+8Po{~n}j5~jV@@?XsP9oV*R(V7BZ+m0HqpR36CcY0?R*2<Lt?@^1P=>%*q
zjpg}2XJ}wuQ=A<+8#Dc;FSMoU^OshEJY!QjTsL#XT6zZm^4<nP#L(=h5s3-4n2rp0
zb}}>3fc~cotKJ6(13tTX9qB+@9CLE8&Tu}lvE?=I#^Vd<G&dI_4wG3B<q+Stb)anB
z@65O8g{C524y0(Z@oWS^;@3**a%453DlP&BuT$$(E%#*lyOk^JY6yA|*8?_C^l#s#
zG(B265+<DAnFutM3id8$w>E-Vo(tE0n+rS?5aVYSfR}QNC?`|>NP~Tx!Y=I{@{%3p
eMcr%Pf9!DxJ<9{q^+o>y{OM~$wDPXnKKdUW*}`-H

literal 0
HcmV?d00001

diff --git a/modules/cloud-config-container/bindplane/main.tf b/modules/cloud-config-container/bindplane/main.tf
new file mode 100644
index 0000000000..a2a11f8654
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/main.tf
@@ -0,0 +1,48 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cloud_config = templatefile(local.template, merge(var.config_variables, {
+    bindplane_prometheus_image      = var.bindplane_config.bindplane_prometheus_image
+    bindplane_server_image          = var.bindplane_config.bindplane_server_image
+    bindplane_transform_agent_image = var.bindplane_config.bindplane_transform_agent_image
+    files                           = local.files
+    password                        = var.password
+    remote_url                      = var.bindplane_config.remote_url
+    runcmd_pre                      = var.runcmd_pre
+    runcmd_post                     = var.runcmd_post
+    users                           = var.users
+    uuid                            = random_uuid.uuid_secret.result
+  }))
+  files = {
+    for path, attrs in var.files : path => {
+      content = attrs.content,
+      owner   = attrs.owner == null ? var.file_defaults.owner : attrs.owner,
+      permissions = (
+        attrs.permissions == null
+        ? var.file_defaults.permissions
+        : attrs.permissions
+      )
+    }
+  }
+  template = (
+    var.cloud_config == null
+    ? "${path.module}/cloud-config.yaml"
+    : var.cloud_config
+  )
+}
+
+resource "random_uuid" "uuid_secret" {}
diff --git a/modules/cloud-config-container/bindplane/outputs.tf b/modules/cloud-config-container/bindplane/outputs.tf
new file mode 100644
index 0000000000..56e0824296
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_config" {
+  description = "Rendered cloud-config file to be passed as user-data instance metadata."
+  value       = local.cloud_config
+}
diff --git a/modules/cloud-config-container/bindplane/variables.tf b/modules/cloud-config-container/bindplane/variables.tf
new file mode 100644
index 0000000000..39856f4585
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/variables.tf
@@ -0,0 +1,88 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "bindplane_config" {
+  description = "Bindplane configurations."
+  type = object({
+    remote_url                      = optional(string, "localhost")
+    bindplane_server_image          = optional(string, "us-central1-docker.pkg.dev/observiq-containers/bindplane/bindplane-ee:latest")
+    bindplane_transform_agent_image = optional(string, "us-central1-docker.pkg.dev/observiq-containers/bindplane/bindplane-transform-agent:latest")
+    bindplane_prometheus_image      = optional(string, "us-central1-docker.pkg.dev/observiq-containers/bindplane/bindplane-prometheus:1.56.0")
+  })
+  default  = {}
+  nullable = false
+}
+
+variable "cloud_config" {
+  description = "Cloud config template path. If null default will be used."
+  type        = string
+  default     = null
+}
+
+variable "config_variables" {
+  description = "Additional variables used to render the cloud-config and Nginx templates."
+  type        = map(any)
+  default     = {}
+}
+
+variable "file_defaults" {
+  description = "Default owner and permissions for files."
+  type = object({
+    owner       = string
+    permissions = string
+  })
+  default = {
+    owner       = "root"
+    permissions = "0644"
+  }
+}
+
+variable "files" {
+  description = "Map of extra files to create on the instance, path as key. Owner and permissions will use defaults if null."
+  type = map(object({
+    content     = string
+    owner       = string
+    permissions = string
+  }))
+  default = {}
+}
+
+variable "password" {
+  description = "Default admin user password."
+  type        = string
+}
+
+variable "runcmd_post" {
+  description = "Extra commands to run after starting nginx."
+  type        = list(string)
+  default     = []
+}
+
+variable "runcmd_pre" {
+  description = "Extra commands to run before starting nginx."
+  type        = list(string)
+  default     = []
+}
+
+variable "users" {
+  description = "List of additional usernames to be created."
+  type = list(object({
+    username = string,
+    uid      = number,
+  }))
+  default = [
+  ]
+}
diff --git a/modules/cloud-config-container/bindplane/versions.tf b/modules/cloud-config-container/bindplane/versions.tf
new file mode 100644
index 0000000000..bc9986b3c7
--- /dev/null
+++ b/modules/cloud-config-container/bindplane/versions.tf
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+  required_version = ">= 1.7.4"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.26.0, < 6.0.0" # tftest
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = ">= 5.26.0, < 6.0.0" # tftest
+    }
+  }
+}

From a14ed9add2777769d6b1657ff1b6c44637d2e86f Mon Sep 17 00:00:00 2001
From: luigi-bitonti <93377317+luigi-bitonti@users.noreply.github.com>
Date: Tue, 14 May 2024 14:56:10 +0200
Subject: [PATCH 28/29] Cloud function CMEK key support (#2270)

* Added support to kms key

* Updated doc

* Fix variable description.

* Updated README

* Cloud function v2 integration with kms

* Fix variables description

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/cloud-function-v1/README.md    | 47 ++++++++++++++++++++------
 modules/cloud-function-v1/main.tf      | 14 ++++----
 modules/cloud-function-v1/variables.tf | 17 ++++++++++
 modules/cloud-function-v2/README.md    | 23 +++++++------
 modules/cloud-function-v2/main.tf      | 11 +++---
 modules/cloud-function-v2/variables.tf |  6 ++++
 6 files changed, 85 insertions(+), 33 deletions(-)

diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md
index 7099946e2d..ebcf0dd0aa 100644
--- a/modules/cloud-function-v1/README.md
+++ b/modules/cloud-function-v1/README.md
@@ -16,6 +16,7 @@ The GCS object used for deployment uses a hash of the bundle zip contents in its
   - [Private Cloud Build Pool](#private-cloud-build-pool)
   - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
   - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
+  - [Using CMEK to encrypt function resources](#using-cmek-to-encrypt-function-resources)
 - [Variables](#variables)
 - [Outputs](#outputs)
 <!-- END TOC -->
@@ -258,6 +259,28 @@ module "cf-http" {
 }
 # tftest modules=1 resources=2  inventory=secrets.yaml
 ```
+
+### Using CMEK to encrypt function resources
+This encrypt bucket _gcf-sources-*_ with the provided kms key. The repository has to be encrypted with the same kms key.
+
+```hcl
+module "cf-http" {
+  source      = "./fabric/modules/cloud-function-v1"
+  project_id  = "my-project"
+  region      = "europe-west1"
+  name        = "test-cf-http"
+  bucket_name = "test-cf-bundles"
+  bundle_config = {
+    source_dir  = "fabric/assets"
+    output_path = "bundle.zip"
+  }
+  kms_key = "projects/my-project/locations/europe-west1/keyRings/mykeyring/cryptoKeys/mykey"
+  repository_settings = {
+    repository = "projects/my-project/locations/europe-west1/repositories/myrepo"
+  }
+}
+# tftest modules=1 resources=2
+```
 <!-- BEGIN TFDOC -->
 ## Variables
 
@@ -265,9 +288,9 @@ module "cf-http" {
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ |  |
 | [bundle_config](variables.tf#L44) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [name](variables.tf#L109) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L124) | Project id used for all resources. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L129) | Region used for all resources. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L115) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L130) | Project id used for all resources. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L135) | Region used for all resources. | <code>string</code> | ✓ |  |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;  location                  &#61; optional&#40;string&#41;&#10;  lifecycle_delete_age_days &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [build_environment_variables](variables.tf#L32) | A set of key/value environment variable pairs available during build time. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [build_worker_pool](variables.tf#L38) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
@@ -277,14 +300,16 @@ module "cf-http" {
 | [https_security_level](variables.tf#L85) | The security level for the function: Allowed values are SECURE_ALWAYS, SECURE_OPTIONAL. | <code>string</code> |  | <code>null</code> |
 | [iam](variables.tf#L91) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [ingress_settings](variables.tf#L97) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
-| [labels](variables.tf#L103) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [prefix](variables.tf#L114) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
-| [secrets](variables.tf#L134) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_account](variables.tf#L146) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
-| [service_account_create](variables.tf#L152) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
-| [trigger_config](variables.tf#L158) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L168) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector_config](variables.tf#L178) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [kms_key](variables.tf#L103) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository field that was created with the same KMS crypto key. | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L109) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L120) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
+| [repository_settings](variables.tf#L140) | Docker Registry to use for storing the function's Docker images and specific repository. If kms_key is provided, the repository must have already been encrypted with the key. | <code title="object&#40;&#123;&#10;  registry   &#61; optional&#40;string&#41;&#10;  repository &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  registry &#61; &#34;ARTIFACT_REGISTRY&#34;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [secrets](variables.tf#L151) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account](variables.tf#L163) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
+| [service_account_create](variables.tf#L169) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
+| [trigger_config](variables.tf#L175) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables.tf#L185) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector_config](variables.tf#L195) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/cloud-function-v1/main.tf b/modules/cloud-function-v1/main.tf
index b57d8431cb..7a7fdc9152 100644
--- a/modules/cloud-function-v1/main.tf
+++ b/modules/cloud-function-v1/main.tf
@@ -41,6 +41,7 @@ locals {
   )
 }
 
+
 resource "google_vpc_access_connector" "connector" {
   count         = try(var.vpc_connector.create, false) == false ? 0 : 1
   project       = var.project_id
@@ -67,12 +68,13 @@ resource "google_cloudfunctions_function" "function" {
   labels                       = var.labels
   trigger_http                 = var.trigger_config == null ? true : null
   https_trigger_security_level = var.https_security_level == null ? "SECURE_ALWAYS" : var.https_security_level
-
-  ingress_settings            = var.ingress_settings
-  build_worker_pool           = var.build_worker_pool
-  build_environment_variables = var.build_environment_variables
-
-  vpc_connector = local.vpc_connector
+  ingress_settings             = var.ingress_settings
+  build_worker_pool            = var.build_worker_pool
+  build_environment_variables  = var.build_environment_variables
+  kms_key_name                 = var.kms_key
+  docker_registry              = try(var.repository_settings.registry, "ARTIFACT_REGISTRY")
+  docker_repository            = try(var.repository_settings.repository, null)
+  vpc_connector                = local.vpc_connector
   vpc_connector_egress_settings = try(
     var.vpc_connector.egress_settings, null
   )
diff --git a/modules/cloud-function-v1/variables.tf b/modules/cloud-function-v1/variables.tf
index 73964d0b18..8dc592addd 100644
--- a/modules/cloud-function-v1/variables.tf
+++ b/modules/cloud-function-v1/variables.tf
@@ -100,6 +100,12 @@ variable "ingress_settings" {
   default     = null
 }
 
+variable "kms_key" {
+  description = "Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository field that was created with the same KMS crypto key."
+  type        = string
+  default     = null
+}
+
 variable "labels" {
   description = "Resource labels."
   type        = map(string)
@@ -131,6 +137,17 @@ variable "region" {
   type        = string
 }
 
+variable "repository_settings" {
+  description = "Docker Registry to use for storing the function's Docker images and specific repository. If kms_key is provided, the repository must have already been encrypted with the key."
+  type = object({
+    registry   = optional(string)
+    repository = optional(string)
+  })
+  default = {
+    registry = "ARTIFACT_REGISTRY"
+  }
+}
+
 variable "secrets" {
   description = "Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format."
   type = map(object({
diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md
index a5bad718e0..f54dd50aec 100644
--- a/modules/cloud-function-v2/README.md
+++ b/modules/cloud-function-v2/README.md
@@ -281,9 +281,9 @@ module "cf-http" {
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ |  |
 | [bundle_config](variables.tf#L38) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;  source_dir  &#61; string&#10;  output_path &#61; optional&#40;string&#41;&#10;  excludes    &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [name](variables.tf#L103) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L118) | Project id used for all resources. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L123) | Region used for all resources. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L109) | Name used for cloud function and associated resources. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L124) | Project id used for all resources. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L129) | Region used for all resources. | <code>string</code> | ✓ |  |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;  location                  &#61; optional&#40;string&#41;&#10;  lifecycle_delete_age_days &#61; optional&#40;number&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [build_worker_pool](variables.tf#L32) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> |  | <code>null</code> |
 | [description](variables.tf#L47) | Optional description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
@@ -292,14 +292,15 @@ module "cf-http" {
 | [function_config](variables.tf#L65) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object&#40;&#123;&#10;  entry_point     &#61; optional&#40;string, &#34;main&#34;&#41;&#10;  instance_count  &#61; optional&#40;number, 1&#41;&#10;  memory_mb       &#61; optional&#40;number, 256&#41; &#35; Memory in MB&#10;  cpu             &#61; optional&#40;string, &#34;0.166&#34;&#41;&#10;  runtime         &#61; optional&#40;string, &#34;python310&#34;&#41;&#10;  timeout_seconds &#61; optional&#40;number, 180&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  entry_point     &#61; &#34;main&#34;&#10;  instance_count  &#61; 1&#10;  memory_mb       &#61; 256&#10;  cpu             &#61; &#34;0.166&#34;&#10;  runtime         &#61; &#34;python310&#34;&#10;  timeout_seconds &#61; 180&#10;&#125;">&#123;&#8230;&#125;</code> |
 | [iam](variables.tf#L85) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [ingress_settings](variables.tf#L91) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> |  | <code>null</code> |
-| [labels](variables.tf#L97) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [prefix](variables.tf#L108) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
-| [secrets](variables.tf#L128) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_account](variables.tf#L140) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
-| [service_account_create](variables.tf#L146) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
-| [trigger_config](variables.tf#L152) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event_type   &#61; string&#10;  pubsub_topic &#61; optional&#40;string&#41;&#10;  region       &#61; optional&#40;string&#41;&#10;  event_filters &#61; optional&#40;list&#40;object&#40;&#123;&#10;    attribute &#61; string&#10;    value     &#61; string&#10;    operator  &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  service_account_email  &#61; optional&#40;string&#41;&#10;  service_account_create &#61; optional&#40;bool, false&#41;&#10;  retry_policy           &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L170) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector_config](variables.tf#L180) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [kms_key](variables.tf#L97) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | <code>string</code> |  | <code>null</code> |
+| [labels](variables.tf#L103) | Resource labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L114) | Optional prefix used for resource names. | <code>string</code> |  | <code>null</code> |
+| [secrets](variables.tf#L134) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; number&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account](variables.tf#L146) | Service account email. Unused if service account is auto-created. | <code>string</code> |  | <code>null</code> |
+| [service_account_create](variables.tf#L152) | Auto-create service account. | <code>bool</code> |  | <code>false</code> |
+| [trigger_config](variables.tf#L158) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event_type   &#61; string&#10;  pubsub_topic &#61; optional&#40;string&#41;&#10;  region       &#61; optional&#40;string&#41;&#10;  event_filters &#61; optional&#40;list&#40;object&#40;&#123;&#10;    attribute &#61; string&#10;    value     &#61; string&#10;    operator  &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  service_account_email  &#61; optional&#40;string&#41;&#10;  service_account_create &#61; optional&#40;bool, false&#41;&#10;  retry_policy           &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables.tf#L176) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; bool&#10;  name            &#61; string&#10;  egress_settings &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector_config](variables.tf#L186) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index c38f863950..24046eada2 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -59,11 +59,12 @@ resource "google_vpc_access_connector" "connector" {
 }
 
 resource "google_cloudfunctions2_function" "function" {
-  provider    = google-beta
-  project     = var.project_id
-  location    = var.region
-  name        = "${local.prefix}${var.name}"
-  description = var.description
+  provider     = google-beta
+  project      = var.project_id
+  location     = var.region
+  name         = "${local.prefix}${var.name}"
+  description  = var.description
+  kms_key_name = var.kms_key
   build_config {
     worker_pool           = var.build_worker_pool
     runtime               = var.function_config.runtime
diff --git a/modules/cloud-function-v2/variables.tf b/modules/cloud-function-v2/variables.tf
index af97650fc3..428ba8dba2 100644
--- a/modules/cloud-function-v2/variables.tf
+++ b/modules/cloud-function-v2/variables.tf
@@ -94,6 +94,12 @@ variable "ingress_settings" {
   default     = null
 }
 
+variable "kms_key" {
+  description = "Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key."
+  type        = string
+  default     = null
+}
+
 variable "labels" {
   description = "Resource labels."
   type        = map(string)

From c854057bef191748c6fd66329dc9392c2152405e Mon Sep 17 00:00:00 2001
From: Ludo <ludomagno@google.com>
Date: Tue, 14 May 2024 15:01:43 +0200
Subject: [PATCH 29/29] update changelog

---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c2177cdbc..8a34721182 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,8 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2267](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2267)] Fix 0-bootstrap iam_by_principals not taking into account all principals ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-12 19:02:04+00:00 -->
+- [[#2263](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2263)] Update docs - gcp-network-admins -> gcp-vpc-network-admins ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-10 08:04:25+00:00 -->
 - [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->
 - [[#2253](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2253)] Misc FAST fixes ([juliocc](https://github.com/juliocc)) <!-- 2024-05-02 06:56:26+00:00 -->
 - [[#2235](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2235)] Update FAST logging ([juliocc](https://github.com/juliocc)) <!-- 2024-04-25 06:31:52+00:00 -->
@@ -53,6 +55,13 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2270](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2270)] Cloud function CMEK key support ([luigi-bitonti](https://github.com/luigi-bitonti)) <!-- 2024-05-14 12:56:10+00:00 -->
+- [[#2272](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2272)] New Bindplane cloud-config-container setup ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-05-14 12:45:40+00:00 -->
+- [[#2269](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2269)] Implement the full IAM interface for tags ([ludoo](https://github.com/ludoo)) <!-- 2024-05-13 18:18:52+00:00 -->
+- [[#2268](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2268)] Add logging settings to folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-13 07:24:17+00:00 -->
+- [[#2242](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2242)] CloudSQL PSC Endpoints support ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-12 10:00:40+00:00 -->
+- [[#2265](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2265)] Fix failing E2E net-vpc test ([wiktorn](https://github.com/wiktorn)) <!-- 2024-05-11 15:29:35+00:00 -->
+- [[#2264](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2264)] Fix bug from output typo in new project-factory module ([JanCVanB](https://github.com/JanCVanB)) <!-- 2024-05-10 22:19:36+00:00 -->
 - [[#2262](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2262)] Make Simple NVA route IAP traffic through NIC 0 ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 16:29:25+00:00 -->
 - [[#2261](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2261)] Add Hybrid NAT support ([juliocc](https://github.com/juliocc)) <!-- 2024-05-09 13:24:41+00:00 -->
 - [[#2260](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2260)] Remove data source from folder module ([ludoo](https://github.com/ludoo)) <!-- 2024-05-09 13:09:54+00:00 -->